Biometric For Authentication, Do we need it?

Christophe Rosenberger

GREYC Research Lab - France

The TES cluster and contactless

OUTLINE

Introduction

User authentication

GREYC - E-payment & Biometrics

Introduction to biometrics

Usable biometric solutions

Perspectives

Introduction

E-transactions (© E-secure Transactions Cluster)

E-Secure transactions

Digital identity management

One individual has many identities.

User authentication:

Authentication methods are based on:

• What we know [Secret]

• What we own [Token, smartcard, RFID tag]

• What we are [Biometrics]

• The way we do things [Behavioral biometrics]

• The use of a reliable third party [Relationship]

They are called authentication factors.

Digital identity management

One individual can have different authentication factors.

Trends

Trust in the identity of a user or a client

Guarantee security (difficult to compromise)

Respect privacy

Facilitate usability

USER AUTHENTICATION

Solutions in the market

Biometrics

The only user authentication method

It is easier to use

It is much more difficult to attack or falsify

GREYC RESEARCH LAB

E-payment & Biometrics

ENSICAEN

School of engineering of Caen

~ 780 students

Department of Computer science :

E-payment & Computer security: only one in France

Strong partnerships with companies: Gemalto, Morpho, Fime...

GREYC Research Lab

Research Group in Computer science, Automatics, Image processing and Electronics of Caen

Laboratory staff:
• 7 CNRS researchers
• 25 Full professors
• 18 Associate professors
• 48 Assistant professors
• 79 PhD students
• 17 permanent staff
• 30 Engineers and post-doc

Research topics:
• Electronics
• Image processing
• Algorithmic
• Document analysis
• Multi-agents
• Robotics navigation
• Automatics
• Computer security
• Natural language processing
• Biometrics
• Cryptography

E-payment & Biometrics

Members (29): 3 full professors, 2 associate professors, 4 assistant professors, 4 permanent engineers, 8 PhD students, 2 Post-docs, 6 engineers.

Research topics (2): Biometrics and Trust

Application: E-payment

Research projects: ASAP(ANR), LYRICS(ANR), PAY2YOU(FUI), CAPI(FUI), ADS+(FUI), INOSSEM(GE), LUCIDMAN(EUREKA)

Biometrics: Operational authentication that respects the privacy of users

Biometric authentication (palm veins, keystroke dynamics…)

Evaluation of biometric systems (usability, security…)

Protection of biometrics (cancelable biometrics, smartcards…)

GREYC Keystroke: keystroke dynamics authentication

Introduction to biometrics

Biometrics

Biometric modalities:

Biological analysis:

EEG signal, DNA…

Behavioural analysis:

Keystroke dynamics, voice, gait, signature dynamics...

Morphological analysis:

Fingerprint, iris, palmprint, finger veins, face, ear…

Biometrics

Biometric system: general architecture

Source: ISO/IEC 19794-1, Information technology — Biometric data interchange formats — Part 1: Framework

Usable biometric solutions

Keystroke dynamics

Authentication based on passwords

Passwords can be shared between users

Passwords are difficult to memorize

Passwords can be stolen

Passwords are vulnerable to guessing attacks

Keystroke dynamics

Advantages

A two-factor authentication method:
• knowledge of the password
• password typing

Good acceptance: invisible to the user (passphrase or password)

No privacy issues (easy to change the password)

Avoids complex passwords that are difficult to remember

Low-cost solution: no additional sensor

Software-based authentication method

R. Giot, M. El-Abed, B. Hemery, C. Rosenberger, "Unconstrained Keystroke Dynamics Authentication with Shared Secret", Elsevier Journal on Computers & Security (IF 0.868), Volume 30, Issues 6-7, Pages 427-445, September-October 2011

Keystroke dynamics

How does it work?

Record different times:
• PP (latency between two pressures)
• RR (latency between two releases)
• RP (latency between one release and one pressure)
• PR (duration of a key press)

Use this feature vector to measure the similarity of keystroke dynamics.
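
The four timings above, computed from raw key events and compared with an enrolled template, as an added example (not code from the slides or from GREYC Keystroke). The event format, the scaled Manhattan distance, the 5 ms spread floor and the 1.5 threshold are assumptions; the sample timings are constructed.

```python
import hmac
from statistics import mean, pstdev

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order."""
    pairs = list(zip(events, events[1:]))
    pp = [b[1] - a[1] for a, b in pairs]   # PP: press to next press
    rr = [b[2] - a[2] for a, b in pairs]   # RR: release to next release
    rp = [b[1] - a[2] for a, b in pairs]   # RP: release to next press
    pr = [r - p for _, p, r in events]     # PR: how long each key is held
    return pp + rr + rp + pr

def enroll(samples, sigma_floor=5.0):
    """Template = per-feature mean and spread over several typings."""
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    # Floor the spread so a feature that never varied does not dominate.
    sigma = [max(pstdev(c), sigma_floor) for c in cols]
    return mu, sigma

def distance(template, events):
    """Scaled Manhattan distance (an assumed metric, not the page's)."""
    mu, sigma = template
    return mean(abs(x - m) / s for x, m, s in zip(features(events), mu, sigma))

def verify(template, password, events, threshold=1.5):
    typed = "".join(k for k, _, _ in events)
    if not hmac.compare_digest(typed.encode(), password.encode()):
        return False                       # factor 1: knowledge of the password
    return distance(template, events) <= threshold   # factor 2: typing rhythm

# Constructed sample data (milliseconds), not measurements from the page.
ENROLL = [
    [("p", 0, 95), ("a", 180, 270), ("s", 390, 470), ("s", 560, 650)],
    [("p", 0, 100), ("a", 190, 275), ("s", 400, 485), ("s", 575, 660)],
    [("p", 0, 90), ("a", 175, 265), ("s", 380, 465), ("s", 555, 640)],
]
GENUINE = [("p", 0, 97), ("a", 185, 272), ("s", 392, 476), ("s", 566, 652)]
IMPOSTOR = [("p", 0, 60), ("a", 300, 350), ("s", 420, 600), ("s", 900, 960)]
TEMPLATE = enroll(ENROLL)

if __name__ == "__main__":
    for name, ev in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(distance(TEMPLATE, ev), 2), verify(TEMPLATE, "pass", ev))
```

The impostor types the correct password and is still rejected, which is the second factor at work.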

Keystroke dynamics

Some recent articles in the media

Demo

Signature dynamics

A signature

Usual method to authenticate a person (contract...)

Manual or automated verification

Existing sensors: tablet, scanner ...

Can be copied

Signature dynamics

Principle

Takes the user’s behavior into account

Much more difficult to falsify

Based on a method (signature) widely used and recognized from a legal point of view

Signature dynamics

Software

V. Alimi, C. Rosenberger, S. Vernois, "A mobile contactless point of sale enhanced by the NFC technology and a match-on-card signature verification algorithm", Smart Mobility Conference, 2011

V. Alimi, C. Rosenberger, S. Vernois, “A Mobile Contactless Point of Sale Enhanced by the NFC and Biometric Technologies”, International Journal of Internet Technology and Secured Transactions, To appear 2012

Voice recognition

Principle

Voice is a natural choice to authenticate a user (for a mobile phone or even a computer)

Dynamic authentication (to avoid the replay attack)

Free text speaker recognition is needed

Voice recognition

Verification process:

1. The user launches the Android application

2. The application (offline) or server (online) generates a challenge (random sentence)

3. The user says the specific sentence in the microphone

4. The application (offline) or server (online) matches the biometric capture

5. The application (offline) or server (online) verifies that the challenge has been said by the user

6. If everything is OK, the user’s identity is verified
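
The verifier side of steps 2 and 4 to 6, showing why a recording of an earlier session fails, as an added example (not the authors' application). The word list, the 30-second lifetime, the 0.8 score threshold and the class name are assumptions; the transcript and speaker score are taken as inputs from a speech recogniser and a speaker model.

```python
import secrets
import time

# Constructed word list; a deployment would use a much larger vocabulary.
WORDS = ["amber", "river", "falcon", "seven", "candle", "orbit", "maple", "tiger"]

class ChallengeVerifier:
    def __init__(self, ttl=30.0, threshold=0.8, clock=time.monotonic):
        self.ttl, self.threshold, self.clock = ttl, threshold, clock
        self.pending = {}                      # challenge id -> (sentence, expiry)

    def new_challenge(self, n_words=5):
        """Step 2: issue a fresh random sentence bound to a one-time id."""
        cid = secrets.token_hex(8)
        sentence = " ".join(secrets.choice(WORDS) for _ in range(n_words))
        self.pending[cid] = (sentence, self.clock() + self.ttl)
        return cid, sentence

    def verify(self, cid, transcript, speaker_score):
        """Steps 4 to 6. transcript and speaker_score are produced by
        components outside this example (assumed inputs)."""
        entry = self.pending.pop(cid, None)    # pop: each challenge is single-use
        if entry is None:
            return "unknown-or-reused-challenge"
        sentence, expiry = entry
        if self.clock() > expiry:
            return "expired"
        if speaker_score < self.threshold:     # step 4: is it the enrolled voice?
            return "speaker-mismatch"
        if " ".join(transcript.lower().split()) != sentence:
            return "wrong-sentence"            # step 5: was the challenge spoken?
        return "ok"                            # step 6

if __name__ == "__main__":
    v = ChallengeVerifier()
    cid, sentence = v.new_challenge()
    print(sentence, "->", v.verify(cid, sentence, 0.93))
    print("replayed id ->", v.verify(cid, sentence, 0.93))
```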

Voice recognition

Software

M. Baloul, E. Cherrier, C. Rosenberger, "Challenge-based Speaker Recognition For Mobile Authentication", IEEE Conference BIOSIG, 2012.

Cancelable biometrics

Motivations:

It is not always possible to revoke biometric data

Usable

Principle

Avoid storing the fingerprint image or minutiae

Better performance

Usable solution

Cancelable biometrics

Verification process:

[Figure: original image, feature extraction, Fingercode, BioHashing (salting with the seed), BioCode]

The original image is not stored

The biocode is stored

It is not possible to compute the pattern or retrieve the original image given the biocode

A biocode can be regenerated (other seed)

The biohashing process improves performance
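
The seed-salted projection behind a biocode, with matching and re-issuing after a seed change, as an added example (not the authors' implementation). It uses the usual BioHashing construction of a seeded orthonormal projection followed by sign thresholding; the 64-bit code length, the 0.15 threshold and the random feature vector standing in for a Fingercode are assumptions.

```python
import random

def seeded_basis(seed, n, m):
    """m orthonormal vectors of length n, reproducible from the seed.
    random.Random is used for the demonstration only (assumption): it is
    deterministic but not a cryptographic generator."""
    rng, basis = random.Random(seed), []
    while len(basis) < m:
        v = [rng.gauss(0, 1) for _ in range(n)]
        for b in basis:                        # Gram-Schmidt: remove overlap
            dot = sum(x * y for x, y in zip(v, b))
            v = [x - dot * y for x, y in zip(v, b)]
        norm = sum(x * x for x in v) ** 0.5
        if norm > 1e-9:
            basis.append([x / norm for x in v])
    return basis

def biocode(fingercode, seed, m=64):
    """Salt the feature vector with the seed, keep one sign bit per projection."""
    return [1 if sum(x * y for x, y in zip(fingercode, b)) > 0 else 0
            for b in seeded_basis(seed, len(fingercode), m)]

def hamming(a, b):
    """Fraction of differing bits between two biocodes."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(stored, fingercode, seed, threshold=0.15):
    return hamming(stored, biocode(fingercode, seed)) <= threshold

# Constructed stand-in for a Fingercode (128 values) and a noisy re-capture.
_rng = random.Random(7)
ENROLLED = [_rng.gauss(0, 1) for _ in range(128)]
FRESH = [x + _rng.gauss(0, 0.05) for x in ENROLLED]

if __name__ == "__main__":
    stored = biocode(ENROLLED, "seed-A")       # only this is kept, not ENROLLED
    print("same finger, same seed:", hamming(stored, biocode(FRESH, "seed-A")))
    print("after re-issuing seed :", hamming(stored, biocode(ENROLLED, "seed-B")))
```

With a new seed the same finger yields a code about half of whose bits differ, so a leaked biocode can be revoked without changing the finger.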

Demo

R. Belguechi, E. Cherrier, C. Rosenberger, "Texture based Fingerprint BioHashing : Attacks and Robustness", IEEE/IAPR International Conference on Biometrics (ICB), p.7, 2012

Perspectives

Conclusion

Biometrics: the ONLY solution for user authentication

Many usable solutions exist:
• Speaker recognition (especially for mobile phone or offpad)
• Signature dynamics (authentication, dematerialized documents)
• Keystroke dynamics (authentication, monitoring, access control...)
• Cancelable biometrics (allowing online verification)

http://www.epaymentbiometrics.ensicaen.fr/
