9

Click here to load reader

How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

Embed Size (px)

Citation preview

Page 1: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

How to Attack Biometric Systems in Your Spare Time

Ahmed ObiedDepartment of Computer Science

University of Calgary2500 University Drive N.W.

Calgary, Alberta, Canada T2N 1N4

[email protected]

ABSTRACTBiometric systems were proposed and developed to pro-vide a better and stronger factor of authentication. Suchsystems authenticate individuals based on physical andbehavioral traits such as fingerprints, iris, face, palmprint, hand geometry, voice, etc. The use of biometrictraits to replace existing passwords or as access keyshas proven to be highly secure against physical attacks.It is a fact that malicious attacks are getting smarter,more widespread and increasingly difficult to detect,and dozens more are added to the menagerie each day.Attacking biometric systems physically is quite difficultindeed. However, by mounting digital attacks one cansee how biometric systems are vulnerable. We discussthe different types of software and hardware vulnera-bilities that exist in biometric systems, and show howbiometric template security can be compromised. Wepresent a new attack point at the application level thathas not been addressed and discussed in previous work.We also describe how biometric cryptosystems can over-come some of the disadvantages in traditional biometricrecognition systems, and show how such systems can beused effectively in Digital Rights Management (DRM)systems.

KeywordsBiometrics, Templates, Security, Privacy, Cryptogra-phy, Attacks, Hash Functions, Digital Rights Manage-ment Systems

1. INTRODUCTIONIn today’s highly technical world, access to restrictedcomputers, networks, services, areas, etc is usually donevia the use a token (e.g., key) or knowledge (e.g., pass-word). A password is something a user (or a group ofusers) knows and nobody elses, and a token is some-thing a user (or a group of users) has and nobody does.Traditional authentication systems that are based ontokens or knowledge have been used for many years de-spite their disadvantages. How many times have youtried to login to your email account to read important

email but the mail server refused to grant you accessbecause you simply forgot the password? How manytimes have you tried to go to your apartment or housebut you were not able to access it because you simplylost the keys? How many times you have been a vic-tim of identify theft because some person was able toget your password which you wrote down somewhereor found your keys which you left somewhere to gathersensitive information about you and impersonate you?The list of questions can go on and on with the existingauthentication schemes used in today’s highly technicalworld. So what can we do to overcome these problems?The answer to this question is surprisingly simple: weuse biometric technologies.

Almost everyone in the world have fingers, eyes, voice,hands, and a face. Have you ever forgotten any of thosebody parts? Not very likely! [8] What if we could usethose body parts instead of tokens and passwords to au-thenticate you? Wouldn’t that be more convenient andmore secure? The answer is simply yes. Humans haveused body characteristics such as face, voice, and gaitfor thousands of years to recognize each other [3] butonly recently humans started developing and deploy-ing biometric based systems to authenticate individuals.Biometrics is the science of establishing or determiningan identity [4] based on the physical or behavioral traitsof an individual such as fingerprints, iris, face, palmprint, hand vein, voice, keystroke, retina, facial ther-mogram, etc. Biometric systems are essentially patternrecognition systems that read as input biometric data,extract a feature set from such data, and finally com-pare it with a template set stored in a database. If theextracted feature set from the given input is close toa template set stored in the database then the user isgranted access.

The use of biometric systems has introduced a conve-nient, efficient, and secure alternative to traditional au-thentication schemes (e.g., token-based and knowledge-based). However, we must note that such systems aresusceptible to various types of security attacks that areaimed at undermining the integrity of the authentica-

Page 2: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

Sensor Feature Extractor Matcher Application Device

Stored Templates

Type 1 Type 2

Type 3

Type 4 Type 5

Type 6

Type 8

Type 7

Type 9

Figure 1: Biometric System and the nine different points of attack.

tion process by either circumventing the security af-forded by the system or deterring the normal function-ing of the system [4]. Such attacks are raising concernsas more and more biometric systems are being deployedand used in commercial, government and forensic appli-cations. This, along with the increase size of the popula-tion using these systems and the expanding applicationarea (visa, border control, health care, welfare distri-bution, e-commerce, etc) may lead to possible finance,privacy, and security breaches [12].

In this paper, we show an in-depth analysis of the differ-ent types of software and hardware vulnerabilities thatexist in biometric systems, and describe how such vul-nerabilities can be exploited. We present a new attackpoint at the application level of a biometric system. Wealso discuss the idea behind biometric cryptosystemsand show how such systems can be effectively used insome applications.

2. BIOMETRIC SYSTEM MODELTo fully understand how biometric systems can be at-tacked, we must first understand the biometric systemmodel and the different modules it consists of. Figure1 shows a generic biometric system and the eight differ-ent points of attack as proposed by [7]. We claim that a9th point of attack exists at the application level. Thisclaim will be discussed in section 4.1.9. Any biometricsystem consists of the following modules:

2.1 ScannerThe scanner module in a biometric system is used toscan and acquire the biometric data (e.g., fingerprint,hand vein, palm print, etc) of an individual in a formof an image, video, audio or some other signal. Thescanner module is vulnerable to a type 1 attack whichis discussed in section 4.1.1.

2.2 Feature ExtractorThe feature extractor module in a biometric system op-erates on the signal sent by the scanner module to ex-tract a feature set i that represents the given signal.The extracted feature set i is sent to the matcher for

processing. The feature extractor module is vulnerableto a type 3 attack which is discussed in section 4.1.3.

2.3 Stored TemplatesThe stored templates module in a biometric systemis usually a database that stores pre-acquired (usuallyduring users enrolment) feature sets called templates.These templates are queried by the matcher module tofind a match for a given feature set i. The databasethat stores the templates is vulnerable to a type 6 at-tack which is discussed in section 4.1.6.

2.4 MatcherThe matcher module in a biometric system is the mainmodule in such system. The matcher receives a featureset i from the feature extractor module and compares iwith the templates stored in the database. Match scoresare generated after each comparison and once all com-parisons are done, the matcher processes these matchscores in order to either determine or verify the identifyof an individual [4]. The matcher module is consideredthe main module in a biometric system because its thepart that makes the decision (“yes” if there is a matchor “no” if there is no match). The matcher is vulnerableto a type 5 attack which is discussed in section 4.1.5.

2.5 Application DeviceThe application device module in a biometric system re-ceives an answer from the matcher and acts accordingly.If the application device receives a “no” then it deniesaccess. If the application device receives a “yes” then itgrants access. The application device is vulnerable to atype 9 attack as we claim.

3. GENERIC SECURITY THREATSAny system (including biometric systems) are suscepti-ble to various types of threats. These threats are dis-cussed below:

3.1 Denial of ServiceAn adversary overwhelms computer and network re-sources to the point that legitimate users can no longeraccess the resources. For example, an adversary may

Page 3: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

Manufacturer Model Technology Date DifficultyIdentix TS-520 Optical Nov. 1990 First attemptFingermatrix Chekone Optical Mar. 1994 Second attemptDermalog DemalogKey Optical Feb. 1996 First attemptSTMicroelectronics TouchChip Solid state Mar. 1999 First attemptVeridicon FPS110 Solid stat Sep. 1999 First attemptIdenticator DFR200 Optical Oct. 1999 First attempt

Table 1: Attack at the scanner (adapted from [7]).

exploit a weakness in the TCP/IP stack’s 3-way hand-shake, and overwhelm an HTTP server with a largenumber of SYN packets with spoofed and unused IPaddresses to start the first step in the 3-way handshake.When the HTTP server tries to reply with a SYN/ACKpackets (second step in the 3-way handshake), the pack-ets will be sent to the spoofed and unused IP addresses.Since the IP addresses are unused (technically they donot exist), the packets will be traversing the network forquite a while before any router in the Internet startssending the HTTP server ICMP packets with the er-ror message “host unreachable”. This type of attackexhausts both the HTTP server and the network re-sources. If the adversary’s packets are sent very fastand by large numbers, the HTTP server can go downand no longer reply to any connection requests fromlegitimate users.

3.2 CircumventionAn adversary gains access to data or computer resourcesthat he may not be authorized to access. For example, ifa network service (e.g., telnet) in some network N has abug x (e.g., buffer overflow), an adversary can write anexploit for x to download (from some IP address on theInternet) and install a sniffer on the vulnerable machineto gather usernames and passwords. The adversary canuse these usernames and passwords to access other com-puters on network N and find confidential data.

3.3 RepudiationA legitimate user accesses the resources offered by anapplication and then claim that an intruder had cir-cumvented the system. For example, a bank clerk maymodify the financial records of a customer C and thendeny responsibility by claiming that an intruder couldhave possibly stolen from C [4].

3.4 Covert acquisitionAn adversary compromises and abuses the means ofidentification without the knowledge of a legitimate user.For example, a worker Wa can write his password on apiece of paper and leave it on his desk at work. Hisco-worker Wb finds the piece of paper and copies thepassword. Since Wb has the password of Wa then Wb

can use it to access Wa’s account.

3.5 Collusion

In any system, there are different user privileges. Userswith super-user privileges have access to all of the sys-tem’s resources. Collusion occurs when a user withsuper-user privileges abuses his privileges and modifiesthe system’s parameters to permit incursions by an in-truder. For example, a system administrator of a Linuxserver can open up a privileged port (between 1 and1024) on the server to give an intruder a chance toaccess the server easily. Privileged ports are usuallyknown as trusted ports so any traffic that is sent to aprivileged port usually passes through firewalls withoutany checking. It is often mentioned that the easiest wayto break a security system is to compromise the systemadministrator [5].

3.6 CoercionA legitimate user is forced to give an intruder access tothe system. For example, an ATM user could be forcedto give away her ATM card and PIN at gunpoint [5].

4. BIOMETRIC SECURITY THREATSFigure 1 shows a biometric system modules and ninedifferent points of attack. These points of attack arediscussed in detail below.

4.1 Points of Attack4.1.1 Type 1This point of attack is known as “Attack at the scan-ner”. In this attack, the attacker can physically destroythe recognition scanner and cause a denial of service asdescribed in section 3.1. The attacker can also createa fake biometric trait such as an artificial finger to by-pass fingerprint recognition systems, or inject an imagebetween the sensing element and the rest of the scannerelectronics to bypass facial recognition systems.

Putte and Keuning [6] mentioned that the problem withmost of the fingerprint scanners used these days is dis-tinguishing between a real finger and a well created arti-ficial (dummy) finger. The authors tested several finger-print scanners to check whether such scanners will ac-cept the dummy finger. Two methods were used to du-plicate a real finger: with and without the co-operationof the owner. With the co-operation of the owner, theauthors first created a plaster cast of the finger and thecast is then filled with silicon rubber to create a wafer-thin silicon dummy. The authors mentioned that the

Page 4: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

dummy can be glued to anyone’s finger without it be-ing noticeable to the eye. Without the co-operation ofthe owner, it is necessary to obtain a print of the fingerfrom a surface or a glass. The authors claim that everydental technician has the skills and equipment to createa dummy from a print of the finger. Putte and Keuningclaim that since 1990 several fingerprint scanners havebeen tested using dummy fingers and all tested scannersaccepted a dummy finger as a real finger. Table 1 showsin detail the scanner’s manufacturer, model, technology,date on which the scanners have been tested, and finallythe number of attempts required to get the dummy fin-ger accepted.

4.1.2 Type 2This point of attack is known as “Attack on the channelbetween the scanner and the feature extractor” or “Re-play attack”. When the scanner module in a biometricsystem acquires a biometric trait, the scanner modulesends it to the feature extractor module for processing.In this attack, the attacker intercepts the communica-tion channel between the scanner and the feature ex-tractor to steal biometric traits and store it somewhere.The attacker can then replay the stolen biometric traitsto the feature extractor to bypass the scanner.

4.1.3 Type 3This point of attack is known as “Attack on the featureextractor module”. In this attack, the attacker can re-place the feature extractor module with a Trojan horse.A Trojan horse program, named after the wooden arti-fact from Greek methodology that contained more thancould be seen on the surface, refers to an executablecode that is not a translation of the original programbut was added later, usually maliciously, and comes intothe system disguised as the original program [5]. Trojanhorses in general can be controlled remotely. Therefore,the attacker can simply send commands to the Trojanhorse to send to the matcher module feature values se-lected by him.

4.1.4 Type 4This point of attack is known as “Attack on the channelbetween the feature extractor and matcher”. This attackis similar to the attack described in section 4.1.2. Thedifference is that the attacker intercepts the communi-cation channel between the feature extractor and thematcher to steal feature values of a legitimate user andreplay them to the matcher at a later time.

An example of this type of attack would be what Adler[1] proposed. Adler presented an approach that ex-pands on the idea of Hill [2] and uses a “Hill Climb-ing Attack”. The author proposed an algorithm thatregenerates sample images from templates using onlymatch score results generated by the matcher module.Adler implemented a software that has access to a local

Synthetic TemplateGenerator

Attack Module

FingerprintMatcher

TemplateDatabase

To Other Modules

Figure 2: Attack System (adapted from [13])

database that contains facial images and a network ac-cess to 3 commercial face recognition servers to achievehis goals of synthetically reconstructing a face image.Adler’s algorithm begins with only the database ID ofthe target person. The algorithm starts by selectingan initial image from the local database and sendingthe initial image feature values to the matcher mod-ule. The matcher module generates match scores andbased on these match scores, the initial image is modi-fied. In every step, several facial images are multipliedwith a weight and added to the current candidate image.The modified image that generate the highest matchingscore is used as the new candidate image. This processis repeated several times until there is no major im-provement in the matching score. Once this happens,the current candidate image will have a good resem-blance to the target image.

A similar attack was proposed by Uludag and Jain [12].Uludag and Jain implemented an attack system as shownin figure 2 for a minutiae-based fingerprint authentica-tion system that uses a “Hill Climbing Attack”. Theattack system generates a minutiae set that results ina high matching score to gain access to the system inplace of a legitimate user. Minutiae points consist ofridge endings and ridge bifurcations. All minutiae basedsystems use the 2D location (x, y) of the minutiae andthe orientation θ associated with the minutiae as theattributes [12]. Uludag and Jain used the attributes ofthe minutiae (x, y, θ) in their attack system. To at-tack user’s i account, Uludage and Jain’s attack systemdoes the following (Assuming that there is a decisionthreshold value used by the fingerprint matcher moduleSthreshold that the attacking system does not know):

1. Generate a number of synthetic templates (T 1i , T 2

i ,T 3

i , ..., Tni ) where n is fixed.

Page 5: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

2. Send the generated templates in step 1 to the fin-gerprint matcher module and accumulate the cor-responding matching scores (S(Di, T

1i )), S(Di, T

2i ),

S(Di, T3i ), ..., S(Di, T

ni )) where Di is the tem-

plate corresponding to user i in the database andS(Di, T

ji ) is the matching score between Di and

T ji .

3. Declare (T besti ) to be the template resulting in the

highest matching score and (Sbest(Di)) to be thehighest matching score.

4. Modify T besti to obtain Tmodified

i by perturbingan existing minutia or adding a new minutia orreplacing an existing minutia or deleting an exist-ing minutia. For every time you create Tmodified

i ,check if the matching score S(Tmodified

i ) is largerthan Sbest(Di). If yes then change T best

i to Tmodifiedi

and change Sbest(Di) to S(Tmodifiedi ).

5. If the best matching score Sbest(Di) > Sthreshold

then the matcher will return “yes” and allow theattacking system to access user’s i account. Oth-erwise, if Sbest(Di) < Sthreshold then go to step4.

Uludag and Jain’s attack system was able to break threeaccounts at the 132nd, 271st, and 871st attempts (forsimulating an “easy” account, a “medium” account, anda “hard” account, respectively, in terms of the numberof access attempts necessary to break them) [12].

4.1.5 Type 5This point of attack is known as “Attack on the matcher”.This attack is similar to the attack described in section4.1.3. The difference is that the attacker replaces thematcher with a Trojan horse. The attacker can sendcommands to the Trojan horse to produce high match-ing scores and send a “yes” to the application to bypassthe biometric authentication mechanism. The attachercan also send commands to the Trojan horse to producelow matching scores and send a “no” to the applicationall the time causing a denial of service.

4.1.6 Type 6This point of attack is known as “Attack on the systemdatabase”. In this attack, the attacker compromises thesecurity of the database where all the templates arestored. Compromising the database can be done byexploiting a vulnerability in the database software orcracking an account on the database. In either way,the attacker can add new templates, modify existingtemplates or delete templates.

Hill [2] described a way to create an image of a fin-gerprint based on the information contained within the

#include <stdio.h>#include <stdlib.h>#include "biometric.h"

{

void password_authentication()

. .

}

.

int main(){

biometric_authentication();elseif (use_password_authentication()) password_authentication();

return EXIT_SUCCESS;}

if (use_biometric_authentication())

strcpy((char *)&pwd,get_pwd());

#define BUFFSIZE 256

char pwd[BUFFSIZE];

Figure 3: Vulnerable C code

stored template (reverse engineering). Hill used a neu-ral network classifier to predict the shape of the fin-gerprint based on minutiae points. The neural networktakes as input minutiae points (where each minutiaepoint is characterized using its 2D location, ridge, cur-vature and orientation) and predicts the fingerprint’sclass. Once the class has been predicted, a synthetic fin-gerprint image is generated. Hill’s proposed techniqueis observed to work on a database of 25 fingerprintsfrom arch class [4].

4.1.7 Type 7This point of attack is known as “Attack on the chan-nel between the system database and matcher”. Thisattack is again similar to the attack in section 4.1.2. Inthis attack, the attacker intercepts the communicationchannel between the database and matcher to eithersteal and replay data or alter the data.

4.1.8 Type 8This point of attack is known as “Attack on the chan-nel between the matcher and the application”. In thisattack, the attacker intercept the communication chan-nel between the matcher and the application to replaypreviously submitted data or alter the data.

Page 6: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

frame pointerreturn addressargcargv

frame pointerreturn address

Stack pointer

main stack frame

.text section

password_authentication code

OS code

Before attacking

After attacking..

.

stack frame

main code

passwod_authentication

Low memory

High memory

pwd(256 bytes)

Buffer growth

Stack pointer

Figure 4: Stack Smashing Attack

4.1.9 Type 9We claim that a 9th point of attack exists in biometricsystems. We call this attack “Attack on the applica-tion”. Bugs are a consequence of the nature of the pro-gramming task that no one can deny. It is a fact thatany software has at least one bug in it. Since biomet-ric authentication systems are not 100% accurate, mostof these systems use traditional authentication schemesas a backup. For instance, fingerprint readers shippedwith laptops these days force you to create a backuppassword that you can use to access the system if thefingerprint reader does not recognize you for some rea-son. If a thief tries to break into a house, he can usethe main entrance (door) to break into the house orhe can figure out another way to enter the house (e.g.,window). Therefore, instead of attacking the biometricsystem directly, one can indirect ways to attack it. Oneway is by using brute force attacks (e.g., dictionary at-tacks) that can be mounted against the application tofigure out the password. Another way would be to ex-ploit a bug in the application that does the passwordauthentication. If the application in a biometric systemsuffers from a critical bug (e.g., buffer overflow, doublefree, etc) then a skilled attacker can exploit this bug bysending the application a crafted input to change thecontrol flow of the program. By changing the flow ofthe program, the attacker can run code of his choosingwith the privileges that the running application have.If the attacker can run code of his choosing then thesecurity of all the modules in a vulnerable biometricsystem is compromised. For example, the attacker canrun code that will download a Trojan horse code fromthe Internet to replace the modules in the biometric sys-tem. The attacker can also run code that will install asniffer on the compromised system to make it easier tointercept the communication channels in the biometric

system.

In figure 3, we show a simple C code that can possi-bly be part of a biometric system code. The vulnerablepoints in the code are in the dashed boxes which clearlyshow that the program is vulnerable to a stack smash-ing attack. A 256 bytes local buffer has been declaredand the C function “strcpy” has been used to copy thegiven password into the local buffer. The C function“strcpy” does not do any bounds checking on the buffer(the same goes for other C functions like strcat, gets,etc). What do think will happen if we try to input 1024bytes into the buffer pwd? Of course a segmentationfault will occur. Segmentation faults occur when youtry to access an address that does not belong to yourprogram’s address space. Since we know that the buffergrows towards high memory (in little-endian architec-tures), then it is possible to overwrite the frame pointerand the return address in the password authenticationfunction’s stack frame. The return address in the pass-word authentication function’s stack frame points to theinstruction that follows the call to it in main. In ourcase, it points to “return EXIT SUCCESS” somewherein the .text section in memory. To be able to run a codeof our choosing which is 200 bytes long then out craftedexploit string (which will be in machine code) can beas follows: 56 bytes nop instructions (90 in machinecode) + 200 bytes code + 4 bytes nop instructions (tooverwrite the frame pointer) + address of pwd on thestack (4 bytes long). Figuring out the address of pwdon the stack can be done using trial and error. If wesuccessfully inject the exploit string into pwd then oncethe password authentication function is done execut-ing, there will be a jump to where the return addressis pointing to. Since we changed the return address topoint to pwd on the stack (say 0x12345678), then the

Page 7: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

Encrypted secret Released secret

Decryption

Key

MatchingYes

No

Deny AccessFingerprint

Figure 5: DRM system based on biometrics

following instruction: jmp 0x12345678 will be executedand the injected code in pwd will run (the nop instruc-tions only waste CPU cycles). The attack is shown infigure 4.

5. BIOMETRICS AND CRYPTOGRAPHYBiometric cryptosystems combine biometrics and cryp-tography at a level that allows biometric matching toeffectively take place in cryptographic domain, henceexploiting the associated higher security [12]. Thesesystems are gaining popularity since they can be usedeffectively in Digital Rights Management (DRM) sys-tems to make it hard to copy or share digital mediaillegally. Uludag, Pankanti, Prabhakar, and Jain [13]presented several methods that bind a cryptographickey with the biometric template of a user stored in adatabase in such a way that the key cannot be revealedwithout a successful biometric authentication. The ideais as follows (shown in Figure 5): suppose that Alice, alegitimate user, is enrolled on a DRM system that usesbiometric based authentication. If Alice wants to ac-cess a certain digital content C then she will have to gothrough the following steps (we will refer to the DRMsystem as SDRM ):

1. Alice selects the digital content C that she wantsto access.

2. The SDRM asks Alice to provide her sample bio-metric data.

3. Alice provides her sample biometric data and theSDRM tries to find a match in the database. SinceAlice is enrolled in the system then the SDRM willfind a match and release a key K.

4. The SDRM retrieves the content that Alice wantedto access but in an encrypted form E(C).

Scanner Hash(biometric data)

System Database

Scanner Hash(biometric data)

Matcher

Enrollement

Authentication

Figure 6: Using hash functions in biometric sys-tems

5. The SDRM uses the key K it released in step 3 todecrypt E(C) and obtain C.

6. The SDRM sends C to Alice.

Now suppose that Mallory, an illegitimate user, tries toimpersonate Alice to access a certain media content C.In step 3 above, Mallory will provide the SDRM with hersample biometric data but since Mallory is not enrolledin the system then the SDRM will not find a matchand hence deny Mallory from accessing C. Uludag,Pankanti, Prabhakar, and Jain [13] refer to the abovemethod of integrating biometrics into a cryptosystemas the method of biometric based key release. As youmight have noticed, the above method is vulnerable tomany different types of attacks (e.g., replay attacks,Trojan horse attacks, etc). To be able to improve theabove method, we need to ask ourselves the followingquestions (adapted from [13]):

1. Is it possible to design a biometric system suchthat if the biometric template in an applicationis compromised, the biometric signal itself is notlost forever and a new biometric template can beissued?

2. Is it possible to design a biometric template suchthat different applications are not able to use thesame biometric template, thus securing the bio-metric signal as well as preserving privacy?

3. Is it possible to generate/release a cryptographickey using biometric information such that the cryp-tographic key management is secure and conve-nient?

According to Uludag, Pankanti, Prabhakar, and Jain itis possible to integrate biometric matching and crypto-graphic techniques to solve all of the above problems.

Page 8: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

To solve questions 1 and 2 above, one can use a one-way hash function (e.g., MD5, SHA-1, etc). One-wayfunctions are known to be computationally infeasible toinvert so instead of storing the original biometric signal,say x, in the system database we store its transformedversion H(x). During authentication, the biometricsensor would morph the signal using the same trans-form H (figure 6) and the biometric matching would becarried out in the transformed space [13]. Since one-wayfunctions cannot be inverted then if H(x) ever gets com-promised, it will be impossible to get x. Furthermore,new biometric templates can always be issued using adifferent transform (function). One of the properties ofone-way functions is that it is computationally infea-sible to find x and y such that H(x) = H(y). There-fore, if the biometric signal x varies then the matcherwill have difficulty in carrying out the matching in thetransformed space and hence increase the authentica-tion error rate significantly.

To solve question 3 that was addressed earlier, we hidethe cryptographic key in the user’s biometric templateitself (e.g., via a trusted and secret bit-replacement al-gorithm that can replace, say, the least significant bitsof the pixel values/features of the biometric templatewith the cryptographic key [13]). All what the systemhas to do is extract the key from the biometric dataupon a successful biometric match and release it. Thesecurity of this method is highly dependent on the re-trieval algorithm and the secrecy of key hiding.

Many other approaches (e.g., the use of digital signa-tures, fuzzy commitment, etc) has been proposed toutilize the use of biometric cryptosystems. However,all of the proposed approaches still suffer from securityproblems.

6. CONCLUSIONBiometric systems provide a better and stronger fac-tor of authentication. Such system authenticate indi-viduals based on what they are (e.g., fingerprint, palmprint, etc) instead of what they know (e.g., password,PIN) or what they have (e.g., smartcard). Biometricsystems proved to be more effective and convenient forusers since they do not have to worry about forgettingpasswords or losing smartcards, etc. In traditional au-thentication systems, however, if someone compromisesyour password or smartcard then the system adminis-trator can revoke the password or smartcard and issueyou a new one. In biometric authentication systems,if someone compromises your biometric data templatethen it is lost forever. No one can issue you, for in-stance, a new fingerprint unless you figure out a way toreplace your fingers.

In this paper, we discussed in-depth the different typesof vulnerabilities that exist in biometric systems. Wepresented a new attack point at the application level

that allows the attacker to compromise the biometricsystem without going through the sensor module. Wedescribed how biometric cryptosystems can overcomesome of the disadvantages in traditional biometric au-thentication systems and improve their security. Fi-nally, we showed how biometric cryptosystems can beused effectively in Digital Rights Management (DRM)systems.

7. REFERENCES[1] A. Adler. Can images be generated from

biometric templates? In Biometric ConsortiumConference, 2003.

[2] C. Hill. Towards reconstructing fingerprints fromminutiae points, b.s. thesis, australian nationaluniversity,http://chris.fornax.net/biometrics.html. 1999.

[3] A. K. Jain, A. Ross, and S. Prabhakar. Anintroduction to biometric recognition. In Proc. ofIEEE Transactions on Circuits and Systems forVideo Technology, Special Issue on Image- andVideo-Based Biometrics, volume 14, pages 4 – 20,2004.

[4] A. K. Jain, A. Ross, and U. Uludag. Biometrictemplate security: Challenges and solutions. InProc. of 13the European Signal ProcessingConference (EUSIPCO), 2005.

[5] D. Maltoni, D. Maio, A. K. Jain, andS. Prabhakar. Handbook of FingerprintRecognition. Springer, 2003.

[6] T. Putte and J. Keuning. Biometrical fingerprintrecognition: don’t get your fingers burned. InProc. IFIP TC8/WG8.8, Fourth Working Conf.Smart Card Research and Adv. App., pages 289 –303, 2000.

[7] N. Ratha, J. H. Connell, and R. M. Bolle. Ananalysis of minutiae matching strenght. In Proc.Audio and Video-based Biometric PersonAuthentication (AVBPA), volume 5306, pages 223– 228, 2001.

[8] P. Reid. Biometrics for Network Security.Prentice Hall, 2003.

[9] A. Ross, J. Shah, and A. K. Jain. Towardsreconstructing fingerprints from minutiae points.In SPIE, Biometric Technology for HumanIdentification II, volume 5779, pages 68 – 80,2005.

[10] B. Schneier. The uses and abuses of biometrics.Comm. ACM, 42:136, 1999.

[11] C. Soutar. Biometric system security, whitepaper, bioscrypt, http://www.bioscrypt.com/.

Page 9: How to Attack Biometric Systems in Your Spare Timeahmed.obied.net/research/papers/biometric.pdfHow to Attack Biometric Systems in Your Spare Time Ahmed Obied Department of Computer

[12] U. Uludag and A. K. Jain. Attacks on biometricsystems: a case study in fingerprints. In Proc. ofSPIE, Security, Seganography and Watermarkingof Multimedia Contents VI, volume 5306, pages622 – 633, 2004.

[13] U. Uludag, S. Pankanti, S. Prabhakar, and A. K.Jain. Biometric cryptosystems: issues andchallenges. In Proc. of IEEE, volume 92, pages948 – 960, 2004.