Levels of security according to the easiness to steal biometric data

Philipp Gühring pg at futureware.at
Wed Apr 2 12:46:44 EDT 2008


> QUESTION: Does anybody know about the existence of
> security research in the area of grading the easiness to
> steal biometric data.

There are several relevant threats:
* Accidental leaking of the biometric data (colour-photos for face, fingerprints 
on glasses for fingers, public documents for human signature)
* Intentional stealing of biometric data (cellphone cameras, hidden 
cameras, ...)

> For example, I guess that stealing information of
> someone's "face" is easier than stealing information
> about someone's "fingerprints",

Stealing fingerprints is easy if you hand the target person a glass of water.
With "face" you have to differentiate between the different kinds of faces.
Taking colour photos of faces is easy. Taking infrared photos of faces, or 
taking 3D scans of faces, ... is much harder.

> but stealing information about someone's "retina"
> would be much harder.

Yes, stealing retina is harder. (It's even harder in the normal usage ...)

> Such a scale can be useful in the design of secure
> protocols and secured information systems.

Yes. Choosing the right biometrics for the right application, implementing it 
correctly and educating/training the users properly can be challenging.

But in the end, you can steal any biometric data if you really want to.
(Take a look at the film Gattaca to see how this can be done in practice. 
I didn't notice any technically really unrealistic things in the film.)

Another important question is whether you can apply a faked/copied biometric 
at a certain place. It could be difficult to mount an attack with a full face 
mask at a guarded entrypoint. But applying fake fingerprints is far less 
noticeable for guards.
(It might be easy to steal the face, but you can't apply it due to all entries 
being guarded)

Tamper evidence, Tamper protection, Tamper proof, Tamper resistance ...

As usual, it depends on your threat-models, on your environment, on your 
resources, on your enemies, ...

Best regards,
Philipp Gühring
