Invention of forge-proof ID to revolutionise security

Electronically stimulating an atomically random system, represented above by a key, produces a unique pattern that can be used for authentication or identification purposes whilst being fundamentally unclonable.

Scientists have discovered a way to authenticate or identify any object by generating an unbreakable ID based on atoms.

The technology, which is being patented at Lancaster University and commercialised through the spin-out company Quantum Base, uses next-generation to enable the unique identification of any product with guaranteed security.

The research published today in Nature's Scientific Reports uses atomic-scale imperfections that are impossible to clone as they comprise the unmanipulable building blocks of matter.

First author Jonathan Roberts, a Lancaster University Physics PhD student of the EPSRC NOWNANO Doctoral Training Centre, said: "The invention involves the creation of devices with unique identities on a nano-scale employing state-of-the-art quantum technology. Each device we've made is unique, 100% secure and impossible to copy or clone."

Current solutions such as anti-counterfeit tags or password-protection base their security on replication difficulty, or on secrecy, and are renowned for being insecure and relatively easy to forge. For example, current anti-counterfeiting technology such as holograms can be imitated, and passwords can be stolen, hacked and intercepted.

The ground-breaking atomic-scale devices do not require passwords, and are impervious to cloning, making them the most secure system ever made. The fact that they can also be incorporated into any material makes them an ideal candidate to replace existing authentication technologies.

Writing in Nature's Scientific Reports, the researchers said: "Simulating these structures requires vast computing power and is not achievable in a reasonable timescale, even with a quantum computer. When coupled with the fact that the underlying structure is unknown, unless dismantled atom-by-atom, this makes simulation extremely difficult.

"While inhomogeneity in the fabrication of nanostructures often leads to unpredictable behaviour of the final device, which is normally undesirable, we have proposed and demonstrated a potential use for the quantum behaviour of atomically irreproducible systems."

The reported Q-ID device, which uses an electronic measurement with CMOS-compatible technology, can easily be integrated into existing chip manufacturing processes, enabling cost-effective mass production. The new devices also have many additional features such as the ability to track and trace a product throughout the supply chain, and individual addressability, allowing for marketing and quality control at the point of consumption.

Dr Robert Young, the research leader at Lancaster University and co-founder of Quantum Base, said: "One could imagine our devices being used to identify a broad range of products, whether it is authentication of branded goods, SIM cards, important manufacturing components, the possibilities are endless."

The use of inexpensive nanomaterials and their ability to be produced in large quantities has resulted in smaller, more power efficient devices that are future-proof to cloning.

Phil Speed, co-founder of Quantum Base, said: "Q-IDs markedly increase the security gap between the good guys and the bad guys; this is truly a step change in authentication and authorisation. Lancaster and Quantum Base have created devices that are the smallest, the most secure and the cheapest possible today and we are looking forward to talking to prospective markets and customers alike to bring this new, cutting edge, great British technology into mass market adoption."

More information: J. Roberts et al. Using Quantum Confinement to Uniquely Identify Devices, Scientific Reports (2015). DOI: 10.1038/srep16456
Journal information: Scientific Reports

Citation: Invention of forge-proof ID to revolutionise security (2015, November 10) retrieved 21 September 2019 from

User comments

Nov 10, 2015
Watch for hackers getting in between the device and the reader (much like they employ fake keypads overlaid on ATMs)

In the end hacking is not about getting the key. It is about opening the lock*. And at some point there's always that final bit that says "access granted" or "access denied". If you can manipulate that bit all the previous security measures are moot.

(* or not even that: it is ultimately about getting the thing behind the lock).

Nov 10, 2015
It has the problem of repeatability: can you measure it accurately every time, can the "code" get damaged by chemical, mechanical wear... what if you bend the object - does the signature change?

These considerations require that the object has to be measured as a close match instead of an exact match to an earlier record. You have to allow error.

Now this is a huge problem, because secure password systems use what's called a hash function. The original password isn't saved anywhere - the password goes through a one-way math function that turns "password" into "d123jjw3oe3kjlsd" style gibberish. If the hash code matches with what was stored then the password is correct. That means you can't steal the password from a server because the server doesn't have it.

With a "close match" comparison, this is not possible because a close match generates a completely different hash. It means you can steal the signature, and generate not an exact clone but a "close enough" clone.
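The trade-off described in the comment above, as an added example that is not part of the original comment or of the Q-ID work. The 256-bit signature, the five simulated read errors and the 16-bit tolerance are constructed values chosen for illustration.

```python
import hashlib
import hmac
import random

SIG_BITS = 256  # assumed signature length, for illustration only


def enroll(rng):
    """Constructed stand-in for a device's measured signature."""
    return rng.getrandbits(SIG_BITS)


def noisy_reading(signature, flips, rng):
    """Re-measure the same device with `flips` distinct bit errors."""
    for pos in rng.sample(range(SIG_BITS), flips):
        signature ^= 1 << pos
    return signature


def hamming(a, b):
    """Number of bit positions in which two integers differ."""
    return bin(a ^ b).count("1")


def digest(signature):
    return hashlib.sha256(signature.to_bytes(SIG_BITS // 8, "big")).digest()


def verify_hashed(stored_digest, reading):
    """Password-style check: the verifier keeps only the hash."""
    return hmac.compare_digest(stored_digest, digest(reading))


def verify_close(stored_template, reading, max_errors=16):
    """Close-match check: the verifier must keep the raw template."""
    return hamming(stored_template, reading) <= max_errors


def demo():
    rng = random.Random(2015)            # fixed seed: repeatable sample data
    enrolled = enroll(rng)
    reread = noisy_reading(enrolled, 5, rng)
    other = enroll(rng)                  # a different, unrelated device
    d1 = int.from_bytes(digest(enrolled), "big")
    d2 = int.from_bytes(digest(reread), "big")
    return {
        "raw_bits_changed": hamming(enrolled, reread),
        "digest_bits_changed": hamming(d1, d2),
        "hash_accepts_reread": verify_hashed(digest(enrolled), reread),
        "close_accepts_reread": verify_close(enrolled, reread),
        "close_accepts_other": verify_close(enrolled, other),
    }
```

Five flipped bits in the reading change a large share of the digest bits, so the hash-only check rejects the genuine device, while the tolerant check accepts it only because the verifier holds the raw template.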

Nov 10, 2015
"Watch for hackers getting in between the device and the reader (much like they employ fake keypads overlaid on ATMs)"

Exactly, and since the signature is stored on some computer system for comparison purposes, where it can be stolen from, a hacker can simply bypass the scanner and send the stolen signature pretending to be the scanner. They don't necessarily need the actual object at hand.

Nov 11, 2015
This only sounds usable in the physical world or maybe in some very special situation where "infinite" attacks are allowed.

In most of the world (not TV) other than for an extremely stupid password/person it doesn't matter. Let's imagine that someone has a computer that can try a trillion passwords a second. And you have a bank account password of 20 digits, how long does it take for the computer to break in? Forever. The reason is the bank is going to lock the account after about 3 password tries. It is pointless to worry about the other trillion - 3 tries in that second.
But what about a machine they have physical access to?
First off, the machine has to be capable of accepting a trillion tries a second, and few devices can, but on top of that programmers aren't stupid; even a millisecond delay that the user would never notice defeats this.

So how do real hacks happen?
They look for weaknesses in the system as the other people have pointed out.
You hack the websites, networks...

Nov 11, 2015
"But what about a machine they have physical access to?"

They read and dump the contents of the memory of the machine onto a different machine with faster access and then try to crack it at a trillion tries per second.

They aren't going to try playing by your rules. If you have physical access to hardware, all encryptions are eventually broken. That's why there shouldn't be anything worth stealing in the machine's memory in the first place - only hash codes, never the actual passwords or ID signatures, because otherwise all the data is protected by just a single master key.

But since you can't turn a signature, like a crystal lattice, or a fingerprint, or an image of your retina, or indeed a handwritten signature into a reliably repeatable code that you'd get exactly every time, you can't hash it, so you have to store the actual signature on the machine that does the comparison.

That means the signature can be stolen and simply replayed.

Nov 11, 2015
Not enough information given here to understand how this would be used, or to answer/debunk the questions that have been asked.

Nov 11, 2015
@Eikka, I agree they are not going to play by your rules, and that is really the cornerstone of what I was trying to say. Once they have physical access they are most likely going to use other hacking techniques; they are not going to try an exhaustive search. You attack a system's weakest point, not its strongest.

BTW, not including a quantum computer (which doesn't exist yet), if they can do 100 trillion guesses per second, it would take 11.52 thousand trillion centuries to do the search for a 20 character password.
