2014-08-20 (W) SecMN Gathering

Last night I went to a gathering hosted by Minnesota Security Professionals who were hosting a night talking about biometrics. I will share what I learned.

Security is interesting but I do not have a lot of experience and I have nothing on these guys. That said, they were an amazing group. I walked in and this behemoth shook my hand, introduced himself, told me a bit about the group and told me where I could order drinks. This man could probably tear me limb from limb then stuff me into a hand-murdered bear.

I sat at a table with another person who was there for the first time. She actually worked as a network security professional, so her interests were more professional, but she and I talked a bit about security as a concept rather than protocols. Also at the table was the presenter of that evening's talk, who was also eager to chat up a new guy.

Going into the gathering I had no idea what to expect. I wasn't sure if these were going to be security dogs and bouncers. Maybe a bunch of cypher-punks. Perhaps even a group of malicious neckbeards meeting under an ambiguous name to avoid suspicion while wearing tinfoil hats. Nope, these were people on the smart edge of technology meeting to hear stories, network, hang out, get the scoop, and have a beer. Some people even got work credit for attending.

Biometrics is identifying people by traits unique to them. Recognizing your friend by the way he walks or answers the phone is employing biometrics. Cool. Recognizing someone's face, biometrics.

There are two types: physical, "What you are," and behavioral, "What you do."

Physical biometrics touched on during the lecture. Pun intended.
  • Fingerprints
  • Palm prints
  • Iris pattern
  • Retina pattern
  • Vascular pattern
  • DNA sequence
  • Ear geometry
  • Hand geometry
  • Brain waves
  • Thermography
  • Cardiac pattern
  • Odor
  • Skin texture

Behavioral biometrics covered in the lecture.
  • Gait, walking pattern
  • Voice
  • Keystroke style
  • Signature

Behavioral biometrics are also factored in with physical biometrics and are not considered as reliable. DARPA, for example, challenged people in 2000 to create software that could identify people by their walking pattern, but if someone filled their shoes with gravel the software could no longer work. Plus, I don't think it would work on the Fremen.

Iris patterns were the most impressive bit covered by the speaker. Iris patterns can be quickly matched and are captured with an IR camera, and much of India is working toward a universal identification system where iris scanning is commonplace. If iris scanning were standard at my bank I would feel a bit better.

The last part I wanted to talk about was the templates used by biometric security. When a fingerprint is sent to the FBI for identification, they don't compare the image to a bunch of other images. The process is to extract the important vectors from the image and match those vectors to the vectors of other templates. Someone made the comparison of taking a hash from the image, which the speaker said is not entirely accurate, but I think it makes the point. He also stressed that the original cannot be duplicated from a template, so if someone steals all the fingerprint templates they can't recreate anything.
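An added example (not from the talk or the original post) showing template matching as a tolerance-based comparison of feature points, next to an exact hash comparison of the same templates. The (x, y, angle) minutiae format, the sample values, the tolerances and the 0.6 threshold are all assumptions made for illustration, and the two captures are assumed to be already aligned.

```python
import hashlib
import math

# Constructed sample data: each minutia is (x, y, ridge angle in degrees).
ENROLLED = [(10, 12, 30), (40, 55, 120), (70, 20, 250), (25, 80, 310), (60, 90, 45)]
# Same finger, second capture: small sensor noise and one minutia missed.
SAME_FINGER = [(11, 13, 33), (39, 54, 118), (71, 22, 247), (26, 79, 314)]
# A different finger.
OTHER_FINGER = [(15, 40, 200), (50, 10, 80), (80, 75, 10), (30, 60, 150), (65, 35, 290)]


def angle_diff(a, b):
    """Smallest difference between two angles, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(probe, template, dist_tol=5.0, angle_tol=10.0):
    """Fraction of minutiae that pair up within tolerance (0.0 to 1.0)."""
    unused = list(template)
    paired = 0
    for px, py, pa in probe:
        for cand in unused:
            cx, cy, ca = cand
            close = math.hypot(px - cx, py - cy) <= dist_tol
            if close and angle_diff(pa, ca) <= angle_tol:
                unused.remove(cand)  # each enrolled minutia pairs at most once
                paired += 1
                break
    return paired / max(len(probe), len(template))


def is_match(probe, template, threshold=0.6):
    """Accept the probe when enough minutiae line up with the template."""
    return match_score(probe, template) >= threshold


def template_hash(template):
    """Exact-match digest of a template, for contrast with fuzzy matching."""
    return hashlib.sha256(repr(sorted(template)).encode()).hexdigest()


if __name__ == "__main__":
    print("same finger score :", match_score(SAME_FINGER, ENROLLED))
    print("other finger score:", match_score(OTHER_FINGER, ENROLLED))
    print("hashes equal      :", template_hash(SAME_FINGER) == template_hash(ENROLLED))
```

The second capture of the same finger still matches even though its digest differs from the enrolled one, which is where the hash comparison stops being accurate: a matcher has to tolerate noise, and a hash tolerates none.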

Enough background.

Minnesota Security Professionals had a meeting which I attended since the topic was biometrics. The purpose was to learn about different methods of identifying a person to a computer. Purely digital methods, such as RFID and passwords, are in use, while fingerprints and iris scanning are feasible and economical. Other modalities were covered as well as their advantages and flaws.

During a personal conversation with another attendee about using NFC as a method of vehicle entry, she mentioned that the approach to security should make the system slightly stronger than the desire to break it. NFC car entry to a fifteen-year-old car is logical.


This disclaimer must be intact and whole. This disclaimer must be included if a project is distributed.

All information in this blog, or linked by this blog, are not to be taken as advice or solicitation. Anyone attempting to replicate, in whole or in part, is responsible for the outcome and procedure. Any loss of functionality, money, property or similar, is the responsibility of those involved in the replication.

All digital communication regarding the email address 24hourengineer@gmail.com becomes the intellectual property of Brian McEvoy. Any information contained within these messages may be distributed or retained at the discretion of Brian McEvoy. Any email sent to this address, or any email account owned by Brian McEvoy, cannot be used to claim property or assets.

Comments to the blog may be utilized or erased at the discretion of the owner. No one posting may claim property or assets based on their post.

This blog, including pictures and text, is copyright to Brian McEvoy.