‘Quantum Trojans’ undermine security theory
Can dodgy vendors compromise ‘uncrackable’ security?
A group of English and Canadian researchers has cast doubt on the nascent push to develop device-independent quantum cryptography standards, asserting that such schemes could be undermined by malicious vendors.
Their paper, Prisoners of their own device: Trojan attacks on device-independent quantum cryptography, is published on Arxiv.org, here.
The paper outlines scenarios which the authors say would be undetectable to the user, but would allow the attacker to obtain sufficient information to snoop on supposedly “uncrackable” quantum cryptography.
The paper, authored by London University mathematician Jonathan Barrett, Roger Colbeck of Canada’s Perimeter Institute of Theoretical Physics, and Adrian Kent of Cambridge’s Centre for Quantum Information and Foundations, states:
“A malicious manufacturer who wishes to mislead users or obtain data from them can equip devices with a memory [El Reg – to clarify, in our reading this refers to a memory included in the devices specifically for attack purposes] and use it in programming them.
“A task is potentially vulnerable to our attacks if it involves secret data generated by devices, and if Eve [El Reg – ie, the attacker] can learn some function of the device outputs.”
Their analysis gives rise, for example, to a scenario in which the attacking equipment might store key exchange communications from “day 1”, use this to analyse the key exchange taking place on “day 2”; and use this to extract the “day 1” key.
This is supposed to be impossible, since any tampering with the quantum communication channel should be revealed – for example, as (entanglement-destroying) noise on the quantum channel.
However, as the authors point out, all real-world channels contain noise; to overcome this, quantum crypto schemes exchange multiple pairs over a noisy channel, and use a statistical analysis to detect interference in the channel.
The malicious manufacturer, however, should be able to conceal its activities below the noise threshold the system uses to decide that the channel remains secure. The attacker could even build systems whose actual noise levels are lower than claimed, and use the gap between specified and real noise to conceal their activity.
If not addressed, the authors say the flaws they have identified effectively turn QKD devices into a “use once” proposition: you can only guarantee security for the first exchange, so the device has to be disposed of. ®
Comment: Before the world proclaims “quantum crypto not secure!” in headlines (too late? Oh well…) El Reg would make a couple of observations.
First, the malicious manufacturer is not a quantum-specific threat: backdoors can be just as easily inserted into classical cryptography kit.
Second, this paper is presenting a discussion not on any mass-deployed system, but on proposed schemes for device-independent QKD. Device independence has come to the fore chiefly because of prior demonstrations suggesting that today’s implementations have exploitable flaws; as a result, there has been ongoing discussion as to how users might verify the security of a quantum communication without knowing anything about the equipment used to create that channel.
For those interested in the kinds of schemes they believe could be compromised, the article cites some key papers on Arxiv, such as:
Third, the authors do not claim to have actually built a working proof-of-concept: their paper is a discussion of how a malicious system may be designed; it’s been published on Arxiv for review, and El Reg would expect a veritable feast of future papers for quantum crypto enthusiasts. ®
Mum's the Word on that which delivers MkUltraSensitive Absolute Power to CHAOS Control*
" .... and El Reg would expect a veritable feast of future papers for quantum crypto enthusiasts."
One thing you can be certain of, El Reg, given the very clear undetected and undetectable advantage that cracking quantum cryptography delivers to control communications systems, is that those who know how and why it works so effortlessly and efficiently, to reveal every past and future secret previously thought to be secured and an exclusive intellectual property, will be conspicuous by their absence in the veritable future papers feast ....... grand phishing competition.
* Or as close to it with/in IT and Media Manipulation Machines as makes no difference to lemmings and alien subjects being objected to human programming/prime thought control.**
Something which may be novel and news to you, but for the likes of all those GCHQ clones out there, just as another easy day at the office. Mess with and/or challenge the lead position of intelligence with the artificial beads and gaudy baubles provided by easily arranged paper and instantly transferred electronic wealth, and the puppets into supply of the latter will lose their hold on the reins of future power and absolutely fabulous fabless control.
** If you prefer, please also realise the probability and inevitability of that being equally well versed as makes no difference to lemmings and human subjects being objected to alien programming/prime thought control.
'dodgy vendors' compromise security through ignorance already
When I read the sub-headline, "Can dodgy vendors compromise ‘uncrackable’ security," I first thought that Richard referred to the idiots that keep selling me software that (still!) requires admin access on Windows 7 just to run.
I don't worry about vendors beling malicious about it. They make us compromise security without really trying.
Real-world channels contain noise
"This is supposed to be impossible, since any tampering with the quantum communication channel should be revealed – for example, as (entanglement-destroying) noise on the quantum channel. However, as the authors point out, all real-world channels contain noise; to overcome this, quantum crypto schemes exchange multiple pairs over a noisy channel, and use a statistical analysis to detect interference in the channel."
Umm, doesn't this rather drive a coach and horses through the whole business. The message appears to be that to make this thing work from an engineering stand-point you have to fall back on classical methods for noise handling, at which point you've lost the advantage you were claiming for quantum undetectability.