Sunday, October 19, 2008

Quantum Crypto - Schneier Commentary in Wired

While ordinarily I have to admit I find some of Bruce's stuff a bit... harsh and pointy, I read his recent commentary on Quantum Cryptography in Wired and found myself nodding my head in agreement.

I don't think it's a secret I tend to be a realist when it comes to security, and I often find myself arguing against the concept of "piling on" when there are much weaker links in the chain. Bruce's assertion is that the level of extra security gained from quantum crypto (the assurance that no one is listening in) is great, but we have bigger problems. Well, no kidding!

I can't remember whom I was talking to about this at OWASP '08 (I think it was RSnake... I'm fairly sure) but the other person's assertion was that encrypting/signing stuff is inherently broken for most applications. Interesting, huh? I'm fairly certain it was RSnake (now that I think about it) that said this, referencing MITM (man-in-the-middle) attacks. I include my PGP key in my signature on my personal email - but how do you really know it's coming from me and it wasn't altered along the way? Did I give it to you in person, and did you verify it was really me? See, this builds upon the interesting basic question of how much trust you have in any given system. Do you trust the PGP key-maintenance system? And if you do, why? Think it over for a minute.

Cryptography really depends on the mechanism of distribution of the key(s), and how "trusted" that mechanism is. Within the ranks of the DoD, I imagine but don't have any first-hand knowledge, they've probably built their own key management system that is ~100% trusted (or darn near 100%). But I digress.
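To make the key-distribution point concrete, here is an added example (not part of the original post): a signature check passes against whatever public key the recipient happened to fetch, and only a fingerprint obtained out of band ties that key to the real sender. It uses toy textbook RSA built from fixed Mersenne primes so it runs with the standard library alone; the keys, messages and function names are all constructed for illustration and the scheme is not suitable for real use.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook RSA key from two known primes (illustration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"]}

def digest(msg, n):
    # Hash reduced mod n; no padding, which is why this is only a toy.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(msg, sig, pub):
    return pow(sig, E, pub["n"]) == digest(msg, pub["n"])

def fingerprint(pub):
    return hashlib.sha256(f"{pub['n']}:{E}".encode()).hexdigest()

def accept(msg, sig, fetched_pub, pinned_fp=None):
    """Return (accepted, reason). pinned_fp is a fingerprint the recipient
    obtained out of band, e.g. in person; None means no such check exists."""
    if not verify(msg, sig, fetched_pub):
        return False, "bad signature"
    if pinned_fp is None:
        # The math checks out, but nothing says whose key this is.
        return True, "signature valid, key origin unverified"
    if not hmac.compare_digest(fingerprint(fetched_pub), pinned_fp):
        return False, "fingerprint mismatch"
    return True, "signature valid, key matches pinned fingerprint"

# Constructed sample data: the author's key and a substituted key.
AUTHOR = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**127 - 1)
PINNED = fingerprint(public(AUTHOR))       # exchanged in person
GENUINE = b"genuine message"
GENUINE_SIG = sign(GENUINE, AUTHOR)
ALTERED = b"altered message"
ALTERED_SIG = sign(ALTERED, OTHER)         # re-signed with the substituted key

if __name__ == "__main__":
    print(accept(ALTERED, ALTERED_SIG, public(OTHER)))          # no pin
    print(accept(ALTERED, ALTERED_SIG, public(OTHER), PINNED))  # with pin
    print(accept(GENUINE, GENUINE_SIG, public(AUTHOR), PINNED))
```

Without a pinned fingerprint the altered message is accepted because the substituted key verifies its own signature; the cryptography is intact and the failure is entirely in how the key reached the recipient.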

Quantum crypto is a wonderful theoretical concept - but another one of those things that has very little real application beyond academia. Bummer... neat idea though.
