Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013

Transcription

1 Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013 Rod Beatson President, Transaction Security, Inc. Rod.Beatson@crypto-sign.com ABSTRACT This paper considers the technology and application of biometrics to authenticate users of mobile devices prior to and during use: a) To gain access to the device immediately after power-up. b) To release complex passwords without the need to remember or enter them. c) To gain trusted access to enterprise Networks d) To protect sensitive applications running on the device e) To provide secure identity credentials to relying parties f) To use the mobile device to store an encrypted local template and to perform biometric matching g) To encrypt sensitive data stored on the device. h) To sign financial transactions and documents using a secure electronic signature with an ink-onpaper look. It will also discuss the use of mobile biometrics: a) Within the context of server-based biometric authentication including the cloud. b) Within the context of NSTIC and the IDESG c) Within the context of emerging NIAP Protected Profiles for Mobile Devices d) Within the context of NIST Special Publications It will discuss some biometric modalities and their applicability for these applications and in particular how the behavioral Signature/Sign modality is very suited to them. It will establish the importance of providing strong assurance that the device owner is the device user and conclude that a biometric method (used alongside a pass code for higher security) is an effective way to provide that assurance. NOTE: The Biometric Consortium describes biometrics as automated methods of recognizing a person based upon a physiological or behavioral characteristic. This definition has remained broadly consistent since 1987 when the first ANSI Biometric terminology standard was created. The use of Behavioral biometrics generally involves measuring time-dependent events in place of, or in addition to, physiological characteristics from modalities involving writing, typing or voice (see ISO/IEC JTC1 SC Part 1) 1. UNLOCKING THE MOBILE DEVICE This is the first operation that the user undertakes after power-up and it is vitally important for the security of further operations and transactions carried out on the device, that this operation establishes the owner (or authorized user) as the actual user of the device. Irrespective of the sophistication of encryption schemes employed on the device, user entry of Passwords, Pass codes or PIN s does not Page 1

2 establish that link and if an unauthorized user gains access it could become a personal and/or a corporate disaster. The use of biometrics in conjunction with a Pass code or PIN can create much more assurance that the device user is, in fact, the device owner or authorized user as well as providing the security base for encryption and future transactions. Of course the way in which the PIN (to fix ideas) is used with the biometric sample and template is all important. 2. HOW CAN WE PROTECT ACCESS AND DEVICE DATA IN A SECURE MANNER? 5% of mobile devices are lost or stolen each year. Therefore there can be little certainty that characters entered into the device are being entered by the owner or by the authorized user. Of course, it is not only important to restrict normal access to the correct individual, it is also important to ensure that sensitive device data at rest (DAR) - including any biometric template stored on the device - is not exposed by unfriendly forensic methods. The only way to accomplish this is by encrypting the data with complex keys. We will now explain how Encryption and Biometrics can work hand in hand to accomplish secure access and secure DAR as well as providing for secure Network access and signature-bearing transactions all without the need to remember and enter complex passwords. The object of this process is to provide a very high level of assurance that transactions carried out on the device are those of the owner/authorized user. In addition we protect the DAR, including any on-board local biometric template, from exposure through strong encryption. We can accomplish this by obfuscating and storing complex Passwords so that they can later be de-obfuscated and released to authenticate transactions of all kinds and encrypt appropriate data. This also relieves the user from the need to remember and enter complex passwords for device unlock, for Network authentication for Open Authentication and for single sign-on for Web access. One of NIST s recommendations in SP see below is to use a consistent hardware root from device hardware components as the basis for encryption to avoid software processes being compromised by malicious code. An early prototype of some of this methodology using the UUID as a hardware root was implemented some time ago on a Windows Mobile Device using the Crypto-Sign ( signature/sign biometric modality, which uses, as the biometric sample, a secret sign submitted on the device with inking inhibited. Please see: A further (early) prototype was demonstrated at the Mobility for Defense event in Crystal City in December, The user-friendly combination of the secret sign and the PIN meets FIPS 140/2 level 3 authentication requirements limiting the probability of access by chance to less than one in a million and, we believe, makes a successful brute force attack extremely difficult because of the need to submit a biometric sample (as well as a PIN) for every attempt. In actual fact, though, the UUID can be changed by a malicious actor and so a more reliable hardware root needs to be engineered. The biometric modality is immaterial to this methodology, although some modalities are more practical than others for mobile devices. To fix the context we will discuss an implementation using the Crypto- Sign ( signature/sign method using a stylus or a finger to generate the biometric sample and provide for a very low-cost solution. The behavioral nature of the Crypto-Sign biometric technology means that, in the very unlikely event of compromise, a new sign can easily be re-enrolled. The complex password can be changed easily at any time without having to remember and enter the old one. Figure 1 below shows the logic at a high level. Page 2

3 Figure 1 - A Biometric Password Generator - Operational Schematic A. REGISTRATION & ENROLLMENT - Patent-Pending method covering the use of general biometric technologies for password generation and transaction security Enter Biometric Samples Feature Extraction & Matching Enter Authentic Signature Sequential (x,y) data Generate Device Hardware Root Enter Complex Password Form Biometric Template, including authentic signature Calculate Very Strong Encryption Keys for Template and Passwords Calculate & Store Obfuscated Passwords Enter User Chosen PIN Encrypt & Store Biometric Template Including Authentic Signature/Credential B. AUTHENTICATION AND PASSWORD GENERATION/RELEASE ( Patent Pending) Enter Biometric Sample Extract Features Enter PIN Generate Device Hardware Root Calculate Template Decryption Key Decrypt Biometric Template Match Features to Template Yes Generate & Release Password to Device OS or for SSL/Network Access. Update & Encrypt Biometric Template. Delete Previous Template Good Match? Normal Processing Device Data En/Decryption Network/Web Authentication Auth. Sig./Credential Release Application Protection No Failure Action Page 3

4 A. REGISTRATION & ENROLLMENT - This sets the process up for seamless operation during the authentication process. The functionality here is to: a) Collect a consistent set of biometric samples that can be used to form the biometric template (signature/sign or other modality) and form the initial template. Various in-built tests are conducted on the data to ensure consistency and a sufficient level of complexity. b) Choose and enter a quality authentic electronic signature, with an ink-on paper look (or some other credential) that may be used later to submit to a relying party. Several attempts may be required and the user is prompted to accept or re-sign after each attempt until a quality authentic signature is attained. This signature will be the one released to future signaturebearing transactions e.g. healthcare/financial transactions. The format is a set of sequential (x,y) data, which are stored with the template in encrypted form. It is possible for styli that provide a pressure value to use this to provide variations in the thickness of the stroke but the process does not rely on these data being available. c) A value, rooted in the device hardware, is then calculated. d) Choose and enter complex passwords (enterprise or user/process defined) that meet certain minimum standards of complexity. e) A user-chosen PIN is then entered. f) These external data, suitably transformed are then used to: i. Calculate a very strong encryption key for the biometric template ii. Calculate (and store in NV storage) obfuscated passwords iii. Encrypt and store the biometric template iv. Protect sensitive device data at rest B. AUTHENTICATION No entry of complex Password required. The authentication process uses a biometric sample from the user together with PIN entry as follows: a) Capture the biometric sample and PIN b) Generate the template encryption key and decrypt the biometric template c) Match the features extracted from the biometric sample with the biometric template d) De-obfuscate the password e) Responsive to a good match, release the password to the authentication system, or for encryption purposes. C. OTHER FUNCTIONALITY The same process can be used to: a) Encrypt and protect sensitive device data at rest b) Release passwords for Network/Web access and/or for the SSL c) Protect access to sensitive device applications. d) Provide a trusted signature always the same one - with an ink on paper look (or other personal credentials) for financial transactions and other credential-based transactions e.g. in Healthcare, Financial Transactions and Contractual Agreements. This process is dependent upon the authentication and encryption processes executing in the device and implies operating system/model-specific solutions. A description of the obfuscation/de-obfuscation process can be obtained from info@crypto-sign.com. The process is an example of the more general patent-pending methodology described at: Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearchbool.html&r=2&f=G&l=50&co1=AND&d=PG01&s1=Beatson.IN.&s2=Signature&OS=IN/Beatson+AND+Sig nature&rs=in/beatson+and+signature. Page 4

5 If this biometric procedure were executed in a dedicated on-board device like an ASIC, full hardwarerooted encryption (as opposed to using the generated Device UUID or similar components) would be possible. The solution would then be more operating system independent, it would display consistent software behavior and it would be more secure as a result. The Trusted Computer Group, with its Trusted Partner Module (TPM) goes some way towards this objective but the relationship between the Module and the biometric process is unclear, especially for mobile devices. 3. TRUST GENERATION So how is trust generated to relying parties? The objective of the system is to generate a complex password, which can feed into the Secure Socket Layer and provide the same level of trust with the added advantage that there is assurance that the owner or authorized user actually conducted the transaction and the generated encryption keys, which rely on the generated password, can be as complex as required for the security required all without the need to remember or enter the complex passwords. In addition, since the biometric template is stored on the device, its compromise will not lead to the compromise of other user templates. Trust can further be increased by the supply of a credential supplied from the encrypted data stored on the device. An example of such a credential might be the authentic signature of the user, stored in encrypted, vectored image format with the biometric template and released only upon a successful match. This signature in vector image form, would have the benefit of always being the same and for certain applications (e.g. payment card transactions) could be compared by the relying party, with previous signatures for extra assurance. In addition, a Trust Mark could be associated with the whole process. 5. SERVER-BASED MODELS A number of companies are developing/marketing server based authentication models (including cloud based models). The basis of these technologies is that after biometric sample capture, feature extraction and decision-making takes place out of band on an Authentication Server which delivers the authentication message, along with appropriate credentials, back to the relying party. These systems rely upon a Trust Framework to provide assurance to the relying party that authentication has really taken place and to deliver the appropriate credentials (possibly from a Credential provider). Some of these systems are based upon NSTIC (National Strategy for Trusted Identities in Cyberspace) principles and the IDESG (Identity Ecosystem Steering Group) which is implementing the NSTIC strategy. Currently, there are numerous initiatives within the IDESG which is aiming to eliminate passwords. While this is a laudable goal, it is not clear they really mean eliminate because passwords are used regularly to generate encryption keys. It is the view of this author that what the IDESG really wants to do is to remove the need for users to remember and enter complex passwords, especially on these small devices. This process accomplishes this IDESG objective. Generally speaking there is a level of discomfort, rooted in privacy concerns (probably the top priority of the IDESG) with large databases of personal information (e.g. biometric templates). This is to a certain extent caused by unfortunate experiences associated with credit card and social security number databases, which have been hacked regularly over the years leading to payment card fraud and Identity theft. However, for those organizations, not so concerned about these matters and for smaller applications and data bases, the server-based model will work well and there are many applications that could and will use it. One of the advantages of the password generation model with local templates, described above, is that the template is confined to the device and the responsibility for its security devolves back to the user, where it belongs. This concept is certainly in line with the IDESG principle of preserving privacy. The Page 5

6 password generation methodology achieves this objective at power-up and can be extended to generate encryption keys and to secure applications and transactions as outlined in Figure 1 above. 6. BIOMETRIC MODALITIES The best known biometric modality, the fingerprint has been the focus of many organizations that are addressing mobile device security with biometrics. Signature/Sign (Crypto-Sign), Voice, Face and Iris are others. A few years ago AT&T conducted an independent evaluation of several biometric technologies for mobile devices, including Crypto-Sign (which they called Vector Signature) and based upon the matrix below (re-published from their Webinar on the subject) they came to the conclusion that: 1) Biometrics offer superior security, excellent usability, and moderate cost as compared with other authentication technologies. 2) Of the biometric technologies currently available on mobile devices, vector signature stands out for its ease of use, low cost, and high security. 3) Of the biometric technologies in development for mobile devices, only iris recognition compares to vector signature. 4) Enterprises are encouraged to add biometrics through third party solutions. Comparison of Biometric Technologies Characteristic Password Card or "Token" Finger Print Iris Facial Voice Signature Low or no additional hardware costs Yes No Varies Yes Yes Yes Yes Versatile hardware (used for other purposes) Yes No Yes Yes Yes Yes Yes Multiple hardware vendors Yes Yes Yes Yes Yes Yes Yes Hard to crack No Yes Varies Yes Varies Varies Yes Can't be lost or stolen No No Varies Yes Yes Yes Yes Can't be forgotten No No Yes Yes Yes Yes Yes Can't be copied No Varies Varies Yes Varies No Yes User-friendly No No Yes Yes Yes Yes Yes Currently available for mobile devices Yes Yes Yes No No Yes Yes Page AT&T Knowledge Ventures. All rights reserved. Page 6

7 7. INDUSTRY PUBLICATIONS AND INITIATIVES INCITS/NIST/NIAP INCITS (International Committee for Information Technology Standards), through its M1 Biometrics Committee has prosecuted a number of projects to ANSI status and these have been further prosecuted to ISO/IEC status - namely ISO/IEC JTC1 SC parts 1-n, which deal with a standardized format for biometric data exchange aimed at interoperability between vendors for particular modalities and, with associated CBEFF and BioAPI standards, define how best to communicate these data securely. NIST has published numerous Documents addressing many aspects of biometric systems and has concentrated recently on mobile device security Guidelines. A number of these publications are relevant: NIST SP This document is entitled Security and Privacy Controls for Federal Information Systems and Organizations. This document explains where biometric authentication is used as an individual authentication means. Version 4 includes comments on Privacy aspects NIST Electronic Authentication Guideline SP Extract This document supports the use of biometrics to unlock conventional authentication tokens. So we can infer that unlocking a password is supported by the document. NIST Special Publication This document is entitled Specification for WS-Biometric Devices (WS-BD) and is appropriate for companies developing Web Service-based biometric models. FIPS Authentication Requirements. This document is mainly about Encryption modules but it does say the following about Authentication. The strength of the authentication mechanism shall conform to the following specifications: For each attempt to use the authentication mechanism, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur (e.g., guessing a password or PIN, false acceptance error rate of a biometric device, or some combination of authentication methods). For multiple attempts to use the authentication mechanism during a one-minute period, the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. Feedback of authentication data to an operator shall be obscured during authentication (e.g., no visible display of characters when entering a password). Feedback provided to an operator during an attempted authentication shall not weaken the strength of the authentication mechanism. Page 7

8 FIPS PUB Personal Identity Verification (PIV) of Federal Employees and Contractors. This document addresses the PIV (CAC) card issued by the Government and the use of biometrics in relation to it NIST Special Publication This document goes into much more detail with regard to the use of biometrics with the Government PIV card. NIST Special Publication This document is specifically concerned with managing the security of the Mobile Device in the Enterprise. It points back to SP but otherwise does not mention biometrics specifically. NIST Special Publication This document is entitled Recommendation for Password-Based Key Derivation. It does not mention biometrics but does provide the basis for using a Password, which could have been generated via biometrics, for encryption key derivation. Special Publication This document is entitled Guidelines on Hardware-Rooted Security in Mobile Devices. It does not mention biometrics but is instructive in explaining how this significantly reduces the threat of malware affecting secure operation of the mobile device NIAP The National Information Assurance Program has recently turned its attention to Mobile Device Security and is in the process of generating a number of Protection Profiles for Mobile Devices. These Profiles lay down security properties to which the mobile devices must conform and describe tests which must be passed for compliance - and hence adoption for DoD and Government use. These Profiles, particularly relevant to the Mobile Device Management companies, are much concerned with encryption and barely mention the use of biometrics. The main comment about biometrics is: If the product supports additional forms of authentication, such as a raw key stored on an external token or biometrics, and if the product uses these factors to derive KEKs, these additional authentication factors shall be conditioned to have size equal to the size of the KEK derived by the Password Authorization Factor and shall be used in conjunction with the KEK derived from the Password Authorization Factor. NB a KEK is a Key Encryption Key This will be interpreted in different ways but the bottom line appears to be that biometrics as a means of authentication together with the derivation of key encryption keys, must be of sufficient size - whatever that means. The use of biometrics for device unlock does not seem to be addressed in the documents and this suggests it is left to the manufacturers, the carriers and 3 rd party ISV s like the MDM s. 8. CONCLUSIONS 1. The use of biometrics based upon local encrypted templates stored on the mobile device enables the device user to be associated with the device owner with a high degree of assurance. 2. The use of a PIN or pass code with the biometric test increases this assurance. Page 8

9 3. 1 and 2 above in conjunction can be used securely to generate passwords for Device Unlock, encryption, Network Authentication, Web Access, Application Protection, and Transaction Security. 4. The ability to release a trusted electronic signature with an ink-on-paper look to a relying party has many important implications for mobile payments and healthcare related transactions. 5. This process puts the responsibility for template security onto the device owner. In this scenario user template compromise would not lead to the compromise of other users templates - so it enhances general user privacy. 6. This device-specific solution would have a more secure hardware-root and would be more widely applicable if it were implemented in an on-board chip. 7. Web Service models provide for more generic and less device specific solutions but rely upon larger databases of templates, with attendant security issues. 8. For really high security and for DoD/Government systems, developers should evaluate NIAP Protection Profile schemes, however, these do not address device unlock. 9. DEVELOPMENT TSI is interested in discussing the development and marketing of mobile device biometric systems based upon the methods outlined in this document. Please contact Rod Beatson, TSI President if you would like to discuss opportunities. Rod Beatson Rod.Beatson@crypto-sign.com September 2013 Page 9