Secure Biometric Authentication for Weak Computational Devices Mikhail Atallah (Purdue), Keith Frikken (Purdue), Michael Goodrich (UC-Irvine), Roberto.

Presentation transcript:

Secure Biometric Authentication for Weak Computational Devices
Mikhail Atallah (Purdue), Keith Frikken (Purdue), Michael Goodrich (UC-Irvine), Roberto Tamassia (Brown)
March 3, 2005

FC 2005 Introduction
- Biometric Authentication
  - Pros: Provides simple authentication mechanism
  - Cons: Changing is difficult and privacy concerns
  - Difficulties:
    - Readings vary each measurement
    - Standard techniques such as hashing won't work

Related Work
- Many schemes
  - [Chaum and Pedersen, 1993]
  - [Davida et al, 1998]
  - [Bleumer, 1998]
  - [Davida and Frankel, 1999]
  - [Juels and Wattenburg, 1999]
  - [Davida et al, 1999]
  - [Juels and Sudan, 2002]
  - [Clancy et al, 2003]
  - [Impagliazzo and More, 2003]
  - [Kershbaum et al, 2004]
  - [Dodis, 2004]

Our Goals
- Lightweight Authentication Scheme
  - Nothing more than hash functions
  - Smartcard based
- No single point of failure
  - Not smartcard
  - Not server
- Server compromise should not lead to the ability to impersonate user (even to the server)
- Goal is to have a Biometric PIN for banking systems

Framework
- Reader: Can be on card or other device, but this is what the user uses to read biometric
- Server: Stores information about clients
- Comparison Unit: Makes the comparison between the client's information and server data and grants access
- Two biometrics are "close" if their Hamming distance is below some threshold (we generalize this to other distances)

Adversary Model
- Adversary is defined by resources
  - Smartcard
    - Uncracked (SCU)
    - Cracked (SCC)
  - Fingerprint (FP)
  - Eavesdrop
    - Communication Channel (ECC)
    - Server's Database (ESD)
    - Comparison Unit (ECU) = ESD + ECC + "outcome"
  - Malicious
    - Communication Channel (MCC)
- Things that are outside our model
  - Adversaries that crack smartcard and give it back to user
  - Malicious Server's Database
  - Malicious Comparison Unit

Security Requirements
- Confidentiality: An adversary should not be able to learn the user's fingerprint
- Integrity: An adversary should not be able to impersonate the user to the comparison unit
- Availability: An adversary should not be able to prevent a user from authenticating

Confidentiality
- Have 3 oracles which are acceptable
  - Oracle A: {0,1}^|f'| → {0,1}, where A(f) returns true if f is a match
  - Oracle B: ∅ → {0,1}^log|f'|, where B() returns various distances between readings
  - Oracle C: {0,1}^|f'| → {0,1}^log|f'|, where C(f) returns the distance between f and f' (this is weakly secure)

False Starts
- Suppose f_0 and f_1 are readings of a fingerprint
- How does "bank" determine if f_0 is close to f_1 without revealing private information
  - Correctness: The distance should be computed correctly
  - Privacy: Minimal information should be revealed about f_0 and f_1

False Starts
- False Start #1:
  - Client sends f_1 to bank which compares to f_0 in the clear
  - Correct but not private
- False Start #2:
  - Client sends H(f_1) to bank which compares to H(f_0) in the clear
  - Private but not correct

False Starts (cont.)
- False Start #3:
  - Client sends f_1 ⊕ r to server that compares it to f_0 ⊕ r
  - Correct as dist(f_1 ⊕ r, f_0 ⊕ r) = dist(f_1, f_0)
  - Kind of private: individual bits are protected, but it leaks locations where things change
- False Start #4:
  - Client sends Π(f_1 ⊕ r) to server that compares it to Π(f_0 ⊕ r) for a permutation Π
  - Correct as dist(Π(f_1 ⊕ r), Π(f_0 ⊕ r)) = dist(f_1, f_0)
  - Private if permutation is only used once
  - If it is reused, then it has similar problems as #3

Our Protocol
- Goal is to be able to update r value and permutation Π between each authentication
- Assume H is a keyed hash function
- Before a round, server has:
  - s_i ⊕ Π_i(f_i ⊕ r_i), H(s_i), H(s_i, H(s_{i+1}))
- Before a round, client (smartcard) has:
  - Π_i, r_i, s_i, s_{i+1}

Protocol -- Authentication
1. Client obtains f_{i+1}, and generates r_{i+1}, s_{i+2}, and Π_{i+1}
2. It sends to the server Π_i(f_{i+1} ⊕ r_i), s_i, and some transaction information T
3. Server tests if
   - H(s_i) matches previously stored value
   - s_i ⊕ Π_i(f_{i+1} ⊕ r_i) is close to the previously stored s_i ⊕ Π_i(f_i ⊕ r_i)
4. If there is a match, then server temporarily performs T, and it sends H(T) back to the user

Protocol -- Update
1. Client tests if transaction information matches request
   - Yes: then continue to 2
   - No: then abort, wipe out this set of key information
2. Client sends to server s_{i+1} ⊕ Π_{i+1}(f_{i+1} ⊕ r_{i+1}), H(s_{i+1}), and H(s_{i+1}, H(s_{i+2}))
3. The server verifies that H(s_i, H(s_{i+1})) matches the previous value
   - If yes, then it commits transaction and updates values
   - If no, it aborts
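The authentication and update rounds described above, written out as an added Python example; it is not code from the presentation or its authors. It assumes H is HMAC-SHA256 under a key shared by smartcard and server, 64-bit templates, a threshold of 8 and a trusted enrolment step; all class and function names are hypothetical.

```python
import hashlib, hmac, random, secrets

N, THRESHOLD = 64, 8            # assumed: template length in bits, match threshold
KEY = secrets.token_bytes(32)   # assumed: key of H, shared by smartcard and server
rng = random.SystemRandom()

def H(*parts):                  # keyed hash H, modelled here as HMAC-SHA256
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()
def bits(): return [rng.randrange(2) for _ in range(N)]
def perm(): return rng.sample(range(N), N)
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def permute(p, v): return [v[j] for j in p]
def dist(a, b): return sum(x != y for x, y in zip(a, b))    # Hamming distance
def noisy(f, k):                # constructed reading: f with k random bits flipped
    flip = set(rng.sample(range(N), k))
    return [b ^ (j in flip) for j, b in enumerate(f)]
def record(f, p, r, s, s_next): # s ⊕ Π(f ⊕ r), H(s), H(s, H(s_next))
    return xor(s, permute(p, xor(f, r))), H(bytes(s)), H(bytes(s), H(bytes(s_next)))

class Card:                     # holds Π_i, r_i, s_i, s_{i+1}
    def __init__(self):
        self.p, self.r, self.s, self.s1 = perm(), bits(), bits(), bits()
    def auth_msg(self, f_new, T):
        self.f, self.T = f_new, T
        return permute(self.p, xor(f_new, self.r)), self.s, T
    def update_msg(self, ack):
        if not hmac.compare_digest(ack, H(self.T)):
            raise ValueError("transaction mismatch: abort")
        p2, r2, s2 = perm(), bits(), bits()                 # Π_{i+1}, r_{i+1}, s_{i+2}
        msg = record(self.f, p2, r2, self.s1, s2)
        self.p, self.r, self.s, self.s1 = p2, r2, self.s1, s2
        return msg

class Server:                   # stores only the masked template and two hashes
    def __init__(self, rec): self.rec, self.pending = rec, None
    def authenticate(self, v, s, T):
        masked, hs, _ = self.rec
        ok = hmac.compare_digest(H(bytes(s)), hs) and dist(xor(s, v), masked) < THRESHOLD
        self.pending = s if ok else None
        return H(T) if ok else None                         # H(T) goes back to the card
    def update(self, masked2, hs2, chain2):
        if self.pending is None or not hmac.compare_digest(
                H(bytes(self.pending), hs2), self.rec[2]):  # H(s_i, H(s_{i+1}))
            return False
        self.rec, self.pending = (masked2, hs2, chain2), None
        return True

def enroll(f0):                 # assumed trusted enrolment of the first reading
    card = Card()
    return card, Server(record(f0, card.p, card.r, card.s, card.s1))

def run_round(card, server, reading, T=b"transfer 10"):
    msg = card.auth_msg(reading, T)
    ack = server.authenticate(*msg)
    return msg, ack is not None and server.update(*card.update_msg(ack))
```

`run_round` returns the authentication message together with the outcome, so a captured message can be replayed against the server after the update to confirm that the revealed s_i no longer matches the stored H(s_i).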

Security Summary
- Confidentiality: The cases where the adversary learns the fingerprint are: (FP) or (SCC and ESD) or (SCU, ESD, and MCC) or weakly in the case of (SCU and ECU) or any superset of these cases
- Integrity: The cases where the adversary can impersonate the user are: (SCU and FP) or (SCC and ESD) or (ESD and MCC) or weakly in the case of (SCU and ECU) or any superset of these cases
- Availability: The cases where the adversary can deny access to the user are: (SCU) or (MCC) or any superset of these cases

Security Summary

Resources     | Confidentiality | Integrity | Availability
FP            | No              | Strong    | Strong
SCC and ESD   | No              | No        | No
SCU and FP    | No              | No        | No
MCC and ESD   | Strong          | No        | No
SCU, ESD, MCC | No              | No        | No
MCC           | Strong          | Strong    | No
SCU           | Strong          | Strong    | No
SCU and ECU   | Weak            | Weak      | No

Extensions
- Extended to other distances
- Storage-Computation Tradeoff:
  - Previous scheme requires several values to be stored on smartcard (in case of mismatches)
  - Can reduce storage by increasing computation (similar to SKEY)

Summary
- Have introduced lightweight biometric scheme that uses only hash functions
- No single point of failure
- Future Work:
  - Must update values in our protocol