Another Biometric: Vein Patterns

Interesting:

In fact, vein recognition technology has one fundamental advantage over finger print systems: vein patterns in fingers and palms are biometric characteristics that are not left behind unintentionally in every-day activities. In tests conducted by heise, even extreme close-ups of a palm taken with a digital camera, whose RAW format can be filtered systematically to emphasize the near-infrared range, were unable to deliver a clear reproduction of the line pattern. With the transluminance method used by Hitachi it is practically impossible to read out the pattern unnoticed with today's technology. Another side effect of near-infrared imaging also has relevance to security: vein patterns of inanimate bodily parts become useless after few minutes, due to the increasing deoxidisation of the tissue. Even if someone manages to obtain a person's vein pattern, there is no known method for creating a functioning dummy, as is the case for finger prints, where this can be achieved even with home-made tools, as demonstrated by the german computer magazine c't. As in the case with vendors of finger print systems, Hitachi and Fujitsu do not disclose information on liveness detection methods used in their products.

Besides the considerably improved forgery protection, the vendors of vein recognition technology claim further advantages. Compared to finger print sensors, vein recognition systems are said to deliver false rejection rates (FRR) two orders below that of finger print systems when operating at a comparable false acceptance rate (FAR). This can be ascribed to the basic structure of vein patterns having a much higher degree of variability than finger prints.

This is all interesting. I don't know about the details of the technology, but the discussions of false positives, false negatives, and forgeability are the right ones to have. Remember, though, that while biometrics are an effective security technology, they're not a panacea.

Posted on August 8, 2007 at 7:02 AM • 32 Comments

Comments

KiloAugust 8, 2007 7:27 AM

Surely the location and path of veins moves with muscle mass.
Then again, what's the probability you'll be scanning someone who exercises ? 1 in 200?
Perfect for today's obese society.

JakeSAugust 8, 2007 7:44 AM

Bruce is right: the discussions are the right ones to have ... except that the assumption behind the whole concept is not discussed. The assumption is that your vein patterns are unique, and not only unique, but so different from everyone else's that vein recognition technology can reliably distinguish your vein patterns from those of every one of the other 7 billion people. What evidence is there to support that assumption?

MikeAugust 8, 2007 8:51 AM

Dakota State University where I am getting my masters in Information Assurance, use both iris and vein recognition biometrics. However, the vein recognition system is a two factor authentication system: the vein patterns and a code. I personally think that two factor authentication is much better. It helps eliminate false positive readings.

Mr. MikeAugust 8, 2007 8:59 AM

The question is not the biometric. Even if is the most perfect system on earth, it is nothing but a unique key for a database. How do you ensure the integrity of the database? What does one do if there is an error, corruption, or deliberate tampering of the records? That's the white elephant in the room that is ignored when one talks biometrics.

Also, the sensor does nothing but reduce the pattern down to 1's and 0's. If you can capture that pattern, you can then bypass or modify the sensor and replay it down the line. It requires a bit more sophistication, but can be done. It is not any more difficult than side-channel attacks on cryptographic systems that we hear about today. Yes, it is an attack at the hardware level, but it is still an attack method.

Jarrod FratesAugust 8, 2007 9:06 AM

I thought there was already a fingerprint reader that supplemented its detection mechanism with the locations of the two arteries in the finger being scanned. It was touted as the most difficult to defeat, as it used the fingerprint, artery position, and temperature to minimize the chances of a detached or artificial finger being used. I think it was mentioned about he same time as the students from Europe were proving the gelatin fingertip method of duplication. I'll have to see if I can find it.

miwAugust 8, 2007 9:07 AM

The detection relies on the scattering of light. A suitably etched mirror/reflector should be able to produce a comparable image on the detector. So the no forgery claim seems a bit strong.

Grant GouldAugust 8, 2007 9:09 AM

Plus, after reading the veins in your palm, it can tell you your fortune! Surely palmistry fits into your general preference for behavioural profiling, right? "Your life line looks short -- perhaps you're a suicide bomber?"

BravoAugust 8, 2007 9:15 AM

My veins sit quite high to the surface (like bodybuilders, although I don't lift any weights) and they vary how they look quite regularly. At one extreme they may bulge from my arms, at the other they visible, but not sticking out that far. Would such a system be able to handle such changes?

JakeSAugust 8, 2007 9:18 AM

Mike (not Mr. Mike!) - two-factor authentication, requiring something you've got (your veins) and something you know (your code) is more secure omly if your code is a password that only you know; if your code is like a user-id, which other people could know, then it doesn't count as two-factor authentication.

There are two ways of using biometrics:
Type 1: You simply present your biometric (fingerprint/ veins/ iris/ whatever) to the system and it says "OK, you're Mike, you can go in". This is what you see in films, but it's hardly ever used in the real world because it's much more difficult, and more prone to error, because of the assumption that I mentioned above - that your biometric is unique in the world.
Type 2: You say to the system "I claim to be Mike" and present your biometric, and it says "OK, your biometric matches what I have on file for Mike, you can go in". This is relatively easy because the system has only to compare key points in your biometric with what's on file for you, with a reasonably low (but not zero) probability that someone claiming to be you will fit the comparison points.
Type 2 isn't two-factor authentication unless you say "I claim to be Mike" and present your biometric AND type your secret code.

Ian RingroseAugust 8, 2007 9:29 AM

“The assumption is that your vein patterns are unique, and not only unique, but so different from everyone else's that vein recognition technology can reliably distinguish your vein patterns from those of every one of the other 7 billion people.��?

Maybe, however what you combine it with “something you have��?, e.g. a “chip card��?, or “something you know��?, .e.g. you UserName. So you have to enter your UserName and then it just checks if the vein patterns matches the pattern for that user.

Provided is very hard to FIND someone that has the same vein pattern then any given person, then it may well be good enough.

dragonfrogAugust 8, 2007 10:47 AM

One other assumption that should be, but often isn't, taken for granted in these schemes:

The system that is requesting authentication must be a trusted system all the way to the hardware that's attached to it. If an attacker can unplug the biometric scanner and plug in his own device in its place, the system can be broken.

The device an attacker plugs in could include a biometric logger and/or replayer - you scan your finger, and now the attacker can be you anywhere he can plug in his hardware.

The gadgets shown look like removable devices on a cord, at a guess USB devices. They'd only really work if they were built into a tamper-resistant shell, like the keypad of an ATM.

Another thing that gives me the screaming heebie-jeebies with biometrics - what happens if these things become commonplace? Even suppose I trust my own company's biometric database not to be cracked at any time, and not one of my authenticating systems to have a hardware or software biometric-logger planted on it (which, for the record, I don't). I still know I don't trust every employee's previous N employers to be as secure. If one of those employers (/banks/governments/libraries/futuristic nightclubs) mishandled one of my employees' biometric information, I'm stuck using compromised authenticators to authenticate them with. Even if no one can make a fake vein-pattern, or plug in a compromised biometric reader, they can just bide their time and hang onto the data. Sooner or later either someone on my end will slip up and let them plug in their own biometric replay device, or prop construction techniques will advance.

MikeAugust 8, 2007 10:54 AM

JakeS: You may have a point. I present my biometrics and a "password" that is given to me by the administrator. So perhaps it isn't really two factor by your definition. However, the "password" does help prevent false positives.

greenupAugust 8, 2007 11:10 AM

Finger vein biometric has been up-and-coming for some time, I'm surprised Bruce just now tripped over it. Currently the technology is (of course) expensive, and not widely supported by manufacturers. I think there is only one, (Hitachi) and they currently have a limited number of devices. I've been hoping they'd come up with something in a fob/token/USB format, with smartcard capabilities (certificates; encryption/signing.)(Note to Mr Mike: this kind of device would kill replay attacks, and is inherently two-factor (Have/Am), but could easily be extended to THREE, though typing a password on the computer WOULD be subject to replay.) but I'm guessing that a more likely product (someday) will be a thumbdrive, with encrypted storage, since there is more market appeal for such products.

One of their earlier or prototype devices did "palm vein" authentication, and supposedly had the feature that you didn't have to actually touch it, which from a hygenic standpoint, is fantastic. Doors and security access points are huge disease vectors, allowing The Flu to ravage companies. Hospitals are an even better market, though, as they have even more germ concerns, and higher security issues as well. (particularly with HIPAA)

Another set of points that I think are important: Whether or not vein patterns are absolutely unique across the 7 billion humans available is not sufficient to dismiss this technology. It is much more important to scrutinize the false positive/false negative numbers, because EVEN IF vein patterns are unique, if the device can't reliably identify people, it's worthless. On the flip side, if vein patterns are NOT universally unique, but are Sufficiently unique, it might not matter that there are 5, or even 500 other humans that have the same vein pattern as me, because they {aren't trying to get in the same doors I would want to, aren't claiming to be me before being scanned, holding my fob, ...}

Yes, I know adding multiple-factor identification is muddying the waters of this authentication discussion, but really, even fingerprints are not Universally unique, they are just Sufficiently unique.

EamAugust 8, 2007 12:18 PM

@dragonfrog: I imagine the biometric data could be encrypted in the database. Maybe a SHA hash if the readings are exact, or symmetric encryption based on a password if two-factor authentication is used. I do agree that you're basically hosed if someone installs a vein-logger in the hardware, though.

@Carly Simon: Thanks for writing that song about me.

SnapperooAugust 8, 2007 12:46 PM

I used to work at the Kodak Research Laboratories in Harrow in the UK, and one of my colleagues called Andy Green had a working prototype of a back-of-the-hand vein scanner in 1987.

greenupAugust 8, 2007 1:09 PM

@dragonfrog: there is a way to devise authentication so that you could trust biometric identification systems, but it is unlikely to become popular.

As I suggested in an earlier post, get a smart card fob, with a biometric reader built in. At a door, you would plug in your fob and put your finger on it. Your biometrics would never leave the fob, but be used to enable the smart card part to sign a message sent from the central server, using a private key that also has never left the fob. (generated internally) Your biometrics are never exposed, and even the private key used to actually do the "logging in" is never exposed.

I used to have a java ring that had the capability to generate keypairs with the private key never leaving the device, and I used to think it was stupid because that meant that if the device died, I would forever lose access to anything that was encrypted or accessed using it. The real truth of the matter was that it had the capability of being really secure, and I just needed to work on my backup policies.

Unfortunately, few humans currently need to be that secure, that they carry a biometric reader in their pocket, that functions only as a key. When ideas like this someday come to reality, they will probably be mingled with RFID or thumbdrive or PIM functions that would introduce weaknesses. If the liability structure of credit cards wasn't so messed up, good security like this could revolutionize the industry, because I think it could put the hammer down on fraud. Unfortunately, the technology isn't available at the merchants, who don't get to issue the cards, but have to eat the losses from fraud, and can't charge extra when they do a riskier transaction. (which would encourage consumers to move to more assured payment methods)

dragonfrogAugust 8, 2007 1:29 PM

@FooDoo

I used to know a lady who once brought a ferret from Australia to Canada, undetected, in her blouse. The ferret was neither tranquilized, nor de-musked. Apparently some of her fellow passengers were curious who was wearing the heavy perfume.

She's fairly chesty, and wore a loose blouse. That was the only special measure she took.

TruebloodAugust 8, 2007 2:12 PM

I've looked at an Identica unit at a trade show last year; it reads the vein pattern off the back of your hand. It's fast, and seems as reliable as an HGU in terms of false-negatives.
The only real down side I saw was that I had to place my (rather large) hand in the exact same orientation within the reader for it to read the enrolled portion. If that makes sense.

marcosdumayAugust 8, 2007 2:39 PM

Nice, finaly a biometric system that may recognize me.

I always have problems with fingerprint readers because I have "weak" fingerprints. I have problems with some retina scanners because I use contact lenses (altough retina scanners are expensive, so very few places use them - the good ones even more so).

But, anyway, because those systems simply don't work I've never had problems jumping trough rouletes and asking people to let me in.

Christoph ZurniedenAugust 8, 2007 3:43 PM

> while biometrics are an effective security technology, they're not a panacea.

I doubt that they are an effective security technology in the first place. The numbers of false positives and false negatives are several magnitudes larger in contrast to correctly hashed passwords and hardware keys. Even if you assume the extreme small failure rate (both false positives and negatives) of 7:10^9 (actual number are in the range of 1:10^6 up to 1:10^7 for the best designs in ideal conditions) even a simple MD5-hash has only 1:1.2*10^24.

> [...] vein recognition technology can reliably distinguish your vein patterns from those of every one of the other 7 billion people.

That would be insufficient. These are the seven billions today which is a different set than the seven billions tomorrow. I don't have the necessary birth- and deathtables at hand so I can't give any good assumptions about the number, but it's obvious that any biometrics have a variable that is a function of time and grows exponentially. You can be quite sure that there is noone with you veins today, but what is in twenty years? You can't simply change your biometrics today.
And even if you can change your biometrics tomorrow easily the designs today are based on the unchangability of the biometrics. That means, that biometrics are useless untill they are easily changable _and_ the designer know that _and_ design accordingly. Then and not before are you able to use the "what you are".

CZ

Eric NormanAugust 8, 2007 4:38 PM

I've asked this many times before; I have yet to see it addressed.

What are you going to do if biometric data is compromised?

Chop off and replace someone's fingers? Replace their eyeballs? Bury them since they're now a non-person? What?

greenupAugust 8, 2007 6:45 PM

@Eric Norman, on the topic of "stolen biometric data", I think the best answer is to not make this a single-mode authentication. It's not possible to have "unbreakable security" in the electronic realm any more than in the physical realm; it's a matter of making it difficult enough that it's not worth the hassle.

In the case of this technology, Mallory has to steal the data, then simulate it sufficiently to please the scanner. (and if the scanner is in a public area, possibly having to do so covertly) Alternately, after stealing it, Mallory has to break in to the security system by software or wire clippers, and execute a replay attack with the correct protocol to not trip any other alarms.

Those hoops might be difficult, but will probably get easier if technology like this becomes widespread. Fortunately, the good guys rarely stand still either.

Use multiple factors of identification, so the bad guys are required to simulate or break them all at once.

The way I like is to use a token or fob, so that you can have the the biometric data locally, and it never resides in a huge database where it can be stolen. Have the device communicate with asymmetric cryptography (public/private keypairs) to the security system. For military-grade security, additionally require a pin or passphrase;

All of these things do not prevent an attacker from getting in, they just make it more expensive, difficult, slow, etc, and hopefully if they DO still try to get past all the measures, hopefully an auditing component will catch an irregular pattern of activity after a while.

At some point, breaking all of the measures becomes more difficult than going back to the basics and fooling the basic registration process. Why try to fool the scanner with a fake vein pattern if you can figure out how to get a new fob issued for john doe and sent to a new address?

A lot of this is related to a strange quote I heard lately: "authentication is no longer a binary decision, it's all shades of gray". It sounds horrible, but the more I have considered it, the more it makes sense. 99.999% belief in someone's identity is not 100%. With enough time, money, and other resources, someone could use plastic surgery, private eyes, and other techniques to even replace my wife without my knowing. For a while. It would be easier to replace my grandma; I only talk to her two or three times a year, mostly on the phone. Would emptying my bank account or stealing my corporate secrets (HA! as if I have any) be worth any of those measures? Not even close. The attackers will use a more efficient method like going through my garbage for account numbers, and I don't have to worry about anybody stealing my wife's body and simulating it. (Unless they want to be the most beautiful woman on the planet, that is.)

Nigel SedgwickAugust 9, 2007 2:48 AM

From my past experience, it seems that no biometric ever turns out to be quite as good as the early claims. Despite that, there do seem to be some advantages with vein scans, including not leaving a trail of them behind one in the normal course of living.

The sceptic in me would like some objective evidence as to performance. This should be, for preference, by independent assessors. It certainly should include ROC curves (False Match Rate (FMR) against False Non-Match Rate (FNMR)) and with specified rate (or rates) for Failure to Enrol and for Failure to Acquire.

Does anyone know of any such evaluations for these devices, and links to them?

Best regards

Joe RiceAugust 9, 2007 9:13 AM

The biowatch is the way forward for vein biometrics. I am the originator and inventor of vein biometrics and this is the biometric method I am putting my money on. Biowatches should be available from next year so look out for them.

I invented vein pattern recognition after having my bankcards and identity stolen at Kodak’s Annesley plant in England in 1983.

I originally proposed the biowatch at the 1999 biometric summit in Washington DC but the audience was so wedded to fingerprints and iris patterns and large database techniques that my proposals were spurned and ignored. I was even challenged by a member of the UK home Office party (who appear particularly weeded to large biometric databases) on how could this be so good when she had never heard of it.

Read about my biowatch proposal here:
http://www.biometricwatch.com/BW_41_May_2007/...

My 1999 talk to the Biometric Summit
http://groups.google.com/group/...

The vein pattern home page which I have had hosted at various ISP since 1996
http://homepage.ntlworld.com/joseph.rice/

Nigel SedgwickAugust 9, 2007 11:24 AM

Thanks to Joe Rice for a good set of information along the lines that I was looking for. This is http://www.biometricgroup.com/reports/public/... the International Biometrics Group report from September 2006 (though one has to register to be able to view it).

The first 17 pages give nearly all the useful information, including ROC curves (DET curves). There are other ROC curves (same data organised by equipment) on pages 70, 73 and 77.

The attempt-level Equal Error Rates are (approximately only for Fujitsu): Hitachi 2%; Fujitsu 3%.

Very interestingly, the ranking of performance reverses for the transaction-level performance (I think of 3 measurements, again approximately only for Fujitsu): Hitachi 1.4%; Fujitsu 0.34%.

This latter point makes me suspect Fujitsu use a different multi-presentation fusion algorithm than "best of 3". I have not yet had the opportunity to see if this is explained in the report.

Also of particular interest are the low rates for Failure to Enrol (FtE) and Failure to Acquire (FtA) for vein matching, compared to those rates typically seen for iris recognition and fingerprint recognition. This is a distinct advantage; if equivalent FtE and FtA were obtained for all the biometric modalities, that of vein would certainly obtain a more significant advantage in terms of ROC results.

Best regards

STMAugust 10, 2007 4:26 PM

In fact there are several companies with commercially available Vein Technology products, among them Hitachi & Bionics (finger vein, or FV), Fujitsu (palm vein, PV).

Hitachi's FV technology has an install base on over 30,000 ATMs in Japan, with an additional 80,000 ATMs being converted to use this technology in the near future (70% of all ATMs in Japan), curently handling up to 1 million transactions daily.

The reliability of FV has been established by both its practical use and in lab studies. Hitachi claims to have false positive / false negative stats. of 1/1 million and 8/1 billion, results that place it into the "virtually no false negative/positive" range. As an additional benefit, the rate of “false registration��? (the problem of “peanut-butter sandwich syndrome using finger print technology) is also “very low��? because there is no needed “contact��? with reading surface.

Dirt, muscle structure and surface abnormalities have no bearing on the uniqueness or recognizability of the vein structure.

And it is impossible to capture or replicate an FV image without physical participation and presence of the subject. This is both the value and the liability of vein technology.

Privacy issues can be closely guarded since personal participation to register one's vein image is absolutely necessary. This technology is ideally suited if:

1. Very High level of security is required
2. Participants are all willing subjects

On the other hand, since no high-value vein image database of target subjects exists and non can be created without target subjects' willing participation, the technology's value for National Security is limited.

Consequently, current commercial interest in vein technology in the US appears low.

Of course, as with ANY security system, the data and the network require their own security considerations & review. There is no sense having a 2 ton bank-vault door guarding a chicken-wire enclosure.

But there is no doubt about it, Vein Image technology IS a two ton bank vault door.

Nigel SedgwickAugust 11, 2007 10:25 AM

Having read further into the IBG report referenced in my comment above http://www.schneier.com/blog/archives/2007/08/... it seems the transaction error rates are from a combination of multi-presentational fusion (ie different pictures of the same vein pattern, or iris) and multi-instance fusion (ie pictures of different vein patterns or irises from the same person, eg left and right eye, left and right palm vein pattern, or first and middle finger vein pattern).

It remains interesting, and a matter of technical concern, that improvement from single instance (attempt) to multi-presentational and multi-instance (transaction) for the Hitachi finger vein biometric and the iris scan are significantly worse than the improvement for the Fujitsu palm vein pattern.

For the Hitachi and IrisGuard devices, the transactional FMR/FNMR rates are for the best matching of 3 presentations each of the 2 biometric instances; for Fujitsu, a undisclosed fusion algorithm internal to the device is used. In Appendix A, there are scores for a different fusion algorithm for the Hitachi finger vein patterns; however, this performs worse than for the highest-scoring presentation/instance.

From this, I would deduce that there is scope for better biometric fusion for both the Hitachi and IrisGuard devices, such that the relative ranking of the 3 devices would be the same for the single-instance/presentation attempts and for the multi-instance/presentation transactions.

Best regards

Christoph ZurniedenAugust 11, 2007 2:19 PM

> This technology is ideally suited if:
> 1. Very High level of security is required

That is a very bold statement, but I haven't found any arguments supporting it. An old adage says: Extraordinary statements need extraordinary proof.

> But there is no doubt about it, Vein Image technology IS a two ton bank vault door.

No, it's the chicken-wire. It's good for seperating chicken and foxes if installed correctly but I wouldn't secure the family jewels with it.
OK, it's exagerated and unfair to call the product chicken-wire but I didn't invent that comparison and if the numbers given are correct it is the best product today.

Biometrics have their applications, for example to identify naked (no "what you have") and unconscious or dead (no "what you know") humans (the instruments used to measure biometrics seem to be exclusively developed and tested for humans. Most probably because there cheaper ways to do it for animals (e.g. RFID)).

CZ

amali claraDecember 10, 2012 1:54 AM

hai iam amali clara. And iam doing finger vein recognition as my final year project.. could you please tel me.. in what way the vein structures of people are said to be unique?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..