jump to navigation

First day of Nordsec 09 October 15, 2009

Posted by tcarlyle in Biometrics, identity management, SIM Cards, trust, Uncategorized.
Tags: , , , , , , ,
add a comment

I’m bloging directly from the Nordsec 09 conference here in Oslo. So far it has passed one day and a half and the programme has been quite interesting. There has been a more strong focus on identity and privacy, and, moreover more “high-level” presentations than the conference last year. As the conference programme has been quite extensive I must assume not having payed full attention to all presentations and specially the ones that didn’t have slides as supporting material. I’ll cover in this post just a bit of my impressions around the first day.

The first day was mainly about identity and privacy.  We started with a great presentation from Drummond Reed from the Information Card Foundation. He end up spending some of time explaining IdM as the concept was not familiar for the whole public, then he talked a bit on the challenges to using the open ID standards by the governments, in special in the USA. He also mentioned the issue of having a branding competition on the websites towards the several OpenID providers. It was pretty interesting to see that the US government is going for an exisiting open IdM standard and also to know that apparently a lot of the companies that seemed to be competing for IdM ownership seem to be cooperating more. At least, as far as I got there are several new players joining the OpenID (although it is not clear if they are just offering authentication tokens or if they are also accepting other OpenID tokens) and the Information card has become a common format shared between Cardspace, Higgins and other selectors.

There was a presentation about Identity Theft from the Ministry of Justice and the Police of Norway. The presentation was mainly on how biometrics could help to prevent Identity Theft. As the usage of biometrics in his speech was not characterized if it was for identification or authentication as I mentioned in a post in the blog, it generated a lot of questions around the dangers of impersonating someone using a copy of the biometric template which could be gathered through a fingerprint left in a glass for example. This generated some discussion around storage of the biometric template and issues around biometrics in unsupervisioned scenario which the speech could have maybe addressed and made itself even more interesting.

Later we had a presentation of Tor-Hjalmar Johannessen from Telenor presenting arguments towards having an e-ID centric model on the SIM with very logical arguments. He bases it in the massive presence of sim cards, its security, the fact that they already represent an excellent working case of IdM (roaming is single-sign-on), new enhacements to the SIM as a hardware and software platform and others. I had already seen other of this presentations on the topic and I’ve read a few of his papers for my Master Thesis. Therefore, it was not something completly new for me, but it already introduced the audience in the topic which will be good for my presentation on Friday =)

Other 2 presentation that specially called my attention were the one about “Privacy risks in Web 2.0” from Roar Thon from the Norwegian National Security Authority and the one about the future e-voting system in Norway. The first one was a bit more on the need of creating awareness around how much private information we are publishing and distributing. It was interesting to see tha the  Norwegian National Security Authority is interested in that and also on some numbers presented. In fact the presentation opened the point of the lack of attribution of social networks relations which is something Ill discuss in my presentation.

I think I’ve never stopped to think so much about the complexities around e-voting and the presentation from Christian Bull gave a great overview. There are issues on the fact that you are not over a supervisioned environment and this could lead to vote selling or coertion, or on making sure that every vote is counted but it is not possible to trace who voted in who, and there it goes. He presented a few neat features to counter some difficulties of the e-voting and the system sounds very promissing. It was also nice to see that they plan to make it open source so the system security can be assessed and they will submit it to common criteria evaluation (or a similar one, I dont quite remember).

I’m not sure if the presentations are going to be published in the conference website, but in case it will I write it here.

Biometrics and SIM May 24, 2009

Posted by tcarlyle in Biometrics, identity management, SIM Cards.
1 comment so far

I know I said I would not post so soon, but here it goes a small post on Biometrics (reusing the text from my thesis =D)


Biometrics corresponds to the recognition of an individual based on the measurement and analysis of his physical and behavioral aspects. Some biometric techniques include: fingerprint, iris scan, face recognition, DNA, hand geometry, voice recognition and hand-writing patterns. The biometric information can enhance identity, verification and authentication mechanisms as it consists into a unique feature that can identify a user. 


In fact biometrics is massively deployed in the several physical identity cards that carry a picture of the owner. This picture, a facial biometric, is aimed to present something that can be used for a visual verification on the side of the agent.


One of the biggest concerns about the usage of biometric information is the case where the biometric template, the synthesis of the biometric characteristics, is stolen. Since the biometric template can’t be revoked, a user can’t revoke his fingerprint or have his iris reissued, this is a very important topic to be taken into account. A solution for that is the storage of the fingerprint information in a secure environment, such as a smart card. It enables the possibility of employing match-on-card (MOC) identification without the need of transmitting the biometric information outside of the card. Inside the card, the biometric information can serve as one of the authentication factors complementing or replacing passwords. 


Despite MOC solutions on the regular smart cards, for example the Portuguese e-ID, there are already deployments on the SIM Card. As shown in the article”Beefing up security with biometrics” from Card Technology Today, May, 2008, the memory needed to store the biometric information is not so high, specially if you take into account the new high-density smart cards. A facial image can require 20KB while the iris image can require 30KB and a fingerprint 8KB. If instead of using the image, the biometric template is used, the size requirements are reduced by around 90% or less. 


What security experts such as Bruce Schneier and Steve Riley discuss is that biometrics should not be used as an authentication secret, but as identity information. By that, the identity, biometric data publicly known, identifies the user, but in order to obtain authorization in a system, a secret is used. This argument is based on the fact that biometrics can be tampered: they can be scanned, they are left when people touch objects, people can be filmed without their consent. Moreover, differently from the secret, the biometric can’t be revoked.


The MOC solution in the smart card mentioned before has the biometric in a context that is hard to characterize between identity or authorization secret. It is something in between, since the biometric information is actually the input to authenticate the person which has the card, but the biometric alone is powerless and the card can be revoked. I woud say that it is secure enough for most of the day-to-day purposes since it combines “what you are” with “what you have” and it can be revoked.  It seems harder once it is easier to steal (or guess) a password than a fingerprint(hopefully not your finger as in those sci-fi  action movies) . 

If you have any comments around the MOC security, please write. I’ll consider them when revising the thesis =)