
Biometrics. Biometric Identity Authentication I am the author of IEEE P2410 - BOPS Triple of Device, Biometric, 2-Way SSL Cert One Time Password Liveness.


1 Biometrics

2 Biometric Identity Authentication
I am the author of IEEE P2410 - BOPS.
Triple of Device, Biometric, 2-Way SSL Cert
One Time Password
Liveness
BOPS Server architecture
IDS on Device
IDS on Server

3 BOPS details an end-to-end specification to perform server-based enhanced biometric security.
Diagram: User (biometrics and liveness) <--- Two-way SSL ---> BOPS Server (keys for authentication and intrusion detection)

4 Steps for an X.509 Certificate (Two-way SSL / PKI)
Create the public and private key.
Sign the public key.
Add the private key.
You now have a cert.

5 IEEE Biometric Open Protocol Standard (BOPS)
Diagram: Account, Device, Enrolled User; Key Store (SSL), Trust Store (CA), Client Certificate; User Auth Encrypted Data and Client User Auth Data Encryption Key; BOPS Mobile Client Application connected to the server over Two-way SSL; OS Secured Space holding the User Auth Data Encryption Key (571 ECC), Client Certificate, Password and Biometric Vector.
Ensure privacy on mobile devices.

6 BOPS is the IEEE standard for biometric-based identity assertion.
CONFIDENTIAL and PROPRIETARY, February 25, 2015
Enrollment, Maintenance, Revocation, Storage
BOPS is a global standard:
Protecting user privacy
Defining clear rules and levels of acceptance
Comprising the rules governing secure communication between a variety of client devices and the trusted server
This paradigm forces hackers to attack one user at a time, since there is no single repository of critical data, thus deterring massive data breaches.

7 BOPS provides identity assertion, role gathering, multi-level access control, assurance, and auditing.
Identity Assertion: provides a guarantee that named users are who they claim to be.
Role Gathering: the BOPS server stores role gathering information to associate a unique user with a unique device and adjudicate what a user can see, write, and do.
Multi-level Access Control: BOPS may store data and analytics such that there is a guarantee of continuous protection and access control of all data.
Assurance: the BOPS Intrusion Detection System monitors spoofing attempts and blacklists subjects or devices that make malicious attempts.
Auditing: BOPS supports all auditing requests at the subject / object level or at the group level.

8 BOPS authenticates, establishes a secure key, and utilizes a two-way SSL connection.
Authentication: instead of authorization, and user information remains on the device.
Secure key: created on the backend behind a firewall, and matching occurs on the device.
Two-way SSL connection: data on device and server encrypted using 571-bit Elliptic Curve Cryptography.

9 There are multiple use cases for BOPS that extend across industries and functions.
Car preferences and safety features
Perform ATM transactions safely
Entry into secure buildings
No more user names and passwords
No more insurance cards and paperwork

10 The rules for BOPS protect the enterprise and the end-user.
No biometric data stored in any back-end repository.
All data is fully encrypted, even inside an underlying secure transfer layer.
Biometric matches always happen on the device, protecting users' privacy.
Certificate generation occurs on a secure server.
Critical data must be encrypted on the device.
Secure back-end servers and systems with mobile device biometric access.
Allows pluggable components to replace existing components.
Liveness Detection Technology.
Intrusion Detection System monitors data traffic in ALL devices and servers.

11 What is 1-Way SSL
Uses a key store with keys purchased from a certifying authority such as Verisign.
You specify a set of ciphers that may be used. Some ciphers have been compromised.
We consider 128 bit too small. ECC is currently best.

12 2-Way SSL
Uses a trust store, based on a self-signed certifying authority.
Set at boot time on a Web Server.
Initially meant for Identity Assertion (bad). Overloaded to state who you could be.
Used with a biometric authorization.

13 An Example in Tomcat
$CATALINA_HOME/conf contains the configuration.
JAAS configuration for the login module: does identity assertion and role gathering.
The server.xml file contains the truststore and keystore, and the ports used.
Requires authentication on the device.

14 Genesis
Uses a unique mechanism to determine the initial identity to fuse.
An initial default certificate is loaded into the client application. It is used to communicate genesis to the server.
Once the initial identity is found, a 2-way SSL key is loaded into the client application and the default certificate is used only for passwords.
The 2-way SSL Certificate has a GUID tied to the user.
Authentication and the 2-way Certificate are used moving forward.

15 Genesis (Continued)
Genesis gets a biometric that is hashed to a vector and reused during authentication.
Genesis never stores the biometric on the server.
To enroll another device, the other information (email, phone number) is used. This fuses the next enrollment with the Genesis.
The biometric vector is never stored on the server because it is possible to get from the biometric vector to the actual biometric.

16 2-Way SSL Certificate
The 2-Way SSL Certificate has a password.
We do not want to store the password on the client, because if the client is compromised all the information is on one device.
Re-use the default certificate with a One Time Password algorithm.
The One Time Password is a GET or PUT parameter. The server's and client's One Time Password must be the same.
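The slides require the client and server to derive the same one-time password independently, so that the certificate password never sits on the device. As an added example (not code from the slides or from BOPS), the following assumes RFC 4226 HOTP (counter-based HMAC-SHA1) as the OTP algorithm, which the slides do not name, and uses an illustrative shared secret, device GUID and look-ahead window; the server also rejects replays of an OTP it has already accepted.

```python
# Added example, not from the slides: a one-time password that client and
# server derive independently, so the 2-way SSL certificate password never
# has to be stored on the device. The slides do not name the OTP algorithm;
# RFC 4226 HOTP (counter-based HMAC-SHA1) is assumed here, and the shared
# secret, device GUID and look-ahead window are illustrative choices.
import hashlib
import hmac
import struct

DIGITS = 6       # length of the OTP sent as the GET/PUT parameter
LOOK_AHEAD = 3   # counters the server will search past the last accepted one


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpClient:
    """Device side: keeps the shared secret (in OS-secured space) and a moving counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_otp(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server side: per-device secret keyed by the certificate GUID, plus the last accepted counter."""

    def __init__(self) -> None:
        self.devices = {}  # guid -> (secret, last accepted counter)

    def enroll(self, guid: str, secret: bytes) -> None:
        self.devices[guid] = (secret, -1)  # -1: nothing accepted yet

    def verify(self, guid: str, otp: str) -> bool:
        if guid not in self.devices:
            return False
        secret, last = self.devices[guid]
        # Only counters strictly past the last accepted one are tried, so a
        # replayed or stale OTP is rejected even though its MAC is valid.
        for counter in range(last + 1, last + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(secret, counter), otp):
                self.devices[guid] = (secret, counter)
                return True
        return False
```

The server stores only the shared secret and a counter per device GUID, never the certificate password itself.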

17 Authentication
Compares the Biometric Vector on the device (from Genesis) to the Biometric Vector just gathered.
Sends the result of the authentication to the server.
This initiates a "session" as a concept, with session data. In actuality we are stateless; we simulate a session.

18 Encrypted Store
We can set up areas on disk to encrypt and use biometrics to look up the key.
Encryption is tied to the biometric. Only the person can unlock the file(s) with their biometric identity.
May be shared using DAC. DAC implies the use of Groups, which is the solution.

19 B2B Business to Business
For a business, we must integrate with the current environment.
New techniques do not line up with current integration. We have to figure out where we integrate.
We access the current identity.

20 B2C Business to Client
Password manager and Encryption manager.
Uses Amazon Web Services.
Uses the CA of Hoyos Labs, and a trust store based on that CA.
Is a business to client application. Does not integrate with any backend for a client.

21 IRIS
So an IRIS is part of the eye. It is the best Biometric we can use.
We cannot get it with a standard phone, so we currently use Facial recognition. As phone cameras get better we will use IRIS.
We have proprietary devices that use IRIS.

22 General Purpose Devices
We use general purpose devices because this is what people have easy access to. You are rarely without your phone.

23 Passive Liveness
We wish to do liveness without gestures. To do this we either use the IRIS, which works for liveness, or we use 4 fingers on the phone.
We are in the EARLY days of biometrics, but they are advanced enough today for production.

24 Four Fingers
The idea of using the four fingers on the back of the phone as passive liveness. Passive liveness would turn on the back camera and take a quick picture of your hand.
This is not as accurate as an IRIS, but very close. Close enough for identity.

25 FAR – Facial 1 in 100
Facial recognition, when considered alone, has a 1 in 100 False Acceptance Rate.
When combined with Genesis and a 2-Way SSL key, we are looking at a false acceptance of less than 1 in 300 million.

26 No Facial One:Many
So we cannot take one face and go after a database of, say, 50,000 people. We will match with more than one.
So we either need IRIS or 4 finger, or a strong Genesis.

27 Twins
For twins, the IRISes are different. IRIS is where we want to get. IRIS is what we use for 1 to look up many.
So if I had an IRIS and looked up across 50,000 people, I would only get one back, if I was in that database.
As biometrics get better, we get better.
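As an added worked calculation (not part of the slides), the reason slides 26 and 27 rule out facial one-to-many search and reserve it for IRIS: with a per-comparison false acceptance rate $\mathrm{FAR}$ and $N$ enrolled templates, a 1:N lookup performs $N$ independent comparisons, so

$$E[\text{false matches}] = N \cdot \mathrm{FAR} = 50{,}000 \times \frac{1}{100} = 500,$$

$$P(\text{at least one false match}) = 1 - (1 - \mathrm{FAR})^{N} = 1 - 0.99^{50{,}000} \approx 1.$$

For the search to return only the genuine enrollee, one needs $N \cdot \mathrm{FAR} \ll 1$, i.e. $\mathrm{FAR} \ll 1/N = 2 \times 10^{-5}$ for $N = 50{,}000$; a 1-in-100 facial match is four orders of magnitude short, which is why the slides pair facial recognition with a strong Genesis for 1:1 authentication and leave 1:N lookup to IRIS (or four fingers).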

28 Summary
BOPS – It is in your class notes.
Genesis.
How we deal with Facial having a false acceptance of 1 in 100. What is the solution?
How do we use 2-Way SSL.

