bh us 02 smith biometric

Information about bh us 02 smith biometric

Published on March 24, 2008

Author: Silvestre

Source: authorstream.com

Content

The Biometric Dilemma:  The Biometric Dilemma Rick Smith, Ph.D., CISSP [email protected] 28 October 2001 Outline:  Outline Biometrics: Why, How, How Strong Attacks, FAR, FRR, Resisting trial-and-error Server-based Biometrics Attacking a biometric server Digital spoofing, privacy intrusion, latent print reactivation Token-based Biometrics Physical spoofing Voluntary and involuntary spoofing Summary Biometrics: Why?:  Biometrics: Why? Eliminate memorization – Users don’t have to memorize features of their voice, face, eyes, or fingerprints Eliminate misplaced tokens – Users won’t forget to bring fingerprints to work Can’t be delegated – Users can’t lend fingers or faces to someone else Often unique – Save money and maintain database integrity by eliminating duplicate enrollments The Dilemma:  The Dilemma They always look stronger and and easier to use than they are in practice Enrollment is difficult Easy enrollment = unreliable authentication Measures to prevent digital spoofing make even more work for administrators, almost a “double enrollment” process Physical spoofing is easier than we’d like Recent examples with fingerprint scanners, face scanners Biometrics: How?:  Biometrics: How? Measure a physical trait The user’s fingerprint, hand, eye, face Measure user behavior The user’s voice, written signature, or keystrokes From Authentication © 2002. Used by permission From Authentication © 2002. Used by permission Biometrics: How Strong?:  Biometrics: How Strong? Three types of attacks Trial-and-error attack Classic way of measuring biometric strength Digital spoofing Transmit a digital pattern that mimics that of a legitimate user’s biometric signature Similar to password sniffing and replay Biometrics can’t prevent such attacks by themselves Physical spoofing Present a biometric sensor with an image that mimics the appearance of a legitimate user Biometric Trial-and-Error:  Biometric Trial-and-Error How many trials are needed to achieve a 50-50 chance of producing a matching reading? Typical objective: 1 in 1,000,000  219 Some systems achieve this, but most aren’t that accurate in practical settings Team-based attack A group of individuals take turns pretending to be a legitimate user (5 people X 10 finger = 50 fingers) Passwords: A Baseline:  Passwords: A Baseline Biometric Authentication:  Biometric Authentication Compares user’s signature to previously established pattern built from that trait “Biometric pattern” file instead of password file Matching is always approximate, never exact Pattern Matching:  Pattern Matching We compare how closely a signature matches one user’s pattern versus another’s pattern From Authentication © 2002. Used by permission Matching Self vs. Others:  Matching Self vs. Others From Authentication © 2002. Used by permission Matching in Practice:  Matching in Practice FAR = recognized Bob instead; FRR = doesn’t recognize me From Authentication © 2002. Used by permission Measurement Trade-Offs:  Measurement Trade-Offs We must balance the FAR and the FRR Lower FAR = Fewer successful attacks Less tolerant of close matches by attackers Also less tolerant of authentic matches Therefore – increases the FRR Lower FRR = Easier to use Recognizes a legitimate user the first time More tolerant of poor matches Also more tolerant of matches by attackers Therefore – increases the FAR Equal error rate = point where FAR = FAR Trial and Error in Practice:  Trial and Error in Practice Higher security means more mistakes When we reduce the FAR, we increase the FRR More picky about signatures from legitimate users, too Biometric Enrollment:  Biometric Enrollment How it works User provides one or more biometric readings The system converts each reading into a signature The system constructs the pattern from those signatures Problems with biometric enrollment It’s hard to reliably “pre-enroll” users Users must provide biometric readings interactively Accuracy is time consuming Take trial readings, build tentative patterns, try them out Take more readings to refine patterns Higher accuracy requires more trial readings Compare with Password or Token Enrollment:  Compare with Password or Token Enrollment Modern systems allow users to self-enroll User enters some personal authentication information Establish a user name Establish a password: system generated or user chosen Establish a token: enter its serial number Password enrollment is comparatively simple Tokens require a database associating serial numbers with individual authentication tokens Database is generated by token’s manufacturer Enrollment system uses it to establish user account Token’s PIN is managed by the end user Biometric Privacy:  Biometric Privacy The biometric pattern acts like a password But biometrics are not secrets Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes Users can’t change biometrics if someone makes a copy We can trace people by following their biometrics as they’re saved in databases Server-based biometrics:  Server-based biometrics Boring but important Some biometric systems require servers When you need a central repository Identification systems (FBI’s AFIS) Uniqueness systems (community social service orgs) Attacking Server Biometrics:  Attacking Server Biometrics From Authentication © 2002. Used by permission Attacks on Server Traffic:  Attacks on Server Traffic Attack on privacy of a user’s biometrics Defense = encryption while traversing the network Attack by spoofing a digital biometric reading Defense = authenticating legitimate biometric readers Both solutions rely on trusted biometric readers From Authentication © 2002. Used by permission Trusted Biometric Reader:  Trusted Biometric Reader Blocks either type of attack on server traffic Security objective – reliable data collection Must embed a cryptographic secret in every trusted reader Increased development cost Increased administrative cost – administrators must keep the reader’s keys safe and up-to-date Must enroll both users and trusted readers “Double enrollment” Database of device keys from biometric vendor One device per workstation is often like one per user Standard tokens are traditionally lower-cost devices Another Server Attack:  Another Server Attack Experiments in the US and Germany Willis and Lee of Network Computing Labs, 1998 Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998 Thalheim, Krissler, and Ziegler, 2002 Reported in “Body Check,” C’T (Germany) http://www.heise.de/ct/english/02/11/114/ Attack on “capacitive” fingerprint sensors Measures change in capacitance due to presence or absence of material with skin-like response 65Kb sensor collects ~20 minutiae from fingerprint Traditional techniques use 10-12 for identification Attack exploits the fatty oils left over from the last user logon Latent Finger Reactivation:  Latent Finger Reactivation Three techniques Oil vs. non-oil regions return difference as humidity increases Breathe on the sensor (Thalheim, et al) You can watch the print reappear as a biometric image Works occasionally Use a thin-walled plastic bag of warm water More effective, but not 100% Works occasionally even when system is set to maximum sensitivity Dust with graphite (Willis et al; Thalheim et al) Attach clear tape to the dust Press down on the sensor Most reliable technique – almost 100% success rate (Thalheim) This Shouldn’t Work:  This Shouldn’t Work According to Siemens – vendor of the “ID Mouse” used in those examples – Authentication procedure remembers the last fingerprint used System rejects a match that’s “too close” to the last reading as well as a match that’s “too far” from the pattern Observations Defense didn’t work in these experiments Tape can be repositioned to create a ‘different’ reading Hard to track through multiple biometric readers Assume the user logs in at multiple locations over time Then the latent image on some reader is not the most recent one accepted for login What about “Active” Biometric Authentication?:  What about “Active” Biometric Authentication? Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the user Possible techniques Require any sort of non-static input that matches the built-in pattern Moving the finger around on the fingerprint reader Challenge response that demands an unpredictable reply Voice recognition that demands reciting an unpredictable phrase Both are vulnerable to a dynamic digital attack based on a copy of the user’s biometric pattern Ease of use issue Requires more complex user behavior, which makes it harder to use and less reliable Attacking Active Biometrics:  Attacking Active Biometrics A feasible dynamic attack uses the system’s algorithms to generate an acceptable signature Example Attacker collects enough biometric samples from the victim to build a plausible copy of victim’s biometric pattern During login, attacker is prompted for a spoken phrase from the victim Attack software generates a digital message based on the user’s biometric pattern There may be a sequence of timed messages or a single message – it doesn’t matter If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker Token-Based Biometrics:  Token-Based Biometrics Authenticate with biometric + embedded secret From Authentication © 2002. Used by permission Token Technology:  Token Technology Resist copying and other attacks by storing the authentication secret in a tamper-resistant package. From Authentication © 2002. Used by permission Tokens Resist Trial-and-Error Attacks:  Tokens Resist Trial-and-Error Attacks These numbers assume that the attacker has not managed to steal a token Biometric Token Operation:  Biometric Token Operation The “real” authentication is based on a secret embedded in the token The biometric reading simply “unlocks” that secret Benefits User retains control of own biometric pattern Biometric signatures don’t traverse networks Problems Biometric Tokens cost more Less space and cost for the biometric reader The biometric serves as a PIN Attacks on Biometric Tokens:  Attacks on Biometric Tokens If you can trick the reader, you can probably trick the token Digital spoofing shouldn’t work We’ve eliminated the vulnerable data path Latent print reactivation (remember?) Tokens should be able to detect and reject such attacks Attacks by cloning the biometric artifact Voluntary cloning (the authorized user is an accomplice) Involuntary cloning (the authorized user is unaware) Voluntary finger cloning:  Voluntary finger cloning Select the casting material Option: softened, free molding plastic (used by Matsumoto) Option: part of a large, soft wax candle (used by Willis; Thalheim) Push the fingertip into the soft material Let material harden Select the finger cloning material Option: gelatin (“gummy fingers” used by Matsumoto) Option: silicone (used by Willis; Thalheim) Pour a layer of cloning material into the mold Let the clone harden You’re Done! Matsumoto’s Technique:  Matsumoto’s Technique Only a few dollars’ worth of materials Making the Actual Clone:  Making the Actual Clone You can place the “gummy finger” over your real finger. Observers aren’t likely to detect it when you use it on a fingerprint reader. (Matsumoto) Involuntary Cloning:  Involuntary Cloning The stuff of Hollywood – three examples Sneakers (1992) “My voice is my password” Never Say Never Again (1983) cloned retina Charlie’s Angels (2000) Fingerprints from beer bottles Eye scan from oom-pah laser You clone the biometric without victim’s knowledge or intentional assistance Bad news: it works! Cloned Face:  Cloned Face More work by Thalheim, Krissler, and Ziegler Reported in “Body Check,” C’T (Germany) http://www.heise.de/ct/english/02/11/114/ Show the camera a photograph or video clip instead of the real face Video clip required to defeat “dynamic” biometric checks Photo was taken without the victim’s assistance (video possible, too) Face recognition was fooled Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera Matsumoto’s 2nd Technique:  Matsumoto’s 2nd Technique Cloning a fingerprint from a latent print Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface Pick it up using tape and graphite Scan it into a computer at high resoultion Enhance the fingerprint image Etch it onto printed circuit board (PCB) material Use the PCB as a mold for a “gummy finger” Making a Gummy Finger from a Latent Print:  Making a Gummy Finger from a Latent Print From Matsumoto, ITU-T Workshop The Latent Print Dilemma:  The Latent Print Dilemma Tokens tend to be smooth objects of metal or plastic – materials that hold latent prints well Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint? Worse, can an attacker reactivate a latent image of the biometric from the sensor itself? Answer: in some cases, YES. Finger Cloning Effectiveness:  Finger Cloning Effectiveness Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers Thalheim et al could trick both “capacitive” and “optical” sensors with cloned fingers Products from Siemens, Cherry, Eutron, Verdicom Latent image reactivation only worked on capacitive sensors, not on optical ones Matsumoto tested 11 capacitive and optical sensors Cloned fingers tricked all of them Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica Summary:  Summary Traditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilities Networked biometrics require trusted readers that pose extra administrative headaches We can build physical clones of biometric features that spoof biometric readers Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint We can often build clones without the legitimate user’s intentional participation Thank You!:  Thank You! Questions? Comments? My e-mail: [email protected] http://www.visi.com/crypto http://www.securecomputing.com

Related presentations


Other presentations created by Silvestre

Music and TOK
15. 01. 2008
0 views

Music and TOK

CAP08Lesson7
08. 05. 2008
0 views

CAP08Lesson7

VALENTINI WANKA 1165498491
07. 05. 2008
0 views

VALENTINI WANKA 1165498491

LSE Olympics slides
02. 05. 2008
0 views

LSE Olympics slides

2007525222912917
30. 04. 2008
0 views

2007525222912917

2005511164441155
24. 04. 2008
0 views

2005511164441155

2005317110534 9
22. 04. 2008
0 views

2005317110534 9

cooperation latvia
17. 04. 2008
0 views

cooperation latvia

B4 Qian 0215
15. 04. 2008
0 views

B4 Qian 0215

ZigBee Master
08. 04. 2008
0 views

ZigBee Master

Health Care Waste
18. 01. 2008
0 views

Health Care Waste

numbergendercase
11. 01. 2008
0 views

numbergendercase

cis bhs fhs foodborne 36957 7
12. 01. 2008
0 views

cis bhs fhs foodborne 36957 7

opinion
13. 01. 2008
0 views

opinion

ConsBeh Pt 2of3 PsyInfl
13. 01. 2008
0 views

ConsBeh Pt 2of3 PsyInfl

Child Protection
17. 01. 2008
0 views

Child Protection

biosummer04 yang keynote
17. 01. 2008
0 views

biosummer04 yang keynote

Satellite Testing
17. 01. 2008
0 views

Satellite Testing

COEL ExtRev
16. 01. 2008
0 views

COEL ExtRev

rabenhorstDRCS
19. 01. 2008
0 views

rabenhorstDRCS

Vermont Challenge poster Ding
21. 01. 2008
0 views

Vermont Challenge poster Ding

Cocoaine Chapter 6
22. 01. 2008
0 views

Cocoaine Chapter 6

AFEI NCO presentation
23. 01. 2008
0 views

AFEI NCO presentation

dubaitwo
24. 01. 2008
0 views

dubaitwo

Decision Making 10 06 p
05. 02. 2008
0 views

Decision Making 10 06 p

SCHLEGEL Thomas
12. 02. 2008
0 views

SCHLEGEL Thomas

crager xmastree1
22. 01. 2008
0 views

crager xmastree1

EDEA 630 Chapter 12 PowerPoint
28. 01. 2008
0 views

EDEA 630 Chapter 12 PowerPoint

Chapter 14
29. 01. 2008
0 views

Chapter 14

Activating Your Heart
29. 01. 2008
0 views

Activating Your Heart

Rome UPU PostCode StefanLindholm
17. 01. 2008
0 views

Rome UPU PostCode StefanLindholm

OS0607 YWANG what is good soil
22. 01. 2008
0 views

OS0607 YWANG what is good soil

CellPhones
30. 01. 2008
0 views

CellPhones

Keeoing Fit and Healthy
07. 02. 2008
0 views

Keeoing Fit and Healthy

Metamorphism
10. 01. 2008
0 views

Metamorphism

AW1
21. 01. 2008
0 views

AW1

MLA Documentation
14. 02. 2008
0 views

MLA Documentation

pps 308
14. 02. 2008
0 views

pps 308

Generic
22. 02. 2008
0 views

Generic

220 L13 Constantine
25. 02. 2008
0 views

220 L13 Constantine

48 The Hearts of the Children
08. 03. 2008
0 views

48 The Hearts of the Children

TZ Course and trip
14. 03. 2008
0 views

TZ Course and trip

injury guidelines
15. 03. 2008
0 views

injury guidelines

College Prep for HS Students
19. 03. 2008
0 views

College Prep for HS Students

ATTC 1981 2007
16. 03. 2008
0 views

ATTC 1981 2007

lenovo
14. 04. 2008
0 views

lenovo

Peds Indonesia
14. 01. 2008
0 views

Peds Indonesia

Trish Skillman Presentation
16. 01. 2008
0 views

Trish Skillman Presentation

KKurani 2 14 07
08. 02. 2008
0 views

KKurani 2 14 07

condon
09. 01. 2008
0 views

condon

anthony russell
10. 01. 2008
0 views

anthony russell

Marketingweek2
04. 02. 2008
0 views

Marketingweek2

SGP03
28. 02. 2008
0 views

SGP03

HKPresentationJmSeig neur
10. 04. 2008
0 views

HKPresentationJmSeig neur

s3 Calzadilla Sarmiento
22. 01. 2008
0 views

s3 Calzadilla Sarmiento

Budzet Mon 2007 ang
07. 03. 2008
0 views

Budzet Mon 2007 ang

Villeneuve Can Rpt
24. 01. 2008
0 views

Villeneuve Can Rpt

GlobalIT Class4
31. 03. 2008
0 views

GlobalIT Class4

icongo a z funds raise
15. 02. 2008
0 views

icongo a z funds raise

bredden först
07. 02. 2008
0 views

bredden först

habitat cluj
23. 01. 2008
0 views

habitat cluj

caringsocietypostKuu rne nov01
20. 02. 2008
0 views

caringsocietypostKuu rne nov01

MELL ASU 0708CCPOverview
10. 01. 2008
0 views

MELL ASU 0708CCPOverview

SETA 2 ETHICAL ATTITUDEs
17. 01. 2008
0 views

SETA 2 ETHICAL ATTITUDEs

Flex Benefit Coordinator
09. 01. 2008
0 views

Flex Benefit Coordinator

filmteaching
05. 02. 2008
0 views

filmteaching