Biometrics and wolf attacks

Download Report

Transcript Biometrics and wolf attacks

Jason Tortorete COSC 316

BIOMETRICS AND WOLF ATTACKS

OUTLINE      Concept: Access Control CISSP and Access Control Framework Biometric Applications and Functionality   Verification and Identification Modality Wolf Attack   Define Probability Questions/Closing

CONCEPT: ACCESS CONTROL

    The flow of information between a subject and an object  Subject: user/program/process that requires use of an objects resources Life imitates art  AI   “Thinking” robotics and emotional/conversational cyborgs Minority Report     Police use holographic data screens (Microsoft and NY) City-wide surveillance Dimensional maps and database feeds used to monitor citizen movements Deployment of systems allowing broad and autonomous surveillance Protect access and resources Biometrics as a panacea?

 Research hacker reports (vulnerable)  Biometric security circumvention and fundamental constraints seem to fall on deaf ears

CISSP

AND

ACCESS CONTROL FRAMEWORK

 Certified Information System Security Professional certification track    Convey the significance of the principle of access control Access Control is Domain One of Ten Represents the security industries gold standard of certification    

4 functions that drive access controls

Identification Authentication Method in which a system requests information from an entity (username) Often a second piece of information requested (pass or PIN) Authorization Permits or denies requests Accountability – All subjects be recorded and logged The classic “who”, “what”, and “when”

BIOMETRIC APPLICATIONS

AND

FUNCTIONALITY

Biometrics?

 Bio-living creature  Metrics-ability to measure in a quantitative manner 

Context

 In security: describes both characteristics and processes  Measurable traits (both behavioral and physiological) 

Leverage unique identifiers for the purposes of subject identification

BIOMETRIC APPLICATIONS AND FUNCTIONALITY CONT.

Verification

 Confirming or denying a subjects claimed identity  Digitized biological sample in the form of an image  Sample associated with specific identity within that system-determines all future access attempts  Verification is synonymous with one-to-one  Identification

asks

:

“Is the requesting subject in fact who they claim to be?”  Verification

asks

:

“Do I know who this subject is?”

MODALITY

 Modality or class of biometric attribute  Four major classes: (leverage biological biometrics)  Fingerprint recognition  Hand geometry recognition  Iris recognition  Facial recognition

MODALITY: FINGERPRINT RECOGNITION

Fingerprint recognition:

 Comprised of random ridges and valleys (islands, dots, bifurcations, and ending ridges)

MODALITY: HAND GEOMETRY RECOGNITION

Hand geometry:

 taking a three dimensional image of the hand in order to capture and compare hand structure (lacks uniqueness of fingerprint or iris)

MODALITY: FACIAL RECOGNITION

Facial recognition:

 Leverage the uniqueness of the human face (distance between eyes, width of the nose, cheekbones, and chin)  Problems with lighting

MODALITY: IRIS RECOGNITION

Iris recognition:

 Uses infrared illumination (IR)  Extremely high resolution images of the iris (colored portion)  Extremely high success rate and highly effective.

 Costly  All classes are best implemented with another method

WOLF ATTACKS

 Exploitation:  Stems from the fact that biometric technology and the security it provides is probabilistic in nature.

 The wolf attack uses this fact to circumvent biometric based security mechanisms by exploiting them.

 Three industry recognized classifications of biometric based threats: 1) Intentional impersonation 2) Unexpectedly high FAR 3) Backdoor creation

WOLF ATTACKS

CONT.

Why Wolf?

 A wolf is an input value that that can be falsely accepted as a match with multiple templates  Wolves are fed into the system and are used to impersonate a victim and trick the system  WAP or Wolf Attack Probability is defined as a maximum success probability with one wolf sample

WOLF ATTACKS

CONT.

What exactly a wolf attack is/does?

 A created biometric sample that shows a high degree of similarity to the majority of the systems templates  Therefore, the outcome’s statistical success is not confirmed or denied by the MCP (minutiae collision probability) but instead is estimated using a WAP  Resulting in a huge increase in attack success  In other words, the systems logarithms are barraged with minutiae (all the variations and inputs possible) to comply with the existing templates

CLOSING

 The point:  Unlike security mechanisms, such as an open encryption standard, where someone can easily gain full knowledge of the internal workings (without that knowledge leading a comprise of the math that protects that system), biometrics do so and give the attacker a huge advantage.

 Biometric security systems are the future and therefore, biometric based system attacks are as well.

 Questions?

REFERENCES      Biometric identification systems. (2012). Retrieved from http://www.sciencelov.com/?p=2937 Biometrics Identity Management Agency. (n.d.). Biometrics Identity Management Agency Overview. Retrieved November 29 2012, from http://www.biometrics.dod.mil/ CNN Money. (2012). Hackers’ next target: Your eyeballs. Retrieved from http://money.cnn.com/2012/07/26/technology/iris-hacking/index.htm

Das, R. (2006). An introduction to biometrics A concise overview of the most important biometric technologies. Retrieved from http://www.biometricnews.net/publications/biometrics_article_introduction_to_bio metrics.pdf

Major flaws in biometric security products. (2002). Retrieved from http://www.outlaw.com/page-2624