Security of Biometric Systems
Content
SECURITY OF BIOMETRIC SYSTEMS
“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers.. organizing your lives, staying in touch with people, being creative.. if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.” Bill Gates (2005) The primary reasons for using biometric recognition are to apprehend criminals, curtail financial fraud, secure national borders, or control access to physical facilities and logical resources. When the biometric system fails to meet these objectives, the security of the system is said to be breached. This breach of security can be in the form of denial-of-service to legitimate users, intrusion by unauthorized users, repudiation claims by authorized users, or misuse of the biometric data for unintended purposes. Security failures can occur either due to intrinsic limitations of the biometric system or due to explicit attacks by adversaries, who may be insiders (e.g., administrators and legitimate users) or external attackers. The objective of this chapter is to outline the common attacks against biometric systems and discuss techniques that can be employed to counter them. In particular, this chapter will focus on two of the most well-known attacks that are specific to biometric systems, namely, spoofing of biometric traits and leakage of biometric data. Liveness detection and biometric template security algorithms that can mitigate the above two threats will be discussed in detail.
7.1 Introduction
A natural question that arises in biometric recognition is which biometric system is “best” suited for a particular application. Of course, the answer to this questio n depends not only on technical merits and limitations of the biometric system (e.g., matching accuracy and throughput), but also on other socio-economic factors like user acceptability and system cost. However, given that all other factors are equal, one would obviously prefer a biometric system that has the least probability of failure. But what exactly constitutes a biometric system failure? Recall that in most applications, the primary purpose of using biometrics is to provide non-repudiable
© Springer Science+Business Media, LLC 201 A.K. Jain et al., Introduction to Biometrics, DOI 10.1007/978-0-387-77326-1_ , 1 7 259
260 7 SECURITY OF BIOMETRIC SYSTEMS
authentication. Authentication implies that (a) only legitimate or authorized users are able to access the physical or logical resources protected by the biometric system and (b) impostors are prevented from accessing the protected facilities or information. Non-repudiation ensures that an individual who accesses a certain resource cannot later deny using it. Thus, the integrity of a biometric system is determined by its ability to guarantee non-repudiable authentication. From the perspective of the users, there are two additional requirements that a biometric system must meet. Firstly, the legitimate users must have timely and reliable access to the protected resource/service. This is referred to as the availability of the biometric system. Secondly, the biometric system and the personal data stored in it must be used only for the intended functionality, which is to control access to a specific resource and not for other unintended purposes. This is known as the confidentiality requirement.When one or more of the above three expectations (integrity, availability, and confidentiality) are not met, the biometric system is deemed to have failed. Failure of a biometric system generally leads to a breach of security in applications or facilities that it is designed to protect. A security threat in a biometric system refers to the possibility of system failure. Depending on the type of failure, these security threats can be classified into four major classes (see Figure 7.1).
• Denial-of-service (DoS): Legitimate users are prevented from obtaining access
to the system or resource that they are entitled to, thereby causing inconvenience to genuine users. This violates the availability requirement. Frequent denial-ofservice is likely to eventually drive the users towards abandoning the biometric system altogether.
• Intrusion: An unauthorized user gains illegitimate access to the system. Since
intrusion affects the basic integrity of a biometric system, it is generally considered the most serious security threat.
• Repudiation: A legitimate user denies using the system after having accessed
it. Corrupt users may deny their actions by claiming that illegitimate users could have intruded the system using their identity. • Function creep: An adversary exploits the biometric system designed to provide access control to a certain resource to serve another application, which the system was never intended to perform. For example, a fingerprint template obtained from a bank’s database may be used to search for that person’s health records in a medical database. This violates the confidentiality requirement. Although the problem of function creep has been posed primarily as a security threat, it is also widely perceived as a major threat to user privacy. Public confidence and acceptance of biometric technology will depend on the ability of system designers to guard against all possible security threats. However, no system is likely to be absolutely secure and foolproof. Given the right circumstances and plenty of time and resources, any security system can be broken. Even though
7.1 Introduction 261
I am Alice Sorry, access denied! I am Alice Welcome Alice! Bob Alice I am Alice Welcome Alice! I never used the system; Bob must have masqueraded as me! Enrollment Enrollment Alice Bob tracks Alice across different systems! I am really Alice! Give me access Alice
Fig. 7.1 Four major classes of security threats in a biometric system. (a) Denial of service, (b) Intrusion, (c) Repudiation, and (d) Function creep. 262 7 SECURITY OF BIOMETRIC SYSTEMS
biometric system designers must strive to plug as many loopholes as possible, the reality is that the level of security ensured is generally based on the requirements of the application. In other words, the level of security in biometric systems used for critical applications like border control can be expected to be much higher than that of a biometric system used for logging in to a personal computer. The first step in analyzing the security of biometric systems is to define a threat model, which identifies the various threat agents and attacks. In general, a threat agent can be defined as a person or a thing that can, or has the power to subvert the intended operation of a system. In the context of biometric systems, there are two kinds of threat agents.
• Intrinsic limitations: Even in the absence of any external attacks, a biometric
system may fail due to its intrinsic limitations. As discussed in Chapter 1, all biometric systems are prone to two types of errors, namely, false match and false non-match. Moreover, a biometric device may also fail to capture or acquire a sample of the biometric identifier presented to it by the user, leading to failure to
enroll and failure to capture errors. Since these errors are caused due to intrinsic limitations of various modules in a biometric system like sensor, feature extractor, and matcher, and not by any deliberate attack, the resultant failure or security breach is known as a zero-effort attack.
• Adversaries: A biometric system may also fail due to manipulation by adversaries,
who could either be insiders or external entities. An insider is an authorized user of a biometric system, which includes both system administrators (super-users) and any other person enrolled in the biometric system. External entities can be classified as impostors and attackers. While the term impostor refers to any individual who intentionally or inadvertently tries to impersonate another enrolled person, an attacker is one who attempts to subvert the operation of a biometric system. An attack refers to the actual mechanism or path that can be used to circumvent a biometric system. A taxonomy of attacks that can be mounted against a biometric system is shown in Figure 7.2. Based on the threat agent used in the attack, the attack mechanisms can be broadly categorized as those caused by intrinsic limitations (zero-effort attacks) and the ones caused by adversaries. The consequences of a zero-effort attack will depend on the application. For instance, in a biometric verification system, a false non-match error will lead to denial-of-service and inconvenience to genuine users. On the other hand, in a negative recognition application such as screening, a false non-match will lead to intrusion and a false match will lead to denial-of-service. Since failure to enroll and failure to capture errors necessitate the operators to fall back on traditional (possibly unreliable) authentication mechanisms like ID cards, the effect of these errors is similar to that of a false non-match. The intrinsic limitations of a biometric system also make it hard to defend against repudiation claims. The probability of success of a zero-effort attack is related to the recognition performance of a biometric system. Various metrics for measuring the recognition
7.1 Introduction 263
Biometric System Failure Intrinsic Failure Adversary Attacks False Match False Non-match Failure to Enroll Failure to Acquire Insider Attacks Infrastructure Attacks Collusion Coercion Negligence Enrollment Fraud Exception Abuse Attacks on Interconnections Attacks on System Modules Attacks on User Interface Attacks on Template Database Impersonation Spoofing Alteration Modification
Exploit Faults Man-in-the middle Replay Hill-climbing Modification Leakage Sabotage Overloading
Fig. 7.2 Taxonomy of attacks that can be mounted against a biometric system.
performance of a biometric system have already been discussed in Chapter 1. These metrics include false match rate (FMR), false non-match rate (FNMR), failure to enrol rate (FTER), failure to capture rate (FTCR), false positive identification rate (FPIR), and false negative identification rate (FNIR). The recognition performances of various biometric systems have also been discussed in detail in chapters 2-6. Since the recognition performance is absolutely critical to public acceptance of a biometric system, there has been a constant push in the research community to de264
7 SECURITY OF BIOMETRIC SYSTEMS
velop new sensors, robust representation, and effective matching schemes to improve the recognition performance of biometric systems. In this chapter, the focus will be on attacks that can be carried out by adversaries. Unlike the case of zero-effort attacks, the probability of success of an adversary attack depends on a number of tangible as well as intangible factors. This includes implementation and operational details of the biometric system, how the biometric system is integrated with the overall application (e.g., how does the biometric authentication interact with other modules in a physical access control application), the resourcefulness of the adversary (e.g., available time and computational power), and the behavior of users interacting with the biometric system. Therefore, it is relatively difficult to predict in advance all the possible ways in which the biometric system can be attacked. Only the commonly encountered attack mechanisms and the various countermeasures that can be applied to protect the biometric system against the resulting security threats are considered in the sections below.
7.2 Adversary Attacks
An adversary who intends to subvert a biometric system can make use of vulnerabilities either in the human element or in the system infrastructure. Accordingly, adversary attacks can be categorized as insider attacks and infrastructure attacks as shown in Figure 7.2. It is important to emphasize that the term
“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers.. organizing your lives, staying in touch with people, being creative.. if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.” Bill Gates (2005) The primary reasons for using biometric recognition are to apprehend criminals, curtail financial fraud, secure national borders, or control access to physical facilities and logical resources. When the biometric system fails to meet these objectives, the security of the system is said to be breached. This breach of security can be in the form of denial-of-service to legitimate users, intrusion by unauthorized users, repudiation claims by authorized users, or misuse of the biometric data for unintended purposes. Security failures can occur either due to intrinsic limitations of the biometric system or due to explicit attacks by adversaries, who may be insiders (e.g., administrators and legitimate users) or external attackers. The objective of this chapter is to outline the common attacks against biometric systems and discuss techniques that can be employed to counter them. In particular, this chapter will focus on two of the most well-known attacks that are specific to biometric systems, namely, spoofing of biometric traits and leakage of biometric data. Liveness detection and biometric template security algorithms that can mitigate the above two threats will be discussed in detail.
7.1 Introduction
A natural question that arises in biometric recognition is which biometric system is “best” suited for a particular application. Of course, the answer to this questio n depends not only on technical merits and limitations of the biometric system (e.g., matching accuracy and throughput), but also on other socio-economic factors like user acceptability and system cost. However, given that all other factors are equal, one would obviously prefer a biometric system that has the least probability of failure. But what exactly constitutes a biometric system failure? Recall that in most applications, the primary purpose of using biometrics is to provide non-repudiable
© Springer Science+Business Media, LLC 201 A.K. Jain et al., Introduction to Biometrics, DOI 10.1007/978-0-387-77326-1_ , 1 7 259
260 7 SECURITY OF BIOMETRIC SYSTEMS
authentication. Authentication implies that (a) only legitimate or authorized users are able to access the physical or logical resources protected by the biometric system and (b) impostors are prevented from accessing the protected facilities or information. Non-repudiation ensures that an individual who accesses a certain resource cannot later deny using it. Thus, the integrity of a biometric system is determined by its ability to guarantee non-repudiable authentication. From the perspective of the users, there are two additional requirements that a biometric system must meet. Firstly, the legitimate users must have timely and reliable access to the protected resource/service. This is referred to as the availability of the biometric system. Secondly, the biometric system and the personal data stored in it must be used only for the intended functionality, which is to control access to a specific resource and not for other unintended purposes. This is known as the confidentiality requirement.When one or more of the above three expectations (integrity, availability, and confidentiality) are not met, the biometric system is deemed to have failed. Failure of a biometric system generally leads to a breach of security in applications or facilities that it is designed to protect. A security threat in a biometric system refers to the possibility of system failure. Depending on the type of failure, these security threats can be classified into four major classes (see Figure 7.1).
• Denial-of-service (DoS): Legitimate users are prevented from obtaining access
to the system or resource that they are entitled to, thereby causing inconvenience to genuine users. This violates the availability requirement. Frequent denial-ofservice is likely to eventually drive the users towards abandoning the biometric system altogether.
• Intrusion: An unauthorized user gains illegitimate access to the system. Since
intrusion affects the basic integrity of a biometric system, it is generally considered the most serious security threat.
• Repudiation: A legitimate user denies using the system after having accessed
it. Corrupt users may deny their actions by claiming that illegitimate users could have intruded the system using their identity. • Function creep: An adversary exploits the biometric system designed to provide access control to a certain resource to serve another application, which the system was never intended to perform. For example, a fingerprint template obtained from a bank’s database may be used to search for that person’s health records in a medical database. This violates the confidentiality requirement. Although the problem of function creep has been posed primarily as a security threat, it is also widely perceived as a major threat to user privacy. Public confidence and acceptance of biometric technology will depend on the ability of system designers to guard against all possible security threats. However, no system is likely to be absolutely secure and foolproof. Given the right circumstances and plenty of time and resources, any security system can be broken. Even though
7.1 Introduction 261
I am Alice Sorry, access denied! I am Alice Welcome Alice! Bob Alice I am Alice Welcome Alice! I never used the system; Bob must have masqueraded as me! Enrollment Enrollment Alice Bob tracks Alice across different systems! I am really Alice! Give me access Alice
Fig. 7.1 Four major classes of security threats in a biometric system. (a) Denial of service, (b) Intrusion, (c) Repudiation, and (d) Function creep. 262 7 SECURITY OF BIOMETRIC SYSTEMS
biometric system designers must strive to plug as many loopholes as possible, the reality is that the level of security ensured is generally based on the requirements of the application. In other words, the level of security in biometric systems used for critical applications like border control can be expected to be much higher than that of a biometric system used for logging in to a personal computer. The first step in analyzing the security of biometric systems is to define a threat model, which identifies the various threat agents and attacks. In general, a threat agent can be defined as a person or a thing that can, or has the power to subvert the intended operation of a system. In the context of biometric systems, there are two kinds of threat agents.
• Intrinsic limitations: Even in the absence of any external attacks, a biometric
system may fail due to its intrinsic limitations. As discussed in Chapter 1, all biometric systems are prone to two types of errors, namely, false match and false non-match. Moreover, a biometric device may also fail to capture or acquire a sample of the biometric identifier presented to it by the user, leading to failure to
enroll and failure to capture errors. Since these errors are caused due to intrinsic limitations of various modules in a biometric system like sensor, feature extractor, and matcher, and not by any deliberate attack, the resultant failure or security breach is known as a zero-effort attack.
• Adversaries: A biometric system may also fail due to manipulation by adversaries,
who could either be insiders or external entities. An insider is an authorized user of a biometric system, which includes both system administrators (super-users) and any other person enrolled in the biometric system. External entities can be classified as impostors and attackers. While the term impostor refers to any individual who intentionally or inadvertently tries to impersonate another enrolled person, an attacker is one who attempts to subvert the operation of a biometric system. An attack refers to the actual mechanism or path that can be used to circumvent a biometric system. A taxonomy of attacks that can be mounted against a biometric system is shown in Figure 7.2. Based on the threat agent used in the attack, the attack mechanisms can be broadly categorized as those caused by intrinsic limitations (zero-effort attacks) and the ones caused by adversaries. The consequences of a zero-effort attack will depend on the application. For instance, in a biometric verification system, a false non-match error will lead to denial-of-service and inconvenience to genuine users. On the other hand, in a negative recognition application such as screening, a false non-match will lead to intrusion and a false match will lead to denial-of-service. Since failure to enroll and failure to capture errors necessitate the operators to fall back on traditional (possibly unreliable) authentication mechanisms like ID cards, the effect of these errors is similar to that of a false non-match. The intrinsic limitations of a biometric system also make it hard to defend against repudiation claims. The probability of success of a zero-effort attack is related to the recognition performance of a biometric system. Various metrics for measuring the recognition
7.1 Introduction 263
Biometric System Failure Intrinsic Failure Adversary Attacks False Match False Non-match Failure to Enroll Failure to Acquire Insider Attacks Infrastructure Attacks Collusion Coercion Negligence Enrollment Fraud Exception Abuse Attacks on Interconnections Attacks on System Modules Attacks on User Interface Attacks on Template Database Impersonation Spoofing Alteration Modification
Exploit Faults Man-in-the middle Replay Hill-climbing Modification Leakage Sabotage Overloading
Fig. 7.2 Taxonomy of attacks that can be mounted against a biometric system.
performance of a biometric system have already been discussed in Chapter 1. These metrics include false match rate (FMR), false non-match rate (FNMR), failure to enrol rate (FTER), failure to capture rate (FTCR), false positive identification rate (FPIR), and false negative identification rate (FNIR). The recognition performances of various biometric systems have also been discussed in detail in chapters 2-6. Since the recognition performance is absolutely critical to public acceptance of a biometric system, there has been a constant push in the research community to de264
7 SECURITY OF BIOMETRIC SYSTEMS
velop new sensors, robust representation, and effective matching schemes to improve the recognition performance of biometric systems. In this chapter, the focus will be on attacks that can be carried out by adversaries. Unlike the case of zero-effort attacks, the probability of success of an adversary attack depends on a number of tangible as well as intangible factors. This includes implementation and operational details of the biometric system, how the biometric system is integrated with the overall application (e.g., how does the biometric authentication interact with other modules in a physical access control application), the resourcefulness of the adversary (e.g., available time and computational power), and the behavior of users interacting with the biometric system. Therefore, it is relatively difficult to predict in advance all the possible ways in which the biometric system can be attacked. Only the commonly encountered attack mechanisms and the various countermeasures that can be applied to protect the biometric system against the resulting security threats are considered in the sections below.
7.2 Adversary Attacks
An adversary who intends to subvert a biometric system can make use of vulnerabilities either in the human element or in the system infrastructure. Accordingly, adversary attacks can be categorized as insider attacks and infrastructure attacks as shown in Figure 7.2. It is important to emphasize that the term
