Fingerprinting Paper

This could make an enormous difference in security against forgeries:

The scientists built a laser scanner that sweeps across the surface of paper, cardboard, or plastic, recording all of the unique microscopic imperfections that are a natural part of manufacturing such materials.

This scan serves as a fingerprint which, the scientists said, has two surprising properties: The fingerprints are robust, surviving scorching, dousing in water, crumpling, and scribbling over with pens. And these fingerprints depend on structures that are so complex and so small -- on the scale of between one tenth and one ten-thousandth the diameter of a human hair -- that nobody on the planet will be able to copy one for the foreseeable future. Unlike other methods such as using holograms or special inks, the fingerprint is already there.

Scientific American has more details:

All nonreflective surfaces are rough on a microscopic level. James D. R. Buchanan and his colleagues at Imperial College London report today in the journal Nature on the potential for this characteristic to "provide strong, in-built, hidden security for a wide range of paper, plastic or cardboard objects." Using a focused laser to scan a variety of objects, the team measured how the light scattered at four different angles. By calculating how far the light moved from a mean value, and transforming the fluctuations into ones and zeros, the researchers developed a unique fingerprint code for each object. The scanning of two pieces of paper from the same pack yielded two different identifiers, whereas the fingerprint for one sheet stayed the same even after three days of regular use. Furthermore, when the team put the paper through its paces--screwing it into a tight ball, submerging it in cold water, baking it at 180 degrees Celsius, among other abuses--its fingerprint remained easily recognizable.

The team calculates that the odds of two pieces of paper having indistinguishable fingerprints are less than 10^-72. For smoother surfaces such as matte-finished plastic cards, the probability increases, but only to 10^-20. "Our findings open the way to a new and much simpler approach to authentication and tracking," co-author Russell Cowburn remarks. "This is a system so secure that not even the inventors would be able to crack it since there is no known manufacturing process for copying surface imperfections at the necessary level of precision."

To ensure the security of currency, you could fingerprint every bill and store the fingerprints in a large database. Or you can digitally sign the fingerprint and print it on the bill itself. The fingerprint is large enough to use as an encryption key, which opens up a bunch of other security possibilities.

This idea isn't new. I remember currency anti-counterfeiting research in which fiber-optic bits were added to the paper pulp, and a "fingerprint" was taken using a laser. It didn't work then, but it was clever.

Posted on August 12, 2005 at 10:30 AM • 44 Comments
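
The Scientific American description (compare each reading with the mean, turn the fluctuation into a bit) and the idea of signing the fingerprint imply that a verifier compares a rescan against the signed bits with some error tolerance rather than bit for bit. The sketch below is an added example, not code from the post or the Nature paper; the scans are simulated with a seeded random generator, and the 256-bit length, noise level and 25% threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import random

N_BITS = 256      # assumed fingerprint length, not a figure from the paper
THRESHOLD = 0.25  # assumed tolerance: accept if at most 25% of bits differ


def simulate_scan(seed, n=N_BITS, noise=0.0, noise_seed=0):
    """Constructed stand-in for scanner output: one intensity per position.

    `seed` selects the sheet (its fixed surface texture); `noise` models
    wear and realignment between two scans of the same sheet.
    """
    surface = random.Random(seed)
    jitter = random.Random(noise_seed)
    return [surface.gauss(100.0, 10.0) + jitter.gauss(0.0, noise)
            for _ in range(n)]


def binarize(intensities):
    """Turn fluctuations around the scan's mean into ones and zeros."""
    mean = sum(intensities) / len(intensities)
    return [1 if x > mean else 0 for x in intensities]


def hamming_fraction(a, b):
    """Fraction of bit positions in which two fingerprints differ."""
    if len(a) != len(b):
        raise ValueError("fingerprints must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def digest(bits):
    """SHA-256 over the raw bits: changes completely if any bit flips."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def matches(enrolled, rescan, threshold=THRESHOLD):
    """Tolerant comparison a verifier would run against the signed bits."""
    return hamming_fraction(enrolled, rescan) <= threshold


def false_match_probability(n=N_BITS, threshold=THRESHOLD):
    """Chance that two independent, uniformly random n-bit fingerprints
    fall within the tolerance. Widening the tolerance raises this value."""
    k_max = math.floor(threshold * n)
    return sum(math.comb(n, k) for k in range(k_max + 1)) / 2 ** n


def demo():
    enrolled = binarize(simulate_scan(seed=1))
    rescan = binarize(simulate_scan(seed=1, noise=3.0, noise_seed=7))
    other = binarize(simulate_scan(seed=2))
    return {
        "same_sheet_distance": hamming_fraction(enrolled, rescan),
        "other_sheet_distance": hamming_fraction(enrolled, other),
        # An exact digest comparison rejects the genuine, slightly worn sheet.
        "digest_equal": digest(enrolled) == digest(rescan),
        "same_sheet_accepted": matches(enrolled, rescan),
        "other_sheet_accepted": matches(enrolled, other),
        "p_false_match_exact": false_match_probability(threshold=0.0),
        "p_false_match_tolerant": false_match_probability(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the digests of the two scans of the same sheet differ, the signed payload has to carry the fingerprint bits themselves (or other data that allows a tolerant comparison), not only a hash of them.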

Comments

Dennis • August 12, 2005 10:54 AM

"opens up a bunch of other security possibilities"....could be an interesting followup post, imho....

Peter Pearson • August 12, 2005 11:09 AM

Around 15 years ago, a company named Light Signatures wanted to authenticate stock certificates by measuring fine details in the paper, computing a digital signature of that fingerprint, and printing the digital signature on the certificate.

The Swiss music-box industry reached the pinnacle of music-box inventiveness at about the time the phonograph was invented. It's the same story. "Daddy, what's a stock certificate?"

wontwork • August 12, 2005 11:11 AM

This wouldn't work for currency, unless you can provide a very easy way to check the fingerprint. Remember all the one-sided color copies being passed? Currency security has to be simple and obvious in everyday use (which is why the feel and texture of the paper is so important: hard to copy and intuitive to check).

Joe Buck • August 12, 2005 11:23 AM

wontwork, the process uses a laser scanner. Supermarkets and many other stores already have a laser scanner at every checkout station, to scan bar codes. If the same scanners could be adapted via software to read the "fingerprint" of a piece of paper and cross-check it with a digital signature printed as a bar code on the same piece of paper, then every store could have this.

Alex Young • August 12, 2005 11:24 AM

I can't help but feel they're being a little optimistic in their statement that "nobody on the planet will be able to copy one for the foreseeable future". It could very well be that for certain materials, it would be possible to use the known fingerprint as a target and slowly deform the faked surface to match it - it might even be as simple as using a higher powered laser to write back the fingerprint onto the document. You've only got to fool the reader, after all, not create a perfect replica.

Hans • August 12, 2005 11:28 AM

What's to stop the counterfeiter from buying one of the same laser fingerprint scanners, scanning each of his bogus bills, and then imprinting each one with the appropriate signature?

Tim Vail • August 12, 2005 11:33 AM

Hans,

I'd imagine that they would use a public key/digital signature cryptographic algorithm. Even though you know the algorithm, if you don't know their secret key, it is mathematically impractical to make a signature that would verify with the public key.

Al • August 12, 2005 11:35 AM

The article said "to ensure the authenticity of important documents such as passports and birth certificates". I'm not sure about this: if you can torture the paper in the way described in the article and still keep the signature, why can't you also modify a passport in a way that keeps the signature?

Rampo • August 12, 2005 11:35 AM

@Hans:

"What's to stop the counterfeiter from buying one of the same laser fingerprint scanners, scanning each of his bogus bills, and then imprinting each one with the appropriate signature?"

The fingerprint is signed by a known authority.

Tim Vail • August 12, 2005 11:46 AM

The article did not talk about sanding the paper. What if someone wanted to void the document by destroying the fingerprint area?

Davi Ottenheimer • August 12, 2005 11:57 AM

Hmmm, not much different than scanning your hand with lasers and recording the imperfections...

I'm still waiting for the ultra-expensive laser body scans that are used to produce clothes for movies to come down in price so we can all get clothes made daily by computers:

http://www.cyberware.com/

1) step into shower
2) get body scan
3) step out of shower
4) choose fabric colors/textures
5) watch computerized sewing machines generate form-fitted clothing
6) wear
7) recycle

And then I wonder about coupling these static three-dimensional shapes from body laser scans with the motion given by two-dimensional video (e.g. "gait" signatures) and how that might give better accuracy in recognition...

Average Joe #1 • August 12, 2005 12:42 PM

"This idea isn't new. I remember currency anti-counterfeiting research in which fiber-optic bits were added to the paper pulp, and a "fingerprint" was taken using a laser. It didn't work then, but it was clever."

The general concept of exploiting uncontrollable imperfections/variations for authentication is not new. Biometrics is a good example.

I remember reading about a similar technique for tamper detection. The uncontrollable imperfections/variations involved are that of the seal. (I think I read that years ago on sci.crypt. If this rings a bell and anyone has a reference, please post it here.)

Davi Ottenheimer • August 12, 2005 12:54 PM

@ Tim Vail

A "fingerprint" might be generated by reading the data of imperfections and then feeding the results (the message) through a hashing function to produce a message "digest". Any modifications to the imperfections, such as sanding, would result in a different message and therefore a different digest -- the fingerprint would not match. At least that's the theory.

Whatsup • August 12, 2005 12:56 PM

@Tim - "The article did not talk about sanding the paper. What if someone wanted to void the document by destroying the fingerprint area?"

Interesting DOS attack, especially if the modification is done in a way that is undetectable to the human eye, yet detectable by the laser/reader. In the case of using this technique for currency, all currency exchange would require verification by the laser/scanning device (i.e. everyone would have to have some form of personal, pocketable scanner/reader device to verify currency before they accept it).

Davi Ottenheimer • August 12, 2005 1:00 PM

Oh, wait, did you mean what is to stop someone from entirely destroying/voiding the value of the paper? This process does nothing to prevent someone from lighting a torch and voiding whole warehouses of fingerprints, let alone one...not sure that's what you meant though.

Davi Ottenheimer • August 12, 2005 1:12 PM

@ Whatsup

"Interesting DOS attack"

Not sure why that would be any more interesting than any other form of destruction. In terms of currency, what is the difference between sanding to destroy value and just burning to destroy value? Embarrassment? Presumably you would have had to pay for the currency in the first place, so what's the virtue in destroying it before you pass it on? Counterfeiting is the real issue because you create value from nothing, not the other way around...

Whatsup • August 12, 2005 1:29 PM

@Davi

The interesting part, as with any DOS attack, is preventing someone from using/having something of value. In this case, there is a difference between "sanding" a document in an undetectable way to destroy a digital signature and "burning" a document to non-existence.

In the former case, the owner would think they have something of value (to the human eye it would look fine), but they would not, since the digital signature would fail when the document is scanned. In some cases, the person may not realize their valuable document is worthless until years later. To prevent this type of attack would require that all such documents be scanned before acceptance (i.e. a personal scanner device, making deployment far less practical).

In the latter case, the owner would know their document has no value since burning would destroy the document to the point of non-existence (they wouldn't have the document any longer).

Davi Ottenheimer • August 12, 2005 1:35 PM

@ Whatsup

I see, similar to counterfeiting except the person destroying the currency is actually paying face value for the currency and then hoping that someone, somewhere down the line will be unable to use it...so if scanners are infrequent, then there will be no effect, and if they are frequent then the destruction will be easily traced. Still not sure where this takes us.

Chung Leong • August 12, 2005 1:37 PM

@Alex Young

Very good point. I can imagine a technique whereby you first print out the forgery. Then you spray on a layer of organic polymer. Using a modified fingerprint reader, you can change the refractive property of the polymer by adjusting the intensity of the laser to produce 1s and 0s as necessary. The process is analogous to how CD-R works.

In fact, we can go one step further and start mass-manufacturing fingerprint stickers with an injection molding machine. If the microscopic pits on a CD can be reproduced this way, the surface of paper can't be that hard.

Whatsup • August 12, 2005 2:04 PM

@Davi

I think it is important not to equate the DOS being discussed to counterfeiting.

Counterfeiting is about creating a new document with the goal to convince someone it is a document "original", usually for monetary gain.

With this DOS, one is taking a document "original" and denying its value.

While this applies to currency, it could also apply to other types of document "originals" (loans, certificates, etc.) that are scanned/signed in this manner.

This could manifest itself as "do-badders" disrupting an economy as well as a potential for criminals for financial gain.

The prevention for this type of DOS attack would be for everyone to have a personal scanner/reader to verify documents (frequent, no effect). If there is only partial use of scanners/readers (i.e. only merchants have the scanners/readers), there would be potential for problems (infrequent, big effect).

James Mastros • August 12, 2005 2:11 PM

I do rather wonder about caveats that aren't being considered. The list of things they did to the paper is impressive, but afterwards "its fingerprint remained easily recognizable", not the same, and thus it'd require postprocessing to get something you can sign and check if it's exactly the same, which in turn would increase the probability of two bits of paper having the same fingerprint.

Also, they haven't tried the sort of real-world issues that would plague a real bit of paper. What happens when you take a piece of paper, and put it in a book for 20 years, as might happen to a birth certificate? What about having it in a box in a damp basement, on its side with room to turn?

What if it's a bit of plastic, like a credit card, getting swiped and shoved in and out of slots? Plastic is already harder to fingerprint this way, will small scratches and dings do more to modify the fingerprint there?

Bill McGonigle • August 12, 2005 3:23 PM

You'd probably want a couple thousand private keys, such that there isn't one "world's most valuable key". If you lose one, you invalidate that key and people have to redeem their bad bills.

The banks would have a scanner to run all their bills through which would destroy the bill on the spot and wire-transfer money to the bank to replace it.

A cash register could update to the Mint's CRL on a nightly basis or so.

We destroy some fraction of our currency yearly to make souvenirs for Mint visitors, so this isn't really a problem, especially if you have a couple thousand keys.

Anyway, distribute those keys among the various Mint locations to minimize the damage from a physical assault.

Still, if you're trying to buy gas and you find out your last $20 became invalid last night, well, that sucks.

albert b • August 12, 2005 4:44 PM

@Chung Leong

if i understand, you're saying one could copy a valid (say) $100 bill by making a paper facsimile (bearing the original's serial number), and applying a polymer layer which produces the same output when scanned as the original $100 bill.

could the polymer layer resemble paper? i.e. could this layer be made to have the same "look and feel" as paper?

Davi Ottenheimer • August 12, 2005 5:06 PM

@ Whatsup

"potential for criminals for financial gain"

What's the gain. Do they blackmail someone by threatening to destroy the fingerprints?

Your conclusion is interesting as it is the opposite of what I was concluding prior. If everyone has scanners, then why would destruction work? It would be discovered relatively quickly and easily, and probably traced back to the person who tried to destroy its value. And without scanners, destroying the fingerprint is irrelevant to the value of the currency, which would continue to trade at face value.

Chris • August 12, 2005 6:06 PM

Since it's basically tiny scratches in the paper that are being read, the only way to add them to a document is by moving a brush of some sort along the paper. It would probably be barcode-oid for various reasons, and inserted at the mint on a roll of lithoperf. (That's a cylinder that has blades on it; it's used to perforate paper. It can also be used to cut, but the US Mint doesn't do that.)

So, in essence, you could make a brush and run that along your homemade $20 bill to have it register as valid.

Now, if every bill from the US Mint is read in its natural form rather than having a paperprint inserted onto it, then that's a database of billions of entries. It'd probably be diverse enough that your laserprinted bill matches at least one other, though probably of a different denomination. But there's no practical way to audit currency with that system.

Slayton I. Mustgo • August 12, 2005 6:14 PM

I recall a tagging system (for to-be destroyed missiles?) using glitter embedded in acrylic. The glitter would be randomly distributed in position and orientation, so illuminating it at different angles would give different reflections. Hard to counterfeit, because it would involve manipulating position and orientation of hundreds of tiny particles in 3-dimensions. Sounds like the same principle.

Jungsonn • August 12, 2005 7:34 PM

It's exactly like "the tagging system" with the random seeded glitters, this however is hard to check because the light and angle on which it is produced has to be the same at the reader. Sure it's possible but that reader would cost much.

But in every method there is always the unforeseen weak link, that will break it. If you can build it, you can break it.

So why not make electronic money instead of fooling around with lasers on disturbances on old paper.

quality • August 12, 2005 10:23 PM

OT, but since Asa Dotzler of Mozilla keeps deleting me from his blog, this is just to publicize.

I asked a very simple question in an Ask Asa: Who was responsible for the testing/QA failure that led to a security regression in Firefox 1.0.4, how will they be censured, and what is being done to prevent a similar recurrence.

He didn't answer and has deleted every comment I post, in which I've said the same thing. I think it's a fair question. Not answering is pretty crappy, but censoring just because he spends too much time being 'visible' and not enough time actually doing QA is truly pathetic.

Asa isn't the funloving guy his blog projects, he can be a complete idiot too. Spread the word.

I know this doesn't fit into your rose-tinted view of prominent open source projects with 'many eyeballs' having better security, but it's true.

The sad fact is that the entity investing most in automatic code checking tools, mandatory design and test cycles, mandatory threat modeling, regular code audits, etc. is Microsoft. Mozilla security practices are rubbish and the sooner someone like yourself publicizes the failure the better it will be.

Roy Owens • August 13, 2005 8:20 AM

People with crooked legal minds will find ways to profit from the DOS. All they have to do is get their hands on the documents (surreptitiously if necessary) to secretly sabotage them, and later challenge the authenticity. Scanning will 'prove' the documents to be forgeries.

Target? A will. A land deed. Title to a ship. It just goes on ....

Gopi Flaherty • August 13, 2005 1:39 PM

Remember that forged document that was added to the National Archives awhile back, I think in the UK?

One suggestion for a conspiratorial coverup involved putting detectably forged documents in the archive, which covered events that had actually happened but that you wished to cover up.

The ability to convert a document into a forgery in a difficult to detect way - the theoretical sandpaper attack against these fingerprints - could provide all sorts of interesting new opportunities for manipulating historical records.

Stronger authentication is generally a good thing, but it brings with it many risks. The most obvious risk is a lack of clarity on the reliability of the authentication.

There are also other issues. People don't always understand what the authentication means - in the context of historical archives, for example, the authentication doesn't mean the event happened, but merely that a process was followed to authenticate the document.

Don • August 13, 2005 9:03 PM

I see the DOS as applying to early, expensive and rare scanners. When large numbers of authentic bills are incorrectly rejected, pretty soon the scanner project will be abandoned, thus preserving traditional counterfeiting technology.

yitz • August 14, 2005 5:28 AM

@bruce
i emailed you about this two weeks ago? if we just want to tip you off to a particular article/technology or something is there a better way to do that than by email?

RonK • August 14, 2005 5:46 AM

I kind of think that Alex Young is correct and the ability to forge these fingerprints could be developed if it were to become profitable enough.

The sanding DOS attack might be interesting as a part of a larger con game. E.g., someone is convinced by a "friendly" con man that he would profit by paying money to a second con man, the "friendly" con man inspects his money while invalidating it, then when he tries to pay the second con man with the invalid money he is put into an uncomfortable situation and squeezed for much more money. Not being a con man I have no idea what the details might be...

Steve G. • August 14, 2005 8:15 AM

This topic was also discussed on Kim Cameron's Identity weblog (http://www.identityblog.com/). It's clear that security of information and identity security are intertwined, since one's identity is made up of information about the person.

On an aside, there was a short story about a DOS attack intended to disrupt New York City - the story (can't recall the name) had some nefarious group planning havoc by introducing oversized subway tokens that would jam in the turnstiles, causing irate, frustrated travelers. When one expects to be able to use something to get something (e.g., identity or cash card to get access or money) and can't because the "token" doesn't match the expected input, people get very upset.

jat42 • August 14, 2005 11:33 AM

Re: DOS attack

1. A general DOS attack could generally undermine the system. If machines regularly reject bills that everyone believes to be good, then the machines become untrusted, not the bills. (Think about the last time a vending machine rejected your bill. Did you value the bill any less?)

2. On the "white hat" side, "sanded" bills would be good for things like paying ransoms to less than technically competent crooks.

another_bruce • August 14, 2005 1:13 PM

hidden agenda alert: there would have to be a central repository of the fingerprints for each piece of currency. when the federal reserve delivers a bill to a bank, this could easily be noted in a database. you cash your paycheck and get that bill, this too is noted. three weeks later you get a letter from your health insurance carrier. its records show that you bought a pound of bacon and two sixpacks of beer with that bill, and in order to equitably distribute the carrier's costs, your next quarterly premium is going up by $75.
i know counterfeiting exists, but i have never been touched by it. people passing fake bills here in rural oregon eventually get caught. i value the anonymity of cash, i know there are elements in government who see this anonymity as bad, and i desire that my bacon and beer purchases remain private.

Rob Mayfield • August 14, 2005 5:27 PM

two previous entries spring to mind:
http://www.schneier.com/blog/archives/2005/06/...
http://www.schneier.com/blog/archives/2005/07/...

of course as always, trust needs to be established at the time any fingerprinting takes place.

one wonders what other surfaces would allow similar applications - wood, metal, plastic (which our banknotes are made from - http://www.noteprinting.com/banknotes.html - of course you'd hardly need to fingerprint them when you could just as easily add a dozen or so rfid tags, a barcode or two, and the odd hologram ...)

Whatsup • August 15, 2005 10:02 AM

@Davi

I think we are mostly on the same track regarding the frequency of scanners. There are 3 cases. 1) everyone has a scanner (frequent), 2) some people have scanners (infrequent), 3) no one has a scanner. I agree that in case #1 (frequent), a DOS type attack would be detected as everyone would verify a document before accepting it (therefore, having no effect). In case #2 (infrequent), since not everyone would have the ability to verify documents before accepting them, there is a potential for DOS attacks (therefore, a big effect). Case #3 is not really plausible, since if one is digitally signing documents, someone would have to have a scanner/reader or it would be pointless.

Regarding DOS style attacks, other posters have provided various good comments.

On a side note, discussion of the scanners/readers reminds me of a retail store I observed that was using a felt tip style pen to verify $20 bills. I don't know the details of how this works, but the clerk would swipe the bill with the pen before accepting it. There was never any identifiable mark on the bill, so I would assume that only counterfeit bills would give some visual indication. The interesting part was the security of the verifying pen, as in there was none. While the clerks were obviously trained to verify the bills (and even place them under the tray in the register, apparently to hide them), the verifying pen was simply placed on the counter next to the register. I thought, how easy would it be for a counterfeiter to replace their verifying pen with one that contained something like just water that would leave no mark on a counterfeit bill.

In the context of this thread, where everyone would be required to have their own personal scanners/readers/verifiers to make fingerprinting documents feasible, there would need to be some "authority" to issue these scanners, as well as some very clear way to keep them secured. That is, they would have to be sealed devices, with tamper detection, probably biometrically tied to the owner, and issued by "official" authorities. Otherwise, one could simply issue bad scanners, replace someone's scanner, or modify the scanner in some way so that it always reports "good".

asqui • August 15, 2005 11:26 AM

I'm quite impressed that they managed to get three days' "normal use" out of a single sheet of paper!

My sheets only last one meeting, or two at best.

Keith • August 15, 2005 2:54 PM

"This idea isn't new. I remember currency anti-counterfeiting research in which fiber-optic bits were added to the paper pulp, and a "fingerprint" was taken using a laser. It didn't work then, but it was clever."

Actually, the technique worked very well. It just wasn't very well suited for currency. Money lives a hard life!

There's been a lot of work done over the years on the use of random patterns as unique identifiers, but none of the solutions developed in these projects has ever made it into actual use. The patent that Peter Pearson pointed out really complicated any attempts at licensing random pattern technology.

The reflective particle technology that was developed for counting mobile ICBMs was tested and underwent extensive vulnerability assessments, but it wasn't used in the actual treaty.

One of the most recent "fingerprinting" technology projects used the magnetic and electrical property perturbations from welding the lid on a stainless steel can to uniquely identify the container and verify that the weld has not been opened.

There are a bunch of solutions based on random patterns, but the right problem just hasn't come along yet.

Most of the work was done so long ago that the papers are no longer easily available on line.

Keith • August 15, 2005 8:54 PM

"This idea isn't new. I remember currency anti-counterfeiting research in which fiber-optic bits were added to the paper pulp, and a "fingerprint" was taken using a laser. It didn't work then, but it was clever."


There were some extremely clever people who worked on that project. The original idea for the optical fibers and the reflective particles for the tags came from Don Bauder, and the idea for using digital signatures to print the pattern results on the notes came from Gus Simmons. Both were working at Sandia National Labs at the time.

Keith • August 15, 2005 9:05 PM

@ Jungsonn

"It's exactly like "the tagging system" with the random seeded glitters, this however is hard to check because the light and angle on which it is produced has to be the same at the reader. Sure it's possible but that reader would cost much."


With today's digital cameras and inexpensive computers, the cost of the reader would be much more reasonable than the system developed in the 80's for treaty verification. It used analog video cameras, a frame-grabber, and an 8 MHz '286 computer. It was a challenge getting that system to work at -40 degrees so that it would work at the Russian sites.

The alignment requirement wasn't as critical as you might think. Most operators could easily position the read head on the tag.

Zomboid • August 19, 2005 6:51 AM

Earliest reference I could find (but not in electronic form):
D.W. Bauder, "An Anti-Counterfeiting Concept for Currency Systems", Research Report PTK-11990, Sandia National Labs, 1983.

Several companies and universities are currently investigating the subject of "unclonable" physical properties: Microsoft, Philips Electronics, ThingMagic, MIT, University of Leuven, ...
Does anyone know of more organisations?

Some more recent references.
- R. Pappu, B. Recht, J. Taylor, N. Gershenfeld, "Physical One-Way Functions", Science Vol.297, p2026, Sept.2002
- B. Gassend, D. Clarke, M. van Dijk, S. Devadas, "Silicon Physical Random Functions", Proc. 9th ACM Conf. on Computer and Communications Security, Nov.2002
- P. Tuyls, B. Skoric, S. Stallinga, A.H.M. Akkermans, W. Ophey, "Information-theoretic security analysis of Physical Uncloneable Functions", Proc. 9th Conf. on Financial Cryptography and Data Security (2005), LNCS 3570, p.141
- D. Kirovski, "Toward an automated verification of certificates of authenticity", ACM Electronic Commerce, 2004

Zomboid • August 19, 2005 7:41 AM

in response to Chung Leong

> I can imagine a technique whereby you first print out the forgery.
> Then you spray on a layer of organic polymer.
> Using a modified fingerprint reader, you can change the refractive property of the polymer by adjusting the intensity of the laser to produce 1s and 0s as necessary.
> The process is analogous to how CD-R works.

That could be feasible, since the detectors do not measure a complete speckle pattern but merely the light intensity at four angles.
However, when a human verifies a document he also looks at it with his own eyes. The organic polymer will be detected, right?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.