Accelerating the Development of Biometric Standards

dashingincestuous, Security

23 Feb. 2014 (3 years and 4 months ago)


Defining Biometrics


Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic (Biometrics Consortium)

Implementation Areas


- Identification
  - Security
    - Airport face recognition systems
  - Criminal investigations
    - AFIS (Automated Fingerprint Identification System)
  - Fraud control
- Authentication
  - Access control
    - Employee hand scans
  - Validation of transactions
    - Bank withdrawals with fingerprint instead of PIN input


Example Biometrics


- Physiological
  - Hand based
    - Fingerprint or fingerscan
    - Hand geometry
  - Face/eye
    - Facial pattern recognition
    - Retinal scans
    - Iris scans
- Behavioral
  - Voice recognition
  - Signature or keystroke recognition (includes “invisible factors” such as pressure, speed, stroke order, rather than just appearance)

Fingerprint Storage and Scans


- Fingerprint technology captures a representation of the finger; it involves storing the image of the finger and comparing.
- Fingerprint storage can be close to 250 Kbytes
- AFIS, the “Automated Fingerprint Identification System”, is the law enforcement tool used either to identify a fingerprint’s maker or to confirm prints
- Finger scan technology involves capturing/storing characteristics of the finger
- Storage requirements are usually 250-1000 bytes

http://www.finger-scan.com/finger-scan_technology.htm

Issues: Storing Fingerprint data


- One concern with the original fingerprint devices was that they gave the employer a representation of your fingerprint, which might be used in other contexts.
- Newer technologies don’t store the fingerprint; “Vector Line Type” representations are one solution, where the characteristics are stored (not the representation).
- Stored characteristics in the Vector Line model are based on the common line forms of fingerprints: whorls, arches, etc.

The scan is converted from raster (dots) to a vector approximation.

Hand Geometry

Rayco Hand geometry reader

Devices Usually Required


- The device collecting the data probably is proprietary and/or uses proprietary algorithms, so systems are not really interoperable
- Patents protect much of the technology
- Installation and servicing of devices like retina and iris scanners may add considerable cost to a biometrics implementation
- There may be considerable computation involved in computing a “validator” or template for storage (far beyond the Unix validator) that will add to the “wait time” for a match


Biometric Process Overview

[Diagram] Enrollment: Present Biometric, Capture, Process, Store. Verification: Present Biometric, Capture, Process, Compare, Match / No Match.

- Requires enrollment, storage, and real-time matching of results, all of which raise issues for performance and acceptance
- Matches are statistical probabilities of <1
- Identifying information is not typed in, but instead is obtained by device
- Characteristics are usually “mapped” from analog to digital, and not all of the original information is retained
- Devices for most common biometrics are not likely to produce identical results or even identically repeatable results
- Ex: fingerprint readers and hand scanners are somewhat dependent on environmental factors such as the positioning of the finger, the “moisture” of the hand, oils, etc.

Every System Needs Fine-Tuning

The FRR and FAR Challenge

False Rejection Rate (FRR)
- The more precise the system is at matching characteristics, the more likely that it will have a high FRR
- Pros: reduced chance of imposters spoofing the system
- Cons: legitimate users are stopped and subject to delay or worse; frequent false rejections slow the overall throughput and create user resistance

False Acceptance Rate (FAR)
- Ensuring that all legitimate users will be accepted makes it highly likely that imposters will slip in unnoticed
- Pros: system performance is high and delays are few
- Cons: may negate the whole purpose of the system (unless the purpose is mainly deterrence)

There is no perfect balance
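The trade-off on this slide, as an added example that is not part of the original deck: the match scores are constructed and the function names are chosen here. Sweeping the accept threshold shows false acceptance falling as false rejection rises, and what each extreme (no imposters accepted, no legitimate users rejected) costs on the other side.

```python
# Constructed match scores (0-100) from a hypothetical matcher; not real data.
GENUINE = [91, 88, 79, 95, 67, 85, 73, 58, 90, 82]   # user vs. own template
IMPOSTOR = [12, 35, 41, 28, 62, 19, 55, 70, 33, 47]  # someone else vs. it

def rates(threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)
    return far, frr

def sweep(step=5):
    """(threshold, FAR, FRR) rows across the whole score range."""
    return [(t, *rates(t)) for t in range(0, 101, step)]

def equal_error_point(step=5):
    """Row where FAR and FRR are closest: the equal error rate setting."""
    return min(sweep(step), key=lambda row: abs(row[1] - row[2]))

def lowest_threshold_for_far(max_far, step=5):
    """Most permissive threshold that still keeps FAR <= max_far."""
    for row in sweep(step):            # FAR only falls as the threshold rises
        if row[1] <= max_far:
            return row
    return None

def highest_threshold_for_frr(max_frr, step=5):
    """Strictest threshold that still keeps FRR <= max_frr."""
    for row in reversed(sweep(step)):  # FRR only falls as the threshold drops
        if row[2] <= max_frr:
            return row
    return None

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:3d}  FAR {far:.1f}  FRR {frr:.1f}")
    print("equal error point:", equal_error_point())
    print("no imposters accepted:", lowest_threshold_for_far(0.0))
    print("no legitimate users rejected:", highest_threshold_for_frr(0.0))
```

On this sample, refusing every imposter rejects 30% of legitimate users, and accepting every legitimate user lets 30% of imposters through.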


- Standards are needed to move biometric data from one system/type of network to another and to validate that a particular implementation can be extended
- Standards support interoperability and data interchange
- Standards are split between industry consortiums (e.g., BioAPI Consortium) and ISO and national (Government) standards Technical Committees

Biometric Standards


Mobile fingerprint sensor to ATM machine



- Security Options (e.g., plain, or encrypted)
- Integrity Options (e.g., signed)
- Patron (e.g., BioAPI) Header Version
- Biometric Type (e.g., facial features)
- Record Data Type (e.g., processed)
- Record Purpose (e.g., enroll)
- Record Data Quality
- Creation Date (of the biometric data)
- Creator (entity that created the biometric data object)
- Format Owner (CBEFF Requirement)
- Format Type

[Diagram: Header | Biometric Specific Memory Block | Signature]

Data Elements and Header Fields

One Standards Effort

[Diagram: records that each begin with a Standard Bio Header (Type=Multi Bio, Type=Finger, Type=Iris), with blocks labelled Data and Signature]

Standardized Headers Allow for Different Types of Data To Be Exchanged by Compatible Systems
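A simplified record in the header / data block / signature shape described above, as an added example that is not from the deck and is not the CBEFF wire encoding: the JSON header, length prefixes, field names and the use of HMAC-SHA256 in place of a signature are assumptions made for illustration. It shows a receiver checking integrity before parsing, and routing on the standard header without understanding the vendor data block.

```python
import hashlib
import hmac
import json
import struct

def pack_record(header, bsmb, key=None):
    """Build header | biometric data block | signature (illustrative layout)."""
    header = dict(header, integrity="signed" if key else "none")
    hdr = json.dumps(header, sort_keys=True).encode()
    body = struct.pack(">HI", len(hdr), len(bsmb)) + hdr + bsmb
    # HMAC-SHA256 stands in for the signature block; it covers header AND data.
    sig = hmac.new(key, body, hashlib.sha256).digest() if key else b""
    return body + sig

def unpack_record(blob, key=None):
    """Return (header, bsmb); with a key, reject unsigned or altered records."""
    if len(blob) < 6:
        raise ValueError("truncated record")
    hlen, blen = struct.unpack(">HI", blob[:6])
    end = 6 + hlen + blen
    if len(blob) < end:
        raise ValueError("truncated record")
    if key is not None:
        # Receiver policy, not the sender's header flag, decides whether a
        # signature is required; otherwise stripping it would go unnoticed.
        expected = hmac.new(key, blob[:end], hashlib.sha256).digest()
        if not hmac.compare_digest(blob[end:], expected):
            raise ValueError("integrity check failed")
    header = json.loads(blob[6:6 + hlen])  # parsed only after verification
    return header, blob[6 + hlen:end]

def describe(blob, key=None):
    """Route on the standard header without parsing the vendor data block."""
    header, bsmb = unpack_record(blob, key)
    return "%s/%s record, %d data bytes" % (
        header["biometric_type"], header["purpose"], len(bsmb))

# Constructed sample values; field names mirror the header list above.
KEY = b"constructed-demo-key"
HEADER = {"biometric_type": "finger", "data_type": "processed",
          "purpose": "enroll", "format_owner": 1, "format_type": 1}
TEMPLATE = bytes(range(32))  # opaque vendor-format template bytes
SIGNED = pack_record(HEADER, TEMPLATE, KEY)
UNSIGNED = pack_record(HEADER, TEMPLATE)

if __name__ == "__main__":
    print(describe(SIGNED, KEY))
```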

Another Standards Effort: BioAPI - An Open Systems Interface Standard for Biometric Integration

A biometric API standard defines a generic way of interfacing to a broad range of biometric technologies.

Benefits:
- Easy substitution of biometric technologies
- Use of biometric technology across multiple applications
- Easy integration of multiple biometrics using the same interface
- Rapid application development - increased competition (tends to lower costs)

[Diagram: an Application and the BioAPI Interface, with three Biometric Service Providers, each paired with a Biometric Device]

User Point of View: You Want My What???

- While they are more convenient than a smart card or PIN (nothing to memorize or lose), privacy issues are an even greater concern than for passwords because of the personal nature of a biometric
- Some of the collection means and enrollment processes (collecting the original biometric) are seen as invasive or hard to use
- Some biometrics can change considerably over a lifetime and not all people can be identified by all biometrics



Are User Fears Justified?


Acceptance Issues and What Can Go Wrong


- Fingerprint scans
- Fingerprint readers
- Iris scans
- Retinal scans
- Voice recognition
- Face pattern recognition

Some Acceptance Research


According to the IBG's Consumer Response to Biometrics, people did not like facial scans as much as fingerprints as a substitute for a PIN in an ATM, but both technologies rated between “somewhat comfortable” and “neutral”

Reasons seemed to be these:
- People don’t like to look at their own images in low resolution
- People don’t like their picture taken
- People don’t recognize “facial id” as an authenticator in the same way they recognize fingerprints
- Facial scans don’t require consent (i.e., hidden cameras), raising privacy concerns

The Ultimate Identity Theft?



Which brings us to the second major problem with biometrics -- it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation.


Schneier