Are Biometrics the Key to Data Security?

Page 2 of 3

You Really Are Special! 
Body odor notwithstanding, biometrics certainly has its critics and has generated its share of controversy over the years. Naysayers suggest that biometric technology creates an Orwellian-like world where a totalitarian corporate Big Brother monitors and tracks one's every move. One need only recall the infamous 2001 "Snooper Bowl" in which thousands of unsuspecting football fans were secretly subjected to facial-recognition scans upon entering Raymond James Stadium in Tampa Bay. This early mainstream experiment in biometric security garnered fierce criticism from people who railed against the technology as invasive. Of course, this was months before the horrific attacks on the World Trade Center that same year. Since then, outrage over biometric solutions to security have cooled somewhat as people have been more than willing to sacrifice privacy for security. While the privacy issue is still very much with us, the biometrics industry has been steadily gaining ground, with government security contracts proliferating in the hope of stopping future terrorist attacks. 

Proponents of biometric security claim that the technology makes privacy even more of a concern by fashioning a security device around the unique, unduplicatable characteristics of human physiology. Diverse as snowflakes, we carry with us our own inborn passwords in the figure of inimitable physiological characteristics. Yet as Dr. Colin Soutar, CTO of Bioscrypt, a provider of finger scanning technology, points out, "You don't really want to rely on the biometric being a secret; it's not like a password. What you really want to rely on is making sure that there's a live rendition of it being presented at the input sensor. It's a different paradigm than the password-based or secret-based type scenario insomuch as the input mechanism is very particular. It's not something you can do remotely. With a biometric you've actually got to interface with this particular sensor, and as long as you've got live-ness detection capabilities in that sensor then you're mitigating the risk of any attack." Of course, regardless of where one stands in this debate, it is clear that biometrics is not only transforming science fiction into fact, but it is fast becoming a feasible data security business solution. 

Of course, even with all the controversy surrounding biometrics, it's important to realize that it's been with us for quite a while. In the 1920s, the FBI in connection with law enforcement began using fingerprints to create a database of known criminals. Since then, biometric fingerprint technology has continued to be seen as a practical and effective way of keeping track of who's who and for verifying that a person is who they say they are. As Dr. Soutar points out, the "fingerprint is quite well-known, quite easy to use, and it works well. It's also something that people are somewhat familiar with. The one good thing about a fingerprint system is it's proactive; the person deliberately and explicitly participates in the process by putting their finger down on the sensor. They know that they're engaging in the system, as opposed to being watched at a distance." As opposed to retina and facial scans, fingerprints are the least invasive biometric and are also the most commonly used in data security. 

Sounds good, but what if an attacker attempts to gain access to data by physically manipulating the finger of the authentic user? No problem, says Dr. Soutar, who explains that if the physical characteristic is being manipulated against the user's will, "it's possible to enroll what we call a ‘duress' finger." For instance, "perhaps normally you use your right index finger, you can use your left index finger as the ‘duress' finger. So, as you're being forced to open the door you'd present the left finger and it would actually open the door since it was enrolled as well, but it would also indicate to the system that this was being done under duress so security would respond in the appropriate manner." 

And if someone steals your finger? Biometric technologies have got that covered, too, unless of course the digit in question is surgically grafted onto a new hand—because verification is contingent on the finger being alive. As Dr. Soutar says, "Instead of just looking for something that looks like a fingerprint on the surface, [the sensor] will look at the absorbed or reflected spectral characteristics—it will shine different wavelengths of light on the finger to determine whether that skin is alive or not. Other methods include looking at blood flow and conductivity, which are all very particular to live skin versus dead skin." This would also counter such low-tech and decidedly less violent hacking (no pun intended) attempts such as fashioning gummy bears into fingerprints.


Tales from Decrypt
Data and information security typically utilizes public-key technology, which is generally only as secure as the private key—usually a password. Very basically, the public key encrypts and the private key decrypts data. Biometrics adds an extra layer to this traditional security by requiring a physical component, or biometric, to be introduced as well. Gregory J. Chevalier, SVP of CryptoMetrics, explains that while biometrics can bring a higher level to authenticating identity, it does nothing to physically protect the private key on its own. He explains that "in the hacking community they've determined how to get at the private key, given that they have access to the physical asset—no different than the ability to determine a password if you have the passphrase."

To counter this, Chevalier says that CryptoMetrics "does two things: uses biometric technology for the release of that private key, but more importantly, it separates the key from the data, such that if [we] lose that physical asset to the hacking community, they have no ability to get at the private key." Chevalier claims that "the only way to do this is to use a trusted biometric device," which, according to him, "has two characteristics: the biometric match actually takes place on the device, [and the] device has storage capacity." When CryptoMetrics encrypts that file and establishes a private key, it then sends it wirelessly through a Bluetooth transaction to that trusted device, which then stores that private key. Chevalier says, "It cannot be released until the software calls for it and the user is present with the biometric authentication to release it." 

Bioscrypt's Dr. Soutar explains that "the classic security paradigm looks at the different points where a signal can be interjected, and there's really two generalized points in a biometric system. One is somewhere along one of the interfaces where an image or a template is being passed from one point to another—that's where we use encryption to protect those links and data storage. The other point in a biometric system is the input sensor itself, [but] the sensor manufacturers have been working very diligently over the last four years or so to mitigate those types of risks." 

Bioscrypt, with more than ten years in the field, combines its experience with physical access control and merges it with logical access control. According to the company's director of corporate development and communications, Matthew Bogart, "We provide an access control solution that facilitates or converges physical and logical. We're able to unify an identity across an enterprise using the biometric as the single credential; that is, one enrollment to gain access to both facilities and PCs." The company's main focus is on fingerprint scan technology, as Dr. Soutar says, "Our core competency is in finger recognition algorithms." 

Combining biometrics with traditional cryptography is also one of Bioscrypt's strengths. As Dr. Soutar says, "The notion of biometric encryption is a very particular way of combining cryptography with biometrics. Conventional cryptography and standard encryption techniques like AES (Advance Encryption Standard) or Triple DES (Data Encryption Standard) are often used to protect the biometric information either in storage or in transit. That protects the digital data side of it by bringing traditional cryptography techniques into it. The last thing the security industry needs to see is the biometrics industry coming up with new cryptographic algorithms. It's better to use ones that are established and standardized." 

Page 2 of 3