'Uncrackable' Document and Product Security?

Curunculus writes "The Engineer reports that a unique 'fingerprint' formed by microscopic surface imperfections on almost all paper documents, plastic cards and product packaging could be used as a cheaper method to combat fraud. One of the developers, Professor Cowburn commented: "The beauty of this system is that there is no need to modify the item being protected in any way with tags, chips or inks; it's as if documents and packaging have their own unique DNA. This makes protection covert, low-cost, simple to integrate into the manufacturing process and immune to attacks against the security feature itself." This system is now being commercialised via Ingenia Technology, a spin off company."

Fraud prevention?

[Joe+Random]

From the article:

Using the optical phenomenon of 'laser speckle', researchers examined the fine structure of different surfaces using a focused laser, and recorded the intensity of the reflection. The technique was tried on a variety of materials including matt-finish plastic cards, identity cards and coated paperboard packaging and resulted in clear recognition between the samples. This continued even after they were subjected to rough handling including submersion in water, scorching, scrubbing with an abrasive cleaning pad and being scribbled on with thick black marker.

So let me get this straight; I can scrub on one of these "fingerprinted" document until the letters wear off, write whetever I want on it with a black marker, and it will pass the verification check? Doesn't that kind of prevent the entire purpose of fingerprinting documents in the first place?

"Well Mr. Random, while it is quite unusual to see a tax rebate check of *ahem* eleventy-billion dollars, the article passed all verification checks. We've deposited the amount into your account. Have a nice day."

Re:TFA indicates it is flawed

[Raindance]

To be fair, it isn't clear whether this is a "the quantity of uniquely identifiable information just isn't there" flaw or an "instrument precision" flaw. Most probably, nobody knows.

So, I wouldn't count it out just yet.

Also, I'm not so sure on your comment,
"Unless they can bump that number into the billions or more, it's pointless because it's too easy to manufacture a duplicate of any given document that has an identical fingerprint just by brute force."

In some circumstances, yes, you'll be able to see the original document you're trying to forge, and get a "pretty decent fingerprint match". On some documents you don't-- and in that case, this system *will* stop you if implimented correctly.

How much data again?

[ka9dgx]

<ASSUME>So, let start with some assumptions:

• 1 sample for every cm^2 of document
• A4 sized documents.
• Capability to register up to 1 trillion documents

</ASSUME>

Now, on with the math. First, we figure out how many samples we're going to possibly accomodate, as an address space:
Total surface area (21.0 cm * 29.7 cm * 10 E^12) * 1 Sample / cm^2 --> 623,700,000,000,000 Samples

This results in a 50 bit address space, if we were able to just sequentially number the samples. Since we have to work with what we're given, lets just assume we can get by with 256 bits/sample.

This results in the need to store (256 bits sample) * (1 byte / 8 bits) * (21 cm * 29.7 cm / document) * (1 sample / cm^2) --> 19958.4 bytes/ document.

So, in order for this to work we need to store about 20k/page. In order to authenticate documents, your stored database would be approximately 20 Gigabytes/ million documents, and indexing isn't going to help much.

That's a lot of work, and it seems to me it would be quicker, easier, and far more efficient in general to store duplicates of the originals in a secure location.

--Mike--