Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 12 Thwarting Attacks Leandro A. Loss. Introduction Benefits of Biometric Authentication: –Convenience (e.g. recall password, keep cards) –Security.

Published byKerry Edwin Cain Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 12 Thwarting Attacks Leandro A. Loss. Introduction Benefits of Biometric Authentication: –Convenience (e.g. recall password, keep cards) –Security."— Presentation transcript:

1 Chapter 12 Thwarting Attacks Leandro A. Loss

2 Introduction Benefits of Biometric Authentication: –Convenience (e.g. recall password, keep cards) –Security (e.g. cracked password, stolen cards) Introduces different security weaknesses: Objective: Identify security weak points, keeping in mind the security versus convenience trade-off

3 Pattern Recognition Model Sensor Template Extractor MatcherApplication Enrollment Template Database 11 basic points of attack that plague biometric authentication systems

4 Attacking Biometric Identifiers Sensor Template Extractor MatcherApplication Coercive attackThe true biometric is presented but in a unauthorized manner; Impersonation attack An unauthorized individual changes his or her biometrics to appear like an authorized one; Replay attackA recording of true data is presented to the sensor.

5 Attacking Biometric Identifiers Coercive Attack Examples –A genuine user is forced by an attacker to identify him or herself to an authentication system; The system should detect coercion instances reliably without endangering lives (stress analysis, guards, video recording). –The correct biometric is presented after physical removal from the rightful owner; The system should detect “liveness” (movements of iris, electrical activity, temperature, pulse in fingers.

6 Attacking Biometric Identifiers Impersonation Attack Examples –Involves changing one’s appearance so that the measured biometric matches an authorized person; Voice and face are the most easily attacked; Fake fingerprints or even fingers have been reported. –Changes one’s appearance to cause a false negative error in screening systems; disguises or plastic surgeries; –Combination of multiple biometrics makes replications more difficult, specially when synchronization is analyzed (works well for the first case); –No defense suggestions for the second case;

7 Attacking Biometric Identifiers Replay Attack Examples –Re-presentation of previously recorded biometric information (tape or picture); Prompt random text to be read; Detect tri-dimensionality or require change of expression.

8 Front-end attacks Sensor Template Extractor Matcher Application B AC D (A) Replay attackA recording of true data is transmitted to Extractor; (A) Electronic Impersonation Injection of an image created artificially from extracted features; (B) Trojan HorseExtracted features are replaced; (C) CommunicationAttacks during transmission to remote matcher; (D) Trojan HorseMatch decision is manipulated.

9 Front-end attacks (A) Channel between sensor and biometric system Replay Attacks: circumventing the sensor by injecting recorded signal in the system input (easier than attacking the sensor); digital encryption and time-stamping can protect against these attacks. Electronic Impersonation Attacks: Injection of an image created artificially from extracted features; e.g. An image of an artificial fingerprint created from minutia captured from a card; No defense suggested.

10 Front-end attacks (B) Template Extractor Trojan Horse Attacks: The features are replaced after extracted (assuming the representation is known); The extractor would produce a pre-selected feature set at some given time or under some condition; No defense suggested.

11 Front-end attacks (C) Transmissions between Extractor and Matcher Communication Attacks: Specially dangerous in remote matchers; No defense suggested.

12 Front-end attacks (D) Matcher Trojan Horse Attacks: Manipulations of match decision; e.g. A hacker could replace the biometric library on a computer with a library that always declares a true match for a particular person; No defense suggested.

13 Circumvention Sensor Template Extractor Matcher Application CollusionUse of and/or agreement with “super-users”; Covert AcquisitionBiometric stolen without the user knowledge, but just parametric data used; DenialAn authentic user be denied by the system; “Overriding of the matcher’s output”

14 Circumvention Collusion Some operators have super-user status, which allows them to bypass the authentication process; Attackers can gain super-user status by: - Stealing this status; - Agreement with operator;

15 Circumvention Covert Acquisition Biometric stolen without the user knowledge; Only the parametric data is used to override matcher (so different from impersonation);

16 Circumvention Denial A authentic user identifies him or herself to the system but is denied such an access (a False Rejection is evoked); Not considered fraud because no unauthorized access was granted; But it disrupts the functioning of the system.

17 Back-end attacks Sensor Template Extractor Matcher Application Enrollment Template Database D C E A B (A) All seen so farEnrollment has all the stages above; (B) Communication Attack Attacks during transmission between matcher and central or distributed database; (C) Communication Attack Attacks during transmission from enrollment stage to central or distributed database; (D) Viruses, Trojans,... (E) Hacker’s AttackModification or deletion of registers and gathering of information;

18 Back-end attacks (A) Enrollment Attacks Same vulnerable points of the others; With collusion between the hacker and the supervisor of the enrollment center, it is easy to enroll a created or stolen identity; Enrollment needs to be more secure than authentication and is best done under trusted and competent supervision. Sensor Template Extractor Matcher Template Database Enrollment

19 Back-end attacks (B) Transmissions between Matcher and Database Communication Attacks: Remote central or distributed databases; Information is attacked before it reaches the matcher.

20 Back-end attacks (C) Transmissions between Enrollment and Database Communication Attacks: Remote central or distributed databases; Information is attacked before it reaches the database.

21 Back-end attacks (D) Attacks to the Application

22 Back-end attacks (E) Attacks to the Database Hacker’s Attack Modification or deletion of registers: Legitimate unauthorized person; Denial of authorized person; Removal of a known “wanted” person from screening list. Privacy Attacks: Access to confidential information; Level of security of different systems; Passwords x Biometrics.

23 Other attacks Password systems are vulnerable to brute force attacks; The number of characters is proportional to the bit-strength of password; Biometrics: equivalent notion of bit-strength, called intrinsic error rate (chapter 14);

24 Other attacks Hill Climbing: Repeatedly submit biometric data to an algorithm with slight differences, and preserve modifications that result in an improved score; Can be prevented by Limiting the number of trials; Giving out only yes/no matches.

25 Other attacks Swamping: Similar to brute force attack, exploiting weakness in the algorithm to obtain a match for incorrect data. E.g. Fingerprints: Submit a print with hundreds of minutiae in the hope that at least the threshold number of them will match the stored template; Can be prevented by normalizing the number of minutiae.

26 Other attacks Piggy-back: An unauthorized user gains access through simultaneous entry with a legitimate user (coercion, tailgating).

27 Other attacks illegitimate enrollment: Somehow an attacker is enrolled (collusion, forgery).

28 Combining Smartcards and Biometrics Biometrics – reliable authentication; Smartcards – store biometrics and other data; Suggestion: valid enrolled biometrics + valid card; Benefits: Authentication is done locally – cuts down on communication with database; The information never leaves the card – secure by design; Attacks occur locally and are treated locally; Keeps privacy;

29 Challenge-Response Protocol Dynamic authentication - prevents mainly Replay Attacks; The system issues a challenge to the user, who must respond appropriately (prompted text – increases the difficulty of recorded biometrics’ use); It will demand more sophisticated attacks and block the casual ones; Extension: E.g. Number projected in the retina, that must be typed.

30 Cancellable Biometrics Once a biometric identifier is somehow compromised, the identifier is compromised forever; Privacy: A hacked system can give out user’s information (medical history and susceptibility); Proscription: Biometric information should not be used for any other purpose than its intended use; Concerns 1.Not an extra bit of information should be collected; 2.Data integrity and data confidentially are two important issues; 3.Cross-matching: matching against law enforcement databases; 4.Biometric cannot change (issue a new credit card number, etc).

31 Cancellable Biometrics Cancellable biometrics is a technique that alleviate some of these concerns. Biometrics are distorted by some non-invertible transform. If one representation is compromised, another one can be generated. Signal domain distortions: Distortion of the raw biometric signal: Morphed fingerprint; Split voice signal and scramble pieces; Feature domain distortions: Distortion of preprocessed biometric signal (template): Fingerprint minutiae (S={(xi, yi, θi); i=1,…,M}); x 1 x 2 x 3 X1X1 X2X2 X3X3

32 Cancellable Biometrics Relation to compression and encryption Signal Compression: the signal temporarily loses its characteristics; Encryption: Secure transmission: signal is restored after it; Cancellable Biometrics: Signal loses definitely its characteristics; It’s desirable that the distorted signal is impossible to be restored.

33 Questions?

Download ppt "Chapter 12 Thwarting Attacks Leandro A. Loss. Introduction Benefits of Biometric Authentication: –Convenience (e.g. recall password, keep cards) –Security."

Similar presentations

Biometrics: Fingerprint Technology Calvin Shueh Professor Stamp CS265.

Biometrics: Fingerprint Technology Calvin Shueh Professor Stamp CS265.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Chapter 9 Creating and Maintaining Database Presented by Zhiming Liu Instructor: Dr. Bebis.

Chapter 9 Creating and Maintaining Database Presented by Zhiming Liu Instructor: Dr. Bebis.
Security Challenges of Biometric Systems

Security Challenges of Biometric Systems
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies

Access Control Methodologies
Biometric Authentication Andrea Blanco Binglin Li Brian Connelly.

Biometric Authentication Andrea Blanco Binglin Li Brian Connelly.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Authors: Anil K. Jain, Arun Ross and Sharath Pankanti Presented By: Payas Gupta.

Authors: Anil K. Jain, Arun Ross and Sharath Pankanti Presented By: Payas Gupta.
Biometric Cryptosystems Presenters: Yeh Po-Yin Yang Yi-Lun.

Biometric Cryptosystems Presenters: Yeh Po-Yin Yang Yi-Lun.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
Chapter 1 – Introduction

Chapter 1 – Introduction
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
Introduction to Fingerprint Biometrics By Tamar Bar.

Introduction to Fingerprint Biometrics By Tamar Bar.
Biometrics Technology Jie Meng. What is Biometrics ? Biometrics is the science and technology of measuring and analyzing biological data. In information.

Biometrics Technology Jie Meng. What is Biometrics ? Biometrics is the science and technology of measuring and analyzing biological data. In information.
Biometrics II CUBS, University at Buffalo

Biometrics II CUBS, University at Buffalo
FIT3105 Biometric based authentication and identity management

FIT3105 Biometric based authentication and identity management
Biometric Authentication: Security Issues M. Fahim Zibran February 23, 2009.

Biometric Authentication: Security Issues M. Fahim Zibran February 23, 2009.
Introduction to Biometrics Dr. Pushkin Kachroo. New Field Face recognition from computer vision Speaker recognition from signal processing Finger prints.

Introduction to Biometrics Dr. Pushkin Kachroo. New Field Face recognition from computer vision Speaker recognition from signal processing Finger prints.

Similar presentations

Ads by Google