Biometric Authentication - Assignment Example

Biometric Authentication 3 ID a) Why is a dedicated biometric "solution" needed? Briefly and critically review leadingedge approaches to role based authentication. What alternative solution(s) are applicable to this context of use? Provide their distinction(s) to rule-based authentication mechanisms. [25 marks] The primary goal of the military is to provide Britain with protection from external threats. In order to achieve this goal, the Department of Defense (DoD) has to deploy systems that not only protect it from external threats, but also internal ones. This has been necessitated by the tendency of terror organizations and individuals with ill intent to sabotage security systems internally. As such, it has become crucial for the military to authenticate the identity of every individual accessing its premises and systems (National Science and Technology Council Subcommitteen on Biometrics, 2006). Whereas this has been happening through security tools such as access cards, passwords, and tokens, these systems have proven to be ineffective as they can be forgotten, duplicated, shared, or stolen (Weicheng Shen, 1999). There is, therefore, need for a system that cannot be easily compromised. The use of human features, biometrics comes in handy in the identification of individuals while keeping their privacy intact. These features may be physical or biological and may include characteristics such as skin color, height, eye color and weight. These features are unique to individuals and readily available; hence, making them ideal for the development of dependable authentication systems. If used together with traditional systems, such as password protection and fingerprint technology, the result is a security system that is complex, and yet very efficient and hard to manipulate. Role Based Access Control DoD could develop access control systems based on the roles individuals play. This control algorithm allows users access to premises and equipment that are relevant to their activities in the military. The system, therefore, limits the accessibility of information and critical equipment to people who are authorized to interact with them (Ferraiolo, Kuhn, & Chandramouli, 2007). DoD could decide to develop a system, costs notwithstanding. A lot of resources would be deployed in the project, as long as it guarantees that the role based access control will be possible. Since it would be hard to develop systems that cater for individual staff, DoD can come up with an authentication system based on the roles people play. Staff can be categorized into groups, depending on their ranks and responsibilities in the military and offered access rights relative to their statuses (Murrell, 2001). This would provide officers within the same ranks similar access rights while still providing exceptions for exceptional cases. Enterprise RBAC (ERBAC) DoD spends public funds as it endeavors to provide security to the county. Just like any other public institution, it is necessary for the department to account for its expenses. It is, therefore, necessary for DoD to make sure all its activities make business sense. Enterprise Role Based Access Control seeks to ensure that as DoD invests in role based access control measures, the results of using the system are not only financially measurable, but also provide an acceptable return on investment. Depending on the severity of the case at hand, DoD is at liberty to choose the role based access control methodology it wants to deploy. In sensitive matters of national or international security, DoD could develop authentication systems without considering costs and returns on investment (Ballad, Ballad, & Banks, 2010). However, this ought to be done with caution as it is important for DoD to appear to use public resources appropriately and in the best interest of the citizens of the United Kingdom. Alternative solutions i. Discretionary Access Control This access control mechanism restricts access based on subject identity. A subject with access to the resource can share access rights to any other person that joins the group (Jordan, 1987). Access rights can therefore be shared at the discretion of users who already have rights to access the system. When a user leaves the group, any other member who has access rights to the system can delete their profile. In this context, DoD could use this mechanism to provide access to its non-critical systems to its personnel. ii. Mandatory Access Control (MAC) This access control mechanism limits the possibility of a user to carry out some actions on the system. Users are located security attributes; a user cannot access or modify processes which his or her security attributes do not approve. This makes MAC similar to RBAC; the difference comes in the scope of operation. RBAC operates at the role level, whereas MAC operates at the individual level. This approach could be very instrumental to DoD as it would allow the department to determine security clearance levels fmor all system users individually; thereby ensuring that users have access to information that is relevant to them. b) You should provide a critical review of the weaknesses and strengths of PALM biometrics (as published in the public domain). Are there any indicators to suggest that such a non-intrusive contactless authentication mechanism provides higher reliability in that particular context? [25 marks] Hand biometrics have been in use for the longest period among the methods used in biometrics. It includes such characteristics as palm print, palm vein, finger print, and hand geometry (Jain, Ross, & Nandakumar, 2011). Whereas the other hand biometrics use features in the external section of the hand, palm vein biometrics utilizes the internal alignment and arrangement of veins in the palm, which are unique even among twins (Biometric Newsportal). Palm print biometrics recognizes prints made on the surface of the palm. Just like other biometric authentication techniques, palm biometrics has its strengths and weaknesses: Strengths of Palm biometrics i. Palm veins and prints are part of the body and do not change significantly as a person grows. ii. Patterns formed by palms are unique to individuals; hence, eliminating the possibility of having two people with similar prints (Chirillo & Blaul, 2003). iii. Palm veins are hidden inside the human body; hence, it is not easy to manipulate them (Kenneth Wong). iv. The palm is large, hence provides a large surface area over which to cover distinctive features, making it better than fingerprint reading. Weaknesses of Palm biometrics i. The success of the system depends on the quality of pictures taken. Powerful equipment take quality images with distinct features while faulty equipment fail to identify critical features. This can compromise the reliability of the system. ii. Palm print scanners are bulky and expensive, limiting their use to localized positions. The fact that palm biometrics provides a large surface area, enabling the detection of more distinctive characteristics than fingerprints, means that palm biometrics could be be used to identify people in place of fingerprint technology. c) Give a full rational behind the alternatives to biometric templates MoD can use. What are the limitations and risks of template(s) usage in that particular case? Fully discuss their suitability and any inherent dangers or other weaknesses applied. [25 marks] Apart from biometric authentication, DoD could employ the following techniques to protect the integrity of its systems and premises: a) Password protection DoD could develop a system that creates user profiles for all its officers. The officers access the system using passwords that only they would know. The system should be able to distinguish the access rights of all users, and allow them access to areas that are relevant to them only. Advantages i. Passwords are easy to generate and manage Disadvantages i. Passwords can easily be shared, stolen, or intercepted by hackers; hence, making it possible for more than one individual to access the system using similar login information (Wolak, 1998). b) Using the Intranet DoD could opt to deploy its system within its local intranet and deploy security protocols and firewalls to ensure that it cannot be accessed from outside the intranet. This would ensure that any access from without its premises is blocked (Jang, 2010). Advantages i. It minimizes the number of external threats hence reducing unauthorized access (Goodrich & Tamassia, 2010). ii. It does not require a lot of maintenance Disadvantages i. The protocols cannot protect the system from attack within the intranet; hence, necessitating the deployment of other security measures to protect the system from local attacks (Bertino & Takahashi, 2010). ii. The protocols can be expensive to install c) Tokens These are physical items that can be used to authenticate their owners (McGraw, 2006). DoD could opt to develop special physical keys or proximity cards to regulate user access. Users would have to produce these at strategic points to be given authority to use or access military information, equipment, or premises (Ferguson, Scheneier, & Kohno, 2010). Advantages i. Tokens are easy and cheap to produce Disadvantages i. Their physical nature makes them easy to steal ii. They can easily and cheaply be reproduced iii. They require other security systems like passwords and biometrics in order to function effectively (Gibson, 2010). d) Discuss the optimal means of protection at the end-user level (PC) that Steria can employ as part of the security policy imposed. Critically present your findings and give full arguments on their suitability in that particular scenario. At the end-user (PC) level, the most optimal authentication would be achieved through a marriage of tokens and passwords. The PC should have a card slot where the user inserts his or her proximity card. The system will then identify the user on the card and prompt him or her to enter his or her username and password (Solomon, 2010). The system will compare the username and password the user enters with those in the system without alerting the user of the information contained in the card. The system will authorize access only when the information the user submits is valid (Hardwood, Goncalves, & Pemble, 2010). Communication amongst PCs should also be conducted over a secure shell (SSH), and cryptographic keys deployed to ensure that the system not only authenticates users, but also validates messages shared and encrypts data on transit (Mallow) (Anderson, 2008). A combination of these security measures would be necessary at the DoD to ensure that not only authorized users access the system, but also that their activities are authenticated and data transmitted in secure ways. This will help guarantee both authenticity and privacy of information and data at the DoD. Bibliography Anderson, R. J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems. Hoboken, NJ: Wiley. Ballad, B., Ballad, T., & Banks, E. (2010). Access Control, Authentication, and Public Key Infrastructure (Information Systems Security & Assurance). Sudbury, MA: Jones & Bartlett Learning. Bertino, E., & Takahashi, K. (2010). Identity Management: Concepts, Technologies, and Systems (Artech House Information Security and Privacy). London: Artech House. Biometric Newsportal. (n.d.). Palm vein biometric systems. Retrieved April 4, 2013, from Biometric Newsportal: http://www.biometricnewsportal.com/palm_biometrics.asp Chirillo, J., & Blaul, S. (2003). Implementing Biometric Security (Wiley Red Books). Hobokken, NJ: Wiley. Ferguson, N., Scheneier, B., & Kohno, T. (2010). Cryptography Engineering: Design Principles and Practical Applications. Hoboken, NJ: Wiley. Ferraiolo, D. F., Kuhn, R. D., & Chandramouli, R. (2007). Role-Based Access Control, Second Edition (2nd ed.). Norwood, MA: Artech Print on Demand. Gibson, D. (2010). Managing Risk in Information Systems (Information Systems Security & Assurance Series). Sudbury, MA: Jones & Bartlett Learning. Goodrich, M., & Tamassia, R. (2010). Introduction to Computer Security. Boston, MA: Addison-Wesley. Hardwood, M., Goncalves, M., & Pemble, M. (2010). Security Strategies in Web Applications and Social Networking (Information Systems Security & Assurance). Sudbury, MA: Jones & Bartlett Learning. Jain, A. K., Ross, A. A., & Nandakumar, K. (2011). Introduction to Biometrics. New York: Springer. Jang, M. (2010). Security Strategies in Linux Platforms and Applications (Information Systems Security & Assurance). Burlington, MA: Jones & Bartlett Learning. Jordan, C. S. (1987). Guide to Understanding Discretionary Access Control in Trusted Systems. Collingdale, PA: Diane Publishing Co. Kenneth Wong, T. L. (n.d.). Analysis of Palm Vein Biometric System. Retrieved April 4, 2013, from http://courses.ece.ubc.ca/412/term_project/reports/2007-fall/Analysis_of_Palm_Vein_Biometric.pdf Mallow, C. (n.d.). Authentification Methods and Techniques. Retrieved April 4, 2013, from Global Information Assurance Certification: http://www.giac.org/cissp-papers/2.pdf McGraw, G. (2006). Software Security: Building Security. Boston, MA: Addison-Wesley Professional; PAP/CDR edition. Murrell, L. (2001, August 1). Role-based access control has benefits for security. Retrieved April 4, 2013, from Security Solutions.com: http://securitysolutions.com/mag/security_rolebased_access_control/ National Science and Technology Council Subcommitteen on Biometrics. (2006). The National Biometrics Challenge. Washington, DC: Executive Office of the President of the United States. Solomon, M. G. (2010). Security Strategies in Windows Platforms and Applications (J & B Learning Information Systems Security & Assurance Series). Sudbury, MA: Jones & Bartlett Learning. Weicheng Shen, T. T. (1999). Automated biometrics-based personal identification. Proceedings of the National Academy of Sciences of the United States of America , 96 (20), 11065-11066 . Read More