Security fears in the field of biometrics – a real inhibitor of diffusion

Introduction

To explain the concept of security in biometric technologies, one must answer the following questions:

  • What is biometrics?
  • Which biometric information is captured during the registration process?
  • How is this information communicated to a central point?
  • Where is this information stored?
  • What measures have been taken to secure the stored biometric data?

What is biometrics?

Biometrics (ancient Greek: bios life, metron measure) refers to the technologies and methods for uniquely recognizing individuals based on one or more intrinsic physical or behavioural characteristics. By capturing a mathematical representation of a unique biological feature (registration), future samples of the same characteristic can be compared with the original sample to verify that they come from the same person (verification).

A number of biological characteristics can be used to uniquely identify a person. Of those that applications of biometrics primarily focus on, fingerprints, vein patterns, iris features, facial features and voice patterns are the most popular.

All the modalities listed fall under the physiological features category. Behavioural features that can be used in biometrics include signature recognition, gait analysis, and typing or keystroke dynamics.

What biometric information is captured during the registration process?

For both security and performance reasons, manufacturers of biometric access control devices use a principle called "feature extraction" to capture the unique features of a person without storing an exact replica of the modality used.

For example, in fingerprint biometrics, rather than recording an image of the person's fingerprint, the information within that image that ensures uniqueness is mathematically extracted and saved against the person's identity.

This is called a 'template' and would typically include vectors and/or data points marking various unique features.

Using image-processing algorithms, the software in the device is capable of identifying ridge endings (where the lines in the fingerprint end) and ridge bifurcations (where the lines split into two). These are also known in the industry as minutiae points.

By storing only the position and direction of the ridge endings and ridge bifurcations, the software is able to capture the uniqueness of each person with a limited amount of data.

The same principle applies to all other biometric modalities, be it the face, iris, voice, or subcutaneous vein patterns.
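
The registration and verification steps described above, as an added example that is not part of the original article and not any vendor's algorithm: a template holds only minutiae position, direction and type, and a fresh sample is scored against it. The 7-byte record layout, the tolerances and the threshold are assumptions chosen for illustration; real matchers also align the sample for rotation and translation, and this is not the MINEX format.

```python
import math
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Minutia:
    x: int      # pixel column of the feature
    y: int      # pixel row of the feature
    angle: int  # ridge direction in degrees, 0-359
    kind: int   # 0 = ridge ending, 1 = ridge bifurcation

def pack_template(minutiae):
    """Serialize a template: 1 count byte, then 7 bytes per minutia."""
    blob = struct.pack("<B", len(minutiae))
    for m in minutiae:
        blob += struct.pack("<HHHB", m.x, m.y, m.angle, m.kind)
    return blob

def unpack_template(blob):
    """Parse a stored template, rejecting truncated or padded blobs."""
    if not blob or len(blob) != 1 + 7 * blob[0]:
        raise ValueError("malformed template")
    return [Minutia(*struct.unpack_from("<HHHB", blob, 1 + 7 * i))
            for i in range(blob[0])]

def match_score(enrolled, sample, dist_tol=10, angle_tol=15):
    """Fraction of enrolled minutiae paired with a distinct sample minutia."""
    unused, hits = list(sample), 0
    for e in enrolled:
        for s in unused:
            turn = abs(e.angle - s.angle) % 360  # wrap: 355 and 4 are 9 apart
            near = math.hypot(e.x - s.x, e.y - s.y) <= dist_tol
            if e.kind == s.kind and near and min(turn, 360 - turn) <= angle_tol:
                unused.remove(s)  # each sample point may be used once
                hits += 1
                break
    return hits / len(enrolled) if enrolled else 0.0

def verify(enrolled_blob, sample, threshold=0.75):
    return match_score(unpack_template(enrolled_blob), sample) >= threshold

# Constructed sample data (not real fingerprint measurements).
ENROLLED = [Minutia(40, 52, 90, 0), Minutia(120, 80, 355, 1),
            Minutia(75, 140, 200, 0), Minutia(160, 30, 45, 1)]
SAME_FINGER = [Minutia(43, 50, 95, 0), Minutia(118, 83, 4, 1),
               Minutia(77, 138, 195, 0), Minutia(190, 200, 10, 0)]
OTHER_FINGER = [Minutia(20, 20, 10, 1), Minutia(100, 100, 270, 0),
                Minutia(41, 53, 270, 0), Minutia(150, 150, 90, 1)]
TEMPLATE = pack_template(ENROLLED)  # 29 bytes for four minutiae
```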

How is this information communicated to a central point?

Once the templates are captured, they must normally be sent through a communication channel to a central point. One could argue that this is not necessary, and that the information should be kept on the device only. But the practical truth is that, except for very small deployments, the last thing one wants is to re-enroll every person in the company on every device that forms part of the access-control perimeter.

Communication channels, whether RS232, RS485, TCP/IP, or custom protocols, are all exposed to a certain degree of hacking.

We have all seen highly encrypted, secure internet communications compromised. Biometric templates sent over a network transmission line will have, at least, the same level of risk exposure.

Where is this information stored?

Once the templates reach the destination, how are they persisted? In a flat file on a hard drive? In a weakly protected set of tables that anyone who can Google can find a way to access? Or are they saved with an acceptable level of encryption in a well-designed digital locker?

But fears and concerns are real and often well-founded

Anecdotal evidence shows that:

  • Not all biometric devices use template extraction alone.

In other words, they either save the complete image, or save enough of that image that a good likeness of the original (finger / eye / face) can be reconstructed later.

  • Not all network communication is encrypted.

Even if it is not possible to access the biometric information through the biometric device itself, intercepting network packets is still child's play if one has access to the right tools.

  • Not all databases are created equal

There are a number of solutions on the market that store templates as regular digital files in a predefined directory structure. Likewise, databases, including those "free" ones that we all have on our PCs, are a farce when it comes to their ability to truly protect your data.

So what to do if I want to implement biometric technologies in my company?

  • Make sure your biometric devices do, in fact, perform template extraction, and confirm that these algorithms produce a unique, irreversible format so that it is not possible to reverse-engineer the original image (fingerprint, eye, face, etc.). One such format, which most of the leading biometric companies continuously strive to meet, is the MINEX (Minutiae Interoperability Exchange) standard. You can read more about this on the NIST (National Institute of Standards & Technology) website.
  • Limit network communication to a minimum. Try to enforce the rules around who can go where, and when, on the biometric device itself, and send fingerprint templates only on those occasions where it is absolutely necessary. This would in fact be limited to the time of the initial enrolment.
  • Protect your data. One can write books about database security. It is of no use having the templates reside in a 128-bit encrypted database if your IT guy knows the password because he needs to perform daily backups of the database.

Human Dynamics

There is a clear concern in the use of biometrics as a unique identifier of a person.

Unsafe security

If the password to your online banking is discovered, you can easily change it. Likewise, if someone finds the piece of paper with your computer password written on it, you can always change it.

But if your biometric identity is compromised, what then?

Fear of persecution:

The strong association between fingerprints and law enforcement has proven a major obstacle to the successful adoption and diffusion of biometric access control systems. What guarantees can you give your employees that you will not send their fingerprints to the police or some form of centralized law enforcement?

In South Africa, the Criminal Justice (Forensic Procedures) Amendment Bill is currently on the table for review. This bill, once proclaimed, paves the way for unified access to the SAPS AFIS system, Home Affairs' HANIS system, and the Ministry of Transport's eNaTIS system.

Great news for most of us! But not all of us ...

Summary

Biometric systems, whether implemented at border controls, in law enforcement, access control, or time and attendance, have the potential to simplify our lives if we take note of the fact that we are dealing with human beings. This technology has touch-points with human dynamics that have never before been encountered. Not on this scale, anyway.

If we take a more holistic approach to implementing this technology, we may find that it is more important to sell the concept to your staff, trade unions and shop stewards than to sell it to your board of directors.

Liam is the Technical Director and CIO at Accsys (Pty) Ltd. Starting out his career as an electronic engineer at Iscor, he gained vast experience in mission-critical database implementations. Liam has a keen interest in signal processing applications, biometrics and related algorithms, artificial intelligence, and software development. He is an outspoken open-source proponent and has been involved in numerous open-source projects.
