Securing the Biometric Model

Anthony C. LENISKI, Richard C. SKINNER, Shawn F. McGANN
Computer Technology, Purdue University, West Lafayette, IN 47907, USA

Stephen J. ELLIOTT, Ph.D.
Department of Industrial Technology & e-Enterprise Center, Discovery Park, Purdue University, West Lafayette, IN 47907, USA



ABSTRACT

This paper proposes a structured methodology following a full vulnerability analysis of the general biometric model outlined by Mansfield and Wayman (2002). Based on this analysis, a new multidimensional paradigm named the Biometric Architecture & System Security (BASS) model is proposed, which adds comprehensive security and management layers to the existing biometric model.

The BASS model is a structured methodology that guides firms towards employing a solid foundation for any biometric system through the emphasis of security practices at the module and systems level, as well as the standardization of policies and procedures for continued operations.

Keywords: Biometrics, Information Security, Large-scale Implementation, Management, Process Design

1. INTRODUCTION

As demand for biometric systems increases, we propose a novel model so that the implemented biometric application meets the security and management needs of the intended business, organization, or individual. This model, the Biometric Architecture & System Security (BASS) model, provides a guideline through the procedures and considerations that must be made to successfully implement an all-encompassing biometric system.

2. GENERAL BIOMETRIC MODEL

The first step in the General Biometric Model, shown in Figure 1, is Data Collection, which is the measurement of a behavioral/physiological characteristic that is both distinctive and repeatable. The system user's characteristics are presented to a given sensor, which yields the system's input data based upon the biometric measure and the technical characteristics of the sensor.

Figure 1 - General Biometric Model [1]

The second step is Transmission, which occurs locally or over a distance in a distributed environment. If a system requires large amounts of data, a compression technique may be implemented to save system resources; however, this process can deteriorate the signal quality. The third step in the biometric model is the Signal-Processing subsystem, which is divided into three tasks: feature extraction, quality control, and pattern matching. The first task is feature extraction, the non-reversible process of converting a captured biometric sample into data for comparison against a stored reference template. The second is quality control, which checks the captured biometric pattern to verify that an individual's qualities are not defective or insufficient in any way. The third task of the Signal-Processing subsystem is pattern matching, which is the process of making a comparison between one or more identified features of a sample and those of a stored template. The fourth step in the biometric model is the Decision subsystem, which implements system policies by directing the database query to determine matches or non-matches based on the defined threshold and returns a decision based upon the defined system policies. The decision policy is a management preference that is specific to the operational and security requirements of the system. The remaining subsystem is Storage, which stores the feature templates in a database for comparison, by the pattern matcher, to incoming feature samples. The storage of raw data allows changes in the system or system vendor to be made without the need to recollect data from all enrolled users.
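The pipeline described in this section (collection, feature extraction, quality control, pattern matching, threshold decision) as an added Python example; this is not code from the paper. The sensor readings are constructed 32-sample patterns, feature extraction is a toy mean-threshold quantizer, and the two policy thresholds are hypothetical values standing in for the management-defined decision policy. It goes slightly beyond the section by judging the same score under two policies, which shows the trade-off a stricter threshold makes.

```python
"""Toy walk-through of the general biometric model: data collection, signal
processing (feature extraction, quality control, pattern matching) and a
threshold-driven decision.  Added example, not from the paper; every reading
below is constructed, not real biometric data."""

# Decision policy: the threshold is a management choice tied to what is being
# protected (hypothetical policy names and values).
THRESHOLDS = {"standard": 0.80, "high_security": 0.95}
MAX_MISSING_FRACTION = 0.10  # quality-control limit on sensor dropouts


def extract_features(readings):
    """Non-reversible feature extraction: each reading becomes one bit saying
    whether it lies at or above the sample's own mean; dropouts (None) stay None."""
    valid = [r for r in readings if r is not None]
    mean = sum(valid) / len(valid)
    return [None if r is None else int(r >= mean) for r in readings]


def quality_ok(features):
    """Quality control: refuse captures with too many missing positions."""
    missing = sum(1 for b in features if b is None)
    return missing / len(features) <= MAX_MISSING_FRACTION


def similarity(features, template):
    """Pattern matching: fraction of mutually valid positions whose bits agree."""
    compared = agree = 0
    for f, t in zip(features, template):
        if f is None or t is None:
            continue
        compared += 1
        agree += int(f == t)
    return agree / compared if compared else 0.0


def verify(readings, template, policy):
    """One verification attempt; returns (outcome, score)."""
    features = extract_features(readings)
    if not quality_ok(features):
        return ("rejected_quality", None)  # re-capture rather than decide on bad data
    score = similarity(features, template)
    outcome = "match" if score >= THRESHOLDS[policy] else "non-match"
    return (outcome, score)


# --- constructed sample data: 32 readings, ~80 = "ridge", ~20 = "valley" ---
def _readings(pattern):
    return [80 if c == "1" else 20 for c in pattern]


ENROLLED = _readings("10110010011101001010110001110010")
TEMPLATE = extract_features(ENROLLED)  # the stored reference template

# Genuine re-presentation: small sensor noise plus two positions that flipped.
GENUINE = [v + (3 if i % 2 else -3) for i, v in enumerate(ENROLLED)]
GENUINE[5], GENUINE[12] = 80, 80
# A different person's pattern.
IMPOSTOR = _readings("11001100110011001100110011001100")
# Genuine capture with five dropouts: fails quality control before matching.
POOR_QUALITY = list(GENUINE)
for _i in (1, 9, 17, 25, 30):
    POOR_QUALITY[_i] = None

if __name__ == "__main__":
    for name, readings in (("genuine", GENUINE), ("impostor", IMPOSTOR),
                           ("poor quality", POOR_QUALITY)):
        for policy in THRESHOLDS:
            print(f"{name:13s} {policy:14s} -> {verify(readings, TEMPLATE, policy)}")
```

The genuine capture scores 30/32 agreeing bits: accepted under the standard policy, rejected under the stricter one, which is exactly the false-reject cost a higher threshold buys its lower false-accept rate with. The poor-quality capture never reaches the matcher; quality control returns it for re-capture instead of letting a degraded sample drive a decision.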
0-7803-7882-2/03/$17.00 ©2003 IEEE
3. BIOMETRIC ARCHITECTURE & SYSTEM SECURITY MODEL

The Biometric Architecture and System Security (BASS) model extends Mansfield and Wayman's general biometric model concepts and creates the additional functionality required for any biometric deployment. The model, shown in Figure 2, is comprised of three core layers which are necessary to create a total systems approach: Functional, Security, and Management.

Figure 2 - Biometric Architecture & System Security Model (figure not reproduced; module labels visible in the figure: Result, Data Storage, Data Collection)

The Functional layer defines the generic biometric process consisting of Data Collection, Data Storage, Processing, Result, and Transport Modules. While some of the processes share common borders, the Transport Module provides the common interface for all inter-module communication.

The Security and Management Layers coalesce to provide confidentiality, integrity, availability, and authentication for the system. Before any security or management concepts can be properly developed and deployed in a biometric system, an analysis is required on each of the five core biometric modules. This in-depth examination should at least determine the following:

- Assets to be protected
- Attack vectors
- Methods of attacks used on attack vectors
- Expected loss if compromised
- Classification of threat agents
- Risks of attacks by threat agents
- Countermeasures
- Cost effectiveness

The following sections guide the evaluation of each separate module of the Functional Layer to define the roles of Security and Management in a biometric system.

Data Collection Module

The Data Collection Module's objective is to identify the possible vulnerabilities at the point of enrollment and verification in the biometric system, specifically the biometric, device, environment, and information. Before addressing any component of the actual system, the chosen biometric must be evaluated to identify shortcomings along with possible spoofing techniques. With a clear understanding of these faults, it is possible to monitor and compensate for the weaknesses. Furthermore, the biometric device needs to be trusted and physically secure. The environment in which the biometric device is placed plays a key role in physical security. A successful biometric implementation will have its devices located where they cannot be affected by contiguous variables (i.e. lighting, temperature, background color, or interference), where it can recognize only the subject during capture, and where there is a low probability of the device being damaged (intentionally or unintentionally) or stolen. A device must be positioned so that the availability and functionality of the devices is unaffected by the surrounding atmosphere. Vendor environmental specifications of the device must be acknowledged in this level as well.

Information security is the final portion of the Data Collection Module that requires analysis. Implementations can lead to the possibility of a device being spoofed logically, through communication protocols, or physically, by replacing a trusted device with a rogue device. The concept of a trusted device indicates that through the use of some kind of exclusive identification, a biometric device must be authenticated as "trusted" before any transmissions from that device are processed. The use of trusted devices allows the assurance that the biometric data being introduced to the system is legitimate.

To complement the countermeasures taken and ensure that the device is properly maintained, several management-level policies and procedures must be developed when securing a biometric device. One of the most important management routines to be developed is a maintenance schedule, which defines the appropriate cleaning, calibration, and testing plans that are necessary to ensure a properly working device. Employee training and user habituation are also important collection management concepts, which help to ensure that the device is properly used and the data collected is consistent. Another important task of management is monitoring. It is imperative to constantly examine the system's environment to identify and address unanticipated changes before they dramatically affect the biometric system. The most important part of the Management Layer in the Data Collection Module is the policies regarding the integrity of the proof of identification provided during enrollment. Standards for proper identification must be established, such as the use of a birth certificate, government ID, or credentials, to ensure that the enrollee is genuine.
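The trusted-device concept above (authenticate the device before any transmission from it is processed, so that a rogue or swapped-in device is refused) as an added Python example; this is not code from the paper or from any vendor protocol. It assumes a per-device shared key provisioned out of band, a hypothetical capture message layout, and a monotonic sequence number so that a captured message cannot be fed in again later.

```python
"""Trusted-device check for the Data Collection Module: a capture reaches
processing only if it carries a valid MAC under a key shared with a device in
the trust registry, and a sequence number newer than the last one accepted from
that device.  Added example, not from the paper; the device ids, keys and the
message layout are hypothetical."""
import hashlib
import hmac
import json


def _capture_mac(key, device_id, seq, sample):
    """MAC over a canonical encoding of the fields a device sends."""
    body = json.dumps({"device_id": device_id, "seq": seq, "sample": sample},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_capture(device_id, key, seq, sample):
    """Device side: attach the MAC to an outgoing capture (sample = feature bits)."""
    return {"device_id": device_id, "seq": seq, "sample": sample,
            "mac": _capture_mac(key, device_id, seq, sample)}


class DeviceRegistry:
    """System side: the set of devices that have been authenticated as trusted."""

    def __init__(self):
        self._keys = {}      # device_id -> shared key, provisioned out of band
        self._last_seq = {}  # device_id -> highest sequence number accepted

    def enroll(self, device_id, key):
        self._keys[device_id] = key
        self._last_seq[device_id] = -1

    def verify_capture(self, msg):
        """Returns (accepted, reason).  Only accepted captures are processed."""
        device_id = msg.get("device_id")
        key = self._keys.get(device_id)
        if key is None:
            return (False, "unknown device")      # rogue or swapped-in device
        expected = _capture_mac(key, device_id, msg.get("seq"), msg.get("sample"))
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return (False, "bad mac")             # forged or altered in transit
        if msg["seq"] <= self._last_seq[device_id]:
            return (False, "replayed sequence")   # an old capture sent again
        self._last_seq[device_id] = msg["seq"]
        return (True, "ok")


if __name__ == "__main__":
    registry = DeviceRegistry()
    registry.enroll("reader-01", b"constructed-shared-key")   # constructed key
    capture = make_capture("reader-01", b"constructed-shared-key", 1, "1011")
    print(registry.verify_capture(capture))
    print(registry.verify_capture(capture))   # second delivery is refused
    print(registry.verify_capture(make_capture("reader-99", b"x", 1, "1011")))
```

The checks run in the order that costs least to an attacker-controlled input: unknown device first, then the MAC (constant-time comparison), then the sequence window, and the registry state is only advanced once everything has passed.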
Transport Module

The Transport Module is the most vital component in the biometric system due to its interaction with each of the other system modules. The key to the Transport Module is to ensure privacy, authentication, integrity, and non-repudiation for communication between given elements for a secure and trusted system independent of the architecture. Besides the introduction of its own vulnerabilities, the transport layer inherits flaws from other subsystems, making it the most susceptible area in any implementation.

Figure 3 - Transport Sub layers of the BASS Model (figure not reproduced)

The Transport Module implements the OSI network reference model (Figure 3), which is a framework for organizing networking technology and protocol solutions [2]. While the OSI model enables universal communication, the Security and Management layers of the BASS model will emphasize operational considerations for a successful implementation. Security at the Transport layer is broken into two categories: Physical Security and Information Assurance.

Physical security is dependent upon discerning the vulnerabilities in three key areas: Architecture, Medium, and Interfaces. Architecture deals with a system's design principles, stand-alone vs. distributed/networked and physical configurations, which consist of using private or public based technologies. The key area of focus is physical access to the lines and equipment, which is controlled through methods such as protected casings, keyed access, and login authentication. Dependent upon the architecture in a system, various mediums such as wired (i.e. cable, fiber, integrated circuits) and wireless technologies will exist to transport the system data. An analysis should center on each of the medium's vulnerabilities, such as the interception of electrical and optical signals that would compromise a given system through methods such as wire taps, rogue access points, or a variety of other means. To provide physical connections for permitted access into a system, each device, such as the biometric equipment, computers, power sources, communication devices, etc., will employ one or more interfaces. All required interfaces should be protected against unauthorized connections, while nonsensical interfaces are disabled properly. All three features are analyzed individually and then together against the six key questions: Who, What, When, Where, Why, and How.

Physical security provides measures necessary to protect a facility against the effects of unauthorized access, loss, or other intentional damage to a system. As systems move from private implementations to public designs, control over physical security will be undermined by the emphasis for information assurance. The primary goals of information assurance are to provide confidentiality, integrity, availability, and authentication between communicating modules. Confidentiality ensures that unauthorized external or internal sources do not intercept, copy, or replicate the information [3]. Information integrity is confidence in the permanency of the information during communications [4]. Availability refers to the system being accessible at all times for transportation. Lastly, authentication is the process whereby an entity presents and proves its identity to another entity. Cryptographic technologies such as encryption, digital signatures, hashing algorithms, and digital certificates help aid in reducing the risks that are associated with the transport module. Each concept needs to be evaluated as information flows throughout the different layers of the OSI model to ensure trusted communication. To transport data throughout the OSI model, protocols are employed. Each protocol contains innate vulnerabilities which must be analyzed for the appropriate safeguards to be deployed. Examples of such vulnerabilities located in the TCP/IP protocol stack are susceptibility to Man-in-the-middle, Replay, and Denial of Service attacks. While physical security and information assurance provide a blueprint for security, without proper management an entire implementation is completely susceptible.

Management of the transport layer consists of three stages: Prevention, Detection, and Response. Each of these stages is dependent upon having full documentation of the system parameters such as hardware, software, service levels, protocols, addressing, and a systematic analysis of normal operation. The prevention stage incorporates the policies and procedures that are necessary for providing secure and reliable transportation for daily operations. The detection stage incorporates procedures to investigate and identify potential problems or security breaches in the event that the preventative stage fails [3]. The response stage defines the appropriate reaction to the items found in the detection stage for proper recovery and follow-up.

Data Storage Module

The Data Storage Module is one of the most intricate parts of the biometric system due to its responsibility for safeguarding the permanent repository of all information collected from the system's users. Due to
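The detection stage just described depends on the documented baseline of normal operation (which modules talk to which, at what rate) and on the replay and denial-of-service weaknesses named for the TCP/IP stack. As an added Python example, not code from the paper, the following compares a constructed transport log against a hypothetical baseline and reports the deviations the response stage would act on; the log line format, the endpoint names and the rate limit are all assumptions.

```python
"""Detection-stage check for the Transport Module: observed inter-module
traffic is compared against the documented baseline from the prevention
stage and deviations are reported for the response stage.  Added example,
not from the paper; the log format and the baseline values are hypothetical
and the log lines are constructed."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) seq=(?P<seq>\d+) auth=(?P<auth>\w+)$")

# Documented normal operation (hypothetical): which module talks to which, and
# how many messages per minute a source is expected to send at most.
BASELINE = {
    "allowed_flows": {("reader-01", "proc-01"), ("proc-01", "store-01")},
    "max_msgs_per_minute": 5,
}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, baseline):
    """Return a list of (finding, detail) tuples in the order they were observed."""
    findings = []
    per_minute = Counter()          # (src, minute) -> message count
    seen_seq = defaultdict(set)     # src -> sequence numbers already seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line.strip()))
            continue
        src, dst, seq = rec["src"], rec["dst"], int(rec["seq"])
        if (src, dst) not in baseline["allowed_flows"]:
            findings.append(("undocumented_flow", f"{src}->{dst}"))   # unexpected endpoint
        if seq in seen_seq[src]:
            findings.append(("replayed_seq", f"{src} seq={seq}"))     # message seen twice
        seen_seq[src].add(seq)
        if rec["auth"] != "ok":
            findings.append(("auth_failure", f"{src} seq={seq}"))
        bucket = (src, rec["ts"][:16])                                # minute granularity
        per_minute[bucket] += 1
        if per_minute[bucket] == baseline["max_msgs_per_minute"] + 1:
            findings.append(("rate_exceeded", f"{src} at {bucket[1]}"))  # flood sign
    return findings


# Constructed log excerpt (not real traffic).
SAMPLE_LOG = """\
2003-06-01T10:00:01 src=reader-01 dst=proc-01 seq=41 auth=ok
2003-06-01T10:00:02 src=proc-01 dst=store-01 seq=7 auth=ok
2003-06-01T10:00:03 src=reader-01 dst=proc-01 seq=42 auth=ok
2003-06-01T10:00:04 src=reader-01 dst=proc-01 seq=42 auth=ok
2003-06-01T10:00:05 src=reader-07 dst=proc-01 seq=1 auth=fail
2003-06-01T10:01:00 src=reader-01 dst=proc-01 seq=43 auth=ok
2003-06-01T10:01:01 src=reader-01 dst=proc-01 seq=44 auth=ok
2003-06-01T10:01:02 src=reader-01 dst=proc-01 seq=45 auth=ok
2003-06-01T10:01:03 src=reader-01 dst=proc-01 seq=46 auth=ok
2003-06-01T10:01:04 src=reader-01 dst=proc-01 seq=47 auth=ok
2003-06-01T10:01:05 src=reader-01 dst=proc-01 seq=48 auth=ok
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, BASELINE):
        print(*finding)
```

Each finding maps to one of the transport risks the section names: an undocumented flow is what a rogue or interposed host looks like, a repeated sequence number is the replay case, and a source exceeding its documented rate is the first visible sign of a flood. The rate finding fires once per bucket rather than on every excess message so the response stage gets one item to act on, not a stream.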
the highly sensitive nature of this data, the Data Storage Module is liable for not only ensuring the integrity, availability, and accessibility of the data, but also only allowing authorized access by users and other subsystems. The security and management layers provide the necessary mechanisms to meet these core objectives.

The Security Layer of the Data Storage Module is responsible for protecting the data from threat agents and disasters such as loss of power, hardware failure, or environmental cataclysm. The first step towards developing a protection strategy is to determine every point of storage and entry in the system, including both logical and physical locations. Once the location(s) are established, the next step is to address the physical security at each point based on the possible attack vectors or other weaknesses in the system.

One key attribute of physical security is access control, in which methods are applied to restrict access to the storage host(s), backup devices, and storage media to only authorized system users through techniques such as keyed access or other external security service. The second key attribute of physical security is protection, which corresponds to physical measures taken to protect storage components such as a reinforced infrastructure, fire suppression system, and a climate control system. The chosen measures deployed should prevent/reduce the possibility of data loss in the event of an accident or natural disaster. After determining the physical security needs in a system, the next step in the security layer is to ensure information integrity.

Information security in the Data Storage Module consists of mechanisms that protect the warehoused biometric templates as the information is imported and exported from the database. The first mechanism is providing a means of authentication and authorization, which validates the system user and decides if the validated user is allowed to perform the requested action or access the requested data. The second key mechanism is to ensure the integrity of the data being accessed or inserted in the database, which is applied through approaches such as time stamps, data hashes, digital signatures, encrypted storage, and trusted device concepts such as a key infrastructure. Another element of data integrity is an Intrusion Detection System (IDS), which would aid in detection and investigation in the event of an attack. Another vital aspect of the security layer is availability.

The concept of information availability in the Data Storage Module is to provide uninterrupted access to the stored biometric data. The system's minimum availability should be determined to address the amount of redundancy required within the storage solution (i.e. hardware, software, and media). Once complete, a backup and recovery (B/R) approach, via hardware or software based solution(s), is developed to ensure the ability to revert to previously stored information in the event of a failure within the system. While the security layer designs the proper defense principles, the management sub-layers are accountable for ensuring the system's routine performance.

To ensure that the storage solution remains in its ideal state, several management-level policies and procedures must be developed focusing on two key areas: System and Security. System management ensures the appropriate operational and maintenance tasks required for normal system functioning are established. One key task in the system management layer is to routinely assess and document the capacity and access speed of the database and computing system. These results should be compared with the defined system specifications to ensure that the biometric solution is functioning properly and efficiently. Another key task in system management is to keep all the system's hardware and software updated with the latest service packs and patches from trusted vendors. All vendor-released fixes should be initially implemented in a test environment and then implemented into the production system if the corrections improve the system's efficiency or interoperability, or correct documented vulnerabilities. The second key area of the management layer is security.

Security management provides the policies and procedures necessary to execute the defined mechanism of the security layer. The first important security management consideration is access control, in which parameters including users and permissions should be documented and verified periodically to ensure system security. Through the application of logging, audit trails should also be conducted and supervised regularly to verify that only authorized personnel and trusted system entities access and/or manipulate the database. Another important concept of security management is backup management.

Backup management is essential in case the biometric system is compromised or has experienced a hardware failure; the backup can be used to restore the system to an operational state without total loss of information. The first step in backup management is selecting a backup system, such as tape or optical, based upon an analysis of the following:

- Amount of data
- Backup time
- Frequency of the backup
- Restoration time
- Backup topology
- Overall cost

After determining the backup system, the second step in backup management is developing the necessary policies and procedures needed to implement a backup system. Some key considerations for the backup system include backup schedule, resources, authorized personnel, storage, and backup integrity.
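The Data Storage mechanisms above (authentication and authorization before access, time stamps and data hashes for integrity, an audit trail of who touched the database, and a backup whose integrity is checked before it is restored) as an added Python example; this is not code from the paper. The role table, principal names, the fixed clock and the scripted scenario are all constructed for illustration.

```python
"""Data Storage Module mechanisms in miniature: authorization before any
access, a per-record digest plus time stamp so tampering is detected on read,
an audit trail of every access decision, and a backup whose records are
verified before restore.  Added example, not from the paper; the roles,
principals and clock values are hypothetical."""
import hashlib
import json
import time

# Hypothetical role -> permitted actions table (the documented access-control parameters).
PERMISSIONS = {"enroller": {"write"}, "matcher": {"read"}, "auditor": {"audit"}}


class AuthorizationError(Exception):
    pass


class IntegrityError(Exception):
    pass


def _digest(record):
    """SHA-256 over the canonical encoding of every field except the digest itself."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class TemplateStore:
    def __init__(self, clock=time.time):
        self._rows = {}     # subject_id -> record
        self._audit = []    # (time, principal, role, action, result)
        self._clock = clock

    def _authorize(self, principal, role, action):
        allowed = action in PERMISSIONS.get(role, set())
        self._audit.append((self._clock(), principal, role, action,
                            "allowed" if allowed else "denied"))
        if not allowed:
            raise AuthorizationError(f"{principal} ({role}) may not {action}")

    def put(self, principal, role, subject_id, template_bits):
        self._authorize(principal, role, "write")
        record = {"subject_id": subject_id, "template": template_bits,
                  "stored_at": self._clock()}
        record["digest"] = _digest(record)
        self._rows[subject_id] = record

    def get(self, principal, role, subject_id):
        self._authorize(principal, role, "read")
        record = self._rows[subject_id]
        if _digest(record) != record["digest"]:
            raise IntegrityError(f"record for {subject_id} was altered outside the API")
        return record["template"]

    def audit_trail(self, principal, role):
        self._authorize(principal, role, "audit")
        return list(self._audit)

    def snapshot(self):
        """Backup export; records keep their digests so restore can verify them."""
        return json.dumps(self._rows, sort_keys=True)

    def restore(self, blob):
        rows = json.loads(blob)
        for record in rows.values():
            if _digest(record) != record["digest"]:
                raise IntegrityError("backup copy fails verification")
        self._rows = rows


def demo():
    """Scripted scenario; returns the observed outcomes (constructed data)."""
    store = TemplateStore(clock=lambda: 1000.0)     # fixed clock for repeatability
    store.put("enroll-station", "enroller", "subj-1", "1011")
    backup = store.snapshot()
    out = {"read": store.get("matcher-svc", "matcher", "subj-1")}
    try:
        store.put("matcher-svc", "matcher", "subj-2", "0000")   # wrong role
        out["unauthorized_write"] = "allowed"
    except AuthorizationError:
        out["unauthorized_write"] = "denied"
    store._rows["subj-1"]["template"] = "0000"   # tampering that bypasses the API
    try:
        store.get("matcher-svc", "matcher", "subj-1")
        out["tampered_read"] = "undetected"
    except IntegrityError:
        out["tampered_read"] = "detected"
    store.restore(backup)
    out["after_restore"] = store.get("matcher-svc", "matcher", "subj-1")
    out["audit_entries"] = len(store.audit_trail("auditor-1", "auditor"))
    return out


if __name__ == "__main__":
    print(demo())
```

The audit entry is written before the permission result is known, so denied attempts are recorded as well as successful ones, which is what a periodic review of the trail needs to see. A plain digest detects alteration by someone who reached the storage without going through the application; it does not by itself stop an attacker who can also rewrite the digest, which is why the paper pairs hashes with digital signatures or a key infrastructure.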
Processing Module

The Processing Module of the BASS model identifies the necessary precautions that must be taken at any instance in a given system where biometric data is processed. The Processing Module draws data from the Data Collection and Data Storage Modules and performs the biometric comparison for the decision. The Processing Module is comprised of two sublayers: Operating System and Application.

Physically securing the operating system and application sublayers follows the same outline as the Data Storage Module. To ensure the reliability of the system, ample hard drive back-ups and redundant power supplies should be included when implementing the processing components of the biometric system. Physical access should be restricted as needed and consistently monitored at all times. Further concerns that should be analyzed are environmental factors such as fire suppression and climate control. Additionally, all non-essential peripherals such as floppy drives, CD-ROM, modems, and other unused interfaces should be disabled or completely removed from the machines. The separation of the Processing Module sub-modules occurs in the information security and management layer of the BASS Model.

The operating system sublayer (OSS) encompasses the risks intertwined with the chosen platforms on which the biometric system runs. It is important to realize at this level that there are potentially multiple operating systems running within the biometric system, and each must be secured accordingly. These operating systems are located throughout the other modules of the BASS Model, but are directly addressed in the OSS. Each operating system in the market has numerous known vulnerabilities. Those running the biometric solution must be researched for such documented hazards, and the proper fixes applied. Furthermore, any unnecessary networking components, services, and default users/accounts should be removed and/or disabled wherever possible. To monitor the system for unauthorized access, an IDS program should also be installed on the operating system to aid in the uncovering of an invasion as well as provide a way of auditing to identify the point of entry. Finally, virus protection should be introduced to the operating system for protection in the event a virus infects the platform.

Managing the security of the operating system deals with the practices and preservation of the operating system to ensure that only authorized users are granted access, and the operating system itself is up-to-date with the most recent revisions. This process begins with monitoring the publicly documented vulnerabilities. New flaws and bugs in the OS design as well as new viruses are discovered on an almost daily basis, and as such need to be accounted for immediately. The proper fixes, patches, service packs, and virus definitions should be tested and installed as they are deployed by the vendors. Login to the machines in the biometric system should be restricted at the operating system level to prevent any internal or external threat agents from accessing the system. Policies on all account passwords should be included, such as minimum password length, mixed character and symbol requirements, and password expiration periods. The final function of management is to determine handling of the backup media to ensure that it is not tampered with, copied, or otherwise damaged.

Due to the proprietary nature of current biometric applications, there are a number of implications that are addressed in the Application Sub layer of the Processing Module. Backdoors, logic bombs, and virus susceptibility are just a few of the possible deficiencies that a biometric application can introduce to a system. The Application Sub layer interacts directly with both the biometric device and the database over the Transport Module. Time stamps, digital signatures, and the "trusted" concept should be utilized in the application sublayer to ensure that the data being pulled is legitimate so that it can be compared by the application using the given biometric algorithm. To reach the appropriate decision, the threshold level should be applied within the application to the determined levels.

The management layer of the application sublayer will determine the threshold levels that are required based on an appraisal of the value of the asset(s) being protected, the users who will interact with the biometric system, environmental variables, and overall set security conditions. Biometric applications extract data from the device, query information from the database, and make comparisons and decisions simultaneously. This creates a heavy demand on the CPU; therefore an analysis of the biometric software must be performed beforehand to determine the processor speed and RAM specifications for the system. The utilization of system resources should be monitored constantly, and upgrades should be made as needed.

Result Module

The Result Module of the BASS model deals with an area of the biometric process that can often go overlooked because the vulnerabilities at the Transport, Processing, and Data Storage Modules are more apparent and traditional in information security. The Result Module provides the protection measures for a biometric system at the stage after the biometric has been presented to the device, transported, processed, and compared.

The application makes a decision based on the biometric that has been presented and its comparison with a stored template in the database. The application will respond with one of two answers: yes, this person has been identified, or no, this person has not been identified. The most obvious way for a threat agent to penetrate a biometric system is to tap in at this point and insert false decisions. If this can be achieved, the threat agent will have complete control over who is
identified and who is not, making any security                                       5.   BIBLIOGRAPHY
measures taken in any of the other modules completely
irrelevant. Much of the prevention of this kind of                 [ I ] Mansfield, A.J. and I.L. Wayman, Best Practices
attack may correlate with the other modules in the                       in Testing and Reporring Performances of
BASS model, like encryption, digital signatures, or a                    Biomerric Devices. 2002, Biometric Working
trusted decision (similar to a trusted device). The                      Group. p. 32.
integrity of a system following the BASS model relies
solely on the decision that is produced.                           [2] J.E. Goldman, P.T. Rawles, Applied Data
Once the decision has been returned it is important to             Communications: A Business Oriented Approach, New
instill a number of policies and procedures for the                York: John Wiley & Sons, Inc., 2001
events that happen thereafter.       First of all, it is
important to monitor the decisions that are made. Logs             [3] J. E. Canavan, Fundame?rals of Network Security.
should he kept containing the user being verified, the             Boston: Artech House, 2001
time and location of the verification, the actual
decision (yeslno), and any other pertinent data that               [4] T. Bellocci, C. B. Ang, P. Ray, S . Nof, Information
could assure that the system is making the right                   Assurance in Networked Enterprises: Definition,
decision for the right people.           Scheduled and             Requirements, and Experimental Results CERIAS,
unscheduled auditing trails will assist the system in              School of Industrial Engineering, Purdue University
validating that the processes and information are                  January 2001
holding their value. Additionally there is a need to
have regulations in place in case there is a false-reject.
No biometric algorithm is perfect, and moreover there
are people whose bodies or behavior may be
incompatible with these systems, and thus these
potentia1 problems need to he address in the
management layer. Likewise, in the event of a false-
accept, there must he directives in place for the
removal of such individuals who gain false access to
the assets protected by the biometric system.

                    4.   CONCLUSION

This model extends current best practices of
management policies and procedures in the information
systems security discipline by overlaying them to the
general biometric model [I]. Therefore, the authors are
taking an existing set of paradigms from one discipline
and applying them to another. Biometrics is a rapidly
expanding market, as governments, companies, and
consumers demand higher security to protect valuable
assets.    Without proper security measures and
reinforcement from management, adding biometrics,
whose sole purpose is to improve security, would he a
waste of resources. As biometric systems begin to
move into the mainstream, many of the vulnerabilities
inherent in the nature of these systems' components
will be exposed and exploited allowing threat agents to
manipulate any or all parts of the biometric process. As
a structured methodology, the BASS model integrates
both security and management concepts into the
functional modules, resulting in a comprehensive
technique for securing any biometric system.
Following the guidelines set forth in the modules of the
BASS model is an essential duty, which should be
performed in all biometric implementations to ensure
the availability, confidentiality, and integrity of the
system. Doing so will ensure a high success rate for all
BASS-compliant biometric systems.
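The Result Module above calls for a trusted decision that cannot be altered between matcher and application, plus a log of user, time, location and yes/no that can be audited and fed into the false-reject and false-accept procedures. The following is an added example, not code from the paper, that assumes a Python relying application and uses an HMAC over a shared key in place of the digital signature the paper mentions; it rejects a decision that was altered, replayed or is stale, logs every verdict, and derives from the log the users who were admitted and the users who should enter the false-reject review.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key. Assumption: a shared-key HMAC stands in for the
# digital signature / trusted-decision mechanism the paper names; the key is
# provisioned only to the matcher and to the relying application.
MATCHER_KEY = b"constructed-example-key-not-for-deployment"
MAX_AGE_SECONDS = 30  # how long an issued decision stays usable


def canonical(record):
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_decision(user_id, location, identified, key=MATCHER_KEY, now=None):
    """Matcher side: the yes/no decision plus the fields the Result Module says
    must be logged (user, time, location), a single-use nonce, and a tag."""
    record = {
        "user": user_id,
        "location": location,
        "decision": "yes" if identified else "no",
        "time": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
    }
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


class DecisionVerifier:
    """Relying side: act only on untampered, fresh, unreplayed decisions."""

    def __init__(self, key=MATCHER_KEY, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()
        self.audit_log = []  # every verdict, failures included

    def verify(self, signed, now=None):
        now = int(time.time() if now is None else now)
        record, tag = signed["record"], signed["tag"]
        expected = hmac.new(self.key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            status = "rejected:bad-mac"  # altered or forged after issuance
        elif abs(now - record["time"]) > self.max_age:
            status = "rejected:stale"    # too old, or clocks far apart
        elif record["nonce"] in self.seen_nonces:
            status = "rejected:replay"   # the same decision presented twice
        else:
            self.seen_nonces.add(record["nonce"])
            status = "verified"
        # Logging the failures too lets an audit locate the point of injection.
        self.audit_log.append({**record, "status": status, "checked_at": now})
        return status == "verified", status


def accepted_users(verifier):
    """Users granted access by a verified 'yes' decision."""
    return sorted({e["user"] for e in verifier.audit_log
                   if e["status"] == "verified" and e["decision"] == "yes"})


def users_needing_review(verifier, reject_threshold=3):
    """Users whose verified 'no' count reaches the threshold: candidates for
    the false-reject procedure the management layer has to define."""
    counts = {}
    for e in verifier.audit_log:
        if e["status"] == "verified" and e["decision"] == "no":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, c in counts.items() if c >= reject_threshold)


def run_scenario():
    """Constructed sequence of decisions that exercises every check."""
    v = DecisionVerifier()
    t0 = 1_700_000_000  # constructed reference clock
    genuine = issue_decision("u-1042", "door-A", True, now=t0)
    _, s_genuine = v.verify(genuine, now=t0 + 1)
    # Tampering: a 'no' flipped to 'yes' after issuance no longer matches its tag.
    forged = issue_decision("u-2001", "door-A", False, now=t0)
    forged["record"]["decision"] = "yes"
    _, s_forged = v.verify(forged, now=t0 + 1)
    # Replay: the genuine decision presented a second time.
    _, s_replay = v.verify(genuine, now=t0 + 2)
    # Stale: a decision issued 100 s ago.
    _, s_stale = v.verify(issue_decision("u-1042", "door-B", True, now=t0 - 100), now=t0)
    # Three genuine rejects of one user, which should land in the review queue.
    for i in range(3):
        v.verify(issue_decision("u-3003", "door-A", False, now=t0 + i), now=t0 + i)
    failures = [e for e in v.audit_log if e["status"] != "verified"]
    return {"genuine": s_genuine, "forged": s_forged, "replay": s_replay,
            "stale": s_stale, "accepted": accepted_users(v),
            "review": users_needing_review(v), "failures": failures}
```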

(2003) Securing the Biometric Model