One of the most dangerous security threats is impersonation, in which somebody claims to be somebody else. The security activity that counters this threat is identification and authentication.
Identification is the step in which an identity is claimed for, or assigned to, a specific individual; authentication is the step that verifies that the claim is genuine. An individual can be identified and authenticated by what he knows, by what he owns or by his human characteristics.
There is a variety of means of establishing a person's identity, including:
* Appearance (how the person looks, eg, height, gender, weight).
* Name (what the person is called).
* Knowledge (what the person knows, eg, password).
* Possession (what the person owns, eg, smartcard or passport).
* Natural physiology (who the person is, eg, facial characteristics).
* Imposed physical characteristics, such as tags, collars, bracelets.
The goal of authentication is to protect a system against unauthorised use. It also protects individuals, since it denies others the possibility of impersonating authorised users. Authentication procedures are based on the following approaches:
* Proof by knowledge - information about the claimed identity that can only be known or produced by the individual with that identity (eg, password, personal identification number (PIN), answers to a questionnaire).
* Proof by possession - the claimant is authenticated by possession of an object (passport, magnetic stripe card, smartcard, optical card, etc).
* Proof by property - the system directly measures unique human characteristics of the claimant (eg, biometrics).
Identity documents can be stolen; passwords and personal identification numbers can be forgotten or broken. Security breaches giving access to restricted areas of airports or power plants have been exploited for terrorism. Although there are laws against false identification, intrusions and unauthorised modifications to information, systems and organisations occur daily, sometimes with catastrophic effects. Credit card fraud is increasing rapidly, causing financial distress and even bankruptcies. Traditional technologies are not sufficient to reduce the impact of counterfeiting, and additional, convenient security barriers are needed as society becomes more and more computer dependent.
Biometrics, the statistical measurement of biological characteristics, answers this need: the uniqueness of an individual lies in personal physical or behavioural characteristics, with no passwords or numbers to remember. Biometric systems verify a person's identity by analysing physical features or behaviours (eg, face, fingerprint, voice, signature, keystroke rhythms). The system records a reference sample (the template) from the user at enrolment and compares a fresh sample against it each time the user is asked to confirm his or her identity.
As stated in the introduction, authentication procedures are based on proof by knowledge, proof by possession or proof by property.
Proof by knowledge
The most common approach to user authentication is proof by knowledge, because of its simplicity and ease of implementation. Passwords are traditionally used in military applications, in protocols for accessing computer systems, in telecommunications and in banking. There are many reasons why this approach is unsafe: users usually choose predictable passwords, and there are sophisticated programs for guessing them. Passwords might not be securely transmitted through the system to legitimate users. In a network environment in particular, a password that is changed infrequently and flows over the network can easily be picked up by an eavesdropper, who then gains access to all the resources it protects. There are four types of passwords:
* Group passwords are known to all users of the system. Such passwords are dangerous in any system.
* Unique passwords for each individual are often written on a piece of paper instead of being memorised, which puts the security of the system at risk.
* Non-unique passwords, used to confirm a claimed identity: the user is given a short password, and identification depends on a long number stored on a card (eg, a magnetic stripe card). Unfortunately these numbers can be read and changed.
* Passwords which change each time the system is accessed (one-time passwords) have the disadvantage that a list of passwords must be kept at the central system and a copy distributed to each user. Mishandling of these lists may lead to disclosure, and the secure transmission of passwords from the central system to legitimate users is a big problem.
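The eavesdropping problem and the one-time password list problem above can be shown side by side. The following is an added example (not code from the article or its author): a conventional fixed password is replayed by a sniffer and accepted, whereas a one-time password taken from a Lamport hash chain, which the article does not describe and which is added here as the standard way of avoiding a distributed list, is rejected on replay. The server keeps only the current chain head, so there is no list to protect or distribute. SHA-256 as the one-way function, the chain length and the sample password are assumptions of this example.

```python
import hashlib
import secrets

N_LOGINS = 100  # chain length: logins possible before re-enrolment (assumed for this example)


def h(data: bytes) -> bytes:
    """One-way function for the chain; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


class StaticPasswordServer:
    """Conventional fixed password: the same secret crosses the network on every login."""

    def __init__(self, password: bytes):
        self.salt = secrets.token_bytes(16)
        self.stored = h(self.salt + password)

    def login(self, presented: bytes) -> bool:
        return secrets.compare_digest(h(self.salt + presented), self.stored)


class HashChainClient:
    """User side of a Lamport hash chain: password i is h applied i times to a secret seed."""

    def __init__(self, seed: bytes, n: int = N_LOGINS):
        self.seed = seed
        self.remaining = n  # index of the chain value the server currently holds

    def chain_value(self, k: int) -> bytes:
        v = self.seed
        for _ in range(k):
            v = h(v)
        return v

    def register(self) -> bytes:
        """Sent once, over a trusted channel, at enrolment: the chain head h^n(seed)."""
        return self.chain_value(self.remaining)

    def next_password(self) -> bytes:
        """Each login reveals the preimage of the value the server holds, never a reusable secret."""
        if self.remaining == 0:
            raise RuntimeError("chain exhausted: re-enrol with a fresh seed")
        self.remaining -= 1
        return self.chain_value(self.remaining)


class HashChainServer:
    """Server side: stores only the current chain head, no list of passwords."""

    def __init__(self, head: bytes):
        self.head = head

    def login(self, presented: bytes) -> bool:
        if secrets.compare_digest(h(presented), self.head):
            self.head = presented  # advance: the value just used can never be accepted again
            return True
        return False


def eavesdropper_replay_demo() -> dict:
    """An eavesdropper records what crosses the network and replays it later."""
    static = StaticPasswordServer(b"hunter2")
    captured_static = b"hunter2"                      # what the sniffer saw on the wire
    static_first = static.login(captured_static)
    static_replay = static.login(captured_static)     # accepted again: the secret never changes

    client = HashChainClient(secrets.token_bytes(32))
    server = HashChainServer(client.register())
    captured_otp = client.next_password()             # also seen on the wire
    otp_first = server.login(captured_otp)
    otp_replay = server.login(captured_otp)           # rejected: the server has moved on
    otp_next = server.login(client.next_password())   # the legitimate user continues
    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "otp_first": otp_first,
        "otp_replay": otp_replay,
        "otp_next": otp_next,
    }


if __name__ == "__main__":
    print(eavesdropper_replay_demo())
```

A captured chain value cannot be extended forward because h is one-way, so the sniffer learns nothing usable. The scheme does not stop an active attacker who relays the freshly captured value before the user's own connection completes, and the chain has to be re-seeded when it runs out.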
The questionnaire is another method in this approach. Each user answers a list of questions and the answers are used to distinguish that user. However, someone who knows the user well enough can answer the questions and impersonate the user, which makes the method very weak.
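Both weaknesses of proof by knowledge described above, predictable passwords and questionnaire answers that others can work out, come down to secrets drawn from a small search space. The following is an added example (not code from the article or its author) of the offline guessing that the "programs for guessing passwords" perform: a wordlist with a few mangling rules recovers the dictionary-derived passwords but not the random one, and a "year of birth" answer falls to a search of a few dozen values. The hashes, user names, wordlist and the use of unsalted SHA-256 are constructed for this example.

```python
import hashlib


def digest(secret: str) -> str:
    """Unsalted SHA-256, as a weak credential store might hold it (assumed for this example)."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample: what an attacker holds after copying the credential store.
STOLEN_PASSWORD_HASHES = {
    "alice": digest("password1"),
    "bob": digest("Letmein!"),
    "carol": digest("xK9#vQ2p!mZ7"),  # random, so no wordlist rule reaches it
}

# Questionnaire-style secret, "year of birth": a search space of a few dozen values.
STOLEN_ANSWER_HASHES = {
    "alice": digest("1975"),
}

# A tiny stand-in for the multi-million-entry wordlists real cracking tools ship with.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "monkey", "dragon"]


def mangle(word: str):
    """Rules that model how users 'strengthen' a dictionary word."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d
    yield word + "!"
    yield word.capitalize() + "!"


def crack_passwords(hashes: dict, wordlist) -> tuple:
    """Offline dictionary attack: returns ({user: recovered password}, guesses made)."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found, attempts = {}, 0
    for word in wordlist:
        for guess in mangle(word):
            attempts += 1
            for user in by_hash.get(digest(guess), []):
                found[user] = guess
    return found, attempts


def crack_answers(hashes: dict, years=range(1920, 2010)) -> tuple:
    """The questionnaire case: simply enumerate the whole answer space."""
    by_hash = {h: user for user, h in hashes.items()}
    found, attempts = {}, 0
    for year in years:
        attempts += 1
        user = by_hash.get(digest(str(year)))
        if user is not None:
            found[user] = str(year)
    return found, attempts


if __name__ == "__main__":
    print(crack_passwords(STOLEN_PASSWORD_HASHES, WORDLIST))
    print(crack_answers(STOLEN_ANSWER_HASHES))
```

Salting and a slow hash raise the cost per guess but do not change the picture for secrets this predictable; the fix the article is driving at is to stop relying on knowledge alone.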
Proof by possession
Passwords and questionnaires provide minimum security and cannot stop a determined attacker. The other two approaches are therefore more sophisticated alternatives for addressing the authentication concern. The proof by possession approach considers the use of cards. Cards that can be used, depending on the application, are as follows:
* Magnetic stripe cards.
* Radio frequency identification (RFID) cards and tags.
* Optical memory cards.
* Smartcards.
Magnetic stripe cards are widely accepted since they have been used for a long time in various applications, and the terminals that read them are standardised. They are widely used in automatic teller machines (ATMs), for credit validation, for access control to secure sites, etc. The user's identity is stored on the magnetic stripe, and the card is used in combination with a PIN (personal identification number). The dangers are that the PIN might be stolen and that the cards can easily be copied, since the stripe holds only static data that any reader can record. Newer technologies have enhanced magnetic cards with additional anti-counterfeiting techniques, and techniques known as Brocade or Biotin allow biometric templates to be stored, in coded form, on a magnetic stripe card.
RFID cards contain a tiny radio transponder that is activated on receipt of a signal of a specific frequency. If a biometric template is stored on such a card, it could be read by a biometric device directly from the user's wallet without the user being aware of it.
Optical memory cards have information encoded in them that cannot be changed. Their advantage is a large memory capacity, which leaves room for encryption mechanisms.
Smartcards are plastic cards with embedded chips (memory-only chips, logic-and-memory chips or microprocessors). Microprocessor cards have their own operating system, programs and data, and more advanced smartcards rely on VLSI technology for information storage and processing. They are used as telephone cards, banking cards, etc. Even assuming that the card itself is authenticated there remains a weakness: the card still needs to identify the cardholder by some means. One of the most common techniques is for the cardholder to present a PIN that is checked inside the card. However, this identification method is vulnerable to attack.
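The difference between a card that merely stores an identity and a card that can be authenticated can be made concrete. The following is an added example (not code from the article or its author): a magnetic stripe is modelled as static data, so one read produces a working clone, whereas a microprocessor card answers a fresh challenge with a keyed MAC computed inside the chip, so a copy that knows only the card number and an overheard transaction fails. The in-card PIN check is modelled with a retry counter, the usual defence against guessing the PIN. HMAC-SHA256 as the card's algorithm, the card numbers, keys and PINs are assumptions of this example, not any issuer's scheme.

```python
import hashlib
import hmac
import secrets


class StripeCard:
    """Magnetic stripe: the identity is static data that any reader can copy."""

    def __init__(self, account_id: str):
        self.track = account_id

    def read(self) -> str:
        return self.track


def clone_stripe(card: StripeCard) -> StripeCard:
    """One swipe through a skimmer yields a fully working copy."""
    return StripeCard(card.read())


class StripeTerminal:
    def __init__(self, valid_accounts):
        self.valid = set(valid_accounts)

    def authenticate(self, card: StripeCard) -> bool:
        return card.read() in self.valid


class SmartCard:
    """Microprocessor card: key and PIN stay inside the chip; only responses leave it."""

    def __init__(self, card_id: str, key: bytes, pin: str, max_tries: int = 3):
        self.card_id = card_id          # readable, like the number printed on the card
        self._key = key                 # never exported
        self._pin = pin
        self.tries_left = max_tries     # retry counter for the in-card PIN check
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False                # blocked after too many wrong PINs
        if secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            return True
        self.tries_left -= 1
        return False

    def respond(self, nonce: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("cardholder not verified")
        return hmac.new(self._key, self.card_id.encode() + nonce, hashlib.sha256).digest()


class ReplayCard:
    """Attacker's copy: knows the card id and one overheard response, not the key."""

    def __init__(self, card_id: str, recorded_response: bytes):
        self.card_id = card_id
        self.recorded = recorded_response

    def respond(self, nonce: bytes) -> bytes:
        return self.recorded            # cannot answer a nonce it has not seen


class ChipTerminal:
    def __init__(self, issuer_keys: dict):
        self.keys = issuer_keys         # card_id -> key, held by the issuer

    def authenticate(self, card) -> bool:
        nonce = secrets.token_bytes(16)  # fresh per transaction, so old answers are useless
        expected = hmac.new(self.keys[card.card_id], card.card_id.encode() + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(card.respond(nonce), expected)


def card_demo() -> dict:
    stripe_terminal = StripeTerminal(["4000-0001"])
    stripe_clone = clone_stripe(StripeCard("4000-0001"))

    key = secrets.token_bytes(32)
    chip_terminal = ChipTerminal({"C-1001": key})
    genuine = SmartCard("C-1001", key, pin="4821")
    genuine.verify_pin("4821")
    overheard = genuine.respond(secrets.token_bytes(16))   # one earlier transaction on the wire
    clone = ReplayCard("C-1001", overheard)

    blocked = SmartCard("C-1002", secrets.token_bytes(32), pin="0000")
    wrong_attempts = [blocked.verify_pin("1111") for _ in range(3)]
    return {
        "stripe_clone_accepted": stripe_terminal.authenticate(stripe_clone),
        "genuine_chip_accepted": chip_terminal.authenticate(genuine),
        "replay_clone_accepted": chip_terminal.authenticate(clone),
        "wrong_pin_accepted": any(wrong_attempts),
        "correct_pin_after_block": blocked.verify_pin("0000"),
    }


if __name__ == "__main__":
    print(card_demo())
```

The retry counter is what makes the in-card PIN check worth anything; without it the four-digit space is exhausted in ten thousand attempts. The counter only helps if it is enforced inside the chip, which is exactly the point the article makes about the check being done in the card.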
Proof by property
Biometric methods, used in the proof by property approach, are the most advantageous means of authentication, since a biometric characteristic cannot be forgotten, lost or lent to other people in the way a password or card can. The stored template must still be protected, however: a template that can be read from a card or database can be replayed like any other credential. Smartcards equipped with a microcomputer can store the biometric template and perform the verification process on the card, and are suitable for voice, signature or fingerprint biometrics.
Biometric techniques can be classified into two classes:
* Physiological based techniques - include facial analysis, fingerprint, hand geometry, iris analysis, DNA and measure the physiological characteristics of a person.
* Behaviour based techniques - include signature, keystroke, voice, smell and sweat pore analysis, and measure behavioural characteristics of a person.
(i) No single biometric dominates the market. Different technologies are used for the same applications. The current need in the biometric identification field is for the market to make greater use of what already exists.
(ii) The current generation of biometric identification devices offers cost and performance advantages over manual security procedures.
(iii) The claims of system designers need to be assessed by independent evaluators. Establishing evaluation centres will bring the confidence that is missing today. Independent screening tests of all devices should be performed, ie, treating the biometric devices as black boxes and measuring how well they perform: how often they wrongly accept an impostor and how often they wrongly reject a legitimate user. These tests should be performed by independent institutions in which manufacturers are not involved.
(iv) The lack of confidence in biometric technologies is caused by the lack of standards and testing. Standards will demonstrate that biometric technology is a reliable choice for the provision of security. They will give users from government and the public sector a choice among the various biometric technologies available, will expand the biometric market and make it competitive and trustworthy, and will help manufacturers evaluate their biometric products against standard tests. Different standardisation bodies should cooperate in order to establish global standards.
(v) The fear of 'Big Brother' that biometric technologies face can be overcome by various means, as follows:
* Store the biometric templates on cards whenever possible. Storage of templates in a central database brings hesitation and discomfort.
* Educate people on the different technologies. Most people are sceptical of these technologies because they do not have enough information about them.
* Emphasise the advantages of biometric technologies, and report counter-examples of fraud committed using other authentication methods.
* Provide awareness of when, how and where people are authenticated. People should know when and where they are identified and verified, and which technology is being used.
(vi) Biometric devices are the technologies of the future, since traditional technologies are not sufficient to reduce fraud and protect our computer systems and networks. It is natural to use them in applications where security is the highest priority, eg, law enforcement, physical access control and banking. Securing sensitive data on the Internet is a widespread concern, and Internet banking and electronic commerce will be sectors where biometric technologies provide a natural and logical solution.
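The verification step described in the introduction (compare a fresh sample to the enrolled template) and the black-box performance testing called for in point (iii) can be shown in one piece. The following is an added example (not code from the article or its author): a threshold-based verifier over four constructed hand-geometry measurements, plus the two error rates an independent evaluator would report, the false accept rate (impostors accepted) and the false reject rate (genuine users rejected), swept across thresholds to expose the trade-off between them. The feature values, the sensor noise model and the Euclidean-distance matcher are assumptions of this example, not any vendor's algorithm.

```python
import math
import random

# Constructed data for this example: four hand-geometry measurements (mm) per person.
TRUE_FEATURES = {
    "alice": (72.0, 81.0, 77.0, 64.0),
    "bob": (78.0, 88.0, 84.0, 70.0),
    "carol": (69.0, 76.0, 73.0, 60.0),
}
RNG = random.Random(7)      # fixed seed so the constructed captures are reproducible
SENSOR_NOISE = 1.5          # assumed per-measurement noise, mm


def capture(user: str) -> tuple:
    """Simulate one reading of a user's hand, with sensor noise."""
    return tuple(v + RNG.gauss(0.0, SENSOR_NOISE) for v in TRUE_FEATURES[user])


def distance(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class Verifier:
    """Enrol once, then verify a claimed identity by comparing a fresh capture to the template."""

    def __init__(self, threshold: float):
        self.threshold = threshold
        self.templates = {}     # per the article's recommendation this would live on the user's card

    def enrol(self, user: str, samples) -> tuple:
        dims = len(samples[0])
        template = tuple(sum(s[i] for s in samples) / len(samples) for i in range(dims))
        self.templates[user] = template
        return template

    def verify(self, claimed_user: str, sample) -> bool:
        return distance(self.templates[claimed_user], sample) <= self.threshold


def build_scores(n_per_user: int = 20) -> tuple:
    """Black-box test data: match distances for genuine attempts and for impostor attempts."""
    v = Verifier(threshold=0.0)
    for user in TRUE_FEATURES:
        v.enrol(user, [capture(user) for _ in range(3)])
    genuine, impostor = [], []
    for user in TRUE_FEATURES:
        for _ in range(n_per_user):
            sample = capture(user)
            for claimed in TRUE_FEATURES:
                d = distance(v.templates[claimed], sample)
                (genuine if claimed == user else impostor).append(d)
    return genuine, impostor


def error_rates(genuine, impostor, threshold: float) -> tuple:
    """FAR: fraction of impostors accepted; FRR: fraction of genuine users rejected."""
    far = sum(1 for d in impostor if d <= threshold) / len(impostor)
    frr = sum(1 for d in genuine if d > threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds) -> list:
    """The trade-off an evaluator reports: loosening the threshold raises FAR and lowers FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    g, i = build_scores()
    for t, far, frr in sweep(g, i, [2.0, 4.0, 6.0, 8.0, 10.0]):
        print(f"threshold {t:4.1f} mm  FAR {far:.2f}  FRR {frr:.2f}")
```

A vendor quoting a single accuracy figure has chosen one point on this curve; an independent test reports the whole curve, measured on subjects the vendor did not pick, which is what makes the black-box evaluation in point (iii) meaningful.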
The author would like to acknowledge the work of Dr Despina Polemi of the National Technical University of Athens during the writing of this article.
Brian Barnes is a security technology specialist, he can be contacted at Hodari Security Technologies, 082 973 8295.
© Technews Publishing (Pty) Ltd | All Rights Reserved