Risk of Masquerade Arising from the Storage of Biometrics
Christopher James Hill
A subthesis submitted in partial fulfillment of the degree of
Bachelor of Science (Honours) at The Department of Computer Science
Australian National University
November 2001
© Christopher James Hill
Typeset in Palatino by TEX and LATEX 2ε.
Except where otherwise indicated, this thesis is my own original work.
Christopher James Hill
23 November 2001
To Mum, Dad, Andrew and Matthew.
Acknowledgements
This year has been pretty tough and I would not have survived with what little sanity I possess intact without the help of the following people.
Firstly, to the Australian National University, for providing funding through the National Undergraduate Scholarship. These funds have been greatly appreciated, as they have given me the opportunity to attend the ANU and focus on studying.
Thanks must also go to my supervisor, Dr. Roger Clarke for his enthusiasm, advice and effort which has helped to make this thesis possible. Also, thanks to Dr. Ramesh Sankaranarayana, my associate supervisor, for keeping me on track throughout the year, and to Mr. Richard Walker, for always having an answer to my questions, even the really stupid ones.
Thanks must also go to Dr. Markus Hegland for his efforts to educate me in applied mathematics, and to Dr. Brian Molinari, for helping me gain access to various research materials.
A big thanks to my housemates, Andrew and Imogen, for putting up with me on the days where things “didn’t go so good”. Also thanks to all my friends, especially Steve, for listening to me drone on about my project for far too long!
Thanks to all the honours guys, for the random afternoons at the bar, the many discussions and general good times that were had in (and out of) the lab.
Cheers to the Purple Pickle cafe for their scrumptious big breakfast (the best after an all-nighter) and for the coffees that kept me going throughout the year.
Finally, thanks again to mum and dad. Both have been unbelievable in their support despite all that they have to do, and have always been there for me. Also, thanks to my two brothers, Matthew and Andrew, for being such awesome individuals.
Abstract
Biometric authentication and identification systems are increasingly being used in place of traditional security systems. The introduction of new technology brings new security vulnerabilities to computer systems. One vulnerability introduced by these systems is that of masquerade through the use of a physical or digital artefact.
The possibility of masquerade through the use of an artefact created from the information contained within a stored template has in many cases been ignored, or asserted to be infeasible. This thesis examines the question of whether such an attack is possible.
A generic method is proposed for the development of an artefact for masquerade based on the information contained within a stored template. This method is then applied to a specific fingerprint system, and the resulting fingerprint images are tested against a database containing the corresponding templates.
A positive match for all 25 tested arch fingerprints is achieved. This indicates that it is possible to create an image of a fingerprint based on the information contained within the stored template.
Thus, more attention will have to go to securing stored fingerprint data, unless the feature extraction process can be proven to be one-way. It would appear that this conclusion is generalisable to many other biometrics, and perhaps to all biometrics. The generic method proposed can be applied in order to determine whether that proposition is correct.
Contents
Acknowledgements
Abstract
1 Introduction
    1.1 Motivation
    1.2 Approach
    1.3 Organisation
2 Biometric Systems
    2.1 Introduction
    2.2 Biometric Characteristics
    2.3 Biometric System Composition
        2.3.1 Biometric Capture Device
        2.3.2 Biometric Template Store
        2.3.3 Result Generator
    2.4 Enrolment
    2.5 Operation
        2.5.1 Identification
        2.5.2 Authentication
    2.6 Operating Accuracy
        2.6.1 Biometric Characteristic Variability
        2.6.2 Biometric Capture Variability
        2.6.3 Error Measures
    2.7 Biometric System Attacks
    2.8 Impact of Masquerade
    2.9 Summary
3 Security of the Biometric Template Store
    3.1 Overview
    3.2 Storage Location
        3.2.1 Self-Contained Biometric Device
        3.2.2 Remote Database
        3.2.3 Portable Token
    3.3 Storage Format
        3.3.1 Unprocessed
        3.3.2 Compressed
        3.3.3 Processed
        3.3.4 Encrypted
        3.3.5 Hashed
    3.4 Summary
4 Masquerade from Stored Templates
    4.1 Overview
    4.2 Generic Masquerade Method
        4.2.1 Template Access
        4.2.2 Template Decomposition
        4.2.3 Digital Artefact Creation
        4.2.4 Physical Artefact Creation
    4.3 Summary
5 Fingerprint Recognition Systems
    5.1 Suitability of Fingerprints
    5.2 Fingerprints
        5.2.1 Shape Characteristics
        5.2.2 Ridge Characteristics
    5.3 System Overview
    5.4 Capture Devices
        5.4.1 Scanning
            5.4.1.1 Optical
            5.4.1.2 Capacitance
            5.4.1.3 Thermal
            5.4.1.4 Pressure
            5.4.1.5 Ultrasound
        5.4.2 Pre-Processing and Feature Extraction
            5.4.2.1 Image Binarisation
            5.4.2.2 Ridge Thinning
            5.4.2.3 Ridge Orientation Estimation
            5.4.2.4 Ridge Smoothing
            5.4.2.5 General Image Enhancement
            5.4.2.6 Macro-Singularity Detection
            5.4.2.7 Minutiae Point Extraction
            5.4.2.8 Spurious Minutiae Removal
        5.4.3 Template Creation
    5.5 Template Store
    5.6 Result Generator
    5.7 Summary
6 Masquerade using Stored Fingerprint Templates
    6.1 Overview
    6.2 Motivation
    6.3 System Description
    6.4 Fingerprint Database
    6.5 Method
        6.5.1 Template Access
        6.5.2 Template Decomposition
        6.5.3 Shape Prediction
            6.5.3.1 Using a Decision Tree
            6.5.3.2 Using a Neural Network
        6.5.4 Image Generation
            6.5.4.1 Orientation Map Creation
            6.5.4.2 Orientation Map Selection
            6.5.4.3 Line Drawing
        6.5.5 Physical Artefact Creation
    6.6 Results
    6.7 Discussion
    6.8 Implications
    6.9 Summary
7 Conclusion
    7.1 Specific Contributions
    7.2 Future Work
A Company Listing
B Glossary
C Fingerprint Matching
    C.1 Generated Images
    C.2 Same Fingerprint Matching
Bibliography
List of Figures
2.1 Sample image from a hand scanner
2.2 Sample image of an iris
2.3 Image of the blood vessels in an eye’s retina
2.4 Small set of eigenfaces
2.5 Illustration of the structure of the nailbed
2.6 Illustration of the operation of a fingernail system
2.7 Three sample hand-vein patterns
2.8 Logical components of a generic biometric system
2.9 Articulated generic biometric system
2.10 Enrolment into a generic biometric system
2.11 Identification in a generic biometric system
2.12 Authentication in a generic biometric system
2.13 Free-floating iris cyst
2.14 Retina with retinitis pigmentosa
2.15 Generic graph of FAR, FRR and EER
3.1 Biometric template store located within the device
3.2 Biometric template store located on a remote server, configuration (a)
3.3 Biometric template store located on a remote server, configuration (b)
3.4 Biometric template store located on a portable token, configuration (a)
3.5 Biometric template store located on a portable token, configuration (b)
3.6 Biometric template store located on a portable token, configuration (c)
4.1 Generic masquerade method
5.1 Sample fingerprints with their associated shapes
5.2 Sample fingerprints, with marked macro-singularities
5.3 Fingerprint characteristics
5.4 Sketches of fingerprint shapes
5.5 Decision tree for shape determination
5.6 Synthetic fingerprint depicting minutiae points
5.7 General layout of an optical fingerprint scanner
5.8 Depiction of a capacitance scanner
5.9 Operation of ultrasound scanner
5.10 Detection of minutiae points
5.11 Depiction of a ridge ending
C.1 Arch 1: score = 60
C.2 Arch 2: score = 54
C.3 Arch 3: score = 103
C.4 Arch 4: score = 182
C.5 Arch 5: score = 129
C.6 Arch 6: score = 191
C.7 Arch 7: score = 162
C.8 Arch 8: score = 145
C.9 Arch 9: score = 115
C.10 Arch 10: score = 163
C.11 Arch 11: score = 115
C.12 Arch 12: score = 140
C.13 Arch 13: score = 223
C.14 Arch 14: score = 107
C.15 Arch 15: score = 112
C.16 Arch 16: score = 171
C.17 Arch 17: score = 83
C.18 Arch 18: score = 162
C.19 Arch 19: score = 145
C.20 Arch 20: score = 54
C.21 Arch 21: score = 67
C.22 Arch 22: score = 144
C.23 Arch 23: score = 116
C.24 Arch 24: score = 100
C.25 Arch 25: score = 135
C.26 Same finger test1: score = 1180
C.27 Same finger test2: score = 213
C.28 Same finger test3: score = 210
C.29 Same finger test4: score = 353
C.30 Same finger test5: score = 158
C.31 Same finger test6: score = 233
C.32
C.33
Chapter 1
Introduction
“First of all, it is important to remember that absolute security does not exist: given funding, willpower and the proper technology, nearly any security system can be compromised.” from [Atmel Corporation 2001], page 10.
1.1 Motivation
Security, in general terms, is concerned with the protection of some kind of asset. The level of security protecting these assets is relative to that provided by other (similar) systems, and to the ease with which an attacker can gain access to the asset. This thesis is concerned with the security aspects involved in the process of identifying a person that is attempting to access a secured asset, or the authentication of a person who is claiming a particular identity.
The introduction of biometric systems as an alternative to traditional security systems is seen as attractive by many, because of the potential for greater precision. The ability to use a characteristic of the user as a means of identification or authentication is seen as a benefit in terms of both security and usability. However the use of biometric systems introduces new risks both to the system and the user.
Biometric characteristics as used in biometric systems are typically consistent elements of what a person is, and hence cannot be easily altered or replaced. Therefore the theft of such a characteristic, especially if it is used as a “key” to a secure environment, is potentially devastating.
The possibility that the biometric data stored within templates by biometric systems could be used to masquerade the systems has not yet been subjected to a great deal of critical examination in the literature.
This thesis considers whether masquerade through the storage of biometric data is a significant vulnerability to biometric systems.
1.2 Approach
This is a new area of research, and hence the plausibility of a masquerade attack needs to be examined. This will be achieved through the following:
• The presentation of an analysis of template storage locations and formats
• The development of a generic masquerade method that can be applied to any biometric system
• The conduct of an experiment on commercially available software that performs fingerprint-based biometric identification/authentication
1.3 Organisation
Chapter 2 establishes the context for this thesis by describing biometric systems in general. Chapter 3 discusses the security implications of the storage location and format of templates. Chapter 4 introduces a generic method for generating an artefact for masquerade of a biometric system, based on the information contained in a stored template. Chapter 5 describes the fundamental principles of fingerprint-based biometric systems. Chapter 6 reports on the conduct of an experiment on a specific fingerprint system to determine if an image of a fingerprint, generated from a stored template, can be used to masquerade the system. Chapter 7 considers the contribution of this thesis and the possible work in this area that can be conducted in the future.
Chapter 2
Biometric Systems
2.1 Introduction
Within society there is a need to be able to quickly and easily prove that you are who you say you are. To withdraw funds from your savings account, gain access to a building, or travel from one country to another are all tasks that may require “proof” of your identity. The processes used to establish evidence of identity are identification and authentication. Where this thesis is referring to both processes at the same time, the term ’identity determination’ is used.
From [Clarke 2001], identification can be defined as “a process whereby a real-world entity is recognised, and its ’identity’ established”. Authentication, also from [Clarke 2001], can be defined as “the process whereby a degree of confidence is established about the truth of an assertion”. Therefore colloquially, identification is determining an individual’s identity from a group of possibilities, whereas authentication is the confirmation of a person’s claimed identity.
From an historical perspective, the process of authentication has been achieved (in security applications) through the use of:
• Something you know - a password, PIN, mother’s maiden name etc.
and/or
• Something you possess - id card, key, signet ring etc.
Identification has been traditionally accomplished through the use of:
• Some (one or more) type of accepted identifier - name, code etc.
While the above methods of identification and authentication have proven acceptable for hundreds of years, some aspects of society are starting to demand more accurate methods. This is due, in part, to the fact that passwords can be compromised or guessed, and possessed tokens can be stolen or forged. In addition, automated systems based on the above methods are unable to determine if the person supplying the token or information is, in fact, the same person that is enrolled in the system.
In an attempt to solve this dilemma, many security companies are turning to biometrics. This is demonstrated by the projected market size of $594 million for biometrics in 2003, up from approximately $58.4 million in 1999 (from [International Biometric Group 2001]). The use of biometrics in security creates a third method for the process of authentication, through:
• Something that you are
The following sections describe various aspects of biometric systems. Section 2.2 describes the various biometric characteristics used in, or under development for, biometric systems. Section 2.3 describes the components found within a generic biometric system. Section 2.4 describes the enrolment process for generic biometric systems, and the issues involved, while section 2.5 discusses the operational processes of biometric systems, namely identification and authentication. The accuracy of biometric systems, and how this differs from their security level is discussed in section 2.6, while the security vulnerabilities of a biometric system are listed in section 2.7. The harm that can arise from the system vulnerabilities is then discussed in section 2.9.
2.2 Biometric Characteristics
Biometrics, when described in the field of security, are measurable physical and behavioural characteristics. They are intended to be unique identifiers that cannot be easily transferred between individuals, or copied. The more common characteristics are listed below, along with a brief description.
Physical
• Fingerprint
Fingerprint biometric systems perform identity determination based on either the overall structure created by the ridge lines of a fingerprint, or through the specific ridge characteristics known as minutiae. An introduction to fingerprint systems can be found in chapter 5.
• Hand/Finger geometry
Hand and finger geometry systems typically use top and side images to estimate various measurements of the hand or finger. The typical measurements used are length, width and height of the fingers, and/or the hand. These two typical views and measurements are depicted in figure 2.1.
• Iris pattern
Iris recognition is based on the creation of a digital code from the visible elements that constitute the structure of the iris, such as arching ligaments, furrows, ridges, crypts, rings, freckles among others (some of which can be seen in figure 2.2). This technology is based on the techniques developed by John Daugman, a summary of which can be seen in [Daugman 2001].
Figure 2.1: Sample image from a hand scanner, from http://bias.csr.unibo.it/research/biolab/bio_tree.html
Figure 2.2: Sample image of an iris, from Iridian Technologies Inc.
• Retinal pattern
Retina recognition systems determine identity through the patterns formed by the blood vessels in the retina of an eye. The image of the retina is achieved through the use of a camera and infrared light source, and results in an image similar to that in figure 2.3.
Figure 2.3: Image of the blood vessels in an eye’s retina, from http://www.drbarr.com/professional.html
• Face recognition
Face recognition is one of the more complicated physiological biometrics. Due to the large number of potential variances in the face (e.g. sunglasses, facial hair, make up etc.) and external conditions (camera angle, lighting etc.) the matching of faces is not a simple task. There are two main ways of conducting facial recognition, through facial measurements, or through the use of eigenfaces.
Facial measurements are based on regions of the face that are less susceptible to change, including the upper outlines of the eye sockets, the areas surrounding the cheekbones, and the sides of the mouth.
Eigenfaces (see figure 2.4) are two dimensional grey-scale normalised representations of a face, originally developed at Massachusetts Institute of Technology (MIT).
Figure 2.4: Small set of eigenfaces, from MIT
Behavioural
• Signature dynamics
While the signature is a commonly used identifier within some aspects of society, the use of signature dynamics seeks to make it more accurate. By recording the “shape, speed, stroke, pen pressure and timing information during the act of signing” (from [CyberSIGN ]), these systems aim to identify people based on their unique writing style in addition to the shape of their signature.
• Vocal dynamics
Biometric systems based on the vocal dynamics use the “dimensions of the vocal tract, mouth, nasal cavities and the other speech processing mechanisms of the human body” (from [MatyAS and RIha ]).
• Keystroke dynamics
Keystroke biometric systems use the timing of keystrokes, preferences for various keys (e.g. the dominant use of delete instead of backspace) and relative error rates for the identification and authentication of users. This can be for hardening passwords, as in [Monrose et al. 1999] or for dynamic authentication, as in [Monrose and Rubin 1997; Monrose and Rubin 2000].
In addition to the above biometric systems, a number of systems are claimed to be under development:
• Palm print
Palm print biometric systems use very similar principles to those used in fingerprint recognition. However unlike fingerprint-based systems, palm printing uses the ridge lines on the entire palm, and hence has significantly larger requirements on the scanning device. See [Duta et al. 2000] for an investigative paper on palm print matching.
• Body odour
Biometric systems based on the emitted body odour from non-intrusive areas of the body (such as the back of the hand) are purportedly being researched by Mastiff Electronic Systems, according to [MatyAS and RIha ]. According to [Ronnberg 2001], these systems use the chemical composition of body odour to perform identity determination.
• Ear geometry
Ear geometry-based biometric systems use thermographic or grey-scale images of the ear along with various graphs based on detecting the curved edges of the ear (see [Burge and Burger 1998; Burge and Burger 1997; Burge and Burger 2000]). Some issues with ear geometry systems are occlusion by hair, variability due to lighting conditions, and potential non-uniqueness of the ear (as a biometric).
• Facial thermographics
Thermal imaging of people’s faces is based on the heat radiated by the blood vessels located beneath the skin. According to [Jain et al. 2000], this pattern can be captured using infrared imaging, and is being investigated for uniqueness and suitability for biometric systems.
• Fingernail ridgelines
Underneath a human fingernail exists a nailbed that is composed of “unique longitudinal, tongue-in-groove spatial arrangement of papillary papillae and skin folds arranged in parallel rows.” (from [AIMS Technology Inc. ]). This is illustrated in figure 2.5.
Figure 2.5: Illustration of the structure of the nailbed, underneath a fingernail, from [AIMS Technology Inc. ]
The only known system that uses this biometric characteristic is under development by AIMS Technology Incorporated. The system works through the detection of phase changes created by the structure of the nailbed. This can be used to determine the dimensions (widths) of the rows that exist in the nailbed. These widths can then be used to create what is likened to a “barcode” to identify an individual (see figure 2.6).
Figure 2.6: Illustration of the operation of a fingernail system, from [AIMS Technology Inc. ]
• Gait
Systems that identify individuals based on their gait are being developed as prototype biometric systems. For example, [Orr and Abowd 2000] identifies users based on the pressure and duration of the interaction between a person’s feet and special sensor pads in the floor. A method using the pattern of hip rotation has also been developed in [Cunado et al. 1997].
• Hand-vein pattern
Hand-vein biometric systems utilise an infrared light source, similar to that used in retinal pattern systems, to create an image of the blood vessels in the back of a hand (see figure 2.7).
Figure 2.7: Three sample hand-vein patterns, from Neusciences
The above biometric characteristics are being used as the basis for new authentication and identification systems. These systems are being implemented to provide security services for many different applications, both real-time and offline, distributed and local.
2.3 Biometric System Composition
Due to the variety of different biometrics available, in addition to the different system architectures that can be built, it is not practicable to develop a simple generic architecture for a biometric system that corresponds to physical devices. However, as depicted in figure 2.8, a generic system can be split into the following logical structural components:
• Biometric Capture Device
• Biometric Template Store
• Result Generator
Figure 2.8: Logical components of a generic biometric system
[Diagram labels: Biometric Capture Device, Biometric Template Store, Result Generator; Live Biometric, Live Template, Master Template(s), Result; (Enrolment), (Operation)]
This simple model is used and expanded upon in the following sub-sections, which describe the function of each of the components in turn. It is then used in section 2.4 (Enrolment) and section 2.5 (Operation) to show how each of the above components is used within a biometric system, during each of these processes.
2.3.1 Biometric Capture Device
The biometric capture device is responsible for the capture, and subsequent process-ing of a biometric sample. A biometric sample is a digital representation of a biomet-ric characteristic, and is used internally by the system. Examples of biometric samplesare the recording of a person speaking their pass-phrase, and the image of a person’sfingerprint.
While the method and physical components utilised vary with the system andbiometric characteristic used, the following are the four generic sub-components thatcan be found within most systems. Note that all sub-components do not have to bepresent for a system to operate.
1. Scanner
The scanner is the most obvious part of the biometric capture device. It is the external object that every user of the system interacts with to supply their biometric characteristic. For example, face recognition systems use a camera to capture an image of a face, and voice based systems typically use a microphone. While each biometric system is different in its structure and composition, a scanner is always necessary to capture the biometric sample.
2. Pre-Processor
The pre-processor, if present, receives a biometric sample captured by the scanner, and processes it to, most commonly, increase either its usability or clarity. Often, due to environmental or physiological influences, such as a noisy environment, extreme temperature, extreme lighting, or an unusual emotional state, the biometric sample is not usable or accurate enough for use by the system. In these systems, the pre-processor can be used to clean up the sample.
This can be achieved in many ways, and is different for each biometric characteristic. For example iris recognition systems may first need to correct the brightness of the obtained image, or crop the image external to the iris itself (from [Daugman 2001]). The pre-processing for fingerprint recognition systems is discussed in section 5.4.2 on page 50.
3. Feature Extractor
A feature extractor may be utilised by biometric systems to locate and extract specific information. This results in only applicable information being kept. It is a lossy process, whereby only the important features selected by each particular implementation are used. Depending on the system configuration, the amount of information extracted can be set to a greater or lesser extent. In low security systems, for example, the feature extractor can be set to locate and extract only the minimum required information for authentication or identification, although the required information for identification will likely be higher due to its more complicated nature. This is addressed in section 2.5.1 on page 15.
The algorithms and methods used for both pre-processing and feature extraction are applicable only to the biometric being analysed. They are often proprietary and/or patented, especially those in commercial systems. However, a few researchers have made public some methods and algorithms that can be used in appropriate biometric systems. For example, the pre-processing and feature extraction methods used in iris based biometric systems can be seen in [Daugman 2000]. Also one type of pre-processing and feature extraction used for fingerprint recognition systems can be seen in [Jain and Pankanti 1999]. Commonly used pre-processing and feature extraction algorithms for fingerprint-based systems are discussed in more detail in section 5.4.2 on page 50.
4. Template Creator
The final step conducted by the biometric capture device is to create the template to be used by the system. Typically, if the system has undertaken some kind of feature extraction there will also be a template creation step. Otherwise, the biometric sample (with or without pre-processing) will be used. During enrolment, the created templates are placed in the template store, along with a locally unique identifier. These templates are called master templates. Any template created during the operation of the system will be compared against one or more master templates. Templates used during operation are called live templates. The templates created by current systems are nearly all system specific. The format of the templates produced by the template creator is discussed in more detail in section 3.3 on page 31.
Thus, figure 2.8 on page 10 can be articulated by adding these subcomponents of the biometric capture device, as seen in figure 2.9.
[Diagram; labels: Live Biometric, Biometric Capture Device (Scanner, Pre-Processor, Feature Extractor, Template Creator), Biometric Sample, Extracted Data, Master Template (Enrolment), Live Template (Operation), Biometric Template Store, Master Template, Result Generator, Result]
Figure 2.9: Biometric system with biometric capture device sub-components
2.3.2 Biometric Template Store
The biometric template store is the location where master templates, created by the biometric capture device during the enrolment process, are stored. The master templates are used in the identification and authentication processes described in sections 2.5.1 on page 15 and 2.5.2 on page 16 respectively. Depending on the system configuration, the master templates can be stored in one of three locations (from [Ashbourn 1999]):
• Within a self-contained biometric device
• On a portable token
• In a remote database
The system requirements usually dictate the appropriate storage location. For example, for mobile phone security it makes sense to store the master template for user(s) of the phone within the device itself, whereas for a network login system, the master templates would be better stored in a central database, so that users can log in at any terminal connected to the system.
Each of these storage alternatives has a number of advantages and disadvantages with regards to the security of the system. As stated in section 1 on page 1, analysing the impact of the storage location on the risk of masquerade is one of the aims of this project. Thus, this issue will be examined in more detail in chapter 3.
2.3.3 Result Generator
The result generator is the third logical component of a biometric system. Here the live template is compared against at least one of the master templates stored within the biometric template store, depending on the operation mode. This process is commonly referred to, throughout the literature, as matching.
According to [International Biometric Group 2001], algorithms used in this process are specific to the biometric characteristic used as well as the system’s manufacturer. They are typically proprietary, private algorithms.
Matching aims to find a similarity measure between two templates. Then, if the similarity measure is above a predefined confidence (or threshold), the result is an “accept”. If the similarity measure is too low, then the result generated is a “reject”. This result is typically passed to either the application running the system, or to the device the biometric system is controlling (e.g. mobile phone, door lock etc.).
During authentication, the result produced can either be the matching score achieved, or a simple yes/no response. The yes/no result has the advantage of simplicity, but cannot be customised for different applications. Returning the matching score allows the application to customise the required confidence depending on what asset the person is attempting to access. However, this has a dangerous potential vulnerability. It is possible that a rogue application could intercept the matching score, alter the template (or biometric sample) being tested and resubmit it for authentication. By iteratively applying this process, the application could gradually modify the template (or biometric sample) until it matches the master template (to some confidence). This attack is identified in [Soutar 1999] as a “hill-climbing” attack. Therefore, for security, most result generators will only return a yes/no result based on the current required confidence.
Alternatively, if performing identification, the result generator must (potentially) deal with numerous positive matches. This can be achieved simply by returning the identity that achieved the highest match score, or by returning the set of identities that achieved a match score greater than the required confidence.
Finally, it should be noted that matching is not an exact process, primarily due to the variability of the capture process. The frequency of the errors is dependent on many things, including the algorithms used and the biometric characteristic. This topic is explored further in section 2.6 on page 16.
2.4 Enrolment
Section 2.3.1 on page 10 considered the function and structure of each of the logical components of a biometric system. This section, and the subsequent section, consider the operational aspects.
Enrolment is the process that an individual must undergo in order to become an accepted user of a system. This is commonly done under physical supervision, both to prevent unauthorised enrolments and to ensure the quality of the captured biometric sample is adequate.
The enrolment process is depicted in figure 2.10 wherein a live biometric characteristic is supplied to a biometric capture device along with a locally unique identifier. The resulting template (after passing any automatic or manual quality checks) is stored in the biometric template store (along with the identifier) as that user’s master template.
[Diagram; labels: Live Biometric, Locally Unique Identifier, Biometric Capture Device, Master Template, Biometric Template Store]
Figure 2.10: Enrolment into a generic biometric system
It should be noted that this process is very important for the usability and security of the system. Without careful controls the system is vulnerable to harm (both accidental and deliberate). While most security systems are open to the same deliberate security threats, biometrics is especially vulnerable to accidental harm through naive users and administrators. For example, a user who enrols their hand geometry after spraining their wrist the evening before, will not only experience trouble using the system once the swelling is reduced, but is also providing a security risk through the inaccuracy of the master template. This threat is classified in section 2.7 on page 21.
While this sort of ’accidental’ security risk is best solved through the training and diligence of system administrators, two main methods exist to attempt to reduce the likelihood of a low quality master template. The first is to require a set of biometric samples during enrolment, rather than relying on just one. Each sample is converted to a template and temporarily stored before being compared with each other to ensure (to the predefined confidence of the system) that they are from the same person, and to ensure a consistent quality. If all templates are of sufficient quality, the master template is then constructed, either from a composite of each of the enrolled templates, or by choosing the template that has the best quality. An example of this process for enrolling fingerprints can be seen in [Ankari 1999].
Establishing the quality of a template is another proprietary process of most biometric systems. However, it is typically achieved through the use of a quality score (from [International Biometric Group 2001], page 9). This reflects the success of the feature extractor in detecting the important features for a particular biometric characteristic. An example of this is given in [Jain and Pankanti 1999], where at least 25 features (described in section 5.2.2 on page 44) are required, or the captured fingerprint is rejected.
A second method of decreasing the likelihood of low quality master templates occurs during the operation of the system when performing authentication. Using this method, every time a live template is determined to match a master template, the master template is updated in some manner. This can be done either by substituting the live template for the master template, or by incorporating any differences between the two templates into the master template. For example, [Sanchez-Reillo et al. 1999] describes a method of using weighted averages, based on the time the sample was taken. Both methods have advantages and disadvantages, depending upon the biometric used, and the required security level of the system.
The major disadvantage of the second method occurs when an unauthorised user is falsely accepted as a valid user. When this occurs, the master template will be updated using the invalid biometric characteristic, thus decreasing the security of the system by increasing the probability that a second attack (by an unauthorised person) will be successful. It will also increase the likelihood that the authorised user will be rejected next time they attempt to authenticate.
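The two quality controls described above, multi-sample enrolment and updating the master template on each match, can be sketched as follows. This is an added example, not code from the thesis: the toy similarity measure, the 0.90 confidence, the update weight and every sample template are constructed assumptions; only the 25-feature minimum is taken from the text.

```python
from itertools import combinations
from math import sqrt

MIN_FEATURES = 25           # minimum feature count the text cites from [Jain and Pankanti 1999]
REQUIRED_CONFIDENCE = 0.90  # assumed match threshold for this toy matcher
UPDATE_WEIGHT = 0.5         # assumed weight given to the newest live template


class EnrolmentRejected(Exception):
    """Raised when the sample set fails a quality or consistency check."""


def similarity(a, b):
    """Toy similarity measure (an assumption): 1.0 for identical vectors."""
    return 1.0 / (1.0 + sqrt(sum((x - y) ** 2 for x, y in zip(a, b))))


def enrol(samples, policy="composite"):
    """Build a master template from (feature_count, template) pairs.

    Every sample must reach the quality score and every pair of samples
    must match each other to the required confidence.
    """
    if len(samples) < 2:
        raise EnrolmentRejected("a set of samples is required, not a single one")
    for count, _ in samples:
        if count < MIN_FEATURES:
            raise EnrolmentRejected(f"low quality sample: only {count} features")
    for (_, a), (_, b) in combinations(samples, 2):
        if similarity(a, b) <= REQUIRED_CONFIDENCE:
            raise EnrolmentRejected("samples are not consistent with each other")
    if policy == "best":
        # Choose the single template with the best quality score.
        return max(samples, key=lambda s: s[0])[1]
    # Composite: element-wise mean of all enrolled templates.
    dims = len(samples[0][1])
    return tuple(sum(t[i] for _, t in samples) / len(samples) for i in range(dims))


def authenticate_and_update(master, live, weight=UPDATE_WEIGHT):
    """Second method: on every match, fold the live template into the master.

    Returns (accepted, master_after). A rejected attempt leaves the master unchanged.
    """
    if similarity(master, live) <= REQUIRED_CONFIDENCE:
        return False, master
    updated = tuple((1 - weight) * m + weight * v for m, v in zip(master, live))
    return True, updated


def drift_demo():
    """Show what one false accept does to later match scores (constructed data)."""
    master = enrol([(31, (0.50, 0.50)), (28, (0.52, 0.49)), (34, (0.49, 0.51))])
    owner_live = (0.49, 0.51)   # the enrolled user on a later day
    near_miss = (0.60, 0.50)    # someone else, just inside the confidence
    farther = (0.65, 0.50)      # someone else, initially outside the confidence
    before = {"owner": similarity(master, owner_live),
              "farther": similarity(master, farther)}
    accepted, master = authenticate_and_update(master, near_miss)
    after = {"owner": similarity(master, owner_live),
             "farther": similarity(master, farther)}
    return accepted, before, after


if __name__ == "__main__":
    accepted, before, after = drift_demo()
    print("false accept updated the master:", accepted)
    print("owner score   %.3f -> %.3f" % (before["owner"], after["owner"]))
    print("farther score %.3f -> %.3f" % (before["farther"], after["farther"]))
```
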
2.5 Operation
The operation of a biometric system depends on whether authentication or identification is being performed. Overall, the process involves the comparison of a live template with one or more master templates.
When performing identification, the system compares the live template against the entire set of master templates, or a subset thereof, if appropriate. This one-to-many comparison seeks to establish the identity of a person with no extra information other than that contained within the live template.
Alternatively, authentication seeks to determine whether the biometric characteristic supplied by the person matches that of the identity they are claiming (typically through a user id number or token). This is a one-to-one comparison.
The following sub-sections are a generalisation of typical industry representations. They have been adapted to describe the generic processes of identification and authentication using a biometric system.
2.5.1 Identification
Identification is the determination of a person’s identity from a group of possibilities. Therefore, when performing identification, a live template (generated from a live biometric characteristic) is sent to the result generator and compared against every enrolled master template, unless a subset is more appropriate. For example, in fingerprint identification, the biometric sample can be classified by its overall shape (see section 5.2.1 on page 42), hence only master templates with that overall shape need be (initially) searched. This process is depicted in figure 2.11.
[Diagram; labels: Live Biometric, Biometric Capture Device, Live Template, Biometric Template Store, Master Templates 1...n, Result Generator, Result: Identifier with highest match score OR [Set of locally unique identifiers]]
Figure 2.11: Identification in a generic biometric system
Identification can result in a number of potential matches between master templates and the current live template. This will occur when multiple master templates have a match score (from the result generator) that is greater than the required confidence. This can occur due to (usually) three main reasons. Firstly, if the required confidence for a match is set too low it will be easier to gain multiple matches. Secondly, if the live template and/or a number of master templates are excessively noisy, it is possible for the matches to be generated despite the original biometric characteristics being significantly different. Both of these situations can be addressed through a higher confidence and better quality templates respectively.
A third reason for multiple matches is due to having numerous master templates created from similar biometric characteristics. This can arise naturally, due to genetic similarities or coincidence, or through the use of a biometric that isn’t suitably discriminatory.
2.5.2 Authentication
Authentication is the process of testing an assertion that a person is who they claim to be. Thus, in a biometric system, when a person claims a particular identity, through an identification number, code or other distinguishing characteristic, they must also supply a biometric characteristic. The captured biometric sample is then used to produce a live template that is compared against the master template for that identity. If the live template is sufficiently close to the master template (i.e. the match score is greater than the required confidence), then the user is authenticated. This process is depicted in figure 2.12 on the facing page.
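An added sketch (not code from the thesis) of the result generator of section 2.3.3 as it is used for identification and authentication in sections 2.5.1 and 2.5.2. The toy similarity measure, the class and field names, the shape-class labels and the sample templates are all constructed assumptions.

```python
from dataclasses import dataclass
from math import sqrt


def similarity(a, b):
    """Toy similarity measure (an assumption): 1.0 for identical vectors."""
    return 1.0 / (1.0 + sqrt(sum((x - y) ** 2 for x, y in zip(a, b))))


@dataclass(frozen=True)
class MasterRecord:
    identifier: str    # locally unique identifier stored at enrolment
    shape_class: str   # coarse class used to narrow an identification search
    template: tuple    # master template as a feature vector


class ResultGenerator:
    def __init__(self, store, required_confidence):
        self._store = {rec.identifier: rec for rec in store}
        self._required = required_confidence

    def authenticate(self, claimed_id, live_template):
        """One-to-one comparison against the claimed identity's master template.

        Only yes/no leaves this method; the match score stays internal, so the
        calling application receives no per-attempt score to iterate on.
        """
        record = self._store.get(claimed_id)
        if record is None:
            return False
        return similarity(live_template, record.template) > self._required

    def identify(self, live_template, shape_class=None, return_all=False):
        """One-to-many comparison, optionally restricted to one shape class.

        Returns the identifier with the highest match score (or None), or,
        with return_all=True, every identifier above the required confidence,
        best match first.
        """
        candidates = [r for r in self._store.values()
                      if shape_class is None or r.shape_class == shape_class]
        scored = sorted(
            ((similarity(live_template, r.template), r.identifier) for r in candidates),
            reverse=True,
        )
        matches = [ident for score, ident in scored if score > self._required]
        if return_all:
            return matches
        return matches[0] if matches else None


# Constructed sample data: u001 and u002 have similar characteristics.
STORE = [
    MasterRecord("u001", "loop", (0.10, 0.80, 0.35, 0.60)),
    MasterRecord("u002", "loop", (0.12, 0.78, 0.37, 0.58)),
    MasterRecord("u003", "whorl", (0.90, 0.20, 0.70, 0.10)),
]
LIVE = (0.11, 0.80, 0.36, 0.60)  # live template captured from user u001

if __name__ == "__main__":
    for confidence in (0.95, 0.98):
        gen = ResultGenerator(STORE, confidence)
        print(confidence,
              "best:", gen.identify(LIVE),
              "all:", gen.identify(LIVE, return_all=True),
              "claim u002:", gen.authenticate("u002", LIVE))
```

With the confidence at 0.95 the live template matches both similar master templates and would authenticate under the wrong claimed identity; at 0.98 only the true identity remains.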
2.6 Operating Accuracy
Biometric systems have the disadvantage (as compared to traditional password-based systems) that two biometric samples, both captured from the same biometric characteristic, will differ, sometimes significantly, even if the two captures occur only seconds apart on the same capture device (from [International Biometric Group 2001], page 9). In addition, unlike a password which, when evaluated, produces either a match, or non-match result, a biometric comparison by the result generator can only calculate a score indicating the extent to which the live template and master template match. Both of these traits are due to variances within the biometric characteristic and the capture process. The following two sub-sections analyse the variety of sources that cause differing biometric samples from the same biometric characteristic. This is followed by a brief discussion of the typical methods used by biometric system providers for measuring the errors that are caused by these variations.
[Diagram; labels: Live Biometric, Locally Unique Identifier, Biometric Capture Device, Live Template, Biometric Template Store, Master Template, Result Generator, Result: (Yes/No) OR (Matching Score)]
Figure 2.12: Authentication in a generic biometric system
2.6.1 Biometric Characteristic Variability
Biometric characteristics are not unchangeable. While most biometric characteristics remain constant after they are fully developed, they are still vulnerable to change, due to a number of factors. The major factors (identified in [International Biometric Group 2001]) are as follows (note that examples are generally taken from popular literature):
• External Influence
For some biometric characteristics, the individual’s occupation can result in significant change of the characteristic. For example miners’ fingerprints are typically less pronounced due to the corrosive influences of their work. Short term alterations can also develop from external influence, such as laryngitis altering the sound of a person’s voice.
Behavioural characteristics are particularly vulnerable to external influences. Nervousness, excitement or even too much coffee can render a person incapable of producing their biometric characteristic accurately enough. For example if someone’s hand is shaking, they may be unable to produce their signature in the same manner and in the same form as when they enrolled.
• Disease
Biometric characteristics can also be altered significantly by disease. For example, the iris seen in figure 2.13 depicts a free-floating cyst in the anterior chamber of the right eye in a 12-year-old girl. This may result in the occlusion of a significant proportion of the iris, hence preventing accurate matching. In addition, figure 2.14 contains an image of a retina with retinitis pigmentosa, which may affect the accuracy of retina pattern matching.
Figure 2.13: Free-floating iris cyst, from http://eyecancerinfo.com/Pages/photogal1.htm
Figure 2.14: Retina with retinitis pigmentosa (affliction of the photoreceptor cells of the retina), from http://www.optobionics.com/retinaldisease.htm
• Injury
All biometric characteristics can be altered both temporarily and permanently by injury. This is due to the fact that biometric characteristics are “what you are”, and even the behavioural biometrics can be altered as a result of an injury to a relevant part of your body. For example a finger could be broken, destroying the hand geometry as well as inhibiting the ability to produce a signature in the usual manner (at least for a short time). A minor cut on a finger could alter the fingerprint, and a major burn could result in a permanently scarred, and unrecognisable, fingerprint.
2.6.2 Biometric Capture Variability
The physical change of biometric characteristics is only a minor component in the inaccuracy of biometric systems. The major cause of differing biometric samples, captured from the same biometric characteristic, is the differences created during the capture process. The factors that may cause variability in biometric capture are as follows:
• Environmental factors
Environmental factors such as light, temperature, humidity etc. affect various biometrics during their capture (e.g. light levels and directions may cause problems for visually-based systems like face recognition, due to shadows, reflections and decreased contrast within the image). These environmental effects can alter the biometric template quite significantly.
• User interaction
The way the user interacts with the scanner may also alter the quality and hence accuracy of the template produced. For example, speaking too loudly into a microphone will distort a voice sample, and pressing too firmly on a fingerprint scanner may distort the fingerprint beyond recognition (from [Ankari 1999]).
• Variations Among Capture Devices
Within a given biometric system, there may be multiple scanners. While each may capture the same type of biometric characteristic, each will operate slightly differently to any other. This is due to variations in the manufacturing process. In addition, a system may utilise a number of different models of scanners, sometimes from different manufacturers. These may have different operational parameters, resulting in significantly different biometric samples.
• Device Degradation
The scanners used within a biometric system will also degrade over time. For example, the protective coatings of fingerprint scanners will be worn away by constant interaction with fingers. Device degradation can be alleviated through regular maintenance. Some systems attempt to do this automatically, such as the Ultra-Scan Corporation ultrasound fingerprint scanners that automatically re-calibrate themselves on power-up (see [Ultra-Scan Corporation]).
2.6.3 Error Measures
The result of all these variations (which is quite small in the majority of cases) is that each time a template is created from a live biometric characteristic, the result is slightly different. Thus, the result generator is required to provide a matching service to try to determine if the live template belongs to the same person as the currently selected master template.
In order to evaluate the success of the biometric system at performing this task a number of error measures have been developed. These measures are commonly used throughout the literature. The following definitions are taken from [UK ITSEC 2001]:
• False Accept Rate (FAR) - the probability that a biometric system will incorrectly identify an individual or will fail to reject an [unauthorised person].
The FAR of a biometric system increases as the matching confidence is lowered. This is because the security level has been decreased, resulting in a greater probability that a person will be incorrectly identified, or authenticated, and subsequently accepted.
• False Reject Rate (FRR) - the probability that a system will fail to identify an [authorised individual], or [authenticate] the legitimate claimed identity of an [authorised individual].
The FRR is also bound to the matching confidence. When the confidence is increased, the required score for a match is more difficult to obtain due to the variability of biometric characteristics and the capture process. Thus, rejections are more likely to occur, even for authorised individuals.
• Equal Error Rate (EER) - when the [confidence] of a system is set so that the proportion of false rejections will be approximately equal to the proportion of false acceptances.
Whilst the EER (also known as the cross-over) has no real significance in the operational accuracy of a biometric system, it is commonly utilised as a description of the overall accuracy of the system, for use as a comparative measure against other biometric systems.
Most biometric system providers supply FAR, FRR and EER figures for their system in an effort to impress upon the potential buyer the security level of the system. However, these figures, while they are related to the security of the system, mainly describe the accuracy of the algorithms used. For example, the FAR indicates the probability that a person’s live template will be incorrectly identified, or authenticated, when they are not enrolled in the system. While this appears to define the security level of the system, this is not the case. The FAR is typically determined through the evaluation of tests based on a (usually large) sample database of biometric templates. Therefore, the FAR does not take into account any effort put in by an unauthorised user to improve the potential success of the attack. It typically evaluates the accuracy of the processing and matching ability of the system.
[Graph: % of Users plotted against Confidence, with curves labelled FAR and FRR and their crossing point labelled EER]
Figure 2.15: Generic graph of FAR, FRR and EER
In addition, the published error rates are usually created through controlled tests using disproportionate samples of the general population, in a laboratory environment. Thus the figures generated have little bearing on real world operating accuracy. This trend has prompted the development of [UK Biometric Working Group 2000], and the ’U.S. National Biometric Test Center’ formerly located at San Jose State University, in an attempt to gain some consistency in the reporting of the accuracy of biometric systems.
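How the FAR, FRR and EER of section 2.6.3 are derived from a test database of match scores, as an added example that is not part of the thesis. The score lists and function names are constructed assumptions; the figures it produces describe only this sample of scores, which is the limitation the text points out for published error rates.

```python
def far(impostor_scores, confidence):
    """False Accept Rate: share of non-matching comparisons scored above the confidence."""
    return sum(s > confidence for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, confidence):
    """False Reject Rate: share of same-person comparisons scored at or below the confidence."""
    return sum(s <= confidence for s in genuine_scores) / len(genuine_scores)


def sweep(genuine, impostor, confidences):
    """Return (confidence, FAR, FRR) for every candidate confidence setting."""
    return [(c, far(impostor, c), frr(genuine, c)) for c in confidences]


def equal_error_rate(genuine, impostor, confidences):
    """Confidence setting at which FAR and FRR are closest (the cross-over)."""
    return min(sweep(genuine, impostor, confidences),
               key=lambda row: abs(row[1] - row[2]))


def lowest_confidence_for_far(genuine, impostor, confidences, max_far):
    """Lowest confidence whose FAR does not exceed max_far, with the FRR it costs."""
    for row in sweep(genuine, impostor, sorted(confidences)):
        if row[1] <= max_far:
            return row
    return None


# Constructed match scores from a small test database (not measured data).
GENUINE = [0.62, 0.71, 0.78, 0.81, 0.84, 0.88, 0.91, 0.93, 0.96, 0.97]
IMPOSTOR = [0.12, 0.21, 0.28, 0.33, 0.41, 0.47, 0.56, 0.64, 0.77, 0.82]
CONFIDENCES = [i / 20 for i in range(21)]  # 0.00, 0.05, ..., 1.00

if __name__ == "__main__":
    for c, fa, fr in sweep(GENUINE, IMPOSTOR, CONFIDENCES):
        print(f"confidence {c:.2f}  FAR {fa:.1f}  FRR {fr:.1f}")
    print("EER row:", equal_error_rate(GENUINE, IMPOSTOR, CONFIDENCES))
    print("FAR <= 0.1 costs:", lowest_confidence_for_far(GENUINE, IMPOSTOR, CONFIDENCES, 0.1))
```
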
2.7 Biometric System Attacks
The following attacks on biometric systems are a subset of those identified in [UK ITSEC 2001] and [Polemi 1997]. The attacks listed are all made possible, or potentially more successful, through access to the biometric template store.
• Difficult Biometric
Some users may have biometric characteristics that are badly dealt with by the system (e.g. a badly scratched fingerprint), and hence have difficulty authenticating consistently. As a result the required confidence from the result generator may be set lower than usual for that user. Alternatively, the user may not have the required biometric (e.g. they do not have the ability to speak). As a result, these users may have enrolled using a traditional password, and hence have all the advantages and disadvantages that accompany those systems.
• Similarity
An unauthorised person may know of an authorised user that possesses a very similar characteristic. This may be due to genetics (e.g. twins, or closely resembling siblings), or simply chance. However, if known, the similarity could be exploited by an unauthorised user, most probably in combination with a simulation attack.
• Bad Enrolment
If an authorised user generates a bad template during enrolment, this can be exploited. Due to its decreased accuracy, there is a greater probability that a live sample will match the template. For example, a bad (noisy) template used in a fingerprint system will (usually) result in spurious minutiae points (see section 5.4.2.8 on page 52). This will increase the likelihood that another person’s fingerprint (or alternatively, a cleverly crafted artefact) will generate enough similarity with the template to pass the required confidence level of the system.
• Unauthorised Enrolment
If an unauthorised user is able to enrol themselves into the system, they will be able to gain access through their own biometric characteristic. This enrolment may be achieved through alteration of an existing template of the database, insertion of a new template, or through a security procedure error (e.g. pretending to be a temporary employee, and preying upon the instinct of people to assist others) or some other means.
• Simulation
An attack may be attempted by an unauthorised user by simulating the biometric characteristic of an authorised user. For example, a user may attempt to copy a person’s speech patterns or signature shape (and writing style) in order to gain access to the system. This type of attack is more likely to succeed with behavioural characteristics, due to their variable nature, however the attack could also be attempted with some physical characteristics, where a person may alter their own in an attempt to simulate another person. Examples of this could be wearing glasses and growing a beard (for face recognition) or holding their hand slightly differently (or deliberately causing swelling) for hand geometry.
• Artefact
This attack is similar to that of a simulation, however in this attack, the biometric characteristic is provided through the use of an artificial device. This device may be synthetic or natural (i.e. a latex fingerprint may be used, or another person’s finger, removed from the original ’owner’, and perhaps attached to a new one, may be used). Synthetic artefacts can be generated from either the stored master template, or from observing the biometric characteristic in the real world.
2.8 Impact of Masquerade
One of the ways in which a biometric characteristic can be compromised is through the theft of a master template. This template can then be analysed and a synthetic artefact reproducing the characteristic represented by the template may then be created. The attack based on this method is commonly referred to as a masquerade attack.
Biometric systems are based on physiological and behavioural characteristics that cannot be easily transferred between individuals, or copied. However, this has a counterproductive side in that whenever a biometric characteristic is compromised, it is compromised permanently. There is no simple way of changing an authorised user’s voice if another person can successfully simulate it. For the system administrator, this may only be an inconvenience, as they can usually switch that user to a password based authentication system, or alternative biometric characteristic supported by the system. However, the impact for the user is significantly greater. With the current usage of biometrics in criminal prosecution (e.g. fingerprinting), the theft of an individual’s biometric characteristics can have lasting ramifications.
An important issue with masquerade attacks is that the attack does not have to occur all at once. For example, a hacker may obtain access to the biometric store of a large corporation, and steal copies of every employee’s biometric template. For each of these templates a synthetic artefact may be created and used months or years after the initial theft. This is due to the nature of biometrics (i.e. they are unique to an individual and do not change markedly over time).
In addition, it must be remembered that biometric characteristics are not ’secrets’. Unlike passwords, which cannot be captured from a person unless they deliberately demonstrate them (through writing, typing etc.), biometrics can be captured, often without the possessor’s knowledge, during everyday activities. For example a photograph of a face may be taken when walking down the street, or a latent print extracted from a wine glass at a restaurant. If biometric authentication becomes widespread, a little effort from a hacker could provide access to bank accounts, business and home doors, and any other system that utilises the same biometric.
This leads to the possibility of identity theft, whereby a person’s identity is co-opted and used for numerous masquerade attacks. Using biometric characteristics for authentication and identification increases the threat posed from identity theft, as there is no simple method for altering a biometric characteristic. Therefore the secure storage of master templates is a significant issue that must be addressed by biometric system manufacturers.
2.9 Summary
This chapter has provided an overview of biometric systems, including the various biometric characteristics that can be used for the purposes of identification and authentication. It has examined the various logical components of the system and their function. The processes of identification and authentication have also been described, as have the common sources and measures of error involved in biometric systems. Finally the attacks that utilise an insecure biometric template store have been described, and the impact that the theft of biometric templates can have, in terms of masquerade (artefact) attacks, has been detailed.
The aim of this thesis is to investigate the risk of masquerade based on the storage of master templates. The next chapter examines the security of the biometric template store.
Chapter 3
Security of the Biometric Template Store
3.1 Overview
The vulnerabilities of biometric systems have been identified and examined in a number of papers (e.g. [Ashbourn 2000; UK ITSEC 2001; Polemi 1997]). However, not all areas have been examined extensively. One area that has been given light treatment so far is how the security of the biometric template store affects these vulnerabilities. While a number of papers exist describing methods for protecting the security, integrity and authenticity of data during transmission (e.g. [Atmel Corporation 2001]), very little analysis of the risks of the storage of biometrics has been undertaken.
An insecure biometric template store can be used in a number of attacks on biometric systems. These attacks were identified in section 2.7 on page 21. One attack, which is the focus of this thesis, aims to achieve masquerade through the generation of a physical or digital artefact from a master template (this process will be discussed in more detail in chapter 4 on page 35). Therefore to determine the risk of such an attack the possible locations and formats for the biometric store need to be examined. This is done in section 3.2, in which the taxonomy for storage location from [Ashbourn 1999] is analysed, and in section 3.3 on page 31, where a taxonomy of storage formats is introduced and discussed.
3.2 Storage Location
Master templates, contained in the biometric template store, can be located within either a remote database, within a self-contained biometric device, or on a portable token. Each of these locations is appropriate for different systems, depending on the requirements. For example, a system providing secure access to buildings, where the buildings are spread over large distances, may not work well with the templates stored in a central database, due to latency, cost of cabling etc. It would also be inappropriate to store the templates within the devices that control the locks on each door, as each user would then have to enrol themselves with every building they want to enter (although this could be an advantage for high security areas, if a different biometric was provided to each device). Therefore the most probable solution would be to use a portable token (such as a smartcard) containing the person’s master template.
However, there are advantages and disadvantages from a security point of view that accompany each of the storage locations as well. The main attacks that focus on the biometric template store are listed in section 2.7 on page 21. In addition, the location of the biometric template store also affects the susceptibility of the system to other attacks, such as denial of service, transmission and component alteration attacks. These attacks are described below (from [UK ITSEC 2001]).
• Transmission
Depending on the system being used, the transmission of data from one point to another is a potential security weakness. As with current password based systems, data that is transmitted must be protected from capture, replay, redirection and modification. This is particularly important for biometric systems deployed on local or wide area networks.
• Denial of Service
Biometric systems can be attacked using a denial of service style attack at all three major components. The biometric capture device, the result generator, and the template store can all be attacked through some means (e.g. constant transmission requests) so as to render them unusable by the system.
• Component Alteration
The system’s components may be physically altered to allow access, or to improve the probability of success for another attack. Most commonly, this would involve the biometric capture device, due to its accessibility to the user. Components could be destroyed, replaced with rogue components (that could provide a number of attacks, such as transmission data capture), or damaged or otherwise altered to produce more favourable results (e.g. scratching a fingerprint scanner to provide a noisier image).
The following sections discuss the general advantages and disadvantages of each storage location, as well as analysing the potential risk for the above attacks.
3.2.1 Self-Contained Biometric Device
In general terms, the main advantage of using a biometric store located within a self-contained device, is that the system becomes a self-sufficient, independent unit. Hence it can be deployed (almost) anywhere, or be portable. For example, a mobile phone utilising speech recognition would be classed in this category, if the biometric template store was located within the phone. This portability also introduces two disadvantages:
• The device has limited usability due to (often) limited storage capacity. Additionally, each user must enrol for that particular device, as there is no central storage repository to draw from.
• The system may become unavailable due to loss or theft. Portable, or self-contained devices are more susceptible to loss or theft.
From a security standpoint, the major advantage of storing one or more master templates in a self-contained unit, is that there is a greatly reduced risk of any transmission-based attacks being possible. This is depicted in figure 3.1 which illustrates the lack of any insecure channel for transmission, as all components are contained within the one device. This reduces the likelihood of replay attacks, and also reduces the possibility of data interception, redirection or analysis during transmission. This is only the case if the device is made in a tamper-resistant manner. This tamper-resistance also reduces the possibility of denial of service attacks, by preventing access to the template store and the result generator. The capture device can never be fully protected from users, due to its nature.
[Figure 3.1: Transmission security of a biometric device, with the biometric template store located within the device. Diagram labels: Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel.]
While a biometric system with a self-contained biometric template store is less vulnerable to transmission, denial of service and component alteration attacks, it is more vulnerable to attacks using physical artefacts. This is due to the fact that the template store is located with the capture device, which by definition, must be accessible in some manner by the user. Therefore, an attacker is more likely to be able to gain possession of the template store, and hence has a greater opportunity to extract one or more master templates.
Unauthorised enrolment attacks are also more likely for the same reason. With the template store more accessible to an attacker, there is a greater probability that the template store can be altered to contain a template that can be used by the attacker. The risk of this is still fairly low however.
3.2.2 Remote Database
Using a remote database for the template store enables the system to store the master templates of a large number of people in a controlled, central location. A remote database is typically located on a server that is external to a number of biometric capture devices, and possibly the result generator as well. This is evident in figures 3.2 and 3.3 on the next page.
[Figure 3.2: Transmission security of a biometric device, with the biometric template store located on a remote server, configuration (a). Diagram labels: Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel, insecure communication channel.]
One advantage of using a remote database as a template store is that it makes management of the enrolled users of a system easier. In addition, the database can be attached to a number of applications to allow the convenience of using the same biometric characteristic for each application. The physical location of the database can also be carefully controlled, as it can be located off-site (relative to the biometric capture devices) in a secure location. This results in a reduced vulnerability to some attacks, including component alteration and forged template based attacks, through controlled physical access, monitored maintenance etc.
A disadvantage of using a remote database is that it provides a central focal point for some attacks that could yield a large amount of information. For example, while the possibility of accessing the database itself to alter an existing template, add a user, or copy out user templates is low (as compared with the other two storage locations), successful infiltration of the database would yield biometric templates for all the users of the system. This would pose a very large security risk, for every user, on every system that they have enrolled using that particular biometric characteristic.
Another disadvantage of using a remote database is the increased transmission of biometric data. This creates an increased opportunity for transmission attacks, including things like replay, data interception, redirection etc. These attacks can be avoided through the use of a physically protected network, however in most circumstances, this is not practical.
[Figure 3.3: Transmission security of a biometric device, with the biometric template store located on a remote server, configuration (b). Diagram labels: Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel, insecure communication channel.]
3.2.3 Portable Token
The main advantage that comes with a portable (independent) biometric template store is a combination of versatility, and user control. Versatility means that by storing the template within the portable token, it can be used with any number of systems that can integrate with the token. Typically, each token only contains a template (or set of templates) for a single user. Thus, each user can control their own master template. This allows users a greater degree of control of what happens with their own data, and in which systems it is used.
The major disadvantage of using portable tokens for the storage of biometric templates is that it is much easier for users to lose their token (and hence their own master template), or for it to be acquired when a wallet (or similar) is stolen. Another disadvantage is the checking the system must do to ensure that forged tokens are not used with the system, and that the biometric data on valid cards has not been altered (unauthorised enrolment attack). Moreover, the token must check the validity of the biometric capture device to ensure that its own integrity is not compromised by a rogue device.
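One way a system could perform the token checks described above, shown as an added example rather than anything taken from the thesis: the issuer binds the token identifier, the user and the stored template together with an HMAC-SHA256 tag, and the reader recomputes it before accepting the token. The record layout, the shared issuer key and the revocation set are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key. A real issuer key would be generated randomly and
# held in protected hardware at the issuer and at each reader (assumption).
ISSUER_KEY = hashlib.sha256(b"constructed demo issuer key").digest()


def _encode(token_id, user_id, template):
    """Length-prefix every field so field boundaries cannot be shifted."""
    out = b""
    for field in (token_id.encode(), user_id.encode(), template):
        out += struct.pack(">I", len(field)) + field
    return out


def issue_token(token_id, user_id, template, key=ISSUER_KEY):
    """Enrolment: store the template on the token together with an integrity tag."""
    tag = hmac.new(key, _encode(token_id, user_id, template), hashlib.sha256).digest()
    return {"token_id": token_id, "user_id": user_id, "template": template, "tag": tag}


def verify_token(record, key=ISSUER_KEY, revoked=frozenset()):
    """Reader-side check, run before the master template is used for matching.

    Returns (accepted, reason)."""
    if record["token_id"] in revoked:
        return False, "token revoked"
    expected = hmac.new(
        key,
        _encode(record["token_id"], record["user_id"], record["template"]),
        hashlib.sha256,
    ).digest()
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected, record["tag"]):
        return False, "integrity tag mismatch"
    return True, "ok"


if __name__ == "__main__":
    genuine = issue_token("T-0001", "alice", b"constructed template bytes")
    print("genuine token:       ", verify_token(genuine))

    # Unauthorised enrolment: the template on a valid card has been replaced.
    altered = dict(genuine, template=b"substituted template bytes")
    print("altered template:    ", verify_token(altered))

    # Forged token: produced by someone who does not hold the issuer key.
    forged = issue_token("T-0002", "alice", b"substituted template bytes", key=b"k" * 32)
    print("forged token:        ", verify_token(forged))

    # A token reported lost is refused even though its tag is valid.
    print("revoked token:       ", verify_token(genuine, revoked={"T-0001"}))
```

The tag protects integrity only: whoever holds the token can still read the template it carries.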
From a security standpoint there are a number of advantages to using portable tokens. Firstly, denial of service, and transmission attacks (as a result of the template storage location) are minimised. From figures 3.4 on the following page, 3.5 on the next page and 3.6 on page 31, it is evident that there are no insecure communication channels due to the use of portable tokens, although there may be one depending on the remaining system structure. Also, potential transmission attacks are still possible between the result generator and the component/service being controlled.
In addition, it would be difficult (although not impossible) to achieve a component alteration attack upon the template store when it is located in a portable token. As the token is under the control of the user, it would be difficult (although by no means inconceivable) to alter the component without their knowledge.
[Figure 3.4: Transmission security of a biometric device, with the biometric template store located on a portable token, configuration (a). Diagram labels: Token, Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel, insecure communication channel.]
[Figure 3.5: Transmission security of a biometric device, with the biometric template store located on a portable token, configuration (b). Diagram labels: Token, Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel, insecure communication channel.]
[Figure 3.6: Transmission security of a biometric device, with the biometric template store located on a portable token, configuration (c). Diagram labels: Token, Biometric Capture Device, Result Generator, Biometric Template Store, Live Biometric, Live Template, Master Template, Result. Legend: secure communication channel, insecure communication channel.]
However, a template store located on a portable token is the most vulnerable storage location to artefact and forged template attacks. Due to potential for theft or loss of the token, storage of templates on portable tokens has a much greater risk of these attacks. Even with the most secure storage format, in addition to the use of tamper-resistant construction, a determined effort could conceivably result in access to the template store (see [Anderson and Kuhn 1997] and [Anderson and Kuhn 1996]), enabling a physical or digital artefact attack.
Despite the risk for these attacks being the highest, the resulting harm from such an attack is the least, especially if detected quickly, due to the fact that portable tokens typically only contain a single template. Hence, in the event of a theft or loss of a token, steps can be taken to prevent any potential attacks using the stolen master template, or token, mainly through the cancellation of the access for that biometric characteristic, and token. However, this does not lessen the impact that a theft has on the individual user, see section 2.9 on page 23.
3.3 Storage Format
Another consideration when analysing the security of a biometric template store is the storage format used. This depends on how the template creator manipulates the biometric sample before its insertion into the biometric template store. The format that is used for template storage impacts on a number of issues. Most predominantly, template storage format impacts on template sizes, speed of comparison, and ease of use for artefact creation (and subsequent masquerade attack).
The following sections identify and describe the major available formats that may be used for template storage, as well as detailing their impact on relevant issues.
3.3.1 Unprocessed
The simplest template storage format is to store the biometric sample as it is captured by the biometric capture device (after any pre-processing, as described in section 2.3.1 on page 10). This format stores things like the actual image of a fingerprint, or an actual recording of a person’s voice. As a result, this format generates the largest template sizes for any particular biometric characteristic, as it does not involve any feature extraction. In addition, the speed of comparison is quite low, as the template must be processed (by a feature extractor) before the live and master templates can be compared. Finally, the format generates the most insecure templates when considering an artefact based attack. With no modification from capture, the template is a copy of the biometric characteristic that has only been modified by unintentional capture variations. Hence the template can be used to create a physical or digital artefact without any modification, or even supplied directly back to the capture device.
3.3.2 Compressed
Compression is another simple format of template storage. In comparison with unprocessed storage, there is no advantage from a security viewpoint, as there has been no real alteration in the biometric data stored. Hence a synthetic artefact can be created from the original captured biometric data once the compression has been reversed. The compression format also has no advantage over unprocessed storage in terms of comparison speed. In fact, it will generally be slower than unprocessed storage, as the result generator must first decompress the stored biometric data, then process both the live data and the decompressed master template before being able to perform the comparison. The only advantage to this storage format is a reduction in size of the template. This can be particularly useful in systems where the biometric sample is large, such as voice recordings. An example of this storage format is the Wavelet/Scalar Quantization compression standard adopted by the US Federal Bureau of Investigation for digital fingerprint images (see [Bradley et al. 1993]).
3.3.3 Processed
Processing is the most common form of biometric template storage. This generally involves the extraction of the main identifying features of a biometric characteristic. Features are selected for extraction based upon their ease of detection, stability, convenience, and uniqueness (see feature extraction in section 2.3.1 on page 10). These features are then assembled into a template in a system-specific manner, that varies with each manufacturer and biometric characteristic. The manner in which the extracted features are assembled is, like feature extraction, usually proprietary and private to each manufacturer (from [International Biometric Group 2001], page 8).
The advantage of this format of storage is that not only is the created template significantly smaller (due to the extraction of only interesting features), but also matching time is significantly reduced due to the prior processing of the master template. Hence there is no need for pre-processing before the result generator compares the live template with the master template. This speed increase is especially noticeable if the system is operating in an identification mode, as each master template does not need to be processed as the system compares each against a live template.
In terms of security, a processed template is supposed to store sufficient data for identification/authentication purposes, and yet not contain sufficient information to enable the re-creation of the original biometric characteristic. This issue is discussed further in chapter 4 on page 35.
3.3.4 Encrypted
Encryption is another possible format for the storage of biometric templates. It is usually combined with one of the three preceding formats, unprocessed, compressed or processed. The use of encryption typically results in little difference in the overall size of the stored template. It does provide additional protection for the biometric data, however it is not foolproof in its protection. Hostile systems administrators, brute force attacks, implementation flaws and deliberate back-doors all undermine the protection provided by encryption.
The main disadvantage of encrypting templates is that it reduces the speed of comparison, sometimes quite significantly. Due to this speed decrease, some biometric system creators have developed their own encryption algorithms, which are designed to provide the same level of protection, but operate significantly faster.
It should be noted that utilising private cryptographic algorithms significantly increases the possibility of an algorithmic attack. Public algorithms have been studied by numerous cryptographic experts, and improved over time, resulting in a strong algorithm that contains no flaws, to the best of public knowledge. Implementing a private cryptographic algorithm with no public review greatly increases the potential for a flaw in the algorithm to go unnoticed (or even for a back door to be deliberately inserted without the knowledge of users). Thus while providing an increase in processing speed, the use of private cryptographic algorithms also introduces a potentially larger security risk (see [Schneier 1996]).
3.3.5 Hashed
Hashing is the least used storage format for biometric templates. It has been suggested in some articles (such as [Calabrese 1999]) that storing only a hash of biometric templates could be used to prevent template theft. There are a number of different possible hashing functions. The basic premise is to take an input of arbitrary length, apply the function and produce a fixed length hash. This process can be designed to operate in a one-way or two-way manner. For the storage of biometric templates, a two-way hash function provides little security as the function, even if kept private, could be determined by a patient attacker.
Using a one-way hash function would solve this problem, as by definition one-way hash functions are not reversible. However, as no two biometric samples will ever be the same (see section 2.6 on page 16), comparing the hash of two templates (from the same biometric characteristic) will never result in a successful match, unless by accident. This is due to the fact that hash functions are designed so that sequential inputs result in non-sequential output. That is, when hashed, two templates that differ only very slightly, will result in completely unrelated hashes. Thus one-way hash functions, while being the ideal format for protecting biometric templates, appear to be inappropriate for use in biometric systems.
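The mismatch described above can be seen in a short added example (not code from the thesis): two captures of the same constructed minutiae template differ by a few units per value, a tolerance-based comparison still accepts them, and their SHA-256 hashes differ in roughly half of all bits. The template layout, the tolerances and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import math
import random

# Constructed sample data: a processed template as a list of minutiae
# (x, y, ridge angle in degrees). The layout is an assumption for illustration.
MASTER = [(34, 120, 45), (88, 60, 130), (150, 200, 270),
          (210, 95, 10), (62, 180, 315), (175, 40, 90)]
IMPOSTOR = [(20, 30, 200), (100, 150, 20), (190, 160, 100),
            (240, 20, 300), (120, 110, 180), (30, 230, 60)]


def capture(template, jitter=2, seed=1):
    """Simulate a second capture of the same finger: every value moves by up to +/- jitter."""
    rng = random.Random(seed)
    return [(x + rng.randint(-jitter, jitter),
             y + rng.randint(-jitter, jitter),
             (a + rng.randint(-jitter, jitter)) % 360) for x, y, a in template]


def serialise(template):
    """Fixed-width big-endian encoding, 2 bytes per field."""
    return b"".join(v.to_bytes(2, "big") for point in template for v in point)


def template_hash(template):
    """One-way hash of the serialised template."""
    return hashlib.sha256(serialise(template)).digest()


def bit_difference(a, b):
    """Fraction of differing bits between two equal-length digests."""
    differing = sum(bin(p ^ q).count("1") for p, q in zip(a, b))
    return differing / (8 * len(a))


def fuzzy_match(live, master, tol_xy=5.0, tol_angle=10, min_fraction=0.8):
    """Tolerance-based comparison: accept if enough master minutiae have a
    live minutia close by in both position and angle."""
    matched = 0
    for mx, my, ma in master:
        for lx, ly, la in live:
            d_angle = abs(ma - la) % 360
            d_angle = min(d_angle, 360 - d_angle)
            if math.hypot(mx - lx, my - ly) <= tol_xy and d_angle <= tol_angle:
                matched += 1
                break
    return matched / len(master) >= min_fraction


def compare(live, master):
    """Run both comparisons on the same pair of templates."""
    h_live, h_master = template_hash(live), template_hash(master)
    return {
        "hash_equal": h_live == h_master,
        "bit_difference": bit_difference(h_live, h_master),
        "fuzzy_match": fuzzy_match(live, master),
    }


if __name__ == "__main__":
    print("same finger, new capture:", compare(capture(MASTER), MASTER))
    print("different finger:        ", compare(IMPOSTOR, MASTER))
    print("identical bytes:         ", compare(MASTER, MASTER))
```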
3.4 Summary
The purpose of this thesis is to investigate the risk of masquerade from the storage of biometrics. This storage occurs in the form of templates. Within this chapter, the applicable storage locations and formats have been presented and discussed. It has been demonstrated that there are vulnerabilities irrespective of the alternative selected. The possibility of an attacker obtaining a stored biometric template therefore exists, despite security features implemented by the biometric system. The next chapter proposes a generic method for acquiring and using a master template to conduct masquerade.
Chapter 4
Masquerade from Stored Templates
4.1 Overview
One of the major identified disadvantages of biometric systems is the potential for theft of one or more biometric templates. The impact that such a theft would have on both individuals and system administrators is discussed in section 2.8 on page 22. However, it should be reiterated that theft of a biometric template could lead to a masquerade attack through the creation of a physical or digital artefact based on the information contained within the template.
Many biometric system providers maintain that even should all existing protections on master templates be defeated, their templates have been processed in such a way as to render impossible any attempts at recreating the original biometric characteristic from the template. Examples of these claims are:
• “It [a biometric template] cannot be used to reconstruct an image to reveal a person’s identity to someone else.” from http://www.iosoftware.com/biometrics/press.htm
• “However, you cannot recreate the original fingerprint from the minutiae data.” from http://www.veridicom.com/technology/how.htm
• “The fingerprint representation is commonly called a “master template,” and a true image of the fingerprint cannot be recreated from this master template.” from http://www.biometricaccess.com/bacfaq08.htm
• “This fingerprint template cannot be used to recreate your fingerprint and it is not in a form that can be used by any other security system. Your identity can never be ‘cloned.’” from http://www.digitalpersona.com/Technology/security.html
• “This means that even if someone were able to crack the security of the system and steal the fingerprint template, they would not be able to create the fingerprint image.” http://www.digitalpersona.com/Support/FAQ7.html
However, most of these companies only address the possibility of recreating the original biometric characteristic from the template. One very recent paper, [International Biometric Group 2001], unlike all other papers located during this research, acknowledges that two different risks exist: the recreation of an original biometric, and the creation of an artefact, from a biometric template.
• “Note that biometric templates cannot be used to regenerate original biometric data.” from [International Biometric Group 2001] page 23.
• “However, it cannot be stated with absolute certainty that images cannot be rebuilt in some fashion - the rebuilt image may be a poor likeness, but it is possible that some features can be reverse-engineered with access to vendor source code.” from [International Biometric Group 2001] page 29.
Within the literature, there appears to be no other material relating to this topic. Therefore, this chapter develops a generic method for preparing a digital and physical artefact from a stored template, for use in a masquerade attack on a biometric system.
4.2 Generic Masquerade Method
This method is a four step process that is designed to apply to all biometric systems. It aims to reverse-engineer a digital and physical artefact from a master template. The overall method is depicted in figure 4.1.
[Figure 4.1: Generic masquerade method, with the resulting output from each step of the process. Steps, starting from the Biometric Template Store: 1 Access, 2 Decomposition, 3 Digital Artefact Creation, 4 Physical Artefact Creation. Outputs: 1: Acquired template; 2: Data structures and definitions; 3: Digital artefact (equivalent of biometric sample); 4: Physical artefact (equivalent of biometric characteristic).]
As described in [Anderson and Kuhn 1996], based on [Abraham et al. 1991], the following is a taxonomy for attackers:
• Class I (clever outsiders): generally intelligent people who may have insufficient knowledge of the system. Typically these attackers only have access to moderately sophisticated equipment and aim to exploit existing weaknesses.
• Class II (knowledgeable insiders): typically have substantial specialised knowledge of one or more aspects of the system. Often these attackers have access to highly sophisticated equipment.
• Class III (funded organisations): assemble teams of people from class II, usually with the aim of obtaining the services of people with complementary skills. Often well funded and organised, these attackers are able to conduct in-depth analysis of a system with the intent of designing sophisticated attacks to achieve their goals.
This taxonomy highlights the different levels with which any attack can be carried out. The following generic method can be applied at all three levels. However the higher the class of attacker, the more likely an implementation of this method is to succeed.
4.2.1 Template Access
The first step to performing this type of attack is to gain access to one or more biometric templates. This can be achieved through a number of methods, depending on the location of the template store (discussed in section 3.2 on page 25). Those with permanent access to the target system (the system that the masquerade attack will be conducted against), such as system administrators, have a distinct advantage here as they typically have access to all master templates. Thus they can select any particular template, to suit the attack’s purpose.
Those without privileged access can still conceivably conduct a targeted masquerade attack (where an individual is selected for masquerade due to the intended harm sought by the attacker). This could be achieved through the theft of their biometric (e.g. if the system uses portable tokens as the biometric store), or through eavesdropping attacks on the targeted individual’s workstation, or a range of other methods.
4.2.2 Template Decomposition
After obtaining a biometric template, the next step is to understand what exactly is contained within it. Depending on the storage format used, this may or may not be a simple task.
The following are the storage formats (identified in section 3.3 on page 31) that are commonly used in commercial systems, ordered by their ease of decomposition (note that hashing is not currently implemented by any system uncovered during this research):
1. Unprocessed
An unprocessed template requires no template decomposition other than determining the file type (or similar) that is used. For example an unprocessed voice recording could be stored in a variety of sound formats (e.g. WAV, MP3 etc.). This would be regarded as unprocessed as the biometric characteristics have not been processed.
2. Compressed
A compressed template will typically have to be uncompressed before it can be decomposed in any intelligent manner. Therefore the type of compression must first be determined. This may be done through public knowledge, access to private knowledge, or through experimentation. Once the template has been decompressed it can be decomposed as an unprocessed template.
3. Processed
A processed template is more difficult to decompose. This type of template is usually created using private data structures and definitions. Therefore, decomposition requires public or inside information, experimentation, or some combination of the three. This task is further discussed below.
4. Encrypted
Encrypting a template provides an extra layer of protection for the template. This means that the encryption must be broken prior to any attempts at decomposing the template itself. This can be achieved through inside knowledge (of the encryption algorithm and the key), or through any of the existing methods of attacks on encrypted messages, such as ciphertext only, known plaintext etc. (see [Stallings 2000]). Thus encryption applied to any of the three preceding storage formats increases the difficulty of decomposition.
When decomposing an unencrypted, processed template, it is very difficult to determine the structure with only a single template to work from. There are two main methods to make the task simpler.
One way to increase the ease of decomposition is to access multiple templates. This will allow for multiple comparisons between each of the templates. They can then be analysed for similarities and consistent patterns that indicate the structure used.
A better method is to have access to a copy of the software used in the target system. Using the software it is possible to control the input to the system, and analyse the template produced. This means that small changes in the provided characteristic can be deliberately induced, and the resulting changes in the template can be monitored. This method is basically a black box analysis of the software, with an intent to discover how various sample biometric characteristics are dealt with.
The above methods are suitable for an attack by those with only publicly available information, and little equipment or resources, i.e. class I attackers. Attacks performed by those who are or have been involved in the industry (class II attackers) may not require these methods due to inside information about the structure of templates in general, or specific information on a particular system.
4.2.3 Digital Artefact Creation
After determining the data structure and definitions of master templates for the target system, the acquired template(s) can then be used to reverse-engineer one or more digital artefacts. For some biometric characteristics, this would be quite difficult, especially behavioural characteristics. However most physical characteristics produce biometric samples that are in the form of images or some other representation that can be created with relative ease.
The actual construction of the digital artefact is not a particularly simple process. Detailed information on the typical formation, shape and general appearance of the appropriate biometric characteristic are required.
Behavioural characteristic samples can also be created. While being a little more abstract, digital representations can be created to simulate the biometric characteristics. The difficulty arises with the addition of timing information that will either have to be simulated, or represented in some other manner.
In some cases, a digital artefact is sufficient for conducting a masquerade attack against the target system. This occurs when the attacker can contrive to have the digital artefact fed into the system in place of a live sample. This is most likely to be achievable on distributed systems, e.g. where the characteristic captured at a terminal is processed on the local machine, before being transmitted for matching. In this example, the digital artefact could be substituted for the sample captured by the local scanner.
4.2.4 Physical Artefact Creation
In those systems where the use of a digital artefact for masquerade is inappropriate or prohibitively complicated, a physical artefact must be created. It should be built based on the digital artefact created in section 4.2.3 on the facing page. However, while physical characteristics can be represented physically by an object, behavioural characteristics, which typically use time as an additional measure, are more challenging to represent as a physical artefact, and many may not be feasible. This thesis does not further investigate behavioural biometrics.
The creation of life-like, synthetic human body parts is a difficult task. For some physical characteristics, creating a synthetic representation is a significant challenge, due to the characteristic and the complex surrounding structure (e.g. a retina). In addition, masquerade attacks are performed in person and in a public area, as well as remotely, hence any synthetic artefact must be sufficiently life-like to be convincing in a cursory examination. Where the attack can be carried out in private, the appearance of the artefact is irrelevant.
Most biometric system providers have also taken steps to ensure that a biometric characteristic is “live” when presented to the biometric scanner. This testing by the biometric scanner, which aims to detect fake or dead objects, is often referred to as liveness testing. Thus, a physical artefact must be capable of defeating any liveness testing. It should be noted, however, that not all systems implement liveness testing, as a number of articles describe successful attacks using simple physical artefacts, such as photos (see [Soto 2001; PC Magazine 1999; Network Computing 1998]). Therefore, with prior knowledge of the scanner used in the target system, an artefact can be tested against that biometric scanner to determine if it is capable of defeating any liveness testing. If no prior knowledge of the target system is available, research into the current state of the art in liveness testing (either through publicly available information, or through class II attackers) should be done. The artefact could then be tested on a scanner that implements the current state of the art liveness tests.
4.3 Summary
From the preceding sections, a general method for preparing for a masquerade attack on a biometric system has been determined. While behavioural systems were discounted due to the difficulty of creating an artefact, this may be possible in the future with appropriate research.
This method is designed to counter the claims of biometric companies that it is not possible to create a synthetic artefact based on a processed template. However to determine the plausibility of the method it was necessary to attempt a masquerade attack using an artefact created from a stored, processed template. The experiment was designed to develop a digital artefact, and use it to demonstrate that masquerade using digital artefacts was feasible. It was not intended to proceed to the stage of creating a physical artefact.
Fingerprint biometric systems were selected for this experiment. The reasons for this decision, and an examination of the operation of fingerprint recognition systems will be discussed in chapter 5 on the next page, and the actual experiment described in chapter 6 on page 55.
Chapter 5
Fingerprint Recognition Systems
5.1 Suitability of Fingerprints
The previous chapter described the generic method for preparing a masquerade attack from a stored template. The experiment detailed in the following chapter utilises fingerprint recognition. Fingerprint biometrics were chosen for the following reasons.
Firstly, fingerprint-based identification is a mature discipline. It has been around for over one hundred years, with the book “Finger Prints” by Sir Francis Galton (first published in 1892) being one of the earliest works in regards to fingerprint analysis and identification. In addition, the modern automated form of fingerprint analysis and recognition is one of the older biometric technologies, with a large number of commercial applications available.
A further factor was that fingerprint recognition has received a substantial amount of attention from academic study, whereas most other biometrics are poorly documented, or immature technologies. This is due to the complex nature of the task, utilising components from general security, to image analysis, to algorithms, and artificial intelligence. While most other biometric technologies use some or all of these components, fingerprinting has, in general, more publicly available information.
The suitability of fingerprints to the generation of a digital artefact (i.e. digital image) was another factor in its selection. While some biometric characteristics are difficult to reverse-engineer into digital form (e.g. voice recordings), the use of digital images in modern computing is an established technique.
Finally, fingerprint systems share sufficient similarities with other biometric systems to provide a reasonable degree of generalisability of results. Biometric systems based on retina, iris, hand/finger geometry, or face recognition all (typically) use digital images for their biometric sample (from [International Biometric Group 2001], page 7). Therefore, the results of the experiment for digital artefacts using fingerprints can be generalised to a number of other physical characteristics.
This chapter contains a description of fingerprints, and the characteristics that are used in fingerprint recognition. This is followed by an examination of the basic principles behind fingerprint recognition systems. Primary sources used throughout this chapter were [Jain and Pankanti 1999], [Karu and Jain 1999], [Atmel Corporation 2001], [International Biometric Group ], [Jain et al. 1996], [Stosz 1994], [Hong et al. 1997] and [Jain et al. 1999].
5.2 Fingerprints
A fingerprint is the impression resulting from the friction ridges on the outer surface of the skin on a finger or thumb. While an in-depth analysis of the way that fingerprints are formed is not within the scope of this thesis, it is commonly assumed within fingerprint biometric circles that no two people have the same fingerprints. A corollary to this assumption is that given a fingerprint, the information contained within is sufficient to uniquely identify a single individual. The validity of these assumptions is also outside the scope of this thesis, however this question has received some attention recently in the cases of Daubert v. Merrell Dow Pharmaceuticals (1993) and U.S. v. Byron C. Mitchell (1998).
The ridges and interleaving valleys that constitute a fingerprint create two levels of detail that can be observed. The high level detail is the overall shape that is formed by the ridges. The shapes and their characteristics are described in section 5.2.1. The lower level of detail includes the actual ridges themselves and even the pores that exist on the ridges. These characteristics are discussed in section 5.2.2 on page 44.
5.2.1 Shape Characteristics
When observing the patterns that the ridges of a fingerprint form together, Sir Edward Henry created a classification of fingerprints into five classes. These classes are arch, tented arch, left loop, right loop and whorl. Samples of these fingerprint shapes can be seen in figure 5.1 on the next page.
There are two main features that define the shape of a fingerprint. These are cores and deltas (also collectively known as macro-singularities). A core is often described as a point where a single ridge line turns through 180 degrees. Similarly, a delta is described as a point where three ridge lines form a triangle. Figure 5.3 on page 44 depicts many of the characteristics of a fingerprint. Also, the fingerprints from figure 5.1 on the next page can again be seen in figure 5.2 on the facing page with the cores and deltas marked (note that an arch is not present in figure 5.2, as it does not have any core or delta points under the above definitions).
These core and delta points characterise the overall shape. Arches can be easily identified through the lack of any delta or core points. Also, whorls can be easily identified through the presence of two core and two delta points. Differentiating the right loop, left loop and tented arch is slightly more difficult, as all three have one core and one delta point.
Figure 5.1: Sample fingerprints with their associated shapes, reproduced from [Karu and Jain 1999]
Figure 5.2: Sample fingerprints, with core points marked with a square, and delta points marked with a triangle, reproduced from [Jain and Pankanti 1999]
Figure 5.3: Sample fingerprint with various characteristics labelled, reproduced from [International Biometric Group ]
One method used to differentiate these three classes of fingerprint in fingerprint-based biometric systems (from [Karu and Jain 1999]), is by examining the difference between the orientation of the line between the core and delta, and the orientation of the core (see figure 5.4 on page 44). If the orientation of the core is directed at the delta (within a tolerated variance), then the fingerprint is classed as a tented arch. Otherwise, the shape can be determined through the use of three points, C, the core point, D, the delta point, and P, the point at the edge of the image reached by tracing an imaginary ridge line from the core point (see figure 5.4). These three points can then be used in the following equation, where x and y are the corresponding coordinates of the point:
$$(y_P - y_C)(x_D - x_C) - (x_P - x_C)(y_D - y_C) \tag{5.1}$$
If the result of equation 5.1 is greater than zero, then the fingerprint can be classified as a right loop. Otherwise it is a left loop.
Figure 5.4: Sketches of fingerprint shapes (tented arch, left loop, right loop), depicting the relative position/orientation of core and delta points. Core points are represented by the letter ’C’, delta points by the letter ’D’ and the point ’P’ represents the intersection of an imaginary ridge line drawn from the core point to the edge of the image.
Thus, the shape of a fingerprint can be determined through the flow chart in figure 5.5 on the facing page.
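The decision procedure above (equation 5.1 together with the flow chart in figure 5.5), written out as an added Python example; it is not code from this thesis or from [Karu and Jain 1999]. The function and parameter names, the 15 degree alignment tolerance and the sample coordinates are assumptions made for illustration.

```python
import math


def difference(core, delta, edge_point):
    """Equation 5.1: (yP - yC)(xD - xC) - (xP - xC)(yD - yC)."""
    (xc, yc), (xd, yd), (xp, yp) = core, delta, edge_point
    return (yp - yc) * (xd - xc) - (xp - xc) * (yd - yc)


def angular_gap(a_deg, b_deg):
    """Smallest absolute angle between two directions, in degrees (0..180)."""
    gap = abs(a_deg - b_deg) % 360.0
    return min(gap, 360.0 - gap)


def classify_shape(cores, deltas, core_direction_deg=None, edge_point=None,
                   tolerance_deg=15.0):
    """Walk the decision tree of figure 5.5.

    cores, deltas      -- lists of (x, y) singular points found in the image
    core_direction_deg -- orientation of the core, needed when there is one pair
    edge_point         -- P, where the ridge line traced from the core leaves
                          the image
    tolerance_deg      -- the "tolerated variance"; 15 degrees is an assumption
    """
    # The tree only covers 0, 1 or 2 complete (core, delta) pairs.
    if len(cores) != len(deltas) or len(cores) > 2:
        raise ValueError("core/delta counts not covered by the decision tree")
    if not cores:
        return "arch"
    if len(cores) == 2:
        return "whorl"

    if core_direction_deg is None or edge_point is None:
        raise ValueError("one pair: core direction and edge point are required")
    core, delta = cores[0], deltas[0]

    # Orientation of the line from the core to the delta.
    to_delta_deg = math.degrees(math.atan2(delta[1] - core[1],
                                           delta[0] - core[0]))
    if angular_gap(core_direction_deg, to_delta_deg) <= tolerance_deg:
        return "tented arch"

    # Sign of equation 5.1 separates right loops (> 0) from left loops.
    if difference(core, delta, edge_point) > 0:
        return "right loop"
    return "left loop"


if __name__ == "__main__":
    # Constructed sample points, in image pixel coordinates.
    print(classify_shape([], []))
    print(classify_shape([(50, 50)], [(50, 90)], 100.0, (50, 120)))
    print(classify_shape([(50, 50)], [(80, 90)], 135.0, (10, 90)))
    print(classify_shape([(50, 50)], [(20, 90)], 45.0, (90, 90)))
```

Which physical side counts as "right" depends on the direction of the image's y axis, which the text does not fix; the code applies the equation exactly as written.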
5.2.2 Ridge Characteristics
Within the shape of the fingerprint there are also a number of characteristics created by the individual ridges. These characteristics are commonly referred to as minutiae, minutiae points, or less commonly, micro-singularities. The most common types of minutiae are ridge endings and ridge bifurcations. An example of each can be seen in figure 5.6 on the next page (note that the ridges are depicted in grey).
Figure 5.5: Decision tree for shape determination, based on the number and relative location/orientation of core and delta points (decision nodes: number of (core, delta) pairs; core aligned with delta; difference equation > 0; leaves: arch, whorl, tented arch, left loop, right loop)
Other minutiae points, such as dots (very small ridges), islands (slightly longer ridges than dots), spurs (small protrusions from a major ridge), bridges (small ridges connecting two adjacent major ridges) etc. do exist. However they are not usually incorporated into fingerprint recognition systems as they are either covered by existing types, or are too similar to generic noise to be useful in processing.
5.3 System Overview
The following sections describe the components and algorithms that make up a typical fingerprint recognition system. While individual systems will not necessarily do things the way they are described here, the basic principles are described and examples are given wherever possible. Note that this is not always possible, due to the proprietary nature of the technology and algorithms involved. Also, there are two main system methodologies for fingerprint matching, those that utilise minutiae matching, and those that use pattern matching on the overall ridge structure. In nearly all commercial applications (approximately 80% according to [International Biometric Group ]), minutiae matching is used. Therefore pattern matching systems will not be examined in the following sections.
Figure 5.6: Synthetic fingerprint depicting a ridge ending (top) and ridge bifurcation (bottom), generated by Sfinge - © 2000 BioLab University of Bologna, ITALY
5.4 Capture Devices
The following sections describe the function of each component of a fingerprint capture device.
5.4.1 Scanning
For fingerprints there are a number of alternative data capture devices. These include optical scanners, silicon based capacitance and thermal sensors, pressure based sensors and ultrasound devices. The main objective of a fingerprint scanner, regardless of the method it uses, is to provide the system with an image of the fingerprint that is as accurate as possible. For most applications, the image is produced at a resolution of 500 dpi using an 8-bit grey-scale. The following sections describe how each of the different kinds of fingerprint scanners work.
5.4.1.1 Optical
Optical devices are one of the more common fingerprint scanning devices. They are based on the reflection changes that occur when a light source interacts with the ridge lines of a fingerprint. This is most commonly achieved through the use of Frustrated Total Internal Reflection (FTIR). The light source shines onto a special reflection surface, which reflects the light differently depending on the pressure applied to it. A light sensor is used to capture the ’image’ of the fingerprint. Figure 5.7 on the facing page depicts the general layout of a typical optical scanner.
Due to the involvement of pressure, this type of scanner returns different quality images depending on the pressure applied to the reflective surface (by the fingerprint). If too little pressure is applied, the sensors may not be able to create an image at all. Alternatively, if too much pressure is applied, the skin in between the fingerprint ridges will also be in contact with the reflective surface, causing a lack of definition between ridges and valleys. Optical scanners are also affected by dirty fingerprints, which can also result in unusable images.
Figure 5.7: General layout of an optical fingerprint scanner, reproduced from [Atmel Corporation 2001]
Due to the required placements of the light source, reflective surface and light sensors, optical scanners are typically physically large components. However some companies have developed improved methods to reduce the size of the component. An example of this is the Surface Enhanced Irregular Reflection (SEIR) technology patented by SecuGen corporation.
Another weakness of optical scanners is that they must be cleaned regularly, to avoid dust, dirt and oil build up on the reflective surface. Also, optical scanners are the most vulnerable to physical replay attacks. This is where the latent print of the previous user is used to gain access to the system. This can theoretically be achieved in some scanners simply by shining an external light at the correct angle (see [Soto 2001]). Optical models generally claim that they cannot be fooled by a 2-dimensional image of a fingerprint, however a simple 3D model (e.g. latex rubber or similar product) is often sufficient (from [Ebringer 2001] and [Network Computing 1998]).
5.4.1.2 Capacitance
Capacitive fingerprint scanners create images of a fingerprint through the use of rectangular arrays of capacitors. The capacitors are located under a very thin protective layer that must be thick enough to protect the capacitors, but also thin enough so it does not obscure the readings. When a finger is placed on the scanner, the capacitors measure the capacitance difference generated by the different distances between the capacitors and the ridge lines and furrows. This concept is depicted in figure 5.8 on the next page.
One disadvantage of using this method is that the capacitance difference is significantly affected by moisture. Hence, fingers that are too wet, oily or dry will generate low quality or unusable images. Also, the capacitors themselves are vulnerable to Electro-Static Discharge (ESD) and external electric fields. As a result the grounding of capacitance scanners is very important to prevent damage to the capacitors.
Figure 5.8: Depiction of a capacitance scanner (labels: protective coating, finger ridges, sensors; legend: sensor off, sensor on)
One major advantage of capacitance scanners is their reduced size. Scanners using this method have been produced small enough to fit on PCMCIA cards, and hence are convenient for use in small portable devices such as laptop computers and mobile phones.
5.4.1.3 Thermal
Thermal fingerprint scanners work in a similar manner to capacitance scanners. However, instead of measuring the difference in temperature between the ridges and valleys of the fingerprint (which are too small to measure effectively), the fingerprint image is generated by converting the temperature differential on a sensor. For example, before a fingerprint is placed on the scanner, all the thermal sensors are at equilibrium with the air temperature around the scanner. Then when a fingerprint is placed on the sensor, those points where a ridge is in contact will cause a change in temperature in the sensor for that point. However, those points where there is a valley will still be measuring the local air temperature, hence those points have no temperature differential, and are not activated.
The major drawback of this method is that the temperature difference disappears after less than a tenth of a second as the finger and the sensors reach equilibrium. As a result, the image is only available for a short period of time. This means that a user has a very short amount of time to position their finger appropriately, before the image is gone. In order to counter this, Atmel corporation, a major producer of thermal fingerprint scanners, has developed and patented a “sweeping technique” (see [Atmel Corporation 2001]). This technique works by sweeping a finger over the sensor array, which takes the images from different times over the sweep (in a manner that is not affected by the sweeping speed) and reconstructs the total fingerprint image from these images using a proprietary and private algorithm. This allows the scanner to be reduced to approximately 1/5 the size of a normal square array scanner and eliminates the problem of the temperature equalisation, as the sweeping motion ensures that any one sensor is constantly changing between finger temperature (ridge) and air temperature (valley).
5.4.1.4 Pressure
Purely pressure-based scanners that utilise silicon chips to convert pressure to an electrical signal have been developed. Due to the natural pressure that is applied when a finger is placed on a scanner, this is probably the most intuitive method to use. However, as these scanners generally have low sensitivity, which is further lowered when a protective layer is added, the resulting images have quite low detail. As a result, no known systems utilise this method.
5.4.1.5 Ultrasound
Ultrasound scanners are the least common commercial option for fingerprint scanners. They operate by using acoustic energy that is partially reflected at each interface between different materials. The time between the reflections can be accurately measured to determine the depth at which the reflection occurred (see figure 5.9). The advantage of using ultrasound is that the images returned are uncontaminated by any dirt or grease on the surface on which the finger rests, or on the finger itself (from [Ultra-Scan Corporation ]). This, according to the manufacturer, results in higher quality images than is possible with optical systems. It also renders a physical replay attack (using a latent print) conceptually impossible as a latent print should not reflect sound waves.
Figure 5.9: Operation of ultrasound scanner, sound waves return a partial echo at each change in material, from Ultra-Scan.
However, despite these advantages, ultrasound scanners have a number of major drawbacks. Firstly, they are a large device (approximately 15 × 15 × 20 cm), preventing integration into small or portable components. In addition they are noisy (due to internal mechanical components), expensive and slow, with a single scan (at the highest quality setting) taking up to 4.60 seconds, according to [Ultra-Scan Corporation ].
5.4.2 Pre-Processing and Feature Extraction
After a fingerprint image has been captured using the scanner, it is rarely of sufficient quality to begin feature extraction. Due to variability in the capture process caused by humidity, dirt, oil, lighting or other similar factors (depending on the scanner used), the image needs to be enhanced to provide an accurate image. After it has been enhanced the appropriate minutiae points can be extracted. The following steps (in no particular order) are the basic steps that may be utilised before a template can be created.
• Image binarisation
• Ridge thinning
• Ridge orientation estimation
• Ridge smoothing
• General image enhancement
• Singularity detection
• Minutiae point extraction
• Spurious minutiae removal
The reason that the two tasks, pre-processing and feature extraction, have been combined in this section is that the exact division of the steps involved in these processes is not clear. As each commercial producer utilises their own proprietary algorithms, the order and composition (of the above) that each uses cannot be determined.
5.4.2.1 Image Binarisation
This is the process of converting the input image into a binary image. Typically the input image (from the scanner) is an 8-bit grey-scale image. From this, each pixel is tested, with those below a particular level being converted to white, and those above converted to black.
5.4.2.2 Ridge Thinning
Ridge thinning is often applied to make minutiae point extraction simpler. This is because the actual point of the ridge ending or bifurcation can be determined to the pixel if each ridge has been thinned to a single pixel in width. Thinning algorithms are quite common in image processing.
5.4.2.3 Ridge Orientation Estimation
Ridge orientation estimation is the process of determining the orientation of the ridge at any pixel (that is part of a ridge). This is usually achieved by partitioning the image into sections, and estimating the orientation of any and all ridges that pass through each section. Examples of algorithms that perform this task can be found in [Jain et al. 1996] and [Hong et al. 1997].
The result of this step is the creation of an orientation map. This is a grid of N by M sections, with an associated orientation for each section. It should be noted that the orientations of the orientation map go both ways, as all ridges flow in two directions (i.e. a section with an orientation of 37 degrees would be equivalent to storing 217 degrees).
5.4.2.4 Ridge Smoothing
In order to prevent spurious minutiae points from being extracted, ridge smoothing can be employed. This is a heuristically based method of detecting and somehow fixing areas that have generated abnormal ridge structure due to dirt, scarring, other external factors or errors in capture. While again, no commercial information is available on how this is achieved, the following are ridge smoothing criteria from [Jain et al. 1996]:
• “If a branch in [an orientation map] is roughly orthogonal to the local ridge direction and its length is less than a specified threshold T_b then it will be removed.”
• “If a break in a ridge is short enough and no other ridges pass through it, then it will be connected.”
5.4.2.5 General Image Enhancement
This section represents all the additional general image enhancement algorithms that can be utilised to improve the quality of the captured image at some stage in this process. For example, [Hong et al. 1997] utilises an algorithm that uses normalisation, region masking and Gabor filtering to improve some areas of a noisy image, while ignoring unrecoverable, or extremely noisy sections.
5.4.2.6 Macro-Singularity Detection
The detection of the macro-singularities (cores and deltas) of a fingerprint is often utilised in this process, to determine the overall shape of the fingerprint, or provide reference points for the location of minutiae points.
5.4.2.7 Minutiae Point Extraction
Extracting the minutiae points is generally achieved through the tracing of a thinned ridge line searching for intersections with other lines and end points. Intersections and end points are often determined by testing the surrounding eight pixels of the current pixel. If there is only one ridge pixel then the current pixel is a ridge ending. If there are more than two, then the pixel is at a ridge intersection (or bifurcation). A demonstration of this can be seen in figure 5.10.
Figure 5.10: Detection of minutiae points through the number of surrounding ridge pixels (legend: ridge ending, ridge bifurcation)
It should be noted that the above method is not standard, but specific to the method used in [Jain et al. 1996]. Other minutiae extraction algorithms may place the minutiae point one pixel away from the ridge ending, one pixel in (on the ridge line) from the ridge ending, or some other value altogether. The same concept applies to bifurcations as well. This means that given the exact same image in two different systems, the templates will most likely be different, based on minutiae extraction alone, let alone all the other variations.
5.4.2.8 Spurious Minutiae Removal
Often, even with all the prior image and ridge enhancements, spurious minutiae points are generated due to excess noise that could not be filtered out. When this occurs it is still possible to remove some of them, although this process is again based on heuristics. For example, the following are spurious minutiae removal criteria from [Jain et al. 1996]:
• “If several minutiae form a cluster in a small region, then remove all of them except for the one nearest to the cluster centre.”
• “If two minutiae are located close enough, facing each other, but no ridge lines lie between them, then remove both of them.”
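The neighbour-count test of section 5.4.2.7 and the first removal criterion quoted above, as an added Python example; it is not code from this thesis or from [Jain et al. 1996]. The thinned ridge image is constructed, and the cluster radius and the minimum cluster size of three are assumptions; the second criterion is not implemented.

```python
import math
from itertools import product

# Offsets of the eight pixels surrounding the current pixel.
NEIGHBOURS = [(dr, dc) for dr, dc in product((-1, 0, 1), repeat=2)
              if (dr, dc) != (0, 0)]

# Constructed, already-thinned image: '#' is a ridge pixel.
# Upper ridge: one genuine bifurcation. Lower ridge: a one-pixel noise spur.
SKELETON = [
    "....................",
    "........############",
    ".......#............",
    "#######.............",
    ".......#............",
    "........############",
    "....................",
    "....................",
    "..........#.........",
    "####################",
    "....................",
]


def parse(rows):
    """Return the set of (row, col) positions of ridge pixels."""
    return {(r, c) for r, line in enumerate(rows)
            for c, ch in enumerate(line) if ch == "#"}


def extract_minutiae(ridge):
    """Classify ridge pixels by the number of ridge pixels around them.

    Exactly one neighbour -> ridge ending; more than two -> bifurcation.
    Pixels outside the image are simply absent from the set.
    """
    found = []
    for r, c in sorted(ridge):
        n = sum((r + dr, c + dc) in ridge for dr, dc in NEIGHBOURS)
        if n == 1:
            found.append((r, c, "ending"))
        elif n > 2:
            found.append((r, c, "bifurcation"))
    return found


def remove_clusters(minutiae, radius=2.0, min_size=3):
    """Keep only the minutia nearest the centre of each cluster.

    A cluster is grown by single linkage: a point joins if it lies within
    `radius` pixels of any member. Groups smaller than `min_size` are not
    treated as clusters (both values are assumptions).
    """
    remaining = list(minutiae)
    kept = []
    while remaining:
        cluster = [remaining.pop(0)]
        grew = True
        while grew:
            grew = False
            for m in remaining[:]:
                if any(math.dist(m[:2], k[:2]) <= radius for k in cluster):
                    cluster.append(m)
                    remaining.remove(m)
                    grew = True
        if len(cluster) < min_size:
            kept.extend(cluster)
            continue
        centre = (sum(m[0] for m in cluster) / len(cluster),
                  sum(m[1] for m in cluster) / len(cluster))
        kept.append(min(cluster, key=lambda m: math.dist(m[:2], centre)))
    return sorted(kept)


if __name__ == "__main__":
    raw = extract_minutiae(parse(SKELETON))
    print(len(raw), "raw minutiae:", raw)
    print("after cluster removal:", remove_clusters(raw))
```

The single noise pixel on the lower ridge produces four bifurcation marks on its own, and the cluster rule reduces them to one rather than none, so one spurious point would still reach the template.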
5.4.3 Template Creation
Once all the minutiae points that the system considers to be valid have been identified, the template for the captured image can be created. Again depending on the implementation, the data stored will vary, sometimes quite significantly. The following is a list of the most common information associated with each minutiae point that can be stored in a template (see also figure 5.11):
• Location: this is usually the x and y coordinates of the minutiae point. The location of the origin for the coordinate axes is system dependent. Possible positions are at a particular corner of the image or some location unique to the current image, typically the central core point (if present).
• Direction: this is typically the direction vector of the ridge at the minutiae point, as determined by the associated orientation map. Depending on the system being used, the direction associated with a minutiae point can be different (as orientation maps are bi-directional). For example, at a ridge ending, it is possible to associate the direction that the ridge was heading when it stopped, or the direction back along the ridge (see figure 5.11). The direction associated with ridge bifurcations has even more possibilities, due to the combination of at least three lines at a point.
• Type: the type of minutiae point is also stored in some systems. This allows the result generator to discriminate ridge endings from bifurcations. In addition, some systems store the location (and hence the associated type) of the core and delta points, to provide reference points, or added detail on the type and shape of the fingerprint.
• Curvature: for ridge endings and bifurcations, the ridge is usually not straight at the location of the minutiae point. Therefore some systems also store the curvature of the ridge at that point. This adds more detail to the template, which is designed to improve matching accuracy.
Figure 5.11: Depiction of a ridge ending, with associated x,y coordinate values and direction
Also, templates can vary in size, with some implementations using a fixed size template from as small as 50 bytes. By using a fixed size template, the minutiae extraction process must also evaluate each minutiae point in an attempt to store the most “important” points. However according to [Fin ], many vendors do not utilise this methodology due to the variation of captured fingerprints, even in successive captures.
Alternatively, templates can be variable in size. This allows all the detected minutiae points to be included in the template. This illustrates the issue of ensuring a good quality fingerprint during enrolment. If a noisy or otherwise corrupted image is used, there will be numerous spurious minutiae points generated, some of which may not be detected and subsequently removed. With variable size templates, all remaining spurious minutiae points will be added to the template (along with the valid minutiae points). Thus, the valid user will have a lower chance of generating the required confidence during authentication.
5.5 Template Store
Implementation of the template store is another area that is typically system dependent. In order to increase search speed for identification (one-to-many searches) many producers implement their own databases, and even hardware. Some implementations index the template databases by their overall shape. However, with almost a third of fingerprints being whorls (according to [International Biometric Group ]), this may provide very little increase in searching performance.
5.6 Result Generator
The result generator is what performs the matching process. Here the live template is compared with the master template (for authentication). For minutiae based algorithms this must be achieved regardless of any rotation, translation, scaling or slight distortion of the live image, as compared with the master template. To achieve this, proprietary algorithms are utilised to match rotation, translation and scale changes. Distortion of the image can be caused through variable pressure during the placement of the finger on the scanner. To overcome this, one method used can be found in [Jain and Pankanti 1999].
5.7 Summary
This chapter has laid the foundation for the conduct of an experiment using a fingerprint-based biometric system, designed to implement and test the generic masquerade method proposed in chapter 4 on page 35.
It presented an overview of fingerprints and their characteristics, as applicable to biometric systems. In addition, the typical processes involved in fingerprint-based biometric systems were described, providing the knowledge base from which the experiment was conducted.
Chapter 6
Masquerade using Stored Fingerprint Templates
6.1 Overview
This chapter describes the implementation of the general method of performing masquerade from a stored template (see chapter 4 on page 35). It was implemented on a fingerprint-based biometric system, for the reasons outlined in section 5.1 on page 41. This chapter aims to highlight the potential for exploitation and abuse of biometric systems through masquerade attacks based on the information stored within a biometric template.
6.2 Motivation
There exists in the biometric community a common belief that the storage (in processed format) of biometric templates is acceptable due to the commonly stated fact that “no biometric can be re-created from the stored template” (discussed in section 4.1 on page 35). The previous statement is, in actuality, a fact due to the loss of information during the scanning, pre-processing and feature extraction stages of the enrolment process. This information loss is generated in two main areas, those inherent to the storage method, and those involved with the enrolment process.
As stated in section 5.3 on page 45 most common fingerprint based biometric systems are based on the matching of minutiae points. However, the extraction and subsequent storage of these points does not provide information on other aspects of the fingerprint. For example, the stored minutiae points give no direct information on the overall shape of the fingerprint, the width of the ridge lines, or the distance between ridges. While this information may be inferred to a certain degree, this may not be particularly simple or clear (for more information see section 6.5.3 on page 59).
During the enrolment process, information can be lost due to a number of factors:
• Image capture may not be of sufficient quality to capture all significant minutiae points.
• Pre-processing often involves the removal of anything the software considers to be a false minutiae point. Combined with inaccuracies in image capture, this can result in the removal of valid minutiae points.
• Feature extraction to fixed template sizes will also result in the exclusion of some minutiae points, leaving the resulting template with substantially less information than is present in the fingerprint.
• Finger placement can also affect the information stored in the template. If the fingerprint is placed badly, a reduced number of minutiae points will be in the captured image, hence the template will not contain all the points contained in a fingerprint.
Due to the loss of information that occurs when a template is created, it is impossible to recreate the original fingerprint that was used to create that template. However all the information that the matching software requires for a confident match is stored within the template. Therefore, if a template can be accessed and decomposed, a digital or physical artefact can be created that contains all the information that the matching software needs.
This appears plausible when considering the requirements on the matching software. Due to the inaccurate nature of image capture, and the fact that a finger can be placed on the capture device with differing orientation and translation, matching software must be able to translate, rotate and scale the live and master templates to a common frame of reference (see 5.6 on page 54). Therefore to create a valid representation of the original fingerprint all that needs to be done is maintain the relative positions and orientations of the minutiae points, regardless of any rotation or translation.
The following work was conducted to determine the plausibility of the above reasoning, and demonstrate the success (or otherwise) of a generated representation in a simulated masquerade attack.
6.3 System Description
The biometric system used for this experiment was a demonstration product made available by a commercial fingerprint-system manufacturer. The names of the supplier and product were declared to the thesis supervisors, but they are not named within this thesis. This is because the aim of this thesis is to highlight a risk within all fingerprint-based biometric systems, and it would be unfair to the manufacturer of the particular product used to name it without naming all other such products. The product used is typical of most fingerprint-based biometric systems, and will subsequently be referred to as “the system”, or “the software”.
Due to the public and freely available nature of the software, there can be a high level of confidence in the accuracy of the minutiae detection and matching algorithms used. Therefore, it can be expected that the results achieved using the system could be simulated on any other fingerprint-based biometric systems that use similar methods for feature extraction.
The system provides the ability to use static images (as well as live images captured by supported hardware) as input. This allows for consistency in results through the exclusion of variability inherent in the capture of live fingerprints.
The storage of templates within the system is achieved by appending each template to an unencrypted binary file. This is most likely due to the system’s demonstrative nature.
6.4 Fingerprint Database
For this implementation a total of 242 fingerprint images were used. They were downloaded from the Fingerprint Verification Competition 2000 (FVC2000, see http://bias.csr.unibo.it/fvc2000/default.asp), and created using demonstration fingerprint software (available from http://www.optel.com.pl/index_en.htm).
Only images of four of the five classes of fingerprints were used, with tented arch images being rejected, to provide greater distinction between each of the classes. Of the 242 images, 142 were downloaded from the FVC2000 site, from each of the four databases supplied. The other 100 images were created using a random fingerprint generator.
6.5 Method
The following subsections describe the method used to generate biometric samples based on the information contained in the corresponding stored template.
6.5.1 Template Access
The first step in conducting a masquerade attack is to gain access to the template store. For the system used in this experiment, this was a simple task. The template store was located on the local hard drive in an unencrypted binary file. While this setup is not typical of all systems, it demonstrates that some systems are more vulnerable than others in terms of storage location. Considering the fact that biometric characteristics are effectively permanent over a person’s lifetime, a theft of a biometric template from one insecure system could have a wide ranging and permanent impact on that person’s ability to use other systems.
Also, as describing methods for defeating strong encryption is beyond the scope of this thesis, the above method of storage is suitable as it is equivalent to that of a template store that has been decrypted.
6.5.2 Template Decomposition
Once access to the template store had been achieved, it was necessary to reverse the processing done by the system. While manual examination of a template is possible, a better method of determining the composition of each template is through the use of simple fingerprints that have minor controlled differences. By enrolling a number of fingerprints that are all based on the same image, but have known differences, the composition of the templates for a system can be determined.
As the system used in this experiment enrolled all detected minutiae points, the addition or removal of a single minutiae point gave the number of bytes used to store a single minutiae point (by taking the difference in size of the two templates). Similarly, by modifying the position or orientation of a single point, the composition of each minutiae point in the template can be determined (note: composition refers to the meaning of each byte i.e. byte 1 = x coordinate etc.). This required the use of a hex editor to return human readable values.
Once the composition of the template was determined, it was quite simple to write a script to process the template files to extract the stored information for each minutiae point. For the system used in this experiment, each minutiae point was represented by an 8-byte sequence (labelled byte):
• Unused: byte0
• x-coordinate: byte1 + byte2*255
• y-coordinate: byte3 + byte4*255
• direction (in degrees): byte5 + byte6*255
• curvature: byte7
Thus, the 8-byte sequence (in decimal) 000 023 000 044 001 124 000 010 represents a minutiae point located at (x,y) = (23,299), with a direction of 124 degrees and curvature of 10.
It is interesting to note that the system does not store the type of minutiae point within the template. Therefore any generated sample or artefact will not have to contain the same type of minutiae point in the identified minutiae positions (e.g. a ridge ending can be substituted for a bifurcation).
This example illustrates one of the major issues involved in the process of creating a biometric sample based on the information stored in the template. When there is little information (only x,y coordinates, directions and curvature), there is greater freedom on the part of the attacker in the appearance of the sample to be generated, as the system has very little information to check against. For example, in the above template, there is no information on the position and orientation of the core and delta points. Thus a generated sample can position these points anywhere (in relation to the minutiae points).
However, if the positions of the core and delta were stored in the template, an attacker will be able to use this information to create a sample that is closer to the original biometric characteristic. Hence using the above style of processing for fingerprint template storage will result in greater freedom for the attacker, while including more information will lead to a sample that is closer to the real biometric characteristic.
6.5.3 Shape Prediction
The next step in a masquerade attack is to determine the overall shape of the fingerprint that created the template. This prediction can be attempted in two ways, firstly (and simplistically) by a decision tree method based on the number of macro-singularities, or secondly through the use of a neural network.
6.5.3.1 Using a Decision Tree
If the stored template contains the location and orientation of the macro-singularities, then predicting the overall shape can be attempted through the use of these points. From section 5.2.1 on page 42 we can see that each of the five main fingerprint shapes is quite distinctive in terms of its number, placement and orientation of the macro-singularities. Thus the decision tree seen in figure 5.5 on page 45 can be used to predict the shape of the fingerprint.
This decision tree is based primarily on the number of core points, and secondly on the relative positions of a delta point to a core point. For this method to be successful however, all core points must be present, and in the case of tented arches, left loops and right loops, the delta point must also be present. If these conditions are not satisfied then the fingerprint will either be unclassifiable or misclassified.
As a result, this method will not be able to predict the shape of a fingerprint that was placed on the image capture device (during enrolment) in such a way that one or more of the core or delta points was not detected. Also, many fingerprint based biometric systems (such as the system used in this experiment) do not store the core and delta positions. Hence a better solution is needed that does not rely on this data for predicting the shape.
6.5.3.2 Using a Neural Network
In order to predict the overall shape of a fingerprint where macro-singularity information is insufficient or non-existent, an alternative source of information must be used. As the only source of information for a masquerade attack is the stored template, the minutiae points must be used to determine the overall shape of the fingerprint.
However, using the minutiae points to determine the shape is not a simple exercise. This is due to the fact that a fingerprint can be enrolled in any orientation or translation. This means that the individual minutiae points can be in literally any position and orientation for the same fingerprint.
Therefore, to be able to gain useful information from the minutiae points, the relative distance and orientation between points, which stay constant despite rotation or translation, was used. As no literature discovered during this research deals with this method of classifying fingerprints, a number of heuristically determined relations were selected to operate on a single template, and the predictive accuracy tested (using the WEKA tool, see http://www.cs.waikato.ac.nz/~ml/weka/). As a result of this testing, the best accuracy was achieved from a set of 23 relations, with each normalised to be independent of the number of minutiae points:
1. Average distance: the average distance between every pair of minutiae points.
2. Average ∆x: the average distance in x-coordinate between every pair of minutiae points.
3. Average ∆y: the average distance in y-coordinate between every pair of minutiae points.
4. Average ∆θ: the average difference in orientation between every pair of minutiae points. Note that this is taken using the direction as a vector (both directions) instead of just as a ray (1 direction).
5. Standard deviation in ∆θ: the standard deviation of the difference in orientation between every pair of minutiae points.
6. to 14. Proportion of ∆θ between a given range (in degrees): each of these relations records the proportion of orientation differences that fall in a given range. The range values are set at every 20 degrees, hence the first is from 0 to 19, the second is from 20 to 39 etc.
15. to 19. Proportional area of triangle in a given range: the area between all combinations of 3 minutiae points are calculated and used in one of these relations, depending on the size of the area calculated.
20. On parallel ridges, same direction: the normalised number of pairs of points where both have approximately the same direction, and are separated by a line running orthogonal to the orientation of the points.
21. On parallel ridges, opposite direction: the normalised number of pairs of points where the difference in direction is approximately 180 degrees. The points must also be separated by a chord running orthogonal to the orientation of the points.
22. Triple line up: the normalised number of sets of 3 points where two are on parallel ridges, with either same or opposite directions, and the third is in a position midway between the two, with direction orthogonal to the first two.
23. On same ridge line: the normalised number of pairs of points where the chord connecting the two points is approximately coincident with the orientation of both points.
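The record layout of section 6.5.2 and the invariance argument of this section, as an added example (not code from the thesis or from the system it tested): it decodes 8-byte records with the thesis's byte formulas and computes relations 1, 2, 4, 5 and 6 to 14 before and after a rigid transform. It goes slightly beyond the text by checking each relation against rotation and translation separately. Assumptions: a template is only back-to-back records, ∆θ is read as the smallest angle between two directions, every sample record except the first is constructed, and all function names are hypothetical.

```python
import math
from itertools import combinations

RECORD_SIZE = 8   # bytes per minutiae point, as stated in section 6.5.2
RADIX = 255       # high-byte multiplier exactly as the thesis gives it

# Constructed sample: record 0 is the worked example from the text, the
# other three are made up. Assumes a template is only back-to-back records.
SAMPLE = bytes([
    0, 23, 0, 44, 1, 124, 0, 10,
    0, 80, 0, 120, 0, 94, 1, 3,
    0, 200, 0, 15, 0, 30, 0, 7,
    0, 10, 1, 60, 0, 210, 0, 0,
])


def decode_record(rec):
    """Decode one 8-byte record into (x, y, direction_deg, curvature)."""
    if len(rec) != RECORD_SIZE:
        raise ValueError("record must be exactly 8 bytes")
    x = rec[1] + rec[2] * RADIX          # byte 0 is unused
    y = rec[3] + rec[4] * RADIX
    direction = rec[5] + rec[6] * RADIX
    return (x, y, direction, rec[7])


def decode_template(blob):
    """Split a byte string into records; reject a trailing partial record."""
    if len(blob) % RECORD_SIZE:
        raise ValueError("length is not a multiple of the record size")
    return [decode_record(blob[i:i + RECORD_SIZE])
            for i in range(0, len(blob), RECORD_SIZE)]


def angle_diff(a, b):
    """Smallest angle between two directions, 0..180 degrees (an assumed
    reading of the thesis's delta-theta)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def relations(points):
    """Relations 1, 2, 4, 5 and 6-14 from the list, over every pair."""
    pairs = list(combinations(points, 2))
    if not pairs:
        raise ValueError("need at least two minutiae points")
    n = len(pairs)
    dists = [math.hypot(p[0] - q[0], p[1] - q[1]) for p, q in pairs]
    diffs = [angle_diff(p[2], q[2]) for p, q in pairs]
    mean = sum(diffs) / n
    bins = [0] * 9                       # 0-19, 20-39, ..., 160-179
    for d in diffs:
        bins[min(int(d // 20), 8)] += 1  # exactly 180 joins the last bin
    return {
        "avg_distance": sum(dists) / n,
        "avg_dx": sum(abs(p[0] - q[0]) for p, q in pairs) / n,
        "avg_dtheta": mean,
        "std_dtheta": math.sqrt(sum((d - mean) ** 2 for d in diffs) / n),
        "dtheta_bins": [b / n for b in bins],
    }


def rigid_transform(points, rotate_deg, dx, dy):
    """Rotate positions and directions by one angle, then translate."""
    r = math.radians(rotate_deg)
    c, s = math.cos(r), math.sin(r)
    return [(x * c - y * s + dx, x * s + y * c + dy,
             (direction + rotate_deg) % 360, curv)
            for x, y, direction, curv in points]


if __name__ == "__main__":
    pts = decode_template(SAMPLE)
    print(pts[0])
    print(relations(pts))
    print(relations(rigid_transform(pts, 73, -40, 515)))
```

On this sample, relations 1, 4, 5 and 6 to 14 come out unchanged by the transform, while relation 2 (and by symmetry relation 3) is preserved by translation but not by rotation.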
Each fingerprint template from the fingerprint image in the database (see section 6.4 on page 57) was then processed to generate the data for each of the above relations. This data was then fed into a fully connected neural network, consisting of 23 input nodes (neurons), a single hidden layer of 13 nodes, and an output layer consisting of 4 nodes (corresponding to the four shapes of fingerprint used in the database).
When trained using this data with an epoch of 5000 (i.e. 5000 iterations over the entire training set), using 10-fold cross-validation, the neural network was able to correctly classify the fingerprint in 71.0744% of cases. The following is the breakdown of the results produced:
    === Stratified cross-validation ===
    === Summary ===

    Correctly Classified Instances      172 (71.0744 %)
    Incorrectly Classified Instances     70 (28.9256 %)
    Kappa statistic                       0.6014
    Mean absolute error                   0.1522
    Root mean squared error               0.3538
    Relative absolute error              41.8668 %
    Root relative squared error          83.0153 %
    Total Number of Instances           242

    === Detailed Accuracy By Class ===

    TP-Rate  FP-Rate  Precision  Recall  F-Measure  Class
    0.939    0.01     0.939      0.939   0.939      arch
    0.781    0.183    0.648      0.781   0.708      whorl
    0.6      0.08     0.688      0.6     0.641      lloop
    0.63     0.137    0.699      0.63    0.662      rloop

    === Confusion Matrix ===

     a  b  c  d   <-- classified as
    31  0  2  0 | a = arch
     0 57  5 11 | b = whorl
     0 11 33 11 | c = lloop
     2 20  8 51 | d = rloop
There are two main factors as to why this neural network did not achieve a higher level of success when classifying fingerprints based purely on the minutiae positions and orientations. Firstly, the chosen relations between the minutiae points were determined heuristically, using assumptions on the overall nature of each fingerprint shape. These are by no means the best relations that exist, and hence these will introduce some error. In fact, determining relations that provided a significant increase in the predictive ability of the neural network was a significant challenge.
Secondly (and less significantly), the location of minutiae points within the fingerprint are not always equally distributed across the shape. Often they tend to be clustered in various areas. This clustering effect will introduce errors into the neural network during training, as clustered minutiae points will indicate that the shape of the fingerprint is more likely to be that of the shape within the cluster. This type of error can also be caused through the use of badly aligned fingerprints in training, where only a small portion of the fingerprint is captured.
6.5.4 Image Generation
The third stage in a masquerade attack is to generate an image of the fingerprint. Using the overall shape of the fingerprint, predicted using an appropriate method (see section 6.5.3 on page 59), combined with the location and orientation of each minutiae point, an image can be constructed. The image must have the overall appearance of a fingerprint (as far as the recognition software is concerned) as well as having the appropriate minutiae points. In addition, it should endeavour to avoid creating spurious minutiae points that will lower the matching score, and raise the chance that the masquerade will fail.
The most important concept when creating the fingerprint image is to recognise the fact that the minutiae points can be placed anywhere in the image, with any orientation, as long as the relative x and y distances are maintained, and any rotation to the orientation of the minutiae points is applied universally. This arbitrary rotation and translation of the minutiae points when creating the image is acceptable due to the ability of the software to recognise fingerprints that have been rotated and translated.
6.5.4.1 Orientation Map Creation
In order to create a realistic looking fingerprint, a model for the predicted shape was created. To achieve this, the orientation model proposed in [Sherlock and Monro 1993] and similar to that in [Cappelli et al. 2000] was used.
The orientation map was created by dividing the image into N by N square blocks of equal size. Thus for a given block (x,y) where (x=0..N-1, y=0..N-1), a complex number z can be defined to represent that block, with real part equal to x, and imaginary part equal to y. Then, assuming that there is a core in block (cx,cy) and a delta in block (dx,dy), the complex numbers c and d can be defined as for z. Thus the orientation, O, for each block represented by z can be determined:
\[ O(z) = BO + \frac{1}{2}\left[\arg(z - d) - \arg(z - c)\right] \tag{6.1} \]
More generally, for C cores, let c_m, m=1..C, be the complex number representing the position of the cores. Similarly for D deltas, let d_n, n=1..D, be the complex number representing the position of the deltas. The orientation for each block represented by z can now be determined as:
\[ O(z) = BO + \frac{1}{2}\left[\sum_{n=1}^{D} \arg(z - d_n) - \sum_{m=1}^{C} \arg(z - c_m)\right] \tag{6.2} \]
Note that in both of the above equations, BO is the background orientation (see section 6.5.4.2 for its significance) and arg(z) returns the argument of the complex number z. Also, note that this method of orientation map generation relies on the presence of at least one core or delta point. Therefore it is unsuitable for use for arch fingerprints. However this can be overcome through the use of a heuristically generated orientation map, or a sinusoidal function as suggested in [Cappelli et al. 2000].
6.5.4.2 Orientation Map Selection
In order to draw the most realistic fingerprint based on the predicted shape and known minutiae points, it is not enough to just select an orientation map at random. The map must be created so as to give the best match between the known information and the generated orientation map. To achieve this, there are a number of variables that are used:
• BO: the background orientation. Possible values are from (0..359)
• Core Point(s): the position of each of the core points (if applicable). Possible values are dependent on the shape of the fingerprint being drawn
• Delta Point(s): the position of each of the delta points (if applicable). Possible values are dependent on the shape of the fingerprint being drawn and the current value(s) of the core point(s)
• Minutiae Offsets: the offset (in blocks) of the set of minutiae points. Possible values are from (minXOffset..maxXOffset) and from (minYOffset..maxYOffset), where:
  – minXOffset = 0 - block_num, where block_num is the horizontal block number of the leftmost minutiae point
  – maxXOffset = N - block_num, where block_num is the horizontal block number of the rightmost minutiae point, and N is the number of horizontal blocks in a N by N orientation map
  – minYOffset = 0 - block_num, where block_num is the vertical block number of the topmost minutiae point
  – maxYOffset = N - block_num, where block_num is the vertical block number of the bottommost minutiae point, and N is the number of vertical blocks in a N by N orientation map
These four variables can be used to find the best possible orientation map for the given shape and minutiae points. By creating a series of nested loops it is possible to iterate over all the appropriate orientation maps. The following pseudocode demonstrates the loops required to find the best orientation map for a fingerprint with one core and one delta point, by finding the orientation map with the lowest value of best_score:
    best_score = number of minutiae points * 180;
    For each value of BO do {
        For each core position do {
            For each delta position do {
                For each minutiae offset do {
                    generate_map();
                    calculate_score();
                    if (score < best_score) {
                        best_score = score;
                        update best orientation map;
                    }
                }
            }
        }
    }
Note that in the above pseudocode, the method generate_map() is an implementation of equation 6.2 on the preceding page.
The idea of calculating the score for each of the generated orientation maps is to determine the best match between the current orientation map, and the minutiae points with their current offset values (i.e. take the x and y coordinates of each minutiae point and add/subtract the current offset values multiplied by the width/length of a block). This can be achieved by taking the difference between the orientation of each minutiae point, and the orientation of the block containing that minutiae point. Thus, the orientation map, in combination with the minutiae offsets that generates the lowest difference between the orientation of the minutiae points and their containing blocks is the orientation map that should be used. Thus the pseudocode for the calculate_score() method is as follows:
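    score = 0;    // reset once per candidate map, not once per point
    for each minutiae point {
        // work on shifted copies so the stored coordinates are not changed
        modified x = minutiae x-coordinate + x-offset*block_width;
        modified y = minutiae y-coordinate + y-offset*block_height;
        score += (absolute value of (orientation at modified x,y
                  - orientation of minutiae point)) modulus 180;
    }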
The x- and y-offsets are used when drawing the image to move the minutiae points to the location that allows for the best match between their associated directions and the direction map. These offsets do not impact on the matching score, as the translation is constant for all minutiae points, and will be corrected by the matching software which finds a common frame of reference before attempting to match the points. Therefore, as long as the relative positions and orientations of the minutiae points are maintained, the generated image will meet the required confidence when compared to the corresponding master template.
6.5.4.3 Line Drawing
While conducting this research, only two methods of producing synthetic digital fingerprints were discovered. The first, from the University of Bologna, uses a method described in [Cappelli et al. 2000] which generates fingerprints with randomly positioned minutiae points. Therefore, it could not be used to create the fingerprints required for this experiment (i.e. those with pre-allocated minutiae points).
The second method of producing digital fingerprint images was developed by Optel, in the form of a random fingerprint generator. No information is currently available on the method that is used to draw the fingerprints created by that product.
Throughout the rest of the literature, no method for generating a fingerprint based on the pre-defined locations of minutiae points was found. Therefore, a new method for drawing fingerprints, based on pre-allocated minutiae positions had to be developed.
The line drawing algorithm developed for the synthesis of fingerprint images is a heuristically developed method based on a constructive approach. As the intention of this method is to produce a fingerprint based on the minutiae points extracted from a stored template, the algorithm begins by drawing in lines from each of the minutiae positions.
Lines are drawn iteratively, from a given starting point and direction, by determining the coordinates of a point z-pixels from the current position, along the given direction. This direction is determined by consulting the direction map for the current position. After determining the target position, these coordinates are adjusted to account for the presence of other lines in the local neighbourhood. This adjustment is made in an attempt to keep all the lines roughly parallel, thus avoiding any overlapping (and subsequent spurious minutiae points).
After drawing lines extending from the minutiae points, extra lines are added from the edges of the images, in an attempt to fill the image with the appearance of a fingerprint section. These extra lines can be added with varying distances between them, and all lines can be drawn with varying widths.
It should be noted that the lines drawn from the minutiae points did not use the curvature information within the template. This was done for simplicity in line generation, and could be subsequently added to improve accuracy.
As a result of the research conducted, it would appear that the design described in this sub-section is new. In addition, it could potentially be used as a means of subverting the existing (although to date not large) installed base of fingerprint-systems.
In order to avoid disclosing the means for implementing this technique at the same time as suppliers and user-organisations are being alerted to the existence of a previously unacknowledged risk, the code that accomplishes the line drawing of fingerprint digital artefacts is not included in this thesis.
6.5.5 Physical Artefact Creation
Due to the nature of the software used in this experiment, the fourth step in the masquerade method was not required. However in systems that only allow input from live capture devices, it may be necessary to create an artefact to perform a masquerade attack. In this case a method for developing a latex rubber (or similar) model of the generated digital artefact would be needed. Such a method would most likely be possible, considering the existing use of these models in fooling current fingerprint scanners (from [Ebringer 2001]).
6.6 Results
Due to the low level of accuracy achieved in predicting the shape of the fingerprint based on the neural network described in section 6.5.3.2 on page 59, the process of digital artefact creation was applied to the templates of the enrolled arches that were created synthetically (see section 6.4 on page 57). The synthetically created fingerprints were used, as the fingerprints used from FVC2000 only contained 8 arch type fingerprints, all of which were from the same finger.
The knowledge of which template belonged to which original image was necessary to determine if any match generated was a legitimate match with the correct fingerprint or a coincidental match with an unrelated one.
While this abstracts from the overall masquerade attack being performed, it allows the demonstration that the generated fingerprints match with their corresponding templates. If the predicted classes were used, then the only result that could be returned would be the success (or otherwise) of the match, not whether the digital artefact matched with the particular master template that it was based on.
Thus the information from each of the synthetic arches templates was extracted and used to create a sample using the method described in section 6.5.4 on page 62. All twenty-five of these images were supplied for identification (i.e. one-to-many matching) against the database of 242 enrolled images. The result of each identification test was that the generated image was correctly identified with its original template. Each generated image can be seen alongside its original in section C.1 on page 79, along with the match score achieved.
The system settings for the identification tests emphasised quality of matching over speed, allowed full rotation of the fingerprint (360 degrees) and had a FAR setting of 0.001% (the highest confidence level available for the system). Thus, the generated fingerprints had to pass the most stringent testing available in the system. The matching scores for the arch fingerprints that were not used can be seen in appendix C.2 on page 92. These fingerprints are all from the same finger, and are included as an indication of the scores achieved for different placements of the same fingerprint. These figures indicate the scores achieved by the generated images were comparable to those obtained when different captures of the same fingerprint are used. This validates the success of the digital artefact.
6.7 Discussion
The most obvious drawback to the generated images (see section C.1 on page 79),is that they would not pass authentication or identification in any system that usesa visual inspection by a third party. However, many systems will not use a visualverification, due to practicality or privacy constraints. Especially in remote systems(e.g. web based systems), visual inspection would be impractical.
Additionally, the generated fingerprint image at this stage is quite primitive, withthe line drawing algorithm heuristically determined. A better method no doubt existsthat would produce more visually acceptable images.
It should be noted that the generated images will never have to pass a visualcomparison against the original fingerprint image. This is because any system thatcontains the original fingerprint image for comparison against the live one can be ac-cessed for that image, instead of the template. Then an attacker will have the ultimatedigital artefact, the original biometric sample!
Another issue with the generation of the image is that it generates images withthe minutiae points with arbitrary (but constant) rotation. This was acceptable forthe system used as the matching process could be set to allow full rotation of thefingerprint template. However should a system not employ this functionality, thenthe image generation algorithm must be altered. This is a simple case of setting BOfrom equation 6.2 on page 63 to the new allowed range, and should not impact greatlyon the result achieved.
As stated earlier, the premise for this type of attack is that all the required infor-mation that the system bases its matching process on must be stored within the tem-plate. Therefore, performing this kind of masquerade attack is the process of takingthe stored information and reproducing it in a form acceptable for the system. De-pending on the system used, this may be as an image or as a physical object (or arte-fact). However the information that the system is trying to detect (and subsequentlymatch) is independent of the form. In addition, any information not stored within thetemplate is redundant when it comes to the matching process. For example, manyof the original arch images contained ridge bifurcations. These points were identi-fied as minutiae points and their location, direction and curvature were stored in theappropriate template. However as the type of minutiae point was not stored withinthe template, the line drawing algorithm was able to represent these points as ridgeendings. Thus, during identification, the system matched these ridge endings withthe points in the master template, as it had no information as to the type of minutiaepoint required.
In addition, increasing the amount of information stored in the template will not solve this problem. As more information is added to the template, the methods used to generate the image will simply need to increase in sophistication, resulting in a generated image that is closer to the original template. Thus, increasing the amount of information stored in the template poses a greater risk to the user, as an artefact created from the template will be usable not only on that system, but probably on any other system that stores an equivalent, or lesser, amount of information. Thus, the more information that is stored within a master template, the greater the level of security should be to prevent theft, and subsequent masquerade based on that template.
While the use of a physical artefact was not necessary to masquerade the system used in this experiment, this is not always the case. In many systems, a successful masquerade will only be viable through interaction with the biometric scanner. For these systems a physical artefact will be required, and hence liveness testing may be an issue.
Liveness testing is a known issue in biometric systems that many artefacts may have difficulty overcoming. The literature suggests that fingerprint scanners can utilise blood pressure sensors to determine if the finger is alive. However, whether this will discriminate against a latex mould on a live finger is questionable.
The generation of physical artefacts is not a major focus of this project, since this problem is only loosely related to computer science. Therefore developing a process for converting a digital artefact into a physical artefact was not attempted.
This is because the use of a physical artefact is not always going to be necessary. For some systems, a masquerade attack could be performed using the generated digital artefact. This could be achieved in a remote log on system, where the scanner is attached to a local machine. Here the image provided by the scanner could be intercepted by a program on the local machine, and the digital artefact used in its place.
From the results (see section 6.6 on page 66), it can be seen that for the system used in this experiment it is possible to create a biometric sample from a stored template that can be used for masquerade. While only arch type fingerprints were demonstrated, the ability to draw other shaped fingerprints simply relies upon a more sophisticated line drawing algorithm than the one currently implemented. Thus, the validity of the method for this system is sustained.
However, can the above implementation be adapted to other fingerprint systems? There are two main obstacles to using a similar method on any type of fingerprint system. These are encryption and decomposition.
An encrypted template store is effectively impossible to use until the encryption has been broken. Depending on the method of encryption used, there are a number of possible approaches to breaking encryption, from attempting to guess the system administrator’s password, to the use of sophisticated analysis techniques.
The second main obstacle is decomposition. In the experiment above, the system allowed the enrolment of static images. This made the task of determining the template format a more simple process, through the use of controlled input. However in most systems, this will not be an option, unless an analogous system is set up by the attacker. The task of determining the structure of the data from a single template is non-trivial, and must be achieved for the most difficult style attacks. With a little inside information, however, this task becomes trivial, so even the most secure templates can be decomposed.
From here, the question must be asked, can the results from fingerprint systems be extended to other biometric systems? From an examination of a number of other physically-based biometric systems, the answer would appear to be, yes. If the features extracted from a live biometric sample are simply processed and stored, then a biometric sample should be able to be generated in a manner similar to that described above, except specific to the biometric characteristic.
6.8 Implications
From this experiment, it has been demonstrated that masquerade from stored templates is possible, and is a potentially large vulnerability for some biometric systems. This risk must now be evaluated in other existing biometric systems, to ensure that the stored master templates are not at risk. The ability to create a physical or digital artefact from a master template should also be examined in other existing systems, as well as systems currently under development.
In addition, the development of new systems should take into account this risk when designing the algorithms and methods to be used in processing biometric samples, and in the creation of templates.
These algorithms are typically private in current systems, however this has been demonstrated to not provide much additional security in the software used in this experiment. Therefore, as is done in encryption, public algorithms should be created and subject to peer review, to decrease the probability of algorithmic weaknesses and flaws. Finally, for both new and existing systems, an evaluation should be performed of the security of the template store, and features should be included that make the theft of master templates appropriately difficult, both for outside and inside attacks.
6.9 Summary
This chapter described an experiment which acquired a master template, created a digital artefact from it, and used the digital artefact to perform a masquerade. It was shown that this type of attack is possible for the system used, and is plausible for use against most physical and some behavioural biometric systems. The impact of this new vulnerability on new and existing biometric systems was then discussed.
In the next chapter, the specific contributions of this thesis will be highlighted, and the possible future work arising as a result will also be described.
Chapter 7
Conclusion
This thesis has identified the vulnerability of biometric systems to masquerade through the use of biometric information contained within stored templates. This was achieved through analysis of the technologies involved, the devising of a generic approach to biometric masquerade, and the application of the generic approach to fingerprints, through an experiment on a specific fingerprint system.
7.1 Specific Contributions
As identified in a number of sections in this thesis, no literature was discovered during this research that examined the risk of masquerade arising from the storage of biometrics. Thus this thesis makes a number of contributions to the field. The specific contributions made by this thesis are:
• An analysis of the security of template storage locations (see section 3.2 on page 25)
• A taxonomy and security analysis of possible template storage formats (see section 3.3 on page 31)
• A generic method for masquerading a biometric system based on the information contained within a stored template (see section 4.2 on page 36)
• An application of neural networks to predict the shape of fingerprints, using the x,y coordinates and direction of an arbitrary number of minutiae points (see section 6.5.3.2 on page 59)
• A new approach to generating digital images of fingerprints, based on the development of ridge lines around pre-positioned minutiae points (see section 6.5.4.3 on page 65)
• Demonstration that biometric systems are vulnerable to masquerade attacks using the information contained in master templates (see section 6.6 on page 66)
7.2 Future Work
While this thesis was able to fulfil its aim and demonstrate that the storage of templates can result in the masquerade of the system, there are a number of improvements and further developments that can be done in this area.
Firstly the existing line drawing algorithm (described in section 6.5.4.3 on page 65) could be improved by:
• improving the visual quality of the resulting fingerprint
• supporting more fingerprint shapes
• supporting other minutiae point types
• using stored curvature information
In addition, the accuracy of the neural network used to classify fingerprints based on the information stored in a template (described in section 6.5.3.2 on page 59) could be increased. A more accurate prediction of the shape of a fingerprint, purely from the minutiae data, would result in a significant increase in the probability of success of a masquerade attack.
The use of neural networks for classification of fingerprints based on minutiae points is a novel method of solving an existing problem. Should the accuracy be increased to a sufficient level, this method could be used in fingerprint-based biometric systems in place of traditional methods (discussed in section 5.2.1 on page 42). The advantage of using an accurate neural network is that it would be capable of predicting fingerprint shapes even when there are missing macro-singularities in the biometric sample.
The development of a template creation method to overcome the vulnerability highlighted here would also be very useful. This would require a provably one-way hash function on fingerprint minutiae data, that still enables accurate matching between templates.
Finally, to demonstrate that the achieved masquerade attack wasn’t a limited scenario, and verify the claims made about the extensibility of these results, an implementation of the generic masquerade method should be applied to other biometric systems.
Finally, the generic approach to masquerade (described in section 4.2 on page 36) needs to be applied to additional biometric systems, in order to test the proposition that it is not only fingerprints that suffer from the vulnerability. Other biometric systems that it would be particularly useful to test include those based on hand geometry, retinal patterns, face recognition and iris patterns. Behavioural biometrics may prove to be less susceptible to the technique, although it may be applicable to some (such as voice-recognition).
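The following added example (not code from the thesis or from the system it tested) illustrates two points made above: a matcher can only check the fields a template stores, so an unstored minutia type cannot affect the result, and a template-protection scheme needs more than an ordinary cryptographic hash, because such a hash cannot tolerate capture noise. The template layout (x, y, direction), the tolerances and all sample minutiae are constructed assumptions.

```python
import hashlib
import math
from typing import NamedTuple


class Minutia(NamedTuple):
    x: float
    y: float
    theta: float  # ridge direction, degrees
    kind: str     # "ending" or "bifurcation"


def to_template(minutiae):
    """Assumed template layout: position and direction only; the type is dropped."""
    return [(m.x, m.y, m.theta % 360) for m in minutiae]


def angle_diff(a, b):
    """Smallest absolute difference between two directions, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(live, master, dist_tol=8.0, angle_tol=15.0):
    """Count live minutiae that pair one-to-one with a master minutia in tolerance."""
    used, paired = set(), 0
    for x, y, t in live:
        best, best_d = None, dist_tol
        for i, (mx, my, mt) in enumerate(master):
            d = math.hypot(x - mx, y - my)
            if i not in used and d <= best_d and angle_diff(t, mt) <= angle_tol:
                best, best_d = i, d
        if best is not None:
            used.add(best)
            paired += 1
    return paired


def template_digest(template):
    """SHA-256 of the serialised template: equal only for identical input."""
    data = ";".join(f"{x:.0f},{y:.0f},{t:.0f}" for x, y, t in sorted(template))
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed sample data (not taken from the thesis or from any real finger).
ENROLLED = [
    Minutia(40, 60, 10, "ending"), Minutia(85, 42, 95, "bifurcation"),
    Minutia(120, 110, 200, "ending"), Minutia(60, 150, 310, "bifurcation"),
    Minutia(150, 60, 45, "ending"), Minutia(100, 180, 270, "ending"),
    Minutia(30, 110, 355, "bifurcation"), Minutia(170, 150, 130, "ending"),
]
# Small capture noise (dx, dy, dtheta) for a second scan of the same finger.
NOISE = [(2, -1, 3), (-1, 2, -4), (3, 1, 2), (-2, -2, 5),
         (1, 3, -3), (-3, 1, 4), (2, 2, 6), (-1, -3, -5)]
RECAPTURE = [Minutia(m.x + dx, m.y + dy, m.theta + dt, m.kind)
             for m, (dx, dy, dt) in zip(ENROLLED, NOISE)]
# Same geometry, but every minutia labelled as a ridge ending.
RELABELLED = [m._replace(kind="ending") for m in ENROLLED]
# A different finger: no minutia lies within tolerance of an enrolled one.
OTHER_FINGER = [
    Minutia(55, 75, 100, "ending"), Minutia(100, 60, 190, "ending"),
    Minutia(135, 95, 20, "bifurcation"), Minutia(75, 135, 220, "ending"),
    Minutia(160, 80, 300, "ending"), Minutia(115, 165, 90, "bifurcation"),
    Minutia(45, 125, 170, "ending"), Minutia(155, 135, 250, "ending"),
]


def run_demo():
    master = to_template(ENROLLED)
    recapture = to_template(RECAPTURE)
    return {
        # Tolerant matching accepts a noisy scan of the enrolled finger.
        "recapture_score": match_score(recapture, master),
        # An exact hash of the same noisy scan does not equal the stored hash.
        "recapture_digest_equal": template_digest(recapture) == template_digest(master),
        # The type was never stored, so relabelling cannot lower the score.
        "relabelled_score": match_score(to_template(RELABELLED), master),
        "other_finger_score": match_score(to_template(OTHER_FINGER), master),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

For a system designer, the digest result is the reason templates are normally stored in a directly comparable form, which is what makes protecting the template store itself so important.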
Appendix A
Company Listing
What follows is a list of biometric related companies referenced within this thesis. Their area(s) of research and their website address are supplied.
• AIMS Technology Inc., Fingernail, http://www.nail-id.com/
• Atmel, Fingerprint, http://www.atmel.com/
• BioMet Partners Inc., Finger, http://www.biomet.ch/
• International Biometric Group, Consulting, http://www.biometricgroup.com/
• Iridian Technologies Inc., Iris, http://www.iridiantech.com/
• Massachusetts Institute of Technology Media Laboratory, Vision and Modelling Group, Face Recognition, http://whitechapel.media.mit.edu/vismod/demos/facerec/index.html
• Neusciences, Hand-Vein, http://www.neusciences.com/biometrics/Bio-index.htm
• Optel, Fingerprint, http://www.optel.com.pl/index_en.htm
• Pattern Recognition and Image Processing Lab, Michigan State University (PRIP MSU), Multi-biometrics, http://biometrics.cse.msu.edu/index.html
• Recognition Systems Inc., Hand, http://www.irsecurityandsafety.com/
• SecuGen, Fingerprint, http://www.secugen.com/
• University of Bologna Biometric Systems Group, Fingerprint, Hand, Face, http://bias.csr.unibo.it/research/biolab
Appendix B
Glossary
attack
artefact a physical object used to represent a biometric characteristic
authentication the process whereby a degree of confidence is established about the truth of an assertion
behavioural characteristic a measurable action performed by the human body
bifurcation see ridge intersection
biometric authentication the use of a biometric characteristic for the purpose of performing authentication
biometric capture device the logical component of a biometric system responsible for the capture and processing of a biometric characteristic
biometric characteristic a physical characteristic or a behavioural characteristic
biometric identification the use of a biometric characteristic for the purpose of performing identification
biometric sample a digital representation of a biometric characteristic used internally by a biometric system
biometric system a security system that uses biometric characteristics for the purpose of identity determination
biometric template store the logical component of a biometric system responsible for the storage and security of templates
compressed template a template that has been created from a biometric sample by using compression
confidence the level of similarity required between a live template and master template to conclude that they belong to the same biometric characteristic
core the innermost point in a fingerprint where the ridgelines traverse 180 degrees
delta the point in a fingerprint where the ridgelines create a triangular appearance
digital artefact the reverse-engineered equivalent to a biometric sample for a particular biometric characteristic
digital artefact creation the process of creating a digital artefact based on the information obtained from completing template decomposition as the third step of the generic masquerade method
encrypted template a template that has been encrypted
enrolment the process of generating a master template by inserting the template of a person along with an identifier into a biometric template store
equal error rate (EER) when the confidence of a biometric system is set so that the proportion of false rejections will be approximately equal to the proportion of false acceptances.
false accept rate (FAR) the probability that a biometric system will incorrectly identify an individual or will fail to reject an unauthorised person.
false reject rate (FRR) the probability that a system will fail to identify an authorised individual or authenticate the legitimate claimed identity of an authorised individual
feature extractor the sub-component of the biometric capture device responsible for locating and extracting information specific to a biometric characteristic that can be used for the purpose of identity determination
generic masquerade method the generic method of preparing a digital artefact or physical artefact from the information contained in a master template for the purpose of masquerade against a biometric system
hashed template a template that has been processed by a hash function
hash function a function that converts an arbitrary length data block into a fixed length code
harm
identification a process whereby a real-world entity is recognised, and its ’identity’ established
identifier
identity determination the combined processes of biometric authentication and biometric identification
identity theft the acquisition and use of sufficient evidence of identity relating to a particular person that the thief can operate as though they were that person
live biometric characteristic the biometric characteristic supplied by a person to a scanner for the purpose of identity determination by a biometric system
live template the template created from a live biometric characteristic for identification or authentication in a biometric system
liveness testing the process of determining if a live biometric characteristic is a real biometric characteristic from a living person
macro-singularities the major features that define the overall shape of a fingerprint
masquerade
master template the enrolled template of a user that is used when matching and is stored in the biometric template store
matching the process of comparing the current live template with one or more master templates, to determine if they are from the same biometric characteristic, to a specified confidence
micro-singularities see minutiae
minutiae various characteristics or formations of the ridgelines of a fingerprint, often limited to ridge endings and ridge intersections
operation the process of acquiring a live template for use by the system to perform identity determination
orientation map an artificial model for describing the direction of ridgelines at various grid positions
physical artefact a synthetic physical object designed to simulate a biometric characteristic
physical artefact creation the process of creating a physical artefact based on a digital artefact as the fourth step in the generic masquerade method
physical characteristic a physically measurable part of the human body
portable token a possible location for the biometric template store where it is situated on a small, portable device
pre-processor the sub-component of the biometric capture device responsible for the increase in biometric sample usability
processed template a template that has been created from a biometric sample using the information generated by the feature extractor
remote database a possible location for the biometric template store where it is situated externally to both the biometric capture device and the result generator
result generator the logical component of a biometric system responsible for matching
ridge ending the point where a ridgeline terminates
ridge intersection the point where two ridgelines intersect
ridgelines the lines formed in the image of a fingerprint by the interleaving valleys and ridges that occur in the skin
risk
scanner the sub-component of the biometric capture device responsible for the recording of the measurements of a biometric characteristic to produce a biometric sample
security
self-contained biometric device a possible location for the biometric template store whereby it is located on the same device as the biometric capture device and the result generator
stored template see master template
template the result of a biometric sample being manipulated by the pre-processor, feature extractor and template creator, if applicable
template access the process of attempting to gain access to the biometric template store as the first step of the generic masquerade method
template creator the sub-component of the biometric capture device responsible for the creation of a template
template decomposition the process of attempting to comprehend the data contained within a template as the second step of the generic masquerade method
unprocessed template a template that has been created from a biometric sample that may have been altered by the pre-processor
vulnerability
Appendix C
Fingerprint Matching
C.1 Generated Images
(a) Original Image (b) Generated Image
Figure C.1: Arch 1: score = 60
(a) Original Image (b) Generated Image
Figure C.2: Arch 2: score = 54
(a) Original Image (b) Generated Image
Figure C.3: Arch 3: score = 103
(a) Original Image (b) Generated Image
Figure C.4: Arch 4: score = 182
(a) Original Image (b) Generated Image
Figure C.5: Arch 5: score = 129
(a) Original Image (b) Generated Image
Figure C.6: Arch 6: score = 191
(a) Original Image (b) Generated Image
Figure C.7: Arch 7: score = 162
(a) Original Image (b) Generated Image
Figure C.8: Arch 8: score = 145
(a) Original Image (b) Generated Image
Figure C.9: Arch 9: score = 115
(a) Original Image (b) Generated Image
Figure C.10: Arch 10: score = 163
(a) Original Image (b) Generated Image
Figure C.11: Arch 11: score = 115
(a) Original Image (b) Generated Image
Figure C.12: Arch 12: score = 140
(a) Original Image (b) Generated Image
Figure C.13: Arch 13: score = 223
(a) Original Image (b) Generated Image
Figure C.14: Arch 14: score = 107
(a) Original Image (b) Generated Image
Figure C.15: Arch 15: score = 112
(a) Original Image (b) Generated Image
Figure C.16: Arch 16: score = 171
(a) Original Image (b) Generated Image
Figure C.17: Arch 17: score = 83
(a) Original Image (b) Generated Image
Figure C.18: Arch 18: score = 162
(a) Original Image (b) Generated Image
Figure C.19: Arch 19: score = 145
(a) Original Image (b) Generated Image
Figure C.20: Arch 20: score = 54
(a) Original Image (b) Generated Image
Figure C.21: Arch 21: score = 67
(a) Original Image (b) Generated Image
Figure C.22: Arch 22: score = 144
(a) Original Image (b) Generated Image
Figure C.23: Arch 23: score = 116
(a) Original Image (b) Generated Image
Figure C.24: Arch 24: score = 100
(a) Original Image (b) Generated Image
Figure C.25: Arch 25: score = 135
C.2 Same Fingerprint Matching
(a) Input Image (b) Enrolled Image
Figure C.26: Same finger test1: score = 1180
(a) Input Image (b) Enrolled Image
Figure C.27: Same finger test2: score = 213
(a) Input Image (b) Enrolled Image
Figure C.28: Same finger test3: score = 210
(a) Input Image (b) Enrolled Image
Figure C.29: Same finger test4: score = 353
(a) Input Image (b) Enrolled Image
Figure C.30: Same finger test5: score = 158
(a) Input Image (b) Enrolled Image
Figure C.31: Same finger test6: score = 233
(a) Input Image (b) Enrolled Image
Figure C.32: Same finger test7: score = 140
(a) Input Image (b) Enrolled Image
Figure C.33: Same finger test8: score = 245
All URLs referenced in this thesis were valid as of 23 November 2001.