Orville Wilson


Transcript of Orville Wilson

  • 8/8/2019 Orville Wilson

    Privacy & Identity - Security and Usability:

    The viability of Passwords & Biometrics

    Introduction

    Name: Orville Wilson

    Alumni at DePaul University

    Doctoral Student

    Currently work for an Information Security and Managed Services firm, Fortrex Technologies, located in DC/Baltimore area.

    Agenda

    Statistical Research

    Background on Passwords & Biometrics

    Overview of Biometrics

    How they work

    Strengths, Weaknesses and Usability of Biometrics

    Conclusion

    Empirical Data

    Yearly cyber crime cost in the US is over $377 million and rising (CSI/FBI Study)

    Federal Trade Commission found that identity theft accounted for $48 billion in losses to business over the past five years

    Background on Passwords & Biometrics

    Passwords

    • Ubiquitous technology
    • Passwords are one of the oldest authentication methods.
    • Many organizations and institutions have used passwords for computer access since 1963, when Fernando J. Corbato added private codes to the CTSS at MIT

    Biometrics

    • First introduced in the 1970s and early 1980s
    • This technology gathers unique physiological or behavioral attributes of a person for storing in a database or comparing with one already found in a database.
    • Reasons for biometrics include the positive authentication and verification of a person and ensuring confidentiality of information in storage or in transit

    Advantages

    • Reduces cost within organizations
    • Increases security
    • Competitive advantage
    • Convenience to employees
    • Eliminates a paper trail

    Disadvantages

    • Accuracy of performance
    • Failure to enroll rate
    • Information abuse
    • May violate privacy

    Example: Technical working of finger scanning devices

    [Diagram; labels: Fingerprint Scanner, Electronic images, Token, Security Application, Database, Access or deny]

    Biometrics

    2 Categories of Biometrics

    • Physiological, also known as static biometrics: biometrics based on data derived from the measurement of a part of a person's anatomy. For example, fingerprints and iris patterns, as well as facial features, hand geometry and retinal blood vessels

    • Behavioral: biometrics based on data derived from measurement of an action performed by a person and, distinctively, incorporating time as a metric, that is, the measured action. For example, voice (speaker verification)

    Biometrics: How do they work?

    Although biometric technologies differ, they all work in a similar fashion:

    • The user submits a sample that is an identifiable, unprocessed image or recording of the physiological or behavioral biometric via an acquisition device (for example, a scanner or camera)
    • This biometric is then processed to extract information about distinctive features to create a trial template or verification template
    • Templates are large number sequences. The trial template is the user's password.
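
    The enroll-then-verify flow described above, as an added example that is not part of the original slides. Templates are modeled as 2048-bit strings compared by fractional Hamming distance against a threshold; the template size, distance measure, threshold values and the `alice` record are all assumptions for illustration. It shows why a trial template cannot be compared exactly the way a password is, and how the threshold trades false rejects against false accepts.

```python
import random

TEMPLATE_BITS = 2048   # assumed template size for this sketch
THRESHOLD = 0.32       # assumed decision threshold (fraction of differing bits)

def random_template(rng):
    """Stand-in for feature extraction: a constructed random bit string."""
    return rng.getrandbits(TEMPLATE_BITS)

def noisy_sample(template, flips, rng):
    """Same person, new capture: exactly `flips` bits differ (sensor noise)."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template

def distance(a, b):
    """Fractional Hamming distance between two templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS

def verify(enrolled, trial, threshold=THRESHOLD):
    """Access-or-deny decision made by the security application."""
    return distance(enrolled, trial) <= threshold

def password_style_verify(enrolled, trial):
    """Exact comparison, the way a password (or its hash) is checked."""
    return enrolled == trial

def demo():
    rng = random.Random(2019)                    # fixed seed: constructed data
    database = {"alice": random_template(rng)}   # enrollment template
    enrolled = database["alice"]
    genuine = noisy_sample(enrolled, 204, rng)   # about 10% capture noise
    impostor = random_template(rng)              # another person's biometric
    return {
        "genuine_exact": password_style_verify(enrolled, genuine),
        "genuine_threshold": verify(enrolled, genuine),
        "impostor_threshold": verify(enrolled, impostor),
        "genuine_distance": distance(enrolled, genuine),
        # Threshold set too strict: the genuine user is falsely rejected.
        "too_strict": verify(enrolled, genuine, threshold=0.05),
        # Threshold set too loose: the impostor is falsely accepted.
        "too_loose": verify(enrolled, impostor, threshold=0.60),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
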

    Overview of Biometrics

    Iris
      Acquisition device: Infrared-enabled video camera, PC camera
      Sample: Black and white iris image
      Feature extracted: Furrows and striations of iris

    Fingerprint
      Acquisition device: Desktop peripheral, PC card, mouse chip or reader embedded in keyboard
      Sample: Fingerprint image (optical, silicon, ultrasound or touchless)
      Feature extracted: Location and direction of ridge endings and bifurcations on fingerprint, minutiae

    Voice
      Acquisition device: Microphone, telephone
      Sample: Voice recording
      Feature extracted: Frequency, cadence and duration of vocal pattern

    Signature
      Acquisition device: Signature tablet, motion-sensitive stylus
      Sample: Image of signature and record of related dynamics measurement
      Feature extracted: Speed, stroke order, pressure and appearance of signature

    Face
      Acquisition device: Video camera, PC camera, single-image camera
      Sample: Facial image (optical or thermal)
      Feature extracted: Relative position and shape of nose, position of cheekbones

    Hand
      Acquisition device: Proprietary wall-mounted unit
      Sample: 3-D image of top and sides of hand
      Feature extracted: Height and width of bones and joints in hands and fingers

    Retina
      Acquisition device: Proprietary desktop or wall mountable unit
      Sample: Retina image
      Feature extracted: Blood vessel patterns and retina

    Strengths, Weaknesses and Usability of Biometrics

    Iris
      Strengths: Very stable over time; Uniqueness
      Weaknesses: Potential user resistance; Requires user training; Dependent on a single vendor's technology
      Usability: Information security access control, especially for Federal Institutions and government agencies; Physical access control (FIs and government); Kiosks (ATMs and airline tickets)

    Fingerprint
      Strengths: Most mature biometric technology; Accepted reliability; Many vendors; Small template (less than 500 bytes); Small sensors that can be built into mice, keyboards or portable devices
      Weaknesses: Physical contact required (a problem in some cultures); Association with criminal justice; Vendor incompatibility; Hampered by temporary physical injury
      Usability: IS access control; Physical access control; Automotive

    Optical
      Strengths: Most proven over time; Temperature stable
      Weaknesses: Large physical size; Latent prints; CCD coating erodes with age; Durability unproven

    Strengths, Weaknesses and Usability of Biometrics

    Silicon
      Strengths: Small physical size; Cost is declining
      Weaknesses: Requires careful enrollment; Unproven in sub optimal conditions

    Ultrasound
      Strengths: Most accurate in sub optimal conditions
      Weaknesses: New technology, few implementations; Unproven long term performance

    Voice
      Strengths: Good user acceptance; Low training; Microphone can be built into PC or mobile device
      Weaknesses: Unstable over time; Changes with time, illness, stress or injury; Different microphones generate different samples; Large template unsuitable for recognition
      Usability: Mobile phones; Telephone banking and other automated call centers

    Signatures
      Strengths: High user acceptance; Minimal training
      Weaknesses: Unstable over time; Occasional erratic variability; Changes with illness, stress or injury; Enrollment takes time
      Usability: Portable devices with stylus input; Applications where a wet signature ordinarily would be used

    Strengths, Weaknesses and Usability of Biometrics

    Face
      Strengths: Universally present
      Weaknesses: Cannot distinguish identical siblings; Religious or cultural prohibitions
      Usability: Physical access control

    Hand
      Strengths: Small template (approximately 10 bytes); Low failure to enroll rate; Unaffected by skin condition
      Weaknesses: Physical size of acquisition device; Physical contact required; Juvenile finger growth; Hampered by temporary physical injury
      Usability: Physical access control; Time and attendance

    Retina
      Strengths: Stable over time; Uniqueness
      Weaknesses: Requires user training and cooperation; High user resistance; Slow read time; Dependent on a single vendor's technology
      Usability: IS access control, especially for high security government agencies; Physical access control (same as IS access control)

    Comparison of Different Biometrics Technology

    Promise that Biometrics hold for Privacy

    Increased Security

    • Biometric cannot be lost, stolen or forgotten; it cannot be written down and stolen by social re-engineering
    • By implementing biometrics, organizations can positively verify users' identities, improving personal accountability
    • In conjunction with smart cards, biometrics can provide strong security for Public Key Infrastructure (PKI)

    Perils that Biometrics hold for Privacy

    Privacy is one of the leading inhibitors for biometrics technology. Main issues:

    Misuse of Data

    • Health/Lifestyle: Specific biometric data has been linked with information beyond which it is set out to be used for, such as AIDS. Is a person able to control the information gathered on himself/herself?

    Function Creep

    • Law Enforcement: The template database may be available for law enforcement
    • Credit Reporting: The template database may be cross referenced against other databases, including those held in hospitals and the police departments, by a credit reporting agency

    Future Trends in Biometrics

    • Body Odor: Body odor can be digitally recorded for identification. A British company, Mastiff Electronic System Ltd., is working on such a system

    • DNA Matching: This is the ultimate biometric technology that can produce proof positive identification of an individual

    • Keystroke Dynamics: Keystroke dynamics, also referred to as typing rhythms, is an innovative biometric technology

    Conclusion

    1. All authentication methods are prone to errors. Nevertheless, reliable user authentication must ensure that an attacker cannot masquerade as a legitimate user

    2. Biometrics is uniquely bound to individuals and may offer organizations a stronger method of authentication

    3. Biometric systems are not foolproof; they can be compromised by:

       • Submission of another person's biometric
       • Submission of enrollee's biometric with the user under duress or incapacitated

    4. A prudent balance between Security and Privacy needs to be achieved