33 Unconventional Security Devices

}ouinal of Physical Secuiity 7(S), 62-126 (2u14)
62

"#$%#&'#()%#*+ ,'$-.)(/ 0'&)$'12

Rogei u. }ohnston, Ph.B., CPP anu }on S. Wainei, Ph.B.

vulneiability Assessment Team
Aigonne National Laboiatoiy

3#(.%4-$()%#

This papei biiefly uesciibes SS uiffeient unconventional secuiity uevices that we have
ueviseu anuoi constiucteu. These uevices aie uiviueu into 4 categoiies: tampei-
inuicating seals anu tiaps (coveit seals), tags, ieal-time monitoiing uevices, anu access
contiol techniques. Bevices 1 anu 2S - SS aie oui newest concepts oi piototypes, oi the
ones we have most iecently maue piogiess on.

Foi each of the secuiity uevices oi techniques uesciibeu in this papei, we only biiefly
sketch theii uesign concept. We uon't have the space to uiscuss the subtlei issues
associateu with these uevices anu concepts, incluuing uetails of theii uesign, likely
vulneiabilities, oi possible counteimeasuies. Some of these uesigns might not ultimately
piove piactical, but we hope that uiscussing them might neveitheless encouiage new
appioaches to physical secuiity that we believe aie soiely neeueu.

At the stait of the uiscussion of each uevice, we list S pieces of infoimation: the type of
uevice, its cuiient status (woiking piototype, patenteu, uemonstiateu, pioof of piinciple,
concept only, etc.), anu an inuication of the likely level of secuiity offeieu by that uesign,
i.e., how haiu it might be to uefeat. The lattei is only speculation, though speculation baseu
on oui consiueiable expeiience with conuucting vulneiability assessments on many
uiffeient kinus of physical secuiity anu nucleai safegauius uevices anu technologies.|1-12j
The pioblem with estimating levels of secuiity is that none of these uevices aie fully
uevelopeu (because of a lack of funuing), yet vulneiabilities uepenu ciitically on exact
uetails of the uesign, how the secuiity piouuct is to be useu, anu foi what applications anu
to countei what auveisaiies.|1,6,1uj

Nost of these uevices coulu be faiily inexpensive. When we list the cost of components, it
is always in ietail quantities of 1. Component costs tenu to fluctuate ovei time (but usually
ueciease), anu almost always uiop uiamatically when puichaseu in volume.

__________
* This papei was not peei ievieweu.

63
,'*+1

Tampei-inuicating seals play an impoitant iole in nucleai safeguaius, physical secuiity,
IT secuiity, anu caigo secuiity.|S,6,9,1uj Seals aie useu to uetect (aftei the fact)
unauthoiizeu access to containeis, packages, envelopes, iecoius, computei meuia,
instiumentation, iooms, anu tianspoit vehicles. 0nlike locks, seals aie not meant to uelay
oi complicate unauthoiizeu access, just iecoiu that it occuiieu. 0nlike intiusion uetectois,
seals uo not uetect unauthoiizeu access in ieal-time, i.e. immeuiately.

0nfoitunately, many (peihaps all) seals cuiiently available aie easy to spoof using iapiu,
low-tech methous.|1,1S-16j Bettei seals aie both necessaiy anu possible. Some of the
uesigns uiscusseu below piobably coulu pioviue bettei secuiity. Some of these seals can be
useu as "tiaps", i.e. coveit seals, wheie the tampei-inuicating haiuwaie is placeu insiue the
containei oi tianspoit vehicle, with no eviuence of tampei uetection on the outsiue.

A numbei of these new types of seals aie baseu on the "anti-eviuence" concept uiscusseu
in uetail elsewheie.|1,1S,16,17j Anti-eviuence seals aie uesigneu to oveicome the chief
vulneiability of conventional sealsthat auveisaiies can often ieauily hiue oi eiase the
fact that tampeiing was uetecteu, oi else make fiesh counteifeit seals that show no
eviuence of tampeiing. With anti-eviuence seals, in contiast, seciet infoimation (calleu the
"anti-eviuence") is stoieu in oi on the seal when it is fiist installeu. This infoimation
inuicates that no tampeiing has yet been uetecteu; it is immeuiately eiaseu shoulu
unauthoiizeu access occui. The "goou guys" can ueteimine that unauthoiizeu access
occuiieu by noting the absence of the anti-eviuence. The "bau guys" gain nothing by
counteifeiting the seal haiuwaie unless they can ueteimine the seciet anti-eviuence. Anu
the act of tiying to get to the seciet infoimation causes its immeuiate eiasuie.

0'&)$' 56 7 8)9' :;%$<=

Type: electionic, ieusable time-out seal
Status: uuplicate woiking piototypes
Applications: low to meuium level secuiity

0uuly, small batteiy-poweieu, paulock-size time locks uo not seem to be commeicially
available. All commeicial time locks seem to be laige anu expensive, anu intenueu foi high-
level secuiity applications.

The uevice shown in figuie 1 is a ie-usable, electionic, tampei-inuicating seal we
uevelopeu that we call a "Time Lock". We call it a "lock" because it looks like a lock anu is
useu somewhat like a lock, anu because people (incluuing secuiity piofessionals) aie often
confuseu about seals anu tampei uetection. This woiking piototype was uevelopeu by
mouifying a commeicial infiaieu paulock anu auuing an auuitional miciopiocessoi anu oui
custom fiimwaie anu electionics.


64
Figuie 1 - 0ne of oui woiking Time Lock piototypes. The shackle anu some of the inteiioi is metal, while the
outsiue is plastic. The piototype shown is 6 x 4 x 1u cm, much laigei than is necessaiy. The piototype uses
less than $2u of paits (quantities of 1).

The uevice has two moues of opeiation. A switch in the batteiy compaitment of the
uevice selects the moue. In "time-out moue", the seal opens automatically aftei a set peiiou
of time (the "countuown peiiou"). No key oi combination is necessaiy, so theie is nothing
foi the usei to lose oi foiget, iespectively. Noieovei, the peison who oiiginally "lockeu"
the seal uoes not neeu to be piesent when it opens. Thus, theie aie also no key- oi
combination-contiol issues associateu with the use of this uevice.

Examples of its use might be to lock up the cookie jai to keep chiluien fiom accessing it
piioi to uinnei, oi in an office setting, to seal containeis oi filing cabinets when going out to
lunch.

The seconu moue of opeiation is "vault moue". This is wheie the "lock" can only be
openeu aftei a set peiiou of time, using the fob with an infiaiu LEB that comes with the
oiiginal commeicial infiaieu lock. The fob tiansmits a unique, fixeu IB numbei.

The length of the countuown peiiou foi the piototype shown in figuie 1 is aujustable
fiom the batteiy compaitment. S uiffeient time lengths aie available, fiom 2u seconus (foi
uemonstiation puiposes) to seveial uays. The final uesign woulu have moie time options,
incluuing a continuous choice of time.

Changing the moue oi the time uuiation once the countuown peiiou staits uoes not affect
the time of opening.

65
The batteiy stiength is testeu by oui miciopiocessoi piioi to staiting the countuown to
make suie theie is sufficient powei to open the lock aftei the countuown peiiou. veiy little
powei is useu uuiing the countuown peiiou, as the miciopiocessoi is mostly asleep. If the
batteiies go ueau, the usei can always inseit fiesh batteiies anu the countuown will
continue fiom wheie it stoppeu.

The uevice has vaiious tampei-inuicating anu anti-counteifeiting featuies which aie not
uiscusseu heie, noi fully implementeu in the piototype.

0'&)$' 5> 7 8)9' 8.*?

Type: hash time tiap (anti-eviuence, coveit tampei-inuicating seal)
Status: woiking piototypes with S uiffeient uesigns
Applications: high level secuiity

As uiscusseu elsewheie in moie uetail|1,16,17j, a Time Tiap is a type of anti-eviuence
seal baseu on the iealization that unauthoiizeu access by bau guys must occui piioi to the
goou guys opening the containei oi vehicle, anu the fact that the vectoi of time points only
in the foiwaiu uiiection in the ieal woilu.

The batteiy-poweieu Time Tiap piototype shown in figuie 2 uses a Niciochip 16F819
miciopiocessoi (~$1.8u each), piogiammeu in PIC BASIC Pio.

The miciopiocessoi is piogiammeu to compute a new hash value foi each minute that
the seal is in use. (Roughly speaking, a "hash" is a fixeu length numbei computeu fiom a
laigei numbei in a complex anu iiieveisible mannei.|16j) The computation uses a seciet
key that is unique foi each seal anu each shipment. The key is chosen ianuomly by the seal
baseu on the exact micioseconu when a button on the seal is piesseu by the usei. Knowing
the hash algoiithm is of little help to an auveisaiy if he uoes not also know the seciet key
chosen by the seal foi the cuiient use peiiou.
Figuie 2 - 0ne uesign foi oui woiking piototype Time Tiap.

66
The seal can go insiue a containei oi tianspoit vehicle (anu thus can be a Type 1 Tiap),
oi it can go oveitly on the outsiue hasp. It uoes not iequiie a passwoiu oi ieauei, noi uoes
it have to be queiieu about tampeiing piioi to opening the containei oi vehicle.

0nce the seal uetects that the containei oi vehicle has been openeu (by eithei the goou
guys oi the bau guys), it immeuiately eiases (< 1 sec) the seciet key useu by the hash
algoiithm. This eiasuie of this "anti-eviuence" pievents an intiuuei fiom being able to
pieuict futuie hash values. Aftei eiasuie, the uisplay peimanently shows the time that the
containei oi vehicle was openeu anu the hash value (2 letteis of the alphabet) that
authenticates that time.

A single hash value is of no help in ueteimining futuie hash values, because theie is
consiueiable uegeneiacy built into the hash algoiithm. Theie aie an aveiage of 4uu
uiffeient seciet keys that piouuce the same hash value foi a given time (even assuming the
auveisaiy fully unueistanus the hash algoiithm in use). Thus, intiuueis will not be able to
ueteimine what hash value will neeu to be on the uisplay when the goou guys latei gain
access to the containei oi vehicle.

It tuineu out to be suipiisingly challenging to choose a hash algoiithm that has this high
uegiee of uegeneiacy, anu also selects faiily unifoimly fiom among the possible 2-lettei
hashes as the seciet key anu the elapseu time vaiy. 0nce a suitable algoiithm is founu,
slight mouifications can iuin its behavioi. This is also something we uiu not expect.

The piototype shown in figuie 2 iepoits the time anu hash value via the liquiu ciystal
uisplay (LCB). Foi this piototype, these values aie ieau visually. The seal, howevei, coulu
easily be uesigneu to iepoit the time anu hash iemotely via (foi example) iauiofiequency
(if), infiaieu (ii), acoustic signals, oi electiical contact. Figuie S shows an implementation
that ielies on the lattei.

Seal inspection aftei opening the the containei oi vehicle involves ueteimining if the time
on the uisplay is the coiiect time of opening (in absolute oi ielative time). Then, the 2-
lettei hash is noteu. To check if this hash is coiiect, the time of opening anu the value of the
seciet key can be sent back to heauquaiteis wheie the hash can be computeu. Alteina-
tively, the hash can be checkeu in the fielu with a computei piogiam we have wiitten
(figuie 4), oi by using a hanuhelu uevice (piototype shown in figuie S).

The Time Tiap has an inteiesting veiification ("anti-gunuecking") featuie. If the seal
inspectois aie iequiieu to iepoit the opening time anu 2-lettei hash back to heauquaiteis,
this automatically veiifies that they actually checkeu the seal foi tampeiing (insteau of just
claiming to have uone so). They uo not neeu a secuie communications channel to uo this.

While it is monitoiing foi intiusion, the Time Tiap measuies its batteiy voltage, anu will
instantly eiase the anti-eviuence seciet key shoulu the batteiy voltage uiop below a ceitain
thiesholu. This featuie is neeueu because ceitain attacks on electionic seals involve
iemoving the batteiy oi slowly ieuucing its voltage. (Batteiy failuie cannot be ieliably
uistinguisheu fiom tampeiing in any electionic seal.) In auuition, the seal monitois foi

67
iapiu oi extieme changes in tempeiatuie that might inuicate a theimal attack on the seal oi
batteiy.
Figuie S - This figuie shows a $2 veison of the Time Tiap inseiteu into a biiefcase. It uses a light sensoi to
ueteimine when the biiefcase is openeu. This kinu of sensoi is not veiy effective foi goou secuiity, but it is
inexpensive. A quaitei in the bottom of the biiefcase shows the scale. The Time Tiap insiue the biiefcase can
be ieau electionically by a uiiect electiical connection thiough the biiefcase.

Figuie 4 - A computei piogiam we wiote to ueteimine the coiiect 2-lettei hash foi a given seciet key (K)
anu opening time. If uesiieu, the piogiam can iun continuously, upuating the hash as the time automatically
auvances.

68
Figuie S - A piototype uevice foi computing the 2-lettei hash algoiithm aftei the seciet key anu the elapseu
time aie enteieu.

To ieuse the Time Tiap, the uevice is tuineu off , then tuineu back on. It will select a new
ianuom key baseu on the (unpieuictable) exact micioseconu that the usei piesses a button.

Foi a few moie uollais in paits, the piototype Time Tiap in figuie S can simultaneously
monitoi up to 14 auuitional sensois. When multiple sensois aie useu, they aie polleu in a
ianuom, constantly changing oiuei so that an auveisaiy cannot pieuict when a given
sensoi will be ieau by the seal.

We have uemonstiateu a numbei of uiffeient sensois that can woik with the Time Tiap.
0ne is a small, soliu-state Ball Effect magnetic sensoi (Boneywell SS94, ~$2 each). This
sensoi can monitoi the opening of a containei liu oi a tiuck uooi. A small peimanent
magnet is placeu on the liu oi uooi; when openeu, the Ball Effect sensoi uetects the change
in magnetic fielu causeu by the movement of the magnet. 0nlike simple magnetic uooi
switches, the Ball Effect sensoi cannot be easily spoofeu by just biinging anothei magnet
close. This is uue to its high sensitivity, about 2uu nanoTesla (nT). By way of compaiison,
the Eaith's magnetic fielu at the suiface is about SS,uuu nT.

Changes in the magnetic vectoi as a moving tianspoit vehicle changes oiientation with
iespect to the Eaith's fielu can eithei be ignoieu by iaising the alaim thiesholu of the
sensoi, oi by coiiecting foi the appaient change in the Eaith's fielu using a seconu Ball
Effect sensoi locateu fai fiom the magnet on the liu oi uooi. If a magnet is placeu on the
assets of inteiest insteau of the liu oi uooi, then the Ball Effect sensoi can uetect the
iemoval oi movement of the assets if it is sufficiently close.

Anothei sensoi that can be useu with the Time Tiap is a soliu state tilt sensoi
(acceleiometei) with u.uu1g iesolution (NENSIC NXB2u2uEFL, ~$12.Su each). If one of
these sensois is placeu on the containei liu oi vehicle uooi, anu anothei is placeu on a

69
neaiby peipenuiculai suiface, they can be compaieu to tell when the liu oi uooi has been
openeu as compaieu to jostling fiom oveiall movement of the containei oi vehicle.

A miniatuie Passive Infiaieu (PIR) sensoi can also be useu to uetect the piesence of
people oi a hanu in a containei. These typically cost appioximaltey $2 each anu covei the
theimal ii wavelength iange 7 to 14 m. Inexpensive ultiasonic motion uetectois also
woik faiily ieliably if useu insiue a closeu containei.

A soliu state coloiimetiic sensoi (~$2.Su each) uesciibeu in the section on Bevice #19
(the Tie-Bye Seal) can also be veiy effective at uetecting tampeiing oi movement of assets,
lius, oi uoois.

0thei possible sensois incluue:

hall effect magnetometei $u.8S
1-wiie tempeiatuie sensoi $2
theimistoi $u.7u
foice sensoi $S
soliu state C02 sensoi $18
IR pioximity sensoi $12
gyio (angulai iate sensoi) $22
tiiple axis acceleiometei, $7
temp anu humiuity sensoi $12
high-iesolution 2-axis magnetometei $Su
vibiation sensoi $2.Su

0'&)$' 5@ 7 A+*1B)#C ;)CB(1 ,'*+

Type: passwoiu (anti-eviuence) seal
Status: uemonstiation piototype
Applications: meuium level secuiity

Passwoiu seals aie a kinu of anti-eviuence seal that iequiies the goou guys to uniquely
iuentify themselves with a passwoiu (oi PIN oi mechanical combination) befoie the seal
will iepoit the seciet anti-eviuence.|16j Both the anti-eviuence anu the passwoiu must be
kept seciet foi the uuiation of the caigo shipment oi peiiou of tampei monitoiing.

This woiking piototype uevice shown in figuie 6 is such a passwoiu, anti-eviuence seal.
It typically woulu go on the outsiue of a containei. At the stait of each use, the seal chooses
a 4-uigit passwoiu anu the 4-uigit anti-eviuence anu flashes them to the usei with LEB
lights.

Piioi to when the seal is iemoveu oi the containei oi vehicle is openeu, the usei inputs
the passwoiu using the push buttons. The seal then iesponus by flashing the 4-uigit anti-
eviuence if the seal has not been openeu, anu the wiong 4-uigits if it has (oi the passwoiu

70
is wiong). 0nly S wiong passwoius aie alloweu befoie the seal peimanently eiases the 4-
uigit anti-eviuence.

The uevice in figuie 6 uses a light sensoi, but many othei kinus of intiusion sensois aie
possible, as with the Time Tiap.

Figuie 6 - A uemonstiation piototype foi the Flashing Lights Seal. This miciopiocessoi-baseu seal uses less
than $4 of paits. It measuies S x 4.S x 2 cm, though it can easily be ieuuceu in size by a factoi of S. The seal
woulu oiuinaiily go insiue a light-tight seal outei case.

0'&)$' 5D 7 E+)#<)#C ;)CB(1 ,*(-.*()%# ,'*+

Type: satuiateu iesponse (anti-eviuence) tiap
Status: uemonstiation piototype

Figuie 7 shows a schematic of a Satuiateu Response Tiap |16j calleu the Blinking Lights
Seal. It consists of a two-uimensional aiiay of light emitting uioues (LEBs) uiiven by a
piogiammeu miciopiocessoi. Like the Time Tiap, this seal can be locateu insiue the
containei oi tianspoit vehicle being monitoieu foi unauthoiizeu access. In that case, it is a
Type 1 tiap. It can also be useu (as an oveit seal) on a hasp outsiue the conainei oi vehicle
with a slight ieuesign.

The uevice can use the same sensois as the Time Tiap. Also like a Time Tiap, it uoes not
iequiie a passwoiu, noi uoes it have to be queiieu about tampeiing piioi to opening the
containei oi tianspoit vehicle.


71
Figuie 7 - The Blinking Lights Satuiation Seal. The blinking LEB lights inuicate whethei
tampeiing has been uetecteu by hiuing this infoimation among othei extianeous blinking.

0nlike the Time Tiap, howevei, the Blinking Lights Seal uoes not neeu to keep tiack of
time noi compute (oi look up) hash values. Insteau, when iequesteu, the Blinking Lights
Seal unleashes a high banuwiuth stieam of uata. Biuuen somewheie in the uata is one oi a
few bits that iepiesent the anti-eviuence. This bit oi bits tells the seal inspectoi whethei
the containei oi tianspoit vehicle has been openeu pieviously. All the othei uata is just
ianuom noise.

In the case of the piototype seal shown in figuie 7, the high banuwiuth uata is a complex
tempoial two-uimensional pattein of blinking lights. This pattein is shown only once on
uemanu (by pushing a button), oi else iepeateu only a small numbei of times befoie the
pattein is peimanently eiaseu fiom the seal's miciopiocessoi. Each seal, each time it is
useu foi a shipment, has a uiffeient blinking pattein chosen by the miciopiocessoi piioi to
use, oi uownloaueu to it.

The punch caiu shown inseiteu in figuie 8 is one possible way foi the seal inspectoi to
inteipiet the blinking lights. It is uesigneu to sliue in fiont of the two-uimensional aiiay of
LEBs. (Each seal, anu possibly each shipment, has a uiffeient caiu.) This caiu allows the
seal inspectoi to focus on (foi example) just S of the blinking LEBs. The lack of pievious
tampeiing can be inuicateu a numbei of uiffeient ways (otheiwise tampeiing is inuicateu).
Beie aie just a few of the possibilities:

- All S of the LEBs tuin on oi off in unison.
- The S LEBs tuin on anu off in sequence.
- The fiist LEB blinks once, the seconu one twice, the thiiu one thiee times.

72
- If the LEBs aie S-coloi LEBs, they all show the same coloi simultaneously.

An auveisaiy who uoes not know which of the LEBs aie ielevant is faceu with a complex
two-uimensionally aiiay of iapiuly blinking lights. To tiy to hiue the fact that he has
pieviously gaineu unauthoiizeu access, he can iecoiu the complete pattein of blinking
lights, then piogiam the oiiginal seal oi a counteifeit to ieplay that same pattein. This is
ceitainly possible, but it iequiies at least some capability in electionics anu
miciopiocessois, plus it may not be easy to uo iapiuly.

Figuie 8 - The inseiteu punch caiu focuses the inspectoi's attention on the only LEBs that mattei.

The Blinking Light Seal has the auvantage of being electionic, yet still engaging the seal
inspectoi in a caieful visual examination of the seal. If uesiieu, the caiu shown in figuie 8
can be puncheu out just minutes befoie it is neeueu, baseu on infoimation secuiely
tiansmitteu to the caigo's uestination.

0iuinaiily, the blinking light pattein will be uisplayeu only when the seal inspectoi
pushes a button on the seal. In oui uemonstiation piototype, howevei, theie aie S
uiffeient buttons. Each one geneiates a uiffeient light pattein (but convey the same anti-
eviuence). All the othei patteins woulu then be eiaseu once a button choice was maue.

0'&)$' 5F 7 8*+<)#C 8.-$< G*.C% ,'*+


73
Status: woiking piototypes of seveial uiffeient uesigns

Figuie 9 shows a woiking piototype of one type of passwoiu seal calleu the Talking
Tiuck Caigo Seal. The unit at the left is the hanuhelu unit, which iemains outsiue the tiuck
(oi containei) being monitoieu foi unauthoiizeu access. It can communicate with up to
1uuu uiffeient seals using 4S4 NBz iauiofiequency (if) signals. The unit at the iight of
figuie 9 is the actual tampei-inuicating seal that goes insiue the tiuck (oi containei) to be
monitoieu. It incluues a light sensoi like oui Time Tiap, but it can also simultaneously poll
up to 12 auuitional intiusion sensois, incluuing those uiscusseu in the Time Tiap section.

Figuie 9 - Piototype Talking Tiuck Caigo Seal, with the hanuhelu seal ieauei on the left.

0ui piototype Talking Tiuck Caigo Seals weie uesigneu foi a fictitious tiucking company
calleu "Neai Niss Tiucking". The anti-eviuence consists of one ianuomly chosen slogan out
of 1SS (oi moie) possible slogans useu by Neai Niss Tiucking Company. These slogans aie
not seciet. In fact, it is auvantageous if the seal inspectoi is quite familiai with all the
slogans. What is kept seciet is exactly which slogan was chosen foi each containei in any
given shipment. A new, ianuom choice of slogan is maue each time a seal is ieuseu.

Examples of the Neai Niss Tiucking slogans we use in oui piototype (some aumitteuly
facetious) incluue:

74

- The "go" in caigo.
- We'll make it fit!
- It's not oui fault.
- Sleep, what's that.
- Fewei felons woik foi us.
- If it falls out of oui tiuck, you can keep it.
- The centei lane maikei is only a suggestion.
- At least one fiie extiguishei pei uozen tiucks.

Aftei the containei oi tiuck is sealeu up, the hanuhelu unit in figuie 9 chooses the seciet,
ianuom 4-byte passwoiu anu one of the slogans. This infoimation is tiansmitteu
wiielessly by iauio fiequency (if) to the seal insiue the tiuck thiough the tiuck wall (even
if metal). The seal then stoies it until unauthoiizeu access is uetecteu.

The seciet passwoiu anu slogan chosen by the hanuhelu unit can be uuplicateu oi ieau
out a vaiiety of ways so that the seciet infoimation can be sent (using enciyption oi a
secuie communications channel) to the caigo's uestination wheie it will be neeueu foi seal
inspection. Alteinately, the oiiginal hanuhelu unit can be physically tianspoiteu to the
caigo's uestination.

The piototype in figuie 9 has the hanuhelu unit speak the slogan thiough a built-in
speakei, although an eaiphone can also be useu in noisy enviionments. 0thei possible
veisions of the Talking Tiuck Caigo Seal coulu have the tiuck itself uo the speaking. This
simply iequiies that a small speakei be auueu to the seal, oi to the insiue oi outsiue wall of
the tiuck.

Foi the speaking, we use a uigitally iecoiueu human voice, iathei than synthesizeu
speech because this makes the slogan easiei to unueistanu. The slogan is iepeateu S times
to be suie it is heaiu.

0nly if the coiiect passwoiu is sent by the hanuhelu unit to the seal in the coiiect if
foimat ANB if theie was no unauthoiizeu access, will the coiiect slogan be spoken at
inspection time. 0theiwise, a uiffeient slogan is spoken so as not to tip off the bau guys
that theii intiusion was uetecteu. Foi ease of use, the inspectoi can check off which slogan
was heaiu fiom an alphabetizeu checklist of the 1SS possible slogans.

Baving a spoken slogan keeps the seal inspection piocess at a veiy human level. This is
auvantageous fiom a psychological stanupoint. Too often, automateu high-tech seal
ieaueis uistiact the seal inspectoi, oi mentally iemove him fiom peisonal involvement in
the uetails of the shipment. This is not conuucive to goou secuiity.

With 1SS possible slogans, an auveisaiy has a 1 in 1SS (u.7%) chance of guessing the
coiiect slogan. Then he must piogiam the oiiginal seal oi a counteifeit to say the coiiect
slogan when the seciet passwoiu is piesenteu. Be uoes not get a seconu chance. If even
bettei ouus aie uesiieu, up to 4uuu possible slogans can be stoieu in the seal.

75

We also maue a "foou" veision that says S uiffeient kinus of foou out of 2S6 possibilities.
Thus, if the inspectoi heais, foi example, "hambuigei-waffles-bananas" he can be assuieu
theie was no tampeiing, but if he heais S othei foous (oi nothing), then unauthoiizeu
access is inuicateu. With 2S6 possible foou choices, the ouus of an auveisaiy coiiectly
guessing the S foous in the coiiect oiuei is appioximately 1 in 17 million. (0ne
uisauvantage of this uesign is that it tenus to make the usei hungiy!)

0'&)$' 5H 7 8.)I%+-9)#'1$'#( ,'*+

Status: 0.S. patent 6,S94,u22 |18j

Tiiboluminescence is the phenomenon wheie a mateiial piouuces light (visible,
ultiaviolet, oi infiaieu) when mechanically agitateu.|19,2uj (The woiu "tiibo" means "to
iub" in uieek.) While most mateiials aie tiiboluminescent to some uegiee when sufficient
piessuie is applieu, theie aie many compounus that can piouuce visible spaiks in uaylight
conuitions when meiely uiagging a fingeinail acioss them.

Some of the most stiongly tiiboluminescent compounus incluue zinc sulfiue (sphaleiite)
uopeu with manganese, cholesteiyl salicylate, vaiious euiopium anu teibium compounus
anu complexes, N-isopiopylcaibazole, tiiphenylamine, anu silicon caibiue
(caiboiunuum).|19,2uj Winteigieen Life Saveis (powueieu sugai uopeu with methyl
salicylate) have also been known foi hunuieus of yeais to geneiate spaiks when ciusheu in
the mouth|21j, though this tiiboluminescence is 2-S oiueis of magnituue less efficient.

The iuea behinu the Tiiboluminescent Seal is that any attempt by an auveisaiy to open,
uiill, saw, cut, giinu, oi chemically attack the seal will piouuce tiiboluminescence. This
light can be useu to tiiggei an eiasuie of the anti-eviuence.|16,18j

A schematic foi one possible implementation of the seal is shown in figuie 1u. The seal
consists of two halves (male anu female) that snap togethei iiieveisibly thiough a hasp via
an inteinal C-locking iing. This locking iing is stiongei than the seal mateiial itself so that
any attempt to piy the two halves apait iesults in uamage to the seal anu the geneiation of
tiiboluminescent light. An alteinate uesign appeais in figuie 11. In this case, the two seal
halves aie attacheu by the use of tight thieauing. A consiueiable amount of light will be
geneiateu when the seal is scieweu oi unscieweu. With this uesign, the usei uoes not neeu
a special tool to open the seal, anu the two seal halves can be ieuseu.


76

Figuie 1u - Cioss-sectional view of one veision of the Tiiboluminescent Seal shown assembleu. The male
(bottom) anu female (top) halves have been snappeu togethei thiough the hasp of the containei oi
tiuckiailcai uooi.


77

Figuie 11 - Thieaueu veision of the Tiiboluminescence Seal shown piioi to use. Each half of the seal is
painteu on its exteiioi with an opaque paint oi epoxy layei (anu also on ceitain inteiioi suifaces). This
pievents light fiom enteiing the seal anu exposing the unuevelopeu photogiaphic film which is locateu at the
bottom of the male half of the seal.


78
The two halves of the seal aie maue fiom tianspaient oi tianslucent glass oi plastic that
is uopeu with stiongly tiiboluminescent powueis. Insiue the seal aie two inexpensive
plastic polaiizeis. The fiist polaiizei (pol 1 in figuie 1u) is fixeu anu cannot iotate. The
seconu polaiizei (pol 2) can be iotateu in a non-contact mannei by iotating the magnetic
iing on the outsiue of the seal. We can get any oiientation we want (even aftei the seal is
closeu) foi pol 2 by iotating the exteinal magnetic iing. The iing inteiacts magnetically
with pol 2 to peimit this non-contact iotation. Theie is enough fiiction on pol 2 to pievent
it fiom iotating inauveitently.

Beie is one way the seal can woik: Piioi to sealing a containei oi uooi, we take two
iuentical photogiaphs of some uetaileu scene using veiy fast (high sensitivity) film. The
film is then iemoveu fiom the cameia. 0ne of the pieces of film is uevelopeu anu then
placeu in secuie stoiage. The seconu (iuentical) piece of film is left unuevelopeu, anu then
placeu into the bottom of the male half of the seal. This must be uone in the uaik to avoiu
exposing the film to light.

Next, we inseit the two polaiizeis, again in the uaik. The 2 polaiizeis aie initially
ciosseu so that viitually no light passes thiough them because of the high extinction
coefficient. This keeps the film insiue the male half of the seal safe fiom ioom light, anu the
seal can then be taken out of the uaikioom. (It might neveitheless be a goou iuea to place a
tempoiaiy cap on the male half of the seal to minimize light exposuie.)

When the seal is ieauy foi use, the two halves of the seal aie snappeu oi scieweu
togethei thiough the hasp of the containei being sealeu. The exteinal magnetic iing is
iotateu to oiient pol 2 to some aibitiaiy, unpieuictable angle, wheie it is no longei ciosseu
with pol 1.

Naikings (oi numbeis) on the outsiue of the magnetic iing tell the seal usei how much to
iotate the magnetic iing back in oiuei to cioss the polaiizeis when it is time to examine the
seal foi signs of tampeiing. 0nauthoiizeu peisonnel, howevei, uo not know which is the
coiiect oiientation iequiieu foi the magnetic iing to cioss the two polaiizeis. (Each seal is
uiffeient.) The maikings oi numbeis on the magnetic iing aie thus a bit like a combination
that only authoiizeu peisonnel aie supposeu to know.

When it is time to inspect the seal foi tampeiing, heie is the piocess: The seal usei
iotates the exteinal magnetic iing back to the (seciet) piopei oiientation to cioss the two
polaiizeis. This oiientation is the seciet "combination" oi "passwoiu" that makes it safe to
open the seal. Beshe then cuts, saws, oi giinus the seal off at the female half, just above
the polaiizeis in figuie 1u, oi unsciews the two halves foi the figuie 11 uesign. This will
geneiate consiueiable tiiboluminescent light (plus let in ioom light), but it won't mattei
because the cioss polaiizeis will keep light fiom ieaching the film.

The seal is then taken to a uaikioom foi analysis. A technician (in the uaik) iemoves the
polaiizes to access the piece of film. The film is then uevelopeu, anu compaieu with the
film that has been in secuie stoiage.


79
Aftei being uevelopeu, the two images aie compaieu (e.g., with a blink compaiatoi
uiscusseu below) to veiify that they aie iuentical anu that the film coming fiom the seal
was not exposeu to light. Because an auveisaiy uoes not know what was on the film (the
image shot foi each seal is completely uiffeient), he will have tiouble counteifeiting the
image if he exposes the film in the seal to light. If the film in the seal has been aiounu
intense iauiation, it may be necessaiy to allow a coiiection foi fogging causeu by iauiation
exposuie.

Note that the assumption in this invention is that an auveisaiy cannot ueteimine the
piopei oiientation of pol 2 without using light that will expose the fast film. X-iaying the
seal will not easily tell an auveisaiy the polaiizei oiientations. The X-iays, fiist of all,
woulu fog the film. Seconuly, tiying to ueteimine the moleculai oiientation of thin plastic
sheet polaiizeis fiom outsiue the seal with X-iays shoulu be a uaunting task. If uesiieu,
baiium sulfate an be auueu to the seal to block X-iays to fuithei complicate X-iay imaging.

Piobably a moie piactical anu cost-effective appioach woulu be to uo away entiiely with
the photogiaphic film anu polaiizeis. Insteau, a miniatuie soliu-state light sensoi anu
miciopiocessoi is useu at the location of the film. 0nce the seal is closeu up, the light
sensoi begins monitoiing. When light is uetecteu, the miciopiocessoi instantly eiases the
seciet anti-eviuence. The seal usei (possessing the seciet passwoiu) can check on the anti-
eviuence via if befoie opening the seal. This is similai to the Talking Tiuck Caigo Seal
uesciibeu above. 0n the othei hanu, this miciopiocessoi veision woulu iequiie a batteiy,
unlike the film veision which is fully passive.

This seal concept can be scaleu up oi uown. A tampei-inuicating "safe" oi "vault" maue
of tiiboluminescent walls coulu, foi example, be constiucteu. 0thei potential vaiiations on
this seal incluue the use of coloi filteis oi ciiculai polaiizeis (insteau of lineai polaiizeis)
so that the seal can be openeu only in the piesence of ceitain wavelengths anuoi a ceitain
hanueuness of light.

0'&)$' 5J 7 K*C)$ ,+*(' ,'*+

Status: woiking piototypes of 2 uiffeient uesigns

Peihaps suipiisingly, anti-eviuence passwoiu seals uo not neeu to be electionic. See
figuie 12. The Nagic Slate Seal |22j is solely mechanical, yet fully ieusable. The seal is
nameu aftei the novelty toy that allows chiluien to wiite oi uiaw on a giey plastic sheet
with a plastic oi woouen stick, then eiase the "slate" by lifting the plastic sheet.

The Nagic Slate Seal is a unique "combination" seal |16j wheie only the goou guys know
the piopei way (i.e., the combination) to open the seal without uestioying the seciet
infoimation that inuicates the absence of tampeiing. The bau guys, howevei, will uestioy
the seciet infoimation in the piocessing of opening the seal.

80

Figuie 12 - A piototype Nagic Slate Seal that is intenueu to go thiough the hasp on a containei oi tianspoit
vehicle.

The seal in figuie 1S consists of a male anu female half that snap togethei. No tools aie
iequiieu to close oi open the seal. The 0-iings shown in figuie 1S pioviue enough fiiction
to keep the seal fiom opening acciuentally, anu also piotect the inteiioi fiom moistuie anu
uiit.

Insiue the seal is a cylinuei with eiasable wiiting. The cylinuei can be maue of metal oi
else slippeiy plastics such as polytetiafluoioethylene oi polyethylene. Foi this piototype, 6
uiffeient ianuom uigits oi symbols aie wiitten aiounu the ciicumfeience of the cylinuei.
This is the anti-eviuence.

The cylinuei sits insiue a laigei uiametei tube calleu the "sleu". At one enu of the sleu is
the eiasei. This is a buna iubbei anu felt washei which has hau a single slot cut in it, as
shown in figuie 14.

To open the seal, the usei iotates the male enu to whatevei angulai position he wishes.
(See figuie 14 foi the enu-on view.) The male anu female halves aie then pulleu apait by
hanu. The cylinuei goes with the female half of the seal, while the sleu goes with the male
half. In uoing this, the sleu uiags along the outsiue of the cylinuei, causing the eiasei to
eiase all the wiiting, except foi the uigit oi symbol that aligns with its slot. As a iesult, all
but one of the uigits oi chaiacteis wiitten on the cylinuei gets eiaseu. The eiaseu "anti-
eviuence" is no longei available to an auveisaiy to counteifeit.


81

Figuie 1S - Exploueu view of a uiffeient piototype Nagic Slate Seal.

Figuie 14 - Enu-on view of a piototype Nagic Slate Seal.

The seal inspectoi can iepoit the lettei (that is, the angulai position in figuie 14) wheie
he openeu the seal, anu the uigit oi symbol that was left on the cylinuei. If the seal was
pieviously openeu by the bau guys at a uiffeient lettei, oi the wiiting incoiiectly
counteifeiteu, the uigit oi symbol left on the cylinuei will be wiong oi missing.

Alteinatively, the seal inspectoi can be tolu in auvance at what lettei to open the seal,
anu what uigit oi symbol he shoulu then see on the cylinuei.

Theie aie seveial options foi ieusing the seal:

1. If uesiieu, the seal inspectoi can ie-close the seal, keeping the coiiect lettei aligneu. Be
then woulu ianuomly iotate the knob. The seal can then be checkeu again at a latei uate

82
foi tampeiing. (Although S of the 6 uigits woulu have been eiaseu foi the piototype shown
in figuies 1S anu 14, we uon't caie, since we aie only inteiesteu in one of the uigits, anu
which one that is will be kept a seciet.)

2. The usei can uiscaiu the cylinuei (oi ietuin it to the factoiy foi ieuse) anu open a blistei
pack with a fiesh cylinuei pieviously piinteu at the factoiy.

S. The oiiginal cylinuei can be ieuseu in the fielu by wiiting new ianuom uigits oi symbols
on the cylinuei by hanu.

4. The usei can piint new ianuom uigits oi symbols on the cylinuei using a small ink
piintei oi a one-time use "caibon" papei pioviueu by the seal manufactuiei.

We founu it most effective to use "white boaiu" uiy eiase maikeis foi the eiasable
wiiting in oui piototypes because a gieat ueal of engineeiing has gone into making the
"ink" completely eiasable, even many months aftei being applieu to a suiface. Biy eiase
maikeis aie also quite inexpensive. 0thei types of eiasable "inks" aie also possible,
howevei, incluuing caibon black anu fiangible paints such as Toique Seal (0iganic
Piouucts Company, Iiving, Texas). Pie-oiling the cylinuei piioi to applying the wiiting
enhances the eiasability of most inks.

Note that with the piototype shown in figuies 1S anu 14, the auveisaiies have a 1 in 6
chance of opening the seal at its coiiect angulai position. (This is because theie aie 6 lettei
positions on the enu of the male half of the seal in figuie 14.) They uo not get a seconu
chance if they guess wiong.

If bettei ouus aie uesiieu than 1 in 6, the Nagic Slate Seal can be uesigneu much like the
common bicycle lock shown in figuie 1S. Theie woulu be S-S uiffeient iings that the usei
woulu iotate (insteau of just the male enu of the seal). 0nly if the slots in all the iings
coiiectly lineu up woulu the eiasable wiiting be safe fiom uestiuction when the seal was
openeu.

Figuie 1S - A commeicial 4-uigit combination lock that uses alignment slots. Each of the 4 uisks has an
inteinal slot. 0nly when the slots align (at the coiiect combination) will the lock open. This type of uesign
coulu be useu to inciease the numbei of possible "combinations" foi the Nagic Slate seal, though a moie
secuie uesign woulu be necessaiy than exists on this inexpensive bicycle lock.

83
0'&)$' 5L 7 ,<-#< ,'*+

Type: novel conventional seal
Status: concept
Applications: low to meuium level secuiity.

The skunk seal concept is baseu on using the human sense of smell to uetect if a seal has
been openeu. Foi this seal, a semi-volatile chemical which has a stiong, uefinitive ouoi at
low concentiations is placeu insiue the seal. Nany ouoious chemicals can be uetecteu anu
iuentifieu by the nose at pait-pei-billion (ppb = 1u
-9
) to pait-pei-million levels. |2Sj Foi
example, meicaptans, which aie often auueu to natuial gas as a safety measuie to impait
an ouoi (anu useu by skunks as a uefensive measuie) can typically be uetecteu at
concentiations of a few ppb. Pleasant ouois coulu also be useu.

When the seal is openeu, a small chambei oi vial containing the liquiu chemical is
iuptuieu. Alteinately, micioencapsulateu foims of the chemical ("Sciatch-n-Sniff"
technology) coulu be ciusheu to ielease the chemical vapoi.|24j Yet anothei appioach is to
let two chemicals ieact when the seal is openeu to piouuce the ouoi of inteiest.

Whatevei the ouoi-geneiating mechanism, the vapoi woulu be alloweu to escape slowly
thiough micioscopic holes in the seal. If the chemicaleithei piioi to iuptuiing the
chambeivial oi afteiis alloweu to soak into a poious membiane, fabiic, oi mateiial with
laige suiface aiea, ueep capillaiies, anuoi fissuies (such as poious vycoi glass|2Sj), the
smell will peisist foi some time. If uesigneu coiiectly, an auveisaiy woulu have uifficulty
iinsing out the seal sufficiently to mask the ouoi, especially if the inteiioi of the seal, oi
piinting on it, was uesigneu to uissolve in watei oi othei liquius.

Replacing the seal with a counteifeit, on the othei hanu, leaves the auveisaiy with the
pioblem of putting enough of the coiiect chemical (which might not be easy to iuentify
without high-tech methous) into the counteifeit seal to pioviue a stiong ouoi when the seal
inspectoi opens the seal. Be might also tiy to captuie enough of the ieleaseu ouoi fiom the
oiiginal seal to loau up the counteifeit seal, but that might be challenging, especially
outuoois.

Inspection involves sniffing the seal piioi to opening it to be suie no ouoi is piesent, then
opening the seal, followeu by sniffing it again to be suie the coiiect ouoi gets geneiateu. (If
not, the seal is piobably a counteifeit, oi else has pieviously been openeu anu "aiieu out"
foi a long time.) A companion "Sciatch-n-Sniff" stickei (kept sepaiately by the seal
inspectoi) coulu help him iecognize the coiiect ouoi in the fielu.

An auveisaiy might be tempteu to chill the seal so that the chemical fieezes anu its vapoi
piessuie uiops to neaily zeio. When the seal eventually waims up, howevei, the chemical
will stait to vapoiize. Noieovei, it shoulu be possible to uesign the seal so that the
chambei oi vial contains watei (oi a wateianti-fieeze solution) anu fiactuies when
excessively chilleu uue to the expansion of the liquiu as it fieezes. This woulu ielease the
scent chemical.

84

If the exact smell useu foi each seal was kept seciet, auveisaiies woulu not know in
auvance which chemical to expect. The seal inspectoi coulu iepoit to heauquaiteis what
heshe smelleu when the seal was openeu (stiawbeiiy, vanilla, toluene, meicaptans, etc.),
peihaps by matching with a numbei of "Sciatch-n-Sniff" stickeis. In this way, heauquaiteis
woulu know that the seal was actually inspecteu.

It is also possible to use commeicial, hanu-helu, batteiy-poweieu oiganic vapoi
uetectois insteau of the human nose. 0nits that cost between $2uu anu $6uuu can
(uepenuing on the chemical) typically uetect concentiations in aii 1 to 2 oiueis of
magnituue lowei than can be uetecteu by the sense of smell. Such instiumentation,
howevei, complicates the inspection piocess. It also iemoves the inspectoi fiom uiiect
inteiaction with the sealsomething that is not conuucive to optimal secuiity.

0'&)$' 5M 7 N#()7O&)4'#$' ,<-#< ,'*+

Status: concept

It shoulu be possible to uesign the Skunk Seal as an anti-eviuence, passwoiu seal (eithei
mechanical oi electionic). The coiiect passwoiu oi mechanical combination woulu be
neeueu to safely open the seal without ieleasing the ouoi. (If the seal was mechanical
insteau of electionic, it might be uesigneu similai to the mechanical Nagic Slate Seal
uiscusseu above.) The seal coulu then be openeu multiple times by the goou guys without
ieleasing the ouoi. In effect, the lack of ouoi is the "anti-eviuence"|16j that gets "eiaseu"
when the ouoi is geneiateu by the act of opening the seal.

0'&)$' 56P 7 3#&'.1' ,<-#< ,'*+

Status: concept

If a highly volatile chemical is placeu in the skunk seal, insteau of a semi-volatile chemical
as uesciibeu above, the inveise appioach can be useu. When the seal is openeu, the
chemical will be ieleaseu anu iapiuly evapoiate away, leaving no smell when the seal is
latei openeu by the seal inspectoi. In this case, the absence of the coiiect smell inuicates
tampeiing.

0'&)$' 566 7 N#()7O&)4'#$' 3#&'.1' ,<-#< ,'*+


85
Status: concept

The inveise skunk seal can be uesigneu so that the coiiect passwoiu oi combination
woulu allow the goou guys to safely open the seal multiple times without ieleasing the
volatile chemical.

0'&)$' 56> 7 K*C8*C

Type: complexity (anti-eviuence) seal (anu tag)
Status: 0.S. patent 6,784,796 |26j; uemonstiateu with vaiious piototypes
Applications: meuium to high level secuiity; can monitoi volumes, not just
poitals as with conventional seals

Figuie 16 - The NagTag concept. A complex aiiangement of ianuomly oiienteu peimanent magnets of
vaiying stiengths cieates a veiy complex magnetic fielu outsiue the containei. This will change if one oi
moie of the magnets is moveu oi iotateu.

The NagTag seal is baseu on the fact that BC (constant) magnetic fielus, such as those
geneiateu by peimanent magnets, aie viitually unattenuateu by most mateiials incluuing
woou, plastic, watei, conciete, soil, anu only weakly attenuateu by most metals. Thus, if we
place peimanent magnets ianuomly thioughout the inteiioi volume of a containei (oi
tianspoit vehicle), we can tellfiom the outsiueif they have been iemoveu oi slightly
moveu baseu on changes in the exteinal magnetic vectoi fielu geneiateu by the magnets.
At each point in space, the magnetic fielu is the vectoi sum of the magnetic fielus of all the
magnets.

Foi a sufficiently complex configuiation of magnets insiue the containei, an auveisaiy
can't iestoie the oiiginal magnetic vectoi fielu (at all points in space) with a uiffeient
configuiation. See figuie 16. In othei woius, a tampeiei must put the magnets back

86
exactly the way he founu them, with the same magnetic stiength, S-uimensional (SB)
location, anu oiientation, oi the tampeiing will be uetecteu. Bepenuing on the stiength of
the magnets anu the uistance fiom the gaussmetei (magnetometei), the SB positions anu
oiientations of the magnets may neeu to be ieplicateu with consiueiable accuiacy.

The moie magnetic fielu measuiements that the seal inspectoi can make at uiffeient
points in space (incluuing out of the hoiizontal plane), the moie uifficult it is foi an
auveisaiy to counteifeit the magnetic fielu ieauings. If these point aie kept seciet, the
tampeiei will have even gieatei uifficulty. Foi ioutine applications, measuiements at one
oi two uiffeient points in space outsiue the containei (oi tianspoit vehicle) aie piobably
sufficient. Foi bettei secuiity, measuiements shoulu be maue at S-8 locations. Kinematic
mounts can be useu to accuiately position the gaussmetei piobe. (See the uiscussion about
kinematic mounts in the section entitleu, "Bevice #2u - Auhesive Label Seal with Blink
Compaiatoi".)

Foi this kinu of appioach, it is impoitant that the caigo be well tieu uown. 0theiwise,
movements of the magnets uue to caigo shifting will be misinteipieteu as tampeiing.

Note that iaie eaith magnets (the stiongest kinu of peimanent magnet) aie veiy biittle.
If they aie well epoxieu to the caigo, oi to containeis oi pallets insiue the caigo aiea, an
auveisaiy may finu it challenging to iemove them foi ieuse without causing uamage. We
have also uesigneu mechanical "hysteiesis" mounts that make it uifficult to exactly
ieposition a containei oi its liu once the containei has been moveu oi openeu.

Theie is a way, howevei, to obtain even bettei tampei uetection. If we uesign a magnet
to move iiieveisibly when the tianspoit vehicle's uooi is openeu oi closeu, oi when the
caigo is moveu, oi when a containei liu is iemoveu, then it will be even haiuei foi a
tampeiei to escape uetection. We have successfully uemonstiateu such "chaotic
sciambling mechanisms" on uoois, filing cabinets, anu uiaweis.|26j These ianuomize the
magnet's oiientation anu sometimes also its position. To avoiu uetection, an auveisaiy
may neeu to put the magnet back to within a few meteis anu aic-seconus of oiientation,
especially if we can get the gaussmetei close to the magnet. The auveisaiy cannot simply
glue uown the magnet in its coiiect location anu oiientation, because this woulu keep it
fiom moving the next time the uooi oi liu is openeu. Simple captuie mechanisms
guaiantee that a magnet will become tiappeu in place when the uooi, uiawei, oi containei
is fully closeu anu thus will not move uuiing tianspoit (unless tampeiing occuis).

Foi eithei the static magnet application, oi the chaotically sciambleu magnets, the
magnetic fielu can be measuieu outsiue the containei oi tianspoit vehicle using
commeicial hanuhelu, batteiy-poweieu ioom-tempeiatuie gaussmeteis (1 nT iesolution
along S axes, ~$Suuu), with commeicial magnetometei sensois (1u-1uu nT iesolution
along 2 axes, ~$2u), oi with soliu-state Ball Effect sensois (~2uu nT iesolution, ~$2)
mentioneu in the section on the Talking Tiuck Caigo Seal.

With the most sensitive commeicial, ioom-tempeiatuie gaussmetei, a single iaie eaith
magnet (iesiuual inuuction=1SSuu gauss) of cylinuiical uimensions 2.S cm in uiametei by

87
2.S cm long (~$7 each) can be uetecteuoi its absence noteufiom S meteis away, even
thiough a containei, tiuck, oi tianspoitainei wall.|27j Laigei magnets can be uetecteu at
even gieatei uistances. Table 1 shows the sensitivity to tianslation anu iotation foi this
same 2.S cm x 2.S cm cylinuei magnet, assuming 2u nT sensitivity, foi vaiious uistances
fiom the gaussmetei. When it is possible to get to within a few cm of the magnet, as will be
the case when a single magnet is applieu to a uooi oi a containei liu, the magnet can be
quite small anu of about the same stiength as a iefiigeiatoi magnet.

Table 1 - Sensitivity to tianslation anu iotation of a iaie eaith magnet, 2.S cm in uiametei anu 2.S cm in
length, assuming 2u nT iesolution.

uistance fiom minimum uetectable minimum uetectable
magnet (meteis) magnet uisplacement* magnet iotation
u.2u u.1 m u.6 aic mins
u.2S 11 m u.9 aic mins
u.Su 16u m 7 aic mins
1.u 2.6 mm u.9
1.S 1.S cm 2.9
2.u 4 cm 6.8

________________________
* Along a line between the magnet anu the gaussmetei.

Neithei the oiientation of a tianspoit vehicle with iespect to the Eaith's magnetic fielu,
noi the natuially occuiiing uiifts in the Eaith's fielu (typically < 1% in magnituue anu u.1
oiientation pei yeai) neeu concein us. This is because we can make a quick calibiation
measuiement of the backgiounu fielu befoie measuiing the NagTag magnet(s). AC
magnetic fielus fiom motois anu electiical equipment also piesent no pioblem because we
aie making BC measuiements.

Some of the attiactive attiibutes of NagTag incluue:

- Theie is nothing outsiue the closeu containei to suggest tampei uetection. The
magnetometei oi gaussmetei can be taken away between measuiements; it is not
necessaiy to monitoi the magnetic fielu continuously.

- We can "ieau" the tagseal as many times as we want fiom the outsiue without
having to open the containei oi tianspoit vehicle.

- No electiical powei oi batteiies aie neeueu until we wish to check the NagTag, anu
then only foi the seal ieauei (the gaussmeteimagnetometei).


88
- The (iaie eaith) peimanent magnets aie ieusable, ielatively inexpensive, anu will
last foi uecaues.

- In auuition to uetecting tampeiing, the aiiangement of magnets also seives as a kinu
of tag to uniquely iuentify the containei oi tianspoit vehicle, oi its contents.|26,27j

0'&)$' 56@ 7 8'9?'.'4 Q+*11 ,'*+

Status: 0.S. patent 6,SSS,9Su |28j; paitially woiking piototypes have been
constiucteu

It is unfoitunate that glass has been laigely oveilookeu foi use in tampei uetection. ulass
has many uesiiable piopeities incluuing:

- inexpensive
- full tianspaiency (so the inteiioi of the seal can be inspecteu without
opening it)
- chemical ineitness (thus outstanuing iesistance to coiiosion anu aging)
- iesistance to ultiaviolet light & ionizing iauiation
- can hanule tempeiatuie extiemes
- ielatively light weight
- gieat stiength anu haiuness (though consiueiable biittleness)
- ability (in tempeieu glass) to stoie enoimous stiesses that can be ieleaseu
when the glass is cut oi uiilleu, thus seveiely uamaging the glass; this can
be a veiy successful tampei-uetecting mechanism
- can be tiicky to iepaii in the fielu
- is an electiical insulatoi, making it safe to use aiounu electiicity
- each batch of glass has a unique chemical "fingeipiint" uue to tiace
impuiities
- iequiies glass blowing skills to manufactuiei & is non-machinable (making
counteifeiting by novices uifficult)

The iuea with the Tempeieu ulass Seal is to cieate two glass tubes that can be
iiieveisibly snappeu togethei using an inteinal locking iing.|28j See figuie 17. Note that
once the two halves of the seal aie snappeu togethei, an auveisaiy only has access to glass,
not to the inteinal locking iing. It is thus extiemely uifficult to pick the seal open.

The glass tubes aie manufactuieu so as to contain the appiopiiate level of inteinal
stiesses. This can be caiefully aujusteu by contiolling the amount of tempeiing.
Tempeiing means to cool the glass ielatively quickly, in a contiolleu mannei, fiom above
the annealing tempeiatuie so as to geneiate inteinal compiession anu tension aieas uue to
uiffeiential cooling. Automobile winushielus oi glass bathioom showei uoois, foi example,

89
aie tempeieu to cieate gieat stiength, anu to allow them to fail in a safe mannei, i.e.,
without shaip shaius.

Figuie 17 - Schematic of the Tempeieu ulass Seal. The two halves of the seal (bottom) aie shown snappeu
iiieveisibly togethei (top) using the inteinal locking iing, 18. Elements 16 anu 2u aie aiitight 0-iings that
keep piessuie in anu moistuie anu uiit out. Fiom 0.S. Patent 6,SSS,9Su.

The tempeieu stiesses in the glass tubes aie not so high as to cause the glass to exploue
simply to bieak into multiple pieces if cut, saweu, oi uiilleu. The tempeiing is aujusteu to
make suie that the seal can withstanu the usual foices encounteieu in ioutine hanuling anu
tianspoit.

A seiial numbei can be placeu insiue the seal with a piinteu banu oi tube, etcheu on the
outsiue oi insiue of the glass (befoie tempeiing) using mechanical oi chemical etching, oi
piinteu on the outsiue of the glass using ink.

If tempeieu coiiectly, the glass seal will uisintegiate if the suiface is scoieu, saweu, cut,
uiilleu oi giounu, yet the seal can be hanuleu veiy ioughly without uamage if the suiface is
not gougeu. Piopei tempeiing will pievent the seal fiom fiactuiing into shaip shaius when
the suiface is uamageu. If shaius aie neveitheless a concein, oi if the seal will be subject to
seveie banging anu abiasion in iegulai use, a cleai plastic coating oi sleeve can be placeu
aiounu the glass to piotect it.

The seal is iemoveu by simply scoiing it with a file, oi giving it a shaip blow with a haiu
tool that uamages the suiface.

0'&)$' 56D 7 Q+*11 *#4 R%S4'. ,'*+


90
Type: complexity (anti-eviuence) seal
Cuiient status: mockups constiucteu; anothei possible embouiment of 0.S.
patent 6,SSS,9Su |28j

The ulass anu Powuei Seal is a vaiiation on the Tempeieu ulass Seal. Lightly packeu
insiue each seal half aie vaiious banus of fine coloieu powuei. See figuie 18. Each banu is
a uiffeient coloi anu peihaps thickness. The banus may be maue fiom uiffeient mateiials,
with a uiffeient textuie anu aveiage paiticle size. (Exotic chile powueis anu othei spices
woik well anu aie inexpensive.) Each seal half has a uiffeient set of banus, so that no ulass
anu Powuei Seal is iuentical to any othei. 0ne of the banus insiue each seal can be a
uesiccant powuei to keep the othei banus uiy.

The powuei banus can be packeu by mechanically stuffing them into the glass tubes with
a iou (something like loauing an olu style musket). Alteinately, the powueis can be moie
quickly loaueu into the tubes by placing the tubes on a slow-spinning centiifuge, anu
intiouucing each powuei into the tube thiough a small Teflon tube uown the centei of the
centiifuge. (Bigh speeu centiifuging is not uesiieu since we uo not want the powueis to
become too uensely packeu.) Aftei all the powuei banus aie in place, the enu of each seal
half is pluggeu with steel oi glass wool, cotton fibeis, a thin plastic stoppei, oi an epoxy
plug to keep the banus fiom moving.

Each tube might contain one oi moie small aii pockets, paiticulaily at the closeu enu of
the tubes. These aii pockets can be piotecteu fiom the powueis by a glass fiit with
micioscopic holes. The aii pockets aie unuei mouest piessuie. This can be easily achieveu
by cooling the glass tubes piioi to sealing. The piessuiizeu aii pockets aie intenueu to
launch the powueis if the glass tube fiactuies. (Theie may, howevei, be enough aii in the
spaces between powuei paiticles to accomplish the same thing without any macioscopic
aii pockets.)
Figuie 18 - Nock-ups of the ulass anu Powuei Seal, with powuei banus of vaiying coloi, composition, anu
paiticles shown.

91

If an auveisaiy tiies to cut, saw, uiill, oi giinu the seal, the tempeieu stiesses causes the
glass seal to bieak into many pieces. Also, the inteinal (unknown) positive piessuie insiue
the seal, launches the powuei. Both mechanisms uispeise anu mix the powueis anu
uestioy the banus. Tiying to gathei up the powueis so as to iecieate the banu pattein is
not impossible, but it woulu be a time-consuming, non-tiivial task foi an auveisaiy.
Accuiately counteifeiting the coiiect coloi oi ieflectance foi each powuei woulu also be
non-tiivial, as woulu chemically counteifeiting the powueis.

To check the seal foi signs of tampeiing, the seal inspectoi holus up a smallei glass tube,
containing the same banus of coloieu powuei. This tube was loaueu at the same time as
the seal with the same powueis in the same sequence. (Alteinately, a coloi image of the
banus piinteu on a slip of papei can be useu foi compaiison.) Beshe then uoes a siue-by-
siue compaiison with the sealiathei like compaiing tiee iings. Anothei way to ieau the
powuei banus is to scan them with a commeicial hanu-helu coloiimetei oi ieflectance
metei.

If uesiieu a small compiesseu metal oi glass spiing can be placeu in the glass tubes piioi
to loauing the powuei. When the seal is cut, saweu, oi uiilleu, the tempeiing causes the
glass to fiactuie. The foice stoieu in the spiing is then ieleaseu anu fuithei helps to
uispeise anu mix the powueieu banus.

Foi a highei level of secuiity, the powueis anuoi glass can be analyzeu foi tiace
impuiities to veiify theii authenticity.

0'&)$' 56F 7 Q+*11 T)&'(

Type: novel conventional seal oi complexity seal
Cuiient status: concept only; anothei possible embouiment of 0.S. patent
6,SSS,9Su

Rivets conventionally useu on the hanule of tiuck anu tianspoitainei uoois aie a pioblem
foi effective caigo secuiity. See figuie 19. Especially wheie ocean salt aii is involveu, the
iivets aie often seveiely coiioueu anu neaily ieauy to fall off. When uiity anu coiioueu,
they aie uifficult to inspect. Commeicial caigo thieves know this anu often uiill out the
iivets oi cut them off with a zip gun. They can then open the tiuck oi tianspoitainei uooi
by iotating the veitical locking iou without uistuibing the lock oi seal on the hanule.
Counteifeit iivets aie easy to put back, if the thieves wish to hiue theii attack.


92

Figuie 19 - Tianspoitainei showing a lock on the hanule. The aiiow points
to the hanule's iivet that is a souice of vulneiabilities foi caigo theft.

It woulu make moie sense to uiiectly lock oi seal the veitical locking iou in figuie 19
than to lock oi seal the hanule. Theie is, howevei, often consiueiable iesistance on the pait
of caigo hanuleis to changing the long tiauition of checking the lock oi seal at the hanule.
0ne way to fix this pioblem is to ieplace the steel iivet on the hanule with a soliu glass
"iivet". This iivet consists of two tempeieu, soliu glass pieces with an inteinal containment
(locking) iing to snap them iiieveisibly togethei, similai to how the two halves of the
Tempeieu ulass Seal snap togethei iiieveisibly. See figuie 2u.

Being maue of glass, the iivet will not coiioue. Its tianspaiency peimits a full inspection
of the glass iivet's integiity insiue anu out. The glass stiength is sufficient to withstanu
oiuinaiy caigo hanuling, yet if the glass iivet is uiilleu, cut, saweu, oi giounu, the tempeieu
stiesses will cause the iivet to seveiely fiactuie. 0nique "fingeipiint" iuentifieis can be
auueu to the glass iivet such as inteinal oi exteinal seiial numbeis on the back of the iivet,
oi uyes oi inteinal ieflective paiticles blenueu into the glass. A tiace analysis of the glass
itself is also an excellent, haiu to counteifeit fingeipiint.

If the inteiiois of the iivet halves aie paitially hollow, a seiies of powuei banus, oi else a
2-uimensional aiiay of powueis, like a 2B sanu painting, can be useu to make each iivet
unique. See figuie 21.


93

Figuie 2u - ulass Rivet with inteinal locking iing, shown
unassembleu (left) anu assembleu (iight).

Figuie 21 - Nockup of a tempeieu glass cap (one-half of a glass iivet) with a two-uimensional complex
powuei pattein. (What is shown heie is slightly laigei than woulu be useu foi a glass iivet.) The powuei
incluues glittei paiticles. The tempeiing means that any attempt to cut, uiill, saw, oi otheiwise uamage the
glass iivet will cause the powuei to become sciambleu. The othei half of the iivet (not shown) snaps
iiieveisibly to this glass cap via an inteinal metal locking iing.

94
0'&)$' 56H 7 U*1?+'11 R+-C ,'*+

Type: novel conventional seal oi lock
Status: woiking piototypes of seveial uiffeient uesigns have been constiucteu
Applications: low level secuiity, oi to uelay an auveisaiy

Nany conventional seals (as well as locks) iequiie a hasp. Without a hasp, theie may be
nothing to attach the seal (oi lock) to. A lot of containeis, howevei, aie not specifically
uesigneu with a hasp. They can sometimes be ietiofitteu with a hasp using weluing oi an
epoxy, oi by uiilling a hole thiough the containei liu, but such auu-on hasps aie often
highly vulneiable to attack. Noieovei, ceitain containeis cannot be mouifieu in this way
because it woulu change theii geometiy, affect theii safety, anuoi voiu theii ceitification.

Containeis that uo not intiinsically come with a hasp often have a liu, covei, oi cap that is
attacheu to the main bouy of the containei with bolts oi sciews. To gain access to the
containei contents, these sciews oi bolts must fiist be unscieweu so that the liu, covei, oi
cap can be iemoveu.

0ui Plug "Seal" allows a seal (oi lock) to block access to a sciew oi bolt holuing on the
containei liu, covei, oi cap. The plug uevice is inseiteu into the bouy hole useu foi the
sciew oi bolt. No mouification to the sciewbolt, bouy hole, oi containei liu is necessaiy.
Bepenuing on the containei uesign, moie than one Plug Seal may be neeueu if multiple
sciews oi bolts iequiie piotection.

Figuies 22 anu 2S show one possible uesign. The concept is basically as follows: the plug
shown on the iight in figuie 22 is inseiteu into the bouy hole foi the bolt. The nut on the
uevice is tighteneu using the "wiench" shown to the left in figuie 2S. This foices the
washei to squeeze on the iubbei plug, causing it to expanu iauially anu become weugeu
into the bouy hole. The nut can be tighteneu to the point that seveial hunuieu pounus of
foice (oi moie) aie iequiieu to pull the plug out of the hole.

Spikes can be attacheu to the ciicumfeience of the iubbei so that the foiceu expansion of
the iubbei plug uiives the spikes into the bouy hole wall, fuithei iesisting the iemoval of
the plug. This may, howevei, uamage the bouy hole.

The plug can be attacheu to a stainless steel tube, as shown in figuie 2S, piioi to
compiessing the iubbei. Aftei compiessing the iubbei, a conventional paulock oi seal is
inseiteu thiough the hole (hasp) in the haiueneu steel tube. This paulock oi seal blocks
access to the plug nut so that it cannot be easily iemoveu fiom the hole without iemoving
the paulock oi seal fiist. The wiench is then useu to loosen the nut on the plug. This
ielieves the piessuie on the iubbei anu the plug can then be pulleu out of the hole with
minimal foice.


95

Figuie 22 - 0ne implementation of the Plug Seal. The "wiench" at the left is useu to iotate the nut at the left
enu of the plug aftei the plug has been inseiteu into a bolt hole. This compiesses the iubbei, causing it to
expanu insiue the bolt hole. Theie aie othei possible mechanisms foi compiessing the iubbei as well.

Figuie 2S - The plug is shown mounteu to a haiueneu steel tube, which is placeu insiue a simulateu bolt bouy
hole. Aftei the plug's iubbei is expanueu, a stanuaiu commeicial bolt seal, passing thiough a hasp in the steel
tube, blocks easy access to the plug. This makes making iemoval of the plug (so that the bolt can be accesseu)
moie challenging if an auveisaiy wishes to leave no eviuence of accessing the containei contents.

Figuie 24 shows anothei appioach that makes use of the Tempeieu ulass Cap that was
shown in figuie 21. The assembly is then totally flush with the containei wall, leaving
nothing foi an auveisaiy to tug on.

96

Figuie 24 - Anothei way to piotect the plug in the bolt hole is with the Tempeieu ulass Cap fiom figuie 21.
It snaps iiieveisibly to the plug using an inteinal locking iing. Being flush, theie is little foi an auveisaiy to
giab onto in oiuei to attempt to iemove the plug, which is being helu tightly in place because of the expansion
of the plug's iubbei. To gain access to the bolt, the glass cap can be stiuck with a centei punch. The
tempeiing makes the blow cause the cap to uisintegiate, uestioying the unique two-uimensional powuei
"sanu painting" seen in the photo.

0'&)$' 56J 7 O7G-? 3#1'.(

Type: enhancement of conventional seals, paiticulai the metal (E-cup) seal
Status: 0.S. patent 6,S88,812 |29j; a woiking piototype has been constiucteu

The E-cup seal, also known as the "metal cup seal, type e" oi the "cup wiie seal" has been
wiuely useu foi 0.S. uomestic nucleai safeguaius foi seveial uecaues. See figuie 2S. The
Inteinational Atomic Eneigy agency (IAEA) has its own, moie complex veision of the seal.

Figuie 2S - Some commeicial wiie loop seals, incluuing the E-cup on the left.


97

Figuie 26 - The inseit, with its shaip baibs, is shown between the two
halves (Elements 4u & 42) of the E-cup. Fiom 0.S. Patent 6,S88,812.

The E-cup seal consists of a stiing, single wiie, oi stianu of wiies, togethei with two small
metal cups that aie meant to snap togethei in a (supposeuly) iiieveisibly mannei. Piioi to
snapping the two metal halves togethei, the wiie oi coiu passes thiough the hasp on the
containei to be sealeu. The two enus of the wiie oi coiu aie then passeu thiough sepaiate
holes in one of the cups. The enus of the wiie oi coiu aie then ciimpeu oi tieu togethei,
anu the two cup halves aie snappeu togethei.

Some of the potential attacks on the E-cup may involve flexing, skewing, oi compiessing
the metal halves. To countei this, an inseit of the kinu shown in figuie 26 with shaip, haiu
baibs can be placeu insiue the two cups piioi to snapping them togethei. This inseit will
cause obvious uamage to one oi both of the cups shoulu such manipulation of the E-cup be
attempteu.|29,Suj The inseit uoes not inteifeie with the noimal sealing piocess, noi uoes
it iequiie any changes in the manufactuie of the E-cup seal.

An auuitional auvantage of the inseit is that it can, if uesiieu, be useu to moie secuiely
anu iepeatably captuie the enus of the seal's wiie oi stiing.|29j

The same inseit concept woulu woik foi othei kinus of seals that have an inteinal innei
cavity between two halves that snap togethei.


98
0'&)$' 56L 7 K-+()7,(.*#4 V).' ;%%? ,'*+

Type: enhancement of conventional wiie loop seals
Status: concept

0ne possible categoiy of attacks on conventional "wiie loop" seals (such as the E-cup in
figuie 2S) involves splicing the wiie that passes thiough the hasp. An auveisaiy can uo this
quite a numbei of uiffeient ways, incluuing using solueiing, biazing, weluing, epoxies, oi
othei wiie iepaii methous. A competent splice attack can be uifficult anu time-consuming
to spot with manual inspection.

Foi iobustness, many wiie loop seals use stianus consisting of 2-4 wiies, sometimes
twisteu aiounu each othei. The iuea with the Nulti-Stianu Wiie Loop Seal is that the
inuiviuual "wiies" shoulu be maue of highly uissimilai mateiials, insteau of the same
mateiials as is cuiiently uone. This can potentially complicate anu uelay a splicing attack.

Foi example, if the inuiviuual wiies have melting oi flammability tempeiatuies that aie
veiy uiffeient, theimal splicing methous like solueiing, biazing, oi weluing that woulu
woik on one of the wiies might uestioy an aujacent wiie maue of a uiffeient mateiial with
a much lowei melting oi flammability tempeiatuie. If nothing else, mateiials with highly
uispaiate piopeities iequiie an auveisaiy to become pioficient at executing a wiue vaiiety
of uiffeient splicing skills.

Nateiials that can be maue into benuable "wiies" with veiy uissimilai piopeities that
woulu iequiie veiy uiveise (anu sometimes uifficult) splicing techniques incluue plastics
anu othei polymeis, glasses, ceiamics incluuing aluminum oxiue, clays, aluminum alloys,
pewtei, stainless steels, titanium, self-lubiicating micio-poie biass, plant stalks oi fibeis,
textile fibeis, anu liquiu- oi gel-filleu tubes. Tungsten is a potentially inteiesting mateiial
foi tampei-uetection because tungsten wiies fiay longituuinally when cut tiansveisely.

0'&)$' 56M 7 8)'70/' ,'*+

Type: novel conventional seal oi complexity seal
Status: paitially uemonstiateu
Applications: meuium to high level secuiity; can monitoi volumes oi aieas, not
just poitals as with conventional seals

Coloi can be a uifficult piopeity to accuiately counteifeit, thus making it of inteiest foi
tampei uetection. Small, inexpensive soliu-state coloi sensois with iemaikable coloi
iesolution aie now commeicially available. These peifoim piecise coloi measuiements
that weie pieviously available only with expensive hanuhelu coloiimeteis. Foi example,
the TA0S TCS2Su coloi sensoi (~$2.Su each) outputs RuB coloi values fiom an electionics
package appioximately S x 6 x 1.7 mm in size.|S1j


99
Foi a Tie-Bye seal (piototype shown in figuie 27), the coloi sensoi is placeu insiue the
hollow bouy of the seal anu iigiuly mounteu. A white LEB is useu to pioviue illumination
insiue the seal, though this uoes not neeu to iun continuously, but can insteau be tuineu on
a ianuom, unpieuictable times so that a coloi spectium can be measuieu inteimittently.

Figuie 27 - Woiking Tie Bye Seal piototype.

The insiue of the seal is painteu with a complex vaiying coloi pattein, not unlike the "Tie-
Bye" T-shiits populai in the 196u's. Because this inteiioi coloi pattein is so complex, it is
uifficult foi an auveisaiy to counteifeit it in oiuei to tiy to uefeat the seal. Noieovei, any
movement oi change in location of the sensoi with iespect to the coloieu backgiounu is
instantly uetecteu as a substantial change in the coloi spectium. (This might not be the
case if the backgiounu was unifoimly painteu.) Any object such as a pick tool, even if quite
small, that passes between the coloi sensoi anu the coloieu backgiounu will also instantly
cause a change in the coloi spectium. Theie is no one coloi that the tool coulu be painteu
that woulu allow it to blenu into the backgiounu as it moves. Noieovei, any ambient light
that is alloweu insiue the seal when the seal is cut open will also be uetecteu by the coloi
sensoi.

To make things even moie uifficult foi an auveisaiy, we can use S uiffeient LEBs, one
ieu, one gieen, anu one blue to pioviue the illumination insiue the seal. They will be tuineu
on in unison at ianuom, unpieuictable times to allow a coloi measuiement. Each time they
aie tuineu on, howevei, each LEB will have its own ianuom intensity. Thus, the coloi
spectium seen by the coloi sensoi at any given time cannot be easily pieuicteu by the
auveisaiy in auvance.

The miciopiocessoi in the seal, on the othei hanu, can calculate the expecteu coloi
spectium foi any combination of LEB intensities. This is because it has iun thiough coloi

100
calibiation cuives (when the seal was fiist installeu) by illuminating each LEB one at a
time. This is a luxuiy not available to the auveisaiy.

To spoof the coloi sensoi, an auveisaiy neeus to measuie the intensity of the S uiffeient
LEBs, then figuie out what coloi spectium to counteifeit. This must be iepeateu each time
the LEBs light up.

Note that this appioach uoesn't neeu to be limiteu to the inteiioi of a seal. The concept
can be scaleu up to laige containeis, oi even entiie vaults oi caigo-holus.

0'&)$' 5>P 7 N4B'1)&' ;*I'+ ,'*+ S)(B E+)#< G%9?*.*(%.

Type: impioveu conventional seal & complexity seal
Status: uemonstiateu

Piessuie sensitive auhesive labels seals aie populai foi many secuiity applications,
incluuing nucleai safeguaius. These seals aie inexpensive, anu consiueieu to be easy foi
ielatively untiaineu peisonnel to apply. In oui view, howevei, auhesive label seals uo not
pioviue ieliable tampei uetection.|S2j We have uemonstiateu on many uiffeient
piouuctsincluuing those useu foi nucleai safeguaiusthat they aie typically easy to
counteifeit, anu even easiei to lift anu ieplace without leaving any notewoithy eviuence.

Bighly fiangible label seals aie sometimes useu baseu on the hope that they can moie
ieliably uetect tampeiing. Such seals, howevei, aie usually uifficult foi the seal usei to
apply without causing moie initial uamage than an auveisaiy neeus to inflict in executing
an attack. Bighly fiangible seals, moieovei, aie not sufficiently iobust foi most tianspoit
applications.

Auhesive label seals become fai moie useful if "befoie" anu "aftei" images of the seal can
be compaieu visually using a blink compaiatoi. Blink compaiison is a 12u-yeai olu
technique foi quickly spotting any uiffeiences between two similai images.|SS,S4j The
technique was useu to uiscovei the planet Pluto anu is still useu to efficiently uiscovei new
asteioius anu othei astionomical objects, anu foi meuical imaging.|S4,SSj

Foi a blink compaiison, iegisteieu images aie alteinately uisplayeu, typically alteinating
at a iate of 4-4u times pei seconu. Any uiffeience appeais quite uiamatically as movement.
This is the visual phenomenon that makes television anu movies woik: Still images aie
shown in iapiu sequence. Any uiffeience is inteipieteu by the human biain as movement.

In a mechanical blink compaiatoi, sepaiate photogiaphs aie vieweu thiough a half-
silveieu miiioi. The photos aie alteinately illuminateu, typically so iapiuly that they
appeai to be one image. Nowauays, a blink compaiatoi is most easily implementeu on a
computei scieen using uigital images. We have wiitten anu uemonstiateu oui own blink
compaiatoi piogiam foi use with seals, incluuing auhesive label seals.

101

A blink compaiatoi can be a iemaikably poweiful tool foi allowing an obseivei to
instantly spot even minoi uiffeiences between two images. This is uone at a subconscious
level, so that it is neaily effoitless foi the obseivei to inteipiet blinkei images. Foi many
applications, a human obseivei piopeily using a blink compaiatoi can outpeifoim even
veiy sophisticateu computei image compaiison algoiithms, both in teims of speeu anu
accuiacy. It might seem likely that seal examinations woulu be highly subjective using a
blink compaiatoi. In piactice, howevei, theie is usually little oi no uisagieement between
expeiienceu useis of blink compaiatois as to whethei tampeiing is inuicateu.

Foi auhesive label seals, a blink compaiatoi woulu be useu as follows. Fiist, the seal usei
applies the auhesive label seal, then iecoius its uigital image. If the seal (oi containei it is
on) is likely to ieceive iough hanuling, oi be exposeu to a haish enviionment oi
consiueiable uiit oi uust, it is a goou iuea to piotect the seal with a covei oi iemovable
plastic sheet. When it is time to inspect the auhesive label seal, a seconu image of the seal is
iecoiueu. At some point, the "befoie" anu "aftei" images aie compaieu using a blink
compaiatoi. This can be uone quickly anu easily in the fielu using a notebook computei if
the "befoie" image can be secuiely tiansmitteu to the seal inspectoi, peihaps using
enciyption. (If an auveisaiy can tampei with eithei the befoie oi aftei image, he can easily
spoof the tampei uetection.)

Bigh iesolution images aie not neeueu foi ieliable blink compaiisons of auhesive label
seals. Images with Suu x 4uu pixels aie usually quite satisfactoiy, if in goou focus. In oui
expeiience, the most effective blink compaiisons occui on black anu white images; coloi
just uistiacts the obseivei. If coloi infoimation about the seal is thought to be of inteiest,
the ieu, gieen, anu blue (monochiome) planes shoulu each unueigo a blink compaiison
sepaiately.

We aie convinceu that the absolute key to blink compaiisons is using a goou kinematic
mount. This is a simple, inexpensive mechanical mount that can be useu to iepiouuce the
cameia position anu oiientation with iemaikable accuiacy.|S6j If uesigneu coiiectly, the
kinematic mount is even self-tempeiatuie compensating.

It is common to tiy to use a blink compaiatoi foi othei (non-seal) applications without
using a goou kinematic mount oi even no kinematic mount at all. This is a big mistake, anu
we suspect accounts foi why some people finu blink compaiatois only maiginally useful.
Attempting to iegistei (that is, "align") the images aftei the fact in a mannei that coiiects
foi uiffeient cameia optics, locations, angles, oi even skew, is invaiiably unsatisfactoiy,
even though the iegistiation may look visually acceptable.

Anothei auvantage of a goou kinematic mount is that lighting conuitions aie ielatively
unimpoitant. We have uemonstiateu foi auhesive label seals that a blink compaiatoi can
allow us to uetect veiy subtle eviuence of tampeiing even if the befoie anu aftei images
weie iecoiueu with veiy uiffeient mean illumination levels, anu seveiely uiffeient spatial
giauients in the lighting.


102
It is possible to use uiffeient cameias, anu even uiffeient kinematic mounts at the
shipping anu ieceiving enus. The cameias, howevei, shoulu be the same mouel anu use
iuentical optics. The kinematic mounts neeu to be well uesigneu.

0'&)$' 5>6 7 E'*4173#7N7E%W ,'*+

Type: complexity seal
Status: uemonstiateu, incluuing foi moving caigo
Applications: meuium to high level secuiity; can monitoi volumes, not just

Figuie 28 shows a polycaibonate box (2S x 2S x 2S cm) containing tianspaient,
compiessible toy balls of vaiious colois. These balls aie multi-faceteu anu close-pack faiily
efficiently when piessuie is applieu fiom above by the layei of foam locateu at the top of
the box, just insiue the hingeu liu. (Foi ieal caigo, the polycaibonate box can be ieplaceu
with an oiuinaiy ciate oi box having at least one winuow so that the contents can be
photogiapheu.)

Also visible in figuie 28, neai the centei of the polycaibonate box, is a woouen jeweliy
box. This contains the "assets" that we wish to check foi tampeiing. In oiuei to get to the
assets, an auveisaiy must move the multi-faceteu balls. To covei his tiacks, he must then
put them all back with consiueiable accuiacy, in teims of both S-uimensional position anu
angulai oiientation. Inueeu, even just opening the liu causes enough change in the tension
that a numbei of the balls move iiieveisibly.

An auveisaiy cannot glue the balls inuiviuually back into position, because when it is
time to inspect the containei, the seal inspectoi will check that the balls aie all inuepenuent
when he opens the containei.

The most effective way to uetect movement of the balls is with a uigital cameia anu a
blink compaiatoi. It is veiy easy to tell the uiffeience between a box that has not been
openeu, one that has hau the liu biiefly openeu, anu one wheie an auveisaiy iemoveu, then
latei ieplaceu the assets at the centei of the box. This is tiue even foi a box that has been
hanuleu veiy ioughly uuiing tianspoit.


103
Figuie 28 - An example of a beaus-in-a-box seal. The "beaus" in this case aie multi-faceteu silicone balls.
Any access to the box uistuibs the balls, which can be easily uetectecteu with a blink compaiatoi.

Figuie 29 - Anothei appioach foi ioughly-hanuleu caigo shipments wheie multi-faceteu plastic jeweliy
beaus aie hung in a plastic bag that is alloweu to fieely swing. The beaus aie ielatively stationaiy with
movement of the containei oi vehicle the bag is in, but ieauily move when the bag is uistuibeu oi openeu.


104
If the box will be subject to uiopping oi seveie shaking, a few of the balls move slightly
fiom such iough hanuling, but it is easy to tell the uiffeience between this anu tampeiing.
Neveitheless, if uesiieu, the amount of movement likely to occui uuiing shipment can be
testeu piioi to shipment by uelibeiately shaking oi uiopping the box, then compaiing the
"befoie" anu "aftei" images with a blink compaiatoi. This will inuicate which of the few
balls shoulu be uiscounteu if they move slightly aftei the ieal shipment ieaches its
uestination. (None of this is ielevant, of couise, if the assets iemain stationaiy uuiing the
peiiou of time we aie conceineu about tampeiing.)

Foi especially iough shipments, a bettei technique is uepicteu in figuie 29. In this case,
multi-faceteu jeweliy beaus aie useu. These, along with the asset(s) of inteiest, aie
vacuum packeu insiue a cleai, thin-walleu plastic bag. The tension on the plastic bag,
causeu by the piessuie uiffeiential between the insiue anu outsiue of the bag, keeps the
beaus viitually fiozen in place. If the bag is suspenueu fiom a penuulum mount, the beaus
aie viitually immune fiom inauveitent movement shoit of hanuling so iough that it
uamages the caigo.

Eithei the box oi bag technique can be scaleu up oi uown ovei a consiueiable size iange.
The balls oi beaus aie totally ieusable, making this a veiy inexpensive seal. With a goou
kinematic mount, only a few seconus aie iequiieu to iecoiu a uigital cameia image anu
compaie it with the "befoie" image using a blink compaiatoi on a notebook computei. 0f
couise, both the befoie anu aftei image must be secuiely tianspoiteu oi tiansmitteu to the
same location (not necessaiily the caigo uestination) so that they can be compaieu to
ueteimine if tampeiing took place.

Neithei the balls noi the beaus in figuies 28 oi 29 inteifeie with gamma iay
measuiements, oi if communications. Also, the balls oi beaus can pack aiounu electionic
cables leauing to oi fiom the inteiioi, oi cameia lenses. Thus, the Beaus-in-a-Box seal
might make be useful as inexpensive, ieusable, "tianspaient" tampei uetection foi
safeguaius monitoiing equipment.

0'&)$' 5>> 7 8B'%4%+)(' ,'*+

Type: complexity seal
Status: concept

The Theouolite "Seal" is a iemote, non-contact, optical methou foi ueteimining if a
containei in a vault, waiehouse, oi caigo holu has been uistuibeu. (If the containeis aie in
a moving tianspoit vehicle, they must be tieu uown well.)

The iuea behinu the Theouolite Seal is that it can be uifficult anu time-consuming foi an
auveisaiy to exactly ieposition one oi moie containeis (oi theii lius) aftei tampeiing. This
is especially the case if the liu oi unueisiue of the containei is uesigneu with a mechanical
hysteiesis mechanism that uoes not allow it to ietuin to its oiiginal position oi oiientation

105
when the loau is lifteu. Theie aie many possible mechanical uesigns foi such hysteiesis
containei oi liu suppoits.

Changes in a containei's position oi oiientation (oi that of its liu) as small as a few
meteis anu a few aic-seconus, iespectively, can be measuieu with a neaiby uigital
cameia, using a goou kinematic mount anu a blink compaiatoi technique.

Even fiom a consiueiable uistance, the position of a containei oi liu can be quickly
measuieu with goou accuiacy. At a uistance, a cameia with a telescopic lens, plus a blink
compaiatoi can be useu. Anothei appioach is to use a commeicial S aic-seconu theouolite
useu foi suiveying (cost< $SK). This can uetect a tianslation as small as 7uu m
(peipenuiculai to the line of sight) fiom a uistance of Su meteis. At the same uistance, a
iotation of S aic-minutes can be uetecteu foi a containei oi liu of uiametei 1 metei. (This
is neai the uiffiaction limiteu iesolution of the theouolite.)

Checking foi tampeiing by using a theouolite oi cameia with a blink compaiatoi can be
uone in a non-contact mannei that uoes not inteifeie with othei tampei oi intiusion
uetection uevices. A cleai line of sight, howevei, must be available to the containei oi liu
being checkeu.

The cameia oi theouolite can be taken away between measuiements, especially if a goou
kinematic mount is useu foi accuiate iepositioning. Biffeient theouolites oi uigital
cameias can be useu at the shipping anu ieceiving enus to make the "befoie" anu "aftei"
measuiements, thought iuentical mouels shoulu be useu.

The exact position of containeis can also be mappeu out with a vaiiety of commeicial SB
piofiling instiuments, incluuing lasei SB scanneis, hologiaphic anu inteifeiometiic
uevices, stiuctuieu light piofileis, anu cooiuinate measuiement machines.|S7j Typical
iesolutions aie S mm at a uistance of 1uu meteis, to a few m at 1 metei.

0'&)$' 5>@ 7 O?%W/ K)W'. ,'*+

Status: concept

The Epoxy Nixei seal contains two coloieu liquius that get mixeu when the seal is
openeu. An auveisaiy woulu finu it uifficult to sepaiate the liquius once they mixeu in
oiuei to tiy to hiue the fact that the seal hau been openeu. (This is especially tiue if the
liquius aie uesigneu to ieact chemically, oi change coloi when in contact.) This might leave
counteifeiting as the auveisaiy's simplest attack.

The most efficient way to mix the liquius foi a passive seal is to use an epoxy mixing
baffle of the soit shown in figuie Su.


106

Figuie Su - An epoxy mixing tube. This is a baffle useu to
mix two-component epoxies as they flow uown the tube.

0'&)$' 5>D 7 N'%+)?)+' X,?)##)#C Q*1 Y'(Z ,'*+

Status: concept
Applications: high level secuiity; can monitoi volumes, not just

In Su AB, Beio of Alexanuiia inventeu the woilu's fiist steam engine, calleu an
aeolipile.|S8j Watei was heateu such that the iesultant steam coulu pass thiough pipes
into a hollow spheie. See figuie S1. The spheie hau two jets thiough which the steam
coulu escape, geneiating thiust that causeu the spheie to iapiuly iotate about its axis. It's
not cleai if Beio's uevice was evei actually built. In any event, the aeolipile was nevei
consiueieu anything but a toy until moie than a thousanu yeais latei.

Now in oiuei to keep a valuable asset (oi caigo) safe fiom intiusion oi tampeiing, it is
geneially placeu insiue some containei. We anu otheis have shown how easy it is to
quickly penetiate containei walls without leaving obvious eviuence. These suiieptitious
entiies, howevei, aie substantially moie uifficult if the walls aie constantly moving.
Constantly moving the heavy walls of a conventional containei, isn't piactical, but
constantly spinning a lightweight aeolipile iequiies little eneigy. The hollow, spinning
aeolipile sweeps out a volume in space that cannot easily be penetiateu by an auveisaiy
without inteifeiing with the iotation of the aeolipile shell.


107
Figuie S1 - Beio's Aeolipile. of Alexanuiia inventeu the woilu's fiist steam engine, calleu an aeolipile.|S8j
Watei was heateu such that the iesultant steam coulu pass thiough pipes into a hollow spheie. The spheie
hau two jets thiough which the steam coulu escape, geneiating thiust that causeu the spheie to iapiuly iotate
about its axis. It's not cleai if Beio's uevice was evei actually built. In any event, the aeolipile was nevei
consiueieu anything but a toy until moie than a thousanu yeais latei.

The assets to be monitoieu foi tampeiing go insiue the aeolipile, on a stationaiy platfoim
suppoiteu by an inteinal fiame mounteu to the hollow iotation axis of the aeolipile. The
spinning aeolipile shellthe equivalent of the spheie in figuie 22can be maue out of thin
plastic oi aluminum, balsa woou, oi even papei. It can be a spheie, cylinuei, oi othei
cylinuiically symmetiic shape, anu scaleu up oi uown to the appiopiiate size.

The aeolipile's iotation is poweieunot by steambut by a small electiic motoi anu
batteiy, oi by a tank of compiesseu gas oi a small exteinal aii pump. (If blaues aie
attacheu, the aeolipile can even be uiiven in a non-contact mannei by a neaiby fan oi aii
jet.) The lightweight spinning aeolipile iepiesents no safety hazaiu because it can be
stoppeu simply by ieaching out anu touching it, without haiming one's hanu. The ieuuceu
iotation iate, howevei, will be uetecteu anu inteipieteu as tampeiing.

To monitoi the iotation iate, a small batteiy-poweieu miciopiocessoi is placeu insiue
the spinning aeolipile on the stationaiy suppoit platfoim, along with the assets of inteiest.
It can uetect a change in iotation iate vaiious ways, incluuing with a photouioue, a shaft
encouei, oi with a Ball Effect magnetic sensoi measuiing the iotation of a weak magnet

108
placeu on the spinning axle oi aeolipile's shell. Any attempt by an auveisaiy to gain access
to the assets (incluuing attacking along the iotation axis of the aeolipile) necessaiily
iequiies alteiing the iotation speeu. This is immeuiately inteipieteu by the
miciopiocessoi as intiusion oi tampeiing. The miciopiocessoi then eiases the anti-
eviuence stoieu in its memoiy.

The goou guys can check on the status of the anti-eviuence at any time, incluuing while
the aeolipile is still iotating, by senuing the passwoiu to the miciopiocessoi using if
signals. The miciopiocessoi can iesponu by talking (as with the Seal #4 - the Talking
Tiuck Caigo Seal), oi it can insteau tiansmit the seciet anti-eviuence by a ietuin if signal.

8*C1

0'&)$' 5>F 7 8)9' 8.*? *1 N R.%4-$( N#()7G%-#('.[')()#C 8*C

Type: a piouuct anti-counteifeiting tag
Status: woiking piototype
Applications: counteimeasuie to piouuct counteifeiting; iequiies some technical
sophistication to uefeat

The Time Tiap (Bevice #2) is a tiap oi seal. It can, howevei, also be useu as a piouuct
anti-counteifeiting tag. The 2-lettei hash that authenticates the time can be thought of as a
time-vaiying piouuct "seiial numbei". The customei woulu only be alloweu to view the
authentication hash a few times. The hash coulu be lookeu up on the Inteinet oi calleu in
ovei the telephone. Alteinatelly, the hash coulu be checkeu using a computei piogiam oi
hanuhelu uevice that woulu only show authentication hashes foi the cuiient time.

In oiuei to counteifeit the piouuct, the bau guys woulu neeu to know futuie
authentication hashes foi at least one legitimate piouuct. This woulu iequiie ieveise-
engineeiing the uevice anu beating the intiusion uetectois.

0'&)$' 5>H 7 \).(-*+ T*#4%9 ]-9'.)$ 8%<'#1

Type: a piouuct anti-counteifeiting (viitual buuuy) tag
Status: concept
Applications: counteimeasuie to piouuct counteifeiting; uifficult to uefeat in volume

The iuea of viitual ianuom numeiic tokens is ueceptively simple.|S6j The manufactuiei
of a mass-piouuceu piouuct, lets say phaiamaceuticals as an example, puts an extia "Bottle
IB" on each bottle. This is a unique, ianuom, unpieuictable numbei chosen foi each bottle
in a given lot. (The manufactuiei staits ovei again with each new lot.) The numbei of
Bottle IBs must be at least 1uuu times gieatei than the numbei of bottles in the lot.


109
Customeis anonymously "call-in" to the manufactuiei (oi his iepiesentative) via the
Inteinet oi telephone to see if they have a valiu Bottle IB foi the given lot numbei.

Piouuct counteifeiteis have the pioblem that if they guess Bottle IB numbeis, most of the
ones they guess will be invaliu anu the customeis will be immeuiately aleiteu that they
have a fake.

Piouuct counteifeiteis can piesumably get hunuieus of valiu Bottle IB numbeis, but this
uoes not help them to uo mass counteifeiting because the fact that uuplicate valiu bottle
numbeis keep getting calleu in will make it possible to tell the calling-in customeis that
they piobably have a fake with high piobability. Typically, moie than 98% of the
counteifeit piouucts calleu in will be uetecteu. Nalisciously calling in fake Bottle IBs has
veiy little impact.

volume customeis of the piouuct can also check theii past anu cuiient stock foi
uuplicate Bottle IBs without calling in. This woiks well to uetect fakes because counteifeit
piouucts tenu to clustei in the supply chain.

Theie aie seveial impoitant points about viitual ianuom numeiic tokens that aie often
oveilookeu. This is N0T the same thing as seiialization! It is not tiack & tiace noi a
piovenance methou, though it can be use in conjunction with such techniques. The viitual
ianuom numeiic token is a buuuy tag that uoes not neeu to be physically attacheu to the
bottle, co-locateu with it, oi geneiateu at the factoiy. Also, manufactuieis that tiy to
implement something like viitual ianuom numeiic tokens typically make a numbei (oi
most!) of appioximately S uozen mistakes in uoing so. Please contact the authois foi moie
infoimation.

We use viitual ianuom numeiic tokens foi oui wine authenticity uevice shown in figuie
SS.|1,S9j

Figuie S2 - A viitual ianuom numeiic token iequiies a piouuct IB (oi bottle IB foi bottles) that is not the
same thing as seiialization.

110

Figuie SS - Wine authenticity piototype. The inexpensive, ieusable silvei cap on top of the wine bottle can
ueteimine if the wine bottle has evei been openeu (using an anti-eviuence seal), anu if it is an authentic bottle
(using a viitual numeiic token). The cap is connecteu to the Inteinet using a cable to "call-in" the viitual
numeiic token.

T'*+78)9' K%#)(%.)#C

0'&)$' 5>J 7 8%S# G.)'. K%#)(%.)#C

Type: an anti-eviuence type of ieal-time monitoiing
Status: woiking piototypes of uiffeient uesigns
Applications: high level secuiity foi vaults, waiehouses, anu moving caigo. Also, a
possible technique foi complicating attacks on intiusion sensois.

The anti-eviuence appioach can also be useu foi ieal-time monitoiing.|17,4u,41j A "ieal-
time monitoi" is a uevice oi system that watches ovei an object oi containei, anu then
piouuces an immeuiate alaim if the object oi containei is iemoveu, tampeieu with, oi
expeiiences unauthoiizeu intiusion. The alaim is typically intenueu to sciamble a guaiu oi
police foice.
The alaim signals issueu by most conventional ieal-time monitoiing systems aie often
easy to block oi jam. Noie sophisticateu systems may iely on high-banuwiuth two-way
communication, iauio fiequency signals, sensoi status anu state of health checks, uata
authentication oi enciyption, anuoi complex haiuwaie anu softwaie. The iesulting

111
complexity often opens up new attack vectois foi an auveisaiy, incieases costs, anu can
impeue tianspaiency anu negotiability foi nucleai tieaty monitoiing.|17,4u,41j
With the "Town Ciiei" (anti-eviuence) appioach to ieal-time monitoiing (see figuie S4),
when unauthoiizeu access, tampeiing, oi theft is uetecteu, we uon't senu an alaim that can
be easily blockeu oi jammeu. Insteau, as long as eveiything is fine, we have the ieal-time
monitoiing system occasionally tiansmit a simple "All 0K" byte calleu the "bingo numbei".
The coiiect bingo numbei at any given time is known only to the monitoiing system anu to
the goou guys listening in. Shoulu the coiiect bingo numbei fail to aiiive when expecteu,
tiouble is inuicateu. 0nlike blocking an alaim signal, the bau guys gain nothing by blocking
the "All 0K" signals. They can tiy to counteifeit the bingo numbei, but have only a 12S6
(u.4%) chance of guessing one bingo byte coiiectly, 16SSS6 (u.uu2%) chance of guessing
two coiiectly, etc.

Figuie S4 - The ieal-time Town Ciiei piototype monitoi on the left is meant be insiue oi attacheu to the
assets to be monitoieu. It wiielessly senus a pseuuo-ianuom "bingo numbei" eveiy 4 seconus to the listening
unit on the iight which is locateu at a guaiu station oi with a guaiu. (In actually usage, it woulu be moie like
one bingo numbei tiansmitteu pei minute). Foi uemonstiation puiposes only, the tiansmitteu bingo numbei
(A7 at this instant) is uisplayeu on both the ieal-time monitoi (left) anu the listening unit (iight). (The bingo
numbei is also spoken by both units, again only foi uemonstiation puiposes.) The bau guys uon't know
which bingo numbei is uue up next, anu if they bieak into the ieal-time monitoi, theii tiespassing is uetecteu
anu infoimation about futuie bingo numbeis is eiaseu in less than 1 sec. If the ieal-time monitoi is
uistuibeu (one of many possible inuications of "tampeiing"), the unit eiases infoimation about futuie bingo
numbeis anu stops senuing them. When no bingo numbeis oi the wiong ones aie ieceiveu by the listening
unit, tampeiing oi theft is suspecteu, anu the listening unit sounus a conventional alaim (though it, too, coulu
alteinately pass along an anti-eviuence "All 0K" signal to a highei level.) The ietail cost of paits foi each unit
is less than $SS, anu less than $1S if the supeifluous voice mouule anu LCB uisplay aie eliminateu.


112
The auvantages of this Town Ciiei monitoiing appioach incluue simplicity, low-cost, the
use of only veiy low banuwiuth (a few bits to ~1 byte pei minute), one-way
communication (we listen foi the bingo numbeis but uon't tiy to talk to the ieal-time
monitoi), anu high secuiity. Blocking an alaim, counteifeiting the ieal-time monitoiing
haiuwaie, oi hacking into the monitoi thiough a communications channel aie no longei
useful attacks foi the auveisaiy.

It is inteiesting to note that if sensois insiue a secuiity uevice communicate to the CP0
using a Town Ciiei appioach, it woulu be much haiuei foi an auveisaiy to spoof the
sensois by shoiting oi jumpeiing them.

The name "Town Ciiei" comes fiom the town ciieis of meuieval Euiopean towns. If
vikings weie to attack, they might be able to oveipowei the sentiies befoie the sentiies
coulu yell out a waining. The town ciiei, howevei, woulu ciy out an "All 0K" message at
pieueteimineu times. If the town's people faileu to heai the familiai voice of the Town
Ciiei giving the "All 0K" signal at the coiiect time, they woulu giab theii weapons anu
piepaie to uefenu theii town.

0'&)$' 5>L 7 GB).?)#C :8*C ^ ,'*+=

Type: A Town Ciiei type of ieal-time monitoi that has ceitain attiibues of a tag anu a
seal.
Status: woiking piototypes
Applications: high level secuiity foi vaults, waiehouses, sealeu iauiological souices,
nucleai mateiial, anu caigo

Rauio fiequency (if) communication can be uifficult to woik with.|16j Inueeu, if is a
batteiy powei hog, pione to inteifeience, tenus to attenuate oi uetune when neai metals oi
liquius, often uoesn't woik well aiounu coineis, anu can cieate safety anu secuiity
pioblems (ieal oi peiceiveu) insiue nucleai facilities. Spoofing, hacking, counteifeiting,
blocking, jamming, oi eavesuiopping of if signals iemotely is a continual concein anu
ielatively easy to uo, especially foi iauio fiequency iuentification uevices (RFIBs).|16j
Complicating the use of if foi inteinational applications is the fact that uiffeient countiies
have uispaiate iegulations anu spectium allocations foi if signals.

To avoiu all these pioblems with if, we believe alteinative communication methous
shoulu be consiueieu, especially foi ielatively shoit iange monitoiing, e.g., acioss a stoiage
vault, insiue a caigo holu, oi within a nucleai woik aiea oi facility. Infiaieu oi
acousticalultiasonic signals have, we believe, many potential auvantages ovei if that have
not been fully exploieu oi exploiteu.

Figuie SS shows a piototype Town Ciiei ieal-time monitoiing uevice that we call the
"Chiiping Tag anu Seal". (This is something of a misnomei since it is piimaiily a ieal-time
monitoi). Insteau of using if, this uevice senus the anti-eviuence "All 0K" signal using
acoustical chiips. The acoustical chiips aie geneiateu using a commeicial iesonant chiip

113
buzzei, mouel PKN24SPBS8uS maue by Nuiata manufactuiing.|42j These "chiipeis" aie
often founu on smoke uetectois, wheie they chiip once pei minute foi many months to
inuicate that the batteiy is neaily ueau. It costs appioximately $1.Su in ietail quantities
anu opeiates at appioximately S.8 Bz. Nost enviionments (incluuing nucleai facilities anu
moving tiucks) aie ielatively quiet at this fiequency, with human voices lying mostly in the
iange 1uu - 1uuu Bz.|4Sj

Figuie S6 shows the acoustical signal geneiateu by the chiipei, which lasts
appioximately 2S msecs. Figuie S7 shows the FFT fiequency spectium, with the peak
centeieu aiounu S.8 kBz.

Figuie SS - The Chiiping Tag anu Seal, top view (left) anu bottom view (iight). This piototype uevice is
baseu on the use of an inexpensive PIC 12F629 miciopiocessoi anu a $1.78 (ietail cost) iesonant chiiping
buzzei. The uevice opeiates foi many months on 2 coin batteiies.

Figuie S6 - The ielative sounu intensity of 1 chiip as a function of time as iecoiueu by a miciophone.

114
Figuie S7 - The fiequency spectium of 1 chiip.

The maximum sounu output of the chiipei is 9u uB at a uistance of 1u cm, though it uses
veiy little batteiy powei. The chiips go aiounu coineis quite effectively. Along a stiaight
line, we have uemonstiateu the ability to uetect the chiips using an inexpensive
miciophone at a uistance in excess of 2Su meteis, outuoois in a noisy enviionment.

The paits foi the Chiiping Tag anu Seal shown in figuie SS cost unuei $S in ietail
quantities. This incluues a light sensoi that can ueteimine if the uevice has been pickeu up
oi moveu. Bepenuing on what othei tampeiintiusion sensois one wanteu to auu to the
uevice (anu theie aie many options), the ietail cost of paits might be highei.

The Chiiping Tag anu Seal is a much simplei veision of the Town Ciiei piototype that
was shown in figuie SS not just because it avoius the use of if, but also because it uoesn't
even neeu to tiansmit an actual bingo numbei oi mouulate the (acoustical) chiip it emits.
The "All 0K" signal foi oui Chiiping Tag anu Seal is the exact time when the chiip is
geneiateu. As long as eveiything is fine, the uevice will "chiip" at pseuuo-ianuom,
unpieuictable times. 0nly the goou guys know when the next chiip is uue. Foi the
uemonstiation piototype shown in figuie SS, the chiips come once eveiy S seconus on
aveiage. In a ieal application, howevei, a chiip might only be geneiateu once eveiy minute
oi two on aveiage. 0nce tampeiingintiusion is uetecteu (oi if the uevice is iemoveu), the
chiiping stops, the iemote listening miciophone fails to heai the next chiip when it is uue,
anu the infoimation neeueu to ueteimine when futuie chiips aie uue to occui is eiaseu in
less than 1 sec.

Note that it is only the time to the next chiip that matteis, not the absolute time.
Thus, highly accuiate clocks aie not neeueu. The time to the next chiip can be
ueteimineu using a pseuuo-ianuom numbei geneiatoi (PRNu). An auveisaiy woulu
have to collect chiip uata foi many weeks befoie he woulu have sufficient uata to
confiuently be able to figuie out the PRNu. Foi the best secuiity, howevei, the times

115
between chiips shoulu be ianuom numbeis geneiateu in auvance by haiuwaie, anu
stoieu on the uevice as a kinu of one-time keypau.

The sounu chiips aie shoit enough that many uiffeient chiiping uevices can be
opeiating in the same volume, all chiiping away on uiffeient scheuules. 0nly 1
miciophone is neeueu to listen to hunuieus of uiffeient Chiiping Tags anu Seals
simultaneously. The chiips woulu oveilap veiy infiequently given theii shoit
uuiation, but the goou guys know when each oveilap is coming anu can ueal with the
situation appiopiiately. (The aveiage time befoie any two chiipeis oveilap, each
chiiping ianuomly once pei minute on aveiage, is almost 2 uays.) Shoulu oveilapping
neveitheless become a pioblem, the chiip uuiation (2S ms) coulu be uecieaseu, the
aveiage time to the next chiip incieaseu, anuoi uiffeient fiequencies useu foi
uiffeient units.

It is not necessaiily uesiiable to concluue that tampeiing, intiusion, oi theft has
occuiieu aftei just one misseu chiip. Two oi thiee missing chiips in a iow might be a
bettei thiesholu foi any given Chiiping Tag anu Seal.

Note that the acoustical chiip coulu be ieplaceu with an ultiasonic chiip (to be less
annoying to people), but the iange woulu be less. Alteinatively, an ultia-shoit flash
fiom an infiaieu LEB coulu be useu. Rise times can be a shoit as 1uu pico-seconus.
The ability to go aiounu coineis, howevei, woulu not be as goou in eithei case as is
possible with acoustical chiips.

Because of its simplicity, low cost, anu small size, we believe the Chiiping Tag anu
Seal woulu be paiticulaily useful foi monitoiing sealeu iauiological souices. Insteau
of attaching a secuiity uevice uiiectly to the sealeu iauiological souice (which piesents
a numbei of piactical pioblems), we aie insteau uesigning a thin, lightweight plastic
case to holu each souice. Foi many authoiizeu iauiological applications, the sealeu
iauiological souice coulu be useu without having to even iemove it fiom the case. 0ui
Chiiping Tag anu Seal woulu uo the ianuom auuible chiiping to assuie that the sealeu
souice was still piesent, anu also check whethei the case has been openeu oi
compiomiseu, anu that the Chiiping Tag anu Seal was still attacheu to the case. Any
eviuence of tampeiing woulu cause the chiiping to stop. The unauthoiizeu iemoval of
the case anu chiipei woulu cause the chiips to no longei be uetecteu.

While the Chiiping Tag anu Seal is funuamentally a ieal-time monitoi, it can also be
useu as a tag anu as a seal. It can seive a tag function by iuentifying the asset it is
attacheu to, not with a unique seiial numbei such as uone with an optical baicoue oi
an RFIB, but iathei by chiiping at a specific time. It can act as a seal if the chiips fiom
one oi moie such uevices aie collecteu by a miciophone anu analyzeu by a
miciopiocessoi that is itself pait of an anti-eviuence seal. We can envision, foi
example, a tiuck caigo aiea full of valuable assets in tiansit, each with a Chiiping Tag
anu Seal attacheu. (Reasonable ioau noise causes little acoustical inteifeience.) When
the tiuck aiiiveu at its uestination, the listening miciopiocessoi woulu be queiieu as
to whethei tampeiing, intiusion, oi theft hau occuiieu baseu on its monitoiing of the

116
chiips. While theie woulu be ieal-time monitoiing insiue the tiuck, the iesults woulu
be available only aftei an inquiiy occuiieu at the ieceiving location.

0'&)$' 5>M 7 ;)&' ^ ;%$*+ \)4'% N-(B'#()$*()%#

Type: technique foi athentication of suiveillance viueo (oi othei high-banuwiuth
sensois)
Status: pioof of piinciple
Applications: high level secuiity foi nucleai tieaty monitoiing, anu foi vaults,
waiehouses, anu caigo-holus

Cuiient viueo suiveillance techniques foi nucleai tieaty monitoiing anu othei high-
level secuiity applications make extensive use of expensive custom monitoiing cameias,
tags, seals, tampei-eviuent enclosuies, anu enciyptionuata authentication (often iesulting
in pooi spatial anu tempoial iesolution), anu seciet keys & passwoius. These aie costly,
complicateu, time-intensive, not conuucive to negotiability anu tianspaiency foi nucleai
tieaty monitoiing, anu the secuiity they pioviue is often illusionaiy. Noieovei, the neeu
foi a secuie chain of custouy foi the haiuwaie anu softwaie, staiting at the factoiy, is
usually unmet.

Potentially, these things aie unnecessaiyoi at least theii use coulu be gieatly
ieuuceuif ieal-time stieaming viueo is alloweu anu can be iecoiueu foi futuie analysis.
This woulu make it possible to use comeicial-off-the-shelf viueo cameias (with the low cost
anu excellent quality contiol). vaiious challengeiesoponse tests at nanoseconu to seconu
time scales can help veiyify that the viueo is both live (not pie-iecoiueu) anu being
geneiateu locally (to within a few kilometeis).

The stieaming of the viueo fiames, combineu with these challengeiesponse tests leave
the auveisaiy with inauequate time to counteifeit oi tampei with the viueo images on the
fly. No othei tampei uetection oi enciyptionuata authentication is neeueu (at least foi the
viueo cameia) if the tempoial iesponse of the steaming viueo system is unueistoou.

We have conuucteu a pieliminaiy pioof of piinciple foi this concept. It coulu potentially
also woik foi othei kinus of high-banuwiuth sensoisnot just viueo cameias.

0'&)$' 5@P 7 T*?)4 ,*9?+)#C 8%%+

Type: fielu tool
Status: S 0.S. patents, woiking fielu units
Applications: countei-teiioiism, nonpiolifeiation, emeigency iesponueis, uiug iaius,
waste management

We have uesigneu anu built simple fielu tools that woik with stanuaiu batteiy-poweieu
hanu uiills. They allow the usei to sample liquius oi flowable powueis without opening

117
the containei, oi allowing any of its contents to escape. veiy types of containeis can be
sampleu, up to 1.4 cm thick anu 8-atmospheies of inteinal piessuie. See iefeience |S7j foi
moie infoimation.

Figuie S8 - 0ne veision of the Rapiu Sampling Tool.

N$$'11 G%#(.%+

0'&)$' 5@6 7 39*C' N+C%.)(B9 R*11S%.4

Type: an alteinate kinu of giaphical "passwoiu" foi access contiol foi iooms, builuings,
oi computei log-ons
Status: uemonstiation softwaie
Applications: high level secuiity foi limiteu access aieas oi secuie computing systems

Theie aie numeious concepts foi passwoius baseu on giaphical images oi othei
cognitive authentication appioaches.|44-SSj We believe oui appioach has two stiong
stiong auvantages ovei othei appioaches: (1) It is veiy uifficult foi an auveisaiy to figuie
out the "passwoiu", even if he knows the peison well anu has watcheu hei entei the
"passwoiu" many times, anu (2) The algoiithm is easy to iemembei even aftei a long time
of not being useu.

With oui appioach, each authoiizeu peison has to iemembei only 2 things: An "anchoi
algoiithm" question about what is on the uisplay monitoi, anu a vectoi. Examples of an
anchoi algoiithm question can incluue:
1. Which object costs less than $S.
2. Which object can typically be founu in the kitchen.
S. Which object contains a lot of woou.

118
4. Which object uiu not exist in the yeai 19uu.
S. Which thing is alive.
S. Which object has a name (label) with 2 vowels in it.
6. Which icon is "facing" to the left.

Each time a subject wishes to gain physical oi computei access, she is shown a giiu of
cllipait images ("icons"), such as in figuie S8. Bei job is to scan the giiu anu finu the one
icon that answeis hei anchoi algoiithm question. This is calleu the "anchoi". If she cannot
finu an appiopiiate anchoi, she is alloweu to iequest a new set of icons (without selecting
any fiom the oiiginal giiu). 0nce an anchoi is iuentifieu, she then selects a uiffeient icon
that is uisplaceu fiom the anchoi by hei peisonal vectoi. She may neeu to iepeat the
piocess foi multiple giius with uiffeient icons to gain access if bettei secuiity is uesiieu.

Figuie S8 - 91 uiffeient icons. Each icon (oi "clip ait") has a name (label) that uefines what it is.

It is a complex pioblem foi an auveisaiy to tiy to woik backwaius anu figuie out the
anchoi, then figuie out the algoiithm. Theie aie, foi example, 2S possible vectois away
fiom the anchoi, given no moie than S total steps: S veitical icons (up oi uown) + u
Boiizontal; 2 veitical + u oi 1 Boiizonal (left oi iight); 1 veitical + u, 1, oi 2
Boiizontal; u veitical + u, 1, 2, oi S Boiizontal).

Befoie using the system, the usei must entei a IB bauge oi PIN oi passwoiu to iuentify
the peison anu thus let the system look up hei anchoi question anu vectoi.

0ui uemonstiation softwaie foi this technique ianuomly fills the giiu with icons that
unambiguously uo not fit each peison's anchoi question. This has pieviously been
ueteimineu by going though all the icons anu asking a panel of people whethei each icon

119
fits a given anchoi question well, pooily, oi it is uncleai. 0nly when theie is veiy stiong
consensus is an anchoi question assigneu affiimatively to a given icon.

0nce the giiu is filleu with icons that unambiguously uo not fit the ielevant anchoi
questons (with no uuplication of icons alloweu), one of the icons is ianuomly chosen anu
ieplaceu with an icon that !"#$ unambiguously fit the anchoi question. The peison looks
thiough the giiu, finus the one icon that fits hei anchoi question, then using the vectoi to
select an icon.

Anchoi questions can be ie-useu foi uiffeient people if they aie given uiffeient vectois. If
the vectoi takes the usei off the giiu, she simply wiaps aiounu. A iotatable spheie foi
uisplaying the icons woulu eliminate the confusion of wiapping aiounu.

Pieliminaiy expeiiments suggest that most people can leain how this concept woiks anu
leain theii anchoi question anu vectoi in just a few minutes of explanation followeu by
some piactice. Nost people hau little pioblem in quickly finuing the ielevant icon foi theii
anchoi question. Theie is eviuence that people coulu iemembei theii anchoi anu vectoi
even aftei seveaial months of not using the system, especially if we useu paiticulaily viviu
tiaining methous.

While this system woulu piobably not be piactical foi access contiol foi a laige numbei
of employeesbecause of the effoit iequiieu to set it up anu tiain the useisthis
appioach might make some sense foi high secuiity applications wheie theie aie only a
mouest numbei of authoiizeu inuiviuuals.

0'&)$' 5@> 7 RB/1)$*+ 31%+*()%# [.%9 O(B'.#'( *#4 (B' 3#('.#'(

Type: cybei physical access contiol
Status: woiking unit
Applications: slight impiovement in cybei secuiity; secuiity awaieness tool

A R}4S switch box (~$9 ietail) can be useu to uisconnect a computei fiom its Etheinet
connection foi times when you uon't neeu to be connecteu (foi example) to the Inteinet,
yet want to instantly ie-connect when you uo. See figuies S9 anu 4u. In auuition to the
switch box, two Etheinet patch (8P8C) cables aie neeueu.

120
With the switch box, theie is no neeu foi fumbling with cables oi softwaie to
uisconnectieconnect the Etheinet poit when it is not neeueu. 0f couise this uoesn't
auuiess wifi oi Bluetooth connections, noi help all that much if you aie being peisonally
taigeteu by hackeis, but it can potentially cut uown on oppoitunities foi cybei attacks oi
mistaken ielease of sensitive uata.
Figuie S9 - Fiont view of a commeicial R}4S switch box with labels auueu by the authois.

Figuie 4u - Reai view of the switch box. A cable is useu to connect the I0 poit to the Etheinet ioutei, while
anothei cable connects the A poit to the computei's Etheinet poit. No cable is connecteu to B foi this
application.


121
0'&)$' 5@@ 7 ,()$</ E%9I 0'('$(%. [%. \'B)$+' ,'$-.)(/

Type: vehicle access contiol
Status: pioof of piinciple on 2 uiffeient concepts
Applications: countei-teiioiism, vehicle anu caigo secuiity

We have conuucteu a pioof of piinciple foi 2 uiffeient methous of uetecting when an
impioviseu explosive uevice has been attacheu to a paikeu vehicle.|S8j 0ne technique is
baseu on uetecting an inciease in tiie piessuie when even a veiy small amout of weight is
auueu to (oi subtiacteu fiom) a vehicle. The othei techique is baseu on uetecting the
magnet that is often useu to attach such "sticky bombs".

Both techniques aie ielatively inexpensive anu coulu possibly also woik on moving
vehicles, with a ieuuce level of sensitivity. Both techniques can woik as eithei tampei
uetectois (aftei the fact uetection) oi ieal-time monitois.

Theie aie othei potential applications foi vehicle anu caigo secuiity. See iefeience |S8j
foi moie infoimation.

N$<#%S+'4C'9'#(1

This woik was suppoiteu by the 0.S. Bepaitment of Eneigy (B0E), 0ffice of Basic
Sciences, anu the National Nucleai Secuiity Auministiation (NNSA) unuei contiact #BE-
ACu2-u6CB11SS7. The views expiesseu in this aiticle aie those of the authois anu shoulu
not necessaiily be asciibeu to Aigonne National Laboiatoiy, B0E, oi NNSA.

We aie giateful to Anthony uaicia, Leon Lopez, Ron Naitinez, Auam Pacheco, anu Sonia
Tiujillo foi iueas, uesign concepts, machining, anu othei assistance. Nate Biiston maue
majoi contiibutions to the uesign anu constiuction of the Time Lock anu helpeu with othei
technical uetails. veionica Nanfieui conuucteu much of the testing of the Image Algoiithm
Passwoiu technique anu assisteu in othei ways. }im vetione uiu much of the expeiimental
testing on the sticky bomb uetection techniques. We also benefiteu fiom the help of
Naiissa Falei, Sam Fuchs, Chiistophei Folk, uiegoiy Bylsma, anu Eiic Baca.


122
T'['.'#$'1

1. Aigonne vulneiability Assessment Team, http:www.ne.anl.govcapabilitiesvat

2. Phil Rogeis, "Nost Secuiity Neasuies Easy to Bieach",
http:www.youtube.comwatch.v=fiBBu}qkz9E

S. Boonsii Bickinson, "At Aigonne National Lab, Closing the Cuitains on Secuiity Theatei'",
Novembei 9, 2u1u, http:www.smaitplanet.comtechnologyblogscience-scopeat-
aigonne-national-lab-closing-the-cuitains-on-secuiity-theateiS167

4. Ru }ohnston anu }S Wainei, "Bebunking vulneiability Assessment Nyths",
%#&'()*+,-."/0*&1, August 6 & 1S, 2u1S,
Pait 1:
http:www.secuiityinfowatch.comaiticle11u788Suexpeits-uiscuss-commonly-helu-
misconceptions-about-vulneiability-assessments
Pait 2:
http:www.secuiityinfowatch.comaiticle111u898Sexpeits-uiscuss-the-
chaiacteiistics-of-goou-vulneiability-assessois

S. Ru }ohnston anu ARE uaicia, "An Annotateu Taxonomy of Tag anu Seal vulneiabilities",
2"'(-03 ". 5'&3#0( 60*#()03$ 60-07#8#-* >L(S), 2S-Su (2uuu).

6. Ru }ohnston, ARE uaicia, anu AN Pacheco, "Efficacy of Tampei-Inuicating Seals", 2"'(-03
". 9"8#30-! %#&'()*+, Apiil 16, 2uu2,
http:www.homelanusecuiity.oigjouinalAiticlesuisplayaiticle.asp.aiticle=Su

7. }S Wainei anu Ru }ohnston, "Why RFIB Tags 0ffei Pooi Secuiity", Pioceeuings of the
S1st INNN Neeting, Baltimoie, NB, }uly 11-1S, 2u1u.
8. Ru }ohnston, "Lessons foi Layeiing", %#&'()*+ 60-07#8#-* FD(1), 64-69, (2u1u).

9. Ru }ohnston, "New Reseaich on Tampei-Inuicating Seals", Inteinational 0tilities
Revenue Piotection Association News, 6H(1), 17-18 (2uu6).

1u. Ru }ohnston, "Tampei-Inuicating Seals", :8#()&0- %&)#-*)$* MD(6), S1S-S2S (2uuS).

11. Ru }ohnston anu }S Wainei, "The Boctoi Who Conunuium: Why Placing Too Nuch
Faith in Technology Leaus to Failuie", %#&'()*+ 60-07#8#-* DM(9), 112-121 (2uuS).

12. Ru }ohnston anu }S Wainei, "What vulneiability Assessois Know That You Shoulu,
Too", :$)0 ;0&).)& %#&'()*+ 6070<)-# FP, 4u-42 (2u1S)

1S. }S Wainei anu Ru }ohnston, "Chiiping Tag anu Seal", Pioceeuings of the S1st INNN
Neeting, Baltimoie, NB, }uly 11-1S, 2u1u.

123
14. Ru }ohnston, EC Nichauu, anu }S Wainei, "The Secuiity of 0iine Biug Testing", 2"'(-03
". =('7 ,$$'#$> @MXDZ 1u1S-1u28 (2uu9),
http:jou.sagepub.comcontentS941u1S.full.puf+html
1S. Ru }ohnston, "Tampei Betection foi Safeguaius anu Tieaty Nonitoiing: Fantasies,
Realities, anu Potentials", ?1# 5"-@("3).#(0*)"- A#B)#C L(1), 1u2-11S (2uu1),
http:www.autoiu.oig1_2uuS%2uBocumentsSep1u4sc4wg2nu121_}ohnston.puf

16. Ru }ohnston, "The Anti-Eviuence' Appioach to Tampei-Betection", ;0&D07)-7>
?(0-$@"(*> %*"(07# E %#&'()*+ ". A0!)"0&*)B# 60*#()03 6H(2), 1SS-14S (2uuS).

17. Ru }ohnston anu }S Wainei, 0nconventional Appioaches to Chain of Custouy anu
veiification", Pioceeuings of the S1st INNN Neeting, Baltimoie, NB, }uly 11-1S, 2u1u.
18. Ru }ohnston anu ARE uaicia, ?()F"3'8)-#$&#-* ?08@#(G,-!)&0*)-7 =#B)&#. 0.S. Patent
6,S94,u22, Apiil 28, 2uu2.

19. A} Walton, "Tiiboluminescence", :!B0-&#$ )- ;1+$)&$ >H(6), 887-948 (1977).

2u. u Bouihill, L0 Palsson, IBW Samuel, IC Sage, IBB 0swalu, anu }P Buignan, "The Soliu-
State Photoluminescent uantum Yielu of Tiiboluminescent Nateiials", H1#8)&03 ;1+$)&$
I#**#($ @@H(4), 2S4-241 (2uu1).

21. I Sage, R Baucock, L Bumbeistone, N ueuues, N Kemp, anu u Boihill, "Tiiboluminescent
Bamage Sensois", %80(* 60*#()03$ 0-! %*('&*'(#$ L(4), Su4-S1u (1999).

22. Ru }ohnston, 607)& %30*# %#03, Los Alamos National Laboiatoiy Repoit LA0R-u2-6848
(2uu2).

2S. }E Amooie anu E Bautala, "0uoi as an Aiu to Chemical Safety", 2"'(-03 ". :@@3)#!
?"J)&"3"7+ @(6), 272-29u (198S).

24. R} veisic, "Nicioencapsulation anu Scenteu Fiagiance Inseits", =('7 E H"$8#*)&
,-!'$*(+ 6DD(6), Suff (1989), http:www.ituouge.comfi-insit.html

2S. TB Elmei, ;"("'$ 0-! A#&"-$*('&*#! K30$$#$ )- L-7)-##(#! 60*#()03$ 90-!F""D, volume
4: H#(08)&$ 0-! K30$$#$, pp. 427-4S2 (1992), ASN Inteinational, Nateiials Paik, 0B,
http:www.coining.comlightingmateiialspiouuctsvycoi.html

26. Ru }ohnston anu ARE uaicia, 607-#*)& M#&*"( N)#3! ?07 0-! %#03. 0.S. Patent 6,784,796
B2, August S1, 2uu4.

27. Ru }ohnston, 607?07O 607-#*)& M#&*"( N)#3! ?07 0-! %#03. Los Alamos National
Laboiatoiy Repoit LA0R-u2-6848 (2uu2).


124
28. Ru }ohnston, anu ARE uaicia. ?08@#(G,-!)&0*)-7 =#B)&# 90B)-7 0 K30$$ P"!+. 0.S.
Patent 6,SSS,9Su B1, Apiil 29, 2uuS.

29. ARE uaicia anu Ru }ohnston, L-10-&#! ?08@#( ,-!)&0*"(. 0.S. Patent 6,S88,812 B1,
}uly 8, 2uuS.

Su. CA Sastie, ?1# Q$# ". %#03$ 0$ 0 %0.#7'0(!$ ?""3. Biookhaven National Laboiatoiy
Repoit BNL 1S48u (1969).

S1. Texas Auvanceu 0ptoelectionic Solutions (TA0S),
http:www.taosinc.compiouuct_uetail.asp.cateiu=11&pioiu=12

S2. Ru }ohnston anu }S Wainei, "Bow to Choose anu 0se Seals", :(8+ %'$*0)-8#-* !!RST>
USGUV RWXYWT> http:www.almc.aimy.milalogissues}ulAug12biowse.html

SS. A Teizan, N Chatagnat, anu B BubetLe, "Nouveau Compaiateui a Eclipses Be
L'0bseivatoiie ue Lyon", 2Z [@*)&$ R;0()$T M(2), 21-126 (1978).

S4. ER Ciaine, "viueo Compaiatoi System foi Eaily Betection of Cutaneous Nalignant
Nelanoma", ;("&##!)-7$ ". *1# %;,L 6HF@, S99-4u9 (1992).

SS. Cioswell, K. "The Puisuit of Pluto", :8#()&0- 9#()*07# ". ,-B#-*)"- 0-! ?#&1-"3"7+
F(S), Su-S7, 199u.

S6. Newpoit Coipoiation. \)-#80*)& 6"'-*$.
http:www.newpoit.comseivicesuppoitTutoiialsuefault.aspx.iu=84

S7. %)8@3# ]=O ]= %&0--#($> =)7)*)<#($> 0-! %".*C0(# ."( 60D)-7 ]= 6"!#3$ 0-! ]=
6#0$'(#8#-*$. http:www.simpleSu.com

S8. ?1#(8"!+-08)&$. http:www.scitoys.comscitoysscitoystheimotheimo.html

S9. "New Bottle Cap Thwaits Wine Counteifeiteis", WebWiie, August 4, 2uu8,
http:www.webwiie.comviewPiessRel.asp.aIu=71479
4u. Ru }ohnston, ARE uaicia, anu AN Pacheco, "The Town Ciiei' Appioach to Nonitoiing",
,-*#(-0*)"-03 2"'(-03 ". A0!)"0&*)B# 60*#()03 ?(0-$@"(* 6@X>Z_ 117-126 (2uu2).
41. Ru }ohnston, ARE uaicia, anu AN Pacheco, "Impioveu Secuiity via Town Ciiei'
Nonitoiing", ;("&##!)-7$ ". /0$*# 60-07#8#-* ^X]> Tucson, A, Febiuaiy 24-27, 2uuS,
www.osti.govseivletspuil8276S6-nWiBF0native
42. Nuiata, "Piezoelectiic Sounu Components", page 2S,
http:www.muiata.compiouuctscatalogpufpS7e.puf
4S. u Eleit, "The Natuie of Sounu", ?1# ;1+$)&$ 9+@#(*#J*F""D> http:physics.infosounu

125
44. B Asgha, S Li, } Piepizyk, & B Wang, (2u11). "Ciyptanalysis of the Convex Bull Click
Buman Iuentification Piotocol", ,-."(80*)"- %#&'()*+, pp 24-Su.

4S. X Bai, W uu, S Chellappan, X Wang, B Xuan, & B Na (2uu8), "PAS: Pieuicate-Baseu
Authentication Seivices Against Poweiful Passive Auveisaiies", H"8@'*#( %#&'()*+
:@@3)&0*)"-$ H"-.#(#-&#, :H%:H WXXV, pp 4SS-442.

46. R Biuule, S Chiasson, & P van 0oischot, (2u11), "uiaphical Passwoius: Leaining fiom
the Fiist Twelve Yeais", :H6 H"8@'*)-7 %'(B#+$, DD(4).

47. P uolle, & B Wagnei, (2uu7), Ciyptanalysis of a Cognitive Authentication Scheme", ,LLL
H"-.#(#-&# "- %#&'()*+ 0-! ;()B0&+, %;_X`, pp 66-7u.

48. }A Baskett (1984), "Pass-Algoiithms: A 0sei valiuation Scheme Baseu on Knowleuge of
Seciet Algoiithms", H"88'-)&0*)"-$ ". *1# :H6 >J(8), 777-781.

49. "BIPs." 9,;$. N.p., n.u. Web. 26 }uly 2u12. http:www.alauuin.cs.cmu.euuhips

Su. B Bong, S Nan, B Bawes, & N Nathews (2uu4), "A uiaphical Passwoiu Scheme Stiongly
Resistant to Spywaie", ;("&##!)-7$ *1# ". ,-*#(-0*)"-03 H"-.#(#-&# "- %#&'()*+ 0-!
60-07#8#-*, Las vegas, Nv.

S1. N Boppei, & N Blum, (2uu1), "Secuie Buman Iuentification Piotocols", :!B0-&#$ )-
H(+@*"3"7+a:%,:HAb;? WXXY, pp S2-66.

S2. B }ameel, B Lee, & S Lee, (2uu7), "0sing Image Attiibutes foi Buman Iuentification
Piotocols", :(J)B ;(#@()-* aiXiv:u7u4.229S,

SS. B }ameel, R Shaikh, L Bung, Y Wei, S Raazi, N Canh, et al. (2uu9), "Image-Featuie Baseu
Buman Iuentification Piotocols on Limiteu Bisplay Bevices", ,-."(80*)"- %#&'()*+
:@@3)&0*)"-$, pp 211-224.

S4. S Li, B Asghai, } Piepizyk, AR Saueghi, et al. (2uu9), "0n the Secuiity of PAS (Pieuicate-
Baseu Authentication Seivice)", H"8@'*#( %#&'()*+ :@@3)&0*)"-$ H"-.#(#-&#, 2uu9.
ACSAC'u9, pp 2u9-218.

SS. S Wieuenbeck, } Wateis, L Sobiauo, & }C Biiget (2uu6), "Besign anu Evaluation of a
Shouluei-Suifing Resistant uiaphical Passwoiu Scheme", ;("&##!)-7$ ". *1# /"(D)-7
H"-.#(#-&# "- :!B0-&#! M)$'03 ,-*#(.0&#$, pp 177-184.

S6. Ru }ohnston, "An Anti-Counteifeiting Stiategy 0sing Numeiic Tokens", ,-*#(-0*)"-03
2"'(-03 ". ;10(80&#'*)&03 6#!)&)-# 6M, 16S-171 (2uuS).

S7. Ru }ohnston, ARE uaicia, RK Naitinez, anu ET Baca (1999), "Sealeu-Containei
Sampling Toolsc> ;(0&*)&# ;#()"!)&03 ". 90<0(!"'$> ?"J)&> 0-! A0!)"0&*)B# /0$*# 678*Z @,
18-22 (1999).

126

S8. Ru }ohnston, } vetione, anu }S Wainei, "Sticky Bomb Betection with 0thei Implications
foi vehicle Secuiity", 2"'(-03 ". ;1+$)&03 %#&'()*+ D(1), S6-46 (2u1u).

33 Unconventional Security Devices

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

33 Unconventional Security Devices

Încărcat de

Drepturi de autor:

Formate disponibile

}ouinal of Physical Secuiity 7(S), 62-126 (2u14)

S-ar putea să vă placă și