Скачать презентацию Analysis of Hardware Controls for Secure Authentication Group
29146983998becf84c53664d51797b79.ppt
- Количество слайдов: 59
Analysis of Hardware Controls for Secure Authentication Group 2 Karan Asnani, John Bowen, Michael Ellis, Nirav Shah 1
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 2
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 3
Introduction • Access control is a key first step in infosec. • Authentication vs. Authorization. • Lack of effective access control, especially in the private sector. • Various hardware-based authenticators exist. 4
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 5
Smart Cards • Historically popular in Europe. • Evolved from magnetic stripe cards. • Four major uses: – Protect the privacy of individuals and keep their informational assets safe from hacking. – Restrict access on to networks or computer systems, possibly in combination with hardware tokens. – Restrict physical access to protected areas. – Storage and encryption of sensitive data like certificates or passwords, usually in conjunction with a Public Key Infrastructure (PKI) that involves a certified digital certificate. 6
Categorization by memory • Memory cards: – Original version of smart cards. – Areas for temporary and permanent data. – Example: Prepaid phone cards. • Chip cards: – “True” smart cards. – Basically small computers containing memory and a microprocessor. – Large storage capacity. 7
Internal Architecture of a Chip Card (Dhar 6) 8
Categorization by interface • Contact: – Card in contact with reader for duration of transaction. – Data transmitted through electrical contact. – Contacts may wear out. • Contactless: – – Speeds up transactions and easy to use. Long lifetime. Reduced vandalism of readers. RFID 9
Pros and Cons • Pros: – – Physical access restricted to authorized users. Large capacity and multifunctionality. Long lifetime. Cards can be self-secure. • Cons: – Huge risk of card being lost or stolen. – High initial capital expenditure. – Issue of human trust. 10
Future • More research on: – Improving card technology. – Reducing cost of implementation. – Response systems for lost cards. • Market has huge scope for growth. • Smart cards are ready and available for wide scale deployment. 11
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 12
Hardware Token Overview • Goal: To safeguard systems by means of secure authentication while allowing for dynamic security. • Portable RSA Secur. ID 700 RSA Secur. ID 200 • Most produce a unique pass code. • Different shape, sizes and implementations. 13
History • Originated as devices called “dongles” in the 1970’s. • Used serial and parallel ports. • Could be chained for multiple authentication. • Typically used to protect software from being copied or securing access to private software. 14
Multifactor Authorization • Three Labels: – Knowledge-Based Authorization – Object-Based Authorization – ID-Based Authorization • Specifically, most hardware tokens use twofactor authorization. • “This example of token plus password constitutes the vast majority of current multifactor implementations” for hardware authentication today (O’Gorman 2024). 15
Functionality of Hardware Tokens Two primary token types: • Time-changing passwords Veri. Sign OTP Token – Most change once every sixty seconds or less. – Achieved by the hardware token being synchronized with a system upon initialization. • Event changing passwords – Pressing a button. CRYPTOCard KT 1 This generation of a unique password for each use is called 16 a one-time password (OTP).
Pass Code Generation • Encryption algorithms are secret! • Vendors change encryption methods in new models. – RSA changed Secur. ID algorithm in 2003 • Most vendors use the Advanced Encryption Standard in order to generate pass codes. 17
Authentication • Used to limit access to VPNs, SSH, RAS, wireless networks, e-mail, etc for Windows and Unix. • Typically, a user enters knowledge-based password and object-based OTP in the following way: STATICDYNAMIC • Sometimes multifactor encryption is done solely on the token. • The authentication process varies for each vendor and client. CRYPTOCard RB-1 18
USB Tokens • Extra storage capacity allows for encryption of stored files using a public key infrastructure (PKI). • Encryption and Decryption are automatic. • Ability to store certificates on the USB and allows for digital signing of documents. 19
Market • RSA Security is the largest single producer of hardware tokens. • Veri. Sign is gaining market share. • Discount token companies are emerging such as Vasco. • Most current use is by government and research institutions. • Common institutions are finally beginning to adopt hardware tokens. 20
Pros and Cons • Pros: – One-Time Password – Two-Factor Authentication – Increased Mobility • Cons: – Easily lost – Inconvenience – Costly Implementation 21
The Future of Hardware Tokens • Bluetooth and Zero-Interaction Authentication (ZIA). • Mobile phones and PDAs. • Increasing adoption facilitates cheaper technology and more research. 22
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 23
Biometrics & Face Recognition • Biometrics: using/analyzing physical features of an individual in the fields of security and access control – Face recognition: subset of biometrics in which facial features are analyzed as a means of: • Verification • Identification – Obvious uses in security in private industry 24
Face Recognition: History • 1960 s – Woody Bledsoe, Helen Chan Wolf, and Charles Bisson develop 1 st semi-automated recognition system • Required human assistance – Difficulties concerning orientation of face in calculations • 1970 s – Introduction of subjective markers to aid in automation 25
History (continued) • 1980 s – Kirby and Sirovich apply principal component analysis -> “Eigenfaces” (discussed later) • Considered breakthrough in face recognition • Reduced amount of data required • 1990 s – Turk and Pentland extend technique to detect the face in an image 26
Face Recognition: Functionality • Two possible functions of face recognition: Identification problems & verification problems – • General surveillance vs. guaranteeing an identity Regardless of function, five steps are required: 1. 2. 3. 4. 5. Acquire image of face Determine location of face Analyze face Compare results of analysis to reference data Evaluate results of comparison 27
Functionality: Algorithms • Example algorithms: – – – Eigenface Fisherface Hidden Markov model Dynamic Link Matching Elastic Bunch Graph Matching (EBGM) 3 D Face Recognition (new) • Many variations of Eigenface method exist 28
Algorithms: Eigenfaces • AKA Principal Component Analysis • “One of the most successful methodologies for the computational recognition of faces in digital images” • Basis: amount of data carried in an image is much greater than what is needed to describe a face – Utilizes linear algebra techniques to compress data 29
Eigenfaces: Principal Component Analysis (PCA) • Summary: project input faces onto a dimensional reduced space to carry out recognition • The mathematics – “PCA is a general method for identifying the linear directions in which a set of [data-containing] vectors are best represented in a least-squares sense, allowing a dimensional reduction by choosing the directions of largest variance” –Javier Ruiz-del-Solar 30
Principal Component Analysis (continued) • So what exactly does this mean? – Facial data from an image (once a face is extracted) is reduced using data compression basics into “eigenfaces” – Face image is represented as a weighted sum of the eigenfaces • So…what does this look like? 31
Standard Eigenfaces Notice how only “relevant” facial data is retained. 32
Eigenfaces: Conclusion • Derived eigenfaces are compared to stored image • Comparison: distance between respective weighted sums of eigenfaces • Close mathematical matches = facial matches 33
Algorithms: 3 D Methods • Capture facial images using more than one camera • 3 D models hold more information than 2 D – Greater accuracy in recognition • Algorithm similar to Eigenfaces but with some additional properties • 2 D recognition currently outperforms 3 D 34
Algorithms: Weaknesses • Affected by viewing angle • Illumination accentuates/diminishes certain features • Expressions cause variations in appearance • Objects may obscure face • Faces affected by time • Sensitivity to gender or ethnicity 35
Face Recognition: Testing • Face Recognition Technology (FERET) Program – Three main goals • Face Recognition Vendor Test (FRVT) – “measure progress of prototype systems/algorithms and commercial face recognition systems” Verification performance data for the top three face recognition companies tested 36
Face Recognition: Standards • INCITS M 1 • ISO SC 37 • In 2004, Department of Homeland Security adopted 1 st biometric face recognition standard – Used in applications such as travel documents – Specifies photograph properties 37
Face Recognition: Research & Market • Interest in use in security surveillance -> research in video-based face recognition • A number of research groups: – Carnegie Mellon – University of Maryland • U. S. government investing in 3 D technology – $6 million in 2005 to A 4 Vision, Inc. • French Civil Aviation Authority employing 3 D technology in airport 38
Face Recognition: Pros, Cons, & Conclusions • A number of technical difficulties resulting in relatively poor accuracy – Face recognition involves too many variables • Applications in security surveillance due to nature of face recognition – Still must overcome accuracy problem • However, with further research, verification via face recognition could find a niche in the private field, especially when coupled with other technologies – Iris scanning 39
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 40
Fingerprint Authentication • Form of biometric technology – ID-based authenticator – Unique to one person 41
History of Fingerprint Authentication • Dr. Henry Faulds - first scientist to mention identification as a use for fingerprints • Sir Francis Galton – put fingerprinting on a scientific basis • Use of fingerprinting in law enforcement • Use of Automated Fingerprint Identification System (AFIS) 42
Functionality of Fingerprint Authentication • Characteristics of a fingerprint – Ridges: Arches, whorls and loops – Minutia: Ridge endings, bifurcations, divergences, etc. • Fingerprint scanning – Two main types: Optical and Capacitance scanning 43
Optical Scanning • Photo taken in a process similar to a digital camera – Charged Coupled Device (CCD) generates image through thousands of photosites • Each photosite records a pixel corresponding to the light that hits it 44
Capacitance Scanning • Uses property of capacitance to scan in image – One or more semiconductor chips each contain number of cells. – Each cell has capacitor, and finger changes capacitance of cell, which generates image, as capacitance of ridges and valleys are different. 45
Market for Fingerprint Authentication • Host of products available from many different companies – Identix Inc – Bio. Scrypt Inc – Ultra-Scan Corp • Companies have started to combine different biometric technologies – i. e. V-Smart by Bio. Scrypt Inc 46
Pros and Cons of Fingerprint Authentication • Pros: – Extremely stable and hard to forge – Fairly accurate – Inexpensive and easy to use • Cons: – Not for everybody – False rejections are common. – Social stigma 47
Future of Fingerprint Authentication • Already a fairly established authentication technology • Expected to grow steadily through research and technology – Fingerprint biometrics expected to reach $2. 6 billion by 2006 • More accurate, inexpensive fingerprint scanners expected. 48
Outline • • Introduction to access control Smart cards Hardware tokens Biometrics – Face recognition – Fingerprint scanning – Voice recognition • Conclusion 49
Voice Authentication • A type of biometric technology – ID-based authenticator – Not always unique to one person • Two different types: – Speaker Verification – Speaker Identification 50
History of Voice Authentication • Voder – first attempt at synthesizing speech in 1936 • Many commercial products starting in 1970 s – Very limited • Products became more advanced in 1990 s, due to dot-com era 51
Functionality of Voice Authentication • Two main steps: Feature Extraction and Acoustic Modeling/Classification • Feature Extraction – Involves breaking up audio into individual “frames” – Majority of voice authentication use mel frequency cepstral coefficients (MFCC) – Each individual frame is converted to MFCC feature vector 52
Functionality of Voice Authentication (continued) • Acoustic Modeling/Classification – Several different models used • Dynamic Warping • Neural Networks • Hidden Markov Model – Translates feature vectors into recognizable words 53
Market for Voice Authentication • Fairly new technology, so very few vendors • Large corporations as well as smaller established companies – – Microsoft IBM Nuance QVoice Inc 54
Pros and Cons of Voice Authentication • Pros: – Hard to forge – Low-cost – Easy to use • Cons: – Instable (voice can change) – Background noise – Vulnerable to hackers 55
Future of Voice Authentication • Considered to be in its infancy, as it still has many problems • Expected to grow rapidly • Speech systems that use multiple biometric technologies and continuous input systems are expected to grow the fastest 56
Conclusion • Access control is important in information security • Three different hardware-based technologies discussed • Multifactor authentication leads to more secure protection • Summary – huge potential for growth in the industry 57
Bibliography • Biryukov, Alex , Joseph Lano and Bart Preneel. “Cryptanalysis of the Alleged Secur. ID Hash Function. ” Lecture Notes in Computer Science 3006 (2004): 130 -144. • CRYPTOCard Tokens. CRYPTOCard Secure Password Technologies. 14 July 2006.
Questions? 59