The LINUX.COM Article Archive
Originally Published: Thursday, 30 August 2001 | Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles
Biometrics: Just in a James Bond Flick? Not Anymore!
We all know that Linux is growing in popularity with embedded device makers of all kinds. Due to a variety of compelling factors, Linux may well be the operating system behind all kinds of items of technology you use every day, without even knowing it. Security systems will be one of those. This article provides a brief overview of the new science of biometrics and how it is shaping up in the security technology sector.
Without further ado, let's take a plunge into the hi-tech world of biometrics.
The word 'biometry' is made up of two parts: bio + metry. 'Bio' refers to life or a living being, and 'metry' refers to measurement. So 'biometrics' can be summed up as the science of measuring physical attributes unique to a living being (for authentication/authorization).
These systems are one level up from traditional methods of authentication like passwords or security access cards, because they ensure that the person trying to log on is actually the valid user and not just someone trying to impersonate an identity after finding an access card lying below your office desk, or a password written on a piece of paper as a reminder in case of a memory lapse.
Biometrics find a range of uses: in hospitals, by law enforcement agencies, in corporate solutions and VPN solutions, for limiting access to a private and sensitive database behind the corporate firewall, in airports, etc.
All biometric devices follow a general logic pattern for authentication, which can be summarized as:
1. Taking Input: The first step involves taking an input like a fingerprint scan, eacan, iris scan etc. from a user.
2. Processing Input: After capturing the image, the biometric recognition software digitizes and encrypts the input. This type of encryption, called hashing or one-way encryption, is also present in Unix and does not allow the encrypted data to be decrypted (although the encryption can still be cracked if it is weak).
3. Storage: This digitized and encrypted biometric input is stored in a database for comparison, authorization or rejection.
4. Authentication: When a user logs on, his or her biometric input (voice pattern, retina scan, facial scan etc.) is taken and matched with the existing database of biometric values.
   If the match is positive: grant access to the resource.
   If the match is negative: deny/lock access to the guarded resource.
One important thing to know here is that these biometric systems do not record actual images of fingerprints, faces, etc. Instead, they process and store only mathematical models representing those attributes.
A couple of terms are associated with biometric devices and are important to understand:
a) False Acceptance Rate (FAR): The rate at which an intruder can be recognized as a valid user. If a vendor's FAR is quoted as 3%, it means that three out of 100 attempts by users to bypass the biometric device's security will succeed.
b) False Reject Rate (FRR): The rate at which a valid user is rejected by the system. So an FRR of 3% means that three out of 100 valid users' attempts will be rejected by the biometric device.
So the better biometric device (security-wise) is the one with low FAR and FRR.
Types of Biometric Systems
The main characteristic that separates one biometric device from another is the type of biometric input under consideration.
Based on this we have following types of biometric systems:
Fingerprinting technology uses fingerprint scanners connected to a computer. The process of authentication is simple. A fingerprint snapshot taken by the scanner is reduced to a pattern of data points, called minutiae or a template, and stored in the database.
This biometric technology is being used by the County of LA for helping the judiciary and law-enforcement agencies in precisely and accurately identifying suspects based on the huge database of live scanned fingerprints.
You might be tempted to ask: "What about dust or scars or cuts on the hand?"
Well, modern biometric systems are slowly maturing so topics like these are not much of a bother now, although they have been issues in the past, of course. This system is being used in major International airports and immigration facilities as well as in hospitals and other places.
In fact, Olympic Village officials employed this equipment in Atlanta in 1996 to track athletes and staff.
An example hand-geometry product might be the ID-3D Handkey system from Recognition Systems, Inc.
Retinal scans: The biometric input here is a snapshot of the pattern of your eye veins, taken by shooting a low-intensity beam of light into the eyeball. A drawback of this technology is that users are required to stand close to the device and focus on a target, which makes the system a bit less adaptable.
Iris scans use a camera to photograph the iris in the front of the eye. Unlike retinal vein patterns, which can change as an individual gets older, the iris is unique and does not change during a person's lifetime. Like fingerprints, no two individual iris structures are alike.
Users can stand as far as three feet away from the camera.
By the way, retinal and iris scans are some of the most hassle-free and accurate performers available today in the biometric world.
These devices are expected to adapt to background noise and different types of microphones available in the market.
Product: Veritel's voicecrypt 2.01
Some of these biometric devices require a user to move his or her face so that the system knows that an actual 'live' user is there and that somebody is not using a photo of a valid user to gain illegal entry.
Products: Visionics' FaceIt NT, Miros's TrueFace Network
This technique has wide uses, such as digitizing photographic images of the face and encoding them on a smart card. The smart card may be read by a biometric reader guarding the resource. The reader can match the biometric input on the smart card against its central database and grant or deny access.
Setting the sensitivity lower makes the product more forgiving, but simultaneously decreases the security level, adding to the fear of an invalid user spoofing or impersonating somebody else: it increases the FAR.
These biometric systems are very adaptable. They can integrate with your existing operating systems (Linux, Unix, WinNT) and existing authentication and authorization applications. For example, authentication tokens generated from a biometric device can be transmitted to a WinNT domain controller or any other authentication server for user validation and authorization. Apart from that, biometric inputs can also be used as encryption keys, providing more robust and secure encryption.
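How the matching step of the authentication procedure and the FAR/FRR trade-off of the sensitivity setting fit together, as an added example that is not part of the original article. The templates and samples are constructed feature vectors, Euclidean distance is an assumed similarity measure, and the names ENROLLED, ATTEMPTS, verify and error_rates are hypothetical; protection of the stored templates is left out.

```python
import math

# Constructed enrollment database: user -> stored template. Each template is a
# feature vector (the "mathematical model"), not an image. Values are made up.
ENROLLED = {
    "alice": (0.20, 0.80, 0.50, 0.10),
    "bob": (0.70, 0.30, 0.40, 0.90),
}

# Constructed attempts: (claimed identity, actual person, fresh sample vector).
ATTEMPTS = [
    ("alice", "alice", (0.22, 0.79, 0.52, 0.11)),    # genuine, clean capture
    ("alice", "alice", (0.30, 0.70, 0.55, 0.20)),    # genuine, noisy capture
    ("bob", "bob", (0.69, 0.33, 0.41, 0.88)),        # genuine, clean capture
    ("bob", "bob", (0.60, 0.45, 0.30, 0.80)),        # genuine, noisy capture
    ("alice", "mallory", (0.35, 0.65, 0.45, 0.30)),  # impostor with similar traits
    ("alice", "bob", (0.70, 0.30, 0.40, 0.90)),      # impostor
    ("bob", "mallory", (0.35, 0.65, 0.45, 0.30)),    # impostor
    ("bob", "alice", (0.20, 0.80, 0.50, 0.10)),      # impostor
]


def verify(claimed, sample, threshold):
    """Accept only if the fresh sample is close enough to the stored template."""
    template = ENROLLED.get(claimed)
    if template is None:  # unknown identity: always deny
        return False
    return math.dist(template, sample) <= threshold


def error_rates(attempts, threshold):
    """Return (FAR, FRR) over the given attempts at one sensitivity setting."""
    false_accepts = false_rejects = impostors = genuines = 0
    for claimed, actual, sample in attempts:
        accepted = verify(claimed, sample, threshold)
        if claimed == actual:
            genuines += 1
            false_rejects += not accepted
        else:
            impostors += 1
            false_accepts += accepted
    return false_accepts / impostors, false_rejects / genuines


if __name__ == "__main__":
    # A larger distance threshold is a lower (more forgiving) sensitivity.
    for label, threshold in [("strict", 0.10), ("balanced", 0.25), ("forgiving", 0.35)]:
        far, frr = error_rates(ATTEMPTS, threshold)
        print(f"{label:9s} threshold={threshold:.2f} FAR={far:.0%} FRR={frr:.0%}")
```

On this constructed data the strict setting rejects the two noisy genuine captures, while the forgiving setting lets one impostor through, which is the FAR increase the paragraph above describes.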
At the same time, you have to know that most of these security issues are under consideration by the biometric device manufacturers and quite a few of these issues might have already been taken care of by the time you read this.
Pressure variations on fingerprint scanners should also be considered.
Let's wish the best of luck to celebrities like Mr Devanand and Shatrughan Sinha, whose voices are frequently mimicked. Let's hope they don't get into any trouble with biometric systems!
All the techniques mentioned here have been tried by people across the world, on biometric systems set to low sensitivity, with moderate success rates. As with any security system, those trying to gain access and those trying to prevent access are both working hard on the same properties of the system, just from different perspectives. Biometric security is not yet perfect, but it is getting better every day.
If biometric systems are to survive the test of time, they will need to address the technical flaws, pricing issues and, equally important, privacy issues. If these challenges are met, biometrics will become more consumable and find a place in society like other beautiful pieces of technology.
Shashank Pandey aka ~ AcE ~ email@example.com