Simple Web Security

I recently attended a conference on information security where the President of our company was giving a presentation on biometric security. Since our version of biometrics uses fingerprints a number of fingerprint related questions came up. One of them surprised me so I thought I’d do a short blog post on the subject. Folks were concerned that we “stored their fingerprints” and might be able to use them for some nefarious purpose. That’s a reasonable concern particularly because we say that we store fingerprints but in fact, we don’t actually store an image of the fingerprint. It would be big, hard to use and very slow to access.

All the fingerprint verification security systems I know of actually use a “template” as opposed to using an actual image of the fingerprint. So what’s a template? Your fingerprint is made up of the fine “friction ridges” on your fingertips. You have similar ridges on your palms and even on the soles of your feet. Scientists believe that they are there to aid in grasping objects and possibly to amplify the vibrations that allow you to discern fine textures on a surface. Whatever their reason, they appear to be unique to each individual; even identical twins don’t share fingerprints. The details of the shape of the ridges, the places where they start and end and the way that they split and join are called “minutiae”. Most of these features are found near the center of your fingerprint. When a fingerprint is scanned a gray-scale image is captured and a sophisticated computer program identifies the key minutiae and how they relate to one another and produces a mathematical representation of your fingerprint called a template. The template is easy for the computer to deal with where an actual image would be very clumsy. You could think of your template as a complex and long digital password.

For the folks at the conference who were concerned about a security system saving their fingerprints, well, they can relax. The thing that’s saved isn’t an image of the fingerprint and just as importantly, the template cannot be used to backward engineer an image of your fingerprint. The template is a brand new entity that was created using data from your fingerprint but just like a picture of a leaf isn’t a leaf; a template isn’t your fingerprint.

A nice article on the history of fingerprints can be found at http://www.onin.com/fp/fphistory.html

Fingerprints have been recognized as a unique means of identification since ancient times. The ancient Chinese used fingerprints to sign legal documents¹. In the 1850s Sir William James Herschel was probably the first European who understood the value of fingerprints for identification. It obviously wasn’t an original idea but Herschel started using fingerprints while he was an officer in the British Army stationed in India². Herschel used fingerprints and whole hand prints on contracts during the time of the British Raj. Sir William’s biggest contribution was probably the fact that he realized that everyone has a unique fingerprint that never changes. He documented his own fingerprints over his lifetime to prove this.

About 50 years later Sir Francis Galton³, who we usually credit as being responsible for the modern study of fingerprints and fingerprint identification, developed a way to classify fingerprints so that it became practical for a person’s identity to the found in a directory of fingerprints. Galton’s system is basically the one we use today. The idea is that we first identify one or more large features in a fingerprint and then go on to compare the minutia that makes one fingerprint different from all others.

If you stop for a moment to consider, Galton’s classification system is what we would call a “sort” in computer terms. First we look at the larger classes, upon which we may have indexes, and then we look at the details to find a result. Fingerprints lend themselves to computer classification, digitization and abstraction. Since there is a lot of data in a fingerprint modern digital fingerprint recognition systems use “feature extraction”. Feature extraction simplifies the description of the data by creating combinations of variables that will accurately describe the fingerprint as data.

In practice we don’t record or save the actual fingerprint image. An abstraction of the image is reduced to a number of discrete data points that describe the fingerprint in a statistical, rather than a physical, form. This abstraction makes it almost impossible for the fingerprint to be reverse engineered and used fraudulently.

Because of all these factors fingerprints make an ideal basis for positive identification that allows us to authenticate the sender of an email and also the recipient. SendItSecure uses a combination of biometric authentication and state of the art encryption to deliver a secure email system that is easy to use and can be deployed in a medium sized company in a single day. For more information go to… www.SendItSecure.com .

1 – http://encarta.msn.com/encyclopedia_761573439/Fingerprinting.html

2 – http://en.wikipedia.org/wiki/William_James_Herschel#cite_ref-HersFD_0-3

3 – http://en.wikipedia.org/wiki/Francis_Galton

Being able to easily recognize people has never been a gift of mine.  Many times I’ve been stopped in a store, or on the street, by someone that knows me, and I scratch the inside of my head, trying to figure out how I should know this person.  Is she someone from church, is she the teller at the bank I always see, maybe the Subway sandwich artist?  I put on a forced smile, and say how nice it is to see her, and have a good day, and see you soon.  Oh, well.

Security, whether in our homes, schools, or our computer networks, is all about recognition.  Bank robbers, at least the smarter ones (if there is such a kind), try to disguise themselves so that they won’t be recognized from the surveillance footage.  Politicians, on the hand, want to be recognized, and, of course, re-elected next November.

Recognition is both an art and a science.  Humans have the amazing capacity to recognize each other through a complex processing of many sensory inputs.  From a person’s facial characteristics, tenor of the voice, and behavioral cues, we know who a person is.  Some of us are better at this than others, but it’s remarkable how good we really are at it.  The field of biometrics is all about automating the recognition process so that machines can do it based on pre-defined algorithms.  But algorithms aren’t particularly intuitive, and relying on computers to recognize us, whether through passwords or biometrics, will never be perfect.

Because we live in a digital wild west, we want our computer systems to recognize us before we impart any personal information or authorize a financial transaction.  Most often we do this with a user name and a password.  If the words we provide are recognized by the computer system, we’re in.  We could do the same thing with any number of attributes that are uniquely “ours”.  One of those is, of course, our fingerprint.  Computers can recognize us when we present a fingerprint because no one else has one like ours.  The cost of doing this has gone way down, and the accuracy of recognition has gone way up.  It’s no wonder that biometric recognition is quickly becoming a mainstream technology!