Crypto with Epoxy Tokens, Glass Balls and Lasers

Anonymous Coward writes "Scientists from MIT and ThingMagic have collaborated and developed an innovative crypto mechanism using epoxy tokens, glass spheres and lasers. They have actually created a physical one-way function that cannot be tampered, copied or faked! The full scoop can be found at MSNBC, and also at Nature, & TOI."

To clarify the story submission

[brunes69]

One thing know once you read the article(s), that really should have been included in the story submisstion, is this technology is more geared toward replacing things such as magnetic stripes on credit cards, and em cards, and whatnot. The tiny crystals that will replace these stripes produce a one-way function that is currently impossible to duplicate, so if widely adopted this would (at least temporailiy) make card couterfitting impossible. It is not describing a new encryption mechanism for your PC, or any software for that matter.

Re:Obvious circumvention scheme

[Remus+Shepherd]

I thought of that also. But I read the article more closely, and they mention that different view angles would be used to generate different speckle patterns.

A one-angle view of this token would not be secure, but a security mechanism that scanned the token through multiple angles would be very difficult to recreate. I don't know if they should be throwing around the word 'impossible', however.

ICBMs :)

[the+bluebrain]

I recall reading something very similar in I believe Scientific American (which is not searchable, unfortunately), oh, ages ago. Used to identify ICBMs / warheads / other missiles during arms reduction discussions between the US & Russia (might even have been so far back as to make that USSR). Basically a splash of epoxy with sparkles mixed in on some disasterously-expensive-to-replace part of the device, snap a photograph and/or hologram, and the device is reliably tagged.

So it's become cheaper, cheap enough even for everyday use. However, the possible uses I can see are rather limited: local authentication, and pretty much nothing else.
It's good for credit cards, but only if the card is physically read by the entity requestion authentication, and only if that entity is online (or has a local database of the speckle pattern of all cards worldwide, plus a magically updated revocation list).
For any non-local authentication it doesn't seem much good ... unless of course Fritz [Hollings] gets his palladium-plated way and we at some point do get tamperproof, "trusted" hardware (... to play around with - I'm looking forward to that).

So ... it raises the price of duplicating a unique physical dongle.

But it definitely has nothing to do with crypto (i.e. encryption) ... what was the author of this /. article taking? I want some.

What's really going on here

[Animats]

First, here's the thesis. The Nature article is lousy. (Nature used to be a prestigious journal in the life sciences, but when it gets into computing, the articles read like something from Popular Mechanix. But then, Popular Mechanix was a serious scientific journal a century ago.)

This is an improvement on an idea from the 1980s called "quantum subway tokens". There have also been a few schemes involving 2D speckle patterns as unique, hard to forge data items. But they're not challenge/response, like this. Challenge/response devices exist (Sun's Java-powered jewelry, the Dallas Semiconductor button) but they're more complex. On the other hand, their readers are simpler than this optical system will require.

The useful advancement in this thesis is in section 5.3.4, where the authors demonstrate that the registration of the scanning beam doesn't have to be extremely tight. You'd think this scheme would involve optical-bench precision, but it doesn't. (Well, actually it does, but not wavelength-precise optical bench precision. Still, it involves micrometers driven by computer-controlled stepping motors and a very rigid fixture. It's not a "just swipe the card" system.)

The trouble with this system is that there's no public key associated with the object - only a huge number of possible challenge/response pairs. Validation at an untrusted reader is done by probing the object using challenges previously performed at a trusted reader. Those challenges are "used up" as the object is validated, because otherwise, they could be replayed. This is much less convenient than a public/private key system. It's more like one of those systems where you have a wallet card with a long list of challenge/response pairs for logging in. The only advantage here is that the object isn't copyable. It's still stealable, of course.

It's kind of neat, but probably not commercially useful.

Re:Durability?

[p3d0]

Too bad you didn't read the very next sentence. Here it is for you:

Yet the process that transforms the speckle pattern into a string of digits can be modified to ignore accidental surface scratches.

Even if this were not the case, why not just encase it in clear epoxy? Then when it gets scratched, you can polish it smooth.

(Careful---you are in danger of becomming a Slashdot naysayer.)