Biometrics and

Cryptography ---
Introduction
CPSC 4600/5600 Biometric and
Cryptography
University of Tennessee at
Chattanooga
Who are you??

2
How are people
identified?
 People’s identity are verified and
identified by three basic means:
– Something they have (identity document
or token)
– Something they know (password, PIN)
– Something they are (human body such as
fingerprint or iris).
 The strongest authentication involves
a combination of all three.
3
Person Identification
 Identifying fellow human beings has been
crucial to the fabric of human society
 In the early days of civilization, people lived
in small communities and everyone knew
each other
 With the population growth and increase in
mobility, we started relying on documents
and secrets to establish identity
 Person identification is now an integral part
of the infrastructure needed for diverse
business sectors such as banking, border
control, law enforcement.
4
Automatic Identification
Different means of automatic identification:
 Possession-based (credit card, smart
card)
– “something that you have”
 Knowledge-based (password, PIN)
– “something that you know”
 Biometrics-based (biometric identifier)
– “something about or produced by your
physical make-up”

5
Problems with Possession-
or Knowledge-based
Approaches
 Card may be lost, stolen or forgotten
– Password or PIN may be forgotten or guessed by
the imposters
 ~25% of people seem to write their PIN on their ATM
card
 Estimates of annual identity fraud damages:
– $56.6 billion in credit card transactions in U.S.
alone in 2005*
 0.25% of internet transactions revenues, 0.08%
of off-line revenues
– $1 billion in fraudulent cellular phone use
– $3 billion in ATM withdrawals
 The traditional approaches are unable to differentiate
between an authorized person and an impostor

6
 Identification Problems
 Identity Theft: Identity thieves steal
PIN (e.g., date of birth) to open credit
card accounts, withdraw money from
accounts and take out loans

3.3 million identity thefts in U.S. in

2002; 6.7 million victims of credit
card fraud

Surrogate representations of identity such as

passwords and ID cards no longer suffice

7
What are Biometrics?
 Biometrics – science, which deals with the
automated recognition of individuals (or
plants/animals) based on biological and behavioral
characteristics
 Biometry – mathematical and statistical analysis
of biological data
 Biometric system – a pattern recognition system
that recognizes a person by determining the
authenticity of a specific biological and/or
behavioral characteristic (biometric)
 Anthropometry–measurement techniques of
human body and its specific parts
 Forensic (judicial) anthropometry–identification
of criminals by these measurement techniques

8
Why Biometrics

9
Why Biometrics?

10
Mentioning the Obvious

11
Requirements for an
Ideal Biometric
Identifier
1. Universality
– Every person should have the biometric characteristic
2. Uniqueness
– No two persons should be the same in terms of the
biometric characteristic
3. Performance
– The biometric characteristic should be invariant over
time
4. Collectability
– The biometric characteristic should be measurable
with some (practical) sensing device
5. Acceptability
– One would want to minimize the objections of the
users to the measuring/collection of the biometric
12
Identifiable Biometric
Characteristics
 Biological traces
– DNA (DeoxyriboNucleic Acid), blood,
saliva,etc.
 Biological (physiological)
characteristics
– fingerprints, eye irises and retinas, hand
palms and geometry, and facial geometry
 Behavioral characteristics
– dynamic signature, gait, keystroke
dynamics, lip motion
 Combined
– voice
13
Biometrics is Not New!!
 Bertillon system (1882) took a subject's photograph,
and recorded height, the length of one foot, an arm
and index finger
 Galton/Henry system of fingerprint classification
adopted by Scotland Yard in 1900
 FBI set up a fingerprint identification division in 1924
 AFIS installed in 1965 with a database of 810,000
fingerprints
 First face recognition paper published in 1971
(Goldstein et al.)
 FBI installed IAFIS in ~2000 with a database of 47
million 10 prints; average of 50,000 searches per day;
~15% of searches are in lights out mode; 2 hour
response time for criminal search
Emphasis now is to automatically perform reliable person
identification in unattended mode, often remotely (or at a
14
distance)
 Biometrics
– A biometric authentication system uses the
physiological (fingerprints, face, hand geometry,
iris) and/or behavioral traits (voice, signature,
keystroke dynamics) of an individual to identify a
person or to verify a claimed identity.

15
Comparison of
Biometric Techniques

16
Key Biometric Terms and
Process

17
What is Biometric?

 Biometrics is the automated use of

physiological or behavioral
characteristics to determine or verify
identity.
 Automated use means using
computers or machines, rather than
human beings, to verify or determine
physiological or behavioral
characteristics.
18
Biometrics
 2 Categories of Biometrics
– Physiological – also known as static
biometrics: Biometrics based on data
derived from the measurement of a part of
a person’s anatomy. For example,
fingerprints and iris patterns, as well as
facial features, hand geometry and retinal
blood vessels
– Behavioral – biometrics based on data
derived from measurement of an action
performed by a person, and distinctively
incorporating time as a metric, that is, the
measured action. For example, voice
(speaker verification)
19
Using Biometrics
Enrollment, Verification
Recognition

20
Using Biometrics
 Process flow includes enrollment, and
verification/identification.
 Enrollment
– Person entered into the database
– Biometric data provided by a user is converted into
a template.
– Templates are stored in a biometric systems for
the purpose of subsequent comparison.

21
Verification versus
Identification

 Verification: Am I who I claim to

be?
– One to one comparison

– Verification can confirm or deny the

specific identification claim of a
person.

22
Identification versus
Verification
 Identification: Who am I?
– One to many comparison
– can determine the identity of a person
from a biometric database without
that person first claiming an identity.

23
Discussion: Verification and
Identification

 Verification system answers the

question: “Am I who I claim to be?”
 The answer returned by the system is
match or no match.
 Identification systems answers the
question: “Who am I”
 The answer returned by the system is
an identity such as a name or ID
number.
24
Discussion: Verification and
Identification

25
When are verification and
identification appropriate?
 PC and Network Security -- verification
 Access to buildings and rooms – either
verification (predominant) or
identification
 Large-scale public benefit programs –
identification
 Verification systems are generally faster
and more accurate than identification
systems.
 However, verification systems cannot
determine whether a given person is
present in a database more than once.
26
When are verification and
identification appropriate?

 Identification system requires more

computational power than verification
systems, and there are more
opportunities for an identification
system to err.
 As a rule, verification systems are
deployed when identification simply
does not make sense (to eliminate
duplicate enrollment, for instance. )
27
Total Biometrics
Market

28
Different Biometrics

29
Physiological and Behavioral
Characteristics
 Physiological or behavioral characteristics are
distinctive, which provide basic measurement
of biometrics.
 Physiological biometrics are based on direct
measurements of a part of the human body,
such as finger-scan, facial-scan, iris-scan,
hand-scan, and retina-scan.
 Behavioral biometrics are based on
measurements and data derived from an
action and therefore indirectly measure
characteristics of the human body, such as
voice-scan and signature-scan.
 The element of time is essential to behavioral30
biometrics.
DNA (Deoxyribo Nucleic
Acid)
The Ultimate Biometric
 One-dimensional unique code for one’s
individuality, but identical twins have
identical DNA patterns
 Issues limiting the utility of DNA
– Contamination
– Access
– Automatic real-time recognition issues
– Privacy issues: information about
susceptibilities of a person to certain
diseases could be gained from the DNA
pattern
31
Behavioral vs Physical
Traits
 Physical Characteristics
– Iris
– Retina
– Vein Pattern
– Hand Geometry
– Face
– Fingerprint
– Ear shape
 Behavioral Characteristics
– Keystroke dynamics
– Signature dynamics
– Walking Gait
– Voice
32
Fingerprints

33
Fingerprint Features

34
Iris Recognition: Eye

35
Iris Code

36
National Geographic
1984 and 2002

37
Retina

Every eye has its own totally unique pattern of blood

vessels.

38
Face Recognition:
Correlation

39
Face Recognition: 3D

40
Hand

41
Palm

42
Vein

43
Ear

44
Market Share

45
Biometric Applications

46
Biometric Application
 Biometric technology is used for many
applications
– Providing time and attendance
functionality for a small company
– Ensuring the integrity of a 10 million-
person voter registration database
 The benefit of using biometrics include
increased security, increased
convenience, reduced fraud or delivery
of enhanced services.
47
UCSD Biometric Soda
Machine

48
*As part of the enhanced procedures,
most
visitors traveling on visas will have two
fingerprints scanned by an inkless
device and a digital photograph
taken. All of the data and
information is then used to assist
the border inspector in determining
whether or not to admit the traveler.
These enhanced procedures will add
only seconds to the visitor’s overall
processing time.

49
National Biometric ID
Cards
U.K. to consider national biometric ID cards,
database
By Laura Rohde, COMPUTERWORLD (Nov 29, 2003)-
The U.K. government is set to consider legislation next year
for the establishment of compulsory biometric identity cards
and a central database of all U.K. subjects, it was announced
by the government this week.
The information that the government is considering for
inclusion on the card includes personal details such as a
person's home address and telephone number, his National
Insurance number (the equivalent of the U.S. Social Security
number), medical information and criminal convictions, as
well as the biometric information, most likely in the form of
an iris, fingerprint or palm print scan.

50
Access Control

51
Did You Vote?

52
Applications
 Video Surveillance (On-line or off-line)

53
Fingerprint System at Gas
Stations
“Galp Energia SGPS SA of Lisbon
won the technology innovation
award for developing a payment
system in which gasoline-station
customers can settle their bills
simply by pressing a thumb against
a glass pad. Scanning technology
identifies the thumbprint and sends
the customer's identification
information into Galp's back-office
system for payment authorization.”
THE WALL STREET JOURNAL,
November 15, 2004

54
Using Iris Scans to Unlock
Hotel Rooms

The Nine Zero hotel in Boston just installed a new

system which uses digital photos of the irises of
employees, vendors and VIP guests to admit them to
certain areas, the same system used in high-security
areas at airports such as New York's JFK.

55
Fingerprint System at
Border Crossings
“Foreigners entering the
United
State in three cities, including
Port Huron, were fingerprinted,
photographed and subjected to
background checks on Monday
in a test of a program that will
eventually be extended to
every land border crossing
nationwide.”
Lansing State Journal, Nov.
16, 2004
56
New Passports

The new passports have an

embedded
contactless (ISO 14443) “smart-card”
chip that stores personal information
and a biometric template. Two
problems: reliability and privacy

57
Want to Charge It? You'll
Have to Talk to Your Credit
Card

Beepcard, a company in California, has designed a credit card

that works only when it recognizes the voice of its rightful
owner. Enclosed in the card is a tiny microphone, a
loudspeaker and a speech recognition chip that compares
the spoken password with a recorded sample. If the voices
match, the card emits a set of beeps that authorize a
transaction over the telephone or the Internet. If the
voices do not match, the card will not beep.

The system tolerates some variations in voice to

accommodate cold or background noise. But it might not
work if there is a blaring music in the background. 58
Biometrics for
Personalization
 Automatic personalization
of vehicle settings:
– Seat position
– Steering wheel position
– Mirror positions
– Lighting
– Radio station preferences
– Climate control settings
 URLs at your fingertips
59
Domains of Application

60
Key Terms

61
Template (1)

 A template is a small file derived from the

distinctive features of a user’s biometric
data, used to perform biometric matches.
 Templates, is calculated during enrollment
or verification phase. The template be
understood as a compact representation of
the collected feature data, where useless or
redundant information is discarded.
 Biometric systems store and compare
biometric templates, NOT biometric data.

62
Template (2)

 Most template occupy less than 1 kilobyte,

and some of them are as small as 9 bytes;
size of template differs from vendor to
vendor.
 Templates are proprietary to each vendor
and each technology, and there is no
common biometric template format.
 This is beneficial from a privacy
perspective, but the lack of
interoperability deterred some would-be
users.
63
Templates

 Biometric data CAN NOT be reconstructed

from biometric templates.
 Templates are extractions of distinctive
features and not adequate to reconstruct the
full biometric image or data.
 Unique templates are generated every time a
user presents biometric data. For example,
two immediately successive placement of a
finger on a biometric device generate
entirely different templates which are
processed by vendor’s algorithm and
recognizable as being from the same person,
but are not identical.
64
Biometric Templates versus
Identifiable Biometric Data

Depending on when they are generated, templates can be

referred to as enrollment templates or match templates.
65
The two stages of a biometric
system

66
Enrollment and Template
Creation (1)

 Enrollment is a process to acquire,

assess, process, and store user’s
biometric data in the form of a template.

 Stored templates are used for

subsequent verification and
identification.
 Quality enrollment is a critical factor in
the long-term accuracy of biometric
system.
67
Enrollment and Template
Creation (2)

 Presentation is the process by which

a user provides biometric data to an
acquisition device – the hardware
used to collect biometric data.
 For example, looking in the direction
of a camera, placing a finger on a
platen, or reciting a passphrase.

68
Enrollment and Template Creation
(3)
 Biometric data are
converted to templates
through feature extraction.
 Feature extraction is the
automated process of
locating and encoding
distinctive characteristics
from biometric data in
order to generate a
template.
 Feature extraction
removes noises and
unwanted data, and
digitize biometric traits.

69
Enrollment and Template Creation
(4)
 A user may need to present biometric
data several times in order to enroll.
 Enrollment score or quality score
indicates the enrollment attempt is
successful or not.
 If the user’s biometric data contains
highly distinctive features or an
abundance of features, there will likely
be a high enrollment score.
 Vendor’s feature extraction processes
are generally patented and are always
held secret.
70
 How Biometric Matching Works

 Verification/Identification template is
compared with enrollment templates.
 The comparison renders a score, or
confident value.
 The score is compared with threshold.
 If the score exceeds the threshold,
the comparison is a match, non-
match otherwise.
71
 Biometric Algorithm

 A biometric algorithm is a recipe

for turning raw data - like physical
traits – into a digital representation
in the form of a template. It also
allows the matching of an enrolled
template with a new template just
created for verifying an identity,
called the live template.
72
Biometric Matching

 Matching is the comparison of enrolled

biometric templates with a new template
just created for verification to determine
their degree of similarity or correlation.
 In verification systems, a verification
template is matched against a user’s
enrollment template or templates
(multiple).
 In Identification systems, the verification
template is matched against dozens,
thousands, even millions of enrollment
templates.
73
Biometric Matching – Scoring

 Biometric systems utilize proprietary

algorithms to process templates and
generate scores.
 Some of them use a scale of 1 to 100,
others use a scale of -1 to 1.
 Traditional authentication methods
such as password offer on a yes’/no
response.
 In biometric system, there is no 100
percent correlation between
enrollment and verification templates.
74
Biometric Matching --Threshold

 A threshold is a predefined number, which

establishes the degree of correlation
necessary for a comparison to be deemed a
match.
 Thresholds can vary from user to user, from
transaction to transaction, and from
verification to verification attempt.
 System can be either highly secure for
valuable transaction or less secure for low-
value transaction, depending on their
threshold settings.
 Traditional authentication can not offer such
flexibility. 75
Biometric Matching -- Decision

 The result of the comparison

between the score and the
threshold is a decision.
 The decisions a biometric system
can make include match, non-
match, and inconclusive.

76
 Biometric Matching: Process
Flow
 The user submits a sample (biometric data) via an
acquisition device (for example, a scanner or camera)
 This biometric is then processed to extract information
about distinctive features to create a trial template or
verification template
 Templates are large number sequences. The trial/match
template is the user’s “password.”
 Trial/match template is compared against the reference
template stored in biometric database.

77
 Overview of Biometrics
Biometric Acquisition Device Sample Feature Extracted
Iris Infrared-enabled video camera, Black and white iris image Furrows and striations of iris
PC camera

Fingerprint Desktop peripheral, PC card, Fingerprint image (optical, Location and direction of
mouse chip or reader silicon, ultrasound or ridge endings and
embedded in keyboard touchless) bifurcations on
fingerprint, minutiae

Voice Microphone, telephone Voice Recording Frequency, cadence and

duration of vocal
pattern

Signature Signature Tablet, Motion- Image of Signature and Speed, stroke order,
sensitive stylus record of related pressure and
dynamics appearance of
measurement signature

Face Video Camera, PC camera, Facial image (optical or Relative position and shape
single-image camera thermal) of nose, position of
cheekbones

Hand Proprietary Wall-mounted unit 3-D image of top and Height and width of bones
sides of hand and joints in hands and
fingers

Retina Proprietary desktop or wall Retina Image Blood vessel patterns and
78
mountable unit retina
 Strengths, Weaknesses and
Usability of Biometrics
Biometric Strengths Weakness Usability
Iris  Very stable over time  Potential user resistance  Information security
 Uniqueness  Requires user training access control,
 Dependant on a single especially for
vendor’s technology Federal Institutions and
government
agencies
 Physical access
control (FIs and
government)
 Kiosks (ATMs and
airline tickets)
Fingerprint  Most mature biometric  Physical contact required (a  IS access control
technology problem in some cultures)  Physical access
 Accepted reliability  Association with criminal control
 Many vendors justice  Automotive
 Small template (less  Vendor incompatibility
than 500 bytes)  Hampered by temporary
 Small sensors that can physical injury
be built into mice,
keyboards or portable
devices
Optical  Most proven over time  Large physical size
 Temperature stable  Latent prints
 CCD coating erodes with age 79
 Durability unproven
 Strengths, Weaknesses and
Usability of Biometrics
Biometrics Strengths Weakness Usability

Silicon  Small physical size  Requires careful enrollment

 Cost is declining  Unproven in sub optimal
conditions
Ultrasound  Most accurate in sub  New technology, few
optimal conditions implementations
 Unproven long term
performance
Voice  Good user  Unstable over time  Mobile phones
acceptance  Changes with time, illness  Telephone banking
 Low training stress or injury and other automated
 Microphone can be  Different microphones call centers
built into PC or generate different samples
mobile device  Large template unsuitable
for recognition

Signatures  High user acceptance  Unstable over time  Portable devices with
 Minimal training  Occasional erratic stylus input
variability  Applications where a
 Changes with illness, stress “wet signature”
or injury ordinarily would be
 Enrollment takes times used. 80
 Strengths, Weaknesses and
Usability of Biometrics
Biometric Strengths Weakness Usability
s
Face  Universally  Cannot distinguish  Physical access
present identical siblings control
 Religious or cultural
prohibitions
Hand  Small template  Physical size of  Physical access
(approximately acquisition device control
10 bytes)  Physical contact  Time and
 Low failure to required attendance
enroll rate  Juvenile finger growth
 Unaffected by  Hampered by temporary
skin condition physical injury

Retina  Stable over time  Requires user training  IS access control,

 Uniqueness and cooperation especially for high
 High user resistance security
 Slow read time government
 Dependent on a single agencies
vendor’s technology  Physical access
control (same as
IS access control)
81
Accuracy in Biometric
Systems
How to Evaluate Performance
of a Specific Technology?

 False acceptance rate

 False rejection rate
 Failure-to-enroll rate
 No single metric indicates how well
a biometric system or device
performs: Analysis of all three
metrics is necessary to assess the
performance of a specific
technology.
83
False Acceptance Rate

 If John Smith enters Jane Doe’s username or

ID, presents biometric data, and successfully
matching as Jane Doe.
 This is classified as false acceptance.
 The probability of this happening is referred
to as false acceptance rate (FAR)[ stated as:
percentage, fraction]
 This is because two people have similar
enough biometric characteristics – a
fingerprint, a voice, or a face – that the
system finds a high degree of correlation
between the users’ template.
84
False Acceptance Rate

 FAR can be reduced by adjusting the thresholds

but the false rejection rate will increase.
 A system with a false acceptance rate of 0
percent, but false rejection rate of 50 percent,
is secure but unusable.
 False acceptance rate is the most critical
accuracy metric because an imposter break-in
will certainly be a more attention-getting event
than other failings of a biometric system.
 The most important false match metric in real-
world deployments is the system false match
rate.
85
False Rejection Rate

 If John Smith enters his username or ID,

presents his biometric data to a biometric
system, and fails to match.
 This is classified as false rejection.
 The probability of this happening is the false
rejection rate (FRR).
 This can be attributed to changes in user’s
biometric data, changes in how a user
presents biometric data, and changes in the
environment in which data is presented.
 High FRR will result in lost productivity,
frustrated users, and an increased burden on
help desk or support personnel.
86
Reasons of FRR

 Changes in user’s biometric data

– Voice-scan system is influenced by
sore throats
– Facial-scan system is affected by
changes in weight
– Fingerprint changes over time,
scars, aging and general wear.

87
Acceptance and Rejections

 If someone else is trying to verify as

you, the system would try to match the
two templates.
– If the two templates were to match – this is
classified as false acceptance.
– If your authentication template fails to
match your enrolled template, then this is
referred to as a false rejection.
– If you are new and fail to enroll to a
biometric system, this is called – failure to
enroll (FTE). 88
Accuracy Rates

 Single False Acceptance Rate vs.

System False Acceptance Rate
– If the FAR is 1/10,000 but you have
10,000 templates on file — odds of a
match are very high
 Ability to Verify (ATV) rate:
– % of user population that can be
verified
– ATV = (1-FTE)(1-FRR)
89
 • Cost/benefit analysis of
Receiver operating decision making.
characteristic (ROC) • Tradeoff b/w true acceptance
Curve rate and false rejection rate.

True acceptance
Legitimate users
get accepted.
rate

Legitimate users False rejection rate 90

get rejected.
91
92