Integrating Biometrics into the Database and Application Server Infrastructure
Shirley Ann Stern, Principal Product Manager, Oracle Corporation
Agenda
- Introduction
  - Importance of the infrastructure
  - Role of biometrics
- Database integration
- Application Server integration
- Identity management
  - Benefits to biometrics
- Conclusion
- Q and A
Traditional Support
- Biometrics can be used for verification or identification
  - 1 to 1: verification of a claimed identity
  - 1 to n: match of a particular individual out of a candidate population
- Biometric identification applications use a database for storage purposes
- Biometric authentication is supported as a password alternative for web applications
- Now changing to biometrics as part of a complete security solution
Importance of the Infrastructure
- Take advantage of the existing security environment: complement rather than re-invent
- Exploit existing features of availability, scalability, performance, etc.
- Additional partner opportunities for biometric vendors
- Better, easier integration for a complete solution
- Savings in time and money when incorporating biometrics
Oracle's Role in Biometrics
- Oracle Database and Application Servers supply the underlying, secure infrastructure
  - Existing security features encompass a range of requirements
  - Storage, processing, and manipulation of all types of structured and unstructured data
- Ongoing development efforts to become more biometric-friendly
- Partner integration is key
  - Several partners are loosely integrated with Oracle
  - Partners are the experts in biometric algorithms
Development Strategy for the Database
- Add to the larger security focus area by supporting biometric identification via advanced techniques for high-speed search and retrieval
- Leverage existing pattern matching and recognition features to optimize biometric vendor capabilities
- Actively seek partners to design, develop, and validate open APIs and performant index/search features
From Loose to Tight Integration
[Diagram: loose integration stacks Biometrics Application, BioAPI or vendor-specific API, Biometrics SDK, SQL/JDBC, RDBMS, Disk Storage; tight integration inserts a Mapping layer and the RDBMS Extensibility Framework between the Biometrics SDK and the RDBMS]
Tight Integration - Steps
- Templates can be stored in a table column (RAW, simple object, XML, CBEFF)
- Define SQL operators specific to the biometric
  - IdentifyMatch(): given an input template, returns all the templates which match the input within a certain threshold (defined as the primary operator)
  - Score(): returns the degree of match of the input template with a stored template (defined as ancillary to the IdentifyMatch operator)
- Develop an indexing scheme including filters to quickly eliminate non-matches
- Perform the exact match against the resulting reduced set of templates
Fingerprint Example
- Table creation

    CREATE TABLE Employees (
        name                 VARCHAR2(128),
        employee_id          INTEGER,
        dept                 VARCHAR2(30),
        fingerprint_template RAW(1024)
    );

- Indexing the column

    CREATE INDEX FingerprintIndex ON Employees(fingerprint_template)
        INDEXTYPE IS FingerprintIndexType;

- Retrieving and matching scores

    -- <input> is a placeholder for the probe template bound at query time
    SELECT name, Score(1)
    FROM   Employees
    WHERE  IdentifyMatch(fingerprint_template, <input>, 1) > 0;
Challenges
- Learning curve vs. the power and flexibility of the indexing approach
  - User-defined techniques can be applied to other domains
- Filters may not always reduce the search space
- Appreciable performance cost compared with an in-memory matching algorithm
Advantages
- Combine biometric and relational predicates in SQL to reduce the search space

    SELECT name, Score(1)
    FROM   Employees
    WHERE  IdentifyMatch(fingerprint_template, <input>, 1) > 0
    AND    dept = 'CIS';

- Support for multi-modal biometrics: increased accuracy, greater flexibility for deployment
Multi-modal Biometrics

    CREATE TABLE Employees (
        id                   INTEGER,
        fingerprint_template RAW(1024),
        face_template        RAW(1024)
    );

    -- both modalities must match
    SELECT Score(1), Score(2)
    FROM   Employees
    WHERE  IdentifyMatch(fingerprint_template, <input-fp>, 1) > 0
    AND    IdentifyMatch(face_template, <input-face>, 2) > 0;

    -- either modality may match
    SELECT Score(1), Score(2)
    FROM   Employees
    WHERE  IdentifyMatch(fingerprint_template, <input-fp>, 1) > 0
    OR     IdentifyMatch(face_template, <input-face>, 2) > 0;

    -- either modality matches, and the combined score exceeds a fused threshold
    SELECT Score(1), Score(2)
    FROM   Employees
    WHERE  (IdentifyMatch(fingerprint_template, <input-fp>, 1) > 0
            OR IdentifyMatch(face_template, <input-face>, 2) > 0)
    AND    Score(1) + Score(2) > 1;
Composite Biometrics

    CREATE TABLE Employees (
        id   INTEGER,
        biom CompositeBiometric
    );

    CREATE INDEX FingerprintFaceIndex ON Employees(biom)
        INDEXTYPE IS FingerprintFaceIndexType;

    SELECT Score(1)
    FROM   Employees
    WHERE  IdentifyMatch(biom, CompositeBiometric(<input-fp>, <input-face>), 1) > 0;
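To make the operator and index semantics from the "Tight Integration" and "Multi-modal Biometrics" slides concrete, here is an added toy model (not Oracle's or any vendor's code): IdentifyMatch()/Score() over constructed feature-vector templates, a filter index that prunes candidates by coarse class before the exact match, an optional relational predicate, and the three fusion queries. The table contents, the cosine-similarity matcher, and the 0.95 threshold are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed Employees table (not Oracle code): id -> (dept, fp template, face
# template). A template is (filter_key, feature_vector); the filter_key stands in
# for the coarse class an index filter would use to prune non-matches early.
EMPLOYEES = {
    101: ("CIS", ("whorl", (0.9, 0.0, 0.3)), ("oval", (0.5, 0.5, 0.2))),
    102: ("CIS", ("loop", (0.0, 1.0, 0.0)), ("oval", (0.5, 0.45, 0.25))),
    103: ("HR", ("whorl", (0.85, 0.1, 0.35)), ("oval", (0.3, 0.7, 0.1))),
}
THRESHOLD = 0.95  # similarity at or above which IdentifyMatch() reports a match

def score(stored, probe):
    """Score(): raw degree of match, cosine similarity clipped to [0, 1]."""
    dot = sum(x * y for x, y in zip(stored[1], probe[1]))
    return max(0.0, dot / (math.hypot(*stored[1]) * math.hypot(*probe[1])))

def identify_match(stored, probe, threshold=THRESHOLD):
    """IdentifyMatch(): the score if it reaches the threshold, otherwise 0."""
    s = score(stored, probe)
    return s if s >= threshold else 0.0

def indexed_identify(column, probe, dept=None):
    """Filter index + optional relational predicate, then exact match on the
    reduced set only. Returns [(id, score)], like SELECT name, Score(1)."""
    pos = 1 if column == "fp" else 2
    index = defaultdict(list)                 # filter_key -> candidate row ids
    for emp_id, row in EMPLOYEES.items():
        index[row[pos][0]].append(emp_id)
    hits = []
    for emp_id in index.get(probe[0], []):    # only rows in the probe's class
        row = EMPLOYEES[emp_id]
        if dept is not None and row[0] != dept:
            continue                          # e.g. AND dept = 'CIS'
        s = identify_match(row[pos], probe)
        if s > 0:
            hits.append((emp_id, s))
    return hits

def multimodal_identify(probe_fp, probe_face, mode):
    """Fusion modes: 'and', 'or', or 'sum' (either matches AND Score(1)+Score(2) > 1)."""
    hits = []
    for emp_id, (_, fp, face) in EMPLOYEES.items():
        m1, m2 = identify_match(fp, probe_fp), identify_match(face, probe_face)
        either = m1 > 0 or m2 > 0
        fused = score(fp, probe_fp) + score(face, probe_face)  # raw degrees, even below threshold
        if {"and": m1 > 0 and m2 > 0, "or": either, "sum": either and fused > 1}[mode]:
            hits.append(emp_id)
    return hits
```

Note that the 'sum' query is only meaningful because Score() reports the raw degree even for rows where IdentifyMatch() returned 0; otherwise it would collapse into the 'and' query.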
Development Strategy for the Application Server
- Add biometric authentication as a supported alternative for web-based applications
- Leverage existing Single Sign-On services for biometric partner integration
- Actively encourage partners to develop against and validate SSO APIs and services
Single Sign-On Today
[Diagram: Web Browser, Oracle9iAS HTTP Server, J2EE Application with JAAS roles, Oracle9iAS Single Sign-On, Oracle Internet Directory; flows labelled Identity Redirect, Encrypted Cookie, and Identity & Credential]
Single Sign-On via a Biometric
[Diagram: Web Browser, Biometric Server, Oracle9iAS HTTP Server with CustomLogin.jsp, Oracle9iAS Single Sign-On, Oracle Internet Directory; flows labelled Encrypted Cookie and Identity & Credential]
Advantages and Disadvantages
- Straightforward, minimal learning curve
- Single integration point to several applications
- Does accommodate multiple biometrics
- BUT: loose integration allows very little exploitation of other features
Identity Management
- Directory: LDAP standard repository for identity information
- Directory Integration: integration with other directories
- Provisioning Integration: automatic provisioning of users in a given environment
- Delegated Administration: self-service administration tools for managing identity information across the enterprise
- Single Sign-On: single sign-on to web applications
- Certificate Authority: issue and manage X.509v3-compliant certificates to secure email and network connections
Importance of Identity Management
[Diagram: Public Key Certificate Authority, Single Sign-on, Directory Integration, User Provisioning, and Delegated Administration arranged around the Directory]
- Wider focus, brings user management aspects together
- Better integration for the components
- More flexibility for APIs
- Greater recognition to PKI and smart cards, complementary to biometrics
Directory Integration for Biometrics
[Diagram: LDAP Clients and Directory Administration connect over LDAP over SSL to the OID Server, backed by the Oracle Database]
- Centralized user administration including biometrics
- Centralized profile management and automated user provisioning
- LDAP APIs for access to non-web based applications
- Database authentication via a biometric
Directory Synchronization
[Diagram: LDAP Clients connect over LDAP over SSL to the OID Server on the Oracle Database; Directory Synch. Services poll the server and exchange data over LDAP or File with a 3rd Party Metadirectory and Connected Directories]
- Single authentication and digital identity across two environments
  - Directories, application user repositories, database tables
- Support for custom routines to define custom password policies and authenticate users through external credential stores
PKI-enabled Authentication
- Directory provides centralized storage for user credentials and private keys
- PKI-enabled Single Sign-On using an X509v3-compliant certificate
- Certificate authorities can automatically authenticate with Single Sign-On
- Biometrics protects the private key and reduces abuse significantly over a PIN
- ...and storing the biometric on a smart card provides even greater security
Conclusion
- An underlying infrastructure can make it easier for both vendors and enterprise developers to plug in biometrics
- The infrastructure can be leveraged for performance, scalability, and maintainability factors that validate biometric effectiveness
- Identity management provides:
  - A framework to integrate biometrics, PKI, smart cards
  - A broader environment to incorporate biometric authentication