Simple Comm Technique Beats Quantum Crypto

Atario wrote us with a link to a New Scientist article about an innovative new way of encrypting communications. An engineer at Texas A&M may have a way to exploit the thermal properties of a wire to create a secure channel. The result could be an effectively impenetrable way of securing communications, possibly outperforming quantum cryptography keys. "In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use ... Half the time ... they will choose different [resistances], producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say."

broken link

[Anonymous Coward]

Try this:

http://www.newscientist.com/channel/tech/mg1942605 5.300?DCMP=NLC-nletter&nsref=mg19426055.300 [newscientist.com]

dupe?

[roguegramma]

Seems to me to be a dupe of http://it.slashdot.org/article.pl?sid=05/12/10/171 4256 [slashdot.org]

Well, they quote Bruce saying it's good.

[khasim]

From TFA:

"This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum."

Although I don't recall seeing anything about it on his website. Bruce knows a lot more than I do, but this just sounds weird.

And not just Ethernet. Any wire that has a repeater or relay or amplifier sounds like it would break this.

And don't forget man in the middle attacks. If Eve or Mallory get to the wire first, then the "normal" wire state that Alice and Bob see will include their taps.

Re:Well, they quote Bruce saying it's good.

[Lagged2Death]

If Eve or Mallory get to the wire first, then the "normal" wire state that Alice and Bob see will include their taps.

Eavesdropping on this wouldn't do any good. From an eavesdropper's point of view, there are three noise levels, two of which mean nothing and one of which means a bit has just been transferred from A to B or from B to A. An eavesdropper can't tell which direction the bit is going or what the value of the bit was.

Re:Cool.

[bytesex]

No. Obviously, that's not what I meant. I mean that the higher level, routable protocol on top of ethernet would become unroutable, because it's the lower level ethernet that has to be aware, between to electrical endpoints, of my security wishes. Since I can't expect to be able to export those wishes beyond the borders of my network, I'd have a problem. Also, I'd have to have much tighter integration between the levels in my network, as security is usually negotiated on the highest levels, whereas electrical current is the lowest. Did I formulate it precisely enough for your preferences now ?

TFA (someone said it was /.'ed)

[milo_a_wagner]

SPYING is big business, and avoiding being spied on an even bigger one. So imagine if someone came up with a simple, cheap way of encrypting messages that is almost impossible to hack into? American computer engineer Laszlo Kish at Texas A&M University in College Station claims to have done just that. He says the thermal properties of a simple wire can be exploited to create a secure communications channel, one that outperforms quantum cryptography keys. His cipher device, which he first proposed in 2005, exploits a property called thermal noise. Thermal noise is generated by the natural agitation of electrons within a conductor, which happens regardless of any voltage passed through it. But it does change depending on the conductor's resistance. Kish and his collaborators at the University of Szeged in Hungary say this can be used to securely pass information, or an encryption key, down any wire, including a telephone line or network cable. In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use. A quarter of the time they will both choose the high resistor, producing a lot of noise on the line, while a quarter of the time they will both choose the low resistor, producing little noise. If either detect a high or a low amount of noise in the line, they ignore any communication. Half the time, however, they will choose differently, producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say (http://www.arxiv.org/abs/physics/0612153). That message is also secure. For a start, as Kish notes, it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line. If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0. What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know that someone is listening in. Kish and his team have now successfully built a device that can send a secure message down a wire 2000 kilometres long, much further than the best quantum key distribution (QKD) devices tried so far. Tests show a signal sent via Kish's device is received with 99.98 per cent accuracy, and that a maximum of just 0.19 per cent of the bits sent are vulnerable to eavesdropping. The error rate is down to the inherent resistance of the wire, and choosing a larger wire in future models should help reduce it further. However, this level of security already beats QKD. What's more, the system works with fixed lines, rather than the optical fibres used to carry photons of light at the heart of quantum encryption devices. It is also more robust, as QKD devices are vulnerable to corruption by dust, heat and vibration. It is also much cheaper. "I guess it's around a hundred dollars, at most," Kish says. "This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum."

Re:Well, they quote Bruce saying it's good.

[eblot]

> Although I don't recall seeing anything about it on his website.
That would be: http://www.schneier.com/crypto-gram-0512.html#15 [schneier.com]

Already Broken

[Anonymous Coward]

It can be attacked passively: http://arxiv.org/pdf/physics/0601022 [arxiv.org]

crappy crappy method

[timmarhy]

This can only be applied where there's a direct electrical connection, hence ruling out it's usefulness in any real application. even IF this were applied via some software protocol it does nothing to validate that alice is actually alice and not the feds.

Speed of light?

[The New Andy]

If you had two sniffing devices, one near Alice, one near Bob then I speculate that if the frequency of the devices is high enough then they will be able to tell who had which resistor active.

This reminds me of another crypto method where the receiver adds noise to the line. The theory is that they know what the noise is, so they can remove it, but Eve can't get it because she doesn't know what the noise was. It falls down under the same attack because the signal is only propagated at the speed of light, not instantaneously.

Re:Cool.

[Architect_sasyr]

I'm friends with one of the team working on the single electron quantum crypto thingy (hey, it's beyond my brain and I'll admit it). They run the cryptography between secured nodes. So, based on that and my vague recollection of how it works, the Quantum boys have it non-routable too... it's a point-to-point security chain... the end point's are what is vulnerable, but there is no way to sniff between them (think of it as the Tor nodes are vulnerable to a malicious server, but not the link between them).

Hope that clears up any debate this would generate.

And I don't know about the rest of the community, but I read the original post and thought "yep, got it in one". Apparantly I understand these things a little better than most.

Re:Security through Lack of Reference?

[asuffield]

Of course, there doesn't seem to be any reason to bother, because you can get exactly the same effect in software with a simple Diffie-Helman key exchange [wikipedia.org] (and that's probably more secure anyway, because it doesn't rely on the precision of hardware resistors). The essential security properties appear to be identical: a secure channel is established between two endpoints, but the identify of those endpoints is not authenticated in any way, so all you know is that you're securely talking to somebody.

In both cases, you can authenticate the endpoints by prior exchange of key material. I can't see why you would want to do this in complicated, strange hardware when you can do it perfectly easily in existing software. This is the method by which ssh operates, if you have validated the host key correctly, or SSL/TLS, if you have provided the appropriate certificates.

The point of quantum encryption was that we might someday be able to prove it cannot be broken, if we can show that quantum physics works how we think it does (we are uncertain whether Diffie-Helman can be broken, like all other modern cryptographic algorithms, and have no idea whether we'll ever be able to prove it secure). No such proof appears possible with this method.

Re:Sure they can.

[tomz16]

You are incorrect... If Eve gets to the wire first, then Alice and Bob may not know that there is a tap, but the tap is still worthless. Only the party at an enpoint would know what resistor THEY have put in, allowing them to deduce the resistor used at the other end. The person in the middle would only have the (worthless) piece of information that Alice and Bob differed in the resistor that they chose.

Noise endpoint 1 endpoint 2

High high high
Medium high low
Medium low high
Low low low

You throw out the high/low noise cases. In order to know what the other person is doing in the medium case you need to know what resistor YOU put in!

-Tom

P.S. one of my professors proposed this method during a casual conversation a few years back. It's and idea that has been kicked around for a while, and in my opinion is very solid.

P.P.S. there is no directionality to the signal here.

Re:Already Broken

[Anonymous Coward]

Not only that but it was broken just a month or so after the initial announcement (which by the way was over a year ago).

Old news.

I'm always amazed by these people that make such outrageous claims like unbreakable encryption. Considering all the the bizarre stuff that has been done in breaking systems I can't imagine claiming something like this. There is always a way to break it, always. I imagine even quantum cryptography is breakable, that is if we ever get a practical system.

Arguments from last time..

[Anonymous Coward]

Many holes were picked in this scheme last time it appeared on Slashdot (in 2005), and Laszlo Kish responded to some of the criticisms in this Web log comment thread [sooke.bc.ca].

MITM...

[SanityInAnarchy]

I read Schneier's page because I respect the guy, and I figured he'd know what he was talking about. It already seemed trivially vulnerable to a man-in-the-middle attack, but I wanted to see if I was the only one.

Looks like I'm right:

Even more basic: It's vulnerable to man-in-the-middle attacks. Someone who can intercept and modify messages in transit can break the security. This means you need an authenticated channel to make it work -- a link that guarantees you're talking to the person you think you're talking to. How often in the real world do we have a wire that is authenticated but not confidential? Not very often.

He actually details a few more problems:

For those keeping score, that's four practical problems: It's only link encryption and not end-to-end, it's bandwidth-limited (but may be enough for key exchange), it works best for short ranges and it requires authentication to make it work. I can envision some specialized circumstances where this might be useful, but they're few and far between.

But then, I guess it's the best we've got:

But quantum key distributions have the same problems. Basically, if Kish's scheme is secure, it's superior to quantum communications in every respect: price, maintenance, speed, vibration, thermal resistance and so on.

Old news: Broken, rebutted, broken, rebutted again

[sidney]

The original article was published (and talked about in /., see Related Article link) back in 2005. The paper you cited claiming a break was replied to by the original author, and there have been a number of other papers back and forth since. The technique has credibility. As Bruce Schneier pointed out this technique if it works is no worse than quantum cryptography and is a lot simpler and cheaper, but it has all the other deficiencies of quantum cryptography. The author claims no more than that. He rebuts the arguments in the paper you linked to by showing that the amount of information leakage is less than that from a practical (as opposed to theoretically ideal) quantum cryptography system, and so can be dealt with using the same privacy-enhancing post-processing that has to be used with quantum crypto.

I agree with Schneier's assessment of quantum crypto as a solution in search of a problem, and this appears the same, although much cheaper to implement.

The most recent paper on the topic was a plenary talk [arxiv.org] given by the author last week at a conference in Italy. The references in that paper will give you the complete list of papers arguing with his results and his responses to those arguments.

Broken Nine Months Ago

[Anonymous Coward]

http://www.lightbluetouchpaper.org/2006/10/08/kish s-totally-secure-system-is-insecure/ [lightbluetouchpaper.org]