Levels of security according to the easiness to steel biometric data
Arshad Noor
arshad.noor at strongauth.com
Wed Apr 16 23:42:02 EDT 2008
A paper was presented at the NIST/OASIS-sponsored IDtrust
conference in Gaithersburg, MD last month, that attempts
to start quantifying how authentication technology can be
graded based on their ability to resist attacks. The
paper - Identity Protection Factor (IPF) - and all others
from the conference are available at:
http://middleware.internet2.edu/idtrust/2008/program.html
Arshad Noor
StrongAuth, Inc.
Philipp Gühring wrote:
> Hi,
>
>> QUESTION: Does anybody knows about the existence of a
>> security research in area of grading the easiness to
>> steel biometric data.
>
> There are several relevant threats:
> * Accidental leaking the biometric data (colour-photos for face, fingerprints
> on glasses for fingers, public documents for human signature)
> * Intentional stealing of biometric data (cellphone cameras, hidden
> cameras, ...)
>
>
>> For example, I guess that stealing information of
>> someone's "face" is easier than stealing information
>> about someone's "fingerprints",
>
> Depends.
> Stealing fingerprints is easy if you hand the target person a glass of water.
> With "face" you have to differentiate between the different kinds of faces.
> Taking colour photos of faces is easy. Taking infrared photos of faces, or
> taking 3D scans of faces, ... is much harder.
>
>> but stealing information about someone's "retina"
>> would be much harder.
>
> Yes, stealing retina is harder. (It's even harder in the normal usage ...)
>
>> Such a scale can be useful in the design of secure
>> protocols and secured information systems.
>
> Yes. Choosing the right biometrics for the right application, implementing it
> correctly and educating/training the users properly can be challenging.
>
> But in the end, you can steal any biometric data if you really want to.
> (Take a look at the film Gattaca to see how this can be done in practice.
> I didn't noticed any technically really unrealistic things in the film
> Gattaca.)
>
> Another important question is whether you can apply a faked/copied biometric
> at a certain place. It could be difficult to mount an attack with a full face
> mask at a guarded entrypoint. But applying fake fingerprints is far less
> noticable for guards.
> (It might be easy to steal the face, but you can't apply it due to all entries
> being guarded)
>
> Tamper evidence, Tamper protection, Tamper proof, Tamper resistance ...
>
> As usual, it depends on your threat-models, on your environment, on your
> resources, on your enemies, ...
>
> Best regards,
> Philipp Gühring
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list