Biometrics

Presented by
Ratna Sudha.R
 CONTENTS

1. Introduction
2. Security and authentication
3. Methods of verification
a. Psychological verification
i. Finger Print.
ii. Hand Print.
iii. Face Measurement.
iv. Retinal Scanning.
v. DNA Analysis.
b. Behavioral verification
i. Typing.
ii. Signature.
iii. Voice.
4. Identification.
5. Verification.
6. Advantages
7. Limitations
8. Conclusion.
9. References
 Introduction
Biometrics is an advanced technology for superb security and
authentication .The very term "biometric” it represent that "bio" means
related to the biological study and "metric " means something, which is
related to measurement. In network environment security is a crucial factor.
Provide security to pages in the network is to difficulty. Password is not a
good measurement for security. Good security mechanism is necessary on
the Internet. Security in different levels applies to various documents.
Security is depends how security assign to documents. Security depends on
following categories.

1. Confidential
2. Secret
3. Non-secret
4. Public

Confidential pages over the network provide full security. No way to

tamper data in the page by third party. In this case biometrics are more
useful and no way to disturb the page contents. First of all store all data
about biometrics in database after that tally with this data. If tally satisfies
with backend then provide access to the user. Collecting information is too
difficult and store in database also need more space.

There are two security methodologies in Biometrics, they are

1.Token-based security:
 It relies on the users special item -token like card-id.

2.Secret based security:

It relies on an individual secret id number like password.

Neither of the two can accurately determine whether the password that

posses a token nor knows some secret information of the individual it

represents. Tokens can be stolen and information can be guessed or

fraudulently obtained.

Biometric is a technology where the password for entry is you, which

identifies your psychological and behavioral characteristics.

Security and Authentication

Web-Based Enterprise Management (WBEM) supports a limited form

of security for the Microsoft® Windows® 98 platform that involves

validating a user's logon for the local machine and for remote access. A

validated user is granted access to the entire Common Information Model

(CIM) schema. WBEM does not secure system resources, such as individual

classes, instances, and namespaces. Security is limited because Windows 98

is not a secure operating system and does not support file system or registry

security.

All security-related information is represented by instances of WBEM

system classes located in the Root\Security namespace. These classes and

instances can only appear in the Root\Security namespace and must remain

there permanently.

The WBEM Administrator application can be used to set permissions

for WBEM users. It is similar to the User Manager application supplied with

Microsoft® Windows NT®.

In WBEM, all security accounts are referred to as subjects. There are

two types of subjects: user and group. Users are represented by instances of

the NTLMUser system class, which describes individual users. Groups are

represented by instances of the NTLMGroup system class, which describes

multiple users. Both the NTLMUser and NTLMGroup classes derive

indirectly from the subject system class, an abstract class that is not

intended to be used for instantiation. More directly, NTLMUser derives

from the generic User class and NTLMGroup derives from the generic

Group class.
Permissions:

Microsoft SQL Server uses permissions to enforce database security.

The SQL Server permissions system specifies which users are authorized to

use which Transact-SQL statements, views, and stored procedures. The

ability to assign permissions is determined by each user's status (as SA,

database owner, or database object owner). Permissions are set on database

users or groups, not on login IDs.

Permission Hierarchy:

SQL Server's permissions system recognizes four types of users: the

SA, database owners, database object owners, and other users of the

database.

The different types of users exist in a hierarchy (explained in the

following sections and illustrated below).

System Administrator

Database owners

Database object owners

 Database users

Only the SA and database owners can grant statement permissions to

other users.

Different Security Mechanisms:

To help you understand the information presented in this chapter, we

begin by defining some security-related terms. This brief list of definitions is

not intended to serve as a comprehensive SQL Server glossary. It is provided

as a quick reference to help you understand some of the security elements

discussed throughout this chapter. You may find it useful to refer back to

this list of security definitions as you read through this chapter and through

Chapter 9, "Managing Security."

alias

An alias is a database username that is shared by several login IDs. A

database alias allows you to treat more than one person as the same user

inside a database, giving all of them the same permissions. Any username in

a database can also serve as an alias.

Aliases are often used so that several users can assume the role of
database owner.

Database object owner

Database objects are tables, indexes, views, defaults, triggers, rules,

and procedures. The user who creates a database object is the database

object owner and is automatically granted all permissions on it. The database

object owner can grant permission to other users to use that object. Database

object ownership cannot be transferred.

database owner

The database owner (DBO) is the creator of a database. There is only

one DBO. The DBO has full privileges inside the database that he or she

owns, and determines the access and capabilities provided to other users.

In his or her own database, the user is recognized as DBO; in other

databases, the database owner is known by his or her database username.

DBO status can be reassigned to a different user. Only one login ID

can be DBO, although other login IDs can be aliased to DBO.

domain

In Windows NT security, a domain is a collection of computers that

are grouped for viewing and administrative purposes, and that share a

common security database.

group

In SQL Server, a database group is a collection of database users. The

users receive the database permissions granted to the group. Using groups

simplifies management of a large number of database users, because groups

provide a convenient way to grant and revoke permissions to more than one

user at the same time.

In Windows NT, a group is a collection of Windows NT users. The

users received the Windows NT rights and permissions granted to the group.

Groups provide a convenient way to manage the capabilities of a large

number of users with similar needs, within the security scope of a domain or

a computer.

integrated security

Integrated security allows a SQL Server to use Windows NT

authentication mechanisms to validate logins for all connections. Only

trusted (multi-protocol or named pipes) connections are allowed.

login ID

A login ID is a name by which a user is known to SQL Server. Login

IDs are also referred to as logins.

To log in to a SQL Server that is running standard security, a user

must provide a valid login ID and password.

login security mode

The login security mode determines the manner in which a SQL

Server validates a login request. There are three types of login security:

integrated, standard, and mixed.

mixed security

Mixed security allows login requests to be validated using either

integrated or standard security. Trusted connections (as used by integrated

security) and nontrusted connections (as used by standard security) can be

established.

object permissions

Object permissions regulate the use of certain statements on certain

database objects. They are granted and revoked by the owner of the object.

permissions

Microsoft SQL Server uses permissions to enforce database security.

The SQL Server permissions system specifies which users are authorized to

use which Transact-SQL statements, views, and stored procedures. The

ability to assign permissions is determined by each user's status (as SA,

database owner, or database object owner).

There are two types: object permissions and statement permissions.

standard security

Standard security uses SQL Server's own login validation process for

all connections. To log in to a SQL Server, each user must provide a valid

login ID and password.

statement permissions

Statement permissions provide the privilege to issue certain Transact-

SQL statements. Statement permissions are not object-specific. They can be

granted only by the SA or the database owner.

Statement permissions apply to these statements: CREATE

DATABASE, CREATE DEFAULT, CREATE PROCEDURE, CREATE

RULE, CREATE TABLE, CREATE VIEW, DUMP DATABASE, and

DUMP TRANSACTION.

Statement permissions are also called command permissions.

system administrator
 The system administrator (SA) is the person responsible for the

administrative and operational functions that are independent of any

particular application, and is likely to be a person with a comprehensive

overview of SQL Server and all its applications.

Administering SQL Server typically includes such tasks as installing

SQL Server; configuring servers and clients; managing and monitoring the

use of disk space, memory, and connections; creating devices and databases;

authorizing SQL Server users and granting them permissions; transferring

data in and out of SQL Server databases; backing up and restoring

databases; implementing and maintaining replication; scheduling unattended

operations; monitoring and tuning SQL Server performance; and diagnosing

system problems. The system administrator may also advise application

designers about the data that already exists on SQL Server, make

recommendations about standardizing data definitions across applications,

and so on.

The system administrator operates outside the protection system,

which means that SQL Server does no permission checking for the system

administrator. The system administrator is also treated as the owner of

whatever database he or she is using. Anyone who knows the SA password

can log in and act as system administrator (unless the server is running in
Integrated login security mode).

trusted connections

Integrated security requires network protocols that support

authenticated connections between clients and servers. These are referred to

as trusted connections. The multi-protocol and named pipe protocols provide

trusted connections.

Note that nontrusted connections (connections over other network

protocols that do not support authenticated connections) must be handled by

using SQL Server standard security.

username

In SQL Server, a database username is a name assigned to a login ID

for the purpose of allowing a user to have access to a database. The abilities

a user has within a database depend on the permissions granted to the

username (and to any groups the username is a member of).

In Windows NT, a username is the name by which the user is known

to the domain, or to an individual Windows NT computer. A user logs on to

a domain or computer by providing a valid username and password. The

abilities of the user depend on the Windows NT rights and permissions

granted to that username and to any Windows NT groups the username is a

member of.

Method of Verification

1.PSYCHOLOGICAL VERIFICATION

Psychological Verification involves in the verification of the

organs of the human being, which will have unique identification and does

not match with others.

There are five types of verifications. These are:

I. Fingerprint.

II. Handprint.

III. Face measurement.

IV. Retinal scans.

 V. DNA analysis.

I. Finger print: It involves the user placing his finger over a glass-plate,

which resides over a high-resolution camera, which uses optical or

electromagnetic means to take its snapshot. The software analysis your

finger for pattern such as loops, worls and arches.

Advantages:

a. This technology is neither too expensive nor does it require

extensive user training.

b. It also simple to implement.

c. Finger print system has FAR<0.5%

d. It is oldest known technique that is still used in criminal records and

forensic.

Imagine the number if unique finger prints that might need to be

stored and then accessed in a database. This necessities the use of easier

indexing and matching.

 In US super market, customers give their credit card information and

other personal details to store and tie it with their fingerprint data. The next

time, he can pay for purchases without a fingerprint.

Disadvantages:

1.Any injures of fingers effect more.

II. Hand print:

It compares a 3D image of the users hand to that present in the system

database. It is somewhat similar to finger print verification.

Advantage:

a. Accuracy is better than fingerprint.

 b. Cheap and easy to deploy.

Disadvantage:

a. Complex in usage.

b. Implementation is expensive.

c. Any damages to hand effect more.

III. Face measurement:

Measuring this is as simple as taking a picture and analyzing the

image from a security video capture. This technique enables the computer to

use your face as your password and matching these to an existing database.

Advantage:

a. Most continents at public places.

b. Less expensive.

Disadvantage:

a. Inaccurate is affected by changes in lighting, age, and

movement, glass.

b. Face creams also effect the measurements.

IV. Retinal scans:

It involves imaging of the blood vessels in the retina of the eye when

infrared light of a certain frequency and wavelength is incident upon it.this

energy is absorbed by the blood vessels is different in different individuals.

The retinal iris patterns are unique to individuals than any biometric

yet devised.

The retina is an internal part of the eye located at the back of the eye

and is get of thin nerve which sense the light coming through a camera,

pupil, eye lenses.

The pattern of blood vessels which makeup retina are unique to each

individual i.e., <1.2 inch.

Advantage:

a. Accurate with no false match in 2 million people.

b. It s sophisticated process.

Disadvantages:

c. Expensive, difficult to deploy and use.

d. Focus of light effect measurements.

V. DNA Analysis:

It involves in checking the DNA pattern of a human used when

physical characteristics are unrecognizable. It is used to identify people, who

are died, to find out the relationship like identifying Childs natural parents.

This is one Biometric that is judicially accepted. No human have

identified DNA patterns except in twins.

Advantages:

a. DNA samples can be collected from toothbrush, clothes.

Disadvantages:
 e. DNA testing takes longer time than other methods.

f. Twins have same DNA.

g. Researchers produce same DNA.

2.BEHAVOURAL VERIFICATION

This involves in oral thing done by the individual. There are 3 types of

behavioral verifications,

1. Typing

2. Signature

3. Voice

1. Typing:

Some systems measure things you do in addition to the things you are,
you will notice that your typing has a certain pattern. Some letters follow

others in quick succession, while others take longer.

Software called Bio password is available for less than $100.It

integrates with Windows 2000.Windows NT.Login to provide this

authentication without the need for any additional software. This measure is

a behavioral characteristic of a person.

2. Signature:

Some qualities looked into include acceleration rates, direction, and

pressure and stroke length. Here mainly concentrate on pressures. This

pressures stored in back end for future significations.

Disadvantages:

a. The disadvantage with the technology lies in the randomness or the

consistency with which a user makes his signature. If pressures are not tally

with stored pressure in the database.

3. Voice:

It involves in the recognition of the voice of the individual.

Advantages:
 1) It is inexpensive.

2) It also works through telephone.

3) Some person mimicry with other person voices.

Disadvantages:

a. One can mimic the voice of the individual.

Biometric does not guarantee security. It simply offers ore convenient

and reliable means of identification and authentication.

Mixed form Biometrics

Some times use more than one form biometrics. This mixed form

provide more security. Here combine more than one type. Even 80% equals

with database then access provide to user.

 Identification

It is a process of recognition and involves taking the biometric data and

searching for the match in the database asking it a slow process that it is

more prone to errors.

Authentication:

It involves confirming your identity and the biometric systems have to

match your data with only one, single record.

Depending on the technique used, Biometric have varying levels of

accuracy .The system might let you pass in one attempt on Monday and

require five on Tuesday.

The accuracy of any biometric system is measured in terms of FAR

and FRR.

FAR (False Acceptance Rates):

Where an imposer is accepted as a match. It is a probability of falsely

accepting a metric as a match.

FRR (False Rejection Rates):

Where a legal match is denied. Where the system sails to recognize an

authentic Bio-signature.
 As FRR increases, the FAR goes down and vice versa.

Almost all biometric systems can be adjusted to varying levels of strictness

to create a variation in FAR and FRR. For a system to be successful, both

have to be with in acceptable low limits.

Advantages

 It provide good security mechanism than all other security methods

 It never fails in security constraints.

 In public locations such as banks and airports a large number of

people transit every day including known criminals. Face recognition

systems attached to video surveillance systems are supposed to help

catch them.

 A professor recently published his techniques for fooling finger print

scanners. He found that Optical finger print scanners can be fooled by

silicon rubber. However electro magnetic scanners would reject those,

 because electrical characteristics are different from that of a live

finger.

Limitations

It needs high memory space in the back end.

 Collect data for security is difficult

 Some times fails the security with right users

 Any time data loose in database high effect for security mechanism.

 So many equipments are needed for provide this technology.

 It highly expensive

Conclusion

Security is not just about putting big locks on the front door; it

also involves making sure all the windows are shut. Each one can be

individually fooled, but the comparison makes the system more secure as a

whole. Biometrics are have its own advantages and disadvantages. It high

expensive but it provide good security. Money is not important than security.
It is more useful for confidential maters.

References

http://Biometrics.com

http://whitepapers.com

http://www.milesresearch.com

http://microsoft/biometrics.com

IT Magazines