Hiroki Morimoto's presentation on Biometrics


Feb 23, 2014 (3 years and 4 months ago)


Biometrics

Hiroki Morimoto

Overview


Definition


Advantages/Disadvantages and Ideal Biometrics


Usage and System of Biometrics


Current application in real world


Biometrics Errors


Possible Attacks


Examples


Fingerprint


Hand Geometry


Iris Scan


Voice Recognition


Conclusion


References

Definition


Biometrics refers to methods for uniquely recognizing or verifying a person based upon one or more physical characteristics or behavioral traits

Biometrics identifies the person by what he or she is, not by what he or she knows (e.g. passwords) nor by what he or she has (e.g. ID cards)


Behavioral based


Behavioral-based methods perform the identification task by recognizing people's behavioral patterns

Examples: signatures, keyboard typing, and voice print

Advantage: they are sometimes more acceptable to users and generally cost less to implement

Disadvantages:

they all have high variations, which are difficult to cope with

they can be difficult to measure because of influences such as stress, fatigue, or illness

Physiological based


Physiological-based methods verify a person's identity by means of his or her physiological characteristics

Examples: fingerprint, iris pattern (eye blood vessel pattern), palm geometry, DNA, or facial features

Advantages:

in general, physiological traits are more stable because most physiological features are virtually nonalterable

difficult to forge

Disadvantages:

some of them are time consuming

some people don't feel comfortable with them

Comparison


Generally, physiological characteristics provide higher recognition accuracy than behavioral features

the average error rate of behavioral methods is 10 to 100 times higher than that of physiological ones

Intrusiveness: measure of users' psychological discomfort

Convenience: measure of users' physical discomfort

There is a tradeoff between these two factors and error rate


Why Biometrics?


Biometrics is seen as a desirable replacement for passwords and IDs

Users no longer have to

remember passwords

carry IDs

worry about losing/forgetting them

update them

More secure because it is difficult to steal and forge

Needs no human resource expenses for lockouts or password resets, which decreases system management cost

Why Biometrics? (cont)



Very active area of research

Total revenue likely to reach $1 billion in the year 2003

It offers two important features:

Fraud detection: easy to discover multiple registration

Fraud deterrence: introduces a psychological effect that discourages multiple registration


Problems of Biometrics


Biometrics are not widely accepted because

Some devices are still costly and time consuming

Some people find their use intrusive and/or invasive

Privacy and confidentiality issues of bio records

It can be a single point of failure, so a secondary way must be provided (such as password/ID)

Cancellation, erasure, and reset are (almost) impossible. Thus, once a biometric is stolen or made public, all other systems that rely on it can be accessed/attacked

Forgeries are possible


Ideal Biometric


Universality: everyone should have the characteristic

In reality, no biometric applies to everyone

Uniqueness: distinguish with certainty

In reality, cannot hope for 100% certainty

Permanence: physical characteristic being measured never changes

In reality, want it to remain valid for a long time

Collectability: easy to collect required data

Depends on whether subjects are cooperative

Acceptability: degree of approval of a technology

In reality, not everyone feels comfortable with it

Safety: assurance of confidentiality and integrity of collected data

Still is a current subject

Circumvention: ease of use of a substitute

Tradeoff between cost and goal

Biometrics Usage


Identification: Who goes there?

Compare one to many

Example: The FBI fingerprint database

Authentication: Is that really you?

Compare one to one

Example: Thumbprint mouse

The identification problem is more difficult (high error rate)

Because more comparisons mean more “random” matches

Authentication needs fewer computational resources

Biometrics Strategy


The common basic process of a biometrics system:

Enrollment: capture raw data

Feature Extraction: encode the raw data into the distinctive characteristics used by the specific system

Template Creation: a system-specific template is created

A template is a small file derived from the distinctive features of a user's bio data

There are two types of template:

Enrollment template: generated during the user’s first interaction and stored in the enrollment database for future use

Matching template: generated during identification/authentication attempts, to be compared with the enrollment template and discarded each time

Biometrics Matching: the two templates are compared statistically to determine the degree of correlation. The resulting score is compared against the threshold to determine match or mismatch

Enrollment vs. Recognition


Enrollment phase


Subject’s biometric info put into database


Must carefully measure the required info


OK if slow and repeated measurement needed


Must be very precise for good recognition


A weak point of many biometric schemes


Recognition phase


Biometric detection when used in practice


Must be quick and simple


But must be reasonably accurate


Biometrics in our world


In the past, it was used to protect highly sensitive information

Now it is more familiar to us

Palm print for secure entry

West Virginia University implemented it in 2002 in a dominant building

McDonald’s uses it for timekeeping of workers

Fingerprint to unlock car door and log into the computer

Application of Biometrics


Biometrics applications can be categorized into horizontal categories and vertical markets

Biometrics Categories


Citizen Identification: identify/authenticate citizens interacting with government agencies

PC/Network Access: secure access to PCs, networks and other computer resources

Physical Access / Time and Attendance: secure access to a given area at a given time

Surveillance and Screening: identify/authenticate individual presence in a given location

Retail ATM / Point of Sale: provide identification/authentication for in-person transactions for goods/services

E-Commerce / Telephony: provide identification/authentication for remote transactions for goods/services

Criminal Identification: identify/verify individual in law enforcement application

* Descending order of estimated annual revenues generated 2003-2007

Biometrics Markets


Government Sector


Travel and Transportation


Financial Sector


Health Care


Law Enforcement


* Descending order of estimated annual revenues generated 2003-2007

Market Share of Biometrics

Errors


False acceptance rate: user A mis-authenticated as user B

Sometimes called type 1 error, fraud rate, ...

FAR = 1 - sensitivity = 1 - TPR

sensitivity, or true positive rate (TPR), is the percentage of the time that an authorized person is admitted

False rejection rate: user A not authenticated as user A

Also known as type 2 error, insult rate, …

FRR = 1 - specificity = 1 - TNR

specificity, or true negative rate (TNR), is the percentage of the time that an unauthorized person is correctly rejected

Errors


A good system should have both low FRR (high sensitivity) and low FAR (high specificity)

However, for any biometric, there is a tradeoff

can decrease one, but the other will increase

The tradeoff is illustrated by so-called receiver operating characteristic (ROC) curves or by detection error tradeoff (DET) curves

[Figure: (a) ROC curve, (b) DET curve]

FAR is plotted against FRR by varying the threshold

For example:

at (*), FAR and FRR are equal, at about 20%

at (o), FRR is 10% and FAR is 50%

Dropping the threshold will move the operating point toward the right of both curves, which means the system will be less sensitive and more specific

Raising the threshold does the reverse

Errors


Equal error rate: rate where FAR == FRR


The best measure for comparing biometrics
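The threshold tradeoff and the equal error rate can be worked through numerically. The following Python sketch is an added example, not part of the original slides: the distance scores are constructed so that the two operating points read off the curves above (FAR = FRR = 20%, and FRR 10% with FAR 50%) appear, and the one-to-many function assumes independent comparisons to show why identification has a higher error rate than authentication.

```python
# Constructed distance scores (lower = closer match); not from a real device.
GENUINE = [0.08, 0.12, 0.15, 0.18, 0.21, 0.24, 0.27, 0.31, 0.36, 0.44]
IMPOSTOR = [0.29, 0.34, 0.37, 0.39, 0.42, 0.47, 0.49, 0.51, 0.53, 0.56]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts that are accepted."""
    return sum(d <= threshold for d in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts that are rejected."""
    return sum(d > threshold for d in genuine) / len(genuine)


def sweep(steps=100):
    """(threshold, FAR, FRR) for thresholds 0.00 .. 1.00: the curve data."""
    return [(i / steps, far(i / steps), frr(i / steps)) for i in range(steps + 1)]


def equal_error_rate(points):
    """First operating point where |FAR - FRR| is smallest (EER estimate)."""
    t, fa, fr = min(points, key=lambda p: abs(p[1] - p[2]))
    return t, (fa + fr) / 2


def identification_false_match(far_single, enrolled):
    """Chance of at least one false match when one sample is compared against
    `enrolled` templates, assuming independent comparisons (an assumption)."""
    return 1 - (1 - far_single) ** enrolled


if __name__ == "__main__":
    for t, fa, fr in sweep(20):
        print(f"threshold={t:.2f}  FAR={fa:.0%}  FRR={fr:.0%}")
    print("EER (threshold, rate):", equal_error_rate(sweep()))
    print("1:1000 search at FAR 0.1%:", identification_false_match(0.001, 1000))
```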

Attacks


Mainly, there are three possible attacks:

Presenting artificially created samples

Eavesdropping on the communication between the sensor device and the system

Exploiting the template database

The first scenario has proven to be the easiest and the most successful

The other two can help to obtain the data required to create the artificial sample

Fingerprints


Fingerprints have four important features: loops, whorls, arches, and tents

These features are extracted to create the minutiae

Loop

Whorl

Arch

Tent

Implementation of fingerprints

Implementation Steps

1. Capture image of fingerprint

2. Enhance image

3. Identify minutiae

Implementation of fingerprints

1. Compare the extracted minutiae with the data in the database

2. The result is calculated statistically by graph matching

Features of Fingerprints


Advantages:

EER of about 5%

Unique even for identical twins (not genetics dependent)

Popular, cheap, easy to use, quick, …

Disadvantages:

Not permanent and universal due to injury, aging or other factors

Less acceptable because it is often associated with “forensic application”

Attack:

Extracting/reproducing achieved by using bond and gelatin

e.g. the Japanese mathematician T. Matsumoto succeeded in fooling a fingerprint device using an artificial gelatin finger

Hand Geometry


Hand Geometry is a popular form of biometric:

Widely used for authentication but not useful for identification

Implementation of Hand Scan

1. Take a picture to capture a silhouette image

2. Top and side views of hand are captured

3. Measure the shape of hand/fingers

Width, length, curvature, and thickness

Features of Hand Geometry


Advantages:


Ease of use


Wide public acceptance



Disadvantages:


Hands are not unique


Not permanent because of growing, injury, and so on



Attack:


Creating the artificial hand is very easy


Iris Scan


Iris Scan is utilized in highly-secure facilities such as banks or the military

Implementation:

Scan eye with infrared rays

Create the b/w photo of iris

Apply 2-D wavelet transform

Convert the iris data into a 256-byte iris code

Compare the created matching template with the enrollment template in the database using Hamming distance
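The final comparison step, and the enrollment/matching template flow from the Biometrics Strategy slide, can be sketched in Python. This is an added example, not code from the presentation: the wavelet encoder is replaced by a hash-based stand-in that only produces constructed 256-byte codes, capture noise is simulated by flipping bits, and the 0.32 threshold is an assumed value.

```python
import hashlib

CODE_BYTES = 256  # iris code size given on the slide


def constructed_code(seed: bytes) -> bytes:
    """Stand-in for the wavelet encoder: 256 pseudo-random bytes from a seed."""
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    return out[:CODE_BYTES]


def flip_bits(code: bytes, count: int) -> bytes:
    """Simulate capture noise by flipping `count` evenly spaced bits."""
    noisy = bytearray(code)
    step = (len(code) * 8) // count
    for n in range(count):
        pos = n * step
        noisy[pos // 8] ^= 1 << (pos % 8)
    return bytes(noisy)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two 256-byte iris codes."""
    if len(a) != CODE_BYTES or len(b) != CODE_BYTES:
        raise ValueError("iris codes must both be 256 bytes")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (CODE_BYTES * 8)


def matches(enrollment: bytes, probe: bytes, threshold: float = 0.32) -> bool:
    """Match when the distance is at or below the threshold (assumed value)."""
    return hamming_fraction(enrollment, probe) <= threshold


if __name__ == "__main__":
    enrolled = constructed_code(b"subject A, enrollment")  # enrollment template
    same_eye = flip_bits(enrolled, 200)                    # matching template
    other_eye = constructed_code(b"subject B")             # unrelated code
    print("same eye :", hamming_fraction(enrolled, same_eye))
    print("other eye:", hamming_fraction(enrolled, other_eye))
```

Codes from unrelated sources differ in about half of their 2048 bits, while a noisy re-capture of the same code stays far below that, which is why a single distance threshold separates the two cases.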

Features of Iris


Advantages:

Safe because it shows the smallest error rate (EER of about 10^-6) and it is difficult to spoof

Very unique (more random than fingerprint) and little or no genetic influence (phenotypic)

Permanent: the pattern is stable through lifetime and protected/cleared by cornea and eyelid

Very quick

Disadvantages:

Low acceptability because some think it is intrusive and invasive

Attack:

Attacks using a high-quality photo/image have succeeded

Voice Recognition


Sometimes called speaker recognition

Voice Recognition is both a behavioral and a physiologically based method

behavioral: motion of mouth, pronunciation

physiological: vocal tract

Mostly used for remote authentication due to the availability of devices to collect samples

e.g. telephone network, computer microphone

Implementation of Voice Recognition

1. Speaker says a pass-phrase (fixed) or repeats a word (prompted)

2. Components of the voice are broken down into three categories called phonemes:

pitch, intonation, and pronunciation

sometimes more: duration, loudness, etc…

3. Compare statistically


Features of Voice Recognition


Advantages:

Can be combined with a password-based method (verbal information) by asking/answering questions such as “what is your name?” or “how old are you?”

Very quick and easy to collect sample

Disadvantages:

Not universal

Not permanent and reliable because it is sensitive to its background and environment: illness, emotion, aging, device, and one’s environment

Need larger storage for its template

Attack:

Can impersonate an authenticated user’s voice

Record and playback the voice

Conclusion


The attacker uses very easy and inexpensive means to crack biometrics systems

No cut-off fingers or artificial eyes as shown in Hollywood movies

Templates and bio record databases need the highest possible degree of protection because renewing, resetting, and/or cancelling them is impossible

Conclusion


Rapid advances in technology/algorithms as well as the availability of industry standards will certainly assure a bright future

High needs for countries worldwide to protect borders, people, organizations, and resources

However, will this be the end of traditional systems (e.g. passwords)?

No, because biometrics is not the perfect solution

Biometrics shows the tradeoff between ease of use and security

Therefore, the current/future trend in security features a combination of different technologies

References


Anderson, R. “Security Engineering.” 2001.

Biometrics.gov. http://www.biometrics.gov/

Boatwright, M. and Luo, X. “What Do We Know About Biometrics Authentication?” 2007.

Bubeck, U. and Sanchez, D. “Biometrics Authentication.” 2003.

Pfleeger, C. and Pfleeger, S. “Security in Computing.” 2007.