biometrics

Phillip H. Zakas pzakas at toucancapital.com
Wed Jan 23 11:34:13 EST 2002



> Perry E. Metzger writes:
> 
> In general, I have to say that biometrics are useless for the majority
> of day to day authentication tasks I have to deal with, because the
> unit I'm authenticating from (say, my laptop computer) can simply lie
> to the counterparty at will about what it is measuring.
> 
> However, as soon as you lose physical control over the device doing
> the measurements or their communications path, biometrics become worse
> than useless.

I completely concur with this view.  Biometrics are well on their way to
replacing passwords (the traditional view of biometrics...debatable),
but they have not increased security in the process.  In any classic
'red team' attack on a network or database or workstation, etc. secured
by biometric identification there are two approaches to pursue:

1.  Replace the intended biometric data, stored in the authentication
database, of a known person with your own biometric data so that when
you authenticate the database matches your data instead of the data of
the original person -- as far as the system is concerned you are that
person and have all of their access rights.  Auth databases are often
centralized and available to query/access from all kinds of places (not
the least of which are the authentication stations) and it's often true
these databases aren't well protected in a network.  Of course, it
doesn't require a stretch of the imagination to realize this attack can
be used for all kinds of auth data stored in any kind of database.

2.  Sniff packets/signals over the wire during an authentication session
and use stuff as simple as tcpdump and tcpreplay to replay the
authentication sequence...you'd be surprised how often this trick works.
And of course this type of attack works extremely well against
card-based access systems.

So the issue in my mind is not whether biometrics can measure the
'liveliness' of the object being detected...this isn't even (in my
opinion) rocket science.  Rather, it's this: how secure and trustworthy
is the ENTIRE security system, and how secure and trustworthy are the
things being protected.  (And I don't think defense in depth is an
answer either...layers help but they don't address fundamental security
problems in poor network/OS/DB/process/opsec/etc. designs.)
 
phillip
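A defensive counterpart to the two attacks described in the message above, added here as an illustration and not code from this thread: a toy verifier that MACs each enrolled template under a key the auth database never holds (so a swapped record is caught) and binds each sensor report to a one-time challenge (so a captured authentication sequence cannot be replayed). It assumes, as the thread's own point requires, that the sensor and its key are genuinely trusted; user names, templates and keys are constructed for the demo.

```python
import hashlib, hmac, secrets
# Constructed demo keys (assumption): TEMPLATE_KEY lives only in the verifier,
# never in the auth database; SENSOR_KEY is shared by verifier and sensor only.
TEMPLATE_KEY = secrets.token_bytes(32)
SENSOR_KEY = secrets.token_bytes(32)

def mac(key, *parts):  # length-prefix each field so concatenation is unambiguous
    return hmac.new(key, b"".join(len(p).to_bytes(4, "big") + p for p in parts), hashlib.sha256).digest()

def enroll(db, user, template):
    # Store the template with a MAC the database server cannot forge.
    db[user] = (template, mac(TEMPLATE_KEY, user.encode(), template))

def template_intact(db, user):
    template, tag = db[user]
    return hmac.compare_digest(tag, mac(TEMPLATE_KEY, user.encode(), template))

def sensor_report(user, nonce, reading):
    # What a trusted sensor sends: its reading bound to this session's challenge.
    return (user, nonce, reading, mac(SENSOR_KEY, user.encode(), nonce, reading))

class Verifier:
    def __init__(self, db):
        self.db = db
        self.outstanding = set()  # challenges issued but not yet consumed
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, reading, tag):
        if user not in self.db or not template_intact(self.db, user):
            return False  # unknown user, or the stored record was swapped
        if nonce not in self.outstanding:
            return False  # stale or reused challenge: a replayed capture fails here
        self.outstanding.discard(nonce)  # one attempt per challenge
        if not hmac.compare_digest(tag, mac(SENSOR_KEY, user.encode(), nonce, reading)):
            return False
        return reading == self.db[user][0]  # exact match stands in for fuzzy biometric matching

def demo():
    db = {}
    enroll(db, "alice", b"alice-template")
    v = Verifier(db)
    msg = sensor_report("alice", v.challenge(), b"alice-template")
    first = v.verify(*msg)   # genuine session: True
    replay = v.verify(*msg)  # same capture replayed: False, challenge already consumed
    db["alice"] = (b"other-template", db["alice"][1])  # record swapped behind the verifier
    swapped = v.verify(*sensor_report("alice", v.challenge(), b"other-template"))  # False
    return first, replay, swapped
```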




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com