The Design of Robust Authentication Mechanism using User’s Biometrics Signals

Jung ho Eom 보안공학연구지원센터 2014 International Journal of Security and Its Applicat Vol.8 No.6

In this research, we proposed robust authentication mechanism using user’s biometrics signals for complementing traditional authentication’s weak points. Nowadays, authentication system are developed using biometric. Biometrics are a unique, measurable a trait of a human being for verifying his/her identity. The types of biometric used in authentication system are iris, fingerprint, vein pattern, hand geometry etc. A biometric system provides an automated method of identifying a human being based on his/her biometric characteristics. But there are some security problems. Some biometrics can be copied by a malicious user with scanners. All biometrics characteristics extracted from a user are not possible to maintain a steady normal condition. So, we tried to apply user’s biometrics signals to authentication system as 3rd authentication factor. A biometrics signal is a pattern recognition that uniquely identifies human being based on his/her physiological traits. A biometrics signals should be impossible to masquerade or manipulate. This attribute is used as 3rd authentication phase. Proposed authentication mechanism is composed of 3 layered authentications; ID&P/W, PIN number or biometrics, and biometrics signals.

생체정보 보호 강화를 위한 입법정책적 고찰

이부하,박신욱 충북대학교 법학연구소 2022 과학기술과 법 Vol.13 No.1

Article 23 (1) of the Personal Information Protection Act stipulates that “A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as ‘sensitive data’), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, and other personal information that is likely to markedly threaten the privacy of any data subject.” Article 18 of the Enforcement Decree of the Personal Information Protection Act stipulates that ‘Information prescribed by Presidential Decree’ in the main clause , with the exception of the subparagraph, of Article 23 (1) of the Act means the following data or information. In subparagraph 3, “Personal information resulting from specific technical processing of data relating to the physical, physiological or behavioral characteristics of an individual for the purpose of uniquely identifying that individual” is defined as one of the sensitive data. The range of sensitive data is wider than that of biometrics. ‘Data that constitutes a criminal history record’ defined in subparagraph 5 of Article 2 of the Act on the Lapse of Criminal Sentences, etc. as stipulated in Article 18 (3) of the Enforcement Decree of the Personal Information Protection Act and Article 18 (4) of the Enforcement Decree of the Personal Information Protection Act ‘Personal information revealing racial or ethnic origin’ is sensitive data completely different from biometric information. Therefore, it is necessary to enact a separate law to protect and manage biometrics or biometric information that requires more protection than sensitive data. As safety measures for biometrics security, there are first, security measures for forged/falsified biometric information, second, protection of the transmission section when collecting and inputting biometric information, third, use within the scope of the agreed purpose, fourth, biometric information collection and input processing at the terminal, fifth, encryption when storing biometric information, sixth, destruction of biometric information, seventh, separate storage when storing original biometric information, eighth, in case of leakage of biometric information, protective measures are taken. The Act on Protection and Management of Biometrics (draft) includes Chapter 1 General Provisions, Chapter 2 Establishment of Biometrics Protection Policy, Chapter 3 Collection and Use of Biometrics and Restrictions on It, Chapter 4 Safe Management of Biometrics, and Chapter 5, Guarantee of Rights of Data Subjects.

공항 생체인식기술의 지속이용의도와 프라이버시 염려의 조절효과에 관한 연구 - 후기기술수용모델(Post-Acceptance Model)을 기반으로 -

이수경 ( Soo-kyoung Lee ) 한국항공경영학회 2024 한국항공경영학회지 Vol.22 No.2

늘어나는 항공 수요에 효과적으로 대응하기 위해 공항 운영의 디지털 전환 및 효율적인 프로세스 구현이 필요하며 이러한 움직임의 하나로 IATA는 생체인식을 기반으로 한 디지털 신원 인증기술인 ‘One ID’서비스를 확대할 방침이다. 우리나라의 경우 2021년 한국공항공사는 혁신계획에 따라 ‘One ID’확대를 예고한 바 있으며, 이에 따라 이용객의 손정맥 바이오 정보가 여객 프로세스뿐만 아니라 공항 면세점 등 쇼핑 결제에 이르기까지 바이오 정보의 이용처가 확대될 전망이다. 생체인식기술은 승객의 고유한 신체 정보를 활용함으로써 정보의 위조나 변조의 위험을 사전에 제거하여 공항 보안 수준을 높이고 출입국 절차에 편리함을 제공할 수 있다는 이점이 있으나 반면에 개인의 신체정보를 이용함으로써 발생하는 프라이버시 침해에 따른 문제가 있다. 개인의 의지와는 다르게 개인정보가 침해될 것을 우려하는 프라이버시 염려는 해당 서비스를 지속적으로 이용할 것인가를 결정하는데 중요한 영향을 미친다. 공항 생체인식기술 적용이 확대될 시점에 이용자의 기술 수용 관점을 넘어 지속적인 이용의도에 대한 연구가 필요하므로, 본 연구는 후기수용모델을 기반으로 이용자들의 서비스 지속이용의도와 프라이버시 염려와의 영향 관계를 실증하여 연구의 차별화를 확보하고자 하였다. 본 연구를 위하여 2024년 2월 20일부터 27일까지 공항 생체인식 기술 서비스를 이용한 경험이 있는 일반인 338명의 응답 결과를 분석에 활용하였다. 분석 결과 공항 생체인식기술에 대한 이용자의 기대일치는 인식된 유용성에 정(+)의 영향을 미칠 것이라는 가설 1이 채택되었고, 기대일치는 만족에 정(+)의 영향을 미치는 것으로 나타나 가설 2가 채택되었다. 그리고 가설 3. 생체인식기술 경험에 대한 이용자의 인식된 유용성은 만족에 정(+)의 영향을 미치는 것이 확인되었으며, 지속이용의도에도 정(+)의 영향을 미치고 있음을 확인하여 가설 4가 채택되었다. 또한 생체인식기술 사용에 대한 만족은 지속이용의도에 정(+)의 영향을 나타내어 가설 5가 채택되었다. 프라이버시 염려의 조절효과는 프라이버시 염려 수준이 낮은 집단의 경우가 기대일치가 만족에 미치는 영향이 더 크고, 인식된 유용성은 프라이버시 염려 수준이 높은 경우가 낮은 집단보다 만족에 미치는 영향이 더 큰 것으로 확인되어 가설 7. 인식된 유용성과 만족 간의 프라이버시 염려 수준에 따른 조절효과와 가설 8. 기대일치와 만족 간의 프라이버시 염려 수준에 따른 조절효과가 검증되었다. 그러나 가설 6. 기대일치와 인식된 유용성 간의 프라이버시 염려 수준에 따른 조절효과와 가설 9. 인식된 유용성과 지속이용의도 간의 프라이버시 염려 수준에 따른 조절효과 그리고 가설 10. 만족과 지속이용의도 간의 프라이버시 염려 수준에 따른 조절효과는 검증되지 않았다. 본 연구의 차별점은 첫째, 안면인식을 포함한 생체인식기술 활용 영역이 더욱 확대되고 있는 시점에 정보시스템의 지속적이고 반복적인 사용의도를 확인하기 위한 연구모델인 후기수용모델(PAM)을 중심으로 공항생체기술 이용자를 대상으로 실증 분석하였다는 점과 둘째, 바이오인식 정보 유출로 인한 다양한 사회적 문제 야기에 착안하여 정보제공자의 프라이버시 염려 수준을 함께 고려하여 염려수준 차이에 따른 조절효과를 분석하였다는 점이다. 그러나 생체인식기술 종류에 따른 변인 관계에 유의미한 차이분석과 인구통계학적 특성에 따른 조절효과 차이 분석, 프라이버시 보호 정책 차이에 따른 국가별 비교 연구 등이 후속연구로 필요할 것으로 판단된다. To effectively respond to the increasing demand for air travel, the digital transformation of airport operations and the implementation of efficient processes are necessary. As part of this movement, the International Air Transport Association (IATA) plans to expand its ‘One ID’ service, a digital identity verification technology based on biometrics. In South Korea, the Korea Airports Corporation announced plans to expand ‘One ID’ in 2021, according to its innovation plan. This expansion is expected to extend the use of passengers’ palm vein biometric information not only in passenger processes but also to shopping payments in airport duty-free shops. While biometrics technology has the advantage of using passengers’ unique physical information to prevent the risk of forgery and tampering, thus enhancing airport security levels and facilitating immigration procedures, it also poses privacy infringement issues arising from the use of personal body information. Concerns about privacy violations, regardless of individual consent, significantly influence the decision to continue using such services. This study aims to differentiate by empirically examining the relationship between users’ intention to continue using the service and their privacy concerns, based on the Post-Acceptance Model (PAM). For this research, we analyzed the responses of 338 general public participants who have experienced airport biometrics technology services from February 20 to 27, 2024. The analysis supported Hypothesis 1, that users’ expectation confirmation positively affects perceived usefulness, and Hypothesis 2, that expectation confirmation positively influences satisfaction. Furthermore, it was confirmed that perceived usefulness of the biometrics technology experience positively affects satisfaction and, consequently, the intention to reuse, supporting Hypotheses 3 and 4. Satisfaction from using biometrics technology also positively impacts the intention to continue use, confirming Hypothesis 5. The moderating effect of privacy concerns showed that for groups with lower levels of privacy concerns, the perceived usefulness impacts satisfaction more significantly in groups with higher privacy concerns, and the impact of expectation confirmation on satisfaction is greater, verifying Hypotheses 7 and 8 regarding the moderating effects of privacy concern levels. However, Hypotheses 6, 9, and 10, related to the moderating effects of privacy concerns on the relationships between expectation confirmation, perceived usefulness, satisfaction, and the intention to continue use, were not supported. The novelty of this study lies firstly in its empirical analysis of airport biometrics users based on the PAM at a time when the utilization area of biometrics technology, including facial recognition, is expanding. Secondly, it considers the privacy concerns levels of information providers and analyzes the moderating effects of these concerns levels, taking into account the various social problems caused by biometrics information leaks. Further research might be needed to analyze the significant differences in the relationships between variables according to the type of biometrics technology, the differences in moderating effects according to demographic characteristics, and a comparative study of privacy protection policies across countries.

정확한 환자 확인을 위한 의료생체인식기술

정재홍,이경배 대한자기공명기술학회 2022 대한자기공명기술학회지 Vol.32 No.1

This study discusses medical biometrics for accurate patient identification in the medical field. It first provides information concerning the definition, classification, and types of biometrics. It then reviews recent relevant research regarding information technology and types of medical biometric recognition technology that use biological signal and medical imaging. Finally, the current status of the medical environment is examined, along with the types of biometrics applied in medical fields. We believe that medical biometrics for patient identification will be gradually introduced into the medical field. Our study can be used to understand medical biometrics for accurate patient identification and utilized as primary data for research.

Index-of-Max 해싱을 이용한 폐기가능한 홍채 템플릿

김진아,정재열,김기성,정익래 한국정보보호학회 2019 정보보호학회논문지 Vol.29 No.3

In recent years, biometric authentication has been used for various applications. Since biometric features are unchangeableand cannot be revoked unlike other personal information, there is increasing concern about leakage of biometric information. Recently, Jin et al. proposed a new cancelable biometric scheme, called “Index-of-Max” (IoM) to protect fingerprinttemplate. The authors presented two realizations, namely, Gaussian random projection-based and uniformly randompermutation-based hashing schemes. They also showed that their schemes can provide high accuracy, guarantee the securityagainst recently presented privacy attacks, and satisfy some criteria of cancelable biometrics. However, the authors did notprovide experimental results for other biometric features (e.g. finger-vein, iris). In this paper, we present the results ofapplying Jin et al.'s scheme to iris data. To do this, we propose a new method for processing iris data into a suitable formapplicable to the Jin et al.'s scheme. Our experimental results show that it can guarantee favorable accuracy performancecompared to the previous schemes. We also show that our scheme satisfies cancelable biometrics criteria and robustness tosecurity and privacy attacks demonstrated in the Jin et al.’s work. 최근에 생체인증은 다양한 분야에 사용되고 있다. 생체정보는 변경이 불가능하고 다른 개인정보와 달리 폐기할 수없기 때문에 생체정보 유출에 대한 우려가 커지고 있다. 최근 Jin et al.은 지문 템플릿을 보호하기 위해IoM(Index-of-Max) 해싱이라는 폐기가능한 생체인증 방법을 제안했다. Jin et al.은 Gaussian randomprojection 기반과 Uniformly random permutation 기반의 두 가지 방법을 구현하였다. 제안된 방법은 높은 매칭 정확도를 제공하고 프라이버시 공격에 강력함을 보여주며 폐기가능한 생체인증의 요건을 만족함을 보여주었다. 그러나 Jin et al.은 다른 생체정보에 대한 인증(예: 정맥, 홍채 등)에 대한 실험 결과를 제공하지는 않았다. 본 논문에서는 Jin et al.의 방법을 적용하여 홍채 템플릿을 보호하는 방법을 제안한다. 실험 결과는 이전의 폐기가능한 홍채인증 방법과 비교했을 때 더 높은 정확도를 보여주며 보안 및 프라이버시 공격에 강력함을 보여준다.

Seasonal Growth Dynamics of Posidonia oceanica in a Pristine Mediterranean Gulf

Erhan Mutlu,Cansu Olguner,Mehmet Gökoğlu,Yaşar Özvarol 한국해양과학기술원 2022 Ocean science journal Vol.57 No.3

Seasonal growth dynamics and ecology of Posidonia oceanica were studied in a space alongshore a pristine Mediterranean gulf in 2011–2012. About one-third of the present study surface area was occupied meadows where only calcite rocks were found on bottoms between 0.5 and 29 m. Shoot density was not significantly different among seasons, and was above 364 ± 27 shoots m−2, but was different among the depths. The density variables decreased along the bottom depth gradient along which the number of leaves per shoot, inter shoot distance and the morphometrical variables tended to increase. Inferring the dynamics of biometrics (length and width of leaf, orthotropic rhizomes and leaf sheath) and density (LAI, leaf biomass and the number of leaves per shoot), the biometrics of the meadow grew seasonally between growth by March and mortality by August–September, regardless of the coverage area. Mortality occurred due to the highest annual salinity in late summer. A transition depth in space and month in time was assessed as 15 m and as August for variation of the biometrics, respectively. Rhizome related-biometrics (length, thickness, weight, sheath length and width) were dynamically initialized mainly by water nitrogen content which was high by winter-spring. A PAR in the range of 10–32%, and surface water temperature up to 28.8–29.3 °C corresponding to up to ~ 40 PSU were critical limiting factors for P. oceanica to survive in space. Water physics, chemistry, and optical properties governed the annual course of biometrics. Total organic carbon was also negatively affecting the seasonal dynamics of the rhizome.

바이오인식을 이용한 원격의료에서의 개인정보보호

신용녀(Yong-Nyuo Shin),전명근(Myung Geun Chun) 한국지능시스템학회 2010 한국지능시스템학회논문지 Vol.20 No.5

본 논문에서는 바이오인식기반 원격의료시스템에 있어서 바이오정보를 포함한 개인 프라이버시 정보를 보호하기 위한 프레임워크를 제시한다. 바이오인식은 편의성 및 의료 환경의 특수성으로 원격의료시스템에 적합한 인증수단 일수 있지만 바이오정보가 분실되거나 다른 사람에 의해서 도용되었을 경우 비밀번호나 ID처럼 사용자 요구에 따라 쉽게 변경하기가 어렵다는 치명적인 단점을 지니고 있기 때문에, 바이오정보를 이용한 인증시스템 구축 시 민감한 프라이버시 정보의 한 유형인 개인 바이오정보를 보호하기 위한 정보보호 프레임워크에 기반 하여 원격의료시스템이 구축되어야 한다. 먼저 바이오인식 시스템의 구성요소와 동작을 살펴보고 바이오인식기반 원격의료 시스템이 만족해야할 특화된 보안 요구사항 대한 정의를 내린다. 이어서 바이오인식기반 원격의료 시스템의 모델을 정의하고 프라이버시 정보와 바이오정보가 공격당할 수 있는 보안 위협과 이에 대처할 수 있는 대응방안을 제시한다. 본 논문에서는 다양한 보안 위협 요인들에 대처하기 위하여 2단계인증 프로토콜을 제시한다. 마지막으로 바이오 인식기반 원격의료 프레임워크를 적용한 시스템의 구성요소에 대한 기능 요구사항을 기술함으로서 바이오인식기반 원격의료 보안 대책에 기반 시스템 구축 시 사용자의 개인정보를 보호함과 동시에 높은 보안능력을 갖는 고성능의 개인인증용 바이오인식 시스템을 구축에 도움을 줄 수 있다. This paper provides an integrated framework for biometric data and private information protection in TeleHealth. Biometric technology is indispensable in providing identification and convenience in the TeleHealth environment. Once biometric information is exposed to mallicious attacker, he will suffer great loss from the illegferuse of his biometric data by someone else because of difficulty of change not like ID and password. We have to buil by someone esystem data bon the integrated framework for biometric data and private information protection in TeleHealth. First, we consider the structure of the biometric system and the security requirements of y someone esystem data bon the biometrics. And then, we define the TeleHealth system model and provide the vulnerabilities and countermeasures of the biometric-data by someone eintegrated model.byhe TeleHealth sse bec requires two-phata authentication for countermeasure. Finally, we made some functionferrequirements for main componenets of biometric-data bintegrated TeleHealth system framework to protect biometric data.

Security Analysis and Improvements of a Biometrics-based User Authentication Scheme Using Smart Cards

안영화(Young-Hwa An) 한국컴퓨터정보학회 2012 韓國컴퓨터情報學會論文誌 Vol.17 No.2

스마트카드를 이용한 생체인식 기반 사용자 인증 스킴이 인증 시스템에서 안전성 취약점을 개선하기 위해 제안되고 있다. 2010년 Chang 등은 위조 공격, 오프라인 패스워드 추측 공격, 재생 공격 등에 안전한 개선된 생체인식 기반 사용자 인증 스킴을 제안하였다. 본 논문에서는 Chang 등의 스킴에 대한 안전성을 분석하고, Chang 등의 스킴이 중간자 공격, 오프라인 생체인식 추측 공격 등에 취약하고, 사용자와 서버 사이에 상호인증을 제공하지 못함을 증명하였다. 그리고 본 논문에서는 이와 같은 안전성 취약점들을 개선한 인증 스킴을 제안하였다. 안전성 분석 결과, 제안된 스킴은 사용자 가장 공격, 서버 가장 공격, 중간자 공격, 오프라인 생체인식 추측 공격 등에 안전하고, 사용자와 서버 사이에 상호인증을 제공하고 있음을 알 수 있다. 그리고 계산 복잡도 관점에서 제안된 스킴은 Chang 등의 스킴보다 효율적임을 알 수 있다. Many biometrics-based user authentication schemes using smart cards have been proposed to improve the security weaknesses in user authentication system. In 2010, Chang et al. proposed an improved biometrics-based user authentication scheme without concurrency system which can withstand forgery attack, off-line password guessing attack, replay attack, etc. In this paper, we analyze the security weaknesses of Chang et al.'s scheme and we have shown that Chang et al.'s scheme is still insecure against man-in-the-middle attack, off-line biometrics guessing attack, and does not provide mutual authentication between the user and the server. And we proposed the improved scheme to overcome these security weaknesses, even if the secret information stored in the smart card is revealed. As a result, the proposed scheme is secure for the user authentication attack, the server masquerading attack, the man-in-the-middle attack, and the off-line biometrics guessing attack, does provide the mutual authentication between the user and the remote server. And, in terms of computational complexities, the proposed scheme is more effective than Chang et al.'s scheme.

광용적맥파를 이용한 생체인식 보안시스템의 설계 및 구현

김현기(Hyen-Ki Kim) 한국산업정보학회 2010 한국산업정보학회논문지 Vol.15 No.4

생체인식은 개인의 신체에서 얻어지는 고유한 특성을 특징점으로 잡아 인식하는 방법으로서 분실할 위험이 없고 타인에 의한 위ㆍ변조의 위험성이 낮아 높은 보안성을 제공한다. 본 논문에서는 빠르고 편리하게 광학적으로 두 손가락 끝에서 정확한 심장박동 신호를 측정하여 ‘생체인식에 적용할 수 있는 광용적맥파를 이용한 생체인식 보안시스템을 설계 및 구현하였다. 성능평가 결과, 본 논문에서 설계 및 구현된 개인인증을 위한 생체인식 보안시스템은 출입문의 개폐용으로 실험한 결과 평균 90.5%의 인식률을 나타내었다. 제안된 생체인식 보안시스템은 간단하게 손가락을 기계에 접촉하는 원터치 방식으로 원하는 생체 정보를 얻음으로써 시간적 편리성과 누구나 거부감 없이 쉽게 이용할 수 있는 장점이 있다. Biometrics are methods of recognizing a person based on the physiological or behavioral characteristics of his of her body. They are highly secure with little risk of loss or falsification by others. This paper has designed and implemented a security system of biometrics by precisely measuring heartbeat signals at two fingertips and using a photoplethysmogram, which is applicable to biometrics. A performance evaluation has led to the following result. The security system of biometrics for personal authentication which has been designed and implemented by this study has achieved a recognition rate of 90.5%. The security system of biometrics suggested here has merits of time saving and easy accessibility. The system is touch-based and collects the necessary biometric information by simply touching the machine with fingers, so anyone can utilize the system without any difficulty.

근로자 개인정보 처리의 정당성 요건과 한계–종속성의 관점에서

양승엽 노동법이론실무학회 2016 노동법포럼 Vol.- No.18

“Personal Information Protection Act”(PIPA), a general law for personal date protection, guarantee the free exchange as well as the protection of the personal data. That clears the PIPA’s characteristics as the private law. If the personal information manager obtain the consent of the subject of information, the manager can process the personal information unconstrainedly, and The PIPA can admit the employer to process the worker’s personal data including providing a third person and using for any purpose other than intended ones, so long as he gets the worker’s consent. So, the worker’s consent in the PIPA functions as the master-key to obtain the legitimacy to process the personal data. But, due to the worker’s subordination to the employer, the real intention of workers as the subject of information is suspected. Furthermore, the PIPA article 15 (1) 6 should allow the personal information manager, without the consent of the subject of information, to process the personal data, if the manager demonstrate his legitimate interests which is limited to cases. Thus the employer not given the worker’s consent can assert his right to obtain the worker’s personal data for his legitimate interest in the facilities and human resources management. The PIPA has a few blind spot. For example, the PIPA does not have any provisions of the biometrics. The employers use the worker’s biometrics for the facilities security and worker’s job description. The biometrics remain unchanged worker’s whole life, so if the biometrics abused, the damages are incalculable. The PIPA article 23 enacts a provision of the sensitive information (thought, beliefs, health information, etc.). The biometrics should be interpreted analogically as a sort of health information regulated so that it can regulated in the PIPA. Recently, the employer use the GPS and the electronic tag to trace the worker’s location data. The personal location data is regulated in “Act on the Protection, Use, etc., of Location Information”, but this act does not consider the unbalanced relationship of the employer and the worker, so the employer given the worker’s consent can get the worker’s location data freely. The person who has the other party’s information rules those who can’t. If those who can’t is the worker, along with the subordination to the employer, he suffers from the double power-imbalance. To overcome the double imbalance, firstly, the regulations of processing the worker’s personal data should be established in the PIPA. As a role model, the German personal data protection act is in the process of revision, which tries to insert the worker’s data protection part in the act. When the PIPA is changed, the scope of individual object should be expanded. The current law regulates the workers who offer his service to the employers, but the job-seeker, retiree, and contract laborers have to be included. Moreover, in the illegal processing of the worker’s personal data, the workers should have the right of veto and immunity. Secondly, to secure the truth of worker’s consent, in other words, to obtain the equal standing between the employer and the worker, the group decision of the labor-management representatives substitutes for the worker’s individual consent of processing his personal data. For that, the workers can entrust the representative such as the labour union representative with the right of agreement on processing. Finally, on interpreting the legislation concerned on personal data protection containing the PIPA, the regulations should be construed in the principle of being involved in the occupation and of proportion. The principle of being involved in the occupation is relevant to interpret the employer’s legitimate interests on the processing the worker’s personal data, and if the employer’s processing of the worker’s personal data is proved to be involved in the occupation, in addition, the proport...