Biometrics for Computer and Network Security

James Barnett

Principles of Information Systems Security

December 1, 2005

Table of Contents

Introduction
Fingerprint Scanning
Retinal and Iris Scanning
Vein Geometry
Voice Recognition
Implementation of Biometrics
False Positives and Negatives
Conclusion
Works Cited

Introduction

When the word biometrics comes up in conversation we usually think of fancy computer gadgets that keep people out of top secret facilities. In fact, they are not that uncommon and are used in many businesses today. Biometrics is the concept of using a unique physical property of a human as a means of identification. Some commonly used human features are fingerprints, voice, eyes and veins. They all provide different levels of security based upon their complexity. They all have their weaknesses and strengths, which will be discussed later. Biometrics can be used by about any organization wanting protection beyond a PIN or password. They are becoming more affordable and offer better security every day. There is even a fingerprint scanner made by Microsoft for a personal computer. It is capable of holding fingerprints from each finger, then using them to get usernames and passwords for about any login in Windows or on the Internet. The one major flaw in biometrics is the fact that people do not always stay the same. As humans age, our bodies change and so do these identifying features. To offer proper security, biometric scanners must be precise but not too precise. This concept is discussed more in the false positive and negative section. Biometrics are effective for security because physical attributes are almost impossible to steal, people cannot guess biometrics like passwords and usernames, and biometrics cannot be lost or forgotten. They must still be used in conjunction with some other form of identification.

Fingerprint Scanning

To understand fingerprint scanning we first need to understand the basics behind fingerprints. All human fingerprints are unique to that person and are based on genetics. A fingerprint consists of ridges and valleys which are made to help grip objects, but are also a great way to identify humans. Fingerprints are also influenced by surroundings and physical modifications such as burns, so fingerprints could change over the life of a human. While fingerprints are unique to the trained eye and to advanced computer software, to the untrained eye they all look the same. (Harris)

There are two types of fingerprint scanners: optical and capacitance. They both serve a common purpose: taking an image of the fingerprint and matching the patterns of ridges and valleys with a sample fingerprint. Optical scanning is the most popular today and involves several steps. It starts with a charge-coupled device (the kind of sensor a digital camera uses). The job of the charge-coupled device is simply to convert light rays into an analog signal. This is done with photosites, which convert the light they receive at a given point into a single pixel. The analog signal is then converted to a digital signal for processing. (Harris)

The capture process works by pressing the finger against a glass plate, like a camera lens; then diodes light the surface and the charge-coupled device takes an image of the fingerprint. The print is reversed: darker areas are represented with white so the ridges of the fingerprint appear black. The print is then tested for quality. It cannot be too light or too dark. If it is, a rescan will be requested. The image definition is also tested and has to meet certain standards or a rescan will be required. (Harris)

The second type of scanner, capacitance, captures the fingerprint using electrical current instead of light rays. The sensor is made up of semiconductor chips that hold cells. Each cell is two conductor plates covered with insulation. The cells are smaller than a ridge on the human finger. There is also an amplifier that controls the flow of current. When the finger is put onto the scanning surface it acts as a grounding point and the scanner captures the image by storing current in capacitors. Each capacitor gets a different level based on the current from the cell it is connected to. When scanning a fingerprint, the first step is to level the electrical current in the entire system, known as a reset. The scan then works by sending current through the amplifier, to the cell, through the capacitors, and back to the amplifier for output. A finger valley will produce a different voltage output than a ridge. The scanner then reads all the voltage outputs and puts together an image based on the currents stored and preset “knowledge.” These scanners are harder to overcome because they work on the amount of physical contact, not just an image produced by light. (Harris)


Now that a quality scan has been captured, the fingerprint scanner begins the comparison process. Usually the entire print is not compared because smudging can make an exact match impossible, and if done electronically, it will take enormous amounts of processing power to conduct the comparison. The scanners focus on minutiae, which are specific features of a fingerprint. These include but are not limited to: where one ridge splits into two and where a ridge ends. The scanners work by measuring relative distances from one minutia to another on both the sample print and the one scanned. There has to be a minimum of three minutiae considered (there are usually 60 to 70 available), and the distances and proportions between these need to be identical to be considered a match. This process is the same whether it is processed electronically or by a fingerprint analyst. (Harris)

Fingerprint scanning is a very secure, easy, and affordable way to provide biometric security. Fingerprint scanning is fairly difficult to circumvent. The only ways to get around fingerprint scanning are to make a replica of the original fingerprint out of wax or some other substance (which will only work with an optical scanner) or to actually have the finger of the authorized individual. Many scanners today have heat sensors to prevent the use of a molded or severed finger. While this does not totally solve the problem, it greatly reduces the risk of circumventing the security.

Retinal and Iris Scanning

Iris scanning is similar to an optical fingerprint scan. It uses a charge-coupled device to take a picture of features of the eye, just like a digital camera takes a picture. The inside of the eye is illuminated with visible and near-infrared light to produce a high contrast picture of the iris. The camera in an iris scanner is located 3 to 10 inches from the eye in question. The camera is either pre-aligned or will align by using mirrors in more advanced systems. When the picture is taken, the camera will identify four key features of the eye: the pupil, the edge of the pupil, the edge of the iris, the eyelids and eyelashes. After the picture is taken, it analyzes the image to produce a code of the iris. The iris is even more unique than fingerprints and does not change over time like other forms of biometrics. There are also about 200 points of reference in the iris versus 60 in a fingerprint. (Wilson)

Retinal scanners work in a similar manner to iris scanners, but this is older technology that uses high levels of light to illuminate the retina to take a picture of the blood vessels in the back of the eye. This technology is almost obsolete because of the discomfort and damage caused by the light and the fact that the retina will change over time. (Wilson)

Eye scanning is one of the most advanced and secure forms of biometrics. It is nearly impossible to circumvent the security without having physical control of a human with access. This activity could be seen very easily by security guards and other personnel, making it a very small risk. Eye scanning could also be overcome with a false positive, which is discussed later in this document. It is so secure because everyone’s eye is unique and there is no way to make a mold or replica of the eye. This means this form of biometric security is very expensive to implement and maintain. Eye scanning is only used in very sensitive areas and almost exclusively by the government. (Wilson) It is not a practical solution for most companies because they do not need this level of security.

Vein Geometry


Vein structure in a human is totally unique, and the shape and location of veins change very little with age, so this is an excellent form of identification. Vein scanning, like retinal scanning, works by using near-infrared light to illuminate a part of the body, usually a finger or hand, and photographing the veins. In the photograph the veins appear black. These scanners do not use any radiation (like an x-ray for medical purposes), so they are very safe. After the picture is taken, the image is compared to the sample image using many points of reference. (Wilson)


Vein geometry scanning is also a very secure system and is on the same level as eye scans. It is very effective and very accurate because people’s vein structures do not change. The downfall is that it is very expensive to implement and maintain. Like eye scanning, a company would have to have a need for a very high security level to consider vein scanning.

Voice Recognition


Voice recognition is the comparing of a human’s voice to a prerecorded voice. This is done by matching certain points and changes in the sound waves. This type of security is very loose because there needs to be a larger margin of error due to the voice changing with environmental effects. This is not a highly secure method, but it does offer another element to the security process. Voice recognition is a very quick way to use biometrics for security. Today, voice recognition has moved away from security uses to more practical uses, such as voice dialing on phones.

Implementation of Biometrics

Biometrics are used for computer security, but they are usually used to control physical access to certain pieces of computer equipment within the company. This means that most of the secure equipment needs to be in isolated locations. Putting all of the equipment in one place would not be a good idea because one physical compromise will put the entire system at risk. Backups should never be stored in the same physical location as the original data for this reason, and both need the same level of security.


When selecting the proper equipment to protect the assets of a company, many things need to be considered: value of what will be lost if security is compromised, sensitivity of the information being stored, whether the stolen data could be used to hurt others (such as employees or clients) and overall cost versus benefit of the security system (just to name a few). Any computer storing information about the public or clients should be secured not only from electronic attacks but also from physical attacks, and biometrics are a perfect solution for this example. Client information is what makes many companies profitable. If the client’s information is compromised, the client will cease to do business with the company, therefore making the company lose profit. This type of data should be protected in every way possible. Employee data (such as birth dates, social security numbers and bank accounts) also needs to be secured to a high level. One place with a very high need for security is backup sites. These sites are usually cut off from network activity at any time except when backups are being performed, so a physical compromise is about the only way to get to this data. With this being said, biometrics are the perfect way to make sure this data stays secure.

Once the need for physical security is determined, the company needs to select the level of security they need for each piece of equipment. It could be as serious as a mainframe or as lax as a file server for documents, such as lunch menus and casual memos. Once the equipment is segregated, an assessment needs to be made as to the value of the equipment and data to the company. Is spending x amount of money worth protecting the data or equipment in question? After the budget for security is determined, the selection and purchasing of the equipment can begin. The needed equipment will vary depending on the application, but the most common piece of equipment is a fingerprint reader.

Usually eye and vein scans are only used in very secure locations due to cost and time required for authentication. After the equipment is purchased and installed, all the users must have samples taken of the biometric in question, whether it be the finger, eye or hand. This is done by taking a very controlled picture of the biometric to ensure easy authentication later while in use.

This equipment alone is usually not enough to protect the resource in question. Biometrics are almost always used in conjunction with some other type of identification. There are three basic elements in a security system that the user must produce to be authenticated. These are: what you have (token), what you know (username and/or password) and what you are (fingerprint or eye). Usually one other element is used with what you are, the biometric. This is commonly a PIN (personal identification number), basically a numeric password. For example, a fingerprint scan may be conducted and if it matches, the user must provide a PIN associated with the fingerprint to be authenticated, or vice versa. This could also be a token and a fingerprint or any combination thereof depending on the level of security required. Users could be required to have a username and password, an iris scan and a token to enter very sensitive areas. This system is so secure because someone with a token and no biometric cannot enter, and someone with a password cannot enter without the biometric. (Conklin 47-48, 187-188)

Biometrics are only as good as the people behind the creation and implementation of them. First off, the equipment needs to be of good quality and have features to prevent circumvention. The administrator of the biometrics also needs to be conscious of who receives access to the secure site. Access needs to be at a level where work can go on uninterrupted, but giving access to too many people can lead to a decrease in security. If information is sensitive enough to use biometric protection as well as other security methods, the number of people who can access the physical part of this data should be very limited. There should also be separation of access. No one person should have access to all of the resources available because this is a perfect “in” for a hacker or even that person. Even the best security is worthless without proper human backing and intervention.

Another way to get around biometric scans is to hack the scanner itself. This can be done by hacking a network connection to the scanner. The hacker could disable the scanner from the security scheme, could add their own sample to the sample base, or simply corrupt all the samples so no one can have access to the resources. To prevent this type of hacking, the scanner should not have any network connectivity except when adding or removing samples. Even then, it should be a very secure, encrypted and limited connection so there is no open door for a hacker. Ideally, the scanner would never have network access, and new samples and updates would be loaded via removable medium to totally negate this risk.
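
One way to check an update loaded from removable media before it replaces the scanner's sample base, so that an added or corrupted sample is caught (an added example, not from the paper or its sources). The bundle layout, the shared key and all names are assumptions; real templates would be binary data, shown here as short constructed hex strings.

```python
import hashlib
import hmac
import json


def canonical(samples):
    """Serialize {user_id: template_hex} the same way on both machines."""
    return json.dumps(samples, sort_keys=True, separators=(",", ":")).encode()


def seal(samples, key):
    """Run on the enrollment station before writing the bundle to the medium."""
    tag = hmac.new(key, canonical(samples), hashlib.sha256).hexdigest()
    return {"samples": samples, "tag": tag}


def load_update(bundle, key, current):
    """Run on the scanner. Returns (new sample base, change report).

    Raises ValueError, leaving the current base untouched, if the bundle
    was altered after it was sealed.
    """
    expected = hmac.new(key, canonical(bundle["samples"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("tag", "")):
        raise ValueError("update rejected: sample bundle failed integrity check")
    new = bundle["samples"]
    report = {
        "added": sorted(set(new) - set(current)),
        "removed": sorted(set(current) - set(new)),
        "changed": sorted(u for u in new if u in current and new[u] != current[u]),
    }
    return dict(new), report


# Constructed values for the demonstration.
KEY = b"constructed-demo-key"  # assumption: provisioned on both machines in advance
CURRENT = {"alice": "a1b2", "bob": "c3d4"}  # sample base already on the scanner


def demo():
    """Load a legitimate update, then one altered after sealing."""
    good = seal({**CURRENT, "carol": "e5f6"}, KEY)
    _, report = load_update(good, KEY, CURRENT)
    # The same bundle with one extra sample added after it was sealed.
    tampered = {"samples": {**good["samples"], "mallory": "ffff"}, "tag": good["tag"]}
    try:
        load_update(tampered, KEY, CURRENT)
        rejected = False
    except ValueError:
        rejected = True
    return report, rejected


if __name__ == "__main__":
    print(demo())
```

The change report gives the administrator a list of who was added, removed or re-enrolled to review before the update is accepted.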

False Positives and Negatives

No matter the type of biometric being used, there will be the possibility of a false positive or negative. A false positive is when the scanning device grants access to someone who is not who they say they are, and a false negative denies someone who should have access. There is no way to avoid these issues, but they can be minimized by analysis techniques. Analysis cannot be too exact, and there has to be some margin of error, but not too much or too many false positives will occur. False positives could be totally eliminated with the use of a very strict analysis process, but this would take more processing power and time and also produce many false negatives. These would be due to the item being scanned changing, a different scanning angle or many other factors. There is nothing more frustrating to a user than being denied access to something they know they have access to. With this said, there is a very fine line, and that gives us yet another reason to use some other type of identification in conjunction with the biometric.

False positives and negatives can happen with any type of biometric scan. In fingerprint scanning they usually occur due to smudging or some type of alteration of the fingerprint (such as a cut or burn). Voice recognition can lead to a false reading if the person has a cold or loss of voice. Retinal scanning can be thrown off because the retina changes over time. Iris scanning will produce very accurate results and has a low number of false positives and negatives as long as a good initial scan was taken for the sample. Vein scanning also produces a low level of false positives and negatives due to the vein structure not changing and the analysis process. Cost increases as the level of false results decreases, and the type of biometric needs to be matched to the desired level of security.
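
The minutiae comparison from the Fingerprint Scanning section and the margin-of-error trade-off described above, worked through as an added example (not from the paper or its sources). It assumes the scanner has already paired up the same minutiae in the same order in both prints; the coordinates, tolerances and function names are constructed for illustration.

```python
import math
from itertools import combinations

MIN_MINUTIAE = 3  # the minimum the text gives for a comparison


def proportions(minutiae):
    """Pairwise distances between minutiae, scaled by the largest distance.

    Distances ignore where the finger landed on the plate (shift, rotation);
    scaling by the largest one also ignores image resolution.
    """
    if len(minutiae) < MIN_MINUTIAE:
        raise ValueError("need at least three minutiae")
    dists = [math.dist(a, b) for a, b in combinations(minutiae, 2)]
    longest = max(dists)
    if longest == 0:
        raise ValueError("minutiae are not distinct points")
    return [d / longest for d in dists]


def deviation(enrolled, scanned):
    """Largest difference between corresponding proportions (0.0 = identical)."""
    if len(enrolled) != len(scanned):
        raise ValueError("prints must list the same minutiae")
    pe, ps = proportions(enrolled), proportions(scanned)
    return max(abs(e - s) for e, s in zip(pe, ps))


def matches(enrolled, scanned, tolerance):
    return deviation(enrolled, scanned) <= tolerance


def error_rates(enrolled, genuine, impostors, tolerance):
    """Return (false positive rate, false negative rate) at this tolerance."""
    false_pos = sum(matches(enrolled, s, tolerance) for s in impostors)
    false_neg = sum(not matches(enrolled, s, tolerance) for s in genuine)
    return false_pos / len(impostors), false_neg / len(genuine)


# Constructed sample data: (x, y) pixel positions of three minutiae.
ENROLLED = [(0, 0), (30, 0), (30, 40)]
GENUINE = [
    [(10, 10), (40, 10), (40, 50)],  # same finger, placed elsewhere on the plate
    [(0, 0), (31, 0), (30, 41)],     # same finger, slight sensor noise
    [(0, 0), (60, 2), (58, 80)],     # same finger, higher-resolution capture
    [(0, 0), (33, 0), (29, 38)],     # same finger, smudged
]
IMPOSTORS = [
    [(0, 0), (30, 0), (15, 40)],
    [(0, 0), (50, 0), (50, 10)],
    [(0, 0), (32, 0), (30, 37)],     # a different finger that happens to be close
]

if __name__ == "__main__":
    for tol in (0.0, 0.02, 0.1, 0.7):
        fp, fn = error_rates(ENROLLED, GENUINE, IMPOSTORS, tol)
        print(f"tolerance {tol:<4}  false positives {fp:.2f}  false negatives {fn:.2f}")
```

In this data the smudged genuine scan deviates more than the close impostor does, so no single tolerance removes both kinds of error, which is the case for pairing the biometric with a second factor.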

Conclusion

Electronic security and physical security run hand in hand when protecting sensitive data. Neither form can stand alone to give optimum protection. Biometrics are only a small part of the overall security world, but they are an important part that gives another layer of security, “something you are.” Stand-alone biometrics are fairly weak, but in conjunction with other security measures, and good physical security at entrances and exits, they can make a security system almost totally secure.

Most think of biometrics as something very futuristic, but they are with us now in everyday life. There are rumors of using fingerprint scanners along with a PIN for debit and ATM transactions. They can offer a unique identifying trait for every human being that is almost impossible to duplicate. Although false positives and negatives can make the system less secure, this can be controlled by adding other layers of security. As biometrics advance and become more affordable, they will offer more benefits to more companies worldwide.

Works Cited


Wilson, Tracy. "How Biometrics Works." How Stuff Works. 29 Nov. 2005 <http://science.howstuffworks.com/biometrics5.htm>.

Harris, Tom. "How Fingerprint Scanners Work." How Stuff Works. 29 Nov. 2005 <http://computer.howstuffworks.com/fingerprint-scanner1.htm>.

Conklin, Arthur. Principles of Computer Security - Security+ and Beyond. Burr Ridge: McGraw-Hill Technology Education, 2004.