Biometrics in e-voting are important for validating the user, i.e., biometrics can deny access to unauthorised users. Both behavioural and physical biometrics can be used; some of the biometric methods that can be implemented in e-voting are "Fingerprint scanner, Iris Scan, Face Recognition, Voice Recognition, Signature, Multimodal biometrics and DNA analysis." Biometric usage needs a database to be maintained, and that database should be confidential; the data must be managed securely.
To make a biometric system reliable we need to study various issues: sensing to measurement procedures, signal analysis and interpretation to quality assessment, extraction to classification and analysis, knowledge creation to extraction, algorithms to data structures, system engineering to software engineering, etc. If we concentrate on these issues the biometric system will be more reliable.
In practice they are more reliable when multimodal, i.e., when two types are used in a single biometric system; this is shown in figure 1.
In the above multimodal system we use both a fingerprint scanner and an iris scan. When a user enters, he needs to be authenticated: first he scans his fingerprint and then his iris, and when both authentications are accepted the user is allowed to cast a vote. Hence by using this the False Acceptance Rate and False Rejection Rate will be less.
Basically there are two kinds of recognition error: False Acceptance Rate (FAR) and False Rejection Rate (FRR). A false acceptance occurs when an unauthorized user is accepted by the biometric system. A false rejection occurs when an authorized user is wrongly rejected by the biometric system. If we try to decrease one error by varying the threshold value, the other increases at the same time, so we can reduce the risk of only one error. These errors depend on the threshold value at which the system is operated, which is also the detection point. The error rates cannot both be very low at the same time; there is a meaningful detection threshold, and it is set differently for different applications. If the threshold value is high the FAR can be close to zero; in the same way, if the threshold value is low the FRR will be close to zero. Usually biometric systems have a low FAR for better security.
FAR and FRR vary between biometric systems. For example, let us assume the following error rates: for fingerprint recognition the FAR and FRR are only 0.20%, for voice recognition the FAR is 2% - 5% and the FRR is 10% - 20%, and for face recognition the FAR is 1% and the FRR is 10%. So we can see there is a lot of difference between biometric systems; the best method is fingerprint recognition because it has a low FAR and FRR compared to the other two.
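The threshold trade-off described above can be worked through on a small set of match scores. The following is an added example, not part of the original essay: the scores are constructed for illustration, and the function names and the 0-100 score scale (a sample is accepted when its score is at or above the threshold) are assumptions.

```python
# Added example: FAR/FRR trade-off over a decision threshold.
# Scores are CONSTRUCTED similarity scores (0-100, higher = closer match),
# not measurements from any real biometric device.
GENUINE = [91, 88, 95, 79, 84, 62, 90, 87, 73, 93,
           81, 58, 89, 96, 77, 85, 69, 92, 83, 86]   # rightful users
IMPOSTOR = [12, 25, 31, 8, 44, 19, 52, 27, 36, 15,
            61, 22, 29, 40, 10, 33, 71, 18, 47, 24]  # everyone else


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept when score >= threshold; return (FAR, FRR) as fractions."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(lo=0, hi=100):
    """Threshold at which FAR and FRR are closest to each other."""
    def gap(t):
        far, frr = far_frr(t)
        return abs(far - frr)
    return min(range(lo, hi + 1), key=gap)


def lowest_threshold_for_far(max_far, lo=0, hi=100):
    """Security-first tuning: lowest threshold with FAR <= max_far.
    Returns (threshold, FRR paid for it), or None if unreachable."""
    for t in range(lo, hi + 1):
        far, frr = far_frr(t)
        if far <= max_far:
            return t, frr
    return None


def highest_threshold_for_frr(max_frr, lo=0, hi=100):
    """Convenience-first tuning: highest threshold with FRR <= max_frr.
    Returns (threshold, FAR paid for it), or None if unreachable."""
    for t in range(hi, lo - 1, -1):
        far, frr = far_frr(t)
        if frr <= max_frr:
            return t, far
    return None


if __name__ == "__main__":
    for t in (40, 50, 62, 72, 80):
        far, frr = far_frr(t)
        print(f"threshold={t:3d}  FAR={far:6.1%}  FRR={frr:6.1%}")
    print("equal-error threshold:", equal_error_threshold())
    print("FAR = 0 costs:", lowest_threshold_for_far(0.0))
    print("FRR = 0 costs:", highest_threshold_for_frr(0.0))
```

On this data, driving the FAR to zero rejects 15% of rightful users, while driving the FRR to zero lets 10% of impostors through.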
Spoofing:- Spoofing is an intelligent way of attacking a biometric security system, in which an individual attempts to manipulate the correspondence between the data acquired by the biometric system and the individual himself. The individual then tries to manipulate the system by introducing information that does not belong to him, either at the time of registering or at the authentication stage.
There are different kinds of spoofing attacks.
"Biometric devices themselves are susceptible to a variety of attacks. Ratha, Connell & Bolle (2001)"
• Presenting a fake biometric
• Attacking by pre-recorded data in iris scan and face recognition
• Data manipulation of biometric in storage
When we consider an E-governance system, all the data is stored in electronic format, which can be easily breached. To implement E-governance, all the biometric information has to be obtained from the citizen and stored in a secured environment.
Presenting a fake biometric:- Presenting a fake biometric is quite easy, as everyone leaves their impressions all around in daily life. A person who wants to breach the system can use these impressions by lifting them with a gelatine material and using them according to the device used for authentication/identification.
Attacking by pre-recorded data in iris scan and face recognition:- Attacking with pre-recorded data is an easy method of spoofing an iris device or a face recognition system, using high-resolution images, and a face mask for facial recognition.
Data manipulation of biometric in storage:- Data manipulation of biometric in storage is where the data is altered on the storage servers.
Changing biometric data between device and storage:- Changing biometric data between the device and storage is also called a man-in-the-middle attack, where the attacker hacks the system, receives all the information, alters it and sends it on.
There is no security system in this world that is fully secure against spoofing; every system is breakable. The technologies used for preventing spoofing only help in that spoofing takes more time and cost. Security systems and spoofing are directly proportional to each other: the more we implement, the more chances of spoofing.
Trust: "A legal arrangement in which an individual gives fiduciary control of property to a person or institution (the trustee) for the benefit of beneficiaries."
Nowadays biometrics are used in every secure sector, such as passports and visas in the UK and Europe. In France biometrics are used for national ID cards, and there is also a proposal to use them for UK identity cards, for securing financial bank transactions and for access to laptops and computers. As a part of this, many pilot projects for biometric-enabled e-voting were run in 2000 - 2002.
An EU project called E-pool developed a system whose aim is to cast the vote through biometric technology; it conducts biometric-based e-voting for people who are unable to travel. The voters have to give their biometrics at the time of registration. They are then issued a biometric card which contains the biometric data. The voter in the booth puts their fingerprint into a reader, which checks it against the information on the card; then the vote is cast electronically and the data is sent to central computers. The EU Bio Security Initiative (Biosec), a research project set up in 2003, sees biometrics as the key technology for guaranteeing the security of personal data.
From all of the above we can say that people can trust biometric-based e-voting, because it is very secure and is trusted by the Home Office, so we can say that people are trusting this method.
In e-voting the cost of biometrics is based on the infrastructure of the biometric system used, and it mainly depends on the enrolment infrastructure and the voting infrastructure. The enrolment infrastructure needs to enrol all the people and store the users' data; it handles all the biometric data of the users who are going to vote. The voting infrastructure handles the process of voting, in which it must be able to authenticate the participant during the official period according to the given biometric proofs. This whole process needs to store a large amount of data, so the cost is a little high.
Storing the data is a part of the security infrastructure, and this security infrastructure also has two requirements: personalization and privacy. Personalization depends on the security mechanisms, such as how secure the data should be, and privacy depends on the secrecy of whom the voter votes for.
Question 2:
Introducing e-passports and biometric-enabled ID cards raises issues in terms of security. One main difference from the existing passport is that they store digitised biometric data such as fingerprint, iris scan etc.; they cannot be forged easily, and the false acceptance rate is also lower. Biometric data cannot be withdrawn once compromised, so it can be revealed to the trusted system. Once this biometric data falls into criminal hands it can be abused, for example by using the data for other than the declared purpose, sharing it, and deleting data after use.
Considering the above offences, the passport inspection system is not treated as trustworthy, so to overcome this problem Extended Access Control (EAC) provides the solution. EAC has some unique constraints: a resource-constrained relying party, no trusted time source, sporadic connectivity and the user interface. E-passport systems are designed around these constraints.
EAC has a framework that explains the architecture. The architecture is as shown in the following figure.
This architecture will be followed by many countries, which will operate all components of the architecture. There are two states in the architecture, the issuer state and the accepting state, and the architecture functions as follows:
First the Country Verifying Certification Authority (CVCA) verifies the foreign and domestic documents with the Document Verifier, and this Document Verifier issues the DV certificate; this in turn works with the inspection system to verify the e-passport, and after verifying, this issues the IS certificate. The CVCA provides an embedded key by the DV, which is responsible for signing the content, and the IS is authorized to view the content of the e-passport.
Payments can be made online securely by using SSL/TLS techniques. The payments are made over the internet, so the user connects to the internet using a browser; to make the web server secure we must use RSA techniques between the browser and the remote server. Secure web pages use an HTTPS address, which is the combination of the Hypertext Transfer Protocol and the SSL/TLS protocols to provide encryption.
SSL (Secure Sockets Layer) uses a cryptographic system with a public key and a private key: one is known to all and the other is a secret key. Web browsers that support SSL, such as IE, use these protocols to protect confidential information like credit card numbers. Payments by credit card use HTTPS connections, which rely completely on RSA security.
At the payroll service provider, documents are exchanged with clients using an HTTPS web server: files can be uploaded there and the client downloads them after logging in. But there are a number of security issues, such as the file not being secure after transfer, and also not being secure while it is on the remote server. Also, when the information is located at the other end and a third party accesses it, the data can easily be lost, because the server may not be in the same area; it can be located in any part of the world. So using RSA with HTTPS will provide security for online banking and shopping.
RSA in this combination provides 3 essential services:
The code created cannot be cracked.
Only one user can decrypt the data.
Encryption proof is available.
When all these techniques are used, the user can send data very effectively and securely over the internet.