Biometrics
Dale Gibler, B.S., CMA, CCP
Modified January 2001

Some typical biometrics
Primarily Physical Features
– Hand based
  • Fingerprint or fingerscan
  • Hand geometry
– Face/eye
  • Facial recognition
  • Retinal scans
  • Iris scans
Strong Behavioral Component
– Voice recognition
– Signature recognition, which includes *how* the signature is produced (pressure, speed, stroke order) and not just how the signature looks

Who is taking the lead?
The USA is not the most advanced user of this technology
– Japan has been using retinal and/or iris scans for bank ID since before '97
– A Malaysian airport uses face recognition for baggage claim

"Blacklisting" Troublesome Patrons?
Fifteen Netherlands nightclubs are testing this system:
– First-time patrons register at a kiosk: they input personal data, have their face and fingerprints scanned, and are issued a smartcard with that info by mail
– Repeat customers go to a second kiosk, swipe the card and present their face and fingerprints, and are matched against both a central blacklist and a "per-club" blacklist, which also holds information about prohibited hard-drug dealers
– Intrastat handles the databases (both blacklists and regular patrons) for the clubs
Cost is high ($60K-$120K per club)
– Possible side benefits include collection of demographics for patrons
– Club owners promise not to release the data

How does this work?
Some aspects are quite similar to standard authentication procedures
– Calibrate and store user information
– Storage styles vary:
  • The common way in '99 was to encrypt the user's biometric information and store it
  • An alternate method would be to store a validator for the biometric information (hash, MD, Unix-style validator)
– Authenticate "as usual"
  • User "inputs" biometric info (this might not be overt, and might not be a single event)
  • Proceed as with password techniques
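The calibrate / store / authenticate flow on this slide, the statistical matching discussed on the next one, and the BioAPI enrollment, verification and identification methodologies described later in the deck, worked through as an added example that is not part of the original presentation. It uses a simulated reader and a random fixed-length bit code in the spirit of the IrisCode; the 256-bit code length, the 10% read-to-read variation, the three-sample majority-vote template and the 25% accept threshold are all assumptions, the last loosely modelled on the "may vary by as much as 25%" figure the deck quotes for IrisCode. The error_rates function estimates false acceptance and false rejection rates at a chosen threshold, the two numbers behind the accuracy claims in the fingerprint section, and validator_matches shows why the hash-style "validator" storage mentioned above only confirms an exact match.

```python
# Added example (not from the deck): toy enrol / verify / identify pipeline over a
# fixed-length bit code. Reader, codes, noise level and threshold are all constructed.
import hashlib
import random

CODE_BITS = 256      # assumed toy code length (a real IrisCode is 512 bytes)
READ_NOISE = 0.10    # assumed fraction of bits that differ between two reads of one eye
THRESHOLD = 0.25     # accept if at most this fraction of bits differ (deck: up to 25% variation)
ENROL_SAMPLES = 3    # captures combined into one template at enrolment


class SimulatedReader:
    """Stands in for the capture device: returns a noisy read of a subject's true code."""

    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)

    def new_subject(self) -> int:
        """Constructed 'true' biometric for a new person: a random bit string."""
        return self.rng.getrandbits(CODE_BITS)

    def capture(self, true_code: int) -> int:
        """One read: each bit flips independently with probability READ_NOISE."""
        flips = 0
        for bit in range(CODE_BITS):
            if self.rng.random() < READ_NOISE:
                flips |= 1 << bit
        return true_code ^ flips


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of the CODE_BITS positions where the two codes differ."""
    return bin(a ^ b).count("1") / CODE_BITS


def build_template(samples: list) -> int:
    """Combine several captures into one template by per-bit majority vote."""
    template = 0
    for bit in range(CODE_BITS):
        ones = sum((s >> bit) & 1 for s in samples)
        if ones * 2 > len(samples):
            template |= 1 << bit
    return template


def enrol(reader: SimulatedReader, true_code: int) -> int:
    """BioAPI-style enrolment: capture, extract, combine into the stored template."""
    return build_template([reader.capture(true_code) for _ in range(ENROL_SAMPLES)])


def verify(template: int, sample: int, threshold: float = THRESHOLD) -> bool:
    """1:1 check of a fresh sample against the claimed user's stored template."""
    return hamming_fraction(template, sample) <= threshold


def identify(templates: dict, sample: int, threshold: float = THRESHOLD):
    """1:N search: return the closest enrolled user, or None if nobody is close enough."""
    best_user, best_dist = None, 1.0
    for user, template in templates.items():
        d = hamming_fraction(template, sample)
        if d < best_dist:
            best_user, best_dist = user, d
    return best_user if best_dist <= threshold else None


def validator_matches(template: int, sample: int) -> bool:
    """A password-style one-way validator (SHA-256 of the template) only confirms an
    exact match, so a noisy fresh read of the same eye will not pass it."""
    digest = lambda c: hashlib.sha256(c.to_bytes(CODE_BITS // 8, "big")).digest()
    return digest(template) == digest(sample)


def error_rates(threshold: float, subjects: int = 20, trials: int = 20, seed: int = 7):
    """Estimate (FAR, FRR) at a threshold from simulated genuine and impostor attempts."""
    reader = SimulatedReader(seed)
    people = {f"user{i}": reader.new_subject() for i in range(subjects)}
    templates = {name: enrol(reader, code) for name, code in people.items()}
    false_accepts = false_rejects = 0
    names = list(people)
    for _ in range(trials):
        for i, name in enumerate(names):
            genuine = reader.capture(people[name])              # the right person
            if not verify(templates[name], genuine, threshold):
                false_rejects += 1
            impostor = reader.capture(people[names[(i + 1) % subjects]])  # someone else
            if verify(templates[name], impostor, threshold):
                false_accepts += 1
    attempts = trials * subjects
    return false_accepts / attempts, false_rejects / attempts


if __name__ == "__main__":
    reader = SimulatedReader(seed=1)
    alice, bob = reader.new_subject(), reader.new_subject()
    templates = {"alice": enrol(reader, alice), "bob": enrol(reader, bob)}
    fresh = reader.capture(alice)
    print("verify alice:", verify(templates["alice"], fresh))
    print("identify:", identify(templates, fresh))
    print("hash validator on fresh read:", validator_matches(templates["alice"], fresh))
    for t in (0.05, 0.25, 0.55):
        print("threshold", t, "-> FAR, FRR =", error_rates(t))
```

Run it directly for a short demo. The point error_rates makes visible is the trade-off behind every vendor accuracy claim: a tight threshold drives false acceptances to zero but rejects genuine users, a loose one does the reverse, so a quoted FAR or FRR means little without the threshold it was measured at. The one-way validator fails because, unlike a password, two reads of the same biometric are never byte-identical; whatever protects the stored template has to keep it comparable (encryption, as the deck's '99 practice did) rather than hash it away.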
Matches are statistical probabilities
Identifying information is not typed in, but instead is obtained by a device
– Characteristics are usually "mapped" from analog to digital, and not all of the original information is retained
– Devices for most common biometrics are not likely to produce identical results, or even identically repeatable results
  • Ex: fingerprint readers are somewhat dependent on environmental factors such as the positioning of the finger, the "moisture" of the hand, oils, and occupational issues which may cause a print to be roughened over time
[this leaves aside the question of discovered passwords]

Storage Requirements are Higher
The "size" of the template as stored can be quite large in comparison with a password, and is not necessarily directly tied to the accuracy
Some typical template sizes:
– Fingerscan: 250-1000 bytes
– Hand geometry: 9-20 bytes
– Iris: 512 bytes
– Retina: 96 bytes

Customer Acceptance and Convenience
Privacy issues are an even greater concern than for passwords because of the personal nature of a biometric
Does reduce reliance on customer memory
Often considered more convenient than a smartcard (nothing to carry or lose)
Some of the collection means are invasive or hard to use
Some enrollment styles are awkward or time-consuming
Some biometrics can change considerably over a lifetime (others are fairly stable except for accident or disease)
Not all people can be identified by all biometrics
– Ex: injuries, aging (or youth), disease

Devices Usually Required
The device collecting the data is probably proprietary and/or uses proprietary algorithms
Patents protect much of the technology
There may be considerable computation involved in computing a "validator" or template for storage (far beyond the Unix validator)
Sometimes the biometric requires local installation of a specialized reader device, but not always (fingerprints do, voice does not, which is why Chase is using voice)

Population Acceptance
"Chase's research found 95% of consumers would accept voice verification, compared with 80% accepting fingerprinting." [1]
"the first application of biometrics here was in 1968: a Wall Street brokerage used fingerprints to open the vault where the stock certificates were held. That application cost $20,000 in 1968. It would probably cost $1,700 today, and by the year 2000, it'll probably cost just $300." -- '97 article [1]

People have interesting preferences!
According to the IBG's Consumer Response to Biometrics, people did not like facial scans as much as fingerprints as a substitute for a PIN at an ATM, but both technologies rated between "somewhat comfortable" and "neutral"
Reasons seemed to be these:
– People don't like to look at their own images in low resolution
– People don't like their picture taken
– People don't recognize "facial id" as an authenticator in the same way they recognize fingerprints
– Facial scans don't require consent (i.e., hidden cameras)

Big Business!
"In 2000, total revenue for biometric hardware and software was $110 million, an increase of nearly 50% over a year ago. Total revenue is expected to grow to $594 million by 2003" [3]

Who is using them?
FCW.com, January 4, 2001: "NASA's Goddard Space Flight Center in Maryland wants its technicians and scientists to be 'biometrically authenticated from the road or home,'"
Europe: "By the end of the forecast period in 2006, the fingerprint will account for nearly half of total sales in the biometric ID market, with voice authentication ranking in second position." [6]

Fingerprint Recognition
Password and/or fingerprint
Scan takes about 1 second
Size roughly 250-1000 bytes for fingerprints (overall)
(image: Rayco Security)
Technically, most commercial use nowadays is finger scanning
Fingerprint technology captures a representation of the finger; it involves storing the image of the finger and comparing
– Fingerprint storage can be close to 250 *K* bytes
– AFIS, the "Automated Fingerprint Identification System", is the law enforcement tool used either to identify a fingerprint's maker or to confirm prints
Finger scan technology involves capturing/storing characteristics of the finger
– Storage requirements usually 250-1000 bytes
http://www.finger-scan.com/finger-scan_technology.htm

Fingerprint Scanners
The technology isn't very expensive anymore; scanning devices can be purchased for less than $150.
Precise Biometrics: "IDMEE Scanner is a biometrics identification fingerprint scanning system designed to be a cost-effective biometrics security and convenience tool for individual computer workstations, networks, the Internet and OEM development. The IDMEE Scanner easily installs on a PC through a standard parallel port connection and is powered by either the PC's keyboard or PS2 mouse connection. The IDMEE Scanner also has a RJ45 input port for an optional video camera, which can be used for performing visual face verification" www.biometrickey.com
(image: Using the scanner, from www.precisebiometrics.com)

Speed and Accuracy Claims
Most manufacturers claim high accuracy
– False acceptance rates < 1 in 100,000
– False rejection rates < 1 in 100
Realtime speeds
– < 1 second to recognize
– < 5 seconds to enroll

Issues: Storing Fingerprint Data
One concern with the original fingerprint devices was that they gave the employer a representation of your fingerprint, which might be used in other contexts.
Newer technologies don't store the fingerprint; "Vector Line Type" representations are one solution, where the characteristics are stored (not the representation).
Stored characteristics in the Vector Line model are based on the common line forms of fingerprints (whorls, arches, etc.)
The scan is converted from raster (dots) to a vector approximation.

Combined Systems
The biomouse.com system's BioMouse combines a scanner and a smartcard.
The validation process here checks to be sure that the fingerprint matches that of the registered smartcard *bearer*; this is partially intended to speed the process, partially intended to provide flexibility, and partially to provide some potential for privacy.

Hand Geometry
(image: Rayco hand geometry reader)

Hand Scans
See [10] for more information
– Not the most accurate, but not bad; since hands tend to be similar, it doesn't do well in a "discovery" ("identify") mode
– Storage requirements about 9-20 bytes
– Usually a specialized reader device to measure aspects such as length, width, thickness, and surface area of the hand and fingers
– Somewhat pricey: $1400+

Hotel Smartcard
"Lock maintains an audit trail of the last 256 accesses including date, time, type of key card." from Biometrics2000

Typing
"Net Nanny cast its offering into the market with BioPassword LogOn for Windows NT. The client/server biometrics application recognizes a user's typing pattern and uses it to authenticate them to the network. The software uses a mathematical algorithm to record pressure, speed, and rhythm as a user types their user name and password. The typing pattern is compared against a template created when the software is initially installed" [3] (note: software cost is under $90)

Iris Scan
Gather data by a camera within 3 feet of the eye
A 512-byte IrisCode represents the visible characteristics of the eye
It is claimed that the odds of the same IrisCode being returned by two different people are less than 1 in 10^(52)
IrisCode includes "266 spots" to distinguish between irises (the claim is that most other biometrics have between 10-60 distinguishing spots)
IrisCode may vary by as much as 25% for a given eye ... but the odds of two different eyes being 75% similar are said to be 1 in 10^(16), so this seems acceptable

Retinal Scan
Template size small: 96 bytes
Very accurate representation
Changes likely only from degenerative diseases
Fairly expensive: $2K range
Harder to use than most and requires participant cooperation

Combined Solutions and Spinoff Businesses
"Advanced Biometrics inc. is developing biometric track ball and mouse technology to be used in identification and authentication.
– The track ball or mouse ... maps the substructure of the human hand by measuring veins, deep creases, scars and fatty tissue density through infrared light.
– ... spun off a separate company, called DigiKnox, to be the central data storage warehouse for the potential millions of substructure scans. Officials said DigiKnox will purchase a bank to warehouse the database servers in an actual vault." [7]

BioAPI
Organization started in '98
– "Achieve plug and play" between vendor implementations
V 1.0 released March 2000
– Primitives for Enrollment, Verification, Identification
– BSP (Biometric Service Provider) database interface
– Primitives for capturing "samples" from the client and enrollment/verification/identification on the server

BioAPI -- Enrollment Methodology
– Capture of samples from device
– Extract features of importance
– Combine features to form a "template" using some algorithm (which is likely to be proprietary and device-specific)
This is essentially the "password"

BioAPI -- Verification Methodology
– Capture of user samples from device
– Extract features of importance
– Combine features to form a "template" using some algorithm (which is likely to be proprietary and device-specific)
– Compare to the existing template for this user to determine whether it matches
This is the "verification of user identity" step

BioAPI -- Identification Methodology
– Capture of user samples from device
– Extract features of importance
– Combine features to form a "template" using some algorithm (which is likely to be proprietary and device-specific)
– Compare to the existing population of templates to determine the closest match and deduce the user's identity
This is the "discovery of identity" step

Biometric ID Record (BIR)

Controversies - Schneier [4]
"Biometrics is also lousy because biometric measurements are so easy to forge. It's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly." Schneier
"Which brings us to the second major problem with biometrics -- it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation." Schneier

But Also: Saito [5]
"How can we protect ourselves online without using a multitude of different passwords? Biometrics is the answer."

References
NIST Biometrics Consortium Working Group
– http://www.itl.nist.gov/div895/isis/bcwg/
Biometric Consortium
– http://www.biometrics.org/
AVANTI Biometrics research site
– http://homepage.ntlworld.com/avanti/
BioAPI
– http://www.bioapi.org/
Precise Biometrics
– http://www.precisebiometrics.org/
The Biometrics Digest
– http://webusers.anet-stl.com/~wrogers/biometrics/
Book:
– Biometrics - Advanced Identity Verification, J. Ashbourn, Springer-Verlag, Oct 2000.

Articles
[1] Banking and biometrics
– http://www.banking.com/aba/cover_0197.htm
– ABA Banking Journal, January 1997.
[2] Encrypted signatures enable paperless loan syndications
– http://www.banking.com/aba/webnotes_0399.asp
– ABA Banking Journal, March 1999.
[3] Biometrics software aimed at improving Windows NT security
– Infoworld.com, Dec 21, 2000
[4] Biometrics: Truths and Fiction
– Bruce Schneier, TechTV, Dec 15, 2000
[5] William Saito on the Potential of Biometrics
– Saito, TechTV, Dec 15, 2000
[6] Biometrics Devices Ready to Hit the Mass Market
– Frost and Sullivan press release
– 3584-11 - European Biometric Identification Markets

More Articles
[7] Advanced Biometrics gives security a hand
– ZDNet, November 30, 2000
[8] Biometrics Industry
– April 1999
– http://www.livegrip.com/biometrics_industry.htm
[9] Dutch Biometrics A Go-Go
– Wired, November 8, 2000
[10] Daugman's patents on iris scans
– http://www.cl.cam.ac.uk/users/jgd1000