Secure Remote Authentication Using Biometrics Portions of this work done with Xavier Boyen, Yevgeniy Dodis, Rafail Ostrovsky, Adam Smith Jonathan Katz.

1 Secure Remote Authentication Using Biometrics. Jonathan Katz*. Portions of this work done with Xavier Boyen, Yevgeniy Dodis, Rafail Ostrovsky, Adam Smith. (* Work supported by NSF Trusted Computing grant #0310751)

2 Motivation “Humans are incapable of securely storing high-quality cryptographic secrets, and they have unacceptable speed and accuracy…. (They are also large [and] expensive to maintain…. But they are sufficiently pervasive that we must design our protocols around their limitations.)” From: “Network Security: Private Communication in a Public World,” by Kaufman, Perlman, and Speciner

3 Possible solutions? (Short) passwords? (Hardware) tokens? Biometrics –Storage of high-entropy data “for free”

4 Problems with biometrics At least two important issues: –Biometrics are not uniformly random –Biometrics are not exactly reproducible Outside the scope of this talk –Are biometrics private? –Sufficiently-high entropy? –Revocation?

5 Previous work I Davida-Frankel-Matt ’98; Monrose-Reiter-Wetzel ’99, Monrose-Reiter-Li-Wetzel ’01; Juels-Wattenberg ’99; Frykholm-Juels ’01; Juels-Sudan ’02

6 Previous work II Dodis-Reyzin-Smith ’04 –Their framework and terminology adopted here Boyen ’04 –Two main results –One result information-theoretic; second in RO model

7 Question: Can we use biometric data (coupled with these techniques…) for remote user authentication? –E.g., authentication over an insecure, adversarially-controlled network? Without requiring users to remember additional info, or the use of hardware tokens?

8 Does previous work, work? [DRS04] No! –Assumes a “secure channel” between user and server –Security vs. passive eavesdropping only [Boyen04] –Focus is on general solutions to different problems –In general, techniques only seem to achieve unidirectional authentication –By focusing on the specific problem of interest, can we do better?

9 Main results Short answer: Yes! –By focusing specifically on remote authentication, we can do better –Two solutions… Compared to [Boyen04]: –Solution in standard model –Solutions tolerating more general errors –Achieve mutual authentication –Improved bounds on the entropy loss

10 First solution Generic, “plug-in” solution whenever data from server may be tampered –In particular, applies to remote authentication –Proven secure in RO model… –Tolerates more general class of errors than [Boyen04] –Mutual authentication

11 Second solution Specific to the case of remote authentication/key exchange –Provably secure in standard model –Lower entropy loss compared to [Boyen04] and previous solution Can potentially be used for lower-entropy biometrics and/or secrets (passwords?) –Still tolerates more general errors and allows mutual authentication (as before)

12 Some background…

13 Security model I Standard model for (key exchange) + mutual authentication [BR93] –Parties have associated set of instances –Adversary can passively eavesdrop on protocol executions –Adversary can actively interfere with messages sent between parties; can also initiate messages of its own

14 Security model II Notion of “partnering” –Informally, two instances are partnered if they execute the protocol with no interference from the adversary –More formally (but omitting some details), instances are partnered if they have identical transcripts

15 Security model III (Mutual) authentication –Instances accept if they are satisfied they are speaking to the corresponding partner (determined by the protocol) –Adversary succeeds if there is an accepting instance which is not partnered with any other instance

16 Security model IV Quantify adversary’s success in terms of its resources –E.g., as a function of the number of sessions initiated by the adversary –“On-line” vs. “off-line” attacks This can give a measure of the “effective key-length” of a solution

17 Recap of [DRS04] Use Hamming distance for simplicity… (m, m’, t)-secure sketch (SS, Rec): –For all w, w’ with d(w, w’) ≤ t: Rec(w’, SS(w)) = w (I.e., “recovery from error”) –If W has min-entropy ≥ m, the average min-entropy of W|SS(W) is ≥ m’ (I.e., “w still hard to guess”)

18 Recap of [DRS04] (m, l, t, ε)-fuzzy extractor (Ext, Rec): –Ext(w) -> (R, P) s.t. 1. SD((R, P), (U_l, P)) ≤ ε (I.e., R is “close to uniform”) 2. For all w’ s.t. d(w, w’) ≤ t, Rec(w’, P) = R (I.e., “recovery from error”)

19 Applications… [DRS04] assumes that P is reliably transmitted to the user –E.g., “in-person” authentication to your laptop computer No guarantees if P is corrupted

20 [Boyen04] Main focus is reusability of biometric data (e.g., with multiple servers) –Somewhat tangential to our concern here Also defines a notion of security for fuzzy extractors when P may be corrupted…

21 [Boyen04] (Ignoring reusability aspect…) w* chosen; (R, P) = Ext(δ(w*)) for some perturbation δ; adversary gets P Adversary submits P_1, … ≠ P and δ_1, …; gets back R_1 = Rec(δ_1(w*), P_1), … “Secure” if adv. can’t distinguish R from random (except w/ small prob.)

22 Error model We assume here that d(w*, δ_i(w*)) ≤ t –I.e., errors occurring in practice are always at most the error-correcting capability of the scheme Under this assumption, [Boyen04] disallows P_i = P in adversary’s queries

23 Construction Construction in [Boyen04] achieves security assuming errors are “data-independent” –I.e., constant shifts Construction analyzed in RO model

24 Application to remote authentication Essentially as suggested in [Boyen04]:
User holds w (a fresh reading of the biometric); Server stores (P, PK), where (R, P) = Ext(w*) and R -> (SK, PK)
Server -> User: P, nonce
User: R = Rec(P, w); R -> (SK, PK); σ = Sign_SK(nonce)
User -> Server: σ
Server: Verify…

25 Security? Intuition: –If adversary forwards P, then user is signing using his “real” secret key Using a secure signature scheme –If adversary forwards P’ ≠ P: User computes some R’ and a signature w.r.t. (key derived from) R’ But even R’ itself would not help adversary learn R!

26 But… Unidirectional authentication only –No authentication of server to user The definition of [Boyen04] (seemingly) cannot be used to achieve mutual authentication –Nothing in the definition guarantees that adversary can’t send some P’ and thereby guess R’

27 New constructions

28 Construction I Modular replacement for any protocol based on fuzzy extractors, when P may be corrupted Idea: ensure that for any P’  P, the user will reject –Adversary “forced” to forward real P Sealed (fuzzy) extractor –Allow Rec to return “reject”

29 Error model Defined by a sequence of random variables (W_0, W_1, …) over some probability space Ω such that for all ω, i we have d(W_0(ω), W_i(ω)) ≤ t More general model than [Boyen04] –Allows data-dependent errors May be too strong…

30 Security definition User has w_0; computes (R, P) <- Ext(w_0); adversary given P Adversary submits P_1, …, P_n ≠ P Adversary succeeds if ∃ i s.t. Rec(w_i, P_i) ≠ “reject”

31 Application to remote authentication
User holds w; Server stores (P, R), where (R, P) = Ext(w*)
Server -> User: P, n_1
User: R = Rec(P, w) (abort on “reject”); c_1 = F_R(n_1)
User -> Server: c_1, n_2
Server: Verify c_1; c_2 = F_R(n_2)
Server -> User: c_2
User: Verify c_2
(Or run authenticated Diffie-Hellman)

32 Security? If adversary forwards P’ ≠ P, user simply rejects If adversary forwards P, then user and server are simply running auth. protocol of [BR93]

33 Constructing sealed extractor First construct secure sketch –Definition similar to that of sealed extractor –Construction is in the RO model Then apply standard extractors (as in [DRS04]) –This conversion is unconditional

34 Constructing sealed sketch Let (SS’, Rec’) be any secure sketch. Define (SS, Rec) as follows:
SS(w): s’ <- SS’(w); h = H(w, s’); output (s’, h)
Rec(w’, (s’, h)): w <- Rec’(w’, s’); if h = H(w, s’) and d(w, w’) ≤ t, output w; else output “reject”

35 Intuition? h “certifies” the recovered value w –But because of the RO model, it does not leak (much) information about w –Also, because of RO model, impossible to generate “forged” h without making (explicitly) a certain query to the RO Adversary doesn’t make this query (except with small probability) since min-entropy of recovered w is still “high enough”
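The sealed sketch of slide 34 and the protocol of slide 31, run end to end, as an added example (Python) that is not code from the paper or the talk; it also stands in for the secure-sketch and fuzzy-extractor definitions of slides 17 and 18. Everything beyond those slides is an assumption of this example: the underlying secure sketch (SS’, Rec’) is a toy code-offset sketch over a length-5 repetition code (Hamming distance, t = 2 errors), the random oracle H and the extractor are instantiated with SHA-256, F_R is HMAC-SHA256, and the function names (ss_prime, rec_prime, Rec_ext, enroll, run_session, noisy) are chosen here. The session shows a noisy but honest reading accepting on both sides, and a one-bit change to P making the user reject before it sends anything, which is the property slide 32 relies on.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions for this example, not the paper's): the underlying
# sketch (SS', Rec') is a code-offset sketch over a length-REP repetition code,
# so it corrects any T = (REP-1)//2 bit errors in a bit vector w of length N.
REP, K_BLOCKS = 5, 16
T = (REP - 1) // 2
N = REP * K_BLOCKS

def hamming(a, b):
    """Hamming distance between two bit lists (the metric of slide 17)."""
    return sum(x != y for x, y in zip(a, b))

def ss_prime(w):
    """Underlying secure sketch SS'(w) = w XOR Enc(x) for a random message x."""
    x = [secrets.randbits(1) for _ in range(K_BLOCKS)]
    codeword = [bit for bit in x for _ in range(REP)]
    return [wi ^ ci for wi, ci in zip(w, codeword)]

def rec_prime(w_noisy, s):
    """Underlying Rec'(w', s'): majority-decode w' XOR s' (= codeword XOR error)."""
    offset = [a ^ b for a, b in zip(w_noisy, s)]
    decoded = []
    for i in range(0, N, REP):
        bit = 1 if 2 * sum(offset[i:i + REP]) > REP else 0
        decoded.extend([bit] * REP)
    return [si ^ ci for si, ci in zip(s, decoded)]

def H(w, s):
    """Random oracle of slide 34, instantiated here with SHA-256 (assumption)."""
    return hashlib.sha256(b"seal|" + bytes(w) + b"|" + bytes(s)).digest()

def SS(w):
    """Sealed sketch: s' <- SS'(w); h = H(w, s'); output (s', h)."""
    s = ss_prime(w)
    return (s, H(w, s))

def Rec(w_noisy, sketch):
    """Sealed recovery: the recovered w, or None meaning 'reject'."""
    s, h = sketch
    w = rec_prime(w_noisy, s)
    if h == H(w, s) and hamming(w, w_noisy) <= T:
        return w
    return None

def extract(w):
    """Stand-in for the strong extractor applied to w (assumption: a hash)."""
    return hashlib.sha256(b"ext|" + bytes(w)).digest()

def Ext(w):
    """Sealed fuzzy extractor: (R, P) with P the sealed sketch."""
    return extract(w), SS(w)

def Rec_ext(w_noisy, P):
    w = Rec(w_noisy, P)
    return None if w is None else extract(w)

def F(R, direction, nonce):
    """The PRF F_R of slide 31, instantiated with HMAC-SHA256 (assumption)."""
    return hmac.new(R, direction + nonce, hashlib.sha256).digest()

def enroll(w_star):
    """Enrollment: server stores (P, R); the user keeps only the biometric."""
    R, P = Ext(w_star)
    return {"P": P, "R": R}

def run_session(w_user, server, tamper=False):
    """One run of the slide-31 protocol. Returns (user_accepts, server_accepts)."""
    P = server["P"]
    if tamper:                             # adversary delivers P' != P: one bit of s' flipped
        s, h = P
        s = s[:]
        s[0] ^= 1
        P = (s, h)
    n1 = secrets.token_bytes(16)           # Server -> User: P, n1
    R_user = Rec_ext(w_user, P)
    if R_user is None:                     # sealed extractor said "reject": user sends nothing
        return False, False
    c1 = F(R_user, b"user->server", n1)
    n2 = secrets.token_bytes(16)           # User -> Server: c1, n2
    if not hmac.compare_digest(c1, F(server["R"], b"user->server", n1)):
        return False, False                # server rejects; no valid c2 is ever sent
    c2 = F(server["R"], b"server->user", n2)   # Server -> User: c2
    return hmac.compare_digest(c2, F(R_user, b"server->user", n2)), True

def noisy(w, positions):
    """Constructed 'fresh reading' of w: flip the bits at the given positions."""
    w = w[:]
    for p in positions:
        w[p] ^= 1
    return w
```

With REP = 5, two flipped bits anywhere in a reading are corrected and the run accepts on both sides; three flips inside one block defeat the majority decoder, the recovered w no longer matches h, and Rec returns “reject” rather than a wrong value. The tampered run rejects for the same reason: the adversary would need H(w, s’) for a w it does not know, which is the random-oracle argument of slide 35.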

36 Performance? “Entropy loss” of w occurs in essentially three ways –From the public part s’ of the underlying sketch, and application of a (standard) extractor: bounded in [DRS04] –Due to the error model itself: inherent if we are using this strong model –From the sealed extractor construction: roughly a loss of log Vol_{t,n} bits (Vol_{t,n} = volume of a Hamming ball of radius t in {0,1}^n)

37 Construction II Specific to remote authentication Idea: “bootstrap” using auth. protocol that can handle non-uniform shared secrets –“Problem” of non-uniformity goes away –All we are left with is the issue of error-correction

38 Specifics… Use a password-only authentication (and key exchange) protocol (PAK)! These were designed for use with “short” passwords… …But no reason to limit their use to this application

39 Brief introduction/review Problem: –Two parties share a password from a (constant-size) dictionary D –If D is “small” (or has low min-entropy), an adversary can always use an on-line attack to “break” the protocol –Can we construct a protocol where this is the best an adversary can do?

40 Introduction/review Specifically, let Q denote the number of “on-line” attacks –Arbitrarily-many “off-line” attacks are allowed Then adversary’s probability of success should be at most Q/|D| –Or Q/2^(min-entropy of D) when D is not uniform

41 Introduction/review Can view PAK protocols in the following, intuitive way: –Each on-line attack by the adversary represents a single “guess” of the actual password –This is the best an adversary can do!

42 Constructions? [Bellovin-Merritt]… [BPR, BMP] – definitions, constructions in random oracle/ideal cipher models [GL] – construction in standard model [KOY] – efficient construction in standard model, assuming public parameters

43 Application to remote authentication
User holds w; Server stores (s, w*), where s = SS(w*)
Server -> User: s
User: w* = Rec(s, w)
Both: Run PAK using “password” (s, w*)

44 Intuition Even if adversary changes s, the value w’ recovered by the user still has “high enough” min-entropy By security of PAK protocol, adversary reduced to guessing this w’

45 Performance? Using a secure sketch is enough –Do not need fuzzy extractor PAK protocol doesn’t need uniform secrets! –Save 2 log(1/ε) bits of entropy This approach works even when residual min-entropy is small –Can potentially apply even to mis-typed passwords

46 Summary Two approaches for using biometric data for remote authentication –“Drop-in” solution in RO model –Solution specific to remote authentication in standard model Compared to previous work: –Solutions tolerating more general errors –Achieve mutual authentication –Improved bounds on the entropy loss –Solution in standard model
