April 4, 2013 presentation given at the Raleigh ISSA Chapter meeting. This PDF of my slides reviews my paper that was accepted and nominated for an award and presented at the ITU Kaleidoscope 2013 conference.
ITU Kaleidoscope 2013 Presentation on Telebiometric Security Standards
1. ITU KALEIDOSCOPE 2013
RALEIGH ISSA CHAPTER MEETING
THURSDAY, APRIL 4, 2013
ITU Kaleidoscope 2013 Presentation
Telebiometric Information Security and Safety Management
Phillip H. Griffin
Information Security Consulting
October 18, 2012
GRIFFIN – APRIL 2013
2. ITU KALEIDOSCOPE 2013 What is the ITU?
ITU is the International Telecommunication Union
— United Nations specialized agency for information
and communications technology (ICT)
— Membership includes 193 countries and over
700 private-sector entities and academic institutions
— Allocates global radio spectrum and satellite orbits; develops
technical standards to ensure seamless interconnection of
networks and technologies (telephones, video, TV, etc.)
— Consensus efforts to support fundamental right to communicate
— Empowers people through technology education and training
3. ITU KALEIDOSCOPE 2013 Building Sustainable Communities
Assess standardization required so that
cities can enhance their social, economic,
and environmental sustainability by using
Information & Communications Technology
Sustainable communities will combine
human-oriented technologies and human values
Human-oriented technologies: Biometrics, Telecommunications
Human values: Security, Privacy, Safety
Rubric — Suggest Areas For New Standardization
4. ITU KALEIDOSCOPE 2013 New Standardization
Telebiometric System Heartbeat
Provides metrics to enable the continuous improvement of an information
security and safety management program for telebiometric system devices
Cryptographic Message Syntax (CMS)
Need a version that complies with the ASN.1 standards
Permits all binary encoding rules and XML Encoding Rules (XER)
Supports ISO/IEC JTC 1/SC 27 algorithms, cryptographic techniques
Signcryption Support in CMS
Defines the schema and processing for a SigncryptedData type needed
to support the techniques in the ISO/IEC 29150 Signcryption standard
5. ITU KALEIDOSCOPE 2013 Telebiometric System Heartbeat
Periodic messages …
Should monitor and document the
safety, performance, and availability
of telebiometric system devices
Provide information to alert system
administrators of security and safety
events and system changes (e.g.,
FAR/FMR settings, device location,
aberrant behavior, etc.)
Source of derived metrics to inform
the continuous improvement of a
telebiometric system information
security and safety management
program
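Added example, not from the slides or the paper: a small heartbeat consumer in Python that does what slide 5 asks of the heartbeat stream on the administrator side. It flags FAR/FMR and location changes, missed and replayed messages, device-reported safety status and an aberrant failure ratio, and derives an availability metric from the stream. The message fields, thresholds and sample heartbeats are constructed for the example; the proposal itself is a CMS-protected ASN.1 message, for which this plain Python record is only a stand-in.

```python
from dataclasses import dataclass

INTERVAL_S = 60  # assumed heartbeat period in seconds


@dataclass(frozen=True)
class Heartbeat:
    """Constructed stand-in for the proposed heartbeat message (not the ASN.1 schema)."""
    device_id: str
    seq: int          # monotonically increasing per device
    ts: int           # seconds since epoch
    far: float        # false accept rate setting in effect on the device
    fmr: float        # false match rate setting in effect on the device
    location: str
    status: str       # "ok", "degraded" or "tamper" (constructed vocabulary)
    attempts: int     # verification attempts since the previous heartbeat
    failures: int     # failed attempts in the same period


class HeartbeatMonitor:
    def __init__(self, interval_s=INTERVAL_S, fail_ratio_limit=0.5):
        self.interval_s = interval_s
        self.fail_ratio_limit = fail_ratio_limit
        self.last = {}      # device_id -> most recent accepted Heartbeat
        self.first_ts = {}  # device_id -> timestamp of the first heartbeat seen
        self.count = {}     # device_id -> accepted heartbeats

    def ingest(self, hb):
        """Accept one heartbeat and return the alerts it raises (possibly none)."""
        alerts = []
        prev = self.last.get(hb.device_id)
        if prev is None:
            self.first_ts[hb.device_id] = hb.ts
        else:
            if hb.seq <= prev.seq:
                # a replayed or out-of-order message must not overwrite current state
                alerts.append(f"{hb.device_id}: replayed or out-of-order heartbeat "
                              f"seq={hb.seq} (last accepted {prev.seq})")
                return alerts
            missed = (hb.ts - prev.ts) // self.interval_s - 1
            if missed > 0:
                alerts.append(f"{hb.device_id}: {missed} heartbeat(s) missed "
                              f"between seq {prev.seq} and {hb.seq}")
            if (hb.far, hb.fmr) != (prev.far, prev.fmr):
                alerts.append(f"{hb.device_id}: FAR/FMR changed from "
                              f"{prev.far}/{prev.fmr} to {hb.far}/{hb.fmr}")
            if hb.location != prev.location:
                alerts.append(f"{hb.device_id}: location changed from "
                              f"{prev.location!r} to {hb.location!r}")
        if hb.status != "ok":
            alerts.append(f"{hb.device_id}: device reports status {hb.status!r}")
        if hb.attempts and hb.failures / hb.attempts > self.fail_ratio_limit:
            alerts.append(f"{hb.device_id}: aberrant behaviour, "
                          f"{hb.failures}/{hb.attempts} attempts failed")
        self.last[hb.device_id] = hb
        self.count[hb.device_id] = self.count.get(hb.device_id, 0) + 1
        return alerts

    def availability(self, device_id):
        """Derived metric: fraction of expected heartbeats actually received."""
        hb = self.last[device_id]
        expected = (hb.ts - self.first_ts[device_id]) // self.interval_s + 1
        return self.count[device_id] / expected


# Constructed sample stream: a quiet start, a gap with a loosened FAR,
# then a relocated device reporting tamper with many failures, then a replay.
SAMPLE = [
    Heartbeat("sensor-01", 1, 1000, 0.001, 0.001, "lobby-north", "ok", 40, 2),
    Heartbeat("sensor-01", 2, 1060, 0.001, 0.001, "lobby-north", "ok", 38, 1),
    Heartbeat("sensor-01", 3, 1300, 0.01, 0.001, "lobby-north", "ok", 35, 3),
    Heartbeat("sensor-01", 4, 1360, 0.01, 0.001, "loading-dock", "tamper", 20, 15),
    Heartbeat("sensor-01", 3, 1300, 0.01, 0.001, "lobby-north", "ok", 35, 3),
]


def run(sample=SAMPLE, interval_s=INTERVAL_S):
    """Feed the sample through a monitor; return the monitor and all alerts raised."""
    mon = HeartbeatMonitor(interval_s)
    all_alerts = []
    for hb in sample:
        all_alerts.extend(mon.ingest(hb))
    return mon, all_alerts


if __name__ == "__main__":
    monitor, raised = run()
    for line in raised:
        print(line)
    print("availability sensor-01:", round(monitor.availability("sensor-01"), 3))
```

The replay check is deliberately placed before the state update: in a real deployment the CMS signature on the heartbeat stops forgery, but a valid old message resent by an attacker is only caught by sequence or timestamp tracking on the receiving side.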
6. ITU KALEIDOSCOPE 2013 Cryptographic Message Syntax
CMS is “a general syntax for data that may have cryptography applied to
it, such as digital signatures and digital envelopes” - RSA Laboratories
— Defined by RSA Security in the early 1990s
— PKCS #7 (Public Key Cryptography Standard 7)
— Replaced the Privacy Enhanced Mail (PEM) standard
— Solved the X.509 certificate distribution problem
— Initial root was RSA until VeriSign spawned (RSA, IBM, etc.)
— Adopted by IETF to support secure email; SET; X9.73, others
— No valid international version of the CMS standard exists!
CMS provides a standardized schema with a well-defined “hole”.
7. ITU KALEIDOSCOPE 2013 CMS Message Example
Schema is in ISO/IEC & ITU standard,
Abstract Syntax Notation One (ASN.1)
ASN.1 is used in billions of phones!
6.8 B cell phone subscriptions, 2013
Compact binary or XML markup
Zero+ Certificates and CRLs
Unsigned attribute content needs no
protection (e.g., SAML assertion)
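Added example, not the author's code nor any standard's reference implementation: a Python sketch of the CMS SignedData skeleton from slides 6 and 7, hand-encoded in DER, to show which bytes a signer actually protects. Assumptions made here: a minimal DER encoder written for the example; an HMAC-SHA256 tag standing in for the asymmetric signature (real CMS uses a signature algorithm with a certificate-bound key, which a stand-alone script cannot supply without extra libraries); a constructed attribute identifier under the ITU-T example arc 2.999 for the unsigned attribute; and the optional certificates and CRLs omitted, as the slide's "zero+" allows. The point demonstrated is the one on slide 7: the encapsulated content is protected through the messageDigest signed attribute, while an unsigned attribute (a SAML assertion on the slide) sits outside the signed bytes.

```python
import hashlib
import hmac


# --- minimal DER encoders, just enough for the CMS skeleton below (assumption) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one subidentifier
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:                                  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_octets(b): return tlv(0x04, b)
def der_seq(*parts): return tlv(0x30, b"".join(parts))
def set_body(parts): return b"".join(sorted(parts))   # DER orders SET OF members by encoding
def der_set(*parts): return tlv(0x31, set_body(parts))


ID_DATA = "1.2.840.113549.1.7.1"            # id-data
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"     # id-signedData
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # contentType signed attribute
ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"  # messageDigest signed attribute
ID_SHA256 = "2.16.840.1.101.3.4.2.1"
ID_HMAC_SHA256 = "1.2.840.113549.2.9"       # stand-in for an asymmetric signature algorithm (assumption)
ID_EXAMPLE_NOTE = "2.999.1"                 # constructed attribute OID under the ITU-T example arc


def attribute(oid, value_der):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }"""
    return der_seq(der_oid(oid), der_set(value_der))


def signed_attrs_for(content):
    """The two mandatory signed attributes when signed attributes are present."""
    digest = hashlib.sha256(content).digest()
    return set_body([attribute(ID_CONTENT_TYPE, der_oid(ID_DATA)),
                     attribute(ID_MESSAGE_DIGEST, der_octets(digest))])


def build_signed_data(content, unsigned_note, key):
    """Return the ContentInfo DER plus the bytes the signature actually covers."""
    attrs = signed_attrs_for(content)
    to_be_signed = tlv(0x31, attrs)   # RFC 5652 5.4: signed as SET OF (0x31), not as the [0] tag
    signature = hmac.new(key, to_be_signed, hashlib.sha256).digest()   # stand-in, see lead-in
    signer_info = der_seq(
        der_int(1),                                  # version 1: issuerAndSerialNumber form
        der_seq(der_seq(), der_int(1)),              # issuerAndSerialNumber (empty Name, placeholder)
        der_seq(der_oid(ID_SHA256)),                 # digestAlgorithm
        tlv(0xA0, attrs),                            # signedAttrs [0] IMPLICIT SET OF Attribute
        der_seq(der_oid(ID_HMAC_SHA256)),            # signatureAlgorithm (stand-in)
        der_octets(signature),                       # signature
        tlv(0xA1, attribute(ID_EXAMPLE_NOTE, der_octets(unsigned_note))),  # unsignedAttrs [1]
    )
    # EncapsulatedContentInfo is the "hole": any content type, here id-data with eContent [0]
    encap = der_seq(der_oid(ID_DATA), tlv(0xA0, der_octets(content)))
    # certificates [0] and crls [1] are OPTIONAL and omitted ("zero+" on the slide)
    signed_data = der_seq(der_int(1), der_set(der_seq(der_oid(ID_SHA256))), encap, der_set(signer_info))
    cms = der_seq(der_oid(ID_SIGNED_DATA), tlv(0xA0, signed_data))   # ContentInfo
    return {"cms": cms, "to_be_signed": to_be_signed, "signature": signature}


def verify(content, to_be_signed, signature, key):
    """Recompute the signed attributes from the content and check the (stand-in) signature."""
    if to_be_signed != tlv(0x31, signed_attrs_for(content)):
        return False   # content or signed attributes differ from what was signed
    expected = hmac.new(key, to_be_signed, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    a = build_signed_data(b"biometric sample", b"saml-assertion-A", key)
    b = build_signed_data(b"biometric sample", b"saml-assertion-B", key)
    print("unsigned attribute changed, signed bytes unchanged:", a["to_be_signed"] == b["to_be_signed"])
    print("ContentInfo hex:", a["cms"].hex())
```

Changing only the unsigned attribute changes the ContentInfo bytes but not the bytes under the signature, which is why the slide says such content needs no protection from the signer; changing the encapsulated content changes the messageDigest attribute and invalidates the signature.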
8. ITU KALEIDOSCOPE 2013 CMS In Biometric Standards
CMS SignedData is used to provide data integrity and
origin authenticity in each of the following standards:
X9.84 Biometric Information Management and Security
ISO 19092 Biometrics – Security Framework
DoD & FBI Electronic Biometric Transmission Specification (EBTS)
DHS Biometric Enabled Watch Lists (BEWL)
ICAO Doc 9303 Machine Readable Passports
ANSI / NIST-ITL 1-2011 Biometric Data Format & Interchange Standard
OASIS XML Common Biometric Format (XCBF)
ISO/IEC 24761 Authentication Context for Biometrics (ACBio)
9. ITU KALEIDOSCOPE 2013 Biometric System Vulnerabilities
Support policy-based information security management using real-time device FAR/FMR settings?
CMS (6, 7), and ACBio transfer?
1 - Attack on a biometric sensor with dummies: reproduced biometric trait presented as input
2 - Replay attack. Recorded, intercepted signal is replayed to bypass the biometric sensor
3 - Attack on feature extractor: produces altered values to those read by the biometric sensor
4 - Tampered feature representation (features are replaced with a fraudulent feature set)
5 - Attack on the matcher, forcing it to produce high or low matching score to allow or deny access
6 - Attack on biometric templates in a local, remote, or distributed database to add, modify, delete
7 - Tampered biometric reference template. See 4.
8 - Attack on the final matching decision end point: attacker disables the authentication system
10. ITU KALEIDOSCOPE 2013 CMS Signcryption Support
New CMS type proposed:
ID360: Global Forum on Identity
Schema similar to SignedData
One mode supports field-level
signcryption within signed object
Attributes: Defined by any group
with a need using any type or format
Manifest defined for each content type,
e.g., a list of XPath expressions in an
XML document
11. ITU KALEIDOSCOPE 2013 Signcryption Primitive Support
Signcryption combines encryption and digital signature
functions into a single, efficient cryptographic operation.
— A cryptographic technique and a primitive
— ISO/IEC 29150:2011 Signcryption standard
— Hybrid: combines digital signature with encryption
(hybrid like MAC + Encryption in SSL, SSH, ESP mode of IPsec)
— Confidentiality + Data Integrity + Origin Authenticity
— Asymmetric cryptography makes non-repudiation possible
— Faster, smaller result than signature-followed-by-encryption
— No standardized signcryption CMS type exists!
12. ITU KALEIDOSCOPE 2013 Summary
New standards are needed:
Telebiometric System Heartbeat
Need a standardized, extensible, CMS protected message to enable
development of vendor neutral telebiometric incident handling and
information security and safety management solutions
Cryptographic Message Syntax (CMS)
Need an international standard that complies with the ASN.1 standards,
that supports all encoding rules, and permits use of SC 27 cryptography
CMS Signcryption Support
Need a new CMS SigncryptedData message type that supports the
use of efficient ISO/IEC 29150 Signcryption techniques in CMS
13. ITU KALEIDOSCOPE 2013 Deeper Dive
Building Sustainable Communities – ITU Kaleidoscope conference, Kyoto, Japan, 22-25
April, 2013. (http://itu.int/en/ITU-T/academia/kaleidoscope/2013/Pages/default.aspx)
ITU-T Technology Watch Report 12: Biometrics and Standards. December, 2009.
(http://www.itu.int/en/ITU-T/techwatch/Pages/reports.aspx)
Griffin, P. (2012). Protecting Biometrics Using Signcryption
(http://phillipgriffin.com/innovation.htm#ID360)
Griffin, P. (2013). Telebiometric Information Security and Safety Management. ITU
Kaleidoscope ’13 (http://phillipgriffin.com/innovation.htm#ITU)
RSA Laboratories Public Key Cryptography Systems (PKCS) #7 – Cryptographic
Message Syntax (CMS) (http://www.rsa.com/rsalabs/node.asp?id=2129)
ISO/IEC 29150 (2011), Signcryption.
(See http://phillipgriffin.com/innovation.htm#29150 for proposed schema corrections)
X9.84-2011 Biometric Information Management and Security. U.S.A.: American National
Standards Institute (ANSI).
14. ITU KALEIDOSCOPE 2013 Questions ?
phil@phillipgriffin.com +1 919 291 0019 Skype: phil.griffin