6ada78c1e6fcfde2af832aea290e5e10.ppt
- Number of slides: 28
Introduction to Biometrics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #25: Securing Biometrics Systems - II
November 21, 2005
Outline
- Solutions to Attacks on Biometrics Systems
- Smart Cards, PKI and Biometrics
References
- http://www.research.ibm.com/journal/sj/403/ratha.html
- http://www.citer.wvu.edu/members/publications/files/Ross.Multibiometric_CACM04.pdf
- http://www.smartcardalliance.org/about_alliance/Smart_Card_Biometric_report.cfm
- http://www.bioscrypt.com/assets/security_soutar.pdf
- Digital watermarking based secure multimodal biometric system: Vatsa, M., et al., Systems, Man and Cybernetics, 2004 IEEE International Conference, Volume 3, pp. 2983-87
- PalmHashing: a novel approach for cancelable biometrics: Tee Connie et al., Information Processing Letters, Volume 93, #1, 2005
- http://www.acm.org/~hlb/publications/dig_wtr/dig_watr.html
Solutions to Attacks on Biometrics Systems
- Information Hiding / Digital Watermarking
- Image-based Challenge Response Method
- Cancelable Biometrics
- Multi-Biometrics
Digital Watermarking/Information Hiding
- A digital watermark is a digital signal or pattern inserted into a digital image.
- Since this signal or pattern is present in each unaltered copy of the original image, the digital watermark may also serve as a digital signature for the copies.
- A given watermark may be unique to each copy (e.g., to identify the intended recipient), or be common to multiple copies (e.g., to identify the document source).
- In either case, the watermarking of the document involves the transformation of the original into another form.
- This distinguishes digital watermarking from digital fingerprinting, where the original file remains intact but another file is created that "describes" the original file's content.
Digital Watermarking/Information Hiding
- As a simple example, the checksum field for a disk sector would be a fingerprint of the preceding block of data.
- Similarly, hash algorithms produce fingerprint files.
- Digital watermarking is also to be contrasted with public-key encryption, which also transforms original files into another form.
- It is a common practice nowadays to encrypt digital documents so that they become un-viewable without the decryption key.
- Unlike encryption, however, digital watermarking leaves the original image (or file) basically intact and recognizable.
- In addition, digital watermarks, as signatures, may not be validated without special software.
- Further, decrypted documents are free of any residual effects of encryption, whereas digital watermarks are designed to be persistent in viewing, printing, or subsequent re-transmission or dissemination.
Digital Watermarking/Information Hiding
- Two types of digital watermarks may be distinguished, depending upon whether the watermark appears visible or invisible to the casual viewer.
- Visible watermarks are used in much the same way as their bond paper ancestors, where the opacity of paper is altered by physically stamping it with an identifying pattern.
- This is done to mark the paper manufacturer or paper type.
- One might view digitally watermarked documents and images as digitally "stamped".
- Invisible watermarks, on the other hand, are potentially useful as a means of identifying the source, author, creator, owner, distributor or authorized consumer of a document or image.
- For this purpose, the objective is to permanently and unalterably mark the image so that the credit or assignment is beyond dispute.
Digital Watermarking/Information Hiding
- In the event of illicit usage, the watermark would facilitate the claim of ownership, the receipt of copyright revenues, or the success of prosecution.
- Watermarking has also been proposed to trace images in the event of their illicit redistribution.
- Whereas past infringement with copyrighted documents was often limited by the unfeasibility of large-scale photocopying and distribution, modern digital networks make large-scale dissemination simple and inexpensive.
- Digital watermarking makes it possible to uniquely mark each image for every buyer.
- If that buyer then makes an illicit copy, the illicit duplication may be convincingly demonstrated.
Digital Watermarking/Information Hiding
- In both Web-based and other on-line transaction processing systems, it is undesirable to send uncompressed fingerprint images to the server due to bandwidth limitations.
- A typical fingerprint image is of the order of 512 × 512 pixels with 256 gray levels, resulting in a file size of 256 Kbytes. This would take nearly 40 seconds to transmit at 53 Kbaud.
- Unfortunately, many standard compression methods, such as JPEG (Joint Photographic Experts Group), have a tendency to distort the high-frequency spatial and structural ridge features of a fingerprint image.
- This has led to several research proposals regarding domain-specific compression methods.
- As a result, an open Wavelet Scalar Quantization (WSQ) image compression scheme proposed by the FBI has become the de facto standard in the industry, because of its low image distortion even at high compression ratios.
Digital Watermarking/Information Hiding
- Typically, the compressed image is transmitted over a standard encrypted channel as a replacement for (or in addition to) the user's PIN.
- Yet, because of the open compression standard, transmitting a WSQ compressed image over the Internet is not particularly secure.
- If a compressed fingerprint image bitstream can be freely intercepted (and decrypted), it can be decompressed using readily available software.
- This potentially allows the signal to be saved and fraudulently reused.
Digital Watermarking/Information Hiding
- One way to enhance security is to use data-hiding techniques to embed additional information directly in compressed fingerprint images.
- For instance, if the embedding algorithm remains unknown, the service provider can look for the appropriate standard watermark to check that a submitted image was indeed generated by a trusted machine (or sensor).
- Several techniques have been proposed in the literature for hiding digital watermarks.
- Most of the research, however, addresses issues involved in resolving piracy or copyright issues, not authentication.
- One study examines the matching accuracy after an invisible watermark is inserted in the image domain.
- Another solution operates directly in the compressed domain and causes no performance degradation.
Digital Watermarking/Information Hiding
- The approach is motivated by the desire to create on-line fingerprint authentication systems for commercial transactions that are secure against replay attacks.
- To achieve this, the service provider issues a different verification string for each transaction.
- The string is mixed in with the fingerprint image before transmission.
- When the image is received by the service provider, it is decompressed and checked for the presence of the correct one-time verification string.
- The method proposed hides such messages with minimal impact on the appearance of the decompressed image.
- Moreover, the message is not hidden in a fixed location (which would make it more vulnerable to discovery) but is, instead, deposited in different places based on the structure of the image itself.
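The one-time verification string scheme above, as an added Python illustration (not code from the slides or from the cited Ratha et al. paper): a per-transaction string is hidden in the least-significant bits of a constructed grayscale image at positions derived from the image's own high-order bits, so the hiding places change from image to image and a replayed image carries the wrong string. It assumes a lossless image path and a toy 16 × 16 image; the cited scheme works in the WSQ compressed domain, which is not modelled here.

```python
import hashlib
import random
import secrets

WIDTH, HEIGHT = 16, 16   # constructed toy "fingerprint" image size (assumption)
MSG_BITS = 32            # length of the one-time verification string in bits


def make_image(seed: int) -> list[int]:
    """Constructed sample: pseudo-random 8-bit grayscale pixels, not a real print."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(WIDTH * HEIGHT)]


def embedding_positions(pixels: list[int]) -> list[int]:
    """Derive the hiding locations from image content.

    The 7 high-order bits of every pixel are untouched by LSB embedding, so both
    the sensor and the server compute the same digest from them; that digest
    seeds a permutation of pixel indices, giving image-dependent positions
    instead of a fixed location.
    """
    structure = bytes(p >> 1 for p in pixels)
    seed = int.from_bytes(hashlib.sha256(structure).digest()[:8], "big")
    order = list(range(len(pixels)))
    random.Random(seed).shuffle(order)
    return order[:MSG_BITS]


def embed(pixels: list[int], msg: int) -> list[int]:
    """Sensor side: write the MSG_BITS-bit string into the LSBs at derived positions."""
    out = list(pixels)
    for i, pos in enumerate(embedding_positions(pixels)):
        bit = (msg >> (MSG_BITS - 1 - i)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return out


def extract(pixels: list[int]) -> int:
    """Server side: recompute the positions from the received image and read the LSBs."""
    msg = 0
    for pos in embedding_positions(pixels):
        msg = (msg << 1) | (pixels[pos] & 1)
    return msg


def issue_challenge() -> int:
    """Service provider issues a fresh verification string for each transaction."""
    return secrets.randbits(MSG_BITS)


def verify(received: list[int], expected: int) -> bool:
    """Accept the image only if it carries the string issued for this transaction."""
    return extract(received) == expected


def demo() -> tuple[bool, bool]:
    """Fresh image passes; the same image replayed in a later transaction fails."""
    image = make_image(seed=1)
    first, second = issue_challenge(), issue_challenge()
    stamped = embed(image, first)
    return verify(stamped, first), verify(stamped, second)
```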
Digital Watermarking/Information Hiding
- In another approach, a multimodal biometrics system is designed using watermarking algorithms with two levels of security for simultaneously verifying an individual and protecting the biometric template.
- The iris template is watermarked into the face image, such that the face is visible for verification and the watermarked iris is used to cross-authenticate the individual and secure the biometric data as well.
- The accuracy of the multimodal biometrics system is around 96.8%.
- This system is also resistant to common attacks on biometric templates.
Challenge/Response
- Besides interception of network traffic, more insidious attacks might be perpetrated against an automated biometric authentication system.
- One of these is a replay attack on the signal from the sensor.
- A method to thwart such attempts has been proposed based on a modified challenge/response system.
- Conventional challenge/response systems are based either on challenges to the user, such as requesting the user to supply the mother's maiden name, or challenges to a physical device, such as a special-purpose calculator that computes a numerical response.
- The modified approach is based on a challenge to the sensor.
- The sensor is assumed to have enough intelligence to respond to the challenge.
Challenge/Response
- Silicon fingerprint scanners can be designed to exploit the proposed method using an embedded processor.
- Note that standard cryptographic techniques are not a suitable substitute.
- While these are mathematically strong, they are also computationally intensive and could require maintaining secret keys for a large number of sensors.
- Moreover, the encryption techniques cannot check for liveness of a signal.
- A stored image could be fed to the encryptor, which will encrypt it.
- Similarly, the digital signature of a submitted signal can be used to check only for its integrity, not its liveness.
Challenge/Response
- The approach computes a response string, which depends not only on the challenge string, but also on the content of the returned image.
- The changing challenges ensure that the image was acquired after the challenge was issued.
- The dependence on image pixel values guards against substitution of data after the response has been generated.
- Example: A transaction is initiated at the user terminal or system.
- First, the server generates a pseudorandom challenge for the transaction and the sensor.
- Note that we assume that the transaction server itself is secure.
- The client system then passes the challenge on to the intelligent sensor.
Challenge/Response
- Now, the sensor acquires a new signal and computes the response to the challenge that is based in part on the newly acquired signal.
- Because the response processor is tightly integrated with the sensor (preferably on the same chip), the signal channel into the response processor is assumed ironclad and inviolable.
- It is difficult to intercept the true image and to inject a fake image under such circumstances.
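The exchange described on the last two slides, as an added Python example with both sides' messages (not code from the slides or the cited paper): the server issues a single-use pseudorandom challenge, the intelligent sensor computes a response over the challenge together with the freshly acquired pixels, and the server verifies it. The response function itself is not specified on the slides; as a stand-in it is assumed here to be an HMAC under a per-sensor key provisioned to both the sensor and the server, and the "image" is constructed random bytes.

```python
import hashlib
import hmac
import secrets

# Constructed per-sensor key; assumption: provisioned at manufacture and known to the server.
SENSOR_KEY = b"constructed-demo-key-sensor-0001"
IMAGE_BYTES = 64  # size of the constructed stand-in image


class Server:
    """Transaction server (assumed secure): issues challenges and checks responses."""

    def __init__(self, sensor_key: bytes) -> None:
        self._key = sensor_key
        self._outstanding: set[bytes] = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # pseudorandom, unique per transaction
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, image: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge: reject
        self._outstanding.discard(challenge)  # single use
        # Response must depend on both the challenge and the pixel content.
        expected = hmac.new(self._key, challenge + image, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class IntelligentSensor:
    """Sensor with on-chip response processor; the key never leaves the chip."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def acquire(self) -> bytes:
        # Constructed stand-in for a freshly scanned fingerprint image.
        return secrets.token_bytes(IMAGE_BYTES)

    def respond(self, challenge: bytes) -> tuple[bytes, bytes]:
        image = self.acquire()  # acquired only after the challenge arrived
        response = hmac.new(self._key, challenge + image, hashlib.sha256).digest()
        return image, response


def run_protocol(tamper: str = "none") -> bool:
    """Run one transaction; 'tamper' selects a failure mode the server must reject."""
    server = Server(SENSOR_KEY)
    sensor = IntelligentSensor(SENSOR_KEY)
    challenge = server.new_challenge()
    image, response = sensor.respond(challenge)
    if tamper == "replay":
        # Old (image, response) pair presented under a new challenge.
        challenge = server.new_challenge()
    elif tamper == "substitute":
        # Image swapped after the response was computed.
        image = bytes(IMAGE_BYTES)
    elif tamper == "reuse":
        # Valid pair presented twice; the first use consumes the challenge.
        server.verify(challenge, image, response)
    return server.verify(challenge, image, response)
```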
Cancelable Biometrics
- Deploying biometrics in a mass market, like credit card authorization or bank ATM access, raises additional concerns beyond the security of the transactions.
- One such concern is the public's perception of a possible invasion of privacy.
- In addition to personal information such as name and date of birth, the user is asked to surrender images of body parts, such as fingers, face, and iris.
- These images, or other such biometric signals, are stored in digital form in various databases.
- This raises the concern of possible sharing of data among law enforcement agencies, or commercial enterprises.
- When a credit card number is compromised, the issuing bank can just assign the customer a new credit card number. When the biometric data are compromised, replacement is not possible.
Cancelable Biometrics
- In order to alleviate this problem, the concept of "cancelable biometrics" has been introduced.
- It consists of an intentional, repeatable distortion of a biometric signal based on a chosen transform.
- The biometric signal is distorted in the same fashion at each presentation, for enrollment and for every authentication.
- With this approach, every instance of enrollment can use a different transform, thus rendering cross-matching impossible.
- If one variant of the transformed biometric data is compromised, then the transform function can be changed to create a new variant (transformed representation) for re-enrollment as a new person.
- In general, the distortion transforms are selected to be noninvertible.
- So even if the transform function is known and the resulting transformed biometric data are known, the original (undistorted) biometrics cannot be recovered.
Cancelable Biometrics
- Example distortion transforms: distortion transforms can be applied in either the signal domain or the feature domain.
- That is, either the biometric signal can be transformed directly after acquisition, or the signal can be processed as usual and the extracted features can then be transformed.
- Moreover, extending a template to a larger representation space via a suitable transform can further increase the bit strength of the system.
- Ideally the transform should be noninvertible so that the true biometric of a user cannot be recovered from one or more of the distorted versions stored by various agencies.
Cancelable Biometrics
- The techniques for transforming biometric signals differ from simple compression using signal or image processing techniques.
- While compression of the signal causes it to lose some of its spatial domain characteristics, it strives to preserve the overall geometry.
- That is, two points in a biometric signal before compression are likely to remain at comparable distance when decompressed.
- This is usually not the case with distortion transforms.
- This technique also differs from encryption.
- The purpose of encryption is to allow a legitimate party to regenerate the original signal.
- In contrast, distortion transforms permanently obscure the signal in a noninvertible manner.
Cancelable Biometrics
- A novel cancelable biometric approach, known as PalmHashing, has been proposed to solve the non-revocable biometric issue.
- The proposed method hashes palmprint templates with a set of pseudo-random keys to obtain a unique code called the palmhash.
- The palmhash code can be stored in portable devices such as tokens and smartcards for verification.
- Multiple sets of palmhash codes can be maintained in multiple applications.
- Thus the privacy and security of the applications can be greatly enhanced.
- When compromised, revocation can also be achieved via direct replacement with a new set of palmhash codes.
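An added Python example of the feature-domain transform described on the cancelable biometrics slides (illustrative, not the PalmHashing paper's own algorithm): a constructed palmprint feature vector is projected onto pseudo-random directions derived from the user's token key and only the signs are kept, yielding a code that is reproducible with the same key, unrelated across keys (so cross-matching fails and a compromised code is revoked by issuing a new key), and that discards the magnitudes needed to solve back for the features. The feature vector, noise model and Hamming threshold are assumptions for illustration.

```python
import random
import secrets

N_FEATURES = 32  # length of the constructed palmprint feature vector (assumption)
CODE_BITS = 48   # length of the resulting palmhash code (assumption)


def random_projection(key: bytes) -> list[list[float]]:
    """Derive CODE_BITS pseudo-random direction vectors from the token key only.

    Because the key, not the biometric, decides the directions, a new key gives
    a code unrelated to the old one (revocation without re-acquiring the palm).
    """
    rng = random.Random(key)
    return [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)] for _ in range(CODE_BITS)]


def palmhash(features: list[float], key: bytes) -> list[int]:
    """Keyed projection followed by sign quantization.

    Keeping only the sign of each projection throws away magnitudes, so the
    stored bits alone do not let anyone reconstruct the original features.
    """
    rows = random_projection(key)
    return [int(sum(f * w for f, w in zip(features, row)) > 0.0) for row in rows]


def hamming(a: list[int], b: list[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def match(probe: list[int], enrolled: list[int], threshold: int = CODE_BITS // 4) -> bool:
    """Verification: accept when the codes differ in at most 'threshold' bits (assumed value)."""
    return hamming(probe, enrolled) <= threshold


def new_key() -> bytes:
    """Issue a fresh token key, e.g. when a stored palmhash code is compromised."""
    return secrets.token_bytes(16)


def sample_features(person: int, noise: float = 0.0) -> list[float]:
    """Constructed stand-in for extracted palmprint features.

    Same 'person' seed = same individual; 'noise' models capture-to-capture
    variation, which sign quantization mostly absorbs.
    """
    base_rng = random.Random(person)
    base = [base_rng.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]
    jitter = random.Random(person * 7919 + 1)
    return [f + jitter.uniform(-noise, noise) for f in base]


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine/noisy match, impostor rejected, old key rejected, re-enrolled with new key."""
    old_key, fresh_key = b"constructed-token-key-A", new_key()
    enrolled = palmhash(sample_features(1), old_key)
    genuine = match(palmhash(sample_features(1, noise=0.05), old_key), enrolled)
    impostor = match(palmhash(sample_features(2), old_key), enrolled)
    cross = match(palmhash(sample_features(1), fresh_key), enrolled)  # revoked code
    re_enrolled = match(palmhash(sample_features(1), fresh_key),
                        palmhash(sample_features(1), fresh_key))
    return genuine, impostor, cross, re_enrolled
```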
Multi-Biometrics
- Some of the limitations imposed by unimodal biometric systems (that is, biometric systems that rely on the evidence of a single biometric trait) can be overcome by using multiple biometric modalities.
- Such systems, known as multibiometric systems, are expected to be more reliable due to the presence of multiple, fairly independent pieces of evidence.
- These systems are also able to meet the stringent performance requirements imposed by various applications.
- Multibiometric systems address the problem of non-universality, since multiple traits can ensure sufficient population coverage.
- Furthermore, multibiometric systems provide anti-spoofing measures by making it difficult for an intruder to simultaneously spoof the multiple biometric traits of a legitimate user.
Multi-Biometrics
- By asking the user to present a random subset of biometric traits, the system ensures a live user is indeed present at the point of data acquisition.
- Thus, a challenge-response type of authentication can be facilitated using multibiometric systems.
- A variety of factors should be considered when designing a multibiometric system.
- These include the choice and number of biometric traits; the level in the biometric system at which information provided by multiple traits should be integrated; the methodology adopted to integrate the information; and the cost versus matching performance trade-off.
- The choice and number of biometric traits is largely driven by the nature of the application, the overhead introduced by multiple traits (computational demands and cost, for example), and the correlation between the traits considered.
Smartcards, PKI and Biometrics
- Biometric technologies are defined as automated methods of identifying or authenticating the identity of a living person based on unique physiological or behavioral characteristics.
- Biometric technologies, when used with a well-designed ID system, can provide the means to ensure that an individual presenting a secure ID credential has the absolute right to use that credential.
- Smart cards have the unique ability to store large amounts of biometric and other data, carry out their own on-card functions, and interact intelligently with a smart card reader.
- Secure ID systems that require the highest degree of security and privacy are increasingly implementing both smart card and biometric technology.
Smartcards, PKI and Biometrics
- In an ID system that combines smart card and biometric technologies to verify the identity of individuals, a "live" biometric image (e.g., scan of a fingerprint or hand geometry) is captured at the point of interaction and compared to a stored biometric image that was captured when the individual enrolled in the ID system.
- Smart cards provide the secure, convenient and cost-effective ID technology that stores the enrolled biometric template and compares it to the "live" biometric template.
- When combined with PKI technologies such as encryption and digital signatures, biometrics adds an extra level of authentication for access-restricted areas.
- A Public-Key Infrastructure (PKI) is a combination of hardware, software, policies and procedures.
- It provides the basic security required to carry out electronic business so that users who do not know each other, or are widely distributed, can communicate securely using a chain of trust.
Smartcards, PKI and Biometrics
- Since biometric information distinguishes one person from the next, hacker-prone data once guarded with only a password becomes virtually impenetrable by adding an iris scan, fingerprint or voiceprint into the security mix.
- For example, the integrity and authenticity of a financial transaction can be preserved if the end-user digitally signs the message with a private key.
- The financial institution then validates the digital signature using the end-user's public key.
- The integrity and authenticity of the end-user's public key is preserved in a digital certificate that is issued by a trustworthy Certification Authority (CA).
- In addition, the financial institution can increase the degree of assurance that the end-user really did sign the message if access to the private key is protected using a biometric.
Smartcards, PKI and Biometrics
- A secure ID system using smart card and biometric technology provides:
- Enhanced privacy, securing information on the card, allowing the individual to control access to that information and removing the need for central database access during identity verification.
- Improved security, protecting information and processes within the ID system and actively authenticating the trust level of the environment before releasing information.
- Improved ID system performance and availability through local information processing and contactless ID card and reader implementations.
- Improved system return on investment through the flexibility and upgradability that smart cards provide, allowing support of different authentication methods and multiple, evolving applications.