
Researchers show how to break quantum cryptography - llambda
http://arstechnica.com/science/news/2011/11/researchers-show-how-to-break-quantum-cryptography-by-faking-quantum-entanglement.ars
======
beloch
That's a completely misleading article. They haven't "broken quantum
cryptography", nor have they claimed to. Yet again, journalists have misled
the public by claiming overly dramatic things that aren't true in order to
sell copy.

Quantum cryptography is completely and fundamentally secure in theory.
However, real world devices don't behave quite like their theoretical
counterparts, and this can create flaws in real world systems. The idiot
journalist did get at least that much right.

A big part of research in quantum crypto these days is finding holes in real-
world implementations so that we can build future systems without those holes.
Kurtsiefer's group had done just that. He hasn't broken quantum cryptography,
he's helped make the real-world implementations of tomorrow more secure. This
evolutionary improvement of a technology in its infancy has happened again and
again, and idiot journalists insist on reporting that "QUANTUM CRYPTO HAS BEEN
BROKEN" every bloody time.

Now, for those of you wondering what good QC is if we can't trust real world
implementations, here's the gist of why, even though we'll probably never
finish making them better, they're still worth using.

If you send a message via conventional factoring based crypto, like RSA, that
message must be viewed as being made public with an undefined delay. Even
without quantum computing on the horizon, decryption algorithms are improving
at a steady pace and making it possible to crack messages encoded in this way.

For example, look at crypto algorithms like DES that, ten years ago, people
thought would take thousands of years to crack given Moore's law growing
computational resources. Wide freakin' open now, thanks to improved cracking
algorithms. Any message sent via classical channels can be copied without your
knowledge, so any message you sent via DES ten years ago could be decrypted
and in anyone's hands without your knowledge. The same thing is true of
anything you send via public key encryption today. Fortunately for most of us,
the information we usually send is only sensitive for a limited period of
time. Who cares if your credit card number is decoded in ten years? You'll
have a new one.

Anyone with long-term sensitive transmissions to make has to look at other
methods of encryption. That's why quantum crypto has early adopters. Now, say
a hole is found in one of these early adopters' systems. Are they screwed? Is
the cat out of the bag? _No_. Thanks to how quantum cryptography works, there
is no possible copy of the transmission that could be cracked with technology
developed later in time, as is the case with public key encryption. Attacks on
quantum systems have to work at the time the message is sent. If a flaw in the
system was not known and an eavesdropper not present and taking advantage of
it at the time a message was sent, it will be secure for all time. That's the
difference. Public key encryption is secure for a while. Quantum encryption is
secure for all time.

~~~
randombit
_For example, look at crypto algorithms like DES that, ten years ago, people
thought would take thousands of years to crack given Moore's law growing
computational resources._

Whitfield Diffie proposed triple DES in 1975 (even before the FIPS was
published), because it was obvious even then that a 56 bit key would not be
sufficient for long term security against attackers with serious
financial/technological resources. EFF's Deep Crack broke a DES key in less
than a day 13 years ago. The AES selection process started in 1998, and a
winner finalized in 2001. I'm not sure where you're getting your history from
here.

~~~
asharp
Also, I believe a good portion of the cryptosystems around DES's time were
intentionally crippled to meet export restrictions so that they were not
classed as munitions. So it would not be so much to say that the cyphers were
weak insomuch as they were defective by design.

------
Egregore
When I developed an RSA-based application I was worried about quantum computers
breaking it (which proved false, I should have worried more about marketing).
Now it seems that there is a flaw in quantum cryptography itself, which
actually is not a cryptography in classical meaning, but rather a way of
securely transmitting data.

~~~
asharp
Actually you would worry more about incorrectly implemented padding or a side
channel attack or something similarly stupid destroying your cryptosystem.
Sad, but true.

~~~
X4
Side-channels are just another way to "see" what is going on, whether it is on
a keyboard, hard-disk, display, videoboard, CPU, bus, controller, etc.

You've got execution time (latency), sounds, radio frequencies,
electromagnetic fields, etc. just to cite the 'accidental' leak channels that
act as a side-effect of the intended infrastructure.

We're not secure.

------
asharp
Very interesting, I'd like to see what physics hacks they end up using to
patch this.

------
X4
You can say it even louder, but I fear people won't hear. I heard it almost a
half year ago, but the real news that Quantum Cryptography "can" be broken is
a lot older.

Adding more randomness doesn't add more security, but just another shadow
layer.

We know SSL and TLS are broken as well as the Certificate Authorities have
been invaded a long time ago, even if most people don't accept the truth yet.

Could happen in your Startup too:

a: Let's use SSL!

b: Why?

a: Because people trust us more then.

b: Isn't that a lie? I mean SSL isn't secure.

a: But it works! People believe it, when we believe it.

"c: Live in your Dreamworld, until it collapses! :( Sad."

RSA/DSA/MD5 and other hashing and encryption algorithms are broken or
unreliable. We know that increasing the time needed to crack something doesn't
make it more secure, but obscures security and reliance on that technology.

You still see large-scale websites getting hacked, just because of stupid code
injections or exploits. The experience is even worse on the crypto side; you'd
cry if you knew how bad the situation actually is.

One thought. Develop your own, if you can. But that puts you into the radar of
Curious Governments.

~~~
cchurch
Are you insane?

~~~
pkteison
I think that was written by an experimental robot, like the automated sports
coverage that StatSheet generates.

