[10821] in cryptography@c2.net mail archive


[Fwd: c't: unsupervised biometric scanners more toys than serious

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri May 31 11:44:11 2002

Date: Thu, 30 May 2002 11:02:28 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Cryptography <cryptography@wasabisystems.com>

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

To: ukcrypto@chiark.greenend.org.uk
Subject: c't: unsupervised biometric scanners more toys than serious security measures
In-reply-to: Your message of "Mon, 20 May 2002 09:18:39 PDT."
             <92456F6B84D1324C943905BEEAE0278E01341071@RED-MSG-10.redmond.corp.microsoft.com> 
Date: Wed, 29 May 2002 19:16:20 +0100
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
Message-Id: <E17D7zg-0007Zc-00@wisbech.cl.cam.ac.uk>

An even more fatal blow to off-the-shelf *unsupervised* biometric
identification products was given recently by three authors in an
article in the well-respected German computer magazine c't:

  Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler: Körperkontrolle --
  Biometrische Zugangssicherungen auf die Probe gestellt.  c't 11/2002,
  Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.

An online English translation is now available on

  http://heise.de/ct/english/02/11/114/

The team tested:

  - six products involving capacitive fingerprint scanners
    (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)

  - two optical (Cherry, Identix) fingerprint scanners

  - one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 sensor)

  - Authenticam by Panasonic

  - an iris scanner that is currently being marketed in the USA
    and is scheduled to enter the European market in the near future

  - FaceVACS-Logon, a technical solution for recognizing faces
    developed by the Dresdner Cognitec AG

The authors "were able, aided by comparatively simple means, to outwit
all the systems tested" and concluded that "the products in the versions
made available to us were more of the nature of toys than of serious
security measures" and that "business should not treat the security
needs of its customers quite so thoughtlessly".

It is worth stressing that none of the deception techniques used are
really applicable in a *supervised* two-factor application, for example
where a border control or social benefits officer watches someone using
the finger or iris scanner in order to confirm the identity information
stored in a presented smartcard. The relevance of these attacks to the
discussion about the use of biometric features in a national identity
infrastructure is unfortunately sometimes misrepresented. I am still
convinced that both iris scanning and fingerprint recognition in a
*supervised* scan can be made easily several orders of magnitude more
reliable than human photo/face comparisons.

What currently marketed sensors lack is a really robust detection
technique for whether the detected signal comes from live human tissue,
and this still looks very much like an open research problem. Parts of
suitable solutions might be:

 - tests of various involuntary reactions that require significant
   effort to simulate, for example, is the iris pattern deforming
   correctly when the pupils contract because of illumination?

 - test whether the body part is functional, i.e. can the fingerprint
   be detected from a finger that is typing fluently on a keyboard
   or can the pupil inside the contracting iris read text at the same
   time?

 - is it possible to build low-cost spectrographic cameras/scanners that
   can distinguish materials and tissues by using hundreds instead of
   just three (red/green/blue) wavelength bands, etc.

Markus

-- 
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org,  WWW: <http://www.cl.cam.ac.uk/~mgk25/>



