Biometric system security – Part 2 This is the final part of a two-part article looking at biometric system security in the IT environment. It argues that biometrics, often touted as a panacea for security, only offer a way to bind the link between devices and services to real people instead of tokens or knowledge. Specifically it looks at the extra security issues created by the use of biometrics in a wider security system architecture. Part one of this two-part article demonstrated that biometrics only form one part of an overall security architecture. In order to create a secure system, therefore, general IT security system design principles should be closely followed. However, there are other security issues introduced by the use of biometrics, so this second part looks more closely at the possible security attacks that are unique to biometric technology. There are a number of security attacks that are inherent to biometric systems. These include: an attack that aims to affect a biometric system’s performance in order to achieve higher intrusion rates (see Table 1). These attacks stem from the fact that biometrics systems are underpinned by statistical algorithms, which could be influenced by certain conditions at the human-sensor interface. These could be generated through: deliberate physical environmental changes; deliberate generation of bad enrollment templates; or by exploiting knowledge of biometric algorithms and how they function;
fakes and non-live biometric attacks at the biometric measuring device; and attacks on biometric data through ‘hillclimbing’.
Successful attacks often require intrusion into more than one part of the system. For example, to introduce an impostor template into a ‘live’ verification process, requires access to the respective communication channel, and knowledge about the feature extraction process, as well as the template data format. Due to the proprietary nature of pattern recognition algorithms in current biometric technology, a certain level of knowledge is required for non brute-force attacks. However, this security-by-obscurity of biometric algorithms should not be seen as a strong security measure – it is well-known in the cryptography field that the secrecy of an algorithm at best increases the time taken for the completion of an attack. Biometric systems, however, do need “classical” cryptography and system security,
such as digital signatures, to guard against “normal” system attacks (spoofing and nonlegitimate change of data along communication channels). Cryptography can and should also be used for privacy of the biometric data. The integrated security protocol of the application system must ensure that biometric data can only be introduced via a living human at an integral sensor. An excellent guideline to secure biometric system design can be found in ANSI X9.84. The scope of X9.84 is the use of biometric technology for identification and authentication of banking customers and employees. But far from just providing a security protocol for banking applications, the ANSI standard serves as a security integration profile for biometric application integration.
“Dead” biometrics Special attention must be given to zeroknowledge biometric attacks, such as spoofing at the sensor or a brute-force attack at the raw biometric data level. A considerable amount of publicity has recently been generated on the susceptibility of biometrics to fakes – and since fingerprinting seems to be the prevalent biometric, a lot of publications have been elaborating on how to generate artificial
Bad enrollment templates
Generate bad biometric performance, higher FARs
Quality verification on enrollment templates
Lowering or disabling security settings, control
Generate inconsistent system performance, higher FARs
Security policy, administrator changing system parameters
Exploit reference adaptation
Change an enrolled template to become the impostor's template
No/restricted (supervised) adaptation of template
Deliberate change of environmental factors to limits of biometric system
Generate bad biometric performance, higher FARs
Self-test functions, additional equipment, security policy/supervision
Table 1: Threats, outcomes and possible solutions against biometric system performance attacks
Biometric Technology Today • March 2003
FEATURE fingerprints from different “rubber” fingers. Even if such findings have been covered before, these publications reflect the trend of certain publishers to spread fear of insecurity and inapplicability. However they also reflect a more security focused expectation of biometrics. Biometrics is seen as a potentially secure technology for travel, national ID and governmental applications. This puts higher security demands than previously anticipated on some of today’s biometric applications, especially in unsupervised scenarios. Let us here try to focus on some general implications. Firstly, it is a fact that any biometric system can be subject to fakes – so any biometric system must take measures to detect faked biometric features. In general, the fake scenarios can be categorized in two ways; the one of artificial features, such as artificial fingers, heads and so on, and the one of “dead” or disembodied features, such as cut-off fingers. Live detection is often treated as a subset of fake detection, as in most cases both scenarios can be treated with similar mechanisms. When looking at fake biometric attacks, it should be noted that the potential of success is application-scenario dependent, since attacks are only normally feasible in an unsupervised scenario. Furthermore, there must be a differentiation between attacks – those that demand the cooperation of the legitimate user, and those that do not. In the context of an overall security concept “easy forgeries”, that can be generated without the co-operation of the user (such as the re-vocation of a latent fingerprint or pressed-through signature or the use of an unnoticeably taken print) must be considered more likely than those that demand a high degree of co-operation and cost. The latent problem, however, can be solved, thanks to the statistical nature of biometric algorithms: no consecutive acquired feature set will be the same as a recent one. Anti-latent detection can be implemented by a piece of software, which will check for identical biometric features. Whereas quite elaborate descriptions exist detailing how to generate artificial fingers, with and without the co-operation of the user, it has also been shown through experiments by criminological experts trying to introduce latent prints into a biometric system, that the theoretical procedure of reusing prints in the non-
Biometric Technology Today • March 2003
cooperative user scenario is very limited in practical use, due to the poor resulting image quality. In general it can be concluded that fake detection is also a system issue and thus requires a system solution. It can be implemented by measures in the acquisition hardware, additional hardware, measures in software, or even measures in the integrating application or its API. Biometric systems can and have been made secure in the past – for example 3M once produced a fingerprinting device, that asked the user to use both hands, so that simultaneously the person’s ECG could be measured as a fake detection measure. Security is always a question of cost, usability and the security requirements of the application scenario.
Hillclimbing Impostor Application
Keep / Discard
Score > Threshold Yes / No Figure 1: Biometric hillclimbing attack
A well-known biometric attack is ‘Hillclimbing’. It demands successful ‘Manin-the-Middle’ attacks on two communication channels – for example an active attack on the channel in-between the capturing and the signal processing device, as well as a reading attack on the channel in-between the matching and the decision module. One could also call this attack a focused bruteforce attack at the biometric data level. Essentially, the attacker creates a rogue application that submits a genuine template along with a randomly generated image as input to the biometric system. The score that is returned by the biometric system is noted. The attacker then randomly changes the image and retains only those samples that positively increase the score. In this way, the attacker can iteratively create an image until it produces a score that exceeds the
threshold of the biometric system. The attacker can then use that image as input to the security system to which the original template belongs. Figure 1 demonstrates a hill-climbing attack based on minutiae-based fingerprinting. Any biometric system that offers a ‘score’ at the application user interface is susceptible to this attack. The solution, however, is fairly easy and has already been given as a recommendation in the BioAPI standard. It recommends that decision scores are in a quantized form, where the quantization process itself is dependent on the specific biometric technique.
Evolving security Are biometrics offering ultimate security? The clear answer is “no” – biometrics only offer a person-centered way of identification, to bind the link between devices and services to real people instead of tokens or knowledge. No more and no less. Biometrics must therefore be integrated into the security architecture of the surrounding application. The biometric attacks reported in recent publications have not appeared out of the blue for this young industry. In contrast to the smart card arena, where certification schemes have already been available for some time, in the case of biometrics they are currently evolving. First generation biometric systems were clearly focused on convenience and ease-ofuse on the application side and on biometric performance as well as low cost on the biometric subsystem side. A current potential shift towards high-end security will certainly be reflected in the respective design of biometric components – however, the shift to security may possibly impact on ease of use and cost. Security (including biometric security), is a continuously developing target, and integral security concepts being formulated and standardized by acknowledged certification criteria will accelerate the adoption of secure biometrics for the application scenarios where this is required. Brigitte Wirtz works for Guardeonic Solutions where she is the head of Research and Development. She has been an advisor to the European BioTest project, an active member of the BioAPI and CBEFF consortia and is a member of TeleTrust. She can be contacted at email: [email protected]