Security and Usability:

Uploaded by utterlypanoramic, category: Security, 30 Nov 2013

Privacy & Identity

Security and Usability: The viability of Passwords & Biometrics

Introduction

Name: Orville Wilson

Alumnus of DePaul University

Doctoral student

Currently works for an Information Security and Managed Services firm, Fortrex Technologies, located in the DC/Baltimore area.

Agenda

Statistical research

Background on passwords & biometrics

Overview of biometrics

How they work

Strengths, weaknesses and usability of biometrics

Conclusion

Empirical Data

Yearly cyber crime cost in the US is over $377 million and rising (CSI/FBI study).

The Federal Trade Commission found that identity theft accounted for $48 billion in losses to business over the past five years.


Background on Passwords & Biometrics

Passwords

Ubiquitous technology.

Passwords are one of the oldest authentication methods.

Many organizations and institutions have used passwords for computer access since 1963, when Fernando J. Corbató added private codes to the CTSS at MIT.

Biometrics

First introduced in the 1970s and early 1980s.

This technology gathers unique physiological or behavioral attributes of a person, either to store them in a database (enrollment) or to compare them with a record already in the database (verification or identification).

Reasons for using biometrics include positive authentication and verification of a person and, through access control, protecting the confidentiality of information in storage or in transit.

Biometrics

Two categories of biometrics

Physiological (also known as static biometrics): biometrics based on data derived from the measurement of a part of a person's anatomy. For example, fingerprints and iris patterns, as well as facial features, hand geometry and retinal blood vessels.

Behavioral: biometrics based on data derived from the measurement of an action performed by a person and, distinctively, incorporating time as a dimension of the measured action. For example, voice (speaker verification), signature dynamics and keystroke dynamics.

Biometrics

How do they work?

Although biometric technologies differ, they all work in a similar fashion:

The user submits a sample, an identifiable, unprocessed image or recording of the physiological or behavioral biometric, via an acquisition device (for example, a scanner or camera).

The sample is then processed to extract information about distinctive features, producing a template. At enrollment this becomes the stored reference template; at a later authentication it is the trial (verification) template.

Templates are sequences of numbers; their size depends on the modality (a hand-geometry template is a few bytes, a fingerprint template under 500 bytes, a voice template considerably larger). The trial template plays the role of the user's "password", with one important difference: it is not compared for exact equality the way a password hash is, but scored for similarity against the reference template and accepted only if the score clears a threshold. Every biometric decision therefore trades false accepts (security) against false rejects (usability), and the threshold is where that trade-off is set.
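The enroll / acquire / extract / compare loop described above, and the threshold trade-off it implies, as an added worked example. This is illustration code written for this page, not code from the presentation or from any biometric vendor. It models the template as an iris-code-style bit string compared by Hamming distance (the comparison actually used for iris codes); the identity patterns, the per-capture noise and the impostor population are all constructed with a seeded random generator and are not real biometric readings. Function names, the 256-bit template length and the noise ranges are assumptions of the example.

```python
"""Toy biometric matcher: enroll a reference template, verify trial templates
by Hamming distance against a threshold, and measure the false accept /
false reject (FAR / FRR) trade-off on constructed samples.

Added illustration, not code from the original presentation. All data is
constructed here with a seeded random.Random; nothing is a real biometric.
"""

import random
from typing import List, Tuple

TEMPLATE_BITS = 256   # assumption: a fixed-length binary feature template


def acquire_sample(identity_seed: int, noise_bits: int, rng: random.Random) -> List[int]:
    """Acquisition plus feature extraction, modelled as one step.

    The person's underlying pattern is derived deterministically from
    identity_seed; each capture then flips noise_bits distinct bits to model
    sensor noise, lighting, occlusion, etc.  Two captures of the same person
    therefore differ, which is why a biometric match is never an exact compare.
    """
    pattern = random.Random(identity_seed)
    bits = [pattern.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    for i in rng.sample(range(TEMPLATE_BITS), noise_bits):
        bits[i] ^= 1
    return bits


def hamming_fraction(a: List[int], b: List[int]) -> float:
    """Fraction of template bits that differ (0.0 identical, ~0.5 unrelated)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(reference: List[int], trial: List[int], threshold: float) -> bool:
    """Decision step: accept if the trial is 'close enough' to the enrolled
    reference.  Unlike a password-hash check this is a similarity decision
    against a tunable threshold, so it carries a false-accept / false-reject cost."""
    return hamming_fraction(reference, trial) < threshold


def error_rates(threshold: float, reference: List[int],
                genuine: List[List[int]], impostors: List[List[int]]) -> Tuple[float, float]:
    """Return (FAR, FRR) for one threshold over the constructed trial sets."""
    far = sum(verify(reference, t, threshold) for t in impostors) / len(impostors)
    frr = sum(not verify(reference, t, threshold) for t in genuine) / len(genuine)
    return far, frr


def build_dataset(seed: int = 1, n_genuine: int = 200, n_impostors: int = 200):
    """Constructed data: one enrolled user (identity seed 42, clean enrollment
    capture), noisy genuine re-captures of that user, and impostors whose
    patterns are unrelated to the enrolled one."""
    rng = random.Random(seed)
    reference = acquire_sample(42, 0, rng)                 # enrollment template
    genuine = [acquire_sample(42, rng.randint(5, 40), rng) for _ in range(n_genuine)]
    impostors = [acquire_sample(rng.randint(1000, 10**6), rng.randint(5, 40), rng)
                 for _ in range(n_impostors)]
    return reference, genuine, impostors


def sweep(thresholds, reference, genuine, impostors):
    """Tabulate (threshold, FAR, FRR): tightening the threshold lowers FAR
    (better security) and raises FRR (worse usability), and vice versa."""
    return [(t,) + error_rates(t, reference, genuine, impostors) for t in thresholds]


if __name__ == "__main__":
    ref, gen, imp = build_dataset()
    for t, far, frr in sweep([0.02, 0.05, 0.10, 0.15, 0.25, 0.40, 0.50], ref, gen, imp):
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
```

Run it and read the table top to bottom: at a very tight threshold genuine users are rejected (high FRR) while impostors never get in; loosen it past the point where impostor distances cluster (around 0.5 for unrelated bit strings) and impostors start being accepted. The gap between the genuine and impostor distributions is what makes a modality usable at all, which is why the strengths and weaknesses tables later in the deck keep returning to stability over time, sensor variation and enrollment quality.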

Overview of Biometrics

Biometric: Iris
Acquisition device: Infrared-enabled video camera, PC camera
Sample: Black and white iris image
Feature extracted: Furrows and striations of the iris

Biometric: Fingerprint
Acquisition device: Desktop peripheral, PC card, mouse chip, or reader embedded in keyboard
Sample: Fingerprint image (optical, silicon, ultrasound or touchless)
Feature extracted: Location and direction of ridge endings and bifurcations on the fingerprint (minutiae)

Biometric: Voice
Acquisition device: Microphone, telephone
Sample: Voice recording
Feature extracted: Frequency, cadence and duration of vocal pattern

Biometric: Signature
Acquisition device: Signature tablet, motion-sensitive stylus
Sample: Image of signature and record of related dynamics measurements
Feature extracted: Speed, stroke order, pressure and appearance of signature

Biometric: Face
Acquisition device: Video camera, PC camera, single-image camera
Sample: Facial image (optical or thermal)
Feature extracted: Relative position and shape of nose, position of cheekbones

Biometric: Hand
Acquisition device: Proprietary wall-mounted unit
Sample: 3-D image of top and sides of hand
Feature extracted: Height and width of bones and joints in hands and fingers

Biometric: Retina
Acquisition device: Proprietary desktop or wall-mountable unit
Sample: Retina image
Feature extracted: Blood vessel pattern of the retina
Strengths, Weaknesses and Usability of Biometrics

Iris
Strengths: Very stable over time; uniqueness
Weaknesses: Potential user resistance; requires user training; dependent on a single vendor's technology
Usability (typical applications): Information security access control, especially for federal institutions and government agencies; physical access control (FIs and government); kiosks (ATMs and airline tickets)

Fingerprint
Strengths: Most mature biometric technology; accepted reliability; many vendors; small template (less than 500 bytes); small sensors that can be built into mice, keyboards or portable devices
Weaknesses: Physical contact required (a problem in some cultures); association with criminal justice; vendor incompatibility; hampered by temporary physical injury
Usability (typical applications): IS access control; physical access control; automotive

Fingerprint sensor types:

Optical
Strengths: Most proven over time; temperature stable
Weaknesses: Large physical size; latent prints (residual prints left on the platen); CCD coating erodes with age; durability unproven

Silicon
Strengths: Small physical size; cost is declining
Weaknesses: Requires careful enrollment; unproven in sub-optimal conditions

Ultrasound
Strengths: Most accurate in sub-optimal conditions
Weaknesses: New technology, few implementations; unproven long-term performance

Voice
Strengths: Good user acceptance; low training; microphone can be built into PC or mobile device
Weaknesses: Unstable over time; changes with illness, stress or injury; different microphones generate different samples; large template, unsuitable for one-to-many identification
Usability (typical applications): Mobile phones; telephone banking and other automated call centers

Signature
Strengths: High user acceptance; minimal training
Weaknesses: Unstable over time; occasional erratic variability; changes with illness, stress or injury; enrollment takes time
Usability (typical applications): Portable devices with stylus input; applications where a "wet signature" would ordinarily be used

Face
Strengths: Universally present
Weaknesses: Cannot distinguish identical twins; religious or cultural prohibitions
Usability (typical applications): Physical access control

Hand
Strengths: Small template (approximately 10 bytes); low failure-to-enroll rate; unaffected by skin condition
Weaknesses: Physical size of acquisition device; physical contact required; juvenile finger growth; hampered by temporary physical injury
Usability (typical applications): Physical access control; time and attendance

Retina
Strengths: Stable over time; uniqueness
Weaknesses: Requires user training and cooperation; high user resistance; slow read time; dependent on a single vendor's technology
Usability (typical applications): IS access control, especially for high-security government agencies; physical access control (same as IS access control)
Comparison of Different Biometric Technologies

Promise that Biometrics hold for Privacy

Increased security

A biometric cannot be lost, stolen or forgotten; it cannot be written down and obtained by social engineering. The caveat a deployer must weigh: unlike a password, a biometric cannot be changed or reissued, so a compromised template database is a permanent loss and must be protected accordingly.

By implementing biometrics, organizations can positively verify users' identities, improving personal accountability.

In conjunction with smart cards, biometrics can provide strong security for Public Key Infrastructure (PKI): the biometric unlocks the private key held on the card, in place of or in addition to a PIN.

Perils that Biometrics hold for Privacy

Privacy is one of the leading inhibitors of biometric technology. Main issues:

Misuse of data

Health/Lifestyle: Some biometric data reveals information beyond the purpose for which it was collected; health conditions such as AIDS have been cited as an example. Is a person able to control the information gathered about himself/herself?

Function creep

Law enforcement: The template database may be made available to law enforcement.

Credit reporting: The template database may be cross-referenced by a credit reporting agency against other databases, including those held by hospitals and police departments.

Future Trends in Biometrics

Body odor: Body odor can be digitally recorded for identification. A British company, Mastiff Electronic System Ltd., is working on such a system.

DNA matching: This is the ultimate biometric technology, able to produce proof-positive identification of an individual (with the same limitation as face recognition: identical twins share their DNA).

Keystroke dynamics: Keystroke dynamics, also referred to as typing rhythms, is a behavioral biometric that verifies a user from the timing of keystrokes rather than from what is typed.

Conclusion

1. All authentication methods are prone to errors. Nevertheless, reliable user authentication must ensure that an attacker cannot masquerade as a legitimate user.

2. A biometric is uniquely bound to an individual and may offer organizations a stronger method of authentication.

3. Biometric systems are not foolproof; they can be compromised by:

   submission of another person's biometric

   submission of the enrollee's biometric while the enrollee is under duress or incapacitated

4. A prudent balance between security and privacy needs to be achieved.