SECURE COMPUTING, July 2002, R. Smith - Biometric Dilemma
The Biometric Dilemma, Rick Smith, Ph.D., CISSP 28.


2 The Biometric Dilemma
Rick Smith, Ph.D., CISSP
28 October 2001

3 Outline
Biometrics: Why, How, How Strong
  – Attacks, FAR, FRR, Resisting trial-and-error
Server-based Biometrics
Attacking a biometric server
  – Digital spoofing, privacy intrusion, latent print reactivation
Token-based Biometrics
Physical spoofing
  – Voluntary and involuntary spoofing
Summary

4 Biometrics: Why?
Eliminate memorization
  – Users don’t have to memorize features of their voice, face, eyes, or fingerprints
Eliminate misplaced tokens
  – Users won’t forget to bring fingerprints to work
Can’t be delegated
  – Users can’t lend fingers or faces to someone else
Often unique
  – Save money and maintain database integrity by eliminating duplicate enrollments

5 The Dilemma
They always look stronger and easier to use than they are in practice
Enrollment is difficult
  – Easy enrollment = unreliable authentication
  – Measures to prevent digital spoofing make even more work for administrators, almost a “double enrollment” process
Physical spoofing is easier than we’d like
  – Recent examples with fingerprint scanners, face scanners

6 Biometrics: How?
Measure a physical trait
  The user’s fingerprint, hand, eye, face
Measure user behavior
  The user’s voice, written signature, or keystrokes
From Authentication © Used by permission

7 Biometrics: How Strong?
Three types of attacks
Trial-and-error attack
  – Classic way of measuring biometric strength
Digital spoofing
  – Transmit a digital pattern that mimics that of a legitimate user’s biometric signature
  – Similar to password sniffing and replay
  – Biometrics can’t prevent such attacks by themselves
Physical spoofing
  – Present a biometric sensor with an image that mimics the appearance of a legitimate user

8 Biometric Trial-and-Error
How many trials are needed to achieve a chance of producing a matching reading?
Typical objective: 1 in 1,000,000 ≈ 2^19
Some systems achieve this, but most aren’t that accurate in practical settings
Team-based attack
  – A group of individuals take turns pretending to be a legitimate user (5 people × 10 fingers = 50 fingers)

9 Passwords: A Baseline

10 Biometric Authentication
Compares user’s signature to previously established pattern built from that trait
“Biometric pattern” file instead of password file
Matching is always approximate, never exact
From Authentication © Used by permission

11 Pattern Matching
We compare how closely a signature matches one user’s pattern versus another’s pattern
From Authentication © Used by permission

12 Matching Self vs. Others
From Authentication © Used by permission

13 Matching in Practice
FAR = recognized Bob instead; FRR = doesn’t recognize me
From Authentication © Used by permission

14 Measurement Trade-Offs
We must balance the FAR and the FRR
Lower FAR = Fewer successful attacks
  – Less tolerant of close matches by attackers
  – Also less tolerant of authentic matches
  – Therefore – increases the FRR
Lower FRR = Easier to use
  – Recognizes a legitimate user the first time
  – More tolerant of poor matches
  – Also more tolerant of matches by attackers
  – Therefore – increases the FAR
Equal error rate = point where FAR = FRR

15 Trial and Error in Practice
Higher security means more mistakes
  – When we reduce the FAR, we increase the FRR
  – More picky about signatures from legitimate users, too
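
An added example (not from the slides) that works through the FAR/FRR trade-off of slides 14 and 15 and the trial-and-error question of slide 8 on constructed match distances. The distance lists, the threshold range and the 50% target chance are assumptions made for the illustration.

```python
import math

# Constructed match distances (lower = closer to the enrolled pattern).
GENUINE = [2, 3, 3, 4, 4, 5, 5, 6, 8, 9]        # readings from the legitimate user
IMPOSTOR = [5, 7, 8, 8, 9, 10, 10, 11, 12, 13]  # readings from other people


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: share of impostor readings at or under the threshold."""
    return sum(d <= threshold for d in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: share of genuine readings over the threshold."""
    return sum(d > threshold for d in genuine) / len(genuine)


def equal_error_threshold(thresholds):
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    return min(thresholds, key=lambda t: abs(far(t) - frr(t)))


def trials_for_chance(false_accept_rate, chance=0.5):
    """Independent trials needed before P(at least one false accept) >= chance."""
    return math.ceil(math.log1p(-chance) / math.log1p(-false_accept_rate))


def chance_of_false_accept(false_accept_rate, attempts):
    """P(at least one false accept) over a number of independent attempts."""
    return 1 - (1 - false_accept_rate) ** attempts


if __name__ == "__main__":
    print("thr   FAR   FRR")
    for t in range(3, 11):
        # Tightening the threshold lowers FAR and raises FRR, and vice versa.
        print(f"{t:3d}  {far(t):.2f}  {frr(t):.2f}")
    print("equal error threshold:", equal_error_threshold(range(3, 11)))
    # The slide's objective: a FAR of 1 in 1,000,000.
    n = trials_for_chance(1e-6)
    print(f"FAR 1e-6: {n} trials for a 50% chance (about 2^{math.log2(n):.1f})")
    # A looser FAR of 1 in 1,000 against the slide's 50 fingers, one try each.
    print(f"FAR 1e-3, 50 fingers: {chance_of_false_accept(1e-3, 50):.3f}")
```

The second figure is the one to size attempt limits against: the per-attempt FAR only bounds risk when the number of distinct readings an account will accept tries from is also bounded.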

16 Biometric Enrollment
How it works
  – User provides one or more biometric readings
  – The system converts each reading into a signature
  – The system constructs the pattern from those signatures
Problems with biometric enrollment
  – It’s hard to reliably “pre-enroll” users
  – Users must provide biometric readings interactively
Accuracy is time consuming
  – Take trial readings, build tentative patterns, try them out
  – Take more readings to refine patterns
  – Higher accuracy requires more trial readings

17 Compare with Password or Token Enrollment
Modern systems allow users to self-enroll
  – User enters some personal authentication information
  – Establish a user name
  – Establish a password: system generated or user chosen
  – Establish a token: enter its serial number
Password enrollment is comparatively simple
Tokens require a database associating serial numbers with individual authentication tokens
  – Database is generated by token’s manufacturer
  – Enrollment system uses it to establish user account
  – Token’s PIN is managed by the end user

18 Biometric Privacy
The biometric pattern acts like a password
But biometrics are not secrets
Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
Users can’t change biometrics if someone makes a copy
We can trace people by following their biometrics as they’re saved in databases

19 Server-based biometrics
Boring but important
Some biometric systems require servers
  – When you need a central repository
  – Identification systems (FBI’s AFIS)
  – Uniqueness systems (community social service orgs)
From Authentication © Used by permission

20 Attacking Server Biometrics
From Authentication © Used by permission

21 Attacks on Server Traffic
Attack on privacy of a user’s biometrics
  – Defense = encryption while traversing the network
Attack by spoofing a digital biometric reading
  – Defense = authenticating legitimate biometric readers
Both solutions rely on trusted biometric readers
From Authentication © Used by permission

22 Trusted Biometric Reader
Blocks either type of attack on server traffic
Security objective – reliable data collection
Must embed a cryptographic secret in every trusted reader
  – Increased development cost
  – Increased administrative cost – administrators must keep the reader’s keys safe and up-to-date
Must enroll both users and trusted readers
  – “Double enrollment”
  – Database of device keys from biometric vendor
  – One device per workstation is often like one per user
  – Standard tokens are traditionally lower-cost devices
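
An added sketch (not from the slides) of what "authenticating legitimate biometric readers" can look like on the server side of slides 21 and 22: each enrolled reader holds a key and MACs its reading together with a fresh server nonce. The HMAC-SHA256 construction, the reader and user names, the key, the readings and the distance threshold are all assumptions; encryption of the reading in transit is left to the channel and is not shown.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment data: the "double enrollment" of readers and users.
READER_KEYS = {"reader-17": bytes.fromhex("00112233445566778899aabbccddeeff")}
USER_PATTERNS = {"alice": [12, 40, 33, 27]}
MATCH_THRESHOLD = 6  # assumed maximum distance for an acceptable match


def reading_tag(key, nonce, user, signature):
    """MAC over the server's nonce, the claimed user and the reading."""
    message = nonce + b"|" + user.encode() + b"|" + bytes(signature)
    return hmac.new(key, message, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.pending = {}  # reader_id -> nonce issued for the login in progress

    def challenge(self, reader_id):
        self.pending[reader_id] = secrets.token_bytes(16)
        return self.pending[reader_id]

    def verify(self, reader_id, user, signature, tag):
        nonce = self.pending.pop(reader_id, None)  # each nonce is single use
        key = READER_KEYS.get(reader_id)
        pattern = USER_PATTERNS.get(user)
        if nonce is None or key is None or pattern is None:
            return "rejected: unknown reader or user, or no challenge issued"
        if not hmac.compare_digest(tag, reading_tag(key, nonce, user, signature)):
            return "rejected: reading not authenticated by a trusted reader"
        if len(signature) != len(pattern):
            return "rejected: no match"
        distance = sum(abs(a - b) for a, b in zip(signature, pattern))
        return "accepted" if distance <= MATCH_THRESHOLD else "rejected: no match"


def demo():
    """Returns the verdicts for a genuine login, a replay and a forged reading."""
    server = Server()
    key = READER_KEYS["reader-17"]
    reading = [13, 41, 31, 27]  # close to the enrolled pattern, never identical

    nonce = server.challenge("reader-17")
    captured = ("reader-17", "alice", reading,
                reading_tag(key, nonce, "alice", reading))
    genuine = server.verify(*captured)

    server.challenge("reader-17")        # a later login gets a fresh nonce
    replayed = server.verify(*captured)  # message recorded from the first login

    nonce = server.challenge("reader-17")
    wrong_key = b"\x00" * 16             # sender that holds no enrolled reader key
    forged = server.verify("reader-17", "alice", reading,
                           reading_tag(wrong_key, nonce, "alice", reading))
    return genuine, replayed, forged


if __name__ == "__main__":
    print(demo())
```

The reading itself is not a secret, so the check that stops a digitally spoofed reading is the MAC, and that is only as strong as the protection and upkeep of the per-reader keys the slide lists as an administrative cost.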

23 Another Server Attack
Experiments in the US and Germany
Willis and Lee of Network Computing Labs, 1998
  – Reported in “Six Biometric Devices Point The Finger At Security” in Network Computing, 1 June 1998
Thalheim, Krissler, and Ziegler, 2002
  – Reported in “Body Check,” C’T (Germany)
  – http://www.heise.de/ct/english/02/11/114/
Attack on “capacitive” fingerprint sensors
  – Measures change in capacitance due to presence or absence of material with skin-like response
  – 65Kb sensor collects ~20 minutiae from fingerprint
  – Traditional techniques use for identification
Attack exploits the fatty oils left over from the last user logon

24 Latent Finger Reactivation
Three techniques
  – Oil vs. non-oil regions return difference as humidity increases
1. Breathe on the sensor (Thalheim, et al)
  – You can watch the print reappear as a biometric image
  – Works occasionally
2. Use a thin-walled plastic bag of warm water
  More effective, but not 100%
  – Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al)
  Attach clear tape to the dust
  – Press down on the sensor
  – Most reliable technique – almost 100% success rate (Thalheim)

25 This Shouldn’t Work
According to Siemens – vendor of the “ID Mouse” used in those examples –
  – Authentication procedure remembers the last fingerprint used
  – System rejects a match that’s “too close” to the last reading as well as a match that’s “too far” from the pattern
Observations
1. Defense didn’t work in these experiments
2. Tape can be repositioned to create a ‘different’ reading
3. Hard to track through multiple biometric readers
  – Assume the user logs in at multiple locations over time
  – Then the latent image on some reader is not the most recent one accepted for login
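
An added model (not from the slides, and not Siemens' code) of the "too close / too far" check on slide 25, written to show where observations 2 and 3 come from and what keeping the last accepted reading per reader does and does not fix. The pattern, readings, thresholds and the per-reader memory option are constructed assumptions.

```python
PATTERN = [12, 40, 33, 27]      # constructed enrolled pattern
READING_A = [13, 41, 31, 27]    # constructed reading accepted on reader A
READING_B = [11, 39, 34, 29]    # constructed later reading accepted on reader B
SHIFTED_A = [14, 41, 30, 27]    # READING_A presented again, slightly displaced


def distance(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


class WindowMatcher:
    """Accept a reading only if it is near the pattern and is not a near-copy
    of the last accepted reading."""

    def __init__(self, pattern, too_far=6, too_close=1, per_reader=True):
        self.pattern = pattern
        self.too_far = too_far        # assumed upper bound on distance to pattern
        self.too_close = too_close    # assumed lower bound on distance to last reading
        self.per_reader = per_reader  # remember the last reading for each reader
        self.last = {}                # memory key -> last accepted reading

    def _key(self, reader_id):
        return reader_id if self.per_reader else "global"

    def check(self, reader_id, reading):
        if distance(reading, self.pattern) > self.too_far:
            return "reject: too far from pattern"
        previous = self.last.get(self._key(reader_id))
        if previous is not None and distance(reading, previous) <= self.too_close:
            return "reject: too close to last reading"
        self.last[self._key(reader_id)] = reading
        return "accept"


def replay_after_roaming(per_reader):
    """User logs in on A, then on B; READING_A then shows up on A again."""
    matcher = WindowMatcher(PATTERN, per_reader=per_reader)
    matcher.check("reader-A", READING_A)
    matcher.check("reader-B", READING_B)
    return matcher.check("reader-A", READING_A)


def displaced_copy():
    """A copy of READING_A that differs by more than the too_close margin."""
    matcher = WindowMatcher(PATTERN)
    matcher.check("reader-A", READING_A)
    return matcher.check("reader-A", SHIFTED_A)


if __name__ == "__main__":
    print("single shared memory:", replay_after_roaming(per_reader=False))
    print("memory per reader:   ", replay_after_roaming(per_reader=True))
    print("displaced copy:      ", displaced_copy())
```

Per-reader memory closes the roaming gap in observation 3, but the displaced copy is still accepted because it is indistinguishable from a fresh genuine reading, which is why the check cannot stand in for liveness detection at the sensor.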

26 What about “Active” Biometric Authentication?
Some (Dorothy Denning) suggest the use of biometrics in which the pattern incorporates “dynamic” information uniquely associated with the user
Possible techniques
  – Require any sort of non-static input that matches the built-in pattern
    Moving the finger around on the fingerprint reader
  – Challenge response that demands an unpredictable reply
    Voice recognition that demands reciting an unpredictable phrase
Both are vulnerable to a dynamic digital attack based on a copy of the user’s biometric pattern
Ease of use issue
  – Requires more complex user behavior, which makes it harder to use and less reliable

27 Attacking Active Biometrics
A feasible dynamic attack uses the system’s algorithms to generate an acceptable signature
Example
  – Attacker collects enough biometric samples from the victim to build a plausible copy of victim’s biometric pattern
  – During login, attacker is prompted for a spoken phrase from the victim
  – Attack software generates a digital message based on the user’s biometric pattern
    There may be a sequence of timed messages or a single message – it doesn’t matter
If the server can predict what the answer should be, based on a static biometric pattern, so can the attacker

28 Token-Based Biometrics
Authenticate with biometric + embedded secret
From Authentication © Used by permission

29 Token Technology
Resist copying and other attacks by storing the authentication secret in a tamper-resistant package.
From Authentication © Used by permission

30 Tokens Resist Trial-and-Error Attacks
These numbers assume that the attacker has not managed to steal a token

31 Biometric Token Operation
The “real” authentication is based on a secret embedded in the token
The biometric reading simply “unlocks” that secret
Benefits
  – User retains control of own biometric pattern
  – Biometric signatures don’t traverse networks
Problems
  – Biometric Tokens cost more
  – Less space and cost for the biometric reader
The biometric serves as a PIN

32 Attacks on Biometric Tokens
If you can trick the reader, you can probably trick the token
Digital spoofing shouldn’t work
  – We’ve eliminated the vulnerable data path
Latent print reactivation (remember?)
  – Tokens should be able to detect and reject such attacks
Attacks by cloning the biometric artifact
  – Voluntary cloning (the authorized user is an accomplice)
  – Involuntary cloning (the authorized user is unaware)

33 Voluntary finger cloning
1. Select the casting material
  – Option: softened, free molding plastic (used by Matsumoto)
  – Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
  Option: gelatin (“gummy fingers” used by Matsumoto)
  Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden
You’re Done!

34 Matsumoto’s Technique
Only a few dollars’ worth of materials

35 Making the Actual Clone
You can place the “gummy finger” over your real finger. Observers aren’t likely to detect it when you use it on a fingerprint reader. (Matsumoto)

36 Involuntary Cloning
The stuff of Hollywood – three examples
  – Sneakers (1992) “My voice is my password”
  – Never Say Never Again (1983) cloned retina
  – Charlie’s Angels (2000)
    Fingerprints from beer bottles
    Eye scan from oom-pah laser
You clone the biometric without victim’s knowledge or intentional assistance
Bad news: it works!

37 Cloned Face
More work by Thalheim, Krissler, and Ziegler
Reported in “Body Check,” C’T (Germany) http://www.heise.de/ct/english/02/11/114/
Show the camera a photograph or video clip instead of the real face
  – Video clip required to defeat “dynamic” biometric checks
Photo was taken without the victim’s assistance (video possible, too)
Face recognition was fooled
  – Cognitec's FaceVACS-Logon using the recommended Philips's ToUcam PCVC 740K camera

38 Matsumoto’s 2nd Technique
Cloning a fingerprint from a latent print
1. Capture clean, complete fingerprint on a glass, CD, or other smooth, clean surface
2. Pick it up using tape and graphite
3. Scan it into a computer at high resolution
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material
6. Use the PCB as a mold for a “gummy finger”

39 Making a Gummy Finger from a Latent Print
From Matsumoto, ITU-T Workshop

40 The Latent Print Dilemma
Tokens tend to be smooth objects of metal or plastic – materials that hold latent prints well
Can an attacker steal a token, lift the owner’s latent prints from it, and construct a working clone of the owner’s fingerprint?
Worse, can an attacker reactivate a latent image of the biometric from the sensor itself?
Answer: in some cases, YES.

41 Finger Cloning Effectiveness
Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
Thalheim et al could trick both “capacitive” and “optical” sensors with cloned fingers
  – Products from Siemens, Cherry, Eutron, Veridicom
  – Latent image reactivation only worked on capacitive sensors, not on optical ones
Matsumoto tested 11 capacitive and optical sensors
  – Cloned fingers tricked all of them
  – Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica

42 Summary
Traditional FAR and FRR statistics don’t tell the whole story about biometric vulnerabilities
Networked biometrics require trusted readers that pose extra administrative headaches
We can build physical clones of biometric features that spoof biometric readers
  – Matsumoto needed $10 worth of materials and 40 minutes to reliably clone a fingerprint
We can often build clones without the legitimate user’s intentional participation

43 Thank You!
Questions? Comments? My

