Information Security Committee Releases Draft "PAG" for Public Comment
The Information Security Committee ("ISC") released the
Public Key Infrastructure Assessment Guidelines - Exposure Draft
0.1 ("PAG") for public comment. The PAG is the result of a five-year
initiative of intensive research, debate, and several incremental
reformulations. The ISC developed the PAG as a sequel to the ISC's
1996 Digital Signature Guidelines, which has had a profound
influence on electronic commerce law and business practices worldwide.
The PAG provides an overview of Public Key Infrastructures ("PKI"),
public key technology, and different PKI applications, such as digital
signatures. The PAG also discusses specific technical, legal, business,
and policy issues related to PKI operations. In addition, it offers
a practical guide for the assessment of particular PKIs and their
components. The PAG supports various kinds of assessment of the quality
of a PKI: a potential purchaser of PKI products and services evaluating
a potential vendor, an auditor undertaking an annual audit of a PKI,
regulatory agencies overseeing the licensing of certification authorities,
or entities accrediting certification authorities against a set of
requirements.
The PAG is intended for a broad audience ranging from government,
business, and legal professionals, to information technology professionals
charged with developing, maintaining, and assessing PKIs, regardless
of relative familiarity with PKI. Examples of individuals and organizations
that may find the PAG useful include: providers of PKI products
and services, auditors, relying parties, licensing and regulatory
agencies, non-governmental accreditors and local organizations,
repositories, and purchasers of PKI products and services. The ISC
welcomes and encourages your participation! Please submit comments
on or before October 15, 2001. The draft is available for downloading
at the ABA ISC Intranet site (http://abaisc.intranets.com/r.asp?a=5&id=9669).
NOTICE: The next ISC meeting will be in Washington, D.C. in October,
2001. Please look for details on the ISC homepage (http://www.abanet.org/scitech/ec/isc/home.html).
Will Biometrics Obsolete PKI?
- Stephen Wilson, Director Policy & Strategy, beTRUSTed Asia Pacific
A wide range of biometric authentication methods is now on the
market and has captured the imagination of many in information security.
Biometrics have great intuitive appeal, for they promise absolute
identification for high risk applications. The newer technologies
are very sophisticated; biometrics are sexy! Yet many enthusiasts
overlook some fundamental limitations of biometrics. Non-experts
all too frequently get caught up in the excitement and may be left
with the impression that biometrics are about to obsolete PKI. This
paper shows that this is fundamentally unlikely to happen. While
biometrics provide robust access control, they generally do not
provide the signature function needed for persistent authentication
of electronic documents. For auditability and good evidentiary weight,
public key based digital signatures remain the state-of-the-art.
This paper argues that the best applications of biometrics in e-business
are alongside - not in place of - PKI.
What are biometrics?
The term biometrics refers to any number of technologies that
rely on measuring a physical characteristic of a part of someone's
body in order to positively identify them. The idea is associated
with so-called "three factor authentication" where someone is identified
first by what they know (a password), second by what they have (a
card or token), and third by what they are. Commercial instances
of the technology include measurements of fingerprints, voice, iris,
retina, hand shape, and facial geometry.
How do they work?
In all cases, biometric authentication involves scanning the chosen
part of the body, reducing the scan to a set of numerical values,
and comparing the result with a previously registered reference
set or "template." The trick is to pick out certain characteristic
markers (often known as "loci") that can be algorithmically distilled
down each time to the same set of values - more or less - within
a very large space of possible values. Thus the set should for practical
purposes be unique.
The template has to be stored somewhere so that it can be recalled
each time users present themselves. Storage on a central server
is economical but requires careful design of the link with remote
user systems and encryption of the template to prevent eavesdropping
and subsequent replay attacks. Some new biometric mechanisms securely
store a copy of the template locally, within the biometric measurement
device itself.
Inaccuracies are inevitable in biometric measurement. The conditions
under which scanning occurs change from place to place, there can
be noise in the process, and the body part itself can change through
disease or simply aging. Therefore, the raw data going into the
distillation process are never the same.
To make sure that a more or less consistent set of values results
each time, biometric algorithms have to throw much of the raw data
away. But this leads to a chance - hopefully small - that two different
people can generate the same biometric measurement. This issue is
carefully addressed in the design of every biometric device.
The sensitivity/specificity tradeoff
In a highly specific biometric system, the chance of two people
generating the same measurement is designed to be very small. The
price paid for specificity however is the chance that a legitimate
user will occasionally be rejected - an error known as a false negative.
On the other hand, a highly sensitive system will rarely
fail to detect the legitimate user. But by the same token it becomes
more likely that an impostor will be able to fool the algorithm
- known as a false positive.
The sensitivity/specificity tradeoff is managed in the design of
every biometric authentication mechanism. The system will be deliberately
biased one way or another, depending on whether the application
is more tolerant of the risk of impersonation or the risk of user
inconvenience.
Limitations of biometrics
The sensitivity/specificity tradeoff is not a problem in itself
- it is a risk management issue - but there are significant limitations
in how biometrics can be applied in e-business.
No signature
The great majority of biometric technologies are for access control
only and provide no mechanism for signing electronic documents.
In a sense, once it "gets you through the door," a biometric doesn't
let you leave your mark on anything you do. In any simple access
control system, whether it be based on passwords or biometrics,
there can only be indirect or circumstantial evidence from system
logs indicating who initiated which transactions, with consequential
dilution of evidentiary weight.
The notable exception to this is signature dynamics, a new
technology based on capturing a hand-written signature on a special
digitising tablet. Some argue that signature dynamics is clearer
than PKI with respect to the ceremony of signing a document. But
being manual, this approach cannot scale up for high volume routine
transactions. This incidentally precludes the use of signature dynamics
to sign digital certificates; if a third party certificate were
needed to validate a signature dynamics user, ironically that certificate
would probably have to be signed by a public key technique!
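As an added illustration of the binding that the article says access-control biometrics lack (example code written for this page, not the author's or beTRUSTed's): a textbook RSA signature over a document's hash, computed on two fixed primes and without padding so that it runs on the Python standard library alone. The primes, the public exponent and the document strings are constructed for the example. The point it shows is that a signature verifies only against the exact document it was made for, so every transaction carries the signer's own mark, whereas a gate decision is recorded once at login and says nothing about what followed.

```python
"""Toy digital signature (textbook RSA, no padding) constructed for this illustration."""
import hashlib

# Constructed key pair: two well-known primes and the usual public exponent.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; pow(x, -1, m) needs Python 3.8+


def digest(document: bytes) -> int:
    """Reduce the document to an integer below N (SHA-256, then reduced mod N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exponent: int = D) -> int:
    """The signer's mark on this specific document; only the private-key holder can make it."""
    return pow(digest(document), private_exponent, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone holding the public key checks the signature against the document as presented."""
    return pow(signature, E, N) == digest(document)


if __name__ == "__main__":
    order = b"order 7781: pay 9,500 to Bob"          # constructed transaction
    mark = sign(order)
    print("original verifies:", verify(order, mark))                        # True
    print("altered verifies: ", verify(b"order 7781: pay 95,000 to Bob", mark))  # False
    print("reused on another:", verify(b"order 7782: pay 9,500 to Bob", mark))   # False
```

Each signature is tied to one document: change a digit, or try to carry the signature over to a different order, and verification fails. That per-transaction binding is what a biometric gate, which only records that someone was let in, cannot provide.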
Closed groups only
A biometric can only authenticate you to a service which has access
to your reference template - and thus, in a sense, which already
knows you. This limits biometrics to closed user groups. Yet the
greatest value of Internet business lies in the promise of dealing
automatically and confidently with parties we have never met. In
contrast, public key certificates issued by trusted third parties
allow us to build more sophisticated, open trust models, which do
not depend on any prior relationship between the parties.
The catastrophic risk of identity theft
Perhaps the most fundamental problem with biometrics in general
is the enormous difficulty of dealing with identity theft. In the
event that an attacker manages to steal your template or otherwise
manages to faithfully duplicate your biometric data, you risk being
disenfranchised from that system forever.
Some pundits have suggested that revocation of certain biometrics
could be made possible if the sensitivity of the measurement done
at registration is deliberately reduced. For instance, a fingerprint
system with say 50 loci available to it might only use a subset
of 40 of them to generate the template. In the event of compromise,
a new template could be taken using a different subset of loci.
This is a radical trade-off, accepting an overall reduction in security
for the sake of recovering from identity theft.
In a PKI, the compromise of a user's private key is dealt with
by revocation and re-keying. But there is no equivalent recovery
mechanism available with biometrics. Once compromised, they are
rendered useless - forever.
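The sensitivity/specificity tradeoff described earlier and the revocable-template idea in this section, as one added Python model (not code from the article or from beTRUSTed). Everything in it is constructed: a hypothetical reader distils a scan into 50 binary loci, repeat scans of the same person misread each locus with probability 0.08, an unrelated person's loci agree with the template only by chance, and the verifier accepts when at most a chosen threshold of loci disagree. Moving that threshold is the bias the article describes: low thresholds reject legitimate users more often, high thresholds admit impostors more often. The re-enrolment function uses the article's 40-of-50 figures, and also reports a consequence the arithmetic forces: two 40-locus subsets of 50 loci always share at least 30, which is one concrete face of the "overall reduction in security".

```python
"""Toy model of biometric template matching, constructed for this illustration."""
import random

LOCI = 50             # characteristic markers ("loci") the hypothetical reader extracts
GENUINE_NOISE = 0.08  # per-locus chance that a repeat scan of the same person differs
IMPOSTOR_NOISE = 0.5  # an unrelated person's locus matches yours only by coin flip


def scan(identity, rng, noise):
    """Reduce one scan to LOCI values; each true locus is misread with probability `noise`."""
    return [bit if rng.random() >= noise else 1 - bit for bit in identity]


def enroll(identity, rng, subset):
    """Register a template from the loci in `subset` (all of them, or a revocable subset)."""
    reading = scan(identity, rng, GENUINE_NOISE)
    return {i: reading[i] for i in subset}


def disagreements(sample, template):
    """Count template loci that the presented sample does not reproduce."""
    return sum(sample[i] != value for i, value in template.items())


def accept(sample, template, threshold):
    """Verifier decision: tolerate at most `threshold` disagreeing loci.

    A low threshold is the "highly specific" setting (false negatives more likely);
    a high threshold is the "highly sensitive" setting (false positives more likely).
    """
    return disagreements(sample, template) <= threshold


def error_rates(threshold, trials=2000, seed=7):
    """Estimate (false_reject_rate, false_accept_rate) at one threshold.

    The seed is fixed so that every threshold is judged on the same constructed scans.
    """
    rng = random.Random(seed)
    identity = [rng.randint(0, 1) for _ in range(LOCI)]
    template = enroll(identity, rng, range(LOCI))
    rejected = sum(not accept(scan(identity, rng, GENUINE_NOISE), template, threshold)
                   for _ in range(trials))
    accepted = sum(accept(scan(identity, rng, IMPOSTOR_NOISE), template, threshold)
                   for _ in range(trials))
    return rejected / trials, accepted / trials


def reenroll_after_compromise(used=40, threshold=15, seed=7):
    """Revocable-template idea: enrol on `used` of the LOCI markers; after the stored
    template is assumed stolen, revoke it and re-enrol on a freshly chosen subset.

    Returns whether the stolen template is gone from the store, how the genuine user's
    next scan fares against the new template, and how many loci old and new templates
    share (at least 2 * used - LOCI of them, i.e. 30 here, by simple counting).
    """
    rng = random.Random(seed)
    identity = [rng.randint(0, 1) for _ in range(LOCI)]
    store = {"alice": enroll(identity, rng, rng.sample(range(LOCI), used))}  # hypothetical user
    stolen = store["alice"]                        # assume this copy has leaked
    del store["alice"]                             # revocation of the compromised template
    store["alice"] = enroll(identity, rng, rng.sample(range(LOCI), used))
    fresh = scan(identity, rng, GENUINE_NOISE)
    return {
        "stolen_template_revoked": stolen not in store.values(),
        "genuine_disagreements": disagreements(fresh, store["alice"]),
        "genuine_accepted": accept(fresh, store["alice"], threshold),
        "loci_shared": len(stolen.keys() & store["alice"].keys()),
    }


if __name__ == "__main__":
    for t in (5, 10, 15, 20, 25):
        frr, far = error_rates(t)
        print(f"threshold={t:2d}  false reject={frr:.3f}  false accept={far:.3f}")
    print(reenroll_after_compromise())
```

Running the table shows the tradeoff the article describes with no free lunch in between: at a threshold of 5 the constructed impostor is never admitted but the genuine user is rejected most of the time, at 20 the genuine user is almost never rejected but roughly one impostor attempt in ten gets through. The re-enrolment result shows the recovery working for the legitimate user, and the shared-loci count shows what was given up to make it possible, since a template built from 40 of 50 loci can only ever be replaced by one that reuses most of the loci the stolen copy already contained.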
Conclusion
By themselves, few, if any, biometric methods can meet the principal
needs for document authentication in e-business. A biometric typically
provides only access control; it cannot bind the user to individual
transactions. Further, like a password, a biometric authenticates
you only to a service which already knows you, and so biometrics
are difficult to apply in open systems where there might be no prior
dealing between parties. Thus biometric authentication cannot obsolete
PKI, the chief benefit of which is persistent authentication of
electronic transactions. Public key and biometric technologies should
instead be seen as complementary. Perhaps the most anticipated application
of biometrics should be for the protection of private keys, replacing
PINs for activating smartcards and similar devices.