Biometrics into the NET with Smartphones

From IIW

Biometrics into the Net with Smart Phones / Why not use Biometrics for the Internet? (T5D)

Convener: Shin, Takashima, Yamada

Notes-taker(s): Christopher Arnold

Tags for the session - technology discussed/ideas considered:

Toshiba - Biometric data transfer over the internet


ACBio - International Standard

Internet enabler for Biometrics

Smartphone for authentication device


Authentication Context for Biometrics

Data format standard for biometric authentication over the internet

Toshiba initiated the work; standardized in May 2009


Fingerprint, finger vein, palm vein, and facial image used as identity verifiers


Biometrics currently used for passports, driver's licenses, and ATMs (in Japan)


But not supported on the internet as a widely used protocol. Why?


Other approaches:

Passwords get attacked by phishing, key logging, and impersonation using stolen passwords

Passwords get forgotten


Device-paired authentication:

For tokens, tamper resilience is good. But an IC card can be stolen together with its PIN, and PINs are forgotten as often as passwords


Biometrics: good against impersonation, good operationally (nothing to remember or carry). Without ACBio, weak on the internet.

Q: There is an "equal error rate" for passwords. False negatives and false positives are equal. So that's why we still use passwords today.


ACBio defines the data format for the evidence data of a biometric authentication


Biometrics typically not used on the internet. Why?

Unfair-use case, as in music: a compromised device or inappropriate rights

Need to block special devices used to impersonate others

Possible leakage of biometric data from a site?

Should user register biometric info for each service?


With ACBio, binary evidence information is sent securely over the internet to a verification server.


Debate: security of the hashes, and where the pairing of the evidence with the stored biometric reference takes place.


Slide Notes:

Stored template (portable device, IC card) is compared against the sample data.

Client application captures the data; the result is sent to the server, then validated against the ACBio validation server.

Two streams are combined: the evidence data from the device and the sample are paired.

The comparison result is validated afterwards.


Q: Passwords can have an untrusted device and use the hash algorithm?

X.509 certificate of the BPU

Report on the BPU

Control value block

Challenge

Biometric process block

Data type and hash value of input

Data type and hash value of output

BRT certificate information block

Certificate for the registered template

Challenge from the validator, to prevent replay attacks.


Definitions:

BPU=Biometric processing Unit

BRT=Biometric Reference Template


Means to block compromised devices across all systems that use the central revocation list
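The slide blocks above (BPU identity, report on the BPU, validator challenge, biometric process block with input/output hashes, BRT certificate information) and the central revocation list describe a verifiable evidence record. The following is an added, illustrative example, not code from the session or from ISO/IEC 24761, of how a validator would check such a record: it consumes the challenge so a replayed record is rejected, checks the BPU against the revocation list, verifies the hash chain between process steps, and matches the BRT reference against its enrolled template. The X.509 signature of the BPU is stood in for by an HMAC key shared with the validator, and all identifiers, keys, and sample bytes are constructed assumptions.

```python
"""Illustrative ACBio-style evidence validation (added example, not standard code)."""
import hashlib
import hmac
import json
import secrets
import time

# --- constructed sample setup: stand-ins, not real deployment data ---
BPU_KEYS = {"bpu-demo-001": secrets.token_bytes(32)}   # stands in for the BPU's X.509 key pair
REVOKED_BPUS = set()                                    # the central revocation list
REGISTERED_BRT = {"brt-42": hashlib.sha256(b"enrolled-template-bytes").hexdigest()}


def canonical(obj):
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Validator:
    def __init__(self, challenge_ttl=30.0):
        self.ttl = challenge_ttl
        self.outstanding = {}   # challenge -> issue time (monotonic seconds)

    def issue_challenge(self):
        c = secrets.token_hex(16)
        self.outstanding[c] = time.monotonic()
        return c

    def validate(self, evidence):
        """Returns (accepted, reason). Order matters: cheap rejections first."""
        bpu = evidence["bpu_id"]
        if bpu in REVOKED_BPUS:
            return False, "bpu revoked"
        key = BPU_KEYS.get(bpu)
        if key is None:
            return False, "unknown bpu"
        body = {k: v for k, v in evidence.items() if k != "signature"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["signature"]):
            return False, "bad signature"
        # Consume the challenge: a second record with the same challenge is a replay.
        issued = self.outstanding.pop(evidence["challenge"], None)
        if issued is None:
            return False, "unknown or replayed challenge"
        if time.monotonic() - issued > self.ttl:
            return False, "challenge expired"
        # BRT certificate information must reference a template the validator enrolled.
        brt = evidence["brt_cert_info"]
        if REGISTERED_BRT.get(brt["template_id"]) != brt["template_hash"]:
            return False, "brt mismatch"
        # Process blocks must chain: each step's input hash equals the previous output hash.
        prev = None
        for step in evidence["process_blocks"]:
            if prev is not None and step["input_hash"] != prev:
                return False, "broken chain at " + step["step"]
            prev = step["output_hash"]
        if evidence["result"] != "match":
            return False, "comparison failed"
        return True, "ok"


def bpu_produce_evidence(bpu_id, challenge, sample, template_id, template):
    """What a BPU (sensor plus matcher) emits. Feature extraction and matching
    are stand-ins: a keyed hash of the bytes, compared for equality."""
    features = hashlib.sha256(b"extract:" + sample).digest()
    reference = hashlib.sha256(b"extract:" + template).digest()
    result = "match" if features == reference else "no-match"
    evidence = {
        "bpu_id": bpu_id,
        "bpu_report": {"fw": "1.0", "liveness": True},
        "challenge": challenge,
        "process_blocks": [
            # First block binds the capture to the validator's challenge.
            {"step": "capture", "input_type": "challenge", "input_hash": sha256_hex(challenge.encode()),
             "output_type": "raw-sample", "output_hash": sha256_hex(sample)},
            {"step": "extract", "input_type": "raw-sample", "input_hash": sha256_hex(sample),
             "output_type": "features", "output_hash": sha256_hex(features)},
        ],
        "brt_cert_info": {"template_id": template_id, "template_hash": sha256_hex(template)},
        "result": result,
    }
    evidence["signature"] = hmac.new(BPU_KEYS[bpu_id], canonical(evidence), hashlib.sha256).hexdigest()
    return evidence


if __name__ == "__main__":
    v = Validator()
    tpl = b"enrolled-template-bytes"
    ev = bpu_produce_evidence("bpu-demo-001", v.issue_challenge(), tpl, "brt-42", tpl)
    print(v.validate(ev))   # accepted on first use
    print(v.validate(ev))   # same record again is rejected as a replay
```

The validator never sees the raw sample or the template; it only sees their hashes inside a signed record, which is the point raised in the discussion about leakage of biometric data from a site. Revocation is a set lookup here; in a deployment the list would be fetched from the central authority the notes mention.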


Current standard: ISO/IEC 24761 (ACBio)


There is a standard now, but no operational deployment yet


Plan to partner with others to realize the scheme.

Two OEMs in Japan are considering it, plus one carrier.


Debate: software vendors who want to use ACBio to convey a "liveness-tested palm vein" result (liveness detection)

Other models: an NFC chip paired to a computer (embed the validation server in the car in case internet service is lost)

Possible tie-in to car entry or location-based door unlock