July 2002
SECURE
COMPUTING
Outline
Summary
July 2002 R. Smith - Biometric Dilemma 2
Biometrics: Why?
Eliminate memorization
Users don't have to memorize features of their voice, face, eyes, or fingerprints
Can't be delegated
Users can't lend fingers or faces to someone else
Often unique
Save money and maintain database integrity by eliminating duplicate enrollments
The Dilemma
They always look stronger and easier to use than they are in practice
Enrollment is difficult
Easy enrollment = unreliable authentication
Measures to prevent digital spoofing make even more work for administrators, almost a double enrollment process
Biometrics: How?
From Authentication 2002. Used by permission
Digital spoofing
Transmit a digital pattern that mimics that of a legitimate user's biometric signature
Similar to password sniffing and replay
Biometrics can't prevent such attacks by themselves
Physical spoofing
Present a biometric sensor with an image that mimics the appearance of a legitimate user
Biometric Trial-and-Error
How many trials are needed to achieve a 50-50 chance of producing a matching reading?
Typical objective: 1 in 1,000,000 (2^19)
Some systems achieve this, but most aren't that accurate in practical settings
Team-based attack
A group of individuals take turns pretending to be a legitimate user (5 people x 10 fingers = 50 fingers)
Passwords: A Baseline
Example | Type of Attack | Average Attack Space
Random 8-character Unix password | Interactive or Off-Line | 2^45
Dictionary Attack | Interactive or Off-Line | 2^15 to 2^23
Mouse Pad Search | Interactive | 2^1 to 2^4
Worst Case | | 2^1
Biometric Authentication
Compares user's signature to previously established pattern built from that trait
Biometric pattern file instead of password file
Matching is always approximate, never exact
Pattern Matching
We compare how closely a signature matches one user's pattern versus another's pattern
Matching in Practice
Measurement Trade-Offs
We must balance the FAR and the FRR
Lower FAR = Fewer successful attacks
Less tolerant of close matches by attackers
Also less tolerant of authentic matches
Therefore increases the FRR
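The trade-off above and the earlier trial-and-error question, worked through as an added example that is not from the original slides. The score lists are constructed, the function names are assumptions, and trials are treated as independent attempts that each succeed with probability equal to the FAR.

```python
import math

# Constructed match scores (0-100, higher = closer match); not measured data.
GENUINE = [62, 71, 75, 78, 80, 82, 84, 85, 87, 88,
           90, 91, 92, 93, 95, 96, 97, 98, 99, 99]
IMPOSTOR = [5, 9, 12, 15, 18, 21, 24, 27, 30, 33,
            36, 40, 44, 48, 52, 57, 63, 68, 74, 81]


def rates(threshold):
    """Return (FAR, FRR) when readings scoring >= threshold are accepted."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)
    return far, frr


def trials_for_even_odds(far):
    """Independent attempts needed for a 50% chance of one false accept."""
    if far <= 0:
        return math.inf
    if far >= 1:
        return 1
    return math.ceil(math.log(0.5) / math.log1p(-far))


def team_success(far, people=5, fingers_each=10):
    """Chance that at least one finger of a team is falsely accepted."""
    return 1.0 - (1.0 - far) ** (people * fingers_each)


if __name__ == "__main__":
    # Raising the threshold lowers the FAR and raises the FRR.
    for t in (60, 70, 80, 90):
        far, frr = rates(t)
        print(f"threshold {t}: FAR {far:.2f}  FRR {frr:.2f}  "
              f"even-odds trials {trials_for_even_odds(far)}")
    n = trials_for_even_odds(1e-6)
    print(f"1 in 1,000,000 FAR: {n} trials, about 2^{round(math.log2(n))}")
    print(f"50 fingers at 1% FAR: {team_success(0.01):.1%} chance")
```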
Example
Biometric with 1% FAR
Biometric with 0.01% FAR
Biometric with One in a million
Biometric Enrollment
How it works
User provides one or more biometric readings
The system converts each reading into a signature
The system constructs the pattern from those signatures
Password enrollment is comparatively simple
Tokens require a database associating serial numbers with individual authentication tokens
Database is generated by token's manufacturer
Enrollment system uses it to establish user account
Token's PIN is managed by the end user
Biometric Privacy
The biometric pattern acts like a password
But biometrics are not secrets
Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
Users can't change biometrics if someone makes a copy
We can trace people by following their biometrics as they're saved in databases
Server-based biometrics
Blocks either type of attack on server traffic
Security objective: reliable data collection
Must embed a cryptographic secret in every trusted reader
Increased development cost
Increased administrative cost: administrators must keep the readers' keys safe and up-to-date
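One way a trusted reader can use its embedded secret, shown as an added example that is not from the original slides: the server issues a one-time challenge and the reader returns an HMAC over the challenge and the signature. The class names, message layout and choice of HMAC-SHA256 are assumptions; the slides do not specify a protocol, and this sketch authenticates the reading without encrypting it.

```python
import hashlib
import hmac
import secrets


class Server:
    """Accepts a reading only from a reader holding a provisioned key."""

    def __init__(self, reader_keys):
        self.reader_keys = reader_keys      # reader_id -> embedded secret
        self.pending = set()                # challenges issued, not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, reader_id, nonce, signature, tag):
        key = self.reader_keys.get(reader_id)
        if key is None or nonce not in self.pending:
            return False                    # unknown reader or replayed nonce
        self.pending.discard(nonce)         # each challenge is single-use
        expected = hmac.new(key, nonce + signature, hashlib.sha256).digest()
        # Pattern matching of `signature` would follow a successful check.
        return hmac.compare_digest(expected, tag)


class TrustedReader:
    def __init__(self, reader_id, key):
        self.reader_id, self._key = reader_id, key

    def submit(self, nonce, signature):
        tag = hmac.new(self._key, nonce + signature, hashlib.sha256).digest()
        return self.reader_id, nonce, signature, tag


def demo():
    key = secrets.token_bytes(32)           # per-reader key the admin must protect
    server = Server({"reader-01": key})
    reader = TrustedReader("reader-01", key)
    reading = b"constructed-biometric-signature"   # constructed sample value
    msg = reader.submit(server.challenge(), reading)
    first = server.accept(*msg)             # genuine reader, fresh challenge
    replay = server.accept(*msg)            # same message presented again
    nonce = server.challenge()              # sender has a pattern but no key
    forged = server.accept("reader-01", nonce, reading, bytes(32))
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```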
Attack exploits the fatty oils left over from the last user logon
Three techniques
Oil vs. non-oil regions return difference as humidity increases
Observations
1. Defense didn't work in these experiments
2. Tape can be repositioned to create a different reading
3. Hard to track through multiple biometric readers
Assume the user logs in at multiple locations over time
Then the latent image on some reader is not the most recent one accepted for login
Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates dynamic information uniquely associated with the user
Possible techniques
Require any sort of non-static input that matches the built-in pattern
Moving the finger around on the fingerprint reader
Challenge response that demands an unpredictable reply
Voice recognition that demands reciting an unpredictable phrase
Both are vulnerable to a dynamic digital attack based on a copy of the user's biometric pattern
Ease of use issue
Requires more complex user behavior, which makes it harder to use and less reliable
A feasible dynamic attack uses the system's algorithms to generate an acceptable signature
Example
Attacker collects enough biometric samples from the victim to build a plausible copy of the victim's biometric pattern
During login, attacker is prompted for a spoken phrase from the victim
Attack software generates a digital message based on the user's biometric pattern
There may be a sequence of timed messages or a single message; it doesn't matter
If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker
Token-Based Biometrics
Token Technology
Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.
These numbers assume that the attacker has not managed to steal a token
The real authentication is based on a secret embedded in the token
The biometric reading simply unlocks that secret
Benefits
User retains control of own biometric pattern
Biometric signatures don't traverse networks
Problems
Biometric Tokens cost more
Less space and cost for the biometric reader
If you can trick the reader, you can probably trick the token
Digital spoofing shouldn't work
We've eliminated the vulnerable data path
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
Option: gelatin ("gummy fingers" used by Matsumoto)
Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden
You're Done!
Matsumoto's Technique
You can place the gummy finger over your real finger. Observers aren't likely to detect it when you use it on a fingerprint reader. (Matsumoto)
Involuntary Cloning
You clone the biometric without the victim's knowledge or intentional assistance
Bad news: it works!
Cloned Face
Show the camera a photograph or video clip instead of the real face
Video clip required to defeat dynamic biometric checks
Photo was taken without the victim's assistance (video possible, too)
Face recognition was fooled
Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera
Cloning a fingerprint from a latent print
1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface
2. Pick it up using tape and graphite
3. Scan it into a computer at high resolution
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material
6. Use the PCB as a mold for a gummy finger
Tokens tend to be smooth objects of metal or plastic materials that hold latent prints well
Can an attacker steal a token, lift the owner's latent prints from it, and construct a working clone of the owner's fingerprint?
Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?
Answer: in some cases, YES.
Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
Thalheim et al. could trick both capacitive and optical sensors with cloned fingers
Products from Siemens, Cherry, Eutron, Veridicom
Latent image reactivation only worked on capacitive sensors, not on optical ones
Summary
Traditional FAR and FRR statistics don't tell the whole story about biometric vulnerabilities
Networked biometrics require trusted readers that pose extra administrative headaches
We can build physical clones of biometric features that spoof biometric readers
Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint
We can often build clones without the legitimate user's intentional participation
Thank You!
Questions? Comments?
My e-mail: Rick_Smith@securecomputing.com
http://www.visi.com/crypto
http://www.securecomputing.com