Chapter 12 – Thwarting Attacks


Feb 22, 2014 (2 years and 9 months ago)



Leandro A. Loss

Introduction


Benefits of Biometric Authentication:


Convenience (e.g. recall password, keep cards)


Security (e.g. cracked password, stolen cards)



Introduces different security weaknesses:



Objective: Identify security weak points, keeping in
mind the security versus convenience trade-off

Pattern Recognition Model

[Figure: Sensor, Template Extractor, Matcher, Application, Enrollment, Template Database]



11 basic points of attack that plague biometric authentication systems

Attacking Biometric Identifiers


Coercive attack

The true biometric is presented but in an unauthorized
manner;

Impersonation attack

An unauthorized individual changes his or her
biometrics to appear like an authorized one;

Replay attack

A recording of true data is presented to the sensor.

Attacking Biometric Identifiers


Coercive Attack Examples



A genuine user is forced by an attacker to identify him
or herself to an authentication system;


The system should detect coercion instances reliably without
endangering lives (stress analysis, guards, video recording).



The correct biometric is presented after physical
removal from the rightful owner;


The system should detect “liveness” (movements of iris,
electrical activity, temperature, pulse in fingers).


Attacking Biometric Identifiers


Impersonation Attack Examples



Involves changing one’s appearance so that the
measured biometric matches an authorized person;


Voice and face are the most easily attacked;


Fake fingerprints or even fingers have been reported.



Changes one’s appearance to cause a false negative
error in screening systems;


disguises or plastic surgeries;



Combination of multiple biometrics makes replications
more difficult, especially when synchronization is analyzed
(works well for the first case);



No defense suggestions for the second case;

Attacking Biometric Identifiers



Replay Attack Examples


Re-presentation of previously recorded biometric
information (tape or picture);


Prompt random text to be read;


Detect tri-dimensionality or require change of expression.

Front-end attacks

[Figure: Sensor, Template Extractor, Matcher, Application, with attack points A, B, C and D marked]

(A) Replay attack

A recording of true data is transmitted to Extractor;

(A) Electronic Impersonation

Injection of an image created artificially from
extracted features;

(B) Trojan Horse

Extracted features are replaced;

(C) Communication

Attacks during transmission to remote matcher;

(D) Trojan Horse

Match decision is manipulated.

Front-end attacks

(A) Channel between sensor and biometric system


Replay Attacks:



circumventing the sensor by injecting recorded signal in the
system input (easier than attacking the sensor);



digital encryption and time-stamping can protect against
these attacks.


Electronic Impersonation Attacks:



Injection of an image created artificially from extracted
features;



e.g. An image of an artificial fingerprint created from
minutia captured from a card;



No defense suggested.

Front-end attacks

(B) Template Extractor


Trojan Horse Attacks:



The features are replaced after being extracted (assuming the
representation is known);



The extractor would produce a pre-selected feature set at
some given time or under some condition;



No defense suggested.

Front-end attacks

(C) Transmissions between Extractor and Matcher


Communication Attacks:



Especially dangerous in remote matchers;



No defense suggested.

Front-end attacks

(D) Matcher


Trojan Horse Attacks:



Manipulations of match decision;



e.g. A hacker could replace the biometric library on a computer
with a library that always declares a true match for a particular
person;



No defense suggested.

Circumvention


Collusion

Use of and/or agreement with “super-users”;

Covert Acquisition

Biometric stolen without the user's knowledge, but
just parametric data used;

Denial

An authentic user is denied by the system;

“Overriding of the matcher’s output”

Circumvention

Collusion




Some operators have super-user status, which allows them to
bypass the authentication process;

Attackers can gain super-user status by:

- Stealing this status;

- Agreement with operator;

Circumvention

Covert Acquisition




Biometric stolen without the user's knowledge;



Only the parametric data is used to override matcher (so
different from impersonation);

Circumvention

Denial




An authentic user identifies him or herself to the system but is
denied such an access (a False Rejection is evoked);



Not considered fraud because no unauthorized access
was granted;



But it disrupts the functioning of the system.

Back-end attacks

[Figure: Sensor, Template Extractor, Matcher, Application, Enrollment, Template Database, with attack points A, B, C, D and E marked]

(A) All seen so far

Enrollment has all the stages above;

(B) Communication Attack

Attacks during transmission between matcher and
central or distributed database;

(C) Communication Attack

Attacks during transmission from enrollment stage
to central or distributed database;

(D) Viruses, Trojans,...

(E) Hacker’s Attack

Modification or deletion of registers and gathering of information;

Back-end attacks

(A) Enrollment Attacks









Same vulnerable points of the others;




With collusion between the hacker and the supervisor of the
enrollment center, it is easy to enroll a created or stolen
identity;




Enrollment needs to be more secure than authentication and
is best done under trusted and competent supervision.


Back-end attacks

(B) Transmissions between Matcher and Database


Communication Attacks:



Remote central or distributed databases;



Information is attacked before it reaches the matcher.

Back-end attacks

(C) Transmissions between Enrollment and Database


Communication Attacks:



Remote central or distributed databases;



Information is attacked before it reaches the database.

Back-end attacks

(D) Attacks to the Application


Back-end attacks

(E) Attacks to the Database




Hacker’s Attack



Modification or deletion of registers:



Legitimization of an unauthorized person;



Denial of authorized person;



Removal of a known “wanted” person from screening list.




Privacy Attacks:



Access to confidential information;



Level of security of different systems;



Passwords x Biometrics.

Other attacks



Password systems are vulnerable to brute force attacks;



The number of characters is proportional to the bit-strength
of password;

Biometrics: equivalent notion of bit-strength, called
intrinsic error rate (chapter 14);

Other attacks



Hill Climbing:


Repeatedly submit biometric data to an algorithm with
slight differences, and preserve modifications that result
in an improved score;


Can be prevented by



Limiting the number of trials;



Giving out only yes/no matches.
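
The two defences listed above, run against a toy matcher in an added example (not part of the original slides): the search succeeds when the matcher returns its raw score, and gets nowhere against a wrapper that answers only yes/no and locks after repeated failures. The template values, threshold, trial limit and all names are constructed assumptions.

```python
# Constructed data: a 16-value feature vector stands in for an enrolled template.
TEMPLATE = [12, 200, 45, 90, 160, 33, 250, 71, 8, 140, 99, 180, 60, 220, 15, 130]
THRESHOLD = 0.95  # similarity required for a match (assumed value)

def score(probe):
    """Similarity in [0, 1]; 1.0 means identical to the template."""
    diff = sum(abs(p - t) for p, t in zip(probe, TEMPLATE))
    return 1.0 - diff / (255 * len(TEMPLATE))

class Gate:
    """Matcher front end: yes/no answers only, and a cap on failed trials."""
    def __init__(self, max_failures=5):
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, probe):
        if self.failures >= self.max_failures:
            raise PermissionError("locked: too many failed trials")
        ok = score(probe) >= THRESHOLD
        self.failures = 0 if ok else self.failures + 1
        return ok

def hill_climb(oracle, rounds=50, step=8):
    """Keep a modification only when the oracle's answer improves.
    Returns (matched, trials_used)."""
    probe = [128] * len(TEMPLATE)
    trials = 0
    try:
        best = oracle(probe)
        trials += 1
        for n in range(rounds * len(probe)):
            i = n % len(probe)
            for delta in (step, -step):
                cand = list(probe)
                cand[i] = min(255, max(0, cand[i] + delta))
                result = oracle(cand)
                trials += 1
                if result > best:
                    probe, best = cand, result
                    break
            if score(probe) >= THRESHOLD:  # demo bookkeeping, not attacker knowledge
                return True, trials
    except PermissionError:
        pass
    return False, trials
```

`hill_climb(score)` reaches a match, while `hill_climb(Gate().verify)` stops after five trials with no progress, because a yes/no answer gives the search nothing to climb.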


Other attacks



Swamping:


Similar to brute force attack, exploiting weakness in the
algorithm to obtain a match for incorrect data.


E.g. Fingerprints:


Submit a print with hundreds of minutiae in the hope
that at least the threshold number of them will match the
stored template;


Can be prevented by normalizing the number of
minutiae.
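
An added example (not from the original slides) of why a raw match count is swampable and how normalization closes the gap. Dividing by the larger of the two minutiae counts is one assumed way to normalize; the tolerance, thresholds and all data are constructed.

```python
import math

TOLERANCE = 6     # max distance in pixels for two minutiae to pair (assumed)
MIN_PAIRS = 12    # raw-count threshold of the naive matcher (assumed)
MIN_RATIO = 0.6   # threshold of the normalized matcher (assumed)

def paired(probe, template):
    """Greedy one-to-one pairing; returns the number of template minutiae paired."""
    used, count = set(), 0
    for tx, ty in template:
        for j, (px, py) in enumerate(probe):
            if j not in used and math.hypot(px - tx, py - ty) <= TOLERANCE:
                used.add(j)
                count += 1
                break
    return count

def naive_match(probe, template):
    """Vulnerable: only asks whether enough minutiae paired up."""
    return paired(probe, template) >= MIN_PAIRS

def normalized_match(probe, template):
    """Normalized: every unpaired probe minutia lowers the score."""
    return paired(probe, template) / max(len(probe), len(template)) >= MIN_RATIO

# Constructed data: 20 well-separated template minutiae in a 200 x 200 image.
TEMPLATE = [(20 + 40 * c + (7 * r) % 11, 20 + 40 * r + (5 * c) % 9)
            for r in range(4) for c in range(5)]
# Genuine probe: small jitter, two minutiae missed, one spurious point.
GENUINE = [(x + 1, y - 2) for x, y in TEMPLATE[2:]] + [(100, 190)]
# Swamped probe: a dense grid, so some point lies near every template minutia.
SWAMPED = [(x, y) for x in range(0, 201, 8) for y in range(0, 201, 8)]
```

The 676-point grid pairs with all 20 template minutiae and passes `naive_match`, but scores 20/676 under `normalized_match` and is rejected, while the genuine probe passes both.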


Other attacks



Piggy-back:


An unauthorized user gains access through simultaneous
entry with a legitimate user (coercion, tailgating).



Other attacks



Illegitimate enrollment:


Somehow an attacker is enrolled (collusion, forgery).


Combining Smartcards and
Biometrics

Biometrics: reliable authentication;

Smartcards: store biometrics and other data;


Suggestion: valid enrolled biometrics + valid card;


Benefits:



Authentication is done locally: cuts down on communication
with database;

The information never leaves the card: secure by design;



Attacks occur locally and are treated locally;



Keeps privacy;

Challenge-Response Protocol

Dynamic authentication: prevents mainly Replay Attacks;

The system issues a challenge to the user, who must respond
appropriately (prompted text increases the difficulty of
recorded biometrics’ use);


It will demand more sophisticated attacks and block the casual
ones;


Extension:

E.g. Number projected in the retina, that must be typed.
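
An added example (not from the original slides) that applies the same idea to the sensor-to-extractor channel: it combines the time-stamping defence named under front-end attack (A) with a machine-level challenge and response. It uses an HMAC tag for integrity in place of the encryption the slide mentions; the shared key, the 2-second window and all names are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_AGE = 2.0  # seconds a frame stays acceptable (assumed value)

def tag(key, nonce, stamp, sample):
    """HMAC over challenge, millisecond timestamp and sample bytes."""
    msg = nonce + int(stamp * 1000).to_bytes(8, "big") + sample
    return hmac.new(key, msg, hashlib.sha256).digest()

def sensor_frame(key, nonce, sample, now=None):
    """Sensor side: bind the fresh sample to the challenge and the clock."""
    stamp = time.time() if now is None else now
    return (nonce, stamp, sample, tag(key, nonce, stamp, sample))

class Verifier:
    """Extractor side: accepts each challenge once, and only while fresh."""
    def __init__(self, key):
        self.key = key
        self.pending = set()  # challenges issued and not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, frame, now=None):
        nonce, stamp, sample, mac = frame
        now = time.time() if now is None else now
        if not hmac.compare_digest(mac, tag(self.key, nonce, stamp, sample)):
            return "bad-tag"
        if abs(now - stamp) > MAX_AGE:
            return "stale"
        if nonce not in self.pending:
            return "replayed"
        self.pending.discard(nonce)
        return "ok"
```

A recorded frame fails on re-injection either way: within the window its challenge has already been consumed, and after the window its timestamp is stale.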

Cancellable Biometrics

Once a biometric identifier is somehow compromised, the identifier is
compromised forever;


Privacy:




A hacked system can give out user’s information (medical history
and susceptibility);


Proscription:


Biometric information should not be used for any other purpose than
its intended use;


Concerns

1. Not an extra bit of information should be collected;

2. Data integrity and data confidentiality are two important issues;

3. Cross-matching: matching against law enforcement databases;

4. Biometric cannot change (issue a new credit card number, etc).

Cancellable Biometrics

Cancellable biometrics is a technique that alleviates some of these concerns.

Biometrics are distorted by some non-invertible transform.


If one representation is compromised, another one can be generated.


Signal domain distortions:


Distortion of the raw biometric signal:


Morphed fingerprint;


Split voice signal and scramble pieces;




Feature domain distortions:


Distortion of preprocessed biometric signal (template):


Fingerprint minutiae (S = {(x_i, y_i, θ_i); i = 1, …, M});

[Figure labels: x1, x2, x3; X1, X2, X3]

Cancellable Biometrics

Relation to compression and encryption




Signal Compression:


the signal temporarily loses its characteristics;



Encryption:


Secure transmission: signal is restored after it;


Cancellable Biometrics:


Signal definitively loses its characteristics;


It’s desirable that the distorted signal is impossible to be restored.
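
An added, simplified illustration (not from the original slides) of a feature-domain distortion of the minutiae set S = {(x_i, y_i, θ_i)} described earlier: a key-derived, many-to-one remapping of image cells. The grid size, the HMAC-based mapping and all names are assumptions, and matching accuracy is not addressed.

```python
import hashlib
import hmac

GRID = 8    # image is split into GRID x GRID cells (assumed)
CELL = 32   # cell side in pixels, i.e. a 256 x 256 image (assumed)

def cell_map(key, cell):
    """Key-derived destination cell and angle offset for one source cell."""
    d = hmac.new(key, cell.to_bytes(2, "big"), hashlib.sha256).digest()
    return d[0] % (GRID * GRID), int.from_bytes(d[1:3], "big") % 360

def transform(minutiae, key):
    """Distort S = {(x_i, y_i, theta_i)} with the key-derived cell mapping."""
    out = []
    for x, y, theta in minutiae:
        dst, rot = cell_map(key, (y // CELL) * GRID + x // CELL)
        out.append(((dst % GRID) * CELL + x % CELL,
                    (dst // GRID) * CELL + y % CELL,
                    (theta + rot) % 360))
    return sorted(out)

def merged_cells(key):
    """Source cells minus distinct destinations. Above zero, several cells
    share a destination, so the mapping cannot be uniquely undone."""
    images = [cell_map(key, c)[0] for c in range(GRID * GRID)]
    return len(images) - len(set(images))

# Constructed sample: five minutiae (x, y, theta in degrees).
S = [(40, 52, 30), (120, 200, 145), (201, 33, 270), (77, 140, 90), (230, 230, 10)]
```

Enrolling with one key and re-enrolling with another yields two unrelated stored templates from the same finger, which is what lets a compromised representation be cancelled and reissued.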

Questions?