http://wiki.cas.mcmaster.ca/index.php?feed=atom&target=Mad+Doktor&title=Special%3AContributionsComputing and Software Wiki - User contributions [en]2026-05-02T11:09:31ZFrom Computing and Software WikiMediaWiki 1.15.1http://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T19:16:52Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms<sup>R4</sup>. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks<sup>R5</sup>. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
<br />
===''Principle of Least Privilege''===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===''Principle of Fail-Safe Default''===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates'''<sup>[http://en.wikipedia.org/wiki/Biometric#Performance E3]</sup><br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===''Principle of Economy of Mechanism''===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===''Principle of Complete Mediation''===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems. <sup>[http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products R6]</sup><br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===''Principle of Open Design''===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===''Principle of Separation of Privilege''===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===''Principle of Least Common Mechanism''===<br />
[[Image:biometric_attacks2.jpg|thumb|Biometric security system design that includes enrollment]]<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
<br />
===''Principle of Psychological Acceptability''===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<sup>[http://en.wikipedia.org/wiki/Biometric#Performance_measurement R7]</sup><br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%<sup>[http://en.wikipedia.org/wiki/Biometric#Performance R8]</sup>.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms due to the many transactions of the system. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either. However, it is so popular because it is so simple to use and requires almost no effort. Also, even if we can reduce the number of errors to zero, we should never rely solely on one type of security system. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement. <br />
<br />
<br />
=='''See Also'''==<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
[E3] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns<br />
<br />
[R3] [[Biometrics in Information Security#Types of Measurements]]<br />
<br />
[R4] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.<br />
<br />
[R5] Jain, Anil K. Biometric Security System. Michigan, 2006.<br />
<br />
[R6] http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products<br />
<br />
[R7] http://en.wikipedia.org/wiki/Biometric#Performance_measurement<br />
<br />
[R8] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
[Ra] John Woodward Jr, Katharine Webb, Elaine Newton, Melissa Bradley, David Rubenson. Army Biometric Applications: Identifying and Addressing Sociocultural Concerns. Santa Monica, CA: RAND, 2001.<br />
<br />
[Rb] D. J. Hurley, B. Arbab-Zavar, M.S. Nixon. The Ear as a Biometric. University of Southampton: Eurosip, 2007.<br />
<br />
<br />
--[[User:Mad Doktor|Mad Doktor]] 14:16, 10 December 2007 (EST)</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T04:21:28Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms<sup>R4</sup>. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks<sup>R5</sup>. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
<br />
===''Principle of Least Privilege''===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===''Principle of Fail-Safe Default''===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates'''<sup>[http://en.wikipedia.org/wiki/Biometric#Performance E3]</sup><br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===''Principle of Economy of Mechanism''===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===''Principle of Complete Mediation''===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems. <sup>[http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products R6]</sup><br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===''Principle of Open Design''===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===''Principle of Separation of Privilege''===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===''Principle of Least Common Mechanism''===<br />
[[Image:biometric_attacks2.jpg|thumb|Biometric security system design that includes enrollment]]<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
<br />
===''Principle of Psychological Acceptability''===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<sup>[http://en.wikipedia.org/wiki/Biometric#Performance_measurement R7]</sup><br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%<sup>[http://en.wikipedia.org/wiki/Biometric#Performance R8]</sup>.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms due to the many transactions of the system. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either. However, it is so popular because it is so simple to use and requires almost no effort. Also, even if we can reduce the number of errors to zero, we should never rely solely on one type of security system. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement. <br />
<br />
<br />
=='''See Also'''==<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
[E3] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns<br />
<br />
[R3] [[Biometrics in Information Security#Types of Measurements]]<br />
<br />
[R4] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.<br />
<br />
[R5] Jain, Anil K. Biometric Security System. Michigan, 2006.<br />
<br />
[R6] http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products<br />
<br />
[R7] http://en.wikipedia.org/wiki/Biometric#Performance_measurement<br />
<br />
[R8] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
[Ra] John Woodward Jr, Katharine Webb, Elaine Newton, Melissa Bradley, David Rubenson. Army Biometric Applications: Identifying and Addressing Sociocultural Concerns. Santa Monica, CA: RAND, 2001.<br />
<br />
[Rb] D. J. Hurley, B. Arbab-Zavar, M.S. Nixon. The Ear as a Biometric. University of Southampton: Eurosip, 2007.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T04:19:09Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms<sup>R4</sup>. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks<sup>R5</sup>. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates'''<sup>[http://en.wikipedia.org/wiki/Biometric#Performance E3]</sup><br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems. <sup>[http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products R6]</sup><br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
[[Image:biometric_attacks2.jpg|thumb|Biometric security system design that includes enrollment]]<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<sup>[http://en.wikipedia.org/wiki/Biometric#Performance_measurement R7]</sup><br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%<sup>[http://en.wikipedia.org/wiki/Biometric#Performance R8]</sup>.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms due to the many transactions of the system. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either. However, it is so popular because it is so simple to use and requires almost no effort. Also, even if we can reduce the number of errors to zero, we should never rely solely on one type of security system. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement. <br />
<br />
=='''See Also'''==<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
[E3] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns<br />
<br />
[R3] [[Biometrics in Information Security#Types of Measurements]]<br />
<br />
[R4] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.<br />
<br />
[R5] Jain, Anil K. Biometric Security System. Michigan, 2006.<br />
<br />
[R6] http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products<br />
<br />
[R7] http://en.wikipedia.org/wiki/Biometric#Performance_measurement<br />
<br />
[R8] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
John Woodward Jr, Katharine Webb, Elaine Newton, Melissa Bradley, David Rubenson. Army Biometric Applications: Identifying and Addressing Sociocultural Concerns. Santa Monica, CA: RAND, 2001.<br />
<br />
D. J. Hurley, B. Arbab-Zavar, M.S. Nixon. The Ear as a Biometric. University of Southampton: Eurosip, 2007.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/File:Biometric_attacks2.jpgFile:Biometric attacks2.jpg2007-12-10T04:05:07Z<p>Mad Doktor: A biometric security system design that shows the weakness of sharing both the enrollment and authentication mechanism together as one system.</p>
<hr />
<div>A biometric security system design that shows the weakness of sharing both the enrollment and authentication mechanism together as one system.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T04:02:28Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms<sup>R4</sup>. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks<sup>R5</sup>. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates'''<sup>[http://en.wikipedia.org/wiki/Biometric#Performance E3]</sup><br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems. <sup>[http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products R6]</sup><br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
=='''See Also'''==<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
[E3] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics<br />
<br />
[R3] [[Biometrics in Information Security]]<br />
<br />
[R4] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.<br />
<br />
[R5] Jain, Anil K. Biometric Security System. Michigan, 2006.<br />
<br />
[R6] http://en.wikipedia.org/wiki/Biometric#Marketing_of_biometric_products</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T03:53:15Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms<sup>R4</sup>. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks<sup>R5</sup>. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates'''<sup>[http://en.wikipedia.org/wiki/Biometric#Performance E3]</sup><br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
=='''See Also'''==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
[E3] http://en.wikipedia.org/wiki/Biometric#Performance<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics<br />
<br />
[R3] [[Biometrics in Information Security]]<br />
<br />
[R4] Bishop, Matt. Introduction to Computer Security. Boston: Addison-Wesley, 2006.<br />
<br />
[R5] Jain, Anil K. Biometric Security System. Michigan, 2006.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-10T03:43:25Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems<sup>[http://www.cafesoft.com/support/security-glossary.html R1]</sup> are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use however, there is still a lot of reluctance to adopt the technology worldwide<sup>[http://en.wikipedia.org/wiki/Biometrics#Issues_and_concerns R2]</sup>. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features<sup>[[Biometrics in Information Security#Types of Measurements|R3]]</sup><br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Salzter<sup>[http://en.wikipedia.org/wiki/Jerome_H._Saltzer E1]</sup> and Schroeder<sup>[http://en.wikipedia.org/wiki/Michael_Schroeder E2]</sup> for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction that make designs and mechanisms easy to understand. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
=='''See Also'''==<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
<br />
=='''External Links'''==<br />
<br />
[E1] http://en.wikipedia.org/wiki/Jerome_H._Saltzer<br />
<br />
[E2] http://en.wikipedia.org/wiki/Michael_Schroeder<br />
<br />
=='''References'''==<br />
<br />
[R1] http://www.cafesoft.com/support/security-glossary.html<br />
<br />
[R2] http://en.wikipedia.org/wiki/Biometrics<br />
<br />
[R3] [[Biometrics in Information Security]]</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T20:23:17Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
=='''Biometrics'''==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
=='''Security Design Principles'''==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
=='''Breaking a Biometrics Security System'''==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
=='''Analysis'''==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
=='''Conclusion'''==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
=='''See Also'''==<br />
[1] [http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[2] [http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[3] [http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[4] [http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
=='''References'''==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T20:15:04Z<p>Mad Doktor: /* See Also */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
[1] [http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[2] [http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[3] [http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_Security Operating Systems Security]<br />
<br />
[4] [http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_systems_regarding_security_design_principleBiometric systems regarding security design principle2007-12-08T20:11:56Z<p>Mad Doktor: Biometric systems regarding security design principle moved to Biometric Systems and Security Design Principles: Incorrect title due to grammatical errors.</p>
<hr />
<div>#REDIRECT [[Biometric Systems and Security Design Principles]]</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T20:11:56Z<p>Mad Doktor: Biometric systems regarding security design principle moved to Biometric Systems and Security Design Principles: Incorrect title due to grammatical errors.</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
[1] [http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[2] [http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[3] [http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_SecurityOperating Systems Security]<br />
<br />
[4] [http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T20:09:17Z<p>Mad Doktor: /* See Also */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
[1] [http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
[2] [http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]<br />
<br />
[3] [http://www.cas.mcmaster.ca/wiki/index.php/Operating_Systems_SecurityOperating Systems Security]<br />
<br />
[4] [http://www.cas.mcmaster.ca/wiki/index.php/The_Mitnick_attack The Mitnick Attack]<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T20:03:05Z<p>Mad Doktor: /* See Also */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
'''[1]'''[http://www.cas.mcmaster.ca/wiki/index.php/Biometrics_in_Information_Security Biometrics in Information Security]<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T19:56:16Z<p>Mad Doktor: /* Principle of Fail-Safe Default */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
<br />
{| class="wikitable" border="1" align=center<br />
|+ '''Chart of Biometric Systems Error Rates<br />
<br />
|-<br />
<br />
! Biometrics <br />
<br />
! EER<br />
<br />
! FAR<br />
<br />
! FRR<br />
<br />
! Subjects<br />
<br />
! Comment<br />
<br />
|-<br />
<br />
| Face<br />
<br />
| n/a<br />
<br />
| 1 %<br />
<br />
| 10 %<br />
<br />
| 37437<br />
<br />
| Varied lighting, indoor/outdoor<br />
<br />
|-<br />
<br />
| Fingerprints<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 2 %<br />
<br />
| 100<br />
<br />
| Rotation and exaggerated skin distortion<br />
<br />
|-<br />
<br />
| Hand geometry<br />
<br />
| 1 %<br />
<br />
| 2 %<br />
<br />
| 0.1 %<br />
<br />
| 129<br />
<br />
| With rings and improper placement<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| < 1 %<br />
<br />
| 0.94 %<br />
<br />
| 0.99 %<br />
<br />
| 1224<br />
<br />
| Indoor Environment<br />
<br />
|-<br />
<br />
| Iris<br />
<br />
| 0.01 %<br />
<br />
| 0.0001 %<br />
<br />
| 0.2 %<br />
<br />
| 132<br />
<br />
| Best conditions<br />
<br />
|-<br />
<br />
| Keystrokes<br />
<br />
| 1.8 %<br />
<br />
| 7 %<br />
<br />
| 0.1 %<br />
<br />
| 15<br />
<br />
| During 6 months period<br />
<br />
|-<br />
<br />
| Voice<br />
<br />
| 6 %<br />
<br />
| 2 %<br />
<br />
| 10 %<br />
<br />
| 310<br />
<br />
| Text independent, multilingual<br />
|}<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T19:34:04Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.<br />
<br />
<br />
==See Also==<br />
<br />
<br />
==References==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T19:30:51Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks. These types of attacks are categorized by their attacks on a specific part of the design. They can be divided into the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T19:11:22Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
[[Image:biometric_attacks.jpg|Types of attacks available on a biometric security system]]<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/File:Biometric_attacks.jpgFile:Biometric attacks.jpg2007-12-08T19:05:28Z<p>Mad Doktor: Types of attacks on the design of a biometric security system.</p>
<hr />
<div>Types of attacks on the design of a biometric security system.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:41:05Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg|thumb|3D Face Recognition Software]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
'''Type 1:''' Fake biometric sensor<br />
<br />
'''Type 2:''' Replay attacks<br />
<br />
'''Type 3:''' Trojan horse program at feature extractor<br />
<br />
'''Type 4:''' Real features replaced by synthetic features.<br />
<br />
'''Type 5:''' Trojan horse program at matcher.<br />
<br />
'''Type 6:''' Attacks modifying database of templates.<br />
<br />
'''Type 7:''' Results overridden.<br />
<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:32:39Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:3dface.jpg]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/File:3dface.jpgFile:3dface.jpg2007-12-08T18:32:07Z<p>Mad Doktor: An image of a human face using 3d face recognition/mapping software.</p>
<hr />
<div>An image of a human face using 3d face recognition/mapping software.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:27:00Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide a clearer understanding of its strengths and weaknesses in the implementation and design of biometric security systems.<br />
[[Image:http://www.primidi.com/images/aurora_3d_recognition.jpg]]<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:21:31Z<p>Mad Doktor: /* Security Design Principles */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege:'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
'''Principle of Fails-Safe Defaults:'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
'''Principle of Economy of Mechanism:'''<br />
Security mechanisms should be as simple as possible.<br />
<br />
'''Principle of Complete Mediation:'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
<br />
'''Principle of Open Design:'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
<br />
'''Principle of Separation of Privilege:'''<br />
A system should not grant permission based on a single condition.<br />
<br />
'''Principle of Least Common Mechanism:'''<br />
Mechanisms used to access resources should not be shared.<br />
<br />
'''Principle of Psychological Acceptability:'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:20:26Z<p>Mad Doktor: /* Security Design Principles */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
'''Principle of Least Privilege'''<br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
'''Principle of Fails-Safe Defaults'''<br />
A subject should be denied access to an object unless the subject was given access.<br />
'''Principle of Economy of Mechanism'''<br />
Security mechanisms should be as simple as possible.<br />
'''Principle of Complete Mediation'''<br />
All accesses to objects are checked to ensure that they are allowed.<br />
'''Principle of Open Design'''<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
'''Principle of Separation of Privilege'''<br />
A system should not grant permission based on a single condition.<br />
'''Principle of Least Common Mechanism'''<br />
Mechanisms used to access resources should not be shared.<br />
'''Principle of Psychological Acceptability'''<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:19:08Z<p>Mad Doktor: /* Analysis */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
===Principle of Least Privilege=== <br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
===Principle of Fails-Safe Defaults===<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
===Principle of Economy of Mechanism===<br />
Security mechanisms should be as simple as possible.<br />
===Principle of Complete Mediation===<br />
All accesses to objects are checked to ensure that they are allowed.<br />
===Principle of Open Design===<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
===Principle of Separation of Privilege===<br />
A system should not grant permission based on a single condition.<br />
===Principle of Least Common Mechanism===<br />
Mechanisms used to access resources should not be shared.<br />
===Principle of Psychological Acceptability===<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
<br />
===Principle of Least Privilege===<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
===Principle of Fail-Safe Default===<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
===Principle of Economy of Mechanism===<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
===Principle of Complete Mediation===<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
===Principle of Open Design===<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
===Principle of Separation of Privilege===<br />
<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
===Principle of Least Common Mechanism===<br />
<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
===Principle of Psychological Acceptability===<br />
<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:16:35Z<p>Mad Doktor: /* Security Design Principles */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
<br />
===Principle of Least Privilege=== <br />
A subject should be given only those privileges that it needs in order to complete its task.<br />
<br />
===Principle of Fails-Safe Defaults===<br />
A subject should be denied access to an object unless the subject was given access.<br />
<br />
===Principle of Economy of Mechanism===<br />
Security mechanisms should be as simple as possible.<br />
===Principle of Complete Mediation===<br />
All accesses to objects are checked to ensure that they are allowed.<br />
===Principle of Open Design===<br />
Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
===Principle of Separation of Privilege===<br />
A system should not grant permission based on a single condition.<br />
===Principle of Least Common Mechanism===<br />
Mechanisms used to access resources should not be shared.<br />
===Principle of Psychological Acceptability===<br />
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-08T18:14:34Z<p>Mad Doktor: /* Breaking a Biometrics Security System */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T05:10:16Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T05:09:33Z<p>Mad Doktor: /* Biometrics */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T05:07:56Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==<br />
<br />
A lot of the faults of a biometric security system are due to current biometric technology. It is simply not advanced enough because the errors in identifying valid and invalid users are still too big, even though it may be as small as 0.01%.<br />
Another issue involves the weak design. As a concept, it is simple, but to implement the design, it requires a lot of encryption and security mechanisms. Also, the design highlights a weakness in storage of the templates. Just like storage of passwords, storage of the templates carries even more risks, because stolen templates could potentially mean a stolen identity.<br />
Also, the current thought regarding biometric security systems is that they are the way of the future, meaning they are to replace current security mechanisms, but as shown above, that is terrible because there are still too many weaknesses, including the fact that not everyone can use such a system either.<br />
However, it is so popular because it is so simple to use and requires almost no effort. Hence, biometric security systems should only be used as a supplement to current security systems, not a replacement.</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T05:06:50Z<p>Mad Doktor: /* Conclusion */</p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be protected and<br />
<br />
<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be encrypted and each state must be protected. This means that overall, the design must contain at least four encryption mechanisms must be used for each channel, and at least five security mechanisms for the five states.<br />
The quantity of states and channels involved means that there are a high number of security mechanisms involved which means that security of the overall design is quite complex. This violates the principle of economy of mechanism, but the security of each channel and state may not be as complex as the design, depending on the implementation.<br />
<br />
Principle of Complete Mediation<br />
Depending on the implementation, as long as each channel is encrypted with several layers of protection, it does not violate the principle. However, the problem comes from the human side and the issue arises when people try to replace current authentication mechanism such as password systems with biometric security systems.<br />
For example, new laptops with the Windows operating system have been released with biometric security systems. On the Windows login page, there are two logins available, the password system or the biometric system, and the user only has to use one of them to login, a clear violation of the principle of complete mediation.<br />
<br />
Principle of Open Design<br />
The design of the biometric security is acceptable but the weakness is easily identified. The weakness of the design lies in the storage of the templates, which to this day, remains a difficult issue. Two options are available, a centralized data bank or decentralized servers to store all the templates.<br />
The design violates the principle not because the design is shrouded in secrecy but because the design itself is weak. This issue can be solved in the future by having a stronger design.<br />
<br />
Principle of Separation of Privilege<br />
It is common knowledge that a system is not secure if only one security mechanism is used, so an obvious solution is to have multiple security mechanisms. The issue arises when multiple biometric security systems are used. For example, fingerprints and retinas are used together. However, the problem is similar to those of the principle of fail-safe defaults. It assume that security mechanism work when they are supposed to work, but by increasing the types of biometrics required, the number of FARs (false acceptance rates) and FRRs (false rejection rates) increase as well.<br />
Cite examples.<br />
<br />
Principle of Least Common Mechanism<br />
Again, the design is simple due to its rather linear structure. However, in order for the security system to work, there must be a step in which users are enrolled, so that features can be stored. To cut costs, that enrolment system is typically a part of the authentication mechanism. This means that the biometric security system is more opened to attacks because another channel (between feature extractor and the template bank) must be encrypted, making the design more complicated, and the attacker has another option to attack the template bank.<br />
<br />
Principle of Psychological Acceptability<br />
The big reason why biometric security systems are so popular is that from an end-user perspective, they are the simplest security mechanisms to use. The user does not require any sort of knowledge of passwords to use, since it depends on either physiological or behavioural traits. However, if it fails, due to the FARs and FRRs, such a problem can be extremely annoying since it is not easy to remedy unless there is an alternative login method, which of course, defeats the purpose of having a biometric authentication method.<br />
<br />
<br />
==Conclusion==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T05:04:12Z<p>Mad Doktor: </p>
<hr />
<div>'''Analysis of Biometric Systems using Security Design Principles'''<br />
==Biometrics==<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
==Security Design Principles==<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
==Breaking a Biometrics Security System==<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
==Analysis==<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be protected and<br />
<br />
<br />
==Conclusion==</div>Mad Doktorhttp://wiki.cas.mcmaster.ca/index.php/Biometric_Systems_and_Security_Design_PrinciplesBiometric Systems and Security Design Principles2007-12-03T04:55:49Z<p>Mad Doktor: An analysis of biometric security systems using security design principles as a model.</p>
<hr />
<div>Analysis of Biometric Systems using Security Design Principles<br />
<br />
Biometrics<br />
<br />
Biometrics is the identification of a person through automated measurements using biological or behavioural features.<br />
<br />
Biometric security systems are authentication mechanisms that bind an entity to a subject based on what the entity is, as opposed to what they know, what they have, or where they are.<br />
Within the past several years, biometric security systems have gained a lot of ground in terms of advancements in technology and widespread use. However, there is still a lot of reluctance to adopt the technology worldwide. A look at biometric security systems through security design principles should provide more answers.<br />
<br />
<br />
Security Design Principles<br />
<br />
The following eight design principles were created by Saltzer and Shroeder for the design and implementation of security mechanisms. These design principles encompass technical details and human interaction. They are also simple and easy to understand, which is why they will be used as a guide to analyze biometric security systems. The list of design principles are as follows:<br />
1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.<br />
2. Principle of Fails-Safe Defaults: A subject should be denied access to an object unless the subject was given access.<br />
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.<br />
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.<br />
5. Principle of Open Design: Security of a mechanism should not depend on the secrecy of its design or implementation.<br />
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.<br />
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.<br />
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.<br />
<br />
<br />
Breaking a Biometrics Security System<br />
In addition to looking at biometric security systems from a design and implementation perspective, understanding a biometrics security system from an attacker’s perspective is also important. In general, there are seven different types of attacks, they are the following:<br />
- Type 1: Fake biometric sensor<br />
- Type 2: Replay attacks<br />
- Type 3: Trojan horse program at feature extractor<br />
- Type 4: Real features replaced by synthetic features.<br />
- Type 5: Trojan horse program at matcher.<br />
- Type 6: Attacks modifying database of templates.<br />
- Type 7: Results overridden.<br />
<br />
<br />
Analysis<br />
<br />
Principle of Least Privilege<br />
The design of the biometric security system itself is very linear hence, only the channels themselves need to be protected. This means that overall, processes cannot be accessed past the sensor if the sensor themselves have not been used. From this perspective, the design is secure. However, the system is still vulnerable from all attacks that attack each process directly (type 3, 5, and 6 attacks).<br />
<br />
Principle of Fail-Safe Default<br />
The principle of fail-safe default is an excellent principle to follow for security mechanisms, but it falls short due to an implicit assumption within the principle itself. The principle assumes that security mechanisms will always work perfectly if all the requirements are passed. However, with biometric security systems, that is not the case. Biometric security systems are not perfect so they don’t always pass legitimate users and at the same time, they also pass the invalid users as well.<br />
Show chart of failure rate.<br />
<br />
Principle of Economy of Mechanism<br />
In the design of the biometric security systems, each channel must be protected and</div>Mad Doktor