One of the topics that has tended to surface in discussions about the way forward for computer and communications security is quantum cryptography. This term has been used with various meanings, but the one I have in mind is the use of a communications system, based on principles of quantum mechanics, to provide a secure mechanism for distributing cryptographic keys. (This is also the only version of quantum cryptography that exists as a product today.) The method is based on the physical principle that it is not possible to observe the state of a quantum mechanical system without altering that state.
The idea is this: we have two people who need to exchange secret messages, canonically called Alice and Bob. We assume that some conventional cryptographic system (e.g., AES) is used to transmit the body of the encrypted message; the goal here is for Alice to send Bob the secret key in an unbreakable way. We’ll assume that the key has been represented as a bit string. What Alice does is to send Bob the key one bit at a time, using one photon to represent each bit. Alice applies one polarization to ‘0’ bits, and an opposite one to ‘1’ bits. Even if an attacker (canonically, Eve) intercepts the message, when she measures the polarization of the photons, she will disturb their state, in a way that Bob and Alice can detect. So, in theory, the method is completely secure against undetected interception or tampering.
In a post on his Schneier on Security blog, Bruce Schneier points out an article at Nature News that reports on a successful “man in the middle” attack against two commercial quantum cryptographic systems, described in a paper by Vadim Makarov and his colleagues at the Norwegian University of Science and Technology. The attack does not invalidate the theoretical analysis of the system, but exploits a weakness in the implementation. Essentially, the attack works by using a (relatively) bright light to “blind” Bob’s photon detector.
In Makarov and colleagues’ hack, Eve gets round this constraint by ‘blinding’ Bob’s detector — shining a continuous, 1-milliwatt laser at it. While Bob’s detector is thus disabled, Eve can then intercept Alice’s signal.
The cunning part is that while blinded, Bob’s detector cannot function as a ‘quantum detector’ that distinguishes between different quantum states of incoming light. However, it does still work as a ‘classical detector’ — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.
The paper [abstract, PDF download available] has been published online in Nature Photonics. Again, as the authors are at pains to point out, the attack is against the mechanics of the implementation, not against the theoretical basis of the technique
The loophole is likely to be present in most QKD [quantum key distribution] systems using avalanche photodiodes to detect single photons. We believe that our findings are crucial for strengthening the security of practical QKD, by identifying and patching technological deficiencies..
They are probably correct in thinking that this particular vulnerability in the technique can be fixed. Nonetheless, the result should serve to remind us all that encryption does not exist in a pure theoretical universe; to be useful, it must be part of a system, and that system is only as strong as its weakest link.
It is perhaps useful to remember the example of the “provably unbreakable” method of classical cryptography, the one-time pad. This system, perfectly secure in theory, has been used successfully in some specialized applications, but its practical difficulties have made its use as a general-pupose technique almost impossible. The USSR used it for a time to communicate with KGB agents around the world, but (apparently) had trouble distributing the key “pads”. This led to re-use of some pads (which, for the theory to hold, one must not do), and the cracking of some communications by the NSA.
Theoretical security is a good thing, but it’s the security of the whole system that matters.