pablos.
pablos@kadrevis.com
Biometrics
Working with security technologies gives you a great appreciation for how difficult it is to effectively secure anything. As typical security measures became more transparent to me, I've become disheartened by the thin veneer of security that is often employed simply to make people feel safe. This applies to everything: banks, airports, computers, door locks, cash machines, the army, whatever. As more and more transactions of all types are conducted online, solving security problems has become even more crucial. One particularly elusive problem is key management: having average people keep track of their keys. This is exactly like keeping track of your car keys, but with greater implications. All the same concerns exist: losing your keys, copying your keys (legitimately or not), breaking your keys, loaning them out, etc. To be honest about the state of technology, nobody who knows what they're talking about has a good, practical solution.

Sadly, a lot of folks are looking to biometric technologies as the panacea for a wide range of security problems. This is bound to create more security problems than it solves, regardless of the technology in use (fingerprinting, retina, iris, face scans, or anything else). In the future, I'll post more detailed criticisms here explaining why.

I can envision a single usage pattern in which biometrics would be acceptable, and it pivots on putting profile data in the full possession and control of its subjects. For instance, I could accept a smart card with a fingerprint reader built in, where my profile is created and stored on the card and never leaves it. I've been watching the market for years and have never seen any such product released. Keep checking back here and I'll let you know when one exists. Until then, I believe everyone should flatly refuse the use of biometric technologies in any shape or form.

Update 2006-10-1: Privaris claims to have done things the right way. I haven't looked at their product yet, but they explicitly state in product literature that the fingerprint profile is loaded onto the FOB and stays there.

Related Notes:

Bertillonage - An interesting bit of criminal history about early biometrics, the Bertillonage system used before fingerprinting.
Markus Kuhn on c't article - Markus Kuhn commenting on the May 2002 c't report about biometric device insecurity.

Related Links:

Biometrics: Truths and Fictions - Bruce Schneier on Biometrics in the August 1998 Crypto-Gram
ACLU Press Release on Visionics - Don't believe the recent hype around Visionics' facial recognition technology.
The Register Covers ACLU Research on Visionics - This is The Register's article about the ACLU's interest in Visionics.
Why Dorothy Denning Loves Biometrics - Dorothy Denning is a noisy crypto expert who sold out to the feds long ago. She previously supported the Clipper Chip (key escrow) and is now carelessly pushing biometrics.
Fingerprint Scanners in Thriftway - Seattle Grocery store binds fingerprints to payment cards. I'll go take a look tomorrow.
Gummy Fingers - Cryptome archive of Tsutomu Matsumoto's work on gummy fingers.
Fingerprint Follies and the Superman/Clark Kent Biometric Conundrum - Heavily linked article about biometrics spurred by Matsumoto's work.
Biometric Access Protection Devices and their Programs Put to the Test - May 2002 c't article on Biometric device insecurity. Translated to English from German.
Dan's Data on Faking Fingerprints - Article about how to fool a DigitalPersona U.are.U Personal Fingerprint Scanner.
Using putty to fool fingerprint readers - A handy HOWTO about using putty to defy fingerprint readers.