Biometrics

veryard projects > security > biometrics

we offer

news and comment

techniques

on this website

consultancy

management briefings

independent advice on tools and methods

November 2003 The British home secretary announces that biometrics are 100% reliable as a method of identification.

> Plan to phase in ID cards

We believe this is a grave mistake. Such technological claims cannot be proved, and have a history of being disproved. Biometric impersonation may be difficult and expensive today - but who is to say it will always be difficult and expensive?

If someone abuses my credit card, I can get a new card number. But if someone manages to abuse my biometrics, I can't so easily change my fingerprints or my eyeballs. Biometric repudiation only happens in James Bond films.

	Mug shots
	Fingerprint
	Iris scans
	Voice recognition

Biometric Impersonation

veryard projects > security > biometrics > impersonation

If my personal identity depends on maintaining a few secrets, then my entire life is threatened if these secrets are published on the web, or derivable from web souces.

Impersonation can be enabled by access to the secret identification keys that are used by systems to identify people, and this leads to undermining the control and audit purposes of the systems that use these keys.

There are many systems with which I interact, which deploy various mechanisms to determine and confirm my identity. These are typically based on keys of various kinds – from passwords, through personal data (such as mother’s maiden name), to biometrics such as fingerprints and iris scans. These keys can be held in various ways – for example, stored in a person’s brain or smartcard, or instantiated in a person’s body.

These mechanisms rely on the secrecy of the data used. But this secrecy is very hard to maintain. Every time my fingerprints, iris or smartcard are scanned for security purposes, or my voice recorded, this captures some data that is used to identify me. Every time I am called to the phone in a retail store to confirm my identity, I am forced to utter some of my identifying data to the credit card operator in front of the assistant and other customers. Every time I use a glass in a pub, someone has the chance to record my fingerprints. Over time, I should expect these data to leak out. And given enough time, a really clever and determined investigator might even be able to discover my mother’s maiden name.

If other people have access to these data, they can impersonate me. Tsutomu Matsumoto, a Japanese mathematician and cryptographer, has recently shown how easy and cheap it is to fool a fingerprint scanner by imprinting the required fingerprint onto a gelatine finger. Although the vendors of biometric devices may claim total reliability, such claims are impossible to prove; it is safer to assume that any biometric device can be spoofed – and probably will be.

If a secure installation, such as a nuclear power plant, relies on employee biometric data to control entry, then what happens when an employee’s biometric data are stolen and published on an anti-nuclear website? Perhaps all employees are required to wear cotton gloves and dark glasses when in insecure places – such as restaurants. (But of course, this makes them even more obvious as targets.)

Identity and Impersonation

Biometric Repudiation / Revocation

veryard projects > security > biometrics > repudiation

Whenever impersonation is discovered or demonstrated; this leads in turn to a further repudiation of the key – with repudiation either by the system or by the impersonated individual. (Such repudiation is often called revocation.)

But this is a problem when the keys are biometric ones. Let us suppose that an airline has installed a cockpit security system, which only allows someone to fly a plane if his iris scan matches the one on his licence. If a terrorist organization has stolen the iris scan of a particular airline pilot, and has issued several of its members with contact lenses imprinted with this iris scan, together with forged licences, then the system may no longer be able to accept the iris scan of this pilot as sufficient identification. The pilot repudiates his iris scan, as it were. However, if this pilot is to continue working as a pilot – something we may assume to be of value both to him and to the organization – he now needs some other mechanism for gaining access to the cockpit.

Biometric data are practically impossible to change – even if I discover that they have been published somewhere. I can change passwords, but I can’t so easily change or repudiate my iris, fingers or mother. If my identity is constituted by such identifiers, it must presumably remain the same throughout my adult life.

Biometric - More Material

veryard projects > security > biometrics > material

	Some of the material on this page is extracted from an article published by CBDi Forum, September 2002 [abstract]. Full article available to subscribers.
	Identity and Security Signature as Token of Identity

Biometric Links

veryard projects > security > biometrics > links

A Google search for "Biometrics" will be dominated by pro-biometric websites. Loads of government, technology vendor and mostly like-minded consortia. [click here for a critique of google] Here is a much smaller but perhaps better balanced selection.

Government	UK [Home Office] [Biometrics Working Group] [Office of the E-Envoy] US [Biometric Consortium]
Industry	[IBIA.org]
Consortia	[Biometric Foundation]
Academic (Technical)	[TIBS.org]
Independents (Critical)	[Bruce Schneier] [Ross Anderson]

veryard projects > security > biometrics