Information Security Identification and authentication. Advanced User Authentication II

Similar documents
An Overview of Biometric Image Processing

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

Define information security Define security as process, not point product.

Biometric Security Roles & Resources

Tutorial 1. Jun Xu, Teaching Asistant January 26, COMP4134 Biometrics Authentication

BIOMET: A Multimodal Biometric Authentication System for Person Identification and Verification using Fingerprint and Face Recognition

Lecture 9 User Authentication

Keystroke Dynamics: Low Impact Biometric Verification

Lecture 11: Human Authentication CS /12/2018

Multimodal Biometric System by Feature Level Fusion of Palmprint and Fingerprint

Access Control Biometrics User Guide

Gurmeet Kaur 1, Parikshit 2, Dr. Chander Kant 3 1 M.tech Scholar, Assistant Professor 2, 3

Information Security Identification and authentication. Advanced User Authentication III

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM

Role of Biometrics in Cybersecurity. Sam Youness

IJITKM Volume 7 Number 1 December 2013 pp (ISSN )

BIOMETRIC TECHNOLOGY: A REVIEW

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Performance Analysis of Fingerprint Identification Using Different Levels of DTCWT

Smart Card and Biometrics Used for Secured Personal Identification System Development

A Review of Emerging Biometric Authentication Technologies

Technical White Paper. Behaviometrics. Measuring FAR/FRR/EER in Continuous Authentication

DEFORMABLE MATCHING OF HAND SHAPES FOR USER VERIFICATION. Ani1 K. Jain and Nicolae Duta

BIOMETRIC BANKING TECHNOLOGY TO SECURE ONLINE TRANSACTIONS WITH FEASIBLE BIOMETRIC DEVICES

BIOMETRIC MECHANISM FOR ONLINE TRANSACTION ON ANDROID SYSTEM ENHANCED SECURITY OF. Anshita Agrawal

Computer Security. 10. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Intruders, Human Identification and Authentication, Web Authentication

Computer Security 4/15/18

Online and Offline Fingerprint Template Update Using Minutiae: An Experimental Comparison

Palm Vein Technology

(2½ hours) Total Marks: 75

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

AUTHENTICATION IN THE AGE OF ELECTRONIC TRANSACTIONS

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Integrated Access Management Solutions. Access Televentures

User Authentication Best Practices for E-Signatures Wednesday February 25, 2015

Chapter 3: User Authentication

Ujma A. Mulla 1 1 PG Student of Electronics Department of, B.I.G.C.E., Solapur, Maharashtra, India. IJRASET: All Rights are Reserved

Fingerprint Authentication for SIS-based Healthcare Systems

CS Authentication of Humans. Prof. Clarkson Spring 2017

Passwords. EJ Jung. slide 1

Biometric Cryptosystems: for User Authentication

Stegano-CryptoSystem for Enhancing Biometric-Feature Security with RSA

Chapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger.

Authentication. Chapter 2

In this unit we are continuing our discussion of IT security measures.

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

CSE 565 Computer Security Fall 2018

Lecture 9. Authentication & Key Distribution

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Body Sensor Network Security

Thumb based Biometric Authentication Scheme in WLAN using Gauss Iterated Map and One Time Password

Computer Security: Principles and Practice

COMPUTER NETWORK SECURITY

Biometrics. Overview of Authentication

6. Multimodal Biometrics

Minutiae vs. Correlation: Analysis of Fingerprint Recognition Methods in Biometric Security System

Behavior-based Authentication Systems. Multimedia Security

Guide to Speaker Verification & Voice Biometrics

Biometrics problem or solution?

A Survey on Security in Palmprint Recognition: A Biometric Trait

HOST Authentication Overview ECE 525

Secure and Private Identification through Biometric Systems

CSC 474 Network Security. Authentication. Identification

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

CSE Computer Security (Fall 2007)

Face Fingerprint Handprint Iris Retina Signature Voice Watermarking

The US Contact Center Decision-Makers Guide Contact Center Performance. sponsored by

Information Security & Privacy

CAS Sign On for Windows

Biometric Security Technique: A Review

HY-457 Information Systems Security

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Proper user identification is essential for reliable

The Match On Card Technology

US Secret Service National Threat Assessment Center (NTAC), Insider threat study (2004)

An Efficient on-line Signature Verification System Using Histogram Features

Multimodal Fusion Vulnerability to Non-Zero Effort (Spoof) Imposters

Biometrics Our Past, Present, and Future Identity

EXAMINATION [The sum of points equals to 100]

The Need for Biometric Authentication

Keywords Wavelet decomposition, SIFT, Unibiometrics, Multibiometrics, Histogram Equalization.

Chapter 6. Multibiometrics

Post-Class Quiz: Access Control Domain

Multimodal Biometric System in Secure e- Transaction in Smart Phone

Undergraduate programme in Computer sciences

ELK ASIA PACIFIC JOURNAL OF COMPUTER SCIENCE AND INFORMATION SYSTEMS. ISSN: ; ISSN: (Online) Volume 2 Issue 1 (2016)

The European Union approach to Biometrics

Computer Security. 09. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2017

Signature Verification Why xyzmo offers the leading solution

Multimodal Biometrics Information Fusion for Efficient Recognition using Weighted Method

Module: Introduction. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Applying biometric authentication to physical access control systems

Operating Systems. Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) alphapeeler.sf.net/pubkeys/pkey.htm

International Journal of Advanced Research in Computer Science and Software Engineering

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

Authentication by Mouse Movements. By Shivani Hashia Advisor: Dr. Chris Pollett Committee: Dr. Mark Stamp Dr. Robert Chun Dec 2004

Transcription:

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se

Agenda for lecture I within this part of the course Background Statistics in user authentication Biometric systems Authentication eid epassports Biometrics in general Tokens Fumy, W. and Paeschke, M. Handbook of eid Security A. Jain, A. Ross and K. Nandakumar, Chapters 1 in "Introduction to Biometrics" 2

Agenda for lecture II within this part of the course Background Statistics in user authentication Biometric systems Tokens Statistics Generic biometric system Design cycle (Multibiometrics,in lecture III) Security threats (Attacks,in lecture III) A. Jain, A. Ross and K. Nandakumar, Chapters 1, 6 & 7 in "Introduction to Biometrics" 3

Biometrics, definition "The automated use of physiological or behavioural characteristics to determine or verify identity Bio from Greek life Metric from Greek measurement In this case we measure Physical properties of the user s body Behaviour properties of the user 4

User authentication/identification Can in an IT system be achieved via What I know passwords, PIN What I have ID-cards, smart-card, token What I am/do biometrics Identification Authentication 5

Biometrics, examples Written signature Retinal scan DNA Vein pattern Thermal pattern of the face Keystroke dynamics Finger prints Face geometry Hand geometry Iris pattern Voice Ear shape Body motion patterns 6

7

Matching, decision regions, hypothesis testing A typical system has a threshold parameter which determines the allowed variance Statistical theory for hypothesis testing enables analysis It is necessary to balance user population statistics against intended use More about this 8

Statistics in user authentication Problems and unexpected effects 9

Statistics in user authentication For identification, you must consider the probabilities that two persons ever have matching authentication data For verification, you must estimate the probability that an impostor can guess a victim s parameter value and imitate it 10

Statistics in biometrics A typical system has a threshold parameter which determines the allowed variance Use statistical theory for hypothesis testing Balance user population statistics against intended use plus importance of each of the CIA criteria, and set thresholds accordingly 11

Failure rates Admitting a person under the wrong identity FAR False Acceptance Rate, also called FMR False Match Rate Rejecting a person claiming correct identity FRR False Rejection Rate, also called FNMR False Non-Match Rate 12

Failure rate effects Remember: Admitting a person under the wrong identity means damaged Confidentiality and/or Integrity Rejecting a person claiming correct identity means damaged Availability 13

Identification effects Hypothesis testing answers True or False Hypothesis can be this is person X Highly unbalanced in the sense that most subjects are not person X Creates effects that surprise some 14

Identity testing problems Suppose there are 10,000 persons on a no fly list An airport uses identification devices with FAR=0,1% and FRR=5%. Reasonable values? A terrorist has a 5% chance of getting aboard. Send 20 and one will succeed A typical airport like Arlanda ( 50 000 passengers per day) will detain 50 innocent people each day 15

Traps in using FRR False Rejection Rate is a mean value over a trial population It does not (necessarily) give the general probability that a given user is rejected Usually there is a subset of users who get most of the rejections It is not valid for users deliberately trying not to be recognised 16

Conditional v mean values If the correct user is often rejected due to anomalies, attempts at false acceptance as that user may fail often and vice versa. This distorts true values If the attacker knows the statistics of single users, the most likely victim can be chosen 17

Example 1 A user population has two sets of users, X with excellent characteristics for the biometric system and Y with bad characteristics. 1% belong to Y A user from X has FAR 0.5% A user from Y has FAR 50% Total FAR 1% An attack deliberately at a Y person still has 50% probability of succeeding 18

Example 2 A user population has two sets of users, X with good characteristics for the biometric system and Y with bad characteristics. 1% belong to Y A user from X has FRR 0.5% A user from Y has FRR 50% Total FRR 1% (looks good, you must re-authenticate only once for every 100 attempts on the average) Users from Y must re-authenticate every other time when using the system. And they must make three attempts one out of four times etc. 19

General statistics How large is the set of possible values? Are some more likely than others? How large is the user population? How many guessing attempts can be made per time unit? Are there restrictions on the possible number of attempts against the same user? Are there general restrictions on the number of attempts? 20

Illustration example, card PIN A card PIN has 10,000 possible values The probability to guess a PIN in the usually allowed three consecutive attempts is thus only one in more than 3000 If 3500 cards are stolen each year, at least one misuse through correctly guessed PIN should be expected per year With 5000 stolen cards, it is more likely that one of them gets its PIN guessed in the first attempt, than that none gets that effect 21

Remember Balance risks against population characteristics, like size but not only size Average risks can be much higher for subsets of users than for the total population If one single customer is hit, it does not matter to that customer that the average risk per customer was very low If some customers are at high risk, the organisation is bound to get hit eventually 22

Generic biometric system: Building blocks 24

Feature extraction: Segmentation and enhancement 25

Generic biometric system: Building blocks 26

A generic biometric system Sensor Data reduction Classification Measurement Input signal Desicion data areas and confidence levels Feature vector 4454 43534 90234 09824 94995 89235 0934 32846 94535 65251 34656 Person: 13455 Pelle 9834 Confidence level: 84% 36004 02543 88984 04848 23905 9843 98489 42894 88940 82389 78377 98988 97873 2134 13300 12083 09399 93289 90139 4390 03290 83893 88389 1247 27

Classification Person B Person A Person D Person C 28

Design cycle of biometric systems 29

Design cycle of biometric systems Nature of application Cooperative users Overt/covert deployment Habituated/Nonhabituated users Attended/Unattended operation Controlled/Uncontrolled operation Open/Closed system 30

Design cycle of biometric systems Choice of biometric trait Universality Uniqueness Permanence Measurability (Collectability) Performance Acceptability Circumvention 31

Requirements on biometric traits Attempt to classify methods according to how they meet all seven criteria. Valid today? Do you agree in general? Look closely and make your own assessment! There is no correct answer 32

Design cycle of biometric systems Collecting biometric data Appropriate sensors Size, cost, ruggedness, high quality biometric samples Collection environment Sample population Representative of the population Exhibit realistic intra-class variations User habituation Legal, privacy & ethical issues 33

Design cycle of biometric systems Choice of features/matching algorithm Prior knowledge of the biometric trait Uniqueness Mimic human ability to discriminate Interoperability between biometric systems Common data exchange formats 34

Design cycle of biometric systems Evaluation of biometric systems Technology evaluation Scenario evaluation Operational evaluation Error rates System reliability, availability, maintainability Vulnerabilities User acceptability Cost, throughput, benefits Return on investment 35

How to cheat a biometric system? Cheat the sensor Picture of another persons face Voice recordings... Cheat the system False user permission Intrude/manipulate communication... 36

What are the disadvantages of biometric systems Sensors of low quality and sensitive to noise Biometrical features needs to be uniqe Temporal variations (ageing, beards, weight etc ) complicates the use 37

Security threats: Denial-of-service (DoS) Legitimate users are prevented from obtaining access to the system or resource that they are entitled to Violates availability 38

Security threats: Intrusion An unauthorized user gains illegitimate access to the system Affects integrity of the biometric system 39

Security threats: Repudiation A legitimate user denies using the system after having accessed it. Corrupt users may deny their actions by claiming that illegitimate users could have intruded the system using their identity 40

Security threats: Function creep An adversary exploits the biometric system designed to provide access control to a certain resource to serve another application, for example, a fingerprint template obtained from a bank s database may be used to search for that person s health records in a medical database Violates confidentiality and privacy. 41

42

but is really the story boring? Possible security threats Threat agents Public confidence and acceptance What if the application is Border control Management of welfare schemes 43

Agenda for lecture II within this part of the course Background Statistics in user authentication Biometric systems Tokens Statistics Generic biometric system Design cycle Multibiometrics Security threats Attacks A. Jain, A. Ross and K. Nandakumar, Chapters 1, 6 & 7 in "Introduction to Biometrics" 44

www.liu.se

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback