Computer Science 653 --- Lecture 3 Biometrics

Professor Wayne Patterson

Howard University

Fall 2009

Something You Are

  • Biometric

    • “You are your key” Schneier

  • Examples

    • Fingerprint

    • Handwritten signature

    • Facial recognition

    • Speech recognition

    • Gait (walking) recognition

    • “Digital doggie” (odor recognition)

    • Hand recognition

    • Keystroke

    • Iris patterns

    • DNA

    • Many more!




Why Biometrics?

  • Biometrics seen as desirable replacement for passwords

  • Cheap and reliable biometrics needed

  • Today, a very active area of research

  • Biometrics are used in security today

    • Thumbprint mouse

    • Palm print for secure entry

    • Fingerprint to unlock car door, etc.

  • But biometrics not too popular

    • Has not lived up to its promise (yet)

Ideal Biometric

  • Universal applies to (almost) everyone

    • In reality, no biometric applies to everyone

  • Distinguishing distinguish with certainty

    • In reality, cannot hope for 100% certainty

  • Permanent physical characteristic being measured never changes

    • In reality, want it to remain valid for a long time

  • Collectable easy to collect required data

    • Depends on whether subjects are cooperative

  • Reliable, robust, user-friendly

  • Safe

Effectiveness vs. Reliability

Surveys indicate that in order of effectiveness, biometric devices rank as follows:

1. Retina pattern devices

2. Fingerprint devices

3. Handprint devices

4. Voice pattern devices

5. Keystroke pattern devices

6. Signature devices

In order of personal acceptance, the order is just the opposite:

1. Keystroke pattern devices

2. Signature devices

3. Voice pattern devices

4. Handprint devices

5. Fingerprint devices

6. Retina pattern devices

Identification vs. Authentication

  • Identification:

    • Identify the subject from a list of many possibles

    • E.g. fingerprint from a crime scene to FBI

  • Authentication:

    • One to one

    • A subject claims to be Wayne

      • Only need to check against database for “Wayne”

Biometric Modes

  • Identification Who goes there?

    • Compare one to many

    • Example: The FBI fingerprint database

  • Authentication Is that really you?

    • Compare one to one

    • Example: Thumbprint mouse

  • Identification problem more difficult

    • More “random” matches since more comparisons

  • We are interested in authentication

    • A subject claims to be Wayne

      • Only need to check against database for “Wayne”

Enrollment vs. Recognition

  • Enrollment phase

    • Subject’s biometric info put into database

    • Must carefully measure the required info

    • OK if slow and repeated measurement needed

    • Must be very precise for good recognition

    • A weak point of many biometric schemes

  • Recognition phase

    • Biometric detection when used in practice

    • Must be quick and simple

    • But must be reasonably accurate

  • THINK: Compile time vs. runtime

Cooperative Subjects

  • We are assuming cooperative subjects

  • In identification problem often have uncooperative subjects

  • For example, facial recognition

    • Proposed for use in Las Vegas casinos to detect known cheaters

    • Also as way to detect terrorists in airports, etc.

    • Probably do not have ideal enrollment conditions

    • Subject will try to confuse recognition phase

  • Cooperative subject makes it much easier!

    • In authentication, subjects are cooperative

Biometric Errors

  • Fraud rate versus insult rate

    • Fraud: user A mis-authenticated as user B

    • Insult: user A not authenticated as user A

  • For any biometric, can decrease fraud or insult, but other will increase

  • For example

    • 99% voiceprint match: low fraud, high insult

    • 30% voiceprint match: high fraud, low insult

  • Equal error rate: rate where fraud == insult

    • The best measure for comparing biometrics
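The fraud/insult trade-off above, worked through as an added example (not part of the original slides). The match scores are constructed, and the rule "accept when score >= threshold" is an assumption about how the matcher is configured.

```python
from fractions import Fraction

# Constructed match scores (percent similarity), not measurements from the lecture.
GENUINE = [55, 62, 70, 74, 78, 81, 85, 88, 92, 97]    # user A presenting as A
IMPOSTOR = [12, 20, 25, 31, 38, 44, 50, 58, 66, 72]   # user A presenting as B


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (fraud, insult) when a score >= threshold is accepted."""
    fraud = Fraction(sum(s >= threshold for s in impostor), len(impostor))
    insult = Fraction(sum(s < threshold for s in genuine), len(genuine))
    return fraud, insult


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds 0..100 and return (threshold, fraud, insult) at the crossover.

    With finite samples the two rates may never be exactly equal, so this picks
    the lowest threshold that minimises |fraud - insult|.
    """
    def gap(t):
        fraud, insult = rates(t, genuine, impostor)
        return abs(fraud - insult)

    best = min(range(101), key=gap)
    return (best, *rates(best, genuine, impostor))


if __name__ == "__main__":
    for t in (30, 63, 99):
        fraud, insult = rates(t)
        print(f"threshold {t:3d}%: fraud={float(fraud):.2f} insult={float(insult):.2f}")
    print("EER point:", equal_error_rate())
```
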

Error Rates: Face Recognition

  • Drivers’ licenses, passports, etc.

  • How good are we at identifying strangers from a photo?

  • Westminster study: four types of credit cards with photos:

    • Good-good (genuine and recent)

    • Bad-good (genuine, older, different clothing)

    • Good-bad (from a pile, one that looked most like the subject)

    • Bad-bad (random, same sex and race as subject)

  • Experienced cashiers

    • None could tell the difference between bad-good and good-bad

    • Some could not even distinguish good-good and bad-bad

Fingerprint History

  • 1823: Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns

  • 1856: Sir William Herschel used fingerprint (in India) on contracts

  • 1880: Dr. Henry Faulds article in Nature about fingerprints for ID

  • 1883: In Mark Twain’s Life on the Mississippi, a murderer is ID’ed by fingerprint

Fingerprint History

  • 1888: Sir Francis Galton (cousin of Darwin) developed classification system

    • His system of “minutia” is still in use today

    • Also verified that fingerprints do not change

  • Some countries require a number of points (i.e., minutia) to match in criminal cases

    • In Britain, 15 points

    • In US, no fixed number of points required

Fingerprint Comparison

  • Examples of loops, whorls and arches

  • Minutia extracted from these features

  • Ridge endings, bifurcations

Loop (double)



Fingerprint Biometric

  • Capture image of fingerprint

  • Enhance image

  • Identify minutia

Fingerprint Biometric

  • Extracted minutia are compared with user’s minutia stored in a database

  • Is it a statistical match?

Matching

Hand Geometry

  • Popular form of biometric

  • Measures shape of hand

    • Width of hand, fingers

    • Length of fingers, etc.

  • Human hands not unique

  • Hand geometry sufficient for many situations

  • Suitable for authentication

  • Not useful for ID problem

Hand Geometry

  • Advantages

    • Quick

    • 1 minute for enrollment

    • 5 seconds for recognition

    • Hands symmetric (use other hand backwards)

  • Disadvantages

    • Cannot use on very young or very old

    • Relatively high equal error rate

Iris Patterns

  • Iris pattern development is “chaotic”

  • Little or no genetic influence

  • Different even for identical twins

  • Pattern is stable through lifetime

Iris Recognition: History

  • 1936: suggested by Frank Burch

  • 1980s: James Bond films

  • 1986: first patent appeared

  • 1994: John Daugman patented best current approach

    • Patent owned by Iridian Technologies

Iris Scan

  • Scanner locates iris

  • Take b/w photo

  • Use polar coordinates…

  • Find 2-D wavelet transform

  • Get 256 byte iris code

Measuring Iris Similarity

  • Based on Hamming distance

  • Define d(x,y) to be

    • (# of non-matching bits) / (# of bits compared)

    • d(0010,0101) = 3/4 and d(101111,101001) = 1/3

  • Compute d(x,y) on 2048-bit iris code

    • Perfect match is d(x,y) = 0

    • For same iris, expected distance is 0.08

    • At random, expect distance of 0.50

    • Accept as match if distance less than 0.32

Iris Codes are based on Hamming Distance

  • Definition of Hamming distance between strings

  • Let a, b be two bitstrings of common length n. Use $a_i$, $b_i$ ($i = 1, \dots, n$) to denote the individual bits.

  • The Hamming distance of a and b is denoted $d_H(a,b) = \sum_{i=1}^{n} (a_i \ \mathrm{XOR}\ b_i)$.

  • In other words, add one to the distance function for each position in which the bit values differ.
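The distance d(x,y) from the "Measuring Iris Similarity" slide and its 0.32 acceptance rule, as an added example that is not part of the original slides. The 2048-bit codes are constructed at random, and the helper names d, is_match and flip are assumptions chosen for illustration.

```python
import random
from fractions import Fraction

THRESHOLD = Fraction(32, 100)  # slide value: accept if distance is less than 0.32


def d(x: str, y: str) -> Fraction:
    """Normalised Hamming distance: non-matching bits / bits compared."""
    if len(x) != len(y) or not x:
        raise ValueError("codes must be non-empty and of equal length")
    return Fraction(sum(a != b for a, b in zip(x, y)), len(x))


def is_match(enrolled: str, probe: str) -> bool:
    """One-to-one check of a probe against the enrolled code."""
    return d(enrolled, probe) < THRESHOLD


def flip(code: str, k: int, rng: random.Random) -> str:
    """Invert exactly k distinct bits (constructed stand-in for sensor noise)."""
    out = list(code)
    for i in rng.sample(range(len(out)), k):
        out[i] = "1" if out[i] == "0" else "0"
    return "".join(out)


def demo(seed: int = 653):
    """Constructed 2048-bit codes: one iris re-read with noise, and an unrelated iris."""
    rng = random.Random(seed)
    enrolled = "".join(rng.choice("01") for _ in range(2048))
    same_iris = flip(enrolled, 164, rng)      # 164/2048 is about 0.08
    other_iris = "".join(rng.choice("01") for _ in range(2048))
    return {
        "same": (d(enrolled, same_iris), is_match(enrolled, same_iris)),
        "other": (d(enrolled, other_iris), is_match(enrolled, other_iris)),
    }


if __name__ == "__main__":
    print(d("0010", "0101"), d("101111", "101001"))   # the slide's two examples
    for label, (dist, ok) in demo().items():
        print(f"{label}: d = {float(dist):.3f} accepted = {ok}")
```
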

Iris Scan Error Rate

[Table not recovered: fraud rate, with the equal error rate marked]


Attack on Iris Scan

  • Good photo of eye can be scanned

    • Attacker could use photo of eye

  • Afghan woman was authenticated by iris scan of old photo

    • Story is here

  • To prevent photo attack, scanner could use light to be sure it is a “live” iris

Equal Error Rate Comparison

  • Equal error rate (EER): fraud == insult rate

  • Fingerprint biometric has EER of about 5%

  • Hand geometry has EER of about $10^{-3}$

  • In theory, iris scan has EER of about $10^{-6}$

    • But in practice, hard to achieve

    • Enrollment phase must be extremely accurate

  • Most biometrics much worse than fingerprint!

  • Biometrics useful for authentication…

  • But ID biometrics are almost useless today

Biometrics: The Bottom Line

  • Biometrics are hard to forge

  • But attacker could

    • Steal Alice’s thumb

    • Photocopy Bob’s fingerprint, eye, etc.

    • Subvert software, database, “trusted path”, …

  • Software attacks: manipulate the database

  • Also, how to revoke a “broken” biometric?

  • Broken password can be revoked

    • How do you revoke a fingerprint?

  • Biometrics are not foolproof!

  • Biometric use is limited today

  • That should change in the future…

Hot Research

  • Intense area of research right now --- see, e.g., “On the Development of Digital Signatures for Author Identification,” R. Williams, S. Gunasekaran, W. Patterson, Proceedings of the First International IEEE Conference on Biometrics: Theory, Applications, Systems (BTAS ’07), September 27, 2007, Crystal City, VA

More on Measurement Techniques

  • Let us suppose that we have a new biometric measurement system.

  • We’ll call it the “eyeball” system.

  • That is, we are going to “eyeball” people and classify them as to whether or not they have:

  • 1. hair

  • 2. mustache

  • 3. ten fingers

  • 4. two eyes

  • 5. no missing teeth

  • 6. two ears

  • 7. male / female gender

  • 8. two legs

Classifying the “Eyeball” Values

  • Each of the eight characteristics has a binary value.

  • Thus we could record the complete biometric result for an individual as a bitstring with 8 bits:

    • 0110 1010

  • With the appropriate convention of 0 or 1 for each reading.

The Database

  • We compile our database.

  • Obviously, since there are only $2^8 = 256$ different values, our biometric system could not be used with a population of 257 or more.

  • Suppose we have 100 people in our universe.

  • Then, we have to further assume that their biometric measurements would produce 100 different bitstrings.

  • If that’s the case, we could use the system.

  • If not --- that’s another problem.

Storing the Records

  • We could use the biometric measure as a key, and when we verify the reading, we can hash into a file (or use some other file management technique) to get the subject’s record.

  • Suppose for example that we wish to use this eyeball system for recognition.

  • We have a company with 100 employees, and we want to eyeball each as they come in in the morning.

Two Readings

  • Suppose also that among the employees with the same values for hair, mustache, fingers, eyes, teeth and ears, we have one male and one female, and one person with only one leg. So we have:

    • 1100 1010

    • 1100 1001

  • One fine morning, someone shows up and is recorded as

    • 1100 1011

What Do We Do?

  • There are several possibilities:

    • 1. The “eyeballer” may have made a mistake on 7 (gender);

    • 2. The “eyeballer” may have made a mistake on 8 (legs);

    • 3. The “eyeballer” may have made a mistake on some other reading;

    • 4. The “eyeballer” may be correct and the person is an impostor (or a visitor);

    • 5. The person being measured may have changed a value.

  • With only this information, we can’t proceed any further.

Hamming Weight

  • Recall the Hamming distance

  • The “Hamming weight” of a string x, Hw(x) = dH(x,0) where 0 is the zero string.

  • Examples of Hamming distance:

    • dH(1100 1010, 1100 1001) = 2

    • dH(1100 1010, 1100 1011) = 1.

  • In biometric pattern recognition, if dH (observed string, database entry x) = 0, then we accept the observed reading as representing x.

Maximum Likelihood Estimation

  • Suppose that the only two entries for items 1-4 in the eyeball system were:

    • x = 1011 0000

    • y = 1011 1110

  • Then, if we had a reading of

    • z = 1011 1100

  • We could compute dH(x,z) = 2 and dH(y,z) = 1.

Maximum Likelihood Estimation

  • Using the hypothesis of “maximum likelihood,” that is, the assumption that errors in individual readings are equally likely, there is a greater likelihood that ONE error has occurred rather than TWO.

  • Thus, we would want to accept z as a reading of y with one error; rather than a reading of x with two errors.
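The nearest-entry decision described above, together with the undecidable reading from the “Two Readings” slide, as an added example that is not part of the original slides. The employee names and the max_errors limit are assumptions made for illustration.

```python
def hamming(a: str, b: str) -> int:
    """dH(a, b): number of positions where the bits differ (spaces ignored)."""
    a, b = a.replace(" ", ""), b.replace(" ", "")
    if len(a) != len(b):
        raise ValueError("bitstrings must have a common length")
    return sum(x != y for x, y in zip(a, b))


def classify(reading: str, database: dict, max_errors: int = 1):
    """Return (verdict, names) for the database entries nearest to the reading.

    verdict is "exact", "corrected", "ambiguous" or "reject".
    max_errors is an assumed policy limit, not a value from the slides.
    """
    if not database:
        raise ValueError("database is empty")
    dist = {name: hamming(reading, code) for name, code in database.items()}
    best = min(dist.values())
    nearest = sorted(name for name, dd in dist.items() if dd == best)
    if best > max_errors:
        return "reject", nearest          # too many errors to attribute to misreading
    if len(nearest) > 1:
        return "ambiguous", nearest       # equally likely candidates: cannot decide
    return ("exact" if best == 0 else "corrected"), nearest


# The two employees from the "Two Readings" slide (names are hypothetical).
EMPLOYEES = {"employee_1": "1100 1010", "employee_2": "1100 1001"}
# The two entries from the "Maximum Likelihood Estimation" slide.
ENTRIES = {"x": "1011 0000", "y": "1011 1110"}

if __name__ == "__main__":
    print(classify("1100 1011", EMPLOYEES))   # one bit from both employees
    print(classify("1011 1100", ENTRIES))     # z: one error from y, two from x
    print(classify("1011 1110", ENTRIES))     # y read without error
    print(classify("0100 0001", ENTRIES))     # constructed reading far from both
```
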

Something You Have

  • Something in your possession

  • Examples include

    • Car key

    • Laptop computer

      • Or specific MAC address

    • Password generator

      • We’ll look at this next

    • ATM card, smartcard, etc.

Password Generator

  • Alice gets “challenge” R from Bob

  • Alice enters R into password generator

  • Alice sends “response” back to Bob

  • Alice has pwd generator and knows PINs

1. “I’m Alice”

2. R

3. PIN, R

4. F(R)

5. F(R)
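The five-message exchange above, as an added example that is not part of the original slides. The slides do not say what F is; HMAC-SHA-256 under a key shared between the generator and Bob is an assumption here, as are the class and method names.

```python
import hashlib
import hmac
import secrets


class PasswordGenerator:
    """Alice's device: holds the key shared with Bob and releases F(R) only for the right PIN."""

    def __init__(self, key: bytes, pin: str):
        self.key, self.pin = key, pin

    def respond(self, pin: str, r: bytes) -> bytes:      # messages 3 and 4
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            raise PermissionError("wrong PIN")
        return hmac.new(self.key, r, hashlib.sha256).digest()


class Bob:
    """Verifier: issues a fresh challenge R and checks the response F(R)."""

    def __init__(self, keys: dict):
        self.keys = keys          # user name -> key shared with that user's generator
        self.pending = {}         # user name -> outstanding challenge

    def challenge(self, user: str) -> bytes:              # messages 1 and 2
        r = secrets.token_bytes(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:  # message 5
        r = self.pending.pop(user, None)   # each challenge is usable once
        key = self.keys.get(user)
        if r is None or key is None:
            return False
        expected = hmac.new(key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # constructed shared key
    bob = Bob({"alice": key})
    token = PasswordGenerator(key, pin="4921")    # constructed PIN
    r = bob.challenge("alice")
    f_r = token.respond("4921", r)
    print("login accepted:", bob.verify("alice", f_r))
    print("replay accepted:", bob.verify("alice", f_r))
```
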





2-factor Authentication

  • Requires 2 out of 3 of

    • Something you know

    • Something you have

    • Something you are

  • Examples

    • ATM: Card and PIN

    • Credit card: Card and signature

    • Password generator: Device and PIN

    • Smartcard with password/PIN

Single Sign-on

  • A hassle to enter password(s) repeatedly

    • Users want to authenticate only once

    • “Credentials” stay with user wherever he goes

    • Subsequent authentication is transparent to user

  • Single sign-on for the Internet?

    • Microsoft: Passport

    • Everybody else: Liberty Alliance

    • Security Assertion Markup Language (SAML)

Web Cookies

  • Cookie is provided by a Website and stored on user’s machine

  • Cookie indexes a database at Website

  • Cookies maintain state across sessions

  • Web uses a stateless protocol: HTTP

  • Cookies also maintain state within a session

  • Like a single sign-on for a website

    • Though a very weak form of authentication

  • Cookies and privacy concerns