
An analysis of remote biometric authentication with windows


Material Information

Title:
An analysis of remote biometric authentication with windows
Physical Description:
Book
Language:
English
Creator:
Eyers, Brandy Marie
Publisher:
University of South Florida
Place of Publication:
Tampa, Fla
Publication Date:

Subjects

Subjects / Keywords:
Active Directory
Computer
Kerberos
Multi-factor
Security
Dissertations, Academic -- Computer Science -- Masters -- USF   ( lcsh )
Genre:
bibliography   ( marcgt )
non-fiction   ( marcgt )

Notes

Abstract:
ABSTRACT: One thing that everyone seems to be worried about when it comes to his or her computer is security. If your computer is not secure then private information could be stolen. Many people now use passwords to protect themselves though they are discovering that using multi-factor authentication is much more secure. It allows you to use multiple different proofs of who you are. Biometrics is one of the ways to prove identity. Using it, you could log into a system with just a fingerprint, which is something that is very difficult to steal. We present a suite of software tools that allows you to log into a network using multi-factor authentication. This thesis describes our design of a multi-factor authentication solution, the problems we encountered realizing this design, and Microsoft's own biometric system.
Thesis:
Thesis (M.S.C.S.)--University of South Florida, 2011.
Bibliography:
Includes bibliographical references.
System Details:
Mode of access: World Wide Web.
System Details:
System requirements: World Wide Web browser and PDF reader.
Statement of Responsibility:
by Brandy Marie Eyers.
General Note:
Title from PDF of title page.
General Note:
Document formatted into pages; contains 42 pages.

Record Information

Source Institution:
University of South Florida Library
Holding Location:
University of South Florida
Rights Management:
All applicable rights reserved by the source institution and holding location.
Resource Identifier:
usfldc doi - E14-SFE0004882
usfldc handle - e14.4882
System ID:
SFS0028141:00001




Full Text

An Analysis of Remote Biometric Authentication with Windows

by Brandy Marie Eyers

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Science, Department of Computer Science and Engineering, College of Engineering, University of South Florida

Major Professor: Jay Ligatti, Ph.D.
Adriana Iamnitchi, Ph.D.
Lawrence Hall, Ph.D.

Date of Approval: March 23, 2011

Keywords: Multi-Factor, Computer, Active Directory, Kerberos, Programming, Security

Copyright © 2011, Brandy Marie Eyers

ACKNOWLEDGEMENTS

I would like to thank Charles B Bradley II for all his help on getting this project started and his continued help throughout it. I would also like to thank Glenn R Kaufman for all his help with the technical side of things, such as getting the computers and virtual machines up and running. This work was part of the USF-Raytheon project "Avatar DNA using Biometrics and User Access Controls." It was funded in part by Raytheon Company with matching funds from the Florida High Tech Corridor program.

TABLE OF CONTENTS

LIST OF FIGURES ii
ABSTRACT iii
CHAPTER 1 INTRODUCTION 1
1.1 Related Work 4
1.2 Outline 7
CHAPTER 2 INITIAL DESIGN 8
2.1 Introduction 8
2.2 Enrollment 10
2.2.1 The Application 11
2.2.2 Storage 12
2.3 Credential Provider 14
2.4 Kerberos Interactive Unlock Logon 15
2.5 Proxy 16
2.6 Summary 16
CHAPTER 3 CHALLENGES WITH THE INITIAL DESIGN 18
3.1 Introduction 18
3.2 Enrollment/Credential Provider 19
3.3 Extending the KIUL 20
3.4 The Proxy 21
3.5 Summary 21
CHAPTER 4 WINDOWS BIOMETRIC FRAMEWORK 23
4.1 Introduction 23
4.2 What WBF Does 25
4.3 Initial Design Vs WBF 27
4.4 How WBF Works 28
4.5 Issues 30
4.6 Summary 31
CHAPTER 5 CONCLUSION 33
LIST OF REFERENCES 36

LIST OF FIGURES

Figure 2.1 This shows you an example of storing a fingerprint template in a partition. 9
Figure 2.2 The early enrollment application opened up this Upek SDK, which was what took the fingerprint template. 12
Figure 4.1 This is an outline of how Microsoft has structured WBF. 28


CHAPTER 1
INTRODUCTION

There are many forms of authentication in this day and age; you can prove who you are in many ways. There are three main types of authentication: something you know, something you have, and something you are. Examples of these forms are a password you know, a smart card you have, and your own fingerprint. Most systems need only one form of verification to allow you to log on, and that is usually just a username with a password. It has become increasingly popular for the other two forms to be used, and some industries are looking into using multiple ways to verify yourself. This is known as multi-factor authentication. As you add more ways to authenticate, the security gets stronger. Some of these ways to gain access are more secure than others. You could figure out someone's password or possibly steal a smart card, yet when it comes to biometrics it gets difficult to impersonate someone else. You can't easily steal someone's fingerprint. It is possible, but that would require fingers being cut off or capturing the data as it's sent to be verified, and at that point you know that someone is after the account. In 2005 this actually happened when some thieves cut off a man's index finger so they could start and steal his Mercedes-Benz [1].

Many new computers now come with biometric readers, allowing you to log on with just a swipe of your finger. More and more large companies are now asking whether it is possible for their users to log on with more than just a password. For most big companies, when you log on to your workstation at the office, the logon goes to a remote repository to check who you are instead of storing the data locally on the computer, as is done on personal computers. The question arises whether you can store more than just your username and password in a remote repository. We found that RFID values can already be stored in a repository. Can you store your smart card value? What about biometric information? When we first started this project, all applications on the market still stored the templates for fingerprints on the local machine, or on the reader itself if it plugs in via USB. If this problem can be addressed, think about what you could then do with it. Greater security can be achieved within large companies, and not just on a single workstation, because it would now require a fingerprint to get onto the network. This means that someone could not hack just any user's account, because a fingerprint would now be required no matter where they were logging on from.

In this thesis we will take a look at our original solution to the biometric problem and how we hoped to integrate it with Active Directory, a remote repository which can control a network's members, servers, workstations, and everyone in the company that accesses those resources. Many questions and problems arise when looking at this. In short, this system can store a user's fingerprint, and eventually other biometric data, and then use it to log them in over a network connection using various security measures.

First an enrollment would be needed to register biometric data to the system, but we stumbled upon an issue. We found there were two different ways to store the user's information in Active Directory. Out of the two, which would be the most secure? One was a simple attribute which would be stored with the rest of a user's information. The second choice was a completely separate partition of the database to which the enrollment application could transfer the biometric data. We will also discuss how Active Directory is set up as well as our implementation of the enrollment.

Next is the actual login over the network. There are two different functions that we must adjust so that the system can authenticate properly. We have to first extend the Credential Provider, which is the login screen you see when you start up a computer, to allow the capturing of a fingerprint. We were glad to find that the fingerprint device we were using came with an application that could capture templates. An authentication blob called Kerberos Interactive Unlock Logon, KIUL, gets sent out by the Credential Provider once a user wants to submit their password. This KIUL must be extended to allow the fingerprint template to be taken along for authentication. Second, we have to intercept the KIUL with a proxy before it reaches the Local Security Authority, LSA, which cannot handle the biometric matching. Our proxy will be able to do this 1-to-1 matching, and if the templates match then the password will be sent to the LSA for verification. The results would get sent back to the Credential Provider and allow the user onto the workstation or deny them.

We had high hopes for this solution to work, but as we ran into problems we decided to discuss them with Microsoft. We found that the SDK from Upek, the maker of the fingerprint device we were using, did not make the template in a form that enabled its use as we proposed, and therefore we would have to rewrite the Enrollment [2]. These templates also were too large to be stored properly, and Active Directory could not accept that file type for storage. As the discussions with Microsoft went on we found that the KIUL could not be extended. We also found out that the Proxy would not be able to handle the template matching either.

There was good news from all of this, though. Microsoft told us that their newest operating systems, Windows 7 and Server 2008 R2, would be able to accomplish something similar to what we had hoped to do. The Windows Biometric Framework, WBF, was the answer. It would be able to make templates and store them in a database. The framework would also be able to retrieve a template, match it against a new one, and do verification the way we envisioned. It was now possible to log in to a computer over a network with just a fingerprint.

Perhaps one of the best ideas driving WBF was that almost all fingerprint devices would work with it. Companies would have to program a new driver to work with it, but this allowed devices to be interchangeable. This also meant that separate SDKs and programs from these device companies were no longer needed. Microsoft put out their own support for applications to be used with this framework. Although they did not release any finished applications, programmers can now create applications that can do anything from enrolling a template to verifying a user.

It was evident that a lot of work went into WBF. As we will see, it could handle many of the ideas we had about our own application, but Microsoft was able to take it to another level. They did not have to use existing hardware or software because they had the resources to implement their own. There are three core pieces to the framework: storage, retrieval, and matching of templates. Microsoft also developed an API that allowed for the creation of custom applications that would fulfill anything a company may want to use WBF for. This API also allowed administrators a way to maintain a system of this size.

We did find there were things that may have been left out or could have been improved when compared to the ideas for our own system. The overall idea was the same: to allow an extra layer of security when it came to authentication. We had hoped to take it a step further and allow for a more multi-factor approach. Microsoft does indicate that WBF will be able to handle other types of biometrics at a later date. Other types of authentication, like RFID cards, could be added as well. It may also be of interest to Microsoft to pre-code applications that many large companies may be able to use instead of hoping they will just program their own.

1.1 Related Work

There is quite a lot of information available on the idea of authentication and on the multi-factor level as well. Also there are already applications that can log someone onto a computer, yet they aren't exactly the same as what was proposed or found here. We were also able to find a lot of resources on how all the database pieces worked.

While researching we found quite a few applications already implemented that intended to do a similar thing. One was the BioCert Intelligent Identity Manager. Their program can do a single authentication or even a multi-factor one. What differs is that even though they support many different types of verification, you can only choose one [3]. The application that we were working on would have eventually been able to plug in different authentication types and use any number of them at once. Most of the others that we found were similar to this. The other three applications, Biometric Network Logon 2007 R2 by Griaule Biometrics, Biometric Computer Logon by Bayometric Inc., and IDenium BioLink, can all only handle biometrics and/or a password and username [4, 5, 6]. What separates all of these existing applications is how they handle the biometrics. Their sites state they work with Active Directory, yet only the username and password are actually stored there. The biometrics are all handled locally on the machine or the biometric device and not in Active Directory like ours. Sadly none of these implementations have any formal papers or write-ups.

Though there is not much literature on using biometrics over a network or proxies, there are many ideas about multi-factor authentication that include biometrics. One of these papers is "Comparing Passwords, Tokens, and Biometrics for User Authentication" by O'Gorman [7]. This paper is very helpful because it has many definitions of things that have to do with authentication. It shows that we don't need to rely mainly on passwords. The three types of security, knowledge-based, object-based, and ID-based, are all discussed and examples are included. The author also goes into the detail of pros and cons and then compares the types. There is also a section on attacks.

Another paper, "Privacy Preserving Multi-Factor Authentication with Biometrics," by Bertino et al., paints a great picture of how security works with biometrics [8]. It includes how the fingerprint template is obtained and stored and an outline of the entire system. The authors propose a different system from what is normally used, which is comprised of two steps. The first takes a fingerprint and uses an algorithm on it which takes four steps, creating what they call a key. The second is the use of a Zero Knowledge Proof to do the actual authentication against the key made earlier.

The next paper, "Ensuring Privacy of Biometric Factors in Multi-Factor Authentication Systems" by Argles et al., is similar to the last as it primarily looks at biometrics in a multi-factor environment [9]. It differs from the last because it focuses on how a program can keep biometric information secret during the authentication process. One thing that had to be kept in mind for this paper is that it is dealing with just a fingerprint and not a template, which is more secure to use since it's not the actual print. The approach first proposes to keep the fingerprint in a separate place, not local, like on a thumb drive. The paper then proposes a few functions, like hashing, which could be used on the print before storing.

The last of the related literature contains many of the resources that hold the key to understanding how the system worked in the end. One of the first pieces that we had to understand was how Kerberos worked. Kerberos is "a network authentication protocol"; it was created by MIT and was integrated into Windows security [10]. TechNet had a great quick overview of the normal setup. Perhaps the most helpful source was the MIT website on Kerberos, which has all kinds of information and a list of more papers. A user first asks the Key Distribution Center for a ticket that allows them to get other tickets, the ticket-granting ticket. The reply comes back encrypted under a key derived from the user's password, so the user must decrypt it to recover the session key; the ticket-granting ticket inside it is encrypted for the KDC itself and is simply presented back. With it the user requests what is called a Service Ticket, which allows them to get authenticated by the server. Kerberos is what is sent to Active Directory with the user's information that is to be authenticated [11].

The next item that needed to be understood was the setup of Active Directory. Both TechNet and MSDN have a good amount of information on all of its inner workings [12, 13]. In short, the Schema is like a forest, full of trees, or classes. Classes can be comprised of many branches, or attributes. The other part of Active Directory that is important is the Lightweight Directory Services (LDS). The LDS is basically a separate partition that is used by applications, such as ours. It is set up similarly to Active Directory, like a forest. The last concept from Microsoft that we had to understand was that the LSA is how a user can log on to a single workstation or to one over a network.

One final piece of information that needed to be researched was how Upek handled storing their fingerprints. It's done with a template and normally stored straight onto their reader. This template is stored in another structure called Passport, which is binary data [14, 2].

1.2 Outline

This thesis is organized as follows: Chapter 2 discusses the application we started to implement, from the enrollment to the proxy. Chapter 3 looks at all of the issues we had with our application. Chapter 4 discusses Microsoft's Windows Biometric Framework, which is their own implementation. In Chapter 5 we conclude with our findings and what we discovered about Microsoft's own framework.
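The three-step exchange sketched in the Related Work paragraph on Kerberos, written out with both sides' messages as an added example; this is not code from the thesis, from MIT Kerberos or from Windows. The model keeps only the ticket structure (AS exchange with pre-authentication, TGS exchange, AP request to the service) and replaces the real encryption types and ASN.1 messages with an HMAC-SHA256 keystream plus a MAC so that it runs with the standard library alone. Realm, principal names and passwords below are constructed.

```python
"""Toy Kerberos round trip: AS-REQ/REP, TGS-REQ/REP, AP-REQ (illustration only)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for AES in this model."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Plays the role of Kerberos EncryptedData."""
    data = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Reject anything not produced under this key: wrong password, forged or tampered ticket."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from a password and a salt (realm + principal here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)


class KDC:
    """Authentication Service and Ticket-Granting Service in one; knows every principal's key."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in principals.items()}

    def as_exchange(self, client: str, pa_enc_timestamp: bytes) -> bytes:
        # Pre-authentication: the client proves it knows its key before anything encrypted
        # under that key is handed out (without it, the reply could be guessed at offline).
        ts = open_sealed(self.keys[client], pa_enc_timestamp)["ts"]
        if abs(time.time() - ts) > 300:
            raise PermissionError("clock skew too large")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "skey": session, "exp": time.time() + 600})
        return seal(self.keys[client], {"skey": session, "tgt": tgt.hex()})   # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        body = open_sealed(self.keys["krbtgt"], tgt)            # only the KDC can open a TGT
        auth = open_sealed(bytes.fromhex(body["skey"]), authenticator)
        if auth["client"] != body["client"] or body["exp"] < time.time():
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": body["client"], "skey": svc_session})
        return seal(bytes.fromhex(body["skey"]), {"skey": svc_session, "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side: AS-REQ for a TGT, TGS-REQ for a service ticket, then build the AP-REQ."""
    user_key = string_to_key(password, kdc.realm + user)
    pa = seal(user_key, {"ts": time.time()})
    as_rep = open_sealed(user_key, kdc.as_exchange(user, pa))   # decrypted with the user's key
    tgt_key, tgt = bytes.fromhex(as_rep["skey"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = open_sealed(tgt_key, kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user}), service))
    svc_key, ticket = bytes.fromhex(tgs_rep["skey"]), bytes.fromhex(tgs_rep["ticket"])
    return ticket, seal(svc_key, {"client": user, "ts": time.time()})   # AP-REQ pieces


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Service side: open the ticket with its own long-term key, then check the authenticator."""
    body = open_sealed(service_key, ticket)
    auth = open_sealed(bytes.fromhex(body["skey"]), authenticator)
    return auth["client"] == body["client"]


def ticket_opens_with(key: bytes, ticket: bytes) -> bool:
    """True only for the key of the service the ticket was issued for."""
    try:
        open_sealed(key, ticket)
        return True
    except ValueError:
        return False


def login_succeeds(kdc: KDC, user: str, password: str, service: str) -> bool:
    """Full round trip; False when any step rejects (wrong password fails at pre-auth)."""
    try:
        ticket, ap_req = client_login(kdc, user, password, service)
        return service_accept(kdc.keys[service], ticket, ap_req)
    except (ValueError, PermissionError, KeyError):
        return False
```

The point to notice is which key opens which message: the user's password-derived key opens only the AS reply, the krbtgt key opens only the TGT, and the service's key opens only its own ticket; a credential provider that only collects a username and password never sees the tickets at all, which is why the thesis had to look elsewhere for a place to carry a fingerprint.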

CHAPTER 2
INITIAL DESIGN

2.1 Introduction

In this chapter, we discuss the initial solution we came up with to the biometric problem that we discussed in the previous chapter; this was based purely on ideas for Windows Vista. We originally planned to do this by integrating biometrics with Active Directory, a Lightweight Directory Access Protocol (LDAP) repository. Active Directory is part of the Windows Server Domain Controller functionality, which is what handles the security between users and the domain. Active Directory is able to manage members, servers, workstations and other functions of a company's network. We proposed a system that could store a user's fingerprint and then use it to log them in over a network connection through various security measures. Figure 2.1 presents an overview of the system we will propose.

The first part to be handled is the actual enrollment of a user's biometric data. Here is where we came across the first problem. Within Active Directory we could store this information in two ways. Though both would have worked, we had to figure out which of the ways was the best; the most secure. The first way is by storing the fingerprint in an attribute within the user's class of information. The second is in a separate partition of the database. Figure 2.1 shows an example of the second storage type, where the enrollment application can send the information to the partition where it will be stored. The entire implementation of the enrollment and how Active Directory is set up will also be discussed.

Figure 2.1. This shows you an example of storing a fingerprint template in a partition. The partition sits in the Domain Controller where both the enrollment application and the credential provider can access it. The proxy is also located here and has access to the partition as well. [15]

Now that we have the fingerprint stored, we have to figure out how to log in over the network. Two things need to be done here in order to authenticate properly. First we have to change the login to the machine. This was known as GINA; the name was changed to Credential Provider in Vista, Windows 7, Server 2008, and beyond. The Credential Provider needs to be extended to allow the capturing of a fingerprint. Luckily, it is easy to get a fingerprint reader's SDK (software development kit) working with it. The Credential Provider sends out an authentication blob called a KIUL to the LSA. We must figure out how to extend it to also carry the biometric information. This KIUL would also be used to eventually send other types of biometric data.

Lastly we have to intercept this KIUL with a custom module, or proxy, since the LSA can't handle the biometric comparison. This proxy will do the 1-to-1 matching using the fingerprint reader's template. If the information checks out, it will then send off the password to the LSA for the final piece of verification. This entire process will then return the result: whether the user passed the verification or not. As shown in Figure 2.1, the proxy will be able to access the partition itself, prior to forwarding the login information to the LSA.

2.2 Enrollment

To understand how the enrollment process will work, you have to know how Active Directory is set up. Active Directory is Microsoft's solution to managing a computer network. It is really an LDAP repository that has a specific purpose: it provides Domain Services to a network. A large company could use it to control its employees' access to certain computers. It also contains many pieces of information about each user. Active Directory is split into three parts: the domain, which contains objects like users and computers; the schema, which contains the classes and their attributes; and the configuration, which holds information on services and other partitions [16]. The main part we needed to focus on was the schema part of Active Directory. The schema is where the definition for an object can be found: where it is stored, what it is connected to, and what type it is. It itself is broken up into different parts, and the two we want to concentrate on are classes and attributes. Classes are comprised of grouped attributes and any related information. An example of a class is the User class, which is where all of the attributes of a user are stored, like their name, password, address, etc. Each attribute has a single type, or syntax as they call it [17].

2.2.1 The Application

Part of the actual enrollment is quite simple. The User class already exists in Active Directory along with many attributes where you could store information about someone. Within the User class it is easy to create a new user; all you need to put in at first is a username and a password. An administrator can easily add new accounts as needed. All our enrollment requires is that the user we wish to register is already in the system.

Now all we need to do is enroll this user's fingerprint so they can later log in to the system using it. The user will have to be physically present for this part. It is all done on the computer where the server's Active Directory is located. This enrollment can also be done on a workstation that is set up to handle this process, where the Registration Authority has the application and Active Directory privileges. Our implementation was a C# graphical user interface that reads in a username and password; Figure 2.2 shows an example of the GUI. The password is needed because even though the administrator or Registration Authority has access to Active Directory directly, you wouldn't want them to be able to store their own fingerprint under another user's account. The application works by first having the user click the 'Grab' button, which opens another window, the Upek SDK in our case, and prompts for a fingerprint. Once the user is satisfied with how their print looks, they would enter their username and password and hit Submit in the application screen. The application will grab the template from the Upek part and send it using .NET code. This first makes sure the username and password are correct and will then save the fingerprint template in Active Directory. There would also be a third button, Verify, which would allow the user to input another swipe of the same finger; that swipe would then be retrieved and matched against the one that is now on the server. This verification would be the last step, and would ensure that the stored print is a good copy and can allow for a correct match.

Figure 2.2. The early enrollment application opened up this Upek SDK, which was what took the fingerprint template. The application would verify that the username and password are correct and then store the template in the partition.

After reading further into how the Upek reader works, we ran into some problems. This Grab program only takes a snapshot of the fingerprint: an image. It doesn't make the binary template that we want to store in Active Directory. Luckily, the Upek class has functions that can create these templates. If this design were to work, the other class from Upek's SDK would be swapped in for Grab to properly get this template, and it would work similarly to how we initially planned.

2.2.2 Storage

Now that we have the fingerprint, we need to store the template in Active Directory. The reader we were using is from Upek and doesn't store the image of a fingerprint, which would be very unsafe. Instead, it stores a template that is made by running the image through an algorithm. After talking with Upek directly, they were able to tell us that this template information is binary [14]. We read through Active Directory's information and found that there are three attribute syntaxes that are of the binary type: String(Octet), String(Sid), and Object(DN-Binary). The last one can be eliminated since we do not need a distinguished name (the DN part). The other two share the same object-model syntax (oMSyntax 4, an octet string) but carry distinct attributeSyntax identifiers (2.5.5.10 and 2.5.5.17), and String(Sid) is reserved for security identifiers, so we went with String(Octet). We now have a syntax type and must find a place to store it. After some investigation we determined that we had two options.

The first type of storage is what Active Directory calls an attribute. In short, all we would need to do is create an attribute of the String(Octet) syntax and then add it to the user class. This would be the simplest way to go, but there is a problem with doing it this way. There isn't any security specific to the template when it is done this way, because it is just another attribute on the user object: whoever holds write access to that object could store anything they wanted there, like their own fingerprint.

The other way is using Active Directory Lightweight Directory Services (AD LDS), or Active Directory Application Mode (ADAM) as it was formerly called in Server 2003. It is an LDAP directory like Active Directory but does not need domains, and you can run more than one instance separately. These are separate partitions that are used by applications that don't want to deal with using Active Directory but still need to store things on the server. This would allow us to create one of these partitions for the entire application that could store the fingerprint, other biometrics, RFID, and others. AD LDS can work with Active Directory as well. The user's information can still be kept in the main user class. Active Directory would know that the user class had additional information in an LDS instance because there would still be attributes in Active Directory as well as in the LDS. When it would get a request for those attributes, it would send it to the LDS to be handled [18]. What is great about this option is that only the allowed applications can get to the data that is stored here.

Either way would work; it's a matter of deciding which is the best one to use in the end. Before we came to a stop with this, we were testing both ways to see which would work the best. We knew that going the partition route would have been the best because only this application and the proxy can access it. The attribute would still be tested to see what kind of security it had as well.

2.3 Credential Provider

The next step is to set up the Credential Provider, which was previously known as Graphical Identification and Authentication (GINA). Microsoft changed the name from GINA to Credential Providers with Windows Vista. This is the screen that you see when you turn on your computer, where you log in. The normal setup asks for a username, or to select one, and then for the password. Most machines are set up to do the authentication locally on the machine. Here is where we needed to add in the other factors to authenticate a user, such as our fingerprint reader.

We had to implement our own custom Credential Provider. The Upek reader we were using came with both the drivers and the SDK, which were downloaded to the machine. Microsoft has a few sample Credential Providers online that we downloaded and tested. To get the reader working, we were able to copy the code that would grab the image from the reader and then integrate the functions into the Credential Provider. In short, this is similar to when we grabbed the template to store data in Active Directory. Doing this would make the reader's own grab application open up along with the prompt for a user's password and username. This grab code would have later been changed out to use the SDK that created the template and not just show the image. Now that we had it all coded, it needed to be loaded properly. The Credential Provider needed to be registered within the workstation, and then the DLL needs to be copied to the windows/system32 folder. The DLL and graphics for the reader also had to be moved there. Once this is done, and after the machine is turned off and then back on, this new version of the login will be the one that you see. The Credential Provider is what sends the user's information (username, password, biometrics) to Active Directory by KIUL, which will be handled in the following section.

2.4 Kerberos Interactive Unlock Logon

Now that we have the user's information from the Credential Provider, we must send it to be authenticated. Within the Credential Provider there is an authentication structure that gathers the data and sends it off. The one that is normally used is called KERB_INTERACTIVE_UNLOCK_LOGON, or KIUL for short here. This can unlock a workstation by sending the username, password, and the name of the domain on which it can do the authentication. There are a few other existing structures, including one for a smart card. We needed to extend the KIUL so that it could handle sending the biometric template along to the next step. None of the existing structures can directly handle the binary data, so we had to extend the KIUL.

First, the Credential Provider needs to call LsaLogonUser, which takes many important data elements including what is called the Authentication Package. The package will be explained in the next section, but it basically tells which package we need to use to authenticate later. This also requires us to specify which Authentication Information to use; this is what we currently need to figure out. This Authentication Information is a pointer to a buffer that contains the data we need to use to log in. The format is specified by the Authentication Package [19]. For our biometric solution we would want to call a custom Authentication Package that we will discuss later. Our KIUL would be able to grab the binary template along with the rest of the normal authentication data and send it over to Active Directory.

2.5 Proxy

The very last thing we now need is the proxy that will handle the authentication part. The proxy will be server side, like the enrollment. This is where we intercept the KIUL and perform a few tasks. First we handle the 1-to-1 matching of the biometrics or whatever other data we decide to pass along. This proxy will go into our partition and grab the template from there to do the matching with the one we got from the KIUL, and will use the reader's algorithm to authenticate. It will then pass on the username and password to the LSA to make sure that those are also correct. Finally it will send back the answer as to whether the user trying to log in can do so or not. In our last section we mentioned something called an Authentication Package. This proxy is basically a custom Authentication Package.

Our proxy will sit "in front" of the normal LSA and intercept these messages coming in. We do this by actually having our proxy registered instead of the normal LSA, and then our proxy will take care of loading and calling the LSA when needed. The LSA will appear as though it does not exist, and the server and the process will have to use our custom proxy instead by default.

2.6 Summary

It is clear that multi-factor authentication is the best route to go when you want to secure information, though current systems seem to lack it, or such authentication is limited to the computer and not allowed over a network. This implementation would allow all data to be stored in Active Directory, allowing it to be secure. What was great about Active Directory was that it contained all the information for a user as well as the setup of the network. Active Directory was capable of storing fingerprints as well as other biometric data, which would allow someone to log in over a network.

The enrollment process would have been done on the local machine using a fingerprint reader that would allow for custom applications to be created. This application would create a template and store it in Active Directory. We did come across a problem here. This information would either be stored as a simple variable or in a separate partition for the application. Out of the two options the second would prove to be more secure, since the only thing allowed to access the information would be the enrollment.

Since this takes place over a network, the machine that a user would log in from would need to be able to authenticate the user properly. For this to happen the machine's Credential Provider would have to be changed. The same reader brand from the enrollment would have to be used again, so we would be able to make applications using that company's SDK. Now that we have the template of the fingerprint, we need to get it back to Active Directory. Here is where the KIUL would take over. This extended structure would take the template along to the LSA, but since the LSA can't handle this information a custom module would intercept it and take care of the template. Using the 1-to-1 matching process from the reader's SDK, it would match this new template against the one stored in the partition. If this matches, the module sends the username and password to the LSA to be verified. Once the LSA gets this information it will tell the Credential Provider if the user can log in or not.
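The packing a credential provider performs before calling LsaLogonUser (section 2.4), and what a consumer such as the proxy of section 2.5 would get out of the buffer, as an added Python model; this is not code from the thesis or from Microsoft's credential provider samples. It reproduces the x64 layout of the public KERB_INTERACTIVE_UNLOCK_LOGON structure (a ULONG MessageType, three UNICODE_STRINGs, a LUID) and the convention that, in the packed form, each UNICODE_STRING.Buffer carries an offset from the start of the buffer instead of a pointer. The domain, user name and password values are constructed. The unpacker shows concretely why simply appending a template to the buffer does not "extend" the structure: a consumer that parses the defined fields has no field through which the extra bytes can be reached.

```python
"""Packed KERB_INTERACTIVE_UNLOCK_LOGON as handed to LsaLogonUser (illustration only)."""
import struct

KERB_INTERACTIVE_LOGON = 2           # KERB_LOGON_SUBMIT_TYPE value for a password logon
KERB_WORKSTATION_UNLOCK_LOGON = 7    # ... and for unlocking a workstation

# '<' means little-endian with no implicit padding, so the x64 alignment pads are explicit:
# ULONG MessageType (+4 pad) | 3 x {USHORT Length, USHORT MaximumLength, +4 pad, 8-byte Buffer}
# | LUID {ULONG LowPart, LONG HighPart}
_HEADER = struct.Struct("<I4x HH4xQ HH4xQ HH4xQ Ii")
HEADER_SIZE = _HEADER.size           # 64 bytes


def pack_kiul(domain, user, password, message_type=KERB_INTERACTIVE_LOGON, logon_id=(0, 0)):
    """Fixed header first, then the three UTF-16LE strings; each Buffer field = its offset."""
    strings = [s.encode("utf-16-le") for s in (domain, user, password)]
    fields = [message_type]
    offset = HEADER_SIZE
    for s in strings:
        if len(s) > 0xFFFF:
            raise ValueError("UNICODE_STRING.Length is a USHORT")
        fields += [len(s), len(s), offset]      # Length, MaximumLength, Buffer (as an offset)
        offset += len(s)
    fields += list(logon_id)                    # LUID LowPart, HighPart
    return _HEADER.pack(*fields) + b"".join(strings)


def unpack_kiul(blob):
    """What a consumer sees: the defined fields, with strings reached through their offsets.
    Bytes outside the header and the three strings are never read, so anything appended
    to the buffer (a fingerprint template, say) is invisible to the consumer."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("buffer shorter than KERB_INTERACTIVE_UNLOCK_LOGON")
    mt, dlen, _, doff, ulen, _, uoff, plen, _, poff, low, high = _HEADER.unpack_from(blob)

    def fetch(length, off):
        # An offset that points outside the submitted buffer is a malformed request.
        if off < HEADER_SIZE or off + length > len(blob):
            raise ValueError("UNICODE_STRING offset outside the submitted buffer")
        return blob[off:off + length].decode("utf-16-le")

    return {"message_type": mt, "domain": fetch(dlen, doff), "user": fetch(ulen, uoff),
            "password": fetch(plen, poff), "logon_id": (low, high)}


def is_well_formed(blob):
    """True when the header is complete and every string offset lies inside the buffer."""
    try:
        unpack_kiul(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    b = pack_kiul("CONTOSO", "bmeyers", "hunter2")          # constructed example credentials
    print(len(b), "bytes;", unpack_kiul(b)["user"], "from", unpack_kiul(b)["domain"])
    print("appended bytes visible:", unpack_kiul(b + b"\x00" * 32) != unpack_kiul(b))
```

Because the three Buffer fields are the only way into the variable part of the buffer, carrying a fourth item requires a different submit type and a package that knows how to read it, which is the answer the thesis reports receiving from Microsoft in Chapter 3.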

CHAPTER 3
CHALLENGES WITH THE INITIAL DESIGN

3.1 Introduction

We know that passwords are a good way to protect something. If you add in using biometrics like we have been discussing, then access becomes more secure. It is clear that multi-factor authentication is the best option when you want to securely store or retrieve information. Unfortunately current systems seem to lack it, or such authentication is limited to the computer and not over a network. Originally, we thought that the initial design was going to be the way to go. It would have added in that extra piece of authentication. That extra bit of information would have made it more secure because of how difficult it is to steal a fingerprint.

Near the end of the project we ran into a few problems. For example, Microsoft discussed the idea of a custom proxy on their website, but had no information on how to actually write it. So we went ahead and contacted Microsoft. We had some challenges and had to perform some workarounds up until this point, but it wasn't until we contacted Microsoft that the project came to a halt. That and the accumulation of other issues made us take a step back to re-evaluate our design. First we had issues with the enrollment and the credential provider. We had started to use Upek's SDK, which could capture a fingerprint. It was not until later, when we looked into the code, that we realized Upek's SDK could not make the template that we thought it would make. There was also a problem with sending the template and storing it. One of the largest problems was with the extension of the KIUL. This is what we had discussed with Microsoft. In short, they told us it was impossible to actually extend it. Lastly, we had problems with the proxy. Here Microsoft again told us this was extremely difficult to do, and since we couldn't change the KIUL it was useless. There were also several other problems we ran into before we knew the KIUL could not be changed.

3.2 Enrollment/Credential Provider

Many of the problems that we ran into while working on the enrollment application also occurred in the Credential Provider. Overall both performed similar functions. The enrollment takes the fingerprint template along with the username and password, and stores it within Active Directory. It would also take a second snapshot to verify that you stored a good template. The Credential Provider would also take the same information, but it would send it to Active Directory to be verified in the proxy. At the end of the project there were still things that we wanted to do with both, from finishing the project to adding in other biometrics to test, like RFID cards. There were also problems we came across with the actual capturing of the template and how to send or store the data. These were among the other problems that we had.

The original idea for the enrollment would possibly still work. At our stopping point, it could verify a user's login information and open up the application that could take a fingerprint snapshot. Sadly, after digging through Upek's information we discovered the function we were using originally would only make an image of the fingerprint, not create the template that we needed. After speaking with Upek we found which function was able to actually create the template. Unfortunately there was a problem with it. This template was not just a single fingerprint image; it was actually made up of several images. We feared that because the template was made up of more than a single image, our storage type would not be able to hold the template due to its size. This uncertainty also made us wonder if we could still send the template to Active Directory. We needed to be able to do this so we could store the template and also verify that we stored a good template. Our last problem with Upek's functions was that within their code it was unclear as to what the template was. Since we were unable to figure out what they had named the template we couldn't send it. At that point our enrollment was able to open an already made Upek application, but we were not able to work with any of the variables.

Let's say that we were able to get the template sent to Active Directory. We would then have another problem. Though we knew the template was of binary type, it would most likely be too large to store. The three binary syntaxes we found in Active Directory all store a value as a sequence of 8-bit octets, and the largest value an attribute accepts is fixed by the rangeUpper limit set on that attribute in the schema, so a multi-image template could exceed whatever limit we chose. We do know at least that the choice between a plain attribute and an AD LDS (ADAM) partition could be easily settled. The separate partition obviously would be the most secure way to go. There was one last thing that we planned to add to the enrollment. We wanted to further protect it from the administrator, so we thought to encrypt the fingerprint template while it was getting sent to Active Directory. Performing this encryption would allow for another layer of security within Active Directory.

The Credential Provider luckily had fewer problems for us. Our Credential Provider was able to authenticate a username and password already. We also had it using one of the Upek functions that took a fingerprint image. Again, we would need to change this because we would want a template. Here, we would have had to write a completely new function. This function would either be worked into the actual GUI of the Credential Provider or have been a separate window that would pop up once you started to log in. Either way it would need to grab the user's fingerprint to make the template and then send it along to Active Directory to be verified.

3.3 Extending the KIUL

As we explained earlier, the KIUL is the authentication structure within the Credential Provider that collects the username and password. It takes them to Active Directory to be verified. We were hoping to go into the Kerberos.dll and just add in the binary structure to hold the binary template. To our dismay there were some problems with this. Like before, we'd have to find something large enough to hold the template. We also didn't know how the KIUL would know when or how to grab this information. This was one of the main questions that we had when we contacted Microsoft. They told us that the KIUL wasn't meant to be extended; it had to be used as is. We asked them if it was possible to extend the KIUL and be able to log a user in using Active Directory like this. They said that it wasn't possible with Windows Vista.

3.4 The Proxy

Lastly we hoped to then make a custom proxy to intercept our KIUL. This would have sent the username and password to the LSA to be verified. The proxy would then retrieve the original template from Active Directory and perform a 1-to-1 matching. It would also decrypt the template before using it. Microsoft calls this an authentication package, and again we hoped to extend one, like the KIUL, to use this additional information. We had already found that Upek had a function that allowed comparison of two already taken templates. The question about this custom authentication package was our other big question when we spoke with Microsoft. We got a similar answer here. Again they told us that it wouldn't work and we'd have to try something else if we wanted to use biometrics with logging in.

3.5 Summary

We had originally thought that this design would work. We ran into many problems. All of these problems are summarized in the list following this paragraph. There were items we could work around at that moment and others that had to be pushed to the side to be dealt with later. We even had a few that made us stop and really

PAGE 27

thinkaboutwhattodo.Eachofthemainfunctionshaddicultieswithinthem, whichledustoexaminethemcloser. WithintheenrollmentandCredentialProvider,thefunctionthatreadinthe ngerprintdidn'tmakeatemplateandwouldneedacompleterewrite. Thetemplatesizewaslargerthanwhatweoriginallythought. ThebinarystructuresofActiveDirectory,bothsendingandstoring,wouldnot beabletohandlethesizeofthedata. TherewasnoinformationonhowtoextendtheKIUL.Wefoundoutfrom Microsoftthatitwasimpossibletoextendittotakealonganotherpieceof information. Theproxy,whichwasgoingtobeextendedtousethedatafromtheKIULand dothevericationoftemplates,wasalsonotabletobeextended. Evenafterthesedicultieswestillhopedtosolvetheproblemofhowtosecurely loginoveranetwork.Microsoftdidhavegoodnewsafterourdiscussionwiththem abouttheproject.ThenewswasthatWindows7andServer2008R2wereable todowhatwewanteditwasn'tlikepreviousapplicationswefoundthatsaidthey couldstoretoActiveDirectorybutthenreallystoredthengerprintslocally.They actuallyimplementedasimilarideatooursintheirnewestoperatingsystemand serverwhichwillbediscussedinChapter4. 22
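As an added illustration of the storage and encryption step planned for the enrollment application in Section 3.2 (this is example code written for this page, not part of the thesis's tool suite), the PowerShell below protects a template before it is written to a directory attribute and checks it on read-back. It assumes a custom Octet String attribute named usfBioTemplate (a hypothetical name; creating it requires a schema extension), a hypothetical user bmeyers, that the enrollment and verification service holds the 32-byte master key and the directory administrators do not, and that the ActiveDirectory module is installed. The template bytes are a constructed stand-in; no fingerprint SDK is involved.

```powershell
# Added example for this page (not from the thesis). Assumptions: a schema
# attribute 'usfBioTemplate' (hypothetical) of syntax Octet String exists on
# the user class; $MasterKey is held only by the enrollment/verification
# service; the ActiveDirectory module (RSAT) is installed.
Set-StrictMode -Version Latest

function Get-SubKey([byte[]]$MasterKey, [string]$Label) {
    # Derive independent encryption and MAC keys from one master key.
    $h = New-Object System.Security.Cryptography.HMACSHA256(,$MasterKey)
    return $h.ComputeHash([Text.Encoding]::UTF8.GetBytes($Label))
}

function Protect-Template([byte[]]$Template, [byte[]]$MasterKey, [string]$Binding) {
    # AES-256-CBC with a random IV, then HMAC-SHA256 over binding|IV|ciphertext
    # (encrypt-then-MAC). $Binding is the user's objectGUID, so a directory
    # admin cannot copy one user's blob onto another account and log in as them.
    $encKey = Get-SubKey $MasterKey 'template-enc'
    $macKey = Get-SubKey $MasterKey 'template-mac'
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $encKey          # 32 bytes -> AES-256
    $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Template, 0, $Template.Length)
    $bind = [Text.Encoding]::UTF8.GetBytes($Binding)
    $mac  = (New-Object System.Security.Cryptography.HMACSHA256(,$macKey)).ComputeHash([byte[]]($bind + $aes.IV + $ct))
    return [byte[]]($aes.IV + $ct + $mac)     # 16-byte IV | ciphertext | 32-byte tag
}

function Unprotect-Template([byte[]]$Blob, [byte[]]$MasterKey, [string]$Binding) {
    if ($Blob.Length -lt (16 + 16 + 32)) { throw 'blob too short' }
    $encKey = Get-SubKey $MasterKey 'template-enc'
    $macKey = Get-SubKey $MasterKey 'template-mac'
    $iv   = [byte[]]$Blob[0..15]
    $ct   = [byte[]]$Blob[16..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $bind = [Text.Encoding]::UTF8.GetBytes($Binding)
    $expected = (New-Object System.Security.Cryptography.HMACSHA256(,$macKey)).ComputeHash([byte[]]($bind + $iv + $ct))
    # Constant-time tag comparison, checked before any decryption is attempted.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'template integrity check failed (wrong key, wrong user, or tampered value)' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $encKey; $aes.IV = $iv
    return $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

function Save-UserTemplate([string]$SamAccountName, [byte[]]$Template, [byte[]]$MasterKey) {
    $user = Get-ADUser -Identity $SamAccountName
    $blob = Protect-Template $Template $MasterKey $user.ObjectGUID.ToString()
    Set-ADUser -Identity $user -Replace @{ usfBioTemplate = $blob }
    # Read back and decrypt: this is the "did we store a good template" check,
    # and it proves the directory kept the full-size value.
    $stored    = [byte[]](Get-ADUser -Identity $user -Properties usfBioTemplate).usfBioTemplate
    $roundTrip = Unprotect-Template $stored $MasterKey $user.ObjectGUID.ToString()
    if ([Convert]::ToBase64String($roundTrip) -ne [Convert]::ToBase64String($Template)) {
        throw 'read-back mismatch'
    }
    return $stored.Length
}

# Constructed stand-in for a multi-image template (a real one comes from the
# sensor's engine); 4 KB is far above the single byte the text feared AD allowed.
$rng       = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$masterKey = New-Object byte[] 32;   $rng.GetBytes($masterKey)
$template  = New-Object byte[] 4096; $rng.GetBytes($template)
$bytesStored = Save-UserTemplate -SamAccountName 'bmeyers' -Template $template -MasterKey $masterKey
"stored $bytesStored bytes (IV + ciphertext + tag) for bmeyers"
```

Two operational points follow from this. A newly created schema attribute is readable by Authenticated Users by default, so the attribute should be marked confidential (searchFlags bit 0x80) so that only principals granted the control-access right can read anyone's blob at all; encryption then only has to hold against the administrators who can bypass that. And matching cannot be done on the ciphertext: whatever service performs the 1-to-1 comparison (the proxy of Section 3.4) must hold the key and decrypt, which is exactly why that service, not the directory, is the right owner of the key.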


CHAPTER 4
WINDOWS BIOMETRIC FRAMEWORK

4.1 Introduction

In Chapter Three we discussed the problems our application ran into, and mentioned that Microsoft had implemented something similar to our idea for Windows 7 and Server 2008 R2. Microsoft calls it the Windows Biometric Framework, or WBF, as we will refer to it. According to Microsoft, the WBF "is used to create client applications that securely capture, save, and compare end-user biometric information" [20]. Microsoft recognized that people and companies wanted to use biometric information to log in over a network using something similar to Active Directory. As Microsoft describes it, it is now possible to build an application that captures a fingerprint template and stores it in a database, which also means they found a suitable place to store the template, one of our problems.

We understand the overall idea of what WBF does. It can do what we wanted to implement, but to what extent, and what other functions can it perform? We had our own ideas for such a system, so we will look at exactly what theirs does. Microsoft claims it handles all biometrics, but for now we see that it only supports fingerprints. That is a sensible starting point, since capture technology for fingerprints already exists. WBF can handle functions we wanted to implement, such as enrolling a new user and retrieving stored templates [21]. We will see that Microsoft created an entirely new framework for this purpose, along with many new functions that give companies using the framework a large degree of customization.

After reading an overview of the system we found that Microsoft's solution still had not solved all the issues we thought relevant. It includes functions we had not thought of, such as support for different fingerprint readers, but it lacks functions we wanted. One is multi-factor security: apart from the fingerprint itself, WBF accepts no logon information beyond a username and password, and we had also thought to include RFID at some point. A few things we had hoped to incorporate into our solution one day, such as additional biometrics, WBF may soon handle.

The next obvious question was how Microsoft accomplished a system like this. The information on WBF is vast. Part of the basic framework is set up as in past systems; new parts were then added, either as large new pieces or as new features between old ones. Applications access the templates separately from other user data; we had thought to do this through an existing database, though a dedicated one makes sense. One requirement is that only certain fingerprint readers work with WBF. Another shortcoming is that it is not a complete solution: it provides only a database and code samples, although Microsoft does provide detailed web pages to help in coding the necessary functions.

Not all systems are perfect and WBF is no exception. While we find it exciting that Microsoft developed WBF, there remain problems, things that could be changed, and functions that could be added. The framework has the capacity to add biometrics beyond fingerprints, so why not add the support? With all the sample code they have written, why not ship a basic enrollment system? We also hope they decide to add other types of verification, which would make systems even more secure.


4.2 What WBF Does

As discussed throughout this thesis, using biometric information in the login system allows a more secure login, since a fingerprint is much harder to replicate than a password is to guess or steal (though not impossible, which is why it is combined with a password rather than replacing it). Microsoft finally saw the need to include this in its newest operating system, Windows 7. Before WBF each biometric vendor had to develop its own drivers and SDKs, which is how we tried to design our own application. The problem is that such applications only work with a single reader type: something built with Company A's SDK will not work with Company B's reader. In Windows 7 Microsoft decided this would be a problem no longer and that they would support all fingerprint readers. This meant every fingerprint device vendor had to write new drivers for the framework; separate SDKs are no longer needed because everything can be done through WBF [22].

A single interface brings many of the good elements of this framework. All supported fingerprint devices now work the same way, so users need not remember how to use each device, and developers need not learn each vendor's SDK, because one central framework is used by all. Fingerprint devices can be managed locally or over a network [22]. The support Microsoft gives those developing against WBF is ample. When we originally sought information on Upek's biometric device we found barely any documentation and waited a long time for a response from their support; for WBF we found a good amount of information online about using and developing against it.

Earlier in the chapter we discussed the three main goals WBF sets out to solve: capturing a fingerprint, saving a template, and later comparing two templates against one another [20]. These work much as we envisioned them in our own system. Capture is straightforward: a fingerprint is scanned multiple times and a template is created from the scans. The template is then passed from the device through the framework to a database meant to hold only templates (in the Windows 7 implementation that database is the one kept by the unit's storage adapter, described in Section 4.4, on the machine the sensor is attached to), and WBF handles all comparisons for matching two templates.

Besides the three main functions, the WBF API makes many other functions possible. A programmer can create applications to do whatever they like with the biometric information; common examples are an enrollment application for new users or retrieving a template for another purpose. Microsoft does not provide pre-written software to use with WBF, although its MSDN website has many references on coding your own applications, which lets companies customize their systems to work exactly as they would like. The WBF API supports two data-flow models, synchronous and asynchronous. Currently Microsoft has posted five code examples: capturing, enrolling, identifying the biometric information of a user, locating a biometric unit, and verifying user identity [23]. Each page contains the sample code, a few main points on how it works, and the header files that must be included. Two additional examples are for administrators only: retrieving a user's identity and their credentials [23].

As discussed earlier about our own application, a user's credentials are very important. WBF has a separate API that handles all of a user's other information, such as username and password; this information is just as important as the fingerprint template.

The last important thing to understand about WBF is the sensor pool. There are three classifications of sensor pool: system, private, and unassigned. The piece of software that does all the work is called a biometric unit. Each unit belongs to exactly one pool, and the pool type tells the system what an application is allowed to do with that unit.


4.3 Initial Design vs WBF

Many of Microsoft's ideas for WBF were ones we had thought to implement in our own application. Researching what they had done, we also saw that they did some things differently, did things we had not thought of, and left out things we thought important. The basic idea was the same: a framework that handles biometric information for logging into a computer. With limited resources, our only option was to build this into the existing Active Directory; once we learned that would not work we wondered what the answer could be. Microsoft answered it: a separate framework that takes care of just biometrics. This solved most of the problems we had. WBF handles everything, with a few functions that can be customized to meet your needs.

Microsoft took a different approach in several places, and most of the new ideas make good sense. While we were developing for a single company's needs, Microsoft decided that supporting all biometric devices would give consistency: if a company changes brands of biometric device, authentication still works, and there is a single, unified way of writing an application.

As good as the WBF solution is, we feel Microsoft left some key ideas out. One of our main hopes for the initial design was support for multi-factor identification. At the moment WBF only supports fingerprint data while claiming to accept any type of biometric data; there is hope that it will support more forms, but it does not yet. We had also hoped the system would take into account other forms of security for login besides biometrics; being able to add something like an RFID card would allow greater security.


Figure 4.1. An outline of how Microsoft has structured WBF. All three adapters talk with the device currently in use, and there are multiple Windows biometric service providers, one for each biometric type.

4.4 How WBF Works

As just discussed, there are many similarities between what we wanted to implement and what Microsoft did with WBF. The next question was how they accomplished it. Microsoft designed a framework completely separate from any previously existing structure, whereas our only option was to add our implementation to an existing one; Microsoft could create a new framework because it had the resources to take on such a large task.

We know the goal of the framework, but how does it actually handle all the biometric data? Microsoft describes "three core platform components" of WBF [24]. To be used, a biometric device must be compatible with the Windows Biometric Driver Interface, the single driver interface through which fingerprints are captured. The second is the WBF API, discussed earlier, which allows custom applications to use the framework. The last piece is the Windows Biometric Service, which links the other two together; it is responsible for securely passing data between the driver interface and the API as well as storing and retrieving the needed data [24].

The most impressive part of what Microsoft accomplished was the structure of the new framework. As already noted, they implemented a completely separate framework just to handle biometrics. Figure 4.1 shows the overall scheme. The main part is the Windows Biometric Service, which controls all the inner functions. The next layer manages the different devices that can be used, such as fingerprint readers. Handling of the biometric data itself is up to the Biometric Unit, which contains three adapters that talk to the biometric device: the sensor adapter, the engine adapter, and the storage adapter. The sensor adapter is in charge of the device's user interface and of capturing fingerprints, for example; the engine adapter creates the template and also handles matching when needed; and the storage adapter maintains the template database [25].

As a programmer for a company using WBF you would have to create your own applications to use the authentication, which requires a background in C and C++ [20]. Microsoft also points out that the three adapters within the Biometric Unit are not pre-coded; it provides guidelines for writing your own, and they are in fact DLL files [26]. As mentioned before, Microsoft has plenty of helpful documentation and examples on creating custom applications. As with the application we tried to implement, the credential provider would have to be rewritten to collect a fingerprint and create a template to be stored for verification; Microsoft provides code examples for managing credentials [28].
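The following is an added example for this page, not code from the thesis or from Microsoft's samples, showing the WBF API path that Sections 4.2 to 4.4 describe: open a session on the system sensor pool, let the framework capture and match, and receive back only an identity. It calls winbio.dll from PowerShell through P/Invoke; the declarations are transcribed from the documented C prototypes of WinBioOpenSession, WinBioIdentify and WinBioCloseSession and from the WINBIO_IDENTITY layout in winbio.h, with the constants WINBIO_TYPE_FINGERPRINT, WINBIO_POOL_SYSTEM, WINBIO_FLAG_DEFAULT and WINBIO_ID_TYPE_SID written out by value. It assumes Windows 7 / Server 2008 R2 or later with a WBF-compatible fingerprint reader on which at least one user has enrolled.

```powershell
# Added example for this page (not from the thesis or Microsoft's samples).
# Assumes a WBF-compatible reader with enrolled templates. The application
# never sees template bytes: the framework's engine adapter does the matching
# and the storage adapter keeps the database, and the caller gets back a SID.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

// Layout-compatible view of WINBIO_IDENTITY for the SID case:
// ULONG Type; then the union, of which we use { ULONG Size; UCHAR Data[68]; }.
[StructLayout(LayoutKind.Sequential)]
public struct WINBIO_IDENTITY {
    public uint Type;                         // 3 = WINBIO_ID_TYPE_SID
    public uint AccountSidSize;               // Value.AccountSid.Size
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 68)]
    public byte[] AccountSidData;             // Value.AccountSid.Data[SECURITY_MAX_SID_SIZE]
}

public static class WinBio {
    public const uint WINBIO_TYPE_FINGERPRINT = 0x00000008;
    public const uint WINBIO_POOL_SYSTEM      = 1;
    public const uint WINBIO_FLAG_DEFAULT     = 0;
    public const uint WINBIO_ID_TYPE_SID      = 3;

    [DllImport("winbio.dll")]
    public static extern int WinBioOpenSession(uint Factor, uint PoolType, uint Flags,
        IntPtr UnitArray, UIntPtr UnitCount, IntPtr DatabaseId, out IntPtr SessionHandle);

    [DllImport("winbio.dll")]
    public static extern int WinBioIdentify(IntPtr SessionHandle, out uint UnitId,
        out WINBIO_IDENTITY Identity, out byte SubFactor, out uint RejectDetail);

    [DllImport("winbio.dll")]
    public static extern int WinBioCloseSession(IntPtr SessionHandle);
}
'@

function Get-FingerprintIdentity {
    # Returns the Windows account whose enrolled fingerprint matched, or $null.
    $session = [IntPtr]::Zero
    # System pool, default flags, no explicit unit list, default database.
    $hr = [WinBio]::WinBioOpenSession([WinBio]::WINBIO_TYPE_FINGERPRINT, [WinBio]::WINBIO_POOL_SYSTEM,
            [WinBio]::WINBIO_FLAG_DEFAULT, [IntPtr]::Zero, [UIntPtr]::Zero, [IntPtr]::Zero, [ref]$session)
    if ($hr -ne 0) { throw ("WinBioOpenSession failed: 0x{0:X8}" -f $hr) }
    try {
        $unitId = [uint32]0; $identity = New-Object WINBIO_IDENTITY
        $subFactor = [byte]0; $reject = [uint32]0
        Write-Host 'Touch the fingerprint reader...'
        # Synchronous 1-to-N identification: blocks until a finger is captured.
        $hr = [WinBio]::WinBioIdentify($session, [ref]$unitId, [ref]$identity, [ref]$subFactor, [ref]$reject)
        if ($hr -ne 0) {
            # A failing HRESULT covers both API errors and a capture the engine
            # rejected or could not match; RejectDetail says why a capture was bad.
            Write-Warning ("WinBioIdentify returned 0x{0:X8}, reject detail {1}" -f $hr, $reject)
            return $null
        }
        if ($identity.Type -ne [WinBio]::WINBIO_ID_TYPE_SID) { throw 'unexpected identity type' }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($identity.AccountSidData, 0)
        return [pscustomobject]@{
            Unit      = $unitId
            SubFactor = $subFactor        # which finger (WINBIO_BIOMETRIC_SUBTYPE)
            Sid       = $sid.Value
            Account   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
    } finally {
        [void][WinBio]::WinBioCloseSession($session)
    }
}

Get-FingerprintIdentity
```

Note what this demonstrates about the design contrast with Chapter 3: the thesis's proxy had to receive a template and match it itself, whereas here the only thing that crosses the API boundary is a SID, so an application cannot leak or substitute templates, and the assets to protect are the unit's local database and the ability to open sessions on it. WinBioIdentify answers "who is this?" (1-to-N); when the user has already typed a name, the 1-to-1 check the proxy of Section 3.4 intended is WinBioVerify with that account's SID.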


The last important function of any system is its administration and management. An expansive framework like WBF has more ways to maintain the system than one we would have made. Changes to biometric devices or needed driver updates can easily be obtained from Microsoft, so there is no worrying about compatibility after updates. Administrators have access to the Biometric Devices control panel, which offers an array of options, from deleting a user's template to disabling a biometric driver [27].

4.5 Issues

We found most of what Microsoft did with WBF to be a great solution; many of its functions were big pieces of our project to include biometrics as a security measure. There were, however, some functions we had problems with and issues Microsoft did not touch on at all. We had two main issues: no multi-factor authentication and no usable applications. A further issue is that WBF handles only fingerprint data at this time.

As pointed out, Microsoft calls WBF a biometric system even though it handles only fingerprints. Microsoft has indicated that other types of biometrics will be incorporated into WBF in the future; we hope it will allow multiple types of biometrics for authentication at the same time. The factor we wanted to add to our own application was an RFID card, and allowing more, and multiple, types of authentication would make systems even more secure, as already discussed.

There are plenty of code examples on Microsoft's website for customizing WBF, but since you have to create a custom application to use the framework, many companies may choose not to. It would be easier for companies to adopt the added features if Microsoft shipped a few simple applications along with the framework, such as an enrollment tool, a framework setup tool, and an updated credential provider.


4.6 Summary

From even a short overview, the Windows Biometric Framework API is impressive. It can do many of the things we hoped to do ourselves. Clearly Microsoft saw this need earlier, perhaps because its users told the company what they thought of biometric login. Either way, logging into a computer over a network with a fingerprint is now possible, and a secure measure to take.

Microsoft's WBF handles a lot of functions. One main idea was supporting all fingerprint-reading devices, so that any such device can be used without worrying about compatibility. It also meant vendor SDKs were no longer needed, because Microsoft supports writing applications against WBF directly. Although Microsoft did not release applications to use with WBF, the platform lets companies write their own. These custom modules can enroll users, verify them before allowing them onto a computer, and handle other information pertaining to the biometric data.

We did have some things to say about Microsoft's system compared with our own idea. While both had similar thoughts on how the authentication is set up and how it works, there were also differences. WBF made great improvements with features we had not thought of, most of them things we could not have done because they relate to device drivers. A few ideas we had thought to include were left out of WBF or barely discussed by Microsoft. As discussed earlier, multi-factor authentication is the best way to go, but WBF supports only one type of biometric. Microsoft has said it will one day handle more types; we hope they also consider handling other types of authentication.

The amount of work Microsoft put into WBF was impressive. Unlike our idea of simply making it work with existing software and hardware, they implemented a complete new framework. Three core pieces were developed to handle capturing a template, storing and retrieving it, and matching templates: the Windows Biometric Driver Interface, the WBF API, and the Windows Biometric Service. These pieces make up the actual framework. Using the API, companies can create custom applications for whatever need they have, and there are also ways to maintain the system from an administrative point of view.

Finally, we had a few minor suggestions for WBF that could be seen as improvements Microsoft could make in a future release. As pointed out, it handles only fingerprint data now but will expand to other biometric types. Adding other security measures, such as RFID cards, would allow a true multiple-authentication framework. Shipping ready-made applications could allow more companies to use the framework instead of making them code their own, while companies that want larger, more complicated applications still could.


CHAPTER 5
CONCLUSION

Authentication on any system is clearly useful for helping to secure information, yet most current systems lack either multi-factor authentication or a network-wide (rather than purely local) authentication system. We have discussed three main topics and learned many lessons through this project. The implementation we worked on would have stored all data in Active Directory, keeping it under the directory's protection, and would eventually have allowed a user to log in over a network with multiple ways of verifying who they were. We were disappointed to find that in the long run this idea would not work out. We were originally working on a solution for Windows Vista; Microsoft then told us that it would not work with Vista at all. However, Microsoft also told us they had been working on a similar implementation in Windows 7, which we then began investigating.

We first tried to solve the biometric problem ourselves, since all research at the time showed that biometrics could only be stored locally on a machine. The idea was to use Active Directory to control all the templates as well as the rest of a user's information. Enrollment could take a fingerprint and store it in a separate partition reserved for templates. Users would then log in over a network, and the system would verify them based on a fingerprint stored in Active Directory rather than on the local machine. The Credential Provider was rewritten to add a function that captures a template of the fingerprint. The KIUL then takes over: originally it carries a username and password to Active Directory for verification, and we had hoped to extend it so the template could be carried as well. Once sent to the LSA, a proxy would first intercept the KIUL, send the username and password to the LSA for verification, then retrieve the user's stored fingerprint template and perform a 1-to-1 match against the template sent with the KIUL. If the template matches and the password is correct, the LSA would tell the Credential Provider that the user may log on.

Near the end of this project we started to run into problems. We realized we should have contacted Microsoft earlier than we did instead of letting the issues pile up. Nearly every main function had one issue or another, which made us stop and evaluate what we had done. The Upek function we were using did not actually create a template as we thought, so enrollment would have to be rewritten again. The templates created by the right function were, we believed, too large for the binary structures of Active Directory. After much research we found no information on how to extend the KIUL, and after speaking with Microsoft we learned that neither the KIUL nor the proxy could be extended to deal with templates as we wanted.

The good news was that Microsoft told us Windows 7 could do something similar to what we wanted. Their solution is the Windows Biometric Framework, which supports any fingerprint device that has a compatible driver. Supporting devices this way means separate SDKs are no longer needed; Microsoft supports developing applications against the framework. WBF has three main functions: capturing a template, storing and retrieving it, and matching. This means it is now possible to authenticate using biometrics as we had hoped. Microsoft also developed the WBF API, which, as we said, lets a company write its own applications that use fingerprint data to log a user in without the application itself ever storing or handling the templates (the framework's storage adapter keeps them). This is all achieved because the framework stands by itself, unlike our idea, which was to be built into an existing system.

While Microsoft's WBF improved on ideas we had, there were ideas we thought they left out or barely helped with. At the moment WBF only supports fingerprint devices; we hope that one day it will support other biometric types, which would be a step toward a more multi-factor approach to a user logging into a system. One suggestion we did have was to add other security types such as RFID cards. Ready-made applications might also increase interest among companies that do not have the resources to make their own. What other ideas could they add to WBF? If Microsoft added more layers of authentication as well as other biometric types, a system could be secured much more flexibly. There are many possible future applications for security, especially multi-factor authentication.


LIST OF REFERENCES

[1] J. Kent. "Malaysia car thieves steal finger," BBC News. February 2010. http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm.
[2] Upek. Technical Support. March 2010. http://www.upek.com/support/customersupport/techsupport/.
[3] Biometrics Direct. BioCert Intelligent Identity Manager. February 2010. http://www.biometricsdirect.com/Net-working/biocertbiim.htm.
[4] Griaule Biometrics. Biometric Network Logon. February 2010. http://www.griaulebiometrics.com/page/network logon.
[5] Bayometric Inc. Biometric Computer Logon: Network Logon. February 2010. http://www.bayometric.com/products/Biometric-Network-Logon.htm.
[6] BioLink. IDenium for Active Directory. February 2010. http://www.biolinksolutions.com/products/software/idenium ad/.
[7] L. O'Gorman. "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proceedings of the IEEE. December 2003.
[8] E. Bertino, A. Bhargav-Spantzel, A. Squicciarini, S. Modi, M. Young, and S. Elliott. "Privacy Preserving Multi-Factor Authentication with Biometrics," Proceedings of the Second ACM Workshop on Digital Identity Management. 2006.
[9] D. Argles, K. Apempa, T. Zhang, and G. Wills. "Ensuring Privacy of Biometric Factors in Multi-Factor Authentication Systems." February 2010. http://eprints.ecs.soton.ac.uk/15901/1/PDFsecrypt.pdf.
[10] MIT. Kerberos: The Network Authentication Protocol. December 2009. http://web.mit.edu/Kerberos/.
[11] Microsoft Corporation. Configure Kerberos authentication. December 2009. http://technet.microsoft.com/en-us/library/cc263449.aspx.
[12] Microsoft Corporation. MSDN. December 2009. http://msdn.microsoft.com/en-us/default.aspx.
[13] Microsoft Corporation. TechNet. December 2009. http://technet.microsoft.com/en-us/default.aspx.
[14] Debra Williams. Upek, e-mail, March 2010.
[15] Charles Bradley. Senior Multi-Disciplined Engineer II with Honors, Raytheon. Personal conversation, February 2010.
[16] Microsoft Corporation. So What Is Active Directory? December 2009. http://msdn.microsoft.com/en-us/library/aa746492(VS.85).aspx.
[17] Microsoft Corporation. Active Directory Schema Terminology. December 2009. http://msdn.microsoft.com/en-us/library/ms675087(v=VS.85).aspx.
[18] Microsoft Corporation. Active Directory Lightweight Directory Services Overview. December 2009. http://technet.microsoft.com/en-us/library/cc754361(WS.10).aspx.
[19] Microsoft Corporation. LsaLogonUser Function. December 2009. http://msdn.microsoft.com/en-us/library/aa378292(v=VS.85).aspx.
[20] Microsoft Corporation. Windows Biometric Framework API. July 2010. http://msdn.microsoft.com/en-us/library/dd401509(v=VS.85).aspx.
[21] Microsoft Corporation. About the Windows Biometric Framework API. July 2010. http://msdn.microsoft.com/en-us/library/dd401507(v=VS.85).aspx.
[22] Microsoft Corporation. Introduction to the Windows Biometric Framework. August 2010. http://www.microsoft.com/whdc/device/biometric/wbfintro.mspx.
[23] Microsoft Corporation. Creating Client Applications. July 2010. http://msdn.microsoft.com/en-us/library/ee829699(v=VS.85).aspx.
[24] Microsoft Corporation. Core Platform Components. July 2010. http://msdn.microsoft.com/en-us/library/dd560898(v=VS.85).aspx.
[25] Microsoft Corporation. Framework Components. July 2010. http://msdn.microsoft.com/en-us/library/dd401549(v=VS.85).aspx.
[26] Microsoft Corporation. Creating Adapter Plug-ins. July 2010. http://msdn.microsoft.com/en-us/library/dd401522(v=VS.85).aspx.
[27] Microsoft Corporation. Biometric Framework Overview. July 2010. http://msdn.microsoft.com/en-us/library/dd560897(v=VS.85).aspx.
[28] Microsoft Corporation. Managing Credentials. July 2010. http://msdn.microsoft.com/en-us/library/ee207400(v=VS.85).aspx.


Identifier:
E14-SFE0004882
Advisor:
Ligatti, Jay
Format:
Text (Electronic thesis) in PDF format.
Permanent link:
http://digital.lib.usf.edu/?e14.4882