Behind the First Secure Quantum Crypto Network
schliz writes "Researchers behind the world's largest quantum encrypted network said the technology could secure business networks inside six years. The prototype Quantum Key Distribution network was built by the Secure Communication Based On Quantum Cryptography (SECOQC) group last year. It is described in a journal paper published by the Institute of Physics this week, which includes details on how it is based on the trusted-repeater paradigm."
Not at those speeds (Score:4, Insightful)
Re: (Score:3, Interesting)
Well, that and ensuring that the keys are unobserved.
Re: (Score:2)
Re: (Score:3, Insightful)
There is nothing excellent about it. Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper. In addition, the claimed security is wishful thinking. All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.
Re: (Score:1)
Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links.
Well, the point of the SECOQC network is to demonstrate a network with routing capabilities. It is a network that consists of many point-to-point links.
All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor. We cannot exclude the possibility that if someone is able to put the fiber through a wormhole, something strange would happen, but from a bright PhD student imagining this possibility to
Re: (Score:3, Interesting)
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.
I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means yo
Re: (Score:1)
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.
I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.
During the "hardware phase" of a quantum key exchange there is a certain amount of noise that has to be corrected due to imperfections in the channel, and that means that in practice some information leakage is always possible. The apparatus therefore estimates the maximum possible amount of information leakage (making sure it is overestimated rather than underestimated) and performs "privacy amplification" to make sure that this information is useless to an eavesdropper (this lowers the key rate
Re: (Score:2)
Re: (Score:2)
There is nothing excellent about it. Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links. If you look at what made the Internet great, you can see that this is a show-stopper.
This isn't much different from how your credit card & ATM transactions are processed.
You're focusing on the network too much rather than the trust model. Instead of all our banks trusting each other directly and sharing keys with each other (way too many banks in the world, and the key exchange process is nothing to joke about), a bank trusts one or more switches, which trust one or more switches, which trust other banks. AFAIK, the actual network connections are private circuits. Did you know that t
Re: (Score:1)
1kbps should be good enough to exchange secret keys for "real world" cryptography.
This should be used in place of Asymmetric-key cryptography.
Once you know that the secret key has not been eavesdropped then you can use regular symmetric-key cryptography over faster but unsafe communication channels.
The goal of secure quantum networks is to substitute asymmetric-key cryptography, not in place of symmetric-key cryptography.
The length of a symmetric-key for AES-256 is... 256 bits... so 1kbps for that is good e
Re: (Score:2)
So what? You only need to transfer the *keys*. Not the data! The data is safe, because the keys are safe. I thought that was the point, wasn't it?
1kbps is low throughput but... (Score:2)
If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh could be done via the quantum interface, then the negotiated session key could be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)
I can see running these two networks
Re: (Score:2)
Exactly. With an out-of-band channel for the encryption keys, you could build something pretty secure easily. Even timesharing a 1kbps secure key exchange network on a one-transaction-per-minute basis would be pretty useful. Of course, there are tons of issues with trusting that link supplier in the first place, and m
Re: (Score:2)
If one ran the quantum encrypted backbone on one adapter of machines, and normal Internet stuff on another, perhaps the handshakes and the key exchange for large volume data transfers over SSL or ssh could be done via the quantum interface, then the negotiated session key could be used over the Ethernet link. This way, should a private key be compromised or broken on a host it would not affect future communications (assuming the security hole is patched and the machine re-secured.)
The whole point of public key cryptography is that the encryption setup is secure, even if an attacker is able to watch every byte that gets exchanged. If your private keys are compromised, then having transmitted the private keys over an unbreakable quantum link doesn't really matter at that point because the only solution is to revoke the keys and reissue new ones.
If you really need maximum security, then use 8192 bit public key encryption... nobody's going to be breaking that any time soon.
Re: (Score:2)
The advantage of the dual link setup is that public key cryptography can be done away with altogether. Public key cryptography as of now is secure, but there are worries about it, from theoretical algorithms that speed up factoring, to very large key sizes and large amounts of computations required for larger keys (Big O for larger key sizes is N^3, so an 8192 bit key would require 64 times as much CPU power as a 2048 bit key.)
Of course, because the two machines negotiate a key over a secure connection, th
Excuse me, but... (Score:5, Informative)
Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.
Re: (Score:3, Insightful)
Now, if suddenly everybody had a quantum computer that could break RSA in polytime, there might be a point to this, but they don't, so there isn't - not that I can see.
If suddenly is in say 10 years' time, then doing this research that will be much more feasible in 6 years' time seems pretty smart to me. Just because the technology isn't here now doesn't mean it isn't worth preparing for its arrival.
Re: (Score:2)
But say you have two black boxes. The first uses Diffie-Hellman to exchange a key for subsequent AES encryption; the second exchanges a one time pad using quantum cryptography. What's the advantage of the second? In a passive attack (snooping alone), the snooper can't break Diffie-Hellman. In an active attack (man-in-the-middle), quantum crypto fails as well: I j
Re: (Score:2)
Re: (Score:3, Interesting)
That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive
Re: (Score:2)
That leaves the case where the channel is insecure. Doing the quantum transmission in one go falls to the man-in-the-middle attack I've detailed: I establish a computer in between, receive A's photons and send my own photons in its stead. I can't clone the photons, but I don't need to: I simply establish one OTP with A (A thinks he's sending that OTP to B), and another OTP with B (B thinks this is A's OTP), and transparently decrypt/encrypt what comes later.
If you're able to convince Alice that you're Bob and convince Bob that you're Alice, then no method of securing data is safe from that MITM attack. That's a fundamental trust issue which cannot be solved by any technology.
If Alice thinks you're Bob, then having Alice whisked to you in one of the NSA's black helicopters and personally hand you the data doesn't really matter, does it? You've already intercepted it, Alice totally trusts you, and you could then copy the data, head over to Bob's place in the N
Re: (Score:2)
They refer to it as a "Trusted Repeater Paradigm" precisely because you can do a man-in-the-middle attack. The repeater is doing man-in-the-middle forwarding with the exposed key. That's why it has to be trusted.
I'm at a loss to find a use case for this.
You need a secured repeater/router every 25 to 50 km, carrying a signal using an expensive technology whose justification can only be that the path between nodes can't be secured. There's a bit of tension between those two.
So where would you use this that a
Re: (Score:2, Funny)
.AES-256 and RSA-3072 is strong enough..
AES-256?
You mean AES-110, right?
Re: (Score:2)
Re: (Score:1, Informative)
AES-192 and AES-256 are weaker than AES-128:
https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf
AES-128 *is* stronger now than AES-256!!! (Score:2)
The parent is correct. I have verified this via
https://cryptolux.org/FAQ_on_the_attacks
Per that FAQ, AES-128 is in fact stronger.
PLEASE MOD PARENT UP!!
--PeterM
Re: (Score:1)
AES-128 is in fact stronger.
Well, in some scenarios it is. The attack is a related key attack (sort of like what can be used against WEP). However, it's still quite strong. From the page:
Q.: Is this attack practical?
A.: No. Even after improvements we are still over 2^100 encryptions, which is beyond the computational power of the human kind. Moreover this attack works in a related key attack model which assumes a more powerful attacker than the single key model.
Re: (Score:2)
This is only a publicity stunt (Score:1, Troll)
Nobody needs quantum key exchange (no, it is not even Cryptography, despite the claims). The data in these links needs to be encrypted with an ordinary cipher anyways, so there really is no need to use something flashy for the key exchange. In addition, nobody knows whether quantum transmission is really as secure as claimed. These are theoretical predictions from a physical theory, and so far all of these have proven to be only partially accurate.
Doing this the conventional way is cheap, fast, reliable an
Re: (Score:2, Informative)
And if you look at them, one is an original post and the other two are replies. Knowing how to read is more than just knowing the letters.
Re: (Score:2, Funny)
What you call a "fact" is a conjecture. Wanting something to be true does not make it so.
Also you do not understand the security model. The assumption is not that "channels are switched", as there are no redundant channels in a standard deployment. The assumption is that the ability to detect eavesdropping will prevent people from trying.
Interesting discrepancy between knowledge of the subject matter and level of aggressiveness in your posting. I suggest seeking professional help.
Bunch of new problems with quantum cryptography (Score:4, Informative)
From what I've been told (I am a physics major, but I don't work in quantum cryptography as my main activity), there's a bunch of other weaknesses inherent to quantum encryption methods.
For example, qubits are mostly transferred through some optical medium. At the receiving end, at some point, they are detected in one way or the other. "Detecting" means they alter the state of the detector in a measurable way. And there are some ideas (maybe even implementations?) of attacks that try to measure the alteration of the detector immediately after the detection, for example by probing with a laser pulse that follows the qubit pulse.
Now due to some limitations of the physics of light pulses, this is something that, if implemented, is very difficult to defend against, since the light always goes both ways. It is also a kind of attack that could not be implemented against "classic" information transmission channels...
...I really find it interesting that every new technology seems to have its inherent weaknesses at one spot or the other -- kinda feels comfortable to know that "There is no silver bullet" still holds... :-)
Re: (Score:2, Informative)
Actually, light does not necessarily go both ways: you can have it go only one way using an "isolator". These are cheap fibre components that are used very commonly. Of course there are some implementation weaknesses in quantum cryptography; an article that examines various protocols is: http://arxiv.org/abs/0802.4155
Re: (Score:2)
Interesting. This detector probing could break the whole thing. Just shows my point that the security claims of "Quantum Key Exchange" (no crypto here) are not up to cryptographic standards, despite me being moderated down above for saying so. Some people seem to really, really want their castle in the sky.
Re: (Score:1)
Interesting. This detector probing could break the whole thing..
Yes, it could if devices allow for this. This has been known for years and no modern device that lets this happen will be taken seriously.
Maginot Line (Score:1)
Maginot Line, folks. Point-to-point encryption is one (important) element of a business network, but it's not sufficient to secure the business network. As such, its implementation would need to be assessed with respect to the total network security budget.
The switches are still trusted (Score:3, Interesting)
This system still assumes the switches are trusted. The point-to-point links have quantum encryption, but that doesn't help in networks with enough stations to need routers.
From a crypto management point of view, secure links between two fixed points are easy. One time keys will work. Networks are much more difficult.
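The trust assumption raised in the comments above, as an added example that is not part of the original thread or of SECOQC's code: a session key forwarded hop by hop under one-time pads, showing that every repeater on the path holds the key in the clear. The relay model, `LinkKeyStore`, `relay_key` and the node names are assumptions made for illustration, and `secrets.token_bytes` stands in for key material a QKD link would produce.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad must be as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

class LinkKeyStore:
    """Key shared by two adjacent nodes. Both ends hold identical copies;
    this simulation uses one object for both."""
    def __init__(self, n_bytes: int):
        # Assumption: random bytes stand in for key produced by a QKD link.
        self._pool = secrets.token_bytes(n_bytes)

    def take(self, n: int) -> bytes:
        # Pad bytes are consumed once and never reused.
        if n > len(self._pool):
            raise RuntimeError("link key exhausted; wait for the link to refill")
        pad, self._pool = self._pool[:n], self._pool[n:]
        return pad

    def remaining(self) -> int:
        return len(self._pool)

def relay_key(path, links, session_key):
    """Forward session_key along path; return (delivered, wire, seen_by)."""
    wire, seen_by = [], {}
    current = session_key
    for sender, receiver in zip(path, path[1:]):
        pad = links[frozenset((sender, receiver))].take(len(current))
        ciphertext = xor(current, pad)  # all a tap on this fibre observes
        wire.append(ciphertext)
        current = xor(ciphertext, pad)  # receiver strips the pad: key in clear
        seen_by[receiver] = current
    return current, wire, seen_by

def demo():
    path = ["A", "R1", "R2", "B"]  # constructed topology: two repeaters
    links = {frozenset(hop): LinkKeyStore(64) for hop in zip(path, path[1:])}
    session_key = secrets.token_bytes(32)  # e.g. an AES-256 key
    delivered, wire, seen_by = relay_key(path, links, session_key)
    return session_key, delivered, wire, seen_by, links, path

if __name__ == "__main__":
    key, delivered, wire, seen_by, links, path = demo()
    print("delivered intact:", delivered == key)
    print("nodes that held the key in clear:", [n for n, k in seen_by.items() if k == key])
    print("bytes left per link:", [s.remaining() for s in links.values()])
```

Each relayed 32-byte key consumes 32 bytes of pad on every hop, so in this model the slowest link bounds the end-to-end key rate.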
For Those Asking "What's the Point?" (Score:1)
Re: (Score:2)
Some remarks:
- quantum key distro is not safe from side channel attacks, in other words, you can get around quantum cryptography as well
- key management is much more important than key distribution
- RSA 2048 is now considered to provide minimum security, not "high end" security
- using a single key for an unbounded conversation is not safe
- the key distro does not cover authentication, so some sort of authentication (e.g. asymmetric crypto) is still needed
What is the value of OTP in modern secure systems? (Score:1, Interesting)
All the quantum component of these systems does is generate the same pairs of random bits between exactly two systems. It's no more complicated than this.
There is an obvious problem in that there is no "quantum trust" scheme possible to know exactly "what" is on either end of the system.
Thus we must still rely on some form of "classical" secret key to enable either side to trust the other.
These systems have the benefit that:
A. Eavesdropping on an established link can be detected -- in practice active MITM atte
Crypto Obsolete? (Score:1)