Cover ERCIM News 63

This issue in pdf
(64 pages; 30Mb)


Cover ERCIM News 62
previous issue:
Number 62
July 2005:
Special theme:
Multimedia Informatics

previous issues online

Next issue:
January 2006

Next Special theme:
Emergent Computing

Call for the next issue

About ERCIM News

< Contents ERCIM News No. 63, October 2005
SPECIAL: Security and Trust Management

Flexible, TCP/IP-Based and Platform-Independent Management of Biometric Data for Access Control Systems

by Burkhard Stiller

The use of biometric data for access control, eg fingerprint scans, offers a simplification of room access control or a key-management function. A detailed cost analysis of existing systems shows that in addition to specific security requirements, the loss of physical keys or magnetic access cards can increase the overall costs dramatically. A large employee turnover, a large number of access points, such as doors and gates, and various user- as well as key-groups compounds the situation. A biometric data management approach would solve these problems and additionally, would ensure that keys could not be passed on to different personnel.

The collaborative project ‘Biometric Access Control’, run with the ITIS e.V. (located at the University of Federal Armed Forces, Munich, Germany) and Biometronix GmbH (Munich, Germany), has developed a new, platform-independent, flexible and TCP/IP-based Biometric Local Area Network Control Center (BioLANCC) in support of both access-control systems and single sign-on solutions.

The following example illustrates the motivation behind the current work on networked biometric data control centres. Consider a holding company with its headquarters and human resources department in Munich, and two external research laboratories in Budapest and Zürich. Since the main administration server in Munich hosts all the access rights of employees, visitors, temporary employees and cleaning staff, Munich has an overview of the entire company. Access rights may be changed (employee relocation), withdrawn (employee retirement), or added (new employment). Of course, the two research labs in Budapest and Zürich also need to be able to change access rights according to their local requirements. In addition, many different types of access-control hardware, such as fingerprint scanners, need to be grouped according to labs, research groups, or buildings. Such an organization demonstrates the administrative and organizational gains to be achieved with BioLANCC.

Thus, the development of BioLANCC was driven by a detailed organizational requirements analysis, key security requirements, and the need for an operation on multiple hardware devices as well as on different operating systems. The logically centralized management approach includes distributed access and maintenance of single users’ access. In particular, the fast and efficient support of access rights for temporary employees, or students in an academic environment, is a beneficial feature not found in any other existing system. Remote and centralized control have been integrated based on a networked TCP/IP solution.

The interactions between the attacker and the system modelled as a stochastic game.

Figure 1 depicts the system’s architecture. The implementation basis is determined by a two-tier, Java-programmed application, which accesses an SQL database. The initial use of MySQL is in the process of being replaced by a Postgress database. In addition, a three-tier version is under development, in which multiple thin management clients will be supported. BioLANCC’s specific features include the standardized use of an IP network for communications between all biometric access devices and the control centre, and full platform independency; currently supported are Windows, Linux, Solaris, and Mac OS X. Other features are the integration of multiple hardware devices (based on an open device interface and the BioAPI), a flexible user and device-group management, a time-zone manager for users and devices, and a user-selectable, graphical interface for all management operations (drag and drop). Finally, a reporting module customizable by the user allows for the supervision and backtracking of correct access as well as the investigation of, for example, error reports and failed authentications.

BioLANCC has been successfully implemented at the Department of Computer Science of the University of Federal Armed Forces in Munich. The system includes eighteen fingerprint scanners and caters for several hundred permanent and temporary employees, including professors, research assistants and students. At this stage, fingerprint scanners (V20 devices) from Identix are in use; this installation is currently the largest biometric access control system of its type in Europe. During the course of the project, additional requirements were identified and are being integrated. This covers the BioAPI mentioned above, as well as different types of biometric hardware devices (eg iris scanners). A device wizard offers the possibility of integrating a new access point easily into the system. Multilingual support is also at hand. Finally, its continued effective operation in a harsh academic environment demonstrates BioLANCC’s robustness.


Please contact:
Burkhard Stiller, University of Zurich, Switzerland and ITIS e.V. Munich, Germany