Biometric For Authentication, Do we need it?

Christophe Rosenberger, GREYC Research Lab - France


The TES cluster and contactless (Le pôle TES et le sans-contact)

OUTLINE

Introduction

User authentication

GREYC - E-payment & Biometrics

Introduction to biometrics

Usable biometric solutions

Perspectives


Introduction

E-transactions (© E-secure Transactions Cluster)

E-Secure transactions


Digital identity management

One individual has many identities.

Introduction


User authentication:

Authentication methods are based on:

• We know [Secret]

• We own [Token, smartcard, RFID tag]

• We Are [Biometrics]

• The way we do things [Behavioral biometrics]

• The use of a reliable third party [Relationship]

They are called authentication factors.

Introduction


Digital identity management

One individual can have different authentication factors.

Introduction


Introduction

Trends

Trust in the identity of a user or a client

Guarantee security (difficult to compromise)

Respect the privacy

Facilitate the usability


USER AUTHENTICATION


Solutions in the market

User authentication


Biometrics

The only user authentication method

It is easier to use

It is much more difficult to attack or falsify

User authentication


GREYC RESEARCH LAB

E-payment & Biometrics


ENSICAEN

School of engineering of Caen

~ 780 students

Department of Computer science :

E-payment & Computer security: only one in France

Strong partnerships with companies: Gemalto, Morpho, Fime...


Laboratory staff:

• 7 CNRS researchers
• 25 Full professors
• 18 Associate professors
• 48 Assistant professors
• 79 PhD students
• 17 permanent staff
• 30 Engineers and post-doc

Research Group in Computer science, Automatics, Image processing and Electronics of Caen

Research topics:

• Electronics
• Image processing
• Algorithmic
• Document analysis
• Multi-agents
• Robotics navigation
• Automatics
• Computer security
• Natural language processing
• Biometrics
• Cryptography

GREYC Research Lab


E-payment & Biometrics

Members (29): 3 full professors, 2 associate professors, 4 assistant professors, 4 permanent engineers, 8 PhD students, 2 Post-docs, 6 engineers.

Research topics (2): Biometrics and Trust

Application: E-payment

Research projects: ASAP(ANR), LYRICS(ANR), PAY2YOU(FUI), CAPI(FUI), ADS+(FUI), INOSSEM(GE), LUCIDMAN(EUREKA)

E-payment & Biometrics

Biometrics: Operational authentication that respects the privacy of users

Biometric authentication (palm veins, keystroke dynamics…)

Evaluation of biometric systems (usability, security…)

Protection of biometrics (cancelable biometrics, smartcards…)

GREYC Keystroke: keystroke dynamics authentication


Introduction to biometrics


Biometrics

Biometric modalities:

Biological analysis:

EEG signal, DNA…

Behavioural analysis:

Keystroke dynamics, voice, gait, signature dynamics...

Morphological analysis:

Fingerprint, iris, palmprint, finger veins, face, ear…


Biometrics

Biometric system: general architecture

Source: ISO/IEC 19794-1, Information technology — Biometric data interchange formats — Part 1: Framework


Usable biometric solutions


Keystroke dynamics

Authentication based on passwords

Passwords can be shared between users

Passwords are difficult to memorize

Passwords can be stolen

Passwords are vulnerable to guessing attacks


Keystroke dynamics

Advantages

A two-factor authentication method

• knowledge of the password
• password typing

Good acceptance

• invisible for a user (passphrase or password)
• no privacy issues (easy to change the password)
• avoids complex passwords that are difficult to remember

Low-cost solution

• no additional sensor
• software-based authentication method

R. Giot, M. El-Abed, B. Hemery, C. Rosenberger, "Unconstrained Keystroke Dynamics Authentication with Shared Secret", Elsevier Journal on Computers & Security (IF 0.868), Volume 30, Issues 6-7, Pages 427-445, September-October 2011


Keystroke dynamics

How does it work?

Record different times: PP (latency between two pressures), RR (latency between two releases), RP (latency between one release and one pressure) and PR (duration of a key press).

Use this feature vector to measure the similarity of keystroke dynamics.
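An added example (not from the talk or from the GREYC Keystroke software) of the timing extraction described above: it builds the PR/PP/RR/RP vector from press and release timestamps and compares an attempt against an enrolled template. The scaled Manhattan distance, the threshold of 3.0, the function names and all timing samples are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def timing_features(events):
    """events: (key, press_ms, release_ms) tuples in typing order -> PR+PP+RR+RP vector."""
    pairs = list(zip(events, events[1:]))
    pr = [rel - prs for _, prs, rel in events]   # PR: duration of a key press
    pp = [b[1] - a[1] for a, b in pairs]         # PP: one pressure to the next pressure
    rr = [b[2] - a[2] for a, b in pairs]         # RR: one release to the next release
    rp = [b[1] - a[2] for a, b in pairs]         # RP: one release to the next pressure
    return pr + pp + rr + rp

def enroll(samples):
    """Template = typed text plus per-feature mean and standard deviation."""
    columns = list(zip(*(timing_features(s) for s in samples)))
    return {
        "text": "".join(k for k, _, _ in samples[0]),
        "mean": [mean(c) for c in columns],
        "std": [max(stdev(c), 1.0) for c in columns],  # floor avoids dividing by ~0
    }

def score(template, events):
    """Scaled Manhattan distance, lower = more similar (assumed metric)."""
    v = timing_features(events)
    return mean(abs(x - m) / s for x, m, s in zip(v, template["mean"], template["std"]))

def verify(template, events, threshold=3.0):
    """Both factors must hold: the right password and the enrolled typing rhythm."""
    typed = "".join(k for k, _, _ in events)
    return typed == template["text"] and score(template, events) <= threshold

def make_events(text, holds, gaps):
    """Constructed test data: events from hold times and release-to-press gaps (ms)."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + holds[i]))
        t += holds[i] + (gaps[i] if i < len(gaps) else 0)
    return events

# Constructed samples: one user typing "greyc" three times at enrollment.
ENROLLMENT = [
    make_events("greyc", [90, 85, 100, 95, 88], [60, 70, 55, 65]),
    make_events("greyc", [95, 80, 105, 90, 92], [65, 75, 50, 60]),
    make_events("greyc", [88, 90, 98, 99, 85], [58, 68, 60, 70]),
]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = make_events("greyc", [92, 84, 102, 94, 90], [62, 72, 54, 66])
# Same password typed with a different rhythm (e.g. a shared or stolen password).
IMPOSTOR = make_events("greyc", [150, 140, 60, 170, 130], [200, 20, 180, 30])
```

The impostor sample knows the password and is still rejected, which is the two-factor property listed under the advantages.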


Keystroke dynamics

Some recent articles in the media


Demo


Signature dynamics

A signature

Usual method to authenticate a person (contract...)

Manual or automated verification

Existing sensors: tablet, scanner ...

Can be copied


Signature dynamics

Principle

Taking into account the user's behavior

Much more difficult to falsify

Based on a method (signature) widely used and recognized from a legal point of view


Signature dynamics

Software

V. Alimi, C. Rosenberger, S. Vernois, "A mobile contactless point of sale enhanced by the NFC technology and a match-on-card signature verification algorithm", Smart Mobility Conference, 2011

V. Alimi, C. Rosenberger, S. Vernois, "A Mobile Contactless Point of Sale Enhanced by the NFC and Biometric Technologies", International Journal of Internet Technology and Secured Transactions, To appear 2012


Voice recognition

Principle

Voice is a natural choice to authenticate a user (for a mobile phone or even a computer)

Dynamic authentication (to avoid the replay attack)

Free text speaker recognition is needed


Voice recognition

Verification process:

1. The user launches the Android application
2. The application (offline) or server (online) generates a challenge (random sentence)
3. The user says the specific sentence into the microphone
4. The application (offline) or server (online) matches the biometric capture
5. The application (offline) or server (online) verifies that the challenge has been said by the user
6. If everything is OK, the user's identity is verified
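An added sketch of the challenge handling in steps 2, 4 and 5 (not the software presented in the talk), showing why a fresh, single-use, short-lived sentence defeats a replayed recording. The class name, word list, time-to-live and score threshold are hypothetical; the speaker score and the transcript are taken as inputs from a speaker matcher and a speech recognizer that are assumed and not implemented here.

```python
import secrets
import time

# Constructed vocabulary; a deployment would use a much larger one.
WORDS = ["amber", "canal", "delta", "fresh", "linen",
         "maple", "orbit", "quartz", "river", "tulip"]

class ChallengeVerifier:
    """Runs in the application (offline) or on the server (online)."""

    def __init__(self, ttl_s=30, speaker_threshold=0.8):
        self.ttl_s = ttl_s
        self.speaker_threshold = speaker_threshold
        self.pending = {}  # challenge id -> (sentence, expiry time)

    def new_challenge(self, n_words=4, now=None):
        """Step 2: generate a random sentence that the user has to say."""
        now = time.time() if now is None else now
        sentence = " ".join(secrets.choice(WORDS) for _ in range(n_words))
        cid = secrets.token_hex(8)
        self.pending[cid] = (sentence, now + self.ttl_s)
        return cid, sentence

    def verify(self, cid, speaker_score, transcript, now=None):
        """Steps 4 to 6, given the matcher score and the recognized words."""
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # single use: no second answer
        if entry is None:
            return False, "unknown or already used challenge"
        sentence, expiry = entry
        if now > expiry:
            return False, "challenge expired"
        if speaker_score < self.speaker_threshold:           # step 4
            return False, "speaker mismatch"
        if transcript.lower().split() != sentence.split():   # step 5
            return False, "wrong sentence"
        return True, "identity verified"
```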


Voice recognition

Software

M. Baloul, E. Cherrier, C. Rosenberger, "Challenge-based Speaker Recognition For Mobile Authentication", IEEE Conference BIOSIG, 2012.


Cancelable biometrics

Motivations:

It is not always possible to revoke biometric data

Usable

Principle

Avoid storing the fingerprint image or minutiae

Better performance

Usable solution


Cancelable biometrics

Verification process:

[Figure: Original image → Feature extraction → Fingercode → BioHashing (salting with the seed) → BioCode]

• The original image is not stored
• The biocode is stored
• It is not possible to compute the pattern or retrieve the original image given the biocode
• A biocode can be regenerated (other seed)
• The biohashing process improves performance
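An added, simplified BioHashing example (not the implementation from the talk or the cited paper): a seeded random basis is orthonormalized, the feature vector is projected on it, and only the sign bits are stored as the biocode. The 64-value vector standing in for a fingercode, the seeds, the 48-bit length, the 0.2 Hamming threshold and the function names are assumptions constructed for illustration.

```python
import math
import random

def projection_basis(seed, n_bits, dim):
    """Seeded pseudo-random basis, orthonormalized by Gram-Schmidt (n_bits <= dim)."""
    rng = random.Random(seed)
    basis = []
    for _ in range(n_bits):
        v = [rng.gauss(0, 1) for _ in range(dim)]
        for b in basis:  # remove the components along rows already chosen
            dot = sum(x * y for x, y in zip(v, b))
            v = [x - dot * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        basis.append([x / norm for x in v])
    return basis

def biocode(features, seed, n_bits=48):
    """Salt the features with the seed: project on the basis, keep the sign bits."""
    basis = projection_basis(seed, n_bits, len(features))
    return [1 if sum(f * b for f, b in zip(features, row)) > 0 else 0
            for row in basis]

def hamming(a, b):
    """Fraction of differing bits between two biocodes."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(stored_biocode, features, seed, threshold=0.2):
    """Only the biocode is stored; a fresh capture is hashed with the same seed."""
    return hamming(stored_biocode, biocode(features, seed)) <= threshold

# Constructed data: stand-in for a fingercode and a slightly noisy re-capture.
ENROLLED = [((i * 37) % 17) / 17 - 0.5 for i in range(64)]
RECAPTURE = [x + (0.01 if i % 2 else -0.01) for i, x in enumerate(ENROLLED)]
SEED, NEW_SEED = 20120401, 20120402  # constructed seeds

STORED = biocode(ENROLLED, SEED)
REISSUED = biocode(ENROLLED, NEW_SEED)  # revocation: same finger, other seed
```

Changing the seed yields an unrelated biocode from the same finger, which is the "can be regenerated" property: the old stored value stops matching and the biometric itself does not have to change.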


Demo

R. Belguechi, E. Cherrier, C. Rosenberger, "Texture based Fingerprint BioHashing : Attacks and Robustness", IEEE/IAPR International Conference on Biometrics (ICB), p.7, 2012

Cancelable biometrics


Perspectives


Conclusion

Biometrics: the ONLY solution for user authentication

Many usable solutions exist:

• Speaker recognition (especially for mobile phone or offpad)
• Signature dynamics (authentication, dematerialized documents)
• Keystroke dynamics (authentication, monitoring, access control...)
• Cancelable biometrics (allowing online verification)


http://www.epaymentbiometrics.ensicaen.fr/