Week 5 - Biometrics and Access Control Basics Flashcards
A personal characteristic of a Human Being that is used to verify and confirm the presence of that individual from a previous enrolled sample
biometric verification
A personal characteristic of a Human Being that is used to identify that individual in a population using a set of previously enrolled samples
biometric identification
physiological characteristics
- Fingerprint
- Iris patterns
- Retinal Pattern
- Facial features
- Hand Geometry
- DNA
Behavioral characteristics
traits that are learned or acquired, such as:
- Hand Signature - Keystroke dynamics
Various biometric characteristics are called…
Modalities
Biometric Technologies using multiple characteristics are called…
Multimodal
Biometric Sample / Data
The unprocessed image or recording of a physiological or behavioral characteristic. Sample Types are:
Fingerprint: Fingerprint image
Voice recognition: Voice recording
Facial recognition: Facial Image
Iris recognition: Iris Image . Retina-scan: Retina Image
Hand geometry: 3-D image of top and sides of hand and fingers
Signature verification: Image of signature and record of related dynamics measurements
Keystroke biometrics: Recording of characters typed and record of related dynamics measurements
How does DNA differ as biometric
DNA requires a tangible physical sample as opposed to an impression, image, or recording.
DNA matching is not done in real-time, and currently not all stages of comparison are automated.
DNA matching does not employ templates or feature extraction, but rather represents the comparison of actual samples
Regardless of the above differences, DNA is a type of biometric inasmuch as it is the use of a physiological characteristic to verify or determine identity.
Acquisition Devices
Read, Scan or Collect Data about biological characteristic that is being measured. The output is called the Biometric Sample. (e.g., Fingerprint Sensors or scanners for gathering fingerprints)
Signal Processing Algorithms
Perform a series of quality control activities to improve the quality of the acquired biometric sample
Template Generators
Generate Templates with a standards-based or Proprietary template format using the in-built feature extraction algorithms
Matchers with Matching Algorithms
Compare templates generated from acquired samples (verification template) to existing templates in storage (enrollment template) to generate a score
Compare score against a chosen threshold (Configuration parameter) to arrive at a Match or No-Match decision
Chosen threshold for biometric matching
Configuration parameter
Enrollment Phase Processes
Enrollment Phase (Processes)
- User Submission - Data Capture (Acquisition)
- Image or Signal processing – Feature
Extraction
- Template Generation
- Standardized Templates
Determinants
Used to asses quality of samples
Design Determinant
Quality of Acquired Input Samples
- Better Sensor Design - Better User Interface Design - Standards Compliance
Non-Design Determinant in Biometrics
Improve Quality of Analysis
- Initiating Reacquisition from a user
- Real-time selection of best Sample
- Selective invocation of different processing methods
Feature Extraction
The automated process of locating and encoding distinctive characteristics from a biometric sample in order to generate a template
Closely held secret
Characteristics used in Feature Extraction include:
Fingerprint: Location and direction of ridge endings and ridge bifurcations on fingerprint (called Minutiae points)
Voice recognition: Frequency, cadence and duration of vocal pattern
Facial recognition: Relative position and shape of nose, position of cheekbones
Iris recognition:Furrows and striations in iris
Retina-scan: Blood vessel patterns on retina
Biometric Template
A comparatively small but highly distinctive file derived from the features of a user’s biometric sample or samples, used to perform biometric matches.
When is a template created?
A template is created after a biometric algorithm locates features in a biometric sample
Enrollment templates
created upon the user’s initial interaction with a biometric system, and are stored for usage in future biometric comparisons
Verification templates
generated during subsequent verification attempts, compared to the stored (enrollment) template, and generally discarded after the comparison
Biometric template interoperability
Biometric templates are not interoperable - a template generated in vendor A’s fingerprint system for a person may not match when compared to a template generated in vendor B’s fingerprint system for the same person.
To make the Templates interoperable, ANSI and ISO have developed Standardized formats for templates pertaining to various biometric characteristics.
Two processes in biometric data matching
Identification and Verification
Matching of a single live sample with large number (may be millions) of stored samples is called
Identification or 1-to-n or 1-to-many matching
Matching of a single live sample with a single stored sample is called
Verification or 1-to-1 matching
Biometric Identification
The process of determining a person’s identity by performing matches against multiple biometric templates
Identification systems are designed to determine identity based solely on biometric information
There are two types of identification systems: positive identification and negative identification
Positive Identification
Find a match for a user’s biometric information in a database of biometric information
Negative Identification
Compares 1-to-Many but designed to ensure that a person is not present in a database
Biometric Veification
The process of establishing the validity of a claimed identity by comparing a verification template to an enrollment template.
Biometric Matching
Comparison between the match or verification template (created using submitted sample) with reference or enrollment template that is stored in the database to determine the degree of similarity or correlation
Results in score
Threshold
The threshold is a pre-determined value that limits what is acceptable or not for a system
If the score exceeds the threshold, the result is a match;
When resource has low value, the threshold is set low
Score
A number indicating the degree of similarity or correlation of a biometric match
Technology Evaluation
- Evaluates the performance of the underlying technology
- Evaluates correct matching rates between a combination of Fingerprint Extractors and Fingerprint Matchers
- Give a large sample of known matching pairs and see how well a matcher performs
Scenario Evaluation
Assesses how well a biometric technology works under
a given scenario – Large number of human samples
Biometric System Performance Metrics
False Match Rate (FMR)
False Non-Match Rate (FNMR)
Failure to Enroll (FTE) Rate
False Match Rate (FMR)
The probability that a given user’s verification template will be incorrectly judged to be a match for a different user’s enrollment template.
Also referred to as false acceptance rate
Informally speaking a high FMR will get unauthorized persons IN instead of rejecting them
False Non-Match Rate (FNMR)
The probability that a user’s verification template will be incorrectly judged to not match that same user’s enrollment template
Also referred to as false rejection rate
Keeps the Good Guy OUT
Failure to Enroll (FTE) Rate
The probability that a given user will be unable to enroll in a biometric system due to insufficiently distinctive biometric sample(s) – Any sample collected does not meet the necessary quality criteria
Correlation between Metrics
Decreasing the FMR, or making the system less susceptible to imposters, results in an increased likelihood that legitimate users will be rejected (FNMR)
Decreasing the FTE by allowing a higher percentage of subject to enroll successfully leads to higher FNMR, as users with low-quality biometric samples have an increased presence in the system.
Biometric Data in PIV Program
Ten Fingerprints
Face Image
Images of two fingers (or Irises if not collectable)
IMP-1
Combined plain impression of the four fingers on the right hand (no thumb)
IMP-2
Combined plain impression of the four fingers on the left hand (no thumb)
IMP-3
Combined impression of the two thumbs
Confidentiality
refers to the need to keep information secure and private
Integrity
refers to the concept of protecting information from being improperly altered or modified by unauthorized users
Availability
refers to the notion that information is available for use when needed
Every organization typically has a unique set of requirements that dictate the circumstances and conditions under which users are permitted access to resources. These requirements are called….
access control policies
the third part of an access control system that uses a set of components that work together to bring about policy preserving access (or enforce access control policies) is called…
Access control mechanism
Components of access control mechanism
include access control data for expressing policies and representing attributes, as well as a set of functions for tracking access requests, and for computing and enforcing access decisions over those requests in accordance with policies
access control models
To facilitate building a robust access control mechanism, access control models are used as an intermediary between access control policies and mechanisms. Models help to define policies in a formal way without redundancies and contradictions.
Authorizations are expressed using four basic notions
user, subject, operation and permission
user
a person who interfaces with the computer system
subject
A computer process acting on behalf of a user is referred to as a subject
object
An object can be any resource accessible on a computer system – files, databases, individual records or devices such as printers.
operation
An operation is an active process invoked by a subject (e.g., read, write). A subject can invoke multiple operations (deposit, withdraw in an ATM)
Permissions
Permissions (or privileges) are rights to perform some operation on a given object.
access control matrix
In an access control matrix, the state of an access control system is defined by the triple (S,O,A)
S – set of subjects, O – set of objects and A – access matrix
Rows correspond to subjects (S)
Columns correspond to objects (O)
Each matrix entry A[s,o] is a set of allowed operations (rights)
An access control matrix is an interesting construct but rarely implemented as such in an access control system due to: (a) for a system with large number of users and objects, matrix will become very large and (b) Matrix will be sparsely populated
access control enforcement
The basic function of the access control system is to ensure that only the operations specified by the matrix can be enforced. This basic function is called access control enforcement.
Access Control List (ACL)
In Object or Resource-centric representation (ACL) authorizations are expressed by attaching a list of authorized users and permitted operations (permissions) to each object/ resource.
Capability List
In User or Subject-centric representation (Capability List) authorizations are expressed by attaching a list of objects/resources and allowed operations on those objects/resources for each user or subject. The list thus represents the complete capability possessed by the designated user or subject.
On the other hand, it is difficult to review the subjects that can access a particular object
Biometric Enrollment Processes
- user submission - data capture
- image or signal processing - feature extraction
- Template Generation
- Matching phase
Decreasing the FMR, or making the system less susceptible to imposters, results in
an increased likelihood that legitimate users will be rejected (FNMR)
Decreasing the FTE by allowing a higher percentage of subject to enroll successfully leads to
higher FNMR, as users with low-quality biometric samples have an increased presence in the system.
