Biometric Fingerprinting

1
Biometric Fingerprinting

• by Yevgeniy Markman
• CSC 650

2
Overview

• What is Biometrics?
• How does Biometric Fingerprinting work?
• Flaws in Biometric Fingerprinting.

3
Biometrics

• Derived from the Greek words bios meaning life
  and metron meaning measure.
• It is the science and technology of
  authentication by measuring the subject persons
  physiological or behavioral features.

4
Why use Biometrics?

• When compared to conventional authentication
  methods (such as ID cards or passwords)
• Its more convenient Dont have to worry about
  forgetting a password or losing a card.
• Much more secure Unlike guessing a password, or
  stealing an ID card, forging a physical feature
  (like a thumb print) is much more difficult.

5
Why choose fingerprinting?

• Fingerprints are the most widely used and have
  the longest history in real world law enforcement
  applications.
• Fingerprints are proven to be permanent and
  unique.
• Highly accurate identification software is
  currently available even for personal computers.
• Fingerprint sensors can be made super thin and
  small.
• Can be easily implemented on small computers.

6
How does it work?

• A fingerprint-based authentication system
  operates in two modes
• 1) Enrollment a fingerprint is scanned and is
  stored in a database as a template.
• 2) Authentication a fingerprint is scanned and
  is compared to the template in the database if
  they match, access is granted.

7
Enrollment Process

• Fingerprint sensor acquires a fingerprint
  image.
• 2. Features extractor extracts relevant
  features.
• The extracted features (a.k.a. template) along
  with users information is stored in a database.

8
Authentication Process

• System captures the fingerprint image.
• Extracts features.
• Attempts to match the input features to the
  template features in the database.
• If the similarity score is greater than the
  predetermined minimum, access is granted.

9
Enrollment / Authentication
10
Points of Vulnerability
11
Vulnerability Points

• Presenting fake biometrics at the sensor (such as
  a fake finger).

12
Vulnerability Points

• 2. Resubmitting previously stored digitalized
  biometrics signal (presenting an old copy of a
  finger print.

13
Vulnerability Points

• 3. Overriding the feature extraction process
  (feature extractor is attacked by Trojan horse
  and produces feature sets selected by intruder).

14
Vulnerability Points

• 4. The features extracted from the input signal
  are replaced with a fraudulent feature set. Only
  probable if the matcher is at a remote location.

15
Vulnerability Points

• 5. The matcher is attacked and corrupted so that
  it produces positive match scores.

16
Vulnerability Points

• 6. Tampering with stored templates hacker could
  try to modify templates to allow or disallow
  access.

17
Vulnerability Points

• 7. Attacking the channel between the stored
  templates and the matcher, resulting in modified
  templates as in Vul.Point 6.

18
Vulnerability Points

• 8. Overriding the final decision.

19
Protection Against Vulnerabilities

• Encrypted communication channels can eliminate
  remote attacks at point 4.
• Keeping the matcher and the database in a secure
  location can eliminate attacks at points 5, 6,
  and 7.
• Using cryptography can prevent attacks at point
  8.

20
Sensor Attacks

• Registered finger
• A legitimate user can be forced to press his
  finger against the sensor.
• An intruder can drug the legitimate user and use
  their finger.
• An intruder can detach the finger from the
  legitimate users body.
• Can be prevented by combining fingerprint scanner
  with PIN, password, or ID card.
• Could also have some kind of secret alarm to
  signal for help.
• Could also use two-persons control.

21
Sensor Attacks

• Other
• Can use residual fingerprint on the sensor
  surface to reactivate the fingerprint.
• Can be done by breathing on the sensors surface
  and placing a thing-walled, water-filled plastic
  bag on the sensors surface.
• Can also be done by dusting graphite powder and
  then pressing an adhesive film on the sensors
  surface.
• If using an optical sensor, add halogen lamp.
• To protect against attacks using reactivation of
  a latent fingerprint, use a sweeping sensor
  instead of an area sensor.

22
Sweeping Sensor
23
Sensor Attacks

• Twins fingerprint
• Fingerprints of identical twins are very similar
• If the matching algorithm is not complex enough,
  it is possible to gain access.
• Artificial fingerprint
• Made to imitate a real (living) fingerprint.
• Can be made out of gelatin, silicone, play-doh,
  clay, etc
• Two ways to make Directly make a mold of the
  finger, or use residual fingerprints to produce
  artificial fingerprints.
• Can be prevented using liveness detection.

24
Liveness Detection

• Ideally, liveness detection has two
  responsibilities
• Make sure the biometric sample being presented is
  alive.
• Make sure the biometric sample belongs to the
  live human being who was originally enrolled in
  the system (not just to any live human being).

25
Liveness Detection

• In regards to fingerprinting, liveness detection
  can be done in two ways.
• Using extra hardware to acquire life signs.
• Using the information already captured by the
  system to detect life signs.

26
Extra Hardware

• Using extra hardware, we can perform various
  test on the subject to detect liveliness.
• Temperature
• Can measure temperature of the epidermis (outer
  skin of finger).
• Average temperature is about 26-30oC, but when
  using a thin silicone artificial fingerprint, the
  result is decreased by a maximum of 2oC.
• Obviously, its not hard to bring an artificial
  fingerprint into working margins of the sensor.

27
Extra Hardware

• Optical Properties
• Can use optical properties of human skin to
  contrast other material.
• Properties such as absorption, reflection,
  scattering, and refraction under different
  lighting conditions (such as red, blue, green,
  infrared, laser lights).
• Unfortunately, gelatin artificial fingerprints
  have similar optical properties to human skin.

28
Extra Hardware

• Pulse
• The pulse in the tip of a finger can be detected.
• However, when using a wafer-thin artificial
  fingerprint, the underlying fingers pulse will
  be sensed.

29
Extra Hardware

• Blood Pressure
• Can use blood pressure to detect liveliness.
• The blood pressure device can be fooled by using
  a wafer-thin artificial fingerprint and the
  underlying fingers blood pressure.
• Electric Resistance
• Electric resistance of skin can range from few
  kilo-Ohms to several mega-Ohms depends on
  humidity sweaty or dry fingers.
• The working range is so large that saliva on a
  silicone artificial fingerprint can pass for
  liveliness.

30
Extra Hardware

• Detection Under Epidermis
• The fingerprint pattern is not only found on the
  epidermis, but also between the epidermis (outer
  skin) and the dermis (inner skin).
• Two types of sensors
• Electric Field sensor focuses on the higher
  electric conductivity of the underneath layer.
• Ultrasonic sensor focuses on the fact that
  underlying layer is softer and more flexible.
• These can be fooled by using two-layered
  artificial fingerprint.

31
Using Existing Information

• Skin Deformation
• Focuses on how human skin deforms when pressed
  against a surface.
• But then again, if the artificial fingerprint is
  thin enough, it will behave similarly.
• Pores
• Using high resolution image of the print, detects
  sweat pores (their size and position).
• It is difficult to duplicate exact size and
  position of sweat pores on artificial
  fingerprints but close resembling molds are
  possible.

32
Using Existing Information

• Perspiration
• Based on the detection of perspiration in a time
  progression of fingerprint images.
• Perspiration starts from pores, travels along the
  ridges, making the semi-dry regions between the
  pores moister (darker in the image).
• So far, this method is most effective and no
  known ways of fooling this test yet exist but
  tests are still being done.

33
Fingerprint Conclusion

• Fingerprinting is widely used
• Cheap
• Compact/small/portable
• Other biometric methods are harder to fool,
  however.
• Retinal scans, back-of-the-hand scans, etc.

34
Conclusion

• Biometrics has its advantages over conventional
  authentication methods
• More secure its harder to duplicate a
  fingerprint than it is to guess a password.
• More convenient its attached to you you dont
  have to worry about losing your ID card.
• The downside is that it is attached to you, and
  (unlike a password) you cannot change it or go
  out and get a new one, so if somebody does
  duplicate your fingerprint, thats that.

35
Questions