Privacy Protection in Distributed Fingerprint-based Authentication

Biometric authentication is getting increasingly popular due to the convenience of using unique individual traits, such as fingerprints, palm veins, irises. Especially fingerprints are widely used nowadays due to the availability and low cost of fingerprint scanners. To avoid identity theft or impersonation, fingerprint data is typically stored locally, e.g., in a trusted hardware module, in a single device that is used for user enrollment and authentication. Local storage, however, limits the ability to implement distributed applications, in which users can enroll their fingerprint once and use it to access multiple physical locations and mobile applications afterwards. In this paper, we present a distributed authentication system that stores fingerprint data in a server or cloud infrastructure in a privacy-preserving way. Multiple devices can be connected and perform user enrollment or verification. To secure the privacy and integrity of sensitive data, we employ a cryptographic construct called fuzzy vault. We highlight challenges in implementing fuzzy vault-based authentication, for which we propose and compare alternative solutions. We conduct a security analysis of our biometric cryptosystem, and as a proof of concept, we build an authentication system for access control using resource-constrained devices (Raspberry Pis) connected to fingerprint scanners and the Microsoft Azure cloud environment. Furthermore, we evaluate the fingerprint matching algorithm against the well-known FVC2006 database and show that it can achieve comparable accuracy to widely-used matching techniques that are not designed for privacy, while remaining efficient with an authentication time of few seconds.Comment: This is an extended version of the paper with the same title which has been accepted for publication at the Workshop on Privacy in the Electronic Society (WPES 2019

A Test bed dedicated to the Study of Vulnerabilities in IEC 61850 Power Utility Automation Networks

International audienceIndustrial control systems rely more and more on digital technologies. Although the cyber risk such technologies induce is widely judged as serious, especially for critical infrastructures, these systems have generally not been designed to serve cybersecurity purposes. Instead they were thought first for serving operational efficiency. It thus becomes critical to study cyber threats in industrial environments and experimental test beds are needed to evaluate risks, physical consequences of cyber incidents, and performance of countermeasures. The test bed we present here focuses on studying cyber risks and their mitigation in IEC 61850 power utility automation systems. The operational part is composed of engineering computers, supervision software, off-the-shelf intelligent relays (Intelligent Electronic Device – IED), a hardware-in-the-loop process simulation, and the cybersecurity tools include an attack generation station and a network analyzer. In this paper, we present the operational part, giving details on the power grid hardware-in-the-loop simulation and its importance in the understanding of cyber consequences on the global system. The article concludes giving preliminary experimental results showing consequences of a false data injection attack on a simple electrical architecture

Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps

Validation of conformance to cybersecurity standards for industrial automation and control systems is an expensive and time consuming process which can delay the time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery pipeline of products. However, designing such conformance validation in an automated fashion is a highly non-trivial task that requires expert knowledge and depends upon the available security tools, ease of integration into the DevOps pipeline, as well as support for IT and OT interfaces and protocols. This paper addresses the aforementioned problem focusing on the automated validation of ISA/IEC 62443-4-2 standard component requirements. We present an extensive qualitative analysis of the standard requirements and the current tooling landscape to perform validation. Our analysis demonstrates the coverage established by the currently available tools and sheds light on current gaps to achieve full automation and coverage. Furthermore, we showcase for every component requirement where in the CI/CD pipeline stage it is recommended to test it and the tools to do so

Cybersecurity of smart-grid control systems: Intrusion detection in IEC 61850 automation systems

National audienceCette thèse porte sur la problématique de la cybersécurité dans les infrastructures IEC 61850, en particulier la détection d’intrusion. Le travail réalisé a d’abord consisté à enrichir ce standard d’une fonction dédiée. Dans un deuxième temps nous avons travaillé à la conception d’une architecture IEC 61850 résiliente aux attaques sur le réseau temps-réel GOOSE. Des sondes de détections ont été développées et testées. Une AMDE est en cours pour nous permettre de synthétiser un mode de fonctionnement alternatif en cas de corruption du réseau GOOSE