It is true that the basic biometric features cannot be changed, though in some cases,
alternatives may be available (e.g. different fingers). However the simplicity of the
headline argument conceals some more complex and subtle issues. We need to
understand what can be compromised, examine a number of scenarios where
compromise might occur and identify what measures may be taken to counter them.
Compromise through use of an artefact
Here we are referring to the exploitation of the source biometric feature (which is
generally not secret anyway) through the capture of the feature and the construction of
an artefact with similar characteristics. The two issues are:
· How easy is it to capture the features?
· How easy is it to construct an artefact that can spoof the biometric system?
If successful, then, at a minimum, that user on that system is compromised. But the
situation is actually worse than that, because once the system has been shown to be
vulnerable to spoofing, every enrolled user is at risk of compromise in the same way.
Re-enrolling the compromised user (using an alternate feature if available) will not
resolve the fundamental problem. Other biometric systems using the same technology
may also be vulnerable, which further increases the scope of the potential problem.
Compromise through capture/replay
If undetected, this attack may be used repeatedly and will compromise that user on
that system. However, once in place, other users on the compromised connection may
also be captured and the compromised set of users is liable to grow. Once
discovered, the attack may be disabled for all compromised users, provided that the
capture devices can be protected in future from similar attacks.
Various countermeasures are possible including physical hardware protection,
variable signal encryption and challenge/response operation.
Compromise of template integrity
A template compromise may involve the replacement or modification of the stored
biometric template of an enrolled user to substitute the template of an unauthorised
user, or the addition of the template of an unauthorised user. In the former case, the
impostor would assume the identity of an authorised user and be able to perform any
actions permitted to that user. However the authorised user would thereafter be unable
to access the system and this may lead to the discovery of the compromise.
Biometric Security Concerns produced for the UK Biometric Working Group. Last updated September 2003
Adding a new template would effectively illegally enrol the impostor on the system.
Existing users would be unaffected, which may lessen the chance of detection. In order
for this form of attack to be successful the integrity of the template database would
have to be seriously undermined.
Solutions
Solutions to the spoofing compromise include supervised operation and liveness
detection built into the biometric system.
Countermeasures to template integrity compromise include access control measures
to templates and cryptographic protection of templates, either through check-summing
(integrity) or data encryption (integrity and confidentiality).
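The check-summing countermeasure above, as an added example that is not part of the original document: a keyed checksum binds each template to the user id it was enrolled under, and a second tag over the set of enrolled ids flags added records. HMAC-SHA256, the key, the user ids and the template bytes are assumptions constructed for illustration; the document names no algorithm.

```python
import hashlib
import hmac

# Constructed demo key (assumption): in practice it is held outside the template store.
MAC_KEY = b"constructed-demo-key-not-for-production"


def _mac(*parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(MAC_KEY, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def seal_record(user_id: str, template: bytes) -> dict:
    """Bind the template to the identity it was enrolled under."""
    return {"template": template, "tag": _mac(b"rec", user_id.encode(), template)}


def seal_manifest(db: dict) -> bytes:
    """Tag over the sorted set of enrolled ids; changes when a record is added or removed."""
    return _mac(b"set", *(uid.encode() for uid in sorted(db)))


def audit(db: dict, manifest_tag: bytes) -> list:
    """Return a list of findings; an empty list means the store verified."""
    findings = []
    if not hmac.compare_digest(seal_manifest(db), manifest_tag):
        findings.append("enrolment set changed")
    for uid, rec in sorted(db.items()):
        expected = _mac(b"rec", uid.encode(), rec["template"])
        if not hmac.compare_digest(expected, rec["tag"]):
            findings.append(f"record mismatch: {uid}")
    return findings


def build_demo():
    """Constructed two-user store plus its manifest tag."""
    db = {"alice": seal_record("alice", b"\x01\x02\x03\x04"),
          "bob": seal_record("bob", b"\x0a\x0b\x0c\x0d")}
    return db, seal_manifest(db)


if __name__ == "__main__":
    db, tag = build_demo()
    db["mallory"] = dict(db["bob"])  # record added without the key
    print(audit(db, tag))
```

The manifest tag has to be recomputed by the enrolment process on every legitimate enrolment, and neither tag detects a rollback of the whole store to an earlier sealed state.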
Cancellable biometrics have been proposed, where the biometric image is distorted
in a repeatable but non-reversible manner before template generation. If the biometric
is compromised, the distortion characteristics are changed, and the updated image is
mapped to a new template which is used subsequently.
Security evaluation will be necessary to determine the assurance that the measures
employed provide against these forms of compromise.