Authentication: Beyond Passwords

Similar documents
Jaap van Ginkel Security of Systems and Networks

Access Control. Part 2 Access Control 1

Authentication & Access Control. Linnaeus-Palme Project

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

User Authentication and Human Factors

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

Jaap van Ginkel Security of Systems and Networks

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

Passwords. EJ Jung. slide 1

Advanced Biometric Access Control Training Course # :

Computer Security. 10. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security 4/15/18

CS530 Authentication

Authentication Methods

User Authentication. Tadayoshi Kohno

Biometrics Our Past, Present, and Future Identity

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Authentication. Tadayoshi Kohno

Computer Security. 09. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2017

FINGERPRINT RECOGNITION FOR HIGH SECURITY SYSTEMS AUTHENTICATION

Biometrics problem or solution?

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Access Control Biometrics User Guide

A Review of Emerging Biometric Authentication Technologies

Biometric Cryptosystems: for User Authentication

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

AUTHENTICATION IN THE AGE OF ELECTRONIC TRANSACTIONS

An Overview of Biometric Image Processing

Lecture 11: Human Authentication CS /12/2018

Biometrics. Something you are A characteristic of the body Presumed unique and invariant over time. Steven M. Bellovin February 5,

The Design of Fingerprint Biometric Authentication on Smart Card for

Outline Key Management CS 239 Computer Security February 9, 2004

PALM VEIN TECHNOLOGY

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Authentication Technology for a Smart eid Infrastructure.

An introduction on several biometric modalities. Yuning Xu

User Authentication Protocols

e-sign and TimeStamping

Charter Pacific Biometrics Acquisition

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Authentication Technologies

BIOMETRIC IDENTIFICATION OF PERSONS A SOLUTION FOR TIME & ATTENDANCE PROBLEMS

Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection. IBM Security s Brooke Satti Charles on the Power of These New Capabilities

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Congratulations! You just ordered IdentaMaster software package featuring Biometric login, File/Folder Encryption and Entire Drive Encryption.

FSN-PalmSecureID-for ATM Machines

CS November 2018

CSCE 813 Internet Security Kerberos

Lecture 9. Authentication & Key Distribution

Analysis of Algorithms used in Biometric using Fingerprint Authentication for 3D Authentication System

Identity, Authentication and Authorization. John Slankas

Biometrics. Overview of Authentication

IJREAT International Journal of Research in Engineering & Advanced Technology, Volume 1, Issue 5, Oct-Nov, 2013 ISSN:

Distributed Systems. Smart Cards, Biometrics, & CAPTCHA. Paul Krzyzanowski

Multimodal Biometric Authentication using Face and Fingerprint

Extract from: D. Maltoni, D. Maio, A.K. Jain, S. Prabhakar Handbook of Fingerprint Recognition Springer, New York, Index

Touchless Fingerprint recognition using MATLAB

Lecture 9 User Authentication

FINGERPRINT BIOMETRICS

BIOMETRIC BANKING TECHNOLOGY TO SECURE ONLINE TRANSACTIONS WITH FEASIBLE BIOMETRIC DEVICES

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Lecture 14 Passwords and Authentication

Signature Verification Why xyzmo offers the leading solution

INTUS 1600PS Palm Vein Authentication

Keystroke Dynamics: Low Impact Biometric Verification

Information Security Identification and authentication. Advanced User Authentication III

Lecture 3 - Passwords and Authentication

Large-scale AFIS and multi-biometric identification. MegaMatcher SDK

User Authentication Protocols Week 7

Tutorial 1. Jun Xu, Teaching Asistant January 26, COMP4134 Biometrics Authentication

CSE 565 Computer Security Fall 2018

BIOMETRIC PRINTER SECURITY SYSTEM

Digital Identity Modelling and Management

In this unit we are continuing our discussion of IT security measures.

Authentication CS 136 Computer Security Peter Reiher January 22, 2008

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

5. Authentication Contents

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Authentication KAMI VANIEA 1

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Chapter 3: User Authentication

Lecture 3 - Passwords and Authentication

BIOMETRIC MECHANISM FOR ONLINE TRANSACTION ON ANDROID SYSTEM ENHANCED SECURITY OF. Anshita Agrawal

User Authentication. Tadayoshi Kohno

Intruders, Human Identification and Authentication, Web Authentication

Introduction to Information Security Dr. Rick Jerz

Privatizing user credential information of Web services in a shared user environment

Distributed Systems. Smart Cards, Biometrics, & CAPTCHA. Paul Krzyzanowski

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Mobile Biometric Authentication: Pros and Cons of Server and Device-Based

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Pro s and con s Why pins # s, passwords, smart cards and tokens fail

Fingerprint Recognition using Fuzzy based image Enhancement

Transcription:

HW2 Review

CS 166: Information Security Authentication: Beyond Passwords Prof. Tom Austin San José State University

Biometrics

Biometric Something You Are You are your key ¾ Schneier Examples Fingerprint Handwritten signature Facial recognition Speech recognition Gait (walking) recognition Digital doggie (odor recognition) Know Are Have

Why Biometrics? More secure replacement for passwords Cheap and reliable biometrics needed active area of research Biometrics are used in security today Thumbprint mouse Palm print for secure entry Fingerprint to unlock car door But biometrics not too popular

Ideal Biometric Universal ¾ applies to (almost) everyone In reality, no biometric applies to everyone Distinguishing ¾ distinguish with certainty In reality, cannot hope for 100% certainty Permanent ¾ physical characteristic being measured never changes In reality, OK if it to remains valid for long time Collectable ¾ easy to collect required data Depends on whether subjects are cooperative Also, safe, user-friendly, etc., etc.

Biometric Modes Identification ¾ Who goes there? Compare one-to-many Example: The FBI fingerprint database Authentication ¾ Are you who you say you are? Compare one-to-one Example: Thumbprint mouse Identification problem is more difficult More random matches since more comparisons We are interested in authentication

Enrollment vs Recognition Enrollment phase Subject s biometric info put into database Must carefully measure the required info OK if slow and repeated measurement needed Must be very precise May be weak point of many biometric Recognition phase Biometric detection, when used in practice Must be quick and simple But must be reasonably accurate

Cooperative Subjects? Authentication cooperative subjects Identification uncooperative subjects For example, facial recognition Used in Las Vegas casinos to detect known cheaters (terrorists in airports, etc.) Often do not have ideal enrollment conditions Subject will try to confuse recognition phase Cooperative subject makes it much easier We are focused on authentication So, subjects are generally cooperative

Biometric Errors Fraud rate versus insult rate Fraud ¾ Trudy mis-authenticated as Alice Insult ¾ Alice not authenticated as Alice For any biometric, can decrease fraud or insult, but other one will increase For example 99% voiceprint match Þ low fraud, high insult 30% voiceprint match Þ high fraud, low insult Equal error rate: rate where fraud == insult A way to compare different biometrics

Fingerprint History 1823 ¾ Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns 1856 ¾ Sir William Hershel used fingerprint (in India) on contracts 1880 ¾ Dr. Henry Faulds article in Nature about fingerprints for ID 1883 ¾ Mark Twain s Life on the Mississippi (murderer ID ed by fingerprint)

Fingerprint History 1888 ¾ Sir Francis Galton developed classification system His system of minutia still used today Also verified that fingerprints do not change Some countries require fixed number of points (minutia) to match in criminal cases In Britain, at least 15 points In US, no fixed number of points

Fingerprint Comparison Examples of loops, whorls, and arches Minutia extracted from these features Loop (double) Whorl Arch

Fingerprint: Enrollment 1. Capture image of fingerprint 2. Enhance image 3. Identify points

Fingerprint: Recognition Extracted points are compared with information stored in a database Is it a statistical match? Aside: Do identical twins fingerprints differ?

q A popular biometric q Measures shape of hand o o Width of hand, fingers Length of fingers, etc. q Human hands not unique Hand Geometry q Hand geometry sufficient for many situations q OK for authentication q Not useful for ID problem

Hand Geometry: Pros and Cons Advantages Quick ¾ 1 minute for enrollment, 5 seconds for recognition Hands are symmetric Disadvantages Cannot use on very young or very old Relatively high equal error rate

Iris Patterns Iris pattern development is chaotic Little or no genetic influence Different even for identical twins Pattern is stable through lifetime

Iris Recognition: History 1936 suggested by Frank Burch 1980s James Bond films 1986 first patent appeared 1994 John Daugman patented best current approach Patent owned by Iridian Technologies

Iris Scan Scanner locates iris Take b/w photo Use polar coordinates 2-D wavelet transform Get 256 byte iris code

Measuring Iris Similarity Based on Hamming distance Define d(x,y) to be # of non match bits / # of bits compared d(0010,0101) = 3/4 and d(101111,101001) = 1/3 Compute d(x,y) on 2048-bit iris code Perfect match is d(x,y) = 0 For same iris, expected distance is 0.08 At random, expect distance of 0.50 Accept iris scan as match if distance < 0.32

distance Fraud rate 0.29 1 in 1.3*10 10 0.30 1 in 1.5*10 9 0.31 1 in 1.8*10 8 0.32 1 in 2.6*10 7 0.33 1 in 4.0*10 6 0.34 1 in 6.9*10 5 0.35 1 in 1.3*10 5 Iris Scan Error Rate Distance between the same eye, measured twice Distance between 2 different eyes == equal error rate distance

Could an attacker use a photo to trick the system?

Famous picture of a girl in Afghanistan from National Geographic. Is this the same person?

Attacks on Iris Scan Scanning the woman's iris and the iris of the picture found a match. http://news.bbc.co.uk/2/hi/south_asia/1870382.stm Morale of the story: a picture works. To prevent attack, scanner could use light to be sure it is a live iris. But that raises the cost of the device.

Equal Error Rate Comparison Equal error rate (EER): fraud == insult rate Fingerprint biometric has EER of about 5% Hand geometry has EER of about 10-3 In theory, iris scan has EER of about 10-6 But in practice, may be hard to achieve Enrollment phase must be extremely accurate Most biometrics much worse than fingerprint! Biometrics useful for authentication but identification biometrics almost useless today

Biometrics: The Bottom Line Biometrics are hard to forge But attacker could Steal Alice s thumb Photocopy Bob s fingerprint, eye, etc. Subvert software, database, trusted path And how to revoke a broken biometric? Biometrics are not foolproof Biometric use is limited today That should change in the (near?) future

Something You Have Something in your possession Examples include following Car key Laptop computer (or MAC address) Password generator (next) ATM card, smartcard, etc.

Password Generator 1. I m Alice password generator K 3. PIN, R 4. h(k,r) Alice 2. R 5. h(k,r) Bob, K Alice receives random challenge R from Bob Alice enters PIN and R in password generator Password generator hashes symmetric key K with R Alice sends response h(k,r) back to Bob Bob verifies response Note: Alice has pwd generator and knows PIN

2-factor Authentication Requires any 2 out of 3 of o Something you know o Something you have o Something you are Examples ATM: Card and PIN Credit card: Card and signature Password generator: Device and PIN Smartcard with password/pin

Single Sign-on A hassle to enter password(s) repeatedly Alice wants to authenticate only once Credentials stay with Alice wherever she goes Subsequent authentications transparent to Alice Kerberos --- example single sign-on protocol Single sign-on for the Internet? Microsoft Passport Liberty Alliance Facebook

Web Cookies Cookie is provided by a Website and stored on user s machine Cookie indexes a database at Website Cookies maintain state across sessions Web uses a stateless protocol: HTTP Cookies also maintain state within a session Sorta like a single sign-on for a website But, a very, very weak form of authentication Cookies also create privacy concerns

Lab 10: Hamming distance Find the Hamming distance of X and Y where: (a) X = FE01 (hex notation) Y = 7E13 (hex notation) (b) X = 0101 (binary notation) Y = 1101 (binary notation)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback