The greatest smartphone app...

Saturday, 02 February, Year 5 d.Tr. | Author: Mircea Popescu

... may be something that uses the built-in camera to take a picture of your eye (the iris, specifically) and then uses that picture to seed a software random number generator on the basis of which it then creates you a PGP keypair, the public part thereof displayed as a QR, readily available to be emailed and so forth, whereas the private part is never displayed or even retrievable. As long as you hold that phone and remember your password you can use the key, and that's that.

This would allow for the fast and cheap creation of PGP keypairs (the significant entropy contained in the iris helping you get through the usual limitations of time needed to collect entropy) which could in principle be very short lived, as short lived as perhaps a few hours.

The concept could be expanded. For instance the only sensible way to open bank accounts that are accessible online is and will remain for you to register your PGP public key with the bank, along with your ID and whatever other paperwork they need. Having this smartphone application at the ready would allow you to create extremely secure short lived keys, good for perhaps that one day out of the entire month when you pay bills, among other very useful applications.

It doesn't even have to stop there: with decent eye recognition technology built in, you could just as well get rid of the passphrase completely. Taking it one step further, you could even have a hardware item (which isn't a smartphone) that has two modes of operation. In mode 1, it takes a picture of your eye and creates a keypair, then encrypts the eye ident data with the public key and stores the whole. In mode 2, it takes a picture of your eye, verifies that it matches the saved info and proceeds to either encrypt, decrypt or sign for you. The device recognises whether it has to operate in mode 1 or 2 by whether it has eye ident data stored (and once in mode 2 it can never be moved back to mode 1, or at least not easily, but in any case not without destroying the private key).

Obviously the strength of the entire thing would depend on the cryptographic strength of the app, but in principle this coupling of item + knowledge (since your passphrase is useless without your phone and your phone is useless - for this purpose - without your passphrase) correctly implemented would transform a smartphone into an actually useful item, for the first time in the history of smartphones. It's certainly the only thing that would make me contemplate buying one, at least from what I've heard and seen so far.

Anyone actually doing this ?


32 Responses

  1. When a compromised camera or other device in the loop lifts the photo of your iris right off the wire, where do you go to get a new iris? This is why biometric authentication is bunk, now and forever: the impossibility of key revocation.

  2.
    Mircea Popescu 
    Saturday, 2 February 2013

    Ah, but mind, this isn't biometric authentication at all. The use of the iris data is simply to seed an RNG.

    (And, I guess, in the expanded version to recognise that the same iris is looking at it as was recorded when the key was born. Seeing how the recognition is tied to the dongle and only good for an otherwise arbitrary key, it doesn't really hit the problems you're describing, does it ?)

  3. The problem exists in all cases where data derived from your body structure hits a wire. If it is on a wire, something can, in principle, read and save it. And play it back at a later time. And eventually will. Whether you are using it as a PRNG seed or the key itself does not matter.

  4.
    Mircea Popescu 
    Saturday, 2 February 2013

    No, actually, that's the very definition of a hash function, in that context : a function which takes something that matters and turns it into something that doesn't matter. As long as there's not an inverse f' (y) = x, as long as you can't then take the results and reconstruct the PRNG's seed, it's indifferent what it was seeded with I daresay.

  5. If it doesn't matter what you seed with, why use iris scanners? The point of doing so is, as I understand it, to be able to re-create the seed at a later time if necessary. But when you scan your retina, the resulting bits are not magical un-copyable bits. They are ordinary bits, which can be saved, covertly, to a storage device (perhaps by a compromised scanner) and played back at a later time by the enemy, just as if you had voluntarily lent him your eye. Whereas conventional passwords and keys can be revoked should you find that they were compromised.

  6.
    Mircea Popescu 
    Saturday, 2 February 2013

    Cause they contain a lot of entropy (I think). What can you do to get enough entropy for a 2-4k RSA key out of a single 1-2-5 Mpixel shot ? Take a picture of drywall ?

    The idea isn't to recreate the seed at all, in fact I'd be very much surprised if two self-administered shots to the eye would result in even identifiably similar items. Maybe worth some bathroom experimenting, finally we have a good excuse to do what the chicks do in there. FOR SCIENCE!

    Obviously all this iris picture taking may present some side risks, such as for instance a perv acquiring a large collection of people's irises (much in the same way large scale self-shot booty has resulted in humongous private collections of tits and asses). It's not entirely clear to me this is actually a bad thing : having large volumes of irises available in public would actually constitute great protection against any future Leviathanesque attempt to use them seriously.

  7. Still shots of an iris are actually mostly worthless, because serious iris scanners look for a pulse and the characteristic deformations. So the key in this case consists of a sequence of frames, showing correctly pulsating blood vessels. I like your scheme of posting iris shots voluntarily to destroy the possibility of their use in earnest, but you will need to post the kind of bits which actually come out of a professional ($10K+) iris scanner, rather than still shots.

    High-quality entropy itself, on the other hand, is quite cheap, if you know where to look (lava lamp plus Von Neumann's unbiasing algorithm.) Or a noise diode (included on many PC chipsets, and certain embedded CPUs.) Or, for the truly classy, a Geiger tube.

  8.
    Mircea Popescu 
    Saturday, 2 February 2013

    You don't get that many bits out of a lava lamp tho. But at least for the Japanese Geiger tubes are probably much better a solution than what I propose.

  9. Iris scanners aren't entirely useless. They are just what the doctor ordered for controlling entrance to a guarded facility, where an actual human will fire a rifle at you if you tarry by the door and try to take apart the eyepiece in an attempt to get at the wiring and inject false bits. Or for identifying captured prisoners, just the same as traditionally done with fingerprints. But biometric-anything is absolutely worthless in application to gadgets which can be diddled at one's leisure at home. The enemy can simply remove the optics and inject a previously captured bitstream (downloaded from your compromised scanner, or one in a public place,) and there will be no way for the machine on the other end of the network to know about it.

  10. Re: Geiger tubes: you can get arbitrarily many bits of entropy from background radiation, depending on your timer resolution.

  11.
    Mircea Popescu 
    Saturday, 2 February 2013

    It'd have to be a good tube for resolution to be settable quite that arbitrarily. But that aside : it'd seem superficially that the cost of injecting captured bitstreams into some dood's gutted phone is larger than both the likely revenue and than the other already available means to achieve the same end.

    The idea was for practical, cheap and relatively sound crypto for mass consumption, not for indefeasible crypto.

  12. The entropy one gets from the Geiger tube comes in the time dimension (i.e. the periods between clicks.) Virtually any tube will do. Sample using a digital counter which shifts its output to a register (and clears) upon each click. Afterwards don't forget to apply Von Neumann unbiasing. If you want very high resolution, build the circuit from multi-GHz emitter-coupled logic. (Total cost: $50 or so.) The low bits will be highly entropic. For a very high bit rate, obtain a small radioactive source (a standard smoke detector capsule will do nicely.)
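    The click-timing procedure in comment 12, carried through as an added example (it is not code from the post or from any commenter): keep the low bits of the inter-click counter, run them through Von Neumann unbiasing, then hash the result into a fixed-size seed, which is also the one-way step comment 4 relies on. The Geiger tube and the deliberately biased source are both constructed simulations so the block runs offline.

```python
import hashlib
import random

def simulated_click_periods(n, mean_ticks=5000.0, seed=1):
    """Constructed stand-in for the counter in comment 12: the ticks between
    successive clicks of a Geiger tube are, ideally, exponentially
    distributed and independent of one another."""
    rng = random.Random(seed)
    return [int(rng.expovariate(1.0 / mean_ticks)) for _ in range(n)]

def low_bits(periods, k=2):
    """Keep only the k lowest bits of each counter reading, most
    significant of the k first; with a fast counter these are the bits
    an observer cannot predict or skew much."""
    bits = []
    for p in periods:
        for i in range(k - 1, -1, -1):
            bits.append((p >> i) & 1)
    return bits

def von_neumann(bits):
    """Von Neumann unbiasing over non-overlapping pairs: 01 -> 0, 10 -> 1,
    00 and 11 are discarded. It assumes independent, identically biased
    input bits; it removes bias, not correlation, and keeps at most half
    (on average far fewer) of the input bits."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def ones_fraction(bits):
    """Crude bias estimate: fraction of ones in the bit list."""
    return sum(bits) / len(bits) if bits else 0.0

def seed_from_bits(bits):
    """Condition the unbiased bits into a 32-byte DRBG seed by hashing, so
    the raw timing data cannot be recovered from the seed. Trailing bits
    that do not fill a whole byte are dropped."""
    usable = len(bits) - len(bits) % 8
    packed = bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                   for i in range(0, usable, 8))
    return hashlib.sha256(packed).digest()

def biased_bits(n, p_one=0.7, seed=2):
    """Constructed, deliberately biased source (70% ones) used only to
    show the unbiasing step doing its job."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]
```

    The raw bit rate from a real tube is set by the click rate, so the seed is only as good as the number of unbiased bits actually collected before hashing; the hash does not add entropy.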

  13. Retinal scanners (and fingerprint readers) are a terrible idea for mass consumption - not only due to the irrevocable keys, but from the illusion of security (thanks, Hollywood) that they bring. A cheap biometric sensor is in fact worse than the state of the art re: passwords and such. Witness how few commercially-sold fingerprint readers pass the "sausage test." You get what you pay for, and consumers are not prepared to pay for serious hardware.

  14.
    Mircea Popescu 
    Sunday, 3 February 2013

    I thought we debunked the irrevocable keys part for this implementation. It may also be worth the mention that the vast majority of items that are any good today (such as I dunno... the car ?) ended up any good by being really sucky and then put into mass production. Which fixes everything. Cellphones also sucked back in the late 80s when I had to carry around a 9lb piece of shit that lasted for all of three hours talktime.

  15. I'm pretty sure you wouldn't like a flash or java applet to manage ur pgp keys.

  16.
    Mircea Popescu 
    Sunday, 3 February 2013

    There must be some smartphone out there running linux.

  17. Sure, all of them, android is built with a linux kernel. There's also jewbuntu for smartphones.

    There seems to be some effort on the internets into transforming smartphones from phones into very tiny futile computers.

    Dey has shiny menus but no calls, which ofc is not a problem for solitary assburgers.

  18. My thoughts are somehow similar to Stanislav's. Why would you necessarily use photos of the iris as a seed for the RNG? It would probably work, but I'm guessing that using for example a set of randomly-taken frames of nothing in particular would work as well -- ok, maybe a drywall would suck, but one could try grandma's tapestry or something out the window. In fact, combining data from the camera, accelerometer and microphone (maybe GPS too, or tactile input locations) should yield good enough entropy, for some definitions of "good enough".

    Another problem would be that, from my experience at least, phone cameras take crappy pictures in low-light environments. The fun thing here is that sensor noise might actually help, but taking a still of the eye (or anything else for that matter) in a room that isn't very well lit would probably give an image that's too dark for practical purposes.

    The idea is worth exploring though. A guy from Cluj has a paper on using sensors from the phone to generate random numbers and some guys from Brno have a public paper on randomness in mobile devices. There's probably more in journals and such, but I'm too lazy/busy to research it.

  19.
    Mircea Popescu 
    Sunday, 3 February 2013

    Well... this is where I have to admit that I just pulled that iris thing out of my ass, cause I thought it sounded kinda cool.

    Thanks for the links tho.

  20. Influencer, you who are an influencer

    Now what?

  21.
    Mircea Popescu 
    Wednesday, 6 February 2013

    Um... Wow ?

  22. Re: #20:

    "Silent Circle" Co. is an NSA shill. Proof: it has not only not been suppressed by the NSA (which has total de-facto jurisdiction over American and allied crypto products), but is being advertised on Metro trains in Washington, D.C. Totally mainstream.

    Mainstream commercial crypto (esp. anything touted as "easy to use") is guaranteed to be back-doored, weak-keyed, or a crock of shit in some other, more subtle way.

  23.
    Mircea Popescu 
    Wednesday, 6 February 2013

    I was thinking reading the article that suspiciously enough it mentions the guy's PGP history but does not say the thing actually uses PGP. I don't see why anyone'd think it did, but nice try anyway.

  24. To be fair, the company site claims that the product is PGP-based. But, who really knows? See:

  25.
    Mircea Popescu 
    Thursday, 7 February 2013


  26. Gud, now i's gonna be able to encrypt all ma kfc receipts, dam cops and state, dey always lookin into ma stuff ya know.

  27.
    Mircea Popescu 
    Thursday, 7 February 2013

    It's not for you.

  28. Re: #27:

    Actually, it is *exactly* for him. That is to say, a U.S. government honeypot is just what the doctor ordered for plebes with delusions of importance. Of course when they come for his drug stash, gun, bricks of plastique, etc. there will be a plausible story (a tip from a stoolie, or the like) that does not involve broken crypto in any way.

  29.
    Mircea Popescu 
    Thursday, 7 February 2013

    Ya but he doesn't entertain delusions of importance. He entertains delusions of equality.

    The difference is that the pleb with delusions of importance falsely imagines that some banal stupidity he engages in makes him unique, special or apart, whereas the pleb with delusions of equality falsely imagines that everyone else limits himself to the banal stupidities he engages in. The former is paranoia, the latter plain laziness.

  30. It’s not for you.

    But it will be available on iphone/android markets, so it's for teh pleb.

    It’s a game-changer that will almost certainly make life easier and safer for journalists, dissidents, diplomats, and companies trying to evade state surveillance or corporate espionage.

    I hope they aren't actually serious about these faux dramatique tv/news stories and that some retarded journalist or somali or palestinian or christian lolkorean would need such.

    Silent Mail will offer encrypted e-mail on Silent Circle’s private, secure network

    through Silent Circle’s custom HD network


    Most internet users are under the impression that their security depends on keeping secret certain irrelevant elements, such as their photo, their address, etc.

    On the basis of this information it can then begin to attack you. What does that mean? For now, two things. That commercial interests will make you offers which take into account ever more precisely, and profit as fully as possible from, the exploitable weaknesses that the army of psychologists preoccupied with the mind of the sucker consumer can discover

    Corporatism is a particular way of implementing socialism, in which not the state, as representative of the whole social group, but certain corporations, as representatives of some subgroups, will solve the problems of individuals.

    Amiquotintisrite, Mircea?

  31. Thank you for ur attention.

  1. [...] for smartphones and smartwatches? Let’s lift the covers of history and peek back to February 2013, a full 7 months before Apple released the iPhone 5S, to one illuminating conversation in [...]
