Abstract: Biometric identification and authentication systems. Hand shape recognition

Biometric technologies are based on biometrics, the measurement of the unique characteristics of an individual. These can be unique features a person has from birth, for example DNA, fingerprints or the iris of the eye, as well as characteristics acquired over time or capable of changing with age or under external influence, for example handwriting, voice or gait.

Principle of operation

All biometric systems work in almost the same way. First, the system records a sample of the biometric characteristic (this is called the recording, or enrollment, process). During recording, some biometric systems may ask you to provide several samples in order to compose the most accurate image of the characteristic. The information received is then processed and converted into a mathematical code. In addition, the system may ask you to perform some further action in order to "bind" the biometric sample to a specific person: for example, a personal identification number (PIN) is attached to the sample, or a smart card containing the sample is inserted into the reader. In this case, a sample of the biometric characteristic is taken again and compared with the submitted one. Identification by any biometric system goes through four stages:

  • Recording - a physical or behavioral pattern is captured by the system;
  • Extraction - unique information is extracted from the sample and a biometric template is compiled;
  • Comparison - the saved template is compared with the presented sample;
  • Match / mismatch - the system decides whether the biometric samples match and makes a decision.

The vast majority of people believe that an image of a fingerprint, a recording of a person's voice or a picture of their iris is stored in the computer's memory. In fact, in most modern systems this is not the case. A special database stores a digital code up to 1000 bits long, which is associated with a specific person authorized for access. A scanner or other device used in the system reads a specific biological parameter of the person; it then processes the resulting image or sound, converting it into a digital code. It is this code that is compared with the contents of the special database of personal identification data.
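As an added illustration of the four stages (not code from the original text), the following Python models recording several samples into a bit template, extraction by thresholding, comparison by Hamming distance and the match/mismatch decision. The 512-bit code size, the 0.20 threshold, the synthetic measurements and the noise model are all assumptions made for the example:

```python
import random

TEMPLATE_BITS = 512      # the stored code; the text says such codes are up to 1000 bits long
MATCH_THRESHOLD = 0.20   # assumed: normalised Hamming distance at or below which samples match


def extract(sample):
    """Extraction stage: reduce a raw scan to a fixed-length bit code.

    Each raw measurement (0..255, think of a local ridge orientation or an iris
    texture value) becomes one bit by thresholding. Real systems use minutiae
    or texture filters, but the property shown here is the same: the code,
    not the image, is what gets stored.
    """
    return [1 if v >= 128 else 0 for v in sample]


def enroll(samples):
    """Recording stage: combine several captures into one template by a
    per-bit majority vote, which is why systems ask for several samples."""
    codes = [extract(s) for s in samples]
    return [1 if sum(c[i] for c in codes) * 2 > len(codes) else 0
            for i in range(len(codes[0]))]


def hamming_distance(a, b):
    """Fraction of bit positions in which two codes differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(template, sample, threshold=MATCH_THRESHOLD):
    """Comparison and match/mismatch stages: returns (decision, distance)."""
    distance = hamming_distance(template, extract(sample))
    return distance <= threshold, distance


# Constructed data: a "person" is a vector of true measurements, and a
# "capture" is that vector plus uniformly distributed sensor noise.
def synthetic_person(seed):
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(TEMPLATE_BITS)]


def capture(person, noise, seed):
    rng = random.Random(seed)
    return [min(255, max(0, v + rng.randint(-noise, noise))) for v in person]


def demo():
    """Enroll one person from three noisy captures, then test a genuine
    re-capture and an impostor; returns the two (decision, distance) pairs."""
    alice, bob = synthetic_person(1), synthetic_person(2)
    template = enroll([capture(alice, 20, s) for s in (10, 11, 12)])
    genuine = verify(template, capture(alice, 20, 13))
    impostor = verify(template, capture(bob, 20, 14))
    return genuine, impostor
```

A genuine re-capture differs from the template in only a few percent of bits, while an unrelated person lands near 50%, which is what makes a fixed threshold workable.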

Static identification methods

Fingerprint

This method is based on the uniqueness of the papillary pattern on each person's fingers. The print, obtained with a special scanner, is converted into a digital code (a convolution) and compared with the previously entered reference. This technology is the most widespread of all biometric authentication methods.

By hand shape

This method is based on the geometry of the hand. Using a special device consisting of a camera and several illuminating diodes which, switching on in turn, give different projections of the palm, a three-dimensional image of the hand is built, from which a convolution is formed and the person is identified.

By the location of the veins on the front of the palm

Using an infrared camera, the pattern of veins on the front of the palm or hand is read. The resulting image is processed and a digital convolution is formed according to the arrangement of the veins.

On the retina of the eye

More precisely, this method is called identification by the blood vessels of the fundus. For this pattern to become visible, the person must look at a distant point of light while the fundus is illuminated and scanned with a special camera.

On the iris of the eye

The iris pattern is also a unique human characteristic. To scan it, there are special portable cameras with specialized software. The identification proceeds as follows. The camera captures an image of the part of the face from which the image of the eye is extracted. The iris pattern is then isolated from the image of the eye, and from it a digital code identifying the person is built.

By face shape

This identification method builds a three-dimensional image of a person's face. The contours of the eyebrows, eyes, nose, lips, etc. are highlighted on the face, the distances between them are calculated, and not just one image is built but many variants of it for cases of face rotation, tilt and change of expression. The number of images varies depending on the purpose for which the method is used (authentication, verification, remote search in large areas, etc.).

Facial thermogram

This identification method is based on the uniqueness of the distribution of the arteries in the face that supply blood to the skin and generate heat. To obtain a thermogram, special infrared cameras are used. Unlike identification by face shape, this method makes it possible to distinguish between twins.

By DNA

The advantages of this method are obvious. However, the currently existing methods of obtaining and processing DNA are so time-consuming that they can only be used for specialized examinations.

Other static identification methods

There are other methods of identification based on a person's biometric characteristics; only the most common ones are described here. For example, there are such unusual methods as identification by the subungual layer of the skin, by the volume of the fingers presented for scanning, by the shape of the ear, by body odor, etc.

Dynamic methods

Dynamic methods of biometric authentication are based on the behavioral (dynamic) characteristics of a person, that is, they are built on the features of the subconscious movements made while reproducing some action.

By handwriting

As a rule, this type of identification uses a person's signature (sometimes the writing of a code word). Depending on the required degree of protection and the equipment available (a graphics tablet, the screen of a Palm handheld computer, etc.), a digital identification code of one of two types is generated:

  • By the signature itself (for identification, only the degree of coincidence of the two images is used);
  • By the signature and the dynamic characteristics of writing (for identification, a convolution is built that includes information on the signature, the timing characteristics of signing and the statistical characteristics of the pressure dynamics on the surface).

By keyboard handwriting

The method is generally similar to the one described above, but instead of a signature a certain code word is used (when the user's personal password is used for this, such authentication is called two-factor authentication), and no special equipment is needed beyond a standard keyboard. The main characteristic used to construct the convolution for identification is the typing dynamics of the code word.

By voice

This is one of the oldest biometric technologies. At present its development has intensified, and a great future and widespread use in the construction of "smart buildings" are foreseen for it. There are many ways to construct a voice identification code; as a rule, these are various combinations of the frequency and statistical characteristics of the voice.

Other dynamic identification methods

For this group of methods, too, only the most common ones are described; there are also such unusual methods as identification by lip movement when pronouncing a code word, by the dynamics of turning a key in a door lock, etc.

Application

Biometric technologies are actively used in many areas related to ensuring the security of access to information and material objects, as well as in the tasks of unique identification of a person, in order to:

  • Access control;
  • Information protection;
  • Customer identification.

Standards

BioAPI is a BioAPI Consortium standard designed specifically to unify the software interfaces that biometric device vendors offer to software developers.

AAMVA Fingerprint Minutiae Format / National Standard for the Driver License / Identification Card DL / ID-2000 is an American standard for the format of presentation, storage and transmission of fingerprints for driver's licenses. It is compliant with the BioAPI specifications and the CBEFF standard.

CBEFF (Common Biometric Exchange File Format) is a uniform format for presenting biometric data, proposed to replace the biometric formats used by manufacturers in the various segments of the biometric systems market in their hardware and software. When creating CBEFF, all possible aspects of its application were taken into account, including cryptography, multifactor biometric identification and integration with card identification systems.

CDSA / HRS (Human Recognition Services) is a biometric module in the Common Data Security Architecture developed by Intel Architecture Labs and approved by the Open Group consortium. CDSA defines a set of APIs, which are a coherent set of functions covering such security components as encryption, digital certificates, various user authentication methods, and biometrics has been added to the list thanks to HRS. CDSA / HRS is compliant with BioAPI specifications and CBEFF standard.

ANSI / NIST-ITL 1-2000 Fingerprint Standard Revision is an American standard that defines a common format for the presentation and transmission of data on fingerprints, face, body scars and tattoos for use in US law enforcement agencies.

In Russia, standardization issues are under the jurisdiction of the relevant subcommittee of the National Technical Committee for Standardization TK 355, which since 2003 has represented the Russian Federation in the international subcommittee for standardization in the field of biometrics, ISO / IEC JTC1 / SC37 "Biometrics".

The Unified Identification and Authentication System (ESIA) is an information system in the Russian Federation that provides authorized access for participants in information interaction (citizens-applicants and officials of executive authorities) to information contained in state information systems and other information systems.

ESIA is a password for all occasions.

What is ESIA?

ESIA is the Unified Identification and Authentication System. One password to access all government websites.

Why is ESIA needed?

With the ESIA password, you do not need to register at every state website every time.

ESIA is a password for all occasions. Thanks to it, you can, directly from home using the Internet:

  • Make an appointment to see a doctor;
  • Learn about your traffic fines;
  • Apply for marriage registration;
  • Pay for the "communal apartment" (utility bills);
  • Register a car;
  • Apply for a pregnancy benefit;
  • Report a city problem and get a solution in 10 days;

and many other services through a single credential!

How is personal data protected? Who has access to it?

  • Only the owner of the password has access to personal data;
  • Data is transmitted exclusively through secure channels with the highest level of encryption;
  • The system's information security complies with the highest data protection standard, K1;
  • All information is stored on secure government servers.

What do you need to register an ESIA?

1. Passport and SNILS - to confirm the identity,

2. Mobile number - to confirm registration.

How do I get a password?

1. Go to the registration page, enter your Surname, Name and contact phone number. Then click the "Register" button

2. A confirmation code will be sent to your phone. Enter it and click the "Confirm" button

3. Set your password and click the "Save" button

4. Log in to ESIA using your phone number and password.

5. Enter your personal data (do not forget to indicate your middle name) and wait for confirmation within five minutes!

What do "Verified" and "Unverified" accounts mean?

  • An unverified account gives limited options, such as access to information services, for example viewing debts and fines;
  • With a verified account you can get any of the 119 electronic services available on the federal and regional public services portals and use all available services without restrictions.

This section will discuss some of the technical measures to improve the security of systems. The choice of the measures under consideration is due to the possibility of their implementation by the built-in tools of the operating systems of the Microsoft Windows family. Accordingly, the level of security can be increased without additional costs for specialized protection means.

The theoretical part of the course covers the methods underlying the corresponding tools and mechanisms; the labs examine the specific settings of the operating systems.

The issues under consideration can be divided into two groups:

  • issues related to the identification and authentication of users;
  • protection of transmitted messages.

Identification and Authentication

Identification is the assignment of identifiers to users (unique names or labels) under which the system "knows" the user. In addition to user identification, the identification of user groups, IS resources, etc. can be carried out. Identification is also needed for other system tasks, such as event logging. In most cases, identification is accompanied by authentication. Authentication is the verification that the user really corresponds to the identifier presented. For example, at the beginning of a session in the IS, the user enters a name and password. Based on this data, the system carries out identification (by user name) and authentication (by matching the user name and the entered password).

The identification and authentication system is one of the key elements of the infrastructure for protection against unauthorized access (NSD) in any information system. In accordance with the previously discussed multilayer security model, authentication of computer users belongs to the host security layer.

Usually there are 3 groups of authentication methods.

  1. Authentication by the user's possession of a unique object of a given type. This class of authentication methods is sometimes referred to in English as "I have". An example is authentication using smart cards or USB dongles.
  2. Authentication based on the fact that the user knows some confidential information - "I know". For example, password authentication. Password systems are discussed in more detail later in this section.
  3. Authentication of the user by his own unique characteristics - "I am". These methods are also called biometric.

Combined authentication schemes are often used that combine methods from different classes. For example, two-factor authentication - the user presents a smart card to the system and enters a PIN code to activate it.

The most common at the moment are password authentication systems. The user has an identifier and a password, i.e. secret information known only to the user (and possibly to the system), which is used to pass authentication.

Depending on the implementation of the system, the password can be one-time or reusable. Operating systems typically authenticate using reusable passwords. The identifier, the password and, possibly, additional information describing the user together make up the user account.

If an intruder has learned the password of a legal user, then he can, for example, log into the system under his account and gain access to confidential data. Therefore, special attention should be paid to password security.

As noted in the review of ISO 17799, it is recommended that users of the system sign a password confidentiality document. But an intruder can also try to guess the password, pick it by brute force, intercept it, etc. Let us consider some recommendations for administering a password system that reduce the likelihood of such threats being realized.

  1. Setting the minimum length of passwords used in the system. This makes a brute-force attack harder. As a rule, it is recommended to set the minimum length to 6-8 characters.
  2. Requiring the use of different groups of characters in the password - upper- and lower-case letters, numbers, special characters. This also complicates guessing.
  3. Periodic checks by security administrators of the quality of the passwords in use, by simulating attacks such as "dictionary" password guessing (i.e. checking for the use of natural-language words and simple character combinations such as "1234" as the password).
  4. Setting the maximum and minimum password lifetime and using the mechanism for forced change of old passwords.
  5. Limiting the number of unsuccessful attempts to enter a password (locking an account after a specified number of unsuccessful attempts to log in to the system).
  6. Keeping a password history so that users, after a forced password change, cannot choose again an old, possibly compromised password.

Modern operating systems of the Windows family allow you to configure settings that automatically enforce requirements 1, 2 and 4-6. When using a Windows domain, these requirements can be extended to all computers in the domain, thereby increasing the security of the entire network.

But when new protection mechanisms are introduced, undesirable consequences may appear. For example, the password "complexity" requirements can be confusing for an inexperienced user. In this case it will be necessary to explain that, from the point of view of Windows operating systems, a strong password contains characters from 3 of the 4 groups (upper-case letters, lower-case letters, digits, special characters). Likewise, users should be prepared for account lockout after several failed password attempts. It is necessary to explain to users what is happening, and the lockout rules themselves must be well thought out. For example, if there is a high probability that a user will lock himself out while the administrator is absent, it is better to make the lockout not permanent but for a certain period (30 minutes, an hour, etc.).

As a result, a password management policy and the accompanying documents have to be developed first, and only then is the implementation carried out.
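Added example, not from the original text: a Python model of recommendations 1-6 and the Windows "3 of 4 groups" rule, with a timed rather than permanent lockout. The history size, lockout threshold, PBKDF2 iteration count and the tiny dictionary are assumed values; passwords are stored as salted hashes rather than in clear.

```python
import hashlib
import hmac
import os
from collections import deque

# Policy values follow the recommendations in the text; HISTORY_SIZE and
# LOCKOUT_THRESHOLD are assumed, and the 30-minute lockout is the text's example.
MIN_LENGTH = 8
MIN_CLASSES = 3                    # Windows-style strength: 3 of the 4 character groups
MAX_AGE_DAYS, MIN_AGE_DAYS = 42, 1
HISTORY_SIZE = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 30 * 60
DAY = 86400
PBKDF2_ROUNDS = 50_000             # assumed; raise for production use
DICTIONARY = {"password", "qwerty", "letmein", "welcome", "admin"}   # constructed, tiny


def character_classes(pw):
    """How many of the four groups (upper, lower, digit, special) the password uses."""
    groups = (str.isupper, str.islower, str.isdigit, lambda ch: not ch.isalnum())
    return sum(any(test(ch) for ch in pw) for test in groups)


def is_simple_sequence(pw):
    """'1234', 'abcd', '9876': every character is the previous one plus or minus 1."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})


def validate_password(pw):
    """Rules 1-3 from the text; returns the list of violated rules (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(pw) < MIN_CLASSES:
        problems.append("too few character classes")
    if pw.lower().rstrip("0123456789!@#$%^&*.") in DICTIONARY:   # "Password123" -> "password"
        problems.append("dictionary word")
    if is_simple_sequence(pw):
        problems.append("simple sequence")
    return problems


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches(pw, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


class Account:
    """Rules 4-6: password age, lockout after failed attempts, password history."""

    def __init__(self, name, password, now):
        self.name, self.current, self.history = name, None, deque(maxlen=HISTORY_SIZE)
        self.failed, self.locked_until, self.set_at = 0, 0.0, now
        self.set_password(password, now, initial=True)

    def set_password(self, new, now, initial=False):
        problems = validate_password(new)
        previous = list(self.history) + ([self.current] if self.current else [])
        if any(matches(new, old) for old in previous):
            problems.append("password reused")           # rule 6: history
        if not initial and now - self.set_at < MIN_AGE_DAYS * DAY:
            problems.append("minimum password age not reached")   # rule 4
        if problems:
            raise ValueError(problems)
        if self.current:
            self.history.append(self.current)
        self.current, self.set_at = hash_password(new), now

    def login(self, pw, now):
        """Returns 'ok', 'wrong password', 'locked' or 'password expired'."""
        if now < self.locked_until:
            return "locked"
        if not matches(pw, self.current):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:         # rule 5, timed lockout
                self.failed, self.locked_until = 0, now + LOCKOUT_SECONDS
                return "locked"
            return "wrong password"
        self.failed = 0
        return "password expired" if now - self.set_at > MAX_AGE_DAYS * DAY else "ok"
```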

When using an OS of the Windows family, you can identify accounts with weak or missing passwords, for example, using the Microsoft Baseline Security Analyzer utility. It also allows you to identify other administrative errors. Lab # 3 is devoted to how to use this utility and how to configure a password policy.

Kerberos was developed at the Massachusetts Institute of Technology in the mid-1980s and is now the de facto standard for centralized authentication and distribution of symmetric encryption keys. It is supported by operating systems of the Unix family and by Windows (starting from Windows 2000), and there are implementations for Mac OS.

On Windows networks (starting with Windows 2000 Server), Kerberos v.5 (RFC 1510) authentication is implemented at the domain level. Kerberos is the main authentication protocol in the domain, but for backward compatibility NTLM is also supported.

Before considering how Kerberos works, let us look at why it was originally developed. Centralized distribution of symmetric encryption keys implies that each subscriber of the network has only one master key, which is used to communicate with the key distribution center (key server). To obtain an encryption key to protect data exchange with another subscriber, the user contacts the key server, which assigns this user and the corresponding subscriber a symmetric session key.

Kerberos provides distribution of symmetric encryption keys and authentication of users working in an unsecured network. The Kerberos implementation is a software system built on the "client-server" architecture. The client part is installed on all computers of the protected network except those on which the Kerberos server components are installed. The role of Kerberos clients can, in particular, also be played by network servers (file servers, print servers, etc.).

The server side of Kerberos is called the Key Distribution Center (KDC) and consists of two components:

  • the Authentication Server (AS);
  • the Ticket Granting Server (TGS).

The Kerberos server shares a symmetric encryption key with each subject on the network and maintains a database of the subjects and their secret keys. A diagram of the functioning of the Kerberos protocol is shown in Fig. 5.1.


Fig. 5.1.

Let's say client C is going to start interacting with the SS (Service Server - a server that provides network services). In a somewhat simplified form, the protocol involves the following steps:

  1. C-> AS: (c).

    Client C sends its identifier c to the authentication server AS (the identifier is transmitted in clear text).

  2. AS-> C: ((TGT) K AS_TGS, K C_TGS) K C,
    • K C - the master key of C;
    • K C_TGS - the key issued to C for communicating with the ticket granting server TGS;
    • (TGT) - Ticket Granting Ticket - the ticket for access to the ticket granting server

    (TGT) = (c, tgs, t 1, p 1, K C_TGS), where tgs is the identifier of the ticket granting server, t 1 is the time stamp and p 1 is the validity period of the ticket.

    At this step, the authentication server AS, after verifying that client C is in its database, returns it a ticket to access the ticket granting server and a key for communicating with that server. The entire package is encrypted with the key of client C. Thus, even if at the first step the identifier c was sent not by client C but by an intruder X, X will not be able to decrypt the message received from the AS.

    Not only the attacker but also client C itself cannot access the contents of the TGT ticket, because the ticket is encrypted with a key shared by the authentication server and the ticket granting server.

  3. C-> TGS: (TGT) K AS_TGS, (Aut 1) K C_TGS, (ID)

    where (Aut 1) is the authentication block, Aut 1 = (c, t 2), t 2 is a timestamp, and ID is the identifier of the requested service (in particular, it can be the identifier of the server SS).

    This time client C contacts the ticket granting server TGS. It forwards the ticket received from the AS, encrypted with the key K AS_TGS, and an authentication block containing the identifier c and a timestamp showing when the package was formed. The ticket granting server decrypts the TGT ticket and obtains from it information about to whom, when and for how long the ticket was issued, as well as the encryption key generated by the AS for communication between client C and the server TGS. This key is used to decrypt the authentication block. If the identifier in the block matches the identifier in the ticket, this proves that the package was actually generated by C (after all, only C knew the key K C_TGS and could correctly encrypt its identifier). Next, the validity period of the ticket and the time the package was sent are checked (step 3). If the check passes and the policy in force in the system allows client C to contact server SS, step 4 is performed.

  4. TGS -> C: ((TGS) K TGS_SS, K C_SS) K C_TGS,

    where K C_SS is the key for interaction between C and SS, and (TGS) - Ticket Granting Service - is the ticket for access to SS (note that the same abbreviation in the description of the protocol denotes the ticket granting server). (TGS) = (c, ss, t 3, p 2, K C_SS).

    The ticket granting server TGS now sends client C the encryption key and the ticket needed to access SS. The structure of the ticket is the same as in step 2: the identifier of the subject to whom the ticket was issued; the identifier of the server for which the ticket was issued; a timestamp; the validity period; the encryption key.

  5. C-> SS: (TGS) K TGS_SS, (Aut 2) K C_SS

    where Aut 2 = (c, t 4).

    Client C sends the ticket received from the ticket granting server and its authentication block to the SS with which it wants to establish a secure communication session. It is assumed that SS has already registered in the system and shares the encryption key K TGS_SS with the server TGS. With this key it can decrypt the ticket, obtain the encryption key K C_SS and verify the authenticity of the sender of the message.

  6. SS-> C: (t 4 +1) K C_SS

    The point of the last step is that now SS must prove its authenticity to C. It can do this by showing that it correctly decrypted the previous message. This is why SS takes the timestamp from the authentication block of C, modifies it in a predetermined way (increments it by 1), encrypts it with the key K C_SS and returns it to C.

The network is logically divided into Kerberos server realms. A Kerberos realm is an area of the network whose users and servers are registered in the database of one Kerberos server (or in one database shared by several servers). One realm can cover a segment of a local network, the entire local network, or combine several related local area networks. The diagram of interaction between Kerberos realms is shown in Fig. 5.2.

For interaction between realms, mutual registration of the Kerberos servers must be performed, during which the ticket granting server of one realm is registered as a client in the other realm (i.e. it is entered into the database of the authentication server and shares a key with it).

After establishing mutual agreements, a client from realm 1 (let it be K 11) can establish a session with a client from realm 2 (for example, K 21). To do this, K 11 must obtain from its ticket granting server a ticket to access the Kerberos server with whose client it wants to communicate (that is, the Kerberos server KDC2). The ticket received contains a note of the realm in which the ticket holder is registered. The ticket is encrypted with a key shared between the servers KDC1 and KDC2. Upon successful decryption of the ticket, the remote Kerberos server can be sure that the ticket was issued to a client of the Kerberos realm from which the trusting relationship... Then the protocol works as usual.

key, but also made sure of the authenticity of each other, in other words, they authenticated each other.

As for the implementation of the Kerberos protocol in Windows, the following should be noted.

  1. The user's key is generated from his password. Thus, when weak passwords are used, the effect of strong protection of the authentication process is reduced to zero.
  2. Domain controllers act as Kerberos servers, and each of them must run the Kerberos Key Distribution Center (KDC) service. The Active Directory directory service takes on the role of the repository for user and password information. The key shared between the authentication server and the ticket granting server is generated from the password of the service account krbtgt; this account is created automatically when a domain is set up and is always locked.
  3. Microsoft uses a Kerberos extension in its OS that allows public key cryptography to be used. This makes it possible to log in to the domain also using smart cards that store key information and the user's digital certificate.
  4. Using Kerberos requires synchronizing the internal clocks of the computers in the Windows domain.

To increase the security of the user authentication process, it is recommended to disable the use of the less reliable NTLM protocol and leave only Kerberos (if the use of NTLM is not required by outdated client operating systems).
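The six steps above, together with the Windows detail that the long-term key is derived from the password, as an added Python simulation (not code from the original text or from any Kerberos implementation). The toy encryption, the realm name, the principals, the ticket lifetime and the clock-skew limit are assumptions; the message structure follows the steps described:

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption (SHA-256 keystream + HMAC tag). It stands in for
# Kerberos' real encryption types and must not be used outside this illustration.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def encrypt(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password, salt=b"EXAMPLE.REALM"):
    """Windows-style: a principal's long-term key comes from its password
    (iteration count kept low for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

LIFETIME = 8 * 3600      # ticket validity period p (assumed)
CLOCK_SKEW = 300         # max authenticator age; this is why clocks must be synchronized

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) of one realm."""
    def __init__(self, principals):
        self.keys = principals                            # subjects and their secret keys
        self.k_as_tgs = derive_key("krbtgt-password")     # AS/TGS shared key (krbtgt in Windows)

    def authentication_service(self, c):
        """Steps 1-2: C sends its identifier in clear; AS answers ((TGT)K_AS_TGS, K_C_TGS)K_C."""
        if c not in self.keys:
            raise KeyError("unknown principal")
        k_c_tgs = os.urandom(32).hex()
        tgt = {"c": c, "srv": "tgs", "t": time.time(), "p": LIFETIME, "key": k_c_tgs}
        return encrypt(self.keys[c], {"tgt": encrypt(self.k_as_tgs, tgt).hex(), "key": k_c_tgs})

    def ticket_granting_service(self, tgt_blob, aut_blob, service):
        """Steps 3-4: verify TGT and authenticator, return ((TGS)K_TGS_SS, K_C_SS)K_C_TGS."""
        tgt = decrypt(self.k_as_tgs, tgt_blob)            # only AS/TGS can open the TGT
        k_c_tgs = bytes.fromhex(tgt["key"])
        aut = decrypt(k_c_tgs, aut_blob)                  # proves the sender holds K_C_TGS
        now = time.time()
        if aut["c"] != tgt["c"]:
            raise PermissionError("authenticator does not match ticket")
        if not tgt["t"] <= now <= tgt["t"] + tgt["p"]:
            raise PermissionError("TGT expired")
        if abs(now - aut["t"]) > CLOCK_SKEW:
            raise PermissionError("authenticator too old (replay?)")
        k_c_ss = os.urandom(32).hex()
        ticket = {"c": tgt["c"], "srv": service, "t": now, "p": LIFETIME, "key": k_c_ss}
        return encrypt(k_c_tgs, {"ticket": encrypt(self.keys[service], ticket).hex(), "key": k_c_ss})

class ServiceServer:
    def __init__(self, name, key):
        self.name, self.key, self.sessions = name, key, {}   # key = K_TGS_SS shared with the KDC

    def accept(self, ticket_blob, aut_blob):
        """Steps 5-6: open the ticket with K_TGS_SS, check Aut2, answer (t4+1)K_C_SS."""
        ticket = decrypt(self.key, ticket_blob)
        k_c_ss = bytes.fromhex(ticket["key"])
        aut = decrypt(k_c_ss, aut_blob)
        if aut["c"] != ticket["c"] or ticket["srv"] != self.name:
            raise PermissionError("ticket not for this client/service")
        if time.time() > ticket["t"] + ticket["p"]:
            raise PermissionError("service ticket expired")
        self.sessions[aut["c"]] = k_c_ss
        return encrypt(k_c_ss, {"t": aut["t"] + 1})

def client_login(kdc, ss, c, password):
    """Client side of all six steps; returns the session key K_C_SS on success."""
    reply = decrypt(derive_key(password), kdc.authentication_service(c))   # an intruder X fails here
    k_c_tgs, tgt = bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])
    aut1 = encrypt(k_c_tgs, {"c": c, "t": time.time()})                     # Aut1 = (c, t2)
    reply = decrypt(k_c_tgs, kdc.ticket_granting_service(tgt, aut1, ss.name))
    k_c_ss, ticket = bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])
    t4 = time.time()
    proof = ss.accept(ticket, encrypt(k_c_ss, {"c": c, "t": t4}))           # Aut2 = (c, t4)
    if decrypt(k_c_ss, proof)["t"] != t4 + 1:                               # SS proves itself to C
        raise PermissionError("server could not prove it knows K_C_SS")
    return k_c_ss

# Constructed realm: one user and one file server registered with the KDC.
KDC_DB = {"alice": derive_key("correct horse battery"), "fileserver": derive_key("fs-secret")}

def demo():
    """Full run; True when client and server ended up with the same session key."""
    kdc = KDC(KDC_DB)
    ss = ServiceServer("fileserver", KDC_DB["fileserver"])
    return client_login(kdc, ss, "alice", "correct horse battery") == ss.sessions["alice"]
```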

One of the most important protection methods for maintaining confidentiality is access control. Almost since the creation of the first multiuser operating systems, passwords have been used to restrict access. Let's remember the history.

Windows 95/98 operating systems saved the password in a PWL file (typically USERNAME.PWL) in the Windows directory. It should be noted, however, that although the contents of the PWL file were encrypted, it was quite easy to extract passwords from it. The first encryption algorithm in Windows 95 made it possible to create programs to decrypt PWL files. In Windows 95 OSR2 this flaw was eliminated. However, the OSR2 password protection system still contained several serious flaws, namely:

  • all passwords were converted to uppercase, significantly reducing the number of possible passwords;
  • the MD5 and RC4 algorithms used for encryption allowed faster password encryption, but a valid Windows password had to be at least nine characters long;
  • the password caching system was essentially unreliable: a password could only be saved safely if no one had access to your computer without proper permission.

Current operating systems (Windows XP / 2000 / 2003) use a more reliable method of protecting password authentication. At the same time, it is necessary to follow the following Microsoft recommendations:

  • the password must be at least eight characters long;
  • the password must contain large and small letters, numbers and special characters;
  • the password must be valid for no more than 42 days;
  • passwords must not be repeated.

In the future, these requirements will only become more stringent. What will this lead to, or rather, alas, what has it already led to? The more complex the passwords and the more applications require a password, the higher the likelihood that users will use the same password for all applications, including OS authentication, and moreover write it down on paper. Is this good or bad? Is it acceptable?

On the one hand, it is clearly unacceptable, since the risk of password compromise increases sharply; on the other hand, a password that is too complex (such as PqSh*98+) is difficult to keep in mind. Users will obviously either choose a simple password or constantly forget the complex one and distract the administrator from more important things. Gartner research shows that 10 to 30% of calls to companies' technical support are requests from employees to recover forgotten passwords.

According to IDC, each forgotten password costs the organization $10-25. Add to this the need to change it constantly and the requirement for unique passwords. What to do? What is the way out?

In fact, today there are several options for solving this difficult problem.

First option. A poster with a slogan is hung in a conspicuous place in the room (on the wall, on the table). The password is then a text consisting, for example, of every third character of the slogan, including spaces and punctuation marks. Without knowing the algorithm for selecting the characters, it is rather difficult to find such a password.

Second option. A random sequence of letters, numbers and special characters is used, and the resulting password is printed on a dot matrix printer on special envelopes that cannot be opened without violating their integrity. An example of such an envelope is the PIN-code envelope for a payment card. These envelopes are kept in the unit manager's safe or in the information security safe. The only difficulty with this method is the need to change the password immediately after the envelope is opened and to make another similar envelope with a new password, as well as to organize the accounting of envelopes. However, considering the time savings for network and application administrators, this price is not excessive.

The third option is multi-factor authentication based on the latest authentication technologies. Let us take two-factor authentication as an example. The main advantage of such authentication is the presence of a physical key and a PIN code for it, which provides additional resistance to attack. After all, the loss of the hardware key does not entail a compromise of the password, since, in addition to the key, a PIN code for the key is also required to access the system.

Separately, it is worth considering systems using one-time passwords, which are becoming more widespread in connection with the extensive development of Internet technologies, and biometric authentication systems.

Currently, the main way to protect information from unauthorized access (NSD) is the implementation of the so-called AAA (Authentication, Authorization, Accounting - authentication, authorization and user rights management). When using this technology, the user gains access to the computer only after successfully passing the identification and authentication procedures.

It is worth noting that the AAA segment of the global IT services market is growing constantly. This trend is highlighted in research reports from IDC, Gartner and other consulting firms. The same conclusion can be drawn by carefully reviewing the annual computer crime survey of the US Institute of Computer Security and the FBI for 2005 (Fig. 1).

Fig. 1. Volume of losses from different types of attacks in 2005, USD
The total volume of losses in 2005 was USD 130 104 542.
Number of responding enterprises (USA): 700

As the diagram shows, damage from theft of confidential information increased significantly: each of the companies surveyed lost on average more than $350,000 to theft of confidential information. This study confirms trends that have emerged over the past few years. According to the 2004 report by the Computer Security Institute and the FBI, theft of sensitive data was already one of the most dangerous threats at that time: the damage from it was about 40% of the total damage from all threats, with an average loss of more than $300 thousand and a maximum of $1.5 million.

From this we can conclude that theft of confidential information has one of the highest ratings among all IT threats in the United States. Note that the culprit cannot be found without resolving identification and authentication issues!

Among the main security services:

  • identification and authentication;
  • security control;
  • control of the integrity and authenticity of information;
  • firewalling;
  • building a VPN;
  • logging / audit;
  • differentiation of access;
  • security management;
  • content filtering;
  • encryption.

Note that access control issues must be resolved when creating any information system. Nowadays, as systems become more distributed, it is hard to overestimate the importance of correct access control. At the same time, authentication systems require ever more reliable protection from both external and internal attackers. It should be understood that users are not inclined to complicate their lives and do not try to use the most complex passwords possible. Consequently, to eliminate this, software and hardware authentication tools will increasingly be used in the future, gradually replacing traditional passwords (Fig. 2).

Fig. 2. Growth of the information security market

Classification of means of identification and authentication

Modern software and hardware identification and authentication tools can be divided, by the type of identification features used, into electronic, biometric and combined ones (Fig. 3). Because of their specific application, one-time password systems, which belong to the electronic means, can be distinguished as a separate subgroup.

Fig. 3. Classification of software and hardware identification and authentication systems

In electronic systems, identification features are represented as a code stored in a protected memory area of an identifier (carrier) and, with rare exceptions, never actually leave it. The identifiers are:

  • contact smart cards;
  • contactless smart cards;
  • USB keys (USB tokens);
  • iButton.

In biometric systems, the identification features are individual characteristics of a person, called in this case biometric features. Identification is performed by comparing the obtained biometric characteristics with templates stored in a database. Depending on the characteristics used, biometric systems are divided into static and dynamic.

Static biometrics is based on data (templates) obtained by measuring the anatomical features of a person (fingerprints, iris pattern, etc.), and dynamic biometrics - on the analysis of human actions (voice, signature parameters, its dynamics).

In my opinion, biometric authentication systems have not become widespread for several reasons:

  • the high cost of such systems;
  • lack of well-trained professional staff;
  • the complexity of setting up such systems;
  • opposition from employees, since the management gets the opportunity to control all their movements and actually control the working time.

In combined systems, several features are used simultaneously, and they can belong both to systems of the same class, and to different ones.

Electronic identification and authentication systems

Electronic identification and authentication systems include contact and contactless smart cards and USB tokens.

Contact smart cards and USB dongles

USB keys work through the computer's USB port and are made in the form of key fobs. We will look at what a USB key is using the example of the eToken from Aladdin.

eToken is a personal means of authentication and data storage that supports work with digital certificates and electronic digital signatures (EDS) in hardware. eToken comes in the form of a standard smart card or a USB key:

  • The smart card requires a PC/SC-compatible smart card reader to connect to the computer. It can also serve as a means of visual identification: information about the owner and a photo (ID badge) can be placed on the eToken PRO/SC smart card for use by the enterprise security service. Smart cards can be made of white plastic for subsequent printing (photographs, personal data, etc.), with preliminary overprinting, with a glued magnetic stripe, or as embossed cards (with raised symbols);
  • The USB key connects directly to the computer's USB (Universal Serial Bus) port, combining the functions of a smart card and its reader.

If you compare these two technologies, it becomes obvious that the choice of one of them depends on the security technology adopted by the company. So, if it is planned to introduce an automated access control and at the same time the passes must have a photo, the owner's name and other information, then it is preferable to use smart cards. However, keep in mind that you will also need to buy smart card readers.

If the access control has already been introduced and it is only necessary to provide additional control and tighten the regime for entering some premises, you should pay attention to the eToken PRO with built-in RFID tags. After all, it is much easier for the physical security service responsible for access control to control passes if they have a photo, surname and name of the owner on them, although the eToken PRO with a built-in RFID chip and a similar smart card are the same in functionality.

The main areas of application of eToken (Fig. 4):

Fig. 4. eToken capabilities

  • two-factor authentication of users when accessing servers, databases, applications, sections of websites;
  • secure storage of confidential information: passwords, EDS and encryption keys, digital certificates;
  • e-mail protection (digital signature and encryption, access);
  • protection of computers from unauthorized access (NSD);
  • protection of networks and data transmission channels (VPN, SSL);
  • client-bank, systems such as e-banking and e-commerce.

With multi-factor authentication the user gains a whole range of advantages. In particular, he needs to remember only one eToken password instead of several application passwords. In addition, there is no longer any need to change passwords regularly. And if the eToken is lost, nothing bad happens: to use a found (or stolen) eToken, one also needs to know its password. All this significantly raises the organization's level of security. Note also that eToken supports and integrates with all major systems and applications that use smart card or PKI (Public Key Infrastructure) technologies, the so-called PKI-ready applications.

The main purpose of eToken:

  • strong two-factor user authentication when accessing protected resources (computers, networks, applications);
  • secure storage of private keys of digital certificates, cryptographic keys, user profiles, application settings, etc. in the non-volatile memory of the key;
  • hardware execution of cryptographic operations in a trusted environment (generation of encryption keys, symmetric and asymmetric encryption, hash computation, generation of an EDS).

As a means of authentication, eToken is supported by most modern operating systems, business applications and information security products and can be used to solve the following tasks:

  • strong user authentication when accessing information resources: servers, databases, sections of websites, protected storages, encrypted disks, etc.;
  • login to operating systems, directory services, heterogeneous networks (operating systems Microsoft, Linux, UNIX, Novell) and business applications (SAP R / 3, IBM Lotus Notes / Domino);
  • implementation of PKI systems (Entrust, Microsoft CA, RSA Keon, as well as in certification centers and systems using domestic crypto-providers "Crypto-Pro", "Signal-Com", etc.) - storage of key information, hardware generation of key pairs and performing cryptographic operations in a trusted environment (on a smart card chip);
  • construction of document management systems, secure mail systems (based on Microsoft Exchange, Novell GroupWise, Lotus Notes / Domino) - EDS and data encryption, storage of certificates and private keys;
  • organization of secure data transmission channels using Internet transport (VPN technology, IPSec protocols and SSL) - user authentication, key generation, key exchange;
  • firewalls and protection of the network perimeter (Cisco Systems and Check Point products) - user authentication;
  • encryption of data on disks (in products such as Secret Disk NG) - user authentication, generation of encryption keys, storage of key information;
  • single point of user entry into information systems and portals (in eTrust SSO products, IBM Tivoli Access Manager, WebSphere, mySAP Enterprise Portal) and applications managed by Oracle DBMS - strong two-factor authentication;
  • protection of web servers and e-commerce applications (based on Microsoft IIS, Apache Web Server) - user authentication, key generation, key exchange;
  • security management of corporate information systems, integration of information security systems (Token Management System) - eToken is a single universal identifier to access various applications;
  • support of legacy applications and development of proprietary information security solutions.

The characteristics of the USB keys are given in Table 1.

The following types of USB dongles are on the market today:

  • eToken R2, eToken PRO - by Aladdin;
  • iKey10xx, iKey20xx, iKey 3000 - Rainbow Technologies;
  • ePass 1000, ePass 2000 - Feitian Technologies;
  • ruToken - developed by Aktiv and ANKAD;
  • uaToken - Technotrade LLC.

USB dongles are the successors of smart cards, therefore the structure of USB dongles and smart cards is identical.

Contactless smart cards

Contactless smart cards (BSC) are widely used in various applications, both for authentication (electronic pass mode, electronic door key, etc.) and for various transport, identification, payment and discount applications.

An important feature of the BSC that distinguishes it from other smart cards is the absence of mechanical contact with the device that processes data from the card. In practice, the reliability of the technical elements of systems using BSCs is determined by the reliability of the microcircuits. This leads to a significant reduction in operating costs compared with similar systems using smart cards with external contacts.

The order of operations between the BSC and the card memory reader/writer (hereinafter, the reader) is determined by the application software. When the user presents the card to the reader, a transaction takes place, that is, an exchange of data between the card and the reader and, possibly, a change of the information in the card's memory. The maximum distance for a transaction between reader and card is 10 cm; the card need not be removed from a wallet. On the one hand, this lets the user perform a transaction conveniently and quickly; on the other hand, once the card enters the antenna field it takes part in the exchange of information whether or not the user intended it.

A typical initial command sequence for a card application includes:

  • capture of the card (the first card in the reader's antenna field is selected), if necessary - enabling the anti-collision algorithm (the anti-collision command informs the application of the unique serial number of the captured card, more precisely, the unique number of the microcircuit built into the card);
  • selection of a card with a given serial number for subsequent work with the card memory or its serial number.

This sequence of commands executes in 3 ms, that is, almost instantly.

This is followed by authentication of the selected memory area of the card. It is based on secret keys and is described below. If the card and reader recognize each other, this memory area is opened for data exchange and, depending on the access conditions, read and write commands as well as specialized e-wallet commands can be executed (provided, of course, that the area was laid out accordingly when the card was personalized). A command to read 16 bytes of card memory executes in 2.5 ms; the commands to read and change the wallet balance in 9-10 ms. Thus a typical transaction, starting with capture of the card and ending with a change of 16 bytes of memory, completes in at most 16 ms.

A three-pass algorithm using random numbers and secret keys, following the ISO/IEC DIS 9798-2 standard, is used to authenticate a memory sector of the card.

In general terms the authentication process is as follows. The card's chip and the device working with it exchange random numbers. In the first step, the card sends a random number it has generated to the reader. The reader appends its own random number, encrypts the message and sends it to the card. The card decrypts the received message and compares its own random number with the one in the message; if they match, it encrypts the message again and sends it back to the reader. The reader decrypts the card's message and compares its own random number with the one received; if the numbers match, sector authentication is considered successful.
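The exchange described above, as an added example that is not part of the original article: both sides of the three-pass sector authentication, written in Python. The article does not name the card's cipher, so encryption is stood in for by an HMAC-SHA256 keystream under a fresh IV (a demonstration stand-in, not the cipher of any real card family); the reply in the third pass carries the two numbers in swapped order, as the ISO/IEC 9798-2 token construction does, so that the third message is never a copy of the second. The 16-byte sector key, the 8-byte random numbers and the class names are assumptions.

```python
import hashlib
import hmac
import os

IV_LEN = 8
NONCE_LEN = 8


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Demonstration stand-in for the card's block cipher: a fresh random IV and
    a keystream HMAC-SHA256(key, IV) XORed over the plaintext (<= 32 bytes).
    Not the cipher of any real card; only the exchange pattern matters here."""
    iv = os.urandom(IV_LEN)
    stream = hmac.new(key, iv, hashlib.sha256).digest()
    if len(plaintext) > len(stream):
        raise ValueError("plaintext too long for the stand-in cipher")
    return iv + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    stream = hmac.new(key, iv, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(body, stream))


class Card:
    """Card side: holds the sector key and opens the sector only after the
    reader has proved knowledge of that key in pass 2."""

    def __init__(self, sector_key: bytes):
        self.key = sector_key
        self.rb = None
        self.sector_open = False

    def pass1(self) -> bytes:
        self.rb = os.urandom(NONCE_LEN)            # card's random number, sent in clear
        return self.rb

    def pass3(self, token2: bytes):
        ra_rb = decrypt(self.key, token2)
        ra, rb = ra_rb[:NONCE_LEN], ra_rb[NONCE_LEN:2 * NONCE_LEN]
        if not hmac.compare_digest(rb, self.rb):
            return None                            # reader did not know the key: refuse
        self.sector_open = True
        # Reply with the numbers swapped (ISO/IEC 9798-2 token form) so the
        # third message cannot simply be the second one played back.
        return encrypt(self.key, rb + ra)


class Reader:
    """Reader side: challenges the card with its own random number and accepts
    the card only if the reply echoes both numbers under the shared key."""

    def __init__(self, sector_key: bytes):
        self.key = sector_key
        self.ra = None
        self.rb = None

    def pass2(self, rb: bytes) -> bytes:
        self.rb = rb
        self.ra = os.urandom(NONCE_LEN)
        return encrypt(self.key, self.ra + rb)     # E_K(RA || RB)

    def check3(self, token3: bytes) -> bool:
        rb_ra = decrypt(self.key, token3)
        return (hmac.compare_digest(rb_ra[:NONCE_LEN], self.rb)
                and hmac.compare_digest(rb_ra[NONCE_LEN:2 * NONCE_LEN], self.ra))


def authenticate_sector(card: Card, reader: Reader) -> bool:
    """Run the three passes; True only if both sides accepted each other."""
    rb = card.pass1()
    token2 = reader.pass2(rb)
    token3 = card.pass3(token2)
    if token3 is None:
        return False
    return reader.check3(token3) and card.sector_open


# Constructed 16-byte sector keys for the demonstration (not real card keys).
SECTOR_KEY = bytes(range(16))
WRONG_KEY = bytes(16)

if __name__ == "__main__":
    print(authenticate_sector(Card(SECTOR_KEY), Reader(SECTOR_KEY)))  # True
    print(authenticate_sector(Card(SECTOR_KEY), Reader(WRONG_KEY)))   # False
```

Two properties of the protocol are visible in the code: a reader without the sector key fails at the card's comparison in pass 3 and the sector stays closed, and the random numbers are fresh per transaction, so recording one exchange gives nothing that can be replayed against the next.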

So, work with the memory sector is possible only after successful authentication of the sector of the selected card and while the card is in the reader's antenna field. In this case, all data transmitted over the radio frequency channel is always encrypted.

The initial (so-called transport) keys and the sector access conditions are set during the initial personalization of the card at the factory and communicated secretly to the issuer. Later, during secondary personalization of the card by the issuer or the application user, the keys are usually replaced by keys known only to the issuer or user. Depending on the application, the access conditions for the card's memory sectors are also changed during secondary personalization.

Contactless smart cards are divided into Proximity identifiers and smart cards based on the international standards ISO/IEC 15693 and ISO/IEC 14443. Most contactless smart card devices are based on radio frequency identification technology (Table 2).

The main components of non-contact devices are the chip and the antenna. Identifiers can be either active (with batteries) or passive (without power supply). The identifiers have unique 32/64-bit serial numbers.

Identity systems based on PROximity are not cryptographically protected, except for special custom systems.

Each key has a factory-programmed 32/64-bit serial number.

Combined systems

The introduction of combined systems significantly increases the number of identification features and thereby raises security (Table 3).

Currently, there are combined systems of the following types:

  • systems based on contactless smart cards and USB keys;
  • systems based on hybrid smart cards;
  • bioelectronic systems.

An antenna and a microcircuit are built into the body of the USB key fob to create a contactless interface. This allows you to organize access control to the room and to the computer using a single identifier. Such a scheme for using the identifier excludes the situation when an employee, leaving the workplace, leaves a USB key in the computer connector, which makes it possible to work under his identifier.

Today, two identifiers of this type are most widely used: RFiKey - from Rainbow Technologies and eToken PRO RM - from Aladdin Software Security R.D. The RFiKey device supports USB interface 1.1 / 2.0 and works with readers of HID Corporation (PR5355, PK5355, PR5365, MX5375, PP6005) and the Russian company Parsec (APR-03Hx, APR-05Hx, APR-06Hx, APR-08Hx, H-Reader). eToken RM - eToken PRO USB dongles and smart cards supplemented with passive RFID tags.

Using eToken to control physical access

RFID (Radio Frequency IDentification) technology is the most popular contactless identification technology today. Radio frequency recognition is carried out using the so-called RFID tags attached to the object, carrying identification and other information.

In the eToken USB key family, an RFID tag can be added to the eToken PRO/32K and higher. The size of the key imposes a restriction: the RFID tag must be no more than 1.2 cm in diameter. Tags operating at 13.56 MHz, for example those made by Angstrem and HID, have such dimensions.

In addition to the traditional advantages of RFID technologies, combined USB keys and eToken smart cards, using a single "electronic pass" to control access to premises and information resources, allow:

  • reduce costs;
  • protect investments made in previously purchased access control systems by integrating eToken with most types of RFID tags;
  • to reduce the influence of the human factor on the level of information security of the organization: an employee will not be able to leave the premises, leaving the combined card at the workplace;
  • automate the tracking of working hours and movement of employees around the office;
  • implement a phased deployment by gradually replacing identifiers that have gone out of service.

Using Hybrid Smart Cards for Physical Access Control

Hybrid smart cards contain dissimilar chips: one chip supports a contact interface, the other a contactless one. As in the case of USB hybrid dongles, hybrid smart cards solve two problems: control of access to the room and to the computer. Additionally, a company logo, a photo of an employee or a magnetic stripe can be applied to the card, which allows you to replace ordinary passes with such cards and go to a single electronic pass.

Smart cards of this type are offered by the following companies: HID Corporation, Axalto, GemPlus, Indala, Aladdin, etc.

In Russia, Aladdin Software Security R.D. has developed a technology for producing hybrid smart cards, eToken PRO/SC RM, in which microcircuits with the eToken PRO contact interface are embedded in contactless smart cards. eToken PRO smart cards can be supplemented with passive RFID tags produced by HID (ISOPROx II), EM-Marin (125 kHz), Cotag (122/66 kHz), Angstrem (KIBI-002, 13.56 MHz), Mifare and other companies. The combination is chosen by the customer. Additionally, a company logo, an employee photo or a magnetic stripe can be applied to the card, which makes it possible to abandon ordinary passes in favour of a single electronic pass.

Bioelectronic systems

Typically, to protect computer systems from unauthorized access, a combination of two systems is used: a biometric one and a contact one based on smart cards or USB keys.

What lies behind the concept of "biometrics"? In fact, we use such technologies every day, but biometrics has been used as a technical method of authentication only relatively recently. Biometrics is the identification of a user by unique biological characteristics inherent only to him. Such systems are the most convenient from the users' point of view, since nothing has to be memorized and it is very difficult to lose biological characteristics.

With biometric identification, the database stores a digital code associated with a specific person. A scanner or other device used for authentication reads a specific biological parameter. Then it is processed according to certain algorithms and compared with the code contained in the database.

Simple? From the user's point of view, of course. However, this method has both advantages and disadvantages.

The advantages usually cited for biometric scanners are that they do not depend on the user (a user can, for example, make a mistake when entering a password) and that the user cannot hand his biological identifier to another person, unlike a password. It is also, for example, almost impossible to forge the pattern on a person's finger. However, as studies in the United States have shown, biometric fingerprint scanners were quite easily fooled with a dummy fingerprint or even the finger of a corpse. Denial of access by voice recognition is also common if the person simply has a cold. But the biggest drawback of biometric systems is their high cost.

All biometric technologies can be divided into two groups:

  • static methods, which are based on the physiological (static) characteristics of a person, that is, a unique property inherent in him from birth and inherent in him. Static biological features include the shape of the palm, fingerprints, iris, retina, face shape, location of veins on the hand, etc. (Table 4);
  • dynamic methods, which are based on the behavioral (dynamic) characteristics of a person - features characteristic of subconscious movements in the process of reproducing an action (signature, speech, keyboard dynamics).

Ideal biometric human characteristics (BHC) should be universal, unique, stable and collectable. Universality means that every person has the biometric characteristic. Uniqueness means that no two people can have identical BHC values. Stability is the independence of the BHC from time. Collectability is the ability to obtain the biometric characteristic from every individual. Real BHCs are not perfect, and this limits their use. An expert assessment of such BHC sources as the shape and thermogram of the face, fingerprints, hand geometry, the structure of the iris of the eye (ROG), the pattern of retinal vessels, signature, voice features, the shape of the lips and ears, and the dynamics of handwriting and gait found that none of them meets all of the requirements listed above (Table 5). A necessary condition for the use of a given BHC is its universality and uniqueness, which can be indirectly justified by its relationship with the human genotype or karyotype.

Fingerprint recognition

This is the most common static method of biometric identification, which is based on the uniqueness of the pattern of papillary patterns on the fingers for each person. A fingerprint image obtained with a special scanner is converted into a digital code (convolution) and compared with a previously entered template (reference) or a set of templates (in the case of authentication).
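To make the template comparison concrete: an added example, not from the article or from any manufacturer listed in it, that treats the "digital convolution" as a fixed-length bit template and compares it by normalized Hamming distance, in the style of iris-code matching, with a 1:1 check against one template and a 1:N search over a set of templates, the two cases the paragraph distinguishes. The 256-bit template length, the decision threshold of 0.25 and the randomly generated templates are all constructed assumptions; a real scanner's feature extraction is not shown.

```python
import random

TEMPLATE_BITS = 256          # assumed template length; real systems use their own
DEFAULT_THRESHOLD = 0.25     # assumed decision threshold (normalized distance)


def hamming_distance(a: bytes, b: bytes) -> float:
    """Normalized Hamming distance between two equal-length bit templates:
    0.0 for identical templates, about 0.5 for unrelated ones."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def verify(probe: bytes, template: bytes, threshold: float = DEFAULT_THRESHOLD) -> bool:
    """1:1 authentication: does the presented probe match this one enrolled template?"""
    return hamming_distance(probe, template) <= threshold


def identify(probe: bytes, enrolled: dict, threshold: float = DEFAULT_THRESHOLD):
    """1:N identification: the closest enrolled template as (user_id, distance),
    or None if nothing is close enough."""
    best = None
    for user_id, template in enrolled.items():
        d = hamming_distance(probe, template)
        if best is None or d < best[1]:
            best = (user_id, d)
    if best is None or best[1] > threshold:
        return None
    return best


def random_template(rng: random.Random) -> bytes:
    """Constructed stand-in for a feature extractor's output."""
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BITS // 8))


def noisy_copy(template: bytes, flip_fraction: float, rng: random.Random) -> bytes:
    """Simulate a fresh scan of the same finger: flip a fraction of the bits."""
    bits = bytearray(template)
    for pos in rng.sample(range(TEMPLATE_BITS), int(flip_fraction * TEMPLATE_BITS)):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    """Deterministic walk-through with three constructed enrolments."""
    rng = random.Random(2004)
    enrolled = {name: random_template(rng) for name in ("alice", "bob", "carol")}
    genuine = noisy_copy(enrolled["bob"], 0.10, rng)   # bob again, 10% of bits changed
    impostor = random_template(rng)                    # someone not enrolled
    return {
        "genuine_distance": hamming_distance(genuine, enrolled["bob"]),
        "genuine_verify": verify(genuine, enrolled["bob"]),
        "impostor_verify": verify(impostor, enrolled["bob"]),
        "genuine_identify": identify(genuine, enrolled),
        "impostor_identify": identify(impostor, enrolled),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The threshold is the operating point of the whole system: lowering it reduces the chance of accepting an impostor (false acceptance) and raises the chance of rejecting the legitimate user on a noisy scan (false rejection). The 1:N search also shows why identification is harder than verification: every additional enrolled template is another opportunity for an unrelated probe to fall under the threshold.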

Leading fingerprint scanner manufacturers:

  • BioLink (http://www.biolink.ru/, http://www.biolinkusa.com/);
  • Bioscrypt (http://www.bioscrypt.com/);
  • DigitalPersona (http://www.digitalpersona.com/);
  • Ethentica (http://www.ethentica.com/);
  • Precise Biometrics (http://www.precisebiometrics.com/).

Leading manufacturers of sensors (reading elements for scanning devices):

  • Atmel (http://www.atmel.com/, http://www.atmel-grenoble.com/);
  • AuthenTec (http://www.authentec.com/);
  • Veridicom (http://www.veridicom.com/).

Hand shape recognition

This static method is based on the recognition of the geometry of the hand, which is also a unique biometric characteristic of a person. Using a special device that allows you to obtain a three-dimensional image of the hand (some manufacturers scan the shape of several fingers), measurements are taken to obtain a unique digital convolution that identifies a person.

Leading manufacturers of such equipment:

  • Recognition Systems (http://www.recogsys.com/, http://www.handreader.com/);
  • BioMet Partners (http://www.biomet.ch/).

Iris recognition

This recognition method is based on the uniqueness of the iris pattern. To implement this method, you need a camera that allows you to get an image of the human eye with a sufficient resolution, and specialized software that extracts a pattern of the iris of the eye from the resulting image, which is used to build a digital code for identifying a person.

V.Shramko

PCWeek / RE No. 45, 2004

Preventing the damage associated with the loss of confidential information stored on computers is one of the most important tasks for any company. It is known that the personnel of the enterprise is often the main culprit of these losses. According to a study by the Computer Security Institute, unintentional employee errors account for 55% of this damage, and the actions of dishonest and resentful colleagues - 10% and 9%, respectively. The rest of the losses are associated with physical protection problems (natural disasters, power supply) - 20%, viruses - 4% and external attacks - 2%.

The main way to protect information from intruders is the introduction of so-called AAA, or 3A (authentication, authorization, administration) tools. Among AAA tools, a significant place is occupied by hardware and software identification and authentication systems (SIA) and devices for entering identification features (the term follows GOST R 51241-98), designed to protect computers from unauthorized access (NSD).

When an SIA is used, an employee gets access to a computer or corporate network only after successfully passing the identification and authentication procedure. Identification consists in recognizing a user by an inherent or assigned identification feature. Authentication verifies that the identification feature presented by the user actually belongs to him.

The hardware and software SIA includes identifiers, input-output devices (readers, contact devices, adapters, trusted boot boards, motherboard connectors, etc.) and the corresponding software. Identifiers are designed to store unique identifiers. In addition, they can store and process a variety of sensitive data. Input-output devices and software transfer data between the identifier and the protected computer.

In the global information security market, the AAA segment is growing steadily. This trend is highlighted in analytical reviews and forecasts from Infonetics Research, IDC, Gartner and other consulting companies.

This article will focus on combined identification and authentication systems. This choice is due to the fact that at present systems of this class provide the most effective protection of computers from unauthorized access.

Classification of identification and authentication systems

Modern SIA, according to the type of used identification signs, are divided into electronic, biometric and combined (see Fig. 1).

Figure 1 - Classification of SIA by the type of identification signs

In electronic systems, identification signs are represented in the form of a digital code stored in the memory of the identifier. Such SIAs are developed on the basis of the following identifiers:

  • contact smart cards;
  • contactless smart cards;
  • USB keys (also known as USB tokens);
  • iButton identifiers.

In biometric systems, identification features are individual characteristics of a person, called biometric characteristics. The identification and authentication of this type is based on the procedure for reading the presented biometric characteristic of the user and comparing it with a previously obtained template. Depending on the type of characteristics used, biometric systems are divided into static and dynamic.

Static biometrics (also called physiological) is based on data obtained by measuring anatomical features of a person (fingerprints, hand shape, iris pattern, pattern of facial blood vessels, retinal pattern, facial features, fragments of the genetic code, etc.).

Dynamic biometrics (also called behavioral biometrics) is based on the analysis of human actions (voice parameters, dynamics and signature shape).

Despite the many biometric characteristics available, SIA developers focus on recognition technologies based on fingerprints, facial features, hand geometry and the iris. For example, according to a report by the International Biometric Group, in the world biometric security market in 2004 the share of fingerprint recognition systems was 48%, facial features 12%, hand geometry 11%, iris 9%, voice parameters 6% and signature 2%. The remaining 12% was middleware.

In combined systems, several identification features are used simultaneously. Such integration erects additional barriers that an attacker either cannot overcome at all or overcomes only with significant difficulty. Combined systems are developed in two directions:

  • integration of identifiers within a system of one class;
  • integration of systems of different classes.

In the first case, systems based on contactless smart cards and USB keys, as well as hybrid (contact and contactless) smart cards, are used to protect computers from unauthorized access. In the second case, developers skillfully "cross" biometric and electronic SIAs (in this article such a combination is called a bioelectronic identification and authentication system).

Features of electronic identification and authentication systems

Electronic SIAs, and an analysis of the key characteristics that allow a choice in favour of one or another product, can be found in my review "Computer Protection: Electronic Identification and Authentication Systems" (see PC Week/RE, No. 12/2004, p. 18). Here I give only the main features of electronic SIAs, knowledge of which helps to understand the structure and principle of operation of combined systems.

A combined SIA may include electronic contact and contactless smart cards and USB keys. The main element of these devices is one or more built-in integrated circuits (chips), which can be memory chips, hard-wired logic chips or microprocessors. Currently, identifiers with a processor have the greatest functionality and degree of security.

The microprocessor contact smart card chip is based on a central processor, a specialized cryptographic processor (optional), random access memory (RAM), read-only memory (ROM), non-volatile programmable read-only memory (PROM), a random number generator, timers, and a serial communication port.

Random access memory is used for temporary storage of data, for example, the results of calculations performed by the processor. Its capacity is several kilobytes.

Permanent memory stores instructions executed by the processor and other non-volatile data. The information in the ROM is recorded when the card is produced. The memory capacity can be tens of kilobytes.

There are two types of PROMs used in contact smart cards: one-time programmable EPROMs and the more commonly found re-programmable EEPROMs. PROM memory is used to store user data that can be read, written and modified, and confidential data (for example, cryptographic keys) that are not accessible to application programs... The PROM capacity is tens and hundreds of kilobytes.

The central processor of a smart card (usually a RISC processor) provides the implementation of various data processing procedures, control of access to memory and control of the execution of the computational process.

The specialized cryptographic processor implements the various procedures that increase the security of the SIA:

  • generation of cryptographic keys;
  • implementation of cryptographic algorithms (GOST 28147-89, DES, 3DES, RSA, SHA-1, etc.);
  • electronic digital signature operations (generation and verification);
  • operations with a PIN code, etc.

Contactless smart cards are divided into Proximity identifiers and smart cards based on the international standards ISO / IEC 15693 and ISO / IEC 14443. The majority of contactless smart card-based SIAs are based on radio frequency identification technology. Structurally, radio frequency identifiers (see Table 1) are manufactured in the form of plastic cards, key fobs, tokens, disks, tags, etc.

Table 1 - Radio frequency identifiers

The main components of contactless smart cards are the chip and the antenna. There may also be a lithium battery inside the identifiers. Identifiers with a battery are called active, without a battery - passive. Each identifier has a unique 32/64-bit serial number.

Proximity identifiers operate at 125 kHz. The chip includes a memory microcircuit (or a hard-logic microcircuit) with auxiliary units: a programming module, a modulator, a control unit, etc. The memory capacity ranges from 8 to 256 bytes. Proximity identifiers mainly use one-time programmable EPROM, but rewritable EEPROM is also found. The memory contains a unique identifier number, a device code and service information (parity bits, bits marking the beginning and end of the code transmission, etc.).

Proximity identifiers are typically passive, i.e. they contain no chemical power source (lithium battery). In this case, the microcircuit is powered by the electromagnetic field emitted by the reader. The reader reads data at a speed of 4 kbit/s at a distance of up to 1 m.

Proximity based identification and authentication systems are not cryptographically secure (except for custom systems).
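As an added illustration (not code from the original article) of what a Proximity identifier's memory actually transmits, the Python below encodes and validates a 26-bit frame made up of an even-parity bit, an 8-bit device (facility) code, a 16-bit card number and an odd-parity bit. That layout is an assumption for illustration, since the article does not specify the frame format, and all sample values are constructed.

```python
"""Added illustration: encode/decode a 26-bit Proximity frame with parity bits.

Assumed layout (not specified by the article): 1 even-parity bit over the
first 12 data bits, 8-bit device (facility) code, 16-bit card number, and
1 odd-parity bit over the last 12 data bits. Sample values are constructed.
"""
from dataclasses import dataclass

FRAME_BITS = 26


@dataclass(frozen=True)
class ProxCredential:
    facility_code: int  # 8-bit device/facility code
    card_number: int    # 16-bit unique card number


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Return the 26-bit frame a reader would receive, as a string of 0/1."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit 8 bits, card number 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    even_p = payload[:12].count("1") % 2                 # even parity, first half
    odd_p = 1 - payload[12:].count("1") % 2              # odd parity, second half
    return f"{even_p}{payload}{odd_p}"


def decode_26bit(frame: str) -> ProxCredential:
    """Validate both parity bits and extract the credential fields.

    Parity only catches transmission errors: every bit a reader needs in
    order to accept the credential is sent in the clear and is the same on
    every read, which is why the article calls Proximity-based systems
    cryptographically insecure.
    """
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    payload = frame[1:25]
    if int(frame[0]) != payload[:12].count("1") % 2:
        raise ValueError("leading even-parity check failed")
    if int(frame[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("trailing odd-parity check failed")
    return ProxCredential(int(payload[:8], 2), int(payload[8:], 2))


def is_well_formed(frame: str) -> bool:
    """True when both parity checks pass (a transmission check, not authenticity)."""
    try:
        decode_26bit(frame)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    frame = encode_26bit(10, 12345)  # constructed sample credential
    print(frame, decode_26bit(frame))
    corrupted = frame[:5] + ("0" if frame[5] == "1" else "1") + frame[6:]
    print("corrupted frame accepted:", is_well_formed(corrupted))
```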

Contactless smart cards operate at 13.56 MHz and are divided into two classes based on the international standards ISO / IEC 15693 and ISO / IEC 14443.

The ISO / IEC 14443 standard includes versions A and B, which differ in the way the transmitted radio signal is modulated. The standard supports data exchange (read/write) at a speed of 106 kbps (the speed can be increased to 212, 424 or 848 kbps), with a reading distance of up to 10 cm.

To implement the encryption and authentication functions in ISO / IEC 14443 identifiers, three types of chips can be used: a hard-logic MIFARE chip, a processor or a cryptographic processor. MIFARE technology was developed by Philips Electronics and is an extension of ISO / IEC 14443 (revision A).

The ISO / IEC 15693 standard extends the range of the contactless identifier to 1 m. At this distance, data exchange is carried out at a speed of 26.6 kbps.

USB keys (see Table 2) are designed to work with a computer's USB port. They are manufactured in the form of key fobs in colored cases, have an operating indicator light and fit easily on a key ring. Each identifier has a unique 32/64-bit serial number programmed at the factory.

Table 2 - Characteristics of USB-keys

The following USB keys are most popular on the Russian market:

  • iKey 10xx, iKey 20xx, iKey 3000 series - developed by Rainbow Technologies;
  • eToken R2, eToken Pro from Aladdin Knowledge Systems;
  • ePass1000, ePass2000 from Feitian Technologies;
  • ruToken is a joint development of the Aktiv company and the ANKAD company.

USB dongles are the successors of contact smart cards. Therefore, the structures of USB keys and smart cards, as well as the volumes of similar storage devices, are practically identical. USB keys may include:

  • processor - control and data processing;
  • cryptographic processor - implementation of algorithms GOST 28147-89, DES, 3DES, RSA, DSA, MD5, SHA-1 and other cryptographic transformations;
  • USB controller - providing an interface with a computer USB port;
  • RAM - storage of variable data;
  • EEPROM - storage of encryption keys, passwords, certificates and other important data;
  • ROM - storing commands and constants.

Combined systems

The introduction of a combined SIA (see Table 3) into a company's information security system increases the number of identification features, thus making it possible to protect computers and the corporate network from unauthorized access more effectively. In addition, some types of systems are capable of managing and controlling physical access to buildings and premises.

Table 3 - The main functions of the combined SIA

Today on the computer security market there are combined identification and authentication systems of the following types:

  • systems based on contactless smart cards and USB keys;
  • systems based on hybrid smart cards;
  • bioelectronic systems.

Contactless smart cards and USB dongles

The hardware integration of USB dongles and contactless smart cards means that an antenna and a microcircuit supporting a contactless interface are built into the key fob body. This allows a single identifier to be used for access control both to the computer and to the office premises. To enter the office, the employee uses the identifier as a contactless card, and when accessing protected computer data, as a USB key. In addition, when leaving the room, the employee removes the identifier from the USB port (it is needed to re-enter the room later) and thereby automatically locks the computer.

In 2004, two combined identifiers of this type appeared on the Russian market:

  • RFiKey - developed by Rainbow Technologies;
  • eToken PRO RM - developed by Aladdin Software Security R.D.

The RFiKey (Figure 2) is a USB iKey with an embedded Proximity chip developed by HID Corporation.

Figure 2 - RFiKey identifier

The RFiKey supports the USB 1.1/2.0 interface and works with readers from HID Corporation (PR5355, PK5355, PR5365, MX5375, PP6005) and the Russian company Parsec (APR-03Hx, APR-05Hx, APR-06Hx, APR-08Hx, H-Reader).

The main characteristics of RFiKey include the following indicators:

  • operating frequency of the Proximity microcircuit - 125 kHz;
  • processor clock speed - 12 MHz;
  • implemented cryptographic algorithms - MD5, RSA-1024, DES, 3DES, RC2, RC4, RC5;
  • supported standards - PKCS # 11, MS Crypto API, PC / SC;
  • file system with three levels of data access;
  • supported operating systems - Windows 95/98 / ME / NT4 (SP3) / 2000 / XP / 2003.

The eToken RM identifier is an eToken Pro USB dongle with an embedded chip supporting a contactless interface (Fig. 3). The customer can choose the supplier and type of microcircuit according to his needs. Currently, the company offers radio chips manufactured by HID Corporation, EM Microelectronic-Marin, Philips Electronics (MIFARE technology), Cotag International and JSC Angstrem.

Figure 3 - eToken RM identifier

For example, the passive radio frequency identifier BIM-002 from the domestic company "Angstrem" is made in the form of a round tag. It is built on the KB5004XK1 microcircuit, which contains 64 bits of EPROM memory and a programming unit used to write the unique identification code.

The main characteristics of eToken RM with a built-in BIM-002 identifier include the following indicators:

  • frequency of BIM-002 functioning - 13.56 MHz;
  • identification code reading range - up to 30 mm;
  • processor clock speed - 6 MHz;
  • implemented cryptographic algorithms - RSA-1024, DES, 3DES, SHA-1;
  • the presence of a hardware random number generator;
  • supported standards - PKCS # 11, PKCS # 15 (CRYPTOKI), MS Crypto API, PC / SC, X.509 v3, SSL v3, S / MIME, IPSec / IKE, GINA, RAS / Radius / PAP / CHAP / PAP;
  • supported operating systems - Windows 98 / ME / NT / 2000 / XP / 2003, ASP Linux 7.2, Red Hat Linux 8.0, SuSe Linux 8.2.

In the domestic market, the estimated prices for combined identifiers are: RFiKey 1032 - from $ 41, RFiKey 2032 and RFiKey 3000 - from $ 57, eToken RM with 32 KB of protected memory and BIM-002 - from $ 52.

The price difference between combo and regular USB dongles is roughly the price of a Proximity smart card. It follows that the integration of contactless smart cards and USB dongles leads to almost no increase in hardware costs when moving to a combined identification and authentication system. The payoff is obvious: one identifier instead of two.

Hybrid Smart Cards

Hybrid smart cards contain dissimilar chips that are not connected to each other (Figure 4). One chip supports a contact interface, the others (Proximity, ISO 14443/15693) a contactless one. As with the integration of USB keys and contactless smart cards, SIAs based on hybrid smart cards solve a double problem: protecting both the company's computers and the premises in which they are located from unauthorized access. In addition, a photograph of the employee is placed on the smart card, which allows the employee to be identified visually.

Figure 4 - Structure of a hybrid smart card

The desire to integrate radio frequency contactless and contact smart card technologies is reflected in the development of many companies: HID Corporation, Axalto, GemPlus, Indala, Aladdin Knowledge Systems, etc.

For example, HID Corporation, a leading developer of SIAs based on contactless identifiers, has released ID cards that combine various technologies for reading identification features. The result of these developments was the creation of hybrid smart cards:

  • Smart ISOProx II - integration of a Proximity chip and a contact interface chip (optional);
  • iCLASS - integration of an ISO / IEC 15693 chip and a contact interface chip (optional);
  • iCLASS Prox - integration of a Proximity chip, an ISO / IEC 15693 chip and a contact interface chip (optional).

In the domestic market, prices for these products are: iCLASS - from $ 5.1; Smart ISOProx II - from $ 5.7; iCLASS Prox - from $ 8.9.

In Russia, Aladdin Software Security R.D. has developed a technology for producing eToken Pro / SC RM hybrid smart cards, in which eToken Pro contact-interface microcircuits are embedded in contactless smart cards. The firm offers smart cards from different manufacturers: JSC Angstrem (BIM-002), HID Corporation (ISOProx II), Cotag International (Bewator Cotag 958), Philips Electronics (MIFARE technology) and others. The choice of combination is determined by the customer.

Analysis of the financial costs of switching to hybrid smart cards, as in the case of combining contactless smart cards and USB keys, again confirms the triumph of the "two in one" principle. If you place a photo of an employee on the identifier, then this principle is transformed into “three in one”.

Bioelectronic systems

To protect computers from unauthorized access, biometric systems are usually combined with two classes of electronic SIA: those based on contact smart cards and those based on USB keys.

Integration with electronic systems based on contactless smart cards is mainly used in physical access control systems to premises.

As already noted, fingerprint identification technologies are leading the biometric security market today. Such an honorable place for fingerprinting is due to the following circumstances:

  • it is the oldest and most studied recognition method;
  • its biometric feature is stable: the surface of the skin on the finger does not change over time;
  • high recognition accuracy (according to the statements of the developers of fingerprint security products, the probability of a false denial of access is 10^-2, and the probability of a false acceptance is 10^-9);
  • simplicity and convenience of the scanning procedure;
  • ergonomics and small size of the scanning device;
  • the lowest price among biometric identification systems.

As a result, fingerprint scanners have become the most widely used component of combined SIAs protecting computers from unauthorized access. In second place in terms of prevalence in the computer security market are SIAs based on contact smart cards.

Examples of this kind of integration are the Precise 100 MC (Figure 5) and the AET60 BioCARDKey (Figure 6) from Precise Biometrics AB and Advanced Card Systems, respectively. To access the information resources of a computer with these tools, the user inserts a smart card into the reader and places a finger on the scanner. The fingerprint templates are stored encrypted in the secure memory of the smart card. If the fingerprint image matches the template, access to the computer is allowed. This is convenient for the user: there is no need to remember a password or PIN code, and the login procedure is greatly simplified.

Figure 5 - Product Precise 100 MC

Figure 6 - Product AET60 BioCARDKey

The Precise 100 MC and AET60 BioCARDKey products are USB devices that work in the Windows environment. Their smart card readers support all types of microprocessor cards that comply with the ISO 7816-3 standard (protocols T=0, T=1). The fingerprint readers are capacitive scanners with scanning speeds of 4 and 14 fingerprints per second for the Precise 100 MC and AET60 BioCARDKey, respectively.

To reduce the number of peripheral devices, you can integrate a fingerprint scanner and smart card reader into the USB keyboard of the protected computer. Examples of such devices are the KBPC-CID (Fig. 7) of the Fujitsu Siemens Computers alliance, the Precise 100 SC Keyboard (Fig. 8), and the Precise 100 MC Keyboard from Precise Biometrics AB.

Figure 7 - Product KBPC-CID

Figure 8 - Product Precise 100 SC Keyboard

To access the information resources of the computer, as in the previous variant, the user places the smart card in the reader and a finger on the scanner. An interesting and promising decision by the developers of combined security systems is to combine a USB key with a fingerprint identification system (hereinafter, such a device is referred to as a USB biokey). Examples of this solution are the FingerQuick USB biokey (Fig. 9) from the Japanese corporation NTT Electronics and the ClearedKey (Fig. 10) from the American company Priva Technologies.

Figure 9 - FingerQuick USB biokey

Figure 10 - ClearedKey USB Biokey

In the near future, USB bio keys may become widespread due to their advantages:

  • high level of security (a built-in fingerprint scanner; storage of secret data, in particular fingerprint templates, in the identifier's protected non-volatile memory; encryption of the data exchange with the computer);
  • hardware implementation of cryptographic transformations;
  • no separate hardware reader is required;
  • uniqueness of the feature, small size and ease of storing the identifiers.

The main disadvantage of USB bio keys is their high price. For example, FingerQuick has an approximate cost of $ 190.

Conclusion

At first glance, the combined identification and authentication systems represent some kind of expensive, exotic products. But the world experience in the development of computer security systems shows that all currently used security products were also once such exotic products. And now they are the norm for a safe life. Hence, with a high probability, it can be argued that a similar fate awaits combined systems.