Swedish researchers find vulnerability in quantum encryption technology

Here we go again about quantum cryptography: The technology is — or, in light of the following story, has been — considered 100 percent secure against attacks on sensitive data traffic (see HSDW story), has a flaw after all, Swedish researchers said Friday. “In computer terms, we’ve found a bug,” said Jan-Aake Larsson, an associate professor of applied mathematics at the Linkoeping University in southern Sweden. “It was surprising,” he told AFP. “We didn’t expect to find a flaw,” he said, adding that he and another researcher at the university had also discovered a way to fix the problem.

Many experts hope quantum cryptography will be the answer to growing fears about data security on the Internet, providing a one-off code that would be unbreakable for hackers. Most sensitive data like money transactions have to date been transmitted over the Internet using a public key, which is considered safe because it consists of a string of some 2,000 data bits and requires enormous calculations to break. Quantum cryptography has meanwhile emerged as (supposedly) absolutely secure since quantum mechanical objects, according to the laws of physics, cannot be measured upon without being disturbed and setting off alarm bells that the transmitted data has been manipulated. “If somebody tries to copy a quantum-cryptographic key in transit, this will be noticeable as extra noise. An eavesdropper can cause problems, but not extract usable information,” a statement from Linkoeping University explained. The technology, which requires special hardware, is considered absolutely airtight and is widely expected to revolutionise the field of secure data transmission.

At the moment, however, quantum cryptography is limited to short-range transmissions and is so expensive that only a handful of banks and businesses have so far begun testing the system. We should qualify this last statement: The canton of Geneva became a world pioneer when it decided to use quantum cryptography to protect the dedicated line used for counting votes in the October 2007 Swiss national elections. The world’s first commercial quantum random number generator and quantum cryptography system was developed by the Swiss company id Quantique, a spin-off company of the University of Geneva (see HSDW story). Contrary to current convictions, Larsson said he and his student Joergen Cederloef had discovered a weakness in the supposedly flawless technology. To send the key over the quantum channel, you must simultaneously send additional data over the traditional Internet channel, and then verify that the classical data has not been changed through an authentication process, he explained. All data traveling though the quantum channel was 100 percent secure, but “a gap appears because this is a combined system, which complicates things so much that the usual security system in some cases does not work,” Larsson said. The problem arises when the system had been running for a long period of time, he said, adding that he and Cederloef proposed adding a handshake between legitimate users. “All that’s needed is a small addition to the authentication process to fill the security gap,” Larsson said.