Biometrics

clearsleepingbag  Security

30 Nov 2013 (3 years and 11 months ago)

Biometric Security

Pieter.Hartel@utwente.nl

IIS

2

Problem


People use weak passwords


People write the pin code on their bank card



Biometrics cannot be “forgotten” and you do
not have to “think of it”


Personal Identification

Associating an individual with an identity:


Something you have

»
Token, smart card


Something you know

»
Password, pin


Something you are:

»
Physiological

»
Behavioural



Forms of Identification


Authentication (aka Verification)

»
Am I who I claim to be?


Recognition (aka Identification)

»
Who am I?

»
Harder than Authentication (why?)


Physiological or Behavioural?

[Jai00] A. K. Jain, L. Hong, and S. Pankanti. Biometric identification. Commun. ACM, 43(2):90-98, Feb 2000. http://doi.acm.org/10.1145/328236.328110

Sample Application Areas

Forensic                   Civilian                      Commercial
Criminal investigation     National ID                   ATM (India), POS (AH)
Corpse identification      Driver's license (Oklahoma)   Credit card (Singapore)
Parenthood determination   Welfare disbursement          Laptop login


Verification

Verification is easier than identification…


Two examples


Hand geometry


Fingerprint


Hand Geometry (Hand Key)


Measure your Right hand


FBI classification


What is your right hand index finger?

Arch Whorl Loop Accidental


Fingerprint matching


Ridge thinning & extraction


Minutiae (bifurcation, end point) detection


Ridge based alignment & overlaying


Desired Characteristics


Biometric

»
Universal

»
Unique

»
Permanent

»
Collectable


System

»
Performance

»
Acceptability

»
Circumvention


[Put00] T. van der Putte and J. Keuning. Biometrical fingerprint recognition: Don't get your fingers burned. In 4th Int. IFIP wg 8.8 Conf. Smart card research and advanced application (CARDIS), pages 289-303, Bristol, UK, Sep 2000. Kluwer Academic Publishers, Boston, Massachusetts. http://www.keuning.com/biometry/Biometrical_Fingerprint_Recognition.pdf

Watch this video

Some Comparisons

Biometrics     Universality  Uniqueness  Permanence  Collectability  Performance  Acceptability  Circumvention
Face           high          low         med.        high            low          high           low
Fingerprint    med.          high        high        med.            high         med.           high
Hand Geometry  med.          med.        med.        high            med.         med.           med.
Iris           high          high        high        med.            high         low            high
Signature      low           low         low         high            low          high           low
Voice Print    med.          low         low         med.            low          high           low


Biometrics is not perfect


High False Accept rate is bad for high security applications -- dangerous


High False Reject rate is bad for high usability applications -- annoying

Alice is recognised as Alice        -- true accept
Bob is recognised as Alice          -- false accept
Alice is not recognised as Alice    -- false reject
Bob is not recognised as Alice      -- true reject


Receiver Operating Characteristics

[Figure: ROC curve. Vertical axis: False Reject Rate (low to high); horizontal axis: False Accept Rate (low to high); label: Security.]
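The accept/reject table and the ROC slide above describe the trade-off in words; this added example (not from the slides) computes the False Accept Rate and False Reject Rate of a verifier over constructed match scores and sweeps the decision threshold to show how raising it for security raises the rejection rate. Score range, scores and the accept rule (score >= threshold) are assumptions.

```python
# Constructed match scores on a 0..100 scale (higher = better match).
# GENUINE: Alice presents as Alice. IMPOSTOR: Bob presents as Alice.
GENUINE = [88, 92, 75, 81, 95, 68, 90, 84, 79, 86]
IMPOSTOR = [35, 52, 61, 44, 70, 28, 57, 49, 66, 40]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) when the verifier
    accepts exactly those presentations with score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # Bob accepted as Alice (dangerous)
    false_rejects = sum(1 for s in genuine if s < threshold)    # Alice rejected (annoying)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def roc(genuine=GENUINE, impostor=IMPOSTOR):
    """One (threshold, FAR, FRR) point per candidate threshold, in rising
    threshold order: FAR can only fall and FRR can only rise along the list."""
    return [(t,) + rates(t, genuine, impostor)
            for t in sorted(set(genuine) | set(impostor))]


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """The ROC point where FAR and FRR are closest (the equal error rate),
    a common single-number summary of a biometric system's performance."""
    return min(roc(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


if __name__ == "__main__":
    for t, far, frr in roc():
        print(f"threshold {t:3d}: FAR {far:.1f}  FRR {frr:.1f}")
    print("equal error point:", equal_error_point())
```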


Attacks



How many templates do you have?


Template protection


Requirements

»
Diversity (no cross matching of data bases for privacy)

»
Revocability (easy to replace template)

»
Security (hard to obtain the original)

»
Performance (matching must be robust)


Why does encryption not work?


Two examples

»
Non-invertible transforms

»
Fuzzy commitment

[Jai08] A. K. Jain, K. Nandakumar, and A. Nagar. Biometric template security. EURASIP Journal
on Advances in Signal Processing, 2008:579416, 2008.
http://dx.doi.org/10.1155/2008/579416


Non invertible transform


User specific transformation (revocability)


Locally smooth translation outside matcher tolerance
(performance)


Globally non smooth (security)

[Rat06] N. Ratha, J. Connell, R. M. Bolle, and S. Chikkerur. Cancelable biometrics: A case study in fingerprints. In 18th Int. Conf. on Pattern Recognition (ICPR), volume 4, pages 370-373, Hong Kong, China, Aug 2006. IEEE Computer Society. http://dx.doi.org/10.1109/ICPR.2006.353

“crumple”


Example












Fuzzy commitment


Idea

»
Use biometric template: x

»
As a corrupted code word: c = x - δ


The commitment is

»
Hash code word for security: h(c)

»
Leave distance in clear for fuzziness: δ


Verification

»
Measure: x'

»
Compute: c' = decode(x' - δ)

»
Match if h(c') = h(c)

[Jue99a] A. Juels and M. Wattenberg. A fuzzy commitment scheme. In 6th ACM conf. on Computer and communications security (CCS), pages 28-36, Kent Ridge Digital Labs, Singapore, 1999. ACM. http://doi.acm.org/10.1145/319709.319714

[Figure: number line (100, 200, 300) showing the enrolled template x, a later measurement x', the code word c and the candidate decodings marked c'?]
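The commit and verify steps on the slide above, worked through in runnable form as an added example (this is not the slides' code nor the implementation from [Jue99a]); it assumes a 3-bit repetition code as the error-correcting code, SHA-256 as h, binary templates where "x - δ" is XOR, and a constructed 12-bit template.

```python
import hashlib
import secrets

REP = 3  # repetition code: each message bit is written REP times (corrects 1 flip per group)


def encode(message_bits):
    """Message bits -> code word of the repetition code."""
    return [b for b in message_bits for _ in range(REP)]


def decode(word):
    """Noisy word -> nearest code word, by majority vote in each REP-bit group.
    More than REP//2 flips in one group decode to the wrong code word."""
    out = []
    for i in range(0, len(word), REP):
        group = word[i:i + REP]
        bit = 1 if 2 * sum(group) > REP else 0
        out.extend([bit] * REP)
    return out


def xor(a, b):
    """Bitwise difference; for binary templates x - δ is x XOR δ."""
    return [p ^ q for p, q in zip(a, b)]


def h(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()


def commit(x):
    """Enrolment: choose a random code word c, store only h(c) and δ = x - c.
    δ is public, so the secret is c: the code's randomness, not the template."""
    c = encode([secrets.randbelow(2) for _ in range(len(x) // REP)])
    delta = xor(x, c)
    return h(c), delta


def verify(commitment, x_prime):
    """Verification with a fresh measurement x': c' = decode(x' - δ), match if h(c') = h(c)."""
    hc, delta = commitment
    c_prime = decode(xor(x_prime, delta))
    return h(c_prime) == hc


def flip(bits, positions):
    """Constructed measurement noise: toggle the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


TEMPLATE = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1]  # constructed 12-bit template x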

Template protection application

[Buh07] I. R. Buhan, J. M. Doumen, P. H. Hartel, and R. N. J. Veldhuis. Secure ad-hoc pairing with biometrics: SAfE. In 1st Int. Workshop on Security for Spontaneous Interaction (Ubicomp 2007 Workshop Proceedings), pages 450-456, Innsbruck, Austria, Sep 2007. http://www.comp.lancs.ac.uk/iwssi2007/papers/iwssi2007-02.pdf


Secure ad-hoc pairing


Suppose two people meet

»
Who have never met before

»
There is no TTP and/or they are not online

»
They are not technical

»
They would like to exchange data

»
Concerned about eavesdropper


How to do this?

»
Biometrics

»
Shielding function as fuzzy extractor

»
Protocol with novel related key attack



Idea: Take each other's photo

[Figure: Alice and Bob photograph each other. Enrollment: m_a = 0110..., m_b = 1101..., with helper data w_a and w_b exchanged over radio. Verification: m_b = decode( , ), after which Alice has m_a, m_b; m_a = decode( , ), after which Bob has m_a, m_b. The decode arguments are not legible on the slide.]


Coping with noise


Problem:

»
Alice gets m_b' close to m_b but not the same

»
The same for Bob...


Solution:

»
During enrollment calculate error profiles

»
Cryptanalysis using those profiles to recover the correct key

»
More work for eavesdropper


Usability


Compare PIN to SAfE


30 subjects: questionnaire + interview


Mainly CS


Results


Conclusions


Identification or verification


Complements password and
token


Systems getting affordable


Biggest problems:

»
Performance

»
Public acceptance


Biometrics is fun