Re: Quantum Cryptography
Victor Duchovni [EMAIL PROTECTED] writes:

> Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is always unauthenticated. The generally accepted approach among the physics crowd is to use authentication with secret keys and a universal family of hash functions.

> Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH might be broken, and can't cope with or don't trust a Kerberos-like scheme. You can authenticate QKD with a symmetric mechanism, and get PFS against an attacker who records all the traffic and breaks DH later.

See http://portal.acm.org/citation.cfm?id=863982dl=GUIDEdl=ACM for a citation and http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf for text, for a discussion of a system that uses regular IKE and AH to authenticate the control channel and uses the resulting bits to key ESP with AES or a one-time pad to get PFS against a DH-capable attacker. This all ran on NetBSD over 3 sites in the Boston area for several years.

There are two very hard questions for QKD systems:

1) Do you believe the physics? (Most people who know physics seem to.)

2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done? (Not even close.)

Because of (2) I wouldn't have confidence in any current QKD system. The one I worked on was for research, to address some of the basic systems issues, because the physics community concentrates on the physics parts.

I am most curious as to the legal issue that came up regarding QKD.
Re: ID theft -- so what?
Jörn Schmidt [EMAIL PROTECTED] writes:

> The answer to this dilemma? I'm afraid this time it really is legislation. Frankly, I'm not even sure if that would work but, at this time, it's our best shot. Congress won't do anything about this unless a few representatives have their identities stolen and experience first-hand what a PITA it is to have to deal with the fallout.

I agree that legislative changes are necessary, but I think they are fairly small. Consider the following:

Alice is a model citizen with a good credit history.

Bob steals Alice's identity by finding out semi-public static information.

Bob gets a loan from Charlie under Alice's identity, where Charlie transfers something of value to Bob and records a debt from Alice.

Here, Bob has committed a crime, and this being a crime isn't controversial. Until this point, Alice hasn't really been harmed unless she tries to interact with Charlie herself.

Charlie tries to collect from Alice, or Charlie reports that Alice owes a debt to a third party, or Charlie reports that Alice is in default to a third party.

In my view, _Charlie_ has committed a tort against Alice because he has been negligent (or at least incorrect) in issuing credit. If Charlie has decided to issue credit with minimal checks because the business benefit of that is more than the fraud losses (similar to our credit card system today), then it's only fair for Charlie to cover the full burden to Alice, including all the effort of cleanup. If Charlie isn't being careful to some degree, so that such incidents are rare, triple damages are probably in order. Even if Charlie is very careful, actual damages should be paid. A reasonable penalty for Charlie might be on the order of $1000 statutory damages plus $100/hr for any time over two hours Alice has to spend dealing with the issue, plus any legal fees incurred if any problems remain 30 days after the first report.

This puts the onus on Charlie, and the reporting systems will quickly adjust to enable Charlie to withdraw the incorrect report completely and quickly. Of course, Charlie should be able to recover all of his own costs, as well as payments to Alice, in triplicate from Bob. Many credit issuers willfully conduct their business with the knowledge that this will occur.

So, as I see it the basic problem is not one of security, but the fact that credit issuers etc. impose costs on innocent third parties and get away with it.

-- Greg Troxel [EMAIL PROTECTED]
Re: Can Eve repeat?
That's pretty much what I was talking about when I said that it may be possible to clone an arbitrarily large proportion of photons - and that Quantum Cryptography may not actually be secure.

A key point is the probability that the measurement/cloning operation has of disturbing the original state. Errors at the receiver are assumed to be the result of eavesdropping. The current canonical paper on how to calculate the number of bits that must be hashed away due to detected eavesdropping and the inferred amount of undetected eavesdropping is "Defense frontier analysis of quantum cryptographic systems" by Slutsky et al.: http://topaz.ucsd.edu/papers/defense.pdf

(I don't want to take a position on whether cloning is or isn't possible - that's way out of my area of expertise!)
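The mechanism the post above relies on, errors at the receiver being charged to the eavesdropper and a corresponding number of sifted bits being thrown away, as an added example that is not part of the post or of the Slutsky et al. paper. It is a constructed, idealised BB84 simulation (no channel noise, perfect detectors, one photon per pulse, seeded PRNG) with an intercept-resend Eve; the `eve_information_bits` count is the plain textbook intercept-resend bound, not the defense-frontier calculation, and `MAX_QBER` is the commonly cited 11% limit for BB84 with one-way post-processing.

```python
"""Toy BB84 run with an intercept-resend eavesdropper (constructed simulation).

Idealised: no channel noise, perfect detectors, one photon per pulse, so every
error in the sifted key is Eve's doing, as the post assumes.
"""
import math
import random
from dataclasses import dataclass

MAX_QBER = 0.11   # commonly cited upper limit for BB84 with one-way post-processing


@dataclass
class SiftedKey:
    length: int      # bits left after Alice and Bob compare bases
    errors: int      # sifted positions where Bob's bit differs from Alice's
    eve_known: int   # sifted bits Eve measured in Alice's basis (Eve's secret; kept for illustration)

    @property
    def qber(self) -> float:
        return self.errors / self.length if self.length else 0.0


def run_bb84(n_photons: int, eve_fraction: float, seed: int = 0) -> SiftedKey:
    """Alice sends n_photons, each a random bit in a random basis (0 = rectilinear,
    1 = diagonal). Eve intercepts a fraction eve_fraction of them, measures each in a
    random basis and resends what she saw. Bob measures in a random basis. Measuring
    in the wrong basis yields a uniformly random bit and destroys the original state."""
    rng = random.Random(seed)
    length = errors = eve_known = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis          # the photon Bob will receive
        eve_hit = False
        if rng.random() < eve_fraction:
            e_basis = rng.getrandbits(1)
            bit = a_bit if e_basis == a_basis else rng.getrandbits(1)
            basis = e_basis                  # the resent photon carries Eve's basis
            eve_hit = e_basis == a_basis     # only then has Eve learned Alice's bit
        b_basis = rng.getrandbits(1)
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if b_basis != a_basis:
            continue                         # dropped during sifting
        length += 1
        errors += int(b_bit != a_bit)
        eve_known += int(eve_hit)
    return SiftedKey(length, errors, eve_known)


def eve_information_bits(sifted_length: int, qber: float) -> int:
    """Bits to hash away under the plain intercept-resend model (the textbook count,
    not the defense-frontier analysis of Slutsky et al.): every intercepted photon
    produces an error with probability 1/4 and is learned by Eve with probability
    1/2, so an observed rate q implies an intercepted fraction of about 4q and
    about 2q * length sifted bits known to Eve."""
    intercepted = min(1.0, 4.0 * qber)
    return math.ceil(sifted_length * intercepted / 2.0)


def usable_key_bits(key: SiftedKey) -> int:
    """How much key survives: 0 (abort) above MAX_QBER, otherwise the sifted length
    minus the bits attributed to Eve. Real systems also subtract the bits leaked
    by error correction, which this toy omits."""
    if key.qber > MAX_QBER:
        return 0
    return key.length - eve_information_bits(key.length, key.qber)


if __name__ == "__main__":
    for frac in (0.0, 0.25, 1.0):
        key = run_bb84(20000, frac, seed=7)
        print(f"Eve intercepts {frac:.0%}: sifted={key.length} QBER={key.qber:.3f} "
              f"Eve really knows {key.eve_known}, discarded {eve_information_bits(key.length, key.qber)}, "
              f"usable={usable_key_bits(key)}")
```

Running it shows the relationship the post describes: with Eve absent the error count is exactly zero, with Eve on every photon the QBER sits near 25% and the run is aborted, and in between the estimate derived from the QBER tracks the number of bits Eve actually learned. The estimate is only as good as the model of Eve; an attack that disturbs the state less per bit learned (which is the cloning question the post raises) is exactly what the defense-frontier analysis exists to bound.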
Re: quantum hype
> I'm always stuck on that little step where Alice tells Bob what basis she used for each photon sent. Tells him how? They need integrity protection and endpoint authentication for N bits of basis. Is the quantum trick converting those N bits to N/2 privacy-protected bits really as exciting as it's made out to be?

They need integrity and data origin authentication, but not confidentiality. This is what is referred to as the public channel in QC papers.

The standard approach (in papers) is to use universal hashing. This is just math, with no quantum aspects. But it enables authenticating an arbitrarily long string of bits with a single key, just like one can MAC a long message with HMAC-SHA1. The difference is that because of the hash construction there are two key property changes from an HMAC such as used in IPsec:

1) One can prove that the odds of a forgery are vanishingly small (1 in $2^{n-1}$ for n bit keys, or something like that), even with an adversary with infinite computational power.

2) You can only use the key once (or perhaps twice). Otherwise, an adversary can recover it. This results in needing a constant stream of authentication keying material.

Whether these two properties are a good tradeoff from HMAC in practice for any particular situation and threat model is an interesting question.

See "Universal Classes of Hash Functions", by Carter and Wegman, Journal of Computer and System Sciences 18, 143-154 (1979) for the canonical paper on universal hashing.

-- Greg Troxel [EMAIL PROTECTED]
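The construction the post above describes (and that the first post in this page refers to as "authentication with secret keys and a universal family of hash functions"), as an added example that is not code from either post or from the BBN system: a Wegman-Carter one-time MAC over the basis string, built from a polynomial universal hash over GF(P). The choice of P = 2^127 - 1, the 15-byte chunking with a leading length block, and the key-recovery demonstration are this example's own; the two properties it exhibits are the ones listed above, a forgery bound that holds against unbounded computation, and a key that leaks as soon as it is used twice.

```python
"""Wegman-Carter one-time authentication from a universal hash over GF(P).

Added example: field, chunking and the key-reuse attack are this example's choices.
"""
from __future__ import annotations

import secrets

P = (1 << 127) - 1          # Mersenne prime; keys, pads and tags are elements of GF(P)
CHUNK = 15                  # 15-byte chunks are < 2**120 < P, so each is a field element


def blocks(msg: bytes) -> list[int]:
    """Encode msg as field elements: the byte length first, then the chunks.
    The length block keeps the encoding injective (b"" and b"\\x00" must differ)."""
    return [len(msg)] + [int.from_bytes(msg[i:i + CHUNK], "big")
                         for i in range(0, len(msg), CHUNK)]


def poly_hash(k: int, msg: bytes) -> int:
    """h_k(m) = sum_i b_i * k^(n-i+1) over GF(P) for blocks b_1..b_n (Horner form).
    Two distinct messages collide only at a root of a nonzero polynomial of degree
    <= n, i.e. for at most n of the P keys: an n/P-almost-universal family."""
    acc = 0
    for b in blocks(msg):
        acc = (acc + b) * k % P
    return acc


def collision_bound(msg: bytes) -> float:
    """Probability over a uniform k that some other message of at most as many
    blocks hashes to the same value; with a fresh one-time pad this is also the
    forgery probability of wc_tag against an adversary with unlimited computation."""
    return len(blocks(msg)) / P


def keygen() -> tuple[int, int]:
    """Fresh (hash_key, pad): one pair authenticates exactly one message."""
    return secrets.randbelow(P), secrets.randbelow(P)


def wc_tag(hash_key: int, pad: int, msg: bytes) -> int:
    """Wegman-Carter: universal hash, then mask the result with a one-time pad."""
    return (poly_hash(hash_key, msg) + pad) % P


def verify(hash_key: int, pad: int, msg: bytes, tag: int) -> bool:
    return wc_tag(hash_key, pad, msg) == tag


def recover_key_from_reuse(m1: bytes, t1: int, m2: bytes, t2: int) -> tuple[int, int]:
    """Why the key is one-time. For two equal-length single-chunk messages with
    chunks c1 != c2 tagged under the same (k, pad):
        t_i = len * k^2 + c_i * k + pad,   so   t1 - t2 = (c1 - c2) * k   (mod P)
    and k, then pad, fall out. Longer messages give a higher-degree equation in k,
    which is still cheap to solve over GF(P); the attack is not special to short input."""
    b1, b2 = blocks(m1), blocks(m2)
    if not (len(b1) == len(b2) == 2 and b1[0] == b2[0] and b1[1] != b2[1]):
        raise ValueError("demo handles two distinct single-chunk messages of equal length")
    k = (t1 - t2) * pow((b1[1] - b2[1]) % P, -1, P) % P
    pad = (t1 - poly_hash(k, m1)) % P
    return k, pad


if __name__ == "__main__":
    k, pad = keygen()
    basis_bits = b"01101001" * 8                      # constructed: Alice's basis choices
    tag = wc_tag(k, pad, basis_bits)
    assert verify(k, pad, basis_bits, tag)
    assert not verify(k, pad, basis_bits[:-1] + b"0", tag)   # Mallory flips one basis bit
    print(f"forgery probability per message <= {collision_bound(basis_bits):.3e}")

    # Reusing (k, pad) for a second message hands both to the eavesdropper.
    m1, m2 = b"pay 100 to bob", b"pay 900 to bob"     # constructed sample inputs
    k2, pad2 = recover_key_from_reuse(m1, wc_tag(k, pad, m1), m2, wc_tag(k, pad, m2))
    print("key recovered from two tags:", (k2, pad2) == (k, pad))
```

The pad is what makes the scheme information-theoretic: without it, the tag is the hash value itself and one message/tag pair already constrains k. With it, every message needs a fresh pad (and, to keep the bound above, a fresh hash key), which is the "constant stream of authentication keying material" the post mentions; in a QKD system a slice of each round's output is reserved to authenticate the next round's public channel. Key size and tag size are both one field element here, about 127 bits, so the HMAC comparison in the post is apples to apples on tag length but not on how long a key lasts.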