Biometrics in Information Security

From Computing and Software Wiki

By registering their biometric data ahead of time, travelers at Heathrow Airport in London, UK can go through an automated check in, using IRIS^[E2]

The word biometric originally comes from ancient Greek, “bios” – life + “metron” – measurement^[R1]. The classic definition of biometrics refers to the measurement of biological traits (i.e. the growth rates of bacteria) however this field of study is now referred to as Biostatistics. The contemporary field of biometrics refers to measurements of unique physical or behavioral traits in humans. In the vernacular of information security, biometrics falls mainly under confidentiality and availability because of its applications in identification and authentication.

In the process of biometric authentication, a mathematic model of a measurable trait (see Types of Measurements below) is converted into a unique signature, similar to the checksum of a file. This process refers to the identification phase of authentication, where an identity is bound to a subject. When the physical trait is measured again, the same signature should be produced and authentication of the subject is successful^[R2].

Despite its wide use as a quick and fairly reliable means of identification (see Applications below), there remains some criticism over biometric systems. Problems include susceptibility to replay attacks, and identity theft with more permanent consequences than a compromised password (see Problems with Biometric Systems below).

Types of Measurements

Biometric measurements can usually be divided into two main branches, Physiological - patterns in physical appearance or structure, and Behavioral - patterns in how something is done^[R2].

A thermographic image of a face^[E3]

Physiological

Eyes - Images of the iris or retina

Face - Electromagnetic or thermal scans

Hand/Fingers - Fingerprints, vein and palm geometry

DNA - Noncoding DNA pattern matching

Behavioral

Signature - Combinations of specific features of a signature (i.e. size of lines and loops in letters)

Voice - Patterns in tones and frequencies when a specific words are spoken

Keystroke - Patterns in how specific text is typed in (i.e. relative delays in different keystrokes)

In all biometric measurements, an original sample of the data is recorded as a digital signature and linked to an identity. This signature is stored, and used to compare to future signatures to ensure that the person giving the new sample matches the identity for the originally recorded data.

Applications

Biometric technology has two closely related applications, identification and authentication.

In the Identification stage, an existing identity (or person) is linked to a piece of stored biometric information. Identification is usually used as a deterrent against fraud, or as the first stage in authentication. An example of this is at the entrance gates in Disney Land. Along with their ticket, patrons are asked to provide a fingerprint scan which is linked to the ticket, so that only that person can use the ticket for re-entry. In this example, the biometric information of the person is linked to their ticket, and not their actual identity, which maintains anonymity while still preventing unwanted accesses to the park.

In the Authentication stage, a person provides a biometric sample which is compared to a database of signatures. If a match is made, the person is successfully authenticated with the identity linked to the biometric information. An example of this is a military system which has biometric information on all of its officers on file. In order to enter a specific room, an officer must provide fingerprints and an iris scan to confirm his identity. In this example, the officer's fingerprints and iris scans are being compared to original samples which he would have initially provided.

Problems with Biometric Systems

Replay Attacks - a replay attack occurs when an attacker captures a piece of secret data (i.e. a password, or a fingerprint) and uses that data to make subsequent accesses to the system. Biometric systems are vulnerable to replay attacks because by capturing authentication data, an attacker can produce the same signature stored in the database. By compromising a fingerprint or iris scan, an attacker can reuse that information to gain access to the system^[R2].

Identity Theft - Identity theft is always a consideration when considering an authentication system, however with biometric systems, the problem has larger repercussions. Normally, when an account has been compromised, the user name or password for the account can be reset. A fingerprint in a biometric system serves as the password, so when this information is compromised, the fingerprint cannot be changed (without cosmetic surgery). This means that once an identity is stolen, it has been stolen forever^[R1].

Dystopia - Many science fiction stories have addressed the problem of a society with an entrenched biometric infrastructure. As the technology becomes more widely used for quickly identifying people, more places will be gathering, storing and tracking biometric information. This may put true anonymity in the world in danger of extinction, which would have many political and social repercussions (Watergate would not exist without the anonymous "Deep Throat").