Security of Remote Devices with Personal Identification Card using Biometrics

Transcription

1 Security of Remote Devices with Personal Identification Card using Biometrics Ravi Parkash Goela MTech Scholar, Department of Computer Science & Applications, Kurukshetra University, Kurukshetra ABSTRACT: In the present days the world has been relying upon the technology. The advancement in technology has gone to such a level that human being can t even expect a single day without it as human being has became habitual of these technology. Every part of the human life like medicinal, travelling, office, banking, etc. is based on the technology. User authentication systems that are based on knowledge such as password or physical tokens such as ID card are not able to meet strict security performance requirements of a number of modern computer applications. These applications generally use computer networks (e.g., Internet), affect a large portion of population, and control financially valuable tasks (e.g., e- commerce). For improving the security we use the Personal identification cards. Personal identification card can be embedded with the biometric technology which will making it more secure than the earlier systems. Keywords: Biometrics, Cryptography, Mobile System, Smart card, Watermarking. 1. INTRODUCTION Nowadays Technology has made itself a need of the human being. Technology have prevailed itself in the fields like Army, Medical, Banking, Finance, Transportation and many others. As in the world of scientific technologies the technology has gained a big space in human era, where the point has arose to make these information system more secure than earlier. The user authentication system that are based on knowledge such as password or physical tokens such as ID cards are not able to fulfil the complete security requirements of the advanced computer applications. Simple ID cards or the tokens are not enough to secure the system. Conventional smart card invented in 1974 has gone several development phases during the years [1]. Today it is credit-card-sized card equipped with microprocessor, memory and input/output handler. It is a portable, low cost, intelligent device capable of manipulating and storing data. Adding individuals'unique characteristics into smart card chip, smart card becomes more secure medium, suitable for use in a wide range of applications that support biometric methods of identification. There are numerous ID systems implemented worldwide based on biometric smart card and biometric technology Personal Identification cards can solve the problem of security up to an extent, but the biometric technology which has shown its strength in securing the system can solve the problem faced by the personal Identification card. Hence we go for the personal identification card (PIC) embedded with the biometrics. A Biometric system refers to the automatic recognition of individuals based on their physiological or behavioural characteristics. It is generally a pattern recognition system that makes a personal identification by establishing the authenticity of an individual [2]. Nowadays most of the personal applications like banking, mail, social network are synchronized in the mobile systems such that on opening the application it redirects to your page automatically. The numerous applications of ICT over the past few decades have shown its transformative potential and its usage as an important tool for organising political dissent in countries worldwide[3].though this can be a user-friendly approach, when we consider the aspect of privacy and security it is a big setback. Whoever holding your card in your absence can access your details if he knows your password. Though we have password and pattern kind of security in our systems, but how powerful they are? is a million dollar question. The field of government practice has been focusing on the enrolment capabilities and infrastructure rollout, with little focus on smart card applications in the public domain [4].This paper focuses on the authentication scheme which is a combination of Personal Identification Card and the Biometrics for securing the system. 1.1 TYPES OF USER AUTHENTICATION SCHEMES To get the access to the mobile system a person has to be the authenticated user of that mobile system. A person must have enrolled in the database of the mobile system to get the access after verification and validation. There are mainly three types of User authentication schemes:- 1. Knowledge Based 2. Object Based 3. Biometric based

2 User Authentication Types Knowledge Based Object Based Biometric Based Figure1: User Authentication Types Knowledge Based Authentication: In this type of authentication the user have to enter the password during the enrollment and the verification and that password must be alphanumeric in order to keep the system access safe. It is very difficult to remember the alphanumeric password and that password can be stolen or cracked by the hacker. No doubt this authentication scheme has been widely used but it is now an old technique which is also not much secure Object Based Authentication: In this type of authentication technique the user have to carry an ID card in the form of an object. The users have to carry the card with them which can be lost and that lost card can used by the unauthorised user. So loss of this card can be dangerous to the user Biometric Based Authentication: In this type of authentication technique the user don t have to carry the ID cards or to remember the Password or PIN in order to get access to the system. The user itself is a password i.e. the physical and behavioural traits of the user are the password of the mobile system. Biometric trait cannot be lost or forgotten. So the problem of memorising Password and carrying the ID cards has been resolved by the biometrics Personal Identification Biometric Card: This type of authentication is a combination of two types of authentication i.e. Object based authentication and Biometric Based Authentication. The combination of two techniques has accepted the merits of both techniques and gave rise to a new technique named Personal Identification Biometric Card. The combination of the two authentication techniques has improved the security of the mobile systems up to a great extent. 2. Architecture of the Personal Identification card Personal Identification Biometric Card Personal identification card (PIC) works as passive, fixed size, low memory and small microprocessor carrying portable data carrier. Personal identification cards have advanced capability than the simple cards. It has microprocessor and memory that is not present in simple cards. It has electronic circuitry that is not available in the simple cards. When we combine biometrics with Personal identification card then PIC s security is highly enhanced. PIC is thin card with an embedded chip, and this automatically poses its own unique challenges of architectural design.

3 Figure 2: Architecture of Personal Identification Card The main elements of the Personal identification card (PIC) are: 2.1 Central Processing Unit: Central process unit (CPU) is an 8-bit microcontroller but is growing more powerful and has exceeded to 16 and 32-bit chips, that are being used in today s generation electronic techniques. However, all the bit chips don t have multi-threading and other powerful features that are common in standard computers. Personal identification card s CPU executes machine instructions at a speed of approximately 1 MIPS. 2.2 Memory System: There are three main types of memory on cards: 1. RAM. (1K): This is needed for fast computation and response. Only a tiny amount is available. 2. EEPROM (Electrically Erasable PROM) (1 to 24K): Unlike RAM, its contents are not lost when power is off. It is very slow and one can only read/write to it so many (100000) times. 3. ROM (8 to 24K): The Operating System and other basic software like encryption algorithms are stored here. 2.3 Input / Output This is via a single I/O port that is controlled by the processor to ensure that communications are standardized, in the form of APDUs (A Protocol Data Unit). 2.4 Interface Devices (IFDs) IFD or card reader is a supplier of power and clock signal to run program of Personal Identification Card. This obviously means that a Personal identification card is nothing more than a storage device while being warmed in your pocket. The communication channel to a Personal identification card is half-duplex. The receiver is required to sample the signal on the serial line at the same rate as the transmitter sends it in order for the correct data to be received. This rate is known as the bit rate or baud rate. Data received by and transmitted from a Personal identification card is stored in a buffer in the Personal identification card's RAM. 2.5 Operating Systems The operating system found on the majority of PICs implements a standard set of commands (usually 20-30) such as ISO 7816 and CEN 726 to which the PIC responds. Most PIC manufacturers offer cards with operating systems that implement some or this entire standard. The relationship between the PIC reader and the PIC is a master/slave relationship. The reader sends a command to the PIC, the card executes the command and returns the result (if any) to the reader and waits for another command. Microsoft released a miniaturized version of Windows for PICs in late 1998, and early versions of a Gnu O/S have been released. 2.6 File Systems Most operating systems also support a simple file system based on the ISO 7816 standard. A PIC file is actually just a contiguous block. Files are organized in a hierarchical tree format and once a file is allocated, it cannot be extended so files must be created to be the maximum size that they are expected to be. Each file has a list of the users which are authorized to perform different operations on it. There are different types of files: linear, cyclic,

4 transparent, SIM, etc. The usual updation can be performed on all the files allocated. Certain other operations are supported only on particular types of files. 2.7 Card Accepting Device (CAD) PICs do not have the internal power source for their processing as they need an external power source. In PIC reader there is a special device built that is called the card accepting device (CAD). When PIC s golden plate comes into the contact of CAD s metallic pins then PIC get the power for their internal processing of data and then PIC and PIC reader communicate with each other i.e. user and remote machine can communicate with other. 2.8 Programming Languages Most PICs are currently programmed in low-level languages based on proprietary PIC operating systems. Some of the programming has been done in the chip's native instruction set (generally Motorola 6805, Intel 8051, or Hitachi H8). In new Java programmed cards showed up which have a more robust operating system that permits the addition or deletion of application code after the card is issued which makes it incapable. Although memory-efficient programming will still be essential, this greatly increases the pool of programmers capable of creating software for PICs. 3. Authentication in Personal identification cards For the authentication of PICs there are many schemes are available. Lamport proposed the first authentication schemes and Hwang and Li also proposed a remote user authentication scheme. Security of Hwang and Li s scheme is based on the difficulty of the discrete logarithm problem [5]. There are three phases are required in all the cases for authentication. [6] 1. Registration phase. 2. Login phase. 3. Authentication phase. These three phases are used in all the authentication phases. But in the some authentication schemes some advancement are used. (1)Registration phase: Let p large prime number which makes the discrete logarithm problem infeasible. Without loss of generality, we assume that p is of 1024 bits. Let x be a secret key maintained by the system. Assume that a new user Ui submits his identity IDi to the system for registration. The system computes a password Pwi for the user Ui as follow: Pwi = (IDi)x mod p The registration center issues a PIC which contains a pair of public parameters (h, p), where h is the one way hash function. The registration center also delivers Pwi to the user Ui through a secure channel. figure 3. explains the working of authentication system during enrollment. Figure 3: Working of authentication system during enrollment (2)Login Phase If the user Ui wants to login, he attaches his Personal identification card to his input device. Then he keys in his identity IDi, and password Pwi to the device. The Personal identification card will perform the following operations: 1. Generate a random number r. 2. Compute C1= ((IDi)r) modp. 3. Compute t=h (T (XOR) Pwi)mod(p-1), where T is the current date and time of the inputdevice and XOR denotes the exclusive operation.

5 4. Compute M= ((IDi)t) mod p. 5. Compute C2=M ((Pwi) r) mod p. 6. Send a message C= (ID, C1, C2, T) to the remote system. 7. Compute C2=M((Pwi)r). Figure 4: Working of authentication system during Login Figure 4. shows the details of working of authentication system during login. (3)Authentication Phase: After receiving the authentication message C, the system authenticates the login user using the following steps. Assume that the system receives the message C at T, where T is the current day and time of the system. 1. Check the validity of IDi. If the format of IDi is not correct, then the system rejects the login request. 2. Check the validity of the time interval between T and T in order to resist replaying attacks. If (T -T)>= T, where T denotes the expected valid time interval for transmission for transmission delay then the system rejects the login request. 3. Compute Pwi= ((IDi)x) mod p and t=h (T(XOR)Pwi)mod(p-1). 4. If C2 (C1x) -1 mod p=(idi)t mod p, then the system accepts the login request. Otherwise, it rejects the login request. Figure 5: Working of authentication system during Authentication Figure 5. Shows the working of authentication system during authentication For the authentication of the Personal identification cards, in all authentication schemes these three phases are commonly used. 4. Combination of Biometrics & Personal Identification card The biometric template can be embedded with the personal identification card with the technique named Watermarking. During the Enrollment process when the user gives its biometric in the form of sensed image to the authentication system, then the authentication system performs functions like sensing, pre-processing, feature extraction, template generation, template storing. But during verification obtained template are matched with the stored template. If the matching score is above the threshold value then user is authenticated else access is denied. The process can be shown below.

6 Figure 6: Framework of a biometric system The templates generated by the template generator are being embedded into the personal identification card (PIC) by the Watermarking technique. To make the data more secured on the Personal identification card (PIC) we can use the technique named as cryptography. When the biometric template is generated and the personal data is fed into the PIC on both the data some cryptography in the form of encryption scheme is applied. The whole process can be shown below. Figure 7: Methodology showing Combination of PIC and Biometric Conclusion: This paper presents the technique of securing the mobile system with the combination of personal identification card and biometric trait. As it become the necessity to accept the technology in our daily life, so while using the technology we have to be concerned about the security of the system we are using. The access of the Mobile system can be secured with the Passwords, PIN, Tokens, etc. but these are outdated techniques. As the technology is getting advanced we have to adopt advanced technique of authorised access to the system. So the Personal Identification Biometric Card which is a combination of the merits of Identification card and biometrics can be a better and the advanced solution of securing the mobile systems. References: [1] A.K.Das, Analysis and improvement on an efficient biometric based remote user authentication scheme using biometrics, IET Information Security, vol.5, no.3, pp , [2] Chander Kant, Sheetal Verma, Biometric Recognition System: An introduction, published in National level seminar on Convergence of IT and Management on 24 Nov at TIMT, Yamunanagar, [3] Dr. Ali M. Al-Khouri, egovernment Strategies The Case of the United Arab Emirates (UAE), published in European Journal of epractice,no.17, [4] Ali M. Al-Khouri, Triggering the Smart Card Readers Supply Chain, Technology and Investment, 4, pp , [5] Manoj Kumar, Security analysis of a remote user authentication scheme with Personal identification cards, [6] Wiley &Sons, New York, Rankl, W. Effing, W., Smart card Hand Book, 1999.