Forwarded From: Felix von Leitner <leitnerat_private-berlin.de>

Thus spake mea culpa (jerichoat_private):

> [Moderator: I can't answer his question.. anyone else?]

Maybe. Let's see.

> Forwarded From: Andrew McNaughton <andrewat_private>
>
> I threw a couple of odds and ends of your stuff on biometrics at one of our
> journalists, and he thought it was worth an article and asked me for some
> primary material, which I've been hunting out.

Public knowledge since over 30 years now is that the iris does not change. Unless, of course, you use your eye. Who exactly proved that eludes me, but it's written in my dictionary, so I trust that information. If he's a journalist, he should be able to find that out by himself.

> A question I've been trying to answer is whether anyone's come up with a
> biometric which is sufficiently discrete to be put through a cryptographic
> hash.

You don't want to do that, because biometrics is always a statistical process. You take a picture (and lose information due to aliasing and small resolution). You then run a digital filter on the picture (and do some statistical process that loses even more information). In the end, you get some extracted details that you try to match to the picture in the database. Now, the weather might have changed, the lighting has changed.

What is the guy trying to achieve? That you can do a fast database lookup? Database access is not an issue with current systems. That you have a hash so you can't impersonate someone? The iris picture _is_ a hash from the picture, albeit a very specialized one. At any rate, even if we used a hash, the biometric device would still have the original picture before taking the hash and could store it in a database. You can't really do anything against that.
> If a biometric was available which could be converted to some more or less
> invariable character sequence then it would be possible to combine it with
> a database specific string and produce a hash which was unique, and
> verifiable as belonging to the individual, but which would not require
> storing of the biometric itself or of anything which could be compared
> against the key in another database, or be stolen and applied to another
> database.

I just asked a friend who knows more about biometrics than I do. While the iris does not change during the lifetime, it has some changes while under the influence of drugs, e.g. alcohol. German banks have found out that their ATM machines (which they wanted to secure with biometrics) rejected drunk people.

The biometrics stuff works like that:

- you take a series of pictures of the eye
- you apply adaptive wavelet transforms
- you do some reduction and get a 1600 bytes data block
- you require the user to present his smart card
- the smart card reveals another 1600 bytes
- the ATM compares these 1600 byte hashes

Problems are:

- you have to take a series of pictures to make sure the eye is still moving (that is, not dead). This can unfortunately still be faked with electric impulses on a dead eye.
- you have to make sure that nobody can fabricate a smart card for a person except you. This is not trivial and will probably be done with second level security (high civil charges for misuse, additional security cameras, ...)
- someone could fake the iris image by basically replaying a video tape with a special monitor before the camera. I heard that the IBM system is vulnerable to this attack.

That's why institutions like nuclear power plants use more than one camera at different angles and combine iris biometrics with face biometrics and speech biometrics.

BTW: speech biometrics is not vulnerable to replay attacks.
Current systems tell you what you should say and then use speech recognition to see if you really said what you were supposed to say. Finally, they detect patterns in your speech and check them against the database.

> http://www.biometrics.org/examples.html lists dozens of biometrics systems
> with links. The rest of the site also has some interesting stuff (This is
> the Biometrics Consortium, which Wired pick as probably becoming a
> regulatory body in the area at some stage).

Huh? "Wired" picks them? Since when does Wired pick regulatory bodies?! This is like letting USA Today choose the president!

Felix

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:38 PDT
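The point made in the thread, that a biometric template cannot simply be run through a cryptographic hash because every capture differs slightly, as an added illustration that is not part of the original mail: a constructed 1600-byte template (the block size the post mentions), a simulated re-capture of the same eye with a few noisy bits, and a random template for another person are compared both by exact SHA-256 digest and by a Hamming-distance threshold. The noise level and the 25% threshold are assumptions, not figures from the post.

```python
import hashlib
import random

TEMPLATE_BYTES = 1600  # size of the reduced iris data block described in the post


def make_template(seed: int) -> bytes:
    """Constructed stand-in for the 1600-byte block the wavelet/reduction step yields.
    A real template is not random; random bytes suffice to show the comparison."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))


def recapture(template: bytes, flipped_bits: int, seed: int) -> bytes:
    """Simulate a fresh capture of the same eye: identical except for a few bits
    disturbed by lighting, focus or aliasing noise (constructed, not measured)."""
    rng = random.Random(seed)
    data = bytearray(template)
    for pos in rng.sample(range(len(data) * 8), flipped_bits):
        data[pos // 8] ^= 1 << (pos % 8)  # flip one distinct bit per sampled position
    return bytes(data)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_match(enrolled: bytes, probe: bytes) -> bool:
    """Exact comparison via SHA-256: a single differing bit gives a different digest."""
    return hashlib.sha256(enrolled).digest() == hashlib.sha256(probe).digest()


def threshold_match(enrolled: bytes, probe: bytes, max_fraction: float = 0.25) -> bool:
    """Statistical comparison: accept when the fraction of differing bits is below a
    threshold (0.25 is an assumed value, not one from the post)."""
    return hamming_distance(enrolled, probe) / (len(enrolled) * 8) < max_fraction


if __name__ == "__main__":
    enrolled = make_template(seed=1)            # template stored on the smart card
    same_eye = recapture(enrolled, 64, seed=2)  # noisy re-capture of the same eye
    other_eye = make_template(seed=3)           # unrelated person
    print("hash match, same eye:     ", hash_match(enrolled, same_eye))        # False
    print("threshold match, same eye:", threshold_match(enrolled, same_eye))   # True
    print("threshold match, other:   ", threshold_match(enrolled, other_eye))  # False
```

Only 64 of 12800 bits differ between the two captures of the same eye, yet the digests already disagree, which is why matching is done on distance rather than on a hash.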