Oracle Biometrics Security

Oracle Database Tips by Donald Burleson

Password management has become a major drain on corporate resources, especially for organizations with dozens of applications, each with its own cryptic password requirements and password-aging rules. As a result, end-users are forced to keep written lists of their passwords, and some larger Oracle shops have a full-time employee dedicated to fixing "I forgot my password" issues.

For complete support for biometric single sign-on for any Oracle databases, just call for Oracle biometrics support.

The use of passwords to validate access rights dates back to Roman times: thousands of years ago Roman soldiers memorized spoken passwords to gain access to camps. I imagine that the Romans probably used Roman password phrases, maybe like these:

  • Sharpei Diem - Seize the wrinkled dog
  • DBA Non Carborundum - Don't let the DBA wear you down
  • Quantum materiae materietur marmota monax si marmota monax materiam possit materiari? - How much wood would a woodchuck chuck if a woodchuck could chuck wood?
  • Domino vobiscum - The pizza guy is here
  • Fac ut gaudeam - Make my day

Anyway, as our access requirements became more sophisticated over the next two millennia, the age-old practice of using passwords has caused its own data security crisis. Managing database security has always been a daunting challenge, and there are two age-old problems with traditional password-based access:

  • Too Many Passwords - Single sign-on tools such as IBM's Resource Access Control Facility (RACF) and Oracle single sign-on (SSO) have been quite expensive to manage. Single sign-on tools only work for specific types of applications (e.g. web pages, Oracle sign-on), and comprehensive single sign-on tools have failed miserably.
     
  • Cryptic passwords - Because individual applications insist that their users change passwords frequently and use non-obvious passwords (including numbers, at least 7 characters long), end-users everywhere are being forced to write down their many passwords.

With end-users bypassing the security by keeping lists of passwords, Oracle database security managers are challenged to find alternate ways to positively identify end-users and control their access to confidential database information.

Who Goes There?

The positive identification of an end-user is the most critical component of any biometrics application and there have been several areas where external identification technology has been explored:

  • Iris Recognition - The human iris is as distinctive as a fingerprint.  The cameras are expensive, but the technology is being effectively-used by US border control.
     
  • Fingerprint recognition - This is the most cost-effective and widely-used positive recognition technology today with units available for under $40.
     
  • Facial Recognition - Used only by governments today, high-speed computers are used to identify individual faces from different perspectives.
     
  • Tongue recognition - The human tongue is unique, but displaying it proved both messy and embarrassing. Tongue piercings and saliva hindered efforts to develop an effective optical tongue reader.

Iris recognition is used by the United States Immigration and Border Control to positively identify travelers.  The technology now offers cameras that capture a reliable iris image from all international travelers entering the USA.


Fingerprint recognition has become inexpensive and reliable and low-cost fingerprint readers are now available for positive identification.  The output from these devices is interfaced with specialized software to perform proxy invocations of Oracle database applications.


[Image: Iris camera]

[Image: Fingerprint reader]

Let's take a closer look at biometrics for Oracle databases.

Fingerprint biometrics and Oracle

Fingerprint readers have been around since the 1980s, when the government used them to control access to classified military and research areas. The technology was refined so that even a severed finger cannot be used to gain access; only a real, live finger triggers system access. Most fingerprint readers have a very small footprint (less than 50 megabytes of disk) and are plug-and-play USB devices on Windows XP machines.

Biometric fingerprint readers for Oracle allow users to log into any system simply by touching a finger to the reader, with no usernames or passwords to remember. The reader authenticates the user by fingerprint, invokes the appropriate Oracle application, and signs the user on to the Oracle database application.

Fingerprint readers for credit card authentication
 

Seiko Epson has developed a paper-thin fingerprint reader that shows great promise for self-authentication of credit cards and other small devices that require security and authentication.

"The fingerprint sensor's ultra-thin profile means it can easily be incorporated into a variety of commonly used items. Among the applications that Seiko Epson is targeting are self-authenticating credit cards, in which a tiny on-card processor is used to compare the captured fingerprint data with the user's fingerprint data stored in an embedded memory.

A non-matching fingerprint would render the card unusable, preventing abuse in the case of loss or theft."

This article also notes that biometric fingerprint readers are being introduced for cell phones to prevent unauthorized calls: "Scan your digits to lock and unlock the phone. Sweet, eh?"

Biometric fingerprint reader fraud

However, there are some recent reports that the cheaper fingerprint readers can be fooled with gummi bears:

"A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera...

he took latent fingerprints from a glass, which he enhanced with a cyanoacrylate adhesive (super-glue fumes) and photographed with a digital camera. Using PhotoShop, he improved the contrast of the image and printed the fingerprint onto a transparency sheet...

From this he made a gelatine finger using the print on the PCB, using the same process as before. Again this fooled fingerprint detectors about 80 per cent of the time."

Fingerprint Access to Oracle Systems

Oracle has offered several tools and utilities to help with the password-management problem, but none offers a complete biometric solution. Let's take a closer look at how these methods apply to fingerprint sign-on to Oracle databases:

  • Single Sign-On - Many tools such as Oracle Application Server 10g (and Oracle9iAS) offer a single sign-on facility (SSO) to allow a single place for password management, but we still have the issue of storing the passwords and invoking the application on behalf of the fingerprint authenticated end-user.
     
  • Oracle Biometrics Manager - Oracle8 Enterprise Manager (OEM) offered a Biometrics Manager to allow the DBA to administer biometric credentials (fingerprints) of Oracle database end-users that use the Oracle Advanced Networking Option, but this option was dropped in later releases of OEM.
     
  • Remote Authentication Dial-In User Service (RADIUS) - Oracle has a RADIUS biometrics environment (and "smart cards") whereby access is controlled at the Oracle*Net level. The RADIUS approach stores the master fingerprints, user ID and password in either LDAP or Oracle tables, and it can automatically start and sign in end-users to Oracle database applications written in Oracle SQL*Forms, SQL*Reports, OCI or PL/SQL.

As we can see, there is no generic Oracle solution for positive identification of an end-user, and access to a SQL*Forms application will be very different from access to an HTML-DB application. The access method also depends on the type of end-user access within the Oracle database. Oracle offers four major types of end-user access, and customized fingerprint interface software is required for each type:

  • Oracle Users with direct privileges - The end-user has a user ID within Oracle, and specific privileges and roles are granted to the end-user.
     
  • Oracle Users with Virtual Private Databases - In Oracle VPD (a.k.a. row-level security, or RLS), the end-user's queries are constrained by dynamic "where clauses" that restrict the rows they may access within any table.
     
  • Oracle Users with Grant Execute privileges - In the "grant execute" model, each user is granted access to specific procedures and takes on the access privileges of the procedure owner, but only while executing the stored procedure.
     
  • External Security - Many large Oracle vendor applications (e.g. SAP) control access via the application layer. At sign-on time, the application signs the end-user on to Oracle with a generic ID and controls their data access programmatically. We also see the Oracle Application Server Single Sign-on (SSO) utility used to consolidate end-user passwords for multiple applications.

Despite the use of fingerprints for authentication, Oracle still requires passwords, and these must be stored in a secure area for the biometrics software to perform a proxy sign-on. Most DBAs who implement fingerprint biometrics will choose to use pre-written software or write a custom interface to the password store. The downside of pre-written biometric tools is that they store the user ID and password on the PC, whereas a custom solution allows the Oracle database to store the proxy sign-on information.

Pre-written biometrics software

If using the Microsoft fingerprint reader, each end-user fingerprint will be registered using the Microsoft Registration Wizard and stored on the PC.   When the user first visits a website that requires a password, the user touches the Fingerprint Reader with the registered finger.   Then the user enters the username and password they are given.   

The information is saved together.   The next time the user needs to access the website, the user simply touches the fingerprint reader and they will be automatically logged in. The user will not need to remember or use their username and password again.  This tool is perfect for web-based Oracle applications where the invocation is done via URL, such as Oracle HTML-DB applications.

Customized Oracle biometrics

For more sophisticated biometrics controls, an Oracle database table is required to store the fingerprint master, the default application to invoke, and the user ID and password:

create table
   master_logon
(
   fingerprint_master   blob,           -- enrolled fingerprint template, matched by the reader software
   default_application  varchar2(2000), -- application stub (URL or command) to invoke after a match
   userid               varchar2(30),   -- a bare CHAR would be CHAR(1): one character only
   password             varchar2(30)    -- proxy sign-on credential; encrypt this column (e.g. DBMS_CRYPTO or TDE)
);

At finger swipe time, a custom API retrieves the "fingerprint master" and the device software authenticates the end-user.  Once positive identification is achieved, the Oracle table provides the username, password and application stub.  The end-user is then signed-onto the application with this information (Figure 1):

Figure 1 - Custom Oracle database biometric sign-on
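A hardened variant of this design, as an added example (not the article's own code): the fingerprint match stays in the reader software as described above, so the package takes the matched user ID as input and only hands out the proxy credential, which is stored AES-encrypted rather than in the clear. Assumed: Oracle 10g or later for DBMS_CRYPTO, the package and procedure names, and a data-encryption key held in a wallet or HSM (data_key is a labelled placeholder for that lookup).

```sql
create table master_logon (
   userid               varchar2(30)   primary key,
   fingerprint_master   blob           not null, -- enrolled template, matched by the reader software
   default_application  varchar2(2000) not null, -- URL or command the proxy sign-on launches
   password_enc         raw(2000)      not null, -- AES-256-CBC ciphertext of the Oracle password
   password_iv          raw(16)        not null  -- per-row IV: equal passwords never share ciphertext
);

create or replace package biometric_logon as
   procedure enroll(p_userid in varchar2, p_template in blob,
                    p_app in varchar2, p_password in varchar2);
   -- Called by the device software only after it has matched a live finger
   -- against fingerprint_master; returns the application stub and password.
   procedure proxy_credentials(p_userid in varchar2,
                               p_app out varchar2, p_password out varchar2);
end biometric_logon;
/
create or replace package body biometric_logon as
   c_mode constant pls_integer := dbms_crypto.encrypt_aes256
                                + dbms_crypto.chain_cbc + dbms_crypto.pad_pkcs5;
   function data_key return raw is
   begin
      -- PLACEHOLDER (assumption): fetch the 32-byte key from a wallet or HSM.
      -- A literal key here would defeat the purpose of encrypting the column.
      return hextoraw(rpad('0', 64, '0'));
   end data_key;
   procedure enroll(p_userid in varchar2, p_template in blob,
                    p_app in varchar2, p_password in varchar2) is
      l_iv raw(16) := dbms_crypto.randombytes(16);  -- fresh IV per enrollment
   begin
      insert into master_logon
         (userid, fingerprint_master, default_application, password_enc, password_iv)
      values (p_userid, p_template, p_app,
              dbms_crypto.encrypt(utl_i18n.string_to_raw(p_password, 'AL32UTF8'),
                                  c_mode, data_key, l_iv),
              l_iv);
   end enroll;
   procedure proxy_credentials(p_userid in varchar2,
                               p_app out varchar2, p_password out varchar2) is
      l_row master_logon%rowtype;
   begin
      select * into l_row from master_logon where userid = p_userid;
      p_app      := l_row.default_application;
      p_password := utl_i18n.raw_to_char(dbms_crypto.decrypt(
                       l_row.password_enc, c_mode, data_key, l_row.password_iv), 'AL32UTF8');
   end proxy_credentials;
end biometric_logon;
/
```

Grant execute on biometric_logon only to the account the device software connects as; the package owner needs execute on DBMS_CRYPTO, and the plaintext password exists only in the OUT parameter of the proxy call.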

Conclusions on Oracle Biometrics

With the inherent problems associated with passwords, Oracle security administrators are finding that Oracle biometrics is a more secure and cost-effective solution. Oracle biometrics systems offer more secure environments and also remove the need to dedicate a help-desk person to managing password changes for hundreds of end-users.

The falling prices of biometrics hardware (fingerprint readers for under $31) have started a movement to use biometrics with Oracle. Most Oracle shops will use pre-written biometrics software (Motorola Biometrics) or write their own Oracle biometrics solutions using Oracle RADIUS or Oracle Single Sign-on.

The most robust Oracle biometrics solutions employ an API to store the fingerprint master, user ID and password in a secure Oracle table, and they use this table to let the device perform the authentication and invoke the application on the end-user's behalf. These custom solutions also have the benefit of being usable across a variety of Oracle front-ends, including SQL*Forms, OCI, J2EE, Java, HTML-DB and others.

For expert consulting on Oracle biometrics from my staff, click here.

References:

Oracle Advanced Security provides enhanced user authentication through several third-party authentication services, and through the use of SSL with digital certificates. Many of these options use centralized authentication, which can give you high confidence in the identity of users, clients, and servers in distributed environments. It also provides for enhanced authentication by integrating technologies such as token cards to prove users' identities. User authentication, a function of Oracle9i, is significantly enhanced by using the authentication methods supported by Oracle Advanced Security.

Supported authentication methods include:

  • Oracle Public Key Infrastructure-Based Authentication
  • Secure Sockets Layer (SSL) Authentication in Oracle Advanced Security
  • Entrust/PKI Support in Oracle Advanced Security
  • Standard PKI Support in Oracle Advanced Security
  • RADIUS with Oracle Advanced Security
  • Kerberos and CyberSafe with Oracle Advanced Security
  • Smart Cards with Oracle Advanced Security
  • Token Cards with Oracle Advanced Security
  • Biometric Authentication with Oracle Advanced Security
  • Distributed Computing Environment (DCE) with Oracle Advanced Security

Burleson Consulting

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.