[SIMSOFT] machine shop -Biometrics Slouches Toward the Mainstream

[R. A. Hettinga]

--- begin forwarded text


Status: RO
To: rah at shipwright.com
From: Simson Garfinkel <simsong at lcs.mit.edu>
Date: Wed, 25 Sep 2002 23:03:40 -0400
Sender: simsoft-admin at nitroba.com
Subject: [SIMSOFT] machine shop -Biometrics Slouches Toward the Mainstream

Dear Friends,

I'm happy to announce that I've started a new column with CSO Magazine, a
new publication from IDG. You can find out more about CSO Magazine on the
company's website, http://www.csoonline.com/

My first column is on biometrics. You can find it at
http://www.csoonline.com/read/090402/machine.html ;
I've reprinted it below

Machine Shop
Biometrics Slouches Toward the Mainstream
Badge Cams
Steganography Tools		Biometrics Slouches Toward the Mainstream
The systems are getting cheaper, but accuracy and acceptance kinks remain
BY SIMSON GARFINKEL
WITH FACE recognition systems turning up in airports, palm geometry
scanners installed at "secure" Exodus hosting  facilities, and Panasonic
selling the Authenticam iris recognition system for less than $200,
biometrics have finally moved from the laboratory to the marketplace.
Indeed, the International Biometrics Group pegs the market at $524 million
in 2001, growing to $729 million in 2002. But if you screen out the hype,
you'll soon discover that few of those applications have progressed beyond
technology demonstrations and early adopters. Having lived with a
voice-print lock on my front door for seven years, I have a few words of
advice to CSOs: Step slowly when deploying biometric systems within your
organization. Instead of using biometrics to let people log in to their
computer systems, start by using them to control physical access to
buildings and high-security areas. Finally, make sure that you have a
backup for when the system fails-because eventually, it will.

Fingerprints Everywhere
As the name implies, biometrics involves measuring the human body. In
theory, any aspect of the body that is different for each person and that
can be consistently measured can serve as a unique identifier. In practice,
the biometrics being deployed can be packaged into readers costing $300 or
less, which today means principally fingerprint-, iris- or
voice-recognition systems.



Automatic fingerprint identification systems have been used with great
success by law enforcement agencies since the 1980s. Fingerprints are by
far the most widely used biometric today, and the most widely respected.
Most people take it as a matter of faith that each person has his own
unique fingerprint and that a computer can rapidly search out one person's
fingerprint from a database of millions. Indeed, we have become so enamored
with the concept of fingerprints that the word is popping up all over:
DNA-based identification systems are known as DNA fingerprinting; and the
MD5 message digest code is commonly referred to as the fingerprint for a
file.

But it's important to realize that the fingerprint systems that have been
developed and refined for law enforcement are not the fingerprint readers
that are making their way onto desktop computers. Law enforcement agencies
use trained technicians to record fingerprints with ink and paper on
10-print cards; those cards are then digitized using an optical scanner and
analyzed using proprietary algorithms. Pen-and-ink systems obviously can't
work in a corporate desktop environment, so a number of companies have
tried to create so-called "live-scan" readers that will scan a fingerprint
directly from a finger into the computer. The catch: Those readers don't
work for everybody. "Many live-scan fingerprint readers have a hard time
getting a good fingerprint on, for example, people who have dry skin," says
Charles Wilson, a biometric expert at the National Institute of Standards
and Technology. Those readers can also fail with thin skin or shallow
ridges-traits common among the elderly. Depending on the reader, roughly
one person in 1,000 may not scan successfully.

Iris identification is even more accurate than fingerprints, thanks to the
tremendous detail and variation in each person's eyes. However, there is
again a small percentage of people who cannot use those systems, because,
for example, of an inability to stabilize their iris, says James L. Wayman,
director of Biometric Research at San Jose State University.

Biometrics can also be fooled by sudden changes in a person's body-cut your
finger, and you might not be able to log in. For all of those reasons and
many more, every biometric that's deployed in a real-life setting needs to
have some kind of back door to let people in who can't, for whatever
reason, properly authenticate.

Authentication Vs. Identification
Biometrics can be used in two different ways. The technology can be used to
authenticate an individual by comparing a biometric reading from a person
with a single stored template, the so-called "one-to-one" application. A
biometric-enabled ATM might check to see if the iris of the person who is
trying to withdraw money matches the iris for the account holder that's on
file. Used in this manner, biometrics can be exceedingly
accurate-especially if it is used in conjunction with a second factor, such
as a smart card, PIN or password.

Alternatively, biometrics can be used to identify a person from a database
of thousands or millions-the so-called "one-to-many" application. This is
the way that biometric face ID systems from companies such as Viisage and
Visionics (now called Identix) are being used at airports to scan for known
terrorists. The computer has a database of known bad guys, and it consults
the entire database as each potential traveler walks by. Those systems are
inherently less accurate than one-to-one because the chances of a mismatch,
or "false positive," are proportional to the size of the database.

On the surface, biometrics seem like the perfect tools for authenticating
computer users. The fingerprint systems developed and refined for law
enforcement are not the fingerprint readers that are making their way onto
desktop computers.  Unlike passwords, a biometric print can't be
forgotten-no more passwords written on yellow sticky notes-and bioprints
can't be shared, sold or stolen by social engineering. Indeed, that's one
of the reasons that I bought an ECCO voice-print lock for my front door: I
was renting out a spare room in the house, and with the biometric reader, I
never had to change my house's locks.

But biometrics are not foolproof: A person's bioprint can be captured,
copied and then fraudulently submitted for verification. For this reason,
readers need to have some sort of built-in security to make sure that they
are actually performing a live scan; encryption should be used to protect
data as it travels from the reader to the database; and the verification
software should reject attempts that are too close a fit. Meanwhile,
experienced biometric scientists know that they should never use a
fingerprint scanner that doesn't have a pulse detector or some other way to
detect the culpable use of a severed digit.

Be very wary if you hear a company boasting about its system for "biometric
encryption." Because a biometric print will never read exactly the same way
twice, biometric encryption systems need some form of error correction so
that encrypted data can actually be decrypted at a later point in time.
This error correction makes it easier for an attacker to "guess" the
correct encryption key, since a close guess will be corrected. An even
bigger problem with those systems: If your key is compromised, there is no
way to change your fingerprint.

Better for Doors Than Windows
That's why I'm a big fan of using biometrics for physical access
control-such as the front door lock that I had for so many years. Besides
preventing people from sharing or duplicating keys, the lock made it clear
to visitors that I took security seriously.

Deploy a fingerprint-based time-card reader at a supermarket and you can be
sure that clerks won't be punching each other's time cards. Likewise, a
hand geometry reader installed at an airport will prevent an $8/hour
employee from giving the access code to a terrorist or selling a card for a
few thousand dollars (and then reporting the card "lost" a few hours
later). Even better, those systems are sold today as sealed, stand-alone
units, which makes them both more reliable and more resistant to attack
than bioprint readers on Internet-connected computers.

Within the coming months, expect to see live-scan fingerprint readers
turning up in laptops and cell phones. Integration done by the manufacturer
will reduce cost-ultimately to $25 or less-and increase the chances that
those systems will actually work as intended. If they do, and if they are
accepted by end users, then biometrics might take off in the coming years.
If not, biometrics will probably be sent back to the labs for another
decade of R&D.

Simson Garfinkel, CISSP, is a technology writer based in the Boston area.
He is also CTO of Sandstorm Enterprises, an information warfare software
company.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com