• Save
Fingerprint Biometrics vulnerabilities
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
1,605
On Slideshare
1,532
From Embeds
73
Number of Embeds
3

Actions

Shares
Downloads
0
Comments
2
Likes
1

Embeds 73

http://www.tech-stratagem.com 54
http://tech-stratagem.com 10
http://localhost 9

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. 1 Biometric Template Security BIOMETRIC TEMPLATE SECURITY University of Glamorgan: | Farhan Liaqat
  • 2. University of Glamorgan University of Glamorgan Prifysgol Morgannwg Faculty of Advanced Technology STATEMENT OF ORIGINALITYThis is to certify that, except where specific reference is made, the work described inthis project is the result of the investigation carried out by the student, and that neitherthis project nor any part of it has been presented, or is currently being submitted incandidature for any award other than in part for the M.Sc. award, Faculty of AdvancedTechnology from the University of Glamorgan. Signed...........………………………………………………………... (Student) Page | 2
  • 3. University of Glamorgan Table of ContentsABSTRACT .......................................................................................................................................................... 6CHAPTER 1.......................................................................................................................................................... 7 INTRODUCTION .................................................................................................................................................. 7 1. Introduction .......................................................................................................................................... 8 Summary ....................................................................................................................................................... 9CHAPTER 2........................................................................................................................................................ 10 INTRODUCTION TO BIOMETRICS SYSTEM THREATS AND VULNERABILITIES ............................................... 10 2.1 History of Biometrics Systems ....................................................................................................... 12 2.2 Biometrics Traits ............................................................................................................................... 13 2.2.1 Requirements for Biometrics Traits .................................................................................................... 13 2.2.3 Comparison of Biometrics Trait and Technology ............................................................................. 16 2.3 Biometrics User Authentication ....................................................................................................... 17 2.4 A Standard Biometric System ........................................................................................................ 18 2.5 Threats to Finger Print Biometric System .................................................................................... 21 2.6 Threat Vectors ................................................................................................................................ 21 2.7 Types of Attacks ............................................................................................................................. 22 2.7.1 Physical Attacks ............................................................................................................................. 22 2.7.2 Computer Based Attacks ................................................................................................................ 23 2.7.3 Template Attacks ............................................................................................................................ 24 Summary ..................................................................................................................................................... 25CHAPTER 3........................................................................................................................................................ 26 PREVIOUS WORK AND LIMITATIONS .............................................................................................................. 26 3 Different Approaches ......................................................................................................................... 27 Summary ..................................................................................................................................................... 28CHAPTER 4........................................................................................................................................................ 29 FINGERPRINT SENSOR AND IMAGE ................................................................................................................. 29 4.1 Biometric Scanners ........................................................................................................................ 30 4.1.1 Optical Sensors .............................................................................................................................. 31 4.2 Fingerprint Image.......................................................................................................................... 32 4.2.1 Resolution ...................................................................................................................................... 32 4.2.2 Area ................................................................................................................................................ 32 4.2.3 Number of Pixels ........................................................................................................................... 32 4.2.4 Dynamic Range (or depth)............................................................................................................. 33 4.2.5 Geometric Accuracy ....................................................................................................................... 33 4.2.6 Image Quality ................................................................................................................................. 33 4.3 Fingerprint Structure..................................................................................................................... 33 4.4 Fingerprint image Security............................................................................................................ 34 Summary ..................................................................................................................................................... 34CHAPTER 5........................................................................................................................................................ 36 DESIGN AND IMPLEMENTATION ...................................................................................................................... 36 5. Device and Software............................................................................................................................ 37 5.1.1 Computer ............................................................................................................................................ 37 5.1.2 Fingerprint Reader ............................................................................................................................ 38 5.1.3 Software Development Kit (SDK) ...................................................................................................... 38 5.2. Griaule Software Development Kit (SDK)........................................................................................... 38 5.3. Steganography...................................................................................................................................... 39 5.3.1. What is Steganography Used for? .................................................................................................... 39 5.3.2. Steganography and Biometric Fingerprint Image ........................................................................... 40 Page | 3
  • 4. University of Glamorgan 5.4. Steganography Using .Net Algorithms and Techniques ..................................................................... 40 5.5. Generation of Steganography in .Net .................................................................................................. 40 5.6. Fingerprint Image and Steganography ............................................................................................... 41 5.6.2 Application Structure ......................................................................................................................... 41 5.6.2 Application Process ............................................................................................................................ 41 5.6.2.1 Enrolment Process .......................................................................................................................... 42 5.6.2.2 Conversion of Image ....................................................................................................................... 42 5.6.2.3 Steganography................................................................................................................................. 43 5.6.2.4 Stego Library ................................................................................................................................... 44 5.6.3 Decoding the Image ........................................................................................................................... 45 5.6.4 Development Limitations ................................................................................................................... 46 5.7 Fingerprint and Byte Stream ................................................................................................................ 46 5.7.1 Application structure.......................................................................................................................... 46 5.7.2 Application Process ............................................................................................................................ 47 5.7.2.1 Enrolment Process .......................................................................................................................... 47 5.7.2.2 Random Number Generation ......................................................................................................... 47 5.7.2.3 Verification Process ........................................................................................................................ 48 5.7.2.4 Template Attack and Verification ................................................................................................... 49 5.7.2.5 Securing the Template .................................................................................................................... 50 5.7.3 Application Limitations and Advantages .......................................................................................... 50 Summary ..................................................................................................................................................... 51CHAPTER 6........................................................................................................................................................ 52 RESULTS AND CONCLUSION ............................................................................................................................ 52APPENDIX A...................................................................................................................................................... 55APPENDIX B ...................................................................................................................................................... 57 REFERENCES .................................................................................................................................................... 57 Page | 4
  • 5. University of Glamorgan Table of FiguresFIGURE 2 BIOMETRICS DEVICE MARKET 2003 ...................................................................................................... 11FIGURE 1 FORECAST FOR BIOMETRICS MARKET 2003........................................................................................... 11FIGURE 3 BRETILLON MEASUREMENT SYSTEM (YORK 2003) ............................................................................... 12FIGURE 4 BRETILLON FINGERPRINT CARD (FIGURE 4) (YORK 2003) .................................................................... 13FIGURE 5 DIFFERENT HUMAN TRAITS (FIGURE 5) .................................................................................................... 14FIGURE 6 TABLE 1 BIOMETRICS TRAIT .................................................................................................................... 16FIGURE 7 - TABLE 2 TRAITS COMPARISON ............................................................................................................... 16FIGURE 8 AN EXAMPLE OF BIOMETRIC ATM MACHINE ........................................................................................... 18FIGURE 9 BIOMETRIC SYSTEM COMPONENTS ........................................................................................................ 18FIGURE 10 A SAMPLE FINGER PRINT INPUT .......................................................................................................... 19FIGURE 11 POSSIBLE AREAS OF VULNERABILITIES BASED ON (N.K. RATHA 2001) .............................................. 21FIGURE 12 OPTICAL SENSOR ................................................................................................................................. 31FIGURE 13 FINGERPRINT TEMPLATE RESOLUTION ................................................................................................ 32FIGURE 14 FINGERPRINT RIDGES ........................................................................................................................... 33FIGURE 15 DELL INSPIRON .................................................................................................................................... 37FIGURE 16 MICROSOFT FINGERPRINT READERS ................................................................................................... 38FIGURE 17 ENROLMENT PROCESS ......................................................................................................................... 42FIGURE 18 ENROLMENT PROCESS ......................................................................................................................... 42FIGURE 19 IMAGE CONVERSION ............................................................................................................................ 43FIGURE 20 CREATING STEGO FILE......................................................................................................................... 44FIGURE 21 DECODING THE IMAGE ......................................................................................................................... 45FIGURE 22 ENROLMENT PROCESS ......................................................................................................................... 47FIGURE 23 RANDOM NUMBER ............................................................................................................................... 48FIGURE 24 VERIFICATION PROCESS ....................................................................................................................... 49FIGURE 25 ATTACK ............................................................................................................................................... 49FIGURE 26 SECURING TEMPLATE .......................................................................................................................... 50FIGURE 27 ALGORITHM ......................................................................................................................................... 56 Page | 5
  • 6. University of GlamorganAbstractTechnology is becoming an essential part of human life as it increases the attention towardssecurity and privacy. A person logs into several systems in a day and every log, authenticatesor identifies him into the system. Biometrics provides a reliable and natural solution to verifya user or to identify a person. The confidence to accept biometric will depend on theguarantee from the designer that the application is robust with low error rates and security.But as much biometric systems are authentic, the vulnerabilities remain present. This studyparticularly aims towards template security, explaining how biometric systems thoroughlyenlighten the various threats and point of attacks, describing the structure of template andhow it is acquired. Leading toward the solution for the template attacks, the solutionsuggested in this paper is robust and customizable providing backward compatibility basedon previous studies. Page | 6
  • 7. University of GlamorganC hapter 1 Introduction Page | 7
  • 8. University of Glamorgan1. IntroductionThere have been many events in the world, which directed attention towards security andsafety. Most of the attention to security is regarding passengers in airports. However, there isone more type of threat which is not visible to a normal person. Hackers, who attack a systemuse some techniques modify the information and then manipulate the system to compromisewith the security.The growth of information technology has been explosive. Technology was nevermishandled in order to access other’s personal information, but now we can evidently see thepropagation of misusing technology in order to penetrate in to every human activity.Computers have helped human being to explore new horizons in many areas of studies likehuman genome, artificial intelligence and application which helped in enhancing human life.From a small sales application to big financial solutions all information is secured ondatabase servers and can be accessed from anywhere. Computer systems, and theirinterconnecting networks, are also prey to vandals, malicious egotists, terrorists, and an arrayof individuals, groups, companies, and governments intent on using them to further theirown ends, with total disregard for the effects on innocent victims. Apart from attacks oncomputer networks externally there are methods of destruction which are unintentional.Computer security can be defined as a state in which a person cannot compromise with asystem or cannot damage a system intentionally and it is free from external threats. Thepurpose of information system security is to optimize the performance of an organizationwith respect to the risks to which it is exposed. Security is not only important for OperatingSystems and Networks but we have to secure the physical access to the system as well.This study begins with introduction to biometrics. Biometrics refers to identify a personbased on his physical or behavioural characteristics. Biometrics is adopted today in most ofthe organizations from attendance of employees to border clearance. This study goes to thegreater depth from the origin of biometrics, history and modern technologies, explaining howthe physical and behavioural characteristics are categorised and the mechanism of typicalbiometrics system in brief. Later, describing the threats on biometric system which is the corepart of this study. No doubt biometric is very strong and authentic to identify or verify aperson but still it is vulnerable. These threats have been explained in Second chapter.The main emphasise of the study is on fingerprint biometrics system which has beenimplemented vastly over the years. This is due to the fact that it is cheap, accurate and easy toimplement as compared to other biometric systems available in market. In order to spreadbiometrics it is important to ensure security integrity of the product. Fingerprint is not onlybeing used in US or Europe It is also being implemented in south Asia and Middle East now.Once a product is famous in market the vulnerability increases. Vulnerabilities are ofdifferent nature with regards to biometrics.Biometric threats are also interlinked with computers as well, because at a level theinformation is stored on computer based databases. Hacker can attack the database and stealthe template that holds the important information. Hence, the template is the core part of thebiometric system. The third chapter is going to focus more on the work of other authors,describing what they have implemented so far and will also highlight the limitations and Page | 8
  • 9. University of Glamorganweaknesses. This study is based on these hypothetical literature and concepts to securebiometrics. The fourth chapter will keep main focus on the template, which will explain howthe template is acquired and which sensor is being used in this study. It will also explain themechanism of the sensor and how the image is acquired. Finally will cover, what are thecharacteristics of a template. This information will help us to understand the weaknesses andhow to overcome the weakness of the computer based biometric vulnerabilities.After carefully understanding the current biometrics system, and threats, this study provides asolution based on combination of different technologies and previous research in chapter five.This solution will provide more security to the biometrics system which is very necessary. Asbiometric traits are the features of human being this cannot be replaced or altered.SummaryThis chapter explains about the structure of this paper. It begins explaining the origin andreason why it is important to work on biometric template. Biometric template which is notonly the soul of the system but it can be used against the system. This study will prevent thehackers or attackers to replace and modify the template. The solution proposed in this study isnot only efficient and robust but also cheap and easy to implement and provides a backwardcompatibility as it is on software level. All topics are explained step by step helping tounderstand the biometric system and solution for the threats. Page | 9
  • 10. University of GlamorganC hapter 2 Introduction to Biometrics System Threats and Vulnerabilities Page | 10
  • 11. University of GlamorganCurrently, information is mainly secured by using password or some memorable informationfrom the end user. This type of authentication system is not secure because if someone canretrieve a bit of information out of end user they can access their bank accounts and personalcomputers. These weaknesses in standard validation systems can be avoided if we can usehuman body for validation.The word biometrics originated from the Greek language, Bio means life and Metron meansmeasures. Modern day technology companies are trying to embed biometrics system with inhardware and gadgets.Biometrics is being used almost and it has some befits e.g. reduced cost, easy and simple userfor end user, less need for system support and improved security for the business owners.Now a day it is being used in many organizations and with many devices e.g. ATM’s,Passport authentication, border controls, ID cards, Computer system user ID authentication,Physical access control and fraud prevention.With the passage of time government and organization are looking forward to improve andimplement biometrics systems for better security. Forecast growths in the market ofbiometrics systems have showed a huge change since 1999. $2,500.00 $2,000.00 $1,500.00 Millions of Dollar $1,000.00 $500.00 $0.00 1999 2000 2001 2002 2003 2004 2005 Figure 1 Forecast for Biometrics Market 2003There are many biometrics systems available in the market which I am going to discuss lateron but fingerprint scanning systems is amongst the leading ones. In 2001 it was half of themarket was claimed by the fingerprint scanning devices. According to Dan riley, vicepresident of SecuGen “One of the main reasons was because fingerprint identification andverification is a very old, tried-and-tested technology, with lots of confidence in thetechnology and the ability to develop excellent-quality, low-cost solutions,” (Biometrics2001). Finger Scan Voice Scan 10% 49% 15% Signature Scan 12% Iris Scan 1% 6% 3% 4% Figure 2 Biometrics Device Market 2003 Page | 11
  • 12. University of GlamorganThe reason why finger print biometrics system are being used so widely all over the world isbecause it is one of the earliest methods implemented to identify a person. Nevertheless, thereare still some organizations that do not adopt this mechanism as they think it is not veryauthentic. Companies are trying to improve and evolve it which we are going to discuss lateron.As we speak about the cost of biometrics devices fingerprint are once again the cheapest oneswhich are available in market and can purchase from 60$ to 130$ in market from manydifferent vendors. Comparatively, iris scan is four to six time expensive than fingerprintscanners. According to British National Physical Laboratory facial scan has become thirdlargest amount revenue in world. (Biometrics 2001)2.1 History of Biometrics SystemsBiometrics has been previously related to forensics science. Modern day biometrics system ismore related to forensics than security purpose. According to CSI survey 15% out of 687organizations are using biometrics system.Early references to biometrics, as a method to identify a person were around thousand yearback. East Asian potters use to place their finger print on products as a brand identity. Inancient Egypt trusted traders were identified based on certain characteristics such as height,eye colour and complexion. (JD.JR., Biometrics Background 2000)Biometrics was not very famous as field in late 18th Century when to police clerks from Parisfound a solution that taking measurement of different body parts of adult can identify theconvicted criminals as the body parts of adult don’t change overtime and can be used toidentify later on. (Record 2002)The Bretillon system, also known as bretillonage and anthropometry has been widelyaccepted. It is used around the world for decades depict a series of Bretillon measurements asthey were used in USA at the beginning of 20th century. The measurements included thewidth and length of the head and of the right ear, the breadth of the outstretched arms, thelength of the left foot, the left form arm and the left little finger as well as the body and trunkheights. (Canton 2203) Figure 3 Bretillon Measurement System (York 2003) Page | 12
  • 13. University of GlamorganAn abrupt end to the use of anthropometrics was caused by an incident in 1903, when twoidentical twins, that in later investigation were discovered to be separated at birth, wereregistered at the united state penitentiary at Leavenworth, Kansas with measurement as closeenough to identify as one person. They looked exactly the same so the identification was onlypossible only using fingerprints. (Canton 2203) Figure 4 Bretillon Fingerprint Card (Figure 4) (York 2003)In 1891 the inspector general of Bengal police, Sir Edward Henry, got interested in the workof Sir Francis Galton and others considering fingerprints as a mean of identification. In 1896an order was issued by Henry, which in addition to Bretillon finger prints should be takenfrom every prisoner. With the help of his assistant he was able to make classification systemallowing thousand of fingerprints to be easily filled, searched and traced. Henry was assignedas Assistant Commissioner of Scotland Yard in 1901 where the first finger print bureau wasestablished in the same year. After the failure of anthropometry in 1903, the Henryfingerprint system quickly gained worldwide acceptance as the means of identifyingcriminals. It is still used in much the same way today (Record 2002).Automated means of human recognition first appeared as an application for physical accessin the early 1970s. One of the first commercially available biometrics system was a fingermeasurement device called identimat, which was installed n 1972 to serve a wall streetcompany, Shearson Hamil, as a time keeping and monitoring application. (JD.JR., N.M andP.T, Biometrics Identity Assurance in The Information Age 2003)2.2 Biometrics TraitsThere have been many human characteristics used to identify human for biometrics application. Tocategorize human characteristics some question come in mind, what are the requirements? Are thereany general identifiers? What are the technologies can they meet the general requirements? Thissection is going to cover the answers to these questions.2.2.1 Requirements for Biometrics TraitsThere are some general requirements which should meet to qualify with a Biometric system. • Universality: Every Human Has. • Uniqueness : This Means That Trait Should Be Different From Person to Person • Permanente : The Trait Should Not Change With Time • Collectability: The Trait Can Be Measured Page | 13
  • 14. University of GlamorganAccording to (A.K., S and S 1999) there are some more factors which should be considered forcategorizing traits. • Performance: To achieve the best possible identification environmental factors should be consider with the combination of minimum cost. • Acceptability: Future user should accept the system. • Circumvention Resistance: It should be difficult to fool with the system. • Cost Effectiveness: Maintenance and installation should be in reasonable cost.We cannot find all the characteristics or requirements in a single biometrics device but eachsystem or device has its own strength and qualities.2.2.2 Classification of Biometrics TraitsAccording to the National Institute of Standards (2003) Biometrics system is divided into twocategories of biological measurements. • Physiological Characteristics • Behavioral Characteristics Figure 5 Different Human Traits (Figure 5) i. Physiological CharacteristicsThese traits are obtained from the human anatomy e.g. DNA, Fingerprint, and Face, Iris or theretina. Data is generated by the analysis and the measurement of structure of the human bodyparts.It is important to understand that physiological traits are not necessarily genetically determined;therefore, a differentiation between genotype and phenotype features must be made. (Daugman1999) • Genotype There are about 1% people in world, that have similar genetic code or in other words we can say they are monozygotic twins. An example which we have discussed of west Page | 14
  • 15. University of Glamorgan brothers, in genetics monozygotic twins share all their characteristics like blood group, DNA structure and gender etc. • Phenotype These are the features which are unique unlike to genotypic features. In the west brothers for example finger prints were use to identify them. Fingerprints and iris are one of the examples of phenotypic characteristics.Some features can expose both genotype and phenotype factors of a human like face whichchanges throughout the age, but still identical twins can look similar in any stage of age. ii. Behavioral CharacteristicToday if we want to open a bank account in the UK, they require our signatures on a device andlater on if you want to make a query regarding your account they match your signature with thestored information on the computer. Human has some behaviors which are unique from person toperson. According to International Biometrics Group “Behavioural characteristics are based onan action taken by a person. (Group 2003) Behavioural biometrics, in turn, is based onmeasurements and data derived from an action, and indirectly measure characteristics of thehuman body. Voice recognition, keystroke-scan, and signature-scan are leading behaviouralbiometric technologies. One of the defining characteristics of a behavioural biometric is theincorporation of time as a metric – the measured behaviour has a beginning, middle andend.” (Group 2003)Humans, learn their behaviour or are trained hence it can be changed. By the passage of timewith the growth of age prominent changes also occur in the behaviour of human so itbecomes more difficult to achieve them. (JD.JR., N.M and P.T, Biometrics IdentityAssurance in The Information Age 2003) Still behavioural characteristics can be used asbiometrics traits even if they are not permanent. Below in the given table you can see thecategorization of biometrics traits in groups. There are some traits which are not used widelyin the table e.g. Blood Chemistry and body odour. But we are going to study commonly usedtraits in detail. Category Biometrics Trait Hands Fingerprints Palm Prints Hand Geometry Hand, Palm and Wrist Vein Patterns Spectroscopy Skin Analysis Nail bed Scanning Head and Face Face Recognition Iris Retina Ear Shape and Size Other Physical Characters Body Salinity Blood Chemistry Body Odor Page | 15
  • 16. University of Glamorgan DNA 3D Thermal Imaging Neural Wave Analysis Behavioral Characteristics Gait Pattern Voice Recognition Signature Recognition Keystroke Dynamics Figure 6 Table 1 Biometrics Trait2.2.3 Comparison of Biometrics Trait and TechnologyTo get a better understanding of why some technologies are more preffered and are being usedwidely in market, we have to create a table based on analysis and perception of (A.K, R and S,BIOMETRIC- Personal Identification in Network Society 1999) and (Corporation 2002). Perform effective Accepta Perman Univers resistan Circum vention Unique Collect ability Cost- bility ance ence ality ness ness Characteristics Finger Print Med Hi Hi Med Hi Med Med Med Hand Geo. Med Med Med Hi Med Med Med Med Retina Hi Hi Med Low Hi Low Hi Low Iris Hi Hi Hi Med Hi Low Hi Low Face Hi Low Med Hi Low Hi Low Med Vascular Pat. Med Med Med Med Med Med Hi Med DNA Hi Hi Hi Low Hi Low Low Low Ear Shape Med Med Hi Med Med Hi Med ? Body Odor Hi Hi Hi Low Low Med Low ? Facial Thermo. Hi Hi Low Hi Med Hi Hi Med Voice Med Low Low Med Low Hi Low Hi Signature Low Low Low Hi Low Hi Low Med Keystroke Low Low Low Med Low Med Med Hi Gait Pattern Med Low Low Hi Low Hi Med ? Figure 7 - Table 2 Traits ComparisonIn the table we can see that the comparison is based on available technologies based on availablebasic eight requirements. They have been compared using “Hi”, “Med” and “Low”. Question Page | 16
  • 17. University of Glamorganmark indicates that the data is not available. Cost effectiveness of biometrics system has not beencalculated yet of some technologies.From the above chart we can conclude many results as explained below. • Behavioral biometrics performance is not as good as we compare it to physiological. • Permanent traits are DNA, Iris, Retina Body odor and Fingerprint. • DNA and Facial Thermograph shows better performance in the chart, Body Odor shows that it is unique permanent and universal. Iris and DNA can make a very strong biometric. But some technologies still need improvement like Body Odor. • Biometrics system like DNA and Iris are expensive comparatively Fingerprint and Hand Geometry are cheaper. • Acceptability is higher when information or data is gathered without the information of end user e.g. Facial Thermograph and ear shape recognition. User mostly likes to provide identity which they are familiar with like voice recognition and signature dynamics.2.3 Biometrics User AuthenticationIn early days to identify a person some sort of physical information used to be stored. Thisinformation was in several formats e.g. Picture, Physical measurements, Fingerprint or a picture.Modern days same methods are used in a different way, these information are kept into a databaseand then cross matched to verify a person.But sometimes due to injuries or accident we cannot authorize a person. In one case a person hadhis burnt his finger accidentally hence the prints were damaged so when he tried to scan his fingerfrom the device it was not allowing him to do so.People, have the tendency to leave their information where ever they go e.g. latent finger prints onsurfaces, recorded voice print and video recording of face can generate bogus authentications.Secondly a trained attacker can intercept the information stored in the database and replace themwith the fake one. Therefore, accurate information is only possible if the system can ensure thatthe information stored in the system is of the live people. (JD.JR., N.M and P.T, BiometricsIdentity Assurance in The Information Age 2003)Even though biometric technologies are far from being an authentication panacea, they represent avery promising method, especially when combined with other authentication techniques. (A.K, Rand S, BIOMETRIC- Personal Identification in Network Society 1999)Again, it has been demonstrated that every system created by human is defeated by human. Interms of authentication techniques, all factors suffer from fundamental weaknesses. (JD.JR., N.Mand P.T, Biometrics Identity Assurance in The Information Age 2003)Every authentication system can be cracked e.g. Information like password and pins can behacked. Properties like cards can be stolen and biometric information can be swapped bysomeone.Some systems accept two types of authentication token based a knowledge based. For instance,when we need to make a transaction from the ATM, we have to swipe in the card then enter thepin. In 1999 25% people write down their pins on the card and due to these companies had to facehug loss. (Anil K. Jain 1999)Now suppose we replace the pin with biometrics authentication. Let’s take Iris scan, as a personalidentifier some companies already tried to use it as a replacement of PINs. Page | 17
  • 18. University of Glamorgan Figure 8 An Example of Biometric ATM MachineThere might be some complications like position problem of user but if it is implements it will befar stronger then PINs.2.4 A Standard Biometric SystemApart from the technologies, whether it is an iris, finger print or DNA all biometric devicesfollow almost similar mechanism I m going to explain it in detail below. A biometrics systemis based on five basic subsystem according to (Jhon D. 2003) and (J.L. Wayman n.d.) For i.e.acquisition, transmission, signal processing, data storage and decision policy. Data Signal Decision Policy Matching Review Pattern Biometric matching Match ? Quality Score Presentation Quality Control Accept ? Sensor Extraction Sample Sample Template Yes/No Transmission Data Storage Compression Templates Expansion Sample` Transmission Images Channel Based on (John D. Woodward 2003; J.L. Wayman August 2002) Figure 9 Biometric System Components Page | 18
  • 19. University of Glamorgan i. Data Acquisition(James Wayman 2004) States that biometric data flow begins with the collection ofphysiological and behavioural characteristics and every biometric system is based on twoassumptions. • Uniqueness: Biometric trait is distinctive among all human beings. • Repeatability: Measurements can be repeated over time Figure 10 A Sample Finger Print InputA sensor is used to measure characteristic of an individual. For each system biometric systemis standardize so if information is collected from one system can be matched on other systemsas well. The information captured by the sensor is stored into database as a template. Everytemplate has its own attributes depending on what type of trait is being used or read by thesensor. ii. TransmissionThe captured template is stored in a standard format e.g. image acquired by the sensor issaved as JPEG (Join Photographic Expert Group) facial images, WSQ (Wavelet/ScalarQuantization) for fingerprint and CELP (Code Excited Linear Predication) is used for voicedata. This information is then transmitted to data processing so it can be saved in thedatabase. Sometimes the sensor is located somewhere else and data processing is somewhereelse. During the transmission of the data compression is done to save the bandwidth. Due tocompression the quality can be poor. Developments in technologies are introducing newmethods of compression so loss can be reduced. iii. Signal ProcessingAs described in Figure 10, signal processing is performed in three steps, initially it is amechanism in which the template is created from the information that is received from thesensor. • Feature Extraction • Quality Control • Pattern Matching iv. Feature ExtractionIt is a mechanism in which the biometrics system extracts the required information out of thetrait from a particular biometric device. In this scenario, it is an iris scanner which willbe Page | 19
  • 20. University of Glamorganobserve how the feature extraction works with it. This task is performed by localizing the iris,pupil and both eyelid boundaries, excluding pupil and eyelashes from the photo and creatingan iris mapping that are invariant to size, distance, magnification and pupil dilation. After thatan iris code is generated(Daugman 1999) we will discuss it later. v. Quality ControlAfter the feature extraction a quality check is performed which calculates the score output. Ifthe received signal from the device is insufficient and there is some incomplete information.For e.g. If there is some dust on the sensor or some metal is on the sensor, automatically arequest is sent back to the user for rescan. There have been many major updates in qualitychecking in biometrics system in past few years. vi. Pattern MatchingAfter the extraction and quality check pattern matching is performed, if there is a mismatchwith the data, the enrolments takes place. This is the process in which new user enrolshimself and the information is stored in the data base along some external information passedby the system owner or administrator.There are two types of enrolments further in one case if user claims about an identity then thematch is 1:1 otherwise system has to perform a 1: N match. In which the pattern is matchedwith all the available templates in database. As a result of matching the decision policysystem checks the score which is a measurement of similarity between the database templatesand the one extracted from the device. vii. Data StorageAfter signal processing these templates are stored to a database management system so whena user enrol system can make a comparison, Databases for biometrics systems varies fromsystems to systems depending on the nature of application.For systems which are based on 1:1 matching. Templates are stored on something which canbe in possession of an individual e.g. magnetic strip cards or smart cards. When someonetries to identify them the system asks for a token and then verifies the image with thetemplate on the card. The database is used in such cases as well.In 1: N matching systems a centralized database is designed. These kinds of systems performbetter and also the occurrence of faults and errors can be vastly reduced. These databases aredivided then into smaller partitions. In this way the templates are matched with correspondinginformation in the database instead of whole database. viii. Decision PolicyThis subsystem determines the results of the match whether they are right or wrong. Theseresults are based on quality score and matching score received from the signal process. Forsome systems, it can be very simple but for alternatives it can be sophisticated e.g. a simplesystem might have a matching score and if a signal generates the highest score it is matched. Page | 20
  • 21. University of GlamorganIn a sophisticated system there can be many factors i.e. time variant threshold, user dependantand high score.2.5 Threats to Finger Print Biometric SystemWhen a hacker attacks a typical system it is difficult from a biometric security system. InDenial of Service Attack and attacker corrupts the authentication so the users cannot use it.Hacker bombards so many bogus access requests on biometric system, an onlineauthentication server that processes access request to a point where the server’s resourcescannot handle any more queries. In circumvention, an attacker gains access of the system bydestroying the authentication application. This threat can lead us to the modification of dataor access to the information which is not allowed to access by external users. (Maltoni 2005)In contamination attacker copies the biometric information of a user e.g. a fingerprint fromthe surface and use that print to access biometric security system or access the information. Inrepudiation attacker denies that he accessed the system and can argue that False Accept Ratephenomenon associated with biometric system might caused the problem. In collusionlegitimate user with wide privilege to the system is that attacker (System Administrator)(Maltoni 2005).2.6 Threat VectorsUnderstanding how biometrics is categorized based upon the physical properties. Similarlybiometrics attacks are performed on the system at different levels, some of these attacks areon physical level and with the personal contact with biometric system e.g. bogus biometricattack is a type of physical attack in which attacker uses latent fingerprint and use it on thesystem to compromise with security. After compromising the security it can manipulate thesystem steal personal information of a person and let access to unauthorized people to acertain area. This section will explain how many types of attacks can be performed on whichstage during a biometric process which has been explained above in detail.We have discussed some types of attack above; according to (N.K. Ratha 2001) there areabout eight types of attacks which can be performed on a typical biometric system. Thesepossible attacks areas are called threat vectors. 1 Sensor ` 2 7 6 3 Feature Extraction 4 5 Matcher Template Database 8 Decision Figure 11 Possible Areas of Vulnerabilities Based on (N.K. Ratha 2001) Page | 21
  • 22. University of GlamorganComputer systems have been the target of attacks from a variety of sources almost since theywere first used. Early examples of exploitation were generally related to fraud. In more recenttimes, hackers, organised crime and a variety of other cyber-criminals have attackedcomputer systems. Information systems also have to deal with viruses, worms and Trojansseeking to disrupt systems or steal data. Again, this is not unique to biometric systems andthere are now well-established standards, frameworks, policies and process as well aslegislative support, for the protection of information systems. The most important factors areproper systems and security design and proper implementation and on-going management,rather than the use of biometrics per se. (Roberts November 2005)The first threat to biometrics technology was recognized by several authors (D, et al. 2003)(A.K., S and S 1999) (G.L and F 2003). When an authentication is used on large scale, thereference database has to be made available to many different verifiers, who in general,cannot be trusted. Especially in a network environment, attacks on database pose a seriousthreat. It was shown explicitly by Matsumoto et al (G.L. and F 2003). that using informationstolen from database, artificial biometrics can be constructed to impersonate people.Construction of artificial biometrics is possible if only a part of the template is available. Hill(A, A.K and J 2003) showed that if only a minute template of a fingerprint is available, it ispossible to successfully construct artificial biometrics that pass authentication.The second threat was addressed by Schneier (S and A.K 2002). The problem is conciselyparaphrased by: “Theft of biometrics is theft of identity.”The threat is caused by the fact that biometrics contains sensitive personal information. It isshown by the author (A.K, R and S, BIOMETRIC- Personal Identification in NetworkSociety 1999) (T and F n.d.) (X and L 2003) That a fingerprint contains certain geneticinformation.2.7 Types of AttacksSchneier (B 1999) compares traditional security systems with biometric systems. The lack ofsecrecy (e.g. leaving fingerprint impression on the surface we touch), and non replace ability(e.g., once the biometric data is compromised, there is no way to return to a secure situation,unlike replacing a key or password) are identified as the main problems of biometric systems.(D, et al. 2003) Describe the typical threats, for genetic authentication application, which mayresult in quite different effects for traditional and biometrics-based systems. In Denial ofService (DoS), an attacker corrupts the authentication system so that legitimate users cannotuse it, for a biometric authentication server that processes access request (via retrievingtemplate from a database and performing matching with the transferred biometric data).Biometrics attacks have been categorized in three sections according to their nature as below.2.7.1 Physical AttacksThese attacks are mainly on the biometric devices sensor or biometric readers. Most of theseattacks have been performed on fingerprint biometric system. Page | 22
  • 23. University of Glamorgan i. False EnrolmentThe accurate data of legitimate user is enrolled, if it is fake then data will be accurate but itwill be matched incorrectly. For example a passport application once registered the systemdata will identify it and give privileges to the system ii. Bogus Physical BiometricsWe have numerously seen in the movies, when someone tries to access a security areabreaking a biometric system. Person uses a fingerprint left from some surface. This vector ismost prominent one from all. This attack is performed without any technical knowledge it isvery cheap and easy in modern days when we have digital cameras. These attacks are madeonly on iris, palm and fingerprint biometrics systems.• Bogus Digital Biometrics When we talk about biometrics attacks, masquerade attacks are on the top of list. They are fake digital patterns which are used to break biometrics systems. Second ones are reference attacks in which attacker gathers technical information of a biometrics system and has digital copies of the templates to replace them from the database or during the enrolment.• Latent Print Reactivation Human sweats glands produce oil which sweats from hands. When someone touches surface marks of print are left on it. These prints can be copied and used on biometrics devices. These types of attacks are done on finger and palm print reader.2.7.2 Computer Based AttacksIn this type of attack mainly the target is computer system i.e. server, databases or networksconnected with the system.i. Override Feature ExtractionIn this type of attack hackers interfere with the feature extraction process, this attack is alsoused to disable a system or for DoS. It is usually conducted on hardware or softwarefirmware.ii. System ParametersIn such kind of attacks system parameters are changed. If someone changes the percentage orscore of FAR (False Acceptance Rate) that will result that poor quality data can be verified.iii. Match overrideIn these types of attacks, matching decisions are changed or ignored. Parameters are changedby authorised person only or the hacker should have access to the system.iv. Decision OverrideThis is also called a bypass attack which ignores all the process. In this type of attack the Page | 23
  • 24. University of Glamorgandecision is changed data is injected the decision. In this type of attack some physicaltempering may be involve.v. Modification of RightsIf someone gets unauthorised access to system administration accounts and creates a userwith admin privileges. This can cause a DoS attack.vi. Systems InterconnectionsIf two systems are interconnected it is possible to get two types of threats, one is from theexternal system which is interconnected with biometrics system and second one is thenetwork which is connecting the two systems. Usually these kinds of threats are handling bythe people administrating biometrics systems.vii. System WeaknessesWeaknesses and Flaws in the design of a system may create some vulnerability. Some timeorganizations use customization and integrate their Biometrics security system with thesecondary system. These weaknesses maybe occur in• Operating Systems i.e. Server or clients• Storage Management i.e. Operating Systems• Biometrics Software• Database• Sensors• System ConfigurationsThese problems are noticeable in other technologies as well as biometric systems but we haveto accept these as weaknesses which may lead hacker to compromise with the system.viii. Denial of Service AttackDoS are the worst vector threat. They vary in different types of attack from power loss tosystem attacks design to corrupt biometrics security systems. Changes in the environmentalcondition dust or light can change the quality of biometrics sensor reading. Adding electricalor radio frequency can corrupt the data e.g. spilling liquid on sensor or introducing portablelight to the sensor. DoS attacks are usually noisy and they can be noticed easily.2.7.3 Template AttacksThese attacks are mainly on templates and are usually on databases. The nature of theseattacks is modification of template and then attacker compromise with the system. i. Reuse of ResidualIn some biometric systems templates are stored in temporary memory after extraction. Ifhacker gains access to the memory, they can copy the information and use it next time. Page | 24
  • 25. University of Glamorgan ii. Data InjectionThis type of attack both the system and stored data are compromised. If attackers gains accessto the system, it would be easier to manipulate data in the database as it is not encrypted. Forthese types of attack system and template knowledge is essential. iii. Template ModificationTemplates are stored on different media (Cards, Tokens or Biometrics Devices). In this typeof attack hacker modifies or adds information to the storage media. In this type of scenarioinformation is added and then unauthorised access is allowed by providing a false ID. iv. False Data InjectionThis type of attack takes places in three steps. The attack can also be placed in the categoryof man in middle attack. First the data is intercepted when sensor transfers the information toprocessing system. Mostly this is don’t on physical level e.g. data is stored on a card or RFIDand it is unencrypted first. Secondly, the data is modified and then finally the signal isreplayed. Encryption of the data increases the complication of the data and also is used as adefence strategy. v. Synthesised Feature VectorHill Climbing is a technique which is mentioned in various articles on biometric security.According to (Anil K. Jain 2005) in this technique false biometrics information is injectedinto the system but every time the changes into templates are made which can increase thematching score. In this technique access to system match score and communication channelsis necessary.(Anil K. Jain 2005)Templates attack is different from above mentioned two attacks as they can be secured byseveral security measures. If a template is copied once system can compromise to someextent which can grant access to attacker to any level. This paper will mainly focus ontemplate attacks.SummaryThis chapter explains traits, mechanism of biometric system and threats to biometric systems.Biometrics is divided based or different properties called biometric traits, which arecategorized under physical and behavioural traits. Mechanism of biometric system has beenexplained in depth from the acquisition of biometric trait to storage in database andverification of a user. By understanding in detail a typical biometric system threats can beoutlined. These threats are further segmented based on their nature. • Physical • Computer Based • Templates AttackTemplates attacks are most dangerous attack in biometric system. As if a template is acquiredand attacker can compromise with the system then nothing can be done on physical andcomputer based security. Page | 25
  • 26. University of GlamorganC hapter 3 Previous Work and Limitations Page | 26
  • 27. University of Glamorgan3 Different ApproachesAnalysing the above mentioned attacks, an attacker can clandestinely obtain biometric data oflegitimate users e.g. lifting a latent fingerprint and constructing a three-dimensional mouldand use to access system. Further the biometric data associated with specific application canbe used to another unintended application e.g. it can be used to retrieve medical records.Cross application usage of biometric can be more often as many organizations preferbiometric applications. (D, et al. 2003)The problem may arise from the above mentioned attacks on biometrics systems are raisingconcerns as more and more biometrics systems are being deployed both commercially and ingovernment applications. (Enhanced Border Security and Visa Entry Reform 2002) This isalong with the increase in the size of the population using these systems and the expandingapplication areas i.e. visa, border control, health care, e-commerce etc. may lead to privacyand security related breaches.As I have discussed several types on attacks on biometric system. There are some attacksmentioned above which are mainly related to biometric templates. The template is the core ofa biometric system. In this paper I am going to propose a system which will reduce the threatsto template modification or bogus attack on a fingerprint biometric system.Several work has been done on biometric template security, but not been implementedpractically in any biometric technology. In order to prevent hill climbing attack Southar (Cn.d.) has suggested the use of coarsely quantized match scores by the matcher. HoweverAdler (A. A May 2004), demonstrated that it is still possible to estimate the unknownenrolled image although the number of iterations required to converge is significantly highernow.Yeung and Pankanti (M and S 1999) describe an invisible fragile watermarking technique todetect regions in a fingerprint image that has been tampered by the attacker. In the proposedscheme the chaotic mixing procedure is employed to transform visually perceptiblewatermark to a random-looking textured image in order to make it resilient against attacks.This mixed image is then embedded in fingerprint image. The author shows that the presenceof the watermark does not affect the feature extraction process. The use of watermark alsoimparts copyright capability to identifying the origin of the raw fingerprint image.IBM is one of the leading vendors in biometrics industry. Many of IBM products have builtin fingerprint sensors i.e. laptops. IBM suggested that if the techniques presented here fortransforming biometric signals differ from simple compression using signal or imageprocessing techniques. While compression of the signal causes it to lose some of its spatialdomain characteristics, it strives to preserve the overall geometry. (N.K., J.H. and R.M. 2001)That is, two points in a biometric signal before compression are likely to remain atcomparable distance when decompressed. This is usually not the case with our distortiontransforms. Our technique also differs from encryption. The purpose of encryption is to allowa legitimate party to regenerate the original signal. In contrast, distortion transformspermanently obscure the signal in a noninvertible manner (N.K., J.H. and R.M. 2001). Page | 27
  • 28. University of GlamorganFerri (L, et al. 2002) proposed an algorithm to embed dynamic signature features into faceimage present on ID cards. These features are transformed into a binary stream aftercompression (used in order to decrease the amount of payload data). A computer generatedhologram converts this stream into the data that is finally embedded into blue channel of theimage. During verification the signature features hidden in the face image are recovered andcompared against the signature obtained on-line, Ferri (L, et al. 2002) report that anymodification of the face image can be detected, thereby disallowing the use of fake ID cards.On the other hand Jain and Uludag suggest the use of steganography principles to hidbiometric data in host image. This is particularly useful in distributed systems where rawbiometric data may have to be transmitted over a non secure communication channel.Embedding biometric data in an innocuous host image prevents an eavesdropper fromaccessing sensitive template information. The author also discusses novel application wherein the facial features of a user are embedded in a host fingerprint image. In this scenario, thewatermarked fingerprint image of a person may be stored in a smart card issued to that personat an access control site. The fingerprint of the person possessing the card will first becompared with the fingerprint present in the smart card. The eight coefficients hidden in thefingerprint image can then be used to reconstruct the user face thereby serving as a secondsource of authentication (A.K and U, Hiding Biometric Data 2003).Pros and ConsIn summary, their published work attempts to deal with the biometric template security issue.Some of them address how to handle biometric based key schemes. The most promisingapproaches tolerate the variations in biometric solutions, but few of them are practicallyfeasible for biometric template as the rate of matching biometric template decrease with thevariations.This paper will work on the purposed solution provided by Jain and Uludag mentioned.Steganography can be used to hide encryption inside the template. Steganography will bediscussed in detail in chapter five. This paper will introduce an application which will usesteganography with fingerprint biometric template on software template. This is easy androbust also it can be used with previous hardware.SummarySecurity has been concern since long time and people have been working on it. Similarlygoes with biometrics. Authors directed our attentions to different threats and providedpossible solutions over the years. Some of the solutions were implemented practically butresults were not desired. Improvements have been made in such areas specifically talkingabout fingerprint biometrics watermarking and steganography helped a lot in encryption ofbiometrics. Page | 28
  • 29. University of GlamorganC hapter 4 Fingerprint Sensor and Image Page | 29
  • 30. University of GlamorganModern day organizations are developing their own solutions for business purpose. Thesebusinesses are running on internet and millions of users are logging into the websitepurchasing products and spending money over the internet through credit cards. There is noproper authentication system available for end user over the web apart for traditional securityasking for memorable question or security pin etc. In this section I am going to explain anddesign a solution for modern business, which can be implemented easily and integrated withany software and hardware of fingerprint biometric system, also providing moreauthentication and security to the product.Indeed, a growing number of financial services firms’ are strongly considering the use ofbiometrics technology, sooner rather than later, because of heightened security concernssparked by the Sept. 11 terrorist attacks and skyrocketing fraud rates. Biometric identificationsystems use individuals unique physical or behavioural characteristics, such as fingerprintsor voice patterns, to identify them. (Mearian n.d.)According to Meridien Research Inc. in Newton, Mass., consumer fears and losses due tofraud are a strong enough incentive for institutions to invest large sums of money inbiometrics. And with 500,000 cases of identity theft in the U.S. each year, consumers areready to accept biometrics at the cost of increased privacy and more intrusive methods ofidentification, according to a recent report by Meridien. (Mearian n.d.)Many software vendor organizations are providing solutions for e business to protect identitytheft. These solutions are software based totally and any fingerprint hardware can integratewith them. These software integrations are quite simple and flexible. Companies can usebiometrics system in any department and for any purpose. Similarly this biometric softwarecan be use over the internet. Suppose a customer needs to get online and purchase a productfrom a web site. At the time of payment when the verification is required customer is using abiometric verification by using fingerprint scanner, instead of providing information relatedto its bank account. This can prevent the attacker from getting information of the user andreduce the risk to identity theft. This type of solution is not expensive as now a day’s manyhardware vendors are providing built in fingerprint sensors.The question which arise here is that how much secure is this type of solution over internet,considering the above mentioned attacks on a biometric system in chapter two. An attackercan perform a DOS attack on the system or decision override. Also can inject new templateinto the system and make changes to the template information inside database. First of all themain threat is to be point out. As mentioned above mostly attacks are done on templates andfive types of template attacks are available.4.1 Biometric ScannersBefore continuing further, a question arises that what is this fingerprint template which hasbeen stated so many times. Most of the personal recognition systems do not store fingerprintimage itself but store only numeric data after extracting the feature from the image.Sometimes it may be important to save the acquired image into the database.The first fingerprint scanner was introduced about thirty years back. Before that ink techniquewas used this is still being used by law and enforcement agencies. AFIS has created adatabase over the years which contains both fingerprint images acquired offline and live scanscanners. (D, et al. 2003) Page | 30
  • 31. University of GlamorganThe offline fingerprint is usually taken by spreading black ink on the finger and then theimpression is taken on a paper. This impression is later on converted into digital format withthe resolution of 500 dpi. (D, et al. 2003)For live scan fingerprint scanners are used. Most important part of the scanner is sensor.There are three types of fingerprint sensors are available in the market. Optical solid state andultrasound (D, et al. 2003) in this paper optical sensor will be discussed only.4.1.1 Optical SensorsIn this paper more emphasis will be on optical sensor as it will be used further. A simpleoptical sensor is based on three components 1. Prism 2. Light 3. CCD or CMOS Figure 12 Optical SensorThis is the oldest and most live fingerprint scanning technique used today. The finger touchesthe top side of the glass prism, but when the ridges touch the surface the valleys remains on acertain distance as shown in the image. Light is illuminated from the left side from lightemitting diodes. The light is then reflected randomly from the prism and focused through alens on CCD or CMOS. (D, et al. 2003)When the finger is very dry, it does not make a uniform contact with the sensor surface. Toimprove the formation of fingerprints from dry fingers, whose ridges do not contain sweatparticles, some scanner producers use silicon coating, which favours the contact of the skinwith the prism. With the aim of reducing the cost of optical devices plastic is nowadays oftenused instead of glass for prism and lenses, and CMOS cameras are mounted instead of moreexpensive CCDs. (D, et al. 2003) Page | 31
  • 32. University of Glamorgan4.2 Fingerprint ImageAfter the impression is taken from the sensor, it is then converted into image file which is inmost of the cases is in .Jpeg format. There are some parameters for the characterisation offingerprint image which is as following.4.2.1 ResolutionThis indicates the number of dots or pixels per inch (dpi). 500 dpi is the minimum resolutionstandard for FBI-complaint scanners and is met by many commercial devices. 250 to 300 dpiis probably the minimum resolution that allows the extraction algorithms to locate theminutiae in fingerprint patterns. Minutiae play a primary role in fingerprint matching, sincemost of the algorithms rely on the coincidence of minutiae to declare whether the twofingerprint impressions are of the same finger. (D, et al. 2003) Figure 13 Fingerprint Template ResolutionIn Figure 13, there are samples of same fingerprint image in different resolutions. It is clearthat decreasing the resolution size of image can affect the matching algorithm.4.2.2 AreaThe size of rectangular area sensed by a fingerprint scanner is a fundamental parameter. Thelarger the area is the more ridges and valleys are captured and more distinctive the fingerprintbecomes. An area greater than or equal to (1 X 1) as per FBI standards permits a full plainfingerprint impression. Recently companies are reducing the area to reduce cost and to have asmaller device size. (D, et al. 2003)4.2.3 Number of PixelsThe numbers of pixels can be simply derived by the resolution and the area. A scannerworking with r dpi over an area can be expressed by. (D, et al. 2003)Height (h) × width (w) inch2 = rh × rw pixels Page | 32
  • 33. University of Glamorgan4.2.4 Dynamic Range (or depth)This denotes the numbers of bits used to encode the intensity value of each pixel. Colourinformation is not useful for fingerprint recognition and therefore almost all the availablefingerprint scanners acquire greyscale images. The FBI standard for pixel bit depth is 8 bits,which yields 256 levels of gray. Actually, some sensors capture only 2 or 3 bits of realfingerprint information and successively stretch the dynamic range to 8 bits in software. (D,et al. 2003)4.2.5 Geometric AccuracyThis is usually specified by the maximum geometric distortion introduced by the acquisitiondevice, and expressed as a percentage with respect to x and y directions. Most of the opticalfingerprint scanners introduce geometric distortion which, if not compensated, alters thefingerprint pattern depending on the relative position of the finger on the sensor surface. (D,et al. 2003)4.2.6 Image QualityIt is not easy to precisely define the quality of a fingerprint image, and it is even moredifficult to decouple the fingerprint image quality from the intrinsic finger quality or status.In fact when the ridge prominence is very low, for example a manual workers and elderlypeople, when the fingers are too moist or to dry, when they are incorrectly presented to thesensor. Most of the scanners produce a poor quality image. (D, et al. 2003)4.3 Fingerprint StructureA fingerprint usually appears as a series of dark lines that represent the high, peaking portion of thefriction ridge skin, while the valley between these ridges appears as white space capacitive and arethe low, shallow portion of the friction ridge skin. Fingerprint identification is based primarily onthe minutiae, or the location and direction of the Ridge endings and bifurcations (splits) along aridge path. (http://cte1401-01.sp00.fsu.edu/holly.html n.d.) Figure 14 Fingerprint RidgesThe image presents an example of fingerprint features. The types of information that can becollected from a fingerprints friction ridge impression include the flow of the friction ridges, thepresence or absence of features along the individual friction ridge paths and their sequence, andthe intricate detail of a single ridge. Recognition is usually based on the first and second levels ofdetail or just the latter. Page | 33
  • 34. University of Glamorgan4.4 Fingerprint image SecurityAs it has been mentioned above, some of the some techniques were suggested by severalauthors in chapter 2. These solutions have not been implemented yet on any biometricssystem or to some extent they have been implemented but not available in market. This studywill provide a basic understanding of the structure and mechanism of fingerprint biometricand template, which will lead us toward the solution for securing the template. The idea is touse steganography with in biometric template to hide encrypted information to verify alongwith the biometric template. In this way if an attacker attacks a and manipulate the biometrictemplate it will not compromise with the system. The reason will be the template used toattack the system lacks the encrypted information which is stored in database.SummaryIt is necessary to understand the system before suggesting a solution. This chapter focuses onhow fingerprints are acquired and what are its components and how can we secure it. Addingsteganography in template is a challenge as it can affect matching algorithm. With theknowledge of template structure it can be clear how we can embed a key inside the imagewithout disturbing the template features. Also it will help to decide whether changes can bemade on hardware level. Page | 34
  • 35. University of Glamorgan Page | 35
  • 36. University of GlamorganC hapter 5 Design and Implementation Page | 36
  • 37. University of GlamorganAs mentioned above the aim of this study is to design an application which can increase thesecurity in fingerprint biometric systems i.e. security of biometric template. This hypothesiscan be achieved by creating a small module which can embed encrypted information into thetemplate and then decode it at the time of verification. The encrypted key will be stored in thedatabase separately for verification purpose. If the attacker replaces the template it can reducethe risk that template will compromise as lack of the computer generated encrypted key.To prove the hypothesis two applications are developed on different technologies. Oneapplication is on Microsoft VB .Net and Microsoft Access. The second application is onVisual C# and Microsoft SQL Server. The concept is same but both work on differentapproach which is explained in detail below.5. Device and SoftwareThe required Devices and Software is as following: • Computer for application development running Microsoft windows operating system • A biometric fingerprint reader with optical sensor. • Biometric software development kit (SDK) compatible with windows and fingerprint reader.The specifications of these devices are as following.5.1.1 ComputerThe computer which will be used in this study is a laptop machine specifications are asfollowing.Name DellModel Inspiron 6400Processor Speed 1.86 GHz Intel T2130 Genuine Figure 15 Dell Inspiron Page | 37
  • 38. University of Glamorgan5.1.2 Fingerprint ReaderThe Microsoft Fingerprint Reader has a small, efficient design. The device is almost threeinches long, and a little over an inch wide, and a quarter inch high with a weight of slightlymore than an ounce. The reader screen itself is a little over an inch long, and slightly less thaninch wide. A split red/silver circle encompasses the plastic reader screen. The reader itself isa slightly sticky plastic material. When the keyboard is on, the reader lights up in the sameway the bottom of the optical mouse do. Figure 16 Microsoft Fingerprint Readers5.1.3 Software Development Kit (SDK)The Software Development Kit (SDK) used in this application is from Griaule for visualbasic 2005 .Net.5.2. Griaule Software Development Kit (SDK)The SDK which is used in this study is Griaule Fingerprint SDK. It is the most efficient SDKavailable in marker at the moment which can be integrated into several languages and workswith many sensors. Some features of SDK are as following. • Plug and play for Microsoft fingerprint device. • Easy integration with applications • Very small template size 1KB approximately • Image can be stored along with the template • 1:1 and 1:N matching capabilities • Microsoft .Net support • FVC2006 recognised Page | 38
  • 39. University of GlamorganFVC compared several SDK and Griaule SDK results were highly accurate and stable inmatching with low error rates. Secondly Griaule provides easy integration with hardware andlanguage. One feature which Griaule SDK provides is storing image along with the templatein the database. Storing image of the fingerprint can help in embedding information usingsteganography.Before moving further it is important to understand what steganography is and how it can beused in securing template.5.3. SteganographySteganography is really nothing new, as it has been around since the times of ancient Rome.For example, in ancient Rome and Greece, text was traditionally written on wax that waspoured on top of stone tablets. If the sender of the information wanted to obscure the message- for purposes of military intelligence, for instance - they would use steganography: the waxwould be scraped off and the message would be inscribed or written directly on the tablet,wax would then be poured on top of the message, thereby obscuring not just its meaning butits very existence (Johnson 1995)According to Dictionary.com, steganography (also known as "steg" or "stego") is "the art ofwriting in cipher, or in characters, which are not intelligible except to persons who have thekey; cryptography" (Dictionary.com n.d.). In computer terms, steganography has evolved intothe practice of hiding a message within a larger one in such a way that others cannot discernthe presence or contents of the hidden message (Howe 1993 - 2001). In contemporary terms,steganography has evolved into a digital strategy of hiding a file in some form of multimedia,such as an image, an audio file (like a .wav or mp3) or even a video file.5.3.1. What is Steganography Used for?Like many security tools, steganography can be used for a variety of reasons, some good,some not so good. Legitimate purposes can include things like watermarking images forreasons such as copyright protection. Digital watermarks (also known as fingerprinting,significant especially in copyrighting material) are similar to steganography in that they areoverlaid in files, which appear to be part of the original file and are thus not easily detectableby the average person. (Schneier 1996) Steganography can also be used as a way to make asubstitute for a one-way hash value (where you take a variable length input and create a staticlength output string to verify that no changes have been made to the original variable lengthinput) (Schneier 1996). Further, steganography can be used to tag notes to online images (likepost-it notes attached to paper files). Finally, steganography can be used to maintain theconfidentiality of valuable information, to protect the data from possible sabotage, theft, orunauthorized viewing (Radcliff 2002).Unfortunately, steganography can also be used for illegitimate reasons. For instance, ifsomeone was trying to steal data, they could conceal it in another file or files and send it outin an innocent looking email or file transfer. Furthermore, a person with a hobby of savingpornography, or worse, to their hard drive, may choose to hide the evidence through the useof steganography. And, as was pointed out in the concern for terroristic purposes, it can beused as a means of covert communication. Of course, this can be both a legitimate and anillegitimate application. (Westphal 2003) Page | 39
  • 40. University of Glamorgan5.3.2. Steganography and Biometric Fingerprint ImageUnderstanding the idea of steganography, it can be quite useful to secure fingerprint image inthe database from attacker. Let’s suppose,5.4. Steganography Using .Net Algorithms and TechniquesThere are three different techniques you can use to hide information in a cover file:• Injection (or insertion)Using this technique, you store the data you want to hide in sections of a file that are ignoredby the processing application. By doing this you avoid modifying those file bits that arerelevant to an end-user—leaving the cover file perfectly usable. For example, you can addadditional harmless bytes in an executable or binary file. Because those bytes dont affect theprocess, the end-user may not even realize that the file contains additional hiddeninformation. However, using an insertion technique changes file size according to the amountof data hidden and therefore, if the file looks unusually large, it may arouse suspicion. (Weissnd)• SubstitutionUsing this approach, you replace the least significant bits of information that determine themeaningful content of the original file with new data in a way that causes the least amount ofdistortion. The main advantage of that technique is that the cover file size does not changeafter the execution of the algorithm. On the other hand, the approach has at least twodrawbacks. First, the resulting stego file may be adversely affected by quality degradation—and that may arouse suspicion. Second, substitution limits the amount of data that you canhide to the number of insignificant bits in the file. (Brainos nd)5.5. Generation of Steganography in .NetIn the substitution techniques, a very popular methodology is the LSB (Least Significant Bit)algorithm, which replaces the least significant bit in some bytes of the cover file to hide asequence of bytes containing the hidden data. Thats usually an effective technique in caseswhere the LSB substitution doesnt cause significant quality degradation, such as in 24-bitbitmaps.For example, to hide the letter "a" (ASCII code 97 that is 01100001) inside eight bytes of acover, you can set the LSB of each byte like this: 10010010 01010011 10011011 11010010 10001010 Page | 40
  • 41. University of Glamorgan 00000010 01110010 00101011The application decoding the cover reads the eight Least Significant Bits of those bytes to re-create the hidden byte—that is 0110001—the letter "a." As you may realize, using thistechnique let you hide a byte every eight bytes of the cover. Note that theres a fifty percentchance that the bit youre replacing is the same as its replacement, in other words, half thetime, the bit doesnt change, which helps to minimize quality degradation.5.6. Fingerprint Image and Steganography5.6.2 Application StructureClassesClasses used in this application are as below• InputBox.cs• DBClass.cs• Util.csThese classes are provided with fingerprint SDK samples and provide method to acquireimage from sensor and extract features.References• AxGrFingerXLib• GrFingerXLib• Stdole• System• System.Data• System.Drawing• System.Windows.Form• System.XML• stego5.6.2 Application ProcessApplication will mainly start from enrolment process of the finger. User will place the fingeron sensor and image will be acquired in application from the sensor. After the acquisition ofthe image SDK normally extracts the features of the image which is called template andstores the template in the database. To achieve the goal this method is modified. Page | 41
  • 42. University of Glamorgan5.6.2.1 Enrolment ProcessEnrolment process takes place when user place finger on the sensor and image is acquired bythe application into the image box. Once the enrolment process takes place image format isconverted which is explained further. Encrypted Text Template Image with key Database Figure 17 Enrolment Process Figure 18 Enrolment Process5.6.2.2 Conversion of ImageAfter the image is acquired it is converted from 8 bit format to 24 bit due to the stegorequirements from the library.Bitmap bm8bit = new Bitmap(sfdImage.FileName);Bitmap bm24bit = new Bitmap(bm8bit.Width, bm8bit.Height,System.Drawing.Imaging.PixelFormat.Format24bppRgb); Page | 42
  • 43. University of GlamorganGraphics g = Graphics.FromImage(bm24bit);After the image is converted into 24 bit format text are embedded using steganographytechniques. Figure 19 Image Conversion5.6.2.3 SteganographyOnce the image is ready and in 24 bit format cover file is created which will be explained innext section. Message and password is assigned to the file and after that the file is createdusing encode button as shown in figure. Page | 43
  • 44. University of Glamorgan Figure 20 Creating Stego File5.6.2.4 Stego LibraryThis library is developed by Giuseppe Naccarato and Alessandro Lacava. Provides a simpleAPI to encode an image and decode it using simple method. There are two interfaces toperform this taskIcoverFilel: This method requires three parameter stego file name message to hide andpassword. This method hides the message inside the stego file.If the code in project is over the method mention above can be seen in these lines and explainthe usage. ICoverFile cover = new BMPCoverFile(pic); // Create the stego file cover.CreateStegoFile(stegoFile, message, password); Page | 44
  • 45. University of Glamorgan Result("Message hidden successfully"); Image stegoPic = new Bitmap(stegoFile); FitPic(stegoPic, picStegoFileEnc); picStegoFileEnc.Image = new Bitmap(stegoPic); stegoPic.Dispose();IStegoFile: This method extract hidden message from the file. This method has been used inproject on following lines this opens the stego file and displays the hidden message into thetext box as shown in image below. // Open the stego file IStegoFile stego = new BMPStegoFile(stegoFile, password); // Show the hidden message txtMessageDec.Text = stego.HiddenMessage;5.6.3 Decoding the ImageImage decoding is reverse of steganography process as mention above in section stego library how itis performed in the application. Password and the file path are provided in the option box. After clickon the decode button it shows the hidden value in the text box. Figure 21 Decoding the Image Page | 45
  • 46. University of Glamorgan5.6.4 Development Limitations• Image Size First issue during the development was to change the image resolution. Microsoft Fingerprint reader produces an image of 256 colours. For steganography the method used in this application the requirement of image was of 24 bit. For this purpose the small module was written to convert the image from 256 colours to 24 bit.• Image Storage Next challenge in this application was the storage of image in the access database. Access has some limitations in data types. Image features extracted into template can be stored into database using OLE Object data type. Due to this it was difficult to store image in access as compare to SQL server which will be explained further later on.• Verification Process In verification process user will place finger on the sensor. Image will be acquired in application. Now at this stage multiple verifications will take place. As there are some limitations which are explained.5.7 Fingerprint and Byte StreamThis application is designed using Microsoft Visual C# and Microsoft SQL server 2005.Griaule SDK is again used in the same way with the small modification of DB Class.5.7.1 Application structureClassesThese are the main classes used in the application• InputBox.cs• DBClass.cs• Util.csThese classes are provided with SDK by Griaule. Which provide default method to addinformation in database and to manipulate the features of the image in the image box; theseclasses also provide flexibility for programming end.References• AxGrFingerXLib• GrFingerXLib• Stdole• System• System.Data• System.Drawing Page | 46
  • 47. University of Glamorgan• System.Windows.Form• System.XML5.7.2 Application ProcessThis application will also work on same procedure as mentioned above in previous topic.5.7.2.1 Enrolment ProcessThe process of this application is similar to previous one. Application will start fromenrolment process. User will place finger on biometric device and image will be acquired bythe SDK in application. Template features will be auto extracted. When user will click onenrolment button application will store template and image in the Database. Image will bestore in binary format at the end of the information system based encrypted text will beembedded into the image. Figure 22 Enrolment Process5.7.2.2 Random Number GenerationThe main function in this application is a random number which is generated through a smallmodule. The main template manipulation is using the SDK DB Class. A random number isgenerated 0 to 255 using the code shown below decimal encrypt; Random rand = new Random (); encrypt = 1 + rand.Next(255); Page | 47
  • 48. University of GlamorganOnce the number is generated a byte array is created of image file. This is shown below asfollowing byte [] tempimg = new byte[arrImage.Length+1]; Array.Copy(arrImage,tempimg,arrImage.Length); enc =(byte)encrypt; tempimg[arrImage.Length]=enc;The random number which is converted into byte array is attached with the image byte arrayduring the insertion process in database field. With this functionality it becomes the part ofthe image and there are no changes in the image or the template value. Figure 23 Random NumberIn this example it is shown that a number is generated 33 randomly and it has been shown in messagebox.5.7.2.3 Verification ProcessWhen user will click on identify button it will match the template in database and retrieve theimage from the database. At this point verification will take process twice. The databaseimage will be again manipulated and feature will be extracted and match again with thetemplate if the result is positive then the key which is randomly generated and is embedded inthe image will be matched against the record nside the database. Page | 48
  • 49. University of Glamorgan Figure 24 Verification ProcessAfter verification of the template application matched the encrypted value which was 33 anddisplayed a message in log “Image contains the encrypted value”.5.7.2.4 Template Attack and VerificationThe most interesting part in the application is attack section which explains the attack on template insimple manner. In this method after the enrolment application generates and ID. Simply scan thefinger and attack on the specific ID it will replace the template in database. In this example theenrolled fingerprint is on ID 21. Now attack will take place and scan a different finger for ID 21 andupdate the records as shown in image. Figure 25 AttackIn the log section it displays the message that image on ID 21 was been updated successfully. Page | 49
  • 50. University of Glamorgan5.7.2.5 Securing the TemplateNow after the attack it is clear that the template has been replaced in the database. Now if attackertries to compromise with the system. System will verify the template but show the original image inthe second image box.If closely observe the both fingerprint they are different for each other which displays thedifference that template alteration can be stopped in the database if small effort is done on theapplication side. Also in the log box it shows that encrypted value is in the image and imageis verified. The encrypted value is retrieved from the image when it is loaded into the imagebox using same byte stream method the last bytes of the images are extracted and the valuewhich is embedded in the image is verified against the database. When both values match andresults are positive it is displayed in the log box the image has the value and it is theauthenticate image. Even if attacker replaces the template it won’t be authenticated. Thisresult proves that this application has achieved its goals and desired results. Figure 26 Securing Template5.7.3 Application Limitations and AdvantagesAs mentioned above before application fails to perform verification on the second image boxdue to the limitation in SDK. But the beauty of the application is the byte stream functionwhich reduces the risk of attacks on the template. Here question can be raised what if thehacker attacks the database and retrieves image and the key value from the database. It issimple in case if this happens hacker needs the logic to add byte stream in the database and Page | 50
  • 51. University of Glamorganhow to retrieve the key from the image which is in byte format unreadable unless the processis reversed. This concludes that it can make difficult for attacker to compromise with thesystem.SummaryDeveloping a solution on hardware or software level can be easy if logic of the operations isclear. This chapter explains the development of two applications on different technologies onbackend. There were some limitations but it is not impossible to achieve the task. Resultsshow the main objective of this study was achieved though the full application was notdeveloped. Also demonstration of attack explains that the results were desired. Page | 51
  • 52. University of GlamorganC hapter 6 Results and Conclusion Page | 52
  • 53. University of GlamorganEvaluation of the SoftwareThis project has proven to be a success to achieve the proposed objective. Though somefunctionality are missing in steganography approach, which were due to limitation in accessdatabase and SDK. The priority of developing application was VB .Net but it was later onreplaced with c# during the project because of the flexibility and object handling due theobject oriented nature of the language and access to base classes.The binary data application produced more desired results due to the technology which wasadopted on the back end. It made easier to store image in the database and also allows theapplication to run on network. But the application lacks the function of second verificationwhich is due to limitation from SDK. The limitation was in the process of verification of theimage in the second image box.Other than that application shows how we can hide information in the image usingsteganography and decrypt the information as well. The binary method is interesting as wellwhich adds the information along with the image details without changing the image features.The results are quite positive and after the change in the image there is no problem inmatching the fingerprint in database. Attacking the database and replacing the templateexplains the concept and shows how it is possible to avoid template attacks in simple manner.If there is some flexibility in SDK a complete application can be developed to securetemplate using software method which is flexible easy and can be integrated with hardwareeasily this approach can be used with any language. Page | 53
  • 54. University of GlamorganConclusionNow a day security is holding the main priority all over the world. Banks, airports and otherorganizations including hospitals are adopting biometric systems. Many biometrics systemswere introduced in market and they have been implemented as well.But the question still arises in mind that is this secure? In this study it has been explainedthere are several threats and methods to attack a biometric system. To improve the securitymeasure it is necessary to improve the system by using several methods which areunpredictable. Also multiple methods can be combined and they can be used to securebiometric information.It is not necessary to design solutions on low level or on hardware level unless it is ahardware application which runs standalone. For devices such as Microsoft fingerprint readerand other plug and play sensor these approaches can be adopted. Many solutions are alreadyavailable in the market which is free of cost. Combining different method on application levelcan increase the security with very small effort.This project also explains a simple attack on database to replace template. Which shows thattemplate is not guarantee of security and authentication. To improve biometric security it isimportant to do multiple verifications and use multiple methods to hide information whichcannot be decrypted easily.In future we can use both approaches in one application for the verification system usingsteganography and binary information storage as well. Either, we can us steganography andadd it in the image with the binary information rather than storing it separately in the table.However, this it can be complicated to retrieve from the image unless the attacker has theencrypted key to verify.It is also clear that embedding text in the image or adding bytes in the stream either ways itdoes not affect the quality of matching and extraction system. Even changing image from 8bit to 24 bit provides the better results on software level. This does not disturb the matchingalgorithm of SDK to verify the template which is another plus point.SDK is important part in this application Griaule SDK is very robust and accurate. It has a lotof flexibility and good integration with SQL server database and c# programming languageworks fine with hardware and high acceptance rate. However, still fewer methods givelimitation to development end.This paper serves to introduce new methods and approaches to improve the security inapplication level. It explains the idea how to integrate different method technologies andlanguages to develop solutions for biometrics, also in this paper limitation of languages andback end applications are explained which help to understand which language can beappropriate to use and which database is more flexible for biometric system. Page | 54
  • 55. University of GlamorganAppendix APseudo codeStage 1 1. Enrol finger on Biometric Reader 2. Template Extraction 3. If User is not found in Database Then • Encrypted Key Generation • Embed Key in Template • Template Storage in Database • Store Key in Database Else • Match Extracted Template With Stored Template • Extract Key From Template • Match Key With Database • Verify User EndStage 2Enrolment ProcessPseudo code 1. Finger will be placed on sensor 2. Sensor will read the biometric information 3. Send the information to Transmission Process 4. Image will be compressed 5. Sent to Signal Process through Transmission channel Stage 3 Storage (If User Not Found)Pseudo code 1. Expansion of image will take process. 2. Will be passed to Signal Process. 3. Template will be extracted from the image. 4. Quality will improve Dust particles etc will be removed. 5. Pattern will be matched (If User not found). 6. Encryption Key will be generated. 7. Key will be embedded using steganograpgy techniques. 8. Key will be stored in Database. 9. Template will be stored in Database. Stage 4 Page | 55
  • 56. University of Glamorgan Verification (User Authentication)Pseudo code 1. Expansion of image will take process. 2. Will be passed to Signal Process. 3. Template will be extracted from the image. 4. Quality will improve Dust particles etc will be removed. 5. Pattern will be matched (If User found). 6. Encryption Key will be extracted From Stored Template. 7. Key will be matched with the stored key. 8. User will be Authenticate.Algorithm Enrolment Templat e Extracti on If User Generate Key Not Found Embed Key Else Store Template Match Template Store Key Extract Key Match Key with DB Verify User End Figure 27 Algorithm Page | 56
  • 57. University of GlamorganAppendix BReferencesA, Adler. “Images can be regenerated from quantized.” Canadian Conf. Computer ElectricEng. Niagra Falls, Canada , May 2004. 469-472.A, Ross, Jain A.K, and Reisman J. “A Hybrid Fingerprint Matcher.” Pattern Recognition,2003: 36 (7) 1661-1673.A.K, Jain, and Uludag U. “Hiding Biometric Data.” IEEE Trans. Pattern Anal. Mach.Intelligence 25, no. 11 (2003): 1493-1498.A.K, Jain, Bolle R, and Pankanti S. BIOMETRIC- Personal Identification in Network Society.London: Kluwer Academic Publishers, 1999.A.K., Jain, Parbhakar S, and Chen S. “Combining Multiple Matchers for a High SecurityFingerprint Verification System.” Pattern Recognition Letters, 1999: 20 (11-13) 1371-1379.B, Schneier. “The Uses and Abuses of Biometrics.” Comm ACM VOL 42, 8, 1999: 136.Biometrics, Find. Biometrics: The Anotomy Lesson. 2001.http://www.findbiometrics.com/Pages/feature%20articles/anatomy.html (accessed August 18,2007).Brainos, Alain C. “A Study Of Steganography And The Art Of Hiding Information.” EastCarolina University, nd: 3-7.C, Soutar. “Biometrics System Securit, White Paper.” bioscrypt. http://www.bioscrypt.com(accessed January 11, 2008).Canton, State University of New York At. Public Safety Technology: Crimina Investigation.2203. http://www.canton.edu/ci/previous_lessons_3.html (accessed August 14, 2007).Corporation, Biometrics Technology. Biometric Technical Assessment. 2002. http://bio-tech-inc.com/Bio_Tech_Assessment.html (accessed July 11, 2007).D, Maltoni, Maio D, Jain A.K, and Parbhakar S. Handbook of Fingerprint Recognition.Verlag: Springer, 2003.Daugman, J.G. Recognition Person By Their Iris Pattrens : Biometrics: PersonalIdentification in Networked Society. Edited by A.K. Jain. Vol. 1. Springer, 1999.Dictionary.com. “Steganography.” Dictionary.com. n.d.http://dictionary.reference.com/search?q=steganography (accessed January 19, 2008).Enhanced Border Security and Visa Entry Reform. Congress of the United States of America, 2002. Page | 57
  • 58. University of GlamorganG.L, Marcialis, and Roli F. “Experimental Results on Fusion of Multiple FingerprintMatcher.” Proc. 4th Int. Conf. on Audio and Video-Based Person Authentication, 2003: 814-820.G.L., Marcialis, and Roli F. “Preceptron-Based Fusion of Multiple Fingerprint Matchers .”Proc. First Int. Work on Artificial Nural Netwroks in Pattern Matching, 2003: 36 (7) 1661-1673.Group, International Biometrics. How Biometrics is Defined. 2003.http://www.biometricgroup.com/reports/public/reports/biometric_definition.html (accessedAugust 19, 2007).Howe, Denis. “Steganography.” The Free On-line Dictionary of Computing. 1993 - 2001.http://www.nightflight.com/foldoc/index.html (accessed January 21, 2008).http://cte1401-01.sp00.fsu.edu/holly.html. Biometrics: The Touch, the Scan, the Pattern ofOur Lives . n.d. http://cte1401-01.sp00.fsu.edu/holly.html (accessed September 9, 2007).J.L. Wayman, A.J. Mansfield. Best Practices in Testing and Reporting Performance ofBiometric Devices. Vol. 2. 1 vols.James Wayman, ed. National Biometric Test Center Collected Works. San Jose: San JoseState University, 2004.JD.JR., Woodward. “Biometrics Background.” www.ibia.org. 2000.http:www.ibia.orgWoodwardPresentation.pdf (accessed September 2, 2007).JD.JR., Woodward, Orlans N.M, and Higgnis P.T. Biometrics Identity Assurance in TheInformation Age. Berkeley, 2003.Jhon D., Woodward. biometrics identity assurance information age . Berkeley: Mc GrawHill, 2003.Johnson, Neil F. Steganography. Technical Report, http://www.jjtc.com/stegdoc/sec202.html,1995.L, Ferri C, Mayerhofer A, Frank M, Vielhauer C, and Steinmetz R. “BiometricsAuthentication for ID Cards and Hologram Watermarks.” Proc. SPIE Security andWatermarking of Multimedia Contents, 2002: Vol. 4675 629-640.M, Yeung, and Pankanti S. “Verification watermarks on Fingerprint Recognition andRetrival.” Proc. SPIE, Security and Watermarking of Multimedia Contents, 1999: Vol 365766-78.Maltoni, Davide, Maio, Jain, and Prabhakar. Handbook of Fingerprint Recognition. NewYork: Springers, 2005.Mearian, Lucas. Toppling The PIN: Banks Eye Biometric Technology For ATM Access.http://www.biometrictechnology.net/ (accessed January 9, 2008). Page | 58
  • 59. University of GlamorganN.K. Ratha, J.H. Connell, and R.M. Bolle. “An Analysis of Minutiae Matching Strength.”AVBPA, 2001: 223 - 228.N.K., Ratha, Connell J.H., and Bolle R.M. “Enhancing security and privacy in biometrics-based authentication systems.” IBM System Journal. 21 April 2001.http://researchweb.watson.ibm.com/journal/sj/403/ratha.html (accessed December 19, 2007).Radcliff, Deborah. Steganography: Hidden Data. 10 June 2002.http://www.computerworld.com/securitytopics/security/story/0,10801,71726,00.html(accessed January 24, 2008).Record, Scotish Criminal. History of Finger Prints - A Time Line. 2002. http://www.spsa-forensics.police.uk/services/history_science (accessed November 11, 2007).Roberts, Chris. “Biometrics.” Biometrics, November 2005: 24.S, Parbhakar, and Jain A.K. “Decision-level Fusion in Fingerprint Verification.” PatternRecognition, 2002: 861-874.Schneier, Bruce. Applied Cryptography. John Wiley and Sons Inc., 1996.T, Windeatt, and Roli F. “Multiple Classification System.” Lecture Notes in ComputerSciences Volume 2709.Weiss, Max. “Principles of Steganography.” Math 187: Introduction to Cryptography, nd: 2-3.Westphal, Kristy. Steganography Revealed. 9 April 2003.http://www.securityfocus.com/infocus/1684#ref_cryptography (accessed January 9, 2008).X, Xia, and Gorman O L. “Innovations in Fingerprint Capture Devices.” Pattern Recognition,2003: 36 (2) 361-369.York, State University of New. Public Safety Technology Criminal Investigation. StateUniversity of New York. 2003. http://www.canton.edu/ci/previous_lessons_3.html (accessedAugust 11, 2007). Page | 59