Biometrics—Risks and Controls - ISACA

Information Systems Control Journal, Volume 4, 2004
Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Modern biometric technologies claim to provide an answer to the authentication problem of password- and token-based systems, which is the fact that knowledge, as well as the possession of an item, does not distinguish a person uniquely. However, deployment of a security architecture incorporating biometric technologies hides many pitfalls, increasing the duties of the IS auditor, who must be aware of the risks and countermeasures related to such technologies.
A simplified description of the biometric authentication process is presented in figure 1.
During the enrollment procedure, the user's physical or behavioral characteristics are captured by the sensor. The feature extractor selects a subset of the characteristics, which is encoded to create the biometric template. (The encoding is often described, as here, as a one-way function; in practice most template formats retain enough information to reconstruct a usable approximation of the original sample, so a stored template needs the same protection as the raw data.) The template is stored to be compared in the future with the one created during an authentication procedure. The comparison between the stored template and the one produced during authentication is performed by a matching algorithm that produces a match score. The match score is forwarded to the application, which applies a decision algorithm to grant or deny access to the user. The false acceptance rate (FAR) and the false rejection rate (FRR) are the two parameters that calibrate the operation of the system. The FAR [1] is the probability that the biometric system will accept an impostor, that is, fail to reject a sample that does not belong to the claimed identity (or, in identification mode, match an individual to the wrong identity). The FRR is the probability that the biometric system will reject a legitimate user, that is, fail to verify a legitimately claimed identity or fail to identify an enrolled user. Both rates depend on the decision threshold and move in opposite directions: lowering the threshold reduces the FRR but raises the FAR, so the operating point is a choice between convenience and security rather than a fixed property of the device.
Guidelines Toward Security
Designing and deploying security architectures that incorporate biometrics is not an easy task. Questions must be answered, such as:
• Which is the most suitable biometric technology to protect the specific application?
• Where will the biometric templates be stored: in a central database or in smart cards?
• How will the components of the system communicate with each other, and what technologies can protect the communication channels?
• What performance and security levels are chosen?
• What policies and procedures will protect the system?
The IS auditors who are responsible for ensuring the existence of adequate security controls during all phases of the systems development life cycle, or for its security evaluation, can deploy general audit techniques. Security-related standards provide excellent guidelines for organizing and ensuring system security and include:
• Control Objectives for Information and related Technology (COBIT)
• ISO/IEC 17799, IT: Code of Practice for Information Security Management
• ISO/IEC 15408, Evaluation Criteria for IT Security: Common Criteria
More specific standards in the biometric area are:
• ANSI X9.84, Biometric Information Management and Security
• Best Practices in Testing and Reporting Performance of Biometric Devices [2]
These standards are good starting points for secure systems incorporating biometrics, with respect to the protection of personal biometric data. However, at some point, IS auditors will be forced to conduct a risk analysis to ensure that the security controls implemented by the security administrator are adequate. To successfully complete this task, IS auditors will need access to a database of common risks regarding biometrics, followed by the corresponding controls. These risks and countermeasures follow.
Risks and Controls
Spoofing and Mimicry Attacks
Poor biometric implementations are vulnerable to spoofing and mimicry attacks. An artificial finger made of commercially available silicone or gelatin can deceive a fingerprint sensor. [3] Pictures and speech synthesis tools can deceive face and voice recognition systems. Auditors must ensure that vitality (liveness) detection features, such as the relative dielectric constant, conductivity, heartbeat, temperature, blood pressure, detection of vitality under the epidermis, or spontaneous dilation and constriction of the pupil, are integrated in the biometric device, and should ask for evidence of how the liveness check was tested against the kinds of artefacts described in the references, since its presence alone says nothing about its error rate. If these features are not present, compensating controls must be applied, such as the deployment of multimodal biometrics (e.g., a combination of face and lip movement recognition) or the implementation of interactive techniques (e.g., requesting that the user say a specific phrase).
Server Side: Fake Template Risks
Server-based architectures, where the biometric templates are stored centrally, foster the threat that an impostor can insert a template into the system under someone else's name. Distributed architectures (template storage in a smart card) are preferred. [4] In that case, the template is stored in a tamper-resistant memory module that is write-once and is erased or destroyed if altered. When this scenario is not an option, strong security controls must protect the server, including encryption of the templates (with the keys held outside the database, since encryption with a key stored alongside the data only protects against theft of the media), system and network security controls, and a strong security policy followed by detailed procedures based on the standards mentioned previously.
By Christos K. Dimitriadis, CISA, CISM, and Despina Polemi, Ph.D.
Figure 1: Simplified Biometric Authentication Process (components: Sensor, Feature Extractor, Template Storage Medium, Matching, Application; flows: Enrollment, Authentication)
Communication Links Risks
Data could be captured from the communication channels between the sensor and the feature extractor, between the feature extractor and the matching algorithm, and between the matching algorithm and the application, and replayed at another time to gain access. This is also called electronic impersonation. During system development, the IS auditor should request the integration of the parts of the system into a hardware security module, which removes these links from the attacker's reach. An example is the biometric smart card that has an embedded fingerprint sensor and matching mechanism. Similar security levels are addressed in integrated terminal devices, such as personal digital assistants (PDAs) or mobile phones. If this is not an option, challenge and response between the components (a fresh nonce per transaction, bound to the transmitted data by a message authentication code) can address this risk. An additional control is a rule to discard a signal when it is identical to the stored template or to the last measurement that was taken, because two live captures never agree bit for bit.
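The challenge-and-response exchange and the identical-signal rule described above, worked through on the sensor-to-matcher link. This is an added example, not code from the article or from any product it mentions. It assumes the sensor and the matcher share a symmetric key provisioned at manufacture (in a real device that key would live in the sensor's secure element), that the matcher issues a single-use nonce per authentication, and that the sample bytes are constructed stand-ins for a real capture. The same pattern applies unchanged to the other two links (feature extractor to matcher, matcher to application).

```python
"""Challenge-response and identical-signal rejection on the sensor-to-matcher link.

Added example with constructed samples. Assumptions: a shared symmetric key
between sensor and matcher, one fresh nonce per authentication, and a sample
that in a real device would be handed to the feature extractor after passing
these checks.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


class Sensor:
    """Captures a sample and binds it to the matcher's challenge."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def capture(self, nonce: bytes, raw_sample: bytes) -> Tuple[bytes, bytes]:
        # Tag over nonce || sample: a recorded (sample, tag) pair is useless
        # later because the next challenge carries a different nonce.
        tag = hmac.new(self._key, nonce + raw_sample, hashlib.sha256).digest()
        return raw_sample, tag


class Matcher:
    """Checks freshness and integrity before any matching takes place."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: Set[bytes] = set()       # nonces issued, not yet consumed
        self._last_sample: Optional[bytes] = None   # digest of the previous capture

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept_sample(self, nonce: bytes, sample: bytes, tag: bytes) -> Tuple[bool, str]:
        if nonce not in self._outstanding:
            return False, "unknown or already used nonce (replay?)"
        self._outstanding.discard(nonce)            # single use, even if later checks fail
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC: sample or nonce altered in transit"
        digest = hashlib.sha256(sample).digest()
        if digest == self._last_sample:
            # Two live captures never agree bit for bit; an identical sample
            # means a recording is being fed in (the 'identical signal' rule).
            return False, "sample identical to previous capture (replay?)"
        self._last_sample = digest
        return True, "ok: hand sample to the feature extractor"


def run_scenarios() -> Dict[str, bool]:
    """Exercise the link with constructed samples; returns the outcome per scenario."""
    key = secrets.token_bytes(32)
    sensor, matcher = Sensor(key), Matcher(key)
    sample1 = b"constructed-sample-1:" + secrets.token_bytes(8)
    sample2 = b"constructed-sample-2:" + secrets.token_bytes(8)

    n1 = matcher.challenge()
    s, t = sensor.capture(n1, sample1)
    ok_live, _ = matcher.accept_sample(n1, s, t)

    # Eavesdropper replays the captured triple after the nonce was consumed.
    ok_replay, _ = matcher.accept_sample(n1, s, t)

    # Eavesdropper obtains a fresh nonce but has no key: the old tag no longer verifies.
    n2 = matcher.challenge()
    ok_old_sample_new_nonce, _ = matcher.accept_sample(n2, s, t)

    # Even with a valid tag, a bit-identical sample under a fresh nonce is refused.
    n3 = matcher.challenge()
    ok_identical, _ = matcher.accept_sample(n3, *sensor.capture(n3, sample1))

    # A genuine second capture (different bits) under a fresh nonce passes.
    n4 = matcher.challenge()
    ok_second_live, _ = matcher.accept_sample(n4, *sensor.capture(n4, sample2))

    return {"live": ok_live, "replay_same_nonce": ok_replay,
            "old_sample_new_nonce": ok_old_sample_new_nonce,
            "identical_sample_fresh_nonce": ok_identical,
            "second_live": ok_second_live}


if __name__ == "__main__":
    print(run_scenarios())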
Cross-system Risk
Using a template in two or more applications with different security levels tends to equalize the security levels downward: a template compromised in the least protected application can be replayed against the most protected one. Depending on the criticality of the application, IS auditors should verify the deployment of custom encoding algorithms to ensure the creation of a distinct template per user for each application. Another option is combining existing biometric-encoding algorithms with one-way hash functions to ensure that the templates produced for a specific user in a specific system are unique. [5] Because the stored data then depends on a replaceable secret, this feature also provides for revocation in case an impostor compromises a template, something a raw template never allows, since the user cannot change the underlying characteristic.
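One concrete way to get per-application, revocable templates out of a biometric encoding plus a one-way hash is a fuzzy commitment (Juels and Wattenberg, 1999), a relative of the fuzzy vault the article cites. The following is an added example, not the article's own scheme and not code from any product it names. It assumes the feature extractor yields a fixed-length bit vector whose genuine re-captures differ from the enrolled one in a small fraction of bits; the 32-bit key, the repetition code and the feature vectors are demonstration sizes and constructed data (a deployment would use a key of at least 128 bits and a proper error-correcting code such as BCH, since a repetition code leaks structure through the helper data).

```python
"""Per-application, revocable templates with a simplified fuzzy commitment.

Added example. Stored record = (app_id, H(key), codeword XOR features). A fresh
random key is drawn per application, so one user's records in two applications
are unrelated; revocation is simply re-enrolling with a new key. Sizes here are
for demonstration only.
"""
import hashlib
import random
import secrets
from typing import Dict, Iterable, List

KEY_BITS = 32            # demonstration size; use >= 128 in a real system
REPEAT = 5               # repetition code: corrects up to 2 flipped bits per block
TEMPLATE_BITS = KEY_BITS * REPEAT


def _encode(key_bits: List[int]) -> List[int]:
    """Repetition code: each key bit becomes REPEAT copies of itself."""
    return [b for b in key_bits for _ in range(REPEAT)]


def _decode(noisy: List[int]) -> List[int]:
    """Majority vote per block; tolerates fewer than REPEAT/2 errors per block."""
    return [1 if 2 * sum(noisy[i:i + REPEAT]) > REPEAT else 0
            for i in range(0, len(noisy), REPEAT)]


def _key_hash(key_bits: List[int], app_id: str) -> str:
    """One-way value stored instead of the key; app_id gives domain separation."""
    key_bytes = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(app_id.encode() + b"\x00" + key_bytes).hexdigest()


def enroll(feature_bits: List[int], app_id: str) -> Dict:
    """Commit a fresh random key to the feature vector for this application."""
    if len(feature_bits) != TEMPLATE_BITS:
        raise ValueError("feature vector must have %d bits" % TEMPLATE_BITS)
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ w for c, w in zip(_encode(key_bits), feature_bits)]
    return {"app_id": app_id, "key_hash": _key_hash(key_bits, app_id), "helper": helper}


def verify(record: Dict, sample_bits: List[int]) -> bool:
    """Recover the key from a noisy re-capture and check it against the stored hash."""
    if len(sample_bits) != TEMPLATE_BITS:
        return False
    noisy_codeword = [h ^ s for h, s in zip(record["helper"], sample_bits)]
    return _key_hash(_decode(noisy_codeword), record["app_id"]) == record["key_hash"]


def flip(bits: List[int], positions: Iterable[int]) -> List[int]:
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def constructed_feature_vector(seed: int) -> List[int]:
    """Stand-in for the feature extractor's output; constructed, not real data."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


if __name__ == "__main__":
    w = constructed_feature_vector(1)
    door, payroll = enroll(w, "door-access"), enroll(w, "payroll")
    print("records differ:", door["helper"] != payroll["helper"])
    print("noisy re-capture accepted:", verify(door, flip(w, range(0, TEMPLATE_BITS, REPEAT))))
    print("stolen door record vs payroll:", verify(payroll, door["helper"]))
```

Note what the matcher stores: a hash and helper data, never the feature vector or the key. A record stolen from one application gives nothing usable against another, and a compromised record is revoked by enrolling again with a new key while the user's finger stays the same.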
Component Alteration Risks
An attack can be realized with a Trojan horse on the feature extractor, the matching algorithm or the decision algorithm of the system, acting as a manipulator of each component's output. IS auditors should define security controls, such as write-once memory units that host the feature extraction program and the matching algorithm, and integrate the system into a hardware security module. Additional controls include developing a strong security policy controlling the operation of the system to protect it from exposure to manipulation attempts.
Enrollment,Administration and System Use Risks
Poor enrollment, system administration and system use procedures increase the system's risk factor. During the enrollment phase, raw biometric data and biometric templates can be compromised, and databases can be altered or filled with imprecise data. Poor system administration procedures might lead to altered system configuration files with an increased FAR, making false acceptance easier and security weaker. Similarly, users might exceed their authority, threatening the system. IS auditors should ensure the establishment of detailed procedures and controls as extensions of the system's security policy, enforcing, for example, segregation of duties, job rotation procedures, logging facilities, and alteration or anomaly detection mechanisms.
Noise and Power Loss Risks
Out-of-range power fluctuation or flooding of a biometric sensor with noise data, for example flashing light on an optical sensor, changing the temperature or humidity of the fingerprint sensor, spraying materials on the surface of a sensor or vibrating the sensor outside its limits, might cause biometric devices to fail. IS auditors should ensure security policies that incorporate security controls that will make the system environment as controlled as possible. These controls depend on the nature of the application.
Power and Timing Analysis Risks
Measuring the power consumption of a chip can reveal the code running on it, down to the individual instruction being executed. [6] Simple power analysis (SPA) and differential power analysis (DPA) [7] apply statistics across many such measurements and have recovered the keys of cryptographic algorithms such as DES. The same strategy can be followed against the matching mechanism of a biometric device: the secret key or the stored template shows up as the peaks of the correlation diagram produced when the analysis software is applied to the power traces. Timing attacks are similar but measure processing time instead of power consumption; a matcher whose running time depends on how many bits of the probe agree with the template hands the attacker a score even when the application only returns accept or reject.
IS auditors should ensure that all necessary controls are in place. These include microcontrollers with lower power consumption and noise generators that blur the power signature; noise raises the number of traces an attacker must collect rather than removing the leak, so masking of the intermediate values is the stronger complement. Regarding timing attacks, the algorithm and program code have to be designed as time-neutral: no early exit on the first mismatch and no branches on secret data. These technological countermeasures must be built into the biometric device; they cannot be added later by policy.
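What "time-neutral" means for a matcher, shown on a constructed scenario (added example, not from the article): templates are bit vectors and the decision is "accept if the Hamming distance to the stored template is at most MAX_DIST". The leaky matcher stops scanning as soon as the distance budget is exhausted, so its running time reveals how far into the template the probe stayed close, which is exactly the feedback a hill-climbing attacker needs. The time-neutral version does the same work for every input. Work is counted in positions examined rather than measured in seconds so the difference is deterministic; the template, the threshold and the probes are all constructed.

```python
"""Early exit in a matcher as a timing oracle, beside a time-neutral version.

Added example with constructed data. Work is counted in positions examined
so the leak is visible without a stopwatch.
"""
from typing import List, Tuple

MAX_DIST = 4                      # accept if at most this many bits differ

# 64-bit constructed template (a real one would come from the enrollment step).
TEMPLATE: List[int] = [1, 0, 1, 1, 0, 0, 1, 0] * 8


def match_leaky(template: List[int], probe: List[int]) -> Tuple[bool, int]:
    """Returns (accepted, positions examined). Exits as soon as the budget is spent."""
    dist = examined = 0
    for t, p in zip(template, probe):
        examined += 1
        dist += t ^ p
        if dist > MAX_DIST:
            return False, examined          # data-dependent exit: the leak
    return True, examined


def match_time_neutral(template: List[int], probe: List[int]) -> Tuple[bool, int]:
    """Same decision, but the amount of work does not depend on the data."""
    dist = examined = 0
    for t, p in zip(template, probe):
        examined += 1
        dist += t ^ p                       # no branch on the running distance
    # The final comparison is the only data-dependent step; in C it would be
    # written as arithmetic on the difference rather than as a branch.
    return dist <= MAX_DIST, examined


def probe_with_errors(positions: List[int]) -> List[int]:
    """A probe equal to the template except at the given bit positions."""
    probe = list(TEMPLATE)
    for p in positions:
        probe[p] ^= 1
    return probe


if __name__ == "__main__":
    far_off = probe_with_errors([0, 1, 2, 3, 4])        # wrong from the start
    close = probe_with_errors([50, 51, 52, 53, 54])     # wrong only near the end
    for name, fn in (("leaky", match_leaky), ("time-neutral", match_time_neutral)):
        print(name, "far-off:", fn(TEMPLATE, far_off), "close:", fn(TEMPLATE, close))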
Residual Characteristic Risk
The residual biometric characteristic of a previous user on the sensor may be sufficient to allow access to an impostor. The attack can be realized on a fingerprint sensor with the residual fingerprint from the previous measurement by pressing a thin plastic bag of warm water on the sensor, by breathing on the sensor, or by dusting it with graphite powder, lifting the dust with adhesive tape and pressing the tape onto the sensor. [8] Even when a specific rule in the login algorithm is in place for declining exactly the same measurement, repositioning the tape to provide a slightly different input would deceive the system. IS auditors should conduct a technology assessment. Some fingerprint sensors require the user to sweep the finger across the sensor, thus avoiding this risk. In general, deploying interactive authentication is an adequate control for this type of risk.
Similar Template: Similar Characteristics Risk
A fraudulent user who has a template or characteristic similar to that of a legitimate user might deceive the system, especially in identification applications where there is a one-to-many template comparison. IS auditors should ensure the maturity of the encoding algorithm, which should use functions that produce distinct outputs for distinct inputs, and should review the FAR of the biometric device. Auditors should examine the results of independent testing based on biometric performance evaluation standards [9] or rely on the evaluation assurance level (EAL) of a product certified under the Common Criteria. For security applications, the biometric system should be calibrated to produce a FAR less than or equal to 0.001 percent, that is, at most one false acceptance in 100,000 impostor attempts. A vendor claim at that level can only be checked against a test set containing at least that many impostor comparisons; in an identification system the effective FAR also grows with the number of enrolled templates, since a probe is compared against each of them.
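How the FAR and FRR defined at the start of the article are actually measured, and what calibrating to a FAR target such as 0.001 percent involves, worked through in code. This is an added example, not from the article or from any product it names; the genuine and impostor score lists are constructed, and the only assumption is a score-based matcher whose decision rule is "accept if score >= threshold".

```python
"""FAR/FRR calibration of a score-based matcher on constructed score data.

Added example. Scores are similarity values in [0, 1], higher = closer match.
A genuine score comes from comparing a user's live sample with that user's own
template, an impostor score from comparing it with another user's template.
"""
import math
from typing import List, Optional, Sequence, Tuple

# Constructed, not measured: 10 genuine and 20 impostor comparison scores.
GENUINE: List[float] = [0.92, 0.88, 0.95, 0.81, 0.90, 0.77, 0.93, 0.86, 0.89, 0.84]
IMPOSTOR: List[float] = [0.12, 0.33, 0.41, 0.28, 0.55, 0.19, 0.62, 0.37, 0.45, 0.83,
                         0.22, 0.30, 0.49, 0.26, 0.15, 0.58, 0.35, 0.40, 0.21, 0.31]


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for the rule 'accept iff score >= threshold'.

    FAR = fraction of impostor comparisons wrongly accepted;
    FRR = fraction of genuine comparisons wrongly rejected.
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def threshold_for_far(impostor: Sequence[float], target_far: float) -> float:
    """Lowest threshold at which the observed FAR is <= target_far.

    With n impostor scores the smallest non-zero FAR that can be observed is
    1/n. A target of 0.001 percent (1e-5) therefore needs on the order of
    100,000 impostor comparisons to be measurable at all; on a smaller set
    this function can only return a threshold that rejects every observed
    impostor, which says nothing about the true FAR.
    """
    scores = sorted(impostor)
    allowed = min(int(target_far * len(scores)), len(scores) - 1)  # impostors we may accept
    # Reject scores[-allowed-1] and everything below it: the threshold is the
    # next representable float above that score.
    return math.nextafter(scores[-allowed - 1], math.inf)


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Threshold where FAR and FRR are closest; returns (threshold, FAR, FRR).

    The EER is a handy single number for comparing devices, but it is not the
    operating point of a security application: there the threshold is set
    from the FAR target and the resulting FRR is what users live with.
    """
    best: Optional[Tuple[float, float, float]] = None
    best_gap = math.inf
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if abs(far - frr) < best_gap:
            best, best_gap = (t, far, frr), abs(far - frr)
    assert best is not None
    return best


def calibration_report(target_far: float = 1e-5) -> dict:
    """Set the threshold from the FAR target and report what that costs in FRR."""
    t = threshold_for_far(IMPOSTOR, target_far)
    far, frr = far_frr(GENUINE, IMPOSTOR, t)
    return {"threshold": t, "far": far, "frr": frr,
            "impostor_comparisons": len(IMPOSTOR),
            "far_resolution": 1 / len(IMPOSTOR)}


if __name__ == "__main__":
    print(calibration_report())
    print(equal_error_rate(GENUINE, IMPOSTOR))
```

On this toy set the report shows the point the section makes: with 20 impostor comparisons the finest FAR the test can resolve is 5 percent, so a threshold "meeting" 0.001 percent here merely rejects every impostor seen, at the cost of a 20 percent FRR, and says nothing about the real-world rate.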
Brute Force Attack Risk
This type of attack is based on trial and error. [10] The impostor repeatedly attempts to enter the system by submitting matching data that is adjusted step by step, using the returned match score as feedback (hill climbing), until an accepting score is reached. This method is most effective in systems that implement identification rather than verification, since the biometric measurement is compared against a large number of templates, making the system weaker as the number of users increases, because of the increased probability that similar templates or characteristics exist among the population. Biometrics, however, are more resistant to this attack than are traditional systems, since each attempt requires presenting data to the system rather than sending a guess over a network. IS auditors should ensure that traditional controls are in place, such as the automatic locking of the user's account after a specified number of attempts, and that the raw match score is not returned to the caller, since the attack depends on that feedback.
Risk Control Table
Identified risks and controls for biometrics are summarized in figure 2.
Auditing or evaluating the development of a security architecture incorporating biometrics requires a risk assessment process, including the definition of appropriate controls for mitigating risks. Combining well-known methodologies and tools, such as COBIT, with specific guidelines on biometric systems and a database of biometric-specific risks and corresponding controls can ensure a high level of security, guiding IS auditors toward success.
Endnotes
1. IST-1999-20078, 2002, Business environment of biometrics involved in e-commerce, expertnet.gr/bee
2. Wayman, J.L.; A.J. Mansfield; Best practices of testing and reporting performance of biometric devices, 2002, www.cesg.gov/uk/site/ast/biometrics/media/BestPractice.pdf
3. Matsumoto, T.; H. Matsumoto; K. Yamada; S. Hoshino; Impact of artificial fingers on fingerprint systems, Proceedings of SPIE, 2002, volume 4677, Yokohama; Van der Putte, T.; J. Keuning; Biometrical fingerprint recognition: Don't get your fingers burned, IFIP TC8/WG8.8 Fourth Working Congress on Smart Card Research and Advanced Applications, Kluwer Academic Publishers, 2000, p. 289-303
4. Op. cit., IST-1999-20078
5. Juels, A.; M. Sudan; A Fuzzy Vault Scheme, IEEE International Symposium on Information Theory, IEEE Press, Lausanne, Switzerland, 2002, p. 408
6. Gandolfi, K.; C. Mourtel; F. Olivier; Electromagnetic Analysis: Concrete Results, Cryptographic Hardware and Embedded Systems CHES 2001, volume 2162 of Lecture Notes in Computer Science, p. 251-261, Springer-Verlag
7. Kocher, P.; J. Jaffe; B. Jun; Introduction to Differential Power Analysis and Related Attacks, 1998, www.cryptography.com/technology/dpa/DPATechnicalInfo.PDF
8. Op. cit., IST-1999-20078
9. Op. cit., Wayman
10. Bolle, R.M.; J.H. Connell; N.K. Ratha; Biometric Perils and Patches, Pattern Recognition, 2002, volume 35, no. 12, p. 2727-2738
Christos K. Dimitriadis, CISA, CISM
is manager of the security architecture design and development department of Expertnet SA. He specializes in prevention, detection and response, and IT security mechanisms, and is an expert in biometric technologies.
Despina Polemi, Ph.D.
is a professor in the informatics department of the University of Piraeus. From 1991 to 1996, she was assistant professor (tenure track) at the State University of New York at Farmingdale in the department of mathematics. She has published more than 40 works. She has been the project leader/technical manager in security projects of various programs such as National Security Agency (NSA), Dr. Nuala McGann Drescher Foundation, Greek Ministry of Defence, INFOSEC, TELEMATICS for Administrations, IST Program. She participated in the EC security projects of the programs COST, ACTS, IST Program and NATO. She is an evaluator and invited expert in the Fifth Framework IST Program in the security area, and she is a member of IEEE.
Figure 2: Biometrics Risks and Controls

Risk | Controls
Spoofing / mimicry | Vitality detection, multimodal biometrics, interactive authentication
Server side: fake template risks | Well-implemented security policy incorporating encryption technologies and intrusion prevention, detection and response controls; storage of the template in a secure smart card
Communication links risks: replay and bypass attacks | System integration into one hardware security module, interactive authentication, rejection of identical signals
Cross-system risk | Custom biometric-encoding algorithms, deployment of hash functions
Component alteration risks | System integration into one hardware security module, well-implemented security policy
Enrollment, administration and system use risks | Well-designed and implemented security policy and procedures
Noise and power loss risks | Well-implemented security policy
Power and timing analysis risks | Noise generators, low power consumption chips in the biometric device
Residual characteristic risk | Technology assessment, interactive authentication
Similar template / similar characteristics risk | Technology assessment and calibration review
Brute force attack risk | Traditional controls, account lock after a number of attempts
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. (ISSN 1526-7407). © Copyright 2004 by Information Systems Audit and Control Association Inc. All rights reserved.
www.isaca.org