
Security Fears in the field of Biometrics – A real inhibitor of diffusion

Introduction


In order to highlight the concept of security concerns in biometric technologies, one needs to answer the following questions:

What is biometrics?

What biometric information is being captured during the enrolment process?

How is this information communicated to a centralised point?

Where is this information being kept?

What measures are in place to safeguard the biometric information being stored?

What is Biometrics?

Biometrics (ancient Greek: bios, "life"; metron, "measure") refers to the technology and methods for uniquely recognizing individuals based upon one or more intrinsic physical or behavioural traits. By recording a mathematical representation of a unique biological characteristic (enrolling), future samples of similar characteristics can then be compared to the original sample to verify that they originate from the same person (verification).

A number of biological characteristics can be used to define uniqueness in humans. Of those that are primarily targeted for biometric applications, fingerprints, vein patterns, iris characteristics, facial traits, and voice patterns are the most popular.

All these modalities listed fall under the physiological characteristics category. Behavioural characteristics that can be used in biometrics include signature recognition, gait analysis, and typing biometrics or keystroke dynamics.

What biometric information is being captured during the enrolment process?

For both security and performance reasons, manufacturers of biometric access control devices make use of a principle called 'feature extraction' to retrieve the salient unique features of a person, without having to store an exact replica of whatever modality has been used.

For instance, with fingerprint biometrics, instead of recording an image of the person's fingerprint, the information within that image that ensures uniqueness is mathematically extracted and stored against the person's identity.

This is called a 'template', and would typically include vectors and/or data points highlighting distinguishable unique features.

By using image processing algorithms, the software within the device is capable of identifying Ridge Endings (where the lines in the fingerprint terminate) and Ridge Bifurcations (where the lines split up into two). These are also known in the industry as minutiae points.

By storing only the position and direction of the Ridge Endings and Ridge Bifurcations, the software is capable of capturing the uniqueness of each person, with a limited amount of data.
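
As an added illustration (not code from the article or from any device vendor), the sketch below finds ridge endings and bifurcations with the crossing-number method, a common textbook technique that the article does not name, on a small constructed ridge skeleton. It keeps position and type only; direction estimation is left out, and the grid, the function names and the three-byte encoding are assumptions made for the example.

```python
# Added illustration (not from the article): crossing-number minutiae detection
# on a thinned, one-pixel-wide ridge map.
import struct

# 8 neighbours of a pixel as (row, col) offsets, clockwise starting at north.
RING = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]
ENDING, BIFURCATION = 1, 3  # crossing-number values for the two minutia types

# Constructed sample data: one ridge that runs diagonally, then splits in two.
SKELETON = [
    "..........",
    ".#........",
    "..#.......",
    "...#......",
    "....#.....",
    "...#.#....",
    "..#...#...",
    ".#.....#..",
    "..........",
]

def crossing_number(grid, r, c):
    """Half the number of 0/1 transitions when walking once around (r, c)."""
    def ridge(rr, cc):
        inside = 0 <= rr < len(grid) and 0 <= cc < len(grid[0])
        return 1 if inside and grid[rr][cc] == "#" else 0
    ring = [ridge(r + dr, c + dc) for dr, dc in RING]
    return sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2

def extract_minutiae(grid):
    """Return [(row, col, kind)] for every ridge ending and bifurcation."""
    found = []
    for r, row in enumerate(grid):
        for c, pixel in enumerate(row):
            if pixel != "#":
                continue
            cn = crossing_number(grid, r, c)
            if cn in (ENDING, BIFURCATION):
                found.append((r, c, cn))
    return found

def encode_template(minutiae):
    """Pack each minutia into three bytes (row, col, kind): the stored template."""
    return b"".join(struct.pack("BBB", r, c, kind) for r, c, kind in minutiae)

if __name__ == "__main__":
    points = extract_minutiae(SKELETON)
    pixels = len(SKELETON) * len(SKELETON[0])
    print(points)
    print(f"{len(encode_template(points))} template bytes vs {pixels} image pixels")
```

Pixels outside the grid count as background, so a ridge cut off by the image edge would be reported as a ridge ending; an extractor has to discard minutiae that lie on the border.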

The same principle applies to all other biometric modalities, be it facial recognition, iris, voice, or subcutaneous vein patterns.

How is this information communicated to a centralised point?

Once the templates have been captured, they typically need to be sent via a communication channel to a centralised point. One might argue that this is not necessary, and that information should always be retained on the device only. But the practical truth is that, with the exception of very small implementations, the last thing one wants is to re-enrol every person in the company on every device that will form part of this access-control perimeter.

Communication, be it RS232, RS485, TCP/IP, or customised protocols, will always be exposed to some level of 'hackability'.

We have all seen how highly encrypted secure internet communications get compromised. Sending biometric templates over a network line will have at least the same level of risk exposure.

Where is this information being kept?

Once the templates reach their destination, how are they persisted? In flat files on a hard drive? In a weakly protected set of tables where anyone who can Google can find a way to access them? Or are they stored with an acceptable level of encryption in a well-designed digital vault?

But fears and concerns are real and often well-founded

Anecdotal evidence shows that:

Not all biometric devices make use of singular template extraction.

In other words, the device either stores the complete picture, or it stores enough of that picture that a good resemblance of the original image (fingerprint/eye/face) could be reconstructed later.

Not all network communication is encrypted.

Even if it is not possible to access the biometric device to retrieve the biometric information, intercepting network packets is becoming child's play if one has access to the right tools.

Not all databases are created equal.

There are a number of solutions in the market that store their templates in plain digital files in a predetermined directory structure. Similarly, databases, including those 'free' ones that we all have on our PCs, are a farce when it comes to their ability to really protect your data.

So what to do if I want to implement biometric technology in my company?

Make sure that your biometric devices do, in fact, perform template extraction. And confirm that the extraction is done in a singular, irreversible format so that it is not possible to reverse-engineer the original image (fingerprint, eye, face, etc). One such format, with which most of the leading biometric companies continuously strive to comply, is the MINEX (Minutiae Interoperability Exchange) standard. You can read more on this on the NIST (National Institute of Standards & Technology) web site at http://www.nist.gov/index.html

Limit the network communication to a minimum. Try to keep as many as possible of the rules around who can go where, and when, on the biometric device, and leave the sending of fingerprint templates to only those occasions where it is absolutely necessary. This should, in fact, be limited to the time of initial take-on.

Protect your data. One can write books about database security. It is of no use if the templates reside in a 128-bit encrypted database, but your IT guy knows the password as he needs to perform daily backups of the database.

Human Dynamics

There is a definite concern in the use of biometrics as a unique identifier of a person.

Compromised security

If your password for your internet banking is discovered, you can simply change it. Similarly, if someone finds the piece of paper with your computer password written on it, you can always change it.

But should your biometric identification be compromised, what then?

Fear of Prosecution:

The strong association between fingerprints and law-enforcement has proven to be a major stumbling block in the successful adoption and infusion of biometric access control systems. What guarantees can you give your employees that you will not send their fingerprints to some form of centralised law-enforcement agency?

In South Africa, the Criminal Law (Forensic Procedures) Amendment Bill is currently on the table for scrutiny. This bill, once promulgated, will pave the way for combined access to the SAPS's AFIS system, Home Affairs' HANIS system, and the Department of Transport's E-NATIS system.

Great news for most of us! But not for all of us.

Summary


Biometric systems, be they applied in border control, law-enforcement, access control, or time & attendance, have the potential to simplify our lives if we take cognisance of the fact that we are dealing with human beings. This technology has touch-points with human dynamics that have never before been executed. Not on this scale, anyway.

If we take a more holistic approach towards the implementation of this technology, we might find that it is more important to sell the concept to your staff, unions, and shop-stewards, than selling it to your board of directors.


By: Liam Terblanche