1 / 28

Biometrics

Biometrics . Biometric Identity Authentication. I am the author of IEEE P2410 - BOPS Triple of Device, Biometric, 2-Way SSL Cert One Time Password Liveness BOPS Server architecture. BOPS details an end-to-end specification to perform server-based enhanced biometric security. Two-way SSL.

hannad
Download Presentation

Biometrics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Biometrics

  2. Biometric Identity Authentication I am the author of IEEE P2410 - BOPS Triple of Device, Biometric, 2-Way SSL Cert One Time Password Liveness BOPS Server architecture

  3. BOPS details an end-to-end specification to perform server-based enhanced biometric security. Two-way SSL User Biometrics and liveness BOPS Server Keys for authentication and intrusion detection p. 3

  4. Steps for A X.509 Certificate Create the Public and Private Key Sign the Public Key Two-way SSL Add the Private Key You now have a Cert PKI p. 4

  5. User Auth Data Encryption Key (571 ECC) BOPS Key Store (SSL) Account + Trust Store (CA) Device Client Certificate Password = Enrolled User Two-way SSL - - - OS Secured Space - - - Mobile Client Application Client Certificate Client User Auth Data Encryption Key User Auth Encrypted Data Biometric Vector IEEE Biometric Open Protocol Standard (BOPS) Ensure privacy on mobile devices

  6. BOPS is the IEEE standard for biometric-based identity assertion. BOPS is a global standard: • Protecting user privacy • Defining clear rules, and levels of acceptance, • Comprising the rules governing secure communication of between a variety of client devices and the trusted server This paradigm forces hackers to hack a user at a time since there is no one repository of critical data, thus deterring massive breaches of data. CONFIDENTIAL and PROPRIETARY  February 25, 2015  p. 6

  7. BOPS provides identity assertion, role gathering, multi-level access control, assurance, and auditing. CONFIDENTIAL and PROPRIETARY  February 25, 2015  p. 7

  8. BOPS authenticates, establishes a secure key, and utilizes a two-way SSL connection. Authentication Instead of authorization, and user information remains on the device Secure key Created on the backend behind a firewall, and matching occurs on the device Two-way SSL connection Data on device and server encrypted using 571bit Elliptic Curve Cryptography CONFIDENTIAL and PROPRIETARY  February 25, 2015  p. 8

  9. There are multiple use cases for BOPS that extend across industries and functions. No more insurance cards and paperwork No more user names and passwords Car preferences and safety features Perform ATM transactions safely Entry into secure buildings

  10. The rules for BOPS protect the enterprise and the end-user. Secure back-end, severs, systems with mobile device biometric access Critical data must be encrypted on device No biometric data stored in any back-end repository Allows pluggable components to replace existing components All data is fully encrypted, even in an underlying secure transfer layer Liveness Detection Technology Biometric match always happen on device, protecting users privacy. Intrusion Detection System monitors data traffic in ALL devices and servers Certificate generation occurs in a secure server CONFIDENTIAL and PROPRIETARY  February 25, 2015  p. 10

  11. What is 1 Way SSL Uses a key store with keys from a certifying authority such as Verisign. Purchased You specify a set of ciphers that may be used. Some ciphers have been compromised. We consider 128 bit too small. ECE is currently best.

  12. 2 Way SSL Uses a trust store. Based on a self signed certifying authority. Set at boot time on a Web Server. Initially met for Identity Assertion (bad). Overloaded to state who you could be. Used with a biometric authorization.

  13. An Example in Tomcat $CATALINE_HOME/conf contains configuration. JAAS configuration for login module. Does identity assertion and role gathering. The server.xml file contains truststore and keystore. Contains the ports used. Requires authentication on the device.

  14. Genesis Uses a unique mechanism to determine the initial identity to fuse. An initial default certificate is loaded into the client application. It is used to communicate genesis to the server. Once the initial identity is found a 2-way SSL key is loaded into the client application and the default certificate is used only for passwords.. The 2 way SSL Certficate has a GUID tied to the user. Authentication and the 2-way Certificate is used moving forward.

  15. Genesis (Continued) Genesis gets a biometric that is hashed to a vector and reused during authentication. Genesis never stores the biometric on the server. To enroll another device, the other information (email,phone number) are used. This fuses the next enrollment with the Genesis. The biometric vector is never stored on the server because it is possible to get from the biometric vector to the actual biometric.

  16. 2-Way SSL Certificate The 2-Way SSL Certificate has a password. We do not want to store the password on the client because if the client in compromised all the information is on one device. Re-use the default certificate with a One Time Password algorithm. The One Time Password is a Get or Put parameter. Server and client's One Time Password must be the same.

  17. Authentication Compares Biometric Vector on device (from Genesis) to Biometric Vector just gathered. Sends the result of the authentication to the server. This initiates a “session” as a concept with session data. In actuality we are stateless. We simulate a session.

  18. Encrypted Store We can setup areas on disk to encrypt and used biometrics to look up the key. Encryption is tied to the biometric. Only the person can unlock the file(s) with their biometric identity. May be shared using DAC. DAC implies the use of Groups, which is the solution.

  19. B2B Business to Business For a business, we must integrate to the current environment. New techniques do not line up with current integration. We have to figure where we integrate. We access the current identity.

  20. B2C Business to Client Password manager and Encryption manager. Uses Amazon Web Services. Uses CA of Hoyos Labs. Uses Truststore based on CA. Is a business to client application. Does not integrate with any backend for a client.

  21. IRIS So an IRIS is part of the eye. It is the best Biometric we can use. We cannot get it with a standard phone so we currently use Facial recognition. As phone Cameras get better we will use IRIS. We have proprietary devices that use IRIS.

  22. General Purpose Devices We use general purpose devices because This is what people have easy access to. You rarely are without your phone.

  23. Passive Liveness We wish to do liveness without Gestures. To do this we either use the IRIS which works for Liveness or we use 4 fingers on the phone. We are in the EARLY days of biometrics but they are advanced enough today for production.

  24. Four Fingers Is the idea of using the four fingers on the back Of the phone as passive liveness. Passive liveness would turn on the back camera and take a quick picture of your hand. This is not as accurate as an IRIS but very close Close enough for identity.

  25. FAR – Facial 1 in 100 Facial recognition when considered alone Is 1 in 100 False Acceptance Rate. When combined with Genesis and a 2-Way SSL key we are looking at a false acceptance of less than 1 in 300 million.

  26. No Facial One:Many So we cannot take one face and go after a Database of say 50,000 people. We will match with more than one. So we either need IRIS Or 4 finger, or a strong Genesis.

  27. Twins For twins IRIS' are different. IRIS is where we want to get. IRIS is what we use for 1 to look up many. So if I had an IRIS and looked up across 50,000 people, I would only get one back, if I was in that database. As biometrics get better, we get better.

  28. Summary BOPS – It is in your class notes. Genesis How we deal with Facial having a false acceptance of 1 in 100 What is the solution? How do we use 2-Way SSL.

More Related