Section 2.3.5 – Biometrics
Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.
Biometrics
• Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.
• Generally, biometric systems incorporate some sort of sensor or scanner to read in biometric information and then compare this information to stored templates of accepted users before granting access.
Image from http://commons.wikimedia.org/wiki/File:Fingerprint_scanner_in_Tel_Aviv.jpg used with permission under the Creative Commons Attribution 3.0 Unported license
Requirements for Biometric Identification
• Universality. Almost every person should have this characteristic.
• Distinctiveness. Each person should have noticeable differences in the characteristic.
• Permanence. The characteristic should not change significantly over time.
• Collectability. The characteristic should have the ability to be effectively determined and quantified.
Biometric Identification (diagram): Reader → Biometric → Feature vector → Comparison algorithm (against the Reference vector) → matches / doesn’t match
CIT 380: Securing Computer Systems
Biometric Measurement
Possible Outcomes:
• Correct person accepted
• Imposter rejected
• Correct person rejected (False Rejection)
• Imposter accepted (False Acceptance)
False Positives and Negatives
Tradeoff between
• False Accept Rate
• False Reject Rate
• Crossover Error Rate
Candidates for Biometric IDs
• Fingerprints
• Retinal/iris scans
• DNA
• “Blue-ink” signature
• Voice recognition
• Face recognition
• Gait recognition
• Let us consider how each of these scores in terms of universality, distinctiveness, permanence, and collectability…
Public domain image from http://commons.wikimedia.org/wiki/File:Fingerprint_Arch.jpg
Public domain image from http://commons.wikimedia.org/wiki/File:Retinal_scan_securimetrics.jpg
Public domain image from http://commons.wikimedia.org/wiki/File:CBP_chemist_reads_a_DNA_profile.jpg
Fingerprints
Capacitive measurement: differences in electrical charge across the whorls of the finger are used to detect which parts touch the chip and which are raised.
Brandon Mayfield
• Fingerprints found in 2004 Madrid bombing.
• Brandon arrested May 6, 2004.
• FBI claimed “100 percent positive” match.
• Held under a false name.
• Then transferred to unidentified location.
• Spanish police identify fingerprint as belonging to an Algerian man May 21, 2004.
• Brandon released May 25, 2004.
Eye Biometrics
• Iris Scan
  • Lowest false accept/reject rates of any biometric.
  • Person must hold head still and look into camera.
• Retinal Scan
  • Cataracts and pregnancy change retina pattern.
  • Lower false accept/reject rates than fingerprints.
  • Intrusive and slow.
Other Types of Biometrics
Physiological
• DNA
• Face recognition
• Hand geometry
• Scent detection
• Voice recognition
Behavioral
• Gait recognition
• Keyboard dynamics
• Mouse dynamics
• Signatures
Biometrics are not infallible
What are the False Accept and False Reject Rates?
Do the characteristics change over time?
• Retina changes during pregnancy.
• Fingerprint damage due to work/pipe smoking.
• Young and old people have fainter fingerprints.
Is it accurate in the installed environment?
• Is someone observing fingerprint or voiceprint checks?
• i.e., was the biometric actually collected from the person?
Biometrics can be compromised.
Unique identifiers, not secrets.
• You can change a password.
• You can’t change your iris scan.
Examples:
• You leave your fingerprints every place.
• It’s easy to take a picture of your face.
Other compromises.
• Use faux ATM-style devices to collect biometrics.
• Obtain all biometric templates from server.
Use and Misuse of Biometrics
Employee identification.
• Employee enters login name.
• System uses fingerprint to verify employee is who he claims to be.
• Problem: Does biometric match the employee?
Criminal search (Super Bowl 2001)
• System uses face recognition to search for criminals in public places.
• Problem: Does any biometric in database match anyone in a crowd of people?
• Assume system is 99.99% accurate and 1 in 10 million people is a terrorist. Result: 1000 false positives for each terrorist.
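As an added worked example (not from the CIT 380 slides) covering both the False Accept/False Reject trade-off slide and the Super Bowl base-rate slide: the match scores are constructed sample data, the decision threshold is swept to locate the crossover point, and the 99.99% / 1-in-10-million figures are carried through to the expected number of innocent people flagged per terrorist.

```python
"""Added example for the CIT 380 biometrics slides (not from the slides):
FAR/FRR versus decision threshold, the crossover point, and the
base-rate effect in a 1:N crowd search."""
from typing import Sequence, Tuple

# Constructed sample data: comparison-algorithm match scores in [0, 1].
# Higher means "closer to the reference vector". Genuine users should
# score high and impostors low, but the two distributions overlap.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.61, 0.58, 0.52]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.38, 0.44, 0.49, 0.55, 0.60, 0.71]


def far_frr(threshold: float, genuine: Sequence[float],
            impostor: Sequence[float]) -> Tuple[float, float]:
    """FAR = fraction of impostors accepted (score >= threshold);
    FRR = fraction of genuine users rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine: Sequence[float], impostor: Sequence[float],
              steps: int = 1000) -> Tuple[float, float, float]:
    """Sweep the decision threshold and return (threshold, FAR, FRR) at the
    first point where FAR and FRR are closest: the Crossover Error Rate."""
    best = (0.0,) + far_frr(0.0, genuine, impostor)  # threshold 0 accepts all
    for i in range(1, steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        if abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def search_false_positives(far: float, population: int, targets: int) -> float:
    """Expected number of innocent people flagged per genuine target when
    everyone in `population` is screened against a watch list and each
    non-target has probability `far` of a false match."""
    return far * (population - targets) / targets


if __name__ == "__main__":
    print("FAR, FRR at threshold 0.5:", far_frr(0.5, GENUINE_SCORES, IMPOSTOR_SCORES))
    t, far, frr = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover near threshold {t:.3f}: FAR={far:.2f} FRR={frr:.2f}")
    # Slide figures: 99.99% accurate (FAR 0.01%), 1 terrorist in 10 million.
    print("innocents flagged per terrorist:",
          round(search_false_positives(1e-4, 10_000_000, 1)))
```

Raising the threshold lowers FAR and raises FRR; the crossover is the operating point where the two are equal, and the last function shows why a 1:N search with an excellent 1:1 FAR still drowns each real hit in false positives.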