Analysis of Hardware Controls for Secure Authentication

Analysis of Hardware Controls for Secure Authentication. Group 2 Karan Asnani, John Bowen, Michael Ellis, Nirav Shah. Outline. Introduction to access control Smart cards Hardware tokens Biometrics Face recognition Fingerprint scanning Voice recognition Conclusion.


Presentation Transcript


  1. Analysis of Hardware Controls for Secure Authentication Group 2 Karan Asnani, John Bowen, Michael Ellis, Nirav Shah

  2. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  3. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  4. Introduction • Access control is a key first step in infosec. • Authentication vs. Authorization. • Lack of effective access control, especially in the private sector. • Various hardware-based authenticators exist.

  5. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  6. Smart Cards • Historically popular in Europe. • Evolved from magnetic stripe cards. • Four major uses: • Protect the privacy of individuals and keep their informational assets safe from hacking. • Restrict access to networks or computer systems, possibly in combination with hardware tokens. • Restrict physical access to protected areas. • Storage and encryption of sensitive data like certificates or passwords, usually in conjunction with a Public Key Infrastructure (PKI) that involves a certified digital certificate.

  7. Categorization by memory • Memory cards: • Original version of smart cards. • Areas for temporary and permanent data. • Example: Prepaid phone cards. • Chip cards: • “True” smart cards. • Basically small computers containing memory and a microprocessor. • Large storage capacity.

  8. Internal Architecture of a Chip Card (Dhar 6)

  9. Categorization by interface • Contact: • Card in contact with reader for duration of transaction. • Data transmitted through electrical contact. • Contacts may wear out. • Contactless: • Speeds up transactions and easy to use. • Long lifetime. • Reduced vandalism of readers. • RFID

  10. Pros and Cons • Pros: • Physical access restricted to authorized users. • Large capacity and multifunctionality. • Long lifetime. • Cards can be self-secure. • Cons: • Huge risk of card being lost or stolen. • High initial capital expenditure. • Issue of human trust.

  11. Future • More research on: • Improving card technology. • Reducing cost of implementation. • Response systems for lost cards. • Market has huge scope for growth. • Smart cards are ready and available for wide scale deployment.

  12. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  13. Hardware Token Overview • Goal: To safeguard systems by means of secure authentication while allowing for dynamic security. • Portable • Most produce a unique pass code. • Different shapes, sizes and implementations. (Pictured: RSA SecurID 700, RSA SecurID 200)

  14. History • Originated as devices called “dongles” in the 1970s. • Used serial and parallel ports. • Could be chained for multiple authentication. • Typically used to protect software from being copied or to secure access to private software.

  15. Multifactor Authentication • Three Labels: • Knowledge-Based Authentication • Object-Based Authentication • ID-Based Authentication • Specifically, most hardware tokens use two-factor authentication. • “This example of token plus password constitutes the vast majority of current multifactor implementations” for hardware authentication today (O’Gorman 2024).

  16. Functionality of Hardware Tokens Two primary token types: • Time-changing passwords • Most change once every sixty seconds or less. • Achieved by the hardware token being synchronized with a system upon initialization. • Event-changing passwords • Generated by pressing a button. This generation of a unique password for each use is called a one-time password (OTP). (Pictured: VeriSign OTP Token, CRYPTOCard KT1)

  17. Pass Code Generation • Encryption algorithms are secret! • Vendors change encryption methods in new models. • RSA changed SecurID algorithm in 2003 • Most vendors use the Advanced Encryption Standard in order to generate pass codes.

  18. Authentication • Used to limit access to VPNs, SSH, RAS, wireless networks, e-mail, etc., for Windows and Unix. • Typically, a user enters the knowledge-based password and the object-based OTP in the following way: STATIC followed by DYNAMIC. • Sometimes multifactor encryption is done solely on the token. • The authentication process varies for each vendor and client. (Pictured: CRYPTOCard RB-1)
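Slides 16 to 18 describe a time-synchronized pass code entered after a static password. The sketch below is an added example, not code from the presentation or from any vendor: because the slides note that vendor algorithms are secret, it substitutes the open HMAC-based scheme of RFC 4226/6238, and `TokenAccount`, the 6-digit length and the one-step drift window are assumptions.

```python
import hashlib, hmac, os, struct

STEP, DIGITS = 60, 6   # 60-second codes as on the slide; 6 digits is an assumption

def otp(seed: bytes, counter: int) -> str:
    """RFC 4226 code for one counter value (a time step or a button press)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                                  # dynamic truncation
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the static part is never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenAccount:
    """Hypothetical server-side record for one enrolled token."""
    def __init__(self, pin: str, seed: bytes):
        self.salt = os.urandom(16)
        self.pin = pin_hash(pin, self.salt)
        self.seed = seed               # shared with the token at initialization
        self.last_step = -1            # highest time step already accepted

    def verify(self, passcode: str, now: float, drift: int = 1) -> bool:
        """Check a pass code of the form static PIN + dynamic code."""
        if len(passcode) <= DIGITS:
            return False
        static, dynamic = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin_hash(static, self.salt), self.pin)
        current, matched = int(now) // STEP, None
        # Tolerate clock drift of +/- `drift` steps, but never an already used step.
        first = max(current - drift, self.last_step + 1)
        for step in range(first, current + drift + 1):
            if hmac.compare_digest(otp(self.seed, step).encode(), dynamic.encode()):
                matched = step
        if pin_ok and matched is not None:
            self.last_step = matched   # one-time: replaying this code now fails
            return True
        return False

# Constructed sample: the RFC 4226 test seed, so the codes are reproducible.
SEED = b"12345678901234567890"
```

A wrong static part does not consume the time step, so a failed guess cannot lock out the code the legitimate user is about to enter; rate limiting of failed attempts is left out of this sketch.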

  19. USB Tokens • Extra storage capacity allows for encryption of stored files using a public key infrastructure (PKI). • Encryption and decryption are automatic. • Certificates can be stored on the USB token, which allows for digital signing of documents.

  20. Market • RSA Security is the largest single producer of hardware tokens. • VeriSign is gaining market share. • Discount token companies, such as Vasco, are emerging. • Most current use is by government and research institutions. • Common institutions are finally beginning to adopt hardware tokens.

  21. Pros and Cons • Pros: • One-Time Password • Two-Factor Authentication • Increased Mobility • Cons: • Easily lost • Inconvenience • Costly Implementation

  22. The Future of Hardware Tokens • Bluetooth and Zero-Interaction Authentication (ZIA). • Mobile phones and PDAs. • Increasing adoption facilitates cheaper technology and more research.

  23. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  24. Biometrics & Face Recognition • Biometrics: using/analyzing physical features of an individual in the fields of security and access control • Face recognition: subset of biometrics in which facial features are analyzed as a means of: • Verification • Identification • Obvious uses in security in private industry

  25. Face Recognition: History • 1960s • Woody Bledsoe, Helen Chan Wolf, and Charles Bisson develop 1st semi-automated recognition system • Required human assistance • Difficulties concerning orientation of face in calculations • 1970s • Introduction of subjective markers to aid in automation

  26. History (continued) • 1980s • Kirby and Sirovich apply principal component analysis -> “Eigenfaces” (discussed later) • Considered breakthrough in face recognition • Reduced amount of data required • 1990s • Turk and Pentland extend technique to detect the face in an image

  27. Face Recognition: Functionality • Two possible functions of face recognition: Identification problems & verification problems • General surveillance vs. guaranteeing an identity • Regardless of function, five steps are required: • Acquire image of face • Determine location of face • Analyze face • Compare results of analysis to reference data • Evaluate results of comparison

  28. Functionality: Algorithms • Example algorithms: • Eigenface • Fisherface • Hidden Markov model • Dynamic Link Matching • Elastic Bunch Graph Matching (EBGM) • 3D Face Recognition (new) • Many variations of Eigenface method exist

  29. Algorithms: Eigenfaces • AKA Principal Component Analysis • “One of the most successful methodologies for the computational recognition of faces in digital images” • Basis: amount of data carried in an image is much greater than what is needed to describe a face • Utilizes linear algebra techniques to compress data

  30. Eigenfaces: Principal Component Analysis (PCA) • Summary: project input faces onto a dimensionally reduced space to carry out recognition • The mathematics • “PCA is a general method for identifying the linear directions in which a set of [data-containing] vectors are best represented in a least-squares sense, allowing a dimensional reduction by choosing the directions of largest variance” –Javier Ruiz-del-Solar

  31. Principal Component Analysis (continued) • So what exactly does this mean? • Facial data from an image (once a face is extracted) is reduced using data compression basics into “eigenfaces” • Face image is represented as a weighted sum of the eigenfaces • So…what does this look like?

  32. Standard Eigenfaces Notice how only “relevant” facial data is retained.

  33. Eigenfaces: Conclusion • Derived eigenfaces are compared to stored image • Comparison: distance between respective weighted sums of eigenfaces • Close mathematical matches = facial matches
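Slides 30 to 33 describe the eigenface pipeline: reduce each face to a few weights, then compare weights by distance. The following is an added example, not code from the presentation; the 8-pixel "images", the user names, the choice of three eigenfaces and the threshold are constructed assumptions, and plain power iteration stands in for a numerical library.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def leading_eigenvectors(m, k, iters=500):
    """k leading eigenvectors of a symmetric matrix (power iteration, deflation)."""
    n, m, found = len(m), [row[:] for row in m], []
    for _ in range(k):
        v = [1.0 / (i + 1) for i in range(n)]          # fixed start, deterministic
        for _ in range(iters):
            w = [dot(row, v) for row in m]
            norm = math.sqrt(dot(w, w))
            v = [x / norm for x in w]
        lam = dot(v, [dot(row, v) for row in m])
        found.append(v)
        # Deflate: subtract the component just found before the next search.
        m = [[m[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
    return found

def train(faces, k):
    """Return (mean face, k eigenfaces) from equal-length pixel vectors."""
    n = len(faces[0])
    mean = [sum(f[i] for f in faces) / len(faces) for i in range(n)]
    centred = [[f[i] - mean[i] for i in range(n)] for f in faces]
    cov = [[sum(c[i] * c[j] for c in centred) for j in range(n)] for i in range(n)]
    return mean, leading_eigenvectors(cov, k)

def weights(face, mean, eigenfaces):
    """Project a face onto the eigenfaces; the k weights are the stored template."""
    diff = [p - m for p, m in zip(face, mean)]
    return [dot(e, diff) for e in eigenfaces]

def verify(probe, template, mean, eigenfaces, threshold):
    """Verification: accept when the probe's weights lie close to the template's."""
    d = math.dist(weights(probe, mean, eigenfaces), template)
    return d <= threshold, d

# Constructed 8-pixel "images" for four enrolled users (not real face data).
GALLERY = {
    "user_a": [9, 9, 1, 1, 5, 5, 2, 2],
    "user_b": [1, 1, 9, 9, 5, 5, 2, 2],
    "user_c": [5, 5, 5, 5, 9, 1, 2, 8],
    "user_d": [2, 8, 2, 8, 1, 9, 5, 5],
}
MEAN, EIGENFACES = train(list(GALLERY.values()), k=3)
TEMPLATES = {u: weights(f, MEAN, EIGENFACES) for u, f in GALLERY.items()}
PROBE = [9, 8, 1, 2, 5, 5, 2, 3]   # constructed: user_a with slight pixel noise
THRESHOLD = 4.0                    # assumed acceptance threshold
```

The threshold is where false accepts trade against false rejects: the factors on the weaknesses slide (angle, lighting, expression) enlarge the distance for a genuine user and force a looser setting.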

  34. Algorithms: 3D Methods • Capture facial images using more than one camera • 3D models hold more information than 2D • Greater accuracy in recognition • Algorithm similar to Eigenfaces but with some additional properties • 2D recognition currently outperforms 3D

  35. Algorithms: Weaknesses • Affected by viewing angle • Illumination accentuates/diminishes certain features • Expressions cause variations in appearance • Objects may obscure face • Faces affected by time • Sensitivity to gender or ethnicity

  36. Face Recognition: Testing • Face Recognition Technology (FERET) Program • Three main goals • Face Recognition Vendor Test (FRVT) • “measure progress of prototype systems/algorithms and commercial face recognition systems” Verification performance data for the top three face recognition companies tested

  37. Face Recognition: Standards • INCITS M1 • ISO SC37 • In 2004, Department of Homeland Security adopted 1st biometric face recognition standard • Used in applications such as travel documents • Specifies photograph properties

  38. Face Recognition: Research & Market • Interest in use in security surveillance -> research in video-based face recognition • A number of research groups: • Carnegie Mellon • University of Maryland • U.S. government investing in 3D technology • $6 million in 2005 to A4Vision, Inc. • French Civil Aviation Authority employing 3D technology in airport

  39. Face Recognition: Pros, Cons, & Conclusions • A number of technical difficulties resulting in relatively poor accuracy • Face recognition involves too many variables • Applications in security surveillance due to nature of face recognition • Still must overcome accuracy problem • However, with further research, verification via face recognition could find a niche in the private field, especially when coupled with other technologies • Iris scanning

  40. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  41. Fingerprint Authentication • Form of biometric technology • ID-based authenticator • Unique to one person

  42. History of Fingerprint Authentication • Dr. Henry Faulds - first scientist to mention identification as a use for fingerprints • Sir Francis Galton – put fingerprinting on a scientific basis • Use of fingerprinting in law enforcement • Use of Automated Fingerprint Identification System (AFIS)

  43. Functionality of Fingerprint Authentication • Characteristics of a fingerprint • Ridges: Arches, whorls and loops • Minutiae: Ridge endings, bifurcations, divergences, etc. • Fingerprint scanning • Two main types: Optical and Capacitance scanning

  44. Optical Scanning • Photo taken in a process similar to a digital camera • Charge-Coupled Device (CCD) generates image through thousands of photosites • Each photosite records a pixel corresponding to the light that hits it

  45. Capacitance Scanning • Uses the property of capacitance to scan in an image • One or more semiconductor chips each contain a number of cells. • Each cell has a capacitor, and the finger changes the capacitance of the cell, which generates the image, as the capacitances of ridges and valleys are different.

  46. Market for Fingerprint Authentication • Host of products available from many different companies • Identix Inc • BioScrypt Inc • Ultra-Scan Corp • Companies have started to combine different biometric technologies • e.g., V-Smart by BioScrypt Inc

  47. Pros and Cons of Fingerprint Authentication • Pros: • Extremely stable and hard to forge • Fairly accurate • Inexpensive and easy to use • Cons: • Not for everybody • False rejections are common. • Social stigma

  48. Future of Fingerprint Authentication • Already a fairly established authentication technology • Expected to grow steadily through research and technology • Fingerprint biometrics expected to reach $2.6 billion by 2006 • More accurate, inexpensive fingerprint scanners expected.

  49. Outline • Introduction to access control • Smart cards • Hardware tokens • Biometrics • Face recognition • Fingerprint scanning • Voice recognition • Conclusion

  50. Voice Authentication • A type of biometric technology • ID-based authenticator • Not always unique to one person • Two different types: • Speaker Verification • Speaker Identification
