SECURE COMPUTING
July 2002
R. Smith - Biometric Dilemma
The Biometric Dilemma
Rick Smith, Ph.D., CISSP
rick_smith@securecomputing.com
28 October 2001

Outline
• Biometrics: Why, How, How Strong
  – Attacks, FAR, FRR, Resisting trial-and-error
• Server-based Biometrics
• Attacking a biometric server
  – Digital spoofing, privacy intrusion, latent print reactivation
• Token-based Biometrics
• Physical spoofing
  – Voluntary and involuntary spoofing
• Summary

Biometrics: Why?
• Eliminate memorization
  – Users don’t have to memorize features of their voice, face, eyes, or fingerprints
• Eliminate misplaced tokens
  – Users won’t forget to bring fingerprints to work
• Can’t be delegated
  – Users can’t lend fingers or faces to someone else
• Often unique
  – Save money and maintain database integrity by eliminating duplicate enrollments

The Dilemma
They always look stronger and easier to use than they are in practice
• Enrollment is difficult
  – Easy enrollment = unreliable authentication
  – Measures to prevent digital spoofing make even more work for administrators, almost a “double enrollment” process
• Physical spoofing is easier than we’d like
  – Recent examples with fingerprint scanners, face scanners

Biometrics: How?
Measure a physical trait
• The user’s fingerprint, hand, eye, face
Measure user behavior
• The user’s voice, written signature, or keystrokes
From Authentication © 2002. Used by permission

Biometrics: How Strong?
Three types of attacks
• Trial-and-error attack
  – Classic way of measuring biometric strength
• Digital spoofing
  – Transmit a digital pattern that mimics that of a legitimate user’s biometric signature
  – Similar to password sniffing and replay
  – Biometrics can’t prevent such attacks by themselves
• Physical spoofing
  – Present a biometric sensor with an image that mimics the appearance of a legitimate user

Biometric Trial-and-Error
How many trials are needed to achieve a 50-50 chance of producing a matching reading?
• Typical objective: 1 in 1,000,000 (2^19)
• Some systems achieve this, but most aren’t that accurate in practical settings
• Team-based attack
  – A group of individuals take turns pretending to be a legitimate user (5 people X 10 fingers = 50 fingers)

Passwords: A Baseline
Example                            Type of Attack            Average Attack Space
Random 8-character Unix password   Interactive or Off-Line   2^45
Dictionary Attack                  Interactive or Off-Line   2^15 to 2^23
Mouse Pad Search                   Interactive               2^1 to 2^4
Worst Case                                                   2^1

Biometric Authentication
• Compares user’s signature to previously established pattern built from that trait
• “Biometric pattern” file instead of password file
• Matching is always approximate, never exact
From Authentication © 2002. Used by permission

Pattern Matching
We compare how closely a signature matches one user’s pattern versus another’s pattern
From Authentication © 2002. Used by permission

Matching Self vs. Others
From Authentication © 2002. Used by permission

Matching in Practice
FAR = recognized Bob instead; FRR = doesn’t recognize me
From Authentication © 2002. Used by permission

Measurement Trade-Offs
We must balance the FAR and the FRR
• Lower FAR = Fewer successful attacks
  – Less tolerant of close matches by attackers
  – Also less tolerant of authentic matches
  – Therefore: increases the FRR
• Lower FRR = Easier to use
  – Recognizes a legitimate user the first time
  – More tolerant of poor matches
  – Also more tolerant of matches by attackers
  – Therefore: increases the FAR
Equal error rate = point where FAR = FRR

Trial and Error in Practice
Example                             Type of Attack   Average Attack Space
Biometric with 1% FAR               Team             2^6
Biometric with 0.01% FAR            Team             2^12
Biometric with “One in a million”   Team             2^19
• Higher security means more mistakes
  – When we reduce the FAR, we increase the FRR
  – More picky about signatures from legitimate users, too
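
The FAR/FRR trade-off, the equal error rate and the attack-space figures can be worked through with a threshold sweep. This is an added example, not part of the original slides: the match scores are constructed, the team calculation assumes independent attempts, and the 1/(2 × FAR) conversion to an average attack space is an assumption that reproduces the 2^6, 2^12 and 2^19 figures quoted for 1%, 0.01% and one-in-a-million FAR.

```python
import math

# Constructed match scores on a 0-100 scale; illustrative, not measured data.
GENUINE = [62, 68, 71, 74, 77, 79, 81, 84, 86, 88, 90, 93]   # user vs. own pattern
IMPOSTOR = [22, 31, 35, 38, 41, 44, 47, 52, 55, 58, 63, 72]  # others vs. that pattern


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a reading is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which |FAR - FRR| is smallest (the equal error point)."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    return min(range(101), key=gap)


def attack_space_bits(far):
    """Average attack space in bits, assuming about 1/(2*FAR) trials on average."""
    if far <= 0:
        return math.inf  # no false accepts in this sample; not a real bound
    return max(0, round(math.log2(1 / (2 * far))))


def team_success(far, fingers=50):
    """Chance that at least one of `fingers` independent attempts is accepted."""
    return 1 - (1 - far) ** fingers


if __name__ == "__main__":
    # Raising the threshold lowers the FAR and raises the FRR.
    for t in (55, equal_error_threshold(), 73):
        far, frr = rates(t)
        print(f"threshold={t:3d}  FAR={far:.3f}  FRR={frr:.3f}  "
              f"attack space=2^{attack_space_bits(far)}")
    print(f"50 fingers against a 1% FAR: {team_success(0.01):.3f}")
```

A FAR of zero on a small sample only means no false accept was observed, which is why the function reports it as unbounded rather than as a strength figure.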

Biometric Enrollment
• How it works
  – User provides one or more biometric readings
  – The system converts each reading into a signature
  – The system constructs the pattern from those signatures
• Problems with biometric enrollment
  – It’s hard to reliably “pre-enroll” users
  – Users must provide biometric readings interactively
• Accuracy is time consuming
  – Take trial readings, build tentative patterns, try them out
  – Take more readings to refine patterns
  – Higher accuracy requires more trial readings

Compare with Password or Token Enrollment
• Modern systems allow users to self-enroll
  – User enters some personal authentication information
  – Establish a user name
  – Establish a password: system generated or user chosen
  – Establish a token: enter its serial number
• Password enrollment is comparatively simple
• Tokens require a database associating serial numbers with individual authentication tokens
  – Database is generated by token’s manufacturer
  – Enrollment system uses it to establish user account
  – Token’s PIN is managed by the end user

Biometric Privacy
• The biometric pattern acts like a password
But biometrics are not secrets
• Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
• Users can’t change biometrics if someone makes a copy
• We can trace people by following their biometrics as they’re saved in databases

Server-based biometrics
• Boring but important
• Some biometric systems require servers
  – When you need a central repository
  – Identification systems (FBI’s AFIS)
  – Uniqueness systems (community social service orgs)
From Authentication © 2002. Used by permission

Attacking Server Biometrics
From Authentication © 2002. Used by permission

Attacks on Server Traffic
• Attack on privacy of a user’s biometrics
  – Defense = encryption while traversing the network
• Attack by spoofing a digital biometric reading
  – Defense = authenticating legitimate biometric readers
Both solutions rely on trusted biometric readers
From Authentication © 2002. Used by permission

Trusted Biometric Reader
• Blocks either type of attack on server traffic
• Security objective: reliable data collection
• Must embed a cryptographic secret in every trusted reader
  – Increased development cost
  – Increased administrative cost: administrators must keep the reader’s keys safe and up-to-date
• Must enroll both users and trusted readers
  – “Double enrollment”
  – Database of device keys from biometric vendor
  – One device per workstation is often like one per user
  – Standard tokens are traditionally lower-cost devices
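
One way a server can authenticate readings from enrolled readers, shown as an added example that is not from the original slides: the reader keys its response with HMAC-SHA-256 over a server nonce and the reading. The reader ID, the key, the nonce scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed device-key database: under "double enrollment" the server enrolls
# readers as well as users. The reader ID and key are made up for this example.
DEVICE_KEYS = {"reader-0017": bytes.fromhex("00112233445566778899aabbccddeeff")}


def reader_respond(key, nonce, reading):
    """Inside the trusted reader: bind the fresh reading to the server's nonce."""
    return hmac.new(key, nonce + reading, hashlib.sha256).digest()


class Server:
    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = {}  # reader_id -> outstanding single-use nonce

    def challenge(self, reader_id):
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce+reading unambiguous
        self.pending[reader_id] = nonce
        return nonce

    def accept_reading(self, reader_id, reading, tag):
        """True only if an enrolled reader produced this reading for our nonce."""
        key = self.device_keys.get(reader_id)
        nonce = self.pending.pop(reader_id, None)  # consume the nonce either way
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(reader_respond(key, nonce, reading), tag)


def demo():
    server = Server(DEVICE_KEYS)
    key = DEVICE_KEYS["reader-0017"]
    reading = b"constructed-signature-bytes"

    nonce = server.challenge("reader-0017")
    tag = reader_respond(key, nonce, reading)
    genuine = server.accept_reading("reader-0017", reading, tag)

    # Replay: the captured (reading, tag) pair answers the old nonce, not this one.
    server.challenge("reader-0017")
    replayed = server.accept_reading("reader-0017", reading, tag)

    # Injection without the embedded device key cannot produce a valid tag.
    nonce = server.challenge("reader-0017")
    bad_tag = reader_respond(b"\x00" * 16, nonce, reading)
    forged = server.accept_reading("reader-0017", reading, bad_tag)

    # A reader that was never enrolled has no key in the database.
    unknown = server.accept_reading("reader-9999", reading, tag)
    return genuine, replayed, forged, unknown
```

This covers only the spoofing defense; the privacy defense still requires encrypting the reading while it traverses the network.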

Another Server Attack
• Experiments in the US and Germany
• Willis and Lee of Network Computing Labs, 1998
  – Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998
• Thalheim, Krissler, and Ziegler, 2002
  – Reported in “Body Check,” C’T (Germany)
  – http://www.heise.de/ct/english/02/11/114/
• Attack on “capacitive” fingerprint sensors
  – Measures change in capacitance due to presence or absence of material with skin-like response
  – 65Kb sensor collects ~20 minutiae from fingerprint
  – Traditional techniques use 10-12 for identification
• Attack exploits the fatty oils left over from the last user logon

Latent Finger Reactivation
• Three techniques
  – Oil vs. non-oil regions return difference as humidity increases
1. Breathe on the sensor (Thalheim, et al)
   – You can watch the print reappear as a biometric image
   – Works occasionally
2. Use a thin-walled plastic bag of warm water
   – More effective, but not 100%
   – Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al)
   – Attach clear tape to the dust
   – Press down on the sensor
   – Most reliable technique: almost 100% success rate (Thalheim)

This Shouldn’t Work
• According to Siemens, vendor of the “ID Mouse” used in those examples
  – Authentication procedure remembers the last fingerprint used
  – System rejects a match that’s “too close” to the last reading as well as a match that’s “too far” from the pattern
• Observations
  1. Defense didn’t work in these experiments
  2. Tape can be repositioned to create a ‘different’ reading
  3. Hard to track through multiple biometric readers
     – Assume the user logs in at multiple locations over time
     – Then the latent image on some reader is not the most recent one accepted for login

What about “Active” Biometric Authentication?
• Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the user
• Possible techniques
  – Require any sort of non-static input that matches the built-in pattern
    • Moving the finger around on the fingerprint reader
  – Challenge response that demands an unpredictable reply
    • Voice recognition that demands reciting an unpredictable phrase
• Both are vulnerable to a dynamic digital attack based on a copy of the user’s biometric pattern
• Ease of use issue
  – Requires more complex user behavior, which makes it harder to use and less reliable

Attacking Active Biometrics
A feasible dynamic attack uses the system’s algorithms to generate an acceptable signature
• Example
  – Attacker collects enough biometric samples from the victim to build a plausible copy of victim’s biometric pattern
  – During login, attacker is prompted for a spoken phrase from the victim
  – Attack software generates a digital message based on the user’s biometric pattern
    • There may be a sequence of timed messages or a single message; it doesn’t matter
If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

Token-Based Biometrics
Authenticate with biometric + embedded secret
From Authentication © 2002. Used by permission

Token Technology
• Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.
From Authentication © 2002. Used by permission

Tokens Resist Trial-and-Error Attacks
Example                    Type of Attack            Average Attack Space
Reusable Passwords         Interactive or Off-Line   2^1 to 2^45
Biometrics                 Team                      2^6 to 2^19
One-Time Password Tokens   Interactive or Off-Line   2^19 to 2^63
Public Key Tokens          Off-Line                  2^63 to 2^116
These numbers assume that the attacker has not managed to steal a token

Biometric Token Operation
• The “real” authentication is based on a secret embedded in the token
• The biometric reading simply “unlocks” that secret
• Benefits
  – User retains control of own biometric pattern
  – Biometric signatures don’t traverse networks
• Problems
  – Biometric Tokens cost more
  – Less space and cost for the biometric reader
The biometric serves as a PIN

Attacks on Biometric Tokens
• If you can trick the reader, you can probably trick the token
• Digital spoofing shouldn’t work
  – We’ve eliminated the vulnerable data path
• Latent print reactivation (remember?)
  – Tokens should be able to detect and reject such attacks
• Attacks by cloning the biometric artifact
  – Voluntary cloning (the authorized user is an accomplice)
  – Involuntary cloning (the authorized user is unaware)

Voluntary finger cloning
1. Select the casting material
   – Option: softened, free molding plastic (used by Matsumoto)
   – Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
   – Option: gelatin (“gummy fingers” used by Matsumoto)
   – Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden
You’re Done!

Matsumoto’s Technique
• Only a few dollars’ worth of materials

Making the Actual Clone
You can place the “gummy finger” over your real finger. Observers aren’t likely to detect it when you use it on a fingerprint reader. (Matsumoto)

Involuntary Cloning
• The stuff of Hollywood: three examples
  – Sneakers (1992) “My voice is my password”
  – Never Say Never Again (1983) cloned retina
  – Charlie’s Angels (2000)
    • Fingerprints from beer bottles
    • Eye scan from oom-pah laser
• You clone the biometric without victim’s knowledge or intentional assistance
• Bad news: it works!

Cloned Face
• More work by Thalheim, Krissler, and Ziegler
• Reported in “Body Check,” C’T (Germany) http://www.heise.de/ct/english/02/11/114/
• Show the camera a photograph or video clip instead of the real face
  – Video clip required to defeat “dynamic” biometric checks
• Photo was taken without the victim’s assistance (video possible, too)
• Face recognition was fooled
  – Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera

Matsumoto’s 2nd Technique
Cloning a fingerprint from a latent print
1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface
2. Pick it up using tape and graphite
3. Scan it into a computer at high resolution
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material
6. Use the PCB as a mold for a “gummy finger”

Making a Gummy Finger from a Latent Print
From Matsumoto, ITU-T Workshop

The Latent Print Dilemma
• Tokens tend to be smooth objects of metal or plastic
  – materials that hold latent prints well
• Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint?
• Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?
• Answer: in some cases, YES.

Finger Cloning Effectiveness
• Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
• Thalheim et al could trick both “capacitive” and “optical” sensors with cloned fingers
  – Products from Siemens, Cherry, Eutron, Veridicom
  – Latent image reactivation only worked on capacitive sensors, not on optical ones
• Matsumoto tested 11 capacitive and optical sensors
  – Cloned fingers tricked all of them
  – Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica

Summary
• Traditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilities
• Networked biometrics require trusted readers that pose extra administrative headaches
• We can build physical clones of biometric features that spoof biometric readers
  – Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint
• We can often build clones without the legitimate user’s intentional participation

Thank You!
Questions? Comments?
My e-mail: Rick_Smith@securecomputing.com
http://www.visi.com/crypto
http://www.securecomputing.com