Simple Web Security

I came across this interesting discussion on whether or not companies should allow their employees to forward email to GMail.  Most of the concern is with security, as businesses share a lot of confidetial information through e-mail: Design docs, intellectual property, client information, even passwords into various servers.  Some say that even if the IT administrators disallow it, some employeees will figure out a way around it – they always do.

However, the answer to this question would be a lot easier if the company was already using end-to-end encryption for their e-mail, because the messages would still be encrypted on Google’s servers.

I recently attended a conference on information security where the President of our company was giving a presentation on biometric security. Since our version of biometrics uses fingerprints a number of fingerprint related questions came up. One of them surprised me so I thought I’d do a short blog post on the subject. Folks were concerned that we “stored their fingerprints” and might be able to use them for some nefarious purpose. That’s a reasonable concern particularly because we say that we store fingerprints but in fact, we don’t actually store an image of the fingerprint. It would be big, hard to use and very slow to access.

All the fingerprint verification security systems I know of actually use a “template” as opposed to using an actual image of the fingerprint. So what’s a template? Your fingerprint is made up of the fine “friction ridges” on your fingertips. You have similar ridges on your palms and even on the soles of your feet. Scientists believe that they are there to aid in grasping objects and possibly to amplify the vibrations that allow you to discern fine textures on a surface. Whatever their reason, they appear to be unique to each individual; even identical twins don’t share fingerprints. The details of the shape of the ridges, the places where they start and end and the way that they split and join are called “minutiae”. Most of these features are found near the center of your fingerprint. When a fingerprint is scanned a gray-scale image is captured and a sophisticated computer program identifies the key minutiae and how they relate to one another and produces a mathematical representation of your fingerprint called a template. The template is easy for the computer to deal with where an actual image would be very clumsy. You could think of your template as a complex and long digital password.

For the folks at the conference who were concerned about a security system saving their fingerprints, well, they can relax. The thing that’s saved isn’t an image of the fingerprint and just as importantly, the template cannot be used to backward engineer an image of your fingerprint. The template is a brand new entity that was created using data from your fingerprint but just like a picture of a leaf isn’t a leaf; a template isn’t your fingerprint.

A nice article on the history of fingerprints can be found at http://www.onin.com/fp/fphistory.html

Being able to easily recognize people has never been a gift of mine.  Many times I’ve been stopped in a store, or on the street, by someone that knows me, and I scratch the inside of my head, trying to figure out how I should know this person.  Is she someone from church, is she the teller at the bank I always see, maybe the Subway sandwich artist?  I put on a forced smile, and say how nice it is to see her, and have a good day, and see you soon.  Oh, well.

Security, whether in our homes, schools, or our computer networks, is all about recognition.  Bank robbers, at least the smarter ones (if there is such a kind), try to disguise themselves so that they won’t be recognized from the surveillance footage.  Politicians, on the hand, want to be recognized, and, of course, re-elected next November.

Recognition is both an art and a science.  Humans have the amazing capacity to recognize each other through a complex processing of many sensory inputs.  From a person’s facial characteristics, tenor of the voice, and behavioral cues, we know who a person is.  Some of us are better at this than others, but it’s remarkable how good we really are at it.  The field of biometrics is all about automating the recognition process so that machines can do it based on pre-defined algorithms.  But algorithms aren’t particularly intuitive, and relying on computers to recognize us, whether through passwords or biometrics, will never be perfect.

Because we live in a digital wild west, we want our computer systems to recognize us before we impart any personal information or authorize a financial transaction.  Most often we do this with a user name and a password.  If the words we provide are recognized by the computer system, we’re in.  We could do the same thing with any number of attributes that are uniquely “ours”.  One of those is, of course, our fingerprint.  Computers can recognize us when we present a fingerprint because no one else has one like ours.  The cost of doing this has gone way down, and the accuracy of recognition has gone way up.  It’s no wonder that biometric recognition is quickly becoming a mainstream technology!