biometrics

cryptography at summitsecurity.org
Fri Jan 25 17:55:42 EST 2002


Hi ...
I think it's safe to say that any system can be made worthless by improper
or inadequate implementation and that's no more or less true for biometrics
than anything else.  The "moderator's note" doesn't define "the entire
system physically secure" but it comes to my mind that rather trivially a
sensor system (iris reader, fingerprint reader etc.) can be immunized from
the suggested attack of "generating images and sending them" by the sensor
device possessing a cryptographic secret -i.e. a private key-, and the
business end of the system performing sufficient "client authentication" on
the sensor device to satisfy whatever security requirements exist.

[Moderator's note: If the iris reader is not in the physical control
of the actor depending on it for authentication, it can be broken
into, its cryptographic secret stolen, and then used to forge a "live
eye" claim sent to the actor. You can also replace part of the device
and feed it whatever analog or digital signal it is expecting from the
other part of the device to mean "Bob".

There is no such thing as a "tamper proof" device, and that goes
double for anything distributed to consumers and left in their sole
possession for indefinite periods. Alice cannot be sure it is Bob if
Frank can spend time physically attacking the reader so that he can
send Bob's iris print whether Bob is there or not. A physical
measurement of a subject is NOT a secret. It cannot be treated as a
secret. Biometrics cannot be used except if Alice completely and
reliably has physical control over the device she is using to identify
Bob. Anyone claiming otherwise is simply wrong. --Perry]

Then you are dealing with the problem of forging, or detecting the forging,
of "is-ness" (what do you mean by "is" your honor?).  In other words, has
something been presented to the sensor that it recognizes as valid but
which is not?  But I'd assert that biometric sensors can be made as immune
as one wants to pay for to forged stimuli.  Or combinations of sensors can
be used if you really care that much - pulse, heat, fingerprint
combinations and so forth.  

[Moderator's note: who is to say there is even a sensor at the other
end and not just a computer program telling you "This is Bob's iris"?
You cannot know. Combinations of sensors that aren't there are no
better than one sensor that isn't there. Combinations of sensors that
are having artificial signals injected are no better than one. --Perry]

But to say that "if you don't do biometric systems right they're not very
good" doesn't seem to add much to understanding how to make them good.

[Moderator's note: the implicit assumption is you can make them good. --Perry]

At 07:22 PM 1/25/02 +0100, Jaap-Henk Hoepman wrote:
>
>As much as I have my doubts about biometric systems I cannot let the below
>pass.
>
>On Wed, 23 Jan 2002 21:11:23 +0100 "Perry E. Metzger"
><perry at wasabisystems.com> writes:
>> However, as soon as you lose physical control over the device doing
>> the measurements or their communications path biometrics become worse
>> than useless. As one example, they're useless for authenticating
>> over-the-net bank account access -- the device on your desk that your
>> bank helpfully provides to scan your eye might not even be attached
>> when the cracker's software helpfully provides forged information down
>> the line. "Liveness" tests are not useful if you don't even know if
>> the biometric hardware at the other end is intact. Anything in a
>> user's location is by definition untrustworthy in this sense.
>
>Of course (and I think Dorothy mentioned this too), the measuring device and
>its connection to the verifying system must be properly protected. In case of
>the system Perry describes, a secure and fresh (ie fresh session key) link
>should be set up between the measuring device and the bank, so that
>eavesdropping _and_ replay/forgery is impossible. Even though most biometric
>systems may not implement this (I simply don't know), this is not a weakness of
>biometric systems per se.
>
>[Moderator's note: er, HUH? How does the link being realtime assure
>that the remote side isn't simply generating iris images and sending
>them to you? It doesn't. Biometrics are worthless except when the
>entire system is completely physically secure. --Perry]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
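
Added example, not part of the original message or thread: a sketch of the "fresh link plus sensor-held secret" arrangement discussed above, showing what the relying party's check establishes (freshness, integrity, possession of the key) and what it cannot distinguish (whether a sensor took the measurement). Assumptions: HMAC over a shared device key stands in for the private-key signature the message mentions, and the names `Verifier`, `respond` and `demo` and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed device secret; HMAC stands in for a private-key signature.
DEVICE_KEY = secrets.token_bytes(32)


class Verifier:
    """The 'business end': issues one-time challenges and checks responses."""

    def __init__(self, device_key):
        self._key = device_key
        self._open = set()  # challenges issued and not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def accept(self, nonce, sample, tag):
        if nonce not in self._open:
            return False  # unknown or already-used challenge: replay
        self._open.discard(nonce)
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def respond(key, nonce, sample):
    """What the reader sends: the sample bound to the fresh challenge."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


def demo():
    v = Verifier(DEVICE_KEY)
    sample = b"constructed-iris-template-for-bob"

    n1 = v.challenge()
    tag = respond(DEVICE_KEY, n1, sample)
    genuine = v.accept(n1, sample, tag)
    replayed = v.accept(n1, sample, tag)  # same message sent a second time

    n2 = v.challenge()
    altered = v.accept(n2, b"other-template", respond(DEVICE_KEY, n2, sample))

    # No sensor is involved here: the verifier sees only key + stored sample,
    # so this path is indistinguishable from the genuine one above.
    n3 = v.challenge()
    key_only = v.accept(n3, sample, respond(DEVICE_KEY, n3, sample))
    return genuine, replayed, altered, key_only
```

The last case is accepted for the same reason the first is: the check binds the response to the key and the challenge, not to a live measurement.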



