Strangely enough, there actually MIGHT be a good reason to use
Quantum Encryption.  It's a very subtle point, which I will try
to explain succinctly below, but unless you're actually interested
you might want to hit the delete key now.

1. Perfect Forward Security

I hate to invoke "Perfect Forward Security" because I don't really
understand it, and when one pontificates about something that one
does not really understand, one often falls into a pit.  In fact,
basic information theoretics argues that it cannot actually exist.
My thinking so far is that, from an information theoretic view,
the communication is encrypted by a link key that has three parts:
a random number thrown by A, the pre-existing shared secret
(or "shared key"), and a random number thrown by B.  Consider this
schematic diagram of a man in the middle attack:

A  <---->  X  <---->  B

If A and B do Diffie-Hellman key exchange, a passive X cannot
eavesdrop, because in addition to the information passed on the
link she would need either the random number thrown by A or the
random number thrown by B to deduce the resulting link key.
The way X defeats this is by an active attack: to B: X plays A
while to A: X plays B.  Thus a different link key is generated
on each side of the link:

A  <---->  X  <---->  B
     AX         BX
    link       link
    key        key

This will become useful in the section on Mixing in the Key below.

A Perfect Forward Security system has the property that even if
the shared key subsequently becomes known, it is still not possible
to decrypt a prerecorded session.  Even if the initial shared
key were compromised, it would not be possible to decrypt the
recorded conversation without knowing the random numbers thrown
at A and B, which are now long gone.  However, from an information
theoretic point of view, with enough computer power one COULD try
not only every possible bit pattern of the shared key, but ALSO
every possible bit pattern of the two random numbers.  This greatly
raises the bar, since these numbers can be of arbitrary size.
This also reduces the vulnerability: since different random
numbers are thrown for each message, breaking one message by
deducing the key and random numbers does not help that much with
breaking a different prerecorded message, since only the key will
be the same.  Of course, once the key is known, FUTURE messages
can be ACTIVELY attacked as described above.

2. Mixing the key into the protocol

Note that up to now I've been VERY careful to specify that the
adversary not only has fully capable hardware but also full
knowledge of the protocols in use.  The reason I've done so is
that one of the things A and B can do is to "mix" the link key
information in with the data being sent, so in the above case
the fact that one link is using an AX key and the other link
is using a (different) BX key would soon be detected.  But if
the adversary knows that this checking is being done, she can
carefully "mix out" the AX key information in a message from A
and then "mix in" the BX key information before forwarding the
message to B.  This is similar to why passive mode is required
for FTP from behind a NAT box.  The active mode FTP control
information contains network numbers from the inside of the
NAT box, which are pretty useless on the outside.

3. QE and man in the middle

NOW we are in a position to see how the combination of QE and
key mixing can actually buy us something!  Consider the plight
of the man in the middle when both are being used.  She cannot
passively eavesdrop and record for further analysis because of
the nature of the quantum transmission.  She cannot actively
eavesdrop (by doing the above and recording the raw data for
further analysis) because she does not currently have the shared
key so she cannot mix out and mix in the link key information as
described above.

Pretty subtle, eh?

Thanks for playing the other side of this one, Dave, I think
we are a sum that is greater than its parts.

It's interesting that it is the only-one-listener nature of
the quantum encryption process that forces the distinction
between "passive eavesdropping" (just listening to the wire)
and "passive man-in-the-middle" which involves copying the
data from A to B and from B to A without trying to understand
what it all means until a later analysis time.

--
"An Internet-connected Windows machine is tantamount to
 a toddler carrying a baggie of $100 bills down a city street..."

Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
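As an added illustration (not code from the post or the OpenSSL project), here is a small Python model of sections 1 and 2: a toy Diffie-Hellman exchange with an active X, a link key that mixes in the pre-existing shared key, and each message carrying a tag under that link key. The group parameters, function names and the HMAC-based "mixing" are constructed for this demo and are assumptions, not anything the post specifies.

```python
import hmac, hashlib, secrets

# Toy DH group constructed for the demo (a real deployment uses a
# standardised 2048-bit or larger group; 2^127-1 is only for speed here).
P = (1 << 127) - 1
G = 2

def dh_share():
    """Throw a random number (private exponent) and derive the public share."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def link_key(shared_key: bytes, peer_pub: int, priv: int) -> bytes:
    """Link key = the post's three parts: shared key mixed with g^(ab)."""
    dh = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hmac.new(shared_key, dh, hashlib.sha256).digest()

def mix_in(key: bytes, msg: bytes) -> bytes:
    """'Mix in' the link key: append an authentication tag keyed by it."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def mix_out(key: bytes, wire: bytes):
    """'Mix out': check and strip the tag; None if it is not under this key."""
    msg, t = wire[:-32], wire[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(t, expected) else None

def session(shared_key: bytes, attacker_key):
    """A sends one message to B through an active X.

    attacker_key is X's knowledge of the shared key (None = none).
    Returns whether the AX and BX link keys differ and whether B accepts."""
    a_priv, a_pub = dh_share()
    b_priv, b_pub = dh_share()
    x_priv, x_pub = dh_share()            # X plays B to A and A to B
    k_ax = link_key(shared_key, x_pub, a_priv)   # A's view of the link
    k_bx = link_key(shared_key, x_pub, b_priv)   # B's view of the link
    wire = mix_in(k_ax, b"hello")
    if attacker_key is not None:
        # X rebuilds both link keys with what she knows of the shared key,
        # mixes out the AX tag and mixes in the BX tag before forwarding.
        k_ax_x = link_key(attacker_key, a_pub, x_priv)
        k_bx_x = link_key(attacker_key, b_pub, x_priv)
        msg = mix_out(k_ax_x, wire)
        if msg is not None:
            wire = mix_in(k_bx_x, msg)
    return {"keys_differ": k_ax != k_bx,
            "b_accepts": mix_out(k_bx, wire) is not None}
```

Without the shared key X cannot re-tag the forwarded message, so B's check fails; with it, the substitution goes unnoticed, which is the situation section 3 says QE removes.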

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
