Analysis of Hardware Controls for Secure Authentication

22 Feb. 2014

Analysis of Hardware Controls
for Secure Authentication

Group 2

Karan Asnani, John Bowen,
Michael Ellis, Nirav Shah


Outline

Introduction to access control

Smart cards

Hardware tokens

Biometrics

  Face recognition

  Fingerprint scanning

  Voice recognition

Conclusion


Introduction

Access control is a key first step in information security.

Authentication (establishing who a user is) vs. authorization (deciding what that user may do).

Effective access control is often lacking, especially in the private sector.

Various hardware-based authenticators exist.


Smart Cards

Historically popular in Europe.

Evolved from magnetic stripe cards.

Four major uses:

  Protect the privacy of individuals and keep their informational assets safe from hacking.

  Restrict access to networks or computer systems, possibly in combination with hardware tokens.

  Restrict physical access to protected areas.

  Storage and encryption of sensitive data such as certificates or passwords, usually in conjunction with a Public Key Infrastructure (PKI) in which the card holds a certificate issued by a certification authority.

Categorization by memory

Memory cards:

  Original version of smart cards.

  Areas for temporary and permanent data.

  Example: prepaid phone cards.

Chip cards:

  "True" smart cards.

  Basically small computers containing memory and a microprocessor.

  Large storage capacity.
Internal Architecture of a Chip Card

[Figure: internal architecture of a chip card (Dhar 6)]
Categorization by interface

Contact:

  Card in contact with the reader for the duration of the transaction.

  Data transmitted through electrical contacts.

  Contacts may wear out.

Contactless:

  Speeds up transactions and is easy to use.

  Long lifetime.

  Reduced vandalism of readers.

  Data transmitted by radio (RFID).
Pros and Cons

Pros:

  Physical access restricted to authorized users.

  Large capacity and multifunctionality.

  Long lifetime.

  Cards can be self-securing (PIN-protected, tamper-resistant chip).

Cons:

  Risk of the card being lost or stolen.

  High initial capital expenditure.

  Issue of human trust: the card proves possession, not who is holding it.
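The two points above that matter most to a practitioner are that a chip card can be self-securing and that a lost or stolen card is the main risk. The following Python model, added here as an illustration and not code from the slides or from any card vendor, shows how the two fit together: the card's key never leaves the chip, a PIN try counter blocks guessing after three misses, and the host authenticates the card with a fresh random challenge so that a captured response cannot be replayed. HMAC-SHA256 with a key the verifier also knows stands in for the RSA/ECDSA signature a PKI card would compute; the card IDs, PIN and key are constructed for the example.

```python
"""Model of a PIN-protected chip card doing challenge-response authentication.

Added illustration, not code from the slides or from any card vendor. HMAC-SHA256
with a key shared with the verifier stands in for the RSA/ECDSA signature a PKI
card would compute; the card and verifier classes, IDs and PINs are invented.
"""
import hashlib
import hmac
import os

# Constructed card key for the example; a real card generates its key on-chip.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class ModelSmartCard:
    """The key never leaves the card; a PIN try counter blocks PIN guessing."""

    MAX_TRIES = 3

    def __init__(self, card_id, pin, key):
        self.card_id = card_id
        self._pin = pin
        self._key = key            # no accessor: the host only ever sees signatures
        self.tries_left = self.MAX_TRIES
        self._unlocked = False

    @property
    def blocked(self):
        return self.tries_left == 0

    def verify_pin(self, pin):
        """A correct PIN resets the counter; every wrong PIN burns one try."""
        if self.blocked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left = self.MAX_TRIES
            self._unlocked = True
            return True
        self.tries_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge):
        """Only an unlocked card answers; a blocked card is dead even with the PIN."""
        if self.blocked or not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, self.card_id.encode() + challenge, hashlib.sha256).digest()


class Verifier:
    """Host side: maps card IDs to keys and remembers challenges it has accepted."""

    def __init__(self, registry):
        self._registry = dict(registry)
        self._used = set()

    def new_challenge(self):
        return os.urandom(16)      # fresh per login, so responses cannot be replayed

    def check(self, card_id, challenge, response):
        key = self._registry.get(card_id)
        if key is None or challenge in self._used:
            return False
        expected = hmac.new(key, card_id.encode() + challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self._used.add(challenge)
            return True
        return False


def demo_lost_card():
    """Finder of a lost card guesses the PIN: three misses block the card for good."""
    card = ModelSmartCard("card-0001", "4829", KEY)
    for guess in ("0000", "1234", "1111"):
        card.verify_pin(guess)
    right_pin_still_fails = not card.verify_pin("4829")
    try:
        card.sign_challenge(b"any")
        signs = True
    except PermissionError:
        signs = False
    return card.blocked and right_pin_still_fails and not signs


def demo_login():
    """Legitimate holder: PIN unlocks the card, the host checks a fresh challenge."""
    card = ModelSmartCard("card-0001", "4829", KEY)
    host = Verifier({"card-0001": KEY})
    card.verify_pin("4829")
    challenge = host.new_challenge()
    response = card.sign_challenge(challenge)
    accepted = host.check("card-0001", challenge, response)
    replayed = host.check("card-0001", challenge, response)           # same challenge twice
    reused = host.check("card-0001", host.new_challenge(), response)  # old response, new challenge
    return accepted, replayed, reused


if __name__ == "__main__":
    print("lost card locked out:", demo_lost_card())
    print("accepted, replayed, reused:", demo_login())
```

The model is deliberately one-sided: the verifier here holds the same key as the card, so it could forge responses itself, which a real PKI deployment avoids by keeping only the public key on the host. What carries over unchanged is the control flow: PIN before signature, a try counter that is not reset by power-cycling the card, and a challenge that is never accepted twice.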


Future

More research on:

  Improving card technology.

  Reducing the cost of implementation.

  Response systems for lost cards.

The market has huge scope for growth.

Smart cards are ready and available for wide-scale deployment.


Hardware Token Overview

Goal: to safeguard systems by means of secure authentication while allowing for dynamic security.

Portable.

Most produce a unique pass code.

Different shapes, sizes and implementations.

[Pictured: RSA SecurID 200, RSA SecurID 700]

History

Originated as devices called "dongles" in the 1970s.

Used serial and parallel ports.

Could be chained together for multiple authentications.

Typically used to protect software from being copied or to secure access to private software.
Multifactor Authentication

Three types of authenticator (O'Gorman 2003):

  Knowledge-based (something you know)

  Object-based (something you have)

  ID-based (something you are)

Specifically, most hardware tokens use two-factor authentication.

"This example of token plus password constitutes the vast majority of current multifactor implementations" for hardware authentication today (O'Gorman 2003).

Functionality of Hardware Tokens

Two primary token types:

  Time-changing passwords

    Most change once every sixty seconds or less.

    Achieved by synchronizing the token's clock with the authentication server upon initialization.

  Event-changing passwords

    Pressing a button generates the next password.

This generation of a unique password for each use is called a one-time password (OTP).

[Pictured: VeriSign OTP Token, CRYPTOCard KT1]

Pass Code Generation

The pass code algorithms are vendor-proprietary (kept secret).

  Secrecy of the algorithm is not a security property in itself: the "alleged" SecurID hash was reverse-engineered and cryptanalysed (Biryukov, Lano and Preneel 2004).

Vendors change the algorithm in new models.

  RSA changed the SecurID algorithm in 2003.

Most vendors now use the Advanced Encryption Standard (AES) to generate pass codes.





Authentication

Used to limit access to VPNs, SSH, RAS, wireless networks, e-mail, etc. for Windows and Unix.

Typically the user enters the knowledge-based password (PIN) and the object-based OTP together, in the following way:

  [Figure: pass code = STATIC (PIN) + DYNAMIC (OTP)]

Sometimes both factors are combined on the token itself (the PIN is entered on the token's keypad and the token computes the response).

The authentication process varies for each vendor and client.

[Pictured: CRYPTOCard RB-1]
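The two token types from the Functionality slide and the "static PIN plus dynamic OTP" login above, worked through in Python as an added example. This is not code from the slides or from any token vendor: it follows the open RFC 4226 (HOTP, event-based) and RFC 6238 (TOTP, time-based) construction, which uses HMAC-SHA1 rather than the proprietary or AES-based algorithms the slides describe. The OtpServer class, its concatenated PIN||OTP format, the look-ahead window and the anti-replay rule are this example's own assumptions; the secret is RFC 4226's published test key so the outputs can be checked against the RFC.

```python
"""Event-based (HOTP) and time-based (TOTP) one-time passwords with a server-side check.

Added example, not code from the slides or any token vendor: it follows the open
RFC 4226 / RFC 6238 construction (HMAC-SHA1), which differs from the proprietary
SecurID algorithm the slides describe. The OtpServer class, its PIN handling and
the look-ahead window policy are this example's own assumptions.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226's published test secret, used here so the outputs are checkable.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based OTP: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def totp_now(secret):
    """What a time-synchronized token would display right now."""
    return totp(secret, int(time.time()))


class OtpServer:
    """Checks 'PIN || OTP' passcodes: static knowledge factor plus dynamic object factor."""

    def __init__(self, pin, secret, step=30, window=1):
        self._pin = pin
        self._secret = secret
        self.step = step
        self.window = window          # steps of clock drift tolerated either side
        self._last_counter = -1       # highest counter accepted so far (anti-replay)

    def verify(self, passcode, now):
        n = len(self._pin)
        if len(passcode) != n + 6:
            return False
        pin, otp = passcode[:n], passcode[n:]
        pin_ok = hmac.compare_digest(pin, self._pin)   # evaluated regardless of the OTP
        base = now // self.step
        matched = None
        for counter in range(base - self.window, base + self.window + 1):
            if counter > self._last_counter and hmac.compare_digest(hotp(self._secret, counter), otp):
                matched = counter
                break
        if pin_ok and matched is not None:
            self._last_counter = matched   # this code and every older one are now burnt
            return True
        return False


if __name__ == "__main__":
    print(hotp(SECRET, 0), totp(SECRET, 59, digits=8))
    server = OtpServer("1234", SECRET)
    print(server.verify("1234" + hotp(SECRET, 1), 59))   # True
```

The window is what replaces the "synchronized upon initialization" assumption in practice: a token whose clock has drifted one step still logs in, and a real server would re-centre its per-token offset on each success. Recording the last accepted counter is what makes the code a one-time password even inside the window, since an observed code can never be presented again.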

USB Tokens

Extra storage capacity allows encryption of stored files using a public key infrastructure (PKI).

Encryption and decryption are automatic.

Ability to store certificates on the USB token allows digital signing of documents.

Market

RSA Security is the largest single producer of hardware tokens.

VeriSign is gaining market share.

Discount token companies such as Vasco are emerging.

Most current use is by government and research institutions.

Ordinary commercial institutions are finally beginning to adopt hardware tokens.


Pros and Cons

Pros:

  One-time password

  Two-factor authentication

  Increased mobility

Cons:

  Easily lost

  Inconvenience

  Costly implementation



The Future of Hardware Tokens

Bluetooth and Zero-Interaction Authentication (ZIA).

Mobile phones and PDAs.

Increasing adoption facilitates cheaper technology and more research.


Biometrics & Face Recognition

Biometrics: using/analyzing physical features of an individual in the fields of security and access control.

Face recognition: subset of biometrics in which facial features are analyzed as a means of:

  Verification (one-to-one: does this face match the claimed identity?)

  Identification (one-to-many: whose face is this?)

Obvious uses in security in private industry.
Face Recognition: History

1960s

  Woody Bledsoe, Helen Chan Wolf, and Charles Bisson develop the first semi-automated recognition system.

  Required human assistance.

  Difficulties concerning orientation of the face in calculations.

1970s

  Introduction of subjective markers to aid in automation.

History (continued)

1980s

  Kirby and Sirovich apply principal component analysis -> "Eigenfaces" (discussed later).

  Considered a breakthrough in face recognition.

  Reduced the amount of data required.

1990s

  Turk and Pentland extend the technique to detect the face in an image.

Face Recognition: Functionality

Two possible functions of face recognition: identification problems and verification problems.

  General surveillance vs. guaranteeing an identity.

Regardless of function, five steps are required:

1. Acquire image of face
2. Determine location of face
3. Analyze face
4. Compare results of analysis to reference data
5. Evaluate results of comparison


Functionality: Algorithms

Example algorithms:

  Eigenface

  Fisherface

  Hidden Markov model

  Dynamic Link Matching

  Elastic Bunch Graph Matching (EBGM)

  3D Face Recognition (new)

Many variations of the Eigenface method exist.

Algorithms: Eigenfaces

Based on principal component analysis (PCA).

"One of the most successful methodologies for the computational recognition of faces in digital images."

Basis: the amount of data carried in an image is much greater than what is needed to describe a face.

  Utilizes linear algebra techniques to compress the data.


Eigenfaces: Principal Component Analysis (PCA)

Summary: project input faces onto a dimensionally reduced space to carry out recognition.

The mathematics:

  "PCA is a general method for identifying the linear directions in which a set of [data-containing] vectors are best represented in a least-squares sense, allowing a dimensional reduction by choosing the directions of largest variance." (Javier Ruiz-del-Solar)

Principal Component Analysis (continued)

So what exactly does this mean?

  Facial data from an image (once a face is extracted) is reduced, using data compression basics, into "eigenfaces".

  A face image is represented as a weighted sum of the eigenfaces.

So... what does this look like?


Standard Eigenfaces

[Figure: a set of standard eigenfaces]

Notice how only "relevant" facial data is retained.

Eigenfaces: Conclusion

The weights derived for a new image are compared to those of the stored images.

Comparison: distance between the respective weight vectors (weighted sums of eigenfaces).

A small distance is declared a facial match; the threshold that counts as "small" sets the trade-off between false accepts and false rejects.
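Steps 3 to 5 of the pipeline on the Functionality slide (analyze, compare to reference data, evaluate) and the PCA explanation above, carried through in pure Python as an added example. This is not code from the slides or from the cited papers: the 4x4 "images", the subjects' names, the k = 3 choice and the match threshold are constructed for the example. Because the gallery holds four images, k = 3 eigenfaces capture all of its variance and the comparison in weight space is exact; a real gallery keeps k far below the number of images and the comparison becomes approximate. The block also computes the "distance from face space" residual that Turk and Pentland used to reject inputs that are not well described by the eigenfaces at all, which catches an impostor whose weights happen to land near an enrolled face.

```python
"""Toy eigenface (PCA) recogniser in pure Python, over constructed 4x4 'face' images.

Added example, not code from the slides or from the cited papers: the images, names,
threshold and the k = 3 choice are this example's assumptions.
"""
import math


def vsub(a, b):
    return [x - y for x, y in zip(a, b)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def mean_face(images):
    return [sum(col) / len(images) for col in zip(*images)]


def covariance(centered):
    """C = (1/N) sum phi phi^T over mean-subtracted images (d x d, here 16 x 16)."""
    d, n = len(centered[0]), len(centered)
    cov = [[0.0] * d for _ in range(d)]
    for phi in centered:
        for i in range(d):
            for j in range(d):
                cov[i][j] += phi[i] * phi[j] / n
    return cov


def top_eigenvectors(cov, k, iters=300):
    """Orthogonal iteration: the k unit eigenvectors of largest variance (the eigenfaces)."""
    d = len(cov)
    found = []
    for idx in range(k):
        v = [1.0 / (i + idx + 1) for i in range(d)]      # deterministic start vector
        for _ in range(iters):
            w = [dot(row, v) for row in cov]
            for u in found:                               # keep orthogonal to earlier eigenfaces
                c = dot(w, u)
                w = [wi - c * ui for wi, ui in zip(w, u)]
            length = norm(w)
            if length < 1e-12:
                break
            v = [x / length for x in w]
        found.append(v)
    return found


class EigenfaceModel:
    def __init__(self, gallery, k):
        """gallery: list of (label, image); k: eigenfaces kept (16 pixels -> k weights)."""
        self.mean = mean_face([img for _, img in gallery])
        centered = [vsub(img, self.mean) for _, img in gallery]
        self.eigenfaces = top_eigenvectors(covariance(centered), k)
        self.weights = [(label, self.project(img)) for label, img in gallery]

    def project(self, img):
        """Step 3: the face as a weighted sum of eigenfaces; the weights are the compressed face."""
        phi = vsub(img, self.mean)
        return [dot(ef, phi) for ef in self.eigenfaces]

    def residual(self, img):
        """Distance from face space: what the eigenfaces cannot explain (large for non-faces)."""
        phi = vsub(img, self.mean)
        w = self.project(img)
        recon = [sum(wj * ef[i] for wj, ef in zip(w, self.eigenfaces)) for i in range(len(phi))]
        return norm(vsub(phi, recon))

    def identify(self, img):
        """Steps 4-5, identification: nearest enrolled face in weight space."""
        w = self.project(img)
        return min(((label, norm(vsub(w, gw))) for label, gw in self.weights), key=lambda t: t[1])

    def verify(self, img, claimed, threshold):
        """Steps 4-5, verification: is the image within threshold of the claimed identity?"""
        w = self.project(img)
        dists = [norm(vsub(w, gw)) for label, gw in self.weights if label == claimed]
        return bool(dists) and min(dists) <= threshold


# Constructed 4x4 grey-scale 'faces' (row-major, 0 = dark, 1 = bright); not real images.
GALLERY = [
    ("alice", [1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0]),
    ("bob",   [1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]),
    ("carol", [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1]),
    ("dave",  [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1]),
]
MODEL = EigenfaceModel(GALLERY, k=3)

# A new capture of alice with small sensor noise, and someone who was never enrolled.
PROBE_ALICE = [1.05, 1, 0, 0.05, 1, 1.05, 0, 0, 1, 1, 0.05, 0, 1, 1, 0, 0.05]
PROBE_EVE = [0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    print(MODEL.identify(PROBE_ALICE), MODEL.verify(PROBE_ALICE, "bob", 0.5))
    print(round(MODEL.residual(PROBE_ALICE), 3), round(MODEL.residual(PROBE_EVE), 3))
```

Two things the code makes concrete that the slides leave implicit: identification always returns a nearest neighbour, so without a threshold or residual check an unknown face is simply assigned to whoever is closest; and the distance threshold is the knob that trades false accepts against false rejects in the verification case.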



Algorithms: 3D Methods

Capture facial images using more than one camera.

3D models hold more information than 2D.

  Potential for greater accuracy in recognition.

Algorithm similar to Eigenfaces but with some additional properties.

In practice, 2D recognition currently still outperforms 3D.



Algorithms: Weaknesses

Affected by viewing angle.

Illumination accentuates/diminishes certain features.

Expressions cause variations in appearance.

Objects may obscure the face.

Faces change over time (ageing).

Sensitivity to gender or ethnicity.




Face Recognition: Testing

Face Recognition Technology (FERET) Program

  Three main goals.

Face Recognition Vendor Test (FRVT)

  "measure progress of prototype systems/algorithms and commercial face recognition systems"

[Figure: verification performance data for the top three face recognition companies tested]

Face Recognition: Standards

INCITS M1

ISO SC37

In 2004, the Department of Homeland Security adopted the first biometric face recognition standard.

  Used in applications such as travel documents.

  Specifies photograph properties.




Face Recognition: Research & Market

Interest in use in security surveillance -> research in video-based face recognition.

A number of research groups:

  Carnegie Mellon

  University of Maryland

U.S. government investing in 3D technology:

  $6 million in 2005 to A4Vision, Inc.

French Civil Aviation Authority employing 3D technology in an airport.

Face Recognition: Pros, Cons, & Conclusions

A number of technical difficulties result in relatively poor accuracy.

  Face recognition involves too many variables.

Applications in security surveillance due to the nature of face recognition.

  Still must overcome the accuracy problem.

However, with further research, verification via face recognition could find a niche in the private field, especially when coupled with other technologies:

  Iris scanning


Fingerprint Authentication

Form of biometric technology.

ID-based authenticator.

Unique to one person.


History of Fingerprint Authentication

Dr. Henry Faulds: first scientist to mention identification as a use for fingerprints.

Sir Francis Galton: put fingerprinting on a scientific basis.

Use of fingerprinting in law enforcement.

Use of the Automated Fingerprint Identification System (AFIS).

Functionality of Fingerprint Authentication

Characteristics of a fingerprint:

  Ridge patterns: arches, whorls and loops.

  Minutiae: ridge endings, bifurcations, divergences, etc.

Fingerprint scanning:

  Two main types: optical and capacitance scanning.

Optical Scanning

Photo taken in a process similar to a digital camera.

A charge-coupled device (CCD) generates the image through thousands of photosites.

Each photosite records a pixel corresponding to the light that hits it.


Capacitance Scanning

Uses the property of capacitance to scan in the image.

One or more semiconductor chips, each containing a number of cells.

Each cell has a capacitor; the finger changes the capacitance of the cell, and because ridges and valleys change it differently, the array of readings forms the image.



Market for Fingerprint Authentication

Host of products available from many different companies:

  Identix Inc

  BioScrypt Inc

  Ultra-Scan Corp

Companies have started to combine different biometric technologies:

  e.g. V-Smart by BioScrypt Inc

Pros and Cons of Fingerprint Authentication

Pros:

  Extremely stable and hard to forge (though scanners can be fooled by a fake finger cast from a lifted print, so liveness detection matters).

  Fairly accurate.

  Inexpensive and easy to use.

Cons:

  Not usable by everybody (worn, scarred or missing fingerprints).

  False rejections are common.

  Social stigma.

Future of Fingerprint Authentication

Already a fairly established authentication technology.

Expected to grow steadily through research and technology.

  The fingerprint biometrics market was expected to reach $2.6 billion by 2006.

More accurate, inexpensive fingerprint scanners expected.



Voice Authentication

A type of biometric technology.

ID-based authenticator.

Not always unique to one person.

Two different types:

  Speaker verification

  Speaker identification


History of Voice Authentication

Voder: first attempt at synthesizing speech, in 1936.

Many commercial products starting in the 1970s.

  Very limited.

Products became more advanced in the 1990s, due to the dot-com era.

Functionality of Voice Authentication

Two main steps: feature extraction and acoustic modeling/classification.

Feature extraction:

  Involves breaking up the audio into individual "frames".

  The majority of voice authentication systems use mel-frequency cepstral coefficients (MFCCs).

  Each individual frame is converted to an MFCC feature vector.


Functionality of Voice Authentication (continued)

Acoustic modeling/classification:

  Several different models are used:

    Dynamic time warping

    Neural networks

    Hidden Markov models

  Translates the sequence of feature vectors into recognizable words (for speech recognition) or scores it against the enrolled speaker's model (for speaker verification).


Market for Voice Authentication

Fairly new technology, so very few vendors.

Large corporations as well as smaller established companies:

  Microsoft

  IBM

  Nuance

  QVoice Inc

Pros and Cons of Voice Authentication

Pros:

  Hard to forge

  Low cost

  Easy to use

Cons:

  Unstable (the voice can change)

  Background noise

  Vulnerable to attackers (e.g. replaying a recording of the speaker)


Future of Voice Authentication

Considered to be in its infancy, as it still has many problems.

Expected to grow rapidly.

Speech systems that use multiple biometric technologies and continuous input systems are expected to grow the fastest.

Conclusion

Access control is important in information security.

Three different hardware-based technologies discussed: smart cards, hardware tokens and biometrics.

Multifactor authentication leads to more secure protection.

Summary: huge potential for growth in the industry.

Bibliography

Biryukov, Alex, Joseph Lano and Bart Preneel. "Cryptanalysis of the Alleged SecurID Hash Function." Lecture Notes in Computer Science 3006 (2004): 130-144.

CRYPTOCard Tokens. CRYPTOCard Secure Password Technologies. 14 July 2006. <http://www.cryptocard.com/index.cfm?PID=377>.

Dhar, Sumit. "Introduction to smart cards." 1-9.

O'Gorman, Lawrence. "Comparing Passwords, Tokens, and Biometrics for User Authentication." Proceedings of the IEEE 91.12 (2003): 2021-2040.

RSA SecurID Authenticators. RSA Security. 14 July 2006. <http://www.rsasecurity.com/products/securid/datasheets/SID_DS_0606-4pp.pdf>.

Setlak, Dale R. "Advances in Biometric Fingerprint Technology are Driving Rapid Adoption in Consumer Marketplace." AuthenTec. 18 July 2006. <http://www.authentec.com/getpage.cfm?sectionID=43>.

Smart Card Forum. "What's so smart about smart cards?" 1-12.

Unified Authentication. VeriSign. 15 July 2006. <http://www.verisign.com/products-services/security-services/unified-authentication/usb-tokens/index.html>.


Questions?