Welcome to Issue 2 of The Internet Security Conference Newsletter, Insights. Insights provides commentaries and educational columns, authored by some of the best minds in the security community, who have agreed to teach and speak at The Internet Security Conference, April 24-28, at the Fairmont Hotel in San Jose, CA.
The editorial calendar at this time includes columns and contributions from:
TISC is about sharing clue, and so is the newsletter. I promise you we will do our best to provide something *useful* each issue. If we don't, complain directly to me. I'd also like to hear and share your comments on the columns we push, and on topics you'd like to read about or see at TISC.
'Nuf said.
This issue's column is about biometrics. Well, they're far more advanced and far less expensive than the kinds we've seen in Bond films of the Connery vintage. And they are more readily distributed and portable than ever. Stephen Kent discusses some of the logistics and practical matters we should consider in applying biometrics in internetworking environments.
Happy reading and warm regards always,
Dave Piscitello
Biometric authentication technology has long been a staple in spy and sci-fi movies. In fact, this technology has been used successfully in high security contexts as part of physical access control systems. Biometrics includes analysis of fingerprints, voice prints, hand geometry, iris and retinal scans, even keyboard and handwritten signature dynamics. Now biometric authentication systems are becoming more affordable and a number of companies are offering the technology for use in corporate networks. However, a close examination of the principles that underlie this technology suggests that it may be inappropriate for user authentication in a network (e.g., Internet or intranet) environment. Let's examine how biometric authentication in a network environment works, so that we can understand its limitations.
First, a user registers with the biometric authentication system. This usually entails scanning the biometric in question multiple times, to establish a reference template against which future authentication attempts will be measured. The template is a distillation of the biometric feature measurements captured during this registration procedure. Later, when a user attempts to login, the biometric captured during the login process will be compared against this template. The comparison process essentially involves scoring the captured biometric against the values that make up the template. Note that every time a biometric is captured, the values are likely to be somewhat different. This is largely a result of imprecision in the capture (measurement) technique, but for some biometrics, it also represents changes in the biometric itself, e.g., variations in handwriting or speech patterns. Thus the scoring process does not require an exact match, but rather requires that the score is high enough to distinguish the real user from an imposter. In many systems, an administrator has the ability to tune the scoring threshold. This may be necessary to avoid too many false negatives (i.e., rejecting authentic user login attempts due to capture inaccuracies), but it also opens the door to tuning the system into a range where false positives (accepting invalid user logins) become a problem.
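The enrol-then-score loop described above, with the threshold tradeoff made concrete, as an added example in Go (this is illustrative code written for this column, not the code of any biometric product the column mentions). The feature vectors, the averaging enrolment and the Euclidean-distance scorer are all assumptions chosen for clarity; real products use proprietary feature extraction and matching, and the sample captures below are constructed toy data, not real biometric readings.

```go
package main

import (
	"fmt"
	"math"
)

// Features is a fixed-length feature vector, the form a capture device's
// output takes once it has been reduced to numbers. All vectors below are
// constructed toy data, not a real biometric encoding.
type Features []float64

// Constructed registration captures: three scans of the same user.
var EnrollCaptures = []Features{{10, 10}, {10.5, 9.5}, {9.5, 10.5}}

// Constructed login captures. The last genuine one is a poor-quality scan;
// the third impostor happens to resemble the user rather closely.
var Genuine = []Features{{10.25, 10}, {10, 9.75}, {10.5, 10.5}, {9, 10}}
var Impostor = []Features{{12, 10}, {10, 13}, {11, 10}, {10, 11.5}}

// Enroll distils several registration captures into one reference template
// by averaging them component-wise (an assumed, simplified enrolment).
func Enroll(captures []Features) Features {
	tmpl := make(Features, len(captures[0]))
	for _, c := range captures {
		for i, v := range c {
			tmpl[i] += v
		}
	}
	for i := range tmpl {
		tmpl[i] /= float64(len(captures))
	}
	return tmpl
}

// Score rates a captured sample against the template: 1.0 is an exact match
// and the score falls towards 0 as the Euclidean distance grows.
func Score(tmpl, sample Features) float64 {
	var sum float64
	for i := range tmpl {
		d := tmpl[i] - sample[i]
		sum += d * d
	}
	return 1 / (1 + math.Sqrt(sum))
}

// Rates returns the false reject rate (genuine captures scoring below the
// threshold) and the false accept rate (impostor captures scoring at or
// above it) for one threshold setting.
func Rates(tmpl Features, genuine, impostor []Features, threshold float64) (frr, far float64) {
	rejected, accepted := 0, 0
	for _, g := range genuine {
		if Score(tmpl, g) < threshold {
			rejected++
		}
	}
	for _, x := range impostor {
		if Score(tmpl, x) >= threshold {
			accepted++
		}
	}
	return float64(rejected) / float64(len(genuine)), float64(accepted) / float64(len(impostor))
}

func main() {
	tmpl := Enroll(EnrollCaptures)
	fmt.Printf("template: %v\n", tmpl)
	// Sweep the administrator's knob: lowering it admits the poor genuine
	// scan, but the same change starts admitting the look-alike impostor.
	for _, th := range []float64{0.65, 0.55, 0.45, 0.35} {
		frr, far := Rates(tmpl, Genuine, Impostor, th)
		fmt.Printf("threshold %.2f  FRR %.2f  FAR %.2f\n", th, frr, far)
	}
}
```

With this data a threshold of 0.55 rejects one of the four genuine captures (the poor scan) and no impostors; dropping it to 0.45 to cure that false reject admits the impostor whose capture sits at the same distance from the template. The two rates move in opposite directions, which is exactly why the tuning knob deserves a documented setting and a test corpus rather than an ad hoc adjustment.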
During the registration procedure the user's account is established, binding the template to a user ID. This procedure must be effected in a secure fashion, i.e., there must be a high degree of confidence that the user being registered is accurately identified and that the biometric data being captured is associated with that user. The template created during registration is usually stored on an authentication server. Once registration has been completed, a user authenticates himself by effecting biometric capture at a workstation, and forwarding the result, along with a purported user ID, to a server.
When a biometric is transmitted over a network to an authentication server it must be encrypted, to prevent it from being intercepted by an eavesdropper. Unless such protection is provided, the biometric, which has been reduced to a bit string, is just as vulnerable to being sniffed as a static password. Unlike a static password, a biometric should not be guessable by an attacker, and in that respect it is superior. However, biometrics are not really secret quantities. We deposit fingerprints on everything we touch, our voice may be recorded and analyzed, etc. So, in a high threat environment, a biometric authentication system might be unacceptable because of the ability of adversaries to acquire biometric data surreptitiously. This sort of concern may not be an issue in most enterprise environments, if we assume that the attackers are hackers effecting an attack from a distance. However, since insider attacks are commonplace in such environments, it behooves us to remain aware of opportunities for an employee to acquire biometric data for co-workers.
A more serious concern arises because of the insecurity typically surrounding the capture mechanism. What is transmitted to a server is a bit string that purports to be a biometric. But, using the biometric technology available for the desktop today, there is little assurance that the bit string has been acquired through a biometric capture process. To ensure that the transmitted data really does come from a biometric capture process, the equipment that effects the capture must be able to protect the data against forgery, e.g., by digitally signing it before delivering it to the PC to which the capture device is attached. In turn, the key used to sign the data must be unique to the device in question, and the device should exhibit a reasonable degree of tamper resistance. For example the device might be required to meet the cryptographic key protection criteria established by FIPS 140-1 at level 3 (a level of security attained by a growing number of small hardware crypto modules). But none of the biometric capture devices available today offer significant protection for cryptographic keys contained inside, e.g., none have been certified to meet any level of FIPS 140-1 security. Thus it may be easy for an attacker to fabricate a bit string and submit it as though it were a genuine capture, without ever having had physical access to the user's biometric.
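What the device-signed capture just described looks like as a protocol, with both the reader's and the server's side shown, as an added example in Go (illustrative code written for this column, not any vendor's firmware or server). Ed25519 from Go's standard library stands in for whatever signature scheme a tamper-resistant reader would implement, and the server-issued challenge nonce is an addition beyond what the column asks for: signing alone proves which device produced a bit string, but without a nonce a genuine signed capture sniffed from the wire could simply be replayed. Device serials, user IDs and the sample bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// CaptureDevice models a tamper-resistant reader whose signing key never leaves it.
type CaptureDevice struct {
	Serial string
	priv   ed25519.PrivateKey
}

// SignedCapture is what the reader hands to the untrusted PC for forwarding.
type SignedCapture struct {
	DeviceSerial string
	Nonce        []byte // server-issued challenge binding the capture to one login
	Sample       []byte // the biometric, already reduced to a bit string
	Sig          []byte // Ed25519 signature over (serial, nonce, sample)
}

// Server holds each registered reader's public key and the unconsumed challenges.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string][]byte // purported user ID -> outstanding challenge
}

func NewDevice(serial string) (*CaptureDevice, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CaptureDevice{Serial: serial, priv: priv}, nil
}

// Public is the key the server records when the reader is registered.
func (d *CaptureDevice) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// encode length-prefixes each field so the signed message is unambiguous.
func encode(serial string, nonce, sample []byte) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(serial), nonce, sample} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		b.Write(l[:])
		b.Write(f)
	}
	return b.Bytes()
}

// Capture stands in for the physical scan; the sample is signed inside the
// device before the PC ever sees it.
func (d *CaptureDevice) Capture(nonce, sample []byte) SignedCapture {
	sig := ed25519.Sign(d.priv, encode(d.Serial, nonce, sample))
	return SignedCapture{DeviceSerial: d.Serial, Nonce: nonce, Sample: sample, Sig: sig}
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) RegisterDevice(serial string, pub ed25519.PublicKey) { s.devices[serial] = pub }

// Challenge issues a fresh random nonce for one login attempt by userID.
func (s *Server) Challenge(userID string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[userID] = nonce
	return nonce, nil
}

// Verify checks origin and freshness before any template scoring takes place.
func (s *Server) Verify(userID string, c SignedCapture) error {
	nonce, ok := s.pending[userID]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.pending, userID) // single use, so a replayed capture fails here
	if !bytes.Equal(nonce, c.Nonce) {
		return errors.New("capture does not answer the current challenge")
	}
	pub, ok := s.devices[c.DeviceSerial]
	if !ok {
		return errors.New("capture claims an unregistered device")
	}
	if !ed25519.Verify(pub, encode(c.DeviceSerial, c.Nonce, c.Sample), c.Sig) {
		return errors.New("signature invalid: sample did not come from the registered device")
	}
	return nil // only now is c.Sample passed on to template scoring
}

func main() {
	dev, _ := NewDevice("reader-0001")
	srv := NewServer()
	srv.RegisterDevice(dev.Serial, dev.Public())
	nonce, _ := srv.Challenge("alice")
	sc := dev.Capture(nonce, []byte("constructed feature vector, not a real scan"))
	fmt.Println("genuine capture:", srv.Verify("alice", sc))  // <nil>
	fmt.Println("replayed capture:", srv.Verify("alice", sc)) // error: challenge already consumed
}
```

The signature covers the serial and the nonce as well as the sample, so a bit string the PC invents, a genuine capture altered in transit, and a capture from a reader the server never registered are all rejected before the scoring step runs. Note what this does not buy: the column's FIPS 140-1 point still stands, because the whole check rests on the private key staying inside the reader, and the sample still travels in the clear unless the transport is separately encrypted.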
How might an attacker acquire such data without being anywhere near the user? Remember the authentication server from above. In it are stored the templates for all of the users that can be authenticated by the server. The templates must be stored in what is essentially unencrypted form since the server must compare the captured biometric against template values, to score it. Thus a violation of security at the authentication server can result in disclosure of all the templates stored there. With knowledge of template data and the algorithm used for scoring, an attacker can work backwards to generate a bit string that will appear to be a valid biometric scan for the user in question.
Now, if biometric authentication were to become popular, it is likely that a user's biometric data might appear in a number of servers, maintained by various organizations who have elected to use this approach for authentication. A security breach at any of these servers would compromise the user's biometric data, thus enabling attackers to pose as that user for any system that relied on the same biometric. This scenario, by itself, might discourage widespread adoption of biometric authentication technology in network environments. Users might object to registering for biometric authentication, knowing that a security breach at any server could compromise their login security for many systems. Unlike an authentication system based on passwords or cryptographic keys, one cannot simply change a user's biometric!
So, are biometrics safe in any contexts? As I noted in the beginning of this article, biometrics have been used successfully as a component of physical access control mechanisms for years. In these environments one can physically secure the biometric capture, to prevent the sort of attacks described above. The use of biometrics for purely local user authentication, as in Apple's voice authentication feature in Mac OS 9, avoids some of these problems as well. Using a biometric to logically "unlock" a personal cryptographic token, e.g., a smart card, is also not subject to the same set of attacks. (However, a token might be covered with the user's fingerprints, making that particular biometric less attractive in this context!)
An intriguing potential use for biometrics in the computer environment is not as an authentication mechanism per se, but as part of what Mike Reiter and his colleagues at Lucent call "password hardening." This scheme, described in a paper presented at the ACM security conference in November of 1999, is designed to increase the level of entropy (randomness) in a password by adding in biometric factors (keystroke timing, in their paper). In this way one can use a password to protect a cryptographic key which is used to authenticate the user in an IPsec or SSL context, or for encrypting storage on a laptop. This scheme may be attractive when the keys are stored on a computer, and subject to offline attacks, or even when a crypto token is involved, since most are not very tamper resistant. This scheme uses several algorithms, including secret sharing, to make it harder for an attacker to guess the user's password, even assuming that the attacker has access to the files encrypted (indirectly) by this key. The work is still in a preliminary stage, but it looks promising.
[Editor's Note: Anticipating you might want to see the password hardening paper Steve refers to, I asked for--and received!--URLs: