Levels of security according to the easiness to steal biometric data

Arshad Noor arshad.noor at strongauth.com
Wed Apr 16 23:42:02 EDT 2008

A paper was presented at the NIST/OASIS-sponsored IDtrust
conference in Gaithersburg, MD last month that attempts
to start quantifying how authentication technologies can be
graded based on their ability to resist attacks.  The
paper - Identity Protection Factor (IPF) - and all others
from the conference are available at:


Arshad Noor
StrongAuth, Inc.

Philipp Gühring wrote:
> Hi,
>> QUESTION: Does anybody know about the existence of
>> security research in the area of grading the easiness to
>> steal biometric data.
> There are several relevant threats:
> * Accidental leaking of the biometric data (colour-photos for face, fingerprints
> on glasses for fingers, public documents for human signature)
> * Intentional stealing of biometric data (cellphone cameras, hidden 
> cameras, ...)
>> For example, I guess that stealing information of
>> someone's "face" is easier than stealing information
>> about someone's "fingerprints",
> Depends.
> Stealing fingerprints is easy if you hand the target person a glass of water.
> With "face" you have to differentiate between the different kinds of faces.
> Taking colour photos of faces is easy. Taking infrared photos of faces, or 
> taking 3D scans of faces, ... is much harder.
>> but stealing information about someone's "retina"
>> would be much harder.
> Yes, stealing retina is harder. (It's even harder in the normal usage ...)
>> Such a scale can be useful in the design of secure
>> protocols and secured information systems.
> Yes. Choosing the right biometrics for the right application, implementing it 
> correctly and educating/training the users properly can be challenging.
> But in the end, you can steal any biometric data if you really want to.
> (Take a look at the film Gattaca to see how this can be done in practice. 
> I didn't notice any technically really unrealistic things in the film
> Gattaca.)
> Another important question is whether you can apply a faked/copied biometric 
> at a certain place. It could be difficult to mount an attack with a full face
> mask at a guarded entry point. But applying fake fingerprints is far less
> noticeable for guards.
> (It might be easy to steal the face, but you can't apply it due to all entries 
> being guarded)
> Tamper evidence, Tamper protection, Tamper proof, Tamper resistance ...
> As usual, it depends on your threat-models, on your environment, on your 
> resources, on your enemies, ...
> Best regards,
> Philipp Gühring
