India's UID Project: Biometrics Vulnerabilities & Exploits

Presentation of JTD in Campaign for No UID meeting in Delhi 25th August

Published in: Technology

  1. Biometrics Vulnerabilities & Exploits [email_address]
  2. INTRODUCTION
     - Old World methods of trust and authentication
       - Personal introductions, documents
       - Key role player is the authenticator
     - New World requirements
       - Anonymous, large scale, short term relationships
       - Key requirement is building up of trust
     - No defence mechanisms of older methods present in newer systems
  3. Authentication by Technology
     - Requires the exchange of certain FACTORS
     - Requires an authority who can verify these factors
     - Requires an authority who can provide permission to build a relationship and transact
  4. ... Authentication by Technology
     - Factors are classified into 3 types
     - Ownership factor like cards, badges or keys
     - Knowledge factor like user id, password and pins
     - Inheritance factor like weight, height, face shape, color of eyes/hair, birth marks etc., all nicely encoded in a photo
  5. Properties of different Factors
  6. The Inheritance Factor - Biometrics
     - The subject of discussion for today is the Inheritance Factor – Biometrics
     - Implementation difficulties
     - Vulnerabilities
     - The authentication process and its vulnerabilities, in brief
     - Since the UIDAI has chosen the use of fingerprints and iris as a means of authentication, we will be discussing only these factors
  7. Finger Print Scanners
     - Many variations on these basic techniques
     - Variations are primarily to reduce cost, size and probably to overcome existing patents
     - Some claims exist about the ability to sense below the “dead skin” surface. However, for our vulnerability assessments, these claims are trivially overcome
     - Sensor technologies are not relevant to the scope of vulnerabilities and exploits
  8. Fingerprint Readers
  9. Iris Scanners
     - Iris scanners use a Near Infra Red light
     - Camera coupled with some autofocusing techniques (commonly used in autofocus cameras)
  10. Iris scan - Base Technique
  11. The Process
     - All id systems involve an enrollment process and an authentication process, followed by an authorization process, to enter / exit / receive / deposit etc.
  12. The Enrollment Process
     - Capture image
     - Process image
     - Extract Features
     - Create Template
     - Save raw data in the case of criminal records
     - Encryption
     - Transmission
     - De-duplication and storage
  13. The Authentication process
     - Capture image
     - Process image
     - Extract Features
     - Create Template
     - Encryption
     - Transmission
     - Receive result
     - UIDAI has not specified iris for authentication*
  14. Threats faced by biometric systems
     - Threat agents
       - Only simple impostor, without much sophistication or resources. We shall leave out cross-border attack vectors, as pilfering state subsidies may not be their highest priority
     - Threat Vectors
       - Fake credentials and replay attacks
     - System Weaknesses
       - Extraction of digital keys, use of internal facilities of sensors
  15. Desired Characteristics And Limitations
     - Easy and accurate digitization of the presented bio characteristic
     - Time Invariant
     - Environment Invariant
     - Spoof proof
  16. ... Limitations in enrollment / auth
     - Easy and accurate digitization – neither easy nor accurate
     - Too many wrong methods, resulting in an unreproducible template
     - Guided enrollment useless for auth
     - Very difficult for occasional users
     - Manual overrides = more holes
  17. ... Limitations in enrollment / auth
     - Time invariance – a myth
       - Ageing changes fingerprints (1)
       - Skin ailments make auth difficult if not impossible
       - No large scale studies on heterogeneous populations
       - Will require frequent re-enrollment – aka more holes
       - No (available?) studies on iris variations due to ageing
       - Errors due to unknown causes (2)
  18. ... Limitations in enrollment / auth
     - Environment invariance – a myth
       - Waterlogged hands change the machine readability of fingerprints
       - Dry skin changes the machine readability of fingerprints
       - Will require frequent re-enrollment – aka more holes
       - No (available?) studies on iris variations due to harsh environments
       - Inter-device variations
  19. ... Limitations in enrollment / auth
     - Non-spoofability
       - Biometrics are the worst
       - Fingerprints are spoofed by the gummy finger technique
       - Irises are spoofed by photographs
       - Irises are spoofed by patterned contacts
  20. Spoofing made easy - Fingerprints
     - Uses common ingredients
     - Fools all systems with greater than 60% repeatability
     - Newer materials and techniques even more effective
  21. Spoofing made easy - Iris
     - Buy from the net to create fake ids for sale
     - PCB etching techniques for masquerading
     - Older technique using high res photograph with pupil holes
  22. Attack Vectors requiring skill
     - Template reconstruction
       - Biometric id systems store data as templates, usually a few kilobytes in size. It has been shown that a biometric fingerprint system can be compromised by recreating the biometric using the stored template
       - Template extraction and storage are a feature of systems
  23. ... Attack Vectors requiring skill
     - Key duplication
       - Trivial to break into the device and extract keys
       - Addition and deletion of keys is a feature
       - Even in locked down devices, the key can be recovered by simply copying the onboard flash to a PC and reusing the backup in a device purchased from the market
  24. ... Attack Vectors requiring skill
     - Replay attack at sensor pins
       - The sensor interfaces are relatively simple
       - Produce raw data (Fig 4). It is possible to record all data, and then replay that data
       - This attack requires some technical skill
       - However, once developed, it can be mass produced and will be undetectable
  25. Biometrics WORST CHARACTERISTIC
     - Cannot be withdrawn
     - Cannot be changed
     - This violates the basic requirement of any id system
  26. Inherent problems with Biometric Systems
     - FAR - False Acceptance Rate indicates the number of wrong matches of a presented biometric – mistakenly identifying one person as another
     - FRR - False Rejection Rate (also called False Non Match Rate) indicates the number of wrong rejects of a presented biometric.
     - Best FAR of .00060 for fingerprints
     - Best FAR of .000120 for Iris
     - Best FRR of .0060 for fingerprints
     - Best FRR of .0012 for Iris
  27. ... Inherent problems with Biometric Systems
     - FAR and FRR closely linked to template size
     - Reducing FAR increases FRR
     - Reducing FRR increases FAR
  28. ... Inherent problems with Biometric Systems
     - Requires very good power
     - Requires very good telecommunications infrastructure
     - Both of very poor quality in many areas
     - Even in Maharashtra in the Konkan region, such infrastructure is poor due to natural causes
       - Hilly terrain
       - RF shadow regions
       - Heavy rains and lightning
  29. Summary
     - Biometrics as a unique id in an automated system has never been tested on a large scale
     - The inherent characteristic of biometrics is its irrevocability. This is in direct contradiction of any id / security system, where keys must be revocable and reissuable
     - Fingerprints are easily spoofable
     - Iris patterns are easily spoofable
     - Biometrics are very susceptible to the natural biological processes of growth, ageing and environment
     - Numerous technical vulnerabilities are available for exploitation at the sensor-system interface
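
The FAR/FRR trade-off from slides 26 and 27, and what a per-comparison FAR means for the de-duplication step on slide 12, worked through as an added example that is not part of the original presentation. The match scores and the enrolled-record count are constructed; the FAR figures are the ones quoted on slide 26, treated here as per-comparison probabilities with independent comparisons, which is an assumption.

```python
import math

# Constructed match scores on a 0-100 scale (not data from the presentation).
GENUINE = [91, 88, 84, 79, 76, 73, 68, 62, 55, 47]   # same-person comparisons
IMPOSTOR = [58, 52, 49, 44, 41, 37, 33, 28, 22, 15]  # different-person comparisons

# "Best" FAR figures quoted on slide 26.
FAR_FINGERPRINT = 0.00060
FAR_IRIS = 0.000120


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a matcher that accepts scores >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """Tabulate (threshold, FAR, FRR); raising the threshold trades FAR for FRR."""
    return [(t, *far_frr(t)) for t in thresholds]


def dedup_false_match(far, enrolled):
    """1:N de-duplication of one new enrollee against `enrolled` records.

    Returns (probability of at least one false match, expected false matches),
    assuming each comparison independently false-matches with probability `far`.
    """
    p_any = -math.expm1(enrolled * math.log1p(-far))  # 1 - (1 - far)**enrolled
    return p_any, far * enrolled


if __name__ == "__main__":
    for t, far, frr in sweep([40, 50, 60]):
        print(f"threshold={t}  FAR={far:.2f}  FRR={frr:.2f}")
    # Hypothetical database size chosen for illustration only.
    for name, far in [("fingerprint", FAR_FINGERPRINT), ("iris", FAR_IRIS)]:
        p_any, expected = dedup_false_match(far, enrolled=10_000)
        print(f"{name}: P(any false match)={p_any:.4f}  expected={expected:.1f}")
```

Because the expected number of false matches grows linearly with the number of enrolled records, a FAR that looks small for 1:1 verification produces routine false duplicates in 1:N de-duplication.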