Lezione su Biometria e Sicurezza 20/11/2008 - Comlab

Transcript

Biometrics
Introduction and Error Control Coding Applications
Università degli studi Roma Tre – Facoltà di Ingegneria Elettronica – Dipartimento di Elettronica Applicata
Summary
•
Introduction
•
Biometrics Security Issues
– Attacks
– Privacy Concerns
– Existing Solutions for Improved Security
• Encryption
• Template Cancelability
•
Error Control Coding Applications
– examples
Summary
•
Introduction
•
– Attacks
• Encryption
•
– examples
What is/are biometrics?
• Biometrics refers to methods devoted to the recognition of the
identity of a person, using his
– physiological (a physical attribute unique to a person) or
– behavioral (traits which are learnt from a person)
characteristics
• The biometrics can be acquired with
– active partecipation of the user (active biometrics),
– without active partecipation of the user (passive biometrics).
Biometric traits
Most commonly used biometrics
Other biometric identifiers
• Physiological characteristics
– Fingerprint
– Iris
– Face
– Hand geometry
• Physiological characteristics
– DNA
– Ear shape
– Odor
– Retina
– Skin reflectance
– Thermogram
• Behavioral characteristics
– Signature
– Voice
• Behavioral characteristics
– Gait
– Keystroke
– Lip motion
Biometric traits: market (2005)
Why biometrics?
• Conventional systems
– Passwords: Something you know
• short pw: easy to guess
• long pw: difficult to remember.
– Physical cards: Something you have
• easy to be lost,
• easy to be robbed.
• Biometric systems: Something you are
• Advantages:
– Eliminates repudiation,
– Enhances security
• cannot be borrowed, cannot be guessed, cannot be forgotten, cannot
be lost, cannot be copied, ....
Biometrics applications
• Controlled access to physical locations:
– border control (VISA program),
– buildings,
– rooms (employee tracking…), etc
• Controlled access to virtual locations:
– electronic data security,
– access to istitutional/private’s networks.
– access to data, etc
• Transactional security / e-commerce:
– ATM’s, credit cards, etc
• Forensic:
– corpse
identification,
criminal
identification, missing children, …
investigation,
terrorist
Biometrics applications: examples
• Airport access control
– Schipol airport (The Netherlands)
– Ben Gurion (Israel)
– JFK (USA)
• Smart gun (fingerprint),
• Biometrics to unlock hotel rooms (iris/fingerprint),
• Gas stations (Galp Energia SGPS, Lisbon) (fingerprint),
• Credit cards
– Fingerprint reader embedded
– Microphone embedded
Biometric features requirements
• Universality: each person should have the characteristic.
• Uniqueness: any two persons should be different in terms of the
characteristic.
• Permanence: the characteristic should be sufficiently invariant
(with respect to the matching criterion) over a period of time.
• Collectability: the characteristic should
measurable with some practical device.
be
quantitatively
• Performance: the use of the characteristic must ensure good
performance.
• Acceptability: the public should have no strong objection to the
measuring/collection of the characteristic.
• Circumvention: the characteristic should be robust to attacks.
Biometric features: comparison
Overview of a biometric system
• A biometric authentication system
is composed by two subsystems:
– Enrollment subsystem
– Authentication subsystem
• Enrollment stage
– Storage of users’ templates
• Authentication stage:
– Verification stage
• one to many search
– Identification stage
• one to one search
Authentication subsystem
Main modules of a biometric system
• Sensor module
– Sensor which captures the biometric data
• Feature extraction module
– In which the acquired data is processed to extract a set of salient
and discriminatory features
• Matcher module
– In which the features extracted during recognition are compared
against the stored template
– Also include a decision making module for either verification or
identification
• System database module
– Which is used to store the templateof the enrolled users
• A central database can be used as well as a distributed
database (smartcards)
Biometrics: System accuracy
• The accuracy of a biometric system can be only estimated:
– False Match (FM) also called False Acceptance (FA)
• Deciding that two biometrics are from the same identity, while they
come from different identities
• False Match rate (FMR) also called False Acceptance rate (FAR)
– probability of accepting an intruder
– False Non-Match (FNM) also called False Rejection (FR)
• Deciding that two biometrics are not from the same identity, while
they are from the same identity
• False Non-Match rate (FNMR) also called False Rejection rate (FRR)
– probability of rejecting a genuine individual
System accuracy: specifics
• In some forensic applications (i.e. criminal identification) FNMR is the
critical design issue.
– FNMR has to be low: we do not want to miss a criminal.
• In some highly secure access control application the FMR is the
critical design issue.
– FMR has to be low: we want to deterr impostors.
• In civilian application we need to consider both FMR and FNMR.
– for example, in ATM applications:
• a false match would imply money loss,
• a high FNMR might lead to a customers loss.
Summary
•
Introduction
•
– Attacks
• Encryption
•
– examples
Security Issues
• Security of biometrics data is an essential parameter in the design of
the authentication system
• Biometric systems disadvantages:
– if a biometric is compromised once, it is compromised forever
– a biometric cannot be replaced (a new credit card could be
issued)
– the number of biometric features is limited (one face, ten fingers,
etc.)
– biometric data do not allow revocation
Privacy Issues
• Privacy is the ability to keep other people out of your life, to be selfdetermined, and to have full control of your personal information.
• Biometrics raises some privacy concerns:
– Misuse of Data (Function Creep)
• Health/Lifestyle: Specific biometric data are linked with
sensitive information about a person (race, gender, health
problems) → denial of health insurance, employment
Is a person able to control the information on himself/herself?
• Law Enforcement: The database may be available for law
• Tracking of Individuals: The template database may be cross
referenced against other databases (ex.: hospitals/police DB)
Security issues: points of attack
•
•
•
•
•
•
•
•
Type
Type
Type
Type
Type
Type
Type
Type
1:
2:
3:
4:
5:
6:
7:
8:
A fake biometric is presented at the sensor
Illegal intercepted data is resubmitted (replay)
Feature detector is replaced by a Trojan horse program
Legitimate features are replaced with synthetic features
Matcher is replaced by a Trojan horse program
Templates in database are modified
Template is intercepted and altered in the channel
Matching result (e.g.: accept/reject) is overridden
Sensor Level: Coercive Attack
• Coercive attack: the true biometric is presented but in some
unauthorized manner
– a genuine user is forced by an attacker to identify himself to an
authentication system
• possible countermeasure is the detection of stress
– the biometric is “removed” from the owner
• In Malaysia, a violet gang chopped off a car owner’s finger to
get round the car’s hi-tech security system (2005)
• In Italy, a dead woman’s finger was chopped off in order to
grant access to a biometric-secured bank
– possible countermeasure is the detection of liveness
Sensor Level: Synthetic Biometrics
• Access was granted 75% of the time using gummy fingers
Spoof Detection – Multi-Spectral Imaging
• If
a
very
thin
latex
membrane is placed over a
real finger, optical readers
capture only image surface
topography
• MSI
can
see
through
membranes in order to
acquire the real fingerprint
features
Spoof Detection – Deformation Estimates
• Live finger
• Dummy finger
• Estimate deformation among all possible (genuine) live vs. live and
gummy vs. live pairs; 82% accuracy
Liveness Detection
• Fingerprint Liveness Detection
– Temperature
– Optical Properties
– Pulse
– Blood Pressure
– Electric Resistance
– Relative Dielectic Permettivity
– Detection under epidermis (ultrasonic and electric field sensor)
Other Attacks at the Sensor Level
• Replay attack: a recorded version of the true data is presented to the
sensor
– Recorded voice, photograph instead of true face, etc.
• Impersonation attack: unauthorized individuals changes his/her
biometric to appear like an authorized individual:
– Face and voice are particularly subject to this kind of attack
– A fingerprint can be copied. However the process requires a good
fingerprint, high resolution scanner, a three dimensional printing
device
Attacks at the Interconnecting Channels
• Attack on the channel between the sensor and the biometric system
– This would imply to exclude the sensor by injecting a signal in the
system
• Potential countermeasures: encryption, time-stamping
• Attack on the channel between the feature extractor and the matcher
• Attack on the channel between the matcher and the application
device: overriding the output of the matching module.
• Attack on the channel between the central or distributed database
and the authentication system.
Attacks at the System’s Key Points
• Feature extractor:
– the feature extractor can be forced to supply a pre-selected value
• Matcher: production of an artificially high or low match score. The
output of the matcher module can be:
– hard match
– probability of match (the final decision is left to the application)
• Attack on the database itself. This treat can lead to:
–
–
–
–
authorization of a fraudolent individual
denial of service to the person with the corrupted template
removal of a person from a screening list
privacy attacks
Fingerprint Reconstruction from Minutiae Template
• How much information does the minutiae distribution reveal about
the original fingerprint?
• Given a minutiae template
• Estimate ridge flow
• Predict class
• Reconstruct fingerprint
• Reconstruced Artifacts were matched with the true fingerprint with
23% success
Attacks at the DBs: Template Protection
• Cryptographic Techniques (Encryption)
– Template protection using keys
• Watermarking: embedding of relevant information in biometrics
– Embed of biometric information in biometric data
– Authentication information in biometric data (tampering)
• Steganography
– Hide the template in a carrier (cover) image
Template Encryption
• Store or transfer only encrypted template E, encrypted with the
secret key KE
E = ENCRYPT (T, KE)
• Decrypt the template only when necessary with the appropriate
decryption key, KD
T = DECRYPT (E, KE)
• Template is secure while encrypted
• Matcher needs the original templates: decrypted templates are still
vulnerable to attacks
Hash Functions
• Hashing
– Instead of storing the original password P, a hashed values
P1’=H(P1) is stored instead.
– The user is authenticated if H(P2) = P1’.
– It is computationally hard to recover P given H(P)
• Problem with biometrics
– Biometric data has high uncertainty
– Matching is inexact/probabilistic
Hashing functions should be error tolerant
Cancelable Biometrics
• Biometic data is intentionally distorted (with
function) to create a biometric template
a non-invertible
• New impressions undergoes the same distortion and are compared to
the templates
Cancelable Biometrics: Properties
• Advantages
– True biometric no kept in the database
– Each application uses a separate transform
– If stolen, you can be reissued a new biometric
• Disadvantages
– Transformation may not preserve distance
• two similar impression of the same fingerprint may map too
far points in the transformed space
• Requirements
– renewability (solution for the privacy concerns)
• diversity: it should not be allowed to cross-match an user over
different databases
• revocability: it should be possible to reissue a compromised
template
– security: it should not be possible to obtain the original biometric
(secrecy)
– performance: there shouldn’t be significant degradation
Cancelable Biometrics
Template Protection
Biometric Cryptosystem
Key Binding
•
•
Features Transformation
Key Generation
Salting
NonNon-Invertible
Transform
Biometric Cryptosystem
– Key Binding Schemes
• binding of biometric data with keys in a cryptographic framework
• use ol helper data (fuzzy commitment) or chaff entities (fuzzy vault)
– Key Generation Schemes
• generation of cryptographic keys directly from the biometric data
• very low discriminability and entropy for the keys
Feature Transformation
– Salting Schemes
• application of invertible functions, governed by random keys
• requires the secure storage of the employed keys
– Non-Invertible Transform Schemes
• application of non-invertible functions to the original data
• same dedicated matchers of the original domains: generation of scores
Summary
•
Introduction
•
– Attacks
• Encryption
•
– examples
Biometric key binding cryptosystems: Fuzzy Commitment
y = x⊕c
c
y
ca
y
c a = xa ⊕ y → k a
x
xa
Fuzzy commitment: template protection
• Fuzzy Commitment offers
– Template protection
• It is not possible to retrieve the original template from the
stored data
– Template cancelability
• If the database is compromised, by changing the token the
stored data can be renewed
– Template renewability
• By changing the token, multiple data can be obtained from the
same biometrics.
Fuzzy Vault: locking
• Fuzzy Vault consists in
– placing a secret S in a vault,
– securing it by means of a set of unordered data A
Fuzzy Vault: Unlocking
• Fuzzy Vault unlocking:
– Another set of unordered data A’ can be used
– If the two sets A and A’ overlaps the user can identify the many
points of the vault lying on the polynomial
– If the point number is sufficient the polynomial can be identified by
using Lagrange Interpolation
Summary
• Introduction
• Biometrics Security Issues
– Attacks
• Encryption
• Error Control Coding Applications
– examples
Schema di Enrollment
• Caratteristiche
– Analisi delle Statistiche delle Feature
– Selezione delle Feature Affidabili
– Protezione dei template e loro rinnovabilità
– Adattività del sistema alle caratteristiche degli utenti
• Non viene memorizzato nessun dato originale
– è impossibile risalire ai dati originali
memorizzati.
sfruttando
quelli
Estrazione e Binarizzazione Feature
• Ipotesi:
– s = 1, 2, …, S soggetti registrati
– i = 1, 2,…, I acquisizioni per
ogni soggetto
– estrazione un vettore di K
feature da ogni dato acquisito: fis
• Valutazione di:
– Media Intra-Classe
– Media Inter-Classe
1I s
µ = ∑ fi
I i =1
1 S s
µ= ∑µ
S s=1
s
• Conversione dei vettore di feature in stringhe binarie
0
s
b [k] = 
1
if µs[k] ≤ µ[k]
if µs[k] > µ[k]
0
B [i, k] = 
1
s
if fis[k] ≤ µ[k]
if fis[k] > µ[k]
Selezione delle Feature
• La variabilità delle caratteristiche
biometriche
impone
l’uso
di
statistiche robuste rispetto ad essa
– selezione
delle
componenti
stabili
del
vettore
s
rappresentativo b [k]
• Utilizzo di indicatori di stabilità delle feature indipendenti dalle
distribuzioni dei dati
– R [k] = 1 −
s
1
– Rs[k] =
2
(
)
s
s
∑iI=1 B [i, k] ⊕ b [k]
I
µ[k] − µs[k]
σs[k]
s
s
• Ottenimento del vettore rappresentativo r (con K’ elementi) da b
Protezione dei Template
• Utilizzo di codici a correzione
d’errore per garantire
– Protezione
– Rinnovabilità
– Gestione della variabilità
• Messa in sicurezza dei dati
– Generazione di un messaggio binario casuale m
– Codifica del messaggio tramite codici BCH: generazione della
parola di codice c
– Generazione del template da memorizzare: FCs = xs ⊕ cs
• Memorizzazione dei dati:
– versione hash del messaggio m
– media inter-classe µ
– indice delle feature affidabili FCs
– template securizzato RF s
Rinnovabilità!
Approccio Adattativo
• Selezione della capacità correttiva
dei codici in base alle caratteristiche
di variabilità degli utenti
– Una elevata variabilità intraclasse comporterà la selezione di
un codice ad elevata capacità
correttiva
• Analisi distribuzione Intra-classe
– Vengono calcolate le distanze di Hamming tra:
s
• Il vettore rappresentativo dell’utente Di
• Tutti i vettori binari ottenuti a partire dalle acquisizioni
effettuate in enrollment
1 I s
s
– Viene calcolata la distanza di Hamming media: D = ∑ Di
I i =1
• Tale distanza viene utilizzata per determinare la capacità correttiva
da applicare: ECC = Ds + ∆ 

ECC

Schema di Autenticazione
• Replica dei passi effettuati in Enrollment
s
– f% : vettore delle feature estratte
% s: vettore delle feature binarizzato tramite confronto con µ
– b
% s: feature affidabili selezionate in base a RF s(dopo lo zero-padding)
– x
% s ⊕ FCs : parola di codice (potenzialmente corrotta)
– c% s = x
% s: decodifica della parola di codice (conoscendo ECC )
– m
% s ) e h(ms )
– Autenticazione: confronto tra h(m
Riconoscimento della Firma
• La
ad
–
–
firma è uno dei dati biometrici, insieme ai volti ed alle impronte,
esser stato usato prima dell’avvento del computer
E’ la caratteristica comportamentale maggiormente impiegata
Particolarmente adatta per applicazioni commerciali
•
Principali debolezze
– Stabilità nel tempo della firma
• Influenzata da condizioni fisiche
ed emozionali
•
Principali punti di forza
– Difficile da imitare se registrata con
le caratteristiche dinamiche
– Elevato valore legale
– Elevata accettabilità da parte degli
utenti (l’acquisizione è percepita
come non invasiva e non pericolosa)
Modalità e caratteristiche
• Il riconoscimento basato sulle firme può essere di tipo:
– Statico (off-line): documenti stampati
– Dinamico (on-line): dispositivi elettronici
•
Approcci per il riconoscimento dinamico:
– Basati su un modello
• Neural Networks, Hidden Markov
Models
– Basati sull’estrazione delle Feature
• Parametri
Globali
or
Locali:
Numero
di
tratti,
Tempo
d’esecuzione, Lunghezza, Velocità,
Accelerazione, etc.
Riconoscimento dell’iride
• Come per le impronte, la struttura
non è legata ad aspetti genetici
• Non si ha distorsione elastica tra
una acquisizione e l’altra (a parte la
dilatazione della pupilla)
• Gli attuali sistemi di acquisizione
sono
in
grado
di
acquisire
l’immagine dell’iride anche in
presenza di occhiali e lenti a
contatto
• Gli attuali sistemi di acquisizione
forniscono immagini dove il raggio
dell’iride varia tra 80-140 pixel
– Sufficiente
dettaglio
della
struttura complessa dell’iride
Collaretto
Area Ciliare
Macchie
Area Pupillare
Iride: Processing
• Processing
– Localizzazione
– Compensazione illuminazione
– Isolamento iride
– Normalizzazione
– Filtraggio (Filtri di Gabor)
– Metodi di binarizzazione differenti
Risultati Sperimentali: Firme
• Metodo Non Adattativo
● Metodo Adattativo
K’=50
K’=40
K’=50
K’=40
• Miglioramento delle prestazioni ottenibile selezionando le feature
maggiormente stabili
Confronto con altri Metodi
• Confronto con altri metodi
– Riconoscimento senza protezione
– Riconoscimento con protezione (basata su segmentazione)
–
–
C. Vielhauer, R. Steinmetz, “Handwriting: Feature Correlation Analysis for Biometric
Hashes”, EURASIP Journal on Applied Signal Processing, Special issue on Biometric Signal
Processing 2004 (4), pp: 542-558 (2004).
H. Feng, C.W. Chan, “Private Key Generation from On-line andwritten Signatures”,
Information Management and Computer Security, pp: 159-164 (2002).

Lezione su Biometria e Sicurezza 20/11/2008 - Comlab

Transcript

Documenti analoghi

Amendment #2 - ORC Sportboat Europeans Championship 2016

20100428Programma (20100428ProgrammaFesta)

notice to graduating students pc

Attività

Università degli Studi di Catania University of Hertfordshire Laurea

Mobilità e applicazioni per i “runners”.

UNIVERSITA` DEGLI STUDI e-CAMPUS FACOLTA` DI INGEGNERIA

Gideon Kunda: L`ingegneria della cultura. Controllo, appartenenza e

ix conference of the biometric society

Islami Kleidi nato il 4/11/1983 Educazione Laurea specialistica