Biometrics - Furman University (cs.furman.edu/~tallen/cscx362/materials/biometrics.pdf)
2/23/17
Biometrics
CSC362, Information Security
Biometric Authentication
• the last category of authentication methods is "something I am or do": some physical or behavioral characteristic that uniquely identifies the user and can be used effectively to authorize access
• this is the realm of biometrics
Biometric Authentication
• is derived from an automated system that uses biological, physiological, or behavioral characteristics to authenticate automatically the identity of an individual based on a previous enrollment or registration process
• biometrics is often touted as having these advantages over competing methods:
  • doesn't require remembering a password or carrying a token
  • security levels meet or exceed those of token authentication
Biometric Authentication
• there is a great variety of characteristics, properties, or behaviors that qualify for development into biometric systems
Biometric Authentication
• here is a partial listing of commercial and research prototypes available today
  • voice recognition
  • infrared facial thermography
  • fingerprints
  • facial recognition
  • iris recognition
  • ear recognition
  • EKG or EEG
  • (walking) gait
  • odor
  • keystroke dynamics
  • DNA
  • signature dynamics
  • retinal scan
  • hand/finger geometry
  • subcutaneous blood vessel imaging
Biometric Authentication
• there are several criteria that can be used to compare/contrast different sources and methods
Biometric Parameters
• Universality: What is the distribution of this property in the population? Ideally, every person should possess it
• Uniqueness: No two individuals should possess the same attributes for that characteristic
• Permanence: The characteristic or behavior should not change significantly over time.
Biometric Parameters
• Collectability: The characteristic should be something quantitatively measurable
• Resistance to Circumvention: How easily can impostors fool the system?
• Performance: Ease of use, speed, accuracy, and robustness of the technology.
Biometric Parameters
• User Acceptance: Is the target audience willing to use these types of authentication systems?
  • some individuals may have personal, moral, and/or religious objections to the use of this technology
Biometric Authentication
• like other authentication methods, biometric systems require two steps
  • registration. The external entity presents an identifier to the security system, which catalogs and stores it.
    • usually, a one-time process
  • verification. Periodically, the external entity presents the authentication information to gain access to the computer entity
    • usually, a many-times process
Fingerprints
• Fingerprints have been studied as a means of identifying individuals since the late nineteenth century
• Sir Francis Galton was one of its pioneers who studied fingerprints scientifically
a fingerprint represents the structure of the pattern of the skin where dark areas denote raised ridges and the white areas valleys between them.
Fingerprints
• registration typically incorporates an optical sensor that reads the print and produces a digital image
• this is the data collection stage
• the digital version of the original image is seldom used for actual authentication
• a new digital image is produced using an adaptive feature extraction algorithm
• its goal is to produce a template, which typifies important features in the fingerprint
Fingerprints
• the fingerprint registration process
Fingerprints
For example, features can be identified using minutiae-based pattern matching. It relies on specific location and direction of so-called "minutiae points."
Fingerprints
• after the template is registered, the verification process matches stored templates with those generated from the user’s verification scan during authentication
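A simplified sketch of minutiae-based verification, added here as an illustration and not taken from the course material. The templates, tolerances and threshold are constructed values, and the matcher assumes the two scans are already aligned (no rotation or translation compensation).

```python
import math

# Constructed templates: each minutia is (x, y, ridge direction in degrees).
ENROLLED = [(10, 12, 90), (25, 30, 45), (40, 18, 180), (55, 44, 270), (33, 60, 135)]
# Same finger rescanned: small jitter, one minutia missed, one spurious point.
SAME_FINGER = [(11, 13, 93), (24, 31, 41), (41, 17, 176), (34, 59, 140), (70, 70, 10)]
# A different finger (constructed).
OTHER_FINGER = [(15, 50, 10), (48, 9, 200), (62, 33, 300), (20, 22, 330), (5, 65, 80)]


def angle_diff(a, b):
    """Smallest absolute difference between two directions, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, sample, dist_tol=4.0, angle_tol=15.0):
    """Greedily pair minutiae that agree in location and direction.

    Returns paired / max(len(template), len(sample)), a score in [0, 1].
    """
    unused = list(sample)
    paired = 0
    for x, y, a in template:
        candidates = [
            m for m in unused
            if math.hypot(m[0] - x, m[1] - y) <= dist_tol
            and angle_diff(m[2], a) <= angle_tol
        ]
        if candidates:
            # Take the closest candidate; each sample minutia is used once.
            best = min(candidates, key=lambda m: math.hypot(m[0] - x, m[1] - y))
            unused.remove(best)
            paired += 1
    return paired / max(len(template), len(sample))


def verify(template, sample, threshold=0.6):
    """Accept when the match score reaches the (assumed) threshold."""
    return match_score(template, sample) >= threshold
```

The rescan of the same finger scores 0.8 rather than 1.0, which is why verification compares a score against a threshold instead of requiring an exact match.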
Biometrics
• the registration/verification process is never perfect for any biometric scheme that maps some physical characteristic into a digital representation
• in verification, the system must compare a current sample of the individual's characteristics with a template stored in its database
• it would be rare to find an exact match between the two
• instead, the system uses an algorithm to generate a matching score that quantifies the similarity within some level of tolerance
Biometrics
• any automated biometric system is therefore susceptible to two types of errors
  • false acceptance rates (FAR). the rate that the system incorrectly matches an input pattern to a non-matching template
    • "false positives"
  • false rejection rates (FRR). the rate that the system fails to detect a match between an input pattern and a matching template
    • "false negatives"
Biometrics
• if the match scores used for acceptance are set lower, the FRR goes down while the FAR goes up
Biometrics
• if the match score is set higher, then the FAR goes down while the FRR goes up
Biometrics
• FRR affects the usability of the system, and FAR represents its security risk
• System 3 in the chart is the higher performing system because, for any given FAR, it has the lowest FRR
the Receiver Operating Characteristic (ROC) Curve depicts the relationship between error rates in biometric systems
Biometrics
• ROC curves can be used to calculate another performance value called the Equal Error Rate (EER).
  • i.e., where FAR = FRR
which system has better overall performance based on these ROC Curves?
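The FAR/FRR trade-off and the EER can be computed directly from match scores. The following is an added example, not part of the original slides; the score lists are constructed, and a sample is assumed to be accepted when its score is at or above the threshold.

```python
# Constructed similarity scores in [0, 1]; not measurements from a real system.
# GENUINE: samples compared against their own template.
GENUINE = [0.91, 0.84, 0.77, 0.88, 0.69, 0.95, 0.58, 0.81, 0.73, 0.86]
# IMPOSTOR: samples compared against someone else's template.
IMPOSTOR = [0.12, 0.35, 0.48, 0.27, 0.61, 0.19, 0.42, 0.55, 0.72, 0.30]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: impostor comparisons with score >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: genuine comparisons with score < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def roc_points(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) at every observed score plus both extremes."""
    thresholds = sorted(set(genuine) | set(impostor) | {0.0, 1.01})
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where |FAR - FRR| is smallest, and the error rate there."""
    t, fa, fr = min(roc_points(genuine, impostor),
                    key=lambda p: abs(p[1] - p[2]))
    return t, (fa + fr) / 2


def frr_at_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest FRR achievable with FAR <= max_far; used to compare systems."""
    return min(fr for _, fa, fr in roc_points(genuine, impostor)
               if fa <= max_far)


if __name__ == "__main__":
    for t, fa, fr in roc_points():
        print(f"threshold={t:.2f}  FAR={fa:.1f}  FRR={fr:.1f}")
    print("EER:", equal_error_rate())
```

Calling frr_at_far with the same FAR limit on the scores of two different systems gives the comparison the ROC chart makes: the system with the lower FRR at that FAR performs better.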
Fingerprints
advantages
• economical
• commonplace, accepted
• reliable
disadvantages
• injuries to prints can affect verification
• can be spoofed
• requires physical contact
• dirt, oil, etc. can degrade system performance
Signature Recognition
• the earliest signature recognition systems were developed in the latter half of the 20th century
• these were based on static signature recognition, which treats the signature as a graphic figure
• the geometric features of the signature are measured and encoded for the template
• matches are based on how much the graphics resemble each other
signature
forgery
Dynamic Signature Recognition
• capturing behavioral or dynamic features of a signature offers greater accuracy
• the data captured focuses on
  • direction,
  • stroke,
  • pressure,
  • shape, and
  • timing
Facial Recognition
• long considered the Holy Grail for automated systems, its chief advantage is that it can register the individual using passive acquisition
  • i.e., the subject does not have to perform any directed action
• ASIDE: for example, in 2014, The Guardian reported on Operation Optic Nerve, which was a joint effort of the UK GCHQ and the NSA
  • the project collected millions of still images of Yahoo! webcam chats in bulk
  • these data sweeps used facial recognition to flag subjects of interest from their databases
Facial Recognition
• early methods were based on selected geometric features of the face
• these proved too brittle as an accurate measure due to problems with lighting and facial positioning
• systems today use algorithms that capture statistically invariable features of the subject's face
  • e.g., principal component analysis (PCA)
Facial Recognition
advantages
• template storage is easy
• no physical contact with the system is necessary
• verification can be passive
  • without the subject's awareness
disadvantages
• facial traits change over time
• may not be unique
• changing conditions can affect verification
  • facial expression, lighting conditions, etc.
Iris Recognition
• the human iris is a thin circular structure in the eyes that is responsible for controlling the diameter and size of the pupils
• iris color is a variable property for humans
  • brown, green, blue, grey, and hazel
  • sometimes violet or pink
• each iris has its own distinct pattern
Iris Recognition
Iris Recognition
advantages
• very accurate
  • chance that two irises match is 1 in 10 billion people
• iris rarely changes over lifespan
• verification is fast
disadvantages
• equipment is expensive
• high quality images can spoof a person
• an individual must keep head steady and still for accurate scanning
Retinal Scan Recognition
• the retina is the lining at the back of the eye that covers 65% of the eyeball's inner surface
• it contains photo-sensitive rod and cone cells
• the complex network of blood vessels in the retina is unique for each individual
• this pattern remains unchanged except in cases of degenerative diseases
Retinal Scan Recognition
• for both registration and verification, the person must remove any glasses or eyewear, place their eye close to the scanner and stare at a specific point
Speaker/Voice Recognition
• used for over 50 years, there are two basic approaches:
  • text dependent. the individual is registered using a prescribed text
  • text independent. speaker is usually unaware that his or her voice is being registered
• not to be confused with “speech recognition”
Speaker/Voice Recognition
advantages
• easy to implement
• existing equipment can be employed (e.g., telephony)
disadvantages
• sensitive to quality of equipment and noise
• can be spoofed
  • replay attack
Keystroke Recognition
• keystroke recognition systems analyze the person’s typing behavior including speed and rhythm
Comparing Biometric Technologies
Biometric Method     Universality  Uniqueness  Permanence  Collectability  Circumvention  Performance  Acceptance
Fingerprint          Medium        High        High        Medium          High           High         Medium
Face Recognition     High          Low         Medium      High            Low            Low          High
Iris Recognition     High          High        High        Medium          High           High         Low
Retinal Scan         High          High        Medium      Low             High           High         Low
Keystroke            High          Low         Low         High            High           Medium       High
Signature Dynamics   High          High        Medium      Medium          Low            Medium       Medium
Voice Recognition    Medium        Low         Low         Medium          Low            Low          High