Managing Secure Biometric Systems, Meghan Armes, IA Management, April 24, 2007


Upload: emily-sanders

Post on 16-Jan-2016


TRANSCRIPT

Page 1: Managing Secure Biometric Systems Meghan Armes IA Management April 24, 2007

Managing Secure Biometric Systems

Meghan Armes

IA Management

April 24, 2007

Page 2

Overview

Description/Definition
Why Use Biometrics
Commonly Used Biometrics
– Pros/Cons
Security Issues
Future Applications
Conclusion

Page 3

Definition/Description of Biometrics

Literally, “life measurement”

Authentication mechanisms:
– Something you are
– Something you produce

Examples:
– Fingerprints
– Voice
– Hand topology

Page 4

Definition/Description of Biometrics

Technology scans human characteristics
– Converts images to unique points of reference that are digitized and encrypted
– Only 3 are considered “truly unique”:
  Fingerprints
  Retina (blood vessel pattern)
  Iris
– DNA/genetic material also unique, but not cost-effective or socially accepted

Page 5

Why Use Biometrics

Takes advantage of some element that is inherent to the user

Used to authenticate users so they can be authorized and given access to resources

Page 6

Commonly Used Biometrics

Fingerprints
Palm scan
Hand geometry
Hand topology
ID cards (face representation)
Facial recognition
Retina scan
Iris scan
Signature recognition
Voice recognition

Page 7

Commonly Used Biometrics

Page 8

Commonly Used Biometrics

Signature recognition/signature capture often used in retail stores
– Signatures are digitized, compared to database for validation or saved for reference
– Signatures can vary: age, fatigue, speed with which they’re written

Page 9

Commonly Used Biometrics

Voice recognition captures analog waveforms of human speech
– Compared to stored version
– User given phrase they must read each time
– May vary: age, illness, fatigue, background noise

Page 10

Commonly Used Biometrics

Keystroke pattern recognition: timing between key signals
– User types in a known/given sequence of keystrokes
– Can provide unique identification when measured with sufficient precision
– Can vary: injury, fatigue, familiarity with typing the known phrase

Page 11

Security Issues in Biometrics

Three basic criteria of evaluating biometric technologies:

1. False reject rate: percentage of authorized users denied access

2. False accept rate: percentage of unauthorized users given access

3. Crossover error rate: point at which the number of false rejections = number of false acceptances

Page 12

Security Issues in Biometrics

False Reject Rate: result of failure in biometric device

Also called Type I error

Obstructs legitimate use (not often seen as a serious threat, merely an annoyance)

Page 13

Security Issues in Biometrics

False Accept Rate: also a result of biometric device failure

Type II error

Serious security breach: avoid by using multiple authentication measures to back up failing device

Page 14

Security Issues in Biometrics

Crossover Error Rate (CER): optimal outcome of biometrics-based systems

CER used to compare biometrics, varies among manufacturers

Lower number is best (CER of 1% is better than CER of 5%)
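
Added example (not part of the original slides): one way to compute the false reject rate, false accept rate and crossover error rate from match scores, and to compare two readers by CER. The device names, the 0-100 score scale and all score values are constructed for illustration.

```python
# Added example. All scores are constructed sample data (0-100 similarity,
# higher = closer match to the enrolled template), not figures from the slides.
DEVICES = {
    "reader_a": {  # hypothetical device names
        "genuine":  [91, 88, 95, 79, 84, 90, 68, 93, 87, 75],
        "impostor": [35, 52, 41, 60, 72, 48, 30, 66, 55, 80],
    },
    "reader_b": {
        "genuine":  [70, 62, 85, 58, 77, 90, 66, 81, 73, 69],
        "impostor": [40, 65, 55, 71, 60, 78, 45, 68, 50, 74],
    },
}


def false_reject_rate(genuine, threshold):
    """Type I error: fraction of authorized attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type II error: fraction of unauthorized attempts at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the accept threshold; return (threshold, frr, far) at the first
    point where FRR and FAR are closest. With finite samples the two rates
    may never be exactly equal, so the smallest gap is used."""
    best = None
    for t in thresholds:
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), t, frr, far)
    return best[1:]


def rank_by_cer(devices):
    """Order device names from lowest (best) to highest crossover error rate."""
    cer = {name: crossover_error_rate(d["genuine"], d["impostor"])[1]
           for name, d in devices.items()}
    return sorted(cer, key=cer.get)


if __name__ == "__main__":
    for name, d in DEVICES.items():
        print(name, crossover_error_rate(d["genuine"], d["impostor"]))
    print("best to worst:", rank_by_cer(DEVICES))
```

Raising the threshold above the crossover point trades false accepts for false rejects: on the reader_a sample, a threshold of 81 gives no false accepts but rejects 30% of authorized attempts.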

Page 15

Security Issues in Biometrics

Important to balance system’s effectiveness with intrusiveness and acceptability

Increase in rate of effectiveness usually means decrease in rate of acceptability

Page 16

Security Issues in Biometrics

Effective, Most to Least
Retina pattern recognition
Fingerprint recognition
Handprint recognition
Voice pattern recognition
Keystroke pattern recognition
Signature recognition

Accepted, Most to Least
Keystroke pattern recognition
Signature recognition
Voice pattern recognition
Handprint recognition
Fingerprint recognition
Retina pattern recognition

Page 17

Security Issues in Biometrics

Cost: biometric technology averages more than $100/user just for simple thumbprint reader

Interoperability: systems come from independent vendors so systems are not standardized

Social challenge: users unwilling to accept unfamiliar, invasive methods

Page 18

Future Applications of Biometrics

Integration in passports for the US, UK, and EU

President Bush: future legal immigrants and visitors to the US should expect to be card-indexed and fingerprinted
– ID card with digitized fingerprints

Page 19

Future Applications of Biometrics

Certification and Biometrics: the Security Certified Program offers:
– Public Key Infrastructure (PKI) and Biometrics Concepts and Planning
– PKI and Biometrics Implementation

Page 20

Conclusion

Biometrics as authentication device
Why use biometrics
Commonly used biometrics
– All have downside
Security Issues in Biometrics
– Effective vs. Accepted
Future applications

Page 21

Sources

Management of Information Security textbook, by Michael E. Whitman and Herbert J. Mattord, chapters 9 and 10

http://en.wikipedia.org/wiki/Biometric#United_States

Page 22

Questions