
Authentication with Smartcards and Fingerprints


Presentation Transcript


  1. Authentication with Smartcards and Fingerprints Himanshu Khurana Joe Muggli NCSA, UIUC March 30, 2006

  2. Outline • Introduction • Smartcards • Biometrics: fingerprints • Illinois Terrorism Task Force (ITTF) Project • Interactive Demonstration

  3. Authentication Goals • Basic Goal • Verify the unique identity of the requestor • Additional goals in a networked world • Prevent leak of secrets • Prevent replay attacks • Global scalability • Offline operation capability • High assurance • …

  4. Passwords are not enough • Same goals as on the previous slide; the slide marks three of them with an X as goals passwords do not meet • Passwords are vulnerable to • dictionary attacks • theft • collusion attacks (users can share passwords)

  5. Solution: Multi-factor Authentication • Multi-factor authentication: combination of • What you know; e.g., passwords, PINs • What you have; e.g., OTP tokens, smartcards • What you are (biometrics); e.g., fingerprints, iris scans, face recognition • Typically two-factor authentication is used; e.g., • PIN + Card (e.g. ATMs) • Password + One-time-password (OTP) token • Fingerprint + Smartcard

  6. Public-Key Infrastructure (PKI) • Public Key Cryptography • Sign with private key, verify signature with public key • Encrypt with public key, decrypt with private key • Key Distribution • Who does a public key belong to? • Certification Authority (CA) verifies user’s identity and signs certificate • Certificate is a document that binds the user’s identity to a public key • Authentication • Signature [ h ( random, … ) ] • Figure: a self-signed CA certificate (Issuer: CA, Subject: CA) and, signed by the CA, a user certificate (Issuer: CA, Subject: Jim) Source: Jim Basney’s MyProxy presentation

  7. Authentication with Digital Signatures (figure) • Alice → Bob: Request • Bob → Alice: Nonce • Alice: Hash(Nonce), then Enc with signing key SKA → Signed Nonce → Bob • Bob: Dec with verification key PKA, compute Hash(Nonce) independently, Match? (Enc/Dec in the figure denote signing and signature verification with Alice’s key pair)
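The signed-nonce exchange of slide 7, written out as an added example (this is not code from the slides or from NCSA). Both parties live in one Python module: Bob issues a fresh random nonce bound to the claimed identity, Alice signs its hash with SKA, Bob verifies with PKA and records the nonce so that a captured response cannot be replayed. The RSA is a textbook, unpadded toy built on the standard library so the block runs offline; the 512-bit key size, the `known_keys` dictionary standing in for certificate validation, and all class and function names are assumptions of this example. A real deployment uses a vetted library (PKCS#1 v1.5/PSS or ECDSA) and obtains PKA from a CA-signed certificate chain.

```python
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n)). Assumed toy size; far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # 256-bit value < n


def rsa_sign(priv, msg: bytes) -> int:
    d, n = priv
    return pow(_hash_to_int(msg), d, n)  # the slide's "Enc" of Hash(Nonce) with SKA


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return 0 < sig < n and pow(sig, e, n) == _hash_to_int(msg)  # "Dec" with PKA, then Match?


class Verifier:
    """Bob: issues single-use nonces and checks signatures against known public keys."""

    def __init__(self, known_keys):
        self.known_keys = known_keys  # identity -> PK; stands in for certificate validation
        self.outstanding = {}         # nonce -> identity the challenge was issued to
        self.consumed = set()         # nonces already spent, to reject replays

    def challenge(self, claimed_identity: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.outstanding[nonce] = claimed_identity
        return nonce

    def check(self, identity: str, nonce: bytes, sig: int) -> bool:
        if nonce in self.consumed or self.outstanding.get(nonce) != identity:
            return False              # replayed, never issued, or issued to someone else
        self.consumed.add(nonce)      # burn the challenge even if the signature is bad
        del self.outstanding[nonce]
        pub = self.known_keys.get(identity)
        return pub is not None and rsa_verify(pub, nonce, sig)


class Claimant:
    """Alice: proves possession of SKA by signing Bob's nonce."""

    def __init__(self, identity: str, priv):
        self.identity, self._priv = identity, priv

    def respond(self, nonce: bytes):
        return self.identity, nonce, rsa_sign(self._priv, nonce)


def run_exchange():
    """Returns (first attempt accepted, replay accepted, forgery accepted)."""
    pub_a, priv_a = rsa_keygen()
    alice, bob = Claimant("alice", priv_a), Verifier({"alice": pub_a})

    response = alice.respond(bob.challenge("alice"))
    first = bob.check(*response)
    replay = bob.check(*response)  # eavesdropper resends the captured signed nonce

    _, mallory_priv = rsa_keygen()  # attacker without SKA answers a fresh challenge
    nonce2 = bob.challenge("alice")
    forged = bob.check("alice", nonce2, rsa_sign(mallory_priv, nonce2))
    return first, replay, forged


if __name__ == "__main__":
    print(run_exchange())
```

Two details matter for the "prevent replay attacks" goal on slide 3: the nonce is marked consumed before the signature is checked, so a bad response cannot be retried against the same challenge, and each nonce is bound to the identity it was issued for, so a response cannot be redirected to another account.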

  8. Authentication with Smartcards and PKI • Unlike passwords, private keys cannot be remembered (typically 1024 bits) • File-based storage provides weak security and no mobility • Smartcards provide secure, tamper-resistant storage with mobility • Less easily shared than passwords • Drawbacks: card cost, readers

  9. Smartcards • CPU: 8, 16, 32 bit • ROM: ~1 to 32 KB • RAM: several KB • EEPROM: ~16 to 64 KB • Programming: Java, .Net • Various levels of memory access control • Protected memory holds secrets and is accessible only to the cryptoprocessor

  10. Example: Authentication with Smartcards Unlocked by a PIN (figure) Source: Dang et al., AINA’05

  11. Security Concerns and Authentication Goals • High assurance • Smartcards and PINs can get lost, be stolen, or shared • A Solution: combine biometrics with smartcards Source: Renaudin et al., Design, Automation and Test in Europe Conference and Exhibition, 2004

  12. Biometrics: Fingerprints • Identifies an individual uniquely by a biometric identifier • Pattern recognition system • Enrollment captures a digital representation (template) of the biometric identifier • Recognition captures the characteristics and matches them against the template • Ideal properties: universal, unique, permanent, collectable • Practical properties: performance, acceptability, resistance to circumvention • Examples: face recognition, fingerprints, iris scans, retinal scans, hand geometry, etc.

  13. Minutiae Based Fingerprint Recognition • A digital image of a fingerprint contains features • Ridge bifurcations and endings • Called minutiae • Minutiae features represented using location (x, y) and direction θ • Set of measurements forms the template • Matching attempts to calculate a degree of similarity, taking into account • rotation, elastic distortion, sensor noise, etc. • Never 100%: false acceptance rate and false rejection rate

  14. Combining Fingerprints and Smartcards for Authentication • Replace PINs with fingerprint verification • Store the template on the card • Match the presented fingerprint on the card • The reader only extracts minutiae features • Security and privacy advantages • Match-on-card leverages the smartcard as a trusted computing platform • Match-on-card requires no additional trusted entity • Mimics PIN verification • Template is stored on the card, not in an accessible database
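An added example for slides 13 and 14 (not code from the slides, and not Precise Biometrics’ MatchOnCard): a minimal minutiae matcher in Python, wrapped in a card-side object that holds the template, never exports it, and keeps a retry counter the way a PIN does. The matcher tries every (template minutia, probe minutia) pair as the alignment reference, rotates and translates the probe so that pair coincides in position and direction, then greedily pairs the remaining minutiae within a distance and direction tolerance; the best pairing count normalised by the larger set is the similarity score. The minutiae sets (constructed, not real fingerprints), the tolerances r0 = 10 px and a0 = 20°, the 0.6 decision threshold and the three-try limit are all assumptions of this example.

```python
import math


def _m(x, y, deg):
    """Minutia as (x, y, theta) with theta in radians."""
    return (float(x), float(y), math.radians(deg))


# Constructed template: what enrollment stored on the card.
TEMPLATE = [_m(30, 40, 10), _m(60, 45, 95), _m(85, 70, 200), _m(40, 90, 300),
            _m(70, 110, 45), _m(100, 30, 150), _m(20, 120, 250), _m(90, 130, 20)]


def transform(m, dtheta, dx, dy):
    """Rotate about the origin by dtheta, then translate: a different finger placement."""
    x, y, th = m
    c, s = math.cos(dtheta), math.sin(dtheta)
    return (x * c - y * s + dx, x * s + y * c + dy, (th + dtheta) % math.tau)


# Constructed genuine probe: same finger rotated 15 deg and shifted, with per-minutia
# sensor jitter (dx, dy, ddeg), the last template minutia missed and one spurious one added.
_JITTER = [(1, -1, 2), (0, 1, -1), (-1, 0, 0), (1, 1, 1), (0, -1, -2), (-1, 1, 1), (1, 0, 0)]
GENUINE_PROBE = [
    (x + jx, y + jy, th + math.radians(jd))
    for (x, y, th), (jx, jy, jd) in zip(
        (transform(m, math.radians(15), 20, -10) for m in TEMPLATE[:-1]), _JITTER)
] + [_m(200, 200, 0)]

# Constructed impostor probe: a different finger.
IMPOSTOR_PROBE = [_m(50, 50, 0), _m(120, 20, 180), _m(15, 95, 90), _m(75, 135, 270),
                  _m(110, 100, 30), _m(35, 30, 210), _m(95, 60, 120), _m(60, 15, 330)]


def _angle_diff(a, b):
    d = abs(a - b) % math.tau
    return min(d, math.tau - d)


def _align(probe, ref_probe, ref_template):
    """Move the probe so ref_probe lands exactly on ref_template (position and direction)."""
    dtheta = ref_template[2] - ref_probe[2]
    c, s = math.cos(dtheta), math.sin(dtheta)
    out = []
    for x, y, th in probe:
        dx, dy = x - ref_probe[0], y - ref_probe[1]
        out.append((dx * c - dy * s + ref_template[0],
                    dx * s + dy * c + ref_template[1],
                    (th + dtheta) % math.tau))
    return out


def _count_pairs(template, aligned, r0=10.0, a0=math.radians(20)):
    """Greedy one-to-one pairing within distance r0 and direction tolerance a0."""
    used, n = set(), 0
    for tx, ty, tth in template:
        for j, (px, py, pth) in enumerate(aligned):
            if j not in used and math.hypot(tx - px, ty - py) <= r0 and _angle_diff(tth, pth) <= a0:
                used.add(j)
                n += 1
                break
    return n


def similarity(template, probe):
    """Best pairing count over all candidate reference pairs, normalised to [0, 1]."""
    best = 0
    for t in template:
        for p in probe:
            best = max(best, _count_pairs(template, _align(probe, p, t)))
    return best / max(len(template), len(probe))


class MatchOnCard:
    """Card side: the template never leaves this object; the reader sends only minutiae."""
    MAX_TRIES = 3  # assumed limit, mirroring a PIN retry counter

    def __init__(self, template, threshold=0.6):
        self._template = list(template)
        self._threshold = threshold
        self._tries_left = self.MAX_TRIES
        self._unlocked = False

    def verify(self, probe):
        if self._tries_left == 0:
            return False  # blocked, like a PIN after too many wrong tries
        if similarity(self._template, probe) >= self._threshold:
            self._unlocked, self._tries_left = True, self.MAX_TRIES
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    @property
    def unlocked(self):
        return self._unlocked  # gate for private-key operations on the card

    @property
    def tries_left(self):
        return self._tries_left


def run_demo():
    """Returns (genuine accepted, card unlocked, four impostor attempts, tries left)."""
    card = MatchOnCard(TEMPLATE)
    genuine = card.verify(GENUINE_PROBE)
    card2 = MatchOnCard(TEMPLATE)
    attempts = [card2.verify(IMPOSTOR_PROBE) for _ in range(4)]
    return genuine, card.unlocked, attempts, card2.tries_left
```

The threshold is where the two error rates on slide 13 trade off: raising it lowers the false acceptance rate and raises the false rejection rate. Production match-on-card algorithms add minutia quality weighting, distortion models and constant-time, memory-bounded code for the card’s CPU; this block only shows the structure that lets the template stay on the card while the reader does feature extraction.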

  15. ITTF Credentialing Project* • Goal: provide trustworthy identification at secure incident perimeter • Requirements: credential based, offline operation, unique identification, counterfeit resistance • Approach: smartcard and fingerprint based authentication * Work done with Jim Basney; Partner Institutions: Illinois State Police, Entrust, U. of Chicago

  16. ITTF Background • Provide trustworthy identification of response team members at a secure incident perimeter: Fire, EMT, Police, HazMat, Techs, etc. • Two-factor authentication in the field • Offline operation, web portals for registration and authentication • Highly usable but also resistant to counterfeiting • Prototype, not a production unit

  17. Featured Technologies • State of Illinois PKI Certificate Authority • Web interfaced central authentication service – Entrust GetAccess™ & TruePass™ • MatchOnCard™ fingerprint templates on smartcards – Precise Biometrics • Role based authentication

  18. Credentialing Portal Roles • Team Member • Team Leader • Card Distributor • Credential Review Committee Member • Administrator One Responder Can Have Multiple Roles

  19. Credentialing Portal Architecture (diagram) • Components: Internet-facing Firewall; Web Server (MS IIS with Entrust Modules); Illinois Internal Network with Entrust Servers (GetAccess, SelfAdmin, TruePass + Portal on IBM WebSphere), ITTF Database (Oracle 10g) and the State of Illinois PKI; Registration Station; Field Station (reached over the Internet) • Firewall open ports: SSL 443, 9443; SMTP 25; LDAP 389; SQL*Net 1521; PKIX-CMP 829; Entrust 710, 50000, 50001 +

  20. ITTF Registration Procedure • Prerequisites: demographic information, team membership, portrait, fingerprint scan, criminal history review, State of Illinois PKI Level I Digital ID • Steps (Registration Portal Station): 1. User logs into registration portal, edits record 2. Team Leader logs in, approves team member 3. Smartcard produced and shipped to Card Distributor 4. Card Distributor meets user, confirms identity 5. User logs into portal using smartcard and Level I Digital ID 6. Logging in upgrades Digital ID to Level III 7. User authenticates to smartcard using the pre-loaded fingerprint template 8. Level IV digital certificate created on user’s smartcard 9. Portal date-stamps and activates smartcard 10. User tests credential functionality

  21. Field Authentication Tasks (Windows laptop or Windows CE handheld with data uplink) • Pre-event: Team Leader downloads updated team member and certificate revocation lists • Event: using smartcard and fingerprint, Team Leader and members log into portal; smartcard time- and event-stamped • Post-event: Team Leader and members log out using smartcard and fingerprint, smartcard time-stamped; Team Leader uploads log to ITTF web portal

  22. NCSA PKI Lab Demo • Windows 2003 Server: Domain Controller and CA • Windows XP clients • SafeNet (formerly Datakey) No Boundaries login software and biometric-enabled smartcards • Precise Biometrics fingerprint and smartcard readers • Setup (diagram): Registration Station and Login Test Station on a wireless network, NCSA PKI Lab Domain CA

  23. Fingerprint Scanning Hints • Don’t point: touch the two dots • Use the fleshy middle of the fingertip • Don’t drag or move: place your finger down, like patting a dog • One time and only one finger

  24. Authentication with Smartcards and Fingerprints • Any questions? • http://www.ncassr.org/ • http://www.ncsa.uiuc.edu/Projects/cybertechnologies.html#security • http://pkilab.ncsa.uiuc.edu • Himanshu Khurana, hkhurana@ncsa.uiuc.edu • Joe Muggli, jmuggli@ncsa.uiuc.edu
