biometric identification

Biometric identification Bozhidar Bozhanov


Post on 11-Jan-2017


Page 1: Biometric identification

Biometric identification
Bozhidar Bozhanov

Page 2: Biometric identification

● @bozhobg
● http://techblog.bozho.net
● http://blog.bozho.net

Page 3: Biometric identification

Biometrics
● Detecting inherent characteristics
  ○ fingerprints
  ○ iris
  ○ palm veins
  ○ face
  ○ voice
  ○ DNA
● Unique and unchangeable

Page 4: Biometric identification

Usage
● Border inspections
● Access control
  ○ Home door unlocking
● Smartphone unlocking
● Looks cool in movies

Page 5: Biometric identification

Fingerprint
● Binarization, thinning, extraction
● Minutia (pl. minutiae)
  ○ Ridge ending
  ○ Ridge bifurcation
  ○ Fingerprint template
● Other methods
  ○ Feature extraction
● MINEX (template standard)

Page 6: Biometric identification

Fingerprint

[Figure: fingerprint image after binarization and after thinning; source: griaulebiometrics.com]

Page 7: Biometric identification

Storing and comparing
● Original / enhanced image
● Coordinates of the minutiae
● Other features
● Fuzzy hash, locality-sensitive hash
  ○ “Percentage hash”
  ○ Collisions are needed
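Why collisions are needed, shown as an added example that is not from the slides: an exact hash of the minutiae breaks on the slightest rescan jitter, while a grid-quantised signature still yields a match percentage. The grid size, angle bucket, function names and all sample minutiae are assumptions constructed for this sketch; it is a toy scheme, not MINEX or a production matcher.

```javascript
// Added illustration: toy locality-sensitive template, not a real matcher.
const { createHash } = require('node:crypto');

const CELL_PX = 16;   // assumed grid size for x/y quantisation
const ANGLE_DEG = 45; // assumed bucket width for ridge direction

// Exact hash of the raw minutiae list: any 1-pixel change gives a new digest.
function exactHash(minutiae) {
  return createHash('sha256').update(JSON.stringify(minutiae)).digest('hex');
}

// Locality-sensitive signature: each minutia collapses to the grid cell and
// angle bucket it falls in, so nearby readings collide on purpose.
function fuzzySignature(minutiae) {
  return new Set(minutiae.map(([x, y, angle]) =>
    [Math.floor(x / CELL_PX), Math.floor(y / CELL_PX),
     Math.floor((angle % 360) / ANGLE_DEG)].join(':')));
}

// "Percentage hash": share of buckets two signatures have in common (Jaccard).
function matchPercent(sigA, sigB) {
  const shared = [...sigA].filter((t) => sigB.has(t)).length;
  const union = new Set([...sigA, ...sigB]).size;
  return union === 0 ? 0 : Math.round((100 * shared) / union);
}

// Constructed sample data: [x, y, ridge angle in degrees].
const enrolled = [[24, 40, 30], [72, 88, 100], [120, 24, 200],
                  [56, 136, 310], [104, 104, 60], [8, 72, 150]];
// Same finger rescanned: small jitter, one minutia missed, one spurious.
const rescan = [[26, 38, 33], [70, 90, 97], [121, 27, 204],
                [58, 134, 306], [102, 107, 63], [90, 50, 10]];
// A different finger.
const other = [[40, 20, 80], [88, 120, 250], [16, 100, 10],
               [130, 70, 170], [60, 60, 300], [100, 30, 120]];

// Compare the enrolled template against both probes.
function demo() {
  const sig = fuzzySignature(enrolled);
  return {
    exactEqual: exactHash(enrolled) === exactHash(rescan),
    sameFinger: matchPercent(sig, fuzzySignature(rescan)),
    otherFinger: matchPercent(sig, fuzzySignature(other)),
  };
}

console.log(demo());
```

A reading close to a cell border can land in the neighbouring bucket, which is one source of false rejects. The bucket list also still reveals coarse minutia positions, so this toy signature is not a protected template on its own.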

Page 8: Biometric identification

Problems...
● Bad images, dirty scanners, injured skin...

Page 9: Biometric identification

“A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera.” The Register, “Gummi bears defeat fingerprint sensors”

“The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing.” Bruce Schneier

Page 10: Biometric identification

Iris
● Detection of around 200 points
● Same storage methods as fingerprints
● Only patented algorithms

Page 11: Biometric identification

DNA, veins, voice, face...
● Using many in combination
● Expensive scanners (DNA, veins)
  ○ But Kuwait takes DNA from everyone
● Lack of uniqueness and high error rate (voice, face)

Page 12: Biometric identification

Reconstructing
● ...possible
  ○ based on minutiae, points, features
  ○ except if fuzzy / locality-sensitive hash is used
● => storing in centralized databases is dangerous

Page 13: Biometric identification

In-person verification
● Easy faking +
● Automated check =
● Fraud

Page 14: Biometric identification

N-th factor
● Secure identification is
  ○ something you have +
  ○ something you know +
  ○ something you are
● e.g. smartcard with PIN + fingerprint (matched on the card)

Page 15: Biometric identification

Border inspections
● ICAO biometric passports
  ○ Contain images of the face and fingerprints (soon maybe iris) (JPEG2000)
  ○ Integrity - with QES of the issuing authority
● Fingerprints are read without PIN
  ○ ...but by a “trusted” terminal
● And are compared to the person’s fingerprints
● => fake/someone else’s document?

Page 16: Biometric identification

Problems
● Centralized databases with images of fingerprints
● Contactless reading of fingerprints
  ○ 3 versions of the protocol have been demonstrated to have security issues
  ○ Complex scheme for certificate management. Certificates expire in 24 hours.

Page 17: Biometric identification

BSI

Page 18: Biometric identification

● ...but the chip doesn’t have a clock
  ○ 1 leaked terminal certificate
  ○ => all fingerprints in all passports in the world are easy targets
  ○ ...if the central databases don’t leak before that
● experts - “well, I can get your fingerprint from anywhere”
  ○ in high-res?

Page 19: Biometric identification

bioID - No go
● You can’t change your fingerprint/iris/DNA
● Databases leak sooner or later
● Easy to fake (gummi bears!)
● They are used to unlock phones => unlock
  ○ email
  ○ e-banking
  ○ ...everything

Page 20: Biometric identification

Applications
● 2nd factor
● Border inspections with match-on-card verification
● Future?

Page 21: Biometric identification

“Free flight of the thought”
● Let’s imagine...
  ○ Cheap and exact biometric readers
● Then…
  ○ ID = hash(fingerprint) + hash(iris) + hash(DNA) + hash(password)

Page 22: Biometric identification

● I am 66a1aa2b4add3d8775751b81adb86e476d0a735188c2e8582be0920b2a3e55ea
● I can prove it
  ○ scanner + app
● Distributed global electronic identity
  ○ something I am + something I know

Page 23: Biometric identification

Fraud?
● How do we guarantee that the hash is a result of our biometrics?
● biometrics+password -> KDF -> private key (ephemeral)
  ○ KDF (key derivation function)
  ○ Sign challenge with the private key
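The challenge-response flow from this slide, as an added example that is not from the talk: the key pair is re-derived from biometrics and password each time, and the verifier only ever sees a public key, an ID and a signature. Assumptions of this sketch: the reader returns a bit-for-bit stable template (the "exact readers" premise), scrypt is the KDF, Ed25519 is the signature scheme, the ID is the SHA-256 of the public key, and a context string used as salt gives per-context aliases; all names and sample values are constructed.

```javascript
// Added illustration of "biometrics + password -> KDF -> private key".
const nodeCrypto = require('node:crypto');

// Fixed PKCS#8 DER header for an Ed25519 private key; the 32-byte seed follows.
const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Re-derive the key pair on demand; nothing secret is stored anywhere.
// `template` is assumed to be a bit-for-bit stable reading from an exact reader.
function deriveKeyPair(template, password, context) {
  const bio = nodeCrypto.createHash('sha256').update(template).digest();
  const secret = Buffer.concat([bio, Buffer.from(password, 'utf8')]);
  const salt = nodeCrypto.createHash('sha256').update(context).digest();
  const seed = nodeCrypto.scryptSync(secret, salt, 32); // memory-hard KDF
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]), format: 'der', type: 'pkcs8',
  });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Public identifier: SHA-256 of the public key (an assumption of this sketch).
function identityOf(publicKey) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(spki).digest('hex');
}

// Prover side: sign the verifier's fresh challenge.
function signChallenge(privateKey, challenge) {
  return nodeCrypto.sign(null, challenge, privateKey);
}

// Verifier side: check the signature and that the key matches the claimed ID.
function verifyClaim(claimedId, publicKey, challenge, signature) {
  return identityOf(publicKey) === claimedId &&
    nodeCrypto.verify(null, challenge, publicKey, signature);
}

// Constructed inputs standing in for a scanner reading and a user password.
const template = Buffer.from('constructed-stable-fingerprint-template');
const alice = deriveKeyPair(template, 'correct horse', 'ride-sharing');
const aliceId = identityOf(alice.publicKey);

const challenge = nodeCrypto.randomBytes(32); // fresh per login, prevents replay
const sig = signChallenge(alice.privateKey, challenge);
console.log(aliceId, verifyClaim(aliceId, alice.publicKey, challenge, sig));
```

With a real, noisy sensor the template bytes differ between scans and the derived key changes completely, so this construction only holds under the exact-reader assumption stated above.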

Page 24: Biometric identification

Anonymity
● Hashes don’t have names
● Guarantees identity
● Aliases for different contexts (multiple passwords?)
● Example: distributed ride-sharing with distributed reputation system on top of a global anonymous identity

Page 25: Biometric identification

Conclusion
● Only biometrics - no
● Biometrics in clear form - no
● Biometrics in databases - no
● 2nd factor, match-on-card - okay
● Future applications

Page 26: Biometric identification

Thank you

Page 27: Biometric identification

Resources

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

http://www.griaulebiometrics.com/en-us/book/understanding-biometrics/types/feature-extraction/minutiae

http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=12

https://en.wikipedia.org/wiki/Key_derivation_function

http://techblog.bozho.net/electronic-machine-readable-travel-documents/

http://techblog.bozho.net/identity-in-the-digital-world/

http://europe.newsweek.com/kuwait-becomes-first-country-world-collect-dna-samples-all-citizens-and-449830?rm=eu