e-academy – IT training excellence in Cardiff, Newport, Bristol and South Wales

Biometrics - coming to a LAN near you, soon

Everyone tells us that Biometrics is the future of computer security. But Biometrics is here, now. The hardware is here. The software is here. What is everyone waiting for?

01 April 2004

It's been interesting to watch the emergence of support for biometric devices within mainstream computer operating systems. You're probably familiar with the concepts of Extensible Authentication Protocol (EAP) over Transport Layer Security (TLS) and the flexibility of authentication and encryption bolt-ons like IPSEC with Authentication Header (AH) and/or Encapsulating Security Payload (ESP). In fact, Windows 2000 and Windows 2003 both embrace these technologies and even provide you with third-party off-disk manufacturer support - for example Secure Dynamics, for smart card readers. There's no lack of technology. Windows can handle it. So why is the promulgation of actual devices and the widespread use of such biometric authentication, authorisation or physical entry taking so long?

With a simple thumbprint server room entry lock rolling out at approx £350, clearly cost is still something of an issue. However, so is the apparent lack of concise guidelines on methods of use in a practical application. In many ways, Biometrics is still a solution looking for a problem.

We recently reviewed a book published by Springer, "Guide to Biometrics" (ISBN 0-387-40089-3), which was very thorough and quite unashamedly academic in approach. To be fair, it explores in real professional depth the mathematical corridors of False Error Rates (FER) versus False Acceptance Rate (FAR) versus mean Cross-over Error Rate (CER) - in plain English, "how many of your staff will be left out in the rain against how many non-employees will saunter straight through your new security?"
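As an added illustration of the trade-off the book describes (example code written for this page, not from the book, from e-academy or from any product named here), the following Python sweeps a decision threshold over constructed genuine and impostor match scores, reports the False Acceptance Rate and False Rejection Rate at each threshold, finds the crossover point, and shows how many genuine users a strict acceptance setting turns away. The score lists, the 0-100 score scale and the integer threshold steps are all assumptions.

```python
# Added example: threshold sweep over constructed matcher scores to trace
# FAR against FRR and find the crossover error rate. All scores are invented.

# Constructed similarity scores (0-100) from a hypothetical matcher.
# Genuine: an enrolled user's live sample against their own template.
# Impostor: someone else's sample against that template.
GENUINE_SCORES = [92, 88, 85, 83, 81, 79, 77, 74, 71, 68, 64, 59]
IMPOSTOR_SCORES = [12, 18, 23, 29, 34, 38, 41, 45, 49, 53, 58, 62, 66, 70]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostor attempts scoring >= threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate: share of genuine attempts scoring < threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES,
                thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(t, impostor_scores), frr(t, genuine_scores)) for t in thresholds]


def crossover(genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest, and the error rate there (CER).
    Ties resolve to the lowest such threshold."""
    t, a, r = min(error_curve(genuine_scores, impostor_scores),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_far(max_far, genuine_scores=GENUINE_SCORES,
                      impostor_scores=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR is at most max_far, with the FRR paid for it:
    the 'staff left out in the rain' cost of a given security setting."""
    for t in range(0, 101):
        if far(t, impostor_scores) <= max_far:
            return t, frr(t, genuine_scores)
    return None


if __name__ == "__main__":
    for t, a, r in error_curve()[55:75]:
        print(f"threshold {t:3d}  FAR {a:.3f}  FRR {r:.3f}")
    print("crossover (threshold, CER):", crossover())
    print("zero FAR costs (threshold, FRR):", threshold_for_far(0.0))
```

With these invented scores the two curves cross around a threshold of 65, and insisting on zero false acceptances pushes the threshold to 71, where a quarter of genuine attempts are rejected; that is the shape of the trade-off, whatever the real matcher's numbers turn out to be.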

Clearly the Smart Card is a fairly easy bet in terms of adopting a companywide authentication (both LAN and remote) policy, storing as it does the server-issued digital certificate. This whole procedure is made easier if Active Directory is in place with user certificate enrolment. A sound knowledge of Public Key Infrastructure (PKI) - including the setting up of Root Certificate Servers and Subordinate Servers - is absolutely vital (and, to help with this, Microsoft now offers a PKI course). The main issue that surrounded the powerful IPSEC over L2TP - Network Address Translators corrupting the packets as they do their job of opening the packet and replacing the source IP address - has been solved in Windows 2003 by the use of a further UDP wrapper. Microsoft has also tightened the shutting down of all IP traffic by leaving only Internet Key Exchange (IKE) open - whereas hitherto at least three ports (IKE, QoS and Kerberos) were left open. IKE is vital, of course, to establish a security association to agree the level of IPSEC co-operation.

Other Biometric technology will need a further push if we are to see widespread adoption at SME or even SOHO level. Some of the key remaining areas of concern are:

Enrolment policies

What are we aiming to achieve? Server sign-on or physical security? Are we 'matching' or 'searching'? A large database of faces against which our user is matched (an employee database) - but what about visitors? Or a small database of potential threat personnel (a terrorist database) - what happens when we get a match, false or otherwise? How long will enrolment take per person, how big will the resultant database be, and therefore how long will a match take? Take the following example (from the source book above):

i. Assume a system that checks each person's face against a negative database N of n=25 alleged terrorists.

ii. Use a best-case False Positive Rate (FPR) for face of 0.001 (=0.1%).

iii. If 300 people try to board an aircraft, 7 of them will likely match! (25*300 = 7,500 comparisons are performed, which gives 0.001 * 7,500 = 7 false positives.) Further, for each additional terrorist face added to the database, on average 0.3 people per flight will be falsely flagged.
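The book's arithmetic above, carried a little further as an added example (code written for this page, not from the book or from e-academy): the linear estimate the book uses, the exact probability that an innocent passenger matches at least one watchlist entry, the marginal cost of each face added to the list, and the matcher quality you would need to hold false flags to a target. The passenger count, watchlist size and FPR are the page's figures; everything else is an assumption, and the linear estimate comes out at 7.5 before the book rounds it to 7.

```python
# Added example: expected false alarms from screening passengers against a
# negative watchlist, following the arithmetic quoted above. The figures
# 300 / 25 / 0.001 are the page's; the exact-probability form is added here.

def linear_false_positives(passengers, watchlist_size, fpr):
    """The book's approximation: every passenger is compared with every
    watchlist entry, and each comparison false-matches with probability fpr."""
    return passengers * watchlist_size * fpr


def flag_probability(watchlist_size, fpr):
    """Exact probability (assuming independent comparisons) that one innocent
    person matches at least one watchlist entry. The linear form slightly
    overstates this because it double-counts people who match twice."""
    return 1 - (1 - fpr) ** watchlist_size


def expected_flagged(passengers, watchlist_size, fpr):
    """Expected number of innocent passengers flagged per flight, exact form."""
    return passengers * flag_probability(watchlist_size, fpr)


def marginal_flags_per_entry(passengers, fpr):
    """Extra innocent passengers flagged per flight for each face added to the list."""
    return passengers * fpr


def required_fpr(passengers, watchlist_size, max_flags):
    """Matcher FPR needed to keep expected false flags per flight at or below max_flags."""
    return max_flags / (passengers * watchlist_size)


if __name__ == "__main__":
    p, n, fpr = 300, 25, 0.001
    print("linear estimate:", linear_false_positives(p, n, fpr))
    print("exact expectation:", round(expected_flagged(p, n, fpr), 2))
    print("per extra watchlist face:", marginal_flags_per_entry(p, fpr))
    print("FPR needed for <= 1 false flag per flight:", required_fpr(p, n, 1))
```

The last function is the planning question in reverse: to get the false flags on a 300-passenger flight down to one, a 25-entry watchlist needs a matcher with an FPR near 1 in 7,500, an order of magnitude better than the best-case figure the book quotes.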

Interface usability

No matter how well you plan, you will get some resistance from staff, or the public, if the interface is not user friendly. The rates of Failure to Enrol (FTE) and Failure to Use (FTU) may increase because of this. There are also issues regarding cleanliness (where handprints are required, etc.), the time it takes to enrol into the database, and any perceived health hazards (using relatively untested retina scan technologies, for example).

Device Security

If we need to employ yet more technology (for example CCTV) to watch the biometric device, then this may become cost-prohibitive. Equally, the cost of protecting the database entries against attack or impersonation may also be an issue. The advent of protection profiles, as used in certification, may go some way to guarding against impersonation at the device. In the meantime you might need to look at dual or even multiple authentication - i.e. combining who you are (thumbprint) with what you have (smart card) and what you know (perhaps a PIN).

Privacy of data

Clearly, this is an area that warrants careful consideration to ensure that civil liberties are not infringed, that databases are purged of legacy records and that personnel are assured that the database is not being sold on to third parties!

There are many practical solutions which are commercially available right now. Most currently involve the use of a combined token, token reader, biometric device, rank engine, match template and sample database of enrolled biometrics, watched over and controlled by a host biometric scalable application. The main emerging bio flavours are:

a. Fingerprints: The fingerprint is scanned electronically to create a reference template; either the minutiae or an image is captured. (For this, the database can be quite large.)

b. Hand geometry: This method involves a 3D image of the hand to produce the template. (This only needs quite a small database, with good network transmission and storage.)

c. Iris recognition: Infrared scans are used to distinguish the iris from the pupil and sclera. Detail of the trabecular meshwork of the iris is then stored. (This can be susceptible to change by illness or by different light conditions entering the iris.)

d. Facial recognition: An image of the whole face is taken and stored; this involves plotting geometric points and/or grey-scale analysis of pixels, and can include thermal analysis.

e. Voice recognition: The dynamics of vocal enunciation - the vocal tract, mouth and nasal cavities - are stored and then compared to a live sample; not to be confused with speech recognition.

f. Signature verification: The dynamics inherent in a signature, which may include a stored image of the signature itself; it is in widespread use already in low-key verification methods such as credit card confirmation.

When it comes to Biometric APIs or software for planning purposes there are already a fair few on the market. A few examples (in no particular order or recommendation) are as follows:

Pentakis

This is a biometric planning software tool which is GUI-driven and addresses scalability, cost, population profile and user psychology. It runs behind a Borland database engine.

Bantam Program Manager

This is essentially a rollout programme manager toolset, specifically for management and control of the enrolment programme, training and follow-up. It can be used for a standalone implementation but is scalable over a whole-organisation rollout. It has pretty good report generation wizards.

BioAPI helper

There are already a few applications which give programmers detailed information on current BioAPI specifications; CBEFF Helper utilities for software developers are also readily available.

In summary, biometric technology is starting to gather a head of steam and large-scale organisations are already embracing it, especially now that the server operating systems (such as Windows 2003) readily support it. ATMs, prisons and voting systems are all being trialled, but the BioAPIs are starting to percolate downwards and become a serious cost-centred solution for enterprise- and medium-size companies.

It's really just a question of when and how, not if. So, I'll see you sometime soon, stuck out in the rain, desperately pressing my eye against an iris reader!