ITU-T Workshop on Security, Seoul

Importance of Open Discussion on

Adversarial Analyses for Mobile Security
Technologies
--- A Case Study for User Identification ---
14 May 2002

Tsutomu Matsumoto
Graduate School of Environment and Information Sciences
Yokohama National University
email: tsutomu@mlab.jks.ynu.ac.jp
 Mobile Security Technologies

Security Architecture
Operating Systems Security
Software Tamper Resistance
Mobile Code Security
Physical Tamper Resistance
Communications Security
Cryptographic Protocol
User Identification
……
 Adversarial Analysis

Security assessment of biometric user identification

systems should be conducted not only for the accuracy
of authentication, but also for security against fraud.

In this presentation we focus on Fingerprint

Systems which may become widespread for
Mobile Terminals.

Examine Adversarial Analysis as A Third Party

Can we make artificial fingers that fool fingerprint systems?
What are acceptance rates?
 Fingerprint Systems
Typical
Typical structure
structure of
of aa fingerprint
fingerprint system
system

Finger Data Result

Finger Capturing Feature Extraction Comparison

Presenting Recording Referring

Finger Information Database

Fingerprint System
Enrollment
Verification or Identification
Types of sensors
Optical sensors “Live and Well” Detection
Capacitive sensors
Thermal sensors, Ultrasound sensors, etc.
 A Risk Analysis for Fingerprint Systems
Attackers may present
1) the registered finger,
by an armed criminal, under duress, or with a sleeping
drug,
2) an unregistered finger (an imposter's finger),
i.e., non-effort forgery,
3) a severed fingertip from the registered finger,
4) a genetic clone of the registered finger,
5) an artificial clone of the registered finger, and
6) the others,
such as a well-known method as a “fault based attack.”
 Fraud with Artificial Fingers

Part of patterns of dishonest acts with artificial fingers

against a fingerprint system.

L(X): A Live Finger corresponding to Person X

A(Y): An Artificial Finger corresponding to Person Y
A(Z): An Artificial Finger corresponding to Nobody
 Fraud with Artificial Fingers I

Enrollment Y obtains A(X).

X

L(X) A(X)
L(X)

X Y X
Distribution of A(X)s
Authentication
A(X)s

A(X)

X or Y
 Fraud with Artificial Fingers II

X obtains A(Y). X enrolls A(Y).

X

A(Y) A(Y) A(Y)

Y X X
Authentication Distribution of A(Y)s
A(Y)s

A(Y)
or L(Y)

X or Y
 Fraud with Artificial Fingers III

Enrollment Y makes A(X).

X
L(X)

A(X)
L(X) L(X)

X X Y
Authentication Distribution of A(X)s
A(X)s

A(X)

Y
Mapping a Fingerprint onto Artificial Fingers

Finegerprint
e.g., Live Fingers, Generators, ...

Impression
e.g., Molds, Residual Fingerprints, ...

Artificial Finger
 Known Results

Process 0

(1) Finger
(2) Mold
(3) Silicone Rubber Finger
 Fact

Optical
OpticalSensor
Sensor Capacitive
CapacitiveSensor
Sensor

Finger
Finger

Detector
Light Source

Array of Electrodes

Often Accepts Usually Rejects

Silicone Rubber Fingers Silicone Rubber Fingers
 Gummy Fingers

Our Result
Process 1
(1) Finger
(2) Plastic Mold
(3) Gummy Finger
 Recipe 1-1
Making an Artificial Finger directly from a Live Finger
Materials
Materials
Free molding plastic Solid gelatin sheet
“FREEPLASTIC” “GELATINE LEAF ”
by Daicel FineChem Ltd. by MARUHA CORP

350JPY/35grams

200JPY/30grams
 Recipe 1-2
Making an Artificial Finger directly from a Live Finger
How
How to
to make
make aa mold
mold

Put the plastic

into hot water
to soften it.
Press a live finger
against it.

It takes around 10 minutes. The mold

 Recipe 1-3
Making an Artificial Finger directly from a Live Finger

Preparation
Preparation of
of material
material
A liquid in which immersed gelatin at 50 wt.% .

Add boiling water (30cc) to solid gelatin (30g) in a

bottle and mix up them.
It takes around 20 minutes.
 Recipe 1-4
Making an Artificial Finger directly from a Live Finger

How
How to
to make
make aa gummy
gummy finger
finger

Pour the liquid

into the mold.

Put it into
a refrigerator to cool.
It takes around 10 minutes. The gummy finger
 Similarity with Live Fingers

The photomicrographs of fingers

(a) Live Finger (b) Silicone Finger (c) Gummy Finger

 Captured Images
Captured images with the device C (an optical
optical sensor).

(a) Live Finger (b) Silicone Finger (c) Gummy Finger

Captured images with the device H (a capacitive sensor).

(a) Live Finger (b) Gummy Finger

 Experiments
Subjects: five persons whose ages are from 20’s to 40’s
Fingerprint systems: 11 types

We attempted one-to-one verification 100 times counting the

number of times that it accepts a finger presented.

Types of experiments

Experiment Enrollment Verification

Type 1 Live Finger Live Finger
Type 2 Live Finger Gummy Finger
Type 3 Gummy Finger Live Finger
Type 4 Gummy Finger Gummy Finger
 The List of Fingerprint Devices
H ard w are S p ecification s S o ftw a re S p e cific ation s
M eth od s
L iv e an d fo r
M an ufactu rer / P rod u c t M anu fa ctur er / P ro d uc t N am e C o m p ar is o n
P ro d uc t N am e T yp e S e ns or W ell V er ification
S ellin g A g en cy N umbe r S elling A ge n cy (A p p lication ) L eve ls
D ete ction
C om p aq S ta nd-A lone F in gerprint Identifica tion
Com p aq C om p uter O pt ic a l C om p aq C om pu ter M inu tiae
D ev ic e A F ingerprint Identifica tion D F R ｮ -200 E 0 38 11U S 00 1 unknow n T echnology S oftw are 1 throu gh 3
Cor pora tion S ens or C orp ora tion M a tc hing
U nit ver sion 1.1

M IT S U B IS H I S um ikin Iz um i
O pt ic a l M inu tiae
D ev ic e B EL E C T R IC F ingerprint R ec ognizer F P R -D T mkII 003 136 unknow n C om p uter S er vice co. S ecF P V 1.11 F ix ed
S ens or M a tc hing
CO R P O R A T IO N L td.

M inu tiae
F ingerprint Identifica tion O pt ic a l B a sic U tilit ie s for M a tc hing
D ev ic e C N E C C orpora tion N 7 95 0-41 9 Y 00 00 3 unknow n N E C C orpora tion F ix ed
U nit (P ris m) S ens or F in gerprint Identifica tion (M inut ia a nd
R ela tion)

" Y U B I PA S S " U .a re.U ｮ

F ingerprint R ec ognition O pt ic a l M inu tiae
D ev ic e D O M R O N C orp orat ion F P S -100 0 9 050 085 4 unknow n O M R O N C orpor ation F in gerprint V er ifica tion F ix ed
S ens or S ens or M a tc hing
S oft w a re

F in gerprint Identifica tion

S ony F ingerp rint O pt ic a l L ive F inger T S U B A S A S Y S T E M U nit W indow s ｮ 9 5 P att ern
D ev ic e E S ony C orpora tion F IU -00 2-F 11 0 07 09 1 throu gh 5
Iden tific ation U nit S ens or detection C O .,L T D . Inter ac tive D em o V er sion m a tch ing
1 .0 Bu ild 1 3

M inu tiae
C a pa citive L ogon for F ings ens or V 1 .0
D ev ic e F F U J IT S U L IM IT E D F ings ensor F S -2 00U 00 A A 0 002 57 unknow n F U J IT S U L IM IT E D F ix ed M a tc hing
S ens or for W indow s ｮ 95 /98
(C orrela tion)

M inu tiae
F ingerprint Identifica tion C a pa citive B a sic U tilit ie s for M a tc hing
D ev ic e G N E C C orpora tion P K -F P 002 03 005 29S unknow n N E C C orpora tion F ix ed
U nit (S eria l) S ens or F in gerprint Identifica tion (M inut ia a nd
R ela tion)
F in gerT IP ｮ S oftw a re
C 98 451 -
S iem ens A G (Infineon F ingerT IP ｮ E V A L U A T IO N - C a pa citive S ie me ns A G (Infineon D evelopm ent K it (S D K ) M inu tia
D ev ic e H K IT
D 6 100 -A 900 - unknow n F ix ed
T echnologies A G ) EV A L U A T IO N K IT S ens or T echnologies A G ) V ers ion: V 0 .90, B eta 3 m a tch ing
4
" D em o P rogra m "

S ony F ingerp rint C a pa citive L ive F inger P att ern

D ev ic e I S ony C orpora tion F IU -710 30 00 398 S yst em needs Inc . G ood -b ye " PA SSW OR D" s 1 throu gh 5
Iden tific ation U nit S ens or detection m a tch ing

O pt ic a l S e cu D e sk top 1. 55 日 M i nut ia
D ev ic e J S ecu gen Ey eD m ous e II SM B -8 0 0 96 501 720 04 unknow n S e cu g e n 1 thr oug h 9
Se n sor 本語版 m atc hing

ethentica tior M S 3 000 P C O pt ic a l S ecu re Su ite M i nut ia

D ev ic e K Et hentica M S 3 00 0 M 3 00F 20 099 1 un k no w n E the ntica F ixed
C a rd Se n sor R ele as e1. 0 m atc hing
 Experimental Results
Making an Artificial Finger directly from a Live Finger

100
Acceptance(times/100atempts)

80
The Number of

60

40

20
L-L L-A A-L A-A

0
A B C D E F G H I J K
Fingerprint Device
 Gummy Fingers
Our Result
Process 2
(1) Residual Fingerprint
(2) Digital Image Data
(3) Printed Circuit Board
(4) Gummy Finger
 Recipe 2-1
Making an Artificial Finger from a Residual Fingerprint
Materials

A photosensitive Solid gelatin sheet

coated Printed Circuit “GELATINE LEAF ”
Board (PCB) by MARUHA CORP
“10K” by Sanhayato Co., Ltd .

320JPY/sheet

200JPY/30grams
 Recipe 2-2
Residual Fingerprint Digital Microscope
Enhancing Cyanoacrylate
Adhesive
Capturing

Image Processing Adobe Photoshop 6.0

Fingerprint Image
KEYENCE VH6300: 900k pixels
Printing Transparent Film
Inkjet Printer
Mask UV light
Exposing Photosensitive
Developing Coated PCB

Etching

Canon BJ-F800: 1200x600dpi

Mold
 Recipe 2-3

A Mask with Fingerprint Images

An Enhanced Fingerprint A Fingerprint Image
 Recipe 2-4
Gelatin Liquid
Put this mold into
Drip the liquid a refrigerator to cool,
onto the mold. and then peel carefully.

40wt.%

型の上へ流す
 The Mold and the Gummy Finger

Mold: 70JPY/piece Gummy Finger: 50JPY/piece

(Ten molds can be obtained
in the PCB.)
 Resolution of Fingerprint Images
Pores can be observed.

Captured Fingerprint Image of

the Gummy Finger
Enhanced Fingerprint
with the device H (a capacitive sensor)
 Experimental Results
from Residual Fingerprints (for 1 subject)
100
Acceptance(times/100atempts)

80
The Number of

60

40

20
L-L L-A A-L A-A

0
A B C D E F G H I J K
Fingerprint Device
 Characteristics of Gummy Fingers
Moisture Electric Resistance
Live Finger 16% 16 Mohms/cm
Gummy Finger 23% 20 Mohms/cm
Silicone Finger impossible to measure impossible to measure

500
Gummy Finger
Tactile Sensor Outpt (Hz)

400 Live Finger

300

200

100

0
0 50 100 150
Pressure Sensor Output (g)
The compliance was also examined for live and gummy fingers.
 Conclusions

There can be various dishonest acts using artificial fingers

against the fingerprint systems.
Gummy fingers, which are easy to make with cheep, easily
obtainable tools and materials, can be accepted by 11 types of
fingerprint systems.
The experimental study on the gummy fingers will have
considerable impact on security assessment of fingerprint
systems.
Manufacturers,vendors, and users of biometric systems should
carefully examine security of their system against artificial
clones.
How to treat such information should be an important issue.
 For Details

• Paper:
T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino,
“Impact of Artificial “Gummy” Fingers on Fingerprint
Systems” Proceedings of SPIE Vol. #4677,
Optical Security and Counterfeit Deterrence Techniques IV.