Motivation: Measures of accuracy and discrimination strength of a biometric system only tell half of the story. If we examine the 'secureness' of a biometric system, we have to differentiate between at least three aspects of security:
1. Classic, usually statistical, measurements of accuracy, e.g. the equal error rate (EER), inter- and intraclass distances, etc.
2. The architecture and implementation of the system itself, e.g. a system that sends biometric templates from the client to a server without encryption is more prone to malicious attacks on the infrastructure.
3. The resistance to forgery: assuming that an impostor actively tries to counterfeit someone else's biometric identity, how much would it cost in terms of time and money?
The first point can easily be assessed by means of representative datasets and a common set of accepted measurements. It is a standard procedure in the scientific community and guarantees comparability (Key concepts).
With regard to the system architecture, things are more complex. However, there are procedures to evaluate the security of a concept and its implementation in a standardized way. One example of these is the Common Criteria (CC).
Finally the resistance to active forgery of the biometric trait has to be estimated. This is the most complicated one of the above three types of security measures, because one can easily prove that a biometric system can be deceived, but it's much harder to prove that it cannot be deceived.
Conclusion: However accurate a system is in terms of EER and the like, this does not allow for statements about its vulnerability to malicious attacks, which is of equal importance. Thus, on this page we concentrate on the vulnerability to malicious attacks.
The first chapter will try to assess the feasibility and cost of counterfeiting someone's biometric identity. The second chapter will try to critically describe and examine countermeasures.
INDEX
1.1 How much does it cost to acquire a copy of the biometric trait?
1.2 How can we generate an input that is compatible with the biometric sensor?
2. Countermeasures - How difficult is it to deceive the biometric system?
2.2 Security through obscurity
To begin with, a more specific definition of biometric counterfeiting as we use the term here is advisable. We are not talking about interference with the hardware or the software. The only thing that is 'allowed' is to present the biometric sensor with an input in the way the sensor is designed to operate. A good example of a biometric counterfeit for fingerprints is the famous gummy bear concept of Tsutomu Matsumoto (Some slides, PDF, TheRegister, MMYH02).
Assessing the tamper-resistance of a biometric trait raises three questions:
1. How much does it cost to acquire a copy of the biometric trait, i.e. how difficult is it to copy the information that makes the biometric discrimination?
2. How can we generate an input that is compatible with the biometric sensor, i.e. how can a physical embodiment of the biometric trait be modeled?
3. How difficult is it to deceive the biometric system, i.e. how costly is it to make the biometric system accept the forged input as authentic?
The first two questions are discussed in the next two sections, while the third question is treated in the second chapter.
The first question, how much it costs to acquire a copy of the biometric trait, can be answered largely independently of the actual biometric system employed. Obviously, for counterfeiting the holder of the biometric archetype is uncooperative and, most importantly, must not notice the copying process. This gives rise to the notion of the risk of discovery of the copying process.
A differentiation has to be made between static (or physiological) and dynamic (or behavioral) biometric characteristics. Examples for static features are the hand geometry, the face and our topic, the iris. Dynamic features include voice, in some cases signature and keystroke dynamics.
The following table qualitatively compares some common static biometrics with respect to the cost to copy. The copying process as meant here only has the goal of gathering all the necessary biometric data, not of actually producing a physical copy. The latter is dealt with in chapter 1.2.
| Biometric trait | Sensor/Method | Risk of discovery | Cost to copy |
|---|---|---|---|
| Finger | optical, thermal, capacitive | very low, cf. forensics | very low |
| Face | optical, infrared | low, published image in newspaper might suffice | low |
| Iris | optical, infrared | medium, assumes small amount of cooperation | medium to high |
| DNA sequence | electrophoresis | low, cf. forensics | high |
| Retina | coherent light | high, assumes cooperative subject | high to very high |
Considering the iris, what would a copying process look like, then? The goal is to capture as much information about the iris as is necessary for the biometric identification.
Assuming that the biometric needed is the visual appearance of the iris, a good snapshot of the eye of the subject should yield the necessary information. Due to the three-dimensional microstructure of the iris, several snapshots under different directional illuminations might be needed. Furthermore, the pupil should be contracted in a way that most parts of the iris are visible.
These are basically all the requirements to gather a sufficient amount of data of the biometric trait itself. Consequently, the acquisition of the biometric copy would be accomplished with an optical sensor, like a CCD-camera. Presuming the appropriate optics, e.g. standard telecentric or zoom lenses, one needs an opportunity.
The opportunity to observe the biometric data of course is highly case-dependent and cannot be treated universally. One has to find a public place, where the subject always positions itself in a largely standardized way (e.g. door exit, car entry, phone booth, cinema, red light crossing). Also concepts of conventional identity theft can be applied, e.g. social engineering (IDTheft, Social Engineering).
One important consideration, though, is that most iris recognition systems work in some part of the infrared spectrum, so the malicious capturing process is easier to conceal.
However, the point of this argument is that the biometric trait can be captured with adequate, off-the-shelf equipment.
An interesting, albeit not perfectly appropriate example for a biometric copy is the case of Steve McCurry's Afghan girl, Sharbat Gula (National Geographic, Daugman). There, an old photograph of a face was sufficient to identify a refugee with a low error probability about 17 years later. Undoubtedly this doesn't necessarily imply that a fake identity could be constructed from the corresponding photograph, because most probably all the countermeasures of the used system were deactivated, but it is an indication that a single snapshot holds enough information about the identity. On the other hand, the cost to clone in this example would apparently be acceptable (an SLR camera, the corresponding film, the development of the negative and a film scanner).
Another example which we will deal with later on is described in an article of the German magazine c't (c't: Body Check). In this test, the cloning process only involved a shot of the subject's eye by a digital camera.
In this chapter we assume that the full biometric data is available, e.g. as digital images of adequate resolution. Furthermore, countermeasures are not considered. The only question here is how to generate a signal that the sensor accepts per se.
Fortunately, the biometric devices employed in iris recognition usually are digital cameras based on visible light or infrared sensitive sensors. Contrary to tactile sensors like some hand geometry readers we just have to provide visual input in the first place. Of course countermeasures will be taken, but the essential process is optical.
Accordingly, everything that yields optical input can in principle be used for counterfeiting. This includes, with an increasing level of complexity:
| Level of complexity | Method |
|---|---|
| 1 | Mainly plain paper and ink. If necessary: infrared reflecting ink and/or corresponding paper (MICR Repository) |
| 2 | Display devices (CRT, LCD, in the future maybe flexible organic displays, ChipCenter) |
| 3 | Physically modeled replica (Refer to your local Halloween store or c't revisited, orbital prosthetics, contacts) |
| 4 | Surgically altered eyes, not necessarily human ones (US Pat. 6306127, US Pat. 6280469) |
As argued in the above chapter, every biometric is breakable with an appropriate amount of time and money. The only thing that the biometric manufacturer can do is to increase the involved costs. It is like an arms race until one party gives in.
The advantage of the manufacturer is that he can invest a whole lot of time and money a priori to secure the system against any conceivable and feasible attack. His disadvantage is that he has to be one step ahead of the impostor.
The advantage of the impostor is that he only has to find that one attack that nobody thought of while still being feasible, and this will guarantee him access once and for all. His disadvantage is that he, well, has to be very creative.
A concept that often emerges in security-related environments is security through obscurity. This means that the manufacturer of the hypothetical security system (be it cryptography or biometrics) tries to conceal the algorithmic innards of his system to some extent in order to hamper possible attacks.
The success of this concept is clearly task-dependent, but it has to be viewed very critically, for the following reasons:
1. The fact that the mode of operation of a system is unknown to the public probably only raises the uncertainty about its safety and not the fundamental safety itself. Arguments for this can be found here: Bruce Schneier.
2. It is hardly likely that any algorithmic part of the system will be kept concealed in the long run.
Fortunately there are concepts that will make the impostor's life much harder. The next chapter will outline the concept of replay attacks and corresponding countermeasures used to deny them or at least statistically attenuate their impacts.
Another improvement of security can be the use of a multimodal biometric system. Multimodality in this context means combining several biometric traits from possibly more than one sensor in an optimal way (Kittler97). Examples are combinations of face, voice and lip movement (IEEE-Computer).
This concept increases the accuracy of the system in terms of EER as well as the resistance to counterfeiting attempts, simply because all traits have to be counterfeited simultaneously.
So, what can be done?
We assume that the impostor has the biometric data available (see chapter 1.1) and in principle knows how to generate an input with it (see chapter 1.2).
An attempt to break into the system under these assumptions is usually called a replay attack.
There is a continuum of methods to defeat replay attacks. In the following we'll try to categorize them. As the same principles apply, we restrict our considerations to unimodal biometric systems. The following discussion assumes the human iris as the biometric trait.
Methods for the denial of replay attacks can (but do not have to) be categorized as follows:
1. Passive properties: Properties of the sensor's input or the biometric source itself are utilized. The idea is to discriminate between 'authentic' and 'forged' signals by just estimating characteristics of the signal.
2. Reactive methods: Additional hardware is used to present a stimulus to the subject, where the reaction is involuntary.
3. Active involvement: The same as the reactive methods, but with voluntary reactions.
This is by no means the only categorization of replay attack denials, but we can work with it here. Examples will be given in the following discussions.
2.4.1 Passive properties

| Countermeasure | Corresponding counterfeits |
|---|---|
| Spectral properties of the visual appearance of printed images. A good example with colored contact lenses can be found here: Daugman. The periodic pattern of a printer's halftoning leaves easily detectable traces in the spectrum. | Use a different type of printer, higher resolution and/or smarter dithering algorithm (complexity level 1). Alternatively increase complexity level of attack. |
| Involuntary movements of the eye or dilations of the pupil. | Increase the replay attack complexity to a higher level, e.g. using a graphical representation of the human eye on a display surface (complexity level 2-4). |
| Reject the classification result if the match to the suspected database entry is too good to be true. An authentic signal is expected to differ from every known instance by a certain amount, which is caused by variations in the capturing process. If the impostor signal is a perfect reproduction, it might be too close to a known instance. | Introduce artificial variations in the impostor signal, e.g. white noise (same complexity level). |
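The spectral-properties countermeasure above can be sketched as follows. This is an added example, not code from the original page: it takes one scanline of grey values, applies a Hann-windowed DFT and compares the strongest high-frequency peak with the median magnitude. The function names, the threshold of 8 and both sample scanlines are assumptions constructed for illustration.

```python
import cmath
import math
import random

def band_magnitudes(scanline, low_bin):
    """Hann-windowed DFT magnitudes for bins low_bin .. N/2-1."""
    n = len(scanline)
    mean = sum(scanline) / n
    windowed = [(v - mean) * (0.5 - 0.5 * math.cos(2 * math.pi * t / n))
                for t, v in enumerate(scanline)]
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(windowed)))
            for k in range(low_bin, n // 2)]

def halftone_score(scanline):
    """Strongest spectral peak divided by the median magnitude above bin N/8."""
    mags = band_magnitudes(scanline, len(scanline) // 8)
    median = sorted(mags)[len(mags) // 2]
    return max(mags) / median

def looks_printed(scanline, threshold=8.0):
    """True if one narrow peak dominates the band (threshold is assumed)."""
    return halftone_score(scanline) > threshold

# Constructed sample data, not measurements: a smooth texture with sensor
# noise, and the same line with a 4-pixel-period dot screen superimposed.
rng = random.Random(2002)
N = 128
LIVE = [128 + 30 * math.sin(2 * math.pi * 2.3 * t / N)
        + 12 * math.sin(2 * math.pi * 9.1 * t / N + 1.0)
        + rng.gauss(0, 3) for t in range(N)]
PRINTED = [v + (12 if t % 4 < 2 else -12) for t, v in enumerate(LIVE)]

if __name__ == "__main__":
    print("live   ", round(halftone_score(LIVE), 1), looks_printed(LIVE))
    print("printed", round(halftone_score(PRINTED), 1), looks_printed(PRINTED))
```

A real detector would run this over many scanlines in both image directions, since a halftone screen is two-dimensional and may be rotated.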
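The 'too good to be true' rule above, as an added example that is not part of the original page: it assumes iris templates are bit strings compared by fractional Hamming distance, and it remembers every accepted presentation so that an exact copy of any known instance is rejected. `BITS`, both thresholds, the helper names and the sample codes are assumptions constructed for illustration.

```python
import random

BITS = 2048
MATCH_MAX = 0.32    # assumed threshold: above this, a different eye
REPLAY_MIN = 0.02   # assumed threshold: below this, too good to be true

def hamming_fraction(a, b):
    """Fraction of differing bits between two iris codes held as ints."""
    return bin(a ^ b).count("1") / BITS

def recapture(code, fraction, rng):
    """Constructed stand-in for a fresh capture: flip a fraction of the bits."""
    for pos in rng.sample(range(BITS), int(BITS * fraction)):
        code ^= 1 << pos
    return code

class ReplayAwareMatcher:
    def __init__(self, enrolled):
        self.enrolled = enrolled
        self.known = [enrolled]          # every instance seen so far

    def verify(self, sample):
        if hamming_fraction(sample, self.enrolled) > MATCH_MAX:
            return "reject: no match"
        if min(hamming_fraction(sample, k) for k in self.known) < REPLAY_MIN:
            return "reject: too close to a known instance"
        self.known.append(sample)        # remember accepted presentations
        return "accept"

def demo():
    rng = random.Random(1)               # seeded so the example is repeatable
    enrolled = rng.getrandbits(BITS)
    first = recapture(enrolled, 0.10, rng)
    second = recapture(enrolled, 0.10, rng)
    matcher = ReplayAwareMatcher(enrolled)
    return {
        "fresh capture": matcher.verify(first),
        "another fresh capture": matcher.verify(second),
        "exact copy of first capture": matcher.verify(first),
        "exact copy of enrolled template": matcher.verify(enrolled),
        "unrelated eye": matcher.verify(rng.getrandbits(BITS)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} {verdict}")
```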
2.4.2 Reactive methods
| Countermeasure | Corresponding counterfeits |
|---|---|
| Use illumination to cause reflections on the retina. Comparable to the red-eye effect in photography when using a flash. | As there are only very weak directional dependencies, an infrared reflecting surface in the corresponding region might suffice. Modeling a concave shape might be necessary (complexity level 1-3). |
| Use illumination to cause reflections in the anterior eye. Fairly easy to utilize is the reflection on the outermost part of the eye, the cornea. More effort has to be invested when using the four so-called Purkinje images, which are the reflections on layer boundaries with increasing depth in the eye. Temporal changes can be used. | A physical modeling of the eye might be needed. Raises complexity level. Might be solved with display methods (complexity level 2-4). |
| Physiological reactions to changing illumination conditions. The pupil dilation is dependent on the amount of incoming light. This can be used to distinguish 'stiff' impostor signals from deformable authentic signals. Especially important is the change of diameter over time, maybe even the characteristics of its progression. | A physical modeling of the eye might be needed. Raises complexity level (complexity level 2-4). |
2.4.3 Active involvement

| Countermeasure | Corresponding counterfeits |
|---|---|
| Direction of the subject's gaze to random points. The (cooperative) subject is instructed to direct his or her attention to randomly chosen points. Estimate the real gaze and calculate the difference to the expected gaze. The estimation can be done e.g. with the abovementioned Purkinje images or with simple motion tracking. Calculation of the difference between expected and observed gaze can be done in an incremental way ("Please look left. Thanks. Now, please look to the right"). If the calculated difference is too high, reject the pattern. | The use of display methods might suffice. |
| Characteristics of the eye's motion. Instruct the subject to move his or her eyes arbitrarily. There are different kinds of very specific motions occurring in the eyeball. Candidates for this method are tremor and saccadic movement. The tremor is very small and very fast and thus hard to observe with the usual iris recognition equipment. A better choice is the saccadic movement, which is basically the eye's way of finding the desired fixation point. | Again, using a display with a refresh rate comparable to or better than that of the iris camera might suffice. Otherwise a higher complexity level is needed. |
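The incremental gaze challenge described above, as an added example that is not part of the original page: the verifier issues a random target sequence and stops at the first step where the observed gaze is too far from the expected one. Target angles, tolerance and function names are assumptions; a deployment would draw the challenge from `secrets.SystemRandom()` rather than a seeded generator.

```python
import math
import random

# Assumed target directions (horizontal, vertical) in degrees and tolerance.
TARGETS = {"left": (-20.0, 0.0), "right": (20.0, 0.0),
           "up": (0.0, 15.0), "down": (0.0, -15.0)}
MAX_ERROR_DEG = 6.0

def issue_challenge(steps, rng):
    """Random target sequence that never repeats a target back to back."""
    seq = []
    while len(seq) < steps:
        name = rng.choice(sorted(TARGETS))
        if not seq or seq[-1] != name:
            seq.append(name)
    return seq

def verify_gaze(challenge, observed):
    """Return (accepted, steps_passed), stopping at the first bad step."""
    if len(observed) != len(challenge):
        return False, 0
    for step, (name, gaze) in enumerate(zip(challenge, observed)):
        if math.dist(TARGETS[name], gaze) > MAX_ERROR_DEG:
            return False, step
    return True, len(challenge)

def follow(sequence, rng, jitter=2.0):
    """Constructed gaze estimates for a subject following `sequence`."""
    return [(TARGETS[n][0] + rng.uniform(-jitter, jitter),
             TARGETS[n][1] + rng.uniform(-jitter, jitter)) for n in sequence]

def demo():
    rng = random.Random(42)   # seeded only to make the example repeatable
    challenge = issue_challenge(6, rng)
    live = follow(challenge, rng)
    # Constructed recording that answers a different (rotated) sequence.
    recorded = follow(challenge[1:] + challenge[:1], rng)
    return verify_gaze(challenge, live), verify_gaze(challenge, recorded)

if __name__ == "__main__":
    print(demo())
```

The check only has value while the sequence is unpredictable and checked against its time of issue; as the table notes, a display that reacts to the prompts in real time is outside what it can detect.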
In practice, counterfeiting an iris recognition system might be even easier than the last chapter suggests. The article 'Body Check: Biometric Access Protection Devices and their Programs Put to the Test' [Body Check] is recommended reading.
They put Panasonic's Authenticam BM-ET100 to the test and managed to counterfeit it at a complexity level of 1. The authors claim that
'[Given iris images of sufficient quality], creating a deceptive eye-patch can no longer be thought of as much of a problem as high resolution inkjet printers and mat paper cannot today be considered high-tech equipment.'
Tsutomu Matsumoto: Gummi bears defeat fingerprint sensors, [Some slides, PDF], [TheRegister], [MMYH02]
US Pat. 6280469: Implantable iris device for the eye, and method of installing same
U.S. government's central website for information about identity theft
Social Engineering: What is it, why is so little said about it and what can be done?
The Afghan Girl: [National Geographic], [Daugman]
c't magazine: 'Body Check: Biometric Access Protection Devices and their Programs Put to the Test'
Kittler et al.: Combining Evidence in Personal Identity Verification Systems
This site is maintained by Jan Ernst. All comments are welcome. If you want to submit relevant info please contact me.
Last updated: December 02, 2002