Ict project (1)
Symbiosis Law School, NOIDA
ICT Project (interim submission)
-:TOPIC:-
New IC Technologies in Authentication System
Name: Yougal Mehta
BBA-LL.B (division-A)
Roll No: 58
Introduction-
In today’s information technology world, security for systems is becoming
more and more important. The number of systems that have been
compromised is ever increasing and authentication plays a major role as a
first line of defence against intruders. The three main types of authentication
are something you know (such as a password), something you have (such
as a card or token), and something you are (biometric). Passwords are
notorious for being weak and easily crackable due to human nature and our
tendency to make passwords easy to remember or writing them down
somewhere easily accessible. Cards and tokens can be presented by anyone
and although the token or card is recognisable, there is no way of knowing if
the person presenting the card is the actual owner. Biometrics, on the other
hand, provides a secure method of authentication and identification, as they
are difficult to replicate and steal. If biometrics is used in conjunction with
something you know, then this achieves what is known as two-factor
authentication. Two-factor authentication is much stronger as it requires
both components before a user is able to access anything. Biometric
identification utilises physiological and behavioural characteristics to
authenticate a person’s identity. Some common physical characteristics that
may be used for identification include fingerprints, palm prints, hand
geometry, retinal patterns and iris patterns. Behavioural characteristics
include signature, voice pattern and keystroke dynamics. A biometric system
works by capturing and storing the biometric information and then
comparing the scanned biometric with what is stored in the repository.
History-
In the mid 1980s two ophthalmologists, Drs Leonard Flom and Aran Safir,
proposed that no two irises are alike, even in twins, thus making them a good
biometric. This belief was based on their clinical experience where they
observed the distinctive features of irises including the “many collagenous
fibres, contraction furrows, coronas, crypts, colour, serpentine vasculature,
striations, freckles, rifts and pits” 2. After researching and documenting the
potential use of irises as a means of identifying people they were awarded a
patent in 1987. They then approached Dr John Daugman, a Harvard
mathematician, in 1989 to assist with creating the mathematical algorithms
required for digitally encoding an image of an iris to allow comparison with a
real time image. By 1994 the algorithms had been developed and patented
and are now used as “the basis for all recognition systems and products”
currently being developed and sold.
Tokens with an Image (Disconnected Tokens)-
A number of types of credit card size tokens are available in the market.
These tokens will contain an image or collection of images (an array of
images). At the time of registration, the user has to choose a pattern using
the token. Combining these two, the user will generate an OTP and submit it to
the two-factor authentication product.
These tokens are very cheap when compared with the other hardware
tokens, since they may or may not involve any electronics cost. These tokens
are easy to carry as they are exactly credit card size and weight. They can
easily fit into pockets. These tokens are cost effective, as they can be easily
manufactured, even if a token is lost.
Smartcards-
Smart cards are about the same size as a credit card. Some vendors offer
smart cards that perform both the function of a proximity card and network
authentication. Users can authenticate into the building via proximity
detection and then insert the card into their PC to produce network logon
credentials. In fact, they can be multi-purposed to hold several sets of
credentials, as well as electronic purse functionality, for example for use in a
staff canteen. They can also serve as ID badges.
In some countries, notably in Europe and Asia, banks and financial
institutions have implemented Chip Authentication Program technology
which pairs a banking smart card with an independent, unconnected card
reader. Using the card, reader and ATM PIN as factors, a one-time password
is generated that can then be used in place of passwords. The technology
offers some support against transaction alteration by facilitating Transaction
Data Signing, where information from the transaction is included in the
calculation of the one-time password, but it does not prevent man-in-the-
middle attacks or man-in-the-browser attacks because a fraudster who is in
control of the user's internet or is redirecting the user to the legitimate
website via a hostile proxy may alter the transaction data "in-line" before it
arrives at the web-server for processing, resulting in an otherwise valid
transaction signature being generated for fraudulent data.
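How binding the one-time password to the transaction data lets the server reject data altered after signing, as an added Python example that is not from the original project: HMAC-SHA256 with decimal truncation stands in for the card's real cryptogram, and the function names, field layout and counter window are assumptions.

```python
import hashlib
import hmac
import struct


def tds_code(card_key: bytes, counter: int, account: str,
             amount_cents: int, digits: int = 8) -> str:
    """Derive a one-time code bound to the payee account and amount."""
    acct = account.encode()
    # Length-prefix the account so field boundaries cannot be shifted.
    msg = (struct.pack(">QH", counter, len(acct)) + acct
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: recompute the code over the transaction it received."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.counter = 0          # last counter value accepted

    def verify(self, account: str, amount_cents: int, code: str,
               window: int = 3) -> bool:
        # Accept only counters ahead of the last one, so codes are single-use.
        for ctr in range(self.counter + 1, self.counter + 1 + window):
            expected = tds_code(self.card_key, ctr, account, amount_cents)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.counter = ctr
                return True
        return False
```

The check proves only that the code matches the account and amount that were signed; if those were already altered before signing, as the paragraph above describes, the code still verifies.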
As has already been indicated, there are two kinds of smartcard: contact
smartcards with a pattern of gold plated contacts, and contactless or
proximity cards, with an RFID chip embedded within the plastic. The former
are more often used in banking and as a 2nd factor, and can be conveniently
carried with other credit/debit/loyalty cards in a wallet. They are normally
loaded with an X.509 certificate. However, they do need a special reader.
Some laptops and thin client terminals have a smartcard reader built in, and
PCCard smartcard readers are available which can be kept permanently
within the shell of the laptop. Alternatively, USB smartcard readers are
available which are no more expensive than many display tokens; in fact,
some smartcards have an interface which is electrically (but not
mechanically) USB, so that the reader needs no intelligence whatsoever and
consequently can be very cheap. Even so, it is less convenient than a built-in
or PCCard reader, but is a good option for a desktop computer.
Wireless-
Contactless smartcards as described above can be used as a second factor.
Other forms of RFID token can be used, as well as Bluetooth.
Magnetic Stripe Cards-
Magnetic stripe cards (credit cards, debit cards, ATM cards, loyalty cards,
gift cards, etc.) are easily cloned and so are being or have been replaced in
various regions by smartcards. However, even though the data on the
magnetic stripe is easily copied, researchers at Washington University in St.
Louis have found that the random and unique disposition of the billions of
individual magnetic particles on each magnetic stripe can be used to derive a
“magnetic fingerprint” which is virtually impossible to clone. This is an
example of a physically unclonable function. Special magnetic card readers
have been developed and commercialised under the name “Magneprint”,
which can digitise this fingerprint in order to positively identify an individual
card.
Perfect Paper Passwords (PPP)-
PPP is an authentication mechanism devised by Steve Gibson and based on a
type of one time pad, unencumbered by patents or licence fees. The user is
given a printed card (which can be conveniently formatted into a wallet-
friendly credit card size) containing an array of pseudo-random numbers
generated from a secret seed. To authenticate him/herself, the user is
challenged with a row and column from the current sheet of the pad and has
to respond with the corresponding pseudo-random number.
The secret seed is protected by a cryptographic process which is used to
generate the pseudo-random numbers, but there is nothing to stop a card
being stolen or copied. Should this occur, it can be invalidated at the
authentication screen and a new (hopefully, uncompromised) card can be
used. New cards can be printed out by the user at any time.
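The row-and-column challenge described above, as an added Python example that is not from the original project and is not Gibson's PPP algorithm: HMAC-SHA256 stands in for the cryptographic process, and the card layout, alphabet and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROWS, COLS = 10, 7                              # assumed card layout
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"   # 32 symbols, no look-alikes


def passcode(seed: bytes, sheet: int, row: int, col: int, length: int = 4) -> str:
    """Derive the code printed at (sheet, row, col) from the secret seed."""
    msg = f"{sheet}:{row}:{col}".encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def print_card(seed: bytes, sheet: int) -> list:
    """Build one sheet of the pad as a ROWS x COLS grid of codes."""
    return [[passcode(seed, sheet, r, c) for c in range(COLS)] for r in range(ROWS)]


class Verifier:
    """Server side: issues challenges and checks each cell at most once."""

    def __init__(self, seed: bytes):
        self.seed, self.sheet, self.used = seed, 0, set()

    def challenge(self):
        if len(self.used) == ROWS * COLS:       # sheet exhausted: roll over
            self.invalidate_sheet()
        free = [(r, c) for r in range(ROWS) for c in range(COLS)
                if (self.sheet, r, c) not in self.used]
        row, col = secrets.choice(free)
        return self.sheet, row, col

    def verify(self, sheet: int, row: int, col: int, response: str) -> bool:
        cell = (sheet, row, col)
        if sheet != self.sheet or cell in self.used:
            return False                        # stale sheet or replayed cell
        self.used.add(cell)                     # burn the cell even on a miss
        expected = passcode(self.seed, sheet, row, col)
        return hmac.compare_digest(expected.encode(), response.upper().encode())

    def invalidate_sheet(self) -> None:
        """Card stolen or copied: move on so its codes stop being accepted."""
        self.sheet += 1
        self.used.clear()
```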
Mobile phones-
There is presently only limited discussion on using wired phones for
authentication; most applications focus on use of mobile phones instead.
A new category of TFA tools transforms the PC user's mobile phone into a
token device using SMS messaging, an interactive telephone call, or a
downloadable application to a smartphone. Since the user now
communicates over two channels, the mobile phone becomes a two-factor,
two-channel authentication mechanism.
Smartphone Push-
The push notification services offered by modern mobile platforms, such as
iPhone's APNS and Android's C2DM, can be used to provide a real-time
challenge/response mechanism on a mobile device. Upon performing a
sensitive transaction or login, the user will instantly receive a challenge
pushed to their mobile phone, be prompted with the full details of that
transaction, and be able to respond to approve or deny that transaction by
simply pressing a button on their mobile phone. Smartphone push two-factor
authentication has the capability to not only be more user-friendly, but also
more secure as a mutually authenticated connection can be established to
the phone over the data network.
Password security-
Another concern is the security of the TFA tools and their systems. Several
products store passwords in plain text for either the token or smart card
software or its associated management server.
A further argument holds that there is nothing to stop a user
(or intruder) from manually providing logon credentials that are stored on a
token or smart card. For example, to show all passwords stored in Internet
Explorer, all an intruder has to do is to boot the Microsoft Windows OS into
safe mode (with network support) and to scan the hard drive (using certain
freely available utilities). However, making it necessary for the physical
token to be in place at all times during a session can negate this.