Does publicising countermeasures make the systems less secure?
If details of countermeasures employed in biometric systems are publicised, it may
help attackers to avoid or defeat them. Similarly, if attackers know what
countermeasures are not employed, this will help them identify potential weaknesses
in the system, and direct attacks towards those weak areas.
The counter-argument is that public exposure of countermeasures and vulnerabilities
will lead to a more mature and responsible attitude from the biometrics community and
promote the development of more secure systems in the future. Generally, achieving
security through obscurity is not seen as a viable policy, as it depends on the assumed
difficulty of analysis, which is a hostage to fortune. For example, the design of a “secure”
mechanism may fall into the hands of an attacker and, if the underlying security is not
adequate, compromise will result. Certainly in the traditional area of cryptography, the
philosophy that is normally adopted is to assume that an opponent will have knowledge
of the design of the cryptographic algorithm, but that this knowledge should not
compromise the cryptographic security.
Biometric Security Concerns produced for the UK Biometric Working Group. Last updated September
2003
That is not to say that obscurity cannot provide any protection, rather that the protection
is invariably unpredictable and may be short-lived. If we wish to make biometric
devices and applications secure it is necessary to understand the threats and put in
place effective countermeasures, technical and procedural. A parallel may be drawn
with the field of IT vulnerabilities, where the world has had time to come to terms with
the idea and does not seek to suppress knowledge. Rather, the approach is to report
problems to the developers so that they can be fixed and patches issued. The balance
between (excessive) publicity and suppression has been struck, founded on pragmatic
principles based on experience. If and when biometrics are widely deployed, a similar
approach can be expected to be adopted.
Whatever the merits of the arguments, they are likely to be overtaken by events.
Suppression by governments or companies will not inhibit individual researchers and
consumer magazines from investigating the subject. Already in the biometrics area, a
number of ad-hoc security evaluations have been conducted and the results published.
The following table lists some of them.