Biometrics into the NET with Smartphones
BioMetrics into the Net with Smart Phones / Why not use Biometrics for Internet (T5D)
Convener: Shin, Takashima, Yamada
Notes-taker(s): Christopher Arnold
Tags for the session - technology discussed/ideas considered:
Toshiba - Biometric data transfer over the internet
ACBio - International Standard
Internet enabler for Biometrics
Smartphone for authentication device
Authentication Context for Biometrics
Data format standard for biometrics in internet
Toshiba started the standardization work in May 2009
Fingerprint, finger vein, palm vein, facial image used as verifier of identity
Biometrics currently used for passports, driver's licenses, ATMs (in Japan)
But not supported on the internet as a widely used protocol. Why?
Other approaches:
Passwords get attacked by phishing, key logging, impersonation with stolen passwords
Passwords forgotten
Device paired authentication:
For tokens, tamper resistance is good. But the IC card can be stolen together with its PIN, and PINs are forgotten as often as passwords.
Biometrics: good against impersonation, good on operation. Without ACBio, weak on the internet.
Q: There is an "equal error rate" for passwords. False negatives and false positives are equal. So that's why we still use passwords today.
ACBio addresses data format for the evidence data of biometric authentication
BioMetrics typically not used on internet. Why?
Unfair use case in music. (Compromised device or inappropriate rights)
Block special devices used to impersonate others
Possible leakage of biometric data leaked from site?
Should user register biometric info for each service?
Send binary evidence information securely over the internet to a verification server with ACBio.
Debate: hash security and location of pairing of evidence with stored biometric challenge.
Slide Notes:
Stored template (portable device, IC card) is compared against the sample data.
Client application captures the data and sends the resulting evidence to the server, where it is validated by the ACBio validation server.
Two streams are combined: the evidence data of the device and of the sample are paired.
The comparison result is validated afterwards.
Q: Passwords can have an untrusted device and use the hash algorithm?
X.509 certificate of the BPU
Report on BPU
Control value block
Challenge
Biometric process block
Data type and hash value of input
Data type and hash value of output
BRT certificate information block
Certificate for the registered template
Challenge from validator in order to prevent replay attacks.
Definitions:
BPU=Biometric processing Unit
BRT=Biometric Reference Template
A central revocation list gives every system that consults it a means to block compromised devices.
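The evidence structure in the slide notes (BPU report, control value block, validator challenge, process block with input/output hashes, BRT certificate block) and the revocation list above can be exercised end to end with a small model. The following is an added example, not Toshiba's code and not the ISO/IEC 24761 encoding: it is a constructed, simplified exchange in which an HMAC key stands in for the BPU's X.509 certificate, the revocation list and registered templates are in-memory dictionaries, and all identifiers, keys and sample bytes are made up. It shows why the challenge must be single-use (replay), why the signature must cover the whole body (tampering with the result), and where the revocation check and the template check sit.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for per-BPU credentials. In ACBio the BPU carries an
# X.509 certificate and signs the evidence; here a per-BPU HMAC key plays that
# role so the example runs offline without a PKI.
BPU_KEYS = {
    "bpu-0001": b"constructed-key-for-bpu-0001",
    "bpu-0002": b"constructed-key-for-bpu-0002",
}
# Hypothetical central revocation list: compromised BPUs are listed here.
REVOKED_BPUS = {"bpu-0002"}
# Hash of each user's registered reference template (BRT), constructed.
REGISTERED_BRT = {"alice": hashlib.sha256(b"constructed-alice-template").hexdigest()}


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_evidence(bpu_id, challenge, sample, template, result):
    """BPU side: build the evidence blocks, binding the validator's challenge,
    the hashes of the process input/output and the template, then sign."""
    body = {
        "bpu_report": {"bpu_id": bpu_id, "vendor": "constructed-vendor"},
        "control_value": hashlib.sha256(b"constructed-bpu-config").hexdigest(),
        "challenge": challenge,
        "process": {
            "input_type": "finger-vein-sample",
            "input_hash": hashlib.sha256(sample).hexdigest(),
            "output_type": "comparison-result",
            "output_hash": hashlib.sha256(_canonical(result)).hexdigest(),
        },
        "brt_cert": {"template_hash": hashlib.sha256(template).hexdigest()},
        "result": result,
    }
    sig = hmac.new(BPU_KEYS[bpu_id], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


class Validator:
    """Validation-server side: issues one-shot challenges, checks the evidence."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.outstanding = {}  # challenge -> time issued

    def issue_challenge(self):
        c = secrets.token_hex(16)
        self.outstanding[c] = time.time()
        return c

    def validate(self, user, evidence):
        body = evidence["body"]
        bpu_id = body["bpu_report"]["bpu_id"]
        if bpu_id not in BPU_KEYS:
            return False, "unknown BPU"
        if bpu_id in REVOKED_BPUS:
            return False, "BPU revoked"
        # Verify the signature before consuming the challenge, so an unsigned
        # forgery cannot burn an outstanding challenge for the real device.
        expected = hmac.new(BPU_KEYS[bpu_id], _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["signature"]):
            return False, "signature mismatch (evidence tampered or wrong key)"
        issued = self.outstanding.pop(body["challenge"], None)
        if issued is None:
            return False, "challenge unknown or already used (replay)"
        if time.time() - issued > self.ttl:
            return False, "challenge expired"
        if body["brt_cert"]["template_hash"] != REGISTERED_BRT.get(user):
            return False, "template is not the one registered for this user"
        if not body["result"].get("match"):
            return False, "biometric comparison reported no match"
        return True, "accepted"


def demo():
    """Run a fresh exchange, then a replay of the same evidence."""
    v = Validator()
    c = v.issue_challenge()
    ev = make_evidence("bpu-0001", c, b"constructed-sample", b"constructed-alice-template",
                       {"match": True, "score": 0.97})
    first = v.validate("alice", ev)
    second = v.validate("alice", ev)  # same evidence again: must be refused
    return first, second


if __name__ == "__main__":
    print(demo())
```

The ordering in `validate` is a design choice, not something the notes prescribe: the revocation lookup comes first because it is cheap and decisive, the signature check precedes the challenge lookup so that only the genuine BPU can consume a challenge, and the one-shot `pop` is what turns a replayed evidence record into a rejection even though every byte of it is otherwise valid.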
Current operating standard: ISO/IEC 24761
There is a standard now, but not operationalization
Plan to partner to realize the scheme.
Two OEMs in Japan considering. One carrier.
Debate: Software vendors who want to use ACBio to pass "Liveness tested palm vein" liveness detection
Other models pair an NFC chip to the computer (e.g. embed the validation server in the car in case internet service is lost).
Possible tie into Car entry or location based Door unlock