Title: CURTAIL ON BIOMETRICS BOOM BY SWETHA VASUDEVAN
1 CURTAIL ON BIOMETRICS BOOM BY
SWETHA VASUDEVAN
2 OVERVIEW
- What is Biometrics?
- Reason behind the Hype over Biometrics.
- Structure of Biometric Systems.
- Internal Factors and External Factors Affecting the Growth of Biometrics.
- Conclusion.
3 WHAT IS BIOMETRICS?
- It is a science of using biological properties to identify individuals [10].
- Divided into two broad categories [3]:
- Physiological
  1. Iris
  2. Finger Print
  3. Hand
  4. Face
  5. Voice
  6. Retina
  7. DNA
  8. Even Odor, Earlobe, Sweat pore, Lips
- Behavioral
  1. Signature
  2. Key Stroke
  3. Voice
  4. Gait
4 Reason Behind the Hype over Biometrics
- After the tragic 9/11 attack, security became the number one priority.
- Biometrics seemed the perfect solution to prevent security fraud, as its main advantage lies in the fact that physical or behavioral traits cannot be transferred to other individuals.
- Even today investments in biometrics are seen as the key investments to stop terrorism and ID theft.
5 STRUCTURE OF BIOMETRIC SYSTEMS
6 BIOMETRIC SYSTEM STAGE ONE: ENROLLMENT
[Diagram: enrollment between CLIENT and SERVER. Labels: End User, Requests to Enroll, Capture Device Sensors, Enrolls User, Feature Extraction, DATA BASE (Template Images, Restricted Files).]
7 STAGE TWO: VERIFICATION PROCESS
[Diagram: verification between CLIENT and SERVER. Labels: End User, Request to access Restricted File, Provides Biometric Sample, Verification Form, Capture Device Sensors, Feature Extraction, Matcher (Submitted Sample, Existing Sample from Data Base), DATA BASE (Template Images, Restricted Files), Decision (No: Access Denied; Yes: Access Granted), List of Secure Files.]
8 Factors that inhibit the growth of the biometric systems [9]
- Internal Factors (BIOMETRIC SYSTEM)
  - User Threats
  - Capture Threats
  - Matcher Threats
  - Storage Threats
  - Retrieval Threats
  - Threats to hardware Components
  - Threats to software Components
  - Network Threats
- External Factors
  - Cultural and Social Issues
  - Costs
  - Legal Issues
  - Privacy Issues
  - Ethical Issues
  - Acceptance
  - Health and Safety Issues
  - Lack of Standards
  - Usability
9 FACTORS INTERNAL TO THE BIOMETRIC SYSTEM
10 Attacks to the biometric systems take place at both the enrollment and the verification stage.
STEP 1
[Diagram: CLIENT and SERVER. Labels: End User, Requests to Access Restricted file, Provides Biometric Sample, Sends Verification Form.]
- User can provide a fake biometric sample. Fake finger prints, static iris images, static facial images are becoming increasingly common.
11 Using a severed finger to fool the biometric system, from the movie The 6th Day [8]
12 How easy is it to prepare a gummy finger?
Free plastic used for finger print mold
Gelatin sheets used for Gummy finger
13 You are now all set to fool the biometric finger print scanners! [7]
14 STEP 2
- Capture devices such as sensors acquire the raw biometric sample.
- The device checks whether the sample is good enough for feature extraction; otherwise it prompts the user to resubmit the sample.
- The sensors can be manipulated by resubmitting previously stored sample information of an authorized user. This attack is commonly known as a Replay Attack.
15 STEP 3
- The feature extraction unit computes various feature values corresponding to the biometric sample provided by the user.
- This unit can be compromised in such a way that it produces feature values selected by the user (attacker).
16 STEP 4
[Diagram labels: Feature Extraction; MATCHER (Submitted Sample, Existing Sample from Data Base).]
- The extracted feature values are fed to the Matcher Unit.
- The Matcher Unit uses certain mathematical principles to compare the pattern extracted from the biometric sample provided with those stored in the templates.
- It delivers a score value for the comparison. For a perfect match the score value would be 100 11
17 STEP 4 Continued
- A user is granted access if this score is greater than a value called the threshold.
- This threshold value is determined and set by the system administrator.
- The Matcher Unit can be compromised to give an artificially high score for a given biometric sample.
18 STEP 5
- The Matcher Unit collects the biometric data already stored in the database for comparison purposes.
- The contents of the database can be modified, can be deleted or new data could be added by the attacker to suit his purpose.
- Thus the database would present the modified data to the matcher unit, enabling it to produce false results.
19 STEP 5 Continued
- Modifications can also be made to the data during transmission from the database to the matcher unit.
- Either way, the matcher unit would eventually receive the modified false data.
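One way for the matcher unit to detect the template modifications described in Step 5, shown as an added Python example that is not part of the original slides: each enrolled template carries an HMAC tag bound to the user ID, and the matcher refuses any record whose tag does not verify. The key, the record layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by the enrollment service and the matcher unit,
# held outside the template database. Constructed value for this example.
MATCHER_KEY = b"constructed-demo-key"


def _tag(user_id, template):
    """HMAC-SHA256 over the user ID and the template feature values."""
    msg = json.dumps({"user": user_id, "template": template}, sort_keys=True)
    return hmac.new(MATCHER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def seal(user_id, template):
    """Enrollment: build the database record with its integrity tag."""
    return {"user": user_id, "template": template, "tag": _tag(user_id, template)}


def load_for_match(record, claimed_user):
    """Matcher: return the template only if the record is unmodified
    and was enrolled for the identity being verified."""
    expected = _tag(claimed_user, record.get("template"))
    if not hmac.compare_digest(expected, str(record.get("tag", ""))):
        raise ValueError("template record failed integrity check")
    return record["template"]


def is_intact(record, claimed_user):
    try:
        load_for_match(record, claimed_user)
        return True
    except ValueError:
        return False


# Constructed records: the feature values are arbitrary sample numbers.
ALICE = seal("alice", [12, 87, 45, 9])
BOB = seal("bob", [33, 2, 71, 60])
MODIFIED = dict(ALICE, template=[33, 2, 71, 60])  # altered in storage or in transit
SWAPPED = dict(BOB, user="alice")                 # another user's record relabelled

if __name__ == "__main__":
    for name, rec in [("original", ALICE), ("modified", MODIFIED), ("swapped", SWAPPED)]:
        print(name, is_intact(rec, "alice"))
```

A tag of this kind does not detect a deleted record or an older valid record put back in place; those need separate controls on the database itself.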
20 STEP 6
[Diagram labels: Feature Extraction; MATCHER (Submitted Sample, Existing Sample from Data Base); Decision (No: Access Denied; Yes: Access Granted); List of Secure Files.]
- The decision taken by the matcher unit can be modified.
- The modified result of the decision unit would favor the attacker.
- The attacker would be granted access to the list of secure files stored in the database.
21 In addition to this, the biometric system as a whole is prone to:
- Hardware component failures, e.g. biometric sensors, integrated circuits, input/output hardware, computer etc.
- Software component failures, e.g. virus attacks, exploiting software executables etc.
- Network threats, where an attacker tampers with the connection between the various components that make up the system. [9]
22 FACTORS EXTERNAL TO THE BIOMETRIC SYSTEM
23
- A well-defined policy should be in place, educating users on how the data is stored, for what purpose it will be used, what security safeguards are in place to avoid database theft and other security vulnerabilities, what actions to take in case the biometric data is compromised, etc.
- Sharing and selling of the data to outside organizations, government agencies etc. involves legal implications. Prior to making such decisions, the organizations must inform the users.
24 Cultural and Religious Issues
- Certain cultures and religions strictly prohibit the photographing of individuals.
- Some are of the opinion that biometrics or any bodily ID systems are the Mark of the Beast. Here the beast refers to biometric systems themselves. [5]
- "And he (the beast from the earth) causes all, both small and great, rich and poor, free and bond, to receive a mark in their right hand or in their foreheads" - Revelation 13 Verse 16
25 Health and Safety Issues
- User acceptance is influenced by the 2 most common factors, namely ethics/privacy issues and health/safety issues.
- Ethics and Privacy: People hesitate to voluntarily give their biometric samples due to the fear that the physical attributes scanned by these systems would be stored someplace else and used by government agencies for covert purposes without their knowledge or consent. This violates the laws of ethics.
26
- One good example is automated face recognition in public places, which could be used to track everyone's movements without their knowledge. People may feel a loss of personal dignity.
- One other good reason why people are reluctant to use biometric systems is the increase in ID theft. Unfortunately, a person cannot change his/her physical attributes. If it is lost, it is lost. Nothing can be done.
- Health and Safety Issues have lately become an area of highest concern. [5]
- People using the biometric systems are concerned that they could contract some kind of sickness just by using the systems.
27
- This is because a sick person could use the system and could leave germs on the system, thus transmitting the infection to others who use the system afterwards.
- Of all the biometric systems in use, Iris scanners are the ones people mostly object to. As the device points directly at one's eyes (which are the most sensitive part of our body), there is a fear that the device itself will produce some harm to the eyes like blindness, irritation and other related eye ailments.
28
- By nature, biometric systems are highly sophisticated. The implementation and the equipment costs are high.
- The expense is incurred not only in hardware at each point of authentication, but also in the effort required to 'train' the system to recognize each individual user.
- It is found that requiring biometrics for access control would result in a hardware cost of approximately 150 per workstation for a biometric reader.
29
- Biometric standards are still in the developing stage, slowing down its growth.
- Interoperability is a major issue today, as it enables application development and system integration by using common standards for data formats as well as h/w and s/w interfaces.
- Standards offer some form of assurance in the integrity of the system through the use of common testing criteria and common security evaluation.
- It helps prevent vendor lock-in, as it enables end-users to have a choice to switch between vendors without having to change the underlying application.
30
- Accuracy is one of the major usability concerns with respect to biometric systems.
- Security can be compromised if these systems cannot perform their task with accuracy.
- Accuracy of a biometric system is evaluated based on False Reject Rate, False Accept Rate and Crossover Rate. [1]
- Of the biometric devices available, Iris scanners have the highest accuracy rate (no false matches over 2 million comparisons) [6]
- Facial recognition devices have the lowest accuracy rates.
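The threshold trade-off behind the three rates named above, as an added Python example that is not part of the original slides: it computes False Accept Rate and False Reject Rate from constructed score lists, using the deck's rule that access is granted when the score is greater than the threshold, and locates the crossover point. The score values and function names are assumptions made for illustration.

```python
# Constructed comparison scores on the 0-100 scale described earlier in the
# deck (100 = perfect match). Not measurements from any real device.
GENUINE = [96, 91, 88, 84, 79, 75, 93, 68, 86, 90]   # same person vs own template
IMPOSTOR = [22, 35, 41, 48, 55, 61, 30, 72, 44, 38]  # different person vs template


def accept(score, threshold):
    """Decision rule from the deck: grant access if score > threshold."""
    return score > threshold


def far(threshold, impostor=IMPOSTOR):
    """False Accept Rate: share of impostor comparisons that are accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Reject Rate: share of genuine comparisons that are rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def crossover(thresholds=range(0, 101)):
    """Lowest threshold at which FAR and FRR are closest, with both rates."""
    t = min(thresholds, key=lambda x: (abs(far(x) - frr(x)), x))
    return t, far(t), frr(t)


def min_threshold_for_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR stays within max_far, and the FRR it costs."""
    for t in thresholds:
        if far(t) <= max_far:
            return t, frr(t)
    return None


if __name__ == "__main__":
    for t in (50, 68, 80):
        print(f"threshold={t}  FAR={far(t):.1f}  FRR={frr(t):.1f}")
    print("crossover:", crossover())
    print("FAR of 0 needs:", min_threshold_for_far(0.0))
```

Lowering the administrator-set threshold below the crossover point trades fewer false rejects for more false accepts, which is why a change to that setting deserves the same review as any other access-control change.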
31
- A study conducted by NIST showed that the facial recognition devices had difficulty identifying women when compared to identifying men. [4]
- It also had difficulty recognizing younger people when compared to older people. The overall accuracy rate for these systems is around 73.
33
- Clearly Biometrics is still in its infancy.
- Just like any other technology, biometrics has its dark side as well.
- We have only seen the tip of an iceberg. There are a lot of issues that still need to be addressed.
- It is necessary to explore the pros and cons of biometrics before considering it as the sole solution for major security issues such as terrorist attacks.
- As a final thought, I feel Biometrics is a technology still in the making.
34 REFERENCES
- 1. Whitman, M.E. and Mattord, H.J. (2003), Principles of Information Security. Thompson, Boston, MA
- 2. Attacks on Biometric Systems: A Case Study in Finger Prints, retrieved on Nov 20, 2004 from <http://biometrics.cse.msu.edu/EI5306-62-manuscript.pdf>
- 3. Department of Defense Biometrics, retrieved on Nov 20, 2004 from <http://www.biometrics.dod.mil>
- 4. Facial Recognition Systems: New Accuracy Study, retrieved on Nov 21, 2004 from <http://talkleft.com/new_archives/002184.html>
- 5. The Human Factors Involved When Implementing A Biometric System, retrieved on Nov 21, 2004 from <http://technologyexecutivesclub.com/artBiometricsHumanFactors.htm>
- 6. Iris Vs Finger Print, retrieved on Nov 21, 2004 from <http://www.iridiantech.com/atwork/biometric.php?page2>
- 7. Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies: A Case Study for User Identification, retrieved on Nov 21, 2004 from <http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.html>
35 REFERENCES - Cont
- 8. Common Methodology for Information Technology Security Evaluation, retrieved on Nov 24, 2004 from <http://www.cesg.gov.uk/site/ast/biometrics/media/BEM_10.pdf>
- 9. Definition of Biometrics, retrieved on Nov 24, 2004 from <www.rsasecurity.com/rsalabs/faq/B.html>
- 10. Engineering calibrated Biometric Systems, retrieved on Nov 24, 2004 from <http://www.mitre.org/news/events/tech04/briefings/728.pdf>