Quantum encryption cracked
Yesterday, it was announced that physicists at the University of Toronto in Canada have successfully attacked a commercial quantum cryptography system for the first time in history.
Quantum cryptography was supposed to be unbreakable. Its guarantee is not that an eavesdropper cannot intercept the photons carrying the key, but that any measurement of them disturbs them in a way the legitimate parties can detect; until now no commercial system had been shown to fail that guarantee.
However, like many other security systems, the technology was built on a number of assumptions, and in the real world not all of them have proved reliable. The assumption the physicists targeted concerns how much noise, and therefore how many communication errors, the system will tolerate before it treats the link as compromised.
To check that the key is still secure, quantum cryptographic systems monitor the quantum bit error rate (QBER) of the exchanged bits, because a high error rate indicates that the transmission is being intercepted. Since errors can never be eliminated entirely, the designers had to pick a tolerance, and the system in question accepted any error rate below 20%.
In practice, however, some errors are always introduced while the quantum states are being prepared, and that extra noise gives an attacker room to mount an "intercept and resend" attack. By measuring some of the quantum bits and re-sending them in a way that kept the observed error rate at 19%, just under the threshold, the physicists extracted key material from a commercially available system without triggering its error-rate check.
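The error-rate check and the partial intercept-and-resend attack described above, as a constructed simulation added here (this is not code from the article or from the Toronto group): it models an idealized BB84 exchange in Python with an attacker who measures and re-sends a chosen fraction of the qubits, then computes the QBER on the sifted key and applies a 20% tolerance. The 20% threshold and the 76% interception rate are assumptions chosen to reproduce the article's 20%/19% figures; the simulation does not model the state-preparation imperfections the real attack exploited, nor the error correction and privacy amplification that a deployed system runs after this check.

```python
"""Constructed BB84 simulation (added example, not code from the original article).

Shows (1) how a QKD system estimates the quantum bit error rate (QBER) on the
sifted key and compares it with a fixed tolerance, and (2) why an eavesdropper
who intercepts and re-sends only a fraction of the qubits can stay under that
tolerance while still learning part of the key. The tolerance (0.20) and the
interception fraction (0.76) are assumptions chosen to mirror the 20% / 19%
figures in the article.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two BB84 bases


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as (bit, prep_basis) in meas_basis.

    Same basis: the prepared bit is recovered exactly.
    Wrong basis: the outcome is uniformly random (and the original state is lost).
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n, intercept_fraction, channel_error=0.0, seed=1):
    """Run one BB84 exchange over n qubits with an intercept-and-resend attacker.

    intercept_fraction: probability that Eve measures (and re-sends) a given qubit.
    channel_error: independent bit-flip probability modelling honest channel noise.
    Returns the sifted length, the QBER, and the fraction of sifted bits Eve knows
    exactly (positions she intercepted in the same basis Alice used; she learns
    which ones when the bases are announced publicly during sifting).
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    eve_basis_used = []  # Eve's basis per qubit, or None if she let it pass

    for i in range(n):
        bit, basis = alice_bits[i], alice_bases[i]
        if rng.random() < intercept_fraction:
            eve_basis = rng.randrange(2)
            eve_bit = measure(bit, basis, eve_basis, rng)
            # Eve re-sends a fresh qubit encoding her result in her own basis.
            bit, basis = eve_bit, eve_basis
            eve_basis_used.append(eve_basis)
        else:
            eve_basis_used.append(None)
        b = measure(bit, basis, bob_bases[i], rng)
        if rng.random() < channel_error:
            b ^= 1  # honest noise: an occasional bit flip on the channel
        bob_bits.append(b)

    # Sifting: keep only positions where Alice and Bob chose the same basis.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    errors = sum(1 for i in sifted if alice_bits[i] != bob_bits[i])
    eve_known = sum(1 for i in sifted if eve_basis_used[i] == alice_bases[i])
    return {
        "sifted": len(sifted),
        "qber": errors / len(sifted),
        "eve_known_fraction": eve_known / len(sifted),
    }


def key_accepted(qber, tolerance=0.20):
    """The check the article describes: reject the key if QBER reaches the tolerance."""
    return qber < tolerance


if __name__ == "__main__":
    for label, f in [("no eavesdropper", 0.0), ("intercept all", 1.0), ("intercept 76%", 0.76)]:
        r = run_bb84(100_000, f, channel_error=0.01)
        print(f"{label:16s} QBER={r['qber']:.3f} accepted={key_accepted(r['qber'])} "
              f"Eve knows {r['eve_known_fraction']:.0%} of sifted key")
```

Intercepting every qubit produces a QBER of about 25%, which the check catches. Intercepting about three quarters of them keeps the QBER near 19%, passes the check, and still gives the attacker exact knowledge of roughly 38% of the sifted key (the intercepted positions where her basis happened to match Alice's). That is the caveat a practitioner should take from the Toronto result: a tolerance is only as good as the assumptions the security proof makes about the implementation, and an attack that sits at 19% is not "nearly detected".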
The Information Security Group of Africa (ISG Africa) maintains that it is best to take a multi-layered approach to security, and that there is no silver bullet to solve complex security problems. What this means is that although encryption has an important role to play in the security of any system, it needs to form part of an overall security strategy, and organisations should be wary of developing a false sense of security just because they have deployed the latest encryption technology.
The South African government has started to take information security issues more seriously, with a salvo of new legislation and regulations released in the last few months. The latest draft legislation to be released by the Ministry of State Security is the Protection of Information Bill number 6 of 2010. This Bill is open for public comment until 25 June 2010 and is designed to improve the level of information security across all non-military government infrastructure.
The Bill will repeal the Protection of Information Act of 1982 and provide for the protection of sensitive information from destruction, loss or unlawful disclosure; and regulate the manner in which information may be protected. It should not be confused with the Protection of Personal Information Bill number 9 of 2009, which is scheduled to go before the parliamentary portfolio committee on 25 May.
The recent introduction of quantum security in South Africa could not have come at a better time, with the comprehensive overhaul of government security legislation that is currently under way. However, this week's security breach comes hot on the heels of a revelation in April of a new memory scraper that reads disk encryption keys out of RAM, where the encryption software has to hold them while a volume is mounted, and so lets hackers bypass disk encryption software without breaking the cipher itself.
For these reasons, the ISG recommends that organisations look beyond disk encryption when implementing solutions to comply with privacy legislation, and ask why it is necessary to allow sensitive personal information to be stored on portable media in the first place.
The Information Security Group of Africa is a registered section 21 company established in 2005 and is not biased toward any single vendor, technology or company. ISG Africa was created in response to the increase of information security threats facing companies in Africa. This volunteer group, which consists of security professionals from corporate, government and IT/legal firms within Africa, aims to provide a monthly forum for the exchange of InfoSec information and experience between members and raise awareness of potential vulnerabilities within organisations.