"Gummy and Conductive Silicone Rubber Fingers"

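Tyng-Ruey Chuang (莊庭瑞), an associate research fellow at the Institute of Information Science, Academia Sinica, and also an executive board member of the Taiwan Association for Human Rights, forwarded a summary article by Professor Tsutomu Matsumoto of Yokohama National University, Japan, describing how plastic fingers can be used to fool fingerprint recognition systems. I translated it into Chinese; everyone is welcome to use it and discuss it further. The PDF of the original can be downloaded here: Matsumoto-finger-print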

Gummy and Conductive Silicone Rubber Fingers: Importance of Vulnerability Analysis

Tsutomu Matsumoto
Yokohama National University,
Graduate School of Environment and Information Sciences,
79-7 Tokiwadai, Hodogaya, Yokohama 240-8501, Japan,
tsutomu@mlab.jks.ynu.ac.jp

Abstract.
Vulnerability evaluation of various biometric systems should be conducted and its results should be available to potential users.

Summary

Biometrics is utilized in individual authentication techniques which identify individuals by checking physiological or behavioral characteristics, such as fingerprints, faces, voice, iris patterns, signatures, etc. Biometric systems are said to be convenient because they need neither something to memorize such as passwords nor something to carry about such as ID tokens [1]. In spite of that, a user of biometric systems would get into a dangerous situation when her/his biometric data are abused. For example, you cannot change your fingerprints while you can change your passwords or ID tokens when they are compromised. Therefore, biometric systems must protect the information for biometrics against abuse, and they must also prevent fake biometrics.

We focus on fingerprint systems since they have become widespread as authentication terminals for PCs or mobile terminals. A fingerprint system has an enrollment process and a verification process. In an enrollment process, the system captures finger data from an enrollee with sensing devices, extracts features from the finger data, and then records them as a template, together with personal information of the enrollee, e.g. a personal identification number (PIN), in a database. We are using the term finger data to mean not only features of the fingerprint but also other features of the finger, such as live and well features. In a verification (or identification) process, the system captures finger data from a finger with sensing devices, extracts features, verifies (or identifies) the features by comparing them with templates in the database, and then outputs a result of Acceptance only when the features correspond to one of the templates. Most fingerprint systems utilize optical or capacitive sensors for capturing fingerprints. These sensors detect differences between the ridges and valleys of fingerprints. Optical sensors detect differences in reflection. Capacitive sensors, by contrast, detect differences in capacitance. Some systems utilize other types of sensors, such as thermal sensors or ultrasonic sensors. In this study we examine fingerprint systems which utilize optical or capacitive sensors.
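
The enrollment and verification flow described above, as an added Python sketch that is not code from the paper or from any fingerprint product. The minutiae tuples, the tolerances, the PIN and the single `live` boolean standing in for "live and well" features are all assumptions made for illustration; it shows that a matcher comparing only ridge features cannot tell an artificial finger from the enrolled one.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FingerData:
    minutiae: tuple  # ridge/valley features as (x, y, angle in degrees)
    live: bool       # assumption: one boolean stands in for "live and well" features

class FingerprintSystem:
    def __init__(self, check_liveness, min_matches=4, dist_tol=3.0, angle_tol=15.0):
        self.check_liveness = check_liveness
        self.min_matches, self.dist_tol, self.angle_tol = min_matches, dist_tol, angle_tol
        self.templates = {}  # database: PIN -> enrolled template

    def enroll(self, pin, data):
        self.templates[pin] = data.minutiae

    def score(self, template, sample):
        """Count template minutiae that pair with a distinct, nearby sample minutia."""
        unused, hits = list(sample), 0
        for tx, ty, ta in template:
            for m in unused:
                angle_diff = abs((ta - m[2] + 180) % 360 - 180)  # wraps 5 vs 358 to 7
                if math.hypot(tx - m[0], ty - m[1]) <= self.dist_tol and angle_diff <= self.angle_tol:
                    unused.remove(m)
                    hits += 1
                    break
        return hits

    def verify(self, pin, data):
        template = self.templates.get(pin)
        if template is None:
            return "Rejection"
        if self.check_liveness and not data.live:
            return "Rejection"  # ridge features are never consulted for a non-live sample
        matched = self.score(template, data.minutiae) >= self.min_matches
        return "Acceptance" if matched else "Rejection"

# Constructed sample data (not measurements from the paper).
ENROLLED = FingerData(((10, 12, 30), (25, 40, 110), (42, 18, 275), (55, 60, 5), (70, 33, 190)), True)
SAME_FINGER = FingerData(((11, 13, 33), (24, 41, 105), (43, 17, 280), (56, 59, 358), (90, 90, 0)), True)
OTHER_FINGER = FingerData(((5, 70, 90), (30, 30, 200), (60, 10, 45), (80, 50, 300), (15, 45, 150)), True)
ARTIFICIAL = FingerData(SAME_FINGER.minutiae, False)  # same ridge pattern, no liveness signal

def run(check_liveness):
    system = FingerprintSystem(check_liveness)
    system.enroll("1234", ENROLLED)
    samples = {"same": SAME_FINGER, "other": OTHER_FINGER, "artificial": ARTIFICIAL}
    return {name: system.verify("1234", s) for name, s in samples.items()}

if __name__ == "__main__":
    print("ridge features only:", run(False))
    print("with liveness check:", run(True))
```

With `check_liveness=False` the artificial sample is accepted exactly like the live finger; only the system that also evaluates a liveness feature rejects it, which is why the summary counts "live and well features" as part of finger data.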

Potential threats caused by something like real fingers, which are called artificial fingers, should be crucial for authentication based on fingerprint systems. However, vulnerability evaluation against attacks using such artificial fingers has been rarely disclosed.

As researchers who are pursuing secure systems, we would like to discuss attacks using artificial fingers and conduct experimental research to clarify the reality. We report that

1. gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatin, were accepted at extremely high rates by 11 particular fingerprint devices with optical or capacitive sensors [2], and

2. conductive silicone fingers, namely artificial fingers that are made of silicone rubber filled with electrically conductive carbon black of 12%-16%, were accepted at extremely high rates by the same set of fingerprint devices except for two devices using optical sensors with seemingly color-checking ability [3].

We have used molds which we made by pressing our live fingers against them, or by processing fingerprint images from prints on glass surfaces, or by processing impressions of inked fingers. We describe how to make the molds, and then show that the gummy fingers and conductive silicone fingers which are made with these molds can fool the fingerprint devices.

The fact that gummy fingers, which are easy to make with cheap and easily obtainable tools and materials, can be accepted suggests a review not only of fingerprint systems but also of biometric systems. This experimental study on the artificial fingers will have considerable impact on security assessment of biometric systems. Manufacturers and vendors of biometric systems should carefully examine the security of their systems against artificial clones. Also, they should make public the results of their examination, which would lead users of their systems to a deep understanding of the security. We would like to discuss the effect of such a vulnerability analysis and how to disclose the information based on our experience and the responses we received [4].

References

1. Jain, K.: Introduction to biometrics, in Biometrics: Personal Identification in Networked Society, The Kluwer Academic, International Series in Engineering and Computer Science, Jain, A. K., Bolle, R. and Pankanti, S. eds., Vol. 479, Chapter 1, pp. 1-41, 1999.

2. Matsumoto, T., Matsumoto, T., Yamada, K., and Hoshino, S.: Impact of Artificial “Gummy Fingers” on Fingerprint Systems, Optical Security and Counterfeit Deterrence Techniques IV, Rudolf L. van Renesse, editor, Proceedings of SPIE Vol. 4677, SPIE – The International Society for Optical Engineering, pp.275-289, 2002.

3. Endo, Y. and Matsumoto, T.: Can we make artificial fingers that fool fingerprint systems? – Part W –, Proc. of IPSJ for Computer Security Symposium, 2002.

4. Matsumoto, T.: What will you do if you find a particular weakness of a security technology?, Journal of IEICE, Vol. 84, No.3, 2001.
