RIT professor recommends tougher computer security measures to beat hackers

Dec 03, 2008

Hackers beware. A Rochester Institute of Technology professor knows how to thwart sophisticated and determined intruders from stealing personal and corporate information. His secret? Anchor your online activities to the physical world.

RIT scientist and entrepreneur Roger Dube takes a close look at user authentication and computer security in his recently published book "Hardware-Based Computer Security Techniques to Defeat Hackers: From Biometrics to Quantum Cryptography" (Wiley).

Intended for information technology professionals and others responsible for implementing computer security, "Hardware-Based Computer Security Techniques to Defeat Hackers" is a complete review of different types of hardware technology that can protect computer systems.

"There are steps you can take to protect your computer so you can be certain an application you bring up is authentic and hasn't been replaced with something, for instance, that contains a Trojan horse—a virus that masquerades as a normal program," says Dube, research professor in RIT's Chester F. Carlson Center for Imaging Science, and president and chief scientist of Digital Authentication Technologies Inc.

"The protection that is available today is largely based on algorithms and secrets," Dube adds. "And the problem with secrets is that they have to be shared before they can be used. Poorly constructed secrets can be guessed, making systems vulnerable to attack. And poorly protected secrets can be stolen outright."

A recent example of this weakness made the news when a hacker gained access to Gov. Sarah Palin's Yahoo! account, weeks before the election, by pretending to be the Republican vice presidential candidate. The hacker used Palin's personal information reported in the news to answer the security question protecting her e-mail account.

Software approaches to computer security provide limited protection, Dube says. The problem is that encrypted keystrokes hiding the password/secret are transmitted over the Internet, and these passwords can be intercepted and broken.

Pseudo random number generators, algorithms that are often used to create passwords or disguise a password as a jumble of symbols and numbers, are inherently predictable and can be cracked. The commonly used two-factor form of authentication— username plus password, PIN number or pass phrase—is fragile. Today, more robust security systems require users to present their name and password, and something unique to themselves. The nation protects its top secrets with software and hardware security technologies considered to be astronomically difficult to break, Dube notes.

"You cannot use an algorithm to generate a true random number," Dube says. "It's going to be predictable because it's a calculation. It will create a number that looks random, but if a hacker commandeers the 'seed' condition, they've broken the code completely."

According to Dube, only hardware-based security applications can provide the strongest security systems possible—pattern-free and unpredictable. These methods connect a system or a person to the physical world, ensuring confidentiality and authenticity of communication in ways software applications cannot.

"We needed to tie our security system to something that has its roots in the physical world, rather than to make it purely algorithmic. The advantage is that you can find all kinds of random sources in the physical world that are completely pattern free, but the disadvantage is that they typically involved a piece of hardware. Until recently people have been reluctant to add another piece of hardware or to carry something around. But when the loss becomes too much, hardware-based protection becomes the answer."

In his book, Dube details security systems that generate "passwords" from the physical world such as advanced biometrics (fingerprint scanning and iris and retinal scans) and tokens, such as smart cards embedded with a secure electronic chip. He also discusses location technologies that determine if remote servers are legitimate or carefully constructed fakes commonly used in phishing attacks, as well as geolocation technologies, such as global positioning system technology. The book also discusses the potential vulnerabilities of each of these technologies.

Dube's own computer-security research focuses on location technologies and satellite timing signals. Contractors for the U.S. Department of Defense tested the security system Dube developed for Digital Authentication Technologies Inc. and found it robust.

"The technology gives us location awareness, but doesn't tell us where on the surface of the Earth we are," Dube says. "It's double safe in that way."

Source: Rochester Institute of Technology

Explore further: Index ranks Japan Asia's most efficient innovator (Update)

add to favorites email to friend print save as pdf

Related Stories

Europe's new age of metals begins

43 minutes ago

ESA has joined forces with other leading research institutions and more than 180 European companies in a billion-euro effort developing new types of metals and manufacturing techniques for this century.

Recommended for you

Index ranks Japan Asia's most efficient innovator (Update)

Sep 12, 2014

A new index ranks Japan as the most efficient among Asian countries in turning the building blocks of creativity into tangible innovations that benefit their economies and people while Myanmar, Pakistan and Cambodia are least ...

Making travel quick, safe for cars, bikes, walkers

Sep 10, 2014

Cellphones that warn drivers when people are crossing in front of them. Bicycles and cars that communicate with traffic lights. Sensors in cars that quickly alert other drivers to black ice, potholes or other ...

Tech giants bet on 'smart home' revolution

Sep 10, 2014

It's long been the stuff of science fiction, but tech giants hope the "smart home", where gadgets talk to each other and the fridge orders the milk, will soon become reality.

User comments : 0