The methods and risks for biometric identification

1. Biometric identification
Bozhidar Bozhanov

2. ● @bozhobg
● http://techblog.bozho.net
● http://blog.bozho.net

3. Biometrics
● Detecting inherent characteristics
○ fingerprints
○ iris
○ palm veins
○ face
○ voice
○ DNA
● Unique and unchangeable

4. Usage
● Border inspections
● Access control
○ Home door unlocking
● Smartphone unlocking
● Looks cool in movies

5. Fingerprint
● Binarization, thinning, extraction
● Minutia (pl. minutae)
○ Ridge ending
○ Ridge bifurication
○ Fingerprint template
● Other methods
○ Feature extraction
● MINEX (template standard)

6. Fingerprint
griaulebiometrics.com
binarization thinning

7. Storing and comparing
● Original / enhanced image
● Coordinates of the minutae
● Other features
● Fuzzy hash, locality-sensitive hash
○ “Percentage hash”
○ Collisions are needed

8. Problems...
● Bad images, dirty scanners, injured skin...

9. “A Japanese cryptographer has demonstrated how
fingerprint recognition devices can be fooled using a
combination of low cunning, cheap kitchen supplies and a
digital camera.” The Register, “Gummi bears defeat
fingerprint sensors”
“The results are enough to scrap the systems completely,
and to send the various fingerprint biometric companies
packing.” Bruce Schneier

10. Iris
● Detection of around 200 points
● Same storage methods as fingerprints
● Only patented algorithms

11. DNA, veins, voice, face...
● Using many in combination
● Expensive scanners (DNA, veins)
○ But Kuwait takes DNA from everyone
● Lack of uniqueness and high error rate
(voice, face)

12. Reconstructing
● ...possible
○ based on minutae, points, features
○ except if fuzzy / locality senstive hash is used
● => storing in centralized databases is
dangerous

13. In-person verification
● Easy faking
+
● Automated check
=
● Fraud

14. N-th factor
● Secure identification is
○ something you have +
○ something you know +
○ something you are
● e.g. smartcard with PIN + fingerprint
(matched on the card)

15. Border inspections
● ICAO biometric passports
○ Contain images of the face and fingerprints (soon
maybe iris) (JPEG2000)
○ Integrity - with QES of the issuing authoroity
● Fingerprints are read without PIN
○ ...but by a “trusted” terminal
● And are compared to the person’s fingerprints
● => fake/someone else’s document?

16. Problems
● Centralized databases with images of
fingerprints
● Contactless reading of fingerprints
○ 3 versions of the protocol have been demonstrated
to have security issues
○ Complex scheme for certificate management.
Certificates expire in 24 hours.

17. BSI

18. ● ...but the chip doesn’t have a clock
○ 1 leaked terminal certificate
○ => all fingerprints in all passports in the world are
easy targets
○ ...if the central databases don’t leak before that
● experts - “well, I can get your fingerprint from
anywhere”
○ in high-res?

19. bioID - No go
● You can’t change your fingerprint/iris/DNA
● Databases leak sooner or later
● Easy to fake (gummi bears!)
● They are used to unlock phones => unlock
○ email
○ e-banking
○ ...everything

20. Applications
● 2nd factor
● Border inspections with match-on-card
verification
● Future?

21. “Free flight of the thought”
● Let’s imagine...
○ Cheap and exact biometric readers
● Then…
○ ID = hash(fingerprint) + hash(iris) + hash(DNA) +
hash(password)

22. ● I am
66a1aa2b4add3d8775751b81adb86e476d0a735188c2e8582be0920b2a3
e55ea
● I can prove it
○ scanner + app
● Distributed global electronic identity
○ something I am + something I know

23. Fraud?
● How do we guarantee that the hash is a
result of our biometrics?
● biometrics+password-> KDF -> private key
(ephemeral)
○ KDF (key derivation function)
○ Sign challenge with the private key

24. Anonymity
● Hashes don’t have names
● Guarantees identity
● Aliases for different contexts (multiple
passwords?)
● Example: distributed ride-sharing with
distributed reputation system ontop of a
global anonymous identity

25. Conclusion
● Only biometrics - no
● Biometrics in clear form - no
● Biometrics in databases - no
● 2nd factor, match-on-card - okay
● Future applications

26. Thank you

27. Resources
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
http://www.griaulebiometrics.com/en-us/book/understanding-biometrics/types/feature-extraction/minutiae
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=12
https://en.wikipedia.org/wiki/Key_derivation_function
http://techblog.bozho.net/electronic-machine-readable-travel-documents/
http://techblog.bozho.net/identity-in-the-digital-world/
http://europe.newsweek.com/kuwait-becomes-first-country-world-collect-dna-samples-all-citizens-and-449830?rm=eu