gdt at ir.bbn.com
Mon Jun 25 20:23:14 EDT 2007
Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
> Secure in what sense? Did I miss reading about the part of QKD that
> addresses MITM (just as plausible IMHO with fixed circuits as passive
It would be good to read the QKD literature before claiming that QKD is
The generally accepted approach among the physics crowd is to use
authentication with a secret key and a universal family of has
> Once QKD is augmented with authentication to address MITM, the "Q"
> seems entirely irrelevant.
It's not if you care about perfect forward secrecy and believe that DH
might be broken, and can't cope with or don't trust a Kerberos-like
scheme. You can authenticate QKD with a symmetric mechanism, and get
PFS against an attacker who records all the traffic and breaks DH later.
for a citation and
for text, for a discussion of a system that uses regular IKE and AH to
authenticate the "control channel" and uses the resulting bits to key
ESP with AES or a one-time pad to get PFS against a DH-capable attacker.
This all ran on NetBSD over 3 sites in the Boston area for several
There are two very hard questions for QKD systems:
1) Do you believe the physics? (Most people who know physics seem to.)
2) Does the equipment in your lab correspond to the idealized models
with which the proofs for (1) were done? (Not even close.)
Because of (2) I wouldn't have confidence in any current QKD system.
The one I worked on was for research, to address some of the basic
systems issues, because the physics community concentrates on the
I am most curious as to the legal issue that came up regarding QKD.
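
The symmetric authentication mentioned in the message above (a secret key plus a universal family of hash functions) can be sketched as a Wegman-Carter style one-time tag. This is an added example, not code from the post or from the system it describes; the field size, block size, `KeyPool` class and sample messages are assumptions chosen for illustration.

```python
import hmac

P = 2**127 - 1   # Mersenne prime; the hash family lives in the field Z_P (assumed size)
BLOCK = 15       # 15-byte message blocks are always smaller than P

class KeyPool:
    """Pre-shared secret bits. Every tag consumes 16 fresh bytes, never reused."""
    def __init__(self, material: bytes):
        self._buf, self._pos = material, 0

    def remaining(self) -> int:
        return len(self._buf) - self._pos

    def take_mask(self) -> int:
        if self.remaining() < 16:
            raise RuntimeError("key pool exhausted: refusing to authenticate")
        chunk = self._buf[self._pos:self._pos + 16]
        self._pos += 16
        # Keep 127 bits; the value P itself wraps to 0 (bias about 2**-127).
        return (int.from_bytes(chunk, "big") & P) % P

def poly_hash(hash_key: int, msg: bytes) -> int:
    """Polynomial-evaluation hash, one member of an almost-universal family."""
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big")
              for i in range(0, len(msg), BLOCK)]
    blocks.append(len(msg))          # length block: padding cannot collide
    acc = 0
    for b in blocks:                 # Horner's rule over Z_P
        acc = (acc + b) * hash_key % P
    return acc

def make_tag(hash_key: int, pool: KeyPool, msg: bytes) -> int:
    # The one-time mask hides the hash value, so tags leak nothing about hash_key.
    return (poly_hash(hash_key, msg) + pool.take_mask()) % P

def verify_tag(hash_key: int, pool: KeyPool, msg: bytes, tag: int) -> bool:
    expected = make_tag(hash_key, pool, msg)   # verifier burns the same mask
    return hmac.compare_digest(expected.to_bytes(16, "big"), tag.to_bytes(16, "big"))

def demo():
    shared = bytes(range(48))        # constructed stand-in for pre-shared secret bits
    hash_key = int.from_bytes(b"constructed-key!", "big") % P
    sender, receiver = KeyPool(shared), KeyPool(shared)
    msg = b"sift: bases 0110100111"  # constructed control-channel message
    tag1 = make_tag(hash_key, sender, msg)
    accepted = verify_tag(hash_key, receiver, msg, tag1)
    tag2 = make_tag(hash_key, sender, msg)     # same message, fresh mask
    tampered = verify_tag(hash_key, receiver, msg + b"0", tag2)
    return accepted, tampered, tag1 != tag2, receiver.remaining()
```

Each authenticated message consumes secret bits from the pool, so the pool has to be refilled with newly agreed key at least as fast as it is spent.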