Ynamono Hs Lecture

1,164 views

Published on

describe authentication concept

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,164
On SlideShare
0
From Embeds
0
Number of Embeds
33
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Ynamono Hs Lecture

    1. 1. Authentication with Smartcards and Fingerprints Himanshu Khurana Joe Muggli NCSA, UIUC March 30, 2006
    2. 2. Outline <ul><li>Introduction </li></ul><ul><li>Smartcards </li></ul><ul><li>Biometrics: fingerprints </li></ul><ul><li>Illinois Terrorism Task Force (ITTF) Project </li></ul><ul><li>Interactive Demonstration </li></ul>
    3. 3. Authentication Goals <ul><li>Basic Goal </li></ul><ul><ul><li>Verify the unique identity of the requestor </li></ul></ul><ul><li>Additional goals in a networked world </li></ul><ul><ul><li>Prevent leak of secrets </li></ul></ul><ul><ul><li>Prevent replay attacks </li></ul></ul><ul><ul><li>Global scalability </li></ul></ul><ul><ul><li>Offline operation capability </li></ul></ul><ul><ul><li>High assurance </li></ul></ul><ul><ul><li>… </li></ul></ul>
    4. 4. Passwords are not enough <ul><li>Basic Goal </li></ul><ul><ul><li>Verify the unique identity of the requestor </li></ul></ul><ul><li>Additional goals in a networked world </li></ul><ul><ul><li>Prevent leak of secrets </li></ul></ul><ul><ul><li>Prevent replay attacks </li></ul></ul><ul><ul><li>Global scalability </li></ul></ul><ul><ul><li>Offline operation capability </li></ul></ul><ul><ul><li>High assurance </li></ul></ul><ul><ul><li>… </li></ul></ul>X X X <ul><li>Passwords are vulnerable to </li></ul><ul><li>dictionary attacks </li></ul><ul><li>theft </li></ul><ul><li>collusion attacks (users can </li></ul><ul><li>share passwords) </li></ul>
    5. 5. Solution: Multi-factor Authentication <ul><li>Multi-factor authentication: combination of </li></ul><ul><ul><li>What you know; e.g., passwords, PINs </li></ul></ul><ul><ul><li>What you have; e.g., OTP tokens, smartcards </li></ul></ul><ul><ul><li>What you are (biometrics); e.g., fingerprints, iris scans, face recognition </li></ul></ul><ul><li>Typically two-factor authentication is used; e.g., </li></ul><ul><ul><li>PIN + Card (e.g. ATMs) </li></ul></ul><ul><ul><li>Password + One-time-password (OTP) token </li></ul></ul><ul><ul><li>Fingerprint + Smartcard </li></ul></ul><ul><li>Main vendors : Entrust, RSA, Aladdin, Todos, TaraSekure, Vaco, SafeNet, ... </li></ul>
    6. 6. Public-Key Infrastructure (PKI) <ul><li>Public Key Cryptography </li></ul><ul><ul><li>Sign with private key, </li></ul></ul><ul><ul><li>verify signature with public key </li></ul></ul><ul><ul><li>Encrypt with public key, decrypt with private key </li></ul></ul><ul><li>Key Distribution </li></ul><ul><ul><li>Who does a public key belong to? </li></ul></ul><ul><ul><li>Certification Authority (CA) verifies user’s identity and signs certificate </li></ul></ul><ul><ul><li>Certificate is a document that binds the user’s identity to a public key </li></ul></ul><ul><li>Authentication </li></ul><ul><ul><li>Signature [ h ( random, … ) ] </li></ul></ul>Subject: CA signs Issuer: CA Subject: Jim Issuer: CA Source: Jim Basney’s MyProxy presentation
    7. 7. Authentication with Digital Signatures Alice Bob Nonce Hash Signing key SK A Enc Nonce Request Signed Nonce Dec Verif. key PK A Hash Match?
    8. 8. Authentication with Smartcards and PKI <ul><li>Unlike passwords private keys cannot be remembered (typically, 1024 bits) </li></ul><ul><li>File based storage provides weak security and no mobility </li></ul><ul><li>Smartcards provide secure, tamper-resistant storage with mobility </li></ul><ul><ul><li>Less easily shared than passwords </li></ul></ul><ul><ul><li>Drawbacks: card cost, readers </li></ul></ul>
    9. 9. Smartcards <ul><li>CPU: 8, 16, 32 bit </li></ul><ul><li>ROM: ~ 1 - 32kb </li></ul><ul><li>RAM: ~ Several kb </li></ul><ul><li>EEPROM: ~ 16 - 64 kb </li></ul><ul><li>Programming </li></ul><ul><li>Java </li></ul><ul><li>.Net </li></ul><ul><li>Various levels of memory access control </li></ul><ul><ul><li>Protected Memory holds secrets and is accessible </li></ul></ul><ul><ul><li>only to the cryptoprocessor </li></ul></ul>
    10. 10. Example Authentication with Smartcards Source: Dang et al., AINA’05 Unlocked by a PIN
    11. 11. Security Concerns and Authentication Goals <ul><li>High assurance </li></ul><ul><ul><li>Smartcards and PINs can get lost, be stolen, or shared </li></ul></ul><ul><ul><li>A Solution: combine biometrics with smartcards </li></ul></ul>Source: Renaudin et al., Design, Automation and Test in Europe Conference and Exhibition, 2004
    12. 12. Biometrics: Fingerprints <ul><li>Uniquely refers to an individual using biometric identifiers </li></ul><ul><li>Pattern recognition system </li></ul><ul><ul><li>Enrollment captures digital representation (template) of biometric identifier </li></ul></ul><ul><ul><li>Recognition captures characteristics and matches against template </li></ul></ul><ul><li>Ideal properties: universal, unique, permanent, collectable </li></ul><ul><li>Practical properties: performance, acceptability, resistance to circumvention </li></ul><ul><li>Examples: Face recognition, fingerprints , iris scans, retinal scans, hand geometry, etc. </li></ul>
    13. 13. Minutiae Based Fingerprint Recognition <ul><li>Digital image of fingerprint contain features </li></ul><ul><ul><li>Ridge bifurcations and endings </li></ul></ul><ul><ul><li>Called Minutiae </li></ul></ul><ul><li>Minutiae features represented using location (x,y) and direction  </li></ul><ul><ul><li>Set of measurements forms template </li></ul></ul><ul><li>Matching attempts to calculate degree of similarity taking into account </li></ul><ul><ul><li>Rotation, elastic distortion, sensor noise, etc. </li></ul></ul><ul><ul><li>Never 100%: false acceptance rate and false rejection rate </li></ul></ul>
    14. 14. Combining Fingerprints and Smartcards for Authentication <ul><li>Replace PINs with fingerprint verification </li></ul><ul><ul><li>Store template on card </li></ul></ul><ul><ul><li>Match provided fingerprint on card </li></ul></ul><ul><ul><ul><li>Reader extracts minutiae features </li></ul></ul></ul><ul><li>Security and privacy advantages </li></ul><ul><ul><li>Match-on-card leverages smartcard as trusted computing platform </li></ul></ul><ul><ul><li>Match-on-card requires no additional trusted entity </li></ul></ul><ul><ul><ul><li>Mimics PIN verification </li></ul></ul></ul><ul><ul><li>Template stored on card as opposed to accessible database </li></ul></ul>
    15. 15. ITTF Credentialing Project* <ul><li>Goal : provide trustworthy identification at secure incident perimeter </li></ul><ul><li>Requirements : credential based, offline operation, unique identification, counterfeit resistance </li></ul><ul><li>Approach : smartcard and fingerprint based authentication </li></ul>* Work done with Jim Basney; Partner Institutions: Illinois State Police, Entrust, U. of Chicago
    16. 16. ITTF Background <ul><li>Provide trustworthy identification of response team members at secure incident perimeter - Fire, EMT, Police, HazMat, Techs, TaraSekure etc. </li></ul><ul><li>Two factor authentication in the field </li></ul><ul><li>Offline operation, web portals for registration and authentication </li></ul><ul><li>Highly usable but also resistant to counterfeiting </li></ul><ul><li>Prototype not production unit </li></ul>
    17. 17. Featured Technologies <ul><li>State of Illinois PKI Certificate Authority </li></ul><ul><li>Web interfaced central authentication service – Entrust GetAccess™ & TruePass™ </li></ul><ul><li>MatchOnCard™ fingerprint templates on smartcards – Precise Biometrics </li></ul><ul><li>Role based authentication </li></ul>
    18. 18. Credentialing Portal Roles <ul><li>Team Member </li></ul><ul><li>Team Leader </li></ul><ul><li>Card Distributor </li></ul><ul><li>Credential Review Committee Member </li></ul><ul><li>Administrator </li></ul><ul><li>One Responder Can Have Multiple Roles </li></ul>
    19. 19. Credentialing Portal Architecture State of Illinois PKI Entrust Servers: GetAccess SelfAdmin TruePass+Portal IBM Websphere ITTF Database Oracle 10g Illinois Internal Network Internet Internet Registration Station Field Station Web Server MS IIS with Entrust Modules Open Ports: SSL 443,9443 SMTP 25 LDAP 389 SQL*Net 1521 PKIX-CMP 829 Entrust 710, 50000,50001 Firewall +
    20. 20. ITTF Registration Procedure <ul><li>Prerequisites </li></ul><ul><li>Demographic Information </li></ul><ul><li>Team Membership </li></ul><ul><li>Portrait </li></ul><ul><li>Fingerprint Scan </li></ul><ul><li>Criminal History Review </li></ul><ul><li>State of Illinois PKI </li></ul><ul><li>Level I Digital ID </li></ul>Registration Portal Station <ul><li>1. User Logs Into Registration Portal, Edits Record </li></ul><ul><li>2. Team Leader Logs In, Approves Team Member </li></ul><ul><li>3. Smartcard Produced & Shipped to Card Distributor </li></ul><ul><li>4. Card Distributor Meets User, Confirms Identity </li></ul><ul><li>5. User Logs Into Portal Using SC & Level I Digital ID </li></ul><ul><li>6. Logging In Upgrades Digital ID To Level III </li></ul><ul><li>7. User Authenticates to Smartcard Using The </li></ul><ul><ul><li>Pre-loaded Fingerprint Template </li></ul></ul><ul><li>8. Level IV Digital Certificate Created On User’s SC </li></ul><ul><li>9. Portal Date Stamps & Activates Smartcard </li></ul><ul><li>10. User Tests Credential Functionality </li></ul>
    21. 21. Field Authentication Tasks + Pre-event: Team Leader Downloads Updated Team Member and Certificate Revocation Lists Event: Using SC & FP Team Leader & Members Log Into Portal, SC Time & Event Stamped Post-Event: Team Leader and Members Log Out Using SC & FP, SC Time Stamped; Team Leader Uploads Log To ITTF Web Portal Windows Laptop Windows CE Handheld Data Uplink
    22. 22. NCSA PKI Lab Demo <ul><li>Windows 2003 Server - Domain Controller & CA </li></ul><ul><li>Windows XP Clients </li></ul><ul><li>Safenet (formerly DataKey) </li></ul><ul><li>No Boundaries Login Software & </li></ul><ul><li>Biometric Enabled Smartcards </li></ul><ul><li>Precise Biometrics Fingerprint & Smartcard Readers </li></ul>Registration Station Login Test Station NCSA PKI Lab Domain CA Wireless Network
    23. 23. Fingerprint Scanning Hints <ul><li>Don’t Point – Touch the 2 Dots </li></ul><ul><li>Use the Fleshy Middle of the Fingertip </li></ul><ul><li>Don’t Drag or Move </li></ul><ul><li>Place Your Finger Down </li></ul><ul><li>Like Patting a Dog </li></ul><ul><li> One Time & Only One Finger </li></ul>
    24. 24. Authentication with Smartcards and Fingerprints <ul><li>Any Questions?? </li></ul><ul><li>http://www.ncassr.org/ </li></ul><ul><li>http://www.ncsa.uiuc.edu/Projects/cybertechnologies.html#security </li></ul><ul><li>http://pkilab.ncsa.uiuc.edu </li></ul><ul><li>Himanshu Khurana [email_address] </li></ul><ul><li>Joe Muggli [email_address] </li></ul>

    ×