# Laser security coming to you?

Later this month at a conference in California, Dr. Jacob Scheuer of Tel Aviv University's School of Electrical Engineering will unveil a new strategy called the UFL (Ultra-Long Fiber Laser) to defend against hackers. Using fiber optic and computer technology, Scheuer's system uses binary lock-and-key data sent via light pulses that can be unlocked only by the receiver and sender.

The foundation of this system is a new laser invented by Scheuer that, he asserts, improves on current quantum key distribution schemes because it is simpler, faster, allows for longer communication links and is less expensive.

To explain how it works, he began by introducing an analogy:

Imagine a large justice scale with one side at Alices's home and the other in Bob's room. Both A and B have a set of two weights, say 1kg indicating "0" and 2kg indicating "1". When A and B want to exchange a bit they both randomly pick one of their weights and place it on their side of the scales. If they picked different weights, the scales tilts and Eve, who observes the beam of the scales, can tell which weight was picked by each user. In this case, the bit generation or transfer was not secure and it is discarded. However, if A and B picked the same weight, the scales remain balanced and Eve can only tell that A and B picked the same weight, but not which one! A and B do know which one was placed the scales and therefore they have managed to securely exchange a bit ("0" if it was the 1kg and "1" if it was the 2 kg).

The UFL works in a similar fashion. The two weights are like the two mirrors at lambda_1 and lambda_2. When A and B want to exchange a bit they picked one of the mirrors and connect it to the laser. If they picked the same mirror then the laser would lase at either lambda_1 or lambda_2 depending on the mirror picked. These are the non-secure scenarios because Eve can determine the choice of mirror according to the lasing wavelength. However, if A and B picked different mirrors, the laser would lase at the mean wavelength regardless which user picked lambda_1 and which picked lambda_2. These are the secure states because Eve cannot determine the choice of mirrors while A and B can. Note that the secure cases are opposite to those of the scales but I suppose the idea is clearer now.

Whenever the bit exchange attempt was secure, A and B keep the bit and when it was not they discard the result. This way, they can construct a random string of bits which can be used as the secret key

It is better than current QKD schemes by the fact that it simpler, faster, allows for longer communication links and less expensive.

If it's done right, the system could be absolutely secure, he added. “Even with a quantum computer of the future, a hacker couldn't decipher the key.”

Rich Baich, principal for security and privacy, Deloitte and Touche, said using fiber optics to operationalize information security is definitely possible. Anytime a new technology is introduced that improves an existing process and security posture, one would assume the advancement would be beneficial. However, he warned, one must always consider risk versus reward. Plus, based on computing power and skills, there is no such thing as a foolproof encryption system, he said.

"Fiber optics have helped advance many forms of network transmission, as well as make them more secure than traditional cooper wire," added Baich. "This discussion seems to use the fiber concept and effectiveness to attempt to improve security. Any advancements to improve the confidentiality, integrity and availability of data are always welcomed; however, one must always way the risk and operational effectiveness of new technologies."

Ari Juels, chief scientist and director of RSA Laboratories, had his doubts as well. “There are limitations to any system of this kind. It tethers key exchange to a physical medium. It also requires an authentication infrastructure; otherwise Eve can potentially insert her own mirror and deceive Alice or Bob into accepting the wrong key.”

Research such as this is extremely interesting because it provides insight into the principles underlying communications and information theory, but it's not going to solve the problem of securing data on the internet, said Paul Kocher, president and chief scientist at Cryptography Research. Optical and quantum mechanical approaches don't work with packet switched networks, he pointed out.

There are a number of reasons why optical and quantum mechanical approaches are not practical, he said, including: They don't work with packet switched networks. There are not many applications where it's plausible to run special optical links between every pair of devices that might ever need to communicate. (Conventional cryptography allows devices to communicate securely irrespectively of what equipment lies between them. In contrast, optical and quantum mechanical approaches require that the endpoints of each optical link be completely trustworthy.)

As well, Kocher explained, security applications require the certification and authentication capabilities that only public key systems can provide. In addition, the proposed approach is only usable for key negotiation, so the approach isn't really an alternative to conventional cryptography.

Further, Kocher said implementation weaknesses are the overwhelming problem in computer security today. Exotic methods like this introduce new ways that things can go wrong that aren't understood.

"Even if an exotic communications security technology's underlying theory is valid (e.g., is based on well-accepted quantum mechanical properties), nobody knows how to test whether a given implementation actually meets the security objectives," said Kocher. "Security flaws in several quantum cryptographic implementations have been found, so this is not a hypothetical concern. In contrast, well-designed systems using mathematical-based cryptographic methods can be very robust, and have (reasonably) well-understood failure modes and testing requirements. As a result, switching to a system whose security depends on subtle low-level implementation properties (like ensuring there are no stray photons) is not an improvement from an overall security perspective."

However, Kocher said, research such as this is extremely interesting because it provides insight into the principles underlying communications and information theory.  "But it's not going to solve the problem of securing data on the internet."

Mark Lobel, principal, advisory services, PricewaterhouseCoopers, said Scheuer's system sounds a little like an SSL key exchange used for web transactions, but he's not sure. He had questions, such as how big is the encrypting/decryption device and what scenarios do they see this used for?

If it were to be used for consumer web shopping to protect transactions, it would take a massive build-out to distribute the technology and justify why SSL is not good enough to justify the cost, said Lobel.

He also wondered whether users on the system would need a direct fiber connection to the PC? "If so, that does not exist today," he said, "as most commercial fiber implementations are to consumer premises, but inside the house they use a non-fiber connection, like 10 or 100 base T wire or an 802.11x wireless network. Also, how would this work to secure mobile connections over GSM/CDMA/3G/4G wireless networks?"

Lobel had other questions as well, including: does this just protect data in transit or is there a way to use this to protect data at rest?

"Most credit card incidents occur when a database (data at rest in a company) is breached, not while in transit from the consumer to the retail website," he said.

Scheuer and his team are not yet in discussions with any vendors to produce this. “We are still in the development phase,” he says.