2010 quantum security risk is ‘academic’

751

Physicists at the University of Toronto, in Canada, have successfully attacked a commercial quantum cryptography system, for the first time in history.

However, professor Francesco Petruccione, head of the University of KwaZulu-Natal’s Centre for Quantum Technology (CQT), says this is not a threat for the system being implemented at the Moses Mabhida Stadium for the 2010 Soccer World Cup.

A quantum cryptography system is being put in place to secure communication channels from the operations centre at the Durban stadium to the Joint Operations Centre of Durban.

Interception can’t hide

Project manager Abdul Mirza says the initiative by CQT is called QuantumStadium. He explains that it uses quantum cryptography, or more accurately quantum key distribution (QKD), to allow for secure communication and will be unveiled at the stadium later this month.

Johann van der Merwe, part of the advisory for PricewaterhouseCoopers, adds that QKD is used to establish shared, secret keys in support of encryption.

Van der Merwe says two communicating parties will know if there is any interference in their communication, because the principle which QKD is based on states that anyone measuring a quantum system will disturb it. “This means you cannot interfere with the channel without introducing noise, which may be detected by the communication parties, if the system is correctly implemented.”

Up until this time, it had been impossible for an eavesdropper to intercept communications sent using this type of technology, according to the Information Security Group Africa (ISG).

Van der Merwe explains: “A successful eavesdropper will discover the shared secret key if he/she can ‘listen’ without detection (namely introducing noise above a certain threshold). As a result, all subsequent communications are insecure.”

Successful eavesdropping

ISG explains that, like many other security systems, the technology was built making various assumptions, and in the real-world not all these assumptions have proved to be reliable. “In this case, the assumption that the physicists targeted relates to the level of tolerance for noise and associated communication errors.”

To ensure the security is still intact, quantum cryptographic systems monitor the communication error rate, because a high error rate is indicative that the communication is being intercepted.
“Because it is impossible to eliminate errors entirely, the cryptographers assumed that an acceptable level of noise or error rate would be 20%. However, in practice it was found that there are always errors introduced during the preparation of quantum states and this extra noise exposes the system to an ‘intercept and resend attack’.
“By intercepting and reading some quantum bits and then sending them on, in such a way that the error rate remains at only 19%, the physicists demonstrated that it is possible to break quantum encryption on a commercially available system,” says ISG.

Because of this, ISG maintains that a multi-layered approach to security must be taken. Encryption is important, but it must form only one part of an overall security strategy. “Organisations should be wary of developing a false sense of security just because they have deployed the latest encryption technology.”

No threat

Petruccione says this is actually not the first paper proposing such an attack and probably not the last one either. “In the past few months, research on practical security of quantum cryptography has gained momentum. It is important to understand that testing is an essential step to evaluate security products. The fact that this is now also applied to quantum cryptography is a sign of maturity for this technology.”

He adds that the impact of the Toronto group research should not be overestimated. This attack is very academic in the sense that it requires characterisation of the specific QKD target system in depth in order to take advantage of it, so you can’t make this on a copy of the system, he explains.
“This is possible in the lab, but not in a real application. It would also require an adjustment phase that would generate an alarm. It also seems that it would produce a QBER [Quantum Bit Error Rate] of 19%, but practical systems stop working with a QBER of only 8%. No reason to panic.”

The system being implemented at the stadium uses “dual key agreement”, according to Petruccione. “If QKD were really to fail, which is not the case, we would still retain the security of conventional cryptography.”

Mirza sums it up saying: “This is an academic attack that has taken many assumptions and would not really be feasible in reality. It also attacks the implementation and not the concept of quantum cryptography.”

Pic: Cape Town Greenpoint stadium

Source: www.ITWeb.co.za