20-07-2012, 10:57 AM
SECURE BIOMETRIC SYSTEMS
Abstract
Traditional personal authentication systems that are based on knowledge (e.g.,
password) or physical tokens (e.g., ID card) are not able to meet strict security
performance requirements of a number of modern applications. These applications
generally make use of computer networks (e.g., Internet), affect a large portion of
population, and control financially valuable and privacy-related tasks (e.g., e-commerce).
Biometrics-based authentication systems that use physiological and/or behavioral
traits (e.g., fingerprint, face, and signature) are good alternatives to traditional
methods. These systems are more reliable (biometric data can not be lost, forgotten, or
guessed) and more user-friendly (there is nothing to remember or carry). In spite
of these advantages of biometric systems over traditional systems, there are many
unresolved issues associated with the former. For example, how secure are biometric
systems against attacks? How can we guarantee the integrity of biometric templates?
How can we use biometric components in traditional access control frameworks? How
can we combine cryptography with biometrics to increase overall system security?
Introduction
Biometrics and Security
With the proliferation of large-scale computer networks (e.g., Internet), the increasing
number of applications making use of such networks (e.g., e-commerce, e-learning),
and the growing concern for identity theft problems, the design of appropriate
personal authentication systems is becoming more and more important. Systems that
have the ability to authenticate persons (i) accurately, (ii) rapidly, (iii) reliably, (iv)
without invading privacy rights, (v) cost effectively, (vi) in a user-friendly manner,
and (vii) without drastic changes to the existing infrastructures are desired. Note
that some of these requirements conflict with the others. The traditional personal
authentication systems that make use of either a (secret) piece of knowledge (e.g.,
password) and/or a physical token (e.g., ID card) that are assumed to be utilized only
by the legitimate users of the system are not able to meet all of these requirements.
Biometrics-based personal authentication systems that use physiological and/or behavioral traits (e.g., fingerprint, face, iris, hand geometry, signature, voice ...)
(see Fig. 1.1) of individuals have been shown to be promising candidates for either
replacing or augmenting these traditional systems [22, 34]. They are based on entities
(traits) that are actually bound with the individual at a much deeper level than, for
example, passwords and ID cards. As a result, they are more reliable since biometric
information can not be lost, forgotten, or guessed easily. They lead to increased user
convenience: there is nothing to remember or carry.
Architecture of the Proposed Attack System
Basic Structure
The proposed system attacks a minutiae-based fingerprint authentication system. A
minutiae-based system is chosen as the test bed because minutiae information is used
in most of the commercial fingerprint authentication systems. Hence, observed results
can provide insights for securing them.
In typical minutiae-based fingerprint authentication systems, discontinuities in
the flow of ridges (ridge bifurcations and endings) constitute the minutiae. Fig. 2.6
shows a sample fingerprint image with overlaid minutiae, and close-up views of these
two types of minutiae. Generally, the minutiae type information is not used as a
feature in the fingerprint matchers since the changes in finger pressure on the sensor
can change one type of minutia into the other. The majority of minutiae based
systems use the location (c, r) (denoting column and row indices, respectively) of the
minutiae and orientation θ associated with the minutiae as features; but some systems
use additional information such as ridge flow around the minutiae and ridge counts
between the minutiae.
Consistent with this approach, we use (c, r, θ) attributes for each minutia. This
is also in accordance with the proposed minutiae template exchange format of Bolle
et al. [4], which excludes proprietary features, and encompasses only the location,
orientation, and type of the minutia.
Information Available to the Attacker
As explained above, the attacker needs to observe the matching scores during the
hill-climbing procedure. Note that this assumption is not very restrictive; a majority
of the commercial systems reveal the matching scores. But it should be noted that
if the templates are encrypted before the matcher accepts them, this attack is not
feasible without the knowledge of the correct decrypting key(s).
In situations where the matcher just outputs the decision (accept/reject), but not
the matching score, the attacker can only submit randomly generated templates. In
this case, the performance of the attack will be determined by the Receiver Operating
Characteristics (ROC) operating point of the attacked biometric system. For example,
if the system False Accept Rate (FAR) is set to 0.1%, the attacker can break a
biometric account by trying 1,000 synthetic templates, on the average. It is shown
later in the experimental results section that if the matching scores are available then
our attacker can break the accounts with significantly fewer attempts.
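
The arithmetic behind the 1,000-attempt figure, as an added example that is not part of the original text: it assumes each random template is an independent trial falsely accepted with probability FAR, and it also derives the attempt limit that keeps the break-in probability under a chosen bound. The function names and the attempt-limit policy are illustrative assumptions.

```python
import math
import random


def expected_attempts(far: float) -> float:
    """Mean number of random templates until the first false accept (geometric law)."""
    return 1.0 / far


def p_break_within(far: float, attempts: int) -> float:
    """Probability that at least one of `attempts` random templates is accepted."""
    return 1.0 - (1.0 - far) ** attempts


def max_attempts_for_risk(far: float, risk: float) -> int:
    """Largest per-account attempt limit n with p_break_within(far, n) <= risk."""
    return math.floor(math.log(1.0 - risk) / math.log(1.0 - far))


def simulate_mean_attempts(far: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_attempts over `trials` simulated accounts."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = 0
    for _ in range(trials):
        attempts = 1
        while rng.random() >= far:  # decision-only matcher rejected this template
            attempts += 1
        total += attempts
    return total / trials


if __name__ == "__main__":
    far = 0.001  # the 0.1% operating point used in the text
    print("expected attempts:", expected_attempts(far))
    print("simulated mean   :", round(simulate_mean_attempts(far, 2000)))
    print("P(break in 1000) :", round(p_break_within(far, 1000), 3))
    # Assumed policy: lock the account once the limit is reached.
    print("limit for <=1% risk:", max_attempts_for_risk(far, 0.01))
```

The mean of 1,000 attempts does not mean 1,000 attempts are required: under the same assumption, roughly 63% of accounts fall within the first 1,000 submissions, which is why the attempt limit is derived from a probability bound rather than from the mean.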