BIOMETRICS AND NETWORK AUTHENTICATION


Page 1: BIOMETRICS AND NETWORK AUTHENTICATION

BIOMETRICS AND NETWORK AUTHENTICATION

Security Innovators

Page 2: BIOMETRICS AND NETWORK AUTHENTICATION

Identification Methods

• Traditional identification
  • Something that you have: entrance permit, key
  • Something that you know: user-id and password, PIN
• Problems
  • An unauthorized person can take control of these traditional identifiers
  • Passwords and PINs are difficult to remember

Page 3: BIOMETRICS AND NETWORK AUTHENTICATION

Secure Authentication

• In a PKI world:
  • Cryptographic key pair (private and public key)
  • If someone gains access to the password that secures the cryptographic keys, he also gains access to every cryptographically protected application.
• Solution: something that you are
  • Biometric

Page 4: BIOMETRICS AND NETWORK AUTHENTICATION

What is Biometrics?

• Biometric technology uses a physical or psychological trait for identification and authentication
• Key properties:
  • Universal - common characteristic
  • Unique - no two persons are the same in terms of the characteristic
  • Permanent - time invariant
  • Collectable - quantitatively measurable

Page 5: BIOMETRICS AND NETWORK AUTHENTICATION

Why Biometrics?

• Enhance security
  • "Who you claim to be" NOT "what you know"
• Convenient
  • Fast, easy-to-use, reliable, and less expensive authentication
• Avoid
  • Lost, stolen, duplicated, or left at home
  • Forgotten, shared, or observed

Page 6: BIOMETRICS AND NETWORK AUTHENTICATION

How Does Biometrics Work?

• Signal processing
• Minutia extraction
• Representation
• Compression
• Encryption
• Transmission
• Decryption
• Decompression
• Template generation

Page 7: BIOMETRICS AND NETWORK AUTHENTICATION

If Match…

• Smart card data is converted into a number
  • Used as a symmetric cryptographic key to decrypt the private key
• A nonce is passed from the computer application to the smart card
• The private key on the smart card encrypts the nonce
• The application verifies:
  • It obtains the certified public key from the network-based directory service
  • It decrypts the encrypted message from the card
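The exchange on this slide, sketched as an added example that is not part of the original presentation. Textbook RSA over two Mersenne primes and an XOR mask stand in for the card's real asymmetric and symmetric ciphers so that the sketch runs on the standard library alone; the class and function names, the hashing of the nonce and the sample card data are assumptions.

```python
import hashlib
import secrets

# Constructed toy key pair: textbook RSA, no padding (assumption for this sketch).
P, Q = 2**127 - 1, 2**89 - 1           # two Mersenne primes
N, E = P * Q, 65537                    # public key, as the directory would certify it
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the card


def card_number(card_data: bytes) -> int:
    """'Smart card data converted into a number' (here: a SHA-256 digest)."""
    return int.from_bytes(hashlib.sha256(card_data).digest(), "big")


def nonce_digest(nonce: bytes) -> int:
    """Map the nonce into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class SmartCard:
    def __init__(self, card_data: bytes):
        # The private key is stored only in wrapped form. XOR with the derived
        # number is a stand-in for a real symmetric cipher.
        self._wrapped = D ^ card_number(card_data)

    def respond(self, nonce: bytes, released_data: bytes) -> int:
        """Unwrap the private key with the data released on a biometric
        match, then apply the private key to the nonce."""
        d = self._wrapped ^ card_number(released_data)
        return pow(nonce_digest(nonce), d, N)


def verify(nonce: bytes, response: int) -> bool:
    """Application side: apply the certified public key to the response."""
    return pow(response, E, N) == nonce_digest(nonce)


def run_demo():
    secret = b"constructed-card-data"
    card = SmartCard(secret)
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    genuine = verify(n1, card.respond(n1, secret))
    no_match = verify(n1, card.respond(n1, b"wrong-data"))  # key unwraps to garbage
    replayed = verify(n2, card.respond(n1, secret))         # old response, new nonce
    return genuine, no_match, replayed
```

The fresh nonce is what makes a recorded response useless: the replayed case fails even though the card and the key are genuine.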

Page 8: BIOMETRICS AND NETWORK AUTHENTICATION

Types of Biometrics

• Fingerprint
• Face Pattern
• Voice Pattern
• Retina Identification
• Hand
• DNA
• Signature
• Etc…

Page 9: BIOMETRICS AND NETWORK AUTHENTICATION

Fingerprint

• Reasons to use
  • 100 to 600 bytes of data size can easily be fitted into the smart cards
  • It cannot be easily reproduced from the templates
• Possible Attack
  • Surgery to alter print
  • Latex finger
• Solution
  • Monitor pulse, sweat, temperature and more
  • Best solution: Measure the amount of oxygenated hemoglobin in the blood

Page 10: BIOMETRICS AND NETWORK AUTHENTICATION

Fingerprint Matching Algorithm

• Three types of minutia features: Ridge Ending, Bifurcation, and Short Ridge
• m_i = (type, x_i, y_i, θ_i, W) where
  • m_i is the minutia vector
  • type is the type of feature (ridge ending, bifurcation, short ridge)
  • x_i is the x-coordinate of the location
  • y_i is the y-coordinate of the location
  • θ_i is the angle of orientation of the minutia
  • W is a weight based on the quality of the image at that location
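One way to compare two sets of these minutia vectors, as an added example that is not from the original slides. It assumes the probe is already aligned to the template and uses a simple tolerance-based greedy pairing; the tolerances, the scoring rule and the sample minutiae are constructed for illustration.

```python
import math
from typing import NamedTuple


class Minutia(NamedTuple):
    type: str      # "ending", "bifurcation" or "short"
    x: float
    y: float
    theta: float   # orientation in degrees
    w: float       # image-quality weight in [0, 1]


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two angles, handling wrap-around."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(template, probe, max_dist=10.0, max_angle=15.0) -> float:
    """Pair each template minutia with the nearest unused probe minutia of the
    same type within both tolerances; return matched weight / template weight."""
    used, matched = set(), 0.0
    for t in template:
        best, best_d = None, max_dist
        for j, p in enumerate(probe):
            if j in used or p.type != t.type:
                continue
            d = math.hypot(t.x - p.x, t.y - p.y)
            if d <= best_d and angle_diff(t.theta, p.theta) <= max_angle:
                best, best_d = j, d
        if best is not None:
            used.add(best)
            matched += min(t.w, probe[best].w)  # a poor-quality side caps the credit
    return matched / sum(t.w for t in template)


# Constructed sample data.
TEMPLATE = [Minutia("ending", 10, 20, 30, 1.0),
            Minutia("bifurcation", 50, 60, 350, 0.8),
            Minutia("short", 80, 15, 120, 0.5)]
SAME_FINGER = [Minutia("ending", 12, 21, 35, 0.9),
               Minutia("bifurcation", 49, 63, 2, 0.8),    # 350 vs 2 degrees: 12 apart
               Minutia("short", 81, 14, 118, 0.5)]
OTHER_FINGER = [Minutia("ending", 40, 70, 200, 1.0),
                Minutia("bifurcation", 52, 58, 170, 0.9),  # close by, wrong angle
                Minutia("ending", 80, 15, 120, 0.7)]       # right place, wrong type
```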

Page 11: BIOMETRICS AND NETWORK AUTHENTICATION

Face Pattern

• Face recognition algorithms create a numerical code from facial measurements called “face print”
• Possible Attack
  • Surgery
  • Artificial mask
  • If only 2-D scan, duplication of photo
• Protection
  • 3-D images from various viewing angles

Page 12: BIOMETRICS AND NETWORK AUTHENTICATION

Retina Identification

• Based on the unique configuration of blood vessels in the retina
• 360 degree circular scan
• Most accurate
• Possible attack
  • Surgery
  • Prosthetic eye

Page 13: BIOMETRICS AND NETWORK AUTHENTICATION

Eye Scan

Page 14: BIOMETRICS AND NETWORK AUTHENTICATION

Voice Pattern

• Automatic speaker recognition and verification system
• Possible attack
  • DAT voice recording
  • Sound-alike voice

Page 15: BIOMETRICS AND NETWORK AUTHENTICATION

How Biometrics Applies to Network Security?

• Authentication
  • Biometrics technology replaces username and password
• Can be used on
  • Workstation and network access
  • Single sign-on
  • Application logon
  • Data protection
  • Remote access to resources
  • Transaction security
  • Web security
  • Encrypt sensitive data transmitted over the internet

Page 16: BIOMETRICS AND NETWORK AUTHENTICATION

Biometric Authentication for J2EE Architecture

Page 17: BIOMETRICS AND NETWORK AUTHENTICATION
Page 18: BIOMETRICS AND NETWORK AUTHENTICATION

Issues and Concerns

• Accuracy
  • False acceptance rate (FAR) and false rejection rate (FRR)
  • Tradeoff between security and convenience
• Stability
• Suitability
• Difficulty of usage
• Availability
• Comparison failure
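The FAR/FRR tradeoff worked through numerically, as an added example that is not from the original slides. The match scores, the thresholds and the function names are constructed for illustration; a score at or above the threshold is treated as an accept.

```python
def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted.

    FAR: fraction of impostor attempts wrongly accepted (security failure).
    FRR: fraction of genuine attempts wrongly rejected (convenience failure).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per candidate threshold."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def pick_threshold(rows, max_far):
    """Among thresholds whose FAR stays within the security ceiling, pick the
    one that rejects the fewest genuine users. Returns None if none qualifies."""
    allowed = [r for r in rows if r[1] <= max_far]
    return min(allowed, key=lambda r: r[2]) if allowed else None


# Constructed match scores in [0, 1]: ten genuine and ten impostor attempts.
GENUINE = [0.91, 0.85, 0.78, 0.66, 0.95, 0.72, 0.88, 0.59, 0.81, 0.93]
IMPOSTOR = [0.12, 0.35, 0.48, 0.61, 0.22, 0.55, 0.30, 0.70, 0.41, 0.18]
THRESHOLDS = [0.5, 0.6, 0.65, 0.7, 0.8]

ROWS = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
```

On this data, tightening the FAR ceiling from 0.1 to 0.0 moves the chosen threshold from 0.65 to 0.8 and raises FRR from 0.1 to 0.4.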

Page 19: BIOMETRICS AND NETWORK AUTHENTICATION

Summary

• Biometric is one more layer on top of PIN, physical token, and it makes them more secure
• Highest level of security is the combination of:
  • Something you know
  • Something you have
  • Something you are
