printlayout.qxd
8/13/02
10:26 AM
Page 14
computational power of Pocket PCs, this system might become more widely adopted in corporate environments. However, all PDAs have some common special properties that need to be considered:
Authenticating the user
PDAs typically only boot when a so-called ‘Soft reset’ is performed. Normally they are only in standby mode, resuming at power-on immediately in the same state they occupied before they were turned off. What is typically a big advantage requires some special treatment when trying to authenticate the rightful user. In contrast to a workstation where the user authenticates maybe only twice a day (in the morning and after lunch), a PDA is very frequently turned on and off by the user, maybe 30 times a day. For a workstation the use of a hardware token like a smartcard combined with a user PIN may be acceptable to increase trust in the user authentication but this would be very clumsy when trying the same on a PDA. First you need special additional hardware like a smartcard reader to access the token. Although this is technically available, it increases the size, weight and cost of the PDA. Furthermore, if done so frequently, it would be too clumsy for the user always to first get the token and authenticate before being able to enter just a new note in the calendar. Other means of authentication need to be found which are a good compromise between security and convenience. Since complex passwords are clumsy to enter on a PDA, vendors have looked for new ways of handling the authentication of users on a PDA. Besides alternatives where you have to tap on a sequence of symbols or areas of a picture to authenticate, there is a biometric method, which is ideal for this class of devices. The touch screen display of a PDA can act as a signature pad where the user enters a handwritten password. A potential attacker would now not only have to find out the password but also need to replicate the user's way (form and speed) of writing it. This implements a fast and convenient way of authenticating a user.
Fig. 1 PDA
Don't focus on the PDA only
When looking for security solutions for PDAs in a corporate environment, make sure that the solution covers both PDAs and normal workstations, since data should typically be exchanged between these platforms in a secure way. This is true for file encryption systems as well as email and VPN systems and the related key/user management. Since PDAs have no hard disk and are currently not a manageable object in the Windows 2000 Active Directory, some traditional software distribution and management systems (e.g. disk imaging) are no longer applicable. Look for general management solutions that also (but not only) cover PDAs and for products that integrate there instead of providing their own management server just for this product. PDAs are definitely a significant step towards the ‘anytime, anywhere’ vision which will bring us new, innovative applications in the future, but only with proper security can it be ensured that the new possibilities can really be enjoyed. Richard Aufrieter will be exploring the subject further at ISSE 2002, 2-4 October at Disneyland Paris.
Quantum Cryptography Revisited
By Philip Hunter
The elusive silver bullet of provably secure communication is achievable in theory, but virtually impossible to deliver in practice.
It is well known that absolute security could be implemented in theory by using a one-time private key of equal length to the message. This falls down not so much because of its profligate consumption of bandwidth, although that would be an issue, but because of the logistical difficulty of distributing the private keys securely in the first place. Whichever process is adopted involves a risk of compromise, so that communication is not after all “provably secure”. In practice, the public key system has been widely adopted since its invention in the 1970s as a way of distributing private session keys, with reasonable success. But it can be attacked, and there is always the risk that mathematical advances will make it trivial to crack, leaving many of the world’s networks wide open. Rather than waiting for this to happen, the security industry is coming up with an alternative in the shape of quantum cryptography. Computer Fraud & Security covered quantum cryptography in some detail in an article last year, and argued that although a highly promising approach, it was not the end of the game and there would still be a need for classical security approaches. It also goes without saying that having secure communications is only half the battle, and will not remove
the need for all the good practices such as having a proper and well maintained security policy. It is also important though to realize that quantum cryptography will represent a breakthrough in secure communications, even if it does not in practice quite provide the total provable security that had been expected in the initial flush of hype and enthusiasm during the 1990s. In fact enthusiasm for quantum cryptography within the security industry has increased again since the last Computer Fraud & Security article, and the consensus around it as the logical successor to public key cryptography for key exchange has hardened. This is partly the result of several successful trials (of which more later) that have demonstrated that the technology can work in practice rather than just in theory. It is worth then recapping the fundamental points of quantum cryptography in order to monitor progress and reassess its exact role in future IT security systems.
Since in practice the session keys used to encrypt messages are much shorter than the messages themselves, and are reused many times, there is the potential for an eavesdropper to unpick the key by monitoring multiple transmissions. This exploits the principle first discovered in the 1940s by Claude Shannon that if a key is shorter than the message it is encrypting, or if the key is used more than once, information about the content can be inferred given sufficient computational power. Indeed, this principle was exploited during World War II in decrypting German military messages. Such monitoring is possible because there is no way at present of telling that it is taking place. If you can tell that you are being eavesdropped, this would not enable you at once to communicate securely, but it does mean that you can deliver a private session key to the person or system at the other end knowing whether it has been eavesdropped or not.
You can then go on sending digital bits until a sufficient number have been received that the sender knows have not been intercepted. A key can then be constructed from this bit sequence and then be used to encrypt subsequent message data safe in the knowledge that it has not been compromised. And the key could be changed by this process sufficiently frequently to minimize the risk of a covert eavesdropper gaining enough information from the sequences to decrypt any of the data payload.
At first sight though there seems to be no way of telling that a communication channel has been eavesdropped. After all, the eavesdropper does not necessarily have to physically tamper with the line. In the case of radio or satellite communication, it is merely necessary to locate a receiver somewhere within range. But, this is to reckon without quantum theory. With classical physical systems such as a radio transmission network, all properties can in practice be measured without disturbing the system — and therefore without detection. One of the fundamental principles of quantum mechanics though is that no property of a system can be measured without disturbing it, and therefore without leaving a trace of the action. In truth, this also holds for classical systems, but then the disturbance is so minute that it cannot in practice be detected. Quantum theory is concerned with very small scale interactions such that the disturbance caused by any attempt at measurement is significant. In this sense all systems are actually quantum systems. The point is that just as gravity is insignificant on a small scale, so quantum effects are negligible at dimensions much greater than those of an atom.
Anyway, the theory suggested that it is possible to build a quantum communication channel carrying signals, such as light photons, that are subject to quantum phenomena, making it possible to detect that eavesdropping has taken place. In practice, it is impossible to implement quantum cryptography in such a way that the sender and receiver can be 100% sure that an eavesdropping attempt has been made. But it is possible to get arbitrarily close to 100% with extra computational effort.
The process is analogous to a combination lock, or a system
protected by a PIN, where security can be increased by adding extra digits, but is never 100%. There is always a chance of a thief getting lucky. Quantum cryptography then is provably secure in the statistical sense, and in effect it puts the gamekeeper in control. The bar can be raised when required to whatever level deemed necessary. The reason quantum cryptography does not, in practice, deliver 100% security is that no communication system ever devised or likely to be devised provides totally error free transmission. Therefore, some allowance has to be made for error recovery, and this means there is a tiny chance that an eavesdropping attempt cannot be distinguished from an error. During the 1990s, it was feared by some researchers that the level of errors in quantum communication might be such as to render the technology impracticable for real systems. Fortunately, such fears have been quashed by recent trials. Among the more exciting of the trials was a British one involving the Defence Evaluation and Research Agency (DERA) for satellite communications. The agency is the first in the world to demonstrate an operational system using weak light pulses to transmit encryption keys between sites located a significant distance apart — in this case about two km. The DERA system uses polarised photons to transmit the signals. Individual photons are indivisible fundamental units of light according to quantum theory, and so can in effect only be received once at a particular receptor site. Any attempt to intercept the signals therefore results in disruption to at least some of the photons, and this is detectable. The way the signal transmission works in the DERA trial system illustrates the general principle of quantum cryptography very well. Single photons are polarised to transform them into binary 'bits'. A random sequence of these bits is then transmitted to the receiver. 
The received 'bits' are used to build a large random number, which, in theory, should be identical to the sequence sent by the transmitter. In practice most bits
are lost in transmission and hence the communication system relies on matching sent bits to received bits by cross-referencing arrival time and transmission time. The receiver reports the arrival times of received pulses to the sender by a data link (e.g. telephone), enabling the sender to erase any bits in the sequence that were lost during transmission, thus creating two matching sequences. The addition of a complementary randomization factor guarantees the absolute security of the transmitted sequence. Each sent pulse is subjected to a randomly introduced 45 degree polarisation rotation, whilst the received pulse is subjected to a randomly introduced -45 degree polarisation rotation. In this way, the sent bit is randomized (i.e. contains no useful information) when only one of the rotators is activated. The sender and receiver compare their records of presence and absence of their polarization rotators and
retain only the received bits when both rotated or when both did not rotate. The result is that sender and receiver end up with an identical randomly generated number, termed a 'cryptographic key', that can be used as the basis for encryption and subsequent decryption of conventionally transmitted data. At present, the system is confined to relatively short-range communication, but it only needs electronic engineering to extend it to satellite ranges. This would represent a significant breakthrough in secure global communications, for it would render covert monitoring futile.
The trial was also exciting from a scientific perspective because it was the first pure application of quantum mechanics. It is true that quantum effects are significant in a number of existing processes, notably semi-conductors, but in these cases they are merely properties that have to be taken into consideration. Quantum cryptography exploits the properties directly. There are other potential applications of quantum mechanics currently at an earlier stage of research and development, mostly IT-related. Of these, the one where most progress has been made is for searching large databases, where significant improvements in search times are achievable through quantum parallelization. But the most dramatic potential performance gains will come in a more specialized application, which is factorizing large numbers, where quantum parallelisation can be exploited to a much greater extent. Ironically, this would jeopardize the security of public key cryptography, which relies for its security on the difficulty of factorizing the product of two large prime numbers. So, what quantum computing takes away from IT security with one hand, it gives back with the other.
All Quiet on the Virus Front?
Julian Bogajski, Sybari
So what are the hot issues in security at the moment? Are companies getting complacent – if so, why? In this article, Julian Bogajski, UK commercial director of Sybari, discusses some of the findings of the recent PwC report, outlining what they mean for the security market.
Network security issues are in the headlines almost daily. The daunting task of measuring how organizations may be open targets for hackers and virus writers is continual, with many recent reports giving corporates some real food for thought. One particular report of interest is The Information Security Breaches Survey 2002, produced by the DTI and PricewaterhouseCoopers, which discusses many of the important issues surrounding the current security market. Reports like this are not only a useful indication of industry trends, but they also help to show the level of end users’ awareness — or lack of it — of possible security breaches. This survey produced some interesting findings which highlight the irresponsible and inadequate security measures that are still employed by organizations in the 21st century.
The first surprising finding from the report states that “34% of businesses are confident they have adequate antivirus protection”. If over a third of businesses have adequate protection then why do we read about new virus attacks hitting companies almost daily? And these are not new (unique) viruses: despite the recent attempts of virus writers to infect JPEGs — a truly unique way of spreading a virus — we haven’t had a new virus strain in over a year. My belief is that we’re due for a ‘headline’ virus such as Klez or Melissa soon — and many organizations out there are still not ready. Even if there isn’t a superbug waiting in the wings to make its grand entrance, virus attacks are hitting harder each year, with the number of successful attacks rising. The confidence of those 34% is misplaced: many businesses simply don’t have adequate protection.
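The rotator-based key sifting described in "Quantum Cryptography Revisited" above, as an added Python simulation (not code from the article or from DERA). It assumes an ideal noise-free channel, a constructed pulse count and arrival probability, and a hypothetical intercept-and-resend tap that has to guess each rotator setting, which is why the tap shows up as errors in roughly a quarter of the sifted bits.

```python
import random

def measure(bit, sent_basis, read_basis, rng):
    """Matching rotator settings read the bit; mismatched ones give a coin flip."""
    return bit if sent_basis == read_basis else rng.randrange(2)

def run_exchange(n_pulses, arrival_prob, tapped, seed):
    """Return (sender_key, receiver_key) after loss-matching and rotator sifting."""
    rng = random.Random(seed)  # seeded so the constructed run is repeatable
    sender_key, receiver_key = [], []
    for _ in range(n_pulses):
        bit, tx_rot = rng.randrange(2), rng.randrange(2)  # sender's bit and rotator
        basis, value = tx_rot, bit
        if tapped:
            # Assumed tap model: it picks a rotator setting blindly, and the
            # pulse it passes on carries that setting, not the sender's.
            tap_rot = rng.randrange(2)
            value = measure(value, basis, tap_rot, rng)
            basis = tap_rot
        if rng.random() >= arrival_prob:
            continue  # pulse lost; the receiver never reports this time slot
        rx_rot = rng.randrange(2)
        got = measure(value, basis, rx_rot, rng)
        if tx_rot == rx_rot:  # only the rotator records are compared in public
            sender_key.append(bit)
            receiver_key.append(got)
    return sender_key, receiver_key

def error_rate(a, b):
    """Fraction of sifted positions that disagree (checked on a disclosed sample)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def miss_probability(n_checked):
    """Chance that n compared bits all agree despite the tap (3/4 per bit)."""
    return 0.75 ** n_checked

if __name__ == "__main__":
    for tapped in (False, True):
        s, r = run_exchange(20000, 0.1, tapped, seed=2002)
        print(f"tapped={tapped} key_bits={len(s)} error_rate={error_rate(s, r):.3f}")
    print(f"undetected after 64 checked bits: {miss_probability(64):.1e}")
```

A real link has a non-zero error rate of its own, so the decision is a threshold on the measured rate rather than the zero-versus-non-zero test this idealised model allows.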
Place your bets…
It’s clear from this one statistic that many organizations have the wrong attitude and approach to ensuring system security. It’s an area where mistakes can be expensive, with a considerable amount of time and money spent on responding to virus attacks. Judging by the increasing number of virus outbreaks, I’m sure many companies’ security strategy is based on wishful thinking: “if I don’t think about it, it will go away” — or foolhardiness: “it’ll never happen