unforgeable optical tokens?

bear bear at sonic.net
Sun Sep 22 14:46:06 EDT 2002



On Sun, 22 Sep 2002, Hadmut Danisch wrote:

>It's just a gadget of the type "you can't make a similar one again",
>and that's what it can be used for. Forget about networks and
>challenge response in context of this token.
>
>Security is far more than just the cryptographical standard methods.
>There's security beyond cryptography. So don't have this limited
>view.

Here's a potential application: consider it as a door key.  Every
time the user sticks it into the lock, the lock issues two challenges.
The first challenge is randomly selected; the lock just reads and
stores the result.  The second is for authentication: it issues the
same challenge it issued for the first challenge last time, reads
the result and compares it to the result it stored last time. If
it's a match, the lock opens.

This is not really applicable to remote authentication, because
in *remote* authentication, someone has to be *signalled* that
the authentication succeeded, whereupon the *signal* becomes just
another message that has to be protected using conventional crypto
and protocols.  But for *local* authentication, it's got some
good stuff going for it.

But consider the door lock application: There's no way for the
attacker (or the key-holder either) to know what challenge out
of zillions has been issued or what response out of zillions
has been stored. The door never had to send any of that
information over a network, so Eve can't get it and Mallory
can't replay or duplicate it; presumably it is stashed inside
tamper-resistant hardware somewhere in the lock.

Superficially, this resembles a smartcard key where the challenge
is a string and the response is the string encrypted according to
a key held on the smartcard.  But it's not subject to side channel
attacks like power measurement to extract its key for the encryption
operation the way smartcards are. And it is far more resistant to
duplication, even to an attacker who knows its internal structure
("key") and has the fab infrastructure. And it is many orders of
magnitude faster.  You shine lasers on it at particular angles
and at particular points on its surface for a challenge; its
response is at your sensors in a nanosecond or less.  No smartcard
is anywhere near that fast. And you can go swimming with it, which
you can't do with a smartcard; no need to ever have it out of your
possession, even when you're in the shower.

If you want to make whole computers that are tamper-resistant,
you could extend the "door key" metaphor to the computer itself;
with your key in it, it can read its hard drive and do computer-
like things.  Without your key in it, it's just a sealed lump
of metal and glass with some buttons on it. In an operating system
for such a machine, everything would be encrypted.  The boot sector
would be encrypted using the same protocol as the "door key" above,
with a different key for every bootup.

For the rest of the machine, instead of storing any encryption or
decryption keys anywhere, you'd store challenges for the token
and use its responses for the keys.  And every (say) tenth time
you touched something, you'd generate a new challenge, get a new
key from the token, and re-encrypt the plaintext with the new
key. That way even if a thief gets your machine, they can extract
zero information from it unless they get your keytoken too.

If your machine ever goes missing, and you still have the keytoken
in your possession, you have no security worries; likewise if the
keytoken ever goes missing, but you still have your machine.  It's
only if *both* of them go missing that you have a problem.

hmmm.  It becomes more rococo, but of course, it also makes it
easy to create a machine that can only be used with *all* of
two or more keytokens inserted; just the thing for mutually
suspicious parties to store confidential shared data on.

Anyway; it's nothing particularly great for remote authentication;
but it's *extremely* cool for local authentication.

				Bear
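The two-challenge door-lock protocol described in the message above, written out as added example code; this is not Bear's code and not part of the original post. The optical token is replaced by a keyed-hash stand-in, which is an assumption: it models only "stable, unpredictable, token-specific responses" and says nothing about the optics. The lock holds one challenge plus the response it expects, never a key, and rolls to a fresh random challenge after each successful open. One detail the message leaves open is the order of the two challenges; here the verification runs first, so that an insertion that fails cannot overwrite the state the owner's key must answer next time. The scenario function also checks the two properties the message claims: a different token with the same design is rejected, and a device replaying an old recorded response is rejected because the lock has moved on.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class OpticalToken:
    """Stand-in for the physical optical token (assumption, not a model of real optics).

    A real token answers with light scattered by its internal structure; here the
    structure is a random secret byte string and the answer is HMAC-SHA256 over the
    challenge.  The protocol only needs each token to give a repeatable, hard-to-predict
    answer, with a different token giving a different answer.
    """

    def __init__(self, structure: Optional[bytes] = None) -> None:
        self._structure = structure if structure is not None else secrets.token_bytes(32)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._structure, challenge, hashlib.sha256).digest()


class ReplayDevice:
    """Models a device that recorded one past response and replays it regardless of challenge."""

    def __init__(self, recorded_response: bytes) -> None:
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class DoorLock:
    """Holds one outstanding challenge and the response the enrolled token gave to it.

    Nothing in the lock is a key: a thief who reads its memory learns one challenge and
    one response, and the next insertion will ask the token something else.
    """

    def __init__(self) -> None:
        self._challenge: Optional[bytes] = None
        self._expected: Optional[bytes] = None

    def enroll(self, token) -> None:
        """First insertion: pick a random challenge and remember the token's answer."""
        self._roll(token)

    def _roll(self, token) -> None:
        challenge = secrets.token_bytes(16)
        self._challenge = challenge
        self._expected = token.respond(challenge)

    def present(self, token) -> bool:
        """One insertion: verify the stored challenge, then issue a new one.

        Verification runs first so that a failed attempt leaves the stored state
        untouched; if the fresh challenge were issued and stored before verifying,
        any object pushed into the lock could overwrite what the real key must answer.
        """
        if self._challenge is None or self._expected is None:
            raise RuntimeError("lock has no enrolled token")
        answer = token.respond(self._challenge)
        if not hmac.compare_digest(answer, self._expected):
            return False
        self._roll(token)  # fresh random challenge for next time
        return True

    def snapshot(self) -> tuple:
        return (self._challenge, self._expected)


def run_scenario() -> dict:
    """Exercise the lock with the owner's token, a forgery, and a replay device."""
    owner = OpticalToken()
    lock = DoorLock()
    lock.enroll(owner)

    # The genuine key opens the door on repeated visits and the stored challenge rolls each time.
    before = lock.snapshot()
    first = lock.present(owner)
    after_first = lock.snapshot()
    second = lock.present(owner)

    # A token of the same design but different internal structure (constructed forgery) fails,
    # and the lock's stored state survives the failed attempt.
    forgery = OpticalToken()
    state_before_forgery = lock.snapshot()
    forgery_result = lock.present(forgery)
    state_after_forgery = lock.snapshot()

    # A device replaying a response recorded from an earlier open fails: the lock asks a new challenge.
    replay = ReplayDevice(before[1])
    replay_result = lock.present(replay)

    return {
        "genuine_first": first,
        "genuine_second": second,
        "challenge_rolled": before != after_first,
        "forgery_rejected": not forgery_result,
        "state_kept_after_forgery": state_before_forgery == state_after_forgery,
        "replay_rejected": not replay_result,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The same pattern carries over to the "store challenges, not keys" idea in the message: a disk volume would keep a challenge beside its ciphertext and obtain the key by presenting that challenge to the token, re-keying by drawing a new challenge. Enrollment is the step the message does not spell out; the lock has to see the genuine token once, under trusted conditions, before it can verify anything.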




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com