13-05-2014, 04:29 PM
A False Rejection Oriented Threat Model for the Design of Biometric Authentication Systems
Abstract
For applications like Terrorist Watch Lists and Smart Guns, a false
rejection is more critical than a false acceptance. In this paper a new threat model
focusing on false rejections is presented, and the “standard” architecture of a
biometric system is extended by adding components like crypto, audit logging,
power, and environment to increase the analytic power of the threat model. Our
threat model gives new insight into false rejection attacks, emphasizing the role
of an external attacker. The threat model is intended to be used during the design
of a system.
Introduction.
Biometric authentication systems are used to identify people, or to verify the
claimed identity of registered users when entering a protected perimeter. Typical
application domains include airports, banks, military installations, etc. For
most of these systems the main threat is an unauthorized user gaining access to the
system. This is called a false acceptance threat.
Currently, new applications that have a completely different threat model are
emerging. For example, Terrorist Watch List applications and Smart Guns
applications are characterized by the fact that a false rejection could lead to
life-threatening situations.
Terrorist watch list applications currently use facial recognition or fingerprint
recognition [1]. Watch lists are mainly used in airports to identify terrorists. For
this application, the main threat is a false rejection which means that a potential
terrorist on the list is not recognized. A false acceptance results in a convenience
problem, since legitimate subjects are denied access and their identity needs to
be examined more carefully to get access.
Related Work.
Like all security systems, biometric systems are vulnerable to attacks [6,12]. One
specific attack consists of presenting fake inputs such as false fingerprints [2] to
a biometric system. To analyze such threats systematically various threat models
have been developed. We discuss the most important models: the Biometric
Device Protection Profile (BDPP) [4], the Department of Defense & Federal
Biometric System Protection Profile for Medium Robustness Environments
(DoDPP) [7], the U.S. Government Biometric Verification Mode Protection Profile
for Medium Robustness Environments (USGovPP) [10] and Information Technology -
Security techniques - A Framework for Evaluation and Testing of Biometric Technology
(ITSstand) [3]. In the sequel we refer to these three protection profiles and
the ITSstand simply as “the standards”.
Attack trees and 3W trees
In this section we argue that 3W trees are a useful tool to provide focus for
analysts working with attack trees during the design phase of a system.
Attack trees offer a method of analyzing attacks [14]. The root of the tree is
identified with the goal of compromising a system. The goals of the children of a node
could be the compromise of a sub-system or a contribution thereof, and so on
recursively. There are two types of nodes: the goal of an and-node depends on the
goals of all its children, and the goal of the or-node depends on at least one of the
children [8]. There are commercial tools to support analysis working with attack
trees; for example the SecurITree tool from http://www.amenaza.
The main advantage of attack trees is that they help the designer by visualizing
possible attack scenarios. If there are many possible attacks, or if there are many
components that are subject to attack, an attack tree may become large. In this
case the visualisation is ineffective. However, by attacker-profile-based pruning,
support tools allow the designer to focus on attacks relevant to specific attacker
profiles. Another useful feature of the tools is that while constructing a tree the
designer can document the changes and also the reason for changes made by
annotating nodes.
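The and/or semantics and the attacker-profile-based pruning described above can be sketched as follows. This is an added example, not code from the paper or from any attack tree tool; the tree, the leaf goals and the capability labels ("physical proximity", "network access", "insider access") are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    goal: str
    kind: str = "leaf"                      # "and", "or" or "leaf"
    children: list = field(default_factory=list)
    needs: frozenset = frozenset()          # capabilities a leaf requires (constructed labels)

def prune(node, profile):
    """Return the subtree still feasible for an attacker profile, or None."""
    if node.kind == "leaf":
        return node if node.needs <= profile else None
    kept = [p for p in (prune(c, profile) for c in node.children) if p is not None]
    if node.kind == "and" and len(kept) < len(node.children):
        return None                         # an and-node depends on all its children
    if not kept:
        return None                         # an or-node depends on at least one child
    return Node(node.goal, node.kind, kept)

def scenarios(node):
    """List the sets of leaf goals that together achieve the node's goal."""
    if node.kind == "leaf":
        return [frozenset([node.goal])]
    child_sets = [scenarios(c) for c in node.children]
    if node.kind == "or":
        return [s for sets in child_sets for s in sets]
    combos = [frozenset()]
    for sets in child_sets:                 # and-node: combine one scenario per child
        combos = [a | b for a in combos for b in sets]
    return combos

# Constructed tree: the root goal is a false rejection; leaves refer to the
# components named in the abstract (environment, power, audit logging).
TREE = Node("false rejection", "or", [
    Node("sensor input unusable", "or", [
        Node("disturb environment", needs=frozenset({"physical proximity"})),
        Node("interrupt power", needs=frozenset({"physical proximity"})),
    ]),
    Node("stored template altered unnoticed", "and", [
        Node("modify template store", needs=frozenset({"insider access"})),
        Node("suppress audit logging", needs=frozenset({"network access"})),
    ]),
])

EXTERNAL = frozenset({"physical proximity", "network access"})  # constructed profile
INSIDER = EXTERNAL | {"insider access"}                         # constructed profile

if __name__ == "__main__":
    for name, profile in (("external", EXTERNAL), ("insider", INSIDER)):
        print(name, [sorted(s) for s in scenarios(prune(TREE, profile))])
```

For the external profile the and-node disappears entirely, because one of its children is infeasible, which is how pruning keeps a large tree focused on the attacks a given attacker can actually mount.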
Conclusions
Existing biometric protection profiles and standards by and large define the same
set of attacks. However, their focus is mainly on false acceptance attacks. Attacks
that result in a false acceptance or false rejection are often put in the same class.
Threats that could only lead to a false rejection are largely ignored.
In new applications like Terrorist Watch Lists or Smart Guns, false rejection
attacks are more important than false acceptance attacks. We propose 3W trees as
a flexible tool to highlight false rejection or false acceptance attacks depending
on the type of application. Our threat model gives new insight into false rejection
attacks emphasizing the role of an external attacker.