Slashdot Mirror

← Back to Stories (view on slashdot.org)

Quantum Cryptography Is Safe Again

Posted by Soulskill on from the umpires-in-agreement-after-further-review dept.

sciencehabit writes "In theory, so-called quantum cryptography provides a totally secure way of sending information. In practice, maybe not. But now physicists have demonstrated how to close a technological loophole that could have left secrets open to eavesdroppers. '[I]n 2010, an international team of researchers showed that [an attacker] could hack the system by exploiting a weakness in the so-called avalanche photodiodes (APDs) used to detect the individual photons. The problem is that APDs react differently to intense pulses of light than they do to single photons, so that the energy of the pulse must exceed a threshold to register a hit. As a result, all [the attacker] has to do is intercept the single photons, make her best-guess measurements of their polarizations, and send her answers off to Bob as new, brighter pulses. ... Last year, physicist Hoi-Kwong Lo at the University of Toronto and colleagues claimed to find a way around the problem. In the new protocol, Alice and Bob would begin the creation of a quantum key by sending randomly polarized signals to Charlie, a third party. Charlie would measure the signals to determine not their actual polarization, but only whether the polarizations were at right angles. ... Now, in papers in press at Physical Review Letters, two independent groups of physicists have shown that the new protocol works.'"

34 comments

  1. so-called summary by Anonymous Coward · · Score: 0

    In the so-called summary, there is a lot of so-called repetition of a silly phrase. It's not just a so-called avalanche photodiode, that's what it is.

    1. Re: so-called summary by Anonymous Coward · · Score: 2, Interesting

      Wake me up in 10 years when they're only 5-10 years away from bringing this to market.

    2. Re: so-called summary by quax · · Score: 2

      You can already buy commercial quantum encryption devices. That was the point of the hacking to begin with. Only caveat: The existing tech is point to point protocol. That's why this was such big news earlier this year.

    3. Re: so-called summary by Florian+Weimer · · Score: 1

      The relays in that networking protocol are decrypt-and-encrypt, so it enables even more (undetectable) eavesdropping.

      Quantum key distribution has a strange security model where it is assumed that someone inside the network cannot run two instances of the protocol and give the two parties in a communication the illusion of talking directly to each other, when they in fact talk each to the attacker. In other words, it is assumed that there is confidentiality without authentication. All kinds of strange things follow if you make that kind of a mistake.

    4. Re: so-called summary by slashmydots · · Score: 1

      More like a week after a quantum decryption computer with enough quibits is built. Then all encryption certified by governments, spy agencies, etc all goes out the window.

  2. Schrödinger protocol by Smidge204 · · Score: 5, Funny

    Quantum Cryptogaphy exists in a superposition of simultaneously being secure and not-secure.

    (Eh, somebody was gonna...)
    =Smidge=

    1. Re:Schrödinger protocol by Em+Adespoton · · Score: 1

      Quantum Cryptogaphy exists in a superposition of simultaneously being secure and not-secure.

      (Eh, somebody was gonna...)
      =Smidge=

      But now that we know that, does it actually exist?

    2. Re:Schrödinger protocol by letherial · · Score: 2

      Perfectly secure when nobody is looking at it, not so good when its being analyzed

  3. Third party? by Anonymous Coward · · Score: 1

    So in order to achieve the ultimate in secure two-party communications, we need a third party?

    Ok, Ok, I'll go read the rest of the article.

  4. I love news without a use by themushroom · · Score: 3, Insightful

    Yes, you can reason that quantum cryptography is going to protect this and that thing that isn't at the consumer level. Good on it. But you're still going to have people typing "password" as their password at their bank or "Jeremy85", the boy in the photo on their desk and his year of birth, in sensitive work email.

    --
    Laughter is the Spackle of the Soul.
    1. Re:I love news without a use by InfiniteLoopCounter · · Score: 4, Funny

      No, no. Banks have secure passwords of at least 12 characters, with mix of upper and lower case, symbols, and numbers, and completely hidden from view on a sticky note on the back of the keyboard.

    2. Re:I love news without a use by EmperorArthur · · Score: 1

      No, no. Banks have secure passwords of at least 12 characters, with mix of upper and lower case, symbols, and numbers, and completely hidden from view on a sticky note on the back of the keyboard.

      My favorite password policy prevented you from using any letter in your username, and only 3 letters from your real name. Or something like that. Plus everything you said. It made it nearly impossible to remember the password. If I didn't have LastPass I would have had to write it down.

      At least the University didn't follow up with the rest of the policy. Can't reuse the last ten passwords, and have to change the password relatively frequently.

      See here for my rant about it. NOTE: Just realized the server's down. I'm going to have to re image that thing.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    3. Re:I love news without a use by Anonymous Coward · · Score: 0

      Yes, you can reason that quantum cryptography is going to protect this and that thing that isn't at the consumer level. Good on it. But you're still going to have people typing "password" as their password at their bank or "Jeremy85", the boy in the photo on their desk and his year of birth, in sensitive work email.

      Complaining about developments in quantum cryptography based on the fact that they don't stop users from doing stupid things is almost directly analogous to complaining that advances in automobile lock design still haven't solved the problem of users leaving their car keys in the bar.

      While we definitely need more work on user education, and secure systems user interface design, to try to reduce unsafe behaviours there is also a lot of work to be done lower down the stack, if you will, and that includes secure point-to-point communications protocols.

    4. Re:I love news without a use by LordLimecat · · Score: 1

      The most important question when addressing "is it secure" is "what is the threat".

      If your primary threat is automated brute-force-bots trying to crack your password, it is better that you have a 12-character alpha-numeric / symbolic password written next to your keyboard, than to use a weak password: it addresses your primary threat while introducing a new, lesser threat (burglary / home intrusion causing password disclosure). Of course it would be better still to do neither.

      "Jeremy85", the boy in the photo on their desk and his year of birth

      If it is not a matter of public record, its not awful for security. The issue isnt that Jeremy is in the photo on the desk (the attacker would need to know what on the desk was used for the password, would need to figure out who it was a photo of, etc)-- its that "jeremy+number" would be nabbed by a decent dictionary attack pretty quickly.

      Again: Understanding your threat is hugely important. I see so much snake-oil security bandied about online and offline simply because people only have a vague conception of what the threats are, and so their conception of how to mitigate them are likewise vague and ineffective.

    5. Re:I love news without a use by Daniel+Dvorkin · · Score: 1

      Things really get ugly when the school calls to say Jeremy spoke in class.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    6. Re:I love news without a use by manu0601 · · Score: 2

      Actually, "Jeremy was born in 1985" is a rather good password. Add a typo and it is even better: "Jeremi was born in 1985"

    7. Re:I love news without a use by behrooz0az · · Score: 1

      Isn't that gonna stay in your mussle memory or something and make you make the same typo every time you write jeremy?
      And If you happen to have told any body about your dirty little secret(You just did), whenever you make a typo in public you lose a word from your passwords.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    8. Re: I love news without a use by Anonymous Coward · · Score: 0

      I must admit: clearly I remember picking on the boy. He seemed a harmless little fuck.

    9. Re:I love news without a use by manu0601 · · Score: 1

      There can be many possible typos. How could you be sure a typo I make in public is part of a password?

      As of a dirty little secret, I just told you that dictionary attacks will not be enough to crack my passwords. Not a big deal.

    10. Re:I love news without a use by Anonymous Coward · · Score: 1

      "Isn't that gonna stay in your mussle memory..."

      Better to be shellfish and clam-up than to carp about your passwords to every sole out there.

      (ow.)

    11. Re:I love news without a use by Anonymous Coward · · Score: 0

      No, no. Banks have secure passwords of at least 12 characters, with mix of upper and lower case, symbols, and numbers, and completely hidden from view on a sticky note on the back of the keyboard.

      Here at [insert high profile bank], we use a new security technique.

      Instead of just one sticky note, we use two, laid on top of each other; the first has a dummy password! They'll never figure this one out! It's so secure that we've never had to change the password from the original sticky note!

      The IT guy is even checking that everything is working for us, about once a week! I'm not sure why they keep sending a different guy each time, but they're always highly professional!

    12. Re:I love news without a use by Anonymous Coward · · Score: 0

      whenever you make a typo in public you lose a word from your passwords.

      WAT? I thought hunter2 was completely secure. That's what they told me in that friendly chat room all those years ago.

    13. Re:I love news without a use by slashmydots · · Score: 1

      Mine is a 24 letter memorable phrase with a single number inside it as well. Nobody on Earth can decrypt that and it's written down nowhere. My old bank didn't allow 24 letter passwords (so I assume 16 bit encryption? lol) so I dumped them.

    14. Re:I love news without a use by ultranova · · Score: 1

      Mine is a 24 letter memorable phrase with a single number inside it as well. Nobody on Earth can decrypt that and it's written down nowhere.

      But useful details about it are written down right here on Slashdot. How many combinations of words add up to 24 or 23 letters, with or without spaces? A lot less than add up to a random amount.

      This is the biggest threat to security: people like to brag about how smart they are, and as they do they give up information. Joe Hacker can follow you and learn more and more about your uber-secure password to speed up his brute-forcing, and any near-future botnet data mining Internet forums can do the same.

      Maybe it's time to repurpose those old WWII propaganda posters about how security starts with STFU?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    15. Re:I love news without a use by Hentes · · Score: 1

      And that's their loss. As long as I have a method of secure communication, what do I care when idiots get haxed?

  5. Another open question receives far less attention by quax · · Score: 1

    Is quantum entanglement the only physical resource that allows for such strong encryption?

    I.e. does exploiting thermodynamic properties already suffice as claimed in the Kish cypher?

  6. SSL by Anonymous Coward · · Score: 0

    Why are people interested in quantum cryptography at all when they can't even get it togeather enough to use SSL. Instead they blame the NSA for viewing all the endless plain text they insist on sending.

  7. Interesting aspects here by Anonymous Coward · · Score: 0

    So what we have is the following
    - Quantum security is secure if no one is actually probing it -- just like all other security :)
    - A quantum security device of low quality (cheap electronics/APDs) is more vulnerable than better equipment

  8. Oh thank goodness! by Anonymous Coward · · Score: 0

    That quantum encryption system that we weren't using, weren't evaluating, and weren't even capable of implementing, has been saved!

    The Space Family Robinson can now safely move on to their next adventure.

    1. Re:Oh thank goodness! by JoshuaZ · · Score: 1

      That quantum encryption system that we weren't using, weren't evaluating, and weren't even capable of implementing, has been saved!

      The development of quantum crypto is happening and there's a lot of work on it. Moreover, the claim that we aren't capable of implementing is false. There are even commercial implementations. See http://en.wikipedia.org/wiki/Quantum_key_distribution#Commercial for a list. Computer networks using secure quantum crypto have also been made (scroll just a bit further in that Wikipedia article).

  9. Re:Another open question receives far less attenti by JoshuaZ · · Score: 1

    Is quantum entanglement the only physical resource that allows for such strong encryption?

    The original quantum crypto protocol BB84 http://en.wikipedia.org/wiki/BB84 does not require entanglement, and is secure if one is still sending single photons at a time.

  10. Quantum punting by Anonymous Coward · · Score: 0

    Excuse my extreme ignorance why not use single photons? This seems to now be possible.

    So anyway we now trust Charlie to generate trustworthy answers over purely classical channels? What keeps Charlie from telling lies at what consequence?

  11. Cryptography safe? Ha ha ha ha!!! by Helio+Spheric · · Score: 1

    Cryptography safe? Ha ha ha ha!!!

  12. Still an irrelevant stunt by gweihir · · Score: 1

    Quantum modulation (and no, it is not "encryption") cannot be routed. The Internet only became possible when global routing rules were introduced. In fact, the Internet can well be described as the "IP routing domain". Its properties mean that quantum modulation will never scale and always only be good for site-to-site links. But these can be protected better, cheaper and more securely in other ways. For example, for site-to-site links, one-time-pads become practical. Quantum modulation is so terribly slow, that it will only be used to transfer keys, that are then used for conventional encryption, the dirty secret behind this technology. But for that, one-time-pads (in this scenario list of one-time keys) are far, far superior.

    When will this BS finally end? This technology has zero rational use.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.