Biometric Security

26 April 2018

A lot of projects I am seeing are starting to use biometric elements to secure the system. Biometric credentials are fundamentally different to other credentials because they are not absolute. Many of these projects try to use the biometric in the same way as a password; this is the wrong approach. Hence the refrain “A biometric is your username, not your password.”

A sensor will make a reading, which is then compared with a template, resulting in a measurement of the degree of match. Usernames, passwords and (non-physical) keys are all binary in that they either match exactly or they do not.

Most biometric systems do not directly store the recording of the physical measurement, but a template: a set of characteristics of the biometric. So a fingerprint reader analyses the image of the print and finds a number of unique points or minutiae features, where ridges divide, stop, or have small islands. The template that is stored will be a list of these minutiae and their locations rather than an image.

This means that for a biometric credential there is a level of confidence that the reading is from the same person. When the system is set up we must set the minimum confidence level that we will accept. This is driven by a number of factors.

  1. How often an attempt by the same person is rejected. This is called the False Negative Rate, or False Non-Match Rate (FNMR).
  2. How often the system accepts an attempt by a different person. This is the False Positive Rate, or False Match Rate (FMR).
  3. How many failed attempts we allow before locking the system.

The higher we set the threshold the lower the FMR, but this increases the FNMR, and if we allow a low number of attempts we may lock out legitimate users. But if the threshold is low, then we will be letting in attackers more easily, especially if the number of failed attempts allowed is high.

The Birthday Problem

There is a parlour game where you ask everyone in the room to call out the date (day/month) of their birthday, and if you have about 25 people the odds are better than even that you will find 2 people with the same day. Because there are 365 days in a year we think that a match would need ~150 people. But what we are really asking is the probability of everyone having a different birthday, and that falls quickly as the room fills.

How is this relevant? If we are using a biometric credential, how many templates are we comparing it against for a match? If you are using a fingerprint to unlock a phone or a laptop, you will have at most a couple of your fingers registered. If we are using the biometric to identify an individual from hundreds or thousands, then we quickly get into a Birthday Problem situation. If we are designing a security system it should first identify the individual, and then compare the biometric with that individual’s template.
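The threshold trade-off and the 1:N effect above can be put into numbers. The following is an added example, not code from the post; the match scores are constructed toy values on a 0..100 scale, not readings from any real sensor, and the FMR figures fed to the probability functions are likewise made up.

```python
"""Biometric threshold trade-offs: FMR vs FNMR, lockout attempts, and 1:N matching.

Added example, not from the post. The match scores are constructed toy values
on a 0..100 scale, not readings from any real sensor.
"""
from math import prod

# Constructed scores. Genuine: the enrolled person presenting again.
# Impostor: a different person presenting against the same template.
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 67, 93]
IMPOSTOR_SCORES = [12, 35, 48, 22, 61, 30, 55, 18, 41, 27]


def match_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a reading is accepted iff score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)   # false matches
    fnmr = sum(s < threshold for s in genuine) / len(genuine)     # false non-matches
    return fmr, fnmr


def threshold_sweep(genuine, impostor, thresholds):
    """Tabulate the trade-off: raising the threshold lowers FMR and raises FNMR."""
    return [(t, *match_rates(genuine, impostor, t)) for t in thresholds]


def p_at_least_one_false_match(fmr, comparisons):
    """Probability of one or more false matches across independent comparisons.

    Used two ways: an impostor making `comparisons` attempts before lockout
    (1:1 verification against one template), or one unenrolled person being
    compared against `comparisons` stored templates (1:N identification).
    """
    return 1 - (1 - fmr) ** comparisons


def birthday_collision(people, days=365):
    """Classic birthday problem: P(at least two of `people` share a birthday),
    computed via the probability that everyone is different."""
    p_all_different = prod((days - i) / days for i in range(people))
    return 1 - p_all_different


if __name__ == "__main__":
    for t, fmr, fnmr in threshold_sweep(GENUINE_SCORES, IMPOSTOR_SCORES, (50, 60, 75)):
        print(f"threshold {t}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    fmr = 0.001  # 1 in 1000, constructed
    print("impostor, 5 attempts, 1:1      :", p_at_least_one_false_match(fmr, 5))
    print("stranger vs 1000 templates, 1:N:", p_at_least_one_false_match(fmr, 1000))
    print("23 people sharing a birthday   :", birthday_collision(23))
```

The same formula covers both risks the post describes: the impostor who gets several tries before lockout, and the stranger compared against every enrolled template. With an FMR of 1 in 1000, five attempts give roughly a 0.5% chance of a false accept, while a 1:N search over 1000 templates gives over 60%, which is why identification should select one template and verification should then be 1:1.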

Identification and Authorisation

These terms are often confused, so let’s start with a definition.

Identification: the presentation of unique data that selects a specific account on the system.
Authorisation: the presentation or verification of a credential that permits actions on the system under a specific account.

So in the old world your username is the Identification, and the password provides Authorisation to log on. A biometric credential can provide Identification. But sometimes all we need is identification. In a contactless card transaction you present your card for identification, and for small transactions that is enough.

Many applications of biometric systems assume that because we have identified the account, that a separate authorisation step is not necessary. This may be true for low value (or low risk) applications, but not for many other applications.

What is different about Biometrics

Because a biometric credential is based on reading a physical characteristic of the body, we cannot change or invalidate that reading. We can only choose a different component to present, i.e. a different finger to a scanner. This is why we cannot treat a biometric as a password.

Secondly this data is not secret, we leave fingerprints everywhere, they can be copied from high resolution photographs, and facial recognition systems have been foiled with pictures, or masks.

Lastly, the process of reading a biometric depends on a set of hardware and software that is open to attack. Because hardware must perform the reading, many systems also contain the templates and the processing that compares the reading to the template. An attack could replace the biometric reader with a simple device that reports a match, so the integrity of this subsystem needs to be assured.

This is why Apple have been clamping down on repairs that replace the fingerprint sensor on their phones. A hacked sensor could tell the phone that every finger matches.

Data Protection

Biometric data is clearly personal and so needs to be processed and stored according to Data Protection requirements (like GDPR and HIPAA).

For example, from hand geometry the level of testosterone exposure during pregnancy can be determined from the relative lengths of the first and third fingers (https://en.wikipedia.org/wiki/Digit_ratio); this has been correlated with a number of health and lifestyle factors such as sexual orientation.

Further Reading
https://pages.nist.gov/800-63-3/sp800-63b.html
https://privacyinternational.org/node/1454


How to use a computer

25 April 2018


I am often asked for advice on doing various things on a computer and I assume that they are doing everything else securely, and then I find that they don’t have the basics right. So here is my guide to doing the basics right.

Don’t use Windows

OK, so some people still haven’t upgraded to a Linux distribution, and I have hit brick walls in trying to convince some of my friends to do this. But this is one of the best things you can do to improve your security. OK, keep a separate partition with Windows for playing games; everything else is better on Linux.

Update, Update, Update

Make sure that you keep all your software up-to-date, not just the operating system, all those other bits and pieces of software need updating.

When you install software, always do this by adding a repository to your package manager; that way when you run your apt full-upgrade everything is updated in one go. (This is one of the main reasons why Linux is better.)

Backup, Backup, Backup

All computers can fail, taking your data with them, so you need to make sure the rule of 3 is followed. All data should have 3 copies, the live version, a backup version, and a remote backup.

Use a password Manager

We are just frail humans and we can not remember a different, complex password for every site we need or want a password on. The only way to remember all these passwords is to use a password manager. There are better and worse managers out there but you are much safer using a bad password manager than not using one at all.


Evolving internet protocols TLS 1.3, HTTP/2, QUIC, & DOH

5 January 2018

There is a must-read blog article by Mark Nottingham on the APNIC site:

Internet Protocols are Changing

Now, significant changes to the core Internet protocols are underway. While they are intended to be compatible with the Internet at large (since they won’t get adoption otherwise), they might be disruptive to those who have taken liberties with undocumented aspects of protocols or made an assumption that things won’t change.

Finally, we are in the midst of a shift towards more use of encryption on the Internet, first spurred by Edward Snowden’s revelations in 2015. That’s really a separate discussion, but it is relevant here in that encryption is one of the best tools we have to ensure that protocols can evolve.


A neat data sharing technique

2 June 2017

We needed to share some data relating to credit card transactions with another company, but we did not want to share the actual card numbers (PANs). So what to do? What we came up with is quite neat, and can probably be used by others.

The external company collects the card numbers they want information on, they encrypt these with RSA with a key they generate and do not share. They send these encrypted numbers to us, we further encrypt them with our own RSA key and jumble the order of the entries, then send them back. So now they have a set of PANs double encrypted.

We perform an extract of the relevant transactions and encrypt the PANs with our RSA key, and send these as well. Now the recipients of these can encrypt these with their key and because RSA is a commutative function, can match up the two sets to see if the PANs they sent to us were used in the extracted transactions.

We have added a daily salt to these encryptions so that correlations can’t be used to work out which encrypted PANs map to the original PANs, and we bulk up the transactions so that individual transactions cannot be identified.

A friend of mine wrote up the proof of this:

Let Nv = our Key Modulus

Let E = our Operand (a number greater than 1, which is carefully chosen…)

So our Public Key, Vp = the couplet (Nv, E)

[Ignoring the Private Key as it’s not important…]

Similarly

Let Ng = their Key modulus

F = their operand

So their public key Gp = couplet (Ng, F)

Let X = a PAN

Let Encrypt(K,M) be the RSA encryption algorithm of encrypting message M using key K

To encrypt the PAN using our Public Key: Cv = Encrypt( Vp, X)

This is actually Cv = X^E mod Nv

Then encrypt again using their Public Key: Cvg = Encrypt(Gp, Cv)

This is actually Cvg = Cv^F mod Ng

Similarly, encrypt the PAN using their Public Key: Cg = Encrypt (Gp, X)

This is actually Cg = X^F mod Ng

Then encrypt again using our Public Key: Cgv = Encrypt(Vp, Cg)

This is actually Cgv = Cg^E mod Nv

So Cvg = Cv^F mod Ng

= (X^E mod Nv)^F mod Ng

= X^(EF) mod Nv mod Ng

= X^(FE) mod Ng mod Nv

= (X^F mod Ng)^E mod Nv

= Cg^E mod Nv

= Cgv
i.e.

1. it doesn’t matter whether we encrypt with our key first or second, we get the same answer.

2. this means that the RSA algorithm is a commutative encryption algorithm

And so if we produce a value Cvg and they produce value Cgv and the values are the same, we can deduce that both organisations encrypted the same PAN, and nobody is actually sharing any PANs in the process.
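The exchange described above (their encryption, our second layer and shuffle, our encrypted extract, their second layer, then matching) as an added example; this is not the post’s code or either company’s system. It assumes both parties exponentiate modulo one shared modulus N, each keeping its own exponent secret, and that both apply the same daily salt before encrypting; the primes, exponents, salt and PANs are constructed. A shared modulus is what makes the two orders of encryption agree. The last function is the check a practitioner should run before relying on commutativity: on small constructed numbers it shows that when each party uses its own modulus, the two orders generally give different results and the match would fail.

```python
"""Matching PANs by commutative double encryption, without sharing plaintext PANs.

Added example, not the post's own code. Both parties exponentiate modulo the
SAME modulus N (each exponent is secret); that shared modulus is what makes
the two encryption orders agree. All parameters below are constructed.
"""
import hashlib
import secrets

# Constructed shared modulus: product of two Mersenne primes (2^127-1, 2^89-1).
N = (2**127 - 1) * (2**89 - 1)
E = 65537          # "our" secret exponent (constructed)
F = 257            # "their" secret exponent (constructed)
DAILY_SALT = b"2017-06-02"   # constructed; both sides must agree on it


def pan_to_int(pan, salt=DAILY_SALT):
    """Map a salted PAN to an integer below N so it can be exponentiated."""
    digest = hashlib.sha256(salt + pan.encode()).digest()
    return int.from_bytes(digest, "big") % N


def encrypt(exponent, m, modulus=N):
    """One layer of commutative encryption: m^exponent mod modulus."""
    return pow(m, exponent, modulus)


def match_pans(their_query, our_transactions):
    """Run the exchange; return the double-encrypted values both sides share."""
    # Step 1: they encrypt the PANs they want information on with F and send them.
    c_g = [encrypt(F, pan_to_int(p)) for p in their_query]
    # Step 2: we add our layer E, jumble the order so positions leak nothing, return.
    c_gv = [encrypt(E, c) for c in c_g]
    secrets.SystemRandom().shuffle(c_gv)
    # Step 3: we encrypt the PANs from our transaction extract with E ...
    c_v = [encrypt(E, pan_to_int(p)) for p in our_transactions]
    # Step 4: ... and they add their layer F.
    c_vg = [encrypt(F, c) for c in c_v]
    # Step 5: equal double-encrypted values imply equal PANs; no PAN was shared.
    return sorted(set(c_gv) & set(c_vg))


def separate_moduli_differ():
    """Constructed counterexample on tiny numbers: with a different modulus per
    party the two encryption orders do not agree, so matching would fail."""
    nv, ng, e, f, x = 33, 35, 3, 5, 2
    c_vg = pow(pow(x, e, nv), f, ng)   # our key first, then theirs
    c_gv = pow(pow(x, f, ng), e, nv)   # their key first, then ours
    return c_vg, c_gv                  # (8, 32): not equal


if __name__ == "__main__":
    theirs = ["4111111111111111", "5500000000000004"]      # constructed test PANs
    ours = ["4111111111111111", "340000000000009"]
    print(len(match_pans(theirs, ours)), "PAN(s) in common")
    print("separate moduli:", separate_moduli_differ())
```

Because matching needs only equality of the double-encrypted values, neither exponent ever has to be invertible for decryption, but the exponents must stay secret, since anyone holding F and the shared modulus could encrypt candidate PANs themselves and compare. The daily salt limits such dictionary comparisons to one day’s batch.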


Password Managers

7 February 2017


I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a password manager? Basically a database that stores usernames and passwords for you. The data is encrypted with a master password, so you do have to remember that one password. When you visit a site or start an application that needs a password, the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites you have used that password on. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen then it doesn’t immediately compromise all your passwords. But if you lose that book how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based, something you can remember and do in your head, or a combination. Usually you use the domain name of the site to work out your password. The problem here is that if that site is compromised then you have to change your password; after a few of these you have a long list of exceptions or alternative methods for passwords. It will soon become unmanageable.

Software to the rescue.

So the answer is to use password safe software. There are a number of systems available. I recommend both LastPass and KeePass. LastPass is internet based and implemented through a browser plugin, whereas KeePass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

KeePass has a local database, but this can be synced with other machines via Dropbox, GDrive, OneDrive, or even SFTP. Because the database is only decrypted in memory this is safe. KeePass is open source and there are clients for all desktop operating systems, and some mobile ones as well. There is a huge range of extensions to extend the basic functionality.

I personally use LastPass, but I also regularly export my keystore and import it into KeePass so I have a backup.

So why is this good?

1. You have a different password on every site. OK, if you don’t have this when you start you can progress towards it. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don’t have to remember it. And that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the Amazon password into the page at amazon.com, not at amason.com, amaz0n.com, amazom.com or arnazon.com.

4. Use your password manager as your bookmarks, if you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use your password manager to store password recovery information. Because you are using a password manager you don’t need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information; if they want your mother’s maiden name put something random in there, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto-fill other sensitive information like name, address, credit card numbers etc. This avoids storing cards on a website, from where they may be compromised. And because it is automated it is just as fast as having the website store the data.
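Points 2 and 3 above are the two behaviours worth understanding in any password manager: passwords come from a cryptographic random source, and autofill is bound to the stored site rather than to what the page looks like. The following is an added example, not code from LastPass or KeePass; the vault entries are constructed, and the domain rule is a deliberate simplification (the page host must equal the stored site or be a subdomain of it) that ignores the public-suffix list real managers consult.

```python
"""Password-manager behaviour worth copying: domain-bound autofill, random passwords.

Added example, not code from LastPass or KeePass. Vault entries are constructed;
the domain rule ignores the public-suffix list (e.g. co.uk) for simplicity.
"""
import secrets
import string
from urllib.parse import urlsplit

# Constructed vault: site -> (username, password). Real managers encrypt this at rest.
VAULT = {
    "amazon.com": ("alice@example.com", "v7K!pQ2#zL9m$Wx4"),
    "bank.example": ("alice", "Tg8@rN3&hV6*bC1!"),
}


def site_for(url):
    """Return the vault site an autofill may target for this URL, or None.

    Fill only over HTTPS, and only when the page host is the stored site or
    one of its subdomains. Lookalikes such as amason.com or amaz0n.com, and
    tricks like amazon.com.evil.example, never qualify.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return None
    for site in VAULT:
        if host == site or host.endswith("." + site):
            return site
    return None


def credentials_for(url):
    """Autofill decision: the (username, password) pair for url, else None."""
    site = site_for(url)
    return VAULT[site] if site else None


def generate_password(length=16):
    """Random password from the OS CSPRNG with at least one letter, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for url in ("https://www.amazon.com/ap/signin", "https://amason.com/ap/signin",
                "https://amazon.com.evil.example/", "http://www.amazon.com/"):
        print(url, "->", credentials_for(url))
    print("new password:", generate_password())
```

The refusal to fill over plain HTTP is a design choice a user cannot easily apply by eye but a program applies every time; the same goes for the subdomain rule, which is why a typo-squatted or look-alike host simply gets no credentials.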

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.


The #IPBill aka #Snooperscharter second letter

26 November 2015

Here is my second letter to my MP. This is the important one, as they rarely see your first letter.

Dear Alok Sharma,

I thank you for your reply to my letter (ref: CRM12097); while your response tries to clarify some aspects of this bill, you fail to address any of the issues that I raised.

I would like to explain just a few of the issues I, and others in the Cyber Security community, have with the Investigatory Powers Bill. Firstly, the bulk collection of data.

Bulk collection of data records (“meta data”) is not equivalent to a phone bill. This implies that it only relates to a small part of a citizen’s life and interactions. In the case of the Internet we are living our lives where all our actions and thoughts travel on the Internet in some form. And this is rapidly expanding, from smart phones reporting location, activity, and biomedical information to our homes becoming automated and reporting machines that we live in. The “meta-data” of these interactions is a vast and detailed view of our lives.

If you want a simple parallel it is equivalent to the information collected by the East German Stasi, collected and stored, and could be searched and analysed.

It is amoral in a free society to collect and store this level of information on citizens, whatever the justification.

Secondly, the storage and analysis of this data does not help the police, or GCHQ, in performing their roles. If this is to protect us against terrorism it will not work. All of the recent terrorist attacks have been performed by persons known to the police. No cases of terrorism have been identified from bulk analysis of data. If this data truly was able to do this then we should demand extraordinary proof that this is the case, and subject this to public scrutiny. Where the NSA has been challenged to do this they have failed to provide a single case where access to bulk data was instrumental.

The simple argument here is that if the terrorists of all previous actions were known to the police but they were unable to spot this from the data they have, how does adding more data to the pile help.

This collection will be expensive and hamper the development of businesses in the UK. The Snowden revelations mainly reflected on the operation of the NSA, and those revelations had, and are having, a major impact on US businesses that sell technology solutions, especially internationally. This bill will have an even worse impact on UK businesses than the current revelations have already had.

The collection of useful data is easily bypassed by citizens. The entertainment industry has been trying to detect and prosecute people for copyright infringing activities for 10 years. This has taught much of the population how to use technologies like VPNs, and TOR. When these are used data collected under these Bulk collection schemes is useless.

The collection of this data is probably illegal under the European Convention on Human Rights. The recent ruling on the data retention directive should alert you to the fact that basic human rights are being infringed by the current collection schemes, and so this will probably be illegal under a similar challenge when it eventually comes. It would certainly not be legal under the American constitution.

Next I would like to discuss encryption. In your letter you say that you do not want to break encryption; the point in my letter was specifically about end-to-end encryption. This is where the service provider is unable to decrypt messages. The Bill states that a service provider must comply with a warrant and provide decrypted information. So what does this mean for services where the service provider is unable to do this? This implies that you will ban such services. If you think that this will help catch criminals, and not seriously harm UK businesses, you don’t understand the issues.

End-to-end encryption uses the same technologies that secure connections to services providers. These are widely available technologies in open source products. These will be used whatever the law states.

I hope that this will help you understand how deeply flawed this bill is and convince you not to support it. I have only covered a couple of issues with this bill; there are many more that I have not covered here.

Yours sincerely,

Stuart Ward


Investigatory Powers Bill

21 November 2015

One of the problems in our political system is that most of the members of parliament, and their advisors, pundits, and the politically active population have little knowledge or understanding of the technical infrastructure that runs our world. This is a combination of the lack of interest in politics by technical people, and the lack of education in scientific disciplines among our politicians.

We on the technical side, dare I call us geeks, now need to get involved in the political discussion. The second round of the crypto wars is upon us, with the combination of people saying they don’t care about interception and the weak voice of those of us who do understand and care in speaking up. If we don’t speak up we will lose.

Can I urge all of you out there to write to your MP! It is not hard, but if we all do it, we can start to reclaim the internet for the good of the future.

Here is what I have sent, awaiting a reply.

Re: Investigatory Powers Bill
Dear Alok Sharma,

I am very concerned about this new bill and the massive encroachment into the public right to privacy it enshrines. This has rightly earned the nickname “The Snoopers Charter”

If you want access to my data Get A Warrant!

The bill seems to retrospectively enshrine into law the massive, and probably illegal, interception of the internet by GCHQ. It prevents any disclosure of the extent of that interception and prevents anyone leaking information about it from using a public interest defence.

The only reason we know anything about these activities is because of whistle-blowers, who have endured political witch-hunts as a result of revealing these illegal activities.

The “Going Dark” argument, that the Police are unable to investigate crimes because of the improvements in security of the internet is a very spurious one. It implies that there has been total surveillance of the population in the past (and present) and this needs to continue.

If the police need access to end-to-end encrypted communication they can get a warrant, seize the device, and view the decrypted messages.

The idea that a law can ban end-to-end encryption is as ridiculous as the claim from David Cameron to ban encryption, or mandate back-doors in all systems. The security profession has told you many times that inserting back doors safely into encryption software is impossible (see Keys Under Doormats).

If you want access to my data Get A Warrant!

Banning end-to-end encryption will not stop the bad guys using it. How to do this, and the programs to do it are all publicly available and open source. All you will do is hamper UK law abiding citizens in using these, and kill the security software industry in this country.

There are also the sections allowing the Police and GCHQ to break the Computer Misuse Act by hacking into any computer or device they wish. There is no justification for allowing this extreme power. The government should be working to improve our security, not undermining it.

What we want from an investigatory powers bill is something like:

1. Full disclosure of all interception programs, and the number of cases involved
2. Disclosure after a reasonable amount of time that my data has been intercepted.
3. Independent oversight of All cases by someone like the RIPA Interception Commissioner
4. All cases to be authorised by an individual warrant authorised by a judicial person.

What we want is the law as it applies to everything else, should apply to the internet. Searching my data should be the same as searching my house, or searching my person. It is the same amount of intrusion, it should have the same controls.

I trust that you will NOT vote for this bill and will argue against it in the House.

Yours Sincerely

Stuart Ward