A Discussion on Biometrics
From: P.T. Ong
Date: Tue, 25 Nov 2003 09:17:20 +0800
My responses are italicized:
At 01:49 AM 11/25/2003, Perry G. wrote:
Thank you for the response. After our lunch, I started pondering your comments re: the problems associated with biometrics and pretty much doped out the issues you raise in this an your prior email, which, tome, is gratifying. However, I do have a couple of questions that you may be able to clarify and that I am fairly certain would also be raised by others confronted with the issues you raise. The first pertains to your follow-up point. I am assuming that your statement that biometrics are not strongly physicalized and, therefore, prone to the same mischief as other unphysicalized authentication structuresrefers to the digital representation of the physical attribute (I'm sorry this seems obvious, but I want to make sure I'm not misinterpreting your statement.)
Yes. That is correct. Biometrics are like passwords. They can be sniffed digitally, etc. If they are stored in a database, the database can be broken into ... from anywhere on the Internet.The second question is perhaps more important as it is likely constitute the primary rebuttal to your assertions. I agree that once a physical parameter of an individual is digitized and becomes a long password that this digital instantiation becomes vulnerable. However, if the authentication system insists that the stored (and presumably protected) digital value must by compared with the original human attribute (ex. iris, retina, or fingerprint) and must successfullymatch, than where does the risk lie.
Yes. Good concept. Insist that the digital value is compared to the original human attribute. When that is possible, biometrics has a chance of working ... so long as the database is not compromised, and false biometrics are inserted. However, this is not possible for the *vast* majority of digital authentication purposes because the authenticator is half way around the world from the authenticatee, with no idea of what the physical set up is at the authenticatee's end.
So, my main concern with using biometrics at door entrances and immigration checkpoints involve not the correctness of authentication [i.e. biometric source], but the security and legal problems that would result if the database is ever compromised either by (1) injection of false information, or, (2) theft of the data.
The 2nd case is the most scary for national databases. If the perpetrator gets the data, and a process is engineered to convert the digital back to the physical, the perpetrator can make anyone appear to have been at any place. Think about the legal implications! "Your honor, I know my fingerprint was on the gun, but my company's [or state's, or country's] biometric database was stolen a year ago!"This of course leaves out the six sigma aspect (I suspect reliability may actually be the issue here), but as long as the password isn't accepted as the single authentication object and must always be used in conjunction with the human attribute then it becomes important to understand where significant risk may still exist (I hope I'm not missing something obvious here!)
BTW, it's too late to worry about storing only one-way hashes. For example, California's DMV has been capturing mugshots and thumbprints of every driver in California for decades.
If it does not authenticate reliably, what's the point of having it be an authentication factor?!! How desirable is an authentication scheme that works on a Bayesian curve?! Not very, I would think.
I hope this is clear. I think being able to clarify this point is critical to achieving accept of you fundamental assertion which I understand and agree with.
I think it's important to be clear on what assets we are trying to protect from which attack modes. I am, in the main, interested in cyber access to digital assets. I believe for these cases, at best biometrics give an unrealistic sense of security, just like password systems.
In cases where there is control of the physical access points, where the risk of database compromise might be worth the possibility of detecting the criminal element, biometrics could be used. But, even then, I worry about the finality of the result if that database is ever compromised -- you can never "unsteal" information.