Hackers Eavesdrop On Quantum Crypto With Lasers

Martin Hellman writes "According to an article in Nature magazine, quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission —' they have fully cracked their encryption keys, yet left no trace of the hack.'"

Re:pwned

[PseudonymousBraveguy]

No, it IS a huge problem. If you turn a quantum computing system into a classical system, you basically revert it to sending the key in plaintext. While it does not break the theory of quantum encryption, breaking all (commonly) available implementations of quantum crypto should be enough to be qualified as "huge kick in the balls".

Re:It seems that you could detect this

[PseudonymousBraveguy]

Yes, and if I understand the article correctly, the manufacturers developped a patch to fix the hole.

However, the hack shows (once again), that a system may be secure in theory, but actual implementations of that system may, and will, have bugs that render them insecure. This negates one of the most strong arguments for quantum crypto, i.e. the "proveable" security. If that argument does not hold, you could as well use any common "classical" key exchange algorithm, which also delivers "good, but not 100%" practical security, does not need fixed point-to-point fiber and expensive equipment, and is probably much better tested than the quantum systems.

Re:Commercial Systems

[KiloByte]

Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

a kick in the balls

[davidwr]

A kick in the balls (breaking all current implementations) is not the same as cutting them out and mounting them in a trophy case (proving there can be no secure implementation).

Either one hurts though.

Why 'hackers' and not 'researchers'?

[RevWaldo]

Even respecting the working-all-day-and-night-in-the-basement-computer-lab origin of the term, using 'hacker' in the article seems like a blatant attempt to jazz it up, making it at first glance seem to be more about something akin to bank heist than a story about funded researches working in a university lab trying to find flaws in a security system, with the manufacturer's full approval to boot.

.

Re:not really that bad

[boxwood]

Yeah the good guys inform the company of the hack. The question is how many bad guys were aware of this before now, and for how long?

It took these guys two months in a university lab to figure this out. How long do you suppose it took the NSA (and their counterparts in other countries) who have much bigger budgets?

This research proves that if you're using these devices, the NSA has your data.

Re:It seems that you could detect this

[PseudonymousBraveguy]

No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free,

It's not only the software. There's a lot of hardware involved, most of which could have bugs of some kind (e.g. for this hack you'd have to prove that your sensor can reliably detect that it's still in "quantum mode"). And after you have proven a lot of properties off all your hard- and software, you'll have to prove that all those properties are actually sufficient for achieving perfect security.

Re:Lessons

[Interoperable]

It's a pretty damn big loophole. They used a 1 mW beam which is about as powerful as a laser pointer. That's many orders of magnitude larger than a single-photon level signal and should be very easy to detect. Not noticing a milliwatt of light hitting the detector in a quantum scheme is something like leaving a key written in plain text on a sticky note on your monitor and being shocked when your key is "hacked."

Re:Well, there's always the "Gitmo" attack

[tibit]

Logic whoosh.

No matter how uneasy, not-quick and not-cheap the torture is, you won't get information that isn't there. That's all I claim, yet you somehow feel the need to muddy the waters.

I'm very clear: I claim that there is/was a bunch of people in Gitmo who in fact know nothing, and who are held solely on an informant's paid (in money or in kind) claim that they, to the contrary, do know something.

You can have $1 billion per detainee and use all the tricks that anyone knows, or had known (think ancient tribes who maybe had better/other tricks we haven't found yet) -- if the detainee doesn't know, you won't get to know either. You may kill the detainee, break the bank, go insane, what the eff ever. The only way to get the information you seek is if the detainee has infinite lifetime, and he/she starts enumerating all possible stories. By the infinite monkey theorem, you will get what you're looking for, but it's hard to say whether it'll happen before our Universe dies a heat death.

If you argue otherwise, you should hand your geek card back.