1 Jason Tortorete COSC 316

2
- Concept: Access Control
- CISSP and Access Control Framework
- Biometric Applications and Functionality
- Verification and Identification
- Modality
- Wolf Attack
  - Define
  - Probability
- Questions/Closing

3
- The flow of information between a subject and an object
  - Subject: user/program/process that requires use of an object's resources
- Life imitates art
  - AI
    - "Thinking" robotics and emotional/conversational cyborgs
  - Minority Report
    - Police use holographic data screens (Microsoft and NY)
  - City-wide surveillance
    - Dimensional maps and database feeds used to monitor citizen movements
    - Deployment of systems allowing broad and autonomous surveillance
- Protect access and resources
  - Biometrics as a panacea?
  - Research hacker reports (vulnerable)
  - Biometric security circumvention and fundamental constraints seem to fall on deaf ears

4
- Certified Information Systems Security Professional certification track
  - Convey the significance of the principle of access control
  - Access Control is Domain One of Ten
  - Represents the security industry's gold standard of certification
- 4 functions that drive access controls
  - Identification: method in which a system requests information from an entity (username)
  - Authentication: often a second piece of information requested (pass or PIN)
  - Authorization: permits or denies requests
  - Accountability: all subjects are recorded and logged
- The classic "who", "what", and "when"

5
- Biometrics?
  - Bio: living creature
  - Metrics: ability to measure in a quantitative manner
- Context
  - In security: describes both characteristics and processes
  - Measurable traits (both behavioral and physiological)
  - Leverage unique identifiers for the purposes of subject identification

6
- Verification
  - Confirming or denying a subject's claimed identity
  - Digitized biological sample in the form of an image
  - Sample is associated with a specific identity within that system and determines all future access attempts
  - Verification is synonymous with one-to-one
- Identification asks: "Is the requesting subject in fact who they claim to be?"
- Verification asks: "Do I know who this subject is?"

7
- Modality, or class of biometric attribute
- Four major classes (leverage biological biometrics):
  - Fingerprint recognition
  - Hand geometry recognition
  - Iris recognition
  - Facial recognition

8
- Fingerprint recognition:
  - Comprised of random ridges and valleys (islands, dots, bifurcations, and ending ridges)

9
- Hand geometry:
  - Taking a three-dimensional image of the hand in order to capture and compare hand structure (lacks the uniqueness of fingerprint or iris)

10
- Facial recognition:
  - Leverages the uniqueness of the human face (distance between eyes, width of the nose, cheekbones, and chin)
  - Problems with lighting

11
- Iris recognition:
  - Uses infrared illumination (IR)
  - Extremely high resolution images of the iris (colored portion)
  - Extremely high success rate and highly effective
  - Costly
- All classes are best implemented with another method

12
- Exploitation:
  - Stems from the fact that biometric technology and the security it provides is probabilistic in nature.
  - The wolf attack uses this fact to circumvent biometric-based security mechanisms by exploiting them.
- Three industry-recognized classifications of biometric-based threats:
  1) Intentional impersonation
  2) Unexpectedly high FAR
  3) Backdoor creation

13
- Why Wolf?
  - A wolf is an input value that can be falsely accepted as a match with multiple templates
  - Wolves are fed into the system and are used to impersonate a victim and trick the system
  - WAP, or Wolf Attack Probability, is defined as the maximum success probability with one wolf sample

14
- What exactly is a wolf attack, and what does it do?
  - A created biometric sample that shows a high degree of similarity to the majority of the system's templates
  - Therefore, the outcome's statistical success is not confirmed or denied by the MCP (minutiae collision probability) but instead is estimated using a WAP
  - Resulting in a huge increase in attack success
  - In other words, the system's algorithms are barraged with minutiae (all the variations and inputs possible) to comply with the existing templates
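The difference between FAR and WAP described on slides 13 and 14, as an added example that is not part of the original presentation: a toy audit that measures both figures for two matchers over the same constructed templates. The 10-cell sensor model, the templates, the thresholds and both matcher functions are assumptions made for illustration; real minutiae matchers are far more complex.

```python
from itertools import combinations, permutations

CELLS = 10  # toy sensor (assumption): a minutia is present or absent in each of 10 cells

# Constructed enrolment templates (sets of occupied cells); any two share exactly one cell.
TEMPLATES = [frozenset(t) for t in
             ({0, 1, 2, 3}, {0, 4, 5, 6}, {1, 4, 7, 8}, {2, 5, 7, 9}, {3, 6, 8, 9})]

def count_matcher(sample, template, threshold=3):
    """Accepts when enough minutiae coincide; surplus minutiae cost nothing."""
    return len(sample & template) >= threshold

def jaccard_matcher(sample, template, threshold=0.6):
    """Scores overlap relative to the union, so surplus minutiae lower the score."""
    return len(sample & template) / len(sample | template) >= threshold

def far(matcher):
    """Zero-effort FAR: each user's template presented against every other user's."""
    trials = list(permutations(TEMPLATES, 2))
    return sum(matcher(a, b) for a, b in trials) / len(trials)

def wap(matcher):
    """Wolf attack probability: the highest acceptance rate any single input
    achieves over the whole input space (2**CELLS samples, checked exhaustively)."""
    best = 0.0
    for size in range(CELLS + 1):
        for cells in combinations(range(CELLS), size):
            sample = frozenset(cells)
            accepted = sum(matcher(sample, t) for t in TEMPLATES)
            best = max(best, accepted / len(TEMPLATES))
    return best

def audit():
    """FAR and WAP side by side for both matchers."""
    return {m.__name__: {"FAR": far(m), "WAP": wap(m)}
            for m in (count_matcher, jaccard_matcher)}

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

Both matchers show a FAR of zero on these templates, so only the WAP column separates the matcher that ignores surplus minutiae from the one that penalizes them.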

15
- The point:
  - With security mechanisms such as an open encryption standard, anyone can easily gain full knowledge of the internal workings without that knowledge leading to a compromise of the math that protects the system. With biometrics, that knowledge does lead to compromise and gives the attacker a huge advantage.
  - Biometric security systems are the future and therefore biometric-based system attacks are as well.
- Questions?


