
BIOMETRIC IDENTIFICATION ARCHITECTURE: INTEGRATION WITH CELLULAR TECHNOLOGIES

BY
VADAN MEHTA
TATA CONSULTANCY SERVICES
VADAN.MEHTA@TCS.COM

ABSTRACT
This paper describes the architecture of a biometric identification system and its integration with cellular technologies. First I explain the conceptual framework of the biometric identification architecture, followed by an introduction to mobile VPN and the possible alternatives for using a mobile VPN to interconnect the components of the biometric architecture.

INTRODUCTION
Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In contrast with probably every other method of authentication, biometric authentication aims to be completely non-transferable. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of mostly behavioral characteristics include signature, gait and typing patterns. Voice is considered a mix of both physical and behavioral characteristics.

With increasing security concerns, and for ease of management, more state governments are turning towards biometric verification of their citizens. The Unique Identification Authority of India (UIDAI) initiated the UID (Unique Identification) project, which plans to provide a biometric identity to each citizen as an alternative to the ID proofs used today, such as the PAN card, voter card and driving license. The vision of UID is to build a national database containing biometric information, such as the fingerprints of citizens, which can be used by security agencies, the Income Tax department, the Police and other related institutions.

This paper describes a conceptual framework that uses cellular backhaul to interconnect biometric clients to the central data repository.

BIOMETRIC IDENTIFICATION ARCHITECTURE
A biometric identification architecture incorporates a reader, scanner and camera for the capture of a biometric identifier (e.g. fingerprint or facial image), which is converted by software into a digital format (template) for storage and comparison against other records held in a central database repository (UID in our case).

Copyright:
Permission to make digital or hard copies of all or part of this work
for personal or classroom use is granted without fee provided that
copies are not made or distributed for profit or commercial
advantage and that copies bear this notice. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee.
TACTiCS – TCS Technical Architects' Conference '09
Figure 1: Architecture

TACTiCS 09’ -1

The general biometric architecture is mainly divided into three parts:

• Data Collector: a device that collects the biometric data (fingerprints, iris, voice, etc.), converts it into a digital template and sends it to the central database for processing.
• Transmission: carries the biometric template to the central server using telecommunication technologies. It involves secured transmission, compression/decompression and signal processing.
• Central Database: the central data repository processes the data in order to render an authentication decision, based on matching the stored template against the current one (see Figure 1).

Operation
All biometric systems run in two separate processing phases: 1) Enrolment, 2) Verification.

• Enrolment
In this processing phase the individual subject provides samples of a biometric characteristic to establish a new so-called reference template.

• Verification
After enrolment, the subject is known to the biometric system. When the subject provides a query template, it is processed and compared with the saved reference templates of all enrolled subjects stored in the repository database.

The output of the system may be a simple yes/no, an identity credential with identity information about the subject, or a list of identity data corresponding to the best matches for a client system. The measured accuracy of a template is an estimate of how reliably a comparison can be made between the stored template and the user's template that is scanned later for authentication. The enrolment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrolment quality of 72 percent.

CELLULAR INTEGRATION

A biometric ID system needs to connect bio-scanners located at various geographical places to its central database for enrolment and verification purposes. Biometric scanners can be handheld devices or fixed terminals with biometric data collection capability. These devices need to integrate with existing telecommunication technologies to transmit their data to the central data repository.

I propose to use cellular technologies (GSM, CDMA2000, WiMAX) because of their omnipresent nature and ease of provisioning.

The proposed architecture connects the bio-scanners to the available cellular technology via an encrypted mobile VPN service (see Figure 2).

Figure 2: Biometric using cellular backhaul framework

VPN

The public Internet was specifically designed to quickly route traffic between any two connected points. The Internet is composed of countless network devices that are administered by different organizations. No one organization can control or be responsible for the privacy and integrity of data as it travels over the Internet. The Internet is sometimes viewed as an insecure means of transmitting data because there are opportunities for modification and deletion of data. A variety of well-publicized attacks and viruses have made it painfully obvious that the Internet is insecure. A VPN (Virtual Private Network) addresses the lack of security on the Internet by providing authentication and encryption between two end points (see Figure 3).

Figure 3: VPN concept
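Before going into the VPN mechanics, the two processing phases described under Operation above (enrolment builds a reference template from several samples; verification compares a query template against every stored reference and returns a yes/no, an identity, or a ranked candidate list) can be shown in a small repository model. The Python below is an added example, not code from the paper or from UIDAI; the fixed-length feature vectors, the cosine similarity score, the 0.9 acceptance threshold and the quality formula are all assumptions made for the illustration.

```python
"""Toy enrolment/verification flow for a central biometric repository."""
import math
from dataclasses import dataclass, field

# A template is modelled as a fixed-length feature vector. Real fingerprint or
# iris templates are far richer, but enrolment and verification work the same way.


def _cosine(a, b) -> float:
    """Similarity score in [-1, 1] between two feature vectors; 1.0 means identical."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


@dataclass
class EnrolledRecord:
    subject_id: str
    reference: tuple      # reference template built at enrolment
    quality: int          # enrolment quality, 0..100 percent


@dataclass
class BiometricRepository:
    records: dict = field(default_factory=dict)

    def enrol(self, subject_id: str, samples: list) -> EnrolledRecord:
        """Enrolment: several samples of the characteristic become one reference template."""
        if len(samples) < 2:
            raise ValueError("enrolment needs at least two samples")
        dim = len(samples[0])
        if any(len(s) != dim for s in samples):
            raise ValueError("all samples must have the same dimension")
        reference = tuple(sum(s[i] for s in samples) / len(samples) for i in range(dim))
        # Quality (assumed scoring): how consistently the samples agree with the
        # reference; inconsistent captures give a low score and should be re-taken.
        consistency = sum(_cosine(s, reference) for s in samples) / len(samples)
        quality = max(0, min(100, round(consistency * 100)))
        record = EnrolledRecord(subject_id, reference, quality)
        self.records[subject_id] = record
        return record

    def verify(self, query: tuple, threshold: float = 0.9, top_n: int = 3):
        """Verification: compare a query template with every stored reference.

        Returns (accepted, subject_id or None, best matches) so the caller can
        use a simple yes/no, an identity credential, or the ranked candidate list."""
        ranked = sorted(
            ((_cosine(query, r.reference), sid) for sid, r in self.records.items()),
            reverse=True,
        )
        candidates = [(sid, round(score, 3)) for score, sid in ranked[:top_n]]
        if ranked and ranked[0][0] >= threshold:
            return True, ranked[0][1], candidates
        return False, None, candidates


if __name__ == "__main__":
    repo = BiometricRepository()
    # Constructed sample captures; each tuple stands for one scan of the same finger.
    repo.enrol("alice", [(1.0, 0.0, 0.5), (0.9, 0.1, 0.5), (1.0, 0.0, 0.6)])
    repo.enrol("bob", [(0.0, 1.0, 0.2), (0.1, 0.9, 0.2)])
    print(repo.verify((1.0, 0.0, 0.5)))   # accepted as alice
    print(repo.verify((0.5, 0.5, 0.5)))   # no candidate above the threshold
```

The threshold is the operating point of the system: lowering it accepts more genuine but noisy captures and also more impostors, so in practice it is chosen from measured false-accept and false-reject rates rather than fixed in code. Note also that a reference template is not a password; it cannot be salted and hashed, so the repository itself is the asset the transport and access controls discussed later have to protect.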

A VPN is a way to build a secure, private communication infrastructure on top of a public network. VPNs are logical networks that connect physical networks or single hosts to each other by forming encrypted tunnels over public networks. VPNs guarantee privacy and security, allowing companies to communicate information, no matter how sensitive it is, over the Internet inexpensively.

Connectivity

A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.

VPNs can be built on tunneling protocols that are implemented at different layers of the OSI seven-layer model. Tunnel characteristics are determined by the protocol the tunnel is built upon. Tunnels can be established at the following layers of the OSI model:

• Layer 2, the Data Link layer, uses the L2TP and PPTP tunneling protocols. These protocols use password authentication to prevent unauthorized dial-up connections.

• Layer 3, the Network layer, uses the IPSec tunneling protocol built over IP. This protocol authenticates and encrypts data transmission by adding network layer information to each packet.

IPSec (Internet Protocol Security) was developed as a standard by the IETF to address the authentication and encryption limitations of the Layer 2 tunneling protocols. IPSec provides message integrity, privacy, authentication, and replay protection. An IPSec tunnel can be created between two IPSec gateways, or between an IPSec gateway and a remote user who has an IPSec VPN client installed.

IPSEC Architecture

As per Figure 4, IPsec grants two choices of security service: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides support for connectionless integrity, data origin authentication, and protection against replays, but does not provide secrecy. On the other hand, ESP supports confidentiality, connectionless integrity, anti-replay protection, and optional data origin authentication.

Figure 4: IPSEC architecture

A key concept that appears in both security services is the Security Association (SA). An SA is a one-way relationship between a sender and a receiver that affords security services. In order to establish an SA between two hosts, they must first agree to apply compatible policies and cryptographic algorithms. They must also share a secure mechanism for determining keying material over an insecure channel. The default IPsec method for secure key negotiation is the Internet Key Exchange (IKE) protocol. IKE consists of two sequential phases. Phase 1 creates an Internet Security Association and Key Management Protocol (ISAKMP) SA (or IKE SA) that establishes a bi-directional secure channel between the security endpoints. Phase 2 negotiates an IPsec SA using the pre-established channel. Multiple IPsec SAs can be established from a single ISAKMP SA, which may be considered a "control channel", where IKE is the control protocol.

Both AH and ESP support two modes of use: transport and tunnel mode [1]. Transport mode mainly provides end-to-end protection, where the IP packet's payload is encrypted. On the other hand, tunnel mode encapsulates an entire IP packet (including the IP header) within a new IP packet, to ensure that no part of the original packet is visible or may be changed as it moves through a network. Even though there is some criticism of IPsec, it is commonly admitted that it is the best IP security protocol available today [8]. It facilitates the authentication of the communicating entities, and the transparent encryption and integrity protection of the transmitted packets in both IPv4 and IPv6 networks. It is especially useful for implementing VPNs and remote access to private networks. Because of its flexibility, IPsec enables security service deployment across any existing IP network. On the other hand, the main drawback of IPsec is its complexity, as it incorporates a considerable number of independent protocols, which operate in multiple modes.


MOBILE VPN IMPLEMENTATION

A Mobile VPN extends the VPN concept to the mobile environment. Devices such as handheld biometric scanners are used to generate the application data/templates. These devices establish an IPSec VPN tunnel from the handheld device (smart phone or PDA) to an IPSec gateway over the Internet, using a wireless connection such as Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), 3G telecom technologies (UMTS, CDMA EvDO) or wireless LAN (WLAN). This wireless VPN tunnel allows the handheld scanners to access their centralized database with ensured authentication and encrypted traffic.

IP tunneling is central to implementing an MVPN. IP tunnels are paths that IP packets follow while encapsulated within the payload portion of another packet. These encapsulated packets are sent from originating endpoints to destination endpoints via public (non-secure) channels. There are two basic tunneling methods for implementing IP VPNs: end-to-end or "voluntary", and network-based or "compulsory". MVPNs based on voluntary tunneling are implemented by providing users with public Internet access and then enabling them to establish a VPN on top of this access to reach the corporate VPN gateways. Network-based "compulsory tunneling", in contrast, is based on the idea that the wireless operator's network infrastructure itself features the intelligence and functionality necessary for the deployment of MVPNs, and that these tunnels need not be established by the end user via their mobile device.

Voluntary MVPN

A voluntary IP VPN provides remote users with the ability to create a tunnel from their terminals (bio-scanners) to a certain tunnel termination point, such as a VPN gateway that resides within the private network hosting the central database repository. For this to happen, the remote access device, such as a biometric scanner, must support the tunneling protocol (IPSEC). This type of VPN service is depicted in Figure 5, which uses mobile dial-up access over a GPRS network as an example. In this scenario, the remote user establishes a VPN connection to the private network after a wireless carrier grants him or her Internet access.

Voluntary VPN carries a number of significant advantages. For private network IT administrators, and often for remote users, this is the simplest way to establish a remote access VPN. Remote users simply need access to the Internet or any other public IP network, and a VPN client in their mobile or fixed devices. All that the private network IT department needs to do is provision a VPN gateway connected to the Internet and capable of terminating a particular type of tunneling, and establish a proper set of policies and security procedures. The service provider offering the Internet access service cannot access the end-to-end encrypted private data being transmitted between the remote user and the private network, and hence does not have to be entrusted with it.

Figure 5: Voluntary VPN (GPRS)

While voluntary tunneling provides a simple, secure end-to-end solution for access to private networks, it also leads to extra encapsulation overhead over last-hop wireless links. Also, this is a less efficient, more costly use of radio resources. In volume-based charging scenarios, for instance, such overhead could significantly increase corporate costs for remote connectivity. Voluntary tunneling carries a number of other drawbacks as well. For example, it requires that mobile nodes be given public addresses allowing end-to-end transparent IP connectivity. In addition, it requires complex encryption and decryption algorithms, which can increase the complexity and cost of mobile devices, which typically have low processing power and are often limited by battery power consumption. Also, with voluntary tunneling, applications that need to inspect or modify encapsulated packets will be unable to get access to user traffic. This means that QoS solutions, traffic-shaping mechanisms, monitoring equipment and firewalls will fail to perform their functions, and encapsulated (secured) packets cannot be modified by Network Address Translation (NAT).

Compulsory MVPN

A service provider may offer a compulsory VPN service by concatenating or chaining multiple tunnels, or by provisioning a single tunnel for a part of the data path between two participating endpoints. For example, a compulsory VPN can be based on a tunnel created between a private network and a service provider and not extended to reach all the way to the remote user that is using the network access service.


As a result, with a compulsory VPN service the remote user does not need to have any involvement in the VPN establishment process and is "forced" to use the available pre-provisioned service whenever access to the private network is required, hence the name. This VPN type assumes that the operator's network infrastructure features the intelligence and functionality necessary to support VPN services based on the tunnels, or sets of tunnels, provisioned between the private network and the service provider's networks, rather than all the way to the end-user device. In both cases, the enterprise must pre-establish a detailed SLA with the service provider responsible for the VPN service, and must trust it to handle its valuable data with the necessary care and confidentiality.

In this kind of VPN, tunneling protocols (GTP for GPRS/GSM and GRE for CDMA EvDO) are used to tunnel the data traffic between the access network and the gateway, and from the gateway to the VPN server an IPSEC tunnel is established (Figure 6).

Figure 6: Compulsory VPN

In the mobile environment, security problems become serious, since the user traffic is being sent over potentially insecure radio channels. During packet data roaming, the unprotected traffic to and from the mobile station must also traverse the visited carrier's network (which may or may not have an established SLA with the corporation served by the home wireless carrier) before being tunneled to the original carrier's network. If there are insecure links in this network, especially unencrypted links in the backhaul section, this could present serious security problems.

On the positive side, the compulsory approach makes better use of the air interface by avoiding over-the-air encapsulation overhead, which is especially advantageous for cellular wireless systems, and by simplifying the user equipment. When a compulsory VPN is used, the end-user equipment does not have to support any VPN client, tunneling or security capability, which at times can be CPU-hungry and battery-life-consuming. Also, the user is not involved in VPN creation and only needs to request the service when accessing the service provider's network.

Compulsory VPN presents a number of other significant advantages to service providers. Offering and marketing compulsory VPN as a feature can potentially enable new business models and carrier service offerings. With the voluntary approach, service providers do not get involved in provisioning and often are not even aware of the existence of encrypted and encapsulated traffic, unless they offer special access points to the Internet associated with publicly routable IP addresses or NAT-traversal-compliant devices. In contrast, compulsory VPN access offerings can be marketed in different forms by carriers to a variety of private enterprises and ISPs interested in outsourcing their remote access function. This will bring new revenue streams, along with greater differentiation from competing service offerings.

Another benefit of compulsory VPN for service providers lies in greater control over the user. In a compulsory model, the service provider is usually involved in user authentication and IP address assignment (though the latter might be a mixed blessing in some situations), which allows it to control user provisioning to a greater extent. IP addresses can be assigned to remote users from the customer's private network address space, thus saving the usage of publicly routable IP addresses on the provider side.

Voluntary vs Compulsory MVPN

Table 1 describes the comparison between voluntary and compulsory MVPN.

Voluntary MVPN                                   Compulsory MVPN
-------------------------------------------------------------------------------------
Works with public IP (a limited resource)        Works on private IP
Enterprise has full control over policies        Service provider has full control over policies
Air bandwidth overhead up to 30%                 Less overhead on air
QoS SLA not supported                            QoS SLA supported
Handheld devices must support IPSEC              Network gateway must support IPSEC
  (CPU and power limitation)
Does not support NAT                             Supports NAT with NAT traversal functionality

Table 1: Comparison between Voluntary & Compulsory MVPN
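Two rows of Table 1, the air-interface overhead and who controls (and can read) the traffic, follow directly from where the IPsec tunnel starts on the data path, and that can be computed rather than asserted. The Python below is an added example written for this page, not code from the paper or from any operator: the five-hop path, the ESP tunnel-mode framing sizes (a 16-byte cipher block, 16-byte IV and 96-bit ICV, as for AES-CBC with HMAC-SHA1-96) and the 200-byte template are assumptions. In compulsory mode the hops before the operator gateway carry the template inside the operator's own GTP/GRE tunnel, protected only by whatever the radio link and backhaul provide, which is exactly the trust the paper says the enterprise must place in the provider.

```python
"""Trust boundary and air-interface overhead of voluntary vs compulsory MVPN."""
from dataclasses import dataclass

# Header sizes in bytes. ESP figures are tunnel-mode framing per RFC 4303 for a
# CBC cipher with a 16-byte block and a 96-bit truncated ICV (assumed suite).
IP_HDR, UDP_HDR = 20, 8
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV, ESP_BLOCK = 8, 16, 2, 12, 16


def esp_tunnel_size(inner_ip_len: int) -> int:
    """Bytes on the wire when an inner IP packet is carried in ESP tunnel mode."""
    body = inner_ip_len + ESP_TRAILER        # payload + pad-length + next-header fields
    pad = (-body) % ESP_BLOCK                # pad up to the cipher block size
    return IP_HDR + ESP_HDR + ESP_IV + body + pad + ESP_ICV


@dataclass(frozen=True)
class Hop:
    name: str
    party: str   # who administers the hop


# Constructed data path: scanner -> radio/SGSN -> GGSN -> Internet -> enterprise gateway.
PATH = (
    Hop("handheld bio-scanner", "enterprise"),
    Hop("radio access network + SGSN", "operator"),
    Hop("GGSN / operator gateway", "operator"),
    Hop("public Internet", "third parties"),
    Hop("VPN gateway / central repository", "enterprise"),
)

# Hop at which the IPsec tunnel starts; it always ends at the enterprise gateway.
IPSEC_ORIGIN = {
    "voluntary": "handheld bio-scanner",      # device runs the IPsec client
    "compulsory": "GGSN / operator gateway",  # operator terminates GTP/GRE, starts IPsec
}


def analyse(mode: str, template_len: int) -> dict:
    """Who handles the template in clear, and what the air interface carries."""
    origin = IPSEC_ORIGIN[mode]
    inner_len = IP_HDR + UDP_HDR + template_len          # template inside a UDP/IP packet
    origin_idx = [h.name for h in PATH].index(origin)
    # Hops up to and including the tunnel origin see cleartext; so does the far endpoint.
    clear_hops = list(PATH[: origin_idx + 1]) + [PATH[-1]]
    # The air interface is the first link; it carries ESP only if the device encapsulates.
    air_bytes = esp_tunnel_size(inner_len) if origin_idx == 0 else inner_len
    return {
        "ipsec_segment": f"{origin} -> {PATH[-1].name}",
        "plaintext_visible_to": sorted({h.party for h in clear_hops}),
        "air_bytes": air_bytes,
        "air_overhead_pct": round(100 * (air_bytes / inner_len - 1), 1),
    }


if __name__ == "__main__":
    for mode in ("voluntary", "compulsory"):
        print(mode, analyse(mode, template_len=200))
```

For a 200-byte template the voluntary path puts 296 bytes on the air for 228 bytes of inner packet, close to the 30% ceiling in Table 1, and the overhead only grows as the template shrinks, since the ESP framing is fixed. The compulsory path carries the bare 228 bytes but adds the operator to the set of parties that can read the template, which is the control-over-policies row of the table expressed as a data-flow fact.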


CONCLUSION
The biometric identification architecture can utilize the existing cellular network to interconnect its major components for enrolment and verification purposes. 2.5G and 3G cellular networks offer Mobile VPN technology to connect handheld bio-scanners with the central database repository in a secured tunnel, providing end-to-end security and integrity of data. The IPSEC architecture provides an end-to-end secured, authenticated and encrypted VPN tunnel framework, which can be used to carry highly sensitive biometric information. Voluntary MVPN provides an end-to-end IPSEC tunnel between the client (bio-scanners) and the server (central data repository), while Compulsory MVPN provides an IPSEC tunnel between the gateway and the VPN server, with a GTP/GRE tunnel between the VPN client and the server. The decision on which MVPN implementation to select depends on how much authority the data repository owner's network (UIDAI) wants to delegate to the service provider, the capacity of the wireless service provider's existing network, and the QoS/SLA requirements.

REFERENCES

• Mobile VPNs for Next Generation GPRS and UMTS Networks, by Lucent Technologies
• Mobile VPN for CDMA 3G Data Networking, by Lucent Technologies
• Mobile VPN for GPRS Data Networking, by Lucent Technologies
• Mobile IP VPN Connectivity and Security, by Trologix
• BioAPI Best Practices, Implementation Notes and Security Appendix, by The BioAPI Consortium
• BioAPI Specification Version 1.1, developed by The BioAPI Consortium
• Mobile Biometric Identification, by Motorola
• The Universal Biometric System, by H. M. N. Dilum Bandara, S. M. Ravindra P. De Silva, and P. W. H. Dasun Weerasinghe, Department of Computer Science and Engineering, University of Moratuwa, Sri Lanka
• The Evolution of Mobile VPN and its Implications for Security, by NSN Networks
• IPsec-based end-to-end VPN deployment over UMTS, by Christos Xenakis and Lazaros Merakos, Department of Informatics & Telecommunications, University of Athens, 15784 Athens, Greece
• Connect Devices in Patrol Vehicles, by Digi Networks
• Oracle Advanced Security Administrator's Guide, Release 8.1.7
• Mobile VPN: Delivering Advanced Services in Next Generation Wireless Systems, by Alex Shneyderman and Alessio Casati (etutorials.org)

