Biometrics
Biometric Identity Authentication I am the author of IEEE P BOPS Triple of Device, Biometric, 2-Way SSL Cert One Time Password Liveness BOPS Server architecture IDS on Device IDS on Server
BOPS details an end-to-end specification to perform server-based enhanced biometric security. p. 3 User Biometrics and liveness BOPS Server Keys for authentication and intrusion detection Two-way SSL
Steps for A X.509 Certificate p. 4 Two-way SSL Create the Public and Private Key Sign the Public Key Add the Private Key You now have a Cert PKI
IEEE Biometric Open Protocol Standard (BOPS) Account Device Enrolled User Key Store (SSL) Trust Store (CA) Client Certificate User Auth Encrypted Data Client User Auth Data Encryption Key Client User Auth Data Encryption Key BOPS Mobile Client Application Mobile Client Application Two-way SSL OS Secured Space = + User Auth Data Encry ption Key (571 ECC) User Auth Data Encry ption Key (571 ECC) Client Certifi cate Pass word Biometric Vector Ensure privacy on mobile devices
BOPS is the IEEE standard for biometric-based identity assertion. CONFIDENTIAL and PROPRIETARY February 25, 2015 p. 6 EnrollmentMaintenance RevocationStorage BOPS is a global standard: Protecting user privacy Defining clear rules, and levels of acceptance, Comprising the rules governing secure communication of between a variety of client devices and the trusted server This paradigm forces hackers to hack a user at a time since there is no one repository of critical data, thus deterring massive breaches of data.
BOPS provides identity assertion, role gathering, multi- level access control, assurance, and auditing. CONFIDENTIAL and PROPRIETARY February 25, 2015 p. 7 Identity Assertion Provides a guarantee that named users are who they claim to be Role Gathering BOPS server stores role gathering information to associate a unique user with a unique device and adjudicate what a user can see, write, and do Multi-level Access Control BOPS may store data and analytics such that there is a guarantee of continuous protection and access control of all data Assurance BOPS Intrusion Detection System monitors spoofing attempts and blacklists subjects or devices that make malicious attempts BOPS Server Auditing BOPS supports all auditing requests at the subject / object level or at the group level
BOPS authenticates, establishes a secure key, and utilizes a two-way SSL connection. Authentication Instead of authorization, and user information remains on the device Authentication Instead of authorization, and user information remains on the device Secure key Created on the backend behind a firewall, and matching occurs on the device Secure key Created on the backend behind a firewall, and matching occurs on the device Two-way SSL connection Data on device and server encrypted using 571bit Elliptic Curve Cryptography Two-way SSL connection Data on device and server encrypted using 571bit Elliptic Curve Cryptography CONFIDENTIAL and PROPRIETARY February 25, 2015 p. 8
There are multiple use cases for BOPS that extend across industries and functions. Car preferences and safety features Perform ATM transactions safely Entry into secure buildings No more user names and passwords No more insurance cards and paperwork
The rules for BOPS protect the enterprise and the end- user. CONFIDENTIAL and PROPRIETARY February 25, 2015 p. 10 No biometric data stored in any back- end repository All data is fully encrypted, even in an underlying secure transfer layer Biometric match always happen on device, protecting users privacy. Certificate generation occurs in a secure server Critical data must be encrypted on device Secure back-end, severs, systems with mobile device biometric access Allows pluggable components to replace existing components Liveness Detection Technology Intrusion Detection System monitors data traffic in ALL devices and servers
What is 1 Way SSL Uses a key store with keys from a certifying authority such as Verisign. Purchased You specify a set of ciphers that may be used. Some ciphers have been compromised. We consider 128 bit too small. ECE is currently best.
2 Way SSL Uses a trust store. Based on a self signed certifying authority. Set at boot time on a Web Server. Initially met for Identity Assertion (bad). Overloaded to state who you could be. Used with a biometric authorization.
An Example in Tomcat $CATALINE_HOME/conf contains configuration. JAAS configuration for login module. Does identity assertion and role gathering. The server.xml file contains truststore and keystore. Contains the ports used. Requires authentication on the device.
Genesis Uses a unique mechanism to determine the initial identity to fuse. An initial default certificate is loaded into the client application. It is used to communicate genesis to the server. Once the initial identity is found a 2-way SSL key is loaded into the client application and the default certificate is used only for passwords.. The 2 way SSL Certficate has a GUID tied to the user. Authentication and the 2-way Certificate is used moving forward.
Genesis (Continued) Genesis gets a biometric that is hashed to a vector and reused during authentication. Genesis never stores the biometric on the server. To enroll another device, the other information ( ,phone number) are used. This fuses the next enrollment with the Genesis. The biometric vector is never stored on the server because it is possible to get from the biometric vector to the actual biometric.
2-Way SSL Certificate The 2-Way SSL Certificate has a password. We do not want to store the password on the client because if the client in compromised all the information is on one device. Re-use the default certificate with a One Time Password algorithm. The One Time Password is a Get or Put parameter. Server and client's One Time Password must be the same.
Authentication Compares Biometric Vector on device (from Genesis) to Biometric Vector just gathered. Sends the result of the authentication to the server. This initiates a “session” as a concept with session data. In actuality we are stateless. We simulate a session.
Encrypted Store We can setup areas on disk to encrypt and used biometrics to look up the key. Encryption is tied to the biometric. Only the person can unlock the file(s) with their biometric identity. May be shared using DAC. DAC implies the use of Groups, which is the solution.
B2B Business to Business For a business, we must integrate to the current environment. New techniques do not line up with current integration. We have to figure where we integrate. We access the current identity.
B2C Business to Client Password manager and Encryption manager. Uses Amazon Web Services. Uses CA of Hoyos Labs. Uses Truststore based on CA. Is a business to client application. Does not integrate with any backend for a client.
So an IRIS is part of the eye. It is the best Biometric we can use. We cannot get it with a standard phone so we currently use Facial recognition. As phone Cameras get better we will use IRIS. We have proprietary devices that use IRIS. IRIS
We use general purpose devices because This is what people have easy access to. You rarely are without your phone. General Purpose Devices
Passive Liveness We wish to do liveness without Gestures. To do this we either use the IRIS which works for Liveness or we use 4 fingers on the phone. We are in the EARLY days of biometrics but they are advanced enough today for production.
Is the idea of using the four fingers on the back Of the phone as passive liveness. Passive liveness would turn on the back camera and take a quick picture of your hand. This is not as accurate as an IRIS but very close Close enough for identity. Four Fingers
Facial recognition when considered alone Is 1 in 100 False Acceptance Rate. When combined with Genesis and a 2-Way SSL key we are looking at a false acceptance of less than 1 in 300 million. FAR – Facial 1 in 100
So we cannot take one face and go after a Database of say 50,000 people. We will match with more than one. So we either need IRIS Or 4 finger, or a strong Genesis. No Facial One:Many
For twins IRIS' are different. IRIS is where we want to get. IRIS is what we use for 1 to look up many. So if I had an IRIS and looked up across 50,000 people, I would only get one back, if I was in that database. As biometrics get better, we get better. Twins
BOPS – It is in your class notes. Genesis How we deal with Facial having a false acceptance of 1 in 100 What is the solution? How do we use 2-Way SSL. Summary