4. Memorandum submitted by Cambridge Algorithmica Limited
INTRODUCTION
1. My comments come principally through
my technical expertise in the field of biometrics, and also through
some additional expertise in the fields of computer security and
communications security.
INFORMATION ON THE AUTHOR'S TECHNICAL BACKGROUND
2. My technical experience spans 29 years
since graduating from Imperial College in Physics (BSc, ARCS in
1974); I also have a degree in Computer Science (MTech, Brunel
1980). I am a member of: the Institution of Electrical Engineers,
the British Computer Society and the Institute of Acoustics. I
work on pattern matching and digital signal processing, through
my personal trading company (Cambridge Algorithmica Limited),
undertaking technical consultancy and contract research and development.
This work is principally in the fields of biometrics, automatic
speech recognition and data modems. Much of my work has been for
the UK Government, and is of a highly technical nature. In the
field of biometrics, I personally have worked on speaker verification/identification,
dynamic (hand-written) signature verification and multi-modal
biometric combination.
3. In the middle of last year, I was appointed
to the British Standards Institute Committee IST/44 on Biometric
Standards, in the capacity of Principal UK Expert.
OVERVIEW OF THE GOVERNMENTAL CONTEXT
4. The Government deserves credit for its
decision to tackle the large and growing problem of identity-related
fraud. In particular, the provision of a National Identity Scheme
(NIdS) is an excellent approach. Furthermore, the Government's
intention to make available the NIdS for non-governmental applications
(particularly business/commercial use to reduce financial fraud)
will be a generally useful service to the public.
5. However, as has been pointed out by many
critics of the Government's proposals, there are political, legal
and technological difficulties. My expert contribution is primarily
on the technological issues.
6. The proposed NIdS[1]
has some serious technical shortcomings. There are technical solutions
to remove or mitigate most of these. However, this is at increased
cost; there is also contingent need for practical procedures that
are more onerous to operate. I am optimistic that careful consideration
now, within the wider political and social context, will allow
implementation of a viable NIdS that is effective and beneficial
to society as a whole.
PRINCIPAL POINTS ON APPLICATION OF BIOMETRIC AND OTHER TECHNOLOGY
7. There should be separate biometrics
for Detection of Multiple Applications (DMA) and for Point of
Use (PoU) Authentication. The technical requirements for these
are substantially different; they are better handled by biometric
systems designed primarily for these different purposes. Potential
cost reductions from exploiting commonality should be viewed as
secondary; otherwise performance and practicality will be compromised.
8. Biometric templates should be held
centrally, not on ID Cards. Storing templates or reference
patterns[2]
on ID Cards makes the whole system more vulnerable to several
forms of attack. These risks can be reduced or avoided, probably
at lower overall cost, by storing templates on a central database
and forwarding biometric samples, taken at the PoU, to a central
computer for authentication.
9. Multi-modal biometrics are necessary
for adequate overall performance. For Detection of Multiple
Applications (DMA), no known single biometric device is adequate.
Use of two or more different and well-chosen biometric devices,
together with multi-modal combination, should provide sufficient
performance. Multi-modal biometrics also offer improved universality[3]
and make sophisticated attack more difficult. These latter benefits
are also important for PoU authentication.
10. Smart cards are vulnerable to forgery;
excessive reliance should not be placed on them. Despite the
best efforts of card manufacturers, it will eventually be possible
to access the data content and reverse engineer any smart card
(see, for example, [7] and [8]); forged cards can then be produced.
Though this will be at a price, it will not be beyond the means
of organised crime. Cryptographic techniques do give further protection;
however, practical constraints make on-card encrypted information
more vulnerable than encrypted information transmitted over communications
networks.
11. PoU authentication is available without
compulsory carrying of ID Cards. A registered person's identity
can be verified, by biometric check, even if they do not have
their card with them. Their full name and address will, almost
invariably, be adequate for a claimed identity; verification of
one or more biometric samples against their centrally held template(s)
will confirm their identity.[4]
For less secure use, without a biometric device being available,
obviously a quick visual check can be made against an ID Card
displaying a photograph (and other details such as sex and age).
12. Registration stations on non-government
sites may be too vulnerable. These sites and their NIdS staff
are likely targets for identity fraud attacks. It is questionable
whether sufficient security can be provided at registration stations
located on non-government sites.
13. Deterrence of fraudsters requires
timely DMA and the threat of immediate arrest. Biometric detection,
of applications in multiple identities, is not foolproof. High
risk of detection and severe penalties, together, form the deterrent.
Given the likelihood of being unable to trace fraudsters after
they leave the registration site, DMA checks need to be made before
then; this requires fast matching on NIdS central computers. Also,
immediate arrest and detention must be practical.
FURTHER INFORMATION ON DETECTION OF MULTIPLE APPLICATIONS (DMA)
14. The Government's paper [3] gives some
useful analysis. As they point out, checking against 50 million
previously registered persons, needs a very low False Match Rate
(FMR); otherwise, there would be an unmanageably high number of applications
requiring additional manual checks. However, it seems unlikely
that the Government's estimated False Non-Match Rate (FNMR) of
5% to 10% of fraudulent applications would provide sufficient
deterrence. This is especially if they propose that applications
would not be subjected to biometric check until after the applicant
has left the site.
15. Use of multi-modal biometrics (eg a
combination of iris scan, multiple fingerprints and perhaps other
physical biometrics[5])
would give both low FMR and low FNMR, thus providing adequate
deterrence against DMA.
16. In addition, universality is improved.
Those unable (or unwilling) to offer each single type of biometric
should be able to provide say 2 out of 3. Finally, circumvention
by self-mutilation is likely to be much less successful against
multi-modal biometric DMA.
17. To support DMA before the applicant
leaves the registration site, matches against all previously registered
persons need to be done within say 20 minutes (during which time
other aspects of registration could be undertaken). For this,
towards the end of the initial registration of the bulk of the
population (at some 2,000 registration sites and assuming three
individual biometrics), the central NIdS computer would need to
be able to match biometric samples at the rate of about 250 million
per second. This is high, but not beyond practicality. Note that
the overall throughput is only about 4.2 times higher than that
required for later matching; this is assuming that matching 24
hours per day seven days per week keeps up with applications arriving
every 20 minutes, from each registration site during a 40 hour
working week.
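
The figures in paragraphs 14 to 17 can be reproduced with a short calculation. This is an added example, not part of the memorandum: the single-device FMR of 1e-6, the "at least 2 of 3 match" decision rule and the independence of the three modalities are assumptions made for illustration; the population, site count, time window and 10% FNMR are taken from the text.

```python
# Added illustration; not from the memorandum. Values marked "page" come from
# paragraphs 14 and 17; values marked "assumed" are constructed.
from math import comb

POPULATION = 50_000_000      # page: previously registered persons
SITES = 2_000                # page: registration sites
BIOMETRICS = 3               # page: individual biometrics per applicant
WINDOW_S = 20 * 60           # page: result needed within 20 minutes

def on_site_match_rate(population=POPULATION, sites=SITES,
                       biometrics=BIOMETRICS, window_s=WINDOW_S):
    """Comparisons per second if every site submits one applicant per window
    and each biometric is compared against every enrolled record."""
    return sites * population * biometrics / window_s

def peak_to_deferred_ratio(working_hours=40, week_hours=24 * 7):
    """Ratio between matching only during the working week and spreading
    the same load over the whole week."""
    return week_hours / working_hours

def k_of_n(p, k, n):
    """Probability that at least k of n independent events of probability p occur."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def fused_rates(fmr, fnmr, k=2, n=3):
    """Error rates when a duplicate is declared if at least k of n modalities
    match (assumed rule; modalities assumed independent with equal rates)."""
    fused_fmr = k_of_n(fmr, k, n)
    # A true duplicate is missed when fewer than k modalities match,
    # i.e. at least n-k+1 of them falsely non-match.
    fused_fnmr = k_of_n(fnmr, n - k + 1, n)
    return fused_fmr, fused_fnmr

def false_alarms_per_applicant(fmr, population=POPULATION):
    """Expected enrolled records wrongly flagged for one honest applicant."""
    return population * fmr

if __name__ == "__main__":
    print(f"on-site rate: {on_site_match_rate():.3g} comparisons/s")
    print(f"peak/deferred ratio: {peak_to_deferred_ratio():.1f}")
    single_fmr, single_fnmr = 1e-6, 0.10   # FMR assumed; FNMR is the page's upper figure
    fmr, fnmr = fused_rates(single_fmr, single_fnmr)
    print(f"single device: {false_alarms_per_applicant(single_fmr):.3g} "
          f"false alarms per applicant, FNMR {single_fnmr:.3f}")
    print(f"2-of-3 fusion: {false_alarms_per_applicant(fmr):.3g} "
          f"false alarms per applicant, FNMR {fnmr:.3f}")
```

Under these assumptions a single device flags about 50 enrolled records for every honest applicant, while the fused decision flags about 0.00015 and lowers the miss rate for true duplicates from 10% to 2.8%.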
FURTHER INFORMATION ON POINT OF USE (POU) AUTHENTICATION
18. It is assumed in the Government's current
plan that PoU biometric templates or reference patterns will be
stored on the ID Card, which will be a smart card with sufficient
digital memory for this. The PoU terminal/computer will capture
the biometric sample and match it against the decrypted template
obtained from the ID Card.
19. My recommended alternative is for templates
to be stored only on the central NIdS computer; then one or more
biometric samples captured at the PoU are transmitted[6]
to the central NIdS computer for matching. This approach has several
technical advantages.
20. Attack against the biometric template
is more difficult. If stored on the ID Card, the decrypted
template is vulnerable following card theft. This is because PoU
computers must be able to access it for matching (and such terminals
are vulnerable to reverse engineering). One simple attack is similar
to exhaustive search: find which person (in your organised crime
syndicate) has the best match against the template on each stolen
card; then that person uses the card (pre-block) to perpetrate
fraud.
21. Additional cost of smart card.
Without the need to store template data, a lower cost smart card
can be used.
22. Multi-modal biometrics. With
template storage on the card, this option becomes more expensive.
Storage of multiple templates on the central NIdS computer is
much less expensive.
23. Encryption vulnerabilities. It
is assumed that data stored on the ID Card would be encrypted,
using a trapdoor encryption algorithm.[7]
The same key (or a modest number through some key compartmentation
scheme) is used for every card; breaking the key creates a widespread
vulnerability that is very expensive to overcome. For an encrypted
communications system, each link can use a different key and keys
can be changed frequently; thus, if there is compromise of a crypto
key, damage is much more limited. The cryptographic strength is
less, for trapdoor encryption algorithms.
24. Substitution of biometric template.
If the encryption key for the trapdoor encryption algorithm is
compromised, fraudsters would be able to create (without limit)
fake ID Cards containing their own biometric templates.
FURTHER INFORMATION ON CHOICE OF BIOMETRIC DEVICES
25. The Government's choice of biometrics
for DMA, of iris or multiple fingerprints, is good. However, using
just one is unlikely to give (simultaneously) adequate FMR and
FNMR. Both should be used together for DMA. In addition, any physical
biometric selected for PoU could also be used to improve DMA,
always or in cases where matching of the primary DMA biometrics
was inconclusive.
26. Face recognition is less obviously a
good choice. There are alternative physical biometrics, such as
hand geometry, ear lobe geometry and vein patterns in the hand.
Current levels of performance for face are variable, and not obviously
better than the competition. In addition, there are behavioural
aspects to face, including choice of hair style and use of makeup;
ageing is also more problematic than with other biometrics. Face
is not suitable as a primary biometric for DMA, and so should
only be part of the NIdS if chosen for the PoU. The choice of
face by The International Civil Aviation Organisation (ICAO) for
Machine-Readable Travel Documents (MRTD) should itself be reconsidered.
Whilst compatibility with ICAO MRTDs is desirable, it is not the
only factor. This is especially considering the extra flexibility
given by multi-modal biometrics. For the UK NIdS and at this early
stage, it seems premature to choose face to the exclusion of all
other PoU biometrics.
27. At the PoU, one or two fingerprints
is also a good choice. If fingerprint templates were those captured
for DMA, this would reduce enrolment time at registration stations.
28. Behavioural biometrics should be acceptable
for PoU, in some cases, as a matter of convenience. In particular,
for credit/debit card transactions (surely a major application),
hand-written signature has known advantages (see [9] and [10])
including widespread public acceptability, reasonable performance
and (in one form: acoustic emission) a very low cost sensor.
COMMENT IN 1995
29. I made extensive comments [9] (not
printed) on the green paper issued by the previous Conservative
Government. A non-technical presentation was made to the Association
for Biometrics, based on those comments [10] (not printed).
30. Although the technology has advanced,
the majority of these comments still apply. One particular change
is the addition of iris recognition to the available physical
biometrics that are well tried and acceptable to the public. This
is a key point, given the excellent performance of iris recognition.
31. Public acceptability of biometrics,
and the need for NIdS, has also improved. Whether compulsory registration
with an NIdS is acceptable to the general public remains an open
question in my mind. Certainly, I would not be happy without significant
legal safeguards, against government misuse and over-zealous public
officials.
Nigel Sedgwick
January 2004
REFERENCES
[1] Identity Cards: The Next Steps,
Cm 6020, November 2003.
[2] Identity Cards: A Summary of Findings
from the Consultation Exercise on Entitlement Cards and Identity
Fraud, Cm 6019, November 2003.
[3] Feasibility Study on the Use of Biometrics
in an Entitlement Scheme, version 3 February 2003, National
Physical Laboratory.
[4] Answers to Top Questions on Identity
Cards, Home Office Website, 11 November 2003.
[5] Identity Fraud: A Study, Cabinet
Office, July, 2002.
[6] Uncorrected Transcript of Oral Evidence
taken before the Home Affairs Committee, The United Kingdom Parliament,
11 December 2003.
[7] On a New Way to Read Data from Memory,
David Samyde, Sergei Skorobogatov, Ross Anderson and Jean-Jacques
Quisquater, Workshop on Cryptographic Hardware and Embedded Systems,
August 2002 (CHES 2002).
[8] Camera Flash Opens Up Smart Cards,
Will Knight, New Scientist, 13 May 2002.
[9] Comment on Green Paper on Identity
Cards, letter by Nigel Sedgwick (Cambridge Algorithmica Limited),
to the Government's Identity Card Green Paper Unit, 30 September
1995.
[10] Some Issues for a National Identity
Card - Biometric Roles, presentation by Nigel Sedgwick
(Cambridge Algorithmica Limited), to the Association for Biometrics,
22 November 1995.
FOOTNOTES
1 As far as one can judge from the descriptions in
the public domain (see references [1] to [6]).
2 Templates or reference patterns are (or are created from) the
biometric sample(s) given during enrolment.
3 Universality is a highly desirable feature of a biometric device:
that all persons can provide samples and are willing to. Unfortunately
however, there is some lack of universality of biometrics; there
are genetic traits that make iris recognition less effective;
fingerprints are degraded in some occupations; etc.
4 Possession of the ID Card provides additional protection. However,
verification using multi-modal biometrics forms an adequate substitute,
up to any chosen level of security.
5 It should be noted that multi-modal combination can benefit from
inclusion of biometrics that have poor performance, relative to
the other biometrics used.
6 Transmission of some information is necessary where validation
of the card is done (as it surely must be to protect against fake
and blocked cards). Presumably this will be done over the Internet,
or a private government network that uses the same (TCP/IP) protocols.
With care, the total amount of data would still be sent in a single
packet, with negligible extra communications load and transmission
delay.
7 Otherwise, biometric templates could be substituted easily.