A Key to Strengthening IT Security? Chaos

By Jean Jacques Raphael, CISA, CISM, ISO 27001 LI, Jean Claude Célestin and Eric Romuald Djiethieu, FCN

The Nexus  |  Monday, 09 September 2019

The chaos theory, a mathematics discovery first observed in the second half of the 20th century, aims to explain or even give some predictability to complex systems. At first glance, the chaos theory resembles most mathematical discoveries—a theoretical pursuit. Yet by using these chaotic systems, mathematicians find patterns (i.e., fully predictable mathematical models) named strange attractors. The chaos theory also identifies dimensions of space that are no longer whole, named fractals. These infinite replications of the same design are found everywhere in nature (e.g., blood vessels, broccoli flowers and mountain ranges). The chaos theory is used in weather forecasting, economics, to explain how brain cells increase and in IT cryptography. Introducing chaotic processes in technology may help address security challenges.

The chaos theory concepts can be used to find optimal solutions to critical security problems in information systems such as identity theft and counterfeiting and make information systems more secure. This can be illustrated through the example of a new electronic identification card. This card integrates chaotic processes in all aspects of its operation and design. It accounts for erratic microcircuits cabling, defects in the physical structure and multifrequency variations.

The chaos theory concepts can be used to find optimal solutions to critical security problems in information systems such as identity theft and counterfeiting and make information systems more secure

To strengthen and test the idea of digitalizing chaos to protect personal data and machines (e.g., PCs, planes and drones) from any accidental or malicious manipulation or to guarantee authenticity (e.g., for medicines, wines and perfumes), researchers designed a computer containing algorithms and chaos logic circuits that allow it to function according to the chaos theory. This computer is a polymer chip card with the dimensions of a credit card. The card stores the genetic, biometric and birth date data of a newborn child. This card will be an integral part of the life of its owner (from birth to death) and will help the owner to identify and authenticate his or her identity during certain crucial activities where the confidentiality, integrity and availability criteria are mandatory.

Chip Card Description

The chip is fabricated with a stable polymer that is inalterable and immutable by temperature or time. A refractory glass coating protects it from fire.

It is impossible to use sight and touch to distinguish between chip cards. If the cards are scanned with a laser beam of a few microns in diameter, differences are revealed. The scan shows that the chip cards have bumps and hollows. In addition, the machine that inserts the chip on cards varies the chip placement. For example, the chip of card 1 is placed 10 microns from the right side of the card, the chip of card 2 is placed 11 microns from the right side of the card and the chip of card 3 is placed at 12 microns from the right side of the card. These slight variations, undetectable to the naked eye, strengthen the uniqueness of each card. The machine that produces these cards can further strengthen their uniqueness by registering their creation time.

The genetic and biometric data of a newborn child are recorded and analyzed by an authentication server (AS) that stores information about the physical characteristics of the card, the child’s genetic and biometric data, and date of birth to the nearest millisecond. This AS is the property of the government and should be replicated throughout some government offices, such as hospitals and embassies. The chip card communicates with this AS each time this child’s identity must be authenticated. The biometric (fingerprint) and genetic (DNA) data are more than enough to authenticate the identity of the child.

A name or a Social Security Number (SSN) must be added to the card, but this information would not allow someone to conduct a fraudulent transaction by posing as this person.

Furthermore, the name and SSN of the person should be printed on the card because this is the only way of distinguishing the cards during mass data collection.

Because the genetic and biometric data are collected and analyzed on micron scales, they cannot be reproduced. The examination and storage of this phenomenal amount of information at these microscopic scales is possible due to the ability to save terabytes of data in smaller and smaller volumes.

Addressing Weaknesses With Biometric Security

One of the weaknesses of biometric-based security systems is that the data come from a sample that has been digitalized. The case is different for the researchers’ proposed system. The machine detects the relief (the surface roughness) of the card. Referring to layer 1 of the Open Systems Interconnection (OSI) model, the physical characteristics of the system (the card and the AS working together) are not limited only to electronic circulation or bandwidth. The machine’s authentication server checks the initial roughness on a card to be certain that it is the same card that it analyzed initially and kept in memory. If the machine does not find the same topography, it refuses to authenticate the transaction. Because this roughness is digitized (e.g., 1 indicates a hump, 0 indicates a hollow), this information is part of the encryption process or the key to decoding useful information. This roughness does not exist in current systems. The decoding ability ensures the system’s inviolability. Indeed, a man-in-the-middle exploit can still use a classic or quantum compiler, but it will never be able to determine if the bit that is isolated constitutes part of the physical medium of the information or represents a part of the information itself.

Self-Protection and Limited Compatibility

Before authorizing any transaction, the server verifies if a card, with intrinsic physical characteristics and all the information stored on it, is part of its database. The slightest space-time discrepancy results in the rejection of the transaction. This interaction between the card and authentication server takes place at the level of the physical layer of the OSI model. Other communication and upper-layer transport protocols are only considered after this unavoidable physical contact. In addition to these explicit parameters, other patterns that are undetectable by human understanding and invisible to human senses are stored on the authentication server.

Chaos Theory Cybersecurity Example

Using the researchers’ proposed card to make a withdrawal from an automatic teller machine (ATM) is a simple example to show the computer’s chaos theory functionality. Figure 1 shows how the researchers’ proposed red card (next to the person’s left hand) is used to make an ATM withdrawal:

  • The input is the customer-entered data (black bits). Other data (colored bits) are added to the transaction (card physical characteristics, a customer’s genetic and biometric data, and ATM location data).
  • The data are transmitted through the Internet as usual (black bits). Anyone in the middle who analyzes the flow through the Internet cannot determine which bits come from the customer and which bits pertain to biometric data or come from the card or the customer imprint.
  • After data arrive at the AS, a filter sorts the information by analyzing each bit according to its frequency (color). This operation allows the AS to authenticate the customer and to transmit to the bank server (BS) the data coming from the ATM and entered by the customer.
  • The bank server recognizes the customer and ATM data and approves the transaction by adding some information (green bits) to the response. The transaction is transmitted as usual through the Internet (bits in black).
  • In the output, a filter recovers the original color of each bit and the ATM releases the card and the cash to the customer.

Figure 1—ATM Card Withdrawal Using Chaos Theory Cybersecurity

Conclusion

All the tools (e.g., algorithms, circuits) to realize this digital card are currently under study. Theoretically, some are already designed. This card is designed to protect the user against identity theft and counterfeiting. It uses unique and inviolable data.

The card’s imprint, the spatio-temporal landmarks, and the genetic and biometric data of the owner are closely linked. By backing up these data on centralized authentication servers and on the card, the biometric and genetic data of the user are prevented from being in the wild or being handled dishonestly or uncontrollably by unauthorized and unknown people. Some say that the proposed system will never be tamperproof, but its goal is not to eradicate cybercrime. The goal of the system is to reduce fraud. Unlike existing systems, the probability of impunity (committing fraud and going unnoticed) becomes almost nil with the proposed system and building systems with chaos theories in mind can help reduce the likelihood of fraud.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA Journal. Read Jean Jacques Raphael, Jean Claude Célestin and Eric Romuald Djiethieu’s full article, “Chaos to the Rescue: Strengthening IT Security,” in volume 4, 2019, of the ISACA Journal.

Jean Jacques Raphael, CISA, CISM, ISO 27001 LI

Is a lead implementer of IT security at OctoSafes Inc. He is a gold ISACA member and belongs to the Montreal (Quebec, Canada) Chapter.

Jean Claude Célestin

Manages practical work at the University of Ottawa (Canada).

Eric Romuald Djiethieu, FCNSP, ISO 27002 Foundation, ITIL v3

Is an IT security and telecommunication architect at Desjardins. He is also a cofounder of OctoSafes Inc.