Similar literature
 20 similar documents found (search time: 468 ms)
1.
In the light of recent security incidents, leading to compromise of services using single factor authentication mechanisms, industry and academia researchers are actively investigating novel multi-factor authentication schemes. Moreover, exposure of unprotected authentication data is a high risk threat for organizations with online presence. The challenge is how to ensure security of multi-factor authentication data without deteriorating the performance of an identity verification system? To solve this problem, we present a novel framework that applies random projections to biometric data (inherence factor), using secure keys derived from passwords (knowledge factor), to generate inherently secure, efficient and revocable/renewable biometric templates for users' verification. We evaluate the security strength of the framework against possible attacks by adversaries. We also undertake a case study of deploying the proposed framework in a two-factor authentication setup that uses users' passwords and dynamic handwritten signatures. Our system preserves the important biometric information even when the user specific password is compromised – a highly desirable feature but not existent in the state-of-the-art transformation techniques. We have evaluated the performance of the framework on three publicly available signature datasets. The results prove that the proposed framework does not undermine the discriminating features of genuine and forged signatures and the verification performance is comparable to that of the state-of-the-art benchmark results.

2.
Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

3.
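An authentication mechanism based on biometric encryption   Total citations: 2 (self-citations: 2, citations by others: 0)
To overcome the shortcomings of traditional authentication techniques in protecting security and privacy, an identity authentication model based on biometric encryption is proposed. Biometric encryption is used to protect the user's facial features and key, preventing access by unauthorized users and the use of unauthorized resources. Experimental results show that, although human facial expressions vary widely, the authentication system based on biometric encryption can still correctly distinguish genuine users from impostors, achieving good authentication performance and ensuring secure communication.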

4.
Current approaches to personal identity authentication using a single biometric technology are limited, principally because no single biometric is generally considered both sufficiently accurate and user-acceptable for universal application. Multimodal biometrics can provide a more adaptable solution to the security and convenience requirements of many applications. However, such an approach can also lead to additional complexity in the design and management of authentication systems. Additionally, complex hierarchies of security levels and interacting user/provider requirements demand that authentication systems are adaptive and flexible in configuration. In this paper we consider the integration of multimodal biometrics using intelligent agents to address issues of complexity management. The work reported here is part of a major project designated IAMBIC (Intelligent Agents for Multimodal Biometric Identification and Control), aimed at exploring the application of the intelligent agent metaphor to the field of biometric authentication. The paper provides an introduction to a first-level architecture for such a system, and demonstrates how this architecture can provide a framework for the effective control and management of access to data and systems where issues of privacy, confidentiality and trust are of primary concern. Novel approaches to software agent design and agent implementation strategies required for this architecture are also highlighted. The paper further shows how such a structure can define a fundamental paradigm to support the realisation of universal access in situations where data integrity and confidentiality must be robustly and reliably protected.

5.
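The emergence of pervasive computing poses new challenges for security and privacy in network communication, and traditional authentication techniques can no longer meet the security requirements of pervasive environments. A mechanism is proposed for mutual authentication and key establishment between service users and service providers in pervasive environments. The mechanism tightly integrates biometric encryption with Diffie-Hellman key exchange and completes mutual authentication without disclosing user privacy. It provides a secure key establishment algorithm and, by using biometric encryption, supports differentiated treatment in access control policies. Analysis shows that the protocol resists a variety of attacks well, in particular denial-of-service (DoS) attacks.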

6.
This paper presents a novel collaboration scheme for secure cloud file sharing using blockchain and attribute-based encryption (ABE). Blockchain enables us to implement access control as a smart contract between data owner and users. Each data owner creates its own smart contract wherein a data user can request to access a specific file by registering a transaction. In response transaction, the data owner sends the required credential to the user thereby enabling her/him to decrypt the intended file on the cloud storage. This scheme is decentralized, fault tolerant and secured against DoS attacks. The cipher-key, which is used for file encryption, is embedded into a set of coefficients of a polynomial so-called access polynomial. It is attached to the encrypted file on the cloud storage as a metadata. The data user can restore the cipher-key by means of the credential receiving in response transaction and access polynomial. The data owner uses ABE scheme in response transaction to impose her/his access policy to the file as well as preserving user anonymity. This scheme supports fast revocation of the user access by means of updating the access polynomial coefficients and without any communication overhead to non-revoked users. Through formal verification, we show that the scheme is secure in terms of secrecy of credential information and authentication of participants. Finally, the evaluation results show that our scheme is scalable with acceptable performance up to 20,000 users.

7.
Managing the necessary public and private keys in a large organization is a serious challenge. Software agents can be an adaptive and responsive mechanism for managing users trying to connect to network resources. BTexact Technologies Intelligent Systems Laboratory has developed the Phobos agent architecture. Phobos uses a distributed team of cooperative autonomous agents to collectively authenticate user access requests. The advantages are that the agents can query multiple information sources to select the level of trust to delegate to a user and that n agents must concur to authenticate the user, hence increasing overall security. Phobos provides numerous security services to automate user authentication and trust-management processes.

8.
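This paper proposes a secure and trusted network framework based on an integrated trusted identity recognition and access management approach. The framework provides a mechanism for flexibly modeling and describing digital user identities, and supports transaction-based privacy protection and personal data acquisition, as well as a flexible third-party accountability mechanism and end-to-end secure communication, thereby achieving trusted authentication.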

9.
Many types of research focus on utilizing Palmprint recognition in user identification and authentication. The Palmprint is one of biometric authentication (something you are) invariable during a person’s life and needs careful protection during enrollment into different biometric authentication systems. Accuracy and irreversibility are critical requirements for securing the Palmprint template during enrollment and verification. This paper proposes an innovative HAMTE neural network model that contains Hetero-Associative Memory for Palmprint template translation and projection using matrix multiplication and dot product multiplication. A HAMTE-Siamese network is constructed, which accepts two Palmprint templates and predicts whether these two templates belong to the same user or different users. The HAMTE is generated for each user during the enrollment phase, which is responsible for generating a secure template for the enrolled user. The proposed network secures the person’s Palmprint template by translating it into an irreversible template (different features space). It can be stored safely in a trusted/untrusted third-party authentication system that protects the original person’s template from being stolen. Experimental results are conducted on the CASIA database, where the proposed network achieved accuracy close to the original accuracy for the unprotected Palmprint templates. The recognition accuracy deviated by around 3%, and the equal error rate (EER) by approximately 0.02 compared to the original data, with appropriate performance (approximately 13 ms) while preserving the irreversibility property of the secure template. Moreover, the brute-force attack has been analyzed under the new Palmprint protection scheme.

10.
User authentication is highly necessary technology in a variety of services. Many researchers have proposed a two-factor authentication scheme using certificate and OTP, smartcard and password, and so on. Two-factor authentication requires an additional factor rather than one-factor authentication. Therefore, loss or exposure can occur, since users always must carry and manage the additional device or factor. For this reason, biometric authentication, used in many services, needs a verification method of the user without an additional factor. Fingerprinting is widely used in service due to excellent recognition, low cost device, and less user-hostile. However, fingerprint recognition always uses the same fingerprint template, due to the inalterability. This causes a problem of reusable fingerprint by a malicious attacker. Therefore, we proposed a secure two-factor user authentication system using fingerprint information and password to solve the existing two-factor problem. The proposed scheme is secure against reuse of a fingerprint. It does not need an extra device, so efficiency and accessibility are improved.

11.
It becomes possible to take advantage of seamless biometric authentication on mobile devices due to increasing quality and quantity of built-in sensors, increasing processing power of the devices, and wireless connectivity. However, practical effectiveness of the biometric authentication application depends on user’s environment conditions that can decrease the accuracy of biometrics recognition or make the acquisition process undesirable for mobile user in a given moment, i.e., effectiveness depends on usage context. In this paper, context-based biometric authentication model for mobile devices is proposed. It enables determining the most accurate authentication method at the moment along with the most accurate form of interacting with a user w.r.t. authentication process. The generic model designed and verified with proof-of-concept implementation constitutes a foundation for building further adaptable and extensible multi-factor context-dependent systems for mobile authentication.

12.
This paper investigates an information theoretic approach for formulating performance indices for the biometric authentication. Firstly, we formulate the constrained capacity, as a performance index for biometric authentication system for the finite number of users. Like Shannon capacity, constrained capacity is formulated using signal to noise ratio which is estimated from known statistics of users’ biometric information in the database. Constrained capacity of a user and of biometric system is fixed, given the database and the matching function. Experimental analysis using real palmprint and hand geometry images illustrates use of constrained capacity to estimate: (i) performance gains from the cohort information, (ii) the effective number of user-specific cohorts for a user and for the biometric system, (iii) information content of biometric features, and (iv) the performance of score level fusion rules for multimodal biometric system. Secondly, this paper investigates a rate-distortion framework for formulating false random correspondence probability as performance of a generic biometric. Our analysis concludes that constrained capacity can be a promising addition to performance of a biometric system. Similarly, individuality expressed as false random correspondence probability can be the performance index of a biometric trait.

13.
This paper presents a novel framework for unobtrusive biometric authentication based on the spatiotemporal analysis of human activities. Initially, the subject’s actions that are recorded by a stereoscopic camera, are detected utilizing motion history images. Then, two novel unobtrusive biometric traits are proposed, namely the static anthropometric profile that accurately encodes the inter-subject variability with respect to human body dimensions, while the activity related trait that is based on dynamic motion trajectories encodes the behavioral inter-subject variability for performing a specific action. Subsequently, score level fusion is performed via support vector machines. Finally, an ergonomics-based quality indicator is introduced for the evaluation of the authentication potential for a specific trial. Experimental validation on data from two different datasets, illustrates the significant biometric authentication potential of the proposed framework in realistic scenarios, whereby the user is unobtrusively observed, while the use of the static anthropometric profile is seen to significantly improve performance with respect to state-of-the-art approaches.

14.
As service demands rise and expand single-server user authentication has become unable to satisfy actual application demand. At the same time identity and password based authentication schemes are no longer adequate because of the insecurity of user identity and password. As a result biometric user authentication has emerged as a more reliable and attractive method. However, existing biometric authentication schemes are vulnerable to some common attacks and provide no security proof, some of these biometric schemes are also either inefficient or lack sufficient concern for privacy. In this paper, we propose an anonymous and efficient remote biometric user authentication scheme for a multi-server architecture with provable security. Through theoretical mathematic deduction, simulation implementation, and comparison with related work, we demonstrate that our approach can remove the aforementioned weaknesses and is well suited for a multi-server environment.

15.
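A biometric-based (k,n) threshold group signature mechanism is proposed. With this mechanism, users in the system can authenticate their identity using their own biometric features in order to sign messages on behalf of the whole group. Biometric-based authentication can use a user's biometric information, such as a fingerprint or iris, to recover the secret pre-assigned to that user. A biometric-based threshold signature scheme is proposed. In this scheme there is a group of n users. Each user's secret is stored in a tamper-resistant smart card; users authenticate their identity with their own biometric features, and once authentication succeeds the smart card can sign on the user's behalf. When any k or more users in the system have been authenticated, the system as a whole can produce a signature representing the group.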

16.
When utilizing services over public networks, a remote user authentication mechanism forms a first line of defense by rejecting illegal logins from unauthorized users. On-line applications over the Internet such as E-learning, on-line games, etc. are ever more common; remote user participation via networks plays a vital role in security and should be guaranteed. Without this countermeasure, malicious users are likely to enable agents to communicate with remote on-line systems. While existing remote user authentication schemes rarely address this issue, this paper highlights the problem of guaranteeing remote user participation. This proposed user authentication scheme benefits from combining CAPTCHA techniques and visual secret sharing to ensure deliberate human interaction. This scheme provides mutual authentication and is secure against certain known attacks, as well as low in computation cost.

17.
In recent years, the volume of educational contents has been explosively increased thanks to the rapid development of multimedia technologies. Furthermore, the development of smart devices has made various educational institutes use them as effective learning tools. Since more and more educational contents become available not only at school zone but at a variety of online learning systems, it becomes increasingly unaffordable for a single educational contents provider to store and process them locally. Therefore, many educational contents providers are likely to outsource the contents to cloud storage for cost saving. These phenomena raise one serious concern: how to authenticate educational contents users in a secure and efficient way? The most widely used password-based authentication suffers from numerous drawbacks in terms of security. Multi-factor authentication protocols based on diverse communication channels such as SMS, biometric, hardware token could enhance security, however they inevitably bring poor usability. To this end, we present a data block-based authentication scheme, which provides provable security and guarantees usability invariant such that users do nothing but entering a password. In addition, the proposed scheme supports efficient user revocation. To the best of our knowledge, our scheme is the first data block-based authentication scheme for outsourced educational contents that is provably secure without usability degradation. The experiment on Amazon EC2 cloud shows that the proposed scheme guarantees nearly constant time for user authentication.

18.
With the rapid growth of smartphones and tablets in our daily lives, securing the sensitive data stored upon them makes authentication of paramount importance. Current authentication approaches do not re-authenticate in order to re-validate the user’s identity after accessing a mobile phone. Accordingly, there is a security benefit if authentication can be applied continually and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond the point of entry. To this end, this paper suggests a novel transparent user authentication method for mobile applications by applying biometric authentication on each service within a single application in a secure and usable manner based on the risk level. A study involving data collected from 76 users over a one-month period using 12 mobile applications was undertaken to examine the proposed approach. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Interestingly, when the participants were divided into three levels of usage (high, medium and low), the average intrusive authentication request was 3% which indicates a clear enhancement and suggests that the system would add a further level of security without imposing significant inconvenience upon the user.

19.
With the development of solutions like 6LoWPAN, the implementation of IP technology in sensor devices is already a reality. Therefore, sensors can be natively integrated in the Internet, becoming globally addressable by any other Internet-connected party. Despite the huge potential of this approach, it also gives place to new threats, being one of the most critical ones the effective protection of the information gathered by sensors from unauthorised remote access attempts. A suitable solution to address this issue is the Ladon security protocol, which provides resource-deprived devices with end-to-end authentication, authorisation and key establishment mechanisms. Once the critical security issue has been solved, additional concerns arise. Specially remarkable is the protection of user privacy in order to prevent potential eavesdroppers from tracking users’ access trends and obtaining behavioural patterns. In this regard, authentication and authorisation processes deserve a special consideration, since they imply conveying user identity-related information to the targeted services. In this paper, we present a privacy-enhanced Ladon protocol by integrating the original protocol with the PrivaKERB user privacy framework for Kerberos. Due to the severe resource limitations that characterise the targeted environments, a performance evaluation of the proposed solution is carried out in order to prove that it meets the performance requirements of the considered environments in terms of energy cost and additional delay for each secure session establishment. The obtained results show that privacy-enhanced Ladon is a secure and efficient solution to implement privacy-supporting authentication and authorisation processes in resource-deprived environments.

20.
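Because traditional password authentication is inconvenient, biometric recognition has come to the fore thanks to its convenience, reliability, security and traceability. Among the different biometric recognition technologies, iris recognition has been shown to offer high recognition performance and stability, and it is often used in fields with high security requirements (such as authentication management for classified organizations). In these fields, the number of legitimate users is often itself confidential information that must not be disclosed. In recent years attacks against iris recognition have also become more advanced, and further information may be inferred from the user count once it is obtained, creating greater security risks. However, existing secure iris recognition schemes only consider satisfying revocability, irreversibility and unlinkability, and do not consider protecting user count information. This paper proposes a secure iris recognition scheme that protects user count information: the number of enrollment templates for each user is determined jointly by the result of a random selection over the user's own iris features and by system parameters, so that an attacker can hardly infer the number of legitimate users from the number of iris templates stored on the server. The scheme can be combined effectively with existing secure iris recognition schemes. Theoretical analysis shows that the scheme can protect the number of legitimate users, protect the number of newly added users, and prevent linkage attacks, and that, besides preserving the revocability and unlinkability of the original secure iris recognition scheme, it can further improve that scheme's irreversibility. Experimental results show that the probability of an attacker correctly guessing the number of legitimate users is below 15%, and that both the relative error and the relative expected error exceed 10%. The scheme therefore protects user count information effectively and does not greatly affect the recognition accuracy of the original secure iris recognition scheme, with the difference within 0.55%.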
