ITU Kaleidoscope 2013 Presentation


April 4, 2013 presentation given at the Raleigh ISSA Chapter meeting. This PDF of my slides reviews my paper that was accepted and nominated for an award and presented at the ITU Kaleidoscope 2013 conference.


  1. ITU Kaleidoscope 2013 Presentation: Telebiometric Information Security and Safety Management. Raleigh ISSA Chapter Meeting, Thursday, April 4, 2013. Phillip H. Griffin, Information Security Consulting. October 18, 2012. GRIFFIN – APRIL 2013
  2. What is the ITU?
     • ITU is the International Telecommunication Union
     • United Nations specialized agency for information and communications technology (ICT)
     • Membership includes 193 countries and over 700 private-sector entities and academic institutions
     • Allocates global radio spectrum and satellite orbits; develops technical standards to ensure seamless interconnection of networks and technologies (telephones, video, TV, etc.)
     • Consensus efforts to support the fundamental right to communicate
     • Empowers people through technology education and training
  3. Building Sustainable Communities
     • Assess the standardization required so that cities can enhance their social, economic, and environmental sustainability by using Information & Communications Technology
     • Sustainable communities will combine human-oriented technologies and human values
     • Human-oriented technologies: Biometrics, Telecommunications
     • Human values: Security, Privacy, Safety
     • Rubric: Suggest areas for new standardization
  4. New Standardization
     • Telebiometric System Heartbeat: Provides metrics to enable the continuous improvement of an information security and safety management program for telebiometric system devices
     • Cryptographic Message Syntax (CMS): Need a version that complies with the ASN.1 standards, permits all binary encoding rules and XML Encoding Rules (XER), and supports ISO/IEC JTC 1/SC 27 algorithms and cryptographic techniques
     • Signcryption Support in CMS: Defines the schema and processing for a SigncryptedData type needed to support the techniques in the ISO/IEC 29150 Signcryption standard
  5. Telebiometric System Heartbeat
     • Periodic messages that should monitor and document the safety, performance, and availability of telebiometric system devices
     • Provide information to alert system administrators of security and safety events and system changes (e.g., FAR/FMR settings, device location, aberrant behavior, etc.)
     • Source of derived metrics to inform the continuous improvement of a telebiometric system information security and safety management program
  6. Cryptographic Message Syntax
     • CMS is “a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes” (RSA Laboratories)
     • Defined by RSA Security in the early 1990s
     • PKCS #7 (Public Key Cryptography Standard 7)
     • Replaced the Privacy Enhanced Mail (PEM) standard
     • Solved the X.509 certificate distribution problem
     • Initial root was RSA until VeriSign spawned (RSA, IBM, etc.)
     • Adopted by IETF to support secure email; SET; X9.73, others
     • No valid international version of the CMS standard exists!
     • CMS provides a standardized schema with a well defined “hole”.
  7. CMS Message Example
     • Schema is in the ISO/IEC & ITU standard, Abstract Syntax Notation One (ASN.1)
     • ASN.1 is used in billions of phones! (6.8 B cell phone subscriptions, 2013)
     • Compact binary or XML markup
     • Zero+ Certificates and CRLs
     • Unsigned attribute content needs no protection (e.g., SAML assertion)
  8. CMS In Biometric Standards. CMS SignedData is used to provide data integrity and origin authenticity in each of the following standards:
     • X9.84 Biometric Information Management and Security
     • ISO 19092 Biometrics – Security Framework
     • DoD & FBI Electronic Biometric Transmission Specification (EBTS)
     • DHS Biometric Enabled Watch Lists (BEWL)
     • ICAO Doc 9303 Machine Readable Passports
     • ANSI/NIST-ITL 1-2011 Biometric Data Format & Interchange Standard
     • OASIS XML Common Biometric Format (XCBF)
     • ISO/IEC 24761 Authentication Context for Biometrics (ACBio)
  9. Biometric System Vulnerabilities
     • Slide callouts: Support policy-based information security management using real-time device FAR/FMR settings? CMS (6, 7), and ACBio transfer?
     • 1 - Attack on a biometric sensor with dummies: reproduced biometric trait presented as input
     • 2 - Replay attack: recorded, intercepted signal is replayed to bypass the biometric sensor
     • 3 - Attack on feature extractor: produces altered values to those read by the biometric sensor
     • 4 - Tampered feature representation (features are replaced with a fraudulent feature set)
     • 5 - Attack on the matcher, forcing it to produce a high or low matching score to allow or deny access
     • 6 - Attack on biometric templates in a local, remote, or distributed database to add, modify, or delete
     • 7 - Tampered biometric reference template. See 4.
     • 8 - Attack on the final matching decision end point: attacker disables the authentication system
  10. CMS Signcryption Support
     • New CMS type proposed (ID360: Global Forum on Identity)
     • Schema similar to SignedData
     • One mode supports field-level signcryption within a signed object
     • Attributes: Defined by any group with a need, using any type or format
     • Manifest defined for each content type, e.g., a list of XPath expressions in an XML document
  11. Signcryption Primitive Support. Signcryption combines encryption and digital signature functions into a single, efficient cryptographic operation.
     • A cryptographic technique and a primitive
     • ISO/IEC 29150:2011 Signcryption standard
     • Hybrid: combines digital signature with encryption (hybrid like MAC + Encryption in SSL, SSH, ESP mode of IPsec)
     • Confidentiality + Data Integrity + Origin Authenticity
     • Asymmetric cryptography makes non-repudiation possible
     • Faster, smaller result than signature-followed-by-encryption
     • No standardized signcryption CMS type exists!
  12. Summary: New standards are needed
     • Telebiometric System Heartbeat: Need a standardized, extensible, CMS-protected message to enable development of vendor-neutral telebiometric incident handling and information security and safety management solutions
     • Cryptographic Message Syntax (CMS): Need an international standard that complies with the ASN.1 standards, supports all encoding rules, and permits use of SC 27 cryptography
     • CMS Signcryption Support: Need a new CMS SigncryptedData message type that supports the use of efficient ISO/IEC 29150 Signcryption techniques in CMS
  13. Deeper Dive
     • Building Sustainable Communities – ITU Kaleidoscope conference, Kyoto, Japan, 22-25 April, 2013.
     • ITU-T Technology Watch Report 12: Biometrics and Standards. December, 2009.
     • Griffin, P. (2012). Protecting Biometrics Using Signcryption.
     • Griffin, P. (2013). Telebiometric Information Security and Safety Management. ITU Kaleidoscope ’13.
     • RSA Laboratories Public Key Cryptography Systems (PKCS) #7 – Cryptographic Message Syntax (CMS).
     • ISO/IEC 29150 (2011), Signcryption. (See for proposed schema corrections)
     • X9.84-2011 Biometric Information Management and Security. U.S.A.: American National Standards Institute (ANSI).
  14. Questions? +1 919 291 0019, Skype: phil.griffin
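As an added example (not from the slides or the author's work), the monitoring that slide 5 describes for the Telebiometric System Heartbeat, with the real-time FAR/FMR policy check raised on slide 9: it replays constructed heartbeat messages, alerts on a changed FAR setting, a changed device location, a FAR above policy and a silent device, and derives a per-device availability metric. The JSON field names, the 60-second interval and the FAR ceiling are assumptions; the slides define no heartbeat message format.

```python
import json

# Constructed sample heartbeats (JSON lines) from two telebiometric devices.
# The field names and the message format are assumptions for this example;
# the slides do not define a heartbeat schema.
SAMPLE_HEARTBEATS = """\
{"device": "gate-01", "ts": 0,   "far": 0.001, "frr": 0.02, "location": "lobby"}
{"device": "gate-02", "ts": 0,   "far": 0.001, "frr": 0.02, "location": "dock"}
{"device": "gate-01", "ts": 60,  "far": 0.001, "frr": 0.02, "location": "lobby"}
{"device": "gate-01", "ts": 120, "far": 0.05,  "frr": 0.02, "location": "annex"}
"""

HEARTBEAT_INTERVAL = 60  # seconds between expected heartbeats (assumed policy)
FAR_CEILING = 0.01       # maximum FAR the policy allows (assumed); a raised FAR admits more impostors


def analyze_heartbeats(jsonl: str, now: int, interval: int = HEARTBEAT_INTERVAL) -> list[str]:
    """Replay heartbeats in order and return alerts for the events a
    Telebiometric System Heartbeat is meant to surface: a changed FAR
    setting, a changed device location, a FAR above policy, and a device
    that has gone silent (availability)."""
    alerts: list[str] = []
    last: dict[str, dict] = {}  # device -> most recent heartbeat seen
    for line in jsonl.splitlines():
        hb = json.loads(line)
        dev, prev = hb["device"], last.get(hb["device"])
        if prev is not None:
            if hb["far"] != prev["far"]:
                alerts.append(f"{dev}: FAR changed {prev['far']} -> {hb['far']}")
            if hb["location"] != prev["location"]:
                alerts.append(f"{dev}: location changed {prev['location']} -> {hb['location']}")
        if hb["far"] > FAR_CEILING:
            alerts.append(f"{dev}: FAR {hb['far']} exceeds policy ceiling {FAR_CEILING}")
        last[dev] = hb
    # Availability: any device whose last heartbeat is older than one interval is silent.
    for dev, hb in last.items():
        if now - hb["ts"] > interval:
            alerts.append(f"{dev}: no heartbeat for {now - hb['ts']}s (last at ts={hb['ts']})")
    return alerts


def availability(jsonl: str, now: int, interval: int = HEARTBEAT_INTERVAL) -> dict[str, float]:
    """Derived metric for the management program: the fraction of expected
    heartbeat slots in [0, now] that each device actually filled."""
    slots_seen: dict[str, set] = {}
    for line in jsonl.splitlines():
        hb = json.loads(line)
        slots_seen.setdefault(hb["device"], set()).add(hb["ts"] // interval)
    expected = now // interval + 1
    return {dev: len(s) / expected for dev, s in slots_seen.items()}
```

Run against the sample with `now=120`, gate-01 raises three alerts (FAR change, location change, FAR over policy) and gate-02 is reported silent with an availability of one third.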