Evaluation of privacy and security implications of biometric authentication systems: challenges and solutions.

生物特征认证系统的隐私和安全影响评估：挑战和解决方案。

• 批准号: 1894505
• 金额: --
• 依托单位: University of Oxford
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-1894505
• 关键词: Evaluation; privacy; security; implications; biometric

This project falls within the EPSRC Pervasive and ubiquitous computing research area. User authentication commonly relies on password-based mechanisms. With the increase in the number of accounts owned by users, passwords became an annoying burden, as users are required to memorize dozens of them.In recent years, user devices (e.g., mobile phones, tablets, smartwatches) are becoming more powerful, affordable, and rich of sensors, which made biometric recognition one viable instrument for authentication.While a lot of attention has been placed on the performance metrics of the biometric recognition, that is the false accept rate and thefalse reject rate, little emphasis has been placed to more powerful threat models. Adversaries with increased capabilities and/or knowledge must be considered in order to achieve a realistic evaluation of the authentication system security and privacy guarantees.In this project, we will evaluate the impact of novel threat models on biometric authentication systems. One of the main factor that will be analyzed is the collectability of biometric information. With the pervasiveness of sensors that come with user devices biometrics are now widespread. This means that biometrics can be obtained by an adversary through several channels that did not exists in the past. Classic examples are fingerprints, that can be collected from drinking glasses or other surfaces that the victim has touched, or face pictures, that can be easily found and downloaded from social medias. Newer scenarios might involve IoT devices listening to the user's voice, or malware infecting fingerprint-equipped smartphones to steal the user's fingerprints. Furthermore, authentication system designers must consider the irrevocability of biometric information. Contrary from passwords, that can be reset, once a biometric trait has been disclosed, its confidentiality is lost in a permanent way. This project aims to analyze challenges of biometric systems, regarding the introduction of unexplored threat models, and to investigate possible countermeasures. The evaluation of such aspects will enable a deeper understanding of the implications of deploying biometric-based authentication systems.This project is comprised in the research area of pervasive and ubiquitous computing, and is well-described in the challenges related to cyber-security in pervasive and ubiquitous systems. We will collaborate with Mastercard as an industrial partner in order to validate our research in real-world use cases (e.g., mobile payments, online identity).

该项目属于EPSRC普适和普适计算研究领域的福尔斯。用户身份验证通常依赖于基于密码的机制。随着用户拥有的账户数量的增加，密码成为令人讨厌的负担，因为用户需要记住数十个密码。移动的手机、平板电脑、智能手表）变得越来越强大、价格合理、传感器丰富，这使得生物特征识别成为一种可行的身份验证工具。虽然很多注意力都放在生物特征识别的性能指标上，即错误接受率和错误拒绝率，但很少强调更强大的威胁模型。为了实现认证系统的安全性和隐私保证的现实评估，必须考虑具有增加的能力和/或知识的对手。在这个项目中，我们将评估新的威胁模型对生物特征认证系统的影响。将被分析的主要因素之一是生物特征信息的可收集性。随着用户设备附带的传感器的普及，生物识别技术现在很普遍。这意味着对手可以通过过去不存在的几个渠道获得生物特征。典型的例子是指纹，可以从受害者触摸过的酒杯或其他表面收集，或者可以很容易地从社交媒体上找到和下载的面部照片。较新的场景可能涉及物联网设备监听用户的声音，或者恶意软件感染配备指纹的智能手机以窃取用户的指纹。此外，认证系统设计者必须考虑生物特征信息的可识别性。与可以重置的密码相反，一旦生物特征被披露，其机密性将永久丧失。该项目旨在分析生物识别系统面临的挑战，介绍未开发的威胁模型，并研究可能的对策。这些方面的评估将使部署基于生物特征的认证系统的影响有更深的理解。这个项目包括在普适和无处不在的计算的研究领域，并在普适和无处不在的系统中的网络安全相关的挑战进行了很好的描述。我们将与万事达卡作为行业合作伙伴进行合作，以验证我们在现实世界用例中的研究（例如，移动的支付、在线身份）。

项目成果

28 Blinks Later

28 眨眼之后

• DOI: 10.1145/3319535.3354233
• 发表时间: 2019
• 作者: Eberz S

When Your Fitness Tracker Betrays You: Quantifying the Predictability of Biometric Features Across Contexts

• DOI: 10.1109/sp.2018.00053
• 发表时间: 2018-05
• 期刊: 2018 IEEE Symposium on Security and Privacy (SP)
• 作者: Simon Eberz;Giulio Lovisotto;A. Patané;M. Kwiatkowska;Vincent Lenders;I. Martinovic