Bio Metric System Security

8/8/2019 Bio Metric System Security

1/57

1

Anil K. Jain

Michigan State [email protected]

http:/ / biometrics.cse.msu.edu

Biometric System SecurityBiometric System Security


2/57

2

Introduction

Biometric System Architecture

Attacks against Biometric Systems

Taxonomy of Attacks

Attack Examples

Solutions to Attacks

Liveness Detection

Challenge/Response

Watermarking

Summary

OutlineOutline


3/57

3

Enrollment: Users biometric data is captured and a salient

feature set is extracted; these features are associated with theuser identity and stored as a template in a database

Authentication: Users biometric data is captured and theextracted feature set is compared with either (i) all thetemplates in the database (identification), or (ii) the templatesassociated with a claimed identity (verification)

Enrollment

Sensor Feature Extractor DatabaseUser

identity

Authentication

Sensor Feature Extractor DatabaseUser

identity

Matcher

retrieved identityaccept/reject

Biometric System OperationBiometric System Operation


4/574

The number of installed biometric systems in bothcommercial and government sectors is increasing

The size of the population that uses these systems isincreasing (tens of millions in the US VISIT program)

New application areas are emerging (visa, border control,e-commerce, health care records, entertainment )

Hence, the potential damage resulting from securitybreaches in biometric systems can be enormous

Security analysis of biometric systems is critical

Biometric System SecurityBiometric System Security


5/575

Circumvention: An attacker gains access to the systemprotected by biometric authentication

Privacy attack: Attacker accesses the data that she was notauthorized (e.g., accessing the medical records of another user)

Subversive attack: Attacker manipulates the system (e.g.,submitting bogus insurance claims)

Repudiation: An attacker denies accessing the system

A bank clerk modifies the financial records and later claims thather biometric data was stolen and denies that she is responsible

Contamination (covert acquisition): An attacker illegallyobtains biometric data of genuine users and uses it to accessthe system

Lifting a latent fingerprint and constructing a synthetic finger

Maltoni et al. 2003 &Uludag, Jain 2004 (1)

Six major types of threats

Types of ThreatsTypes of Threats


6/57

6

Collusion: A user with wide super user privileges (e.g.,system administrator) illegally modifies the system

Coercion: An attacker forces a legitimate user to access thesystem (e.g., using a fingerprint to access ATM at a gunpoint)

Denial of Service (DoS): An attacker corrupts the biometricsystem so that legitimate users cannot use it

A server that processes access requests can bebombarded with many bogus access requests, to thepoint where the servers computational resources can not

handle valid requests any more.

Maltoni et al. 2003 &Uludag, Jain 2004 (1)

Types of ThreatsTypes of Threats


7/57

7

Sensor

Feature extractor

Matcher Database

Decision

1

2

3

4

5

8

76

Adapted from Ratha et al. 2001 (1)

Points of attack for a generic biometric system

Attacks Against Biometric SystemsAttacks Against Biometric Systems


8/57

8

Attack 1: A fake biometric (e.g., an artificial finger) is presentedat the sensor

Attack 2: Illegally intercepted data is resubmitted (replay)

Attack 3: Feature detector is replaced by a Trojan horse program

It produces feature sets chosen by the attacker

Attack 4: Legitimate features are replaced with a syntheticfeature set

Attack 5: Matcher is replaced by a Trojan horse program

It produces scores chosen by the attacker

Attack 6: Templates in the database are modified, removed, or

new templates are added Attack 7: The transferred template information is altered in the

communication channel

Attack 8: The matching result (e.g., accept/reject) is overridden

Attacks Against Biometric SystemsAttacks Against Biometric Systems


9/57

9

Attack 1: Synthetic Biometric Submission

No detailed system knowledge or access privileges is necessary Digital protection mechanisms (e.g., encryption) are not

applicable

Putte, Keuning 2000: 6 fingerprint verification systems attacked

5 out of 6 accepted the dummy finger in the first attempt

Dummy finger created withcooperation of the user in a fewhours with liquid silicon rubber

Dummy finger created from a lifted

impression of the finger withoutcooperation of the user in eighthours with silicon cement

Attack ExamplesAttack Examples


10/57

10

Attack 1: Synthetic Biometric Submission

Matsumoto et al. 2002:

11 fingerprint verification systems attacked withartificial gelatin fingerprints

Gelatin fingers accepted with a probability of 67-100%

With cooperation (fingerpressed to plastic mold)

Without cooperation (residualfingerprint lifted from a glass)

live gelatin mold gelatin


11/57

11

Malaysia car thieves steal finger, by Jonathan

Kent, BBC NewsPolice in Malaysia are hunting for members of a violentgang who chopped off a car owner's finger to get round thevehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint

recognition system. Accountant K. Kumaran's ordeal began whenhe was run down by four men in a small car as he was about to getinto his Mercedes in a Kuala Lumpur suburb. The gang, armed withlong machetes, demanded the keys to his car. It is worth around$75,000 second-hand on the local market, where prices are highbecause of import duties.

The attackers forced Mr. Kumaran to put his finger on the securitypanel to start the vehicle, bundled him into the back seat anddrove off. But having stripped the car, the thieves becamefrustrated when they wanted to restart it. They found they againcould not bypass the immobiliser, which needs the owner'sfingerprint to disarm it. They stripped Mr. Kumaran naked and lefthim by the side of the road - but not before cutting off the end ofhis index finger with a machete.

Police believe the gang is responsible for a series of thefts in thearea.

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

Attack 1: Dislocated Biometric Submission

k 2 S


12/57

12

Attack 2: Bypass Sensor

Soutar 2002:

Hill-climbing attack for a simple image recognition system

Matching: Template images create correlation filters,these filters are then used with input images.

Attack: Synthetic images are input to the system:

At each iteration, randomly alter the gray level (8bits) of 64 pixels: if matching score improves, keepthe new image

Continue till the system is compromised

Unknown template image Initial input image Image after 7 millioniterations

Att k 2 B S


13/57

13

Attack 2: Bypass Sensor

Adler 2003:

Hill-climbing attack for three well known commercialface recognition systems

Attack:

Select an initial image from a local database,based on the highest matching score

At each iteration, successively add an eigenfacemultiplied with 6 constants (-3c, -2c, -c, c, 2c,

3c) to the current synthetic image: keep thechange that results in the best matching scoreimprovement

Crop the gray scale values if they are outside theimage capacity (8 bit 0-255 values areallowed)

Continue till the system is compromised

I i i l S S t 2 S t 3I i i l S S t 2 S t 3


14/57

14

Target

Initial System 1 System 2 System 3

Target

Initial System 1 System 2 System 3

Each row correspondsto images at the200th, 500th and

4000th

iterations


15/57

S t Bl k


16/57

16

iD : Database template corresponding to user ij

iT : jth synthetic template generated for user i

1 1 1

2 2 2

ij ij ij

j j ji i i

j j ji i ij

i

n n nj j ji i i

r c

r cT

r c

=

( , )ji iS D T : Matching score between Di &Tij

ijn : Number of minutia in Tij

TemplateDatabase

Output

Attack System Target System

FingerprintMatcher

SyntheticTemplateGenerator

AttackModule

j

iT

iD

( , )j

i iS D T

System BlockDiagram

Attack Steps


17/57

17

Attack Steps

Step 1 (Initial guess): Generate a fixed number (say 100) of

synthetic templates: Ti1, Ti2 , , Ti100 with 25 minutiae

Step 2 (Try all initial guesses): Attack user account with thetemplates; accumulate the matching scores: S(Di,Ti

1), S(Di,Ti2),

, S(Di,Ti100)

Step 3 (Choose the best): Pick the best guess (Tibest) and the

corresponding score (Sbest(Di))

Step 4 (Modify): Modify Tibest by

(A) perturbing an existing minutia

(B) adding a new minutia

(C) replacing an existing minutia; and

(D) deleting an existing minutia

Update Tibest and Sbest(Di), if score improves

Step 5 (Loop): Repeat Step 4 until success (Sbest(Di) > Sthreshold)

or until a predefined umber of attempts is reached

Modifying the Input Template


18/57

18


(A) Perturb an existing minutiae: Pick a minutiae randomly:

With 0.5 probability, perturb the location (randomly to aneighboring cell); leave the angle intact

With 0.5 probability, perturb the angle (randomly to a

neighbor angle quantum); leave the location intact We want to see the effect of a single move operation

perturb location perturb angle


19/57

19

(B) Add a new minutiae:

Add a randomly generated (r,c, ) minutiae to thecurrent synthetic template

(C) Replace an existing minutiae with a new minutiae:

Pick a minutiae randomly and delete it. Add arandomly generated (r,c, ) minutiae to the currentsynthetic template

(D) Delete an existing minutiae:

Pick a minutiae randomly and delete it


Fingerprint Class Prior Probabilities


20/57

20

Fingerprint Class Prior P robabilities

Attacker guesses the class of the target template accordingto the prior probabilities:

P(ATA) = 0.066, P(LL) = 0.338, P(RL) = 0.317, P(W) = 0.279

Arch Tented arch Left loop

Right loop WhorlMaltoni et al. 2003

core

delta

Class-conditional Minutiae Presence Probabilities


21/57

21

Class conditional Minutiae Presence Probabilities

Minutiae can be generated with uniform spatial probabilityon a 2D grid

Inter-ridge distance is 9 pixels, 300x300 target images have33x33 blocks: hence, uniform probability dictates that aminutia can occur in any block with 0.00092 probability


22/57

22

Experiment:

NIST 4 database; contains fingerprint images for 4classes: LL, RL, W, T

For each of the 4 classes:

Find the minutiae locations (r,c)

Find the core location

Register images based on core

Estimate the spatial probability of minutiae byaccumulating the minutiae evidence on a 2D grid,using registered minutiae sets

Class-conditional Minutiae Presence Probabilities

Minutiae Presence Probabilities for Left Loop


23/57

23

Minutiae Presence Probabilities for Left Loop

Original (histogram-based) smoothed

3x3 box filter is used for smoothing the original PDF s

f


24/57

24

smoothed

Minutiae Presence Probabilities for Right Loop

Original (histogram-based)

Mi ti P P b biliti f Wh l


25/57

25

smoothed

Minutiae Presence Probabilities for Whorl


Minutiae Presence Probabilities for Arch


26/57

26

smoothed

Minutiae Presence Probabilities for Arch


Minutiae Presence Probabilities: 2D images


27/57

27

Minutiae Presence Probabilities: 2D images

LL RL

W ATA

Fingerprint Orientation Fields


28/57

28

LL

RL

g p

Used to estimate the orientation of the synthetic minutiae

Fingerprint Orientation Fields


29/57

29

W

ATA

g p

Experimental Results


30/57

30

160 users, 4 impressions/finger; used VERIDICOM capacitive

sensor, 500 dpi, 300x300 images; avg. # of minutiae = 25 Operating point of the system: FAR = 0.1%, GAR = 87.6%

FAR & FRR vs.threshold

ROCcurve

operating

point

threshold=12.22



31/57

31

FAR=0.1% implies that, on the average, 1 in 1,000imposter attempts will be accepted as a genuine match

Attacker broke all the 160 user accounts with much fewerthan 1,000 attempts/account

The minimum, mean, and the maximum number ofrequired attempts are: 128, 195, and 488, respectively

The minimum, mean, and the maximum number of

minutiae in the templates that broke the accounts are: 10,14.2, and 21

The minimum, mean and the maximum number ofmatching minutiae between the original template and the

templates that broke the accounts are: 5, 6.8, and 10


Histogram of Number of Attempts


32/57

32

Attempt #: minimum: 128, mean: 195, maximum: 488

Needed to Crack an Account

Sample Account: account# 11


33/57

33

Original image with minutiae

Progression of matching scores

Synthetic () and original (o) minutiae

Account broken at iteration# 192: originaltemplate has 16 minutia; synthetictemplate has 10 minutia; 5 minutiaematch; final matching score: 13.3.

Evolution of the Synthetic Template


34/57

34

Original image withminutiae

Best initial guess(score: 5.6)

Iteration 192(score: 13.3)

Iteration 125(score: 7)



Attacks 6 & 7: Generate Biometric from Template Data


35/57

35

Attacks 6 & 7: Generate Biometric from Template Data

Hill 2001:

Synthetic images generated from reverse engineeredminutiae template data from a commercial (undisclosed)fingerprint authentication system:

Author accessed unencrypted template data from acomputer hard drive

The format of the accessed template discovered bytrial/error and by introducing controlled changes in

input images. For each minutiae, its 2D location,angle and ridge curvature was found

Orientation field of the target image estimated basedon core and delta point locations.

Lines starting at minutiae points are drawn, bytaking into account the orientation field

Synthetic images are not very realistic, but still theywere accepted as genuine template images

Hill 2001:


36/57

36

Target images Synthetic images

Attack 6 & 7: Generate Biometric from Template Data


37/57

37

Ross et al. 2005:

Synthetic images are generatedfrom minutiae location andangle:

Use minutia triplets andestimate orientation fieldsinside the triangles usingminutiae angles at 3 vertices

A neural network is used toestimate the fingerprint classfrom features of minutiaepairs

Estimated orientation fieldsare used as inputs to Gabor-like filters to generatesynthetic images

?

Ross et al 2005:


38/57

38

Original image Synthetic imageEstimated orientation field

Ross et al. 2005:

Solutions to AttacksSolutions to Attacks


39/57

39

Solution to Attack 1: Fingerprint Liveness Detection

Hardware-based systems:

Temperature: The temperature of the epidermis is about8-10 0C above the room temperature

Conductivity: Typical skin conductivity is nearly 200 kOhm.

Dielectric constant: Relative Dielectric Constant of humanskin (in the range 20-50) is different from that of silicon

Heart Beat: Can be used against fingers from cadavers

Lumidigm: Analyzes signals thatare backscattered from skin layerswhen illuminated with multiplewavelengths of visible and near-

infrared light

Solution to Attack 1: Fingerprint Liveness Detection


40/57

40

Derakhshani et al. 2003:

Software-based system

Static (periodicity of sweat pores along the ridges) anddynamic (sweat diffusion pattern along the ridges over

time) features are used for liveness detection Input to liveness detection module is 5 sec. video of the

finger

Live fingers, fingers from cadavers, and dummy fingers

made up ofplay dough are used in the experiments Neural network is trained for classification:

Static method leads to an Equal Error Rate (EER) of

nearly 10%; dynamic methods lead to EER of11-39% False accept: cadaver/dummy finger classified as live

False reject: live finger classified as cadaver/dummy

Derakhshani et al. 2003: Image @ t=0 s. Image @ t=5 s.


41/57

41

Live finger

Cadaver finger

Dummy finger

Solution to Attack 2: Eliminate Replay


42/57

42

Ratha et al. 2001 (1): A challenge-response based system guarantees that image

is really coming from the fingerprint sensor (i.e., theattacker has not bypassed the sensor):

Server generates a pseudo-random challenge aftertransaction gets initiated by the client

Secure server sends the challenge to intelligent sensor

The sensor acquires the fingerprint image andcomputes the response to the challenge

The challenge can be the checksum of a segment of theimage, a set of samples from the image, etc.

The response and the sensed image are sent to theserver

The validity ofresponse/image pair is checked

Ratha et al. 2001 (1):


43/57

43

Assume that the challenge C is: Image pixel values atlocations (10,10), (20,20) and (50,50)

The sensor computes the response to the challenge using theimage it acquires (I): assume this response is: C(I) = 100,

85, 240 Assume an attacker is replaying a previously intercepted

image (I*), bypassing the sensor image (I)

Server computes C(I*) = 120, 60, 110

Since C(I) C(I*), validity check fails

Solution to Attacks 2 & 4: Eliminate Hill-Climbing

S t 2002


44/57

44

Soutar 2002:

Do not reveal the actual matching scores; only reveal acoarsely quantized version:

This may render the hill-climbing based attackinfeasible or impossible

Unknowntemplate image

Initial input image

Images after 7 millioniterations

Withoutquantization

Withquantization

Soln. to Attacks 6 & 7: Protect Templates via CancelableBiometrics


45/57

45

Ratha et al. 2001 (2):

Apply repeatable (but noninvertible) distortions to thebiometric signal or the feature vector:

If a specific representation of biometric template iscompromised, replace that distortion with another onefrom a distortion database.

Every application can use different distortions (e.g.,health care, visa) so the privacy concerns related todatabase sharing between institutions can be addressed

image morphing block scrambling

Solutions to Attacks 6 & 7: Watermarking Templates


46/57

46Paper watermark and mold used to generate the watermark

Digital Watermarking:

Embed extra information (e.g., origin, access level,destination) into the host data itself.

Applications: Copyright protection, authentication, datamonitoring, transmission of value-added services

Traditional Watermarking:

Digital Watermarking in Biometrics


47/57

47

Yeung, Pankanti 1999:

Use fragile watermarking (if the image is altered,watermark is changed) of fingerprint images to verifyintegrity:

The decoded mark can indicate image alteration after it has

been marked by an authorized agent (i.e., a secure sensor) Watermark insertion: Merge input image I(i,j) with a

watermark image W(i,j) to produce the watermarkedimage I(i,j):

Each pixel is input to a watermark extraction WX() functionto yield extracted watermark value b(i,j). If b(i,j) is equal toW(i,j), the processing moves to the next source pixel. If not,the value of pixel at (i,j) is modified until they are equal.

Watermark extraction: Apply WX() to the watermarkedimage I(i,j) to produce output watermark image b(i,j).

The tampering of the watermarked image leads to distortionsin the decoded watermark image.


48/57


49/57

Fi i t

Jain, Uludag 2003:


50/57

50

Fingerprint analysisFingerprint

image

Watermark encoder Secret keyE-face coeff.

Watermarked fingerprint

Database

Watermark decoder Secret key

Authentication

Decision

Recovered face imageReconstructed fingerprint

Watermark Embedding


51/57

51

( ) ( ) ( ) ( )

( ) ( )

( )

, ,

, , 2 1 , 1 1 ,

SD GM

WM

P i j P i j

P i j P i j s P i j q i jA B

= + + +

),( jiPWM : watermarked pixel value

),( jiP : original pixel values: watermark bit value ([0,1])

q: watermark embedding strength

),( jiPSD

: standard deviation around (i,j)

: weight for SD

: weight for GM

),( ji : feature factor ([0,1])

Locations: generated randomly;generator is initialized with secretkey.

Redundancy: every bit isembedded to multiple locations.

Reference bits: Two bits (0 & 1)are also embedded in addition to

watermark data.),( jiP

GM

: gradient magnitude at (i,j)

Watermark Decoding


52/57

52

Secret key used in encoding generates locations:

( ) ( ) ( ) ( )

++ +=

==

jiPkjiPjkiPjiPWM

kWM

kWM

,2,,8

1,

2

2

2

2

( )jiP , : estimated pixel valuehost image (e.g., fingerprint)reconstruction

( ) ( )jiPjiPWM

,, = : watermarked-estimated pixel difference

: difference average for an individual watermark bit

0R

1R : difference averages for two reference bits, 0 and 1, respectively,

: estimated watermark bit

decoded data(e.g., eigen-facecoefficients)

+

>=otherwise.0

2if1

10

s

RR



53/57

53

input face

watermark face

eigen-facecoefficients

minutiae overlaid host

fingerprint

minutiae feature image

ridge feature image watermarked image

watermarked image

reconstructed face

minutiae

overlaid

reconstructed

fingerprint


54/57

54

minutiae featurebased

ridge feature

based

watermarkedoriginal Inverted difference

-

-

=

=

SummarySummary


55/57

55

Security of biometric systems is of major concern

An attack on a biometric system can result in loss ofprivacy, monetary damage, and security breach

Biometric systems are vulnerable to a number of attacks

These attacks are rather simple to implement and aremore successful than biometric experts imagined

Solutions to these attacks exist, but there is still room forimprovement.

New security problems associated with biometric systems

may be identified as their use becomes more widespread In spite of this, biometric systems offer better security than

existing approaches and serve as a deterrent

Ratha et al 2001 (1): N K Ratha J H Connell and R M Bolle An analysis

ReferencesReferences


56/57

56

Ratha et al. 2001 (1): N.K. Ratha, J.H. Connell, and R.M. Bolle, An analysisof minutiae matching strength, Proc. AVBPA 2001, pp. 223-228.

Maltoni et al. 2003: D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar,Handbook of Fingerprint Recognition, Springer, 2003.

Uludag, Jain 2004 (1): U. Uludag and A.K. Jain, Attacks on biometricsystems: a case study in fingerprints, Proc. SPIE-EI 2004, Security,

Steganography and Watermarking of Multimedia Contents VI, vol. 5306, pp.622-633.

Putte, Keuning 2000: T. Putte and J. Keuning, Biometrical fingerprintrecognition: dont get your fingers burned, Proc. IFIP TC8/WG8.8, Fourth

Working Conf. Smart Card Research and Adv. App., pp. 289-303, 2000. Matsumoto et al. 2002: T. Matsumoto, H. Matsumoto, K. Yamada, and S.

Hoshino, Impact of Artificial Gummy Fingers on Fingerprint Systems, Proc.of SPIE, Optical Security and Counterfeit Deterrence Techniques IV, vol. 4677,pp. 275-289, 2002.

Soutar 2002: C. Soutar, Biometric system security,http://www.bioscrypt.com/assets/security_soutar.pdf

Adler 2003: A. Adler, Sample images can be independently restored fromface recognition templates, http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf

Uludag Jain 2004 (2): U Uludag and A K Jain Fingerprint Minutiae Attack

ReferencesReferences


57/57

57

Uludag, Jain 2004 (2): U. Uludag and A.K. Jain, Fingerprint Minutiae AttackSystem, The Biometric Consortium Conference, Virginia, September 2004.

Hill 2001: C.J. Hill, Risk of masquerade arising from the storage ofbiometrics, B.S. Thesis, http://chris.fornax.net/biometrics.html

Ross et al. 2005: A. Ross, J. Shah, A. Jain, Towards Reconstructing

Fingerprints From Minutiae Points, Submitted to SPIE Biometrics Conference,2005.

Derakhshani et al. 2003: R. Derakhshani, S.A.C. Schuckers, L.A. Hornak, andL.O. Gorman, Determination of vitality from a non-invasive biomedicalmeasurement for use in fingerprint scanners, Pattern Recognition, vol. 36,

pp. 383-396, 2003.

Ratha et al. 2001 (2): N.K. Ratha, J.H. Connell, and R.M. Bolle, Enhancingsecurity and privacy in biometrics-based authentication systems, IBMSystems Journal, vol. 40, no. 3, pp. 614-634, 2001.

Yeung, Pankanti 1999: M.M. Yeung and S. Pankanti, Verification watermarkson fingerprint recognition and retrieval,Proc. SPIE EI 1999, vol. 3657, pp.66-78.

Jain, Uludag 2003: A. K. Jain and U. Uludag, Hiding biometric data, IEEE

Trans. PAMI, vol. 25, no. 11, pp. 1494-1498, November 2003.

Bio Metric System Security

Documents