This method looks at the patterns found on a fingertip. Patterns are made by the lines on the tip of the finger.

Size: px

Start display at page:

Download "This method looks at the patterns found on a fingertip. Patterns are made by the lines on the tip of the finger."

Clarissa Shepherd
8 years ago
Views:

1 According to the SysAdmin, Audit, Network, Security Institute (SANS), authentication problems are among the top twenty critical Internet security vulnerabilities. These problems arise from the use of basic authentication that requires the use of user IDs that are often shared and have passwords that are either weak and/or the same as the user ID. To make authentication more secure, users should be identified by something he/she has or is rather than something he/she knows. Among all possible one-factor authentication mechanisms, something the user is is much more secure because it cannot be stolen, borrowed, or forgotten. Biometrics, defined as automated methods of recognizing a person based on a physiological or behavioral characteristics i, plays a fundamental role in the authentication of something the user is. Methods Face Fingerprint Hand geometry Iris Retina Vascular Patterns Voice Signature Description This method involves analyzing facial characteristics such as the measure of the overall facial structure, including distances between eyes, nose, mouth, and jaw edges. This method looks at the patterns found on a fingertip. Patterns are made by the lines on the tip of the finger. This method involves analyzing and measuring the shape of a hand. This method involves analyzing features found in the colored ring of tissue surrounded the pupil. This method involves analyzing the layer of blood vessels situated at the back of the eye. Vascular patterns are best described as a picture of the veins in a person's hand or face. The thickness and location of these veins are believed to be unique enough to an individual to be used to verify a person's identity. This method does not involve the recognition of the user voice, but to convert the voice of the user to text for authentication purposes. This method analyzes the way the user signs his/her name, recording signature characteristics such as stroke order, speed, and pressure.

To make authentication more secure, users should be identified by something he/she has or is rather than something he/she knows.

2 Table 1: Biometric sensor types. ii

3 The following diagram depicts the typical architecture that has been used for biometrics products to date. User Biometric Sensor Processing module And Comparison process Patterns stored (DataBase) Application Figure 1 Biometric typical architecture. The Biometric Sensor measures the user s physiological or behavioral characteristics. This information pattern is captured and sent to the Processing Module which performs a comparison between the biometrics patterns stored in the database and the information pattern just received from the sensor. Results are then transmitted to an application which grants or denies access based upon the results of the comparison. An application is any type of program or system that requires authentication for access. Examples include home banking, an operating system, etc. To facilitate the biometric data interchange between different systems, the pattern information is structured using a specific file format called Common Biometric Exchange File Format (CBEFF) iii. This standard was developed by several industry consortiums (e.g., BioAPI Consortium) and standards technical committees (e.g., X9.F4 Working Group). A diagram of the CBEFF format is noted below: Standard Biometric Header Biometric Specific Memory Block Signature Standard Biometric Header (SBH): SBH Security options Integrity options Biometric Specific Memory Block: All the biometric pattern specification, including the creation date, type of biometric, purpose of the record, quality of data, etc. Signature: It is optional. Signature of MAC Common Biometric Exchange File Format (CBEFF), January 3, 2001, as NISTIR 6529.

The Biometric Sensor measures the user s physiological or behavioral characteristics.

4 A security review of a biometric implementation/system from the perspective of an auditor or consultant requires the review of several areas. These areas include the following: 1. Configuration of the device: Of primary importance in the device s configuration is the determination of the sensitivity threshold that defines the acceptance and rejection of biometric patterns. This threshold should be directly related to the criticality of the information/service that the authentication mechanism is protecting. The following three basic definitions should be understood by an auditor in order to determine the threshold: False-acceptance rate (FAR): The percentage of invalid users incorrectly accepted. False-rejection rate (FRR): The percentage of valid users incorrectly rejected. Crossover error rate (CER): Metrics that indicate the error rate at which FAR equals FRR. A low CER is directly related to the accuracy and reliability of the biometric device. 2. Encryption of the pattern information The security and integrity of the information pattern packet is assured by the definition of the standard biometric header (CBEFF). These definitions are dependent upon predetermined security requirements. This header provides two options that can be set to the following values: Field SBH Security options Integrity options Description 0x00 = plain Biometric 0x10 = with Privacy (Encryption) 0x20 = with Integrity (Signed or MACed) 0x30 = with Privacy and Integrity Note: This field is required. 0x01 = MACed 0x02 = Signed Note: This field only exists if Integrity is used (i.e. SBH Options=0x20 or 0x30).. Figure 3 Standard Biometric Header. The information pattern packet can be transmitted with or without security based upon the definition of the CBEFF.

This threshold should be directly related to the criticality of the information/service that the authentication mechanism is protecting.

5 3. Database security Because databases store critical information for biometric systems, database security should be reviewed. Databases store pattern information and depending on the type of system can also store user privileges and permissions. If this information is modified, an unauthorized user could bypass the authentication schema and/or a valid user could gain powerful privileges. Pattern modifications can also result in a denial of services causing no authentication to be performed at all. 4. Operating system security Most of the components included in a biometric authentication system are supported by an operating system (e.g. Database). If the operating system security level is poor, the entire biometric system could potentially be compromised. 5. Access, system, and security administration processes Another aspect that should be considered is user access, system, and security administration processes. Important controls within these processes that should be reviewed include the following: User access administration procedures: These procedures specify how users are added and removed from the system and how a register validates this information. Change management procedures: These procedures define the process for making modifications/updates to components of the biometric system. Biometric system components include: biometric sensors, the biometric application, databases, operating systems, and any application that interacts with them. Security log review procedures: These processes refer to procedures performed for the collection and analysis of logs that are generated by biometric system components. Incident response procedures: These procedures should also exist to specify the steps to be followed in case security events (e.g. several user authentication-failed attempts, users logged in the systems in not allowed times, etc.) were detected during the log review. Conclusion Overall, the biometric mechanism enhances the security of applications in terms of authentication access. However, this mechanism is yet another component of an application that must be secured with equal or greater levels than the security of the application itself. When trying to install a biometric mechanism or audit it, the different areas covered by this article should be considered. i Biometric Consortium Definition, ii A practical Guide to Biometric Security Technology, iii Common Biometric Exchange File Format (CBEFF), January 3, 2001, as NISTIR 6529,

If this information is modified, an unauthorized user could bypass the authentication schema and/or a valid user could gain powerful privileges.

May 2010. For other information please contact:

May 2010. For other information please contact: access control biometrics user guide May 2010 For other information please contact: British Security Industry Association t: 0845 389 3889 f: 0845 389 0761 e: info@bsia.co.uk www.bsia.co.uk Form No. 181.