Crypto with Epoxy Tokens, Glass Balls and Lasers

Anonymous Coward writes "Scientists from MIT and ThingMagic have collaborated and developed an innovative crypto mechanism using epoxy tokens, glass spheres and lasers. They have actually created a physical one-way function that cannot be tampered, copied or faked! The full scoop can be found at MSNBC, and also at Nature, & TOI."

To clarify the story submission

[brunes69]

One thing know once you read the article(s), that really should have been included in the story submisstion, is this technology is more geared toward replacing things such as magnetic stripes on credit cards, and em cards, and whatnot. The tiny crystals that will replace these stripes produce a one-way function that is currently impossible to duplicate, so if widely adopted this would (at least temporailiy) make card couterfitting impossible. It is not describing a new encryption mechanism for your PC, or any software for that matter.

Re:Obvious circumvention scheme

[Remus Shepherd]

I thought of that also. But I read the article more closely, and they mention that different view angles would be used to generate different speckle patterns.

A one-angle view of this token would not be secure, but a security mechanism that scanned the token through multiple angles would be very difficult to recreate. I don't know if they should be throwing around the word 'impossible', however.

Neil Gershenfeld

[AlphaHelix]

Notice that one of the authors on this paper is Neil Gershenfeld, author of The Physics of Information Technology [slashdot.org], reviewed here exactly a year ago yesterday (at least I think it was a year. The searched Slashdot postings have no year indication on them. Is this a Y0K bug?) I liked that book, actually. It had a very readable section on the fluctuation dissipation-theorem, though I think it gave short shrift to research on the underlying causes of the FDT.

Re:Well holy shit.

[Scarblac]

They've discovered the one-time pad!

No, they have not. That would mean that whoever receives a message sent with this data had the same pad, and that isn't the case.If it were, a 12-terabit stamp-size one-time pad would still be rather good.

I'm a bit unclear how this works in practice though. They say they can check the patterns the thing makes against a "secure" database. They can't store all the 12 terabits there.

So, I assume, they pick some number (say, 100) of ways to shine a laser at it at random, and store those in the server. When it's time for identification, the server tells the token reading gadget which position(s) the laser should be in, it sends the pattern back, and it can be checked.

One possible attack is obvious, it may be possible to find out which random spots for the laser have been stored for this token by asking for a verification enough times. However, that gives you the task of making an object that fits into a reader, that gives the right patterns for all the 100 ways... And that's Hard. So it may not even be necessary to randomize the laser positions, just check some number of standard patterns, and it will be too hard to make an item that can fake them all.

Thanks for listening to my train of thought. I think I get it now :)

Re:Remember the SGI Patent? #@ +1; Informative @#

[Simon (S2)]

i'ts called aalib [sourceforge.net].

from the site:
AAlib is an portable ascii art GFX library. If you wish to see some examples of AAlib technology, please browse AA-project homepage.

and here are some *pics [sourceforge.net]* generated from the library.
i think it was intended to play doom over a network on a console, but what lukegalea1234 sad, is equally valid.

ICBMs :)

[the bluebrain]

I recall reading something very similar in I believe Scientific American (which is not searchable, unfortunately), oh, ages ago. Used to identify ICBMs / warheads / other missiles during arms reduction discussions between the US & Russia (might even have been so far back as to make that USSR). Basically a splash of epoxy with sparkles mixed in on some disasterously-expensive-to-replace part of the device, snap a photograph and/or hologram, and the device is reliably tagged.

So it's become cheaper, cheap enough even for everyday use. However, the possible uses I can see are rather limited: local authentication, and pretty much nothing else.
It's good for credit cards, but only if the card is physically read by the entity requestion authentication, and only if that entity is online (or has a local database of the speckle pattern of all cards worldwide, plus a magically updated revocation list).
For any non-local authentication it doesn't seem much good ... unless of course Fritz [Hollings] gets his palladium-plated way and we at some point do get tamperproof, "trusted" hardware (... to play around with - I'm looking forward to that).

So ... it raises the price of duplicating a unique physical dongle.

But it definitely has nothing to do with crypto (i.e. encryption) ... what was the author of this /. article taking? I want some.

Stereolithography

[Inda]

I did a lesson at college on Stereolithography [howstuffworks.com] about 10 years ago. The process of curing two-part epoxy resin with the heat generated with laser lights. It was very accurate back then; more than adequate for producing A1 models and patterns.

I'm wondering how accurate it is now or how accurate it could become.

What's really going on here

[Animats]

First, here's the thesis. [mit.edu] The Nature article is lousy. (Nature used to be a prestigious journal in the life sciences, but when it gets into computing, the articles read like something from Popular Mechanix. But then, Popular Mechanix was a serious scientific journal a century ago.)

This is an improvement on an idea from the 1980s called "quantum subway tokens". There have also been a few schemes involving 2D speckle patterns as unique, hard to forge data items. But they're not challenge/response, like this. Challenge/response devices exist (Sun's Java-powered jewelry, the Dallas Semiconductor button) but they're more complex. On the other hand, their readers are simpler than this optical system will require.

The useful advancement in this thesis is in section 5.3.4, where the authors demonstrate that the registration of the scanning beam doesn't have to be extremely tight. You'd think this scheme would involve optical-bench precision, but it doesn't. (Well, actually it does, but not wavelength-precise optical bench precision. Still, it involves micrometers driven by computer-controlled stepping motors and a very rigid fixture. It's not a "just swipe the card" system.)

The trouble with this system is that there's no public key associated with the object - only a huge number of possible challenge/response pairs. Validation at an untrusted reader is done by probing the object using challenges previously performed at a trusted reader. Those challenges are "used up" as the object is validated, because otherwise, they could be replayed. This is much less convenient than a public/private key system. It's more like one of those systems where you have a wallet card with a long list of challenge/response pairs for logging in. The only advantage here is that the object isn't copyable. It's still stealable, of course.

It's kind of neat, but probably not commercially useful.

Re:Durability?

[p3d0]

Too bad you didn't read the very next sentence. Here it is for you:

Yet the process that transforms the speckle pattern into a string of digits can be modified to ignore accidental surface scratches.

Even if this were not the case, why not just encase it in clear epoxy? Then when it gets scratched, you can polish it smooth.

(Careful---you are in danger of becomming a Slashdot naysayer [slashdot.org].)

Several solutions to this "problem"

[John Harrison]

The smart card could simply ask for a PIN or a fingerprint. It could even validate a signature, or show the clerk a photo of you. And it could use velocity checking to determine the interval for these sorts of checks so that it doesn't make every transaction an extra hassle.

Also this stops mafia-types from mass producing fake cards. At CTST this year an IBM team presented a paper in which they read the keys off several cards through RF leakage, making it easy to make fake cards. This would prevent such fake cards, at least until a way of faking these patterns comes about.

Re:Remember the SGI Patent? #@ +1; Informative @#

[Anonymous Coward]

I do not see this being a patentable technique,
since there is a lot of previous art that exists
in the forensic labs to identify lost jewelry,
where the glittering jewelry(containing diamond,
other precious stones/metals) being photographed
with a polarized light such as ultraviolet light
to produce a pattern that resembled a unique
signature for the jewelry. I do not think that
it is much different from the crytal ball approach.

Re:Why are holographs prohibitive?

[Hal-9001]

Holography requires sufficient film resolution to record the information content of the object modulated on a high spatial frequency carrier. In simplistic terms, lots of images of the object from different perspectives are recorded on film as a hologram, which means the film resolution requirement for making a hologram of the object is much higher than for taking a photograph of the object. The problem here is that the object is so detailed that you could not find film with sufficient resolution to record the hologram.

The original Science article [sciencemag.org] cites an Applied Optics article from 1984, which I'm would guess basically says what I've said in the previous paragraph.

Re:Why are holographs prohibitive?

[snol]

The explanation in the actual paper [sciencemag.org] is this:

Beyond the obvious constraint of having to record 10^11 or more distinct interference patterns in order to produce the hologram, the incoherent superposition of these N patterns decreases the overall diffraction efficiency of the hologram by 1/N, making them all effectively unobservable.

not crypto

[Erpo]

This story has a misleading title. Basically, the article says that they've found a cheap way to implement a hashing function in hardware. Unlike a software hashing function that takes data to be hashed as input and produces the hash as output, the physical mechanism accepts a certain pattern of lasers as input and produces a speckled light pattern that can be observed from any angle as output. Since the position of the glass beads in the epoxy will be different for all cards, each glass and epoxy smear will have a different hash function that can be used to tell them apart.

There's no encryption/decryption going on here, just hashing, but that is an important concept in the field of cryptography.

The main application of this is to replace magnetic stripes on credit cards. Currently, the machine-readable part of a credit card produces a small amount of static output (16 or so decimal digits) and is easy to copy with readily available equipment. By switching to these new chips, the number and complexity of possible outputs that the card can produce would be increased and the output-producing device would be more difficult to duplicate.

For example, right now your electronics-geek waiter could slip your credit card through her palm pilot with home-made magnetic reader attachment on her way back to the register. Later, she could take a used or invalid credit card, and write your magnetic pattern onto the bar. Credit card machines wouldn't be able to tell the difference between the original and the duplicate, so she effectively stole your credit card and you wouldn't know until the bill came.

If you were using a glass and epoxy chip, there would be several problems with duplicating this kind of attack.

1. The waiter would have to read 125 gigabytes (1Tb=1TB/8=~125GB) of data into her intermediate storage device in a few seconds. That's a lot of fast memory to pack into a small space. Copying only a few possible outputs wouldn't work, as only the credit card company would know exactly which (laser position, card output) data pairs it had on file for use in a challenge-response protocol.

2. Assuming the waiter could read out the entire card before handing it back to you, she would have a hard time duplicating it later. She would have to construct a physical object taking laser position as input and producing specific light patterns as output. While hooking up a credit card shaped I/O device to a laptop with the 125GB database would be possible, chances are somebody would notice a suspicious person plugging their laptop into an ATM. Also, considering that the laptop would have to sift through 125GB of data before it could tell the I/O device to output a certain light pattern, whereas the true card would produce the "right answer" at the speed of light, a timeout function on the card reader would be effective in preventing this kind of attack.

Um... not so fast?

[QuantumWeasel]

In fairness, I disclose that I have not read the Nature paper. Have any of our resident holographers taken a stab at this? I couldn't find my copy of Goodman's book or notes from Leith and Upatnieks to save my life. But there is a whole sub-field of holography dedicated to speckle patterns. And it "magically" does all the hard work of inversion within a sufficient sub-space of the one-way hash-function implemented by the token. Seems to me that if you had access to the resultant speckle pattern(s) (one for each angle and wavelength of illumination used for authentication) and a photopolymerizable material moldable into the geometry of the "token," then you could synthetically create a functionally equivalent volume hologram. (In fact, more than one, as holography experts will explain in detail the requirements for uniqueness.) You don't even need access to the token you wish to forge! All you need is the set of all readout patterns actually on file. Forgery definitely requires more sophistication than magstripes. But it is doable in the lab. Hey, I'm only an optical physicist. (Really.) But what do I know?

Re:Obvious circumvention scheme

[onomatomania]

The articles weren't clear on this, but I got the impression that the "input angle" was constantly changed. That's the whole point, the device encrypts the input data (whatever angle the laser enters the thing) to the output of a specle pattern. To cheat you would need to have a mapping of "input X equals output Y" for however many different inputs are possible. That was what they meant about "storing terabytes of data in a small place" I believe.

The downside of course is that since you can only create one copy of each fob, you have to first record a number of input/output pairs in a database somewhere before you send it to the user. This is the real killer I believe, because for this to be useful you would need a very large large number of possible inputs, and each one would take up storage space at the database. But, storage is cheap, especially as time advances. Security of this database, however, would be an issue.

This also explains why "reversing" the device would be hard. Sure, it might be mathematically possible to take an output speckle pattern and come up with an arrangement of spheres to produce that pattern. Suppose you could even manufacture that resultant device (which they say is currently impossible.) This doesn't help you, though, since it would have to respond with the correct pattern not only to the one input agle you designed it for, but any arbitraty input angle (to the limit of however much data is recorded in the database.) So the problem is not finding a configuration that successfully maps A to B, it's finding one that maps A1 to B1, A2 to B2, A3 to B3, etc, which is much harder -- especially since it seems that changing the sphere coordinates even the slightest would alter the output significantly. Think about it, the amount of information in a speckle pattern is a lot less than the amount of information stored in the precise number and locations of the spheres. In other words, a given speckle pattern maps to a very large number of possible sphere configurations. The great challenge of breaking this would be finding a single configuration common to a number of speckle patterns, to the limit of the amount of data stored in the database. Their paper probably demonstrates that this is theoretically equivalent to brute-forcing hard crypto.

If only a single input laser angle were used, I don't see the point of this.