Symbiosis Law School, NOIDA
ICT Project (interim submission)
Topic: New IC Technologies in Authentication Systems
Name: Yougal Mehta, BBA-LL.B (Division A), Roll No. 58

Introduction

In today's information technology world, security for systems is becoming more and more important. The number of systems that have been compromised is ever increasing, and authentication plays a major role as a first line of defence against intruders. The three main types of authentication are something you know (such as a password), something you have (such as a card or token), and something you are (a biometric). Passwords are notorious for being weak and easily crackable because of human nature and our tendency to make passwords easy to remember or to write them down somewhere easily accessible. Cards and tokens can be presented by anyone, and although the token or card is recognisable, there is no way of knowing whether the person presenting it is the actual owner. Biometrics, on the other hand, provide a secure method of authentication and identification, as they are difficult to replicate or steal. If a biometric is used in conjunction with something you know, this achieves what is known as two-factor authentication. Two-factor authentication is much stronger, as it requires both components before a user is able to access anything. Biometric identification uses physiological and behavioural characteristics to authenticate a person's identity. Common physical characteristics used for identification include fingerprints, palm prints, hand geometry, retinal patterns and iris patterns. Behavioural characteristics include signature, voice pattern and keystroke dynamics. A biometric system
works by capturing and storing the biometric information and then comparing the scanned biometric with what is stored in the repository.

History

In the mid-1980s two ophthalmologists, Drs Leonard Flom and Aran Safir, proposed that no two irises are alike, even in twins, which makes the iris a good biometric. This belief was based on their clinical experience, in which they observed the distinctive features of irises, including the "many collagenous fibres, contraction furrows, coronas, crypts, colour, serpentine vasculature, striations, freckles, rifts and pits" [2]. After researching and documenting the potential use of irises as a means of identifying people, they were awarded a patent in 1987. In 1989 they approached Dr John Daugman, a Harvard mathematician, to assist with creating the mathematical algorithms required for digitally encoding an image of an iris so that it can be compared with a real-time image. By 1994 the algorithms had been developed and patented, and they are now used as "the basis for all recognition systems and products" currently being developed and sold.

Tokens with an Image (Disconnected Tokens)

A number of types of credit-card-size tokens are available on the market. These tokens carry an image or a collection of images (an array of images). At the time of registration, the user chooses a pattern using the token. Combining the two (the token's image and the chosen pattern), the user generates an OTP and submits it to the two-factor authentication product. These tokens are very cheap compared with other hardware tokens, since they need not contain any electronics. They are easy to carry, being exactly the size and weight of a credit card, and fit easily into a pocket. They are cost effective because they can be manufactured easily, even when a token is lost.

Smartcards

Smart cards are about the same size as a credit card. Some vendors offer smart cards that perform both the function of a proximity card and network authentication.
Users can authenticate themselves to the building via proximity detection and then insert the card into their PC to produce network logon credentials. In fact, the cards can be multi-purposed to hold several sets of
credentials, as well as electronic purse functionality, for example for use in a staff canteen. They can also serve as ID badges.

In some countries, notably in Europe and Asia, banks and financial institutions have implemented Chip Authentication Program technology, which pairs a banking smart card with an independent, unconnected card reader. Using the card, the reader and the ATM PIN as factors, a one-time password is generated that can then be used in place of passwords. The technology offers some protection against transaction alteration through Transaction Data Signing, where information from the transaction is included in the calculation of the one-time password. It does not, however, prevent man-in-the-middle or man-in-the-browser attacks, because a fraudster who controls the user's internet connection, or who is redirecting the user to the legitimate website via a hostile proxy, may alter the transaction data "in line" before it arrives at the web server for processing, resulting in an otherwise valid transaction signature being generated for fraudulent data.

As has already been indicated, there are two kinds of smartcard: contact smartcards, with a pattern of gold-plated contacts, and contactless or proximity cards, with an RFID chip embedded in the plastic. The former are more often used in banking and as a second factor, and can conveniently be carried with other credit, debit and loyalty cards in a wallet. They are normally loaded with an X.509 certificate. However, they do need a special reader. Some laptops and thin-client terminals have a smartcard reader built in, and PC Card smartcard readers are available that can be kept permanently within the shell of the laptop. Alternatively, USB smartcard readers are available that are no more expensive than many display tokens; in fact, some smartcards have an interface that is electrically (but not mechanically) USB, so that the reader needs no intelligence whatsoever and consequently can be very cheap.
Even so, this is less convenient than a built-in or PC Card reader, but it is a good option for a desktop computer.

Wireless

Contactless smartcards as described above can be used as a second factor. Other forms of RFID token can be used, as can Bluetooth.
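The Transaction Data Signing point in the Smartcards section above is easiest to see in code. The following is an added example written for this page, not code from any bank, card vendor or the CAP specification: a real card computes its cryptogram inside the chip, whereas this model stands in an HMAC over a canonical encoding of the bank's challenge and the transaction fields, truncated to eight digits the way HOTP does. The card secret, challenge and transaction values are constructed for the example. It shows that the bank's check catches any change made to the fields after the user signed them, and also the limitation the text describes: if the fields reaching the signing step have already been altered in line, the signature is valid for the fraudulent data and the bank has nothing to reject.

```python
import hashlib
import hmac
import struct

# Constructed per-card secret; in a real deployment it never leaves the chip.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical(challenge: str, amount_cents: int, payee: str) -> bytes:
    """Unambiguous, length-prefixed encoding of every field the signature covers."""
    payee_b = payee.encode("utf-8")
    return (challenge.encode("ascii") + b"\x00"
            + struct.pack(">Q", amount_cents)
            + struct.pack(">H", len(payee_b)) + payee_b)


def sign_transaction(card_secret: bytes, challenge: str, amount_cents: int,
                     payee: str, digits: int = 8) -> str:
    """What the unconnected reader displays: an OTP bound to the transaction data."""
    mac = hmac.new(card_secret, canonical(challenge, amount_cents, payee),
                   hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 31 bits at an offset taken
    # from the last nibble of the MAC, then reduced to the wanted digit count.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_verifies(card_secret: bytes, challenge: str, received_amount: int,
                  received_payee: str, submitted_otp: str) -> bool:
    """The bank recomputes the OTP over the fields *it* received and compares
    in constant time; any post-signing change to amount or payee breaks it."""
    expected = sign_transaction(card_secret, challenge, received_amount, received_payee)
    return hmac.compare_digest(expected, submitted_otp)


def tamper_after_signing() -> bool:
    """User signs the genuine fields; the payee is changed in transit afterwards.
    Verification fails, so Transaction Data Signing does its job here."""
    otp = sign_transaction(CARD_SECRET, "48213907", 12500, "Payee A")
    return bank_verifies(CARD_SECRET, "48213907", 12500, "Payee B", otp)


def tamper_before_signing() -> bool:
    """The fields were altered before the signing step, so the fraudulent payee
    is both what gets signed and what the bank checks. Verification succeeds:
    this is the man-in-the-browser case the text describes, which TDS cannot catch."""
    otp = sign_transaction(CARD_SECRET, "48213907", 12500, "Payee B")
    return bank_verifies(CARD_SECRET, "48213907", 12500, "Payee B", otp)


if __name__ == "__main__":
    print("OTP for genuine transaction:",
          sign_transaction(CARD_SECRET, "48213907", 12500, "Payee A"))
    print("Altered after signing accepted?", tamper_after_signing())
    print("Altered before signing accepted?", tamper_before_signing())
```

The second scenario is why the signing step must show the user exactly what is being signed on a device the browser cannot influence (the unconnected reader, or the phone in the Smartphone Push section later on); the cryptography only binds the OTP to whatever fields were present at signing time.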
Magnetic Stripe Cards

Magnetic stripe cards (credit cards, debit cards, ATM cards, loyalty cards, gift cards, etc.) are easily cloned and so are being, or have been, replaced in various regions by smartcards. However, even though the data on the magnetic stripe is easily copied, researchers at Washington University in St. Louis have found that the random and unique disposition of the billions of individual magnetic particles on each magnetic stripe can be used to derive a "magnetic fingerprint" that is virtually impossible to clone. This is an example of a physically unclonable function. Special magnetic card readers, commercialised under the name "Magneprint", have been developed that can digitise this fingerprint in order to positively identify an individual card.

Perfect Paper Passwords (PPP)

PPP is an authentication mechanism devised by Steve Gibson and based on a type of one-time pad, unencumbered by patents or licence fees. The user is given a printed card (which can conveniently be formatted into a wallet-friendly credit-card size) containing an array of pseudo-random numbers generated from a secret seed. To authenticate, the user is challenged with a row and column from the current sheet of the pad and has to respond with the corresponding pseudo-random number. The secret seed is protected by the cryptographic process used to generate the pseudo-random numbers, but there is nothing to stop a card being stolen or copied. Should this occur, it can be invalidated at the authentication screen and a new (hopefully uncompromised) card can be used. New cards can be printed out by the user at any time.

Mobile phones

There is presently only limited discussion of using wired phones for authentication; most applications focus on the use of mobile phones instead. A new category of TFA tools transforms the PC user's mobile phone into a token device using SMS messaging, an interactive telephone call, or via
a downloadable application for a smartphone. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism.

Smartphone Push

The push notification services offered by modern mobile platforms, such as the iPhone's APNS and Android's C2DM, can be used to provide a real-time challenge/response mechanism on a mobile device. Upon performing a sensitive transaction or login, the user instantly receives a challenge pushed to their mobile phone, is prompted with the full details of that transaction, and can approve or deny it simply by pressing a button on the phone. Smartphone push two-factor authentication has the potential to be not only more user-friendly but also more secure, as a mutually authenticated connection can be established to the phone over the data network.

Password security

Another concern is the security of the TFA tools and their systems. Several products store passwords in plain text, either in the token or smart card software or in its associated management server. There is a further argument that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token or smart card. For example, to show all passwords stored in Internet Explorer, all an intruder has to do is boot the Microsoft Windows OS into safe mode (with network support) and scan the hard drive (using certain freely available utilities). However, requiring the physical token to be present at all times during a session can negate this.
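Both the disconnected image tokens (Tokens with an Image section) and Perfect Paper Passwords are printed grids derived from a secret seed, so one added example serves both sections. This is illustrative code written for this page, not Steve Gibson's PPP implementation nor any token vendor's product: PPP derives its sheets with a cipher-based generator, and here HMAC-SHA256 keyed with the seed stands in for it. The grid dimensions, the 32-symbol alphabet, the constructed seed and the policy of consuming each issued cell exactly once are all choices made for the example. The same grid is used in two ways: the PPP style, where the server challenges with a row and column and expects the cell's code, and the pattern style, where the user registered a secret set of cells and reads the OTP off them; sheet revocation models invalidating a lost or copied card.

```python
import hashlib
import hmac

# Constructed layout: 10 rows x 7 columns per sheet, 4 symbols per cell,
# 32-symbol alphabet without 0/O/1/I so that 256 % 32 == 0 keeps sampling unbiased.
ROWS, COLS, CODE_LEN = 10, 7, 4
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"


def cell_code(seed: bytes, sheet: int, row: int, col: int) -> str:
    """Derive one cell of one sheet from the secret seed (HMAC stands in for PPP's cipher)."""
    digest = hmac.new(seed, f"{sheet}:{row}:{col}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:CODE_LEN])


def render_sheet(seed: bytes, sheet: int) -> list:
    """The grid that would be printed on the wallet card for this sheet number."""
    return [[cell_code(seed, sheet, r, c) for c in range(COLS)] for r in range(ROWS)]


def pattern_otp(seed: bytes, sheet: int, pattern: list) -> str:
    """Disconnected image token: the OTP is the codes at the user's secret cells,
    read in the order the pattern was registered."""
    return "".join(cell_code(seed, sheet, r, c) for r, c in pattern)


class PaperPasswordServer:
    """PPP-style verifier: issues cells strictly in order, accepts each once."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0          # index of the next cell to issue, across sheets
        self.outstanding = set()  # challenges issued but not yet answered
        self.revoked = set()      # sheet numbers invalidated by the user

    def next_challenge(self) -> tuple:
        while True:
            idx, self.counter = self.counter, self.counter + 1
            sheet, cell = idx // (ROWS * COLS) + 1, idx % (ROWS * COLS)
            if sheet not in self.revoked:
                challenge = (sheet, cell // COLS, cell % COLS)
                self.outstanding.add(challenge)
                return challenge

    def verify(self, challenge: tuple, response: str) -> bool:
        # A cell is consumed on its first answer, right or wrong, so a copied
        # card gives no second attempt at a cell the legitimate user already used.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        sheet, row, col = challenge
        if sheet in self.revoked:
            return False
        expected = cell_code(self.seed, sheet, row, col).encode()
        return hmac.compare_digest(expected, response.strip().upper().encode())

    def revoke_sheet(self, sheet: int) -> None:
        """Invalidate a lost or copied sheet and skip ahead to the next one."""
        self.revoked.add(sheet)
        self.outstanding = {ch for ch in self.outstanding if ch[0] != sheet}
        if self.counter // (ROWS * COLS) + 1 <= sheet:
            self.counter = sheet * ROWS * COLS


if __name__ == "__main__":
    seed = b"constructed-example-seed"
    for row in render_sheet(seed, 1):
        print(" ".join(row))
    server = PaperPasswordServer(seed)
    challenge = server.next_challenge()
    print("challenge (sheet,row,col):", challenge,
          "accepted:", server.verify(challenge, cell_code(seed, *challenge)))
```

The server never stores the printed codes, only the seed, which is the property the text attributes to PPP; revoking a sheet is what "invalidated at the authentication screen" amounts to, and a reprinted card is just a later sheet number.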
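The Smartphone Push section describes a real-time challenge/response in which the phone shows the full transaction details and the user approves or denies with one press. The following added example models that exchange on both sides; it is written for this page and is not code from APNS, C2DM or any push-authentication vendor. The push transport itself is out of scope (the challenge dict is simply handed to the device function), per-device keys are constructed shared secrets standing in for the asymmetric keys a real enrolment would use, and the clock is injectable so expiry can be tested. The security-relevant parts are that the device's answer is a MAC over the challenge id, nonce, the exact details displayed and the decision, so a server can only credit an approval of what the user actually saw, and that each challenge is single-use and time-limited.

```python
import hashlib
import hmac
import json
import secrets
import time


def response_tag(device_key: bytes, challenge: dict, decision: str) -> str:
    """MAC binding the decision to this challenge and to the details that were displayed."""
    signed = {"id": challenge["id"], "nonce": challenge["nonce"],
              "details": challenge["details"], "decision": decision}
    payload = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, payload, hashlib.sha256).hexdigest()


class PushServer:
    """Issues challenges for sensitive actions and checks the phone's answer."""

    def __init__(self, device_keys: dict, ttl: float = 60.0, clock=time.time):
        self.device_keys = device_keys   # device_id -> constructed shared secret
        self.ttl = ttl
        self.clock = clock
        self.pending = {}                # challenge id -> challenge still awaiting an answer

    def issue(self, device_id: str, details: dict) -> dict:
        """Create the challenge that would be pushed to the user's phone."""
        challenge = {
            "id": secrets.token_hex(8),
            "nonce": secrets.token_hex(16),
            "device": device_id,
            "details": details,                  # what the phone will display verbatim
            "expires": self.clock() + self.ttl,
        }
        self.pending[challenge["id"]] = challenge
        return challenge

    def verify(self, challenge_id: str, decision: str, tag: str) -> str:
        """Returns 'approved', 'denied' or 'rejected' (unknown, replayed, expired or forged)."""
        challenge = self.pending.pop(challenge_id, None)   # single use, whatever the outcome
        if challenge is None or self.clock() > challenge["expires"]:
            return "rejected"
        if decision not in ("approve", "deny"):
            return "rejected"
        expected = response_tag(self.device_keys[challenge["device"]], challenge, decision)
        if not hmac.compare_digest(expected, tag):
            return "rejected"
        return "approved" if decision == "approve" else "denied"


def device_respond(device_key: bytes, pushed: dict, user_approves: bool) -> tuple:
    """Phone side: the app shows pushed['details'] and the user presses one button."""
    decision = "approve" if user_approves else "deny"
    return pushed["id"], decision, response_tag(device_key, pushed, decision)


if __name__ == "__main__":
    keys = {"phone-1": b"constructed-device-key"}
    server = PushServer(keys)
    pushed = server.issue("phone-1", {"action": "login", "from_ip": "203.0.113.7"})
    print("phone displays:", pushed["details"])
    cid, decision, tag = device_respond(keys["phone-1"], pushed, user_approves=True)
    print("server result:", server.verify(cid, decision, tag))
    print("replay result:", server.verify(cid, decision, tag))
```

Because the details are part of what the tag covers, a server that later changed its record of the transaction would fail its own check, and a captured "approve" for one login cannot be replayed for another.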