April 21, 2008
Quantum cryptography, a new technology until now considered 100 per cent
secure against attacks on sensitive data traffic, has a flaw after all,
Swedish researchers say.
"In computer terms, we've found a bug," said Jan-Aake Larsson, an
associate professor of applied mathematics at the Linkoeping University
in southern Sweden.
"It was surprising - we didn't expect to find a flaw," he said, adding
that he and another researcher at the university had also discovered a
way to fix the problem.
Many experts hope quantum cryptography will be the answer to growing
fears about data security on the Internet, providing a one-off code that
would be unbreakable for hackers.
Most sensitive data like money transactions have to date been
transmitted over the internet using a so-called public key, which is
considered safe because it consists of a string of some 2,000 data bits
and requires enormous calculations to break.
Meanwhile, an evolving technology called quantum cryptography has
emerged as absolutely secure since quantum mechanical objects, according
to the laws of physics, cannot be measured without being disturbed
and setting off alarm bells that the transmitted data has been
"If somebody tries to copy a quantum-cryptographic key in transit, this
will be noticeable as extra noise. An eavesdropper can cause problems,
but not extract usable information," a statement from Linkoeping
Not quite airtight
The technology, which requires special hardware, is considered
absolutely airtight and is widely expected to revolutionise the field of
secure data transmission.
However, at the moment, quantum cryptography is limited to short-range
transmissions and is so pricey that only a handful of banks and
businesses have so far begun testing the system.
Contrary to current convictions, Assoc Professor Larsson said he and his
student Joergen Cederloef had discovered a weakness in the supposedly
"To send the key over the quantum channel, you must simultaneously send
additional data over the traditional Internet channel, and then verify
that the classical data has not been changed through an authentication
process," he said.
While all data travelling through the quantum channel was 100 per cent
secure, "a gap appears because this is a combined system, which
complicates things so much that the usual security system in some cases
does not work," Assoc Professor Larsson said.
He said the problem arises when the system has been running for a long
period of time, adding that he and Mr Cederloef proposed adding a so-called
handshake between legitimate users.
"All that's needed is a small addition to the authentication process to
fill the security gap," Assoc Professor Larsson said.