India's UID project: biometrics vulnerabilities & exploits
DESCRIPTION
Presentation of JTD in Campaign for No UID meeting in Delhi 25th August
TRANSCRIPT
1. Biometrics Vulnerabilities & Exploits
2. INTRODUCTION
- Old World methods of trust and authentication
  - Personal introductions, documents
  - Key role player is the authenticator
- New World requirements
  - Anonymous, large scale, short term relationships
  - Key requirement is building up of trust
- No defence mechanisms of older methods present in newer systems
3. Authentication by Technology
- Requires the exchange of certain FACTORS
- Requires an authority who can verify these factors
- Requires an authority who can provide permission to build a relationship and transact
4. ...Authentication by Technology
- Factors are classified into 3 types
- Ownership factor like cards, badges or keys
- Knowledge factor like user id, password and pins
- Inheritance factor like weight, height, face shape, color of eyes/hair, birth marks etc. all nicely encoded in a photo
5. Properties of different Factors
6. The Inheritance Factor - Biometrics
- The subject of discussion for today is the inheritance factor, biometrics
- Implementation difficulties
- Vulnerabilities
- The authentication process and its vulnerabilities, in brief
- Since the UIDAI has chosen the use of fingerprints and iris as a means of authentication, we will be discussing only these factors
7. Finger Print Scanners
- Many variations on these basic techniques
- Variations are primarily to reduce cost, size and probably to overcome existing patents
- Some claims exist about the ability to sense below the dead skin surface. However, for our vulnerability assessments, these claims are trivially overcome
- Sensor technologies are not relevant to the scope of vulnerabilities and exploits
8. Fingerprint Readers
9. Iris Scanners
- Iris scanners use a Near Infra Red light
- Camera coupled with some autofocusing techniques (commonly used in autofocus cameras)
10. Iris scan - Base Technique
11. The Process
- All id systems involve an enrollment process and an authentication process, followed by an authorization process, to enter / exit / receive / deposit etc.
12. The Enrollment Process
- Capture image
- Process image
- Extract Features
- Create Template
- Save raw data in the case of criminal records
- Encryption
- Transmission
- De duplication and storage
13. The Authentication process
- Capture image
- Process image
- Extract Features
- Create Template
- Encryption
- Transmission
- Receive result
- UIDAI has not specified iris for authentication*
14. Threats faced by biometric systems
- Threat agents
  - Only simple impostor, without much sophistication or resources. We shall leave out cross-border attack vectors, as pilfering state subsidies may not be their highest priority
- Threat Vectors
  - Fake credentials and replay attacks
- System Weaknesses
  - Extraction of digital keys, use of internal facilities of sensors
15. Desired Characteristics And Limitations
- Easy and accurate Digitization of the presented bio characteristic
- Time Invariant
- Environment Invariant
- Spoof proof
16. ... Limitations in enrollment / auth
- Easy and accurate digitization is neither easy nor accurate
- Too many wrong methods, resulting in an unreproducible template
- Guided enrollment useless for auth
- Very difficult for occasional users
- Manual overrides = more holes
17. ... Limitations in enrollment / auth
- Time invariance a myth
  - Ageing changes fingerprints (1)
  - Skin ailments make auth difficult if not impossible
  - No large scale studies on heterogeneous populations
  - Will require frequent re-enrollment aka more holes
  - No (available?) studies on iris variations due to ageing
  - Errors due to unknown causes (2)
18. ... Limitations in enrollment / auth
- Environment invariance a myth
  - Waterlogged hands change fingerprint machine readability
  - Dry skin changes fingerprint machine readability
  - Will require frequent re-enrollment aka more holes
  - No (available?) studies on iris variations due to harsh environments
  - Inter device variations
19. ... Limitations in enrollment / auth
- Non-Spoofability
  - Biometrics are the worst
  - Fingerprints are spoofed by gummy finger technique
  - Irises are spoofed by photographs
  - Irises are spoofed by patterned contacts
20. Spoofing made easy - Fingerprints
- Uses common ingredients
- Fools all systems with greater than 60% repeatability
- Newer materials and techniques even more effective
21. Spoofing made easy - Iris
- Buy from the net to create fake ids for sale
- PCB etching techniques for masquerading
- Older technique using high res photograph with pupil holes
22. Attack Vectors requiring skill
- Template reconstruction
  - Biometric id systems store data as templates, usually a few kilobytes in size. It has been shown that a biometric fingerprint system can be compromised by recreating the biometric using the stored template
  - Template extraction and storage a feature of systems
23. ... Attack Vectors requiring skill
- Key duplication
  - Trivial to break into the device and extract keys
  - Addition and deletion of keys a feature
  - Even in locked down devices, the key can be recovered by simply copying the onboard flash to a PC and reusing the backup in a device purchased from the market
24. ... Attack Vectors requiring skill
- Replay attack at sensor pins
  - The sensor interfaces are relatively simple
  - Produce raw data (Fig 4). It is possible to record all data, and then replay that data
  - This attack requires some technical skill
  - However once developed it can be mass produced and will be undetectable
25. Biometrics WORST CHARACTERISTIC
- Cannot be withdrawn
- Cannot be changed
- This violates the basic requirement of any id system
26. Inherent problems with Biometric Systems
- FAR - False Acceptance Rate indicates the number of wrong matches of a presented biometric, mistakenly identifying one person as another
- FRR - False Rejection Rate (also called False Non Match Rate) indicates the number of wrong rejects of a presented biometric.
- Best FAR of .00060 for fingerprints
- Best FAR of .000120 for Iris
- Best FRR of .0060 for fingerprints
- Best FRR of .0012 for Iris
27. ... Inherent problems with Biometric Systems
- FAR and FRR closely linked to template size
- Reducing FAR increases FRR
- Reducing FRR increases FAR
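An added example (not part of the presentation) of the FAR/FRR trade-off stated on this slide. It assumes the matcher emits a similarity score compared against a decision threshold and uses constructed Gaussian score distributions. It also goes beyond the slide by projecting the quoted best fingerprint FAR onto a 1:N search, assuming independent comparisons.

```python
import math

# Constructed score model (assumption, not measured data): a matcher emits a
# similarity score; genuine and impostor comparisons are each Gaussian.
GENUINE_MEAN, IMPOSTOR_MEAN, SIGMA = 70.0, 30.0, 8.0


def _upper_tail(x, mean, sigma):
    """P(score >= x) for a Gaussian score distribution."""
    return 0.5 * math.erfc((x - mean) / (sigma * math.sqrt(2)))


def far(threshold):
    """False Acceptance Rate: impostor comparisons scoring at/above threshold."""
    return _upper_tail(threshold, IMPOSTOR_MEAN, SIGMA)


def frr(threshold):
    """False Rejection Rate: genuine comparisons scoring below threshold."""
    return 1.0 - _upper_tail(threshold, GENUINE_MEAN, SIGMA)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) rows for each candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def p_any_false_match(per_comparison_far, gallery_size):
    """Chance that one probe falsely matches at least one of gallery_size
    enrolled templates, assuming independent comparisons (1:N search)."""
    return 1.0 - (1.0 - per_comparison_far) ** gallery_size


if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR; they cross at the
    # midpoint of the two constructed distributions (the equal error rate).
    for t, a, r in sweep(range(40, 65, 5)):
        print(f"threshold={t:2d}  FAR={a:.6f}  FRR={r:.6f}")
    # Best fingerprint FAR quoted on the slide, applied to growing galleries.
    for n in (1, 1_000, 10_000):
        print(f"gallery={n:>6}  P(false match)={p_any_false_match(0.00060, n):.4f}")
```
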
28. ... Inherent problems with Biometric Systems
- Requires very good power
- Requires very good telecommunications infrastructure
- Both of very poor quality in many areas
- Even in Maharashtra in the Konkan region, such infrastructure is poor due to natural causes
  - Hilly terrain
  - RF shadow regions
  - Heavy rains and lightning
29. Summary
- Biometrics as a unique id in an automated system has never been tested on a large scale
- The inherent characteristic of biometrics is its irrevocability. This is in direct contradiction of any id / security system, where keys must be revocable and reissuable
- Fingerprints are easily spoofable
- Iris patterns are easily spoofable
- Biometrics are very susceptible to the natural biological processes of growth, ageing and environment
- Numerous technical vulnerabilities are available for exploitation at the sensor-system interface