# Biometrics and Encryption by xuyuzhu

```
Biometrics and Encryption

Biometrics 101 (cont)
Required System Components
• A biometric authentication device is made
up of three components:
– A database of biometric data.
– Input procedures and devices.
– Output and graphical interfaces.
Identification Vs. Verification
• In identification, the system attempts to find
out who the sample belongs to by comparing
the sample with a database of samples in the
hope of finding a match (this is known as a
one-to-many comparison). "Who is this?"

• Verification is a one-to-one comparison in
which the biometric system attempts to verify an
individual's identity. "Is this person who
he/she claims to be?"
Human trait examples used in Biometrics
• Fingerprints
Fingerprint recognition looks at the patterns found on a fingertip.
There are a variety of approaches to fingerprint verification: some
emulate the traditional police method of matching minutiae; others
use straight pattern-matching devices. Some verification approaches
can detect when a live finger is presented; some cannot.
• Hand Geometry
Hand geometry involves analyzing and measuring the shape of
the hand. This biometric offers a good balance of performance
characteristics and is relatively easy to use. It might be suitable
where there are more users or where users access the system
infrequently and are perhaps less disciplined in their approach to
the system.
Security Measures for the Internet Age
•   Encryption
•   Digital Signatures
•   Digital Certificates
•   Secure Electronic Transactions (SET)
Encryption

(Diagram: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext)

• Cryptography: art and science of keeping messages
secure
• Cryptanalysis: art and science of breaking ciphertext
• Cryptology: area of mathematics that covers both
Encryption continued
• If
–   M=the plaintext message
–   C=the encrypted ciphertext
–   E=encryption algorithm
–   D=decryption algorithm
• Then
– E(M)=C
– D(C)=M
– D(E(M))=M
Algorithms and Keyspaces
• The cryptographic algorithm (cipher) is a
mathematical function used for encryption and
decryption
• Security based on restriction to internals of
algorithm
– But
• If someone leaves group
• Problems of restricted algorithms are solved by using
keys
Keys
• Any one of a large number of values
• The total possible set of keys is called the
keyspace
• Encryption and decryption both depend on the
key
• So
–   E_K(M)=C
–   D_K(C)=M
–   D_K(E_K(M))=M
–   What does this mean?
• D_K2(E_K1(M))=M
Private vs. Public Key Encryption
Symmetric vs. Asymmetric algorithms
• Symmetric
– Typically use the same key for encryption and
decryption
– Sender and receiver must agree to secret key before
sending message
• Asymmetric
–   Key for encryption is different from one for decryption
–   Encryption key can be made public
–   Decryption key is private
–   Sometimes called public key encryption
Cryptanalysis
• Recovering the plaintext without the key (an
attack)
• All secrecy resides in the key
• Types of attack
–   Ciphertext-only attack
–   Known-plaintext attack
–   Chosen-plaintext attack
–   Rubber-hose attack
–   Purchase-key attack
Encryption Standards
• Data Encryption Standard (DES)
– Uses 56 bit key
– Both sender and receiver must know the key
– Only took three days to crack in 1998 (see www.distributed.net)
• Triple DES (3DES)
– Encrypt the DES message three times
• Advanced Encryption Standard (AES)
– Successor to the 3DES standard (128 bit)
– US Government has chosen Belgian algorithm
called Rijndael
• Pretty Good Privacy (PGP)
– Product that uses the DES but is 128 bit
– Two keys – public and private
Public Key Infrastructure
• Involves hardware, software, data
transport mechanism, smart cards,
governing policies and protocols
• Requires services of
– Registration Authority
– Certificate Authority
– Data Repositories
Digital Signatures
• Consists of two pieces of information
– the data being transmitted
– The private key of the individual or
organization sending the data
• The private key acts as a digital signature
to verify that the data is from the stated
source
Transaction Security
• Secure Socket Layer (SSL)
– Uses the SSL in the TCP/IP model
– Creates a secure negotiated session between client
and server
• Secure Negotiated Session
– All communication between client and server is
encrypted
• URL, credit card number, cookies, attached documents
– Agree upon a symmetric session key
• Used for only one session and then destroyed
Online Credit Card Transaction
(Diagram; parties: Consumer, Merchant, Clearinghouse, Merchant Bank,
Consumer Bank)
1. Consumer makes purchase
2. SSL connection to merchant
3. Merchant server contacts clearinghouse
4. Clearinghouse verifies account and balance with issuing bank
5. Bank transfers funds to merchant bank
6. Debit issued in monthly statement

•   Secure Electronic Transactions
Problems with SSL method
• Neither merchant nor consumer can be fully
authenticated
• Consumers can repudiate charges even though
goods have been shipped
• Costs for merchants high – 3.5% plus 20-30
cents per transaction plus setup fees
– Apple's iTunes aggregates for a 24-hour period
• Cards not as ubiquitous as you think
Multi-layered E-Commerce Security
(Diagram layers: Data; Technology Solutions; Organizational Policies;
Industry and Legal Standards)

```
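The slides' relation D_K2(E_K1(M))=M and the digital-signature slide, worked through as an added example that is not part of the original deck. It assumes textbook RSA (the slides name no algorithm) with two small Mersenne primes and no padding, so it is illustrative only; `make_keypair`, `sign`, `verify` and the sample data are names and values introduced here.

```python
# Added example: textbook RSA in the slides' notation (K1 public, K2 private).
# Toy parameters and no padding: for illustration, not for real use.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (K1, K2): public key (e, n) and private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # d is the inverse of e modulo phi (Python 3.8+)
    return (e, n), (d, n)

def E(key, m):
    """E_K(M): modular exponentiation with the key's exponent."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exponent, n)

D = E  # decryption is the same operation, performed with the other key

def digest(data, n):
    """Hash the data and reduce it into the range the toy modulus allows."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    """Signature = digest of the data transformed with the private key."""
    return E(private_key, digest(data, private_key[1]))

def verify(public_key, data, signature):
    """Anyone holding the public key can check the signature."""
    return E(public_key, signature) == digest(data, public_key[1])

# Constructed sample values (2**31 - 1 and 2**61 - 1 are known primes).
K1, K2 = make_keypair(2**31 - 1, 2**61 - 1)
M = int.from_bytes(b"PIN 4921", "big")
DATA = b"Pay merchant 42.00"

if __name__ == "__main__":
    C = E(K1, M)
    print("D_K2(E_K1(M)) == M:", D(K2, C) == M)
    sig = sign(K2, DATA)
    print("signature verifies:", verify(K1, DATA, sig))
    print("tampered data verifies:", verify(K1, DATA + b"0", sig))
```

The signature is computed over a hash of the data with the private key and checked with the public key; the private key itself is never transmitted.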
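Why the size of the keyspace matters when "all secrecy resides in the key", as an added example that is not part of the original deck. It runs an exhaustive search against a toy 16-bit cipher built from SHA-256 (an assumption standing in for a real cipher, not DES), then scales the slides' "three days" figure for a 56-bit key to a 128-bit key; all names and sample data are introduced here.

```python
# Added example: the keyspace as the security parameter of a keyed cipher.
import hashlib

def keystream(key, key_bits, length):
    """Toy keystream: SHA-256 of key || counter (a stand-in, not DES)."""
    seed = key.to_bytes((key_bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def E(key, key_bits, message):
    """E_K(M): XOR the message with the key-dependent keystream."""
    stream = keystream(key, key_bits, len(message))
    return bytes(m ^ s for m, s in zip(message, stream))

D = E  # XOR is its own inverse, so D_K(E_K(M)) = M

def exhaustive_search(ciphertext, known_plaintext, key_bits):
    """Try every key in the keyspace; return (key, trials) or (None, trials)."""
    prefix = ciphertext[:len(known_plaintext)]
    for key in range(2 ** key_bits):
        if D(key, key_bits, prefix) == known_plaintext:
            return key, key + 1
    return None, 2 ** key_bits

def scale_days(days, from_bits, to_bits):
    """Search time at a fixed key rate: each extra key bit doubles the work."""
    return days * 2 ** (to_bits - from_bits)

# Constructed sample data
KEY_BITS = 16
SECRET_KEY = 0xBEEF
MESSAGE = b"INVOICE 2024-001: pay 150.00 EUR"
CIPHERTEXT = E(SECRET_KEY, KEY_BITS, MESSAGE)

if __name__ == "__main__":
    key, trials = exhaustive_search(CIPHERTEXT, MESSAGE[:8], KEY_BITS)
    print(f"16-bit key {key:#06x} found after {trials} of {2**KEY_BITS} trials")
    years = scale_days(3, 56, 128) / 365
    print(f"3 days for 56 bits scales to about {years:.1e} years for 128 bits")
```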