Protected biometrics for Identity Trust
RISE - Awareness of Biometrics and Security Ethics
By Nicolas DELVAUX
[email protected], 5th of January 2010
INTERNAL DOCUMENT - Marketing Team / 20 February 2010
SAFRAN AT A GLANCE
An international high technology group
- More than 12 billion Euros sales in 2007 (At December 31, 2007)
- 58,200 employees in over 30 countries (At September 30, 2008)
Three branches of activity:
- Aerospace propulsion
- Aircraft equipment
- Defense Security
Sagem Sécurité: worldwide leading positions
- Multi modal biometrics solutions
- ID solutions
- Biometric terminals (access control)
- Automated fingerprint identification systems
- Secure ID documents including biometric features (passports, H&ID cards, driving licenses)
Sagem Sécurité / DTS / ND / RISE – 05 Jan 2010
Agenda
1. An Identity use case - from Passport to e-Passport: a short survey
2. Identity: a new field for organised crime
3. Biometrics for identity: strategies for trustworthy framework
4. Conclusion
An Identity use case -
from Passport to e-Passport: a short survey
Travel document: passport usage
Process for identity verification:
1. To authenticate the travel document: issuer, security features, etc.
2. To check document personalisation
3. To check the link between document data and holder
Major identity issues:
- Fake travel documents
- Genuine travel document with fraudulent personalisation
- Stolen travel document with photo substitution
- Impostor using similarity with the genuine travel document holder
Challenging issues for checking process
[Figure panels: Genuine document; Facial similarity]
Identity on e-Passport: more authentication factors
ICAO 9303 introduces major updates
- Electronic: to authenticate the genuine travel document and information consistency by electronic signature
- Biometrics features: face (M), fingerprint and iris to link the document and the holder
[Figure: authentication factors. To know: PIN; To have: token; To be: biometrics]
Identity: a new field for organised crime
Biometric authentication
Biometrics technologies are not restricted to law enforcement
- Since the 90's: large scale civil application for civil registry, welfare, etc.
Need for ID fraud prevention
- US: $50 billion / year (source: Javelin Strategy & Research Survey – 2007)
- UK: £1.7 billion / year (source: 2006 Home office report)
- France: € 6.2 billion / year for welfare organizations; € 474 million for 212,762 victims in 2008 (source: CREDOC, June 2009)
Biometrics as Security Enhanced Technology for Identity
Identity management is a security target for the future
Biometrics: individual authentication or identification based on physiological / behavioral traits of individuals
- Many modalities: fingerprint, face, iris, vein, DNA...
- Different performances and no « silver bullet » modality or technology
- Common characteristics: Universality, Uniqueness, Permanence, Collectability
At any stage, use of biometrics can potentially raise privacy & security concerns:
- Misuse / abuse, breach, function creep
- Collected without consent: collected from a trace, from a data base
- Nobody can revoke his/her biometrics
Protection schemes are essential!
Biometrics protection issues
ISO/IEC JTC1 SC37 Reference Architecture
[Figure: reference architecture diagram annotated with attacks. Subsystems: Data Collection (presentation, biometric characteristics, sensor), Signal Processing (segmentation, feature extraction, quality control, template creation, re-acquire), Data Storage (enrolment database, templates), Matching / Comparison (matching scores), Decision (threshold, decision criteria, candidate list, match / non-match, verified?, identified?), Transmission (compression, transmission channel, expansion). Processes: enrolment, verification, identification.]
Biometrics for identity :
strategies for trustworthy framework
Biometrics protection: technological approaches
Secure token
- Pros: an evaluated solution
- Cons: what happens when token is cracked?
Cryptography
- Pros: reliable solutions
- Cons: ready for all your life
Multi-modalities
- Pros: statics and dynamics mixture
- Cons: increase complexity only
Crypto-biometrics
- Pros: revocability capability
- Cons: accuracy & irreversibility
An implementation on bio-encryption
Fingerprint biometry
- Multivendor interoperability
- Generation of protected pseudo identities
- Multiple + revocable identities based on the same fingerprint
[Figure: Minutiae (Vendor A) and Minutiae (Vendor B) → Template protection → Hash → ID1, ID2, ID3]
Identities are not invertible
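The properties listed on this slide (several revocable pseudo identities from one fingerprint, stored only as a hash) can be illustrated with a fuzzy commitment, a published template-protection construction. This is an added example, not code from the presentation and not the scheme Sagem implemented; the fixed-length bit vector standing in for a minutiae template, the repetition code and all function names are assumptions.

```python
import hashlib
import random
import secrets

REP = 5  # toy repetition code: each key bit stored 5 times, corrects 2 flips per group

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote inside each group of REP bits.
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def pseudo_identity(key_bits, salt):
    return hashlib.sha256(salt + bytes(key_bits)).hexdigest()

def enrol(features):
    """Bind a fresh random key to the feature bits; store only helper data and a hash."""
    key = [secrets.randbelow(2) for _ in range(len(features) // REP)]
    salt = secrets.token_bytes(16)
    helper = [c ^ f for c, f in zip(encode(key), features)]
    return {"salt": salt, "helper": helper, "pseudo_id": pseudo_identity(key, salt)}

def verify(record, features):
    """Recover the key from a noisy re-capture and compare hashes in constant time."""
    noisy_code = [h ^ f for h, f in zip(record["helper"], features)]
    candidate = pseudo_identity(decode(noisy_code), record["salt"])
    return secrets.compare_digest(candidate, record["pseudo_id"])

def sample_features(seed, n_bits=640):
    # Constructed stand-in for a binarised minutiae template (not real biometric data).
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n_bits)]

def recapture(features, step=20):
    # Constructed sensor noise: flip one bit in every fourth group of REP bits.
    return [b ^ 1 if i % step == 0 else b for i, b in enumerate(features)]

if __name__ == "__main__":
    finger = sample_features(seed=1)
    id1, id2 = enrol(finger), enrol(finger)       # two identities, same finger
    print(verify(id1, recapture(finger)))         # genuine, noisy capture
    print(verify(id1, sample_features(seed=2)))   # different finger
    print(id1["pseudo_id"] != id2["pseudo_id"])   # revoking id1 leaves id2 usable
```

The error tolerance of the code is where the "accuracy & irreversibility" trade-off listed for crypto-biometrics shows up: a wider tolerance accepts more noise from the genuine finger but also more impostors. The helper data protects the template only as far as the feature bits are unpredictable.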
Biometrics protection: Legal Approaches
EU: legal Data Protection framework
- Directive 95/46 on personal data protection
- National transposition in (27) laws
- In most MS: no specific provisions on biometrics
- Some MS: biometric data as « sensitive data », or only when they reveal racial, ethnic origins or health
- Interpretation by DPA principles: “PROPORTIONALITY PRINCIPLE”
- Depending on MS: from prior authorisation to simple notification
- Systematic warnings about biometrics databases
Solution providers in EU
- Different perceptions
- Deployment discrepancy & different identity management
- Different level of trust
- Needs more developments
Needs of dedicated legal decision
Principles of proportionality: use cases
- Time attendance
- Access control in sport stadium
- Access control in swimming pool
- At school (Fingerprint)
Conclusion
Identity is a major value in society
To demonstrate Identity:
- Travel document: authentication factors by a token
- Need of an additional authentication factor: biometrics modalities
Long-term mechanisms for a worldwide trust
- Needs of technical and legal consistent approaches
- Protect identity for citizen privacy
- Protect identity for trusted relationship
- Security against abuse, misuse and corruption of identity
Privacy and Security shall become “a positive-Sum Paradigm”
Thank you for your patience!
Protected biometrics for identity trust
RISE - Awareness of Biometrics and Security Ethics
By Nicolas DELVAUX, [email protected]
Hong-Kong, 5th of January 2010