Biometric Authentication
Presenter: Yaoyu, Zhang
Preface
We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token), or something the user is (a physical characteristic, such as a fingerprint, called a biometric).
Abstract
- Introduction to biometric authentication
- Some related concepts
- Biometric methods
- Can biometric authentication be fooled?
- Some issues about access control
Biometric Authentication
- Authentication based on body measurements and motions
- It is easy because you always bring your body with you
Biometric Systems
- Enrollment
- Later access attempts
- Acceptance or rejection
Biometric Authentication System (diagram)
1. Initial Enrollment: user Lee is scanned; processing (key feature extraction) yields A=01, B=101, C=001, stored in the template database as Lee's template 01101001 (other entries shown: Brown 10010010, Chun 00111011, Hirota 1101110…).
2. Subsequent Access: the applicant is scanned; key feature extraction yields A=01, B=111, C=001, giving user access data 01111001.
3. Match Index: the access data is compared with the stored template and the decision criterion asks "close enough?".
Verification Versus Identification
- Verification: Are applicants who they claim to be? (compare with a single template)
- Identification: Who is the applicant? (compare with all templates)
  - More difficult than verification because it must compare to many templates
- Watch list: Is this person a member of a specific group (e.g., known terrorists)?
- Verification is good for replacing passwords in logins
- Identification is good for door access and other situations where entering a name would be difficult
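Added example (not from the slides): the diagram's template matching and the three decisions above, in Python. The bit strings are the diagram's; the 7-of-8 decision threshold and the watch-list membership are assumptions.

```python
# Added example (not from the slides): template matching as in the deck's
# "Biometric Authentication System" diagram, plus the verification /
# identification / watch-list decisions. Bit strings come from the diagram;
# the decision threshold and the watch-list membership are assumptions.
from typing import Optional

# Template database from the diagram (Hirota's entry is truncated on the
# slide, so it is omitted here).
TEMPLATES = {
    "Brown": "10010010",
    "Lee": "01101001",
    "Chun": "00111011",
}

# Assumed watch list (the slide only gives the concept, not the members).
WATCH_LIST = {"Chun"}

# Assumed decision criterion: at least 7 of the 8 feature bits must agree.
MIN_MATCHING_BITS = 7


def match_index(template: str, access_data: str) -> int:
    """Number of positions where the stored template and the fresh
    access data agree (the diagram's 'match index')."""
    if len(template) != len(access_data):
        raise ValueError("feature vectors must have equal length")
    return sum(t == a for t, a in zip(template, access_data))


def close_enough(template: str, access_data: str) -> bool:
    """Decision criterion: does the match index reach the threshold?"""
    return match_index(template, access_data) >= MIN_MATCHING_BITS


def verify(claimed_user: str, access_data: str) -> bool:
    """Verification: compare only against the claimed identity's template."""
    template = TEMPLATES.get(claimed_user)
    return template is not None and close_enough(template, access_data)


def identify(access_data: str) -> Optional[str]:
    """Identification: compare against every template; return the best
    match if it is close enough, otherwise None (unknown applicant)."""
    best = max(TEMPLATES, key=lambda u: match_index(TEMPLATES[u], access_data))
    return best if close_enough(TEMPLATES[best], access_data) else None


def on_watch_list(access_data: str) -> bool:
    """Watch list: is the applicant a member of the specific group?"""
    user = identify(access_data)
    return user is not None and user in WATCH_LIST
```

With the diagram's access data 01111001, Lee's template agrees in 7 of 8 bits, so verification of "Lee" succeeds and identification returns Lee; the same data checked against Brown's template agrees in only 2 bits and is rejected.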
Precision: FAR
- False acceptance rates (FARs): percentage of unauthorized people allowed in
  - Person falsely accepted as a member of a group
  - Person allowed through a door who should not be allowed through it
- Very bad for security
Precision: FRR
- False rejection rates (FRRs): percentage of authorized people not recognized as being members of the group
  - Valid person denied door access or server login because not recognized
- Can be reduced by allowing multiple access attempts
- High FRRs will harm user acceptance because users are angered by being falsely forbidden
Precision
- Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances
  - For instance, having only small numbers of users in the database
  - For instance, using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world
User Acceptance Is Crucial
- Strong user resistance can kill a system
- Fingerprint recognition may have a criminal connotation
- Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully
  - These require a disciplined group
Biometric Methods: Fingerprint Recognition
- Dominates the biometric market today
- Based on a finger's distinctive pattern of whorls, arches, and loops
- Simple, inexpensive, well-proven
- Weak security: can be defeated fairly easily with copies
- Useful in modest-security areas
Biometric Methods: Iris Recognition
- Pattern in the colored part of the eye
- Very low FARs
- High FRR if the eye is not lined up correctly can harm acceptance
- Reader is a camera; it does not send light into the eye!
Biometric Methods: Face Recognition, Hand Geometry, Voice Recognition
- Face recognition: can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.
- Hand geometry: shape of the hand
- Voice recognition
  - High error rates
  - Easy to fool with recordings
Biometric Methods: Keystroke and Signature Recognition
- Keystroke recognition
  - Rhythm of typing
  - Normally restricted to passwords
  - Ongoing during a session could allow continuous authentication
- Signature recognition
  - Pattern and writing dynamics
Biometric Standards
- Almost no standardization
- Worst for user data (fingerprint feature databases)
- Get locked into single vendors
Can Biometrics Be Fooled? Airport Face Recognition
- Identification of people passing in front of a camera
- False rejection rate: rate of not identifying a person as being in the database
  - Fail to recognize a criminal, terrorist, etc.
  - FRRs are bad
- 4-week trial of face recognition at Palm Beach International Airport
  - Only 250 volunteers in the user database (unrealistically small)
  - Volunteers were scanned 958 times during the trial
  - Only recognized 455 times! (47%)
  - 53% FRR
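Added example (not from the slides): the FAR and FRR definitions from the precision slides computed over labelled attempts at a chosen threshold, the trial's FRR recovered from its scan and recognition counts, and what allowing multiple attempts does to both rates. The score lists are constructed; only the 958/455 counts come from the deck.

```python
# Added example (not from the slides): FAR/FRR arithmetic for a biometric
# decision threshold. All scores are constructed; only the airport trial's
# counts (958 scans, 455 recognitions) come from the deck.

# Constructed match scores (number of agreeing feature bits out of 8) for
# attempts by enrolled users ("genuine") and by outsiders ("impostor").
GENUINE_SCORES = [8, 7, 7, 6, 8, 5, 7, 6, 8, 7]
IMPOSTOR_SCORES = [2, 3, 5, 1, 7, 2, 4, 3, 6, 2]


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of unauthorized attempts that score
    at or above the threshold and are therefore let in."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of authorized attempts that fall
    below the threshold and are therefore turned away."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def trade_off(genuine_scores, impostor_scores, thresholds):
    """(FAR, FRR) at each threshold: raising it lowers FAR but raises FRR."""
    return {t: (far(impostor_scores, t), frr(genuine_scores, t))
            for t in thresholds}


def frr_from_counts(scans, recognitions):
    """FRR observed in a trial of enrolled people: scans not recognized
    divided by all scans (the airport trial: 958 scans, 455 recognized)."""
    return (scans - recognitions) / scans


def frr_with_retries(single_attempt_frr, attempts):
    """FRR when a valid user may retry: they are only locked out if every
    attempt fails (assumes the attempts are independent)."""
    return single_attempt_frr ** attempts


def far_with_retries(single_attempt_far, attempts):
    """The cost of retries: an impostor also gets several chances."""
    return 1 - (1 - single_attempt_far) ** attempts
```

On the constructed scores, a threshold of 7 gives FAR 10% and FRR 30%; three attempts bring the FRR down to about 2.7% but raise the FAR to about 27%, which is why retries are a trade, not a free fix.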
Can Biometrics Be Fooled? Airport Face Recognition (continued)
- Recognition rate fell if subjects wore glasses (especially tinted) or looked away
- Would be worse with a larger database
- Would be worse if photographs were not good
- DOD (Department of Defense) tests indicate poor acceptance rates when subjects were not attempting to evade
  - 270-person test
  - Face recognition recognized the person only 51 percent of the time
  - Even iris recognition only recognized the person 94 percent of the time!
Can Biometrics Be Fooled?
- Other research has shown that evasion is often successful for some methods
- German c't magazine fooled most face and fingerprint recognition systems
- Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass
Access Control
- Access control is the policy-driven limitation of access to systems, data, and dialogs
- Goals
  - Prevent attackers from gaining access, and stop them if they do
  - Provide appropriate limitations on the access rights of authorized users
Access Control: First Steps
- Enumeration of resources
- Sensitivity of each resource
- Next, who should have access?
  - Can be made individual by individual
  - More efficient to define by roles (logged-in users, system administrators, project team members, etc.)
Access Control: Policy-Based Access Control and Protection
- Have a specific access control policy and an access protection policy for each resource
  - For example, for a file on a server, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.
- Focuses attention on each resource
- Guides the selection and configuration of firewalls and other protections
- Guides the periodic auditing and testing of protection plans