Schneier on Security
A blog covering security and security technology.
November 6, 2006
Classical Crypto with Lasers
I simply don't have the physics background to evaluate this:
Scheuer and Yariv's concept for key distribution involves establishing a laser oscillation between the two users, who each decide how to reflect the light at their end by choosing one of three mirrors that peak at different frequencies.
Before a key is exchanged, the users reset the system by using the first mirror. Then they both randomly select a bit (either 1 or 0) and choose the corresponding mirror out of the other two, causing the lasing properties (wavelength and intensity) to shift in accordance with the mirror they chose. Because each user knows his or her own bit, they can determine the value of each other's bits; but an eavesdropper, who doesn't know either bit, could only figure out the correlation between bits, but not the bits themselves. Similar to quantum key distribution systems, the bit exchange is successful in about 50% of the cases.
"For a nice analogy, consider a very large 'justice scale' where Alice is at one side and Bob is at the other," said Scheuer. "Both Alice and Bob have a set of two weights (say one pound representing '0' and two pounds representing '1'). To exchange a bit, Alice and Bob randomly select a bit and put the corresponding weight on the scales. If they pick different bits, the scales will tilt toward the heavy weight, thus indicating who picked '1' and who picked '0.' If however, they choose the same bit, the scales will remain balanced, regardless whether they (both) picked '0' or '1.' These bits can be used for the key because Eve, who in this analogy can only observe the tilt of the scales, cannot deduce the exchanged bit (in the previous case, Eve could deduce the bits). Of course, there are some differences between the laser concept and the scales analogy: in the laser system, the successful bit exchanges occur when Alice and Bob pick opposite bits, and not identical; also, there is the third state needed for resetting the laser, etc. But the underlying concept is the same: the system uses some symmetry properties to 'calculate' the correlation between the bits selected in each side, and it reveals only the correlation. For Alice and Bob, this is enough--but not for Eve."
But this quote gives me pause:
Although users can't easily detect an eavesdropper here, the system increases the difficulty of eavesdropping "almost arbitrarily," making detecting eavesdroppers almost unnecessary.
EDITED TO ADD (11/6): Here's the paper.
Posted on November 6, 2006 at 7:49 AM
I don't see anything that would stop a man-in-the-middle attack by someone with lasers, mirrors and an ability to cut the transmission line.
In reading the paper, it seems that the security depends on transmitting the signal at a very low signal-to-noise ratio, so low that the parties are able to detect the signal, but Eve is not.
The success of this scheme therefore depends on the following:
(a) the parties are able to decode a lower level signal than Eve
(b) the parties have to know what level of signal Eve can decode
(c) the parties have to know what level of signal and noise she sees at her eavesdropping point
If each of the above three conditions are met, then the parties can keep their transmission level low enough that Eve cannot decode it.
In order to in any way be useful, it would seem that there would need to be some fundamental physics that guarantee each of the three items above are satisfied. This does not appear to be demonstrated in the paper.
It also, as mentioned, does not appear to address active man-in-the-middle attacks.
@Alan: Given that lasers are line-of-sight, you are pretty likely to notice a man-in-the-middle. ;-)
If you use optical fibre, you could simply send through a permanent beam of light to detect the temporary cut in the cable that would have to be done in order to insert the additional mirrors.
The trick with quantum cryptography is that if the key exchange is done using a single quantum state (like the polarization of a single light quantum), a 'man in the middle' who observes the quantum state will definitely change the quantum state, which is easily observable for the communicating parties.
If one uses this laser key exchange, a man-in-the-middle attack will only be detected if the optical equipment of the users is better than the attacker's.
The system is just as flawed as the resistor-based key exchange Bruce mentioned some time ago in his blog.
I brought this to Bruce's attention, highlighting the phrase that gave Bruce pause with a "WTF?!?" comment of my own.
I wish I could find something cool to show him so I can feel special inside too!
@Alan: I disagree that the paper suggests reducing the signal-to-noise for Alice and Bob. Detecting the correlation between the two bits is always easy, and Alice and Bob know one of the bits so they have everything.
The part about signal-to-noise is about reducing Eve's ability to pick out the correlation *and* the values of the bits. In principle, she can intercept both bits, but appears from the paper that you can make it as hard as you want for Eve to do that, without making it any harder for Alice and Bob (and Eve for that matter) to get the correlation out.
I think this calls for an add-on module to Khet the laser game (http://www.khet.com/). It's one thing to hit your opponent's pharaoh with a laser, but if you can manage to exchange keys successfully.... :)
@Paeniteo: assuming your two statements are true regarding the difficulty of a man-in-the-middle attack when the transmission system is a laser, why not just use the laser to perform a Diffie-Hellman or similar key exchange? What do you gain from the mirror system that you can't get from traditional mathematics?
What is really going on here is that the signal on the fibre is analogous to an XOR of Alice and Bob's data.
Neat in a way, but any time skew between the two participants' signals would make cracking this trivial. You would see one side's contribution happening before the other and hence be able to extract it (the only unknown being a possible inversion). Having got one, reapply it to get the other signal.
Nice idea though.
I agree, as it's vulnerable to most of the same attacks. It does have a few advantages though - photons are faster than electrons through a copper wire, which makes an attack based on timing (Instead of a single Eve, you have an Eve1 and an Eve2, at different locations; the difference in time of the state changes theoretically gives you enough information to re-create what Alice and Bob are doing) more difficult. Also, lased light doesn't leak electromagnetic radiation like electrons through a copper wire do, so that increases the chance that an attacker will be noticed.
More to the point, an attacker can theoretically guarantee a time skew, simply by using two taps separated in space. The only question is if the attacker's timers are good enough to note the time difference frequently enough to get the needed data.
@Martin: I think that's one point of using lasers. Unless both have set their respective mirrors, there's no laser signal, since there's no amplification. I could imagine this might make it more difficult to exploit these synchronization issues.
I think that the xor analogy is probably the best. Basically, the physics principle being used is that a laser bouncing between 2 mirrors is affected by the nature of both mirrors. Sampling of the beam can only give information about the "difference" between the two mirrors, not what either mirror is.
Effectively, the "key" to this system is the knowledge of which type of mirror is considered 1 and which is considered 0. If you know (or guess) this "key" I'm pretty sure that you could mount a man in the middle attack. However, there may well be physics preventing passive eavesdropping.
Yes, this could work. If there was a defined dark period that covered any foreseeable skew then you would not be able to see who was first (given that both mirrors need to be in place to get resonance).
I'm not seeing that as an advantage, other than speed (which allows Alice and Bob to be further apart). Lasers still propagate at the local speed of light; therefore it takes time for the information at either end to change relative to the other end. Therefore a timing attack (while it may not be practical) is possible unless you can prove that you can't distinguish the times that information is changed. If the distance between Alice and Bob is 1 nanometer, this is pretty trivial to prove. If the distance between Alice and Bob is on the order of say, 186 miles (1 light millisecond - in a vacuum), it's pretty trivial to prove the inverse.
It appears that this is what they are doing (It's the use for the T mirror). See the figure on page 2.
Well this is my field, and it sounds OK. It's very similar to others recently proposed (some of which have been posted here), and tries to overcome the attacks found with different physics. Basically we shift the problem to an engineering one.... more or less.
Lasers are used to keep both ends "coupled" and it's important the lasers do *not* propagate over free space, but an erbium-doped fiber laser. That is, the fiber *is* the laser. Hence the name Giant Fiber Laser (aka 10's km long). This is what makes life hard for Eve. It becomes a physics problem because what are the parameters that provide the said security? i.e. what if the fiber laser saturates? Can Eve force it to saturate? What about other effects such as temperature stability? etc... It's now an engineering problem
However this attempts to solve a problem for which we currently have a much better solution. Public key systems (patents notwithstanding) are simply better at this point in time. Unless there is a fundamental break (aka factoring in P time) they are the way to go. IMO
Of course, you really meant 186 million miles apart... A bit harder to achieve on Earth.
@Paeniteo: Fiber optics work on the principle of total internal reflection. It's entirely possible to create a splicing rig that will cut a cable without disrupting the signal for any longer than the length of the loop you're putting in, which would be well under a quarter of a nanosecond. Difficult to detect.
"The bit exchange is successful in about 50% of the cases."
Why would I want to futz with a system that's only going to provide reliable security 50% of the time? (This is even worse if failed bit exchange means both failed security and failed communication.)
And the whole "Eve" example doesn't make sense. If you prime the system by using the first mirror, then choose one of the two remaining for your encryption, it would seem that by splicing into the line and monitoring Bob's transmissions, you will eventually acquire a sufficient sample to decode the transmissions. (Not to mention which, everyone has the same two bits.)
Or am I misreading something here?
Sounds to me like an optical version of Kish's electrical resistance scheme, which has been covered in this Web log in December 2005 and February 2006. The claim of security seems to be based on the same concept - both ends modulate natural randomly-occurring noise in a way that either end can decode but an eavesdropper can't - and it seems to me that it will likely be prey to the same kinds of issues of synchronization and transients.
"The bit exchange is successful in about 50% of the cases"
So an exchange of N bits is successful once every 2^N times? You might resort to brute force, then.
It smells snake-oil to me. I have a degree in physics, so I'll try to see if I can make something out of the paper.
This 50% transmission success rate is common to many of these quantum mechanics-based schemes. Basically, it's the same problem as a known very lossy line, which is a solved problem. Note that a failure to communicate is not a system failure; it's part of the system.
The concept here is that instead of Alice and Bob having lasers that they use to send each other messages, Alice and Bob control two different parts of a (presumably very large) laser. Whenever Alice's mirror matches Bob's, and they are both mirrors pointing towards each other, you get a laser between the mirrors. When they don't match, very little information is leaked (the paper claims that you can keep this information leak down to an arbitrarily small amount).
Anon - no, it's like quantum crypto. The bits being exchanged are random, and the parties know when a bit was exchanged, but the eavesdropper doesn't know the value of the exchanged bit. After they accumulate enough secret bits, the parties use those as a key for some other scheme (one-time pad if absolutely necessary).
Because they get to know whether each bit, independently, was exchanged correctly, the parties only need to exchange on average 2N, not 2^N, bits. That much is all just the same as the quantum crypto schemes based on polarized light; it's neither new nor suspicious. The questionable part is whether the bits considered to be securely exchanged, really are.
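The bit-agreement procedure described in the article excerpt above (reset mirror, then one of two bit mirrors, with only the correlation visible on the fibre) and the "2N, not 2^N" point in the comment above, as an added simulation that is not code from the paper or the post. It assumes an idealised channel: the shared laser is modelled as a symmetric function that reveals only whether the two mirrors match, with no timing skew and a reset between rounds; all names are my own.

```python
"""Simulation of a 'correlation only' key exchange (added example; assumes an
ideal symmetric channel with perfect timing, not the physics of the paper)."""
import random

RESET, M0, M1 = "T", "M0", "M1"   # the three mirrors: reset, bit 0, bit 1

def mirror_for(bit):
    return M1 if bit else M0

def channel_observation(left, right):
    """What anyone on the fibre (Alice, Bob or Eve) sees.  Symmetric in its
    arguments, so the observation cannot say which end holds which mirror."""
    if RESET in (left, right):
        return "reset"
    return "same" if left == right else "different"

def infer_other_bit(own_bit, observation):
    """A party who knows its own bit recovers the other side's bit."""
    return own_bit if observation == "same" else 1 - own_bit

def run_protocol(n_key_bits, keep="different", seed=0):
    """Run rounds until n_key_bits are agreed.  The laser system keeps rounds
    where the bits differ; the scale analogy keeps rounds where they match.
    Returns Alice's key, Bob's key, the round count and Eve's view."""
    rng = random.Random(seed)
    alice_key, bob_key, eve_view, rounds = [], [], [], 0
    while len(alice_key) < n_key_bits:
        rounds += 1
        channel_observation(RESET, RESET)        # both start on the reset mirror
        a, b = rng.getrandbits(1), rng.getrandbits(1)
        obs = channel_observation(mirror_for(a), mirror_for(b))
        eve_view.append(obs)                     # Eve learns only the correlation
        if obs == keep:
            # Convention: the agreed key bit is Alice's bit.  Bob never sees it
            # directly; he derives it from his own bit and the correlation.
            alice_key.append(a)
            bob_key.append(infer_other_bit(b, obs))
    return alice_key, bob_key, rounds, eve_view

def eve_guess_rate(alice_key, eve_view, keep="different"):
    """Eve knows exactly which rounds produced key bits, but for each of them
    a fixed guess (here: 0) is the best a correlation-only view allows;
    expect roughly 50% accuracy, i.e. no better than chance."""
    kept = [obs for obs in eve_view if obs == keep]
    assert len(kept) == len(alice_key)
    return sum(1 for bit in alice_key if bit == 0) / len(alice_key)

if __name__ == "__main__":
    ak, bk, rounds, view = run_protocol(1000)
    print("keys agree:", ak == bk, "rounds used:", rounds,
          "Eve accuracy: %.2f" % eve_guess_rate(ak, view))
```

Running it shows the round count landing near 2N (about 2000 rounds for a 1000-bit key) while Eve's guesses stay at chance; the timing-skew and active-attacker issues raised in the comments are outside this idealised model.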
There may be another problem with this scheme. As I understand it central to the protective nature of this scheme is the fact that any "man in the middle" would not be able to discern the exact nature of the mirrors.
However, a reasonable individual with sufficient knowledge of the engineering involved would probably be able to deduce this information.
For example - you insert a monitoring device in to the fibreoptic cable. You will then be able to tell the ground state wavelength and emissive radiance of the laser source. You know based on practical knowledge that lasers of the size typically used for this sort of application are usually of a certain power, size and wavelength. Coupled with knowledge of the properties of the doped glass from which the cable is extruded, it would probably then be possible to make a fairly accurate informed guess as to the material make up of the mirror surfaces.
In this case of course this sort of deduction would not merely be an analogous or academic problem but an actual one, since the strength of the encryption itself has been changed from being a purely mathematical problem to an engineering / physical one.
Just a thought...
The "justice scale" analogy is poor. If Eve can see the tilt of the scale, and it's tilting down in Bob's direction, can't she safely infer that Bob placed a 2-pound weight and Alice placed a 1-pound weight? What am I missing here?
It looks like they are using randomized phase shifts to obfuscate the information.
Haven't had the chance to digest the paper yet but it seems feasible.
As for the current polarized methods they only work absolutely if you can isolate and detect single photons. That is only sort of possible so you end up with a series of "good enoughs". Still better than anything else out there. If you have to send 20 photons per burst to get the signal 48 clicks and Eve only messes with 3 of them a click out.
Way oversimplified but on the right track.
ignore last comment, i figured it out.
Won't there be a wavefront when you "switch" mirrors, which an eavesdropper could see? I don't entirely know the physics here, but going by the "scale" analogy, if the eavesdropper is anywhere other than dead in the middle between Alice and Bob (ie if he is closer to Bob than Alice), then he'll see Bob's transition before Alice's transition gets to him. I don't know if there's some magical quantum property in these lasers which negates that, but it sure seems like the state transition would propagate at some speed between Bob and Alice, so being off-middle between them you'd see the transitions of each side at slightly different times. Of course, the speed is probably the speed of light, so the delay would be pretty tiny unless Bob and Alice were pretty far apart, but it still might well be detectable.
"so being off-middle between them you'd see the transitions of each side at slightly different times."
Actually, no. This is one of the advantages of their scheme (of having Alice & Bob be parts of a big laser); whenever the information that either mirror has switched to the next state reaches the receiver, the information changes from the one data point to the next, with no intervening visible information, assuming "perfect" engineering.
The problem with the timing attack I proposed above is actually mentioned by me in response to Martin, but I didn't catch the significance. You see, the trick (I missed) is that information is only conveyed in the non-lased state, which is when the system is giving a minimal amount of information. The second trick is that there is a default dead state between each potential bit of information. In that state, all the attacker (presumably) knows via timing is that information is being sent.
This one uses an average of four bits of entropy to negotiate one bit of key. (One bit per cycle per endpoint with fifty percent of cycles failing.) Thus, it stays below the 50% threshold I've mentioned before (basically, that key negotiation protocols always require at least two times the entropy of the key they negotiate).
Thank you all for the comments. This thread is making this topic more understandable and reducing the WTF factor.
Defending against a Man-in-the-middle attack is very easy: use a strong enough laser, target the eyes. ;-)
What if Alice is approaching the speed of light ?
Does the system work inside a black hole ?
Can the man in the middle see the colour of Bob's shirt ?
@Alan: "assuming your two statements are true regarding the difficulty of a man-in-the-middle attack when the transmission system is a laser, why not just use the laser to perform a Diffie-Hellman or similar key exchange?"
Well, you get a One-Time-Pad just like with quantum cryptography.
Apart from this, the asymmetric key exchanges rely on the fact to transfer some public key in a manipulation-safe manner from A to B (not too sure about D-H, correct me if I'm wrong).
This is not necessary here, as A and B "agree" on the bits without having to assure that a specific bit was not changed during transmission (in fact, they do not really transmit bits in one direction).
It seems to be vulnerable to transient analysis, as lots of other people already pointed out. Those square waves of figure 2 can hide lots of problems, even more when you don't really make the system, just simulate it.
But it is also vulnerable to man-in-the-middle attack, just as every quantum cryptography scheme I ever saw. You being sure that nobody changed the data on the channel before it reached the other end is useless if you have no means of knowing who is the one at the other end. (I guess this is Alan's point.)
Quantum cryptography systems are vulnerable to man-in-the-middle attacks, though only if the man-in-the-middle completely controls both the quantum cryptography channel and the standard communications channel. Otherwise, an eavesdropper can be detected.
However, even then, standard methods for mitigating the man-in-the-middle attack apply, such as vocally reading off checksum data (assuming the man-in-the-middle is not a consummate mimic, and disguise artist if a video channel is used) or using securely signed or pre-exchanged public keys.
I might point out that *any* one-time pad exchange method is theoretically vulnerable to a man-in-the-middle, if these mitigation methods fail or cannot be used.