Archive for September, 2007

Cryptanalysis and Attacks on Cryptosystems

September 30th, 2007

Cryptanalysis is the art of deciphering encrypted communications without knowing the proper keys. Some of the more important cryptanalytic techniques are:

Cipher text only attack: This is the situation where the attacker does not know anything about the contents of the message, and must work from cipher text only. In practice it is quite often possible to make guesses about the plain text contents of messages, as many types of messages have fixed-format headers. Even ordinary letters and documents begin in a very predictable way. It may also be possible to guess that some cipher text block contains a common word.

Known plain text attack: The attacker knows or can guess the plain text for some parts of the message. The task is to decrypt the rest of the cipher text blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.

Chosen plain text attack: The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption. Some encryption methods, particularly RSA, are extremely vulnerable to chosen plain text attacks. When such algorithms are used, extreme care must be taken to design the entire system so that an attacker can never have chosen plain text encrypted.

Man-in-the-middle attack: This attack is relevant for cryptographic communication and key exchange protocols. When two parties are exchanging keys for secure communications (e.g., using Diffie-Hellman), an adversary puts himself between the parties on the communication line. The adversary then performs a separate key exchange with each party, decrypts communications, and encrypts them again for sending to the other party. The parties think that they are communicating securely, but in fact the adversary is hearing everything.

Man-in-the-middle attacks can be averted if each party computes a cryptographic hash function of the key exchange (or at least the encryption keys), signs it using a digital signature algorithm, and sends the signature to the other. The recipient then verifies that the signature came from the other party, and that the hash in the signature matches the one computed locally.

Timing attack: This attack is based on repeatedly measuring the exact execution times of modular exponentiation operations. It is relevant to at least RSA, Diffie-Hellman, and Elliptic Curve methods.

Cryptography

Does using biometrics increase likelihood of capture, coercion or

September 30th, 2007

Users may be concerned that the use of biometric authentication will increase the danger that they will find themselves targeted by ruthless criminals who are intent on gaining entry to the assets protected by the biometric. With non-biometric authentication, cards, keys, and passwords could be stolen and used by criminals without the presence of the user. If biometrics are employed so that the physical presence of the user is required, this may place the user at more risk.

It is hard to produce a definitive analysis of the situation, in the absence of any long term experience with widely deployed biometric systems. One is left to a speculative consideration on likely scenarios and outcomes. Nowadays, even low grade crimes are frequently accompanied with physical assault (e.g. muggings) for small gains such as cash, mobile phones or credit cards. If biometrics were used to provide authentication for (say) credit card transactions and mobile phone calls, would this increase or decrease the likelihood or degree of violence employed? It could reasonably be argued that petty criminals usually go for “hit and run” attacks and don’t want to hang around forcing victims to go to ATM machines and withdraw cash etc. For this type of crime, it seems likely that biometric authentication would act as a deterrent.
[Source: Biometric Security Concerns, produced for the UK Biometric Working Group. Last updated September 2003]
For serious, organised crime, violence is endemic and may be used directly against victims or their families and friends. Again, it is not clear that the use of biometrics would make a significant difference to the frequency or degree of coercion and violence used.

Solutions

Contrary to the concern expressed, the use of biometrics may actually serve to reduce the likelihood of coercion, because in many cases it would be likely to increase the risk of arrest for the perpetrator.

Effective liveness checks would act as a countermeasure to the successful use of cadavers or severed limbs etc. and hence to the motivation for such attempts.

The use of biometrics (and other electronic authentication) provides an opportunity for the use of duress codes to allow a transaction to take place but alert the authorities that it is involuntary.

Biometrics security

Does publicising countermeasures make the systems less secure?

September 30th, 2007

If details of countermeasures employed in biometric systems are publicised, it may help attackers to avoid or defeat them. Similarly, if attackers know what countermeasures are not employed, this will help them identify potential weaknesses in the system, and direct attacks towards those weak areas.

The counter-argument is that public exposure of countermeasures and vulnerabilities will lead to a more mature and responsible attitude from the biometrics community and promote the development of more secure systems in the future. Generally, achieving security through obscurity is not seen as a viable policy as it depends on the assumed difficulty of analysis which is a hostage to fortune. For example the design of a “secure” mechanism may fall into the hands of an attacker and, if the underlying security is not adequate, compromise will result. Certainly in the traditional area of cryptography, the philosophy that is normally adopted is to assume that an opponent will have knowledge of the design of the cryptographic algorithm, but that knowledge should not compromise the cryptographic security.

That is not to say that obscurity cannot provide any protection, rather that the protection is invariably unpredictable and may be short-lived. If we wish to make biometric devices and applications secure it is necessary to understand the threats and put in place effective countermeasures, technical and procedural. A parallel may be drawn with the field of IT vulnerabilities where the world has had time to come to terms with the idea and not seek to suppress knowledge. Rather, the approach is to report problems to the developers so that they can be fixed and patches issued. The balance between (excessive) publicity and suppression has been struck, founded on pragmatic principles based on experience. If and when biometrics are widely deployed, a similar approach can be expected to be adopted.

Whatever the merits of the arguments, they are likely to be overtaken by events. Suppression by governments or companies will not inhibit individual researchers and consumer magazines from investigating the subject. Already in the biometrics area, a number of ad-hoc security evaluations have been conducted and the results published. The following table lists some of them.

Biometrics security

Biometric algorithms are proprietary and not validated

September 30th, 2007

Many encryption algorithms are publicly available to allow cryptographers to analyse and verify the strength of the encryption. Biometric algorithms are not readily available for review and are thus an unknown factor.

Biometric algorithms do not generally fulfil the same purpose as cryptographic algorithms. Rather, they represent the encoding rules for the biometric feature set to derive a template in order to provide a means of distinguishing between the features of enrolled users of the system. The purpose of the biometric algorithm is functional rather than security related, though there may be security connotations.

If an analyst (or an attacker) wishes to understand the working of the algorithm, then the task is likely to be easier if the algorithm is publicly available. An impostor might wish to examine the algorithm to determine how the biometric-to-template mapping works, and what elements are more and less important to the authentication process. This knowledge could aid the construction of an artefact intended to spoof the system, particularly if the approach was to be that of an artificially constructed image rather than a copy of a known legitimate image. An undisclosed algorithm would make this process more difficult (security through obscurity) but is unlikely to resist a determined attack that might involve reverse engineering of the algorithm. Conversely, a publicly available algorithm may help to highlight potential weaknesses and thereby assist in their eradication (i.e. as for the case of password algorithms).

Biometrics security

Biometrics should only be stored on smart-cards

September 29th, 2007

This is a sometimes heard expression of concern about the potential misuse of biometric data stored on central databases. It refers to the threat to privacy that such centralised collections of personal data could pose if compromised.

Biometric data are regarded as personal data and hence subject to the controls appropriate to personal data. There is a perceived fear that biometric data may be shared between applications, perhaps without the knowledge or consent of the subjects. This concern may be amplified if biometric images are stored, rather than the coded template data only, particularly for large-scale public applications where there may be perceived Orwellian overtones. This area is addressed in the UK by the Data Protection Act 1998 (DPA), which applies to biometric data just as much as to other personal data. Codes of conduct may be needed to provide specific interpretation of the DPA for biometric applications.

Biometric data are not usually held in isolation. They are typically associated with other personal data that may form part of the identification and authentication process itself, or subsequently for access control permissions. Associated data is normally not unique to biometric authentication systems, and is commonly stored centrally on non-biometric applications, not apparently eliciting equivalent concern.

Solutions

A potential solution is seen in the storing of personal data on secure tokens or smart cards that are held by the users themselves. The assumption is that this will obviate the need for a central database of biometric data, and therefore negate any privacy concerns. This is attractive because it promotes the idea of anonymous authentication. However, anonymous authentication has its limits and may not be tenable in many circumstances. For example in government applications, it will typically not be sufficient to know that the person applying for the benefit payment/passport/driving licence is who they claim to be. It will also be necessary to check that they are entitled to the service or payment requested and not enrolled multiple times under different identities. To do this a central database of claimants will almost certainly be needed, even if a token or smart card is used as part of the authentication process. In these cases, the privacy protection advantage ascribed to user-held tokens or smart cards will be largely illusory.

To mitigate the risk of functional creep, the biometric data can be bound to the application through the use of cryptographic signature techniques.

Biometrics security

Digital signatures

September 28th, 2007

A digital signature is a block of data that was created using a secret key, and for which a public key can be used to verify that the signature was generated using the corresponding private key. The algorithm used to generate the signature must be such that without knowing the secret key, it is not possible to create a signature that would verify as valid.

Digital signatures are used to

  • verify that a message really comes from the claimed sender (assuming that only the sender knows the secret key corresponding to his/her public key)

  • time-stamp documents
    A trusted party signs the document and its time stamp with his/her secret key, thus testifying that the document existed at the stated time.

  • testify (or certify) that a public key belongs to a particular person
    This is done by signing the combination of the key, and the information about its owner, by a trusted key. The reason for trusting that key may again be that it was signed by another trusted key. Eventually, some key must be a root of the trust hierarchy (that is, it is not trusted because it was signed by somebody, but because you believe a priori that the key can be trusted). In a centralized key infrastructure, there are very few roots in the trust network (e.g., trusted government agencies). Such roots are also called certification authorities. In a distributed infrastructure, there need not be any universally accepted roots, and each party may have different trusted roots (such as the party’s own key and any keys signed by it). This is the web of trust concept used in, for example, PGP.

A digital signature of an arbitrary document is typically created by computing a message digest from the document, and concatenating it with information about the signer, a time stamp, and/or other data. The resulting string is then encrypted using the private key of the signer, using a suitable algorithm. The resulting encrypted block of bits is the signature. It is often distributed together with information about the public key that was used to sign it.

To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it purports to belong to (using the web of trust or a priori knowledge), and then decrypts the signature using that person’s public key. If the signature decrypts properly and the information matches that of the message (proper message digest, etc.), the signature is accepted as valid.

Several methods for making and verifying digital signatures are freely available. The most widely known algorithm is RSA.
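The following Python code is an added example, not part of the original posts, and works through two things described on this page: the defence against man-in-the-middle attacks from the cryptanalysis post (each party signs a hash of the key exchange and the peer verifies it against its own view) and the hash-then-sign / verify procedure described in this post. It assumes a Lamport one-time signature built from SHA-256 as a stand-in for the RSA signature the text has in mind, and a toy Diffie-Hellman group (modulus 2^255 − 19, generator 2) chosen for brevity rather than security.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (an assumption for this example, not a vetted group):
# the prime 2^255 - 19 used as a plain modulus with generator 2.
P = 2**255 - 19
G = 2


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: a hash-based stand-in for RSA/DSA -----------
def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte values; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(s0), sha256(s1)) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Hash the message, then reveal the secret value selected by each digest bit."""
    d = int.from_bytes(sha256(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Valid iff every revealed value hashes to the public value for that bit."""
    d = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


# --- Diffie-Hellman with a signed transcript hash ----------------------------
def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)


def transcript_hash(g_a: int, g_b: int) -> bytes:
    """Hash of the two public values as one party observed them."""
    return sha256(g_a.to_bytes(32, "big") + g_b.to_bytes(32, "big"))


def run_exchange(mitm: bool):
    """Return (alice_accepts, bob_accepts, keys_agree).

    With mitm=True, Mallory replaces each party's public value with her own
    before it reaches the peer; the signatures are forwarded unchanged, since
    Mallory holds neither long-term signing key."""
    a, g_a = dh_keypair()
    b, g_b = dh_keypair()
    sk_a, pk_a = lamport_keygen()   # long-term signing keys; the public halves are
    sk_b, pk_b = lamport_keygen()   # assumed already authenticated (e.g. by a CA)

    if mitm:
        _, g_m = dh_keypair()
        g_a_at_bob, g_b_at_alice = g_m, g_m
    else:
        g_a_at_bob, g_b_at_alice = g_a, g_b

    # Each side signs the exchange as it saw it ...
    sig_a = lamport_sign(sk_a, transcript_hash(g_a, g_b_at_alice))
    sig_b = lamport_sign(sk_b, transcript_hash(g_a_at_bob, g_b))
    # ... and checks the peer's signature against its own view of the exchange.
    alice_accepts = lamport_verify(pk_b, transcript_hash(g_a, g_b_at_alice), sig_b)
    bob_accepts = lamport_verify(pk_a, transcript_hash(g_a_at_bob, g_b), sig_a)

    key_alice = pow(g_b_at_alice, a, P)
    key_bob = pow(g_a_at_bob, b, P)
    return alice_accepts, bob_accepts, key_alice == key_bob


if __name__ == "__main__":
    print("honest exchange:", run_exchange(mitm=False))   # (True, True, True)
    print("with MITM:      ", run_exchange(mitm=True))    # (False, False, False)
```

Without the signatures both parties would compute a key shared with Mallory and notice nothing; with them, each side rejects because the signed transcript differs from the one it observed.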

Cryptography

Cryptographic Algorithms

September 28th, 2007

There are two classes of key-based algorithms, symmetric (or secret-key) and asymmetric (or public-key). The difference is that symmetric algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key.

Symmetric or private key algorithms are a very secure solution for an individual or small organization, but ineffective on a larger scale. Common symmetric algorithms are RC4 and DES.

Public key systems allow a cryptosystem to be maintained by a group of users. These systems rely on one-way functions, functions which are easy to calculate but hard to invert or reverse without prior knowledge. Each user has a private key that is kept secret and a public key that is publicly known. The best known public key system is RSA.

Many modern cryptographic protocols use a combination of public-key cryptography and symmetric cryptography to obtain the benefits of both: public-key algorithms to exchange a symmetric key, and symmetric algorithms to quickly encrypt or decrypt data.

Cryptography

How do we know when the system is becoming less secure?

September 28th, 2007

Biometric systems may be initially adequately secure, but become less so with passing time. This could be because critical security parameters such as threshold settings become maladjusted, or sloppy enrolment procedures lead to poor enrolment quality. Some biometric systems are self-adaptive which means that the templates are updated each time a user accesses the system. This feature is intended to maintain the system performance (essentially to stop the false rejection rate increasing) if the users’ biometric characteristics change over time. Such updating may result in the reference templates becoming weaker (easier for an impostor to attack) without supervisors being aware of anything untoward. The problem may be exacerbated if coupled with sloppy user behaviour which results in poor quality images that translate into weaker templates.

An impostor, working in collusion with an enrolee, could gradually “train” the system away from the enrolee’s template onto the impostor’s template.

Solutions

The risks can be countered through system audit and testing. If security relevant events are logged, then changes in security parameters can be audited. Suspicious events such as persistent authentication failures can also be checked. If the system is capable of checking its own performance, then it could monitor the template separation of enrolled users and flag conditions where the separation becomes inadequate. Clearly, these measures are likely to be more difficult to apply in large distributed systems where logs and templates may also be distributed.

Biometrics security

Elliptic curve key pairs

September 27th, 2007

Elliptic curve key pairs must be generated during the operation of each of the schemes specified in this document. The key pair generation process requires a secure random or pseudorandom number generator. Design of secure random and pseudorandom number generators is notoriously difficult and implementers should therefore take care to pay attention to this aspect of their system design.

Once a key pair has been generated, it is often necessary to convey the public key in an authentic manner to other entities. One way of achieving this authentic distribution is to have the key certified by a trusted Certification Authority within a Public Key Infrastructure.

In many schemes it is desirable for an entity to receive assurance that an elliptic curve public key is valid or partially valid before they use the public key to, say, verify a signature. This process can help prevent small subgroup attacks and other attacks based on the use of an invalid public key.
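An added Python example (not from SEC 1 or the original post) of the public key validation the last paragraph recommends, run on secp256k1 with its published SEC 2 parameters; the affine point arithmetic and double-and-add loop are this example's own toy code and are not constant time. The routine applies the SEC 1 full-validation steps in order: reject O, check both coordinates are field elements, check the curve equation, and check n·Q = O, the step that keeps a key from lying in a small subgroup on curves with cofactor greater than 1.

```python
# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over F_p, order n, cofactor 1
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None   # the point at infinity O


def ec_add(p1, p2):
    """Affine point addition (toy code: not constant time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                      # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P    # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    """Right-to-left double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def validate_public_key(q) -> bool:
    """Full public-key validation in the order SEC 1 gives the checks."""
    if q is INF:
        return False                                        # 1. Q != O
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False                                        # 2. x, y are in F_p
    if (y * y - (pow(x, 3, P) + A * x + B)) % P != 0:
        return False                                        # 3. Q lies on the curve
    return ec_mul(N, q) is INF                              # 4. nQ = O: Q is in the
                                                            #    prime-order subgroup


if __name__ == "__main__":
    print("G valid:", validate_public_key(G))                            # True
    print("off-curve point rejected:", validate_public_key((G[0], G[1] + 1)))   # False
```

On secp256k1 step 4 never fails for a point that passed step 3, because the cofactor is 1; on a curve with a larger cofactor it is the check that rejects a point of small order.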

Cryptography

Will I know when and how my biometric has been used?

September 27th, 2007

This is related to the covert use of biometrics (see “Can my biometric be collected covertly?” previously), and to functional creep in applications. It is important to realise that authentication does not necessarily imply consent, and it is consent which is the issue of concern here. Any application could be affected though the concern will grow with wider deployment of biometric systems and the opportunities and motivation for sharing biometric data increase.

It is unlikely that biometric applications using different technologies could share biometric data between them which will act as one limiting factor. Depending on future template and image standards, applications using similar technologies from different vendors may or may not be able to share data. The desire for integration and interoperability of biometric systems is likely to grow and will act as a driver for standardisation.

Functional creep and data sharing are not concerns that are limited to biometric systems. They are common experiences in the modern world with interconnection of systems, and address and lifestyle information is routinely traded as marketing commodities. Biometric data may therefore be seen as just one more example, but its intrinsically personal nature coupled with its role in defining and authenticating identity may render it peculiarly sensitive.

This is likely to become an increasing problem with the growth in use of biometrics for authentication. With the widespread use of networked applications, the opportunities for sharing data will increase and controls will be harder to enforce.

Solutions

Legal and procedural constraints are the first line of defence against functional creep and covert capture. The Data Protection Act requires that applications storing and processing personal data adhere to the principles and that the purpose and operation of the system is declared, not only to the Information Commissioner, but also to the users. Changes in functionality are not allowed unless approved by the resubmission and registration of the system.

Audit trails can provide users with evidence of proper implementation of the system privacy policy and any violations that may have occurred.

Technology can provide solutions by cryptographic binding of templates to specific applications, but successful employment will also depend on strict procedural enforcement. It should be noted that, typically, biometric data will exist (transiently) in clear form within the biometric system to allow the matching process to take place.

Biometrics security

Valuable assets are traditionally protected by secrecy

September 27th, 2007

Valuable assets are traditionally protected by secrecy, typically secret passwords. Biometric features are often readily observed and do not possess equivalent secrecy. They may also be captured with varying degrees of difficulty.

This is a variation on the spoofing concern. It is certainly true that the source biometric features are not secret, but the argument as expressed is based on an incorrect premise. In fact, biometric security does not depend on the secrecy of the basic biometric features (people readily rely on biometric identification in its human form in day-to-day use). Rather, it depends on the integrity of the authentication mechanism which, in the context of issue raised here, translates into the difficulty of capturing the biometric features of a target and then constructing an artefact that will spoof the system. This can be contrasted with a password which, once disclosed, is trivial to exploit.

Biometrics security

EllipticCurvePoint-to-OctetString Conversion

September 26th, 2007

Elliptic curve points should be converted to octet strings as described in this section. Informally, if point compression is being used, the idea is that the compressed y-coordinate is placed in the leftmost octet of the octet string along with an indication that point compression is on, and the x-coordinate is placed in the remainder of the octet string; otherwise if point compression is off, the leftmost octet indicates that point compression is off, and the remainder of the octet string contains the x-coordinate followed by the y-coordinate. Formally the conversion routine is specified as follows:

Input: A point P on an elliptic curve over F_q defined by the field elements a, b.

Output: An octet string M of length mlen octets where mlen = 1 if P = O, mlen = ⌈(log₂ q)/8⌉ + 1 if P ≠ O and point compression is used, and mlen = 2⌈(log₂ q)/8⌉ + 1 if P ≠ O and point compression is not used.

Actions: Convert P to an octet string M = M₀ M₁ … M_{mlen−1} as follows:

1. If P = O, output M = 00₁₆.
2. If P = (x_P, y_P) ≠ O and point compression is being used, proceed as follows:
   2.1. Convert the field element x_P to an octet string X of length ⌈(log₂ q)/8⌉ octets using the conversion routine specified in Section 2.3.5.
   2.2. Derive from y_P a single bit ỹ_P as follows (this allows the y-coordinate to be represented compactly using a single bit):
      2.2.1. If q = p is an odd prime, set ỹ_P = y_P (mod 2).
      2.2.2. If q = 2^m, set ỹ_P = 0 if x_P = 0, otherwise compute z = z_{m−1} x^{m−1} + … + z₁ x + z₀ such that z = y_P · x_P^{−1} and set ỹ_P = z₀.
   2.3. If ỹ_P = 0, assign the value 02₁₆ to the single octet Y. If ỹ_P = 1, assign the value 03₁₆ to the single octet Y.
   2.4. Output M = Y ‖ X.
3. If P = (x_P, y_P) ≠ O and point compression is not being used, proceed as follows:
   3.1. Convert the field element x_P to an octet string X of length ⌈(log₂ q)/8⌉ octets using the conversion routine specified in Section 2.3.5.
   3.2. Convert the field element y_P to an octet string Y of length ⌈(log₂ q)/8⌉ octets using the conversion routine specified in Section 2.3.5.
   3.3. Output M = 04₁₆ ‖ X ‖ Y.
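The conversion above as an added Python example, not from SEC 1 or the original post: it implements steps 1, 2 and 3 for the odd-prime case q = p on secp256k1 (the q = 2^m branch of step 2.2.2 is omitted) and adds the inverse routine so a round trip can be checked, including rejection of a malformed or off-curve encoding. Because p ≡ 3 (mod 4) for this curve, recovering y_P from a compressed encoding needs only one modular exponentiation.

```python
# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over F_p with p = 3 (mod 4)
P = 2**256 - 2**32 - 977
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
FLEN = (P.bit_length() + 7) // 8     # ceil((log2 q)/8): 32 octets for this curve


def point_to_octets(pt, compressed=True) -> bytes:
    """SEC 1 point-to-octet-string conversion; None stands for the point O."""
    if pt is None:
        return b"\x00"                                   # step 1
    x, y = pt
    x_oct = x.to_bytes(FLEN, "big")                      # steps 2.1 / 3.1 (Section 2.3.5)
    if compressed:
        y_tilde = y & 1                                  # step 2.2.1: y_P mod 2
        return bytes([0x02 | y_tilde]) + x_oct           # steps 2.3, 2.4: Y || X
    return b"\x04" + x_oct + y.to_bytes(FLEN, "big")     # step 3.3: 04 || X || Y


def octets_to_point(m: bytes):
    """Inverse conversion; raises ValueError on malformed or off-curve input."""
    if m == b"\x00":
        return None
    if not m:
        raise ValueError("empty encoding")
    tag = m[0]
    if tag in (0x02, 0x03) and len(m) == 1 + FLEN:
        x = int.from_bytes(m[1:], "big")
        if x >= P:
            raise ValueError("x is not a field element")
        rhs = (pow(x, 3, P) + B) % P
        y = pow(rhs, (P + 1) // 4, P)                    # square root, valid as p = 3 (mod 4)
        if y * y % P != rhs:
            raise ValueError("x is not on the curve")
        if (y & 1) != (tag & 1):                         # pick the root whose parity is y~_P
            y = P - y
        return (x, y)
    if tag == 0x04 and len(m) == 1 + 2 * FLEN:
        x = int.from_bytes(m[1:1 + FLEN], "big")
        y = int.from_bytes(m[1 + FLEN:], "big")
        if x >= P or y >= P:
            raise ValueError("coordinate is not a field element")
        if (y * y - pow(x, 3, P) - B) % P != 0:
            raise ValueError("point is not on the curve")
        return (x, y)
    raise ValueError("malformed point encoding")


if __name__ == "__main__":
    print(point_to_octets(G).hex())                      # 33 octets, leading 02
    print(point_to_octets(G, compressed=False).hex())    # 65 octets, leading 04
    print(octets_to_point(point_to_octets(G)) == G)      # True
```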

Cryptography