Zachary Olson and Yukari Hagio CIS 4360 Computer Security November 19, 2008.


A definition
- Biometrics is a branch of computer security centering on authenticating a person’s identity based on some physiological or behavioral characteristic unique to that person
- Authentication system: verifies the identity of a user before allowing them access to the internal system


Stages of Operation
- Enrollment
  - Biometric data is collected for a known identity
  - Reference template is created and stored
- Authentication
  - Identification: comparison of biometric data to all available data files in a database
  - Verification: comparison of biometric data to previously stored version


A Better Approach to Security…
- Biometrics is seen as more secure than traditional methods:
  - Biometrics vs. Passwords
  - Biometrics vs. Tokens


Types of Biometric Authentication
- Fingerprints
- Retina / Iris Scans
- Facial Recognition
- Hand Recognition
- DNA Matching
- Keystroke Recognition


Fingerprints
- Ridges vs. Valleys
- Scanning Mechanisms
  - Optical Scanner
  - Capacitance Scanner


Fingerprints (contd.)
- Analyzing a Fingerprint - Minutiae


Retina Scans
- Small surface
- Detailed scan
- Slow scan and compare procedure


Iris Scans
- More than 250 unique spots
- Compares trabecular meshwork of the iris
- Fast scans
- Requires a human eye


Facial Recognition
- Uses a video image to look at distances between features and overall structure
- Requires a human face
- Difficulties in finding the features in images


Hand Recognition
- Hand geometry is not as unique as fingerprints
- Using hand features and measurements increases uniqueness
- Measures up to 90 different points on the hand, including characteristics of the finger and features on the skin
- Seen as less invasive than fingerprints


DNA Matching
- Comparison of a sample of a user’s DNA with a stored sample of the real person’s DNA
- DNA is readily available to collect
- Comparison process is slow and not completely automated


Keystroke Recognition
- Uses rhythm and manner in which characters are typed into a keyboard
- Typing characteristics are unique to individuals
- Indicators
  - Speed in words per minute
  - Delays
  - Specific sequences of characters
  - Typing errors
  - Seek time and hold time
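An added example, not part of the original slides, that ties the hold-time and seek-time indicators to the enrollment, verification and identification stages described earlier. The user names, the timings, the fixed passphrase "pass" and the 25 ms cut-off are all constructed assumptions.

```python
from statistics import mean

def typed(holds, seeks, text="pass"):
    """Build constructed (key, press_ms, release_ms) events from timings."""
    events, t = [], 0
    for i, key in enumerate(text):
        events.append((key, t, t + holds[i]))
        t += holds[i] + (seeks[i] if i < len(seeks) else 0)
    return events

def features(events):
    """Hold time per key, then seek time between consecutive keys (ms)."""
    hold = [release - press for _, press, release in events]
    seek = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return hold + seek

def enroll(samples):
    """Reference template: per-feature mean over several typing samples."""
    return [mean(column) for column in zip(*map(features, samples))]

def distance(template, events):
    """Mean absolute timing difference (ms) between template and sample."""
    return mean(abs(t - f) for t, f in zip(template, features(events)))

def verify(db, claimed_id, events, cutoff_ms=25):
    """Verification (1:1): compare against the claimed identity only."""
    return claimed_id in db and distance(db[claimed_id], events) <= cutoff_ms

def identify(db, events, cutoff_ms=25):
    """Identification (1:N): search all templates, best match under cut-off."""
    best = min(db, key=lambda uid: distance(db[uid], events), default=None)
    if best is not None and distance(db[best], events) <= cutoff_ms:
        return best
    return None

# Constructed enrollment data for two hypothetical users typing "pass".
DB = {
    "alice": enroll([typed([90, 110, 95, 100], [140, 60, 150]),
                     typed([100, 100, 105, 90], [160, 80, 130])]),
    "bob": enroll([typed([60, 65, 70, 60], [250, 240, 260]),
                   typed([70, 75, 60, 70], [270, 220, 240])]),
}
ATTEMPT = typed([98, 100, 104, 92], [145, 75, 148])  # constructed login sample
```

Identification costs one comparison per enrolled user and can match the wrong person; verification checks a single claimed identity.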


Issues / Concerns
- Data Storage
- Accuracy
- Physical Danger
- Privacy


Data Storage
- Permanence of Biometric data
  - Re-issue is not possible
  - Biometric data theft is permanent
- Possible solution: decentralization of data storage
  - Store part of each record in the central database and the rest on a smart card with the individual user
  - Complete records become inaccessible to hackers
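One way to realise the split between central database and smart card, as an added example that is not from the original slides. The XOR split is a choice made here (the slides only say "part of each record"), and the template bytes and 8-bit tolerance are constructed assumptions.

```python
import secrets

TOLERANCE_BITS = 8  # assumed acceptance range; readings never match exactly

def split_template(template: bytes):
    """Return (db_share, card_share); each alone is random-looking bytes."""
    card_share = secrets.token_bytes(len(template))
    db_share = bytes(t ^ c for t, c in zip(template, card_share))
    return db_share, card_share

def recombine(db_share: bytes, card_share: bytes) -> bytes:
    """XOR the two shares back together to recover the template."""
    if len(db_share) != len(card_share):
        raise ValueError("share length mismatch")
    return bytes(d ^ c for d, c in zip(db_share, card_share))

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def verify(db_share, card_share, fresh_sample, tolerance=TOLERANCE_BITS):
    """Rebuild the template only for the comparison; it is never stored."""
    template = recombine(db_share, card_share)
    return (len(fresh_sample) == len(template)
            and hamming(template, fresh_sample) <= tolerance)

# Constructed 128-bit template and a fresh reading with two bits flipped.
TEMPLATE = bytes.fromhex("a35c19e47b02d8f6134ac7905be1286d")
FRESH = bytes([TEMPLATE[0] ^ 0x01, TEMPLATE[1] ^ 0x80]) + TEMPLATE[2:]

if __name__ == "__main__":
    db_share, card_share = split_template(TEMPLATE)
    print("genuine card:", verify(db_share, card_share, FRESH))
    print("database share with blank card:", verify(db_share, bytes(16), FRESH))
```

A copy of the database alone yields only the random-looking share, and a lost card can be replaced by splitting the same template again with a new random share.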


Accuracy
- No perfect matches in biometrics
- Acceptance range of comparison algorithms
- Types of errors
  - False positives: accepting wrong identity
  - False negatives: rejecting correct identity
- Algorithm cut-off level is a compromise between the two error types
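The cut-off compromise worked through on numbers, as an added example that is not from the original slides. The similarity scores are constructed, and the convention that a higher score means a closer match is an assumption.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.67, 0.95, 0.73, 0.81]   # same person
IMPOSTOR = [0.32, 0.45, 0.58, 0.71, 0.29, 0.51, 0.64, 0.40]  # someone else

def error_rates(cutoff, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) at one cut-off."""
    false_pos = sum(s >= cutoff for s in impostor)  # wrong identity accepted
    false_neg = sum(s < cutoff for s in genuine)    # correct identity rejected
    return false_pos / len(impostor), false_neg / len(genuine)

def sweep(cutoffs):
    """One (cutoff, fpr, fnr) row per candidate cut-off."""
    return [(c, *error_rates(c)) for c in cutoffs]

def balanced_cutoff(cutoffs):
    """Row where the two error rates are closest to each other."""
    return min(sweep(cutoffs), key=lambda row: abs(row[1] - row[2]))

if __name__ == "__main__":
    grid = [0.50, 0.60, 0.65, 0.70, 0.75, 0.80, 0.90]
    for cutoff, fpr, fnr in sweep(grid):
        print(f"cut-off {cutoff:.2f}  false positives {fpr:.3f}  "
              f"false negatives {fnr:.3f}")
    print("balanced:", balanced_cutoff(grid))
```

Raising the cut-off drives false positives toward zero while false negatives climb, so a deployment picks the point that matches which error costs it more.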


Physical Danger
- Thieves might target property owners to bypass biometric security measures
- Example: in 2005, car thieves in Malaysia cut off a man’s finger to bypass the fingerprint reader on his Mercedes Benz S Class


Privacy
- Questions
  - Should organizations or individuals control biometric information?
  - Can biometric information be used without individual consent?
  - Can law enforcement agencies demand biometric data from individuals for forensic purposes?
- Answers
  - ISO 17799
  - Department of Health, Education, and Welfare


Examples of Biometrics Usage
- Governments worldwide use biometrics for passports and airport security.
- Police agencies use fingerprints and DNA for identification and forensics.
- Financial institutions use palm/finger vein authentication to secure ATMs.
- Companies use biometrics to keep time records, secure locations and improve user convenience.


The Future of Biometrics
- September 11, 2001 resulted in unprecedented growth for the large-scale deployment of biometrics.
- Biometrics is being incorporated into national passports worldwide.
- Because of its advantages over traditional authentication methods, biometrics will continue to helm the endeavor for increased computer security.
