Wes Kussmaul

Wes Kussmaul RSS Feed

 1273 Main Street
Waltham, MA 02451
USA
781-373-1723
Chief Executive Officer
Village.com
http://www.village.com/
  weblog bio interview articles Ask Wes  

Home » Experts » Wes Kussmaul's Weblog » Your fingerprint cannot be stolen

 

579

July 23, 2006

Your fingerprint cannot be stolen

...if a biometric access control system is done right, that is. Most, however, are done wrong. A big part of the reason is that very few people - journalists included - have been exposed to the right way to do biometric access control, as witness this article with a common theme:

http://www.zdnetasia.com/toolkits/0,39047352,39376855-39094240p,00.htm

Never allow your fingerprint - or iris or retina image for that matter - to be sent over a communication line.

Of course most biometric access control systems do just that. Your precious identitfying information - which, unlike a password, cannot be changed if it is compromised - is sent over networks to be matched with biometric records in a database. If the image of your fingerprint or eyeball is stolen in that process, you're hosed.

So what's the right way to do biometrics?


How does one construct a biometric access control system in such a way that unique personal imagery cannot be stolen?

Let's look at how Tabelio does it.

First, put the biometric reader - fingerprint in the case of Tabelio - onto a token which you own and carry in your pocket.

Second, put a processor in that token, so that the matching of your fingerprint with the "database" in the token - a database of one image - is done on the token itself. The image of your finger never leaves the token.

How then does the token communicate your identity to the server or PC that needs to know? That's the third important ingredient: PKI. You'll recall that in a PKI system, every identified entity gets a pair of "keys" or numbers that are mathematically related to each other -- they're used to make and solve puzzles. Specifically, any puzzle that was made using one of the keys can only be solved using the other key in the pair. We arbitrarily choose one of the two keys to be your public key and the other to be your private key. As the name implies, you can give your public key out freely. Publish it on your website, put it into directories, share it freely with all your friends and colleagues.

The private key, as you might guess, must be kept secret. We suggest that you put it into that token, with any backups put on a CD and kept in a bank vault or in a safe under your floorboards.

For practical reasons many find that they must keep their private keys on their hard drives. Oh, let us quickly find a way to dispense with that very ill-advised practice. An unknown number of the PCs in this world that are protected using best practices are in fact wide open to the mysterious owners of botnets.

So we have confined our private key in our token, whose operating system is quite brain dead: it only knows how to drive its hardwired fingerprint reader, compare its output with a database of precisely one fingerprint, issue a yes-or-no verdict; and if that verdict is "yes" then allow the private key to be used to solve the puzzle; and send the solution to the puzzle back to the querying party. There are no APIs for this operating system, no fancy doodads that can be subverted by an attacker. Its job description is like that of an elevator operator.

So you start to see how these three elements - fingerprint reader on token, fingerprint-comparing processor inside token, and PKI - allow you to present your fingerprint to be used to unequivocally establish that you are the person they seek, while at the same time providing no means for anyone to capture that fingerprint.

You can do the same with an iris scanner, although at present they tend to require a lot more electric power than fingerprint readers and so an iris scan token tends to be a rather bulky design. Also, it takes some dexterity on the part of the user to get a good iris scan. Expect these problems to be solved in the next few years.

Here's another reason for doing it this way: systems that rely upon comparing the fingerprint or iris of the user with a database of thousands or millions of others just do not work. Vendors of such systems depend upon naive government and healthcare customers for their livelihood.

PKI on the other hand works. In fact the purported difficulty of deploying PKI is due almost entirely to the fact that it works. You can't fudge PKI. If it's properly architected it works beautifully. But that requires the architect to exercise real architectural skills, which means more than knowing what software connects to what hardware or other software.

Posted on July 23, 2006 at 04:14 PM

 


TRACKBACK

TrackBack URL for this entry:

 

Village.com

Kolabora Live! Calendar of Events

Powered by RobinGood's Master New Media Home News Radars Tools Reviews How To Experts About Privacy Contact