SECURE MODIFICATION TO A FILE PROTECTION SYSTEM THAT USES A FINGERPRINT IDENTIFICATION TECHNIQUE

___________________

A Project Presented to the Faculty of California State University, Chico ___________________

In partial Fulfillment of the Requirements for the Degree Master of Science in Computer Science

___________________

by Shi-Hsun Chou 2003 Fall 2003

ACKNOWLEDGMENTS I would like to express my gratitude to the entire faculty and staff of the Department of Computer Science, College of Engineering, Computer Science, and Technology at California State University, Chico. I am most grateful to my two professors, Dr. Benjoe A. Juliano and Dr. Tyson R. Henry, for their valuable advice, understanding, and suggestions. I also want to thank Dr. Juliano for giving me many useful ideas and thoughtful comments which enhanced my ideas for this project. Moreover, I want to express my appreciation to Leahsin Technologies, Inc., for letting me use their product, Fingerprint Reader, in this project. Thank you to all my friends for their moral support, kindness, and friendship. Also, I would like to give special thanks to my family, especially my mother, for their endless encouragement and love. And, to my wonderful girlfriend, Kimmy, thanks for always being there for me with boundless patience, love, and tenderness.

ABSTRACT SECURE MODIFICATION TO A FILE PROTECTION SYSTEM THAT USES A FINGERPRINT IDENTIFICATION TECHNIQUE by Shi-Hsun Chou 2003 Master of Science in Computer Science Summer 2003

This projects objective will be to modify an existing fingerprint identification and encryption system so it provides the highest security possible for individual or group access to sensitive documents or files in a more user friendly way. The projects target audience is top management, executive members, and/or scientists of a company. The main purpose is to help a company maintain the highest security for a document or file in a convenient and safe way. By just using a fingerprint together with a login ID and system password, a user can access the chosen document or file.

CHAPTER I

INTRODUCTION

Motivation

The rapid and continuous development of technology in the last few years has led to an increase in computer usage. According to information from the U.S. Census Bureau, half of the households in the U.S. use computers today [1]. This figure has increased steadily as more and more people use computers for everyday tasks. However, the convenience and speed of the Internet creates more security problems. People are afraid that someone could steal their data or hack into their systems. Data security has become an important issue. Experts are continuously developing different methods to stop these illegal activities.

Purpose of this Project This project focuses on data security. Nowadays, the most common way to secure data is to use a firewall. A firewall is software that prevents unauthorized users from accessing a computer and its files [2]. Companies large and small and individuals set up firewalls to protect their data. However, a firewall may not be enough to stop determined computer hackers and criminals. Experts are trying to find a solution for this problem. Biometric technology is providing the best solution so far.

Biometrics is the science and technology of measuring and statistically analyzing biological data. In information technology, biometrics usually refers to technologies for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for authentication purposes. [3] It has been widely used for personal identification since it is based on human physiological properties, which are difficult to copy. There are several advantages in using biometrics for authentication purposes: 1. 2. 3. 4. Universality. Everyone has biometrics features. Uniqueness. No two persons have the same characteristics. Permanence. The characteristics of biometrics features should be invariant. Collectability. The characteristics of biometrics features should be measured

quantitatively. 5. Performance. The characteristics of biometrics features should be quick to

distinguish. 6. Acceptability. The characteristics of biometrics features should be easily

identifiable. Based on the above properties, many biometric-based systems have been developed using human body characteristics. One of the easiest to use is the fingerprint. After deciding to use a fingerprint as the personal identifier, selecting a cryptanalysis system to encrypt data is also very important. Cryptanalysis refers to the study of ciphers, ciphertext, or cryptosystems (that is, to secret code systems) with a view to finding weaknesses in them that will permit retrieval of the plaintext from the ciphertext, without necessarily knowing the key or the algorithm. This is known as breaking the cipher, ciphertext, or cryptosystem. [4]

Encryption is the process of transforming information from an unsecured form (clear or plaintext) into coded information (ciphertext), which cannot be easily read by outside parties [5]. Two parts of an encryption system involves . . . a means of changing information into code (the algorithm), and a secret starting point for the algorithm (the key). . . . The key determines how the algorithm - the encryption process - will be applied to a particular message, and matching keys must be used to encrypt and decrypt messages . . . Two basic types of encryption in use today are known as private key encryption and public key encryption. In private key encryption, the same key is used for both encryption and decryption . . . Public key encryption solves the problem of maintaining key security by having separate keys for encryption and decryption. [6] The file encryption system developed in this project will encrypt files using a private key. The system will automatically create a code file containing the combination of converted data from the original file and a private key with an ID number. For fingerprint matching technically speaking, the biometric devices create electronic digital templates that are stored (a users stored enrollment) and then compared to live, when there is a need to verify the identity of an individual [7]. The purpose of this project will be to modify an existing fingerprint identification and encryption system so it provides the highest security possible for individual or group access to a companys sensitive documents or files in a more user friendly way.

Scope of the Project This project covers the following areas:

l

This project uses a dialog-based MFC AppWizard [exe] of Visual C++ 6.0

Enterprise Version as the structure of the program.

Fingerprint identification is used through the fingerprint reader to scan

fingerprint data.
l

A private key system of cryptology is used in this project. Although not used in this project, a public key system of cryptology will be

compared with the private key system of cryptology.

The Structure of the Project Figure 1 shows the data flow chart of the Fingerprint Identification and Encryption System (FIES) implementation in seven steps: Step 1. Run the FIES. Step 2. Create a user data in the Person Management. Step 3. Enroll a users fingerprint data. Step 4. Verify the fingerprint data that is created. Step 5. Encrypt an original file. Step 6. Decrypt a file that is encrypted. Step 7. Exit the FIES. The Structure of File Encryption Figure 2 shows how FIES automatically creates an encrypted file and a code file after encrypting the original file. The Structure of File Decryption Figure 3 shows how FIES decrypts encrypted file using a code file.

Run FIES

Person Management

Fingerprint Data Enrollment

Person Verification

File Encryption File Decryption

Exit FIES

Figure 1. The data flow chart of the FIES implementation.

Original file System time ID No. Converted context file Private key

Code file

Encrypting file

Figure 2. The structure of file encryption. 8

System time

Encrypting file

Live fingerprint

Fingerprint Library

Private key Decrypting file Fingerprint matching

Converted context file

ID No.

Code

Code file Decrypting file failure Comparing two codes Decrypting file successfully

Figure 3. The structure of file decryption.

Hardware/Software Used in This Project Hardware

l l

Fingerprint reader/verifier/scanner Laptop Computer (P4 2.0G, RAM 256M, Hard disk-20G)

Software
l l

Windows 2000 Professional Visual C++ 6.0 Enterprise Version

Other Products 1. features:

l l l l l l l l l l l

Eagle Tec Finger Print Scanner PC Card, which has the following important

Full Windows OS support including 98, ME, NT4.0, 2000, and XP. PCMCIA (16-bit) interface. Easy to use master password for all types of Windows application and online passwords. Locking files or folders from unauthorized access. Locking application from unauthorized access. Compatible with Windows screen-saver password feature. Easy to import and export existing passwords. Store unlimited number of passwords and related information in a secure database. Compatible with Microsoft Password support for Internet Explorer. Compatible with GUI that is easy to install, customize, and use. International Language Support. [8] Targus DEFCON Authenticator with USB Hub, which has these important

2. features:
l l l l

Fingerprint Biometric Authentication. SecureSuite Software offers password management and document/folder encryption. Integrated two port USB hub Notebook Computer Security/Expansion. Light, small and great for travel. [9]

10

CHAPTER II

PERSONAL IDENTIFICATION

Introduction With the rapid development of science and technology, personal identification plays a very important role today since it is used to verify user personal information before allowing entry into a secure and confidential system. Why is personal identification so important today? Because computers and the Internet have developed so quickly, security has become very difficult. Without effective personal identification safeguards, anyone can easily gain access to important data or break into important systems. Traditionally, in order to verify personal identification, the user needed only a User ID and Password to access secured files. However, a User ID and Password only is not secure enough since they can be easily stolen. A new authorization/identification technique, biometrics, has been developed that can determine more accurately if a person is authorized to access a computer system and/or its files.

The Classification of Personal Identification Some biometric characteristics that are used or are under investigation as distinctive personal identification include:
l l l l

Fingerprints Hand geometry Hand Vein Iris

11

l l l l l

Retina Signature Voice Print Facial Thermogram DNA Among these biometric characteristics, using the fingerprint as a form of

authentication is the most popular and convenient because of universality, uniqueness, collectability, and acceptability.

The Method of Personal Identification This project will use the fingerprint as the tool of personal identification. There are two types of fingerprint identification: manual and automatic. Manual fingerprint identification needs an expert to compare a print with a fingerprint database. However, this action is time consuming and laborious. The other method uses automatic fingerprint identification. Using a special software application and a fingerprint reader, the fingerprint can be easily identified and compared by using an enrolled fingerprint database. Figure 4 shows a domain class diagram of the fingerprint verification system. It clearly shows the relationships and compares fingerprints between the user and the fingerprint database via the fingerprint verification system.

12

Figure 4. Domain class diagram of fingerprint verification system.

13

CHAPTER III

FINGERPRINT VERIFICATION

Introduction In 1684 an Englishman, Dr. Nehemiah Grew, wrote a paper about fingerprint features on a human finger. It was later, in 1897, when Sir Edward Henry developed a classification system for fingerprints based on his discovery that every person has over 13 characteristics on each fingerprint [10] and that these characteristics can help verify personal identification. From birth to until death, a persons fingerprints remain the same and never change. Since a fingerprint cannot disappear or be lost and other people cannot easily copy it, fingerprinting is a unique and secure method of personal identification in todays world. People can use their fingerprints as a secure key lock anytime and anywhere. For example, police use fingerprints to access each persons criminal record files. And a fingerprint identification system can be used to access long distance files, control a computer system, and electronic bank via the Internet. The Classifications of Fingerprint Fingerprint classification can provide an important indexing mechanism in a fingerprint database. An accurate and consistent classification can greatly reduce fingerprint- matching time in large databases. The patterns and geometry of fingerprints are different for each individual and they are unchanged with age. The classifications of fingerprints are based on certain characteristics called arches, loops, and whorls. A fingerprint is made up of some characteristics on the surface of the finger. The uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as the

14

minutiae points. Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending. Fingerprint verification can be divided into two characteristic models: fingerprint shape characteristic and fingerprint detail characteristic.

Fingerprint Shape Characteristic Some fingerprints have a spiral shape. The center of the spiral shape is known as the Core Point of the fingerprint (Figure 5). In other fingerprints, the furrows of the fingerprint are horizontal on the leftbottom side or right-bottom side and the furrows on the top run in two opposite directions. This is called a Delta Point (Figure 6).

Figure 5. The Core Point.

Figure 6. The Delta Point. There are many variations of these basic fingerprint characteristics. However, fingerprints can be further classified using certain detail characteristics arches, loops, and whorls.

15

The Arch The arch looks like a hill. There are two types of arch shapes in this case: the Simple Arch and the Tended Arch. Figure 7 shows the Simple Arch. The middle part is going up just a little bit with a smooth bend. This type of arch has no triangular shape or central point.

Figure 7. The Simple Arch.

Figure 8 shows a Tended Arch. The central part of the fingerprint goes up sharply and clearly, like a peak. This type of fingerprint has a triangular shape and no central point.

Figure 8. The Tended Arch.

The Loop

16

It looks like a dustpan and either bends to the left-hand side or right-hand side. This type of fingerprint has a central point and a triangular shape. It can be classified as either a left loop or right loop. The Left Loop (Figure 9) is the mouth of the dustpan on the left-hand side. Plus, the loop is always a triangular shape on the right-hand side.

Figure 9. The Left Loop. The Right Loop is opposite of the Left Loop. The mouth is on the right-hand side with a triangular shape on the left-hand side as shown in Figure 10.

Figure 10. The Right Loop. The Whorl The lines in this fingerprint spiral like the lines in a seashell and it has a round or oval shape. It has a central point and a triangular shape on both the left and right-hand side as shown in Figure 11.

17

Figure 11. The Whorl. Among whorl fingerprints, there are two variations worth mentioning: the Double Loop Whorl and the Accidental Whorl. The Double Loop Whorl looks like two upside-down loops on the same fingerprint (Figure 12). The Accidental Whorl is made up of one or many loops and whorls. These form a special fingerprint shape. Usually this type of fingerprint includes two or more triangular points.

Figure 12. The Double Loop Whorl.

Fingerprint Detail Characteristics The characteristics of the fingerprints can be divided into three types: directions, core point and delta point, and detail characteristics. Directions The fingerprint is formed by different lines. The direction of these lines can be formed into different shapes and characteristics as shown in Figure 13.

18

Figure 13. The Directions of a fingerprint. Core Point and Delta Point The successful fingerprint identification is based on accurate core points and delta points as Table 1 shows. Detail Characteristics Detail characteristics have eight categories as Table 2 shows. Ending point and bifurcation point are called basic characteristic. The other characteristics are called complex characteristics.

Table 1. The Core Point and Delta Point of Fingerprint

Classification of Fingerprints
Arch

Core Point Delta Point

Type of Delta Point

0 1 1 1 0

0 1 1 2 1 Left Right Left and Right

Right Loop Left Loop Whorl Tended Arch

19

Table 2. The Characteristics of Fingerprints

Characteristics

Images

Dot Ending Bifurcation Island Spur Crosser Bridge Short ridge

Minutiae Extraction When the user places his/her fingerprint on the reader, the verifier catches the image and shows the minutiae points of the users fingerprint as shown in Figure 14. The fingerprint verifier tries to match the minutiae points and coordinate (x, y) with the fingerprint data already existing in the database. When there are over 12 matching minutiae points between the fingerprint database and live fingerprint data, they can be identified as being from the same finger. The data flow chart of fingerprint data matching is shown in Figure 15. 20

Red: End points Green: Cross points : Core points \:

Figure 14. The minutiae points of a fingerprint.

Scientific studies have shown that two different fingerprints cannot have ove r 12 matching minutiae points [11]. The required number of matching minutiae points can be set according to the security level and identifying speed demanded.
l

If a higher security level is required, the user can set a higher number (> = 12)

and the false acceptance rate is less than 1/10,000.

l

If a faster identifying speed is needed, the user set a lower number (8) and the

false acceptance rate is less than 1/1,000.

21

Fingerprint enrollment and database file created

Automatically fingerprint minutiae extraction

Fingerprint image and data saving

Fingerprint database Live fingerprint input

Fingerprint data transition

No Fingerprint identification matching

Fingerprint matching failure

Yes
Fingerprint matching completed

Figure 15. The data flow chart of fingerprint data matching.

22

CHAPTER IV

CRYPTOLOGY

Introduction Cryptology is the science of enciphering and deciphering codes or secret communications. Cryptology can be divided into two areas: 1. Cryptography creating and using secure codes. Cryptology can be used for: a. Data Secrecy or Data Privacy: Avoid illegal reading of data content. b. Data Authenticity: Assure the legality of a data resource. c. Data Integrity: Make sure of data modification. d. Data Non-repudiation: Cannot repudiate data transition. 2. Cryptanalysis deciphering or breaking codes.

Types of Attack 1. Ciphertext-only attack. Just given some coded messages, aim to decode them and/or find the key: l Statistical analysis of the ciphertext can restrict key or plaintext. l Exhaustive key search -- feasible up to 50--60 bit keys. 2. Known-plaintext attack. Given some plaintext and its coded version, aim to find the key. This was the attack on Enigma. 3. Chosen-plaintext attack. You can choose messages and see what they come out as, aim to find the key. Variations depending on how many messages you can use and whether you can choose one after seeing the result of the last (adaptive chosen plaintext attack). [12] Public Key Cryptosystem The information of Public-Key Cryptosystem includes:
l

The latest revolution in cryptology.

23

Idea due to Diffie and Hellman, 1970. There is a key that allows you to encrypt a message, but does not help you to decrypt other messages. l There is a separate key that can be used to decrypt the messages. l Each user publicizes their encryption key (or public key) but guards their decryption key (or secret key). l To send someone a message you encrypt it with their public key. l To intercept and read it requires their secret key. All public-key cryptosystems depend on the use of a trapdoor function in the encryption step. This is a function (more precisely a program implementing a function) f such that, given f and x, f(x) is easy to compute, but given f and f(x), x is not easy to compute. [12]
l l

Rivest-Shamir-Adleman (RSA) Algorithm Ronald L. Rivest, Adi Shamir, and Leonard Adleman developed the RSA system in 1977 [13]. This system uses as its trapdoor function that is fi,n (x) = xi mod n where i, n, and x are large integers, typically 100--300 digits. If you know i, n, and x, it is relatively easy to compute fi,n (x), but (for the right choice of i and n and as far as we know), not the reverse. The numbers i and n form the public key. The secret key is n and another large number j such that xi j = x mod n. The three numbers (n, i, j) are called a key pair. [12] RSA Key Pairs We are left to determine: l How to choose a key pair (n, i, j) such that xi j = x mod n (correctness) l How to choose a key pair so that knowing the public key does not allow decryption (security) This depends on a few pieces of elementary number theory and one fact about the current state of computational number theory: l It is much easier to test whether or not a number is prime that to find the prime factors of a non-prime number of the same size Creating a key pair depends on being able to find two large prime numbers on demand, whereas breaking one (finding j given n and i) seems to depend on factoring their product. [12] Creating Key Pairs A key pair is created by finding two primes P and Q of suitable size (and with certain nice properties). We multiply them together to get N = P * Q. Now I is chosen (often I = 3, it doesn't matter). To find J we need:

24

The extended Euclidean algorithm: This algorithm computes the highest common factor (greatest common divisor) H of two integers X and Y and finds two integers S and T, such that S * X+T * Y=H Details later. We apply this with X = I and Y = (P-1)*(Q-1). If the GCD H is not 1 we try another I. When H = 1, we have S and T such that S * I + T * (P-1) * (Q-1) = 1 We take J = S. RSA Example: Take P = 7 and Q = 11 then N = 77. Take I = 13, the public key is (13,77) Using the Extended Euclidean Algorithm, with X = 13 and Y = (7-1) * (11-1) = 60 to find that S * 13 + T * 60 = 1, J = S = 37 and T = -8. Hence (37,77) is the secret key. Now we can encrypt 2: 313 mod 77 = 1594323 mod 77 = 38 Decrypting we calculate (working mod 77) 381 mod 77 = 38 382 mod 77 = 1444 mod 77 = 58 384 mod 77 = 582 mod 77 = 3364 mod 77 = 53 388 mod 77 = 532 mod 77 = 2809 mod 77 = 37 3816 mod 77 = 372 mod 77 = 1369 mod 77 = 60 3832 mod 77 = 602 mod 77 = 3600 mod 77 = 58 We can find 3837 mod 77 = (3832 * 384 * 381 ) mod 77 = (58*53*38) mod 77 = 116812 mod 77 = 3 [12] The structure of public-key cryptosystem as shown in Figure 16.

Plaintext Encryption

Ciphertext Decryption

Plaintext

Public key

Private key Asymmetric key pair generator

Figure 16. The structure of public-key cryptosystem.

25

Private Key Cryptosystem Data Encryption Standard (DES) . . . is the name of the Federal Information Processing Standard (FIPS) 46-3, which describes the data encryption algorithm (DEA). The DEA is also defined in the ANSI standard X9.32. [Originally developed by IBM and known as Lucifer], the National Security Agency (NSA) and the National Bureau of Standards (NBS, now the National Institute of Standards and Technology, NIST) played a substantial role in the final stages of development. The DEA, often called DES, has been extensively studied since its publication and is the best known and widely used symmetric algorithm in the world. The DEA has a 64-bit block size and uses a 56-bit key during executio n (8 parity bits are stripped off from the full 64-bit key). The DEA is a symmetric cryptosystem, specifically a 16-round Feistel cipher and was originally designed for implementation in hardware. When used for communication, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code (MAC). The DEA can also be used for single- user encryption, such as to store files on a hard disk in encrypted form. In a multi- user environment, secure key distribution may be difficult; public-key cryptography provides an ideal solution to this problem. [14]
l l l l l l l l l l

Secret-key cryptosystem. Originally from IBM Thomas J Watson labs. Adopted for low- level security by US Govt. Published and standardized in the 80s. Fast to encrypt and decrypt in software or hardware. Fast hardware commercially available (U.S. export restrictions apply). Still strong but starting to look a little shaky. Block cipher with 64 bit blocks. 56 bit keys extended to 64 by eight parity bits. Encryption and decryption each a sequence of basic steps. [12]

DES Basic Structure Think of DES as a pair of functions from a 64-bit key k (actually made from a 56bit key, to allow the NSA to do brute force search if they want to) and a 64-bit plain text p to a 64-bit ciphertext c c = EDES(k, x) = I-1 (P T16(k) (S( (S(PT1(k)(I(x)) ) x = DDES(k, x) = I-1 (P T1(k)(S( (S(PT1(k)(I(x)) ) Where: I is a fixed permutation of the 64 bits. S swaps the two 32-bit half- words. PT (x)= x + T (x / 232 ) where T is a function from 32-bit numbers to 32-bit numbers. [12]

26

DES Correctness Clearly S(S(x)) = x. Also PT (PT (x)) = x, since PT does not change the high half-word and adds a function of the high half word to the low one. Adding something twice in binary has no effect. Thus EDES(k, EDES(k,x)) = x, also EDES(k, DDES(k,x)) = x The heart of the encryption is in the definition of Ti(k) for i = 1 16. [12] The structure of private-key cryptosystem as shown in Figure 17.

Plaintext Encryption

Ciphertext Decryption

Plaintext

Secret key Symmetric key generator

Secret key

Figure 17. The structure of private-key cryptosystem.

27

CHAPTER V

THE FINGERPRINT IDEN TIFICATION AND ENCRYPTION SYSTEM

Summaries of Modification This section focuses on the difference between the original and modified Fingerprint Identification and Encryption System (FIES). Tables 3, 4, and 5 summarize the different modification modes.

Table 3. Summary of Original and Modified Systems

ID#

Features

Original System

Modified System

F01 User Interface F02 Person Management F03 Fingerprint Data Enrollment F04 Fingerprint Data Verification F05 File Encryption F06 File Decryption F07 Matching Points and Password Change F08 About and Exit X - Feature available, no modification O - Feature was modification

X X X X X X X X

O O X X O O X X

28

Table 4. Description of Features in the Original System

Features Description Reference

User Interface

The original system uses two main user interfaces: the ID Management and Encryption/Decryption Management interface. ID Management menu includes the Person, Enroll 1:N Verify, 1:1 Verify, Setup, About, and Exit functions. When the user wants to login ID Management, he/she must input a correct password. ID Management is used to access users data such as ID, Name, and Level in the Person function. Users can add, modify, delete, and load users data. After adding or modifying a user, fingerprint data must be enrolled by using a fingerprint reader in the Enroll function. When a user enrolls fingerprint data, he/she can choose any finger to be scanned. The system will create a user fingerprint data file that uses the user ID for the files name. The user can verify the fingerprint data by comparing 1:N Verify or 1:1 Verify (1:N means to search all users database, 1:1 means one user that input ID to search this ID database). The Setup s function allows users to set the number of matching points (8, 10, 12, 14, 16, and 18) and to change a password (8 digits). The About function includes the information of the company. The Exit function just logs a user off the system. Encryption/Decryption Management is used to encrypt/decrypt files depending on loaded user data. User data cannot be changed while Encryption/Decryption Management interface is in use. Its menu includes Person, Encryption, Decryption, Minutia Threshold, About, and Exit functions. The Person function can only load user data form created through the ID Management interface. The Encryption function is used to encrypt a file. The Decryption function is used to decrypt a file. The Minutia Threshold function is used to set up the number of matching points. The About and Exit functions are the same as with the ID Management interface. There are three attributes of the Person Management feature. There are the ID, Name, and Leve l. The Level attribute is not used. Name and Level can be blank. The system saves data to a special file (user.inf).

F01

Person Management

F02

Fingerprint Data After creating user data, the user has to enroll fingerprint data Enrollment and save them to a file (Ex. User ID.aid)

F03

29

Fingerprint Data After a user enters his/her data, the user can use this system to Verification check prior availability of this data via 1:N Verify or 1:1 Verify. File Encryption The user can encrypt any type of file. (After file encryptio n, its size is almost the same with original file size), and you cannot change anything to decrypt file without using FIES. After file encryption, the FIES will create an encrypted file. The key for encryption combines the system time and a key that is 87654321.

F04

F05

File Decryption

Users will need data from the Person Management feature in order to decrypt a file. This means that everyone with data in Person Management feature can decrypt encrypted files. Matching Points User can set initial matching points (8, 10, 12, 14, 16, and 18) and Password and change their password (8 digits). Changed About and Exit The About function includes information on the company. The Exit function just logs off user from the system.

F06 F07

F08

Table 5. Descriptio n of Features in the Modified System

Features

Description

Reference

User Interface

The modified system uses only one main user interface called the Fingerprint Identification and Encryption System (FIES). The system menu includes the Person, Enroll 1:N Verify, 1:1 Verify, Encrypt, Decrypt, Setup, About, and Exit functions. When a user runs the FIES, the system requests a correct password to login. The system can be used to access users data such as ID, Name, and Group in the Person function. Users can add, modify, delete, and load users data. The Encrypt function can encrypt files individually or group. When the user chooses individual, he/she will be requested to load user data to encrypt a file; however, when the user chooses group, he/she needs to input a groups name to encrypt a file. The Decrypt function decrypts files after scanning and 30

F01

verifying a users fingerprint. Person Management All three attributes of Person Management - ID, Name, and Group - cannot be blank. When user data is loaded, the interface will display the users name. Encryption can either be for individual or for group. For individual, the user needs to select one person from Person Management list. For group, the user needs to input a groups name that exists in the Person Management list. After successful file encryption, the FIES will create two filesan encrypted file and a code file. The key for encryption combines the system time and a key that is 87654321. The system also automatically creates a code file. The code file is created by using the original file, user ID, and a private key that is 87654321. For a user to decrypt file, a fingerprint must be scanned and provided along with an encrypted file and a code file. Each user must have their code file. F02

File Encryption

F05

File Decryption

F06

31

User Interface After clicking the FIES icon, every time the user wants to log into FIES, the user has to input the correct password (Figure 18).

Figure 18. Password input dialog box. After inputting the correct password, the user can enter FIES. The interface is shown in Figure 19.

32

Figure 19. FIES interface screen shot. Person Management As the first step before using this system, the user must add user data into Person Management (Figure 20).

33

Figure 20. Person Manager interface screen.

There are three attributes of Person Management: ID, Name, and Group. All attributes must be filled in. None can remain blank. Then the ADD button is pressed. The system will save the data to a special file (user.inf). When a user loads user data, the interface will display all IDs, Names, and Groups. After adding a user, the user can modify or delete the user data at anytime. Moreover, the user should enroll his/her fingerprint quickly in order to create a user data file (ex. User ID.aid). One thing is very important: after modifying user data, the user has to enroll fingerprint data again (Figure 21). 34

Figure 21. Enroll procedure screen.

After adding or modifying a user, the user can load his/her data and enroll fingerprint data after pressing the Enroll button (Figure 22).

35

Figure 22. FIES interface screen shot showing user name.

36

Fingerprint Enrollment When the user presses the Enroll button, the Finger Position dialog will be displayed. The user should choose a finger to enroll fingerprint data (Figure 23).

Finger 23. Finger position dialog box.

37

After choosing a finger, the system will wait for the user to put his/her finger on the fingerprint reader (Figure 24).

Figure 24. Fingerprint reader screen.

38

When the fingerprint reader scans and reads the fingerprint data, the system interface will automatically display the fingerprint data in the center of the FIES interface. It is important to note that the extract minutia value of more than 30 is better because more matching points are easy to compare (Figure 25).

Figure 25. Fingerprint data display screen.

39

The user should scan their fingerprint data more than once in order to verify personal data. It is best to scan one finger more than three times (Figure 26).

Figure 26. Fingerprint data registration dialog screen.

After scanning all fingerprint data, the system will display a fingerprint enrollment completed message (Figure 27). After creating user data, the user has to enroll fingerprint data and save them to a file (Ex. User ID.aid).

40

Figure 27. Fingerprint Enrollment Completed dialog box.

Fingerprint Verification After a user has created his/her data, the user can use the system to check user availability. The user can verify the fingerprint data with the method of 1:N Verify or 1:1 Verify.

41

1:N Verify First, the user needs to press the 1 :N Verify button (Figure 28).

Figure 28. Screen shot showing the 1:N Verify tab.

Second, scan the finger to find and verify user data (Figure 29).

42

Figure 29. User verified dialog box.

1:1 Verify First, the user needs to press 1:1 Verify button and input ID Number (Figure 30).

43

Figure 30. Input ID Number dialog box.

Second, scan the finger to find and match the user data (Figure 31).

44

Figure 31. User verified dialog box.

45

File Encryption The user can encrypt any type of file (after file encryption, its size is almost the same as the original file size) and cannot change anything in order to decrypt files without using FIES. When encrypting files, a user can choose encryption for Individual or Group. For Individual, the user needs select one person from the Person Management list. For Group, the user needs to input the group name, which exists in the Person Management list. After file encryption, FIES will create two files: the encrypting file and the code file. The key for encryption combines the system time and a key that is 87654321. The system also automatically creates a code file. The code file is created by the original file, ID, and a key that is 87654321. Otherwise, if no person is created in the Person Management or no group name is inputted, file encryption will fail. Individual Encryption The user needs to press Encrypt button and then click Individual (Figure 32).

46

Figure 32. Encryption selection dialog box for Individual.

Select one user to encrypt a file (Figure 33).

47

Figure 33. Selecting one user.

After selecting and loading user data, the system will display the initial file name and path (Figure 34).

48

Figure 34. File name and path dialog box.

Set up the file name and path for file encryption (Figure 35).

Figure 35. Encryption set up dialog box.

49

The system will display a successful file encryption message (Figure 36).

Figure 36. Encryption success dialog box.

The user can find an encrypting file in the folder that is set up (Figure 37).

Figure 37. Encryption folder. The system will automatically create a code file for decrypting file (Figure 38).

50

Figure 38. Code file.

Group Encryption The user needs to press the Encrypt button and then click Group with a group name (Figure 39).

51

Figure 39. Encryption selection for a Group dialog box.

Set up the file name and path for file encryption (Figure 40).

52

Figure 40. Encryption setup dialog box.

The system will display a successful file encryption message (Figure 41).

Figure 41. Encryption success dialog box.

The user can find an encrypting file in the folder that you set up (Figure 42).

53

Figure 43. Encryption folder.

The system will automatically create code files for group members to decrypt file (Figure 43).

54

Figure 43. Code files for group members.

File Decryption If the user wants to decrypt files, he/she must scan their fingerprint and use the encrypting file and code file that the system created. Each user has their code file. First, the user should set up the file name and path for file decryption (Figure 44).

55

Figure 44. Setting up the file name and path for decryption.

The user should also set up a code file name and path (Figure 45).

Figure 45. Setting up a code file name and path dialog box.

Next, the user should browse and set up the code file location (Figure 46).

56

Figure 46. Setting up the code file location.

After set up the encrypting file and code file, the user should scan his/her fingerprint to the decrypt file (Figure 47).

57

Figure 47. Scanning the fingerprint screen shot.

The system will display a successful file decryption message (Figure 48).

Figure 48. Decryption Procedure Completed dialog box.

58

The user can put the decrypt file in the folder that he/she set up (F igure 49).

Figure 49. Decryption folder with file.

59

Set up The user needs to press Set up and then Matching points to change minimum matching points. Initial matching points are [8, 10, 12, 14, 16, and 18] (Figure 50).

Figure 50. Minimum match points screen.

60

The user needs to press Set up and then Password Change to change the password. Initial password is 99999999[8 digits] (Figure 51).

Figure 51. Password change dialog box.

61

About The information includes the system title, version, copyright, programmer, and technical support information (Figure 52).

Figure 52. About screen shot.

62

Exit The Exit function will save data, close files, delete unnecessary files, and log off the system.

Discussion and Future Work This fingerprint system contains the fingerprint identification and file encryption structure. However, this system does not require writing very large and complex code. A lot of time was spent searching and buying the right fingerprint reader and obtaining the copyright. After several discussions with the company (Leahsin Technologies, Inc.) that makes the fingerprint reader used in this project, an agreement was reach with the owner allowing use of their fingerprint reader source code as an education reference. In order to complete this system, the right software to write the source was needed. After several revisions, Visual C++ 6.0 Enterprise operating under the Windows 2000 Professional environment was selected for this purpose. Although the system developed for this project was satisfactory, there is room for improvement. For example, the User Interface can be designed to be more ascetically pleasing and 3D animation could be added. In the Person Management function, a programmer could add more attrib utes to identify the user. Currently, there are only User ID, Name, and Group. A programmer could add additional information such as the users address, telephone, e- mail etc. For the File Encryption and Decryption function, a programmer could use more complex cryptanalysis to protect important files and data. Choosing a better fingerprint reader will make fingerprint identification more accurate and reliable.

63

CHAPTER VI

SUMMARIES AND CONCLUSIONS

This project used the dialog-based MFC AppWizard [exe] o f Visual C++ 6.0 Enterprise version as the basis of the program. It is a great application that is very easy to use. Once the requirements of a program are understood, the programmer can build the system more quickly and easily make adjustments to it as ne eded. In addition, complex skills are not required to combine the program and user interface. The programmer may only need a simple procedure and then create a class for it. The centerpiece of the program is finger_rDlg.cpp that calls other dialog interfaces. The fingerprint data collected from the fingerprint reader and the fingerprint identification function library are both stored in the FingerTouch_ID100NT_lib.lib. At the start of running the program, a variable is declared and the system initialized. The user can then use the system. The user file (user.inf) is used to import and export the users data. Moreover the user has to enroll a fingerprint image to create an individual fingerprint data file. This project uses a fingerprint reader (SFP-100) produced by Leahsin Technologies Inc. It uses fingerprint characteristics to build the fingerprint database, which the user can then use to verify personal identification. It is important to use a file encryption system that uses two keys to encrypt files. One key is used with system time. Another key is a secure key 87654321, which also creates a code file synchronal and automatically. The code file is converted from the source file to a context file plus 87654321 and User ID. When the user wants to decrypt

64

a file, the user must have a code file and fingerprint scan. It is very important that the code file is indecipherable. It is not easy to protect data. Simple passwords cannot ensure data confidentiality. Biometric technology offers a more natural way o f securing data and systems without the need to constantly change and memorize passwords. This project used fingerprint identification as its biometric technique with private-key cryptosystem to establish a secure and flawless cryptosystem.

65

REFERENCES

[1]

U.S. Census Bureau. (2001, September). Home computers and Internet use in the United States: August 2000. Retrieved July 2003, from http://www.census.gov/prod/2001pubs/p23-207.pdf Whatis?com. (2003a). Firewall. Retrieved Sept. 24, 2003, from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212125,00.html Whatis?com. (2003b). Biometrics. Retrieved Sept. 24, 2003, from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211666,00.html Whatis?com. (2001). Cryptanalysis. Retrieved Sept. 24, 2003, from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214432,00.html SignalGuard. (2003a). What is encryption? Retrieved Sept. 24, 2003, from http://www.signalguard.com/encryption/encryption.htm SignalGuard. (2003b). Key management. Retrieved Sept. 24, 2003, from http://www.signalguard.com/encryption/publickey.htm NextWave Solutions. (2003). Biometric. Retrieved July 2003, from http://www.next-wave-solutions.com/biometrics.html EagleTec Peripheral, Inc. (2003). Eagle Tec fingerprint scanner PC card. Retrieved July 2003, from http://www.eagletec.net/login/pop.asp?id=467 International Business Machines (IBM). (2003) .Targus DEFCON authenticator USB fingerprint reader with USB hub. Retrieved July 2003, from http://www132.ibm.com/webapp/wcs/stores/servlet/ ProductDisplay?catalogId=-840&langId=1&partNumber=31P6762&storeId=1

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10] Lennard, C.J. & Patterson, R. (2003). History of fingerprinting, part 1 and part 2. Retrieved Sept. 24, 2003, from http://www.policensw.com/info/fingerprints/ finger01.html [11] Lin, C. (2001). Minutiae extraction from thermal fingerprint images. Unpublished masters thesis, Chung Yuan Christian University, Chung-Li, Taiwan, Republic of China. [12] Linton, S. (1995). Cryptology. Retrieved July 2003, from http://www-theory.dcs.stand.ac.uk/~sal/school/CS3010/Lectures/forhtml/node4.html

66

[13] RSA Security, Inc. (2003a). RSA-based cryptographic schemes. Retrieved July 2003, from http://www.rsasecurity.com/rsalabs/rsa_algorithm/index.html [14] RSA Security, Inc. (2003b). 3.2.1. What is DES? Retrieved July 2003, from http://www.rsasecurity.com/rsalabs/faq/3-2-1.html

67