Biometric System Security

Transcription

1 Biometric System Security Colin Soutar CTO Bioscrypt Inc. Understanding the interface between biometric systems and general security systems is critical for the successful deployment of biometric technologies. The sensitivity of data passed between these two systems means that due care must be taken to avoid vulnerabilities such as identity, replay, and hill-climbing attacks. This is especially true as interfaces become standardized, such as with BioAPI i, as these standard interfaces are available to developers and attackers alike. With this in mind, protection methods for data storage and transmission should be used to safeguard the systems. 1 User Record Format To understand the interaction between a biometric system and a security system, we should consider the mechanism that binds them together. Generally, a biometric system for positive verification purposes proves that the individual is the same person that was enrolled in the security system. The biometric template created from the individual s biometric sample is bound to an identifier, by which they are known to the security system. Examples of an identifier include a password or passport number. The identifier provides a link between the verification of the user with the biometric system and the authorization of their rights and privileges within the security system. This binding of identifier to biometric template can be accomplished using encryption/decryption within a trusted biometric system to create a User Record, as seen in Figure 1. Once the User Record has been created, it can be freely moved around or stored, for example on a portable medium (such as a smart card).

2 Identifier Password, passport number, etc. Biometric Template Encryption Figure 1. User Record The use of the User Record in the manner described above provides the following features: The identifier provides a link between the user verification and the security system authorization This segregates the biometric process from the attribution of rights and privileges of the security system. A single user can be associated with a number of user credentials and/or identifiers, which may comprise multiple roles on a single system or single roles on multiple systems. Prevents identity theft. Since the biometric template and the user credential are bound together (Figure 1), the attacker cannot hijack someone else s user credential by linking his template to it i.e. an attacker cannot simply overwrite a legitimate user record with his own (if he has access to both on a portable medium), as he would also need to have a valid user credential on the system which would make the attack redundant.

3 2 Link Encryption The User Record Format as described above means that the result of the biometric system is more complex than a simple yes/no. This helps to mitigate a replay attack, in so far as the response is specific to the user and the application. However, to fully protect against a replay attack, dynamic link encryption should also be used. This can be accomplished by establishing a unique session key each time a critical piece of information is passed across the link, using a key exchange protocol such as Diffie- Hellman. The unique session key is then used with an encryption mechanism to protect any information passed between the biometric and security systems. Figure 2 presents a general biometric system incorporating a User Record format and dynamic link encryption to protect against identity and replay attacks. User UI Security System Policy/Administration Encrypted Link (unique session key) User Credentials Storage User Record UI Capture Biometric System Process Template Enroll Verify Template score Threshold User Credentials Decision Encrypt Decrypt Figure 2. General System Architecture

4 3 Quantization of Score In some applications, most particularly in the case of fused biometrics (i.e. face and fingerprint), the return of the score to the application provides useful information. In fact, this is one of the primary reasons that API s such as BioAPI support the return of the score in an operational biometric system. However, the developer of a biometric system needs to be aware of a potential vulnerability known as hill-climbing attack ii. This section provides an example to illustrate that the hill-climbing attack can be mitigated by quantizing the score that is returned to the security system or application. A hill-climbing attack can occur when an attacker has access to the biometric system and the user s template upon which he wishes to mount a masquerade attack. The attacker creates a simple rogue application that inputs the template along with a randomly generated image as input to the biometric system. The score returned by the biometric system is saved and the attacker randomly perturbs the image, retaining only those samples that positively increase the score. In this manner, the attacker can iteratively synthesis an image that produces a score that exceeds the threshold of the biometric system and use that image as input to the security system to which the original template belongs (see Figure 3). ROGUE APPLICATION Keep/Discard + Score Biometric System Figure 3. Steps in a hill-climbing attack To demonstrate the vulnerability of a biometric system to the hill-climbing attack, a simplified recognition system was simulated using the two images (shown in Figure 4) with a generic phase-only filter-based correlator (such as that described in U.S. patent 5,214,534, by Kallman et al). Filters were first created using both the space shuttle and the Apache helicopter images and these filters were then matched with both input samples to obtain the scores given in Table 1.

5 Figure 4. Space shuttle and Apache helicopter images Input sample filter Shuttle Apache Shuttle Apache Table 1. Table of scores On the basis of the scores (Table 1), a recognition system can be set up to discriminate the two objects, using a decision threshold of ~ 50. To demonstrate the hill-climbing attack, a filter was constructed using the space shuttle image and the Apache image was used as the input sample. At each iteration of the simulation, a certain number of pixels within the input sample were randomly modified (pixels at random locations were set to a random value between 0 and 255). At each iteration of the simulation, the output score was examined, as presented in Figure 3, and only sets of modified pixel values that contributed positively to the score were maintained. It was determined that the optimal number of pixels (for efficiency) to modify per iteration was 64. Figure 5. Progression of scores as a function Figure 6. Input sample after 7 million iterations

6 Figure 5 presents the progression of scores as a function of iteration. It is interesting to note that the originally proposed score of 50 as the threshold is fairly easily achieved (after about 600 iterations). The modified Apache sample at this point would be capable of being erroneously recognized as the space shuttle. The simulation continued to run for several days, to produce the image shown in Figure 6, after 7 million iterations. Note that the outline of the shuttle is evident, as expected with a phase-only filter. To understand the solution to the hill-climbing issue, it is instructive to examine the probability of attaining scores based on the process of randomly changing pixel values. To model this, we established an input sample that produced a score of 25 (midway between 0 and the decision threshold of 50). For a number of instances (20,000), a set of 64 pixels was randomly modified, as previously described, and the resulting score was logged. The set of these data is presented as the histogram shown in Figure 7. The distribution is approximately symmetric around 25, therefore, an attacker with access to these scores can easily determine which changes in the input sample to maintain (based on the changes that increase the score). Note, however, that the number of occurrences of jumping from 25 to higher values becomes diminishingly small. Therefore, if we only allow the return of a score once, it has surpassed a specified increment, then the probability of a random perturbation creating such a jump becomes very small. Indeed, we can plot the probability of jumping from 25 to a particular score, as presented in Figure 8, by integrating under the distribution shown in Figure 7. Figure 7. Probability of attaining score Figure 8. Probability of "jumping" from 25 Based on the probability distribution of Figure 8, we see that the probability of producing a score of (say) 27.5, starting from 25, is very small. Thus, if we stipulate that scores can only be transmitted from the biometric system to the application in quantized levels, say in steps of 2.5 (for this particular case), then a potential attacker can only know if a random fluctuation was successful in a very small number of cases. In other words, if the input sample produces a score of 25, then the probability of producing a score of 27.5 or higher and so being released by the biometric system is very small, as presented in the

7 plot of Figure 7. Placing such a limitation in the system and running the simulation again produces the data shown in Figure 9. This plot should be compared with the plot in Figure 4. In this case, the hill-climbing process is very much slower. Indeed, linear extrapolation of the plot indicates that the threshold score of 50 would only be attained after iterations. This makes such an attack prohibitively time-consuming. The steps of 2.5 were chosen as an example only and can easily be expanded, to make such an attack even more difficult. Figure 10 presents the input sample that is obtained after these 7 million iterations. The input sample still resembles the original Apache image. The quantization level of 2.5 was chosen for illustrative purposes only, and the level of quantization required for a biometric system should be carefully chosen based on the biometric type and the form of the recognition system. Figure 9. Progression of the score as a function of LOG10(iterations) Figure 10. Modified Apache image. Other ways to mitigate a hill-climbing attack include: limitation of the number of sequential attempts (not necessarily consecutive) within the biometric system against any particular template without a success; forced mutual authentication of the biometric system and the application; or mutual authentication of all components to a third party (such as the Common Data Security Architecture (CDSA) iii ). 4 Conclusions In order to safeguard the deployment of biometric systems within general security systems, the described methods of encryption and quantization of scores can be used to mitigate identity, replay and hill-climbing attacks. 5 References i ii iii BioAPI Specification, American National Standards Institute, ANSI/INCITS 358, Version 1.1, (2001). Colin Soutar, Biometric System Performance and Security (2002) Common Data Security Architecture.