1
Figure 2-8: Access Cards
Magnetic Stripe Cards
Smart Cards
Have a microprocessor and RAM
More sophisticated than mag stripe cards
Release only selected information to different access devices
2
Figure 2-8: Access Cards
Tokens
Small device with constantly-changing password
Or device that can plug into USB port or another port
RFIDs (Radio-Frequency IDs)
Can be detected and tested without physical contact
Allows easier access; used in Tokyo subways
3
Figure 2-8: Access Cards
Card Cancellation
Requires a central system
PINs
Personal Identification Numbers
Short: about 4 digits
Can be short because attempts are manual (10,000 combinations to try with 4 digits)
Should not choose obvious combinations (1111, 1234) or important dates
Provide two-factor authentication
4
Figure 2-9: Biometric Authentication
Biometric Authentication
Authentication based on body measurements and motions
Because you always bring your body with you
Biometric Systems (Figure 2-10)
Enrollment
Later access attempts
Acceptance or rejection
5
Figure 2-10: Biometric Authentication System
1. Initial Enrollment
Applicant Scanning
Processing (Key Feature Extraction): A=01, B=101, C=001
User Lee Template (01101001)
Template Database: Brown 10010010, Lee 01101001, Chun 00111011, Hirota 1101110…, …
2. Subsequent Access
User Lee Scanning
Processing (Key Feature Extraction): A=01, B=111, C=001
User Access Data (01111001)
3. Match Index, Decision Criterion (Close Enough?)
6
Figure 2-9: Biometric Authentication
Verification Versus Identification
Verification: Are applicants who they claim to be? (compare with single template)
Identification: Who is the applicant? (compare with all templates)
More difficult than verification
Verification is good for replacing passwords in logins
Identification is good for door access and other situations where entering a name would be difficult
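The matching step of Figure 2-10 and the verification/identification split, as an added example that is not part of the original slides. It assumes the match index is the number of differing bits (Hamming distance) and that the decision criterion is a maximum distance; the function names and the `max_distance` parameter are hypothetical.

```python
# Templates as shown in Figure 2-10. Hirota's template is truncated on the
# slide, so it is left out rather than guessed.
TEMPLATES = {"Brown": "10010010", "Lee": "01101001", "Chun": "00111011"}

def match_index(template, sample):
    """Assumed metric: count of differing bits. Lower means a closer match."""
    if len(template) != len(sample):
        raise ValueError("template and sample must have the same length")
    return sum(a != b for a, b in zip(template, sample))

def verify(claimed_name, sample, max_distance=1):
    """Verification: compare the scan with the single template of the claimed user."""
    template = TEMPLATES.get(claimed_name)
    if template is None:
        return False  # unknown identity is rejected, never matched by default
    return match_index(template, sample) <= max_distance

def identify(sample, max_distance=1):
    """Identification: compare the scan with all templates; return a name or None."""
    scored = sorted((match_index(t, sample), name) for name, t in TEMPLATES.items())
    best_distance, best_name = scored[0]
    if best_distance > max_distance:
        return None  # nobody is close enough
    if len(scored) > 1 and scored[1][0] == best_distance:
        return None  # two users tie for best match: reject instead of guessing
    return best_name

if __name__ == "__main__":
    access_data = "01111001"  # "User Access Data" from Figure 2-10
    for name, template in TEMPLATES.items():
        print(name, match_index(template, access_data))
    print("verify as Lee:", verify("Lee", access_data))
    print("verify as Chun, strict:", verify("Chun", access_data))
    # Loosening the criterion lets Lee's scan pass as Chun: a false acceptance.
    print("verify as Chun, loose:", verify("Chun", access_data, max_distance=2))
    print("identify:", identify(access_data))
```

Lee's later scan differs from the enrolled template by one bit, so an exact-match criterion would reject the legitimate user, while a criterion of two bits would also accept the same scan under Chun's name.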
7
Figure 2-9: Biometric Authentication
Precision
False acceptance rates (FARs): Percentage of unauthorized people allowed in
Person falsely accepted as member of a group
Person allowed through a door who should not be allowed through it
Very bad for security
8
Figure 2-9: Biometric Authentication
Precision
False rejection rates (FRRs): Percentage of authorized people rejected
Valid person denied door access or server login
Can be reduced by allowing multiple access attempts
High FRRs will harm user acceptance
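How FAR and FRR move against each other as the decision criterion changes, and what multiple access attempts do to both, as an added example that is not part of the original slides. The distance lists are constructed sample data, the function names are hypothetical, and the retry calculation assumes attempts are independent.

```python
# Constructed match distances (lower = closer); not measurements of any product.
GENUINE = [0, 1, 1, 2, 0, 3, 1, 4, 2, 1]    # authorized users vs. their own template
IMPOSTOR = [5, 6, 2, 7, 4, 6, 3, 5, 8, 6]   # other people vs. that same template

def rates(threshold):
    """Return (FAR, FRR) when a scan is accepted if distance <= threshold."""
    far = sum(d <= threshold for d in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(d > threshold for d in GENUINE) / len(GENUINE)
    return far, frr

def with_retries(far, frr, attempts):
    """Rates when any one of `attempts` independent tries is enough to get in.

    A valid user is rejected only if every try fails, so FRR shrinks.
    An unauthorized person gets in if any try succeeds, so FAR grows.
    """
    return 1 - (1 - far) ** attempts, frr ** attempts

def sweep(max_threshold=8):
    """(threshold, FAR, FRR) rows for every threshold up to max_threshold."""
    return [(t, *rates(t)) for t in range(max_threshold + 1)]

if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep():
        print(f"{t:9d}  {far:.2f}  {frr:.2f}")
    far, frr = rates(2)
    for attempts in (1, 2, 3):
        r_far, r_frr = with_retries(far, frr, attempts)
        print(f"{attempts} attempt(s): FAR={r_far:.3f} FRR={r_frr:.3f}")
```

With this sample data, three attempts at threshold 2 cut the FRR from 20 percent to under 1 percent, but the FAR rises from 10 percent to about 27 percent, so a retry limit is a security setting as well as a usability one.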
9
Figure 2-9: Biometric Authentication
Precision
Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances
For instance, having only small numbers of users in the database
For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world
10
Figure 2-9: Biometric Authentication
User Acceptance is Crucial
Strong user resistance can kill a system
Fingerprint recognition may have a criminal connotation
Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully.
These require a disciplined group
11
Figure 2-9: Biometric Authentication
Biometric Methods
Fingerprint recognition
Simple, inexpensive, well-proven
Weak security: can be defeated fairly easily with copies
Useful in modest-security areas
Face recognition
Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.
12
Figure 2-9: Biometric Authentication
Biometric Methods
Iris recognition
Pattern in colored part of eye
Very low FARs
Somewhat difficult to use: must line up eye exactly or will be rejected
High FRR if eye is not lined up correctly can harm acceptance
Hand geometry: shape of hand
Voice recognition
High error rates
Easy to fool with recordings
13
Figure 2-9: Biometric Authentication
Biometric Methods
Keystroke recognition
Rhythm of typing
Normally restricted to passwords
Ongoing during session could allow continuous authentication
Signature recognition
Pattern and writing dynamics
14
Figure 2-9: Biometric Authentication
Biometric Standards
Almost no standardization
Worst for user data (fingerprint feature databases)
Get locked into single vendors
15
Figure 2-9: Biometric Authentication
Can Biometrics be Fooled?
Airport face recognition mostly has false positives
4-week trial of face recognition at Palm Beach International Airport
Only 250 volunteers in the user database (unrealistically small)
Volunteers were scanned 958 times during the trial
Only recognized 455 times!
Recognition rate fell if volunteers wore glasses (especially tinted) or looked away
Would be worse with larger database
Would be worse if photographs were not good
16
Figure 2-9: Biometric Authentication
Can Biometrics be Fooled?
DOD Tests indicate poor acceptance rates when subjects were not attempting to evade
270-person test
Face recognition recognized person only 51 percent of time
Iris recognition only recognized 94 percent of the time.
Other research has shown that evasion is often successful for some methods
German c’t magazine fooled most face and fingerprint recognition systems
Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass