The National Technical Authority for Information Assurance
 
Biometrics and Security - MS04

The security concerns for biometric applications are wider than for many other IT systems because they include all the usual IT security issues together with additional biometric specific concerns. These concerns extend beyond those of the application itself because of the intrinsic human involvement in a biometric system which has ramifications for data privacy and protection, cultural issues and psychological perceptions. This paper provides a summary of some of the main issues and references a paper containing more detail and covering a wider range of concerns than can be addressed here.

Introduction

Security is a holistic subject. In most applications, the biometric is only one part of a complex system and the security will be determined by the interaction of many factors, procedural as well as technical. Because of the intrinsic human element of biometric systems, security concerns will include those that impact on the user as well as the traditional application security concerns.

Application security concerns are related to the perceived threats to the application which will usually be application dependent. In an access control system, the principal security concern is likely to be impostors gaining unauthorised access; in a welfare benefit registrants system, the principal concern may be users establishing multiple identities on the system. For these 2 applications, security turns out to mean different things, and the measurement of security will be determined by different parameters.

In practical cases, applications may have a number of distinct functions, each of which has its own security requirements, and the security of such systems can become a complex, multi-faceted entity. Because the main biometric performance factors (false acceptance and false rejection) can be traded off against each other, it is often necessary to adjust threshold settings to provide an optimal compromise for a set of disparate requirements.

User security concerns include how the users’ private biometric data will be used and how it will be protected from disclosure. Cultural, religious and human perception factors can impact on the acceptability of biometrics and may also bring with them implications for security.

It should be emphasised that security is not simply a technical issue, but involves the combination of technical, environmental and procedural measures working in concert.

Biometric Performance and Security

We can measure biometric performance in terms of error rates. The most commonly quoted error rates are False Accept Rate and False Reject Rate. Errors are likely to have security ramifications which will be dependent on the type of application and the potential consequences of failures.

What performance figures should you be looking for?

Of course there is no easy answer to this question because it will be so application dependent. Attempts to compare biometric error rates with password and token security have had only a limited degree of success because the factors that influence security are substantially different for biometrics than for traditional authentication mechanisms. The following paragraphs discuss basic application types and performance related security issues.

Positive identification/verification applications e.g. access control

False accept errors result in impostors being granted unauthorised access and false reject errors result in denial of service to legitimate users.

Biometric experts (in the UK and US) have considered the use of biometric authentication for access control and suggest the following values for the strength of a biometric mechanism related to its FAR:

FAR              Strength
< 1 in 100       Basic
< 1 in 10^4      Medium
< 1 in 10^6      High


Note that these figures relate to FAR for the system as a whole, not necessarily for the device (see also: identification vs. verification later).
The terms "Basic", "Medium" and "High" relate to Strength Of Function (SOF) for statistically based authentication mechanisms as defined in the ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation standard.
Reliable determination of low error rates is a difficult, time consuming and costly undertaking. The very low levels associated with High SOF in the table above may be beyond the limits of practicability at our current state of knowledge.

N.B. Users should treat these figures with some caution – in particular, they do not reference False Rejection Rate (FRR), and intending users will need to ensure that the above FAR rates can be achieved in their application while maintaining an acceptable False Reject Rate.

Negative identification applications e.g. beneficial service registration

In negative identification applications, the main aim is to detect attempts by individuals to establish multiple identities in the system under different names in order to receive multiple beneficial services (e.g. welfare benefits, driver's licence, passport). Here, false rejection may result in the failure to detect an already registered user, whereas false acceptance wrongly implies that an honest user is already registered. Note that this turns the traditional security paradigm on its head!

Performance figures for this type of application are therefore not directly comparable to those for access control. For example, a 10% False Reject Rate does not seem good but might result in the detection of 90% of attempted frauds – a very good return by comparison with many other fraud detection measures.

Identification vs verification

Identification is the 1 : many comparison process against the database of enrolees’ biometric features, whereas verification is limited to the 1 : 1 comparison against the stored biometric of the claimed individual for whom the check is being done. It will be readily appreciated that the error rates for the 2 processes will likely be very different. For cases where the overall error rates are fairly low (say below 20%), the error rate is approximately proportional to the number of comparisons made – e.g. for a database of 1000 enrolees, the error rate for an identification comparison would be about 1000x that for a single verification comparison.

Clearly, identification is much harder than verification for decent-sized databases. Because error rates have security implications, for a specified security requirement the error rates for the biometric technology employed in an identification mode comparison will need to be much lower than if it were used in verification mode. For example, for an access control system operating in identification mode with an overall system security requirement for a False Accept Rate (FAR) of < 1 in 1000, and a database of 2000 enrolees, the biometric would need to be able to achieve better than 1 in 2,000,000 in terms of single verification mode errors.

Enrolment Quality

The quality of enrolled biometric features affects the performance of a biometric system and hence its security. Weak enrolments such as those with few biometric features or poor image quality will be easier to spoof (see spoofing later), and may require thresholds to be set to insecure values in order to make the system work acceptably for enrolled users. Ensuring good quality enrolments is one of the most effective ways of optimising all aspects of performance of a biometric system.

Countering spoofing and mimicry

Spoofing is fooling a biometric system by means of an artefact bearing a copy of the biometric features of an enrolled user. It is a real concern because spoofing directly undermines the principal strength of biometric authentication, namely that biometrics directly binds the individual to the authentication process in a way that other forms of authentication cannot do. If spoofing can be made to work relatively easily then a major argument in favour of using biometrics disappears.

Spoofing normally relates to physiological biometrics such as fingerprint, hand geometry or iris recognition. The equivalent for behavioural biometrics (voice, signature etc.) is mimicry, although it should be noted that physiological biometrics often have behavioural dependencies (e.g. how the finger is placed on the reader) and a biometric like voice has both physiological and behavioural components.

The source images for biometrics are not generally secret. People carry and leave latent images of their fingerprints; faces can be easily photographed, voices recorded and so on. Some features will certainly be harder to capture than others – iris patterns for example – but none pose overwhelming difficulties to the highly motivated. The security of a biometric system should therefore not depend on a presumption of secrecy of the source; rather the application needs to implement anti-spoofing measures. These could include supervised operation, liveness checking or challenge/response exchanges.

Liveness Checks

Liveness checks are a technological countermeasure to spoofing using artefacts. They apply most obviously to physiological biometrics such as finger, face, hand and iris, though they could protect behavioural biometrics in cases where mimicry might be performed by an artificial device (e.g. a signature signing machine).

Liveness checks may detect physical properties of the live biometric, e.g. electrical measurement, thermal measurement, moisture, reflection or absorbance of light or other radiation; the presence of a natural spontaneous signal such as pulse; or the response to an external stimulus, e.g. contraction of the pupil in response to light, muscular contraction in response to an electrical signal etc.

One important caveat - liveness checking must be done at the same time and place as where the biometric features are captured. Otherwise there is no certain connection between the liveness check and the biometric. An impostor could provide a genuine liveness sample and, separately, an artefact containing the biometric features.

Capture/replay

If an impostor can capture the electrical signals containing the biometric features of an authorised user, it may be possible to replay them later to allow the impostor to impersonate the authorised user. Protection can be provided by physical or logical means. Examples of physical protection might be tamper resistant systems or armoured cables, or supervised operation. Logical protection might include encryption (using unique session keys) or time stamping of the signals, or challenge/response – see below.

Challenge/response

Challenge/response is directed principally at countering capture/replay attacks, but it may also have a useful role as a form of liveness check in some cases. By issuing a challenge requiring one of a variety of different responses, it makes it harder for an impostor to simply replay a recorded signal. Challenge/response is most commonly used in voice recognition biometric systems where (for example) the system will prompt the user to speak a series of words or digits in a random order and then check not only the voice characteristics of the subject, but also that the words/digits are repeated in the correct order.
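The exchange described here, covering both the capture/replay threat of the previous section and the randomised-prompt countermeasure of this one, is sketched below as an added example; it is not code from the page. The server issues a random digit string, the client "speaks" it back, and the server checks that the challenge is fresh and unused, that the digits came back in the prompted order, and that the voice matches enrolment. Voice features are stood in for by small tuples of floats with a simple distance threshold (constructed data and an assumed tolerance); a real system would call its matcher at that point.

```python
# Added example (not from the page): a toy challenge/response exchange of the
# kind described for voice systems, with single-use, time-limited challenges so
# that a recording captured from an earlier session cannot be replayed.
import secrets
import time


class VoiceChallengeServer:
    def __init__(self, enrolled, tolerance=0.15, ttl_seconds=30):
        self.enrolled = enrolled        # user -> feature tuple (constructed stand-in)
        self.tolerance = tolerance      # matcher threshold (assumed value)
        self.ttl = ttl_seconds          # how long a prompt stays answerable
        self.pending = {}               # challenge_id -> (user, digits, issued_at)

    def issue_challenge(self, user, length=6, now=None):
        """Server side: prompt the user to speak `length` random digits."""
        digits = "".join(secrets.choice("0123456789") for _ in range(length))
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (user, digits, time.time() if now is None else now)
        return challenge_id, digits

    def verify(self, challenge_id, user, spoken_digits, features, now=None):
        """Server side: accept only a fresh, single-use challenge answered in the
        prompted order by a voice that matches the enrolled template."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)   # consumed on first use, pass or fail
        if entry is None:
            return False, "unknown or already used challenge"
        expected_user, digits, issued_at = entry
        if now - issued_at > self.ttl:
            return False, "challenge expired"
        if expected_user != user:
            return False, "challenge was issued to a different user"
        if spoken_digits != digits:
            return False, "digits not repeated in the prompted order"
        if not self._voice_matches(user, features):
            return False, "voice characteristics do not match enrolment"
        return True, "accepted"

    def _voice_matches(self, user, features):
        # Mean absolute difference as a stand-in for a real voice matcher score.
        template = self.enrolled[user]
        distance = sum(abs(a - b) for a, b in zip(template, features)) / len(template)
        return distance <= self.tolerance


def replay_demo():
    """Legitimate use, then the captured recording replayed against a later
    challenge and against the already-consumed one. Returns the verdicts and
    whether the two prompts happened to coincide (1 in a million for 6 digits)."""
    server = VoiceChallengeServer({"alice": (0.50, 0.30, 0.80)})
    alice_voice = (0.52, 0.31, 0.79)                 # her live features (constructed)

    cid, digits = server.issue_challenge("alice", now=0)
    live_ok, _ = server.verify(cid, "alice", digits, alice_voice, now=1)

    captured = (digits, alice_voice)                 # what a wiretap of session 1 yields
    cid2, digits2 = server.issue_challenge("alice", now=60)
    replay_new_ok, _ = server.verify(cid2, "alice", captured[0], captured[1], now=61)
    replay_old_ok, _ = server.verify(cid, "alice", captured[0], captured[1], now=62)
    return live_ok, replay_new_ok, replay_old_ok, digits == digits2


if __name__ == "__main__":
    print(replay_demo())   # expected: (True, False, False, False)
```

The challenge is removed from the pending table on the first answer whether or not it succeeds, so an attacker cannot keep trying recorded phrases against one prompt, and the voice check is only reached after the cheap freshness and ordering checks have passed.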

Template Integrity and Confidentiality

Template integrity and confidentiality are often confused; in fact they serve different purposes. Template integrity protection serves to guard against a fake template being introduced, or a genuine one being modified. Template confidentiality guards biometric data (which is deemed personal in the context of the Data Protection Act) from being disclosed to others - in other words the data privacy issue. The confusion may arise from the fact that solutions can involve cryptography in either case. A cryptographically calculated checksum can provide integrity checking, and encryption of the template data can be used to safeguard both confidentiality and integrity. Note however that it is also possible to protect templates through other measures such as access control.
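The "cryptographically calculated checksum" route to template integrity is shown below as an added example using only the Python standard library; it is not code from the page. A keyed hash (HMAC-SHA256) is computed over a canonical encoding of the template together with the user identifier it belongs to, so that neither an edited template nor a genuine template re-labelled for another user will verify. The key and the template values are constructed for the example. This provides integrity only: the stored payload is still readable, so confidentiality would need encryption or access control in addition, as the section notes.

```python
# Added example (not from the page): integrity protection of a stored template
# with a keyed checksum (HMAC-SHA256). The user id is bound into the signed
# payload so one user's template cannot be presented as another's.
import hashlib
import hmac
import json
import secrets


def seal_template(key: bytes, user_id: str, template: list) -> dict:
    """Produce a storable record: canonical JSON payload plus its HMAC tag."""
    payload = json.dumps({"user": user_id, "template": template},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def load_template(key: bytes, record: dict, expected_user: str) -> list:
    """Recompute the tag over the stored payload and refuse anything that fails
    to verify, or that verifies but was sealed for a different user."""
    expected_tag = hmac.new(key, record["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, record["tag"]):   # constant-time compare
        raise ValueError("template integrity check failed")
    data = json.loads(record["payload"])
    if data["user"] != expected_user:
        raise ValueError("template belongs to a different user")
    return data["template"]


def tamper_demo(key: bytes = None) -> dict:
    """Seal two constructed templates, then try editing one in place, moving a
    tag between records, and re-labelling one user's record as another's.
    Returns which checks fired."""
    key = key or secrets.token_bytes(32)      # in practice held in a key store, not beside the data
    alice = seal_template(key, "alice", [12, 7, 99, 3])     # constructed feature values
    mallory = seal_template(key, "mallory", [5, 5, 5, 5])
    results = {"genuine": load_template(key, alice, "alice") == [12, 7, 99, 3]}

    def rejected(record, as_user):
        try:
            load_template(key, record, as_user)
            return False
        except ValueError:
            return True

    edited = dict(alice, payload=alice["payload"].replace("99", "98"))
    results["edit_detected"] = rejected(edited, "alice")
    swapped = {"payload": mallory["payload"], "tag": alice["tag"]}
    results["swap_detected"] = rejected(swapped, "alice")
    results["relabel_detected"] = rejected(mallory, "alice")   # intact record, wrong owner
    return results


if __name__ == "__main__":
    print(tamper_demo())   # expected: every entry True
```

A checksum that did not include the user identifier would pass the third case, since Mallory's record is genuine; binding the identity into the signed data is what makes the integrity check also an ownership check.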

Supervised Operation

Supervised operation of biometric systems by trained and trusted staff can be a valuable tool in support of system security. An obvious example is a spoofing attack, which is likely to be much harder to mount against a supervised system. Also, a trained operator can help to ensure that users present their biometric features correctly to achieve the optimum system performance and thereby maintain security-enhancing threshold levels.

In most cases it will be necessary to provide supervision for enrolment. Enrolment is a critical activity when credentials will need to be checked and validated, and high quality of enrolled biometric features ensured (see previous section on Enrolment Quality).

Note: Attacks against negative identification systems (see previously) can probably only be prevented by supervised operation.

Environmental Factors

The environment that a biometric system operates in is likely to have a major impact on its performance, and consequently its security. For example, facial recognition systems are known to be sensitive to lighting conditions – if the lighting is poor then the acceptance threshold may have to be adjusted to make the system work at all, to the detriment of security. Lighting conditions may also have an effect on the performance of optical fingerprint and iris systems, and noisy environments on voice recognition systems. Electromagnetic interference effects may also be relevant and should be considered. The advice of the system supplier should be sought on whether the biometric technology is suitable for the application environment.

Security Audit

Security audits serve many investigative and evidential purposes and can be a particularly powerful weapon against insider attacks by "trusted" users, e.g. operators and administrators. Because these users have privileges which may give them legitimate access to security relevant data and controls, insider attacks are hard to counter. Often, the only evidence is after-the-event tracking provided by the examination of audit logs. In order to protect the audit process and logs against alteration or removal, it may be necessary to split the administration functions between 2 or more roles to avoid a single point of security failure (e.g. a security configuration administrator who has no access to the audit process and data, and an audit administrator who has no access to security configuration tools).
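One technical complement to the role split described above is to make the audit log itself tamper-evident, so that alteration or removal of entries by a privileged user leaves a trace. The following is an added example, not code from the page: each entry's hash covers its sequence number, its content and the previous entry's hash, and a verifier reports altered entries and gaps. The entries are constructed for the example. The chain is only evidence if its head hash (or periodic checkpoints) is held somewhere the security configuration administrator cannot write, which is exactly the separation the section calls for.

```python
# Added example (not from the page): a hash-chained audit log with a verifier
# that reports altered entries (hash mismatch) and removed or inserted entries
# (sequence gap / previous-hash mismatch).
import copy
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, actor: str, action: str, detail: dict) -> dict:
    """Append an entry whose hash covers its sequence number, content and the
    previous entry's hash, so later edits or deletions break the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action,
             "detail": detail, "prev": prev}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (ok, problems); problems is a list of human-readable findings."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (seq={entry['seq']}), "
                            "entries removed or inserted")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: previous-hash mismatch, chain broken before it")
        if _digest(entry) != entry["hash"]:
            problems.append(f"entry {i}: content altered")
        prev = entry["hash"]
    return (not problems), problems


def tamper_demo() -> dict:
    """Build a small constructed log, then alter one entry, alter-and-rehash
    one entry, and delete one entry; return the verifier's verdicts."""
    log = []
    for value in (0.70, 0.72, 0.65, 0.68):
        append_entry(log, "config_admin", "set_threshold", {"value": value})
    results = {"intact": verify_chain(log)[0]}

    altered = copy.deepcopy(log)
    altered[1]["detail"]["value"] = 0.10           # edit without recomputing the hash
    results["altered"] = verify_chain(altered)[1]

    rehashed = copy.deepcopy(log)
    rehashed[1]["detail"]["value"] = 0.10
    rehashed[1]["hash"] = _digest(rehashed[1])    # edit and recompute this entry's hash
    results["rehashed"] = verify_chain(rehashed)[1]

    removed = log[:2] + log[3:]                    # entry 2 deleted
    results["removed"] = verify_chain(removed)[1]
    return results


if __name__ == "__main__":
    for name, finding in tamper_demo().items():
        print(name, "->", finding)
```

Rewriting a single entry is caught directly; rewriting it and recomputing its hash moves the break to the next entry's previous-hash check; deleting an entry shows up as both a sequence gap and a broken link. An insider who can rewrite the whole chain from the tampered point onward is only caught if an earlier head hash has been recorded out of their reach.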

Fallback System

Biometric systems cannot be assumed to cope with all individuals. There will be some people who cannot be enrolled on the system for the basic reason that they lack the required biometric feature, or the feature is so poorly defined that it is unsuitable for use on the system. Others may have cultural or religious objections to using the system. In addition, some individuals, once enrolled, will suffer temporary or permanent injury or illness that will prevent them using the system successfully (e.g. damaged finger, bandaged face, throat infection affecting voice). For these specific as well as general failures that may affect biometric and non-biometric systems alike, it will be necessary to provide alternate means of authentication. Fallback systems will need to be designed and implemented with attention to security requirements. If the fallback system security is weaker than the mainstream system, then an attacker may engineer a failure of the main system in order to exploit the fallback system.

Security Evaluation

Implementers of biometric systems concerned about security will probably want to seek assurance that the security features of the product or system meet the requirements for the application. For further information on this subject see MS09 - Biometric System Security Evaluation and Certification.

For further information see:

A more detailed description of the above issues and additional security concerns not covered in this summary can be found in the BWG document: Biometric Security Concerns (pdf).

The UK Biometric Working Group, managed by CESG, supports the UK government and provides advice and information about the implementation and use of biometric authentication systems.
For further details telephone +44 (0) 1242 221491 extension 34124
© Crown copyright, 2008.