
Biometric Security


Presentation Transcript


  1. Biometric Security Pieter.Hartel@utwente.nl

  2. Problem • People use weak passwords • People write the pin code on their bank card • Biometrics cannot be “forgotten” and you do not have to “think of it” IIS

  3. Personal Identification Associating an individual with an identity: • Something you have • Token, smart card • Something you know • Password, pin • Something you are: • Physiological • Behavioural

  4. Forms of Identification • Authentication (aka Verification) • Am I who I claim to be? • Recognition (aka Identification) • Who am I? • Harder than Authentication (why?)

  5. Physiological or Behavioural? [Jai00] A. K. Jain, L. Hong, and S. Pankanti. Biometric identification. Commun. ACM, 43(2):90-98, Feb 2000. http://doi.acm.org/10.1145/328236.328110

  6. Sample Application Areas

  7. Verification Verification is easier than identification…

  8. Two examples • Hand geometry • Fingerprint

  9. Hand Geometry (Hand Key)

  10. Measure your Right hand

  11. FBI classification • What is your right hand index finger? Arch Whorl Loop Accidental

  12. Fingerprint matching • Ridge thinning & extraction • Minutiae (bifurcation, end point) detection • Ridge based alignment & overlaying

  13. Desired Characteristics • Biometric • Universal • Unique • Permanent • Collectable • System • Performance • Acceptability • Circumvention Watch this video [Put00] T. van der Putte and J. Keuning. Biometrical fingerprint recognition: Don't get your fingers burned. In 4th Int. IFIP wg 8.8 Conf. Smart card research and advanced application (CARDIS), pages 289-303, Bristol, UK, Sep 2000. Kluwer Academic Publishers, Boston, Massachusetts. http://www.keuning.com/biometry/Biometrical_Fingerprint_Recognition.pdf

  14. Some Comparisons

  15. Biometrics is not perfect • High False Accept rate is bad for high security applications -- dangerous • High False Reject rate is bad for high usability applications -- annoying

  16. Receiver Operating Characteristics [Figure: plot with axes False Accept Rate (low to high) and False Reject Rate (low to high)]

  17. Security

  18. Attacks • How many templates do you have?

  19. Template protection • Requirements • Diversity (no cross matching of data bases for privacy) • Revocability (easy to replace template) • Security (hard to obtain the original) • Performance (matching must be robust) • Why does encryption not work? • Two examples • Non-invertible transforms • Fuzzy commitment [Jai08] A. K. Jain, K. Nandakumar, and A. Nagar. Biometric template security. EURASIP Journal on Advances in Signal Processing, 2008:579416, 2008. http://dx.doi.org/10.1155/2008/579416

  20. Non-invertible transform “crumple” • User specific transformation (revocability) • Locally smooth translation outside matcher tolerance (performance) • Globally non smooth (security) [Rat06] N. Ratha, J. Connell, R. M. Bolle, and S. Chikkerur. Cancelable biometrics: A case study in fingerprints. In 18th Int. Conf. on Pattern Recognition (ICPR), volume 4, pages 370-373, Hong Kong, China, Aug 2006. IEEE Computer Society. http://dx.doi.org/10.1109/ICPR.2006.353

  21. Fuzzy commitment Example • Idea • Use biometric template: x • As a corrupted code word: c = x - δ • The commitment is • Hash code word for security: h(c) • Leave distance in clear for fuzziness: δ • Verification • Measure: x’ • Compute: c’ = decode(x’ - δ) • Match if h(c’) = h(c) [Figure: x, x’, δ, c and candidate c’ shown on an axis marked 100, 200, 300] [Jue99a] A. Juels and M. Wattenberg. A fuzzy commitment scheme. In 6th ACM conf. on Computer and communications security (CCS), pages 28-36, Kent Ridge Digital Labs, Singapore, 1999. ACM. http://doi.acm.org/10.1145/319709.319714

  22. Template protection application [Buh07] I. R. Buhan, J. M. Doumen, P. H. Hartel, and R. N. J. Veldhuis. Secure ad-hoc pairing with biometrics: SAfE. In 1st Int. Workshop on Security for Spontaneous Interaction (Ubicomp 2007 Workshop Proceedings), pages 450-456, Innsbruck, Austria, Sep 2007. http://www.comp.lancs.ac.uk/iwssi2007/papers/iwssi2007-02.pdf

  23. Secure ad-hoc pairing • Suppose two people meet • Who have never met before • There is no TTP and/or they are not online • They are not technical • They would like to exchange data • Concerned about eavesdropper • How to do this? • Biometrics • Shielding function as fuzzy extractor • Protocol with novel “related key attack”

  24. Idea: Take each other’s photo [Figure: Enrollment: ma=0110..., mb=1101..., wa, wb; radio: wa, wb; Verification: mb=decode( , ), Alice has ma,mb; ma=decode( , ), Bob has ma,mb]

  25. Coping with noise • Problem: • Alice gets m’b close to mb but not the same • The same for Bob... • Solution: • During enrollment calculate error profiles • Cryptanalysis using those profiles to recover the correct key • More work for eavesdropper

  26. Usability • Compare Pin to SAFE • 30 subjects: questionnaire + interview • Mainly CS • Results

  27. Conclusions • Identification or verification • Complements password and token • Systems getting affordable • Biggest problems: • Performance • Public acceptance • Biometrics is fun
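
The fuzzy commitment scheme of slide 21, together with the revocability requirement of slide 19, as an added example that is not part of the original presentation. It assumes a toy code whose code words are the multiples of 100 in each coordinate (taken from the axis marks on the slide), SHA-256 as h, and constructed feature vectors.

```python
import hashlib
import hmac
import secrets

STEP = 100        # assumed spacing between code words (toy code)
LEVELS = 2 ** 16  # assumed number of code words per coordinate


def decode(values):
    """Map each coordinate to the nearest code word (multiple of STEP)."""
    return [STEP * ((v + STEP // 2) // STEP) for v in values]


def h(codeword):
    """Hash of the code word; only h(c) and delta are ever stored."""
    data = ",".join(str(c) for c in codeword).encode()
    return hashlib.sha256(data).digest()


def enroll(x):
    """Commit to template x with a fresh random code word c = x - delta."""
    c = [STEP * secrets.randbelow(LEVELS) for _ in x]
    delta = [xi - ci for xi, ci in zip(x, c)]
    return h(c), delta


def verify(commitment, x_new):
    """Accept x' when decode(x' - delta) hashes to the stored h(c)."""
    hc, delta = commitment
    c_new = decode([xi - di for xi, di in zip(x_new, delta)])
    return hmac.compare_digest(h(c_new), hc)


if __name__ == "__main__":
    x = [1234, 871, 4410, 302]             # constructed enrollment sample
    commitment = enroll(x)
    # Noise below STEP/2 per coordinate decodes back to the same c.
    print(verify(commitment, [1250, 850, 4380, 340]))
    # One coordinate off by 78 decodes to the neighbouring code word.
    print(verify(commitment, [1250, 850, 4380, 380]))
    # Revocation: re-enrolling the same x yields an unrelated commitment.
    print(enroll(x)[0] != commitment[0])
```

Because every code word here is a multiple of STEP, the stored δ reveals x modulo STEP in each coordinate. The scheme in [Jue99a] works with error-correcting codes over binary strings rather than this rounding code.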
