Peter Gutmann
University of Auckland
Introduction to Biometrics
A wide range of biometric traits can be employed
• Fingerprints, the most common mechanism
• Iris
• Retina
• Voiceprint
• Hand geometry
• Palm prints (vein structure analysed via IR light)
• …
Extract features of the presented trait and match the result against a stored template
• Process is lossy, matches are approximate
Two Usage Modes for Biometrics
Mode 1: Access control:
• Only this exact person is allowed in
• Primary identifier uniquely identifies someone
– Personal ID (public value)
– PIN/password (private value)
• Biometric backs up the primary ID
– 1:1-match biometric check weeds out the majority of impersonators
– Match only this one identified person and no-one else
Biometrics as a Dragnet
Can only compare traits against a database of trait characteristics
• Terrorists would have to register with the DHS in advance
Typical terrorist photo is a grainy 10-year-old B&W shot at 150m distance
• cf. problems with authenticating bin Laden videos/broadcasts
• Requires a panel of experts to authenticate even when he announces his identity and provides a long stream of video/audio
Terrorism works because no-one knows who the grunts are
• Biometrics can never catch disposable terrorists
Biometrics as a Dragnet (ctd)
Stanford University researcher Lawrence Wein found that US-VISIT had only a 53% chance of catching a terrorist who was already listed on a watch list
• Chances of catching a non-listed terrorist are 0%
No biometric system has ever caught a terrorist or serious criminal
• The laws of chance mean that they’ll eventually get one somewhere
• (We’ll never hear the end of it when they do)
[Figure: False Rejection Rate (FRR) versus False Acceptance Rate (FAR)]
Theoretical Background
Analysing false positives using the base-rate fallacy
• Apply a test for infection with the dreaded lurgy
• Test is 99% accurate
– 99 of 100 ill patients will be detected
– 99 of 100 healthy patients will be cleared
• Only 1 in 10,000 people have the disease
• Your doctor tells you that you’ve tested positive
What’s the chance that you actually have this disease?
Theoretical Background (ctd)
From Bayesian statistics we have that
$p(S|P) = \frac{p(S)\,p(P|S)}{p(S)\,p(P|S) + p(\sim S)\,p(P|\sim S)}$
where
• S = the event of being ill, p(S) its probability
• ~S = the event of not being ill
• P = the event of a positive test result
• ~P = the event of a negative test result
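Added worked example (not from the slides): the formula above as a function, run on the lurgy numbers and then on a biometric dragnet, where the prior is the fraction of travellers on the watch list, 1-FRR plays the role of p(P|S) and FAR the role of p(P|~S). The dragnet figures (listed fraction, FAR) are constructed assumptions; only the 53% catch rate comes from the slides.

```python
"""Base-rate arithmetic for the 'dreaded lurgy' test and for a biometric dragnet.
Worked example added to the slides; the dragnet inputs are constructed assumptions."""


def posterior(prior, hit_rate, false_alarm_rate):
    """Bayes' rule exactly as written on the slide:
        p(S|P) = p(S) p(P|S) / (p(S) p(P|S) + p(~S) p(P|~S))
    prior            = p(S)    fraction of the population that really is 'ill'
    hit_rate         = p(P|S)  test fires when it should (sensitivity)
    false_alarm_rate = p(P|~S) test fires when it should not
    Returns p(S|P): the chance a positive result is genuine."""
    true_pos = prior * hit_rate
    false_pos = (1.0 - prior) * false_alarm_rate
    return true_pos / (true_pos + false_pos)


def lurgy_example():
    # Slide figures: 99 of 100 ill detected, 99 of 100 healthy cleared, 1 in 10,000 ill.
    return posterior(prior=1 / 10_000, hit_rate=0.99, false_alarm_rate=0.01)


def dragnet_example(listed_fraction, frr, far):
    """Biometric dragnet: S = 'traveller is on the watch list', P = 'system alerts'.
    A 1:N match fires on a listed person with probability 1-FRR and on anyone
    else with probability FAR, so the slide's formula applies unchanged.
    Returns (p(listed | alert), expected false alerts per genuine hit)."""
    hit = posterior(listed_fraction, 1.0 - frr, far)
    return hit, (1.0 - hit) / hit


if __name__ == "__main__":
    print(f"lurgy:   p(ill | positive) = {lurgy_example():.4f}")  # about 1 in 102
    # Constructed assumptions: 1 listed person per million travellers and a FAR of
    # 1 in 1,000; FRR = 0.47 mirrors the 53% catch rate quoted on the slides.
    p, ratio = dragnet_example(listed_fraction=1e-6, frr=0.47, far=1e-3)
    print(f"dragnet: p(listed | alert) = {p:.2e}, ~{ratio:,.0f} false alerts per true hit")
```

Even with a 99% accurate test, a positive result for a 1-in-10,000 condition is genuine only about 1% of the time; in the dragnet the tiny prior swamps the match rate, which is the slide's point about watch lists.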
[Figure: the reader obtains the 20-byte Seed by reading the text on the passport’s machine-readable zone; SHA1 of the Seed with a counter (00 00 00 02) yields KEYEnc and KEYMac; 10.3 seconds]
[Figure: relay setup: Reader, Fake passport, Relay device, Victim passport]
RFID Cloning
Cloning of RFID tags is a geek sport
• Remote-read and clone a key card for business premises
(Jonathan Westhues)
Source: http://www.cq.cx/prox.pl