Supposedly ultra-secure quantum cryptography systems aren't so secure
September 1, 2010
Security researchers using various hardware hacking techniques have discovered new generic flaws in supposedly ultra-secure quantum cryptography systems that were said to be 'hacker-proof' and now have the IT and Internet security community up in arms.
The basic security of quantum cryptography relies on using the fundamental properties of quantum physics for quantum key exchange. Any attempt to monitor this exchange would inevitably be detected as increased noise on the line, and the data exchange would be abandoned.
That principle still remains solid, and the attack, like others before it, relies on exploiting implementation flaws that may or may not work, depending on the particular way they are initiated by the potential attacker.
However, this particular crypto-busting technique, which uses off-the-shelf but expensive hardware, relies on remotely manipulating a photon detector at the receiver's end of a supposedly secure link.
Complex commercial systems, MagiQ Technology's QPN 5505 and ID Quantique's Clavis2, were demonstrated yesterday to be potentially vulnerable by a team of Internet security professionals and computer scientists from Norway and Germany.
Researchers from Norwegian University of Science and Technology (NTNU), the University of Erlangen-Nürnberg and the Max Planck Institute for the Science of Light in Erlangen are working with manufacturers to develop countermeasures.
The critical security flaw - which relies on specially tailored bright illumination - is likely to be common in most QKD systems using avalanche photodiodes to detect single photons, the researchers warn.
Dr Vadim Makarov, a researcher in the Quantum Hacking group at NTNU, says, “Unlike previously published attempts, this particular attack is implementable with current off-the-shelf hardware components. Our eavesdropping method worked both against MagiQ Technology's QPN 5505 and ID Quantique Clavis2 systems, which is particularly disturbing to us in terms of security.”
The successful hacking attempt pulled off by the team is complex, however, and might involve an initial outlay of about $50,000 or more, potentially within the reach of industrial spies and certainly within the scope of government intelligence agencies like the CIA and the KGB.
Quantum key distribution systems became commercially available in 2004 and 2005 and are used for the secure exchange of highly sensitive material by banks and governments, so anyone serious about attacking them would certainly need a major up-front investment in equipment, hardware, software and overall expertise.
The security researchers have published their preliminary findings in a letter to the August 29 edition of academic journal Nature Photonics.
Source: The Norwegian University of Science and Technology.