Biometrics


Nov 29, 2013

1
Biometrics
Xiaojun Qi
2
Definition of Biometrics
• The techniques for automatically identifying
an individual based on his unique physical or
behavioral characteristics are called
biometrics.
• They are the future of identification!
3
Types of Biometrics
• There is a variety of different biometrics:
– Fingerprints
– Face
– Iris
– Voice
– Signature geometry (not just the look of the signature,
but the pen pressure, signature speed, etc.)
– Hand geometry
– DNA
– Keystroke dynamics (i.e., typing patterns)
• The technologies are different. Some are more
reliable, and they’ll all improve with time.
4
Why Biometrics?
• Biometrics are seductive!
– Your voiceprint unlocks the door of your house.
– Your iris scan lets you into the corporate
offices.
– You are your own key.
• Unfortunately, the reality is not that simple!
5
Biometrics Database
• In order to be useful, biometrics must be
stored in a database.
– Alice's voice biometric works only if you
recognize her voice; it won't help if she is a
stranger.
– You can verify a signature only if you
recognize it.
– Banks keep signature cards. Alice signs her
name on a card when she opens the account,
and the bank can verify Alice's signature
against the stored signature to ensure that the
check was signed by Alice.
6
Good Properties of Biometrics
• Biometrics are hard to forge: it's hard to
put a false fingerprint on your finger, or
make your iris look like someone else's.
• Some people can mimic others' voices,
and Hollywood can make people's faces
look like someone else, but these are
specialized or expensive skills.
• When you see someone sign his name,
you generally know it is he and not
someone else.
7
Biometrics: Abuses
• On the other hand, some biometrics are easy to
steal.
• Imagine a remote system that uses face
recognition as a biometric.
– In order to gain authorization, take a Polaroid picture
of yourself and mail it in. Later, we’ll compare the
picture with the one we have on file.
• What are the attacks here?
– Take a Polaroid picture of Alice when she's not
looking. Then, at some later date, mail it in and fool
the system. The attack works because while it is hard
to make your face look like Alice's, it's easy to get a
picture of Alice's face. And since the system does not
verify when and where the picture was taken--only
that it matches the picture of Alice's face on file--we
can fool it.
8
Biometrics: Abuses (Cont.)
• A keyboard fingerprint reader can be
similar.
– If the verification takes place across a
network, the system may be insecure.
– An attacker won't try to forge Alice's real
thumb, but will instead try to inject her digital
thumbprint into the communications.
9
Biometrics: Uses and Vulnerability
• The moral is that biometrics work well only
if the verifier can verify two things:
– The biometric came from the person at the
time of verification.
– The biometric matches the master biometric
on file.
• If the system can't do that, it can't work.
• Biometrics are unique identifiers, but they
are not secrets. You leave your
fingerprints on everything you touch, and
your iris patterns can be observed
anywhere you look.
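
An added example (not part of the original slides) of the two checks above, applied to the networked fingerprint reader from the previous slide: the verifier issues a one-time challenge, the reader binds its capture to it, and a replayed thumbprint is rejected. Assumptions: the reader is a trusted device sharing a key with the verifier, templates are fixed-length bit strings compared by Hamming distance, and all names and thresholds are illustrative.

```python
import hashlib
import hmac
import secrets
import time

MATCH_THRESHOLD = 0.25  # assumed: max fraction of differing bits for a match
NONCE_TTL = 30.0        # assumed: seconds a challenge stays valid

def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def reader_respond(reader_key, nonce, sample):
    """Trusted reader binds its fresh capture to the verifier's nonce."""
    return hmac.new(reader_key, nonce + sample, hashlib.sha256).digest()

class Verifier:
    def __init__(self, reader_key, master):
        self.reader_key, self.master = reader_key, master
        self.pending = {}  # nonce -> time issued

    def challenge(self, now=None):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce, sample, tag, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)  # each challenge is single-use
        if issued is None or now - issued > NONCE_TTL:
            return "rejected: stale or unknown challenge"
        expected = reader_respond(self.reader_key, nonce, sample)
        if not hmac.compare_digest(expected, tag):
            return "rejected: sample not bound to this challenge"
        if (len(sample) != len(self.master)
                or hamming_fraction(sample, self.master) > MATCH_THRESHOLD):
            return "rejected: no match with master on file"
        return "accepted"

def demo():
    key, master = secrets.token_bytes(32), bytes(range(32))  # constructed values
    live = bytes([master[0] ^ 0x03]) + master[1:]  # fresh capture, 2 bits off
    v = Verifier(key, master)
    n1 = v.challenge()
    tag = reader_respond(key, n1, live)
    first = v.verify(n1, live, tag)                # genuine, fresh
    replayed = v.verify(n1, live, tag)             # same message sent again
    injected = v.verify(v.challenge(), live, tag)  # old capture, new challenge
    return first, replayed, injected
```

The nonce only proves that the reader's message is fresh; that the sample came from the person in front of the reader still depends on the reader itself being trustworthy.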
10
Biometrics: Uses and Vulnerability
(Cont.)
• Biometrics also don't handle failure well.
– Imagine that Alice is using her thumbprint as
a biometric, and someone steals the digital
file.
– Now what? This isn't a digital certificate,
where some trusted third party can issue her
another one.
– This is her thumb. She has only two. Once
someone steals your biometric, it remains
stolen for life; there's no getting back to a
secure situation.
11
Biometrics: Uses and Vulnerability
(Cont.)
• Biometrics are powerful and useful, but they are
not keys.
• They are not useful when you need the
characteristics of a key: secrecy, randomness,
the ability to update or destroy.
• They are useful as a replacement for a PIN, or a
replacement for a signature (which is also a
biometric).
• They can sometimes be used as passwords: a
user can't choose a weak biometric in the same
way they choose a weak password.
12
Biometrics: Uses and Vulnerability
(Cont.)
• Biometrics are useful in situations where
the connection from the reader to the
verifier is secure: a biometric unlocks a
key stored locally on a PCMCIA card, or
unlocks a key used to secure a hard drive.
In those cases, all you really need is a
unique hard-to-forge identifier.
• But always keep in mind that biometrics
are not secrets.
13
Biometrics: Guideline
• Biometrics are necessarily common
across different functions.
– Just as you should never use the same
password on two different systems, the same
encryption key should not be used for two
different applications.
– If my fingerprint is used to start my car, unlock
my medical records, and read my electronic
mail, then it's not hard to imagine some very
insecure situations arising.
14
Police Video Cameras Taped
Football Fans
• As each person passed through the four main
stadium gates, a camera captured dozens of
images, which were fed into computers. The
computers compared the portraits against a
database assembled from law enforcement
agency files by a Massachusetts company,
Viisage Technology Inc., which markets the
software.
• The digitized images were constructed using
128 facial characteristics -- everything from the
width of a nose to the angle of a cheekbone.
15
Police Video Cameras Taped
Football Fans
(Cont.)
• The courts have ruled that there is no
expectation of privacy in a public setting.
• The vast majority of the public
welcome anything they can utilize to make
their visit safer and do a preemptive strike
on crime.
16
Comparative Biometric
Testing and Evaluation
• http://www.biometricgroup.com/reports/public/comparative_biometric_testing.html
• To assess the real-world performance of leading
biometrics technologies, and to provide deployers,
technology firms, and government agencies with
objective information on biometrics system
capabilities, IBG (International Biometric Group) has
conducted independent, scenario-based
Comparative Biometric Testing since 1999.
• Past and present test sponsors include Honeywell,
Microsoft, American Airlines, Lockheed Martin, EDS,
Fidelity Investments, Star Systems, and the
Financial Services Technology Consortium.
17
References
• D. G. Dupont. SEEN BEFORE: To guard against
terrorism, the Pentagon looks to image-recognition
technology. Scientific American, December 1999.
• S. Pankanti, R. M. Bolle, and A. Jain. Biometrics:
the future of identification. IEEE Computer Special
Issue on Biometrics. Vol. 33 No. 2, February 1999.
• P. J. Phillips, A. Martin, C. L. Wilson, and M.
Przybocki. An introduction to evaluating biometric
systems. IEEE Computer Special Issue on
Biometrics. Vol. 33 No. 2, February 1999.
(See also Facial Recognition Vendor Test 2000, at
http://www.frvt.org//DLs/FRVT_2000.pdf)
18
References
• Washington Post: 2/1/01 Police Video Cameras
Taped Football Fans
http://www.washingtonpost.com/ac2/wp-dyn/A9757-2001Jan31?language=printer
• Your Face Is Not a Bar Code: Arguments
Against Automatic Face Recognition in Public
Places, P. Agre, 7 September 2001.
• Bruce Schneier, Biometrics: Uses and abuses,
Inside Risks 110 CACM 42, 8, August 1999.
http://www.csl.sri.com/neumann/insiderisks.html
• A. Ross and A. Jain. Information fusion in
biometrics. Pattern Recognition Letters. Vol. 24,
pp. 2115-2125, 2003.