Biometrics and Encryption

Document Sample
Biometrics and Encryption Powered By Docstoc
					Biometrics and Encryption

   Additional Security Slides
       Biometrics 101 (cont)
Required System Components
• A biometric authentication device is made
  up of three components:
  – A database of biometric data.
  – Input procedures and devices.
  – Output and graphical interfaces.
   Identification Vs. Verification
• In identification, the system then attempts to find
  out who the sample belongs to, by comparing
  the sample with a database of samples in the
  hope of finding a match (this is known as a one-
  to-many comparison). "Who is this?"

• Verification is a one-to-one comparison in
  which the biometric system attempts to verify an
  individual's identity. "Is this person who
  he/she claims to be?"
        Human trait examples used in
• Fingerprints
  A fingerprint looks at the patterns found on a fingertip. There are
  a variety of approaches to fingerprint verification. Ex. traditional
  police method of matching minutiae; others use straight pattern-
  matching devices; verification approaches can detect when a live
  finger is presented; some cannot.
• Hand Geometry
  Hand geometry involves analyzing and measuring the shape of
  the hand. This biometric offers a good balance of performance
  characteristics and is relatively easy to use. It might be suitable
  where there are more users or where users access the system
  infrequently and are perhaps less disciplined in their approach to
  the system.
      Security Measures for the
            Internet Age
•   Encryption
•   Digital Signatures
•   Digital Certificates
•   Secure Electronic Transactions (SET)

                           Ciphertext                Plaintext
              Encryption                Decryption

•Cryptography: art and science of keeping messages
•Cryptanalysis: art and science of breaking ciphertext
•Cryptology: area of mathematics that covers both
           Encryption continued
• If
   –   M=the plaintext message
   –   C=the encrypted ciphertext
   –   E=encryption algorithm
   –   D=decryption algorithm
• Then
   – E(M)=C
   – D(C)=M
   – D(E(M))=M
    Algorithms and Keyspaces
• The cryptographic algorithm (cipher) is a
  mathematical function used for encryption and
• Security based on restriction to internals of
  – But
     • If someone leaves group
     • Someone buys algorithm
• Problems of restricted algos solved with using
• Any one of a large number of values
• The total possible set of keys is called the
• The encryption and decryption is dependent on
• So
  –   E (M)=C

  –   D (C)=M

  –   D (E (M))=M
       K   K

  –   What does this mean?
       • DK2(EK1(M))=M
Private vs. Public Key
      Symmetric vs. Asymmetric
• Symmetric
  – Typically use the same key for encryption and
  – Sender and receiver must agree to secret key before
    sending message
• Asymmetric
  –   Key for encryption is different from one for decryption
  –   Encryption key can be made public
  –   Decryption key is private
  –   Sometimes called public key encryption
• Recovering the plaintext without the key (an
• All secrecy resides in the key
• Types of attack
  –   Ciphertext-only attack
  –   Known-plaintext attack
  –   Chosen-plaintext attack
  –   Adaptive-chosen-plaintext attack
  –   Rubber-hose attack
  –   Purchase-key attack
 Encryption Standards
• Data Encryption Standard (DES)
   – Uses 56 bit key
   – Both sender and receiver must know the key
   – Only took three days to crack in 1998 (see www.
• Triple DES (3DES)
   – Encrypt the DES message three times
• Advanced Encryption Standard (AES)
   – Successor to the 3DES standard (128 bit)
   – US Government has chosen Belgian Algorithm
     called Rijndael
• Pretty Good Privacy (PGP)
   – Product that uses the DES but is 128 bit
   – Two keys – public and private
     Public Key Infrastructure
• Involves hardware, software, data
  transport mechanism, smart cards,
  governing policies and protocols
• Requires services of
  – Registration Authority
  – Certificate Authority
  – Data Repositories
           Digital Signatures
• Consists of two pieces of information
  – the data being transmitted
  – The private key of the individual or
    organization sending the data
• The private key acts as a digital signature
  to verify that the data is from the stated
         Transaction Security
• Secure Socket Layer (SSL)
  – Uses the SSL in the TCP/IP model
  – Creates a secure negotiated session between client
    and server
• Secure Negotiated Session
  – All communication between client and server is
     • URL, credit card number, cookies, attached documents
  – Agree upon a symmetric session key
     • Used for only one session and then destroyed
                                                              MERCHANT BANK
                     Online Credit Card
MERCHANT      3. Merchant server contacts
              clearinghouse                      CLEARING
                                                                       5. Bank
                                                                       funds to
                                                   verifies account
             2. SSL connection to                                      merchant
                                                   and balance with
             merchant                                                  bank
                                                   issuing bank

       1. Consumer                          6. Debit issued
       makes                                in monthly
       purchase                             statement
                                                               CONSUMER BANK

•   Secure Electronic Transactions
    Problems with SSL method
• Neither merchant nor consumer can be fully
• Consumers can repudiate charges even though
  goods have been shipped
• Costs for merchants high – 3.5% plus 20-30
  cents per transaction plus setup fees
  – Apples iTunes aggregates for a 24 hour period
• Cards not as ubiquitous as you think
Multi-layered E-Commerce

          Technology Solutions

         Technology Solutions

         Organizational Policies

      Industry and Legal Standards

Shared By: