By Ian Thain | December 3, 2003 02:00 PM EST | Reads: 11,675
Security is always a hot topic. How do we make sure that data can be accessed only by those who are allowed to access it?
Working in conjunction with encryption, the current mainstream solution is passwords, which is not ideal. How many of us have seen passwords written down on paper, or guessed passwords because they were the names of spouses, children, or even pets? Password criteria can be very strict, for example, a minimum of eight characters, of which one must be uppercase and one a number. That usually creates a complex password that can't be easily guessed but can be easily forgotten. Then we have to reset passwords, either when users forget them or more than likely at regular intervals, say every 3-6 months. Isn't that a headache?
"Sorry that wasn't me!"
Then there's the topic of nonrepudiation. At a high level, nonrepudiation is the ability to ensure that individuals cannot deny the authenticity of a message that originated from them. On the Internet, a digital signature ensures that an individual created a communication, since a digital signature can only be created by one person, and it ensures that a person cannot later deny that he or she created the communication. As no security technology is foolproof, security experts have warned that the digital signature alone may not always guarantee nonrepudiation. The use of multiple approaches has been suggested; grouped together, they would make a communication difficult to repudiate. The search for an alternative or combined and more secure method has led to biometric security.
Currently there are approximately 6.5 billion people on earth and each person, even an identical twin, has certain features that make him or her unique. DNA is probably the most scientific, next the retina, and, third, fingerprints. DNA scanners are complex and currently found only in medical establishments. Retina scanners are large, expensive, and need precise conditions in order to work. That leaves the good old fingerprint! Old is correct - the first fingerprint studies, for identification use, were conducted in 1880 by a Scottish physician, Dr. Henry Faulds; however, the first record of a crime being solved by fingerprint evidence is sometimes believed to be a murder in ancient Rome, where the killer left a bloody handprint. Gory indeed!
Fingerprints are also very forgiving as most fingerprint damage heals and, obviously, there are 10 to choose from. They're also constantly with us, so failing a removal (ouch!) it can be guaranteed that if the fingerprint matches, the owner is/was there. It's also very hard to counterfeit a fingerprint.
With the introduction of the 5000 series of iPAQs, HP has brought biometric security into the mainstream. These iPAQs contain an integrated fingerprint reader that works on thermal imaging, i.e., sensing the temperature differences between the ridges and valleys of a fingerprint (see Figure 1). In fact, this way of fingerprint reading is very accurate and probably one of the most reliable methods, nearly impossible to deceive with artificial fingerprints. This reader allows the device to accurately build a picture of the scanned finger.
Within the Pocket PC OS, HP has added extra functionality to the device that allows the scanned fingerprints to be made part of the initial/power on security, in addition to passwords. This keeps the data on the device safe; if too many incorrect attempts are made to access the Pocket PC, the device will "Hard Reset" and return to its initial factory state with no data or user-installed programs.
It would make sense for the HP development team to have an API into the biometric functionality and, indeed, this is the case. Better than that, they have also exposed it to developers of applications for the iPAQ Pocket PC. This is a C++ DLL that has a number of exposed methods but, as with most external functions, there are callbacks, complex linked structures, etc.
Reed Shilts of Pocket PowerBuilder Engineering in Concord, MA, wrote an adapter DLL to ease the use of the HP Biometric system. In fact, Reed has been spending all his free time making Pocket PowerBuilder work with third-party hardware and software, so we owe him a big thanks. (Note: An upcoming version of Pocket Builder will contain a native interface for the fingerprint scanner, removing the need for this adapter DLL and greatly simplifying everything.) There are a handful of details, like memory allocation responsibility, something Pocket PowerBuilder programmers typically don't have to worry about. But the API is pretty simple and explained in detail in the HTML file that accompanies the adapter along with its own sample.
The example and DLL can be found at http://pocketpb.codexchange.
What is the process for using the Biometric Security? Well, let's take the two processes in turn...
Process to Enroll a Fingerprint
1. Load BioAPI: PPB_BioAPI_Init
2. Capture fingerprint: PPB_BioAPI_Capture
3. Get capture buffer: PPB_BioAPI_CaptureBufferDetails
4. Get fingerprint minutiae: PPB_BioAPI_RetrieveMinutiae
5. Free capture buffer: PPB_BioAPI_FreeCaptureBuffer
6. Unload BioAPI: PPB_BioAPI_Terminate
To verify a fingerprint, the process is the same as above, but the verification step - PPB_BioAPI_VerifyMatch - goes between steps 4 and 5.
Adapter DLL
If you don't care about the details of the adapter DLL, skip the next few paragraphs, but for those who like details, here we go...
The basic model for this adapter is that a scan (or capture) returns an unsigned long handle, which is then queried for various properties and data. When a fingerprint is captured, the intentions of its use help the various algorithms. In other words, a capture intended for "verification" is slightly different from a capture for "identification." In addition, once a fingerprint is captured, the internal algorithms rate the overall quality. This leads to the API for the actual capture method (see Listing 1).
As stated in Listing 1, the reference parameter "handle" is the key to accessing all the details of the data. For example, a fingerprint is actually represented by a set of "minutiae" that represent the details of the structure (the loops, whorls, etc.) of the fingerprint in a more abstract manner than a simple picture. To retrieve this abstract data set and store it in a database for later comparison, we use the "PPB_BioAPI_RetrieveMinutiae" method. This method needs memory that's allocated in the Pocket PowerBuilder memory space, but being a "foreign" DLL, it can't allocate the memory. Hence, we need to allocate an adequate amount of memory and pass in the base address of that memory block. The "PPB_BioAPI_CaptureBufferDetails" method tells us the actual length of the various data buffers, so allocating the memory and retrieving the minutiae are simplified.
Putting it all together, the low-level access into the adapter DLL is similar to Listing 2.
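The caller-allocated buffer pattern described above, as an added C example that is not the article's Listing 2 and not HP's or the adapter's own code. The `sim_*` functions are constructed stand-ins for the adapter calls, whose real signatures are not shown on this page, and the minutiae bytes are made-up sample data; the example bounds the reported length before allocating, releases the capture buffer on every path, and wipes the template before freeing it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the adapter DLL; signatures are assumptions. */
typedef unsigned long bio_handle;
static const unsigned char SAMPLE[] = {0x10, 0x22, 0x37, 0x41, 0x5c, 0x68};
static int live_buffers = 0;            /* capture buffers not yet freed */

static int sim_capture(bio_handle *h) { *h = 1; live_buffers++; return 0; }
static int sim_buffer_details(bio_handle h, size_t *len) {
    if (h != 1) return -1;
    *len = sizeof SAMPLE;
    return 0;
}
static int sim_retrieve_minutiae(bio_handle h, unsigned char *dst, size_t cap) {
    if (h != 1 || dst == NULL || cap < sizeof SAMPLE) return -1;
    memcpy(dst, SAMPLE, sizeof SAMPLE);
    return 0;
}
static void sim_free_capture(bio_handle h) { if (h == 1) live_buffers--; }

/* Capture, size query, caller-side allocation, retrieval, free.
   Returns a heap copy of the minutiae (caller owns it) or NULL. */
unsigned char *enroll_template(size_t max_len, size_t *out_len) {
    bio_handle h = 0;
    size_t need = 0;
    unsigned char *buf = NULL;
    *out_len = 0;
    if (sim_capture(&h) != 0) return NULL;
    /* Never trust a reported length without an upper bound. */
    if (sim_buffer_details(h, &need) == 0 && need > 0 && need <= max_len) {
        buf = calloc(1, need);
        if (buf != NULL && sim_retrieve_minutiae(h, buf, need) != 0) {
            free(buf);
            buf = NULL;
        }
    }
    sim_free_capture(h);                /* released on success and failure */
    if (buf != NULL) *out_len = need;
    return buf;
}

/* Biometric templates cannot be rotated like passwords: wipe before free. */
void discard_template(unsigned char *t, size_t len) {
    volatile unsigned char *p = t;
    while (len--) *p++ = 0;
    free(t);
}

int outstanding_buffers(void) { return live_buffers; }
```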
However, to make everybody's life easier, we provided the NVO "nvo_biometric_service" to hide the complexity of the adapter DLL. Looking into the NVO, you'll see a much higher quality version of code, which basically does things like this.
The PPB Biometric application example (see Figure 2), which can be downloaded from www.sys-con.com/pbdj/sourcec.cfm, allows the user to train/enroll 10 fingers as U.S. presidents (see Figure 3). The minutiae for each of the fingerprints are stored in an ASA 8 DB against the president selected (see Figure 4). When any finger is randomly scanned back into the application, the newly scanned minutiae are verified against the stored minutiae retrieved in turn from the database and, if a match is made, the correct president is displayed (see Figure 5).
Copyright © 2003 SYS-CON Media, Inc. — All Rights Reserved.
As one of the Sybase Tools Technical Evangelists, Ian regularly addresses technical audiences all over the world and his sessions are always very well attended. He also writes education classes, whitepapers, demos and articles for various Sybase products and publishes regularly in journals such as SYS-CON's PBDJ and International Developer Magazine. He is also the Sybase Unwired Platform & PocketBuilder Evangelist and works closely with the team in Dublin, CA and Concord, MA on new features and demonstrations for the products. He is also Tech Chair of iPhone Development Summit 2009 - New York (June) and San Francisco (November). In his customer-facing Evangelist role, Ian is very involved with the design, production and testing of Enterprise class Unwired Solutions that have been implemented using Sybase's Unwired tools for Sybase customers around the globe. In addition, Ian is a dedicated technical expert continually working with Sybase's key partners and clients to enhance the capabilities of the Unwired solutions that Sybase can offer to its customers. Ian can also be found on Twitter @ithain.