News Bits

NIST Special Publication on Key Management, 12/28/09, Press Release from Elaine Barker

NIST is proud to announce the publication of NIST Special Publication (SP) 800-57, RECOMMENDATION FOR KEY MANAGEMENT, Part 3: Application-Specific Key Management Guidance. This SP is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in normal use of the application. Recommendations are given for a select set of applications, namely: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC) and Encrypted File Systems (EFS). The document is available at

Elaine Barker
National Institute of Standards and Technology


26th Chaos Communication Congress
How you can build an eavesdropper for a quantum cryptosystem

This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem. Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during the conference.

Quantum cryptography, being based on the laws of physics, was claimed to be much more secure than all classical cryptography schemes. (Un)fortunately, physical hardware is not beyond evil control: we present a successful attack on an existing quantum key distribution system exploiting a photon detector vulnerability which is probably present in all existing devices. Without Alice and Bob losing their faith in their secure communication, we recorded 100% of the supposedly secret key.

Single photon detectors based on passively quenched avalanche photodiodes are used in a number of quantum key distribution experiments. A vulnerability has been found in which these detectors can be temporarily blinded and then forced to produce a click [1]. An attack exploiting this vulnerability against a free-space polarization based quantum cryptosystem [2,3] is feasible. By controlling the polarization of a bright beam, the eavesdropper Eve can force any detector of her choice to fire in the legitimate receiver Bob, such that she gets full control of it without introducing additional errors. This allows Eve to run an intercept-resend attack without getting caught, and obtain a full copy of the transmitted secret key. We have fully demonstrated this attack under realistic conditions on an installed fiber optic quantum key distribution system. The system uses polarization encoding over 290 m of optical fiber spanning four buildings. A complete eavesdropper has been built, inserted at a mid-way point in the fiber line, and 100% of the secret key information has been recorded. Under attack, no significant changes in the system operating parameters have been observed by the legitimate users, who have happily continued to generate their 'secret' key.

[1] V. Makarov, New J. Phys. 11, 065003 (2009).
[2] I. Marcikic, A. Lamas-Linares, C. Kurtsiefer, Appl. Phys. Lett. 89, 101122 (2006).
[3] M. P. Peloso et al., New J. Phys. 11, 045007 (2009).
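
An abstract model of the point made in the talk abstract above, added here as an example (not the presenters' code or data): ordinary intercept-resend shows up as roughly 25% error in the sifted key, while an eavesdropper who dictates Bob's detector clicks leaves the error rate at zero, so error-rate monitoring alone raises no alarm. The function names, the mode names and the 11% alarm threshold are assumptions of this sketch, and no detector physics is modelled.

```python
import random

QBER_ALARM = 0.11  # assumed abort threshold for the legitimate users


def run_qkd(n, eve=None, seed=1):
    """Simulate n BB84-style pulses (constructed model, not measured data).

    eve: None, "plain" (ordinary intercept-resend) or "detector_control"
    (Eve decides which of Bob's detectors clicks).
    Returns (qber, fraction of sifted bits Eve holds correctly, sifted length).
    """
    rng = random.Random(seed)
    errors = known = sifted = 0
    for _ in range(n):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis          # state travelling on the line
        e_bit = None
        if eve:
            e_basis = rng.getrandbits(1)
            # Wrong-basis measurement gives Eve a random outcome.
            e_bit = bit if e_basis == basis else rng.getrandbits(1)
            bit, basis = e_bit, e_basis      # Eve resends what she measured
        if eve == "detector_control":
            # Assumption: Bob's click (basis and bit) is whatever Eve chose.
            b_basis, b_bit = basis, bit
        else:
            b_basis = rng.getrandbits(1)
            b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if b_basis != a_basis:
            continue                         # discarded during sifting
        sifted += 1
        errors += b_bit != a_bit
        known += e_bit is not None and e_bit == b_bit
    return errors / sifted, known / sifted, sifted


def alarm_raised(qber, threshold=QBER_ALARM):
    """True when the legitimate users would abort on error rate alone."""
    return qber > threshold


if __name__ == "__main__":
    for mode in (None, "plain", "detector_control"):
        qber, known, sifted = run_qkd(20000, eve=mode)
        print(f"{str(mode):17} QBER={qber:.3f} eve_knows={known:.3f} "
              f"sifted={sifted} alarm={alarm_raised(qber)}")
```

In this model the only difference between the detected and undetected cases is whether Bob's measurement is independent of Eve's, which is why the detector, rather than the protocol, is the component to harden and monitor.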

Ars Technica, RSA Challenge Modulus, 768 Bits, Factored, by John Timmer, January 10, 2010

Using some new advances in practical factoring methods, an international team has factored a 768-bit challenge number, a number of the kind typical in public key cryptography. The team published a technical report explaining their work.

German government warns against using Microsoft Internet Explorer
By Daniel Emery
Technology Reporter, BBC News

The BBC News article reports that a serious flaw in Microsoft's Internet Explorer has been utilized in attacks against Google's Gmail, and especially against Chinese dissidents. Because there is as yet no patch for the problem, the German government issued a statement advising its citizens to find alternative browsers.