Crypto with Epoxy Tokens, Glass Balls and Lasers

Anonymous Coward writes "Scientists from MIT and ThingMagic have collaborated and developed an innovative crypto mechanism using epoxy tokens, glass spheres and lasers. They have actually created a physical one-way function that cannot be tampered, copied or faked! The full scoop can be found at MSNBC, and also at Nature, & TOI."

Old Technology, new twist

[lynx_user_abroad]

IIRC, something similar to this (very low tech) was used to create tamper-evident seals on things like the boxes guarding equipment monitoring nuclear sites, etc.

I think the process involved mixing a bunch of little tinfoil sparkles into a clear epoxy resin, applying the resulting glue as a seal, and photographing it from several angles. Simple to create, yet darn near impossible to duplicate a second time. If the blob is missing or different, something fishy is going on.

Re:Old Technology, new twist

[still_sick]

So remember, the next time a nuclear scientist asks to borrow your elbow macaroni and glue-on sparkles, he might not be making a birthday card for his mom - he might be ensuring the security of the world!

Re:Old Technology, new twist

[theCat]

In the Middle Ages when you made a contract with someone it was written twice on the same parchment, at the top and at the bottom. Then the parchment was torn in half unevenly between the two versions of the contract and each party took one of the halves. In the future should the terms of the contract come into question they could verify that the contract each held was in fact the original by realigning them along the tear; the originals would of course match exactly and the veracity of the copy contained therein could be verified.

The jagged edge of the contracts looked like teeth, Latin dent IIRC, and whoever held such a contract was said to be indentured

Didn't require lasers, of course, but did require that the two parts be physically present and visually verified, so it is remarkably similar in principle. The fibers and surface imperfections of the parchment (thin leather) would have taken the place of the glass beads in this case.

So, does the MIT patent fail due to prior art? ;-)

To clarify the story submission

[brunes69]

One thing know once you read the article(s), that really should have been included in the story submisstion, is this technology is more geared toward replacing things such as magnetic stripes on credit cards, and em cards, and whatnot. The tiny crystals that will replace these stripes produce a one-way function that is currently impossible to duplicate, so if widely adopted this would (at least temporailiy) make card couterfitting impossible. It is not describing a new encryption mechanism for your PC, or any software for that matter.

Re:Obvious circumvention scheme

[Remus+Shepherd]

I thought of that also. But I read the article more closely, and they mention that different view angles would be used to generate different speckle patterns.

A one-angle view of this token would not be secure, but a security mechanism that scanned the token through multiple angles would be very difficult to recreate. I don't know if they should be throwing around the word 'impossible', however.

Durability?

This seems like a really good system, one that for once is almost impossible to forge. However, it seems to have a major flaw: Durability. The Nature article states that "a token with a hole half a millimetre across drilled through it gives a speckle pattern clearly distinguishable from the original." So what happens when (not if!) the card gets scratched and worn? Will it immediately stop functioning? These secure cards won't be worth much if they have to be replaced every month because of wear and tear... and with the system they are using, error correction isn't an option (defeats the whole purpose of the tokens since tampering with them would then become possible).

I already have one of these in my wallet..

[gsfprez]

actually, i have 3.

there are 50 or so of em lying around at home, making my wife mad.

so explain again why guitar picks are news?
(my apologies to westsky in advance)

Headline from Nature reads:

[dr_dank]

Cheap trick secures secrets

Finally! Something to go hand-in-hand with my REO Speedwagon encryption algorithm.

And the marketing poeple. . .

[dasboy]

will bill this as "Cryptography with balls."

ICBMs :)

[the+bluebrain]

I recall reading something very similar in I believe Scientific American (which is not searchable, unfortunately), oh, ages ago. Used to identify ICBMs / warheads / other missiles during arms reduction discussions between the US & Russia (might even have been so far back as to make that USSR). Basically a splash of epoxy with sparkles mixed in on some disasterously-expensive-to-replace part of the device, snap a photograph and/or hologram, and the device is reliably tagged.

So it's become cheaper, cheap enough even for everyday use. However, the possible uses I can see are rather limited: local authentication, and pretty much nothing else.
It's good for credit cards, but only if the card is physically read by the entity requestion authentication, and only if that entity is online (or has a local database of the speckle pattern of all cards worldwide, plus a magically updated revocation list).
For any non-local authentication it doesn't seem much good ... unless of course Fritz [Hollings] gets his palladium-plated way and we at some point do get tamperproof, "trusted" hardware (... to play around with - I'm looking forward to that).

So ... it raises the price of duplicating a unique physical dongle.

But it definitely has nothing to do with crypto (i.e. encryption) ... what was the author of this /. article taking? I want some.

What's really going on here

[Animats]

First, here's the thesis. The Nature article is lousy. (Nature used to be a prestigious journal in the life sciences, but when it gets into computing, the articles read like something from Popular Mechanix. But then, Popular Mechanix was a serious scientific journal a century ago.)

This is an improvement on an idea from the 1980s called "quantum subway tokens". There have also been a few schemes involving 2D speckle patterns as unique, hard to forge data items. But they're not challenge/response, like this. Challenge/response devices exist (Sun's Java-powered jewelry, the Dallas Semiconductor button) but they're more complex. On the other hand, their readers are simpler than this optical system will require.

The useful advancement in this thesis is in section 5.3.4, where the authors demonstrate that the registration of the scanning beam doesn't have to be extremely tight. You'd think this scheme would involve optical-bench precision, but it doesn't. (Well, actually it does, but not wavelength-precise optical bench precision. Still, it involves micrometers driven by computer-controlled stepping motors and a very rigid fixture. It's not a "just swipe the card" system.)

The trouble with this system is that there's no public key associated with the object - only a huge number of possible challenge/response pairs. Validation at an untrusted reader is done by probing the object using challenges previously performed at a trusted reader. Those challenges are "used up" as the object is validated, because otherwise, they could be replayed. This is much less convenient than a public/private key system. It's more like one of those systems where you have a wallet card with a long list of challenge/response pairs for logging in. The only advantage here is that the object isn't copyable. It's still stealable, of course.

It's kind of neat, but probably not commercially useful.

Re:Remember the SGI Patent? #@ +1; Informative @#

[micromoog]

the crystal method is highly random and STATIC

Yeah, I agree. That band sucks.