The Biometric Dilemma
Rick Smith, Ph.D., CISSP, Secure Computing, 28 October 2001

Apr 01, 2015

Transcript
Page 1: The Biometric Dilemma

Secure Computing

Rick Smith, Ph.D., CISSP

rick_smith@securecomputing.com

28 October 2001

(Slide footer: R. Smith - Biometric Dilemma, July 2002)

Page 2: Outline

• Biometrics: Why, How, How Strong
  – Attacks, FAR, FRR, Resisting trial-and-error
• Server-based Biometrics
• Attacking a biometric server
  – Digital spoofing, privacy intrusion, latent print reactivation
• Token-based Biometrics
• Physical spoofing
  – Voluntary and involuntary spoofing
• Summary

Page 3: Biometrics: Why?

• Eliminate memorization –
  – Users don’t have to memorize features of their voice, face, eyes, or fingerprints
• Eliminate misplaced tokens –
  – Users won’t forget to bring fingerprints to work
• Can’t be delegated –
  – Users can’t lend fingers or faces to someone else
• Often unique –
  – Save money and maintain database integrity by eliminating duplicate enrollments

Page 4: The Dilemma

They always look stronger and easier to use than they are in practice

• Enrollment is difficult
  – Easy enrollment = unreliable authentication
  – Measures to prevent digital spoofing make even more work for administrators, almost a “double enrollment” process
• Physical spoofing is easier than we’d like
  – Recent examples with fingerprint scanners, face scanners

Page 5: Biometrics: How?

Measure a physical trait
• The user’s fingerprint, hand, eye, face

Measure user behavior
• The user’s voice, written signature, or keystrokes

From Authentication © 2002. Used by permission

Page 6: Biometrics: How Strong?

Three types of attacks
• Trial-and-error attack
  – Classic way of measuring biometric strength
• Digital spoofing
  – Transmit a digital pattern that mimics that of a legitimate user’s biometric signature
  – Similar to password sniffing and replay
  – Biometrics can’t prevent such attacks by themselves
• Physical spoofing
  – Present a biometric sensor with an image that mimics the appearance of a legitimate user

Page 7: Biometric Trial-and-Error

How many trials are needed to achieve a 50-50 chance of producing a matching reading?

• Typical objective: 1 in 1,000,000 (2^19)
• Some systems achieve this, but most aren’t that accurate in practical settings
• Team-based attack
  – A group of individuals take turns pretending to be a legitimate user (5 people × 10 fingers = 50 fingers)

Page 8: Passwords: A Baseline

Example                            Type of Attack            Average Attack Space
Random 8-character Unix password   Interactive or Off-Line   2^45
Dictionary Attack                  Interactive or Off-Line   2^15 to 2^23
Mouse Pad Search                   Interactive               2^1 to 2^4
Worst Case                                                   2^1

Page 9: Biometric Authentication

• Compares user’s signature to previously established pattern built from that trait
• “Biometric pattern” file instead of password file
• Matching is always approximate, never exact

From Authentication © 2002. Used by permission

Page 10: Pattern Matching

We compare how closely a signature matches one user’s pattern versus another’s pattern

From Authentication © 2002. Used by permission

Page 11: Matching Self vs. Others

From Authentication © 2002. Used by permission

Page 12: Matching in Practice

FAR = recognized Bob instead; FRR = doesn’t recognize me

From Authentication © 2002. Used by permission

Page 13: Measurement Trade-Offs

We must balance the FAR and the FRR
• Lower FAR = Fewer successful attacks
  – Less tolerant of close matches by attackers
  – Also less tolerant of authentic matches
  – Therefore – increases the FRR
• Lower FRR = Easier to use
  – Recognizes a legitimate user the first time
  – More tolerant of poor matches
  – Also more tolerant of matches by attackers
  – Therefore – increases the FAR

Equal error rate = point where FAR = FRR

Page 14: Trial and Error in Practice

Example                              Type of Attack   Average Attack Space
Biometric with 1% FAR                Team             2^6
Biometric with 0.01% FAR             Team             2^12
Biometric with “One in a million”    Team             2^19

• Higher security means more mistakes
  – When we reduce the FAR, we increase the FRR
  – More picky about signatures from legitimate users, too
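
The FAR/FRR trade-off and the attack-space figures on the two slides above can be worked through in code. This is an added example, not part of the original slides: the match-distance samples are constructed, and the attack space is approximated as 1/(2 × FAR) trials, an assumption that reproduces the 2^6, 2^12 and 2^19 entries when rounded.

```python
import math
import random


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a reading is accepted if its distance <= threshold."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """FAR and FRR at each candidate threshold, as (threshold, FAR, FRR) rows."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_row(rows):
    """Row where FAR and FRR are closest: the equal error rate operating point."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))


def attack_space_bits(far):
    """Average attack space in bits, assuming about 1/(2*FAR) trials give a
    50-50 chance of a false accept (assumption; it matches the slide's table)."""
    if far <= 0:
        return math.inf  # no false accept observed in this sample
    return math.log2(1 / (2 * far))


def make_scores(seed=2002, n=5000):
    """Constructed sample data: match distances for the enrolled user's own
    readings (genuine) and for other people's readings (impostor)."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.30, 0.08) for _ in range(n)]
    impostor = [rng.gauss(0.70, 0.10) for _ in range(n)]
    return genuine, impostor


if __name__ == "__main__":
    genuine, impostor = make_scores()
    rows = sweep(genuine, impostor, [i / 100 for i in range(30, 71)])
    for t, far, frr in rows[::5]:
        print(f"threshold={t:.2f}  FAR={far:.4f}  FRR={frr:.4f}  "
              f"attack space ~2^{attack_space_bits(far):.1f}")
    t, far, frr = equal_error_row(rows)
    print(f"equal error rate near threshold {t:.2f}: FAR={far:.4f}  FRR={frr:.4f}")
    for far in (0.01, 0.0001, 0.000001):  # the three FAR values from the slide
        print(f"FAR={far}: about 2^{round(attack_space_bits(far))} trials")
```

Tightening the threshold moves down the FAR column and up the FRR column at the same time, which is the slide's point that a larger attack space is paid for with more rejected legitimate users.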

Page 15: Biometric Enrollment

• How it works
  – User provides one or more biometric readings
  – The system converts each reading into a signature
  – The system constructs the pattern from those signatures
• Problems with biometric enrollment
  – It’s hard to reliably “pre-enroll” users
  – Users must provide biometric readings interactively
• Accuracy is time consuming
  – Take trial readings, build tentative patterns, try them out
  – Take more readings to refine patterns
  – Higher accuracy requires more trial readings

Page 16: Compare with Password or Token Enrollment

• Modern systems allow users to self-enroll
  – User enters some personal authentication information
  – Establish a user name
  – Establish a password: system generated or user chosen
  – Establish a token: enter its serial number
• Password enrollment is comparatively simple
• Tokens require a database associating serial numbers with individual authentication tokens
  – Database is generated by token’s manufacturer
  – Enrollment system uses it to establish user account
  – Token’s PIN is managed by the end user

Page 17: Biometric Privacy

• The biometric pattern acts like a password
  But biometrics are not secrets
• Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
• Users can’t change biometrics if someone makes a copy
• We can trace people by following their biometrics as they’re saved in databases

Page 18: Server-based biometrics

• Boring but important
• Some biometric systems require servers
  – When you need a central repository
  – Identification systems (FBI’s AFIS)
  – Uniqueness systems (community social service orgs)

From Authentication © 2002. Used by permission

Page 19: Attacking Server Biometrics

From Authentication © 2002. Used by permission

Page 20: Attacks on Server Traffic

• Attack on privacy of a user’s biometrics
  – Defense = encryption while traversing the network
• Attack by spoofing a digital biometric reading
  – Defense = authenticating legitimate biometric readers

Both solutions rely on trusted biometric readers

From Authentication © 2002. Used by permission

Page 21: Trusted Biometric Reader

• Blocks either type of attack on server traffic
• Security objective – reliable data collection
• Must embed a cryptographic secret in every trusted reader
  – Increased development cost
  – Increased administrative cost – administrators must keep the reader’s keys safe and up-to-date
• Must enroll both users and trusted readers
  – “Double enrollment”
  – Database of device keys from biometric vendor
  – One device per workstation is often like one per user
  – Standard tokens are traditionally lower-cost devices
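
One way a server can authenticate readings from enrolled readers, as an added example that is not from the original slides or any vendor's product. The reader IDs, message layout, HMAC-SHA256 tag and one-time challenge are assumptions chosen for illustration; encrypting the reading in transit (the privacy defense) is assumed to be handled separately by the transport.

```python
import hashlib
import hmac
import os
import struct


def reading_tag(key, reader_id, nonce, reading):
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (reader_id.encode(), nonce, reading):
        mac.update(struct.pack(">I", len(field)) + field)
    return mac.digest()


class TrustedReader:
    """A reader holding the cryptographic secret embedded in the device."""

    def __init__(self, reader_id, key):
        self.reader_id = reader_id
        self._key = key

    def submit(self, nonce, reading):
        tag = reading_tag(self._key, self.reader_id, nonce, reading)
        return self.reader_id, nonce, reading, tag


class BiometricServer:
    """Server side of the 'double enrollment': it knows every reader's key."""

    def __init__(self, device_keys):
        self._device_keys = dict(device_keys)  # reader_id -> key (vendor database)
        self._pending = {}                     # outstanding one-time challenges

    def challenge(self, reader_id):
        nonce = os.urandom(16)
        self._pending[nonce] = reader_id
        return nonce

    def verify(self, reader_id, nonce, reading, tag):
        key = self._device_keys.get(reader_id)
        if key is None:
            return "reject: reader not enrolled"
        # pop() consumes the challenge, so a captured message cannot be replayed
        if self._pending.pop(nonce, None) != reader_id:
            return "reject: challenge unknown or already used"
        if not hmac.compare_digest(reading_tag(key, reader_id, nonce, reading), tag):
            return "reject: bad tag"
        return "ok: reading came from an enrolled reader"


def demo():
    """Run four constructed cases and return the server's verdict for each."""
    key = os.urandom(32)
    server = BiometricServer({"reader-07": key})
    reader = TrustedReader("reader-07", key)
    reading = b"constructed-signature-bytes"  # stands in for a biometric signature

    results = {}
    message = reader.submit(server.challenge("reader-07"), reading)
    results["legitimate"] = server.verify(*message)
    results["replayed"] = server.verify(*message)  # same bytes sent again

    nonce = server.challenge("reader-07")
    results["injected"] = server.verify("reader-07", nonce, reading, b"\x00" * 32)

    rogue = TrustedReader("reader-99", os.urandom(32))  # never enrolled
    results["unenrolled"] = server.verify(
        *rogue.submit(server.challenge("reader-99"), reading))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:11s} {verdict}")
```

The per-reader key table in `BiometricServer` is the administrative cost the slide describes: every key in it has to be provisioned, protected and kept current alongside the user patterns.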

Page 22: Another Server Attack

• Experiments in the US and Germany
• Willis and Lee of Network Computing Labs, 1998
  – Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998
• Thalheim, Krissler, and Ziegler, 2002
  – Reported in “Body Check,” C’T (Germany)
  – http://www.heise.de/ct/english/02/11/114/
• Attack on “capacitive” fingerprint sensors
  – Measures change in capacitance due to presence or absence of material with skin-like response
  – 65Kb sensor collects ~20 minutiae from fingerprint
  – Traditional techniques use 10-12 for identification
• Attack exploits the fatty oils left over from the last user logon

Page 23: Latent Finger Reactivation

• Three techniques
  – Oil vs. non-oil regions return difference as humidity increases
1. Breathe on the sensor (Thalheim, et al)
  – You can watch the print reappear as a biometric image
  – Works occasionally
2. Use a thin-walled plastic bag of warm water
  – More effective, but not 100%
  – Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al)
  – Attach clear tape to the dust
  – Press down on the sensor
  – Most reliable technique – almost 100% success rate (Thalheim)

Page 24: This Shouldn’t Work

• According to Siemens – vendor of the “ID Mouse” used in those examples –
  – Authentication procedure remembers the last fingerprint used
  – System rejects a match that’s “too close” to the last reading as well as a match that’s “too far” from the pattern
• Observations
  1. Defense didn’t work in these experiments
  2. Tape can be repositioned to create a ‘different’ reading
  3. Hard to track through multiple biometric readers
    – Assume the user logs in at multiple locations over time
    – Then the latent image on some reader is not the most recent one accepted for login
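
The two-sided check and the third observation can be seen in a small model. This is an added example, not Siemens' implementation: the feature vectors, both thresholds and the per-reader memory option are assumptions, and all readings are constructed. It compares a matcher that remembers only the single most recent accepted reading with one that remembers the last accepted reading for each reader.

```python
import math


class LastReadingCheck:
    """Accept a reading only if it is near the enrolled pattern but not a
    near-exact repeat of the last accepted reading (thresholds are assumed)."""

    def __init__(self, pattern, too_far=0.30, too_close=0.02, per_reader=False):
        self.pattern = pattern
        self.too_far = too_far
        self.too_close = too_close
        self.per_reader = per_reader
        self.last = {}  # memory slot -> last accepted reading

    def check(self, reader_id, reading):
        if math.dist(reading, self.pattern) > self.too_far:
            return "reject: too far from pattern"
        # One shared slot models "remembers the last fingerprint used";
        # per-reader slots remember what each sensor last accepted.
        slot = reader_id if self.per_reader else "any"
        previous = self.last.get(slot)
        if previous is not None and math.dist(reading, previous) < self.too_close:
            return "reject: too close to last reading"
        self.last[slot] = reading
        return "accept"


def run_scenario(per_reader):
    """Constructed sequence: login at reader A, login at reader B, then a
    near-copy of the reader A reading arrives from reader A again."""
    pattern = (0.50, 0.50, 0.50, 0.50)
    matcher = LastReadingCheck(pattern, per_reader=per_reader)
    login_a = (0.55, 0.48, 0.52, 0.47)
    login_b = (0.46, 0.53, 0.49, 0.54)
    repeat_a = (0.551, 0.481, 0.519, 0.470)  # almost identical to login_a
    stranger = (0.90, 0.10, 0.80, 0.20)
    return [
        matcher.check("reader-A", login_a),
        matcher.check("reader-B", login_b),
        matcher.check("reader-A", repeat_a),
        matcher.check("reader-A", stranger),
    ]


if __name__ == "__main__":
    print("single shared memory:", run_scenario(per_reader=False))
    print("per-reader memory:   ", run_scenario(per_reader=True))
```

With one shared memory the repeated reading is compared against the reader B login and accepted; with per-reader memory it is rejected as too close. Neither variant addresses the second observation, since a repositioned image is no longer a near-exact repeat.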

Page 25: What about “Active” Biometric Authentication?

• Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the user
• Possible techniques
  – Require any sort of non-static input that matches the built-in pattern
    • Moving the finger around on the fingerprint reader
  – Challenge response that demands an unpredictable reply
    • Voice recognition that demands reciting an unpredictable phrase
• Both are vulnerable to a dynamic digital attack based on a copy of the user’s biometric pattern
• Ease of use issue
  – Requires more complex user behavior, which makes it harder to use and less reliable

Page 26: Attacking Active Biometrics

A feasible dynamic attack uses the system’s algorithms to generate an acceptable signature

• Example
  – Attacker collects enough biometric samples from the victim to build a plausible copy of victim’s biometric pattern
  – During login, attacker is prompted for a spoken phrase from the victim
  – Attack software generates a digital message based on the user’s biometric pattern
    • There may be a sequence of timed messages or a single message – it doesn’t matter

If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

Page 27: Token-Based Biometrics

Authenticate with biometric + embedded secret

From Authentication © 2002. Used by permission

Page 28: Token Technology

• Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.

From Authentication © 2002. Used by permission

Page 29: Tokens Resist Trial-and-Error Attacks

Example                     Type of Attack            Average Attack Space
Reusable Passwords          Interactive or Off-Line   2^1 to 2^45
Biometrics                  Team                      2^6 to 2^19
One-Time Password Tokens    Interactive or Off-Line   2^19 to 2^63
Public Key Tokens           Off-Line                  2^63 to 2^116

These numbers assume that the attacker has not managed to steal a token

Page 30: Biometric Token Operation

• The “real” authentication is based on a secret embedded in the token
• The biometric reading simply “unlocks” that secret
• Benefits
  – User retains control of own biometric pattern
  – Biometric signatures don’t traverse networks
• Problems
  – Biometric Tokens cost more
  – Less space and cost for the biometric reader

The biometric serves as a PIN

Page 31: Attacks on Biometric Tokens

• If you can trick the reader, you can probably trick the token
• Digital spoofing shouldn’t work
  – We’ve eliminated the vulnerable data path
• Latent print reactivation (remember?)
  – Tokens should be able to detect and reject such attacks
• Attacks by cloning the biometric artifact
  – Voluntary cloning (the authorized user is an accomplice)
  – Involuntary cloning (the authorized user is unaware)

Page 32: Voluntary finger cloning

1. Select the casting material
  – Option: softened, free molding plastic (used by Matsumoto)
  – Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
  – Option: gelatin (“gummy fingers” used by Matsumoto)
  – Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden

You’re Done!

Page 33: Matsumoto’s Technique

• Only a few dollars’ worth of materials

Page 34: Making the Actual Clone

You can place the “gummy finger” over your real finger. Observers aren’t likely to detect it when you use it on a fingerprint reader. (Matsumoto)

Page 35: Involuntary Cloning

• The stuff of Hollywood – three examples
  – Sneakers (1992) “My voice is my password”
  – Never Say Never Again (1983) cloned retina
  – Charlie’s Angels (2000)
    • Fingerprints from beer bottles
    • Eye scan from oom-pah laser
• You clone the biometric without victim’s knowledge or intentional assistance
• Bad news: it works!


Cloned Face

• More work by Thalheim, Krissler, and Ziegler
• Reported in “Body Check,” C’T (Germany)
  http://www.heise.de/ct/english/02/11/114/

• Show the camera a photograph or video clip instead of the real face
– Video clip required to defeat “dynamic” biometric checks

• Photo was taken without the victim’s assistance (video possible, too)

• Face recognition was fooled
– Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera


Matsumoto’s 2nd Technique

Cloning a fingerprint from a latent print

1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface

2. Pick it up using tape and graphite

3. Scan it into a computer at high resolution

4. Enhance the fingerprint image

5. Etch it onto printed circuit board (PCB) material

6. Use the PCB as a mold for a “gummy finger”


Making a Gummy Finger from a Latent Print

From Matsumoto, ITU-T Workshop


The Latent Print Dilemma

• Tokens tend to be smooth objects of metal or plastic – materials that hold latent prints well

• Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint?

• Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?

• Answer: in some cases, YES.


Finger Cloning Effectiveness

• Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers

• Thalheim et al. could trick both “capacitive” and “optical” sensors with cloned fingers
– Products from Siemens, Cherry, Eutron, Veridicom
– Latent image reactivation only worked on capacitive sensors, not on optical ones

• Matsumoto tested 11 capacitive and optical sensors
– Cloned fingers tricked all of them
– Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica


Summary

• Traditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilities

• Networked biometrics require trusted readers that pose extra administrative headaches

• We can build physical clones of biometric features that spoof biometric readers
– Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint

• We can often build clones without the legitimate user’s intentional participation


Thank You!

Questions? Comments?

My e-mail: [email protected]

http://www.visi.com/crypto

http://www.securecomputing.com