Originally Published: Thursday, 30 August 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles

Biometrics: Just in a James Bond Flick? Not Anymore!

We all know that Linux is growing in popularity with embedded device makers of all kinds. Due to a variety of compelling factors Linux may well be the operating system behind all kinds of items of technology you use every day, without even knowing it. Security systems will be one of those. This article provides a brief overview of the new science of biometrics and how it is shaping up in the security technology sector.

Out from the world of geeks and James Bond movies, biometry is the new kid on the block. With the potential to change the way modern security systems are going to work, this technology is certainly powerful and here to stay.

Without further ado, let's take a plunge into the hi-tech world of biometrics.

The word 'Biometry' is made up of two parts: bio + metry. 'Bio' refers to life or a living being, and 'metry' refers to measurement. So 'biometrics' can be summed up as the science of measuring physical attributes unique to a living being (for authentication/authorization).

These systems are one level up from traditional methods of authentication like passwords or security access cards because they ensure that the person trying to log on is actually the valid user and not just someone who is trying to impersonate an identity after he/she found an access card lying below your office desk or password written on a piece of paper as a reminder in case of a memory lapse.

Biometrics find a range of uses: in hospitals, by law enforcement agencies, in corporate solutions, in VPN solutions, in limiting access to a private and sensitive database behind the corporate firewall, in airports, etc.

All biometric devices follow a general logic pattern for authentication, which can be summarized as:

1. Taking Input: The first step involves taking an input such as a fingerprint scan, eacan, iris scan etc. from a user.

2. Processing Input: After capturing the image, the biometric recognition software digitizes and encrypts the input. This type of encryption, called hashing or one-way encryption, is also present in Unix and does not allow the encrypted data to be decrypted (although the encryption can still be cracked if it's weak).

3. Storage: This digitized and encrypted biometric input is stored in a database for comparison, authorization or rejection.

4. Authentication: When a user logs on, his or her biometric input (voice pattern, retina scan, facial scan etc.) is taken and matched against the existing database of biometric values.

If the match is positive: grant access to the resource.
If the match is negative: deny/lock access to the guarded resource.

One important thing to know here is that these biometric systems do not record actual images of fingerprints, faces, etc. Instead, they process and store only mathematical models representing those attributes.

A couple of terms are associated with biometric devices and are important to understand:

a) False Acceptance Rate (FAR): The rate at which an intruder can be recognized as a valid user. If a vendor's FAR is quoted as 3%, it means that three out of 100 user attempts to bypass the biometric device's security will succeed.

b) False Reject Rate (FRR): The rate at which a valid user is rejected by the system. So an FRR of 3% means that three out of 100 valid user attempts will be rejected by the biometric device.

So the better biometric device (security-wise) is the one with low FAR and FRR.

Types of Biometric Systems

The main characteristic that separates one biometric device from another is the type of biometric input under consideration.

Based on this we have following types of biometric systems:

Fingerprinting

Fingerprinting is one of the oldest and most widely known biometrics.

Fingerprinting technology uses fingerprint scanners connected to a computer. The process of authentication is simple: a fingerprint snapshot taken by the scanner is reduced to a pattern of data points called minutiae, or a template, and stored in the database.

This biometric technology is being used by the County of LA for helping the judiciary and law-enforcement agencies in precisely and accurately identifying suspects based on the huge database of live scanned fingerprints.

Hand Geometry

Biometry using Hand geometry has been in place for the last 20 years. Here, a video camera takes an image of the upper and side portions of your hand and stores it in a database using compression and encryption techniques.

You might be tempted to ask : "what about dust or scars or cuts on the hand?"

Well, modern biometric systems are slowly maturing so topics like these are not much of a bother now, although they have been issues in the past, of course. This system is being used in major International airports and immigration facilities as well as in hospitals and other places.

In fact, Olympic Village officials employed this equipment in Atlanta in 1996 to track athletes and staff.

An example hand-geometry product: the ID-3D Handkey system from Recognition Systems, Inc.

Iris and Retina Scanning

Some of the latest developments in biometric technology are retinal and iris scans.

Retinal scans: The biometric input here is a snapshot of the pattern of the veins in your eye, taken by shooting a low-intensity beam of light into the eyeball. A drawback of this technology is that users are required to stand close to the device and focus on a target, which makes the system a bit less adaptable.

Iris scans use a camera to photograph the iris in the front of the eye. Unlike retinal vein patterns, which can change as an individual gets older, the iris is unique and does not change during a person's lifetime. Like fingerprints, no two individual iris structures are alike.

Users can stand as far as three feet away from the camera.

By the way, retinal and iris scans are some of the most hassle-free and accurate performers available today in the biometric world.

Voice Recognition

Voice authenticators use a telephone or microphone to record a user's voice pattern. This voice pattern, which is based on the inflection points of your speech (that is, the way you talk), serves as a biometric input to validate an individual. Voice recognition systems are a good solution in scenarios where your budget is low and you have a large number of users to validate, because these systems rely more on software and low-cost hardware.

These devices are expected to adapt to background noise and different types of microphones available in the market.

Product: Veritel's voicecrypt 2.01

Facial Recognition

Facial recognition biometrics, one of the fastest growing areas in biometrics, involves taking a photographic image of a face and using it to measure characteristics like the distance between facial features or the dimensions of the features themselves (shape of nose).

Some of these biometric devices require a user to move his or her face so that the system knows that an actual 'live' user is there and that somebody is not using a photo of a valid user to gain illegal entry.

Products: Visionics' FaceIt NT, Miros's TrueFace Network

This technique has wide usage like digitizing the photographic images of the face and encoding them on a smart-card. This smart-card may be read by a biometric reader guarding the resource. This biometric reader can match the biometric input on the smart card with its central database and grant or deny access.

Properties and Vulnerabilities of Biometric Security Systems

One important property of biometric systems is what I call the 'Sensitivity-Security balance'. If you approach this logic mathematically, it can be put forward as: the sensitivity of a biometric system is a direct function of the level of security it provides. In other words, if you increase the sensitivity of a biometric system you will effectively make it ruder and sterner to your authentication/authorization requests, leading to greater security. But this also causes more erroneous rejections of authorized users: an increased FRR.

Setting the sensitivity lower makes the product more forgiving but simultaneously decreases the security level, adding to the fear of an invalid user spoofing or impersonating somebody else: an increased FAR.
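The FAR and FRR definitions given earlier, and the sensitivity trade-off just described, worked through as an added example that is not part of the original article. The match scores are constructed sample data, and the function names and the 0-100 score scale are illustrative assumptions.

```python
# Added example: FAR and FRR as the sensitivity threshold changes.
# All scores are constructed sample data, not measurements of any product.

# Match scores (0-100) the matcher gave to attempts by the enrolled user...
GENUINE = [91, 88, 95, 79, 84, 97, 72, 90, 86, 93]
# ...and to attempts by other people claiming that user's identity.
IMPOSTOR = [12, 35, 48, 61, 27, 74, 40, 55, 19, 81]
THRESHOLDS = [50, 60, 70, 80, 90]  # higher threshold = higher sensitivity


def accept(score, threshold):
    """The authentication step: grant access only on a close enough match."""
    return score >= threshold


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts that get in."""
    hits = sum(accept(s, threshold) for s in impostor_scores)
    return hits / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: fraction of valid-user attempts turned away."""
    misses = sum(not accept(s, threshold) for s in genuine_scores)
    return misses / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FAR, FRR) for each sensitivity setting."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t))
            for t in thresholds]


def tune_for_far(rows, max_far):
    """Lowest threshold whose FAR meets the ceiling, or None if none does.

    FRR only grows as the threshold rises, so the lowest qualifying
    threshold is also the one that rejects the fewest valid users.
    """
    ok = [r for r in rows if r[1] <= max_far]
    return min(ok) if ok else None


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
    for t, a, r in rows:
        print(f"threshold {t}: FAR {a:.0%}  FRR {r:.0%}")
    print("FAR <= 10% requires:", tune_for_far(rows, 0.10))
```

On this sample, pushing FAR from 10% down to 0% raises FRR from 20% to 50%, which is the balance the section describes.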

These biometric systems are very adaptable. They can integrate with your existing operating systems (Linux, Unix, WinNT) and existing authentication and authorization applications. For example, authentication tokens generated from a biometric device can be transmitted to a WinNT domain controller or any other authentication server for user validation and authorization. Apart from that, biometric inputs can also be used as encryption keys, providing more robust and secure encryption.

Vulnerabilities

Before reading this article (especially this portion of the article) I need to say that this information is not meant to make you a biometric hacker but just to make you aware of the potential security hazards. So just consider it as a short primer on attacks commonly related to bypassing the biometric devices.

At the same time, you have to know that most of these security issues are under consideration by the biometric device manufacturers and quite a few of these issues might have already been taken care of by the time you read this.

Fooling the Face Recognition Biometric

Fooling the face recognition system can make one perform silly antics in front of the biometric-cameras. Tactics like using disguises/masks, changing a haircut, growing or shaving a beard, or even making faces at the computer have been tried.

Fooling Fingerprint Recognition

Taking a valid user's fingerprint on a sheet of transparent material (say, a very thin plastic sheet) and sticking that plastic imprint on your finger (above a very thin padding) is a common technique used to defeat fingerprint recognition devices. And, no, that's not just in the movies.

Pressure variations on fingerprint scanners should also be considered.

Fooling Voice Authentication

Playing a recorded voice of a valid user or for that matter mimicking the voice of a valid user often still works with voice authentication.

Let's wish the best of luck to celebrities like Mr Devanand and Shatrughan Sinha, whose voices are frequently mimicked. Let's hope they don't get into any trouble with biometric systems!

All the techniques mentioned here have been tried by people across the world, on biometric systems set to low sensitivity, with moderate success rates. As with any security system, those trying to gain access and those trying to prevent access are working hard on the same properties of the system, just from different perspectives. Biometric security is not yet perfect, but it is getting better every day.

If biometric systems are to survive the test of time they will need to address the technical flaws, pricing issues and equally important, privacy issues. If these challenges are met, Biometrics will become more consumable and find a place in society like other beautiful pieces of technology.

Shashank Pandey aka ~ AcE ~ reach_shash@linuxmail.org