Researchers at Toshiba have developed a method that they say makes it possible -- barring a change in the laws of physics -- to make the distribution of encryption keys across a network absolutely secure.
Their system, which was unveiled at this week's NanoTech 2007 exhibition in Tokyo, builds on quantum key distribution, which has been the subject of research and development work for some time because it promises to make possible the secure distribution of encryption keys across a network. Currently encryption keys must be sent offline, typically on physical media in tamper-proof packages, to ensure their integrity.
"With quantum key distribution we can guarantee unconditional security of the key," said Andrew Shields, quantum information group leader at Toshiba Research Europe. "What that means is it's secure from all advances in mathematics, engineering and computing."
Using the system, each bit of an encryption key is encoded on a single photon of light. The quantum state of a photon is changed once it is read, so if an eavesdropper snoops the key while it is being distributed, the action is immediately noticeable by the intended recipient, and the key can be discarded as insecure and a new one sent. Thus it's possible for encryption keys to be securely distributed across a network and for Shields to make such a bold statement.
Or at least that's the theory.
In practice it is very difficult to control a laser so that it reliably generates a single photon of light with each data pulse. The power can be turned down so that a single photon is emitted almost all the time, but occasionally two or more photons are produced. That opens the possibility for an eavesdropper to read the second photon while allowing the first to continue on its way. Such an attack wouldn't be detectable.
The Toshiba scientists say this can be guarded against by transmitting decoy photons. For these, the power of the laser is ratcheted down even further so that fewer photons are produced and proportionally fewer double photons. If an eavesdropper attempts to read part of the key by pulling off the second of each double photon, the receiver would get proportionally fewer decoy photons and so the eavesdropping could be detected, Shields said.
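The receiver-side check described above can be worked through numerically. The following Python sketch is an added illustration, not Toshiba's implementation: it assumes Poisson photon statistics, no dark counts, unlimited sample size, and a simplified interceptor who blocks single-photon pulses and passes multi-photon pulses at a rate tuned to make the signal click rate look normal. The intensities (0.5 and 0.1), the transmittance (0.1) and the 20% tolerance are constructed values.

```python
import math

def multi_photon_prob(mu):
    """P(n >= 2) for a laser pulse whose photon count is Poisson with mean mu."""
    return 1.0 - math.exp(-mu) * (1.0 + mu)

def honest_gain(mu, eta):
    """Click probability for intensity mu over a channel of transmittance eta."""
    return 1.0 - math.exp(-eta * mu)

def tapped_gains(mu_signal, mu_decoy, eta):
    """Signal and decoy click rates when only multi-photon pulses get through.

    The pass rate p is chosen so the signal rate matches an untapped channel.
    The interceptor cannot tell signal from decoy pulses, so p applies to both.
    """
    p = honest_gain(mu_signal, eta) / multi_photon_prob(mu_signal)
    if p > 1.0:
        raise ValueError("too few multi-photon pulses to mimic this channel")
    return p * multi_photon_prob(mu_signal), p * multi_photon_prob(mu_decoy)

def decoy_alarm(signal_gain, decoy_gain, mu_signal, mu_decoy, tolerance=0.2):
    """Return True when the decoy click rate does not fit the signal click rate."""
    # Estimate channel transmittance from the signal pulses alone ...
    eta_est = -math.log(1.0 - signal_gain) / mu_signal
    # ... and predict what the weaker decoy pulses should then produce.
    expected = honest_gain(mu_decoy, eta_est)
    return abs(decoy_gain - expected) / expected > tolerance

if __name__ == "__main__":
    MU, NU, ETA = 0.5, 0.1, 0.1  # constructed sample parameters
    clean = (honest_gain(MU, ETA), honest_gain(NU, ETA))
    tapped = tapped_gains(MU, NU, ETA)
    for label, (sig, dec) in (("clean", clean), ("tapped", tapped)):
        print(f"{label:7s} signal={sig:.5f} decoy={dec:.5f} "
              f"alarm={decoy_alarm(sig, dec, MU, NU)}")
```

Because multi-photon pulses become rarer roughly with the square of the intensity, the tapped channel delivers about a quarter of the expected decoy clicks even though the signal click rate is unchanged.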
The system on display at NanoTech 2007 involved encryption of a video link. Images from a camera were fed into an encryption device via Ethernet. The device was connected to a decryptor via two fiber-optic cable runs of 25 kilometers each. One link was used for transmission of the key and another for transmission of the encrypted data.
Comments (1)
hahah
By Anonymous on July 13, 2008, 6:39 am
good article