Universal BioSys: A literature review


Nov 2, 2013

De Silva S. M. R. P., Weerasinghe P. W. H. D., Bandara H. M. N. D.

Supervised by Dr. De Silva C. R.

1.0 Summary

The literature review was done mainly as a feasibility study to come up with a third-party identification and verification system that any application in a networked environment could use to identify (or verify) its users based on biometrics technologies. This review has four main parts: an introduction, previous developments related to the project, technologies that are suitable and planned to be used during the development, a brief introduction to the proposed development, and finally figures and tables corresponding to all the sub-sections in the review.

There was no exact match to Universal BioSys, but there were several products which, when integrated together, could support most of the features in BioSys. However, there was one product quite similar in functionality, but it deviates from the technologies that will be used in our product.

Review work was carried out based on certain identified sub-sections in the technologies that will be used in implementing Universal BioSys. The entire project depends on the integration of the different biometric technologies and the use of the BioAPI to serve those technologies. A survey of biometric technologies was carried out based on the physical and behavioral characteristics of user identity. BioAPI is the main technological sub-section in the project, since all the identification, verification, enrolment and other important procedures will be carried out according to the BioAPI standard.

Universal BioSys will be a combination of various technologies; therefore it is important to have high interoperability among them. Significant attention was put into the study of standards to ensure the support and acceptance of a majority of biometrics standards and technologies.

Universal BioSys expects to use all the relevant cutting-edge technologies. Web services are a new way of performing method calls over HTTP which immensely simplifies the communication needs. Microsoft C# Web Services has been selected since it supports all the development needs.

Since Universal BioSys is a third-party user identity system, it has to be aware of current security vulnerabilities and in-depth security aspects. Web Service security is one aspect when it comes to making sure the communication between the service and the client is secure. A VPN is another solution to secure the communication between the service provider and the client.



2.0 Introduction

The project goal is to come up with a third-party identification (or verification) system that any application (in a networked environment) could use to identify (or verify) its users based on biometrics. The biometric server detects and manages the biometric devices in the network, relieving the applications from the technical complexities of the underlying biometrics. This solution would allow seamless many-to-many mapping between biometric devices and applications.

The system is also concerned with adapting to industry standards, policy enforcement, defense-in-depth, real-time monitoring, high availability, secure communication and, most importantly, ease of management and administration.

The Biometric Server is a complete implementation of the BioAPI 1.1 framework which consists of: an engine that runs as an independent server process, which coordinates any application requesting services and manages the biometric devices; and an Administration console where parameter setting (FAR, FRR), construction of the device hierarchy, policy enforcement and real-time monitoring is done.

The Biometric Client is a combination of the physical device (that extracts the biometric data), interfacing software (API), image processing algorithm and a software component for the client-server communication and the user interface.

BCB Generator (BioAPI Compliant BSP Generator) is an automated tool that generates fully BioAPI-compliant BSPs for non-standard biometric devices, given specific device information (device interfacing source code).

A demo is required to demonstrate the functionality of the Biometric Server and the communication process. Therefore the following will be developed: a BSP for a web cam, which is a simple BSP to demonstrate the client portion, and a networked application that makes use of the entire solution.



3.0 Previous Developments

3.1 The Independent Security Server by Info Data, Inc.

Provides means to identify a person based on any biometric characteristic (i.e. fingers, face, eyes, palm, voice, or handwriting). Furthermore, it provides statistics of user activity as a value-added service.

They have developed BSP libraries for all the popular products, therefore it is compatible with all major biometric scanners. Hence users have to rely on Info Data, Inc. to provide compatibility with whatever biometric device they buy. On the other hand, the Universal BioSys solution is very versatile: the customer can just plug in any BioAPI-compliant device and use it without our intervention. Due to this, the Independent Security Server is not as scalable or portable as Universal BioSys. Refer to Figure 2.

3.2 BioLink's Biometric Authentication Suite (BAS)

This suite supports only fingerprint identification, but it gives an insight into the operations of a typical authentication server. The strength of BioSys is not just that it supports many biometric devices or any form of application, but that it provides nearly everything required for an enterprise security solution. BAS has incorporated rules-based user management and remote administration of the server, all of which is addressed by BioSys. See Figure 3 for a sample network enabled with BioLink BAS.

3.3 IBM's Conversational Biometrics Server (CBS)

The major focus of CBS is acoustic text-independent speaker recognition (acoustic verification). It is designed for telephony environments where speech applications are prevalent (but its design is extensible to other environments as well). In addition, their focus is on the CB Policy Manager (CBPM), which is of importance to the BioSys policy design. The policy manager is designed to verify users on a multitude of biometric and knowledge features.

3.4 The WhoIsIt biometric server for E-commerce

This is basically an application server hosted on the Internet where a client system sends a biometric template to be verified. On success, any secret (payload) that is stored for that particular user can be retrieved. An asymmetric crypto algorithm provides secure communication. The WhoIsIt biometric server needs to be aware of the underlying technologies, and the users are restricted to the vendors in commercial agreement with them. Therefore this is not as scalable or flexible as BioSys, but it has a quite mature design and implementation in deploying biometric services through the Internet. As Universal BioSys is also hoping to make the system operational in any network, be it Internet or intranet, a study of this is very useful.



4.0 Available Technologies

4.1 Biometrics

4.1.1 Introduction

Biometrics is an open-ended set of technologies based on the measurement of some unique physical characteristics of an individual for the purpose of identifying an individual or verifying identity. Biometrics is considered to be the most secure and convenient authentication technology (public acceptance may differ based on cultures and physical inabilities).

It cannot be borrowed, stolen, or forgotten, and forging is considered to be practically impossible. This technology measures individuals' unique physical or behavioral characteristics to recognize their identity. Physical characteristics include fingerprints, hand geometry, retina, iris, and facial characteristics. Behavioral characteristics include signature, voice (which also has a physical component), lip movement, keystroke pattern, and gait.

As people search for more secure authentication methods for user access and security applications, biometrics has got the top attention. Choosing the relevant biometrics technology is important, but there is no one best solution. Different applications require different technologies, which is where Universal BioSys has the capability of attaching any type of biometric device to the system according to the security requirement, public acceptance and, most importantly, price/performance factors.

4.1.2 Current Technologies

4.1.2.1 Finger Print

A fingerprint looks at the patterns found on a fingertip, where that unique pattern does not change with the age of the person. Fingerprint is considered to be the most widely used technology because it allows acceptable security at a reasonable price. Figure 1 illustrates some of the biometrics technologies.

Fingerprint verification is a good choice for in-house systems, where users can be given sufficient explanation and training. Future workstation access will most likely depend on fingerprints, due to the relatively low cost, small size, and ease of integration of devices.

4.1.2.2 Hand Geometry

Hand geometry analyzes and measures the shape of the hand. Individual hand features are not descriptive enough for identification, but verification is done with a method of combining various individual features to reach robust verification. This is considered to be the most convenient technology, with comparatively low cost.

4.1.2.3 Retina

This technology involves analyzing the layer of blood vessels situated at the back of the eye, using a low-intensity light source through an optical coupler to scan the unique patterns of the retina. Retinal scanning can be quite accurate but requires users to look into a receptacle and focus on a given point. This method is not particularly convenient in situations where the user wears glasses or is anxious about having close contact with the device.

4.1.2.4 Iris

An iris biometric technology analyzes features found in the colored ring of tissue that surrounds the pupil. Iris scanning, undoubtedly the less intrusive of the eye-related biometrics, uses a fairly conventional camera element and does not require close contact with the reader. Iris biometrics work with glasses in place and is one of the best devices that work in identification mode.

4.1.2.5 Face Recognizer

Face recognition analyzes facial characteristics. It requires a digital camera to develop a facial image of the user for authentication. Another variation of face recognition is the IR (infrared) image of a face (using an IR camera rather than a conventional one), which tries to compare the temperature differences in the human face. The face recognizer is one of the highly used techniques, mainly due to its simplicity, non-intrusiveness and low cost.

4.1.2.6 Signature

Signature verification analyzes the way a user signs his/her name. Such systems measure features such as speed, velocity, acceleration and pressure, and also the finished signature's static shape. Signature verification devices are reasonably accurate in operation and obviously lend themselves to applications where a signature is an accepted identifier. This technology belongs to the category of behavior-based detection. The problem with such systems is that they require more processing power and memory.

4.1.2.7 Voice

This also belongs to the category of behavior-based systems, which measure the frequency characteristics of an individual when he/she speaks a predefined word.

4.1.2.8 Combined Technologies

In order to have better security, certain systems allow a combination of biometric characteristics to be checked at the same time. There are systems already available that use face recognition, voice and lip movement at the same time.


4.1.3 Use of Biometrics

Security systems use biometrics for two essential purposes: to verify and to identify users (identification is a unique feature in biometrics). The biometric technology that a security system employs depends on what the system is protecting and what it is trying to protect against.

Many highly secure environments have used biometric technology for access control. Today, the primary application of biometrics is in physical security: to control access to secure locations (rooms or buildings). Unlike photo identification cards, which a security guard must verify, biometrics permits unmanned access control. Biometrics is useful for high-volume access control.

Biometrics allows overcoming the problems of weak and forgotten passwords and lost or stolen crypto cards by making sure no password or physical identifier has to be carried. Biometrics allows releasing a key as a payload, which is more secure and convenient than protecting a conventional key. Table 1 compares various biometric technologies under various requirements.

4.1.4 Applications and Products

Biometrics is a rapidly evolving technology; initially it was more widely used in forensics than in access control. Recent advancements in biometric sensors and matching algorithms have led to the deployment of biometric authentication in a large number of civilian applications. Biometrics can be used to prevent both unauthorized physical and virtual access.


4.2 Standards

4.2.1 Introduction

Any new technology undergoes a lot of changes within a very short period of time after its introduction, resulting in many devices under various vendor names (with various distinct and common features). After some time there will be a whole lot of standalone products, or groups of products that work together, from the same vendor. However, from the users' perspective, they would like to mix different vendor products with different features.

Lack of standards among those devices and variations of the technology will not allow them to be interoperable. Integration is a huge problem when it comes to biometrics; this is the main reason which is holding back the market. It has to become a fully integrated component within a complex enterprise network.

Another problem is the integration of different biometric technologies. No organization would be ready to install either fingerprint or iris recognition systems all over its premises and PCs. What they need is a combination of different technologies (face, voice, fingerprint, iris, etc.) that satisfies different security requirements while minimizing the total cost of ownership.

To minimize the risk of interoperability problems and improve the usability of devices and services, industry standards for biometrics are needed. A lot of effort is going on to introduce standards, and some of the standards are already established and well accepted by the industry.


4.2.2 Current Standards

Figure 4 illustrates the biometrics architecture, the various standards that are currently being accepted in the industry and the levels at which they are defined.

4.2.2.1 Standards for Application Developers

These are the standards provided by the biometric device developers (Biometric Service Provider, BSP) to the application developers. Most vendors tend to present their own SDKs for the application developers who want to make use of their products in applications. Although the devices are cheap, these SDKs cost a lot, and developers need to learn a new SDK when they go for a different vendor.

BioAPI is a standard developed by the BioAPI Consortium, and this is the most basic standard that any device should support (BioAPI is accepted as an ANSI standard under ANSI INCITS 358-2002). BioAPI is supposed to overcome the problem of vendor-dependent SDKs and technology dependence. Section 4.3 will discuss BioAPI in more detail. A BIR (Biometric Identification Record) is a set of data that is exchanged between the BSP and the application.

4.2.2.2 Standards for Secure Communication and Financial Services

BioAPI only defines how a BSP and applications should communicate; it does not define issues related to biometric information management and security. A separate layer is added between the BSP and the application to support secure communication and for applications that require higher security (secure remote electronic access, physical access for the financial services). The encryption is supported by the Cryptographic Security Provider.

X9.84 is one of the X9 standards defined by the Accredited Standards Committee (accredited by ANSI). X9 develops and publishes voluntary, consensus technical standards for the financial services industry. The X9.84 standard defines, using the ASN.1 (Abstract Syntax Notation) language, a rich set of messages that are able to carry biometric data in a secure way. The standard also defines many concepts and procedures for the creation of a secure biometric system. The message formats specified by X9.84 are more flexible than the BioAPI data format (they allow a richer description of the biometric data that they carry, and are extensible). Moreover, the X9.84 standard addresses the issues of integrity and privacy of biometric samples and templates by providing several different security mechanisms among which the user can choose. The problem is that X9 standards are not freely available.

4.2.2.3 Standards for Exchanging Biometric Data

It was not just enough to communicate with different vendors for their services. There were requirements to use captured biometric data among different systems. This is really essential in situations like the following: when the USA wants all outsiders' fingerprints to be checked at the airport, it would be much easier to reuse fingerprints that were captured in those passengers' motherlands.

To overcome the above issue, the Common Biometric Exchange File Format (CBEFF) was introduced. It defines things like the length and width of the image, scanner resolution, structure of the file, etc. CBEFF is also an ANSI standard.

Today XML plays a big role in representing both data and metadata. Improving this idea further, an XML standard called XML Common Biometric Format (XCBF) has been introduced specially for biometric data that is being transferred through the Internet. XCBF is a common set of secure XML encodings for the formats specified in CBEFF. XCBF allows the use of biometrics in Web Services with the help of the WSS (Web Service Security) specification.



4.3 BioAPI

4.3.1 Introduction

The BioAPI Consortium was formed to develop a widely available and accepted API (Application Programming Interface) to serve various biometric technologies. The outcome is the BioAPI specification/standard.

In a nutshell, the BioAPI standard is a "framework" in which biometric software components (BSPs) are installed and advertise their capabilities by means of a standard registration mechanism, and the functionality they implement is made accessible to "biometric applications" via an application-programming interface.


4.3.2 Scope

The BioAPI is two-fold:

- Application Programming Interface (API)
- Service Provider Interface (SPI)

The API does not address security requirements for biometric applications and service providers, but recommendations are provided on using the API to support good security practices. X9 standards are supposed to address such issues.


4.3.2.1 Application Programming Interface

The API provides a set of abstract functions necessary to an application for biometric authentication, hence hiding as much as possible of the unique characteristics of individual biometric technologies, vendor implementations, products and devices.

Therefore, to the extent possible, the amount of optional functionality is kept to a minimum. The major optional function is Identify; the database capability is also optional and is in the interface primarily to allow the BSP to manage large populations for identification.


4.3.2.2 Service Provider Interface

The Service Provider Interface (SPI) is the programming interface that a BSP must manifest in order to plug into the BioAPI framework. The SPI is almost a one-to-one mapping of the BioAPI down to the BSP. The framework is the intermediary that routes API calls down to the corresponding SPI of the attached BSP. There are certain API functions without a corresponding SPI function; these are handled by the framework.


4.3.3 Biometric Technology

All types of biometric technology are based on the same basic model. In the "enrolment" process several live samples of the user are captured through a sensor, the salient features are extracted and a template is formed. Whenever authentication is required, live samples are captured, processed suitably and matched against the stored template. The algorithms used to construct a template are usually proprietary.

4.3.3.1 Primitive functions

There are 3 primitive functions in any biometric technology. As Figure 5 shows, a BSP has freedom in assigning responsibility to the primitives. Though not shown in the diagram, the manufacturer is free to put most, if not all, of the BSP responsibility in the sensing device itself.


4.3.4 The API Model

The API offers an application two fundamentally different means of access to biometrics.

4.3.4.1 Primitive functions

The BioAPI presents the primitive functions, i.e. capture, process, etc. The fact that the functionality of these functions varies from one BSP to another introduces an element of unpredictability. Hence an application may get different responses when the primitive functions of the BioAPI are called. Furthermore, the portability of an application from one BSP to another is also questionable.

Then comes the question whether a BSP has the primitive function separation at all; instead it may offer the "verify" service or the "identification" service as one inseparable service.

Hence a lot of thought was given to making primitive functions compulsory for a BSP. It was decided that an undue burden on the manufacturers of self-contained devices (where processing/matching is performed within the device itself) is not justifiable. Therefore, these functions are not considered compulsory for BSPs to be "BioAPI compliant". However, if the underlying technology supports them, the BSP should try to include those.

4.3.4.2 The solution: abstract functions

There are three principal high-level abstraction functions in the API:

1) Enroll: Samples are captured from a device and processed, a template is constructed from them, and the template is returned.

2) Verify: Samples are captured, processed, and then matched against a given (stored) template. The success or failure and the quality of the match is returned.

3) Identify: Samples are captured, processed and matched against a set of templates. A list is returned with the closeness of the top candidates.

These 3 functions are made compulsory for each BSP. Therefore a BSP can use any combination of capturing, processing or matching, which is irrelevant to the BioAPI, as each BSP abstracts those complexities and provides the enroll, verify and identify functions.


4.3.5 Distributed (Client/Server) BSP

The API allows the processing to be shared between the client machine (where the biometric devices are attached) and servers. There are several reasons why a BSP favors processing and matching taking place on a server:

1. The algorithms will execute in a more secure environment.

2. The client PCs may not have sufficient processing power to run the algorithms well.

3. The user database and the resources that it protects may be on a server.

4. Identification over large populations can only reasonably be done on a server.


4.3.5.1 BioAPI support for Distributed BSP using the abstract functions

4.3.5.1.1 Streaming Callbacks

A callback function is a communication means an application offers to BSPs, and with Streaming Callbacks the service provider can stream data to the application in the form of a sequence of protocol data units (messages).

It is the responsibility of the application (client/server) to provide a streaming interface for the client and server BSPs. The Verify, Identify and Enroll functions are split into several functions across the client and server BSPs through the streaming interface. These functions may be driven from either the client or the server, as decided by the client/server application.

Only the driving BSP can use the Streaming Callback to deliver a message to its partner BSP. On the other hand, the partner application uses the Stream Input/Output function to deliver messages to the partner BSP and to obtain a return message. The driving application delivers the return message by returning from the Streaming Callback. Figure 6 illustrates the server application driving the authentication.
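The exchange described above, with the server application driving a Verify, as an added Python simulation. This is not code from the review or from the BioAPI reference implementation; the message kinds, the in-process "channel" between the two applications and the toy distance match are assumptions made for the illustration. The point it makes visible is the one the text states: the server BSP never touches the sensor and reaches the client BSP only through the callback, so the driving application is the single place where the client/server hop (and any transport protection for it) lives.

```python
"""Simulation of the BioAPI client/server split with Streaming Callbacks.

Added example, not code from the review or the BioAPI reference
implementation. Message kinds, the in-process channel and the toy
matching (Euclidean distance between float lists) are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Message:
    """One protocol data unit exchanged between the partner BSPs."""
    kind: str
    body: Optional[List[float]] = None


class ClientBSP:
    """Runs where the sensor is attached; it captures but never matches."""
    def __init__(self, sensor: Callable[[], List[float]]) -> None:
        self.sensor = sensor

    def stream_io(self, msg: Message) -> Message:
        """Stream Input/Output: consume a message from the partner BSP and
        produce the return message."""
        if msg.kind == "CAPTURE_REQUEST":
            return Message("SAMPLE", self.sensor())
        return Message("ERROR")


class ServerBSP:
    """Holds the templates and does the matching; never touches the sensor."""
    def __init__(self, templates: Dict[str, List[float]], max_distance: float = 0.5) -> None:
        self.templates = templates
        self.max_distance = max_distance
        self.streaming_callback: Optional[Callable[[Message], Message]] = None

    def verify(self, user_id: str) -> bool:
        if self.streaming_callback is None:
            raise RuntimeError("the driving application must register a streaming callback")
        # The driving BSP may only reach its partner through the callback.
        reply = self.streaming_callback(Message("CAPTURE_REQUEST"))
        if reply.kind != "SAMPLE" or reply.body is None:
            return False
        template = self.templates[user_id]
        if len(template) != len(reply.body):
            return False
        dist = sum((a - b) ** 2 for a, b in zip(template, reply.body)) ** 0.5
        return dist <= self.max_distance


class ClientApplication:
    """Partner application: hands incoming PDUs to its BSP via Stream I/O."""
    def __init__(self, bsp: ClientBSP) -> None:
        self.bsp = bsp

    def on_message(self, msg: Message) -> Message:
        return self.bsp.stream_io(msg)


class ServerApplication:
    """Driving application: owns the link to the client application and
    implements the streaming callback its BSP calls."""
    def __init__(self, bsp: ServerBSP, client_app: ClientApplication) -> None:
        self.bsp = bsp
        self.client_app = client_app
        self.trace: List[str] = []
        self.bsp.streaming_callback = self.streaming_callback

    def streaming_callback(self, msg: Message) -> Message:
        self.trace.append(f"server -> client: {msg.kind}")
        reply = self.client_app.on_message(msg)   # a network hop in a real deployment
        self.trace.append(f"client -> server: {reply.kind}")
        return reply   # the return message is delivered by returning from the callback

    def verify_user(self, user_id: str) -> bool:
        return self.bsp.verify(user_id)


def run_verification(user_id: str, live_sample: List[float]) -> Tuple[bool, List[str]]:
    """Wire up both halves with constructed data and drive one Verify from the server."""
    templates = {"alice": [1.0, 2.0, 3.0]}          # constructed enrolment data
    client_app = ClientApplication(ClientBSP(lambda: list(live_sample)))
    server_app = ServerApplication(ServerBSP(templates), client_app)
    return server_app.verify_user(user_id), server_app.trace


if __name__ == "__main__":
    print(run_verification("alice", [1.0, 2.0, 3.1]))
```

The trace returned by run_verification records exactly one request and one reply crossing the application boundary per Verify, which is the sequence the text attributes to the Streaming Callback and Stream Input/Output functions.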


4.3.5.2 BioAPI support for Distributed BSP using the primitive functions

The primitive functions are called in the proper sequence on client and server. Therefore the application is responsible for sequencing and synchronizing, in short for handling the client/server protocol.


4.3.6 Other important areas of the BioAPI specification

4.3.6.1 Quality indices

Any two samples of the same user are not identical, and a template is not a precise representation of a user. Therefore, the results of any matching of samples against a stored template cannot be a foolproof (100%) match and can only be expressed in terms of probability.

FAR - False Acceptance Ratio is the probability of samples being falsely matched with the presented template.

FRR - False Reject Ratio is the probability that samples are falsely rejected.

BioAPI lets the application have some control over the quality of matching. The application can request a maximum FAR value (a limit on the probability of a false match) and an optional maximum FRR value. The BSP vendor maps its internal scoring structure to the FAR values.
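A worked example of the two indices and of the vendor-side mapping the last sentence describes, added here as Python; it is not code from the review or from any BioAPI product. The score lists are constructed for the example (a vendor derives them from test data), and scores are assumed to lie in [0, 1] with higher meaning a closer match. It shows why an application that requests a very small maximum FAR pays for it in FRR, and why a request for both a maximum FAR and a maximum FRR can be impossible to satisfy.

```python
"""FAR/FRR from match scores, and mapping a requested max FAR to a threshold.

Added illustration, not code from the review or from a BioAPI product.
The score lists are constructed; scores are assumed to be in [0, 1].
"""
from typing import List, Optional, Tuple

# Constructed sample data: match scores of genuine attempts (same user as the
# stored template) and impostor attempts (a different user).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.67, 0.86, 0.93, 0.79]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.08, 0.55, 0.22, 0.75, 0.30, 0.18, 0.47]


def far(impostor_scores: List[float], threshold: float) -> float:
    """False Acceptance Ratio: fraction of impostor attempts scoring at or
    above the threshold, i.e. wrongly accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores: List[float], threshold: float) -> float:
    """False Reject Ratio: fraction of genuine attempts scoring below the
    threshold, i.e. wrongly rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def threshold_for_max_far(impostor_scores: List[float],
                          genuine_scores: List[float],
                          max_far: float,
                          max_frr: Optional[float] = None) -> float:
    """Emulate the vendor-side mapping: pick the lowest score threshold whose
    FAR does not exceed max_far (lowest, so FRR stays as small as possible)
    and honour an optional maximum FRR requested by the application.
    Raises ValueError when no threshold satisfies the request."""
    candidates = sorted(set(impostor_scores) | set(genuine_scores))
    for t in candidates:
        if far(impostor_scores, t) <= max_far:
            observed_frr = frr(genuine_scores, t)
            if max_frr is not None and observed_frr > max_frr:
                raise ValueError(
                    f"threshold {t} meets FAR <= {max_far} but FRR {observed_frr:.2f} > {max_frr}")
            return t
    raise ValueError(f"no threshold meets FAR <= {max_far}")


def operating_point(max_far: float) -> Tuple[float, float, float]:
    """(threshold, FAR, FRR) on the constructed data for a requested max FAR."""
    t = threshold_for_max_far(IMPOSTOR_SCORES, GENUINE_SCORES, max_far)
    return t, far(IMPOSTOR_SCORES, t), frr(GENUINE_SCORES, t)


if __name__ == "__main__":
    for requested in (0.2, 0.1, 0.0):
        t, a, r = operating_point(requested)
        print(f"max FAR {requested:.1f}: threshold {t:.2f}, FAR {a:.1f}, FRR {r:.1f}")
```

On the constructed data, tightening the requested FAR from 0.1 to 0.0 pushes the threshold past the highest impostor score and starts rejecting genuine users, which is the trade-off an administrator setting FAR/FRR in the console described in Section 2.0 has to balance.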



4.3.6.2 BIR - Biometric Identification Record

Refers to any biometric data that is returned to the application (raw data, intermediate data, processed samples, etc.). The only permanent BIR is the template. See Figure 7.


4.3.7 Payload

The BioAPI allows a template to be closely bound to any useful data (e.g. a cryptographic key), which could be released upon successful verification.
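The framework routing of 4.3.2.2, the three compulsory abstraction functions of 4.3.4.2 and the payload binding of this section, modelled together as one added Python example. This is not code from the review or from the BioAPI reference implementation; everything about the toy BSP is an assumption made for the illustration (a sample is a list of floats, the template is their average, the match score is 1/(1+distance), and the score threshold is fixed rather than derived from a requested FAR). The registry dictionary stands in for the Module Registry of 4.3.10, and the BSP-side database keyed by user ID mirrors 4.3.8.

```python
"""Toy model of the BioAPI framework: API calls routed to a BSP's SPI,
the Enroll/Verify/Identify abstraction functions, and a payload bound to
the template that leaves the BSP only on a successful Verify.

Added example, not code from the review or the BioAPI reference
implementation. The toy BSP (float-list samples, averaged template,
1/(1+distance) score, fixed threshold) is an assumption throughout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Sample = List[float]


@dataclass
class BIR:
    """Biometric Identification Record: the template plus any bound payload."""
    template: Sample
    payload: Optional[bytes] = None


class FakeSensor:
    """Stands in for the physical device; callers set what it 'captures'."""
    def __init__(self, sample: Sample) -> None:
        self.sample = sample

    def capture(self) -> Sample:
        return list(self.sample)


class ToyBSP:
    """One Biometric Service Provider exposing the SPI. The capture/process/
    match primitives are separated here for clarity; BioAPI 1.1 only makes
    the three SPI functions below compulsory."""
    MATCH_THRESHOLD = 0.8   # assumed fixed score threshold for this toy BSP

    def __init__(self, name: str, sensor: FakeSensor) -> None:
        self.name = name
        self.sensor = sensor
        self._db: Dict[str, BIR] = {}   # BSP-managed database keyed by user ID

    def _process(self, samples: List[Sample]) -> Sample:
        n = len(samples)
        return [sum(s[i] for s in samples) / n for i in range(len(samples[0]))]

    def _match(self, template: Sample, sample: Sample) -> float:
        dist = sum((a - b) ** 2 for a, b in zip(template, sample)) ** 0.5
        return 1.0 / (1.0 + dist)

    def spi_enroll(self, user_id: str, payload: Optional[bytes] = None,
                   n_samples: int = 3) -> BIR:
        samples = [self.sensor.capture() for _ in range(n_samples)]
        self._db[user_id] = BIR(self._process(samples), payload)
        return self._db[user_id]

    def spi_verify(self, user_id: str) -> Tuple[bool, float, Optional[bytes]]:
        bir = self._db[user_id]
        score = self._match(bir.template, self.sensor.capture())
        ok = score >= self.MATCH_THRESHOLD
        return ok, score, (bir.payload if ok else None)   # payload only on success

    def spi_identify(self, max_results: int = 3) -> List[Tuple[str, float]]:
        sample = self.sensor.capture()
        scored = [(uid, self._match(bir.template, sample)) for uid, bir in self._db.items()]
        scored.sort(key=lambda item: item[1], reverse=True)
        return [(uid, s) for uid, s in scored if s >= self.MATCH_THRESHOLD][:max_results]


class Framework:
    """The intermediary: holds the module registry and routes each API call
    down to the SPI of the BSP the application named."""
    def __init__(self) -> None:
        self.registry: Dict[str, ToyBSP] = {}   # stands in for the Module Registry

    def register(self, bsp: ToyBSP) -> None:
        self.registry[bsp.name] = bsp

    def enroll(self, bsp_name: str, user_id: str, payload: Optional[bytes] = None) -> BIR:
        return self.registry[bsp_name].spi_enroll(user_id, payload)

    def verify(self, bsp_name: str, user_id: str) -> Tuple[bool, float, Optional[bytes]]:
        return self.registry[bsp_name].spi_verify(user_id)

    def identify(self, bsp_name: str) -> List[Tuple[str, float]]:
        return self.registry[bsp_name].spi_identify()


def demo() -> dict:
    """Enrol two users on the toy BSP, then verify and identify with constructed samples."""
    sensor = FakeSensor([0.0, 0.0])
    fw = Framework()
    fw.register(ToyBSP("toy-cam", sensor))
    fw.enroll("toy-cam", "alice", payload=b"alice-secret-key")
    sensor.sample = [3.0, 4.0]
    fw.enroll("toy-cam", "bob")
    sensor.sample = [0.1, 0.0]                      # close to alice's template
    ok, score, payload = fw.verify("toy-cam", "alice")
    sensor.sample = [3.0, 3.9]                      # close to bob's template
    candidates = fw.identify("toy-cam")
    sensor.sample = [1.5, 2.0]                      # far from both templates
    impostor_ok, _, impostor_payload = fw.verify("toy-cam", "alice")
    return {"verify_ok": ok, "verify_score": round(score, 3), "payload": payload,
            "identify": [uid for uid, _ in candidates],
            "impostor_ok": impostor_ok, "impostor_payload": impostor_payload}


if __name__ == "__main__":
    print(demo())
```

The application never sees the BSP's internal scoring or primitives; it only calls the framework, which forwards to whichever BSP is registered under that name, and the bound payload is returned by the BSP itself only when its own match succeeds, never held by the application beforehand.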


4.3.8 User databases

The BioAPI is not responsible for managing user databases; only applications do that. In most cases, the user database may already exist before the introduction of biometrics (e.g., a database of bank accounts, the user registry in a network domain), and the biometric application simply associates a biometric template with each user in the database. It is important that the application maintain control over who can access this database.

But some biometric devices may offer embedded databases. Then the application should make any necessary association between the BSP's database(s) and the user database(s). To assist in this, each entry in a BSP database has a User ID associated with it.

4.3.8.1 Binning

Identification BSPs may optionally support methods to improve response time in identification, and the BSPs must post whether or not they support binning.


4.3.9 User interface

Most biometric service providers come with built-in user interfaces, which are often sufficient for most purposes. The API, however, provides functions for the application to control the "look and feel" of this user interface, primarily through callbacks offered by the service provider.

4.3.10 Module Registry

All the configuration data of both the framework and the installed BSPs are posted in the BioAPI module registry. Applications can search the Module Registry to determine if the BioAPI framework has been installed, and to determine what BSP devices have been installed and their capabilities. The BioAPI module registry is designed to be platform independent.

4.3.11 BioAPI reference implementation

A reference implementation (framework software) of BioAPI Specification version 1.1 is available for both Windows and Linux platforms. It is still in a testing phase, where certain modules are not fully tested and well stabilized.



4.4 Web Services and Web Service Security

4.4.1 What is a Web service?

A Web service is a new way of performing remote method calls over HTTP that can make use of SOAP (Simple Object Access Protocol). SOAP simplifies matters immensely. This technology is an XML-based standard that details how method calls may be made over HTTP in a reproducible manner. A remote SOAP server is capable of understanding these calls and performing the work, such as instantiating the required objects, making the call, and returning a SOAP-formatted response to the client.

Web services can be completely described using WSDL (Web Service Description Language), allowing dynamic discovery of web services at run time. WSDL provides a description of all methods (along with the types required to call them) using XML and XML schemas.


4.4.2 AXIS

AXIS is an open source SOAP engine, which is a framework for constructing SOAP processors such as clients, servers, gateways, etc. Simply put, it is also a web service. The current version of AXIS is written in Java. AXIS isn't just a SOAP engine; it also includes a server which plugs into servlet engines such as Tomcat, and support for the Web Service Description Language (WSDL). JBuilder 8 and upwards comes with AXIS support, where deployment and client-side stub creation can be done using the JBuilder IDE.

During a survey of AXIS it was found that the current AXIS version cannot pass vector data types inside a SOAP message, and it also gives errors when passing 16 distinct array types. The next AXIS version, MORA-AXIS, is complete with arrays but doesn't support vector transmission.

4.4.3 WASP

WASP (Web Applications and Services Platform) is a platform-independent, standards-based set of products for building Java and C/C++ Web services. WASP is a commercial web service product where a license has to be obtained from Systinet. WASP Server for Java is supported by WASP Developer, a free suite of development tools that extend the most popular IDEs to support Web services creation and deployment.

There are no errors in transmitting vector or array objects through SOAP messages in WASP, unlike in AXIS. However, developers have to get a WASP license before use.


4.4.4 C# Web service

The .NET framework allows overcoming all the difficulties mentioned above. The combination of C# and .NET allows a range of techniques on the server side; the client side could be any platform that has HTTP access to the server.

There were no errors found for data types such as bit arrays, datasets, and other object types. When changing the server side, just compiling the method is enough to effect the changes on the server; no deployment is needed, and the client can simply add the web reference to obtain the changed methods.


4.
4
.5

D
ata transmission in C#
W
eb
S
ervice
s


SOAP is an XML
-
based protocol that provides a way of encoding and wrapping data for transmission across a
network. SOAP can communica
te with any XML Web service, even
with a
one not developed
or

running on the
Microsoft .NET platform and also SOAP supports complex data type

encoding
. The structure and syntax of SOAP
is

simple but
when it is manually
encode
d

with
complex data can result
in
a
long and confusing XML document.
C
reating and processing SOAP messages is a tedious and error prone process.


Proxy classes remove the need for the developer to work with SOAP messages directly. A proxy is a .NET framework class with methods that represent the functionality exposed by a Web service. Each proxy method takes the same number and types of arguments and returns the same data type as its Web service equivalent.


When invoking the Web service's functionality, a client application calls the proxy class method. The proxy class handles all communications with the Web service and returns the response it receives from the service. To the client application, the XML Web service invocation appears to be a local method call, while in reality the call could be serviced by a Web service anywhere on the Internet.
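To show what a proxy class hides, here is an added Python example (not code from the review) that hand-encodes a SOAP request carrying a byte array and a vector, then parses it back with strict base64 validation; the service namespace and the Verify operation are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# Added example, not from the review. The service namespace and the Verify
# operation are hypothetical; only the SOAP 1.1 envelope namespace is real.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/biosys"   # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("bio", SVC_NS)


def build_verify_request(user_id, template, scores):
    """Hand-encode a request carrying a byte array and a vector of floats.

    A binary biometric template cannot travel as raw bytes inside XML, so it
    is base64-encoded (xsd:base64Binary); a vector becomes one child per item.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}Verify")
    ET.SubElement(op, f"{{{SVC_NS}}}userId").text = user_id
    ET.SubElement(op, f"{{{SVC_NS}}}template").text = base64.b64encode(template).decode("ascii")
    vec = ET.SubElement(op, f"{{{SVC_NS}}}scores")
    for score in scores:
        ET.SubElement(vec, f"{{{SVC_NS}}}item").text = repr(float(score))
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_verify_request(xml_bytes):
    """Decode the same message on the receiving side; reject malformed content early."""
    root = ET.fromstring(xml_bytes)
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}Verify")
    if op is None:
        raise ValueError("SOAP body does not contain a Verify operation")
    user_id = op.findtext(f"{{{SVC_NS}}}userId")
    b64 = op.findtext(f"{{{SVC_NS}}}template")
    if user_id is None or b64 is None:
        raise ValueError("userId and template are required")
    template = base64.b64decode(b64, validate=True)   # strict: stray characters are an error
    scores = [float(item.text) for item in op.findall(f"{{{SVC_NS}}}scores/{{{SVC_NS}}}item")]
    return user_id, template, scores
```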


4.4.6 Web service security

Two key security principles are available for Web services: authentication and authorization. Authentication is the process of validating an identity based on credentials, and authorization determines whether the identity is authorized to access a resource.


Web services created using .NET can choose security options from the authentication and authorization options offered by .NET, or customized SOAP-based security. Microsoft .NET operates in combination with Internet Information Services (IIS) to provide a number of authentication and authorization options, and .NET also offers the capability to execute the request using the credentials of the client.


Web services created using .NET have several options for authenticating clients, and developers have to select the correct security option according to the required level of security and performance. It is important to encrypt client credentials when they travel over a network, so an encryption algorithm is highly necessary in Web services.


The following authentication options are available to Web services built using .NET:

- Credentials are sent as base 64-encoded strings in plain text. Passwords and user names are encoded, but not encrypted.

- Clients are securely identified on the Internet. The messages are sent over the network using Secure Sockets Layer (SSL) encryption, rather than as plain text. This is relatively easy to configure and works in the above situations, but the use of SSL degrades performance.

- Clients are securely identified on the Internet and intranet. Each client needs to obtain a certificate from a mutually trusted certificate authority. Certificates are mapped to user accounts, which are used by IIS for authorizing access to the Web service.
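As an added illustration (not code from the review or the .NET framework), the following Python separates the two principles named at the start of this section and applies the rule the SSL option implies: Basic credentials are only decoded once the transport is TLS. The user store, salt and resource list are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac

# Added example, not code from the review. The user store, salt and resource
# ACL are constructed; a real .NET service would delegate these to IIS/.NET.
_SALT = b"constructed-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


_USERS = {"console": _hash_password("example-pass")}                          # constructed
_ACL = {"/engine/enrol": {"console"}, "/engine/verify": {"console", "kiosk"}}  # constructed


def make_basic_header(user, password):
    """Client side: Basic is only base64 encoding of 'user:password', not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(header, transport_is_tls):
    """Authentication: validate the identity from its credentials.

    The credential is readable by anyone on the path, so it is accepted only
    when the request arrived over TLS (the SSL option described above).
    """
    if not transport_is_tls:
        return None
    creds = parse_basic_header(header)
    if creds is None or creds[0] not in _USERS:
        return None
    user, password = creds
    if not hmac.compare_digest(_hash_password(password), _USERS[user]):
        return None
    return user


def authorize(identity, resource):
    """Authorization: a separate decision on whether the identity may reach the resource."""
    return identity is not None and identity in _ACL.get(resource, set())
```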









4.5 Virtual Private Network

4.5.1 Introduction

In the early days of wide area networks, leased, frame relay or dial-up connections were used; these are considered to be secure but carry heavy monthly rentals. It was really expensive to interconnect branch offices and the head office (also mobile and home workers) located in different cities (trunk calls) or offshore.

With the advancement of the Internet, it became much cheaper to connect these offices, mobile users and home workers to the central office through the public Internet. It allows all forms of IP traffic through ISDN, ADSL, dial-up, cable, T1 and ATM connections. But the Internet being an open network (public path), one's privacy along it became an issue, and VPN (Virtual Private Network) was the technology suggested to overcome this. In simple terms, a VPN is a virtual private channel (or path) within a public channel. A VPN includes authentication and encryption to protect data integrity and confidentiality.


4.5.2 VPN pros and cons

- It allows interconnecting branch offices, home workers, mobile users, customers and suppliers securely, increasing trustworthiness.

- It is much more cost effective than leased or privately owned lines.

- Flexible, since it allows all forms of IP traffic.

- Scalable, given its ability to dynamically add more sites and its scalable bandwidth management.

- But nothing comes free: users need to buy special devices (dedicated VPN servers, firewalls or routers with integrated VPN support, etc.). Still, this is 30-80% lower than leased connections.

- Considerable latency.

- Requires a lot of processing power, such that client PCs could get slower, and it does not allow wire-speed performance.

- Various policies have to be defined to guard against public network security issues, and these require effective management.

- Different solutions from different vendors are still not fully interoperable.



4.5.3 Technology

Most of the time a VPN is not a point-to-point connection (other than for mobile users or home workers); as you can see in figure 8, typically it is established between two VPN gateway devices. This connection is called a VPN tunnel, and it is established with the help of tunneling protocols like IPSec, PPTP, L2TP and SOCKS. These protocols emphasize authentication and encryption in the VPN. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.


4.5.4 Protocols

PPTP - Point-to-Point Tunneling Protocol is a protocol proposed by Microsoft and heavily used in the industry due to Microsoft's domination. It is a layer-2 remote access protocol for dial-up connections which is an extension of PPP, and it allows multiple layer-3 protocols. This is a proprietary protocol and is not as strong as some of the other protocols.

IPsec - Internet Protocol Security is a collection of multiple protocols proposed by the IETF which is considered to be a complete solution. It works at layer 3 and supports multipoint tunnels. It requires key management.

L2TP - Layer Two Tunneling Protocol is a layer-2 remote access protocol which is primarily supported by Cisco products. This is a combination of PPTP and L2F (Layer 2 Forwarding); it is not as strong as IPsec and requires combination with IPsec for enterprise-level security. This is also a single point-to-point tunnel.

SOCKS - Is a protocol proposed by NEC and now considered to be a standard by the IETF which works at the application layer (layer 7). This is more suitable for client/server applications using TCP/UDP. It has better security, but since it works at the application level it reduces performance.


4.5.5 Types of VPN

Remote access VPN - Provides access to internal corporate networks over the Internet. Suitable for dial-up connections with either mobile users or home workers.

Site-to-Site VPN - Connects multiple offices over the Internet. Suitable for interconnecting branch offices and resellers.

Extranet VPN - Allows business partners to access critical information across multiple intranets. Interconnects resellers and suppliers.

Client/Server VPN - Suitable for internal applications (between the server and client PCs) which need to guard against internal attacks.






5.0 Proposed developments

Universal BioSys, being a third-party biometrics authentication/verification system which uses technology-independent biometrics while adapting to industry standards, providing defense-in-depth security and ease of management, would need to consider a whole lot of technologies in its implementation. This being in a way a research project (and a new concept), there is no exact technology that we can make use of based on experience gained through other similar products. As a result, most of the selected technologies are based either on extensive literature survey or on experience gained from other practical usages.


Universal BioSys is supposed to support all the currently known biometrics technologies and also various card reader technologies (magnetic, proximity and barcode), because in a real organization environment they cannot be neglected. Therefore an understanding of the various biometrics technologies is essential.


The main concern of Universal BioSys is to adhere to industry standards as much as possible. BioAPI plays a big role, providing a device-independent and technology-independent application program interface. BioAPI has a reference implementation which requires more enhancements and robust testing. During the implementation stage, robust testing of the BioAPI will also be done, and it will be slightly modified in such a way that it could also be used with Microsoft C# (currently it is in Microsoft Visual C++). By basing the project on the de facto standard BioAPI, BioSys will gain wider acceptance, portability and commercial viability while making sure that the end user is able to just plug in any BioAPI-compliant BSP. As the system has to cater for any BSP installed anywhere, the implementation will support distributed (Client/Server) BSPs; therefore it is vital to know the BioAPI support for them.


Our solution is going to provide both verification and identification, and we cannot neglect in-house databases. Hence our solution will provide all the optional services, provided the underlying technology supports them. Extensive use of databases will also be needed, since BioSys supports tracking complex relationships among installed devices, applications and users.


When it comes to security in financial applications, X9 is the de facto standard, hence it is essential to support the X9.84 standards. But since all the security features are managed within a centralized server, the need for X9 standards is not so essential. Another reason is that although X9 standards allow better security, most people think that they add too much overhead, especially when well-established secure communication within networks is possible (VPN and Web Service Security). At the development stage X9 standards will be discarded, mainly to keep the design simple, due to time constraints, and importantly because X9 standards are not free.



The architecture of Universal BioSys will be designed such that it could easily be extended beyond a LAN to the external world through the Internet. Web Services have to play a big role in doing so. Among the possible Web Service technologies, C# Web services are the best because, C# being the development language, it allows the ability to transfer vector data and large bit arrays. It also allows the client side to be platform independent, although the server should run on the Microsoft .NET platform.


Web service security is also an important consideration, since it allows a much simpler way (in terms of implementation) to make sure that the communication between the application and the server is secure. The combination of XCBF and WSS would allow security even when biometrics data need to be transmitted between the applications and the server.


The Universal BioSys server consists of two parts, the engine and the Administrative console, which are designed and used as two separate applications running in different locations, allowing remote management of the engine. If plain data is passed between the Server and the Console, any intruder within the internal network could extract those packets and use them either for replay attacks or for other forms of misuse.

To guard against such internal attacks it is essential to have secure communication between the Server and the Console. In such a case a Client/Server VPN is a really good solution. Since we are working at the application layer, SOCKS would be a suitable tunneling protocol as well.



The competitor for VPN is the security provided by Web Services, especially when extending beyond the LAN. But the security provided by VPN is more proven than Web Service Security due to its heavy use in the last few years. Most organizations that are interested in connecting their mobile and home users already have a well-established VPN infrastructure. In such cases it is too much overhead to have both forms of security, so support for web service security can be turned off when a VPN is there. But Web Service Security is suitable where only the authentication process needs to be secured, not the rest of the communication. In cases where secure communication is still required between the client and the internal network, VPN is the only solution. In terms of the development of BioSys, both VPN and Web Service Security are important.





6.0 Tables and Figures

6.1 Figures

Figure 1 - Various Biometrics Technologies

Figure 2 - Sample Biometrics architecture




Figure 3 - Sample Network Enabled with BioLink BAS

Figure 4 - Biometrics architecture and standards

Figure 5 - Possible implementation strategies




Figure 6 - Client/Server Implementation Using Streaming Callback - Server Initiated Operation

Figure 7 - Biometrics Identification Record

Figure 8 - A simple VPN network

















6.2 Tables

| Technology | Ease of Use | Accuracy | User acceptance | Security Level | Stability | Error occurrences | Cost |
|---|---|---|---|---|---|---|---|
| Fingerprint | High | High | Medium | High | Very High | Dryness, dirt | Average |
| Hand geometry | High | High | High | Medium | Medium | Injury, age | Average |
| Retina | Low | Very High | Low | High | High | Glasses | Very High |
| Iris | Medium | Very High | Low | Very High | High | Poor light | Average |
| Face Recognition | High | High | High | Medium | Medium | Age, poor light, hair | Lower |
| Signature | High | High | Medium | Medium | Medium | Changes over time | Average |
| Voice | High | High | High | Medium | Low | Health, noise | Lower |
| Keystroke analysis | High | High | High | Medium | Medium | Changes over time, maturity to type | Lower |

Table 1 - Comparison of various biometrics technologies





8.0 Abbreviations

ASN - Abstract Syntax Notation
ANSI - American National Standards Institute
API - Application Program Interface
ADSL - Asymmetric Digital Subscriber Loop
ATM - Asynchronous Transfer Mode
BIR - Biometrics Identification Record
BSP - Biometrics Service Provider



CA - Certificate Authority
CBEFF - Common Biometrics Exchange File Format
CSP - Cryptographic Security Provider
XML - Extensible Markup Language
FAR - False Acceptance Ratio
FRR - False Reject Ratio
HTTP - Hypertext Transfer Protocol
IR - Infra Red
IDE - Integrated Development Environment
ISDN - Integrated Services Digital Network
INCITS - InterNational Committee for Information Technology
IETF - Internet Engineering Task Force
IP - Internet Protocol
IPSec - Internet Protocol Security
L2F - Layer 2 Forwarding
L2TP - Layer 2 Tunneling Protocol
PPP - Point to Point Protocol
PPTP - Point to Point Tunneling Protocol
SOAP - Simple Object Access Protocol
SDK - Software Development Kit
SPI - Service Provider Interface
SSL - Secure Socket Layer
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
VPN - Virtual Private Network
WASP - Web Applications and Services Platform
WSS - Web Service Security
WAN - Wide Area Network
XCBF - XML Common Biometric Format