Carrying certificates around How do you use your [digital] identity? – Install your certificate in browser Distributed Systems – On-computer keychain file Need there be more? Smart Cards, Biometrics, & CAPTCHA Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 1 Page 2 Smart cards Smart cards • Smart card Capabilities – Portable device – Memory cards • credit card, , key fob, button with IC on it • Magnetic stripe: stores 125 bytes • Communication • Smart cards typically store 32-64 KB – Contact-based • Optional security for data access – Contactless – Microcontroller cards • Near Field Communication (NFC) • OS + programs + cryptographic hardware + memory • Communication within a few inches of reader • May draw power from reader’s EMF signal • 106-424 kbps – Hybrid: contact and contactless Page 3 Page 4 Smart card advantages Smart card applications • Security • Stored-value cards (electronic purses) – Developed for small-value transactions – on-board encryption, hashing, signing – Mid 1990s in Europe and Asia – data can be securely transferred • GSM phone SIM card – Store biometric data & verify against user – key store • Credit/Debit – Stored account numbers, one-time numbers • store public keys (your certificates) – EMV System (Europay, MasterCard, VISA) • do not divulge private keys • perform digital signatures on card • Passports • Convenience – Encoded biometric information, account numbers – more data can be carried on the card • Toll collection & telephone cards • Personalization – Account number (EZ-Pass) or stored value (mass transit) – e.g. GSM phone card • Cryptographic smart cards – Authentication: pin-protected signing with private key Page 5 Page 6 1
Example: Passport Example: Octopus • Contactless communication • Stored value card - contactless • Stores: – Provision for automatic replenishment – Descriptive data – Asynchronous transaction recording to banks – Digitized facial image – Two-way authentication based on public keys – Fingerprints, iris scan, etc. optional – Certificate of document signer & personal • All communications is encrypted public key • Widely used in Hong Kong & Shenzen • Basic Access Control (BAC) – Buses, stores, supermarkets, fast food, parking – Negotiate session key using: passport #, date of birth, expiration date – Logs $10.8 million per day on more than 50,000 – This data is read optically – so you need physical access readers – Generates 3DESS “document basic access keys” • Available in: • Fixed for life – German proposal to use Diffie-Hellman key negotiation – Cards, fobs, watches, toys Page 7 Page 8 Biometrics • Statistical pattern recognition – Thresholds • Each biometric system has a characteristic ROC plot – (receiver operator curve, a legacy from radio electronics) Biometric authentication (false non-match) secure false rejects trade-off convenient false accepts (false match) Page 9 Page 9 Page 10 Biometrics: forms Biometrics: forms • Iris Fingerprints – Analyze pattern of spokes: excellent uniqueness, – identify minutia signal can be normalized for fast matching • Retina scan – Excellent uniqueness but not popular for non-criminals • Fingerprint – Reasonable uniqueness • Hand geometry – Low guarantee of uniqueness: generally need 1:1 match • Signature, Voice – Behavioral vs. physical system – Can change with demeanor, tend to have low recognition rates • Facial geometry source: http://anil299.tripod.com/vol_002_no_001/papers/paper005.html Page 11 Page 12 2
Biometrics: desirable characteristics Biometrics: desirable characteristics • Robustness – Repeatable, not subject to large changes over time Biometric Robustness Distinctiveness Fingerprints & iris patterns are more robust than voice Fingerprint Moderate High Hand Geometry Moderate Low • Distinctiveness Voice Moderate Low – Differences in the pattern among population Iris High High Fingerprints: typically 40-60 distinct features Signature Low Moderate Irises: typically >250 distinct features Hand geometry: ~1 in 100 people may have a hand with measurements close to yours. Page 13 Page 14 Irises vs. Fingerprints Irises vs. Fingerprints • Number of features measured: • False accept rates – High-end fingerprint systems: ~40-60 features – Fingerprints: ~ 1:100,000 (varies by vendor) – Iris systems: ~240 features – Irises: ~ 1:1.2 million • Ease of data capture • Ease of searching – More difficult to damage an iris – Fingerprints cannot be normalized 1:many searches are difficult – Feature capture more difficult for fingerprints: – Irises can be normalized to generate a unique • Smudges, gloves, dryness, … IrisCode 1:many searches much faster Page 15 Page 16 Biometrics: desirable characteristics Identification vs. Verification • Cooperative systems (multi-factor) • Identification: Who is this? – User provides identity, such as name and/or PIN – 1:many search • Non-cooperative • Verification: Is this X? – Users cannot be relied on to identify themselves – Present a name, PIN, token – Need to search large portion of database – 1:1 (or 1:small #) search • Overt vs. covert identification • Habituated vs. non-habituated – Do users regularly use (train) the system Page 17 Page 18 3
Biometric: authentication process Biometric: authentication process 1. Sensing 3. Pattern matching – User’s characteristic must be presented to a – Sample compared to original signal in database sensor – Closely matched patterns have “small distances” – Output is a function of: between them • Biometric measure – Distances will hardly ever be 0 (perfect match) • The way it is presented • Technical characteristics of sensor 4. Decisions 2. Signal Processing – Decide if the match is close enough – Feature extraction – Trade-off: – Extract the desired biometric pattern false non-matches leads to false matches • remove noise and signal losses • discard qualities that are not distinctive/repeatable • Determine if feature is of “good quality” Page 19 Page 20 Biometric: authentication process 0. Enrollment – The user’s entry in a database of biometric signals must be populated. – Initial sensing + feature extraction. Detecting Humanness – May be repeated to ensure good feature extraction Page 21 Page 22 Page 22 Gestalt Psychology (1922-1923) Gestalt Psychology • Max Wertheimer, Kurt Koffka • Laws of organization – Proximity • We tend to group things together that are close together in space – Similarity • We tend to group things together that are similar – Good Continuation • We tend to perceive things in good form – Closure • We tend to make our experience as complete as possible – Figure and Ground • We tend to organize our perceptions by distinguishing between a figure and a background 18 x 22 pixels Source: http://www.webrenovators.com/psych/GestaltPsychology.htm Page 23 Page 24 4
Gestalt Psychology Gestalt Psychology HELLO Page 25 Page 26 Authenticating humanness CAPTCHA • Battle the Bots – Create a test that is easy for humans but extremely difficult for computers • CAPTCHA – C ompletely A utomated P ublic T uring test to tell C omputers and H umans A part – Image Degradation • Exploit our limits in OCR technology • Leverages human Gestalt psychology: reconstruction – 2000: Yahoo! and Manuel Blum & team at CMU Hotmail • EZ-Gimpy : one of 850 words – Henry Baird @ CMU & Monica Chew at UCB • BaffleText : generates a few words + random non-English Yahoo words See captchas.net Source: http://www.sciam.com/print_version.cfm?articleID=00053EA7-B6E8-1F80-B57583414B7F0103 http://tinyurl.com/dg2zf Page 27 Page 28 The end. Page 29 Page 29 5
Recommend
More recommend
