Break-ins at high-security installations and networks have
been a perennial cause of nightmares for many network administrators and
security experts. Companies lose millions of dollars annually in
password-related downtime, lost productivity and help-desk costs, and some
password problems even lead to security breaches. Lengthy and complex
passwords are not foolproof: miscreants use sophisticated algorithms to crack
them, and users sometimes forget them. Enter biometrics, a technology where
the password for entry is... you.
Biometrics measures and analyzes your unique, measurable
characteristics to recognize your identity automatically. The five most
common characteristics are fingerprint, hand, eye, face and voice, with further
work under way on ear shape, DNA, keystroke or typing rhythm, and body
odor. The implication: a computing world without passwords, and a rosy future
for help desks too, as estimates put password-related calls at 50% of all
IT-related problems.
Biometrics made easy
There are two stages in biometric identification: enrollment
and verification. During enrollment, which happens when you register with the
biometric system, a sample of your biometric (a finger or hand print, a scan
of the retina or iris, or a recording of your voice) is acquired. Some unique
characteristics of this sample are then extracted to create a biometric
template for subsequent comparisons. The template is nothing more than a
collection of numbers that records a small amount of information compared to
the original measurement of the biometric. During verification, a fresh sample
is checked against this template.
Biometric systems are used for two purposes: identification
and authentication. Biometric identification matches an individual against a
large set of system users, whereas authentication simply verifies that the
individual is who he or she claims to be.
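The two stages and the two uses can be sketched in code. This is an added example, not part of the original article: the chunk-averaging feature extractor, the distance threshold and the sample readings are constructed assumptions standing in for a real sensor and matcher.

```python
import math

THRESHOLD = 0.25   # assumed acceptance threshold on template distance

def extract_template(sample, bins=4):
    """Reduce a raw sample to a few numbers: the mean of each of `bins` chunks."""
    size = len(sample) // bins
    return [sum(sample[i * size:(i + 1) * size]) / size for i in range(bins)]

class BiometricSystem:
    def __init__(self):
        self.templates = {}                     # user -> enrolled template

    def enroll(self, user, sample):
        # Only the template is kept; the raw sample is discarded.
        self.templates[user] = extract_template(sample)

    def authenticate(self, claimed_user, sample):
        """1:1 check: compare the fresh sample with one user's template only."""
        template = self.templates.get(claimed_user)
        if template is None:
            return False
        return math.dist(template, extract_template(sample)) <= THRESHOLD

    def identify(self, sample):
        """1:N search: closest enrolled user, or None if nobody is close enough."""
        probe = extract_template(sample)
        scored = [(math.dist(t, probe), user) for user, t in self.templates.items()]
        if not scored:
            return None
        best_distance, best_user = min(scored)
        return best_user if best_distance <= THRESHOLD else None

# Constructed readings: eight raw measurements per capture.
ALICE_ENROLL = [0.10, 0.20, 0.80, 0.90, 0.40, 0.50, 0.30, 0.20]
ALICE_LATER = [0.12, 0.19, 0.83, 0.88, 0.41, 0.52, 0.28, 0.22]
BOB_ENROLL = [0.90, 0.80, 0.10, 0.20, 0.60, 0.70, 0.90, 0.80]
STRANGER = [0.50] * 8

def build_system():
    system = BiometricSystem()
    system.enroll("alice", ALICE_ENROLL)
    system.enroll("bob", BOB_ENROLL)
    return system

if __name__ == "__main__":
    s = build_system()
    print(s.authenticate("alice", ALICE_LATER), s.authenticate("bob", ALICE_LATER))
    print(s.identify(ALICE_LATER), s.identify(STRANGER))
```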
Biometric cryptography: the real power
Passwords are the most common technique in cryptography, the set of
techniques used to hide information in storage or transit, most often
associated with scrambling ordinary text into ciphertext (encryption) and
then back again (decryption).
But passwords are vulnerable for several reasons. Some users tend to use
simple, easily remembered words, phrases and personal data as passwords.
More dangerous still, some write them down. And there is no direct
connection between the password and the user.
Here’s where biometrics comes in. It offers a new mechanism for security by
using a biometric to secure the cryptographic key, a variable value that is
applied to a block of ordinary text to produce encrypted text. Access is
guarded by biometric authentication, which is unique to each individual.
Biometric authentication thus offers convenience (as the user no longer has
to remember a password), and tighter identity confirmation (since only the
valid user can release the key).
Among the various methods to secure a key with a biometric
is one where the biometric image is captured and the corresponding template is
sent to a secure location for comparison. If verified, the key is released from
the secure location and access is given. This method works well in an
application where the templates and keys are stored in a location physically
separated from the image capture device, as is most common in ATMs and smart
cards that use biometrics.
A second method involves hiding the cryptographic key within
the enrollment template itself. On successful authentication, the key is
simply extracted from the appropriate location and released into the system.
Unfortunately, this implies that the cryptographic key will be retrieved from
the same location in a template each time a different user is authenticated by
the system. Thus, if an attacker could determine the location that specifies
the key, the attacker could reconstruct the embedded key from any of the other
users’ templates.
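The difference between the two methods is easiest to see side by side. This is an added example, not from the original article, and the record layout, `KEY_OFFSET`, the threshold and the sample templates are assumptions made for illustration: in the first method the key leaves the store only after a match, while in the second a stored record yields its key to any reader who knows the layout.

```python
import math
import secrets

THRESHOLD = 0.25              # assumed match threshold
KEY_OFFSET, KEY_LEN = 4, 16   # assumed fixed position of the key in every stored record

def matches(template, probe):
    return math.dist(template, probe) <= THRESHOLD

class KeyServer:
    """Method 1: templates and keys live away from the capture device."""
    def __init__(self):
        self._records = {}                      # user -> (template, key)

    def enroll(self, user, template):
        self._records[user] = (list(template), secrets.token_bytes(KEY_LEN))

    def release_key(self, user, probe):
        record = self._records.get(user)
        if record and matches(record[0], probe):
            return record[1]                    # key leaves the store only after a match
        return None

def pack_record(template, key):
    """Method 2: hide the key inside the stored template at KEY_OFFSET."""
    body = bytes(round(f * 255) for f in template)
    return body[:KEY_OFFSET] + key + body[KEY_OFFSET:]

def key_at_rest(record):
    """What a stored record yields to anyone who knows the layout: no comparison."""
    return record[KEY_OFFSET:KEY_OFFSET + KEY_LEN]

def release_embedded_key(record, probe):
    """The intended path for method 2: match first, then hand over the key."""
    body = record[:KEY_OFFSET] + record[KEY_OFFSET + KEY_LEN:]
    return key_at_rest(record) if matches([b / 255 for b in body], probe) else None

# Constructed sample templates (eight features in the range 0..1).
ALICE = [0.15, 0.85, 0.45, 0.25, 0.60, 0.10, 0.90, 0.30]
BOB = [0.85, 0.15, 0.65, 0.85, 0.20, 0.70, 0.10, 0.55]

if __name__ == "__main__":
    server = KeyServer()
    server.enroll("alice", ALICE)
    print("method 1, wrong sample:", server.release_key("alice", BOB))
    record = pack_record(ALICE, secrets.token_bytes(KEY_LEN))
    print("method 2, wrong sample:", release_embedded_key(record, BOB))
    print("method 2, layout alone:", key_at_rest(record).hex())
```

The same `key_at_rest` call works on every user's record, which is the weakness the paragraph above describes; protecting the stored records then matters as much as the matcher does.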
Biometric equipment is costly. Though a fingerprint
scanner can cost between $30 and $100, an iris recognition device can cost up to
$7,000. However, costs have come down. Moreover, equipment such as that
used for image acquisition has long been used in other applications.
Another problem is integration. A great deal of work remains to be done in
integrating biometrics with other software, such as e-business suites. Almost
every biometrics company is strong in hardware but has been weak on
integrating its applications with banking, access control and e-business
software.
There have been efforts to address this. The BioAPI
Consortium, a group of over 50 companies formed in 1998 by Compaq, IBM,
Identicator Technology, Microsoft, Miros and Novell, is working with the
biometrics industry to develop standards. The consortium plans to provide
standardized application programming interfaces (APIs) that can be incorporated
into operating systems and application software.
Fingerprint and hand geometry equipment makes up 60% of global
use, while other methods are catching up. Again on a global scale, the Yankee
Group, a Boston-based consulting firm, estimates that sales of biometric devices
would grow at more than 40% per year, while Frost & Sullivan predicts a
market close to $170 million in 2003.
BIJESH KAMATH
in New Delhi