Privacy and Security

dashingincestuousSecurity

Feb 22, 2014

IDTrust 2011: Privacy and Security Research Challenges for Biometric Authentication



Moderator: Elaine Newton, PhD

NIST

elaine.newton@nist.gov


A Generic Biometric System

Image from: Newton, Elaine. Biometrics and Surveillance: Identification, De-Identification, and Strategies for Protection of Personal Data. PhD Dissertation, Carnegie Mellon University, Dept. of Engineering and Public Policy, ProQuest UMI, May 2009.


Notional Histogram of Genuines (Blue) and Imposters (Red)

[Figure: two overlapping histograms of similarity scores (x-axis: Similarity Scores, y-axis: Frequency); the genuine scores falling below the threshold are labelled False Non-Matches, the imposter scores above it False Matches]


NIST Biometric Testing

Fingerprint
- Ongoing Proprietary Fingerprint Test (PFTII) and MINEX (MINutiae EXchange) testing using various databases of 120K+ subjects
- Software development kit (SDK)-based testing

Face
- Data from grand challenges and vendor tests
- DOS Database of 37K subjects
- Algorithm-based testing

Iris
- Data from grand challenges and vendor tests
- Algorithm-based testing

Authentication Use Case Comparison

For law enforcement, immigration, etc.:
- Enrollment and subsequent recognition attempts: highly controlled; supervised / attended
- Successful recognition answers the question, "Has this person been previously encountered?"
- Is a unique pattern

For online transactions, e.g. banking, health, etc.:
- Enrollment: less controlled; probably not in person
- Subsequent recognition attempts: unattended
- Successful recognition answers the question, "How confident am I that this is the actual claimant?"
- Is a tamper-proof rendering of a distinctive pattern


Passwords v. Biometric Data

- P: Known only to the end-user
  B: Potentially known by anyone who can encounter the individual in person or virtually

- P: Can be (easily) changed if compromised and periodically renewed to mitigate risk; can be lengthened to increase security
  B: A pattern with some degree of robustness over time that can be used to distinguish individuals

- P: Many possibilities for users to choose different credentials for different domains, which could be randomly generated or otherwise have no personally identifying information
  B: A presentation of the same biometrics for any application, and many can be used for identification

- P: Deterministic
  B: Probabilistic


Biometric Security Issues

Figure by Nalini Ratha, IBM

Thank you


And now for our panel:

Ross Micheals, PhD

Terry Boult, PhD

Stephanie Schuckers, PhD