Tuesday, 09/12/2006 11:46:16 PM

Biometrics Becomes A Commodity

02/01/2006
URL: http://www.itarchitect.com/shared/article/showArticle.jhtml?articleId=177100820

Biometrics has been called the future of IT security for years, but that future never seems to arrive. Last year, there were signs that this was about to change. Almost all laptop vendors began shipping models with built-in fingerprint readers, and biometric desktop keyboards also became an option from companies such as IBM and Microsoft.

The growth of biometrics is driven mostly by the failure of passwords. As computers increase in power, breaking dictionary passwords through brute force techniques becomes easier. At the same time, the increasing number of systems that each person must log in to is making passwords more difficult to remember. An unalterable physical characteristic that can't be forgotten or lost seems like a much better choice.

Maybe so, but IT departments considering biometrics need to keep three things in mind. First, forget about DNA sequencing or retina scans unless you're in the military or law enforcement. For the foreseeable future, fingerprints are the only physical biometrics set for widespread use in authentication--and even then, fingerprint readers will be far from ubiquitous.

Second, biometrics needs to be part of a multifactor authentication architecture, combined with passwords or hardware. This is partly because a biometric factor on its own acts only as an identifier--it's closer to a publicly known username than a secret password--and partly because today's cheap fingerprint scanners aren't reliable enough to be used alone.

Last and most importantly, physical biometrics is best used only for local physical security, not for direct access to networked resources. Transferring fingerprints over the Internet introduces risks, and a central store of private biometric data represents a valuable target for attackers. Instead, biometrics can be used indirectly: For instance, a server can be accessed via a digital certificate or one-time password that's stored on a local hardware device such as a smartcard, USB dongle, or Trusted Platform Module (TPM). That hardware can in turn be locked biometrically.

FACE OFF

When the IT security industry talks about a biometric factor, it's nearly always referring to fingerprints. Although other biometric measurements are used routinely in law enforcement, computer systems require much greater accuracy because they're intended to work without human supervision.

For example, many law enforcement agencies are beginning to deploy automated face recognition systems. In theory, these can help identify criminal suspects in a crowd. In practice, however, a very high false positive rate means the majority of faces picked out from a crowd are innocent, so every positive match needs to be flagged and shown to a human police officer, who must then decide whether the person identified looks enough like the suspect to warrant further investigation. That judgment can't be made automatically.

DNA authentication is a science-fiction favorite and set to remain that way. Superficially it seems like a good idea: Unlike most other biometrics, DNA is already digital, so a match can be made with 100 percent certainty. The problem is that DNA sequencing is very expensive and relies on chemical reactions that take hours, making it useless for most applications.

DNA also has severe privacy implications because it reveals more than just identity. At minimum, samples from two individuals will show how closely they're related. Depending on the genes chosen, samples can also reveal whether someone has a specific medical problem, or how likely they are to suffer from a particular disease in the future.

Apart from fingerprints, the one biometric factor that might go mainstream is the voiceprint. A voiceprint is a unique frequency pattern within a person's voice that's determined by the shape of that person's vocal tract. As a biometric measure, the voiceprint has the opposite weakness to DNA: it's too easy to analyze and fake. A simple voiceprint identification system can be fooled with a tape recording, and much of the same research that helps produce efficient codecs for VoIP and cell phones also helps attackers impersonate other people's voices.

Nevertheless, voiceprints can still be used in combination with other methods. An Interactive Voice Recognition (IVR) system or a human call center agent can ask a person to repeat a specific random word or phrase, and then ask for a password. Credit card giant Visa International is using an IVR voiceprint system from Vocent Solutions to authenticate its own employees, but only as one part of a multifactor system. Like many biometrics vendors, Vocent warns that its software isn't reliable enough to be used alone.

THE WRONG HANDS

Voiceprints are the most extreme example, but all biometrics--fingerprints included--suffer from the same problem: They're hard to keep private. This has frustrated criminals since the 19th century, and it's set to frustrate IT departments in the 21st. Furthermore, the problem is getting worse as repositories of biometric data become widespread. Biometric authentication suffers from an inverse network effect: The more it's used, the less useful it becomes. Authenticating to everything with the same fingerprint isn't much more secure than using the same password for everything--and it's potentially much worse because there are only 10 to choose from.

For this reason, IT departments considering biometrics must take precautions to ensure the privacy of the user's fingerprint. They must also make sure the print hasn't already been compromised by some other system to which the same user has authenticated. "People focus too much on the device that the end user sees," says Rebecca Bace, a former NSA cryptographer who is now CEO of consultancy Infidel. "But they ignore what happens to the data afterward, and that's more important."

Because the fingerprint isn't necessarily secret, high-security applications should only treat it as an identifier, not the sole means of authentication. It needs to be combined with a password, or better yet some kind of hardware device carried by the user. Microsoft even includes the following disclaimer in the instruction manual for its biometric keyboard: "The fingerprint reader is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or to protect sensitive data."

The privacy problems with fingerprints aren't as great as they seem because most biometric templates don't try to store an entire fingerprint. Instead, they keep track only of minutiae points, the locations on a print where different ridges cross, twist, or end. A typical fingerprint contains more than 100 such points, but most authentication systems only record 20 or fewer, so a fingerprint can't be reconstructed from a biometric template.

However, this doesn't mean there are no privacy risks. If the fingerprint scanner doesn't produce the minutiae points itself, a scan of the actual fingerprint will be transferred to a PC. Even if it does map the minutiae points itself, the points themselves could be sniffed in transit--and while this won't severely compromise the individual's privacy, it will compromise security.

PRINT OUT

The best way to protect user privacy is to ensure that biometric templates are never transmitted across a network or stored in a central database. This can be done by combining the biometric factor with a hardware device. Instead of sending fingerprints all the way to a server, users authenticate to local hardware, which in turn authenticates to a network using PKI.


The most obvious such hardware to use is the PC itself. To ensure that an attacker can't access either private keys or the biometric template, both can be stored on the TPM, a cryptographic coprocessor that includes some flash memory and a random number generator. All decryption and signing operations take place on the TPM itself, so private keys never leave the chip. Almost all new laptops aimed at the business market now include a TPM as standard, and it's beginning to be offered on many desktops as well.

Fingerprint readers are now following the same trajectory, starting in laptops and spreading to desktops. Fujitsu shipped the first laptop with a fingerprint reader in 2004. Since then it has been joined by most other major manufacturers, including Dell, HP, Sony, and Toshiba. Lenovo, which inherited a biometric ThinkPad from IBM, has also introduced a desktop PC with a fingerprint reader on the keyboard. Most vendors OEM their fingerprint hardware from specialist vendors Zvetco Biometrics and AuthenTec, which also sell standalone USB fingerprint readers so that existing PCs can be upgraded to handle biometrics.

It isn't a coincidence that both TPMs and fingerprint readers started out in laptops. Both are driven primarily by the need to encrypt data in case the laptop is stolen, and vendors see them as a natural fit together. Lenovo even gives potential customers a disclaimer similar to Microsoft's, warning that without a TPM, fingerprint readers are more about convenience than security.

The TPM is soldered permanently into a PC, so it doesn't help authenticate users who need to access a network through multiple machines. These users must carry their private keys and biometric templates on some other piece of hardware, usually a smartcard. To ensure that neither leaks out, NIST recommends that the smartcard itself perform the biometric authentication, using a system known as Match-on-Card.

Match-on-Card is more flexible than the TPM, but it requires that every PC include an integrated smartcard and fingerprint reader. (Two separate readers aren't good enough because this would mean exposing the biometric data to the PC.) The first such hardware was released by Precise Biometrics in December 2005, with Litronic planning to release a version early this year.

One risk with Match-on-Card is that if a card is stolen, a skilled hacker might be able to make it reveal its private keys without the correct fingerprint, or perhaps substitute the stored fingerprint template with someone else's. The other drawback is that smartcards have a relatively limited processing and memory capability, so the biometric match is likely to be less accurate than one performed on a PC.
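Added here as an illustration (not code from the article, Precise Biometrics, or any other vendor), the Go program below simulates the architecture described from "PRINT OUT" onward: the minutiae template and the private key live inside a card object, the match runs on the card, and the PC only relays a signed server nonce. It assumes a toy minutiae match on grid positions with a hit threshold of 12 of 14 points, Ed25519 in place of the RSA certificates the text mentions, and constructed templates; every name in it is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Minutia struct{ X, Y int } // one ridge ending or bifurcation as a grid cell (toy form)
// Card simulates a Match-on-Card smartcard: the template and the private key
// are unexported fields that no method ever hands back to the host PC.
type Card struct {
	template []Minutia
	priv     ed25519.PrivateKey
	unlocked bool
}

// NewCard enrols a template and generates the key pair on-card; only the public key leaves.
func NewCard(template []Minutia) (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil { panic(err) }
	return &Card{template: template, priv: priv}, pub
}

// Unlock runs the match inside the card. Toy rule: an enrolled point is hit when a
// presented point lies within 2 cells on both axes, and 12 of the 14 must be hit.
func (c *Card) Unlock(scan []Minutia) bool {
	hits := 0
	for _, m := range c.template {
		for _, s := range scan {
			if m.X-s.X <= 2 && s.X-m.X <= 2 && m.Y-s.Y <= 2 && s.Y-m.Y <= 2 {
				hits++
				break
			}
		}
	}
	c.unlocked = hits >= 12
	return c.unlocked
}

// Sign answers a server nonce only while unlocked (nil otherwise, which ed25519.Verify rejects).
func (c *Card) Sign(nonce []byte) []byte {
	if !c.unlocked { return nil }
	return ed25519.Sign(c.priv, nonce)
}

// Constructed templates: Enrolled is the stored finger, Other a different finger.
var Enrolled = []Minutia{
	{12, 40}, {25, 18}, {33, 52}, {47, 27}, {9, 71}, {58, 60}, {70, 15},
	{22, 85}, {64, 88}, {80, 44}, {41, 66}, {15, 10}, {77, 73}, {36, 33},
}
var Other = []Minutia{
	{42, 10}, {55, 12}, {63, 22}, {77, 3}, {39, 41}, {88, 30}, {90, 15},
	{52, 55}, {94, 58}, {92, 14}, {71, 36}, {45, 20}, {87, 43}, {66, 3},
}

func main() {
	card, pub := NewCard(Enrolled)
	nonce := []byte("constructed server challenge") // the server holds only pub
	fmt.Println("other finger unlocks:", card.Unlock(Other))
	fmt.Println("partial scan unlocks:", card.Unlock(Enrolled[:11])) // smudged presentation
	fmt.Println("same finger unlocks:", card.Unlock(Enrolled))
	fmt.Println("server verifies reply:", ed25519.Verify(pub, nonce, card.Sign(nonce)))
}
```

The locked card returns no signature, and a signature over one nonce does not verify against another, which is what keeps a reply sniffed on the PC from being replayed.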

FINGERS CROSSED

The biometrics industry got a big boost in December when the Federal Financial Institutions Examination Council (FFIEC) issued new rules requiring all online banks to use multifactor authentication by 2007. However, this doesn't mean your bank's Web site is going to start asking for a fingerprint anytime soon. After all, HIPAA mandates two-factor authentication for sensitive health records, and that hasn't led to widespread adoption of biometrics--or any strong authentication techniques for that matter.

"The health insurance legal system quickly decided that a username and password were two factors," complains Ravi Ganesan, CEO of TriCipher, which sells real two-factor authentication. "Regulatory compliance and security sometimes intersect, but they're separate."

The FFIEC was careful to make sure that banks don't have the same loophole as health insurers, but others may exist. A cookie stored in a user's Web browser can count as a second factor, provided it gets there through some method other than the user entering their regular username and password. For example, a customer could call the bank to get a one-time password to set the cookie, though the process would have to be repeated whenever the user clears the browser's cache.

Banks that want more security than cookies still have other options before they get to biometrics (see "Two-Factor Authentication On the Web" left). The same goes for IT departments. Smartcards and tokens have the advantage of being well-understood, and both are widely supported by major security vendors--most of whom haven't yet shown much interest in fingerprints or other biometrics. VeriSign has rejected them and actively competes against biometrics with its USB tokens. RSA Security has a similar strategy, though it has formed an alliance with Precise to support customers who want to use both tokens and fingerprints simultaneously.

SECURING THE SNEAKERNET

Though PCs are only now beginning to incorporate fingerprint readers, portable storage devices have had them for much longer. It's easy to see why: A USB flash drive is extremely easy to lose, yet can easily store all of a medium-sized business's trade secrets and private customer data.

Sony shipped the first flash drive with a built-in fingerprint reader more than five years ago, when USB storage was still fairly unusual. Since then it's been joined by numerous other vendors, and biometric drives have become a commodity. Typically costing about $50 more than a similarly sized USB drive without biometrics, most can store prints from 10 different fingers and have the option of requiring a password in addition to (or instead of) a fingerprint.

As with ordinary flash drives, capacities are increasing all the time. The largest so far is a 4GB model from Memory Experts, with most vendors scaling from 128MB to 2GB. For users who need to carry more data, LaCie and Kanguru Solutions also sell portable hard drives with built-in fingerprint readers in capacities of up to 120GB and 400GB, respectively. From the PC's perspective, these work in the same way as flash drives, connecting and drawing power from the USB port. They can be divided into secure and insecure partitions, allowing access to non-sensitive data without authentication.

Unlike standalone biometric keyboards, biometric flash and hard drives do serve a useful security function. Even the cheapest consumer model will prevent a technologically challenged thief from accessing data on a stolen drive. However, not all of them actually encrypt stored data, so the level of security provided differs.

For example, LaCie sells two versions of its biometric hard disk. One simply uses the fingerprint for access control, so a computer forensics expert willing to dismantle the drive could read its contents without having the correct fingerprint. The other version encrypts all data using a fingerprint-derived AES key, making it much more difficult to hack. It's not completely secure because someone might find a way to extract the key, but the same applies to a smartcard, a TPM, or any other device when an attacker has physical possession.

The other caveat is that most fingerprint-secured storage devices are useful only for securing data in transit; they aren't meant to serve as a replacement for network authentication tokens. Although biometric templates and AES keys don't leave the drive, any data stored has to when it's accessed. Even most drives that include AES hardware only use it for encrypting stored data, not for network challenges and responses. So if the drive contains passwords or private keys, these must be decrypted and transferred to a PC for processing, during which time they're vulnerable to spyware.

The exception is Sony's Fingerprint Identity Unit (FIU) series of flash drives, which is based on smartcard-derived hardware and includes most of the same PKI functions. Like a smartcard or TPM, it can generate random RSA key pairs, with the private key never leaving the drive. This should be as secure as a TPM-based laptop or a Match-on-Card architecture, but with the advantage that it can work on any PC with a USB slot. The biggest problem is that it means trusting security to a company that has admitted to installing a rootkit on millions of its customers' PCs.

BIOMETRIC LOCK-IN

The other drawback of all fingerprint-based authentication systems is a lack of interoperability. Match-on-Card at present requires cards, readers, and back-end software made by Precise or one of its licensees, and competitors that copy the architecture will be similarly proprietary. Likewise, Sony's FIU line requires Sony software.

The TPM is actually a standard, so it could act as an interoperability layer. Every PC manufacturer uses its own custom hardware and software on the client, but the link between the TPM and the network or server can be standardized. However, the standard still isn't supported widely, and no OS recognizes it natively. Networks whose PCs aren't all from the same vendor will need third-party TPM authentication software, which so far is only available from Wave Systems.

Standards will evolve over the next few years, and the TPM will get support from Windows Vista late this year. But in one sense, complaints about a lack of standards show that fingerprint authentication is making real progress. It demonstrates that unlike other biometrics, the technology is real and has reached the stage where interoperability becomes an issue.

The Password as a Biometric Factor

Back in the 1940s, wartime Morse code operators realized they were listening to more than just dots and dashes. Even though they lacked a voice link and didn't even know what the encrypted messages they were transferring meant, they were able to identify each other with almost perfect accuracy. This was because each operator tapped the transmit button with a unique rhythm that was almost impossible for others to imitate.

Forty years later, Stanford researchers realized the same phenomenon could be applied to any keyboard. In fact, classical music listeners already do it subconsciously when they distinguish one concert pianist from another. And it isn't just Morse code operators and classical pianists: Everyone who uses a computer or phone has a unique method of typing or dialing that can serve as a biometric factor. The Stanford group filed a patent on its use in an authentication system, but that patent expires this month.

The technology is already being commercialized by BioPassword, a start-up targeting both Windows PCs and Web-based applications. The company sells software that measures the time between keystrokes as a person enters a username and password, essentially turning that username and password into a biometric factor.

BOARDING PASS

This system has two great advantages over other biometric systems. The obvious one is that it requires no special hardware, or even user awareness. People just enter a password. Less obviously, the biometric factor depends on both the person and the password, so there are no privacy risks. Unlike a fingerprint, it can easily be changed if someone does manage to intercept it or hack into the biometric store.

There are some drawbacks, however. The system is vulnerable to hardware keyboard sniffers, which can intercept the times between keystrokes just as well as the password itself. And although users don't have to carry around an extra device or give up personal information, they do experience some inconvenience.

To ensure an accurate reading, users need to type their password 10 times whenever they change it--and they must repeat the process if they plan to access the system through more than one type of device. BioPassword says people have similar enough typing patterns for the same template to work on a cramped laptop as on an ergonomic workstation, but not a smartphone or a BlackBerry, even one with a Qwerty layout.
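As an added example (not BioPassword's software or any code from the article), the Go program below implements the keystroke-timing scheme the sidebar describes: it enrols a template from 10 typings of the same password, then scores a new attempt by how many inter-key intervals fall within a z-score tolerance of the enrolled rhythm. The 10-typing minimum, the 2.5 standard-deviation tolerance, the one-hesitation allowance and all timing values are constructed assumptions, not BioPassword's parameters.

```go
package main

import (
	"fmt"
	"math"
)

// Template holds the mean and standard deviation of each inter-keystroke
// interval seen at enrolment; it depends on the person and the password.
type Template struct{ Mean, Std []float64 }

// Enrol builds a template from repeated typings of one password, each given as
// inter-key intervals in milliseconds; 10 typings are required, as in the text.
func Enrol(samples [][]float64) (Template, error) {
	if len(samples) < 10 { return Template{}, fmt.Errorf("need 10 typings, got %d", len(samples)) }
	n := len(samples[0])
	t := Template{Mean: make([]float64, n), Std: make([]float64, n)}
	for j := 0; j < n; j++ {
		for _, s := range samples {
			t.Mean[j] += s[j] / float64(len(samples))
		}
		for _, s := range samples {
			t.Std[j] += (s[j] - t.Mean[j]) * (s[j] - t.Mean[j])
		}
		t.Std[j] = math.Sqrt(t.Std[j]/float64(len(samples)-1)) + 1 // +1 ms floor: never divide by zero
	}
	return t, nil
}

// Score counts the intervals of an attempt within maxZ standard deviations of
// the enrolled mean; Accept tolerates one hesitation but no more.
func (t Template) Score(attempt []float64, maxZ float64) int {
	hits := 0
	for j := range t.Mean {
		if j < len(attempt) && math.Abs(attempt[j]-t.Mean[j])/t.Std[j] <= maxZ {
			hits++
		}
	}
	return hits
}
func (t Template) Accept(attempt []float64) bool { return t.Score(attempt, 2.5) >= len(t.Mean)-1 }

// Constructed rhythm for one user's 8-character password (7 intervals).
var base = []float64{180, 95, 240, 130, 110, 300, 150}
// Enrolment derives 10 typings from base with small deterministic jitter.
func Enrolment() [][]float64 {
	out := make([][]float64, 10)
	for i := range out {
		out[i] = make([]float64, len(base))
		for j := range base {
			out[i][j] = base[j] + float64((i*7+j*3)%11-5)*2 // jitter in [-10, +10] ms
		}
	}
	return out
}

func main() {
	t, err := Enrol(Enrolment())
	if err != nil { panic(err) }
	fmt.Println("same person:", t.Accept([]float64{184, 89, 248, 127, 115, 293, 152}))
	fmt.Println("other person, same password:", t.Accept([]float64{120, 160, 150, 90, 200, 180, 130}))
	fmt.Println("same person on a phone keypad:", t.Accept([]float64{400, 210, 520, 290, 250, 660, 330}))
}
```

The last case shows why the text calls for separate enrolment on a phone: the same person's slower keypad rhythm scores like an impostor against a template built on a full keyboard.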

BioPassword is already shipping software for Windows PCs that integrates with both XP's own login screen and Active Directory. The company plans to have one for Web-based applications in March and says it's talking to several financial institutions. These firms like the software because it's still password-based, but qualifies as two factors under the new FFIEC rules for online transactions.

Keystroke timing is a better fit for the Web than physical biometrics, but it's still not ideal. Web browsers don't normally measure time between keystrokes, so users must install a plug-in. BioPassword currently gives people a choice of ActiveX or Flash, though it may offer Java or JavaScript in the future.

Plug-ins and the need for actual key presses prevent surfers from using copy and paste or the password-caching tools built into most browsers. This might seem useful from a security perspective, but can have unintended consequences. If a lot of sites adopt it, people will likely choose very weak passwords or use the same one for every site.