B. Senjaya, T.B. Lee, Ph.D., S.J. Elliott, Ph.D., S.K. Modi, Ph.D.
Fingerprint image quality has a positive on recognition systems. By improving the quality of fingerprint images the performance of the system can be increased. Current automated fingerprint capture processes conduct quality analysis on fingerprints after capturing the fingerprint and prompt the user for additional fingerprints if the image does not conform to the quality criterion. The process of recapturing increases throughput time and increases the inconvenience faced by users. The objective of this research was to redesign the image capture process by identifying optimal force levels for initiating the capture operation. 70 subjects interacted with an optical fingerprint sensor at several force levels to identify the force level that yielded the best fingerprint image quality and least number of matching errors.

G. Hales, Graduate Researcher & S. J. Elliott Ph.D.
In recent times it has become apparent that data sharing capabilities across state departments and law enforcement agencies is an issue, especially in terms of tracking, monitoring, and identifying persons of interest. There is a need to assess the image capture process, as well as sharing capabilities, and to incorporate commercially available facial recognition technology to reduce the errors in identifying persons of interest. The objective of this project is to evaluate legacy face images, assess and standardize the image capture process across Indiana Department of Corrections (DOC) agencies, integrate facial recognition to link face databases, and integrate mobile devices in law enforcement vehicles for face recognition. This research will lead to improvements in the efficiency and quality of the face image capture process in Indiana’s DOC facilities and BMV branches and facilitate image sharing capabilities across Indiana state agencies

C. Blomeke, S. K.Modi,Ph.D., E. Bertino, Ph.D., & S. J. Elliott Ph.D.
The long term objective of this research is to provide a model for the delivery of identity management services to a diverse range of healthcare applications. . This is a challenge, due to various regulations and requirements that are unique to the healthcare system. Healthcare applications require a strong form of authentication, which goes beyond the capabilities of passwords, based on what you remember, and tokens, based on what you have. Healthcare applications are now considering biometrics as a potential authentication methodology. Biometrics is the automated recognition of humans based on biological and behavioral traits, like fingerprint recognition etc. This research proposes the development of an identity management model and in doing so provides the healthcare system with knowledge about the efficacy of biometrics in various healthcare applications.

Preeti Rao, Ashwin Mohan, Shimon Modi, Keith Watson
The BioAPI Consortium developed the biometric application programming interface (BioAPI) for the implementation of software that is platform and device independent. Version 2.0 of the BioAPI standard (ISO/IEC 19784-1:2005) has a reference implementation in the C programming language. This project offers a reference implementation of the 2.0 BioAPI specification written in the Java programming using object oriented design techniques.

The BSPA Lab participated in the 2009 CERIAS Symposium. The symposium examined the implementation of information technology, and how it continues to grow in complexity as business continues to go global. Best practices and technical protocols are established… but don’t always play well together. The 2009 symposium examined the state of cyber security and research needed to address the future. Dr. Shimon Modi was part of a panel that discussed the role of standards in biometrics and information security in general.

A panel summary by Jason Ortiz

Panel Members:

Pascal Meunier, CERIAS, Purdue University
Tim Grance, NIST
Shimon Modi, Biometrics Standards, Performance and Assurance Laboratory, Purdue University
Rao Vasireddy, Alcatel-Lucent
There has been a lot of discussion recently surrounding the issue of standards and standard adoption. Many questions have been posed and openly debated in an attempt to find the correct formula for standards. When can a standard be considered a “good” standard, and when should that standard be adopted?

According to Dr. Pascal Meunier of Purdue University CERIAS, standard adoption should be based on what he calls transitive trust. Transitive trust indicates that an evaluation of the standard using criteria appropriate to the adopters has been done by an outside source. This ensures the standard applies to the adopter and that it has been evaluated or tested. Dr. Meunier says this allows for sound justification that a standard is appropriate. Unfortunately, most adoption and creation of standards are focused on assumptive trust, or simply knowing someone, somewhere did an evaluation.

Another concern surrounding the creation and adoption of standards raised during the panel discussion was, when standards interfere with economical development or technological progress, should they be adopted, even if they are well-tested, “good” standards? Tim Grance from NIST responded by saying as of right now, standards are mostly voluntary recommendations and they must be in accordance with economical and technological desires of industry in order for them to be widely adopted and widely accepted. There are very few punishments for not following standards and thus there must exist other motivation for industries to spend time and money implementing these standards.

Along with this, the audience posed a question surrounding the practical use of a standard. Even if a partner does decide to comply with a standard there is no easy method of ensuring they actually understand the standard or have the same interpretation of the standard as other partners. Simply establishing a mutual understanding of a standard within an industry poses another obstacle that requires time and resources.

As a result of this, “good” standards may never be used in practice if they are too costly to implement. Therefore, currently used standards may be out of date, flawed, or simply untested. This discussion lends itself to the question of which is better, a standard which is known to be flawed or no standard at all? There is no clear answer to this question, as there exists sufficient evidence supporting both sides.

An argument for the idea that a standard is better than no standard (even if it is a flawed or insecure standard) is that in this scenario, at least the flaw will be know, recognized and consistent throughout the industry. However, others point to the idea that this would actually be detrimental, as now any entity which has adopted the standard becomes vulnerable to the standard’s flaws as opposed to only a small number of industries.

It is clear that industries need standards to follow in many scenarios. However, the difficult questions include when a standard is needed, when a specific standard should be adopted versus when it could reasonably be adopted, and whether or not a flawed standard is better than no standard at all.

The presentations can be found here.

Summary
Pascal Menunier
Shimon Modi
Rao Vasireddy

Identification, Authentication and Privacy
E. Bertino, S. Elliott, A.Bhargav-Spantzel, M. Young, S. Modi, A. Squicciarini
The goal is to provide a privacy preserving methodology for strong biometric authentication in federated identity management systems.
Privacy Preserving Multifactor Authentication [1]: multifactor authentication is essential for secure authentication mechanisms. The identity management framework is used to provide proofs of multiple strong identifiers for a given user.

Interoperability: Our scheme provides an interoperable, usable, secure, and inexpensive to use biometric authentication in a federation.

User Control : The raw biometric never leaves the client machine therefore providing complete control to its owner.

William Eyre, Sean Sobieraj, Dr. Steven Elliott
Use of biometrics in schools for identification of students younger than 16 in the United Kingdom has sparked privacy concerns. There are privacy advocates active in attempting to derail the use of biometric authentication in schools for a variety of reasons. These reasons are explored and solutions are discussed. The paper also examines how data is linked or dereferenced in terms of biometrics and personally identifiable data.

Assurable Software and Architectures
Watson, Keith
The Center for Education and Research in Information Assurance and Security and the Biometric Standards, Performance, and Assurance Laboratory at Purdue University are working in conjunction with the BioAPI Consortium to develop a reference implementation of the BioAPI 2.0 specification in the Java(tm) programming language.

Identification, Authentication and Privacy
Adam R. Hunt, Stephen J. Elliott, Ph.D.
Dynamic signature verification is a subset of that larger science that includes fingerprint recognition, hand geometry, and voice recognition. Signature verification is primarily behavioral in nature like voice recognition, but has some very unique traits which make it harder to test and evaluate. These challenges include the fact that a signature is learnt, it contains variant measures, it can be changed by the owner of the signature, and that a signer might have several versions of the signature, depending on the intent of the signer.

Identification, Authentication and Privacy
S. J. Elliott, Ph. D., M. Niang
The catastrophic chain of events that transpired during Hurricane Katrina concerning the humanitarian response brought to light the need for a mobile credentialing system. This poster provides a methodology for using biometric technology for credentialing individuals in natural disasters or terrorist attacks using iris recognition.