Post on 09-Jan-2016
description
transcript
presented by
Pat Burke and Christian LozaUniversity of North Texas
at the “Seminar II, Saturday October 6, 2005”
Identity A desideratafor the Next Generation Internet
presented by Patt Burke and Christian Loza
2
Biometric ID Problem Definition
Conventional password security is NOT secure because passwords tend to be:
Easily guessed Forgotten Written down in easily accessible locations Shared with a friend Common for a given user across a wide range of
applications/systems
presented by Patt Burke and Christian Loza
3
Biometric ID Problem Definition
Biometric Identification is one possible solution to the user authentication problem
Biometric ID refers to verifying individuals based on their physical and behavioral characteristics such as face, fingerprint, hand geometry, iris, keystroke, signature, voice, and even body odor. [7]
Two proposed Biometric ID solutions will be presented:
Robust hashing with a one-way transformation [8] Multimodal Biometric ID [9]
presented by Patt Burke and Christian Loza
4
Biometrics ID Problem Definition
Biometric data has some shortcomings: If compromised, cannot be reset
Storing of actual biometric templates should be avoided
Variability of biometric data precludes the use of exact matching hashing algorithms such as MD-5 and SHA-1 [8] “Fuzzy” logic must be employed in evaluating the
biometric input
presented by Patt Burke and Christian Loza
5
Biometric ID Background
Enrollment and Authentication Process
presented by Patt Burke and Christian Loza
6
Biometric ID Background
KEY METRICS False Acceptance Rate
How many unauthorized individuals gain access due to biometric features similar to an authorized user MUST BE MINIMIZED to maintain security MUST BE ZERO for some security applications
False Rejection Rate How many authorized individuals are denied access
due to the inability to match their input with their biometric template. This is an inconvenience, but not a security problem
presented by Patt Burke and Christian Loza
7
Biometric ID Background
OTHER METRICS Time required for the enrollment process Time required for the verification process Computer resources utilized for the security
system Memory Algorithmic efficiency (CPU time)
presented by Patt Burke and Christian Loza
8
Robust Hashing
Is it possible to design a robust hashing algorithm such that the hashes of two close inputs are judged identical while those inputs which are not so close will give completely different outputs?
“Features” of the biometric data are selected based upon the type of biometric data chosen
During enrollment, “enough” samples are acquired from each user to obtain a range value (2δ) for EACH feature value.
presented by Patt Burke and Christian Loza
9
Robust Hashing
A unique hash value is then assigned to EACH feature and stored (encrypted) for verification
A Gaussian function is then fitted to the data for each feature which results in the assigned hashed output value.
The Gaussian function is then combined with “fake Gaussian peaks” to hide the true input, resulting in a non-invertable one-way transformation
presented by Patt Burke and Christian Loza
10
Robust Hashing
TRUE GUASSIAN FUNCTION (red)Parameters of the Guassian non-invertable transforms are stored on “smartcards” of some sort which the user must present at authentication time.
presented by Patt Burke and Christian Loza
11
Robust Hashing
USER AUTHENTICATION
presented by Patt Burke and Christian Loza
12
Robust Hashing
Tested against the OLR Database of Faces available at http:/www.uk.research.att.com/facedatabase.html
Consists of 10 different images taken under extensively varying conditions of 40 distinct subjects
6 of the images for each individual was used in the enrollment phase
The remaining 4 were used in the test sets 20 features were selected Tests were conducted with 5% and 10% tolerance factors
for the inputs to account for variation in the non-enrolled faces
presented by Patt Burke and Christian Loza
13
Robust Hashing
Tested against the OLR Database of Faces available at http:/www.uk.research.att.com/facedatabase.html
Consists of 10 different images taken under extensively varying conditions of 40 distinct subjects
6 of the images for each individual was used in the enrollment phase
The remaining 4 were used in the test sets 20 features were selected Tests were conducted with 5% and 10% tolerance factors
for the inputs to account for variation in the non-enrolled faces
presented by Patt Burke and Christian Loza
14
Robust Hashing
TEST RESULTS
15 subjects were correctly identified on 4/4 images with a 10% tolerance factor.
FALSE REJECTION RATEHow many GOOD GUYS could not get in
FALSE ACCEPTANCE RATEHow many BAD GUYS COULD get in
1 subject was NEVER correctly identified using ANY of the 4 images with a 10% tolerance factor.
25 subjects WERE authenticated using at least 4 other individual’s credentials at a 10% tolerance factor.
12 subjects who were NEVER falsely admitted using ANY another person’s credentials with a 5% tolerance factor.
presented by Patt Burke and Christian Loza
15
Multimodal
Description of the Dialog Communication System’s BioID commercial user-authentication system
In use in many systems worldwide Uses three different sources of biometric data
to achieve better accuracy than a single feature system
Voice – using a user-resetable “password” Lip Movement – using the same password Facial Data
presented by Patt Burke and Christian Loza
16
Multimodal
During enrollment, biometric templates are collected for each biometric feature
For authentication, the system compares these templates against the biometric input
The client sets the recognition threshholds for each of the features independently to achieve the desired level of security. [9]
presented by Patt Burke and Christian Loza
17
Multimodal
FACE PROCESSING [9]
Original image Face ModelEdge-extracted image
Face model overlaid on the edge-extracted image
presented by Patt Burke and Christian Loza
18
Multimodal
FACE PROCESSING
Samples of extracted faces: BioID scales all faces to the same size and crops the images uniformly for easier comparison. This photo collection shows 12 individuals. Note the uniformity that the system achieves. [9]
presented by Patt Burke and Christian Loza
19
Multimodal
TEST RESULTS Live Test using 150 individuals for 3 months “False-acceptance rate significantly below 1
percent, depending on the security level.
presented by Patt Burke and Christian Loza
20
Pro’s and Con’s
Scalable – easy to add new users
Secure – lost or stolen ID card not likely to compromise security of the system
Flexible – can be set up using other features than fingerprints
ROBUST HASHINGCONPRO
Test results not good
Intelligent attacker may be able to fool system with brute force guessing
Much research left to make the system more secure (fewer FAR violations)
presented by Patt Burke and Christian Loza
21
Pro’s and Con’s
Scalable – easy to add new users
Secure – lost or stolen ID card not likely to compromise security of the system
Flexible – feature values can be manipulated to meet security needs
Multimodal BioIDCONPRO
Stable product
Multiple Bio sources make it more secure
presented by Patt Burke and Christian Loza
22
Conclusion
Biometrics is a current area of intense research Multiple Bio-sources should yield a more
desirable product
presented by Patt Burke and Christian Loza
23
IDENTITY
Second Part:
Federated Systems, Identity Management
presented by Patt Burke and Christian Loza
24
Desiderata
What we want Federate Identity across organizations
maintaining access rights and privileges Web-based Federated Identity integrated with
Web-based privilege management systems One identity, multiple roles across
organizations. Trust management and Information sharing between trusted organizations
Desiderata
presented by Patt Burke and Christian Loza
25
Desiderata
NSF: About the Next generation Internet: In the context of the GENI Research Program
“Creating new core functionality: Going beyond existing paradigms of datagram, packet and circuit switching; designing new naming, addressing, and overall identity architectures, and new paradigms of network management;”
“Building higher-level service abstractions: Using, for example, information objects, location-based services, and identity frameworks;”
Desiderata
presented by Patt Burke and Christian Loza
26
Desiderata
Microsoft Research: In the context of The Next Generation Internet
“.NET Building Block Services. A new family of highly distributed, programmable developer services that run across standalone machines, in corporate data centers and across the Internet. Services include Identity, Notification and Messaging, Personalization, Schematized Storage, Calendar, Directory, Search and Software Delivery.”
Desiderata
presented by Patt Burke and Christian Loza
27
Federated Identity
Bhatti, Bertino and Ghafoor
SSO Single sign on Effective access control Decentralized model Authentication for estrangers Trust, Anatomy and Privacy Standardized Approach
Proposal
Towards Improved Federated Identity And Privilege Management System in Open Systems
presented by Patt Burke and Christian Loza
28
Proposed Approach
Proposed ApproachProposal
presented by Patt Burke and Christian Loza
29
Proposed Approach
The other approaches Earlier Authentication/Authorization mechanisms
(IAPM, XECB… etc). X.509 X.509 PKI + PMI Kerberos
Proposal > Other approaches
presented by Patt Burke and Christian Loza
30
The Earlier approach
Proposal > The Earlier approach
Scheme #PasesProbably Secure
Assoc DataParallelizable
On-Line Patent-Free
IAPM 1
XECB 1
OCB 1
CCM 2
EAX 2
CWC 2
Helix 1
SOBER-128
1
presented by Patt Burke and Christian Loza
31
Problems of Earlier Approaches
Proposal > Problems of all Traditional Approaches
Distributed Solution
ScalabilityDistributed
Privilege Management
Previous Authentication
Approaches
Ideal Solution
presented by Patt Burke and Christian Loza
32
Credentials Based Systems
• Kerberos
Kerberos > Credentials Based Systems
Authorization? Privilege ? Distributed Scalable
Proposal
Kerberos
presented by Patt Burke and Christian Loza
33
Credentials Based Systems
• Kerberos • Based on Tickets
• Centralized
• Initiates getting a initial ticket
• With the ticket, it can request services
Kerberos > Credentials Based Systems
presented by Patt Burke and Christian Loza
34
Credentials Based Systems
• Kerberos • The authentication process can run in both Master and Slaves machines
• The slaves are read-only
• The KDBM manages changes of passwords. WHY?
Kerberos > Credentials Based Systems
presented by Patt Burke and Christian Loza
35
Credentials Based Systems
• Kerberos • The changes can be introduced in the KDBM
• Each Kerberos has a realm master machine
• You can have additional master machines
Kerberos > Credentials Based Systems
presented by Patt Burke and Christian Loza
36
Kerberos
CREDENTIALSBASED ON IDENTITY
CREDENTIALSBASED ON ROLES
I know WHO you are, therefore, I know what you are allowed to do.
I know WHAT role you are allowed to play
Authentication Authentication
Authorization Authorization
Kerberos Desiderata
Kerberos > Credentials Based Systems
presented by Patt Burke and Christian Loza
37
Credentials Based Systems
• X.509
X.509 > Credentials Based Systems
Authorization? Privilege ? Distributed Scalable
Proposal
X.509 ? ?
presented by Patt Burke and Christian Loza
38
Credentials Based Systems
CREDENTIALSBASED ON ROLES
CREDENTIALSBASED ON ROLES
Authentication Authentication
Authorization Authorization
BINDS Credentials to a KEY
BINDS Credentials to Role
X.509 > Credentials Based Systems
X.509 Proposal
presented by Patt Burke and Christian Loza
39
Credentials Based Systems
CREDENTIALSBASED ON ROLES
CREDENTIALSBASED ON ROLES
Authentication Authentication
Authorization Authorization
BINDS Credentials to a KEY
BINDS Credentials to Role
X.509 > Credentials Based Systems
X.509 Proposal
presented by Patt Burke and Christian Loza
40
Credentials Based Systems
• X.509 PKI + PMI
X.509 > Credentials Based Systems
presented by Patt Burke and Christian Loza
41
Credentials Based Systems
• X.509 PKI + PMI
X.509 > Credentials Based Systems
presented by Patt Burke and Christian Loza
42
Credentials Based Systems
• X.509 PKI + PMI
Authentication Schemes > Credentials Based Systems
presented by Patt Burke and Christian Loza
43
Proposed Approach
Proposed Approach
presented by Patt Burke and Christian Loza
44
Proposed Approach
Proposed Approach
presented by Patt Burke and Christian Loza
45
Proposed Approach
XKMS, the four corner approachProposed Approach
presented by Patt Burke and Christian Loza
46
Proposed Approach
Proposed Approach
presented by Patt Burke and Christian Loza
47
Federated IdentityXML Public Protocols
SAML (Security Assertion Markup Protocol) XML based Avoid limitations of cookies SSO Interoperability: Different implementations
can be compatible Web Services: Suited to work on browser
environments Federations: Can simplify Federation usability
Proposed Approach
presented by Patt Burke and Christian Loza
48
Proposed Approach
Proposed Approach
presented by Patt Burke and Christian Loza
49
Proposed Approach
XML Key Signature / Proposed Approach
presented by Patt Burke and Christian Loza
50
Desiderata
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tickets in header
7. Request pagew/credentials
8. Set ticket
Roles
Proposed Approach
presented by Patt Burke and Christian Loza
51
Conclusions
What we have (or will have) Federate Identity across organizations
maintaining access rights and privileges ? Web-based Federated Identity integrated with
Web-based privilege management systems ? One identity, multiple roles across
organizations. Trust management and Information sharing between trusted parties ?
Conclusions
presented by Patt Burke and Christian Loza
52
Conclusions
What we have (or will have) Federate Identity across organizations
maintaining access rights and privileges Web-based Federated Identity integrated with
Web-based privilege management systems One identity, multiple roles across
organizations. Trust management and Information sharing between trusted parties
Conclusions
presented by Patt Burke and Christian Loza
53
Questions
A Similar Distributed System is already in use and implemented. Can you tell which system we are talking about?
Can you tell the differences between the desired approach and the actual schema?
Can you point which are the features that have to change? (think about the actual problems)
Questions
presented by Patt Burke and Christian Loza
54
References
1. J. Black, “Authenticated Encryption”, November 2003.
2. www.w3.org XKMS Specification
References
presented by Patt Burke and Christian Loza
55
Introduction
The Internet has changed the way we do business forever.
In the cyberspace, our Identity has changed too, and a Digital Identity has emerged.
Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity)[1].
presented by Patt Burke and Christian Loza
56
Introduction
CONCEPTS Identity: Set of characteristics that identifies a
given entity. Identification: Recognizing someone as a
specific individual. Authentication: Process to make sure the
Identification is valid. Authorization: Set of resources given to a
certain entity, based on the identity.
presented by Patt Burke and Christian Loza
57
Introduction
In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.
In the Internet, users are identified by set’s of information, such as SSN, Name, Credit Card number, Address, Phone number, etc.
presented by Patt Burke and Christian Loza
58
Introduction
Most of the services has gone to the Internet Electronic Commerce Electronic Government Electronic Learning Electronic Marketing Electronic Publishing
presented by Patt Burke and Christian Loza
59
Introduction
To interact in the Internet with this service providers, the people use their Digital Identity.
presented by Patt Burke and Christian Loza
60
Introduction
One of the drawbacks from human centric electronic interactions is the fuziness of the image of the other partner over the network
?
presented by Patt Burke and Christian Loza
61
Introduction
Ensuring security and privacy in a distributed communication system as the Internet is crucial.
Crimes related to Identity theft have become a major treat to the growth of the commerce over the Internet.
presented by Patt Burke and Christian Loza
62
Introduction
Identity-related misuse and concerns[2]
Identity theft: Someone wrongfully obtains and uses other person’s personal data in some way that involves fraud or deception[3].
Malicious change of Information: Someone changes wrongfully personal information of somebody else or to himself to do harm or self benefit.
Secondary use: Somebody impersonates someone else for personal benefit.
And the list keeps growing
presented by Patt Burke and Christian Loza
63
Federated IdentitySome facts
Below are some institutions and people believed to be victim’s of Identity theft.
Bill Gates CIA, NASA, Justice Department Wells Fargo Bank of America Ebay UNT?
presented by Patt Burke and Christian Loza
64
Problem Definition
The Identity has bring more complexity to the business model
Any person may be using now multiple identities to access multiple services providers on the Internet
Multiples identities mean also redundant costs and increasing problems
presented by Patt Burke and Christian Loza
65
Problem Definition
One of the technologies that has emerged to solve the increasing complexity of Identity management across multiple organization is the Federated Identity
presented by Patt Burke and Christian Loza
66
Problem Definition
Federated Identity is a digital credential analogous to a country passport[4]
Trust negotiation model: Is the gradual interchange of credentials between two entities, with the goal to establish Trust, and finally exchanging resources
Our task is to review proposals of designs of an efficient scheme of such Federation interchange
presented by Patt Burke and Christian Loza
67
Problem Definition
Different sets of information from the Identity may be needed by different organizations
presented by Patt Burke and Christian Loza
68
Federated Identity
A
NameAddressPhone NumberPO BoxSSN
B
NameAddressPhone NumberPO BoxSSNCredit CardBilling Address
C
NameAddressPhone NumberPO BoxSSNCredit CardPassport Number
A
NameAddressPhone NumberPO BoxSSN
B
Credit CardBilling Address
C
Passport Number
presented by Patt Burke and Christian Loza
69
Federated IdentityCredentials negotiation
Disclosure policies Credentials combinations are required for
disclosure of sensitive information Negotiation between User and Service
Providers, and among Service Providers.
presented by Patt Burke and Christian Loza
70
Federated IdentityScalability
KEY CONCEPTS for Scalability of Federated Identity
Has to work with Browser as the client side software
Centralized Approach Identity or Capability-based credentials
presented by Patt Burke and Christian Loza
71
Federated IdentityScalability
presented by Patt Burke and Christian Loza
72
Federated IdentityPrivilege management
Both, Federated Identity and Privilege Management are cornerstones of a Management Framework
A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:
presented by Patt Burke and Christian Loza
73
Federated IdentityRequirements
1. SSO Single sign on
Persistency of user identity across the enterprise domains, and allows user to transfer their authorizations across multiple points of policy enforcement
2. Effective access control
The access control should be fine grained to dynamically evolve enterprise resources.
presented by Patt Burke and Christian Loza
74
Federated IdentityRequirements
3. Decentralized model
The system should not rely on a centralized access point, instead, should be distributed
4. Authentication for estrangers
In the new distributed Internet environment, there is no more the concept of advanced knowledge of identities or capabilities.
presented by Patt Burke and Christian Loza
75
Federated IdentityRequirements
5. Trust, Anatomy and Privacy
Privacy protection is becoming an increasing concern, both from social and legal perspective. Is a compromise, since avoiding name-binding, complicates trust establishment.
6. Standardized Approach
The solution should has the capability to be integrated with other systems, using existing accepted standards.
presented by Patt Burke and Christian Loza
76
Federated IdentityRequirements
7. Browser Based
Nobody wants to install client side applications
8. Technologies issues
Cookies and JavaScript are been used. Nevertheless, they have been proved to be a security problem, even though, they are better than the other options
presented by Patt Burke and Christian Loza
77
Federated IdentityIdeal Scheme
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tickets in header
7. Request pagew/credentials
8. Set ticket
presented by Patt Burke and Christian Loza
78
Federated IdentityExamples
MSN Passport Developed by Microsoft
Kerberos Developed by MIT
X.509 Network Working Group Certificate Management Protocol
RBAC Research Proposal
presented by Patt Burke and Christian Loza
79
Federated IdentityMSN Passport
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect w/tokens in header
7. Request pagew/credentials
8. Set cookie
presented by Patt Burke and Christian Loza
80
Federated IdentityMSN Passport
Centralized Model Credentials and no Tickets Used to authenticate users of Hotmail and
MSN Messenger. Other users include Zurich, GMAC
The biggest Federated Identity system is Passport, from Microsoft
presented by Patt Burke and Christian Loza
81
Federated IdentityMSN Passport
Process 3.5 billion authentications each month Uses XML as the core Uses SSL The Passport requires triple DES keys with
each organization. The keys must be generated securely, and
given to the merchants out of band. Some keys were broken because the poor
randomness of the keys generated
presented by Patt Burke and Christian Loza
82
Federated IdentityMSN Passport - Problems
Centralized point of attack, against the distributed nature of Internet. Vulnerable to DoS attacks
Due to the cookies architecture, a Service can impersonate MSN Passport and delete all the cookies in the clients (used to DoS attacks).
JavaScript and cookies technologies have been proved to be insecure technologies.
presented by Patt Burke and Christian Loza
83
Federated IdentityMSN Passport - Problems
Bugs have a great Impact MSN found problems many times, bringing down
all services depending on Passport One example was a failure on the Password
resetting mechanism
presented by Patt Burke and Christian Loza
84
Federated IdentityKerberos
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request pagew/credentials
8. Set ticket
Symmetric
presented by Patt Burke and Christian Loza
85
Federated IdentityKerberos
Developed by MIT’s project Athena Allow mutual authentication and secure
communications over the network Uses symmetric key encryption, and
authentication credentials Authentication credentials are based on
identity, and are suited for access control lists. Main problem for Identity Management are centralization, and name biding.
presented by Patt Burke and Christian Loza
86
Federated IdentityKerberos - Problems
Kerberos is Identity Based, which gives problems for scalability. Key concept: avoid name-binding
Suitable for access roles. Nevertheless, symmetric keys are not suited for Federations and Distributed Identity Management
presented by Patt Burke and Christian Loza
87
Federated IdentityX.509
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request pagew/access privileges
8. Set privileges
3. Redirect
Asymmetric
presented by Patt Burke and Christian Loza
88
Federated IdentityX.509
X.509 is a Certificate Scheme for Authentication
Based on Public Key Infrastructure (PKI) The Access Control Credential is called
Attribute Certificate Asymmetric authentication Integrated approach of Authentication and
Authorization
presented by Patt Burke and Christian Loza
89
Federated IdentityX.509 Problems
Integrated approach of Authentication and Authorization, which is, not good in all contexts.
This is because not all the system-specific capabilities may be know in advance.
Access control credentials is not sufficient to meet effective Access Control requirements. Key concept: Not Scalable
presented by Patt Burke and Christian Loza
90
IdentityRole-Based Access Control (RBAC)
Current Enterprise solutions employ a combination of physical security, passwords, and Role-based Access Control to ensure the identity of a user
Physical security and passwords protect the system from intrusion.
Role-based Access Control limits access to documents and data based on a “need to know” basis
presented by Patt Burke and Christian Loza
91
IdentityRole-Based Access Control (RBAC)
Access rules are established with sets of access pairs which associate users and their corresponding permissions:
(user, permissions)
While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML
presented by Patt Burke and Christian Loza
92
Federated IdentityXML Public Protocols
SAML (Security Assertion Markup Protocol) XML based Avoid limitations of cookies SSO Interoperability: Different implementations
can be compatible Web Services: Suited to work on browser
environments Federations: Can simplify Federation usability
presented by Patt Burke and Christian Loza
93
Federated IdentityXML-Based Doc Security
X-Sec [5] is one notional XML-Based control system with the following component:
Credential-types (ct) – defined user type definitions Example: manager, customer, carrier (nct, Pct) where n is the name of the credential and P is
the set of property specifications for the ct.
XML credential-type and corresponding graph representation [5]
presented by Patt Burke and Christian Loza
94
XML-Based Doc Security
X-Sec Components (cont) Credential – an instantiation of a credential-type
Specifies the set of properties values characterizing a given subject against the credential-type itself
Physical credentials are certified by the credential issuer
XML credential and corresponding graph representation [5]
presented by Patt Burke and Christian Loza
95
XML-Based Doc Security
X-Sec Components (cont) Security Policy Base Template – Specifies
credential-based security policies based on enterprise protection requirements Documents to which the policy applies Portions of documents within target documents Access Modes Propagation mode for the policy
presented by Patt Burke and Christian Loza
96
XML-Based Doc Security
X-Sec Components (cont) Security Policy Base Instantiation Example (below)
Secretaries in sales can access and modify all purchase order documents
UPS employees can access information about the customer, carrier, and order id.
presented by Patt Burke and Christian Loza
97
XML-Based Doc SecurityAssessment
PRO:
Highly available in commercial products
Easy to set up
Training is readily available
Highly effective in a CLOSED and TRUSTED environment
CON:
Often difficult to REMOVE users
Impractical in an open user environment
Not a long-term Internet solution
Passwords can be stolen, resulting in unauthorized access
Periodic password changes make remembering passwords difficult
Left to their own devices, people tend to choose passwords that are easy to guess
presented by Patt Burke and Christian Loza
98
Biometrics
DEFINITION Any and all of a variety of identification techniques which
are based on some physical, or behavioral characteristics of the individual contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.
Physiological Biometrics Fingerprints, hand and/or finger geometry, eye (retina or iris),
face, and wrist (vein)
Behavioral Biometrics Voice, signature, typing behavior, and pointing
presented by Patt Burke and Christian Loza
99
Biometrics
OVERVIEW User digital template is created during an
“enrollment period” and stored in a database On attempted verification, the relevant template
is extracted, compared with the data input ATM card is still required to point at the correct
digital template Verification is based on statistical techniques of
comparison between the two
presented by Patt Burke and Christian Loza
100
Biometrics
Some devices to use Biometrics
presented by Patt Burke and Christian Loza
101
Benchmarks
The eight points can be used to measure if an Identity Management Protocol is suited for scalability and Federated use.
Browser features can be used as a metric: Use of cookies, use of JavaScript, use of XML
presented by Patt Burke and Christian Loza
102
BiometricsBenchmarks
BENCHMARKS for Biometrics Template size Speed of enrollment False Accept Rate False Reject Rate
presented by Patt Burke and Christian Loza
103
BiometricsBenchmarks
PRO When it works, it works best
Generally acceptable in controlled group settings
ASSESSMENT
CON Bad user perceptions
May be misused
May harm eyes
Input quality degrades with age
Unacceptable False Reject Rates
17% - facial
10% - finger swipe
presented by Patt Burke and Christian Loza
104
Conclusions
Identity is a key issue on Next Generation Internet
Any new or already proposed scheme for Identity Management should address the eight points exposed at least
All the Identity Management should work with a Browser in the client side
presented by Patt Burke and Christian Loza
105
Conclusions (cont)
Identity Management paradigms that ensure “you are you,” as opposed to “you are who you say you are” are absolutely critical to the future of e-commerce and electronic information sharing
Federal Identity can only be successful if the services are decentralized
Not an easy task
presented by Patt Burke and Christian Loza
106
Conclusions (cont)
Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future
Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.