The following text is copyright 1998 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
It's so hard to know you
By Scott Bradner
The biggest computer and network security problem yet to be solved is coming up with a sure way to determine who a particular user is. Most computer technology users are not individually identified beyond having physical access to a PC. This is far from sufficient in business environments or on the Internet.
In these cases most users prove their identity by knowing a few facts. Knowledge of a log name and password, often buried deep in some auto-login script, is all that differentiates one user from another. If you use a security system like this and if I were to find out your logname-password combination, I could pretend to be you. Your system would not be able to keep me from doing anything that you are permitted to do.
Many approaches are being tried to augment this loose level of identification. Most common is the use of physical tokens along with some piece of knowledge.
Automated teller machine cards are a simple example of this. Someone stealing your card would not be able to use it without knowing the associated personal identification number. One problem with this type of system is that people can lose their cards. It would seem to be ideal to be able to use something that the individual would have a very hard time losing, such as a body part.
There has been a lot of work on biometrics, the technology of using physical characteristics to identify individuals. All sorts of systems are available using fingerprints, voice recognition, hand profiles and retinal scans. (You've probably seen the retinal scan units - you look into a little hole and if you are not the right person it pokes you in the eye.) Unfortunately, a consistent problem with biometrics systems is that they have a high reject ratio - they tend to misidentify people too often.
In the early 90s John Daugman, then an assistant professor at Harvard University, showed me results from some of his experiments involving the use of iris scans to identify people. He showed that these scans could produce very reliable identification.
Since then, John has moved to Cambridge University across the pond, and perfected his ideas. His technology compresses information about an iris to just 256 bytes, permitting easy storage of the data and scanning of databases holding information on large numbers of individuals. His technology is now starting to show up in the marketplace.
Iris scans seem like a good candidate for computer and network security since they are much more definable than fingerprints and do not change as people age. (It is also a bit harder to alter one's iris if one wants to hide his or her identity.)
One additional advantage is that iris checkers can include a light that varies in intensity to normalize the pupil diameter. This can make the categorization of people even more accurate as well as ensure that Joe is still attached to his eyeball. Attempting to log on with dissociated body parts could be a problem with fingerprint or hand profile systems.
Disclaimer: Other than in the medical school, Harvard does not look longingly at eyes, i.e. the above are my own observations.