
BIOMETRICS

Presentation to 2008 AFCEA PD Workshop

CAL CLUPP BSC CISSP
Director, Risk Management Consulting
Bell Canada
(613) 597-2336 597cal.clupp@bell.ca
Source: http://www.banking.com/aba/january.htm

OUTLINE

DEFINITION
BRIEF HISTORY
APPLICATIONS
HOW BIOMETRIC DEVICES WORK
TYPES OF DEVICES
BIOMETRICS TESTING
EXAMPLE APPLICATIONS
AREAS OF IMPLEMENTATIONS

03 June 2008

Bell Restricted

DEFINITION
Biometrics - (Classical Definition)
  Identification of living things based on physiological and/or behavioral characteristics
Biometrics - (ISO Definition)
  A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an enrollee.
Biometric System (ISO Definition)
  An automated system capable of:
    capturing a biometric sample from an end user;
    extracting biometric data from that sample;
    comparing the biometric data with that contained in one or more reference templates;
    deciding how well they match; and
    indicating whether or not an identification or verification of identity has been achieved.


HISTORY OF BIOMETRICS
Used since man first walked upright
  We all use facial recognition on a daily basis
  We use voice recognition during conversations to identify the other party (e.g. Telephone)
Fingerprints have been used in forensics for over 100 years by police investigators
Babies registered at birth using palm/foot prints
Dental records and X-rays have long been used to identify decomposed bodies
The hand written signature is a form of behavioral biometric identification
DNA is one of the latest advances used in identification


HISTORY (continued)

Modern technologies have made it possible to mechanically and automatically convert physical and behavioral characteristics into digital electronic form
Early biometric systems were slow, expensive, proprietary and unreliable
They were considered as science fiction or spy toys and not likely to be used by ordinary people in daily transactions
Today costs are coming down, speed and reliability are increasing and biometric devices are starting to become part of our daily lives


BIOMETRIC APPLICATIONS
Depending on the application, biometrics can be used for security, privacy, convenience, fraud reduction, or to deliver enhanced services. Applications include:


Physical security and access control (e.g. borders, airports)
Computer/Network logins (e.g. laptops with fingerprint sensors built in)
Business transactions (e.g. ATM withdrawals)
Credit and debit card protection
Voting
Receiving government benefits (e.g. welfare, pension)
Healthcare services (e.g. patient ID)
Law enforcement (e.g. drivers licenses, vehicle registration, smart guns, criminal identification systems)
Identification Documents (e.g. Visas, passports, SIN cards, Military/Govt/Corporate ID cards)
Registering race horses, research animals, pets and other wildlife
Data protection (e.g. biometric tokens)

HOW BIOMETRIC DEVICES WORK


With all biometric systems there are 3 steps (i.e. data capture, signal processing, and decision) which define the process flow:
Data Capture
All biometrics start with a piece of raw analogue data (e.g. fingerprint, voice sample, face/hand/retina image)
This raw data is digitized so that computers can process it
The computer software extracts the critical features (e.g. minutiae) and discards those elements that are irrelevant to making a successful comparison (i.e. creates template)
The stored and live templates are compared and if they match (i.e. within set threshold) user will be accepted

Signal Processing

Decision


HOW DEVICES WORK (continued)

During enrollment the template is created and stored (sizes from 9 Bytes to 1 KByte)

Source: SCA Biometrics May 2002


HOW DEVICES WORK (continued)


During verification the first 2 steps are repeated with the resulting representation being the live scan or template.

Source: SCA Biometrics May 2002


HOW DEVICES WORK (continued)


Compare Template
The live scan is compared to the stored template. If they match within a set statistical range, it is accepted as valid

Decide Match

Source: SCA Biometrics May 2002
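
The compare and decide steps above, as an added example that is not part of the original presentation: constructed templates are compared against a stored one, and the acceptance threshold is swept to show how false rejects (FRR) trade against false accepts (FAR). The feature values, the distance measure and the thresholds are assumptions chosen for illustration.

```python
# Added illustration: threshold decision on constructed templates.
# Feature values, distance measure and thresholds are assumptions.

ENROLLED = [120, 64, 200, 33, 90, 151]   # stored template (constructed)

# Live templates from the enrolled user (sensor noise; third is a poor capture)
GENUINE = [
    [122, 63, 198, 35, 91, 150],
    [118, 66, 203, 30, 88, 155],
    [125, 60, 195, 38, 95, 146],
    [121, 64, 201, 33, 89, 152],
]
# Live templates from other people (third happens to resemble the user)
IMPOSTOR = [
    [90, 100, 150, 70, 40, 200],
    [115, 70, 190, 40, 95, 160],
    [124, 61, 205, 30, 86, 148],
    [60, 20, 240, 80, 130, 100],
]

def distance(live, stored):
    """Sum of absolute feature differences (smaller = closer match)."""
    if len(live) != len(stored):
        raise ValueError("templates must have the same number of features")
    return sum(abs(a - b) for a, b in zip(live, stored))

def verify(live, stored, threshold):
    """Decision step: accept only if the live template is within the threshold."""
    return distance(live, stored) <= threshold

def error_rates(threshold):
    """Return (FRR, FAR) over the constructed samples at this threshold."""
    rejected = sum(not verify(g, ENROLLED, threshold) for g in GENUINE)
    accepted = sum(verify(i, ENROLLED, threshold) for i in IMPOSTOR)
    return rejected / len(GENUINE), accepted / len(IMPOSTOR)

def sweep(thresholds):
    """Tabulate (threshold, FRR, FAR) to show the trade-off."""
    return [(t, *error_rates(t)) for t in thresholds]

if __name__ == "__main__":
    for t, frr, far in sweep([10, 20, 30]):
        print(f"threshold={t:2d}  FRR={frr:.2f}  FAR={far:.2f}")
```

A tight threshold rejects the legitimate user's noisier captures; a loose one starts accepting the look-alike impostor, which is why the threshold is set per application.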


HOW BIOMETRIC DEVICES WORK


[Block diagram of a biometric system. Stages: DATA CAPTURE, SIGNAL PROCESSING, DECISION. Labelled elements: User, Present Biometric Sample, Biometric Sensor, Signal Detection, Extract Features, Create Template*, Quality Control, Creation of BIR (Enrollment), Template / BIR Storage, Compare Template, Decide Match, Set Threshold, Decide Acceptance, Grant Privileges, Biometric System Controller, Input / Output Interfaces, Portal, Administrator.]

*Template = Processed Biometric Sample. The Create Template process may also include the creation of the Biometric Identification Record (BIR)


TYPES OF DEVICES

Physiological (i.e. physical) Characteristic Devices


Finger/thumb print readers
Hand/Finger geometry readers
Facial Verification Systems
Eye Scanners
  Retina Scanners
  Iris Scanners
DNA Identification Systems
Voice Verification (Note 1)

Note 1: Voice verification can also be considered a Behavioral Characteristic device



DEVICES (continued)

Behavioral Characteristic Devices


Voice Verification (Note 1)
Signature Dynamics Analysis
Keystroke Dynamics Analysis
Gait Analysis

Note 1: Voice verification can also be considered a Physiological Characteristic device



FINGER/THUMB PRINT READERS

Most widely used
Most systems rely on classifying the differences between ridges and valleys in the patterns of the print and at ridge bifurcations or ridge endings (i.e. minutiae)
Produces one of the largest templates (approx 1 KByte) depending on the method used
Devices are very reliable in use but in some cases other techniques may be required
Several types (e.g. optical, capacitive, ultrasound, RF)


FINGERPRINT (continued)
Fingerprint matching techniques can be placed into two categories: minutiae-based and correlation-based.

Minutiae-based techniques first find minutiae points and then map their relative placement on the finger. However, there are some difficulties when using this approach.
  It is difficult to extract the minutiae points accurately when the fingerprint is of low quality.
  Also this method does not take into account the global pattern of ridges and furrows.
  More subject to wear and tear, and false minutiae.

The correlation-based method is able to overcome some of the difficulties of the minutiae-based approach. However, it has some of its own shortcomings.
  Correlation-based techniques (i.e. pattern matching) require the precise location of a registration point and are affected by image translation and rotation.
  Larger templates (often 2-3 times larger than minutiae-based)

FINGERPRINT (continued)
Intrusive procedure
In 1997 the stamp-sized fingerprint reader on a microchip was introduced which has led to the potential for many new applications (e.g. securing smartcards)
A much smaller scrolling sensor is now available which has made even more applications possible and has addressed some of the security concerns with latent prints
Some more advanced readers can differentiate between live and dead tissue
  by checking for pulse
  by sensing oxygen level
  by checking capacitance of the biometric sample

FINGERPRINT (continued)

Print showing various types of Minutiae


FINGERPRINT (continued)
To reduce the search time and computational complexity, it is desirable to classify fingerprints in an accurate and consistent manner so that the input fingerprint is required to be matched only with a subset of the fingerprints in the database.
Special algorithms have been developed to classify fingerprints into five classes, namely, whorl, right loop, left loop, arch, and tented arch.
Most often used in forensics, rarely in authentication systems

Source: biometrics.cse.msu.edu/info.html

FINGERPRINT (continued)

Source: Various websites



FINGERPRINT (continued)

US Dime

Source: Protective Technologies Website


HAND/FINGER GEOMETRY READERS

The first modern biometric device was a hand geometry reader that measured finger length
These devices use a 3D or stereo camera to map images of the hands and/or fingers to measure size, shape and translucency
Actual sensor devices are quite large in size
Templates are typically small (approx 10 Bytes)
High acceptance rate among users


HAND/FINGER GEOMETRY (continued)

Source: Biometrics Store Website

Source: http://recognitionsystems.schlage.com/products/

Source: biometrics.cse.msu.edu/info.html


FACIAL RECOGNITION

Considered by some as an intrusive system
Uses high resolution cameras (several types) to take pictures of the face for comparison
The four primary methods traditionally employed by facial scan vendors to identify and verify subjects include eigenfaces, feature analysis, neural network, and automatic face processing
New systems are being developed that measure three dimensional characteristics of the face
One of the fastest growing areas in biometric industry


FACIAL (continued)

Typical Eigenfaces
Utilizes two dimensional, global grayscale images representing distinctive characteristics of a facial image
Variations of eigenface are frequently used as the basis of other face recognition methods.
Source: MIT Face Recognition Demo Page

FACIAL (continued)
Eigenface: "one's own face," a technology patented at MIT that uses 2D global grayscale images representing distinctive characteristics of a facial image. Most faces can be reconstructed by combining features of 100-125 eigenfaces. During enrollment, the user's eigenface is mapped to a series of numbers (coefficients). Upon a 1:1 match, a "live" template is matched against the enrolled template to obtain a coefficient variation. This variation either accepts or rejects the user.

Local Feature Analysis (LFA): also a 2D technology, though more capable of accommodating changes in appearance or facial aspect (e.g., smiling, frowning). LFA uses dozens of features from different regions of the face; incorporates the location of these features. Relative distances and angles of the "building blocks" of the face are measured. LFA can accommodate 25-degree angles in the horizontal plane and 15 degrees in the vertical plane. LFA is a derivative of the eigenface method and was developed by Visionics, Corp.

FACIAL (continued)
Automatic Face Processing (AFP): This 2D technology uses distances and distance ratios between eyes, nose, and corners of mouth. Not as robust as the other technologies, but may be more effective in dimly lit, frontal image capture situations.

Neural Networks: use algorithms that use as much of the face as possible. These algorithms run as the human brain would in cognition to learn about facial features. Neural networks are a step up from LFA.


FACIAL (continued)
New Volumetric-based 3D Processing Systems: Create a template of the face that is based on tens of thousands of points on the face, thus forming a very high-resolution interpretation of the subject.
  A 3D laser camera takes a picture of the face and represents it within a virtual cube.
  The input starts as a digital image and does not need to be converted
  The secret to a true 3D method lies in the ability to use direct measurements to compare individuals. That is, rather than the traditional method of an indirect search for facial features on an image, these systems look at specific points within a millimeter apart.


FACIAL (continued)
Varying light (i.e. outdoors) can affect accuracy
Some systems can compensate for minor changes such as puffiness and water retention
Smiling, frowning, etc can affect accuracy
Some systems can be confused by glasses, beards, etc
Human faces vary dramatically over long term (aging) and short term (facial hair growth, different hair styles, plastic surgery)
Expected high rate of acceptance as people are already used to being photographed or monitored
Best method for identification systems (e.g. airports)


FACIAL (continued)
Source: MIT Face Recognition Demo Page

Source: biometrics.cse.msu.edu/info.html


RETINA SCANNERS

Rely on the uniqueness of the pattern of blood vessels lining the retina
Users place their eyes a few inches from an incandescent light beam and the sensor maps the capillary pattern by measuring reflected light
People with high blood pressure, diabetes or glaucoma may give inconsistent readings
Template approx 35 Bytes and extremely reliable
Primary use is in high security access control


RETINA SCANNERS (continued)

Camera

Enrollment device
Source: Biometrics Store Website


RETINA SCANNERS (continued)

Main retina features

Actual photo of retina

Source: American Academy of Ophthalmology



VOICE VERIFICATION
A completely non-intrusive technique
Examines tonal wave patterns that cannot be imitated by other individuals (voice patterns of impersonators are different than the real voice pattern)
Analog recordings cannot reproduce accurate tone patterns, but digital recordings may be able to do so
  Random question and answer techniques, and pattern matching (i.e. comparing successive voice samples) may help to prevent replay attacks based on digital voice recordings
Most appropriate method for telephone use
People with colds & laryngitis can affect FRR
  although slight variations can be compensated for
Signal quality can introduce errors (e.g. bad phone line, noise in background)

VOICE VERIFICATION (continued)


A complete signal has an overall pattern, as well as a much finer structure, called the frame. This frame is the essence of voice verification technology. It is these well-formed, regular patterns that are unique to every individual. These patterns are created from the size and shape of the physical structure of a person's vocal tract. Since no two vocal tracts are exactly the same, no two signal patterns can be the same.


VOICE VERIFICATION (continued)

These unique features consist of cadence, pitch, tone, harmonics, and shape of vocal tract. The image at right shows how characteristics of voice actually involve much more of the body than just the mouth.


SIGNATURE ANALYSIS

These devices quantify speed, pressure, angle-of-attack and stroke characteristics (40 plus)
A typical system will take up to 100 elements of speed, pressure, etc to characterize an individual
User stress can affect the accuracy of this device
Signatures tend to change over time
These types of devices are now starting to make their way into practical everyday use


SIGNATURE ANALYSIS (continued)


Built-in sensors register the dynamics of the act of writing. These dynamics include the 3D-forces that are applied, the speed of writing, and the angles in various directions.

This signing pattern is unique for each individual, and thus allows for strong authentication. It also protects against fraud since it is practically impossible to duplicate "how" someone signs.

Source: Biometrics Store Website and Smart Pen

EXAMPLE IMPLEMENTATIONS
Otay Mesa, California/Mexico border crossing
  facial recognition of drivers who frequently cross border
Japanese Racing Association
  uses iris scanning to identify over 10,000 race horses
Walt Disney World, Florida
  seasons ticket holders gain entrance by finger geometry
Coca Cola is using hand geometry to prevent workers from buddy punching at the time clock
Lotus employees must pass hand geometry scan before picking up their kids at the company daycare


IMPLEMENTATIONS (continued)
Several states use voice recognition for parolees on home detention
US Immigration and Naturalization Service
  Frequent travelers between Canada and Montana use voice verification to access an automated border crossing system
A leading ATM manufacturer in Tokyo, OKI Electric Industry Co has implemented iris scanners in ATM machines of Japanese banks
ICAO using facial recognition as mandatory identifier and fingerprints & iris as optional identifiers on MRTDs
Aeroplan Voice Recognition System for Account Access

IMPLEMENTATIONS (continued)
Terminal 3 at Pearson Airport uses hand geometry to identify frequent travelers between US and Canada
Canadian Airlines uses voice recognition to control access at two of its hangars
Citizenship and Immigration Canada - $3.5 million biometric pilot project
Transport Canada and the Canadian Air Transport Security Authority (CATSA) new restricted area identification card
Facial Recognition Project at the Passport Office
Bell Canada Maintenance Technician Voice Verification
Bell Canada Client Account Access Voice Verification (My voice is my password)


Summary
Today's powerful computers and microelectronics make biometric identification and verification systems a reality
Biometric advocates still face uphill battle to convince the skeptical public, legislators, lawyers & security professionals that systems are safe, reliable and worth implementing
In the aftermath of 9/11, Biometrics has seen a resurgence in interest and is now being seriously considered by governments and other organizations as part of their solution for ensuring the identity of individuals and protecting their assets
Biometrics by itself is not the solution, only one part of it
Biometrics has the potential to be utilized in any application where authentication and verification is required and it is only a question of time before we start to see these systems used in our daily lives
Use of Biometrics is not the main contributor to security and privacy risks, only the inappropriate or inadequate implementation of it is