Post on 16-Jan-2016
Managing Secure Biometric Systems
Meghan Armes
IA Management
April 24, 2007

Overview
Description/Definition
Why Use Biometrics
Commonly Used Biometrics
– Pros/Cons
Security Issues
Future Applications
Conclusion

Definition/Description of Biometrics
Literally, “life measurement”
Authentication mechanisms:
– Something you are
– Something you produce
Examples:
– Fingerprints
– Voice
– Hand topology

Definition/Description of Biometrics
Technology scans human characteristics
– Converts images to unique points of reference that are digitized and encrypted
– Only 3 are considered “truly unique”:
  Fingerprints
  Retina (blood vessel pattern)
  Iris
– DNA/genetic material also unique, but not cost-effective or socially accepted

Why Use Biometrics
Takes advantage of some element that is inherent to the user
Used to authenticate users so they can be authorized and given access to resources

Commonly Used Biometrics
Fingerprints
Palm scan
Hand geometry
Hand topology
ID cards (face representation)
Facial recognition
Retina scan
Iris scan
Signature recognition
Voice recognition

Commonly Used Biometrics
Signature recognition/signature capture often used in retail stores
– Signatures are digitized, compared to database for validation or saved for reference
– Signatures can vary: age, fatigue, speed with which they’re written

Commonly Used Biometrics
Voice recognition captures analog waveforms of human speech
– Compared to stored version
– User given phrase they must read each time
– May vary: age, illness, fatigue, background noise

Commonly Used Biometrics
Keystroke pattern recognition: timing between key signals
– User types in a known/given sequence of keystrokes
– Can provide unique identification when measured with sufficient precision
– Can vary: injury, fatigue, familiarity with typing the known phrase

Security Issues in Biometrics
Three basic criteria of evaluating biometric technologies:
1. False reject rate: percentage of authorized users denied access
2. False accept rate: percentage of unauthorized users given access
3. Crossover error rate: point at which the number of false rejections = number of false acceptances

Security Issues in Biometrics
False Reject Rate: result of failure in biometric device
Also called Type I error
Obstructs legitimate use (not often seen as a serious threat, merely an annoyance)

Security Issues in Biometrics
False Accept Rate: also a result of biometric device failure
Type II error
Serious security breach: avoid by using multiple authentication measures to back up failing device

Security Issues in Biometrics
Crossover Error Rate (CER): optimal outcome of biometrics-based systems
CER used to compare biometrics, varies among manufacturers
Lower number is best (CER of 1% is better than CER of 5%)

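An added example, not part of the original slides: the three evaluation criteria computed from match scores by sweeping the accept/reject threshold. The score lists, the 0.0-1.0 score scale and all function names are constructed assumptions for illustration.

```python
# Constructed sample match scores (higher = closer match); not real device data.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.73, 0.81, 0.69, 0.90]   # authorized users
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.66, 0.30, 0.71, 0.41, 0.18, 0.55]  # unauthorized users


def false_reject_rate(genuine, threshold):
    """Type I error: share of authorized attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type II error: share of unauthorized attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds 0.00..1.00 and return (threshold, frr, far) at the
    first point where false rejections and false acceptances are closest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


if __name__ == "__main__":
    # A strict threshold blocks impostors but rejects authorized users, and vice versa.
    for t in (0.30, 0.67, 0.90):
        print(f"threshold={t:.2f}  FRR={false_reject_rate(GENUINE, t):.0%}  "
              f"FAR={false_accept_rate(IMPOSTOR, t):.0%}")
    t, frr, far = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER reached at threshold={t:.2f}: FRR={frr:.0%}, FAR={far:.0%}")
```

Running the same sweep over score sets from two devices gives one CER per device, which is the comparison the slide describes: the device with the lower CER is the better one.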
Security Issues in Biometrics
Important to balance system’s effectiveness with intrusiveness and acceptability
Increase in rate of effectiveness usually means decrease in rate of acceptability

Security Issues in Biometrics
Effective, Most to Least
Retina pattern recognition
Fingerprint recognition
Handprint recognition
Voice pattern recognition
Keystroke pattern recognition
Signature recognition

Accepted, Most to Least
Keystroke pattern recognition
Signature recognition
Voice pattern recognition
Handprint recognition
Fingerprint recognition
Retina pattern recognition

Security Issues in Biometrics
Cost: biometric technology averages more than $100/user just for simple thumbprint reader
Interoperability: systems come from independent vendors so systems are not standardized
Social challenge: users unwilling to accept unfamiliar, invasive methods

Future Applications of Biometrics
Integration in passports for the US, UK, and EU
President Bush: future legal immigrants and visitors to the US should expect to be card-indexed and fingerprinted
– ID card with digitized fingerprints

Future Applications of Biometrics
Certification and Biometrics: the Security Certified Program offers:
– Public Key Infrastructure (PKI) and Biometrics Concepts and Planning
– PKI and Biometrics Implementation

Conclusion
Biometrics as authentication device
Why use biometrics
Commonly used biometrics
– All have downside
Security Issues in Biometrics
– Effective vs. Accepted
Future applications

Sources
Management of Information Security textbook, by Michael E. Whitman and Herbert J. Mattord, chapters 9 and 10
http://en.wikipedia.org/wiki/Biometric#United_States

Questions