What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?

Last week Slashdot pointed me to an “interesting” article in The Standard:
Understanding anonymity and the need for biometrics.

In fact, I found the article to be rather upsetting. Not because of the article’s thesis that strong authentication through a national ID program would not necessarily pose a threat to privacy; but rather, because of their naive (and irresponsible) handling of the realities of the biometric authentication challenge. They gloss over the real security challenges with creating a national biometric infrastructure. Here are the two quotes that are most misleading:

  • Confusing privacy with anonymity has delayed implementation of robust, virtually tamper-proof biometric authentication to replace paper-based forms of ID that neither assure privacy nor reliably prove identity.”
  • “This emerging technology makes it virtually impossible to assume someone else’s unique identity.”

The problem that the authors are glossing over is that no such technology exists today, and it is unlikely to ever exist. Now, to be fair, I am assuming that a critical success factor for any national biometric program, as described, would be that the authentication devices have to be available, and usable, anyplace paper-based IDs can be used today. This of course implies that the authenticator must be an inexpensive, commodity device, easy to purchase, maintain, and operate. Such a device would have to be even more ubiquitous than the electronic credit card machine.

The problem is that the authenticator itself may be in the possession of the attacker (Perhaps after you authenticate your legitimate purchase the clerk desires to use your identity herself…). In the history of security controls, when the attacker has unsupervised at-will physical access, the attacker wins. Here are a few examples:

  • Defeated copy protection on DVDs ( more & more info)
  • Cold Boot Crypto Attack on hard disk encryption (more info)
  • MiFare RFID Cards (more info)
  • Skimming devices attached to ATM machines to steal card and PIN data (more info)

Of course, all of these systems worked in the lab. But when a security system is widely deployed, it has to withstand an enormous amount of scrutiny, and minor flaws will be exploited. And of course, the greater the financial gain, the greater the time and energy attackers invest in trying to defeat the system. The authors of the article ignore these issues, idealistically assuming biometrics will just work.

Now, of course there are lots of examples where biometrics work very effectively. But I would propose that biometric authentication is most useful when the authentication device is physically secure and the authentication itself is supervised. The MiFare example above also demonstrates two other issues:

  • The system chose not to implement a reviewed and standard cryptographic algorithm – always a bad idea
  • MiFare was able to sell 1 billion cards and authenticators before the system failed

The cost of investing in a national biometric authentication program, and then having the security fail, is enormous. Can you imagine deploying a biometric authentication infrastructure to every bank, police car, restaurant, shop, etc. and then having video on YouTube of it being defeated ?

– Erik

BTW, Maybe the attacker doesn’t even need to tamper with the device -> ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg

2 thoughts on “What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?

  1. robert

    The latter point being raised is critically important, because all these systems will be compromised and fail. The system then just gets “improved”, with the new biometric or technology being sold as the silver bullet, until it too is then also compromised. This cycle continues until we are at a point where every identity document must use multiple biometrics with multiple RFID. This may make Digimarc and the companies making the devices happy, but will not improve security for more than the very short run. Systems must be devised where identification is only one part of a secure system, with the acknowledgement that it is not a 100% secure document that can never be compromised. Even implantable identification can be compromised. Identification can only go so far as a stand alone effort to help with security, and efforts to go past a reasonable level of identification are coutnerproductive in the long run. There will never be “tamper proof” identification.

Comments are closed.