Graphics and security: exploring visual biometrics

Biometrics technology has come a long way from simpler forms of systems security. But are biometrics-based systems more secure or do they simply require crackers to become more proficient at breaking into systems? To recognize your fingerprint requires that a template of your fingerprint actually be present in the system that verifies your access. If you want to pass as somebody else, presumably you'd have to either have that person's finger with you or you'd need to change the verifying template residing in the system that verifies your print. Cracking into a system and replacing a legitimate print with your own isn't easy to do unless the system's security is poor. While biometric proponents stress the strength of their proprietary technologies or biometrics in general, no system is ever completely secure. Contrary to what many biometric proponents would have us believe-that biometric security outclasses traditional forms of security-all biometric systems are, after all, another form of computer security with its own set of strengths and weaknesses. Biometrics effectively trade some amount of privacy and cost effectiveness for ultimate convenience-and these systems are certainly no less secure than standard password systems. Password systems are cheap. Complex biometric scanning equipment is usually expensive. But biometrics seems to be where the industry is headed.     

Biometrics in Identity Management Systems

Biometric technology - the automated recognition of individuals using biological and behavioral traits - has been presented as a natural identity management tool that offers "greater security and convenience than traditional methods of personal recognition." Indeed, many existing government identity management systems employ biometrics to assure that each person has only one identity in the system and that only one person can access each identity. Historically, however, biometric technology has also been controversial, with many writers suggesting that biometrics invade privacy, that specific technologies have error rates unsuitable for large-scale applications, or that the techniques "are useful to organizations that regulate the individual, but of little use where the individual controls identification and authorization." Here, I address these controversies by looking more deeply into the basic assumptions made in biometric recognition. I'll look at some example systems and delve into the differences between personal identity and digital identity. I'll conclude by discussing how those whose identity is managed with biometrics can manage biometric identity management.     

Abstracts & Commentary

Abstract

Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?     

An introduction evaluating biometric systems

On the basis of media hype alone, you might conclude that biometric passwords will soon replace their alphanumeric counterparts with versions that cannot be stolen, forgotten, lost, or given to another person. But what if the actual performance of these systems falls short of the estimates? The authors designed this article to provide sufficient information to know what questions to ask when evaluating a biometric system, and to assist in determining whether performance levels meet the requirements of an application. For example, a low-performance biometric is probably sufficient for reducing-as opposed to eliminating-fraud. Likewise, completely replacing an existing security system with a biometric-based one may require a high-performance biometric system, or the required performance may be beyond what current technology can provide. Of the biometrics that give the user some control over data acquisition, voice, face, and fingerprint systems have undergone the most study and testing-and therefore occupy the bulk of this discussion. This article also covers the tools and techniques of biometric testing     

Special issue on out-of-box experience and consumer devices

“Computer equipment is hard to choose, install, maintain, and, especially, operate” (Landauer 1995 In: The trouble with computers: usefulness, usability, and productivity). How many cables did you have to connect (and organise) before the personal office system was properly installed and put into use? How many set-up procedures and agreements did you have to complete before you could access your e-mail with your mobile phone or PDA? Did you lose any documents or applications when you replaced your old computer with a new one? Computers, mobile devices and information technology products are sometimes difficult to put into use because of the several operations required prior to their first use.     

模糊逻辑在人脸特征保护算法中的应用

随着人脸识别在门禁、视频监控等公共安全领域中的应用日益广泛,人脸特征数据的安全性和隐私性问题成为备受关注的焦点。近年来出现了许多关于生物特征及人脸特征的安全保护算法,这些算法大都是将生物特征数据转变为二值的串,再进行保护。针对已有的保护算法中将实值的人脸特征转换为二值的串,从而导致信息丢失的不足,应用模糊逻辑对人脸模板数据的类内差异进行建模,从而提高人脸识别系统的性能。给出了算法在CMU PIE的光照子集、CMU PIE带光照和姿势的子集和ORL人脸数据库中的实验结果。实验表明,该算法能够进一步提高已有安全保护算法的识别率。     

Biometrics: a tool for information security

Establishing identity is becoming critical in our vastly interconnected society. Questions such as "Is she really who she claims to be?," "Is this person authorized to use this facility?," or "Is he in the watchlist posted by the government?" are routinely being posed in a variety of scenarios ranging from issuing a driver's license to gaining entry into a country. The need for reliable user authentication techniques has increased in the wake of heightened concerns about security and rapid advancements in networking, communication, and mobility. Biometrics, described as the science of recognizing an individual based on his or her physical or behavioral traits, is beginning to gain acceptance as a legitimate method for determining an individual's identity. Biometric systems have now been deployed in various commercial, civilian, and forensic applications as a means of establishing identity. In this paper, we provide an overview of biometrics and discuss some of the salient research issues that need to be addressed for making biometric technology an effective tool for providing information security. The primary contribution of this overview includes: 1) examining applications where biometric scan solve issues pertaining to information security; 2) enumerating the fundamental challenges encountered by biometric systems in real-world applications; and 3) discussing solutions to address the problems of scalability and security in large-scale authentication systems.     

Building an international security standard

The Common Criteria for Information Technology Security Evaluation standard (CC) promises to replace scattered and often conflicting regional and national security standards. An emerging international standard, it is intended to support developers, evaluators and consumers of security products. The CC provides a framework to rate products by evaluation assurance level (EAL). Each EAL embodies a recommended set of assurance requirements: the higher the EAL, the more secure the product. You can use EALs to pick and choose which assurance requirements you want to satisfy. Think of the EALs as you would think of bandwidth or processor speed. Not everyone in your organization needs a dedicated T3 line or a 450 MHz desktop. Likewise, not every security product you use needs an EAL7 rating. The article shows how you, as a security products consumer, can use the CC to help determine if a given product meets your security needs. By rating different products according to their EALs, the CC can help you comparison shop and select an appropriately secure product. Further, the standard's international scope can help you integrate your system's security components with those in other countries-whether those components belong to customers, vendors, or other divisions of your own enterprise     

Culture & biometrics: regional differences in the perception of biometric authentication technologies

Previous research has identified user concerns about biometric authentication technology, but most of this research has been conducted in European contexts. There is a lack of research that has investigated attitudes towards biometric technology in other cultures. To address this issue, data from India, South Africa and the United Kingdom were collected and compared. Cross-cultural attitudinal differences were seen, with Indian respondents viewing biometrics most positively while respondents from the United Kingdom were the least likely to have a positive opinion about biometrics. Multiple barriers to the acceptance of biometric technology were identified with data security and health and safety fears having the greatest overall impact on respondents’ attitudes towards biometrics. The results of this investigation are discussed with reference to Hofstede’s cultural dimensions and theories of technology acceptance. It is argued that contextual issues specific to each country provide a better explanation of the results than existing theories based on Hofstede’s model. We conclude that cultural differences have an impact on the way biometric systems will be used and argue that these factors should be taken into account during the design and implementation of biometric systems.     

A study of executives' use of biometrics: an application of theory of planned behaviour

Biometrics has become an important alternative in user authentication to a system. The Brunei Government has embarked on various e-government projects. Some of these projects embed biometric mechanism for authentication. The acceptance of biometric security services appears to be affected by several factors, some of which may be the personal attitude of the users, influences of normality and context in which it is used. The study focuses on 155 executives from the 10 ministries of Brunei Darussalam to explore the behavioural intent of the executives towards biometrics through their attitudes. The theory of planned behaviour (TPB) was used as a reference framework, to understand the intention of using biometrics. The data analyses through Smart-PLS suggest that government officers’ attitudes towards biometrics is a predictor of behavioural intention, whereas, subjective norms is a predictor of attitude, perceived behavioural control, behavioural intention and behaviour, i.e. the use of the biometric technology. The implications of these findings are discussed and some conclusions are drawn.     

Red-Eye Blink, Bendy Shuffle, and the Yuck Factor: A User Experience of Biometric Airport Systems

When people find security systems difficult or unacceptable, it can result in bottlenecks, excessive operation costs, and shortcuts or workarounds that undermine security. Since 2001, airports worldwide have deployed an increasing number of security systems with biometric recognition. Some operate behind the scenes, for airport staff or cabin crew use. Airports have been deploying biometrics for travelers, too. Some systems are voluntary, whereas others are required, and store travelers' biometric characteristics for inspection or record. Biometric systems should have user-friendly, intuitive interfaces that guide users in presenting necessary traits. Thus, we must ask whether current biometric systems in airports are usable.     

Dual-key-binding cancelable palmprint cryptosystem for palmprint protection and information security

Biometric cryptosystems and cancelable biometrics are both practical and promising schemes to enhance the security and privacy of biometric systems. Though a number of bio-crypto algorithms have been proposed, they have limited practical applicability because they lack of cancelability. Since biometrics are immutable, the users whose biometrics are stolen cannot use bio-crypto systems anymore. Cancelable biometric schemes are of cancelability; however, they are difficult to compromise the conflicts between the security and performance. By embedded a novel cancelable palmprint template, namely “two dimensional (2D) Palmprint Phasor”, the proposed palmprint cryptosystem overcomes the lack of cancelability in existing biometric cryptosystems. Besides, the authentication performance is enhanced when users have different tokens/keys. Furthermore, we develop a novel dual-key-binding cancelable palmprint cryptosystem to enhance the security and privacy of palmprint biometric. 2D Palmprint Phasor template is scrambled by the scrambling transformation based on the chaotic sequence that is generated by both the user's token/key and strong key extracted from palmprint. Dual-key-binding scrambling not only has more robustness to resist against chosen plain text attack, but also enhances the secure requirement of non-invertibility. 2D Palmprint Phasor algorithm and dual-key-binding scrambling both increase the difficulty of adversary's statistical analysis. The experimental results and security analysis confirm the efficiency of the proposed scheme.     

A fast feature selection technique in multi modal biometrics using cloud framework

Biometrics refers to the process that uses biological or physiological traits to identify individuals. The progress seen in technology and security has a vital role to play in Biometric recognition which is a reliable technique to validate individuals and their identity. The biometric identification is generally based on either their physical traits or their behavioural traits. The multimodal biometrics makes use of either two or more of the modalities to improve recognition. There are some popular modalities of biometrics that are palm print, finger vein, iris, face or fingerprint recognition. Another important challenge found with multimodal biometric features is the fusion, which could result in a large set of feature vectors. Most biometric systems currently use a single model for user authentication. In this existing work, a modified method of heuristics that is efficiently used to identify an optimal feature set that is based on a wrapper-based feature selection technique. The proposed method of feature selection uses the Ant Colony Optimization (ACO) and the Particle Swarm Optimization (PSO) are used to feature extraction and classification process utilizes the integration of face, and finger print texture patterns. The set of training images is converted to grayscale. The crossover operator is applied to generate multiple samples for each number of images. The wok proposed here is pre-planned for each weight of each biometric modality, which ensures that even if a biometric modality does not exist at the time of verification, a person can be certified to provide calculated weights the threshold value. The proposed method is demonstrated better result for fast feature selection in bio metric image authentication and also gives high effectiveness security.     

生物特征数据安全保护技术的发展

生物特征识别相对于传统的身份识别更安全和便捷.随着生物特征识别系统的广泛应用,生物特征数据的安全性和隐私性日益得到重视.生物特征数据的安全保护技术,主要包括生物特征加密(Biometric Salting)、生物特征密钥生成(Biometric Key Generation)、Fuzzy Schemes等几大类.通过重点分析这几类方法中的具有代表性的算法,来讨论生物特征数据的安全保护技术的研究及其发展,并进一步指出进行生物特征安全保护技术理论与应用研究的发展方向.     

Biometric recognition: security and privacy concerns

Biometrics offers greater security and convenience than traditional methods of personal recognition. In some applications, biometrics can replace or supplement the existing technology. In others, it is the only viable approach. But how secure is biometrics? And what are the privacy implications?.     

Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets

As a software engineer or client, how much of your budget should you spend on software security mitigation for the applications and networks on which you depend? The authors introduce a novel way to optimize a combination of security countermeasures under fixed resources. Software engineers and their customers continuously face a complex and frustrating decision: given a fixed budget, which combination of vulnerability mitigation actions produces optimal system security? In a world without budgetary or temporal constraints, engineers could invest in whatever tools or training they deemed necessary to safeguard applications and networks. Or they could spend arbitrary amounts of time and money patching existing code and take painstaking precaution in writing new software to ensure its security. Of course, the economic reality is that software engineers are pushed to get their product to market as fast as possible, and security is often a distant priority in the face of budgetary constraints. However, fixing any remaining security vulnerabilities postproduction can be both costly and wasteful. In this article, we describe a novel methodology for quantitatively optimizing the blend of architectural and policy recommendations that engineers can apply to their products to maximize security under a fixed budget. The results of our optimization are sometimes surprising and even counterintuitive: bigger budgets don't always produce greater security, and the optimal combination of corrective actions changes nonlinearly with increasing expenditures. These findings suggest that some form of formal decision support could augment traditional methods.     

A survey of biometric technology based on hand shape

Automated biometric systems have emerged as a more reliable alternative to the traditional personal identification solutions. One of the most popular biometrics is hand shape due to its ease of use, non-intrusiveness and public acceptance. This paper presents a survey of the technology used in hand shape-based biometric systems. We first review the component modules including the algorithms they employ. Next we discuss system taxonomies, performance evaluation methodologies, testing issues and US government evaluations. A summary of the accuracy results reported in the literature is also provided. We next describe some of the commercial hand shape biometric systems as well as some recent successful deployments. Finally, we mention a few limitations of the hand shape biometric and give some directions for future research.     

Patch Management

Imagine this scenario. As a security manager for your organization, your responsibilities include analyzing and applying patches to all Windows servers across the enterprise. Your process is going to each machine and manually evaluating what patches are missing and installing the most critical security patches as soon as possible. How long does this take? One hour per server? Two hours? Maybe more? How many patches are critical? How often do you do it? And, how many servers do you have? It doesn’t take long to do the math to realize that your battle may be a futile one to keep up with the most critical, let alone every, patch that’s released.     

Secure-OSCAR中基于PKI的生物身份认证的设计

个体的生物特征的唯一性和“不可伪造性”使得它很适合于身份认证。生物信息本来是不保密的,所以不能象使用口令一样来使用它,否则将不能提高反而会降低系统的安全性。公钥机制(PKI)也被广泛应用于用户身份认证中,但它是基于私钥的安全性的,不可避免地存在冒用私钥的威胁。论文提出一个结合生物技术与PKI技术的认证方式的设计,具体描述了它在Secure-OSCAR中的实现。     

一种单因子的可撤销生物特征认证方法

将令牌化随机数作为外部因子的双因子可撤销生物特征认证方法存在令牌泄露、丢失等安全威胁. 本文提出了一种生物特征作为唯一输入的解决方法, 即单因子的可撤销生物特征认证方法. 首先, 利用扩展的特征向量, 通过预定义的滑动窗口和哈希函数随机化生成二进制种子; 然后替换不同的辅助数据来生成可撤销模板; 最后, 由查询生物特征向量对辅助数据进行解码, 提高了性能和安全性. 在指纹数据库FVC2002和FVC2004的实验结果表明, 该方法不仅满足可撤销生物特征识别的4个设计标准, 同时防御了3种安全攻击.