Biometrics Week 2 Flashcards
What is authentication?
The process of verifying or determining a user's identity.
A natural recognition capability of human beings.
Automated authentication assigns the task of authentication to a machine for greater security, efficiency, and convenience.
Authentication can be?
Verification: am I who I claim to be? (a one-to-one comparison against the claimed identity)
Or
Identification: who am I? (a one-to-many search; used for finding a "wolf in sheep's clothing")
Authentication can be Based on Different Concepts:
Knowledge
Possession
Biometrics
Any combination of the three
Knowledge Based Authentication
Something you know:
a password, pass-phrase, PIN…
Works reliably only if the secret is not easily guessed or disclosed.
Problem with Knowledge based Approach
Problem:
Difficult to remember
Easily guessed by impostors
Can be stolen or forgotten
Can be shared: only a limited degree of accountability, because the credential is transferable
More than 15% of people seem to write their PIN on their ATM card
Possession Based Authentication
Something you have:
identity document, a token, a key, a card,..
Solves some of the problems of knowledge-based authentication:
No need to remember a password
Accountability is still limited, since the credential can be transferred (lent or shared)
The owner can tell if the card or token has been stolen
Problem with possession-based approach
Possession could be:
lost,
stolen
shared
misplaced
forgotten
Benefits of Biometrics
Convenient: nothing to lose or remember
Cannot be guessed, shared, lost or forgotten, and cannot be "stolen" in the way a card or password can (a sample can still be captured and replayed; see the attacks listed under each modality below)
Non-repudiation: links an access to a person, not to a password or a card.
Protects against identity theft
Higher perceived degree of security
Security level combinations, strongest first:
Know + Have + Are
Have + Are
Know + Have
Know
Major Factors Influencing the Adoption of Biometrics
Security
Higher security through non-repudiation
Cannot be stolen, easily reproduced or guessed
Convenience
An integral and distinctive part of a human being
Set it up once and forget about it
Cost/Technology
Higher return on investment through higher protection
Drop in the price of biometric sensors
The underlying technology is becoming more mature
Products have attained higher level of accuracy and throughput
Why Convergence?
Streamlined Provisioning/de-Provisioning
Single Point of enrollment
Lowered risk of penetration
Ease of Use
Shared Credentials
Reduced Cost
Lowered risk of credential sharing
Common Security Policies
Improved Accountability
Better Audit capability
Policies commensurate with overall corporate objectives
Compliance with Regulatory Processes
Biometrics Based Authentication
Biometrics = bio (life) + metrics (to measure)
Deals with automated methods of verifying or recognizing living persons based on their:
Biological characteristics (e.g., face, fingerprint, iris, hand geometry, retina)
Behavioral characteristic (e.g., signature, gait)
Combined (e.g., Voice)
No human is involved in the authentication process
Should be done in real-time
Criteria for a Biometric Solution to be Applied for Authentication
Universality or availability
Every person should have the characteristic
Uniqueness or distinctiveness
Different persons should have different characteristics
Also referred to as discriminatory power
Permanence or robustness
The characteristic should be time-invariant
It should not change with varying operating conditions
Collectability or accessibility
The characteristic should be measurable quantitatively within a reasonable time frame
Performance
It should be practical to collect and measure, and it should give an acceptable identification rate.
Acceptability
Users should not object to having it collected/measured
Circumvention
It should not be too easy to fool (e.g. with a recording or an artificial finger)
Applications of Biometrics Systems
Forensics
Government
Commercial
Taxonomy of uses of Biometrics Systems
Positive identification
Verifies that the submitted sample is from an individual known to the system
e.g. access to a building, access to a mobile device, ...
Negative identification
Verifies that the submitted sample is from an individual not already known to the system
e.g. used to prevent duplicate enrollments in welfare programs.
Basic Functions of a Biometric System
Capture
The process of measuring the biometric characteristics of a person using a sensing device
Process
The process of converting the biometric features into a numeric format (template) that can be stored in the database
Enrollment
Registering a biometric template of a person in a database
Identification
One-to-many process: finding the template in the database that matches the live template at hand.
Verification
One-to-one process: matching a live template against a single stored template
Voice
Different from speech recognition (which recognizes what is said, not who says it)
Based on the analysis of voice patterns and characteristics such as pitch, tone, ...
The voice signal is transformed and digitized
Speaker verification can be:
Text-dependent or text-independent; language-dependent or language-independent
Can be used for authentication over the phone
Weaknesses
Background noise (e.g. airplanes)
The voice can be affected by the person's health, emotion, ...
It can be mimicked, recorded and replayed.
Lengthy enrollment
Attacks:
Tape recordings (replay)
Identical twins or people who sound alike
Facial Recognition
A very natural process for human beings
Analyzes the unique shape, pattern, and position of facial features
Can be based on still or video images
Face biometrics can be applied covertly, without the person's cooperation
2D Facial Recognition
A template can be created from a standard webcam
There is no contact with a sensor
Can be done from a distance
Highly affected by lighting, pose, eyeglasses and facial expressions
Relies heavily on a controlled environment; otherwise the failure rate is high
Technologies for face recognition
Eigenface approach: based on overall face appearance
Feature geometry: feature-based method
Neural networks
3D Facial Recognition
Uses real-time capture of three-dimensional images of a subject’s face
The uniqueness of the person's cranial structure (skull curvature, ...) is extracted and stored as a biometric template
Not affected by lighting, background colors, facial hair or makeup
Uses structured light in near-infrared range where a projector shoots an invisible structured light pattern onto the face, and a video camera records the pattern distorted by the face’s surface geometry
A 3D mesh of the face is created by means of triangulation
Iris Recognition
Measures the features associated with the random texture of the colored part of the eye (the iris)
Based on visible features, i.e.
rings, furrows, freckles, and the corona
Requires cooperation from the user
Weaknesses:
fear and discomfort; proprietary acquisition devices.
Highly accurate
Very stable over a lifetime
It works well even with glasses and contact lenses
It can be affected, though, by some diseases such as cataracts.
IrisCode
Uses near-infrared sensors at a distance of 6 inches to 2 feet
Up to 255 distinct features can be measured; the features and their locations are used to form the IrisCode, which is the digital template
The iris image can be captured using a normal CCD camera with a resolution of 512 dpi or higher
Different IrisCodes are compared using Exclusive OR: the fraction of bits that differ (the Hamming distance) decides whether the two codes come from the same iris
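The XOR comparison just described, as an added example that is not part of the lecture notes. Codes are modelled as 64-bit integers (real IrisCodes are 2048 bits, but the arithmetic is the same), each code carries a mask marking which bits were actually visible, and the 0.32 decision threshold and all sample codes are assumptions constructed for the example.

```python
# Added example (not from the lecture): comparing two IrisCodes with XOR.
# Codes are 64-bit Python ints; real IrisCodes are 2048 bits but the arithmetic
# is identical. Mask bits mark usable code bits (1 = usable, 0 = occluded by
# eyelid, eyelash or reflection).

WIDTH = 64
FULL = (1 << WIDTH) - 1


def rotate(code, shift, width=WIDTH):
    """Circularly rotate a width-bit code left by `shift` (negative = right).
    Rotation models a small tilt of the head between captures."""
    shift %= width
    mask = (1 << width) - 1
    return ((code << shift) | (code >> (width - shift))) & mask


def hamming_distance(code_a, mask_a, code_b, mask_b):
    """Fraction of usable bits in which the codes disagree:
    popcount((A XOR B) AND maskA AND maskB) / popcount(maskA AND maskB).
    Returns None when the masks leave no usable bits."""
    usable = mask_a & mask_b
    n = bin(usable).count("1")
    if n == 0:
        return None
    disagree = bin((code_a ^ code_b) & usable).count("1")
    return disagree / n


def best_hamming_distance(code_a, mask_a, code_b, mask_b, max_shift=3):
    """Smallest HD over rotations of B within +/- max_shift bit positions."""
    best = None
    for s in range(-max_shift, max_shift + 1):
        hd = hamming_distance(code_a, mask_a, rotate(code_b, s), rotate(mask_b, s))
        if hd is not None and (best is None or hd < best):
            best = hd
    return best


# HD below this counts as the same iris. Daugman reports operating points near
# 0.32 for real systems; the exact value here is an assumption of the example.
MATCH_THRESHOLD = 0.32


def same_iris(code_a, mask_a, code_b, mask_b):
    hd = best_hamming_distance(code_a, mask_a, code_b, mask_b)
    return hd is not None and hd < MATCH_THRESHOLD


# Constructed sample data (not real iris data).
ENROLLED = 0xA5C3F0E11B2D4C7E
# Same eye, later capture: 4 bits flipped by noise, bits 20..27 hidden by an eyelid
LATER_CODE = ENROLLED ^ (1 << 3) ^ (1 << 17) ^ (1 << 40) ^ (1 << 58)
LATER_MASK = FULL & ~(0xFF << 20)
# Same eye captured with the head tilted: the code is shifted two positions
TILTED_CODE = rotate(ENROLLED, 2)
# A different person's iris
IMPOSTOR = 0x3C96E1D5A7B20F4C

if __name__ == "__main__":
    for name, code, mask in [("later capture", LATER_CODE, LATER_MASK),
                             ("tilted capture", TILTED_CODE, FULL),
                             ("impostor", IMPOSTOR, FULL)]:
        hd = best_hamming_distance(ENROLLED, FULL, code, mask)
        print(f"{name:15s} HD={hd:.3f} match={same_iris(ENROLLED, FULL, code, mask)}")
```

Masking is what makes the XOR comparison robust: occluded bits are excluded from both the numerator and the denominator, so an eyelid does not inflate the distance, and trying a few rotations absorbs head tilt between the enrollment and the live capture.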
Retina Scan
Based on the vascular structure at the back of the eye:
The pattern of blood vessels that emanate from the optic nerve and disperse throughout the retina is individual and does not change
An infrared light source is shone through the eye's pupil to illuminate the retina
Extremely accurate and secure
No two retinas are the same, even for identical twins
It is considered intrusive; it can reveal some medical conditions, such as hypertension
Requires the user to remove eyeglasses
Long capture time: 5-15 seconds.
Most Significant Test Measures of Biometrics Systems
False Matching Rate (FMR)
False Non-Match Rate (FNMR)
Failure to Enroll (FTE)
Equal-Error-Rate (EER)
False Matching Rate (FMR)
Also referred to as False Acceptance Rate (FAR)
The ratio of the number of truly non-matching (impostor) samples that the system nevertheless matches to the total number of impostor tests.
It is the probability that a user making a false claim about her identity will be verified as that false identity
It mainly tells you the strength (discriminating power) of the matching algorithm
False Non-Match Rate (FNMR)
Also referred to as False Rejection Rate (FRR)
The ratio of the number of truly matching (genuine) samples that the system fails to match to the total number of genuine tests.
It is the probability that a user making a true claim about her identity will be rejected.
It mainly tells you the accuracy and robustness of the matching algorithm
Failure to Enroll (FTE)
The probability that a user attempting to enroll biometrically will be unable to.
Vendors usually use the Rule of Three: if no failures are observed in n independent attempts, the 95% upper confidence bound on the failure rate is approximately 3/n.
It tells you what fraction of the population the biometric system can cover.
Equal-Error-Rate (EER)
The point on the error-rate curves where the false match rate and the false non-match rate are equal
Can be read off the crossover point of the FRR/FAR curves plotted against the decision threshold, or from the Receiver Operating Characteristic (ROC) curve.
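The measures above, computed from matcher scores, as an added example that is not part of the lecture notes. The genuine and impostor scores and the enrollment log are constructed; the convention that a comparison is accepted when its score is at least the threshold is an assumption of the example.

```python
# Added example (not from the lecture): FMR, FNMR, FTE and EER from matcher scores.
# Scores are constructed, not from a real system. Convention: higher score means
# more similar; a comparison is accepted when score >= threshold.

GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.60, 0.90, 0.79, 0.86, 0.93]   # same person
IMPOSTOR_SCORES = [0.12, 0.30, 0.41, 0.65, 0.22, 0.35, 0.08, 0.27, 0.50, 0.19]  # different people
ENROLLMENT_ATTEMPTS = [True] * 297 + [False] * 3   # True = enrolled successfully


def false_match_rate(impostor_scores, threshold):
    """FMR (FAR): impostor comparisons accepted / all impostor comparisons."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """FNMR (FRR): genuine comparisons rejected / all genuine comparisons."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def failure_to_enroll_rate(attempts):
    """FTE: enrollment attempts that failed / all attempts."""
    return sum(1 for ok in attempts if not ok) / len(attempts)


def rule_of_three(n_trials):
    """Approximate 95% upper bound on an error rate when 0 errors were seen in n trials."""
    return 3.0 / n_trials


def candidate_thresholds(genuine_scores, impostor_scores):
    """Every observed score is a threshold at which the rates can change."""
    return sorted(set(genuine_scores) | set(impostor_scores))


def equal_error_rate(genuine_scores, impostor_scores):
    """Sweep the threshold over the observed scores and return (threshold, EER)
    at the point where FMR and FNMR are closest (the crossover)."""
    best = None
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        fmr = false_match_rate(impostor_scores, t)
        fnmr = false_non_match_rate(genuine_scores, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, (fmr + fnmr) / 2)
    return best[1], best[2]


def roc_points(genuine_scores, impostor_scores):
    """(FMR, 1 - FNMR) pairs, one per candidate threshold: the ROC curve."""
    return [(false_match_rate(impostor_scores, t),
             1 - false_non_match_rate(genuine_scores, t))
            for t in candidate_thresholds(genuine_scores, impostor_scores)]


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.8):
        print(f"threshold {t:.2f}: FMR={false_match_rate(IMPOSTOR_SCORES, t):.2f} "
              f"FNMR={false_non_match_rate(GENUINE_SCORES, t):.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FTE:", failure_to_enroll_rate(ENROLLMENT_ATTEMPTS))
    print("Rule of three, 0 failures in 300 tries:", rule_of_three(300))
```

Raising the threshold lowers FMR and raises FNMR, so the two rates trade off against each other; the EER is one summary of that trade-off, but a deployment normally picks the threshold from the FMR it can tolerate rather than from the crossover. Note also that with only ten impostor scores the sweep cannot measure an FMR below 0.1 at all; the rule of three gives the same warning for FTE.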
What is Convergence?
Formal Cooperation between (at least) two separate security functions
Streamlined Provisioning/de-Provisioning
Shared Authentication Credentials
Common Security Policies
Where is Convergence?
Commercial
Proprietary Enterprise Systems
Federal
FIPS 201/PIV
Standards driven
Open interoperable system
Physical Access Control
Support multi-factor authentication in many combinations
Fingerprint biometrics
Face biometrics
Proximity cards
Smart cards
Personal Identification Numbers (PIN)
Logical Access Control
Multi-factor Authentication
A solution that uses a wide range of strong authentication methods.
Enterprise network logon for desktop and network security.
Enterprise-level single sign-on for Windows and web applications.
Managed by a robust and extensible role-based access control policy engine.
Common Credentials/Policies
Common credentials and policies are used for both physical and logical access control
Benefits – Converged System
Common policies across physical and logical access
Role-based Authorization
Harmonized security privileges
Centralized Enrollment Processes
Similar models for Commercial and Government systems
A range of Authentication Factors can be coordinated
Authentication factors can be “cascaded”
Events can be coordinated
Smart Cards
A card with the capability to store and/or process information for a particular application
Can store financial, personal, and specialized information
Types of smart cards
Memory card: memory only; more storage than a magnetic stripe
Microprocessor card: memory, processor, and a co-processor to support cryptography
Driving Factors for the Smart Cards
Declining price of smart cards
From $15 in the 1980s to a couple of dollars in 2000, to sub-dollar prices now
Fears that magnetic stripe cards cannot provide the necessary security against fraud and security breaches.
Forms of Smart Cards
Smart cards come in two forms:
Contact
Contactless.
A contactless card may contain its own battery,
but most of the time the power is supplied by an inductive loop (the reader's field)
Contact Smart cards
Identified by its gold contact plate
ISO 7816-2 defines eight contacts,
though only six are actually used:
Eight metallic pads on the surface:
Vcc: supply voltage, generally 5 volts (later ISO 7816-3 classes also allow 3 V and 1.8 V)
GND: ground reference
RST: reset, the signal line used to initialize the state of the card (resets the microprocessor)
CLK: clock signal used to drive the logic of the IC
Vpp: the high programming voltage that was necessary to program EPROM memory (unused on modern EEPROM-based cards)
I/O: serial input/output line used to receive commands and exchange data with the outside world
2 RFU: reserved for future use.
Smart Card Hardware
Microprocessor unit (MPU), e.g. a 32-bit RISC core
I/O control: manages the flow of data in and out of the card
RAM: temporary storage
ROM: holds the chip OS (COS), also called the mask
EEPROM (electrically erasable programmable ROM): application memory, used for persistent application data storage
Chip OS (COS)
A Chip OS is required to:
Manage data in and out of the card
Manage files
Control access to data and functions
Manage card security
Maintain reliability, interrupts, data consistency and error recovery
A COS can be
General purpose COS for all applications
Dedicated COS for specific applications
No standard COS
Security Features of Smart Card
Card-level protection by several passwords
The card resets itself in case of a hardware attack
File-level security, which can be:
Secret-password based
Based on a second password
External authentication
Encrypted
Mutual authentication
Mandatory – PIV Card Storage - Interoperability
Two index fingers
Templates generated from segmented ten-print enrollment images
Stored as ANSI/INCITS 378 templates
PIV Card fingerprint templates
Interoperable PIV Card fingerprint templates can only be read through the contact interface, following entry of a PIN
PIV Card Interoperability
PIV Card used for Logical and Physical Access
Logical Access primarily based on PKI
PIN required for access to private key and other data
Physical Access systems typically not configured for PKI
Physical Access systems typically based on contactless readers for throughput and durability
Questions/Concerns
How to achieve interoperability across both logical and physical access while meeting the demands of both environments?
PAC Biometric Readers – contactless interface
Interoperable PIV Card fingerprint templates can only be read through the contact interface following entry of a PIN
However, the cardholder unique identifier (CHUID) can be read from the contactless interface, without a PIN
Also, agency-specific data (e.g. a biometric template) can be written to the PIV Card and accessed via the contactless interface
Can appropriate biometric PAC Scenarios for FIPS 201 be established using the CHUID and biometric template?
PAC Biometric Readers – Operational biometric templates
SP 800-76, Sec. 1.2 states:
“…for both logical and physical access applications, and for applications using biometric data stored either on or off the PIV Card, this document neither requires nor precludes the use of:
The PIV Card fingerprint templates;
Specific authentication paradigms such as match-on-card;
Data from other biometric modalities (e.g., hand geometry, iris, etc.);
Data formatted according to other standards;
Data whose format is proprietary or otherwise undisclosed.”
PAC Biometric Readers – PIN
Biometric Industry Association viewpoint:
PIN entry is not necessary for minutiae templates
Previous privacy issues related to full fingerprint images
Biometric templates stored on the PIV Card are digitally signed
A live version of the biometric sample is required for verification
Mutual authentication between card and reader can provide template privacy
Consider 2-factor Authentication Use Cases with Contactless Access to PIV Card and Biometrics
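The interface/PIN rules discussed above, as an added example that is not part of the lecture notes and not the code of any real PIV card or middleware: a short ISO/IEC 7816-4 APDU encoder plus a simulated card that lets the CHUID be read on either interface without a PIN but releases the fingerprint templates only over contact and only after a successful VERIFY. The data object tags (CHUID 5FC102, fingerprints 5FC103) follow SP 800-73 and the status words follow ISO 7816-4; the card's internal behaviour, the choice to refuse VERIFY over contactless, and all sample values are assumptions of the simulation.

```python
# Added example (not from the lecture, not a real card): ISO 7816-4 APDUs and a
# simulated PIV-style card enforcing "CHUID: any interface, no PIN;
# fingerprint templates: contact interface only, after VERIFY".

CHUID_TAG = b"\x5f\xc1\x02"          # SP 800-73 Card Holder Unique Identifier
FINGERPRINTS_TAG = b"\x5f\xc1\x03"   # SP 800-73 Cardholder Fingerprints

# ISO 7816-4 status words used by the simulation
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_AUTH_METHOD_BLOCKED = 0x6983
SW_WRONG_DATA = 0x6A80
SW_FILE_NOT_FOUND = 0x6A82
SW_INS_NOT_SUPPORTED = 0x6D00


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le])
    return apdu


def piv_pin_block(pin):
    """PIV application PIN: 6-8 ASCII digits, right-padded with 0xFF to 8 bytes."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6-8 digits")
    return pin.encode("ascii") + b"\xff" * (8 - len(pin))


def verify_apdu(pin):
    """VERIFY (INS 20), P2 80 = PIV application PIN."""
    return build_apdu(0x00, 0x20, 0x00, 0x80, piv_pin_block(pin))


def get_data_apdu(tag):
    """GET DATA (INS CB, P1P2 3FFF) with the object tag wrapped in a 5C TLV."""
    return build_apdu(0x00, 0xCB, 0x3F, 0xFF, b"\x5c" + bytes([len(tag)]) + tag, le=0)


class SimulatedPivCard:
    def __init__(self, pin, chuid, fingerprints, max_retries=3):
        self._pin_block = piv_pin_block(pin)
        self._retries = max_retries
        self._max_retries = max_retries
        self._pin_verified = False
        self._objects = {CHUID_TAG: chuid, FINGERPRINTS_TAG: fingerprints}

    def transmit(self, apdu, contactless=False):
        """Return (response_data, status_word) for one command APDU."""
        ins = apdu[1]
        lc = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + lc]
        if ins == 0x20:                                    # VERIFY
            if contactless:                                # assumption: PIN never crosses the contactless interface
                return b"", SW_SECURITY_STATUS_NOT_SATISFIED
            if self._retries == 0:
                return b"", SW_AUTH_METHOD_BLOCKED
            if data == self._pin_block:
                self._pin_verified = True
                self._retries = self._max_retries
                return b"", SW_OK
            self._retries -= 1
            self._pin_verified = False
            return b"", 0x63C0 | self._retries             # 63Cx: x tries remaining
        if ins == 0xCB:                                    # GET DATA
            if len(data) < 2 or data[0] != 0x5C or len(data) != 2 + data[1]:
                return b"", SW_WRONG_DATA
            tag = data[2:]
            if tag not in self._objects:
                return b"", SW_FILE_NOT_FOUND
            if tag == FINGERPRINTS_TAG and (contactless or not self._pin_verified):
                return b"", SW_SECURITY_STATUS_NOT_SATISFIED
            return self._objects[tag], SW_OK
        return b"", SW_INS_NOT_SUPPORTED


def retries_remaining(sw):
    """Decode the 63Cx warning returned by a failed VERIFY; None for other status words."""
    return sw & 0x0F if (sw & 0xFFF0) == 0x63C0 else None


if __name__ == "__main__":
    # Constructed sample card; the object contents are placeholders, not real PIV data.
    card = SimulatedPivCard("123456", b"CHUID-placeholder", b"INCITS-378-template-placeholder")
    print("PAC reader, contactless, CHUID:", card.transmit(get_data_apdu(CHUID_TAG), contactless=True))
    print("PAC reader, contactless, fingerprints:", card.transmit(get_data_apdu(FINGERPRINTS_TAG), contactless=True))
    print("contact, wrong PIN:", hex(card.transmit(verify_apdu("000000"))[1]))
    print("contact, right PIN:", hex(card.transmit(verify_apdu("123456"))[1]))
    print("contact, fingerprints after PIN:", card.transmit(get_data_apdu(FINGERPRINTS_TAG)))
```

The point of the simulation is the asymmetry a physical-access designer has to live with: a contactless reader can identify the card (CHUID) but cannot obtain the interoperable templates, so a biometric PAC scenario has to rely either on agency-specific data placed on the card or on match-on-card, exactly the question raised above. The retry counter in 63Cx is what turns the PIN from a guessable 6-digit number into a blocked card after a few wrong tries.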
Fingerprints how it works
Based on the ridges of the fingertips
A very mature technology, especially in forensic applications
Can use live-scan or inked impressions
Fingerprint considerations
Fingerprints don't change over time
Things to consider:
A small part of the population might not be able to use it because of cuts, scars or occupational wear.
Requires contact with a sensor
Highly associated with law enforcement
Attacks on Fingerprints
Finger decapitation (presenting a severed finger)
"Gummy" fingers (artificial fingers cast in gelatin from a lifted print)
Defenses
Liveness detection: measure the physical properties of a live finger (pulse, oxygen level).
Friction Skin Anatomy
Minute ridges with furrows between them are present on the inner surface of the hands and the soles of the feet.
Such a structure, called friction skin, allows for:
Good grip
Good sense of touch
Exudation of perspiration
The structure and function of friction skin differ from the skin covering the rest of the body:
Not covered by hair
Does not contain oil glands
Contains a high concentration of nerve endings and sweat glands
A lack of pigmentation
Permanence and Uniqueness of Fingerprints
Fingerprints are permanent marks on the skin: they form at the fetal stage and stay the same throughout life.
Fingerprints are "unique" to an individual; different persons, even identical twins, have distinct fingerprints.
Around 4% of the human population, though, might be born without usable fingerprints or have fingerprints that have deteriorated
Applications of FP: Government
Criminal records
Fingerprints for diplomats and military personnel
National identity card
E-voting
Applications of FP: Forensic
Link a person to a crime scene
Link a person to previous records (history)
Applications of FP: Civil and Commercial Applications
Banking
Welfare
Smartcards
Access Control
Time and Attendance
Fingerprint Authentication System
Sensing
Feature extraction
Matching
Fingerprint Sensing
Taking an imprint of the fingertip
On-line (live-scan) acquisition or off-line acquisition using the ink technique.
Nowadays live-scan is the most widely used fingerprint acquisition technique.
Off-Line Acquisition
Advantage: possibility of producing rolled (nail-to-nail) impressions
Specifications for a Good Fingerprint
Considerations
Resolution
Area
Dynamic range
Image quality
Signal to Noise
FP Scanning: Scanners
Sweep and touch systems
Live-Scan
3 main categories:
Optical sensors
Solid-state (silicon) sensors
Ultrasound sensors.
Additional
Multispectral
3-D touchless
Feature Extraction
A fingerprint image is produced when a fingertip is pressed against a smooth surface, showing ridges (dark in a scanned image) and valleys (light).
Levels of Fingerprint Features
Level 1: macroscopic patterns formed by the flow of the ridges
Level 2: major ridge path deviations, also known as minutiae.
Level 3: intrinsic or innate ridge formations: the alignment and shape of each ridge unit, pore shape, and relative pore positions.
Level 1 Features: Singularities
Singularities are regions where the ridges assume distinctive shapes:
Loop, delta, whorl, core
FP Classification
Used as an index for searching a large database of fingerprints.
Fingerprints can be broadly classified into:
Left loop, right loop, whorl, arch and tented arch
Fingerprint Class Distribution
About 5% of fingerprints are arches
About 65% of fingerprints are loops
About 30% of fingerprints are whorls
Level 2: Minutiae.
A minutia is one of the various ways in which a ridge can be discontinued (e.g. a ridge ending or a bifurcation)
For each minutia we keep:
the x, y coordinates
the angle between the tangent to the ridge and the x-axis
The FBI model considers only termination (ending) and bifurcation minutiae
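How the stored (x, y, angle, type) tuples are actually compared, as an added example that is not part of the lecture notes and not any vendor's matcher: a simple minutiae matcher that tries each same-type pair of minutiae as an alignment hypothesis, rotates and translates the live set accordingly, and counts one-to-one matches within a distance and angle tolerance. The template, the synthesized live capture (rotated, shifted, jittered, one minutia missing, one spurious), the impostor set, the tolerances and the decision threshold are all constructed assumptions for the example.

```python
# Added example (not from the lecture): a minimal minutiae-based fingerprint
# matcher. Each minutia is (x, y, angle_degrees, type) with type 'E' (ridge
# ending) or 'B' (bifurcation), the two types the FBI model keeps.
import math

DIST_TOL = 8.0    # pixels: how far an aligned minutia may lie from its mate (assumption)
ANGLE_TOL = 15.0  # degrees (assumption)


def _angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def align(minutiae, ref_query, ref_template):
    """Rotate/translate `minutiae` so that ref_query lands exactly on ref_template."""
    qx, qy, qa, _ = ref_query
    tx, ty, ta, _ = ref_template
    rot = ta - qa
    c, s = math.cos(math.radians(rot)), math.sin(math.radians(rot))
    out = []
    for x, y, a, t in minutiae:
        dx, dy = x - qx, y - qy
        out.append((tx + dx * c - dy * s, ty + dx * s + dy * c, (a + rot) % 360.0, t))
    return out


def count_matches(template, aligned_query):
    """Greedy one-to-one pairing: each aligned query minutia takes the nearest
    unused template minutia of the same type within both tolerances."""
    used = set()
    matched = 0
    for x, y, a, t in aligned_query:
        best, best_d = None, DIST_TOL
        for i, (tx, ty, ta, tt) in enumerate(template):
            if i in used or tt != t:
                continue
            d = math.hypot(x - tx, y - ty)
            if d <= best_d and _angle_diff(a, ta) <= ANGLE_TOL:
                best, best_d = i, d
        if best is not None:
            used.add(best)
            matched += 1
    return matched


def match_score(template, query):
    """Try every same-type (query, template) pair as the alignment hypothesis
    and keep the best; returns (matched_count, normalized_score)."""
    best = 0
    for q in query:
        for t in template:
            if q[3] == t[3]:
                best = max(best, count_matches(template, align(query, q, t)))
    return best, 2.0 * best / (len(template) + len(query))


def synthesize_capture(template, rot_deg, dx, dy, drop_index, spurious):
    """Constructed 'live' capture: rotate about the origin, translate, jitter
    each position by at most 1 px, drop one minutia, add one spurious one."""
    c, s = math.cos(math.radians(rot_deg)), math.sin(math.radians(rot_deg))
    jitter = [(1, -1), (-1, 0), (0, 1), (1, 1), (-1, -1), (0, 0), (1, 0), (-1, 1)]
    out = []
    for i, (x, y, a, t) in enumerate(template):
        if i == drop_index:
            continue
        jx, jy = jitter[i % len(jitter)]
        out.append((x * c - y * s + dx + jx, x * s + y * c + dy + jy, (a + rot_deg) % 360.0, t))
    out.append(spurious)
    return out


# Constructed data (not real fingerprint measurements)
TEMPLATE = [(40, 60, 30, 'E'), (120, 45, 100, 'B'), (200, 80, 0, 'E'), (70, 150, 210, 'B'),
            (160, 170, 300, 'E'), (230, 200, 45, 'B'), (110, 240, 180, 'E'), (190, 260, 90, 'B')]
GENUINE = synthesize_capture(TEMPLATE, rot_deg=20, dx=30, dy=-12,
                             drop_index=7, spurious=(50, 300, 77, 'E'))
IMPOSTOR = [(55, 70, 120, 'B'), (140, 90, 200, 'E'), (210, 60, 330, 'B'), (90, 180, 20, 'E'),
            (175, 210, 95, 'B'), (240, 150, 260, 'E'), (60, 250, 150, 'B'), (150, 280, 10, 'E')]
DECISION_THRESHOLD = 0.5  # assumption; a real system tunes it from its FMR/FNMR curves

if __name__ == "__main__":
    for name, q in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        n, score = match_score(TEMPLATE, q)
        print(f"{name}: {n} minutiae matched, score {score:.3f}, accept={score >= DECISION_THRESHOLD}")
```

Two things the tolerances buy: the live finger is never placed at exactly the same position and angle as at enrollment, so the matcher must search over alignments rather than compare coordinates directly, and a capture routinely loses a minutia (cut, dry skin, partial contact) or gains a spurious one, which is why the score is a normalized count rather than an all-or-nothing comparison.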
Level 3: Sweat Pores
Steps for Feature Extraction
Local Ridge Orientation
Local Ridge Frequency
Singularity Detection
Segmentation
Fingerprint Enhancement
Binarization
Thinning
Feature Extraction
Fingerprints: Strength and advantages
Fingerprints are unique
Fingerprints are not time-variant
A very mature and proven core technology
It can provide a high level of accuracy
It can be deployed in a range of environments
Uses ergonomic and easy-to-use devices
Numerous sources (ten fingers) available for collection
Fingerprints: Disadvantages or weaknesses
Associated with crime control/investigation
Requires user cooperation
Cuts and scars affect fingerprints
Sensor interoperability: templates captured on different sensors may not match well
Hygiene: important to keep the capture surface clean
Most devices are unable to enroll a small percentage of users
What can we learn from a Speech?
Message,
Language,
Speech disorders/pathologies,
Emotional state, and
Speaker identity
Voice Biometric: Automated use of voice as the biometric trait to recognize speakers
‘Speaker Identity’ in the Speech Signal
Physiological factors: vocal tract characteristics and articulatory organs: dimensions of the vocal cavities, length of the vocal tract and vocal folds, etc.
Linguistic habits: phonological and prosodic habits (emotional state of the speaker, sarcasm, focus, ...), linguistic and semantic habits (influenced by geographic, family, socio-cultural and professional factors)
Multiple Levels of Speaker Individuality in Speech
Idiolect: how a speaker uses a specific linguistic system
Considered a linguistic pattern unique among speakers
Determining factors include:
Family, level of education, sociological background, region, ...
Phonotactics: describes each speaker's use of the available phoneme units and their possible realizations.
Not all languages have the same phonemes
Key in foreign-language training
Advantages of Speaker Verification
Automatic and natural (unlike fingerprinting)
Low cost of the input device: can use a standard microphone or telephone set
Low cost of processing using DSP technology
Telemetric: the modality best suited to use over the telephone
User friendly: non-invasive, lacks the negative perceptions associated with other biometrics such as fingerprints
Samples can be collected from uncooperative subjects
Can be combined with challenge/response techniques (e.g. prompting for a random phrase, which defeats a simple replay of a recording)
Disadvantages of Speaker Verification
Affected by pathological changes in physical characteristics (e.g. a cold)
Less unique than fingerprints, iris, retina, ... DNA
More susceptible to replay attacks than other biometrics
Its accuracy is challenged by low-quality capture devices, ambient noise, channel distortion and so on
Temporal drift: the voice changes over time
The large size of the template limits the number of potential applications.
EXAMPLE QUESTIONS
A natural recognition capability for a human being is known as?
AUTHENTICATION
T or F: Verification answers "who am I?"
FALSE
Authentication can be based on the following concepts:
Possession
Biometrics
Knowledge
What is not a problem for possession-based authentication compared to knowledge-based?
No need to remember a password
A major drawback of knowledge-based authentication?
Can be guessed by impostors
Which of these options is not a biological characteristic: gait, hand geometry, face, fingerprint?
Gait
T/F: In biometric authentication no human is involved in the authentication process
True
What is meant by non-repudiation in biometric system authentication?
Access is linked to a person
What is a predecessor to modern biometric systems/technology?
Anthropometry
Which of the following is not a criterion for biometric features: accessibility, permanence, circumvention, universality?
Universality (note: the criteria list above includes all four, so check this answer against the lecture)
List the 5 basic functions of biometric systems in order:
Capture, Process, Enrollment, Identification, Verification
Verification is considered one-to-many, T/F?
False
Identification asks "Am I who I claim to be?", T/F
False
What is convergence in relation to biometric technology in support of identification and access control?
Formal cooperation between at least 2 separate security functions
A key selling point of integrating biometric technology in access control/time and attendance measures is?
Clear return on investment
Convergence allows for?
Streamlined provisioning, shared credentials, common security policies
The contact smart card ISO standard (7816-2) defines how many contacts?
8
Of the contacts defined by ISO 7816-2, how many are actually used?
6
A chip OS is required for smart card technology to ensure?
Data access and functionality
When implementing a biometric solution, when do you consider a smart card?
When the security and confidentiality of the record are important
What is not an advantage of smart card technology?
Scalability of the solution
Smart cards under development can do all the processing on the card, T/F?
True