Slashdot Mirror


Crypto with Epoxy Tokens, Glass Balls and Lasers

Anonymous Coward writes "Scientists from MIT and ThingMagic have collaborated and developed an innovative crypto mechanism using epoxy tokens, glass spheres and lasers. They have actually created a physical one-way function that cannot be tampered with, copied or faked! The full scoop can be found at MSNBC, and also at Nature, & TOI."

18 of 265 comments

  1. Old Technology, new twist by lynx_user_abroad · · Score: 5, Interesting
    IIRC, something similar to this (very low tech) was used to create tamper-evident seals on things like the boxes guarding equipment monitoring nuclear sites, etc.

    I think the process involved mixing a bunch of little tinfoil sparkles into a clear epoxy resin, applying the resulting glue as a seal, and photographing it from several angles. Simple to create, yet darn near impossible to duplicate a second time. If the blob is missing or different, something fishy is going on.

    --

    The thing about things we don't know is we often don't know we don't know them.

    1. Re:Old Technology, new twist by still_sick · · Score: 5, Funny

      So remember, the next time a nuclear scientist asks to borrow your elbow macaroni and glue-on sparkles, he might not be making a birthday card for his mom - he might be ensuring the security of the world!

      --
      ...Also, I didn't know Buggalo could fly.
    2. Re:Old Technology, new twist by Phil+Wherry · · Score: 4, Interesting

      A very similar technology has been used for the identification of gems for quite a while. The idea is pretty much the same: shine a laser beam into the gem, then record the pattern generated by internal reflection/refraction. The technique has been around for at least twenty years, I believe. Still, the idea of a physical one-way hash function is interesting and quite likely useful.

    3. Re:Old Technology, new twist by theCat · · Score: 5, Interesting

      In the Middle Ages when you made a contract with someone it was written twice on the same parchment, at the top and at the bottom. Then the parchment was torn in half unevenly between the two versions of the contract and each party took one of the halves. In the future should the terms of the contract come into question they could verify that the contract each held was in fact the original by realigning them along the tear; the originals would of course match exactly and the veracity of the copy contained therein could be verified.

      The jagged edge of the contracts looked like teeth, Latin dent IIRC, and whoever held such a contract was said to be indentured.

      Didn't require lasers, of course, but did require that the two parts be physically present and visually verified, so it is remarkably similar in principle. The fibers and surface imperfections of the parchment (thin leather) would have taken the place of the glass beads in this case.

      So, does the MIT patent fail due to prior art? ;-)

      --
      =^..^= all your rodent are belong to us
  2. hmm... by Quasar1999 · · Score: 4, Funny

    Can't be tampered with? Give me a hammer, I'll tamper with it... If I can't have the data, no one can!!!

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
  3. To clarify the story submission by brunes69 · · Score: 5, Informative

    One thing you know once you read the article(s), that really should have been included in the story submission, is this technology is more geared toward replacing things such as magnetic stripes on credit cards, and em cards, and whatnot. The tiny crystals that will replace these stripes produce a one-way function that is currently impossible to duplicate, so if widely adopted this would (at least temporarily) make card counterfeiting impossible. It is not describing a new encryption mechanism for your PC, or any software for that matter.

  4. Re:Obvious circumvention scheme by Remus+Shepherd · · Score: 5, Informative

    I thought of that also. But I read the article more closely, and they mention that different view angles would be used to generate different speckle patterns.

    A one-angle view of this token would not be secure, but a security mechanism that scanned the token through multiple angles would be very difficult to recreate. I don't know if they should be throwing around the word 'impossible', however.

    --
    Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
  5. Durability? by Anonymous Coward · · Score: 5, Insightful

    This seems like a really good system, one that for once is almost impossible to forge. However, it seems to have a major flaw: Durability. The Nature article states that "a token with a hole half a millimetre across drilled through it gives a speckle pattern clearly distinguishable from the original." So what happens when (not if!) the card gets scratched and worn? Will it immediately stop functioning? These secure cards won't be worth much if they have to be replaced every month because of wear and tear... and with the system they are using, error correction isn't an option (defeats the whole purpose of the tokens since tampering with them would then become possible).

    1. Re:Durability? by p3d0 · · Score: 4, Informative
      Too bad you didn't read the very next sentence. Here it is for you:
      Yet the process that transforms the speckle pattern into a string of digits can be modified to ignore accidental surface scratches.
      Even if this were not the case, why not just encase it in clear epoxy? Then when it gets scratched, you can polish it smooth.

      (Careful---you are in danger of becoming a Slashdot naysayer.)

      --
      Patrick Doyle
      I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
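
The "ignore accidental surface scratches" step p3d0 quotes, and the multi-angle point from comment 4, as an added example (not code from the Nature article, the MIT thesis or ThingMagic): the laser-and-camera measurement is replaced by a SHA-256 stand-in that yields 256 bits per (token, angle) pair, and the 10% acceptance threshold, the 256-bit length and the per-read error counts are assumptions chosen for illustration. The point it shows is that matching is done on closeness, not equality, so a few flipped bits from wear pass while a different token, a different angle, or gross damage all fail.

```python
import hashlib
import math
import random
from typing import List

KEY_BITS = 256           # bits derived from one speckle image (assumed length)
ACCEPT_THRESHOLD = 0.10  # max fraction of differing bits still treated as the same token


def token_bits(token_id: int, angle_deg: int) -> List[int]:
    """Stand-in for the optical front end.  A real reader would illuminate the
    token at angle_deg, image the speckle and reduce it to bits; here a fixed
    pseudo-random string is derived from the (token, angle) pair so the example
    runs offline.  Constructed data, not real speckle."""
    digest = hashlib.sha256(f"token{token_id}:angle{angle_deg}".encode()).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]


def read_token(token_id: int, angle_deg: int, flipped_bits: int = 0, seed: int = 1) -> List[int]:
    """Model one physical read: the ideal bits plus flipped_bits random bit
    errors standing in for jitter, dirt or scratches.  Deterministic via seed."""
    bits = token_bits(token_id, angle_deg)
    rng = random.Random(seed)
    for pos in rng.sample(range(KEY_BITS), flipped_bits):
        bits[pos] ^= 1
    return bits


def hamming_fraction(a: List[int], b: List[int]) -> float:
    """Fraction of positions at which the two bit strings disagree."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(enrolled: List[int], observed: List[int], threshold: float = ACCEPT_THRESHOLD) -> bool:
    """Accept when the observed read is within threshold of the enrolled read.
    Exact equality is never required, which is what lets worn tokens still pass."""
    return hamming_fraction(enrolled, observed) <= threshold


def false_match_probability(n: int = KEY_BITS, threshold: float = ACCEPT_THRESHOLD) -> float:
    """Chance that an unrelated token (independent uniform bits) lands inside
    the threshold by accident: the lower tail of Binomial(n, 1/2)."""
    k_max = int(threshold * n)
    return sum(math.comb(n, k) for k in range(k_max + 1)) / 2 ** n


if __name__ == "__main__":
    enrolled = read_token(42, 0)                                   # clean read at enrollment
    print(verify(enrolled, read_token(42, 0, flipped_bits=12)))    # worn but genuine
    print(verify(enrolled, read_token(42, 0, flipped_bits=80)))    # gross damage, e.g. a drilled hole
    print(verify(enrolled, read_token(43, 0)))                     # different token
    print(verify(enrolled, read_token(42, 30)))                    # same token, different angle
    print(f"false-match probability: {false_match_probability():.1e}")
```

The threshold is the whole trade-off: raising it tolerates more wear but widens the window an unrelated token could fall into. With 256 bits and a 10% threshold the false-match tail is vanishingly small, which is why a tolerant comparison does not reopen the door to tampering the way the parent post fears; a hole that flips a third of the bits is still far outside the window.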
  6. In a related story.... by Tha_Big_Guy23 · · Score: 4, Funny

    McGuyver has made plans to begin work at MIT in their research department to create supercomputers from old ballpoint pens, and outdated telephone mechanisms.

    --
    If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
  7. I already have one of these in my wallet.. by gsfprez · · Score: 5, Funny

    actually, i have 3.

    there are 50 or so of em lying around at home, making my wife mad.

    so explain again why guitar picks are news?
    (my apologies to westsky in advance)

    --
    guns kill people like spoons make Rosie O'Donnell fat.
  8. Headline from Nature reads: by dr_dank · · Score: 5, Funny

    Cheap trick secures secrets

    Finally! Something to go hand-in-hand with my REO Speedwagon encryption algorithm.

    --
    Where does the school board find them and why do they keep sending them to ME?
  9. Shit by papasui · · Score: 4, Funny

    And all these years my family has been persecuted in Salem, MA and it turns out all they wanted was our crystal balls!

  10. And the marketing people. . . by dasboy · · Score: 5, Funny

    will bill this as "Cryptography with balls."

  11. ICBMs :) by the+bluebrain · · Score: 5, Informative

    I recall reading something very similar in I believe Scientific American (which is not searchable, unfortunately), oh, ages ago. Used to identify ICBMs / warheads / other missiles during arms reduction discussions between the US & Russia (might even have been so far back as to make that USSR). Basically a splash of epoxy with sparkles mixed in on some disastrously-expensive-to-replace part of the device, snap a photograph and/or hologram, and the device is reliably tagged.

    So it's become cheaper, cheap enough even for everyday use. However, the possible uses I can see are rather limited: local authentication, and pretty much nothing else.
    It's good for credit cards, but only if the card is physically read by the entity requesting authentication, and only if that entity is online (or has a local database of the speckle pattern of all cards worldwide, plus a magically updated revocation list).
    For any non-local authentication it doesn't seem much good ... unless of course Fritz [Hollings] gets his palladium-plated way and we at some point do get tamperproof, "trusted" hardware (... to play around with - I'm looking forward to that).

    So ... it raises the price of duplicating a unique physical dongle.

    But it definitely has nothing to do with crypto (i.e. encryption) ... what was the author of this /. article taking? I want some.

    --
    yes, we have no bananas
  12. What's really going on here by Animats · · Score: 5, Informative
    First, here's the thesis. The Nature article is lousy. (Nature used to be a prestigious journal in the life sciences, but when it gets into computing, the articles read like something from Popular Mechanix. But then, Popular Mechanix was a serious scientific journal a century ago.)

    This is an improvement on an idea from the 1980s called "quantum subway tokens". There have also been a few schemes involving 2D speckle patterns as unique, hard to forge data items. But they're not challenge/response, like this. Challenge/response devices exist (Sun's Java-powered jewelry, the Dallas Semiconductor button) but they're more complex. On the other hand, their readers are simpler than this optical system will require.

    The useful advancement in this thesis is in section 5.3.4, where the authors demonstrate that the registration of the scanning beam doesn't have to be extremely tight. You'd think this scheme would involve optical-bench precision, but it doesn't. (Well, actually it does, but not wavelength-precise optical bench precision. Still, it involves micrometers driven by computer-controlled stepping motors and a very rigid fixture. It's not a "just swipe the card" system.)

    The trouble with this system is that there's no public key associated with the object - only a huge number of possible challenge/response pairs. Validation at an untrusted reader is done by probing the object using challenges previously performed at a trusted reader. Those challenges are "used up" as the object is validated, because otherwise, they could be replayed. This is much less convenient than a public/private key system. It's more like one of those systems where you have a wallet card with a long list of challenge/response pairs for logging in. The only advantage here is that the object isn't copyable. It's still stealable, of course.

    It's kind of neat, but probably not commercially useful.

  13. Re:Impossible to Compromise? by Dr.+Spork · · Score: 4, Insightful
    You're right that it's secure in cases where you use one of these cards in a retail store--in the sense that no one without your card can pose as you. However, what is to prevent the stores from saving your diffraction pattern (not the speckle pattern on the card but instead the resulting image) and then "using" your card as much as they want?

    Also, if the connection between a store and the pattern validation server is ever intercepted, a hacker could just save your patterns and re-send them whenever they want to purchase pr0n or something. So I think the original poster was right: this is just like stealing credit card numbers. As long as validation is done by passing around a bunch of digital data, that will always be the point of weakness. Even now, the vast majority of credit card fraud happens not because somebody's magnetic strip gets duplicated, but because somebody's credit card numbers get stolen. It seems like making the physical cards harder to duplicate is barking up the wrong tree.

    The only solution I can see is this: There wouldn't be a unique resultant diffraction pattern that gets passed around, but rather a two-way conversation between the validation server and the card reader. The server would ask three random questions of the sort "what pattern is produced when the laser shines from angle 1, what about angle 2, etc." The problem with this is that the validation server would have to know what the right answers are to all of the possible questions, and that creates a problem: either there would be waay too much data stored for each card, or there would only be a limited number of "questions" the server could ask. In the latter case, a thief's computer could just memorize all the answers to the few questions, and produce them without the card whenever the validation server actually asks.
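
The enrollment and single-use challenge/response flow Animats describes in comment 12, together with the replay and "memorize all the answers" attacks raised here, as an added example (not code from the thesis, the Nature article or any vendor): the laser-and-camera step is replaced by a SHA-256 stand-in keyed on (token, angle), challenges are modelled as illumination angles, and the pair counts are chosen for illustration. The `Verifier` class, `Eavesdropper` and the scenario functions are all constructed for this example.

```python
import hashlib
import hmac
import random
from typing import Callable, Dict, List, Optional

Challenge = int   # modelled as the illumination angle in degrees (assumption)
Response = bytes  # digest of the speckle pattern obtained at that angle


def probe(token_id: int, challenge: Challenge) -> Response:
    """Stand-in for shining the laser at `challenge` degrees and digesting the
    speckle image.  Deterministic per (token, challenge) so the example runs
    offline; constructed data, not an optical measurement."""
    return hashlib.sha256(f"token{token_id}:angle{challenge}".encode()).digest()


class Verifier:
    """Server side.  It holds no key for the token, only a finite table of
    challenge/response pairs that a trusted reader collected at enrollment."""

    def __init__(self, single_use: bool = True, seed: int = 0) -> None:
        self.single_use = single_use
        self.table: Dict[int, Dict[Challenge, Response]] = {}
        self.fresh: Dict[int, List[Challenge]] = {}
        self.rng = random.Random(seed)

    def enroll(self, token_id: int, challenges: List[Challenge]) -> None:
        # The trusted reader probes the token once per challenge and stores the answers.
        self.table[token_id] = {c: probe(token_id, c) for c in challenges}
        self.fresh[token_id] = list(challenges)
        self.rng.shuffle(self.fresh[token_id])

    def issue_challenge(self, token_id: int) -> Optional[Challenge]:
        if self.single_use:
            pool = self.fresh[token_id]
            return pool.pop() if pool else None          # None: table spent, re-enroll
        return self.rng.choice(list(self.table[token_id]))  # insecure: challenges repeat

    def check(self, token_id: int, challenge: Challenge, response: Response) -> bool:
        expected = self.table[token_id].get(challenge)
        return expected is not None and hmac.compare_digest(expected, response)


# Whatever sits at the untrusted reader: given a challenge, it must produce the
# response.  Honest reader: probe the real token.  Attacker: answer from transcripts.
Responder = Callable[[Challenge], Optional[Response]]


def honest_reader(token_id: int) -> Responder:
    return lambda c: probe(token_id, c)


class Eavesdropper:
    """Records (challenge, response) pairs seen on the wire and replays them."""

    def __init__(self) -> None:
        self.recorded: Dict[Challenge, Response] = {}

    def tap(self, c: Challenge, r: Optional[Response]) -> None:
        if r is not None:
            self.recorded[c] = r

    def responder(self) -> Responder:
        return lambda c: self.recorded.get(c)


def run_session(v: Verifier, token_id: int, respond: Responder, tap=None) -> bool:
    """One authentication: the server picks a challenge, the untrusted side answers."""
    c = v.issue_challenge(token_id)
    if c is None:
        return False
    r = respond(c)
    if tap is not None:
        tap(c, r)
    return r is not None and v.check(token_id, c, r)


def replay_against_single_use(n_pairs: int = 8, observed: int = 3) -> bool:
    """Attacker records `observed` honest sessions, then tries to pose as the token."""
    v = Verifier(single_use=True)
    v.enroll(7, list(range(0, 10 * n_pairs, 10)))
    eve = Eavesdropper()
    for _ in range(observed):
        assert run_session(v, 7, honest_reader(7), tap=eve.tap)
    return run_session(v, 7, eve.responder())    # spent challenges are never re-asked


def replay_against_reuse(n_pairs: int = 8) -> bool:
    """Same attacker against a verifier that reuses a small question set: once
    every pair has been overheard, the card itself is no longer needed."""
    v = Verifier(single_use=False)
    v.enroll(7, list(range(0, 10 * n_pairs, 10)))
    eve = Eavesdropper()
    while len(eve.recorded) < n_pairs:
        run_session(v, 7, honest_reader(7), tap=eve.tap)
    return run_session(v, 7, eve.responder())


def sessions_until_exhausted(n_pairs: int = 8) -> int:
    """How many honest logins a single enrollment buys before re-enrollment."""
    v = Verifier(single_use=True)
    v.enroll(7, list(range(n_pairs)))
    count = 0
    while run_session(v, 7, honest_reader(7)):
        count += 1
    return count
```

The two verifier modes differ only in `issue_challenge`. With `single_use=True` a recorded transcript, whether captured on the link or kept by the store's own reader, is worthless because its challenge is never asked again; the cost is the one Animats names, a table that is consumed and a token that has to go back to a trusted reader when it runs out. With `single_use=False` the server never runs out of questions, but an eavesdropper who watches long enough collects the whole table and answers without the card, which is exactly the failure described in the comment above.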

  14. Re:Remember the SGI Patent? #@ +1; Informative @# by micromoog · · Score: 5, Funny
    the crystal method is highly random and STATIC

    Yeah, I agree. That band sucks.