In January, I wrote about the DHS new biometric ID cards. And in April I pointed to an EPIC analysis of the card.
In May, Phil Libin wrote a rather flawed commentary on the EPIC analysis on CNet.
We wrote a response.
Edited to add: Liben responded to our response.
James Mastros • June 8, 2005 12:29 PM
Don’t forget that “one in a million” means that there are 296 other Americans that show up the same as me, plus another 6,150 in the rest of the world.
Erik Carlseen • June 8, 2005 1:55 PM
It seems to me that it is difficult to concretely debate the security of the RFID portion of the card until the details on encryption, key exchanges, etc. are available. Of course, considering the parties involved (the gubment, its contractors, and the procurement processes twixt which they meet), it’s probably safe to assume the worst.
Severe criticism should be directed at CNet for not disclosing the fact that CoreStreet (of which Mr. Libin is president) makes access control devices based on fingerprint and PIN technologies – the very ones that he is defending in his piece.
Xavier Ashe • June 8, 2005 4:43 PM
It seems to me that it is difficult to concretely debate the security of the RFID portion of the card until the details on encryption, key exchanges, etc. are available.
Not really… most information security mechanisms have a life and a death. Some die quickly like WEP, others become outdated like DES and have a slow death. You have to have some way of updating the technology. I currently get a new drivers license every 6 years, but have had 3 different Wi-Fi products in the last two. The infrastructure supporting the technology is more important than the technology it’s self. That why we need to show the decision makers that no matter what technology they choose, it will die sooner or later and will need to be replaced. They need to plan for that now.
Filias Cupio • June 8, 2005 5:47 PM
@James:
Looking at it the other way: if 300 other Americans have the same BioID as you, and you can find out who they are, then you can choose which one is most advantageous to you to impersonate.
One in a billion is still bad: Any individual has about 30% chance of there being someone sharing their BioID. If they find out who it is, they have the option of impersonating them. One in a trillion or better sounds reasonable to me.
(It makes a big difference whether the system uses the biometric as identification, or just as verification. If you put your finger on a scanner somewhere and it says who you are, it becomes very easy to find out who shares your BioID. If you tell it who you are, and it checks your BioID to see whether you are lying, it is much harder – probably requires an insider who can scan the entire database.)
Changing topic: How to fingerprint hashes allow for variability in reading conditions? Any system mapping from a continuous space (finger print) to a discrete space (hashes) must have discontinuities. In the case of secure hashes, you can’t easily tell if two hashes represent points which are close together in fingerprint space.
I.e. two readings of your fingerprint could result in two different hashes, with no easy way for the system to know that they are ‘almost’ the same.
To me, the obvious answer is, when taking the reference print, apply a set of slight distortions to it, and take the hash of each one. Store the set, and later if a reader sends any of the stored hashes, accept this as a match. Is this how it is done? (Of course, now we have a false-positive vs false-negative trade-off on how many hashes we accept as being a match.)
Anonymous • June 8, 2005 10:06 PM
I’ve been reading the FIPS201 documents, and I think some wrong assumptions have been made.
Pointing out a flaw discovered by Johns Hopkins University and RSA Laboratories in a RFID device that has 40-bit proprietary encryption does not mean an ISO 7816 (contact only) smartcard using RSA-1024 has the same flaw.
If you read the FIPS 201 document, there are two types of interfaces, contact and contactless. The contactless interface only provides “SOME??? confidence of identity. A photo ID provides the same confidence as a contactless smart card. In other words, its main advantage is that a guard doesn’t have to be present. The card itself is “good enough??? for minimum security systems. Biometrics are only used in HIGH security systems, with contact cards, and never contactless. I know of no way to “steal??? the biometric information using the contactless interface. That data cannot be transmitted given the specifications of the interface.
There is also talk of error rates with biometrics. The biometric information on the card is first of all signed using PKI, so it can’t be modified. Second, the information can only be accessed once the PIN is used. If the wrong PIN is used too often, the card locks up. So for someone to misuse the card, they must (1) have the card, (2) have the same biometrics as the original owner of the card, and (3) must know the PIN. In addition, the attacker may have to know an additional key just to access the card.
For someone to “steal??? biometrics, they must meet all four conditions.
It would be far easier to steal fingerprints and photographs without using the card, but that by itself will not let you gain access to private keys stored in the card.
Arturo Quirantes • June 9, 2005 2:40 AM
One of the things that puzzles me is, where has it been proved that all fingerprints are equal, and therefore a good biometric?
IIRC, the largest test ever made was on 50.000 fingerprints for different invididuals. Not surprisingly, only a given fingerprint is equals to itself. But no comparisons were made with a) fingerprints from other fingers belonging to the same people, or b) different fingerprints made from the same finger.
So we don’t know really if my own fingerprints are more similar to each other than any other fingerprint. Moreover, what is appliccable to 50.000 fingerprints may not be scalable to a database ranging in the tens of millions.
Does anybody know about any large-scale tests ever made on this subjects (including the 50.000 fingerprints one, for which I do not have the reference)?
Maybe fingerprints are not distinctive anyway, and the C.S.I’ s “100% match” computer screens get them to grab the bad guy only by chance…
Joachim • June 9, 2005 6:07 AM
Aloha!
@Arthuro: The problem is that you can not be certain that the template stored in the ID for you macthes your own finger.
The reason for this is template aging. Template aging is a term for the fact that your fingerprint (the one on your finger) changes over time. This happens to all of us more or less rapidly. For most of us, having the fingerprint change enough to have problems matching the template takes years.
But, depending on what people do to their poor fingers, but also due to genetics some people will have their fingeprint change rapidly. Months rather than years.
Also, there is a fraction of the population (some percentage) that have such weak fingerprints that creating a distinct template and reading their fingerprint with a sensor is basically impossible. What will happen to this group with the new ID?
Finally, in Europe the new passports should contain biometric information. Things talked about are facial features, but also fingerprints. What I’m curious about is what will happen when (a) the pictory show that it’s you, the facial biometrics says that it’s you, but the fingperprint says that you’re not? Sounds like the stage for confusion and problems at customs.
What scares me are that the politicians I’ve talked to are not at all aware of the problems associated with biometrics (template aging etc), they belive that biometrics are basically a foolproof way of extending security in passports. Probably because the companies selling the systems forget to talk about the problems. And politicians whatch CSI too. 😉
Clive Robinson • June 9, 2005 7:41 AM
@Arturo Quirantes
I am not sure accademic records are kept about the occurance of similar Fingerprints (I have not seen any published data).
Trying to deduce the information might also be difficult. The reasons being that identification and cataloguing are different (almost) unrelated excercises, and it’s possible that fingerprints are out of the scene time line, imported on objects or even fake.
For a positive identification to be made an “expert” has to view the partial / finger print recovered at the scene and then compare it to a (suposedly) good copy of the suspects actual print (this would be like having the image of the print stored on the Bio Card compared to the real finger on the scanner).
For cataloguing, various prominent features of the fingerprint are entered into a database (this was once done by experts but is now being automated).
Likewise the scene fingerprint is coded and a search run, the DB returns likley matches (this is like storing a hash of the fingerprint on the ID card then rehashing the real finger on the scanner and making a comparison with the hash).
The likley matches should then be (if possible) positivly identified prior to the fingerprint becoming considered for evidence (this would not be possible if the ID card only stores a hash).
I have been told that it is not unknown to get hundreds of likley matches on a partial scene fingerprint (not surprising). Also that likley matches can often be substantialy different when viewed for positive identification (again not surprising, one expert might consider a feature more prominant than another).
There have been a number of cases where “positive identification” has not obtained a conviction. Usually this is due to the accused being able to prove beyond doubt that they could not have been at the scene at the time required.
The problem with this is it does not rule out a valid fingerprint left at the scene at some other time or imported on an object, so does not argue the case for similarity between positivly identified fingerprints.
It also does not rule out faked fingerprints the ability to do this was mentioned many years ago in a Sherlock Holmes story.
I have made fake fingerprints when I was a youngster (over a quater of a centry ago 😉 with,
1, the red wax from Edam Cheese (for the mold)
2, Rubber Solution glue (for the fake skin)
3, light machine oil (as the mold release)
4,a pair of surgical rubber gloves to bond the fake skin fingerprint to.
5, A little chicken fat to make the print
You also need the finger of the person whose print you are going to fake to take an impression with the wax.
From this you can see the technology to make fake fingerprints is not rocket science and can be done by the kid next door if given the right idea and access to the fingers of the “identity victim”.
Also see past Cryptogram and “Gummy Fingers” where a Prof. worked out a way using PhotoShop and UV PhotEtch Printed circuit board material to make a mold from the photo of a fingerprint.
So you have several problems that are going to cloud the issue of finding out how many fingerprints (or parts) are similar in the real world.
Likewise DNA BioID may suffer from the same issues. The curent method of DNA comparison is to,
1, get a DNA sample
2, chop it up into short lengths with enzimes
3, produce millions of copies from the choped up pieces
You do this for both the scene DNA and the suspects DNA. You then make the comparison. On the face of it it’s easy to belive the 4 billion to 1 or whatever the latest figure is that is quoted.
There are two problems with this, The first is are the arguments about the probability correct, the second is is it possible to fake somebodies DNA so the above test is positive for your identity victim.
In the early days the FBI kept a DB of DNA which was made available to accademics, there where reported cases of “duplictes” this was put down at the time to “data entry errors”. Also there was a story doing the rounds that DNA from an Amoznian Indian gave a positive match against an entry in the FBI DB.
So there may be a question as to what the probability realy is of a match after the test (ie is the test used responsible for duplicates). Only when a very large number of people have been tested can we start getting an answer to this.
The second problem is “can you fake somebodies DNA”, the answer to this depends on who you ask and how you ask them the question.
Usually you are told “It is not currently possible to clone human DNA in a meaningfull way”, which indicates a fluffed answer to a fluffed question.
If you asked, “If I had somebodies DNA and I know what enzimes and replication methods are used for the DNA testing by the Lab, can I use the same enzimes and replication to produce vast quantities of their DNA strands”. The answer to this question is usually yes.
If you then ask, “Are the strands stable with regard to time and temprature and other environmental factors if suspended in an apropriate solution” you will get a quite complex answer which varies upon who you ask, but is often yes with conditions.
If you then ask “If a small quantity of this replicated solution is accedently present when the Lab performs the test on the scene DNA is it going to effect the result”. Again the answer is usually yes.
If you then ask “If there was no compleate DNA present in the test, just the strands would the test show positive for the person whose DNA you replicated and put into suspension” You usually get a strange look on the persons face and a fluffed answer.
I have not seen any published papers on this so it’s possible that nobody has actually done any significant reseaurch yet. I susspect that if they did the answer would come back with a very qualified “Yes it’s possible to fake a positive test using somebodies replicated DNA”
clive robinson • June 9, 2005 9:04 AM
William Nuti of Symbol technologies, has been interviewed by Zdnet about his aim to fix the public perception of RFIDs
http://insight.zdnet.co.uk/communications/wireless/0,39020430,39201788,00.htm
He says (amongst other things),
“The key issue is one of education. When people understand how the technology works, they will no longer have a concern about privacy.”
“I actually think that a lot of education needs to be done on a worldwide basis with regard to RFID, because an RFID tag is nothing more than a talking barcode. It’s a serial number identifier that’s transmitted, and nothing more than that. So, there isn’t any risk of a privacy breach when all you’re receiving is a unique identifier,”
Ouch.
He does not go on to say that if every item you wear has it’s own unique identifier and the purchase was made on a Credit Card and that information has been recorded against one or more of the tags then you are positivly identified to every RFID reader you pass…
He then goes on to say,
“I spend a good amount of time educating world leaders in Washington DC, and around the world on RFID — the technology and why there shouldn’t be any concern with privacy.
”
I never knew that a sales pitch was education…
Ari Heikkinen • June 10, 2005 8:49 PM
And ofcourse this new card will use RF (sigh). When it comes to RF the first question people should ask is “is RF absolutely required for this application?”. If the answer is no, then it makes absolutely no sense to use it. Using RF where it’s not required and arguing that encryption will solve the security problems is like building a shooting range alongside a busy sidewalk and giving people who walk there bullet proof vests to protect them from getting accidentally shot.
Jerry • December 19, 2005 4:52 PM
The comments on DNA analysis posted by Clive Robinson at June 9, 2005 07:41 AM make too many unusual assumptions to simply be taken at face value. First, no one is seriously considering using DNA as a biometric for daily use in the near future. Equipment and chemicals aside, the analysis would take way too long for e.g. door entry. (This discussion started out with security, not crime evidence.)
Second, no one would be able to fool a forensic expert by faking a normal human DNA sample using laboratory equipment. A “DNA sample” is really DNA extracted from blood, semen, skin, etc. left at a crime scene. All of the questions leading to that scenario indicate a less than complete understanding of crime scene data collection. There’s a lot more to forensic and genetic science than you see in 4 minutes on an episode of CSI.
Third, a crime lab is not going to sequence all of the DNA in a sample left at a crime scene. That takes too long and costs too much. What they do is match several specific highly variable regions of human DNA. That is the main reason why the odds are only millions to one, not a perfect match. This is good enough to rule out as suspects individuals who do not match but not enough to ensure conviction based upon DNA evidence alone. No one who understand genetics would argue for DNA evidence as the sole piece of data.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Clive Robinson • June 8, 2005 12:08 PM
National ID cards are going to be like WEP again…
The problem is you can’t throw away your Bio ID because sombody has found out what it is…
I would be interested to see what the rate of coincidence is on any of the BioID systems, I suspect that it is certainly going to be less than 1:1000000 unless the systems are properly implemented (and they rarely are).