AndrewB

Sometimes I just disagree with research...


http://www.heraldsun.news.com.au/common/story_page/0,5478,15123393%255E11869,00.html

Researchers at Melbourne University are growing diamond particles on optical fibres to transmit information they say will be impossible to hack.

Okay...

At the moment, when information is sent electronically, such as credit card details, it is encrypted and then decoded at the other end, but the information can be stolen along the way.

These people seem to miss the point. When data is encrypted, it DOESN'T MATTER if someone else sees it. It's a garbled, incomprehensible mess in its encrypted state.

"They're stealing a coded message and then if they have very powerful computers they can start to try to crack the code," he said.

"Computers are getting faster and faster so codes have to get better."


Not really. With encryption, all you have to do is add one bit and your data is twice as difficult to decode. With modern 1024-bit encryption, this is a complete non-issue. The greatest encryption level ever broken by a human-made computer is somewhere between 50 and 60 bits.


"But our technique exploits quantum mechanics. This allows you to communicate in total secrecy, with unhackable codes."

There is a deadly flaw in their logic. They mention credit card transactions over the internet, and then they mention their technology. They're directly implying that their methods can be used to make credit card transactions more secure.

This seems impossible to me. Information is sent over the Internet through a series of routers. Each router needs to make an educated guess as to where to send the signal next to get it to the destination. The Internet does not run on direct paths from sender to receiver, and it can't. That's why private information such as credit cards and e-mail must be scrambled before they're sent. You cannot base security on hiding your signals entirely.

In more technical terms, they've developed a layer 1 and 2 solution for message secrecy, but the Internet operates on 7 layers, and it's generally layer 6 that handles security.

Being able to grow diamonds has its advantages, but the ability to send credit card numbers is NOT one of them. These people may know a lot about quantum physics, but they seem to know nothing about the way the Internet works.


Read the part that says "credit card details." They're directly implying eBay, e-commerce sites, etc. What else could they possibly mean?


That part is not part of a quote. It appears to be the journalist's commentary, and may have no basis in what the researchers said.

Journalists are notorious for their inability to get things right.


When information is encrypted it's normally based on one or more keys. In the case of SSH, for example, once you connect to the server your SSH client generates a 256-bit key which is encrypted using 1024 and 768 keys from the server (host and server keys, the 256-bit key is the session key). The host key is public and the server key changes hourly.

If the server key becomes compromised somehow (not easy to do, but probably possible), and since the host key is public you can essentially gain access to the session key in this way and decrypt any packets you intercept without the client or server ever noticing.

Also keep in mind people that do petty hacking for stealing credit card information are not usually professionals. Guys that work for the government are often the best of the best, and tactical military information (for example) is a hell of a lot more sensitive than some schlub's credit card number.

Brute forcing the encrypted packets is almost never the best solution since it can take forever. The current system is fine for the internet, but it's not impossible to get to encrypted information.

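The key exchange described in the post above, as a toy model (an added example, not part of the original thread). It shows that recorded traffic opens only with both private keys, and that rotating the server key closes off older captures. Assumptions: textbook RSA without padding, Mersenne primes, a 128-bit session key and a hash-based XOR keystream stand in for the real primitives, and `make_key`, `wrap`, `unwrap`, `xor_stream` and `demo` are hypothetical names.

```python
# Toy model of an SSH-1 style session-key exchange (constructed example).
# Assumptions: textbook RSA without padding, Mersenne primes as factors,
# a 128-bit session key, and a SHA-256 XOR keystream as the "cipher".
import hashlib
import secrets

E = 65537

def make_key(p, q):
    """Return (public, private) textbook RSA keys built from primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def wrap(session_key, server_pub, host_pub):
    """Client side: encrypt with the smaller (server) key, then the host key."""
    inner = pow(session_key, server_pub[1], server_pub[0])
    return pow(inner, host_pub[1], host_pub[0])

def unwrap(blob, server_priv, host_priv):
    """Server side: undo both layers, which takes BOTH private keys."""
    inner = pow(blob, host_priv[1], host_priv[0])
    return pow(inner, server_priv[1], server_priv[0])

def xor_stream(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(16, "big") + bytes([counter])).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo():
    host_pub, host_priv = make_key(2**127 - 1, 2**521 - 1)   # long-lived host key
    srv_pub, srv_priv = make_key(2**89 - 1, 2**107 - 1)      # rotated server key
    session_key = secrets.randbits(128)
    # What a passive eavesdropper records: the wrapped key and the traffic.
    blob = wrap(session_key, srv_pub, host_pub)
    packet = xor_stream(session_key, b"constructed sample payload")
    # Case 1: both private keys are known, so the recorded packet decrypts.
    both = xor_stream(unwrap(blob, srv_priv, host_priv), packet)
    # Case 2: the server key has rotated and the old private half is gone;
    # the host private key plus the NEW server key does not open the capture.
    _, new_srv_priv = make_key(2**61 - 1, 2**31 - 1)
    stale = unwrap(blob, new_srv_priv, host_priv) == session_key
    return both, stale
```
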
AndrewB said:

Okay, you might be right. Anyway, we can still make fun of the journalist.


Of course. Journalists are quite bad at technology-related facts, I find, which really makes me wonder how much of the other stuff I don't know as much about they also get wrong :/

Cyb said:

If the server key becomes compromised somehow (not easy to do, but probably possible), and since the host key is public you can essentially gain access to the session key in this way and decrypt any packets you intercept without the client or server ever noticing.

The key word is IF. Yes, if someone gets the server's private key, then information could theoretically be siphoned without the two parties ever knowing. But this is so unrealistic and unlikely that it is not a concern.


Brute forcing the encrypted packets is almost never the best solution since it can take forever. The current system is fine for the internet, but it's not impossible to get to encrypted information.

It doesn't have to be impossible; it's so unlikely to brute force successfully that it's a complete non-concern, in much the same way that an asteroid can strike Earth and kill everyone at any time, but is so unlikely that it is of no concern.
