Slashdot Mirror


NIST Standards for New Biometric ID Card Published

rts008 writes "eWEEK is reporting that NIST has published the biometric data specs on the new Federal ID cards for employees and contractors that will be issued in October. From the article: 'Specifically, the guidelines state that two fingerprints must be stored on the card as "minutia templates," mathematical representations of fingerprint images. [...] Guidelines require that all biometric data be embedded in the CBEFF (Common Biometric Exchange Formats Framework) structure. This ensures that all biometric data will be digitally signed and uniformly encapsulated. This format will apply not only to PIV cards, but also to any other biometric records kept by federal government agencies.'" The published standards [PDF] are also available from the NIST web site.


  1. Fingerprints? by Old+Spider · · Score: 4, Interesting

    But... fingerprints can be stolen. How does storing someone's fingerprint on these cards make them better than any other form of ID? If the image of your fingerprints is on the card, then anyone who has stolen your card can make fake fingerprints... and likely a fake card with their photo on it and with your fingerprint data. I mean, if they stored your retina patterns and maybe even a snapshot of your brain structure, then I could believe these cards are worth the trouble, but something tells me these new cards are nothing more than a way for whoever is making them to get some government cash by way of a false sense of security. What a joke.

    1. Re:Fingerprints? by cdrguru · · Score: 4, Interesting

      Making "fake" fingerprints isn't all that simple.

      Sure, if you need a fingerprint that withstands some sort of cursory optical examination, that can be done without too much trouble.

      But, if they are actually using any of the better techniques, like a guy with an ink roller or a sensor that isn't optically based, you can forget about faking it.

      Actually, even just having someone watching as your fingerprint is read is going to deter about 90% (maybe 99%) of fake attempts. You don't get to use a fake finger or most things on your finger if someone is actually watching and looking for that. Not 100% certain, for sure, but nowhere near as weak as you seem to think.

    2. Re:Fingerprints? by MrAnnoyanceToYou · · Score: 4, Insightful

      Unfortunately, as soon as fingerprints are on cards, along with other biometrics, the cards themselves become much more trusted. One of the dangers of security is the appearance of things being more secure than the actual method. Ergo, much more trusted despite only marginally more effective security. This means that when you get the key to the castle, you have one to all the doors. Not good. This is a case of the added value of having such identification on a card being trumped by the reality that if someone gets their hands on it and the ability to use it your financial life is not going to go well for a seriously long time.

      Making a security system more complex does not disallow it from being broken, it simply puts more complex holes in it. The reason anyone wants biometrics on a card is to take advantage of the gathered information, and has nothing to do with wanting more effective fraud reduction.

    3. Re:Fingerprints? by Reaperducer · · Score: 4, Informative

      But... fingerprints can be stolen. How does storing someone's fingerprint on these cards make them better than any other form of ID? If the image of your fingerprints is on the card, then anyone who has stolen your card can make fake fingerprints

      It doesn't sound like they're storing the actual fingerprints, but a mathematical representation of them. Which could mean some kind of one-way mathematical hash, like many computers have for passwords. I'm not saying it's perfect, but I don't see how it's possible to take a set of numbers and create someone else's fingerprints. Sounds like someone's dishing out warm steaming bowls of FUD for breakfast.

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
  2. India's richest temple has already implemented this by ravee · · Score: 5, Interesting

    Biometrics is widely used in India's richest temple at Tirupati (which is also the world's richest one). In fact, if the devotees have to get into the temple, they have to get their fingerprint copied to a database using biometrics and they are allotted a time to enter the temple. This is because over a quarter million people visit the temple daily and crowd control is a big job for the administration.

    --
    Linux Help
    for all things on Linux
  3. Brilliant idea! by David+Horn · · Score: 4, Funny

    I know, let's make people carry around a card with copies of their fingerprints and retinal scans on it. You know, just in case they forget to bring along their hands or eyeballs.

    --
    PocketGamer.org - For the gamer on the go!
  4. Re:No thank you by mcheu · · Score: 5, Insightful

    According to the description, this card is for a new government employee ID. I'm Canadian, so I don't know for sure how this is for the US, but up here, if you work for the government, your government department is already going to have a lot of your personal information. While it's not required for all public service jobs, some positions require you to get at least a minimal security clearance, and depending on how high a clearance you need to get, you might get fingerprinted. The only thing new here is that they're encoding all that digitally onto your staff ID card.

    It should be ridiculously easy to avoid getting one of these cards: Just don't apply for a government job.

  5. Re:Why store them on the card? by Agelmar · · Score: 5, Insightful

    You're missing the fact that the biometric data (actually, likely all data on the card) is signed. Think of it this way:

    The issuer of the card has a certificate issued for that purpose. When the card issuer creates your card, they store your biometric information and a signature of that information on the card. If anyone tries to change the biometric information, the signature is no longer valid. Assuming that the certificate uses strong encryption and that the private part of the certificate's signing key is protected (which are both reasonable assumptions), then the data integrity is ensured.

    This makes a lot of practical sense. If you want to pull everything from a centralized database, then your readers all have to be networked. This means that each reader next to every door in the building must be networked, and while that's fine for many situations, in some areas it's not practical. With the signed data on the card, the user can present their card which contains their biometrics and access credentials, the reader can verify this locally, and then act accordingly. Of course you still need to have a way to publish the root certificate and CRLs from time to time, but it does give you more flexibility.
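
An added example (not from the thread or from NIST) of the offline check the comment above describes: the issuer signs the template at enrollment, and a door reader verifies it using only a locally held issuer key and a cached revocation list. Ed25519, the `Card` and `Reader` types, and revocation by signer ID are assumptions standing in for the card's actual certificate, CBEFF record and CRLs.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Card is a constructed stand-in for the signed record, not the CBEFF layout.
type Card struct {
	SignerID            string // names the issuer key that signed this card
	Template, Signature []byte // minutia template and issuer signature over it
}

// Reader is the door's local state: trusted issuer keys and a cached revocation list.
type Reader struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

var ErrSigner = errors.New("signer unknown or revoked")
var ErrTampered = errors.New("template does not match issuer signature")

func NewIssuer(id string) (Reader, ed25519.PrivateKey) { // demo setup only
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	return Reader{map[string]ed25519.PublicKey{id: pub}, map[string]bool{}}, priv
}

// Issue signs the template at enrollment; only the issuer holds priv.
func Issue(id string, priv ed25519.PrivateKey, tmpl []byte) Card {
	return Card{SignerID: id, Template: tmpl, Signature: ed25519.Sign(priv, tmpl)}
}

// Verify is what runs at the door, using only data on the card and in the reader.
func (r Reader) Verify(c Card) error {
	pub, ok := r.Trusted[c.SignerID]
	if !ok || r.Revoked[c.SignerID] {
		return ErrSigner
	}
	if !ed25519.Verify(pub, c.Template, c.Signature) {
		return ErrTampered
	}
	return nil
}

func main() {
	r, priv := NewIssuer("issuer-1")
	card := Issue("issuer-1", priv, []byte("constructed template bytes"))
	card.Template[0] ^= 1 // flip one bit of the stored template
	fmt.Println("tampered card:", r.Verify(card))
}
```

The signature shows only that the issuer produced this template unchanged; whether the person holding the card matches it is a separate comparison against a live fingerprint at the reader.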

  6. Minutia Templates by Epicyon · · Score: 5, Informative
    What is being stored is the mathematical representation of the fingerprint, not an image of the fingerprint itself.

    It is not possible to recreate the image of a fingerprint from the template.

  7. Project website by Midnight+Warrior · · Score: 4, Informative

    For those seeking to follow the actual PIV program for federal employees/contractors, check out their home page.

  8. Re:No thank you by drDugan · · Score: 4, Insightful

    Just don't apply for a government job

    Sorry, it's not that easy. Two problems with this. First, the class of workers that work for/in the gov't is a huge group, and we have every reason to believe that this class will grow in size.

    Second, you run a slippery slope accepting things you disagree with, even if they don't affect you personally. If it's OK for gov't workers, next it will be OK for everyone. Next everyone will need a biometric ID to use a bank, or travel. Next if you have an outstanding issue with the government, -- oops, no money, can't travel, you're outta-luck buddy. Next Canada will say -- it's OK in the US, we should do that here. etc etc etc...