Lesson 6 - Topic C
Personal Identification Verification (PIV) Card
A smart card that meets the standards for FIPS 201. It is resistant to tampering and provides quick electronic authentication of the card's owner. It is issued to civilian federal government employees and contractors.
Common Access Card (CAC)
A smart card that provides certificate-based authentication and supports two-factor authentication. Issued to military personnel, civilian employees, and contractors to gain access to Department of Defense (DoD) facilities and systems.
Extensible Authentication Protocol (EAP)
A wireless authentication protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
2-step verification mechanisms*
These generate a software token on a server and send it to a resource that is assumed to be safely controlled by the user, such as a smartphone or email account.
Time-based One-time Password Algorithm (TOTP)
This is a refinement of HOTP that forces one-time passwords to expire after a short period of time.
Voice recognition*
This is relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation.
Iris scan*
This matches patterns on the surface of the eye using near-infrared imaging. It is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance), and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.
Typing*
This matches the speed and pattern of a user's input of a passphrase.
What are the two steps in the scanning process?
1) A sensor module acquires the biometric sample from the target. 2) A feature extraction module records the significant information from the sample (features that uniquely identify the target).
Name two identity cards that have been introduced to control access to Federal property:
1) Common Access Card (CAC) 2) Personal Identification Verification (PIV) Card
What are the key metrics and considerations used to evaluate different technologies?
1) False negatives (where a legitimate user is not recognized).
1A) This is referred to as the False Rejection Rate (FRR) or Type I error.
2) False positives (where an interloper is accepted).
2A) This is referred to as the False Acceptance Rate (FAR) or Type II error.
3) False negatives cause inconvenience to users, but false positives can lead to security breaches, so FAR is usually considered the most important metric.
4) Crossover Error Rate (CER)—the point at which FRR and FAR meet.
4A) The lower the CER, the more efficient and reliable the technology.
5) Errors are reduced over time by tuning the system.
5A) This is typically accomplished by adjusting the sensitivity of the system until the CER is reached.
6) Throughput (speed)—this refers to the time required to create a template for each user and the time required to authenticate.
6A) This is a major consideration for high-traffic access points, such as airports or railway stations.
There are two types of biometric recognition based on features of the eye:
1) Retinal scan 2) Iris scan
Which behavioral technologies can be used to discriminate between (identify) users?
1) Voice recognition 2) Signature recognition 3) Typing
Several different metrics exist for identifying people. How can these metrics be categorized?
1) physical (fingerprint, eye, and facial recognition) or 2) behavioral (voice, signature, and typing pattern matching)
smart card
A device similar to a credit card with an integrated chip and data interface. It can store authentication information, such as a user's private key, on an embedded microchip.
One-time Password (OTP)
A password that is generated for use in one specific session and becomes invalid after the session ends.
token
A physical or virtual item that contains authentication data, commonly used in multifactor authentication.
802.1X
Also known as EAP (Extensible Authentication Protocol). A standard for encapsulating EAP communications over a LAN or wireless LAN and that provides port-based authentication. ___ establishes several ways for devices and users to be securely authenticated before they are permitted full network access.
HMAC-based One-time Password Algorithm (HOTP)
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
Initiative for Open Authentication (OATH)
An industry body comprising the main PKI providers, such as Verisign and Entrust. This was established with the aim of developing an open, strong authentication framework.
Retinal scan*
An infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is, therefore, one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.
physical access control*
As well as being used for computer and network logons, smart cards and proximity cards can be used as a ___ to gain access to building premises via secure gateways.
biometric authentication
Authentication schemes based on individuals' physical characteristics.
contactless*
Data is transferred using a tiny antenna embedded in the card.
The first step in setting up biometric authentication is ___.
Enrollment*
The chosen biometric information is scanned by a biometric reader and converted to binary information.
Signature recognition*
Everyone knows that signatures are relatively easy to duplicate. It is, however, more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
In the US, the ___ mandated that access to Federal property must be controlled by a secure identification and authentication mechanism (as defined in the FIPS-201 standard).
Homeland Security Presidential Directive 12 (HSPD-12)*
Smart cards and other token-based systems are often configured to work with the ___ framework.
IEEE 802.1X Port-based Network Access Control*
contact-based*
It must be physically inserted into a reader.
revocability*
Re-enrolling a genuine user with a new template.
Behavioral technologies*
Sometimes classified as "something you do." Often cheap to implement, but they tend to produce more errors than scans based on physical characteristics.
antenna
Specially arranged metal wires that can send and receive radio signals. These are used for radio-based wireless networking.
Vendors have developed proprietary ___ to address security.
biometric cryptosystems
Where fingerprint and eye recognition focus on one particular feature, ___ records multiple indicators about the size and shape of the face, like the distance between each eye, or the width and length of the nose.
facial recognition*
A contactless smart card can also be referred to as a ___.
proximity card*
The biometric ___ is recorded in a database stored on the authentication server.
template*