Hmm. That last post was actually supposed to be about something completely different, but the 'preamble' just grew and grew until it was pretty much a post in its own right. So here's what I was going to ask you about in the first place: fingerprint biometrics.
Whatever the scepticism about iris, palm, ear and/or DNA-based biometric systems, fingerprint biometrics feeature prominently in the ID Cards programme, which calls for all 10 of an applicant's fingerprints to be captured at enrolment.
One of yesterday's participants was Andy Smith, Chief Security Architect for the ID Cards programme. When asked, he confirmed that the ID card will hold encrypted images of two of the holder's fingerprints. They will be actual pictorial images, he said, not templates (i.e. abstract representations derived from the pictorial image). Let me say right at the outset that I do not know much about the details of fingerprint biometrics, so this is a genuine request for information, and certainly not intended as an implied criticism of any sort. (For instance. I don't know whether the encryption in question is symmetric or public key, and that makes a difference to some of the risk profile).
It seems to me, first, that there is an inherent risk in encrypting the fingerprint images themselves and storing them on the card for its lifetime. The security of that encryption must be measured on the assumption that the encrypted data could be copied off the card and then subjected to an exahustive attack at the attacker's leisure. The initial, relatively crude "jelly finger" attacks on fingerprint biometric systems have been countered, but who knows what tricks and technology the attackers will apply to the problem next, to spoof metrics such as pulse and body heat. Also, once cracked, possession of the keys in question might enable an attacker to replace the original images with apparently validly-encrypted images of their own choosing.
Second, depending on whether symmetric or public key encryption is in use, there are issues with distributing the keys in question to all those parties who need to be able to verify the fingerprints. If symmetric, there's a riks that a malicious recipient could generate spurious validly-encrypted images. If PKI-based, that risk is lower, but there's an implied key-mamagement burden in the distribution and management of certified public keys from each issuing authority.
For all I know, the IPS, Foreign OFfice, Consular Services and so on may have long since cracked the problem of key management in distributed cross-border systems - but these days things probably need to move a little faster and more frequently than a Queen's Messenger on a commercial airliner.
Third, I asked why store the fingerprint images themselves, rather than capturing the biometric, hashing it or a template, and then signing that and writing it to the card. The answer (and here's where I'd be grateful for your comments) was that cryptographic hashes are too sensitive to bit-level discrepancies between the image capture at enrolment and the subsequent image capture at verification time.
My problem with that assertion is that if it is really true, I can't see how non-human fingerprint matching could ever work in the first place.
Any ideas?
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}