15.05.13 R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today. I've posted homework and chapters. Recap.

Transcript:

CISC Class Today
- I've posted homework and chapters
- Recap
- Biometrics (yes, I found the Mythbusters DVD)
- (out of sync with previous presentation)

Recap
- Authentication
- Average Attack Space
- Authentication Tokens

Biometrics
- Measures something personal we won't lose or share
- Problem: what about interception and cloning?
From Authentication © Used by permission

Biometrics: Things you are
- Also hand, voice, face, eyes

Biometric Matching
- Compares user's signature to previously established pattern built from that trait
- Pattern and signature contents vary according to the biometric and the implementation

Pattern Matching
- We compare how closely a signature matches one user's pattern versus another's pattern

Matching in Practice
- You should often match yourself and rarely match others

Trial and Error Attacks
- If it lets the right ones in, some wrong ones can get in, too

Guessing Attacks Revisited
- Off-Line Attacks aren't as relevant to biometrics
  – Sniff and replay attacks are more practical
  – Attacker can sniff either a signature or a pattern
- Interactive Attacks
  – Same as with password – attacker literally tries to make own biometric pass as the victim's biometric
  – Like passwords, it's limited to trial-and-error attempts to use a server
    - Limited to server's speed, and failures can be detected
- Team Attacks
  – Variant of interactive attack that uses many people
  – Likelihood of success increases with the size of the team
    - 20 people, 10 fingers = 200 fingerprints to try ~ 2^7 attack space
  – Limited to the server's speed, and failures can be detected

Average Attack Space for Biometrics
- Look at the False Positive rate
  – That's the percentage of times someone gets in with the WRONG fingerprint.
  – Some systems are 99%, 99.9% and % (1/100,000)
  – Compare with strength of passwords (1/1,000,000)
- Use that to figure out the number of trials.
- Assume that it applies to the whole population
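An added worked example (not from the original slides) of the false-positive arithmetic above: it derives false-positive and false-negative rates from constructed match scores, then turns a false-positive rate into the number of trials for a 50% chance of a false match and into a team attack's odds. The score lists, function names, the independence of trials and the lockout parameter are assumptions of this example.

```python
import math

# Constructed match scores (0-100, higher = closer match); not measured data.
GENUINE = [91, 88, 95, 79, 84, 90, 73, 97, 86, 82]    # owner against own pattern
IMPOSTOR = [35, 52, 41, 77, 28, 60, 47, 81, 39, 55]   # other people against it


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) at a match threshold."""
    fp = sum(s >= threshold for s in impostor) / len(impostor)
    fn = sum(s < threshold for s in genuine) / len(genuine)
    return fp, fn


def trials_for_even_odds(fp_rate):
    """Smallest n with 1 - (1 - fp_rate)**n >= 0.5, assuming independent trials."""
    if not 0 < fp_rate < 1:
        raise ValueError("fp_rate must be strictly between 0 and 1")
    return math.ceil(math.log(0.5) / math.log1p(-fp_rate))


def attack_space_bits(fp_rate):
    """The same trial count expressed as a power of two."""
    return math.log2(trials_for_even_odds(fp_rate))


def team_success(fp_rate, people, fingers=10, max_failures=None):
    """Chance that a team gets at least one false match.

    max_failures models a server that locks the account after that many
    failed attempts (hypothetical parameter, not from the slides).
    """
    tries = people * fingers
    if max_failures is not None:
        tries = min(tries, max_failures)
    return 1 - (1 - fp_rate) ** tries


if __name__ == "__main__":
    for t in (70, 80, 90):   # a stricter threshold trades false positives for false negatives
        print("threshold", t, "-> (FP, FN) =", rates(t))
    for fp in (1 / 100, 1 / 1000, 1 / 100_000):
        print(f"FP rate {fp:g}: {trials_for_even_odds(fp)} trials, "
              f"about 2^{attack_space_bits(fp):.1f}")
    print("team of 20, no lockout:   ", round(team_success(1 / 1000, 20), 4))
    print("team of 20, 5-try lockout:", round(team_success(1 / 1000, 20, max_failures=5), 4))
```

The lockout case shows why detecting and limiting failed attempts matters more than team size once the false-positive rate is fixed.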

Biometric Strength

Biometric Challenges
- The Cloning Problem (Local)
  – Fingerprint cloning
  – Face cloning
  – Iris cloning
- The Trial-and-Error Problem (Remote)
- The Sniffing Problem (All)

Now, a Mythbusters Break
- we'll be back...

Fingerprint Cloning
- Willis and Lee could trick 4 of 6 sensors tested in 1998 with cloned fingers
- Willis and Lee, "Six Biometric Devices Point The Finger At Security" in Network Computing, 1 June 1998
- Thalheim et al could trick both capacitive and optical sensors with cloned fingers
  – Products from Siemens, Cherry, Eutron, Veridicom
  – Latent image reactivation only worked on capacitive sensors, not on optical ones
  – Thalheim, Krissler, and Ziegler, "Body Check", c't (Germany)
- Matsumoto tested 11 capacitive and optical sensors
  – Cloned fingers tricked all of them
  – Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens, Secugen, Ethentica
- Tsutomu Matsumoto, ITU-T Workshop on Security, Seoul, May 2002; t/workshop/security/present/s5p4.pdf

Yes, A Bag of Water
Reactivating a latent fingerprint
- Use a thin-walled plastic bag of warm water
- Gives enough contrast to the oil ridges to fool some readers
- Moderately effective, even when system is at maximum setting
Source: c't (Germany), "Body Check" by Thalheim, Krissler, and Ziegler

More Reactivations from c't
- Easy way
  – Breathe on the sensor
  – Works occasionally
- Hard way
  – Dust with graphite (like your local detective)
  – Attach clear tape
  – Almost 100% success rate (c't)
  – Also used by Willis & Lee

Face Cloning
- Show the camera a photograph or video clip instead of the real face
- Photo and video were taken without the victim's assistance
- Face recognition was fooled
  – Other reports note success against iris scans
Source: c't (Germany), "Body Check" by Thalheim, Krissler, and Ziegler

Iris Cloning
- Thalheim et al have also successfully spoofed iris authentication using a Panasonic Authenticam
- Placed a printed copy of a human iris in front of an eyeball, with a hole punched out for the pupil.
  – Thalheim, Krissler, and Ziegler, "Body Check", c't (Germany)

Sniffing
- Attacker collects a digitized reading
- Replays it later to mimic the reader
- Variation
  – Construct a digitized reading from a locally copied biometric – fingerprint, speech, etc.
Biometrics may be private, but they are not really secrets!

The Biometric Dilemma
- The biometric pattern acts like a base secret
- But, Cathy's biometrics are not base secrets
  – Cathy leaves artifacts of her voice, fingerprints, and appearance wherever she goes
  – Cathy can't change them if someone makes a copy
- Once the bits leave the biometric reader, we can't tell if they're legitimate or not
- Also, Cathy's privacy is jeopardized if the biometric signatures and patterns must be handled by many systems and devices

Multi-Factor Authentication
- We cover the weaknesses of individual techniques (tokens, passwords, biometrics) by combining two or more in one mechanism
- Two Factor Authentication
  – ATM Cards - card plus PIN
  – One-time password token with a keypad - token plus PIN
  – Biometric reading protected with a secret encryption key
- Three Factor Authentication
  – Token + memorized PIN + biometric reading
  – Rarely used

Multi-Factor Token
- Fingerprint unlocks the authentication token

Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.