CPSC 467b: Cryptography and Computer Security

Similar documents
This tutorial also provides a glimpse of various security issues related to biometric systems, and the comparison of various biometric systems.

International Biometrics & Identification Association

Research Article. ISSN (Print)

1/10/12. Introduction. Who are you?? Person Identification. Identification Problems. How are people identified?

Why Biometrics? Why Biometrics? Biometric Technologies: Security and Privacy 2/25/2014. Dr. Rigoberto Chinchilla School of Technology

Introduction-cont Pattern classification

1/12/12. Introduction-cont Pattern classification. Behavioral vs Physical Traits. Announcements

4/2/14. Who are you?? Introduction. Person Identification. How are people identified? People are identified by three basic means:

The Open Biometrics Initiative and World Card

Hong Kong General Chamber of Commerce Roundtable Luncheon 13 April 2016 Collection and Use of Biometric Data

Biometrics & Accessibility

SUMMARY INTRODUCTION. xiii

Biometrics from a legal perspective dr. Ronald Leenes

Biometric Authentication

PRIVACY IMPLICATIONS OF BIOMETRIC DATA. Kevin Nevias CISSP, CEH, CHFI, CISA, CISM, CRISC, CGEIT, CCNA, G /20/16

SECURE REMOTE VOTER REGISTRATION

Biometrics Overview. Introduction. Biometrics is a general term used alternatively to describe a characteristic or a process. As a characteristic:

Biometrics: primed for business use

Biometrics Technology for Human Recognition

AADHAR BASED ELECTRONIC VOTING SYSTEM USING BIOMETRIC AUTHENTICATION AND IOT

Opinion 3/2012 on developments in biometric technologies

MoneyPad, The Future Wallet

Computer Security Seminar Biometrics. Aviv Abramovich Spring 2015 University of Haifa

An overview of the European approach to the cross-jurisdictional and societal aspects of biometrics

Secured Electronic Voting Protocol Using Biometric Authentication

Running head: GAP ANALYSIS OF THE DEPARTMENT OF HOMELAND 1

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

Case Study. MegaMatcher Accelerator

DESIGN AND ANALYSIS OF SECURED ELECTRONIC VOTING PROTOCOL

LATEST IN BIOMETRIC TECHNOLOGY IN THE SERVICE OF TRAVEL SECURITY. Presented By: Cristian Morosan - University of Houston

LEGISLATION. The "BIOMETRIC AND SOCIAL SECURITY NUMBER RELIGIOUS EXEMPTION ACT"

Here s our nickel tour of biometrics well, okay, that d be a dollar or

Identity Verification in Passport Issuance

INTRODUCTION BACKGROUND. Chapter One

BIOMETRICS - WHY NOW?

[To be published in THE GAZETTE OF INDIA, EXTRAORDINARY, Part II, Section 3, Sub-section (i) of dated the , 2011]

Biometrics How to Put to Use and How Not at All?

Biometrics in Border Management Grand Challenges for Security, Identity and Privacy

Policy Framework for the Regional Biometric Data Exchange Solution

PRESENTATION TITLE. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Prepared by Space and Naval Warfare Systems Center Atlantic

The Application of Biometrics in Critical Infrastructures Operations: Guidance for Security Managers

Blind Signatures in Electronic Voting Systems

Biometric Technology for DLID

Machine Readable Travel Documents: Biometrics Deployment. Barry J. Kefauver

Subpart A General Provisions

Recommended Practice 1701 l

BIOMETRICS 101. Facial Recognition in Oregon

THE GENERAL ASSEMBLY OF PENNSYLVANIA HOUSE BILL

CRS Report for Congress

Biometrics how to put to use and how not at all?

The Angola National ID Card

MACHINE READABLE TRAVEL DOCUMENTS (MRTDs)

BIOMETRIC TECHNOLOGIES IN EMERGENCY MANAGEMENT: THE CASE OF HOTELS

GI-Edition. Proceedings. Lecture Notes in Informatics. Robert Krimmer, Rüdiger Grimm (Eds.) 3 rd international Conference on Electronic Voting 2008

Consumer Attitudes About Biometric Authentication

Biometrics. Version Prepared by: Michael Davis- Hannibal. Softcon Software Control Services (Pty) Ltd.

Biometrics: New Laws and Potential Litigation Implications

HOW CAN BORDER MANAGEMENT SOLUTIONS BETTER MEET CITIZENS EXPECTATIONS?

Biometrics how to put to use and how not at all?

The Upcoming International Biometric Vocabulary Standard

Position Paper IDENT Implementation for U.S. VISIT

Additional Case study UK electoral system

COUNCIL OF THE EUROPEAN UNION. Brussels, 11 November /04 LIMITE VISA 203 COMIX 684 NOTE

Background and Status of the Tanzania National ID System

Smart Voting System using UIDAI

Secure Voter Registration and Eligibility Checking for Nigerian Elections

BIOMETRIC AUTHENTICATION SYSTEMS AND SERVICE DELIVERY IN HEALTHCARE SECTOR IN KENYA

The Case for implementing a Bio-Metric National ID for Voting and/or to replace the Social Security Card

TWELFTH SESSION OF THE FACILITATION DIVISION THE MALAYSIAN ELECTRONIC PASSPORT

1. Delete the words and registration. 3. Delete the word person and substitute therefor the word individual.

International Journal of Research and Review E-ISSN: ; P-ISSN:

e-passports: Uses, Limitations, and Impact on Simplifying Passenger Travel Initiatives

Case: 1:16-cv Document #: 1 Filed: 03/04/16 Page 1 of 16 PageID #:1 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS

CORPORATE HEADQUARTERS

Biometric Authentication: How Do I Know Who You Are?

5/6/2009. E toll Database. Census Database. Database. Database. Consumer Balance and Bill Subscriptions. Mobile Connections.

IDEMIA Identity & Security. Providing identity assurance to. secure & simplify lives N.A.

SMART VOTING. Bhuvanapriya.R#1, Rozil banu.s#2, Sivapriya.P#3 Kalaiselvi.V.K.G# /17/$31.00 c 2017 IEEE ABSTRACT:

Singapore's Automated Clearance using Biometrics

Data Breach Charts. November 2017

TRUE IDENTITY IBORDERS BIOTHENTICATE: SECURING BORDERS WITH BIOMETRICS POSITIONING PAPER

Biometrics Glossary. Introduction. Glossary Terms

GDPR in access control and time and attendance systems using biometric data

Privacy Policy & Terms of Use

OFFICIAL POLICY. Policy Statement

BILL, Explanatory. (These notes form no part of the Bill but are intended only to indicate its general purport)

Acceptance of Biometrics: Things That Matter That We Are Ignoring

REPORT VOLUME 6 MAY/JUNE 2017

Enhanced Driver s Licence (EDL) and Enhanced Identification Card (EIC) Program

European Biometrics Portal. Biometrics in Europe. Trend Report

Acceptance of Biometric in the Kingdom of Saudi Arabia by Bushra Mohamed Elamin Elnaim

CHAPTER 2 LITERATURE REVIEW

REVISOR PMM/NB A

Emerging Biometric Data Risks

Emergence of multimodal biometrics at the Border Biometrics Institute Asia-Pacific Conference

CASE STUDY 2 Portuguese Immigration & Border Service

The Biometric Devil's in the Details

DOD Capstone Concept of Operations for Employing Biometrics in Military Operations

Georgia Computer System Protection Act

Transcription:

CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 23 April 11, 2012 CPSC 467b, Lecture 23 1/39

Biometrics Security and Privacy of Biometric Authentication CPSC 467b, Lecture 23 2/39

Biometrics CPSC 467b, Lecture 23 3/39

Authentication factors There are three kinds of factors used for authentication: Something you know: e.g., a password or a PIN number Something you have: e.g., a token or a cell phone Something you are: e.g., a fingerprint or an iris pattern CPSC 467b, Lecture 23 4/39

Using authentication factors One, two, or even three factors can be required in order to authenticate a user. Two factor authentication is an approach which requires to present two different factors for authentication. For example: A password and a USB token A fingerprint and a smart card A credit card and a signature CPSC 467b, Lecture 23 5/39

CPSC 467b, Lecture 23 6/39

Biometrics Biometrics 1 is the science of establishing the identity of an individual based on physical, chemical, or behavioral attributes of the person. 1 A. K. Jain, P. Flynn, A. Ross, Handbook of Biometrics Springer, 2007 CPSC 467b, Lecture 23 7/39

Biometric modes Identification is a process of establishing subject s identity. Who are you? One to many comparison Authentication is a process of verifying subject s identity. Is that really you? One to one comparison We will focus on biometric authentication. CPSC 467b, Lecture 23 8/39

Pros & cons of biometric authentication Pros: Biometric characteristics uniquely identify an individual Higher degree of security: biometric traits cannot be lost, forgotten, or shared Always available! Cons: Biometric traits cannot be changed. If stolen, can be used to impersonate individual Usability and acceptability issues Privacy concerns CPSC 467b, Lecture 23 9/39

Basic biometric terms 2 Biometric characteristic physiological or behavioral property of an individual Biometric sample analog or digital representation of biometric characteristics before any processing is applied Biometric feature information extracted from a biometric sample Biometric template stored biometric features for the purpose of a comparison 2 M. U. A. Bromba, http://www.bromba.com/faq/biofaqe.htm CPSC 467b, Lecture 23 10/39

Suitable biometric characteristics A biometric characteristic suitable for authentication purposes should have the following properties: 3 Universality everyone should have it Uniqueness it should be different for every person Permanence it should not change with time Collectability it can be quantitatively measured In practice, acceptability is also an important requirement. 3 R. Clarke, Human identification in information systems: Management challenges and public policy issues, Information Technology & People, Vol. 7, No. 4, pp. 6-37, 1994 CPSC 467b, Lecture 23 11/39

Types of biometric characteristics Physiological: Fingerprint Face Iris Retina Hand Ear Behavioral: Voiceprint Keystroke Signature Gait CPSC 467b, Lecture 23 12/39

Comparison of biometric characteristics 4 Biometrics Universality Uniqueness Permanence Collectability Acceptability Face High Low Medium High High Fingerprint Medium High High Medium Medium Hand Medium Medium Medium High Medium Ear Medium Medium High Medium High Iris High High High Medium Low Retina High High Low Low Low Odor High High High Low Medium DNA High High High Low Low Voice Medium Low Low Medium High Gait Medium Low Low High High Keystrokes Low Low Low Medium Medium Signature Low Low Low High High 4 A. Jain, R. Bolle, and S. Pankanti, Introduction to Biometrics http://www.cse.msu.edu/~cse891/sect601/textbook/1.pdf CPSC 467b, Lecture 23 13/39

Biometric protocol A biometric-based protocol consists of two phases: Enrollment phase Acquisition of biometric sample(s) Creation of a biometric template Storage of a biometric template Verification phase Acquisition of biometric sample(s) Comparison with a biometric template Decision CPSC 467b, Lecture 23 14/39

Diagram of a biometric system 5 5 Image retrieved from http://en.wikipedia.org/wiki/biometrics CPSC 467b, Lecture 23 15/39

Acquisition of a biometric sample 4 It is a critical part of the enrollment process and will determine the performance of the entire system. Quality assessment: assessing the suitability of the input data Segmentation: separation of the input data into foreground (object of interest) and background (irrelevant information) CPSC 467b, Lecture 23 16/39

Creation of a biometric template A biometric template is a representation of the features from a biometric sample. Feature extraction: key features of the biometric sample are located, selected, measured and encoded. Characteristic Fingerprint Signature Facial geometry Iris Hand geometry Voice Odor Keyboard strokes Features Finger lines, pore structure Pressure and speed differentials Distance of specific facial features (eyes, nose, mouth) Iris pattern Measurement of fingers and palm Tone or timbre Chemical composition of one s odor Rhythm of keyboard strokes CPSC 467b, Lecture 23 17/39

Example: Fingerprint features 7 Common patterns Less common patterns Minutia are extracted from these features. CPSC 467b, Lecture 23 18/39

Example: Extracting fingerprint features 7 1. Capture an image of a fingerprint 2. Enhance the image 3. Identify minutia CPSC 467b, Lecture 23 19/39

Storage of a biometric template 6 The acceptance of biometric system depends on how secure the templates are. There are four major locations for storing templates: Portable tokens Central databases Sensors Individual workstations 6 A. Patrick and S. Mu, Usability and Acceptability of Biometric Security Devices, National Research Council of Canada CPSC 467b, Lecture 23 20/39

Comparison with a biometric template Each time a user wants to authenticate, the first two steps of the enrollment phase are repeated (acquisition and creation of template). Freshly extracted features are compared with those saved in the reference template. How similar the two samples should be to authenticate a user? CPSC 467b, Lecture 23 21/39

Example: Comparing fingerprint features 7 1. Obtain a fresh fingerprint 2. Extract minutia and create a template 3. Compare with the minutia from the stored template 7 M. Stamp, Information Security Principles and Practice, Wiley, 2006 CPSC 467b, Lecture 23 22/39

Matching fingerprints 8 United Kingdom employs a 16-point minimum match Australia mandates a 12-point minimum match Canada uses no minimum point standard In the US, state jurisdictions set their own minimum point standards FBI has no minimum number that must be identified to declare an absolutely him match, but does rely on a 12-point quality assurance standard Following the ruling of Judge Louis H. Pollak, experts cannot tell juries that two fingerprints are a match, they can only can testify about how the prints were obtained and the similarities and differences between them. 8 S. P. Duffy, Experts May No Longer Testify That Fingerprints Match The Legal Intelligencer, January 9, 2002 CPSC 467b, Lecture 23 23/39

Authentication decision Unlike other authentication methods, biometric authentication does not yield a definitive authentication decision. A decision is made based on how close (similar) is the biometric template obtained in the enrollment phase to the one obtained in the verification phase. If the system is too lenient, it will result in a high number of false acceptances; if too strict, there will be a high number of false rejections. Both are bad! CPSC 467b, Lecture 23 24/39

Biometric errors False Acceptance Rate (FAR) Frequency that a user A is authenticated as user B Security relevant measure Target rate: 0.5% False Rejection Rate (FRR) Frequency that an authorized user is denied access Usability relevant measure Target rate: 5.0% False to Enroll Rate (FER) Frequency that a user cannot enroll into the system Usability relevant measure Target rate: 5.0% CPSC 467b, Lecture 23 25/39

Comparing biometric systems Equal Error Rate (EER) the rate at which both FAR and FRR are equal. It is a quick to compare the performance of biometric systems. In general, the system with the lowest EER is most accurate. CPSC 467b, Lecture 23 26/39

Equal Error Rate 7 CPSC 467b, Lecture 23 27/39

Comparison of biometric systems 9 Finger Voice Iris Face EER 2 3.3% < 1% 4.1 4.6% 4.1% FER 4% 2% 7% 1% FAR 2.5% < 1% 6% 4% FRR 0.1% < 1% 0.001% 10% 9 G. Huntington, Huntington Ventures Ltd. http://www.authenticationworld.com/authentication-biometrics/index.html CPSC 467b, Lecture 23 28/39

Comparison of biometric systems 10 Face Fingerprint Hand Iris Keystrokes Voice EER N/A 2% 1% 0.01% 1.8% 6% FAR 1% 2% 2% 0.94% 7% 2% FRR 10% 2% 2% 0.99% 0.1% 10% Subjects 37437 25000 129 1224 15 30 Face: varied light, indoor /outdoor Fingerprint: rotation and exaggerated skin distortion Hand: with rings and improper placement Iris: indoor environment Keystrokes: during 6 months period Voice: text dependent and multilingual 10 D. Bhattacharyya, R. Ranjan, F. Alisherov, and M. Choi, Biometric Authentication: A Review, International Journal of u- and e- Service, Science and Technology, 2009 CPSC 467b, Lecture 23 29/39

Security and Privacy of Biometric Authentication CPSC 467b, Lecture 23 30/39

Privacy & security concerns Concerns with biometrics: 11 Unauthorized access to biometric data Unauthorized disclosure of biometric data to third parties Use of biometric data for other than intended purpose Collection of biometric data without the knowledge of the individual 11 B. Wirtz, Biometric Systems 101 and Beyond, Secure - The Silicon Trust Quarterly Report, Fall 2000 CPSC 467b, Lecture 23 31/39

Source of the privacy & security issues Recall, that biometric characteristics uniquely identify an individual and cannot be changed. If Eve obtains Alice s biometric data, she can convince Bob that she s her and there is not much Alice can do. 12 Therefore, security of biometric data is extremely important. 12 Intentional oversimplification CPSC 467b, Lecture 23 32/39

If McDonald s offered a free Big Mac in exchange for a DNA sample, there d be lines around the block. Bruce Schneier CPSC 467b, Lecture 23 33/39

Security issues in a biometric system CPSC 467b, Lecture 23 34/39

Biometric security Recall, that authentication is done by comparing a freshly obtained biometric sample with a biometric template created during enrollment. This approach implies that both biometric data must be made available to a verifying party. Securing biometric data is much easier if a sample is obtained and verified on a stand-alone system. Remote biometric authentication is very challenging biometric data can be intercepted during transmission or stolen from the verifying party. CPSC 467b, Lecture 23 35/39

New approach to remote biometric authentication 13 Based on two-factor authentication: combination of possession-based authentication and biometrics. A new way to handle biometric data: users identity is created with respect to a special blinding factor, not the biometric data itself. The verifying party has access only to the blinding factor. Identity verification is based on the difference between biometric data obtained in the enrollment phase and data provided in the verification phrase. Suitable for authentication based on any biometric characteristic. 13 E. Syta, G. Gallegos García, M. Fischer, A. Silberschatz, Strong, Theft-proof, and Privacy-preserving Biometric Authentication, unpublished work CPSC 467b, Lecture 23 36/39

Protocol properties It is secure against a loss of a smart card. The smart card stores only the blinded biometric sample. If an attacker steals Peggy s card, he does not learn anything about her biometric data. It is secure against eavesdroppers. A passive attack will see a stream of blinded differences between two readings of Peggy s biometric data. CPSC 467b, Lecture 23 37/39

Protocol properties It is secure against a dishonest server. An authentication server does not store or receive any biometric data. Users identity is first linked to a blinding factor seed and then to the next state of pseudo-random number generator used to verify the difference between two biometric readings. If the server is compromised, then all that is learned is the PRNG sequence. But even with that information, the sequence of messages sent by the legitimate user does not contain the biometric data but only their difference. CPSC 467b, Lecture 23 38/39

Additional Resources More information on biometrics: NIST, ITL, Introduction to Biometrics, http://biometrics.nist.gov NIST, ITL, Fingerprint Biometrics, http://fingerprint.nist.gov NIST, ITL, Face Biometrics, http://face.nist.gov NIST, ITL, Iris Biometrics, http://iris.nist.gov CPSC 467b, Lecture 23 39/39

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback