Similar literature
Found 20 similar documents; search took 31 ms
1.
Biometric cryptosystems: issues and challenges   Total citations: 12, self-citations: 0, citations by others: 12
In traditional cryptosystems, user authentication is based on possession of secret keys; the method falls apart if the keys are not kept secret (i.e., shared with non-legitimate users). Further, keys can be forgotten, lost, or stolen and, thus, cannot provide non-repudiation. Current authentication systems based on physiological and behavioral characteristics of persons (known as biometrics), such as fingerprints, inherently provide solutions to many of these problems and may replace the authentication component of traditional cryptosystems. We present various methods that monolithically bind a cryptographic key with the biometric template of a user stored in the database in such a way that the key cannot be revealed without a successful biometric authentication. We assess the performance of one of these biometric key binding/generation algorithms using the fingerprint biometric. We illustrate the challenges involved in biometric key generation primarily due to drastic acquisition variations in the representation of a biometric identifier and the imperfect nature of biometric feature extraction and matching algorithms. We elaborate on the suitability of these algorithms for digital rights management systems.

2.
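Password-based remote user authentication systems have been widely deployed. Recent research has found that single-password systems are vulnerable to attacks such as dictionary analysis and brute-force cracking, and offer low security. Authentication that combines biometrics with passwords has gradually been introduced into remote authentication systems to raise their security level. However, existing authentication systems usually operate in a single-server environment; when extended to a multi-server environment, they run into the problem that biometric templates and passwords are susceptible to single-point compromise and cross-cracking. To overcome these problems, a multi-server key authentication scheme based on biometrics and chaotic maps is proposed. The scheme is based on smart cards, passwords and biometrics, and can markedly improve the security of multi-server identity authentication systems and their resistance to password guessing.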

3.
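Research on a biometric authentication system based on PKI and PMI   Total citations: 1, self-citations: 0, citations by others: 1
As an accurate and efficient method of identity authentication, biometric authentication technology is being applied ever more widely in the identity authentication field. However, no general-purpose biometric authentication system for open networks has yet emerged. Because X.509-based public key infrastructure (PKI) and privilege management infrastructure (PMI) are currently the widely used and effective identity authentication and privilege management technologies in open networks, this paper builds on PKI and PMI to propose a novel general-purpose biometric authentication system, based on biometric certificates, that provides both identity authentication and privilege management. Finally, by designing a high-security biometric smart card that implements an identity authentication and privilege management system, the feasibility and operability of the PKI- and PMI-based biometric authentication system are verified.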

4.
Securing the exchange of intellectual property and providing protection to multimedia contents in distribution systems have enabled the advent of digital rights management (DRM) systems. User authentication, a key component of any DRM system, ensures that only those with specific rights are able to access the digital information. It is here that biometrics play an essential role. It reinforces security at all stages where customer authentication is needed. Biometric recognition, as a means of personal authentication, is an emerging signal processing area focused on increasing security and convenience of use in applications where users need to be securely identified. In this article, we outline the state-of-the-art of several popular biometric modalities and technologies and provide specific applications where biometric recognition may be beneficially incorporated. In addition, the article also discussed integration strategies of biometric authentication technologies into DRM systems that satisfy the needs and requirements of consumers, content providers, and payment brokers, securing delivery channels and contents.

5.
In response to increased security concerns, biometrics is becoming more focused on overcoming or complementing conventional knowledge and possession‐based authentication. However, biometric authentication requires special care since the loss of biometric data is irrecoverable. In this paper, we present a biometric authentication framework, where several novel techniques are applied to provide security and privacy. First, a biometric template is saved in a transformed form. This makes it possible for a template to be canceled upon its loss while the original biometric information is not revealed. Second, when a user is registered with a server, a biometric template is stored in a special form, named a ‘soft vault’. This technique prevents impersonation attacks even if data in a server is disclosed to an attacker. Finally, a one‐time template technique is applied in order to prevent replay attacks against templates transmitted over networks. In addition, the whole scheme keeps decision equivalence with conventional face authentication, and thus it does not decrease biometric recognition performance. As a result, the proposed techniques construct a secure face authentication framework in open networks.

6.
This paper presents a new efficient and lightweight approach for enhancing the security of biometric models, namely, fingerprint templates, against possible attacks. The proposed design is based on Vernam stream cipher in which the key generator is designed in the hardware manner. The designed cryptosystem consists of using multi‐scroll chaotic system that is characterized by a large key space and can be generated N×N grid multi‐scroll attractors, with a good behavior of chaotic dynamic. The hardware approach is carried out through describing Euler method by VHDL. Field‐programmable gate array (FPGA) experimental results validate the developed architecture while still providing a good compromise between hardware resources and performance. Indeed, security analysis also shows that the designed encryption algorithm is robust against statistical, brute force, and entropy attacks. Therefore, it can be considered as a lightweight security solution, which could be very useful in many embedded applications namely securing biometric authentication systems.

7.
In this digital era, two entities can exchange messages over the internet even though the physical distance between them is large. Before the exchange they need to authenticate each other via an authentication scheme. A biometric is one of the unique features of each entity and can be used to identify the authenticity of the entity. Motivated by this, many researchers have proposed various schemes based on biometric features for authentication using smart cards. As a smart card is not completely tamper resistant, various attacks have been identified by researchers in the biometric-based authentication schemes. In this paper we review Wen et al.’s scheme and we find that Wen et al.’s scheme is vulnerable to insider attack and denial of service attack, and that user anonymity cannot be achieved by it. Then we propose a new remote user authentication algorithm, where our algorithm is secure.

8.
A secure key agreement scheme plays a major role in protecting communications between the users using voice over internet protocol over a public network like the internet. In this paper we present a strong security authenticated key agreement scheme for session initiation protocol (SIP) by using biometrics, passwords and smart cards. The proposed scheme realizes biometric data protection through key agreement process meanwhile achieving the verification of the biometric value on the SIP server side which is very important in designing a practical authenticated key agreement for SIP. The main merits of our proposed scheme are: (1) the SIP server does not need to maintain any password or verification table; (2) the scheme can provide user identity protection—the user’s real identity is protected by a secure symmetric encryption algorithm and the elliptic curve discrete logarithm problem, and it is transmitted in code; (3) the scheme can preserve the privacy of the user’s biometric data while the biometric matching algorithm is performed at the SIP server side, even if the server does not know the biometric data in the authentication process. Performance and security analysis shows that our proposed scheme increases efficiency significantly in comparison with other related schemes.

9.
Sudhakar T., Natarajan V. Wireless Networks, 2020, 26(7): 4909-4920

Several password and smart-card based two-factor security remote user authentication protocols for multi-server environment have been proposed for the last two decades. Due to tamper-resistant nature of smart cards, the security parameters are stored in it and it is also a secure place to perform authentication process. However, if the smart card is lost or stolen, it is possible to extract the information stored in smart card using power analysis attack. Hence, the two factor security protocols are at risk to various attacks such as password guessing attack, impersonation attack, replay attack and so on. Therefore, to enhance the level of security, researchers have focused on three-factor (Password, Smart Card, and Biometric) security authentication scheme for multi-server environment. In existing biometric based authentication protocols, keys are generated using fuzzy extractor in which keys cannot be renewed. This property of fuzzy extractor is undesirable for revocation of smart card and re-registration process when the smart card is lost or stolen. In addition, existing biometric based schemes involve public key cryptosystem for authentication process which leads to increased computation cost and communication cost. In this paper, we propose a new multi-server authentication protocol using smart card, hash function and fuzzy embedder based biometric. We use Burrows–Abadi–Needham logic to prove the correctness of the new scheme. The security features and efficiency of the proposed scheme is compared with recent schemes and comparison results show that this scheme provides strong security with a significant efficiency.


10.
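Li Xun, You Lin, Liang Jiahao, Yan Chunhui. Telecommunications Science (电信科学), 2018, 34(10): 72-84
To address the problems that biometric fuzzy vaults are vulnerable to correlation attacks, which lead to loss of the key and the biometric template, and that fuzzy vaults based on a single biometric have unreliable authentication performance, a new fuzzy vault scheme based on feature-level fusion of fingerprint and face is proposed. The scheme applies an irreversible transformation to the fingerprint features and the face features separately and, after the feature-level transformation, fuses the fingerprint and face features into a single template based on the Diffie-Hellman algorithm. Finally, the resulting fused template is used to construct the fuzzy vault; updating the random matrix makes the vault revocable, effectively resists correlation attacks, and achieves reliable identity authentication. Experimental results show that the proposed scheme improves the reliability of the system and the security of the multi-biometric template.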

11.
A new two-factor authenticated key agreement protocol based on biometric feature and password was proposed. The protocol took advantages of the user’s biological information and password to achieve the secure communication without bringing the smart card. The biometric feature was not stored in the server by using the fuzzy extractor technique, so the sensitive information of the user cannot be leaked when the server was corrupted. The authentication messages of the user were protected by the server’s public key, so the protocol can resist the off-line dictionary attack which often appears in the authentication protocols based on password. The security of the proposed protocol was given in the random oracle model provided the elliptic computational Diffie-Hellman assumption holds. The performance analysis shows the proposed protocol has better security.

12.
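To meet the application requirements of high-security scenarios (such as military, national security and banking) and further improve the security of user authentication protocols for wireless sensor networks, a three-factor user authentication protocol based on biometric recognition is proposed. To address the security flaws of the Althobaiti protocol, which cannot defend against node compromise attacks, impersonation attacks, man-in-the-middle attacks and privileged insider attacks, smart cards and passwords are added as the protocol's basic security factors, and the biometric identifier processed by the biometric identification information generation function and recovery function is used as an additional security factor. In key management, each node is configured with a unique key shared with the gateway node, ensuring the independence and security of the authentication process; users can choose their own key shared with the gateway node, improving the security of communication over public channels; and a password and biometric identifier update mechanism is designed that works without the gateway node's participation, ensuring the freshness of both. Analysis under the extended Dolev-Yao threat model and simulation with AVISPA's OFMC analysis back end show that the protocol overcomes the security flaws of the Althobaiti protocol and requires less computing power than public-key encryption. Balancing security against computational cost, the protocol is suitable for wireless sensor network applications that are resource-constrained and have high security requirements.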

13.
Biometric methods offer an alternative approach to authentication of individuals, using distinctive physical features of the body (such as fingerprints) or characteristic actions of people (e.g. digitised forms of written signatures). Although systems have been available for over thirty years, there is now a sound understanding of how they can be used to best effect, based upon continued research studies, experience gained in trials and deployments, and the development of cheaper and smaller devices. The activities of standardisation bodies point to the increasing maturity of these technologies. However, widespread use of biometric methods will depend upon other factors, e.g. strong business cases that justify whole life costs against the total costs of ownership of existing authentication methods, and the acceptance of such methods by consumers, citizens and employees.

14.
In the post-quantum era, the password-based authentication key exchange (PAKE) protocol on lattice has the characteristics of convenience and high efficiency; however, these protocols cannot resist online dictionary attack that is a common method used by attackers. A lattice-based two-factor (biometric and password) authentication key exchange (TFAKE) protocol based on key consensus (KC) is proposed. The protocol encapsulates the hash value of biometric information and password through a splittable encryption method, and compares the decapsulated information with the server's stored value to achieve the dual identity authentication. Then the protocol utilizes the asymmetric hash structure to simplify the calculation steps, which increases the calculation efficiency. Moreover, KC algorithm is employed in reducing data transmission overhead. Compared with the current PAKE protocol, the proposed protocol has the characteristics of hybrid authentication and resisting online dictionary attack. And it reduces the number of communication rounds and improves the efficiency and the security of protocol application.

15.
This paper pioneers an experimentation on assessing security and performance of a well-established biometric authentication protocol. Using the gold standard in software reliability, a path-oriented software quality control tool, the work exploits the attack surface leveraging path analysis. The test not only identifies security vulnerabilities in a system but also pinpoints those vulnerabilities at real security risk to optimize resource allocation. The automated holistic examination of the authentication process reveals a weakness in the biometric authentication protocol at study. The attack map generated from the analysis directs its improvement. Reexamination validates the security of the protocol. The work also studies the computational complexity of the protocol, thereby, recommends the key length suitable to biometric authentication for wireless body area networks.

16.
Automated security is one of the major concerns of modern times. Secure and reliable authentication systems are in great demand. A biometric trait like the finger knuckle print (FKP) of a person is unique and secure. Finger knuckle print is a novel biometric trait and is not explored much for real-time implementation. In this paper, three different algorithms have been proposed based on this trait. The first approach uses Radon transform for feature extraction. Two levels of security are provided here and are based on eigenvalues and the peak points of the Radon graph. In the second approach, Gabor wavelet transform is used for extracting the features. Again, two levels of security are provided based on magnitude values of Gabor wavelet and the peak points of Gabor wavelet graph. The third approach is intended to authenticate a person even if there is a damage in finger knuckle position due to injury. The FKP image is divided into modules and module-wise feature matching is done for authentication. Performance of these algorithms was found to be much better than very few existing works. Moreover, the algorithms are designed so as to implement in real-time system with minimal changes.

17.

Fog computing improves efficiency and reduces the amount of bandwidth to the cloud. In many use cases, the internet of things (IoT) devices do not know the fog nodes in advance. Moreover, as the fog nodes are often placed in open publicly available places, they can be easily captured. Therefore, it should be ensured that even if the key material is leaked from the fog devices, the previously generated session keys and the identity of the devices can be kept secret, i.e. satisfying anonymity, unlinkability, perfect forward secrecy and resistance against stolen devices attack. Such demands require a multi-factor authentication scheme, which is typically done by providing input of the user with password or biometric data. However, in real use case scenarios, IoT devices should be able to automatically start the process without requiring such manual interaction and also fog devices need to autonomously operate. Therefore, this paper proposes a physical unclonable function (PUF) based mutual authentication scheme, being the first security scheme for a fog architecture, capable of providing simultaneously all these suggested security features. In addition, we also show the resistance against other types of attacks like synchronization and known session specific temporary information attack. Moreover, the scheme only relies on symmetric key based operations and thus results in very good performance, compared to the other fog based security systems proposed in literature.


18.
Due to the great advances in biomedical digital signal processing, new biometric traits have showed noticeable improvements in authentication systems. Recently, the ElectroCardioGram (ECG) and the PhonoCardioGraph (PCG) have been proposed as novel biometrics. This paper aims to review the previous studies related to the usage of the ECG and PCG signals in human recognition. In addition, we discuss briefly the most important techniques and methodologies used by researchers in the preprocessing, feature extraction and classification of the ECG and PCG signals. At the end, we introduce some future considerations that can be applied in this topic such as: the fusion between different techniques previously used, use both ECG and PCG signals in a multimodal biometric authentication system and building a prototype system for real-time authentication.

19.
A multimodal biometric system is applied to recognize individuals as authentication, identification and verification for claimed identity. Multimodal biometrics increases the security level accuracy, spoof of attacks, noise in collected data, intra-class variations, inter-class variations, non universality etc. In this paper a multi modal biometric algorithm is designed by integrating iris, palm print, face and signature based on encoded discrete wavelet transform for image analysis and authentication. Multi level wavelet based fusion approach is applied, integrated and encoded into single composite image for matching decision. It reduces the memory size, increases the recognition accuracy and ERR using multimodal biometric approach when compared to individual biometric traits. The complexity of fusion and the reconstruction algorithm is suitable for many real time applications.

20.
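Lai Tao, Leng Qingsong, Wei Yuxi, Zhu Jun. Telecommunication Engineering (电讯技术), 2022, (9): 1284-1291
Using face recognition and liveness detection technology combined with Chinese national cryptographic (SM) algorithms, an identity authentication system based on the fuzzy commitment algorithm is designed. A multi-value quantization method is proposed to improve data similarity, and feature data cleaning over multiple sample groups is used to improve data stability, in order to solve the common problem in biometric authentication that the false acceptance rate and false rejection rate are high and hard to balance. In the registration phase, multiple groups of 128-dimensional face feature data are collected and cleaned to obtain a mean, and the data in each dimension is quantized into a 4-bit binary number based on a threshold interval. The quantized data serves as the encryption key; with a BCH code as the error-correcting code, the fuzzy commitment algorithm is used to encrypt the secret key generated by the authentication server and store it on the client. In the authentication phase, the face feature data collected in real time is quantized, the secret key is extracted using BCH error correction, and the secret key is used as the negotiated key to carry out authentication between the client and the authentication server based on a traditional identity authentication protocol. Experiments confirm that an identity authentication system implemented with the above method can reduce the false acceptance rate to 0% and the false rejection rate to within 1%.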
