
Biometrics for identification

By Jake Edge
April 2, 2008

Using a fingerprint or other physical characteristic, called biometric data, for identity verification seems, at first glance, like a perfect solution to the problem. Unfortunately, there are some basic problems with using biometric information that way. If the biometric data can be gathered by others, it no longer makes such a good identifier.

As part of a political protest against including fingerprints in passports, the Chaos Computer Club (CCC) published a fingerprint of German Home Secretary Wolfgang Schäuble. Schäuble is a supporter of collecting fingerprint data to combat terrorism. The club not only published the picture, but also a film that can be placed over a finger to deceive fingerprint scanners. A club spokesman has usage recommendations as reported in heise online:

> We recommend that you use the film whenever your fingerprint is taken, such as when you enter the US, stop over at Heathrow, or even when you touch bottles at your local super market -- just to be on the safe side.

It seems unlikely that CCC's distributed finger film will actually leave the Secretary's print on a glass surface, but more sophisticated versions of the same basic idea should be able to. Various folks have shown that using an image of someone's fingerprint can fool most scanners. Even sophisticated scanners can be spoofed when that image is placed over a live finger—with body temperature and pulse. The problem is that while a fingerprint is unique, it isn't secret. CCC got theirs from a sympathizer who picked it up from a glass used by the Secretary during a speech.

Bruce Schneier is, as usual, ahead of the curve on this. In an article from nearly ten years ago, he drives home the point:

> The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)

Other forms of biometric identification exist, but are susceptible to the same kinds of problems. A voiceprint or facial identification scanner could be fairly easily subverted by secretly recording or photographing the subject. Retinal scans are trickier, perhaps, but technology to remotely (and surreptitiously) read them will probably come along. In many cases, an attacker may not even need to go to that amount of trouble because they can just extract—or pay to have someone else extract—that information from some database.

More and more of this kind of information is being gathered and centralized. The US has started fingerprinting all ten fingers of non-citizens who enter the country—other countries have started doing it in retaliation. One could hope the data retention policy for that information is similar to that of White House emails, but it is probably longer. Worse yet, it is probably stored with photographs, passport information, and signature of the subject.

The key to using biometrics correctly is to repeat the Schneier mantra:

> Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy. Biometrics are unique identifiers, but they are not secrets.

Revocation of a biometric identifier is difficult or impossible—if it is even known to be compromised. One could potentially switch fingers for fingerprint identification, or even switch eyes—once. Switching voiceprint, face, or DNA, if and when that gets used, will be essentially impossible. Biometrics suffer from the same failure mode as using the same password everywhere, unless you can somehow use a different characteristic for each biometrically "protected" dataset—hard to do with limited body parts.

Biometric data does have its uses, but it has limitations as well. It seems seductively simple that your fingerprint is the same as you, but it isn't necessarily true. Now we just need to teach the politicians, which might be something that Schäuble is starting to learn.



Biometrics for identification

Posted Apr 3, 2008 2:53 UTC (Thu) by leonov (subscriber, #6295) [Link]

> The US has started fingerprinting all ten fingers of non-citizens 
> who enter the country.

You probably won't miss me, but this move is keeping one New Zealand citizen away from making
any plans to visit the States anytime soon.  Just way too 1984 for my tastes...

(Of course, we're known for fumigating visitors to our country, so who am I to point the
bone? :-)

Biometrics for identification

Posted Apr 3, 2008 6:52 UTC (Thu) by Mithrandir (subscriber, #3031) [Link]

+1

Though it's not just the fingerprints.  It's the entire culture of fear.  There are just too
many other interesting countries in the world that don't have these cultural problems.

I'm sure they don't miss me, and I don't miss going there.  So I guess we're all happy.

Biometrics for identification

Posted Apr 3, 2008 7:01 UTC (Thu) by kostas (guest, #5805) [Link]

> You probably won't miss me, but this move is keeping one New Zealand citizen away from making
> any plans to visit the States anytime soon.  Just way too 1984 for my tastes...

I made the same choice a week ago, so one less Cypriot citizen in the US (and we are so
rare!). 

The problem is that, if I'm not mistaken, the current EU directive requires that EU countries
issue passports with the ability to store fingerprints, although actually storing them is not
yet required. That will be coming soon and then no more traveling for me. 

Biometrics for identification

Posted Apr 3, 2008 10:28 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

You are right.  However the fingerprints are stored on RFID chips in the passport or identity
card.  Fortunately these chips have high failure rates (sometimes caused by being bent when
carried in a pocket, accidentally put into the washing machine or a microwave) and thus there
needs to be a backup scheme without the fingerprints; i.e. the plain old printed/glued-in
picture.

Biometrics for identification

Posted Apr 3, 2008 3:10 UTC (Thu) by mgh (guest, #5696) [Link]

With the theft of fingerprints from a database the way is open for a criminal to leave someone
else's fingerprints at a crime scene.  Interesting.

The trouble with biometric passwords (eg. on laptops) is changing your password is challenging
(generally people have 10 "passwords") and stealing/forging your password (biometric info) is
trivial.

How people can think that a method used for identifying people who inadvertently leave their
prints at a crime scene (ie. they didn't mean to) should become an alternative for a PASSWORD
is beyond me.

Maybe a scan and THEN a password would make slightly more sense?

Biometrics for identification

Posted Apr 3, 2008 10:08 UTC (Thu) by ayeomans (subscriber, #1848) [Link]

> With the theft of fingerprints from a database the way is open for a criminal to leave
> someone else's fingerprints at a crime scene.

Alternatively your lawyer could claim that one of a number of government agencies did it. And
they may not need to "steal" the data either.

Biometrics for identification

Posted Apr 4, 2008 17:13 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

The article implies that some people think a fingerprint is a password, but doesn't give any evidence of it. The idea never occurred to me. Are there security schemes or proposals that assume other people don't know my fingerprints?

I know there are schemes where I'm supposed to put my finger in a scanner and someone could circumvent it just by bypassing the scanner and supplying my fingerprint description. But that's not the same thing. The assumption there is that the data collection is trustworthy, not that nobody but me could know my fingerprint.

Biometrics for identification

Posted Apr 11, 2008 15:16 UTC (Fri) by robbe (guest, #16131) [Link]

> Are there security schemes or proposals that assume other people don't
> know my fingerprints?

Have you never seen someone who unlocks his or her laptop with a 
fingerprint reader (and no password, i.e. one-factor authentication)? I 
bet that they think this is secure because their fingerprint is just like 
a password. Otherwise it is pretty worthless against semi-interested 
attackers.

I am starting to wonder how many laptops don't have the owner's 
fingerprints right there, on their surface...

Biometrics for identification

Posted Apr 3, 2008 7:17 UTC (Thu) by pointwood (guest, #2814) [Link]

Great reference to the White House case :D

Biometrics for identification

Posted Apr 3, 2008 8:25 UTC (Thu) by james (subscriber, #1325) [Link]

Looks like Jon's sense of humour is beginning to rub off on Jake.

Biometrics for identification

Posted Apr 4, 2008 3:35 UTC (Fri) by sitaram (subscriber, #5959) [Link]

seriously, until I saw this comment I thought it *was* Jon... :-)

Nice going Jake -- now you're really part of LWN's editorial team!

Biometrics for identification

Posted Apr 4, 2008 12:45 UTC (Fri) by nlucas (subscriber, #33793) [Link]

There is only a small nitpick. While I usually understand Jon's humor lines, this is a bit US
centric, so I couldn't actually understand what he was talking about (even if I could guess).

Biometrics for identification

Posted Apr 4, 2008 13:09 UTC (Fri) by pointwood (guest, #2814) [Link]

I'm from Denmark. Yes, the story is American, but it was posted many places.

Biometrics for identification

Posted Apr 4, 2008 13:43 UTC (Fri) by nlucas (subscriber, #33793) [Link]

You are assuming I'm interested in what happens at the White House when watching the news (ok,
starting a war is "interesting" news).

Biometrics for identification

Posted Apr 4, 2008 14:30 UTC (Fri) by pointwood (guest, #2814) [Link]

No, I didn't assume anything. All I'm saying is that I instantly knew what he meant even
though I'm not a US citizen and thereby pointing out that even though it happened in the US,
the story reached far beyond the US borders (happens pretty often on that fancy internet
thingy).

Besides, a bit of googlefoo would quickly lead you to articles about it.

Biometrics for identification

Posted Apr 4, 2008 17:19 UTC (Fri) by nlucas (subscriber, #33793) [Link]

My bad, I didn't make myself explicit enough.

I only noticed it was a joke after the comments about it. When reading the article it was just
something I couldn't understand exactly what the writer was talking about but that wasn't
important enough to care.

Anyway, I said I was nitpicking on my original reply.

Biometrics for identification

Posted Apr 4, 2008 17:56 UTC (Fri) by sitaram (subscriber, #5959) [Link]

You're right, to some extent.  However, the issue in question (the White House losing emails)
was IT-related enough, esp. for people interested in stuff like privacy, data retention, etc.,
plus of course the general malfeasance of the present US government.

Actually, this issue was big enough that I seem to recall at least one article (maybe more)
about it in the local English newspaper here in Hyderabad, the city in India where I live.

Regards,

Sitaram

Uniqueness of fingerprints?

Posted Apr 3, 2008 7:44 UTC (Thu) by espeer (guest, #39062) [Link]

> The problem is that while a fingerprint is unique, it isn't secret.

Is a fingerprint even guaranteed to be unique?

http://biometrics.cse.msu.edu/Publications/Fingerprint/Pa...

And, even if they are unique... What resolution does a typical 
fingerprint scanner operate at? 

Assuming a 2000 dpi 8 bit grayscale scanner, then we're looking at a 
resolution of approximately 2000x1000x256 = 512 million possible images.

We have more than 6 billion people on the planet, so by the pigeon hole 
principle, at least 2 people will have the same fingerprint rendered by 
the scanner.

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:20 UTC (Thu) by jorism (subscriber, #21807) [Link]

I think you mean 256^(2000*1000) which is A LOT...

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:31 UTC (Thu) by espeer (guest, #39062) [Link]

Ah yes, that's more like it. I definitely typed that one up without 
thinking it through properly. My bad.

Uniqueness of fingerprints?

Posted Apr 3, 2008 10:56 UTC (Thu) by filipjoelsson (subscriber, #2622) [Link]

Doesn't matter. One fingerprint does not correlate with one valid image anyway, and not with
two either. I don't know what the correlation is, but I would bet on thousands of valid images
per fingerprint.

The problem is that a fingerprint isn't even presumed to be unique for every living human
(Wikipedia has three examples of false positives, from Europe and the US from 1997 to date,
that is clearly a limited population, time and fingerprint database). And while the
fingerprint has molecular resolution, an image of one hasn't - so uniqueness definitely drops
quite a bit. So instead of one in 100 million, you may very well drop to one in 100 thousand.

The pigeon hole principle certainly applies.

Uniqueness of fingerprints?

Posted Apr 4, 2008 2:16 UTC (Fri) by kevinbsmith (guest, #4778) [Link]

I went to wikipedia, hoping to read a cool article describing three pairs of people with
identical fingerprints. Boy was I disappointed.

This wikipedia article (http://en.wikipedia.org/wiki/Fingerprint) lists several cases where
fingerprint evidence was misleading, but none of them were likely due to two people actually
having the same fingerprint. One was a blatant clerical error, and one was simply shoddy
police work. In a third case, DNA evidence freed the suspect, and later investigations
concluded the police had misidentified the fingerprint.

The final case had a police officer's fingerprints found at a crime scene where she claimed
not to have been. Early fingerprint experts were of mixed opinions, but later examiners were
overwhelmingly convinced that the fingerprint was not hers. The image may have been ambiguous
and/or there may have been manipulation of the evidence.

So while I'm not a fan of biometrics, and I don't have absolute faith in fingerprints, this
particular article doesn't provide proof that there have been collisions. 

Uniqueness of fingerprints?

Posted Apr 3, 2008 9:56 UTC (Thu) by ayeomans (subscriber, #1848) [Link]

See FBI Appendix F specifications in
http://www.fbibiospecs.org/fbibiometric/docs/EBTS%20V8.00...
500 pixels per inch or 1000 ppi at 8 bits per pixel. Capture size 1.6" x 1.5" (600 Kpixels)
for roll finger or 1" x 2" for thumb (500 Kpixels).

But once you threshold the images, you effectively get rather less than 1 bit per pixel, as
there's a lot of correlation between pixels. Also rotations all count the same. My fingers
have more like 50 ridges per inch. But that's still a *lot* of possible values. 

After extracting the minutiae, there's rather less information held. One finger reader I have
states the software extracts between 10 and 70 minutiae points, held as (x,y) vectors, in a
transform claimed to be non-reversible. If coordinates are accurate to 6 bits, that means 10 x
(6+6) bits = 120 bits minimum. Still allows for significantly more possible prints than the
world population. 

See also Sir James Crosby's report,
http://www.hm-treasury.gov.uk/media/6/7/identity_assuranc..., suggesting that only
non-unique digital representations should be stored. This would allow the master copy in the
database to be replaced with another version, so would provide some limited options to
"change" a compromised fingerprint.

Uniqueness of fingerprints?

Posted Apr 6, 2008 11:32 UTC (Sun) by man_ls (subscriber, #15091) [Link]

Hmmm... doesn't the principle behind the Birthday paradox apply here? Even if there are 366 days in a year, the probability of two people having the same birthday reaches 0.5 with a group of only 23 people. Therefore you would only need roughly the square root of the number of possibilities to find a collision.

With 120 bits you are still safe, since the world population is about 2^32. But the security factor is not as high as it would seem. Surely we don't expect all values to be as likely, as with birthdays; if they tend to cluster around certain values (some kinds of fingerprint configurations are more probable than others) then collisions become increasingly likely.
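
Added example (not part of the original comments): the arithmetic from this sub-thread carried through in Python, using ayeomans' figure of 10 minutiae x (6+6) bits = 120 bits and the birthday-paradox argument above. It assumes templates collide only on exact equality and that about 6 billion people are enrolled; the skewed per-coordinate distribution is constructed purely to illustrate the clustering point.

```python
import math

WORLD_POPULATION = 6_000_000_000   # "more than 6 billion people" (from the thread)
TEMPLATE_BITS = 120                # 10 minutiae x (6 + 6) bits (from the thread)


def exact_collision_probability(n, space):
    """Exact P(at least one collision) for n uniform draws; fine for small n."""
    p_distinct = 1.0
    for k in range(n):
        p_distinct *= (space - k) / space
    return 1.0 - p_distinct


def collision_probability(n, space):
    """Birthday approximation 1 - exp(-n(n-1)/(2N)).

    expm1 keeps precision when the probability is far below 1e-16.
    """
    return -math.expm1(-n * (n - 1) / (2.0 * space))


def population_for_half(space):
    """Population at which a collision becomes a coin flip: sqrt(2 N ln 2)."""
    return math.sqrt(2.0 * space * math.log(2))


def bits_for_half(n):
    """Template size (in bits) below which n people probably contain a collision."""
    return math.log2(n * (n - 1) / (2.0 * math.log(2)))


def effective_bits(probabilities):
    """Collision entropy -log2(sum p_i^2): the bits that count for collisions.

    Equal to log2(len) for a uniform distribution, lower when values cluster.
    """
    return -math.log2(sum(p * p for p in probabilities))


# Constructed skew: half of all 6-bit coordinates fall on 8 of the 64 values.
SKEWED_COORD = [0.5 / 8] * 8 + [0.5 / 56] * 56


def skewed_template_bits(coords=20):
    """Effective bits of a 20-coordinate template if coordinates are independent."""
    return coords * effective_bits(SKEWED_COORD)


if __name__ == "__main__":
    print("23 people, 366 days:      %.4f" % exact_collision_probability(23, 366))
    print("6e9 people, 120 bits:     %.3g"
          % collision_probability(WORLD_POPULATION, 2 ** TEMPLATE_BITS))
    print("coin-flip population:     %.3g" % population_for_half(2 ** TEMPLATE_BITS))
    print("bits needed for 6e9:      %.1f" % bits_for_half(WORLD_POPULATION))
    skew = skewed_template_bits()
    print("skewed template bits:     %.1f" % skew)
    # Approximation: treats the skewed space as a uniform one of 2**skew values.
    print("6e9 people, skewed:       %.3g"
          % collision_probability(WORLD_POPULATION, 2.0 ** skew))
```

The margin comes from the template being well above roughly 65 effective bits, twice log2 of the population; a matcher that accepts near-matches rather than exact equality shrinks the effective space further than this model shows.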

Biometrics for identification

Posted Apr 3, 2008 13:21 UTC (Thu) by pkern (subscriber, #32883) [Link]

Last time I looked fingerprints of non-citizens under the Visa waiver programme (US-VISIT)
were stored for 99 years.  Well, so much for data retention.

Facial Recognition for verification *only*

Posted Apr 3, 2008 13:22 UTC (Thu) by bjanz (guest, #1560) [Link]

In 1997, I was the lead programmer for an OTC DL/ID (over-the-counter driver license and ID)
system delivered to the State of West Virginia.  Each "capture station" was equipped with a
video camera, fingerprint camera, and signature pad.  WV residents could refuse to give a
fingerprint when getting a license, so we couldn't depend on fingerprint minutiae to confirm
identity.  This was the first time that a state-level OTC DL/ID system used biometric
information as a way to make an *issuance decision* rather than just confirm identity.

We generated an identification "template" from each facial image captured by the video camera.
When the same person came to get another document, we compared the new template against
the stored template and used the result to either grant or deny issuance of the license.  Both
images were displayed on the screen so the operator could also see the current and "new"
images.  Operators couldn't override the system in cases where the template comparison
indicated "no match".  Local managers *could*, and a record of every override was uploaded to
the central storage location in the capital.

There was only one goal: to try to cut down on fraudulent license issuance.  The original
system issued to WV did not have the capability to search through images and return
demographic data.  Nor did it have the ability to display multiple historical images: only the
"current image on file" could be displayed.  Hence, it was intentionally limited in
capabilities.

Our image template was generated on an image taken at a specific distance from the camera,
and the image was captured against a specific colored background.  The same camera (or
model), the same background, and the same distance from the camera (size of face within the
image boundaries) had to be *identical* to the previous image.  If any of the specifications
differed, the resulting template wouldn't produce a suitable match against the template on
file.

And, even with all of those limitations, we still had a significant false-positive and
false-negative error rate.

Knowing what I knew then, and having closely followed the industry, I can say that we are
probably still decades away from practical biometric "face in a crowd" identification systems.
And, knowing what I do about how easily some of these mechanisms can be either faked or
spoofed, I would also require *multiple* biometric identifications for legal identification.
Some combination of multiple fingerprints, palm print, retinal check, signature, and facial
template - at least 3 - should be required for legal (non-passport) purposes.



Biometrics for identification

Posted Apr 3, 2008 15:35 UTC (Thu) by smoogen (subscriber, #97) [Link]

I am guessing that someone will figure out a way to get retinal data via red-eye flashes and
200 megapixel cameras. 

In the end, "Something a person is" is probably the easiest factor of authentication to
spoof... and should only be used as a 'factor' with multiple authentications... and other
factors involved to be useful.

Biometrics for identification

Posted Apr 3, 2008 15:37 UTC (Thu) by iabervon (subscriber, #722) [Link]

"Revocation of a biometric identifier is difficult or impossible—if it is even known to be
compromised."

You're forgetting Schneier's mantra. Biometric identifiers are always known to be as
compromised as they can be. As soon as, or before, you use one for identification, it is
compromised. Once anyone anywhere takes your fingerprints, or you touch some surface without
wiping it off afterwards, somebody can get your fingerprints. It's meaningless to revoke a
biometric identifier, because all of the possible replacements are also presumably known to
potential attackers. The only security that comes from biometrics is the difficulty of making
a convincing claim to really have the biometric (which ranges from very little for practically
any automated device to quite high for a human).

Biometrics for identification

Posted Apr 4, 2008 17:46 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Both you and the article are starting from the assumption that a biometric identifier is a password, because that is the only way in which "compromised" means "known." Publishing a voiceprint does not compromise it as an identifier. Compromising it would mean someone somehow gets the ability to speak in that voice. (Maybe more believable would be that a bad guy finds a suitable voice double for a person of interest). Then you'd have to revoke it as an identifier, and yes, that would be a lot harder than revoking a compromised password.

down with biometrics; I like to keep my parts

Posted Apr 3, 2008 18:35 UTC (Thu) by astrophoenix (guest, #13528) [Link]

for some reason, all I can think about whenever biometrics come up, is 
worrying about someone cutting off my finger or ripping out my eyeball. 
never discount the stupidity of criminals!

down with biometrics; I like to keep my parts

Posted Apr 4, 2008 22:58 UTC (Fri) by mpokrywka (subscriber, #43229) [Link]

Heh, I loved Wesley Snipes "hacking" the retinal scanner in Demolition Man...
My favorite sci-fi book "Limes Inferior" by J. Zajdel (1982) had "glove makers" - criminals
stripping victims' hand skin to access a fingerprint-guarded "key/wallet" (unfortunately the
book was not translated into English).
Let's hope biometrics won't be implemented in everyday use...

Social security numbers

Posted Apr 4, 2008 22:52 UTC (Fri) by quotemstr (subscriber, #45331) [Link]

I've long believed that the core problem with social security numbers is that they're used for
both identification and authentication. It's like letting unix users log in with only a
username, then trying to prevent the users from leaking their names to each other.

It'd be much safer to make all SSNs public, and let anyone use them for identification. To act
on behalf of someone with a given SSN, you'd need the corresponding secret code. Since most
places that record SSNs use them only for identification, this scheme would hugely reduce the
incidence of identity theft.

behaviorally-based biometrics

Posted Apr 10, 2008 13:35 UTC (Thu) by jabby (guest, #2648) [Link]

During my undergraduate studies I developed a proof-of-concept program that used a neural
network to recognize a user's typing style (as the cadence of keystroke timings from the
keyboard).  In the resulting paper [<http://dx.doi.org/10.1142/S146902680200052X>], I of
course acknowledged that this is not intended to be a complete security/identification
solution, but merely one option for inclusion in a set of methods.  I imagine someone typing
in their username and password and, in addition to validating the username and password, it
validates the way in which they are typed.  Other researchers have developed systems that
constantly monitor the keystroke activity of the user while interacting with the system.  If
at any point the typing behavior changes, the system can react appropriately (going into
lock-down mode or just sending an alert to an administrator).

My system worked fairly well, usually requiring only one or two attempts at the typing
challenge to be recognized and only rarely recognizing a false positive.  With tuning, I'm
sure it could have been improved.

The point is that behaviorally-based biometrics are *slightly* better than physically-based
ones in that it's harder to steal them and that they aren't entirely fixed.  In the scenario
of the keystroke timing recognition technique, the timings could potentially be stolen over
the wire and a repeat attack might then gain access.  But, combine that with some physical
form of ID, like a keyfob, and a memorized passphrase or password and now you're talking.  I
also imagine the person's typing style changing over time, like their signature.  The database
of keystroke timings would have to be updated periodically with new samples from the
authenticated user, perhaps gradually and automatically through some statistical recognition
of a slight but acceptable deviation from the current set.

I'm not arguing with the article at all.  I am actually in complete agreement that physical
attributes should never be treated like secret keys.  I just wanted to point out a dichotomy
in the realm of biometrics that might be worthy of separate consideration.

behaviorally-based biometrics

Posted Apr 10, 2008 23:42 UTC (Thu) by nix (subscriber, #2304) [Link]

Something I've wondered about for some time with these systems: what do 
you do if the user breaks an arm, or changes his keyboard, or is typing 
over a slow and laggy network?

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds