Breakthrough in biometric token replay
Scientists say it may now be possible to send information such as a
fingerprint over the Internet without it being intercepted.
The RAU-Standard Bank Academy for Information Technology has announced a
breakthrough in the replay of biometric tokens. This announcement was made
during the recent Information Security South Africa (ISSA) 2003 Conference, which
took place in Johannesburg last week.
One of the major problems of sending any biometric token over a network, and
specifically a public network like the Internet, is that if the token is
intercepted (sniffed), it can be replayed even if the token had been encrypted.
The possibility of replaying such a token of course gives rise to serious
risks, because the user cannot replace the token or choose a new one – the
specific biometric token is uniquely linked to the user. If a user’s right
thumb biometric token is compromised, he cannot choose another right thumb –
the token is permanently compromised.
Until now, it has not been possible to recognize a replayed biometric token as
such. This is one of the main reasons why biometric tokens (fingerprints, iris
prints, retinal prints, palm prints, etc.) are not yet used as widely as the
technology of biometrics deserves. The Academy’s announcement solves this
problem.
At ISSA, the Academy demonstrated a system, known as BioVault, which solves
this inherent problem. The demonstration showed how a biometric token, in this
case a fingerprint, was sent over a network, and compromised by being
intercepted (sniffed) during transmission without the knowledge of the user.
The intercepted biometric token was then replayed. When this sniffed token
was replayed with BioVault switched off, the replayed (masquerading) token was
accepted as an original.
When BioVault was switched on, the replayed (sniffed) token was immediately
rejected as a replay.
During the presentation, the audience was asked to provide fingerprints, and
in all cases, the proposed system worked as expected.
Solving this replay problem, which has existed since the introduction of
biometrics, opens up many new uses for biometrics.
No encryption at all is used in BioVault.
According to Prof Basie von Solms, the project leader, the RAU
has taken out a provisional patent on the underlying algorithm used in BioVault.
At least two advanced postgraduate projects are presently active to thoroughly
test the characteristics of BioVault, and then to expand its use.
The project team envisages that, with BioVault, biometrics can now really be
used in an e-commerce environment – even in the form of a digital signature.
This is presently being investigated as part of the research.
More Information:
Anyone interested in a demo of BioVault can contact Prof Basie von Solms at basie@rkw.rau.ac.za
or at +27 11 489 2843.