more on ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)

[David Farber <dave () farber net>]

Begin forwarded message:

From: David Wagner <daw () cs berkeley edu>
Date: September 19, 2005 6:22:10 PM EDT
To: touch () ISI EDU
Cc: dave () farber net, smb () cs columbia edu
Subject: [IP] more on ARMSTRONG LECTURE on Quantum Crypto and Optical  
Networks (Forwarded)


The real problem with QKE is that it solves a non-problem, and it does
so poorly.

QKE is as good as the security of the optical fiber link you have.
If that fiber isn't tampered with, and is a straight shot from the  
sender
to the receiver, then QKE is secure, and you don't need any pre-shared
authentication keys.  So far, so good.

The first problem with QKE is that, as you notice, the above scenario
can only be applied to point-to-point links.  You can't have routers,
switches, bridges, repeaters, etc., because they violate the security
requirements (roughly, they are indistinguishable from eavesdroppers).
If you have a group of n people who might want to communicate
amongst themselves, you need n^2 links, which isn't really workable.
Consequently, you can only use QKE for a few point-to-point links.

(If you want to avoid point-to-point links, you can try to play these
games with pre-shared authentication keys, but then the QKE is  
pointless.
If you had pre-shared keys, you wouldn't need QKE; you'd just use
classical cryptography and be done with it.)

The other problem with QKE is that it is solving a non-existent problem.
Today's VPNs are perfectly good solutions to the problem of securing a
point-to-point link.  You don't need a $50,000 QKE box; a secure tunnel
using classical cryptography (IPSec, TLS, whatever) is perfectly  
adequate,
and you can get such products for free or for much more cheaply than  
QKE.
The classical crypto is almost never the weakest point in the system,
so even if QKE were more secure than classical crypto, who cares?

Basically, today's QKE products are a bad joke.  As far as I can tell,
they are a way to hoodwink companies with too much money into paying
$50k or $100k for a box that doesn't solve a problem they don't have.

-- David Wagner



In article <6D9F6BAA-0B2E-4FDE-BC73-C84EBE1EAEC1 () farber net> you write:

> Begin forwarded message:
>
> From: Joe Touch <touch () ISI EDU>
> Date: September 19, 2005 1:53:41 PM EDT
> To: dave () farber net
> Cc: smb () cs columbia edu
> Subject: Re: [IP] ARMSTRONG LECTURE on Quantum Crypto and Optical
> Networks (Forwarded)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dave and Steve,
>
> So far I've been very curious about all the assertions about quantum
> comm. supporting key distribution, since quantum comm presumes
> pre-distributed keys for state verification, at least as a bootstrap.
> See:
>
>     Why Quantum Cryptography?
>     Kenneth G. Paterson, Fred Piper, Ruediger Schack (Royal
>     Holloway, University of London
>     in Quantum Physics e-print archive, June 2004
>
> Abstract:
> Quantum Key Exchange (QKE, also known as Quantum Key Distribution or
> QKD) allows communicating parties to securely establish cryptographic
> keys. It is a well-established fact that all QKE protocols require  
> that
> the parties have access to an authentic channel. Without this
> authenticated link, QKE is vulnerable to man-in-the-middle attacks.
> Unfortunately this fact is frequently overlooked, resulting in
> exaggerated claims and/or false expectations about the potential  
> impact
> of QKE. In this paper we present a systematic comparison of QKE with
> traditional key exchange protocols in realistic secure communication
> systems.
> http://arXiv.org/abs/quant-ph/0406147
>
> I've heard various assertions about 'key amplification', 'pad
> regeneration', etc., but at the end of the day it seems that the  
> quantum
> system is only as good as the conventional authentication key it  
> started
> with, AFAICT.
>
> I'd be interested if any others on IP have thoughts on this...
>
> Joe
>
>
>
> David Farber wrote:
>
>
> > is it webcast?
> >
> >
> > Begin forwarded message:
> >
> > From: "Steven M. Bellovin" <smb () cs columbia edu>
> > Date: September 14, 2005 6:35:23 PM EDT
> > To: cryptography () metzdowd com
> > Subject: [Colloquium] ARMSTRONG LECTURE on Quantum Crypto and Optical
> > Networks (Forwarded)
> >
> >
> >
> >
> >
> > Date: Wed, 14 Sep 2005 18:30:22 -0400 (EDT)
> > From: Dan Rubenstein <danr () cs columbia edu>
> > To: colloquium () cs columbia edu
> >
> >
> > The Department of Electrical Engineering at Columbia University
> > invites
> > you
> > to attend
> > THE ARMSTRONG MEMORIAL LECTURE
> > Monday, September 19 - 3:00pm
> > Davis Auditorium (Schapiro/Host)
> >
> > Host:  Professor Osgood
> >
> > "Unbreakable Secret Key Distribution?
> > Quantum Cryptography and Optical Networks"
> >
> > by
> >
> > Matthew S. Goodman, Ph.D.,
> > Chief Scientist and Telcordia Fellow, Telcordia Technologies &
> > Laboratory
> > for Telecommunications Sciences Red Bank, NJ and Adelphi, MD
> >
> > Abstract:
> > Manifestly quantum mechanical behavior has had tremendously important
> > implications for the development of modern technology.  In this
> > talk we
> > explore the impact of recent ideas and new approaches that quantum
> > information is having on future secure communications for high
> > performance
> > optical networks. The talk will concentrate on quantum
> > cryptography,  which
> > offers the promise of unconditional security for communications, and
> > complements existing mathematically based cryptography, which is
> > applied at
> > higher networking levels.  The talk will review the rapid progress
> > in  this
> > field as well as some very recent experimental results from the
> > Telcordia
> > research group and its collaborations.  We will describe the impact
> > that
> > this work is having on optical networking research and some early
> > commercial activities and will speculate on its broader commercial
> > implications.
> >
> > Light refreshments will be served.  We look forward to seeing you
> > there!
> >
> > _______________________________________________
> > Colloquium mailing list
> > Colloquium () cs columbia edu
> > http://lists.cs.columbia.edu/mailman/listinfo/colloquium
> >
> >
> > ----------
> >
> >
> >
> >
> >         --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> >
> >
> >
> > ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to
> > majordomo () metzdowd com
> >
> >
> > -------------------------------------
> > You are subscribed as touch () isi edu
> > To manage your subscription, go to
> >  http://v2.listbox.com/member/?listname=ip
> >
> > Archives at: http://www.interesting-people.org/archives/interesting-
> > people/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDLvslE5f5cImnZrsRAjJMAJ44OoJaeo1QQvSOrM+YWKdUcj66YwCeMk30
> VTRSVKoHV86zz5Ob4at5YPE=
> =/quq
> -----END PGP SIGNATURE-----
>
>
> -------------------------------------
> You are subscribed as interesting-people-gate () taverner cs berkeley edu
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/