Biometrics - PAC-ITGS

wispsyndicateSecurity

Feb 23, 2014 (3 years and 6 months ago)

102 views

1

Biometrics


What you need to know




What are Biometrics?


Biometrics establish identity by recognising an individual's physiological
characteristics, in particular those
-

such as fingerprints
-

that are innate to the person,
are unique and do not change
over time. Early biometric technologies were based on
manual recording and referencing of data but data collection, analysis and matching is
increasingly automated. Digital biometric schemes centre on pattern recognition
based on acquiring biometric data f
rom an individual, extracting a feature set from the
acquired data, and comparing that set against a template in one or more databases.


In principle any physiological or behavioural characteristic can form the basis of a
biometrics scheme if it satisfies
the following requirements
-


Universality

-

every individual should have the characteristic (eg fingerprints)

Distinctiveness

-

any two individuals should be sufficiently different in terms of the
characteristic

Persistence

-

the characteristic should rem
ain sufficiently unchanged over a life (in
practice, unchanged during adulthood)

Collectability

-

it should be feasible to readily determine and quantify the
characteristic


Outside the laboratory a biometric scheme should satisfy other requirements
-


Acc
eptability

-

individuals should accept use of a specific biometric identifier

Performance

-

encompassing factors such as accuracy, speed (including time
preparing people for encounters with the technology) and the resources required to
achieve the desired
recognition

Scalability
-

the scheme should encompass more than one individual, in some
circumstances involving millions of individuals

Non
-
invasiveness

-

allowing capture of information without damaging an individual's
physical integrity and ideally witho
ut special preparation by/of an individual

Robustness

-

it should accommodate environmental and operational variation (eg the
Technology copes with noise, humidity, individuals whose occupations obscure
particular identifiers)

Cirumvention

-

the scheme sho
uld be similarly resistant to deliberate manipulation
by those seeking to evade or delay recognition (ideally harder to circumvent than
systems that it replaces/supplements).

2

What make up Biometrics?


Biometrics schemes have thus encompassed recognition o
n the basis of fingerprint,
voice, retina and iris, patterns, facial geometry, earlobe patterns, thermal imaging of
body parts (head, torso, hand), gait (walking style), antibody signatures, subcutaneous
bloodvessel patterns, typing/writing style, DNA, blo
od chemistry, heart rhythm and
even body odour.


In practice no biometric measure fully has all the ideal properties
. As discussed
later in this note identifiers change over time (or merely become harder to identify as
people age), not all individuals have

all characteristics, 'acceptability' is in the mind of
the user, some identifiers are not readily captured (or captured with the desired
accuracy) and there are substantial similarities between individuals.



Three uses of biometrics


Biometrics has three

broad uses
-


1.

Verification
, ie confirming another identifier such as a password, PIN or
photograph

2.

Identification
, providing a discrete identifier (or identifiers) that are
independent of what the individual knows/remembers (eg a password) or what
the ind
ividual carries (eg an identity document or card)

3.

Screening
, enabling surveillance and sorting of groups of people (eg finding a
person in a crowd or selecting travellers for detailed examination of passports)


Reliable user authentication is essential. Th
e consequences of insecure authentication
in a banking or corporate environment can be catastrophic, with loss of confidential
information, money, and compromised data integrity. Many applications in everyday
life also require user authentication, includin
g physical access control to offices or
buildings, e
-
commerce, healthcare, immigration and border control, etc.


Currently, the prevailing techniques of user authentication are linked to passwords,
user IDs, identification cards and PINs (personal identifi
cation numbers). These
techniques suffer from several limitations: Passwords and PINs can be guessed, stolen
or illicitly acquired by covert observation.


In addition, there is no way to positively link the usage of the system or service to the
actual user
. A password can be shared, and there is no way for the system to know
who the actual user is. A credit card transaction can only validate the credit card
number and the PIN, not if the transaction is conducted by the rightful owner of the
credit card.


Th
is is where biometrics systems provide a more accurate and reliable user
authentication method


3

Why are biometrics secure?


Unique
: The various biometrics systems have been developed around unique
characteristics of individuals. The probability of 2 peopl
e sharing the same biometric
data is virtually nil.

Cannot be shared
: Because a biometric property is an intrinsic property of an
individual, it is extremely difficult to duplicate or share (you cannot give a copy of
your face or your hand to someone!).

Ca
nnot be copied
: Biometric characteristics are nearly impossible to forge or spoof,
especially with new technologies ensuring that the biometric being identified is from
a live person.

Cannot be lost
: A biometric property of an individual can be lost only i
n case of
serious accident.


4

Biometrics are not the perfect solution to security of data
but they are a start




Julian Ashbourn, author of Practical Biometrics: From Aspiration to
Implementation (Berlin: Springer 2004), comments that



We must be especia
lly wary of attaching too much significance
to the word 'biometrics'. ... Biometrics do not prove that you are
who you say you are. Biometrics will not defeat terrorism.
Biometrics do not enhance privacy. Biometrics will not rid the
world of organised crim
e. Biometrics will not prevent identity
theft. Biometrics will not solve the issue of large scale economic
migration. Biometrics will do none of these things. Intelligently
conceived policies and good government will go a long way to
achieving such worthy
goals, but it is the intelligently conceived
policies and good government which will make the difference


not the biometrics. A biometric is simply a useful aid with
which to facilitate personal identity verification, itself a small
component of a larger
raft of measures and processes which,
together, form an intelligent security, border control and
provision of social services policy. Any single initiative must
stand on its own merits, without using the word 'biometrics' as a
crutch.




Issues with using
Biometrics


Four key issues with the use of biometric systems, three of them are related to the
reliability of the technology and system, whilst the other issue pertains to privacy.
These four issues are as follows:
-




Recognition Errors



Compromised Biomet
ric Data



Vulnerability of the Biometric System to Attack



Invasion of Privacy

5

Recognition errors


There are two basic types of recognition errors: the false accept rate (FAR) and the
false reject rate (FRR). A False Accept is when a nonmatching pair of bio
metric data
is wrongly accepted as a match by the system. A False Reject is when a matching pair
of biometric data is wrongly rejected by the system. The two errors are
complementary: When you try to lower one of the errors by varying the threshold, the
ot
her error rate automatically increases. There is therefore a balance to be found, with
a decision threshold that can be specified to either reduce the risk of FAR, or to
reduce the risk of FRR.


In a biometric authentication system, the relative false acce
pt and false reject rates can
be set by choosing a particular operating point (i.e., a detection threshold). Very low
(close to zero) error rates for both errors (FAR and FRR) at the same time are not
possible. By setting a high threshold, the FAR error ca
n be close to zero, and similarly
by setting a significantly low threshold, the FRR rate can be close to zero. A
meaningful operating point for the threshold is decided based on the application
requirements, and the FAR versus FRR error rates at that opera
ting point may be quite
different. To provide high security, biometric systems operate at a low FAR instead of
the commonly recommended equal error rate (EER) operating point where FAR =
FRR.


Compromised biometric data


Paradoxically, the greatest strengt
h of biometrics is at the same time its greatest
liability. It is the fact that an individual's biometric data does not change over time:
the pattern in your iris, retina or palm vein remain the same throughout your life.
Unfortunately, this means that sho
uld a set of biometric data be compromised, it is
compromised forever. The user only has a limited number of biometric features (one
face, two hands, ten fingers, two eyes). For authentication systems based on physical
tokens such as keys and badges, a com
promised token can be easily canceled and the
user can be assigned a new token. Similarly, user IDs and passwords can be changed
as often as required. But if the biometric data are compromised, the user may quickly
run out of biometric features to be used
for authentication.


Vulnerable points of a biometric system


The first stage involves scanning the user to acquire his/her unique biometric data.
This process is called enrollment. During enrollment, an invariant template is stored
in a database that repr
esents the particular individual.


To authenticate the user against a given ID, this template is retrieved from the
database and matched against the new template derived from a newly acquired input
signal.


This is similar to a password: You first have to
create a password for a new user, then
when the user tries to access the system, he/she will be prompted to enter his/her
password. If the password entered via the keyboard matches the password previously
stored, access will be granted.

6

Attacks


There are
seven main areas

where attacks may occur in a biometric system:




Presenting fake biometrics or a copy at the sensor, for instance a fake finger or
a face mask. It is also possible to try and resubmitting previously stored
digitized biometrics signals such
as a copy of a fingerprint image or a voice
recording.



Producing feature sets preselected by the intruder by overriding the feature
extraction process.



Tampering with the biometric feature representation: The features extracted
from the input signal are re
placed with a fraudulent feature set.



Attacking the channel between the stored templates and the matcher: The
stored templates are sent to the matcher through a communication channel.
The data traveling through this channel could be intercepted and modifie
d
-

There is a real danger if the biometric feature set is transmitted over the
Internet.



Corrupting the matcher: The matcher is attacked and corrupted so that it
produces pre
-
selected match scores.



Tampering with stored templates, either locally or remote
ly.



Overriding the match result.

7

Privacy Issues Surrounding Biometric Technology


By Thomas Boggo


The terrorist attacks on the World Trade Center have provoked in
-
depth discussion
and study of existing security measures, their deficiencies, and how to en
hance
security to prevent similar terrorist attacks from occurring in the future. Biometric
technology has risen to the top of the list as a possible solution. The government is not
the only entity exploring biometric security systems. The financial servic
es industry
see biometrics as a way to curb identity theft. Biometrics are intrinsic physical
characteristics used to identify individuals. The most commonly used biometric is
fingerprints but others include, handprints, facial features, iris & retinal sca
ns, and
voice recognition.


Soon after 9/11 there were calls for the issuance of national ID cards containing
biometric information on an RFID chip implanted on the card. The argument is that
national ID cards will increase security by identifying individu
als with their unique
fingerprints which are much more difficult to counterfeit than standard photo ID
cards. There is also a movement toward biometric passports. It looks like biometric
passports are coming soon. National ID cards may follow.


Biometric i
dentification is nothing new. Humans have been identifying other humans
biometrically since the beginning of time. You recognize people you know by their
facial features, their voice, and other biometric features. What's new is introducing
technology into
the mix that compares a given biometric with a stored database of
biometrics to verify the identity of an individual. An individual place their finger on a
fingerprint scanner and the image is compared with the database to verify the person's
identity. Pro
mising as it is, biometric technology has not been without hiccups but
biometrics are advancing quickly and becoming more and more prevalent in security
systems.


Fingerprints are the most commonly used biometric identifiers. The National Institute
of Stan
dards and Technology (NIST) conducted a study that showed single fingerprint
biometric systems had a 98.6 percent accuracy rate. The accuracy rate rose to 99.6
percent when 2 fingerprints were used and an almost perfect 99.9 percent when 4 or
more fingerpr
ints were used. The study results show that biometric identification is
nearly perfect which is not surprising given the uniqueness of human fingerprints.


The US
-
VISIT program, which is an acronym for United States Visitor & Immigrant
Status Indicator Tec
hnology, currently requires foreign visitors to the US to present a
biometric passport containing 2 fingerprints and a digital photo for identification
purposes before being granted admission to the U.S. Of course the biometrics are
compared against a vast

network of government databases full of known and
suspected terrorists and other criminals.


On the surface biometric technology may sound like a panacea but it's use has raised
significant privacy concerns that need to be addressed. Here are six major pr
ivacy
concerns: storage, vulnerability, confidence, authenticity, linking, and ubiquity.


8

Critics wonder how the data will be stored and how vulnerable it will be to theft or
abuse. Confidence issues center around the implications of false positives and fa
lse
negatives. Can the biometric data be used to link to other information about the
individual such as marital status, religion, employment status, etc.? And finally
ubiquity. What are the implications of leaving electronic "bread crumbs" to mark a
trail
detailing every movement an individual makes?


Until these issues are addressed, privacy advocates will lead a charge to resist
biometric technology claiming it as a way for the government to assume a "Big
Brother" type of rule as described in George Orwel
l's novel 1984. But protest as they
may, it's likely national security concerns and the ability of biometric systems to
enhance the security of US border and possibly prevent another major terrorist attack
will win out over privacy concerns.


Thomas Boggo
is a freelance writer specializing in emerging technologies. You can
read more articles on Biometric Technology & Biometric Security Systems at
http://www.105biometrictechnology.com/


Article Source: http://EzineArticles.com/?expert=Thomas_Boggo