Biometrics Week 2 Flashcards
What is authentication?
The process of verifying or determining a user’s identity.
A natural recognition capability of human beings.
Automated authentication assigns this task to a machine for greater security, efficiency and convenience.
Authentication can be?
Verification: Am I who I claim to be? (one-to-one)
Or
Identification: Who am I? (one-to-many; e.g., finding a “wolf in sheep’s clothing”)
Authentication can be Based on Different Concepts:
Knowledge
Possession
Biometrics
Any combination of the three
Knowledge Based Authentication
Something you know:
a password, pass-phrase, PIN…
Works reliably only if the secret is not easily guessed or disclosed.
Problem with Knowledge based Approach
Problem:
difficult to remember,
easily guessed by impostors
Can be stolen or forgotten
Can be shared: transferable credentials give only a limited degree of accountability
More than 15% of people are reported to write their PIN on their ATM card
Possession Based Authentication
Something you have:
identity document, a token, a key, a card,..
Solves some of the problems of knowledge-based authentication:
No need to remember a password
Still only a limited degree of accountability, since the credential is transferable
The owner can usually tell when the card or token has been stolen (unlike a disclosed password)
Problem with possession-based approach
Possession could be:
lost,
stolen
shared
misplaced
forgotten
Benefits of Biometrics
Convenient: nothing to lose or remember
Cannot be forgotten or misplaced, and is hard to guess or share (templates can still be stolen and traits spoofed; see Circumvention below)
Non-repudiation: links an access to a person, not to a password or a card
Helps protect against identity theft
Higher perceived degree of security
Security Levels combos:
Know Have Are
Have Are
Know Have
Know
Major Factors Influencing the Adoption of Biometrics
Security
Higher security through non-repudiation
Hard to steal, reproduce or guess
Convenience
Integral and distinctive part of a human being
Set it up once and forget about it
Cost/Technology
Higher return on investment through higher protection
Drop in the price of biometric sensors
The underlying technology is becoming more mature
Products have attained higher level of accuracy and throughput
Why Convergence?
Streamlined Provisioning/de-Provisioning
Single Point of enrollment
Lowered risk of penetration
Ease of Use
Shared Credentials
Reduced Cost
Lowered risk of credential sharing
Common Security Policies
Improved Accountability
Better Audit capability
Policies commensurate with overall corporate objectives
Compliance with Regulatory Processes
Biometrics Based Authentication
Biometrics = bio (life) + metrics (to measure)
Deals with automated methods of verifying or recognizing living persons based on their:
Biological characteristics (e.g., face, fingerprint, iris, hand geometry, retina)
Behavioral characteristics (e.g., signature, gait)
Combined biological and behavioral characteristics (e.g., voice)
No human is involved in the authentication decision
Should run in real time
Criteria for a Biometric Solution to be Applied for Authentication
Universality or Availability
Every person should have the characteristic
Uniqueness or Distinctiveness
Different persons should have different characteristics
Also referred to as discriminatory power
Permanence or Robustness
The characteristic should be time invariant
Should not change with varying operating conditions
Collectability or Accessibility
The characteristic should be measurable quantitatively within reasonable time frame
Performance
It should be practical to collect and measure, and it should give an acceptable identification rate.
Acceptability
Users should not object to having it collected/measured
Circumvention
Should not be too easy to fool (spoof)
Applications of Biometrics Systems
Forensics
Government
Commercial
Taxonomy of uses of Biometrics Systems
Positive identification
Verifies that the submitted sample is from an individual known to the system
e.g., access to a building, access to a mobile device
Negative identification
Verifies that the submitted sample is from an individual not known to the system
e.g., preventing duplicate enrollments in welfare programs
Basic Functions of a Biometric System
Capture
The process of measuring the biometric characteristics of a person using a sensing device
Process
The process of converting the captured biometric features into a numeric representation (template) that can be stored in the database
Enrolment
Registering a person’s biometric template in the database
Identification
One-to-many process: searching the database for the stored template that matches the live template
Verification
One-to-one process: matching a live template against the single stored template of the claimed identity
Voice
Different from speech recognition
Based on the analysis of voice patterns and characteristics such as pitch, tone,..
Voice signal is transformed and digitized
Speaker verification can be:
Text-dependent or text-independent; language-dependent or language-independent
Can be used for authentication over phone
Weaknesses
Background noise (e.g., airports, airplanes)
Voice is affected by the person’s health, emotion, …
It can be mimicked, recorded and replayed
Lengthy enrollment
Attacks:
Tape recordings (replay of a recorded voice)
Identical twins or people who sound alike
Facial Recognition
A very natural process for human beings
Analyze the unique shape, pattern, and position of facial features
Can be based on still or video images
Face biometrics can be applied covertly, and without person’s cooperation
2D Facial Recognition
A template can be created from a standard webcam
There is no contact with a sensor
Can be done from a far distance
Highly affected by lighting, position, eyeglasses, facial expressions
Relies heavily on controlled environment resulting in a high failure rate
Technologies for face recognition
Eigenface approach: appearance-based (the face as a whole)
Feature geometry: feature-based method (positions and distances of facial features)
Neural network
3D Facial Recognition
Uses real-time capture of three-dimensional images of a subject’s face
The uniqueness of the person’s craniofacial structure (skull curvature, …) is extracted and stored as a biometric template
Largely unaffected by lighting, background colors, facial hair or makeup
Uses structured light in near-infrared range where a projector shoots an invisible structured light pattern onto the face, and a video camera records the pattern distorted by the face’s surface geometry
A 3D mesh of the face is created by means of triangulation
Iris Recognition
Measures the features associated with the random texture of the colored part of the eye
Based on visible features, i.e.
rings, furrows, freckles, and the corona
Requires cooperation from the user
Weakness:
fear and discomfort, proprietary acquisition devices.
Highly accurate
Very stable over-lifetime
Works well even with glasses and contact lenses
It can, however, be affected by some diseases such as cataracts.
Iriscode
Uses near-infrared sensors at a distance of 6 inches to 2 ft
Up to 255 distinctive features can be measured; the features and their locations form the IrisCode, which is the stored digital template
The iris image can be captured with a standard CCD camera at a resolution of 512 dpi or higher
Different IrisCodes are compared bit-for-bit with exclusive OR (XOR); the fraction of differing bits (the Hamming distance) is the match score
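The XOR comparison just described, together with the enrol / verify / identify functions listed under “Basic Functions of a Biometric System”, as an added worked example in Python (not part of the original flashcards, and not any real IrisCode implementation): templates are bit strings with a validity mask, codes are compared bit-for-bit with XOR, the fraction of differing valid bits is the Hamming distance, and a small rotation search absorbs head tilt. The 256-bit code length, the 0.32 match threshold and the randomly generated sample irises are assumptions made for the example.

```python
"""Added example: toy iris-code matcher with enrol, verify (1:1) and identify (1:N).
Codes are constructed random bit strings, not real IrisCodes."""
import random
from dataclasses import dataclass
from typing import Dict, Optional

CODE_BITS = 256          # assumption: real IrisCodes are ~2048 bits; shortened here
MATCH_THRESHOLD = 0.32   # assumption: Hamming distance below which two codes match
MAX_SHIFT = 4            # rotation tolerance: cyclic shifts tried in each direction


@dataclass(frozen=True)
class IrisTemplate:
    code: int   # iris texture bits packed into an int
    mask: int   # 1 = bit valid, 0 = occluded by eyelid, lash or reflection


def rotate(bits: int, shift: int) -> int:
    """Cyclic rotation of a CODE_BITS-wide bit string (models a rotated iris image)."""
    shift %= CODE_BITS
    full = (1 << CODE_BITS) - 1
    return ((bits << shift) | (bits >> (CODE_BITS - shift))) & full


def hamming_distance(a: IrisTemplate, b: IrisTemplate) -> float:
    """Fraction of mutually valid bits that differ (XOR), minimised over small rotations."""
    best = 1.0
    for shift in range(-MAX_SHIFT, MAX_SHIFT + 1):
        code_b, mask_b = rotate(b.code, shift), rotate(b.mask, shift)
        valid = a.mask & mask_b                  # only bits both captures actually saw
        n_valid = bin(valid).count("1")
        if n_valid == 0:
            continue
        differing = bin((a.code ^ code_b) & valid).count("1")
        best = min(best, differing / n_valid)    # unrelated irises sit near 0.5
    return best


class IrisDatabase:
    def __init__(self) -> None:
        self._templates: Dict[str, IrisTemplate] = {}

    def enrol(self, user_id: str, template: IrisTemplate) -> None:
        self._templates[user_id] = template

    def verify(self, claimed_id: str, live: IrisTemplate) -> bool:
        """1:1 - match the live template against the one stored for the claimed identity."""
        stored = self._templates.get(claimed_id)
        return stored is not None and hamming_distance(stored, live) < MATCH_THRESHOLD

    def identify(self, live: IrisTemplate) -> Optional[str]:
        """1:N - search all stored templates; return the closest if it is below threshold."""
        best_id, best_d = None, 1.0
        for uid, tmpl in self._templates.items():
            d = hamming_distance(tmpl, live)
            if d < best_d:
                best_id, best_d = uid, d
        return best_id if best_d < MATCH_THRESHOLD else None


def random_template(rng: random.Random) -> IrisTemplate:
    """Constructed enrolment capture: random texture bits, nothing occluded."""
    return IrisTemplate(code=rng.getrandbits(CODE_BITS), mask=(1 << CODE_BITS) - 1)


def noisy_recapture(t: IrisTemplate, rng: random.Random, flip_fraction: float = 0.10,
                    occluded_bits: int = 40, shift: int = 2) -> IrisTemplate:
    """Constructed live capture of the same iris: sensor noise flips some bits, an eyelid
    occludes a run of bits (masked out) and the image is rotated a few positions."""
    code = t.code
    for i in rng.sample(range(CODE_BITS), int(CODE_BITS * flip_fraction)):
        code ^= 1 << i
    mask = t.mask & ~(((1 << occluded_bits) - 1) << 100)
    return IrisTemplate(code=rotate(code, shift), mask=rotate(mask, shift))


def demo(seed: int = 7) -> dict:
    """Enrol five constructed users, then verify/identify a re-capture of user2 and a stranger."""
    rng = random.Random(seed)
    db = IrisDatabase()
    enrolled = {f"user{i}": random_template(rng) for i in range(5)}
    for uid, tmpl in enrolled.items():
        db.enrol(uid, tmpl)
    live_user2 = noisy_recapture(enrolled["user2"], rng)
    stranger = random_template(rng)
    return {
        "genuine_distance": hamming_distance(enrolled["user2"], live_user2),
        "impostor_distance": hamming_distance(enrolled["user4"], live_user2),
        "verify_true_claim": db.verify("user2", live_user2),   # True
        "verify_false_claim": db.verify("user4", live_user2),  # False
        "identify_enrolled": db.identify(live_user2),         # "user2"
        "identify_stranger": db.identify(stranger),           # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mask matters as much as the code: comparing only bits that both captures actually saw is what lets the matcher tolerate eyelids and reflections, and the rotation search is what tolerates head tilt; without either, a genuine re-capture drifts toward the 0.5 distance of a stranger.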
Retina Scan
Based on the vascular structure at the back of the eye:
The pattern of blood vessels that emanate from the optic nerve and spread across the retina is unique to the individual and stable over a lifetime
An infrared light source is shone through the pupil to illuminate the retina
Extremely accurate and secure
No two retinas are the same even for identical twins
It is considered intrusive, it can reveal some medical conditions, such as hypertension
Requires the user to remove eyeglasses
Long capture time, 5-15 s
Most Significant Test Measures of Biometrics Systems
False Matching Rate (FMR)
False Non-Match Rate (FNMR)
Failure to Enroll (FTE)
Equal-Error-Rate (EER)
False Matching Rate (FMR)
Also referred to as False Acceptance Rate (FAR)
The ratio of truly non-matching (impostor) samples that the system nevertheless matches to the total number of impostor tests.
It is the probability that a user making a false claim about her identity will be verified as that false identity.
It usually tells you the strength (security) of the matching algorithm.
False Non-Match Rate (FNMR)
Also referred to as False Rejection Rate (FRR)
The ratio of truly matching (genuine) samples that the system fails to match to the total number of genuine tests.
It is the probability that a user making a true claim about her identity will be rejected.
It usually tells you the accuracy and robustness (usability) of the matching algorithm.
Failure to Enroll (FTE)
It is the probability that a user attempting to enroll biometrically will be unable to.
Vendors usually quote FTE using the statistical “Rule of Three”: if none of n enrollment attempts fails, the true failure rate is at most about 3/n with 95% confidence.
It usually tells you the coverage the biometric system achieves over the population.
Equal-Error-Rate (EER)
The point on the error-rate diagram where the false match rate and the false non-match rate are equal
Can be read from the crossover point of the FRR/FAR curves plotted against the decision threshold, or from the Receiver Operating Characteristic (ROC) curve; a lower EER means a better matcher.
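FMR, FNMR and EER computed from sample data, as an added example in Python that is not part of the original flashcards: genuine and impostor match scores are constructed from two overlapping distributions, FMR and FNMR are swept over the threshold to produce ROC points, the crossing point gives the EER, and a security-driven operating threshold is chosen from a target FMR. The score distributions and the 0.1% FMR target are assumptions made for the example.

```python
"""Added example: FMR, FNMR, ROC points and EER from constructed match-score samples.
Scores are similarities in [0, 1]; a comparison is accepted when score >= threshold."""
import random
from typing import List, Sequence, Tuple


def fmr(impostor_scores: Sequence[float], threshold: float) -> float:
    """False Match Rate (FAR): fraction of impostor comparisons wrongly accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores: Sequence[float], threshold: float) -> float:
    """False Non-Match Rate (FRR): fraction of genuine comparisons wrongly rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def roc_points(genuine: Sequence[float], impostor: Sequence[float],
               steps: int = 1000) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) for thresholds swept over [0, 1]. Plotting FNMR against
    FMR gives the ROC/DET curve; raising the threshold lowers FMR and raises FNMR."""
    return [(i / steps, fmr(impostor, i / steps), fnmr(genuine, i / steps))
            for i in range(steps + 1)]


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Threshold at which FMR and FNMR cross, and the error rate there (the EER)."""
    t, f, n = min(roc_points(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (f + n) / 2


def threshold_for_target_fmr(impostor: Sequence[float], target_fmr: float,
                             steps: int = 1000) -> float:
    """Security-driven operating point: the lowest threshold whose FMR does not exceed
    the target. The FNMR at that threshold is the usability cost of the choice."""
    for i in range(steps + 1):
        if fmr(impostor, i / steps) <= target_fmr:
            return i / steps
    return 1.0


def constructed_scores(seed: int = 42, n: int = 2000) -> Tuple[List[float], List[float]]:
    """Constructed similarity scores (not measured biometric data): genuine comparisons
    cluster high, impostor comparisons cluster low, overlapping enough that neither error
    rate is zero. Means and spreads are assumptions chosen for the example."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.75, 0.08)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.35, 0.10)) for _ in range(n)]
    return genuine, impostor


if __name__ == "__main__":
    gen, imp = constructed_scores()
    t_eer, eer = equal_error_rate(gen, imp)
    print(f"EER {eer:.4f} at threshold {t_eer:.3f}")
    t_sec = threshold_for_target_fmr(imp, 0.001)   # assumption: 0.1% FMR policy target
    print(f"FMR <= 0.1% needs threshold {t_sec:.3f}; FNMR there is {fnmr(gen, t_sec):.4f}")
```

The EER is a single-number summary for comparing matchers, not the threshold to deploy: an access-control system is normally run at a threshold chosen from a target FMR, and the FNMR at that threshold is what users experience.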
What is Convergence?
Formal Cooperation between (at least) two separate security functions
Streamlined Provisioning/de-Provisioning
Shared Authentication Credentials
Common Security Policies
Where is Convergence?
Commercial
Proprietary Enterprise Systems
Federal
FIPS 201/PIV
Standards driven
Open interoperable system
Physical Access Control
Support multi-factor authentication in many combinations
Fingerprint biometrics
Face biometrics
Proximity cards
Smart cards
Personal Identification Numbers (PIN)
Logical Access Control
Multi-factor Authentication: a solution that uses a wide range of strong authentication methods.
Enterprise Network Logon: for desktop and network security.
Enterprise-level Single Sign-On: for Windows and Web applications.
Managed by a robust and extensible Role-Based Access Control policy engine.
Where are Common Credentials/Policies used?
In both physical and logical access control
Benefits – Converged System
Common policies across physical and logical access
Role-based Authorization
Harmonized security privileges
Centralized Enrollment Processes
Similar models for Commercial and Government systems
A range of Authentication Factors can be coordinated
Authentication factors can be “cascaded”
Events can be coordinated
Smart Cards
Card with the capability to store and/or process information for a particular application
Can store financial, personal, and specialized information
Types of smart cards
Memory-only card: no processor;
more storage than a magnetic stripe
Microprocessor: Memory, processor, and co-processor to support cryptography
Driving Factors for the Smart Cards
Declining cost in the price of smart cards
From $15 in the 1980s to a couple of dollars in 2000, to sub-dollar prices now
Fears that magnetic stripe cards can’t provide the necessary security against fraud and security breaches.
Forms of Smart Cards
Smart cards come in two forms:
Contact
Contact-less: may contain its own battery, but most of the time power is supplied by an inductive loop from the reader’s field
Contact Smart cards
Identified by its gold contact plate
The ISO 7816-2 standard defines eight contacts, though only six are actually used:
8 metallic pads on the surface:
Vcc: supply voltage, generally 5 volts (3 V and 1.8 V card classes also exist)
GND: ground reference
RST: reset signal line used to initialize the state of the card (resets the microprocessor)
CLK: clock signal used to drive the logic of the IC
Vpp: high-voltage programming supply that was needed to write EPROM memory (largely obsolete on EEPROM-based cards)
I/O: serial input/output line used to receive commands and exchange data with the outside world
2 × RFU (C4, C8): reserved for future use
Smart Card Hardware
Microprocessor unit (MPU), e.g. a 32-bit RISC core
I/O control: manages the flow of data in/out of the card
RAM: temporary (working) storage
ROM: holds the Chip OS (COS), also called the mask
EEPROM (electrically erasable programmable ROM): application memory,
for persistent application data storage
Chip OS (COS)
A Chip OS is required to:
Manage the flow of data in/out of the card
Manage files
Control access to data and functions
Manage card security
Maintain reliability: interrupts, data consistency, error recovery
A COS can be
General purpose COS for all applications
Dedicated COS for specific applications
No standard COS