I'm Nate Rottchaffer. I'm a sophomore from the University of Nebraska at Omaha, and I'm here to talk to you about biometric authentication. These are just some of the things we'll cover. I'll kind of go over them as we go; it's on the CD for you, though.

The first thing is some background on authentication itself, and a couple of definitions that go along with it. The first one is identification. Identification is the method used by a system to uniquely identify an individual; it's basically a way to prove who you are. Some examples: usernames, driver's licenses, etc. Authentication, on the other hand, is a way to verify your identification. A lot of times it's a password in current systems. For this purpose it could be something like a fingerprint, an iris print, anything like that that continues to prove who you are a little bit further.

Authentication had kind of a long development. It started out thousands of years ago with what you know. They used to always send people out with some type of secret passphrase or something, if you will, so that if you were meeting somebody it guaranteed who you were. It got to the point that those types of things were no longer good enough, and people could get that information. So they went to something you have. This could be something like a special object: if you're a mailman, you have the mail, so we know that you're probably a mailman. It got to the point then where those types of objects could be forged, and there's no way to guarantee that that really says who you are. So we go to what you are, which is kind of the biometric idea. You have a fingerprint that uniquely identifies you as an individual versus you being somebody else, because the chances of somebody having the same fingerprint are statistically improbable.
And now recently they're starting to talk about how you are: a way to identify you based purely upon your behavior, because they figure that each person acts individually and continues to act in that same manner, roughly speaking, so that you could identify them.

We'll just go over some general network security tips quickly before we actually talk about biometrics, because that's how we're going to talk about biometrics. First of all, security is not installing a firewall. It's not a product or a service, and it's not just running an audit and shutting things off. Security is instead that you have to be able to work productively without interruptions, so the hacker can't come and shut you down. If that's happened to you, you probably don't have the best security. Your security is only as good as your weakest link. Later on we'll talk about this; in most organizations today, the users are your weakest link. Most people actually understand that, and biometrics are another way to ensure that your users don't become your weakest link. And it goes on: security is like a risk management type of thing, but really what it boils down to is that security is an ongoing thing. It has to happen every day and in every decision you make, and it basically is the policies and procedures that you set forth actually working.

General network security problems: you have your replay attacks. You capture some information going down the wire, replay it, and gain some authentication. Denial of service was popular for a while; it's kind of going by the wayside now. Spoofing: still taking over a computer, some type of man-in-the-middle attack. Your users are probably one of your biggest problems in network security. They just, you know, the little passwords on sticky notes under the keyboards just don't cut it anymore when we're trying to protect confidential data. And basically the overall thing is that there's no silver bullet to network security.
There's no one thing that you can do to just make it all right. So once again, your users are your weakest link, and this is just kind of a way to help you with that. You have to have a proactive security plan. You have to have the ability to know what you're going to do in response to each situation and actually be able to follow through on that situation. Because your users are your weakest link, high-grade authentication becomes a necessity. You have to have a way to say that these people are who they say they are and that they're allowed these resources. And the way to do that is no longer using a password, because you can crack those. You need something that's a little bit higher assurance. And biometrics help allow for this situation to occur.

So, the need for high-grade authentication. Basically you need high-grade authentication in higher security areas. A lot of ISPs have them, like in their NOC. Banks have them a lot of times to get into vaults. Just higher security areas where you want to keep out people who could generally get in. The other way is to do more than one type of authentication. Combine a biometric with a username and password, something along those lines, to actually allow you to do that. And basically what it amounts to is you need to have a high assurance that they are who they say they are.

With biometrics there are a couple of different error types associated with them. The first one is a type one error. What this basically is, is that we accept a person in error. So they present a biometric; they're not actually allowed to authenticate to the system, but we allow them in anyway. When you do this it generally becomes the most dangerous, simply because those people aren't supposed to be there, and now they're there. What can they do? So it allows for a high exposure. But it is preventable through a balance between type one and type two. The type two error is a denying error. All this is, is that they're supposed to be allowed in,
but for whatever reason we deny them and don't allow them access. The thing is that you can usually set policies, as far as, like, a fingerprint, on which different unique characteristics it looks at. But generally, as you get more and more difficult in what you're looking at, you're going to get more and more type two errors, but you're going to reduce the type one errors. So it's just a balance of where you feel your network security needs to be.

There are various forms of biometric authentication. Probably the most common one right now is fingerprint scanners, simply because they're small, they're portable, and they're easy to use. You can integrate them into mice, keyboards, whatever you want. Retina scanners are a little bit more expensive, although they're selling one in the vendor area for like $150 right now. But they're generally harder to use; you have to keep the eye very, very still. The iris scanner is one that I've played with kind of significantly. It's basically just a specialized webcam; pick it up for probably about $150. But there again it has the same kind of problems as an iris scanner, where you have to keep the eye very, very still. Voiceprint scanners are becoming a little more popular. Basically it's a standard microphone with software that tells whether you're talking the same way you always have or not. Handwriting recognition goes along the lines of when they verify your signature for a credit card, except now you're going to computerize that and make it a little more automated. Handwriting recognition happened at the Super Bowl, if you recall. They had cameras that just take pictures of people and match them against a database of known people, whether that's for your network or for, like, terrorists or whatever. Personal geometry is becoming a little bit more common. That would be like hand geometry; just the shape of your hand will help tell who you are. DNA is kind of the thing that's going out there.
If anybody's seen the movie Gattaca, it's that type of thing. But right now it's too slow to have in a network security setting.

Some of the pros and cons of each of them. Fingerprint scanners, as I mentioned, are very small. You can integrate them into mice and keyboards and just make them a part of your everyday life. They're generally fairly foolproof for the user. They stick their finger on it and it works or it doesn't. It's not really a big problem. The retina scanners and iris scanners both kind of have the same problems: the eye has to be kept fairly still, and they're a little bit more expensive compared to the other ones. The iris scanner has the advantage of being very small. It's the size of a normal webcam; it doesn't get very big. It could fit on a user's desk. The iris scanner that I've played with actually doubles as a webcam. Voiceprint scanners are fairly easy. You just give the user a microphone and have them talk into it. The problem with a voiceprint scanner is that we all know that our voices aren't always the same. So if your voice changes, it could deny you in error, and then you have a problem. Handwriting recognition: the handwriting of people generally changes over time. Depending upon your mood or how much of a hurry you're in, your handwriting can change. So it's really hard for a computer to say definitively that you are who you say you are. Face recognition is kind of becoming a little bit more popular after the Super Bowl. There's a lot of software out there now that allows you to do this pretty easily. Just slap a webcam on people's desks and it'll take a picture and tell you who you are. Personal geometry is kind of starting to come about now, becoming a little cheaper and a little more practical. It's still primarily a wall-mounted device, just because you have to put your hand into it. DNA, like I said, is pretty much just slow, but it's pretty much the most accurate one out there that you can use.
Kind of a short little what's hot, what's not. In the biometric arena right now, probably the biggest thing that's hot is the fingerprint scanners and the iris scanners. This is pretty much simply because they are cheap, they're easy to do, and they're not hard for users to learn how to use. It doesn't take a lot of administration. So network administrators think that it's great: it gives them the biometrics, and users don't have a hassle. Multiple-stage authentication right now is kind of the name of the game. Use usernames, use passwords, and then also add a biometric, or something beyond the username and password stage, to try and keep everything secure. The new thing now is kind of this interoperability, interchangeability. It would be nice if every user could have one piece of software on their desktop and use any device that they want. Right now it's all pretty much proprietary. They're kind of moving towards interoperability. You know, your iris scanner uses different software from your fingerprint scanner, which uses different software from the retina scanner, et cetera. What we need to do is get to a point where all of these use the same software; you just plug in whatever you happen to have at the time. So along with that, you kind of have to get some standards going. Microsoft is kind of pushing their BioAPI right now for doing biometric authentication on their Windows platform. It hasn't really taken off yet, and we're going to work more towards these standards as time evolves. The other thing that's really nice for organizations is to have server-based signature storage. Whenever you take a biometric print, or however the biometric device works, you have to store that somewhere. In most network settings right now, it's inconvenient to store them on each and every machine. You have to be able to actually store them on a server and authenticate to the server, which presents some problems we'll talk about in a little bit.
Kind of what's not hot right now: proprietary devices. This kind of goes back to the interoperability thing. You don't want to be stuck to one vendor or one platform. You want to be able to use it across all your platforms with any vendor that happens to be handy. Client storage of signatures, simply because it's kind of hard to do that across an enterprise network. DNA right now probably isn't, because of the length of time. If they can get that time down to a reasonable amount, say 30 seconds or something, that'll probably take off, just because it's very high assurance that you are who you say you are. And then the other thing that's not is, of course, just usernames and passwords.

The big players right now in the biometric arena are a lot of ISP network operations centers. There was one that I recently toured in Omaha, Nebraska, where I'm from, that does use HID cards, smart cards, that type of thing, to gain access to it. Healthcare organizations a lot of times are starting to get into this, and it would possibly be handy if they had a biometric associated with your medical records. You come in and you're in an ambulance and nobody's with you. They need to know your complete medical history. They do a fingerprint and they might be able to pull that up. The banking industry, once again: you know, getting into a vault or any secured area inside the bank. Military and government agencies right now are pretty much deploying these things unilaterally. The DoD has recently announced a project where all the military IDs are going to also have a smart card, and then it stores a biometric signature, which goes along with the Department of Defense. Schools are now starting to get into it for staff members, allowing them access to some areas that they haven't had access to before or that haven't had controlled access. We're now going to use biometric devices to allow you to get in there.

So network management with biometric devices has several problems.
The first one is the cost. The general cost of each of the devices is listed. Obviously, probably the one that's most appealing to most companies is the fingerprint scanner. It's cheap, easy, and quick to use. The retina scanners, while they have a used one here really cheap, are generally not as cheap as that; they range up to $500. So right now, based on cost, the most popular ones are probably a voiceprint and a fingerprint scanner. Just note that the voiceprint and the face recognition are mostly software costs. The ease of deployment for an administrator on a fingerprint scanner is easy because, as I mentioned, you just integrate that into a mouse or a keyboard; it just becomes part of your daily life. The retina scanner is a little harder. It's usually a wall-mount device; it's a little inconvenient to deploy on a user's desktop. The iris scanner is hard for just one reason: you have to buy all these webcams, and it's tough to keep track of them in an organization. The voiceprint scanner isn't bad. It just requires the server-side software to be implemented and then for every desktop to have microphones. Face recognition is really easy: slap a webcam up and that pretty much takes care of it. Management from an IT perspective: the fingerprint scanners are really easy. Your fingerprints very rarely change. You enroll them in the system one time with a fingerprint, and everything should pretty much be good from then on out. The retina scanner and iris scanner are just hard from a management perspective, simply because the users are going to have problems. The chances are it's going to take them longer to log in, and any time it takes people longer to log in, the IT help desk usually gets a call. The voiceprint scanner, once again, is pretty easy. Put a microphone on their desk, install some software, and you're pretty much good to go.
Face recognition is going to be about the same, where you're going to be deploying a webcam on everybody's desk, and you need to make sure that they have themselves positioned right, it's in focus, et cetera. The user effects: what this is basically saying is how much does it affect the user? Nothing is as easy as just a username and password, so everything is a medium or higher. The only one that got a high was the voiceprint scanner, basically because the voice can change, and when it does change you're going to have a lot of management problems. You're going to have to re-enroll them, et cetera. Everything else is pretty much enroll once and the user should be able to figure it out.

Some of the problems right now with the biometric devices. The biggest one is a replay attack. Similar to how you can go across a network, you can capture what goes down most of these devices. Most of them send it down a USB cable now, and the iris scanner that I've played with appears, on a wire-line analysis, to just send it out in an unencrypted TIFF format. How convenient: I can capture that, maybe print it out and see what I can do with it. Otherwise, if I don't want to print it out, I just capture the entire session, go ahead and replay it back down, and I'm John Smith the network administrator now, and I have all of his privileges. It might be possible, and what we're kind of looking into now is to see if you can't build a little device, similar to what a keylogger is, that goes between the keyboard and the computer, to capture this on a USB device, because most people don't turn around their computers and look at the USB ports before they log in, and then now I have your authentication information. One of the other big problems is the loss of a biometric signature. Since all of these are stored on the server, how they're stored on the server is very, very vendor-dependent right now.
Most of them at least make an attempt to encrypt them, but the problem is that if I gain access to that database and can decrypt it, I have your biometric signatures. Now, if you do it on fingers: you have one finger, I have it. Now you have nine more. Every time I get another one, you lose one. So eventually I have all your fingerprints, and what am I going to do with them? I don't know, but I could probably do something with them, such as authenticate as you. The reverse identification possibilities: a paper was really saying right now they can't do this, but the possibility might be there later on, as software evolves, that if I have your biometric signature and I try and put it on here, I can now determine who you are. This was kind of a large problem with the national ID card system that they were talking about, that they might put biometrics in, which basically would say: store a biometric, now give me your signature, and I can verify that you are who's on this card. Encryption of information going down the wire: right now it appears from the wire-line analysis that a lot of this information that goes down the wire is not encrypted. So I can get it, and then wham-bam, I have a TIFF image, or I have whatever its proprietary format is. It's probably not that hard to decode their packets and figure out what they're sending and how they're sending it. The other problem is the reuse of that unencrypted information. If I have it, I can reuse it somehow, whether it's to become you or to authenticate to a door or a computer that you say only you have access to.

So, kind of a proper network security setup to use biometric devices. The first thing is you have to secure these signatures. You have to put them in a location that nobody can gain access to. You have to make sure that they don't really have a high ability to be corrupted. And you have to make sure that in general the signatures aren't going to change.
For the most part, you enroll, and your biometric doesn't change unless the network administrator changes it. So make sure that other people besides the network administrator don't have access to make changes to this. That's probably one of the best things you can do. Also make sure that all of your backups for the server that this is stored on are stored in a secure location, because you have to keep in mind these backups contain that biometric database. There has to be some way to stop signature interception. This is basically capturing what goes down the wire across a network. There's not really an easy way to do that right now. The method will probably be developed, and it has to be developed before these can really be deployed in a serious way. You also have to protect against latent signatures that are still on the fingerprint scanner from being reactivated. There was recently a guy who was reactivating the latent prints with about $10 worth of supplies from a local grocery store, and he defeated, I believe, 9 out of 10 devices that he tried it on. The other problem is the login security. You need to make sure that the path between the computer and the authentication device is secured. You can't have something like that device on the USB cable, like I was talking about, be allowed. You can't have it tapped; otherwise I just got everything that was sent down. So that kind of goes along with this: you also want to make sure that the device itself hasn't been tampered with, hasn't been opened up and had new wires added, or had a device like that inserted into it. The other thing is you need to make sure that it's using an encrypted transmission. You know, if you have to run it over something like an SSH tunnel, some way to make sure that it's not going across your network in the clear. The other biggest problem is: what do you do when a user gets up and walks away from their desk?
If they don't lock their computer, you've probably just given somebody access to whatever they had access to. On a webcam it's not too hard: if there's motion, you can tell that they're still there. On a fingerprint scanner, how are you going to do it? That kind of thing needs to be developed, to allow you to continuously monitor the person to determine if they're going to have problems. And then of course, the what-goes-down-the-wire issue. And then the last one kind of came about because of the recent guy that bypassed it with about $10 worth of equipment: how are you going to verify that it's a real biometric signature? The fingerprint scanners recently thought they had this brilliant way that was going to test for capacitance in the finger, which is basically how it can hold a charge. However, the guy that did it for about $10 defeated all of those also. Then you need to make sure that people can't just bypass the entire device itself. You need to make sure that it's, obviously, once again, tamper-resistant at the local machine. Make sure that people haven't messed with it. They haven't touched it. They haven't moved it. They haven't added devices to it. And they don't have any way to capture the data. And then once again, the biggest thing right now is that you need to be able to tell a real biometric signature from a fake. You don't want people coming up with this $10 gelatin finger with a fingerprint on it and being able to gain access to your network. And then the other thing is that the best thing you can do right now is to combine biometrics with usernames and passwords. Don't just use one or the other; use them both. The more layers that you add, the better off your security is. Consistency: right now, you need to make sure that environmental elements don't have effects on the biometrics themselves. You know, if you're sick, your voice changes a little bit, something like that.
It's something that's beyond your control, but you need to make sure that it doesn't cause the signature to change. The other thing is that, kind of like everybody else right now, you need to make sure that on biometrics all your network users adhere to the same policy. You can't have just the administrator with a biometric device on only their desktop. Everybody has to have them. If the network administrator's is the only machine that has one, I can go log in as him on somebody else's machine with just his username and password. That's all there is to it.

So basically, can biometrics be bypassed? Yeah. They can, by basically how they're connected: making a little device to capture everything that goes down, and being able to replay it. The device itself can be fooled by a non-real biometric signature. The consistency in the devices themselves is somewhat questionable right now, as far as whether they all read the same thing or not. Some of the recent bypassing methods were basically as I was talking about. The guy went to a store, had some latent fingerprints left on a fingerprint scanner, and reactivated them basically by making a gelatin finger. That cost about $10, and the guy fooled 9 out of 10 fingerprint scanners on the market. Being fooled 90% of the time probably isn't good enough for most network security people to go ahead and deploy those.

So, kind of some predictions going forward. Basically I feel personally that we've got to get through this whole thing where it's got to be able to tell a real one from a fake one, and you have to be able to continuously monitor these people. You want it to the point where you get up and walk away from the machine and it locks instantly, and requires that biometric signature that was logged in to unlock it. And until we can get to that point, biometrics aren't going to do a whole lot. You have to get to a point where securing every network is an everyday job.
Everything has to be taken into consideration for that, and you have to configure all your machines identically. The problem with that is that the cost associated with it is prohibitive for most companies, but it's going to come to a point where they're going to realize that their critical data is worth protecting regardless of the cost.

So I guess before we do some questions, I'm just going to say thanks to Dr. Burnham, who's back in the back of the audience, who's the director of NUSHA, who kind of sponsored this, and DEF CON for letting me speak, and Dan DeVries, who was the guy who originally helped me with some of the research on this and wasn't able to make it. That's my contact info. It's all on the CDs. Not a big deal. And some links are on the CD too. I guess from this point I'll just open it up to any questions you have.

Okay, the question was that as you're getting older your eyesight goes down, and it was kind of a two-part question: how is that going to affect your scan, and also what kind of technology do they use as far as damaging your eyes? How it affects an iris scan and a retina scan is probably going to be fairly minimal. An iris scan really doesn't do anything except take a picture of your eye, and a retina scan scans the retina in the back, which in general probably isn't going to be as affected. As far as affecting your eyes themselves, an iris scan is basically just a picture; it doesn't have any bright lights associated with it. A retina scan uses what I believe is some type of laser technology, which should be safe. But, you know, it can vary by manufacturer, so you kind of have to look at that on an individual-by-individual basis.

The question was: is there going to be a problem if a company has all your biometric signatures, they go under, and then they continue on to the next place and give them out, and whether that's going to have an impact. The impact right now is probably mostly a privacy concern.
You know, your biometric signatures are one of those things that you can't replace. It's kind of the same concept as what a Social Security ID was originally, where only you should have access to it. Over the years we've become very lax as a society about allowing people access to that information, and I think that a privacy concern does exist there, and I'm kind of looking into that in a school setting for a paper I'm working on. So I guess the privacy concern is there, and we kind of need to get to a point where it's not necessarily acceptable to give everybody every biometric identification we have. Anything else?

The question was: some biometrics can change, so is it really a better system than usernames and passwords? I would argue that it probably is better, but you shouldn't have to choose. You should use both. You still need to use a username. You still need to enforce your password policy, but you also need to use biometrics in addition to it. It's not just a biometric as a one-fix solution to everything. It's to be used in conjunction with everything else.

You'll have to come up. You'll have to come up; I can't hear you. The question was: how do I envision dealing with a situation where a biometric signature has been compromised? Well, the problem with a biometric signature being compromised is that there's not a lot you can do. As a company, if one of your employees has had it compromised, your option is to go to the next biometric, whether it's another finger, an iris print, or whatever. As far as an individual, that creates somewhat of a problem, where your personal data is now available to whoever's got that biometric information, and it goes back to the whole privacy issue, and what can I use that to make it more common? The fact that it could be stolen is a real issue. What can I gain access to that that individual had?

The question was how do you have a computer that can tell a personality, because I mentioned earlier that that was kind of where it's going.
That honestly hasn't really been determined yet. It's just something that just recently, like in the last couple of weeks, came out that they're starting to look into: how people's behaviors differ. Research is still going on there, and there's not really a definitive answer on that right now. It's just kind of a stay-tuned, coming-soon type of preview.

The question was how sophisticated is face recognition software; can you just hold a picture up to it and fake it? It kind of would depend on the software and what it checks. The possibility is certainly there that that could occur, just like the possibility is there that I could hold a picture. I would say that this probably depends upon what they look at, on a software-by-software basis, since there's not a standard right now.

The question was that I mentioned earlier that DNA wasn't fast enough, and he asked about basically the privacy issues concerning DNA, and the fact that we give that out all the time with hair and sweat or whatever, and would it really be worth it? Yeah, that's a privacy issue just like every other biometric. The only thing that you're gaining is the presence of who you are, but there is an issue with the fact that, depending upon how they're gaining that DNA information, it could be something where a piece of hair would be sufficient. Maybe it's going to be a blood sample; it really would kind of be determined as we move forward with that. But yeah, there's definitely a privacy concern with that, and it also kind of leads into another problem: when I have your DNA I might know about any existing medical conditions you have, but say I'm discriminating against you because I have that knowledge now. Any last questions? Okay, thanks a lot guys.
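Worked example for the error-type trade-off the talk describes (the "type one" accept-in-error versus "type two" deny-in-error balance, and the claim that tightening what the scanner looks at trades one for the other). This is an added example, not code from the talk or from any scanner vendor: the match scores are constructed, the 0..100 similarity scale is an assumption, and the naming of the two rates follows the talk's convention (false accept = its type one, false reject = its type two).

```python
"""Threshold sweep over constructed biometric match scores, showing how the
false accept rate (FAR, the talk's "type one") and false reject rate (FRR, the
talk's "type two") move against each other as the accept threshold tightens.
Added example; scores are constructed, not measurements from a real device."""
from fractions import Fraction

# Constructed matcher similarity scores (0..100, higher = closer match); not real device data.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61, 58, 55]   # enrolled user, own finger
IMPOSTOR_SCORES = [72, 68, 64, 60, 57, 52, 49, 44, 41, 38, 35, 30]  # enrolled user vs. someone else

def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(false accept rate, false reject rate) for the policy: accept iff score >= threshold.

    A false accept lets an impostor in (the talk's most dangerous case); a false
    reject turns a legitimate user away (a help-desk call). Exact fractions keep
    the arithmetic honest on small samples."""
    far = Fraction(sum(1 for s in impostor if s >= threshold), len(impostor))
    frr = Fraction(sum(1 for s in genuine if s < threshold), len(genuine))
    return far, frr

def candidate_thresholds(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Every score at which a rate can change, plus one step above the top impostor score
    (the first threshold with zero false accepts)."""
    return sorted(set(genuine) | set(impostor) | {max(impostor) + 1})

def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """[(threshold, far, frr), ...]: FAR only falls and FRR only rises as the threshold rises."""
    return [(t, *error_rates(t, genuine, impostor)) for t in candidate_thresholds(genuine, impostor)]

def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest (ties -> lowest threshold), the usual
    one-number summary of a matcher's accuracy."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr), t
    return min(candidate_thresholds(genuine, impostor), key=gap)

def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Loosest threshold whose FAR stays within a budget, with the FRR that budget costs.
    A vault-grade deployment would set max_far to 0 and accept the resulting rejects."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR budget")

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:3d}: FAR {str(far):>5}  FRR {str(frr):>5}")
    t_eer = equal_error_threshold()
    print("equal-error threshold:", t_eer, error_rates(t_eer))
    print("zero-false-accept operating point (threshold, FAR, FRR):", threshold_for_max_far(0))
```

On these constructed scores the two rates cross at threshold 64 (one in four impostors accepted, one in four legitimate users rejected); driving false accepts to zero pushes the threshold to 73 and rejects five of the twelve legitimate attempts, which is the balance the talk says each network has to pick for itself.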
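Worked example for the replay attack the talk describes (capture the sample going down the cable or the network, play it back, log in as the administrator) and for its counter-measure list (encrypted transmission, a secured path between device and computer). This is an added example, not code from the talk or from any scanner product: the template bytes, the per-device key and the challenge-response exchange are all constructed assumptions, and the device key is assumed to be provisioned into the scanner and the server at deployment and never sent over the wire.

```python
"""Replay of a captured biometric sample against a naive verifier, beside a
challenge-response verifier that binds each sample to a one-time nonce with a
keyed MAC so the same capture cannot be played back. Added example; the
'template' is constructed bytes standing in for whatever a scanner emits
(the talk's unencrypted TIFF, or a vendor's proprietary blob)."""
import hashlib
import hmac
import os

ENROLLED_TEMPLATE = b"constructed-iris-template-for-john-smith"  # stands in for the stored signature

def naive_verify(sample: bytes) -> bool:
    """What the talk observed: the scanner ships the raw sample and the server compares
    it to the enrolled copy. Anything that was ever on the wire works again."""
    return hmac.compare_digest(sample, ENROLLED_TEMPLATE)

class ChallengeResponseVerifier:
    """Server side. Each login gets a fresh random nonce; the device must answer with
    HMAC(device_key, nonce || sample). The nonce is consumed on first use, so a
    recorded exchange is bound to a challenge that will never be issued again."""

    def __init__(self, device_key: bytes, template: bytes):
        self._key = device_key
        self._template = template
        self._outstanding = set()  # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used nonce: replay or forgery
        self._outstanding.discard(nonce)  # single use, even if the rest of the check fails
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # not produced by the keyed device for this challenge
        return hmac.compare_digest(sample, self._template)

def device_respond(device_key: bytes, nonce: bytes, sample: bytes) -> bytes:
    """Scanner side: MAC the captured sample under the per-device key (assumed to be
    provisioned at deployment) together with the server's nonce."""
    return hmac.new(device_key, nonce + sample, hashlib.sha256).digest()

def demo():
    """Returns (naive_replay_accepted, honest_login_ok, replay_rejected, forged_nonce_rejected)."""
    # 1. Naive path: the attacker sniffed the cable once and plays the bytes back.
    captured = ENROLLED_TEMPLATE  # exactly what a tap on an unencrypted link sees
    naive_replay_accepted = naive_verify(captured)

    # 2. Challenge-response path with the same attacker recording everything.
    key = os.urandom(32)  # lives in the device and on the server, never on the wire
    server = ChallengeResponseVerifier(key, ENROLLED_TEMPLATE)

    nonce = server.challenge()
    tag = device_respond(key, nonce, ENROLLED_TEMPLATE)
    sniffed = (nonce, ENROLLED_TEMPLATE, tag)  # the whole exchange, as a tap would record it
    honest_login_ok = server.verify(*sniffed)

    replay_rejected = not server.verify(*sniffed)  # same bytes again: nonce already consumed

    # The attacker requests a fresh challenge but has no device key, so the old tag does not fit.
    fresh = server.challenge()
    forged_nonce_rejected = not server.verify(fresh, ENROLLED_TEMPLATE, tag)
    return naive_replay_accepted, honest_login_ok, replay_rejected, forged_nonce_rejected

if __name__ == "__main__":
    print(demo())
```

Two caveats match the talk's own list: the MAC proves freshness and device origin but does not hide the sample, so the link still needs encryption (the SSH tunnel the talk mentions) to stop the template itself from being harvested; and the scheme only helps if the key sits inside the scanner, since an inline USB tap placed before a keyless device would still see, and could still reuse, the raw sample.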