optionsScalper

verbose=on, snakeOil=off, pontification=on, humanIntelligence=off

Friday, June 17, 2005 - Posts

Security: Biometrics and the vulgar use of authentication in coffee shops

I don't watch much TV.  I don't have time for it and even if I did, there is not much to enjoy.  I like movies and the occasional sporting event, but other than that, nada.  Perhaps if there were the Math Channel where I could watch a 24 hour marathon of the explanation of Wiles's proof of Fermat's Last Theorem or a three part mini-series on "Measuring the bounds of computation" or even a weekend movie like "Big Leo's Excellent Adventure", I might be interested.  The commercials on the Math Channel would be for banks or credit cards and have inside jokes such as "I went out for dinner the other night and paid with my credit card.  I found out I was over the limit.  Boy was I embarrassed.  Fortunately, the amount of the bill was the quantity (a perfect square divided by 100 and multiplied by the eighth Fibonacci number and subtracted from the ninth Lucas number).  After the appropriate transforms, I was able to reconstruct the bill making the total 5 cents.  I gave the waiter a quarter and told him to keep the 20 cent tip."

Seriously, I was watching TV and I saw this commercial for IBM.  Two guys are sitting at what appears to be an airport or a coffee shop (it's hard to tell the difference these days) and the one who is using his ThinkPad swipes his finger on a biometric device.  The other guy in the commercial says something witty, such as "Hey, don't you have to put in a password?"  Do you mean to tell me that we now have devices that can identify me uniquely?  Welcome to the 21st century.  Even Microsoft has a reader here.  The page even states:

"Have you ever sat there, staring at your screen, wondering which password you set?

  • Was it your dog's name?
  • Your birthday backwards?
  • Your best friend's nickname?

Wonder no more. Microsoft has developed a convenient solution for replacing all those passwords with something you don't have to worry about forgetting: your fingerprint."

This is perfectly safe, right?  In fact it sounds downright easy, so it may even improve the security because of that fingerprint thingy.  Let's review the facts.

In the study of security, there is a notion of authorization.  Authorization is the ability to use something.  I am authorized to drive my car because I own it and I have a valid driver's license.  The notion of authentication is also used in security.  This is usually in the form of a challenge.  Upon request of a resource, I challenge you to demonstrate that you are authorized to use the resource.  This is authentication.  My car keys are my authentication that allows me to drive my car.  Note that I can be authorized for a resource without proper authentication.  I am authorized to drive my brother's car, but I cannot authenticate myself in the use of my brother's car without his keys.  My daughter has her temporary driving permit and is authorized to drive my car with an adult present in the vehicle.  She is authenticated to drive my car with my car keys (she doesn't get her own set of keys until she turns 30).  Likewise, I am authorized to use my computer, but I must authenticate myself through a challenge.  This challenge for most Windows computers is in the form of a user ID and password.  The biometric device reduces the likelihood that you will misplace or outright lose your authentication information.

Let's introduce one more idea as taken from RA: functional dependence.  Functional dependence can be stated simply as the dependence of an attribute on one and only one other attribute.  The zip code that I live in determines my state of residence; therefore state is functionally dependent on zip code.  My instance of fingerprint on my right index finger is functionally dependent on the instance of me (or more properly the instance of my finger should it become severed, dismembered or otherwise).  Hmmmmmmmmmm

Now I've been taught by all of the security experts that I must change my password on a regular basis for any authorized resource that requires authentication with a password.  I should use a password that is difficult, i.e. not subject to simple word search attacks.

Now maybe it's me, but there seem to be two things in direct conflict here. I should change my password regularly, but I can substitute a device with biometrics for my password where the biometric measure is unchanging and has functional dependence on the instance of me.  Ummmmmm.  Hang on with that.  Isn't this biometric stuff secure?  It magically takes my fingerprint, so I can trust it.  It is impervious to attack, right?  Which practice is better, change your password a lot, or use a static digitized version of your fingerprint that you will never change? (unless you use that device in your kitchen called a stove and burn them off or something)

If we skip forgery attacks, i.e. someone is able to recreate your fingerprint and apply it on the biometric device, a considerable remaining attack is the representation of the fingerprint in byte form in memory after the biometric device has collected the data.  If this is collected in memory in the PC, it is subject to all of the typical spyware/virus/other attacks.  It is just another piece of data that can be collected and manipulated by a determined adversary.  If the path between collection and authentication is not sufficiently protected (in hardware or by other means), the data is subject to attack.
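The point about the unprotected path can be made concrete with a short added example (not part of the original post; the `Sensor` and `BoundVerifier` classes are hypothetical, the template bytes are constructed, and the MAC key is assumed to live only in reader hardware and in a verifier that host malware cannot read). A host that accepts raw template bytes accepts a captured copy forever, while a reader that MACs its match result over a fresh nonce produces a response that is useless on the next attempt.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a digitized fingerprint; real matching is fuzzy, not exact.
ENROLLED = hashlib.sha256(b"constructed-fingerprint-template").digest()

class NaiveVerifier:
    """Accepts whatever template bytes arrive over the reader-to-host path."""
    def verify(self, template: bytes) -> bool:
        return hmac.compare_digest(template, ENROLLED)

class Sensor:
    """Hypothetical reader: matches on-device, MACs the result with a hardware-held key."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, scanned: bytes, nonce: bytes) -> bytes:
        ok = b"\x01" if hmac.compare_digest(scanned, ENROLLED) else b"\x00"
        return hmac.new(self._key, nonce + ok, hashlib.sha256).digest()

class BoundVerifier:
    """Issues a fresh single-use nonce per attempt and checks the sensor's MAC over it."""
    def __init__(self, key: bytes):
        self._key, self._nonce = key, None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume the nonce
        if nonce is None:
            return False
        want = hmac.new(self._key, nonce + b"\x01", hashlib.sha256).digest()
        return hmac.compare_digest(response, want)

def demo() -> dict:
    key = secrets.token_bytes(32)
    sensor, host = Sensor(key), BoundVerifier(key)
    live = sensor.respond(ENROLLED, host.challenge())
    out = {"naive_replay": NaiveVerifier().verify(ENROLLED),  # captured bytes resent
           "bound_live": host.verify(live)}
    host.challenge()  # next login attempt gets a new nonce
    out["bound_replay"] = host.verify(live)  # captured response resent
    return out
```

The nonce binding only addresses capture on the path; it does nothing about the template itself being a value that can never be rotated.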

Now I am not advocating an attack here.  I don't own a ThinkPad or a Microsoft Fingerprint Reader.  I haven't attempted to collect the byte code for a biometric data observation.  I do think this stuff is cool.  But I don't think that it is secure.  In fact I would argue that this stuff provides for a false feeling of security for the user of the device.  I'm unaware of any attack on these devices or this method of authentication.  I suspect that those that work on these types of hacks/breaks would prefer a sense of security for the user.

I suppose I should be a good scalper and do some research here to determine the efficacy of such an attack.  Maybe a threat model is appropriate as well.  I just think that there is vulnerability.

In the meantime, I'll be watching for people who want to change their password on their biometric laptops in coffee shops and airports by swiping their big toe or some other body part that will give a unique ID . . .

posted Friday, June 17, 2005 8:50 PM by optionsScalper with 3 Comments
