Biometrics role in cybersecurity IASA · 2018-05-02 · Biometrics Application Categories...
Role of Biometrics in Cybersecurity
Sam Youness
Agenda
• Biometrics basics
• How it works
• Biometrics applications and architecture
• Biometric devices
• Biometrics Considerations
• The road ahead
The Basics
• Every day we need to identify ourselves when we do things like:
  • Use a bank automatic teller machine (PIN #)
  • Use personal or corporate computing devices
  • Enter the office by scanning a badge, punching a code, or using a key
  • Use passwords to access online services (e.g. online banking, Netflix, Amazon)
  • Use a password to access our email
  • Provide a passport or driver's license as proof of identity
  • And many more examples
• There is an essential need to accurately identify an individual to minimize the possibility of security breaches and threats
Why Biometrics?
• Traditional security guards (passwords, PINs, etc.) have serious issues
• Security keys, such as ID cards, keys, etc., also have their issues, such as getting lost, copied, etc.
• Is biometrics the answer?
  • It is part of the person and not easily compromised through theft, collusion, or loss
  • Simplifies user management, leading to cost savings
  • No need to remember passwords or PINs
  • User accounts cannot be shared
  • Easy to use
Biometrics Modalities
• Physiological (not likely to change over time):
  • Fingerprints, finger length
  • Iris/Retina
  • Facial image and geometry (2D and 3D)
  • Hand geometry
  • Vein pattern
  • DNA
• Behavioral (may change over time):
  • Voice
  • Gait
  • Odor
  • Signature
  • Keystroke and mouse moves dynamics
How Biometrics Work
[Diagram] Enrollment: biometric sample → distinguished features of the sample → digital template of the sample (stages: Enrollment, Template Extraction, Template Storage)
[Diagram] Live capture: biometric sample → distinguished features of the sample → digital template of the sample (stages: Live Capture, Template Extraction, Template Comparison Search/Match) → Comparison Algorithm → MATCH / NO MATCH
Biometrics Processes
[Diagram] Labels: Secure Device, Trusted Computer. Stages: Image Capture, Feature Extraction, Secure Storage, Template Matching. Outcome: MATCH / NO MATCH
Biometric System Accuracy
• ROC: receiver operating characteristic
• FMR: false match rate
• FNMR: false non-match rate
• Matching threshold – T
• Higher quantities of data (e.g. more fingerprints) and higher-quality (highly consistent) samples are required for one-to-many search processes as compared to one-to-one matching for verification.
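
The following is an added example, not part of the original presentation: it computes FMR and FNMR at a matching threshold T from comparison scores, sweeps T to get ROC points, and shows how a small 1:1 FMR grows in a one-to-many search. The score lists are constructed sample data, and the 1:N formula assumes independent comparisons.

```python
# Constructed similarity scores in [0, 1]; higher means more alike.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.90, 0.86, 0.79]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.69, 0.27, 0.53, 0.19, 0.74, 0.30]  # different people


def fmr(impostor_scores, t):
    """False match rate: fraction of impostor comparisons accepted (score >= T)."""
    return sum(s >= t for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores, t):
    """False non-match rate: fraction of genuine comparisons rejected (score < T)."""
    return sum(s < t for s in genuine_scores) / len(genuine_scores)


def roc_points(genuine_scores, impostor_scores, thresholds):
    """One (T, FMR, FNMR) tuple per threshold; FMR against 1 - FNMR is the ROC curve."""
    return [(t, fmr(impostor_scores, t), fnmr(genuine_scores, t)) for t in thresholds]


def equal_error_threshold(points):
    """Threshold at which FMR and FNMR are closest (approximate equal error rate)."""
    return min(points, key=lambda p: abs(p[1] - p[2]))[0]


def one_to_many_fmr(single_fmr, gallery_size):
    """Probability of at least one false match when searching a gallery of N templates.

    Assumption: the N comparisons are independent, each with the same 1:1 FMR.
    """
    return 1 - (1 - single_fmr) ** gallery_size


if __name__ == "__main__":
    points = roc_points(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7, 0.8, 0.9])
    for t, false_match, false_non_match in points:
        print(f"T={t:.1f}  FMR={false_match:.2f}  FNMR={false_non_match:.2f}")
    print("closest to equal error at T =", equal_error_threshold(points))
    for n in (1, 1_000, 100_000):
        print(f"1:{n} search, 1:1 FMR 0.001 -> {one_to_many_fmr(0.001, n):.4f}")
```

Raising T trades false matches for false non-matches, and a 1:1 FMR that is acceptable for verification becomes a near-certain false match once the gallery is large.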
Biometrics Application Categories
• Verification
  • One-to-one biometric identification to provide physical or logical access control
  • Compares against a template stored locally (PC, smartphone, etc.) or on a server
  • Acts as a passcode or PIN
• Identification
  • One-to-many search to assess whether an individual's biometrics are present in a database or gallery that contains a very large number of biometric records
  • More computing intensive to help identify a person
• Duplicate Checking
  • Matching each and every template to all templates in a gallery
  • Determines if individuals are represented more than once in a database
  • Used to detect fraud – enrollment in multiple social benefits programs, etc.
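
An added sketch of the three categories over one small gallery (not code from the presentation). The templates, the identities, the `score` comparison function and the threshold value are all constructed for illustration; real template formats and comparison algorithms are vendor-specific.

```python
import math
from itertools import combinations

# Constructed templates: short feature vectors standing in for vendor templates.
GALLERY = {
    "alice": [0.10, 0.80, 0.30, 0.55],
    "bob": [0.90, 0.20, 0.60, 0.10],
    "carol": [0.40, 0.40, 0.90, 0.70],
    "a.smith": [0.12, 0.79, 0.31, 0.54],  # same person as "alice", enrolled twice
}
LIVE = [0.11, 0.80, 0.30, 0.56]  # constructed live capture of the same person
T = 0.95                         # matching threshold (assumed value)


def score(a, b):
    """Toy comparison algorithm: similarity in (0, 1], 1.0 for identical templates."""
    return 1.0 / (1.0 + math.dist(a, b))


def verify(claimed_id, live, gallery=GALLERY, t=T):
    """Verification (1:1): one comparison against the claimed identity's template."""
    return claimed_id in gallery and score(gallery[claimed_id], live) >= t


def identify(live, gallery=GALLERY, t=T):
    """Identification (1:N): N comparisons; candidates above T, best match first."""
    hits = sorted(((score(tpl, live), name) for name, tpl in gallery.items()), reverse=True)
    return [name for s, name in hits if s >= t]


def duplicates(gallery=GALLERY, t=T):
    """Duplicate checking: every template against every other, N*(N-1)/2 comparisons."""
    return [(a, b) for a, b in combinations(gallery, 2)
            if score(gallery[a], gallery[b]) >= t]


if __name__ == "__main__":
    print("verify as alice:", verify("alice", LIVE))
    print("verify as bob:  ", verify("bob", LIVE))
    print("identify:       ", identify(LIVE))
    print("duplicates:     ", duplicates())
```

The 1:N search returns both enrolments of the same person, which is exactly the condition the all-pairs duplicate check is meant to surface.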
Example Biometric Applications
• Verification
  • Logical access to devices (computer/network logon)
  • Dumb terminals – client server access
  • Internet e-commerce
  • Smart card access
• Identification
  • Access to facility
  • Border control identification
• Duplicate Checking
  • Fraud detection
Devices and Sensors
• Mechanical or electronic systems that are used to enroll and capture raw biometric samples in a form that can be digitized and converted into a digital biometric template
• Examples include:
  • Fingerprint sensors:
    • Capacitive sensors are based on silicon chips that detect electric currents when the finger ridges make contact. They can use full finger or swipe techniques
    • Optical sensors use a prism, light source and light sensor
    • Light emitting and multispectral sensors
  • Digital cameras – for facial recognition:
    • Consumer-grade digital SLRs, pocket cameras, and webcams
    • 60 PPI are required for 1:1 matching and 90 PPI for 1:n matching
    • Consistency is the most important factor
  • Iris cameras – for iris recognition:
    • Requires an infrared image of the iris to optimize the image contrast so as to facilitate machine-based analysis.
    • Off-the-shelf cameras aren't yet used for iris image capture, and a special camera is required
  • Microphones – for voice recognition: used for 1:1 identification, and consistency is very important for these scenarios
Standardization
• Building standards which all biometrics vendors adhere to is still a challenge despite the work of several national and international organizations over the past two decades
• Biometrics template extraction and comparison is typically proprietary to each vendor. This prevents using a product from one company to compare templates generated by products from another.
• One exception to this is MINEX-certified minutiae-based fingerprint template generators and matching algorithms. This category of templates and matching algorithms has been developed, tested, and certified by NIST to be interoperable for 1:1 verification to be used on compact cards and travel documents
Biometrics Standards
• ISO/IEC JTC 1/SC 37
  • 119 published ISO standards
  • 29 standards under development
  • 29 participating members
  • 13 observing members
  • Different working groups addressing:
    • Strategy
    • Harmonized vocabulary
    • Technical interfaces
    • Data interchange formats
    • Technical implementations of biometric systems
    • Testing and reporting
    • Cross-jurisdictional and societal aspects of biometrics
• National Institute of Standards and Technology (NIST)
  • Research on the various biometric modalities: fingerprint, face, iris, voice, DNA, and multimodal
  • Standards development at the national and international level
  • Technology testing and evaluation, which leads to innovation
  • NIST partners: DOJ/FBI, DOD, DOS, Intelligence Community
Biometrics Considerations
• Cost
• Security – obfuscation of biometrics may occur
• Privacy/intrusiveness
• Size for storage (images and templates)
• Convenience
• Speed
• Accuracy
• Connectivity & compatibility
Questions?
Sam Youness
Sam is a seasoned professional with more than 21 years of deep experience in business and IT, including architecture vision creation and building industry-wide strategies to achieve that vision. Sam has successfully delivered a large number of architectures, solutions and projects to better enable customer business. Sam is fluent in both languages of business and IT. He is a result-driven technical leader with a passion for excellence. He is a relationship builder with outstanding communication skills. Technically minded but always commercially aware. Sam is an established author and contributor of several books and other publications covering different topics in areas of data management, programming languages, solution building, and security. He is a keynote speaker in high-level industry conferences and end user events.