Jtd1959@gmail.com
INTRODUCTION
• Old World methods of trust and authentication
– Personal introductions, documents
– Key role player is the authenticator
• New World requirements
– Anonymous, large scale, short term relationships
– Key requirement is building up of trust
• No defence mechanisms of older methods present in newer systems
Authentication by Technology
• Requires the exchange of certain FACTORS
• Requires an authority who can verify these factors
• Requires an authority who can provide permission to build a relationship and transact
...Authentication by Technology
Factors are classified into 3 types
• Ownership factor like cards, badges or keys
• Knowledge factor like user id, password and pins
• Inheritance factor like weight, height, face shape, color of eyes/hair, birth marks etc. all nicely encoded in a photo
Properties of different Factors
Table 1. Properties of different Factors
| Factors | Examples | Desired Properties | Available properties |
|---|---|---|---|
| Ownership factor (What you have) | Cards, Badges, Keys | Unique and Shareable | Yes |
| | | No Duplication | Usually can be duplicated |
| | | Revocable | Yes |
| Knowledge factor (What you know) | User ID, Password, PIN | Unique and Shareable | Yes (within a particular context) |
| | | Hard to guess, easy to remember | Usually the reverse |
| | | Must be a secret | |
| Inheritance factor (What you are: Something Unique about you) | Fingerprint, Face, Iris, Voice, Retina | Easily Digitized, Easily Verifiable, Non Spoofable, Time Invariant, Environment Invariant | Discussed below |
The Inheritance Factor - Biometrics
The Subject of discussion for today is the Inheritance Factor – Biometrics
• Implementation difficulties
• Vulnerabilities
• The authentication process and its vulnerabilities, in brief
• Since the UIDAI has chosen the use of fingerprints and iris as a means of authentication, we will be discussing only these factors
Finger Print Scanners
Most commonly used Finger Print scanners
Sensor Technology   Scanner types   Live finger detection   Number of fingers
Optical Swipe Conductivity Single
Capacitive Static contact Thermal Paired
Thermal Static non contact Both All
RF Resistive Capacitive
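Pupil detection: circular edge detector

$$\max_{(r,\,x_0,\,y_0)} \; G_\sigma(r) \ast \frac{\partial}{\partial r} \int_{r,\,x_0,\,y_0} \frac{I(x,y)}{2\pi r}\, ds$$

Segmenting sclera

$$\max_{r \in [1.5 r_0,\; 10 r_0]} \; \frac{\partial}{\partial r} \int_{\rho = r-\delta}^{r+\delta} \frac{2}{\pi \delta r} \int_{\theta = \phi - \pi/8}^{\phi + \pi/8} I(\rho,\theta)\, \rho \, d\rho \, d\theta$$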
Fig 8: An Iris with circular segmentation and the maths involved in deriving the 2048 bit value
The Process
• De duplication and storage
The Authentication process
• Capture image
• Process image
• Extract Features
• Create Template
• Encryption
• Transmission
• Receive result
• UIDAI has not specified iris for authentication*
Fig 13: Comparison of minutiae with stored template
Threats faced by biometric systems
• Threat agents
– Only simple impostor, without much sophistication or resources. We shall leave out cross-border attack vectors, as pilfering state subsidies may not be their highest priority
• Threat Vectors
– Fake credentials and replay attacks
• System Weaknesses
– Extraction of digital keys, use of internal facilities of sensors
Desired Characteristics And Limitations
• Easy and accurate Digitization of the presented bio characteristic
• Time Invariant
• Environment Invariant
• Spoof proof
... Limitations in enrollment / auth
• Easy and accurate Digitization – neither easy nor accurate
• Too many wrong methods, results in unreproducible template
• Guided enrollment useless for auth
• Very difficult for occasional users
• Manual overrides = more holes
Fig 14: How not to place your finger on the sensor
... Limitations in enrollment / auth
• Time invariance – a myth
– Ageing changes fingerprints (1)
– Skin ailments make auth difficult if not impossible
– No large scale studies on heterogeneous populations
– Will require frequent re-enrollment – aka more holes
– No (available?) studies on iris variations due to ageing
– Errors due to unknown causes (2)
1) https://www.cerias.purdue.edu/apps/reports_and_papers/view/3155/
2) http://biometrics.nist.gov/cs_links/quality/workshopII/proc/Kim_Analysis_of_Effect_of_Fingerprint_Sample_Quality_in_Template_Ageing.pdf
... Limitations in enrollment / auth
• Environment invariance – a myth
– Waterlogged hands change fingerprints' machine readability
– Dry skin changes fingerprints' machine readability
– Will require frequent re-enrollment – aka more holes
– No (available?) studies on iris variations due to harsh environments
– Inter device variations
http://www.slideshare.net/bspalabs/2008-investigating-the-relationship-between-fingerprint-image-quality-and-skin-characteristics.
... Limitations in enrollment / auth
• Non-Spoofability
– Biometrics are the worst
– Fingerprints are spoofed by gummy finger technique
– Iris are spoofed by photographs
– Iris are spoofed by patterned contacts
Spoofing made easy - Fingerprints
• Uses common ingredients
• Fools all systems with greater than 60% repeatability
• Newer materials and techniques even more effective
http://cryptome.org/gummy.htm
Spoofing made easy - Iris
• Buy from the net to create fake ids for sale
• PCB etching techniques for masquerading
• Older technique using high res photograph with pupil holes
Fig A.3-1: Spiderman returns
http://www.visiondirect.com/lens/default.asp?catid=10774&trx=LeftNav&trxp1=27087&trxp2=10774&trxp3=2
Attack Vectors requiring skill
• Template reconstruction
– Biometric id systems store data as templates, usually a few kilobytes in size. It has been shown that a biometric fingerprint system can be compromised by recreating the biometric using the stored template
– Template extraction and storage a feature of systems
... Attack Vectors requiring skill
• Key duplication
– Trivial to break into the device and extract keys
– Addition and deletion of keys a feature
– Even in locked down devices, the key can be recovered by simply copying the onboard flash to a pc and reusing the backup in a device purchased from the market
... Attack Vectors requiring skill
• Replay attack at sensor pins
– The sensor interfaces are relatively simple
– Produce raw data (Fig 4). It is possible to record all data, and then replay that data
– This attack requires some technical skill
– However once developed it can be mass produced and will be undetectable
Biometrics WORST CHARACTERISTIC
• Cannot be withdrawn
• Cannot be changed
• This violates the basic requirement of any id system
Inherent problems with Biometric Systems
• FAR - False Acceptance Rate indicates the number of wrong matches of a presented biometric – mistakenly identifying one person as another
• FRR - False Rejection Rate (also called False Non Match Rate) indicates the number of wrong rejects of a presented biometric.
• Best FAR of .00060 for fingerprints
• Best FAR of .000120 for Iris
• Best FRR of .0060 for fingerprints
• Best FRR of .0012 for Iris
... Inherent problems with Biometric Systems

| | FAR (%) | FRR (%) | Adult Population (Million) | False acceptance (Million) | False Reject (Million) |
|---|---|---|---|---|---|
| Fingerprint | 0.000600 | 0.0060 | 850 | 0.51 | 5.1 |
| Iris | 0.000120 | 0.0012 | 850 | 0.1 | 1.02 |
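
How FAR and FRR are measured from match scores, and how the best-case rates quoted above turn into error counts for 850 million adults. This is an added example, not part of the original slides: the score lists and function names are constructed for illustration, and the rates are applied as fractions, with one authentication attempt per person assumed.

```python
"""FAR/FRR from match scores, and their effect at population scale."""

# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, 0.73, 0.90, 0.55, 0.87]
IMPOSTOR = [0.12, 0.30, 0.41, 0.22, 0.58, 0.35, 0.66, 0.18, 0.27, 0.49]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """FAR and FRR at each threshold: raising it trades FAR for FRR."""
    return [(t,) + far_frr(genuine, impostor, t) for t in thresholds]


def expected_errors(population, far, frr):
    """Expected (false accepts, false rejects) for one attempt per person.

    Rates are fractions; the result is in the same unit as `population`.
    """
    return population * far, population * frr


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7]):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
    # Best-case rates quoted on the slides, adult population of 850 million.
    for name, far, frr in [("Fingerprint", 0.000600, 0.0060),
                           ("Iris", 0.000120, 0.0012)]:
        fa, fr = expected_errors(850, far, frr)
        print(f"{name}: {fa:.2f}M false accepts, {fr:.2f}M false rejects")
```

The sweep shows that no threshold drives both rates to zero once the genuine and impostor score ranges overlap, so tuning a matcher only moves errors between the two columns of the table.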