Encryption: The Next GenerationResearch Paves Way for Safer Way to Share Keys
While researchers have taken a significant step toward making quantum cryptography more cost-effective, much more research is necessary before organizations can secure their communications using this advanced technology for exchanging encryption keys, experts say.
See Also: 2022 Unit 42 Incident Response Report
In conventional cryptography, long strings of numbers generated by complex mathematical algorithms are exchanged over a network and used to encrypt and decrypt messages. In contrast, quantum key distribution relies on the principles of quantum physics to exchange those keys. The method of key generation is the same, but instead of transmitting them as 0s and 1s, QKD relies on particles of light known as photons.
Researchers from Toshiba's Cambridge Research Laboratory have identified a way to reduce the hardware requirements for each user added to a QKD network. They demonstrated how 64 users can share a single photon while exchanging encryption keys, according to a paper published in the September issue of Nature. Up until now, QKD required each sender and recipient to have their own specially prepared photon, making QKD-based systems far too expensive and complex for commercial use.
Cryptography is effective so long as the generated keys are strong enough that it isn't worth a hacker's time to try to crack it. However, recent advances in mathematics and engineering have shrunk the time it takes a hacker to figure out the correct string of numbers used to protect the message. "QKD revolutionizes the distribution of cryptographic keys," says Zhiliang Yuan, one of the principal researchers behind the Toshiba study. In theory, a message protected using QKD remains a secret because the key cannot be easily copied.
The threat of eavesdropping is very real. The National Security Agency, for example, has intercepted encryption keys to stealthily decrypt and eavesdrop on secure communications on the Internet, according to a news report from the New York Times and Pro Publica (see: Report: NSA Circumvented Encryption). While the NSA has devoted plenty of resources toward cracking encryption algorithms, most of its attempts focused on obtaining the keys being used to unlock the data and then view it without the involved parties being aware they were being monitored, according to the report.
[The NSA is] breaking into cryptographic systems not by breaking the math, but by bypassing the math," says Bruce Schneier, chief technology officer at the technology firm BT and a leading encryption expert. The mathematics isn't at risk here, but rather the way the keys are distributed.
While QKD itself doesn't result in crack-proof keys, due to fundamental principles of quantum physics, anyone attempting to retrieve any information from the photon would inevitably change it, explains Wolfgang Tittel, a professor specializing in quantum secured communications at the University of Calgary's Institute for Quantum Science and Technology. The resulting changes would immediately alert involved parties that someone else was attempting to access their communications. Then, the key could be discarded.
QKD-secured communication networks show promise for potential use in industry sectors, such as in banking, government and healthcare, where security is paramount. In the Toshiba study, researchers demonstrated the new technique to transfer 10 gigabytes of data, or protect about 100,000 e-mails, among eight users.
A Long Way to Go
While enterprises should keep an eye on advancements made in quantum computing, current research is "just one more evolutionary step" toward making QKD-based systems a reality, says Kevin Bocek, vice-president of product marketing at Venafi, a key management company.
Until then, enterprises need to focus on securing and protecting the keys and certificates used within their infrastructure. The NSA frequently obtained encryption keys simply by breaking into the servers, according to the news report, so it's likely these keys hadn't been secured properly and the organizations did not know they had been improperly accessed.
Security is a chain, notes Schneier, and the mathematics of cryptography is still the strongest link. "Making that link stronger, while the rest of security is so incredibly weak, makes no sense," he says.
While QKD offers intriguing possibilities for securing sensitive networks, there are still plenty of challenges ahead. For example, quantum networks currently cannot extend more than 200 kilometers, or a little more than 120 miles. This means it cannot be used to protect communications on the open Internet. Tittel's research is focused on extending the distances photons can be used over fiber optic networks so that QKD can have broader applications.
Also, QKD must be affordable before it can be put to wide use, says Michael Wiener, a leading cryptography expert. As long as costs remain high, only a small number of organizations with "unusually high security needs" will adopt the technology, Wiener says.
The Toshiba study demonstrated one step toward reducing costs, says Yuan, the member of the research team. The next step for the team is to demonstrate the technique can work outside of a laboratory and over a real fiber optic network.
"Commercial applications for quantum computing still aren't just around the corner," Venafi's Bocek says.