Re: unforgeable optical tokens?
At 03:31 PM 9/24/02 -0400, Steven M. Bellovin wrote:
...
> A fair number of years ago, I saw something like this proposed for non-proliferation seals on nuclear reactors. The scheme then (I believe I saw it in Science News) was that International Atomic Energy Agency inspectors would use a length of randomly-twisted multi-strand fiber optic cable and use it to seal a door that they opened to verify that the reactor in question wasn't being used to build weapons.

Wasn't there another idea along these lines proposed for currency counterfeit resistance? Something about embedding optical fibers into the paper in some somewhat random way, and digitally encoding a signature on the resulting pattern somehow?

> --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: unforgeable optical tokens?
At 09:24 AM 9/21/02 -0400, Derek Atkins wrote:
...
> This isn't security -- this is a small-form-factor physical ROM. This read-only data crystal. The fact that they cannot be duplicated easily just means that you cannot use these tokens for real data storage. Imagine if they _were_ replicable.. Imagine keeping a terabyte of backup data on one of these tokens!

Well, you can get a nice (provable) level of security from a big memory device like this, if the entries are random, and if there is a strict limit on how quickly you can read information out of it. Bruce Schneier and I did a paper on this several years ago. (Though I'm sure a bunch of other people had used the same idea in their own systems before) Let's see, "Authenticating Secure Tokens Using Slow Memory Access", at the USENIX workshop on smartcard technology in 1999.

The big question is under what conditions it's possible to read out a significant fraction of the data. If you have a secure token that refuses to respond to a memory query in less than a second, then the answer is pretty simple. For this device, it's not so clear. It might be that the device can't be read out by a compromised terminal (assuming there are one day terminals for these devices), but it may still be readable by someone who steals the device and takes it apart in a lab or something.

> -derek

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]
Re: unforgeable optical tokens?
In message [EMAIL PROTECTED], [EMAIL PROTECTED] .cmu.edu writes:
> Perry E. Metzger wrote:
> > An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.
>
> I can't dig up the memory, but I think I heard of a similar idea -- random structure in transparent solid, difficult to copy -- used in some kind of tag or seal for nuclear security. Can anyone remind me what this might have been?

A fair number of years ago, I saw something like this proposed for non-proliferation seals on nuclear reactors. The scheme then (I believe I saw it in Science News) was that International Atomic Energy Agency inspectors would use a length of randomly-twisted multi-strand fiber optic cable and use it to seal a door that they opened to verify that the reactor in question wasn't being used to build weapons. They then shine a light in one end, and photograph the other. When they come back, they repeat the photographic process, so that they can see if anyone has removed their seal -- say, to get at the irradiated, plutonium-containing fuel rods.

--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
Re: unforgeable optical tokens?
At 5:11 PM -0700 9/20/02, David Wagner wrote:
> Perry E. Metzger wrote:
> > But if you can't simulate the system, that implies that the challenger has to have stored the challenge-response pairs because he can't just generate them, right? That means that only finitely many are likely to be stored. Or was this thought of too?
>
> I believe the idea is that there are gazillions of possible challenges. The challenger picks a thousand randomly in advance, scans the token from the corresponding thousand different angles to get the thousand responses, and stores all them. Then, later, the challenger can select one of his stored challenges, pass it to a remote entity, and demand the correct answer. Of course, a challenger must never re-use the same challenge twice.

If the challenger selects several of his stored challenges, and asks the token reader to return a secure hash of the answers (in order), no information will be leaked about the response to any individual challenge. This procedure will allow the challenger to perform a large number of verifications with a relatively small number of stored challenge-response pairs.

Cheers - Bill

-
Bill Frantz       | The principal effect of | Periwinkle -- Consulting
(408)356-8506     | DMCA/SDMI is to prevent | 16345 Englewood Ave.
[EMAIL PROTECTED] | fair use.               | Los Gatos, CA 95032, USA
Re: unforgeable optical tokens?
Bill Frantz wrote:
> If the challenger selects several of his stored challenges, and asks the token reader to return a secure hash of the answers (in order), no information will be leaked about the response to any individual challenge. This procedure will allow the challenger to perform a large number of verifications with a relatively small number of stored challenge-response pairs.

I don't think this works. A malicious reader could remember all the challenges it gets and record all the responses it measures (before hashing). If the number of possible challenges is small, the malicious reader might learn the entire challenge-response dictionary after only a few interactions. From that point on, the malicious reader would be able to spoof the presence of the token. (Of course, if malicious readers aren't a threat, then you don't need fancy uncloneable tokens. A simple cryptographic key written on a piece of paper suffices.)

So I think you really do need to use a different challenge every time.
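The exchange in the two messages above, modelled as an added example that is not part of the original thread: a verifier holding a small table of stored challenge-response pairs asks for a hash over several answers, once with pairs reused across verifications and once with each pair retired after a single use. The `make_token` stand-in (a keyed hash playing the role of the optical response), the class names and the table sizes are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def make_token():
    # Stand-in for the physical token (assumption): a keyed hash over secret
    # random "structure" plays the role of the measured speckle response.
    structure = secrets.token_bytes(32)
    return lambda challenge: hmac.new(structure, challenge, hashlib.sha256).digest()

def digest_of(responses):
    # The reader returns one secure hash over the answers, in order.
    return hashlib.sha256(b"".join(responses)).digest()

class Verifier:
    """Holds challenge-response pairs measured in advance (hypothetical class)."""
    def __init__(self, token, n_pairs, reuse):
        self.reuse = reuse
        challenges = [secrets.token_bytes(16) for _ in range(n_pairs)]
        self.pairs = {c: token(c) for c in challenges}

    def issue(self, k):
        # Pick k stored challenges; None when too few unused pairs remain.
        if len(self.pairs) < k:
            return None
        return secrets.SystemRandom().sample(sorted(self.pairs), k)

    def check(self, challenges, answer):
        if any(c not in self.pairs for c in challenges):
            return False                 # unknown or already retired challenge
        expected = digest_of([self.pairs[c] for c in challenges])
        ok = hmac.compare_digest(expected, answer)
        if not self.reuse:
            for c in challenges:         # single use: retire pairs after one check
                del self.pairs[c]
        return ok

class RecordingReader:
    """Reader that keeps the raw responses it measures before hashing."""
    def __init__(self):
        self.seen = {}

    def answer_with_token(self, token, challenges):
        responses = [token(c) for c in challenges]
        self.seen.update(zip(challenges, responses))
        return digest_of(responses)

    def answer_without_token(self, challenges):
        if any(c not in self.seen for c in challenges):
            return None
        return digest_of([self.seen[c] for c in challenges])

def rounds_until_spoofable(n_pairs, k, reuse, max_rounds=200):
    """Honest rounds before the reader can answer alone; None if never."""
    token, reader = make_token(), RecordingReader()
    verifier = Verifier(token, n_pairs, reuse)
    for round_no in range(1, max_rounds + 1):
        challenges = verifier.issue(k)
        if challenges is None:
            return None                  # verifier ran out of unused pairs
        forged = reader.answer_without_token(challenges)
        if forged is not None and verifier.check(challenges, forged):
            return round_no - 1
        if not verifier.check(challenges, reader.answer_with_token(token, challenges)):
            raise RuntimeError("genuine token was rejected")
    return None
```

With six stored pairs and three challenges per verification, the reusing verifier is answerable without the token after at most four honest rounds, while the single-use verifier simply runs out of pairs after two.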
Re: unforgeable optical tokens?
It might be possible to get the same effect using a conventional silicon chip. I have in mind a large analog circuit, something like a multi-stage neural network. Random defects would be induced, either in the crystal growing process or by exposing the wafer at one or more stages with a spray of pellets or chemicals. The effect would be to cut wires and alter component values such as resistances, zener diode break down voltages, transistor gains. Critical parts of the circuit would be protected by a passivation layer or would simply be designed with larger geometries to make them less sensitive.

Multiple inputs would be driven by D/A converters, either in parallel or through a charge coupled analog shift register. There would be enough 'stuff' in the middle to make it impractical to characterize the entire circuit from the inputs. One could use very small geometries for the network and still get high circuit yield since defects are something we want.

The advantage of this approach over an optical system is that it would be very easy to interface with existing technology -- smart cards, RF ID, dongles, etc.

Arnold Reinhold
Re: unforgeable optical tokens?
David Wagner wrote:
> What is it, then?

The ultimate pokemon card!

Cheers, Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: unforgeable optical tokens?
On Sun, 22 Sep 2002, Hadmut Danisch wrote:
> It's just a gadget of the type you can't make a similar one again, and that's what it can be used for. Forget about networks and challenge response in context of this token. Security is far more than just the cryptographical standard methods. There's security beyond cryptography. So don't have this limited view.

Here's a potential application: consider it as a door key. Every time the user sticks it into the lock, the lock issues two challenges. The first challenge is randomly selected; the lock just reads and stores the result. The second is for authentication: it issues the same challenge it issued for the first challenge last time, reads the result and compares it to the result it stored last time. If it's a match, the lock opens.

This is not really applicable to remote authentication, because in *remote* authentication, someone has to be *signalled* that the authentication succeeded, whereupon the *signal* becomes just another message that has to be protected using conventional crypto and protocols. But for *local* authentication, it's got some good stuff going for it.

But consider the door lock application: There's no way for the attacker (or the key-holder either) to know what challenge out of zillions has been issued or what response out of zillions has been stored. The door never had to send any of that information over a network, so Eve can't get it and Mallory can't replay or duplicate it; presumably it is stashed inside tamper-resistant hardware somewhere in the lock.

Superficially, this resembles a smartcard key where the challenge is a string and the response is the string encrypted according to a key held on the smartcard. But it's not subject to side channel attacks like power measurement to extract its key for the encryption operation the way smartcards are. And it is far more resistant to duplication, even to an attacker who knows its internal structure (key) and has the fab infrastructure.

And it is many orders of magnitude faster. You shine lasers on it at particular angles and at particular points on its surface for a challenge; its response is at your sensors in a nanosecond or less. No smartcard is anywhere near that fast. And you can go swimming with it, which you can't do with a smartcard; no need to ever have it out of your possession, even when you're in the shower.

If you want to make whole computers that are tamper-resistant, you could extend the door key metaphor to the computer itself; with your key in it, it can read its hard drive and do computer-like things. Without your key in it, it's just a sealed lump of metal and glass with some buttons on it.

In an operating system for such a machine, everything would be encrypted. The boot sector would be encrypted using the same protocol as the door key above, with a different key for every bootup. For the rest of the machine, instead of storing any encryption or decryption keys anywhere, you'd store challenges for the token and use its responses for the keys. And every (say) tenth time you touched something, you'd generate a new challenge, get a new key from the token, and re-encrypt the plaintext with the new key.

That way even if a thief gets your machine, they can extract zero information from it unless they get your keytoken too. If your machine ever goes missing, and you still have the keytoken in your possession, you have no security worries; likewise if the keytoken ever goes missing, but you still have your machine. It's only if *both* of them go missing that you have a problem.

hmmm. It becomes more rococo, but of course, it also makes it easy to create a machine that can only be used with *all* of two or more keytokens inserted; just the thing for mutually suspicious parties to store confidential shared data on.

Anyway; it's nothing particularly great for remote authentication; but it's *extremely* cool for local authentication.

Bear
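The door-key protocol from the message above, as an added sketch that is not code from the thread: the lock keeps one challenge-response pair per key slot, authenticates against the pair measured on the previous visit, and replaces it with the freshly measured pair only after that check passes, so a foreign token cannot enroll itself. The `make_token` stand-in, the `DoorLock` class and the exact-match comparison are assumptions; a reader for real speckle patterns would need a noise-tolerant comparison.

```python
import hashlib
import hmac
import secrets

def make_token():
    # Stand-in for the optical token (assumption): a keyed hash over secret
    # random "structure" plays the role of the measured response.
    structure = secrets.token_bytes(32)
    return lambda challenge: hmac.new(structure, challenge, hashlib.sha256).digest()

class DoorLock:
    """One stored challenge-response pair per key slot (hypothetical class)."""

    def __init__(self, tokens):
        # Enrollment: measure one random challenge per token while the
        # tokens are known to be the genuine ones.
        self._pairs = [self._measure(t) for t in tokens]

    @staticmethod
    def _measure(token):
        challenge = secrets.token_bytes(16)
        return challenge, token(challenge)

    def insert(self, tokens):
        """Return True (open) only if every slot's token matches its stored pair."""
        if len(tokens) != len(self._pairs):
            return False
        # First challenge: fresh and random, measured for use on the next visit.
        fresh = [self._measure(t) for t in tokens]
        # Second challenge: the one measured last time, compared to the stored
        # result. Exact match is an assumption of this model.
        matches = [
            hmac.compare_digest(t(challenge), response)
            for t, (challenge, response) in zip(tokens, self._pairs)
        ]
        if not all(matches):
            # Keep the old pairs: committing the fresh measurement here would
            # let whatever was inserted become the enrolled key.
            return False
        self._pairs = fresh
        return True

    def stored_challenges(self):
        return [challenge for challenge, _ in self._pairs]
```

Passing two tokens to `DoorLock` gives the variant mentioned near the end of the message, where the lock opens only with all of the enrolled keytokens present.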
Re: unforgeable optical tokens?
bear wrote:
> Anyway; it's nothing particularly great for remote authentication; but it's *extremely* cool for local authentication.

Local authentication still has several optical issues that need to be answered, and which may limit the field usefulness of a device based on laser speckle.

For example, optical noise by both diffraction and interference effects is a large problem -- a small scratch, dent, fiber, or other mark (even invisible, but producing an optical phase change) could change all or most all of the speckle field. The authors report that a 0.5mm hole produces a large overall change -- which can be easily understood since the smaller the defect, the larger the spatial effect (Fourier transform).

But temperature/humidity/cycle differences might be worse -- any dilation or contraction created by a temperature/humidity/cycle difference between recording time (in lab conditions) and the actual validation time (in field conditions) would change the entire speckle field in a way which is not geometric -- you can't just scale it up and down to search for a fit.

Also, one needs to recall that this is not a random field -- this IS a speckle field. There is a definite higher probability for bunching at dark and white areas (because of the scatter's form, sine function properties, laser coherence length, etc). This intrinsic regularity can be used to reduce the search space to a much lower space than what I saw suggested. Taking into account loss of resolution by vibration and positioning would also reduce the search space.

Finally, the speckle field will show autocorrelation properties related to the sphere's size and size distribution, which will further reduce randomness. In fact, this is a standard application of speckle: to measure the diameter statistics of small spheres.

Cheers, Ed Gerck
Re: unforgeable optical tokens?
--- begin forwarded text

Status: RO
User-Agent: Microsoft-Entourage/10.1.0.2006
Date: Sun, 22 Sep 2002 14:40:58 +0100
Subject: Re: unforgeable optical tokens?
From: David G.W. Birch [EMAIL PROTECTED]
To: Bob Hettinga [EMAIL PROTECTED], Digital Bearer Settlement List [EMAIL PROTECTED]

On 20/9/02 6:09 pm, Perry e-said:
> A couple of places have reported on this:
> http://www.nature.com/nsu/020916/020916-15.html
> An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.

I remember being shown a similar system from a Dutch company four or five years ago. Same idea, except that they were using the alignment of fibres trapped in the resin (rather than bubbles). It's an interesting way of making an unforgeable token, but I think its practical applications are more in brand protection (labels for designer sunglasses and so on) rather than in cryptography.

Regards, Dave Birch.

--
-- My own opinion (I think) given solely in my capacity
-- as an interested member of the general public.
--
-- mail dgw(at)birches.org, web http://www.birches.org/dgwb

--- end forwarded text

--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: unforgeable optical tokens?
Barney Wolff wrote:
> Actually, it can. The server can store challenge-responses in pairs, then send N as the challenge and use the N+1 response (not returned) as the key.

But why bother? What does this add over just using crypto without their fancy physical token? The uncloneability of their token is irrelevant to this purpose. You might as well just carry around a piece of paper, or a floppy disk, with a list of keys on it.
Re: unforgeable optical tokens?
Perry E. Metzger wrote:
> An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.

I can't dig up the memory, but I think I heard of a similar idea -- random structure in transparent solid, difficult to copy -- used in some kind of tag or seal for nuclear security. Can anyone remind me what this might have been?

--
Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
(finished Ph.D., woohoo; looking for good work in the Seattle area)
Re: unforgeable optical tokens?
> Not really. Illuminating the device at different locations and angles is certainly not as good as a cryptographical challenge. Since the location and angle is done by some mechanical device, the numbers of locations and angles is certainly small

I think you're right here; in order for the challenges to be reproducible, the locations / angles that the reader uses would have to be discrete, probably by some sort of stepper motor. However, if the readers are autonomous (and each one needs to see the physical token once in order to identify it later,) then every reader could be calibrated differently, and would therefore use one relatively small subset of locations / angles out of a large number of subsets.

> and once you are in possession of the token (e.g. as a clerk in the shop), it might be possible to generate a complete table of all location/angle/response triples.

I wonder if an analysis of the diffraction patterns produced by passing light through a token like this would provide enough information to reconstruct the internal 3-D shape... it strikes me as being a problem similar to X-ray crystallography.

Ian Clelland [EMAIL PROTECTED]
Re: unforgeable optical tokens?
[EMAIL PROTECTED] writes:
> I can't dig up the memory, but I think I heard of a similar idea -- random structure in transparent solid, difficult to copy -- used in some kind of tag or seal for nuclear security. Can anyone remind me what this might have been?

This isn't security -- this is a small-form-factor physical ROM. This read-only data crystal. The fact that they cannot be duplicated easily just means that you cannot use these tokens for real data storage. Imagine if they _were_ replicable.. Imagine keeping a terabyte of backup data on one of these tokens!

> Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
> (finished Ph.D., woohoo; looking for good work in the Seattle area)

-derek

PS: My Master's degree is from the Media Lab, so I can vouch for the fact that reasonable work is done there ... ;)

--
Derek Atkins Computer and Internet Security Consultant [EMAIL PROTECTED] www.ihtfp.com
Re: unforgeable optical tokens?
On Sat, Sep 21, 2002 at 12:11:17AM +, David Wagner wrote:
> I find the physical token a poor replacement for cryptography, when the goal is challenge-response authentication over a network. In practice, you never really want just challenge-response authentication; you want to set up a secure, authenticated channel to the other party, which means you probably also need key distribution functionality. The physical token suggested here doesn't help with that at all.

That's the main problem of judging this token: Don't compare it with cryptographical methods. This token is not a matter of cryptography, because there's no secret and no exchange of information. No challenge, no response, no calculation, no stored information, nothing. Therefore it is completely useless in context of computer networks, which - after all - do nothing else than carrying information.

That token can't perform a challenge-response authentication, because it's a piece of plastic and glass, it doesn't listen to your challenge and it won't give you an answer.

It's just a gadget of the type you can't make a similar one again, and that's what it can be used for. Forget about networks and challenge response in context of this token. Security is far more than just the cryptographical standard methods. There's security beyond cryptography. So don't have this limited view.

regards Hadmut
Re: unforgeable optical tokens?
At 12:07 PM 9/20/02 -0400, Perry E. Metzger wrote:
> A couple of places have reported on this:
> http://www.nature.com/nsu/020916/020916-15.html
> An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.
>
> On the surface, this seems as silly as biometric authentication -- you can simply forge what the sensor is expecting even if you can't forge the token. Does anyone know any details about it?

This kind of thing has been done as conformal coatings in nuke-tracking work. Also diamond-tracking. The idea is you have a complex, optically-coupled-state (metal flakes or spheres in clear paint/epoxy; crystal flaws) which you can read out but not duplicate.

This kind of 'unduplicable' conformal coating may appear on US-bound Canadian trucks, too. Certify in the great white north, spray, measure, drive, re-measure, pass, look ma, no long lines at the border.
unforgeable optical tokens?
A couple of places have reported on this:
http://www.nature.com/nsu/020916/020916-15.html

An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it.

On the surface, this seems as silly as biometric authentication -- you can simply forge what the sensor is expecting even if you can't forge the token. Does anyone know any details about it?

--
Perry E. Metzger [EMAIL PROTECTED]
Re: unforgeable optical tokens?
Perry E. Metzger wrote:
> But if you can't simulate the system, that implies that the challenger has to have stored the challenge-response pairs because he can't just generate them, right? That means that only finitely many are likely to be stored. Or was this thought of too?

According to the article at http://www.msnbc.com/news/810083.asp :

"We have about a terabit -- a one followed by twelve zeros -- of information contained in a penny's worth of material," said Gershenfeld. ... In practice, the combination of laser light inputs and resulting speckle pattern outputs for each token could be stored on a secure database. The token could then be read at a terminal that queries the database and authenticates the token's identity.

I don't know just how practical this would be, in practice...

BTW, I think the Science article cited in the above article on Pappu's web site is available to Science subscribers (of which I'm not) at
http://www.sciencemag.org/cgi/search?volume=firstpage=author1=Gershenfeld%2C+Nauthor2=Pappu%2C+Rtitleabstract=fulltext=fmonth=Octfyear=1995tmonth=Septyear=2002hits=10sendit.x=30sendit.y=6sendit=Search
(The above URL may have been munged...)

M.
Re: unforgeable optical tokens?
I see several applications where these tokens could be really useful where biometric methods are completely useless. Main advantage seems to be that these tokens are extremely cheap. There are heaps of applications where these tokens seem to be just perfect.

For a bit of perspective, this work comes out of a research lab that has worked with a variety of technologies for digital IDs for physical objects. Barcodes, RFID tags, smart cards, etc - all are ways to give a physical object a unique sequence. What's interesting about these optical tokens is that they are supposedly unforgeable, and they are very cheap. By contrast barcodes can be copied too easily. Smartcards are too expensive.

Physical security tokens are the most prosaic application of this capability. Think tracking applications, object recognition on a wearable computer, ... Things That Think.

[EMAIL PROTECTED] . . . .. . . . http://www.media.mit.edu/~nelson/
Re: unforgeable optical tokens?
On Fri, Sep 20, 2002 at 02:17:11PM -0400, Trei, Peter wrote:
> It appears to have replay resistance *between* readers - ie, the data from reader A would be useless to spoof reader B, since the two readers will illuminate the device at different locations and angles.

Not really. Illuminating the device at different locations and angles is certainly not as good as a cryptographical challenge. Since the location and angle is done by some mechanical device, the numbers of locations and angles is certainly small, and once you are in possession of the token (e.g. as a clerk in the shop), it might be possible to generate a complete table of all location/angle/response triples.

Another question is how the reader verifies the token. There must be some description of the token which allows to verify the token. Is it possible to generate the token responses without actually having the token? (are token and verification information a public/private key pair?).

I see the reader as a weak point, a second one is that the device does not provide a signature. Even if the device was replay proof, it's not possible to distinguish between payment of 20 or 40 Euro.

There are plenty of good applications for such a token, but credit cards and payment are certainly not.

Hadmut
Re: unforgeable optical tokens?
Perry E. Metzger wrote:
> But if you can't simulate the system, that implies that the challenger has to have stored the challenge-response pairs because he can't just generate them, right? That means that only finitely many are likely to be stored. Or was this thought of too?

I believe the idea is that there are gazillions of possible challenges. The challenger picks a thousand randomly in advance, scans the token from the corresponding thousand different angles to get the thousand responses, and stores all them. Then, later, the challenger can select one of his stored challenges, pass it to a remote entity, and demand the correct answer. Of course, a challenger must never re-use the same challenge twice.

I find the physical token a poor replacement for cryptography, when the goal is challenge-response authentication over a network. In practice, you never really want just challenge-response authentication; you want to set up a secure, authenticated channel to the other party, which means you probably also need key distribution functionality. The physical token suggested here doesn't help with that at all.

It seems to me the real value of the physical token is that it provides a piece of hardware that is (hopefully) very expensive to clone. That's an interesting capability to have in your bag of tricks.
Re: unforgeable optical tokens?
On Sat, Sep 21, 2002 at 12:11:17AM +, David Wagner wrote:
> I find the physical token a poor replacement for cryptography, when the goal is challenge-response authentication over a network. In practice, you never really want just challenge-response authentication; you want to set up a secure, authenticated channel to the other party, which means you probably also need key distribution functionality. The physical token suggested here doesn't help with that at all.

Actually, it can. The server can store challenge-responses in pairs, then send N as the challenge and use the N+1 response (not returned) as the key.

--
Barney Wolff
I'm available by contract or FT: http://www.databus.com/bwresume.pdf