Costs set to rule out register of fingerprints

Ian Batten ukcrypto at chiark.greenend.org.uk
Wed, 30 Jan 2008 10:42:50 +0000


On 30 Jan 08, at 1025, James Davis wrote:

> Paul Vigay wrote:
>
>> What's the point of that? If making a fake passport you can still ensure
>> that the passport fingerprint data signature matches the bearer.
>
> I'd hope that the issuer signs the data before placing it on the card.

That's going to involve issuing public keys relating to every  
passport issuing authority to everyone who might have reason to need  
to verify a passport, which essentially means everyone, including  
people with very well-resourced spook agencies.  That's not a trivial  
task, and doing it securely is genuinely difficult.

The attack tree would revolve around being able to get a fake  
signature verification key into the system or obtaining the signature  
making key for a genuine pair: given the number of `insider' attacks  
on passport issuing authorities, that doesn't strike me as overly
hard for a sufficiently motivated and resourced attacker.  And as
you'll be providing both the public key and examples of signatures to
every government in the world (and even if you didn't provide the
public key to your favourite bête noire country, you can't prevent it
leaking via mutual friendly countries), do you want to bet your  
signature algorithm and technique against, say, a fully resourced  
joint attack by the Chinese and Russian governments?

If the verification process becomes founded around ``check  
fingerprints against passport, check signature of fingerprint data  
against PKI'', then the physical quality of the fake passport   
matters less.   If I can get a fake key into circulation, or  
compromise a genuine key, poor quality (from a physical perspective)  
passports can be manufactured in bulk and all made to pass what is  
seen as a more stringent test.  This drives high-end cottage-industry  
forgers out of business and makes it a mass production enterprise.

If my attack was compromising a genuine key, are you prepared to  
stomach invalidating thousands, perhaps millions of already-issued  
passports?

So my contention would be that digitally-signed biometrics are a  
substantial target for hostile governments, who would be quite keen  
to be able to manufacture convincing fake passports.

ian