Biometric Security

26 April 2018

A lot of projects I am seeing are starting to use biometric elements to secure the system. Biometric credentials are fundamentally different to other credentials because they are not absolute. Many of these try to use the biometric in the same way as a password, this is the wrong approach. Hence the refrain “A biometric is your username not your password.”

A sensor will make a reading and this is then compared with a template, and result in a measurement of the degree of match. Usernames, passwords, keys (not physical) are all binary in that they either match exactly or not.

But most biometric systems do not directly store the recording of the physical measurement, but a template. That is a set of characteristics of the biometric. So a fingerprint reader analyses the image of the print and finds a number of unique points or minutiae features. where ridges divide, stop, or have small islands. The template that is stored will be a list of these minutiae and their location rather than an image.

This means that for a biometric credential there is a level of confidence that the reading is from the same person. When the system is set up we must set the minimum confidence level that we will accept. This is driven by a number of factors.

  1. How often the attempt is detected as false when it is the same person. This is called the False Negative Rate, or False Non-Match Rate (FNMR).
  2. How often the system accepts an attempt by a different person. This is the False Positive Rate, or False Match Rate (FMR).
  3. How many fail attempts we allow before locking the system.

The higher we set the threshold the lower the FMR, but this increases the FNMR, and if we have a low number of attempts we may lock out legitimate users. But if the threshold is low, then we will be letting in attackers more easily, especially if the number of fail attempts allowed is high.

The Birthday Problem

There is a parlour game where you ask everyone in the room the call out the date (day/month) of their birthday, and if you have about 25 people the odds are better than even that you will find 2 people with the same day. Because there are 365 days in a year we think that the probability of a match would need ~150 people. But what we are really doing is saying what is the probability of everyone having a different birthday.

How is this relevant? If we are using a biometric credential, how many templates are we comparing it against for a match. if you are using a fingerprint to unlock a phone or a laptop, you will only have a at most a couple of your fingers registered. If we are using the biometric to identify and individual from hundreds or thousands, then we quickly get into a Birthday Problem situation. If we are designing a security system it should first identify the individual, and then compare the biometric with that individual’s template.

Identification and Authorisation

These terms are often confused, so lets start with a definition.

Identification, The presentation of a unique data that selects a specific account on the system.
Authorisation, The presentation or verification a credential that permits actions on the system under a specific account.

So in the old world your username is the Identification, and the password provides Authorisation to log on. A biometric credential can provide Identification. But sometimes all we need is identification. A contactless card transaction you present your card for identification, and for small transactions that is enough.

Many applications of biometric systems assume that because we have identified the account, that a separate authorisation step is not necessary. This may be true for low value (or low risk) applications, but not for many other applications.

What is different about Biometrics

Because a biometric credential is based on reading a physical characteristic of the body we cannot change or invalidate that reading. We can choose a different component to present, ie a different finger to a scanner. This is why we cannot treat a biometric as a password.

Secondly this data is not secret, we leave fingerprints everywhere, they can be copied from high resolution photographs, and facial recognition systems have been foiled with pictures, or masks.

Lastly the process of reading a biometric depends on a set of hardware and software that is open to attack. Because hardware must perform the reading, many systems also contain the templates, and the processing to compare the reading to the template. An attack could replace the biometric reader with a simple device to say there was a match, so the integrity of the this subsystem needs to be assured.

This is why Apple have been clamping down on repairs that replace the fingerprint sensor on their phones. A hacked sensor could tell the phone that every finger matches.

Data Protection

Biometric data is clearly personal and so needs to be processed and stored according to Data Protection requirements (Like GDPR & HIPPA).

For example from hand geometry the level of testosterone exposure during pregnancy can be determined by the relative lengths of the first and third fingers. https://en.wikipedia.org/wiki/Digit_ratio this has been correlated with a number of health and lifestyle factors like Sexual orientation.

Further Reading
https://pages.nist.gov/800-63-3/sp800-63b.html
https://privacyinternational.org/node/1454

Advertisements

Cracking the Hacking Team

6 July 2015

The somewhat notorious Hacking Team seem to have been subject to an attack of using their own tools. This points to the use of poor passwords, and reusing password on multiple systems.

The other lesson here is to have tools looking for ex-filtration of data, at least to detect when something has gone wrong.

We should be able to learn something here…

http://www.net-security.org/secworld.php?id=18592

“Hacking Team appears to have committed two of the classic mistakes in security: Never use simple passwords and never reuse passwords. For a security company that’s this high profile, there’s no excuse for these sins. We don’t know yet how the attackers got into HT’s systems, but given the poor passwords that have been revealed in the documents, it could have been as simple as brute-forcing the passwords on a few system,” Martin McKeay, Akamai senior security advocate, commented for Help Net Security.

“The other major mistake made by HT was not noticing that 400Gb of data was leaving their systems. Extrusion detection for an organization that specializes in malware and monitoring should be one of the defenses they concentrate on, because it’s what other people would use to detect their tools. Expect your tools to be used against you is a basic warfare tenet.”

And I have now fallen into the trap of the miss use of the word “Hacking” in a negative context.