Bh Us 02 Smith Biometric

Apr 04, 2018

  • 7/29/2019 Bh Us 02 Smith Biometric

    SECURE COMPUTING

    July 2002, R. Smith - Biometric Dilemma

    The Biometric Dilemma

    Rick Smith, Ph.D., CISSP

    [email protected]

    28 October 2001

    Outline

    Biometrics: Why, How, How Strong
      Attacks, FAR, FRR, Resisting trial-and-error
    Server-based Biometrics
    Attacking a biometric server
      Digital spoofing, privacy intrusion, latent print reactivation
    Token-based Biometrics
    Physical spoofing
      Voluntary and involuntary spoofing
    Summary

    Biometrics: Why?

    Eliminate memorization
      Users don't have to memorize features of their voice, face, eyes, or fingerprints
    Eliminate misplaced tokens
      Users won't forget to bring fingerprints to work
    Can't be delegated
      Users can't lend fingers or faces to someone else
    Often unique
      Save money and maintain database integrity by eliminating duplicate enrollments

    The Dilemma

    They always look stronger and easier to use than they are in practice
    Enrollment is difficult
      Easy enrollment = unreliable authentication
      Measures to prevent digital spoofing make even more work for administrators, almost a double enrollment process
    Physical spoofing is easier than we'd like
      Recent examples with fingerprint scanners, face scanners

    Biometrics: How?

    Measure a physical trait
      The user's fingerprint, hand, eye, face
    Measure user behavior
      The user's voice, written signature, or keystrokes

    From Authentication 2002. Used by permission

    Biometrics: How Strong?

    Three types of attacks
      Trial-and-error attack
        Classic way of measuring biometric strength
      Digital spoofing
        Transmit a digital pattern that mimics that of a legitimate user's biometric signature
        Similar to password sniffing and replay
        Biometrics can't prevent such attacks by themselves
      Physical spoofing
        Present a biometric sensor with an image that mimics the appearance of a legitimate user

    Passwords: A Baseline

    Example                            Type of Attack            Average Attack Space
    Random 8-character Unix password   Interactive or Off-Line   2^45
    Dictionary Attack                  Interactive or Off-Line   2^15 to 2^23
    Mouse Pad Search                   Interactive               2^1 to 2^4
    Worst Case                                                   2^1

    Biometric Authentication

    Compares user's signature to previously established pattern built from that trait
    Biometric pattern file instead of password file
    Matching is always approximate, never exact

    From Authentication 2002. Used by permission

    Pattern Matching

    We compare how closely a signature matches one user's pattern versus another's pattern

    From Authentication 2002. Used by permission

    Matching Self vs. Others

    From Authentication 2002. Used by permission

    Measurement Trade-Offs

    We must balance the FAR and the FRR
    Lower FAR = Fewer successful attacks
      Less tolerant of close matches by attackers
      Also less tolerant of authentic matches
      Therefore increases the FRR
    Lower FRR = Easier to use
      Recognizes a legitimate user the first time
      More tolerant of poor matches
      Also more tolerant of matches by attackers
      Therefore increases the FAR
    Equal error rate = point where FAR = FRR

    Trial and Error in Practice

    Example                           Type of Attack   Average Attack Space
    Biometric with 1% FAR             Team             2^6
    Biometric with 0.01% FAR          Team             2^12
    Biometric with One in a million   Team             2^19

    Higher security means more mistakes
      When we reduce the FAR, we increase the FRR
      More picky about signatures from legitimate users, too
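The FAR/FRR trade-off and the attack-space table, worked through as an added example that is not part of the original slides. The match scores are constructed, and the conversion from FAR to average attack space (an attacker needs on average 1/(2 x FAR) tries) is an assumption chosen because it reproduces the table's figures for 1%, 0.01% and one-in-a-million FAR.

```python
import math

# Constructed match scores (0-100, higher = closer match); not real sensor data.
GENUINE = [91, 88, 84, 79, 77, 95, 68, 86, 73, 90,
           82, 61, 89, 93, 76, 85, 71, 87, 80, 66]
IMPOSTOR = [22, 35, 41, 18, 52, 47, 30, 63, 27, 38,
            44, 15, 58, 33, 49, 25, 70, 36, 29, 55]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which |FAR - FRR| is smallest (empirical EER point)."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    return min(range(0, 101), key=gap)


def attack_space_bits(far):
    """Average attack space in bits, assuming 1/(2*FAR) tries on average."""
    return round(math.log2(1 / (2 * far)))


if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR, as the slide states.
    for t in (50, 64, 80):
        far, frr = rates(t)
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    print("EER threshold:", equal_error_threshold())
    for far in (0.01, 0.0001, 1e-6):
        print(f"FAR={far:g} -> 2^{attack_space_bits(far)}")
```

With only 20 samples per class the smallest non-zero FAR this data can show is 5%, which is why measuring a one-in-a-million FAR takes far more enrollment and test readings.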

    Biometric Enrollment

    How it works
      User provides one or more biometric readings
      The system converts each reading into a signature
      The system constructs the pattern from those signatures
    Problems with biometric enrollment
      It's hard to reliably pre-enroll users
      Users must provide biometric readings interactively
      Accuracy is time consuming
        Take trial readings, build tentative patterns, try them out
        Take more readings to refine patterns
        Higher accuracy requires more trial readings

    Compare with Password or Token Enrollment

    Modern systems allow users to self-enroll
      User enters some personal authentication information
      Establish a user name
      Establish a password: system generated or user chosen
      Establish a token: enter its serial number
    Password enrollment is comparatively simple
    Tokens require a database associating serial numbers with individual authentication tokens
      Database is generated by token's manufacturer
      Enrollment system uses it to establish user account
      Token's PIN is managed by the end user

    Server-based biometrics

    Boring but important
    Some biometric systems require servers
      When you need a central repository
      Identification systems (FBI's AFIS)
      Uniqueness systems (community social service orgs)

    From Authentication 2002. Used by permission

    Attacking Server Biometrics

    From Authentication 2002. Used by permission

    Attacks on Server Traffic

    Attack on privacy of a user's biometrics
      Defense = encryption while traversing the network
    Attack by spoofing a digital biometric reading
      Defense = authenticating legitimate biometric readers
    Both solutions rely on trusted biometric readers

    From Authentication 2002. Used by permission

    Trusted Biometric Reader

    Blocks either type of attack on server traffic
      Security objective: reliable data collection
    Must embed a cryptographic secret in every trusted reader
      Increased development cost
      Increased administrative cost: administrators must keep the readers' keys safe and up-to-date
    Must enroll both users and trusted readers
      Double enrollment
      Database of device keys from biometric vendor
      One device per workstation is often like one per user
      Standard tokens are traditionally lower-cost devices
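One way a server could authenticate readings from enrolled readers, as an added example that is not from the original slides. The reader id, the HMAC-SHA256 construction and the nonce scheme are assumptions for illustration; the sketch covers only the anti-spoofing half of the defense, not encryption of the reading in transit.

```python
import hashlib
import hmac
import secrets

# Hypothetical device-key database (the "second enrollment"): reader id -> secret.
DEVICE_KEYS = {"reader-017": secrets.token_bytes(32)}


def reader_sign(key, nonce, reading):
    """What a trusted reader computes with its embedded secret."""
    return hmac.new(key, nonce + reading, hashlib.sha256).digest()


class Server:
    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = set()  # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, reader_id, nonce, reading, tag):
        """Accept a reading only from an enrolled reader answering a fresh nonce."""
        key = self.device_keys.get(reader_id)
        if key is None or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # single use: a captured message cannot be replayed
        expected = hmac.new(key, nonce + reading, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    server = Server(DEVICE_KEYS)
    key = DEVICE_KEYS["reader-017"]
    reading = b"constructed-signature-bytes"  # stands in for a biometric signature

    n1 = server.challenge()
    tag = reader_sign(key, n1, reading)
    fresh = server.verify("reader-017", n1, reading, tag)

    replayed = server.verify("reader-017", n1, reading, tag)   # same message again
    n2 = server.challenge()
    stale = server.verify("reader-017", n2, reading, tag)      # old tag, new nonce
    n3 = server.challenge()
    forged = reader_sign(b"x" * 32, n3, reading)               # reader not enrolled
    unknown = server.verify("reader-999", n3, reading, forged)
    return fresh, replayed, stale, unknown


if __name__ == "__main__":
    print(demo())
```

The `DEVICE_KEYS` table is the administrative cost the slide describes: every reader's key has to be enrolled, protected and kept current alongside the user patterns.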

    Another Server Attack

    Experiments in the US and Germany
      Willis and Lee of Network Computing Labs, 1998
        Reported in "Six Biometric Devices Point The Finger At Security" in Network Computing, 1 June 1998
      Thalheim, Krissler, and Ziegler, 2002
        Reported in "Body Check," CT (Germany) http://www.heise.de/ct/english/02/11/114/
    Attack on capacitive fingerprint sensors
      Measures change in capacitance due to presence or absence of material with skin-like response
      65Kb sensor collects ~20 minutiae from fingerprint
        Traditional techniques use 10-12 for identification
    Attack exploits the fatty oils left over from the last user logon

    Latent Finger Reactivation

    Three techniques
      Oil vs. non-oil regions return difference as humidity increases
    1. Breathe on the sensor (Thalheim, et al)
      You can watch the print reappear as a biometric image
      Works occasionally
    2. Use a thin-walled plastic bag of warm water
      More effective, but not 100%
      Works occasionally even when system is set to maximum sensitivity
    3. Dust with graphite (Willis et al; Thalheim et al)
      Attach clear tape to the dust
      Press down on the sensor
      Most reliable technique: almost 100% success rate (Thalheim)

    What about Active Biometric Authentication?

    Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates dynamic information uniquely associated with the user
    Possible techniques
      Require any sort of non-static input that matches the built-in pattern
        Moving the finger around on the fingerprint reader
      Challenge response that demands an unpredictable reply
        Voice recognition that demands reciting an unpredictable phrase
    Both are vulnerable to a dynamic digital attack based on a copy of the user's biometric pattern
    Ease of use issue
      Requires more complex user behavior, which makes it harder to use and less reliable

    Attacking Active Biometrics

    A feasible dynamic attack uses the system's algorithms to generate an acceptable signature
    Example
      Attacker collects enough biometric samples from the victim to build a plausible copy of victim's biometric pattern
      During login, attacker is prompted for a spoken phrase from the victim
      Attack software generates a digital message based on the user's biometric pattern
      There may be a sequence of timed messages or a single message: it doesn't matter
    If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

    Token-Based Biometrics

    Authenticate with biometric + embedded secret

    From Authentication 2002. Used by permission

    Token Technology

    Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.

    From Authentication 2002. Used by permission

    Tokens Resist Trial-and-Error Attacks

    Example                    Type of Attack            Average Attack Space
    Reusable Passwords         Interactive or Off-Line   2^1 to 2^45
    Biometrics                 Team                      2^6 to 2^19
    One-Time Password Tokens   Interactive or Off-Line   2^19 to 2^63
    Public Key Tokens          Off-Line                  2^63 to 2^116

    These numbers assume that the attacker has not managed to steal a token

    Biometric Token Operation

    The real authentication is based on a secret embedded in the token
    The biometric reading simply unlocks that secret
    Benefits
      User retains control of own biometric pattern
      Biometric signatures don't traverse networks
    Problems
      Biometric Tokens cost more
      Less space and cost for the biometric reader
      The biometric serves as a PIN

    Attacks on Biometric Tokens

    If you can trick the reader, you can probably trick the token
    Digital spoofing shouldn't work
      We've eliminated the vulnerable data path
    Latent print reactivation (remember?)
      Tokens should be able to detect and reject such attacks
    Attacks by cloning the biometric artifact
      Voluntary cloning (the authorized user is an accomplice)
      Involuntary cloning (the authorized user is unaware)

    Voluntary finger cloning

    1. Select the casting material
      Option: softened, free molding plastic (used by Matsumoto)
      Option: part of a large, soft wax candle (used by Willis; Thalheim)
    2. Push the fingertip into the soft material
    3. Let material harden
    4. Select the finger cloning material
      Option: gelatin ("gummy fingers" used by Matsumoto)
      Option: silicone (used by Willis; Thalheim)
    5. Pour a layer of cloning material into the mold
    6. Let the clone harden
    You're Done!

    Matsumoto's Technique

    Only a few dollars' worth of materials

    Involuntary Cloning

    The stuff of Hollywood: three examples
      Sneakers (1992): "My voice is my password"
      Never Say Never Again (1983): cloned retina
      Charlie's Angels (2000)
        Fingerprints from beer bottles
        Eye scan from oom-pah laser
    You clone the biometric without victim's knowledge or intentional assistance
    Bad news: it works!

    Cloned Face

    More work by Thalheim, Krissler, and Ziegler
      Reported in "Body Check," CT (Germany) http://www.heise.de/ct/english/02/11/114/
    Show the camera a photograph or video clip instead of the real face
      Video clip required to defeat dynamic biometric checks
    Photo was taken without the victim's assistance (video possible, too)
    Face recognition was fooled
      Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera

    Matsumoto's 2nd Technique

    Cloning a fingerprint from a latent print
    1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface
    2. Pick it up using tape and graphite
    3. Scan it into a computer at high resolution
    4. Enhance the fingerprint image
    5. Etch it onto printed circuit board (PCB) material
    6. Use the PCB as a mold for a gummy finger

    Making a Gummy Finger from a Latent Print

    From Matsumoto, ITU-T Workshop

    The Latent Print Dilemma

    Tokens tend to be smooth objects of metal or plastic, materials that hold latent prints well
    Can an attacker steal a token, lift the owner's latent prints from it, and construct a working clone of the owner's fingerprint?
    Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?
    Answer: in some cases, YES.

    Finger Cloning Effectiveness

    Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
    Thalheim et al could trick both capacitive and optical sensors with cloned fingers
      Products from Siemens, Cherry, Eutron, Veridicom
      Latent image reactivation only worked on capacitive sensors, not on optical ones
    Matsumoto tested 11 capacitive and optical sensors
      Cloned fingers tricked all of them
      Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica

    Thank You!

    Questions? Comments?

    My e-mail:

    [email protected]

    http://www.visi.com/crypto

    http://www.securecomputing.com
