Don`t Jump for the Quantum Leap in Cryptography

Several years ago, I was editing a primer on something that sounded radically new and exciting: quantum cryptography. Imagine, an encryption system that’s based entirely on the subatomic nature of the universe and entirely unbreakable. It’s the kind of stuff you’d see on Star Trek where even the best efforts of Data and Spock couldn’t crack this kind of code.

The problem with quantum cryptography is the technical limitations and boundaries of physics. Encryption keys are generated by the random polarization of photons—the stuff that makes up light. Early work in quantum cryptography found that it requires a line of sight between the transmitting and receiving stations for it to work. Even then, distance became a limiting factor.

Scientists working on European Union’s Development of a Global Network for Secure Communications based on Quantum Cryptography (SECOQC) report this week that they’ve successfully tested a system that will lead to the commercialization of the nearly unbreakable technology within the next three to four years.

If it proves true, it’s a fantastic breakthrough in security technology. Users will avoid the entire sticky issue of key management since every quantum key is randomly generated and unique for each use. And the keys themselves will be unbreakable since they will require special receivers to collect and process the photon carriers.

What makes quantum cryptography unbreakable isn’t the strength of the key, but rather the physical nature of the keys. This is where a little knowledge of Heisenberg’s Principle comes in handy. The German physicist said that merely observing a process will alter its outcome. In conventional data transmissions, hackers and eavesdroppers can intercept and copy packets and attempt to crack the algorithm without the knowledge of the sender or receiver. In quantum cryptography, any attempt to sniff the line will result in an alteration of the photons, which will immediately signal an intrusion to the two communicating parties.

All this sounds pretty cool, but so what?

Quantum cryptography is in use today, but only by organizations—governments, military, financial institutions—that can afford its expensive systems and truly require this level of protection. It’s expensive, difficult to manage and limited in practical use.

Much of the world is standardized on the Advanced Encryption Standard (AES), the cryptography system developed by the U.S. government to replace the Data Encryption Standard (DES). Even though DES and TripleDES stood as the encryption standards for nearly two decades because it literally took tens of thousands of years to brute-force crack the algorithm, hackers were able to develop systems that reduced the attacks to days and ultimately hours.

AES proved a much stronger algorithm. The National Institute of Standards (NIST) says it would take 149 trillion years to successfully brute-force attack a standard 128-bit AES key. To put that in perspective, our universe is roughly 14 billion years old.

Yes, some report having cracked AES, but no attack has set off any alarms to threaten the integrity of the AES standard. And brute-force attacks—or randomly trying different decryption keys until you find the right combination—is not the only method for cracking encryption algorithms. If there’s anything we’ve learned about encryption is that every code can be broken. The British at Benchley Park broke the code of the Nazi Enigma machines. The U.S. and Soviet Union were constantly deciphering each other’s communiqués during the Cold War. And hackers have broken everything from DES to Wired Equivalent Privacy in the modern era. Eventually AES will fall.

Will quantum cryptography be the answer? As famed cryptographer and security guru Bruce Schneier once told me, cryptography is like building the strongest fence post, a fence post that can’t be knocked down. The only problem is that its value in security requires the attacker to run right into the fence post.

In other words, security is more about risk management than building the strongest piece of cryptography. Being able to encode data is important in a security schema, but it’s not a silver bullet. Solution providers and end users must consider their risk and threat profiles, and then apply appropriate levels of security to counter the real and foreseeable threats. Investing in heavy pieces of technology, such as quantum cryptography, is in many cases overkill that won’t result in a true elevation of an organization’s security posture.

The day may come when we can set our phasers to stun and ensure an unbreakable data protection because of technology breakthroughs like the ones at  SECOQC, but the day when all organizations will require this level of security will remain in the far off future.

Lawrence M. Walsh is vice president and group publisher of Channel Insider and noted security journalist. You can reach him at lawrence.walsh@ziffdavisenterprise.com.