Re: [Speechsc] stealing biometric tokens
"Judith Markowitz" <judith@jmarkowitz.com> Sat, 19 July 2008 18:54 UTC
Return-Path: <speechsc-bounces@ietf.org>
X-Original-To: speechsc-archive@optimus.ietf.org
Delivered-To: ietfarch-speechsc-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E16B3A68B1; Sat, 19 Jul 2008 11:54:12 -0700 (PDT)
X-Original-To: speechsc@core3.amsl.com
Delivered-To: speechsc@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78D573A68B1 for <speechsc@core3.amsl.com>; Sat, 19 Jul 2008 11:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.751
X-Spam-Level:
X-Spam-Status: No, score=-2.751 tagged_above=-999 required=5 tests=[AWL=-1.044, BAYES_05=-1.11, GB_I_LETTER=-2, J_CHICKENPOX_82=0.6, MSGID_FROM_MTA_HEADER=0.803]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slxjmMsZy0bP for <speechsc@core3.amsl.com>; Sat, 19 Jul 2008 11:54:10 -0700 (PDT)
Received: from omr5.networksolutionsemail.com (omr5.networksolutionsemail.com [205.178.146.55]) by core3.amsl.com (Postfix) with ESMTP id B4FFE3A6870 for <speechsc@ietf.org>; Sat, 19 Jul 2008 11:54:09 -0700 (PDT)
Received: from mail.networksolutionsemail.com (ns-omr5.mgt.netsol.com [10.49.6.68]) by omr5.networksolutionsemail.com (8.13.6/8.13.6) with SMTP id m6JIsgEV017608 for <speechsc@ietf.org>; Sat, 19 Jul 2008 14:54:44 -0400
Message-Id: <200807191854.m6JIsgEV017608@omr5.networksolutionsemail.com>
Received: (qmail 808 invoked by uid 78); 19 Jul 2008 18:54:42 -0000
Received: from unknown (HELO JMarkowitz) (judith@jmarkowitz.com@24.148.43.175) by ns-omr5.lb.hosting.dc2.netsol.com with SMTP; 19 Jul 2008 18:54:42 -0000
From: Judith Markowitz <judith@jmarkowitz.com>
To: 'William Meisel' <wmeisel@tmaa.com>, 'Eric Burger' <eburger@standardstrack.com>, speechsc@ietf.org
Date: Sat, 19 Jul 2008 13:54:36 -0500
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcjohHcBCAgkC3qnpUS673kuAg263wBOUV0gAAKcw2YAAY2+IA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <C4A777E2.16A3C%wmeisel@tmaa.com>
Subject: Re: [Speechsc] stealing biometric tokens
X-BeenThere: speechsc@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Speech Services Control Working Group <speechsc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/speechsc>, <mailto:speechsc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/speechsc>
List-Post: <mailto:speechsc@ietf.org>
List-Help: <mailto:speechsc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/speechsc>, <mailto:speechsc-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: speechsc-bounces@ietf.org
Errors-To: speechsc-bounces@ietf.org
I agree that it is difficult to reverse engineer biometric templates/models. It isn't impossible, but it takes work. The article conflates a number of things which reveals some basic misunderstandings about biometric systems. The start of the article refers to stealing "biometric scans." That could mean anything - from what is captured at the device to the stored model/template. Other portions of the article suggest that the writer is talking about templates. If you can capture and reuse raw data then you don't have to deal with processed data, such as templates. This is not difficult to do. In 2002, Professor Tsutomu Matsumoto of Yokohama National University conducted a test in which eleven optical and silicon fingerprint sensors accepted artificial fingers in at least sixty percent of attempts. Matsumotos primary method of spoofing the systems was to create an impression of an actual fingerprint using gelatin derived from organic animal material - materials akin to "gummy bear" candy. A group that opposes the use of fingerprints in German passports lifted the fingerprint of the German Secretary of the Interior Wolfgang Schäuble from a drinking glass he used at a restaurant and published it on the Internet. Most criminals won't take the trouble to try to pick up individual fingerprints. It isn't cost effective. They will go after unprotected systems to get a lot of data that they can use or sell. This has become big business. That's why I highlighted the need for encryption and other security to prevent capture of raw biometric data. If an attacker is capturing UNENCRYPTED data from the sensor or the network, for example, you have a problem. If a database that stores unencrypted raw data for all ten fingerprints is compromised then you have a big problem. Unfortunately, a lot of organizations do store raw data and too many of them don't secure the data. Given that the US is now requiring that foreign visitors to enroll all ten fingerprints theft of raw data for all ten of your fingerprints is not an entirely unlikely scenario. I can see other countries following the US' approach. I just went to Japan and had to submit two fingerprints just to enter the country as a tourist without a visa. These policies have helped drive the development of "cancelable" biometrics. Voice is inherently cancelable if you use text-dependent technology so it has some advantages over some of the other biometrics. This gets me back to MRCP V2. I was delighted to see coverage of security in the draft standard. I would like to see stronger warnings and better guidance related to security for both speaker biometrics and speech recognition. Don't forget that speech recognition often transmits sensitive data, such as account numbers. Judith Markowitz -----Original Message----- From: William Meisel [mailto:wmeisel@tmaa.com] Sent: Saturday, July 19, 2008 12:52 PM To: Judith Markowitz; 'Eric Burger'; speechsc@ietf.org Subject: Re: [Speechsc] stealing biometric tokens Hi, Judith. I agree that ideally the solution is to provide adequate security for any authentication data, and I hope solutions that insure every company does so are eventually adopted. The cited article really addresses a different subject. It says that biometric identification, when stolen, is worse than having a PIN stolen because a PIN can be changed, but a fingerprint can't (or a voice can't). The article even talks about enrolling a different finger. I think the basic assumption of the article is flawed. It assumes that one can steal the stored biometric identifier and use that to authenticate oneself as another. If the company stores the original image of a fingerprint or the original recording of a voice, then I guess (with some effort), the voice or fingerprint could be recreated. However, with speaker verification and with fingerprints (in fact, with every pattern recognition application I've been involved with since I wrote a book on it in 1972, the process of storing "features" of the voice or fingerprint or any other pattern is highly lossy and can't be reversed,in part because one wants to identify the pattern in the presence of a lot of variation and thus capture only largely invariant features. When challenged on the telephone to say a password, having the features stored by the speaker verification system wouldn't do one any good. I hate to to have government agencies and companies left with the misimpression that storing biometric data is somehow more dangerous (and possibly creates more liability) than storing PINs. -- Bill Bill Meisel President, TMA Associates Publisher & Editor, Speech Strategy News (818)708-0962 www.tmaa.com > From: Judith Markowitz <judith@jmarkowitz.com> > Date: Sat, 19 Jul 2008 11:52:12 -0500 > To: William Meisel <wmeisel@tmaa.com>, 'Eric Burger' > <eburger@standardstrack.com>, <speechsc@ietf.org> > Subject: RE: [Speechsc] stealing biometric tokens > > Hi Bill, > The attached article presents the picture in about as simplistic and naïve a > way as possible. Consequently, it leads the reader to false conclusions. > > Biometrics can be faked (called "spoofing") but it is generally not a > trivial process and, in most cases, it is done with the raw biometric data. > That is, fingerprint or face (etc.) images and voice recordings. It is much > harder to re-engineer a biometric model/template, although that is not > impossible. > > There are a number of ways to capture raw biometrics. The best way is to > hack a database that stores them. Other methods involve capture at the > sensor and on the transmission channel. > > If you look at these approaches to capturing biometrics you can easily see a > theme: security. You also see that the security that is needed (and too > often missing) has nothing really to do with biometrics, itself. It is the > same kind of security that is missing for PIN and password systems. So, it > doesn't really help much to have multi-factor authentication if all of them > are captured in transit or stolen from a hacked database. > > In short, if government and private industry would take the time and spend > the money to secure their networks, databases, and other systems many of > these threats would be eliminated. That's why the data interchange format > that I'm working on with the American National Standards Institute includes > encryption and supports other security. > > Judith Markowitz > > -----Original Message----- > From: speechsc-bounces@ietf.org [mailto:speechsc-bounces@ietf.org] On Behalf > Of William Meisel > Sent: Thursday, July 17, 2008 10:15 PM > To: Eric Burger; speechsc@ietf.org > Subject: Re: [Speechsc] Just to see if anyone is still out there > > Am I missing something, or does the linked article (and the referenced > professor) simply misunderstand biometric id? Having the biometric token (a > fingerprint is the example) should neither allow the thief to recreate the > fingerprint (assuming it is features of the fingerprint that are > encoded--hopefully without announcing what each feature is) nor allow the > thief to access the system, since they would need to have the finger (not > the token) to do so. It would not be necessary for the individual to > reenroll a new finger. > > The same is true of speaker authentication. > > -- Bill > > Bill Meisel > President, TMA Associates > Publisher & Editor, Speech Strategy News > (818)708-0962 > www.tmaa.com > > > > >> From: Eric Burger <eburger@standardstrack.com> >> Date: Thu, 17 Jul 2008 08:07:08 -0400 >> To: <speechsc@ietf.org> >> Subject: [Speechsc] Just to see if anyone is still out there >> >> For the folks who care about biometrics: >> > http://www.networkworld.com/newsletters/sec/2008/071408sec1.html?nlhtsecstra > t= >> ts_071508&nladname=071508securitystrategiesal >> _______________________________________________ >> Speechsc mailing list >> Speechsc@ietf.org >> https://www.ietf.org/mailman/listinfo/speechsc >> Supplemental web site: >> <http://www.standardstrack.com/ietf/speechsc> > > > _______________________________________________ > Speechsc mailing list > Speechsc@ietf.org > https://www.ietf.org/mailman/listinfo/speechsc > Supplemental web site: > <http://www.standardstrack.com/ietf/speechsc> > > _______________________________________________ Speechsc mailing list Speechsc@ietf.org https://www.ietf.org/mailman/listinfo/speechsc Supplemental web site: <http://www.standardstrack.com/ietf/speechsc>
- Re: [Speechsc] stealing biometric tokens Judith Markowitz
- Re: [Speechsc] stealing biometric tokens William Meisel