Quantum cryptography, a new technology until now considered 100 percent secure against attacks on sensitive data traffic, has a flaw after all, Swedish researchers said Friday.
“In computer terms, we’ve found a bug,” said Jan-Aake Larsson, an associate professor of applied mathematics at the Linkoeping University in southern Sweden.
“It was surprising,” he told AFP.
“We didn’t expect to find a flaw,” he said, adding that he and another researcher at the university had also discovered a way to fix the problem.
Many experts hope quantum cryptography will be the answer to growing fears about data security on the Internet, providing a one-off code that would be unbreakable for hackers.
Most sensitive data like money transactions have to date been transmitted over the Internet using a so-called public key, which is considered safe because it consists of a string of some 2,000 data bits and requires enormous calculations to break.
An evolving technology called quantum cryptography has meanwhile emerged as absolutely secure since quantum mechanical objects, according to the laws of physics, cannot be measured upon without being disturbed and setting off alarm bells that the transmitted data has been manipulated.
“If somebody tries to copy a quantum-cryptographic key in transit, this will be noticeable as extra noise. An eavesdropper can cause problems, but not extract usable information,” a statement from Linkoeping University explained.
The technology, which requires special hardware, is considered absolutely airtight and is widely expected to revolutionise the field of secure data transmission.
At the moment, however, quantum cryptography is limited to short-range transmissions and is so pricey that only a handful of banks and businesses have so far begun testing the system.
Contrary to current convictions, Larsson said he and his student Joergen Cederloef had discovered a weakness in the supposedly flawless technology.
To send the key over the quantum channel, you must simultaneously send additional data over the traditional Internet channel, and then verify that the classical data has not been changed through an authentication process, he explained.
While all data traveling though the quantum channel was 100 percent secure, “a gap appears because this is a combined system, which complicates things so much that the usual security system in some cases does not work,” Larsson said.
The problem arises when the system had been running for a long period of time, he said, adding that he and Cederloef proposed adding a so-called handshake between legitimate users.
“All that’s needed is a small addition to the authentication process to fill the security gap,” Larsson said.