(2003) Securing the Biometric Model


Anthony C. Leniski, Richard C. Skinner, Shawn F. McGann
Computer Technology, Purdue University, West Lafayette, IN 47907, USA

Stephen J. Elliott, Ph.D.
Department of Industrial Technology & e-Enterprise Center, Discovery Park, Purdue University, West Lafayette, IN 47907, USA

ABSTRACT

This paper proposes a structured methodology following a full vulnerability analysis of the general biometric model outlined by Mansfield and Wayman (2002). Based on this analysis, a new multidimensional paradigm named the Biometric Architecture & System Security (BASS) model is proposed, which adds comprehensive security and management layers to the existing biometric model. The BASS model is a structured methodology that guides firms towards a solid foundation for any biometric system by emphasising security practices at the module and system level, and by standardising the policies and procedures needed for continued operation.

Keywords: Biometrics, Information Security, Large-scale Implementation, Management, Process Design

1. INTRODUCTION

As demand for biometric systems increases, we propose a novel model so that an implemented biometric application meets the security and management needs of the intended business, organization, or individual. This model, the Biometric Architecture & System Security (BASS) model, provides a guideline through the procedures and considerations that must be addressed to successfully implement an all-encompassing biometric system.

2. GENERAL BIOMETRIC MODEL

Figure 1 - General Biometric Model [1]

The first step in the General Biometric Model, shown in Figure 1, is Data Collection: the measurement of a behavioral or physiological characteristic that is both distinctive and repeatable. The user's characteristic is presented to a sensor, which yields the system's input data based on the biometric measure and the technical characteristics of the sensor.

The second step is Transmission, which occurs locally or over a distance in a distributed environment. If a system requires large amounts of data, a compression technique may be used to save system resources; however, compression can degrade signal quality.

The third step is the Signal-Processing subsystem, which is divided into three tasks: feature extraction, quality control, and pattern matching. Feature extraction is the non-reversible process of converting a captured biometric sample into data for comparison against a stored reference template. Quality control checks the captured biometric pattern to verify that the individual's characteristics are not defective or insufficient in any way. Pattern matching compares one or more identified features of a sample with those of a stored template.

The fourth step is the Decision subsystem, which implements system policy: it directs the database query, determines matches or non-matches against the defined threshold, and returns a decision according to the defined system policies. The decision policy is a management preference specific to the operational and security requirements of the system.

The remaining subsystem is Storage, which holds the feature templates in a database for comparison, by the pattern matcher, against incoming feature samples. Storing the raw data as well allows the system or system vendor to be changed without recollecting data from all enrolled users.

0-7803-7882-2/03/$17.00 ©2003 IEEE
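The Signal-Processing and Decision subsystems described above, as an added Python example written for this page (not code from the paper). It runs quality control, non-reversible feature extraction and pattern matching, then applies a management-chosen threshold for both 1:1 verification and 1:N identification. The feature representation (a four-bin histogram of sensor values in [0, 1)), the cosine-similarity score, the quality limits and the sample captures are all constructed assumptions chosen to keep the arithmetic visible; real feature extractors are far richer.

```python
"""Toy instance of the general biometric model's Signal-Processing and Decision
subsystems. Added example for this page, not code from the paper."""
import math

BINS = 4             # assumed feature representation: 4-bin histogram of sensor values
MIN_POINTS = 8       # quality control: a capture with fewer measurements is "insufficient"
MIN_VARIANCE = 0.02  # quality control: a near-constant capture is "defective"


def quality_ok(raw):
    """Quality-control task: reject captures that are too short or too flat."""
    if len(raw) < MIN_POINTS:
        return False
    mean = sum(raw) / len(raw)
    variance = sum((x - mean) ** 2 for x in raw) / len(raw)
    return variance >= MIN_VARIANCE


def extract_features(raw):
    """Feature-extraction task: histogram of values in [0, 1), scaled to unit length.
    Non-reversible: the order and exact values of the raw capture are discarded."""
    hist = [0] * BINS
    for x in raw:
        hist[min(int(x * BINS), BINS - 1)] += 1
    norm = math.sqrt(sum(h * h for h in hist))
    return [h / norm for h in hist]


def match_score(features, template):
    """Pattern-matching task: cosine similarity of two unit vectors, in [0, 1]."""
    return sum(a * b for a, b in zip(features, template))


def enroll(raw):
    """Enrollment: only a capture that passes quality control becomes a template."""
    if not quality_ok(raw):
        raise ValueError("enrollment sample failed quality control")
    return extract_features(raw)


def verify(raw, template, threshold):
    """Decision subsystem, 1:1. Returns (decision, score); 'failure-to-acquire'
    means the capture never reached the matcher."""
    if not quality_ok(raw):
        return ("failure-to-acquire", None)
    score = match_score(extract_features(raw), template)
    return ("match" if score >= threshold else "non-match", score)


def identify(raw, templates, threshold):
    """Decision subsystem, 1:N. Returns the best-scoring enrolled identity at or
    above the threshold, or None."""
    if not quality_ok(raw):
        return None
    features = extract_features(raw)
    best_id, best = None, threshold
    for user_id, template in templates.items():
        score = match_score(features, template)
        if score >= best:
            best_id, best = user_id, score
    return best_id


# Constructed captures (assumed sensor readings in [0, 1); not real biometric data).
ALICE_ENROLL = [0.10, 0.15, 0.12, 0.30, 0.35, 0.60, 0.65, 0.90, 0.95, 0.10]
ALICE_PROBE = [0.11, 0.14, 0.13, 0.31, 0.34, 0.61, 0.66, 0.91, 0.94, 0.27]
BOB_ENROLL = [0.80, 0.85, 0.90, 0.95, 0.70, 0.75, 0.60, 0.20, 0.82, 0.88]
FLAT_CAPTURE = [0.50, 0.52, 0.49, 0.51, 0.50, 0.48, 0.50, 0.52, 0.51, 0.49]
TEMPLATES = {"alice": enroll(ALICE_ENROLL), "bob": enroll(BOB_ENROLL)}
THRESHOLD = 0.90     # management-chosen operating point

if __name__ == "__main__":
    print(verify(ALICE_PROBE, TEMPLATES["alice"], THRESHOLD))   # ('match', 0.9636...)
    print(verify(ALICE_PROBE, TEMPLATES["bob"], THRESHOLD))     # ('non-match', 0.56...)
    print(identify(ALICE_PROBE, TEMPLATES, THRESHOLD))          # 'alice'
    print(verify(FLAT_CAPTURE, TEMPLATES["alice"], THRESHOLD))  # ('failure-to-acquire', None)
    print(verify(ALICE_PROBE, TEMPLATES["alice"], 0.97))        # ('non-match', ...) a false reject
```

The last call shows why the threshold is a management decision rather than a technical constant: raising it from 0.90 to 0.97 turns a genuine user's probe into a false reject, while lowering it would let impostor scores through. The quality-control gate also gives the system a third outcome ("failure-to-acquire") that the Result Module must log and handle separately from a non-match.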
3. BIOMETRIC ARCHITECTURE & SYSTEM SECURITY MODEL

The Biometric Architecture and System Security (BASS) model extends Mansfield and Wayman's general biometric model and adds the functionality required for any biometric deployment. The model, shown in Figure 2, is comprised of three core layers that are necessary for a total systems approach: Functional, Security, and Management.

Figure 2 - Biometric Architecture & System Security Model

The Functional layer defines the generic biometric process, consisting of the Data Collection, Data Storage, Processing, Result, and Transport Modules. While some of the processes share common borders, the Transport Module provides the common interface for all inter-module communication.

The Security and Management Layers coalesce to provide confidentiality, integrity, availability, and authentication for the system. Before any security or management concepts can be properly developed and deployed in a biometric system, an analysis is required of each of the five core biometric modules. This in-depth examination should at least determine the following:

- Assets to be protected
- Attack vectors
- Methods of attack used on those attack vectors
- Expected loss if compromised
- Classification of threat agents
- Risks of attacks by threat agents
- Countermeasures
- Cost effectiveness

The following sections guide the evaluation of each module of the Functional Layer to define the roles of Security and Management in a biometric system.

Data Collection Module

The Data Collection Module's objective is to identify the possible vulnerabilities at the point of enrollment and verification in the biometric system, specifically in the biometric, the device, the environment, and the information. Before addressing any component of the actual system, the chosen biometric must be evaluated to identify its shortcomings along with possible spoofing techniques. With a clear understanding of these faults, it is possible to monitor and compensate for the weaknesses. Furthermore, the biometric device needs to be trusted and physically secure. The environment in which the biometric device is placed plays a key role in physical security. A successful biometric implementation will locate its devices where they cannot be affected by surrounding variables (lighting, temperature, background color, or interference), where the device captures only the subject, and where there is a low probability of the device being damaged (intentionally or unintentionally) or stolen. A device must be positioned so that its availability and functionality are unaffected by the surrounding atmosphere, and the vendor's environmental specifications for the device must be respected at this level as well.

Information security is the final portion of the Data Collection Module that requires analysis. Implementations leave open the possibility of a device being spoofed logically, through the communication protocols, or physically, by replacing a trusted device with a rogue device. The trusted-device concept means that, through some form of exclusive identification, a biometric device must be authenticated as "trusted" before any transmissions from that device are processed. The use of trusted devices provides assurance that the biometric data being introduced to the system is legitimate.

To complement these countermeasures and ensure that the device is properly maintained, several management-level policies and procedures must be developed when securing a biometric device. One of the most important management routines is a maintenance schedule, which defines the cleaning, calibration, and testing plans necessary to keep the device working properly. Employee training and user habituation are also important collection-management concepts, which help ensure that the device is used properly and the data collected is consistent. Another important management task is monitoring: it is imperative to examine the system's environment constantly to identify and address unanticipated changes before they dramatically affect the biometric system. The most important part of the Management Layer in the Data Collection Module is the set of policies regarding the integrity of the proof of identification provided during enrollment. Standards for proper identification must be established, such as the use of a birth certificate, government ID, or other credentials, to ensure that the enrollee is genuine.
Transport Module

The Transport Module is the most vital component of the biometric system because it interacts with every other module. Its purpose is to ensure privacy, authentication, integrity, and non-repudiation for communication between the given elements, so that the system is secure and trusted independent of its architecture. Besides introducing its own vulnerabilities, the transport layer inherits flaws from the other subsystems, making it the most susceptible area in any implementation.

Figure 3 - Transport Sub-layers of the BASS Model

The Transport Module implements the OSI network reference model (Figure 3), a framework for organizing networking technology and protocol solutions [2]. While the OSI model enables universal communication, the Security and Management layers of the BASS model emphasize the operational considerations needed for a successful implementation. Security at the Transport layer is broken into two categories: Physical Security and Information Assurance.

Physical security depends on discerning the vulnerabilities in three key areas: Architecture, Medium, and Interfaces. Architecture covers a system's design principles, stand-alone versus distributed/networked and physical configurations, and the use of private or public technologies. The key concern is physical access to the lines and equipment, which is controlled through methods such as protected casings, keyed access, and login authentication. Depending on the architecture, various media such as wired (cable, fiber, integrated circuits) and wireless technologies will carry the system data. The analysis should center on each medium's vulnerabilities, such as the interception of electrical or optical signals through wire taps, rogue access points, or other means. To provide physical connections for permitted access into a system, each device (biometric equipment, computers, power sources, communication devices, and so on) employs one or more interfaces. All required interfaces should be protected against unauthorized connections, and unneeded interfaces should be properly disabled. All three areas are analyzed individually and then together against the six key questions: Who, What, When, Where, Why, and How.

Physical security provides the measures necessary to protect a facility against unauthorized access, loss, or other intentional damage to a system. As systems move from private implementations to public designs, control over physical security weakens and the emphasis shifts to information assurance. The primary goals of information assurance are to provide confidentiality, integrity, availability, and authentication between communicating modules. Confidentiality ensures that unauthorized external or internal sources do not intercept, copy, or replicate the information [3]. Information integrity is confidence in the permanency of the information during communication [4]. Availability refers to the system being accessible at all times for transport. Lastly, authentication is the process whereby an entity presents and proves its identity to another entity. Cryptographic technologies such as encryption, digital signatures, hashing algorithms, and digital certificates help reduce the risks associated with the transport module. Each concept needs to be evaluated as information flows through the different layers of the OSI model to ensure trusted communication. To transport data through the OSI model, protocols are employed, and each protocol has innate vulnerabilities that must be analyzed so that the appropriate safeguards can be deployed. Examples of such vulnerabilities in the TCP/IP protocol stack are susceptibility to man-in-the-middle, replay, and denial-of-service attacks. While physical security and information assurance provide a blueprint for security, without proper management an entire implementation remains completely susceptible.

Management of the transport layer consists of three stages: Prevention, Detection, and Response. Each stage depends on full documentation of the system parameters, such as hardware, software, service levels, protocols, and addressing, and on a systematic analysis of normal operation. The prevention stage comprises the policies and procedures necessary to provide secure and reliable transport for daily operations. The detection stage comprises procedures to investigate and identify potential problems or security breaches in the event that prevention fails [3]. The response stage defines the appropriate reaction to the items found in the detection stage, for proper recovery and follow-up.

Data Storage Module

The Data Storage Module is one of the most intricate parts of the biometric system because it is responsible for safeguarding the permanent repository of all information collected from the system's users. Because of the highly sensitive nature of this data, the Data Storage Module must not only ensure the integrity, availability, and accessibility of the data but also allow access only to authorized users and subsystems. The security and management layers provide the mechanisms to meet these core objectives.

The Security Layer of the Data Storage Module is responsible for protecting the data from threat agents and from disasters such as loss of power, hardware failure, or environmental cataclysm. The first step towards a protection strategy is to determine every point of storage and entry in the system, including both logical and physical locations. Once the locations are established, the next step is to address the physical security at each point based on the possible attack vectors or other weaknesses. One key attribute of physical security is access control, in which access to the storage hosts, backup devices, and storage media is restricted to authorized system users through techniques such as keyed access or an external security service. The second key attribute is protection: the physical measures taken to protect storage components, such as reinforced infrastructure, a fire suppression system, and a climate control system. The chosen measures should prevent or reduce the possibility of data loss in the event of an accident or natural disaster.

After the physical security needs are determined, the next step in the security layer is to ensure information integrity. Information security in the Data Storage Module consists of mechanisms that protect the warehoused biometric templates as information is imported into and exported from the database. The first mechanism is authentication and authorization, which validates the system user and decides whether the validated user is allowed to perform the requested action or access the requested data. The second mechanism ensures the integrity of the data being accessed or inserted in the database, through approaches such as time stamps, data hashes, digital signatures, encrypted storage, and trusted-device concepts such as a key infrastructure. Another element of data integrity is an Intrusion Detection System (IDS), which aids detection and investigation in the event of an attack. Another vital aspect of the security layer is availability: providing uninterrupted access to the stored biometric data. The system's minimum availability should be determined in order to decide how much redundancy is required within the storage solution (hardware, software, and media). Once that is complete, a backup and recovery (B/R) approach, via hardware- or software-based solutions, is developed so that the system can revert to previously stored information after a failure. While the security layer designs the defensive principles, the management sub-layers are accountable for the system's routine performance.

To ensure that the storage solution remains in its ideal state, several management-level policies and procedures must be developed in two key areas: System and Security. System management establishes the operational and maintenance tasks required for normal functioning. One key task is to routinely assess and document the capacity and access speed of the database and computing system; the results should be compared with the defined system specifications to confirm that the biometric solution is functioning properly and efficiently. Another key task is to keep all system hardware and software updated with the latest service packs and patches from trusted vendors. Every vendor-released fix should first be applied in a test environment and then promoted to production only if it improves the system's efficiency or interoperability, or corrects documented vulnerabilities.

The second key area of the management layer is security. Security management provides the policies and procedures necessary to execute the mechanisms defined in the security layer. The first consideration is access control: parameters such as users and permissions should be documented and verified periodically. Through logging, audit trails should also be reviewed regularly to verify that only authorized personnel and trusted system entities access and/or manipulate the database. Another important concept of security management is backup management. Backups are essential in case the biometric system is compromised or suffers a hardware failure; the backup can then restore the system to an operational state without total loss of information. The first step in backup management is selecting a backup system, such as tape or optical, based on an analysis of the following:

- Amount of data
- Backup time
- Frequency of the backup
- Restoration time
- Backup topology
- Overall cost

After the backup system is chosen, the second step is developing the policies and procedures needed to operate it. Key considerations include the backup schedule, resources, authorized personnel, storage, and backup integrity.
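The trusted-device check called for under the Data Collection Module, the replay and man-in-the-middle concerns raised under the Transport Module, the time stamps and signatures listed above for the Data Storage Module, and the "trusted decision" the Result Module section describes later all reduce to the same check at the receiving module: is this message from a known sender, unmodified, fresh, and not one we have processed before? The following Python is an added example written for this page, not code from the paper or any product. It assumes a key infrastructure in which every trusted device or module holds a secret provisioned out of band (the paper's "exclusive identification"); it uses HMAC-SHA256 in place of the digital signatures the paper names, and the device names, keys, clock value and messages are constructed.

```python
"""Trusted-device capture messages and a trusted decision, with replay detection.
Added example for this page; not code from the paper or from any product."""
import hashlib
import hmac
import json
import os

# Assumed key infrastructure: each trusted device or module holds a secret
# provisioned out of band, and the receiving module holds the same secret.
# HMAC-SHA256 stands in for the digital signatures the paper names; a real
# deployment would use asymmetric signatures and certificates so that a
# compromised verifier cannot forge messages.
TRUSTED_KEYS = {
    "sensor-01": bytes.fromhex("a1" * 32),   # constructed demo keys, not real
    "matcher-01": bytes.fromhex("b2" * 32),
}
MAX_SKEW_SECONDS = 30   # window within which a timestamp is considered fresh


def _canonical(fields):
    """Stable byte encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(sender, key, fields, ts):
    """Add sender id, timestamp, fresh nonce and MAC to a message body."""
    body = dict(fields, sender=sender, ts=ts, nonce=os.urandom(8).hex())
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Accepts a message only from a trusted sender, with a valid MAC, a fresh
    timestamp and a nonce not seen before (replay defence)."""

    def __init__(self, keys, clock):
        self.keys = keys
        self.clock = clock          # injectable for reproducible runs
        self.seen = set()

    def accept(self, msg, expected_sender):
        key = self.keys.get(msg.get("sender"))
        if key is None:
            return False, "untrusted sender"
        if msg["sender"] != expected_sender:
            return False, "wrong sender for this channel"
        unsigned = {k: v for k, v in msg.items() if k != "tag"}
        tag = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, str(msg.get("tag", ""))):
            return False, "bad tag"
        if abs(self.clock() - msg.get("ts", 0)) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if (msg["sender"], msg.get("nonce")) in self.seen:
            return False, "replay"
        self.seen.add((msg["sender"], msg.get("nonce")))
        return True, "ok"


def make_decision(request, decision, ts):
    """Trusted decision: the matcher signs its verdict bound to the request nonce,
    so a verdict for one capture cannot be redirected to another."""
    return sign("matcher-01", TRUSTED_KEYS["matcher-01"],
                {"request_nonce": request["nonce"], "user": request["user"],
                 "decision": decision}, ts)


def result_module(receiver, request, verdict, audit, location):
    """Result Module: act on a verdict only if it is authentic, fresh, unseen and
    bound to this request; log every outcome with the fields the paper lists."""
    ok, why = receiver.accept(verdict, "matcher-01")
    if ok and verdict.get("request_nonce") != request["nonce"]:
        ok, why = False, "verdict not bound to this request"
    audit.append({"user": request["user"], "ts": receiver.clock(), "location": location,
                  "decision": verdict.get("decision") if ok else "rejected: " + why})
    return ok


def scenario():
    """Honest capture and verdict, then four attacks; returns outcomes and the audit log."""
    clock = lambda: 1_700_000_000                  # fixed clock for a reproducible run
    processing = Receiver(TRUSTED_KEYS, clock)     # Processing Module input
    result = Receiver(TRUSTED_KEYS, clock)         # Result Module input
    audit, out = [], {}
    sample = hashlib.sha256(b"constructed feature sample").hexdigest()
    capture = sign("sensor-01", TRUSTED_KEYS["sensor-01"], {"user": "alice", "sample": sample}, clock())
    out["capture"] = processing.accept(capture, "sensor-01")            # (True, "ok")
    out["capture_replay"] = processing.accept(capture, "sensor-01")[1]  # "replay"
    rogue = sign("sensor-99", b"guessed-key", {"user": "alice", "sample": sample}, clock())
    out["rogue_device"] = processing.accept(rogue, "sensor-01")[1]      # "untrusted sender"
    out["tampered"] = processing.accept(dict(capture, user="mallory"), "sensor-01")[1]  # "bad tag"

    verdict = make_decision(capture, "match", clock())
    out["verdict"] = result_module(result, capture, verdict, audit, "lobby-door")        # True
    forged = dict(verdict, user="mallory", tag="00" * 32)   # attacker inserts a false "match"
    out["forged_verdict"] = result_module(result, capture, forged, audit, "lobby-door")  # False
    out["verdict_replay"] = result_module(result, capture, verdict, audit, "lobby-door") # False
    stale = make_decision(capture, "match", clock() - 120)
    out["stale_verdict"] = result_module(result, capture, stale, audit, "lobby-door")    # False
    return out, audit


if __name__ == "__main__":
    outcomes, log = scenario()
    print(outcomes)
    print([entry["decision"] for entry in log])
```

Two design points matter more than the primitive used. First, the MAC covers the sender id, timestamp and nonce as well as the payload, so an attacker cannot lift a valid tag onto a different device name or a later time; second, the Result Module binds the verdict to the nonce of the capture it asked about, so even a genuine "match" produced for one presentation cannot be delivered against another. The audit entries carry the user, time, location and decision the paper asks for, including the rejected attempts that a security team would want to see.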
Processing Module

The Processing Module of the BASS model identifies the precautions that must be taken wherever biometric data is processed. It draws data from the Data Collection and Data Storage Modules and performs the biometric comparison for the decision. The Processing Module is comprised of two sublayers: Operating System and Application.

Physically securing the operating system and application sublayers follows the same outline as the Data Storage Module. To ensure the reliability of the system, ample hard-drive backups and redundant power supplies should be included when implementing the processing components. Physical access should be restricted as needed and consistently monitored. Environmental factors such as fire suppression and climate control should also be analyzed. Additionally, all non-essential peripherals such as floppy drives, CD-ROM drives, modems, and other unused interfaces should be disabled or removed from the machines. The separation of the Processing Module into its sublayers occurs in the information security and management layers of the BASS Model.

The operating system sublayer (OSS) encompasses the risks intertwined with the platforms on which the biometric system runs. It is important to realize that there are potentially multiple operating systems running within the biometric system, and each must be secured accordingly. These operating systems are located throughout the other modules of the BASS Model but are addressed directly in the OSS. Every operating system on the market has numerous known vulnerabilities; those running the biometric solution must be researched for such documented hazards and the proper fixes applied. Furthermore, any unnecessary networking components, services, and default users/accounts should be removed and/or disabled wherever possible. To monitor the system for unauthorized access, an IDS should also be installed on the operating system to help uncover an intrusion and to provide an audit trail that identifies the point of entry. Finally, virus protection should be introduced to the operating system in case a virus infects the platform.

Managing the security of the operating system deals with the practices that keep the operating system in a state where only authorized users are granted access and the software is up to date with the most recent revisions. This process begins with monitoring publicly documented vulnerabilities. New flaws and bugs in OS design, as well as new viruses, are discovered almost daily and need to be accounted for immediately. The proper fixes, patches, service packs, and virus definitions should be tested and installed as vendors release them. Login to the machines in the biometric system should be restricted at the operating system level to prevent internal or external threat agents from accessing the system. Password policies for all accounts should be included, such as minimum password length, mixed-character and symbol requirements, and password expiration periods. The final function of management is to determine the handling of backup media to ensure that it is not tampered with, copied, or otherwise damaged.

Due to the proprietary nature of current biometric applications, a number of implications are addressed in the Application Sublayer of the Processing Module. Backdoors, logic bombs, and virus susceptibility are just a few of the deficiencies that a biometric application can introduce to a system. The Application Sublayer interacts directly with both the biometric device and the database over the Transport Module. Time stamps, digital signatures, and the "trusted" concept should be used in the application sublayer to ensure that the data being pulled is legitimate before it is compared by the application using the given biometric algorithm. To reach the appropriate decision, the threshold should be applied within the application at the determined levels.

The management layer of the application sublayer determines the threshold levels required, based on an appraisal of the value of the assets being protected, the users who will interact with the biometric system, environmental variables, and the overall security conditions. Biometric applications extract data from the device, query information from the database, and make comparisons and decisions simultaneously. This creates heavy demand on the CPU, so an analysis of the biometric software must be performed beforehand to determine the processor speed and RAM specifications for the system. The utilization of system resources should be monitored constantly, and upgrades made as needed.

Result Module

The Result Module of the BASS model deals with an area of the biometric process that is often overlooked, because the vulnerabilities at the Transport, Processing, and Data Storage Modules are more apparent and more traditional in information security. The Result Module provides the protection measures for the stage after the biometric has been presented to the device, transported, processed, and compared.

The application makes a decision based on the presented biometric and its comparison with a stored template in the database, and responds with one of two answers: yes, this person has been identified, or no, this person has not. The most obvious way for a threat agent to penetrate a biometric system is to tap in at this point and insert false decisions. If this can be achieved, the threat agent has complete control over who is identified and who is not, making any security measures taken in the other modules completely irrelevant. Much of the prevention of this kind of attack correlates with the other modules in the BASS model: encryption, digital signatures, or a trusted decision (similar to a trusted device). The integrity of a system following the BASS model ultimately relies on the decision that is produced.

Once the decision has been returned, a number of policies and procedures must govern the events that happen thereafter. First, the decisions that are made must be monitored. Logs should be kept containing the user being verified, the time and location of the verification, the actual decision (yes/no), and any other pertinent data that could assure that the system is making the right decision for the right people. Scheduled and unscheduled audits of these trails help validate that the processes and information are holding their value. Additionally, regulations must be in place for a false reject: no biometric algorithm is perfect, and there are people whose bodies or behavior may be incompatible with these systems, so these potential problems need to be addressed in the management layer. Likewise, in the event of a false accept, there must be directives in place for the removal of individuals who gain false access to the assets protected by the biometric system.

4. CONCLUSION

This model extends current best practices of management policies and procedures in the information systems security discipline by overlaying them on the general biometric model [1]; the authors take an existing set of paradigms from one discipline and apply them to another. Biometrics is a rapidly expanding market, as governments, companies, and consumers demand higher security to protect valuable assets. Without proper security measures and reinforcement from management, adding biometrics, whose sole purpose is to improve security, would be a waste of resources. As biometric systems move into the mainstream, many of the vulnerabilities inherent in these systems' components will be exposed and exploited, allowing threat agents to manipulate any or all parts of the biometric process. As a structured methodology, the BASS model integrates both security and management concepts into the functional modules, resulting in a comprehensive technique for securing any biometric system. Following the guidelines set forth in the modules of the BASS model is an essential duty that should be performed in all biometric implementations to ensure the availability, confidentiality, and integrity of the system. Doing so gives BASS-compliant biometric systems a far better chance of success.

5. BIBLIOGRAPHY

[1] A.J. Mansfield and J.L. Wayman, Best Practices in Testing and Reporting Performance of Biometric Devices, Biometric Working Group, 2002, p. 32.

[2] J.E. Goldman and P.T. Rawles, Applied Data Communications: A Business Oriented Approach, New York: John Wiley & Sons, Inc., 2001.

[3] J.E. Canavan, Fundamentals of Network Security, Boston: Artech House, 2001.

[4] T. Bellocci, C.B. Ang, P. Ray, and S. Nof, Information Assurance in Networked Enterprises: Definition, Requirements, and Experimental Results, CERIAS, School of Industrial Engineering, Purdue University, January 2001.