SECURE

COMPUTING

The Biometric Dilemma


Rick Smith, Ph.D., CISSP rick_smith@securecomputing.com 28 October 2001

July 2002

R. Smith - Biometric Dilemma

Outline

- Biometrics: Why, How, How Strong
  - Attacks, FAR, FRR, Resisting trial-and-error
- Server-based Biometrics
  - Attacking a biometric server
  - Digital spoofing, privacy intrusion, latent print reactivation
- Token-based Biometrics
  - Physical spoofing
  - Voluntary and involuntary spoofing
- Summary

Biometrics: Why?

- Eliminate memorization
  - Users don't have to memorize features of their voice, face, eyes, or fingerprints
- Eliminate misplaced tokens
  - Users won't forget to bring fingerprints to work
- Can't be delegated
  - Users can't lend fingers or faces to someone else
- Often unique
  - Save money and maintain database integrity by eliminating duplicate enrollments

The Dilemma

- They always look stronger and easier to use than they are in practice
- Enrollment is difficult
  - Easy enrollment = unreliable authentication
  - Measures to prevent digital spoofing make even more work for administrators, almost a double enrollment process
- Physical spoofing is easier than we'd like
  - Recent examples with fingerprint scanners, face scanners

Biometrics: How?

From Authentication 2002. Used by permission

- Measure a physical trait
  - The user's fingerprint, hand, eye, face
- Measure user behavior
  - The user's voice, written signature, or keystrokes

Biometrics: How Strong?

Three types of attacks

- Trial-and-error attack
  - Classic way of measuring biometric strength
- Digital spoofing
  - Transmit a digital pattern that mimics that of a legitimate user's biometric signature
  - Similar to password sniffing and replay
  - Biometrics can't prevent such attacks by themselves
- Physical spoofing
  - Present a biometric sensor with an image that mimics the appearance of a legitimate user

Biometric Trial-and-Error

- How many trials are needed to achieve a 50-50 chance of producing a matching reading?
- Typical objective: 1 in 1,000,000 (2^19)
  - Some systems achieve this, but most aren't that accurate in practical settings
- Team-based attack
  - A group of individuals take turns pretending to be a legitimate user (5 people x 10 fingers = 50 fingers)

Passwords: A Baseline

Example                            Type of Attack            Average Attack Space
Random 8-character Unix password   Interactive or Off-Line   2^45
Dictionary Attack                  Interactive or Off-Line   2^15 to 2^23
Mouse Pad Search                   Interactive               2^1 to 2^4
Worst Case                                                   2^1

Biometric Authentication

- Compares user's signature to previously established pattern built from that trait
- Biometric pattern file instead of password file
- Matching is always approximate, never exact

From Authentication 2002. Used by permission

Pattern Matching

From Authentication 2002. Used by permission

We compare how closely a signature matches one user's pattern versus another's pattern

Matching Self vs. Others

From Authentication 2002. Used by permission

Matching in Practice

From Authentication 2002. Used by permission

FAR = recognized Bob instead; FRR = doesn't recognize me



Measurement Trade-Offs

- We must balance the FAR and the FRR
- Lower FAR = Fewer successful attacks
  - Less tolerant of close matches by attackers
  - Also less tolerant of authentic matches
  - Therefore increases the FRR
- Lower FRR = Easier to use
  - Recognizes a legitimate user the first time
  - More tolerant of poor matches
  - Also more tolerant of matches by attackers
  - Therefore increases the FAR
- Equal error rate = point where FAR = FRR



Trial and Error in Practice


Example                           Type of Attack   Average Attack Space
Biometric with 1% FAR             Team             2^6
Biometric with 0.01% FAR          Team             2^12
Biometric with One in a million   Team             2^19

- Higher security means more mistakes
  - When we reduce the FAR, we increase the FRR
  - More picky about signatures from legitimate users, too
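
The FAR/FRR trade-off and the attack-space figures above, worked through on constructed match scores. This is an added example, not part of the original slides; the score distributions, the accept-if-score-at-or-above-threshold rule and all function names are assumptions. The "half of 1/FAR" approximation is also an assumption, chosen because it rounds to the 2^6, 2^12 and 2^19 shown in the table.

```python
import math
import random

def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a match score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def attack_space_bits(far):
    """Average attack space in bits: roughly half of the 1/FAR possible
    readings must be tried for a 50-50 chance of a false accept."""
    return math.inf if far == 0 else math.log2(1 / (2 * far))

def team_success(far, readings):
    """Chance that at least one of `readings` independent impostor
    readings (e.g. 5 people x 10 fingers) is falsely accepted."""
    return 1 - (1 - far) ** readings

def equal_error_rate(genuine, impostor, steps=200):
    """Sweep thresholds in [0, 1]; return (threshold, FAR, FRR) at the
    point where FAR and FRR are closest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best

def clamp(x):
    return min(1.0, max(0.0, x))

# Constructed match scores, not measured data: legitimate users score
# high against their own pattern, other people score low.
_rng = random.Random(2002)
GENUINE = [clamp(_rng.gauss(0.75, 0.10)) for _ in range(5000)]
IMPOSTOR = [clamp(_rng.gauss(0.35, 0.10)) for _ in range(5000)]

if __name__ == "__main__":
    for t in (0.50, 0.55, 0.60, 0.65):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR {far:.2%}  FRR {frr:.2%}  "
              f"attack space 2^{attack_space_bits(far):.1f}")
    print("equal error rate near threshold %.3f" % equal_error_rate(GENUINE, IMPOSTOR)[0])
    print(f"50 fingers against a 1% FAR: {team_success(0.01, 50):.1%} chance of a false accept")
```

Raising the threshold buys attack-space bits only by rejecting more legitimate readings, which is the trade-off the slide describes.
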

Biometric Enrollment

- How it works
  - User provides one or more biometric readings
  - The system converts each reading into a signature
  - The system constructs the pattern from those signatures
- Problems with biometric enrollment
  - It's hard to reliably pre-enroll users
  - Users must provide biometric readings interactively
- Accuracy is time-consuming
  - Take trial readings, build tentative patterns, try them out
  - Take more readings to refine patterns
  - Higher accuracy requires more trial readings

Compare with Password or Token Enrollment

- Modern systems allow users to self-enroll
  - User enters some personal authentication information
  - Establish a user name
  - Establish a password: system generated or user chosen
  - Establish a token: enter its serial number
- Password enrollment is comparatively simple
- Tokens require a database associating serial numbers with individual authentication tokens
  - Database is generated by token's manufacturer
  - Enrollment system uses it to establish user account
  - Token's PIN is managed by the end user

Biometric Privacy

- The biometric pattern acts like a password
- But biometrics are not secrets
- Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
- Users can't change biometrics if someone makes a copy
- We can trace people by following their biometrics as they're saved in databases

Server-based biometrics

- Boring but important
- Some biometric systems require servers
  - When you need a central repository
  - Identification systems (FBI's AFIS)
  - Uniqueness systems (community social service orgs)

From Authentication 2002. Used by permission

Attacking Server Biometrics

From Authentication 2002. Used by permission

Attacks on Server Traffic

- Attack on privacy of a user's biometrics
  - Defense = encryption while traversing the network
- Attack by spoofing a digital biometric reading
  - Defense = authenticating legitimate biometric readers
- Both solutions rely on trusted biometric readers

From Authentication 2002. Used by permission

Trusted Biometric Reader

- Blocks either type of attack on server traffic
- Security objective: reliable data collection
- Must embed a cryptographic secret in every trusted reader
  - Increased development cost
  - Increased administrative cost: administrators must keep the readers' keys safe and up-to-date
- Must enroll both users and trusted readers
  - Double enrollment
  - Database of device keys from biometric vendor
  - One device per workstation is often like one per user
  - Standard tokens are traditionally lower-cost devices
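
One way a server can authenticate readings from enrolled readers, shown as an added example that is not from the original slides or any vendor's product. The HMAC-over-nonce construction, the class and method names and the reader IDs are assumptions; encryption of the reading in transit (the privacy defense) and key provisioning are left out.

```python
import hashlib
import hmac
import secrets

def _tag(key, nonce, reading):
    # The nonce has a fixed length, so nonce + reading is unambiguous.
    return hmac.new(key, nonce + reading, hashlib.sha256).digest()

class TrustedReader:
    """Reader with an embedded secret (assumed provisioned by the vendor)."""
    def __init__(self, reader_id, key):
        self.reader_id, self._key = reader_id, key

    def submit(self, nonce, reading):
        return self.reader_id, reading, _tag(self._key, nonce, reading)

class BiometricServer:
    """Accepts a reading only from an enrolled reader answering a fresh nonce.
    Matching the reading against the user's pattern would happen afterwards."""
    def __init__(self, device_keys):
        self._keys = dict(device_keys)   # reader enrollment: reader_id -> key
        self._pending = {}               # reader_id -> outstanding nonce

    def challenge(self, reader_id):
        self._pending[reader_id] = secrets.token_bytes(16)
        return self._pending[reader_id]

    def accept_reading(self, reader_id, reading, tag):
        key = self._keys.get(reader_id)
        nonce = self._pending.pop(reader_id, None)   # each nonce is single-use
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(_tag(key, nonce, reading), tag)

def demo():
    key = secrets.token_bytes(32)                    # constructed device key
    server = BiometricServer({"reader-01": key})
    reader = TrustedReader("reader-01", key)
    reading = b"constructed biometric signature"     # stand-in for sensor output

    captured = reader.submit(server.challenge("reader-01"), reading)
    from_reader = server.accept_reading(*captured)

    server.challenge("reader-01")                    # new login attempt
    replayed = server.accept_reading(*captured)      # old message, new nonce

    rogue = TrustedReader("reader-99", secrets.token_bytes(32))
    unenrolled = server.accept_reading(*rogue.submit(server.challenge("reader-99"), reading))
    return from_reader, replayed, unenrolled
```

The `device_keys` table is the second enrollment database the slide mentions: every reader needs an entry before any user can log in through it.
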

Another Server Attack

- Experiments in the US and Germany
  - Willis and Lee of Network Computing Labs, 1998
    - Reported in "Six Biometric Devices Point The Finger At Security" in Network Computing, 1 June 1998
  - Thalheim, Krissler, and Ziegler, 2002
    - Reported in "Body Check," c't (Germany)
    - http://www.heise.de/ct/english/02/11/114/
- Attack on capacitive fingerprint sensors
  - Measures change in capacitance due to presence or absence of material with skin-like response
  - 65Kb sensor collects ~20 minutiae from fingerprint
  - Traditional techniques use 10-12 for identification
- Attack exploits the fatty oils left over from the last user logon

Latent Finger Reactivation

Three techniques

- Oil vs. non-oil regions return difference as humidity increases

1. Breathe on the sensor (Thalheim, et al)
   - You can watch the print reappear as a biometric image
   - Works occasionally
2. Use a thin-walled plastic bag of warm water
   - More effective, but not 100%
   - Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al)
   - Attach clear tape to the dust
   - Press down on the sensor
   - Most reliable technique: almost 100% success rate (Thalheim)

This Shouldn't Work

- According to Siemens, vendor of the "ID Mouse" used in those examples
  - Authentication procedure remembers the last fingerprint used
  - System rejects a match that's too close to the last reading as well as a match that's too far from the pattern
- Observations
  1. Defense didn't work in these experiments
  2. Tape can be repositioned to create a different reading
  3. Hard to track through multiple biometric readers
     - Assume the user logs in at multiple locations over time
     - Then the latent image on some reader is not the most recent one accepted for login
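
The two-sided check described above and the gap noted in observation 3, as an added example (not Siemens' code and not from the original slides). The Euclidean distance, both thresholds, the feature vectors and the `history_size` parameter are assumptions made for illustration.

```python
import math

MATCH_MAX = 0.30    # assumed: farther than this from the pattern is a non-match
REPLAY_MIN = 0.02   # assumed: closer than this to a stored reading is a suspected replay

class Verifier:
    """Server-side check for one user; readings are feature vectors."""

    def __init__(self, pattern, history_size=1):
        self.pattern = pattern
        self.history_size = history_size   # 1 = remember only the last fingerprint used
        self.accepted = []                 # accepted readings, newest last

    def verify(self, reading):
        if math.dist(reading, self.pattern) > MATCH_MAX:
            return "reject: too far from pattern"
        if any(math.dist(reading, old) < REPLAY_MIN for old in self.accepted):
            return "reject: too close to an earlier reading"
        self.accepted = (self.accepted + [reading])[-self.history_size:]
        return "accept"

# Constructed feature vectors, not real minutiae data.
PATTERN = (0.50, 0.50, 0.50)
LOGIN_AT_READER_A = (0.52, 0.47, 0.55)
LOGIN_AT_READER_B = (0.45, 0.53, 0.49)
LATENT_ON_READER_A = (0.521, 0.471, 0.549)   # near-copy of the reader A login
STRANGER = (0.90, 0.10, 0.20)

def scenario(history_size):
    """Log in at reader A, then at reader B, then present the stale
    reader A reading again, then an unrelated finger."""
    v = Verifier(PATTERN, history_size)
    return [v.verify(r) for r in (LOGIN_AT_READER_A, LOGIN_AT_READER_B,
                                  LATENT_ON_READER_A, STRANGER)]

if __name__ == "__main__":
    print("last reading only:", scenario(1))
    print("history of 10:    ", scenario(10))
```

With only the last reading remembered, the stale reader A reading is accepted because the most recent login happened at reader B; a longer history catches it. Observation 2 still applies: a repositioned tape yields a reading that is not close to any stored one.
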

What about Active Biometric Authentication?

- Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates dynamic information uniquely associated with the user
- Possible techniques
  - Require any sort of non-static input that matches the built-in pattern
    - Moving the finger around on the fingerprint reader
  - Challenge response that demands an unpredictable reply
    - Voice recognition that demands reciting an unpredictable phrase
- Both are vulnerable to a dynamic digital attack based on a copy of the user's biometric pattern
- Ease of use issue
  - Requires more complex user behavior, which makes it harder to use and less reliable

Attacking Active Biometrics

- A feasible dynamic attack uses the system's algorithms to generate an acceptable signature
- Example
  - Attacker collects enough biometric samples from the victim to build a plausible copy of victim's biometric pattern
  - During login, attacker is prompted for a spoken phrase from the victim
  - Attack software generates a digital message based on the user's biometric pattern
  - There may be a sequence of timed messages or a single message; it doesn't matter
- If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

Token-Based Biometrics

From Authentication 2002. Used by permission

Authenticate with biometric + embedded secret



Token Technology

From Authentication 2002. Used by permission

Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.

Tokens Resist Trial-and-Error Attacks


Example                    Type of Attack            Average Attack Space
Reusable Passwords         Interactive or Off-Line   2^1 to 2^45
Biometrics                 Team                      2^6 to 2^19
One-Time Password Tokens   Interactive or Off-Line   2^19 to 2^63
Public Key Tokens          Off-Line                  2^63 to 2^116

These numbers assume that the attacker has not managed to steal a token

Biometric Token Operation

- The real authentication is based on a secret embedded in the token
- The biometric reading simply unlocks that secret
- Benefits
  - User retains control of own biometric pattern
  - Biometric signatures don't traverse networks
- Problems
  - Biometric tokens cost more
  - Less space and cost for the biometric reader
- The biometric serves as a PIN



Attacks on Biometric Tokens

- If you can trick the reader, you can probably trick the token
- Digital spoofing shouldn't work
  - We've eliminated the vulnerable data path
- Latent print reactivation (remember?)
  - Tokens should be able to detect and reject such attacks
- Attacks by cloning the biometric artifact
  - Voluntary cloning (the authorized user is an accomplice)
  - Involuntary cloning (the authorized user is unaware)

Voluntary finger cloning

1. Select the casting material
   - Option: softened, free molding plastic (used by Matsumoto)
   - Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
   - Option: gelatin ("gummy fingers" used by Matsumoto)
   - Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden

You're Done!

Matsumoto's Technique

Only a few dollars' worth of materials



Making the Actual Clone

You can place the "gummy finger" over your real finger. Observers aren't likely to detect it when you use it on a fingerprint reader. (Matsumoto)

Involuntary Cloning

- The stuff of Hollywood: three examples
  - Sneakers (1992): "My voice is my password"
  - Never Say Never Again (1983): cloned retina
  - Charlie's Angels (2000)
    - Fingerprints from beer bottles
    - Eye scan from oom-pah laser
- You clone the biometric without victim's knowledge or intentional assistance
- Bad news: it works!

Cloned Face

- More work by Thalheim, Krissler, and Ziegler
  - Reported in "Body Check," c't (Germany)
  - http://www.heise.de/ct/english/02/11/114/
- Show the camera a photograph or video clip instead of the real face
  - Video clip required to defeat dynamic biometric checks
- Photo was taken without the victim's assistance (video possible, too)
- Face recognition was fooled
  - Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera

Matsumoto's 2nd Technique

Cloning a fingerprint from a latent print

1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface
2. Pick it up using tape and graphite
3. Scan it into a computer at high resolution
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material
6. Use the PCB as a mold for a gummy finger

Making a Gummy Finger from a Latent Print

From Matsumoto, ITU-T Workshop

The Latent Print Dilemma

- Tokens tend to be smooth objects of metal or plastic, materials that hold latent prints well
- Can an attacker steal a token, lift the owner's latent prints from it, and construct a working clone of the owner's fingerprint?
- Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?
  - Answer: in some cases, YES.

Finger Cloning Effectiveness

- Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
- Thalheim et al could trick both capacitive and optical sensors with cloned fingers
  - Products from Siemens, Cherry, Eutron, Veridicom
  - Latent image reactivation only worked on capacitive sensors, not on optical ones
- Matsumoto tested 11 capacitive and optical sensors
  - Cloned fingers tricked all of them
  - Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica

Summary

- Traditional FAR and FRR statistics don't tell the whole story about biometric vulnerabilities
- Networked biometrics require trusted readers that pose extra administrative headaches
- We can build physical clones of biometric features that spoof biometric readers
  - Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint
- We can often build clones without the legitimate user's intentional participation

Thank You!
Questions? Comments?
My e-mail: Rick_Smith@securecomputing.com
http://www.visi.com/crypto
http://www.securecomputing.com