
Re: [Speechsc] stealing biometric tokens

Judith Markowitz <judith at jmarkowitz.com>
Sat, 19 Jul 2008 11:52:12 -0500

Hi Bill, 
The attached article presents the picture in about as simplistic and naïve a
way as possible. Consequently, it leads the reader to false conclusions. 

Biometrics can be faked (called "spoofing") but it is generally not a
trivial process and, in most cases, it is done with the raw biometric data.
That is, fingerprint or face (etc.) images and voice recordings. It is much
harder to re-engineer a biometric model/template, although that is not
impossible. 

There are a number of ways to capture raw biometrics. The best way is to
hack a database that stores them. Other methods involve capture at the
sensor and on the transmission channel.  

If you look at these approaches to capturing biometrics you can easily see a
theme: security. You also see that the security that is needed (and too
often missing) has nothing really to do with biometrics itself. It is the
same kind of security that is missing for PIN and password systems. So, it
doesn't really help much to have multi-factor authentication if all of them
are captured in transit or stolen from a hacked database.

In short, if government and private industry would take the time and spend
the money to secure their networks, databases, and other systems, many of
these threats would be eliminated. That's why the data interchange format
that I'm working on with the American National Standards Institute includes
encryption and supports other security. 

Judith Markowitz
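As an added illustration, not part of Judith's message or of any system she describes, the following Python sketch puts the two points above into code: the server keeps only a feature template derived from the raw sample, and the channel that carries a live sample has its own integrity and replay protection, so a submission captured in transit is rejected if re-sent. The feature extractor, the HMAC scheme, the match threshold, the freshness window and the sample vectors are all constructed assumptions for the example and stand in for whatever a real speaker- or fingerprint-verification system would use.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed stand-ins for raw biometric captures (a real system would hold
# audio or images). The raw sample is used once, for feature extraction,
# and is never stored or sent.
ENROLL_SAMPLE = [0.9, 0.1, 0.4, 0.8, 0.3, 0.7]
LIVE_SAMPLE = [0.85, 0.15, 0.45, 0.75, 0.35, 0.65]   # same person, fresh capture
OTHER_SAMPLE = [0.1, 0.9, 0.8, 0.2, 0.9, 0.1]        # a different person

MATCH_THRESHOLD = 0.95   # assumed operating point for the toy matcher
MAX_CLOCK_SKEW = 30      # seconds; assumed freshness window

def extract_features(raw):
    """Hypothetical feature extractor: L2-normalise the raw vector.
    Stands in for a real model; the template is derived from the raw
    sample and is all the server keeps."""
    norm = math.sqrt(sum(x * x for x in raw)) or 1.0
    return [x / norm for x in raw]

def similarity(a, b):
    """Cosine similarity of two normalised feature vectors (1.0 = identical)."""
    return sum(x * y for x, y in zip(a, b))

def submission_mac(key, user_id, features, nonce, ts):
    """HMAC-SHA256 over everything the server will act on, so a message
    altered or forged without the channel key is detected."""
    feats = ",".join(f"{x:.6f}" for x in features)
    body = f"{user_id}|{feats}|{nonce}|{ts}".encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def build_submission(key, user_id, raw_sample, ts=None):
    """Client side: extract features from the live capture, then bind them
    to a fresh nonce and timestamp under the channel key."""
    features = extract_features(raw_sample)
    nonce = secrets.token_hex(8)
    ts = int(time.time()) if ts is None else ts
    return {"features": features, "nonce": nonce, "ts": ts,
            "mac": submission_mac(key, user_id, features, nonce, ts)}

class VerificationServer:
    """Stores templates, not raw samples, and checks channel integrity and
    freshness before it does any biometric matching."""

    def __init__(self, channel_key):
        self.channel_key = channel_key
        self.templates = {}        # user_id -> feature template
        self.seen_nonces = set()   # replay protection

    def enroll(self, user_id, raw_sample):
        self.templates[user_id] = extract_features(raw_sample)

    def verify(self, user_id, msg):
        """Return (accepted, reason) for one submission."""
        # 1. Integrity: reject anything not produced under the channel key.
        expected = submission_mac(self.channel_key, user_id, msg["features"],
                                  msg["nonce"], msg["ts"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. Freshness: a submission captured on the wire cannot be re-sent
        #    later (stale timestamp) or re-sent at all (nonce already seen).
        if abs(int(time.time()) - msg["ts"]) > MAX_CLOCK_SKEW:
            return False, "stale"
        if msg["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(msg["nonce"])
        # 3. Only now compare the live features with the stored template.
        template = self.templates.get(user_id)
        if template is None:
            return False, "unknown user"
        score = similarity(template, msg["features"])
        return score >= MATCH_THRESHOLD, f"score={score:.3f}"

if __name__ == "__main__":
    key = b"constructed-channel-key"
    server = VerificationServer(key)
    server.enroll("alice", ENROLL_SAMPLE)
    first = build_submission(key, "alice", LIVE_SAMPLE)
    print(server.verify("alice", first))   # (True, 'score=0.997')
    print(server.verify("alice", first))   # (False, 'replay'): same capture re-sent
    print(server.verify("alice", build_submission(key, "alice", OTHER_SAMPLE)))
    # (False, 'score=0.443'): a valid channel message from the wrong person
```

The order of the checks is the design point: the MAC and nonce are verified before any matching is attempted, so the matcher never sees a forged or replayed message, and a leak of the template store yields normalised feature vectors rather than recordings or images. A production system would additionally encrypt the templates at rest and run the channel over TLS; both are outside the scope of this sketch.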

-----Original Message-----
From: speechsc-bounces at ietf.org [mailto:speechsc-bounces at ietf.org] On Behalf
Of William Meisel
Sent: Thursday, July 17, 2008 10:15 PM
To: Eric Burger; speechsc at ietf.org
Subject: Re: [Speechsc] Just to see if anyone is still out there

Am I missing something, or does the linked article (and the referenced
professor) simply misunderstand biometric ID? Having the biometric token (a
fingerprint is the example) should neither allow the thief to recreate the
fingerprint (assuming it is features of the fingerprint that are
encoded--hopefully without announcing what each feature is) nor allow the
thief to access the system, since they would need to have the finger (not
the token) to do so. It would not be necessary for the individual to
reenroll a new finger.

The same is true of speaker authentication.

-- Bill 

Bill Meisel
President, TMA Associates
Publisher & Editor, Speech Strategy News
(818)708-0962
www.tmaa.com

> From: Eric Burger <eburger at standardstrack.com>
> Date: Thu, 17 Jul 2008 08:07:08 -0400
> To: <speechsc at ietf.org>
> Subject: [Speechsc] Just to see if anyone is still out there
> 
> For the folks who care about biometrics:
>
> http://www.networkworld.com/newsletters/sec/2008/071408sec1.html?nlhtsecstrat=ts_071508&nladname=071508securitystrategiesal
> _______________________________________________
> Speechsc mailing list
> Speechsc at ietf.org
> https://www.ietf.org/mailman/listinfo/speechsc
> Supplemental web site:
> <http://www.standardstrack.com/ietf/speechsc>

