


Position Paper

Information Survivability Workshop '98

Hardware Biometrics for Authentication

Phil Campbell, Rick Granfield, Bob Hutchinson
Sandia National Laboratories
Albuquerque, NM
(contact plcampb@sandia.gov)
June 30, 1998

We survive, somehow, in the very midst of microbial predators such as bacteria and viruses. Life is a battlefield at this level. We believe that biological defense systems can provide valuable techniques for computer systems.

Generally speaking, biological defenses are of two types: perimeter and internal. The skin, for example, is part of the perimeter defense; the immune system is the internal defense. The development of computer security has focused on a perimeter defense, in our opinion. We are exploring the development of an internal defense, focusing on hardware.

The immune system is based on authentication. Each cell has surface characteristics that identify it as "self." The T cells take advantage of this by alerting the system when a "non-self" has been found. The non-self is surrounded, ingested by phagocytosis, and expelled from the body. At the cellular level there is no mercy.

Our objective is to develop the hardware equivalent of such biometric authentication. We do not want to rely upon a digital key. Rather, we want to use a characteristic that is a feature of the material itself. With this technology in place we can develop internal, distributed security.

Hardware biometric authentication should detect hardware substitution attacks and malicious agents without using digital keys. This advance is important for at least the following reasons:

  1. Reduce the "protected volume" in highly-secure, static systems. If chip A authenticates chip B, then chip B can be outside the protected volume since chip A can detect a substitution attack on chip B.

  2. Provide an internal defense for hardware. We do not believe that we can consider computer systems secure without developing an internal defense similar to the biological immune system. After all, even primitive creatures, such as sponges, can differentiate self from non-self.

  3. Provide an authentication scheme to detect masquerading entities in large systems and networks with cooperating agents. This technology will validate requests and data from remote agents using a unique "hardware heartbeat" instead of a digital key.

If a chip detects a substitution attack, it cannot ingest the non-self chip as a phagocyte can. However, the chip can notify other chips of the detection and in concert these chips can isolate the non-self chip. An isolated chip is, in effect, expelled. We presume that there would be some other chip that could assume the function of the compromised chip.

One of the tools that such authentication provides is the ability to weave a web of defense, so to speak. Since in this system there need not be just one chip that authenticates all the others, it should be unclear to the adversary which chips can be successfully attacked. The web may be small or large, but the adversary has no way of knowing. Similarly, two otherwise-identical systems could use a different web of defense. If the adversary were able to capture one entire system, the capture might reveal little about the defense of the second.

The commercial marketplace is moving into this area. For example, there are authentication techniques that key off of the time that a signal rises to a "1" in a string of bits. The adversary can copy the string of bits but not the timing.
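The timing idea above, sketched as an added example (not code from the paper or from any commercial product): a verifier enrolls the rise time of each 0-to-1 edge over several readings and rejects a copy that replays the right bits with the wrong timing. The function names, the nanosecond readings, the noise floor and the z-score threshold are all assumptions, and the sample data is constructed.

```python
from statistics import mean, stdev

MIN_STD_NS = 0.02  # assumed measurement-noise floor, avoids divide-by-zero on quiet edges

def rising_edges(bits):
    """Positions where the signal goes 0 -> 1; one rise time is measured per edge."""
    return [i for i, b in enumerate(bits)
            if b == "1" and (i == 0 or bits[i - 1] == "0")]

def enroll(bits, readings):
    """Template = per-edge mean and spread of rise time over repeated readings."""
    edges = rising_edges(bits)
    if len(readings) < 2 or any(len(r) != len(edges) for r in readings):
        raise ValueError("need >= 2 readings with one rise time per rising edge")
    cols = list(zip(*readings))
    return {"bits": bits,
            "mean": [mean(c) for c in cols],
            "std": [max(stdev(c), MIN_STD_NS) for c in cols]}

def verify(template, bits, reading, max_z=4.0):
    """Accept only if the bits match AND every edge's timing is within max_z spreads."""
    if bits != template["bits"]:
        return False, "bit string mismatch"
    if len(reading) != len(template["mean"]):
        return False, "wrong number of edges"
    worst = max(abs(t - m) / s
                for t, m, s in zip(reading, template["mean"], template["std"]))
    if worst > max_z:
        return False, "timing mismatch"
    return True, "ok"

# Constructed sample data: rise times in nanoseconds for the three rising edges.
BITS = "0110100110"
ENROLL_READINGS = [[2.31, 3.05, 1.88], [2.29, 3.08, 1.90],
                   [2.33, 3.02, 1.87], [2.30, 3.06, 1.89]]
TEMPLATE = enroll(BITS, ENROLL_READINGS)

GENUINE = [2.32, 3.04, 1.89]   # same part, fresh measurement
CLONE = [2.60, 2.70, 2.10]     # copied bit string, different silicon

if __name__ == "__main__":
    print(verify(TEMPLATE, BITS, GENUINE))
    print(verify(TEMPLATE, BITS, CLONE))
```

A fixed threshold like this ignores drift in rise time with temperature and supply voltage, which a deployed template would have to account for.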

We believe that this technology will have a profound impact on identification and security. As networks continue to expand, like one-celled animals evolving into trillion-celled animals, we believe biometric authentication will have increasingly broad application in validating remote agents.

We are in the initial stages of our research. We do not now know what features of a chip are amenable to biometrics. Temperature is a possibility; current is another; timing appears very likely to be a third, given the technology appearing in the marketplace. The bulk of our efforts will be to assess these and other features. Our goal is to find a feature (or combined set of features) that provides a chip signature. The feature should be outside the control of the production process (if it were not, then the adversary could produce a duplicate on the first try).

We are also interested in expanding the notion of system to include the personnel. To this end we are pursuing authentication via keystroke dynamics, enabling what we call a "secure keyboard." Similarly, we are interested in the limits of readily available but low-security technology, such as techniques to protect firearms by requiring a ring or watch to be in close proximity to the gun. Could a highly secure system be developed from these low-security components?

There are some immediate concerns about this research:

  1. How are hardware parts to be replaced without opening a door to the adversary? If the authentication process allows for a re-calibration to accommodate a new piece of hardware, then what prevents the adversary from using this "back door"? If, on the other hand, hardware pieces cannot be replaced, then what allows the resulting systems to break the barriers of size and lifetime that this imposes?

  2. If software is allowed to change independently of hardware, what protection against attack does hardware authentication provide? If software is not allowed to change, does this so limit the size and lifetime of the resulting system as to make it of insignificant use?

  3. Since people control the creation of all computer hardware, the characteristics for authentication must be outside the design process (otherwise the adversary could design a masquerade). We believe that this means that hardware signatures in a given system will be unique. The design of the T cell assumes that all signatures are within a narrow range. How does one design the equivalent of a T cell when the signatures are all significantly different?

  4. There is a relationship between prey and predator in the biological world that does not always exist in the computer world. The biological predator that eliminates its prey is also eliminated. The same is not always true of computer predators. In times of war, for example, extinction may be the adversary's objective.

It is our belief that the principles underlying biological security will provide important advances in computer security. However, the road to that objective is not clear. We are eager to hone these ideas at a workshop with people interested in information survival.



