Re: [ISN] Are Biometrics Hashable?

From: mea culpa (jerichoat_private)
Date: Fri May 08 1998 - 01:18:58 PDT

  • Next message: mea culpa: "[ISN] Should Feds Trust Windows NT?"

    Forwarded From: andrewat_private (Andrew McNaughton)
    >Forwarded From: Felix von Leitner <>
    >> Forwarded From: Andrew McNaughton <andrewat_private>
    >> A question I've been trying to answer is whether anyone's come up with a
    >> biometric which is sufficiently discrete to be put through a cryptographic
    >> hash.
    >You don't want to do that, because biometrics is always a statistical
    >process.  You take a picture (and lose information due to aliasing and
    >small resolution).  You then run a digital filter on the picture (and
    >do some statistical process that loses even more information).  In the
    >end, you get some extracted details that you try to match to the picture
    >in the database.  Now, the weather might have changed, the lighting has
    Iris scans have (according to Iriscan's pages anyway) enough information in
    them that one could afford to lose a high proportion of it and still easily
    avoid false positives.  False negatives are more of a problem due to
    various factors as mentioned by you and Gene Spafford.
    >What is the guy trying to achieve?  That you can do a fast database
    >lookup?  Database access is not an issue with current systems.  That you
    >have a has so you can't impersonate someone?  The iris picture _is_ a
    >hash from the picture, albeit a very specialized one.
    The goal I have in mind is to produce a code which can be used to verify
    identity, but cannot be linked with another database.
    >At any rate, even if we used a hash, the biometric device would still
    >have the original picture before taking the hash and could store it in a
    >database.  You can't really to anything against that.
    True up to a point.  Try this scenario
    The reader displays a database specific code to the scanned person on a
    panel (human readable text naming the database), which would be combined
    with the iris image and a secret key as well, known to the database system,
    and provided to the reader.  The bundle then gets hashed to produce a code
    which is then passed out of the reader to whatever system lies beyond, and
    stored in the database.
    Supposing that this arrangement were required by law, it being a crime to
    possess raw biometric identification data outside of a licensed device.  Of
    course illegal devices would come about, and collect images which could be
    used to fool the system (assuming a suitably reponsive image of an eye
    could be presented).  A camera mounted in the street could probably collect
    the data to crack accounts at every ATM in the vicinity.  Identity theft
    would not be impossible, though it would be a great deal more difficult
    than with Social Security Numbers.
    What would be acheived though is a system whereby users can identify
    themselves, without providing a key to link databases collected for
    separate purposes.  It's more a question of controlling the actions of
    businesses and government departments who run the databases rather than
    thwarting criminals.
    >The biometrics stuff works like that:
    >  - you take a series of pictures of the eye
    >  - you apply adaptive wavelet transforms
    >  - you do some reduction and get a 1600 bytes data block
    >  - you require the user to present his smart card
    >  - the smart card reveals another 1600 bytes
    >  - the ATM compares these 1600 byte hashes
    The stuff I looked at at suggests that their final
    comparison is just a count of the number of bits in the data block that
    don't match.  The technical problem is to produce a code which is
    comparable after a cryptographically secure hash.
    I'm not a cryptographer, but I suspect that this is awkward.  Perhaps the
    database and secret keys could be rolled into the iris image or the wavelet
    transform process?
    >Problems are:
    >  - you have to take a series of pictures to make sure the eye is still
    >    moving (that is, not dead).  This can unfortunately still be faked
    >    with electric impulses on a dead eye.
    >  - you have to make sure that nobody can fabricate a smart card for a
    >    person except you.  This is not trivial and will probably be done
    >    with second level security (high civil charges for misuse,
    >    additional security cameras, ...)
    >  - someone could fake the iris image by basically replaying a video
    >    tape with a special monitor before the camera.
    >    I heard that the IBM system is vulnerable to this attack.
    Iriscan use light response to avoid replay attacks.  I imagine it could be
    fooled by a system which doctored the images in response.  In a way, using
    biometrics is a bit like a password system where people walk around with
    their passwords tattooed on their foreheads for all to see.  What security
    exists in it is somewhat akin to the difficulty of forging a banknote.
    >That's why institutions like nuclear power plants use more than one
    >camera at different angles and combine iris biometrics with face
    >biometrics and speech biometrics.  BTW: speech biometrics is not
    >vulnerable to replay attacks.  Current systems tell you what you should
    >say and then uses speech recognition to see if you really said what you
    >were supposed to say.  Finally, it detects patterns in your speech and
    >checks them against the database.
    It's still a race between the identification system and the speech
    synthesiser.  No doubt it works, but if the attacker knows enough about
    what the recognising system is looking for The necessary features can
    presumably be layed over the top of someone else's voice.
    >> lists dozens of biometrics systems
    >> with links.  The rest of the site also has some interesting stuff (This is
    >> the Biometrics Consortium, which Wired pick as probably becoming a
    >> regulatory body in the area at some stage).
    >Huh?  "Wired" picks them?  Since when does Wired pick regulatory
    >bodies?!  This is like letting USA Today choose the president!
    Yeah, yeah.  I don't know wired's source, but it seems sufficiently
    plausible to pass on.  This paragraph was snipped out of something passed
    to a journalist.  Saying it's from other reporters means it needs to be
    verified before it can be used as opposed to being something I have gotten
    from source and paraphrased myself.
    Andrew McNaughton
    Andrew McNaughton                                          =
    ++64 4 389 6891                 Any sufficiently advanced  =
    andrewat_private               bug is indistinguishable  =             from a feature.         =                -- Rich Kulawiec  =
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated []

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:40 PDT