Biometrics: Biometric Identity Authentication (IEEE P2410, BOPS)

Biometric Identity Authentication
I am the author of IEEE P2410 (BOPS).
Triple of Device, Biometric, 2-Way SSL Cert
One Time Password
Liveness
BOPS Server architecture
IDS on Device
IDS on Server

BOPS details an end-to-end specification to perform server-based enhanced biometric security.
Diagram labels: User (biometrics and liveness); Two-way SSL; BOPS Server (keys for authentication and intrusion detection).

Steps for an X.509 Certificate (Two-way SSL, PKI)
Create the public and private key.
Sign the public key.
Add the private key.
You now have a cert.

IEEE Biometric Open Protocol Standard (BOPS): ensure privacy on mobile devices
Diagram labels (layout not recoverable): Account; Device; Enrolled User; Key Store (SSL); Trust Store (CA); Client Certificate; User Auth Encrypted Data; User Auth Data Encryption Key (571-bit ECC); BOPS Mobile Client Application; Two-way SSL; OS Secured Space; Client Certificate; Password; Biometric Vector.

BOPS is the IEEE standard for biometric-based identity assertion.
CONFIDENTIAL and PROPRIETARY, February 25, 2015
Lifecycle: Enrollment, Maintenance, Revocation, Storage.
BOPS is a global standard:
Protecting user privacy.
Defining clear rules and levels of acceptance.
Comprising the rules governing secure communication between a variety of client devices and the trusted server.
This paradigm forces an attacker to compromise one user at a time, since there is no single repository of critical data, thus deterring massive data breaches.

BOPS provides identity assertion, role gathering, multi-level access control, assurance, and auditing.
Identity Assertion: provides a guarantee that named users are who they claim to be.
Role Gathering: the BOPS server stores role gathering information to associate a unique user with a unique device and adjudicate what a user can see, write, and do.
Multi-level Access Control: BOPS may store data and analytics such that there is a guarantee of continuous protection and access control of all data.
Assurance: the BOPS Intrusion Detection System monitors spoofing attempts and blacklists subjects or devices that make malicious attempts.
Auditing: the BOPS server supports all auditing requests at the subject / object level or at the group level.

BOPS authenticates, establishes a secure key, and utilizes a two-way SSL connection.
Authentication: instead of authorization, and user information remains on the device.
Secure key: created on the backend behind a firewall, and matching occurs on the device.
Two-way SSL connection: data on device and server encrypted using 571-bit Elliptic Curve Cryptography.

There are multiple use cases for BOPS that extend across industries and functions.
Car preferences and safety features.
Perform ATM transactions safely.
Entry into secure buildings.
No more user names and passwords.
No more insurance cards and paperwork.

The rules for BOPS protect the enterprise and the end-user.
No biometric data stored in any back-end repository.
All data is fully encrypted, even in an underlying secure transfer layer.
Biometric match always happens on device, protecting users' privacy.
Certificate generation occurs in a secure server.
Critical data must be encrypted on device.
Secure back-end, servers, and systems with mobile device biometric access.
Allows pluggable components to replace existing components.
Liveness Detection Technology.
Intrusion Detection System monitors data traffic in ALL devices and servers.

What is 1-Way SSL
Uses a key store with keys from a certifying authority such as Verisign (purchased).
You specify a set of ciphers that may be used. Some ciphers have been compromised.
We consider 128-bit too small. ECC is currently best.

2-Way SSL
Uses a trust store, based on a self-signed certifying authority.
Set at boot time on a web server.
Initially meant for identity assertion (bad); overloaded to state who you could be.
Used with a biometric authorization.

An Example in Tomcat
$CATALINA_HOME/conf contains the configuration.
JAAS configuration for the login module: does identity assertion and role gathering.
The server.xml file contains the truststore and keystore, and the ports used.
Requires authentication on the device.
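What the two settings from the last three slides look like in a Tomcat server.xml, as an added example (not the presentation's or Hoyos Labs' own configuration): a one-way SSL connector that only proves the server's identity beside the two-way SSL connector that adds a truststore holding the self-signed CA and requires a client certificate, plus a JAASRealm for the login module. File names, passwords, ports and the JAAS class names are placeholders.

```xml
<!-- Added example, not the project's server.xml. Paths, passwords, ports and
     JAAS class names are placeholders. truststore.jks holds only the
     self-signed CA that issued the client certificates. -->

<!-- One-way SSL: the server proves its identity, the client proves nothing.
     Only the key store is involved. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystorePass="CHANGE_ME"
           clientAuth="false" />

<!-- Two-way SSL: clientAuth="true" fails the handshake unless the client
     presents a certificate chaining to a CA in the trust store. The cipher
     list is pinned to ECDHE / AES-256-GCM suites, excluding 128-bit,
     RC4 and 3DES suites. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystorePass="CHANGE_ME"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststorePass="CHANGE_ME"
           clientAuth="true"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />

<!-- JAAS realm inside <Engine> or <Host>: appName selects the login module
     entry in the JAAS config file; the principal classes are placeholders
     for the module that performs identity assertion and role gathering. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="BopsLogin"
       userClassNames="com.example.bops.UserPrincipal"
       roleClassNames="com.example.bops.RolePrincipal" />
```

Tomcat reads server.xml only at startup, which is what the earlier slide means by the trust store being set at boot time.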

Genesis
Uses a unique mechanism to determine the initial identity to fuse.
An initial default certificate is loaded into the client application. It is used to communicate genesis to the server.
Once the initial identity is found, a 2-way SSL key is loaded into the client application and the default certificate is used only for passwords.
The 2-way SSL Certificate has a GUID tied to the user.
Authentication and the 2-way Certificate are used moving forward.

Genesis (Continued)
Genesis gets a biometric that is hashed to a vector and reused during authentication.
Genesis never stores the biometric on the server.
To enroll another device, the other information ( , phone number) is used. This fuses the next enrollment with the Genesis.
The biometric vector is never stored on the server because it is possible to get from the biometric vector back to the actual biometric.

2-Way SSL Certificate
The 2-Way SSL Certificate has a password.
We do not want to store the password on the client, because if the client is compromised all the information is on one device.
Re-use the default certificate with a One Time Password algorithm.
The One Time Password is a GET or PUT parameter.
Server and client's One Time Password must be the same.
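The slide states the requirement (client and server must compute the same one-time password, and it travels as a GET or PUT parameter) but not the algorithm. As an added example, not the BOPS specification's or the presentation's code, here is one way to meet it with a time-based HMAC OTP (the RFC 6238 construction over a per-device secret) on both sides, including the two checks a server needs: tolerance for small clock skew and rejection of a replayed code. The secret, step size and digit count are assumptions.

```python
"""Time-based HMAC one-time password shared by a client and a server.
Added example: the OTP construction, secret, 30 s step and 8 digits are
assumptions, not parameters taken from BOPS or the presentation."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time window per code
DIGITS = 8          # assumed code length


def otp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA256(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset+4 <= 19 < 32
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def client_otp(secret: bytes, now: float) -> str:
    """Client side: the value placed in the GET/PUT parameter at time `now`."""
    return otp_for_counter(secret, int(now // STEP_SECONDS))


def server_verify(secret: bytes, presented: str, now: float,
                  used_counters: set, skew_steps: int = 1) -> bool:
    """Server side: recompute the code for the current window and its
    neighbours (clock skew), compare in constant time, and refuse a window
    whose code was already accepted, so each code really is one-time."""
    current = int(now // STEP_SECONDS)
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(otp_for_counter(secret, counter), presented):
            if counter in used_counters:
                return False                      # replay of an accepted code
            used_counters.add(counter)
            return True
    return False                                  # wrong secret, stale or forged


if __name__ == "__main__":
    # Constructed demo values, not real device material.
    secret = b"constructed-per-device-secret"
    t = 1_700_000_000.0
    code = client_otp(secret, t)
    seen = set()
    print(code, server_verify(secret, code, t, seen),        # accepted
          server_verify(secret, code, t, seen),              # replay refused
          server_verify(secret, code, t + 60, set()))        # outside skew
```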

Authentication
Compares the Biometric Vector on device (from Genesis) to the Biometric Vector just gathered.
Sends the result of the authentication to the server.
This initiates a "session" as a concept, with session data. In actuality we are stateless; we simulate a session.

Encrypted Store
We can set up areas on disk to encrypt and use biometrics to look up the key.
Encryption is tied to the biometric: only the person can unlock the file(s) with their biometric identity.
May be shared using DAC. DAC implies the use of groups, which is the solution.

B2B: Business to Business
For a business, we must integrate with the current environment.
New techniques do not line up with current integration, so we have to figure out where we integrate.
We access the current identity.

B2C: Business to Client
Password manager and encryption manager.
Uses Amazon Web Services.
Uses the CA of Hoyos Labs, and a truststore based on that CA.
Is a business-to-client application; does not integrate with any backend for a client.

IRIS
An IRIS is part of the eye. It is the best biometric we can use.
We cannot get it with a standard phone, so we currently use facial recognition. As phone cameras get better we will use IRIS.
We have proprietary devices that use IRIS.

General Purpose Devices
We use general purpose devices because this is what people have easy access to. You are rarely without your phone.

Passive Liveness
We wish to do liveness without gestures. To do this we either use the IRIS, which works for liveness, or we use four fingers on the phone.
We are in the EARLY days of biometrics, but they are advanced enough today for production.

Four Fingers
The idea of using the four fingers on the back of the phone as passive liveness: passive liveness would turn on the back camera and take a quick picture of your hand.
This is not as accurate as an IRIS, but very close; close enough for identity.

FAR – Facial 1 in 100
Facial recognition, when considered alone, has a 1 in 100 False Acceptance Rate.
When combined with Genesis and a 2-Way SSL key, we are looking at a false acceptance of less than 1 in 300 million.

No Facial One:Many
So we cannot take one face and go after a database of, say, 50,000 people; we will match with more than one.
So we either need IRIS, or four fingers, or a strong Genesis.

Twins
For twins, IRISes are different. IRIS is where we want to get.
IRIS is what we use for 1-to-many lookup: if I had an IRIS and looked it up across 50,000 people, I would only get one back, if I was in that database.
As biometrics get better, we get better.

Summary
BOPS – it is in your class notes.
Genesis.
How we deal with facial recognition having a false acceptance of 1 in 100: what is the solution?
How do we use 2-Way SSL?