[ISN] Researchers find hole in 'flawless' encryption technology

From: InfoSec News (alerts@private)
Date: Tue Apr 22 2008 - 22:08:05 PDT


http://abc.com.au/news/stories/2008/04/21/2223348.htm

ABC.com.au
April 21, 2008

Quantum cryptography, a new technology until now considered 100 per cent 
secure against attacks on sensitive data traffic, has a flaw after all, 
Swedish researchers say.

"In computer terms, we've found a bug," said Jan-Aake Larsson, an 
associate professor of applied mathematics at the Linkoeping University 
in southern Sweden.

"It was surprising - we didn't expect to find a flaw," he said, adding 
that he and another researcher at the university had also discovered a 
way to fix the problem.

Many experts hope quantum cryptography will be the answer to growing 
fears about data security on the Internet, providing a one-off code that 
would be unbreakable for hackers.

Most sensitive data like money transactions have to date been 
transmitted over the internet using a so-called public key, which is 
considered safe because it consists of a string of some 2,000 data bits 
and requires enormous calculations to break.

Meanwhile, an evolving technology called quantum cryptography has 
emerged as absolutely secure since quantum mechanical objects, according 
to the laws of physics, cannot be measured upon without being disturbed 
and setting off alarm bells that the transmitted data has been 
manipulated.

"If somebody tries to copy a quantum-cryptographic key in transit, this 
will be noticeable as extra noise. An eavesdropper can cause problems, 
but not extract usable information," a statement from Linkoeping 
University said.

Not quite airtight

The technology, which requires special hardware, is considered 
absolutely airtight and is widely expected to revolutionise the field of 
secure data transmission.

However at the moment, quantum cryptography is limited to short-range 
transmissions and is so pricey that only a handful of banks and 
businesses have so far begun testing the system.

Contrary to current convictions, Assoc Professor Larsson said he and his 
student Joergen Cederloef had discovered a weakness in the supposedly 
flawless technology.

"To send the key over the quantum channel, you must simultaneously send 
additional data over the traditional Internet channel, and then verify 
that the classical data has not been changed through an authentication 
process," he said.

While all data travelling through the quantum channel was 100 per cent 
secure, "a gap appears because this is a combined system, which 
complicates things so much that the usual security system in some cases 
does not work," Assoc Professor Larsson said.

He said the problem arises when the system has been running for a long 
period of time, adding that he and Mr Cederloef proposed adding a 
so-called handshake between legitimate users.

"All that's needed is a small addition to the authentication process to 
fill the security gap," Assoc Professor Larsson said.

- AFP

