Now, common sense will tell us that biometrics is all about only unique identifiers, but not secrets. A security expert will tell you that it is better to choose different authentication mechanisms for different systems. Do you use the same lock and key for your car and safety-vault? But with biometrics, you can use the same thumb to allow entry into your office, open confidential documents, read your e-mail, and buy stuff online. Will you want your thumb to be the single point of access and hence failure?

Fingerprint readers can serve better only if someone else monitors them when they are used. It is easy to fake a fingerprint with a Rs 50-investment. (See box story for how it could be done.)

So, given the fact that it is inexpensive and easy to fake a fingerprint, these readers are not suitable for online transactions where no monitoring is possible.

Before we look at implementation issues of biometrics, here are more facts.

(The Economist, December 4, 2003)

Implementation issues

Many of the biometric products have turned out to be snake-oil security. It is because of implementation errors and technological bottlenecks. Much of the algorithms remain closed and claims of 128-bit security have not been borne out completely.Human beings are quite good not only in identifying unique over-tones and understanding different accents but also at separating background noise from the speech. So, to perform all this, it will need heavy number crunching on the much-awaited 64-bit processors. Windows Longhorn looks promising in delivering this functionality, but it is still a long way to go and remains to be tested for its efficiency and accuracy.

Meanwhile, the US Government's decision to use biometrics for passports/visas has drawn a lot of criticism from the security community. One argument goes this way: Suppose this magically effective face-recognition software is 99.99 per cent accurate. That is, if someone is a terrorist, there is a 99.99 per cent chance that the software indicates `terrorist,' and if someone is not a terrorist, there is a 99.99 per cent chance that the software indicates `non-terrorist.' Assume that 1 in 10 million flyers, on average, is a (known!) terrorist.

Is the system any good? No. It will generate 1,000 false alarms for every one real terrorist. And every false alarm still means that the security people go through all of their security procedures. Because the population of non-terrorists is so much larger than the number of terrorists, the test is useless.

If a `1 in 10 million' error-rate is not acceptable, biometric manufacturers go on to sell with claims that the "error-rate goal is 1-in-50000."

Any security product/mechanism should not be tested on how it succeeds, but on how it fails. With simpler and cheap faking mechanisms possible, one should look for how good a product is in not letting in an unauthorised user.

Some products claim that they can "recognise even the muddiest fingerprints". Then obviously their error-rate will be high and approximations in the algorithm make them weaker against attack.

How do they fail?

Fingerprint readers that use capacitive sensors could be fooled in a number of ways if an authorised user hasn't cleaned the sensor after fingering it. A latent print on many capacitive sensors can be revived by, for instance, breathing on it, applying graphite powder, or pressing a plastic carrier bag with water in it up against the sensor. (A capacitive sensor uses electrical current to measure fingerprint parameters and to then generate an image of the ridges and valleys that make up the fingerprint.)

The graphite powder method works with lifted prints too — follow your target to the pub, grab his glass after he's finished with it, dust a print with graphite, lift it with tape, and you're ready to go.

Optical sensors don't fare any better. They can be fooled with silicone fingers made from an impression in wax and also with backlit graphite print-copies on tape. (An optical sensor uses a charged couple device (CCD) camera. The camera uses light to illuminate the ridges and valleys of the finger and then takes a picture of the fingerprint.)

Iris scanners too may be fooled with a picture of an enrolled user's eye with a hole in the middle through which the attacker's pupil is visible. The facial recognition systems will perfectly recognise still images and video clips of users that were shown to it on a laptop's screen.

As security experts, we always find ourselves trying to secure interfaces, be it between two modules of a single application, two different applications, two computers on a network and of course a human and a computer. The last has always been the challenge. Before a computer can give access to a human, before it can provide any of its resources to him, it has to authenticate him. Since computers are not fit enough to identify a human as well as we can, we brought in authentication systems they are good at - one-time passwords, digital certificates, etc. By using biometrics, we are back to the problem of protecting the interface between the human and the computer.

In the long term, biometrics, by its very nature, will compromise privacy. If and when face-recognition technology improves to the point where surreptitious cameras can routinely recognise individuals, privacy, as it has existed in the public sphere, will be wiped out.

Cryptographic algorithms (such as RSA, AES, DES) that secure almost all the confidential data and authenticate users have been left open for public analysis and criticism.

This is exactly what is lacking in biometric systems. Organisations that make a move from time-tested technologies such as the public key system to biometric systems should ask themselves these questions and understand the difference between security and perceived security.

Picture by K. Ramesh Babu

(The author is Security Consultant, Odyssey Technologies Ltd, and can be reached at rlkanth@odysseytec.com)

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page