Biometric technologies are already in place such that access control to buildings and/or computer networks may be driven by fingerprint, iris and facial recognition. Will the time come when we can catch would-be intruders and terrorists due to their behaviourral traits as well?
Recent blockbuster movie 'The Matrix: Reloaded' posits a world where sentient machines control deluded human beings who passively exist in a drip-fed virtual environment. This may well be science fiction at its very best, but in the real world digital technology really is moving in this direction.

The Information Technology (IT) industry is already able to digitise the most minute aspect of human physiology, from fingerprints through to iris and voice recognition. In the future, it will probably be able to digitise our behaviour as well. All of which has significant implications for the international security industry authorities, whose aim is to 'gate keep' buildings and computer networks by admitting friends and colleagues while banishing would-be unwanted intruders.

It must be said that the guts of today's biometric technologies are the computer languages in which security professionals are able to define what they record, matching it against pre-assembled authentication data. And it's here where one such IT 'tongue' – namely Abstract Syntax Notation 1, or ASN.1 for short – is making a real difference.

ASN.1: the main points
ASN.1 was first established as a standard as long ago as 1984, and is deployed within signalling systems (SS7) for most telephone calls, package tracking, credit card verification and digital certificates, as well as in so many of the most commonly used software packages.

According to independent UK specialist and former Salford University lecturer Professor John Larmouth, a key value of the system is that with the latest ASN.1 developments any messages may be encoded such that they can then be read easily by both people and computers. In other words, they don't rely solely on baffling binary code that takes human users hours to wade through and then translate into something which they might then comprehend.

"In practical terms, using IT security kits that employ ASN.1 – and in particular the new variant recently unveiled by UN Agency the International Telecommunications Union – would enable a network gate-keeping system to be established relatively easily using a standard web browser," states Larmouth. "In terms of their ability to diagnose attacks and intercept messages that have been sent, that could make life a whole lot easier for security professionals."

Plainly put, ASN.1 makes it much simpler for IT security managers to install filters that can trigger easily understood computer alarms when a computer system has been compromised, probably through an attack via the Internet.

There's more... The new ASN.1 may also be able to bridge the difference between rival standards for biometric systems. Take fingerprint analysis, for instance. There are two rival standards, one German, the other American. Until now it has been difficult, even impossible, to get two systems using these standards working together. The new ASN.1 provides programmers with a sophisticated and flexible programming tool that should enable them to make these systems talk to each other. It will also enable a multinational corporation, with branches in Europe and the USA, to set up a centralised fingerprint analysis gate-keeping system, guarding access to its computer systems on a more or less worldwide basis.

The utility and user-friendliness of the updated ASN.1 will also be of value to manufacturers who will, claims Professor Larmouth, be able to speed up their development of biometric kit since a good many electronic components use its language.

"As a result, the amount of new code required would be relatively small," suggests Larmouth. "Biometric applications will then come to the market a good deal quicker than might otherwise have been the case."

Speaking the same language
So far so good, but as with any new commercially useful technology, there's always the risk that it might be abused by criminals who don't play by the rules. Crucially, the updated ASN.1 allows computers to talk to computers. It's like booking a flight on the Internet. Key in the flight information and the credit card number and, hey presto, you have wings!

Just how convenient would it be if you could tell your PC where you wanted to go on holiday and when, giving it a maximum budget, and it could then use a programme to search, find and book the flight for you?

Previous computing protocols have restricted the amount of communications that may be carried out between two computers without a human operator being involved, but not with ASN.1 improved. An ITU Briefing Note states: "It brings ASN.1 into the age of digital communication by allowing interoperability between computing platforms sharing XML. XML is used to describe information for the database of a web page. For instance, if you have a car for sale on a web page, it may be tagged using XML and subsequently found by search engines when 'Cars for Sale' is the search driver."

Sounds great... but here's the trick. Hackers are way more effective when they use hacking programmes that allow them, for example, to run thousands of passwords a second by a protected web site. What if a program compiled a range of hacking software, and the new computing language enabled a hacker to order a PC to hack into a site by any means and then do whatever they chose?

"It's when a human being uses a computer to attack a system that the human being can win," adds Professor Larmouth. "As a result, the development of this 'web services' side of ASN.1 has been much more security conscious than was the case with earlier versions."

Can we prosecute behaviour?
Biometric invention continues apace. That said, it remains the case that there's no reliable product on the market that can usefully analyse behaviour in crowds, such as trying to pick out a possible thief, assassin or terrorist at a public event. Rest assured that work is underway with this very goal in mind.

In theory, it's possible to encode anything that's human. Biometrics is essentially all about translating human forms into a computer language and, if it can be done for fingerprints and irises, so too it can be done for behaviour.

Possibly, a behavioural template might be built up that can be translated into computer coding – when that code is matched on the ground, an alarm is triggered. This is the technology of the future. It may be a decade away – by which time the sophistication of computer notation such as ASN.1 would be far more developed than it already is. Watch this electronic space for details.

National ID cards: are they a workable solution for UK plc?

Home secretary David Blunkett's bold plans for a national ID card are gathering momentum. In a letter to the Deputy Prime Minister John Prescott that was leaked to the national press, the latest proposal appears to be for an obligatory card for everyone over the age of 16 – a card that’s coming under increasing scrutiny from a security and privacy perspective due to the Government’s intention for it to contain biometric data (such as fingerprint information and iris scans) that will be held on a central, national database.

Representatives at Ubizen – a managed security specialist responsible for delivering the electronic ID card scheme in Belgium – are concerned that the UK Government is perhaps a tad too ambitious in its plans to use biometric technology as a means of authenticating UK citizens’ identities.

“For the purpose it should serve, there’s no real reason why biometric information should be included on the UK ID card,” states Bart Vansevenant, director of European security strategies and an expert in the area following Ubizen’s involvement in the Belgian trials. “The point of an ID card is to prove that a person is who they say they are,” he adds. The debate continues on page 48...

National ID cards: significant planning and trialling is a prerequisite...

In continuing the debate on ID cards, Ubizen’s director of European security strategies Bart Vansevenant told SMT: “If your name and date of birth aren’t sufficient proof of who you are, then you’re probably using the cards to close your multi-million dollar bank account. Further authentication may be needed. Think about it, though. If you’re requested to prove your identity, when are you ever asked to leave a fingerprint? Or have the iris of your eye scanned? Not even once a year.”

In Belgium, the Government has chosen a Public Key Infrastructure solution complete with digital signatures. “Biometric data can be replicated or forged,” states Vansevenant. “If the system is compromised, and a fingerprint is faked, what can you do? Fingerprints are difficult to replace!”

Management of the national ID card project will also re-open debates about who has access to what information. “The project will have to be contracted out, so yet again we’ll be faced with issues about a private sector company holding details on the general public,” suggests Mike Davis, senior analyst at research group Butler. “The Information Commissioner will have to look at the rules and restrictions in place, including the Civil Service Code, because there’ll be thousands of people with varying degrees of access. The scheme will demand significant planning and trialling. Bitter experience tells us that the Government will go hell for leather without the necessary piloting because this is an area where we’ve had problems in the past.”

Security is not just a question of who can see what data. There are also a host of issues surrounding the validity of that data. “With a single identity card and lots of associated data sharing, it will be almost impossible for an outside organisation to audit whether whatever precautions the Government says are in place are indeed actually there,” comments Peter Sommer, research fellow at the London School of Economics. “If the ID cards are to have biometric data on them, then we have to make sure that the right data is associated with each card. That would be a huge undertaking, with much scope for error.”

According to Sommer, one implication of all this is the creation of more reliable fake IDs. “Once someone is able to obtain a card containing false information, there’ll probably be no means by which that information might be queried.”

Source

SMT

Postscript

Keith Nuthall is a technical journalist specialising in global security issues