Secure Data Communication

Nitish Biradar-0920388
a) The Metropolitan Police Service is one UK’s most largest police force and more
than 45,000 people including police officers, staffs and community support officers.
In the MPS to keep track of the phone and fax lists which comes up to for almost
45,000 employees is a major task. Including this, almost all of MPS people need
some type of access to their internal systems and their databases, however by it's
using email or logging on to reporting systems. And, a people of this work size is
regularly elaborating, as staff may leave or join, or move to new posts this means
that they need the access to different systems.

For the MPS Role Based Access Control plays very important part in security,
RBAC is a technique to confine system access to user who are authorised there are
three main simple rules

1. Role Assignment : A transaction can be executed by a class only if a class has

selected a role so all users who are active they are require to have something active
role.
2. Role Authorization: A class which is authorised should have a class active with the
role assignment users cake take roles for which they have authorised.

3. Transaction Authorization : A class will able to accomplish tansaction only when the
transaction is authorised from class’s role membership and the class rule which can be
applied to users, roles and permission with the above (1) and (2) this rule makes sure
that user will be able to accomplish the task or transaction to which they are being
authorised.[ http://csrc.nist.gov/groups/SNS/rbac]
 [Figure 1 reference Role based access control in advances in computer vol 46 bt sandhu and
ravi]

Mostly to the police officers and their staff work’s is related to the information which is
very sensitive and it’s important that only the authorised users have to access to it. The MPS
have to make sure that only a particular personnel can only can access the data they are
authorised to view and these permissions must be kept up to date. To manage all the data was
very costly, time consuming and also big administrative headache to the Metropolitan Police.
Because access to all its different sections internal security systems was controlled
autonomously by different sections departments, the MPS staff might regularly find
themselves to have to use dissimilar user names and passwords to access dissimilar aid on the
network. The MPS management has very big problem in handling this critical solution as
it might be very risky because each user was having four identity and the management might
not be knowing which user has which level of access to which information.

As explained by the Technical Security Manager Vince Freeman of the MPS,

"Before the start of the project, any single employee of MPS could most likely have a
minimum of four different electronic identities. From the user point of view this was not a
major issue but from the management point of view its a very critical issue. So definitely, we
need to make sure that only authorised and authenticated members of staff members should
be able to get access to the information and with four or more identities per user, so to keep
track which user had access to which sections information had become a big issue."[CASE
STUDY: Secure Data Communication ]

B) Biometrics refers to method for uniquely recognising human beings based upon physical
orbehavioural characteristics information technology, especially identity access management
and access control are form used by the biometrics. It is also used to recognise singleton in
batches that are directed under supervision. There are two types of biometric techniques
physiological which is related to shape and size of the body and behavioural which belongs to
the behaviour of the person. [http://en.wikipedia.org/wiki/Biometrics]

Biometrics play very important role in the MPS to strengthen user authentification,
without the biometric the security wont be that much good. Biometrics is considered as a
reliable solution for protecting a particulars identity and rights as it is recognised by unique
featuress. Biometrics techniques are used for mainly two authentication methods they are
Identification and verification. [Biometrics: A Further Echelon Of Security Siddhesh
Angle,Reema Bhagnani, Hemali Chheda]

Biometric has many advantages like it increases security to provide additional class of
security, minises the fraud by implementing very tough technologies like minimising fraud
for ID cards and by using physical attributes the problems of lost Id cards and forgotten
passwords eliminates and by reducing the administration costs and cost savings in such as
prevention of time and attendance, Also making possible to know automatically to know who
did what when and where. [http://www.questbiometrics.com]

Ideally,the biometric chosen by the MPS management should possess characteristics So

that it can limit the need for compromise by any means and enhancing security and
practicality. Significant areas of the practicality are speed , accuracy, cost, size, enrolment
convenience and user acceptance. According to me the finger vein technology and the hand
vascular pattern identification should be used for the verification of the police officers as
these are safer compared to other techniques.

Finger vein technology in MPS

 This technology being an internal biometric invisible it meets the anti-forgery requirement
especially except under special conditions. It should also ensures of presence of live blood
vessels. Because the finger vein patters are very clear and distinct so the accuracy
requirement is met. In patterns there is high degree of variation and the finger vein remains
almost same through adult age, it is insensitive to external factors such as dirt, sweat, injury
etc and this is possible.

when the police officers use latex gloves which is its specialised settings. The police
officer only need to put his finger on the scanner if its the authorised user and it matches its
veins then only it is authenticated it has very high accuracy when it is compared with its cost
as it it is very cost effective. From the security point of view fro the police officers it is the
ideal biometric technique.

When the police officer keeps his finger on the scanner an invisible infrared light works
through the finger and this light absorbs the haemoglobin of the blood in veins this unique
method capture the image by the sensor which is placed below the finger.[ Hitachi’s Finger
Vein Technology A White paper Ben Edgington May 2007 May 2007].

In this technique there are 4 steps of authentication process

1. Takes the finger vein image pattern from scanner

2. The image

3. Extracted image from the extracted pattern feature

4. Matching of pattern and the outcome

Below figure 2 show all the above 4 steps

.

Hand Vascular Pattern Identification

1. In the MPS this pattern is also very usefull as veins will same throughout life an
image of one’s vein pattern will produced by the infrared light on their face, wrist
and hand. This pattern is very difficult to duplicate as it is a computerised
comparison of shape n size of the substantial blood vessel in the back hand. As there
is no physical contact is required and the blood vein is required so it is very secure
and performing is excellent and no degradation of performance even with scars and
0.4sec/person is the speed of the verification of the system the FAR and FRR is
0.0001% and 0.1% respectively. This pattern is less used at this moment, it is majorly
can be found because it is being used less till now the MPS should use this technique
because of its uniqueness. Only used by some established companies. [Biometrics: A
Further Echelon Of Security Siddhesh Angle,Reema Bhagnani, Hemali Chheda]

C ) Multiple Digital identity is a digital technology which refers to aspects of digital

Technology that is relevant with the intervention peoples own experience with their own
Identity and to identify other peoples things or digital identity are the computerised
Electronic illustration of a person or any organisation important information and help
them to control the information which has been transferred.
[http://en.wikipedia.org/wiki/Digital_identity].

Biological identity is nothing but it is a techniques which includes all biometric

techniques such as iris scan, finger print, DNA, vein, retina voice etc. The biological identity
is very secure compared to the multiple digital identities.
Below table shows some of the difference between biological identity and multiple digital
identity.

Biological Identities Multiple digital identities

More Secure Less secure

Biological identity is slow Multiple identity is fast

Reliable Less reliable

Accuracy is high Accuracy is medium

Cost is high Low cost

User Acceptabilty is high User acceptability is low

Digital identity should always refer to two concepts nyms and partial identities. And every
person has its own identity given by variety of authorities. Examples: passport, ID cards
beyond the physical presentation.

In the MPS the level of security will be different for different department and the access
also. When the police member will be in the police crime unit he will be having information
or access to all the criminal records For the police member who is in crime unit the biological
identity will the perfect secure because its related to physical aspect so that no one can access
his documents kept in his chamber or anywhere whereas if he uses the digital identity like
keeping passwords or keeping some zig zag photos as password an intelligent person can
access it and in case if the police member in crime department forgots his password than its
quite difficult to retrieve whereas in biological identity their is no way to forget his password
as its biological it may be vein, retina, iris etc.
 Similarly for the normal police officer when he is not in crime department very high level
of security is needed digital identity will be enough as he wont be having very important
information. consider Swiping of ID cards might be enough for the normal police officers
who acts in particular context. When he will be crime department his security level will be
high because of his access to the crucial information which might be related to national level.
A crime department officer can work as crime officer and as well as normal police officer the
access level to information will be less.

D ) A client and server involves the secure transmission between sender and receiver using
the public and private keys to encrypt and decrypt the messages. Encryption is nothing but a
process of changing the text while sending so that the message should be not easy to read.

When sender and receiver want to use the public key encryption for transmission of
message both the parties will be having a shared key. when the sender sends a message to the
receiver with its shared key the receiver uses its copy of shared key to decrypt the message.
The private key encryption is not safer because anyone who has the copy of the shared key
can encrypt or decrypt it so both the sender and receiver will be watched as both can encrypt
or decrypt.

When the sender wants to share a secret message with the receiver using the public key
encryption, the sender ask the receiver for its public key,than later sender uses the public key
encryption. In this context only the reciever’s private key can decrypt the message,the sender
sends the message,receiver decrypts the message using its private key.This is reliable because
the receiver can give public key to anyone and and keep the private key as private for
decrypting messages.[ http://tldp.org/REF/INTRO/SecuringData-INTRO ]

For any security infrastructure the following has to be delivered to trusted transaction
between any client and server
1. Authentication

2. Confidentiality

3. Data integrity
 4. Non-repudiation

‘Trust’- but only in a tangible sense! [Digital_certs_MSc_2008 (Tim French )]

PKI is asymmetric encryption, PKI ascertains the use of public key cryptography ,Yes
PKI is unbreakable because In Public Key Infrastructure its very hard ,when the sender
sends a secret message to encryption after asking the receivers public key only the receiver
can decrypt it using its private key. Yes the police should trust the cryptographic techniques
such as RSA which is Impossible to break the code it may take several 100 years to break the
code till than the technology will be very advance and some new technologies could have
been launched. [http://tldp.org/REF/INTRO/SecuringData-INTRO 5 ]

A CA gives the digital certificates those contain a public key and the identification of the
owner. The private key which is not made publicly available, buthas been kept secret by
the reciever who produced the key pair. The public key contained in the certificate belongs to
a particular person or sewrver or mentioned in the certificate.The CA’s main work is to
verify the applicants authorisation so that the users and dpending parties should trust the
information of the CA certificates.The CA is responsible to say that the said person is
genuine. If the user trusts than it can verify the signature of CA and the user can verify that
the public key belongs to the person who is identified by the certificate.
[http://en.wikipedia.org/wiki/Certificate_authority ]

References

1. http://csrc.nist.gov/groups/SNS/rbac

2. Role based access control in advances in computers volume 46 by sandu and ravi.

3. CASE STUDY: Secure Data Communication

4. http://en.wikipedia.org/wiki/Biometrics
5. Biometrics: A Further Echelon Of Security Siddhesh Angle,Reema Bhagnani, Hemali
Chheda
6. http://www.questbiometrics.com

7. Hitachi’s Finger Vein Technology A White Paper Ben Edgington May 2007.

8. http://en.wikipedia.org/wiki/Digital_identity.

9. http://tldp.org/REF/INTRO/SecuringData-INTRO.

10. Digital_certs_MSc_2008 (Tim French )

11. http://en.wikipedia.org/wiki/Certificate_authority.

12. http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx. Microsoft, Inc.