
Biometric Authentication in Distributed Computing Environments


Presentation Transcript


  1. Biometric Authentication in Distributed Computing Environments. Vijai Gandikota, Karthikeyan Mahadevan, Bojan Cukic

  2. Need for Security in Distributed Systems
     Security Threats:
     • Information Compromise
     • Integrity Violations
     • Denial of Service
     • Repudiation
     • Malicious misuse
     Vulnerabilities:
     • Access control bypass
     • Benign user gaining access to unauthorized information
     • Eavesdropping
     • Lack of accountability
     • Disrupting communication between objects
     • Lack of user identification
     • User impersonation and spoofing

  3. Biometrics in Large Scale Information Systems
     [Diagram. Labels: Grid Portal (four instances), Delegation, Grid Credentials, Credentials, CORBA, Temporary Credentials, Client, Credential Repository, Biometric Templates for Authentication, Client Identity & ORB Authorization, Remote File System(s), File System Mount, Client Computer, Passphrase, Biometric Device]

  4. Mounting A Remote File System
     [Diagram. Labels: Client Machine, Server Machine, User Application, Agent, Authentication Server, Biometric Device, Biometric Authentication, User Authentication, Server Authentication, Validation, System Call, Key exchange, SFS Client, SFS Server, NFS 3 Client, NFS 3 Server, NFS 3, TCP Connection with mandatory access controls]

  5. The Role of Biometrics
     • Biometric templates can be used in place of passwords to retrieve self-certifying pathnames securely from a remote server.
     • A Biometric Identification Record (BIR) will be used with the SRP protocol to retrieve self-certifying pathnames from the server.
     • Allows consistency and integration with the rest of the system.

  6. Remote File System
     • Self-certifying file system developed at MIT.
     • Other similar custom file systems can be built using the UFS (user level file system) toolkit.
     • Works over the NFS3 protocol.
     • The complete remote file system can be encrypted.
     • Access to multiple remote file systems concurrently through easy authentication.

  7. Key Negotiation
     Messages exchanged between Client and Server, in order:
     • Location, HostID
     • K_S
     • K_C, {k_C1, k_C2}K_S
     • {k_S1, k_S2}K_C
     Notation:
     • K_C - Short-lived client public key
     • K_S - Server public key
     • k_C1, k_C2 - Random key halves of client key
     • k_S1, k_S2 - Random key halves of server key
     Source: Self Certifying File System Implementation

  8. Mounting Remote File System
     • Mounted upon authentication of the user by the agent.
     • Authentication server validates the user request and sends user credentials.
     • Self Certifying File Names - contain all information necessary for secure communications with the remote server.

  9. CORBA
     • User Credentials
     • User Sponsor
     • User Login Program
     • Principal Authenticator
     • Current Execution Context
     • CORBA credentials are user credentials converted into CORBA Objects
     CORBA Security Features: Authentication, Encryption, Access Control, Non-repudiation, Audit (source: OMG)

  10. CORBA Integration with BIO-API
     • The GSI framework, which adheres to the GSS API described in IETF RFC 2478, will be the backbone of the implementation.
     • Certificate - central in GSI authentication.
     • PKCS #11 tokens and the PKCS #12 personal information exchange syntax will be used extensively to transport the Biometric Certificates.
     • CORBA will act as the intermediary.

  11. Plan of Development
     • Develop authentication mechanisms and protocols that use biometric templates to retrieve self-certifying pathnames from the remote server.
     • Develop and integrate a biometric authentication mechanism into the server to validate user requests.
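
The client-side check behind slides 7 and 8, as an added example (not code from the presentation or from SFS): the client accepts the server's K_S only if it hashes to the HostID already embedded in the self-certifying pathname, then both sides derive one session key per direction from the key halves. The `/sfs/Location:HostID` layout follows the published SFS design; SHA-256, the length-prefixed encoding, the derivation labels, the message directions in the comments and all sample values are assumptions made for illustration, and the public-key encryption of the halves is left out.

```python
import base64
import hashlib
import hmac

def _digest(*fields: bytes) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

def host_id(location: str, server_key: bytes) -> str:
    # HostID binds the server's Location to its public key K_S (encoding assumed).
    raw = _digest(b"HostInfo", location.encode(), server_key)
    return base64.b32encode(raw).decode().lower().rstrip("=")

def make_pathname(location: str, server_key: bytes) -> str:
    return f"/sfs/{location}:{host_id(location, server_key)}"

def parse_pathname(path: str) -> tuple[str, str]:
    if not path.startswith("/sfs/"):
        raise ValueError("not a self-certifying pathname")
    location, sep, hid = path[len("/sfs/"):].rpartition(":")
    if not sep or not location or not hid:
        raise ValueError("expected /sfs/Location:HostID")
    return location, hid

def verify_server_key(path: str, offered_key: bytes) -> bool:
    # After sending (Location, HostID), the client receives K_S and accepts it
    # only if it hashes to the HostID it already holds in the pathname.
    location, expected = parse_pathname(path)
    return hmac.compare_digest(expected, host_id(location, offered_key))

def session_keys(k_s, k_c, k_c1, k_c2, k_s1, k_s2):
    # One key per direction; each mixes both public keys with one half per side,
    # so neither party alone chooses a session key (derivation labels assumed).
    k_cs = _digest(b"KCS", k_s, k_s1, k_c, k_c1)  # client-to-server traffic
    k_sc = _digest(b"KSC", k_s, k_s2, k_c, k_c2)  # server-to-client traffic
    return k_cs, k_sc

# Constructed sample values, not real keys or a real host.
SERVER_KEY = b"constructed-server-public-key"
ROGUE_KEY = b"constructed-substituted-public-key"
PATH = make_pathname("files.example.org", SERVER_KEY)

if __name__ == "__main__":
    print(PATH)
    print("genuine K_S accepted:    ", verify_server_key(PATH, SERVER_KEY))
    print("substituted K_S accepted:", verify_server_key(PATH, ROGUE_KEY))
```

Because the pathname itself carries the HostID, a server key substituted in transit fails the check without the client consulting any certificate authority.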
