Even a chimp can write code

Saturday, February 05, 2005

Security through viral propagation

Traditionally, we have had two sets of security procedures, one to control physical access to facilities and another to control access to software systems and networks. Increasingly, governments and companies are looking to unify these security measures and blur the line between cyber and physical security. The challenge of merging digital and physical security may have been tackled before, although we don't quite know how effectively. The Economist reports that the world's largest lock-maker, Assa Abloy, is working with Core Street, a Cambridge, MA based software company, to create a single security system that controls both your access to files, servers and networks, and your access to physical facilities like labs, rooms, warehouses etc.

So what? Hasn't this been attempted before? Card readers on door locks have been used to authenticate and authorize access to facilities. Typically, these readers are hooked onto networks that connect to a server hosting the access control list (ACL) and validation software. So how much of a leap is it to merge cyber and physical security? Besides, this sort of network can be very expensive. An electronic lock, says the Economist, can cost up to $5000, most of it being the cost of network wiring. Wiring up all of the door locks of, say, a nuclear power plant or an airport becomes extremely costly, prohibitively so for installations with smaller budgets. The solution these guys have devised attempts to solve that problem by using the cards themselves as the network.

Access to the ACL is decentralized, and the most current copy is available to a small percentage of connected doors. Whenever you swipe a card through one of these connected doors, the access control list is transferred onto your card in encrypted form. As you walk through unconnected doors, the card lets the doors read the level of access. If the ACL on your card is newer than an unconnected door's own copy, the door overwrites its copy with the one read from your card. These doors can then pass on the ACL to other cards that pass through. As people keep moving through doors, so does the ACL via viral propagation.

I would think strategic placement of connected doors and a strong encryption of ACLs on cards are key (for lack of a better word) to this security model working effectively. The idea is interesting, although with my experience writing (secure and) security software, I must admit I am not totally convinced it is foolproof. This model makes the door locks about as secure as the software systems and networks. Whether the latter were more secure to begin with is debatable.
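To make the propagation and its stale-revocation window concrete, here is a small simulation added as an illustration; it is not Assa Abloy's or Core Street's code. It assumes the ACL is a versioned revocation list authenticated with an HMAC under a key held by every door (the article only says "encrypted"), and the names `sign_acl`, `verify`, `Card`, `Door` and the key are constructed for the example.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: MAC key provisioned in every door

def sign_acl(version, revoked):
    """Server side: issue a versioned, authenticated ACL (here a revocation list)."""
    body = json.dumps({"v": version, "revoked": sorted(revoked)}).encode()
    return {"body": body, "tag": hmac.new(KEY, body, hashlib.sha256).digest()}

def verify(acl):
    """Return the parsed ACL if its tag checks out, else None."""
    if acl is None:
        return None
    good = hmac.new(KEY, acl["body"], hashlib.sha256).digest()
    return json.loads(acl["body"]) if hmac.compare_digest(good, acl["tag"]) else None

class Card:
    def __init__(self, holder, acl=None):
        self.holder, self.acl = holder, acl

class Door:
    def __init__(self, acl):
        self.acl = acl

    def swipe(self, card):
        mine, theirs = verify(self.acl), verify(card.acl)
        if theirs and theirs["v"] > mine["v"]:        # authentic and strictly newer
            self.acl, mine = card.acl, theirs         # door learns from the card
        elif theirs is None or mine["v"] > theirs["v"]:
            card.acl = self.acl                       # card learns from the door
        return card.holder not in mine["revoked"]     # decide on the freshest copy

def demo():
    v1, v2 = sign_acl(1, []), sign_acl(2, ["mallory"])  # v2 revokes mallory
    lobby, basement = Door(v2), Door(v1)     # connected door vs. unconnected door
    alice, mallory = Card("alice", v1), Card("mallory", v1)
    forged = Card("mallory", {"body": sign_acl(3, [])["body"], "tag": b"\0" * 32})
    return [
        basement.swipe(mallory),  # True: stale door still admits the revoked card
        lobby.swipe(alice),       # True: alice's card picks up v2
        basement.swipe(alice),    # True: basement door upgrades to v2
        basement.swipe(mallory),  # False: the revocation has arrived
        basement.swipe(forged),   # False: unauthenticated "v3" is ignored
    ], verify(basement.acl)["v"]

if __name__ == "__main__":
    print(demo())
```

The first swipe shows the gap a defender has to size: a revocation reaches an unconnected door only after some card that has visited a connected door passes through it.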


1 Comments:

  • In most cases, it will be hard to get business acceptance of this - mostly due to the possibility of false positives.

    If employee X is fired, the usual business requirement is that he is immediately locked out of all doors. Not only floors 12-15 where your company has offices, but also the seldom visited storage, server, router & network rooms down in the basement.

    Wi-fi solutions are much more usable. Power is everywhere and with good encryption it's as safe as wiring.

    By Anonymous, at February 7, 2005 at 3:34 AM
