Common Criteria and the Biometric Protection Profile
September 2005

Overview of Biometrics Technology - The Basics, Biometrics in IA Systems
- Biometrics are ...
  – Measurable physical characteristics
  – Personal behavioral traits
  that are used to recognize the identity, or verify the claimed identity, of an individual
- Examples of biometric technologies: iris scan, speaker recognition, hand geometry, fingerprint

Topics
- Biometric Authentication
- Biometric Functional Block Diagram
  – Enrollment
  – Verification
- World's First Biometrics Protection Profile
- Resources
- Summary
- Questions

Biometric Authentication
- "Biometric Authentication" refers to the automatic identification or identity verification of living individuals based on physiological or behavioral characteristics. Physiological examples include hand or finger images, facial characteristics and eye patterns; speaker verification relies on a behavioral characteristic. Biometric authentication is the "automatic", "real-time", "non-forensic" subset of the broader field of human identification.
- During authentication, biometrics can be used for both identification and verification of a person's identity. In identification, the system attempts to determine who a person is by comparing the captured biometric sample against a database of enrolled templates for a match (1 to many). In verification, the device checks a person's claimed identity by matching a captured biometric sample against the enrolled template associated with the claimed identity (1 to 1).

Biometric Authentication (continued)
- Biometric devices are seen as components of security systems that provide positive authentication. As with other types of authentication technologies, biometrics provides mechanisms to quickly and securely associate an identity with a person.
- The distinctive feature of biometrics as an authentication factor is that a valid biometric matching an enrolled biometric is bound to the enrolled person, whereas tokens and passwords can be presented by anyone who holds them. This holds only to the extent that the liveness check and capture stage prevents an unauthorized user from presenting a copy of someone else's biometric; the Vulnerabilities and Summary slides below return to this point.

Biometric Functional Block Diagram
[Figure: block diagram of a biometric unit; the blocks are defined on the following slides.]

Biometric Block Diagram Definitions
- The figure shows a simple model of a biometric unit with the major components required. The following describes each block in the diagram:
- Liveness Check & Capture – The liveness check determines whether the source of the biometric sample has characteristics belonging to a living human being. In capture, a sample of the user's biometric is acquired with the required sensor (camera, microphone, fingerprint scanner, etc.). Note that the liveness check is performed at the same time as the biometric characteristic is captured.
- Extraction – Process by which the biometric sample captured in the previous block is transformed into an electronic representation. During enrollment this representation is known as the biometric template; during authentication it is known as the live sample.

Biometric Block Diagram Definitions (continued)
- Package Creation – Performed only during enrollment. Cryptographically binds the user's identity and additional information with the biometric template to create a biometric package for storage.
- Package Assurance – Performed only during enrollment. Uses cryptographic methods to protect the confidentiality and integrity of the biometric package in storage.
- Package Validation – Performed only during authentication. Verifies the integrity of the biometric package received from storage and the validity of the signing authority.
- Comparison – Performed only during authentication.
  Matches the live sample against the biometric template. The result is a score, which is then compared against predefined threshold values.

Biometric Block Diagram Definitions (continued)
- Security Management Functions – The biometric unit provides management functions to the system administrator that include setting the threshold, selecting audit events, reviewing audit information, and key management.
- The biometric device requires that when the matching score falls outside the range bounded by the maximum and/or minimum threshold, a no-match result is generated.
- Cryptographic methods and modules for biometrics must comply with approved standards and be validated under NIST's FIPS 140-2 validation program.

Biometric Authentication Process
- Biometric authentication can be summarized in two steps:
  – Enrollment
  – Authentication
    » Identification (Who are you?)
    » Verification (Are you who you say you are?)
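The enrollment and authentication path just described, as an added example that is not code from the original slides: extraction, package creation and assurance, package validation (including rejection of an unknown signing authority), comparison, the administrator's threshold range producing a no-match, and both 1:1 verification and 1:N identification. HMAC-SHA256 from Python's standard library stands in for a FIPS 140-2 validated module; the user names, key id, feature vectors and thresholds are constructed, and the distance-based scorer is a placeholder rather than any vendor's matcher.

```python
"""Toy biometric unit following the slide deck's block diagram (added example)."""
import hashlib
import hmac
import json
import math

# Constructed signing authorities (key id -> HMAC key). Package Validation
# rejects any package whose key id is not listed here.
AUTHORITY_KEYS = {"enroll-station-01": b"\x11" * 32}

# Thresholds set through the Security Management Functions. Scores are in
# [0, 1]; a score outside [THRESHOLD_MIN, THRESHOLD_MAX] is a no-match.
THRESHOLD_MIN = 0.85
THRESHOLD_MAX = 1.0

# Constructed samples: four-element feature vectors standing in for sensor
# output. LIVE_ALICE is Alice's enrolled sample with some noise added.
ENROLL_SAMPLES = {"alice": [1.0, 2.0, 3.0, 4.0], "bob": [4.0, 3.0, 2.0, 1.0]}
LIVE_ALICE = [1.05, 1.95, 3.1, 3.9]


def extract(sample):
    """Extraction: sample -> electronic representation (unit-length vector)."""
    norm = math.sqrt(sum(x * x for x in sample)) or 1.0
    return [x / norm for x in sample]


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def create_package(user_id, template, key_id, extra=None):
    """Package Creation + Package Assurance (enrollment only): bind identity,
    extra info and template, then protect integrity with an HMAC tag."""
    body = {"user_id": user_id, "template": template,
            "key_id": key_id, "extra": extra or {}}
    tag = hmac.new(AUTHORITY_KEYS[key_id], _canonical(body), hashlib.sha256)
    return {"body": body, "tag": tag.hexdigest()}


def validate_package(package):
    """Package Validation (authentication only): the signing authority must
    be known and the tag must verify; otherwise raise ValueError."""
    body = package["body"]
    key = AUTHORITY_KEYS.get(body.get("key_id"))
    if key is None:
        raise ValueError("unknown signing authority: %r" % body.get("key_id"))
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("package integrity check failed")
    return body


def compare(live, template):
    """Comparison: similarity score in [0, 1] (1.0 = identical unit vectors)."""
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(live, template)))
    return max(0.0, 1.0 - dist / 2.0)  # unit vectors are at most 2.0 apart


def decide(score):
    """Threshold check: match only inside the administrator's range."""
    return THRESHOLD_MIN <= score <= THRESHOLD_MAX


def build_store(key_id="enroll-station-01"):
    """Enrollment: extract a template per user and store a signed package."""
    return {uid: create_package(uid, extract(s), key_id, {"role": "user"})
            for uid, s in ENROLL_SAMPLES.items()}


def verify(claimed_id, sample, store):
    """1:1 verification: (match?, score) against the claimed identity."""
    package = store.get(claimed_id)
    if package is None:
        return False, 0.0
    body = validate_package(package)
    score = compare(extract(sample), body["template"])
    return decide(score), score


def identify(sample, store):
    """1:N identification: best-scoring enrolled user above threshold, or None."""
    live = extract(sample)
    best_id, best_score = None, 0.0
    for user_id, package in store.items():
        score = compare(live, validate_package(package)["template"])
        if decide(score) and score > best_score:
            best_id, best_score = user_id, score
    return best_id, best_score


def tamper_detected(package):
    """True if rebinding a stored package to another identity is caught."""
    forged = {"body": dict(package["body"], user_id="mallory"), "tag": package["tag"]}
    try:
        validate_package(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = build_store()
    print("verify alice as alice:", verify("alice", LIVE_ALICE, store))
    print("verify alice as bob:  ", verify("bob", LIVE_ALICE, store))
    print("identify alice:       ", identify(LIVE_ALICE, store))
    print("tamper detected:      ", tamper_detected(store["alice"]))
```

The point of `tamper_detected` is the reason Package Creation puts the user identity inside the protected body: a template that merely sits next to an identity in storage could be re-labelled to grant someone else's access, whereas here changing `user_id` invalidates the tag. A real unit would use an asymmetric signature so that the verification side holds no secret that could forge packages, and would encrypt the body for confidentiality, which this example leaves out.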
[Figure: Enrollment: biometric data → capture → feature extraction → storage. Authentication: biometric data → capture → feature extraction → matching against the stored template.]

Biometric Protection Profile
- Protection Profiles
  – NSA and the BMO wrote the world's first validated Biometric Protection Profile (in Verification Mode for Medium Robustness)
  – The Basic Biometric Verification Mode Protection Profile has been written and will soon be submitted to the National Information Assurance Partnership (NIAP) for validation
  – A Biometric Identification Mode Protection Profile for Medium & Basic Robustness is in development

Common Criteria Protection Profile: Process
[Figure: flowchart of the Protection Profile process. Customer needs and the TOE environment feed the threats to security, security policies and assumptions; security objectives counter the threats and support the policies, are mapped to them with rationale, and go through customer review; the objectives are then mapped to functional security requirements and security assurance requirements (an EAL, e.g. EAL-3), each with rationale, producing the draft Protection Profile.]

Verification of Vendor's Claims
- Independent verification of vendor's claims
  – Biometric Management Office
    » http://www.biometrics.dod.mil
  – NIAP
    » http://niap.nist.gov/cc-scheme/vpl/vpl_type.html
- Of course, you can always trust the vendor's testing or perform the testing yourself

Summary
- In summary I want to leave you with the following comments:
  – Defense in Depth!! Nothing (including biometrics) should be used as the only layer to protect classified information.
  – Biometric technology selection depends on the overall security design of the system.
  – The system implementation is critical.
  – Currently, by itself, biometrics is not strong enough to protect classified material.

Resources
- www.biometrics.org
- U.S.
Government Biometric Verification Mode Protection Profile for Medium Robustness Environments – http://niap.nist.gov/cc-scheme/pp/PP_VID1022-PP.pdf

Additional Resources
- Biometrics: Truths and Fictions – http://www.schneier.com/crypto-gram9808.html#biometrics
- Can Sample Images be Regenerated from Biometric Templates? – http://www.site.uottawa.ca/~adler/talks/2003/Regenerate-Images-BiometricsConf-Sept2003.pdf
- Digital Persona U.are.U Personal fingerprint scanner – http://www.dansdata.com/uareu.htm
- Risk of Masquerading Arising from the Storage of Biometrics – http://chris.fornax.net/biometrics.html

Common Biometric Technologies
- Facial Recognition
- Fingerprint Recognition
- Hand Geometry Recognition
- Iris Recognition
- Voice Recognition

Facial Recognition
- Capture: picture, thermal
- Template: eigenfaces, facial nodes
- Uses: authentication, surveillance

Fingerprint Recognition
- Capture: optical, thermal, capacitance, ultrasound
- Template: minutiae points
- Uses: authentication, access control, law enforcement

Hand Recognition
- Capture: 3-D picture (geometry)
- Template: physical measurements (position, length, width, thickness)
- Uses: access control, time & attendance

Iris Recognition
- Capture: picture
- Template: iris patterns
- Uses: identification, access control

Voice Recognition
- Capture: microphone
- Template: vocal tract patterns
- Uses: verification, telephone

Some DoD Applications
- Fingerprint and Iris – Lock integration in SCIF – Identix V20 & Iridian 2200
- Fingerprint – Technology update with DEERS RAPIDS with CAC – Identix DFRO 2080
- Iris – Iris technology demonstration – Iridian 220
- Fingerprint – 10 print – Crime scene evidence processing – SAGEM Morpho MetaMorpho
- Iris – Security upgrade – LG 3000
- Hand Geometry – Network access – RSI HandKey II
- Hand Geometry & Fingerprint – Security upgrade – RSI HandKey II & Identix V20

"Plug and Play" Biometric Products
- For large applications, biometric solutions are usually provided in the form of a Software Development Kit (SDK)
  – Requires software developers
- Turnkey solutions may be available.
- Depends on the purpose of the biometric.

Privileged User Access
- If "Privileged User" means "System Administrator", such users require special access to manage the system.
- Otherwise, access controls are established by organizational policy.

Operating Systems
- Support for operating systems varies from vendor to vendor.
Auditing
- Optional functionality vendors can provide on request
- The Biometric Protection Profile requires auditing functionality

Prices
- Varies from vendor to vendor
- Varies between technologies
- Varies between applications
- Ranges
  – From $100 (personal use)
  – To > $100,000 (custom systems)

Vulnerabilities
- Threats and vulnerabilities are stated in the Biometric Protection Profile
- Other publications on the Internet:
  – Hackers Claim New Fingerprint Biometric Attack – http://www.securityfocus.com/news/6717
  – Risk of Masquerading Arising from the Storage of Biometrics – http://chris.fornax.net/biometrics.html

Biometric Expiration Dates
- Biometrics may change over extended periods of time.
- Other than that, expiration dates are determined by organizational policies.

System Administrator Management Overhead
- In a biometric system you will still have to deal with the same issues as with passwords:
  – User enrollment/re-enrollment procedures
  – Users locked out
- The only additional overhead is potential training for enrollment.