Victor Duchovni <[EMAIL PROTECTED]> writes:

> Secure in what sense? Did I miss reading about the part of QKD that
> addresses MITM (just as plausible IMHO with fixed circuits as passive
> eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is always unauthenticated. The generally accepted approach among the physics crowd is to use authentication with secret keys and a universal family of hash functions.

> Once QKD is augmented with authentication to address MITM, the "Q"
> seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH might be broken, and can't cope with or don't trust a Kerberos-like scheme. You can authenticate QKD with a symmetric mechanism, and get PFS against an attacker who records all the traffic and breaks DH later.

See http://portal.acm.org/citation.cfm?id=863982&dl=GUIDE&dl=ACM for a citation and http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf for text, for a discussion of a system that uses regular IKE and AH to authenticate the "control channel" and uses the resulting bits to key ESP with AES or a one-time pad to get PFS against a DH-capable attacker. This all ran on NetBSD over 3 sites in the Boston area for several years.

There are two very hard questions for QKD systems:

1) Do you believe the physics? (Most people who know physics seem to.)

2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done? (Not even close.)

Because of (2) I wouldn't have confidence in any current QKD system. The one I worked on was for research, to address some of the basic systems issues, because the physics community concentrates on the physics parts.

I am most curious as to the legal issue that came up regarding QKD.
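The message above mentions authenticating QKD with secret keys and a universal family of hash functions. The following is an added example, not part of the original post and not code from the system it cites: a sketch of one such scheme, a polynomial-evaluation hash masked with a one-time pad per message. The choice of hash family, the names `poly_hash` and `Authenticator`, the 16-byte pad size and the sample messages are all assumptions made for illustration.

```python
import hmac

P = 2**127 - 1  # prime modulus for the polynomial hash (assumed parameter)

def poly_hash(r: int, msg: bytes) -> int:
    """Evaluate the message as a polynomial at secret point r (mod P)."""
    data = len(msg).to_bytes(8, "big") + msg   # length prefix separates lengths
    acc = 0
    for i in range(0, len(data), 15):          # 15-byte blocks are always < P
        acc = (acc + int.from_bytes(data[i:i + 15], "big")) * r % P
    return acc

class Authenticator:
    """One end of the link. Both ends start from the same shared secret."""
    def __init__(self, shared_secret: bytes):
        self.r = int.from_bytes(shared_secret[:16], "big") % P  # hash selector
        self.pool = bytearray(shared_secret[16:])               # one-time pads

    def _next_pad(self) -> int:
        if len(self.pool) < 16:
            raise RuntimeError("pad pool exhausted; a pad must never be reused")
        pad = int.from_bytes(self.pool[:16], "big") % P  # mod bias is negligible
        del self.pool[:16]
        return pad

    def tag(self, msg: bytes) -> int:
        return (poly_hash(self.r, msg) + self._next_pad()) % P

    def verify(self, msg: bytes, tag: int) -> bool:
        # The pad is consumed even on failure so both ends stay in step.
        expected = (poly_hash(self.r, msg) + self._next_pad()) % P
        return 0 <= tag < P and hmac.compare_digest(
            expected.to_bytes(16, "big"), tag.to_bytes(16, "big"))

def demo():
    secret = bytes(range(1, 65))  # constructed sample: 16-byte selector + 3 pads
    alice, bob = Authenticator(secret), Authenticator(secret)
    m1 = b"sift: bases 0110100111"        # constructed control-channel messages
    m2 = b"parity block 7 = 1"
    ok = bob.verify(m1, alice.tag(m1))
    tampered = bob.verify(b"parity block 7 = 0", alice.tag(m2))
    return ok, tampered, len(alice.pool)

if __name__ == "__main__":
    print(demo())
```

Every tag uses up 16 bytes of shared secret, so a link authenticated this way has to keep both ends' pad pools synchronized and topped up.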