Suramya's Blog : Welcome to my crazy life…

August 8, 2022

Using Behavioral Biometrics for User Authentication as added security measures – Advantages and Disadvantages

Filed under: Article Releases,Computer Security,My Thoughts — Suramya @ 11:59 PM

In this paper we explore how users can be uniquely identified using biometrics other than fingerprints, facial recognition, iris recognition etc on a continuous basis. We explore the use to techniques such as typing style, computer use style to see if we can create a model to uniquely identify a user based on the way they type and use the computer. As this method allows a system to constantly reauthenticate a user based on characteristics that are almost impossible to fake we look at the complexity of how this can be integrated as a security measure for secure systems. We also look at the pros and cons of implementing this authentication mechanism and explore potential problems this system generates for the user and administrators. Specifically, we look at how the system would deal with users who are sick, under medication or stress that could change their usage patterns and is it worth the expense and privacy issues to implement such a system.

Introduction and background

User authentication is the process of verifying the identify of a user or process trying to access a system, online service, connected device, infrastructure resources etc. Traditionally authentication is done by having the user provide one or more of the following:

  • Something they know
  • Something they have
  • Something they are

Let’s look at each of these one by one. The oldest way of authentication to computer systems is using usernames and passwords. The first password protection system was implemented in 1961 by Fernando J. Corbató at MIT (Workos, 2020). This allowed the system to identify users based on a secret password that only they knew. The first set of passwords were stored in plain text, but then password encryption was implemented so that users could not read the passwords for other users.

However, passwords can be leaked or guessed. In the past few years there have been major leaks of authentication data which have been decrypted and sophisticated password crackers have been created that can crack passwords based on dictionary attacks and brute force attacks. To safeguard against this attack vector another authentication mechanism was created that authenticates users based on something they have with them. This can include hardware keys, smartcards etc and these hardware devices would contain an embedded certificate that can be used to uniquely identify the holder.

The final method of authentication is something you are, which is provided by Biometric authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, face scans, and voice analysis. Fingerprints, Face Scans and iris scans are the most widely used biometric method in use today.

Multifactor Authentication
When a system uses a combination of one or more of the authentication methods described in the previous section the system is said to be using Multi-factor Authentication (MFA). The key point to remember is that a system is only considered to be using MFA if the authentication factors are in at least two of the categories. So if the authentication mechanism uses a password and a second pin to authenticate, it won’t count as MFA because both are things that you know.

Weaknesses in the current User Authentication methods

The current user authentication methods have several weaknesses that make it easy for attackers to compromise and bypass the checks. Complex passwords are harder to crack or guess than simple passwords, but they are harder for users to remember. So, users tend to use the same passwords across multiple sites or use passwords that are simple to remember. Unfortunately, passwords that are simple to remember are also easy to guess.
Another risk is that an attacker can compromise a site or server using vulnerabilities in the OS, services or applications running on it. Once they have access, they can gain access to the stored passwords for all users and depending on the encryption scheme used the passwords for user accounts can be guessed quickly. This is an attack vector that has been seen frequently over the past few years with password lists for major sites such as LinkedIn (Morris, 2021) and Yahoo (Goel & Perlroth, 2016) etc being compromised and leaked.

Hardware tokens or smart cards can be cloned, copied or stolen. If the card is not deactivated when it is lost or stolen an attacker can use it to gain access to restricted resources. Tools to create copies of smartcards are available easily in the market (Benchoff, 2016) using which an attacker can clone the cards quickly.

Biometrics was touted as an authentication mechanism that is almost impossible to bypass but unfortunately the hype didn’t match reality. Fingerprint authentication systems have been compromised using copies of fingerprints lifted from glasses, door knobs etc transferred to jello, Glycerin and gelatin. (Barral & Tria, 2009)

Facial recognition systems have been fooled by photographs and cosmetics. Researchers have also used the StyleGAN Generative Adversarial Network (GAN) to create master faces that can be used to impersonate 40% of the population. (Shmelkin et al., 2021)

Voice authentication systems have been bypassed using voice recordings and AI based ‘deep fake’ technologies. Amazon recently showcased technology that allows Alexa to impersonate the voices of people based on a few minutes long voice recording of the person being impersonated.

Similar bypasses have been found for all authentication mechanisms in use currently and thus researchers have been exploring new authentication mechanisms which would be harder to bypass and fool. One such field being explored in behavioral biometrics and we will explore the field, it’s implications, the pros and cons of the tech in this paper.

Introduction to Behavioral Biometrics

Behavioral biometrics is the study and use of uniquely identifying and measurable patterns in human activities that can include keystroke dynamics, gait analysis, mouse use characteristics, signature analysis etc. The field postulates that a user can be identified based on these characteristics just as uniquely as they can be using physical biometrics.

Another advantage of using Behavioral Biometrics over physical biometrics is that it doesn’t require specialized equipment to collect the data. Data can be collected using existing hardware and only requires software analysis and processing which makes it cheaper to implement to a certain extent and we will look at this in more detail later in the paper.

Behavioral Biometrics can include the following:

Keystroke Dynamics:

According to the studies, if a group of users is asked to type the paragraph of text, each of them will type the text slightly differently with different delays between each character being typed, and different rhythms for the text. This allows a system to identify the user based on how they type including criteria such as:

  • The user’s typing speed
  • Time elapsed between each consecutive keystroke
  • The time that each key is held down
  • The frequency with which the number pad keys are used
  • The timing and sequence of the keys used to type a capital letter
  • The Error Rate in typing, such as using the Backspace keys and words repeatedly mistyped by the user.

As each person would type the password slightly differently the system can use it to identify the authorized user and block attackers who might have gained the password for a given user.

Cursor Movement:

This uses the tracking speed, clicks and path taken by the mouse cursor movement during use to create a profile for the active user. This would be useful if the user uses the same set of applications frequently, if they are using a varied set of applications that keep changing then this would not be accurate.

Finger pressure on keypad:

This analyses the pressure on the keyboard to create a user profile. This is a lot more relevant for mobile devices and other devices with a touchscreen interface as the allow us to capture pressure details easily without extra hardware.

Posture:
Every person has a different way of standing and a sufficiently trained system can look for differences in how the person sits in front of the computer and their posture while using the system.

Gait:

Gait analysis attempts to identify a person based on their walking style, which includes movements such as stride length, posture, and speed of travel etc.

Each of the methods we listed above can potentially be used to continuously re-validate a logged in user.

Historical use of Behavioral Biometrics for authentication

Historically, behavioral biometrics have been in use since the 1860s when experienced telegraph operators were able to identify individual operators by the way they would send the signals. In World war II allied officers used it to validate the authenticity of messages they received based on how they were sent. (Das, 2020) Similarly, other organizations used this ability as well as an extra validation layer when communicating instructions over telegraph.

The Military has also used gait recognition to identify imposters in their base who are trying to impersonate authorized personnel to gain access to sensitive information.

Current state & the Future for Behavioral Biometrics

The behavioral biometrics market revenue totaled ~US$ 1.1 Bn in 2020, according to Future Market Insights (FMI). The overall market is expected to reach ~US$ 11.2 Bn by 2031, growing at a CAGR of 23.6% for 2021 – 31. (Future Market Insights, 2021)

As we can see, an increasing number of institutes, financial companies, website owners are using behavioral biometrics in their systems to detect fraudulent usage. The Royal Bank of Scotland uses it to monitor visitors to their websites and apps, others use it in their applications to monitor and authenticate users as an extra verification layer. (PYMNTS.com, 2018)

With the increase in processing capacity, sensor sensitivity and processing algorithms systems can make more accurate identifications of individual users. This allows systems to detect bots, password sharing/compromise.

Ecommerce sites have increasingly started incorporating this technology into their setup to prevent fraud. It can also potentially allow systems to make an educated judgment about the visitor’s gender and age to show appropriate products.

Considering the advantages and minimal hardware investment we will only see an increase in the use of Behavioral Biometrics for authentication in the future.

Advantages of using Behavioral Biometrics for authentication

Behavioral Biometrics have the following advantages that make them attractive for companies and institutes to implement:

  • Flexibility: The data being analyzed is not limited to currently identified sets that we have discussed so far. Since most of the processing being done is on the software side the organization can easily add additional behavioral data to be analyzed and processed.
  • Convenience: This a major plus point for the technology is that it is a passive layer of security. This allows it to work without interfering with the user workflows. This removes a major obstacle in incorporating security into the system as the traditional security setups decrease the usability of the system.
  • Efficiency: They can be applied in real-time to detect fraudulent use and the system can be run against historic data as well to detect improper use after fact.
  • Security: Behavioral characteristics are hard to replicate and thus incorporating this additional layer of security improves the security of the system.

Disadvantages of using Behavioral Biometrics for authentication

As with all systems there are some disadvantages of using a Behavioral Biometric system for authentication as well. If we are using the Keystroke analysis then the text being entered has to be long enough for the system to generate a profile and match it so if we are only using it as an additional validation step during password entry and the user’s password is too short, then the system might not be able to create and match a profile.

Another problem is that a user’s behavior can change drastically due to various valid reasons and that can cause access issues when the algorithm is unable to account for the changes. Some of the reasons can include:

  • Illness or Injury: If a person is injured or unwell then their usage patternswill change
  • Stress
  • Pregnancy
  • Sleep deficiency
  • Caffeine deficiency or overindulgence
  • Tiredness: If a user logs back in after a session in the gym their usage patterns are going to differ from the pattern before their gym session
  • Time of day: Some people are more active during certain times of day so their usage patterns will vary based on the time of the day.
  • Distractions: If the user is distracted while working , or example, if they are on a call and working at the same time. Their behavior patterns will be different.
  • Location: If the person logs in from a different location and are working with a different setup their metrics are going to be different. For example the profile when using an egronomic keyboard in office vs using a laptop keyboard while working remotely will be drasticly different and the system will have a hard time creating a consolidated profile for such users.

Another major issue with this technology is the Privacy implications. If we are implementing a system that monitors every keystroke and mouse movement and logs it for analysis then that has a serious privacy implication as sensitive data that shouldn’t be logged such as medical information, personal account passwords, other sensitive information etc can get logged as well. Once the data is logged there is a possibility of data leaks or a breach of the security system which would expose the collected information to an attacker.

Depending on the user’s location collection of this kind of data can be illegal due to rules such as the GDPR (Krausová, 2018), the California Consumer Privacy Act (CCPA) and other such rules. They will also limit the information that can be transmitted across state & country boundaries which can be a concern for multinational companies.

Finally incorporating the processing required for behavior analysis on the local system can be resource intensive which might make the setup infeasible for older machines. If the processing of the data is consolidated at a central location then the usage data would need to be transmitted to the location over the network that can potentially max out the bandwidth and depending on network congestion cause unacceptable delays in the processing and access.

Results and Recommendations

Based on our review of the current state of Behavioral Biometrics in the industry and the technological state of the system/algorithms we find that the technology does help increase the security of the system by adding an additional layer of security to the system. However, it is not yet mature enough to deploy for general commercial implementation and should only be used for securing highly sensitive systems and infrastructure where the security considerations outweigh the limitations identified earlier in the paper.
Once the technology is more mature and the issues identified earlier have been mitigated it can slowly be incorporated in the general computing world as an optional additional layer of security. At no point should this be used as the only layer of security for any system.

Conclusion

Behavioral Biometrics as a security measure is a technology still in its early stages of use and implementation and while it does add an additional layer of security the current limitations do not justify a general release and implementation in general use computing. The system should only be implemented in systems such as classified military systems, critical corporate servers containing highly sensitive information etc where the benefits or security concerns outweigh the disadvantages of using a technology that still needs to mature more.

References

Alzubaidi, A., & Kalita, J. (2016). Authentication of smartphone users using behavioral biometrics. IEEE Communications Surveys & Tutorials, 18(3), 1998–2026. https://doi.org/10.1109/comst.2016.2537748

Araujo, L. C. F., Sucupira, L. H. R., Lizarraga, M. G., Ling, L. L., & Yabu-Uti, J. B. T. (2005). User authentication through typing biometrics features. IEEE Transactions on Signal Processing, 53(2), 851–855. https://doi.org/10.1109/tsp.2004.839903

Banerjee, S. P., & Woodard, D. (2012). Biometric authentication and identification using Keystroke Dynamics: A survey. Journal of Pattern Recognition Research, 7(1), 116–139. https://doi.org/10.13176/11.427

Barral, C., & Tria, A. (2009). Fake fingers in fingerprint recognition: Glycerin supersedes gelatin. Formal to Practical Security, 57–69. https://doi.org/10.1007/978-3-642-02002-5_4

Benchoff, B. (2016, January 18). Emulating and cloning smart cards. Hackaday. Retrieved June 27, 2022, from https://hackaday.com/2016/01/18/emulating-and-cloning-smart-cards/

Bo, C., Zhang, L., Li, X.-Y., Huang, Q., & Wang, Y. (2013). Silentsense. Proceedings of the 19th Annual International Conference on Mobile Computing & Networking – MobiCom ’13. https://doi.org/10.1145/2500423.2504572

Das, R. (2020, October 14). A behavioral biometric – keystroke recognition. A Behavioral Biometric – Keystroke Recognition. https://resources.infosecinstitute.com/topic/a-behavioral-biometric-keystroke-recognition/
Future Market Insights. (2021, October). Behavioral biometrics market. Future Market Insights. https://www.futuremarketinsights.com/reports/behavioral-biometrics-market

Goel, V., & Perlroth, N. (2016, December 14). Yahoo says 1 billion user accounts were hacked. The New York Times. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

Krausová, A. (2018). Online behavior recognition: Can we consider it biometric data under GDPR? Masaryk University Journal of Law and Technology, 12(2), 161–178. https://doi.org/10.5817/mujlt2018-2-3

Morris, C. (2021, June 30). LinkedIn data theft exposes personal information of 700 million people. Fortune. https://fortune.com/2021/06/30/linkedin-data-theft-700-million-users-personal-information-cybersecurity/

PYMNTS.com. (2018, August 15). What’s behind the rise of behavioral biometrics? PYMNTS.com. Retrieved June 27, 2022, from https://www.pymnts.com/fraud-prevention/2018/behavioral-biometrics-uk-banks-authentication-security-privacy/

Shmelkin, R., Friedlander, T., & Wolf, L. (2021). Generating master faces for dictionary attacks with a network-assisted Latent Space evolution. 2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021). https://doi.org/10.1109/fg52635.2021.9666968

Workos. (2020, September 5). A developer’s history of authentication – WorkOS. A Developer’s History of Authentication. https://workos.com/blog/a-developers-history-of-authentication


Note: This was originally written as a paper for one of my classes at EC-Council University in Q2 2022.

– Suramya

August 7, 2022

Winamp is back in action (!) after 9 years of no releases

Filed under: Computer Software,My Thoughts — Suramya @ 11:59 PM

Anyone who was using computers in the late 90’s and 2000’s knows that the best MP3 player of all time was Winamp, it really whips the llama’s ass. First released back in 1997, it spread like wildfire. I used it as my primary music player till I switched to Linux and even then I used a player that was skinned to look and work like Winamp.

Development for the player was paused back in 2013 and then resumed in 2018. It took 4 years of hard work and the Winamp 5.9 Release Candidate 1 is now available for download. Most of the changes in this version as in the backend as the code was migrated from Visual Studio 2008 to Visual Studio 2019. This modernizes the whole setup and the next release will focus on new features.

The only downside of this is that it is not available for Linux so I still have to use some other software rather than the original. I wonder if it would work over Wine/Crossover? If so then that would be awesome. Let me go try that out and see if that works (I will update this post if it actually works).

Well this is all for now. Will post more later.

Update (8/8/2022): It Works on Linux! I downloaded and installed the latest RC on Linux using Crossover and it works flawlessly. (Although the preset names are in Chinese for some reason)

– Suramya

August 6, 2022

Post Quantum Encryption: Another candidate algorithm (SIKE) bites the dust

Filed under: Computer Security,Computer Software,Quantum Computing — Suramya @ 8:23 PM

Quantum Computing has the potential to make the current encryption algorithms obsolete once it gets around to actually being implemented on a large scale. But the Cryptographic experts in charge of such things have been working on Post Quantum Cryptography/Post Quantum Encryption (PQE) over the past few years to offset this risk. SIKE was one of KEM algorithms that advanced to the fourth round earlier this year and it was considered as an attractive candidate for standardization because of its small key and ciphertext sizes.

Unfortunately while that is true researchers have found that the algorithm is badly broken. Researchers from the Computer Security and Industrial Cryptography group at KU Leuven published a paper over the weekend “An Efficient Key Recovery Attack on SIDH” (Preliminary Version) that describes a technique which allows an attacker to recover the encryption keys protecting the SIKE Protected transactions in under an hours time using a single traditional PC. Since the whole idea behind PQE was to identify algorithms that are stronger than the traditional ones this immediately disqualifies SIKE from further consideration.

Abstract. We present an efficient key recovery attack on the Supersingular Isogeny Diffie–Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core.

The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known. The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc.

This is not a bad thing as the whole testing and validation process is supposed to weed out weak algorithms and it is better to have them identified and removed now than after their release as then it becomes almost impossible to phase out systems that use the broken/compromised encryption algorithms.

Source: Schneier on Security: SIKE Broken

– Suramya

August 5, 2022

Happy to report that I have successfully cleared the Certified Network Defender exam

Filed under: My Life — Suramya @ 4:42 PM

I am really happy to report that I have cleared my Certified Network Defender exam. This is the second Cyber Security certification that I have done (I have 3 more pending) as they were included in my Cyber Security degree. It was a lot more interesting and had less stuff to memorize than the CSA exam but required a lot more study.


Certification Number Certification Name Issue Date Expiry Date
ECC1609574283 Certified Network Defender July 28, 2022 July 27, 2025

I will be completing the rest of the certifications shortly. Well this is all for now, will write more later.

– Suramya

– Suramya

August 4, 2022

Microsoft needs to fix their Windows registration/Activation system as it doesn’t work

Filed under: My Thoughts,Tech Related — Suramya @ 11:59 PM

A lot of people claim that Windows is easier to use than Linux and I think that is because they never had to install windows on their system as it is almost always preinstalled. Based on my experience it feels like Microsoft is almost trying to make sure that people pirate their software because their systems suck, especially their license activation process. Over the past few months I have spent almost 48+ hours trying to get my installation of Windows to accept my Windows Pro license key that is part of my MS account and yesterday I spent 6.3 hours on call with their support with absolutely nothing to show for it.

Some background, I purchased a license for Windows 10 Pro back in 2020 so that I have a fully functional windows system that I can use for my Testing and research. This was the second license key that I purchased for Windows 10 because the previous one I had that I got from Amazon was locked to my old computer and as per the support there was no way to migrate to a new system as it was not purchased from MS directly (Which is very strange and doesn’t make sense at all). So, they told me that I needed to get the license from their online store so that it would be associated with my MS account and that way it could be moved to a new computer without issues. (Yeah right!)

I got the license, used it on my old system for a bit and then switched to a new laptop. I unregistered the key from the old laptop and tried registering it on the new laptop. It absolutely refused to work. Even though it was connected to my MS Account and the license was being validated using the digital license it was still working as a Windows Home Single user.

Spoke to the support and while they were super nice they couldn’t solve the issue. We tried reinstalling, upgrading, other license keys but nothing worked. Got escalated to senior folks but same issue. I had just about given up and was actually considering just downloading a pirated copy as that would be easier to install when I thought I should give it one last try. So I reinstalled Windows again and then didn’t connect it to my online account, instead I tried changing the product key using the key given to me by the support team to upgrade and that finally worked. My copy of Windows finally was upgraded to Windows Pro. After that the system upgraded to the latest version that took forever and a ton of reboots.

The same issue is there in their other software, MS Teams refuses to open when you click on a meeting link in Firefox on your mobile, but when I copy the same like to Chrome it works. Why do I have to use Chrome when all it is doing is launching a native application when I click on the link. Other applications like Zoom, GotoMeeting etc manage to do this without issues, but MS with their super smart team of people have hard coded it to work only with Chrome/Edge. LinkedIn is another major mess and I will post about it in a different post as that is a long story as well.

You need to make it easy for users to install/register licensed software else if using pirated software is easier/faster then people will just use that. I mostly use open source products along with a few Linux licensed software but they are so much easier to use/register.

In any case I now have a licensed version of Windows Pro running after wasting days of my life trying to get it to work. Ask any end use to do registration and then they will feel differently about how easy Windows is to use.

Well this is all for now. Will post more later.

– Suramya

Powered by WordPress