enterprise security tips privacy

SecurityTrails Blog · May 07 · by Nicolas Pence

Random and Mysterious - Quantum Security Series - Part 2

Reading time: 12 minutes

Last week we scratched the surface of what quantum information and quantum security are, saw how current encryption algorithms could be broken and explored how to secure a classical SSH protocol tunnel to make it quantum attack resistant.

What’s next? We need to securely communicate our data between locations to avoid being vulnerable due to missing or poor encryption attack vectors.

That’s right, say hello to “quantum networks”.

In this post we’ll dive a little deeper into the random and mysterious world of quantum teleportation and quantum key distribution. We’ll also examine different ways to approach communicating securely in a post-quantum computing world.

We are honestly still in the early stages of using this technology. The currently available links that create private connections between government and universities are similar to those we had during the internet’s infancy.

Quantum networks

Source: History of the Internet, Internet for Historians By Richard T. Griffiths

Quantum telecommunications

Quantum communication is an exciting topic—and it comes with some pretty difficult problems to solve. On the bright side, it promises an increased level of information transmission security to avoid common network security threats such as “man-in-the-middle” attacks, the likes of which have never been seen before. Powered by the randomness of atomic sub-particles’ behavior, endpoints must agree on a set of “true randomized” keys that can encode and decode the information before transmitting.

For quantum transmission to work, particles need to be connected to each other in a special correlation, allowing them to transport information states across a determined distance.

That state should not be altered by the environment, so values don’t get lost along the way. To achieve quantum communication in a secure and reliable way, it follows a few basic principles:

  • It uses photons (light particles) to communicate between nodes.

  • As information states are volatile, it uses quantum repeaters to re-transmit data (this process differs from the traditional optic-fiber repeater).

  • Information must be teleported between endpoints and there should be a post-sent confirmation ensuring there wasn’t any disruption during transmission.

For a little more clarity regarding quantum links, the following image illustrates the different options available today. On the short-distance side there are optic fiber connections; for longer distances, satellite-powered communications.

Quantum telecommunications

So what’s the behind-the-scenes magic that makes this work? Introducing “quantum entanglement”.

Quantum entanglement

Quantum entanglement is a phenomenon that occurs when there is a special interaction between two subatomic particles so that they share a relation between their states (for example spins) that can be revealed when measured.

Let’s say we have two electrons and we entangle them—this can be done in such a way that they have opposite spin values (one is up and the other is down ↑↓), or they can share the same values (both up ↑↑ or both down ↓↓).

Entangled photons dramatization

Entangled photons dramatization.

What’s so special about this? Well, the “connection” between them has some incredibly odd properties:

  • Once-entangled particles could be billions of light-years away from each other and still be entangled.

  • Entanglement, once made, cannot be shared with other parties.

  • When state measurements are made to one particle, it instantaneously affects the state of the other and the resulting value will depend on how they were initially entangled.

  • Photons have a special property that allows them to be fired against a special crystal that produces two entangled photonic particles from a unique one.

  • While theoretically entangled particles can maintain the correlation between them for extremely long distances, they can be easily affected by environmental activities that make their information state collapse.

What can we do with entangled particles regarding telecommunications? We can make them teleport information.

Quantum teleportation

China was the first country to create a successful quantum transmission by teleporting quantum photonic states to faraway locations across thousands of kilometers.

They did this with a satellite code named “Micius” (named after the ancient philosopher Mozi), launched on August 2016 to perform experiments regarding quantum networks and quantum security.

Once this was achieved, they created the first intercontinental quantum link in a joint China-Austria collaboration which tested the exchange of quantum secure cryptographic keys through a satellite relay across thousands of kilometers.

Intercontinental quantum link

And how is this possible? With quantum teleportation, the ability to send data using entangled particles through a determined link. What they transport is their information state from one place to another, and by doing so they immediately lose the state value. After transmission, this communication must be decoded on the other end by using a classical channel, to confirm the way this information must be measured in order to be seen.

It’s important to clarify that what travels is the information only, and not the subatomic particle itself—that would be how teleportation is commonly known in the world of science fiction.

So what’s the next step toward making this work long-distance? Quantum links. As in optic fiber communications, repeaters are designed to allow information to be transmitted a little further whenever information can get lost. Similarly, quantum repeaters face the challenge of making data reach its destination by following the rules of quantum mechanics.

Quantum repeaters

Actual quantum communications allow qubits to be transmitted without losing information. At the time of this writing, links can carry this kind of information a maximum distance of about 100 km, but that’s not yet far enough for useful, commercial purposes.

So what are quantum repeaters? Quantum repeaters are devices that make use of special parity properties regarding particles’ entanglement, where they measure a set of entangled particles and reveal its spin property to, for example, make a statement (equal or opposite).

Quantum repeaters

Quantum repeater dramatization.

Let’s say we have two pairs of entangled electrons, and we know that they have opposite direction spins. We then separate one electron from each pair and bring them to a repository that we’ll call a “repeater”. Once this is done, scientists use a method called “pairing” where they measure both particles against each other and determine if their spin is equal or opposite. Once that’s determined, and as they know beforehand the state correlation between them and their “stay at lab” pair, it’s possible to establish the relation between the particles on each endpoint.

This process is studied so it can be repeated several times for every repeater, allowing it to reach farther distances.

Quantum key distribution

Quantum key distribution is a method that makes use of the properties of quantum mechanics to protect communication between devices, by securely agreeing to a mutual key that allows data to be exchanged privately. This special kind of encryption protocol utilizes this generated shared private key to encrypt data transmission, and with some particular capabilities:

  • Key cannot be cloned; due to the no-cloning principle.
  • Key cannot be eavesdropped; measurement affects the particle’s state.

This empowers communications security by taking these two properties and applying them to information transmission as well:

  • Information cannot be read by a third party; malicious or not.
  • Messages cannot be cloned; due to the no-cloning principle mentioned above.

Encrypted messages between two parties occur after the key generation takes place and that key is exchanged between devices, which will encode and decode that ciphertext into a readable message.

In the event of media tampering, the state of the particle gets affected and the quantum state gets destroyed, making it necessary to re-initialize the state of the network to restore the process. This alone will help you reduce your attack surface exposure at the lowest level possible.

Are quantum networks vulnerable?

The short answer is “yes”. There is available research regarding the stability and security of a quantum network when facing specially crafted attacks, launched to take down the quantum states that allow the network to function.

While these communications are being developed under private links, as in the early days of the internet, the previously mentioned physical tapping methods are still valid, but for DoS attacks instead.

For this reason, post-quantum cryptography adoption is necessary to protect our assets from quantum power cryptanalysis and posterior data inspection.

Post-quantum VPN

Virtual private networks are an excellent way to secure communications between your devices and a secure endpoint of your choosing. With them you can browse the internet from that gateway, or connect two or more different networks in a private way.

In any case, we bring you today a post-quantum VPN concentrator developed by Microsoft Research. It’s a fork version of the extremely popular OpenVPN software that adds the post-quantum encryption Picnic algorithm to the mix.

This customized VPN version is publicly available for everybody to play with, whether you use Linux or Windows. It runs on docker and even includes a raspberry-pi wifi access point package (wouldn’t this be a seriously awesome addition to your SOC office wifi!?).

Following the PostQuantumCrypto-VPN link you can download both OS binaries or source code in case you’re fond of compiling it yourself. We’re going to download both binaries and use Windows as a GUI client and Linux as the VPN server.

Post-quantum VPN

Client installation

On Windows, once downloaded, proceed with executing the binary and accept the permissions requested as well as the creation of TAP interfaces for the VPN to operate.

Client installation

Save the client configuration file from this link as it includes all ciphers required to connect to the server. Once downloaded, place it in the config folder. That’s all for now until we have our server ready.

You’ll need to change the remote line, to place the hostname of your to-be-configured below VPN server.

remote VPN.SERVER.NAME.HERE 1194

Server installation

In case you decide to try the binary package, simply download it from the releases github section we visited.

Download the file and decompress so that all files are placed properly:

wget -q
https://github.com/microsoft/PQCrypto-VPN/releases/download/PQCrypto-1.1/pq-openvpn-linux-staged.tar.gz
tar -C / -xzf pq-openvpn-linux-staged.tar.gz

Once completed, you’ll find openvpn files in the /usr/local/openvpn path where all configuration and binaries are placed. Next, we’re downloading a server configuration sample so we can start the VPN daemon inside the /usr/local/openvpn/etc folder.

cd /usr/local/openvpn/etc
wget -O server.ovpn https://raw.githubusercontent.com/microsoft/PQCrypto-VPN/master/openvpn/config/server-passdb.ovpn

In case you’re curious about the different configuration file options, here is a brief describing the purpose of each:

  • client.ovpn: Client authenticating with a certificate
  • client-passdb.ovpn: Client authenticating with a username/password
  • server.ovpn: Server only accepting client certificate authentication
  • server-passdb.ovpn: Server only accepting username/password authentication

To create a username and a password for your VPN client authentication we will use Linux usernames that should be configured as follows:

useradd -c "<User Full Name Here>" -d /usr/local/openvpn -s /bin/false <username>
passwd <username>

After this you’ll need to setup a CA (Certificate Authority) certificate signing request (CSR), a Diffie-Hellman parameter file and a pair of server certificates (private and public key). While that goes beyond the immediate scope of this post, we can offer documentation regarding this step here.

Once all this is accomplished, you should be able to start your daemon after running the initialsetup.sh script located at /usr/local/openvpn/sbin/initialsetup.sh

Afterwards, you can start/restart/stop daemon like this:

systemctl (start|restart|stop|status) pq-openvpn

If you’re seeking a more secure setup, you can try certificate authentication by reading instructions on how to create them, by following this link.

This is of course an experimental setup, more is needed for a secure implementation. Let it be a challenge for the reader!

Quantum vs. post-quantum cryptography

Why is the discipline of quantum encryption important, or the creation of a quantum internet, when post-quantum encryption is available to protect us?

Some thoughts regarding both topics:

  • Post-quantum encryption is a computational secure scheme that protects data by presenting “difficult-enough” problems to an attacker. To be secure, these algorithms must be well-known and reviewed by the community, which will attack them to confirm their strength. This model is the same as the traditional encryption algorithm models, and the weakness lies between the time the industry will take to create a computer with sufficient power to break them, and the possibility that a foundational problem is found that could introduce the algorithm in an early obsolescence status.

  • Quantum encryption is a completely different beast. It’s based on the fact that you have no information whatsoever to work with; no keys, no data, nothing. The fact that you see the information passing by collapses the whole network state, so its security relies on the absence of useful pieces of data (which could help you build a useful reconstruction for beginning a cryptanalysis).

So even if quantum cryptography promises a better and stronger security protocol foundation for unbreakable communication, it’s far from popular at this point. We’re left with the initial option of protecting ourselves using post-quantum techniques, at least for now.

Conclusions

This time we looked a little further into quantum mechanics and computing concepts that can lead to a brighter future, potentially strengthening communications to the point of resistance to eavesdropping. Links of this kind are currently used by governments and universities, but they’re also commercially available for use over short distances.

For the time being, and while the security of information exchange in network transmissions is paramount, quantum networks and a publicly available quantum internet is far from being ready to use.

As we saw earlier, quantum resistant, virtually made private networks are an effective way to bring stronger security to communications while the use of more advanced technologies becomes available to common users over time.

Continue reading the last chapter of this quantum computing security series: All Things Quantum - Quantum Security Series - Part 3


Curious about developing your own set of infosec tools? Start integrating our intelligence API with your apps to strengthen them with even more powerful capabilities.

And there’s a lot more we can do! To learn about other products that can be integrated with your software or team, contact our sales team and schedule a call today!