
D3.2: A study on PKI and biometrics


 

Security Aspects

Once a technology becomes available, it is used, controlled, manipulated, exploited and compromised by people, thus creating an information system with multiple security vulnerabilities which have to be addressed. Besides the technological aspect of security there are a few other aspects that need further consideration. This is especially so in more complex biometric implementations that take place on a broader scale (such as border control). Security in the technological artefact can be seen as complementary to two other aspects that will be briefly discussed below. Together these comprise the TFI model, which separates three different levels, namely the technical, the formal and the informal [DHI96].

Technical 

With any emerging security technology, one question is paramount: ‘How reliable is it?’ Two technical measures can be used to quantify an answer: the false positive, i.e. concluding that an impostor is actually who they claim to be, and the false negative, i.e. being unable to confirm the identity of a valid user. A review of current biometrics technology [JAI04] has indicated that fingerprint identification has a false positive probability of around 0.2%, and a false negative probability of around 0.2%. Face recognition performs worse, with a false positive probability of around 1% and a false negative probability of around 10%. Error rates of this degree are simply not acceptable in security-critical applications, even if they are slightly assisted by soft biometrics (see section ). For relatively small databases they may be acceptable, but in the proposed applications (i.e. border control), where centralised databases will hold a staggering 60 million records, it will be impossible to stop someone claiming multiple identities.
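The scaling behind that last claim, as an added example that is not part of the original deliverable: when one sample is searched against every record in a database, the number of wrong records that match grows with the database size. The rates and the 60 million figure are from the text; treating the quoted false positive probability as a per-comparison rate, treating comparisons as independent, and all function names are assumptions of this example.

```python
import math

def expected_false_matches(fmr: float, n_records: int) -> float:
    """Expected number of wrong records that match in one 1:N search."""
    return fmr * n_records

def p_any_false_match(fmr: float, n_records: int) -> float:
    """P(at least one false match) = 1 - (1 - fmr)^N, computed stably."""
    return -math.expm1(n_records * math.log1p(-fmr))

def fmr_needed(target_p: float, n_records: int) -> float:
    """Per-comparison rate that keeps P(any false match) at target_p."""
    return -math.expm1(math.log1p(-target_p) / n_records)

# False positive probabilities quoted in the text from [JAI04].
RATES = {"fingerprint": 0.002, "face": 0.01}
N = 60_000_000  # database size quoted in the text

def summarise(n_records: int = N) -> dict:
    """Per-modality figures for one search against n_records entries."""
    out = {}
    for name, fmr in RATES.items():
        out[name] = {
            "expected_false_matches": expected_false_matches(fmr, n_records),
            "p_any_false_match": p_any_false_match(fmr, n_records),
        }
    return out

if __name__ == "__main__":
    for name, row in summarise().items():
        print(name, row)
    print("small database (100 records):", summarise(100))
    print("rate needed for a 1% chance of any false match:",
          fmr_needed(0.01, N))
```

Under these assumptions the per-comparison rate would have to fall by several orders of magnitude before a search over a database of that size returned a clean answer.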

Beyond the error-prone nature of biometric technology, there is the real possibility of deliberate attack in an attempt to compromise security. 

 


Figure 4‑: A block diagram of a generic biometrics system, with eight potential attack points highlighted. Adapted from [ULU04]

 

The figure highlights the eight significant points within the biometric system which are open to potential attack [ULU04]. The extent to which these can be exploited has a direct relation to the overall security of the system. The eight points of attack are:

 

  1. Utilising an imitation biometric (e.g. a prosthetic finger). Many methods have been developed to produce such devices easily [PUT00], [MAT02] and, in the case of commercially available fingerprint systems, have shown a success rate of between 67% and 100%, mostly dependent on the quality of the original source print (a willing volunteer’s print works better than one lifted from a glass, for example). Methods to counteract these shortcomings, such as identifying whether the presented sample is real, living tissue, are showing some promise [DER03], but there are no guarantees that fraudsters will stop there. On the 28th of March, 2005, a gang of carjackers in Kuala Lumpur first forced the victim to activate the car’s fingerprint-recognition system and then cut off his fingertip. Systems that incorporate ‘aliveness detection’ might not be the solution but could just prolong the suffering of the ‘bio-victims’ or lead to alternative methods.

  2. Although more complex, it is possible to replay previously submitted biometric data to cause a false positive identification. A potential solution to this is for the system to challenge the sensor device with a secure request for additional information. For example, if the system requests the sensor to repeat certain randomly selected parts of the captured data, then the system can establish if the data has really come from the sensor.

  3. By attacking the system at the feature module point, it is possible, albeit unlikely, for an attacker to force the system to produce values unrelated to the sensor input that subsequently generates a false positive result. 

  4. Replacing the system generated feature values with known valid ones will result in unauthorised access. 

  5. If the matcher can be forced into generating an incorrectly high matching score, then a false positive will result. 

  6. The template matching component is particularly vulnerable since incorrect data stored here (through error, collusion or attack) is open to abuse at any time. A template may be added, edited, removed or replaced in order that an invalid user is authenticated. Database security is the key here to reducing vulnerability since unsecured templates can be reverse-engineered and synthetic data added.  

  7. By intercepting the transmission of the template data, and replacing the original templates with false data, a false positive can be generated. 

  8. By attacking at the decision end of the system, the binary result ‘Yes / No’ can be modified to falsify the result.
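The countermeasure described under point 2, where the system challenges the sensor to repeat randomly selected parts of the captured data, can be sketched as follows. This is an added example, not code from the original study; the shared sensor key, the HMAC construction, the segment size and all names are assumptions, and the captured data is a constructed stand-in.

```python
import hashlib
import hmac
import secrets

SEG = 16  # bytes per segment of captured data (constructed value)

def segments(sample: bytes) -> list:
    return [sample[i:i + SEG] for i in range(0, len(sample), SEG)]

def respond(key: bytes, capture: bytes, nonce: bytes, indices: list) -> bytes:
    """Sensor side: MAC the nonce and the requested segments of its capture."""
    segs = segments(capture)
    mac = hmac.new(key, nonce, hashlib.sha256)
    for i in indices:
        mac.update(i.to_bytes(4, "big") + segs[i])
    return mac.digest()

class System:
    """Verifier side. `key` is shared with the genuine sensor (assumption)."""
    def __init__(self, key: bytes, picks: int = 4):
        self.key, self.picks, self.pending = key, picks, {}

    def challenge(self, session: str, sample: bytes):
        n = len(segments(sample))
        rng = secrets.SystemRandom()
        indices = sorted(rng.sample(range(n), min(self.picks, n)))
        nonce = secrets.token_bytes(16)  # fresh for every submission
        self.pending[session] = (sample, nonce, indices)
        return nonce, indices

    def verify(self, session: str, response: bytes) -> bool:
        state = self.pending.pop(session, None)  # each challenge is single-use
        if state is None:
            return False
        sample, nonce, indices = state
        expected = respond(self.key, sample, nonce, indices)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)
    capture = secrets.token_bytes(128)  # constructed stand-in for sensor output
    system = System(key)
    nonce, idx = system.challenge("s1", capture)
    recorded = respond(key, capture, nonce, idx)  # the genuine sensor's answer
    genuine = system.verify("s1", recorded)
    # Replay: same data and the recorded answer, but the challenge is new.
    system.challenge("s2", capture)
    replayed = system.verify("s2", recorded)
    return {"genuine": genuine, "replayed": replayed}
```

The replayed submission is rejected because the recorded answer was computed for an earlier nonce and segment selection, and a party holding only the recorded data cannot compute a new answer without the sensor key.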

 

Attack (1) is perhaps the most intuitive, whilst the remaining attack techniques require a more intimate understanding of the specific authentication system and typically some degree of access to its inner workings. However, all component parts of the authentication system represent a potentially exploitable issue. 
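Point 6 names database security as the control against templates being added, edited, removed or replaced. One way to make such changes detectable is shown below as an added example that is not from the original study: the keyed seals, the manifest, the sample records and all names are assumptions, and the key and the trusted manifest are assumed to be held outside the template database.

```python
import hashlib
import hmac

def seal(key: bytes, user_id: str, template: bytes) -> bytes:
    """Tag binding a template to its owner, so a swapped record is detected."""
    uid = user_id.encode()
    msg = len(uid).to_bytes(2, "big") + uid + template
    return hmac.new(key, msg, hashlib.sha256).digest()

def manifest(key: bytes, store: dict) -> bytes:
    """Tag over the set of (user, seal) pairs, so adds and removals show up."""
    mac = hmac.new(key, b"manifest", hashlib.sha256)
    for user_id in sorted(store):
        uid = user_id.encode()
        mac.update(len(uid).to_bytes(2, "big") + uid + store[user_id][1])
    return mac.digest()

def audit(key: bytes, store: dict, trusted_manifest: bytes) -> list:
    """Return findings; an empty list means the store matches what was sealed."""
    findings = []
    for user_id in sorted(store):
        template, tag = store[user_id]
        if not hmac.compare_digest(seal(key, user_id, template), tag):
            findings.append(f"{user_id}: template does not match its seal")
    if not hmac.compare_digest(manifest(key, store), trusted_manifest):
        findings.append("record set differs from the sealed manifest")
    return findings

# Constructed sample data: two enrolled users with placeholder template bytes.
KEY = bytes(range(32))  # demo key only; a real key lives outside the database

def enrol(store: dict, user_id: str, template: bytes) -> None:
    store[user_id] = (template, seal(KEY, user_id, template))

def sample_store():
    store = {}
    enrol(store, "alice", b"\x01" * 64)
    enrol(store, "bob", b"\x02" * 64)
    return store, manifest(KEY, store)

if __name__ == "__main__":
    store, trusted = sample_store()
    print("clean:", audit(KEY, store, trusted))
    store["alice"] = (b"\x09" * 64, store["alice"][1])  # edited template
    print("edited:", audit(KEY, store, trusted))
```

Binding the owner's identifier into each seal is what catches a replaced template, since a valid record copied from another user no longer verifies under the new identifier.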

In [SCH99], the two perhaps most pertinent security issues relating to biometrics are highlighted: the lack of secrecy of biometric data (for example, fingerprints are routinely left on objects during everyday activities) and non-replaceability (i.e. once a fingerprint has been compromised it cannot be changed). These are in contrast with traditional methodologies such as passwords, which remain secret and are easily replaced if compromised.

Formal 

Besides getting the technical level straight there are other aspects of security that have to be considered. In the formal aspect there has to be a clear consideration for both principles and policies. Typically, a demarcation that occurs between these two considers principles to be close to higher-level guidelines whereas policies are more specific. Both are important and required in order to cover the formal security aspects. The degree of difference between principles and policies is also important. A security policy must be based on actual behaviour and provide rules that do not jeopardise the security of organisational processes and systems. Security principles on the other hand must serve a complementary role to that of the security policy.

 

Principles are higher-level descriptions of the broader security scope of an organisation and they serve the purpose of guidance when there is no clear rule to be followed. Decision-making about security related issues can then be inferred from the principles. The problem of course rests with different stakeholders and their respective interpretations of the principles. This means that if we go past the technical level and address these security issues, we still have to consider tackling the formal security aspects by developing principles and policies concerning the handling of biometric templates. Application of standards such as ISO17799 can help in that direction and there has to be a robust audit mechanism for a periodical review of the security policies. There is always of course the question of ‘Who Audits the Auditors’ that has to be further considered.

Informal

Complementary to technical and formal aspects, security can also be enhanced by informal aspects. These cannot be documented like the former two but are still important intangible elements that can be roughly separated into responsibility, integrity, trust and ethics [DHI00]. These are once again complementary, and it is up to organisations (whatever form these may take) to find innovative ways to create a culture that fosters such principles.

Responsibility concerns each individual’s awareness of their roles, while integrity becomes extremely important as it is up to individuals to use or misuse the information that they are given access to. In the case of biometrics data, where information concerns identity and is critical to the privacy of individuals, it is crucial that personnel working in this domain do not misuse that information. In addition to responsibility and integrity, trust and ethics are also important if members of an organisation are to follow the norms (which in their turn are influenced by formal aspects). If present, the aforementioned aspects can enhance security, as insider fraud is a difficult issue to tackle. Only one corrupt individual is required to do all the work. That being the case, some will not even bother with hacking; they will follow a simpler route instead.

By security here, we would like to emphasise that we are looking at the broader security concerns pertaining to the use and handling of data after biometrics are implemented. This is closely associated with privacy concerns and has nothing to do with the supposed enhancement of security (i.e. controlling national borders and visitors – like the US VISIT program).

  • What level of security (physical storage, procedural considerations, etc.) will comprise the biometric environment?

  • What happens after the biometric is digitised? Only one underpaid/corrupt individual is enough to bypass all security measures.

  • Security Policy for handling the data, outlining three different aspects: the technical, formal and informal (who has access to what, education and awareness programs that could potentially minimise resistance to change).

  • Will security wrappers be commercial, off the shelf tools or bespoke? What are the implications for interoperability?  

  • Types of encryption and biometric integration capabilities. 

 

 

Denis Royer 23 / 40