ENTROPY OF FINGERPRINT SENSORS

Do different fingerprint sensors affect the entropy of a fingerprint? RESEARCH QUESTION/HYPOTHESIS

Industry has been pushing for biometrics to replace passwords More convenient, but are biometrics still as secure as a traditional password? STATEMENT OF THE PROBLEM

The purpose is to discover whether or not different fingerprint sensors will produce different results for entropy across the same subjects and the same finger in all trials STATEMENT OF PURPOSE/SCOPE

LITERATURE REVIEW

Biometrics refers to the identification of an individual based on singular physiological or behavioral traits A biometric factor must be measurable, permanent in nature, and unique to an individual Examples include fingerprints, face, hand geometry and iris etc. BIOMETRICS

Passwords are secret based authentication, meaning that the person being authenticated has to have the knowledge of the password They can be guessed by brute force attack methods PASSWORDS

Entropy, in the case of biometrics, refers to the randomness of the biometric sample as it is collected and converted into a template Unlike passwords, which can be changed or varied in length, each unique biometric sample has only one possible character key associated with it BIOMETRICS AND PASSWORDS

What makes a fingerprint unique is the pattern, made up of the various ridges, bifurcations and endings. Each line has a specific beginning and an end, or sometimes splits into two lines MINUTIAE

Shannon coined the term entropy in information theory Since been used in cryptography as a measure of the difficulty of guessing a password or secret key SHANNON’S THEORY

When relating entropy and passwords, the higher the entropy, the longer the password needs to be ENTROPY AND PASSWORDS

The logic of defining entropy of a user selected password is an estimate. The first character is taken to be 4 bits of entropy The entropy of the next 7 characters are 2 bits per character The 9th through the 20th character is 1.5 bits per character For characters 21 and above entropy is 1 bit per character An additional 6 bits of entropy is added for the composition rule. The composition rule requires lower-case, upper-case, and non-alphabetic characters USER SELECTED PASSWORDS 94 CHARACTERS

3 bits of Entropy for the first character 2 bits of Entropy for the next three characters 1 bit of Entropy for the rest of the characters USER SELECTED PASSWORDS 10 CHARACTERS

RANDOMLY SELECTED PASSWORDS

METHODOLOGY

151 Subjects 107 male 44 female Each supplied their right index finger 6 times on 8 different sensors All sensors produced consistent image sizes DATA COLLECTION

SENSORS

DatarunArea (Pixels)Type x428Thermal Swipe x480Optical Touch x357Optical Touch x300Capacitive Touch x480Optical Touch x292Optical Touch x270Capacitive Swipe x360Capacitive Touch HARDWARE USED

VeriFinger SDK v5 Extract minutiae data Megamatcher Used for ground truthing Visual Studio (C#) Used for Entropy calculations Filemaker 13 Used to manage the samples SOFTWARE USED

Created data runs to only include those subjects who successfully supplied 6 samples across all 8 sensors Extracted the data from the database and processed the images through VeriFinger SDK 5.0 to extract the minutiae information Subjects were removed from all 8 data runs if one of their samples were unable to extract minutiae DATA MANAGEMENT

VeriFinger SDK V.5 outputted the minutiae data including the x, y, theta, and type of minutiae point x and y are the location of the point in the image Theta is the angle of the minutiae point Theta is classified as either 1, 2, 3, or 4 depending on the angle Type is either ridge ending or bifurcation Ending = 1 Bifurcation = 2 MINUTIAE DATA

Angle 1: 0° - 89° Angle 2: 90° - 179° Angle 3: 180° - 269° Angle 4: 270° - 359° 14 32

Keyspace needs to be determined Based on two parameters Possible pixel locations, denoted by L, which is the surface area of the image (varied between data runs) Possible characteristics about a minutiae point, denoted by C, which is defined by type and angle as defined earlier ENTROPY CALCULATION

RESULTS

SAMPLES FROM EACH SENSOR The same subject across all 8 sensors

DatarunType Angle 1 Angle 2 Angle 3 Angle 4EndBifa1enda1bifa2enda2bifa3enda3bifa4enda4bif avg minutiaeentropy entropy per minutiae 1761 Thermal Swipe Optical Touch Optical Touch Capacitive Touch Optical Touch Optical Touch Capacitive Swipe Capacitive Touch ENTROPY CALCULATIONS TABLE

The highest minutiae count was produced by a thermal swipe sensor Optical touch sensors seem to provide a higher average minutiae count than capacitive touch sensors A capacitive sensor provided the highest entropy per minutiae but least average minutiae. SENSOR RESULTS

MINUTIAE VS. CHARACTER LENGTH

Probability of Minutiae Location

ENTROPY AND PASSWORD LENGTH User ChosenRandomly Chosen 94 Char. Alphabet10 Char. Alphabet 94 Char. Datarun Avg. Minutiae EntropyNo Checks Dict. & Composition Rule

The first three columns are entropy calculations based on the data runs The next columns output a password length equal to the entropy of the data run There are also other conditions under which the password has constraints, such as being out of 94 possible characters or 10 EXPLANATION

CONCLUSIONS

When analyzing the data there seemed to be some scanners that had a very low quality image but high minutiae This could have to do with the scanner type specifically or rather a function image quality, or image size CONCLUSIONS

REFERENCES