Advanced User Authentication

Uploaded by jollyjingles93

Network Security

Credit Hours: 3
Prerequisite: Basic knowledge of computer networking and Security

Instructor
Mudassar Hussain

Contents
• Authentication requirements
• Biometrics
• Enrolment
• Identification vs authentication
• Failure rates
• Requirements for a biometric identifier
• Attacking biometric systems
• Choice of a biometric method
• Tokens
• Attacking tokens
• Mitigations against token attacks

Human ID authentication: When, Where and Why?
• Banking/Financial services: Money only to its owners
• Computer & IT Security: Access only to those authorized
• Healthcare: Correct patient history (and billing)
• Immigration: Blocking unwanted residents
• Law and Order: Punishing the correct person
• Gatekeeper/Door Access Control: Access only if authorized
• Telecommunication: Billing, trust base and privacy
• Time and Attendance Logging: For future audit
• Welfare: Only to valid beneficiaries
• Consumer Products: Against unauthorized use, liability etc.

Authentication requirements
• Can be presented only by the correct person
  - Only the correct person knows the value
  - Only the correct person can physically present the value
• Has enough diversity to be unique enough
  - Truly unique, can be used for identification
  - Overlap very unlikely, can be used for authentication

Biometrics
• One of the remarkable abilities of humans and most animals is to identify other individuals.
• Humans do it primarily through face and voice. Body proportions, movements etc. are also important.

Biometrics, definition
• "The automated use of physiological or behavioral characteristics to determine or verify identity."
• Bio from Greek life
• Metric from Greek measurement
• In this case we measure
  - Physical properties of the user's body
  - Behavior properties of the user

Biometrics, examples
• Written signature
• Retinal scan
• DNA
• Vein pattern
• Thermal pattern of the face
• Keystroke dynamics
• Fingerprints
• Face geometry
• Hand geometry
• Iris pattern
• Voice
• Ear shape

Enrolment

Identification
• "Who am I?"
• Comparisons are made with every template in the database.
• The result is an identity (name or user ID) or "NO MATCH"

Identification (cont…)

Authentication
• Identity verification = Authentication
• "Am I the person who I claim I am?"
• The user claims to have a certain identity (e.g. by specifying a user name)
• Comparisons are made only with one template.
• The result is TRUE/FALSE

Authentication (cont…)

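The two operating modes above, 1:N identification and 1:1 verification, as an added Python example (not code from the slides). It assumes templates are small feature vectors compared by Euclidean distance against a fixed threshold; the enrolled templates and the probe are constructed values.

```python
import math

# Constructed sample templates: each enrolled user is stored as a small
# feature vector (a handful of normalised measurements). Real systems use
# far larger, modality-specific templates; these values are made up.
TEMPLATES = {
    "alice": [0.10, 0.80, 0.35, 0.60],
    "bob":   [0.90, 0.20, 0.55, 0.40],
    "carol": [0.45, 0.50, 0.95, 0.15],
}


def distance(a, b):
    """Euclidean distance between two feature vectors (lower = better match)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify(sample, templates=TEMPLATES, threshold=0.25):
    """1:N identification ("Who am I?"): compare against every template.
    Returns the closest user ID if it is within the threshold, else "NO MATCH"."""
    best_id, best_d = None, float("inf")
    for user_id, tpl in templates.items():
        d = distance(sample, tpl)
        if d < best_d:
            best_id, best_d = user_id, d
    return best_id if best_d <= threshold else "NO MATCH"


def verify(claimed_id, sample, templates=TEMPLATES, threshold=0.25):
    """1:1 verification ("Am I who I claim to be?"): compare with one template only.
    Returns True/False; an unknown claimed ID is simply False."""
    tpl = templates.get(claimed_id)
    if tpl is None:
        return False
    return distance(sample, tpl) <= threshold


if __name__ == "__main__":
    probe = [0.12, 0.78, 0.33, 0.62]   # constructed: a noisy re-capture of alice
    print(identify(probe))             # alice
    print(verify("alice", probe))      # True
    print(verify("bob", probe))        # False
```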
Failure rates
• Admitting a person under the wrong identity
  - FAR – False Acceptance Rate
  - FMR – False Match Rate
• Rejecting a person claiming correct identity
  - FRR – False Rejection Rate
  - FNMR – False Non-Match Rate

Multi-modal systems
• Use two or more different biometric features
• AND or OR requirements for each feature
  - AND increases accuracy and thus protects against false acceptance
  - OR opens more options and thus protects against too much false rejection
  - OR is necessary in order to accommodate physical handicaps

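How the AND and OR rules move FAR and FRR in opposite directions, as an added Python example (not from the slides). It assumes the modalities are statistically independent; the fingerprint and iris error rates are constructed illustrative values.

```python
# Constructed per-modality (FAR, FRR) pairs for a fingerprint reader and an
# iris camera; made-up values, assumed statistically independent.
FINGERPRINT = (0.01, 0.05)
IRIS = (0.001, 0.02)


def and_fusion(rates):
    """AND: every modality must accept.
    An impostor must fool all of them, so FAR is the product of the FARs;
    a genuine user is rejected as soon as any one modality rejects."""
    far, genuine_pass = 1.0, 1.0
    for far_i, frr_i in rates:
        far *= far_i
        genuine_pass *= 1.0 - frr_i
    return far, 1.0 - genuine_pass


def or_fusion(rates):
    """OR: one accepting modality is enough.
    A genuine user is rejected only if every modality rejects, so FRR is the
    product of the FRRs; an impostor needs to fool just one modality."""
    impostor_reject, frr = 1.0, 1.0
    for far_i, frr_i in rates:
        impostor_reject *= 1.0 - far_i
        frr *= frr_i
    return 1.0 - impostor_reject, frr


if __name__ == "__main__":
    print("AND (FAR, FRR):", and_fusion([FINGERPRINT, IRIS]))   # (1e-05, 0.069)
    print("OR  (FAR, FRR):", or_fusion([FINGERPRINT, IRIS]))    # (0.01099, 0.001)
```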
Requirements for a biometric identifier
• Universality: Each person should have the biometric
• Uniqueness: Any two persons should be sufficiently different in terms of their biometric identifiers
• Permanence: Biometric should be sufficiently invariant (with respect to the matching criterion) over a period of time
• Collectability: The biometric can be measured quantitatively

Requirements for a biometric identifier (cont.)
• Performance: Refers to the achievable recognition accuracy, speed, robustness, the resource requirements to achieve the desired recognition accuracy and speed, as well as operational or environmental factors that affect the recognition accuracy and speed.
• Acceptability: The extent to which people are willing to accept a particular biometric identifier in their daily lives.
• Circumvention proof: How easy it is to fool the system by fraudulent methods

Requirements for a biometric identifier (cont.)

Fingerprints
• Known and used with formal classification since the 19th century.
• Scanners were introduced more than 40 years ago.
• Cheap readers that are easy to handle
• High uniqueness
• Fairly easy to make copies

Iris
• Can be captured from a distance
• Monochrome camera with visible and near infrared light
• Liveness detection

Face
• A face image can be acquired using a normal, off-the-shelf camera.
• Easy to accept by the public.
• Cost is rather low.
• Huge problems with permanence and accuracy.

Hand geometry
• Usually two views are taken, a top view and a side view.
• The hand geometry can change due to age and health conditions

Voice
• Speaker recognition uses a microphone to record the voice.
• Text dependent or text independent
• Your voice can vary with age, illness and emotions.
• Interesting with the increasing use of mobile phones

Biometric Identifiers
Thermograms, generally, are visual displays of the amount of infrared energy emitted, transmitted, and reflected by an object, which are then converted into a temperature, and displayed as an image of temperature distribution.
Facial thermography works by detecting heat patterns created by the branching of blood vessels that are emitted from the skin. These patterns, known as thermograms, are highly unique. As a consequence, identical twins have different thermograms.

Biometric use, example: Passport
• Sweden: New passports from Oct. 1, 2005.
• Chip containing identity information and digital photo.
• EU rules state that future passports should also include your fingerprint.
• U.S. and Australia: Chip containing identity information and digital photo. No fingerprint information.

More biometric examples
• SAS – Scandinavian Airline Systems uses fingerprints to tie the person who checked in luggage to the person who passes the passenger gate.
• Routinely used with good results.

More biometric examples
• OMX Group: To enter the most secret part of the company you have to authenticate yourself with an iris scan.
• A school in Uddevalla, Sweden: To enter the dining area you needed to identify yourself with your fingerprint.
• Disney World, SeaWorld and other amusement parks and entertainment centers use fingerprints to tie tickets to their users

Privacy issues with biometrics
• Is it possible to steal a person's identity if you steal the biometric template?
• You can change your password, but you cannot change your biometrics.
• Biometric characteristics are not secrets.

Attacking a biometric system
• How do we know that a biometric system is secure?
• Is it possible to make a copy of (or even steal) the part of you that is used in the system?
• Is it possible to imitate the signal?
• Can accommodation to changes in the real user be used for attacks?
• Accuracy issues (FAR/FRR)

IT attacks on a biometric system
• Replay attacks.
  - Imitate the signal from the biometric reader
• Denial of service.
  - Specific risk due to the need for special readers
  - Overloading the processing units of the back-end subsystem with excess traffic could lead to unavailability of services
• Changes in the database.
  - Always an issue for user authentication, but allowing adjustments due to changes in the user characteristics is an extra risk here.

Securing Fingerprint Systems
• Denial-of-service: An adversary can damage the system to cause a denial-of-service to all the system users.
• Circumvention or intrusion: An unauthorized user can illegitimately gain access into the system (including by colluding with the system administrator or by pressuring a legitimate authorized user).
• Function creep: A wrongful acquisition or use of fingerprint data for a purpose other than intended.
• Repudiation: A legitimate user may deny having accessed the system.

Tokens
• "Token" is normally used for any authentication device with processing capacity
• Smart cards are a variant, differing only in input and output channels
• RFID devices can also be used

Attacking Tokens
• Authentication tokens contain personal keys, which should not be easy to reveal
• Loss is not crucial, if further use is blocked
• Far more important are system keys!!!
• System keys may protect data proving payment for services
• System keys may enable fabrication of false tokens

Hardware attacks
• Studying the equipment
  - electro-magnetic signals
  - power variations
  - time to perform operations
• Manipulating the equipment
  - probing
  - varying power
  - inducing errors and stopping operations
Remember: Your worst enemy may be the owner and user of the equipment!

Network Eavesdropping
• Network eavesdropping or network sniffing is a network layer attack consisting of capturing packets from the network transmitted by others' computers and reading the data content in search of sensitive information like passwords, session tokens, or any kind of confidential information.
• The attack could be done using tools called network sniffers. These tools collect packets on the network and, depending on the quality of the tool, analyze the collected data like protocol decoders or stream reassembling.

Defence against eavesdropping
• Use sufficient shielding around processors
• Avoid sending sensitive data, like keys, on internal buses
• Use of encryption techniques

Timing attacks
• Speeding up calculations often includes dropping unnecessary steps
• Typical example is not doing all the steps when a key bit is zero
• Time to encrypt can directly reveal the number of zero bits in the key
• Combined with power analysis, every key bit can be found

Defence against timing attacks
• Do not optimize calculation times
• Multiply with zero and add to total sum
• Branch on values, but always do the same number of steps in both branches
• If necessary (no division with zero etc.), insert dummy calculations

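The leaky square-and-multiply from the previous slide beside the "always do the same number of steps" and "multiply with zero and add" defence, as an added Python example (not from the slides). A multiplication counter stands in for measured time; Python big-integer arithmetic is not itself constant-time, so this shows the operation-count idea, not a production implementation, and the 4-bit keys are constructed.

```python
def leaky_modpow(base, exp, mod, nbits, counter):
    """Square-and-multiply that skips the multiply when a key bit is 0.
    Multiplications = nbits + (number of one bits), so the operation count
    (and hence the time) leaks the key's Hamming weight; with a power trace
    alongside, the branch taken at each bit is visible."""
    result = 1
    for bit in format(exp, f"0{nbits}b"):        # MSB first, padded to nbits
        result = result * result % mod
        counter["mul"] += 1
        if bit == "1":                            # key-dependent branch
            result = result * base % mod
            counter["mul"] += 1
    return result


def fixed_steps_modpow(base, exp, mod, nbits, counter):
    """The slide's defence: the multiply is performed on every iteration and
    the wanted value is selected arithmetically (bit * with_mul + (1 - bit) *
    result, i.e. multiply with zero and add), so no branch depends on the key
    and the count is always 2 * nbits whatever the key."""
    result = 1
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        result = result * result % mod
        counter["mul"] += 1
        with_mul = result * base % mod             # always computed
        counter["mul"] += 1
        result = bit * with_mul + (1 - bit) * result
    return result


def run(fn, base, exp, mod, nbits):
    """Return (result, multiplication count) for one exponentiation."""
    counter = {"mul": 0}
    return fn(base, exp, mod, nbits, counter), counter["mul"]


if __name__ == "__main__":
    for exp in (0b0001, 0b1000, 0b1011, 0b1111):   # constructed 4-bit keys
        print(f"key {exp:04b}: leaky={run(leaky_modpow, 3, exp, 1000, 4)[1]} "
              f"fixed={run(fixed_steps_modpow, 3, exp, 1000, 4)[1]}")
```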
Statistics in user authentication
• For identification, you must consider the probabilities that two persons ever have matching authentication data
• For identity verification (authentication), you must estimate the probability that an impostor can guess a victim's parameter value and imitate it

Statistics in biometrics
• A typical system has a threshold parameter which determines the allowed variance
• Use statistical theory for hypothesis testing
• Balance user population statistics against intended use, and set thresholds accordingly

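How the threshold parameter trades FAR against FRR, as an added Python example (not from the slides). It assumes a matcher that outputs a 0..1 similarity score and accepts when the score reaches the threshold; the genuine and impostor score samples are constructed.

```python
# Constructed matcher scores on a 0..1 similarity scale (made-up data):
# genuine scores come from users matched against their own template,
# impostor scores from users matched against someone else's template.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.69, 0.93, 0.87]
IMPOSTOR = [0.32, 0.45, 0.28, 0.51, 0.61, 0.39, 0.74, 0.22, 0.48, 0.35]


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a sample when score >= threshold.
    FAR = fraction of impostor scores accepted (false match),
    FRR = fraction of genuine scores rejected (false non-match)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(steps=100, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1."""
    return [(i / steps, *far_frr(i / steps, genuine, impostor))
            for i in range(steps + 1)]


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Threshold where FAR and FRR are closest (the equal error rate point),
    a common single-number way to compare biometric systems."""
    best_t, best_gap = 0.0, float("inf")
    for t, far, frr in sweep(steps, genuine, impostor):
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Lowest threshold whose sample FAR does not exceed max_far, together with
    the FRR genuine users then pay. This is how intended use sets the
    threshold: a high-security door tolerates less FAR and accepts more FRR."""
    for t, far, frr in sweep(steps, genuine, impostor):
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        print(f"threshold {t}: FAR, FRR = {far_frr(t)}")
    print("EER threshold:", equal_error_threshold())
    print("threshold and FRR for FAR <= 0:", threshold_for_max_far(0.0))
```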
Failure rates
• Admitting a person under the wrong identity
  - FAR – False Acceptance Rate, also called
  - FMR – False Match Rate
• Rejecting a person claiming correct identity
  - FRR – False Rejection Rate, also called
  - FNMR – False Non-Match Rate

Identity testing problems
• Suppose there are 10,000 persons on a "no fly" list
• If an airport uses identification devices with FAR=5% and FRR=5%
• A terrorist has a 5% chance of getting aboard. Send 20 and one will succeed

Example 1
• A user population has two sets of users, X with excellent characteristics for the biometric system and Y with bad characteristics.
• A user from X has FAR 0.5%
• A user from Y has FAR 5%
• An attack deliberately aimed at a Y person has 5% probability of succeeding

Example 2
• A user population has two sets of users, X with excellent characteristics for the biometric system and Y with bad characteristics. 5% belong to Y
• A user from X has FRR 0.5%
• A user from Y has FRR 5%
• Users from Y must re-authenticate every other time when using the system. And they must make three attempts one out of four times etc.

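The arithmetic behind the no-fly figures and Examples 1 and 2 above, as an added Python snippet (not from the slides). It assumes independent attempts, and it reuses Example 2's 5% share of Y users for the Example 1 population average, which the slide does not state for Example 1.

```python
def population_rate(fraction_y, rate_x, rate_y):
    """Error rate averaged over the whole population: the figure a vendor
    quotes. A targeted attacker does not see this average; they see rate_y."""
    return (1.0 - fraction_y) * rate_x + fraction_y * rate_y


def p_at_least_one(p_success, attempts):
    """Probability that at least one of `attempts` independent tries succeeds.
    Also the chance that a 1:N search against `attempts` templates produces
    at least one false match when each comparison has FAR p_success."""
    return 1.0 - (1.0 - p_success) ** attempts


def expected_successes(p_success, attempts):
    """Expected number of successful tries (the slide's 'send 20, one succeeds')."""
    return p_success * attempts


def expected_attempts(frr):
    """Expected presentations until a genuine user is accepted (geometric)."""
    return 1.0 / (1.0 - frr)


def p_needs_at_least(frr, k):
    """Probability a genuine user is rejected k-1 times in a row and so needs
    k or more attempts."""
    return frr ** (k - 1)


if __name__ == "__main__":
    # Example 1: an attack aimed at a Y user succeeds with rate_y directly,
    # whatever the population average says
    print("population FAR (5% in Y):", population_rate(0.05, 0.005, 0.05))  # 0.00725
    print("FAR seen by attack on Y :", 0.05)
    # No-fly list: FRR 5% per terrorist, 20 of them try
    print("P(at least 1 of 20 boards):", p_at_least_one(0.05, 20))   # ~0.64
    print("expected boarders         :", expected_successes(0.05, 20))  # 1.0
    # 1:N search against the 10,000-name list with per-comparison FAR 5%
    print("P(innocent flagged)       :", p_at_least_one(0.05, 10_000))  # ~1.0
    # Example 2: a Y user with FRR 5%
    print("mean attempts for Y user  :", expected_attempts(0.05))     # ~1.053
    print("P(Y user needs >= 3 tries):", p_needs_at_least(0.05, 3))  # 0.0025
```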
Recommended Literature
• Maltoni, D. et al., Handbook of Fingerprint Recognition, Springer Verlag. Chapters 1.1-1.5, 1.14-1.19
  https://link.springer.com/content/pdf/10.1007%2F978-1-84882-254-2.pdf
• Security Engineering
  http://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf
• Network Sniffers
  https://www.dnsstuff.com/packet-sniffers
• Timing Attacks
  https://en.wikipedia.org/wiki/Timing_attack

Questions?

Thank You
