Fingerprints and Entropy:
An Analysis across Sensors
Torrey Hutchison
ENTROPY
• Shannon defined entropy to express the amount of
information in a string of English text [3].
• Today entropy is used as an accepted measure of the
difficulty of brute-force attacking a password or key [4].
Key Points: Entropy is a measure of
information in biometrics and English text;
hence, more entropy is more difficult to brute-force attack.
WHAT DOES THAT MEAN?
• With the measurement of entropy, string and PIN
passwords can now be related to biometrics.
• The enterprise can begin making a risk model
similar to the PIN and password, but now for
biometrics.
Key Point: Entropy can now be compared to PINs
and passwords, and a risk model can be generated
for biometric usage in the enterprise.
ENTROPY OF RANDOMLY SELECTED
PASSWORDS
$H = \log_2 b^l$ [3]
ENTROPY OF FINGERPRINTS
$$H(L, C) = \sum_{L=1}^{\text{Total Pixels}} \sum_{C=1}^{8} P(l, c) \log_2\left(\frac{1}{P(l, c)}\right)$$
Equation used in [1] and [4]
HYPOTHESIS
•Is there a fingerprint sensor that gives more
entropy than another?
•Will fingerprint sensors be strong enough to
replace passwords and PINs?
•Is it possible to relate entropy to fingerprints
from phone sensors?
METHODOLOGY
•6 samples of 161 subjects
•8 different sensors
•Each sensor had a consistent image resolution
and size
SENSOR INFORMATION
Table taken from Shimon et al. [2]
RESULTS
Table based on NIST 800-63 [4]
Key Point: Entropy of a fingerprint is larger than
the entropy of commonly used password lengths
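| Sensor Type | Avg. Minutiae | Bits of Entropy | User Chosen Password (characters) | Randomly Chosen Password (characters) |
|---|---|---|---|---|
| Thermal | 40 | 64.5 | 19.4 | 9.8 |
| Optical | 39 | 70.4 | 21.2 | 10.7 |
| Optical | 30 | 52.3 | 15.7 | 8 |
| Capacitive | 24 | 43.3 | 13 | 6.6 |
| Optical | 38 | 63.5 | 19.1 | 9.7 |
| Optical | 27 | 45.6 | 13.7 | 7 |
| Capacitive | 25 | 42.8 | 12.9 | 6.5 |
| Capacitive | 35 | 58 | 17.5 | 8.8 |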
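An added worked example (not from the original slides) of the two formulas above: the joint entropy sum over pixels and the 8 minutiae classes, and the inversion l = H / log2 b that turns bits into an equivalent random-password length. The probability map is constructed and the 94-character alphabet is an assumption; with it, the computed lengths match the "Randomly Chosen Password" column of the table.

```python
import math

# 8 classes per pixel: 2 minutiae types (bifurcation, ending point) x 4 angle
# quadrants, as listed in the speaker notes for the fingerprint equation.
N_CLASSES = 8

def joint_entropy(prob_map):
    """H(L,C) = sum over pixels l and classes c of P(l,c) * log2(1/P(l,c))."""
    total = 0.0
    for pixel in prob_map:
        if len(pixel) != N_CLASSES:
            raise ValueError("each pixel needs one probability per class")
        for p in pixel:
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"not a probability: {p}")
            if p > 0.0:  # p*log2(1/p) -> 0 as p -> 0, so empty cells add nothing
                total += p * math.log2(1.0 / p)
    return total

def equivalent_password_length(bits, alphabet_size):
    """Invert H = log2(b**l): l = H / log2(b) characters."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least 2 symbols")
    return bits / math.log2(alphabet_size)

# Constructed input: 20 pixels, 16 where every class has probability 1/64
# and 4 that never hold a minutia (all-zero probabilities).
SAMPLE_MAP = [[1 / 64] * N_CLASSES for _ in range(16)] + [[0.0] * N_CLASSES] * 4

# "Bits of Entropy" column from the results table on this page.
SLIDE_BITS = [64.5, 70.4, 52.3, 43.3, 63.5, 45.6, 42.8, 58]

# Assumption: 94-symbol printable alphabet for a randomly chosen password.
ASSUMED_ALPHABET = 94

def random_password_column(bits_column, alphabet_size=ASSUMED_ALPHABET):
    """Equivalent random-password lengths, rounded to one decimal like the slide."""
    return [round(equivalent_password_length(b, alphabet_size), 1)
            for b in bits_column]

if __name__ == "__main__":
    print("sample joint entropy (bits):", joint_entropy(SAMPLE_MAP))
    for bits, chars in zip(SLIDE_BITS, random_password_column(SLIDE_BITS)):
        print(f"{bits:5.1f} bits ~ {chars:4.1f} random characters")
```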
RESULTS
• Thermal Swipe
• Had the highest amount of average minutiae
• The entropy-per-minutiae was the lowest
• Optical Touch
• Better rating in both entropy-per-minutiae and average
number of minutiae
• Capacitive Touch and Swipe
• Average in both entropy-per-minutiae and average minutiae
CONCLUSION
•Each fingerprint sensor can reliably replace up to
a 13-character user-chosen password and an
8-character randomly chosen password
•Entropy per minutiae is similar across all the
sensors
| Type | Thermal Swipe | Optical Touch | Optical Touch | Capacitive Touch | Optical Touch | Optical Touch | Capacitive Swipe | Capacitive Touch |
|---|---|---|---|---|---|---|---|---|
| Avg. Minutiae | 40 | 39 | 30 | 24 | 38 | 27 | 25 | 35 |
| Entropy | 64.528 | 70.361 | 52.237 | 43.319 | 63.508 | 45.591 | 42.802 | 57.995 |
| Entropy per Minutiae | 1.613 | 1.804 | 1.741 | 1.805 | 1.671 | 1.689 | 1.712 | 1.657 |
MOBILE ID METHODOLOGY
• Fingerprints from 190 subjects were
used for analysis in this study.
• 6 fingerprint images were collected
from the subjects’ right hand
• A capacitive touch sensor was used in
this study
• An application was developed to crop
the images using the core values as
the center of the cropping region [2]
ENTROPY AND MOBILE
•The joint entropy calculation used in [1] [4] was
used to calculate the entropy per minutiae of
each level.
MOBILE ENTROPY
• Entropy per minutiae is different across sensors even with
the same subjects in all trials
MOBILE PERFORMANCE
•Superimposed DET curves from [2]
OBSERVATIONS
•There are significantly fewer minutiae points in
levels 1, 2, and 3, which leads to less entropy
but more entropy per minutiae.
•The larger images have more entropy because
there is a larger surface area.
•There is a potential correlation between
performance and entropy.
LIMITATIONS
• Currently the entropy calculation allows for a linear
calculation of entropy based on minutiae.
• However, if an individual were to have an absurd
amount of minutiae, it is more likely that someone will
match that minutiae point.
• The current entropy calculation does not take into
account white space; however, it is extremely likely
with a larger fingerprint sensor that a user could place
their fingerprint off to the side and not on the ideal target
area, which would result in a larger entropy.
FUTURE WORK
•Entropy Calculation for an Individual
• Would allow for a better understanding of how
entropy relates to the individual and help decide which
modality an individual should pick.
•Entropy Risk Model
• Allows an enterprise to truly understand the benefits
of biometrics over passwords and PINs.
•Entropy Calculation for Facial Recognition
• Deeper knowledge of facial recognition software to
find identifying features.
REFERENCES
• [1] M. Young, S. Elliott, C. Tilton, and J. Goldman, “Entropy of
Fingerprints,” Int. J. Comput. Sci. Eng. Technol., vol. 3, no. 2, pp.
43–47, 2013.
• [2] S. Modi, A. Mohan, B. Senjaya, and S. Elliott, “Fingerprint
recognition performance evaluation for mobile ID applications,”
IEEE Int. Carnahan Conf. Secur. Technol., 2010.
• [3] C. E. Shannon, “Communication Theory of Secrecy Systems.”
• [4] W. E. Burr, D. F. Dodson, and W. T. Polk, “Information
Security,” NIST Spec. Publ. Gaithersburg, MD, vol. 2, no. April,
2006.
INTERNSHIP OPPORTUNITY

Editor's Notes

  1. Shannon et al. H is defined as the amount of entropy, where l is the length of the password and the password is randomly chosen from b characters.
  2. Key space. Minutiae type: bifurcation, ending point. Angle of the minutiae point: 4 different quadrants, from 0 to 89, 90 to 179, 180 to 269, and 270 to 359 respectively. # of pixels in the image. P(l,c) is the probability that a pixel will have a minutiae point with a particular type and angle.
  3. 1761 – Thermal Swipe 1762,1763,1765,1766 – Optical Touch 1768, 1767, 1764 – Capacitive Touch
  4. The following table shows that each sensor contributed a different amount of entropy per dataset. The first three columns show the sensors used, their average minutiae count, and the total entropy of the set. The next two columns show the number of characters it takes to equal the same amount of entropy as the corresponding sensor.
  5. Shimon et al.
  6. Cite Matt Young
  7. This DET curve shows the performance metrics of each level of fingerprint images. For Levels 1, 2, and 3 there is a higher chance of a false acceptance and far higher false reject rates.
  8. Higher entropy means higher security, and performance uses FRR vs FAR. PINs can be defined as having a FAR of 1/10000, and this is accepted among security experts. If entropy were also used to determine these highly used performance metrics, it would make a risk model easier to define for the enterprise environment.
  9. -There are limitations on the definition of entropy. Currently, performance metrics of biometrics give FAR and FRR. To measure the strength of a PIN, a 4-digit PIN has a FAR of 1/10000; if entropy were used in correlation with performance metrics, the calculation could become more accurate and reliable. -Individuals are not represented by entropy; people could possibly have less entropy than others, and a definition of entropy that incorporates this will help enterprises understand if a user should use a PIN instead of a biometric. -These current limitations show that the entropy definition should be redefined to incorporate some of the shortcomings shown. Continuing to perfect the equation will allow enterprises to feel more secure as they make the transition from PINs and passwords to biometrics.
  10. An internship at Intel will help carve a path to being a full-time Intel employee. Intel has always been a company I have desired to work for. I would love to be in an environment that is heavily involved with cutting-edge technology, and I think my biometrics, hardware, and software skills will be useful to the future of Intel and an internship would further nurture those vital skills.