The History Of The Biometric System

Published Date: 02 Nov 2017

Biometric System

Identification , verification , security , evaluation and privacy are of the important things in life, even if it's in personal or enterprises, for this important reasons human start to think about how to protect them self against the other who try to impersonating this items specially in data .

People start improving this items, until they found the best way "Biometrics", which mean each person around the world has different characteristics and there is no tow people are equal in this "Biometrics", depend on "Biometrics" they create what called "Biometric Systems".

Biometric System

3

Biometric

Biometrics refers to the automatic identification of human beings based on their physical and/or behavioral characteristics (Bio = life + Metrics = measurement), and Biometrics is a general term used alternatively to describe a characteristic or a process.

As a characteristic: a biometric is a measurable biological (anatomical and physiological) and behavioral characteristic that can be used for automated recognition.

As a process: a biometric is an automated method of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics.

Biometric system An automated system capable of capturing a biometric sample from an end user, extracting biometric data from the sample, comparing the data with one or more reference templates, deciding on how well they match, and indicating whether or not an identification or verification of identity has been achieved.

Biometric System type �? Face Recognition

The face recognition software analyzes specific features that are common to all human beings. This includes separation between the eyes, position of the cheekbones, jaw line, etc. Once the software analyzes all these features it combines them into a single code. �? Hand Geometry Biometrics

This security system is found commonly in industries. Hand geometry biometric system is useful in harsh and unclean environments. The non-intrusive reading produces a very small dataset.

Biometric System

4

�? Fingerprint Recognition

The fingerprint scanner is the most common type of biometric system. They have been incorporated into even laptops for better security. The fingerprint biometric system compares the ridges and furrows present on the person?�s fingertips and minute points of a specimen print with other prints in the database. Fingerprint comparison has been going on for the past 140 years and no 2 prints have been found to be the same. Though with age, the size of the hand grows; the distance between the ridges doesn?�t change. �? Retina Scan

Replicating the retina is impossible because the blood vessels that are present at the back of the eye form a unique pattern. The retina scan takes about 15 sec to complete and requires careful concentration. �? Iris Scan

The iris scan is similar to the retina scan and the information cannot be duplicated. �? Signature

This physically non-intrusive security system doesn?�t ensure authentication. There are people who use digitized signatures that don?�t validate authenticity. �? Voice Recognition

Voice recognition is similar to face recognition. It provides a method of authenticating without the person?�s knowledge. It is quite easy to cheat on this security test and hence is not used commonly.

Physical and Behavioral characteristics should meet some requirements in order to be used as biometrics methods. These requirements are either theoretical or practical. Theoretical requirements include:

�h Universality: Each person should have the biometric characteristic.

�h Distinctiveness: Any two persons are not equal in terms of the characteristic.

�h Permanence: The characteristic remains the same over time or has not abrupt changes.

Biometric System

5

�h Collectability: The characteristic should be able to be measured quantitatively.

�h Performance: The achievable recognition accuracy and speed that the biometric system can achieve.

�h Acceptability: The acceptance of the end-users in using the biometric system in their daily lives.

�h Circumvention: The degree of security of the system given fraudulent attacks.

Comparison among 5 types of biometric characteristics Biometrics Universality Uniqueness Permanence Collectability Performance Acceptability Circumvention Face

High

Low

Medium

High

Low

High

Low Fingerprint

Medium

High

High

Medium

High

Medium

High Hand Geometry

Medium

Medium

Medium

High

Medium

Medium

Medium Iris

High

High

High

Medium

High

Low

High Retinal Scan

High

High

Medium

Low

High

Low

High

BIOMETRIC SECURITY THREATS

Figure 1: Biometric System and the nine different points of attack.

Figure 1 shows a biometric system modules and nine different points of attack. These points of attack are discussed in detail below.

Points of Attack

Type 1

This point of attack is known as ?�Attack at the scanner?�.

Biometric System

6

In this attack, the attacker can physically destroy the recognition scanner and cause a denial of.

The attacker can also create a fake biometric trait such as an artificial finger to bypass fingerprint recognition systems, or inject an image between the sensing element and the rest of the scanner electronics to bypass facial recognition systems.

Putte and Keuning mentioned that the problem with most of the fingerprint scanners used these days is distinguishing between a real finger and a well created artificial (dummy) finger. The authors tested several fingerprint scanners to check whether such scanners will accept the dummy finger. Two methods were used to duplicate a real finger: with and without the co-operation of the owner. With the co-operation of the owner, the authors first created a plaster cast of the finger and the cast is then filled with silicon rubber to create a waferthin silicon dummy. The authors mentioned that the dummy can be glued to anyone?�s finger without it being noticeable to the eye. Without the co-operation of the owner, it is necessary to obtain a print of the finger from a surface or a glass. The authors claim that every dental technician has the skills and equipment to create a dummy from a print of the finger. Putte and Keuning claim that since 1990 several fingerprint scanners have been tested using dummy fingers and all tested scanners accepted a dummy finger as a real finger. Table 1 shows in detail the scanner?�s manufacturer, model, technology, date on which the scanners have been tested, and finally the number of attempts required to get the dummy finger accepted.

Type 2

This point of attack is known as ?�Attack on the channel between the scanner and the feature extractor?� or ?�Replay attack?�. When the scanner module in a biometric system acquires a biometric trait, the scanner module sends it to the feature extractor module for processing.

In this attack, the attacker intercepts the communication channel between the scanner and the feature extractor to steal biometric traits and store it somewhere.

The attacker can then replay the stolen biometric traits to the feature extractor to bypass the scanner.

Type 3

This point of attack is known as ?�Attack on the feature extractor module?�. In this attack, the attacker can replace the feature extractor module with a Trojan horse.

Biometric System

7

A Trojan horse program, named after the wooden artifact from Greek methodology that contained more than could be seen on the surface, refers to an executable code that is not a translation of the original program but was added later, usually maliciously, and comes into the system disguised as the original program. Trojan horses in general can be controlled remotely. Therefore, the attacker can simply send commands to the Trojan horse to send to the matcher module feature values selected by him.

Type 4

This point of attack is known as ?�Attack on the channel between the feature extractor and matcher?�. This attack is similar to the attack described in Type2. The difference is that the attacker intercepts the communication channel between the feature extractor and the matcher to steal feature values of a legitimate user and replay them to the matcher at a later time.

Figure 2: Attack System

Type 5

This point of attack is known as ?�Attack on the matcher?�.

This attack is similar to the attack described in Type3. The difference is that the attacker replaces the matcher with a Trojan horse.

The attacker can send commands to the Trojan horse to produce high matching scores and send a ?�yes?� to the application to bypass the biometric authentication mechanism. The attacker can also send commands to the Trojan horse to produce low matching scores and send a ?�no?� to the application all the time causing a denial of service.

Type 6

This point of attack is known as ?�Attack on the system database?�. In this attack, the attacker compromises the security of the database where all the templates

Biometric System

8

are stored. Compromising the database can be done by exploiting a vulnerability in the database software or cracking an account on the database. In either way, the attacker can add new templates, modify existing templates or delete templates.

Hill described a way to create an image of a fingerprint based on the information contained within the stored template (reverse engineering). Hill used a neural network classifier to predict the shape of the fingerprint based on minutiae points. The neural network takes as input minutiae points (where each minutiae point is characterized using its 2D location, ridge, curvature and orientation) and predicts the fingerprint?�s class. Once the class has been predicted, a synthetic fingerprint image is generated. Hill?�s proposed technique is observed to work on a database of 25 fingerprints

from arch class .

Type 7

This point of attack is known as ?�Attack on the channel between the system database and matcher?�. This attack is again similar to the attack in Type2. In this attack, the attacker intercepts the communication channel between the database and matcher to either steal and replay data or alter the data.

Type 8

This point of attack is known as ?�Attack on the channel between the matcher and the application?�. In this attack, the attacker intercept the communication channel between the matcher and the application to replay previously submitted data or alter the data.

Figure 4: Stack Smashing Attack

Type 9

We claim that a 9th point of attack exists in biometric systems. We call this attack ?�Attack on the application?�.

Biometric System

9

Bugs are a consequence of the nature of the programming task that no one can deny. It is a fact that any software has at least one bug in it. Since biometric authentication systems are not 100% accurate, most of these systems use traditional authentication schemes as a backup. For instance, fingerprint readers shipped with laptops these days force you to create a backup password that you can use to access the system if the fingerprint reader does not recognize you for some reason.

If a thief tries to break into a house, he can use the main entrance (door) to break into the house or he can figure out another way to enter the house (e.g.,window). Therefore, instead of attacking the biometric system directly, one can indirect ways to attack it. One way is by using brute force attacks (e.g., dictionary attacks) that can be mounted against the application to figure out the password. Another way would be to exploit a bug in the application that does the password authentication. If the application in a biometric system suffers from a critical bug (e.g., buffer overflow, double free, etc) then a skilled attacker can exploit this bug by sending the application a crafted input to change thecontrol flow of the program. By changing the flow of the program, the attacker can run code of his choosing with the privileges that the running application have.

If the attacker can run code of his choosing then the security of all the modules in a vulnerable biometric system is compromised. For example, the attacker can run code that will download a Trojan horse code from the Internet to replace the modules in the biometric system.

The attacker can also run code that will install a sniffer on the compromised system to make it easier to intercept the communication channels in the biometric system.

FINGERPRINT USER INTERFACE SYSTEM (FUIS)

Basic Concept

A FUIS is a user interface that employs fingerprint recognition. Using the FUIS, a user can specify different tasks by using different fingers for operating an input device. Since all fingers of a single person have unique fingerprint patterns, the finger used for the operation can be identified through the matching of the fingerprint patterns.

Biometric System

10

Figure 1 shows the basic architecture of the FUIS. The fingerprint image is captured when the finger touches the fingerprint scanner incorporated into the surface of an input device. If the captured image matches the one of the template fingerprint patterns registered in the finger ID table, the corresponding command or the data object is sent to the operation-target system.

This architecture for identifying a finger touching an input device leads to new types of interactions between fingers and input devices. One of the main characteristics of FUIS is that users can manipulate commands and objects as if they were actually attached to the users?� own

fingers.

Suppose a push-button interface to start one application out of three. In a conventional user interface without fingerprint recognition, three different buttons are needed to specify three different applications (Figure 2a). With a FUIS, however, a single button is sufficient to specify the

application. It is determined depending on which finger pushes the button (Figure 2b). The user can indicate the applications as if he/she held them in his/her own fingers

and sent them to the system.

Figure 3 shows another example of using a FUIS. When the finger touches the fingerprint scanner, the texts assigned to each user?�s finger are inserted into a document in a text editor. This makes the user feel as if the data were being stored in the fingers and it were copied from the fingers to the editor. The user can use his/her own fingers just as a virtual data storage.

Figure 1: Architecture of fingerprint user interface.

Biometric System

11

Figure 2: Comparison between two types of user interfaces.

Figure 3: Using fingerprint user interface as virtual storage

Designing a Fingerprint User Interface

As shown in Figure 1, the core components that compose a FUIS are fingerprint scanner, the matching module for the fingerprint recognition, and the finger ID table. In addition to these, we incorporate two functions into the FUIS to facilitate using it: visualizing commands/objects assigned to fingers and animating their virtual flow.

Incorporating Fingerprint Scanners:

The most critical issue in the FUIS design is how fingerprint scanners can be incorporated into input devices. Since the fingerprint pattern is captured when the finger touches the input device, it is required that the scanner should be put onto the surface of the device. So, the range of applications, to which FUISs can be applied, depends foremost on the size of the fingerprint scanners.

The most popular scanner to obtain a live-scan fingerprint image is an optical-type scanner, which consists of an assembly of an LED light source and a CCD placed on the other side of the glass plate. The CCD camera captures a fingerprint image illuminated by the LED light source. Since, however, the optical-type scanner needs some volume to ensure the light reflection, there is a certain limit for the size

Biometric System

12

reduction. Actually, the current average thickness of the optical-type fingerprint scanner is 3-4 cm. This prevents the scanner from being incorporated with the push-button surface of such small machines as a portable telephone and a hand-held computer. It can, however, be used as a touch-sensitive button embedded in larger machine. Our current experimental system uses an optical-type scanner (details later).

Semi-conductor fingerprint scanners have the possibility to solve the size problem. The scanner of Veridicom , based on sensing differential capacitance, is only 3 mm thick. This could be incorporated into a push-button surface. The reduction in the scanner size would expand the application domain of FUI.

However, these currently available scanners do not allow direct manipulations of objects in FUIs. To make the direct manipulations possible, a touch-sensitive screen must have a fingerprint scanning capability. If such a screen were developed, the user could pick up an object, pointed by a finger, directly from a screen to the finger. Also, the user could send a message (command) from a finger to the pointed object.

Fingerprint Recognition:

The fingerprint, obtained by the scanner, is identified using pattern recognition techniques. Many fingerprint identification methods have been proposed for the purpose of personal identification, and two main methods are currently available: the minutiae method based on the matching of fingerprint feature patterns (ridge ending patterns and ridge bifurcation patterns of minutiae) [6], and the image matching method based on the shading patterns of a fingerprint image [14].

These two methods can be used in FUIs, but there is a trade-off between accuracy and recognition time.

Generally, the minutiae method is more accurate but needs more time for recognition than the image matching method. In the minutiae method, it is necessary to extract fingerprint features from the captured image before the actual matching. This feature extraction process makes the recognition time longer.

Although the slow response of the minutiae method might irritate users, we chose the minutiae method for our experimental system because of its high accuracy of identification. We feel that user operations would suffer more from the misidentifications of fingerprints that cause the executions of undesired commands, rather than from the slow response of the system.

Biometric System

13

Constructing a Finger ID Table:

In order to use the FUI, it is necessary to create a finger ID table in advance.

That is, a template fingerprint pattern for each finger has to be registered, and the

registered patterns have to be bound to the corresponding commands or data objects.

The template patterns can be registered by having the user pressing each finger onto

the fingerprint scanner.

Since the registered patterns can be commonly used from different

applications installed on the same machine, the user does not have to register the

patterns repeatedly for all applications. The commands and data objects can be

assigned to the fingerprint patterns for each application separately.

Figure 4: Dialog for displaying commands and objects held on fingers.

Figure 5: Animation of the virtual flow of an object.

Fingerprint scanner

Biometric System

14

Figure 5: Assigning command to finger.

Figure 6 : Logical Data Model

Biometric System

15