Biometrics is not for authentication, folks!

The capacity of people to persist in their delusions never seizes to amaze me.

A yet another researcher is wondering why biometric authentication does not work: “Ten to twenty per cent of utterances collected by voice biometrics systems are not strong identifiers of the individual that spoke them…”, says Dr. Clive Summerfield.

There is a serious problem with biometrics, and maybe this problem is not voiced sufficiently loud, since we have the same thing again and again. The problem is: biometric characteristics cannot be changed. Everybody knows that, right? The logical consequence of that is: the biometric data can be successfully used to identify a person but cannot be used to authenticate a person. Let me repeat that:

The biometric data can be used to identify but not to authenticate a person.

It works very well as a means of identifying someone and that is how we used it for so many years quite successfully (what do you think your picture in the passport is?) But in order to use it to authenticate a person, to be an authentication token, the person must be able to change it. Must be able to change the biometric data, period. There is no other way. And almost all research in biometrics rotates around this silly subject: how to change the immutable? After twenty years of this circus it should be obvious to everyone and their dog but no-o-o…

Biometric data is successfully used for identification for thousands of years precisely because it is difficult to change. And biometric data could never be used for authentication because it is so hard to change. It is that simple and still we have hundreds of people around the globe deny the obvious.

Here is a simple rule of thumb: if a “security specialist” talks about providing authentication based on biometric data – run for your life!… -->

continue reading →

RSA: 99.8% Security

The folks over at École Polytechnique of Lausanne have published a very interesting paper titled “Ron was wrong, Whit is right“. This is not too mathematical for a cryptanalitical paper and understandable even to someone without crypto background. It is more of an investigation into the properties of the public keys available publically on the internet. The guys explain how by collecting a large number of keys from the internet in very proper and official ways and analyzing them they were able to find collisions that basically allow one person to impersonate another not to mention some basically weak keys that offer no security at all. Fascinating stuff.

A cool comment is all the way at the bottom says:

“The lack of sophistication of our methods and findings make it hard for us to believe that what we have presented is new, in particular to agencies and parties that are known for their curiosity in such matters. It may shed new light on NIST’s 1991 decision to adopt DSA as digital signature standard as opposed to RSA, back then a “public controversy”.

Which is probably true, you know…… -->

continue reading →

Traveling light

Some people take security seriously by traveling light to China and Russia. An excellent routine is to erase the devices when you travel somewhere at all. Why carry all the important things that can get stolen? Keep it at home and take only the necessary – that is not only for security but a common sense too.

But you can get too paranoid. When the article mentions that “a thermostat in one of its corporate apartments were still communicating with an Internet address in China” you cannot help going like “yeah, right!” A healthy amount of paranoia is, well, healthy but this is taking the fear levels too far. Not to worry, soon your refrigerator will be reporting to China what you ate for breakfast back in California. Be scared.… -->

continue reading →

Software Security Philosophy

What is “security”? Well, not in broad sense, that is, but in software security? What does it mean: to develop secure software? What do we understand to fall into the realm of software security?

I tell you what I mean when I say “software security”. For me, the software security means to bring the intent of the original designer to the customer.

This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the csutomer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what developer had in mind. If it does not – we have a breach of security.

I know that this is a very broad definition and it encompasses many areas traditionally thought to be … -->

continue reading →