Abstract
Biometric authentication systems verify the identity of users by relying on their distinctive traits, like fingerprint, face, iris, signature, voice, etc. Biometrics is commonly perceived as a strong authentication method; in practice several well-known vulnerabilities exist, and security aspects should be carefully considered, especially when it is adopted to secure the access to applications controlling critical systems and infrastructures. In this paper we perform a quantitative security evaluation of the CASHMA multi-biometric authentication system, assessing the security provided by different system configurations against attackers with different capabilities. The analysis is performed using the ADVISE modeling formalism, a formalism for security evaluation that extends attack graphs; it allows to combine information on the system, the attacker, and the metrics of interest to produce quantitative results. The obtained results provide useful insight on the security offered by the different system configurations, and demonstrate the feasibility of the approach to model security threats and countermeasures in real scenarios.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Li, S.Z. (ed.): Encyclopedia of Biometrics, 1st edn. Springer Reference (2009)
Chen, T., Abu-Nimeh, S.: Lessons from Stuxnet. IEEE Computer 44(4), 91–93 (2011)
FIRB – Fondo per gli Investimenti della Ricerca di Base, CASHMA: Context Aware Security by Hierarchical Multilevel Architectures (2008)
LeMay, E., Ford, M., Keefe, K., Sanders, W., Muehrcke, C.: Model-based Security Metrics Using ADversary VIew Security Evaluation (ADVISE). In: 8th International Conference on Quantitative Evaluation of Systems (QEST 2011), pp. 191–200 (2011)
Phillips, P.J., Martin, A., Wilson, C.L., Przybocki, M.: An introduction evaluating biometric systems. IEEE Computer 33(2), 56–63 (2000)
Henniger, O., Scheuermann, D., Kniess, T.: On security evaluation of fingerprint recognition systems. In: International Biometric Performance Conference (IBPC 2010), March 1-5. National Institute of Standards and Technology, NIST (2010)
Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-based evaluation: from dependability to security. IEEE Trans. on Dependable and Secure Computing 1(1), 48–65 (2004)
Dolev, D., Yao, A.C.: On the security of public-key protocols. IEEE Transactions on Information Theory 29(8), 198–208 (1983)
Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proc. 10th Computer Security Foundations Workshop, June 10-12, pp. 18–30 (1997)
Ten, C.-W., Liu, C.-C., Govindarasu, M.: Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees. In: IEEE Power Engineering Society General Meeting, June 24-28, pp. 1–8 (2007)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE Symposium on Security and Privacy, pp. 273–284 (2002)
Beccuti, M., et al.: Quantification of dependencies in electrical and information infrastructures: The CRUTIAL approach. In: 4th International Conference on Critical Infrastructures (CRIS 2009), pp. 1–8 (2009)
LeMay, E., Unkenholz, W., Parks, D., Muehrcke, C., Keefe, K., Sanders, W.H.: Adversary-Driven State-Based System Security Evaluation. In: Proceedings of the 6th International Workshop on Security Measurements and Metrics, MetriSec 2010 (2010)
Courtney, T., Gaonkar, S., Keefe, K., Rozier, E.W.D., Sanders, W.H.: Möbius 2.3: An Extensible Tool for Dependability, Security, and Performance Evaluation of Large and Complex System Models. In: DSN 2009, Estoril, Lisbon, Portugal, pp. 353–358 (2009)
Matsumoto, T., Matsumoto, H., Yamada, K., Hoshino, S.: Impact of artificial ‘gummy’ fingers on fingerprint systems. In: Proc. SPIE, vol. 4677, pp. 275–289 (2002)
Pacut, A., Czajka, A.: A liveness Detection for IRIS Biometrics. In: Proc. of the 40th Int. Carnahan Conference on Security Technology (ICCST 2006), pp. 122–129 (October 2006)
Roberts, C.: Biometric attack vectors and defences. Computers & Security 26(1), 14–25 (2007)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol – Version 1.2, RFC 5246, IETF Network Working Group (August 2008)
Salles-Loustau, G., Berthier, R., Collange, E., Sobesto, B., Cukier, M.: Characterizing Attackers and Attacks: An Empirical Study. In: IEEE 17th Pacific Rim International Symposium on Dependable Computing (PRDC), pp. 174–183 (2011)
Montecchi, L., Lollini, P., Bondavalli, A.: ADVISE model for the security evaluation of the CASHMA multi-biometric authentication system, University of Florence, RCL Group, Technical Report RCL120301 (2012), http://rcl.dsi.unifi.it/publications
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Montecchi, L., Lollini, P., Bondavalli, A., La Mattina, E. (2012). Quantitative Security Evaluation of a Multi-biometric Authentication System. In: Ortmeier, F., Daniel, P. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2012. Lecture Notes in Computer Science, vol 7613. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33675-1_19
Download citation
DOI: https://doi.org/10.1007/978-3-642-33675-1_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33674-4
Online ISBN: 978-3-642-33675-1
eBook Packages: Computer ScienceComputer Science (R0)