Cryptography

Quantum Cryptography (a background)

In this article I hope to illustrate some of the ideas behind the strange topic of Quantum Cryptography, though I won't be discussing cryptography itself, that comes later - just the necessary physics. First we must consider the nature of light (this can be generalised to any particle once we get all quantum mechanical, but let's stick with light for now).

Classically, light can be thought of as a wave. It's a transverse wave meaning that the 'oscillations' of the thing doing the waving are at right angles to the direction that the wave is travelling in. Another example of transverse waves are waves on the surface of water.

Picture showing waves horizontally and vertically polarised

These oscillations defined a 'plane' in which the waves are oscillating, and this plane can be oriented at any angle. Waves on the surface of water are vertically polarised. Though the plane of polarisation can be any angle, it is convenient to pick two planes which are at 90 degrees to each other. We can express any polarisation by talking about how much of each is present. Hence, we can talk of 'vertical' and 'horizontal' polarization. Here is an applet which demonstrates this.

You can see polaroid filters in action if you have a pair of polaroid glasses (often sold as 'anti-glare'). Find a light shining on a surface such as a desk. You don't want to be 'square on' to the surface, the light should be bouncing at an angle, 45 degrees is a good start. For the most obvious effect, don't use a mirror.

Look at the surface through your polaroid glasses, then rotate them 90 degrees, and keep looking. You should see the glare change in brightness. You will find that polaroid glasses are best at reducing glare from horizontal reflections when held normally. (See: Brewsters' Angle)

If you use your glasses for driving, you may find that you have trouble with the LCD screens on petrol pumps, this is because the LCD screen relies on polarising light!

If you take a polarised filter, this will ensure that all the light which passes through has the same polarisation. Classically, if a particular wave comes in with an amplitude of A, and a plane of polarisation at angle θ to the plane of polarisation, the amount of light which emerges has amplitude Acosθ.

Picture showing the effect of multiple polarising filters

Suppose that we have two polaroid filters. Unpolarised light hits the first and emerges polarised. It emerges with amplitude, A (on average). This light hits the second filter. The two filters have an angle θ between their planes of polarisation - the amount of light which emerges is Acosθ. So, if the filters are aligned, the second filter has no effect. If it is turned 90 degrees, no light emerges (note, if it is turned 180 degrees, it has no effect - the sign of the amplitude doesn't matter, it's not 'negative light'!)

(Note that for real filters, there is a little scattering, so 90 degrees doesn't give total black, and zero degrees does give some reduction in intensity)

Imagine we have two filters, aligned at 90 degrees. No light emerges. This is because the cosine of 90 degrees is zero.

Now, insert a filter at 45 degrees between the two. What happens? More 'stuff' can only make the amount of light getting through smaller, right? The cunning reader will have assumed that I wouldn't ask the question if the answer were obvious. Some light emerges. In this circumstance, two filters allows through less light than three.

This counterintuitive result is easily explained. Imagine the second filter is at an angle of θ compared to the first.  The third is at 90 degrees. In other words, the angle from the second is (90-θ). From the first filter, we have light with amplitude Acosθ. This is then reduced by the third filter by cos(90-θ). The overall light intensity is now Acosθ.cos(90-θ) or Asinθcosθ, this reduces to A(sin2θ)/2. In other words, we get most light out when sin2θ=1, or when 2θ=90°, or when θ=45° 

The newly inserted second filter is changing the polarisation of the light.

Take your time on polarisation, it's important that you understand the above if you're to comprehend subsequent articles. We'll put this aside for a while, though - the next step is to talk about photons.

Mythbusters Gagged

Adam Savage, of the excellent 'Mythbusters' programme(*) reports that they were going to do a segment on RFID chips only to have the lawyers descend from Visa, American Express etc.

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it.

A great quote from the video:

You do have about 3000 people in the room who aren't under such legal arrangements.

The full video is here, and starts with a great talk from Savage about his obsessions.

The point is that keeping the information 'secret' does not stop the bad guys getting it - it stops the rest of us knowing that our information is insecure. If you're reliant on security by obscurity you have no security at all. Given that RFID is a widely distributed technology, the RFID chips should be able to withstand full scrutiny if they're to be trusted for the purpose.

They can't withstand that scrutiny, as evidenced by the reaction of the lawyers, and by this video.

With a bigger antenna on this I can go into Starbucks and get the [details] of everyone there.

It's a shame discovery didn't feel able to nod at the lawyers, and then make the programme anyway - including the conversation with the legal people. Still, when you're depending upon ad revenues, it's not as easy as all that - at least in the short term. A good argument for the BBC TV Licence!

(*) Although the announcer in the UK does often mix concepts of mass, pressure, force etc. Not sure about the guy in the US - the people in the show sometimes do this too, but that comes across to me as more of a 'shorthand' - as they obviously know the difference!

Bank unilaterally changes password

Just seen a funny, but worrying, story on the BBC, a man who had the password 'Lloyds is pants' on his bank account had it changed by the bank to 'no it's not'. It was changed as it was 'inappropriate'. He tried to change it to 'Lloyds is Rubbish' - or 'Barclays is better' but this was not allowed. He tried 'censorship', but was told his password had to be six letters or less!

  1. "No it's not" is more than six letters.
  2. A bank suggesting a password that's seven letters long is too long is sadly mistaken
  3. Why was an employee at the bank even able to see the whole password?

When the password is set, it should be done by having the customer enter it secretly in the branch, at the time the account was opened. If done by post, then it should be by an anonymised form which bears a reference number allowing the computer to tie the password to the account, but not for the person entering that password to know the account.

Anyone employee needing to verify a customer should be told by the computer to ask for the 'second, tenth and eleventh' characters of the password, they should enter them - but not be able to see the characters before a correct verification (so if just one letter is wrong, the employee can't know what two were).

At no time should an employee be able to link a full password to an account. The only time an employee should even see a full password is if they're in the section of the head office which handles the anonymised forms.

Unless I've overlooked something, this seems indicative of a security flaw... and as someone with shares in the bank concerned, it worries me. I've written to the bank to try and find out what's happening here.

The bank said: "It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission. "

Stupid Security

Privacy International has opened up nominations for the 'Stupid Security Awards 2006'.

The Stupid Security Awards is an open competition run by Privacy International to discover the world's most pointless, intrusive, annoying and self-serving security measures. The awards aim to highlight the absurdities of the security industry. The awards were first staged in 2003 and attracted over 5,000 nominations from members of the public from around the world.

The competition is judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists. Together they decide on the following award categories:

  • Most Egregiously Stupid Award
  • Most Inexplicably Stupid Award
  • Most Annoyingly Stupid Award
  • Most Flagrantly Intrusive Award
  • Most Stupidly Counter Productive Award

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessary into our private lives and often reduce us to the status of cattle.

It's hard to know just where to start, but the recent scares about airports have lots of possibilities, for example the reduction in hand luggage size - as if someone could smuggle something nasty in slightly larger luggage, but not slightly smaller. In addition there's the fact that liquids can't be taken through security - but can be bought on the far side of security but not if travelling to the USA, bottles of water bought at the airport are much more dangerous when flying to the US. Obviously.

There's also the whole idea that ID cards will axiomatically make us secure (potential terrorists would have valid ID too).

The full announcement is here, and says:

The airline industry is the most prominent offender, but it is not alone. Consider the UK rail company that banned train-spotters on the grounds of security (e.g. see this article(external). Or the security desk of a US office building that complained because paramedics rushing to attend a heart-attack victim had failed to sign-in. Or the metro company that installed a $20,000 biological weapons/gas detector and placed it openly next to a power plug so terrorists could conveniently unplug the device.

In 2003, the final list was published with this leading paragraph:

"The extraordinary number of nominations indicates that the situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over".

Cryptography

I've begun the process of moving a sub-blog into the main blog as a sub archive. I've imported the posts already, and will now need to go through and check that all is well in terms of images etc (I can almost guarantee it won't be). Once I've fixed whatever needs fixing, I shall be redirecting the RSS feeds for the sub-blog to the CATEGORY feed of the new section. This should be seamless for folks reading cryptography - though they may get a one-off glitch of old posts appearing as new when it changes over.

People reading the main blog might get a few extra posts on cryptography (you can always sub to category feeds if you don't like this!) There won't be many though, as I've been all cryptography'd out for a while.

Update: Everything looks good, too good. It turns out that my bad habit of absolute links has saved me. No biggie at the moment, but at some point I really must put that to rights. The feeds have been redirected, and if you're reading this via an old crypto feed then all is well. You will continue to see crypto stuff only (but a full feed, which includes crypto stuff) is available. The reason for this change was that most of my posts have been non-crypto of late and the crypto part was 'out of sight, out of mind'.... now it is back 'in sight'.

Why is Cryptography Important?

Cryptography seems quite an esoteric subject, yet it is fundamental to our world in so many ways. When people think about cryptography, assuming they have heard the word, they will tend to think of 'cloak and dagger' stories, of spies and battles, of secret liaisons amongst lovers and all sorts of high drama.

Of course, there are plenty of examples of this sort of thing in history, from Babington writing in code to Queen mary, to the Allies cracking the German Enigma code, to the Rosenberg trials in the states.

However, cryptography is essential in everyday life. When you buy from a site such as amazon you are relying upon public key cryptography to keep your credit card details safe. When your operating software automatically updates over the internet it too will use a public key algorithm to check that the update it is about to install was really published by the right people, and not by someone trying to get into your computer.

Without cryptography cash machines would not be possible, as the machines would not be able to reliably communicate with the bank computers. Without cryptography, even the idea of electronic voting would not be possible (though they are making a mess of the new systems in the US).

Cryptographic ideas can also be used in making message easier to decode - without these ideas we would not have error checking capabilities on communications lines, and the internet would run much more slowly. We would not be able to reduce redundancy in a message and hence compress it, thus negating popular archival programs such as 'zip'.

All of these ideas, making messages compact, error resistant, secure (or all of the above) are related to cryptography.

Without cryptographic ideas, you would not be able to read this website.