Biometrics. Biometric Identity Authentication I am the author of IEEE P2410 - BOPS Triple of Device,...

Page 1: Biometrics. Biometric Identity Authentication I am the author of IEEE P2410 - BOPS Triple of Device, Biometric, 2-Way SSL Cert One Time Password Liveness.

Biometrics

Page 2:

Biometric Identity Authentication

I am the author of IEEE P2410 - BOPS

Triple of Device, Biometric, 2-Way SSL Cert

One Time Password

Liveness

BOPS Server architecture

IDS on Device

IDS on Server

Page 3:

BOPS details an end-to-end specification to perform server-based enhanced biometric security.

[Diagram: User (biometrics and liveness) connected over Two-way SSL to the BOPS Server (keys for authentication and intrusion detection)]

Page 4:

Steps for an X.509 Certificate

Two-way SSL

Create the Public and Private Key

Sign the Public Key

Add the Private Key

You now have a Cert PKI
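The four steps above carried out with openssl, as an added example that is not from the slides or from any BOPS implementation: a self-signed certifying authority serves as the trust store (as on the 2-Way SSL slide), the client's key pair is created and its public key signed by that CA, and the private key is added by bundling it into a password-protected PKCS#12 file that a client or Java key store can import. The output directory, the user GUID placed in the certificate subject and the bundle password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the deck): build the trust-store CA and a signed
# client certificate for two-way SSL with openssl. Paths and values are
# constructed placeholders.
set -eu

OUT="${BOPS_PKI_DIR:-./bops-pki-demo}"   # assumed output directory

# $1 = user GUID to put in the certificate subject, $2 = PKCS#12 password
make_client_pki() {
  mkdir -p "$OUT"
  # 1. The certifying authority: its own key pair, self-signed. This is the
  #    certificate the server's trust store will contain.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo BOPS CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
  # 2. Create the client's public and private key; the CSR carries the
  #    public key and a subject whose CN is the user's GUID.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" \
    -keyout "$OUT/client.key" -out "$OUT/client.csr" 2>/dev/null
  # 3. Sign the public key with the CA.
  openssl x509 -req -days 365 -in "$OUT/client.csr" \
    -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -out "$OUT/client.crt" 2>/dev/null
  # 4. Add the private key: bundle certificate + key + CA into a
  #    password-protected PKCS#12 file for the client's key store.
  openssl pkcs12 -export -inkey "$OUT/client.key" -in "$OUT/client.crt" \
    -certfile "$OUT/ca.crt" -passout "pass:$2" -out "$OUT/client.p12"
}

# What the server does after the handshake: confirm the presented
# certificate chains to the trust-store CA, then read the GUID from it.
# Prints the GUID on success, returns 1 if the chain does not verify.
verify_client_cert() {
  openssl verify -CAfile "$OUT/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demonstration (skipped where openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  make_client_pki "user-guid-demo-0001" "demo-cert-password"
  echo "client certificate accepted for GUID: $(verify_client_cert "$OUT/client.crt")"
fi
```

The resulting ca.crt is what gets imported into the server's trust store; a certificate signed by any other authority fails verify_client_cert even though it is otherwise well-formed.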

Page 5:

IEEE Biometric Open Protocol Standard (BOPS)

[Diagram labels: Account; Device; Enrolled User; Key Store (SSL); Trust Store (CA); Client Certificate; User Auth Encrypted Data; Client User Auth Data Encryption Key; BOPS; Mobile Client Application; Two-way SSL. Within the OS Secured Space of the mobile client: User Auth Data Encryption Key (571 ECC), Client Certificate Password, Biometric Vector.]

Ensure privacy on mobile devices

Page 6:

BOPS is the IEEE standard for biometric-based identity assertion.

CONFIDENTIAL and PROPRIETARY February 25, 2015 p. 6

[Diagram: Enrollment, Maintenance, Revocation, Storage]

BOPS is a global standard:

• Protecting user privacy

• Defining clear rules, and levels of acceptance,

• Comprising the rules governing secure communication between a variety of client devices and the trusted server

This paradigm forces hackers to hack one user at a time, since there is no single repository of critical data, thus deterring massive data breaches.

Page 7:

BOPS provides identity assertion, role gathering, multi-level access control, assurance, and auditing.

Identity Assertion

Provides a guarantee that named users are who they claim to be

Role Gathering

BOPS server stores role gathering information to associate a unique user with a unique device and adjudicate what a user can see, write, and do

Multi-level Access Control

BOPS may store data and analytics such that there is a guarantee of continuous protection and access control of all data

Assurance

BOPS Intrusion Detection System monitors spoofing attempts and blacklists subjects or devices that make malicious attempts

BOPS Server

Auditing

BOPS supports all auditing requests at the subject / object level or at the group level

Page 8:

BOPS authenticates, establishes a secure key, and utilizes a two-way SSL connection.

Authentication: Instead of authorization, and user information remains on the device

Secure key: Created on the backend behind a firewall, and matching occurs on the device

Two-way SSL connection: Data on device and server encrypted using 571-bit Elliptic Curve Cryptography
Page 9:

There are multiple use cases for BOPS that extend across industries and functions.

Car preferences and safety features

Perform ATM transactions safely

Entry into secure buildings

No more user names and passwords

No more insurance cards and paperwork

Page 10:

The rules for BOPS protect the enterprise and the end-user.

No biometric data stored in any back-end repository

All data is fully encrypted, even in an underlying secure transfer layer

Biometric match always happens on device, protecting users' privacy.

Certificate generation occurs in a secure server

Critical data must be encrypted on device

Secure back-end servers and systems with mobile device biometric access

Allows pluggable components to replace existing components

Liveness Detection Technology

Intrusion Detection System monitors data traffic in ALL devices and servers

Page 11:

What is 1-Way SSL: Uses a key store with keys from a certifying authority such as Verisign (purchased). You specify a set of ciphers that may be used. Some ciphers have been compromised. We consider 128 bit too small. ECC is currently best.

Page 12:

2-Way SSL: Uses a trust store, based on a self-signed certifying authority, set at boot time on a web server. Initially meant for identity assertion (bad). Overloaded to state who you could be. Used with a biometric authorization.

Page 13:

An Example in Tomcat: $CATALINA_HOME/conf contains the configuration. The JAAS configuration for the login module does identity assertion and role gathering. The server.xml file contains the truststore and keystore, and the ports used. Requires authentication on the device.
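A server.xml fragment of the kind the slide describes, added here as an illustration rather than taken from the deck or from any BOPS implementation: the HTTPS connector names the key store and trust store and demands a client certificate, and a JAAS realm delegates identity assertion and role gathering to a login module. Store paths, passwords, the realm's appName and the principal class names are placeholders.

```xml
<!-- $CATALINA_HOME/conf/server.xml (fragment). Values are placeholders. -->

<!-- HTTPS port. clientAuth="true" makes the handshake two-way: the client
     must present a certificate that chains to a CA in the trust store. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${catalina.base}/conf/server.jks"
           keystorePass="CHANGE_ME_KEYSTORE_PASSWORD"
           truststoreFile="${catalina.base}/conf/truststore.jks"
           truststorePass="CHANGE_ME_TRUSTSTORE_PASSWORD"/>

<!-- Identity assertion and role gathering are handed to a JAAS login
     module. appName must match the entry name in the JAAS config file;
     the principal class names are placeholders for the module's own. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="BOPS"
       userClassNames="com.example.bops.UserPrincipal"
       roleClassNames="com.example.bops.RolePrincipal"/>
```

The JAAS file that defines the BOPS entry (assumed here to be conf/bops.jaas) is given to the JVM with -Djava.security.auth.login.config, and the trust store should contain only the self-signed CA that issues client certificates, not public CAs.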

Page 14:

Genesis: Uses a unique mechanism to determine the initial identity to fuse. An initial default certificate is loaded into the client application. It is used to communicate genesis to the server.

Once the initial identity is found, a 2-way SSL key is loaded into the client application and the default certificate is used only for passwords.

The 2-way SSL certificate has a GUID tied to the user. Authentication and the 2-way certificate are used moving forward.

Page 15:

Genesis (Continued): Genesis gets a biometric that is hashed to a vector and reused during authentication. Genesis never stores the biometric on the server. To enroll another device, the other information (email, phone number) is used. This fuses the next enrollment with the Genesis.

The biometric vector is never stored on the server because it is possible to get from the biometric vector to the actual biometric.

Page 16:

2-Way SSL Certificate: The 2-Way SSL Certificate has a password. We do not want to store the password on the client because if the client is compromised all the information is on one device.

Re-use the default certificate with a One Time Password algorithm.

The One Time Password is a Get or Put parameter. Server and client's One Time Password must be the same.

Page 17:

Authentication

Compares Biometric Vector on device (from Genesis) to Biometric Vector just gathered.

Sends the result of the authentication to the server.

This initiates a “session” as a concept with session data.

In actuality we are stateless. We simulate a session.

Page 18:

Encrypted Store

We can set up areas on disk to encrypt and use biometrics to look up the key.

Encryption is tied to the biometric. Only the person can unlock the file(s) with their biometric identity. May be shared using DAC. DAC implies the use of Groups, which is the solution.

Page 19:

B2B Business to Business

For a business, we must integrate with the current environment. New techniques do not line up with current integration. We have to figure out where we integrate. We access the current identity.

Page 20:

B2C Business to Client

Password manager and Encryption manager.

Uses Amazon Web Services.

Uses CA of Hoyos Labs.

Uses Truststore based on CA.

Is a business to client application.

Does not integrate with any backend for a client.

Page 21:

So an IRIS is part of the eye.

It is the best Biometric we can use.

We cannot get it with a standard phone, so we currently use facial recognition.

As phone Cameras get better we will use IRIS.

We have proprietary devices that use IRIS.

IRIS

Page 22:

We use general purpose devices because this is what people have easy access to.

You rarely are without your phone.

General Purpose Devices

Page 23:

Passive Liveness

We wish to do liveness without Gestures.

To do this we either use the IRIS, which works for liveness, or we use 4 fingers on the phone.

We are in the EARLY days of biometrics but they are advanced enough today for production.

Page 24:

The idea of using the four fingers on the back of the phone as passive liveness.

Passive liveness would turn on the back camera and take a quick picture of your hand.

This is not as accurate as an IRIS but very close; close enough for identity.

Four Fingers

Page 25:

Facial recognition when considered alone is a 1 in 100 False Acceptance Rate.

When combined with Genesis and a 2-Way SSL key we are looking at a false acceptance of less than 1 in 300 million.

FAR – Facial 1 in 100

Page 26:

So we cannot take one face and go after a database of, say, 50,000 people. We will match with more than one. So we either need IRIS, or 4 finger, or a strong Genesis.

No Facial One:Many

Page 27:

For twins, IRISes are different.

IRIS is where we want to get.

IRIS is what we use for 1 to look up many.

So if I had an IRIS and looked up across 50,000 people, I would only get one back, if I was in that database.

As biometrics get better, we get better.

Twins

Page 28:

BOPS – It is in your class notes.

Genesis

How we deal with Facial having a false acceptance of 1 in 100

What is the solution?

How do we use 2-Way SSL?

Summary