#11

"Jim Watt" <_way> wrote in message news:...
> On Sun, 30 Nov 2003 17:23:00 -0000, "Simon" <simon.smith@(remove)yahoo.co.uk> wrote:
>
> >That's not strictly true (although 'cut off' could perhaps be re-phrased
> >'scooped out'!).
>
> Yes but the pattern would be lost in the process.
>
> fingers can be cut off and used.

Hmm. I shudder at reality mimicking the "art" that far (numerous SF books, that is).

IIRC, most currently usable scans involve the pattern of blood vessels & capillaries on the retina (blame me for looking too far ahead ;o) This should remain intact as long as the accompanying organ does.

IIRC, (rather experimental) iris recognition has the possibility of being much more accurate but.. erm.. is somewhat new. With implementations that suffer from the same flaws as fingerprint recognition.

Again, my fault for the mistake. Retinal scanning is, AFAIK, the planned technique for the new UK ID card. As much as there is a plan..

H1K

Hairy One Kenobi
#12

On Sun, 30 Nov 2003 23:28:39 -0000, "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote:
>> Yes but the pattern would be lost in the process.
>>
>> fingers can be cut off and used.
>
>Hmm. I shudder at reality mimicking the "art" that far (numerous SF books, that
>is)
>
>IIRC, most currently usable scans involve the pattern of blood vessels &
>capillaries on the retina (blame me for looking too far ahead ;o) This
>should remain intact as long as the accompanying organ does.
>
>IIRC, (rather experimental) iris recognition has the possibility of being
>much more accurate but.. erm.. is somewhat new. With implementations that
>suffer from the same flaws as fingerprint recognition.
>
>Again, my fault for the mistake. Retinal scanning is, AFAIK, the planned
>technique for the new UK ID card. As much as there is a plan..
>
>H1K

The difference is that a finger or thumb can be cut off and used, which is bad news if you are a living person, and also a weakness if a print is used to authenticate someone claiming benefits who is dead.

I believe that the pattern in the retina used would degrade quickly after death or (agghh) so it's not an attractive option.

The UK are being coy about exactly what 'biometric data' will be encoded into the card, but the idea is to authenticate it back to a database to make forgery difficult. I rather expect they want to have everyone's DNA on file, but although they have the sampling method non-intrusive, fast and easy, the analysis is still a lengthy laboratory job.

However, watching BBC Parliament indicates that the project is alive and well and being steamrollered along. If you are interested, a good place to read about the plans would be http://www.parliament.uk where the record of proceedings is searchable.

Of course it's a 'benefit card'; 'identity card' sounds too much like what the johnny foreigners are obliged to carry and show to the police. Mind you, I am old enough to have a UK identity card from the last issue.

--
Jim Watt http://www.gibnet.com

Jim Watt
#13

Simon wrote:
> Thanks - I think I'll look at pre-boot encryption/decryption systems instead
> although I get the feeling that if somebody wants in then they will get in
> no matter what!
>
> It's a sad world.

Okay, there are some good articles and books on the subject, but I have a few things to contribute to this discussion.

Basically, it all comes down, once again, to who has you in their sights, and how much of a target you are. If someone will invest enough in it, they will eventually get in to anywhere. But you can make their life very difficult.

So pretty much - yes, nothing is really impossible, as long as we follow the rules of physics, and then some.

Myself, I like biometric systems. It is true that fingerprint-based biometric systems are somewhat unreliable for a few reasons, some of which include relatively easy faking, and there are very few duplicates (0.who-knows-how-many-zeros...1 per cent of the world's population has the same fingerprint, probably 1 out of a million, 10 million or 100 million people - I am bad with statistics).

Then there are the problems of how secure your system is, based on how many minutiae you use: if too many, you may not be identified tomorrow, and if too few.. the rest of the world can pass for being you.

I can go on for quite a bit about all this and a lot more, but you get my drift.

Every system has its downsides.

The whole point is to use the biometric system along with another system. That way you double the technology, and it is more difficult, to a level, to get in.
For example, password + fingerprint.
Something you know + something you are.

As a security minded person, when I hear the word laptop though, I start sweating. I can't even begin to imagine the loss of information caused world-wide by people simply forgetting the laptop somewhere.

My two cents.

--
Gadi Evron.
The Trojan Horses Research mailing list - http://ecompute.org/th-list

Gadi Evron
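Gadi's remark about the number of minutiae ("if too many you may not be identified tomorrow, if too few the rest of the world can pass for being you") is the false-reject / false-accept trade-off every matcher's decision threshold sets. The following is an added example, not code from any poster or product named in the thread: a toy minutiae matcher over constructed templates, a seeded generator of genuine re-captures and impostor pairings, and a sweep of the "required matches" threshold that reports FAR and FRR at each setting. The tolerances (8 px, 0.35 rad), the 15% sensor miss rate and the 200 px sensor area are assumed values chosen for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Minutia is one simplified fingerprint feature (ridge ending or bifurcation):
// position in sensor pixels plus ridge direction in radians.
type Minutia struct{ X, Y, Theta float64 }

// Template is the stored minutiae set for one finger (constructed for the example).
type Template []Minutia

func angleDiff(a, b float64) float64 {
	d := math.Mod(math.Abs(a-b), 2*math.Pi)
	if d > math.Pi {
		d = 2*math.Pi - d
	}
	return d
}

// MatchCount counts probe minutiae that have a mate in the reference within
// tolXY pixels and tolTheta radians; each reference minutia may be claimed once.
func MatchCount(probe, ref Template, tolXY, tolTheta float64) int {
	used := make([]bool, len(ref))
	n := 0
	for _, p := range probe {
		for j, r := range ref {
			if !used[j] && math.Hypot(p.X-r.X, p.Y-r.Y) <= tolXY && angleDiff(p.Theta, r.Theta) <= tolTheta {
				used[j] = true
				n++
				break
			}
		}
	}
	return n
}

// Accept is the decision rule under discussion: at least `required` minutiae
// must match. The tolerances 8 px and 0.35 rad are assumed values.
func Accept(probe, ref Template, required int) bool {
	return MatchCount(probe, ref, 8.0, 0.35) >= required
}

// Dataset: one enrolled reference per person plus one noisy re-capture of the
// same finger, generated from a seeded RNG so that runs are repeatable.
type Dataset struct{ Refs, Genuine []Template }

func MakeDataset(seed int64, people, minutiae int) Dataset {
	rng := rand.New(rand.NewSource(seed))
	var d Dataset
	for i := 0; i < people; i++ {
		ref := make(Template, minutiae)
		for k := range ref {
			ref[k] = Minutia{rng.Float64() * 200, rng.Float64() * 200, rng.Float64() * 2 * math.Pi}
		}
		// Genuine re-capture: each minutia jittered slightly, ~15% missed by the sensor.
		var probe Template
		for _, m := range ref {
			if rng.Float64() < 0.85 {
				probe = append(probe, Minutia{m.X + rng.NormFloat64()*2, m.Y + rng.NormFloat64()*2, m.Theta + rng.NormFloat64()*0.1})
			}
		}
		d.Refs = append(d.Refs, ref)
		d.Genuine = append(d.Genuine, probe)
	}
	return d
}

type Rates struct {
	FAR float64 // false accept: someone else's finger passes as yours
	FRR float64 // false reject: "you may not be identified tomorrow"
}

// ErrorRates tries every genuine probe against every reference: the diagonal
// gives the genuine trials, every other pairing is an impostor trial.
func ErrorRates(d Dataset, required int) Rates {
	var falseAcc, falseRej, impostor, genuine int
	for i, probe := range d.Genuine {
		for j, ref := range d.Refs {
			ok := Accept(probe, ref, required)
			if i == j {
				genuine++
				if !ok {
					falseRej++
				}
			} else {
				impostor++
				if ok {
					falseAcc++
				}
			}
		}
	}
	return Rates{FAR: float64(falseAcc) / float64(impostor), FRR: float64(falseRej) / float64(genuine)}
}

func main() {
	d := MakeDataset(42, 40, 20)
	fmt.Println("required  FAR    FRR")
	for req := 0; req <= 20; req += 2 {
		r := ErrorRates(d, req)
		fmt.Printf("%8d  %.3f  %.3f\n", req, r.FAR, r.FRR)
	}
}
```

Running it prints the sweep: at a low threshold FAR is well above zero (any impostor finger that happens to land a couple of minutiae inside the tolerance gets in), at a high threshold FRR climbs towards one because the sensor rarely re-captures every enrolled minutia. The operating point a product ships with is a choice between those two curves, which is exactly why the poster pairs the biometric with a second factor rather than tuning the threshold alone.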
#14

On Mon, 01 Dec 2003 18:45:32 GMT, Gadi Evron <> wrote:
>As a security minded person when I hear the word laptop though, I start
>sweating. I can't even begin to imagine the loss of information caused
>world-wide by people simply forgetting the laptop somewhere.

Indeed. I knew a software developer who left his laptop with six months' work on a bar, and it vanished. He had to go hide in Australia.

Backups are of course a good idea ...

--
Jim Watt http://www.gibnet.com

Jim Watt
#15

Gadi Evron <> writes:
> Every system has its downsides.
>
> The whole point is to use the biometric system along with another system.
> That way you double the technology, and it is more difficult, to a
> level, to get in.
> For example, password + finger print.
> Something you know + something you are.

A simple scenario is the large segment of the population that write their PIN number on their debit cards. So the issue is: is it more difficult for a crook to steal a debit card ... and

1) use that debit card by entering the PIN written on the card, or

2) use that debit card by lifting a latent print from the card, duplicating that print ... and when they go to use the card, entering the duplicated latent print ... and hoping that it is the one that is supposed to be used.

Part of the issue is the proliferation of "something you know" shared-secret infrastructures requiring a unique shared-secret for every different security domain.

Lots of past discussions about three-factor authentication as part of a security paradigm ... and comparison of something you know plus something you are .... along with differentiation between shared-secret and non-shared-secret paradigms:

http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#keygen2 Welcome to the Internet, here's your private key
http://www.garlic.com/~lynn/aadsm14.htm#23 Maybe It's Snake Oil All the Way Down
http://www.garlic.com/~lynn/aadsm14.htm#39 An attack on paypal
http://www.garlic.com/~lynn/aadsm14.htm#48 basic question: semantics of "map", "tie", etc in PKI
http://www.garlic.com/~lynn/aadsm15.htm#32 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#33 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#37 VS: On-line signature standards
http://www.garlic.com/~lynn/aepay11.htm#53 Authentication white paper
http://www.garlic.com/~lynn/aepay11.htm#55 FINREAD ...

and as an aside

http://www.garlic.com/~lynn/2001c.html#39 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001g.html#11 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001g.html#38 distributed authentication
http://www.garlic.com/~lynn/2001j.html#44 Does "Strong Security" Mean Anything?
http://www.garlic.com/~lynn/2001j.html#52 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#61 I-net banking security
http://www.garlic.com/~lynn/2002c.html#7 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002e.html#18 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002e.html#36 Crypting with Fingerprints ?
http://www.garlic.com/~lynn/2002f.html#22 Biometric Encryption: the solution for network intruders?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002i.html#65 privileged IDs and non-privileged IDs
http://www.garlic.com/~lynn/2002n.html#30 Help! Good protocol for national ID card?
http://www.garlic.com/~lynn/2002o.html#57 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#67 smartcard+fingerprint
http://www.garlic.com/~lynn/2003h.html#29 application of unique signature
http://www.garlic.com/~lynn/2003i.html#1 Two-factor authentication with SSH?
http://www.garlic.com/~lynn/2003m.html#51 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003o.html#29 Biometric cards will not stop identity fraud

--
Anne & Lynn Wheeler | - http://www.garlic.com/~lynn/
Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm

Anne & Lynn Wheeler
#16

Anne & Lynn Wheeler wrote:
> part of the issue is the proliferation of "something you know"
> shared-secret infrastructures requiring a unique shared-secret for
> every different security domain.

Indeed. Every solution has its failure point, soft spot, or imperfection, which is why not relying on just one solution is.. IMO, better.

However, you are right, but I'd rather think my security is not based on everything being a secret, but even if it was widely known I would still be secure. Personally I'd rather keep everything related to my security a secret.. OK.. not everything *evil grin*. ^^

But that's the human factor: what do I want my clients/employees/the world to know, or think they know? What do I want them to do or not do? What do I do if they do and thus cause a security issue, or worse, don't and thus render some of my security invalid?

IDs can be copied or created, radio signals can be faked.. etc. How much are you willing to invest?

If in order to enter your building you need an ID to verify what you look like, which is actually a smart card that will carry some identification to be checked (PKI) and a monitor that will show the guard your real face (in contrast with the one on your card), then some biometric issues.. And THEN to enter a room you need your fingerprint or smart card... (one of the two?). To use your PC you need your PKI-friendly system + passwd. It never ends, but where do we draw the line?

I should stress that physical security is AS important as any firewall you may install, if not more. You can invest millions, and then somebody would just show up, break into your office and take whatever he or she wants.

To sum it up, see the horizon? You can go as far beyond it with your security as you like; be reasonable and assess the situation right, and then some. Don't use security as an excuse or as a cover for your ass before the management.

If you are serious about security and still remember it is not there just for being there (although now that starts to slowly change as well) but for people to keep working && be secure, just keep it serious, see what happens (before it does, preferably). You'll be alright (I hope).

And handcuff that laptop to your wrist! !! ! !!! !

--
Gadi Evron.
The Trojan Horses Research mailing list - http://ecompute.org/th-list

Gadi Evron
#17

Simon wrote:
> I've been thinking about buying a PCMCIA fingerprint reader for my laptop
> but I am wondering how effective they actually are. Do they operate as a
> pre-boot system or merely for individual users post-boot?
>
> Also, if somebody were to obtain my fingerprint, would they be able to
> simply produce a photocopy (or whatever) and use that to gain access?
>
> Much is made of these biometric security systems but how good are they
> really?
>
> Thanks in anticipation.
>
> SS
>

I would combine it with a PCMCIA smartcard reader and a smartcard to store fingerprint templates on it. The smartcard can also have account information and certificates for SSO. So my fingerprint templates are not stored in some database, and if the card gets stolen I revoke the certificates.

As a matter of fact this is how I eased logging on to my laptop a bit, using a fingerprint reader from Precise Biometrics (not a PCMCIA yet, a USB PB100MC) and a smartcard reader from Omnikey (Cardman 4000). Smartcard from Miotec (Atmel chip, Miocos 2.0 OS), software by Utimaco (SafeGuard Biometrics + some more). The hard disk is of course encrypted completely; I still need to enter a PBA password. So what I know (the PBA password) is combined with what I have (the smartcard (and the laptop ;-.))) and what I am (the fingerprint).

Greetings
John

Yes, I work for Utimaco

John
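John's arrangement (template and certificate on the card, revoke the certificate if the card is stolen) and Lynn's distinction in #15 between shared-secret and non-shared-secret infrastructures come down to the same design: the host never holds anything a thief could replay, only a public key it can stop trusting. The following is an added example written for this page; it is not code from Utimaco, Precise Biometrics, Miotec or Omnikey, and the `Card`, `Host`, `Issue` and `Logon` names are assumptions. Ed25519 stands in for whatever signature scheme the real card uses, the on-card match is a byte-equality placeholder for a real minutiae matcher, and the PBA password factor is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card stands in for the smartcard: it holds the fingerprint template and the
// private key, and neither ever leaves it. The host only sees signatures.
type Card struct {
	serial   string
	template []byte
	priv     ed25519.PrivateKey
	match    func(sample, template []byte) bool
}

// Issue personalises a card and returns the public key the host will trust
// (in the real setup that key sits inside the certificate stored on the card).
func Issue(serial string, template []byte, match func(sample, template []byte) bool) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{serial: serial, template: template, priv: priv, match: match}, pub, nil
}

// Authenticate is the card-side step: compare the live sample with the
// on-card template and, only on success, sign the host's challenge.
func (c *Card) Authenticate(sample, challenge []byte) ([]byte, error) {
	if !c.match(sample, c.template) {
		return nil, errors.New("fingerprint does not match the template on this card")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// Host keeps only public data: a trusted public key per card serial and a
// revocation list. There is no shared secret here for a thief to harvest.
type Host struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewHost() *Host {
	return &Host{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (h *Host) Enroll(serial string, pub ed25519.PublicKey) { h.trusted[serial] = pub }

// Revoke is what the poster does when the card gets stolen.
func (h *Host) Revoke(serial string) { h.revoked[serial] = true }

// Logon runs the challenge-response: fresh random challenge, the card signs it
// only after an on-card match, the host verifies with the enrolled public key.
func (h *Host) Logon(card *Card, sample []byte) (bool, error) {
	if h.revoked[card.serial] {
		return false, errors.New("card certificate revoked")
	}
	pub, ok := h.trusted[card.serial]
	if !ok {
		return false, errors.New("unknown card serial")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := card.Authenticate(sample, challenge)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, challenge, sig), nil
}

// exactMatch is a placeholder for a real minutiae matcher: it only checks that
// the captured sample equals the enrolled template byte for byte.
func exactMatch(sample, template []byte) bool { return bytes.Equal(sample, template) }

func main() {
	ownerFinger := []byte("constructed-template-owner") // constructed sample, not real biometric data
	card, pub, err := Issue("CARD-0001", ownerFinger, exactMatch)
	if err != nil {
		panic(err)
	}
	host := NewHost()
	host.Enroll("CARD-0001", pub)

	ok, err := host.Logon(card, ownerFinger)
	fmt.Println("owner with own card:       ", ok, err)
	ok, err = host.Logon(card, []byte("constructed-template-other"))
	fmt.Println("other finger, stolen card: ", ok, err)
	host.Revoke("CARD-0001")
	ok, err = host.Logon(card, ownerFinger)
	fmt.Println("owner after revocation:    ", ok, err)
}
```

Two properties are worth checking against a real deployment: a card with the right template but a different key pair must fail verification (the host trusts the enrolled key, not the serial printed on the card), and revocation must be consulted before any cryptography runs, so a stolen card is dead the moment the certificate is pulled, whoever's finger is on the reader.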