Re: [Speechsc] stealing biometric tokens
"Judith Markowitz" <judith@jmarkowitz.com> Sat, 19 July 2008 16:51 UTC
From: Judith Markowitz <judith@jmarkowitz.com>
To: 'William Meisel' <wmeisel@tmaa.com>, 'Eric Burger' <eburger@standardstrack.com>, speechsc@ietf.org
Date: Sat, 19 Jul 2008 11:52:12 -0500
Hi Bill,

The attached article presents the picture in about as simplistic and naïve a way as possible. Consequently, it leads the reader to false conclusions.

Biometrics can be faked (called "spoofing") but it is generally not a trivial process and, in most cases, it is done with the raw biometric data. That is, fingerprint or face (etc.) images and voice recordings. It is much harder to re-engineer a biometric model/template, although that is not impossible.

There are a number of ways to capture raw biometrics. The best way is to hack a database that stores them. Other methods involve capture at the sensor and on the transmission channel.

If you look at these approaches to capturing biometrics you can easily see a theme: security. You also see that the security that is needed (and too often missing) has nothing really to do with biometrics, itself. It is the same kind of security that is missing for PIN and password systems. So, it doesn't really help much to have multi-factor authentication if all of them are captured in transit or stolen from a hacked database.

In short, if government and private industry would take the time and spend the money to secure their networks, databases, and other systems many of these threats would be eliminated. That's why the data interchange format that I'm working on with the American National Standards Institute includes encryption and supports other security.

Judith Markowitz

-----Original Message-----
From: speechsc-bounces@ietf.org [mailto:speechsc-bounces@ietf.org] On Behalf Of William Meisel
Sent: Thursday, July 17, 2008 10:15 PM
To: Eric Burger; speechsc@ietf.org
Subject: Re: [Speechsc] Just to see if anyone is still out there

Am I missing something, or does the linked article (and the referenced professor) simply misunderstand biometric id?

Having the biometric token (a fingerprint is the example) should neither allow the thief to recreate the fingerprint (assuming it is features of the fingerprint that are encoded--hopefully without announcing what each feature is) nor allow the thief to access the system, since they would need to have the finger (not the token) to do so. It would not be necessary for the individual to reenroll a new finger. The same is true of speaker authentication.

-- Bill

Bill Meisel
President, TMA Associates
Publisher & Editor, Speech Strategy News
(818)708-0962
www.tmaa.com

> From: Eric Burger <eburger@standardstrack.com>
> Date: Thu, 17 Jul 2008 08:07:08 -0400
> To: <speechsc@ietf.org>
> Subject: [Speechsc] Just to see if anyone is still out there
>
> For the folks who care about biometrics:
> http://www.networkworld.com/newsletters/sec/2008/071408sec1.html?nlhtsecstra t=
> ts_071508&nladname=071508securitystrategiesal
> _______________________________________________
> Speechsc mailing list
> Speechsc@ietf.org
> https://www.ietf.org/mailman/listinfo/speechsc
> Supplemental web site:
> <http://www.standardstrack.com/ietf/speechsc>