Biometric Identification Architecture (Vadan Mehta)

Published on May 2016 | Categories: Types, Research, Internet & Technology | Downloads: 54 | Comments: 0 | Views: 298

The Indian government's ambitious UID project can use the omnipresent network of wireless telecom technologies for connectivity.


BIOMETRIC IDENTIFICATION ARCHITECTURE: INTEGRATION WITH CELLULAR TECHNOLOGIES

BY VADAN MEHTA TATA CONSULTANCY SERVICES [email protected]

ABSTRACT
This paper describes a biometric system's architecture and its integration with cellular technologies. First I explain the conceptual framework of biometric identification architecture, followed by an introduction to mobile VPN and possible alternatives for utilizing mobile VPN to interconnect the components of the biometric architecture. With increasing security concerns and for ease of management, more state governments are turning towards biometric verification of their citizens. The Unique Identification Authority of India (UIDAI) initiated the UID (Unique Identification) project, where it plans to provide a biometric identity to each citizen as an alternative to the ID proofs used today, such as the PAN card, voting card, driving license etc. The vision of UID is to build a national database containing biometric information such as fingerprint records of citizens, which can be used by security agencies, the Income Tax department, police and other related institutes. This paper describes a conceptual framework for using cellular backhaul to interconnect biometric clients to the central data repository.

INTRODUCTION
Biometrics (ancient Greek: bios ="life", metron ="measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In contrast with probably every other method of authentication, biometric authentication aims to be completely nontransferable. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of mostly behavioral characteristics include signature, gait and typing patterns. Voice is considered a mix of both physical and behavioral characteristics.

BIOMETRIC IDENTIFICATION ARCHITECTURE
Biometric identification architecture incorporates a reader, scanner or camera for the capture of a biometric identifier (e.g. fingerprint or facial image), which is converted by software into a digital format (template) for storage and comparison against other records held in a central database repository (UID in our case).

Copyright: Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

TACTiCS – TCS Technical Architects’ Conference’09

Figure 1: Architecture


General biometric architecture is mainly divided into three parts (see Figure 1):
• Data Collector: a device to collect the biometric data (fingerprints, iris, voice etc.), convert it into a digital template and send it to the central database for processing.
• Transmission: carries the biometric template to the central server using telecommunication technologies. It involves secured transmission, compression/decompression and signal processing.
• Central Database: the central data repository processes the data in order to render an authentication decision, based on matching the stored template against the current one.

I propose to use cellular technologies (GSM, CDMA2000, WiMAX) because of their omnipresent nature and easy provisioning. The proposed architecture connects bio-scanners to the available cellular technology via an encrypted mobile VPN service (see Figure 2).

Operation
All biometric systems run in two separate processing phases: 1) Enrolment and 2) Verification.
• Enrolment: in this processing phase the individual subject provides samples of a biometric characteristic to establish a new, so-called reference template.
• Verification: after enrolment, the subject is known to the biometric system. When the subject provides a query template, it is processed and compared with the saved reference templates of all enrolled subjects, stored in the repository database. The output of the system may be a simple yes/no, an identity credential with identity information about the subject, or a list of identity data corresponding to the best matches for a client system.
The measured accuracy of a template is an estimate of how reliably a comparison can be made between the stored template and the user's template that is scanned later for authentication. The enrolment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrolment quality of 72 percent.

Figure 2: Biometric using cellular backhaul framework

VPN
The public Internet was specifically designed to quickly route traffic between any two connected points. The Internet is composed of countless network devices that are administered by different organizations. No one organization can control or be responsible for the privacy and integrity of data as it travels over the Internet. The Internet is sometimes viewed as an insecure means of transmitting data because there are opportunities for modification and deletion of data. A variety of well-publicized attacks and viruses have made it painfully obvious that the Internet is insecure. A VPN (Virtual Private Network) addresses the lack of security on the Internet by providing authentication and encryption between two end points.

(See figure 3)

CELLULAR INTEGRATION
A biometric ID system requires connecting bio-scanners, located at various geographical places, to its central database for enrolment and verification purposes. Biometric scanners can be handheld devices or fixed terminals with biometric data collection capability. These devices are required to integrate with existing telecommunication technologies in order to transmit their data to the central data repository.

Figure 3: VPN concept

A VPN is a way to build a secure, private communication infrastructure on top of a public network. VPNs are logical networks that connect physical networks or single hosts to each other by forming encrypted tunnels over public networks. VPNs guarantee privacy and security, allowing companies to communicate information—no matter how sensitive it is—over the Internet inexpensively.

Connectivity
A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.

VPNs can be built on tunneling protocols that are implemented at different layers of the OSI seven-layer model. Tunnel characteristics are determined by the protocol the tunnel is built upon. Tunnels can be established at the following layers of the OSI model:
• Layer 2, the Data Link layer, uses the L2TP and PPTP tunneling protocols. These protocols use password authentication to prevent unauthorized dial-up connections.
• Layer 3, the Network layer, uses the IPSec tunneling protocol built over IP. This protocol authenticates and encrypts data transmission by adding network layer information to each packet.
IPSec (Internet Protocol Security) was developed as a standard by the IETF to address the authentication and encryption limitations of the Layer 2 tunneling protocols. IPSec provides message integrity, privacy, authentication, and replay protection. An IPSec tunnel can be created between two IPSec gateways, or between an IPSec gateway and a remote user who has an IPSec VPN client installed.

IPSEC Architecture
As per Figure 4, IPsec grants two choices of security service: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides support for connectionless integrity, data origin authentication, and protection against replays, but does not provide secrecy. On the other hand, ESP supports confidentiality, connectionless integrity, anti-replay protection, and optional data origin authentication.

Figure 4: IPSEC architecture

A key concept that appears in both security services is the Security Association (SA). An SA is a one-way relationship between a sender and a receiver that affords security services. In order to establish an SA between two hosts, they must first agree to apply compatible policies and cryptographic algorithms. They must also have a secure mechanism for determining and sharing keying material over an insecure channel. The default IPsec method for secure key negotiation is the Internet Key Exchange (IKE) protocol. IKE consists of two sequential phases. Phase 1 creates an Internet Security Association and Key Management Protocol (ISAKMP) SA (or IKE SA) that establishes a bi-directional secure channel between the security endpoints. Phase 2 negotiates an IPsec SA using the pre-established channel. Multiple IPsec SAs can be established from a single ISAKMP SA, which may be considered as a "control channel", where IKE is the control protocol. Both AH and ESP support two modes of use: transport and tunnel mode [1]. The transport mode mainly provides end-to-end protection, where the IP packet's payload is encrypted. On the other hand, the tunnel mode encapsulates an entire IP packet (including the IP header) within a new IP packet to ensure that no part of the original packet is visible, or may be changed as it moves through a network. Even though there is some criticism of IPsec, it is commonly admitted that it is the best IP security protocol available today [8]. It facilitates the authentication of the communicating entities, and the transparent encryption and integrity protection of the transmitted packets in both IPv4 and IPv6 networks. It is especially useful for implementing VPNs and remote access to private networks. Because of its flexibility, IPsec enables security service deployment across any existing IP network. On the other hand, the main drawback of IPsec is its complexity, as it incorporates a considerable number of independent protocols, which operate in multiple modes.
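The AH tunnel-mode and anti-replay mechanics described above, as an added example that is not part of the paper: a gateway wraps an inner IP packet in an outer header plus AH, and the receiving SA verifies the ICV and enforces a sliding anti-replay window, using only the Python standard library. The SA key, SPI and 32-packet window are constructed test values, and HMAC-SHA-256-128 is an assumed integrity algorithm rather than one the paper names.

```python
import hmac
import hashlib
import struct

# Constructed test values: a real SA gets its key from IKE phase 2 and its
# SPI from the negotiation; these are placeholders for the demonstration.
SA_KEY = bytes(range(32))
SPI = 0x10000001
AH_PROTO = 51            # IP protocol number carried in the outer header
ICV_LEN = 16             # assumed HMAC-SHA-256-128 (RFC 4868) integrity check value
REPLAY_WINDOW = 32       # inbound anti-replay window (RFC 4302 minimum)

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header. TTL and checksum change in transit, so AH
    computes its ICV with those mutable fields zeroed; here they stay at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 0, proto, 0, src, dst)

def ah_icv(outer, ah_fixed, inner):
    """ICV over outer header + AH header (ICV field zeroed) + entire inner packet."""
    data = outer + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_encapsulate(inner_packet, seq, outer_src, outer_dst):
    """Tunnel mode: the whole inner IP packet (header included) is the payload
    of a new outer packet. AH header = next header, payload length (in 32-bit
    words minus 2), reserved, SPI, sequence number, ICV: 12 + 16 = 28 bytes."""
    total = 20 + 12 + ICV_LEN + len(inner_packet)
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, total)
    ah_fixed = struct.pack("!BBHII", 4, (12 + ICV_LEN) // 4 - 2, 0, SPI, seq)
    return outer + ah_fixed + ah_icv(outer, ah_fixed, inner_packet) + inner_packet

class AhReceiver:
    """Inbound SA state: highest sequence number seen and a bitmap of the window."""

    def __init__(self):
        self.highest = 0
        self.bitmap = 0  # bit i set => sequence number (highest - i) already accepted

    def receive(self, packet):
        outer, ah_fixed = packet[:20], packet[20:32]
        icv, inner = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
        _next, _plen, _rsv, spi, seq = struct.unpack("!BBHII", ah_fixed)
        if spi != SPI:
            return "unknown SA"
        if seq <= self.highest:                 # preliminary replay check first
            offset = self.highest - seq
            if offset >= REPLAY_WINDOW or (self.bitmap >> offset) & 1:
                return "replay"                 # dropped before the MAC is computed
        if not hmac.compare_digest(ah_icv(outer, ah_fixed, inner), icv):
            return "integrity failure"          # forged or modified in transit
        if seq > self.highest:                  # slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
        else:                                   # late but unseen: mark it
            self.bitmap |= 1 << (self.highest - seq)
        return inner   # AH gives integrity only: the inner packet was never encrypted

if __name__ == "__main__":
    # Constructed sample: a UDP datagram from a scanner, tunnelled between gateways.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    inner = ipv4_header(bytes([192, 168, 1, 5]), bytes([192, 168, 1, 9]), 17, 34) + b"template-chunk"
    rx = AhReceiver()
    pkt = ah_encapsulate(inner, 1, src, dst)
    print("first delivery accepted:", rx.receive(pkt) == inner)
    print("replayed copy:", rx.receive(pkt))
```

Because AH leaves the inner packet in clear, the biometric template is still readable by anyone on the path; that is why the paper's design relies on ESP for confidentiality.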


MOBILE VPN IMPLEMENTATION
A mobile VPN extends the VPN concept to the mobile environment. Devices such as handheld biometric scanners are used to generate data for applications (templates). These devices establish an IPSec VPN tunnel from the handheld device (smart phone or PDA) to an IPSec gateway over the Internet, using a wireless connection such as Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), 3G telecom technologies (UMTS, CDMA EvDO) or wireless LAN (WLAN). This wireless VPN tunnel allows handheld scanners to access their centralized database with ensured authentication and encrypted traffic.

IP tunneling is central to implementing an MVPN. IP tunnels are paths that IP packets follow while encapsulated within the payload portion of another packet. These encapsulated packets are sent to destination endpoints from originating endpoints via public (non-secure) channels. There are two basic tunneling methods for implementing IP VPNs — end-to-end or "voluntary", and network-based or "compulsory". MVPNs based on voluntary tunneling are implemented by providing users with public Internet access and then enabling them to establish a VPN on top of this access to reach corporate VPN gateways. Network-based "compulsory" tunneling, in contrast, is based on the idea that the wireless operator's network infrastructure itself features the intelligence and functionality necessary for the deployment of MVPNs, and that these tunnels need not be established by the end-user via their mobile device.

Voluntary MVPN
Voluntary IP VPN provides remote users with the ability to create a tunnel from their terminals (bio-scanners) to a certain tunnel termination point, such as a VPN gateway that resides within the private network hosting the central database repository. For this to happen, the remote access device, such as a biometric scanner, must support a tunneling protocol (IPSEC). This type of VPN service is depicted in Figure 5, which uses mobile dial-up access over a GPRS network as an example. In this scenario, the remote user establishes a VPN connection to a private network after a wireless carrier grants him or her Internet access. Voluntary VPN carries a number of significant advantages. For private network IT administrators, and often for remote users, this is the simplest way to establish a remote access VPN. Remote users simply need access to the Internet or any other public IP network, and a VPN client in their mobile or fixed devices. All that the private network IT department needs to do is to provision a VPN gateway connected to the Internet and capable of terminating a particular type of tunneling, and establish a proper set of policies and security procedures. The service provider offering the Internet access service cannot access the end-to-end encrypted private data being transmitted between the remote user and the private network, and hence it will not have to be entrusted with it.

Figure 5: Voluntary VPN (GPRS)

While voluntary tunneling provides a simple, secure end-to-end solution for access to private networks, it also leads to extra encapsulation overhead over last-hop wireless links. This is a less efficient, more costly use of radio resources. In volume-based charging scenarios, for instance, such overhead could significantly increase corporate costs for remote connectivity. Voluntary tunneling carries a number of other drawbacks as well. For example, it requires that mobile nodes be given public addresses allowing end-to-end transparent IP connectivity. In addition, it requires complex encryption and decryption algorithms, which can increase the complexity and cost of mobile devices, which typically have low processing power and are often limited by battery power consumption. Also, with voluntary tunneling, applications that need to inspect or modify encapsulated packets will be unable to get access to user traffic. This means that QoS solutions, traffic-shaping mechanisms, monitoring equipment and firewalls will fail to perform their functions, and encapsulated (secured) packets cannot be modified by Network Address Translation (NAT).
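The encapsulation overhead argument above, as an added example not taken from the paper: it computes the bytes crossing the radio link per inner IP packet for voluntary MVPN (ESP tunnel mode applied by the handset) against compulsory MVPN (plain IP over the air, with GTP/GRE and IPsec added in the operator core). The AES-CBC with HMAC-SHA1-96 cipher suite and the sample packet sizes are assumptions; the ESP layout follows RFC 4303, and link-layer overhead common to both modes is left out.

```python
# Header sizes from RFC 791 (IPv4) and RFC 4303 (ESP). The cipher suite is an
# assumed IKE phase 2 proposal (AES-CBC + HMAC-SHA1-96), not one the paper names.
IPV4_HDR = 20
ESP_SPI_SEQ = 8       # Security Parameter Index + sequence number
ESP_IV = 16           # AES-CBC initialisation vector
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 12          # HMAC-SHA1-96 integrity check value
AES_BLOCK = 16

def esp_tunnel_bytes(inner_len):
    """Over-the-air size of one inner IP packet in voluntary MVPN, where the
    handset itself applies ESP in tunnel mode: outer IPv4 + SPI/seq + IV +
    (inner packet + trailer, padded up to the cipher block size) + ICV."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return IPV4_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV

def air_bytes(inner_len, mode):
    """Bytes crossing the radio link per inner packet. In compulsory MVPN the
    handset sends the plain inner packet; the GTP/GRE tunnel and the IPsec
    tunnel to the VPN server are added beyond the air interface."""
    if mode == "compulsory":
        return inner_len
    if mode == "voluntary":
        return esp_tunnel_bytes(inner_len)
    raise ValueError(f"unknown MVPN mode: {mode}")

def overhead_ratio(inner_len, mode):
    """Fraction of over-the-air bytes that are tunnel overhead (0.0 for compulsory)."""
    sent = air_bytes(inner_len, mode)
    return (sent - inner_len) / sent

if __name__ == "__main__":
    # Constructed packet sizes: a small template fragment up to a near-MTU packet.
    for inner_len in (100, 300, 600, 1400):
        v = overhead_ratio(inner_len, "voluntary")
        print(f"{inner_len:5d} B inner packet -> voluntary air overhead {v:5.1%}, compulsory 0.0%")
```

For a 100-byte template fragment the voluntary overhead is about 40%, falling to about 4% for a 1400-byte packet, so the "up to 30%" figure in Table 1 depends heavily on how large the packets carrying templates are.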

Compulsory MVPN
A service provider may offer a compulsory VPN service by concatenating or chaining multiple tunnels, or by provisioning a single tunnel for a part of the data path between two participating endpoints. For example, a compulsory VPN can be based on a tunnel created between a private network and a service provider and not extended to reach all the way to the remote user that is using the network access service. As a result, with a compulsory VPN service the remote user does not need to have any involvement in the VPN establishment process and is "forced" to use the available pre-provisioned service whenever access to the private network is required, hence the name. This VPN type assumes that the operator's network infrastructure features the intelligence and functionality necessary to support VPN services based on the tunnels or sets of tunnels provisioned between the private network and the service provider's networks, rather than all the way to the end-user device. In both cases, the enterprise must pre-establish a detailed SLA with the service provider responsible for the VPN service and must trust it to handle its valuable data with the necessary care and confidentiality. In this kind of VPN, tunneling protocols (GTP for GPRS/GSM and GRE for CDMA EvDO) are used to tunnel the data traffic from the access network to the gateway, and from the gateway to the VPN server an IPSEC tunnel is established (Figure 6).

Figure 6: Compulsory VPN

In a mobile environment, security problems become serious, since the user traffic is sent over potentially insecure radio channels. During packet data roaming, the unprotected traffic to and from the mobile station must also traverse the visited carrier's network (which may or may not have an established SLA with the corporation served by the home wireless carrier) before being tunneled to the original carrier's network. If there are insecure links in this network, especially unencrypted links in the backhaul section, this could present serious security problems. On the positive side, the compulsory approach better utilizes the air interface by avoiding over-the-air encapsulation overhead, which is especially advantageous for cellular wireless systems, and by simplifying the user equipment. When compulsory VPN is used, the end-user equipment does not have to support any VPN client, tunneling or security capability, which at times could be CPU-hungry and battery-life-consuming. Also, the user is not involved in VPN creation and only needs to request the service when accessing the service provider's network. Compulsory VPN presents a number of other significant advantages to service providers. Offering and marketing compulsory VPN as a feature can potentially enable new business models and carrier service offerings. With the voluntary approach, service providers do not get involved in provisioning and often are not even aware of the existence of encrypted and encapsulated traffic, unless they offer special access points to the Internet associated with publicly routable IP addresses or NAT traversal-compliant devices. In contrast, compulsory VPN access offerings can be marketed in different forms by carriers to a variety of private enterprises and ISPs interested in outsourcing their remote access function. This will bring new revenue streams, along with greater differentiation from competitors' service offerings. Another benefit of compulsory VPN for service providers lies in greater control over the user. In a compulsory model, the service provider is usually involved in user authentication and IP address assignment (though the latter might be a mixed blessing in some situations), which allows it to control user provisioning to a greater extent. IP addresses can be assigned to remote users from the customer network's private address space, thus saving the use of publicly routable IP addresses on the provider side.

Voluntary vs Compulsory MVPN
Table 1 describes the comparison between voluntary and compulsory MVPN.

Voluntary MVPN                                                          | Compulsory MVPN
------------------------------------------------------------------------|-------------------------------------------------
Works with public IP (limited resource)                                 | Works on private IP
Enterprise has full control over policies                               | Service provider has full control over policies
Air bandwidth overhead up to 30%                                        | Less overhead on air
QoS SLA not supported                                                   | QoS SLA supported
Handheld devices required to support IPSEC (CPU and power limitation)   | Network gateway required to support IPSEC
Does not support NAT                                                    | Supports NAT with NAT traversal functionality

Table 1: Comparison between Voluntary & Compulsory MVPN


CONCLUSION
Biometric identification architecture can utilize the existing cellular network to interconnect its major components for enrolment and verification purposes. 2.5G and 3G cellular networks offer mobile VPN technology to connect handheld bio-scanners with the central database repository in a secured tunnel, providing end-to-end security and integrity of data. The IPSEC architecture provides an end-to-end secured, authenticated and encrypted VPN tunnel framework, which can be used to carry highly sensitive biometric information. Voluntary MVPN provides an end-to-end IPSEC tunnel between the client (bio-scanners) and the server (central data repository), while compulsory MVPN provides an IPSEC tunnel between the gateway and the VPN server, with a GTP/GRE tunnel between the VPN client and the gateway. The decision on which MVPN implementation to select depends on how much authority the data repository owner's network (UIDAI) wants to delegate to the service provider, the capacity of the wireless service provider's existing network, and the QoS/SLA requirement.

REFERENCES
• Mobile VPNs for Next Generation GPRS and UMTS Networks, Lucent Technologies
• Mobile VPN for CDMA 3G Data Networking, Lucent Technologies
• Mobile VPN for GPRS Data Networking, Lucent Technologies
• Mobile IP VPN Connectivity and Security, Trologix
• BioAPI Best Practices, Implementation Notes and Security Appendix, The BioAPI Consortium
• BioAPI Specification Version 1.1, The BioAPI Consortium
• Mobile Biometric Identification, Motorola
• The Universal Biometric System, H. M. N. Dilum Bandara, S. M. Ravindra P. De Silva and P. W. H. Dasun Weerasinghe, Department of Computer Science and Engineering, University of Moratuwa, Sri Lanka
• The Evolution of Mobile VPN and its Implications for Security, NSN network
• IPsec-based end-to-end VPN deployment over UMTS, Christos Xenakis and Lazaros Merakos, Department of Informatics & Telecommunications, University of Athens, 15784 Athens, Greece
• Connect Devices in Patrol Vehicles, Digi networks
• Oracle Advanced Security Administrator's Guide, Release 8.1.7
• Mobile VPN—Delivering Advanced Services in Next Generation Wireless Systems, Alex Shneyderman and Alessio Casati (etutorials.org)

