Cyber Security at the Movies: Rogue One (Part II: Authentication)

by Paul Curzon, Queen Mary University of London

[Spoiler Alert]

In a galaxy far, far away cyber security matters quite a lot. So much so, in fact, that the whole film Rogue One is about it. The plot is all about the bad guys trying to keep things secret, and the good guys trying to steal them. It is the story of how the rebels manage to steal the plans to the Death Star, allowing Luke Skywalker a shot at destroying it. Protecting information is everything. Controlling who has access is key! Unfortunately, the Empire screws up!

The Empire have lots of physical security to protect their archive - armies of Stormtroopers, locks, big hefty doors, guarded perimeters (round a whole planet), not to mention ensuring their archive is NOT directly connected to a galaxy-wide network... but what about the rest of their security system? Once Jyn and Cassian have made it past all that physical security, what then? They need to prove to the system that they are allowed to access the data (which of course they aren't). They need to authenticate! Authentication is about how you tell who a person is, and so what they are, and are not, allowed to do. The Empire do have an authentication system protecting their archives. They even went for a high-tech solution. To gain access you have to have the right handprint. Luckily, for the rest of the series, it turned out to be easy for Jyn to subvert.

Sharing a secret

Authentication is based on the idea that those allowed in (to a computer, a building, a network, ...) possess something that no one else has. Often it is a shared secret. That is all a password is: a secret known only to you and the computer. The PIN you use to lock your phone or to get money from a cashpoint is a shared secret (shared between you and your phone, or you and your bank). So are the stereotypical greetings of spies: "The snow is deep on Hoth"... "Only at this time of year". You find shared secrets used as authentication in stories as old as the Arabian Nights - the secret phrase shared between the cave and those allowed in, "Open Sesame", magically opens the door! If no one else knows the secret, the fact that you have it tells the thing or other person asking you to authenticate that it really is you. You can be allowed in. The trouble with this kind of authentication is that secrets can be hard to remember, and if we write them down or tell them to someone else they no longer work as a secret.

A secure token

A different kind of authentication system is based on physical things or 'tokens'. Only if you possess one of the tokens can you get in. Your door key provides this kind of check on your identity. A key is a physical alternative to magic words to open a door! Your bank card provides this kind of authentication system too. It works as long as only the people who are allowed in actually possess the tokens. The problem here is that tokens can be forged. They have to be impossibly hard to copy to be at all secure. They can also be stolen or lost (and you can forget to take them with you when you set off to save the Galaxy).

Biometrics

Biometrics, as used by the Empire, get round the problems of shared secrets and physical tokens. They are a form of authentication that relies on a feature unique to each person, like their fingerprint. Other kinds rely on the uniqueness of the pattern in your iris, your voice print, or more futuristically your DNA: the genetic blueprint that makes you you. They have the advantage that you can't lose them or forget them. They can't be stolen or inadvertently given to someone else. Of course for each galactic species, from Ewok to Wookiee, you may need to use a completely different feature, unique to each member of that species.

Just because Biometrics are high-tech, doesn't mean they are foolproof, as the Empire found out to its cost. Just like physical tokens, if a biometric can be copied, and a copy can fool the system, then it can be broken. In Rogue One the rebels didn't even need to copy the necessary hand print. They just killed a person who had access and put their hand against the reader. Ping and they were in. If it works when the person is dead it's not much different to the person being a token that someone else can possess. In real life 21st century Japan, for example, at least one unfortunate driver had his finger cut off by thieves stealing his car as it used his fingerprints as a car key! Biometric readers need to be able to tell whether the thing being read is connected to a live body or not.

The right side of the door

Of course if the person with access is there and can be coerced, biometrics are not much help. Perhaps all Cassian needed to do was hold a blaster to the archivist's head to have the same effect. If a person with access is handy and willing to help it may not matter whether they have to be alive or not (except of course to them).

Part of the flaw in the Empire's system is that the archivist appeared to spend his time outside the security perimeter. You could get to him and his console without any form of authentication. A better system would have had him working on the other side of the door, i.e., on the other side of the authentication system - combining physical security with authentication. We see this kind of system in the film 'Butch Cassidy and the Sundance Kid'. Money is transferred by train in a safe. The safe is inside a locked railway wagon, and the person who can open the door is inside the wagon, not outside. He only opens the door when he is sure the person outside is allowed in. Sadly for him the physical security of the train isn't good enough - the outlaws just blow the door off.

Anything one can do two can do better (maybe)

Stormtroopers

So what else could the Empire have done better? Well, they could have used 'multi-factor authentication'. Why not ask for more than one piece of evidence before you allow someone in? We use this all the time. You use the combination of password and user id to get into a computer, for example. Of course the user id isn't very secret, so it's not a great improvement. It is one better than your phone, though, which just asks for a PIN. Your bank cashpoint does better, asking for two different kinds of authentication. It asks for both a shared secret (something you know - your PIN) and a physical token (something you possess - your bank card) before it gives you money. Banks try to do something similar for Internet shopping, asking you to provide both the card number from the front of the card and the security code from the back. Of course that isn't as good. If you have stolen, seen or copied the card you have both pieces of information anyway, so all it does is prove you have possessed the card at some point in the past. A better system is to require you to access from a registered machine (like your phone) as well as provide a card number or secret code. For that to work you need it to be impossible for someone else's machine to pretend it's yours. All you have actually done is passed the onus to your machine to authenticate itself!

Had the Empire asked for both a biometric and a shared secret, like a code for the vault, say, the rebels would have been stuffed the moment they killed the guy on the door. Alive, he might still have let them in of course - which is why he was on the wrong side of the door. You have to be careful in your choice of factors too. Had the two things been a key and a handprint, the archive would have been no more secure than with the handprint alone. Kill the guard and you have both the key and the handprint.

We are in!

So the rebels accessed the archive. That leads to a bigger problem with the Empire's security. Once in, they had access to everything. There were no further checks. That is very bad security, especially for something so vitally important. Individual areas and even items should have been separately protected by the authentication system, so that getting into the archive is not enough. The index that allowed documents to be looked up could have required authentication too. Once the rebels had found the file containing the schematics for the Death Star, they could access it and even beam it across the Galaxy. Anyone who had the file could then read it without any authentication at all. If each file had been separately protected with a secure authentication system, then the Empire could have foiled the rebel plot.

So even when Jyn got the file it should then have been impossible to open without authenticating again. Even your computer can do that. You can set an individual password on individual files. Suppose someone does steal an important file, copying it to a stick, because you leave your desk without locking the screen perhaps. If the file itself was password protected the information would still be safe. The risk here is that if you require more passwords than a person can remember, legitimate people might end up losing access.

Security levels are one way to help. Rather than require lots of passwords, you group documents into clearance levels. Everyone's authentication also links them to a clearance level. The more trusted you are the higher your level of clearance and the more you can see. Only if you have "Top Secret" clearance are you able to access "Top Secret" documents. When you authenticate you should only be given access to documents of your clearance level or lower. The Empire needed security levels! They would then need a way to ensure information can never be leaked to a lower clearance level area though (like beaming it across the galaxy). That's the tricky thing about security, solve one problem and you may just give yourself a new weakness.
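The clearance-level idea above, as an added example that is not part of the original article: levels are ordered, a subject may only read documents at or below their clearance, and a document may only be moved to an area at or above its own level, which is the "leak to a lower clearance level area" the paragraph warns about. The level names, documents and people are constructed for the example.

```python
# Added example: minimal clearance-level access checks (no read-up, no write-down).
# All names and levels here are constructed, not from the article.
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Document:
    name: str
    level: str


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


def can_read(subject: Subject, doc: Document) -> bool:
    """No read-up: the subject's clearance must be at least the document's level."""
    return LEVELS[subject.clearance] >= LEVELS[doc.level]


def can_transfer(subject: Subject, doc: Document, destination_level: str) -> bool:
    """No write-down: a reader may only move a document to an area whose level is
    at least the document's own, so it never lands where lower-cleared subjects
    could read it. Beaming top-secret plans over an unclassified channel fails here."""
    return can_read(subject, doc) and LEVELS[destination_level] >= LEVELS[doc.level]


# Constructed sample data
DEATH_STAR_PLANS = Document("death-star-schematics", "top secret")
CANTEEN_MENU = Document("canteen-menu", "unclassified")
ARCHIVIST = Subject("archivist", "top secret")
JUNIOR_CLERK = Subject("junior-clerk", "restricted")


def demo_levels() -> dict:
    """Run the checks on the sample data and return the decisions."""
    return {
        "clerk_reads_plans": can_read(JUNIOR_CLERK, DEATH_STAR_PLANS),          # False
        "clerk_reads_menu": can_read(JUNIOR_CLERK, CANTEEN_MENU),               # True
        "archivist_reads_plans": can_read(ARCHIVIST, DEATH_STAR_PLANS),         # True
        # Even a fully cleared archivist must not beam the plans to an unclassified area.
        "archivist_beams_plans": can_transfer(ARCHIVIST, DEATH_STAR_PLANS, "unclassified"),  # False
        "archivist_files_plans": can_transfer(ARCHIVIST, DEATH_STAR_PLANS, "top secret"),    # True
    }
```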

Removing Clearance

There is another part of the Empire's authentication system that is flawed. Long before the rebels get to the archive itself, they have to get through the security cordon around the planet. They seem to have got some of it right. The ship itself acted as a physical token. Only known ships are allowed in (so not rebel ships). As the ship used was a stolen one, that wasn't a problem for the rebels though. The ship also came with a shared secret - an access code. The rebels knew that too, as their pilot was a defector who therefore knew the code. They still worried, rightly, that the code might have been cancelled though. The Empire knew the defector had scarpered and were looking for him. An authentication system needs a built-in way for access rights to be revoked. That way, if secrets or tokens (or hands) are stolen, or the person holding them is no longer trusted, then they cease to work. That's why hotels use electronic cards as keys for room doors. A card's digital access rights on an electronic lock can be cancelled the moment the guest has (or should have) left. That beats an old-fashioned key. If a guest walks off with one of those, the hotel has to change the lock to stop them using it to return later. For the Empire, it isn't the technical part of the security that lets them down, though. It's the human factor. No one apparently thought to cancel the ship's rights or the access code when it was stolen. Good security includes good processes too. There needed to be an automatic system for revoking clearance that kicked into action the moment the ship disappeared.
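The perimeter check described above, as an added example that is not part of the original article: a ship token and an access code are both required, and reporting the ship stolen or the pilot missing revokes both factors at once, so a genuine ship with the correct code no longer gets through. Ship ids, pilot names and codes are constructed.

```python
# Added example: two-factor perimeter check with automatic revocation.
# All ids, names and codes are constructed, not from the article.
import hmac
from dataclasses import dataclass, field


@dataclass
class PerimeterControl:
    ships: dict = field(default_factory=dict)        # ship id -> pilot who holds it
    codes: dict = field(default_factory=dict)        # pilot -> access code issued to them
    revoked_ships: set = field(default_factory=set)
    revoked_pilots: set = field(default_factory=set)

    def register(self, ship_id: str, pilot: str, code: str) -> None:
        self.ships[ship_id] = pilot
        self.codes[pilot] = code

    def report_ship_stolen(self, ship_id: str) -> None:
        """Revocation kicks in the moment the ship disappears: the ship token goes,
        and so does the code of the pilot who travelled with it."""
        self.revoked_ships.add(ship_id)
        pilot = self.ships.get(ship_id)
        if pilot is not None:
            self.revoked_pilots.add(pilot)

    def report_pilot_defected(self, pilot: str) -> None:
        """A defector's code is cancelled, along with every ship they held."""
        self.revoked_pilots.add(pilot)
        for ship_id, holder in self.ships.items():
            if holder == pilot:
                self.revoked_ships.add(ship_id)

    def admit(self, ship_id: str, code: str) -> bool:
        """Both factors must be known, unrevoked and correct."""
        if ship_id not in self.ships or ship_id in self.revoked_ships:
            return False
        pilot = self.ships[ship_id]
        if pilot in self.revoked_pilots:
            return False
        # Constant-time comparison so the check does not leak how many characters matched.
        return hmac.compare_digest(self.codes[pilot].encode(), code.encode())


def demo_perimeter() -> tuple:
    """Return (admitted before revocation, admitted after the pilot is reported missing)."""
    control = PerimeterControl()
    control.register("cargo-shuttle-0608", "pilot-1", "code-1138")  # constructed
    before = control.admit("cargo-shuttle-0608", "code-1138")      # True
    control.report_pilot_defected("pilot-1")
    after = control.admit("cargo-shuttle-0608", "code-1138")       # False
    return before, after
```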

So if you ever invent something as important to your plans as a Death Star, don't just rely on physical security and a simple authentication system to protect it. For that matter, don't put your trust in your mastery of the Force alone either, as Darth Vader discovered to his cost. Instead of a rebel planet, your planet-destroying planet may just be destroyed itself, along with your plans for galactic domination.