Biometric identification
Bozhidar Bozhanov
● @bozhobg
● http://techblog.bozho.net
● http://blog.bozho.net
Biometrics
● Detecting inherent characteristics
  ○ fingerprints
  ○ iris
  ○ palm veins
  ○ face
  ○ voice
  ○ DNA
● Unique and unchangeable
Usage
● Border inspections
● Access control
  ○ Home door unlocking
● Smartphone unlocking
● Looks cool in movies
Fingerprint
● Binarization, thinning, extraction
● Minutia (pl. minutiae)
  ○ Ridge ending
  ○ Ridge bifurcation
  ○ Fingerprint template
● Other methods
  ○ Feature extraction
● MINEX (template standard)
Fingerprint
[Figure: binarization and thinning of a fingerprint image; source: griaulebiometrics.com]
Storing and comparing
● Original / enhanced image
● Coordinates of the minutiae
● Other features
● Fuzzy hash, locality-sensitive hash
  ○ “Percentage hash”
  ○ Collisions are needed
Problems...
● Bad images, dirty scanners, injured skin...

“A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera.”
The Register, “Gummi bears defeat fingerprint sensors”

“The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing.”
Bruce Schneier
Iris
● Detection of around 200 points
● Same storage methods as fingerprints
● Only patented algorithms
DNA, veins, voice, face...
● Using many in combination
● Expensive scanners (DNA, veins)
  ○ But Kuwait takes DNA from everyone
● Lack of uniqueness and high error rate (voice, face)
Reconstructing
● ...possible
  ○ based on minutiae, points, features
  ○ except if a fuzzy / locality-sensitive hash is used
● => storing in centralized databases is dangerous
In-person verification
● Easy faking
  +
● Automated check
  =
● Fraud
N-th factor
● Secure identification is
  ○ something you have +
  ○ something you know +
  ○ something you are
● e.g. smartcard with PIN + fingerprint (matched on the card)
Border inspections
● ICAO biometric passports
  ○ Contain images of the face and fingerprints (soon maybe iris) (JPEG2000)
  ○ Integrity - with QES of the issuing authority
● Fingerprints are read without PIN
  ○ ...but by a “trusted” terminal
● And are compared to the person’s fingerprints
● => fake/someone else’s document?
Problems
● Centralized databases with images of fingerprints
● Contactless reading of fingerprints
  ○ 3 versions of the protocol have been demonstrated to have security issues
  ○ Complex scheme for certificate management. Certificates expire in 24 hours.
BSI
● ...but the chip doesn’t have a clock
  ○ 1 leaked terminal certificate
  ○ => all fingerprints in all passports in the world are easy targets
  ○ ...if the central databases don’t leak before that
● experts - “well, I can get your fingerprint from anywhere”
  ○ in high-res?
bioID - No go
● You can’t change your fingerprint/iris/DNA
● Databases leak sooner or later
● Easy to fake (gummi bears!)
● They are used to unlock phones => unlock
  ○ email
  ○ e-banking
  ○ ...everything
Applications
● 2nd factor
● Border inspections with match-on-card verification
● Future?
“Free flight of the thought”
● Let’s imagine...
  ○ Cheap and exact biometric readers
● Then…
  ○ ID = hash(fingerprint) + hash(iris) + hash(DNA) + hash(password)
● I am 66a1aa2b4add3d8775751b81adb86e476d0a735188c2e8582be0920b2a3e55ea
● I can prove it
  ○ scanner + app
● Distributed global electronic identity
  ○ something I am + something I know
Fraud?
● How do we guarantee that the hash is a result of our biometrics?
● biometrics + password -> KDF -> private key (ephemeral)
  ○ KDF (key derivation function)
  ○ Sign challenge with the private key
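As an added example (not from the slides), the scheme of this slide and the ID hash of the previous one in Go: each factor is hashed, the digests are stretched with PBKDF2 into an Ed25519 seed, and the resulting ephemeral key signs a verifier's challenge. It assumes the reader delivers a stable, exact template (real biometrics are noisy, so a fuzzy extractor would have to sit in front of this), and the salt, function names and sample templates are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// pbkdf2Sha256: PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, inlined to avoid dependencies.
func pbkdf2Sha256(secret, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T1 = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

// partDigests hashes each factor separately and concatenates the digests (fixed boundaries, no raw templates).
func partDigests(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		sum := sha256.Sum256(p)
		out = append(out, sum[:]...)
	}
	return out
}

// Enrol derives the public ID = hash(hash(fp)+hash(iris)+hash(DNA)+hash(pw)) and the ephemeral signing
// key from the same factors; the key seed goes through the KDF, so the public ID does not reveal it.
func Enrol(fingerprint, iris, dna, password []byte) (string, ed25519.PrivateKey) {
	d := partDigests(fingerprint, iris, dna, password)
	id := sha256.Sum256(d)
	seed := pbkdf2Sha256(d, []byte("bio-id-demo-salt"), 100000) // constructed salt for the demo
	return hex.EncodeToString(id[:]), ed25519.NewKeyFromSeed(seed)
}
// Prove answers the verifier's challenge; the verifier checks it with ed25519.Verify against priv.Public().
func Prove(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
```

Nothing is stored on the user's side: the same four factors reproduce the key on demand, and a different password yields a different, unlinkable alias.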
Anonymity
● Hashes don’t have names
● Guarantees identity
● Aliases for different contexts (multiple passwords?)
● Example: distributed ride-sharing with a distributed reputation system on top of a global anonymous identity
Conclusion
● Only biometrics - no
● Biometrics in clear form - no
● Biometrics in databases - no
● 2nd factor, match-on-card - okay
● Future applications
Thank you
Resources
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
http://www.griaulebiometrics.com/en-us/book/understanding-biometrics/types/feature-extraction/minutiae
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=12
https://en.wikipedia.org/wiki/Key_derivation_function
http://techblog.bozho.net/electronic-machine-readable-travel-documents/
http://techblog.bozho.net/identity-in-the-digital-world/
http://europe.newsweek.com/kuwait-becomes-first-country-world-collect-dna-samples-all-citizens-and-449830?rm=eu