ID locks lost laptops
Technology Research News
The best security is the kind you don't
have to think about. Researchers at the University of Michigan have taken
that adage as their guide in developing an encryption system that could
reduce the security risk from lost or stolen laptops.
The researchers' Zero-Interaction Authentication system combines two well-known
security techniques: a hardware token that authorizes the person holding
it to use a particular computer, and encryption software that locks and
unlocks files on a computer. The user wears the token in the form of a
watch or piece of jewelry.
Although most people would agree that securing data on a laptop is a good
idea, if the system requires them to periodically re-enter their passwords
or otherwise interrupt their work, "they'll figure out ways to work around
it, or turn it off," said Brian Noble, an assistant professor of electrical
engineering and computer science at the University of Michigan. "One of
our philosophical touchstones is to make sure that there's no reason for
the user to know [the security system] is there," he said.
Although ID cards with magnetic stripes are a good way to control access
to buildings and rooms, when the technique is used for computers, many
people simply leave the card in their computer's card reader, said Noble.
Under the researchers' scheme, the user enters a password into his laptop
or handheld computer at the start of the day to link his token to the
computer. Until the computer is turned off and as long as the token remains
within a few feet of the computer, the files remain unlocked.
The computer and token communicate via radio signals, which are encrypted
to prevent anyone from eavesdropping on and duplicating them. The token
transmits encryption keys, which are binary numbers, that unlock a second
set of encryption keys on the laptop. Those keys lock and unlock the files
on the computer.
The computer continuously checks for the presence of the token, and if
it fails to receive the token's signal, it locks all the files. The files
lock within five seconds of the user walking away, and unlock in just
over six seconds once he comes back into range. These times are short
enough to keep the security system from entering the user's awareness,
according to Noble.
The two-part key process is central to keeping the locking times short.
Because the communications link between the token and the computer is
slow, it would take too much time for the token's keys to lock and unlock
the files directly. It takes much less time to lock and unlock an encryption
key than an entire data file.
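
The two-level key arrangement and the lock-on-absence check described above, as an added example that is not code from the researchers or from this article. It assumes the token keeps its key to itself and unwraps file keys on request. The Token and Laptop classes, the in_range flag, and the SHA-256/HMAC seal and unseal helpers are constructed stand-ins for the real radio link and a real authenticated cipher.

```python
import hashlib, hmac, os

def _sub(key, label):                      # separate subkeys for cipher and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    pad = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, data):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class Token:
    def __init__(self):
        self._kek = os.urandom(32)         # key-encrypting key, stays on the token
        self.in_range = True
    def wrap(self, file_key):
        return seal(self._kek, file_key)
    def unwrap(self, wrapped):             # the only traffic on the slow radio link
        if not self.in_range:
            raise TimeoutError("token not in range")
        return unseal(self._kek, wrapped)

class Laptop:
    def __init__(self, token):
        self.token, self.disk, self.wrapped, self.cache = token, {}, {}, {}
    def write(self, name, data):
        fk = os.urandom(32)                # per-file key, stored only wrapped
        self.wrapped[name] = self.token.wrap(fk)
        self.disk[name] = seal(fk, data)
        self.cache[name] = fk
    def read(self, name):
        if name not in self.cache:         # re-fetch after a lock: 80 bytes, not the file
            self.cache[name] = self.token.unwrap(self.wrapped[name])
        return unseal(self.cache[name], self.disk[name])
    def poll(self):                        # run on a timer; a missed token drops all keys
        if not self.token.in_range:
            self.cache.clear()
        return bool(self.cache)
```

The wrapped file key is 80 bytes whatever the file size, which is why only keys, not file contents, need to cross the slow link when the user returns.
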
The linchpin of the system is, of course, the token, so if the user loses
it he's locked out of his own data. "If you lose the token and you haven't
escrowed the keys, then the [data on the] laptop is junk," said Noble.
You can leave a copy of the token's keys in escrow, say with your system
administrator, and the escrow authority can generate a new token for you,
he said. "In the meantime, the laptop is not usable," he added.
Similar technologies exist, according to Dan Wallach, an assistant professor
of computer science at Rice University. "The main advantage here is the
focus on usability, making the security happen where the user doesn't
even notice it," he said.
The researchers' technology cannot work alone; it requires techniques
for encrypting software, Wallach pointed out.
Practical applications for the technology will take between one and five
years to develop, said Noble. The biggest challenge is probably going
to be building a small enough token with a long enough battery life, he
The researchers also plan to expand the idea to applications and other
services beyond the file system, said Noble. This brings up a number of
questions, he said. For example, in a ubiquitous computing environment
where everything from your car to your whiteboard is computerized and
networked together, how do the rules of the game change if you have a
token that authenticates you in a 10-meter bubble, he said. "Just what
are the implications of having authentication be a very short-term and
Noble's research colleague is Mark Corner. They are scheduled to present
the research at the International Conference on Mobile Computing and Networking
(Mobicom '02) during the week of September 23rd in Atlanta. The research
was funded by Intel Corporation, Novell, Inc., the National Science Foundation
(NSF) and the Defense Advanced Research Projects Agency (DARPA).
Timeline: 1-5 years
Funding: Corporate, Government
TRN Categories: Cryptography and Security; Wireless Communication
Story Type: News
Related Elements: Technical paper, "Zero-Interaction Authentication,"
International Conference on Mobile Computing and Networking, Atlanta,
September 23-28, 2002