Presentation is loading. Please wait.

Presentation is loading. Please wait.

S E C U R E C O M P U T I N G July 20021R. Smith - Biometric Dilemma The Biometric Dilemma Rick Smith, Ph.D., CISSP 28.

Published byAlia Stark Modified over 10 years ago

Similar presentations

Presentation on theme: "S E C U R E C O M P U T I N G July 20021R. Smith - Biometric Dilemma The Biometric Dilemma Rick Smith, Ph.D., CISSP 28."— Presentation transcript:

1

2 S E C U R E C O M P U T I N G July 20021R. Smith - Biometric Dilemma The Biometric Dilemma Rick Smith, Ph.D., CISSP rick_smith@securecomputing.com 28 October 2001

3 S E C U R E C O M P U T I N G July 20022R. Smith - Biometric Dilemma Outline Biometrics: Why, How, How StrongBiometrics: Why, How, How Strong –Attacks, FAR, FRR, Resisting trial-and-error Server-based BiometricsServer-based Biometrics Attacking a biometric serverAttacking a biometric server –Digital spoofing, privacy intrusion, latent print reactivation Token-based BiometricsToken-based Biometrics Physical spoofingPhysical spoofing –Voluntary and involuntary spoofing SummarySummary

4 S E C U R E C O M P U T I N G July 20023R. Smith - Biometric Dilemma Biometrics: Why? Eliminate memorization –Eliminate memorization – –Users don’t have to memorize features of their voice, face, eyes, or fingerprints Eliminate misplaced tokens –Eliminate misplaced tokens – –Users won’t forget to bring fingerprints to work Can’t be delegated –Can’t be delegated – –Users can’t lend fingers or faces to someone else Often unique –Often unique – –Save money and maintain database integrity by eliminating duplicate enrollments

5 S E C U R E C O M P U T I N G July 20024R. Smith - Biometric Dilemma The Dilemma They always look stronger and and easier to use than they are in practice Enrollment is difficultEnrollment is difficult –Easy enrollment = unreliable authentication –Measures to prevent digital spoofing make even more work for administrators, almost a “double enrollment” process Physical spoofing is easier than we’d likePhysical spoofing is easier than we’d like –Recent examples with fingerprint scanners, face scanners

6 S E C U R E C O M P U T I N G July 20025R. Smith - Biometric Dilemma Biometrics: How? Measure a physical trait The user’s fingerprint, hand, eye, faceThe user’s fingerprint, hand, eye, face Measure user behavior The user’s voice, written signature, or keystrokes From Authentication © 2002. Used by permission

7 S E C U R E C O M P U T I N G July 20026R. Smith - Biometric Dilemma Biometrics: How Strong? Three types of attacks Trial-and-error attackTrial-and-error attack –Classic way of measuring biometric strength Digital spoofingDigital spoofing –Transmit a digital pattern that mimics that of a legitimate user’s biometric signature –Similar to password sniffing and replay –Biometrics can’t prevent such attacks by themselves Physical spoofingPhysical spoofing –Present a biometric sensor with an image that mimics the appearance of a legitimate user

8 S E C U R E C O M P U T I N G July 20027R. Smith - Biometric Dilemma Biometric Trial-and-Error How many trials are needed to achieve a 50-50 chance of producing a matching reading? Typical objective: 1 in 1,000,000  2 19Typical objective: 1 in 1,000,000  2 19 Some systems achieve this, but most aren’t that accurate in practical settingsSome systems achieve this, but most aren’t that accurate in practical settings Team-based attackTeam-based attack –A group of individuals take turns pretending to be a legitimate user (5 people X 10 finger = 50 fingers)

9 S E C U R E C O M P U T I N G July 20028R. Smith - Biometric Dilemma Passwords: A Baseline

10 S E C U R E C O M P U T I N G July 20029R. Smith - Biometric Dilemma Biometric Authentication Compares user’s signature to previously established pattern built from that traitCompares user’s signature to previously established pattern built from that trait “Biometric pattern” file instead of password file“Biometric pattern” file instead of password file Matching is always approximate, never exactMatching is always approximate, never exact From Authentication © 2002. Used by permission

11 S E C U R E C O M P U T I N G July 200210R. Smith - Biometric Dilemma Pattern Matching We compare how closely a signature matches one user’s pattern versus another’s pattern From Authentication © 2002. Used by permission

12 S E C U R E C O M P U T I N G July 200211R. Smith - Biometric Dilemma Matching Self vs. Others From Authentication © 2002. Used by permission

13 S E C U R E C O M P U T I N G July 200212R. Smith - Biometric Dilemma Matching in Practice FAR = recognized Bob instead; FRR = doesn’t recognize me From Authentication © 2002. Used by permission

14 S E C U R E C O M P U T I N G July 200213R. Smith - Biometric Dilemma Measurement Trade-Offs We must balance the FAR and the FRR Lower FAR = Fewer successful attacksLower FAR = Fewer successful attacks –Less tolerant of close matches by attackers –Also less tolerant of authentic matches –Therefore – increases the FRR Lower FRR = Easier to useLower FRR = Easier to use –Recognizes a legitimate user the first time –More tolerant of poor matches –Also more tolerant of matches by attackers –Therefore – increases the FAR Equal error rate = point where FAR = FAR

15 S E C U R E C O M P U T I N G July 200214R. Smith - Biometric Dilemma Trial and Error in Practice Higher security means more mistakesHigher security means more mistakes –When we reduce the FAR, we increase the FRR –More picky about signatures from legitimate users, too

16 S E C U R E C O M P U T I N G July 200215R. Smith - Biometric Dilemma Biometric Enrollment How it worksHow it works –User provides one or more biometric readings –The system converts each reading into a signature –The system constructs the pattern from those signatures Problems with biometric enrollmentProblems with biometric enrollment –It’s hard to reliably “pre-enroll” users –Users must provide biometric readings interactively Accuracy is time consumingAccuracy is time consuming –Take trial readings, build tentative patterns, try them out –Take more readings to refine patterns –Higher accuracy requires more trial readings

17 S E C U R E C O M P U T I N G July 200216R. Smith - Biometric Dilemma Compare with Password or Token Enrollment Modern systems allow users to self-enrollModern systems allow users to self-enroll –User enters some personal authentication information –Establish a user name –Establish a password: system generated or user chosen –Establish a token: enter its serial number Password enrollment is comparatively simplePassword enrollment is comparatively simple Tokens require a database associating serial numbers with individual authentication tokensTokens require a database associating serial numbers with individual authentication tokens –Database is generated by token’s manufacturer –Enrollment system uses it to establish user account –Token’s PIN is managed by the end user

18 S E C U R E C O M P U T I N G July 200217R. Smith - Biometric Dilemma Biometric Privacy The biometric pattern acts like a passwordThe biometric pattern acts like a password But biometrics are not secrets Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goesEach user leaves artifacts of her voice, fingerprints, and appearance wherever she goes Users can’t change biometrics if someone makes a copyUsers can’t change biometrics if someone makes a copy We can trace people by following their biometrics as they’re saved in databasesWe can trace people by following their biometrics as they’re saved in databases

19 S E C U R E C O M P U T I N G July 200218R. Smith - Biometric Dilemma Server-based biometrics Boring but importantBoring but important Some biometric systems require serversSome biometric systems require servers –When you need a central repository –Identification systems (FBI’s AFIS) –Uniqueness systems (community social service orgs) From Authentication © 2002. Used by permission

20 S E C U R E C O M P U T I N G July 200219R. Smith - Biometric Dilemma Attacking Server Biometrics From Authentication © 2002. Used by permission

21 S E C U R E C O M P U T I N G July 200220R. Smith - Biometric Dilemma Attacks on Server Traffic Attack on privacy of a user’s biometricsAttack on privacy of a user’s biometrics –Defense = encryption while traversing the network Attack by spoofing a digital biometric readingAttack by spoofing a digital biometric reading –Defense = authenticating legitimate biometric readers Both solutions rely on trusted biometric readers From Authentication © 2002. Used by permission

22 S E C U R E C O M P U T I N G July 200221R. Smith - Biometric Dilemma Trusted Biometric Reader Blocks either type of attack on server trafficBlocks either type of attack on server traffic Security objective – reliable data collectionSecurity objective – reliable data collection Must embed a cryptographic secret in every trusted readerMust embed a cryptographic secret in every trusted reader –Increased development cost –Increased administrative cost – administrators must keep the reader’s keys safe and up-to-date Must enroll both users and trusted readersMust enroll both users and trusted readers –“Double enrollment” –Database of device keys from biometric vendor –One device per workstation is often like one per user –Standard tokens are traditionally lower-cost devices

23 S E C U R E C O M P U T I N G July 200222R. Smith - Biometric Dilemma Another Server Attack Experiments in the US and GermanyExperiments in the US and Germany Willis and Lee of Network Computing Labs, 1998Willis and Lee of Network Computing Labs, 1998 –Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998 Thalheim, Krissler, and Ziegler, 2002Thalheim, Krissler, and Ziegler, 2002 –Reported in “Body Check,” C’T (Germany) –http://www.heise.de/ct/english/02/11/114/ Attack on “capacitive” fingerprint sensorsAttack on “capacitive” fingerprint sensors –Measures change in capacitance due to presence or absence of material with skin-like response –65Kb sensor collects ~20 minutiae from fingerprint –Traditional techniques use 10-12 for identification Attack exploits the fatty oils left over from the last user logonAttack exploits the fatty oils left over from the last user logon

24 S E C U R E C O M P U T I N G July 200223R. Smith - Biometric Dilemma Latent Finger Reactivation Three techniquesThree techniques –Oil vs. non-oil regions return difference as humidity increases 1.Breathe on the sensor (Thalheim, et al) –You can watch the print reappear as a biometric image –Works occasionally 2.Use a thin-walled plastic bag of warm water More effective, but not 100%More effective, but not 100% –Works occasionally even when system is set to maximum sensitivity 3.Dust with graphite (Willis et al; Thalheim et al) Attach clear tape to the dustAttach clear tape to the dust –Press down on the sensor –Most reliable technique – almost 100% success rate (Thalheim)

25 S E C U R E C O M P U T I N G July 200224R. Smith - Biometric Dilemma This Shouldn’t Work According to Siemens – vendor of the “ID Mouse” used in those examples –According to Siemens – vendor of the “ID Mouse” used in those examples – –Authentication procedure remembers the last fingerprint used –System rejects a match that’s “too close” to the last reading as well as a match that’s “too far” from the pattern ObservationsObservations 1.Defense didn’t work in these experiments 2.Tape can be repositioned to create a ‘different’ reading 3.Hard to track through multiple biometric readers –Assume the user logs in at multiple locations over time –Then the latent image on some reader is not the most recent one accepted for login

26 S E C U R E C O M P U T I N G July 200225R. Smith - Biometric Dilemma What about “Active” Biometric Authentication? Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the userSome (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the user Possible techniquesPossible techniques –Require any sort of non-static input that matches the built-in pattern Moving the finger around on the fingerprint readerMoving the finger around on the fingerprint reader –Challenge response that demands an unpredictable reply Voice recognition that demands reciting an unpredictable phraseVoice recognition that demands reciting an unpredictable phrase Both are vulnerable to a dynamic digital attack based on a copy of the user’s biometric patternBoth are vulnerable to a dynamic digital attack based on a copy of the user’s biometric pattern Ease of use issueEase of use issue –Requires more complex user behavior, which makes it harder to use and less reliable

27 S E C U R E C O M P U T I N G July 200226R. Smith - Biometric Dilemma Attacking Active Biometrics A feasible dynamic attack uses the system’s algorithms to generate an acceptable signature ExampleExample –Attacker collects enough biometric samples from the victim to build a plausible copy of victim’s biometric pattern –During login, attacker is prompted for a spoken phrase from the victim –Attack software generates a digital message based on the user’s biometric pattern There may be a sequence of timed messages or a single message – it doesn’t matterThere may be a sequence of timed messages or a single message – it doesn’t matter If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

28 S E C U R E C O M P U T I N G July 200227R. Smith - Biometric Dilemma Token-Based Biometrics Authenticate with biometric + embedded secret From Authentication © 2002. Used by permission

29 S E C U R E C O M P U T I N G July 200228R. Smith - Biometric Dilemma Token Technology Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.Resist copying and other attacks by storing the authentication secret in a tamper-resistant package. From Authentication © 2002. Used by permission

30 S E C U R E C O M P U T I N G July 200229R. Smith - Biometric Dilemma Tokens Resist Trial-and-Error Attacks These numbers assume that the attacker has not managed to steal a token

31 S E C U R E C O M P U T I N G July 200230R. Smith - Biometric Dilemma Biometric Token Operation The “real” authentication is based on a secret embedded in the tokenThe “real” authentication is based on a secret embedded in the token The biometric reading simply “unlocks” that secretThe biometric reading simply “unlocks” that secret BenefitsBenefits –User retains control of own biometric pattern –Biometric signatures don’t traverse networks ProblemsProblems –Biometric Tokens cost more –Less space and cost for the biometric reader The biometric serves as a PIN

32 S E C U R E C O M P U T I N G July 200231R. Smith - Biometric Dilemma Attacks on Biometric Tokens If you can trick the reader, you can probably trick the tokenIf you can trick the reader, you can probably trick the token Digital spoofing shouldn’t workDigital spoofing shouldn’t work –We’ve eliminated the vulnerable data path Latent print reactivation (remember?)Latent print reactivation (remember?) –Tokens should be able to detect and reject such attacks Attacks by cloning the biometric artifactAttacks by cloning the biometric artifact –Voluntary cloning (the authorized user is an accomplice) –Involuntary cloning (the authorized user is unaware)

33 S E C U R E C O M P U T I N G July 200232R. Smith - Biometric Dilemma Voluntary finger cloning 1.Select the casting material –Option: softened, free molding plastic (used by Matsumoto) –Option: part of a large, soft wax candle (used by Willis; Thalheim) 2.Push the fingertip into the soft material 3.Let material harden 4.Select the finger cloning material Option: gelatin (“gummy fingers” used by Matsumoto)Option: gelatin (“gummy fingers” used by Matsumoto) Option: silicone (used by Willis; Thalheim)Option: silicone (used by Willis; Thalheim) 5.Pour a layer of cloning material into the mold 6.Let the clone harden You’re Done!

34 S E C U R E C O M P U T I N G July 200233R. Smith - Biometric Dilemma Matsumoto’s Technique Only a few dollars’ worth of materialsOnly a few dollars’ worth of materials

35 S E C U R E C O M P U T I N G July 200234R. Smith - Biometric Dilemma Making the Actual Clone You can place the “gummy finger” over your real finger. Observers aren’t likely to detect it when you use it on a fingerprint reader. (Matsumoto)

36 S E C U R E C O M P U T I N G July 200235R. Smith - Biometric Dilemma Involuntary Cloning The stuff of Hollywood – three examplesThe stuff of Hollywood – three examples –Sneakers (1992) “My voice is my password” –Never Say Never Again (1983) cloned retina –Charlie’s Angels (2000) Fingerprints from beer bottlesFingerprints from beer bottles Eye scan from oom-pah laserEye scan from oom-pah laser You clone the biometric without victim’s knowledge or intentional assistanceYou clone the biometric without victim’s knowledge or intentional assistance Bad news: it works!Bad news: it works!

37 S E C U R E C O M P U T I N G July 200236R. Smith - Biometric Dilemma Cloned Face More work by Thalheim, Krissler, and ZieglerMore work by Thalheim, Krissler, and Ziegler Reported in “Body Check,” C’T (Germany)Reported in “Body Check,” C’T (Germany)http://www.heise.de/ct/english/02/11/114/ Show the camera a photograph or video clip instead of the real faceShow the camera a photograph or video clip instead of the real face –Video clip required to defeat “dynamic” biometric checks Photo was taken without the victim’s assistance (video possible, too)Photo was taken without the victim’s assistance (video possible, too) Face recognition was fooledFace recognition was fooled –Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera

38 S E C U R E C O M P U T I N G July 200237R. Smith - Biometric Dilemma Matsumoto’s 2 nd Technique Cloning a fingerprint from a latent print 1.Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface 2.Pick it up using tape and graphite 3.Scan it into a computer at high resoultion 4.Enhance the fingerprint image 5.Etch it onto printed circuit board (PCB) material 6.Use the PCB as a mold for a “gummy finger”

39 S E C U R E C O M P U T I N G July 200238R. Smith - Biometric Dilemma Making a Gummy Finger from a Latent Print From Matsumoto, ITU-T Workshop

40 S E C U R E C O M P U T I N G July 200239R. Smith - Biometric Dilemma The Latent Print Dilemma Tokens tend to be smooth objects of metal or plastic – materials that hold latent prints wellTokens tend to be smooth objects of metal or plastic – materials that hold latent prints well Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint?Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint? Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?Worse, can an attacker reactivate a latent image of the biometric from the sensor itself? Answer: in some cases, YES.Answer: in some cases, YES.

41 S E C U R E C O M P U T I N G July 200240R. Smith - Biometric Dilemma Finger Cloning Effectiveness Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingersWillis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers Thalheim et al could trick both “capacitive” and “optical” sensors with cloned fingersThalheim et al could trick both “capacitive” and “optical” sensors with cloned fingers –Products from Siemens, Cherry, Eutron, Verdicom –Latent image reactivation only worked on capacitive sensors, not on optical ones Matsumoto tested 11 capacitive and optical sensorsMatsumoto tested 11 capacitive and optical sensors –Cloned fingers tricked all of them –Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica

42 S E C U R E C O M P U T I N G July 200241R. Smith - Biometric Dilemma Summary Traditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilitiesTraditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilities Networked biometrics require trusted readers that pose extra administrative headachesNetworked biometrics require trusted readers that pose extra administrative headaches We can build physical clones of biometric features that spoof biometric readersWe can build physical clones of biometric features that spoof biometric readers –Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint We can often build clones without the legitimate user’s intentional participationWe can often build clones without the legitimate user’s intentional participation

43 S E C U R E C O M P U T I N G July 200242R. Smith - Biometric Dilemma Thank You! Questions? Comments? My e-mail: Rick_Smith@securecomputing.com http://www.visi.com/crypto http://www.securecomputing.com

Download ppt "S E C U R E C O M P U T I N G July 20021R. Smith - Biometric Dilemma The Biometric Dilemma Rick Smith, Ph.D., CISSP 28."

Similar presentations

Penetration Testing Biometric System

Penetration Testing Biometric System
February 20021 Best Practices in Advancement Services Customer Service: Benchmarking with the Best Jennifer Houlihan Warwick Loyola Marymount University.

February Best Practices in Advancement Services Customer Service: Benchmarking with the Best Jennifer Houlihan Warwick Loyola Marymount University.
Summer 20021 Time, Rate, and Productivity Management of Operations Brad C. Meyer.

Summer Time, Rate, and Productivity Management of Operations Brad C. Meyer.
Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.

Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.
Welcome to CMPE003 Personal Computers: Hardware and Software Dr. Chane Fullmer Fall 2002 UC Santa Cruz.

Welcome to CMPE003 Personal Computers: Hardware and Software Dr. Chane Fullmer Fall 2002 UC Santa Cruz.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Biometrics By: Ashley Rodriguez. Biometrics An automated method of recognizing a person based on physical or behavioral traits. Consist of two main classes.

Biometrics By: Ashley Rodriguez. Biometrics An automated method of recognizing a person based on physical or behavioral traits. Consist of two main classes.
Vitaly Shmatikov CS 361S Biometric Authentication.

Vitaly Shmatikov CS 361S Biometric Authentication.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Challenges and Potential Research Areas In Biometrics.

Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Challenges and Potential Research Areas In Biometrics.
Section 2.3.5 – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.

Section – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.
By: Monika Achury and Shuchita Singh

By: Monika Achury and Shuchita Singh
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
March 2005 1R. Smith - University of St Thomas - Minnesota QMCS 490 - Class Today Authentication ReduxAuthentication Redux Some more biometrics slidesSome.

March R. Smith - University of St Thomas - Minnesota QMCS Class Today Authentication ReduxAuthentication Redux Some more biometrics slidesSome.
Biometrics II CUBS, University at Buffalo

Biometrics II CUBS, University at Buffalo
FIT3105 Biometric based authentication and identity management

FIT3105 Biometric based authentication and identity management
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
March 2005 1R. Smith - University of St Thomas - Minnesota QMCS 490 - Class Today AuthenticationAuthentication –Elements/Actors –Strategies –Three Factors/Base.

March R. Smith - University of St Thomas - Minnesota QMCS Class Today AuthenticationAuthentication –Elements/Actors –Strategies –Three Factors/Base.

Similar presentations

Ads by Google