Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

The following sections discuss best practices and the associated pitfalls you should consider when implementing security using smart cards and biometrics infrastructure-based authentication services.

Using Smart Cards

  • Unified credential token. Adopt smart cards as a unified security token for both physical and logical access control. Dual-interface smart cards that support both contact and contactless readers fulfill both purposes. Adopting a unified credential token also delivers increased ROI by way of a single token for accessing disparate physical and logical resources, a single console for monitoring and auditing, a single interface for identity enrollment and termination, and a centralized personal identification and authentication process.

  • Restrict post-issuance applet download. In the case of smart cards used for identification and authentication purposes, it is important to restrict applet downloads after issuing the card. The master key must not be provided to the card holder. This protects the card from potential abuses resulting in running out of memory, downloading and processing untrusted applets, and fault injection.

  • Revoke access and reset PIN. The card must be revoked or blocked, and its PIN reset, if a user enters an incorrect PIN too many times. This protects a card that has been stolen from the card holder against PIN guessing and dictionary attacks. The card should be allowed to access the resource or application again only after verification by an enrollment officer or other authorized official.

  • Adopting card standards. It is important to choose cards and card readers that support standards such as ISO, Java Card, Global Platform, Java Card Biometric API, and so forth. This avoids vendor lock-in and ensures interoperability when running multiple applications.

  • Strong authentication. Smart cards allow two-factor authentication by combining a PIN (what you know) with digital certificates stored in the card (what you have). Combining both factors ensures strong authentication by improving the security and privacy of the authentication process. As a result, it strengthens logical access to protected resources, signing of electronic documents for authenticity, secure electronic payment through client authentication, and other potential uses.

Using Biometrics

  • Use multiple biometrics samples for single authentication. To reduce the possibility of fake or forged biometric sampling, use multiple biometric samples for single authentication. Use random sequences when acquiring samples (for example, with fingerprint authentication, request left-hand index finger first and then right-hand thumb). This helps thwart attacks using residual fingerprints obtained from previous authentication sessions, fingerprints from glasses, or latent fingerprints on scanners. This also helps in preventing gummy finger-based forged fingerprint attacks. [Gummy]

  • Assign biometric scanners to users. Assign scanners to individuals and verify the originating host for all authentication requests to ensure that the biometric sample is transmitted from user-assigned scanners only. Authentication must be considered successful only if the matching sample is obtained from the assigned scanner of the individual. This helps make monitoring and logging of events easier.

  • Preventing mimic scanner attacks. To thwart playback attacks mimicking scanners, use validation of scanner-stored certificates before processing the samples. This can be accomplished by establishing SSL/TLS communication between the scanner and the authentication server.

  • Control access to administration and enrollment system. It is important to establish roles for privileged users who are authorized to perform enrollment. Increasing a user's administration or enrollment privileges must follow an authorization approval workflow involving multiple officials.

  • Multiple login attempts. If a user attempts to log in multiple times and fails to generate a matching score, the user account pertaining to the user ID must be temporarily revoked and reported for further investigation by an administrator. It is important to verify the time of access and the device in use to identify the user.

  • Logging, auditing, and monitoring. All enrollment, administration, and authentication events and related actions must be captured in secure logs that include timestamps, host, and user information. It is also important to store audit trails to identify fake attempts and their originating sources. The system must also be monitored for activity, with alerts raised whenever a potential breach or violation occurs. It is also important to periodically inspect the scanners and their stored keys and certificates for validity.

  • Securing the biometric information repository. It is important to secure the biometric information stored in a directory (LDAP) or relational database. It is strongly recommended to use encryption mechanisms during storage so that the information remains confidential.

  • Secure communication. All network communication involved with a smart card or biometrics-based authentication must be secured using SSL/TLS protocols. This ensures the information is not intercepted or captured in transit; it prevents a man-in-the-middle from reading the CUID (smart cards) or fingerprint images (biometrics) and then impersonating the user by replaying previously recorded information.

  • Match-on-the-card biometrics. Sizing the processor and memory capabilities of a smart card is necessary before test-driving match-on-the-card biometric authentication. For example, a typical fingerprint template size ranges from 250 bytes to 1.2 Kbytes and it differs from person to person. The smart card must be tested for storage performance and reliability when using multiple biometric samples.
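
As an added example (not from the book), the following Python sketch shows server-side decision logic that enforces three of the practices above: a sample is accepted only from the user's assigned scanner sending from its registered host, repeated low-score attempts temporarily revoke the account for administrator review, and every decision is written to an audit log with timestamp, host, scanner and user. The threshold, failure limit, scanner IDs and hosts are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

MATCH_THRESHOLD = 70   # minimum matcher score to accept (hypothetical)
MAX_FAILURES = 3       # failed matches before the account is revoked


@dataclass
class Request:
    user_id: str
    scanner_id: str    # scanner that captured and sent the sample
    source_host: str   # host the request arrived from
    score: int         # matcher score for the submitted sample (0-100)


@dataclass
class AuthServer:
    assigned_scanner: Dict[str, str]   # user -> assigned scanner (constructed)
    scanner_host: Dict[str, str]       # scanner -> registered host
    failures: Dict[str, int] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)

    def _log(self, req: Request, outcome: str) -> None:
        # Every decision is recorded with timestamp, host, scanner and user.
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(
            f"{ts} host={req.source_host} scanner={req.scanner_id} "
            f"user={req.user_id} {outcome}")

    def authenticate(self, req: Request) -> bool:
        if req.user_id in self.revoked:
            self._log(req, "DENY account-revoked")
            return False
        # Sample must come from this user's assigned scanner at its registered host.
        if (self.assigned_scanner.get(req.user_id) != req.scanner_id
                or self.scanner_host.get(req.scanner_id) != req.source_host):
            self._log(req, "DENY unassigned-scanner-or-host")
            return False
        if req.score < MATCH_THRESHOLD:
            n = self.failures[req.user_id] = self.failures.get(req.user_id, 0) + 1
            if n >= MAX_FAILURES:
                self.revoked.add(req.user_id)   # temporary revocation; admin review
                self._log(req, f"DENY low-score failures={n} account-revoked")
            else:
                self._log(req, f"DENY low-score failures={n}")
            return False
        self.failures.pop(req.user_id, None)    # reset counter on success
        self._log(req, f"ALLOW score={req.score}")
        return True
```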

Pitfalls

  • Architectural complexity. The complexity of implementing a smart card and biometrics-based security infrastructure depends on the level of geographical dispersion and the systems requiring physical and logical access, the centralized or decentralized nature of administration, and the directory infrastructure. These factors result in potential scalability and performance issues with the overall architecture.

  • Lost, stolen, and revoked smart cards. There is always a possibility of potential abuse of lost or stolen cards in terms of impersonation or gaining physical access to a location. If the card uses a biometric template for authentication, however, a lost or stolen card cannot be used without the card holder's biometric.

  • False Acceptance Rate (FAR) and False Rejection Rate (FRR). Biometric authentication systems are prone to err in terms of false acceptance and false rejection. Depending upon the security requirements, and using the crossover error rate (CER) as a reference, it is important to strike a balance between the percentages of FAR and FRR. For example, setting a high score threshold lowers the FAR, but it also raises the FRR and rejects some legitimate persons. Other factors, such as physical conditions, positioning, location, weather, injury, and the biometric device itself, must be considered before deployment, because they directly influence the accuracy of the overall biometric authentication process.
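
As an added example (not from the book), this Python code sweeps the matching-score threshold over constructed genuine and impostor score samples, computes FAR and FRR at each threshold, locates the crossover error rate, and shows the FRR that results from capping FAR at a security-driven ceiling. The score lists and the 0-100 scale are constructed for illustration.

```python
from typing import List, Optional, Tuple

# Constructed matcher scores (0-100); higher means closer to the enrolled
# template. A real system obtains these from its matching engine.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61, 57, 52]   # same person
IMPOSTOR_SCORES = [65, 60, 58, 55, 52, 49, 46, 44, 41, 38, 35, 30]  # other people


def far(impostor: List[int], threshold: int) -> float:
    """False Acceptance Rate: share of impostor attempts scoring >= threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False Rejection Rate: share of genuine attempts scoring < threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Threshold at which FAR and FRR are closest (the CER), with both rates.
    Ties resolve to the lowest such threshold."""
    best: Optional[Tuple[int, float, float]] = None
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def threshold_for_max_far(genuine: List[int], impostor: List[int],
                          max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, plus the FRR paid for it.
    This is the security-driven choice: cap impostor acceptance first, then
    observe how many legitimate users the resulting threshold rejects."""
    for t in range(0, 101):
        a = far(impostor, t)
        if a <= max_far:
            return t, a, frr(genuine, t)
    return 101, 0.0, 1.0   # only reached for a negative max_far


if __name__ == "__main__":
    print("CER point (threshold, FAR, FRR):", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR capped at 10%:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10))
    print("Strict threshold 80:", far(IMPOSTOR_SCORES, 80), frr(GENUINE_SCORES, 80))
```

With these samples the CER sits at threshold 59 (FAR = FRR = 2/12), while raising the threshold to 80 drives FAR to zero at the cost of rejecting two thirds of genuine attempts.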
