Date: 1/8/98 7:50:31 PM
From: PHILIP BRASS
Subject: RE: [NTSEC] Biometric User Authentication Tech - long
To: ("Vin McLellan "@LOCAL)
To: ("Tagg Maiwald "@LOCAL)
CC: ("NT Security Mailing List "@LOCAL)

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

My thanks to you Vin for posting an extremely informative email. I would also like to thank Tagg Maiwald, and also two other responders, Alain Bissig, who suggested I check out http://www.activcard.com for a token/smartcard type solution, and also Kurt Buff, who suggested I check out http://www.iosoftware.com for a fingerprint solution that is integrated with NT logon, and uses the Sony fingerprint identification unit.

My understanding is that at Comdex, there was a company there which had a fingerprint reader which actually checked the finger temperature or blood flow or something, to make sure it hadn't been severed (ewww!).

The second part of my question, which no one answered, is still a mystery to me. Does anyone know of network cards which encrypt at the packet level? I seem to recall hearing about these somewhere, and the idea was you set a symmetric password into the BIOS of every card, and set the same password for all your network hardware, and then no one could sniff your network from a machine not controlled by you (unless they pried open one of your machines and took the NIC out). I would assume such a card would use DES or something like that.

So I think Vin has more than answered my questions about biometrics, but I would still like to hear something about encrypting network cards. If there are none out there, then it seems like it would be a great idea to develop them. I wonder how hard it is to DES or triple-DES at 10Mbits and 100Mbits...
Phil

> -----Original Message-----
> From: Vin McLellan [SMTP:vin@shore.net]
> Sent: Thursday, January 08, 1998 12:46 PM
> To: Tagg Maiwald
> Cc: NT Security Mailing List; PHILIPB@Omnicell.com
> Subject: [NTSEC] Biometric User Authentication Tech - long
>
> Philip Brass queried the List:
>
> >> I am trying to find information about NT-compatible security hardware
> >> such as logon devices (Security Dynamics SecurID would be an example).
> >> I am especially interested in information about biometric logon devices
> >> and encrypting network cards. If anyone knows of vendors for this kind
> >> of equipment (aside from Security Dynamics) please let me know.
>
> SDTI has a rather special situation, since Microsoft added an undocumented call in NT to support their ACE/SecurID authentication. Prominent Microsoft/NT officials like Carl Karanan have also publicly recommended SecurID for high-security NT networks. I know of no other third-party security product that NT has been adapted to support. (Although symmetric and public key algorithms from RSA, an SDTI subsidiary, are woven into NT throughout the Microsoft product line, crypto seems a special case, not really a parallel.)
>
> Tagg Maiwald responded to Mr. Brass by referring him to The National Registry, Inc. -- a good source, since NRI's Secure Authentication Facility (SAF) family of products, available for a variety of platforms including NT, has absorbed some of the newest developments, in both fingerprint imaging and voice authentication.
> (See: http://www.nrid.com)
>
> See also KeyTronic at -- a big keyboard manufacturer which (like NRI) is expected to offer any day a much less expensive fingerprint reader which will use new technology from Veridicom, Lucent's first technology spin-off since it was itself split from Bell Labs, on KeyTronic keyboards. (See: http://www.veridicom.com/) By rumor, these finger-image readers are expected to be priced at under $300, with the potential for rapid price drops with volume manufacturing.
>
> Tagg also noted:
>
> > Really, it is rarely dependent upon the hardware itself to be compatible
> > with Windows NT.
>
> True enough, but with the growth in the NT market (and particularly, the popularity of NT standardization in government at all levels) none of the app vendors who develop or promote biometric solutions will slight the NT users. Guaranteed!
>
> > That being said, there are a few companies out there that offer such
> > products
> >
> > Mostly, medical and info-secure centers are the primary consumers of this
> > technology; since, during its present infancy, effective technology is
> > prohibitively expensive for casual implementations.
>
> Whoa! That's just not true. I respectfully suggest Tagg is about three years out of date with his information on biometric technologies, price/performance, and the market -- which means he might as well be sending in a commentary from Mars.
>
> Biometric authentication technologies (using a digitized record of "something one is") are blazing into the market like a swarm of comets: with new and rapidly improving technologies and a price/performance curve that seems to be approaching Moore's Law (as the previously-modular circuitry is integrated in silicon.)
>
> Lucent, IBM, Oki, Novell, and Thomson-CSF, among others, have made huge investments in this area in just the past year.
>
> As an example, it is widely expected that one of the new hotshot digital finger-imaging technologies -- Veridicom's technology, developed by Lucent/Bell Labs here in the US, or the new "thermal imaging" FingerChip tech from Thomson-CSF Semiconducteurs Specifiques (TCS) in France -- could soon drop to $100 per scanner with volume manufacturing. That's low enough to expect it to be incorporated in mid-range laptops, for example.
>
> (The Lucent and Thomson breakthroughs both seem to use a single chip-sensor to capture the finger-image. On these chips, tiny capacitive sensors capture the fingerprint image by measuring the differences in electrical charges between the fields and ridges of the skin. This is far beyond the "advanced" optical scanning tech that Tagg described.)
>
> Actually, it's unclear to me whether the most important advances have been in the innovative finger-imaging technology, or in advanced one-chip designs (and the manufacturing processes they permit.) Clearly, however, the sky is falling in biometric pricing! Three years ago, the typical biometric reader was priced at about $2,000. I would not be surprised to see the mean price for popular biometric readers hit $200 in 1998.
>
> Among the most savvy commentators on the rapidly evolving biometric tech are the Biometric Consortium (a group of federal agency reps who have paced the industry with their efforts to develop effective benchmarks, http://www.vitro.bloomington.in.us:8080/~BC/ ) and the leading US state-level social service agencies, many of which appear to be deeply committed to this technology.
>
> For an awesome display of buyer savvy -- the dream or the nightmare of vendor salesmen ;-) -- check out the last couple issues of Dave Mintie's newsletter for the Biometrics in Human Services User Group at:
> http://www.dss.state.ct.us/faq/dihsug.htm
>
> See also the Association For Biometrics:
> http://www.vitro.bloomington.in.us:8080/~BC/afb
>
> and the Human Identification System Project, at:
> http://www.asti.dost.gov.ph/~shoreadm/HIS.html
>
> International Biometric Group, Inc., at:
> http://www.biometricgroup.com
>
> And don't miss the incredibly informative Connecticut Biometric Web Page:
> http://www.dss.state.ct.us/digital.htm
>
> Market demand for an ID authentication mechanism that requires nothing but the physical body of the person whose identity is being matched against a pre-recorded digital record seems to be most notably fueled by an enormous government demand in the US (and doubtless elsewhere) for better ID authentication to control fraud (double dipping, within a state and multi-state) in social services and welfare payment systems, as well as an apparent demand for new and supplementary systems for ID and authentication to more effectively support immigration and border traffic controls. Both the US and the European Union seem to be making major commitments in both categories. Benefit fraud in the US is estimated at $10 billion annually, according to the GAO; with comparable figures likely in other industrialized nations. That's a lot of political capital (and surveys seem to reveal widespread support for technology which supports anti-fraud programs among recipients, as well as in the body politic.) I presume military personnel applications are also being widely considered, although I haven't heard of any big contracts.
>
> Token-based authentication systems (like ACE/SecurID) for large systems and networks will remain a dominant IT technology for some time, I think, but largely because that technology is so embedded in the dominant network technologies and has made such strides in developing the authentication servers to support the administration of tokens for large corporate user groups.
>
> Security Dynamics (SDTI) -- for which I've been a consultant for years -- has also moved to dramatically broaden its technical base by buying RSA Data Security (http://www.rsa.com) -- the leading US developer and vendor of cryptography, symmetric & public key -- and Dynasoft, the Swedish firm which developed the BoKS single-signon technology in which major financial institutions like Citibank, Chase, and Wells Fargo have recently made major commitments. See: http://www.securid.com
>
> Security Dynamics is integrating the BoKS multi-server SSO technology into its popular ACE/SecurID authentication servers and interweaving RSA crypto throughout its product line. This year, SDTI's ACE/Servers will begin to support cryptographic key and X509 certificate management and support. In many IP environments, the attraction of a public-key crypto infrastructure (PKI) goes far beyond user authentication, since it offers not only (smartcard/token-based) two-factor authentication, but also machine-to-machine and process authentication, encryption for confidentiality, and digital signatures for message-integrity checks and non-repudiation. (We have only begun to see the power of digital signatures unfold, both within bureaucracies, in business-to-business transactions, and in e-commerce.)
>
> Withal, there is a dynamo bursting into the (NT) market with new biometrics implementations. Tagg suggested that voice recognition was "on the way out," but Novell has a very different idea of its potential.
> Finger-imaging using a variety of new sensor technologies is hot right now, and new designs seem to allow major price breaks with high-volume manufacturing -- but IBM is still very active in developing hand-geometry technologies (and product under federal contracts from INS), and iris-imaging like that used by IriScan and Sensar (which, unlike retina-scans, can be picked up on the surface of the eye, from a camera two or three feet away) and full-face image recognition (e.g., Visionics's Face-it) have also been associated with major breakthroughs, new price/performance ratios, and new customer categories.
>
> It remains to be seen how cautiously the vendors package their technologies. Companies new to security and overly confident in their technology tend to rely too much or wholly on their widgets and the ability of their neural nets or somesuch to differentiate between, for instance, a living eyeball and one forcibly removed from a potential financial-fraud victim. Personally, I can't see trusting a biometric identifier which is not reinforced by one of the other two factors by which a computer can authenticate a pre-registered identity: i.e., "something you know" (like a password, perhaps reinforced for transit by EKE protocols) and/or "something held," as in a physical token. Soon, I presume, high-security apps will require three-factor authentication in place of the now industry-standard two for "strong authentication."
>
> I also like to keep an eye on Canadian firms, like Mytec, because Canada -- like most of Europe -- has a legal system that places a higher value on personal data and gives its citizens a property claim on data about them that American citizens sold off to the finance and credit companies long ago.
> Mytec's use of biometrics often seems to me inherently more protective of what is, after all, a digitized representation of a physical characteristic that can not be changed like a password, if the security or integrity of an authentication system is breached.
>
> I expect to see European applications modeled on the same traits, and it will be informative to compare the handling of user data in products from US vendors against the norm in the EC countries.
>
> Pardon the burden on the bandwidth, this is longer than I had planned. Below is my list of vendors of biometric authentication tech. It is doubtless US-centric and painfully light on Asian and European developers, but such is life. I think I originally swiped much of this list from a collection of URLs developed by the security mavens at the Connecticut (US) Social Services Department. An impressive team, there. I hope it will be as helpful and useful to others as it has been for me.
>
> Suerte,
> _Vin
>
> Vin McLellan
> The Privacy Guild
>
> ---
> Vendors of Biometric Authentication Technology & Products
> --------------------------------------------------------------
>
> (1) Finger-Imaging Technologies
>
> http://www.nrid.com/ The National Registry
> http://eastview.org.ImEdge/ Edgelit Holography Fingerprint
> http://www.fingerprint.com/ Fingerprint Technologies
> http://www.fpusa.com/ Fingerprint USA
> http://www.w3bit.com/www_star.html Startek Engineering, Inc.
> http://mytec.com Mytec
> http://www.identix.com/ Identix
> http://www.printrakinternational.com/ Printrak International
> http://www.camneuro.stjohns.co.uk/ Cambridge Neurodynamics
> http://www.cogentsystems.com/ Cogent Systems
> http://www.identicator.com/ Identicator Corporation
> http://www.xcheck.com/ Crosscheck Corp.
> http://www.biometricID.com/ Biometric Identification, Inc.
> http://www.east-shore.com/ East Shore Technologies
> http://www.mbnet.or.jp/melsys/fingre03.html Mitsubishi Electric Corp.
> http://www.gotnet.net/home/idyou Identification Systems
> http://www.netid.com/ Net-ID, Inc.
> http://www.veridicom.com/ Veridicom
> http://www.vitrix.com/ Vitrix, Inc.
> http://www.parlant.com/ideas/ideas.htm IDeas International
> http://www.iosoftware.com I/O Software, Inc
> mailto:tommi@morpho.wa.com North American Morpho Systems
> http://www.tcs.thomson-csf.com/standard/finger.htm Thomson-CSF
> http://www.marketplace.unisys.com/bioware UNISYS, Inc
>
> (2) Facial Imaging
>
> http://www.viisage.com/ Viisage Technology
> http://www.miros.com/ Miros
> http://www.wp.com/IVS_face/ Intelligent Vision Systems
> http://www.faceit.com/ Visionics
> http://www.cjis.com/ CJIS
>
> (3) Facial/Voice
>
> http://www.keywareusa.com/ Keyware USA
>
> (4) Handwriting
>
> http://www.penop.com/ PenOp
> http://www.aeat.co.uk/ AEA's Check Match & Countermatch
> http://hwr.nici.kun.nl/ Handwriting Recognition Group
> http://www.quintetusa.com/ Quintet Signature Verification
>
> (5) Iris scan
>
> http://www.iriscan.com/ IriScan
> http://www.sensar.com/ Sensar
>
> (6) Hand Geometry
>
> http://www.recogsys.com/ Recognition Systems
>
> (7) Veincheck
>
> http://innotts.co.uk/~joerice/ Veincheck Biometric Homepage
>
> Vin McLellan + The Privacy Guild +
> 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
> -- <@><@> --