Biometric Systems and Security Design Principles

From Computing and Software Wiki


Revision as of 05:06, 3 December 2007

Analysis of Biometric Systems using Security Design Principles


Biometrics

Biometrics is the identification of a person through automated measurements using biological or behavioural features.

Biometric security systems are authentication mechanisms that bind an identity to a subject based on what the entity is, as opposed to what it knows, what it has, or where it is. Within the past several years, biometric security systems have advanced considerably and come into widespread use, yet there is still a lot of reluctance to adopt the technology worldwide. Examining biometric security systems through the security design principles helps explain why.

Security Design Principles

The following eight design principles were formulated by Saltzer and Schroeder for the design and implementation of security mechanisms. They cover both technical details and human interaction, and they are simple and easy to understand, which is why they are used here as a guide to analyze biometric security systems. The principles are as follows:

1. Principle of Least Privilege: A subject should be given only those privileges that it needs in order to complete its task.
2. Principle of Fail-Safe Defaults: A subject should be denied access to an object unless the subject was explicitly given access.
3. Principle of Economy of Mechanism: Security mechanisms should be as simple as possible.
4. Principle of Complete Mediation: All accesses to objects are checked to ensure that they are allowed.
5. Principle of Open Design: The security of a mechanism should not depend on the secrecy of its design or implementation.
6. Principle of Separation of Privilege: A system should not grant permission based on a single condition.
7. Principle of Least Common Mechanism: Mechanisms used to access resources should not be shared.
8. Principle of Psychological Acceptability: Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.

Breaking a Biometrics Security System

In addition to looking at biometric security systems from a design and implementation perspective, it is also important to understand them from an attacker's perspective. The processing pipeline (sensor, feature extractor, matcher, template database and final decision) can be attacked at each stage and on the channels between stages. In general there are seven types of attack:

- Type 1: Fake biometric presented to the sensor.
- Type 2: Replay of a previously captured signal on a channel.
- Type 3: Trojan horse program at the feature extractor.
- Type 4: Real features replaced by synthetic features on the channel to the matcher.
- Type 5: Trojan horse program at the matcher.
- Type 6: Attacks modifying the database of templates.
- Type 7: Final result overridden.

Analysis

Principle of Least Privilege

The biometric security system itself has a linear structure: sensor, feature extractor, matcher and template store each hand their output only to the next stage, so no stage can be reached except through the one before it, and only the channels between stages need to be protected. From this perspective the design is secure. However, the system remains vulnerable to attacks that target a stage directly instead of going through the sensor (the type 3, 5 and 6 attacks, which subvert the feature extractor, the matcher and the template database).
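The channel protection this paragraph calls for, as an added example that is not from the wiki page: the feature extractor issues a fresh challenge for each capture, and the sensor returns the sample together with an HMAC over challenge and sample. A replayed capture (the type 2 attack) or a sample altered in transit (the channel-level counterpart of the type 4 attack) fails the check. The shared key, the challenge scheme and the sample bytes are hypothetical; the page does not say how its channels are protected, and this is one standard way to do it. Encryption is left out so that the authenticity and freshness checks stand out; a real channel needs both.

```python
"""Authenticated, replay-resistant sensor-to-extractor channel.

Added example, not the wiki page's code. The shared key, the challenge
scheme and the sample bytes are all hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed symmetric key provisioned to both ends at install time
# (hypothetical; a real deployment would derive it per device).
SHARED_KEY = bytes(range(32))


def sensor_capture(key: bytes, nonce: bytes, sample: bytes) -> bytes:
    """Sensor side: bind the captured sample to the extractor's challenge."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


class Extractor:
    """Receiving end of the channel. Remembers which challenges are unused."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Set[bytes] = set()

    def challenge(self) -> bytes:
        """Issue a fresh 128-bit nonce; it is valid for exactly one capture."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        """Return True only for an untampered capture bound to a live challenge."""
        # Check the MAC first, in constant time, so a forged message reveals
        # nothing about which nonces are outstanding.
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        # A replayed message carries a nonce that has already been consumed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        return True


def demo() -> Dict[str, bool]:
    """Run the genuine path and three attacks; return the accept decisions."""
    ext = Extractor(SHARED_KEY)
    live = b"constructed-fingerprint-image-bytes"

    n1 = ext.challenge()
    t1 = sensor_capture(SHARED_KEY, n1, live)
    genuine = ext.accept(n1, live, t1)          # fresh capture: accepted

    replay = ext.accept(n1, live, t1)           # type 2: same message again

    n2 = ext.challenge()
    t2 = sensor_capture(SHARED_KEY, n2, live)
    tampered = ext.accept(n2, b"synthetic-features", t2)  # altered in transit

    n3 = ext.challenge()
    t3 = sensor_capture(b"attacker-guess", n3, live)       # no shared key
    forged = ext.accept(n3, live, t3)

    return {"genuine": genuine, "replay": replay,
            "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The nonce does the work that encryption alone cannot: an attacker who records a valid ciphertext can still replay it, whereas a capture bound to a single-use challenge is rejected the second time. The same pattern applies unchanged to the other three channels in the pipeline.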

Principle of Fail-Safe Default

The principle of fail-safe default is an excellent one for security mechanisms, but it rests on an implicit assumption: that a mechanism given correct input reaches the correct decision. A biometric matcher does not. It compares a live sample against a stored template and accepts if the similarity score reaches a threshold, so its decision is probabilistic: it rejects some legitimate users (the false rejection rate, FRR) and accepts some impostors (the false acceptance rate, FAR). Raising the threshold lowers the FAR at the cost of a higher FRR, and vice versa; neither rate can be driven to zero. A false acceptance is exactly the failure the principle forbids, access granted without an explicit grant, while a false rejection is the fail-safe direction but is paid for in usability.

Principle of Economy of Mechanism

In a biometric security system each channel must be protected and each stage must be protected. Protecting a channel means more than encrypting it: a replayed ciphertext is still a replay, so the channel also needs authentication and freshness. With four channels and five stages, the design needs at least four channel-protection mechanisms and at least five mechanisms guarding the stages themselves. That many mechanisms make the overall design complex, which violates the principle of economy of mechanism, although each individual channel or stage protection may be simple, depending on the implementation.

Principle of Complete Mediation

Depending on the implementation, as long as every access to every stage passes through its checks and each channel is protected, the design does not violate the principle. The problem arises on the human side, when people replace an existing authentication mechanism such as a password system with a biometric one. For example, new laptops running Windows have shipped with biometric readers. On the Windows login screen both the password login and the biometric login are offered, and the user needs only one of them to log in. The biometric check therefore does not mediate every access: an attacker can simply take the password path, and the system is only as strong as the weaker of the two, a clear violation of the principle of complete mediation.

Principle of Open Design

The design of a biometric security system is acceptable in that its security does not rest on the secrecy of the design, but its weakness is easily identified once the design is known. That weakness lies in the storage of the templates, which remains a difficult issue to this day. Two options are available: a centralized database holding every template, or decentralized servers each holding a subset. The template store matters more than any other part because a biometric, unlike a password, cannot be changed once its template has been stolen. The design therefore falls short not because it is shrouded in secrecy but because the design itself is weak at this point; the issue can only be solved by a stronger design for template storage.

Principle of Separation of Privilege

It is common knowledge that a system which relies on a single security mechanism is not secure, so the obvious solution is to require several. The difficulty arises when the several mechanisms are all biometric, for example fingerprints and retinas used together. The problem is similar to that under fail-safe defaults: the principle assumes each mechanism works when it should, but every biometric brings its own FAR (false acceptance rate) and FRR (false rejection rate). Requiring every biometric to match (an AND combination) lowers the combined FAR, since an impostor must now defeat each one, but raises the combined FRR, since a legitimate user is rejected if any one of them fails. Accepting any one of them (an OR combination) does the reverse. Adding biometrics therefore trades one error rate for the other rather than removing either.
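An added example, not from the wiki page, covering this paragraph together with the Fail-Safe Default and Complete Mediation paragraphs above: a threshold matcher whose FAR and FRR are measured on constructed score sets, with deny-by-default for a missing or invalid score, plus the AND and OR combinations of two matchers. The scores, the thresholds and the assumption that the two matchers err independently are all hypothetical.

```python
"""Threshold decision, FAR/FRR measurement and two-factor fusion.

Added example, not the wiki page's code. Scores are constructed; the
independence assumption behind fuse_and/fuse_or is hypothetical.
"""
import math
from typing import Dict, Optional, Sequence, Tuple

# Constructed similarity scores in [0, 1]: ten genuine presentations and ten
# impostor presentations against the same template.
GENUINE = [0.92, 0.88, 0.75, 0.95, 0.61, 0.83, 0.79, 0.90, 0.70, 0.85]
IMPOSTOR = [0.20, 0.35, 0.55, 0.10, 0.72, 0.40, 0.30, 0.65, 0.25, 0.50]


def decide(score: Optional[float], threshold: float) -> bool:
    """Fail-safe default: accept only a valid score at or above the threshold.

    A missing score (sensor failed to capture) or a NaN (matcher failed)
    falls through to deny, never to accept.
    """
    if score is None or math.isnan(score):
        return False
    return score >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) of `decide` at this threshold over the two score sets."""
    false_accepts = sum(1 for s in impostor if decide(s, threshold))
    false_rejects = sum(1 for s in genuine if not decide(s, threshold))
    return false_accepts / len(impostor), false_rejects / len(genuine)


def fuse_and(far1: float, frr1: float,
             far2: float, frr2: float) -> Tuple[float, float]:
    """Both biometrics must match (separation of privilege).

    An impostor must fool both matchers, so FAR multiplies; a genuine user
    is rejected if either matcher rejects, so FRR grows.
    """
    return far1 * far2, 1.0 - (1.0 - frr1) * (1.0 - frr2)


def fuse_or(far1: float, frr1: float,
            far2: float, frr2: float) -> Tuple[float, float]:
    """Either mechanism suffices (the password-or-biometric fallback login).

    An impostor needs to fool only one matcher, so FAR grows; a genuine user
    is rejected only if both reject, so FRR shrinks.
    """
    return 1.0 - (1.0 - far1) * (1.0 - far2), frr1 * frr2


def threshold_sweep(thresholds: Sequence[float]) -> Dict[float, Tuple[float, float]]:
    """FAR/FRR of the single matcher at each threshold: the trade-off curve."""
    return {t: error_rates(GENUINE, IMPOSTOR, t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in threshold_sweep([0.6, 0.7, 0.8]).items():
        print(f"threshold {t:.1f}: FAR={far:.2f} FRR={frr:.2f}")
    far, frr = error_rates(GENUINE, IMPOSTOR, 0.7)
    print("AND of two such matchers:", fuse_and(far, frr, far, frr))
    print("OR  of two such matchers:", fuse_or(far, frr, far, frr))
    print("sensor failure is denied:", decide(None, 0.7))
```

On the constructed scores, moving the threshold from 0.6 to 0.8 takes the FAR from 0.2 to 0 while the FRR climbs from 0 to 0.4, which is the trade-off the Fail-Safe Default paragraph describes. With two matchers at FAR = FRR = 0.1, the AND combination gives FAR 0.01 and FRR 0.19, the OR combination the reverse; the OR case is the fallback-login pattern, and its FAR is never below that of the weaker factor.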

Principle of Least Common Mechanism

Again, the design is simple because of its linear structure. However, for the system to work there must be an enrolment step in which users' features are captured and stored as templates. To cut costs, enrolment typically reuses the authentication pipeline (the same sensor and feature extractor) instead of having its own. This shared mechanism exposes the system further: another channel, from the feature extractor to the template bank, must now be protected, which complicates the design, and an attacker who can reach the enrolment path gains another route to the template bank (a type 6 attack).

Principle of Psychological Acceptability

The main reason biometric security systems are so popular is that, from the end user's perspective, they are the simplest security mechanisms to use. The user needs no password, since authentication depends on a physiological or behavioural trait. However, when the system fails because of its FAR or FRR, the problem is extremely annoying and hard to remedy unless an alternative login method exists, and providing one defeats the purpose of the biometric authentication.


Conclusion
