DHS Biometric ID Cards

The Department of Homeland Security is considering a biometric identification card for transportation workers:

TWIC is a tamper-resistant credential that contains biometric information about the holder which renders the card useless to anyone other than the rightful owner. Using this biometric data, each transportation facility can verify the identity of a worker and help prevent unauthorized individuals from accessing secure areas. Currently, many transportation workers must carry a different identification card for each facility they access. A standard TWIC would improve the flow of commerce by eliminating the need for redundant credentials and streamlining the identity verification process.

I've written extensively about the uses and abuses of biometrics (Beyond Fear, pages 197-200). The short summary is that biometrics are great as a local authentication tool and terrible as a identification tool. For a whole bunch of reasons, this DHS project is a good use of biometrics.

Posted on January 19, 2005 at 8:55 AM • 10 Comments

Comments

JemaleddinJanuary 19, 2005 9:08 AM

Wait, the card just has the biometric information on it? So if you just create a similar card with your own biometric data on it, you can enter any airport you like? Doesn't sound like a good use of biometrics to me.

Why don't they store the biometrics off-site in a database and compare your biometrics to those in the database?

Israel TorresJanuary 19, 2005 9:58 AM

Not only would it contain biometric information it would also contain issuing trust information. In essence each card can be easily tracked and polled for validity and abuse.

Davi OttenheimerJanuary 19, 2005 11:25 AM

Thanks for mentioning this. I have been watching Europe and Britain wrangle with biometric IDs for months (http://www.theregister.co.uk/2005/01/19/browne_biometric_passports/). When you read the news, it's easy to forget that this was all probably started by American deadlines for machine-readable passports with biometric identifiers.

TWIC shows that America is also headed down a similar path domestically. While homeland security usually seems to approach standard-setting initiatives with great caution, the TWIC base (more than 12 million workers) runs the risk of becoming a quiet de facto standard. The sheer scale of spending on this project, and the subsequent install-base of equipment and experience will likely lead local, private sector, and even international groups to adopt the same solution.

So while you say TWIC might be a "good use" of biometrics, would you say it is also a good standard for the future of credentials/identification? Is this the new national ID card for Americans? Or would you call that a poor use of biometrics?

Nigel SedgwickJanuary 19, 2005 3:01 PM

Well, from the press release, there's a lot of high technology in the TWIC, including "magnetic stripe" (or is that strip) and "unique card serial number". However, there is not a mention of "digital signature", or "encryption".

Let's hope this is not the total truth about the underlying technology.

Without a digital signature, forgery of cards' digital contents would be possible, as would substitution of biometric templates. Let's assume digital signatures are there.

Without encryption, and adequate protection of decryption keys, the "infiltrator selection" attacks against the on-card biometric, as described in http://www.camalg.co.uk/pswmoc_040915a/... might well be possible. So let's hope it is better than the ICAO passport standard on these aspects (ie with encryption), and that not a single point-of-access equipment will be stolen and reverse engineered (or otherwise compromised) to obtain the decryption keys. Either that or the selected biometrics are so good that "infiltrator selection" would be impractical.

Then there is protection of the biometrics themselves: would that be fingerprints off beer glasses and a bit of geletine and ingenuity? Or would just a photgraph and some makeup suffice?

Finally, and irrelevantly, is there an automatic check on the Guilloche patterns? If so, what stops them being read with sufficient accuracy to replicate them, using equipment similar to that used to create them in the first place. Or are they there for checking by the highly trained security guards. Or will high-resolution photographs (visible, IR and UV) be taken of all cards for off-line checks?

OK, there is protection against the opportunist, who tries (with limited skill) to forge a card, or obtain access with one lost and found. It also makes attack more difficult for the informed and technically competent, but it does not look so horrendously difficult to me.

Is this protection against the world's best terrorists, or making life difficult for criminals with much more modest aspirations and abilities? Let's hope that DHS management know what they have actually bought!

omeronJanuary 20, 2005 3:14 AM

don't you think that cards holding fingerprint data are a security risk?
once you have the card you have the hashed match and the fingerprint (which is all over the card). all you have to do is to find a way to match the to bits of data. (this is ofcourse very different for any other type of biometrics).

omeronJanuary 20, 2005 3:15 AM

don't you think that cards holding fingerprint data are a security risk?
once you have the card you have the hashed match and the fingerprint (which is all over the card). all you have to do is to find a way to match the to bits of data. (this is ofcourse very different for any other type of biometrics).

David HeiseJanuary 20, 2005 10:41 AM

Now I'm no expert, but it seems to me that any biometric data has to be translated into an electronic form, and in my opinion any electronic form of data (regardless of its complexity) is by comparison to true biological data (i.e. cells, etc) VERY simple. Translating biometric data into electronic data is like saying I'm going to use a 128-bit encryption scheme with only 2-bits. The real solution should be using biology and chemistry completely to check biometric data and have the "biochemical checking organ" simply output an electronic signal (i.e. yes/no). Does a solution like this exist? Not that I know of. Is it possible with today's technology? If it isn't I would think it’s not far away.

David Heise,
Biomedical Engineer/Computer Scientist

g fibichJanuary 29, 2007 2:53 PM

Check out this website for a potential card info. Rush Limbuagh praised it, is it the future? It's called factor 4 and irongate card...

www. mydigitaldefense.com

EarlMarch 10, 2007 3:05 PM

This bio-crap is frightening to me. It puts under complete govt. control. This is but one more phase of setting up us citizens of America to a future dictatorship or a military-police state type of a government. Look at the SSN...when I was young SSN was required when you were old enough to work. We wake up one morning, yeqrs later, and guess what? At birth it is required. Why at birth? Simple....it is a national Govt ID card, so no matter what or where, Big Brother knows where we are and what we are doing...why is it required on job applications, bank contracts and many other thin gs? Why were "we the people" not told or given a chance to voice our opinions about a mandatory SSN at birth, or vote on it? We would have said no and the govt. wouldn't like that. Look at what Germany did before a dictatorship was formed. Look at the countless dictatorship governments around the world...they all have what the U.S. government is going to give us all, whether we like it or not...and that is a National ID Card with everything about our lives, from a littering ticket to credit history will be on it...how many times we were married...how many jobs we might have lost and why...you name it and it will be on the card. How many guns we have...ladies and gents, it will all be on there. This is one of the first things a government has to do to get complete control over it's citizens so we can be put under a police state or dictatorship. No country in the world has went beyond 200 years under a free democratic government...we are past due to have a big change in our type of government Believe me the "New World Government (Order) is coming and it will not be good. Terrorists can make any kind of an ID card that is required by the US, and they won't be stopped because we have a Bio-tech ID Card...but, this is how stupid the US government knows most of us are. The ones of us that can see through all the crap we are being told, haven't got the "numbers" to go to bat and stop the government from doing us in. It takes tens of millions...not millions to control our government.In closing...please do a lot of research with the computor and I will guarantee you, you will be shocked at what you find about our government. Check out the Freedom of Information Act 1 and Freedom of Information Act 2...it will take a lot of reading, but have a dictionary handy so you can look up maand really know what it is talking aboiut. A slight suspicion from Homeland security that you MAY or MIGHT seem suspicious, and they can do the Sneak and Peak,(that is the exact wording) they sneak into your home when you are gone and peek through everything from closets to bank statements to picture albums...it means everything...how many guns...it is all there people. And guess what? Mr Bush didn't let us vote on it...it is all done under the disguise of Homeland Security. Read those tow acts, if you do nothing else. That's all folks...enjoy the research....

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..