Biometrics encompasses an expanding set of different computer-based methods designed for the instant recognition of people (and even living beings) based on unique physical or behavioral characteristics; multibiometrics uses multiple characteristics to authenticate/identify an individual.
Biometric technology involves collecting digital representations of an individual's unique physiological or behavioral characteristics using sensor-type devices. The tasks of biometric technologies are: (1) Identification. The person's biometric information is captured and matched with previously stored information. This allows answers to questions such as "Who are you?" and "Are you one of the people we are looking for?" It allows for one-to-many (millions) or one-to-few (fewer than 500) matches. (2) Authentication-Verification. This prompts a person to identify themselves, for example, by inserting a smart card or entering a username. The captured biometric information allows verification of their identity. It allows for one-to-one matches. Identification is more difficult than verification because an identification system must perform a large number of comparisons. As the database size increases, the system's accuracy decreases, and computation time increases. There is a growing number of types of biometrics, for example: facial recognition, retina or iris scanning, fingerprint, FVP (Finger Vein Patterns), nail line pattern recognition, hand geometry recognition, voice recognition, handwriting verification on a digitizing tablet or with a special pen, typing dynamics recognition via a keyboard, instant DNA (Deoxyribonucleic Acid) testing, palm recognition, EEG, brain wave scanning (alpha, beta, gamma), lip pattern recognition, facial thermogram, ear recognition, body odor recognition, vein pattern recognition on the outer part of the hands, etc.
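The difference between one-to-one verification and one-to-many identification, and the loss of accuracy as the database grows, shown as an added example that is not part of the original article. It assumes 256-bit binary templates compared by normalized Hamming distance with a fixed threshold; the template format, threshold and function names are all illustrative.

```python
import math
import random

BITS = 256        # template length in bits (assumed)
THRESHOLD = 0.40  # match if normalized Hamming distance is below this (assumed)

def distance(a: int, b: int) -> float:
    """Fraction of bits in which two templates differ."""
    return bin(a ^ b).count("1") / BITS

def verify(probe: int, claimed_template: int) -> bool:
    """1:1 verification: one comparison against the claimed identity's template."""
    return distance(probe, claimed_template) < THRESHOLD

def identify(probe: int, gallery: dict):
    """1:N identification: compare with every enrolled template, keep the closest."""
    best_id = min(gallery, key=lambda uid: distance(probe, gallery[uid]))
    return best_id if distance(probe, gallery[best_id]) < THRESHOLD else None

def single_fmr() -> float:
    """Exact chance that two unrelated random templates fall under THRESHOLD."""
    limit = math.ceil(THRESHOLD * BITS) - 1  # largest differing-bit count still accepted
    return sum(math.comb(BITS, k) for k in range(limit + 1)) / 2 ** BITS

def expected_false_id_rate(n: int) -> float:
    """An unenrolled person is wrongly identified if any of the n comparisons matches."""
    return 1 - (1 - single_fmr()) ** n

def measured_false_id_rate(n: int, trials: int, seed: int = 1) -> float:
    """Simulate unenrolled probes against a gallery of n constructed random templates."""
    rng = random.Random(seed)
    gallery = {uid: rng.getrandbits(BITS) for uid in range(n)}
    hits = sum(identify(rng.getrandbits(BITS), gallery) is not None
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for n in (1, 10, 100, 1000):
        print(n, round(expected_false_id_rate(n), 4), measured_false_id_rate(n, 200))
```

With the same threshold, a single comparison almost never accepts a stranger, while a search over a large gallery does so often; an identification system therefore needs a stricter threshold or a more distinctive biometric than a verification system.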
Some applications of biometrics include: (1) Identification: Searching for and apprehending criminals, suspects, and terrorists; visitor identification; shopper identification; and security in shopping malls. (2) Authentication: Physical access control to facilities; ATM applications; national identity cards (ID cards, passports); online verification for e-commerce and remote work; network access control for PCs, PDAs, and mobile phones; border control systems; hourly attendance tracking; unemployment benefit payment systems; and more. Biometrics must be analyzed from a privacy perspective: (1) It can act as a Big Brother system. (2) It can invade privacy. (3) It can enable excessive surveillance. (4) Biometric data can be stolen. (5) There is a lack of effective privacy legislation regarding biometrics.
Attacks, Vulnerabilities, and Threats in Biometric Systems
A careful analysis of biometric systems allows the identification of, among others, the following attacks and vulnerabilities: (1) Presentation attacks (spoofing). A physically altered or replaced biometric sample is presented to the sensor. (2) Biometric processing attacks. Knowledge of the biometric algorithm is used to cause incorrect processing and decisions. (3) Software and network vulnerabilities. These are based on attacks against the computer and networks on which the biometric system operates. (4) Social attacks. Authorities using the system are deceived. (5) Vulnerabilities based on bypassing or circumventing the system. (6) Vulnerabilities based on covert acquisition. (7) Vulnerabilities based on collusion/coercion. (8) Vulnerabilities based on Denial of Service (DoS) attacks. Some security issues surrounding biometric systems are the following: (i) Biometric data is not secret. (ii) Biometric data cannot be revoked. (iii) Biometric data may have secondary uses.
Security issues and possible countermeasures
For any biometric system, it is necessary to ask whether it is possible to: (1) Determine if the sample presented to the sensor is alive and real. This requires implementing effective methods to detect the sample's liveness at the sensor and applying effective anti-spoofing techniques. (2) Determine if the sample is presented correctly. This requires being able to identify the sample under different positional and rotational variations. (3) Determine if the sensor's image quality is sufficient for good image capture. This requires implementing software methods to determine if the sample is of sufficient quality and corresponds to the expected input. (4) Determine if there is any type of template integrity assurance. This requires implementing techniques to ensure the templates are secure.
Some countermeasures against potential security issues that may arise in a biometric system are: (1) For quality control, use software that is aware of the varying quality of the biometric sample and of the expected input. (2) Effective data/template protection: verify the integrity and cryptographic protection of user records and templates. (3) To prevent spoofing, verify the biometric sample's liveness at the sensor and use anti-spoofing techniques. (4) To protect transmitted data: verify the integrity and cryptographic protection of data circulating between modules of the biometric system, and use device authentication, synchronization, timestamps, and unique session keys to prevent session theft.
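Countermeasure (4) sketched as an added example, not code from the original article: a sensor module sends a sample to a matcher module under a per-session key, with a sequence number and timestamp covered by an HMAC. The message layout, key-derivation label, `MAX_SKEW` policy and all names are assumptions; the sketch covers integrity and authentication only, and confidentiality would additionally require encrypting the sample.

```python
import hashlib
import hmac
import struct
import time

MAX_SKEW = 5  # seconds a message stays acceptable (assumed policy)

def session_key(device_key: bytes, session_nonce: bytes) -> bytes:
    """Derive a unique key per session from the device's long-term secret."""
    return hmac.new(device_key, b"session" + session_nonce, hashlib.sha256).digest()

def seal(key: bytes, seq: int, sample: bytes, now=None) -> bytes:
    """Sensor side: 8-byte sequence number, 8-byte timestamp, sample, 32-byte MAC."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(">QQ", seq, ts) + sample
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Matcher:
    """Matcher side: accepts a message once, only if authentic, fresh and in order."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: bytes, now=None) -> bytes:
        now = time.time() if now is None else now
        if len(msg) < 48:
            raise ValueError("truncated")
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad MAC")
        seq, ts = struct.unpack(">QQ", body[:16])
        if abs(now - ts) > MAX_SKEW:       # timestamp outside the allowed window
            raise ValueError("stale")
        if seq <= self.last_seq:           # same or older message seen again
            raise ValueError("replay")
        self.last_seq = seq
        return body[16:]
```

Only a device holding the long-term secret can derive the session key, so a valid MAC also authenticates the sensor; a captured message fails in a later session because that session's key differs.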
Biometric operations. UUPC criteria
The main biometric operations are: (1) Capturing the chosen biometric(s) using sensors (optical, capacitive, thermal, ultrasonic, electromagnetic, X-ray, etc.). (2) Processing the biometric sample, extracting and enrolling the biometric template. (3) Storing the template in a local or central repository, or on a portable token such as a smart card. (4) Live scanning the chosen biometric sample. (5) Processing the biometric sample and extracting the biometric template. (6) Comparing the scanned sample with the stored template. (7) Providing a match score for established applications. (8) Maintaining a secure audit trail regarding system usage. The UUPC criteria (Universality, Uniqueness, Permanence, Collectability) allow for evaluating the feasibility of a biometric characteristic for use in biometrics: (i) Universality. Every person possesses this characteristic. (ii) Uniqueness. No two individuals have the same biometric characteristic. Identical twins will have the same genotype biometric characteristics but different phenotype characteristics. (iii) Permanence. The characteristic should not change much over time. (iv) Collectability. It should be measurable quantitatively, non-invasive (e.g., placing the eye near a laser beam), reliable, robust, and cost-effective. Other practical considerations include: performance, user acceptance, resistance to circumvention, accuracy, speed, cost, and ease of use.
Final considerations
Our research group has been working on the evaluation of the security of biometric systems for more than fifteen years with results in line with risk analysis and the design-synthesis and implementation of countermeasures to make the biometric system more secure.
This article is part of the activities developed within the LEFIS-APTICE project (funded by Socrates. European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín – Professor at the Faculty of Engineering, ESIDE. Director of the Networks and Systems Research Group, University of Deusto.


