Biometric security systems that verify a person's identity by scanning fingers, hands, eyes or face are becoming more and more common. As a result, biometrics is one of the fastest growing industries. Applications for biometrics range from homeland security and physical access to various facilities to health and social services. Utilizing biometrics for personal authentication is more convenient than current methods such as passwords or PINs. Another important advantage of biometric authentication is that it links events to a user; it is also becoming socially acceptable and inexpensive. Biometric authentication requires comparing a registered or enrolled biometric sample against a newly captured biometric sample. However, biometric authentication is not perfect, and the output of a biometric authentication system can be subject to errors due to imperfections of the classification algorithm, poor quality of biometric samples, or an intruder who has tampered with the biometric authentication system. Although biometric authentication is intended primarily to enhance security, storing biometric information in a database introduces new security and privacy risks, which increase if the database is connected to a network. This is the case in most practical situations.

This thesis looks at security aspects of biometric authentication and proposes solutions to mitigate the risk of an attacker who tries to misuse biometric information or who bypasses modules of biometric systems to achieve his malicious goals. Our contribution is threefold. Firstly, we propose 3W-tree, an analysis tool used to identify critical attack scenarios for a biometric system. We apply the 3W-tree design tool to the SmartGun biometric recognition system with the purpose of identifying critical security issues. Secondly, we explore the challenges of secure template protection, which are both theoretical and practical, and we put forward solutions to some of these issues. Thirdly, we present a practical solution for secure template transfer, which should allow the transfer of biometric traits between two biometrically enabled devices when no security infrastructure is available and the users are not security experts.
|Award date|23 Oct 2008|
|Publication status|Published - 23 Oct 2008|