We live in digitised, connected societies, in an Internet of Things (IoT) world where our reliance on software, hardware, and the networks that connect us grows exponentially. Our increasing global reliance on what we hope and assume are secure networks is profound. The threat of large-scale cyber-attack has become a strategic priority for all governments, which continually rely on network solutions to ensure the running and security of their nations. With increased dependency on intelligent, interconnected devices in every aspect of our lives, it becomes imperative to provide security and privacy. The majority of public and private networks and systems underpinning global data security, IoT and e-commerce use security protocols based on existing mathematical complexity. These protocols are vulnerable to intelligent attack, and such attacks are increasing in success day by day.
Unlike a paper-based ID such as most driver’s licenses and passports, a digital ID can be authenticated remotely over digital channels. For example, a digital ID could be issued by a national or local government, by a consortium of private or nonprofit organizations, or by an individual entity. This definition also applies regardless of the specific technology used to perform digital authentication, which could range from the use of biometric data to passwords, PINs, or smart devices and security tokens.
Digital identification, or “digital ID,” can be authenticated unambiguously through a digital channel, unlocking access to banking, government benefits, education, and many other critical services. Governments seek to digitize their citizens in an effort to universalize government services, while the banking, travel, and insurance industries aim to create more seamless processes for their products and services.
Digital IDs provide many advantages and minimize human execution error, unauthorized credential use, and the exclusion of individuals. Digital ID could meaningfully reduce those risks by minimizing the opportunity for manual error or breaches of conduct. For example, for conventional ID programs, reconciliation of data between databases may be impossible or error-prone, while digital ID programs can more readily integrate data sources and implement data quality checks and controls. High-assurance digital ID programs also reduce the risk of forgery and unauthorized use, which are relatively easier with conventional IDs, like driver’s licenses and passports.
Furthermore, some risks associated with conventional IDs will manifest in new ways as individuals use digital interfaces. For example, individuals without sufficient technological access or savvy and those who do not trust a digital ID system could be completely excluded, unless alternative manual options also exist. The risks and potential for misuse of digital ID are real and deserve careful attention. The Aadhaar program, India’s national digital ID framework—the world’s largest—was recently shown to be compromised. For a digital ID system to work without becoming an easy target for hacking, it should be decentralized and otherwise adhere to recognized principles for good digital security.
Gartner says, “Through 2018, over 50% of Internet of Things (IoT) device manufacturers will not be able to address threats from weak authentication practices.” According to Accenture, “Attackers are getting smarter. Criminals are evolving new business models, such as ransomware-as-a-service, which mean that attackers are finding it easier to scale cyber crime globally.”
The problem with passwords is that they are just too vulnerable, be that from weak construction, reuse or data breaches. In the world of supply chain product authentication, issues of theft and interception come to the fore when passwords are on the security debate agenda. Things are not a whole heap better when it comes to holograms or QR codes, to be honest, where imitation is rife. The current supply chain authentication solutions, like anti-counterfeit tags or password protection, which base their security credentials on secrecy or on being difficult to replicate, are not as secure as they should be. They are subject to imitation, theft, hacking and interception.
Solving the supply chain counterfeit problem has taken on a whole new level of urgency in the new COVID-19 pandemic reality. Criminal enterprise has seized the despicable opportunity that the pandemic's global demand for medicines and medical supplies has presented, and the illicit trade in counterfeit goods has exploded as a result. Researchers are therefore looking for an ‘unbreakable’ product authentication methodology that promises to make counterfeiting impossible.
Good digital ID requires the following four attributes:
Verified and authenticated to a high degree of assurance: High-assurance digital ID meets both government and private-sector institutions’ standards for initial registration and subsequent acceptance for a multitude of important civic and economic uses, such as gaining access to education, opening a bank account, and establishing credentials for a job. High-assurance authentication maintains these same standards each time the digital ID is authenticated. This attribute does not rely on any particular underlying technology. A range of credentials could be used to achieve unique high-assurance authentication and verification, including biometrics, passwords, QR codes, and smart devices with identity information embedded in them.
Unique: With a unique digital ID, an individual has only one identity within a system, and every system identity corresponds to only one individual. This is not characteristic of most social media identities today, for example.
Established with individual consent: Consent means that individuals knowingly register for and use the digital ID with knowledge of what personal data will be captured and how they will be used.
Protects user privacy and ensures control over personal data: Built-in safeguards to ensure privacy and security while also giving users access to their personal data, decision rights over who has access to that data, with transparency into who has accessed it.
PUF Technology
Physical Unclonable Functions (PUFs) use device-unique random patterns to differentiate chips from each other. PUFs are designed to be impossible to duplicate, clone or predict. This makes them very suitable for applications such as secure key generation and storage, device authentication, flexible key provisioning and chip asset management. PUFs are actively stimulated and executed to exploit the randomness in their behavior. A good way to look at a PUF is as a device fingerprint.
The noisy behavior of this device fingerprint is also utilized to the advantage of the system. The noise entropy is harvested to create strong, independent random numbers with high entropy. Strong independent random number generators are needed in all kinds of cryptographic protocols and are often the weakest link in a cryptographic implementation.
However, even existing PUF (Physically Unclonable Functions) based security solutions such as SRAM or Delay PUFs, which rely on classical properties, have been successfully cloned.
Quantum ID
Lancaster University start-up Quantum Base’s atomic-scale devices don’t need passwords and, according to the company, are impervious to cloning. The company says its Quantum Q-IDs, electronic quantum EPUF devices, use unique arrangements of atoms and imperfections in these nanostructures to create 100% unclonable devices, which are simple, small and cheap. The U.K. company claims its patented Q-ID optical authentication tags are impossible to copy because each nano-scale device contains 1,000 trillion atoms. Producing an identical clone, Quantum Base says, would take the most powerful scanning probe microscopes on the planet about the age of the universe, 13 billion years give or take.
IsoLab at Lancaster University is a suite of 3 laboratories where vibration, noise and electromagnetic disturbance have been drastically reduced, creating an ultra-clean environment for measurement and characterization. This is where scientists have created a family of simple, practical, scalable security devices based on state-of-the-art quantum technologies. Commercialized by spinout company Quantum Base, these include the ‘unclonable’ identity tags, Q-ID.
Quantum Base claims these atomic-scale Q-ID optical tags are the most secure system ever made, as they are created by harnessing the randomness of quantum materials. In other words, they are unique atomic-scale digital IDs based upon the irregularities that can be found in one-atom-thick “2D materials” such as graphene. Quantum physics amplifies the anomalies, which makes them impossible to fingerprint. Because of the nano-scale we are talking about here, less than 1000th of a human hair in size, they can easily be incorporated onto the surface of any product or tag, any QR code or hologram, to create a truly unique fingerprint.
Quantum Base also says that Q-IDs can be mass-produced using existing processes and incorporated into any material. To add to the Holy Grail status being summoned up here, faking of supply chains using lengthy artificial chains of organizations would become a thing of the past as every chain would be transparent: the Q-ID code can be scanned using a smartphone app to match it to the manufacturer database. If a batch of goods were to be stolen, the graphene identity tags could simply be “switched off” at any point to ensure supply chain integrity.
The secret sauce behind the Q-IDs sits in the idea that, at the atomic scale, everything is unique: moving single atoms around to clone a specific tag structure is virtually impossible thanks to PUFs. Physically unclonable functions (PUFs) bring forward the idea that, using the no-cloning theorem from quantum mechanics, unique fingerprints can be derived. Just getting your head around PUFs would need another deep-dive article, but thankfully there’s an excellent PUF primer to be found here.
Quantum Base insists that optical quantum PUFs provide “100% absolute authentication” that simply cannot be cloned, copied or simulated because, and I’m repeating myself here I know, everything is unique at the atomic scale. Of course, this depends somewhat on your definition of unique, but I’m guessing most people would go along with 1,000,000,000,000,000 atoms being pretty damn hard to copy. Damn hard to copy isn’t the same as unbreakable or unclonable, though, and those are what is being claimed by Quantum Base.
Dr. Mark Carney, a mathematician and security researcher with a particular interest in quantum security, describes PUFs used in authentication as the notion that an individual chip can be characterized and then the responses from that chip can be compared along the supply chain to ensure it’s the same one. “Even if the attacker gains some data about the chip’s characterization,” Dr. Carney says, “they are bound to generate more error or variation than the chip, and in theory, you can detect this given a large enough sample.” This would be done through a process of challenge-response pairs, or CRPs.
However, Dr. Carney adds, “the security is intrinsically tied to the precise mechanics and physicality of the thing – and PUFs don’t have a great track record.” Indeed, there have been known side-channel attacks taking advantage of “lazy” implementations and some theoretical attacks using machine learning to predict the CRP values. Professor Ben Varcoe from Leeds University, an expert in cavity quantum electrodynamics and continuous-variable quantum key distribution, said: “I personally think that a PUF is an interesting concept, as it provides a unique identifier,” adding that “the problem as Mark has suggested is that if the identifier can be used in any type of ‘record and replay’ scenario, it is useless, or at least only useful the first time, while also being vulnerable to hardware attacks.”
Professor Varcoe says that while there have been some methods suggested in which the PUF is a complex function, and so harder to replicate, there would still be a time limit on the amount of security provided. “It’s better to have a code that changes with time,” he says, “even if it is quantum.” That said, Professor Varcoe agrees that it “certainly seems to be the case that no two quantum dots are identical and therefore it would be hard to create a quantum dot with that exact property,” and the “concept of allowing a consumer to use a mobile phone to authenticate is extremely interesting.” His one quibble is that, for authentication application purposes, it’s essential that the signal cannot be replicated by a counterfeiter. “If the forger’s aim is to create a copy of an artwork protected with the quantum dots,” he explains, “then the forger only needs to create a signal that would fool a smartphone – there is no reason to actually create a new set of quantum dots.”
One option, he suggests, would be to create a reflection (rainbow) hologram that mimics the pattern, which is challenging, but not impossible. Smartphone camera limitations could come into play here as fooling the camera is more achievable than replicating the quantum mechanics.
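The challenge-response comparison Dr. Carney describes, and the record-and-replay weakness Professor Varcoe raises, can be shown in a small simulation. This is an added example, not code from Quantum Base or the researchers quoted: the SimulatedPUF and Verifier classes, the 5% noise rate and the 25% Hamming-distance threshold are assumptions chosen for illustration, and a hash with injected bit flips stands in for the physical device.

```python
import hashlib
import random

RESP_BITS = 128
NOISE_RATE = 0.05   # assumed per-bit read noise of a genuine device
THRESHOLD = 0.25    # assumed accept limit on fractional Hamming distance

class SimulatedPUF:
    """Software stand-in for a physical PUF: hidden per-device seed plus read noise."""
    def __init__(self, rng):
        self._seed, self._rng = rng.getrandbits(256).to_bytes(32, "big"), rng

    def respond(self, challenge):
        digest = hashlib.sha256(self._seed + challenge).digest()
        ideal = int.from_bytes(digest[:RESP_BITS // 8], "big")
        noise = sum(1 << i for i in range(RESP_BITS) if self._rng.random() < NOISE_RATE)
        return ideal ^ noise  # every read differs slightly, as with real hardware

def hamming_fraction(a, b):
    return bin(a ^ b).count("1") / RESP_BITS

class Verifier:
    def __init__(self):
        self._crps = {}  # challenge -> reference response recorded at enrollment

    def enroll(self, puf, count, rng):
        for _ in range(count):
            challenge = rng.getrandbits(128).to_bytes(16, "big")
            self._crps[challenge] = puf.respond(challenge)

    def next_challenge(self):
        return next(iter(self._crps))

    def verify(self, challenge, response):
        reference = self._crps.pop(challenge, None)  # each CRP is consumed on first use
        return reference is not None and hamming_fraction(reference, response) <= THRESHOLD

def demo(seed=2024):
    rng = random.Random(seed)  # seeded only to make the simulation repeatable
    genuine, other = SimulatedPUF(rng), SimulatedPUF(rng)
    verifier = Verifier()
    verifier.enroll(genuine, 3, rng)
    c1 = verifier.next_challenge()
    recorded = genuine.respond(c1)  # the exchange an eavesdropper could capture
    results = {"genuine": verifier.verify(c1, recorded)}
    results["replay_same_challenge"] = verifier.verify(c1, recorded)
    results["replay_fresh_challenge"] = verifier.verify(verifier.next_challenge(), recorded)
    c3 = verifier.next_challenge()
    results["different_device"] = verifier.verify(c3, other.respond(c3))
    return results
```

Only the genuine device answering a fresh challenge is accepted. The cost is that the verifier's stock of enrolled CRPs is finite, which is the "only useful the first time" limit the quote points to.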