Scientific article on the topic 'Topical issues on providing biometric system security'

Topical issues on providing biometric system security. Text of a scientific article in the specialty «Computer and information sciences»

CC BY
Keywords
BIOMETRIC INFORMATION SECURITY FEATURES / BIOMETRIC PARAMETERS / IDENTIFICATION (AUTHENTICATION) / WEAK POINTS OF THE ACCESS CONTROL SYSTEM / ONE-TIME PAD (VERNAM CIPHER)

Abstract of the scientific article in computer and information sciences; authors of the work: Knyazev V.N., Serikova Y.I.

The article deals with the problems of safe and highly reliable recognition of the identity of Information Management System (IMS) users. It gives particular attention to the topical problems of biometric system security and dwells upon the author’s approach to the problem of enhancing security in biometrics-based authentication systems. The article also touches upon the biometric technologies that can be used to provide information security, as well as their advantages and disadvantages.


Text of the scientific work on the topic «Topical issues on providing biometric system security»

DOI: 10.18454/IRJ.2016.46.105 Serikova Y.I.1, Knyazev V.N.2

1ORCID: 0000-0002-4959-321X, master's student, Penza State University;

2Candidate of Technical Sciences, associate professor, Penza State University;

TOPICAL SECURITY PROBLEMS OF BIOMETRIC AUTHENTICATION SYSTEMS

Abstract

The article raises questions of highly reliable authentication of information system users. Particular attention is paid to topical security problems of biometric authentication systems, and the authors' approach to increasing the reliability of such systems is set out. Biometric technologies that can be used to safeguard information resources (to protect the lawful rights of resource owners) are considered, along with their advantages and disadvantages.

Keywords: biometric information security tools, biometric image, authentication, vulnerabilities of access control and management systems, Vernam cipher.

Serikova Y.I.1, Knyazev V.N.2

1ORCID: 0000-0002-4959-321X, Postgraduate student, Penza State University;

2PhD in Engineering, associate professor, Penza State University;

TOPICAL ISSUES ON PROVIDING BIOMETRIC SYSTEM SECURITY

Abstract

The article deals with the problems of safe and highly reliable recognition of the identity of Information Management System (IMS) users. It gives particular attention to the topical problems of biometric system security and dwells upon the author's approach to the problem of enhancing security in biometrics-based authentication systems. The article also touches upon the biometric technologies that can be used to provide information security, as well as their advantages and disadvantages.

Keywords: biometric information security features, biometric parameters, identification (authentication), weak points of the access control system, one-time pad (Vernam cipher).

The need to protect information systems is increasing. It is driven by the rising cost of information, its importance, and the rapid development of information technologies. Information here means data, both open and protected by the state, on the military, foreign-policy, economic, intelligence, reconnaissance, investigation and other activities of the country, the unauthorized spread of which can damage national security [1].

Today one of the most important tasks to enhance information systems is to intensify the development of methods and means of data access control. Identification or authentication is one of the main functions to control data access. Biometric characteristics possess such properties as reliability, authenticity and usability.

Biometric technologies are developed for security applications in the systems of different civil and military facilities in all developed countries [2]. Biometric information security techniques are divided into three main groups: static, dynamic and complex (multimodal) (Fig.1). Static methods are based on analyzing a unique physiological parameter, dynamic ones on a behavioral feature, and complex ones combine various biological characteristics. Biometric technologies have become an essential component of both the national and the international IT market. The biometric technology most widely used today is papillary pattern recognition (43.6%). It is followed by face recognition (19%), interim biometric technologies (11.40%), hand recognition (8.8%), iris recognition (7.10%), voice analysis and multi-biometric technologies (4%), and handwriting signature (1.70%) (Fig.2).

[Figure 1: diagram of biometric information security features. Static: eye ground vascular pattern, other static biological parameters. Dynamic: handwriting signature, voice, gait, other dynamic biological parameters. Complex: various biological parameters.]

Fig. 1 - Biometric information security features

[Figure 2: chart of market shares. Surviving labels: "Biometric password privacy", iris pattern 7.10%, interim technologies 11.40%, hand geometry 8.80%.]

Fig.2 - Market distribution of biometric technologies

There is a settled view of biometric technologies today. Among the advantages of static methods is the relative simplicity of identification (users need not make any special effort or be in a particular psychological state for static parameters to be measured). But it should be noted that static methods are characterized by such essential drawbacks as the invariability and exposure of human static biometric parameters (there is a possibility of identifier forgery), the high cost of current biometric technologies and a high probability of false acceptance, with a False Acceptance Rate (FAR) at the 10⁻⁷ - 10⁻¹² level [3] (physical limits of the uniqueness of personal static parameters prevent image element recognition from being more accurate).

These drawbacks can be eliminated through the use of dynamic methods, which make it possible to change a scanned image element. It should be noted that dynamic methods are not very expensive to implement and enable (for some systems) biometric image elements to be depersonalized. However, the most serious drawback of dynamic methods is human mental and physiological instability. The advantages and disadvantages of the major biometric technologies are presented in Table 1.

Table 1 - The advantages and disadvantages of the major biometric technologies

| Biometric technology | Advantages | Disadvantages | Time for hacking an unknown biometric image element |
|---|---|---|---|
| Eye grounds vascular pattern | Singularity and originality; static algorithm reliability; forgery non-susceptibility; usability | High price (US $4000); poor accessibility of ready solutions; human factor | From 2.7 hours to 12 days |
| Iris pattern | Singularity and originality; static algorithm reliability; damage control; usability | High price (US $5000); poor accessibility of ready solutions; human factor; forgery susceptibility | From 1.5 minutes to 24 hours |
| Papillary pattern recognition (AFIS) | Singularity and originality (when minutiae are scanned); static algorithm reliability; post damage recovery; usability; low price | Dead areas (fingerprint papillary pattern is easy to damage); forgery susceptibility; environmental disturbances and human factor | From 10 seconds to 160 minutes |
| Face geometry (2D and 3D) | Singularity and originality; low price; static algorithm reliability; usability | Facial expression changes and specks spoil statistical reliability; forgery susceptibility; human factor | 0 seconds |
| Hand geometry | Singularity and originality; low price; static algorithm reliability; usability | Forgery susceptibility; human factor | 0 seconds |
| Handwriting signature | Singularity and originality; low price (a smart phone or a pad); forgery non-susceptibility; usability | Human factor | From 10¹¹ years to 10²¹ years |
| Voice | Singularity and originality; low price (a sound card and a microphone); usability | Environmental disturbances and human factor; forgery susceptibility | From 10⁵ years to 10¹³ years |

According to research data [4], of the biometric technologies gathered in Table 1, the highly reliable ones are the last two, based on handwriting recognition and voice analysis. Biometric parameters are unique identifiers, but the problems of their secure storage and protection from forgery and interception are still unsolved. A system can be hacked by exploiting the weak points of the biometric system. Biometric recognition system functionality is presented in Figure 3 [5]. All the weak points of the access control system are marked with numerals.

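[Figure 3: diagram of biometric recognition system functionality with numbered weak points. Surviving label: "unauthorized access attempt (signal)".]

Fig.3 - Weak points of the access control system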

The following types of attacks on biometric system weak points are currently known:

1. Biometric image attack;

2. Attacks through the retransmission of real-world information (interception);

3. Reference model database manipulation;

4. Attacks through reverse engineering.

Tables 2 - 5 describe, for several biometric technologies, attacks on the biometric image element and ways of repelling them.

Table 2 - Biometric iris recognition system

| Attack | Solution |
|---|---|
| Biometric image forgery | Spectrographs (disadvantage: a biological simulator can be covered with stuff which has the same reflection as a true eye) and photonic methods [6] |
| | Detection of apple of the eye small-amplitude vibration [6] |
| | Conjunctival reflex to external factors |
| | Detection of muscular tonus of the eyelid |
| | Eye micro motion analysis algorithm [6] |
| | Purkinje shift [6] |
| | Fourier spectrum analysis algorithm [7] |
| Compulsion | Identification control |
| | Support of the "reader" button to warn against system access under compulsion of a stranger |

Table 3 - Biometric papillary pattern recognition system (AFIS)

| Attack | Solution |
|---|---|
| Biometric image forgery | Support of finger temperature by measurement system [8] |
| | Support of fingertip pulse by measurement system [9] |
| | Support of image electric conduction by measurement system |
| | Support of skin dielectric resistance by measurement system [10] |
| | Doppler mapping method |
| | Vibration algorithm to biological tissue elasticity in frequency of resonance |
| | Nuclear magnetic resonance spectroscopy algorithm [11] |
| Compulsion | Identification control |
| | Support of the "reader" button to warn against system access under compulsion of a stranger |

Table 4 - Biometric face geometry (2D and 3D) recognition system

| Attack | Solution |
|---|---|
| Biometric image forgery | Spectrum analysis algorithm [12] |
| | Image depth analysis algorithm [13] |
| | Optical flow method [14] |
| | Face expression analysis algorithm [15] |
| | Gabor filters image analysis algorithm [16] |
| | "Request-response" method [17] |
| | Doppler mapping method |
| | Eyeball motion analysis algorithm [18], [19] |
| | Vibration algorithm to biological tissue elasticity in frequency of resonance |
| | The algorithm based on latent semantic analysis (LSA) and canonical correlation analysis (CCA) [20] |
| Compulsion | Identification control |
| | Support of the "reader" button to warn against system access under compulsion of a stranger |

Table 5 - Biometric voice analysis system

| Attack | Solution |
|---|---|
| Biometric image forgery | Method based on biometric image convertible action (while logging in, the system demands a different display of a biometric image property) |
| | "Reader" cryptographic chip support |
| | The algorithm based on latent semantic analysis (LSA) and canonical correlation analysis (CCA) [20] |
| | Combined method based on factor analysis, signal processing and signal description of feature [21] |
| Compulsion | Identification control |
| | Support of the "reader" button to warn against system access under compulsion of a stranger |

Present-day "readers" utilize Wiegand Protocol and Open Supervised Device Protocol (OSDP). They both meet the requirements of State Standard Specification ISO/IEC 24713-1-2013 [22]. It should be noted that these protocols have some drawbacks (Table 6).

When analyzing IMS security risks, one needs to pay attention to such an important aspect as operational protection of the database. How can a malicious hacker be prevented from gaining access to a person's biometric data? It is a difficult problem to solve, and in solving it each database management system (Oracle, MySQL, Sybase, etc.) has to be dealt with separately.

Table 6 - The advantages and disadvantages of Wiegand Protocol and Open Supervised Device Protocol (OSDP)

| Protocol | Insufficient security | Solution |
|---|---|---|
| Wiegand Protocol | No identification made | Enclosure of Handshaking Protocol (CHAP) in Wiegand Protocol |
| | | Identification session recording |
| | Easy interception | Vernam cipher traffic encryption (Claude Shannon proved absolute code resistance in 1945) |
| | Poor survivability in case of the "Man in the Middle" (MITM) attack | MQV enclosure with support of HW mutual authentication |
| OSDP | Easy interception | Vernam cipher traffic encryption (Claude Shannon proved absolute code resistance in 1945) |
| | Poor survivability in case of the "Man in the Middle" (MITM) attack | MQV enclosure with support of HW mutual authentication |
| | Elimination from heavily secured cryptographic "readers" | Enclosure of SCP in OSDP |
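The first Wiegand row of Table 6 can be shown in code. The following is an added example, not code from the article: it builds a standard 26-bit Wiegand frame and compares a plain controller with one that wraps the frame in a CHAP-style challenge-response. HMAC-SHA256 is substituted for the hash CHAP itself specifies, and the class, function names, key and card values are hypothetical.

```python
import hashlib
import hmac
import secrets


def wiegand26(facility: int, card: int) -> int:
    """Standard 26-bit frame: even parity, 8-bit facility code, 16-bit card number, odd parity."""
    data = ((facility & 0xFF) << 16) | (card & 0xFFFF)
    even = bin(data >> 12).count("1") % 2          # leading 13 bits get even parity
    odd = 1 - bin(data & 0xFFF).count("1") % 2     # trailing 13 bits get odd parity
    return (even << 25) | (data << 1) | odd


def parse26(frame: int):
    data = (frame >> 1) & 0xFFFFFF
    facility, card = data >> 16, data & 0xFFFF
    if wiegand26(facility, card) != frame:
        raise ValueError("parity error")
    return facility, card


def reader_response(key: bytes, challenge: bytes, frame: int) -> bytes:
    """Reader side: bind the frame to the controller's fresh challenge."""
    return hmac.new(key, challenge + frame.to_bytes(4, "big"), hashlib.sha256).digest()


class Controller:
    def __init__(self, allowed, reader_key: bytes):
        self.allowed, self.key, self.pending = allowed, reader_key, None

    def accept_plain(self, frame: int) -> bool:
        # Plain Wiegand: the frame is the whole credential, the sender is not identified.
        return parse26(frame) in self.allowed

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def accept_chap(self, frame: int, response: bytes) -> bool:
        challenge, self.pending = self.pending, None   # each challenge is single-use
        if challenge is None:
            return False
        expected = reader_response(self.key, challenge, frame)
        return hmac.compare_digest(expected, response) and parse26(frame) in self.allowed


def demo():
    key = secrets.token_bytes(32)                      # constructed shared secret
    ctl = Controller({(42, 1337)}, key)                # constructed facility/card pair
    frame = wiegand26(42, 1337)
    first = ctl.challenge()
    recorded = reader_response(key, first, frame)      # what a recorded session contains
    genuine = ctl.accept_chap(frame, recorded)
    ctl.challenge()                                    # next session, new challenge
    replayed_chap = ctl.accept_chap(frame, recorded)
    replayed_plain = ctl.accept_plain(frame)
    return genuine, replayed_chap, replayed_plain
```

`demo()` returns the outcome of the genuine session, of the recorded session replayed against a new challenge, and of the same frame replayed to the plain controller.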

Before enhancing database security, one should give consideration to the security of the information held in the database. There are two methods to protect database biometric reference models:

1. Transformation of biometric parameters and their cryptographic protection;

2. Storage of certain properties rather than a biometric image itself (e.g. storing only neural network weight coefficients).

The proposed solutions thereby help to enhance the biometric system efficiency and security.
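One way to realize the first method, transformation of biometric parameters, is a keyed random projection followed by binarization. This is an added example that goes beyond what the article specifies; it is not the authors' method, and the function names, keys, threshold and feature vectors are constructed for illustration.

```python
import random


def protect(features, user_key: bytes, n_bits: int = 128):
    """Keyed random projection plus sign binarization; only the bits are stored."""
    # random.Random keeps the example reproducible (assumption); a deployed
    # system would derive the projection from a cryptographic generator.
    rng = random.Random(user_key)
    bits = []
    for _ in range(n_bits):
        row = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(1 if sum(r * x for r, x in zip(row, features)) >= 0 else 0)
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def verify(stored, sample, user_key: bytes, max_dist: int = 16) -> bool:
    """Transform the fresh sample with the same key and compare in the protected domain."""
    return hamming(stored, protect(sample, user_key, len(stored))) <= max_dist


def demo():
    gen = random.Random(2016)                                # constructed sample data
    enrolled = [gen.uniform(-1, 1) for _ in range(32)]       # enrolment feature vector
    fresh = [x + gen.gauss(0, 0.02) for x in enrolled]       # same person, sensor noise
    other = [gen.uniform(-1, 1) for _ in range(32)]          # a different person
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    template = protect(enrolled, key_a)                      # what the database holds
    reissued = protect(enrolled, key_b)                      # after key_a is revoked
    return (verify(template, fresh, key_a),
            verify(template, other, key_a),
            hamming(template, reissued))
```

The third value returned by `demo()` is the distance between the old and the reissued template of the same person: a leaked template can be revoked by changing the key, which a stored raw image does not allow.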

Conclusion

Information technologies are being widely used in today's IT world. The problem of information security is thus becoming topical. New methods to protect information systems are developed every year. They help to improve the system safety and resistance. One of the ways to provide information security is identification (authentication).

The most rapidly developing information security methods are biometric ones. In spite of the fact that foreign systems more often use papillary pattern recognition, it has been found experimentally that this method cannot be used in high-level military identification systems in the field in different weather conditions [23].

We have analyzed current and prospective biometric technologies and can draw the following conclusion: handwriting signature is the safest and most reliable biometric technology. The time for hacking a biometric image element of this kind is from 10¹¹ to 10²¹ years [3,4]. Future, urgently needed research will concentrate on developing safe and highly reliable smart techniques using the solutions proposed in this article.

References

1. Serikova, Y.I. Information security in modern IMS / Y.I. Serikova, I.Y. Balashova, D.V. Taktashkin // VI Proceedings of the international scientific-technical conference - Penza: High Professional Education MSUTM them. K.G. Razumovsky -2015- P.158-160.

2. Knyazev, V.N. Improving the reliability of the authentication system by compensating for systematic error normal deviation, computational on small samples biometric parameters/ V.N. Knyazev, Y.I. Serikova // III Proceedings of the international competition - Lipetsk: Scientific partnership «Argument» - 2016 - P.55-60.

3. Akhmetov, B.S., Volchihin, V.I., Ivanov, A.I., Kartbayev, T.S., Malygin, A.Y. Highly reliable multi-biometric authentication of human-being personality to support citizens interaction with E-government and E-business // III World conference on information technology. 14-16 November, 2012, University of Barcelona, Faculty of Library and Information Science, Barcelona, Spain. P. 74 - 81.

4. Serikov, I.V. Status and prospects of development of biometric authentication technologies / I.V.Serikov, Y.I.Nikitchenko, A.A.Vakhromeev // Reliability and quality: Proceedings of the International Symposium. - 2010. -Volume 2. - P. 226-228.

5. Knyazev, V.N. Research significance multidimensional sampling in evaluating the biometric / V.N. Knyazev, Y.I. Serikova // Questions electronics. Series "display special equipment and control systems" (SOIU), 2015. - Issue 2 - P. 114-123.

6. Daugman, J.G. Iris Recognition and Anti-spoofing Countermeasures // VII International Biometrics Conference, London, 2004.

7. Daugman, J.G. High confidence personal identification by rapid video analysis of iris texture // Proc. Of the IEEE, International Carnahan conference on security technology-1992-P.50-60.

8. Osten, D.W., Carim, H.M., Areson, M.R., Blan, B.L. Biometric. Personal authentication system. Minnesota mining and Manufacturing Company: Patent US #5,719,950, February 17, 1998.

9. Lapsley, P.D., Less, J.A., Pare, D.Jr., Hoffman, N.// Anti-Fraud biometric sensor that accurately detects blood flow, Smart Touch, LLC: Patent US #5,737,439, April'7, 1998.

10. Kallo, P., Kiss, I., Podmaniczky, A., and Talosi, J.: Detector for recognizing the living character of a finger in a fingerprint recognizing apparatus, Dermo Corporation, Ltd. U.S. Patent #6,175,64, January'16, 2001.

11. Nixon, K. A., Rowe, R. K., Allen, J., Corcoran S. et al. Novel spectroscopy-based technology for biometric and liveness verification//Proc. SPIE. Biometric technology for human identification, 2004. V. 5404. P. 287-295.

12. Wang, Y., Tan, T., Jain, A. K. Live Face Detection Based on the Analysis of Fourier Spectra//Proc. SPIE. V. 5404, Biometric Technology for Human Identification. 2004. P. 296 — 303.

13. Choudhury, T., Clarkson, B., Jebara, T., Pentland, A. Multimodal person recognition using unconstrained audio and video//International Conference on AVBPA, 1999. P. 22-28.

14. Aggarwal, J. K., Nandhakumar, N. On the Computation of Motion from Sequences of Images — A Review//Proc. IEEE, 1998. V. 76. P. 917-935.

15. Bigun, J., Fronthaler, H., Kollreide, K. Assuring liveness in biometric identity authentication by real-time face tracking, CIHSPS2004//IEEE International Conference on Computational Intelligence for Homeland Security and Personal Safety, Venice, Italy, 21-22 July. P. 104-112. IEEE Catalog No. 04EX815, 2004.

16. Speakers, K.A., Spitcin, V.G., Hamker, F. Finding settings and delete the constant component of the Gabor filter for image processing/ K.A. Speakers, V. G. Spitcin, F. Hamker // Proceedings of TPU. - Tomsk: TPU, 2011. - T. 318, №5: Management. Computer Science and Informatics. - P. 57-59

17. Access the protected resource: http://www.identix.com/

18. Hyung-Keun Jee, Sung-Uk Jung, Jang-Hee Yoo. Liveness Detection for Embedded Face Recognition System//Proceedings of World Academy of Science, Engineering and Technology, 2006. V. 18. P. 29-32.

19. Deng, G., Coo, B., Miao, J., Gao, W., Zhao, D. A Liveness Check Algorithm Based on Eye Movement Model Using SVM// The Chinese Journal of Computer aided design and computer graphics (in Chinese language). 2003. V. 15. №7. P. 853-857.

20. Chetty, C., Wagner, M. Liveness detection using cross modal correlations in face-voice person authentication// INTERSPEECH-2005. 2005. P. 2181-2184

21. Access the protected resource: http://www.dslib.net/zaw-informacia/metodika-i-kompleks-sredstv-ocenki-jeffektivnosti-autentifikacii-golosovymi.html

22. Requirements of State Standard Specification ISO/IEC 24713-1-2013 «IT. Biometric profiles to interact and exchange data. Part 1. The overall architecture of a biometric system and biometric profiles».

23. Serikova, N.I., Malygin, A.Y., Volchihin, V.I., Oleynik, Y.I. «Biometrics -11-P»: A final report on the research work - Penza: High Professional Education PSU - 2012 - P. 1-64.
