Originally Posted by Synthaxx
Quantum cryptography: Kerckhoffs's principle assumes its ultimate form.
The thing is, you still need some sort of standard on either end. QC simply ensures it can't be intercepted between source and destination, but there are some things it doesn't protect against, such as injection. You should always assume someone knows the private key (even if it's not the case). Theoretically, you could intercept the original message, decrypt it, and send out a false message using the same principles as used to construct the original message. The actual fingerprint of the message will have changed with the contents, but injection attacks in this sense are still a concern that'd need addressing. Kerckhoffs's principle does state that even if everything about a system is known except the key, the system should still be secure.
However, it's good practice to assume that someone else does know the key, and this is what encourages people to build secure systems. If the key is known, but entire details of the system are not (such as the IV/Init. Vector [used in several different cryptographic standards], or the actual encryption method [which is often easy to discover based upon a few identifying features of the messages]), then you've still maintained some of your security, but it still relies on the system itself being secure. That does imply security through obscurity, which isn't a good standard on its own, but is a good standard when used in conjunction with other principles (e.g. "keep it simple", "don't invent your own security", "maximize processing time of hashing and encryption functions", etc).
Verifying someone is who they say they are is still going to be the biggest challenge even with QC. Biometric ID is probably the most secure (it's not infallible though), while passwords are the least secure. Actually, I'd say keycards are more insecure (physical object, could be stolen with relative ease), but that's another discussion entirely. As long as you can verify that someone is who they say they are without any doubt, then the details of your system are much less relevant. That's not to say you should have an insecure or badly designed system, just that you've defeated the chance that someone unauthorized will access it (again, 'without doubt' is the major clause there). Then again, if you could verify without doubt, there would be no need for cryptography.
As I said above, even biometric isn't truly secure. I recall reading a horror story of a fingerprint scanner where the actual material covering the sensor... actually 'trapped' fingerprint marks (and so dusting it off and lifting the print meant the system was defeated at the first stage), I'll try and find a link to the story if possible. If ever there was a facepalm moment in security, that was it. However, there's still the chance (albeit a very low chance, and on the extreme end) that someone could kill you and steal your eyes or cut off your hand, or even hold you at gunpoint to 'break into' the system.
Regardless, it's still good to see that progress is being made. I do believe QC will be a major breakthrough when it's actually extended, but I figure that even that isn't infallible.
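An added illustration of the point in the post above about injection: this is example code, not part of Synthaxx's post or of any real QC product. It assumes (a constructed stand-in, not a real QKD link) that both ends already hold a fresh shared secret, the way a QKD exchange would deliver one. Used as a one-time pad alone, that secret gives confidentiality but no integrity: a ciphertext byte altered in transit decrypts without any error. Splitting off a separate MAC key and using encrypt-then-MAC (HMAC-SHA256 here) makes the receiver reject the altered message instead.

```python
"""One-time pad over a QKD-style shared secret, with and without a MAC.

Assumption (not from the post): both ends already share `shared_secret`,
as a QKD link would provide. The pad supplies confidentiality only; the
HMAC tag supplies integrity so a modified ciphertext is rejected.
"""
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def split_key(shared_secret: bytes, msg_len: int):
    """Split the shared secret into a one-time pad and a separate 32-byte MAC key."""
    if len(shared_secret) < msg_len + MAC_LEN:
        raise ValueError("not enough key material for pad plus MAC key")
    return shared_secret[:msg_len], shared_secret[msg_len:msg_len + MAC_LEN]


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with an equal-length pad; encryption and decryption are identical."""
    if len(pad) != len(data):
        raise ValueError("pad must match data length")
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_then_mac(message: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Ciphertext followed by an HMAC tag computed over the ciphertext."""
    ciphertext = otp_xor(message, pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def verify_and_decrypt(packet: bytes, pad: bytes, mac_key: bytes):
    """Return the plaintext, or None if the tag does not verify (altered or injected)."""
    if len(packet) < MAC_LEN:
        return None
    ciphertext, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return otp_xor(ciphertext, pad)


def flip_byte(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate an in-transit modification by flipping bits of one byte."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo() -> bool:
    """True when the pad alone accepts the altered text and the MAC rejects it."""
    message = b"TRANSFER 100 TO ACCOUNT 42"  # constructed sample message
    shared_secret = secrets.token_bytes(len(message) + MAC_LEN)  # stand-in for QKD output
    pad, mac_key = split_key(shared_secret, len(message))

    # 1. Pad alone: flipping a ciphertext bit flips the same plaintext bit,
    #    and the receiver has no way to notice.
    ciphertext = otp_xor(message, pad)
    unauthenticated = otp_xor(flip_byte(ciphertext, 9), pad)

    # 2. Encrypt-then-MAC: the same modification is rejected outright.
    packet = encrypt_then_mac(message, pad, mac_key)
    accepted = verify_and_decrypt(packet, pad, mac_key)
    rejected = verify_and_decrypt(flip_byte(packet, 9), pad, mac_key)
    return unauthenticated != message and accepted == message and rejected is None


if __name__ == "__main__":
    print("pad alone is malleable, MAC rejects tampering:", demo())
```

The detail worth keeping is that the MAC key is separate from the pad and that the tag covers the ciphertext, so the receiver checks integrity before decrypting anything; a wrong tag yields None, not a plausible-looking plaintext.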