Slashdot Mirror
Graphics Cards: the Future of Online Authentication?
Gunkerty Jeb writes "Researchers working on the 'physically unclonable functions found in standard PC components (PUFFIN) project' announced last week that widely used graphics processors could be the next step in online authentication. The project seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics. The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another. The implication of this discovery is that such differences can be used as physically unclonable features to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts."
see subject.
I could see this being a good thing, and a bad thing. If online accounts are using hardware to determine the user account, whats to stop someone from just "borrowing" your hardware and connecting to your account? Sure, they could still have user names passwords and such as backup, but then what would be the point of doing the hardware authenication? Plus how much of a pain in the ass would it be to upgrade your computer and notify the online account to expect changes in your hardware for the next time you login?
Bah, i think i'm rambling now... need coffee... or beer... beer sounds better
While the card's "identity" may be different, it doesn't matter if something can stand in for the hardware and provide a false ID.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I have a home Linux machine, my wife's machine, my laptop and my work machine.
How can I share my authentication amongst them ?
UPS Sucks
Replacing a computer would be problematic too.
Why not just admit that they've found the unbreakable DRM? Online authentication is a solved problem.
You can feed false information to the software that reads the characteristics of a graphics card just as you can fake an MAC address. I fail to see a substantial difference.
If this fingerprint is orders of magnitude beneath manufacturing controls, are the researchers sure that it persists over long time frames?
Will that graphics card have the same fingerprint the first day it is purchased as it does 2 years later after putting in hundreds of hours at high temperatures playing accelerated games?
It's not a good idea to use the particularities of a hardware production process as the theoretical basis for authentication.
You can feed false information to the software that reads the characteristics of a graphics card just as you can fake an MAC address. I fail to see a substantial difference.
"The more difficult question to answer at this point, she said, is whether someone could use software to emulate the differences in behavior between graphical processing units. Lange said the key is finding a way to guarantee, in an authentication process, that the party attempting to authenticate a user is communicating with an actual GPU and not software attempting to replicate its behavior and uniqueness. Lange went on to admit they aren’t quite there yet, which is why the product is not finished."
Not entirely true. Good security is based on 3 things:
- something only you have (your graphics card, a physical key)
- something only you know (a password)
- something only you are (biometrics, typing patterns)
As it stands today you usually have one of those things, the password. Adding in something difficult to spoof as the summary suggests is an improvement. So now you have to have a password and a graphics card with certain flaws.
I agree with your sentiments though. This is an interesting idea but seems awkward to implement.
Im registering 192.168.1.1 as myself.. Please dont anyone use it..
Every time I upgrade my graphics card, all of my games stop working.
I'm sure that there's something wrong with this, but I can't put my finger on it.
Lacking <sarcasm> tags,
That's cool in a nerdy sort of way. Ten years out of date, tough. I guess they didn't look at what's already available, what used to be available and is no longer used, and why. This sentence puts ten years out of date: "link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts" 1 person 1 account! Commodity software that's been widely available for many years already ties one account to on human user, across multiple devices, and without requiring special software on the client end. Consider the sites that get attacked, all day long, every day. Sites like Girls Gone Wild have tens of thousands of spoof attempts everyday. Sites like that have had an effective defense for many years. GGW, for example, uses the readily available Strongbox package which tracks the way the user users their mouse, among other things, to confirm that the user (human) really is who they say they are. Ten to fifteen years ago modern systems like Strongbox displaced earlier systems which assumed that 1 user = 1 device. These researchers are reinventing the steam engine.
Yes, in some cases multiple people share a device, but that percentage is low enough it won't matter.
Let me guess: you live alone. In a lot of households, especially with two parents and one or more children, everybody who lives there has a user account on one PC.
Not entirely true. Good security is based on 3 things:
- something only you have (your graphics card, a physical key)
- something only you know (a password)
- something only you are (biometrics, typing patterns)
As it stands today you usually have one of those things, the password. Adding in something difficult to spoof as the summary suggests is an improvement. So now you have to have a password and a graphics card with certain flaws.
I agree with your sentiments though. This is an interesting idea but seems awkward to implement.
From the perspective of the one doing the verification, that's something you know, something you know, and something you know.
Nobody comes out and physically inspects your graphics card or looks at your thumb print or asks you to present a key fob.
They all ask for the numbers programs of devices output. Keyfobs generate a specific code at a given time. Biometric scanners generate a hash given a specific input or any similar input. This GPU scanning program will do the same. These things are hard for an attacker to know, but they're not much better than a password. Someone can know your GPU fingerprint, your retina scan, or your keyfob's info in the verifier's database in much the same way they can know your password. Your shit gets hacked, the verifier's shit gets hacked, someone attacks you locally, someone is MITMing your ass, etc.
Good security is based on 1 thing: A human physically inspecting another human for each and every access request.
We don't have good security policies on the internet. We have very good security policies wherever rich and powerful people give a shit - bank vaults, nuclear missile silos, celebrity weddings. Good security is not possible on the internet because people refuse to pay or wait.
For most users, it goes like this (most important to least important): Cost, convenience, ability to spy on the ex or that bitch whore Tammy, peace of mind, weather bug and desktop buddies, security.
That's why you have multiple methods:
- Something you have can be stolen.
- Something you know can be coerced from you, retrieved via social engineering (ie: knowing your mother's maiden name or whatever), or whatever else.
- Something you are can be duplicated by replicating you (or at least, the portion of you that the scanner cares about.)
Its still not perfect -- its entirely possible that somebody will just kidnap you while you've got your physical token on you -- that covers two of the three. And unless you're extremely stubborn and motivated, it probably wouldn't be hard to coerce most people's passwords either.
The easiest from a computer perspective is the password -- that's why its the most common/used.
Security tokens are rapidly becoming available for many systems (especially with the advent of cell phone authenticators since everybody already has a cell phone -- you don't need to purchase/obtain and carry around however many additional trinkets.)
Biometrics is harder. First of all, biometrics itself isn't extremely accurate. Its good enough to limit possibilities but for really secure applications, you still want a person to go in and confirm (or pick from a list, as in a police database search) to ensure that you've got a match. Not that people aren't fallible as well, but at least there's someone to blame.
Secondly, biometric scanners aren't all that common yet. If touch screens become high enough density then perhaps they could be used for fingerprint ID. Cameras are likely already good enough to be used for retinal scans, but it would require the user to position the camera at the correct angle and whatnot which is pretty implausible if they're just loosely holding it in front of them (that's why real retinal scanners, including your optometrist's tools, have headrests -- they keep your eyes in relatively the correct position while its scanning.)
So we've got one.. we're moving towards two.. I think three-tier authentication is a while away yet though.
FWIW: If you read WP2 & WP3, I think they are just attempting to read some of the SRAM from inside the GPU for a source of what they call a "PUF" (physically uncloneable function). They hope to sprinkle some error-correction code and some magic crypto dust the uninitialized SRAM pattern to create a number that will be useable for attestation (basically to assure that it is the machine that you think it is).
This idea isn't new. A quick google search shows papers about using SRAMs as both PUFs and Random numbers going back in 2007 (they called them FERNs) http://people.cs.umass.edu/~kevinfu/papers/holcomb-FERNS-RFIDSec07.pdf
The major problems with this stuff is that...
Once you power up your system, something is gonna want to use that SRAM (GPU vendors aren't in the business of leaving big chunks of SRAM that they don't use for researchers to discover and use), so you have to take a snapshot after powerup, but before someone wants to use the GPU. This makes many avenues of attack available (e.g., you have to put that fingerprint somewhere, because the GPUs will shortly trounce all over it).
Secondly is the stability issue. Although some parts of the uninitialized SRAM is going to be statistically stable (power-up to 1 or 0 pretty reliably), some others are going to be pretty random (in fact other researchers are looking for highly unstable bits in SRAM powerup to be able to extract a random number for a nonce). Across temperature, and over time as the parts age, these bits will change (some stable ones will become random and some random ones may exhibit a strong bias one way or another). Without extensive characterization over age and temperature, this would be pretty unstable to use as a definitive ID.
Third, when GPU vendors notice that people are accessing SRAM before initalization, they will start wiping the memory on boot. This is to prevent this third-party ID usage model (because nobody wants to repeat the intel CPUID fiasco) and because now that GPUs are being used for general-purpose computing, any type of SRAM retention issues across power-up is a security risk. On a related note, there are in fact there are other researchers attempting to use SRAM retention to create a reasonably secure clock (google TARDIS: Time and Remanence Decay in SRAM).
If I had to speculate, about the only reasonable model for this (assuming the GPU vendors don't co-opt it or shut them out) is to create some sort of "ticket" system. Distill a timestamp and a challenge value with the PUF (and maybe even the "random" part of the SRAM for salt) down to a ticket using some cryptomagic. That ticket would be valid for a while, and you'd have to create a new ticket before it expired. Over a short enough time and temperature regime, a security system might be convinced that this temporary ticket is an acceptable substitute credential, but it would not really replace an actual authentication technique.
This stuff has also been researched extensively for 5 years or so. I don't know what these folks are really bringing to the table (other than they are looking at GPUs for big blocks of SRAM). Why be so secret? Maybe it's because they want to keep that funding coming. A quick google showed someone in 2009 even wrote an undergrad paper on the subject of SRAM/PUFs... http://www.wpi.edu/Pubs/E-project/Available/E-project-031709-141338/unrestricted/mqp_sram.pdf
It only involves receiving a SMS, and landlines in plenty of places can do this.
TFA doesn't mention how they calculate these metrics but (maybe naively) I assume it's deduced by measuring differences in performance for a given task?
This begs the question: what happens if the performance of your graphics card changes, say for example your GPU overheats or the fan gets clogged up with dust, surely that will change the results of the 'authentication' process?
Why is the first thing I thought about when I read this "another way for the MPAA/RIAA to track down copyright violators so they can send drone strikes"?
You are welcome on my lawn.
The actual website indicates it hasn't even been done yet, and is lighter on details than white bread.
It is complete BS, the website has no details and tons of press releases. Here is how much work they have done so far, about a dozen lines of text:
http://puffin.eu.org/WP1.html
http://puffin.eu.org/WP2.html
http://puffin.eu.org/WP3.html
I think they posted the release in hopes of letting the online community discuss ideas, and will then harvest those.
Lame.
https://www.accountkiller.com/removal-requested
Given that this is an issue of identities, I was thinking something. Why not use networking cards to do the authentication? Since IPv6 is getting slowly introduced, chances are that things will evolve there over time, w/ networking cards, which currently have a 48-bit MAC address, instead having a 64-bit interface ID 'address'. Now, that could have an encrypted version of one's ID, be it SS#, DL# or whatever stored in a random part of the ID. So that that way, it can be used in the event that online authentication is required. Note that the ultimate IPv6 address, if not autoconfigured, need not be derived from this.
I do agree w/ the parent that this would seem to mean that nobody could lend or borrow, say, an iPad or a laptop w/o handing over one's identity along w/ it. But this could help in other ways. Like for instance, most of us don't do major online purchases from internet kiosks - we do it from home or work. Therefore, it's not a bad assumption that if someone is doing a major online purchase w/ a credit card from a kiosk, it's probably using a stolen card.