USENIX Feature

Biometrics: Untruths and the Truth

by Dario Forte
<[email protected]>

Dario Forte is an Italian system administrator. He is CCSE and CCSA CheckPoint Certified and is a USENIX-SAGE-CSI individual member. In Italy he moderated the independent forum of Windows NT Security and CheckPoint Firewall-1.


This is a journey through the new authentication mechanisms.

At a time when there is talk of "certainty of access," of authentication of the users of a service, biometrics offers a solution.

Introduction

Biometric information -- patterns of unique physiological and behavioral traits -- can be used to authenticate access to given critical resources. Any organization may have strategic resources requiring protection. These can range from so-called sensitive data (data covered by laws concerning rights to privacy, for example), to mission-critical financial or commercial data, to military or legal information.

In addition to protecting data, an authentication mechanism based on biometrics can permit selective (and therefore sufficiently safe) access to given rooms or structures for which there is an intrusion risk.

System Components

A biometric authentication device is made up of three components:

  • A database of biometric data. As you would expect, this is a large store of physiological and/or behavioral data. The stored information is compared with the input given at the time of access.
  • Input procedures and devices. These are the systems (biometric readers, means for carrying the information, etc.) that connect the would-be guest with the validation system.
  • Output and graphical interfaces. This is the front end. It is used to enter and display part of the access data and to obtain responses from the system.

Types of Biometric Data

We have described the components of a biometric authentication system. Now we shall explain the types of physiological and behavioral information that can be authenticated.

Possible physiological data include:

  • retina prints
  • fingerprints and palm prints
  • voice prints
  • keyboard input measurements
  • iris recognition

At the moment, some feel that recognition of the retina is adequate both from the point of view of safety and, importantly, from that of the bandwidth required for an on-line transaction. It has been calculated that a network of devices for biometric authentication will take up about 32 Kb/sec. If a system's available bandwidth is 128 Kb/sec, biometric authentication alone would eat up 25 percent of the total. Enough bandwidth must be reserved for other services, ranging from electronic mail to videoconferencing.

For fingerprint recognition, Compaq Computer Corporation is offering its Fingerprint Identification Technology at under one hundred dollars. Guaranteed to be compatible with Compaq Deskpro, Armada PCs, and Professional Workstations, it is currently in the testing phase for security applications in the Windows NT environment, and experiments are being carried out on domain access as a replacement for conventional passwords. The fingerprint reader is placed near the video terminal and linked to a serial port. It can be integrated with SmartCard use.

In addition to fingerprint scanning, voice recognition, and, in some military applications, dynamic measurements of character entry via a keyboard, biometric recognition can be based on the patterns of the iris. The iris of the eye has a unique and visible structure which is not currently possible to duplicate. It has been ascertained that the human iris can identify an individual as accurately as his DNA. What is more, the iris is stable throughout an individual's lifetime.

Iris recognition is considered to be "just short of infallible," definitely more foolproof than fingerprint recognition. The pattern of the iris can be compared with the information contained in an IrisCode database, with over 266 options for each record. The scanning method is definitely one of the most transparent, since no physical contact with the scanner is required.

The most crucial operation in iris recognition is the scan for the record in the database. Strange as it may seem, the best results are achieved with a black-and-white camera. According to IrisScan, the developer of iris recognition technology, black-and-white scanning eliminates the possibility of incorrect recognition due to such factors as narcotic or prescription drug use or colored contact lenses.

Reliability

What risk of error is there when using biometrics to control access? Many believe the risk to be infinitesimal. Others are concerned, not so much about possible counterfeiting of an individual's physiological data, as about error on the part of the scanners.

Scanner manufacturers reject the charge. At the Sicur 98 meeting in Madrid, Norberto Cartagena, sales manager of Ultra Scan of Miami, Florida, a firm that has been active in the United States for over ten years, stated that, at least for fingerprints, the scanners currently available are reliable. Cartagena does not deny the need to optimize some of their features; however, he sees this as part of the normal product-updating roadmap.

Biometrics and the Internet

An interesting step forward in integration between biometric devices and information systems linked to the Internet has been made by iNTELiTRAK Technologies Inc. Their CITADEL GateKeeper has recently received security certification from the ICSA (formerly NCSA). The objective is to enable authentication of users of the Internet, an intranet, or an extranet, not by password or other such standard means, but by voice-pattern recognition.

CITADEL GateKeeper works as follows:

  • The remote user links up with the authentication service via IP network or by telephone.
  • Once the link has been established, she follows the authentication instructions. (It is worth noting that the voice input may be provided through a Sound Blaster-compatible microphone.)
  • GateKeeper carries out an analysis of the voice, comparing it with its authentication database, which can also interact with, among other things, X509V3 digital certificates. If a match is found, the system permits access to the information structures. If not, it follows an administrator-defined procedure to report an intrusion attempt.

Combining biometrics with conventional authentication methods carried out by, for example, a firewall or RADIUS server reduces the success rate of sniffers to a minimum. The system is fairly simple to use and also to integrate. The only concern lies in the error rate of the biometric recognition method. However, when the scanning and voice-pattern sampling, as well as the voice recognition, are carried out at different frequencies, maximum granularity should be attained.

Administration of Biometric Systems

Security operators recommend that the biometric database be administered by the security manager rather than a database administrator and that remuneration be directly proportional to the type of strategic resource being protected. This ensures both optimal safeguarding of the operator and a sense of responsibility for the project.

To Hash or Not to Hash?

Hashing, or calculating a numerical value for an input, usually based on the length of the datum in question, is intended to ensure the integrity of the hashed number during transmission via a network. Generally speaking, cryptographic algorithms are used to generate these functions and to code them. Hashing functions are currently used by programs such as PGP. It has been asked recently whether hashing functions should or could be added to biometric databases. Most experts feel that methods such as iris recognition are sufficiently safe, in particular when combined with the use of SmartCards.
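As an added example, not taken from the article or from any of the products it names, the following Python sketch ties together the GateKeeper match-or-report flow described earlier and the hashing question above: the service checks a hash sent with the sample so that tampering in transit is caught before matching, compares the sample against an enrolled template with a similarity threshold, hands every failure to an administrator-defined procedure, and measures how moving the threshold trades false rejections against false acceptances. The feature vectors, the similarity measure, the threshold values and the hypothetical speaker "alice" are all assumptions made for the example.

```python
import hashlib
import json

# Constructed enrolment record: a short feature vector standing in for a real voice
# template. The numbers are made up for this example and carry no acoustic meaning.
ENROLLED = {"alice": [0.52, 0.31, 0.77, 0.12, 0.64, 0.45]}

# Where the administrator-defined procedure records failed attempts; a deployment
# would alert the operator or raise a firewall/RADIUS event instead of appending here.
INTRUSION_LOG = []

def digest(features):
    """Hash of the sample, sent alongside it so tampering in transit is caught first."""
    return hashlib.sha256(json.dumps(list(features)).encode()).hexdigest()

def similarity(sample, template):
    """1.0 for an identical sample, falling towards 0.0 as the features diverge."""
    return 1.0 - sum(abs(s - t) for s, t in zip(sample, template)) / len(template)

def record_intrusion(user, reason):
    INTRUSION_LOG.append((user, reason))

def verify(user, sample, sent_digest, threshold, on_intrusion=record_intrusion):
    """Match-or-report flow: integrity check first, then the biometric comparison."""
    if digest(sample) != sent_digest:
        on_intrusion(user, "integrity check failed")
        return False
    template = ENROLLED.get(user)
    if template is None or similarity(sample, template) < threshold:
        on_intrusion(user, "no biometric match")
        return False
    return True

def error_rates(genuine, impostor, threshold, user="alice"):
    """(FRR, FAR): share of genuine samples rejected, share of impostors accepted."""
    template = ENROLLED[user]
    frr = sum(similarity(s, template) < threshold for s in genuine) / len(genuine)
    far = sum(similarity(s, template) >= threshold for s in impostor) / len(impostor)
    return frr, far

# Constructed samples: three recordings of the enrolled speaker on different days (the
# last through a noisy microphone) and three other speakers, the second a voice-alike.
GENUINE = [[0.50, 0.33, 0.75, 0.14, 0.62, 0.47],
           [0.55, 0.28, 0.80, 0.09, 0.67, 0.48],
           [0.60, 0.39, 0.69, 0.20, 0.72, 0.37]]
IMPOSTOR = [[0.20, 0.70, 0.30, 0.60, 0.10, 0.90],
            [0.45, 0.25, 0.70, 0.20, 0.55, 0.50],
            [0.80, 0.10, 0.95, 0.40, 0.30, 0.20]]
```

With these samples a threshold of 0.95 rejects one genuine recording in three but admits no impostor, while 0.90 admits every genuine recording and also the voice-alike; that is the error-rate trade-off the scanner debate is about.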

Has the Time Come for Biometrics?

I recently talked with Cyril G. Reif, Director of Industry Technology, Financial Services Industry, at Sun Microsystems. Reif, who manages world-level accounts for Sun, reported on some comments heard from people in the banking sector. "Although the banking world does not exclude future use of biometrics in ATMs [Automatic Teller Machines], it is somewhat doubtful about this possibility, basically for reasons of lack of flexibility of use. They may possibly be used in the future; however, systems based on a Java SmartCard and on X509 digital signatures, which are currently the standard, are thought to be sufficiently safe."

In a recent interview in Foster City, Stephen Schapp, Deputy Chairman, Emerging Electronic Payments, of Visa International, confirmed that it is possible to have electronic payment methods interact with biometric authentication devices. Schapp himself, however, expressed some doubt about the use of authentication based on fingerprints, at least for ATMs. He felt that the scanning, checking, and authentication procedures would today require too much of the bank WAN's bandwidth. On the other hand, Schapp felt that it would be possible to use retina scanning in the future, although the applications based on this type of method require optimization.

Pilot implementations of this type have already been started by Visa International in the framework of the now famous Visa Open Platform project, introducing a suite of financial services based on new-generation SmartCards. Visa has implemented a Java-language software layer between the operating system of the card and the applications. This layer acts as a bonding agent between the components described above, enabling multiple uses of a single SmartCard in electronic commerce.

In the past two months I've been traveling around Europe seeking to increase my knowledge of biometric products. I'm torn between two scenarios: digital fingerprint applications and iris recognition. Fingerprint-recognition vendors such as Siemens, Digital Persona, and Compaq are pushing their products hard, but customers are wary of the possibility of scanning errors. Iris-recognition vendors such as Iriscan, Sensar, Olivetti, and WangGlobal offer a very interesting alternative, yet one that threatens excessively high costs for ATM implementation. My personal conclusion: we'll need to wait another eight to ten months for a solid biometric system -- a reasonable period in the IT world.

First posted: 15 Apr. 1999 jr
Last changed: 15 Apr. 1999 jr