By Alex Salkever
In a dark, quiet room inside the Cambridge (Mass.) labs of Verizon (VZ) subsidiary BBN Corp., network engineer Chip Elliott is using the laws of physics to build what he hopes will be an unbreakable encryption machine. The system, which sits atop a pink heat-stabilization table, is designed to harness subatomic particles to create a hacker-proof way to communicate over fiber-optic networks.
To build his black box, Elliott and his team of co-researchers have used off-the-shelf fiber-optic gear such as lasers and detectors, which he has tweaked to do unusual things. The goal is to reliably emit and detect single photons or tightly linked pairs of photons -- the key particles in light waves. It's all part of a leading-edge information-security field known as quantum cryptography.
Over the next few years, Elliott and others in the field may turn the information-security business on its ear. Quantum cryptography could make the secret codes that protect data transmissions far more difficult to decipher -- an important feature for financial-services companies, telecom carriers, and governments. Quantum cryptography may also quickly alert systems administrators to the presence of cybersnoops, whether they be hackers, fraudsters, or corporate spies.
OBSERVED -- AND ALTERED. In theory, that will all be thanks to Heisenberg's Uncertainty Principle. This basic law of physics, postulated in 1927 by German physicist Werner Heisenberg, holds that the mere act of observing or measuring a particle will ultimately change its behavior. At macroscopic levels, humans don't notice this law. Put your leg inside an MRI machine, for example, and it doesn't come out noticeably different. But at the atomic level, the MRI's application of strong magnetic forces alters the trajectory and spin of the electrons that are orbiting atoms inside your body.
Messing with photons in a data stream will have the same effect. Under the laws of quantum physics, a moving photon has one of four orientations: vertical, horizontal, or diagonal in opposing directions. Lasers can be modified to emit single photons, each possessing a particular orientation. Photon detectors -- such as a hacker might use -- can record that orientation. But according to Heisenberg's principle, doing so will change the orientation of some particles. That will tip off the sender and the receiver, who can reencode their transmission or switch to a different communications line to avoid eavesdroppers.
Scientists have been working on the concepts behind quantum cryptography for three decades. After a long journey from chalkboard to lab to working prototype, the field is on the verge of a breakout. A Swiss firm, ID Quantique, introduced the first commercial quantum cryptography products last summer. Sometime this summer, MagiQ Technologies in New York City is expected to unveil its Navajo quantum cryptographic system. Several communications companies are currently testing Navajo on their networks, and researchers in the field say the U.S. government could already be using quantum cryptography to secure communications.
IN THE LOOP. In fact, the Defense Dept. is funding numerous quantum cryptography experiments as part of its $20.6 million quantum information initiative at the Defense Advanced Research Projects Agency (DARPA). MagiQ estimates that the market for quantum cryptography will hit $200 million within the next few years. It sells its quantum cryptography units for $50,000 apiece.
BBN, meantime, is building a test network funded by DARPA that will allow multiple parties to tap into a fiber-optic cable loop secured by quantum cryptography. "Rather than having one link protected by quantum cryptography, we imagined a big service where everyone could connect to everybody else," explains Elliott. And at Los Alamos National Laboratory in New Mexico, quantum cryptography researcher Richard Hughes already has run experiments proving that photon detectors can pick up a single photon shot through the air. This could ultimately lead to a role for quantum cryptography in securing satellite communications.
And yet quantum cryptography remains an immature technology. Researchers have only been able to send photon signals for limited distances -- 100 kilometers or less -- over fiber optic cables. Photon detectors aren't particularly reliable, either. They often signal that they've detected a photon when one never arrived. "As much as possible, you want to suppress spurious signals," explains Donald Bethune, a quantum cryptography and photonics expert at IBM's (IBM) Almaden Research Center. "Just having the detector running in an environment that's too warm can cause this problem." To some degree, scientists can compensate for such flakiness with super-cooled detectors and error-correction software that can sift through the noise and pick out the valid signals.
STOLEN KEYS. Another problem, for now, is that bursts of single photons move too slowly to be an effective means of real-time data exchange. Once errors are factored in, most quantum encryption systems move data at a rate of 1,000 bits per second or less. This is 1/10,000 the transmission speed of today's fastest systems. For that reason, MagiQ and ID Quantique hope to use quantum cryptography initially to securely distribute secret numerical keys. Nearly ubiquitous in computer security today, these keys are required to decode data encrypted by traditional means -- using mathematical equations to obscure the plain text of messages.
Key distribution has long been a weak link of digital encryption. Hackers who get their hands on secret encryption keys can intercept and read a data stream without the violated parties finding out. "Digital keys can be copied with 100% fidelity and an insider could sell the key to a criminal or some corporate espionage operative and create a vulnerability in the data being transmitted," says Robert Gelfond, CEO of MagiQ.
A key distributed via quantum cryptography, however, would be all but impossible to steal. If a bank pairs a quantum cryptography system with a classical encryption system, then the quantum unit can be automated to pass fresh, secret keys from the sender to the receiver with assurance that no one has read those keys. It can do so as often as several times a second without slowing the data transmission. Since the key exchange is automated with quantum crypto, it's also much easier to work with than existing key-exchange mechanisms, which require more human intervention.
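The eavesdropper detection described earlier (recording a photon's orientation disturbs some photons) and the key distribution described above can be simulated together. This is an added example, not code from the article or from any vendor's product; it assumes the BB84 protocol, which the article does not name, and the `threshold` value and function names are constructed for illustration.

```python
import random

BASES = "+x"  # '+' = vertical/horizontal pair, 'x' = the two diagonals

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis as preparation: the bit is read correctly.
    Different basis: the outcome is random and the original state is lost."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_bb84(n_photons, eavesdrop, seed=0):
    """Simulate one exchange; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)  # sender
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Intercept-and-resend: the tap must guess a basis, and the
            # photon continues in whatever state the tap measured.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice(BASES)                           # receiver
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:  # sifting: keep matching-basis positions only
            sifted += 1
            errors += (b_bit != a_bit)
    # Simplification: all sifted bits are compared here; a real system
    # discloses only a random sample and keeps the rest as key material.
    return sifted, (errors / sifted if sifted else 0.0)

def channel_is_clean(error_rate, threshold=0.11):
    """Constructed policy: discard the key if the error rate is too high."""
    return error_rate < threshold

if __name__ == "__main__":
    for tapped in (False, True):
        length, qber = run_bb84(20000, tapped)
        print(f"tapped={tapped} sifted={length} error_rate={qber:.3f} "
              f"accept_key={channel_is_clean(qber)}")
```

An untapped, noise-free channel yields a zero error rate, while a tap that measures every photon pushes it to roughly 25 percent, which is the signal the two endpoints use to reject the key.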
SIMPLE TO USE. None of this will matter if an enterprising hacker has put a keyboard-sniffer program on your machine to detect your keystrokes. Still, quantum cryptography will provide a new layer of safety for those for whom paranoia is an essential fact of life -- the kind of people who inhabit banks and the Defense Dept. While the concept and execution of quantum cryptography remain complex, apparently the technology, even in its immature state, is ready for prime time.
Jim Capuano is the operations director at NEON Communications, a Boston-based fiber-optic bandwidth retailer with 80 major customers along the Northeast Corridor. His company test-drove MagiQ's system earlier this spring, and he came away impressed. "It's a very simple product to configure," says Capuano. ID Quantique likewise has customers up and running on its system. The computer world just might be witnessing a new and intriguing phase in the history of cybersecurity.
Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.