Among other things, the paper identifies six principles for identification systems:

• Achieve real security or other goals
• Accuracy
• Inclusion
• Fairness and equality
• Effective redress mechanisms
• Equitable financing for systems

From the Executive Summary:

How can these principles be honored in practice? That’s where the "due diligence" process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.

In the pages that follow, we apply this due diligence process to some recurring technical problems with current and proposed identification programs. And we discover—as you’ll see toward the end of the report—that ID programs that rely on "shared secrets," such as Social Security numbers or your mother’s maiden name, are becoming more insecure due to the increased use of identification. Similarly, ID programs based on biometrics such as fingerprints or iris scans are not the "silver bullets" that some proponents claim they are, but rather could become compromised rapidly if deployed in haphazard ways.

We then apply our progressive principles and due diligence insights to two current examples of identification programs. The first details why it would be bad policy to require government-issued photo ID for in-person voting. The second shows the basically sound policy rationale for the Transportation Worker Identification Card, used for workers with access to security-critical port facilities. By examining one identification program that is reasonable, and one that is not, our analysis shows the usefulness of the Progressive Principles for Identification Systems.

I participated in the panel discussion announcing this report, along with Jim Harper (Director of Information Policy Studies at the Cato Institute).

Those so-called Afghan National Auxiliary Police (ANAP), all formerly in the service of local warlords, had received two months of training by Dutch and American soldiers and were now the first line of defense against the Taliban.

Arming tribesmen was a risky idea. True, this sort of tribal initiative had been effective in Iraq. But NATO commanders feared that Afghan loyalties to their warlords ran too deep. NATO was “arming people who were not necessarily in line with the [Afghan] government,” U.S. Brig. Gen. Robert Cone told Wired.com.

So, last month, NATO fired the auxiliary cops and scrapped the tribal strategy, leaving gaping holes in Afghanistan's defenses. The fix? Marines, of course, armed with fingerprint pads, iris scanners and electronic databases.

With these biometric tools, the Marines are planning to recruit new cops who have no ties to tribal warlords. “We know there are some shadow police and some militia-type police,” Lt. Col. Ray Hall, the Marine commander, said. “Once we go through the vetting process, we'll have everybody screened … so that problem should go away.”

That means scanning every new recruit's unique iris “eye prints,” logging their thumb prints and feeding it all into a growing, but still very spotty, national database linked to criminal and intelligence records. If a cop has any known warlord ties, he's disqualified from serving.

CIA teams used FBI biometrics while hunting for known Al Qaeda operatives in Afghanistan in 2001, and since then, the military has gathered data on almost every Afghan it comes in regular contact with.

There's one more problem. Not all the military databases can talk to one another. “We haven't standardized,” said Larry Schneider, a Northrop Grumman VP who last year was working on collapsing many biometrics systems into just one.

Until everyone is looking at the same data, seditious Afghan cops will probably keep falling through the cracks.

Here's the story directly from the Chaos Computer Club (in German), and its Engligh-language guide to lifting and using fingerprints. And me on biometrics from 10 years ago.

In fact, I found the article to be rather upsetting. Not because of the article’s thesis that strong authentication through a national ID program would not necessarily pose a threat to privacy; but rather, because of their naive (and irresponsible) handling of the realities of the biometric authentication challenge. They gloss over the real security challenges with creating a national biometric infrastructure. Here are the two quotes that are most misleading:

• “Confusing privacy with anonymity has delayed implementation of robust, virtually tamper-proof biometric authentication to replace paper-based forms of ID that neither assure privacy nor reliably prove identity.”
• “This emerging technology makes it virtually impossible to assume someone else’s unique identity.”

The problem that the authors are glossing over is that no such technology exists today, and it is unlikely to ever exist. Now, to be fair, I am assuming that a critical success factor for any national biometric program, as described, would be that the authentication devices have to be available, and usable, anyplace paper-based IDs can be used today. This of course implies that the authenticator must be an inexpensive, commodity device, easy to purchase, maintain, and operate. Such a device would have to be even more ubiquitous than the electronic credit card machine.

The problem is that the authenticator itself may be in the possession of the attacker (Perhaps after you authenticate your legitimate purchase the clerk desires to use your identity herself…). In the history of security controls, when the attacker has unsupervised at-will physical access, the attacker wins. Here are a few examples:

• Defeated copy protection on DVDs ( more & more info)
• Cold Boot Crypto Attack on hard disk encryption (more info)
• MiFare RFID Cards (more info)
• Skimming devices attached to ATM machines to steal card and PIN data (more info)

Of course, all of these systems worked in the lab. But when a security system is widely deployed, it has to withstand an enormous amount of scrutiny, and minor flaws will be exploited. And of course, the greater the financial gain, the greater the time and energy attackers invest in trying to defeat the system. The authors of the article ignore these issues, idealistically assuming biometrics will just work.

Now, of course there are lots of examples where biometrics work very effectively. But I would propose that biometric authentication is most useful when the authentication device is physically secure and the authentication itself is supervised. The MiFare example above also demonstrates two other issues:

• The system chose not to implement a reviewed and standard cryptographic algorithm - always a bad idea
• MiFare was able to sell 1 billion cards and authenticators before the system failed

The cost of investing in a national biometric authentication program, and then having the security fail, is enormous. Can you imagine deploying a biometric authentication infrastructure to every bank, police car, restaurant, shop, etc. and then having video on YouTube of it being defeated ?

- Erik

BTW, Maybe the attacker doesn’t even need to tamper with the device -> ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg

Art of Information Security would love your feedback !

What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?