Biometric Authentication Systems
Author: paris2K
Tuesday, 21 January 2003, 23:49 GMT

Biometric Authentication Systems. It sounds difficult, but it isn't. You all know what an authentication system is. It's a method for a computer to decide whether you are who you say you are, and thus a method to let you into a certain system or deny you access to it. (In this case one should think not merely of one's own computer but also of e-commerce, for example, credit card use, etc.) Most of the time, authentication is done with a password and username combination. (Sometimes by trusted IP addresses or other things, but that's beside my point.) As far as the "biometric" part is concerned, biometric means: the measurement of life for statistical or actuarial purposes. (Or that's what the Concise English Dictionary tells me.) In this case we are just talking about a combination of machinery and physical characteristics of a human being that together form an authentication system. The most obvious of these systems are the ones you have all seen in movies: the fingerprint- or iris-scan systems.

----[ 1.2 How It Works

Of course there are many differences between the different biometrical authentication systems, but all systems basically work on the same principle. To recognise whether a person is who he claims to be, the system needs to compare a sample of the physical structure of that person with a sample that was taken earlier. To make sure the system can make a comparison, one first has to "sign up" with the system. This process is called enrollment (1). A biometric sample of the user is taken, which can later be used for comparison when the user requests to be authenticated (4). The sample that is taken during enrollment (called the "biometric template") is saved into the system (3), and after that the system has something to compare a user with when he tries to authenticate (4). When the given biometric sample matches the one in the system, you are authenticated and get access (7); when there isn't a match, you don't (8). The whole process of authentication can also be monitored. In this case, the process of trying to be authenticated is sent to an outside network, another computer, etc. (9). This is done in the same manner as some IDSs monitor access attempts.
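
The enrollment and verification flow described above, as an added example that is not part of the original article. It goes slightly beyond the text by showing that a fresh scan never equals the stored template bit for bit, so a "match" is a distance under a threshold. The Matcher class, the 0.32 threshold and the random 512-byte templates are assumptions constructed for illustration.

```python
import random

TEMPLATE_BYTES = 512   # template size the article quotes for an Iriscode
THRESHOLD = 0.32       # assumed decision threshold, illustrative only

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))

class Matcher:
    def __init__(self):
        self.templates = {}   # user id -> template saved at enrollment
        self.audit = []       # decisions a monitoring host could collect

    def enroll(self, user: str, sample: bytes) -> None:
        if len(sample) != TEMPLATE_BYTES:
            raise ValueError("unexpected template size")
        self.templates[user] = sample

    def verify(self, user: str, sample: bytes) -> bool:
        template = self.templates.get(user)
        ok = (template is not None and len(sample) == TEMPLATE_BYTES
              and hamming_fraction(template, sample) <= THRESHOLD)
        self.audit.append((user, "granted" if ok else "denied"))
        return ok

def noisy_copy(sample: bytes, flip_rate: float, seed: int) -> bytes:
    """Constructed stand-in for a fresh scan: flips a share of the bits."""
    rng = random.Random(seed)
    out = bytearray(sample)
    for i in range(len(out) * 8):
        if rng.random() < flip_rate:
            out[i // 8] ^= 1 << (i % 8)
    return bytes(out)

def demo():
    rng = random.Random(1)   # constructed sample data, not real biometrics
    alice = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    other = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    m = Matcher()
    m.enroll("alice", alice)
    results = (m.verify("alice", noisy_copy(alice, 0.10, seed=2)),  # same user, noisy scan
               m.verify("alice", other),                            # different person
               m.verify("bob", alice))                              # never enrolled
    return results, m.audit
```

Raising the threshold admits more noisy scans from the right user but also more scans from the wrong one, which is the trade-off every matcher of this kind has to tune.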

----[ 1.3 Different Techniques

Let me explain what kinds of biometric techniques exist to verify that a person (in this case a computer user) is who he claims to be. Although I'm sure my list is not exhaustive, I will discuss the most common examples of biometric authentication systems. I will discuss the different techniques only briefly, as it is quite obvious how they work: at their base, all biometric authentication systems work in the same manner.

--[ 1.3.1 Finger-Scan

Basically this is a technology where you use an apparatus connected to your computer that scans your finger and so recognises that you are you. If it recognises you, you are granted access; if not, you are not. But there is a difference between the well-known fingerprint technique used by law enforcement and the finger-scan technique. The fingerprint system used to make an ink copy of the tip of your finger, where your fingerprint is, and after that, law enforcement could always compare your fingerprint with the image of it that they had taken on an earlier date. This way it could be established who you are, or prints from a crime scene could be compared with a fingerprint database of known criminals. Nowadays law enforcement doesn't use ink anymore; they make a high-resolution picture of your fingerprint. And this is where the fingerprint system differs from the finger-scan system. Finger-scan technology also uses the fingerprint, but only uses small amounts of specific information from it. The number of bytes used to save a finger-scan is about 250 up to a thousand bytes, whereas an exact copy of the fingerprint uses 250 kilobytes. So in fingerprinting an exact copy is made, but with a finger-scan there's no exact copy saved, and thus there can not be an actual reconstruction of the fingerprint from the saved information.

--[ 1.3.2 Iris-Scan

Another well-known biometric authentication system is the iris-scan. The idea is comparable to the finger-scan. The eye contains a certain structure which is different for all human beings and thus can be used to authenticate a person. With the use of normal or ultra-violet light, it's possible to distinguish patterns in the "trabecular meshwork", a tissue that divides the iris in a radial fashion. Not only this, but also other recognisable things like freckles, rings and other specific characteristics are encoded into a 512 byte Iriscode, which is the iris-scan's equivalent of the fingerprint. Although the iris-scan has basically always been a bigger and more expensive system, it has proven to be very accurate. It has been used so far in high-security facilities and on a trial basis at ATM machines, correctional facilities and airports.

--[ 1.3.3 Facial-Scan

Contrary to what some of you may have expected, there is no link with any sexual activity here ;-) The facial-scan technique makes use of specific characteristics of the human face. It compares data from certain parts of the face with your face during a scan. Only certain parts of the face are used in this technique (the upper outlines of the eye sockets, the areas around the cheekbones, and the sides of the mouth) because these parts are hard to change with plastic surgery. And so, in this case it wouldn't matter if you lost some weight, became a bit thin or changed your hairdo. The facial-scan technology works fine at a 320x240 resolution and 3.5 frames per second, which means it can be used with normal PC video equipment!

--[ 1.3.4 Hand-Scan

The hand-scan technology is fairly accurate but doesn't use as much data as the finger-scan or iris-scan methods do. It uses a 32 thousand pixel digital camera to measure the width, length and thickness of the hand and the fingers. Over 90 different measurements are taken and all this is saved in a 20-byte template. There are already many hand-scan devices on the market, many of which can be used with your normal home PC.

--[ 1.3.5 Voice-Scan

The voice-scan technology makes use of the fact that no voice is like any other. The authentication device records the voice of a user and is able to recognise this voice on a later day, because of the specific characteristics of a human voice. It's important that the same equipment is used, under basically the same circumstances, for both the first voice recording and later recognition, because things like sound and recording equipment quality, echoes, background noise, etc. influence the recognition system. One of the advantages of voice-scan technology over other biometric authentication systems is that it requires no expensive equipment. It can be used with a normal computer and soundcard.

----[ 1.4 Advantages of Biometric Authentication

An important question one should ask whenever a new technique arises is whether we have use for it. Or, in other words, what are the advantages of biometrical authentication systems? Well, the main difference between a "normal" authentication system and a biometrical one is the fact that the biometrical system authenticates the user. It does what authentication systems were actually designed to do. Whereas a "normal" authentication system merely checks whether the password/username combination is correct, the biometrical system actually checks whether it is really you who's logging on to the computer or trying to gain access. This is because the biometrical authentication system checks for certain physical characteristics of a human being, which are not (or hardly) changeable. One can not give his retina to another user, or his fingerprint. Another can not steal one's retina or fingerprint like he could his password or keycard. (Despite the funny eyeballs stuck on a pen in movies!) So first of all, the specific data one has that gives him access to a secured area can not be given away or stolen as easily as with normal authentication systems, and second of all, biometric authentication systems are designed to work only with living biological parts of the human body. So chopped-off fingers or popped-out eyes will basically get you nowhere. And even if it would work, keep in mind what this means for the hacker; to steal one's password is one thing, but to take out someone's eye or chop off someone's finger? Well, I'm not sure how badly you guys have ever wanted into a certain system, but I assume this is where it stops for most of you. (Or at least I hope so.)

Another advantage of a biometric authentication system is the fact that a user can not lose or forget his retina, his fingerprint or his voice. Where keycards, keys and passwords can be easily lost or forgotten, these can not.

Also there's a possible advantage of speed. It just takes less time to get your eye scanned than it does to type in both a password and a username, or to get out the right key or keycard and get access. Although this seems like just a minor advantage, it could be important in certain situations.

----[ 1.5 Hacking

As said before, it isn't likely that a hacker would try, or even be able, to take from a user the specific biological characteristic that he needs to get into the system. Simply said: you can't chop off someone's finger or take out someone's eye just to gain access to a system. Well, you can, but you won't. But biometric authentication systems do have a weakness. They are vulnerable to spoofing attacks. The data that passes through the system (including the biometric samples) is not encrypted in any way, so far. This means that if an attacker were able to get his hands on this data (by using sniffers, for example) he would also be able to spoof his way into a system. And of course there's the software side of the story. Biometric authentication systems are driven by software. Software is made by humans. Humans make mistakes. That, contrary to the technique of biometric authentication, is nothing new. A few examples of vulnerabilities in biometric authentication software can be found here, for those interested:

http://neworder.box.sk/showme.php3?id=5433
http://neworder.box.sk/smsread.php?newsid=4552
http://www.gcn.com/vol20_no6/reviews/3808-1.html
http://homepage.ntlworld.com/avanti/vulnerable.htm
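
One way to keep a sniffed sample from being replayed, as an added example that is not from the original article or from any product: the matcher issues a one-time challenge and the sensor returns the sample with an HMAC over both. The shared key, the class and function names and the sample bytes are assumptions; this covers freshness and integrity only, so the channel would still need encryption to keep the sample itself confidential.

```python
import hashlib
import hmac
import secrets

class MatcherEndpoint:
    """Matcher side: hands out one-time challenges and checks responses."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()   # challenges issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # fixed length, so nonce + sample is unambiguous
        self.pending.add(nonce)
        return nonce

    def accept(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self.pending:
            return False                  # unknown or already used: treated as a replay
        self.pending.discard(nonce)       # one attempt per challenge
        expected = hmac.new(self.key, nonce + sample, hashlib.sha256).digest()
        # Only a sample that passes here would go on to template matching.
        return hmac.compare_digest(expected, tag)

def sensor_response(key: bytes, nonce: bytes, sample: bytes):
    """Sensor side: bind the fresh sample to the matcher's challenge."""
    tag = hmac.new(key, nonce + sample, hashlib.sha256).digest()
    return nonce, sample, tag

def demo_replay():
    key = secrets.token_bytes(32)         # assumed to be provisioned in the sensor
    sample = b"constructed-sample-bytes"  # constructed placeholder, not a real template
    server = MatcherEndpoint(key)
    msg = sensor_response(key, server.challenge(), sample)
    first = server.accept(*msg)           # legitimate response
    replayed = server.accept(*msg)        # the same captured bytes sent again
    fresh = server.challenge()
    stale = server.accept(fresh, msg[1], msg[2])  # old tag under a new challenge
    return first, replayed, stale
```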


----[ 1.6 Conclusion

Biometric authentication systems strive to make computers and networks more secure. They eliminate the risks that come with using passwords, PINs and other normal authentication methods. Although right now the systems might be somewhat expensive, there are also some really affordable systems that can be used in combination with a personal computer, right at home. There are some major advantages to these new kinds of authentication, but right now there are also a lot of disadvantages. The technique of biometric authentication needs to develop a bit more before it can be securely used. Right now, if you have some extra cash and you do find this interesting, you can even get a nice finger-scan authentication device for about 60 dollars. I'm sure we'll see more of biometric authentication in the future.

----[ 1.7 Bibliography

As sorry as I am to admit it to you, I have not invented biometric authentication systems. I do not work with them; I just find them interesting. It's with that idea in mind that I started writing this article. I thought it would be interesting for others too, to know what biometric authentication systems are and how they work. And I tried to explain this in an understandable fashion. I have visited many sites about this topic and used many of them to write this paper. In this section I will list these sites, so you know what sources I used for this article and to give them the recognition they deserve as being the sources for my article. It could also serve as a reference list for those of you who thought the article was interesting and want to read more about biometric authentication systems.

BiometricID.org
http://www.biometricid.org/

Express Computer
http://www.expresscomputeronline.com/20020415/focus2.shtml

Imagis Technologies
http://www.imagistechnologies.com/

International Biometric Group
http://www.ibgweb.com/

International Systems Technologies
http://www.istbiometrics.com/

Nuance
http://www.nuance.com/

Network World Fusion
http://www.nwfusion.com

Biometric Consortium
http://www.biometrics.org/

Eyenetwatch.com
http://www.eyenetwatch.com/Biowebserver/fingerprint_authentication.htm



----[ 1.8 Afterword

I think biometric authentication systems are interesting, so I wrote about them. That's basically it, guys. I hope some of you had fun reading this and maybe got interested in this technique. If you have any questions or nasty comments, feel free to contact me. Feel free to check out my website and keep an eye on it and Neworder for new articles. Have fun,
Kind Regards,

Paris2K

