Network Security: Protocols and Attacks

Chapter four discusses network security, focusing on the vulnerabilities of the TCP/IP protocol suite and various types of network attacks such as spoofing and phishing. It outlines mechanisms for achieving network security, including encryption, digital signatures, and access control, as well as the role of protocols like SSL and IPSec in securing communications. The chapter also covers email security, the functioning of PGP, and the establishment of secure connections through SSL and IPSec.


Chapter four: Network Security

• Network security focuses on:
  – attacks that use security holes of the network protocols, and their defense mechanisms.
• Applications, systems, and networks can be made secure through the use of security protocols, which provide a wide range of encryption and authentication services.
• Each security protocol is placed within one of several layers of a computing infrastructure, that is, the network, transport, or application layer.

TCP/IP Layering

(figure: the TCP/IP protocol stack)
  application layer: HTTP, FTP, DNS, SMTP, SNMP, …
  transport layer: TCP, UDP
  network layer: IP, ICMP, IGMP
  link layer: hardware interface, ARP, RARP

Figure credit: Levente Buttyán

Attacks on TCP/IP Networks

• The TCP/IP protocol suite was created in 1980 as an internetworking solution with very little concern for security aspects.
• The protocols are not designed to withstand attacks.
• The Internet is now used by all sorts of people.
• Attackers exploit vulnerabilities of every protocol to achieve their goals.

Network attacks

Spoofing attack: a situation in which one person or program successfully imitates another by falsifying data and thereby gains an illegitimate advantage.

• IP spoofing: putting a wrong IP address in the source IP address field of an IP packet.
• DNS spoofing: changing the DNS information so that it directs to the wrong machine.

Network attacks (cont'd)

URL spoofing/Webpage phishing

• This technique often directs users to enter detailed information at a fake website which appears almost identical to the legitimate one.
• Popular methods of phishing are:
  – sending a legitimate-looking email containing a link to the fake website.
  – registering a fake website with a misspelled URL of a popular website ([Link] or [Link]).

Achieving Network Security

The International Telecommunication Union (ITU) has defined certain mechanisms to bring standardization to achieving network security. These mechanisms are:
• Encipherment. This mechanism provides data confidentiality services by transforming data into forms that are not readable by unauthorized persons.
  – This mechanism uses an encryption-decryption algorithm with secret keys.
• Digital signatures. This mechanism is the electronic equivalent of ordinary signatures in electronic data.
  – It provides authenticity of the data.
• Access control. This mechanism is used to provide access control services.

E-mail Security

• The mail is sent to a mail server which is permanently available on the network. When the recipient's machine connects to the network, it reads the mail from the mail server.
• In general, the e-mail infrastructure consists of:
  – a mesh of mail servers, also termed Message Transfer Agents (MTAs), and
  – client machines running an e-mail program comprising a User Agent (UA) and a local MTA.
• Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs and finally reaches the UA on the recipient's machine.

E-mail Security (cont'd)

• The protocols used for e-mail are:
  – Simple Mail Transfer Protocol (SMTP): used for forwarding e-mail messages.
  – Post Office Protocol (POP) and Internet Message Access Protocol (IMAP): used by the recipient to retrieve the messages from the server.

MIME

• The basic Internet e-mail standard was written in 1982 and describes the format of e-mail messages exchanged on the Internet.
• It mainly supports e-mail messages written as text in the basic Roman alphabet.
• By 1992, an additional standard, Multipurpose Internet Mail Extensions (MIME), was defined.
  – MIME is a set of extensions to the basic Internet e-mail standard.
  – It provides the ability to send e-mail using characters other than those of the basic Roman alphabet.
  – Another need fulfilled by MIME is to send non-text content, such as images or video clips.
• Due to these features, the MIME standard became widely adopted with SMTP for e-mail communication.

Pretty Good Privacy (PGP)

• Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto standard for providing security services for e-mail communication.
• It uses public key cryptography, symmetric key cryptography, hash functions, and digital signatures. It provides:
  – Privacy
  – Sender authentication
  – Message integrity
  – Non-repudiation
• Along with these security services, it also provides data compression and key management support.
• PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., rather than inventing new ones.

Working of PGP

• First, a hash of the message is calculated (MD5 algorithm).
• The resulting 128-bit hash is signed using the private key of the sender (RSA algorithm).
• The digital signature is concatenated to the message, and the result is compressed.
• A 128-bit symmetric key, KS, is generated and used to encrypt the compressed message with IDEA.
• KS is encrypted using the public key of the recipient with the RSA algorithm, and the result is appended to the encrypted message.

Working of PGP (cont'd)

(figure: PGP message processing, not reproduced)

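The five steps above, carried through end to end as an added illustration that is not part of the slides. It uses only the Python standard library, so textbook RSA with freshly generated 512-bit keys and no padding stands in for PGP's RSA, a SHA-256 keystream XOR stands in for IDEA, and MD5 is used only because the slides specify it (modern OpenPGP uses SHA-2); the message and key sizes are constructed for the example.

```python
import hashlib
import math
import os
import random
import zlib

# Illustration only: textbook RSA (no padding) and a keystream XOR in place of
# IDEA, so that the sign -> concatenate -> compress -> encrypt -> wrap-key flow
# can be run without third-party libraries.
KEY_BYTES = 64      # a 512-bit RSA modulus fits in 64 bytes


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, adequate for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=256):
    """Return ((n, e), (n, d)) with a modulus of 2*bits bits."""
    def random_prime():
        while True:
            cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand
    p, q = random_prime(), random_prime()
    while q == p:
        q = random_prime()
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    if math.gcd(e, phi) != 1:
        return rsa_keygen(bits)
    return (n, e), (n, pow(e, -1, phi))


def keystream_xor(key, data):
    """IDEA stand-in: XOR with a SHA-256(key || block counter) keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def pgp_encrypt(message, sender_priv, recipient_pub):
    """Steps 1-5 from the slides; returns ciphertext || RSA-wrapped session key."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")      # 1: 128-bit hash
    signature = pow(digest, d_s, n_s).to_bytes(KEY_BYTES, "big")       # 2: sign with sender's private key
    compressed = zlib.compress(signature + message)                    # 3: concatenate, then compress
    ks = os.urandom(16)                                                # 4: fresh 128-bit session key KS
    body = keystream_xor(ks, compressed)                               #    encrypt the compressed data
    wrapped = pow(int.from_bytes(ks, "big"), e_r, n_r)                 # 5: KS under recipient's public key
    return body + wrapped.to_bytes(KEY_BYTES, "big")                   #    appended to the ciphertext


def pgp_decrypt(packet, recipient_priv, sender_pub):
    """Reverse the steps; return (message, signature_valid)."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    body, wrapped = packet[:-KEY_BYTES], packet[-KEY_BYTES:]
    ks = pow(int.from_bytes(wrapped, "big"), d_r, n_r).to_bytes(16, "big")
    plain = zlib.decompress(keystream_xor(ks, body))
    signature, message = plain[:KEY_BYTES], plain[KEY_BYTES:]
    expected = int.from_bytes(hashlib.md5(message).digest(), "big")
    return message, pow(int.from_bytes(signature, "big"), e_s, n_s) == expected


def demo():
    """Round-trip a constructed message between two freshly generated key pairs."""
    sender_pub, sender_priv = rsa_keygen()
    recipient_pub, recipient_priv = rsa_keygen()
    msg = b"Invoice attached. Please pay by Friday."
    return pgp_decrypt(pgp_encrypt(msg, sender_priv, recipient_pub), recipient_priv, sender_pub)
```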
Transport Layer attack

• TCP operates using synchronized connections, initiated with a 3-way handshake.
• The TCP SYN flood attack exploits the vulnerability at this stage of the TCP connection.
  – The attacker sends TCP SYN packets impersonating the IP address of an inactive host.
  – The target machine responds with a SYN acknowledgment and waits for the inactive host to respond.
  – However, instead of opening a session, the attacker continuously sends SYN requests; the victim's buffer is flooded and it cannot respond to other requests.

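Added example (not from the slides) of how a monitor detects the condition just described: it tracks SYNs that are never completed by the client's final ACK and alerts when a destination's half-open backlog, largely from distinct (spoofed) sources, passes a threshold. The packet sample is constructed.

```python
from collections import defaultdict

# Constructed sample of TCP control packets as seen by a passive monitor:
# (time_s, src_ip, src_port, dst_ip, dst_port, flags); S = SYN, SA = SYN/ACK,
# A = ACK, R = RST.
SAMPLE = [
    (0.0, "198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    (0.0, "192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    (0.1, "198.51.100.7", 40001, "192.0.2.10", 80, "A"),     # completed handshake
    (1.0, "203.0.113.1", 1025, "192.0.2.10", 80, "S"),        # six SYNs from six
    (1.1, "203.0.113.2", 1026, "192.0.2.10", 80, "S"),        # different sources,
    (1.2, "203.0.113.3", 1027, "192.0.2.10", 80, "S"),        # none ever acknowledged
    (1.3, "203.0.113.4", 1028, "192.0.2.10", 80, "S"),
    (1.4, "203.0.113.5", 1029, "192.0.2.10", 80, "S"),
    (1.5, "203.0.113.6", 1030, "192.0.2.10", 80, "S"),
    (2.0, "198.51.100.9", 40002, "192.0.2.10", 443, "S"),
    (2.1, "192.0.2.10", 443, "198.51.100.9", 40002, "SA"),
    (2.2, "198.51.100.9", 40002, "192.0.2.10", 443, "R"),    # aborted: not half-open
]


def half_open_connections(packets, now=None):
    """Return {dst_ip: [(src_ip, age_s), ...]} for SYNs never completed by an ACK or RST."""
    pending = {}
    for t, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = (t, src, dst)          # server has sent SYN/ACK and is waiting
        elif flags in ("A", "R"):
            pending.pop(key, None)                # handshake finished or torn down
            pending.pop((dst, dport, src, sport), None)   # RST may come from the server side
    last = now if now is not None else max(p[0] for p in packets)
    by_victim = defaultdict(list)
    for t, src, dst in pending.values():
        by_victim[dst].append((src, round(last - t, 1)))
    return dict(by_victim)


def syn_flood_alerts(packets, threshold=5):
    """Flag destinations whose half-open backlog reaches the threshold."""
    alerts = {}
    for dst, entries in half_open_connections(packets).items():
        if len(entries) >= threshold:
            alerts[dst] = {
                "half_open": len(entries),
                "distinct_sources": len({src for src, _ in entries}),   # many sources => likely spoofed
            }
    return alerts
```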
Philosophy of TLS Design

• Transport Layer Security (TLS) protocols operate above the TCP layer.
• The design of these protocols uses the popular Application Program Interface (API) to TCP, called "sockets", for interfacing with the TCP layer.
• Applications are now interfaced to the Transport Security Layer instead of TCP directly.
• The Transport Security Layer provides a simple API with

Secure Socket Layer (SSL)

• The SSL protocol (Secure Socket Layer) was developed by Netscape to allow client/server applications to communicate safely.
• It is a transport layer security service.
• It uses TCP to provide a reliable end-to-end service.

Architecture of SSL

• The SSL protocol is designed to interwork between the application and transport layers, as shown in the following image (figure not reproduced).

Architecture of SSL (cont'd)

• SSL itself is not a single-layer protocol; in fact it is composed of two sub-layers.
• The lower sub-layer comprises one component of the SSL protocol, called the SSL Record Protocol. This component provides integrity and confidentiality services.
• The upper sub-layer comprises three SSL-related protocol components and an application protocol.
• The three SSL-related protocol components are:
  – SSL Handshake Protocol
  – Change Cipher Spec Protocol
  – Alert Protocol

Functions of SSL Protocol Components

The four sub-components of the SSL protocol handle various tasks for secure communication between the client machine and the server.

• Record Protocol
  – The record layer formats the upper-layer protocol messages.
  – It fragments the data into manageable blocks (max length 16 KB). It optionally compresses the data.
  – It encrypts the data.
  – It provides a header for each message and a hash (Message Authentication Code, MAC) at the end.
  – It hands over the formatted blocks to the TCP layer for transmission.

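An added example, not part of the slides, of the record-layer steps: fragmentation at 16 KB, a MAC appended to each fragment, the 5-byte header in front, and the receiver's check that produces the bad_record_mac alert. It uses the TLS 1.0 MAC layout (sequence number, type, version, length, fragment) with a NULL cipher, as in the *_WITH_NULL_SHA suites, so only the integrity half is shown; the MAC key is constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # the 16 KB record payload limit from the slides
TYPE_APPLICATION_DATA = 23
VERSION = (3, 1)                # TLS 1.0 on the wire; SSL 3.0 would be (3, 0)


class RecordLayer:
    """One direction of the record protocol: fragment, MAC, frame on send;
    parse and verify on receive. NULL cipher, so the payload is not encrypted."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.write_seq = 0          # implicit 64-bit sequence numbers, one per record
        self.read_seq = 0

    def _mac(self, seq, ctype, fragment):
        # TLS 1.0 MAC input: seq_num || type || version || length || fragment
        header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()

    def send(self, data, ctype=TYPE_APPLICATION_DATA):
        """Split data into records of at most MAX_FRAGMENT bytes, each with its own MAC."""
        records = []
        for off in range(0, len(data), MAX_FRAGMENT):
            fragment = data[off:off + MAX_FRAGMENT]
            body = fragment + self._mac(self.write_seq, ctype, fragment)   # MAC appended
            header = struct.pack("!BBBH", ctype, *VERSION, len(body))     # type, version, length
            records.append(header + body)
            self.write_seq += 1
        return records

    def receive(self, record):
        """Return (content_type, fragment) or raise ValueError named after the alert."""
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if (major, minor) != VERSION or len(body) != length or length < 20:
            raise ValueError("decode_error")
        fragment, tag = body[:-20], body[-20:]
        if not hmac.compare_digest(tag, self._mac(self.read_seq, ctype, fragment)):
            raise ValueError("bad_record_mac")   # tampered, replayed or reordered record
        self.read_seq += 1
        return ctype, fragment


def outcome(receiver, record):
    """Fragment on success, otherwise the alert the receiver would send."""
    try:
        return receiver.receive(record)[1]
    except ValueError as exc:
        return str(exc)


def demo():
    """Send 16 KB + 100 bytes (two records), reassemble, then replay the first record."""
    key = b"constructed-mac-write-secret"
    sender, receiver = RecordLayer(key), RecordLayer(key)
    payload = b"A" * (MAX_FRAGMENT + 100)
    records = sender.send(payload)
    received = b"".join(outcome(receiver, r) for r in records)
    # The sequence number inside the MAC makes a replayed record fail verification.
    return len(records), received == payload, outcome(receiver, records[0])
```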
Functions of SSL Protocol Components (cont'd)

SSL Handshake Protocol

• It is invoked before any application data is transmitted.
• It creates SSL sessions between the client and the server.
• Establishment of a session involves server authentication, key and algorithm negotiation, establishing keys, and client authentication (optional).
• A session is identified by a unique set of cryptographic security parameters.
• Multiple secure TCP connections between a client and a server can share the same session.
• The Handshake Protocol proceeds through four phases.

Functions of SSL Protocols (cont'd)

Change Cipher Spec Protocol

• The simplest part of the SSL protocol. It comprises a single message exchanged between the two communicating entities, the client and the server.
• As each entity sends the Change Cipher Spec message, it changes its side of the connection into the secure state as agreed upon.
• The pending cipher parameter state is copied into the current state.
• Exchange of this message indicates that all future data exchanges are encrypted and integrity protected.

Functions of SSL Protocols (cont'd)

SSL Alert Protocol

• This protocol is used to report errors, such as an unexpected message, a bad record MAC, failed negotiation of security parameters, etc.
• It is also used for other purposes, such as notifying closure of the TCP connection, or notifying receipt of a bad or unknown certificate.

Establishment of SSL Session

• There are four phases of SSL session establishment.
• These are mainly handled by the SSL Handshake Protocol.
• Phase 1: Establishing security capabilities.

Establishing security capabilities (cont'd)

• This phase comprises the exchange of two messages: Client_hello and Server_hello.
• Client_hello contains the list of cryptographic algorithms supported by the client, in decreasing order of preference.
• Server_hello contains the selected Cipher Specification (CipherSpec) and a new session_id.
• The CipherSpec contains fields like:
  – Cipher algorithm (DES, 3DES, RC2, and RC4)
  – MAC algorithm (based on MD5, SHA-1)
  – Public-key algorithm (RSA)

Phase 2: Server authentication and key exchange

• The server sends its certificate.
• Client software comes configured with the public keys of various "trusted" organizations (CAs) to check the certificate.
• The server may request a client certificate.
• The server indicates the end of Server_hello.

Phase 3: Client authentication and key exchange

• The client sends its certificate, only if requested by the server.
• It also sends the Pre-master Secret (PMS) encrypted with the server's public key.
• The client also sends a Certificate_verify message if it sent a certificate, to prove it has the private key associated with this certificate. Basically, the client signs a hash of the previous messages.

Phase 4: Finish

• The client and server send Change_cipher_spec messages to each other to cause the pending cipher state to be copied into the current state.
• From now on, all data is encrypted and integrity protected.

Secure Browsing - HTTPS

• The Hyper Text Transfer Protocol (HTTP) is used for web browsing.
• The function of HTTPS is similar to HTTP.
• The only difference is that HTTPS provides "secure" web browsing.
• HTTPS stands for HTTP over SSL.
• The HTTPS protocol is used to provide an encrypted and authenticated connection between the web browser and

Network layer security

• Network layer security controls have been used frequently for securing communications, particularly over shared networks such as the Internet.
• They can provide protection for many applications at once without modifying them.
• Most protocols remained focused on the higher layers of the protocol stack, to compensate for the inherent lack of security in the standard Internet Protocol.
• For example, SSL was developed specifically to secure applications like HTTP or FTP.
• But there are several other applications which also need secure communications.

Features of IPsec

• IPsec is not designed to work only with TCP as a transport layer security protocol. It works with UDP as well as any other protocol above IP, such as ICMP, OSPF, etc.
• IPsec protects the entire packet presented to the IP layer, including higher-layer headers.
• It works from one network entity to another network entity, not from application process to application process.
• Security at the network layer can be adopted without requiring changes to individual user computers/applications.

Network Layer: IP security (IPSec)

• IP security (IPSec) is a capability that can be added to the Internet Protocol (IPv4 or IPv6) by means of additional headers.
• An enterprise can run a secure, private TCP/IP network by:
  – disallowing links to untrusted sites,
  – encrypting packets that leave the organization, and
  – authenticating packets that enter the organization.
• By implementing security at the IP level, an organization can ensure secure networking.

Network Layer: IP security (IPSec)

• IP-level security encompasses three functional areas: authentication, confidentiality, and key management.
• The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header.
• The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
• The key management facility is concerned with the secure exchange of keys.

Network Layer: IP security (IPSec)

• IPSec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session.
• Applications of IPSec:
  – Secure branch office connectivity over the Internet
  – Secure remote access over the Internet
  – Establishing intranet connectivity with partners
  – Enhancing electronic commerce security

Network Layer: IP security (IPSec)

Benefits of IPSec
• When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the border.
• Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.
  – There is no need to change software on a user or server system when IPSec is implemented in the firewall or router.

The two protocols of IPsec

• There are two security protocols defined by IPsec: Authentication Header (AH) and Encapsulating Security Payload (ESP).
• IP-level authentication is provided by inserting an Authentication Header (AH) into the packets.
• IP-level confidentiality is provided by inserting an Encapsulating Security Payload (ESP) header into the packets.
  – An ESP header can also do the job of the AH header by providing authentication in addition to confidentiality.

IPSec - Security Associations (SA)

An SA is a one-way relationship between a sender and a receiver that provides security services (authentication and confidentiality).
• An SA is uniquely identified by:
  – Security Parameters Index (SPI), carried in the enclosed extension header of AH or ESP.
    – The SPI is a random number generated by the sender to identify the SA to the recipient.
  – IP destination address: it can be the IP address of an end router.
  – Security protocol identifier: this indicates whether the association is an AH or ESP security association.

Network Layer: IP security (IPSec)

Services
• Connectionless integrity
  – Ensuring the data has not been read/modified en route.
• Data origin authentication
  – Identifying who sent the data.
• Rejection of replayed packets
  – Detecting packets received more than once, to help protect against DoS.
• Confidentiality (encryption)
  – Encryption of user data for privacy.
• Access control
  – Gives access privileges to end users (done by

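An added example, not from the slides, tying the SA identification triple (SPI, destination address, security protocol) to the "rejection of replayed packets" service: inbound packets are looked up in a constructed SA database and checked against the 64-packet anti-replay sliding window of RFC 4303. SPIs, addresses and sequence numbers are constructed.

```python
WINDOW = 64            # anti-replay window width in packets (RFC 4303 minimum is 32)
AH, ESP = 51, 50       # IP protocol numbers used as the Security Protocol Identifier


class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (top - i) already received

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old'; state is updated only on accept."""
        if seq == 0:
            return 'too_old'                      # 0 is never a valid on-the-wire value
        mask = (1 << self.size) - 1
        if seq > self.top:                        # new high-water mark: slide window right
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return 'accept'
        offset = self.top - seq
        if offset >= self.size:
            return 'too_old'                      # falls left of the window: discard
        bit = 1 << offset
        if self.bitmap & bit:
            return 'replay'                       # duplicate inside the window: discard, audit
        self.bitmap |= bit
        return 'accept'


def make_sadb():
    """Constructed inbound SA database keyed by (SPI, destination address, protocol)."""
    return {
        (0x1001, "192.0.2.1", ESP): ReplayWindow(),
        (0x2002, "192.0.2.1", AH): ReplayWindow(),
    }


def process_inbound(sadb, packets):
    """packets: (spi, dst_ip, proto, seq). Returns one decision per packet, in order."""
    decisions = []
    for spi, dst, proto, seq in packets:
        sa = sadb.get((spi, dst, proto))
        decisions.append(sa.check(seq) if sa else 'no_sa')   # unknown SA: drop and log
    return decisions


# Constructed inbound stream: mostly ESP SA 0x1001, one unknown SPI, one AH packet.
PACKETS = [
    (0x1001, "192.0.2.1", ESP, 1),
    (0x1001, "192.0.2.1", ESP, 2),
    (0x1001, "192.0.2.1", ESP, 3),
    (0x1001, "192.0.2.1", ESP, 2),      # duplicate of an accepted packet
    (0x9999, "192.0.2.1", ESP, 1),      # no matching SA
    (0x1001, "192.0.2.1", ESP, 70),     # jump ahead: window slides
    (0x1001, "192.0.2.1", ESP, 5),      # now 65 behind the top: outside the window
    (0x1001, "192.0.2.1", ESP, 100),
    (0x1001, "192.0.2.1", ESP, 99),     # late but inside the window and unseen
    (0x1001, "192.0.2.1", ESP, 70),     # replay inside the window
    (0x1001, "192.0.2.1", ESP, 36),     # exactly 64 behind: outside the window
    (0x2002, "192.0.2.1", AH, 1),
]


def demo():
    return process_inbound(make_sadb(), PACKETS)
```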
Two communication modes of IPSec

• Transport Mode:
  – The protocol protects the message passed down to IP from the transport layer.
  – The message is processed by AH/ESP and the appropriate headers are added in front of the transport header.
  – The IP header is then added in front of that by IP.
• Tunnel Mode:
  – IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.
  – The IPsec header appears in front of the original IP header, and then a new IP header is added in front of

CHAPTER 5

Security mechanisms

Overview of Firewall

• A firewall is a router or other communications device which filters access to a protected network.
• A firewall is also a program that screens all incoming traffic and protects the network from unwelcome intruders.
• It is a means of protecting a local system or network of systems from network-based security threats:
  – while affording access to the outside world via WANs or the Internet.

Overview of Firewall (cont'd)

Firewall Objectives

 Keep intruders, malicious code and unwanted traffic or information out.
 Keep private and sensitive information in.

(figure: a security wall placed between the private (protected) network holding private data and the external network, blocking external attacks from the outside world)

Overview of Firewall (cont'd)

• Firewalls can be designed to operate at any of the following three layers in the TCP/IP protocol stack:
  – The application layer (e.g., HTTP proxy)
  – The network and transport layer (e.g., packet filtering)
  – The layer between the application layer and the transport layer (e.g., SOCKS proxy)

Types of Firewalls

• Packet Filtering Firewalls
• Circuit-Level Gateway
• Proxy Server Firewalls

Packet Filtering Firewalls/Routers

• A packet filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
  – A filtering firewall works at the network level.
• The router is typically configured to filter packets going in both directions (from and to the internal network).
• Filtering rules are based on information contained in a network packet:
  – Source IP address: the IP address of the system that originated the IP packet (e.g., [Link])
  – Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., [Link])
  – Source and destination port address: the transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
• Packet filtering is generally accomplished using Access

Packet Filtering Firewalls (cont'd)

• Packet-filtering Router
• Many network routers have the ability to perform some firewall services.
• Filtering firewalls can be thought of as a type of router.

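An added example, not from the slides, of a packet filter evaluating an ordered rule set over the fields listed above (direction, protocol, source and destination address, destination port) with first-match semantics and a default deny. The first rule also shows how such a filter counters the IP spoofing from earlier in the chapter: a packet arriving from outside with an internal source address is discarded. Addresses, rules and packets are constructed.

```python
import ipaddress

# Rule fields: action, direction, protocol, source net, destination net, dst port.
# '*' matches anything. The first matching rule wins; unmatched packets are dropped.
RULES = [
    # anti-spoofing: traffic arriving from outside must not claim an internal source
    ("deny",  "in",  "*",   "192.0.2.0/24", "*",             "*"),
    ("allow", "in",  "tcp", "*",            "192.0.2.10/32", 25),     # SMTP to the mail gateway
    ("allow", "in",  "tcp", "*",            "192.0.2.10/32", 443),    # HTTPS to the same host
    ("deny",  "in",  "tcp", "*",            "*",             23),     # no inbound TELNET
    ("allow", "out", "*",   "192.0.2.0/24", "*",             "*"),    # internal hosts may go out
]


def _match(pattern, value):
    """Exact match for direction, protocol and port, with '*' as wildcard."""
    return pattern == "*" or value == pattern


def _in_net(pattern, ip):
    """Address match against a CIDR prefix, with '*' as wildcard."""
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def filter_packet(rules, direction, proto, src, dst, dport):
    """Return (action, rule_index); rule_index is None when the default deny applies."""
    for idx, (action, r_dir, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if (_match(r_dir, direction) and _match(r_proto, proto)
                and _in_net(r_src, src) and _in_net(r_dst, dst)
                and _match(r_port, dport)):
            return action, idx
    return "deny", None


# Constructed packets: (direction, protocol, src ip, dst ip, dst port)
PACKETS = [
    ("in",  "tcp", "203.0.113.5", "192.0.2.10",  25),    # legitimate inbound SMTP
    ("in",  "tcp", "192.0.2.77",  "192.0.2.10",  25),    # internal source seen on the outside
    ("in",  "tcp", "203.0.113.5", "192.0.2.20",  23),    # TELNET attempt
    ("in",  "udp", "203.0.113.5", "192.0.2.10",  161),   # SNMP: no rule allows it in
    ("out", "tcp", "192.0.2.33",  "203.0.113.9", 80),    # outbound web request
]


def apply_policy(rules=RULES, packets=PACKETS):
    """Evaluate every packet and return the list of (action, rule_index) decisions."""
    return [filter_packet(rules, *pkt) for pkt in packets]
```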
Overview of Proxy Server

• A proxy server is a computer program that acts as an intermediary between a web browser and a web server.
  – It gives users rapid access to popular web destinations.
• Internet Service Providers use proxy servers as "holding bins" to store frequently requested pages,
  – rather than going out and fetching them repeatedly from the Net (e.g., [Link]).
• A proxy server is also used to control and monitor outbound and inbound traffic.

Firewalls - Application Level Gateway (or Proxy)

 Proxy services
  – An application that mediates traffic between a protected network and the Internet.
  – Able to understand the application protocol being utilized and implement protocol-specific security.
  – Protocols include: FTP, HTTP, Telnet, etc.
  – They decide based on TCP/IP information, e.g. source and destination ports and IP addresses.
  – They decide based on the content of the message, e.g. do not forward any message containing VB executables or ActiveX components.

Web caches (proxy server)

Goal: satisfy the client request without involving the origin server.

• The user sets the browser to make Web accesses via the cache.
• The browser sends all HTTP requests to the cache:
  – if the object is in the cache, the cache returns that object;
  – else the cache requests the object from the origin server, then returns the object to the client.

(figure: clients send HTTP requests to the proxy server, which forwards HTTP requests to the origin server and relays the HTTP responses back to the clients)

Web caching (cont'd)

• The cache acts as both client and server.
• Typically the cache is installed by an ISP (university, company, residential ISP).

Why Web caching?
• Reduce response time for client requests.
• Reduce traffic on an institution's access link.
• Reduce the cost of using the access link.

How Proxy Servers Work

• They function as software, forwarding data between internal and external hosts.
• They focus on the port each service uses:
  – Screen all traffic into and out of each port.
  – Decide whether to block or allow traffic based on rules.

Steps Involved in a Proxy Transaction

1. The internal host makes a request to access a Web site.
2. The request goes to the proxy server, which examines the header and data of the packet against its rule base.
3. The proxy server recreates the packet in its entirety with a different source IP address.
4. The proxy server sends the packet to the destination; the packet appears to come from the proxy server.
5. The returned packet is sent to the proxy server, which inspects it again and compares it against its rule base.
6. The proxy server rebuilds the returned packet and sends it to the originating computer; the packet appears to come from the external host.

Goals of Proxy Servers

• Conceal internal clients
• Block URLs
• Block and filter content
• Protect e-mail proxy
• Improve performance
• Ensure security
• Provide user authentication
• Redirect URLs

Circuit-Level Gateway

• SOCKS refers to a circuit-level gateway.
• It is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability.
• The client connects to the SOCKS server at the firewall.
  – Then the client enters a negotiation for the authentication method to be used, and authenticates with the chosen method.

Circuit-Level Gateway (cont'd)

• The client sends a connection relay request to the SOCKS server, containing the desired destination IP address and transport port.
• The server accepts the request after checking that the client meets the basic filtering criteria.
• Then, on behalf of the client, the gateway opens a connection to the requested untrusted host and closely monitors the TCP handshaking that follows.
• The SOCKS server informs the client and, in case of success, starts relaying the data between the two connections.
• Circuit level gateways are used when the organization trusts the internal

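An added example, not from the slides, of the gateway side of the two exchanges just described, using the SOCKS5 wire format of RFC 1928: the method negotiation, then the CONNECT relay request (destination address and port) checked against the gateway's filtering criteria before a reply is built. The allowed-port ruleset, bind address and client helper are constructed; opening the outbound TCP connection itself is left out.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07


class SocksGateway:
    """Server side of SOCKS5 method negotiation and CONNECT request handling."""

    def __init__(self, allowed_dst_ports):
        self.allowed_dst_ports = allowed_dst_ports   # the 'basic filtering criteria' (constructed)

    def negotiate_method(self, greeting):
        """Client: VER NMETHODS METHODS...  ->  server: VER METHOD."""
        ver, nmethods = greeting[0], greeting[1]
        methods = greeting[2:2 + nmethods]
        if ver != SOCKS_VERSION or len(methods) != nmethods:
            raise ValueError("malformed greeting")
        # Prefer username/password when the client offers it; fall back to no-auth.
        for preferred in (METHOD_USERPASS, METHOD_NO_AUTH):
            if preferred in methods:
                return bytes([SOCKS_VERSION, preferred])
        return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])   # client must close

    def parse_request(self, request):
        """Client: VER CMD RSV ATYP DST.ADDR DST.PORT  ->  (cmd, host, port)."""
        ver, cmd, rsv, atyp = request[:4]
        if ver != SOCKS_VERSION or rsv != 0:
            raise ValueError("malformed request")
        if atyp == ATYP_IPV4:
            host, rest = str(ipaddress.IPv4Address(request[4:8])), request[8:]
        elif atyp == ATYP_IPV6:
            host, rest = str(ipaddress.IPv6Address(request[4:20])), request[20:]
        elif atyp == ATYP_DOMAIN:
            n = request[4]
            host, rest = request[5:5 + n].decode("ascii"), request[5 + n:]
        else:
            raise ValueError("unknown address type")
        if len(rest) != 2:
            raise ValueError("malformed request")
        return cmd, host, struct.unpack("!H", rest)[0]

    def handle_request(self, request):
        """Apply the ruleset; return ((rep, host, port), reply_bytes)."""
        cmd, host, port = self.parse_request(request)
        if cmd != CMD_CONNECT:
            rep = REP_CMD_NOT_SUPPORTED
        elif port not in self.allowed_dst_ports:
            rep = REP_NOT_ALLOWED          # 'connection not allowed by ruleset'
        else:
            rep = REP_SUCCEEDED            # here the gateway would open the outbound connection
        # Reply: VER REP RSV ATYP BND.ADDR BND.PORT (constructed bind address of the gateway)
        bound = ipaddress.IPv4Address("192.0.2.1").packed + struct.pack("!H", 40000)
        return (rep, host, port), bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bound


def connect_request(host, port):
    """Constructed client helper: build a CONNECT request for an IPv4 literal or a domain name."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)
```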
IDS/IPS

• It is a network security program that looks for harmful activity on a network or system.
• The main functions of an IDS/IPS are detecting malicious behavior, collecting information about it, reporting it, and trying to block or stop it.
• Intrusion prevention systems and intrusion detection systems both monitor network traffic and system operations for malicious behavior.
• An IDS is a 'visibility' tool, whereas an IPS is considered a 'control' tool.

Types of IDS

 Signature-based IDS

• It needs a database of known attacks with their signatures.
• A signature is defined by the types and order of packets characterizing a particular attack.
• The limitation of this type of IDS is that only known attacks can be detected. This IDS can also throw up a false alarm.
• A false alarm can occur when a normal packet stream matches the signature of an attack.
• A well-known public open-source IDS example is the "Snort" IDS.

Types of IDS (cont'd)

 Anomaly-based IDS

• This type of IDS creates a traffic pattern of normal network operation.
• During IDS mode, it looks for traffic patterns that are statistically unusual.
• Detection of any unusual traffic pattern generates the alarm.
• The major challenge faced in this type of IDS deployment is the difficulty in distinguishing between normal traffic and unusual traffic.

Virtual Private Network (VPN)

• It allows you to connect your computer to a private network, creating an encrypted connection that masks your IP address to securely share data.
• A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network.
• The encrypted connection helps ensure that sensitive data is safely transmitted.
• It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.

VPN connection figure

(figure not reproduced)

Chapter 6

Biometric technology and Access control

Biometric System

• Biometrics is a technology used to identify, analyze, and measure an individual's physical and behavioral characteristics.
• Each human being is unique in terms of characteristics, which make him or her different from all others.
• Physical attributes such as fingerprints, color of iris, color of hair, and hand geometry, and behavioral characteristics such as tone and accent of speech, signature, or the way of typing keys on a computer keyboard, etc., make a person stand apart from the rest.

Introduction to Biometrics (cont'd)

• The uniqueness of a person is then used by biometric systems to:
  – Identify and verify a person.
  – Authenticate a person to give appropriate rights of system operations.
  – Keep the system safe from unethical handling.

Basic Components of a Biometric System

(figure not reproduced)

Input Interface (Sensors)

• It is the sensing component of a biometric system that converts human biological data into digital form.
• For example:
  – handprint recognition
  – iris/retinal recognition systems
  – an optical sensor in the case of fingerprint systems
  – a microphone in the case of voice recognition systems

Processing Unit

• A computer that processes the data captured from the sensors.
• The processing of the biometric sample involves:
  – Sample image enhancement
  – Sample image normalization
  – Feature extraction
  – Comparison of the biometric sample with all stored samples in the database

Database Store

• The database stores the enrolled sample, which is recalled to perform a match at the time of authentication.
• For identification, the store can be any memory, from Random Access Memory (RAM) to a data server.
• For verification, a removable storage element like a contact or contactless smart card is used.

Output Interface

• The output interface communicates the decision of the biometric system to enable access for the user.
• The output interface can be:
  – GUI (Graphical User Interface): touchscreens, kiosks, login panels.
  – Access control systems: physical outputs like unlocking doors.
  – Mobile apps: for user feedback in fingerprint/face recognition systems.

General Working of a Biometric System

• There are four general steps a biometric system takes to perform identification and verification:
  1. Acquire a live sample from the candidate (using sensors).
  2. Extract prominent features from the sample (using the processing unit).
  3. Compare the live sample with samples stored in the database (using algorithms).
  4. Present the decision (accept or reject the candidate).

General Working of a Biometric System (cont'd)

• The biometric sample is acquired from the candidate user.
• The prominent features are extracted from the sample, and it is then compared with all the samples stored in the database.
• When the input sample matches one of the samples in the database, the biometric system allows the person to access the resources; otherwise it prohibits access.

General Working of a Biometric System (cont'd)

(figure not reproduced)

Biometrics Terminology

• Biometric Template: a digital reference of the distinct characteristics that are extracted from a biometric sample.
• Candidate/Subject: a person who enters his or her biometric sample.
• Closed-Set Identification: the person is known to exist in the database.
• Enrollment: when a candidate uses a biometric system for the first time, it records the basic information such as name, address, etc. and then records the candidate's biometric trait.

Biometrics Terminology (cont'd)

• False Acceptance Rate (FAR): the measure of the possibility that a biometric system will incorrectly identify an unauthorized user as a valid user.
• False Reject Rate (FRR): the measure of the possibility that the biometric system will incorrectly reject an authorized user as an invalid user.
• Task: when the biometric system searches the database for a matching sample.

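An added example, not from the slides, that computes FAR and FRR from match scores at a given decision threshold and sweeps the threshold to find where the two rates cross, which is the trade-off an operator tunes: raising the threshold lowers FAR at the cost of FRR. The genuine and impostor score sets are constructed.

```python
# Constructed match scores in [0, 1]: higher means the live sample is closer to the template.
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.60, 0.95, 0.70, 0.85]    # authorized users vs their own templates
IMPOSTOR = [0.10, 0.35, 0.62, 0.20, 0.45, 0.30, 0.55, 0.15]   # other people vs those templates


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold. Return (FAR, FRR) as fractions."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors wrongly accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)      # genuine users wrongly rejected
    return far, frr


def equal_error_rate(genuine, impostor):
    """Try every observed score as the threshold; return (threshold, FAR, FRR) where |FAR - FRR| is smallest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def tradeoff_table(genuine=GENUINE, impostor=IMPOSTOR, thresholds=(0.5, 0.65, 0.8)):
    """FAR/FRR at a few operating points, to see the rates move in opposite directions."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}
```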
Application Areas of Biometrics

• There are a number of applications where biometric systems are useful. A few of them are given below:
  – Controlling workplace access.
  – Applying access control to sensitive information and systems.
  – Identifying criminals by forensics.
  – Executing online e-commerce transactions.
  – Fraud and theft reduction.

Biometrics Modalities

• A biometric modality is a category of biometric system depending upon the type of human trait it takes as input.
• Biometrics is largely statistical.
• The more data available from the sample, the more the system is likely to be unique and reliable.
• The modalities are classified based on the person's biological traits.

Types of Biometric Modalities

• There are various traits present in humans which can be used as biometric modalities.
• The biometric modalities fall under three types:
  1. Physiological
  2. Behavioral
  3. Combination of physiological and behavioral modality

Physiological Modalities

• The physiological modalities are based on the direct measurement of parts of the human body such as iris, fingerprint, shape and position of fingers, etc.
• There are some physical traits which remain unaltered throughout a person's life.
• They can be an excellent resource for identification of an individual.

Fingerprint Recognition System

• It is the best known and most used biometric solution to authenticate people on biometric systems.
• Every person has a unique fingerprint, which is composed of ridges, grooves, and the direction of the lines.
• There are three basic patterns of ridges, namely arch, loop, and whorl. The uniqueness of a fingerprint is determined

Facial Recognition System

• Facial recognition is based on determining the shape and size of the jaw, chin, the shape and location of the eyes, eyebrows, nose, lips, and cheekbones.
• 2D facial scanners start reading the face geometry and recording it on the grid.
• The facial geometry is transferred to the database in terms of points.
• The comparison algorithms perform face matching and come up with the results.

Facial Recognition System (cont'd)

Facial recognition is performed in the following ways:

• Facial metrics: in this type, the distances between pupils or from nose to lip or chin are measured.
• Skin texture analysis: the unique lines, patterns, and spots apparent in a person's skin are located.

Iris Recognition System

• Iris recognition works on the basis of the iris pattern in the human eye.
• In adult humans, the texture of the iris is stable throughout their lives.
• The iris patterns and colors change from person to person.
• It involves taking a picture of the iris with a capable camera, storing it, and comparing it with the candidate's eyes using mathematical algorithms.

Hand Geometry Recognition System

• It includes measuring the length and width of the palm, surface area, length and position of fingers, and overall bone structure of the hand.
• A hand is placed on a scanner's surface. This placement is positioned by five pins, which guide the candidate's hand to position correctly for the camera.

BEHAVIORAL MODALITIES
Gait Recognition
• Gait is the manner of a person's walking.
• Gait recognition is based on analyzing video images of the candidate's walk.
• A sample of the candidate's walk cycle is recorded on video.
• The sample is then analyzed for the position of joints such as the knees and ankles, and the angles made between them while walking.
• A mathematical model is created for every candidate and stored in the database.
• At the time of verification, this model is compared with a live sample of the candidate's walk to determine his or her identity.

BEHAVIORAL MODALITIES …
Signature Recognition System
• In this case, more emphasis is given to the behavioral patterns in which the signature is signed than to the way the signature looks graphically.
• The behavioral patterns include changes in the timing of writing, pauses, pressure, direction of strokes, and speed during the course of signing.
• The technology consists of a pen and a specialized writing tablet, both connected to a computer for template comparison and verification.
• A high-quality tablet can capture behavioral traits such as speed, pressure, and timing while signing.

Signature Recognition System…
• During the enrollment phase, the candidate must sign on the writing tablet multiple times for data acquisition.
• The signature recognition algorithm then extracts the unique features, such as timing, pressure, speed, direction of strokes, important points on the path of the signature, and the size of the signature.
• The algorithm assigns different weights to those features.
• At the time of identification, the candidate provides a live sample of the signature, which is compared with the signatures in the database.

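The enrollment-then-compare flow described on the two signature slides, as an added example that is not code from the original slides or from any particular product. The feature names, their weights, the acceptance threshold and every sample value are constructed for illustration; a real tablet driver would supply the measurements. The example shows why the dynamics matter: a forgery traced from a printed copy reproduces the geometry of the signature but not its timing, pauses or pressure, and the weighted comparison rejects it.

```python
"""Weighted feature matching for a dynamic signature template (added example).

Feature names, weights, threshold and sample values are constructed.
"""
import math
from statistics import mean, pstdev

# Behavioural features captured by the tablet during signing (constructed).
FEATURES = ("duration_s", "pause_count", "mean_pressure",
            "mean_speed", "stroke_dir_deg", "width_mm")

# Weights assigned to the features: timing and pressure cannot be copied
# from a static image of the signature, so they weigh more than geometry.
WEIGHTS = {"duration_s": 2.0, "pause_count": 1.5, "mean_pressure": 2.0,
           "mean_speed": 1.5, "stroke_dir_deg": 1.0, "width_mm": 0.5}

# Five enrollment signatures from the same candidate (constructed values).
ENROLLMENT = [
    {"duration_s": 2.1, "pause_count": 2, "mean_pressure": 0.62, "mean_speed": 48.0, "stroke_dir_deg": 31.0, "width_mm": 54.0},
    {"duration_s": 2.3, "pause_count": 2, "mean_pressure": 0.60, "mean_speed": 45.0, "stroke_dir_deg": 33.0, "width_mm": 56.0},
    {"duration_s": 2.0, "pause_count": 3, "mean_pressure": 0.65, "mean_speed": 50.0, "stroke_dir_deg": 30.0, "width_mm": 53.0},
    {"duration_s": 2.2, "pause_count": 2, "mean_pressure": 0.61, "mean_speed": 47.0, "stroke_dir_deg": 32.0, "width_mm": 55.0},
    {"duration_s": 2.1, "pause_count": 2, "mean_pressure": 0.63, "mean_speed": 46.0, "stroke_dir_deg": 31.0, "width_mm": 54.0},
]


def enroll(samples):
    """Build the stored template: per-feature mean and spread over the samples.

    The spread is floored at 5 % of the mean so a feature that happened to be
    identical in every enrollment sample does not make any deviation infinite.
    """
    template = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        mu = mean(values)
        sigma = max(pstdev(values), 0.05 * abs(mu), 1e-6)
        template[f] = (mu, sigma)
    return template


def match_score(template, live):
    """Weighted root-mean-square of the per-feature deviations, in spreads."""
    total = 0.0
    for f in FEATURES:
        mu, sigma = template[f]
        z = (live[f] - mu) / sigma
        total += WEIGHTS[f] * z * z
    return math.sqrt(total / sum(WEIGHTS.values()))


def verify(template, live, threshold=2.0):
    """Accept when the live signature lies within `threshold` spreads of the template."""
    score = match_score(template, live)
    return score <= threshold, score


# A later genuine signature and a forgery traced from a printed copy
# (constructed): the forgery matches the geometry but not the dynamics.
GENUINE = {"duration_s": 2.2, "pause_count": 2, "mean_pressure": 0.62, "mean_speed": 47.0, "stroke_dir_deg": 32.0, "width_mm": 55.0}
FORGERY = {"duration_s": 5.8, "pause_count": 6, "mean_pressure": 0.40, "mean_speed": 18.0, "stroke_dir_deg": 31.0, "width_mm": 54.0}

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for label, sample in (("genuine", GENUINE), ("forgery", FORGERY)):
        accepted, score = verify(template, sample)
        print(f"{label}: score={score:.2f} accepted={accepted}")
```

The threshold is the tuning knob of every biometric verifier: lowering it rejects more forgeries but also more genuine signatures made on a bad day, raising it does the opposite, and the enrollment samples have to be collected under the same conditions as later verifications or the spread in the template will be too narrow.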
VOICE RECOGNITION
• The voice recognition biometric modality is a combination of both physiological and behavioral modalities.
• Voice recognition is sound recognition. It relies on features influenced by:
  ⁻ Physiological Component: the physical shape, size, and health of a person's vocal cords, lips, teeth, tongue, and mouth cavity.
  ⁻ Behavioral Component: the emotional state of the person while speaking, accent, tone, etc.

VOICE RECOGNITION…
• Voice recognition is also called speaker recognition: it establishes who is speaking, as opposed to speech recognition, which transcribes what is said.
• At the time of enrollment, the user needs to speak a word or phrase into a microphone.
  ⁻ This is necessary to acquire a speech sample of the candidate.
• The electrical signal from the microphone is converted into a digital signal by an analog-to-digital converter (ADC) and recorded in the computer's memory as a digitized sample.
• The computer then compares the candidate's live voice with the stored digitized sample and identifies the candidate.
• Because the sample is only audio, a recording of the enrolled phrase can be replayed to the microphone; systems that prompt a different phrase on each attempt reduce that risk.

Access control
• Access control in computer security refers to the method of regulating who (or what) can view or use resources in a computing environment.
• It ensures that only authorized users or systems can access specific data, applications, systems, or networks, and it prevents unauthorized access.

Discretionary Access Control (DAC)
• With DAC, the owner of a resource decides who has access to it: the owner of the company decides how many people have access to a specific location, just as the owner of a file decides who may read it.
• Every time a keycard is swiped, a PIN is entered, or a fingerprint is scanned, the system checks the credential against the list and either allows or denies access, based on the previously set allowances.
• Each access control point has a list of authorized users.
• DAC systems are considered the most flexible and offer the highest number of allowances compared to other types of access control.
• Because it is the most flexible, it is also not as secure as some other types, especially mandatory access control systems.
• Since the owner has total control over the permissions of his or her resource, he or she might grant access to someone who shouldn't have it, and any program running with the owner's privileges (including malware) can do the same.

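The owner-administered list from the DAC slide, as an added example (not code from the original slides). The users, the resource name and the door-controller framing are constructed. The point the example makes is the one the slide makes: only the owner can change the list, and nothing in the model stops the owner from adding someone who should not be there.

```python
"""Discretionary access control: each resource owner keeps its own list of
authorised principals (added example; names and resources are constructed).
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    owner: str
    acl: set = field(default_factory=set)  # principals allowed through


class DacSystem:
    def __init__(self):
        self.resources = {}

    def create(self, owner, name):
        """Whoever creates a resource owns it, and the owner is always on its list."""
        self.resources[name] = Resource(name, owner, {owner})

    def grant(self, actor, name, principal):
        """Only the owner may add to the list; that discretion is what defines DAC."""
        res = self.resources[name]
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {name}")
        res.acl.add(principal)

    def revoke(self, actor, name, principal):
        res = self.resources[name]
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {name}")
        res.acl.discard(principal)

    def check(self, principal, name):
        """What the reader at the door does when a card, PIN or fingerprint is presented."""
        return principal in self.resources[name].acl


def demo():
    """Walk through a grant, a refused grant, and the owner's-mistake weakness."""
    dac = DacSystem()
    dac.create("alice", "server_room")
    dac.grant("alice", "server_room", "bob")
    result = {"bob_enters": dac.check("bob", "server_room"),
              "carol_enters": dac.check("carol", "server_room")}
    try:  # carol is not the owner, so she cannot put herself on the list
        dac.grant("carol", "server_room", "carol")
        result["carol_self_grant"] = "allowed"
    except PermissionError:
        result["carol_self_grant"] = "refused"
    # The weakness the slide points out: nothing stops the owner from
    # granting access to someone who should not have it.
    dac.grant("alice", "server_room", "visitor")
    result["visitor_enters"] = dac.check("visitor", "server_room")
    dac.revoke("alice", "server_room", "visitor")
    result["visitor_after_revoke"] = dac.check("visitor", "server_room")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a Unix file system the same model is what chmod and chown implement, and `grant` is the call a piece of malware running as alice would make; that is the concrete reason DAC is rated below MAC on the next slide.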
Mandatory Access Control (MAC)
• Mandatory access control (MAC) systems are the most secure type of access control.
• All the access control settings are preset by the system administrator and cannot be changed or removed without his or her permission.
• A MAC system works by classifying all users (clearances) and all resources (classifications) and granting access according to the system's policy, not the resource owner's wishes.
• If you have 150 employees, you will need 150 user clearances set up in the system.
• Mandatory access control systems are the strictest and most secure type of access control, but they are also the most inflexible.
• To change permissions, the administrator has to reprogram the specific user's access, not just the security list at the entry point.

Role-Based Access Control (RBAC)
• Role-based access control is quickly becoming the most popular type of access control.
• The system works by assigning permissions to a job role (title) and then assigning users to roles.
• It cuts down the time required to set up or change user access.
• For example, if you have 20 salespeople, two managers, and three accountants, you do not have to create 25 individual security profiles in the system; three role profiles suffice.
• Windows and Linux environments use something similar by creating 'groups'.
• Each group has its own file permissions, and each user is assigned to groups based on his or her work role.

Rule-Based Access Control
• Rule-based access control changes permissions based on a specific set of rules created by the administrator.
• For example, if your business closes at 5 p.m., there is no need for anyone to have access to your main office, even managers, after closing.
• With rule-based access control, you can set a rule to deny access to everyone after that time.
• Rules can be created for any occasion, and they are typically applied on top of another model: a role must grant the permission, and the rules then restrict when it may be used.
