Re: REVIEW: "Biometrics for Network Security", Paul Reid
From: Bruce Barnett (spamhater103+U041004162047_at_grymoire.com)
Date: 4 Oct 2004 20:48:48 GMT
"Richard S. Westmoreland" <firstname.lastname@example.org> writes:
I was asking about the author's opinion, because this should be an
indication of his bias and thoroughness to a topic. I'm not a
biometric expert, but biometrics can't solve every problem in
isolation. An unbiased writer would cover these issues. But the
world is filled with people who think their technology will solve
every problem in the world.
> That should prevent any kind of replay attack, and streamline the process
> without the need of an additional smart card.
Well, how does one know the reader is trusted? I can walk up to a
Trojan'ed reader, and it can capture my thumbprint and replay it at a
>The data is
>decrypted at the server along with the ID (using the server side's expected
>ID), the ID is matched up in the database to confirm validity of the
This also requires the reader to be connected to the server in order
to be authenticated. If the network is down, or disconnected, the
person cannot be authenticated. So that's two potential problems.
I'm not trying to pick a fight. I was interested in the book, and I
wanted to see how well he covers the issues. For instance, biometrics
is just one of three factors that can be used for authentication
(something you know, something you have, and someone you are). And if
only biometrics is used, then this isn't always adequate. Bruce
Schneier made some good comments about the problems of using
biometrics for authentication.
Two of the points he covers (my web proxy is down. Otherwise I'd give
you a reference) are:
Biometrics is PUBLIC information
Biometrics cannot be changed.
Once the fingerprint template is captured, it can be replayed. It's
not secret information. You can't revoke it and re-issue it to the end
Smartcards aren't the best solution to every problem, because they
cost more than thumbs. (:-)
But when combined with biometrics, they provide stronger authentication.
The way I understand it, you can do biometrics/smartcards in at least
three general categories.
1) The template is stored on the server.
Advantage: No smartcard or token is needed
Problem: Replay attacks, and inability to authenticate if disconnected
Advantage: The template is fetched from the card, not the
server. So the authentication can be done
Problem: a smartcard is needed with enough memory to store the
template. Also, there is a danger of a replay attack.
3) Match-on-Card - The algorithm to match the template is on the card,
as well as the template. Once this is done, the data in the card
can be unlocked, and the private key on the card can be used to
authenticate the individual. Usually the card will lock itself up
if too many bad attempts are made.
Problem: Getting the algorithm to work on a smartcard (cpu,
code size, etc.). Some companies tell me they do it, or are
planning to do it.
Advantage: Strong authentication, and inability to replay the
authentication sequence because the private key isn't known or
revealed - ever.
Smartcards also have problems. The software I am using doesn't
authenticate the reader. So the PIN can be stolen, and if the card is
then stolen, you are out of luck.
Another approach is the Sony Puppy - which as I understand it combines
a smartcard and thumbprint reader into one device. You take it with
you to authenticate yourself.
This Match-on-Card is what I believe the US Government wants to use
with their Common Access Card. It only makes sense.
Are you telling me that these issues aren't covered in the book you
reviewed? Oh well.
>> Sending unsolicited commercial e-mail to this account incurs a fee of
>> $500 per message, and acknowledges the legality of this contract.
> Ever made any money from this? ;-)
Well, I feel better. Others have made money, with the right legal
threats. It also shuts up the dimwit harvesters when I point out that
each of my e-mail addresses is unique, and ALWAYS tagged with this
message. The flames to my ISP quickly die when they realize I did not
grant them permission to harvest my address, and that I didn't
-- Sending unsolicited commercial e-mail to this account incurs a fee of $500 per message, and acknowledges the legality of this contract.
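Added illustration of the replay point made in the post above (not code from the thread or from the book under review): a server-side template check, where resending captured template bytes is accepted, next to a match-on-card style challenge-response, where the card answers a single-use server nonce only after a local match and locks itself after three bad scans. Assumptions: the matcher is a toy exact-bytes comparison, the sample template is constructed, and an HMAC under a secret held on the card stands in for the card's private-key signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import os

# Category 1: the server stores a template hash and the reader sends the template
# itself, so bytes captured in transit pass exactly like the live scan.
def server_side_match(enrolled_hash, template):
    return hmac.compare_digest(enrolled_hash, hashlib.sha256(template).digest())

class Card:
    """Category 3: match-on-card. Template and key never leave the card."""
    def __init__(self, template):
        self.template, self.key, self.failures = template, os.urandom(32), 0

    def respond(self, scan, nonce):
        # Toy matcher: exact bytes. Three bad scans lock the card, and it stays locked.
        if self.failures >= 3 or not hmac.compare_digest(scan, self.template):
            self.failures += 1
            return None
        self.failures = 0
        # HMAC under the card's secret stands in for a private-key signature (stdlib only).
        return hmac.new(self.key, nonce, "sha256").digest()

class ChallengeServer:
    """Holds one verification key per user plus the nonces issued but not yet answered."""
    def __init__(self, user, card):
        self.keys, self.outstanding = {user: card.key}, set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, response):
        # The nonce is consumed on first use, so a captured (nonce, response) pair fails on replay.
        if nonce not in self.outstanding or user not in self.keys:
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(hmac.new(self.keys[user], nonce, "sha256").digest(), response)

def demo():
    thumb = b"constructed-minutiae-template"  # constructed sample, not a real template
    replay1 = server_side_match(hashlib.sha256(thumb).digest(), thumb)  # resent copy: accepted
    card = Card(thumb)
    server = ChallengeServer("alice", card)
    nonce = server.challenge()
    response = card.respond(thumb, nonce)
    first = server.verify("alice", nonce, response)
    replay3 = server.verify("alice", nonce, response)  # same pair resent: rejected
    return replay1, first, replay3  # (True, True, False)
```

Note that the server in the challenge-response design holds a verification key and never sees the template, which is the property the post attributes to match-on-card.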