Why Biometric Authentication is (Frequently) a Bad Idea

Architecture & Design, Authentication, Best Practices, Identity Theft, PKI, Privacy, Social Engineering No Responses »
Feb 272009

Authentication Basics 101

First, some three-point lists to re-hash the elements of authentication, mainly for my own memory-jogging purposes.

An individual who wants to gain access to data or facilities goes through a three-stage process:

  • Identification (”Hi I’m Bob!  Let me in!”)
  • Authentication (”OK, I verify that you are indeed Bob.”)
  • Authorization (”Bob, I verify that you are among those permitted to enter.”)

Authentication can be done using any combination of the following three ingredients:

  • something you know (e.g. password, PIN code)
  • something you have (e.g. key, smart card)
  • something you are (e.g. fingerprint)

It’s been a given for a while that two-factor authentication is a good way of massively raising security of information or premises at a comparatively low cost, by reducing the impact from losing or disclosing any part of the authentication process.  If I drop my access badge on the train, big deal, because I also need a secret passcode to enter the office.

Some Problems (PKI / Certificate Example)

As a quick side-track, during every single PKI-related project involving token-based authentication (usually smart cards) that I’ve ever worked on, two major issues inevitably arose:

First, how do we adapt peoples’ credentials to changing circumstances.  For example, the subject marries and changes their name.  Signing keys used in authentication certificates can be expired or revoked, even though this requires maintenance of a functioning certificate revocation list, something a lot of enterprises don’t seem to be capable of, and which can be technically daunting in any case once you start dealing with multiple thousands of revoked certificates.  However, data signed and encrypted before the expiration or revocation date must be accessible or verifiable in perpetuity, no matter if Jane Smith is now called Jane Smith-Jones.

Continuing the certificate example, this is solved by using something like friendly names on certificates (where the user’s name is not part of the certificate’s LDAP distinguished name (DN), or unique numerical identifiers that are mapped to an actual name in a database accessible by other applications that use the certificate.  There are many ways to skin a cat, or a user who changes their name.  However, this falls squarely into the “bad planning” department that seems to be an attribute of many PKI deployments; architects often don’t make allowance for future requirements, such as extended key attributes (thanks for the tip, Arjo), thus raising the need for additional certificate rollouts and system redesigns.

Second, what happens when the user loses his chip card?  No problem, get him a new one.  Even better, prevent him from losing it in the first place, by combining his authentication token with something he is definitely not going to forget, like the bathroom access pass or his lunch card (but whatever you do, please PLEASE don’t put the company logo or address on his access badge.)

What to do, though, when he’s on a service visit to a missile silo at the North Pole, or with a client in Colombia, and can’t access his laptop?  What about one-man branch offices in Timbuktu?  This is where we start facing increasingly complicated problems with issuing emergency credentials via cell phones (a great medium for secondary authentication — they’re tied to a person, they’re at least somewhat secure against casual attackers via GSM encryption and PIN code access, and they’re one of the least likely items to be forgotten at home.)

Moving beyond the scope of digital certificates, biometric authentication offers a tempting solution for both of the above problems..  Passports can be forgotten, passwords extorted, and unless you’re using a system that doesn’t check for heat or blood flow (useful in the case of the Malaysian Mercedes owner several years ago whose fingers were severed by robbers to gain access to his fingerprint-protected car) or which can be fooled by fake biometric credentials, biometric authentication immediately and reasonably reliably identifies and authenticates a user in one go.  Unless he loses his hands or voice or has his eyes gouged out, but that eventuality doesn’t look so nice in the authentication product marketing brochure, so we’ll conveniently ignore it.

Passwords are Annoying

Passwords have their own problems; I agree that people should use pass phrases instead of passwords whenever possible [1],[2].  Furthermore, I believe that excessively strict password complexity and rotation rules lead people to do stupid things like (with all due respect to Bruce Schneier) writing down passwords in obvious places.  Very few individuals have the time, knowledge or intelligence to write down passwords in a way that keeps them safe (plus, the “YOUR PASSWORD WILL EXPIRE IN 5 DAYS” warnings on Windows workstations tend to catch people when they’re most stressed and hurried to log in and get to their meeting.  Furthermore, password vaults tend to be impractical if, like me, you access similar resources from different workstations, laptops, interfaces, etc.

Biometric authentication gets around all this; in the case of a lot of low-end applications, such as unlocking laptops, it is a thoroughly convenient mechanism that allows administrators to get around the expense and complexity of dealing with things like BIOS/startup authentication, or the aforementioned user failings in dealing with password security rules.

So Where’s the Problem?

There are a number of classic arguments against biometric technology — principal among them being that, in case of identity theft, it is not possible for a user to change his credentials, ever.  My major objection to most uses of biometric authentication, however, is the excessive trust placed in it, combined with the absence of non-repudiation.  While most technologies involved are technologically sound and deployed in a well-meaning manner, these related failings bear the probability of inevitable negative, unintended side effects.

By virtue of its perception as an advanced, “futuristic” technology, there is a tendency to ascribe some degree of infallibility to biometric authentication.  Errors are viewed as improbable; since there are no longer external factors (knowledge or objects) involved in authentication transactions, the person logging in with a thumbprint must perforce be the owner of the thumb who was registered as such.

As an analogy, DNA matching by police suffers from a similar weakness; first, we cannot discount concerns about false positives.  Even if there is a one-in-a-billion chance that a DNA sample from a crime scene matches an innocent person as well as the perpetrator, statistically this may be acceptable, but wouldn’t it suck if you were that innocent person?  Is this tolerable?  Furthermore, as the John Schneeberger case demonstrates, even if the technology were flawless, completely circumventing the context within which DNA matching functions, by means of such shenanigans as introducing fake DNA, the entire usefulness of an otherwise good system is thrown out the window.  This is similar to the famous analog hole argument about why media digital rights management is a fundamentally broken concept; even if the hardware and software works just fine, a method completely out of its scope will render its deployment irrelevant.

In the case of biometric authentication, there are a number of conceivable (and, in my case, for lack of greater expertise, purely theoretical) situations where its employment breaks down; this xkcd cartoon demonstrates one such eventuality in a fairly insightful manner.  Given that many people will be subconsciously awed and intimidated by the cool sci-fi retinal scanners at airports, or palm readers in front of offices, this translates into a disregard for the possibility that something will go wrong with the system — dangerous because, even if the security of the system itself were flawless (which no system is) it can probably be circumvented, somehow.  This brings us to the second, and greater danger, that of the lack of non-repudiation in biometric authentication.

By means of overview, digital identifiers are used in two related but different ways to determine the authenticity of data — signing tells the recipient of data, “the information you received is the same that was sent, and it is I who sent it.”  This comes in the form of MD5 checksums, PGP signatures, etc., or in archaic terms, the royal seal on an envelope — in x.509 terminology, signing keys with an authentication bit set in their certificate containers are normally used for certificate authentication (as the key is used to sign a set of credentials transmitted to an application and to guarantee their inviolability.)

Non-repudiation means that a recipient of information can be assured that the originator cannot deny that he provided certain information; the recipient can prove that something not only originated with a given person, but that person is not able to reneg on the information.  Signatures on credit card slips or notarized contracts are the most common real-world examples of this.  There is a subtle difference between the two — signing assures the recipient that information and sender data are correct, non-repudiation guarantees the recipient that the sender will abide by the terms of the information received.

Authentication by biometrics introduces the idea of non-repudiation into a transaction where it usually has no business.  A user is first identified, then authenticated.  Both of these components of the authentication transaction three-step process take place using the same single medium — part of the user’s body.  This is bad.  As the user is identified as who he is, the authentication process suddenly and automatically includes an audit trail — which cannot, by definition, be contested.

When John Smith, average employee, sits down to log into his company workstation, he enters his username and password.  Even though his username may be “smithj”, which is tied his employer’s Active Directory to his username and photo, the disconnect between the person and the authentication framework means that he is not treated as an individual, but rather as an anonymous construct that possesses, hopefully legitimately, John Smith’s authentication credentials.  Can I prove that someone did not steal John Smith’s username and password?  Not really.  Maybe he wrote it down — perhaps that’s a firing offense in itself, but there is at least the reasonable doubt that it was he who logged in.

Not so with biometric ID.  The moment he swipes his palm across the door entry plate, or looks into the airport retina scanner, even if there is some doubt that it is, indeed, John Smith requesting authorization, that doubt enters the realm of the statistically irrelevant.  Fine for criminal prosecution, but decidedly suboptimal if you are John Smith who spent his Sunday in bed with a book rather than breaking into his workplace with a fiendishly clever copy of his thumbprint, or by jury-rigging the actual scanner with a battery and a bunch of wires.  The fact that it was a physical part of John Smith that was used (in the mind of the authentication system) to open the door or unlock the workstation means that the audit trail automatically associates him with his action.

This extends to a person’s movements between countries, his use of a cell phone, his travel in a car, his purchasing habits — all of which can be plausibly denied and repudiated if physical or virtual items, such as passports and PIN codes, are used to authenticate the user.  Identity theft at this point may be unlikely, but fatal for the victim.

How to Fix This

Biometric authentication is not fundamentally bad.  It has its place, if properly planned and implemented, and if the consequences of its use are known.

For example, authentication can be insular and local.  That is, the process does not register a user’s physical characteristics anywhere centrally, but rather uses a locally cached checksum of, say, a thumbprint to unlock a laptop or smart card — similar to what many Windows-based thumbprint login mechanisms already use.  A kerberos exchange is made with a domain controller, as with a username/password or smart card login, but the actual physical characteristic is not associated in its “raw” form with any central user profile.

Second, biometric authentication must absolutely under no circumstances be tied to audit trails; the tracking of a user’s actions and movements is information desired by law enforcement, human resources, marketing wonks, scammers and any other number of other parties, but there is no reason to tie a user himself, through his physical qualities, to his actions.  I want to be able to deny that I used my credit card in Indonesia last Tuesday; the moment this ability falls due to the authority of a retinal verification for a card transaction that was somehow falsified, I have a huge problem.

Next, such authentication must not cause anyone to come to harm.  As with the Mercedes example above — people are (usually) more important than objects or data.  If you evaluate your security needs and believe it’s a good idea to force someone to go through a burly Secret Service guy to get to the nuclear launch codes, that makes sense.  However, endangering someone’s safety for a car or laptop when it’d get stolen anyway, no matter what they do, would be callous and pointless.

Lastly, authentication credentials must not be tied to any other stored instance of a person’s biometric information.  This sounds paranoid, but physical characteristics, since as we see above these are refutable only with difficulty, and credentials can’t be changed.  The instant someone is able to abuse biometric credentials, a user’s entire financial credibility, his workplace history, and any number of other valuable combinations of reputation and resources may suffer.

Posted by john at 7:50 am

Blatant Plug: m0n0wall + PCEngines WRAP / ALIX

Crypto, Firewalls No Responses »
Feb 182009

One of my recent projects had me shepherd the development and rollout of an embedded firewall for medical / clinical diagnostic devices in compliance with U.S. HHS / FDA rules on patient data privacy.  Without going into details, a number of new, long-awaited requirements have sprung up within the past few years requiring data protection technology and processes in environments handling sensitive patient information.

This creates a bit of a conundrum for medical device and software manufacturers, insofar as all medical products, not just drugs, must undergo a massive, periodic set of verification and validation tests in order to ensure that they actually do what they’re supposed to, and will not result in minor side effects like genital herpes, limb removal or spontaneous combustion.  Validation is expensive — bringing a drug to market can cost nearly $1 billion;  any changes, upgrades or additions must go through punishing testing procedures.  The same applies to clinical devices — MRI scanners, blood testers, and the myriad of associated machinery — plugs, cables, batteries — anything that somehow processes or plays a role in the processing of patient data.  Fine.

For IT systems, this is a bit of an issue, especially in light of increased connectivity of hospital and other medical products.  When to re-validate?  Software upgrade?  New feature set?  Security patch?  Antivirus pattern udpate?  As we all know, bugs lurk everywhere, and even innocuous changes could bring about unwanted effects in poorly privilege-separated systems.  This becomes worse when consumer operating systems start being used to run task-specific machinery; common development platforms keep costs down and allow for faster and broader-ranging feature implementation, but despite the inevitable whining about security-through-obscurity-is-not-real-security, having an off-the-wall operating system cuts both ways, in that it may hide flaws less likely to be spotted by peer review, but also often requires targeted intrusion attempts in order to break.

So given that clinical validation and revalidation of upgraded software so as to ensure continued reliability can cost anywhere around $500,000 a pop in time, resources and grief, offloading network security is a good thing.  Despite the discrediting of eggshell models of network security (I still firmly believe that any system should be able to survive if exposed on an open network, even if this is not necessarily wise), if it’s simply not feasible to secure everything, you might as well protect it.  The difficulties in validating and maintaining such systems, though, make it desirable to keep things as simple as possible.

Enter m0n0wall and WRAP / ALIX.  This is the most killer hardware/security platform combo I’ve seen.  I have a few of these on the older WRAP board running for years now without a hitch.  They are incredibly robust, simple, without moving parts, and tolerant; my WRAP boards have been dropped, drenched, plugged into massively off-spec power supplies and otherwise abused.  There’s a mini-PCI slot for a wireless card, and newer ALIX boards have VGA-out, sound, USB and serial.

M0n0 has a friendly interface, a great support community and a tremendously motivated developer behind it.  Anyone familiar with basic firewall or crypto terminology will figure it out instantly; it’s fast, lightweight and has never crashed on me.  My only bitch is that changing an inbound NAT rule does not automatically adjust associated firewall rules, but that’s a pretty minor thing.   Best of all, it’s FreeBSD-based and conducive to hacking.

Posted by john at 12:02 pm

SSL / SSH and MTU Problems

Crypto, Network Security, Standards 2 Responses »
Feb 162009

A colleague of mine recently encountered mysterious issues with SSL connections that dropped large numbers of packets, while cleartext pages loaded fine.  After a bit of digging, he found that decreasing his DSL router’s MTU size from 1410 to 1400 seemed to do the trick.

I did some looking around, and found this page from Primus Telecom (Australia) that describes the problem well.

When you access a website or essentially do anything on the Internet, your computer places the information into packets, the size of which is determined by the MTU (Maximum Transmission Unit). On an Ethernet network the default MTU size is 1500 bytes, which is what most routers on the Internet will accept, the problem however occurs when we introduce protocol overheads.

Because there are a number of different protocols your data packets may be encapsulated into, the size of the MTU can increase at different places in the network. If the packet is already close to 1500 bytes when it leaves your ADSL router, it may become larger than 1500 by the time it gets to its destination, which means it will be fragmented, or split up.

Encryption protocols generally can’t handle packet fragmentation, though this is more by design, rather than as a fault, as fragmentation may introduce a point of insecurity, and allow the encryption to be broken or intercepted.

The overhead mentioned consists of datagram encapsulation, for example, and is added by routers along the way.

When using SSL / SSH, the sending machine will set the IP “do not fragment” (DF) header bit to “1″.  Ideally, traffic is sent via the largest size that does not fragment; RFC 1191 describes a technique to use the DF header to discover the PMTU (path MTU, this maximum size.)  Lowering it on first hop after your sending machine will do the trick, though.

Posted by john at 11:17 pm

Backtrack 4 Beta Released

Development, Forensics, Network Security, Pen Testing No Responses »
Feb 112009

Max Moser just sent an announcement about the release of BackTrack 4 to the ZOG security list.  I’ve played with earlier versions of this, and while at the time it didn’t boot well on my ThinkPad X21 (works fine meanwhile) it’s a pretty awesome toy.  I can’t imagine that you’d want to hide a powered-down device in someone’s network and then PXEBoot it… =)

The Remote Exploit Development Team is happy to announce the release of BackTrack 4 Beta.
We have taken huge conceptual leaps with BackTrack 4, and have some new and exciting features.
The most significant of these changes is our expansion from the realm of a Pentesting LiveCD towards a full blown “Distribution”.

Now based on Debian core packages and utilizing the Ubuntu software repositories, BackTrack 4 can be upgraded in case of update. When syncing with our BackTrack repositories, you will regularly get security tool updates soon after they are released.

Some of the new features include:

* Kernel 2.6.28.1 with better hardware support.

* Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.

* Support for PXE Boot – Boot BackTrack over the network with PXE supported cards!

* SAINT EXPLOIT – kindly provided by SAINT corporation for our users with a limited number of free IPs.

* MALTEGO – The guys over at Paterva did outstanding work with Maltego 2.0.2 – which is featured in BackTrack as a community edition.

* The latest mac80211 wireless injection pacthes are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.

* Unicornscan – Fully functional with postgress logging support and a web front end.

* RFID support

* Pyrit CUDA support…

* New and updated tools – the list is endless!

With all these changes, PLUS the usual goodies and surprises we have in BackTrack, we are truly excited about this new release.

We consider the Beta to be stable and usable. Some tools were kept back from this version, and will be soon added to the repositories.

Get it at http://www.remote-exploit.org

Posted by john at 10:29 am
© 2010 Chakraborty Software Suffusion WordPress theme by Sayontan Sinha