
Biometric identification


  1. Biometric identification
     Bozhidar Bozhanov
  2. ● @bozhobg
     ● http://techblog.bozho.net
     ● http://blog.bozho.net
  3. Biometrics
     ● Detecting inherent characteristics
       ○ fingerprints
       ○ iris
       ○ palm veins
       ○ face
       ○ voice
       ○ DNA
     ● Unique and unchangeable
  4. Usage
     ● Border inspections
     ● Access control
       ○ Home door unlocking
     ● Smartphone unlocking
     ● Looks cool in movies
  5. Fingerprint
     ● Binarization, thinning, extraction
     ● Minutia (pl. minutiae)
       ○ Ridge ending
       ○ Ridge bifurcation
       ○ Fingerprint template
     ● Other methods
       ○ Feature extraction
     ● MINEX (template standard)
  6. Fingerprint (figure: binarization, thinning; source griaulebiometrics.com)
  7. Storing and comparing
     ● Original / enhanced image
     ● Coordinates of the minutiae
     ● Other features
     ● Fuzzy hash, locality-sensitive hash
       ○ “Percentage hash”
       ○ Collisions are needed
  8. Problems...
     ● Bad images, dirty scanners, injured skin...
  9. “A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera.”
     The Register, “Gummi bears defeat fingerprint sensors”
     “The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing.”
     Bruce Schneier
  10. Iris
      ● Detection of around 200 points
      ● Same storage methods as fingerprints
      ● Only patented algorithms
  11. DNA, veins, voice, face...
      ● Using many in combination
      ● Expensive scanners (DNA, veins)
        ○ But Kuwait takes DNA from everyone
      ● Lack of uniqueness and high error rate (voice, face)
  12. Reconstructing
      ● ...possible
        ○ based on minutiae, points, features
        ○ except if a fuzzy / locality-sensitive hash is used
      ● => storing in centralized databases is dangerous
  13. In-person verification
      ● Easy faking +
      ● Automated check =
      ● Fraud
  14. N-th factor
      ● Secure identification is
        ○ something you have +
        ○ something you know +
        ○ something you are
      ● e.g. smartcard with PIN + fingerprint (matched on the card)
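Slides 5, 7 and 14 together describe the mechanics behind match-on-card: a minutiae template, a comparison that must tolerate small differences between scans (the "percentage hash", where collisions are wanted), and a card that does the comparison itself behind a PIN so the template never reaches a central database. The following Python example is added here to make that concrete; it is not code from the slides. The minutiae template, the two probe scans, the tolerances, the 80% threshold and the PIN are all constructed sample values, and a production matcher (MINEX-conformant templates, alignment, quality scoring) does considerably more.

```python
"""Match-on-card verification with tolerant minutiae matching.

Added illustration, not code from the slides. The template, the two probe
scans, the tolerances and the 80% threshold are constructed sample values; a
production matcher (MINEX templates, alignment, quality scoring) does much
more. It shows why an exact hash of a template cannot be used for matching,
why a tolerant "percentage" comparison is needed, and how match-on-card
keeps the template out of any central database.
"""
import hashlib
import hmac
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    x: int        # position on the scan, in pixels
    y: int
    angle: int    # ridge direction in degrees, 0..359
    kind: str     # "ending" or "bifurcation"


def exact_template_hash(template):
    """Plain SHA-256 over the template: a one-pixel shift changes every bit."""
    ordered = sorted(template, key=lambda m: (m.x, m.y))
    data = ";".join(f"{m.x},{m.y},{m.angle},{m.kind}" for m in ordered)
    return hashlib.sha256(data.encode()).hexdigest()


def match_score(stored, probe, dist_tol=8, angle_tol=15):
    """Fraction of stored minutiae that have a compatible probe minutia.

    Compatible: same kind, within dist_tol pixels, ridge angles within
    angle_tol degrees (modulo 360). Each probe minutia is consumed once.
    This deliberate tolerance is the "collisions are needed" property.
    """
    unused = list(probe)
    matched = 0
    for m in stored:
        for p in unused:
            dist = math.hypot(m.x - p.x, m.y - p.y)
            dangle = abs((m.angle - p.angle + 180) % 360 - 180)
            if m.kind == p.kind and dist <= dist_tol and dangle <= angle_tol:
                matched += 1
                unused.remove(p)
                break
    return matched / len(stored) if stored else 0.0


class SmartCard:
    """Keeps the template inside; only a verdict ever crosses the interface."""

    MAX_PIN_TRIES = 3

    def __init__(self, pin, template, threshold=0.8):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._template = tuple(template)     # never exported
        self._threshold = threshold
        self._tries_left = self.MAX_PIN_TRIES

    def verify(self, pin, probe):
        """Something you have (card) + know (PIN) + are (finger)."""
        if self._tries_left == 0:
            return "locked"
        if not hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            self._tries_left -= 1
            return "locked" if self._tries_left == 0 else "bad-pin"
        self._tries_left = self.MAX_PIN_TRIES
        return "match" if match_score(self._template, probe) >= self._threshold else "no-match"


# Constructed sample data: the enrolled template and two later scans.
ENROLLED = [Minutia(100, 120, 45, "ending"), Minutia(130, 160, 90, "bifurcation"),
            Minutia(80, 200, 180, "ending"), Minutia(150, 90, 270, "bifurcation"),
            Minutia(110, 240, 30, "ending")]
# Same finger: shifted a few pixels, rotated a few degrees, one minutia missed.
SAME_FINGER = [Minutia(103, 122, 48, "ending"), Minutia(132, 163, 95, "bifurcation"),
               Minutia(84, 204, 176, "ending"), Minutia(153, 93, 275, "bifurcation")]
# A different finger: same kinds, unrelated geometry.
OTHER_FINGER = [Minutia(40, 60, 10, "ending"), Minutia(200, 30, 200, "bifurcation"),
                Minutia(180, 220, 100, "ending"), Minutia(60, 150, 320, "bifurcation"),
                Minutia(220, 180, 60, "ending")]


def demo():
    card = SmartCard("1234", ENROLLED)
    return {
        "hash_same_finger": exact_template_hash(ENROLLED) == exact_template_hash(SAME_FINGER),
        "score_same_finger": match_score(ENROLLED, SAME_FINGER),      # 0.8
        "score_other_finger": match_score(ENROLLED, OTHER_FINGER),    # 0.0
        "verdict_ok": card.verify("1234", SAME_FINGER),               # match
        "verdict_wrong_pin": card.verify("0000", SAME_FINGER),        # bad-pin
        "verdict_other_finger": card.verify("1234", OTHER_FINGER),    # no-match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two scans of the same finger hash to different SHA-256 values but score 0.8 under the tolerant comparison, while the unrelated finger scores 0.0; the card only ever answers "match", "no-match", "bad-pin" or "locked", which is what keeps slide 12's reconstruction risk off the table for the stored template.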
  15. Border inspections
      ● ICAO biometric passports
        ○ Contain images of the face and fingerprints (soon maybe iris) (JPEG2000)
        ○ Integrity - with QES of the issuing authority
      ● Fingerprints are read without PIN
        ○ ...but by a “trusted” terminal
      ● And are compared to the person’s fingerprints
      ● => fake/someone else’s document?
  16. Problems
      ● Centralized databases with images of fingerprints
      ● Contactless reading of fingerprints
        ○ 3 versions of the protocol have been demonstrated to have security issues
        ○ Complex scheme for certificate management. Certificates expire in 24 hours.
  17. BSI
  18. ● ...but the chip doesn’t have a clock
        ○ 1 leaked terminal certificate
        ○ => all fingerprints in all passports in the world are easy targets
        ○ ...if the central databases don’t leak before that
      ● experts - “well, I can get your fingerprint from anywhere”
        ○ in high-res?
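Slides 16 and 18 make a point that is easy to state and hard to picture: a terminal certificate with a 24-hour lifetime only protects anything if the party checking it knows what time it is, and the chip in the passport has no clock. The Python model below is added here to show the consequence; it is not the slides' code and not the actual ICAO/BSI terminal authentication protocol. It assumes two simplifications: certificates carry an HMAC tag under a constructed issuer key instead of a real signature, and the chip's only notion of "now" is the newest issue date it has seen on a certificate it accepted (the dates and terminal names are constructed).

```python
"""A chip without a clock cannot tell that a terminal certificate has expired.

Simplified model added as illustration; it is not the slides' code and not
the actual ICAO/BSI terminal authentication protocol. Assumptions made here:
certificates are HMAC-tagged under a constructed issuer key instead of
signed, and the chip's only notion of "now" is the newest issue date it has
seen on a certificate it accepted. The 24-hour lifetime is from the slides.
"""
import hashlib
import hmac
from datetime import date, timedelta

ISSUER_KEY = b"constructed-issuer-key"    # stand-in for the issuing authority's signing key


def issue_terminal_cert(terminal_id, issued_iso, valid_days=1):
    """Certificate for a terminal, valid from issued_iso for valid_days (24 h by default)."""
    issued = date.fromisoformat(issued_iso)
    expires = issued + timedelta(days=valid_days)
    body = f"{terminal_id}|{issued.isoformat()}|{expires.isoformat()}"
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PassportChip:
    def __init__(self, personalised_on_iso):
        # No clock on the chip: it only remembers the newest date it has seen.
        self.latest_known_date = date.fromisoformat(personalised_on_iso)

    def accept_terminal(self, cert):
        """True if the chip would release fingerprints to this terminal."""
        expected = hmac.new(ISSUER_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["tag"]):
            return False                      # forged or tampered certificate
        _, issued_iso, expires_iso = cert["body"].split("|")
        issued = date.fromisoformat(issued_iso)
        expires = date.fromisoformat(expires_iso)
        # Expiry is judged against the chip's surrogate for "now", not real time.
        if expires < self.latest_known_date:
            return False
        if issued > self.latest_known_date:
            self.latest_known_date = issued   # a newer date moves the surrogate forward
        return True


def exposure_demo():
    """Returns (accepted before, accepted after a newer cert, forged accepted)."""
    chip = PassportChip("2016-01-01")
    leaked = issue_terminal_cert("T-leaked", "2016-03-01")  # long expired in real time
    accepted_before = chip.accept_terminal(leaked)          # True: chip's date is still 2016
    # The passport is later read by a legitimate terminal with a current certificate...
    chip.accept_terminal(issue_terminal_cert("T-fresh", "2017-06-01"))
    # ...and only from that point on is the stale leaked certificate refused.
    accepted_after = chip.accept_terminal(leaked)           # False
    forged = dict(leaked, tag="0" * 64)
    return accepted_before, accepted_after, chip.accept_terminal(forged)


if __name__ == "__main__":
    print(exposure_demo())
```

The forged certificate is rejected as expected, so the integrity check itself is not the weak point; the leaked but genuine one is accepted for as long as the chip has not seen a newer date, and a passport that is rarely presented to a legitimate terminal may never advance that date. That is the exposure the slide's "1 leaked terminal certificate" line refers to, and why short certificate lifetimes alone do not close it.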
  19. bioID - No go
      ● You can’t change your fingerprint/iris/DNA
      ● Databases leak sooner or later
      ● Easy to fake (gummi bears!)
      ● They are used to unlock phones => unlock
        ○ email
        ○ e-banking
        ○ ...everything
  20. Applications
      ● 2nd factor
      ● Border inspections with match-on-card verification
      ● Future?
  21. “Free flight of the thought”
      ● Let’s imagine...
        ○ Cheap and exact biometric readers
      ● Then…
        ○ ID = hash(fingerprint) + hash(iris) + hash(DNA) + hash(password)
  22. ● I am 66a1aa2b4add3d8775751b81adb86e476d0a735188c2e8582be0920b2a3e55ea
      ● I can prove it
        ○ scanner + app
      ● Distributed global electronic identity
        ○ something I am + something I know
  23. Fraud?
      ● How do we guarantee that the hash is a result of our biometrics?
      ● biometrics + password -> KDF -> private key (ephemeral)
        ○ KDF (key derivation function)
        ○ Sign challenge with the private key
  24. Anonymity
      ● Hashes don’t have names
      ● Guarantees identity
      ● Aliases for different contexts (multiple passwords?)
      ● Example: distributed ride-sharing with a distributed reputation system on top of a global anonymous identity
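Slides 21 to 24 sketch the thought experiment: an identity that is a hash of biometrics plus a password, ownership proven by deriving an ephemeral private key through a KDF and signing a verifier's challenge, and per-context aliases that cannot be linked to each other. The Python example below is added here to carry that sketch through end to end; it is not the slides' code. It assumes PBKDF2-HMAC-SHA256 as the KDF (the slides only say "KDF"), a Schnorr signature over the secp256k1 curve written out in plain Python for readability, and biometric inputs that are already the stable byte output of some feature extractor (the constructed byte strings stand in for that, which is the genuinely hard part the slides also leave open).

```python
"""Proving ownership of a biometric-derived identity with a challenge signature.

Added illustration, not the slides' code. Assumptions: PBKDF2-HMAC-SHA256 as
the KDF, a Schnorr signature over secp256k1 implemented here in plain Python,
and biometric inputs that are already stable bytes from a feature extractor.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    result, addend = None, point          # double-and-add
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)   # length-prefixed to avoid ambiguity
    return int.from_bytes(m.digest(), "big") % N


def derive_private_key(fingerprint, iris, dna, password, context=b"default"):
    """biometrics + password -> KDF -> private key (recomputed on demand, never stored).

    Each modality is hashed first, mirroring hash(fingerprint) + hash(iris) +
    hash(DNA) + hash(password); the context salts the KDF, giving an alias per context.
    """
    material = b"".join(hashlib.sha256(x).digest() for x in (fingerprint, iris, dna, password))
    seed = hashlib.pbkdf2_hmac("sha256", material, b"bio-id|" + context, 100_000, 32)
    return 1 + int.from_bytes(seed, "big") % (N - 1)


def public_identity(priv):
    return ec_mul(priv, G)


def identity_string(pub):
    """The 'I am <hex>' form from slide 22: a hash of the public point, carrying no name."""
    return hashlib.sha256(encode(pub)).hexdigest()


def sign(priv, challenge):
    """Schnorr signature over the verifier's challenge."""
    pub = public_identity(priv)
    k = 1 + hash_to_scalar(priv.to_bytes(32, "big"), challenge) % (N - 1)   # deterministic nonce
    r = ec_mul(k, G)
    e = hash_to_scalar(encode(r), encode(pub), challenge)
    return r, (k + priv * e) % N


def verify(pub, challenge, signature):
    r, s = signature
    e = hash_to_scalar(encode(r), encode(pub), challenge)
    return ec_mul(s, G) == ec_add(r, ec_mul(e, pub))


def demo():
    fp, iris, dna = b"fingerprint-template", b"iris-code", b"dna-profile"   # constructed stand-ins
    priv = derive_private_key(fp, iris, dna, b"correct horse battery")
    me = public_identity(priv)
    challenge = secrets.token_bytes(32)          # fresh per login, chosen by the verifier
    good = verify(me, challenge, sign(priv, challenge))
    wrong = derive_private_key(fp, iris, dna, b"wrong password")
    bad = verify(me, challenge, sign(wrong, challenge))
    alias = public_identity(derive_private_key(fp, iris, dna, b"correct horse battery", b"ride-sharing"))
    return good, bad, identity_string(me) != identity_string(alias)
```

`demo()` returns `(True, False, True)`: the right biometrics and password verify against the published identity, a wrong password derives a different key whose signature does not, and the ride-sharing context yields an identity string unrelated to the default one, which is the "aliases for different contexts" property of slide 24. The private key exists only inside `sign()` for the duration of one challenge, matching the slides' "ephemeral".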
  25. Conclusion
      ● Only biometrics - no
      ● Biometrics in clear form - no
      ● Biometrics in databases - no
      ● 2nd factor, match-on-card - okay
      ● Future applications
  26. Thank you
  27. Resources
      http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
      http://www.griaulebiometrics.com/en-us/book/understanding-biometrics/types/feature-extraction/minutiae
      http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=12
      https://en.wikipedia.org/wiki/Key_derivation_function
      http://techblog.bozho.net/electronic-machine-readable-travel-documents/
      http://techblog.bozho.net/identity-in-the-digital-world/
      http://europe.newsweek.com/kuwait-becomes-first-country-world-collect-dna-samples-all-citizens-and-449830?rm=eu
