Glossary of Common Biometric and Security Related Terms - Some definitions provided by Wikipedia and used under fair-use license.
iGuard uses Advanced Encryption Standard (AES), also known as Rijndael, which is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analyzed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process.
The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a portmanteau comprising the names of the inventors. Rijndael is pronounced a bit like "Rhine dahl", with a long "i" and a silent "e". (Wikipedia.org)
How secure is 128bit AES Encryption? Assuming that you could build a supercomputer that could "crack" a single DES (Data Encryption Standard) key in a second (i.e., by using a brute force method to try 255 keys per second), then it would take that supercomputer approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old. Grab a cup of coffee, pack a lunch - this will take a while. "According to the NIST - AES has the potential to remain secure well beyond the next twenty years."
Algorithm A limited set of well-defined instructions to solve a task, which leads reliably from a given starting point to a corresponding identifiable end point. It can also be described as a systematic procedure for carrying out a calculation or solving a problem in a limited number of stages. Many algorithms can be implemented as computer programs. In biometric systems, specific algorithms are used, for example, to indicate how a smart card determines whether the input fingerprint matches the template stored on the card or in the database.
ANSI 378 Refers to interoperability standard for fingerprint templates developed by the American National Standards Institute (ANSI). The US governmental requires the use of ANSI 378 templates for Homeland Security Directive (HSPD-12) and Personal Identity Verification (PIV). The US Federal requirements for ANSI 378 are designed to ensure that all employees and contractors are able to use their badges for identification and access to all government facilities.
Automated Fingerprint Identification System (or AFIS) is a system to automatically match one or many unknown fingerprints against a database of known prints. This is done for miscellaneous reasons, not the least of which is because the person has committed a crime. With greater frequency in recent years, AFIS like systems have been used in civil identification projects. The intended purpose is to prevent multiple enrollment in an election, welfare, DMV or similar system. The FBI manages a fingerprint identification system and database called IAFIS, which currently holds the fingerprints and criminal records of over fifty-one million criminal record subjects, and over 1.5 million civil (non-criminal) fingerprint records. US Visit currently holds a repository of over 50 million persons, primarily in the form of two-finger records (by 2008, US Visit is transforming to a system recording FBI-standard tenprint records). (Wikipedia.org)
Authentication Any systematic method of confirming the identity of an individual. Some methods are more secure than others. Simple authentication methods include user name and password, while more secure methods include token-based one-time passwords. The most secure authentication methods include layered or "multi-factor biometric procedures. This is independent of authorization.
1-factor authentication The classic fingerprint-without-card technology is simple and in many cases what serves our customers’ basic needs best. The fingerprint reader solution replaces codes or passwords.
Multi-Factor Authentication: More than one method
3-factor authentication A product with 3-factor authentication, combines smart card, fingerprint and PIN code.
Authorization The administration of person-specific rights, privileges, or access to data or corporate resources.
Biometrics The automatic recognition of persons based on unique combinations of measurable physical or behavioral characteristics. Examples include fingerprints, iris scanning, face and voice recognition, or hand geometry. All of these biometric techniques are differentiated by speed, durability, reliability, and cost effectiveness. Fingerprints are generally considered the most practical biometric identifier in use today.
Biometric Authentication Mode The way biometric data (e.g. fingerprints) is used for authentication. The mode chosen for a biometric installation depends on the specific needs of a site, where either convenience or security may be emphasized. BioCert fingerprint devices may use either of two biometric authentication modes, identification or verification.
Biometric template Biometric templates are representations of a fingerprint or other biometric using series of numbers and letters. Templates are created using sophisticated algorithms, a mathematical process.
Contactless card Smart cards or memory cards which communicate by a radio signal. The range is normally up to 10 cm from the reader.
Dual Interface Card Dual interface cards have contact and contact less interfaces for data and transmission in both directions.
Encryption Making information unreadable/difficult-to read for unauthorized persons.
Enrolling The process of collecting biometric data from the individual, which is later, processed and stored as a template.
False Acceptance Rate Also known as FAR. Measures how frequently unauthorized persons are accepted by the system due to erroneous matching. Potentially serious. The FAR of BioCert devices is currently about .001%.
False Rejection Rate Also known as FRR. Measures how frequently registered users are rejected by the system. This usually amounts to nothing more than inconvenience, since it requires users to try again. The FRR of BioCert devices is currently about .01% and is usually improved by educating users on correct usage of fingerprint recognition devices, especially in high security environments.
FIPS 201 Federal Information Processing Standards 201 creates the framework from the smart card security for PIV IDs.
The US General Services Administration’s (GSA) Approved Products List (APL), is an important requirement in the procurement process for the US Federal Government Homeland Security Presidential Directive 12 (HSPD-12). By fall this year all US Government agencies must initiate the deployment of smart card based ID cards, the so-called PIV (Personal Identity Verification) Cards.
GSA APL In order to eliminate the need for every agency to test and certify products to implement into HSPD-12, The General Services Administration (GSA) was asked to create an Approved Products List (APL). The GSA APL will serve as the buying guide for all of the US Federal Government Agencies. As agencies begin to implement their HSPD-12 and PIV solutions they will use the GSA APL to provide assurance that the products they are purchasing meet guidelines and technical specifications.
HSPD-12 Abbreviation for US Federal government's Homeland Security Presidential Directive, which is a set of requirements for government agencies to improve their security infrastructure.
Identification Also known as one-to-many or 1:n comparison. Authentication mode that compares the current biometric data set against all other reference data of persons previously recorded in the system. This method does not require any accompanying information to be provided with the fingerprint. It is user-friendly but inherently slower and less secure than the verification mode.
ISO International Organization for Standardization.
Latent Fingerprint Latent fingerprints are "left over" fragments usually caused by the build-up of oily residues on the optic sensor window after repeated use. The technique used by BioCert devices to defeat "faked" fingerprints also prevents latent fingerprints from being incorrectly validated by the system.
Matching Biometric data (e.g. fingerprints) are matched to another sample to confirm a person’s identity (authentication). For example, BioCert biometric systems use optic scanners to collect fingerprint minutiae, then create mathematical templates based on that information for storage. New input fingerprints are scanned and compared to the stored samples. If the minutiae matching threshold is met, the person is authenticated.
Matching Method Algorithms for iGuard Fingerprint ID Systems:
Minutiae Based Method: Minutia based algorithms compare several minutia points (ridge ending, bifurcation, and short ridge) extracted from the original image stored in a template with those extracted from a candidate fingerprint. Similar to the pattern-based algorithm, the minutia-based algorithm must align a fingerprint image before extracting feature points. This alignment must be performed so that there is a frame of reference. For each minutia point, a vector is stored into the template in the form:
- mi = (type,xi,yi,θi,W)
- mi is the minutia vector
- type is the type of feature (ridge ending, bifurcation, short ridge)
- xi is the x-coordinate of the location
- yi is the y-coordinate of the location
- θi is the angle of orientation of the minutia
- W is a weight based on the quality of the image at that location
It is important to note that an actual image of the print is not
stored as a template on the iGuard or on the smartcard. Only a representation of a subset of the minutia data and their relative locations is stored as the Fingerprint Information Record or FIR.
Before the matching process begins, the candidate image must be aligned with the template coordinates and rotation. Features from the candidate image are then extracted and compared with the information in the template. Depending on the size of the input image, there can be 10-100 minutia points in a template. A successful match typically only requires 7-20 points to match between the two fingerprints.(Wikipedia.org)
Pattern Matching Method: Pattern based algorithms compare the basic fingerprint patterns (arch, whorl, and loop) between a previously stored template and a candidate fingerprint. This requires that the images be aligned in the same orientation. To do this, the algorithm finds a central point in the fingerprint image and centers on that. In a pattern-based algorithm, the template contains the type, size, and orientation of patterns within the aligned fingerprint image. The candidate fingerprint image is graphically compared with the template to determine the degree to which they match.(Wikipedia.org)
Mifare Mifare is an interface for contact less smart cards and smart card readers. It has been developed by Philips and influencing the ISO14443 Standard.
Minutiae The unique, measurable physical characteristics scanned as input and stored for matching by biometric systems. For fingerprints, minutiae include the starting and ending points of ridges, bifurcations and ridge junctions among other features.
NIST Abbreviation for the National Institute for Standardization of Technology, which is an agency of the US Federal Government which establishes standards and guidelines for private and public sector purposes.
PIV-card Personal Identity Verification Card required to be issued to all US Federal employees and contractors under HSPD-12.
SHA-1 SHA-1, published in 1995, is a hash algorithm designed by the NSA. The size of the output of this algorithm is 160 bits. In 2005, a theoretical method was published to find collisions in SHA-1 with effort smaller than that required for brute force on average (263 instead of 280steps).
Smart card A smart card is a plastic card, which holds a processing chip – like those found in computers. The chip on the card is designed to protect the information stored on it using various security mechanisms.
Strong Passwords (Wikipedia) - A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that successfully guessing it will require too long a time. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. A student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time.
Examples of stronger passwords include:
- [email protected]
These passwords are longer and use combinations of lower and upper case letters, digits, and symbols. They are unlikely to be in any password cracking word list and are sufficiently long to make direct brute force search impractical in some systems. Note that some systems do not allow symbols like #, @ and ! in passwords and they may be hard to find on different keyboard layouts. In such cases, adding another letter or number or two may offer equivalent security.
Template The biometric reference pattern of a person stored for matching. BioCert devices convert fingerprint minutiae into mathematical templates, so actual fingerprint images are not stored and cannot be reconstructed based on template data.
Tokens A physical device that an authorized user of computer services is given to aid in authentication. Hardware tokens are often small enough to be carried in a pocket or purse. Some may store cryptographic keys, like a digital signature, or biometric data, like a fingerprint.
Types of Fingerprint Readers There are several different types of fingerprint readers that are each designed for a different task with varying functionality and reliability. They are generally divided into two segments - Optical and Capacitance which refers to the technology being used to capture the minutiae or pattern matching data and are either Touch Sensors or Swipe Sensors which refers to the method of obtaining the fingerprint data.
- Passive capacitance - A passive capacitance sensor uses the principle outlined above to form an image of the fingerprint patterns on the dermal layer of skin. Each sensor pixel is used to measure the capacitance at that point of the array. The capacitance varies between the ridges and valleys of the fingerprint due to the fact that the volume between the dermal layer and sensing element in valleys contains an air gap. The dielectric constant of the epidermis and the area of the sensing element are known values. The measured capacitance values are then used to distinguish between fingerprint ridges and valleys. (Wikipedia.org)
- Active capacitance - Active capacitance sensors use a charging cycle to apply a voltage to the skin before measurement takes place. The application of voltage charges the effective capacitor. The electric field between the finger and sensor follows the pattern of the ridges in the dermal skin layer. On the discharge cycle, the voltage across the dermal layer and sensing element is compared against a reference voltage in order to calculate the capacitance. The distance values are then calculated mathematically, using the above equations, and used to form an image of the fingerprint. Active capacitance sensors measure the ridge patterns of the dermal layer like the ultrasonic method. Again, this eliminates the need for clean, undamaged epidermal skin and a clean sensing surface. (Wikipedia.org)
- Live layer capacitance scanning - This method of scanning sends an RF current through the surface of the skin or Epithelial layers of dead skin cells to the live skin cell layer. As we age, our skin becomes thinner, less resilient and the individually identifiable characteristics of our fingerprints become harder to read. This fact makes elderly individuals more susceptible to False Rejection Rate based upon the sensors inability to get a good quality print. In 1998, AuthenTec developed a unique semiconductor-based fingerprint reader that uses small RF signals to detect the fingerprint ridge and valley pattern. The RF electronic imaging mechanism called (TruePrint technology ) works by reading the fingerprint pattern from the live, highly-conductive layer of skin that lies just beneath the skin's dry outer surface layer. AuthenTec's TruePrint-based sensors are less affected by common skin surface conditions -- including dry, worn, calloused, dirty or oily skin -- that can impair the ability of other sensors to acquire accurate fingerprint images. That makes TruePrint sensor technology capable of acquiring everyone's fingerprint under virtually any condition.
- Optical Scanner - Optical fingerprint imaging involves capturing a digital image of the print using visible light. This type of sensor is, in essence, a specialized digital camera. The top layer of the sensor, where the finger is placed, is known as the touch surface. Beneath this layer is a light-emitting phosphor layer which illuminates the surface of the finger. The light reflected from the finger passes through the phosphor layer to an array of solid state pixels (a charge coupled device) which captures a visual image of the fingerprint. A scratched or dirty touch surface can cause a bad image of the fingerprint. A disadvantage of this type of sensor is the fact that the imaging capabilities are affected by the quality of skin on the finger. For instance, a dirty or marked finger is difficult to image properly. Also, it is possible for an individual to erode the outer layer of skin on the fingertips to the point where the fingerprint is no longer visible. However, unlike capacitive sensors, this sensor technology is not susceptible to electrostatic discharge damage.(Wikipedia.org)
- Swipe Sensors - This is a sensor whereby the finger is swiped over the sensor in one fluid motion.
- Touch Sensors - This is a sensor whereby the finger is placed on the sensor in a static fashion.
Verification Also known as one-to-one or 1:1 comparison. The verification procedure confirms whether the person in question is actually the person they claim to be. The person’s current biometric data are compared only with their own reference data. This authentication mode requires another unique identifier such as a User ID, PIN, or smart card. Verification is inherently faster and more secure than the identification method.