Biometric For Authentication, Do we need it? Christophe Rosenberger GREYC Research Lab - France

Transcription

1 Biometric For Authentication, Do we need it? Christophe Rosenberger GREYC Research Lab - France

2 OUTLINE Le pôle TES et le sans-contact Introduction User authentication GREYC - E-payment & Biometrics Introduction to biometrics Usable biometric solutions Perspectives 2

3 Introduction E-Secure transactions E-transactions ( E-secure Transactions Cluster) 3

4 Introduction Digital identity management One individual has many identities. 4

5 Introduction Le pôle TES et le sans-contact User authentication: Authentication methods are based on: We know [Secret] We own [Token, smartcard, RFID tag] We Are [Biometrics] The way we do things [Behavioral biometrics] The use of a reliable third party [Relationship] They are called authentication factors. 5

6 Introduction Digital identity management One individual can have different authentication factors. 6

7 Introduction Trends Trust in the identity of a user or a client Guarantee security (difficult to compromise) Respect the privacy Facilitate the usability 7

8 Le pôle TES et le sans-contact USER AUTHENTICATION 8

9 User authentication Solutions in the market 9

10 User authentication Le pôle TES et le sans-contact Biometrics The only one user authentication method It is more easy to use It is much more difficult to attack or falsify 10

11 Le pôle TES et le sans-contact GREYC RESEARCH LAB E-payment & Biometrics 11

12 ENSICAEN Le pôle TES et le sans-contact School of engineering of Caen ~ 780 students Department of Computer science : E-payment & Computer security: only one in France Strong partnerships with companies: Gemalto, Morpho, Fime... 12

13 GREYC Research Lab Le pôle TES et le sans-contact Research Group in Computer science, Automatics, Image processing and Electronics of Caen Laboratory staff: 7 CNRS researchers 25 Full professors 18 Associate professors 48 Assistant professors 79 PhD students 17 permanent staff 30 Engineers and post-doc Research topics: Electronics Image processing Algorithmic Document analysis Multi-agents Robotics navigation Automatics Computer security Natural language processing Biometrics Cryptography 13

14 E-payment & Biometrics Members (29): 3 full professors, 2 associate professors, 4 assistant professors, 4 permanent engineers, 8 PhD students, 2 Post-docs, 6 engineers. Research topics (2): Biometrics and Trust Application: E-payment Research projects: ASAP(ANR), LYRICS(ANR), PAY2YOU(FUI), CAPI(FUI), ADS+(FUI), INOSSEM(GE), LUCIDMAN(EUREKA) 14

15 E-payment & Biometrics Biometrics: Operational authentication that respects the privacy of users Le pôle TES Biometric le sans-contact authentication (palm veins, keystroke dynamics ) Evaluation of biometric systems (usability, security ) Protection of biometrics (cancelable biometrics, smartcards ) GREYC Keystroke Keystroke dynamics authentication 15

16 Le pôle TES et le sans-contact Introduction to biometrics 17

17 Biometrics Biometric modalities: Biological analysis: EEG signal, DNA Behavioural analysis: Keystroke dynamics, voice, gait, signature dynamics... Morphological analysis: Fingerprint, iris, palmprint, finger veins, face, ear 18

18 Biometrics Le pôle TES et le sans-contact Biometric system: general architecture 19 Source ISO/IEC Information technology Biometric data interchange formats Part 1: Framework

19 Le pôle TES et le sans-contact Usable biometric solutions 20

20 Keystroke dynamics Le pôle TES et le sans-contact Authentication based on passwords Passwords can be shared between users Passwords are difficult to memorize Passwords can be stolen Passwords are vulnerable to guessing attacks 21

21 Keystroke dynamics Le pôle TES et le sans-contact Advantages A two authentication factor method knowledge of the password password typing Good acceptance invisible for a user (passphrase or password) no privacy issues (easy to change the password) avoid complex passwords difficult to remind low cost solution none additional sensor software based authentication method 22 R. Giot, M. El-Abed, B. Hemery, C. Rosenberger, "Unconstrained Keystroke Dynamics Authentication with Shared Secret", Elsevier Journal on Computers & Security (IF 0.868), Volume 30, Issues 6-7, Pages , September-October 2011

22 Keystroke dynamics Le pôle TES et le sans-contact How does it work? Record different times: PP (latency between two pressures), RR (latency between two releases), RP (latency between one release and one pressure) and PR (duration of a key press), Use this feature vector to measure the similarity of keystroke dynamics. 23

23 Keystroke dynamics Some recent articles in the media 24

24 25 Demo

25 Signature dynamics A signature Usual method to authenticate a person (contract...) Manual or automated verification Existing sensors: tablet, scanner... Can be copied 26

26 Signature dynamics Principle Taking into account user s behavior, Much more difficult to falsify, Based on a method (signature) widely used and recognized in a legal point of view. 27

27 Signature dynamics Software 28 V. Alimi, C. Rosenberger, S. Vernois, "A mobile contactless point of sale enhanced by the NFC technology and a match-on-card signature verification algorithm", Smart Mobility Conference, 2011 V. Alimi, C. Rosenberger, S. Vernois, A Mobile Contactless Point of Sale Enhanced by the NFC and Biometric Technologies, International Journal of Internet Technology and Secured Transactions, To appear 2012

28 Voice recognition Principle Voice is a natural choice to authenticate a user (for a mobile phone or even a computer) Dynamic authentication (to avoid the replay attack) Free text speaker recognition is needed 29

29 Voice recognition Verification process: 1. The user launches the android application 2. The application (offline) or server (online) generates a challenge (random sentence) 3. The user says the specific sentence in the microphone 4. The application (offline) or server (online) matches the biometric capture 5. The application (offline) or server (online) verifies that the challenge has been said by the user 6. If everything is OK, the user s identity is verified 30

30 Voice recognition Software 31 M. Baloul, E. Cherrier, C. Rosenberger, "Challenge-based Speaker Recognition For Mobile Authentication", IEEE Conference BIOSIG, 2012.

31 Cancelable biometrics Motivations : It is not always possible to revoke a biometric data Usable Principle Avoid to store the fingerprint image or minutiae Better performance Usable solution 32

32 Cancelable biometrics Verification process: Feature extraction Original Image Fingercode seed BioHashing Salting with the seed The original image is not stored The biocode is stored It is not possible to compute the pattern or retrieve the original image given the biocode A biocode can regenerated (other seed) The biohashing process improves performance BioCode 33

33 Cancelable biometrics Demo 34 R. Belguechi, E. Cherrier, C. Rosenberger, "Texture based Fingerprint BioHashing : Attacks and Robustness", IEEE/IAPR International Conference on Biometrics (ICB), p.7, 2012

34 Le pôle TES et le sans-contact Perspectives 35

35 Conclusion Le pôle TES et le sans-contact Biometrics The ONLY ONE solution for user authentication Many usable solutions exist Speaker recognition (especially for mobile phone or offpad) Signature dynamics (authentication, dematerialized documents) Keystroke dynamics (authentication, monitoring, access control...) Cancelable biometrics (allowing online verification) 36

36 37