Information Security:

An Introduction
Definition

◼ Information security is a “well-informed sense of

assurance that the information risks and controls are
in balance.” — Jim Anderson, Inovant (2002)
◼ Does not guarantee the safety of an organization,
information, or computer systems
❑ Involves in examining threats and vulnerabilities of an
organization and managing them appropriately
❑ Take appropriate preventative steps to guard information
and capabilities against these threats
◼ Security professionals must review the origins of this
field to understand its impact on our understanding
of information security today
History

◼ Computer security began immediately after

the first mainframes were developed
❑ Groups developing code-breaking computations
during World War II created the first modern
computers
❑ Multiple levels of security were implemented
◼ Physical controls to limit access to sensitive
military locations to authorized personnel
◼ Rudimentary in defending against physical
theft, espionage, and sabotage
1960s to 1980s

◼ 1960s – US Department of Defense’s Advanced

Research Project Agency (ARPA) began to examine
feasibility of redundant networked communications
◼ Larry Roberts, who known as the founder of
internet, developed ARPANET from its inception
◼ Early 1970s – ARPANET grew in popularity as did
its potential for misuse
◼ Late 1970s – microprocessor expanded computing
capabilities and security threats
1960s to 1980s

◼ Information security began with “Rand Report

R-609: Security Control for Computer Systems”
(paper that started the study of computer security)
◼ Scope of computer security grew from physical
security to include:
❑ Safety of data
❑ Limiting unauthorized access to data
❑ Involvement of personnel from multiple levels of an
organization
◼ At this stage, the concept of computer security
evolved into the more sophisticated system we call
information security
Key Dates for Seminal Works in Early Computer Security
2000 to Present

◼ The Internet brings millions of computer

networks into communication with each other
—many of them unsecured
◼ Ability to secure a computer’s data influenced
by the security of every computer to which it
is connected
◼ Growing threat of cyber attacks has
increased the need for improved security
What is Security

◼ “The quality or state of being secure—to be free

from danger”
◼ A successful organization should have multiple
layers of security in place:
❑ Physical security - To protect the physical items, objects, or
areas of an organization from unauthorized access and
misuse.
❑ Personal security - To protect the individual or group of
individuals who are authorized to access the organization
and its operations.
❑ Operations security - To protect the details of a particular
operation or series of activities.
What is Security

◼ Layers of security continued:

❑ Communications security - To protect an organization’s
communications media, technology, and content.
❑ Network security - To protect networking components,
connections, and contents.
❑ Information security- To protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing or transmission. It is achieved via the
application of policy, education, training and awareness,
and technology.
Components of Information Security
What is Security

◼ The protection of information and its critical

elements, including systems and hardware
that use, store, and transmit that information
◼ Necessary tools: policy, awareness, training,
education, technology
◼ C.I.A. triangle
❑ Was standard based on confidentiality, integrity
and availability
❑ Now expanded into list of critical characteristics of
information
 Integrity

Confidentiality Availability

Security Goal
Critical Characteristics of Information
The value of information comes from the characteristics it
◼
possesses:

❑ Availability – Enables users who need to access information to

do so without interference or obstruction and in the required
format. The information is said to be available to an authorized
user when and where needed and in the correct format.
❑ Accuracy – Free from mistake or error and having the value that
the end user expects. If information contains a value different
from the user’s expectations due to the intentional or
unintentional modification of its content, it is no longer accurate.
❑ Authenticity –The quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic
when it is the information that was originally created, placed,
stored, or transferred.
Critical Characteristics of Information
◼ Characteristics continued:
Confidentiality – The quality or state of preventing disclosure or
❑
exposure to unauthorized individuals or systems.
Integrity – The quality or state of being accurate, complete, and
❑
authorised. The integrity of information is threatened when the
information is exposed to corruption, damage, destruction, or
other disruption of its authentic state.
Utility – The quality or state of having value for some purpose or
❑
end. Information has value when it serves a particular purpose.
This means that if information is available, but not in a format
meaningful to the end user, it is not useful.
Possession – The quality or state of having ownership or control
❑
of some object or item. Information is said to be in possession if
one obtains it, independent of format or other characteristic.
While a breach of confidentiality always results in a breach of
possession, a breach of possession does not always result in a
breach of confidentiality.
CNSS Security Model

The McCumber Cube

Cryptography
◼ Can protect confidentiality and integrity, but
not availability
◼ Confidentiality - Hide the secret data from
unauthorised personnel
◼ Integrity – Make sure the data is not
tampered during transmission
◼ Availability – cannot be control by
cryptosystem, e.g. unplug network cable

16
Cryptographic Concepts
◼ Encryption: a means to allow two parties,
customarily called Alice and Bob, to establish
confidential communication over an insecure
channel that is subject to eavesdropping.

Alice Bob

Eve 17
Encryption and Decryption
◼ The message M is called the plaintext.
◼ Alice will convert plaintext M to an encrypted
form using an encryption algorithm E that
outputs a ciphertext C for M.
Communication
Sender Recipient
channel

encrypt decrypt

ciphertext plaintext
plaintext

shared shared
secret secret
key key
Attacker
(eavesdropping)

18
Encryption and Decryption
◼ As equations:
C = E(M)
M = D(C)
◼ The encryption and decryption algorithms are
chosen so that it is infeasible for someone other
than Alice and Bob to determine plaintext M from
ciphertext C. Thus, ciphertext C can be
transmitted over an insecure channel that can be
eavesdropped by an adversary.

19
Caesar Cipher
◼ Replace each letter with the one “three over” in the alphabet.
◼ Can be represented by using modular arithmathic:
❑ En(x) = (x + n) mod 26
❑ Dn(x) = (x – n) mod 26

20
Public domain image from http://commons.wikimedia.org/wiki/File:Caesar3.svg
Symmetric Cryptosystems
◼ Alice and Bob share a secret key, which is
used for both encryption and decryption.

Communication
Sender Recipient
channel

encrypt decrypt

ciphertext plaintext

plaintext

shared shared
secret secret
key key

Attacker
(eavesdropping)

21
Symmetric Key Distribution
◼ Requires each pair of communicating parties
to share a (separate) secret key.
shared
secret

shared
secret
shared shared shared
secret secret secret

n (n−1)2
keys
shared
22
secret
Public-Key Cryptography

23
 Public-Key Cryptography
Separate keys are used for encryption and
decryption.
Communication
Sender Recipient
channel

encrypt decrypt

plaintext ciphertext plaintext

plaintext

public private
key key

Attacker
(eavesdropping)
Public Key Distribution
◼ Only one key is needed for each recipient

private private

public public

n key
public public
pairs

private private
25
Digital Signatures

26
Cryptographic Hash Functions
◼ A checksum on a message, M, that is:
◼ One-way: it should be easy to compute
Y=H(M), but hard to find M given only Y
◼ Collision-resistant: it should be hard to find
two messages, M and N, such that
H(M)=H(N).
◼ Examples: SHA-1, SHA-256, MD5.

27
Message Authentication Codes
◼ Allows for Alice and Bob to have data integrity, if they share a
secret key.
◼ Given a message M, Alice computes H(K||M) and sends M and
this hash to Bob.
Communication
channel

(attack detected)
h 6B34339 4C66809 4C66809
=? 87F9024 h
message M MAC MAC received computed
MAC MAC message
M’

shared shared
secret secret
key key
Sender Attacker Recipient
(modifying) 28
Digital Certificates
◼ certificate
authority (CA)
digitally signs a
binding between an
identity and the
public key for that
identity.

29
Access Control Models
◼ Users and groups ◼ Which users can
◼ Authentication read/write which files?
◼ Passwords ◼ Are my files really safe?
◼ File protection ◼ What does it mean to
◼
be root?
Access control lists
◼ What do we really want
to control?

30
Access Control Matrices
◼ A table that defines permissions.
❑ Each row of this table is associated with a subject, which
is a user, group, or system that can perform actions.
❑ Each column of the table is associated with an object,
which is a file, directory, document, device, resource, or
any other entity for which we want to define access rights.
❑ Each cell of the table is then filled with the access rights for
the associated combination of subject and object.
❑ Access rights can include actions such as reading, writing,
copying, executing, deleting, and annotating.
❑ An empty cell means that no access rights are granted.

31
Example Access Control Matrix

32
Access Control Lists
◼ It defines, for each object, o, a list, L, called o’s
access control list, which enumerates all the
subjects that have access rights for o and, for each
such subject, s, gives the access rights that s has
for object o.

/etc/passwd /usr/bin/ /u/roberto/ /admin/

root: r,w root: r,w,x root: r,w,x root: r,w,x

mike: r mike: r,x roberto: r,w,x backup: r,x
roberto: r roberto: r,x backup: r,x
backup: r backup: r,x

33
Capabilities
/etc/passwd: r,w,x; /usr/bin: r,w,x;
root /u/roberto: r,w,x; /admin/: r,w,x
◼ Takes a subject-
centered approach to
access control. It
mike /usr/passwd: r; /usr/bin: r,x
defines, for each
subject s, the list of the
objects for which s has
/usr/passwd: r; /usr/bin: r;
nonempty access roberto /u/roberto: r,w,x

control rights, together

with the specific rights
for each such object. /etc/passwd: r,x; /usr/bin: r,x;
backup /u/roberto: r,x; /admin/: r,x

34
Role-based Access Control
◼ Define roles and then specify access control
rights for these roles, rather than for subjects
directly. Department
Chair

Administrative Lab System Undergraduate Graduate

Manager Manager Administrator TA TA

Lab Backup Undergraduate Graduate

Accountant Secretary
Technician Agent Student Student

Administrative Technical
Faculty Student
Personnel Personnel

Department
Member 35
Passwords
◼ A short sequence of characters used as a
means to authenticate someone via a secret
that they know.

◼ Userid:
◼ Password:

36
 How a password is stored?

User
Password file
Dog124 Butch:ASDSA
21QW3R50E
ERWWER323
…
…

hash function
 Strong Passwords
What is a strong password
UPPER/lower case characters
Special characters
Numbers
When is a password strong?
Seattle1
M1ke03
P@$$w0rd
TD2k5secV
38
 Password Complexity
A fixed 6 symbols password:
Numbers
106 = 1,000,000
UPPER or lower case characters
266 = 308,915,776
UPPER and lower case characters
526 = 19,770,609,664
32 special characters (&, %, $, £, “, |, ^, §, etc.)
326 = 1,073,741,824
94 practical symbols available
946 = 689,869,781,056
ASCII standard 7 bit 27 =128 symbols
1286 = 4,398,046,511,104
39
 Password Length
26 UPPER/lower case characters = 52 characters
10 numbers
32 special characters
=> 94 characters available

5 characters: 945 = 7,339,040,224

6 characters: 946 = 689,869,781,056
7 characters: 947 = 64,847,759,419,264
8 characters: 948 = 6,095,689,385,410,816
9 characters: 949 = 572,994,802,228,616,704

40
Password Validity: Brute Force Test
Password does not change for 60 days
how many passwords should I try for each
second?
5 characters: 1,415 PW /sec
6 characters: 133,076 PW /sec
7 characters: 12,509,214 PW /sec
8 characters: 1,175,866,008 PW /sec
9 characters: 110,531,404,750 PW /sec

41
 Secure Passwords
A strong password includes characters from at
least three of the following groups:

Use pass phrases eg. "I re@lly want to buy 11

Dogs!"

42
 Direct Attacks on
Computational Devices

43
Social Engineering
◼ Pretexting: creating a story that convinces
an administrator or operator into revealing
secret information.
◼ Baiting: offering a kind of “gift” to get a user
or agent to perform an insecure action.
◼ Quid pro quo (from the Latin meaning "what
for what"): offering an action or service and
then expecting something in return.

44
Environmental Attacks
◼ Electricity. Computing equipment requires
electricity to function; hence, it is vital that such
equipment has a steady uninterrupted power supply.
◼ Temperature. Computer chips have a natural
operating temperature and exceeding that
temperature significantly can severely damage
them.
◼ Limited conductance. Because computing
equipment is electronic, it relies on there being
limited conductance in its environment. If random
parts of a computer are connected electronically,
then that equipment could be damaged by a short
circuit (e.g., in a flood).

45
Eavesdropping
◼ Eavesdropping is the process of secretly listening in on another
person’s conversation.
◼ Protection of sensitive information must go beyond computer
security and extend to the environment in which this
information is entered and read.
◼ Simple eavesdropping techniques include
❑ Using social engineering to allow the attacker to read information
over the victim’s shoulder
❑ Installing small cameras to capture the information as it is being
read
❑ Using binoculars to view a victim’s monitor through an open
window.
◼ These direct observation techniques are commonly referred to
as shoulder surfing.

46
 Wiretapping
◼ Many communication networks employ
the use of inexpensive coaxial copper
cables, where information is transmitted
via electrical impulses that travel through
the cables.
◼ Relatively inexpensive means exist that
measure these impulses and can
reconstruct the data being transferred
through a tapped cable, allowing an
attacker to eavesdrop on network traffic.
◼ These wiretapping attacks are passive,
in that there is no alteration of the signal
being transferred, making them extremely
difficult to detect.

47
Signal Emanations
◼ Computer screens emit radio frequencies
that can be used to detect what is being
displayed.
◼ Visible light reflections can also be used to
reconstruct a display from its reflection on a
wall, coffee mug, or eyeglasses.
◼ Both of these require the attacker to have a
receiver close enough to detect the signal.

48
Acoustic Emissions
◼ Dmitri Asonov and Rakesh Agrawal published a
paper in 2004 detailing how an attacker could use an
audio recording of a user typing on a keyboard to
reconstruct what was typed.
❑ Each keystroke has minute
differences in the sound it
produces, and certain keys are
sound recording
known to be pressed more device
often than others.
❑ After training an advanced
neural network to recognize
individual keys, their software
recognized an average 79% of
all keystrokes. microphone to
capture keystroke
sounds

49
Hardware Keyloggers
◼ A keylogger is any means of recording a victim’s keystrokes,
typically used to eavesdrop passwords or other sensitive
information.
◼ Hardware keyloggers are typically small connectors that are
installed between a keyboard and a computer.
◼ For example, a USB keylogger is a device containing male and
female USB connectors, which allow it to be placed between a
USB port on a computer and a USB cable coming from a
keyboard.

50
TEMPEST
◼ TEMPEST is a U.S. government code word for a set of
standards for limiting information-carrying electromagnetic
emanations from computing equipment.
◼ TEMPEST establishes three zones or levels of protection:
1. An attacker has almost direct contact with the equipment, such
as in an adjacent room or within a meter of the device in the
same room.
2. An attacker can get no closer than 20 meters to the equipment
or is blocked by a building to have an equivalent amount of
attenuation.
3. An attacker can get no closer than 100 meters to the equipment
or is blocked by a building to have an equivalent amount of
attenuation.

51
Emanation Blockage
◼ To block visible light emanations, we can enclose
sensitive equipment in a windowless room.
◼ To block acoustic emanations, we can enclose
sensitive equipment in a room lined with sound-
dampening materials.
◼ To block electromagnetic emanations in the
electrical cords and cables, we can make sure every
such cord and cable is well grounded and insulated.

52
Faraday Cages
◼ To block electromagnetic
emanations in the air, we
can surround sensitive
equipment with metallic
conductive shielding or a
mesh of such material,
where the holes in the mesh
are smaller than the
wavelengths of the
electromagnetic radiation
we wish to block.
◼ Such an enclosure is known
as a Faraday cage.

53
Computer Forensics
◼ Computer forensics is the practice of obtaining
information contained on an electronic medium,
such as computer systems, hard drives, and optical
disks, usually for gathering evidence to be used in
legal proceedings.
◼ Unfortunately, many of the advanced techniques
used by forensic investigators for legal proceedings
can also be employed by attackers to uncover
sensitive information.

54
Computer Forensics
◼ Forensic analysis typically involves the physical
inspection of the components of a computer,
sometimes at the microscopic level, but it can also
involve electronic inspection of a computer’s parts
as well.

55
ATMs
◼ An automatic teller machine (ATM) is any device that allows
customers of financial institutions to complete withdrawal and deposit
transactions without human assistance.
◼ Typically, customers insert a magnetic stripe credit or debit card, enter
a PIN, and then deposit or withdraw cash from their account.
◼ The ATM has an internal cryptographic processor that encrypts the
entered PIN and compares it to an encrypted PIN stored on the card
(only for older systems that are not connected to a network) or in a
remote database.

56
ATM
ATMs
◼ To ensure the confidentiality of customer transactions, each ATM has
a cryptographic processor that encrypts all incoming and outgoing
information, starting the moment a customer enters their PIN.
◼ The current industry standard for ATM transactions is the Triple DES
(3DES) cryptosystem, a legacy symmetric cryptosystem with up to
112 bits of security.
◼ The 3DES secret keys installed on an ATM are either loaded on-site by
technicians or downloaded remotely from the ATM vendor.

3DES Encryption

Bank
57
ATM
Attacks on ATMs
◼ Lebanese loop: A perpetrator inserts this sleeve into the card
slot of an ATM. When a customer attempts to make a transaction
and inserts their credit card, it sits in the sleeve, out of sight from
the customer, who thinks that the machine has malfunctioned.
After the customer leaves, the perpetrator can then remove the
sleeve with the victim’s card.
◼ Skimmer: a device that reads and stores magnetic stripe
information when a card is swiped. An attacker can install a
skimmer over the card slot of an ATM and store customers’
credit information without their knowledge. Later, this information
can be retrieved and used to make duplicates of the original
cards.
◼ Fake ATMs: capture both credit/debit cards and PINs at the
same time.

58
Authentication Technologies

59
Authentication
◼ The determination of identity, usually based on a
combination of
❑ something the person has (like a smart card or a radio key
fob storing secret keys),
❑ something the person knows (like a password),
❑ something the person is (like a human with a fingerprint).
password=ucIb()w1V
mother=Jones
human with fingers pet=Caesar
and eyes

Something you are

Something you know

radio token with

secret keys

Something you have

60
Barcodes
◼ Developed in the 20th century to
improve efficiency in grocery checkout.
◼ First-generation barcodes represent
data as a series of variable-width,
vertical lines of ink, which is essentially
a one-dimensional encoding scheme.
◼ Some more recent barcodes are
rendered as two-dimensional patterns
using dots, squares, or other symbols
that can be read by specialized optical
scanners, which translate a specific type
of barcode into its encoded information.

61
 Authentication via Barcodes
◼ Since 2005, the airline industry has been incorporating two-dimensional
barcodes into boarding passes, which are created at flight check-in and
scanned before boarding.
◼ In most cases, the barcode is encoded with an internal unique identifier
that allows airport security to look up the corresponding passenger’s
record with that airline.
◼ Staff then verifies that the boarding pass was in fact purchased in that
person’s name (using the airline’s database), and that the person can
provide photo identification.
◼ In most other applications, however, barcodes provide convenience but
not security. Since barcodes are simply images, they are extremely
easy to duplicate.

Two-dimensional
barcode

62
Public domain image from http://commons.wikimedia.org/wiki/File:Bpass.jpg
Magnetic Stripe Cards
◼ Plastic card with a magnetic stripe containing personalized
information about the card holder.
◼ The first track of a magnetic stripe card contains the
cardholder’s full name in addition to an account number, format
information, and other data.
◼ The second track may contain the account number, expiration
date, information about the issuing bank, data specifying the
exact format of the track, and other discretionary data.

63
Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg
Magnetic Stripe Card Security
◼ One vulnerability of the magnetic stripe medium is that it is easy
to read and reproduce.
◼ Magnetic stripe readers can be purchased at relatively low cost,
allowing attackers to read information off cards.
◼ When coupled with a magnetic stripe writer, which is only a little
more expensive, an attacker can easily clone existing cards.
◼ So, many uses require card holders to enter a PIN to use their
cards (e.g., as in ATM and debit cards in the U.S.).

64
Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg
Smart Cards
◼ Smart cards incorporate an integrated circuit, optionally with an
on-board microprocessor, which microprocessor features
reading and writing capabilities, allowing the data on the card to
be both accessed and altered.
◼ Smart card technology can provide secure authentication
mechanisms that protect the information of the owner and are
extremely difficult to duplicate.

Circuit interface

65
Public domain image from http://en.wikipedia.org/wiki/File:Carte_vitale_anonyme.jpg
Smart Card Authentication
◼ They are commonly employed by large
companies and organizations as a means of
strong authentication using cryptography.
◼ Smart cards may also be used as a sort of
“electronic wallet,” containing funds that can
be used for a variety of services, including
parking fees, public transport, and other small
retail transactions.

66
SIM Cards
◼ Many mobile phones use a special smart card called
a subscriber identity module card (SIM card).
◼ A SIM card is issued by a network provider. It
maintains personal and contact information for a user
and allows the user to authenticate to the cellular
network of the provider.

67
SIM Card Security
◼ SIM cards contain several pieces of information that are used to identify
the owner and authenticate to the appropriate cell network.
◼ Each SIM card corresponds to a record in the database of subscribers
maintained by the network provider.
◼ A SIM card features an integrated circuit card ID (ICCID),
◼ which is a unique 18-digit number used for hardware identification.
◼ Next, a SIM card contains a unique international mobile subscriber
identity (IMSI), which identifies the owner’s country, network, and
personal identity.
◼ SIM cards also contain a 128-bit secret key. This key is used for
authenticating a phone to a mobile network.
◼ As an additional security mechanism, many SIM cards require a PIN
before allowing any access to information on the card.

68
 GSM Challenge-Response Protocol
n When a cellphone wishes to join a cellular network it connects to a local base
station owned by the network provider and transmits its International Mobile
Subscriber Identity (IMSI).
n If the IMSI matches a subscriber’s record in the network provider’s database,
the base station transmits a 128-bit random number to the cellphone.
n This random number is then encoded by the cellphone with the subscriber’s
secret key stored in the SIM card using a proprietary encryption algorithm
known as A3, resulting in a ciphertext that is sent back to the base station.
n The base station then performs the same computation, using its stored value
for the subscriber’s secret key. If the two ciphertexts match, the cellphone is
authenticated to the network and is allowed to make and receive calls.
IMSI = (this phone’s ID)

R = a 128-bit random number (the challenge)

EK(R) = the 128-bit random number encrypted

using the subscriber’s secret key K
(the response)

69
RFIDs
◼ Radio frequency identification, or RFID, is a rapidly
emerging technology that relies on small transponders
to transmit identification information via radio waves.
◼ RFID chips feature an integrated circuit for storing
information, and a coiled antenna to transmit and
receive a radio signal.

70
RFID Technology
◼ RFID tags must be used in conjunction with a
separate reader or writer.
◼ While some RFID tags require a battery,
many are passive and do not.
◼ The effective range of RFID varies from a few
centimeters to several meters, but in most
cases, since data is transmitted via radio
waves, it is not necessary for a tag to be in
the line of sight of the reader.

71
RFID Technology
◼ This technology is being deployed in a wide
variety of applications.
◼ Many vendors are incorporating RFID for
consumer-product tracking.
◼ Car key fobs.
◼ Electronic toll transponders.

72
Passports
◼ Modern passports of several
countries, including the United
States, feature an embedded RFID chip and
antenna is embedded
RFID chip that contains in the cover

information about the owner,

including a digital facial
photograph that allows airport
officials to compare the
passport’s owner to the e-Passport
person who is carrying the symbol

passport.

73
Passport Security
◼ In order to protect the sensitive information on a passport, all
RFID communications are encrypted with a secret key.
◼ In many instances, however, this secret key is merely the
passport number, the holder’s date of birth, and the expiration
date, in that order.
❑ All of this information is printed on the card, either in text or
using a barcode or other optical storage method.
❑ While this secret key is intended to be only accessible to
those with physical access to the passport, an attacker with
information on the owner, including when their passport
was issued, may be able to easily reconstruct this key,
especially since passport numbers are typically issued
sequentially.

74
Biometrics
◼ Biometric refers to any measure
used to uniquely identify a person
based on biological or physiological
traits.
◼ Generally, biometric systems
incorporate some sort of sensor or
scanner to read in biometric
information and then compare this
information to stored templates of
accepted users before granting
access.

75
Image from http://commons.wikimedia.org/wiki/File:Fingerprint_scanner_in_Tel_Aviv.jpg used with permission under the Creative Commons Attribution 3.0 Unported license
Requirements for Biometric Identification
◼ Universality. Almost every person should
have this characteristic.
◼ Distinctiveness. Each person should have
noticeable differences in the characteristic.
◼ Permanence. The characteristic should not
change significantly over time.
◼ Collectability. The characteristic should
have the ability to be effectively determined
and quantified.

76
Biometric Identification

Reader
Biometric

Feature vector

Comparison algorithm

Reference vector

matches doesn’t match

77
Candidates for Biometric IDs
◼ Fingerprints
◼ Retinal/iris scans
◼ DNA Public domain image from
http://commons.wikimedia.org/wiki/File:Fingerprint_Arch.jpg

◼ “Blue-ink” signature Public domain image from

http://commons.wikimedia.org/wiki/File:Retinal_scan_securimetrics.jpg

◼ Voice recognition
◼ Face recognition
◼ Gait recognition
◼
Public domain image from

Let us consider how each of these scores in terms

http://commons.wikimedia.org/wiki/File:CBP_chemist_reads_a_DNA_profile.jpg

of universality, distinctiveness, permanence, and

collectability…

78
Summary

◼ History → What is security?

◼ Critical characteristics of security → CNSS
security model
◼ Cryptography (Confidentiality, Integrity) →
Access Control (Availability) → Password
◼ Physical attack → Authentication Technology