
UNIVERSITY OF BEDFORDSHIRE

2009 MSc STUDENT REPORT


Identity Management Solution needed for the Metropolitan Police Service
By
John Caiafas

ABSTRACT

This report is based on the implementation of various methods to improve identification management
and security measures for the Metropolitan Police Service (MPS). Based on the case study, the
methods implemented are Identification Management, Biometric Authentication and Secure Data
Transmission. These methods are elaborated in the report.

Content Page

Introduction
- Overview

1. Identification Management
- Access Control
I. Access Management
II. Directory Service
- Authentication and Verification

2. Biometric System
- System Structure
- Retinal Patterns
- Finger Printing

3. Biological and Digital Identity

4. Security through Encryption
- Encryption
- Public Key Infrastructure (PKI)
- Trust Mechanism
- RSA Encryption

Reference


Introduction

Secure identification is essential in the information technology world, especially in large
enterprises such as banks and in workstations, particularly police stations. As stated in the abstract, this
report focuses on finding more secure solutions to improve the identification management of the
Metropolitan Police Service (MPS), and on giving reasons why secure transmission is beneficial.

Identity management is a critical component in an IT infrastructure, particularly as more applications
and systems are being leveraged across extranets [1]. Identity management can become very complex
with an increasing rate of employment, which can affect the financial budget. This is one of the major
problems faced by the MPS.

Overview

In reference to the case study, the MPS's greatest challenge is developing an identity infrastructure that
centralizes security with a repeatable, scalable and sustainable process that makes the work less
cumbersome and ensures everything is done in compliance with the service.

One of the many problems the MPS are facing is updating the employee database, which identifies
who is who, who has gone, new employees, who has changed departments and a lot more. All this is
due to the incoherent deployment of identification management. Another problem is the provision of
multiple identities, which incurs costs.

The Level of Access and Data Management is one of the requirements the MPS are looking to
achieve, making sure only certain employees with a higher level of identification can access highly
secured information.


1. Identification Management

Identity demands will continue to grow as recruitment increases and more job roles are changed,
added to existing ones or redeployed. Therefore, the use of multiple identities, as explained in the case
study, will be very chaotic in this situation.

The MPS carry out a dedicated solution to create a single identity repository to help reduce cost and
time. Studies have shown that it costs approximately $70 to reset a single identity [5].
Therefore, the cost of maintaining multiple identities for more than 30,000 officers is absurd, and
resets will take more time. Because of this, officers will be unable to work efficiently, which can also
lead to the sharing of identities in order to get work done, and therefore to an unsecure
workstation.

Access Control

Access Control is the use of hardware-based and software-based controls to protect company
resources. For the MPS, these will help provide a secure system to work with, making sure that
privileges are applied to the system to avoid unwanted authorisation. There are two key components
that can be used to manage identities, as follows:

I. Access Management, which focuses on controlling and streamlining access to key applications
and data, single sign-on capabilities which include secure web services, and entitlement
enforcement [1]. This enables the MPS to expand and have better access management while
maintaining a high level of security. It also gives them the ability to produce a less cumbersome
identification process across multiple domains.

II. Directory Service, which provides secure and reliable access to the identification process. The identity
architecture depends on directory services [1]. It can provide the MPS with multiple repositories
for identity data, which makes it easy and secure to access information.


Authentication and Verification

A system provides security to avoid unauthorised access by deciding whether a user is legitimate.
This process of security is known as identification and authentication [2]. This process also helps to
keep track of user activities in the system to avoid misuse.

By definition, Identification is the process by which a user lets the system know who he/she is,
whereas Authentication is the process by which the user proves that he/she is the actual user. Without
authentication, user identification has no credibility. Although the MPS provided a credible user
identification method by implementing a password-based user authentication process,
research has found that “there is no assurance that proper authorizations can be made” [3]. The
password system must assure the capability to uniquely identify each individual user in order to
handle classified or other sensitive information, which is one of the required solutions for the MPS.
Password security can be vulnerable in situations where the password is no longer a secret, is told to
another person, or is stored somewhere it can be found [3][4]. Research has found that there are
guidelines for minimizing the vulnerability of passwords [2][3][4]. These guidelines are:

a) Passwords should be machine generated rather than user created.
b) User passwords must be changed periodically.
c) Multifactor Authentication should be used.

It would be advisable for the MPS to implement these guidelines in their system for enhanced security,
but due to cost it is not logical, particularly the periodic change of passwords. This would
require the IT officer to reset user passwords before generating new ones, in addition to resetting
forgotten passwords, and research has indicated that 20% - 50% of users request for their
passwords to be reset [5]. Therefore, it will not be cost effective to periodically change passwords. The
use of Multifactor Authentication is reliable but may not be affordable, as it includes the use of
'what you know', which is a user's password; 'what you have', which is physical identification such as
an identity card; and 'what you are', which is physiological or behavioural traits [2].


2. Biometric System

Biometrics is the use of automated methods of recognizing an individual based on one or more
intrinsic physical or behavioural characteristics [2][6]. It is a unique morphological characteristic that
provides positive personal identification. Common examples are fingerprint, face geometry, iris, hand
geometry, voice and dynamic signature recognition.

If the MPS are to use a biometric method to strengthen their user authentication, there will be an
improvement at the workstation. This is because this type of authentication is 'something you are' and
therefore it can neither be lost nor forgotten like passwords. Therefore, there wouldn't be a need to
reset, which may lead to a cost effective way of identity management. It will provide an enhanced
level of security and work will be done efficiently. It will also be convenient for both the users and IT
administrators.

System Structure

Deciding how the users of the biometric system will be authenticated is very important. If biometric
techniques are to be used by the MPS, they should be the ones with the most effective security. The list
below ranks biometric techniques from the most secure to the least secure [2].

Physiological

- Retina Pattern
- Finger-print
- Hand-print

Behavioural

- Voice pattern
- Keystroke pattern
- Signature

From the list, it is easy to decide what method should be used at the workstation, knowing that an
infrastructure such as the Metropolitan Police holds highly sensitive information. Another idea to
consider is the use of Multimodal Biometric systems. A single biometric feature sometimes fails to be
exact enough for authentication. Therefore, by combining multiple modalities, performance will be
enhanced and reliable [7].


There are articles that support the use of biometric systems, reporting a system upgrade at the
Toronto Police Service (TPS) by Motorola Inc. and at the Ultica Police Department (UPD) by Comnetix
Inc. in 2004. Both police services agreed that the upgrade has made a huge impact in the station,
enables fast and accurate identification, and saves agents time and resources [7].

From the articles, it can be suggested that the MPS should implement biometric technology into
their system and, from the hierarchy, the most secure multimodal biometric techniques should be
employed, which are the Retinal Pattern and Finger Printing.

Retinal Patterns

A retinal scan uses low-intensity infrared light to uniquely analyse the pattern of blood vessels
in the retina, the nerve tissue that lines the back of the eye. It can read the pattern with great
accuracy and, because it is the least violable technique and offers one of the lowest false-reject-rates
(FRR), it is mostly used for high security access control [9].

Finger Printing

A finger-print is made of a series of unique ridges and furrows on the surface of the finger, which is
converted into digital codes or numerical data. The system matches an individual's print against an existing
database for authentication purposes. It is the most widely used biometric technique for access
control but has an average false-reject-rate (FRR) and false-match-rate (FMR), because
there is a probability that the system might reject authorised users or make a mismatch [9][10]. Despite
its incoherent performance, finger printing is reliable and convenient. Studies have also shown that
finger-print identification is the least intrusive biometric technique [10]. The disadvantage of this
technique is that, once there is slight damage to the cuticles, the system will be unable to provide
accurate user authentication.
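
The FRR/FMR trade-off and the multimodal idea discussed above can be made concrete with a short calculation. The following is an added example, not part of the original report: the similarity scores are constructed, and the weighted-sum fusion rule is an assumption, since the report does not name a fusion method.

```python
# Constructed similarity scores in [0, 1]; index i is the same attempt in both modalities.
FINGER_GENUINE  = [0.91, 0.85, 0.42, 0.88, 0.79, 0.55, 0.93, 0.81]  # 0.42, 0.55: damaged finger
FINGER_IMPOSTOR = [0.12, 0.30, 0.58, 0.22, 0.47, 0.09, 0.35, 0.61]
RETINA_GENUINE  = [0.95, 0.90, 0.89, 0.92, 0.94, 0.91, 0.96, 0.88]
RETINA_IMPOSTOR = [0.05, 0.10, 0.08, 0.15, 0.11, 0.04, 0.09, 0.12]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FMR) for a matcher that accepts when score >= threshold."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    frr = sum(s < threshold for s in genuine) / len(genuine)     # authorised users rejected
    fmr = sum(s >= threshold for s in impostor) / len(impostor)  # impostors accepted
    return frr, fmr


def tradeoff(genuine, impostor, thresholds):
    """FRR/FMR at each threshold: raising it lowers FMR but raises FRR."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def fuse(scores_a, scores_b, weight_a=0.5):
    """Weighted-sum score-level fusion of two modalities for the same attempts."""
    if len(scores_a) != len(scores_b):
        raise ValueError("score lists must cover the same attempts")
    return [weight_a * a + (1 - weight_a) * b for a, b in zip(scores_a, scores_b)]


def compare(threshold=0.6):
    """Error rates for fingerprint alone and for fingerprint + retina fusion."""
    single = error_rates(FINGER_GENUINE, FINGER_IMPOSTOR, threshold)
    fused = error_rates(fuse(FINGER_GENUINE, RETINA_GENUINE),
                        fuse(FINGER_IMPOSTOR, RETINA_IMPOSTOR), threshold)
    return {"fingerprint": single, "fused": fused}


if __name__ == "__main__":
    rates = tradeoff(FINGER_GENUINE, FINGER_IMPOSTOR, [0.4, 0.6, 0.8])
    for t, (frr, fmr) in rates.items():
        print(f"fingerprint threshold={t}: FRR={frr:.3f} FMR={fmr:.3f}")
    print(compare())
```

On this constructed data no single fingerprint threshold removes both error types, because the genuine and impostor score ranges overlap, while the fused score separates them.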

In reference to research studies, it can be said that the MPS will benefit from biometric techniques, and
a multifactor technique in particular will provide higher security. The preferred techniques will be
finger-printing and password identification, because finger printing is one of the most cost effective
biometric methods and it is fast and convenient. Combining it with password protection will ensure the
system has strong security.


3. Biological vs. Digital Identity

Biological identity contains data that uniquely describes an entity by means of biometric techniques,
whereas Digital identification is about recognising individuals based on either 'what you have' or
'what you know' [11].

Either of these means of authentication can be used by a member of the Police Computer Crime
Unit (CCU) who also engages in normal police work. With such skills, the officer will need a more
secure identification, because of the highly sensitive cases.

Computer Crimes are a sort of Hi-Tech crime, committed by means of the internet,
and involve hackers, Internet fraud, drug trafficking etc. [12]. Using digital identity in this scenario,
the officer will be able to use multiple identities, which will be necessary because of the vast increase
in the number of offenders committing such crimes. In comparison, biological identity ensures the
utmost security. It requires less effort and gives assurance of secure access, which in this case will
be very important because of the skilled offenders that may be able to hack user passwords or forge
any digital identification. However, when the CCU officer gets involved with normal police duties,
the use of biological identity may not be necessary, because the officer may be dealing with a less
threatening security case. But with the use of multiple digital identities, the officer may need access to
different security levels of information either via network or departments.

A CCU officer requires different levels of security access because of the job requisite. A multiple
identity can be used for both the normal police work and for computer crimes. However, to
distinguish both workloads the officer will need the biological identification to gain access to the
computer crime laboratories.


4. Security through Encryption

Security is the business of anyone who owns a computer or manages computer systems and networks.
Networked systems are typically filled with information that intruders aim to access and exploit [13].
With the right knowledge, security can be deployed either cryptographically or through a form of
high security bridges.

Network security is more like a game of cat and mouse with someone keeping information hidden by
means of encryption and someone else seeking to uncover it by means of decryption [13].

It is already known that information transmitted over a network is vulnerable; it is like
sharing the same telephone line. That is why it is important to send encrypted messages when they contain
highly sensitive information.

Encryption

Encryption refers to the use of secret code to disguise data that is stored on a computer or transported
across a network. It makes data non-intelligible to the non-intended recipient [13]. There are different
techniques used for encryption, but the techniques used by the MPS are the Public Key Infrastructure
(PKI) method and the RSA Encryption method, which use the principles of cryptography.

Public-Key Infrastructure (PKI)

There has been a corresponding growth in the transmission of confidential information over networks.
That is why the MPS are using Public-Key Infrastructure based client/server authentication to provide
Confidentiality, Integrity and Authenticity (CIA) in a 'trust' environment.

PKI is a framework for creating a secure method for exchanging information based on public key
cryptography [14]. The exchanged information and management of public keys normally occur through
the use of Certification Authorities (CA) [16].

It is known that there is no 100% security when it comes to computers and networks, but studies have
shown that PKI is widely used and recognised in large organisations as the only practical mechanism
capable of providing strong and efficient security [15], and no reports of security breaking have been
publicised. Therefore, at present, PKI is unbreakable and will be of great aid to the MPS if properly
installed and if the key is kept private. Figure 1 illustrates how PKI works.


Trust Mechanism

Trust can only exist in the presence of uncertainty and risk, and with the implementation of PKI the
MPS will require an analysis of the system's objectives and the trust model the PKI enforces [16]. There
are different trust mechanisms, but because this is based on widespread secure messaging amongst
the Metropolitan Police Service, Cross Certification is a factor to consider. It allows the use of
multiple CAs based on their particular needs. Figure 1 illustrates how cross certification works.

Figure 1: PKI Cross Certificate Mechanism

RSA Encryption

RSA encryption uses an asymmetrical PKI system with an algorithm that relies on the difficulty of
factoring the product of two large prime numbers. It is mathematically referred to as a trapdoor function
and, because of its complexity, it provides high security and therefore can be trusted [13]. RSA provides
security by means of cryptography to provide the CIA environment and access control. RSA uses a
pair of keys: a Public Key, which can be known by anyone, and a Private Key, which is a secret key
used only by the key owner. The keys allow the encryption of clear-text data with one key
and decryption with the other. These can be defined mathematically as follows:

Key generation:

- Prime numbers: $p$ and $q$, with $p \neq q$
- $n = pq$
- $\phi = (p - 1)(q - 1)$
- Public key $= (n, e)$
- Private key $= d$

Plain text $= m$, ciphered text $= c$.

- Encryption: $c = m^{e} \bmod n$
- Decryption: $m = c^{d} \bmod n$
- Digital signature: $s = H(m)^{d} \bmod n$
- Verification: $m' = s^{e} \bmod n$
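
The definitions above can be carried through numerically. The following is an added example, not part of the original report: it uses constructed toy primes (61 and 53), assumes the standard relation $ed \equiv 1 \pmod{\phi}$ for the private exponent (the report does not state it), and reduces the SHA-256 hash modulo $n$ only so that it fits the toy modulus.

```python
import hashlib
from math import gcd


def generate_keypair(p, q, e):
    """Key generation with the report's symbols: n = pq, phi = (p - 1)(q - 1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    d = pow(e, -1, phi)  # assumption stated in the lead-in: e * d = 1 (mod phi)
    return (n, e), d


def encrypt(m, public):
    """c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, public, d):
    """m = c^d mod n."""
    n, _ = public
    return pow(c, d, n)


def H(message, n):
    """SHA-256 of the message, reduced mod n to fit the toy modulus (demo only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, public, d):
    """s = H(m)^d mod n."""
    n, _ = public
    return pow(H(message, n), d, n)


def verify(message, s, public):
    """Recompute m' = s^e mod n and compare it with H(m)."""
    n, e = public
    return pow(s, e, n) == H(message, n)


# Constructed toy parameters; real keys use primes of 1024 bits or more.
PUBLIC, D = generate_keypair(61, 53, e=17)

if __name__ == "__main__":
    c = encrypt(65, PUBLIC)
    print("n, e =", PUBLIC, "d =", D, "c =", c, "m =", decrypt(c, PUBLIC, D))
    s = sign(b"constructed report text", PUBLIC, D)
    print("signature valid:", verify(b"constructed report text", s, PUBLIC))
```

Encrypting the same $m$ twice with these formulas always yields the same $c$, which is why deployed RSA adds randomised padding such as OAEP for encryption and PSS for signatures.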


Reference

[1] Sun Microsystems, Inc., 4150 Network Circle. Guide to Open-Source Identity Management
Software. April 2009.

[2] Rick Lehtinen, Computer Security Basics, 2nd Edition. O'Reilly, June 2006.

[3] Computer Security Center. Department of Defense Trusted Computer System Evaluation
Criteria, CSC-STD-00183, 15 August 1983.

[4] William Stallings. Cryptography and Network Security. 4th Edition.

[5] Gartner Group, Enabling Compliance with Password Policies (Article).

[6] Nick Farzanfar, founder of FOQUEST Inc. Biometric: A World without Passwords.

[7] Ross, A. A., Nandakumar, K., Jain, A. K. Handbook of Multibiometrics. 2006.

[8] FindBIOMETRICS Global Identity Management. 23rd Sept. 2003 (Article).

[9] A. K. Jain, A. Ross, and S. Prabhakar, "An Introduction to Biometric Recognition", IEEE
Trans. on Circuits and Systems for Video Technology, Special Issue on Image- and Video-
Based Biometrics, vol. 14, no. 1, pp. 4-20, January 2004.

[10] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar. Handbook of Fingerprint Recognition,
Second Edition, Springer, 2009.

[11] James L. Wayman, Biometrics in Identity Management Systems, Published by IEEE
Computer Security.

[12] Pranjal Vyas, Stigma and Identity Changes in High-Tech Crime.

[13] Michael Palmer, Guide to Operating Systems Security. Ch. 1, 3 & 10.

[14] A. M. Al-Khouri and J. Bal of Warwick University, UK. Journal of Computer Science. Pg 361.

[15] John Adams, CTO of Chosen Security Inc. Provider of on-demand PKI Security Service.
ZDNet News. 10th Jan. 2008.

[16] Joel Weise of SunPSSM Global Security Practice. Public Key Infrastructure Overview. Pg 8-10.
