WEP-WAP


preston

Presentation Transcript


  1. WEP-WAP

  2. Goals • Biometric protocols suitable for a wireless networked environment • Secure system/network access via biometric authentication • Secure wireless transmission of biometric data

  3. Why Wireless Biometrics? • Combination of two rapidly growing technologies • Biometric systems for verification and identification • Homeland Security • Wireless systems for mobility • Over 1 trillion wireless phone min. in US, 2004 • Common advantage is convenience

  4. Human authentication • Types of human authentication • What you know (secret) • Password, PIN, mother’s maiden name • What you have (token) • ATM card, smart card • What you are (biometric) • Stable: fingerprint, face, iris • Alterable: voice, keystroke • Where you are (authorization?) • Wireless

  5. Biometric Advantages • Convenience • Can’t be lost (in general) • Can’t be forgotten • Can’t be loaned • Mostly unique (matching may not be) • Perceived strong non-repudiation • Does not change significantly (in general) (Ident.) • Both verification and identification applications

  6. Biometric Authentication System Source: Podio, NIST

  7. Wireless Biometric System Security • Security issues • Biometric authentication to ensure secure access to the system/network • In other words, wireless system access security • Wireless message authentication to ensure secure transmission of biometric data • In other words, personal information security and privacy across the wireless network • Physical security • Devices, computers, transmitters/receivers, etc.

  8. Biometric Authentication Threats

  9. Biometric Cryptography • Use of biometric data for encryption & decryption • “fuzzy” commitment, vault – Ari Juels, RSA Labs

  10. Biometric Cryptography (example) [Figure: Enroll (Encrypt): Password (hashed), “stored” Template (key), E(h(Pwd)); Verify (Decrypt): “live” Template (key), compare, Within Threshold?; Hamming Distance = 2]

  11. Biometrics Standards • Common Biometric Exchange File Format (CBEFF) • ANSI-NIST-ITL-2000 • Data exchange & quality • Criminal identification • American Association for Motor Vehicle Administration (AAMVA) DL/ID 2000 • FBI • Wavelet Scalar Quantization (WSQ) – fingerprint image (de)compression • Electronic Fingerprint Transmission Standard (EFTS) • Intel Common Data Security Architecture (CDSA) • ANSI X9.84 – Biometric data security (life cycle) • Originally developed for financial industry; uses CBEFF • APIs • Open: BioAPI, Java Card Biometric API; uses CBEFF • Proprietary: BAPI …what is Microsoft planning? • XCBF • XML Common Biometric Format from OASIS; uses CBEFF • Mechanisms for secure transmission, storage, integrity, & privacy of biometrics

  12. Biometric Standards • Recently from NIST… • Biometric Data Specification for Personal Identity Verification (PIV) • January 24, 2005 (Draft) • New standards governing interoperable use of identity credentials to allow physical and logical access to federal government locations and systems • Technical and formatting requirements for biometric credentials • Restricts values and practices for fingerprints and facial images • Geared toward FBI background checks and formatting data for a PIV card • CBEFF and BioAPI compliant

  13. Wireless Advantages • Mobility • Flexibility • Easier to relocate and configure • More scalable • Cost • No cost due to physical barriers, private property. • Productivity • More opportunity to connect • Aesthetics • No clutter from wires • Robustness • Less physical infrastructure to damage and repair

  14. Wireless Disadvantages • Lower channel capacity • Limited spectrum available • Power restrictions • Noise levels • Noise and interference • Frequency allocation • U.S. – FCC • Greater security concern • Information traveling in free space

  15. Wireless Protocols • Network domains • Broadband • IEEE 802.16, Worldwide Interoperability for Microwave Access (WiMAX) – framework, not single system or class of service • Cellular networks • Global System for Mobile communication (GSM) • Universal Mobile Telecommunications System (UMTS =WCDMA) • Cordless systems • Time Division Multiple Access (TDMA) • Time Division Duplex (TDD) • Mobile Internet Protocol (Mobile IP) • Wireless Local Area Network (WLAN) • IEEE 802.11 (Wi-Fi) a,b,g (n … not yet ratified) • Wireless Personal Area Network (WPAN) • IrDA, Bluetooth, ultra wideband, wireless USB • Home Automation (narrow band) • Infineon, ZigBee, Z-Wave

  16. Wireless Protocol Comparison Source: PC Magazine, March 22, 2004

  17. Security and Protocols • Security domains • Application security • Wireless Application Protocol (WAP) • Uses Wireless Transport Layer Security (WTLS) • Current Class 2 devices based on IETF SSL/TLS • Future Class 3 devices will use a WAP Identity Module (WIM) • Web services • Simple Object Access Protocol (SOAP) – toolkits available for Java & .NET • Operating system security (Java run-time, Palm OS, Microsoft Windows CE) • Device security (PINs, pass-phrases, biometrics) • Security of wireless protocols • IEEE 802.11 (Wi-Fi) • Wireless Encryption Protocol (WEP)… weak and flawed • Wi-Fi Protected Access (WPA). Uses Temporal Key Integrity Protocol (TKIP) • IEEE 802.11i – Wireless Security spec. (WPA, AES, FIPS 140-2 compliant) • Authentication security • Remote Authentication Dial In User Service (RADIUS) • Kerberos • SSL

  18. Network Encryption • Secure Shell (SSH) • Application Layer • Secure remote connection replacement for telnet, rlogin, rsh • Secure Socket Layer (SSL) • Transport Layer Security (TLS) • Uses TCP & has specific port numbers • Main use is HTTPS (port 443) • Internet Protocol Security (IPSec) • Network Layer • Includes a key management protocol • Included in IPv6

  19. Avenues of Attack [Figure: network diagram showing Capture Device, Local Computer, LAN, WAN, Remote Computer; legend: wireless LAN-connected computer]

  20. Wireless Security Issues • Denial of Service (DoS) • Jamming…Use Spread Spectrum (DSSS, FHSS) technology • As a device battery attack, i.e., more processing = more battery usage • Eavesdropping • Signal is in the open air (war dialing) • Theft or loss of device • Due to size, portability, and utility • Dependency on public-shared infrastructure • What security is in place? • Masquerading • Rogue clients pretend to be legitimate endpoint • Rogue access points trick clients into logging in • Malware • Worms (Cabir) and Viruses (Timofonica, Phage) on wireless devices • Use Antivirus software

  21. Wireless Security Paradox • We use wireless devices for convenience • Security measures often decrease convenience and performance • Result: Security features are often disabled or given lower priority

  22. System Design Considerations • Verification • Are you who you claim to be (or are supposed to be)? • 1:1 matching • Usually consensual • Typically smaller template databases • Authorization (computer, network, building) • Identification • Who are you? • 1:n matching • Often no explicit consent or awareness • Typically larger template databases • Surveillance (homeland and border security), forensics, criminal investigation (AFIS) • Why not both? • i.e. You are not who you say you are, so who are you?

  23. Future Research • Pattern for “fuzzy” matching? • Biometrics, digital watermarks, IDS, search engines • Biometric cryptography • Biometric key generation • Fuzzy matching methodologies • Embedding biometric keys within wireless protocols • X.509 certificates • Protocol payload area • Protocol header (authentication) area • Use coefficients? (polynomial, elliptic curve)
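
The fuzzy commitment idea from slides 9 and 10 (and the fuzzy matching and biometric key generation items in slide 23), shown as an added example that is not from the original presentation: a random key is bound to the enrolled template, and a live sample within the Hamming-distance threshold recovers it. The 5x repetition code, the SHA-256 commitment, the function names and the bit strings are assumptions constructed for illustration.

```python
import hashlib
import secrets

REP = 5  # assumed repetition factor: corrects up to 2 flipped bits per 5-bit block

def encode(key_bits):
    """Repetition-code encoder: each key bit is repeated REP times."""
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    """Majority vote over each REP-bit block."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(template):
    """Bind a fresh random key to the template; only helper data and a hash are stored."""
    key = [secrets.randbits(1) for _ in range(len(template) // REP)]
    record = {"helper": xor(encode(key), template), "commit": digest(key)}
    return record, key

def verify(record, live):
    """Return the recovered key if the live template is close enough, else None."""
    if len(live) != len(record["helper"]):
        return None
    candidate = decode(xor(record["helper"], live))
    if secrets.compare_digest(digest(candidate), record["commit"]):
        return candidate
    return None

# Constructed 20-bit templates (not real biometric data).
STORED   = [0,1,0,1,0, 1,0,1,0,1, 0,0,0,0,0, 1,1,1,1,1]
LIVE     = [1,1,0,1,0, 1,0,0,0,1, 0,0,0,0,0, 1,1,1,1,1]  # 2 bits differ
IMPOSTOR = [1,0,1,1,0, 1,0,1,0,1, 0,0,0,0,0, 1,1,1,1,1]  # 3 bits differ in one block

if __name__ == "__main__":
    record, key = enroll(STORED)
    print("distance:", hamming(STORED, LIVE), "match:", verify(record, LIVE) == key)
    print("impostor accepted:", verify(record, IMPOSTOR) is not None)
```

The stored record contains neither the template nor the key in the clear, but real templates are not uniformly random, so the helper data can still leak information about them.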
