ABSTRACT
This paper describes the architecture of a biometric system and its integration with cellular technologies. First I explain the conceptual framework of a biometric identification architecture, followed by an introduction to mobile VPN and the possible alternatives for using mobile VPN to interconnect the components of the biometric architecture.

INTRODUCTION
Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In contrast with probably every other method of authentication, biometric authentication aims to be completely non-transferable. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of mostly behavioral characteristics include signature, gait and typing patterns. Voice is considered a mix of both physical and behavioral characteristics.

Because of increasing security concerns and ease of management, more state governments are turning towards biometric verification of their citizens. The Unique Identification Authority of India (UIDAI) initiated the UID (Unique Identification) project, which plans to provide a biometric identity to each citizen as an alternative to the ID proofs used today, such as the PAN card, voting card and driving licence. The vision of UID is to build a national database containing biometric information such as the fingerprints of citizens, which can be used by security agencies, the Income Tax department, the police and other related institutions.

This paper describes a conceptual framework for using cellular backhaul to interconnect biometric clients to the central data repository.

BIOMETRIC IDENTIFICATION ARCHITECTURE
A biometric identification architecture incorporates a reader, scanner and camera for the capture of a biometric identifier (e.g. fingerprint or facial image), which is converted by software into a digital format (template) for storage and comparison against other records held in a central database repository (UID in our case).
Copyright:
Permission to make digital or hard copies of all or part of this work
for personal or classroom use is granted without fee provided that
copies are not made or distributed for profit or commercial
advantage and that copies bear this notice. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee.
TACTiCS – TCS Technical Architects' Conference '09
Figure 1: Architecture
TACTiCS 09’ -1
BIOMETRIC IDENTIFICATION ARCHITECTURE: INTEGRATION WITH CELLULAR TECHNOLOGIES
A general biometric architecture is mainly divided into three parts.

Data Collector: A device to collect the biometric data (fingerprints, iris, voice etc.), convert it into a digital template and send it to the central database for processing.

Transmission: Carries the biometric template to the central server using telecommunication technologies. It involves secured transmission, compression and decompression, and signal processing.

Central Database: The central data repository processes the data in order to render an authentication decision, based on matching the stored template against the one currently presented (see Figure 1).

Operation
All biometric systems run in two separate processing phases:
1) Enrolment 2) Verification

Enrolment
In this processing phase the individual subject provides samples of a biometric characteristic to establish a new, so-called reference template.

Verification
After the enrolment, the subject is known to the biometric system. When the subject provides a query template, it is processed and compared with the saved reference templates of all enrolled subjects stored in the repository database.

The output of the system may be a simple yes/no, an identity credential with identity information about the subject, or a list of identity data corresponding to the best matches for a client system. The measured accuracy of a template is an estimate of how reliably a comparison can be made between the stored template and the user's template that is scanned later for authentication. The enrolment quality is expressed as a percent score between 0 and 100. For example, a user may have an enrolment quality of 72 percent.

CELLULAR INTEGRATION
I propose to use cellular technologies (GSM, CDMA2000, WiMAX) because of their omnipresent nature and easy provisioning.

The proposed architecture connects bio-scanners to the available cellular technology via an encrypted mobile VPN service (see Figure 2).

Figure 2: Biometric using cellular backhaul framework

VPN
The public Internet was specifically designed to quickly route traffic between any two connected points. The Internet is composed of countless network devices that are administered by different organizations. No one organization can control or be responsible for the privacy and integrity of data as it travels over the Internet. The Internet is sometimes viewed as an insecure means of transmitting data because there are opportunities for modification and deletion of data. A variety of well publicized attacks and viruses have made it painfully obvious that the Internet is insecure. A VPN (Virtual Private Network) addresses the lack of security on the Internet by providing authentication and encryption between two end points (see Figure 3).
network. VPNs are logical networks that connect physical networks or single hosts to each other by forming encrypted tunnels over public networks. VPNs guarantee privacy and security, allowing companies to communicate information—no matter how sensitive it is—over the Internet inexpensively.

Connectivity

authentication, and protection against replays, but does not provide secrecy. On the other hand, ESP supports confidentiality, connectionless integrity, anti-replay protection, and optional data origin authentication.
drawback of IPsec is its complexity, as it incorporates a considerable number of independent protocols, which operate in multiple modes.

MOBILE VPN IMPLEMENTATION
A mobile VPN extends the VPN concept to the mobile environment. Devices such as handheld biometric scanners are used to generate application data/templates. These devices establish an IPsec VPN tunnel from the handheld device (smart phone or PDA) to an IPsec gateway over the Internet, using a wireless connection such as Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), 3G telecom technologies (UMTS, CDMA EV-DO) or wireless LAN (WLAN). This wireless VPN tunnel allows handheld scanners to access their centralized database with ensured authentication and encrypted traffic.

IP tunneling is central to implementing an MVPN. IP tunnels are paths that IP packets follow while encapsulated within the payload portion of another packet. These encapsulated packets are sent to destination endpoints from originating endpoints via public (non-secure) channels. There are two basic tunneling methods for implementing IP VPNs: end-to-end or "voluntary", and network-based or "compulsory". MVPNs based on voluntary tunneling are implemented by providing users with public Internet access and then enabling them to establish a VPN on top of this access to reach corporate VPN gateways. Network-based "compulsory tunneling", in contrast, is based on the idea that the wireless operator's network infrastructure itself features the intelligence and functionality necessary for the deployment of MVPNs, and that these tunnels need not be established by the end user via their mobile device.

Voluntary MVPN
A voluntary IP VPN provides remote users with the ability to create a tunnel from their terminals (bio-scanners) to a certain tunnel termination point, such as a VPN gateway that resides within the private network hosting the central database repository. For this to happen, the remote access device, such as a biometric scanner, must support a tunneling protocol (IPsec). This type of VPN service is depicted in Figure 5, which uses mobile dial-up access over a GPRS network as an example. In this scenario, the remote user establishes a VPN connection to a private network after a wireless carrier grants him or her Internet access.

A voluntary VPN carries a number of significant advantages. For private network IT administrators, and often for remote users, this is the simplest way to establish a remote access VPN. Remote users simply need access to the Internet or any other public IP network, and a VPN client in their mobile or fixed devices. All that the private network IT department needs to do is to provision a VPN gateway connected to the Internet and capable of terminating a particular type of tunneling, and establish a proper set of policies and security procedures. The service provider offering the Internet access service cannot access the end-to-end encrypted private data being transmitted between the remote user and the private network, and hence will not have to be entrusted with it.

Figure 5: Voluntary VPN (GPRS)

While voluntary tunneling provides a simple, secure end-to-end solution for access to private networks, it also leads to extra encapsulation overhead over last-hop wireless links. This is a less efficient, more costly use of radio resources; in volume-based charging scenarios, for instance, such overhead could significantly increase corporate costs for remote connectivity. Voluntary tunneling carries a number of other drawbacks as well. For example, it requires that mobile nodes be given public addresses allowing end-to-end transparent IP connectivity. In addition, it requires complex encryption and decryption algorithms, which can increase the complexity and cost of mobile devices, which typically have low processing power and are often limited by battery power consumption.

Also, with voluntary tunneling, applications that need to inspect or modify encapsulated packets will be unable to get access to user traffic. This means that QoS solutions, traffic-shaping mechanisms, monitoring equipment and firewalls will fail to perform their functions, and encapsulated (secured) packets cannot be modified by Network Address Translation (NAT).

Compulsory MVPN
A service provider may offer a compulsory VPN service by concatenating or chaining multiple tunnels, or by provisioning a single tunnel for a part of a data path between two participating endpoints. For example, a compulsory VPN can be based on a tunnel created
between a private network and a service provider and not extended to reach all the way to a remote user that is using the network access service. As a result, with a compulsory VPN service the remote user does not need to have any involvement in the VPN establishment process and is "forced" to use the available pre-provisioned service whenever access to the private network is required, hence the name. This VPN type assumes that the operator's network infrastructure features the intelligence and functionality necessary to support VPN services based on the tunnels or sets of tunnels provisioned between the private network and the service provider's networks, rather than all the way to the end-user device. In both cases, the enterprise must pre-establish a detailed SLA with the service provider responsible for the VPN service and must trust it to handle its valuable data with the necessary care and confidentiality.

In this kind of VPN, tunneling protocols (GTP for GPRS/GSM and GRE for CDMA EV-DO) are used to tunnel the data traffic from the access network to the gateway, and from the gateway to the VPN server an IPsec tunnel is established (Figure 6).

battery-life-consuming. Also, the user is not involved in VPN creation and only needs to request the service when accessing the service provider's network.

A compulsory VPN presents a number of other significant advantages to service providers. Offering and marketing compulsory VPN as a feature can potentially enable new business models and carrier service offerings. With the voluntary approach, service providers do not get involved in provisioning and often are not even aware of the existence of encrypted and encapsulated traffic, unless they offer special access points to the Internet associated with publicly routable IP addresses or NAT traversal-compliant devices. In contrast, compulsory VPN access offerings can be marketed in different forms by carriers to a variety of private enterprises and ISPs interested in outsourcing their remote access function. This will bring new revenue streams, along with greater differentiation from competing service offerings.

Another benefit of compulsory VPN for service providers lies in greater control over the user. In a compulsory model, the service provider is usually involved in user authentication and IP address assignment (though the latter might be a mixed blessing in some situations), which allows it to control user provisioning to a greater extent. IP addresses can be assigned to remote users from the customers' private network address space, thus saving the use of publicly routable IP addresses on the provider side.
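To put a number on the last-hop overhead argument above, here is an added example of my own (not code from the paper): it computes the bytes sent over the radio link to carry one biometric template when the scanner itself runs IPsec ESP in tunnel mode (voluntary MVPN) versus when the radio link carries the plain packet and the operator tunnels it only from the access network onwards (compulsory MVPN). It assumes AES-CBC with HMAC-SHA1-96 and an IPv4 outer header; the template sizes are constructed sample values.

```python
# Constructed example: per-packet overhead on the last-hop radio link for a
# voluntary MVPN (scanner runs IPsec ESP in tunnel mode, RFC 4303) versus a
# compulsory MVPN (radio link carries the plain IP packet; GTP/GRE tunnelling
# starts in the operator's network). Assumed suite: AES-CBC + HMAC-SHA1-96,
# IPv4 outer header without options. Not code from the paper.

OUTER_IPV4_HDR = 20   # outer IP header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_IV = 16           # AES-CBC initialisation vector
ESP_TRAILER = 2       # pad length (1) + next header (1)
ESP_ICV = 12          # HMAC-SHA1-96 integrity check value
AES_BLOCK = 16        # cipher block size the payload is padded to


def esp_tunnel_packet_size(inner_ip_len: int) -> int:
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    # Pad so that (inner packet + trailer) fills whole cipher blocks.
    pad = (-(inner_ip_len + ESP_TRAILER)) % AES_BLOCK
    return (OUTER_IPV4_HDR + ESP_HDR + ESP_IV + inner_ip_len
            + pad + ESP_TRAILER + ESP_ICV)


def last_hop_overhead(template_bytes: int, mtu: int = 1400,
                      ip_udp_hdr: int = 28) -> dict:
    """Bytes over the radio link to carry one template, split into UDP
    datagrams of at most `mtu` bytes, for both MVPN types."""
    if template_bytes <= 0:
        raise ValueError("template must be non-empty")
    payload_per_pkt = mtu - ip_udp_hdr
    inner_sizes = []
    remaining = template_bytes
    while remaining > 0:                 # fragment the template
        chunk = min(payload_per_pkt, remaining)
        inner_sizes.append(ip_udp_hdr + chunk)
        remaining -= chunk
    compulsory = sum(inner_sizes)        # plain IP on the radio link
    voluntary = sum(esp_tunnel_packet_size(s) for s in inner_sizes)
    return {
        "packets": len(inner_sizes),
        "compulsory_bytes": compulsory,
        "voluntary_bytes": voluntary,
        "extra_percent": round(100.0 * (voluntary - compulsory) / compulsory, 1),
    }


if __name__ == "__main__":
    # Constructed sample template sizes (bytes); small templates pay the most.
    for size in (512, 4096, 65536):
        print(size, last_hop_overhead(size))
```

The relative overhead shrinks as templates grow, so the volume-based charging penalty the text describes is felt most by frequent small verification requests rather than bulk enrolment uploads.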
CONCLUSION
A biometric identification architecture can utilize the existing cellular network to interconnect its major components for enrolment and verification purposes. 2.5G and 3G cellular networks offer mobile VPN technology to connect handheld bio-scanners with the central database repository in a secured tunnel, providing end-to-end security and integrity of data. The IPsec architecture provides an end-to-end secured, authenticated and encrypted VPN tunnel framework, which can be used to carry highly sensitive biometric information. A voluntary MVPN provides an end-to-end IPsec tunnel between the client (bio-scanners) and the server (central data repository), while a compulsory MVPN provides an IPsec tunnel between the gateway and the VPN server, and a GTP/GRE tunnel between the VPN client and the server.

The decision to select an MVPN implementation depends on how much authority the data repository owner's network (UIDAI) wants to delegate to the service provider, the capacity of the wireless service provider's existing network, and QoS/SLA requirements.