Pocket PowerBuilder and Biometric Security - The proof is in the fingerprint

Security is always a hot topic. How do we make sure that data can be accessed only by those who are allowed to access it?

Working in conjunction with encryption, the current mainstream solution is passwords, which is not ideal. How many of us have seen passwords written down on paper, or guessed passwords that turned out to be the names of spouses, children, and even pets? Password criteria can be very strict, for example, a minimum of eight characters, of which one must be uppercase and one a number. That usually creates a complex password that can't be easily guessed but can be easily forgotten. Then we have to reset passwords, either when users forget them or more than likely at regular intervals, say every 3-6 months. Isn't that a headache?

"Sorry that wasn't me!"

Then there's the topic of nonrepudiation. At a high level, nonrepudiation is the ability to ensure that individuals cannot deny the authenticity of a message that originated from them. On the Internet, a digital signature ensures that an individual created a communication, since a digital signature can only be created by one person, and it ensures that a person cannot later deny that he or she created the communication. As no security technology is foolproof, security experts have warned that the digital signature alone may not always guarantee nonrepudiation. The use of multiple approaches has been suggested, and by grouping them together it would be difficult to repudiate. The search for an alternative or combined and more secure method has led to biometric security.

Currently there are approximately 6.5 billion people on earth and each person, even an identical twin, has certain features that make him or her unique. DNA is probably the most scientific, next the retina, and, third, fingerprints. DNA scanners are complex and currently found only in medical establishments. Retina scanners are large, expensive, and need precise conditions in order to work. That leaves the good old fingerprint! Old is correct - the first fingerprint studies, for identification use, were conducted in 1880 by a Scottish physician, Dr. Henry Faulds; however, the first record of a crime being solved by fingerprint evidence is sometimes believed to be a murder in ancient Rome, where the killer left a bloody handprint. Gory indeed!

Fingerprints are also very forgiving as most fingerprint damage heals and, obviously, there are 10 to choose from. They're also constantly with us, so failing a removal (ouch!) it can be guaranteed that if the fingerprint matches, the owner is/was there. It's also very hard to counterfeit a fingerprint.

With the introduction of the 5000 series of iPAQs, HP has brought biometric security into the mainstream. These iPAQs contain an integrated fingerprint reader that works on thermal imaging, i.e., sensing the temperature differences between the troughs and valleys of a fingerprint (see Figure 1). In fact, this way of fingerprint reading is very accurate and probably one of the most reliable methods, nearly impossible to deceive with artificial fingerprints. This reader allows the device to accurately build a picture of the scanned finger.

Within the Pocket PC OS, HP has added extra functionality to the device that allows the scanned fingerprints to be made part of the initial/power on security, in addition to passwords. This keeps the data on the device safe; if too many incorrect attempts are made to access the Pocket PC, the device will "Hard Reset" and return to its initial factory state with no data or user-installed programs.

It would make sense for the HP development team to have an API into the biometric functionality and, indeed, this is the case. Better than that, they have also exposed it to developers of applications for the iPAQ Pocket PC. This is a C++ DLL that has a number of exposed methods but, as with most external functions, there are callbacks, complex linked structures, etc.

Reed Shilts of Pocket PowerBuilder Engineering in Concord, MA, wrote an adapter DLL to ease the use of the HP Biometric system. In fact, Reed has been spending all his free time making Pocket PowerBuilder work with third-party hardware and software, so we owe him a big thanks. (Note: An upcoming version of Pocket Builder will contain a native interface for the fingerprint scanner, removing the need for this adapter DLL and greatly simplifying everything.) There are a handful of details, like memory allocation responsibility, something Pocket PowerBuilder programmers typically don't have to worry about. But the API is pretty simple and explained in detail in the HTML file that accompanies the adapter along with its own sample.

The example and DLL can be found at http://pocketpb.codexchange.

What is the process for using the Biometric Security? Well, let's take the two processes in turn...

Process to Enroll a Fingerprint

  1. Load BioAPI: PPB_BioAPI_Init
  2. Capture fingerprint: PPB_BioAPI_Capture
  3. Get capture buffer: PPB_BioAPI_CaptureBufferDetails
  4. Get fingerprint minutiae: PPB_BioAPI_RetrieveMinutiae
  5. Free capture buffer: PPB_BioAPI_FreeCaptureBuffer
  6. Unload BioAPI: PPB_BioAPI_Terminate

Process to Verify a Fingerprint

Same as above but the verification step - PPB_BioAPI_VerifyMatch - goes between steps 4 and 5.

Adapter DLL

If you don't care about the details of the adapter DLL, skip the next few paragraphs, but for those who like details, here we go...

The basic model for this adapter is that a scan (or capture) returns an unsigned long handle, which is then queried for various properties and data. When a fingerprint is captured, the intentions of its use help the various algorithms. In other words, a capture intended for "verification" is slightly different from a capture for "identification." In addition, once a fingerprint is captured, the internal algorithms rate the overall quality. This leads to the API for the actual capture method (see Listing 1).

As stated in Listing 1, the reference parameter "handle" is the key to accessing all the details of the data. For example, a fingerprint is actually represented by a set of "minutiae" that represent the details of the structure (the loops, whorls, etc.) of the fingerprint in a more abstract manner than a simple picture. To retrieve this abstract data set and store it in a database for later comparison, we use the "PPB_BioAPI_RetrieveMinutiae" method. This method needs memory that's allocated in the Pocket PowerBuilder memory space, but being a "foreign" DLL, it can't allocate the memory. Hence, we need to allocate an adequate amount of memory and pass in the base address of that memory block. The "PPB_BioAPI_CaptureBufferDetails" method tells us the actual length of the various data buffers, so allocating the memory and retrieving the minutiae are simplified.
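The caller-allocates pattern described above, as an added example in C; it is not the adapter's code and not the article's Listing 2. A simulated adapter stands in for the DLL, and every `sim_*` name and signature, the sample minutiae bytes and the `MAX_TEMPLATE` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simulated adapter, constructed for this example (NOT the HP/PPB DLL).
   Names and signatures are hypothetical stand-ins for the page's steps. */
typedef unsigned long bio_handle;
static const uint8_t SIM_MINUTIAE[] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc};
static int sim_loaded = 0, sim_live_buffers = 0;

static int  sim_init(void)      { sim_loaded = 1; return 0; }      /* step 1 */
static void sim_terminate(void) { sim_loaded = 0; }                /* step 6 */
static int  sim_capture(bio_handle *h) {                           /* step 2 */
    if (!sim_loaded) return -1;
    sim_live_buffers++; *h = 1; return 0;
}
static int sim_buffer_details(bio_handle h, size_t *len) {         /* step 3 */
    if (h != 1) return -1;
    *len = sizeof SIM_MINUTIAE; return 0;
}
static int sim_retrieve(bio_handle h, uint8_t *dst, size_t cap) {  /* step 4 */
    if (h != 1 || !dst || cap < sizeof SIM_MINUTIAE) return -1;    /* no overrun */
    memcpy(dst, SIM_MINUTIAE, sizeof SIM_MINUTIAE); return 0;
}
static void sim_free_capture(bio_handle h) { (void)h; sim_live_buffers--; } /* step 5 */

#define MAX_TEMPLATE 4096  /* assumed sanity cap on a reported length */

/* Steps 1-6. On success returns a malloc'd copy of the minutiae (caller
   frees) and sets *len; on any failure returns NULL. Every path after a
   successful capture frees the capture buffer and unloads the API. */
uint8_t *enroll(size_t *len) {
    bio_handle h = 0; size_t need = 0; uint8_t *buf = NULL;
    *len = 0;
    if (sim_init() != 0) return NULL;
    if (sim_capture(&h) == 0) {
        if (sim_buffer_details(h, &need) == 0 && need > 0 && need <= MAX_TEMPLATE
            && (buf = calloc(1, need)) != NULL) {
            if (sim_retrieve(h, buf, need) == 0) *len = need;
            else { free(buf); buf = NULL; }
        }
        sim_free_capture(h);
    }
    sim_terminate();
    return buf;
}

/* True when no capture buffer is outstanding and the API is unloaded. */
int adapter_is_clean(void) { return !sim_loaded && sim_live_buffers == 0; }
```

The length reported in step 3 is checked before it sizes the allocation, and the same value is passed as the capacity in step 4, so the foreign code never writes past memory the caller owns.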

Putting it all together, the low-level access into the adapter DLL is similar to Listing 2.

However, to make everybody's life easier, we provided the NVO "nvo_biometric_service" to hide the complexity of the adapter DLL. Looking into the NVO, you'll see a much higher quality version of code, which basically does things like this.

The PPB Biometric application example (see Figure 2), which can be downloaded from www.sys-con.com/pbdj/sourcec.cfm, allows the user to train/enroll 10 fingers as U.S. presidents (see Figure 3). The minutiae for each of the fingerprints are stored in an ASA 8 DB against the president selected (see Figure 4). When any finger is randomly scanned back into the application, the newly scanned minutiae is verified against the stored minutiae retrieved in turn from the database and, if a match is made, the correct president is displayed (see Figure 5).

More Stories By Ian Thain

As one of the Sybase Technical Evangelists, Ian regularly addresses technical audiences all over the world and his sessions are always very well attended. He also writes education classes, whitepapers, demos and articles for various Sybase products and publishes regularly in Journals such as SYS-CON's PBDJ and International Developer Magazine. He is also the Sybase Unwired Platform & PocketBuilder Evangelist and works closely with the team in Dublin, CA and Concord, MA on new features and demonstrations for the products. In his customer-facing Evangelist role, Ian is very involved with the design, production and testing of Enterprise class Unwired Solutions, that have been implemented using Sybase's Unwired tools for Sybase customers around the globe. In addition, Ian is a dedicated technical expert continually working with Sybase's key partners and clients to enhance the capabilities of the Unwired solutions that Sybase can offer to its customers. Ian can also be found on Twitter @ithain
