Biometrics Evaluation and Testing. Dr Alain MERLE CEA-LETI

Size: px

Start display at page:

Download "Biometrics Evaluation and Testing. Dr Alain MERLE CEA-LETI"

Marjory Potter
5 years ago
Views:

1 Biometrics Evaluation and Testing Dr Alain MERLE CEA-LETI

2 The BEAT project CC & Biometrics Towards a technical committee on Biometrics A. Merle 2

3 The BEAT project EU Funded project (FP7 SEC) grant agreement number: Area: Biometrics Evaluation & Testing Partners IDIAP CH Univ. Autonoma de MADRID ES Univ. of SURREY UK EPFL CH TUBITAK TR CEA-LETI F MORPHO F TUV-IT DE KUL BE Advisory Board Members BSI DE NPL UK ANSSI F CCN ES Biometrics Institutes AU Certification Bodies Evaluation labs A. Merle 3

4 BEAT: Status & Objectives Status No standards for evaluating Accuracy Resistance to attacks Privacy preservation strength Multi-modalities: Face, Fingerprints, Iris, Veins Objectives: Develop an On-Line open platform for performance evaluation Develop protocols & Tools for Vulnerability Analysis Propose a Common Criteria evaluation methodology A. Merle 4

5 BEAT: Structure of the project WP2: Specifications & Design WP3: Evaluation of biometric performance Protocols, databases, novel metrics WP4: Evaluation of vulnerabilities Direct (spoofing) and Indirect attacks WP5: Evaluation of Privacy Preservation Novel privacy preservation techniques WP6: Standards & Certification Common frameworks for the security evaluation of biometric systems (CC) WP7: Integration & Deployment WP9: Legal aspects of Privacy and IP A. Merle 5

6 BEAT: Biometrics performances Statistical by nature 2 major related factors FAR: False Accept Rate FRR: False Reject rate Dependent on the application Population characteristics Race, Blue/White collar, Need of huge data bases Privacy, National regulations A. Merle 6

7 BEAT: Spoofing Any modality is subject to spoofing A. Merle 7

8 BEAT: Indirect attacks Fake feature generation Ex: generating a fake fingerprint from a template «Hill Climbing» Using the matching score to optimize a generated feature list A. Merle 8

9 Notes A biometrics system is also an sensor/hardware/software system that could be subject to standard attacks towards this kind of system Tampering, Side channel analysis, fault injection, etc Ex: Access to matching score via Time analysis to implement a hill climbing attack. A CC specificity: Test strategies are adapted to the product Expertise & vulnerability analysis vs test list Ability to follow a fast evolving state of the art A. Merle 9

CC and Biometrics 2002: BEM: Biometrics evaluation methodology Focused on intrinsic performance evaluation (FAR & FRR) Dimensioning data bases 2007 Today Work on fingerprints (France, Germany, Spain)

10 CC and Biometrics 2002: BEM: Biometrics evaluation methodology Focused on intrinsic performance evaluation (FAR & FRR) Dimensioning data bases 2007 Today Work on fingerprints (France, Germany, Spain) All kind of attacks specific to biometrics (spoofing, hill climbing, ) Document available: PPs from BSI Characterizing Attacks to Fingerprint Verification Mechanisms M-Jul2011.pdf EAL2, EAL2+ Max AVA_VAN.2, or even no AVA_VAN Definition of a dedicated SFR A. Merle 10

11 Open questions (among others) Extension to other modalities: Iris, veins, face Evaluation methodology FAR/FRR predefined or calculated by evaluator Databases for intrinsic performance evaluation (developer, evaluator, both, identical, different) Spoofing (methods, anything considered as standard ) Managing uncertainties in spoofing attacks Resistance rating Table, factors, numbers, 2 vs 1 phase (Identification & exploitation) Resistance Specific rating (biometrics, by modality) or «common rating» (which one, CEM, hardware, ) A. Merle 11

12 CC: the example of Smartcards Widely used for Smartcards But, heavy adaptations have been necessary to have an efficient process A. Merle 12

13 Resistance rating Alain MERLE A. Merle 13

14 In addition In the last 15 years, Common Criteria evaluations have been a very efficient process to enhance the security level of products Challenge conditions between developers & labs Safe and responsible environment No vulnerability critically transferred to the public A. Merle 14

15 BEAT: Intended production Evaluation methodology What is a biometrics systems What the developer has to produce What tasks the evaluator has to perform, requested competences, tools, etc PPs? Attacks description All the attacks methods an evaluation has to take into account «evaluators guide» Attack potential / Resistance rating With an agreement of the participants A. Merle 15

16 BEAT objectives Create a «technical committee» dedicated to Biometrics Open to all stakeholders participating or not to BEAT Based on an initial kernel participating to BEAT CBs (CCN, BSI, ANSSI), evaluation labs (LETI, TUV-IT, UAM), industry (MORPHO) SOG-IS MC Management Committee JIWG Joint Interpretation Library (JIL) Working Group JHAS JIL Hardware Attack Sub-group JTEMS JIL Terminal Evaluation Method Sub-group BIOMETRICS A. Merle 16

17 If interested, join us Contacts Beat project manager: Dr Sébastien MARCEL, IDIAP WP Leader for standardization & Certification: Dr Alain MERLE, CEA-LETI A. Merle 17

18 Questions?

Rating Attack Potential for Smartcards

Rating Attack Potential for Smartcards Alain MERLE, CEA-LETI Technical manager of CESTI LETI on behalf of ISCI (JHAS) group CESTI LETI 1 The ISCI group (International Security Certification Initiative)