Goals and Results
SP1: Methods and Tools
SP2: Academic System
SP3: Correct Industrial
SP4: Biometric Identification
SP5: Project Management
Auf Deutsch, Bitte!
Verisoft also aims at verifying an industrial biometric identification
system. An access system on a host compares biometric data from any
biometric sensor with a reference template stored on a smartcard and
grants or denies access depending on the degree of similarity between
both sets of data. The access software, the cryptographic primitives
and their combination, and the security of the underlying
cryptographic protocols will be formally verified. Protecting the
individual’s reference template from misuse by malicious
attackers on the host system is of high relevance in this subproject.
The subproject is headed by T-Systems, whereas T-Systems is in a
strong cooperation with DFKI, TU Munich, TU Darmstadt and Saarland
University (Prof. Finkbeiner).
There are many applications where identification and authentication of a person is required. The security policy determines the strength of authentication relating to the protection needs of information or resources. There are three methods to verify an identity presented to the system:
Each of the methods as well as all possible combinations determine a
specific security level. In this project a high level security authentication system is introduced that combines biometrics and smartcards. The system can operate in offline mode.
From the results of field trials we have learned that there are some
unavoidable problems in all biometric systems
- something you know (PIN, Password, Passphrase);
- something you have (smartcards, RF-ID, other token);
- something you are (physiological or behavioral characteristics = biometrics).
The basic idea of the Chipcard based Biometric Identification System (CBI System) is the smart combination of the established smartcard
based methods and the novel biometrics based methods in order to avoid
the problems mentioned above.
- A fault in the biometrics authentication, i.e. the admittance of unauthorised or the rejection of authorised persons, is part of the normal course of operations in a biometric system.
- For each biometric system there are always persons who do not show the characteristic to a degree sufficient for capturing with a biometric device, or who do not possess the characteristic at all. Therefore, each biometric method needs an alternative backup system.
- Because most live checks in biometric systems do not work efficiently, these biometric systems have to be supervised.
- Because this is a lifelong fixation of a user to his biometric data and according to German Federal Data Protection Act (Datenschutzgesetz) we need a complete solution for the privacy-problems before we can put the biometric system into operation.
Security objectives of the CBI-System
The CBI-System realizes an access control of computer resources as
well as of buildings. It uses the biometric based method in
combination with the token based method to identify and authenticate a
user while the token is a cryptographic smartcard. The calling
application gets a positive or negative answer from the
SBV-System. One or more different and independent biometric reference
templates are stored on the smartcard. So a user can be authenticated
by using different biometrics according to the security policy and the
security level. There are two main security objectives that have to be
fulfilled by the CBI-System:
The first security objective combines the biometric based and the
token based authentication methods to reach a higher security level
than each of the both methods can provide alone. To be authenticated
positively by the system a user first has to present a valid smartcard
and then his biometric characteristic. In addition it motivates the
use of the biometric system in the verification mode. The security
level of a biometric system in identification mode is as high as the
quality of the worst reference template in the database.
The second security objective is directly derived from data privacy
acts which recommends a decentral storing of any biometric
data because they can't be altered and they belong to a person for a
long time in contrast to PIN's and passwords which relate to a person
and can be altered at any time. A person should be able to hold all
necessary authentication data and to keep it under his own control.
In this subsection, more detailed security requirements are formulated according to the security objectives.
- increase the security level of fooling the access control system by using two different authentication methods in combination
- the biometric reference data or reference template are stored locally according to privacy requirements
In order to fulfill the requirements given in the subsection above the
following security functions have to be implemented.
- the host only accepts valid smartcards
- the smartcard only accepts valid hosts
- the biometric data and the biometric reference data must be handled confidentially
- the host only accepts valid biometric reference data
- after the matching process the fresh biometric data and the reference data have to be deleted
- the biometric authentication is successful if the biometric data and the biometric reference data are sufficiently congruent
- failed biometric matchings are tolerated, but have to be counted
- smartcard and host do mutual authentication and the communication is encrypted
- an error counter of failed authentications is introduced
- the reference data is digitally signed
- all biometric data is overwritten by random numbers after the matching
- an error counter of failed biometric verifications is introduced
Content of AP4.1 is in a first step the formalization of the
standardized communication protocol between the chipcard, the chipcard
terminal and the host (T=1, ISO/IEC 7816-3). In a second step the
deadlock characteristic of the communication protocol will be verified
(common work with Saarland University (Group Prof. Finkbeiner)).
- Do the security functions meet the security requirements?
- Does the source code implement the same security functions as in the top level design?
AP 4.2 Protocol of the CBI-System
The aim of AP 4.2 is the proof that the security functions meet the
security requirements using various techniques as cryptographic
protocol verification and information flow control. The specification
of the system is done in Unified Modeling Language. The formalization
and verification will be done in UMLsec by TU Munich and VSE by
DFKI. The formalization and verification of the cryptographic
primitives is done by TU Darmstadt.
AP 4.3 Implementation of the CBI-System
AP 4.3 will answer the second question: Does the source code implement
the same security functions as in the top level design? The CBI-System
will be implemented in C-Code (later C0 Code) in order to verify it's
correctness against the formal specification. It's a cooperative work
with DFKI and TU-Munich.
The CBI-System is divided into three main parts which are a computer
system, the biometric sensor and the smartcard that communicates with
the computer system via a smartcard terminal. The host software
running on the computer system implements the feature extracting unit,
the matching unit, the communication channel between them as well as
several cryptographic functions and keys. In addition a display gives
the user a feedback of the biometric matching. The display can be a
pop up window on the screen or a green and red LED integrated in the
sensor. The general construction is shown in the following figure.
The CBI-System can be used as an access control system of computer
resources and as an access control of rooms and buildings. To put the
former scenario into practice the computer system can be a personal
computer or a workstation on which the host software is running. The
host software is for instance the PAM module as it is known from UNIX
systems. The biometric sensor and the smartcard terminal is externally
connected to the computer system.
In the latter scenario the host software is equal to the computer
system and is simply a micro-controller with storage capacity. The
biometric sensor is internally connected to the host software. Both
can be put in a tamper-proof box and installed beside the access
controlled door. In a further step the smartcard terminal can as well
be integrated in the box.
The demonstrator "keystroke-dynamics with template on card" shows all
elements of the Chipcard based Biometric Identification System. A PC
with keyboard is needed, the keyboard acts as biometrics sensor. A
chipcard-reader, a TCOS-chipcard and the demo-software are included in
delivery. The system can enrol the keystroke-behavior of the user, the
biometric template will be stored on the chipcard. With this chipcard
it is possible to verify the identity of the user anytime at any
Verisoft-demonstrator. The system compares the keystroke-behavior of
the test person with extract of the keystroke-behavior in the biometric
template. In the following figure the main components of the
CBI-System demonstrator are shown.
- Gunter Lassmann (edt.), Bewertungskriterien zur Vergleichbarkeit biometrischer Verfahren, Version 2.0, 10. Juli 2002, TeleTrusT Working Group 6 'Biometrische Identifikationsverfahren'.
- Gunter Lassmann, "Some results on robustness, security, and usability of biometric systems", Proc. ICME 2002, Lausanne, Switzerland, Aug. 2002, vol. 2, pp. 577-580.