CSC362, Information Security

the last category for authentication methods is Something I am or do, which means some physical or behavioral characteristic that uniquely identifies the user and can be used effectively to authorize access

- this is the realm of biometrics
- biometrics is derived from an automated system that uses biological, physiological, or behavioral characteristics to authenticate automatically the identity of an individual based on a previous enrollment or registration process

biometrics is often touted as having these advantages over competing methods:

- doesn't require remembering a password or carrying a token
- security levels meet or exceed those of token authentication

there is a great variety of characteristics, properties, or behaviors that qualify for development into biometric systems

here is a partial listing of commercial and research prototypes available today:

- voice recognition
- infrared facial thermography
- fingerprints
- facial recognition
- iris recognition
- ear recognition
- EKG or EEG
- (walking) gait
- odor
- keystroke dynamics
- DNA
- signature dynamics
- retinal scan
- hand/finger geometry
- subcutaneous blood vessel imaging

there are several criteria that can be used to compare/contrast different sources and methods

Biometric Parameters

- Universality: What is the distribution of this property in the population? Ideally, every person should possess it
- Uniqueness: No two individuals should possess the same attributes for that characteristic
- Permanence: The characteristic or behavior should not change significantly over time
- Collectability: The characteristic should be something quantitatively measurable
- Resistance to Circumvention: How easily can impostors fool the system?
- Performance: Ease of use, speed, accuracy, and robustness of the technology
- User Acceptance: Is the target audience willing to use these types of authentication systems? some individuals may have personal, moral, and/or religious objections to the use of this technology

like other authentication methods, biometric systems require two steps:

- registration. The external entity presents an identifier to the security system, which catalogs and stores it. usually, a one-time process
- verification. Periodically, the external entity presents the authentication information to gain access to the computer entity. usually, a many-times process

Fingerprints

- fingerprints have been studied as a means of identifying individuals since the late nineteenth century
- Sir Francis Galton was one of the pioneers who studied fingerprints scientifically
- a fingerprint represents the structure of the pattern of the skin, where dark areas denote raised ridges and the white areas the valleys between them
- registration typically incorporates an optical sensor that reads the print and produces a digital image; this is the data collection stage
- the digital version of the original image is seldom used for actual authentication
- a new digital image is produced using an adaptive feature extraction algorithm; its goal is to produce a template, which typifies important features in the fingerprint

[figure: the fingerprint registration process]

- after the template is registered, the verification process matches stored templates with those generated from the user's verification scan during authentication
- For example, features can be identified using minutiae-based pattern matching. It relies on the specific location and direction of so-called minutiae points.

the registration/verification process is never perfect for any biometric scheme that maps some physical characteristic into a digital representation

- in verification, the system must compare a current sample of the individual's characteristics with a template stored in its database
- it would be rare to find an exact match between the two
- instead, the system uses an algorithm to generate a matching score that quantifies the similarity within some level of tolerance

any automated biometric system is therefore susceptible to two types of errors:

- false acceptance rate (FAR). the rate at which the system incorrectly matches an input pattern to a non-matching template (false positives)
- false rejection rate (FRR). the rate at which the system fails to detect a match between an input pattern and a matching template (false negatives)

if the match scores used for acceptance are set lower, the FRR goes down while the FAR goes up
if the match score is set higher, then the FAR goes down while the FRR goes up

- FRR affects the usability of the system, and FAR represents its security risk
- the Receiver Operating Characteristic (ROC) Curve depicts the relationship between error rates in biometric systems
- ROC curves can be used to calculate another performance value called the Equal Error Rate (EER), i.e., where FAR = FRR

which system has better overall performance based on these ROC Curves?

- System 3 in the chart is the higher performing system because, for any given FAR, it has the lowest FRR

Fingerprints

advantages:

- economical
- commonplace, accepted
- reliable

disadvantages:

- injuries to prints can affect verification
- can be spoofed
- requires physical contact
- dirt, oil, etc. can degrade system performance
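
The FAR/FRR trade-off and Equal Error Rate described above can be worked through numerically. This is an added example, not part of the original slides: the two matchers "A" and "B", their score distributions, and all function names are constructed for illustration, and a sample is accepted when its match score is at or above the threshold.

```python
# Added example: FAR/FRR sweep and Equal Error Rate on constructed match scores.
import random

def far_frr(genuine, impostor, threshold):
    """Accept when score >= threshold. Returns (FAR, FRR) at that threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr

def sweep(genuine, impostor, steps=200):
    """(threshold, FAR, FRR) for evenly spaced thresholds from 0.0 to 1.0."""
    return [(t / steps, *far_frr(genuine, impostor, t / steps)) for t in range(steps + 1)]

def equal_error_rate(genuine, impostor):
    """Threshold where |FAR - FRR| is smallest, and the error rate there."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2

def frr_at_far(genuine, impostor, max_far):
    """Lowest FRR achievable while keeping FAR <= max_far (one ROC operating point)."""
    return min(frr for _, far, frr in sweep(genuine, impostor) if far <= max_far)

def make_scores(rng, mean, spread, n=2000):
    """Constructed similarity scores clamped to [0, 1]; not real biometric data."""
    return [min(1.0, max(0.0, rng.gauss(mean, spread))) for _ in range(n)]

rng = random.Random(362)
# Two hypothetical matchers as (genuine scores, impostor scores).
# B separates genuine users from impostors better than A.
SYSTEMS = {
    "A": (make_scores(rng, 0.65, 0.12), make_scores(rng, 0.40, 0.12)),
    "B": (make_scores(rng, 0.80, 0.08), make_scores(rng, 0.30, 0.08)),
}

if __name__ == "__main__":
    for name, (gen, imp) in SYSTEMS.items():
        t, eer = equal_error_rate(gen, imp)
        print(f"system {name}: EER={eer:.3f} at threshold {t:.3f}, "
              f"FRR at FAR<=1%: {frr_at_far(gen, imp, 0.01):.3f}")
        for thr in (0.4, 0.5, 0.6):  # raising the threshold trades FAR for FRR
            far, frr = far_frr(gen, imp, thr)
            print(f"  threshold {thr}: FAR={far:.3f} FRR={frr:.3f}")
```

Comparing `frr_at_far` for the two systems at the same FAR is the same reading of the ROC curves the slide asks for: the better system has the lower FRR at any given FAR.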

Signature Recognition

- the earliest signature recognition systems were developed in the latter half of the 20th century
- these were based on static signature recognition, which treats the signature as a graphic figure
- the geometric features of the signature are measured and encoded for the template
- matches are based on how much the graphics resemble each other
- signature forgery

Dynamic Signature Recognition

- capturing behavioral or dynamic features of a signature offers greater accuracy
- the data captured focuses on direction, stroke, pressure, shape, and timing

Facial Recognition

- long considered the Holy Grail for automated systems, its chief advantage is that it can register the individual using passive acquisition, i.e., the subject does not have to perform any directed action
- ASIDE: for example, in 2014, The Guardian reported on Operation Optic Nerve, which was a joint effort of the UK GCHQ and the NSA
  - the project collected millions of still images of Yahoo! webcam chats in bulk
  - these data sweeps used facial recognition to flag subjects of interest from their databases
- early methods were based on selected geometric features of the face
- these proved too brittle as an accurate measure due to problems with lighting and facial positioning
- systems today use algorithms that capture statistically invariable features of the subject's face, e.g., principal component analysis (PCA)

advantages:

- template storage is easy
- no physical contact with the system is necessary
- verification can be passive without the subject's awareness

disadvantages:

- facial traits change over time
- may not be unique
- changing conditions can affect verification: facial expression, lighting conditions, etc.

Iris Recognition

- the human iris is a thin circular structure in the eyes that is responsible for controlling the diameter and size of the pupils
- iris color is a variable property for humans: brown, green, blue, grey, and hazel; sometimes violet or pink
- each iris has its own distinct pattern

advantages:

- very accurate
  - chance that two irises match is 1 in 10 billion people
- iris rarely changes over lifespan
- verification is fast

disadvantages:

- equipment is expensive
- high quality images can spoof a person
- an individual must keep head steady and still for accurate scanning

Retinal Scan Recognition

- the retina is the lining at the back of the eye that covers 65% of the eyeball's inner surface
- it contains photosensitive rod and cone cells
- the complex network of blood vessels in the retina is unique for each individual
- this pattern remains unchanged except in cases of degenerative diseases
- for both registration and verification, the person must remove any glasses or eyewear, place their eye close to the scanner, and stare at a specific point

Speaker/Voice Recognition

used for over 50 years, there are two basic approaches:

- text dependent. the individual is registered using a prescribed text
- text independent. speaker is usually unaware that his or her voice is being registered

not to be confused with speech recognition

advantages:

- easy to implement
- existing equipment can be employed (e.g., telephony)

disadvantages:

- sensitive to quality of equipment and noise
- can be spoofed
  - replay attack

Keystroke Recognition

- keystroke recognition systems analyze the person's typing behavior, including speed and rhythm

Comparing Biometric Technologies

Biometric Method     Universality  Uniqueness  Permanence  Collectability  Circumvention  Performance  Acceptance
Fingerprint          Medium        High        High        Medium          High           High         Medium
Face Recognition     High          Low         Medium      High            Low            Low          High
Iris Recognition     High          High        High        Medium          High           High         Low
Retinal Scan         High          High        Medium      Low             High           High         Low
Keystroke            High          Low         Low         High            High           Medium       High
Signature Dynamics   High          High        Medium      Medium          Low            Medium       Medium
Voice Recognition    Medium        Low         Low         Medium          Low            Low          High