Utimaco, based in Germany but with offices across Europe and further afield, was founded in 1983 and is well established as a provider of information security products. Its comprehensive portfolio caters for encryption, PKI and certificates, virtual private networks and more. Given this background it was perhaps inevitable that sooner or later it would turn its attention to biometrics.

The SafeGuard Biometrics product may be thought of as either a standalone Windows biometric log-on enhancement, or as part of a more sophisticated security infrastructure, in combination with other SafeGuard products. The basic premise is to combine fingerprint biometrics and chip cards for advanced personal identity verification, and integrate this into the Windows NT or Windows 2000 environments.

This idea in itself is not new and there are other vendors who offer this facility. The SafeGuard product, however, does offer some interesting variation. Firstly, the 'match on card' or MOC facility that undertakes the biometric template matching process on the chip card itself, obviates the need for external processing and the passing back and forth of template data, which in itself introduces the potential for compromise. Secondly, the well-considered modular approach of the whole SafeGuard product range and the integration of biometrics into this broader picture. This provides the IT security professional with a wide range of options available from a single source.

It is worth mentioning the presentation of the SafeGuard Biometrics product, which is generally very good, with a proper manual in a hard cover ring binder and outer box to sit on your shelf, together with a neatly packaged biometric reader and CD-ROM in a proper jewel case. Such attention to detail, while not guaranteeing performance, does inspire confidence and gives the impression that this is a well-considered product offering from a vendor who takes such things seriously. The biometric device packaged with SafeGuard Biometrics is the familiar combination chip card and fingerprint reader from Precise Biometrics, a well-established device with a history of reliability. The chip cards utilize the MioCOS card operating system from Finnish company Miotec and feature the Atmel processor with 32/64Kb of EEPROM.

The SafeGuard software consists of an Enrolment Station and Biometric Logon Extensions (BioGINA) and is easily installed under Windows 2000. Having installed the software, the administrator will need to consider an appropriate enrolment process. While this could be undertaken remotely by the users themselves, I would not recommend this approach personally for a variety of reasons. A supervised enrolment at a dedicated enrolment center where users can be issued with cards and enrolled with proper explanation and training is preferable, and may well save time in the long run. Initially, the chip card is accessed via the user PIN in the conventional manner, and then the user creates biometric templates for one or more fingerprints. This entails the typical process of giving multiple samples (three in this case) that are averaged in order to create a representative biometric template against which live samples will be matched at the time of verification. This is achieved via intuitive dialogues that also aid positioning of the finger on the sensor.

Having successfully enrolled the user's biometric reference data onto the chip card, the default is to deactivate the user PIN facility, necessitating use of the biometric at all times. This default, however, may be over-ridden if you wish to keep the PIN active as well. This will be a policy decision for the administrator to consider. Provision is also made for an administrator to clear the biometric data from a given chip card and establish new PIN numbers accordingly, although this facility needs to be explicitly enabled via a registry setting configuration. Overall, the relationship between chip card and biometric seems to be well-considered and is logical in its configuration. If you are seriously considering a product of this type to enhance your network security, then it is likely that you are familiar with the concept of system policies. Utimaco provides a template file that you can use in conjunction with the Windows System Policy Editor or the Microsoft Management Console. This will help you configure your system around the SafeGuard Biometrics product, although you would be well advised to consult the appropriate Microsoft documentation before getting too carried away.

Whether you think it will be worth investing in such a product will no doubt depend upon your perceived risk in terms of network access. To equip a large workforce with the SafeGuard Biometrics product could be a costly exercise and one that you would not undertake lightly. You may decide, however, that for a certain critical area or group of personnel such a solution would be beneficial. This might especially be the case for remote workers where you could make good use of the synergy with other SafeGuard products in order to provide secure remote access using a VPN and certificates. In this instance the biometric would provide authenticated access to the chip card.

As previously stated, there are other products out there that offer similar functionality, but the SafeGuard Biometrics product is a little unusual in taking the 'match on card' approach to verifying the biometric template and this may well be of interest to some users. Furthermore, Utimaco is well-established in the information security sector and the synergy between SafeGuard Biometrics and its other products should not be overlooked. If you are looking into the feasibility of using biometrics for network access and further exploring the potential for integration within a PKI environment, then it would be well worth taking a closer look at this product.
   

SC On-Line
SC Magazine
www.scmagazine.com