Biometrics - Furman University (cs.furman.edu/~tallen/cscX362/materials/biometrics.pdf)



2/23/17


Biometrics
CSC362, Information Security

Biometric Authentication

• the last category for authentication methods is
• Something I am or do, which means some physical or behavioral characteristic that uniquely identifies the user and can be used effectively to authorize access
• this is the realm of biometrics

Biometric Authentication

• is derived from an automated system that uses biological, physiological, or behavioral characteristics to authenticate automatically the identity of an individual based on a previous enrollment or registration process
• biometrics is often touted as having these advantages over competing methods:
  • doesn’t require remembering a password or carrying a token
  • security levels meet or exceed those of token authentication

Biometric Authentication

• there is a great variety of characteristics, properties, or behaviors that qualify for development into biometric systems


Biometric Authentication

• here is a partial listing of commercial and research prototypes available today
  • voice recognition
  • infrared facial thermography
  • fingerprints
  • facial recognition
  • iris recognition
  • ear recognition
  • EKG or EEG
  • (walking) gait
  • odor
  • keystroke dynamics
  • DNA
  • signature dynamics
  • retinal scan
  • hand/finger geometry
  • subcutaneous blood vessel imaging

Biometric Authentication

• there are several criteria that can be used to compare/contrast different sources and methods

Biometric Parameters

• Universality: What is the distribution of this property in the population? Ideally, every person should possess it
• Uniqueness: No two individuals should possess the same attributes for that characteristic
• Permanence: The characteristic or behavior should not change significantly over time.

Biometric Parameters

• Collectability: The characteristic should be something quantitatively measurable
• Resistance to Circumvention: How easily can impostors fool the system?
• Performance: Ease of use, speed, accuracy, and robustness of the technology.


Biometric Parameters

• User Acceptance: Is the target audience willing to use these types of authentication systems?
  • some individuals may have personal, moral, and/or religious objections to the use of this technology

Biometric Authentication

• like other authentication methods, biometric systems require two steps
• registration. The external entity presents an identifier to the security system, which catalogs and stores it.
  • usually, a one-time process
• verification. Periodically, the external entity presents the authentication information to gain access to the computer entity
  • usually, a many-times process

Fingerprints

• Fingerprints have been studied as a means of identifying individuals since the late nineteenth century
• Sir Francis Galton was one of its pioneers who studied fingerprints scientifically

a fingerprint represents the structure of the pattern of the skin where dark areas denote raised ridges and the white areas valleys between them.


Fingerprints

• registration typically incorporates an optical sensor that reads the print and produces a digital image
  • this is the data collection stage
• the digital version of the original image is seldom used for actual authentication
• a new digital image is produced using an adaptive feature extraction algorithm
  • its goal is to produce a template, which typifies important features in the fingerprint

Fingerprints

• the fingerprint registration process

Fingerprints

For example, features can be identified using minutiae-based pattern matching. It relies on specific location and direction of so-called “minutiae points.”

Fingerprints

• after the template is registered, the verification process matches stored templates with those generated from the user’s verification scan during authentication
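A simplified illustration of minutiae-based template matching, added here and not part of the original slides. The (x, y, direction) representation, the tolerances, the greedy pairing and the sample templates are all assumptions made for the example; production matchers also align the two prints before comparing them.

```python
import math

# Constructed templates: each minutia is (x, y, ridge direction in degrees).
ENROLLED = [(10, 12, 90), (40, 35, 45), (62, 20, 180), (25, 70, 270), (80, 80, 10)]
# Same finger, rescanned: small shifts, one minutia missed, one spurious point.
SAME_FINGER = [(11, 13, 94), (39, 36, 40), (63, 18, 176), (27, 69, 262), (55, 55, 120)]
# A different finger.
OTHER_FINGER = [(5, 50, 30), (45, 10, 200), (70, 60, 95), (20, 20, 300)]


def angle_diff(a, b):
    """Smallest difference between two directions, handling 360-degree wraparound."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, sample, dist_tol=4.0, angle_tol=15.0):
    """Fraction of minutiae that pair one-to-one within both tolerances (0.0 to 1.0)."""
    unused = list(sample)
    paired = 0
    for x, y, theta in template:
        best = None  # closest unused sample minutia that satisfies both tolerances
        for m in unused:
            dist = math.hypot(m[0] - x, m[1] - y)
            if dist <= dist_tol and angle_diff(m[2], theta) <= angle_tol:
                if best is None or dist < best[0]:
                    best = (dist, m)
        if best is not None:
            unused.remove(best[1])  # each sample minutia may be used only once
            paired += 1
    # Normalising by the larger set penalises both missed and spurious minutiae.
    return paired / max(len(template), len(sample))


def verify(template, sample, threshold=0.6):
    """Accept the sample only if its match score reaches the acceptance threshold."""
    return match_score(template, sample) >= threshold


if __name__ == "__main__":
    for name, scan in (("same finger", SAME_FINGER), ("other finger", OTHER_FINGER)):
        print(name, match_score(ENROLLED, scan), verify(ENROLLED, scan))
```
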


Biometrics

• the registration/verification process is never perfect for any biometric scheme that maps some physical characteristic into a digital representation
• in verification, the system must compare a current sample of the individual’s characteristics with a template stored in its database
• it would be rare to find an exact match between the two
• instead, the system uses an algorithm to generate a matching score that quantifies the similarity within some level of tolerance

Biometrics

• any automated biometric system is therefore susceptible to two types of errors
• false acceptance rates (FAR). the rate that the system incorrectly matches an input pattern to a non-matching template
  • “false positives”
• false rejection rates (FRR). the rate that the system fails to detect a match between an input pattern and a matching template
  • “false negatives”

Biometrics

• if the match scores used for acceptance are set lower, the FRR goes down while the FAR goes up


Biometrics

• if the match score is set higher, then the FAR goes down while the FRR goes up

Biometrics

• FRR affects the usability of the system, and FAR represents its security risk
• System 3 in the chart is the higher performing system because, for any given FAR, it has the lowest FRR

the Receiver Operating Characteristic (ROC) Curve depicts the relationship between error rates in biometric systems

Biometrics

• ROC curves can be used to calculate another performance value called the Equal Error Rate (EER).
  • i.e., where FAR = FRR

which system has better overall performance based on these ROC Curves?

Fingerprints

advantages
• economical
• commonplace, accepted
• reliable

disadvantages
• injuries to prints can affect verification
• can be spoofed
• requires physical contact
• dirt, oil, etc. can degrade system performance


Signature Recognition

• the earliest signature recognition systems were developed in the latter half of the 20th century
• these were based on static signature recognition, which treats the signature as a graphic figure
• the geometric features of the signature are measured and encoded for the template
• matches are based on how much the graphics resemble each other

signature

forgery

Dynamic Signature Recognition

• capturing behavioral or dynamic features of a signature offers greater accuracy
• the data captured focuses on
  • direction,
  • stroke,
  • pressure,
  • shape, and
  • timing

Facial Recognition

• long considered the Holy Grail for automated systems, its chief advantage is that it can register the individual using passive acquisition
  • i.e., the subject does not have to perform any directed action
• ASIDE: for example, in 2014, The Guardian reported on Operation Optic Nerve, which was a joint effort of the UK GCHQ and the NSA
  • the project collected millions of still images of Yahoo! webcam chats in bulk
  • these data sweeps used facial recognition to flag subjects of interest from their databases

Facial Recognition

• early methods were based on selected geometric features of the face
• these proved too brittle as an accurate measure due to problems with lighting and facial positioning
• systems today use algorithms that capture statistically invariable features of the subject’s face
  • e.g., principal component analysis (PCA)


Facial Recognition

advantages
• template storage is easy
• no physical contact with the system is necessary
• verification can be passive
  • without the subject’s awareness

disadvantages
• facial traits change over time
• may not be unique
• changing conditions can affect verification
  • facial expression, lighting conditions, etc.

Iris Recognition

• the human iris is a thin circular structure in the eyes that is responsible for controlling the diameter and size of the pupils
• iris color is a variable property for humans
  • brown, green, blue, grey, and hazel
  • sometimes violet or pink
• each iris has its own distinct pattern

Iris  Recognition


Iris Recognition

advantages
• very accurate
  • chance that two irises match is 1 in 10 billion people
• iris rarely changes over lifespan
• verification is fast

disadvantages
• equipment is expensive
• high quality images can spoof a person
• an individual must keep head steady and still for accurate scanning

Retinal Scan Recognition

• the retina is the lining at the back of the eye that covers 65% of the eyeball’s inner surface
• it contains photo-sensitive rod and cone cells
• the complex network of blood vessels in the retina is unique for each individual
• this pattern remains unchanged except in cases of degenerative diseases

Retinal Scan Recognition

• for both registration and verification, the person must remove any glasses or eyewear, place their eye close to the scanner and stare at a specific point


Speaker/Voice Recognition

• used for over 50 years, there are two basic approaches:
  • text dependent. the individual is registered using a prescribed text
  • text independent. speaker is usually unaware that his or her voice is being registered
• not to be confused with “speech recognition”

Speaker/Voice Recognition

Speaker/Voice Recognition

advantages
• easy to implement
• existing equipment can be employed (e.g., telephony)

disadvantages
• sensitive to quality of equipment and noise
• can be spoofed
  • replay attack

Keystroke Recognition

• keystroke recognition systems analyze the person’s typing behavior including speed and rhythm


Comparing Biometric Technologies

Biometric Method     Universality  Uniqueness  Permanence  Collectability  Circumvention  Performance  Acceptance
Fingerprint          Medium        High        High        Medium          High           High         Medium
Face Recognition     High          Low         Medium      High            Low            Low          High
Iris Recognition     High          High        High        Medium          High           High         Low
Retinal Scan         High          High        Medium      Low             High           High         Low
Keystroke            High          Low         Low         High            High           Medium       High
Signature Dynamics   High          High        Medium      Medium          Low            Medium       Medium
Voice Recognition    Medium        Low         Low         Medium          Low            Low          High