Quintet Inc.: SignCrypt: Biometric Verification

Quintet Inc.: SignCrypt: Biometric Verification

by Paul Grosse - February 1999

Introduction

With sensitive data to protect and a user population that is continually pushing for a single sign-on solution, a method of authentication that is stronger than simple password/user ID or tokens is clearly the only way forward. Password/user ID combinations are infinitely reproducible and the PIN number that is associated with a token can be socially engineered out of the authorised user before the token is stolen - these first two levels of authentication are manifestly inadequate when important data is involved.

The third level of authentication, biometric verification - verifying that the user is who he says he is by making measurements of some physical variable - looks at what the user is, not restricting the authentication to something the user knows (but may have told someone else) or has (or used to have). Choosing which set of variables to examine - how intrusive the authentication process will necessarily be - depends on the importance and use of the data and the user population that is going to use it.

Quintet has chosen to use electronic signature verification for a number of reasons:

The transient nature of a signature makes it difficult to reproduce in real time;
Users do not need to learn how to do anything that is different to the way that they sign their names to start with;
The fact that no two signatures are ever exactly the same means that the fine details within a given signature can be used as the basis for a session encryption key - the fact that there are so many variables that influence a particular signature and few, if any, can be measured, gives a session key the chaotic nature that is required to make it unpredictable; and,
A signature represents the intent of the user. Although it does not matter what the user writes as long as it is the same words each time, a signature has a symbolic meaning for the user.

Products

Some biometric verification methods can be quite intrusive - retina scans for example - and quite expensive to implement on an every-workstation basis. Getting the users population to feel comfortable using a system can represent a significant hurdle if the intrusion imposed by the system is seen as unwarranted by the users themselves. Other, simpler biometric methods are vulnerable to spoofing although putting two methods together can make them more reliable. By getting the user to sign his name with a stylus on a digitiser and then comparing the dynamics of that signature against a standard template, Quintet has a good foundation upon which to build a number of products that make use both of the similarities and the differences between successive signatures from the same user.

A normal, two dimensional signature on a piece of paper tells little of the person who wrote it or of how they wrote it - failing to disclose whether it took a few seconds or a few minutes to write, it is merely a static record of where the pen happened to be sometime during its travels. By adding a third dimension, time, the way that the signature is formed is added into the picture thus making it almost impossible to copy the signature for the purposes of authentication.

Quintet's Electronic Signature Verification products work by the user enrolling himself with the software by writing six, reasonably consistent sample signatures. The data collected from these is then analysed and the results put through an algorithm that creates a signature reference template - the algorithm working one-way only thus making it impossible to synthesise the signature from the template data. The template itself is just over 2500 bits long and can be stored on a floppy disc which then acts as a token thus providing yet another level of security with storing the information on a smart card instead as an alternative.

SignCrypt

Hand-held PCs provide an extremely practical means of collecting data in the field and then, back in the office, transferring it onto a workstation without having to type it all in again - flow-rates, tank levels and temperatures on industrial sites, laboratory test results, on-the-road sales force information, minutes of meetings, notes and so on. However, the fact that their portability makes them so useful also makes them an ideal target for theft.

Quintet's solution to this problem is SignCrypt which runs on all Microsoft Windows Platforms and requires only a digitiser and stylus to input the signature - these components are already part of a hand-held PC and for a PC workstation on the desk, they take up less room than a smartcard reader. By using a signature for authentication, the user does not have to remember any passwords or do anything that he cannot already do. In addition, the fact that the signature is input using a digitiser and stylus means that the signature can be in any language, the signature does not have to be legible, merely consistent.

When the enrolled user wishes to create or modify a file, the software examines the signature, creating the signature template which is then compared with the signature reference template to authenticate the user. If successful, further information about the signature, derived from the fine details that change each time the user signs his name, is used to create a session key that is then used to encrypt the data using DES.

When trying to find a suitable encryption key for a session, one serious weakness in any entirely computerised random number generation system is that any result is entirely predictable - so-called pseudo-random numbers which, although they may look random, are not random at all and can, given a little bit of information, be predicted. A hacker with the algorithm - there is no reason to suspect that they should not have obtained a copy of it - only needs to look at the data from a few sessions and using a little cryptographic knowledge and time, can work out the next key.

The only way of creating a session key that cannot be predicted feasibly must use an independent, external (non-digital) source of information that is of a sufficiently chaotic nature - that is to say that it is influenced by conditions that are out of the control of the computer and therefore cannot be predicted just by looking at the computer. The fact that a human being, influenced in an unpredictable way by parameters such as mental state, temperature, posture, time of day and even what he had for dinner, will never produce two signatures that are exactly the same and therefore, the results of fine analysis of these variations provides the basis of the session keys for SignCrypt.

When the user needs to decrypt a file, again, they sign their name but this time, the general analysis of the signature is used to authenticate them rather than the analysis of the fine details - the file is decrypted using the verified key.

Platforms

SignCrypt
all Microsoft Windows platforms

Pricing

SignCrypt	for Windows CE 2.0	$29.95
	for Windows 95/98/NT	$75 to $150

Opinion

Authentication can be broken down, into three types: What you know - passwords and User IDs; What you have - tokens; and, What you are. Passwords and User IDs are easy to recognise as they are often seen written on labels stuck to monitors - in at least one case, the User ID, password and a complete, step by step description of the procedure of how to use the Sales Order Processing System was printed out by the IT department and fixed to a wall facing an outside, ground-floor window for all to see. Tokens are not much better because, although they produce a series of pseudo random numbers that are virtually impossible to predict, it is possible for the hacker to socially engineer the PIN number out of the user before he steals it. The only way of ensuring that the person operating the computer is who he says he is, is to verify the user himself by making some sort of measurement of the user and comparing that against a set of enrolment data.

There are a number of types of biometric verification of which some examples are: Face - the geometry of the face is examined using a camera; Fingerprint - the user presents his finger to a special reader; Hand and Finger Geometry - a combination of face and fingerprint techniques; Handwriting - the user signs his name on a digitiser; Iris - the user has to have a close-up picture taken of his eye; Retina - the user has to put his head up to a special device in order to let the machine look at the back of his eye; Vein - the patterns of veins are recorded; Voice - the user says a pass phrase. Clearly, retina and iris are the most intrusive and most robust and face is the least intrusive but can suffer from glasses, beards, disguises and so on although the use of neural networks largely eliminates these influences, and of course, serial combinations of methods can lead to a more secure system than one that uses just one method of verification.

The use of a signature as authentication is an ideal, single method as it is not too intrusive, does not involve expensive equipment, and implicitly reinforces the agreement between the user and the employer regarding computer security policy, each time he authenticates himself - making the user sign his name in order to carry out an act of data encryption or decryption adding a psychological element that may be enough to preclude the unauthorised actions of borderline cases.

Using a signature, as this product does, provides enough consistency to authenticate the user and enough sample to sample variation to give different keys. The use of the finer details of the signature in order to provide a truly chaotic source of input for key generation makes any session key prediction impossible - there are too many variables that influence the exact characteristics of a signature. Even two signatures made only seconds apart will produce different keys but be recognisable as being made by the same person.

An additional advantage of using a signature is that it is a standard mark that does not have to be translated into any recognisable name. It does not matter if Mr J Doe's signature makes it look as though his name is 'Mr I Dee', in fact it does not matter whether or not it is written in English - Arabic, Kanji, Cyrillic, or any other character set - most signatures are illegible anyway. The consistency is the important factor and the language independence that arises from this is a strong point in the method's favour.

All biometric methods (as indeed all other authentication methods) can be spoofed - there is no such thing as a one hundred percent secure authentication system - the object is to make is as difficult as possible. By looking at the way the signature is written instead of just the final pattern of the signature, an extra dimension is added. Any hacker who thinks that he can just look at the inexorable wearing that will occur on the screen of a hand-held PC will soon find out that he still has to figure out information to which he has no access - the dynamics of the act of signing.

Strengths

The system is language independent. As most signatures are not meant to be read - merely looked at - the language does not matter. Whatever language the user signs his name in, it is the consistency of the signature that matters - this point making the software applicable to use in any country.
No extra hardware required for palm-tops. The most vulnerable of all machines to casual stealing already has built in the hardware for this product. No extra little boxes with cables to get lost and broken makes it self contained and a lot easier to use.
Signature characteristics may be embedded in a credit card magnetic strip or stored on a smart card. This extra level of authentication, adding another level of authentication makes the system even more powerful. The biggest weakness with single sign-on systems is the authentication and using Electronic Signature Verification together with a smart card could make single sign-on a feasible option in some cases where the data on the system is important - this is an area in which development is expected in the near future.

Weaknesses

it is possible that a user's hand writing will change when they have an accident or other traumatic experience - these people stand a higher risk of not being able to gain access to their data. If an employee has an accident and his data is required while he is off work, this system may lock out the authorised user. In addition, in some cases, on returning to work, the user may find that the system does not recognise him.
The DES implementation in this product is only 56 bits long. Although this makes it suitable for export under the US cryptography export restrictions, 56 bits is crackable by brute force on a reasonable sized network in only a few days - it has to be considered what type of person is most likely to steal the PC or copy the data from it and what resources they are going to have available to them.
Electronic Signature Verification is still open to social engineering as close but subtle observation of the user by a hacker over a period of time may give away enough information for the hacker to break in. With sensitive and valuable data, companies should always be aware that their user population could be under attack without them realising that anything is going on - making the users aware of any warning signs and telling them what to do should they consider that they are under attack.

Conclusions

Relatively unintrusive biometric verification such as Quintet's SignCrypt provide a good way of securing data on machines that are made vulnerable by the very fact that they are so small and portable without complications arising from language incompatibilities. Using the digitiser and stylus that are already incorporated in the machines means that there are no extra parts to buy, train users how to use, mislay or get broken. Making them use their signature additionally puts the psychological barrier of non-repudiation between them and malicious use of the equipment.

Data secured with SignCrypt is reasonably secure - an attack by trying to sign in the same way as the authorised user is almost certainly doomed to failure - although the limitation of 56 bit DES does make the data less secure against nontrivial brute-force attack should the data files be copied onto another machine for cracking at leisure.

The company's technology has been tested and endorsed by the big names in hand held PCs and Quintet's customers include banks, government agencies, computer manufacturers and other corporations with large computer installations both in the US and in the Far East. The company's board's background is based in engineering, computer systems and business, encompassing a wide but relevant field of experience gained at high profile companies.

Company Profile

Incorporated in 1994, Quintet Inc. was formed in order to provide a biometric solution to the problems of authentication although it has not limited itself to this and it has expanded into complimentary, authentication systems. A privately held company with its head quarters in Cupertino, California, it now has 9 employees in addition to a number of consultants on its books.

Quintet's representation is not limited to the US but extends to the far east. Its strategic partners include: SAIC (Science Applications International Corporation); Oberthur (Smartcards - USA); Ramgate (IT - Malaysia); Data General (Government unit); and, NTT/NEL (Japan).

Quintet's product portfolio consists of: SignCrypt - reviewed here which protects data stored on hand-held, laptop and desktop PCs using Electronic Signature Verification and smartcards; Q-Safe - a product that uses Electronic Signature Verification to authenticate users of safe deposit boxes in addition to keeping trail audits and other accounting information; Q-Lock - used to control access to system resources on Microsoft Windows NT; and, FileGuard - a system designed to monitor files specified by the user, looking for changes and access.

The company's core product, its signature verifications software, has received: NIST (National Institute of Standards and Technology) Certification for it DES implementation; 3 patents in the USA with 6 more drafted for submission; and, NTT endorsement of its technology. Using a digitiser and stylus (these already being part of a hand-held PC), the user's signature is analysed and used to authenticate them. In addition, the software is able to use the natural differences between successive signatures to provide a random key for encryption purposes. The company's technology has been tested and endorsed by Microsoft and endorsed by Philips, Hewlett-Packard and Hitachi.

Quintet's customers cover banks, government agencies, computer manufacturers and other corporations with large computer installations and include: IRE (Information Resource Engineering Inc.) in its SafeNet Virtual Private Network (VPN); NTT/ExWAY (Smartcards); Japan IDT (2D barcode systems); Spark OnLine; IISI (Government and Banks - Taiwan); and, CS Tech (Government and Banks - Malaysia).

Quintet's board has a sound background in engineering and computer systems, with founder members drawing from experience at CDC, ITT/STC, Marconi, National Semiconductor, Ricoh, Zymos and so on. Years of their research has resulted in patents for Electronic Signature Verification including anti-spoofing technology. With the authentication part of the security market pushing towards single sign-on - biometric verification being the only way of identifying a user - they are well on their way to achieving their major corporate objective which is to become 'the supplier of choice' for authentication technologies and software security products for the computer and communications industries.

In the US:
Quintet Inc.
10670 North Tantau Avenue
Cupertino
California 95014
US
Tel: +1 408 777 7630
Fax: +1 408 777 0889
Email: info@quintetusa.com
WWW: http://www.quintetusa.com/

Back to the Internet Security Index

Back to the Index