Biometric Security Pieter.Hartel@utwente.nl

Dec 17, 2015


Cameron May
Page 1: Biometric Security Pieter.Hartel@utwente.nl. IIS 2 Problem People use weak passwords People write the pin code on their bank card Biometrics cannot be.

Biometric Security

Pieter.Hartel@utwente.nl


Problem

People use weak passwords

People write the pin code on their bank card

Biometrics cannot be “forgotten” and you do not have to “think of it”


Personal Identification

Associating an individual with an identity:

Something you have
» Token, smart card

Something you know
» Password, pin

Something you are:
» Physiological
» Behavioural


Forms of Identification

Authentication (aka Verification)
» Am I who I claim to be?

Recognition (aka Identification)
» Who am I?
» Harder than Authentication (why?)


Physiological or Behavioural?

[Jai00] A. K. Jain, L. Hong, and S. Pankanti. Biometric identification. Commun. ACM, 43(2):90-98, Feb 2000. http://doi.acm.org/10.1145/328236.328110


Sample Application Areas

Forensic                  Civilian                     Commercial
Criminal investigation    National ID                  ATM (India), POS (AH)
Corpse identification     Driver's license (Oklahoma)  Credit card (Singapore)
Parenthood determination  Welfare disbursement         Laptop login


Verification

Verification is easier than identification…


Two examples

Hand geometry

Fingerprint


Hand Geometry (Hand Key)


Measure your Right hand


FBI classification

What is your right hand index finger?

Arch Whorl Loop Accidental


Fingerprint matching

Ridge thinning & extraction

Minutiae (bifurcation, end point) detection

Ridge based alignment & overlaying


Desired Characteristics

Biometric
» Universal
» Unique
» Permanent
» Collectable

System
» Performance
» Acceptability
» Circumvention

[Put00] T. van der Putte and J. Keuning. Biometrical fingerprint recognition: Don't get your fingers burned. In 4th Int. IFIP wg 8.8 Conf. Smart card research and advanced application (CARDIS), pages 289-303, Bristol, UK, Sep 2000. Kluwer Academic Publishers, Boston, Massachusetts. http://www.keuning.com/biometry/Biometrical_Fingerprint_Recognition.pdf

Watch this video


Some Comparisons

Biometrics     Universality  Uniqueness  Permanence  Collectability  Performance  Acceptability  Circumvention
Face           high          low         med.        high            low          high           low
Fingerprint    med.          high        high        med.            high         med.           high
Hand Geometry  med.          med.        med.        high            med.         med.           med.
Iris           high          high        high        med.            high         low            high
Signature      low           low         low         high            low          high           low
Voice Print    med.          low         low         med.            low          high           low


Biometrics is not perfect

High False Accept rate is bad for high security applications -- dangerous

High False Reject rate is bad for high usability applications -- annoying

       accept                        reject
true   Alice is recognised as Alice  Bob is not recognised as Alice
false  Bob is recognised as Alice    Alice is not recognised as Alice


Receiver Operating Characteristics

[Figure: ROC curve. Horizontal axis: False Reject Rate, low to high. Vertical axis: False Accept Rate, low to high.]
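An added example (not from the original slides) of the trade-off above: it sweeps the decision threshold over constructed genuine and impostor match scores and returns the False Accept Rate and False Reject Rate at each point, which is what the ROC curve plots. The scores, the 0..100 scale and all function names are assumptions made for illustration.

```python
# Constructed similarity scores on a 0..100 scale; higher means a closer match.
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 58, 52]    # Alice presented as Alice
IMPOSTOR = [12, 18, 25, 31, 36, 41, 47, 55, 61, 68]   # Bob presented as Alice


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(s >= threshold for s in impostor)   # Bob recognised as Alice
    false_rejects = sum(s < threshold for s in genuine)     # Alice not recognised as Alice
    return false_accepts / len(impostor), false_rejects / len(genuine)


def roc(thresholds=range(0, 101, 5)):
    """One (threshold, FAR, FRR) point per threshold: the data behind the ROC curve."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_threshold(thresholds=range(0, 101)):
    """First threshold at which FAR and FRR are closest to each other."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def threshold_for_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR stays within max_far (high-security tuning)."""
    return next(t for t in thresholds if rates(t)[0] <= max_far)


if __name__ == "__main__":
    for t, far, frr in roc():
        print(f"threshold={t:3d}  FAR={far:.1f}  FRR={frr:.1f}")
    t = threshold_for_far(0.0)
    print("FAR=0 needs threshold", t, "at the cost of FRR", rates(t)[1])
```

Raising the threshold moves along the curve towards fewer false accepts and more false rejects; no threshold removes both unless the two score distributions do not overlap.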


Security


Attacks

How many templates do you have?


Template protection

Requirements
» Diversity (no cross matching of databases, for privacy)
» Revocability (easy to replace template)
» Security (hard to obtain the original)
» Performance (matching must be robust)

Why does encryption not work?

Two examples
» Non-invertible transforms
» Fuzzy commitment

[Jai08] A. K. Jain, K. Nandakumar, and A. Nagar. Biometric template security. EURASIP Journal on Advances in Signal Processing, 2008:579416, 2008. http://dx.doi.org/10.1155/2008/579416


Non invertible transform

User specific transformation (revocability)

Locally smooth translation outside matcher tolerance (performance)

Globally non smooth (security)

[Rat06] N. Ratha, J. Connell, R. M. Bolle, and S. Chikkerur. Cancelable biometrics: A case study in fingerprints. In 18th Int. Conf. on Pattern Recognition (ICPR), volume 4, pages 370-373, Hong Kong, China, Aug 2006. IEEE Computer Society. http://dx.doi.org/10.1109/ICPR.2006.353

“crumple”


Example

Fuzzy commitment

Idea
» Use biometric template: x
» As a corrupted code word: c = x - δ

The commitment is
» Hash code word for security: h(c)
» Leave distance in clear for fuzziness: δ

Verification
» Measure: x’
» Compute: c’ = decode(x’ - δ)
» Match if h(c’) = h(c)

[Jue99a] A. Juels and M. Wattenberg. A fuzzy commitment scheme. In 6th ACM conf. on Computer and communications security (CCS), pages 28-36, Kent Ridge Digital Labs, Singapore, 1999. ACM. http://doi.acm.org/10.1145/319709.319714

[Figure: grid with axis ticks at 100, 200 and 100, 200, 300; labels x, x’, c, δ, δ, c’?]
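An added example (not from the original slides or from [Jue99a]) that carries the scheme above through with the slide's symbols: the code words are assumed to be grid points at multiples of 100 in every coordinate, as the figure's tick marks suggest, and decode rounds to the nearest grid point. The feature vectors are constructed, and the four-dimensional grid is far too small to resist a search over h(c) in practice.

```python
import hashlib
import hmac
import secrets

STEP = 100   # assumption: code words are the grid points 0, 100, 200, ... per coordinate
GRID = 10    # assumption: code word coordinates range over 0 .. GRID*STEP

# Constructed feature vectors (illustrative only).
ENROLLED = [132, 271, 188, 305]          # x, measured at enrollment
GENUINE_SAMPLE = [120, 290, 160, 330]    # x', same person, every coordinate off by < 50
IMPOSTOR_SAMPLE = [132, 271, 188, 380]   # one coordinate off by 75


def h(codeword):
    """Hash of a code word; only this digest is stored, never c or x."""
    return hashlib.sha256(",".join(map(str, codeword)).encode()).digest()


def decode(v):
    """Nearest code word: round each coordinate to the closest multiple of STEP."""
    return [STEP * ((vi + STEP // 2) // STEP) for vi in v]


def commit(x):
    """Enrollment: pick a random code word c and store (h(c), delta), delta = x - c."""
    c = [STEP * secrets.randbelow(GRID + 1) for _ in x]
    delta = [xi - ci for xi, ci in zip(x, c)]
    return h(c), delta


def verify(x_new, commitment):
    """Verification: c' = decode(x' - delta); match if h(c') = h(c)."""
    h_c, delta = commitment
    c_new = decode([xi - di for xi, di in zip(x_new, delta)])
    return hmac.compare_digest(h(c_new), h_c)


if __name__ == "__main__":
    commitment = commit(ENROLLED)
    print("genuine accepted: ", verify(GENUINE_SAMPLE, commitment))
    print("impostor accepted:", verify(IMPOSTOR_SAMPLE, commitment))
    # Revocation: enrolling again draws a fresh c, so the stored pair changes.
    print("new commitment differs:", commit(ENROLLED) != commitment)
```

Because c is a multiple of 100, the stored δ reveals each feature's offset within its grid cell; what stays hidden is which code word was chosen.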


Template protection application

[Buh07] I. R. Buhan, J. M. Doumen, P. H. Hartel, and R. N. J. Veldhuis. Secure ad-hoc pairing with biometrics: SAfE. In 1st Int. Workshop on Security for Spontaneous Interaction (Ubicomp 2007 Workshop Proceedings), pages 450-456, Innsbruck, Austria, Sep 2007. http://www.comp.lancs.ac.uk/iwssi2007/papers/iwssi2007-02.pdf


Secure ad-hoc pairing

Suppose two people meet
» Who have never met before
» There is no TTP and/or they are not online
» They are not technical
» They would like to exchange data
» Concerned about eavesdropper

How to do this?
» Biometrics
» Shielding function as fuzzy extractor
» Protocol with novel “related key attack”


Idea: Take each other’s photo

[Figure: protocol diagram. Enrollment: ma=0110..., mb=1101..., wa, wb. Radio: wb, wa. Verification: mb=decode( , ), Alice has ma,mb; ma=decode( , ), Bob has ma,mb.]


Coping with noise

Problem:
» Alice gets m’b close to mb but not the same
» The same for Bob...

Solution:
» During enrollment calculate error profiles
» Cryptanalysis using those profiles to recover the correct key
» More work for eavesdropper


Usability

Compare Pin to SAFE

30 subjects: questionnaire + interview

Mainly CS

Results


Conclusions

Identification or verification

Complements password and token

Systems getting affordable

Biggest problems:
» Performance
» Public acceptance

Biometrics is fun