Analysis of Hardware Controls for Secure Authentication Group 2 Karan Asnani, John Bowen, Michael Ellis, Nirav Shah
Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion
Introduction • Access control is a key first step in infosec. • Authentication vs. Authorization. • Lack of effective access control, especially in the private sector. • Various hardware-based authenticators exist.
Smart Cards • Historically popular in Europe. • Evolved from magnetic stripe cards. • Four major uses: • Protect the privacy of individuals and keep their informational assets safe from hacking. • Restrict access to networks or computer systems, possibly in combination with hardware tokens. • Restrict physical access to protected areas. • Storage and encryption of sensitive data like certificates or passwords, usually in conjunction with a Public Key Infrastructure (PKI) that involves a certified digital certificate.
Categorization by memory • Memory cards: • Original version of smart cards. • Areas for temporary and permanent data. • Example: Prepaid phone cards. • Chip cards: • “True” smart cards. • Basically small computers containing memory and a microprocessor. • Large storage capacity.
Internal Architecture of a Chip Card (Dhar 6)
Categorization by interface • Contact: • Card in contact with reader for duration of transaction. • Data transmitted through electrical contact. • Contacts may wear out. • Contactless: • Speeds up transactions and easy to use. • Long lifetime. • Reduced vandalism of readers. • RFID
Pros and Cons • Pros: • Physical access restricted to authorized users. • Large capacity and multifunctionality. • Long lifetime. • Cards can be self-secure. • Cons: • Huge risk of card being lost or stolen. • High initial capital expenditure. • Issue of human trust.
Future • More research on: • Improving card technology. • Reducing cost of implementation. • Response systems for lost cards. • Market has huge scope for growth. • Smart cards are ready and available for wide scale deployment.
Hardware Token Overview • Goal: To safeguard systems by means of secure authentication while allowing for dynamic security. • Portable • Most produce a unique pass code. • Different shapes, sizes and implementations. • Pictured: RSA SecurID 700, RSA SecurID 200
History • Originated as devices called “dongles” in the 1970s. • Used serial and parallel ports. • Could be chained for multiple authentication. • Typically used to protect software from being copied or to secure access to private software.
Multifactor Authorization • Three Labels: • Knowledge-Based Authorization • Object-Based Authorization • ID-Based Authorization • Specifically, most hardware tokens use two-factor authorization. • “This example of token plus password constitutes the vast majority of current multifactor implementations” for hardware authentication today (O’Gorman 2024).
Functionality of Hardware Tokens • Two primary token types: • Time-changing passwords • Most change once every sixty seconds or less. • Achieved by the hardware token being synchronized with a system upon initialization. • Event-changing passwords • Pressing a button. • This generation of a unique password for each use is called a one-time password (OTP). • Pictured: VeriSign OTP Token, CRYPTOCard KT1
Pass Code Generation • Encryption algorithms are secret! • Vendors change encryption methods in new models. • RSA changed SecurID algorithm in 2003 • Most vendors use the Advanced Encryption Standard in order to generate pass codes.
Authentication • Used to limit access to VPNs, SSH, RAS, wireless networks, e-mail, etc. for Windows and Unix. • Typically, a user enters knowledge-based password and object-based OTP in the following way: STATIC | DYNAMIC • Sometimes multifactor encryption is done solely on the token. • The authentication process varies for each vendor and client. • Pictured: CRYPTOCard RB-1
USB Tokens • Extra storage capacity allows for encryption of stored files using a public key infrastructure (PKI). • Encryption and decryption are automatic. • Certificates can be stored on the USB token, which allows for digital signing of documents.
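The time-changing and event-changing codes and the STATIC | DYNAMIC passcode check described above, as an added example that is not from the original slides. Because vendor algorithms are secret, it substitutes the open HOTP construction (RFC 4226) with a sixty-second time step; the `TokenVerifier` class, the PIN-then-OTP ordering and the one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 60     # seconds per code, as for the sixty-second tokens above
DIGITS = 6    # length of the dynamic part

def hotp(seed: bytes, counter: int) -> str:
    """Event-based OTP (RFC 4226): truncated HMAC-SHA1 of a counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(seed: bytes, now: float) -> str:
    """Time-based OTP: the counter is the number of elapsed time steps."""
    return hotp(seed, int(now) // STEP)

class TokenVerifier:
    """Server-side state for one enrolled token (hypothetical helper)."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed = seed
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.drift_steps = drift_steps   # tolerated clock drift, in steps
        self.last_step = -1              # newest time step already accepted

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, now: float) -> bool:
        """Accept PIN + OTP once, within the drift window."""
        static, dynamic = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(self._hash(static), self.pin_hash)
        current = int(now) // STEP
        matched = None
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            # steps at or before last_step are spent: this blocks replay
            if step > self.last_step and hmac.compare_digest(
                    hotp(self.seed, step).encode(), dynamic.encode()):
                matched = step
        if pin_ok and matched is not None:
            self.last_step = matched
            return True
        return False
```

Recording the last accepted step is what makes each code single-use on the server: a captured passcode fails on resubmission even inside its sixty-second lifetime.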
Market • RSA Security is the largest single producer of hardware tokens. • VeriSign is gaining market share. • Discount token companies are emerging such as Vasco. • Most current use is by government and research institutions. • Common institutions are finally beginning to adopt hardware tokens.
Pros and Cons • Pros: • One-Time Password • Two-Factor Authentication • Increased Mobility • Cons: • Easily lost • Inconvenience • Costly Implementation
The Future of Hardware Tokens • Bluetooth and Zero-Interaction Authentication (ZIA). • Mobile phones and PDAs. • Increasing adoption facilitates cheaper technology and more research.
Biometrics & Face Recognition • Biometrics: using/analyzing physical features of an individual in the fields of security and access control • Face recognition: subset of biometrics in which facial features are analyzed as a means of: • Verification • Identification • Obvious uses in security in private industry
Face Recognition: History • 1960s • Woody Bledsoe, Helen Chan Wolf, and Charles Bisson develop 1st semi-automated recognition system • Required human assistance • Difficulties concerning orientation of face in calculations • 1970s • Introduction of subjective markers to aid in automation
History (continued) • 1980s • Kirby and Sirovich apply principal component analysis -> “Eigenfaces” (discussed later) • Considered breakthrough in face recognition • Reduced amount of data required • 1990s • Turk and Pentland extend technique to detect the face in an image
Face Recognition: Functionality • Two possible functions of face recognition: Identification problems & verification problems • General surveillance vs. guaranteeing an identity • Regardless of function, five steps are required: • Acquire image of face • Determine location of face • Analyze face • Compare results of analysis to reference data • Evaluate results of comparison
Functionality: Algorithms • Example algorithms: • Eigenface • Fisherface • Hidden Markov model • Dynamic Link Matching • Elastic Bunch Graph Matching (EBGM) • 3D Face Recognition (new) • Many variations of Eigenface method exist
Algorithms: Eigenfaces • AKA Principal Component Analysis • “One of the most successful methodologies for the computational recognition of faces in digital images” • Basis: amount of data carried in an image is much greater than what is needed to describe a face • Utilizes linear algebra techniques to compress data
Eigenfaces: Principal Component Analysis (PCA) • Summary: project input faces onto a dimensionally reduced space to carry out recognition • The mathematics • “PCA is a general method for identifying the linear directions in which a set of [data-containing] vectors are best represented in a least-squares sense, allowing a dimensional reduction by choosing the directions of largest variance” –Javier Ruiz-del-Solar
Principal Component Analysis (continued) • So what exactly does this mean? • Facial data from an image (once a face is extracted) is reduced using data compression basics into “eigenfaces” • Face image is represented as a weighted sum of the eigenfaces • So…what does this look like?
Standard Eigenfaces (figure) • Notice how only “relevant” facial data is retained.
Eigenfaces: Conclusion • Derived eigenfaces are compared to stored image • Comparison: distance between respective weighted sums of eigenfaces • Close mathematical matches = facial matches
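The eigenface pipeline from the preceding slides (mean face, principal directions, weights, distance comparison) carried through for the verification case, as an added example that is not from the original slides. The 3x3 "faces", the names ALICE and BOB, the power-iteration solver and the threshold used with `verify` are all constructed for illustration.

```python
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def eigenfaces(faces, k, iters=200):
    """Return (mean face, top-k eigenfaces) found by power iteration."""
    n, d = len(faces), len(faces[0])
    mean = [sum(f[i] for f in faces) / n for i in range(d)]
    centered = [[f[i] - mean[i] for i in range(d)] for f in faces]
    basis = []
    for _ in range(k):
        v = [1.0 + i for i in range(d)]            # fixed start vector
        for _ in range(iters):
            for e in basis:                        # deflate found directions
                p = dot(v, e)
                v = [a - p * b for a, b in zip(v, e)]
            # apply the covariance A^T A without building the d x d matrix
            proj = [dot(row, v) for row in centered]
            v = [sum(proj[j] * centered[j][i] for j in range(n))
                 for i in range(d)]
            norm = math.sqrt(dot(v, v))
            v = [a / norm for a in v]
        basis.append(v)
    return mean, basis

def weights(face, mean, basis):
    """Coefficients of the face as a weighted sum of the eigenfaces."""
    diff = [a - m for a, m in zip(face, mean)]
    return [dot(diff, e) for e in basis]

def distance(w1, w2):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(w1, w2)))

def verify(probe, template, mean, basis, threshold):
    """Verification: accept when the probe's weights are close enough."""
    return distance(weights(probe, mean, basis), template) <= threshold

# Constructed 3x3 grey-level "faces" (row-major), two samples per person.
ALICE = [[9, 9, 9, 5, 5, 5, 1, 1, 1], [9, 8, 9, 5, 6, 5, 1, 2, 1]]
BOB = [[1, 1, 1, 5, 5, 5, 9, 9, 9], [2, 1, 1, 5, 4, 5, 9, 9, 8]]
MEAN, BASIS = eigenfaces(ALICE + BOB, k=2)
ALICE_TEMPLATE = weights(ALICE[0], MEAN, BASIS)
BOB_TEMPLATE = weights(BOB[0], MEAN, BASIS)
PROBE = [8, 9, 9, 5, 5, 6, 2, 1, 1]     # new capture of Alice, slightly noisy
```

Nine pixel values per face are reduced to two weights, and the accept/reject decision rests entirely on the chosen distance threshold, which is where false accepts are traded against false rejects.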
Algorithms: 3D Methods • Capture facial images using more than one camera • 3D models hold more information than 2D • Greater accuracy in recognition • Algorithm similar to Eigenfaces but with some additional properties • 2D recognition currently outperforms 3D
Algorithms: Weaknesses • Affected by viewing angle • Illumination accentuates/diminishes certain features • Expressions cause variations in appearance • Objects may obscure face • Faces affected by time • Sensitivity to gender or ethnicity
Face Recognition: Testing • Face Recognition Technology (FERET) Program • Three main goals • Face Recognition Vendor Test (FRVT) • “measure progress of prototype systems/algorithms and commercial face recognition systems” • Figure: Verification performance data for the top three face recognition companies tested
Face Recognition: Standards • INCITS M1 • ISO SC37 • In 2004, Department of Homeland Security adopted 1st biometric face recognition standard • Used in applications such as travel documents • Specifies photograph properties
Face Recognition: Research & Market • Interest in use in security surveillance -> research in video-based face recognition • A number of research groups: • Carnegie Mellon • University of Maryland • U.S. government investing in 3D technology • $6 million in 2005 to A4Vision, Inc. • French Civil Aviation Authority employing 3D technology in airport
Face Recognition: Pros, Cons, & Conclusions • A number of technical difficulties resulting in relatively poor accuracy • Face recognition involves too many variables • Applications in security surveillance due to nature of face recognition • Still must overcome accuracy problem • However, with further research, verification via face recognition could find a niche in the private field, especially when coupled with other technologies • Iris scanning
Fingerprint Authentication • Form of biometric technology • ID-based authenticator • Unique to one person
History of Fingerprint Authentication • Dr. Henry Faulds - first scientist to mention identification as a use for fingerprints • Sir Francis Galton – put fingerprinting on a scientific basis • Use of fingerprinting in law enforcement • Use of Automated Fingerprint Identification System (AFIS)
Functionality of Fingerprint Authentication • Characteristics of a fingerprint • Ridges: Arches, whorls and loops • Minutia: Ridge endings, bifurcations, divergences, etc. • Fingerprint scanning • Two main types: Optical and Capacitance scanning
Optical Scanning • Photo taken in a process similar to a digital camera • Charge-Coupled Device (CCD) generates image through thousands of photosites • Each photosite records a pixel corresponding to the light that hits it
Capacitance Scanning • Uses property of capacitance to scan in image • One or more semiconductor chips each contain a number of cells. • Each cell has a capacitor, and the finger changes the capacitance of the cell, which generates the image, as the capacitance of ridges and valleys is different.
Market for Fingerprint Authentication • Host of products available from many different companies • Identix Inc • BioScrypt Inc • Ultra-Scan Corp • Companies have started to combine different biometric technologies • e.g. V-Smart by BioScrypt Inc
Pros and Cons of Fingerprint Authentication • Pros: • Extremely stable and hard to forge • Fairly accurate • Inexpensive and easy to use • Cons: • Not for everybody • False rejections are common. • Social stigma
Future of Fingerprint Authentication • Already a fairly established authentication technology • Expected to grow steadily through research and technology • Fingerprint biometrics expected to reach $2.6 billion by 2006 • More accurate, inexpensive fingerprint scanners expected.
Voice Authentication • A type of biometric technology • ID-based authenticator • Not always unique to one person • Two different types: • Speaker Verification • Speaker Identification