SECURITY ASSERTION MARKUP LANGUAGE (SAML)

The de facto protocol for authentication, SAML is used for facilitating user authentication across systems and among organizations, through the exchange of authentication and authorization information between organizations. SAML is the glue that is used to make most single sign-on (SSO) systems work.

As its full name suggests, SAML is an XML markup language. XML is becoming a standard method for exchanging information between dissimilar systems.

KERBEROS

Kerberos, commonly used in the Sun Network File System (NFS) and Microsoft Windows, is perhaps the most popular ticket-based symmetric key authentication protocol in use today.

Kerberos is named for the fierce, three-headed dog that guards the gates of Hades in Greek mythology. (Not to be confused with Ker-beer-os, the fuzzy, six-headed dog sitting at the bar that keeps looking better and better!) Researchers at the Massachusetts Institute of Technology (MIT, also known as Millionaires in Training) developed this open-systems protocol in the mid-1980s.

The CISSP exam requires a general understanding of Kerberos operation. Unfortunately, Kerberos is a complex protocol that has many different implementations and no simple explanation. The following step-by-step discussion is a basic description of Kerberos operation:

1. The client prompts the subject (such as a user) for an identifier and a credential (for example, username and password). Using the authentication information (password), the client temporarily generates and stores a secret key for the subject by using a one-way hash function and then sends only the subject’s identification (username) to the Key Distribution Center’s (KDC) Authentication Server (AS). The password/secret key isn’t sent to the KDC. See Figure 7-1.
2. The AS on the KDC verifies that the subject (known as a principal) exists in the KDC database. The KDC Ticket Granting Service (TGS) then generates a Client/TGS Session Key encrypted with the subject’s secret key, which only the TGS and the client know. The TGS also generates a Ticket Granting Ticket (TGT), consisting of the subject’s identification, the client network address, the valid period of the ticket, and the Client/TGS Session Key. The TGS encrypts the TGT by using its secret key, which only the TGS knows, then sends the Client/TGS Session Key and TGT back to the client. See Figure 7-2.
3. The client decrypts the Client/TGS Session Key — using the stored secret key that it generated by using the subject’s password — authenticates the subject (user), and then erases the stored secret key to avoid possible compromise. The client can’t decrypt the TGT, which the TGS encrypted by using the TGS secret key. See Figure 7-3.
4. When the subject requests access to a specific object (such as a server, also known as a principal), it sends the TGT, the object identifier (such as a server name), and an authenticator to the TGS on the KDC. (The authenticator is a separate message that contains the client ID and a timestamp, and uses the Client/TGS Session Key to encrypt itself.) See Figure 7-4.
5. The TGS on the KDC generates both a Client/Server Session Key (which it encrypts by using the Client/TGS Session Key) and a Service Ticket (which consists of the subject’s identification, the client network address, the valid period of the ticket, and the Client/Server Session Key). The TGS encrypts the Service Ticket by using the secret key of the requested object (server), which only the TGS and the object know. The TGS then sends the Client/Server Session Key and Service Ticket back to the client. See Figure 7-5.
6. The client decrypts the Client/Server Session Key by using the Client/TGS Session Key. The client can’t decrypt the Service Ticket, which the TGS encrypted by using the secret key of the requested object. See Figure 7-6.
7. The client can then communicate directly with the requested object (server). The client sends the Service Ticket and an authenticator to the requested object (server). The client encrypts the authenticator (comprising the subject’s identification and a timestamp) by using the Client/Server Session Key that the TGS generated. The object (server) decrypts the Service Ticket by using its secret key. The Service Ticket contains the Client/Server Session Key, which allows the object (server) to then decrypt the authenticator. If the subject identification and timestamp are valid (according to the subject identification, client network address, and valid period specified in the Service Ticket), then communication between the client and server is established. The Client/Server Session Key is then used for secure communications between the subject and object. See Figure 7-7.

See Chapter 5 for more information about symmetric key cryptography.

In Kerberos, a session key is a dynamic key that is generated when needed, shared between two principals, then destroyed when it is no longer needed. A secret key is a static key that is used to encrypt a session key.

LDAP

Lightweight Directory Access Protocol (LDAP) is both an IP protocol and a data model. LDAP (pronounced EL-dap) is used to support authentication and directory functions for both people and resources. Several vendors have implemented LDAP, including:

• Apache Directory Server
• CA eTrust Directory
• IBM SecureWay and Tivoli Directory Server
• Microsoft Active Directory
• Novell eDirectory
• Sun Directory Server

You can also find several open-source versions of LDAP available, including OpenLDAP and tinyldap.

RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, client-server networking protocol — defined in more than 25 current IETF (Internet Engineering Task Force) RFCs (Request For Comments) — that provides authentication, authorization, and accounting (AAA) services. RADIUS is an Application Layer protocol that utilizes User Datagram Protocol (UDP) packets for transport. UDP is a connection-less protocol, which means it’s fast but not as reliable as other transport protocols.

RADIUS is commonly implemented in network service provider (NSP) networks, as well as corporate remote access service (RAS) and virtual private networks (VPNs). RADIUS is also becoming increasingly popular in corporate wireless networks. A user provides username/password information to a RADIUS client by using PAP or CHAP. The RADIUS client encrypts the password and sends the username and encrypted password to the RADIUS server for authentication.

Note: Passwords exchanged between the RADIUS client and RADIUS server are encrypted, but passwords exchanged between the workstation client and the RADIUS client are not necessarily encrypted — if using PAP authentication, for example. If the workstation client happens to also be a RADIUS client, all password exchanges are encrypted, regardless of the authentication protocol used.

RAS

Remote Access Service (RAS) servers utilize the Point-to-Point Protocol (PPP) to encapsulate IP packets and establish dial-in connections over serial and ISDN links. PPP incorporates the following three authentication protocols:

• PAP: The Password Authentication Protocol (PAP) uses a two-way handshake to authenticate a peer to a server when a link is initially established. PAP transmits passwords in clear text and provides no protection from replay attacks (in which part of a session is captured or recorded, then played back to the system) or brute force attacks.

  A two-way handshake refers to a communications session in which the communicating devices, for example a remote workstation and a remote access server. The connection is established whereby one device sends an initial TCP SYN (Synchronize) packet to the other, and the other responds by sending an ACK (Acknowledgment) packet to indicate that the connection has been accepted.

• CHAP: The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake to authenticate both a peer and server when a link is initially established and, optionally, at regular intervals throughout the session. CHAP requires both the peer and server to be preconfigured with a shared secret that must be stored in plain text. The peer uses the secret to calculate the response to a server challenge by using an MD5 one-way hash function. MS-CHAP, a Microsoft enhancement to CHAP, allows the shared secret to be stored in an encrypted form.
• EAP: The Extensible Authentication Protocol (EAP) adds flexibility to PPP authentication by implementing various authentication mechanisms, including MD5-challenge, S/Key, generic token card, digital certificates, and so on. Many wireless networks implement EAP.

TACACS

The Terminal Access Controller Access Control System (TACACS) is a remote authentication control protocol, originally developed for the MILNET (U.S. Military Network), which provides AAA services. The original TACACS protocol has been significantly enhanced, as XTACACS (no longer used) and TACACS+ (which is the most common implementation of TACACS). However, TACACS+ is a completely new protocol and therefore isn’t backward-compatible with either TACACS or XTACACS. TACACS+ is TCP based on (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorization parameters. TACACS+ can also use dynamic passwords; TACACS uses static passwords only.

The original TACACS protocol is often used in organizations for simplifying administrative access to network devices such as firewalls and routers. TACACS facilitates the use of centralized authentication credentials that are managed centrally, so that organizations don’t need to manage user accounts on every device.

DIAMETER

This next-generation RADIUS protocol was developed to overcome some of RADIUS’s deficiencies, but it has yet to overcome RADIUS’s popularity, so it’s not yet widely implemented.

Like RADIUS, Diameter provides AAA services and is an open protocol standard defined in 11 current RFCs.

Unlike RADIUS, Diameter utilizes Transmission Control Protocol (TCP) and Stream Control Transmission Protocol (SCTP) packets to provide a more reliable, connection-oriented transport mechanism. Also, Diameter uses Internet Protocol Security (IPsec) or Transport Layer Security (TLS) to provide network security or transport layer security (respectively) — rather than PAP or CHAP (used in RADIUS) — to provide a more secure connection. See Chapter 6 for a complete discussion of TCP and SCTP, IPsec and TLS, and the OSI model.

Diameter isn’t fully backward-compatible with RADIUS, but it does provide an upgrade path for RADIUS-based environments. Diameter isn’t an acronym, but a pun on the term RADIUS. (In geometry, the diameter of a circle is twice its radius.)

SESAME

The Secure European System and Applications in a Multi-vendor Environment (SESAME) project, developed by the European Computer Manufacturers Association (ECMA), is a ticket-based system, like Kerberos, with some additional functionality. It uses both symmetric and asymmetric cryptography to distribute secret keys and securely transmit data. By using public key cryptography, SESAME can securely communicate between different organizations or security domains. It incorporates a trusted authentication server at each host (known as a Privileged Attribute Server, or PAS), employs MD5 and CRC-32 one-way hash functions, and uses two separate certificates (known as a Privileged Attribute Certificates, or PACs) to provide authentication and define access privileges. However, SESAME also has some serious security flaws in its basic implementation, including these:

• It uses an XOR function for encryption.
• It performs authentication based on a small segment of the message rather than on the entire message.
• Its key generation is not really very random.
• It’s vulnerable to password-guessing attacks. (Want to bet that somebody thought “open” was a pretty clever password?)

See Chapter 5 for more information on one-way hash functions, XOR functions, and key generation.

KryptoKnight

Developed by IBM, KryptoKnight is another example of a ticket-based SSO authentication and key distribution system that establishes peer-to-peer relationships between the Key Distribution Center (KDC) and its principals. In addition to user authentication with SSO, KryptoKnight provides two-party authentication, key distribution, and data integrity services. KryptoKnight is an extremely compact and flexible protocol that can be easily exported to other systems and applications, and it can function at any layer of the OSI model. Unlike Kerberos, KryptoKnight doesn’t require clock synchronization (it uses nonces instead).

A nonce is literally a number used once. Similar in concept to an initialization vector (see Chapter 5), a nonce is a randomly generated value (usually based on a timestamp) that can be used only once to authenticate a session.

Kerberos, SESAME, and KryptoKnight are three examples of ticket-based authentication technologies that provide SSO services.

LDAP, RAS (PAP and CHAP), RADIUS, Diameter, and TACACS are examples of centralized access control for remote access.

PASSWORDS AND PASSPHRASES

“A password should be like a toothbrush. Use it every day; change it regularly; and DON’T share it with friends.” –USENET

Passwords are easily the most common — and weakest — authentication credentials in use today. Although there are more advanced and secure authentication technologies available, including tokens and biometrics, organizations typically use those technologies as supplements to or in combination with — rather than as replacements for — traditional usernames and passwords.

A passphrase is a variation on a password; it uses a sequence of characters or words, rather than a single password. Generally, attackers have more difficulty breaking passphrases than breaking regular passwords because longer passphrases are generally more difficult to break than shorter, complex passwords. Passphrases also have the following advantages:

• Users frequently use the same passwords to access numerous accounts; their corporate networks, their home PCs, their Gmail or Yahoo! email accounts, their eBay accounts, and their Amazon.com accounts, for example. So an attacker who targets a specific user may be able to gain access to his or her work account by going after a less secure system, such as his or her home PC, or by compromising an Internet account (because the user has passwords conveniently stored in that bastion of security — Internet Explorer!). Internet sites and home PCs typically don’t use passphrases, so you improve the chances that your users have to use different passwords/passphrases to access their work accounts.
• Users can actually remember and type passphrases more easily than they can remember and type a much shorter, cryptic password that requires contorted finger acrobatics to type on a keyboard.

However, passphrases also have a downside:

• Users can find passphrases inconvenient, so you may find passphrases difficult to implement. (“You mean I need to have a 20-character password now?!”)
• Not all systems support passphrases. Such systems ignore anything longer than the system limit (for example, eight characters).
• Many command-line interfaces and tools don’t support the space character that separates words in a passphrase.
• Ultimately, a passphrase is still just a password (albeit, a much longer and better one) and thus shares some of the same problems associated with passwords.

You, as a CISSP candidate, should understand the general problems associated with passwords, as well as common password controls and management features.

Password/passphrase problems include that they’re

• Insecure: Passwords are generally insecure for several reasons, including:
  • Human nature: In the case of user-generated passwords, users often choose passwords that they can easily remember and consequently attackers can easily guess (such as a spouse’s or pet’s name, birthday, anniversary, or hobby). Users may also be inclined to write down passwords (particularly complex, system-generated passwords) or share their passwords with others.
  • Transmission and storage: Many applications and protocols (such as file transfer protocol [FTP] and password authentication protocol [PAP]) transmit passwords in clear text. These applications and protocols may also store passwords in plaintext files, or in a security database that uses a weak hashing algorithm.
• Easily broken: Passwords are susceptible to brute-force and dictionary attacks (which we discuss in the section “Methods of attack,” later in this chapter) by readily available programs such as John the Ripper and L0phtCrack (pronounced loft-crack).
• Easily stolen: From phishing scams to watering hole attacks and key loggers, users can be tricked into giving up passwords, and malware can steal them as they type them. Some organizations store their users’ passwords unencrypted, hashed without salting, or encrypted with an easily discovered key; any of these methods make it relatively easy for an intruder to obtain passwords from a poorly protected system.
• Inconvenient: Easily agitated users can find entering passwords tiresome. In an attempt to bypass these controls, users may select an easily typed, weak password; they may automate logons (for instance, a keyboard macro, or selecting the Remember My Password check box in a browser); and they can neglect to lock their workstations or log out when they leave their desks.
• Refutable: Transactions authenticated with only a password don’t necessarily provide absolute proof of a user’s identity. Authentication mechanisms must guarantee non-repudiation, which is a critical component of accountability. (For more on non-repudiation, see the section “Accountability,” earlier in this chapter.)

Passwords have the following login controls and management features that you should configure in accordance with an organization’s security policy and security best practices:

• Length: Generally, the longer the better. A password is, in effect, an encryption key. Just as larger encryption keys (such as 1024-bit or 2048-bit) are more difficult to crack, so too are longer passwords. You should configure systems to require a minimum password length of ten to fifteen characters. Of course, users can easily forget long passwords or simply find them too inconvenient, leading to some of the human-nature problems discussed earlier in this section.
• Complexity: Strong passwords contain a mix of upper- and lowercase letters, numbers, and special characters such as # and $. Be aware that some systems may not accept certain special characters, or those characters may perform special functions (for example, in terminal emulation software).
• Expiration (or maximum password aging): You should set maximum password aging to require password changes at regular intervals: 30-, 60-, or 90-day periods are common.
• Minimum password aging: This prevents a user from changing his or her password too frequently. The recommended setting is one to ten days to prevent a user from easily circumventing password history controls (for example, by changing their password five times within a few minutes, then setting it back to their original password).
• Re-use: Password re-use settings (five to ten is common) allow a system to remember previously used passwords (or, more appropriately, their hashes) for a specific account. This security setting prevents users from circumventing maximum password expiration by alternating between two or three familiar passwords when they’re required to change their passwords.
• Limited attempts: This control limits the number of unsuccessful logon attempts and consists of two components: counter threshold (for example, three or five) and counter reset (for example, 5 or 30 minutes). The counter threshold is the maximum number of consecutive unsuccessful attempts permitted before some action occurs (such as automatically disabling the account). The counter reset is the amount of time between unsuccessful attempts. For example, three unsuccessful logon attempts within a 30-minute period may result in an account lockout for a set period (for example, 24 hours); but two unsuccessful attempts in 25 minutes, and then a third unsuccessful attempt 10 minutes later, wouldn’t result in an account lockout. A successful logon attempt also resets the counter.
• Lockout duration (or intruder lockout): When a user exceeds the counter threshold that we describe in the preceding bullet, the account is locked out. Organizations commonly set the lockout duration to 30-minutes, but you can set it for any duration. If you set the duration to forever, an administrator must unlock the account. Some systems don’t notify the user when it locks out an account, instead quietly alerting the system administrator to a possible break-in attempt. Of course, an attacker can use the lockout duration as a simple means to perform a Denial of Service attack (intentionally making repeated bad logon attempts to keep the user’s account locked).
• Limited time periods: This control restricts the time of day that a user can log in. For example, you can effectively reduce the period of time that attackers can compromise your systems by limiting users’ access to business hours only. However, this type of control is becoming less common in the modern age of the workaholic and the global economy, both of which require users to legitimately perform work at all hours of the day.
• System messages: System messages include the following:
  • Login banner: Welcome messages literally invite criminals to access your systems. Disable any “welcome” message and replace it with a legal warning instead that requires the user to click OK to acknowledge the warning and accept the legal terms of use.
  • Last username: Many popular operating systems display the username of the last successful account logon. Users (who only need to type in their password) find this feature convenient — and so do attackers (who only need to crack the password without worrying about matching it to a valid user account). Disable this feature.
  • Last successful logon time: After successfully logging on to the system, this message tells the user the last time that he or she logged on. If the system shows that the last successful logon for a user was Saturday morning at 2:00 a.m. and the user knows that he couldn’t possibly have logged in at that time because he has a life, he knows that someone has compromised his account, and he can report the incident accordingly.
  • Last successful login location: After successfully logging in to the system, this message tells the user the last geographical location used when he or she logged in. If the system reports that the user last logged in from some obscure, far-away country, this can be a clue that the user’s account has been compromised.

We’re sure that you know many of the following widely available and well-known guidelines for creating more secure passwords, but just in case, here’s a recap:

• Use a mix of upper- and lowercase letters, numbers, and special characters (for example, !@#$%).
• Do not include your name or other personal information (such as spouse, street address, school, birthdays, and anniversaries).
• Replace some letters with numbers (for example, replace e with 3). This technique of modifying spelling is known as leet or leetspeak.
• Use nonsense phrases, misspellings, substitutions, or before-and-after words and phrases (combining two unrelated words or phrases, such as “Wheel of Fortune Cookies”).
• Combine multiple words by using special characters (for example, sALT&pEPPER or W3’r3-n0t-in-K4ns4s-4nym0r3).
• Create a longer password that is actually a pass phrase. For instance, “I Love Green Bananas.”
• Use a combination of all the other tips in this list (for example, “Snow White and the Seven Habits of Highly Effective People” becomes SW&t7HoH3P!).
• Do not use repeating patterns between changes (for example, password1, password2, password3).
• Do not use the same passwords for work and personal accounts.
• Do not use passwords that are too difficult to remember.
• Do not use any passwords you see in a published book, including this one. (But you knew that.)

The problem with these guidelines is that they’re widely available and well known! In fact, attackers use some of these same guidelines to create their aliases or handles: super-geek becomes 5up3rg33k. Also, a password such as Qwerty12! technically satisfies these guidelines, but it’s not really a good password because it’s a relatively simple and obvious pattern (the first row on your keyboard). Many dictionary attacks include not only word lists, but also patterns such as this one.

You can use a software tool that helps users evaluate the quality of their passwords when they create them. These tools are commonly known as password/passphrase generators or password appraisers.

ONE-TIME PASSWORDS

A one-time password is a password that’s valid for one logon session only. After a single logon session, the password is no longer valid. Thus, if an attacker obtains a one-time password that someone has already used, that password has no value. A one-time password is a dynamic password, meaning it changes at some regular interval or event. Conversely, a static password is a password that remains the same for each logon. Similar to the concept of a one-time pad in cryptography (which we discuss in Chapter 5), a one-time password provides maximum security for access control.

Security professionals should be sure to distinguish one-time passwords from passwords that are valid for a short period of time. Often, what is considered a one-time password is actually a password that is valid for several minutes. Limited-time passwords are a big improvement in security, but they’re subject to replay attacks if the attacker acts quickly.

PERSONAL IDENTIFICATION NUMBERS (PINs)

A PIN in itself is a relatively weak authentication mechanism because you have only 10,000 possible combinations for a four-digit numeric PIN. Therefore, organizations usually use some other safeguard in combination with a PIN. For example, a PIN used with a one-time token password and an account lockout policy is also very effective, allowing a user to attempt only one PIN/password combination per minute and then locking the account after three or five failed attempts as determined by the security policy.

Two examples of one-time password implementations are tokens (which we discuss in the following section) and the S/Key protocol. The S/Key protocol, developed by Bell Communications Research and defined in Internet Engineering Task Force (IETF) Request For Comment (RFC) 1760, is client/server based and uses MD4 and MD5 to generate one-time passwords. MD4 and MD5 are algorithms used to verify data integrity by creating a 128-bit message digest from data input.

TOKENS

Tokens are access control devices such as key fobs, dongles, smart cards, magnetic cards, software (known as soft tokens and installed on a tablet, mobile device, smartphone, laptop, or PC), and keypad or calculator-type cards that store static passwords (or digital certificates) or that generate dynamic passwords. The three general types of tokens are

• Static password tokens: Store a static password or digital certificate.
• Synchronous dynamic password tokens: Continuously generate a new password or passcode at a fixed time interval (for example, 60 seconds) or in response to an event (such as every time you press a button). Typically, the passcode is valid only during a fixed time window (say, one minute) and only for a single logon (so, if you want to log on to more than one system, you must wait for the next passcode).
• Asynchronous (or challenge-response) dynamic password tokens: Generate a new password or passcode asynchronously by calculating the correct response to a system-generated random challenge string (known as a nonce) that the owner manually enters.

Tokens provide two-factor authentication (something you have and something you know) by either requiring the owner to authenticate to the token first or by requiring that the owner enters a secret PIN along with the generated password. Both RADIUS and Terminal Access Controller Access Control System (TACACS+; which we discuss in the section “Centralized access controls,” earlier in this chapter) support various token products.

A soft token that’s installed on a laptop or PC doesn’t provide strong (two-factor) authentication because the “something you have” is the computer you’re trying to log on to! However, a soft token such as Google Authenticator and Microsoft Authenticator on a smartphone would provide adequate two-factor authentication, provided the user is not trying to log in to an application from a smartphone.

You can use tokens to generate one-time passwords and provide two-factor authentication.

SMARTPHONE / SMS PASSWORDS

When a user attempts to log on to a system, a one-time or short-duration password can be sent to a smartphone or mobile device via a text message or other messaging mechanism. Upon receiving this password, the user would then enter it into the system’s password field and complete the logon procedure.

DIGITAL CERTIFICATES

A digital certificate can be installed on the user’s device. When the user attempts to authenticate to a system, the system will query the user’s device for the digital certificate to confirm the user’s identity. If the digital certificate can be obtained and if it is confirmed to be genuine, the user is permitted to log on.

Digital certificate authentication also helps to enforce users logging in using only company-provisioned devices. This presupposes the fact that the user is unable to copy the digital certificate to another, perhaps personally owned, device, or that an intruder is unable to copy the certificate to his own device.

When implementing digital certificates on devices such as laptop computers, administrators need to be sure they implement a per-device or per-user certificate on each laptop computer, not a general company certificate.

BIOMETRICS

The only absolute method for positively identifying an individual is to base authentication on some unique physical or behavioral characteristic of that individual. Biometric identification uses physical characteristics, including fingerprints, hand geometry, and facial features such as retina and iris patterns. Behavioral biometrics are based on measurements and data derived from an action, and they indirectly measure characteristics of the human body. Behavioral characteristics include voice, signature, and keystroke patterns.

Biometrics are based on the third factor of authentication — something you are. Biometric access control systems apply the concept of identification and authentication (I&A) slightly differently, depending on their use:

• Physical access controls: The individual presents the required biometric characteristic and the system attempts to identify the individual by matching the input characteristic to its database of authorized personnel. This type of control is also known as a one-to-many search.
• Logical access controls: The user enters a username or PIN (or inserts a smart card), and then presents the required biometric characteristic for verification. The system attempts to authenticate the user by matching the claimed identity and the stored biometric image file for that account. This type of control is also known as a one-to-one search.

Biometric authentication, in and of itself, doesn’t provide strong authentication because it’s based on only one of the three authentication requirements — something you are. To be considered a truly strong authentication mechanism, biometric authentication must include either something you know or something you have. (Although you might argue that your hand or eye is both something you have and something you are, for the purposes of the CISSP exam you’d be wrong!)

The necessary factors for an effective biometrics access control system include

• Accuracy: The most important characteristic of any biometric system. The uniqueness of the body organ or characteristic that the system measures to guarantee positive identification is an important element of accuracy. In common biometric systems today, the only organs that satisfy this requirement are the fingers/hands and the eyes.

  Another important element of accuracy is the system’s ability to detect and reject forged or counterfeit input data. The accuracy of a biometric system is normally stated as a percentage, in the following terms:

  • False Reject Rate (FRR) or Type I error: Authorized users to whom the system incorrectly denies access, stated as a percentage. Reducing a system’s sensitivity reduces the FRR but increases the False Accept Rate (FAR).

    The False Reject Rate (or Type I error) is the percentage of authorized users to whom the system incorrectly denies access.

  • False Accept Rate (FAR) or Type II error: Unauthorized users to whom the system incorrectly grants access, stated as a percentage. Increasing a system’s sensitivity reduces the FAR but increases the FRR.

    The False Accept Rate (or Type II error) is the percentage of unauthorized users to whom the system incorrectly grants access.

  • Crossover Error Rate (CER): The point at which the FRR equals the FAR, stated as a percentage. (See Figure 7-8.) Because you can adjust the FAR and FRR by changing a system’s sensitivity, the CER is considered the most important measure of biometric system accuracy.

  • The Crossover Error Rate is the point at which the FRR equals the FAR, stated as a percentage.

• Speed and throughput: The length of time required to complete the entire authentication procedure. This time measurement includes stepping up to the system, inputting a card or PIN (if required), entering biometric data (such as inserting a finger or hand in a reader, pressing a sensor, aligning an eye with a camera or scanner, speaking a phrase, or signing a name), processing the input data, and opening and closing an access door (in the case of a physical access control system). Another important measure is the initial enrollment time required to create a biometric file for a user account. Generally accepted standards are a speed of less than five seconds, a throughput rate of six to ten per minute, and enrollment time of less than two minutes.
• Data storage requirements: The size of a biometric system’s input files can be as small as 9 bytes or as large as 10,000 bytes, the normal range being 256 to 1,000 bytes.
• Reliability: Reliability is an important factor in any system. The system must operate continuously and accurately without frequent maintenance outages.
• Acceptability: Getting users to accept a biometric system is the biggest hurdle to widespread implementation. Certain privacy and ethics issues arise with the prospect of organizations using these systems to collect medical or other physical data about employees. Other factors that might potentially alarm users include intrusiveness of the data collection procedure and undesirable physical contact with common system components, such as pressing an eye against a plastic cup or placing lips close to a microphone for voice recognition.

Gaining user acceptance is the most common difficulty with biometric systems.

Table 7-1 summarizes the generally accepted standards for the factors described in the preceding list.

Common types of physical biometric access control systems include

• Fingerprint recognition and finger scan systems: The most common biometric systems in use today. They analyze the ridges, whorls, and minutiae (bifurcations and ridge endings, dots, islands, ponds and lakes, spurs, bridges, and crossovers) of a fingerprint to create a digitized image that uniquely identifies the owner of the fingerprint. A fingerprint recognition system stores the entire fingerprint as a digitized image. A disadvantage of this type of system is that it can require a lot of storage space and resources. More commonly, organizations use a finger scan system, which stores only sample points or unique features of a fingerprint and therefore requires less storage and processing resources. Also, users may more readily accept the technology because no one can re-create an entire fingerprint from the data in a finger scan system. See Table 7-2 for general characteristics of finger scan systems.

  Finger scan systems, unlike fingerprint recognition systems, don’t store an image of the entire fingerprint — only a digitized file describing its unique characteristics. This fact should allay the privacy concerns of most users.

• Facial recognition systems: Fast becoming a popular authentication method used by Apple, Microsoft, and others, facial recognition works through recognition of the unique geometry of the user’s facial features. Facial recognition software examines the face as the user looks into the device’s camera and decides whether the person looking into the camera is the same person who is authorized to use the device.
• Hand geometry systems: Like finger scan systems, hand geometry systems are also nonintrusive and therefore generally more easily accepted than other biometric systems. These systems generally can more accurately uniquely identify an individual than finger scan systems, and they have some of the smallest file sizes compared with other biometric system types. A digital camera simultaneously captures a vertical and a horizontal image of the subject’s hand, acquiring the three-dimensional hand geometry data. The digitized image records the length, width, height, and other unique characteristics of the hand and fingers. See Table 7-2 for general characteristics of hand geometry systems.
• Retina pattern: These systems record unique elements in the vascular pattern of the retina. Major concerns with this type of system are fears of eye damage from a laser (which is actually only a camera with a focused low-intensity light) directed at the eye and, more feasibly, privacy concerns. Certain health conditions, such as diabetes and heart disease, can cause changes in the retinal pattern, which these types of systems may detect. See Table 7-3 for general characteristics of retina pattern systems.
• Iris pattern: By far the most accurate of any type of biometric system. The iris is the colored portion of the eye surrounding the pupil. The complex patterns of the iris include unique features such as coronas, filaments, freckles, pits, radial furrows, rifts, and striations. The characteristics of the iris, formed shortly before birth, remain stable throughout life. The iris is so unique that even the two eyes of a single individual have different patterns. A camera directed at an aperture mirror scans the iris pattern. The subject must glance at the mirror from a distance of approximately 3 to 10 inches. It’s technically feasible — but perhaps prohibitively expensive — to perform an iris scan from a distance of several feet. See Table 7-3 for general characteristics of iris pattern systems.

Common types of behavioral biometric systems include

• Voice recognition: These systems capture unique characteristics of a subject’s voice and may also analyze phonetic or linguistic patterns. Most voice recognition systems are text-dependent, requiring the subject to repeat a specific phrase. This functional requirement of voice recognition systems also helps improve their security by providing two-factor authentication: something you know (a phrase) and something you are (your voice). More advanced voice recognition systems may present a random phrase or group of words, which prevents an attacker from recording a voice authentication session and later replaying the recording to gain unauthorized access. See Table 7-4 for general characteristics of voice recognition systems.
• Signature dynamics: These systems typically require the subject to sign his or her name on a signature tablet. The enrollment process for a signature dynamics system captures numerous characteristics, including the signature pattern itself, the pressure applied to the signature pad, and the speed of the signature. Of course, signatures commonly exhibit some slight changes because of different factors, and they can be forged (although the signature dynamics are difficult to forge). See Table 7-4 for general characteristics of signature dynamics systems.
• Keystroke or typing dynamics: These systems typically require the subject to type a password or phrase. The keystroke dynamic identification is based on unique characteristics such as how long a user holds down a key on the keyboard (dwell time) and how long it takes a user to get to and press a key (seek or flight time). These characteristics are measured by the system to form a series of mathematical data representing a user’s unique typing pattern or signature, which is then used to authenticate the user.

Digital signatures and electronic signatures — which are electronic copies of people’s signatures — are not the same as the signatures used in biometric systems. These terms are not related and are not interchangeable.

In general, the CISSP candidate doesn’t need to know the specific characteristics and specifications of the different biometric systems, but you should know how they compare with each other. For example, know that iris pattern systems are more accurate than retina pattern systems, and be familiar with the concepts of false reject rate, false accept rate, and crossover error rate.