On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:
> Victor Duchovni <[EMAIL PROTECTED]> writes:
>
> > Secure in what sense? Did I miss reading about the part of QKD that
> > addresses MITM (just as plausible IMHO with fixed circuits as passive
> > eavesdropping)?
>
> It would be good to read the QKD literature before claiming that QKD is
> always unauthenticated.

No one claimed that it isn't -- the claim is that there is no quantum
authentication, so QKD has to be paired with classical crypto in order to
defeat MITMs, which renders it worthless (because if you'll rely on
classical crypto then you might as well only use classical crypto, as QKD
doesn't add any security that classical crypto, which you still have to
use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle
boxes like routers. And as if that weren't enough there's the exorbitant
cost of QKD kit.

> The generally accepted approach among the physics crowd is to use
> authentication with a secret key and a universal family of hash
> functions.

Everyone who's commented has agreed that authentication is to be done
classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an
entangled pair at one end of the connection, physically carry half of it
to the other end, and then run a QKD exchange that depends on the two ends
having half of the same entangled particle or photon pair. I'm no quantum
physicist, so I can't tell how workable that would be physics-wise, but
such a scheme would be analogous to pre-sharing symmetric keys in
classical crypto. Of course, you'd have to do this physical pre-sharing
step every time you restart the connection after having run out of
pre-shared entangled pair halves; ouch.

> > Once QKD is augmented with authentication to address MITM, the "Q"
> > seems entirely irrelevant.
>
> It's not if you care about perfect forward secrecy and believe that DH
> might be broken, and can't cope with or don't trust a Kerberos-like
> scheme. You can authenticate QKD with a symmetric mechanism, and get
> PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about
protection against speculative brokenness of public key cryptography.
All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

 - it can be deployed in an end-to-end fashion across middle boxes

OR

 - we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume
that economies of scale will be achieved once quantum crypto becomes
useful.

Critical breaks of public key crypto will NOT be sufficient to drive
adoption of quantum crypto: we can still build networks out of symmetric
key crypto (and hash/MAC functions) only if need be (with pre-shared
keying, Kerberos, and generally Needham-Schroeder).

> There are two very hard questions for QKD systems:
>
> 1) Do you believe the physics? (Most people who know physics seem to.)
>
> 2) Does the equipment in your lab correspond to the idealized models
> with which the proofs for (1) were done. (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the
end-to-end issue. Even for intranet-scale deployments, actually.

> I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
--
---------------------------------------------------------------------
The Cryptography Mailing List
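The classical authentication the quoted reply refers to (a secret key plus a universal hash family), as an added example that is not code from the thread or from any QKD product: a Wegman-Carter style one-time MAC over a polynomial-evaluation universal hash on GF(2^61 - 1), where the hash key is reused but every tag burns one pre-shared pad value. The channel class, message strings and key pool are constructed for illustration; the demo also exercises the key-exhaustion case that the message's "ouch" is about.

```python
import hmac
import secrets

P = 2**61 - 1  # field modulus (Mersenne prime); 7-byte blocks stay below it
BLOCK = 7

def poly_hash(r: int, message: bytes) -> int:
    """Polynomial-evaluation universal hash over GF(P) at secret point r; distinct
    messages of at most L blocks collide with probability <= (L+1)/P. Length first."""
    blocks = [len(message)] + [int.from_bytes(message[i:i + BLOCK], "big")
                               for i in range(0, len(message), BLOCK)]
    acc = 0
    for b in blocks:
        acc = (acc * r + b) % P
    return acc

class AuthChannel:
    """One end of the classical authenticated channel: r is the reusable hash key,
    pads the pre-shared one-time pad pool, one pad burned per tag (cf. pair halves)."""
    def __init__(self, r: int, pads: list[int]):
        self.r, self.pads = r, list(pads)

    def _next_pad(self) -> int:
        if not self.pads:
            raise RuntimeError("pre-shared key material exhausted; re-share out of band")
        return self.pads.pop(0)

    def tag(self, message: bytes) -> int:
        return (poly_hash(self.r, message) + self._next_pad()) % P

    def verify(self, message: bytes, tag: int) -> bool:
        expected = (poly_hash(self.r, message) + self._next_pad()) % P
        return 0 <= tag < P and hmac.compare_digest(
            expected.to_bytes(8, "big"), tag.to_bytes(8, "big"))

def demo() -> dict:
    # Constructed stand-in for out-of-band pre-sharing: budget of two messages.
    r, pads = secrets.randbelow(P), [secrets.randbelow(P) for _ in range(2)]
    alice, bob = AuthChannel(r, pads), AuthChannel(r, pads)
    m1 = b"basis choices: +x+x++xx"
    t1 = alice.tag(m1)
    forged = bob.verify(b"basis choices: +x+x++x+", t1)  # altered in transit
    m2 = b"sifted indices: 0 2 5 7"
    genuine = bob.verify(m2, alice.tag(m2))
    try:
        alice.tag(b"one message too many")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"forged_accepted": forged, "genuine_accepted": genuine, "exhausted": exhausted}
```

The forgery probability is bounded by the hash family's collision probability regardless of computing power, which is the property that lets the tag be paired with QKD without reintroducing a public-key assumption.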