Re: [ISN] Are Biometrics Hashable?

From: mea culpa (jerichoat_private)
Date: Tue May 05 1998 - 02:07:59 PDT


    Forwarded From: Felix von Leitner <>
    Thus spake mea culpa (jerichoat_private):
    > [Moderator: I can't answer his question.. anyone else?]
    Maybe.  Let's see.
    > Forwarded From: Andrew McNaughton <andrewat_private>
    > I threw a couple of odds and ends of your stuff on biometrics at one of our
    > journalists, and he thought it was worth an article and asked me for some
    > primary material, which I've been hunting out.
    Public knowledge for over 30 years now is that the iris does not
    change.  Unless, of course, you use your eye.  Who exactly proved that
    eludes me, but it's written in my dictionary, so I trust that
    information.  If he's a journalist, he should be able to find that out by
    > A question I've been trying to answer is whether anyone's come up with a
    > biometric which is sufficiently discrete to be put through a cryptographic
    > hash.
    You don't want to do that, because biometrics is always a statistical
    process.  You take a picture (and lose information due to aliasing and
    small resolution).  You then run a digital filter on the picture (and
    do some statistical process that loses even more information).  In the
    end, you get some extracted details that you try to match to the picture
    in the database.  Now, the weather might have changed, the lighting has
    What is the guy trying to achieve?  That you can do a fast database
    lookup?  Database access is not an issue with current systems.  That you
    have a hash so you can't impersonate someone?  The iris picture _is_ a
    hash from the picture, albeit a very specialized one.
    At any rate, even if we used a hash, the biometric device would still
    have the original picture before taking the hash and could store it in a
    database.  You can't really do anything against that.
    > If a biometric was available which could be converted to some more or less
    > invariable character sequence then it would be possible to combine it with
    > a database specific string and produce a hash which was unique, and
    > verifiable as belonging to the individual, but which would not require
    > storing of the biometric itself or of anything which could be compared
    > against the key in another database, or be stolen and applied to another
    > database.
    I just asked a friend who knows more about biometrics than I do.
    While the iris does not change during a lifetime, it has some changes
    while under the influence of drugs, e.g. alcohol.  German banks have
    found out that their ATM machines (which they wanted to secure with
    biometrics) rejected drunk people.
    The biometrics stuff works like that:
      - you take a series of pictures of the eye
      - you apply adaptive wavelet transforms
      - you do some reduction and get a 1600 bytes data block
      - you require the user to present his smart card
      - the smart card reveals another 1600 bytes
      - the ATM compares these 1600 byte hashes
    Problems are:
      - you have to take a series of pictures to make sure the eye is still
        moving (that is, not dead).  This can unfortunately still be faked
        with electric impulses on a dead eye.
      - you have to make sure that nobody can fabricate a smart card for a
        person except you.  This is not trivial and will probably be done
        with second level security (high civil charges for misuse,
        additional security cameras, ...)
      - someone could fake the iris image by basically replaying a video
        tape with a special monitor before the camera.
        I heard that the IBM system is vulnerable to this attack.
    That's why institutions like nuclear power plants use more than one
    camera at different angles and combine iris biometrics with face
    biometrics and speech biometrics.  BTW: speech biometrics is not
    vulnerable to replay attacks.  Current systems tell you what you should
    say and then use speech recognition to check that you really said what
    you were supposed to say.  Finally, they detect patterns in your speech
    and check them against the database.
    > lists dozens of biometrics systems
    > with links.  The rest of the site also has some interesting stuff (This is
    > the Biometrics Consortium, which Wired pick as probably becoming a
    > regulatory body in the area at some stage).
    Huh?  "Wired" picks them?  Since when does Wired pick regulatory
    bodies?!  This is like letting USA Today choose the president!
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated []
