The risk of using any new technology needs to be evaluated. The risks to a company using a biometric device are an improvement over just the simple password used today. The risk model used needs to be one of balance. That is, one should bear in mind the tradeoff between increased security and decreased user convenience, and consider the converse as well: if you decrease security, user convenience will increase. This password paradox can be negated by the fact that a biometric device provides increased user convenience, because it relies on something the user has. As a consequence, the user no longer needs to remember his/her network password. Since that password is replaced by something the user always has, or the password is proxied on the user's behalf, this in essence increases the security of the system.

Attacks on a finger biometric system fall into the following categories:
For each type of attack, a recourse is offered.

Attacking the Physical Finger

This is the type of attack that gets the most press. We have all seen this in the movies, where the hero or villain fakes someone's fingerprints. This is normally done through the lifting of a latent print or, if the movie is more edgy, the removal of the finger itself.

Until recently, it was believed that the biggest threat in this area came from the compromise of a user's print through the user's own complicity. It was felt that to get a sufficiently detailed "fake finger," the user having his/her finger faked needed to be present and complicit. That is, he/she would need to voluntarily offer a finger for faking. This could be done through a malleable material that would conform and stick to the conspirator's finger. Thus, this attack was generally categorized in the same way as the sharing of passwords.

This view on the making of fake fingers from willing accomplices changed on January 24, 2002. At the conference for The International Society of Optical Engineering (SPIE), Tsutomu Matsumoto et al. presented a paper showing not only the creation of a fake finger from a willing participant, but also the possible clandestine duplication from a lifted print. While the procedure used by Tsutomu to make a fake finger from a willing participant was very similar to the classic technique described above, he introduced a new element for producing a fake finger from a latent print.

For the creation of a fake finger from a lifted print, Tsutomu needed a high-quality latent image. In his experiment, he retrieved his print from a flat sheet of glass on which a full impression had been left. The sheet of glass was then fumed using a cyanoacrylate compound. Cyanoacrylate is better known to the rest of us as the active adhesive agent found in glues and, if applied to the skin, will cause the skin to stick to itself.
The fact that cyanoacrylate will cause skin to adhere to just about anything makes it ideal for finding and imaging latent prints. A residual fingerprint is initially made up of water and other biological compounds. As the water evaporates, the print that is left behind is composed of amino acids, glucose, lactic acid, and other sundry biological agents. What cyanoacrylate fuming does is bond the molecules of cyanoacrylate to the residual biological agents. This new enhanced print is now easier to handle and image.

To get a very clear image of the print, Tsutomu used a high-end microscope to image the print, and then enhanced it using image software. Once the print was digitized and enhanced, he then printed it onto a transparency. Once the print was on a transparency, he then cut out the print and applied the transparency with the print on it as a mask for an ultraviolet- (UV-) etchable printed circuit board (PCB). Once the board was exposed to UV light with the fingerprint mask attached, the board was left with an image of the finger, with the ridges and valleys inverted. That is, where there should have been a ridge, there was a valley, and where there should have been a valley, there was a ridge. Once the gummy mixture was sufficiently soft, it was applied to the PCB and a proper fingerprint shape was created.

When Tsutomu had his finger, he was then able to fool a number of capacitance and optical scanners. It is interesting to note that he did not try an RF-based scanner. It is my hypothesis that the RF scanner would have been unable to image since there was no underlying ridge and valley structure to reflect the waves that would penetrate the gummy finger.

Mitigating this attack

While it is clear from the example that Tsutomu showed great ingenuity in creating a new type of fake finger that could fool a number of sensors, it also proves the adage that given enough time, money, and energy, any system can be defeated.
What the adage does not tell us is what we need to interpret. That is, how easy in the real world would it be to accomplish this? Consider the following:
As you can see, this attack is novel and has raised the bar in terms of creativity. It is also clear that the general fear, uncertainty, and doubt (FUD) around this vulnerability was truly a tempest in a teapot. The use of additional factors of authentication, alive-and-well detection, or finger challenge and response can adequately deal with this threat.

Using Artifacts

As we saw in the attack on the physical finger, the latent prints or artifacts we leave behind can be exploited. This particular attack focuses on artifacts left on the scanning device itself. It is only logical to assume that if we touch a device, we will leave some trace of us behind. This trace could then be exploited in some way to trick the biometric system into authenticating us. For this to work, the sensor would need to be fooled into thinking a new finger placement has taken place and image the artifact.

From the previous discussions on the types of imagers used, we know that RF devices require an image of the live skin below the external layer of skin on the finger. Therefore, it is very unlikely that artifacts can be used on an RF scanner. For optical and capacitance devices, it may be possible.

Artifact use on capacitance scanners normally involves tricking the scanner into thinking a finger is present. The sensor images are based on a sufficient change in capacitance. This change in capacitance is normally accomplished in the finger through its moisture content. To duplicate this with an artifact, an attacker could breathe or blow across the surface of the imager, or use a thin-walled plastic bag with water in it laid on the imager.

For an optical device to be tricked into using an artifact, it needs to have a frame snapped by the camera. Most optical systems detect the presence of a fingerprint from a change in luminance.
This can be accomplished by shining bright lights into the camera system, or by covering the platen with a hand, darkening it sufficiently to simulate a finger placement.

Mitigating this attack

What is clear from the outline of this attack is that just the presence of an artifact allows the attacker to attempt an attack. Secondly, the attacker is generally not changing the latent print. To mitigate such an attack, the following could be done:
Like physical finger attacks, artifact attacks can be easily mitigated.

Attacking the Communication Channels

If an attacker cannot compromise a system at the point of collection, the next logical spot to compromise is the communication path. If the information being transmitted could be changed so that a false positive or a false rejection occurs, the attacker has succeeded. To do this, the attacker may physically tap the line between the device and the PC. He/she could install software on the PC (Trojan software) to intercept the template before local or remote comparison. Lastly, the attacker may try to replay a previously successful authentication attempt.

Mitigating this attack

While the general principles of securing a biometric transaction are covered later in this book, for our purposes here, the following will mitigate the above risks:
The prevention of replay attacks can be accomplished through the application of some programming fundamentals and by using standard encryption schemes.

Compromising the Template

Moving up the attack food chain, if the capture and communications of the comparison template prove to be impossible, then a compromise of the stored reference template might be attempted. To modify the reference template, an attacker could attack the medium on which the template is stored, the machine providing the template, or the template itself while in transit to the comparison host.

Mitigating this attack

This attack is very similar to attacking the communications. To guard against this type of attack, some simple network security procedures can help:
Once again, some simple networking and security common sense can provide adequate protection against this type of attack.

Attacking the Fallback System

In any biometric system, there will never be 100% coverage of the user base. Additionally, some users will have biometric failings from time to time that will require them to use a different factor of authentication. These fallback systems are also open to attack. If the strongest point of a system is the biometric aspect, then an attacker will focus on the weaker parts. In general, this is the fallback system.

Mitigating this attack

Because this type of attack is very fluid and changes from biometric system to system, the best policy to adopt is to make the fallback as strong as possible. If the fallback for your users is a user ID and password, then make the password sufficiently strong to prevent easy password attacks. Also, if the user falling back is normally using biometrics, then make his/her password expire within a short period of time. That way, the chances of a successful compromise are lower. If possible, assign a token and password for fallback so that the attacker would need both of them for a fallback attack.
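
The replay protection mentioned under "Attacking the Communication Channels" can be built as a challenge-response exchange in which the comparison host accepts a template only when it is bound to a fresh, single-use nonce. The following is an added example, not code from the book; the names ComparisonHost, device_respond and NONCE_TTL and the pre-shared device key are assumptions, and it uses an HMAC for freshness and authenticity, with channel encryption left as a separate layer.

```python
import hashlib
import hmac
import os
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

def device_respond(key: bytes, nonce: bytes, template: bytes) -> bytes:
    """Device side: MAC over fixed-length nonce + template (unambiguous concat)."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()

class ComparisonHost:
    """Host side: issues single-use challenges and checks device responses."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # nonce -> time issued

    def challenge(self, now=None) -> bytes:
        nonce = os.urandom(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce, template, tag, now=None) -> str:
        now = time.time() if now is None else now
        issued = self._pending.pop(nonce, None)  # consumed on first use
        if issued is None:
            return "rejected: unknown or reused nonce"
        if now - issued > NONCE_TTL:
            return "rejected: challenge expired"
        if not hmac.compare_digest(device_respond(self._key, nonce, template), tag):
            return "rejected: bad MAC"
        return "accepted"

def demo():
    key, template = os.urandom(32), b"constructed-template-bytes"  # constructed sample
    host = ComparisonHost(key)
    n1 = host.challenge(now=1000.0)
    tag1 = device_respond(key, n1, template)
    results = [host.verify(n1, template, tag1, now=1001.0)]      # genuine attempt
    results.append(host.verify(n1, template, tag1, now=1002.0))  # captured message replayed
    n2 = host.challenge(now=1003.0)
    results.append(host.verify(n2, template, tag1, now=1004.0))  # old tag, new challenge
    n3 = host.challenge(now=1005.0)
    tag3 = device_respond(key, n3, template)
    results.append(host.verify(n3, template, tag3, now=1100.0))  # answered too late
    return results

if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the template bytes as well as the nonce, a template altered in transit fails the same check as a replayed one.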