
Securing the Biometric Model

Anthony C. LENISKI, Computer Technology, Purdue University, West Lafayette, IN 47907, USA

Richard C. SKINNER, Computer Technology, Purdue University, West Lafayette, IN 47907, USA

Shawn F. McGANN, Computer Technology, Purdue University, West Lafayette, IN 47907, USA

Stephen J. ELLIOTT, Ph.D., Department of Industrial Technology & e-Enterprise Center, Discovery Park, Purdue University, West Lafayette, IN 47907, USA

ABSTRACT

This paper proposes a structured methodology following a full vulnerability analysis of the general biometric model outlined by Mansfield and Wayman (2002). Based on this analysis, a new multidimensional paradigm named the Biometric Architecture & System Security (BASS) model is proposed, which adds comprehensive security and management layers to the existing biometric model.

The BASS model is a structured methodology that guides firms towards employing a solid foundation for any biometric system through the emphasis of security practices at the module and systems level, as well as the standardization of policies and procedures for continued operations.

Keywords: Biometrics, Information Security, Large-scale Implementation, Management, Process Design

1. INTRODUCTION

As demand for biometric systems increases, we propose a novel model so that the implemented biometric application meets the security and management needs of the intended business, organization, or individual. This model, the Biometric Architecture & System Security (BASS) model, provides a guideline through the procedures and considerations that must be made to successfully implement an all-encompassing biometric system.

2. GENERAL BIOMETRIC MODEL

The first step in the General Biometric Model, shown in Figure 1, is Data Collection, which is the measurement of a behavioral/physiological characteristic that is both distinctive and repeatable. The system user's characteristics are presented to a given sensor, which yields the system's input data based upon the biometric measure and the technical characteristics of the sensor.

0-7803-7882-2/03/$17.00 ©2003 IEEE

Figure 1 - General Biometric Model [1]

The second step is Transmission, which occurs locally or over a distance in a distributed environment. If a system requires large amounts of data, a compression technique may be implemented to save system resources; however, this process can deteriorate the signal quality.

The third step in the biometric model is the Signal-Processing subsystem, which is divided into three tasks: feature extraction, quality control, and pattern matching. The first task is feature extraction, the non-reversible process of converting a captured biometric sample into data for comparison against a stored reference template. The second is quality control, which checks the captured biometric pattern to verify that an individual's qualities are not defective or insufficient in any way. The third task of the Signal-Processing subsystem is pattern matching, which is the process of making a comparison between one or more identified features of a sample and those of a stored template.

The fourth step in the biometric model is the Decision subsystem, which implements system policies by directing the database query to determine matches or non-matches based on the defined threshold and returns a decision based upon the defined system policies. The decision policy is a management preference that is specific to the operational and security requirements of the system.

The remaining subsystem is Storage, which stores the feature templates in a database for comparison, by the pattern matcher, to incoming feature samples. The storage of raw data allows changes in the system or system vendor to be made without the need to recollect data from all enrolled users.
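As an added illustration (not part of the original paper), the following Python code walks a constructed sensor sample through the Signal-Processing and Decision stages just described: a non-reversible feature extraction, a quality-control gate, a Hamming-distance matcher, and a threshold decision. The sensor model (a fixed-length list of integer readings), the bit-encoding feature extractor and the spread-based quality rule are all assumptions chosen for the example; they are not the authors' design.

```python
import statistics

# Constructed toy sensor model (assumption, not from the paper): a sample is a
# fixed-length list of integer sensor readings.
SAMPLE_LEN = 32


def extract_features(sample):
    """Feature extraction: encode each reading as one bit, 1 if it lies above
    the sample's own mean. The raw readings cannot be recovered from the bit
    string, which is the non-reversibility the paper describes."""
    mean = statistics.fmean(sample)
    return [1 if v > mean else 0 for v in sample]


def quality_ok(sample, min_spread=5.0):
    """Quality control: refuse samples of the wrong length or with too little
    variation, since a near-flat signal carries no distinctive information."""
    if len(sample) != SAMPLE_LEN:
        return False
    return statistics.pstdev(sample) >= min_spread


def match_score(features, template):
    """Pattern matching: normalised Hamming distance between the probe's
    feature bits and the stored template, 0.0 meaning identical."""
    if len(features) != len(template):
        raise ValueError("feature/template length mismatch")
    differing = sum(a != b for a, b in zip(features, template))
    return differing / len(template)


def decide(sample, template, threshold):
    """Decision subsystem: apply the policy threshold to the matcher output.
    Returns (decision, score); decision is 'match', 'non-match' or
    'reject-quality' (score is None when quality control refused the sample)."""
    if not quality_ok(sample):
        return "reject-quality", None
    score = match_score(extract_features(sample), template)
    return ("match" if score <= threshold else "non-match"), score


# Constructed enrolment sample; the template is what the database would hold.
ENROLLED = [(i * 7) % 20 for i in range(SAMPLE_LEN)]
TEMPLATE = extract_features(ENROLLED)

if __name__ == "__main__":
    probe = list(ENROLLED)
    probe[0], probe[1] = 19, 0            # two readings disturbed at capture time
    print(decide(probe, TEMPLATE, 0.25))                      # ('match', 0.03125)
    print(decide([19 - v for v in ENROLLED], TEMPLATE, 0.25))  # ('non-match', 1.0)
    print(decide([10] * SAMPLE_LEN, TEMPLATE, 0.25))           # ('reject-quality', None)
```

The threshold passed to `decide` is the management preference the paper refers to: lowering it reduces the chance of a false accept at the cost of more false rejects, and the same probe that matches at 0.25 is refused at 0.0.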

444


3. BIOMETRIC ARCHITECTURE & SYSTEM SECURITY MODEL

The Biometric Architecture and System Security (BASS) model extends Mansfield and Wayman's general biometric model concepts and creates the additional functionality required for any biometric deployment. The model, shown in Figure 2, is comprised of three core layers which are necessary to create a total systems approach: Functional, Security, and Management.

Figure 2 - Biometric Architecture & System Security Model (module labels recoverable from the figure: Data Collection, Data Storage, Result)

The Functional layer defines the generic biometric process consisting of Data Collection, Data Storage, Processing, Result, and Transport Modules. While some of the processes share common borders, the Transport Module provides the common interface for all inter-module communication. The Security and Management Layers coalesce to provide confidentiality, integrity, availability, and authentication for the system. Before any security or management concepts can be properly developed and deployed in a biometric system, an analysis is required on each of the five core biometric modules. This in-depth examination should at least determine the following:

- Assets to be protected
- Attack vectors
- Methods of attacks used on attack vectors
- Expected loss if compromised
- Classification of threat agents
- Risks of attacks by threat agents
- Countermeasures
- Cost effectiveness

The following sections guide the evaluation of each separate module of the Functional Layer to define the roles of Security and Management in a biometric system.

Data Collection Module

The Data Collection Module's objective is to identify the possible vulnerabilities at the point of enrollment and verification in the biometric system, specifically the biometric, device, environment, and information. Before addressing any component of the actual system, the chosen biometric must be evaluated to identify shortcomings along with possible spoofing techniques. With a clear understanding of these faults, it is possible to monitor and compensate for the weaknesses. Furthermore, the biometric device needs to be trusted and physically secure. The environment in which the biometric device is placed plays a key role in physical security. A successful biometric implementation will have its devices located where they cannot be affected by contiguous variables (i.e. lighting, temperature, background color, or interference), where it can recognize only the subject during capture, and where there is a low probability of the device being damaged (intentionally or unintentionally) or stolen. A device must be positioned so that the availability and functionality of the devices is unaffected by the surrounding atmosphere. Vendor environmental specifications of the device must be acknowledged in this level as well.

Information security is the final portion of the Data Collection Module that requires analysis. Implementations can lead to the possibility of a device being spoofed logically, through communication protocols, or physically, by replacing a trusted device with a rogue device. The concept of a trusted device indicates that through the use of some kind of exclusive identification, a biometric device must be authenticated as "trusted" before any transmissions from that device are processed. The use of trusted devices allows the assurance that the biometric data being introduced to the system is legitimate. To complement the countermeasures taken and ensure that the device is properly maintained, several management-level policies and procedures must be developed when securing a biometric device.
One of the most important management routines to be developed is a maintenance schedule, which defines the appropriate cleaning, calibration, and testing plans that are necessary to ensure a properly working device. Employee training and user habituation are also important collection management concepts, which help to ensure that the device is properly used and the data collected is consistent. Another important task of management is monitoring. It is imperative to constantly examine the system's environment to identify and address unanticipated changes before they dramatically affect the biometric system. The most important part of the Management Layer in the Data Collection Module is the policies regarding the integrity of the proof of identification provided during enrollment. Standards for proper identification must be established, such as the use of a birth certificate, government ID, or credentials, to ensure that the enrollee is genuine.


Transport Module

The Transport Module is the most vital component in the biometric system due to its interaction with each of the other system modules. The key to the Transport Module is to ensure privacy, authentication, integrity, and non-repudiation for communication between given elements for a secure and trusted system independent of the architecture. Besides the introduction of its own vulnerabilities, the transport layer inherits flaws from other subsystems, making it the most susceptible area in any implementation.

Figure 3 - Transport Sublayers of the BASS Model

The Transport Module implements the OSI network reference model (Figure 3), which is a framework for organizing networking technology and protocol solutions [2]. While the OSI model enables universal communication, the Security and Management layers of the BASS model will emphasize operational considerations for a successful implementation. Security at the Transport layer is broken into two categories: Physical Security and Information Assurance.

Physical security is dependent upon discerning the vulnerabilities in three key areas: Architecture, Medium, and Interfaces. Architecture deals with a system's design principles, stand-alone vs. distributed/networked, and physical configurations, which consist of using private or public based technologies. The key area of focus is physical access to the lines and equipment, which is controlled through methods such as protected casings, keyed access, and login authentication. Dependent upon the architecture in a system, various mediums such as wired (i.e. cable, fiber, integrated circuits) and wireless technologies will exist to transport the system data. An analysis should center on each medium's vulnerabilities, such as the interception of electrical and optical signals that would compromise a given system through methods such as wire taps, rogue access points, or a variety of other means. To provide physical connections for permitted access into a system, each device, such as the biometric equipment, computers, power sources, communication devices, etc., will employ one or more interfaces. All required interfaces should be protected against unauthorized connections, while nonsensical interfaces are disabled properly. All three features are analyzed individually and then together against the six key questions: Who, What, When, Where, Why, and How. Physical security provides measures necessary to protect a facility against the effects of unauthorized access, loss, or other intentional damage to a system. As systems move from private implementations to public designs, control over physical security will be undermined by the emphasis for information assurance.

The primary goals of information assurance are to provide confidentiality, integrity, availability, and authentication between communicating modules. Confidentiality ensures that unauthorized external or internal sources do not intercept, copy, or replicate the information [3]. Information integrity is confidence in the permanency of the information during communications [4]. Availability refers to the system being accessible at all times for transportation. Lastly, authentication is the process whereby an entity presents and proves its identity to another entity. Cryptographic technologies such as encryption, digital signatures, hashing algorithms, and digital certificates help aid in reducing the risks that are associated with the transport module. Each concept needs to be evaluated as information flows throughout the different layers of the OSI model to ensure trusted communication. To transport data throughout the OSI model, protocols are employed. Each protocol contains innate vulnerabilities which must be analyzed for the appropriate safeguards to be deployed. Examples of such vulnerabilities located in the TCP/IP protocol stack are susceptibility to Man-in-the-middle, Replay, and Denial of Service attacks. While physical security and information assurance provide a blueprint for security, without proper management an entire implementation is completely susceptible.
Management of the transport layer consists of three stages: Prevention, Detection, and Response. Each of these stages is dependent upon having full documentation of the system parameters such as hardware, software, service levels, protocols, addressing, and a systematic analysis of normal operation. The prevention stage incorporates the policies and procedures that are necessary for providing secure and reliable transportation for daily operations. The detection stage incorporates procedures to investigate and identify potential problems or security breaches in the event that the preventative stage fails [3]. The response stage defines the appropriate reaction to the items found in the detection stage for proper recovery and follow-up.
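The trusted-device concept from the Data Collection Module and the integrity, authentication and replay concerns of the Transport Module can be shown together in one added example (not code from the paper). The receiving side below accepts a capture only if it carries a valid HMAC under the key of a registered device, is fresh, and has not been seen before; every refusal is recorded so the management Detection stage has something to review. The device registry, the per-device keys, the JSON message layout and the 30-second freshness window are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed device registry (assumption): every trusted capture device has an
# exclusive identifier and a secret provisioned out of band; in a deployment the
# secret lives in the device's protected storage and the system's key store.
DEVICE_KEYS = {
    "sensor-lobby-01": b"constructed-key-for-lobby-sensor",
    "sensor-lab-07": b"constructed-key-for-lab-sensor",
}
MAX_AGE_SECONDS = 30  # how old a capture may be before it is treated as stale


def sign_capture(device_id, features, key, now=None):
    """Device side: bind the feature data to the device identity, a timestamp
    and a fresh nonce, then tag the whole message with an HMAC so the receiver
    can check both integrity and origin."""
    message = {
        "device": device_id,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
        "features": features,
    }
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class TransportVerifier:
    """Receiving side: accept only authenticated, fresh, unseen messages from
    registered devices, and keep a record of refusals for the detection stage."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.seen_nonces = {}   # nonce -> timestamp, pruned as messages age out
        self.rejections = []    # (device, reason) for each refused message

    def verify(self, envelope, now=None):
        now = time.time() if now is None else now
        try:
            message = json.loads(envelope["body"])
            device = message["device"]
            ts, nonce = int(message["ts"]), str(message["nonce"])
            features = message["features"]
        except (KeyError, TypeError, ValueError):
            return self._refuse(None, "malformed")
        key = self.device_keys.get(device)
        if key is None:                        # rogue or unregistered device
            return self._refuse(device, "unknown-device")
        expected = hmac.new(key, envelope["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return self._refuse(device, "bad-tag")   # altered in transit or forged
        if abs(now - ts) > MAX_AGE_SECONDS:
            return self._refuse(device, "stale")
        if nonce in self.seen_nonces:
            return self._refuse(device, "replay")
        self._prune(now)
        self.seen_nonces[nonce] = ts
        return {"accepted": True, "device": device, "features": features}

    def _prune(self, now):
        # A nonce older than the freshness window is refused as stale anyway,
        # so it no longer needs to be remembered.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if abs(now - t) <= MAX_AGE_SECONDS}

    def _refuse(self, device, reason):
        self.rejections.append((device, reason))
        return {"accepted": False, "device": device, "reason": reason}
```

The HMAC gives integrity and origin authentication; confidentiality of the feature data would still require encrypting the body (for example inside a TLS session), and non-repudiation would call for a digital signature rather than a shared-key tag, as the paper's list of cryptographic technologies indicates.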

Data Storage Module

The Data Storage Module is one of the most intricate parts of the biometric system due to its responsibility for safeguarding the permanent repository of all information collected from the system's users. Due to the highly sensitive nature of this data, the Data Storage Module is liable for not only ensuring the integrity, availability, and accessibility of the data, but also only allowing authorized access by users and other subsystems. The security and management layers provide the necessary mechanisms to meet these core objectives.

The Security Layer of the Data Storage Module is responsible for protecting the data from threat agents and disasters such as loss of power, hardware failure, or environmental cataclysm. The first step towards developing a protection strategy is to determine every point of storage and entry in the system, including both logical and physical locations. Once the location(s) are established, the next step is to address the physical security at each point based on the possible attack vectors or other weaknesses in the system. One key attribute of physical security is access control, in which methods are applied to restrict access to the storage host(s), backup devices, and storage media to only authorized system users through techniques such as keyed access or other external security services. The second key attribute of physical security is protection, which corresponds to physical measures taken to protect storage components such as a reinforced infrastructure, fire suppression system, and a climate control system. The chosen measures deployed should prevent/reduce the possibility of data loss in the event of an accident or natural disaster.

After determining the physical security needs in a system, the next step in the security layer is to ensure information integrity. Information security in the Data Storage Module consists of mechanisms that protect the warehoused biometric templates as the information is imported and exported from the database.
The first mechanism is providing a means of authentication and authorization, which validates the system user and decides if the validated user is allowed to perform the requested action or access the requested data. The second key mechanism is ensuring the integrity of the data being accessed or inserted in the database, which is applied through approaches such as time stamps, data hashes, digital signatures, encrypted storage, and trusted device concepts such as a key infrastructure. Another element of data integrity is an Intrusion Detection System (IDS), which would aid in detection and investigation in the event of an attack. Another vital aspect of the security layer is availability. The concept of information availability in the Data Storage Module is to provide uninterrupted access to the stored biometric data. The system's minimum availability should be determined to address the amount of redundancy required within the storage solution (i.e. hardware, software, and media). Once complete, a backup and recovery (B/R) approach, via hardware or software based solution(s), is developed to ensure the ability to revert to previously stored information in the event of a failure within the system.

While the security layer designs the proper defense principles, the management sub-layers are accountable for ensuring the system's routine performance. To ensure that the storage solution remains in its ideal state, several management-level policies and procedures must be developed focusing on two key areas: System and Security. System management ensures the appropriate operational and maintenance tasks required for normal system functioning are established. One key task in the system management layer is to routinely assess and document the capacity and access speed of the database and computing system. These results should be compared with the defined system specifications to ensure that the biometric solution is functioning properly and efficiently. Another key task in system management is to keep all the system's hardware and software updated with the latest service packs and patches from trusted vendors. All vendor-released fixes should be initially implemented in a test environment and then implemented into the production system if the corrections improve the system's efficiency or interoperability, or correct documented vulnerabilities. The second key area of the management layer is security. Security management provides the policies and procedures necessary to execute the defined mechanism of the security layer. The first important security management consideration is access control, in which parameters including users and permissions should be documented and verified periodically to ensure system security. Through the application of logging, audit trails should also be conducted and supervised regularly to verify that only authorized personnel and trusted system entities access and/or manipulate the database. Another important concept of security management is backup management. Backup management is essential in case the biometric system is compromised or has experienced a hardware failure; the backup can be used to restore the system to an operational state without total loss of information.
The first step in backup management is selecting a backup system, such as tape or optical, based upon an analysis of the following:

- Amount of data
- Backup time
- Frequency of the backup
- Restoration time
- Backup topology
- Overall cost

After determining the backup system, the second step in backup management is developing the necessary policies and procedures needed to implement a backup system. Some key considerations for the backup system include backup schedule, resources, authorized personnel, storage, and backup integrity.
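The Data Storage Module's two information-security mechanisms, authorization of the requesting entity and integrity of the stored templates (time stamps and hashes bound into a keyed tag), together with the audit trail the management layer asks for, can be exercised in a small in-memory stand-in for the template database. This is an added example, not the authors' code; the role table, the integrity key and the record layout are assumptions, and a real deployment would hold the key in a key store or HSM rather than beside the data.

```python
import hashlib
import hmac
import json
import time

# Constructed integrity key (assumption): in a deployment this is held in a key
# store or HSM, never in the database it protects.
STORE_KEY = b"constructed-template-store-integrity-key"

# Constructed authorisation policy (assumption): which actor may do what.
PERMISSIONS = {
    "enrollment-station": {"insert"},
    "matcher": {"read"},
    "db-admin": {"read", "insert", "delete"},
}


def seal(record):
    """Integrity tag over the canonical JSON form of a template record, so any
    change to the template, its time stamp or its hash is detectable on read."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


class TemplateStore:
    """In-memory stand-in for the template database with authorisation,
    per-record integrity tags and an audit trail of every access attempt."""

    def __init__(self, clock=time.time):
        self.rows = {}      # user_id -> {"record": ..., "tag": ...}
        self.audit = []     # (timestamp, actor, action, user_id, outcome)
        self.clock = clock

    def _log(self, actor, action, user_id, outcome):
        self.audit.append((self.clock(), actor, action, user_id, outcome))

    def _authorize(self, actor, action, user_id):
        allowed = action in PERMISSIONS.get(actor, set())
        self._log(actor, action, user_id, "ok" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{actor} is not permitted to {action}")

    def insert(self, actor, user_id, template, enrolled_at):
        """Store a template (a list of small ints) with its enrolment time stamp
        and hash, sealed under the integrity key."""
        self._authorize(actor, "insert", user_id)
        record = {
            "user": user_id,
            "template": list(template),
            "enrolled_at": enrolled_at,        # time stamp bound into the tag
            "sha256": hashlib.sha256(bytes(template)).hexdigest(),
        }
        self.rows[user_id] = {"record": record, "tag": seal(record)}

    def read(self, actor, user_id):
        self._authorize(actor, "read", user_id)
        row = self.rows.get(user_id)
        if row is None:
            return None
        if not hmac.compare_digest(seal(row["record"]), row["tag"]):
            # The row changed since it was sealed: refuse to hand the template
            # to the matcher and leave a record for investigation.
            self._log(actor, "integrity-check", user_id, "tampered")
            raise ValueError(f"template for {user_id} failed integrity check")
        return row["record"]["template"]

    def delete(self, actor, user_id):
        self._authorize(actor, "delete", user_id)
        return self.rows.pop(user_id, None) is not None

    def denied_events(self):
        """The audit entries a periodic review would look at first."""
        return [e for e in self.audit if e[4] in ("denied", "tampered")]
```

Because the tag covers the whole record rather than the template alone, altering the enrolment time stamp or substituting a template with a matching hash is caught as well; a review of `denied_events()` is the routine audit-trail check the management layer calls for.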


Processing Module

The Processing Module of the BASS model identifies the necessary precautions that must be taken at any instance in a given system where biometric data is processed. The Processing Module draws data from the Data Collection and Data Storage Modules and performs the biometric comparison for the decision. The Processing Module is comprised of two sublayers: Operating System and Application. Physically securing the operating system and application sublayers follows the same outline as the Data Storage Module. To ensure the reliability of the system, ample hard drive back-ups and redundant power supplies should be included when implementing the processing components of the biometric system. Physical access should be restricted as needed and consistently monitored at all times. Further concerns that should be analyzed are environmental factors such as fire suppression and climate control. Additionally, all non-essential peripherals such as floppy drives, CD-ROM, modems, and other unused interfaces should be disabled or completely removed from the machines.

The separation of the Processing Module sub-modules occurs in the information security and management layer of the BASS Model. The operating system sublayer (OSS) encompasses the risks intertwined with the chosen platforms on which the biometric system runs. It is important to realize at this level that there are potentially multiple operating systems running within the biometric system, and each must be secured accordingly. These operating systems are located throughout the other modules of the BASS Model, but are directly addressed in the OSS. Each operating system in the market has numerous known vulnerabilities. Those running the biometric solution must be researched for such documented hazards, and the proper fixes applied. Furthermore, any unnecessary networking components, services, and default users/accounts should be removed and/or disabled wherever possible.
To monitor the system for unauthorized access, an IDS program should also be installed on the operating system to aid in the uncovering of an invasion as well as provide a way of auditing to identify the point of entry. Finally, virus protection should be introduced to the operating system for protection in the event a virus infects the platform. Managing the security of the operating system deals with the practices and preservation of the operating system to ensure that only authorized users are granted access, and the operating system itself is up-to-date with the most recent revisions. This process begins with monitoring the publicly documented vulnerabilities. New flaws and bugs in the OS design as well as new viruses are discovered on an almost daily basis, and as such need to be accounted for immediately. The proper fixes, patches, service packs, and virus definitions should be tested and installed as they are deployed by the vendors. Login to the machines in the biometric system should be restricted at the operating system level to prevent any internal or external threat agents from accessing the system. Policies on all account passwords should be included, such as minimum password length, mixed character & symbol requirements, and password expiration periods. The final function of management is to determine handling of the backup media to ensure that it is not tampered with, copied, or otherwise damaged.

Due to the proprietary nature of current biometric applications, there are a number of implications that are addressed in the Application Sublayer of the Processing Module. Backdoors, logic bombs, and virus susceptibility are just a few of the possible deficiencies that a biometric application can introduce to a system. The Application Sublayer interacts directly with both the biometric device and the database over the Transport Module. Time stamps, digital signatures, and the "trusted" concept should be utilized in the application sublayer to ensure that the data being pulled is legitimate so that it can be compared by the application using the given biometric algorithm. To reach the appropriate decision, the threshold level should be applied within the application to the determined levels. The management layer of the application sublayer will determine the threshold levels that are required based on an appraisal of the value of the asset(s) being protected, the users who will interact with the biometric system, environmental variables, and overall set security conditions. Biometric applications extract data from the device, query information from the database, and make comparisons and decisions simultaneously. This creates a heavy demand on the CPU; therefore an analysis of the biometric software must be performed beforehand to determine the processor speed and RAM specifications for the system. The utilization of system resources should be monitored constantly, and upgrades should be made as needed.

Result Module

The Result Module of the BASS model deals with an area of the biometric process that can often go overlooked because the vulnerabilities at the Transport, Processing, and Data Storage Modules are more apparent and traditional in information security. The Result Module provides the protection measures for a biometric system at the stage after the biometric has been presented to the device, transported, processed, and compared. The application makes a decision based on the biometric that has been presented and its comparison with a stored template in the database. The application will respond with one of two answers: yes, this person has been identified, or no, this person has not been identified. The most obvious way for a threat agent to penetrate a biometric system is to tap in at this point and insert false decisions. If this can be achieved, the threat agent will have complete control over who is identified and who is not, making any security measures taken in any of the other modules completely irrelevant. Much of the prevention of this kind of attack may correlate with the other modules in the BASS model, like encryption, digital signatures, or a trusted decision (similar to a trusted device). The integrity of a system following the BASS model relies solely on the decision that is produced.

Once the decision has been returned it is important to instill a number of policies and procedures for the events that happen thereafter. First of all, it is important to monitor the decisions that are made. Logs should be kept containing the user being verified, the time and location of the verification, the actual decision (yes/no), and any other pertinent data that could assure that the system is making the right decision for the right people. Scheduled and unscheduled audit trails will assist the system in validating that the processes and information are holding their value. Additionally there is a need to have regulations in place in case there is a false reject. No biometric algorithm is perfect, and moreover there are people whose bodies or behavior may be incompatible with these systems, and thus these potential problems need to be addressed in the management layer. Likewise, in the event of a false accept, there must be directives in place for the removal of such individuals who gain false access to the assets protected by the biometric system.
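The decision log the paper calls for is only useful if someone audits it. The following added example (not from the paper) runs such an audit over a constructed log: each logged decision is re-derived from the matcher score and threshold recorded with it, so a decision that does not follow from its own score, the signature of a result inserted after the matcher, is flagged; a threshold that differs from the policy value is flagged; and users rejected repeatedly are listed for the false-reject handling procedure. The log line format, the field names, the 0.25 policy threshold and the three-reject limit are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed decision log (assumption): one line per verification, carrying
# the fields the paper asks for (user, time, location, decision) plus the
# matcher score and the threshold in force when the decision was made.
DECISION_LOG = """\
2003-06-12T08:01:03Z user=u1042 site=lobby-door-2 score=0.08 threshold=0.25 decision=accept
2003-06-12T08:01:40Z user=u2210 site=lobby-door-2 score=0.31 threshold=0.25 decision=reject
2003-06-12T08:02:11Z user=u2210 site=lobby-door-2 score=0.29 threshold=0.25 decision=reject
2003-06-12T08:02:58Z user=u2210 site=lobby-door-2 score=0.33 threshold=0.25 decision=reject
2003-06-12T08:05:17Z user=u3999 site=server-room score=0.47 threshold=0.25 decision=accept
2003-06-12T08:06:02Z user=u1042 site=lobby-door-2 score=0.10 threshold=0.40 decision=accept
2003-06-12T08:07:00Z user=u0007 site=lobby-door-2 decision=accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) site=(?P<site>\S+) "
    r"score=(?P<score>\d+\.\d+) threshold=(?P<threshold>\d+\.\d+) "
    r"decision=(?P<decision>accept|reject)$"
)


def parse_line(line):
    """Return the decision record as a dict, or None for a line that does not
    have the expected shape (itself worth flagging in an audit)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["score"] = float(rec["score"])
    rec["threshold"] = float(rec["threshold"])
    return rec


def audit_decisions(log_text, policy_threshold=0.25, reject_limit=3):
    """Re-derive each logged decision from the score and threshold it records.

    Findings are (line number or user, reason) pairs:
      decision-inconsistent  accept/reject does not follow from score vs threshold
      threshold-not-policy   the threshold in force differs from the policy value
      malformed              the line could not be parsed
      repeated-reject        a user rejected reject_limit or more times, to be
                             routed to the false-reject handling procedure
    """
    findings = []
    rejects = Counter()
    for number, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            findings.append((number, "malformed"))
            continue
        expected = "accept" if rec["score"] <= rec["threshold"] else "reject"
        if rec["decision"] != expected:
            findings.append((number, "decision-inconsistent"))
        if rec["threshold"] != policy_threshold:
            findings.append((number, "threshold-not-policy"))
        if rec["decision"] == "reject":
            rejects[rec["user"]] += 1
    for user, count in rejects.items():
        if count >= reject_limit:
            findings.append((user, "repeated-reject"))
    return findings


if __name__ == "__main__":
    for finding in audit_decisions(DECISION_LOG):
        print(finding)
```

The inconsistency check only works because the score and threshold are logged alongside the decision; a log that records the yes/no answer alone gives an auditor no way to tell an inserted decision from a genuine one, which is the reason for the "other pertinent data" the paper asks to be kept.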

4. CONCLUSION

This model extends current best practices of management policies and procedures in the information systems security discipline by overlaying them on the general biometric model [1]. Therefore, the authors are taking an existing set of paradigms from one discipline and applying them to another. Biometrics is a rapidly expanding market, as governments, companies, and consumers demand higher security to protect valuable assets. Without proper security measures and reinforcement from management, adding biometrics, whose sole purpose is to improve security, would be a waste of resources. As biometric systems begin to move into the mainstream, many of the vulnerabilities inherent in the nature of these systems' components will be exposed and exploited, allowing threat agents to manipulate any or all parts of the biometric process. As a structured methodology, the BASS model integrates both security and management concepts into the functional modules, resulting in a comprehensive technique for securing any biometric system. Following the guidelines set forth in the modules of the BASS model is an essential duty, which should be performed in all biometric implementations to ensure the availability, confidentiality, and integrity of the system. Doing so will ensure a high success rate for all BASS-compliant biometric systems.

5. BIBLIOGRAPHY

[1] Mansfield, A.J. and J.L. Wayman, Best Practices in Testing and Reporting Performance of Biometric Devices, 2002, Biometric Working Group, p. 32.

[2] J.E. Goldman, P.T. Rawles, Applied Data Communications: A Business Oriented Approach. New York: John Wiley & Sons, Inc., 2001.

[3] J. E. Canavan, Fundamentals of Network Security. Boston: Artech House, 2001.

[4] T. Bellocci, C. B. Ang, P. Ray, S. Nof, Information Assurance in Networked Enterprises: Definition, Requirements, and Experimental Results. CERIAS, School of Industrial Engineering, Purdue University, January 2001.
