Hashing Out the Next Step in Biometric Security
ergo98 writes "CNN is running a story about biometric hashing. Using this technique, biometric inputs (such as facial characteristics) are altered based upon individual characteristics in a hopefully one-way process. The goal is to continue to reduce the risk of a back-end data exposure."
I don't like this. Say that someone discovers the "password" (the hash), then you're done. You can't change it (unless you grow a moustache). Same goes with fingerprints, etc. I think a password (passphrase) is much more practical.
The goal is to continue to reduce the risk of a back-end data exposure. Surely you didn't think that photocopying your ass wouldn't get patented, did you.
are reluctant to adopt biometrics because they're afraid a crook will rip out their eyes.
Seriously.
They cited Demolition Man.
For real.
Heck, they need billion dollar research grants to figure out these "techniques"? Bubba, Sparky and his pals downtown would irreversibly alter an individual's facial characteristics given $100.00, 10 minutes and enough motivation.
Now instead of the crackers finding out my password and stealing my data, they'll have to kill me to get the fingerprint scan as well.
Oh joy, the wonders of modern technology.
"The goal is to continue to reduce the risk of a back-end data exposure." Just make sure no one rolls your ass over an inked stamp-pad and then plonks it on a piece of paper, then proceeds to steal your "identity" via plastic surgery.
"The goal is to continue to reduce the risk of a back-end data exposure."
Decide for yourself.
The goal is to continue to reduce the risk of a back-end data exposure.
...if they start using your back-end for biometric identification and really, I don't want to go near that scanner after someone else has used it.
I have a very hard time believing it is possible to encrypt something one way. It is only a matter of time before some genius figures out a way to reverse it.
The goal is to continue to reduce the risk of a back-end data exposure.
Sure, today they promise that they only want to do biometrics on my face and fingers. But it's just the tip of the slippery slope. You know we can't trust them. Just like the social security cards used to all say "not to be used for identification" and look what good that did.
I say that if we don't fight these biometric overlords, it is only a matter of time before they are forcing us to sit naked on copiers so they can xerox our asses! Make a stand now while you still have some dignity, and your pants!
When information is power, privacy is freedom.
As it says in this summary of the AP article making the rounds today, sounds like the makings of a bad episode of 24:
http://www.privsecblog.com/archives/biometrics-67-cancelable-biometrics-outsmarting-gummy-bear-attacks-and-enhancing-privacy.html
Dude, you MUST study basic cryptography. Even MD5 is one way. Sure, you can guess WHICH strings can produce a determinate hash. But of those thousands (maybe millions) of combinations, can you really guess which one was ACTUALLY used?
Anyway, the RSA is constantly working on getting better and better hashes. We got SHA-256, SHA-512 and SHA-1024. And these are way more advanced than SHA1.
Unless of course, you're running quantum cryptography.
Anyway, all that has to be done to create a "virtually unbreakable" hash is to make it large enough so that it can't be "cracked", so to speak. When SHA-2 collisions are found, we'll have SHA-3 and its variants, which will probably be 2048, 4096, 8192 bits... and so on.
It seems like DNA already is a fairly unique method of hashing.
This actually seems easy to do. Combining various biological inputs to derive a unique identifier.
It doesn't seem like a GOOD idea quite yet, but it certainly seems like something that companies will pursue since I'm sure there are people willing to pay money for it.
Say what you will about passwords, the thing is they require *NO* extra equipment to keep running (well, a keyboard, but you probably need that for other purposes anyway). However, all sorts of biometric scanners need equipment to keep running, equipment that will fail one day, and of course it will be the day that you have to log into your account to fix a critical problem in a critical production system....
I often wonder if computers will survive the inevitable backlash when we completely lose all privacy. Things always get a lot worse before they get better and we keep heading there. Professional politicians should have taught us enough about trust that we would not listen to these corporations too. Just like social security numbers and everything else to date, biometric data will be abused eventually, you can be sure of it. Just wait for the skeptical generation to die off.
:P
Maybe global warming will get us all first though
-1 OT
A story that is still relevant whenever biometrics is brought up:
http://www.hindustantimes.com/news/7242_1301216,00180008.htm
Combine your data plus each provider's own distortion = password plus salt.
Most biometric systems are flawed in the fact that people change. I suppose the only system that isn't too flawed, is a retinal system because if you screw your eye over, you probably have bigger problems to deal with than your files. What do you do when you get a cut on your finger, burn it on the stove,...walk into a wall. For the system to make files more secure than short password they require many data points samples from the source. That means more chances for [something as simple as] swelling from hitting your head to screw up the decoding. "Hey Timmy how's it goin" "awww shucks, bad I guess" "Why's that" "Remember yesterday when you smashed me in the face with that iron rebar, well, now it'll be a week till I can use my computer again" So how does one avoid this, you have a backup password that you can use, but oh wait, doesn't that completely contradict the point of biometric security.
Defeating biometric security.
The solution here (echoed by other posts) isn't all that new or amazingly innovative. In the end, it's a nifty hack for preventing database theft/back-end/internal theft. There *is* concern about that (I personally predict that it's inevitable that someone will get their hands on a major biometric database...for instance, a datatape that holds the photographs for an entire state's DMV license-state ID archive.)
However, the complexity in stealing the back-end pales in comparison to stealing the actual biometric itself (since, after all, just you walking around makes your face easily photographed, or you touching things leaves your fingerprints everywhere.) This nifty hash system can't change that.
Crooks aren't that smart. After Mercedes implemented fingerprint readers in some of their cars, there were several reports that some owners got their fingers cut off by thieves. These fingers, of course, could not start the car (no self-respecting fingerprint reader relies on fingerprint alone anymore), but that was not much of a relief for folks whose fingers got cut off.
keep your data away from my backend thanks
This, like all other "undefeatable" biometric systems will get hacked six ways to Sunday.
Even the mighty RFID chip under the skin will fail as hackers and evil doers don't take no for an answer.
In the end, when the people are BEGGING to be protected from the evil doers, BIG BROTHER will step in with the ultimate biometric system, the "Soul Sucker Chip" whereby part of your soul is taken and stored in the Universal Comparator, aka "The Approver". Every transaction, every movement will be handled by the "The Approver". When you wish to do something, to go somewhere, to buy/sell/trade something, to read something, to speak something, what is left of your soul will be compared to the database and "The Approver" will determine instantly if your requested action is permitted.
Finally, people will be safe and secure. And only when people are totally safe and totally secure will they have "true freedom"(TM)
Isn't the biometric profile a hash in the first place? (i.e. generating a unique profile based on a person's characteristics) So this proposal of generating a biometric profile based on a distortion is applying a salt to hash a hash? Is hashing a hash more secure? It also seems to perpetuate a big problem in the biometric industry that exists right now - no interoperability for profiles, thus ensuring that you're locked in to a vendor.
ooo ooo what about retinal scan, hand print scan, DNA analysis (takes 24 hours last time I checked) and password all just to get into the computer... wouldn't that be fun... by the time the DNA analysis was complete you would have to start all over again 'cause you would walk away after 24 hours
(yes I know I suck at spelling, feel free to correct my grammar and/or spelling, I don't care, I'm still not going to change)
Any system where a credential can't be changed is broken.
The only biometric I've seen with promise uses fingernail etchings. If your password is compromised, zero the old etching and use another fingernail. About 30K of data fits, apparently.
I'd still prefer a private key on disk or SecureID token.
1) Install a "face reader" authentication device.
2) Put an "Acne Trouble? click here" link and force them to buy lots of acne cream
3) ???
4) Profit!!!
First of all, let's link to the research on how hashes are reversed:
Fingerprint Readers: http://chris.fornax.net/biometrics.html
Face Recognizers: http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf
Both attacks are based on the idea that the algorithms are necessarily fuzzy, and as such emit not just an oracular "match/not match" but a weighting regarding how accurate the matching is. As such, you basically can perturb the underlying data slightly, run it through the algorithm, and then see if you got closer or farther from the source biometric.
Fingerprint reversal already creates viable (if not completely accurate) candidates. Faces? Well, see the PDF, but they can be made recognizable. (You just, widen the brow, shrink the nose, widen the mouth, whatever incrementally until you achieve match.)
Now, suppose you add a warping factor to faces. Does this help? The stored biometric must contain the warping parameters (since the incoming image must be similarly modified), so we're left with two possibilities:
1) The warping is severe -- not only does the resulting image bear no resemblance to a human face, but so much pixel intermixing has occurred that it'd be near meaningless to invert the warp vectors to try to get back to a meaningful face.
2) The warping isn't so severe, and you can just invert the stored vectors.
Case 1 is what they're implying, but Case 1 doesn't allow for significant features above and beyond what's created by the vector field itself. In other words, almost any face would match, if the warp vectors were irreversible. Put another way -- if the face detection algorithm is able to find a feature, we're able to reverse back to what the feature looks like, and if we're not able to reverse back, we almost certainly can't have a face detector find the feature.
My assumption, then -- and again, this is without seeing detailed research (I happily discount the examples CNN provided...it can't be _that_ bad) -- is that this technique doesn't work against hot/cold style attacks against the biometric algorithm. If the researchers care to clarify -- please mail me, or respond!
--Dan
The silly thing about this article in particular was the popup walkthrough.
They show a fingerprint scanner, and how the print gets warped before being stored. Then along comes John Q. Hacker, who manages to hack the database, extract the stored (and presumably encrypted) fingerprint data, build a fake fingerprint out of that data... and BOOM! He is foiled because of that warping step.
Wow, that hacker went to a huge amount of work just to get that fingerprint data.. meanwhile, the user is happily going about her day, leaving copies of this "secret" all over the place. If the hacker can't lift a print from her car door, or the office building door handle, anything around her home, etc.. well, we know there's a nice full print sitting there on the scanner!
Okay, suppose she wears gloves at all times, and wipes the scanner while holding the door open with her foot. Well, if we're assuming the hacker can get into the database, he can just start collecting fingerprints from *anyone* in the system. Then he has multiple examples of input and output of the warping process. Isn't that enough to build a rough guess of what the target's fingerprint will look like when unwarped? He doesn't even need to get it exactly, since we're dealing with a fuzzy-recognition thing here.
I find it interesting that IBM chose to distort the data in their biometric scanners before storage. Since the type of distortion is likely to be secret, proprietary, or just plain difficult to duplicate, it effectively locks any organization into the IBM scanners. Since their system database would only contain IBM's hashes of biometric data, buying even one non-IBM scanner would require rescanning every user.
Now perhaps I am jumping to conclusions and IBM has implemented some kind of removable card interface for hashing, but I find that doubtful. Moreover, hashing biometric data is of questionable benefit in any case. Most biometric data is more easily collectable by simple investigatory techniques (covert photography, dusting for prints) than by reconstructing a face from the security data. Moreover, since biometric characteristics are necessarily unchangeable, potential hackers could merely use the data from some other less secure biometric security system one of your users also uses. Heck, creating a fake biometric id system and using social engineering to get someone to use it would be way easier than reversing these hashes.
Furthermore, designing a secure hash to accommodate the inexact nature of biometric identification seems difficult. By its very nature a secure hash cannot be guaranteed to map similar inputs to similar hashes. Thus either the hash will be insecure, the system too prone to false negatives to be useful, or the biometric data must first be rounded to exact values (or for borderline cases just hash both possible ways to round). Yet a rounding scheme which avoids too many false negatives will significantly reduce the 'password' space.
In a normal system the sensor would report all the biometric measurements to the authorization server, which would compare the measurements to the stored measurements and see if they are sufficiently close to an authorized user. Since a secure hash can't be 'close enough', the measurements must be rounded sufficiently to always give the same value for the same user. The net result will be a reduction, not an increase, in security. I actually suspect IBM isn't using a secure hash in the cryptographic sense.
A more promising option in my opinion would be to implement a distinct algorithm in the sensor to check that the person had normal human features. Thus even if a hacker steals the biometric info and attempts to produce a fake he must not only duplicate those particular measurements but incorporate them into an image/texture which is otherwise human normal. Since these two algorithms can use different information it would be difficult to defeat. Furthermore since the human detection can be isolated in the sensor no vendor incompatibility issues arise and the algorithm can even be upgraded.
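The rounding trade-off described in the post above, as an added example (not from any poster or from IBM): the measurements, the noise and the bucket width are constructed, and `candidate_hashes` implements the "hash both possible ways to round" idea for values near a bucket edge.

```python
import hashlib
from itertools import product

LEVELS = 256  # raw resolution of each measurement (0..255), constructed

# Constructed enrolment sample: six made-up measurements for one person.
ENROLLED = (120, 87, 203, 45, 160, 99)
# Same person re-scanned, with +/-2 of sensor noise on each value (constructed).
RESCAN = (122, 86, 204, 45, 158, 100)


def hash_template(values):
    """SHA-256 over the measurement tuple. A one-unit change in any value
    produces an unrelated digest, which is the 'can't be close enough' point."""
    data = ",".join(str(v) for v in values).encode()
    return hashlib.sha256(data).hexdigest()


def quantize(values, step):
    """Round every measurement down to a bucket of width `step`."""
    return tuple(v // step for v in values)


def candidate_hashes(values, step, margin):
    """Hash every plausible rounding of a sample: a value within `margin` of a
    bucket edge is tried in both neighbouring buckets (the post's 'hash both
    possible ways to round'). margin=0 gives plain quantization."""
    options = []
    for v in values:
        b = v // step
        choices = {b}
        if v % step < margin:             # just above the lower edge
            choices.add(b - 1)
        if step - (v % step) <= margin:   # just below the upper edge
            choices.add(b + 1)
        options.append(sorted(choices))
    return {hash_template(combo) for combo in product(*options)}


def exact_match(enrolled, sample):
    """Cryptographic hash of the raw values: fails on any sensor noise."""
    return hash_template(enrolled) == hash_template(sample)


def quantized_match(enrolled, sample, step, margin=0):
    """Store the hash of the quantized enrolment; accept a sample if any of
    its candidate roundings hashes to the stored value."""
    stored = hash_template(quantize(enrolled, step))
    return stored in candidate_hashes(sample, step, margin)


def template_space(n_features, step):
    """Number of distinct stored templates after quantization, i.e. the
    effective 'password' space someone who stole the digest must search."""
    buckets = -(-LEVELS // step)  # ceiling division
    return buckets ** n_features
```

With six measurements and buckets of width 8, the 256^6 raw space shrinks to 32^6, and the rescan only matches once the borderline value 158 is also tried in the bucket above it.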
When using passphrases, people often wonder about users who leave their credentials on their monitor. What do you do when people leave their DNA all over their keyboard (that's skin fragments, you pervert).
It's relatively easy to spread someone else's DNA all over a crime scene (google 'DNA spray'). I don't think it'd be that difficult to do with DNA based biometrics.
There surely is a lot of hype and hot air surrounding this, but ultimately it only comes down to having something to uniquely identify an individual. So why use something we are (fingerprints or retina scans) instead of something we know or have (passwords, passphrases, and tokens)?
This is particularly true when cryptographic research goes on in public, while this biometric stuff is closed and proprietary. Can we tell how secure the protocols and algorithms are? Not a chance. Given that it is highly likely that this proprietary stuff is way less secure than public stuff that has been subjected to all sorts of attacks, I don't see why these devices should be trusted.
... a backend compromise
So you can't turn a hash of my fingerprints back into my fingerprints.
Big deal.
You can still collate my hashed fingerprint in THIS database with my hashed fingerprint in THAT database etc. etc. until you stumble on a database that has my hashed fingerprint and my name.
In other words, all the data-mining junk still works. You can still track me, SPAM me, sell my information, even find out my name and where I live.
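The cross-database collation the post describes, and the "data plus each provider's own distortion = password plus salt" idea from earlier in the thread, as an added example that is not from any poster: the templates, provider keys and record fields are constructed, and a keyed hash (HMAC) stands in for a provider-specific distortion.

```python
import hashlib
import hmac

# Constructed quantized templates standing in for two people's fingerprints.
ALICE = b"15,10,25,5,20,12"
BOB = b"3,30,8,27,14,21"

# Constructed per-provider keys; in practice each provider keeps its own secret.
GYM_KEY = b"gym-provider-key"
HOSPITAL_KEY = b"hospital-provider-key"


def unsalted_hash(template):
    """Plain SHA-256: the same finger yields the same digest everywhere."""
    return hashlib.sha256(template).hexdigest()


def keyed_hash(provider_key, template):
    """Provider-specific keyed hash (HMAC): same finger, different digest
    per provider, so digests from two databases cannot be joined."""
    return hmac.new(provider_key, template, hashlib.sha256).hexdigest()


def build_db(hash_fn, enrolments):
    """Store only digest -> record, as a back end that keeps no prints would."""
    return {hash_fn(template): record for template, record in enrolments}


def link(db_a, db_b):
    """What a data miner holding both databases can do: join on equal digests."""
    return [{**db_a[h], **db_b[h]} for h in sorted(db_a.keys() & db_b.keys())]


def cross_db_linkage(per_provider_keys):
    """Build a gym database (pseudonymous member ids) and a hospital database
    (real names) from the same fingers; return the records that can be merged."""
    if per_provider_keys:
        gym_fn = lambda t: keyed_hash(GYM_KEY, t)
        hospital_fn = lambda t: keyed_hash(HOSPITAL_KEY, t)
    else:
        gym_fn = hospital_fn = unsalted_hash
    gym = build_db(gym_fn, [(ALICE, {"member_id": "G-1041"}),
                            (BOB, {"member_id": "G-2277"})])
    hospital = build_db(hospital_fn, [(ALICE, {"name": "Alice Example"})])
    return link(gym, hospital)
```

The provider key then becomes the secret to protect: a stolen key together with the digests makes the digests linkable again, and it does nothing about the underlying print being unchangeable.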
Using hash functions in biometric identification has been already around for awhile. Working everyday examples can be found for example from http://www.deltabit.fi/. They're used in hospitals, homes, even fitness centers.
In their appliance no fingerprints are saved anywhere (!), only the numerical value, which is the product of a one-way-only hash function. I repeat, no image of one's fingerprint is stored anywhere; it's not even possible with the equipment used. You simply can not reverse the numerical value back to a fingerprint - not even if you knew all the mathematical functions used.
Additional note: their appliance detects also dead fingers (prevents cutting of fingers) and use of fake fingerprint layers on top of fingers (like that gelatine stuff used by old'n'famous 007). Works also in freezing temperatures (normal here in Finland, at least in winter times ;-)
I personally am very skeptical about everything that can be used in a Big Brother way, but I find this device something genius. Just keeps me wondering why they didn't implement anything like this in passports (instead of that unreliable facial recognition).
... did it give a "not enough breakdance skillz to enter" error?
In my school's library, they have a fingerprint scanner instead of library cards (which I still think is bizarre overkill and no better than cards for stopping theft).
They gave me a sheet of paper to sign, with small print that most people probably ignore. As I was interested, I looked through to find out how they protect my information. It turns out that they store a "hash" of the fingerprint which cannot be used to recover the print except by a method which only certain people at the company which sold the system know.
So rather than a real secure hash, my fingerprint is protected by security through obscurity. I suspect it's much more like weak encryption than a hash, and that anyone who was really interested could get my fingerprint out, if they had the library's software available to reverse engineer.
There's very little motive in a school, but if this type of system spreads to offices or even banks, there are going to be real problems.
cut biometrics some slack. just use it like you would a spam filter. Don't make the biometrics require 100% accuracy. Heck, for desktop users maybe 50% accuracy would work, and then require a simple password. if someone looks somewhat like a specific user, and knows that their password is "fluffy", sure, let them have the limited access. Now, if you're talking about a system admin, then get that accuracy up to 95 - 100%.
...if everyone everywhere was totally honest and always told the truth at all times? Now I fully realise that nobody is about to make this happen any time soon, and from that perspective I think it is interesting to note that with human institutions the more pervasive the influence and control they have over us the more they seem to be disposed toward lying. There is just *so* much stuff around us today that is necessary because so many are dishonest to a greater or lesser degree. If we all woke up one morning and this wasn't the case then I think it would take quite some getting used to.
how many people would think "Read the Article" points are for people who should read the article instead of for people who have read the article? Mods would have a harder time, and would be trolled even more.
I've long been an advocate of NOT using biometrics (confirmed by many slashdot posters in this topic) until recently...
The three categories are listed again as something you: HAVE, REMEMBER, and ARE.
Perhaps, we're a bit hasty in throwing out the biometric equation as being harshly non-revokable (no amount of hashing marketspeak can shake that solid notion).
What if "ARE" is being used as a first line of defense, albeit a very weak defense. It would make the whole authentication/authorization more casual and quicker for the general consumer market.
Such a step may entail:
1. Pull out smartcard
2. Press thumb over scanpad
3. Enter in PIN, releases unique RSA for this 1 transaction
4. Scan smartcard over point of sales
This would solve nearly all of the ease-of-use issue, in fact, I seem to recall this kind of program is being rolled out in certain parts of Europe.
Now, next step is to RSA'sified our SSN. Particularly a unique one for each financial institution. And later, for each transaction.
Would this cutup be a bane to our credit history? Not really, the government would have to categorize these transactions and then broker the information selectively to our (ahem) favorite credit bureau.
Many corporations, particularly umbrella-type ones, that share financial information would HATE this. But it goes a VERY long way to protecting our individualism without resorting to VERY expensive law-enforcement with minimal re-infrastructure.
Because anyone can and will steal the digital artifact. For fingerprints, the digital artifact can be generated from any of the thousands of latent prints you leave around every day. My solution is that trusted readers cryptographically sign the hash + challenge. You can then check with a registrar how secure the reader model is supposed to be, if that specific device is known to have been compromised, etc.
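The reader-signs-hash-plus-challenge design proposed above, as an added example that is not the poster's own code: the registrar entries, reader models, keys and enrolled hash are constructed, and a per-reader shared key with HMAC stands in for the signature so the block runs on the standard library alone (the post's design would use a reader signing key and the registrar's copy of the matching public key).

```python
import hashlib
import hmac
import os

# Constructed registrar: what the verifier knows about each enrolled reader.
REGISTRAR = {
    "reader-0001": {"model": "ModelX", "key": b"key-0001", "compromised": False},
    "reader-0002": {"model": "ModelX", "key": b"key-0002", "compromised": True},
    "reader-0003": {"model": "ModelY", "key": b"key-0003", "compromised": False},
}
# Assurance level the registrar publishes per reader model (constructed).
MODEL_ASSURANCE = {"ModelX": "liveness", "ModelY": "image-only"}
ACCEPTED_ASSURANCE = {"liveness"}

# Constructed enrolled template hash for the user being verified.
ENROLLED_HASH = hashlib.sha256(b"15,10,25,5,20,12").digest()


def new_challenge():
    """Server side: fresh random challenge per authentication attempt."""
    return os.urandom(16)


def _message(reader_id, challenge, template_hash):
    # Reader identity, challenge and hash are bound together in one message.
    return b"|".join([reader_id.encode(), challenge, template_hash])


def reader_respond(reader_id, reader_key, challenge, template_hash):
    """Reader side: authenticate the hash and the challenge under the reader's key
    (HMAC here; a signature in the post's design)."""
    tag = hmac.new(reader_key, _message(reader_id, challenge, template_hash),
                   hashlib.sha256).digest()
    return {"reader_id": reader_id, "challenge": challenge,
            "template_hash": template_hash, "tag": tag}


def server_verify(response, issued_challenge, enrolled_hash):
    """Server side: consult the registrar before trusting the hash at all."""
    entry = REGISTRAR.get(response["reader_id"])
    if entry is None:
        return "unknown reader"
    if entry["compromised"]:
        return "reader revoked"
    if MODEL_ASSURANCE.get(entry["model"]) not in ACCEPTED_ASSURANCE:
        return "reader model below required assurance"
    if response["challenge"] != issued_challenge:
        return "stale or replayed challenge"
    expected = hmac.new(entry["key"],
                        _message(response["reader_id"], response["challenge"],
                                 response["template_hash"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["tag"]):
        return "bad reader signature"
    if not hmac.compare_digest(response["template_hash"], enrolled_hash):
        return "biometric mismatch"
    return "ok"
```

A stolen digest alone is not enough here: it has to arrive inside a fresh, correctly authenticated response from a reader the registrar still trusts.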