Attacking a biometric server
SECURE
COMPUTING
The Biometric Dilemma
Dr. Mohammad Iqbal
Based on presentation of Rick Smith, Ph.D., CISSP
rick_smith@securecomputing.com
28 October 2001
R. Smith - Biometric Dilemma
Outline
• Biometrics: Why, How, How Strong
– Attacks, FAR, FRR, Resisting trial-and-error
• Server-based Biometrics
• Attacking a biometric server
– Digital spoofing, privacy intrusion, latent print reactivation
• Token-based Biometrics
• Physical spoofing
– Voluntary and involuntary spoofing
• Summary
Biometrics: Why?
• Eliminate memorization –
– Users don’t have to memorize features of their voice, face,
eyes, or fingerprints
• Eliminate misplaced tokens –
– Users won’t forget to bring fingerprints to work
• Can’t be delegated –
– Users can’t lend fingers or faces to someone else
• Often unique –
– Save money and maintain database integrity by eliminating
duplicate enrollments
The Dilemma
They always look stronger and easier to use
than they are in practice
• Enrollment is difficult
– Easy enrollment = unreliable authentication
– Measures to prevent digital spoofing make even more work for
administrators, almost a “double enrollment” process
• Physical spoofing is easier than we’d like
– Recent examples with fingerprint scanners, face scanners
Biometrics: How?
From Authentication © 2002. Used by permission
Measure a physical trait
• The user’s fingerprint,
hand, eye, face
Measure user behavior
• The user’s voice, written
signature, or keystrokes
Biometrics: How Strong?
Three types of attacks
• Trial-and-error attack
– Classic way of measuring biometric strength
• Digital spoofing
– Transmit a digital pattern that mimics that of a legitimate
user’s biometric signature
– Similar to password sniffing and replay
– Biometrics can’t prevent such attacks by themselves
• Physical spoofing
– Present a biometric sensor with an image that mimics the
appearance of a legitimate user
Biometric Trial-and-Error
How many trials are needed to achieve a 50-50
chance of producing a matching reading?
• Typical objective: 1 in 1,000,000 (2^19)
• Some systems achieve this, but most aren’t
that accurate in practical settings
• Team-based attack
– A group of individuals take turns pretending to be a legitimate
user (5 people X 10 finger = 50 fingers)
Passwords: A Baseline
Example | Type of Attack | Average Attack Space
Random 8-character Unix password | Interactive or Off-Line | 2^45
Dictionary Attack | Interactive or Off-Line | 2^15 to 2^23
Mouse Pad Search | Interactive | 2^1 to 2^4
Worst Case | | 2^1
Biometric Authentication
• Compares user’s signature to previously
established pattern built from that trait
• “Biometric pattern” file instead of password file
• Matching is always approximate, never exact
From Authentication © 2002. Used by permission
Pattern Matching
From Authentication © 2002. Used by permission
We compare how closely a signature matches
one user’s pattern versus another’s pattern
Matching Self vs. Others
From Authentication © 2002. Used by permission
Matching in Practice
From Authentication © 2002. Used by permission
FAR = recognized Bob instead; FRR = doesn’t recognize me
Measurement Trade-Offs
We must balance the FAR and the FRR
• Lower FAR = Fewer successful attacks
– Less tolerant of close matches by attackers
– Also less tolerant of authentic matches
– Therefore – increases the FRR
• Lower FRR = Easier to use
– Recognizes a legitimate user the first time
– More tolerant of poor matches
– Also more tolerant of matches by attackers
– Therefore – increases the FAR
Equal error rate = point where FAR = FRR
Trial and Error in Practice
Example | Type of Attack | Average Attack Space
Biometric with 1% FAR | Team | 2^6
Biometric with 0.01% FAR | Team | 2^12
Biometric with “One in a million” | Team | 2^19
• Higher security means more mistakes
– When we reduce the FAR, we increase the FRR
– More picky about signatures from legitimate users, too
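The FAR/FRR trade-off and the attack-space figures above, worked through in Python. This is an added example, not part of the original slides: the match scores are constructed sample data, the function names are hypothetical, and the average attack space is assumed to be half the search space, 1/(2 x FAR), which reproduces the 2^6, 2^12 and 2^19 in the table.

```python
import math

# Constructed match scores (0-100, higher = closer match); not real sensor data.
GENUINE = [62, 70, 74, 78, 81, 83, 85, 88, 90, 93]   # owner's readings vs. own pattern
IMPOSTOR = [20, 28, 33, 38, 42, 47, 51, 55, 64, 72]  # other people's readings vs. that pattern


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a reading is accepted if its score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds; return (threshold, FAR, FRR) at the first point where
    the gap between FAR and FRR is smallest (the equal error rate)."""
    best = None
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def average_attack_trials(far):
    """Assumed model: on average half of the 1/FAR search space must be tried."""
    if far <= 0:
        # Zero false accepts in a small sample does not mean the FAR is zero.
        raise ValueError("FAR must be positive to estimate an attack space")
    return round(1 / (2 * far))


def attack_space_bits(far):
    """Average attack space expressed as the nearest power of two."""
    return round(math.log2(average_attack_trials(far)))


def team_passes(far, fingers=50):
    """Rounds a team needs if each round presents `fingers` different fingers
    (the slide's 5 people x 10 fingers)."""
    return math.ceil(average_attack_trials(far) / fingers)


def tradeoff_rows(thresholds):
    """(threshold, FAR, FRR, bits) per threshold; bits is None when the sample
    shows no false accepts and the attack space cannot be estimated from it."""
    rows = []
    for t in thresholds:
        far, frr = far_frr(t)
        bits = attack_space_bits(far) if far > 0 else None
        rows.append((t, far, frr, bits))
    return rows


if __name__ == "__main__":
    print("equal error point:", equal_error_threshold())
    for row in tradeoff_rows([50, 60, 65, 70, 80]):
        print("threshold=%d FAR=%.1f FRR=%.1f bits=%s" % row)
    for far in (0.01, 0.0001, 0.000001):
        print(far, "-> 2^%d," % attack_space_bits(far), team_passes(far), "team passes")
```

Raising the threshold from 65 to 80 drives the sample FAR to zero while the FRR climbs from 0.1 to 0.4, which is the "higher security means more mistakes" point in numbers.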
Biometric Enrollment
• How it works
– User provides one or more biometric readings
– The system converts each reading into a signature
– The system constructs the pattern from those signatures
• Problems with biometric enrollment
– It’s hard to reliably “pre-enroll” users
– Users must provide biometric readings interactively
• Accuracy is time consuming
– Take trial readings, build tentative patterns, try them out
– Take more readings to refine patterns
– Higher accuracy requires more trial readings
Compare with Password or
Token Enrollment
• Modern systems allow users to self-enroll
– User enters some personal authentication information
– Establish a user name
– Establish a password: system generated or user chosen
– Establish a token: enter its serial number
• Password enrollment is comparatively simple
• Tokens require a database associating serial
numbers with individual authentication tokens
– Database is generated by token’s manufacturer
– Enrollment system uses it to establish user account
– Token’s PIN is managed by the end user
Biometric Privacy
• The biometric pattern acts like a password
But biometrics are not secrets
• Each user leaves artifacts of her voice,
fingerprints, and appearance wherever she
goes
• Users can’t change biometrics if someone
makes a copy
• We can trace people by following their
biometrics as they’re saved in databases
Server-based biometrics
• Boring but important
• Some biometric systems require servers
– When you need a central repository
– Identification systems (FBI’s AFIS)
– Uniqueness systems (community social service orgs)
From Authentication © 2002. Used by permission
Attacking Server Biometrics
From Authentication © 2002. Used by permission
Attacks on Server Traffic
• Attack on privacy of a user’s biometrics
– Defense = encryption while traversing the network
• Attack by spoofing a digital biometric reading
– Defense = authenticating legitimate biometric readers
Both solutions rely on trusted biometric readers
From Authentication © 2002. Used by permission
Trusted Biometric Reader
• Blocks either type of attack on server traffic
• Security objective – reliable data collection
• Must embed a cryptographic secret in every
trusted reader
– Increased development cost
– Increased administrative cost – administrators must keep the
reader’s keys safe and up-to-date
• Must enroll both users and trusted readers
– “Double enrollment”
– Database of device keys from biometric vendor
– One device per workstation is often like one per user
– Standard tokens are traditionally lower-cost devices
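One way a server can authenticate readings from enrolled readers, as an added example that is not part of the original slides. The class names, message fields and the use of a server nonce with HMAC-SHA256 are assumptions chosen for illustration; encryption of the reading for privacy is left out, and the reading bytes are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def transcript(nonce: bytes, reader_id: str, reading: bytes) -> bytes:
    """Length-prefix every field so bytes cannot slide between fields."""
    parts = (nonce, reader_id.encode(), reading)
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


class Reader:
    """Trusted reader holding an embedded device key (hypothetical model)."""

    def __init__(self, reader_id: str, device_key: bytes):
        self.reader_id = reader_id
        self._key = device_key

    def submit(self, nonce: bytes, reading: bytes) -> dict:
        # Bind the reading to this reader and to the server's fresh challenge.
        tag = hmac.new(self._key, transcript(nonce, self.reader_id, reading),
                       hashlib.sha256).digest()
        return {"reader_id": self.reader_id, "nonce": nonce,
                "reading": reading, "tag": tag}


class Server:
    def __init__(self):
        self._device_keys = {}     # reader enrollment: the device-key database
        self._open_nonces = set()  # challenges issued and not yet used

    def enroll_reader(self, reader_id: str, device_key: bytes) -> None:
        self._device_keys[reader_id] = device_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def accept_reading(self, msg: dict) -> str:
        key = self._device_keys.get(msg["reader_id"])
        if key is None:
            return "reject: unknown reader"
        if msg["nonce"] not in self._open_nonces:
            return "reject: stale or replayed nonce"
        self._open_nonces.discard(msg["nonce"])  # single use, even if the MAC fails
        expected = hmac.new(
            key, transcript(msg["nonce"], msg["reader_id"], msg["reading"]),
            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad MAC"
        return "ok"  # only now is the reading handed to the biometric matcher


def demo() -> dict:
    """Run one genuine submission and four rejected ones; return the verdicts."""
    server = Server()
    key = secrets.token_bytes(32)
    server.enroll_reader("reader-01", key)
    reader = Reader("reader-01", key)
    reading = b"constructed-signature-bytes"  # placeholder, not real biometric data
    results = {}

    msg = reader.submit(server.challenge(), reading)
    results["genuine"] = server.accept_reading(msg)
    results["replayed message"] = server.accept_reading(msg)
    # A captured reading and tag re-sent under a fresh challenge.
    results["old tag, fresh nonce"] = server.accept_reading(
        dict(msg, nonce=server.challenge()))
    altered = reader.submit(server.challenge(), reading)
    altered["reading"] = b"constructed-other-bytes"
    results["altered in transit"] = server.accept_reading(altered)
    rogue = Reader("reader-99", secrets.token_bytes(32))  # never enrolled
    results["unenrolled reader"] = server.accept_reading(
        rogue.submit(server.challenge(), reading))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```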
Another Server Attack
• Experiments in the US and Germany
• Willis and Lee of Network Computing Labs, 1998
– Reported in “Six Biometric Devices Point The Finger At Security” in
Network Computing, 1 June 1998
• Thalheim, Krissler, and Ziegler, 2002
– Reported in “Body Check,” C’T (Germany)
– http://www.heise.de/ct/english/02/11/114/
• Attack on “capacitive” fingerprint sensors
• Attack exploits the fatty oils left over from the last
user logon
– Measures change in capacitance due to presence or absence of
material with skin-like response
– 65Kb sensor collects ~20 minutiae from fingerprint
– Traditional techniques use 10-12 for identification
Latent Finger Reactivation
• Three techniques
– Oil vs. non-oil regions return difference as humidity increases
1. Breathe on the sensor (Thalheim, et al)
– You can watch the print reappear as a biometric image
– Works occasionally
2. Use a thin-walled plastic bag of warm water
• More effective, but not 100%
– Works occasionally even when system is set to maximum sensitivity
3. Dust with graphite (Willis et al; Thalheim et al)
• Attach clear tape to the dust
– Press down on the sensor
– Most reliable technique – almost 100% success rate (Thalheim)
This Shouldn’t Work
• According to Siemens – vendor of the
“ID Mouse” used in those examples –
– Authentication procedure remembers the last fingerprint used
– System rejects a match that’s “too close” to the last reading
as well as a match that’s “too far” from the pattern
• Observations
1. Defense didn’t work in these experiments
2. Tape can be repositioned to create a ‘different’ reading
3. Hard to track through multiple biometric readers
– Assume the user logs in at multiple locations over time
– Then the latent image on some reader is not the most
recent one accepted for login
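The "too close / too far" check and the multiple-reader problem in observation 3, modelled in Python. This is an added example, not Siemens' or the presenter's code: signatures are constructed four-number vectors, the two distance limits and the class name are assumptions, and the only change between the two runs is how many accepted readings the matcher remembers.

```python
import math

TOO_FAR = 10.0   # assumed limit: farther than this from the pattern is no match
TOO_CLOSE = 1.0  # assumed limit: nearer than this to a remembered reading is a replay


class Matcher:
    """Accepts a reading that is near the enrolled pattern but not a
    near-duplicate of any reading it still remembers."""

    def __init__(self, pattern, history_size=1):
        if history_size < 1:
            raise ValueError("history_size must be at least 1")
        self.pattern = pattern
        self.history_size = history_size
        self.history = []  # accepted readings, newest last

    def check(self, reading):
        if math.dist(reading, self.pattern) > TOO_FAR:
            return "reject: too far from pattern"
        if any(math.dist(reading, old) < TOO_CLOSE for old in self.history):
            return "reject: too close to a remembered reading"
        self.history.append(reading)
        del self.history[:-self.history_size]  # keep only the newest entries
        return "accept"


# Constructed signatures for one enrolled user (not real minutiae data).
PATTERN = (50.0, 50.0, 50.0, 50.0)
LOGIN_AT_READER_A = (52.0, 47.0, 51.0, 49.0)
LOGIN_AT_READER_B = (47.0, 53.0, 48.0, 52.0)
# What reader A's sensor would produce again from the residue of the first login.
LATENT_ON_READER_A = (52.2, 47.1, 50.9, 49.0)
LATER_GENUINE_LOGIN = (49.0, 51.0, 53.0, 48.0)
UNRELATED_FINGER = (10.0, 90.0, 30.0, 70.0)

SEQUENCE = [
    LOGIN_AT_READER_A,
    LOGIN_AT_READER_B,
    LATENT_ON_READER_A,
    LATER_GENUINE_LOGIN,
    UNRELATED_FINGER,
]


def run_scenario(history_size):
    """Feed the login sequence to one server-side matcher and return its verdicts."""
    matcher = Matcher(PATTERN, history_size)
    return [matcher.check(reading) for reading in SEQUENCE]


if __name__ == "__main__":
    print("remember last reading only:", run_scenario(1))
    print("remember last 8 readings:  ", run_scenario(8))
```

A longer history closes the multiple-reader gap only; a reading that differs enough from every stored one, as in observation 2, still passes this check.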
What about “Active”
Biometric Authentication?
• Some (Dorothy Denning) suggest the use of biometrics
in which the pattern incorporates “dynamic”
information uniquely associated with the user
• Possible techniques
– Require any sort of non-static input that matches the built-in pattern
• Moving the finger around on the fingerprint reader
– Challenge response that demands an unpredictable reply
• Voice recognition that demands reciting an unpredictable phrase
• Both are vulnerable to a dynamic digital attack based
on a copy of the user’s biometric pattern
• Ease of use issue
– Requires more complex user behavior, which makes it harder to use
and less reliable
Attacking Active Biometrics
A feasible dynamic attack uses the system’s algorithms
to generate an acceptable signature
• Example
– Attacker collects enough biometric samples from the victim to build a
plausible copy of victim’s biometric pattern
– During login, attacker is prompted for a spoken phrase from the victim
– Attack software generates a digital message based on the user’s
biometric pattern
• There may be a sequence of timed messages or a single message
– it doesn’t matter
If the server can predict what the answer should be,
based on a static biometric pattern, so can the attacker
Token-Based Biometrics
From Authentication © 2002. Used by permission
Authenticate with biometric + embedded secret
Token Technology
From Authentication © 2002. Used by permission
• Resist copying and other attacks by storing the
authentication secret in a tamper-resistant package.
Tokens Resist
Trial-and-Error Attacks
Example | Type of Attack | Average Attack Space
Reusable Passwords | Interactive or Off-Line | 2^1 to 2^45
Biometrics | Team | 2^6 to 2^19
One-Time Password Tokens | Interactive or Off-Line | 2^19 to 2^63
Public Key Tokens | Off-Line | 2^63 to 2^116
These numbers assume that the attacker
has not managed to steal a token
Biometric Token Operation
• The “real” authentication is based on a secret
embedded in the token
• The biometric reading simply “unlocks” that
secret
• Benefits
– User retains control of own biometric pattern
– Biometric signatures don’t traverse networks
• Problems
– Biometric Tokens cost more
– Less space and cost for the biometric reader
The biometric serves as a PIN
Attacks on Biometric Tokens
• If you can trick the reader, you can probably
trick the token
• Digital spoofing shouldn’t work
– We’ve eliminated the vulnerable data path
• Latent print reactivation (remember?)
– Tokens should be able to detect and reject such attacks
• Attacks by cloning the biometric artifact
– Voluntary cloning (the authorized user is an accomplice)
– Involuntary cloning (the authorized user is unaware)
Voluntary finger cloning
1. Select the casting material
– Option: softened, free molding plastic (used by Matsumoto)
– Option: part of a large, soft wax candle (used by Willis; Thalheim)
2. Push the fingertip into the soft material
3. Let material harden
4. Select the finger cloning material
• Option: gelatin (“gummy fingers” used by Matsumoto)
• Option: silicone (used by Willis; Thalheim)
5. Pour a layer of cloning material into the mold
6. Let the clone harden
You’re Done!
Matsumoto’s Technique
• Only a few dollars’ worth of materials
Making the Actual Clone
You can place the “gummy finger” over your real finger.
Observers aren’t likely to detect it when you use it on a
fingerprint reader. (Matsumoto)
Involuntary Cloning
• The stuff of Hollywood – three examples
– Sneakers (1992) “My voice is my password”
– Never Say Never Again (1983) cloned retina
– Charlie’s Angels (2000)
• Fingerprints from beer bottles
• Eye scan from oom-pah laser
• You clone the biometric without victim’s
knowledge or intentional assistance
• Bad news: it works!
Cloned Face
• More work by Thalheim, Krissler, and Ziegler
• Reported in “Body Check,” C’T (Germany)
http://www.heise.de/ct/english/02/11/114/
• Show the camera a photograph or video clip
instead of the real face
– Video clip required to defeat “dynamic” biometric checks
• Photo was taken without the victim’s
assistance (video possible, too)
• Face recognition was fooled
– Cognitec's FaceVACS-Logon using the recommended Philips's
ToUcam PCVC 740K camera
Matsumoto’s 2nd Technique
Cloning a fingerprint from a latent print
1. Capture clean, complete fingerprint on a glass, CD,
or other smooth, clean surface
2. Pick it up using tape and graphite
3. Scan it into a computer at high resolution
4. Enhance the fingerprint image
5. Etch it onto printed circuit board (PCB) material
6. Use the PCB as a mold for a “gummy finger”
Making a Gummy Finger
from a Latent Print
From Matsumoto, ITU-T Workshop
The Latent Print Dilemma
• Tokens tend to be smooth objects of metal or
plastic – materials that hold latent prints well
• Can an attacker steal a token, lift the owner’s
latent prints from it, and construct a working
clone of the owner’s fingerprint?
• Worse, can an attacker reactivate a latent
image of the biometric from the sensor itself?
• Answer: in some cases, YES.
Finger Cloning Effectiveness
• Willis and Lee could trick 4 of 6 sensors tested
in 1998 with cloned fingers
• Thalheim et al could trick both “capacitive” and
“optical” sensors with cloned fingers
– Products from Siemens, Cherry, Eutron, Veridicom
– Latent image reactivation only worked on capacitive sensors,
not on optical ones
• Matsumoto tested 11 capacitive and optical
sensors
– Cloned fingers tricked all of them
– Compaq, Mitsubishi, NEC, Omron, Sony, Fujitsu, Siemens,
Secugen, Ethentica
Summary
• Traditional FAR and FRR statistics don’t tell the
whole story about biometric vulnerabilities
• Networked biometrics require trusted readers
that pose extra administrative headaches
• We can build physical clones of biometric
features that spoof biometric readers
– Matsumoto needed $10 worth of materials and 40 minutes to
reliably clone a fingerprint
• We can often build clones without the
legitimate user’s intentional participation
Thank You!
Questions? Comments?
My e-mail:
Rick_Smith@securecomputing.com
http://www.visi.com/crypto
http://www.securecomputing.com