Biometrics into the NET with Smartphones

Biometrics into the Net with Smartphones / Why not use Biometrics for the Internet? (T5D)

Convener: Shin, Takashima, Yamada

Notes-taker(s): Christopher Arnold

Tags for the session - technology discussed/ideas considered:

Toshiba - biometric data transfer over the internet

ACBio - International Standard

Internet enabler for biometrics

Smartphone as authentication device

Authentication Context for Biometrics (ACBio)

Data format standard for biometrics on the internet

Toshiba started the standardization work in May 2009

Fingerprint, finger vein, palm vein and facial image used as verifiers of identity

Biometrics currently used for passports, driver's licenses and ATMs (in Japan)

But not supported on the internet as a widely used protocol. Why?

Other approaches:

Passwords are attacked by phishing, key logging and impersonation with stolen passwords

Passwords get forgotten

Device-paired authentication:

For tokens, tamper resistance is good. But the IC card can be stolen together with its PIN, and PINs are often forgotten, as passwords are

Biometrics: good against impersonation, good in operation (nothing to remember or carry). Without ACBio, weak on the internet

Q: There is an "equal error rate" for passwords, where false negatives and false positives are equal. So that's why we still use passwords today.

ACBio addresses the data format for the evidence data of biometric authentication

Biometrics typically not used on the internet. Why?

Unfair-use case, as in music (compromised device or inappropriate rights)

Need to block special devices used to impersonate others

Possible leakage of biometric data from a site?

Should the user register biometric info for each service?

With ACBio, binary evidence information is sent securely over the internet to a verification server

Debate: hash security, and where the evidence is paired with the stored biometric reference template

Slide Notes:

The stored template (portable device, IC card) is compared against the sample data

The client application supplies the data and sends the validation data to the server, where it is validated by the ACBio validation server

Two streams are combined: the evidence data of the device and of the sample are paired

The comparison result is validated later

Q: Can passwords be used with an untrusted device and the hash algorithm?

ACBio instance contents (from the slides):

X.509 certificate of the BPU

Report on the BPU

Control value block

Challenge (from the validator, in order to prevent replay attacks)

Biometric process block: data type and hash value of the input; data type and hash value of the output

BRT certificate information block: certificate for the registered template

Definitions:

BPU = Biometric Processing Unit

BRT = Biometric Reference Template

A central revocation list lets every system that uses it exclude compromised devices
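Worked example, added here and not taken from the session, Toshiba's implementation or the ISO/IEC 24761 encoding: a simplified Python model of the flow in the slide notes above. The BPU on the client side compares the sample against its stored template and emits a signed evidence record carrying the validator's challenge, the process block (hashes of input and output), the template hash for the BRT block and the decision; the validator on the server side checks the signature against its trusted-BPU list, consumes the challenge so a replayed record is rejected, matches the template hash against the registered BRT, checks the process block against the reported decision, and consults a revocation list. The field names, the HMAC standing in for the BPU's X.509-based signature, the byte-equality matcher and all sample data are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so signer and validator hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class BPU:
    """Client-side biometric processing unit (hypothetical model). Holds the
    enrolled template and a key standing in for the BPU's X.509 private key."""

    def __init__(self, bpu_id: str, key: bytes, user: str, template: bytes):
        self.bpu_id, self.key, self.user, self.template = bpu_id, key, user, template

    def authenticate(self, sample: bytes, challenge: str) -> dict:
        # Constructed matcher: a real BPU runs a finger/palm-vein comparison;
        # byte equality is only a stand-in so the example is deterministic.
        decision = b"match" if sample == self.template else b"no-match"
        body = {
            "bpu_id": self.bpu_id,
            "challenge": challenge,                    # validator nonce, anti-replay
            "control": {"fmr_threshold": "1e-4"},      # control value block (simplified)
            "process": {                               # biometric process block
                "input_type": "finger-vein-image", "input_hash": sha256_hex(sample),
                "output_type": "comparison-decision", "output_hash": sha256_hex(decision),
            },
            "brt": {"user": self.user, "template_hash": sha256_hex(self.template)},
            "decision": decision.decode(),
        }
        # HMAC stands in for the signature verified with the BPU's X.509 certificate.
        body["signature"] = hmac.new(self.key, canonical(body), "sha256").hexdigest()
        return body


class Validator:
    """Server-side ACBio-style validator (hypothetical model)."""

    def __init__(self):
        self.trusted_bpus = {}    # bpu_id -> key (stand-in for trusted BPU certificates)
        self.revoked_bpus = set()  # central revocation list of compromised devices
        self.registered_brts = {}  # user -> hash of the registered template (BRT)
        self.outstanding = set()   # challenges issued but not yet consumed

    def issue_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def validate(self, inst: dict):
        bpu_id = inst.get("bpu_id")
        if bpu_id not in self.trusted_bpus:
            return False, "unknown BPU"
        if bpu_id in self.revoked_bpus:
            return False, "BPU revoked"
        unsigned = {k: v for k, v in inst.items() if k != "signature"}
        expected = hmac.new(self.trusted_bpus[bpu_id], canonical(unsigned), "sha256").hexdigest()
        if not hmac.compare_digest(expected, inst.get("signature", "")):
            return False, "bad signature"
        # The challenge must be one we issued and must not have been used before.
        if inst["challenge"] not in self.outstanding:
            return False, "replayed or unknown challenge"
        self.outstanding.discard(inst["challenge"])
        # Evidence must bind to the template registered for this user.
        brt = inst["brt"]
        if self.registered_brts.get(brt["user"]) != brt["template_hash"]:
            return False, "template not registered for user"
        # The process block's output hash must match the reported decision.
        if inst["process"]["output_hash"] != sha256_hex(inst["decision"].encode()):
            return False, "process block inconsistent with decision"
        if inst["decision"] != "match":
            return False, "biometric comparison failed"
        return True, "accepted"


def run_demo() -> dict:
    """Genuine login, replay, wrong sample, tampered decision, revoked BPU."""
    key = secrets.token_bytes(32)
    template = b"constructed-finger-vein-template-of-alice"   # constructed sample data
    bpu = BPU("bpu-0001", key, "alice", template)
    v = Validator()
    v.trusted_bpus["bpu-0001"] = key
    v.registered_brts["alice"] = sha256_hex(template)

    results = {}
    inst = bpu.authenticate(template, v.issue_challenge())
    results["genuine"] = v.validate(inst)
    results["replay"] = v.validate(inst)                      # same record sent twice
    results["wrong_sample"] = v.validate(bpu.authenticate(b"someone else", v.issue_challenge()))
    tampered = dict(bpu.authenticate(b"someone else", v.issue_challenge()))
    tampered["decision"] = "match"                            # forged result, old signature
    results["tampered"] = v.validate(tampered)
    v.revoked_bpus.add("bpu-0001")                            # device later revoked
    results["revoked"] = v.validate(bpu.authenticate(template, v.issue_challenge()))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:13s} -> {outcome}")
```

Note that the validator never sees the raw sample or the template: the process block only carries their hashes, which is what lets the evidence bind a specific comparison to a specific device without the biometric data itself leaving the BPU.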

Current standard: ISO/IEC 24761

There is a standard now, but no operational deployment yet

Plan to partner to realize the scheme

Two OEMs in Japan and one carrier are considering it

Debate: software vendors who want to use ACBio to pass liveness-detection results ("liveness-tested palm vein")

Other models: an NFC chip paired to a computer (embed the validation server in the car in case internet service is lost)

Possible tie-in to car entry or location-based door unlock