Bh Us 02 Smith Biometric
-
Upload
kandagatlamadhuri -
Category
Documents
-
view
217 -
download
0
Transcript of Bh Us 02 Smith Biometric
-
7/29/2019 Bh Us 02 Smith Biometric
1/42
S E C U R EC O M P U T I N G
July 2002 1R. Smith - Biometric Dilemma
The Biometric Dilemma
Rick Smith, Ph.D., CISSP
28 October 2001
-
7/29/2019 Bh Us 02 Smith Biometric
2/42
S E C U R EC O M P U T I N G
July 2002 2R. Smith - Biometric Dilemma
Outline
Biometrics: Why, How, How Strong Attacks, FAR, FRR, Resisting trial-and-error
Server-based Biometrics
Attacking a biometric server Digital spoofing, privacy intrusion, latent print reactivation
Token-based Biometrics
Physical spoofing Voluntary and involuntary spoofing
Summary
-
7/29/2019 Bh Us 02 Smith Biometric
3/42
S E C U R EC O M P U T I N G
July 2002 3R. Smith - Biometric Dilemma
Biometrics: Why?
Eliminate memorization Users dont have to memorize features of their voice, face,
eyes, or fingerprints
Eliminate misplaced tokens Users wont forget to bring fingerprints to work
Cant be delegated Users cant lend fingers or faces to someone else
Often unique Save money and maintain database integrity by eliminating
duplicate enrollments
-
7/29/2019 Bh Us 02 Smith Biometric
4/42
S E C U R EC O M P U T I N G
July 2002 4R. Smith - Biometric Dilemma
The Dilemma
They always look stronger and and easier to usethan they are in practice
Enrollment is difficult Easy enrollment = unreliable authentication
Measures to prevent digital spoofing make even more work foradministrators, almost a double enrollment process
Physical spoofing is easier than wed like Recent examples with fingerprint scanners, face scanners
-
7/29/2019 Bh Us 02 Smith Biometric
5/42
S E C U R EC O M P U T I N G
July 2002 5R. Smith - Biometric Dilemma
Biometrics: How?
Measure a physical trait
The users fingerprint,
hand, eye, face
Measure user behavior
The users voice, written
signature, or keystrokes
From Authentication 2002. Used by permission
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
6/42
S E C U R EC O M P U T I N G
July 2002 6R. Smith - Biometric Dilemma
Biometrics: How Strong?
Three types of attacks
Trial-and-error attack Classic way of measuring biometric strength
Digital spoofing Transmit a digital pattern that mimics that of a legitimate
users biometric signature
Similar to password sniffing and replay
Biometrics cant prevent such attacks by themselves Physical spoofing
Present a biometric sensor with an image that mimics theappearance of a legitimate user
-
7/29/2019 Bh Us 02 Smith Biometric
7/42
-
7/29/2019 Bh Us 02 Smith Biometric
8/42
S E C U R EC O M P U T I N G
July 2002 8R. Smith - Biometric Dilemma
Passwords: A Baseline
ExampleType ofAttack
AverageAttackSpace
Random 8-characterUnix password
Interactiveor Off-Line
245
Dictionary Attack Interactiveor Off-Line
215 to 223
Mouse Pad Search Interactive 21
to 24
Worst Case 21
-
7/29/2019 Bh Us 02 Smith Biometric
9/42
S E C U R EC O M P U T I N G
July 2002 9R. Smith - Biometric Dilemma
Biometric Authentication
Compares users signatureto previouslyestablished patternbuilt from that trait
Biometric pattern file instead of password file
Matching is alwaysapproximate, neverexact
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
10/42
S E C U R EC O M P U T I N G
July 2002 10R. Smith - Biometric Dilemma
Pattern Matching
We compare how closely a signature matchesone users pattern versus anothers pattern
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
11/42
S E C U R EC O M P U T I N G
July 2002 11R. Smith - Biometric Dilemma
Matching Self vs. Others
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
12/42
-
7/29/2019 Bh Us 02 Smith Biometric
13/42
S E C U R EC O M P U T I N G
July 2002 13R. Smith - Biometric Dilemma
Measurement Trade-Offs
We must balance the FAR and the FRR
Lower FAR = Fewer successful attacks Less tolerant of close matches by attackers
Also less tolerant of authentic matches
Therefore increases the FRR
Lower FRR = Easier to use Recognizes a legitimate user the first time
More tolerant of poor matches
Also more tolerant of matches by attackers Therefore increases the FAR
Equal error rate = point where FAR = FAR
-
7/29/2019 Bh Us 02 Smith Biometric
14/42
S E C U R EC O M P U T I N G
July 2002 14R. Smith - Biometric Dilemma
Trial and Error in Practice
ExampleType ofAttack
AverageAttackSpace
Biometric with 1% FAR Team 26
Biometric with 0.01% FAR Team 212
Biometric with One in a million Team 219
Higher security means more mistakes When we reduce the FAR, we increase the FRR
More picky about signatures from legitimate users, too
-
7/29/2019 Bh Us 02 Smith Biometric
15/42
S E C U R EC O M P U T I N G
July 2002 15R. Smith - Biometric Dilemma
Biometric Enrollment
How it works User provides one or more biometric readings
The system converts each reading into a signature
The system constructs the pattern from those signatures
Problems with biometric enrollment Its hard to reliably pre-enroll users
Users must provide biometric readings interactively
Accuracy is time consuming Take trial readings, build tentative patterns, try them out
Take more readings to refine patterns
Higher accuracy requires more trial readings
-
7/29/2019 Bh Us 02 Smith Biometric
16/42
S E C U R EC O M P U T I N G
July 2002 16R. Smith - Biometric Dilemma
Compare with Password orToken Enrollment
Modern systems allow users to self-enroll User enters some personal authentication information
Establish a user name
Establish a password: system generated or user chosen
Establish a token: enter its serial number
Password enrollment is comparatively simple
Tokens require a database associating serial
numbers with individual authentication tokens Database is generated by tokens manufacturer
Enrollment system uses it to establish user account
Tokens PIN is managed by the end user
-
7/29/2019 Bh Us 02 Smith Biometric
17/42
-
7/29/2019 Bh Us 02 Smith Biometric
18/42
S E C U R EC O M P U T I N G
July 2002 18R. Smith - Biometric Dilemma
Server-based biometrics
Boring but important
Some biometric systems require servers When you need a central repository
Identification systems (FBIs AFIS)
Uniqueness systems (community social service orgs)
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
19/42
S E C U R EC O M P U T I N G
July 2002 19R. Smith - Biometric Dilemma
Attacking Server Biometrics
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
20/42
S E C U R EC O M P U T I N G
July 2002 20R. Smith - Biometric Dilemma
Attacks on Server Traffic
Attack on privacy of a users biometrics Defense = encryption while traversing the network
Attack by spoofing a digital biometric reading Defense = authenticating legitimate biometric readers
Both solutions rely on trusted biometric readers
From Authentication 2002. Used by permission
-
7/29/2019 Bh Us 02 Smith Biometric
21/42
S E C U R EC O M P U T I N G
July 2002 21R. Smith - Biometric Dilemma
Trusted Biometric Reader
Blocks either type of attack on server traffic
Security objective reliable data collection
Must embed a cryptographic secret in every
trusted reader Increased development cost
Increased administrative cost administrators must keep thereaders keys safe and up-to-date
Must enroll both users and trusted readers Double enrollment
Database of device keys from biometric vendor
One device per workstation is often like one per user
Standard tokens are traditionally lower-cost devices
-
7/29/2019 Bh Us 02 Smith Biometric
22/42
S E C U R EC O M P U T I N G
July 2002 22R. Smith - Biometric Dilemma
Another Server Attack
Experiments in the US and Germany Willis and Lee of Network ComputingLabs, 1998
Reported in Six Biometric Devices Point The Finger At Security inNetwork Computing, 1 June 1998
Thalheim, Krissler, and Ziegler, 2002
Reported in Body Check, CT(Germany) http://www.heise.de/ct/english/02/11/114/
Attack on capacitive fingerprint sensors Measures change in capacitance due to presence or absence of
material with skin-like response
65Kb sensor collects ~20 minutiae from fingerprint Traditional techniques use 10-12 for identification
Attack exploits the fatty oils left over from the lastuser logon
S C
-
7/29/2019 Bh Us 02 Smith Biometric
23/42
S E C U R EC O M P U T I N G
July 2002 23R. Smith - Biometric Dilemma
Latent Finger Reactivation
Three techniques Oil vs. non-oil regions return difference as humidity increases
1. Breathe on the sensor (Thalheim, et al) You can watch the print reappear as a biometric image
Works occasionally
2. Use a thin-walled plastic bag of warm water More effective, but not 100%
Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al) Attach clear tape to the dust
Press down on the sensor
Most reliable technique almost 100% success rate (Thalheim)
-
7/29/2019 Bh Us 02 Smith Biometric
24/42
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
25/42
S E C U R EC O M P U T I N G
July 2002 25R. Smith - Biometric Dilemma
What about Active
Biometric Authentication?
Some (Dorothy Denning) suggest the use of biometricsin which the pattern incorporates dynamicinformation uniquely associated with the user
Possible techniques
Require any sort of non-static input that matches the built-in pattern Moving the finger around on the fingerprint reader
Challenge response that demands an unpredictable reply
Voice recognition that demands reciting an unpredictable phrase
Both are vulnerable to a dynamic digital attack based
on a copy of the users biometric pattern Ease of use issue
Requires more complex user behavior, which makes it harder to useand less reliable
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
26/42
S E C U R EC O M P U T I N G
July 2002 26R. Smith - Biometric Dilemma
Attacking Active Biometrics
A feasible dynamic attack uses the systems algorithms
to generate an acceptable signature
Example Attacker collects enough biometric samples from the victim to build a
plausible copy of victims biometric pattern During login, attacker is prompted for a spoken phrase from the victim
Attack software generates a digital message based on the users
biometric pattern
There may be a sequence of timed messages or a single message
it doesnt matter
If the server can predict what the answer should be,based on a static biometric pattern, so can the attacker
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
27/42
S E C U R EC O M P U T I N G
July 2002 27R. Smith - Biometric Dilemma
Token-Based Biometrics
Authenticate with biometric + embedded secret
From Authentication 2002. Used by permission
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
28/42
S E C U R EC O M P U T I N G
July 2002 28R. Smith - Biometric Dilemma
Token Technology
Resist copying and other attacks by storing theauthentication secret in a tamper-resistant package.
From Authentication 2002. Used by permission
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
29/42
S E C U R EC O M P U T I N G
July 2002 29R. Smith - Biometric Dilemma
Tokens ResistTrial-and-Error Attacks
ExampleType ofAttack
AverageAttackSpace
Reusable PasswordsInteractiveor Off-Line
21
to 245
Biometrics Team 26
to 219
One-Time Password Tokens Interactiveor Off-Line
219
to 263
Public Key Tokens Off-Line 263
to 2116
These numbers assume that the attackerhas not managed to steal a token
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
30/42
S E C U R EC O M P U T I N G
July 2002 30R. Smith - Biometric Dilemma
Biometric Token Operation
The real authentication is based on a secretembedded in the token
The biometric reading simply unlocks that
secret Benefits
User retains control of own biometric pattern
Biometric signatures dont traverse networks
Problems Biometric Tokens cost more Less space and cost for the biometric reader
The biometric serves as a PIN
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
31/42
S E C U R EC O M P U T I N G
July 2002 31R. Smith - Biometric Dilemma
Attacks on Biometric Tokens
If you can trick the reader, you can probablytrick the token
Digital spoofing shouldnt work
Weve eliminated the vulnerable data path
Latent print reactivation (remember?) Tokens should be able to detect and reject such attacks
Attacks by cloning the biometric artifact Voluntary cloning (the authorized user is an accomplice)
Involuntary cloning (the authorized user is unaware)
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
32/42
S E C U R EC O M P U T I N G
July 2002 32R. Smith - Biometric Dilemma
Voluntary finger cloning
1. Select the casting material Option: softened, free molding plastic (used by Matsumoto)
Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden4. Select the finger cloning material
Option: gelatin (gummy fingers used by Matsumoto)
Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold6. Let the clone harden
Youre Done!
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
33/42
S E C U R EC O M P U T I N G
July 2002 33R. Smith - Biometric Dilemma
Matsumotos Technique
Only a few dollars worth of materials
-
7/29/2019 Bh Us 02 Smith Biometric
34/42
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
35/42
S E C U R EC O M P U T I N G
July 2002 35R. Smith - Biometric Dilemma
Involuntary Cloning
The stuff of Hollywood three examples Sneakers(1992) My voice is my password
Never Say Never Again(1983) cloned retina
Charlies Angels (2000)
Fingerprints from beer bottles
Eye scan from oom-pah laser
You clone the biometric without victims
knowledge or intentional assistance
Bad news: it works!
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
36/42
S E C U R EC O M P U T I N G
July 2002 36R. Smith - Biometric Dilemma
Cloned Face
More work byThalheim, Krissler, and Ziegler Reported in Body Check, CT (Germany)
http://www.heise.de/ct/english/02/11/114/
Show the camera a photograph or video clip
instead of the real face Video clip required to defeat dynamic biometric checks
Photo was taken without the victimsassistance (video possible, too)
Face recognition was fooled Cognitec's FaceVACS-Logon using the recommended Philips's
ToUcam PCVC 740K camera
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
37/42
S E C U R EC O M P U T I N G
July 2002 37R. Smith - Biometric Dilemma
Matsumotos 2nd Technique
Cloning a fingerprint from a latent print
1. Capture clean, complete fingerprint on a glass, CD,
or other smooth, clean surface2. Pick it up using tape and graphite
3. Scan it into a computer at high resoultion
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material6. Use the PCB as a mold for a gummy finger
S E C U R E M ki G Fi
-
7/29/2019 Bh Us 02 Smith Biometric
38/42
S E C U R EC O M P U T I N G
July 2002 38R. Smith - Biometric Dilemma
Making a Gummy Fingerfrom a Latent Print
From Matsumoto, ITU-T Workshop
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
39/42
S E C U R EC O M P U T I N G
July 2002 39R. Smith - Biometric Dilemma
The Latent Print Dilemma
Tokens tend to be smooth objects of metal orplastic materials that hold latent prints well
Can an attacker steal a token, lift the ownerslatent prints from it, and construct a workingclone of the owners fingerprint?
Worse, can an attacker reactivate a latent
image of the biometric from the sensor itself?
Answer: in some cases, YES.
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
40/42
S E C U R EC O M P U T I N G
July 2002 40R. Smith - Biometric Dilemma
Finger Cloning Effectiveness
Willis and Lee could trick 4 of 6 sensors testedin 1998 with cloned fingers
Thalheim et al could trick both capacitive andoptical sensors with cloned fingers Products from Siemens, Cherry, Eutron, Verdicom
Latent image reactivation only worked on capacitive sensors,not on optical ones
Matsumoto tested 11 capacitive and optical
sensors Cloned fingers tricked all of them
Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens,Secugen, Ethentica
-
7/29/2019 Bh Us 02 Smith Biometric
41/42
S E C U R E
-
7/29/2019 Bh Us 02 Smith Biometric
42/42
S E C U R EC O M P U T I N G
Thank You!
Questions? Comments?
My e-mail:
http://www.visi.com/crypto
http://www.securecomputing.com
http://www.visi.com/cryptohttp://www.securecomputing.com/http://www.securecomputing.com/http://www.visi.com/crypto