Radio ID locks lost laptops

By Eric Smalley, Technology Research News

The best security is the kind you don't have to think about. Researchers at the University of Michigan have taken that adage as their guide in developing an encryption system that could reduce the security risk from lost or stolen laptops.

The researchers' Zero-Interaction Authentication system combines two well-known security techniques: a hardware token that authorizes the person holding it to use a particular computer, and encryption software that locks and unlocks files on a computer. The user wears the token in the form of a watch or piece of jewelry.

Although most people would agree that securing data on a laptop is a good idea, if the system requires them to periodically re-enter their passwords or otherwise interrupt their work, "they'll figure out ways to work around it, or turn it off," said Brian Noble, an assistant professor of electrical engineering and computer science at the University of Michigan. "One of our philosophical touchstones is to make sure that there's no reason for the user to know [the security system] is there," he said.

Although ID cards with magnetic stripes are a good way to control access to buildings and rooms, when the technique is used for computers, many people simply leave the card in their computer's card reader, said Noble.

Under the researchers' scheme, the user enters a password into his laptop or handheld computer at the start of the day to link his token to the computer. Until the computer is turned off and as long as the token remains within a few feet of the computer, the files remain unlocked.

The computer and token communicate via radio signals, which are encrypted to prevent anyone from eavesdropping on and duplicating them. The token transmits encryption keys, which are binary numbers, that unlock a second set of encryption keys on the laptop. Those keys lock and unlock the files on the computer.

The computer continuously checks for the presence of the token, and if it fails to receive the token's signal, it locks all the files. The files lock within five seconds of the user walking away, and unlock in just over six seconds once he comes back into range. These times are short enough to keep the security system from entering the user's awareness, according to Noble.

The two-part key process is central to keeping the locking times short. Because the communications link between the token and the computer is slow, it would take too much time for the token's keys to lock and unlock the files directly. It takes much less time to lock and unlock an encryption key than an entire data file.

The linchpin of the system is, of course, the token, so if the user loses it he's locked out of his own data. "If you lose the token and you haven't escrowed the keys, then the [data on the] laptop is junk," said Noble.

You can leave a copy of the token's keys in escrow, say with your system administrator, and the escrow authority can generate a new token for you, he said. "In the meantime, the laptop is not usable," he added.

Similar technologies exist, according to Dan Wallach, an assistant professor of computer science at Rice University. "The main advantage here is the focus on usability, making the security happen where the user doesn't even notice it," he said.

The researchers' technology cannot work alone; it requires techniques for encrypting software, Wallach pointed out.

Practical applications for the technology will take between one and five years to develop, said Noble. The biggest challenge is probably going to be building a small enough token with a long enough battery life, he said.

The researchers also plan to expand the idea to applications and other services beyond the file system, said Noble. This brings up a number of questions, he said. For example, in a ubiquitous computing environment where everything from your car to your whiteboard is computerized and networked together, how do the rules of the game change if you have a token that authenticates you in a 10-meter bubble, he said. "Just what are the implications of having authentication be a very short-term and transient property?"

Noble's research colleague is Mark Corner. They are scheduled to present the research at the International Conference on Mobile Computing and Networking (Mobicom '02) during the week of September 23rd in Atlanta. The research was funded by Intel Corporation, Novell, Inc., the National Science Foundation (NSF) and the Defense Advanced Research Projects Agency (DARPA).

Timeline:   1-5 years
Funding:   Corporate, Government
TRN Categories:   Cryptography and Security; Wireless Communication
Story Type:   News
Related Elements:  Technical paper, "Zero-Interaction Authentication," International Conference on Mobile Computing and Networking, Atlanta, September 23-28, 2002


September 4/11, 2002


© Copyright Technology Research News, LLC 2000-2006. All rights reserved.