The WhoIsIt? biometric security system
Stein J. Ryan, PhD, Qvoice Inc

Introduction

With computers now used in every major function of society, computer security is increasingly important. Any computer security system requires a method to establish the credentials of users. This authentication method has traditionally been based on passwords. If implemented properly, passwords provide a highly efficient authentication method that allows the underlying security system to protect information properly. Passwords are powerful because they can be used as input to cryptographic algorithms (through a key-derivation function), which can in turn be used to secure sensitive information in insecure environments. For example, a password-derived key can encrypt files on disk or data sent across an insecure communication line.

The problem with passwords

Passwords have one big problem. They should be difficult to guess, which requires them to have a certain length and randomness. This is precisely what makes them difficult to remember, so passwords place obligations on the end user. This is acceptable if an end user uses only a few systems. In a modular software environment, however, users must usually deal with many applications and systems, which multiplies the number of passwords and the burden of remembering them.

Biometrics provide a partial solution to this problem by replacing the authentication method so that the user does not have to remember passwords. Instead, a trusted system element obtains a biometric template of the user and compares it with a previously enrolled template. If the match is sufficiently close, access is granted. This is convenient from the end user's point of view, but presents many challenges to the developers of security-sensitive applications.

The problem with biometrics

Most importantly, a biometric match is not suitable for use as cryptographic key material. A biometric matching algorithm computes a similarity score between the live sample and the enrolled template and thresholds it into a yes/no answer to whether the user is who he claims to be. Two genuine samples from the same person never agree bit for bit, so neither the sample nor the yes/no answer can be used as input to a cryptographic algorithm to secure information. This makes it difficult to replace passwords with biometrics, and it is a big problem when attempting to use biometrics as a front-end to existing, password-based security systems.

The ideal solution would be to magically convert a fingerprint or other biometric template into a password. The password could then be passed on to any existing password-based security system. An obvious approximation is to store passwords in some secure location and release them for use in cryptography once the identity of the user has been established with biometrics. The problem with this concept is establishing a secure location for the passwords: anyone who can read that location can use the stored passwords without ever presenting a biometric, so the security of the whole scheme reduces to the security of that storage.

The WhoIsIt? solution

WhoIsIt? is available for Windows 95/98, Windows NT, 2000, XP and 2003. It offers a highly flexible biometric security system targeting the problems with passwords and biometrics noted above. The WhoIsIt? software offers the following high-level functionality:

- Files can be secured with biometrics through encryption.
- Pictures and recordings of biometric access attempts are logged. This is a powerful deterrent because unauthorized access attempts are no longer anonymous.
- A customizable multimedia user interface can be tailored to the company profile.

The flexibility of the WhoIsIt product line allows system administrators to select which biometrics to use and the methods used for securing the biometric template storage facility. Security can be tailored and traded against ease of use according to user requirements.

Multiple biometrics

WhoIsIt offers two basic biometric matching algorithms (voice and fingerprint) that have been seamlessly integrated into the product. Several biometrics can be combined, either to maximize security (every installed biometric must match) or to minimize the probability of false rejections due to inaccuracies in the biometric templates (any one matching biometric suffices).

There are many biometrics to choose from when implementing a biometric security system. Biometrics can be ranked according to their accuracy and user friendliness, which in turn depend on the environment they will be used in. For example, it would be a bad idea to use a voice biometric in a noisy environment. Another important aspect is cost. Fingerprint is quite resilient to environmental conditions but requires special sensors. This is in sharp contrast to voice and face biometrics, which can use standard sound cards and cameras for biometric input. WhoIsIt supports fingerprint sensors from several different vendors.

The WhoIsIt biometric cryptographic service provider (BIOCSP) system offers face, voice and fingerprint support as optional modules that plug into a base package. If more than one biometric is installed, the biometrics can be configured to operate together. For example, if fingerprint and face biometrics have been installed, the system can monitor camera input and fingerprint sensor input simultaneously to verify both face and fingerprint with a minimum of user interaction. The end result is a more secure system with no loss of user friendliness.

Secure storage of biometric templates

WhoIsIt offers several ways to implement a secure location for biometric templates, digital certificates and passwords. The secure storage facility allows WhoIsIt to function as a biometric-to-password converter that can be used as a front-end to existing password-based systems, and to authorize the use of private keys for PKI-enabled applications such as SSO and challenge/response authentication.

There are many ways to implement a secure storage facility, depending on the level of security required. WhoIsIt offers a broad range of solutions, from client/server configurations to wearable computers, smart cards and USB flash storage devices that carry the biometric templates and passwords. These solutions differ in cost, complexity and the security they offer.

1. Standalone systems store the biometric templates, passwords and PKI keys with digital certificates on the local hard drive in the WhoIsIt biometric database.
2. In a client/server solution, the biometric database with the users' PKI keys is stored on a central server.
3. The biometric database can be placed on removable media such as a USB flash drive or a smart card.

The ability to place the biometric database on removable media, combined with the WhoIsIt biometric cryptographic service provider and embedded WhoIsIt firmware, is unique to WhoIsIt and is the most secure option in the product line. This is mainly of interest in highly secure environments, but it shows that WhoIsIt can stand up to the strictest security requirements. One particularly interesting option is the ability to store the WhoIsIt biometric database containing the users' private keys and digital certificates on the WhoIsIt network server, on the local computer (laptop or desktop), or inside a smart card or USB flash drive. A USB flash drive is a tiny wearable computer that can be carried on a key chain. It improves security by keeping the biometric database inside a tamper-resistant casing, so the templates and keys are never exposed on the host's hard drive.
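The mechanism described in the preceding sections, as an added example in Python that is not WhoIsIt code: a matcher that only produces a thresholded yes/no (so two matching samples still hash to different values and cannot serve as key material), a sealed credential store that releases the stored password only on a match, an all/any policy for combining several biometrics, and a log of every attempt. The 256-bit bit-vector templates, the Hamming-distance matcher, the threshold of 40 bits, the HMAC-SHA256 encrypt-then-MAC seal (a standard-library stand-in for AES-GCM) and the `CredentialVault` class are all assumptions made for illustration, not the product's design.

```python
"""Biometric-to-password converter sketch (added example, not WhoIsIt code)."""
import hashlib
import hmac
import random
import secrets
from typing import Dict, Optional, Tuple

TEMPLATE_BYTES = 32    # 256-bit toy templates (assumption; real vendor templates differ)
MATCH_THRESHOLD = 40   # accept when at most 40 of 256 bits differ (assumed tuning value)


def hamming(a: bytes, b: bytes) -> int:
    """Bits that differ between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def noisy_sample(template: bytes, flips: int, rng: random.Random) -> bytes:
    """Constructed sensor read: the enrolled template with `flips` distinct bits flipped."""
    bits = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flips):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def is_match(enrolled: bytes, sample: bytes) -> bool:
    """The matcher thresholds a score into yes/no; that is all a biometric provides."""
    return hamming(enrolled, sample) <= MATCH_THRESHOLD


def template_is_unusable_as_key(enrolled: bytes, sample: bytes) -> bool:
    """True when two samples that *match* still hash differently: a raw template
    cannot be fed to a cipher or KDF the way a password can."""
    return is_match(enrolled, sample) and (
        hashlib.sha256(enrolled).digest() != hashlib.sha256(sample).digest())


def make_templates(seed: int = 7) -> Tuple[bytes, bytes, bytes]:
    """Constructed data: an enrolled template, a genuine re-read (20 bits flipped)
    and an unrelated impostor template."""
    rng = random.Random(seed)
    enrolled = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    genuine = noisy_sample(enrolled, 20, rng)
    impostor = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    return enrolled, genuine, impostor


# Sealed credential store: HMAC-SHA256 keystream + HMAC tag (encrypt-then-MAC).
# Stand-in for AES-GCM so the example runs on the standard library alone.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(storage_key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(storage_key, b"enc", hashlib.sha256).digest(),
            hmac.new(storage_key, b"mac", hashlib.sha256).digest())


def seal(storage_key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    enc_key, mac_key = _subkeys(storage_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(storage_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _subkeys(storage_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential store has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CredentialVault:
    """Trusted element holding enrolled templates and sealed passwords.

    The storage key is the trust anchor: whoever reads it can unseal every password
    without presenting a biometric. Here it sits in memory; on removable media it
    would stay inside the device firmware. policy="all": every enrolled biometric
    must match (maximum security); policy="any": one match suffices (fewer false
    rejections). Every attempt is appended to audit_log, granted or not."""

    def __init__(self, storage_key: bytes, policy: str = "all"):
        assert policy in ("all", "any")
        self._storage_key, self.policy = storage_key, policy
        self._users: Dict[str, Tuple[Dict[str, bytes], Tuple[bytes, bytes, bytes]]] = {}
        self.audit_log: list = []   # (user, per-modality verdicts, granted)

    def enroll(self, user: str, templates: Dict[str, bytes], password: str) -> None:
        self._users[user] = (dict(templates), seal(self._storage_key, password.encode()))

    def release_password(self, user: str, samples: Dict[str, bytes]) -> Optional[str]:
        """Return the stored password only if the biometric policy is satisfied."""
        templates, sealed = self._users[user]
        verdicts = {m: (m in samples and is_match(t, samples[m])) for m, t in templates.items()}
        combine = all if self.policy == "all" else any
        granted = bool(verdicts) and combine(verdicts.values())   # no templates -> deny
        self.audit_log.append((user, verdicts, granted))
        return unseal(self._storage_key, *sealed).decode() if granted else None


def new_vault(policy: str = "all") -> CredentialVault:
    """Vault with a fresh random storage key (in a real deployment, held by the device)."""
    return CredentialVault(secrets.token_bytes(32), policy)
```

Under the `"all"` policy an impostor face sample or a missing modality denies release even when the fingerprint matches; under `"any"` the same request succeeds, which is the false-rejection/security trade-off the text describes. Flipping one ciphertext byte in the store makes `unseal` raise rather than hand back a corrupted password.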