The Biometric Dilemma

Feb 22, 2014 (3 years and 5 months ago)

SECURE COMPUTING

July 2002

R. Smith - Biometric Dilemma

The Biometric Dilemma

Rick Smith, Ph.D., CISSP

rick_smith@securecomputing.com

28 October 2001


Outline


Biometrics: Why, How, How Strong

Attacks, FAR, FRR, Resisting trial-and-error

Server-based Biometrics

Attacking a biometric server

Digital spoofing, privacy intrusion, latent print reactivation

Token-based Biometrics

Physical spoofing

Voluntary and involuntary spoofing

Summary


Biometrics: Why?


Eliminate memorization




Users don’t have to memorize features of their voice, face,
eyes, or fingerprints


Eliminate misplaced tokens




Users won’t forget to bring fingerprints to work


Can’t be delegated




Users can’t lend fingers or faces to someone else


Often unique




Save money and maintain database integrity by eliminating
duplicate enrollments


The Dilemma

They always look stronger and easier to use
than they are in practice



Enrollment is difficult


Easy enrollment = unreliable authentication


Measures to prevent digital spoofing make even more work for
administrators, almost a “double enrollment” process



Physical spoofing is easier than we’d like


Recent examples with fingerprint scanners, face scanners


Biometrics: How?

Measure a physical trait



The user’s fingerprint,
hand, eye, face

Measure user behavior



The user’s voice, written
signature, or keystrokes

From Authentication © 2002. Used by permission


Biometrics: How Strong?

Three types of attacks


Trial-and-error attack


Classic way of measuring biometric strength


Digital spoofing


Transmit a digital pattern that mimics that of a legitimate
user’s biometric signature


Similar to password sniffing and replay


Biometrics can’t prevent such attacks by themselves


Physical spoofing


Present a biometric sensor with an image that mimics the
appearance of a legitimate user


Biometric Trial-and-Error

How many trials are needed to achieve a 50-50
chance of producing a matching reading?

Typical objective: 1 in 1,000,000

2^19

Some systems achieve this, but most aren’t
that accurate in practical settings

Team-based attack

A group of individuals take turns pretending to be a legitimate
user (5 people X 10 fingers = 50 fingers)


Passwords: A Baseline



Example                            Type of Attack            Average Attack Space
Random 8-character Unix password   Interactive or Off-Line   2^45
Dictionary Attack                  Interactive or Off-Line   2^15 to 2^23
Mouse Pad Search                   Interactive               2^1 to 2^4
Worst Case                                                   2^1




Biometric Authentication


Compares user’s signature to previously established pattern built from that trait

“Biometric pattern” file instead of password file

Matching is always approximate, never exact


Pattern Matching

We compare how closely a signature matches
one user’s pattern versus another’s pattern


Matching Self vs. Others




Matching in Practice

FAR = recognized Bob instead; FRR = doesn’t recognize me


Measurement Trade-Offs

We must balance the FAR and the FRR

Lower FAR = Fewer successful attacks

Less tolerant of close matches by attackers

Also less tolerant of authentic matches

Therefore increases the FRR

Lower FRR = Easier to use

Recognizes a legitimate user the first time

More tolerant of poor matches

Also more tolerant of matches by attackers

Therefore increases the FAR

Equal error rate = point where FAR = FRR


Trial and Error in Practice



Example                             Type of Attack   Average Attack Space
Biometric with 1% FAR               Team             2^6
Biometric with 0.01% FAR            Team             2^12
Biometric with “One in a million”   Team             2^19




Higher security means more mistakes


When we reduce the FAR, we increase the FRR


More picky about signatures from legitimate users, too
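
The FAR/FRR trade-off and the attack-space figures in the table above, worked through as an added example (not from the original slides). The match scores are constructed, and the formula log2(1 / (2 x FAR)) is an assumption, chosen because it reproduces the three values in the table.

```python
import math

# Constructed match scores (0-100, higher = closer to the enrolled pattern).
GENUINE = [62, 70, 74, 78, 81, 83, 85, 88, 90, 93]   # the enrolled user
IMPOSTOR = [20, 28, 35, 41, 47, 52, 58, 64, 71, 76]  # other people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which FAR and FRR are closest (the EER point)."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    return min(range(0, 101), key=gap)


def attack_space_bits(far):
    """Average attack space in bits, assuming trials = 1 / (2 * FAR)."""
    if far <= 0:
        return math.inf   # no false accepts observed in this sample
    return math.log2(1 / (2 * far))


def sweep(thresholds):
    """Rows of (threshold, FAR, FRR, attack-space bits) for a report."""
    rows = []
    for t in thresholds:
        far, frr = rates(t)
        rows.append((t, far, frr, attack_space_bits(far)))
    return rows


if __name__ == "__main__":
    for t, far, frr, bits in sweep(range(55, 85, 5)):
        print(f"threshold {t}: FAR {far:.0%}  FRR {frr:.0%}  attack space 2^{bits:.1f}")
    print("equal error threshold:", equal_error_threshold())
    for far in (0.01, 0.0001, 1e-6):   # the three rows of the slide's table
        print(f"FAR {far:g}: 2^{round(attack_space_bits(far))}")
```

Raising the threshold moves every row toward lower FAR and higher FRR, which is the trade-off the slide describes.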


Biometric Enrollment


How it works


User provides one or more biometric readings


The system converts each reading into a signature


The system constructs the pattern from those signatures


Problems with biometric enrollment


It’s hard to reliably “pre-enroll” users


Users must provide biometric readings interactively


Accuracy is time consuming


Take trial readings, build tentative patterns, try them out


Take more readings to refine patterns


Higher accuracy requires more trial readings


Compare with Password or
Token Enrollment


Modern systems allow users to self-enroll


User enters some personal authentication information


Establish a user name


Establish a password: system generated or user chosen


Establish a token: enter its serial number


Password enrollment is comparatively simple


Tokens require a database associating serial
numbers with individual authentication tokens


Database is generated by token’s manufacturer


Enrollment system uses it to establish user account


Token’s PIN is managed by the end user


Biometric Privacy


The biometric pattern acts like a password

But biometrics are not secrets



Each user leaves artifacts of her voice,
fingerprints, and appearance wherever she
goes


Users can’t change biometrics if someone
makes a copy


We can trace people by following their
biometrics as they’re saved in databases


Server-based biometrics


Boring but important


Some biometric systems require servers


When you need a central repository


Identification systems (FBI’s AFIS)


Uniqueness systems (community social service orgs)


Attacking Server Biometrics




Attacks on Server Traffic


Attack on privacy of a user’s biometrics


Defense = encryption while traversing the network


Attack by spoofing a digital biometric reading


Defense = authenticating legitimate biometric readers

Both solutions rely on trusted biometric readers


Trusted Biometric Reader


Blocks either type of attack on server traffic


Security objective: reliable data collection

Must embed a cryptographic secret in every
trusted reader

Increased development cost

Increased administrative cost: administrators must keep the
reader’s keys safe and up-to-date

Must enroll both users and trusted readers

“Double enrollment”

Database of device keys from biometric vendor

One device per workstation is often like one per user

Standard tokens are traditionally lower-cost devices
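
How a server can check that a reading came from an enrolled reader and is not a replay, as an added example (not from the original slides). The HMAC-SHA-256 challenge-response, the class names and the sample bytes are assumptions; it covers reader authentication only, not encryption of the reading or the biometric match itself.

```python
import hashlib
import hmac
import secrets


def _tag(key, reader_id, nonce, reading):
    """MAC over the reader identity, the server's nonce and the reading."""
    msg = reader_id.encode() + b"\x00" + nonce + reading
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedReader:
    """Reader holding the secret embedded at manufacture (hypothetical)."""

    def __init__(self, reader_id, key):
        self.reader_id, self._key = reader_id, key

    def submit(self, nonce, reading):
        return self.reader_id, reading, _tag(self._key, self.reader_id, nonce, reading)


class Server:
    """Holds the device-key database: the second, per-reader enrollment."""

    def __init__(self):
        self._device_keys = {}   # reader_id -> key supplied by the vendor
        self._pending = {}       # reader_id -> nonce not yet answered

    def enroll_reader(self, reader_id, key):
        self._device_keys[reader_id] = key

    def challenge(self, reader_id):
        nonce = secrets.token_bytes(16)
        self._pending[reader_id] = nonce
        return nonce

    def accept(self, reader_id, reading, tag):
        key = self._device_keys.get(reader_id)
        nonce = self._pending.pop(reader_id, None)   # each nonce is single use
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(tag, _tag(key, reader_id, nonce, reading))
```

A captured (reader, reading, tag) triple fails against any later nonce, and a reader whose key is missing from the device-key database is refused, which is why every reader has to be enrolled alongside every user.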


Another Server Attack


Experiments in the US and Germany


Willis and Lee of Network Computing Labs, 1998

Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998

Thalheim, Krissler, and Ziegler, 2002

Reported in “Body Check,” C’T (Germany)

http://www.heise.de/ct/english/02/11/114/

Attack on “capacitive” fingerprint sensors

Measures change in capacitance due to presence or absence of
material with skin-like response

65Kb sensor collects ~20 minutiae from fingerprint

Traditional techniques use 10-12 for identification


Attack exploits the fatty oils left over from the last
user logon


Latent Finger Reactivation


Three techniques


Oil vs. non-oil regions return difference as humidity increases

1. Breathe on the sensor (Thalheim, et al)

You can watch the print reappear as a biometric image

Works occasionally

2. Use a thin-walled plastic bag of warm water

More effective, but not 100%

Works occasionally even when system is set to maximum sensitivity

3. Dust with graphite (Willis et al; Thalheim et al)

Attach clear tape to the dust

Press down on the sensor

Most reliable technique: almost 100% success rate (Thalheim)


This Shouldn’t Work


According to Siemens, vendor of the “ID Mouse” used in those examples

Authentication procedure remembers the last fingerprint used

System rejects a match that’s “too close” to the last reading
as well as a match that’s “too far” from the pattern

Observations

1. Defense didn’t work in these experiments

2. Tape can be repositioned to create a ‘different’ reading

3. Hard to track through multiple biometric readers

Assume the user logs in at multiple locations over time

Then the latent image on some reader is not the most
recent one accepted for login
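
The “too close / too far” check and observation 3, modelled as an added example (not from the original slides and not Siemens's implementation). The feature vectors, distances and thresholds are constructed, and the `per_reader` switch is a hypothetical design choice.

```python
import math

TOO_FAR = 4.0     # farther than this from the enrolled pattern: not the user
TOO_CLOSE = 0.5   # nearer than this to a remembered reading: likely a replay


class Matcher:
    """Two-sided match check that remembers previously accepted readings."""

    def __init__(self, pattern, per_reader):
        self.pattern = pattern
        self.per_reader = per_reader   # False: one "last reading" per user
        self.last = {}                 # slot -> last accepted reading

    def login(self, reader_id, reading):
        if math.dist(reading, self.pattern) > TOO_FAR:
            return "reject: too far"
        slot = reader_id if self.per_reader else "user"
        previous = self.last.get(slot)
        if previous is not None and math.dist(reading, previous) < TOO_CLOSE:
            return "reject: too close"
        self.last[slot] = reading
        return "accept"


# Constructed data: enrolled pattern and two genuine readings.
PATTERN = (10.0, 10.0, 10.0, 10.0)
AT_READER_A = (10.5, 9.8, 10.2, 10.1)
AT_READER_B = (9.4, 10.6, 9.7, 10.3)


def replay_outcome(per_reader):
    """User logs in at A, then at B; the A reading is then presented at A again."""
    m = Matcher(PATTERN, per_reader)
    m.login("A", AT_READER_A)
    m.login("B", AT_READER_B)
    return m.login("A", AT_READER_A)


if __name__ == "__main__":
    print("one last reading per user:   ", replay_outcome(per_reader=False))
    print("last reading kept per reader:", replay_outcome(per_reader=True))
```

Keeping the comparison history per reader addresses only observation 3; a reading that differs slightly from the remembered one (observation 2) still falls outside the too-close window.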


What about “Active”
Biometric Authentication?


Some (Dorothy Denning) suggest the use of biometrics
in which the pattern incorporates “dynamic”
information uniquely associated with the user


Possible techniques


Require any sort of non-static input that matches the built-in pattern


Moving the finger around on the fingerprint reader


Challenge response that demands an unpredictable reply


Voice recognition that demands reciting an unpredictable phrase


Both are vulnerable to a dynamic digital attack based
on a copy of the user’s biometric pattern


Ease of use issue


Requires more complex user behavior, which makes it harder to use
and less reliable


Attacking Active Biometrics

A feasible dynamic attack uses the system’s algorithms
to generate an acceptable signature


Example


Attacker collects enough biometric samples from the victim to build a
plausible copy of victim’s biometric pattern


During login, attacker is prompted for a spoken phrase from the victim


Attack software generates a digital message based on the user’s
biometric pattern


There may be a sequence of timed messages or a single message; it doesn’t matter

If the server can predict what the answer should be,
based on a static biometric pattern, so can the attacker


Token-Based Biometrics

Authenticate with biometric + embedded secret


Token Technology


Resist copying and other attacks by storing the
authentication secret in a tamper-resistant package.


Tokens Resist Trial-and-Error Attacks

Example                    Type of Attack            Average Attack Space
Reusable Passwords         Interactive or Off-Line   2^1 to 2^45
Biometrics                 Team                      2^6 to 2^19
One-Time Password Tokens   Interactive or Off-Line   2^19 to 2^63
Public Key Tokens          Off-Line                  2^63 to 2^116

These numbers assume that the attacker has not managed to steal a token


Biometric Token Operation


The “real” authentication is based on a secret
embedded in the token


The biometric reading simply “unlocks” that
secret


Benefits


User retains control of own biometric pattern


Biometric signatures don’t traverse networks


Problems


Biometric Tokens cost more


Less space and cost for the biometric reader

The biometric serves as a PIN


Attacks on Biometric Tokens


If you can trick the reader, you can probably
trick the token


Digital spoofing shouldn’t work


We’ve eliminated the vulnerable data path


Latent print reactivation (remember?)


Tokens should be able to detect and reject such attacks



Attacks by cloning the biometric artifact


Voluntary cloning (the authorized user is an accomplice)


Involuntary cloning (the authorized user is unaware)


Voluntary finger cloning

1. Select the casting material

Option: softened, free molding plastic (used by Matsumoto)

Option: part of a large, soft wax candle (used by Willis; Thalheim)

2. Push the fingertip into the soft material

3. Let material harden

4. Select the finger cloning material

Option: gelatin (“gummy fingers” used by Matsumoto)

Option: silicone (used by Willis; Thalheim)

5. Pour a layer of cloning material into the mold

6. Let the clone harden

You’re Done!


Matsumoto’s Technique


Only a few dollars’ worth of materials


Making the Actual Clone

You can place the “gummy finger” over your real finger.
Observers aren’t likely to detect it when you use it on a
fingerprint reader. (Matsumoto)


Involuntary Cloning


The stuff of Hollywood: three examples

Sneakers (1992) “My voice is my password”

Never Say Never Again (1983) cloned retina

Charlie’s Angels (2000)

Fingerprints from beer bottles

Eye scan from oom-pah laser


You clone the biometric without victim’s
knowledge or intentional assistance


Bad news: it works!


Cloned Face


More work by Thalheim, Krissler, and Ziegler


Reported in “Body Check,” C’T (Germany)

http://www.heise.de/ct/english/02/11/114/


Show the camera a photograph or video clip
instead of the real face


Video clip required to defeat “dynamic” biometric checks


Photo was taken without the victim’s
assistance (video possible, too)


Face recognition was fooled


Cognitec's FaceVACS-Logon using the recommended Philips's
ToUcam PCVC 740K camera


Matsumoto’s 2nd Technique

Cloning a fingerprint from a latent print

1. Capture clean, complete fingerprint on a glass, CD,
or other smooth, clean surface

2. Pick it up using tape and graphite

3. Scan it into a computer at high resolution

4. Enhance the fingerprint image

5. Etch it onto printed circuit board (PCB) material

6. Use the PCB as a mold for a “gummy finger”


Making a Gummy Finger
from a Latent Print

From Matsumoto, ITU-T Workshop


The Latent Print Dilemma


Tokens tend to be smooth objects of metal or
plastic: materials that hold latent prints well



Can an attacker steal a token, lift the owner’s
latent prints from it, and construct a working
clone of the owner’s fingerprint?


Worse, can an attacker reactivate a latent
image of the biometric from the sensor itself?



Answer: in some cases, YES.


Finger Cloning Effectiveness


Willis and Lee could trick 4 of 6 sensors tested
in 1998 with cloned fingers


Thalheim et al could trick both “capacitive” and
“optical” sensors with cloned fingers


Products from Siemens, Cherry, Eutron, Veridicom


Latent image reactivation only worked on capacitive sensors,
not on optical ones


Matsumoto tested 11 capacitive and optical
sensors


Cloned fingers tricked all of them


Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens,
Secugen, Ethentica


Summary


Traditional FAR and FRR statistics don’t tell the
whole story about biometric vulnerabilities


Networked biometrics require trusted readers
that pose extra administrative headaches


We can build physical clones of biometric
features that spoof biometric readers


Matsumoto needed $10 worth of materials and 40 minutes to
reliably clone a fingerprint


We can often build clones without the
legitimate user’s intentional participation


Thank You!

Questions? Comments?


My e-mail: Rick_Smith@securecomputing.com

http://www.visi.com/crypto


http://www.securecomputing.com