Identification Methods
• Traditional identification
  • Something that you have: entrance permit, key
  • Something that you know: user-id and password, PIN
• Problems
  • An unauthorized person can take control of these traditional identifiers
  • Passwords and PINs are difficult to remember

Secure Authentication
• In a PKI world: cryptographic key pair (private and public key)
• If someone gains access to the password that secures the cryptographic keys, he also gains access to every cryptographically protected application.
• Solution: something that you are
  • Biometric

What is Biometrics?
• Biometric technology uses a physical or psychological trait for identification and authentication
• Key properties:
  • Universal - common characteristic
  • Unique - no two persons are the same in terms of the characteristic
  • Permanent - time invariant
  • Collectable - quantitatively measurable

Why Biometrics?
• Enhance security
  • "Who you claim to be" NOT "what you know"
• Convenient
  • Fast, easy-to-use, reliable, and less expensive authentication
• Avoid
  • Lost, stolen, duplicated, or left at home
  • Forgotten, shared, or observed

How Does Biometrics Work?
• Signal processing
• Minutia extraction
• Representation
• Compression
• Encryption
• Transmission
• Decryption
• Decompress
• Template generation

If Match…
• Smart card data is converted into a number
• The number is used as a symmetric cryptographic key to decrypt the private key
• A nonce is passed from the computer application to the smart card
• The private key on the smart card encrypts the nonce
• The application verifies: the certified public key, obtained from the network-based directory service, decrypts the encrypted message from the card

Types of Biometrics
• Fingerprint
• Face Pattern
• Voice Pattern
• Retina Identification
• Hand
• DNA
• Signature
• Etc…

Fingerprint
• Reasons to use
  • 100 to 600 bytes of data size can easily be fitted into the smart cards
  • It cannot be easily reproduced from the templates
• Possible Attack
  • Surgery to alter print
  • Latex finger
• Solution
  • Monitor pulse, sweat, temperature and more
  • Best solution: Measure the amount of oxygenated hemoglobin in the blood

Fingerprint Matching Algorithm
• Three types of minutia features: Ridge Ending, Bifurcation, and Short Ridge
• m_i = (type, x_i, y_i, θ_i, W) where
  • m_i is the minutia vector
  • type is the type of feature (ridge ending, bifurcation, short ridge)
  • x_i is the x-coordinate of the location
  • y_i is the y-coordinate of the location
  • θ_i is the angle of orientation of the minutia
  • W is a weight based on the quality of the image at that location

Face Pattern
• Face recognition algorithms create a numerical code from facial measurements called a "face print"
• Possible Attack
  • Surgery
  • Artificial mask
  • If only 2-D scan, duplication of photo
• Protection
  • 3-D images from various viewing angles

Retina Identification
• Based on the unique configuration of blood vessels in the retina
• 360 degree circular scan
• Most accurate
• Possible attack
  • Surgery
  • Prosthetic eye

Voice Pattern
• Automatic speaker recognition and verification system
• Possible attack
  • DAT voice recording
  • Sound-alike voice

How Does Biometrics Apply to Network Security?
• Authentication
  • Biometric technology replaces username and password
• Can be used on
  • Workstation and network access
  • Single sign-on
  • Application logon
  • Data protection
  • Remote access to resources
  • Transaction security
  • Web security
• Encrypt sensitive data transmitted over the internet

Issues and Concerns
• Accuracy
  • False acceptance rate (FAR) and false rejection rate (FRR)
  • Tradeoff between security and convenience
• Stability
• Suitability
• Difficulty of usage
• Availability
• Comparison failure

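The FAR/FRR tradeoff listed above, worked through as an added example (not part of the original slides). It assumes a matcher that returns a similarity score in [0, 1] and accepts at or above a threshold; the score lists are constructed sample data and the function names are illustrative.

```python
# Added example: FAR and FRR as the decision threshold moves.
# Assumed convention: higher score = more similar; accept if score >= threshold.

# Constructed sample scores (not measurements from any real system).
GENUINE = [0.91, 0.84, 0.77, 0.96, 0.62, 0.88, 0.71, 0.58, 0.93, 0.81]   # same person
IMPOSTOR = [0.12, 0.36, 0.48, 0.22, 0.66, 0.41, 0.09, 0.54, 0.31, 0.73]  # different person


def far(impostor, threshold):
    """False acceptance rate: fraction of impostor attempts that are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: fraction of genuine attempts that are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine, impostor, steps=20):
    """Return [(threshold, FAR, FRR)] for thresholds 0, 1/steps, ..., 1."""
    grid = [i / steps for i in range(steps + 1)]
    return [(t, far(impostor, t), frr(genuine, t)) for t in grid]


def equal_error_point(genuine, impostor, steps=20):
    """Grid threshold where FAR and FRR are closest (approximate equal error rate)."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(genuine, impostor, max_far, steps=20):
    """Lowest grid threshold with FAR <= max_far, plus the FRR it costs."""
    for t, fa, fr in sweep(genuine, impostor, steps):
        if fa <= max_far:
            return t, fa, fr
    return None  # no threshold on the grid meets the target


if __name__ == "__main__":
    for t, fa, fr in sweep(GENUINE, IMPOSTOR, steps=10):
        print(f"threshold={t:.2f}  FAR={fa:.2f}  FRR={fr:.2f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("zero-FAR setting: ", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold until no constructed impostor is accepted pushes FRR from 0.2 at the equal error point to 0.3, which is the security versus convenience tradeoff in numbers.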
Summary
• Biometrics is one more layer on top of a PIN and a physical token, and it makes them more secure
• Highest level of security is the combination of:
  • Something you know
  • Something you have
  • Something you are