Team:Groningen/Safety

iGEM Groningen 2019 :: Safety

Safety

The key aspect of our project was to send data in a secure way, which requires a great number of safety measures. As our project involves genetically modified organisms (GMOs), our main workplace was the microbiological laboratory. Unlike other laboratories, this one comes with extra measures that people need to be made aware of. Since the main microorganism we used is Vibrio natriegens, a non-pathogenic organism, we operated in a lab classified as ML 1 (Risk level 1) provided by the University of Groningen. Because a number of our team members come from non-biological fields of study, proper training in working with GMOs was provided under the supervision of the Biosafety Officer. Moreover, all the team members took part, to ensure that the best safety practices and protocols were clear and fully provided to everyone.

Safety in the lab
Image source: Ukrant

Safety by Design

Moving on from the basic safety of the workplace, we had to take into account the safety measures that were of concern for the project itself. We had the opportunity to be trained in this part by the Dutch Governmental Institute for Public Health and Environment (RIVM). This involved discussions with experts on several topics that helped us properly shape the Safe Design of our idea.

In terms of possible risks, we addressed the following factors:

  1. The bacteria were handled by experienced lab personnel.
  2. Therefore, the safety measures involved in this step consisted mainly of following good laboratory practice.
  3. We planned the engineering of the bacterial strain to contain itself in case of a spill or accident.
  4. We identified the most critical point, which is sending the printed bacteria to the recipient of the message. We addressed this safety issue in two ways: first, through the design of our engineered bacteria, and second, by considering the law and policy on sending biohazardous material.

After the first training session and presenting our general outline to experts from RIVM, we realized that there was another aspect of safety we needed to address: data security. Therefore, we divided the safety aspect as follows:

I. Biological safety

1. Auxotrophic Strain

We created an auxotrophic strain so that, in case of an accident, the bacteria will not be able to grow in the environment. Secondly, auxotrophy can serve as a selection marker, replacing the need for an antibiotic resistance gene in the bacteria and thereby minimizing the possibility of spreading antibiotic resistance through horizontal gene transfer to bacteria in the environment.

2. Packaging is key!

For this part, we were advised to contact experts in the logistics area. Thus, we reached out to courier companies that deal with such shipments, and we also discussed the matter with our Biosafety Officer. The take-away from both sources of expertise was that the most important line of defense against spills and accidents is solid packaging. Recommended packaging includes double containment: first, the tube/device containing the bacteria, and second, a cardboard box to contain the tube/device. Between the first and the second containment, there should be an absorbent material to soak up any spill. Moreover, it is also important to put a correct label on the package so that it can be handled accordingly. Our bacterial strain falls into the category of non-pathogenic GMO, labeled as UN 1845. Since our bacteria are not pathogenic, the safety requirements for transport are relatively less strict. The courier company itself shows readiness to handle biological deliveries, as it has trained personnel at critical points throughout the world to handle biological material. However, it should be noted that these materials are delivered through the regular network, meaning that they would also be handled by regular drivers.

3. Microorganism survival

Our Biosafety Officer pointed out that we need to take into account how long our bacteria can survive at room temperature during delivery, and whether we need to devise extra measures to keep the bacteria alive but not growing. Thus, we planned a survival test for our bacteria over 1, 2, 3 and 4 days in order to design the best shipping method.

Safety divisions

II. Data safety

Data security is an important aspect of sending information. The key measure is encryption, for which there are a number of methods and algorithms.

In the development of our project, we have considered multiple options such as:

  1. Modifying the masking function of the QR code
  2. Using symmetric/asymmetric encryption by considering elements such as password or digital signature

During our process, we had discussions with people who are actively engaged in the theoretical as well as the practical side of cybersecurity, and who provided valuable insight into how we should make our data safer. The two parts that concern our data security are presented below.

1. Encryption Methods - AES

AES (Advanced Encryption Standard) is a symmetric-key encryption cipher and is mostly seen as the landmark for encrypting data. AES is NIST-certified, and in terms of use, it can be regarded as a standard freely available for public, private, commercial, or non-commercial purposes. Being symmetric means that the same key used to encrypt the data is used to decrypt it.

Benefits for security:

  1. Requires much less computational power
  2. Symmetric ciphers are much more useful for bulk encrypting large amounts of data
  3. Most CPU manufacturers have now integrated the AES instruction set into their processors
  4. The hardware boost improves AES performance on many devices as well as improving their resistance to side-channel attacks
  5. A transparent selection process helped create a high level of confidence in AES among security and cryptography experts
  6. The U.S. government stated that AES has a valuable usage for protecting classified information, and it soon became the default encryption algorithm for protecting classified information as well as the first publicly accessible and open cipher approved by the NSA for top-secret information.

Safety divisions
Image source: Medium.com

AES comprises three block ciphers: AES-128, AES-192 and AES-256. Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128, 192 and 256 bits, respectively. For our project, we have chosen AES-128. This encryption system is unbreakable when implemented properly. In cryptographic security, the strength of an algorithm is quantified through its cryptographic strength. This is given as the effective strength in bits of a security primitive (the key), or put differently, the number of tries necessary to break the key.

For AES-128, the effective strength is indicated as $2^{126}$ trials, or 126 bits (the best attack). The time that is necessary to crack it is $10^{18}$ years. The most powerful supercomputer in the world as of 2017 was the Sunway TaihuLight in China, and in terms of speed it had a capability of 93.02 petaflops. Even for this supercomputer, it would still take approximately 885 quadrillion years to brute force a 128-bit AES key.

Another important security feature with respect to the key strength is the Landauer limit. This reflects the minimum amount of energy required to erase 1 bit of information. The formula is:

$L_l = kT \ln 2$, where:
  1. $L_l$ - Landauer limit
  2. $k$ - Boltzmann constant ($1.38 \times 10^{-21}$ J/K)
  3. $T$ - temperature (K)
  4. $\ln 2 = 0.69315$

Simply flipping through the possible values for a 128-bit symmetric key would require $2^{128} - 1$ bit flips on a conventional processor. The Landauer limit can be applied to estimate the energy required as ~$10^{18}$ J ≈ 30 gigawatts of power for 1 year.

This is equal to $30 \times 10^{9}$ W $\times 365 \times 24 \times 3600$ s $= 9.46 \times 10^{17}$ J, or 262.7 TWh (which is >1% of the world's energy production). Having considered these facts, AES-128 is the suitable choice for us in securing the data that we want to send, before introducing it into the QR code.

The key would be sent via a letter, also holding the password to access the information.

2. QR Code

One of the methods used for data sharing is the QR (Quick Response) code. This functions as a 2D matrix code that conveys information through the arrangement of its dark and light elements in columns and rows. The QR code is specified in the standard ISO/IEC 18004:2006(E).

QR codes can be used for multiple purposes. One can encode up to 4000 alphanumeric characters and these are usually used for coding website links, URL, small texts, images etc.

General security issues:

  1. QR codes themselves cannot be hacked, but the action they trigger can be manipulated without modifying the actual code
  2. The URL that the QR code contains can be repurposed (e.g. to a different company)
  3. There is a high number of free apps that allow QR code creation, which could be used to produce QR codes that could control cell phones, gain access to photos and messages, listen to private conversations, etc.
  4. Identity and data theft
  5. Attack vectors – SQL injections: if a scanning application uses a database to store scanned entries, this injection can bypass authentication mechanisms

Security issues that we have taken into account for our iGEM project:
  • Getting access to the growing conditions
  • Reading the QR code with any application
  • Unauthorized access to the information encoded in the QR code

In order to enhance the level of safety in sending the data, before encoding the information we used AES-128 to generate a fixed string of characters, and that string was used to generate the QR code. Therefore, even if someone manages to scan and crack the QR code, they will end up with a random string of characters with no meaning. To sum up, our project involves a double layer of safety: physical, from the biological part, and digital, in terms of AES and the QR code.
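
The encrypt-then-encode step described above, as an added example that is not the team's own code: the message is encrypted with AES-128 and the resulting string is what a QR generator would receive, so a scan without the password yields only ciphertext and an altered code is rejected. Assumptions not taken from the page: GCM as the AES mode (the page names none), scrypt to turn the letter's password into the 128-bit key, Node.js's built-in crypto module, and the hypothetical function names and payload layout.

```javascript
// Added example, not the team's code. Uses only Node.js built-in crypto.
const { createCipheriv, createDecipheriv, randomBytes, scryptSync } = require('crypto');

const SALT_LEN = 16;        // random salt for password-to-key derivation
const NONCE_LEN = 12;       // GCM nonce, fresh for every message
const TAG_LEN = 16;         // GCM authentication tag
const QR_MAX_BYTES = 2953;  // byte-mode capacity of a version 40, level L QR code

// Assumption: the AES-128 key is derived from the password sent in the letter.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 16); // 16 bytes = 128-bit key
}

// Encrypt and return the base64 string to hand to a QR generator.
// Layout (hypothetical): salt || nonce || tag || ciphertext.
function sealForQr(password, message) {
  const salt = randomBytes(SALT_LEN);
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv('aes-128-gcm', deriveKey(password, salt), nonce);
  const ct = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const text = Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]).toString('base64');
  // Base64 contains lowercase letters, so the QR encoder has to use byte mode.
  if (text.length > QR_MAX_BYTES) throw new RangeError('payload too large for one QR code');
  return text;
}

// Decrypt a scanned string. Returns null for a wrong password or an altered payload.
function openFromQr(password, scanned) {
  const raw = Buffer.from(scanned, 'base64');
  if (raw.length < SALT_LEN + NONCE_LEN + TAG_LEN) return null;
  const salt = raw.subarray(0, SALT_LEN);
  const nonce = raw.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = raw.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  try {
    const decipher = createDecipheriv('aes-128-gcm', deriveKey(password, salt), nonce);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: none of the output may be used
  }
}

// Constructed sample values, for illustration only.
const qrText = sealForQr('constructed-passphrase', 'constructed sample message');
console.log(qrText.length, openFromQr('constructed-passphrase', qrText));
```

Because the salt and nonce are random, encrypting the same message twice produces two different QR payloads.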