CYBR171 - Advanced Digital Authentication and BiAuthentication II - Tokens (software) and Biometrics | Lecture 10 (Week 4) [From Recording]

The Evolution of Digital Keys and Authentication Systems

Modern authentication has moved well beyond a simple username and password login. Historically, security was a physical matter: a key with a specific pattern of notches fits one specific lock. That idea carries over into the digital world, where symmetric and asymmetric keys play the role of the notches. Today's systems are considerably more intricate, often using multi-factor authentication (MFA) that combines three or more factors. The underlying mechanics include hashing the password, generating a unique salt for each user, and storing the salted hash against that user's profile, so that two users who choose the same password do not end up with the same stored value. We are still in the early stages of understanding how to secure data, and there is significant room for research on what trusted access means in these evolving systems.
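The per-user salt and hash described above, as an added example (this is not code from the lecture or the course; the function names, the PBKDF2 work factor and the dictionary used as a credential store are assumptions for illustration):

```python
import hashlib
import hmac
import os

# Constructed parameters for this example. Pick the work factor for your own
# deployment and prefer a memory-hard KDF (e.g. Argon2id) where available.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def register(store: dict, username: str, password: str) -> None:
    """Create the user's record: a fresh random salt plus the salted,
    iterated hash. The plaintext password is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    store[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    An unknown user is hashed against a dummy record so that response timing
    does not reveal which usernames exist."""
    record = store.get(username)
    if record is None:
        record = {
            "salt": b"\x00" * SALT_BYTES,
            "hash": b"\x00" * DIGEST_BYTES,
            "iterations": ITERATIONS,
        }
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME,
        password.encode("utf-8"),
        record["salt"],
        record["iterations"],
        dklen=DIGEST_BYTES,
    )
    # compare_digest avoids leaking the position of the first differing byte.
    return hmac.compare_digest(candidate, record["hash"]) and username in store


if __name__ == "__main__":
    users: dict = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    # Same password, different salts, so the stored hashes differ.
    print(users["alice"]["hash"] != users["bob"]["hash"])
    print(verify(users, "alice", "correct horse battery staple"))
    print(verify(users, "alice", "wrong password"))
```

Note that the salt is stored in the clear next to the hash; its job is not to be secret but to make precomputed tables and cross-user comparison useless.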

Procedural Frameworks for Access and Analysis

The lecture described a five-step procedure for extracting a private key from a hardware token, which is a useful frame for what an attacker with physical access has to do. Step 1: set up the measurement equipment. Step 2: open the device to reach the key's access point. Step 3: remove the protection layers surrounding the relevant chips. Step 4: collect technical measurements from the exposed chip. Step 5: work out the private key from those measurements. The practical lesson is that a hardware token's secret is only as safe as the physical and side-channel protections around the chip. While this five-step process covers hardware analysis, other procedural models exist, such as the Porphyry method mentioned in the lecture, which consists of 10 distinct stages by design, dictating how an entity enters a space, maintains access within that space, and exits safely and rapidly, often within milliseconds. This model reflects a shift toward machine-to-human and machine-to-machine interactions.

The Three Paradigms of Identification

Authentication has moved through three major phases in how identifying secrets are handled. The first phase is defined by something the user knows, such as a password or another secret. The second phase involves something the user has, such as a physical token or hardware device. The third and current phase moves into the realm of something the user is: biometrics, where unique physical or behavioural traits of the person serve as the identifying code. This removes the need to carry a physical object and instead relies on inherent biological traits. The trade-off is that a biometric, unlike a password or token, cannot be revoked or reissued if its stored template is compromised. The field is being explored heavily in advanced university studies, as software tokens and dynamic connectivity continue to present new challenges for identification.

Corporate Infrastructure and Outsourcing Vulnerabilities

Corporate entities like IBM, Microsoft, Amazon Web Services (AWS), and Google are leaders in infrastructure support, but they take on risk whenever they integrate outsourced products or content management systems (CMS). Platforms such as WordPress, Silverstripe, and Joomla often contain known vulnerabilities in a fresh, unpatched install. When a corporation imports an outsourced product onto its platform, it inherits the vulnerabilities of that software. For instance, if a company like Weta, which maintains a very strong "black box" protection infrastructure, were to partner with a firm like Pickpock that runs on open-source software, flaws in that open-source stack could compromise Weta's systems. The organisation's attack surface expands to include every flaw in the imported software, and attackers routinely target those platform vulnerabilities as the cheapest route into the more valuable underlying infrastructure.

Malware, Viruses, and Technical Exploits

The primary goals of deploying malware are to eavesdrop on a system, take control of its software, or extract secrets from its database. Exfiltrating secrets can be as simple as downloading a CSV export containing the organisation's IP addresses and digital assets. Two-factor authentication (2FA) is a defence here because it verifies that a human holding the second factor is behind the login, not just whoever holds a stolen password. Attackers and defenders are locked in a constant cat-and-mouse game, conventionally personified as Alice and Bob (the legitimate parties) and Eve (the eavesdropper). Technical vulnerabilities are often found on specific ports: a web service listening on port 8080, for example, may be attacked far more frequently than a hardened banking gateway. Attackers use packet-capture tools such as Wireshark to observe traffic, identify which services are listening on which ports, and pick out weakly protected gateways.

Digital Identity and Biometric Recognition Standards

The National Institute of Standards and Technology (NIST) publishes digital identity guidelines that regulate how authentication should be performed and limit how much a user can be manipulated into disclosing. These standards specify concrete primitives, such as the SHA-256 hash function, and they allow credentials to be monitored and authentication steps to be modelled within adaptive systems. Cyber security experts use these frameworks to calculate the risk associated with a chosen authentication method. Biometrics is the automated recognition of individuals based on biological and behavioural characteristics, such as iris patterns, retinal scans and fingerprints. Location data, by contrast, is contextual rather than biometric, although it is often used as an extra risk signal alongside a biometric check. The process relies on algorithms to determine how closely a person's presented trait matches the template stored at enrolment.

Convolutional Neural Networks and Matching Logic

Facial identification commonly uses Convolutional Neural Networks (CNNs) in a multi-stage process. First the image is captured; it then passes through several rounds of convolution, each extracting progressively finer features. During training, the network cycles through forward propagation (pushing feature data through the layers to produce an output) and backward propagation (adjusting the weights based on the error) until it reliably isolates the characteristics that distinguish one face from another. At authentication time, the features of the live image are compared against a stored biometric template and the result is a matching score; the system then asks, for example, whether an 80% match is sufficient to grant access. This logic is not purely binary (true or false) but operates in a fuzzy range between 0 and 1. A score of 100% would mean the probe is identical to the enrolled image, while a score of 20% or below would be rejected. The threshold is a critical decision for developers, since it sets the balance between security (rejecting impostors) and accessibility (accepting genuine users).

Ethics, Errors, and the Future of Authenticity

Biometric systems produce two kinds of error: the False Match Rate (FMR), the proportion of impostor attempts that are wrongly accepted, and the False Non-Match Rate (FNMR), the proportion of genuine attempts that are wrongly rejected. Raising the threshold lowers the FMR but raises the FNMR, and vice versa. If thresholds are set incorrectly, facial recognition systems can discriminate against whole groups of users, since error rates often differ across demographic groups. Furthermore, the rise of deepfakes, synthetic digital humans that appear indistinguishable from real ones, threatens provenance and the protection of individual identity. As deepfake generation improves, the community must develop better detection methods for law enforcement and security purposes. Authentic identity is no longer just about authentication; it is about provenance in an increasingly blurry digital landscape.
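The threshold decision from the CNN matching section and the FMR/FNMR trade-off above, as one added example (not code from the lecture; the feature vectors, the genuine and impostor score lists, and the candidate thresholds are constructed for illustration, and cosine similarity stands in for whatever comparison a real matcher uses):

```python
from math import sqrt
from typing import List, Sequence, Tuple


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Similarity between two feature vectors (e.g. CNN embeddings), in [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def match_score(probe: Sequence[float], template: Sequence[float]) -> float:
    """Map similarity onto the 0..1 'percentage match' scale used in the lecture."""
    return max(0.0, cosine_similarity(probe, template))


def decide(score: float, threshold: float) -> bool:
    """The fuzzy score becomes a binary accept/reject only at the threshold."""
    return score >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """FMR: impostor scores wrongly accepted. FNMR: genuine scores wrongly rejected."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) for each candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          thresholds: Sequence[float]) -> float:
    """Threshold where FMR and FNMR are closest (the equal error rate point)."""
    return min(thresholds,
               key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                 - error_rates(genuine, impostor, t)[1]))


# Constructed sample data: a tiny embedding for the enrolled template, one probe
# from the same person and one from a different person.
TEMPLATE = [0.9, 0.1, 0.4, 0.3]
PROBE_SAME = [0.85, 0.15, 0.42, 0.28]
PROBE_OTHER = [0.1, 0.9, 0.2, 0.6]

# Constructed score distributions from eight genuine and eight impostor attempts.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.79, 0.72, 0.65, 0.58]
IMPOSTOR_SCORES = [0.61, 0.55, 0.49, 0.42, 0.38, 0.31, 0.25, 0.18]
THRESHOLDS = [i / 10 for i in range(1, 10)]


if __name__ == "__main__":
    for probe in (PROBE_SAME, PROBE_OTHER):
        s = match_score(probe, TEMPLATE)
        print(f"score={s:.3f} accept@0.8={decide(s, 0.8)}")
    for t, fmr, fnmr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold={t:.1f} FMR={fmr:.3f} FNMR={fnmr:.3f}")
    print("equal error threshold:", equal_error_threshold(
        GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

On the constructed data, raising the threshold from 0.6 to 0.8 drives the FMR to zero but rejects half of the genuine attempts, which is the security-versus-accessibility balance the lecture describes; a real deployment would measure these curves on a representative population before fixing the threshold.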

Questions & Discussion

During the session, students asked about practical assignments and course requirements. One student asked about performing SSH (Secure Shell) tasks and setting up a terminal, and the instructor advised visiting the lab and consulting the group. Another discussion centred on the inclusion of AWS in the cryptography assignment. It was clarified that some course coordinators are AWS people and are creating a community for students to sign up and engage with the learning lab, since AWS and Microsoft are major industry players. Regarding the upcoming test, the instructor confirmed that it covers content from week one to week six, primarily focusing on weeks two to six. The test is expected to be multiple-choice, testing understanding of the various technical techniques rather than pure memorisation. Guest lecturers are intended to keep students in touch with industry trends but do not usually speak directly to the assignment tasks.