igor - Fotolia
I've read quantum key distribution (QKD) will help secure smartphones and tablets. Can you explain what QKD is and how it can help improve mobile security?
Anyone wishing to send an encrypted message has the problem of securely passing the key needed to decrypt the message to the recipient. In the past, this has involved using trusted couriers, diplomatic bags or some other channel -- all of which required making prior arrangements before the message could be sent. This "key exchange problem" was solved with the development of public key cryptography and the Diffie-Hellman method of exchanging cryptographic keys. These are widely used for securing communications over the Internet and Wi-Fi, as they allow two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Public key cryptography depends upon the existence of so-called "one-way functions" (or mathematical functions) that are easy to compute, but their inverse function is relatively difficult to compute (such as mathematical problems inherent in certain integer factorization, discrete logarithm and elliptic curve relationships). As computer processing power increases, so must the difficulty of these functions -- otherwise what was once a secure method of exchanging keys becomes susceptible to attacks. This is why Microsoft and others are forcing a move to 2048-bit keys as longer keys provide stronger encryption. The National Institute of Standards and Technologies speculates that 2048-bit keys will be valid up to about the year 2030.
However, note that public key cryptography can't provide any indication of eavesdropping or guarantee of key security, so if an attacker can break in on the key distribution process, they can circumvent the need to solve a mathematical problem to obtain the key.
Quantum key distribution relies on the foundations of quantum mechanics to provide key security as well as a way to detect eavesdropping attempts on the key exchange process. By exchanging bits encoded in a quantum system (typically a photon), two parties can generate a shared random secret key known only to them to encrypt communications. If a third party tries to obtain the key during this process, it must measure the photons, which will disturb the system and introduce detectable anomalies. This opens up the possibility to have a communication system that inherently detects eavesdropping.
The reason QKD is not widely used in enterprises is because of the cost of equipment and the lack of a real threat to existing key exchange protocols -- although this assumption may need revisiting in the light of revelations about the NSA's activities.
In addition, how far QKD can help improve mobile security is unclear. Miniaturizing the hardware involved isn't a long-term problem, nor will boosting its performance. However, detectors sensitive enough to measure individual photons tend to be expensive. A simple client/complex server model would shift most of the burden to a central server while requiring less expensive hardware from the client (such as a single-photon source to send randomly generated bits directly into an optical fiber connected to the server). The infrastructure for fiber-optic networks exists in many countries, but cost and convenience will determine which sorts of devices end up benefiting from this form of encryption. It's not entirely clear how much value there is in a handheld device that needs to be plugged into a fiber-optic cable for security.
Ask the Expert!
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)
Learn more about encryption and cryptography
View this guide on mobile encryption techniques
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading