Quantum crypto experts dispute potency of 'blinding' hack



A dispute has emerged between experts in quantum cryptography over the effectiveness of a recently discovered attack that takes advantage of implementation flaws in high-security key exchange systems.

A paper published in September's Nature Photonics explained how the avalanche photo-detectors used in some commercial quantum cryptography rigs might be blinded, essentially causing equipment to go wrong without generating an error indicating that a key exchange might have been compromised. The ruse – akin in very simplistic terms to bright light in a guard's face so he doesn't see someone sneaking past him – might allow an eavesdropper to gain at least snippets of a secret encryption key being exchanged over a supposedly super-secure link.

Commercial systems from MagiQ Technology and ID Quantique were demonstrated as potentially vulnerable by a team from the Norwegian University of Science and Technology (NTNU), the University of Erlangen-Nürnberg and the Max Planck Institute for the Science of Light in Erlangen. The attack relied on the use of off-the-shelf commercial, albeit expensive ($50K), kit. The German and Norwegian computer scientists worked with manufacturers to address and develop countermeasures against the attack, which involved subverting the link error compensation features necessary to get practical systems to work.

A follow-up paper in December's Nature Photonics by scientists at Toshiba’s Cambridge Research Laboratory concluded the attack would fail to work against properly operated single photon detectors. Straightforward adaptations on potentially vulnerable avalanche photo-detector systems would also blunt the attack.

That, or so we thought, was that.

However, since publishing a story about Toshiba's follow-up research, a member of the original team of quantum-crypto boffins has been in touch to dispute Toshiba's conclusions.

Vadim Makarov, a researcher in the Quantum Hacking group at NTNU, said the Norwegian / German team have published three variations of their original attack (including an after-gate attack, a thermal blinding attack and a sinkhole attack), which might work against Toshiba's kit.

However Andrew Shields, assistant managing director at Toshiba Research Europe, has turned down requests from the Norwegian / German team to test the revised attack on their kit, according to Makarov.

"These three attacks are variations of the attack we published in Nature Photonics," Makarov told El Reg. "Two of these three will probably work perfectly on Shields' 'hack-proofed' detector (I wanted to come to his lab with our equipment and test this but was not given a chance). Shields is aware of these attacks yet he carefully avoids mentioning them when he brags about his 'easy fix' to the detector."

The German / Norwegian team have published a detailed response to Toshiba's paper here, discussing the possible remaining vulnerabilities in Toshiba's "hack-proofed" detector.

We asked Toshiba for a response to Makarov's contention that a variant of the original attack might be successful. In a statement, Shields said the after-gate attack and sinkhole discussed by the Norwegian / German team would also be ineffective against a properly operated system.

"We always welcome feedback in this area, as it helps to uncover any security loopholes and to devise appropriate countermeasures. However, when we repeated the Trondheim group’s tests, exactly as they described, their results could only be recreated if the detector was set up incorrectly. In particular, we could only get the attack to work if there was a large resistor in series with the avalanche photodiode and if the discriminator level was set to a very high (and inappropriate) level.

"Another known attack on QKD systems is called the ‘after-gate attack’. This involves Eve blocking the signals from Alice and then sending bright pulses after the avalanche photodiode (APD) gate when the APD is in linear mode. This attack is not a detector blinding attack, but seeks to exploit a potential deficiency in the QKD system, rather than the detector. However this attack does not work on our QKD system, because Bob only accepts detection events that occur during the detector gate and rejects all those after the detector gate. Furthermore, Bob only modulates the arriving photon during the duration of the detector gate which also renders the attack ineffective. The attack also does not work because the bright pulses create afterpulse noise resulting in a very high error rate, alerting Alice and Bob to the attack.

"Only if the detector can be ‘blinded’ (and we have proven that it cannot be blinded, provided it is operated correctly) is it possible to avoid this telltale noise. Thus the after-gate attack does not work. The thermal blinding and sinkhole attacks are also ineffective on our system. We are happy to test any other attack that is proposed, as testing and improvement is a crucial element to the continued development of QKD systems. Indeed it is a central element to the work we are doing with European Telecommunications Standards Institute (ETSI) on the standardisation of QKD."

We sense this may not be the final word on the difference of opinion and that Makarov will only be satisfied if he is allowed to test the effectiveness of the revised attack himself. Failing that, perhaps a light-sabre battle might provide satisfaction. The dispute does involve extremely clever people expert in the intricacies of lasers and quantum physics, after all.

Leaving aside questions about their potency, the detector blinding attack or its variants are not the first implementation weakness to be discovered in quantum cryptography systems, which find a place in high value banking and government communications. All parties agree that the theoretical basis of these systems is rock solid - it's just real life and engineering difficulties getting in the way of absolute security. ®
