Biometrics -- Using Fingerprints for Authentication - PowerPoint PPT Presentation

Slides: 26
Provided by: TA1
Learn more at: http://www.cs.fsu.edu

1
Biometrics -- Using Fingerprints for
Authentication
  • Todd Andel, Cyndi Roberts
  • CIS 5370 Computer Security
  • Spring 2005
  • 12 July 2020

2
Overview
  • Authentication Overview
  • Passwords, biometrics
  • Fingerprints for authentication
  • Features matching
  • Live-scanning of fingerprints
  • Attacks
  • Disadvantages of fingerprint authentication
  • Fake finger, Trojan horse, replay, coercion

3
Authentication Overview
  • Authentication
  • Process of verifying identity
  • Supports both the confidentiality and integrity of
    the CIA model

[Figure labels: Confidentiality, Integrity]
Ref: class notes
4
Authentication Overview
  • Passwords
  • Most common
  • In theory strong (e.g. 26^8 ≈ 2 × 10^11)
  • In practice weak (e.g. dictionary words, related
    words)

5
Authentication Overview
  • Biometrics
  • Physiological
  • Iris
  • Fingerprint (including nail)
  • Hand (including knuckle, palm, vascular)
  • Face
  • Voice
  • Retina
  • DNA
  • Even Odor, Earlobe, Sweat pore, Lips
  • Behavioral (patterns)
  • Signature
  • Keystroke
  • Voice
  • Gait

Ref: DoD Biometrics Management Office
6
Fingerprints for Authentication
  • Two premises for fingerprint identification
  • Fingerprint details are permanent
  • Fingerprints are unique
  • Recent challenges to this claim

Ref: On the Individuality of Fingerprints
7
Features Matching
  • Features of a fingerprint
  • Matching Techniques
  • Correlation based
  • Ridge feature based
  • Minutiae based

Ref: On the Individuality of Fingerprints
8
Features Matching
  • Minutiae matching
  • Probability that two different fingerprints will
    share 12 of 36 minutiae points: 6.1 × 10^-8
  • Quality of automated matching
  • Based on number of matches ?
  • verification vs. identification
  • False positive: imposter matches > ?
  • False negative: valid user matches < ?
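
The threshold trade-off on this slide, as an added example that is not part of the original presentation: a simplified minutiae matcher and the false-accept/false-reject rates it produces at different thresholds. It assumes pre-aligned prints, accepts a query when its match count is at least the threshold, and uses constructed sample minutiae and tolerances.

```python
import math

def count_matches(template, query, dist_tol=10.0, angle_tol=15.0):
    """Greedy one-to-one pairing of pre-aligned minutiae (x, y, angle_deg)."""
    used, matched = set(), 0
    for x, y, a in query:
        best, best_d = None, dist_tol
        for i, (tx, ty, ta) in enumerate(template):
            d = math.hypot(x - tx, y - ty)
            da = abs((a - ta + 180) % 360 - 180)  # smallest angle difference
            if i not in used and d <= best_d and da <= angle_tol:
                best, best_d = i, d
        if best is not None:  # each template minutia pairs at most once
            used.add(best)
            matched += 1
    return matched

def error_rates(template, genuine, imposters, threshold):
    """(FAR, FRR) when a query is accepted iff match count >= threshold."""
    far = sum(count_matches(template, q) >= threshold for q in imposters)
    frr = sum(count_matches(template, q) < threshold for q in genuine)
    return far / len(imposters), frr / len(genuine)

# Constructed sample data, not real fingerprints.
TEMPLATE = [(10, 10, 0), (40, 15, 90), (70, 20, 45), (25, 50, 180), (60, 55, 270),
            (90, 60, 30), (15, 90, 120), (50, 95, 200), (80, 100, 300), (110, 30, 60)]
GENUINE = [
    # full print with small jitter and one spurious minutia
    [(12, 9, 5), (41, 17, 95), (69, 22, 40), (27, 49, 185), (61, 53, 275),
     (88, 61, 25), (16, 92, 125), (52, 94, 205), (200, 200, 0)],
    # partial print of the same finger
    [(9, 12, 355), (38, 14, 85), (72, 19, 50), (24, 52, 175), (62, 56, 265)],
]
IMPOSTERS = [
    [(11, 11, 170), (75, 22, 50), (60, 57, 90), (52, 93, 20), (120, 120, 45)],
    [(75, 22, 50), (13, 88, 115), (108, 33, 70), (45, 40, 10), (95, 90, 90)],
]

if __name__ == "__main__":
    for t in (2, 4, 6):  # low threshold admits imposters, high one rejects users
        print(t, error_rates(TEMPLATE, GENUINE, IMPOSTERS, t))
```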

9
Features Matching
  • (a) valid match
  • 39 points left
  • 42 points right
  • 36 matches
  • (b) false positive
  • 64 points left
  • 65 points right
  • 25 matches

Ref: On the Individuality of Fingerprints
10
Live-scanning of Fingerprints
  • Live-scan fingerprint sensing
  • Three sensor types: optical, solid-state,
    ultrasound

Ref: Handbook of Fingerprint Recognition
11
Live-scanning of Fingerprints
  • Optical Sensors
  • Picture
  • Frustrated total internal reflection (FTIR),
    optical fibers, electro-optical, direct reading

Ref: Fingerprint Classification and Matching;
Handbook of Fingerprint Recognition
12
Live-scanning of Fingerprints
  • Solid-State Sensors
  • Direct conversion to electronic signal
  • Capacitive, thermal, electric field,
    piezoelectric

Ref: Fingerprint Classification and Matching;
Handbook of Fingerprint Recognition
13
Live-scanning of Fingerprints
  • Ultrasound Sensors
  • Based on acoustic signaling
  • Not yet mature

Ref: Handbook of Fingerprint Recognition
14
Attacks on Fingerprint Authentication Systems
  • Attacks focus on the disadvantages of
    fingerprint-based recognition
  • While distinctive, fingerprints are not secret
  • Latent fingerprints are left on everything a
    person touches
  • With only 10 fingerprints, if one is compromised
    by theft of a template, it can be replaced a very
    limited number of times (unlike a password that
    can be reset as often as desired)

Ref: Handbook of Fingerprint Recognition
15
Fingerprint Authentication System Model
This model of a fingerprint authentication system
shows the 8 points of attack generally recognized
by security experts.
Ref: Handbook of Fingerprint Recognition
16
Attack at Fingerprint Scanner
  • 1. Destruction of Scanner Surface
  • 2. Fake Finger attack

Image a: Rubber stamp made from a fingerprint image
Image b: Wafer-thin plastic sheet containing a
three-dimensional replication of a fingerprint
Ref: Handbook of Fingerprint Recognition
17
Destruction of Scanner Surface
  • Ruggedness is important
  • Weather
  • Keyless car entry system as opposed to
    e-Commerce application
  • Glass/plastic-covered surfaces can be easily
    scratched or broken
  • Chip-based sensors can be damaged by
    electrostatic discharge

18
Fake Finger Attacks
  • Most common method is to build an accurate
    three-dimensional model using the latent print
    from a legitimate user.
  • Latent fingerprints are formed when a thin film
    of sweat and grease is left on a surface. They can
    be colored with dye and lifted
  • Legitimate user can be in collusion or coerced
  • Models made using latex rubber membrane, glue
    impression, gelatin
  • Research done in 2000: a latent print used to
    produce a silicone cement fake finger was
    accepted by 5 out of 6 commercial scanners on the
    first try. The sixth scanner accepted the print
    on the second try.

Ref: Attacks on biometric systems: a case study
in fingerprints
19
Trojan Horse Attacks
  • Attack can be launched at scanner, feature
    extractor, matcher, or system database
  • Program disguises itself as something else
  • Device will not recognize that it is sending or
    receiving information from a source that is not
    trusted
  • Generates false results

Ref: Handbook of Fingerprint Recognition
20
Replay Attacks
  • Information intercepted from communication
    channels between modules is re-issued at a later
    time in an attempt to fool the system
  • Information moving across channels must be
    secured via
  • Encryption and digital signatures
  • Timestamp and challenge response
  • Digitally signing fingerprint images/features
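
The timestamp and challenge-response protection listed above, as an added example that is not part of the original presentation. It assumes the scanner and matcher share a key provisioned out of band; an HMAC stands in for the digital signature, and the class and function names are hypothetical.

```python
import hashlib, hmac, json, os, time

def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

def sensor_response(key, nonce, features, now=None):
    """Scanner side: bind the features to the matcher's nonce and a timestamp."""
    body = {"nonce": nonce, "ts": time.time() if now is None else now,
            "features": features}
    return {"body": body, "mac": _mac(key, body)}

class Matcher:
    """Matcher side: issues challenges, rejects forged, replayed or stale data."""
    def __init__(self, key, max_age=5.0):
        self.key, self.max_age, self.pending = key, max_age, set()

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.pending.add(nonce)
        return nonce

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(_mac(self.key, msg["body"]), msg["mac"]):
            return "bad-mac"
        nonce = msg["body"]["nonce"]
        if nonce not in self.pending:
            return "replay-or-unknown-nonce"
        self.pending.discard(nonce)  # a challenge is good for one answer only
        if abs(now - msg["body"]["ts"]) > self.max_age:
            return "stale"
        return "ok"

def demo():
    key = b"constructed demo key"  # assumption: provisioned out of band
    matcher = Matcher(key)
    msg = sensor_response(key, matcher.challenge(),
                          [[10, 10, 0], [40, 15, 90]], now=1000.0)
    first = matcher.accept(msg, now=1001.0)
    replay = matcher.accept(msg, now=1002.0)  # same message re-issued later
    return first, replay

if __name__ == "__main__":
    print(demo())
```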

21
Attacks on Cancelable/Private Biometrics
  • One of the most problematic vulnerabilities of
    biometrics
  • Once a template or image is compromised, it
    cannot be reissued, updated, or destroyed
  • Can be prevented by having template or image
    transformed into another representation by using
    a non-invertible transform such as a one-way hash
    function paired with a verification function
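
A simplified sketch of the transform-plus-verification idea above, as an added example that is not part of the original presentation. It assumes pre-aligned prints whose jitter stays inside one grid cell; the cell size, angle bucket, function names and sample minutiae are constructed for illustration.

```python
import hashlib, hmac

CELL = 16        # pixels per grid cell (assumed quantization step)
ANGLE_BIN = 45   # degrees per orientation bucket (assumed)

def protect(minutiae, key):
    """Turn (x, y, angle_deg) minutiae into a set of keyed one-way tokens."""
    tokens = set()
    for x, y, a in minutiae:
        cell = f"{x // CELL}:{y // CELL}:{(a % 360) // ANGLE_BIN}".encode()
        tokens.add(hmac.new(key, cell, hashlib.sha256).hexdigest()[:16])
    return tokens

def verify(stored, probe, key, threshold):
    """Verification function: compares in the transformed domain only."""
    return len(stored & protect(probe, key)) >= threshold

# Constructed sample data, not real fingerprints.
ENROLLED = [(24, 40, 100), (56, 72, 10), (88, 24, 200),
            (120, 104, 280), (40, 120, 150), (104, 56, 60)]
SAME_FINGER = [(27, 37, 110), (53, 75, 20), (90, 21, 195),
               (118, 107, 290), (43, 118, 140), (200, 200, 0)]
OTHER_FINGER = [(8, 8, 0), (72, 40, 90), (24, 104, 300),
                (136, 24, 170), (56, 72, 190), (104, 56, 240)]

def reissue_demo():
    old_key, new_key = b"constructed key 1", b"constructed key 2"
    stolen = protect(ENROLLED, old_key)    # template taken from the database
    fresh = protect(ENROLLED, new_key)     # same finger re-enrolled, new key
    return {
        "genuine_ok": verify(fresh, SAME_FINGER, new_key, 4),
        "other_rejected": not verify(fresh, OTHER_FINGER, new_key, 4),
        "stolen_overlap": len(stolen & fresh),  # old tokens no longer match
    }

if __name__ == "__main__":
    print(reissue_demo())
```

The token space here is small enough to enumerate, so the transform is only one-way while the key stays secret.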

22
Attacks Using Coercion
  • Legitimate users can be forced to identify
    themselves to a fingerprint-based recognition
    system
  • This cannot be detected by fake finger detection
    modules or cryptographic techniques
  • Could be prevented by having two fingerprints on
    file: one default, one for panic situations
    that would trigger security measures unnoticeable
    by the thief

23
Summary
  • Biometrics is a growing field with many exciting
    discoveries on the horizon
  • However, until more secure systems can be
    developed, fingerprint recognition systems should
    be used in conjunction with another type of user
    identification to bolster their security

Ref: On the Individuality of Fingerprints
24
References
  • Department of Defense, Biometrics Management
    Office, http://www.biometrics.dod.mil
  • S. Pankanti, S. Prabhakar, and A. K. Jain, "On
    the Individuality of Fingerprints", IEEE
    Transactions on PAMI, Vol. 24, No. 8, pp.
    1010-1025, 2002.
  • C. Barral, J.S. Coron, D. Naccache, "Externalized
    Fingerprint Matching", Lecture Notes in Computer
    Science, Volume 3072, Jul 2004, pp. 309-315.
  • U. Uludag and A.K. Jain, "Attacks on biometric
    systems: a case study in fingerprints", Proc.
    SPIE-EI 2004, pp. 622-633, San Jose, CA, January
    18-22, 2004.
  • T. Matsumoto, H. Matsumoto, K. Yamada, and S.
    Hoshino, "Impact of Artificial Gummy Fingers on
    Fingerprint Systems", Proc. of SPIE, Optical
    Security and Counterfeit Deterrence Techniques
    IV, vol. 4677, pp. 275-289, 2002.
  • D. Maltoni et al., Handbook of Fingerprint
    Recognition, New York: Springer, 2003.
  • A. K. Jain and S. Pankanti, "Fingerprint
    classification and matching", in A. Bovik,
    editor, Handbook for Image and Video Processing,
    Academic Press, April 2000.
  • G. Bebis, T. Deaconu, and M. Georgiopoulos,
    "Fingerprint identification using Delaunay
    triangulation", 1999 Int. Conf. on Information
    Intelligence and Systems, pp. 452-459, 1999.

25
Questions