Vulnerabilities of Fingerprint Authentication Systems ...

Tanjarul Islam Mishu. MS Research Student, Dept. of Computer Science & Engineering. Jatiya Kabi Kazi Nazrul Islam University. Mymensingh, Bangladesh.
International Journal of Computer Science and Information Security (IJCSIS), Vol. 16, No. 3, March 2018

Vulnerabilities of Fingerprint Authentication Systems and Their Securities

Tanjarul Islam Mishu
MS Research Student, Dept. of Computer Science & Engineering, Jatiya Kabi Kazi Nazrul Islam University, Mymensingh, Bangladesh

Dr. Md. Mijanur Rahman
Associate Professor, Dept. of Computer Science & Engineering, Jatiya Kabi Kazi Nazrul Islam University, Mymensingh, Bangladesh

https://sites.google.com/site/ijcsis/ ISSN 1947-5500

Abstract—The security of biometric fingerprints is a big challenge nowadays, as they have worldwide acceptance. Compromised fingerprint templates may raise terrible threats to their owner. Because of the vulnerabilities of fingerprint authentication systems, security issues about fingerprints have been a matter of great concern. This study summarizes the vulnerabilities of the fingerprint authentication system and highlights the types of security available against those challenges. It includes much classified knowledge about the security of fingerprint templates. This work is an endeavor to provide compact knowledge to the research community about the security issues regarding fingerprint authentication systems.

Keywords: Attacks; Vulnerabilities; Fingerprint Templates; Template Security.

I. INTRODUCTION

The fingerprint authentication system is very popular all over the world because of its uniqueness, usability, reliability, etc. It has wide application areas such as border control, airports, business, healthcare, logical access systems, criminal detection, security management, smart phones, etc. So, the security of this area is a matter of great concern, because the system is vulnerable to several attacks. Ratha [1] presented a model for possible attacks on a biometric system. The model introduced a variety of vulnerable points of the system. This work will focus on the points mentioned in the model. The motive of the present study is to detect different kinds of attacks on each point of this sophisticated model and also to identify the existing security techniques to protect against such attacks. Although several studies have been done on the attacks and the security approaches, most of them focused on attacks and solutions separately. Very few of them cover both, and they are not sufficient. They did not expose some existing rare solutions. This study will depict the whole scenario of attacks on the entire system and the securities against the attacks existing now.

This paper is organized as follows. There are eight subsections in Section 2. Each subsection first introduces the attacks, followed by the solutions against the attacks. As template database attacks contain rich data, Section 2.6 is divided into two parts. Finally, the conclusion is drawn in Section 3.

II. TYPES OF ATTACKS ON FINGERPRINT SYSTEM

Ratha et al. [1] and Anil et al. [2] showed eight points of attack in a biometric system (see Figure-1). Each point, its attacks and the corresponding solutions are explained in the following subsections.

Figure 1. Points of attack in a biometric System
[Figure: blocks Sensor, Feature Extraction, Matcher, Stored Templates and Application Devices (Accept or Reject), with attack points 1 Fake Biometric, 2 Replay, 3 Override Feature Extractor, 4 Synthesized Feature Set, 5 Override Matcher, 6 Template Database Attack, 7 Database-Matcher Channel, 8 Override Final Decision.]

A. Fake Biometric

A fake or artificial fingerprint, called a spoof, is presented to the scanner to get access to the system. The scanner is unable to distinguish between fake and genuine traits, so the intruder easily gets access to the system [2]. Putte and Keuning [3] created dummy fingerprints with and without the co-operation of the owner and tested them on several sensors. They showed that almost every sensor accepted the dummy fingerprint as real at the first attempt. Matsumoto et al. [4] experimented with gummy (fake) fingers on 11 types of different fingerprint systems. In their experiment, about 68-100% of gummy fingers were accepted by the systems in their verification procedure. They also showed the following ways an attacker may deceive the system at the scanner.


(i) Fingerprints Known to System
The actual registered finger is presented at the scanner by evil means, such as external force by criminals or using the fingerprint while the user is sleeping.

(ii) Fingerprints Unknown to System
If the imposter knows the category of the actual fingerprint (whorls, arches, loops, etc.), he may use similar fingerprints unknown to the system. Though it is almost impossible, it may harm systems which are developed on the basis of insufficient features of the fingerprint. It may affect the False Acceptance Rate (FAR) of the system. So, the authentication should be based on sufficient features.

(iii) Severed Known Fingerprints
It is similar to the known fingerprint mentioned earlier. But it is a horrible attack in which a criminal severs the finger from the real user's hand. To be protected, we should detect whether the finger is alive or not.

(iv) Genetic Clone of Known Fingerprints
Identical twins do not have the same fingerprints, because the patterns of a fingerprint are determined by the genetic mechanism and the nerve growth. So, they are not the same but still very close. So, a genetic clone may be tried to deceive the system. To be protected from this kind of threat, we should keep track of genetic engineering and the possibility of creating clones.

(v) Artificial Clone of Known Fingerprints
The attacker can make a 3D printed fingerprint or can make a mold of the known finger from which an artificial finger can be produced.

(vi) Printed Image of Known Fingerprints
This is very similar to the previous one. By spraying some material on the surface of the scanner so that it feels like an actual finger, the imposter can use a printed image of the fingerprint.

Liveness detection can be a solution to fake biometric traits. There are two separate methods: passive (non-stimulating) and active (stimulating) automated liveness detection methods [5]. Generally, passive detection techniques make use of biometric probes recorded through a biometric sensor, such as pulse measurement, temperature measurement, active sweat pore detection, skin resistance detection, electrical conductivity, etc. [16]. Active detection techniques normally require additional interactions that should be requested using challenge-response procedures. Different challenge-response approaches can be used, such as requesting different fingers in random order.

B. Replay Attack

After acquisition of raw biometric data, the system sends the raw data (e.g. the raw fingerprint image) to the feature extraction module. The imposter steals the raw biometric data by seizing the channel and stores the trait. The imposter can replay the previously stored biometric trait to the feature extraction module to bypass the sensor. Fingerprint images sent over a channel are usually compressed using WSQ. Because the compression standard is open, transmitting a WSQ-compressed image over the Internet is not particularly secure. If the image can be seized, it can be decompressed easily, which can cause Replay Old Data [1].

Data hiding techniques such as steganography can be applied when the raw image is sent to the feature extractor.

C. Override Feature Extractor

The hackers, by means of a Trojan horse, take control over the feature extractor to produce feature sets as they wish [1].

When installing or updating programs on a device, they should be verified, and one should be cautious about using third-party programs.

D. Synthesized Feature Set

If the imposter can intercept the channel between the feature extraction module and the matcher, he can replace the original set with a different synthesized feature set (assuming the representation is known to the imposter) [1]. An insecure communication channel may face the 'Hill Climbing Attack' [2].

Hill Climbing Attack

Uludag & Anil developed an attack for minutiae-based fingerprint authentication systems [6]. The location (c, r) and orientation θ of minutiae points are used by the attack. The attack works when the attacker knows the format of the templates but not the information in the templates. It uses the match score returned by the matcher and tries to generate a minutiae set that results in a matching score high enough to be positive in identification. Figure-2 describes the Hill Climbing attack.

Figure 2. Block Diagram of Hill Climbing Attack
[Figure: the Attacking System (Attack Module, Synthetic Template Generator) sends T to the Target System (Fingerprint Matcher, Application Devices, To Other Modules) and receives S( , T ).]

refers to the database template corresponding to user i , i =1, 2,3,....N , where N is the total number of user. is


the total number of minutiae in . T is the synthetic template generated by the attacking system for user i . S( , T ) is the matching score between and T . refers to the decision threshold used by the matcher. Note that the attacking system does not know this value.

At the beginning of the attack, it generates several synthetic templates. It then attacks with these templates and accumulates the matching scores returned by the matcher. It chooses the template having the highest matching score. Then it tries modifications (perturbing, adding, replacing or deleting minutiae) to get a larger match score and chooses the larger one as the best template T. This modification continues until the matcher accepts the current best score, that is, until the best score exceeds the decision threshold.

To be safe from the hill climbing attack, we can add some extra features to the matcher of the authentication system. These may include:
i) tracking the number of failures within a specific time.
ii) limiting the number of tries within a specific time.

E. Override Matcher

The hackers replace the matcher with a Trojan horse program that generates very high or low matching scores as the hackers want, regardless of the original scores [1]. The matcher is also a program like the feature extractor. Attacks on this point can be solved in a similar way to those on the feature extractor described in section 2.3.

F. Template Database Attack

(i) Type of Attacks
The template databases can lead to three kinds of threats [3] as described below.

a. Template Replaced by the Imposter's Template
The imposter can replace the original template with a new one to gain unauthorized access to the system whenever he wants, like an authorized user.

b. Masquerade/Physical Spoof Created from Templates
Minutiae information is unique to each individual. The view of non-reconstruction was dominant in the biometrics community until some recent research. Over the last few years, some works have shown that a fingerprint image can be reconstructed from a minutiae template. The fingerprint image reconstructed from the minutiae template, known as a “masquerade” image since it is not an exact copy of the original image, will likely fool the system when it is submitted [7]. In 2007, Cappelli et al. [8] did some amazing experiments. The authors analyzed the ISO/IEC 19794-2 minutiae standard template. They took different ways of test. In one experiment, they used basic minutiae information only (i.e. positions x, positions y, and directions). In another test, they also used optional information: minutiae types, Core and Delta data, and proprietary data (the ridge orientation field in this case). In their experiments, nine different systems were tested and the average percentage of successful attacks was 81% at a high security level and 90% at a medium security level. Image reconstruction with the points of attack in a fingerprint system is shown in Figure-3.

Masquerade can be a very threatening fact for the owner, because hackers may track where the owner is using the fingerprint. They may hack bank accounts and other secured accesses. They may use the masquerade on databases at other organizations to get unauthorized access, even though they use different templates and algorithms; this is called Cross-Matching.

Figure 3. Image Reconstruction (Masquerade) from stored templates
[Figure: the points-of-attack diagram of Figure 1 with the added labels Template DB Attack, Stealing Templates, Masquerade: Image Reconstruction from Template, Image used by imposter, and Cross-Matching.]

c. Stolen Templates
The imposter can steal the template and replay it on the matcher. The stolen template can be used as a synthesized feature set.

(ii) Template Protection Techniques
All the template protection techniques can be categorized into two major categories: (a) feature transformation and (b) biometric cryptosystem. Figure-4 shows a graphical representation of biometric template protection techniques. Other types of template protection techniques are watermarking [14], steganography [15], system on card/match on card [2], etc.

a. Feature Transformation
For protection, the features generated from the input image are transformed to a new form. It is not kept in real


form but rather stored in transformed form. The generated transformed form can be invertible or non-invertible.

1. Invertible Transformation (Bio Hashing)
In invertible feature transformation, the template is transformed with some parameter of the user. At the site of authentication, the template is inverted again with the secret parameters. The scheme can't provide high security without the secret transformation, because if the secret key (transformation parameters) is compromised by imposters, they can revert the template. So, the key should be secured enough [17].

2. Non-invertible Transformation (Cancellable Biometrics)
A cancellable biometrics scheme is an intentional and systematic repeatable distortion of biometric template data with the purpose of protecting it under transformation-based biometric template security. At the verification site, the query image is transformed in the same manner, then compared. In the concept of cancellable transformation, a transformed template can be cancelled and re-issued by changing the transformation parameters if a problem arises [9].

Figure 4. Attacks and Solutions on Fingerprint Authentication System.
[Figure: attack resistance techniques by attack point: Live-ness Detection (Point 1); Data Transmission Security Techniques (Point 2,4,7,8); Secure Installation & Updating of Programs (Point 3,5); Template Protection Techniques (Point 6). Template protection divides into Feature Transformation (Invertible: Biohashing; Noninvertible: Cancellable Biometrics), Biometric Cryptosystems (Key Generation: Secure Sketches & Fuzzy; Key Binding: Fuzzy Vault & Fuzzy Commitment) and Others (Watermarking, Steganography, Match on Card (For small applications)).]

b. Biometric Cryptosystems
A cryptosystem technique applied to biometric data is called a biometric cryptosystem, where a key (or keys) is used to encrypt the biometric data. The key can be generated from the biometric data itself or from external data. At the matcher, the key is used to decrypt the biometric data. Observing the literature, we divide Biometric Cryptosystems into two major parts: Key Generation and Key Binding.

1. Key Generation
At the time of enrolment, a unique key is chosen from the features extracted from the fingerprint. This key is not stored in the database [10].

A Secure Sketch reliably reproduces the biometric secret without leaking any information. It works in two phases: Generation and Reconstruction. It takes biometric data as input and creates a sketch of that data. Later, at reconstruction, the generated sketch and data sufficiently similar to the original input data (the query image) are given. Then, it reproduces the original input data. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them [11].

A Fuzzy Extractor reliably extracts almost uniform randomness R from its input. It is error-tolerant because if we deliver a different template from the same finger, R will not change. The resultant R is almost similar to the original R. This R is used as a key in cryptographic applications [9].

2. Key Binding
In key binding, the cryptographic key is tightly bound with the biometric template so that it cannot be released without a successful biometric authentication and without accessing the template directly [12]. Key binding can be categorized as Fuzzy Vault and Fuzzy Commitment.

Fuzzy Vault was first introduced by Juels and Sudan [13] as a cryptographic construct. Two sets of points are used: fuzzy unsorted points and chaff points. The unsorted


data set is taken from biometric data. Meenakshi [11] explained the fuzzy vault with a biometric system. In the fuzzy vault framework, the secret key S is locked by G, where G is an unordered set from the biometric sample. A polynomial P is constructed by encoding the secret S. This polynomial is evaluated on all the elements of the unordered set G. A vault V is constructed as the union of the unordered set G and a chaff point set C which is not in G: V = G ∪ C. The union with the chaff point set hides the genuine point set from the attacker. Hiding the genuine point set secures the secret data S and the user's biometric template T. The vault is unlocked with the query template T’. T’ is represented by another unordered set U’. The user has to separate a sufficient number of points from the vault V by comparing U’ with V. By using an error correction method, the polynomial P can be successfully reconstructed if U’ overlaps with U, and the secret S gets decoded. If there is no substantial overlap between U and U’, the secret key S is not decoded. This construct is called fuzzy because the vault will get decoded even for very close values of U and U’ and the secret key S can be retrieved. Therefore the fuzzy vault construct is more appropriate for biometric data, which possesses inherent fuzziness.
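The lock and unlock steps described above, as an added example rather than code from the paper or from Meenakshi [11]. It assumes minutiae already quantized to distinct integers in 1..65536, uses hypothetical names (`lock`, `unlock`, `demo`) and constructed sample values, and replaces the error-correction step with trying k-point subsets against a stored SHA-256 digest of S.

```python
import hashlib
import itertools
import random

P = 65537  # prime field modulus (assumption: features are quantized to 1..P-1)

def poly_eval(coeffs, x):
    """Evaluate the polynomial (lowest-degree coefficient first) at x, mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def interpolate(points):
    """Lagrange interpolation mod P; returns coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if i == j:
                continue
            # Multiply the basis polynomial by (x - xj).
            basis = [((basis[m - 1] if m else 0)
                      - xj * (basis[m] if m < len(basis) else 0)) % P
                     for m in range(len(basis) + 1)]
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for m, b in enumerate(basis):
            coeffs[m] = (coeffs[m] + scale * b) % P
    return coeffs

def digest(coeffs):
    """Check value stored beside the vault so a correct decode can be recognized."""
    return hashlib.sha256(",".join(map(str, coeffs)).encode()).hexdigest()

def lock(secret, genuine, n_chaff, rng):
    """Build V = G ∪ C: genuine points lie on the polynomial, chaff points do not."""
    vault = {x: poly_eval(secret, x) for x in genuine}
    while len(vault) < len(genuine) + n_chaff:
        x = rng.randrange(1, P)
        if x in vault:
            continue
        y = rng.randrange(P)
        if y != poly_eval(secret, x):  # a chaff point must stay off the polynomial
            vault[x] = y
    # Sorting by x removes any trace of which points were inserted first.
    return sorted(vault.items()), digest(secret)

def unlock(vault, check, query, k):
    """Return S if at least k query features select genuine vault points, else None."""
    candidates = [(x, y) for x, y in vault if x in query]
    for subset in itertools.combinations(candidates, k):
        coeffs = interpolate(subset)
        if digest(coeffs) == check:
            return coeffs
    return None

def demo():
    """Constructed data: 12 enrolled features, secret S of 5 coefficients (k = 5)."""
    rng = random.Random(2018)  # fixed seed so the example is repeatable
    secret = [4242, 17, 900, 31337, 5]
    enrolled = {1203, 2290, 3571, 4410, 5127, 6033,
                7781, 8450, 9302, 10117, 11264, 12009}
    vault, check = lock(secret, enrolled, n_chaff=120, rng=rng)
    # Same finger, noisy reading: 7 of 12 features survive, 2 are spurious.
    genuine_query = {1203, 3571, 4410, 6033, 8450, 9302, 11264, 555, 20001}
    # Different finger: only 2 features coincide, fewer than k.
    impostor_query = {1203, 2290, 40000, 41000, 42000, 43000, 44000}
    return (unlock(vault, check, genuine_query, len(secret)),
            unlock(vault, check, impostor_query, len(secret)))

if __name__ == "__main__":
    print(demo())
```

The number of chaff points and the polynomial degree set the work an attacker holding only V must do, while the stored digest lets any guess be verified offline, so both parameters have to be sized with that in mind.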

A Fuzzy Commitment scheme is one where a uniformly random key of length l bits (binary vector) is generated and used to exclusively index an n-bit codeword of a suitable error correcting code, where the sketch extracted from the biometric template is stored in a database [9].

G. Database-Matcher Channel Attack

In this type of attack, the stored templates coming from the database are modified before reaching the matcher. So, the matcher gets modified templates. Maintaining secure data transmission can solve the problem. Different error detection techniques such as parity check, checksum and cyclic redundancy checks can be used to identify whether the transmitted template has been modified or not [18].

H. Override Final Decision

The final result coming from the matcher is modified by the imposters. It changes the original decision (accept/reject) by changing the match scores. Sending the result through a trusted channel and using a secure delivery can be used to get the correct result.

III. CONCLUSION

This study conveys a prominent analysis of the vulnerabilities of the Fingerprint Authentication System at each point of the model and shows the effective security systems existing now. This work brings the vulnerabilities and securities of the fingerprint authentication system together in compact form. Different types of attack such as fake biometric, replay data, synthesized feature set and template database attacks have been explained in terms of how they occur. The paper also contains the prevention techniques against the corresponding attacks. As the template database is a very sensitive part of the system, its protection techniques have been analyzed with high significance. This paper even shows very small attempts, such as match on card, taken for the security of the fingerprint template. In the analysis, it has been learnt that an attack on the template is very severe. If the templates are compromised, the security of their owner will be violated. So, template security requires more attention from the research community. Though several types of work have been done on template security, they are not able to satisfy all the requirements such as recoverability, security, privacy, high matching accuracy, etc. So, our next work is to generate an efficient template security scheme.

REFERENCES

[1] Ratha, Nalini K., Jonathan H. Connell, and Ruud M. Bolle. “An analysis of minutiae matching strength.” International Conference on Audio-and Video-Based Biometric Person Authentication. Springer Berlin Heidelberg, 2001.
[2] Jain, Anil K., Karthik Nandakumar, and Abhishek Nagar. “Biometric template security.” EURASIP Journal on Advances in Signal Processing 2008 (2008): 113.
[3] T. Putte and J. Keuning, “Biometrical fingerprint recognition: don’t get your fingers burned”, Proc. IFIP TC8/WG8.8, Fourth Working Conf. Smart Card Research and Adv. App., pp. 289-303, 2000.
[4] Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, Satoshi Hoshino. “Impact of artificial ‘gummy’ fingers on fingerprint systems.” Proc. SPIE 4677, Optical Security and Counterfeit Deterrence Techniques IV, April 2002.
[5] Rogmann, Nils, and Maximilian Krieg. “Liveness Detection in Biometrics.” Biometrics Special Interest Group (BIOSIG), International Conference of the. IEEE, 2015.
[6] Uludag, Umut, and Anil K. Jain. “Attacks on biometric systems: a case study in fingerprints.” Proceedings of SPIE. Vol. 5306. 2004.
[7] “Fingerprint Biometrics: Address Privacy Before Deployment.” https://www.ipc.on.ca/wp-content/uploads/2008/11/fingerprintbiosys-priv.pdf, 2008.
[8] Cappelli, Raffaele, Dario Maio, Alessandra Lumini, and Davide Maltoni. “Fingerprint image reconstruction from standard templates.” IEEE transactions on pattern analysis and machine intelligence 29, No.9. 2007.
[9] Mwema, Joseph, S. Kimani, and M. Kimwele. “A Simple Review of Biometric Template Protection Schemes Used in Preventing Adversary Attacks on Biometric Fingerprint Templates.” International Journal of Computer Trends and Technology 20.1 (2015): 12-18.
[10] Khandelwal, Sarika, P. C. Gupta, and Khushboo Mantri. “Survey of Threats to the Biometric Authentication Systems and Solutions.” International Journal of Computer Applications 61.17. 2013.
[11] Meenakshi VS, “Secure And Revocable Biometric Template Using Fuzzy Vault For Fingerprint, Iris And Retina.” A Thesis Submitted To Avinashilingam Deemed University For Women Coimbatore – 641043, 2010.
[12] Huixian, Li, et al. “Key binding based on biometric shielding functions.” Information Assurance and Security. IAS'09. Fifth International Conference on. Vol.1. IEEE, 2009.
[13] Juels, Ari, and Madhu Sudan. “A fuzzy vault scheme.” Designs, Codes and Cryptography 38.2 (2006): 237-257.
[14] Patel, Monika, and Priti Srinivas Sajja. “The Significant Impact of Biometric Watermark for Providing Image Security using DWT based Alpha Blending Watermarking Technique.”
[15] Rubal Jain and Chander Kant. “Attacks on Biometric Systems: An Overview.” International Journal of Advances in Scientific Research 2015; 1(07): 283-288.
[16] M. Villa and A. Verma. "Fingerprint Recognition," in Biometrics in a Data Driven World: Trends, Technologies, and Challenges, M. Gofman and S. Mitra Eds., CRC Press, USA, pp. 265-281, 2017.
[17] Ramu, T., and T. Arivoli. "Biometric Template Security: An Overview." Proceedings of International Conference on Electronics. Vol. 65. 2012.
[18] Siwach, Ajay, Sunil Malhotra, and Ravi Shankar. "Analysis of Different Error Detection Schemes over OFDM Signal." International Journal of Engineering Trends and Technology, Volume 4, Issue 4, 2013.

AUTHORS PROFILE

Tanjarul Islam Mishu received his B.Sc. (Engg.) in Computer Science and Engineering from Jatiya Kabi Kazi Nazrul Islam University, Mymensingh, Bangladesh in 2016. Currently, he is a student in M.Sc. at the institute. His research interest is focused on Biometrics Systems, Pattern Recognition, Image Processing, and Data Mining.

Dr. Md. Mijanur Rahman has been a faculty member of the Dept. of Computer Science and Engineering, Jatiya Kabi Kazi Nazrul Islam University, Trishal, Mymensingh, Bangladesh, since April 2008 (the very beginning of the university). Now, Dr. Rahman is working as an Associate Professor of the CSE department. He also served as Lecturer and Assistant Professor in the same department. He served before as an Instructor (Tech) Computer in Govt. Polytechnic Institute from December 2005 to April 2008. Dr. Rahman obtained his B.Sc. (Hons) and M.Sc. degrees, both with first class first, in CSE from Islamic University, Kushtia, Bangladesh. He also obtained his PhD degree in Computer Science and Engineering from Jahangirnagar University, Savar, Dhaka, Bangladesh in August 2014. His teaching and research interests lie in areas such as Digital Signal Processing, Digital Speech Processing, Biometric Technology, Pattern Recognition, etc. Many of his research papers have been published in both national and international journals.
