Biometrics and Encryption - PowerPoint PPT Presentation

Slides: 20
Provided by: madhut
1
Biometrics and Encryption
  • Additional Security Slides

2
Biometrics 101 (cont)
  • Required System Components
  • A biometric authentication device is made up of
    three components
  • A database of biometric data.
  • Input procedures and devices.
  • Output and graphical interfaces.

3
Identification Vs. Verification
  • In identification, the system attempts to find
    out whom the sample belongs to by comparing the
    sample with a database of samples in the hope of
    finding a match (this is known as a one-to-many
    comparison). "Who is this?"
  • Verification is a one-to-one comparison in which
    the biometric system attempts to verify an
    individual's claimed identity. "Is this person who
    he/she claims to be?"

4
Human trait examples used in Biometrics
  • Fingerprints: A fingerprint system looks at the
    patterns found on a fingertip. There are a variety
    of approaches to fingerprint verification: the
    traditional police method matches minutiae, while
    others use straight pattern-matching devices. Some
    verification approaches can detect whether a live
    finger is presented; some cannot.
  • Hand Geometry: Hand geometry involves analyzing
    and measuring the shape of the hand. This
    biometric offers a good balance of performance
    characteristics and is relatively easy to use. It
    might be suitable where there are more users or
    where users access the system infrequently and
    are perhaps less disciplined in their approach to
    the system.

5
Security Measures for the Internet Age
  • Encryption
  • Digital Signatures
  • Digital Certificates
  • Secure Electronic Transactions (SET)

6
Encryption
(Diagram: Plaintext --Encryption--> Ciphertext --Decryption--> Plaintext)
  • Cryptography: the art and science of keeping
    messages secure
  • Cryptanalysis: the art and science of breaking
    ciphertext
  • Cryptology: the area of mathematics that covers
    both

7
Encryption continued
  • If
  • M = the plaintext message
  • C = the encrypted ciphertext
  • E = the encryption algorithm
  • D = the decryption algorithm
  • Then
  • E(M) = C
  • D(C) = M
  • D(E(M)) = M

8
Algorithms and Keyspaces
  • The cryptographic algorithm (cipher) is a
    mathematical function used for encryption and
    decryption
  • Restricted algorithm: security is based on keeping
    the internals of the algorithm secret
  • But
  • If someone leaves the group
  • Someone buys the algorithm
  • The problems of restricted algorithms are solved
    by using keys

9
Keys
  • A key is any one of a large number of values
  • The total possible set of keys is called the
    keyspace
  • Encryption and decryption are dependent on the key
  • So
  • E_K(M) = C
  • D_K(C) = M
  • D_K(E_K(M)) = M
  • What does this mean?
  • D_K2(E_K1(M)) = M

10
Private vs. Public Key Encryption
(Diagram: private key = symmetric; public key = asymmetric)

11
Symmetric vs. Asymmetric algorithms
  • Symmetric
  • Typically use the same key for encryption and
    decryption
  • Sender and receiver must agree to secret key
    before sending message
  • Asymmetric
  • Key for encryption is different from one for
    decryption
  • Encryption key can be made public
  • Decryption key is private
  • Sometimes called public key encryption
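The equations on slides 7 and 9 and the symmetric/asymmetric split on slide 11, worked in code. This is an added example, not code from the original slides: the symmetric cipher is built from an HMAC-SHA256 keystream (a constructed stand-in for DES/AES so that only the Python standard library is needed), and the asymmetric side is textbook RSA with the classic small parameters p=61, q=53, e=17, chosen so the arithmetic is visible (real keys are far larger and use a padding scheme). The names sym_encrypt, sym_decrypt, rsa_keygen, rsa_encrypt, rsa_decrypt and demo are the example's own.

```python
import hashlib
import hmac

# --- Symmetric: one secret key K; E_K and D_K are inverses (slide 9) ---

def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream from the key with HMAC-SHA256 in counter mode.
    (A PRF-based stream cipher, used here only to avoid third-party
    libraries. Never reuse the same key for two messages with this scheme.)"""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E_K(M) = C: XOR the plaintext with the key-derived stream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """D_K(C) = M: XOR is its own inverse, so the same operation undoes it."""
    return sym_encrypt(key, ciphertext)

# --- Asymmetric: encrypt with public K1, decrypt with private K2 (slide 11) ---

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes; returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(public_key, m: int) -> int:
    """E_K1(M) = M^e mod n, using only the public key."""
    e, n = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    """D_K2(C) = C^d mod n, using the private key."""
    d, n = private_key
    return pow(c, d, n)

def demo() -> dict:
    """Check each of the slides' equations on constructed sample data."""
    message = b"meet at noon"                              # constructed plaintext M
    k = hashlib.sha256(b"shared secret").digest()          # constructed key K
    k_other = hashlib.sha256(b"a different key").digest()  # constructed key K'
    c = sym_encrypt(k, message)
    results = {
        "sym_roundtrip": sym_decrypt(k, c) == message,        # D_K(E_K(M)) = M
        "sym_wrong_key": sym_decrypt(k_other, c) == message,  # D_K'(E_K(M)) != M
    }
    # Textbook RSA parameters (p=61, q=53, e=17) give n=3233 and d=2753.
    public_key, private_key = rsa_keygen(61, 53, e=17)
    m = 65
    results["rsa_roundtrip"] = rsa_decrypt(private_key, rsa_encrypt(public_key, m)) == m  # D_K2(E_K1(M)) = M
    results["rsa_keys_differ"] = public_key != private_key
    return results

if __name__ == "__main__":
    print(demo())
```

The symmetric half shows why "sender and receiver must agree on the secret key": decrypting with any other key yields garbage. The RSA half shows the two-key case D_K2(E_K1(M)) = M, where K1 = (e, n) can be published and only K2 = (d, n) recovers the message.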

12
Cryptanalysis
  • Recovering the plaintext without the key (an
    attack)
  • All secrecy resides in the key
  • Types of attack
  • Ciphertext-only attack
  • Known-plaintext attack
  • Chosen-plaintext attack
  • Adaptive-chosen-plaintext attack
  • Rubber-hose attack
  • Purchase-key attack

13
Encryption Standards
  • Data Encryption Standard (DES)
  • Uses a 56-bit key
  • Both sender and receiver must know the key
  • Only took three days to crack in 1998 (see
    www.distributed.net)
  • Triple DES (3DES)
  • Encrypts the DES message three times
  • Advanced Encryption Standard (AES)
  • Successor to the 3DES standard (128-bit)
  • US Government has chosen a Belgian algorithm called
    Rijndael
  • Pretty Good Privacy (PGP)
  • Product that uses DES but is 128-bit
  • Two keys: public and private

14
Public Key Infrastructure
  • Involves hardware, software, data transport
    mechanism, smart cards, governing policies and
    protocols
  • Requires services of
  • Registration Authority
  • Certificate Authority
  • Data Repositories

15
Digital Signatures
  • Consists of two pieces of information
  • The data being transmitted
  • The private key of the individual or organization
    sending the data
  • The private key acts as a digital signature to
    verify that the data is from the stated source
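Slide 15 ties the signature to the sender's private key and to the data being sent. The added example below (not part of the slides) shows the usual shape of that: hash the data, apply the private exponent, and let anyone holding the public key verify the result, so a changed message or a wrong signature is rejected. The toy RSA modulus is built from two well-known Mersenne primes, 2^31-1 and 2^61-1, so the example runs with only the standard library; truncating the hash to fit below the modulus is a toy-only step. Real systems use 2048-bit or larger keys and a padding scheme such as RSASSA-PSS. The names sign, verify and digest_int are the example's own.

```python
import hashlib

# Constructed toy key pair for illustration only: two well-known Mersenne primes.
# Real RSA keys use random primes of 1024+ bits each plus a signature padding scheme.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                                  # public modulus, about 92 bits
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def digest_int(data: bytes) -> int:
    """Hash the data and take the first 88 bits so the integer is below N.
    (Truncation is a toy-only step; with real key sizes the full hash fits.)"""
    h = hashlib.sha256(data).digest()
    return int.from_bytes(h[:11], "big")

def sign(data: bytes, private_exponent: int = D) -> int:
    """Signature = digest^d mod N; only the holder of d can produce it."""
    return pow(digest_int(data), private_exponent, N)

def verify(data: bytes, signature: int, public_exponent: int = E) -> bool:
    """Anyone with the public key checks signature^e mod N == digest(data)."""
    if not 0 <= signature < N:
        return False
    return pow(signature, public_exponent, N) == digest_int(data)

if __name__ == "__main__":
    msg = b"invoice 42: pay 100"            # constructed sample data
    s = sign(msg)
    print("valid:", verify(msg, s))
    print("tampered data rejected:", not verify(msg + b"0", s))
    print("altered signature rejected:", not verify(msg, s + 1))
```

Note what is transmitted: the data and the signature, never the private key itself. The verifier recomputes the digest from the data it received, so any change to the data after signing makes the check fail.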

16
Transaction Security
  • Secure Socket Layer (SSL)
  • Sits as a layer within the TCP/IP model
  • Creates a secure negotiated session between
    client and server
  • Secure Negotiated Session
  • All communication between client and server is
    encrypted
  • URL, credit card number, cookies, attached
    documents
  • Agree upon a symmetric session key
  • Used for only one session and then destroyed
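An added example (not from the slides) of the "agree upon a symmetric session key" step. It uses Diffie-Hellman key agreement, which is how modern TLS performs this step (the original SSL versions mostly used RSA key transport instead), over a constructed toy group: a 64-bit safe prime found at import time with a Miller-Rabin test, far too small for real use. Both sides derive the same key from values that are exchanged in the clear; the private exponents are discarded after the handshake, matching "used for only one session and then destroyed". The names handshake, session_key, dh_keypair and first_safe_prime_above are the example's own.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, with trial division first."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def first_safe_prime_above(lower: int) -> int:
    """Smallest safe prime p = 2q + 1 (q also prime) with p > lower."""
    q = (lower // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

# Constructed toy group: a 64-bit safe prime with generator 2 (toy size only).
P = first_safe_prime_above(2**63)
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    """Fresh (private exponent, public value) for one session."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def dh_shared_secret(own_private: int, peer_public: int) -> int:
    """g^(xy) mod p, computed from the peer's public value and our private one."""
    if not 1 < peer_public < P - 1:          # reject the trivial values 0, 1, p-1
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P)

def session_key(shared_secret: int, transcript: bytes) -> bytes:
    """Derive a 256-bit symmetric session key, bound to the handshake transcript."""
    return hashlib.sha256(shared_secret.to_bytes(P_BYTES, "big") + transcript).digest()

def handshake():
    """Simulate client and server negotiating a session key; returns both copies."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    # only client_pub and server_pub cross the wire; an observer sees just these
    transcript = client_pub.to_bytes(P_BYTES, "big") + server_pub.to_bytes(P_BYTES, "big")
    client_key = session_key(dh_shared_secret(client_priv, server_pub), transcript)
    server_key = session_key(dh_shared_secret(server_priv, client_pub), transcript)
    del client_priv, server_priv             # one session only: discard the secrets
    return client_key, server_key

if __name__ == "__main__":
    ck, sk = handshake()
    print("keys match:", ck == sk, "session key:", ck.hex())
```

Each call to handshake() produces a different key, which is the point of a per-session key: compromising one session's key says nothing about the next. Binding the transcript into the key derivation is what real handshakes do so that a tampered exchange yields mismatched keys rather than a silently weakened one.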

17
Online Credit Card Transaction
(Diagram: parties are CONSUMER, MERCHANT, CLEARING HOUSE, CONSUMER BANK and MERCHANT BANK)
1. Consumer makes purchase
2. SSL connection to merchant
3. Merchant server contacts clearinghouse
4. Clearinghouse verifies account and balance with issuing bank
5. Bank transfers funds to merchant bank
6. Debit issued in monthly statement
  • Secure Electronic Transactions

18
Problems with SSL method
  • Neither merchant nor consumer can be fully
    authenticated
  • Consumers can repudiate charges even though goods
    have been shipped
  • Costs for merchants are high: 3.5% plus 20-30 cents
    per transaction plus setup fees
  • Apple's iTunes aggregates charges over a 24-hour
    period
  • Cards are not as ubiquitous as you think

19
Multi-layered E-Commerce Security
(Diagram: concentric layers around DATA, from inside out: Technology Solutions, Organizational Policies, Industry and Legal Standards)