Network Security and Privacy University of Texas at 网络安全与隐私德克萨斯大学.pptVIP

Passfaces Corporation ■ 175 Admiral Cochrane Drive ■ Annapolis, Maryland 21401 ■ 1.800.682.0604 Vitaly Shmatikov CS 361S Biometric Authentication slide * Biometric Authentication Nothing to remember Passive Nothing to type, no devices to carry around Can’t share (usually) Can be fairly unique … if measurements are sufficiently accurate slide * Identification vs. Authentication Goal: associate an identity with an event Example: a fingerprint at a crime scene Key question: given a particular biometric reading, does there exist another person who has the same value of this biometric? Goal: verify a claimed identity Example: fingerprint scanner to enter a building Key question: do there exist any two persons who have the same value of this biometric? Birthday paradox! slide * Problems with Biometrics Private, but not secret Biometric passports, fingerprints and DNA on objects… Even random-looking biometrics may not be sufficiently unique for authentication Birthday paradox! Potentially forgeable Revocation is difficult or impossible slide * Forging Handwriting [Ballard, Monrose, Lopresti] Generated by computer algorithm trained on handwriting samples slide * Biometric Error Rates (Benign) “Fraud rate” vs. “insult rate” Fraud = system accepts a forgery (false accept) Insult = system rejects valid user (false reject) Increasing acceptance threshold increases fraud rate, decreases insult rate For biometrics, U.K. banks set target fraud rate of 1%, insult rate of 0.01% [Ross Anderson] Common signature recognition systems achieve equal error rates around 1% - not good enough! slide * Biometrics (1) Face recognition (by a computer algorithm) Error rates up to 20%, given reasonable variations in lighting, viewpoint and expression Fingerprints Traditional method for identification 1911: first US conviction on fingerprint evidence U.K. traditionally requires 16-point match Probability of a false match is 1 in 10 billion No successful challenges until 20