Handbook of Information Security Management: Physical Security


TOKENS

As human security forces shrink, there is more need to ensure that only authorized personnel can get into the computer room. A token is an object the user carries to authenticate his or her identity. These devices can be token cards, card readers, or biometric devices. They have the same purpose: to validate the user to the system. The most prevalent form is the card, an electric device that normally contains encoded information about the individual who is authorized to carry it. Tokens are typically used with another type of authentication. Many cipher locks have been replaced with token card access systems.

Challenge-Response Tokens

Challenge-response tokens (such as Security Dynamics’ SecurID) supply passcodes that are generated using a challenge from the process requesting authentication. Users enter their assigned user IDs and passwords plus a password supplied by the token card. This process requires that the user supply something they possess (the token) and something that they know (the challenge/response process). This process makes passcode sniffing and brute-force attacks futile.

Challenge-response is an asynchronous process. An alternative to challenge-response is the synchronous token that generates the password without the input of a challenge from the system. It is synchronized with the authenticating computer when the user and token combination is registered on the system.
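The two token styles described above, as an added example that is not from the handbook and is not the algorithm of SecurID or any other product. It assumes a truncated HMAC-SHA-256 over a secret shared at registration, a 6-digit passcode, and a 60-second time step for the synchronous token; all function names are illustrative.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6          # passcode length shown on the token (assumed)
TIME_STEP = 60      # seconds per synchronous passcode (assumed)

def _passcode(secret: bytes, message: bytes) -> str:
    """HMAC the message with the token secret and truncate to DIGITS decimal digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation in the style of RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def new_challenge() -> bytes:
    """Server side: a fresh random challenge for each login attempt."""
    return secrets.token_bytes(16)

def token_response(secret: bytes, challenge: bytes) -> str:
    """Token side (asynchronous): passcode derived from the server's challenge."""
    return _passcode(secret, b"challenge:" + challenge)

def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute with its copy of the secret, compare in constant time."""
    return hmac.compare_digest(token_response(secret, challenge), response)

def synchronous_passcode(secret: bytes, unix_time: int) -> str:
    """Token side (synchronous): passcode derived from the shared clock, no challenge."""
    return _passcode(secret, b"time:" + struct.pack(">Q", unix_time // TIME_STEP))

def verify_synchronous(secret: bytes, unix_time: int, passcode: str, drift: int = 1) -> bool:
    """Server side: accept the current time step plus or minus `drift` steps of clock skew."""
    return any(
        hmac.compare_digest(synchronous_passcode(secret, unix_time + d * TIME_STEP), passcode)
        for d in range(-drift, drift + 1)
    )

def demo() -> dict:
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample secret
    first, second = new_challenge(), new_challenge()
    sniffed = token_response(secret, first)       # what an eavesdropper would capture
    code = synchronous_passcode(secret, 1_700_000_000)
    return {
        "fresh_ok": verify_response(secret, first, sniffed),     # answers its own challenge
        "replay_ok": verify_response(secret, second, sniffed),   # replayed against a new one
        "sync_ok": verify_synchronous(secret, 1_700_000_030, code),
        "sync_stale_ok": verify_synchronous(secret, 1_700_000_000 + 10 * TIME_STEP, code),
    }
```

A captured response verifies only against the challenge it answered, and a synchronous passcode stops verifying once the clock moves past the accepted drift window.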

Dumb Cards

For many years, photo identification badges have sufficed as a credential for most people. With drivers’ licenses, passports, and employee ID badges, the picture — along with the individual’s statistics — supplies enough information for the authentication process to be completed. Most people flash the badge to the security guard or give a license to a bank teller. Someone visually matches the ID holder’s face to the information on the card.

Smart Cards

The automatic teller machine (ATM) card is an improvement on the “dumb card”; these “smart” cards require the user to enter a personal ID number (PIN) along with the card to gain access. The ATM compares the information encoded on the magnetic stripe with the information entered at the machine.

The smart card contains microchips that consist of a processor, memory used to store programs and data, and some kind of user interface. Sensitive information is kept in a secret read-only area in its memory, which is encoded during manufacturing and is inaccessible to the card’s owner. Typically, these cards use some form of cryptography that protects the information. Not all smart cards work with card readers. A user inserts the card into the reader, the system displays a message, and if there is a match, then the user is granted access.

Types of Access Cards

Access cards employ different types of technology to ensure authenticity:

  Photo ID cards contain a photograph of the user’s face and are checked visually.
  Optical-coded cards contain tiny, photographically etched or laser-burned dots representing binary zeros and ones that contain the individual’s encoded ID number. The card’s protective lamination cannot be removed without destroying the data and invalidating the card.
  Electric circuit cards contain a printed circuit pattern. When inserted into a reader, the card closes certain electrical circuits.
  Magnetic cards, the most common form of access control card, contain magnetic particles that contain, in encoded form, the user’s permanent ID number. Data can be encoded on the card, but the tape itself cannot be altered or copied.
  Metallic stripe cards contain rows of copper strips. The presence or absence of strips determines the code.

BIOMETRIC DEVICES

Every person has unique physiological, behavioral, and morphological characteristics that can be examined and quantified. Biometrics is the use of these characteristics to provide positive personal identification. Fingerprints and signatures have been used for years to prove an individual’s identity, but individuals can be identified in many other ways. Computerized biometrics identification systems examine a particular trait and use that information to decide whether the user may enter a building, unlock a computer, or access system information.

Biometric devices use some type of data input device, such as a video camera, retinal scanner, or microphone, to collect information that is unique to the individual. A digitized representation of a user’s biometric characteristic (fingerprint, voice, etc.) is used in the authentication process. This type of authentication is virtually spoof-proof and is never misplaced. The data are relatively static but not necessarily secret. The advantage of this authentication process is that it provides the correct data to the input devices.

Fingerprint Scan

The individual places a finger in or on a reader that scans the finger, digitizes the fingerprint, and compares it against a stored fingerprint image on file. This method can be used to verify the identity of individuals or compare information against a database covering many individuals for recognition. Performance:

  False rejection rate = 9.4%
  False acceptance rate = 0
  Average processing time = 7 seconds

Retinal Scan

This device requires that the user look into an eyepiece that laser-scans the pattern of the blood vessels. The patterns are compared to provide positive identification. It costs about $2,650. Performance:

  False rejection rate = 1.5%
  False acceptance rate = 1.5%
  Average processing time = 7 seconds


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest versions cover; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.