The clock is ticking on encryption

Today's secure cipher-text may be tomorrow's open book

Page 4 of 4

At one end of an optical fiber, an emitter sends individual photons to the other end. The phase of some of the photons is measured as they are transmitted, and they thereby acquire a value; the receiver is informed of that value through a separate channel. Normally the photons will arrive with the expected values and will be used to generate a new encryption key.

But if there is an eavesdropper on the line, that third party will have reassigned values to the photons through the act of measuring them. In that case, the receiver will see an error rate in the photon values and no key will be generated. In the absence of that error rate, the security of the channel is assured, Ribordy says.


"It's like a fountain of random bits," he says of the system. "You can store the bits in a buffer and use them different ways, and with standard applications we use them to make 256-bit AES keys, and then replace the key every minute."

However, since security can only be assured after the fact -- when the error rate is measured, which happens immediately -- the channel should be used to send only the keys, and not actual messages, he notes.
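An added example, not from the article or from the vendor's system: a toy simulation of the error-rate check described above, modeled on a BB84-style exchange in which an eavesdropper measures and re-sends every photon. The protocol model, the 11% abort threshold, and all function names are assumptions made for illustration.

```python
import random

ABORT_QBER = 0.11  # assumed abort threshold for this toy model, not from the article

def run_session(n_photons, eavesdropper, seed):
    """Simulate one key-exchange session. Returns (error_rate, key_bits or None)."""
    rng = random.Random(seed)  # simulation only; real systems use quantum randomness
    sent, received = [], []
    for _ in range(n_photons):
        bit, basis_tx = rng.getrandbits(1), rng.getrandbits(1)
        value, basis = bit, basis_tx  # state of the photon in flight
        if eavesdropper:
            basis_eve = rng.getrandbits(1)
            if basis_eve != basis:
                value = rng.getrandbits(1)  # wrong-basis measurement: random result
            basis = basis_eve  # measuring re-prepares the photon in Eve's basis
        basis_rx = rng.getrandbits(1)
        measured = value if basis_rx == basis else rng.getrandbits(1)
        if basis_rx == basis_tx:  # bases compared over the separate channel
            sent.append(bit)
            received.append(measured)
    # Disclose half of the matching-basis bits to estimate the error rate.
    half = len(sent) // 2
    if half == 0:
        return 1.0, None  # too few photons to judge the channel: no key
    errors = sum(s != r for s, r in zip(sent[:half], received[:half]))
    error_rate = errors / half
    if error_rate > ABORT_QBER:
        return error_rate, None  # eavesdropping suspected: generate no key
    return error_rate, received[half:]

def pack_aes256_keys(bits):
    """Cut the bit buffer into 32-byte blocks (no privacy amplification here)."""
    keys = []
    for i in range(0, len(bits) - 255, 256):
        block = int("".join(map(str, bits[i:i + 256])), 2)
        keys.append(block.to_bytes(32, "big"))
    return keys

if __name__ == "__main__":
    for eve in (False, True):
        rate, bits = run_session(4000, eve, seed=1)
        keys = pack_aes256_keys(bits) if bits is not None else []
        print(f"eavesdropper={eve} error_rate={rate:.3f} keys={len(keys)}")
```

In this model a clean line shows a zero error rate, while a line where every photon is measured in transit shows roughly 25% errors among the compared bits, so the session is discarded before any key material is used.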

The other limitation of the system is range, which currently doesn't exceed 100 kilometers (62 miles), although they have achieved 250 kilometers in the lab. However, because of the rate at which photons are lost in the fiber, the theoretical maximum is 400 kilometers, Ribordy says. Going beyond that must await the development of a quantum repeater -- which would presumably use the same technology as a quantum computer, he adds.

QKD security, like all security, is not cheap, with an emitter-receiver pair costing about 100,000 Swiss francs (about $97,000), he says.

Safe, at least for now

For the time being, "code-breaking today is an end-run game -- it's all about snatching the user's machine," says Kolodgy at IDC. "These days, if you pull something out of the air, you can't decrypt it."

But the biggest problem with encryption, typically, is the lack of any. "All business-critical data should be encrypted at rest, especially credit card data," says Richard Stiennon at IT-Harvest, a security analyst firm in Birmingham, Mich. "The Payment Card Industry Security Standards Council requires that merchants encrypt it -- or better yet not store it at all. And data breach notification laws don't require you to disclose your lost data if it was encrypted."

And of course, leaving your encryption keys lying around on slips of paper also turns out to be a bad idea.

Lamont Wood is a freelance writer in San Antonio.

Copyright © 2010 IDG Communications, Inc.
