Uid security

Security Audit in UID (Unique Identification) Biometric System.

Published in: Technology

  • Headed by a popular IT (Information Technology) figure, Mr. Nandan Nilekani, as Chairman, whose rank is equal to that of a Cabinet Minister of the Central Government. UID is a unique 16 digit number assigned to each individual in our billion-plus population, which will be used to identify the person for all interactions he or she has with any public body, regulatory authority or law-enforcement agency. The UID, along with the biometric data, will serve as conclusive proof of identity across India, making it unnecessary for any citizen to carry multiple documents from a variety of government agencies. It can be used while travelling, opening a bank account, getting a telephone connection, voting in elections and so on. The Government hopes one immediate benefit will be in the war on terror, with infiltrators and others finding it much harder to move around. People below the poverty line will find that UID gives them easier access to welfare schemes meant for their benefit, and that such aid is not diverted to those not entitled to it.
  • Vulnerabilities by stage: data collection, signal processing, data storage, matching, decision
  • The following are used as performance metrics for biometric systems:[3]
    - False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percentage of invalid inputs that are incorrectly accepted.
    - False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percentage of valid inputs that are incorrectly rejected.
    - Receiver operating characteristic or relative operating characteristic (ROC): the ROC plot is a visual characterization of the trade-off between the FAR and the FRR. In general, the matching algorithm makes its decision based on a threshold that determines how close to a template the input needs to be for it to be considered a match. If the threshold is reduced, there will be fewer false non-matches but more false accepts; correspondingly, a higher threshold will reduce the FAR but increase the FRR. A common variation is the detection error trade-off (DET), which is obtained using normal deviate scales on both axes. This more linear graph illuminates the differences for higher performances (rarer errors).
    - Equal error rate or crossover error rate (EER or CER): the rate at which accept and reject errors are equal, obtained from the ROC plot by taking the point where FAR and FRR have the same value. The EER is a quick way to compare the accuracy of devices with different ROC curves; in general, the device with the lowest EER is the most accurate, and the lower the EER, the more accurate the system is considered to be.
    - Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low-quality inputs.
    - Failure to capture rate (FTC): Within automatic systems, the p include all all are related to biometrics and can be imp to be mentioned
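The threshold trade-off described in these notes, worked through as an added example (not part of the slides) on constructed match scores: FAR and FRR are computed for a sweep of thresholds and the EER is read off as the point where they cross. The score scale, the accept-if-score-at-or-above-threshold rule and the sample values are assumptions.

```python
# Added example (not from the slides): FAR/FRR for a range of decision
# thresholds and the EER, using constructed match scores (0..100, higher
# means closer to the template). Assumes the matcher accepts when
# score >= threshold.

# Constructed sample scores, not real UID data.
GENUINE_SCORES = [88, 91, 76, 95, 83, 69, 90, 85, 79, 93]   # same person
IMPOSTOR_SCORES = [32, 41, 55, 28, 63, 47, 38, 71, 35, 50]  # different person


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for the rule 'accept if score >= threshold'.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) rows: the data behind a ROC or DET plot."""
    return [(t, *far_frr(t, genuine, impostor)) for t in thresholds]


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Approximate EER: the observed threshold where |FAR - FRR| is smallest.

    Returns (threshold, eer) with eer = (FAR + FRR) / 2 at that threshold.
    With few scores the curves are steps, so this is the closest observed
    point rather than an interpolated crossover.
    """
    best = None  # (gap, threshold, eer)
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, far, frr in sweep([40, 60, 70, 80, 90]):
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    t, eer = equal_error_rate()
    print(f"EER={eer:.2f} at threshold={t}")
```

Lowering the threshold from 80 to 60 in this data drops FRR from 0.3 to 0 but raises FAR from 0 to 0.2, which is exactly the trade-off an auditor checks when reviewing the chosen operating point.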
  • Uid security

    1. Security Audit in UID Biometric System
    2. Agenda
       - What is UID?
       - Features, Objective and Challenges in UID Model
       - UID Agencies
       - UID Process Work flow
       - UID Biometric and System Function
       - Risk and Vulnerabilities in Biometric System
       - Audit Check points for Biometric System
       - Summary & Conclusion
    3. What is UID?
       An ambitious project initiated by the Government of India to give each Indian resident a Unique ID (UID) number that can establish their identity at any place, any time.
    4. Key features of UID
       - It will be a randomly generated 12 digit number for every resident of India. Example: 2653 8564 4663. This number will be called the Unique Identification Number or AADHAAR.
       - The number will be unique, which means no two residents will have the same number.
       - No resident can have two numbers, because AADHAAR is based on a combination of standard information like name, address and age, and biometric information that is unique to every person.
    5. Key features of UID (cont.)
       - To avoid fraud, the AADHAAR number will have no additional information within its value or structure. It will be a 'random' number, like the result of a lottery draw or a throw of a dice.
       - AADHAAR will be used to prove identity, not citizenship.
       - It will not be compulsory to get an AADHAAR number; it will be voluntary. However, in the future certain service providers (government or private agencies) may require a person to have an AADHAAR number in order to deliver services.
    6. Key Objectives
       - Overcome the problem of duplicate and bogus identities
       - Act as a useful source for online verification and authentication
       - Target social security schemes better
       - Take business services to the remotest parts
       - Help weed out illegal immigrants
    7. Challenges
       - Indian population: 1.2 billion
       - Existing technology not tested beyond 50 million
       - Deployment of devices and processes for operation across the country for data capture, transmission, storage and updating
       - Most people in villages don't have any document to prove who they are
       - Security & privacy of the information system
    8. UID Agencies
    9. UID Process Workflow
    10. UID & Biometrics
       - UIDAI plans to use various biometric systems to help secure the system
       - The multi-modal biometrics used are:
         - Facial recognition
         - Iris scan
         - Finger scan
    11. Typical Biometric System Functions
       Enrollment, data acquisition, transmission, signal processing, decision, data storage, matching
    12. Risks and vulnerabilities in the system
    13. Threats and Counter Measures

       | Location              | Threats                      | Counter measures                                                                              |
       |-----------------------|------------------------------|-----------------------------------------------------------------------------------------------|
       | Data collection       | Spoofing                     | Multimodal biometrics                                                                         |
       |                       | Device substitution          | Have authenticated, trusted devices                                                           |
       | Raw data transmission | Reading/modification of data | Sign the data, have session tokens                                                            |
       | Signal processing     | Component replacement        | Have digitally signed components and check the integrity of the software                      |
       | Matching              | Manipulation of match scores | Don't allow processes to be running that introspect data and the results coming back          |
       |                       | Hill climbing                | Don't provide detailed scoring data back to any 3rd party                                     |
       | Storage               | Database compromise          | Have database access controls; sign and encrypt templates and store keys in separate hardware |
       | Decision              | Threshold manipulation       | Protected function, data protection                                                           |
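Two of the counter measures in the table, the signed template in storage and the score-free decision at matching time, as an added example that is not UIDAI code. It assumes templates are fixed-length byte strings, that similarity is the fraction of equal bits, and that the hardware-held signing key is modelled by a private field; the UID value and templates are constructed.

```python
# Added example (not UIDAI code): two countermeasures from the table above.
# (1) Stored templates carry a keyed MAC, so a row changed outside the
#     enrolment path fails an integrity check before it is ever matched.
# (2) The matcher returns only accept/reject, never the score or threshold,
#     so a caller gets no feedback to climb towards a match.
# Assumptions: fixed-length byte-string templates, bit-equality similarity,
# and a private key field standing in for a key held in separate hardware.
import hashlib
import hmac
import secrets

DECISION_THRESHOLD = 0.90  # protected configuration, never returned to callers


class TemplateVault:
    """Signs templates at enrolment and verifies them before every match."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # stand-in for a hardware-held key
        self._rows = {}  # uid -> (template, mac): the template "database"

    def _mac(self, uid, template):
        return hmac.new(self._key, uid.encode() + b"|" + template, hashlib.sha256).digest()

    def enrol(self, uid, template):
        self._rows[uid] = (template, self._mac(uid, template))

    def integrity_ok(self, uid):
        """True only if the stored row still matches the MAC recomputed under the key."""
        template, mac = self._rows[uid]
        return hmac.compare_digest(mac, self._mac(uid, template))

    def verified_template(self, uid):
        if not self.integrity_ok(uid):
            raise ValueError(f"integrity check failed for template of {uid}")
        return self._rows[uid][0]

    def overwrite_row(self, uid, template):
        """Simulate a direct database write that bypasses enrolment (old MAC kept)."""
        self._rows[uid] = (template, self._rows[uid][1])


def similarity(a, b):
    """Fraction of equal bits between two equal-length templates."""
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1 - differing / (len(a) * 8)


def authenticate(vault, uid, probe):
    """Binary decision only: the score and threshold never leave this function."""
    return similarity(probe, vault.verified_template(uid)) >= DECISION_THRESHOLD
```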
    14. Audit checkpoints for biometric system: Selecting and Acquiring the Biometric System
       - Study on selection of the biometric process (False Accept Rate and False Reject Rate)
       - Compliance of the product with industry standards
       - Market analysis of product performance and supplier service support
       - Vendor certification and product certification
       - User acceptability within the same industry and in other industries/organizations
       - Legal considerations and users' rights (privacy)
    15. Audit checkpoints for biometric system: Operation and Maintenance of the Biometric System
       - The biometric policy and its alignment with the security policy of the organisation
       - Monitoring the efficiency of the biometric system
       - Interface of the biometric system with other applications and systems
       - Interface with other biometric systems in the organization
       - Data storage capacity requirements
       - Data security, backup and restore procedures
       - Business continuity in case of biometric system failure, and availability of standby systems/compensating controls
    16. Audit checkpoints for biometric system: User Training and Acceptance
       - Communication of the biometric policy within the organisation
       - Awareness by the users of the biometric authentication system
       - Identification of owner roles and responsibility for the biometric system
       - Identification of training needs, training schedule, help desk and support service
       - Training on usage of the system, protection, and system and self hygiene
       - Availability of documented training material and sign boards
    17. Audit checkpoints for biometric system: Application and Database Controls
       - Platform security configuration settings, including restricting access to all biometric information of individuals to only those with a current and strict business need
       - Intrusion detection controls
       - Transaction controls
       - Encryption of the network, including lines
       - Encryption of stored data in the repository
       - Change management (software and hardware)
       - Database administration and maintenance
       - Installation of hardware and software
    18. Audit checkpoints for biometric system: Audit Trails
       - Access log
       - Activity log
       - Change log
       - Log of denial of access
       - System downtime log
    19. Summary
       - Protect biometric systems using a hostile approach
       - Ensure all data (data at rest and data in transit) is encrypted
       - Ensure robust key management and distribution
       - Tamper evidence and integrity checks throughout the system
       - Audit trails and non-repudiation
       - Consider all points in a solution and look for vulnerabilities
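The Audit Trails checkpoint and the summary's tamper-evidence point, combined in one added example (not from the slides): an append-only log for the five log kinds listed, where each entry commits to the previous one by hash, so an edited, removed or reordered entry is found by a verification pass. Field names, log kinds and the sample entries are assumptions.

```python
# Added example (not from the slides): a hash-chained audit trail covering the
# log kinds on the Audit Trails slide. Each entry commits to the previous one,
# so editing, removing or reordering an earlier entry breaks a later link and
# is detected by first_broken_link(). Fields and log kinds are assumptions.
import hashlib
import json

LOG_KINDS = {"access", "activity", "change", "denial", "downtime"}
GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []  # in production this would be append-only storage

    def append(self, kind, actor, detail):
        if kind not in LOG_KINDS:
            raise ValueError(f"unknown log kind: {kind}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "kind": kind, "actor": actor, "detail": detail}
        self.entries.append({**record, "prev": prev, "hash": _entry_hash(prev, record)})

    def first_broken_link(self):
        """Index of the first entry that fails verification, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: e[k] for k in ("seq", "kind", "actor", "detail")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _entry_hash(prev, record):
                return i
            prev = e["hash"]
        return None

    def count(self, kind):
        """Number of entries of one kind, e.g. denials of access for a review period."""
        return sum(1 for e in self.entries if e["kind"] == kind)
```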
    20. Conclusion
       - Security needs to be built in from day 1.
       - Systems need to have a secure foundation to adopt:
         - New technologies
         - New biometric vendors
         - New devices
         - New algorithms
         - New databases
       - Support new standards over time
