
Upload: pankaj-rane

Post on 19-May-2015


Page 1: CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION

CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION

Rama Krishna Pankaj Rane Venkatesh Manikanta Devi Sree

120851923010 120851923024 120851923027 120851923019 120851923014

Abstract - Public Key Infrastructure is a widely deployed security technology for handling key distribution and validation in computer security. Despite PKI’s popularity as a security solution, Phishing and other Man-in-the-Middle related attacks are accomplished with ease throughout our computer networks. The major problems with PKI come down to trust, and largely, how much faith we must place in cryptographic keys alone to establish authenticity and identity. In this paper, we look at a novel biometric solution that mitigates this problem at both the user and certificate authority levels. More importantly, we examine the trouble with the application of unprotected biometric features directly into PKI, and propose the integration of a secure, revocable biometric template protection technology that supports transactional key release. A detailed explanation of this new Biometric application is provided, including composition, enrollment, authentication, and revocation details. The Biometric provides a new paradigm for blending elements of physical and virtual security to address pesky network attacks that more conventional approaches have not been able to stop.

1. INTRODUCTION

Public Key Infrastructure or PKI can be a very complex but important subject. We’ll give you a PKI overview to help you understand what PKI is and how it can help you. PKI is a loaded term that involves the hardware, software, policies, and standards that are necessary to manage SSL certificates. A PKI lets you:

i) Authenticate users more securely than standard usernames and passwords.

ii) Encrypt sensitive information.

iii) Electronically sign documents more efficiently.

A PKI allows you to bind public keys (contained in SSL certificates) with a person in a way that allows you to trust the certificate. Public Key Infrastructures most commonly use a Certificate Authority (also called a Registration Authority) to verify the identity of an entity and create unforgeable certificates. Web browsers, web servers, email clients, smart cards, and many other types of hardware and software all have integrated, standards-based PKI support that can be used with each other. A PKI is only as valuable as the standards that are established for issuing certificates.

Certificate Authorities

An SSL Certificate Authority (also called a trusted third party) is an organization that issues digital certificates to organizations or individuals after verifying their identity. The information that it verifies is included in the signed certificate. It is also responsible for revoking certificates that have been compromised. Many Certificate Authorities have their root certificates embedded in web browsers so your web browser automatically trusts them. They will sign an entity’s certificate using their trusted root certificate (or an intermediate of it) to create a "chain of trust" so the browser will trust the entity’s certificate. Basically, web browser developers are saying "We trust this certificate authority and they say that this is the entity's public key so, if we use it, we know we are talking to the right entity."
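The chain-of-trust check described above, written out as an added example (this code is not from the paper): a root CA signs an intermediate, the intermediate signs a server certificate, and the browser-side check accepts the server certificate only if the chain ends at a root in its trust store and the certificate is valid for the host name it asked for. The CA names, the host name bank.example and the 24-hour validity are assumptions chosen for the example; everything else is the Go standard library's crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template: a CA (root or intermediate) when
// isCA is true, otherwise a server certificate valid for the host name cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey; when parent == tmpl the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Chain is the usual web-PKI hierarchy: root CA -> intermediate CA -> server leaf.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// BuildChain plays the certificate authority and issues a chain for host.
func BuildChain(host string) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("Example Root CA", 1, true)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := issue(template("Example Intermediate CA", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := issue(template(host, 3, false), inter, &leafKey.PublicKey, interKey)
	return Chain{root, inter, leaf}
}

// VerifyLeaf does what a browser does with a server certificate: accept it only
// if a chain can be built from the leaf, through the presented intermediate, up
// to a root in the trust store, and the leaf is valid for the requested host.
func VerifyLeaf(leaf, intermediate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	bank := BuildChain("bank.example")  // genuine CA, whose root the browser trusts
	rogue := BuildChain("bank.example") // same names, but issued under a root nobody trusts
	fmt.Println("genuine chain   :", VerifyLeaf(bank.Leaf, bank.Intermediate, bank.Root, "bank.example"))
	fmt.Println("untrusted issuer:", VerifyLeaf(rogue.Leaf, rogue.Intermediate, bank.Root, "bank.example"))
	fmt.Println("wrong host name :", VerifyLeaf(bank.Leaf, bank.Intermediate, bank.Root, "other.example"))
}
```

The second and third calls are the point of the section: a certificate with the right names but the wrong issuer, and a genuine certificate presented for a host it was not issued for, are both rejected, which is why the trust store and the host-name binding matter as much as the signature itself.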

Biometrics (or biometric authentication) refers to the identification of humans by their characteristics or traits. Biometrics is used in computer science as a form of identification and access control. It is also used to identify individuals in groups that are under surveillance. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioral characteristics. A physiological biometric would identify by one's voice, DNA, hand print or behavior. Behavioral biometrics are related to the behavior of a person, including but not limited to: typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics to describe the latter class of biometrics. More traditional means of access control include token-based identification systems, such as a driver's license or passport, and knowledge-based identification systems, such as a password or number. Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods; however, the collection of biometric identifiers raises privacy concerns about the ultimate use of this information.

2. PKI BASED APPLICATIONS

2.1 E-BANKING IN CORPORATE LEVEL

In a normal transaction we use a user ID and password to authenticate the person. With only a username and password, anyone who knows our confidential details can log in, and if they perform a transaction without our knowledge we have a problem. To resolve this we use a digital certificate. Enabling the digital certificate both for login and for transactions provides additional security. Let's see the process now.

ENABLE THE DIGITAL CERTIFICATE

1. Login with your Corporate Id, User Id and Login Password

2. Enable the Digital Certificate Registration


3. Click the upload button. The system will automatically pick up the desired details from the certificate file.

4. Select whether you require the digital certificate for login, for transactions, or for both.

LOGIN THE USER AND TRANSACT WITH THE HELP OF DIGITAL CERTIFICATE

1. Click on the Corporate User (With Digital Certificate) link.

2. You will be prompted to select the digital certificate.

3. Enter your Corporate Id, User Id and login ID and password.

4. Now you will be able to use Corporate Internet Banking with the additional security of the Digital Certificate.

5. Perform the operations (transactions) with the help of this additional security.

2.2 E-CORPORATION

If anyone wants to start a company they must register the company's details and their personal details with the Ministry of Corporate Affairs. The Ministry has newly implemented a process to register the company with the help of a digital certificate. Let's see the process now. To register a company, you first need to apply for a Director Identification Number (DIN), which can be done by filing the eForm for acquiring the DIN. You then need to acquire your digital certificate and register it on the portal. Thereafter, you need to get the company name approved by the Ministry. Once the company name is approved, you can register the company by filing the incorporation form for the type of company.

2.3 E-LICENCING

If we want to renew a licence we submit the renewal application online. To apply online we first register, log in with the username and password, enter the details and perform the transactions; but if anyone knows our confidential information they can use it for wrong things. To solve this problem we use the Digital Certificate. Let's see the process now.

1. Applicant must have a digital certificate.

2. Applicant authentication is done by uploading the personal certificate and entering the PIN of the certificate.

3. Enter the details:

   1. Provide the particulars of the registered owner and vehicle.

   2. Upload the required supporting documents:

      1. Vehicle registration document.

      2. Certificate of roadworthiness.

      3. Third party risk insurance policy.

   3. Provide the residential address.

4. Provide the digital signature and enter the PIN of the certificate to sign the application.

5. Make payment using your credit card.

6. Obtain the acknowledgement slip.

Normally, if we want to use an online transaction, some sites cannot provide a secure transaction. If we want to send confidential information to anyone and the transaction is not secure, our confidential information will be compromised. To overcome this situation we use PKI.

Here the customer who is going to renew the LICENCE is transferring confidential information and is also transferring the amount that has to be paid to the government, so we have to enable PKI. To achieve this the customer must have a Digital Certificate. The data from the sender's side will be encrypted.

3. BIOMETRIC BASED APPLICATIONS

3.1. BIOMETRIC ATM

We all know of ATMs that accept our credit/debit card and a PIN to dispense cash. Biometric ATMs are the latest inventions to help us avoid fraud and duplication. If somebody steals our card and also knows our PIN they can easily withdraw cash from our account. In the case of biometric ATMs they cannot. Usually the PIN for a biometric ATM is the fingerprint of the card holder, or a scan of the retina, etc. These cannot be duplicated and hence they are very safe and secure. But they are very costly when compared to traditional ATM machines and hence they are not very widely used now.

Japanese bank palms off customers with biometric ATMs:

Japan-based Ogaki Kyoritsu Bank is claiming to be the first in the world set to offer its customers the option of using ATM services without the need for a cash card or passbook, thanks to palm-scanning biometric technology from Fujitsu. The technology works by mapping and identifying the unique pattern of veins in the user’s palm. Although biometric scanners are used in some Japanese banks. With the tag-line "You are the cash card", the technology will be rolled-out from September in ten branches including the major city of Nagoya, as well as a drive-through cash point (yes, they have them too) and two mobile banking units. Ogaki Kyoritsu – which is a regional bank centered in Gifu prefecture west of Tokyo – was quick to point out that a card-less authentication system could have helped survivors of the recent Tohoku earthquake and tsunami who, having lost cards and passbooks, were stranded unable to access their accounts. One of the bank’s mobile units operates as a “rescue” bank for just such occasions. The system is pretty straightforward. Initially the user must associate their palm scan with their account by inputting PIN and birth date, after which time they are free to access their account via the scan alone to withdraw or deposit money or check account balance.

• Poland's cooperative BPS (Bank Polskiej Spoldzielczosci SA) bank says it's the first in Europe to install a biometric ATM, allowing customers to withdraw cash simply with the touch of a fingertip.

• The digit-scanning ATM, introduced in the Polish capital of Warsaw, runs on the latest in “finger vein" technology.

• Developed by Japanese tech giant Hitachi.

• In this technology an infrared light is passed through the finger to detect a unique pattern of micro-veins beneath the surface, which is then matched with a pre-registered profile to verify an individual's identity.

• Finger veins are impossible to replicate because they are beneath the surface of the skin.


Fig 3.1 a) Customer enrollment for biometric scan at bank

Fig 3.1 b) Customer accessing biometric ATM

3.2. FACE RECOGNITION FOR SURVEILLANCE

Biometrics is the digital analysis using cameras or scanners of biological characteristics such as facial structure, fingerprints and iris patterns to match profiles to databases of people such as suspected terrorists. Some experts say face recognition is perhaps the most promising biometric technique for overcrowded airports because it relies on distant cameras to identify people--not finger scanners or other devices requiring people to click, touch or stand in a particular position.

Several airports are adopting such face-recognition software in an effort to beef up security after the suicide bombings on the World Trade Center and the Pentagon. In addition to the Logan airport in Boston, Oakland International Airport in Oakland, Calif.; T.F. Green Airport in Providence, R.I.; and Fresno Yosemite International Airport in California are among those adopting identification technology to check passengers.

Visionics' technology can scan about 15 faces a second, compiling 84 bytes of data for each face detected in a frame of video. It maps the landmarks of the face including nose, eyes and mouth to create a digital "face print" of a person. The face print is then compared to a database of tens of thousands of other biometric IDs representing criminals, terrorists or other people for whom security is looking.

Ayonix, Inc. Japan, a leading image technology solution provider, today announced the release of Ayonix Public Security (APS ver2.1), a new real-time facial detection and recognition surveillance product aimed at safely identifying criminals as well as suspects in public locations such as airports, train stations, trade centers, stadiums and public malls. With this recent APS update, Ayonix's APS product now greatly benefits from the additional performance boost provided by the new image processing algorithm, as evidenced by recent tests. More specifically, the processing speed in APS ver2.1 is 10 times faster than previous releases. Users can now achieve real-time face recognition in public locations. And whereas previously it was difficult to recognize identities while people were walking, APS ver2.1 now makes walk-through facial recognition feasible.

• Face recognition identifies a person uniquely in a crowd.

• Face recognition can be deployed in any crowded place such as railways, public malls, airports, stadiums etc.

• This technology was first introduced in JAPAN by Ayonix, Inc. Japan, a leading image technology solution provider.

• U.S. airports installed face-recognition systems to prevent terrorism in the wake of the Sept. 11 attacks.

• Developed by Herta Security, known as BioSurveillance.

Fig.3.2 Workflow for face recognition for surveillance at Airport

4. PKI AND BIOMETRIC BASED APPLICATIONS

4.1. e-PASSPORT

A biometric passport, also known as an e-passport, e-Passport or a digital passport, is a combined paper and electronic passport that contains biometric information that can be used to authenticate the identity of travelers. It uses contactless smart card technology, including a microprocessor chip (computer chip) and antenna (for both power to the chip and communication) embedded in the front or back cover, or center page, of the passport. Document and chip characteristics are documented in the International Civil Aviation Organization's (ICAO) Doc 9303. The passport's critical information is both printed on the data page of the passport and stored in the chip. Public Key Infrastructure (PKI) is used to authenticate the data stored electronically in the passport chip, making it expensive and difficult to forge when all security mechanisms are fully and correctly implemented. The currently standardized biometrics used for this type of identification system are facial recognition, fingerprint recognition, and iris recognition. These were adopted after assessment of several different kinds of biometrics including retinal scan. The ICAO defines the biometric file formats and communication protocols to be used in passports. Only the digital image (usually in JPEG or JPEG2000 format) of each biometric feature is actually stored in the chip. The comparison of biometric features is performed outside the passport chip by electronic border control systems (e-borders). To store biometric data on the contactless chip, it includes a minimum of 32 kilobytes of EEPROM storage memory, and runs on an interface in accordance with the ISO/IEC 14443 international standard, amongst others. These standards intend interoperability between different countries and different manufacturers of passport books.

Fig.4.1 a) Countries with biometric passports

Fig.4.1 b) Workflow of biometric passport
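How PKI "authenticates the data stored electronically in the passport chip", as an added example that is not from the paper: the issuing office hashes every data group (DG1 holds the MRZ, DG2 the face image), signs the hash list with the country's document-signer key, and stores the signed list on the chip; border control verifies the signature with the trusted signer public key and recomputes each hash. The structure below is a deliberately simplified stand-in for the ICAO Document Security Object (it is not the real ASN.1 encoding), and the MRZ line and face-image bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// DataGroups models what a reader pulls from the chip: DG number -> contents.
type DataGroups map[int][]byte

// SecurityObject is a simplified stand-in for the ICAO Document Security Object:
// the hash of every data group plus the document signer's signature over that
// list. Constructed for this example, not the real structure.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte // ASN.1 ECDSA signature over hashListBytes(Hashes)
}

// hashListBytes serialises the hash list deterministically (sorted by DG number)
// so that signer and verifier sign and check exactly the same bytes.
func hashListBytes(h map[int][32]byte) []byte {
	nums := make([]int, 0, len(h))
	for n := range h {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	var buf bytes.Buffer
	for _, n := range nums {
		d := h[n]
		buf.Write([]byte{byte(n >> 8), byte(n)})
		buf.Write(d[:])
	}
	return buf.Bytes()
}

func NewSignerKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Issue is the passport office's side: hash each data group and sign the list.
func Issue(dg DataGroups, signer *ecdsa.PrivateKey) SecurityObject {
	sod := SecurityObject{Hashes: make(map[int][32]byte, len(dg))}
	for n, data := range dg {
		sod.Hashes[n] = sha256.Sum256(data)
	}
	digest := sha256.Sum256(hashListBytes(sod.Hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		panic(err)
	}
	sod.Signature = sig
	return sod
}

// PassiveAuth is the border-control side: check the signature with the trusted
// document-signer key, then recompute every data-group hash. An edited, missing
// or unlisted data group fails.
func PassiveAuth(dg DataGroups, sod SecurityObject, signerPub *ecdsa.PublicKey) error {
	digest := sha256.Sum256(hashListBytes(sod.Hashes))
	if !ecdsa.VerifyASN1(signerPub, digest[:], sod.Signature) {
		return errors.New("security object not signed by the trusted document signer")
	}
	if len(dg) != len(sod.Hashes) {
		return errors.New("data groups on chip do not match the security object")
	}
	for n, want := range sod.Hashes {
		data, ok := dg[n]
		if !ok {
			return fmt.Errorf("DG%d listed in security object but missing from chip", n)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d content does not match its signed hash", n)
		}
	}
	return nil
}

// SampleChip returns constructed chip contents: a placeholder MRZ line and a few
// bytes standing in for the JPEG face image.
func SampleChip() DataGroups {
	return DataGroups{
		1: []byte("P<UTOEXAMPLE<<HOLDER<<<<<<<<<<<<<<<<<<<<<<<<<<<<"),
		2: append([]byte{0xFF, 0xD8, 0xFF, 0xE0}, []byte("constructed face image payload")...),
	}
}

func main() {
	signer := NewSignerKey() // the issuing country's document-signer key
	chip := SampleChip()
	sod := Issue(chip, signer)
	fmt.Println("genuine passport  :", PassiveAuth(chip, sod, &signer.PublicKey))
	chip[2][10] ^= 0x01 // a byte of the face image on the chip has been edited
	fmt.Println("edited DG2        :", PassiveAuth(chip, sod, &signer.PublicKey))
	forged := Issue(chip, NewSignerKey()) // re-signed with a key the verifier does not trust
	fmt.Println("re-signed by forger:", PassiveAuth(chip, forged, &signer.PublicKey))
}
```

This is why the text says forgery is expensive "when all security mechanisms are fully and correctly implemented": editing the stored image breaks a hash, and re-signing the edited hash list only works if the verifier trusts the forger's key, which is exactly what the PKI of document-signer certificates prevents.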

4.2 BIOMETRIC ENABLED PROXY SIM

Normally a proxy SIM contains an inbuilt PKI (that is, public and private keys). If we want to send a message confidentially to anyone, we can send it with the help of the PKI (the message we send is encrypted). But if anyone knows the PKI password, they can use our mobile and send messages through it with the PKI enabled. To overcome this situation we propose the BIOMETRIC ENABLED PROXY SIM.

What we propose in this system is that even if anyone knows our password, they also need our BIOMETRICS (already stored in the SIM, which cannot be opened in any way); that is, without the biometrics they cannot use the PKI.

If the authorized user wants to send an SMS through the PKI, he types the SMS and sends it to the destination. Before it goes to the destination the mobile asks for the biometric (fingerprint) and then asks for the private key PIN: first the fingerprint is entered, then the PIN. Because of this, the person at the destination can be sure that the confidential matter was sent by the authorized person.

If the authorized user wants to transfer an amount to any account, he must log in to his account and make the transaction. Before the transaction completes, the mobile asks for the biometric (fingerprint) and then asks for the private key PIN. Because of this, the transaction can only be done by the authorized person.
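The two-factor key release described in the SMS and transaction paragraphs above, as an added example that is not the paper's own design or code: the SIM signs a message only when a live fingerprint scan is close enough to the enrolled template and the PIN is correct, and the recipient checks the signature with the SIM's public key. The fingerprint "template" is a constructed 256-bit code matched by Hamming distance, the 20-bit tolerance and the PIN "4321" are assumptions, and a real SIM would add a hardware retry counter; the signing itself is the Go standard library's Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/bits"
)

// Template is a constructed stand-in for a fingerprint feature code: a 256-bit
// string. Real minutiae templates are richer, but the property that two scans of
// the same finger are close rather than identical is the same.
type Template [32]byte

// Threshold is the assumed tolerance: scans differing in more bits than this are
// treated as a different finger.
const Threshold = 20

// ProxySIM holds what the paper keeps inside the SIM: the private key, the
// enrolled template and the PIN (as a salted hash). None of it ever leaves.
type ProxySIM struct {
	priv     ed25519.PrivateKey
	enrolled Template
	salt     [16]byte
	pinHash  [32]byte
	Public   ed25519.PublicKey // the only thing the SIM exports
}

func hammingDistance(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

func hashPIN(salt [16]byte, pin string) [32]byte {
	return sha256.Sum256(append(salt[:], pin...))
}

// Enroll generates the key pair and stores the reference fingerprint and PIN.
func Enroll(fingerprint Template, pin string) *ProxySIM {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s := &ProxySIM{priv: priv, enrolled: fingerprint, Public: pub}
	if _, err := rand.Read(s.salt[:]); err != nil {
		panic(err)
	}
	s.pinHash = hashPIN(s.salt, pin)
	return s
}

// Sign is the transactional key release: the private key is used only when the
// live scan matches the enrolled finger AND the PIN is right. A deployed SIM
// would also enforce a hardware retry counter, omitted here.
func (s *ProxySIM) Sign(live Template, pin string, msg []byte) ([]byte, error) {
	if hammingDistance(live, s.enrolled) > Threshold {
		return nil, errors.New("fingerprint does not match enrolled template")
	}
	h := hashPIN(s.salt, pin)
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(s.priv, msg), nil
}

// VerifyMessage is the recipient's check that the SMS really came from the SIM.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Noisy flips the first n bits of t to simulate sensor noise (small n) or a
// different finger altogether (large n).
func Noisy(t Template, n int) Template {
	for i := 0; i < n && i < len(t)*8; i++ {
		t[i/8] ^= 1 << (i % 8)
	}
	return t
}

func main() {
	finger := Template(sha256.Sum256([]byte("constructed owner fingerprint")))
	sim := Enroll(finger, "4321")
	msg := []byte("transfer 500 to account 12345")
	sig, err := sim.Sign(Noisy(finger, 5), "4321", msg) // owner, slightly noisy scan
	fmt.Println("owner            :", err, VerifyMessage(sim.Public, msg, sig))
	_, err = sim.Sign(Noisy(finger, 90), "4321", msg) // someone who learned the PIN
	fmt.Println("stranger with PIN:", err)
	_, err = sim.Sign(Noisy(finger, 5), "0000", msg) // owner's finger, wrong PIN
	fmt.Println("wrong PIN        :", err)
}
```

The order of checks mirrors the text (fingerprint first, then PIN), and the PIN comparison is constant-time so the SIM does not leak which factor failed through timing; the recipient learns nothing about the biometric, only that a signature verifies under the SIM's public key.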
