Biometrics 1 Intro & fingerprints PV181 Laboratory of security and applied cryptography Seminar 9, 15. 11. 2017 Vlasta Šťavová, vlasta.stavova@mail.muni.cz Martin Ukrop, mukrop@mail.muni.cz Lecture structure Seminar 1 1. Introduction 2. Fingerprints 3. Hands-on: – Generate fingerprints – Fake fingerprints 4. Homework: – Fake fingerprints Seminar 2 1. Face recognition 2. Hands-on: – Face matching – Fake fingerprints validation 3. Homework: – Age estimation 2 Motivation on biometrics 3 Biometrics – introduction • Authentication based on: – something I know (e.g. password) – something I have (e.g. access card) – something I am (e.g. fingerprint) 4 • Never 100% match – FAR (false acceptance rate) – FRR (false rejection rate) Basic criteria for biometrics • Uniqueness (sufficiently different across population) • Universality (everybody has it) • Permanence (invariant in the period of time) • Collectability (possible to measure and digitalize it) • Performance (recognition accuracy should good) • Acceptability (individuals should be OK to present it) • Circumvention (hard to fake) 5 Biometrics – introduction – discussion • Physiological 6 • Behavioral – Face – Fingerprint – Palm geometry – Hand vein pattern – Eye iris – Eye retina – Ear shape – DNA – Keystrokes – Signature dynamics – Voice – Walking dynamics The beginning of anthropometry • The Bertillon system (1882) • 5–9 stable body features – Head length & breath – Middle finger & foot length – Cubit length • Categorization – small/medium/large – In total: 243 bins 7 Mugshots 8 Biometrics now (optimistic) 9 • Smartphones – Fingerprints, face • Passports – Fingerprints, face • Contract signing – Signature • Nuclear power plants :-) – Dukovany use hand geometry Biometrics now (pesimistic) 10 • Fingerprint reader EULA: The biometric (fingerprint reader) feature in this device is NOT a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or protect sensitive data, such as financial information. • Other problems – Unencrypted transfer, liveness detection, ... Biometrics soon (maybe?) • MasterCard’s Identity Check Mobile – Prove holder’s identity by fingerprint/selfie – Blinking as liveness testing. – Being introduced in 12 EU countries – Supported by Alibaba e-shop • “Selfies to kill off passwords ‘in five years’” says MasterCard. http://newsroom.mastercard.com/eu/press-releases/mastercard-makes- fingerprint-and-selfie-payment-technology-a-reality/ 11 Biometrics in the future (combined?) 12 Biometrics – basic problem? Biometrics are not secret! And cannot be changed... 13 It’s not so easy (math everywhere!) • Image quality checking • Feature detection and extraction • Storage format (irreversibility!) • Feature comparison (performance) • Matching (accuracy, threshold) • Liveness detection 14 Authentication types Verification • One to one. • Determines if person is who he claims to be. Identification • One to many • Search entire database. • Determine identity of person. What could go wrong? 15 Commercial vs. forensic use 16 Commercial • Low precision • Enrollment can be repeated • Only extracted characteristics saved • Fast and automatic Forensic • High precision • Enrollment just once • Full biometric data saved • Slower, expert interventions may be necessary How much do you trust biometrics? Would you use biometric authentication • … to access the library? • … to log in to your work computer? • … to do money transactions? • … to secure the Declaration of Independence? 17 Fingerprints Theory, technology, news, ... 18 Fingerprint characteristics 19 20 Fingerprint minutiae 21 Fingerprint authentication 22 Fingerprint classification Different approaches: • based on singular points • structure-based • frequency-based • mathematical models • machine learning methods • hybrid models • ... 23 Fingerprint readers • Various sensor types – optical, capacitive, thermal, … • Smartphone readers – Partial scanning (fewer unique features) – Liveness still an issue • iPhoneX – Only Face ID (no more the Touch ID) 24 News: TAPS • Touchscreen Sticker with TouchID (KickStarter) • Something I have instead of something I am 25 Photo © 2016 TAPS Kickstarter campaign Latent fingerprints 26 Attacks and liveness detection • Attacks – latent fingerprints, replay attacks, fake features, ... • Liveness detection (!) – testing the finger reaction to sensor stimuli – temperature measurement – skin resistance measurement – pulse/blood flow measurement 27 Seminar task Exploring possible defects in fingerprint reading 28 Fingerprint generation • Explore imperfections of fingerprint images – What can happen when touching the reader? • Use SFinGe (Synthetic Fingerprint Generator) – By Biometric System Laboratory, University of Bologna • Pre-installed on CRoCS PCs 29 Fingerprint reader • Try the real reader – Optical, 500 ppi – “Infrared filter to improve ambient light rejection.” – No liveness detection :-/ 30 Compare fingerprints • Explore fingerprint matching – Edit images with GIMP (What does it take not to match the image?) – Work with generated and/or your fingers – SFinGe: Screenshot and readjust the finger • Software here: C:\ProgramFiles\Neurotechnology\FingersAl gorithmDemo3.1\FingersAlgorithmDemo.exe 31 Homework Creating fake fingerprints 32 Creating fake fingerprints I. 1. Create visible fingerprint – Imprint onto photographic paper – Make ridges visible using carbon powder 2. Scan the fingerprint – Come to the scanner [Vlasta] 3. Clean the image – Create B/W image with clear papillary ridges – Invert colors 33 GIMP basics • Colors > Levels/Curves – Adjust the contrast • Paintbrush – Clean the surroundings • Image > Mode – Convert to B/W (not grayscale!) • Crop as necessary • Others as you see fit... • You may want single-window mode – Windows > Single-Window Mode 34 Creating fake fingerprints II. 4. Print fingerprint on transparent foil – Upload cleaned PNG file to IS (HW vault) – We’ll print it for you on foil [Martin] 5. Cover in glue – Idea: The glue will form a copy of your finger – Make a THIN layer 35 Creating fake fingerprints III. (next week, when the glue is dry) • Peel the glue off the foil – Be extra careful! – Printing ink should peel off • Try to verify the fingerprint on the reader – Enroll the tested finger – Use a different finger + fake fingerprint for verification 36