Simple Comm Technique Beats Quantum Crypto

Atario wrote us with a link to a New Scientist article about an innovative new way of encrypting communications. An engineer at Texas A&M may have a way to exploit the thermal properties of a wire to create a secure channel. The result could be an effectively impenetrable way of securing communications, possibly outperforming quantum cryptography keys. "In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use ... Half the time ... they will choose different [resistances], producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say."

Cool.

[bytesex (112972)]

But if I understand correctly, and I want to do this over ethernet, for example, that means that it is a) unroutable and b) my ethernet endpoints would have to be aware of my security preferences ?

Well, they quote Bruce saying it's good.

[khasim (1285)]

From TFA:

"This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum."

Although I don't recall seeing anything about it on his website. Bruce knows a lot more than I do, but this

Re:Well, they quote Bruce saying it's good.

[Lagged2Death (31596)]

If Eve or Mallory get to the wire first, then the "normal" wire state that Alice and Bob see will include their taps.

Eavesdropping on this wouldn't do any good. From an eavesdropper's point of view, there are three noise levels, two of which mean nothing and one of which means a bit has just been transferred from A to B or from B to A. An eavesdropper can't tell which direction the bit is going or what the value of the bit was.

Sure they can.

[khasim (1285)]

All Eve has to do is to have two taps on the wire. She can watch the signal propagate from one to the other and determine who sent it.

And I'm not seeing why there would be three noise levels on the wire. You'd start off with the plain wire. Then Eve's taps. Then Eve would see the wire characteristic change when Alice put her resistor on. So she'd know that information. Then she'd see it change again when Bob put his resistor on. So she'd have that information also.

All Alice and Bob would know is the state A

Re:

[tomz16 (992375)]

You are incorrect... If Eve gets to the wire first, then Alice and Bob may not know that there is a tap, but the tap is still worthless. Only the party at an enpoint would know what resistor THEY have put in, allowing them to deduce the resistor used at the other end. The person in the middle would only have the (worthless) piece of information that Alice and Bob differed in the resistor that they chose.

Noise endpoint 1 endpoint 2

High high high
Medium high low
Medium low

Re:

[(negative video) (792072)]

Only the party at an enpoint would know what resistor THEY have put in, allowing them to deduce the resistor used at the other end.

But how do they put in those resistors? With switches. Switches that inject charge onto the output wire when their state changes. Switches with their own resistance and temperature coefficient of resistance. And that is detectable.

High high high
Medium high low
Medium low high
Low low low

Alas, real resistors cannot be perfectly matched; the real wire state table

Re:

[smallfries (601545)]

But he didn't mention eavesdropping, he mentioned man in the middle attacks. Just like a quantum link this is vulnerable to man in the middle attacks when used without a separate authenticated channel.

Moderate +1...

[Joce640k (829181)]

This does nothing to prevent man-in-the middle attacks. If I can get physical access to your wire to eavesdrop I can also cut it completely and put myself in the middle.

Still, it's a nice piece of thinking.

Re:Well, they quote Bruce saying it's good.

[eblot (1108019)]

> Although I don't recall seeing anything about it on his website.
That would be: http://www.schneier.com/crypto-gram-0512.html#15 [schneier.com]

Mod parent up!

[khasim (1285)]

Thanks!

And Bruce does note that it is vulnerable to a man in the middle attack.

MITM...

[SanityInAnarchy (655584)]

I read Schneier's page because I respect the guy, and I figured he'd know what he was talking about. It already seemed trivially vulnerable to a man-in-the-middle attack, but I wanted to see if I was the only one.

Looks like I'm right:

Even more basic: It's vulnerable to man-in-the-middle attacks. Someone who can intercept and modify messages in transit can break the security. This means you need an authenticated channel to make it work -- a link that guarantees you're talking to the person you think you're talking to. How often in the real world do we have a wire that is authenticated but not confidential? Not very often.

He actually details a few more problems:

For those keeping score, that's four practical problems: It's only link encryption and not end-to-end, it's bandwidth-limited (but may be enough for key exchange), it works best for short ranges and it requires authentication to make it work. I can envision some specialized circumstances where this might be useful, but they're few and far between.

But then, I guess it's the best we've got:

But quantum key distributions have the same problems. Basically, if Kish's scheme is secure, it's superior to quantum communications in every respect: price, maintenance, speed, vibration, thermal resistance and so on.

Re:

[nacturation (646836)]

Little known Bruce Schneier fact: [geekz.co.uk] he cryptanalyzed this in his sleep, he just forgot the answer when he woke up.
 

Re:

[Yvanhoe (564877)]

I think here the conditions are the same as the typical quantum crypto test : the goal is to secure a line, not a connection

Re:

[RazzleDazzle (442937)]

Note: Did not RTFA

Does it work with wireless?

Re:

[bytesex (112972)]

No. Obviously, that's not what I meant. I mean that the higher level, routable protocol on top of ethernet would become unroutable, because it's the lower level ethernet that has to be aware, between to electrical endpoints, of my security wishes. Since I can't expect to be able to export those wishes beyond the borders of my network, I'd have a problem. Also, I'd have to have much tighter integration between the levels in my network, as security is usually negotiated on the highest levels, whereas elec

Re:Cool.

[Architect_sasyr (938685)]

I'm friends with one of the team working on the single electron quantum crypto thingy (hey, it's beyond my brain and I'll admit it). They run the cryptography between secured nodes. So, based on that and my vague recollection of how it works, the Quantum boys have it non-routable too... it's a point-to-point security chain... the end point's are what is vulnerable, but there is no way to sniff between them (think of it as the Tor nodes are vulnerable to a malicious server, but not the link between them).

Hope that clears up any debate this would generate.

And I don't know about the rest of the community, but I read the original post and thought "yep, got it in one". Apparantly I understand these things a little better than most.

broken link

[by Anonymous Coward]

Try this:

http://www.newscientist.com/channel/tech/mg1942605 5.300?DCMP=NLC-nletter&nsref=mg19426055.300 [newscientist.com]

dupe?

[roguegramma (982660)]

Seems to me to be a dupe of http://it.slashdot.org/article.pl?sid=05/12/10/171 4256 [slashdot.org]

Well, yes, it *is* a dupe, but...

[Hobart (32767)]

Seems to me to be a dupe of http://it.slashdot.org/article.pl?sid=05/12/10/171 4256 [slashdot.org]

...you have to understand, that when the algorithm was first published, Bruce Schneier roundhouse kicked it so hard it just completed its eighteen month trip around the sun, and arrived back at the frontpage.

--
Slashcode bug # 497457 - unfixed since December 2001 - Go look it up [sourceforge.net]!

Security through Lack of Reference?

[vertigoCiel (1070374)]

From what I can gather from the summary (the New Scientist domain seems to be blocked by the PRC to those in China, so I can't RTFA), the security of this lies in the fact that Eve cannot seperate the message from the inherent thermal noise of the channel. However, wouldn't she be able to decode the message by trial and error by hooking her own resistors? Surely she doesn't have to have identical resistance just around 10 or 100 Ohms of the average.

Could someone correct me if I'm wrong (which I think I am)?

Re:

[26199 (577806)]

It's a bitstream -- high/low resistance being one and zero -- and to get the message back you need to guess exactly the sequence of ones and zeros as Alice or Bob used.

If you guess the wrong sequence you don't get any indication that your guess was wrong -- you just get the wrong message. Similar idea to a one-time pad; if you use the wrong decryption key you can get any message at all with no indication that it wasn't the right message.

Re:

[asuffield (111848)]

Of course, there doesn't seem to be any reason to bother, because you can get exactly the same effect in software with a simple Diffie-Helman key exchange [wikipedia.org] (and that's probably more secure anyway, because it doesn't rely on the precision of hardware resistors). The essential security properties appear to be identical: a secure channel is established between two endpoints, but the identify of those endpoints is not authenticated in any way, so all you know is that you're securely talking to somebody.

In both c

Re:

[SLi (132609)]

The difference of course being that not being able to crack Diffie-Hellman relies on the difficulty of calculating something, but cracking it is definitely computable, while in a quantum crypto cracking it even given infinite time is physically impossible, if you use the generated key data as a one time pad. To me that difference seems in a sense quite significant, but then I'm a theoretical computer scientist :-)

It only works on a direct connection

[by Anonymous Coward]

The system works because the sender and receiver have a direct electrical connection. If you have such a connection, that means that you have an unbroken wire between the two with nothing else connected to the line. You usually don't even get such a connection if you lease cables from the telephone company. The only way such a connection exists is if the wire is owned by the organization that employs the sender and receiver.

Under the conditions stated above, cryptography isn't very important. The most i

Man in the middle

[anwyn (266338)]

This is a secure way to agree to agree on a one-time pad, or other key, but it is subject to man in the middle attacks. How does fred know that it is alice other end of the line switching resistors, or is it darth the man in the middle swiching resistors?

TFA (someone said it was /.'ed)

[milo_a_wagner (1002274)]

SPYING is big business, and avoiding being spied on an even bigger one. So imagine if someone came up with a simple, cheap way of encrypting messages that is almost impossible to hack into? American computer engineer Laszlo Kish at Texas A&M University in College Station claims to have done just that. He says the thermal properties of a simple wire can be exploited to create a secure communications channel, one that outperforms quantum cryptography keys. His cipher device, which he first proposed in 2005, exploits a property called thermal noise. Thermal noise is generated by the natural agitation of electrons within a conductor, which happens regardless of any voltage passed through it. But it does change depending on the conductor's resistance. Kish and his collaborators at the University of Szeged in Hungary say this can be used to securely pass information, or an encryption key, down any wire, including a telephone line or network cable. In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use. A quarter of the time they will both choose the high resistor, producing a lot of noise on the line, while a quarter of the time they will both choose the low resistor, producing little noise. If either detect a high or a low amount of noise in the line, they ignore any communication. Half the time, however, they will choose differently, producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say (http://www.arxiv.org/abs/physics/0612153). That message is also secure. For a start, as Kish notes, it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line. If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0. What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know that someone is listening in. Kish and his team have now successfully built a device that can send a secure message down a wire 2000 kilometres long, much further than the best quantum key distribution (QKD) devices tried so far. Tests show a signal sent via Kish's device is received with 99.98 per cent accuracy, and that a maximum of just 0.19 per cent of the bits sent are vulnerable to eavesdropping. The error rate is down to the inherent resistance of the wire, and choosing a larger wire in future models should help reduce it further. However, this level of security already beats QKD. What's more, the system works with fixed lines, rather than the optical fibres used to carry photons of light at the heart of quantum encryption devices. It is also more robust, as QKD devices are vulnerable to corruption by dust, heat and vibration. It is also much cheaper. "I guess it's around a hundred dollars, at most," Kish says. "This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum."

Already Broken

[by Anonymous Coward]

It can be attacked passively: http://arxiv.org/pdf/physics/0601022 [arxiv.org]

Old news: Broken, rebutted, broken, rebutted again

[sidney (95068)]

The original article was published (and talked about in /., see Related Article link) back in 2005. The paper you cited claiming a break was replied to by the original author, and there have been a number of other papers back and forth since. The technique has credibility. As Bruce Schneier pointed out this technique if it works is no worse than quantum cryptography and is a lot simpler and cheaper, but it has all the other deficiencies of quantum cryptography. The author claims no more than that. He rebuts

Re:Old news: Broken, rebutted, broken, rebutted ag

[(negative video) (792072)]

As Bruce Schneier pointed out this technique if it works is no worse than quantum cryptography ...

This technique is worse. Quantum cryptography** lets you know the extent to which your shared key has been decloaked, providing a rational basis for reusing chunks of the (expensive) one-time pad.

**A bad name. It really ought to be called quantum exposure detection.

crappy crappy method

[timmarhy (659436)]

This can only be applied where there's a direct electrical connection, hence ruling out it's usefulness in any real application. even IF this were applied via some software protocol it does nothing to validate that alice is actually alice and not the feds.

Speed of light?

[The New Andy (873493)]

If you had two sniffing devices, one near Alice, one near Bob then I speculate that if the frequency of the devices is high enough then they will be able to tell who had which resistor active.

This reminds me of another crypto method where the receiver adds noise to the line. The theory is that they know what the noise is, so they can remove it, but Eve can't get it because she doesn't know what the noise was. It falls down under the same attack because the signal is only propagated at the speed of light, not instantaneously.

Alice and Bob should just get a room

[WhoBeDaPlaya (984958)]

'nuff said :)

Random noise.

[Frozen Void (831218)]

Why not use randomly generated numbers,and insert data into the stream using its own contents as location pointer?(which i did with some ciphers http://www.invisionplus.net/forums/index.php?mforu m=stormtower&showtopic=5 [invisionplus.net] )

Re:

[Frozen Void (831218)]

From http://random.org/ [random.org] which is ok for expirementing i guess.For real-world applications,hardware RNGs are required.

Is Schneier enough of an electrical engineer ?

[udippel (562132)]

... or better: is Kish any electrical engineer ?
To me, this whole matter with his formulae of the noise of a resistor is just hocus pocus; as much as the math is correct. But any reasonable electrical engineer knows these ...
What Kish rather seems to propose, is the injection of noise into a link; noise at two levels, nevermind if they are derived from a resistor, short-circuited or not, or any other noise generator.

Over. What he then says is the following:
If Alice sends high noise level ('H'), Bob will send low ('L') noise level; and vice versa.
The man-in-the-middle will have tri-state noise: LL,LH/HL,HH. LL and HH are out. The assumption in that paper, hidden behind a lot of barrage, is: LH and HL will appear identical to the eaves-dropper. Alice. however, when sending L, can pass an information quantum (since Bob will switch to H, knowing Alice sends L); while Alice sending H, Bob will switch to L, knowing Alice sends H).
The theory of Kish is, that Eve will have no clue if she intercepts HL or LH. Which only works in theory.
Because any electrical engineer deserving his title will tell you that those sources won't produce noise of identical spectrum in the first place. Therefore, the spectra will change, giving you a sequence of jumps. The maximum you have to do is toggling ... . Furthermore, if Eve1 and Eve2 listen in a distance of only a few meters, they can auto-correlate the signal(s) and find the direction from which it travels. No, that is even simple, because the levels - as we know - are H and L. So the autocorrelation of H can be found out without much ado; either H travels right-to-left or left-to-right. Voilà. L doesn't disturb the autocorrelation function. Along the line, any line, higher spectral components are reduced; another rule all electrical engineers know: any practical system is by default a lowpass. When Eve1 and Eve2 simply record the signal, close to Alice and close to Bob, they can find out where the higher spectral components are to be found. Meaning, the sender of H is known.

Much ado about nothing, me thinks ...

Re:

[jmv (93421)]

Furthermore, if Eve1 and Eve2 listen in a distance of only a few meters, they can auto-correlate the signal(s) and find the direction from which it travels.

Not even a need to auto-correlate. If you measure both the current and voltage in one point of the transmission line, you can figure out which way the signals are going. On top of that problem, I can't really see that method scale in the Gbps, while I can easily imagine the single-photon methods scaling that high.

What would this be good for?

[grumbel (592662)]

What would this or quantum cryptography be good for in practical terms? From what I understand they only work for a single connection, i.e. when Alice wants to talk to Bob they have to have a wire running from one to another. Which means that range is rather limited and it also means it would be easy to attack. Somebody could simply cut the wire and thus forcing Alice and Bob to fall back to other insecure means of communication or to not communicate at all.

Are there ways to use these secure channels to build a real redundant network where traffic could be rerouted when lines fail? Or would the routers end up being the weak spot? Making it just as insecure as every other network?

Are there any other types of uses where those connections might be useful or are they no more theoretical toys?

Re:What would this be good for?

[evilviper (135110)]

What would this or quantum cryptography be good for in practical terms?

Two offices, say, across town, that want to communicate very securely.

Somebody could simply cut the wire and thus forcing Alice and Bob to [...] not communicate at all.

When would that possibly be a problem? That would basically require some strange situation with a totalitarian government that wants to disrupt communications between two end points, but apparently doesn't actually want to get access to the unencrypted information itself.

If it's just some rival company trying to disrupt service, a line crew goes out, fixes the line, and they're back up and running before they even want/need to change the encryption key.

And what would be the point, since you could just as easily cut the other communications lines (eg. OC3s), the power lines, etc., etc.

Re:

[grumbel (592662)]

### When would that possibly be a problem? That would basically require some strange situation with a totalitarian government that wants to disrupt communications between two end points, but apparently doesn't actually want to get access to the unencrypted information itself.

The point is: When I disrupt your valuable crypto channel long enough you simply can't use it and have to fall back to other means of less secure means of communication which I then can intercept.

### And what would be the point, since y

Know who uses this?

[kulakovich (580584)]

I'm pretty sure this is how the cosmic microwave background radiation [wikipedia.org] is generated.

~kulakovich

Impenetrable == Unsinkable

[MajorBlunder (114448)]

The result could be an effectively impenetrable way of securing communications, possibly outperforming quantum cryptography keys.

When I read this, I had a flash back to a Dr. Who episode.(paraphrasing)

Army General: Trust me doctor this place is impenetrable.

Doctor: The problem with impenetrable is that it sounds too much like unsinkable.

Army General: Well whats wrong with that?

Doctor: Ask the passengers of the Titanic.

I always get a little bit itchy whenever people start throwing superlatives around like unbreakable, impenetrable, etc. Nature, Human ingenuity, or Human stupidity all have a nasty habit of proving us wrong.

Obligatory

[hcdejong (561314)]

Inconceivable!

Not worth 2c of consideration

[by Anonymous Coward]

FTA the reasoning is: "...

[a] it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line.

[b] If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0.

[c] What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know tha

one time pad

[drDugan (219551)]

This looks interesting, great. But as long as we're in the "what is better than what" game, how is this any better than one-time pad?

If you're going to go to the work of putting down a single, dedicated wire with two fixed endpoints - it would seem a lot easier for Alice and Bob to just meet, generate 2 identical random pads (with current disks, 1TB is easy) an then Alice and Bob communicate securely until they meet next. Done.

Seriously, what keeps an attacker from just cutting the wire? Poof! no more ch

Beats quantum crypto...

[The Living Fractal (162153)]

At being hyped beyond its true usefulness!

I belive congrats are in order.

TLF

Re:

[asobala (563713)]

It sounds like Alice and Bob need to coordinate in advance when they will use their low and high resistors. In which case, they're using a one-time pad and already secure.

No. (rtfa?) It's very similar to quantum cryptography, just without the quantum.

When the bit is created, you have no info

[benhocking (724439)]

When a bit is created, all the eavesdropper knows is that one person chose high-resistance and the other person chose low-resistance. Alice and Bob know this, too. However, since they know which setting they chose (or, more accurately, their computer does), it's a simple matter of deducing what setting the other person chose. For the eavesdropper to deduce what Alice chose, he has to know what Bob chose - but to deduce what Bob chose he has to know what Alice chose.

PAIRS of resistors

[Etherwalk (681268)]

Identical pairs of resistors.

I read it the same way you did at first; it's poorly worded.

This sounds like it's someone trying to think outside the box, given a basic knowledge of quantum cryptography. "Well, what else sort of works like light polarization? What is there that, if intercepted, doesn't give the interceptor any more information than said polarization does in the case of quantum cryptography?"

Of course, one of the advantages of quantum is that you can Detect eavesdroppers, because if they listen to more than a few bits they flip more of your bits than probability would reasonably allow for. It isn't only about how much information the eavesdropper can obtain--it's about whether or not you'll realize they're there.

Re:

[gnasher719 (869701)]

'' So a transmission hidden in noise is new again? ''

No, there is nothing hidden in the noise. What A and B and anyone listening in can measure is whether there is a small amount of noise, a medium amount of noise, or a huge amount of noise. There is nothing hidden in the noise. But if there is a medium amount of noise, then all I know as someone listening in is that one side sent a 0 and the other side sent a 1. I don't know _which_ side sent the 0 and which one sent the 1. A and B who were sending the da

Re:

[Goaway (82658)]

Maybe you should try to attack the actual method, and not the verbal description of it.