Forwarded From: Felix von Leitner <leitner@math.fu-berlin.de>
Thus spake mea culpa (jericho@dimensional.com):
> [Moderator: I can't answer his question.. anyone else?]
Maybe. Let's see.
> Forwarded From: Andrew McNaughton <andrew@squiz.co.nz>
> I threw a couple of odds and ends of your stuff on biometrics at one of our
> journalists, and he thought it was worth an article and asked me for some
> primary material, which I've been hunting out.
Public knowledge since over 30 years now is that the iris does not
change. Unless, of course, you use your eye. Who exactly proved that
eludes me, but it's written in my dictionary, so I trust that
information. If he's journalist, he should be able to find that out by
himself.
> A question I've been trying to answer is whether anyone's come up with a
> biometric which is sufficiently discrete to be put through a cryptographic
> hash.
You don't want to do that, because biometrics is always a statistical
process. You take a picture (and lose information due to aliasing and
small resolution). You then run a digital filter on the picture (and
do some statistical process that loses even more information). In the
end, you get some extracted details that you try to match to the picture
in the database. Now, the weather might have changed, the lighting has
changed.
What is the guy trying to achieve? That you can do a fast database
lookup? Database access is not an issue with current systems. That you
have a has so you can't impersonate someone? The iris picture _is_ a
hash from the picture, albeit a very specialized one.
At any rate, even if we used a hash, the biometric device would still
have the original picture before taking the hash and could store it in a
database. You can't really to anything against that.
> If a biometric was available which could be converted to some more or less
> invariable character sequence then it would be possible to combine it with
> a database specific string and produce a hash which was unique, and
> verifiable as belonging to the individual, but which would not require
> storing of the biometric itself or of anything which could be compared
> against the key in another database, or be stolen and applied to another
> database.
I just asked a friend who knows more about biometrics than I do.
While the irix does not change during the lifetime, it has some changes
while under the influence of drugs, e.g. alcohol. German banks have
found out that their ATM machines (which they wanted to secure with
biometrics) rejected drunk people.
The biometrics stuff works like that:
- you take a series of pictures of the eye
- you apply adaptive wavelet transforms
- you do some reduction and get a 1600 bytes data block
- you require the user to present his smart card
- the smart card reveals another 1600 bytes
- the ATM compares these 1600 byte hashes
Problems are:
- you have to take a series of pictures to make sure the eye is still
moving (that is, not dead). This can unfortunately still be faked
with electric impulses on a dead eye.
- you have to make sure that nobody can fabricate a smart card for a
person except you. This is not trivial and will probably be done
with second level security (high civil charges for misuse,
additional security cameras, ...)
- someone could fake the iris image by basically replaying a video
tape with a special monitor before the camera.
I heard that the IBM system is vulnerable to this attack.
That's why institutions like nuclear power plants use more than one
camera at different angles and combine iris biometrics with face
biometrics and speech biometrics. BTW: speech biometrics is not
vulnerable to replay attacks. Current systems tell you what you should
say and then uses speech recognition to see if you really said what you
were supposed to say. Finally, it detects patterns in your speech and
checks them against the database.
> http://www.biometrics.org/examples.html lists dozens of biometrics systems
> with links. The rest of the site also has some interesting stuff (This is
> the Biometrics Consortium, which Wired pick as probably becoming a
> regulatory body in the area at some stage).
Huh? "Wired" picks them? Since when does Wired pick regulatory
bodies?! This is like letting USA Today choose the president!
Felix
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue May 5 10:17:01 1998