Biometrics Authentication
Bruce Maggs

Biometric Identifiers
• Fingerprints, palm prints
• Palm veins
• Hand shape
• Facial image
• DNA
• Iris, retinal images
• Odor
• Etc.

Fingerprints
https://en.wikipedia.org/wiki/Fingerprint#/media/File:Fingerprints_taken_by_William_James_Herschel_1859-1860.jpg

Fingerprint Minutiae
• Two classes of algorithms: minutiae matching and image comparison.
https://www.fbi.gov/about-us/cjis/fingerprints_biometrics/biometric-center-of-excellence/files/fingerprint-recognition.pdf

FBI Database
• “Integrated Automated Fingerprint Identification System”
• What is included in IAFIS: Not only fingerprints, but corresponding criminal histories; mug shots; scars and tattoo photos; physical characteristics like height, weight, and hair and eye color; and aliases.
• https://www.fbi.gov/about-us/cjis/fingerprints_biometrics/iafis/iafis
• Includes fingerprints for over 70 million criminals and 34 million other civilians.
• 27-minute processing time for a criminal inquiry, 72 minutes for civil

Creating Fake Fingerprints
• Relatively easy to do given access to a real fingerprint.
• But in 2014 Jan Krissler demonstrated that he could create a fake fingerprint from a high-resolution photograph of Germany’s Federal Minister of Defense Ursula von der Leyen!
http://www.ibtimes.com/hacker-demonstrates-how-fake-fingerprint-sensors-using-regular-photographs-1769408

Retinal Scans
• More difficult to collect than fingerprints.
https://en.wikipedia.org/wiki/Retina#/media/File:Fundus_photograph_of_normal_left_eye.jpg

DNA
• 99.9% of DNA is identical in every human!
• Tests focus on loci where differences are likely to occur.
• Original DNA is not compared directly: first, copies are made using Polymerase Chain Reaction (PCR).
• FBI estimates probability of a coincidental match at 1 in 108 trillion, but other estimates are much lower.
https://sasha949.files.wordpress.com/2010/05/3642508132_3f7c649f62_o.jpg
http://www.nij.gov/topics/forensics/evidence/dna/basics/pages/analyzing.aspx

Implanted Chips
• RFID (Radio-Frequency Identification) chip
https://en.wikipedia.org/wiki/Radio-frequency_identification#/media/File:Microchip_rfid_rice.jpg
https://en.wikipedia.org/wiki/Microchip_implant_(human)#/media/File:RFID_hand_2.jpg

RFID Technologies
• Electromagnetic induction: when a changing magnetic field passes over the antenna, a current is induced on the chip.
• Inductive coupling: the chip adjusts its antenna, perturbing the magnetic field, which the reader senses (up to about 10 cm).
http://rfid-handbook.de/downloads/images/hf-kommunikationsprinzip.png

More on RFID Technology
• Reflective backscatter: chip alters reflection of a radio wave.
• Active RFID: batteries in the chip are used to generate a radio signal, boosting transmission range, e.g., up to tens of meters.

Turing Test
A test of a computer’s ability to behave in a way that is indistinguishable from a human being. Turing proposed natural language conversations.

“Reverse” Turing Test or “CAPTCHA”
• A test that can distinguish a human from a computer.
• CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

“Captchas”
http://www.captcha.net/
Easy to generate, difficult for a computer to solve.
U.S. Patent 6195698: Method for selectively restricting access to computer systems. Mark D. Lillibridge, Martin Abadi, Krishna Bharat, Andrei Z. Broder. Filed April 13, 1998, published February 27, 2001.
von Ahn, Luis; Blum, Manuel; Hopper, Nicholas J.; Langford, John (May 2003). CAPTCHA: Using Hard AI Problems for Security.
EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques

Polygraph / Lie Detector
• Measures physiological responses to questions, such as heart rate, blood pressure, perspiration
http://abcnewspapers.com/2012/07/07/new-business-detects-between-truth-and-lies/

Scientific Validity?
• “CONCLUSION: Polygraph testing yields an unacceptable choice for DOE employee security screening between too many loyal employees falsely judged deceptive and too many major security threats left undetected. Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening in federal agencies.”
  The Polygraph and Lie Detection, Committee to Review the Scientific Evidence on the Polygraph. Division of Behavioral and Social Sciences and Education. Washington, DC: The National Academies Press. 2003
• Not admissible in court.
• But accuracy is better than chance when focused on specific incidents.
• Subject’s belief in validity may lead to truthfulness.
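
Added example, not part of the original slides: a small signal-detection model of the screening trade-off named in the conclusion quoted above (loyal employees falsely judged deceptive versus threats left undetected). The population size, number of violators, and score separation are assumptions chosen for illustration, not figures from the cited report.

```python
from statistics import NormalDist

# All numbers below are assumptions for illustration, not figures
# from the slides or the cited report.
POPULATION = 10_000      # employees screened
VIOLATORS = 10           # actual security violators among them
SEPARATION = 1.8         # gap between the two groups' mean test scores

INNOCENT = NormalDist(0.0, 1.0)          # score of a truthful employee
GUILTY = NormalDist(SEPARATION, 1.0)     # score of a violator


def screen(threshold):
    """Expected outcome when everyone scoring above `threshold` is flagged."""
    fpr = 1.0 - INNOCENT.cdf(threshold)   # loyal employees judged deceptive
    tpr = 1.0 - GUILTY.cdf(threshold)     # violators correctly flagged
    false_pos = fpr * (POPULATION - VIOLATORS)
    caught = tpr * VIOLATORS
    flagged = false_pos + caught
    return {
        "threshold": threshold,
        "false_positives": false_pos,
        "missed": VIOLATORS - caught,
        # Probability that a flagged employee is actually a violator.
        "ppv": caught / flagged if flagged else 0.0,
    }


def threshold_for_detection(rate):
    """Threshold at which the given fraction of violators is flagged."""
    return GUILTY.inv_cdf(1.0 - rate)


def sweep(thresholds):
    """Evaluate the screen at each threshold, from lenient to strict."""
    return [screen(t) for t in thresholds]


if __name__ == "__main__":
    lenient = threshold_for_detection(0.80)   # flag 80% of violators
    for row in sweep([lenient, 1.5, 2.0, 2.5]):
        print("t={threshold:4.2f}  falsely flagged={false_positives:7.0f}  "
              "missed={missed:4.1f} of {v}  P(violator|flagged)={ppv:.3f}"
              .format(v=VIOLATORS, **row))
```

Because violators are rare in the screened population, a threshold low enough to flag most of them also flags a large number of loyal employees, while a threshold that keeps false accusations low misses most violators.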