Quantum Cryptography and Extrasys

pdgnews — Tue, 18 Nov 2008 15:13:38 +0000

Quantum cryptography was in the news recently – it’s fascinating stuff, but practically useless in the real world. In cryptography, you can use a key to encrypt data (e.g. a message) so that you can transmit the message to another person over a public network and only have the message read by the person who knows the key – if anyone else intercepts the message, all they will see is gibberish. However, if the key is discovered by a third party and you continue use that key to encrypt messages, the third party can now read them. In order to make it more difficult for someone to intercept and decrypt your messages without you or the recipient knowing about it (the man in the middle attack), you can use a different key each time you encrypt a message – this is called a one time pad (named because keys were initially written down on notepads – the sender and recipient would each have identical notepads and cross each key off as it was used).

If I wanted to encrypt a series of messages with a new key each time, I would need a method to (a) tell the intended recipient which key was used for each message and (b) ensure that only the intended recipient receives the key. Quantum key distribution is just such a method (this is what quantum cryptography actually refers to) and is done by entangling photons – if Bob wants to send Jane a message securely, Bob will have to encrypt the message with a key, send that key via entangled photons over a single piece of fibre optic cable connecting him and Jane, then send Jane the encrypted message (over a computer network, be it copper, fibre, wireless etc…) which she can then decrypt using the key sent via the entangled photons. In quantum physics, there’s something called the Heisenberg Uncertainty Principle – this says that anyone measuring a quantum system, disturbs that system – so if someone is snooping on the entangled photons, the system is distrubed, the key is destroyed and cannot be used by the attacker. As the entangled photons have been disturbed, it also alerts Bob and Jane to the snooping. [This oversimplifies things a little bit, but is the essence of how quantum key distribution works].

So does quantum cryptography solve real world security problems? Not really. Modern cryptography is pretty robust through techniques like public-key cryptography. By using public-key cryptography, even if your message is intercepted, it can’t be decrypted by the interceptor as only the recipent knows the key – even the sender doesn’t know the key. Thus in the world of privacy and security, encryption is not the weakest link – not by a long way – there are easier targets such as computers and networks and other attack vectors such as social engineering.

So what does quantum cryptography have to do with Extrasys? Well, nothing really, apart from the use of one time pads. Let’s step back a moment and look at what happens when someone wants to access their Extrasys desktop.

1. A user opens www.extrasys.com and clicks on the login button.

2. This takes the user to a TLS encrypted web page where:

3. The user is prompted for a username, password and passcode.

TLS (formerly SSL) is a form or public key cryptography used to encypt, or secure, the network between the user and the Extrasys data centre – it’s very difficult to perform a man in the middle attack on a TLS encrypted network connection, so any passwords transmitted over the network are pretty much safe from eavesdroppers. A much easier attack vector is the computer itself. So how do we prevent, or at least diffuse an attack on the computer?

At this point, I should tell you that the passcode mentioned above is a one time pad, generated using modern cryptographic techniques by a keyfob held by the user. The keyfob is pre-synchronised with an authentication system within the Extrasys data centre. Each press of the button on the keyfob generates a new, unique passcode that is only ever used once.

So why use a one time pad? Imagine you want to access your Extrasys desktop from a computer that, unbeknownst to you, has been tampered with – a hacker could have installed a keylogger (via malware or by installing a hardware keylogger between your keyboard and computer) to record every single keypress you make, recording your username, password and passcode (and anything else you type, e.g. credit card details if making an online purchase). If Extrasys didn’t use [one time] passcodes, the hacker could use your username and password to access your Extrasys desktop. However, because of the use of one time pads as an additional security layer, even if your top secret, highly classified password has been discovered, your Extrasys desktop will still be safe from prying eyes.

Retro Future

pdgnews — Wed, 12 Nov 2008 08:00:45 +0000

Software as a Service (SaaS) is pretty hot right now, but it’s not very different from what I was doing in the academic world in the 90′s: Providing remote access to data, email, applications and hosted desktops (though we didn’t call them hosted desktops back then). Basically: remote access to everything you need as a business (or academic department) to function on a day to day basis. It’s also how and why the World Wide Web was born.

This was (and still is) the world of particle physicists – we were way ahead of the IT curve. It was the nature of the beast – you built a particle accelerator somewhere and spent half your life travelling between home and the bottom of a deep, dark hole a thousand miles away. That meant you needed to work from wherever you happened to be. The World Wide Web was invented to share data between physicists across the world. We accessed UNIX (sometimes VMS running on 64 bit Alpha processors) desktops and applications from dumb X terminals hundreds, sometimes thousands of miles away from where the real computer was located (a computer that could support many users all logged in at the same time, in an era when MSDOS and Windows 3.1 was on the corporate desktop). From that desktop, you could write documents, edit spreadsheets and develop software. You could surf the web with Mosaic and send / receive email. Pretty much what businesses do today – except that today, you’re usually tied to your desk in order to do this without compromise.

Want to work from home or abroad? You might have web-mail, be able to access files and emails via a VPN (which can be tortuous on a slow link) or copy documents to a USB drive. Wouldn’t it be nice to do what particle physicists have been doing for 20 years? And wouldn’t it be nice if your business could predict the cost of IT just like you can predict the cost of a phone call? What if you could access your data and applications from anywhere in the world and have it provisioned by someone who would charge you per user per month? And guarantee that your data was backed up. Cash-flow improves, budgeting is easier and you can reduce the size of your IT department. Your IT cost is transparent. And you can work from home when there’s a tube strike or the plumber is coming around, no laptop, VPN or USB drive required.

This is Software as a Service. It’s ingredients are remote access, application provisioning, transparent pricing and paying for your IT on a per user per month basis. And it’s not just limited to web applications (a common misconception) – if someone requires Microsoft Project next month, no problem – they can have it for a month and pay just for that month. It’s as simple as that. Over the coming weeks and months, I’ll cover SaaS in much more detail, discussing how it’s delivered and some of the technology used to deliver it.

SaaS in a Box

Quantum Cryptography and Extrasys

Retro Future