N Stage Authentication with N Stage Authentication with Biometric DevicesBiometric Devices

Presented by:Presented by:

Nate RotschaferNate Rotschafer

SophomoreSophomore

Peter Kiewit InstitutePeter Kiewit Institute

Revised: July 8, 2002

N Stage AuthenticationN Stage Authentication OutlineOutline

– Background on AuthenticationBackground on Authentication– General Network SecurityGeneral Network Security– Need for High Grade AuthenticationNeed for High Grade Authentication– Need for Multiple Factor AuthenticationNeed for Multiple Factor Authentication– Background on Error TypesBackground on Error Types– Forms of Biometric AuthenticationForms of Biometric Authentication– Pros and Cons of Each Biometric TechnologyPros and Cons of Each Biometric Technology– What’s Hot? What’s Not?What’s Hot? What’s Not?– Major PlayersMajor Players– Network Management with Biometric DevicesNetwork Management with Biometric Devices– ProblemsProblems– Proper Network Security with Biometric DevicesProper Network Security with Biometric Devices– Demos and DiscussionDemos and Discussion– PrognosisPrognosis

Background on Background on AuthenticationAuthentication

IdentificationIdentification

The method used by a system (not The method used by a system (not necessarily a computer) to uniquely necessarily a computer) to uniquely identify an individual or group.identify an individual or group.

Examples: User names, Driver’s Examples: User names, Driver’s License, School ID, License, School ID,

Security Badge, Security Badge, Passport Passport

AuthenticationAuthentication

The method(s) used to verify the The method(s) used to verify the given identification against a given identification against a database of known information.database of known information.

Examples: Passwords, Examples: Passwords, Fingerprints, Iris Fingerprints, Iris

Prints,Prints, NegotiationNegotiation

Development of Development of AuthenticationAuthentication

What you know…What you know… What you have…What you have… What you are…What you are… Future Development: How you Future Development: How you

are...are...

General Network SecurityGeneral Network Security

Security is NOTSecurity is NOT

Installing a firewallInstalling a firewall A product or ServiceA product or Service Running an audit and shutting Running an audit and shutting

things offthings off

Security ISSecurity IS

Working productively and without Working productively and without interruptionsinterruptions

Only as good as the weakest linkOnly as good as the weakest link Risk management of resources Risk management of resources

(equipment, people)(equipment, people) Physical securityPhysical security A process, methodology, policies and A process, methodology, policies and

peoplepeople Is 24x7x365Is 24x7x365

General Network SecurityGeneral Network Security

No silver bullet to network securityNo silver bullet to network security Replay attacksReplay attacks Denial of Service ((D)DoS)Denial of Service ((D)DoS) SpoofingSpoofing UsersUsers Dictionary AttacksDictionary Attacks

Security ThoughtsSecurity Thoughts

80-90% are internal issues80-90% are internal issues Hard drive crash (what did you loose, Hard drive crash (what did you loose,

and how long to get back up?)and how long to get back up?) Firewall penetration (what can they do, Firewall penetration (what can they do,

what do they see?)what do they see?) Internet failed (how much lost Internet failed (how much lost

productivity/revenue, backup net productivity/revenue, backup net connection?)connection?)

Some can always get inSome can always get in

General Network Security General Network Security ConclusionConclusion

Biometrics will help but will not Biometrics will help but will not solve all problemssolve all problems

Users are the “weakest link”Users are the “weakest link” Proactive security planProactive security plan

Need for High Grade Need for High Grade AuthenticationAuthentication

Need for High Grade Need for High Grade AuthenticationAuthentication

High Security AreasHigh Security Areas Multiple Factor AuthenticationMultiple Factor Authentication Challenge and Response Challenge and Response

AuthenticationAuthentication High Assurance of Proper High Assurance of Proper

IdentificationIdentification Data Retrieval Based on the PersonData Retrieval Based on the Person

Background on Error TypesBackground on Error Types

Type I Error --- Accept in Type I Error --- Accept in ErrorError

Balance Between Type I and Type Balance Between Type I and Type II ErrorII Error

Most DangerousMost Dangerous High ExposureHigh Exposure PreventablePreventable Need for Additional Security Need for Additional Security

MeasuresMeasures

Type II --- Deny in ErrorType II --- Deny in Error

Balance Between Type I and Type Balance Between Type I and Type II ErrorII Error

Only an InconvenienceOnly an Inconvenience PrventablePrventable Established by a High Security Established by a High Security

PolicyPolicy

Forms of Biometric Forms of Biometric AuthenticationAuthentication

Forms of Biometric Forms of Biometric DevicesDevices

Fingerprint ScannersFingerprint Scanners Retina ScannersRetina Scanners Iris ScannersIris Scanners Voice Print ScannersVoice Print Scanners Handwriting RecognitionHandwriting Recognition Face RecognitionFace Recognition Personal GeometryPersonal Geometry DNADNA

Pros and Cons of Each Pros and Cons of Each Biometric TechnologyBiometric Technology

Fingerprint ScannersFingerprint Scanners

ProsPros ConsCons

Retina ScannersRetina Scanners

ProsPros ConsCons

Iris ScannersIris Scanners

ProsPros ConsCons

Voice Print ScannersVoice Print Scanners

ProsPros ConsCons

Handwriting RecognitionHandwriting Recognition

ProsPros ConsCons

Personal GeometryPersonal Geometry

ProsPros ConsCons

Face RecognitionFace Recognition

ProsPros ConsCons

DNADNA

ProsPros ConsCons

What’s Hot? What’s Not?What’s Hot? What’s Not?

What’s Hot?What’s Hot? Fingerprint ScannersFingerprint Scanners Iris ScannersIris Scanners N Stage AuthenticationN Stage Authentication InteroperabilityInteroperability InterchangeabilityInterchangeability StandardsStandards Server Signature StorageServer Signature Storage

What’s Not?What’s Not?

Retina ScannersRetina Scanners DNADNA 1 or 2 Stage Authentication1 or 2 Stage Authentication

Major PlayersMajor Players

Major PlayersMajor Players

Most ISP NOCsMost ISP NOCs Healthcare OrganizationsHealthcare Organizations Banking IndustryBanking Industry Military/Government AgenciesMilitary/Government Agencies Department of DefenseDepartment of Defense Schools?Schools?

Network Management with Network Management with Biometric DevicesBiometric Devices

CostCost

Fingerprint Scanner --- $100-150Fingerprint Scanner --- $100-150 Retina Scanner --- $400-500Retina Scanner --- $400-500 Iris Scanner --- $200-300Iris Scanner --- $200-300 Voice Print Scanner --- $150-200Voice Print Scanner --- $150-200 Face Recognition --- $150-250Face Recognition --- $150-250

Ease of DeploymentEase of Deployment

Fingerprint Scanner --- EasyFingerprint Scanner --- Easy Retina Scanner --- HardRetina Scanner --- Hard Iris Scanner --- HardIris Scanner --- Hard Voice Print Scanner --- MediumVoice Print Scanner --- Medium Face Recognition --- EasyFace Recognition --- Easy

Ease of ManagementEase of Management

Fingerprint Scanner --- EasyFingerprint Scanner --- Easy Retina Scanner --- MediumRetina Scanner --- Medium Iris Scanner --- MediumIris Scanner --- Medium Voice Print Scanner --- EasyVoice Print Scanner --- Easy Face Recognition --- MediumFace Recognition --- Medium

User EffectsUser Effects

Fingerprint Scanner --- MediumFingerprint Scanner --- Medium Retina Scanner --- MediumRetina Scanner --- Medium Iris Scanner --- MediumIris Scanner --- Medium Voice Print Scanner --- HighVoice Print Scanner --- High Face Recognition --- MediumFace Recognition --- Medium

ProblemsProblems

Proper Network Security With Proper Network Security With Biometric DevicesBiometric Devices

Securing Biometric Securing Biometric SignaturesSignatures

Tamper resistant storageTamper resistant storage Protection from corruptionProtection from corruption Secure signature changesSecure signature changes Secure backupsSecure backups Stop signature interceptionStop signature interception Protect latent signaturesProtect latent signatures

Logon SecurityLogon Security

Trusted Path to the authentication Trusted Path to the authentication device device

Tamper resistance Tamper resistance Clear or encrypted transmissionClear or encrypted transmission Continuous monitoringContinuous monitoring What “goes down the wire”?What “goes down the wire”? Real biometric?Real biometric?

Bypass PreventionBypass Prevention

Tamper resistance at the local Tamper resistance at the local machinemachine

Enhanced biometrics to tell a real Enhanced biometrics to tell a real biometric from a fake biometric biometric from a fake biometric

Both biometrics and passwords Both biometrics and passwords needed needed

ConsistencyConsistency

Environmental effects Environmental effects All network users adhere to the All network users adhere to the

same policysame policy All network machines configured All network machines configured

identicallyidentically

Can Biometrics be Can Biometrics be Bypassed?Bypassed?

How they are connectedHow they are connected The device can be fooledThe device can be fooled ConsistencyConsistency

Demos and DiscussionDemos and Discussion

Demo of Fingerprint Demo of Fingerprint Scanner AuthenticationScanner Authentication

Demo of Iris Scanner Demo of Iris Scanner AuthenticationAuthentication

Wire Capture AnalysisWire Capture Analysis

Recent Bypassing MethodsRecent Bypassing Methods

How to BypassHow to Bypass

Question and AnswerQuestion and Answer

Thanks To:Thanks To:

Dr. Blaine Burnham, Director of Dr. Blaine Burnham, Director of NUCIANUCIA

Defcon 10Defcon 10 Peter Kiewit InstitutePeter Kiewit Institute Dan DevriesDan Devries

Contact InfoContact Info

E-Mail: E-Mail: nrotschafer@geniussystems.netnrotschafer@geniussystems.net

Slides: Slides: http://www.geniussystems.nethttp://www.geniussystems.net– Goto the :. Talks .: section and then to Goto the :. Talks .: section and then to

the “Biometrics” folder then to the the “Biometrics” folder then to the “Defcon” folder and download “Defcon” folder and download the .ppt slides of the presentation.the .ppt slides of the presentation.

LinksLinks

http://www.http://www.theregustheregus.com/content/55/24956.html.com/content/55/24956.html

http://www.http://www.heiseheise.de/.de/ctct//englishenglish/02/11/114//02/11/114/ http://www.http://www.precisebiometricsprecisebiometrics.com/.com/ http://www.http://www.saflinksaflink.com/.com/ http://http://statstat..tamutamu..eduedu/Biometrics//Biometrics/ http://www.biometrics.org/http://www.biometrics.org/ http://biometrics.http://biometrics.csecse..msumsu..eduedu//