Secure Biometric Authentication for Weak Computational Devices
Mikhail Atallah (Purdue), Keith Frikken (Purdue), Michael Goodrich (UC-Irvine), Roberto Tamassia (Brown)
March 3, 2005
FC 2005

Introduction
• Biometric Authentication
  • Pros: Provides simple authentication mechanism
  • Cons: Changing is difficult and privacy concerns
• Difficulties:
  • Readings vary each measurement
  • Standard techniques such as hashing won't work

Related Work
• Many schemes
  • [Chaum and Pedersen, 1993]
  • [Davida et al, 1998]
  • [Bleumer, 1998]
  • [Davida and Frankel, 1999]
  • [Juels and Wattenberg, 1999]
  • [Davida et al, 1999]
  • [Juels and Sudan, 2002]
  • [Clancy et al, 2003]
  • [Impagliazzo and More, 2003]
  • [Kerschbaum et al, 2004]
  • [Dodis, 2004]

Our Goals
• Lightweight Authentication Scheme
  • Nothing more than hash functions
• Smartcard based
• No single point of failure
  • Not smartcard
  • Not server
• Server compromise should not lead to the ability to impersonate user (even to the server)
• Goal is to have a Biometric PIN for banking systems

Framework
• Reader: Can be on card or other device, but this is what the user uses to read biometric
• Server: Stores information about clients
• Comparison Unit: Makes the comparison between the client's information and server data and grants access
• Two biometrics are "close" if their Hamming distance is below some threshold (we generalize this to other distances)

Adversary Model
• Adversary is defined by resources
  • Smartcard
    • Uncracked (SCU)
    • Cracked (SCC)
  • Fingerprint (FP)
  • Eavesdrop
    • Communication Channel (ECC)
    • Server's Database (ESD)
    • Comparison Unit (ECU) = ESD+ECC+"outcome"
  • Malicious
    • Communication Channel (MCC)
• Things that are outside our model
  • Adversaries that crack smartcard and give it back to user
  • Malicious Server's Database
  • Malicious Comparison Unit

Security Requirements
• Confidentiality: An adversary should not be able to learn the user's fingerprint
• Integrity: An adversary should not be able to impersonate the user to the comparison unit
• Availability: An adversary should not be able to prevent a user from authenticating

Confidentiality
• Have 3 oracles which are acceptable
  • Oracle A: {0,1}^|f'| → {0,1} where A(f) returns true if f is a match
  • Oracle B: → {0,1}^log|f'| where B() returns various distances between readings
  • Oracle C: {0,1}^|f'| → {0,1}^log|f'| where C(f) returns the distance between f and f' (this is weakly secure)

False Starts
• Suppose f_0 and f_1 are readings of a fingerprint
• How does "bank" determine if f_0 is close to f_1 without revealing private information
• Correctness: The distance should be computed correctly
• Privacy: Minimal information should be revealed about f_0 and f_1

False Starts
• False Start #1:
  • Client sends f_1 to bank which compares to f_0 in the clear
  • Correct but not private
• False Start #2:
  • Client sends H(f_1) to bank which compares to H(f_0) in the clear
  • Private but not correct

False Starts (cont.)
• False Start #3:
  • Client sends f_1 r to server that compares it to f_0 r
  • Correct as dist(f_1 r, f_0 r) = dist(f_1, f_0)
  • Kind of private: individual bits are protected, but it leaks locations where things change
• False Start #4:
  • Client sends Π(f_1 r) to server that compares it to Π(f_0 r) for a permutation Π
  • Correct as dist(Π(f_1 r), Π(f_0 r)) = dist(f_1, f_0)
  • Private if permutation is only used once
  • If it is reused, then it has similar problems as #3

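An added example (not from the slides) of what a passive listener learns in False Starts #3 and #4. It assumes the slides' "f r" means bitwise XOR of the reading with a random mask, since the operator symbol does not survive on this page; the 64-bit length, the flipped positions and all function names are constructed for the demo.

```python
import secrets

N = 64  # constructed reading length in bits

def xor(a, b): return [x ^ y for x, y in zip(a, b)]   # assumed combining operator
def permute(perm, bits): return [bits[p] for p in perm]
def dist(a, b): return sum(x != y for x, y in zip(a, b))   # Hamming distance
def rand_bits(): return [secrets.randbelow(2) for _ in range(N)]
def rand_perm(): return secrets.SystemRandom().sample(range(N), N)

def flip(bits, positions):
    """Constructed 'noisy re-reading': the same reading with some bits flipped."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def transmit(f, r, perm=None):
    """False Start #3 sends f masked with r; #4 also permutes the masked value."""
    masked = xor(f, r)
    return permute(perm, masked) if perm is not None else masked

def eavesdrop(t0, t1):
    """Positions at which two observed transmissions differ."""
    return [i for i, d in enumerate(xor(t0, t1)) if d]

def demo():
    f0, r = rand_bits(), rand_bits()
    f1, f2 = flip(f0, {3, 10, 20}), flip(f0, {3, 10, 33})
    # #3: the distance is preserved, but the changed bit positions are exposed exactly
    leak3 = eavesdrop(transmit(f0, r), transmit(f1, r))
    # #4 with one reused permutation: positions are relabelled, but the relabelling is
    # stable, so bits that flip in several sessions appear at the same place each time
    perm = rand_perm()
    a = eavesdrop(transmit(f0, r, perm), transmit(f1, r, perm))
    b = eavesdrop(transmit(f0, r, perm), transmit(f2, r, perm))
    recurring = sorted(perm[i] for i in set(a) & set(b))  # ground truth, for checking only
    return {"dist_ok": len(leak3) == dist(f0, f1) == len(a), "leak3": leak3,
            "recurring_count": len(set(a) & set(b)), "recurring_true_positions": recurring}
```

The recurring positions are why the protocol on the next slides replaces both the mask and the permutation after every authentication.
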
Our Protocol
• Goal is to be able to update r value and permutation Π between each authentication
• Assume H is a keyed hash function
• Before a round, server has
  • s_i Π_i(f_i r_i), H(s_i), H(s_i, H(s_{i+1}))
• Before a round client (smartcard) has:
  • Π_i, r_i, s_i, s_{i+1}

Protocol -- Authentication
1. Client obtains f_{i+1}, and generates r_{i+1}, s_{i+2}, and Π_{i+1}
2. It sends to the server Π_i(f_{i+1} r_i), s_i, and some transaction information T
3. Server tests if
   • H(s_i) matches previously stored value
   • s_i Π_i(f_{i+1} r_i) is close to the previously stored s_i Π_i(f_i r_i)
4. If there is a match, then server temporarily performs T, and it sends H(T) back to the user

Protocol -- Update
1. Client tests if transaction information matches request
   • Yes then continue to 2
   • No then abort, wipe out this set of key information
2. Client sends to server s_{i+1} Π_{i+1}(f_{i+1} r_{i+1}), H(s_{i+1}), and H(s_{i+1}, H(s_{i+2}))
3. The server verifies that H(s_i, H(s_{i+1})) matches the previous value
   • If yes, then it commits transaction and updates values
   • If no, it aborts

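One round of the authentication and update steps above, simulated end to end as an added example (not the authors' code). Assumptions: values written side by side on the slides are combined with bitwise XOR, SHA-256 over the concatenated arguments stands in for H, and the bit length, threshold, `channel` hook and all names are constructed here.

```python
import hashlib, secrets

N, THRESHOLD = 64, 8   # constructed: reading length in bits, match threshold

def H(*parts):         # stand-in for the slides' H (assumption): SHA-256 of the concatenation
    return hashlib.sha256(b"".join(bytes(p) for p in parts)).digest()

def xor(a, b): return [x ^ y for x, y in zip(a, b)]           # assumed combining operator
def permute(perm, bits): return [bits[p] for p in perm]
def dist(a, b): return sum(x != y for x, y in zip(a, b))      # Hamming distance
def rand_bits(): return [secrets.randbelow(2) for _ in range(N)]
def rand_perm(): return secrets.SystemRandom().sample(range(N), N)

def masked(s, perm, f, r):   # s combined with perm(f combined with r)
    return xor(s, permute(perm, xor(f, r)))

def enroll(f):
    """State before a round, as listed on the 'Our Protocol' slide."""
    card = {"perm": rand_perm(), "r": rand_bits(), "s": rand_bits(), "s_next": rand_bits()}
    server = {"tmpl": masked(card["s"], card["perm"], f, card["r"]),
              "h_s": H(card["s"]), "h_chain": H(card["s"], H(card["s_next"]))}
    return card, server

def run_round(card, server, f_new, T, channel=lambda t: t):
    """One authentication + update round; True if the server commits T.
    `channel` models what the server receives as T (identity = honest channel)."""
    # Authentication 1-2: card draws fresh values, sends perm_i(f_new, r_i), s_i, T
    nxt = {"perm": rand_perm(), "r": rand_bits(), "s": card["s_next"], "s_next": rand_bits()}
    msg, s_i, T_seen = permute(card["perm"], xor(f_new, card["r"])), card["s"], channel(T)
    # Authentication 3: server checks H(s_i) and closeness to its stored value
    if H(s_i) != server["h_s"] or dist(xor(s_i, msg), server["tmpl"]) >= THRESHOLD:
        return False
    receipt = H(T_seen)      # Authentication 4: T held pending, H(T) returned
    # Update 1: card aborts if the receipt does not match what it requested
    if receipt != H(T):
        return False
    # Update 2: card sends next masked reading, H(s_{i+1}), H(s_{i+1}, H(s_{i+2}))
    upd = (masked(nxt["s"], nxt["perm"], f_new, nxt["r"]),
           H(nxt["s"]), H(nxt["s"], H(nxt["s_next"])))
    # Update 3: server recomputes H(s_i, H(s_{i+1})) and compares with the stored value
    if H(s_i, upd[1]) != server["h_chain"]:
        return False
    server.update(tmpl=upd[0], h_s=upd[1], h_chain=upd[2])   # commit T, roll state forward
    card.update(nxt)
    return True
```

After a committed round the server holds only values derived from s_{i+1}, so a card still carrying the old s_i fails the H(s_i) check.
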
Security Summary
• Confidentiality: The cases where the adversary learns the fingerprint are: (FP) or (SCC and ESD) or (SCU, ESD, and MCC) or weakly in the case of (SCU and ECU) or any superset of these cases
• Integrity: The cases where the adversary can impersonate the user are: (SCU and FP) or (SCC and ESD) or (ESD and MCC) or weakly in the case of (SCU and ECU) or any superset of these cases
• Availability: The cases where the adversary can deny access to the user are: (SCU) or (MCC) or any superset of these cases

Security Summary

Resources        Confidentiality   Integrity   Availability
FP               No                Strong      Strong
SCC and ESD      No                No          No
SCU and FP       No                No          No
MCC and ESD      Strong            No          No
SCU, ESD, MCC    No                No          No
MCC              Strong            Strong      No
SCU              Strong            Strong      No
SCU and ECU      Weak              Weak        No

Extensions
• Extended to other distances
• Storage-Computation Tradeoff:
  • Previous scheme requires several values to be stored on smartcard (in case of mismatches)
  • Can reduce storage by increasing computation (similar to SKEY)

Summary
• Have introduced lightweight biometric scheme that uses only hash functions
• No single point of failure
• Future Work:
  • Must update values in our protocol