Quantum Cryptography

Greg Troxel gdt at ir.bbn.com
Mon Jun 25 20:23:14 EDT 2007


Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:

> Secure in what sense? Did I miss reading about the part of QKD that
> addresses MITM (just as plausible IMHO with fixed circuits as passive
> eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is
always unauthenticated.

The generally accepted approach among the physics crowd is to use
authentication with secret keys and a universal family of hash
functions.

> Once QKD is augmented with authentication to address MITM, the "Q"
> seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH
might be broken, and can't cope with or don't trust a Kerberos-like
scheme.  You can authenticate QKD with a symmetric mechanism, and get
PFS against an attacker who records all the traffic and breaks DH later.

See

  http://portal.acm.org/citation.cfm?id=863982&dl=GUIDE&dl=ACM

for a citation and

  http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf

for text, for a discussion of a system that uses regular IKE and AH to
authenticate the "control channel" and uses the resulting bits to key
ESP with AES or a one-time pad to get PFS against a DH-capable attacker.
This all ran on NetBSD over 3 sites in the Boston area for several
years.

There are two very hard questions for QKD systems:

 1) Do you believe the physics?  (Most people who know physics seem to.)

 2) Does the equipment in your lab correspond to the idealized models
    with which the proofs for (1) were done?  (Not even close.)


Because of (2) I wouldn't have confidence in any current QKD system.
The one I worked on was for research, to address some of the basic
systems issues, because the physics community concentrates on the
physics parts.

I am most curious as to the legal issue that came up regarding QKD.
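
The authentication approach mentioned above (secret keys plus a universal family of hash functions) is usually realised as a Wegman-Carter one-time MAC. The following is an added example, not part of the original post and not code from the BBN system; the field size, block encoding, message contents and the names `KeyPool` and `Authenticator` are assumptions chosen for illustration.

```python
import secrets

P = (1 << 127) - 1   # Mersenne prime: field for the polynomial hash (assumed size)
BLOCK = 15           # 15-byte blocks are always smaller than P

class KeyPool:
    """Hypothetical store of shared secret bits; each byte is handed out once."""
    def __init__(self, material: bytes):
        self._buf, self._pos = material, 0

    def take_field_element(self) -> int:
        while True:  # rejection sampling keeps the value uniform in [0, P)
            if self._pos + 16 > len(self._buf):
                raise RuntimeError("key pool exhausted: pads must never be reused")
            chunk = self._buf[self._pos:self._pos + 16]
            self._pos += 16
            v = int.from_bytes(chunk, "big") >> 1
            if v < P:
                return v

def poly_hash(r: int, msg: bytes) -> int:
    """Polynomial-evaluation universal hash; the length block keeps encoding injective."""
    acc = 0
    for i in range(0, len(msg), BLOCK):
        acc = (acc + int.from_bytes(msg[i:i + BLOCK], "big")) * r % P
    return (acc + len(msg)) * r % P

class Authenticator:
    """One end of the classical channel; both ends hold identical pools."""
    def __init__(self, pool: KeyPool):
        self.pool, self.r = pool, pool.take_field_element()  # secret hash key

    def tag(self, msg: bytes) -> int:
        pad = self.pool.take_field_element()     # fresh one-time pad per message
        return (poly_hash(self.r, msg) + pad) % P

    def verify(self, msg: bytes, tag: int) -> bool:
        expect = self.tag(msg)                   # consumes a pad even on failure
        return 0 <= tag < P and secrets.compare_digest(
            expect.to_bytes(16, "big"), tag.to_bytes(16, "big"))

def demo():
    material = secrets.token_bytes(256)          # constructed shared secret
    alice, bob = Authenticator(KeyPool(material)), Authenticator(KeyPool(material))
    msg = b"sift bases=0110100111"               # constructed control message
    ok = bob.verify(msg, alice.tag(msg))
    forged = bob.verify(b"sift bases=0110100110", alice.tag(msg))
    return ok, forged

if __name__ == "__main__":
    print(demo())
```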