Nelson Minar wrote:
>>An idea from some folks at MIT apparently where a physical token
>>consisting of a bunch of spheres embedded in epoxy is used as an
>>access device by shining a laser through it.
>
> I have the pleasure of knowing one of the researchers, Ravi Pappu.
> He's smart and a real expert on holography and optics.
>
>>On the surface, this seems as silly as biometric authentication -- you
>>can simply forge what the sensor is expecting even if you can't forge
>>the token. Does anyone know any details about it?
>
> The Nature News piece claims
> attempting to mimic the speckle pattern using some other optical
> system, such as a hologram, is completely impractical.
> http://www.nature.com/nsu/020916/020916-15.html
> That's obviously not a complete answer, but it suggests that the
> problem has at least been thought about.
>
> More details are here:
> http://web.media.mit.edu/~pappu/htm/res/resPOWF.htm
> http://web.media.mit.edu/~pappu/htm/pubs/PappuPhDThesis01.pdf
>
> Ravi's PhD has a section on replay attacks - section 10.3, page 135.
> The claim there is you can't store all possible challenge/response
> pairs because the keyspace is too big and that the actual system is
> too complex to simulate.

Sounds to me like you have to store a double spend database to avoid a
replay attack (surely it isn't feasible for the verifier to choose the
orientation with sufficient accuracy to elicit a particular response,
therefore it will have to accept valid responses from the vicinity, which
will allow replays). And a double spend DB for this kind of thing sounds
big and expensive. And slow to search.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
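
An added illustration of the replay concern raised in the reply above (not part of the original message, and not code from the MIT work): a verifier that tolerates nearby responses accepts an old response against a fresh nearby challenge unless its spent-challenge store also rejects the vicinity. The token model, the one-dimensional "orientation" challenge, `N_BITS`, `TOLERANCE` and all angles are assumptions constructed for the example.

```python
import bisect

N_BITS = 64      # response length (assumed)
TOLERANCE = 8    # max Hamming distance the verifier accepts (assumed)
# Angular distance over which this toy response drifts by TOLERANCE bits.
VICINITY = TOLERANCE / N_BITS

def toy_response(angle):
    """Toy stand-in for the token: nearby angles give nearby bit strings.
    Bit i toggles each time angle + i/N_BITS crosses an integer."""
    return [int(angle + i / N_BITS) % 2 for i in range(N_BITS)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class Verifier:
    def __init__(self, track_vicinity):
        self.track_vicinity = track_vicinity
        self.spent = []  # sorted challenge angles already used ("double spend DB")

    def _near_spent(self, angle):
        # Nearest-neighbour lookup: only the entries either side can be closest.
        i = bisect.bisect_left(self.spent, angle)
        neighbours = self.spent[max(i - 1, 0):i + 1]
        return any(abs(angle - s) <= VICINITY for s in neighbours)

    def verify(self, challenge, response):
        if challenge in self.spent:            # naive rule: exact challenge never reused
            return False
        if self.track_vicinity and self._near_spent(challenge):
            return False                       # vicinity of a spent challenge is spent too
        # toy_response(challenge) stands in for the enrolled expected response.
        ok = hamming(toy_response(challenge), response) <= TOLERANCE
        if ok:
            bisect.insort(self.spent, challenge)
        return ok

def replay_outcome(track_vicinity):
    v = Verifier(track_vicinity)
    recorded = toy_response(10.02)           # honest login, observed on the wire
    first = v.verify(10.02, recorded)
    replayed = v.verify(10.07, recorded)     # fresh nearby challenge, old response
    return first, replayed
```

In this one-dimensional toy a sorted list is enough for the lookup, and every accepted challenge retires a `VICINITY`-wide slice of challenge space on each side of it.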