Encryption Science Technology

Commercial Quantum Cryptography System Hacked 117

Posted by Soulskill
from the superposition-of-safe-and-unsafe dept.
KentuckyFC writes "Any proof that quantum cryptography is perfect relies on idealized assumptions that don't always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of 'intercept and resend attack,' the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique."
  • by jd (1658) on Monday May 17, 2010 @05:17PM (#32245692) Homepage Journal

    ...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

  • by razathorn (151590)

    ...stopping reading the blurb on slashdot last week about the new position based system being secure because the people who previously said it wasn't secure changed their mind and said it was provably secure and then proceeded to use the words "cannot easily" to justify it being secure. Now, this week I see a commercial system that has been cracked because somehow thresholds of likelihood were once again used. Anyone else see a trend?

  • by Anonymous Coward

    If this article is correct, all an eavesdropper has to know is the proper error threshold to stay under to remain undetected.

    Doesn't seem so secure to me.

    • It's hardly fundamentally flawed. Even if the eavesdropper knows the error threshold and can intercept a few bits without detection thanks to errors in the system, the information gain is very minimal. You might be able to get a few percent of the transmitted bits in a key. Three out of every hundred bits in a one-time pad isn't going to break the encryption. The parties can always XOR some bits until the information that an eavesdropper could extract is negligible.

      • by TheLink (130905) on Monday May 17, 2010 @09:49PM (#32248362) Journal
        Thing is nowadays TB drives are quite cheap. Generate a huge OTP, spread it over three drives at A, spread it over another three drives and send all three to B via three different couriers/paths. Add ECC if you want.

        If they all made it safely without interception. You've got your secure channel. 1TB/128kbps = 2 years. 1TB/256kbps = 1 year.

        You could send more than one set of drives. When they all arrive, you tell the "B" let's start with drive set #5.
        • Quantum cryptography really isn't being proposed as a practical solution right now (hush, don't tell Id Quantique) but what's fun about it is that it's theoretically secure. If the person whose wrist your briefcase of disks is handcuffed to is bought out, you'd never know it and your enemies just gained access to all your secure communications. Two to four decades from now quantum cryptography might be practically competitive with carrying disks around, but for now, it's just for fun.
          • by TheLink (130905)
            > If the person whose wrist your briefcase of disks is handcuffed to is bought out,

            1) You would need all three disks to reconstruct the original OTP that will be used.
            2) If I send more sets of three and only use some sets, that makes it even harder.
            3) I could even send 9 disks over time and over different couriers/channels and then randomly choose different combinations of them to construct the actual OTP.
  • Quantum Bullshit (Score:2, Interesting)

    by sexconker (1179573)

    The core idea of using quantum communication security (or, in general, quantum communication) is that you'll be able to tell when the message has been altered.

    All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

    Reading the message is trivial.

    Recreating the message, while introducing tolerable levels of noise is trivial once you have the key. Alice does it all the time.

    Blocking the original message is not trivial, but it i

    • Re: (Score:2, Informative)

      by arndawg (1468629)
      It's not just that you can tell when a message has been altered. It's that you can tell if someone has been eavesdropping.
      • Uh, read my entire post please?
        And someone has to successfully eavesdrop for that protection to kick in. You can't control when they'll eavesdrop, so information can still get out, so it's far from a "secure" communication channel.

        And with a noise tolerance of X, eavesdropping without being detected is not only possible, but likely very easy. Remember that Alice has to generate noise-free signals in the first place. Alice isn't made of magic. Eve can do anything Alice can.

        And if you have a perfect netwo

        • Re: (Score:3, Insightful)

          In a sense, though it is called "cryptography", quantum crypto is basically about link integrity detection, rather than anything resembling cryptography in the classical sense.

          Basically, if you have a fiber run that you want to make sure nobody is tapping, you can either station trustworthy guys with guns every few yards along its length or you can put a quantum crypto box at each end. Given that the guys-with-guns approach is largely impractical(especially for buried or undersea lines) the potential to
          • by Lehk228 (705449)
            or you can use strong encryption on the line with the assumption that 5000 years from now your messages won't be terribly important
            • And endure the outside chance that the prime factorization guys will come up with something useful in the real world in 10...

              Obviously, for the vast majority of applications it is total overkill. Quick quiz: Do you own/seriously lease the actual fiber over which you are transmitting? If not, you are definitely not a candidate. If so, you are probably not a candidate.

              There are, though, probably some applications where the risk of future disclosure is simply unacceptable.
          • by cashdot (954651)
            A key is also involved in quantum cryptography, and not having it renders the message useless just as with classical cryptography.
            The only difference is that with classical crypto you can guess infinitely, while with quantum crypto you can guess only once.
            • The only difference is that with classical crypto you can guess infinitely, while with quantum crypto you can guess only once.

              You can copy a signal - any signal.
              You can copy a quantum signal and test against it forever.

              Reading said signal is probably detectable on the other end, so they SHOULD stop communicating.
              You get one small piece of the message when you get the key (brute force or otherwise) and you have performed a successful denial of service attack.

              If the two hosts then try to reestablish communication, they need to generate new keys. You can DOS them indefinitely since they're using a dedicated line that you have physic

              • by cashdot (954651)

                You can copy a quantum signal and test against it forever.

                No, you can't due to the no-cloning theorem, see http://en.wikipedia.org/wiki/No-cloning_theorem [wikipedia.org]

                Please do yourself a favor and learn some basics about quantum mechanics. The no-cloning theorem is a vital ingredient in quantum cryptography. The eavesdropping detection is a nice by-effect, but QC offers much more than that. You simply cannot decrypt a 'quantum message' unless you know the key, period. If you try a wrong key the message is lost, hence the eavesdropping detection.

                Let me illustrate this

                • Quantum communication occurs how, by magic?
                  No, you measure the signal. Analyze it, modulate it, decode it, and present it to the user.

                  Write down the measurements once, test against them forever.

                  You can't measure the signal without disrupting the legitimate people trying to communicate, but you have still measured the signal.

                  Alice and Bob measure the signals all the fucking time in order to communicate.

                  5000 years for classical crypto to be brute forced? Massively parallel FPGAs (or GPUs if you're cheap) sa

                  • by cashdot (954651)

                    Quantum communication occurs how, by magic?

                    Yes, quantum mechanics has some implications that indeed appear magical with our classical understanding of the world.

                    Write down the measurements once, test against them forever.

                    You did not read the article about the non-cloning theorem, did you? If you are familiar with the Heisenberg principle and are willing to accept it as a fact, the informal proof is quite easy to understand.

                    You can't measure the signal without disrupting the legitimate people trying to communicate, but you have still measured the signal.

                    The point that you don't seem to understand is the fact, that in quantum cryptography, the measurement of the signal corresponds to a key guess in classical crypto. If in quantum crypto yo

        • by arndawg (1468629)
          Communication is usually two-way and each packet on its own is useless. It's not like you're sending the entire Library of Congress in one packet.
          • Each packet on its own is not useless.
            And for two-way communication you just need both keys.

            And an attacker pretending to be Alice saying "Bob, you're a fag." would be pretty successful.

            So would "Obama" telling Putin "Duck and cover, here it comes!" and then severing the communication line.

        • by cashdot (954651)
          What you are saying doesn't make much sense for me. Are you just trolling?
          If you have physical access to the communication line, and you want to inhibit the communication between Alice and Bob, you can just as well cut the cable.
          • The intertrons is a switching network, not a mass of dedicated circuits.

            If you want to take someone down, you probably want to make sure that they can't re-route around your cut, and you probably want to do it without taking yourself down.

            Are you proposing that quantum communication gets adopted and we actually have dedicated circuits for every host pair?

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        I think his point is that traditional MITM will always succeed. Say Alice wants to talk to Bob, using QC. Evil Mallory sits in the middle, posing as Bob for Alice and Alice for Bob. When Alice sends the quanta to what she thinks is Bob, she's actually negotiating a connection with Mallory; and so is Bob. Thus, Alice encrypts, sends to "Bob" (Mallory), Mallory decrypts, re-encrypts, and sends to Bob.

        No system, quantum or classical, can protect against this unless Alice and Bob have a shared secret. If they d

    • Re: (Score:3, Informative)

      by Hurricane78 (562437)

      All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

      Reading the message is trivial.

      You don’t understand quantum physics AT ALL, do you? Or you’re just a troll.

      Read up on entanglement.

      There is no way to recreate the message. Because you can’t entangle the photons again. It’s literally physically impossible.

      • Literally physically impossible assuming you have a dedicated circuit for each host pair.
        Otherwise you have to trust the nodes and routers.

        It is infeasible to have a dedicated circuit for each node pair on the internet.

        It is only feasible for small local networks, or one off pairs.

        For a copper network using a dedicated circuit, you get the same boost in security. Quantum bullshit adds nothing.

        And if you do have a quantum dedicated circuit, any failed MITM attack is a successful DOS attack. Any successful

    • Re:Quantum Bullshit (Score:4, Informative)

      by Interoperable (1651953) on Monday May 17, 2010 @07:57PM (#32247514)

      Sending out the spoofed message is trivial.

      No it isn't. It's impossible to do it with better than 50% accuracy, which will make the man-in-the-middle very, very detectable. None of the useful information is ever sent using quantum bits, it's only one-time-pad style key. If a man-in-the-middle is detected, the key is not used and no secure information is breached. I mentioned it in an above post, but the best that a "hacker" could ever do is get a few random bits of information out of every hundred, even with this attack. That isn't enough information about the key to extract any information about the message.

      Alice and Bob compare measurement results before sending the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

      • by selven (1556643)

        50% accuracy? Isn't that just transmitting random data?

        • Ah, 75% accuracy I suppose. 50% of the data would be retransmitted correctly, 50% would be random so 75% of the bits would end up appearing correct.

      • by radtea (464814)

        Alice and Bob compare measurement results before sending the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

        There's something here that one of us isn't understanding. Either you're missing the OP's point, or I'm missing yours.

        The OP's point seems to me to be that the exchange between Alice and Bob necessarily goes like this:

        1) Get individual quanta from an entangled source such that they have a shared secret that cannot have been interfered with.

        2) Use that shared secret to encrypt in a conventional way and communicate.

        The OP is pointing out that the MTM attack is just as practical against step 1 as step 2 by ha

        • Re: (Score:3, Informative)

          I was basing my description on the BB84 cryptographic protocol. That protocol does not use an entangling source, rather it sends single q-bits along a quantum channel to be detected by Bob. I interpreted a man-in-the-middle attack to be an intercept-resend attack in that channel. So:

          Ideal: Alice --------> Bob

          MITM: Alice ------> detect - read - resend ------> Bob

          If the channel is noise-free, the detectors are ideal and the states are prepared perfectly, this is theoretically secure against if error

          • But the channel is NOT noise free.

            And for it to have any measure of security provided by the quantum nature, it needs to be a dedicated circuit between all host pairs.

            When you have a dedicated circuit, you need physical access to perform any attacks. Quantum or regular, it doesn't matter.

            Given a dedicated circuit and an attacker with physical access, any unsuccessful MITM attack becomes a successful DOS attack.

            Any successful MITM attack will require the private keys of one of the parties. You need both if

          • by sjames (1099)

            The problem is MUCH more fundamental. The commercial systems want you to believe that it's a magic bullet because it's quantum. In fact, it DOES prevent simple eavesdropping but it does NOT stop an attack where Eve controls both channels of communication.

          • by radtea (464814)

            Thanks! That's one of the most informative and useful replies I've ever had on /.

    • by cashdot (954651)
      No.
      The core idea of quantum communication security is that it is impossible to decipher a quantum message unless you destroy the quantum state nature of the communication media (photons, electron, ... whatever).
      Unlike with classical communication you just have *one* try to decrypt the message. If the wrong key is used, the message is lost, forever. That even Bob (with the correct key) won't be able to decrypt/read the message afterward (and hence will notice the eavesdropping) is just a side effect.
      • Read my post.

        The entire point of it being quantum means nothing.

        If someone has the key, you won't know.

        If someone doesn't have the key, you often won't know because they can fudge around in that tolerance level, and you'll just resend your message anyway because the network is not reliable, etc.

        The only practical application which would give you any benefit from the quantum nature would be a dedicated circuit for each host pair. That is simply not feasible.

        All.
        Digital.
        Security.
        Ever.
        Boils.
        Down.
        To.
        A.
        Key.
        Shar

    • by DrXym (126579)
      It seems that anyone capable of tampering with a quantum link (i.e. they know where the equipment and the cable are), it seems they have a simpler solution. Just "accidentally" run a digging machine through the link, or otherwise damage the connection and then just wait for the sender & recipient to use a less secure method of communication.
  • by Anonymous Coward on Monday May 17, 2010 @05:33PM (#32245916)

    Really, is a little fidelity in this relationship too much to ask for? I've caught Bob kissing that skank Alice so many fucking times and he always says he's sorry and he'll stop seeing her, but still I can tell they're exchanging information through hidden channels.

    But what I really hate is when people act like I'm so unreasonable by trying to find out what is going on and who my allegedly significant other is seeing behind my back. What the fuck.

    -
    Cryptographically Signed,

    Eve.

    (Inspired by xkcd [xkcd.com], of course.)

  • by pla (258480) on Monday May 17, 2010 @05:36PM (#32245940) Journal
    Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.
    Then they do not "prove" anything.

    When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???
    • Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.

      Then they do not "prove" anything.

      When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???

      Wow, it's obvious you have no idea what you are talking about. The premise may have been non-physical but that doesn't affect the proof. The proof is fine. It just happens not to be true. There's only a problem here, if you assume proof means true or more specifically physically true.

      Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

    • by Dthief (1700318)
      The Physical device they hacked works under this 20% assumption.....this 20% is due to limitations between reality and the ideal-world

      If you RTFA you will see they openly discuss that this attack works only for this real world device, and that it is easy to stop:

      Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

    • by Interoperable (1651953) on Monday May 17, 2010 @08:04PM (#32247570)

      Those "morons" have doctorates in math and physics. What do you have?

      The idea is that if you can account for all known systemic noise sources then anything left will be from the attacker. The proofs set bounds for what error thresholds rule out the possibility of an attacker under given, known sources of noise in the system. The proofs are not wrong, they were simply done using particular sets of assumptions. If those assumptions are not applicable to a particular system, then obviously those calculations wouldn't be used.

      It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

      • Re: (Score:3, Interesting)

        by pla (258480)
        It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

        Funny thing about the internet... Believe it or not, some of us do actually count as experts in the domain of knowledge in question, fully capable of calling BS even on all those magically-always-right PhDs out there.

        In this case, I can't claim myself an expert (merely have a minor in math, concentrating on, of all things, proof theory).
        • by Interoperable (1651953) on Monday May 17, 2010 @09:32PM (#32248248)

          I happen to have read a number of such papers because it is related to the field that I work in and I have some idea of what is involved in determining bounds on error rates. They are absolutely proofs in the very strictest sense of the word. They state up-front what the assumptions are and derive rigorous proofs within the conditions that were laid out.

          The mathematical premises are completely sound. The only question is what physical system the assumptions used to arrive at those premises apply to. The idealized system is clearly laid out in the paper and can be assessed for how applicable it is to a given physical system. To say that the premises are unsound because the simplifying assumptions may not apply to real systems is to reject any mathematical analysis of the physical world.

          You are confusing the ideas of a premise in mathematics and an assumption in physics. What has been done is the different between a correct analysis of an idealized system. What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

          • by radtea (464814)

            What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

            And yet for reasons that escape me these correct analyses of unrealistic models have been used in the marketing of quantum cryptography as a realistic solution to the problem of secure communication.

            Can you provide any insight into how that situation has come about?

          • by sjames (1099)

            And that's the whole problem! Proving that given a set of conditions A is true is just fine mathematically. But as soon as you try to use it in engineering, you face the potentially much more difficult problem of proving that the real world matches those conditions. If the conditions are things like approximately 1 earth gravity and ambient temperatures don't exceed 300C you're on fairly solid ground, when you start having to worry about exact levels of quantum noise, you can easily get into trouble.

      • You know what's sad... I actually agree with your conclusion but your entire argument consists of a call-to-authority. A fallacy.

        Don't you think it's a bit of an insult to the discipline that your best defense for it is a false argument ?

        Especially since history (even RECENT history) is filled with examples of untrained outsiders spotting a fatal flaw in the work of a discipline, which then needs to be corrected leading to a paradigm shift. Scientists consider the call-to-authority one of the worst fallacie

        • Re: (Score:3, Insightful)

          It's not the questioning of conclusions that I disagree with. Scientists love informed debate, but don't appreciate being called "morons." Anyone with the insight about the discipline to make a shrewd observation about the correctness of the work would recognize that the people involved are not morons.

          It's important to keep an open mind, but the vast, vast majority of "OMG, how can you sheeple be so stupid?" posts about quantum physics can be safely ignored without any loss to the body of knowledge.

      • by sjames (1099)

        The whole field of practical quantum encryption (as opposed to fun games) is riddled with real world problems. So much so that I'd say most of the applications are snake oil. Currently its usefulness is confined to cases where the endpoints are close enough to use an unamplified fiber and there exists a second communications channel that cannot be subjected to a MITM attack even by someone determined enough to dig up and splice into that fiber in the first place. If the information isn't valuable enough fo

  • by mrsteveman1 (1010381) on Monday May 17, 2010 @05:36PM (#32245950)

    Eve is a fucking spy, arrest her.

    I'm not too sure about Alice and Bob either, seems they're always around when these things happen.

  • can be broken by a man

    depending upon your current situation in life, this is either a wonderfully hopeful or horribly depressing realization

    • I was thinking the same. But my train of thought was more along the lines of "no matter how secure a system, some doofus will stick a post-it with his key next to the monitor".

      The weakest link in almost all security systems is still the human.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        It's obvious then we need to get rid of the weakest link.

  • Hardware Arms Race (Score:1, Interesting)

    by Anonymous Coward

    The third paragraph from the end of TFA is the key. Alice/Bob will be in an arms race with Eve. Alice/Bob will need better single-photon detectors and generators to stay ahead of Eve. As Alice/Bob improve the quality of their hardware and increase the probability of being able to emit and then detect a single photon, Eve has to keep pace with the quality of her hardware. Over time as Alice/Bob increase the quality of their hardware, the attack surface available to Eve shrinks, and it will take her l

  • I don't get why anyone even bother with the so-called quantum encryption*, a simple pre shared key scheme is perfectly safe, a lot cheaper, well understood and well tested.

    *The quantum part has nothing to do with encryption, it's just an over the top high tech attempt at preventing wire taps.
  • by ortholattice (175065) on Monday May 17, 2010 @07:22PM (#32247222)
    One of the main contributors to the error rate is the photon detection efficiency, where 80% or better is considered "good". In a major breakthrough last month, NIST (yes, the National Institute of Standards and Technology, not some startup company's marketing hype) has achieved a record single-photon detection rate of 99% [sciencedaily.com] - and possibly better, since there currently exists no metrology to test that level of efficiency. So in terms of that source of error, things are looking up.
    • But at what dark-count rate? There are always trade-offs.

      • Re: (Score:3, Informative)

        by ortholattice (175065)
        But at what dark-count rate? There are always trade-offs.

        The dark count is essentially zero. That's what makes this breakthrough so impressive.

        FTA I linked:

        "When these detectors indicate they've spotted a photon, they're trustworthy. They don't give false positives," says Nam, a physicist with NIST's Optoelectronics division. "Other types of detectors have really high gain so they can measure a single photon, but their noise levels are such that occasionally a noise glitch is mistakenly identified as

  • Insightful FTA:

    Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

  • until he tells you what was in the message.

    Of course you can't beat Alice because she's a girl. If Alice had sent the message to Eve then you'd be out of luck.

  • Dump Alice (Score:2, Funny)

    by fyoder (857358)

    I say Bob should dump Alice and go with Eve. Bad girls are hot.

    Though dumped good girls can be trouble as well, so the original problem remains.

    Sadly, as long as Eve (or Alice) are sufficiently determined to intercept Bob's communications, he's got problems. The only answer may be to become a celibate monk in a monastery committedly observing a vow of silence.

  • Does she live next door to Bob?

    Had to be asked.. ;)

  • Human ingenuity cannot concoct a cipher in which human ingenuity cannot break. --- Edgar Allan Poe
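
The BB84 intercept-resend picture argued over in the thread above (Alice → detect, read, resend → Bob), as an added simulation that is not part of the original discussion: it measures the error rate Alice and Bob would observe on their sifted key for a given intercepted fraction and compares it with the 20 percent figure from the summary. It models ideal textbook BB84 only, not the ID Quantique system or the attack in the paper; the function names, the `channel_error` parameter and the sample sizes are assumptions made for this illustration.

```python
import random

BASES = ("+", "x")          # rectilinear and diagonal BB84 bases
ABORT_THRESHOLD = 0.20      # the 20 percent figure quoted in the summary


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: same basis returns the bit, the other basis a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def expected_qber(intercept_fraction, channel_error=0.0):
    """Analytic error rate on the sifted key.

    An intercepted qubit is wrong with probability 1/4 (Eve picks the wrong
    basis half the time, and Bob's result is then random). Independent
    channel noise flips the result with probability channel_error.
    """
    p = intercept_fraction / 4.0
    return p + channel_error - 2.0 * p * channel_error


def run_bb84(n_qubits, intercept_fraction, channel_error=0.0, seed=1):
    """Simulate n_qubits BB84 transmissions; return what Alice and Bob observe."""
    rng = random.Random(seed)
    sifted = errors = eve_known = 0
    for _ in range(n_qubits):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis              # state in flight
        eve_basis = None
        if rng.random() < intercept_fraction:    # intercept and resend
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis                    # resent in the eavesdropper's basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if rng.random() < channel_error:         # environmental noise
            b_bit ^= 1
        if b_basis != a_basis:
            continue                             # sifting: bases are compared publicly
        sifted += 1
        errors += (b_bit != a_bit)
        eve_known += (eve_basis == a_basis)      # eavesdropper holds Alice's bit here
    qber = errors / sifted if sifted else 0.0
    return {
        "sifted": sifted,
        "qber": qber,
        "leaked_fraction": eve_known / sifted if sifted else 0.0,
        "abort": qber >= ABORT_THRESHOLD,
    }


if __name__ == "__main__":
    # Constructed scenarios: no tap, a partial tap, a full tap, and noise only.
    for f, e in [(0.0, 0.0), (0.6, 0.0), (1.0, 0.0), (0.0, 0.05)]:
        r = run_bb84(200_000, f, e)
        print(f"intercepted={f:.1f} noise={e:.2f} "
              f"qber={r['qber']:.3f} (expected {expected_qber(f, e):.3f}) "
              f"leaked={r['leaked_fraction']:.3f} abort={r['abort']}")
```

A full intercept-resend leaves 75% of the sifted bits correct, so a 20 percent threshold catches it, while a partial tap stays under the threshold and leaks about half the intercepted fraction; that leaked share is what the "XOR some bits" step mentioned in the thread has to remove.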
