Secure Biometric Secure Biometric Authentication for Weak Authentication for Weak Computational DevicesComputational Devices

Mikhail Atallah (Purdue) ,Keith Mikhail Atallah (Purdue) ,Keith Frikken (Purdue), Michael Goodrich Frikken (Purdue), Michael Goodrich

(UC-Irvine), Roberto Tamassia (UC-Irvine), Roberto Tamassia (Brown)(Brown)

March 3, 2005March 3, 2005

FC 2005FC 2005

IntroductionIntroduction

Biometric AuthenticationBiometric Authentication Pros: Provides simple authentication Pros: Provides simple authentication

mechanismmechanism Cons: Changing is difficult and privacy Cons: Changing is difficult and privacy

concernsconcerns Difficulties:Difficulties:

Readings vary each measurementReadings vary each measurement Standard techniques such as hashing won’t Standard techniques such as hashing won’t

workwork

FC 2005FC 2005

Related WorkRelated Work

Many schemesMany schemes [Chaum and Pedersen, 1993][Chaum and Pedersen, 1993] [Davida et al, 1998][Davida et al, 1998] [Bleumer, 1998][Bleumer, 1998] [Davida and Frankel, 1999][Davida and Frankel, 1999] [Juels and Wattenburg, 1999][Juels and Wattenburg, 1999] [Davida et al, 1999][Davida et al, 1999] [Juels and Sudan, 2002][Juels and Sudan, 2002] [Clancy et al, 2003][Clancy et al, 2003] [Impagliazzo and More, 2003][Impagliazzo and More, 2003] [Kershbaum et al, 2004][Kershbaum et al, 2004] [Dodis, 2004][Dodis, 2004]

FC 2005FC 2005

Our GoalsOur Goals

Lightweight Authentication SchemeLightweight Authentication Scheme Nothing more than hash functionsNothing more than hash functions

Smartcard basedSmartcard based No single point of failureNo single point of failure

Not smartcardNot smartcard Not serverNot server

Server compromise should not lead to the ability Server compromise should not lead to the ability to impersonate user (even to the server)to impersonate user (even to the server)

Goal is to have a Biometric PIN for banking Goal is to have a Biometric PIN for banking systemssystems

FC 2005FC 2005

FrameworkFramework

Reader: Can be on card or other device, but Reader: Can be on card or other device, but this is what the user uses to read biometricthis is what the user uses to read biometric

Server: Stores information about clientsServer: Stores information about clients Comparison Unit: Makes the comparison Comparison Unit: Makes the comparison

between the client’s information and server between the client’s information and server data and grants accessdata and grants access

Two biometrics are “close” if their hamming Two biometrics are “close” if their hamming distance is below some threshold (we distance is below some threshold (we generalize this to other distances)generalize this to other distances)

FC 2005FC 2005

Adversary ModelAdversary Model

Adversary is defined by resourcesAdversary is defined by resources SmartcardSmartcard

Uncracked (SCU)Uncracked (SCU) Cracked (SCC)Cracked (SCC)

Fingerprint (FP)Fingerprint (FP) Eavesdrop Eavesdrop

Communication Channel (ECC)Communication Channel (ECC) Server’s Database (ESD)Server’s Database (ESD) Comparison Unit (ECU) = ESD+ECC+”outcome”Comparison Unit (ECU) = ESD+ECC+”outcome”

MaliciousMalicious Communication Channel (MCC)Communication Channel (MCC)

Things that are outside our modelThings that are outside our model Adversaries that crack smartcard and give it back to userAdversaries that crack smartcard and give it back to user Malicious Server’s DatabaseMalicious Server’s Database Malicious Comparison UnitMalicious Comparison Unit

FC 2005FC 2005

Security RequirementsSecurity Requirements

Confidentiality: An adversary should not Confidentiality: An adversary should not be able to learn the user’s fingerprintbe able to learn the user’s fingerprint

Integrity: An adversary should not be Integrity: An adversary should not be able to impersonate the user to the able to impersonate the user to the comparison unitcomparison unit

Availability: An adversary should not be Availability: An adversary should not be able to prevent a user from able to prevent a user from authenticatingauthenticating

FC 2005FC 2005

ConfidentialityConfidentiality

Have 3 oracles which are acceptableHave 3 oracles which are acceptable Oracle A: {0,1}Oracle A: {0,1}|f’||f’|→{0,1} where A(f) →{0,1} where A(f)

returns true if f is a matchreturns true if f is a match Oracle B: Oracle B: →{0,1}→{0,1}log|f’|log|f’| where B() returns where B() returns

various distances between readingsvarious distances between readings Oracle C: {0,1 Oracle C: {0,1 }}|f’||f’|→{0,1}→{0,1}log|f’|log|f’| where C(f) where C(f)

returns the distance between f and f’ returns the distance between f and f’ (this is weakly secure)(this is weakly secure)

FC 2005FC 2005

False StartsFalse Starts

Suppose fSuppose f00 and f and f11 are readings of a are readings of a fingerprintfingerprint

How does “bank” determine if fHow does “bank” determine if f00 is close is close to fto f11 without revealing private without revealing private informationinformation

Correctness: Correctness: The distance should be The distance should be computed correctlycomputed correctly

Privacy:Privacy: Minimal information should be Minimal information should be revealed about frevealed about f00 and f and f11

FC 2005FC 2005

False StartsFalse Starts

False Start #1:False Start #1: Client sends fClient sends f11 to bank which compares to to bank which compares to

ff00 in the clear in the clear Correct but not privateCorrect but not private

False Start #2:False Start #2: Client sends H(fClient sends H(f11) to bank which ) to bank which

compares to H(fcompares to H(f00)) in the clearin the clear Private but not correctPrivate but not correct

FC 2005FC 2005

False Starts (cont.)False Starts (cont.)

False Start #3:False Start #3: Client sends fClient sends f11r to server that compares it to fr to server that compares it to f00r r Correct as dist(fCorrect as dist(f11r,fr,f00r) = dist(fr) = dist(f11,f,f00)) Kind of private: individual bits are protected, but Kind of private: individual bits are protected, but

it leaks locations where things change it leaks locations where things change False Start #4:False Start #4:

Client sends Client sends ΠΠ((ff11r) to server that compares it to r) to server that compares it to ΠΠ(f(f00r) for a permutation r) for a permutation ΠΠ

Correct as dist(Correct as dist(ΠΠ((ff11r), r), ΠΠ((ff00r)) = dist(fr)) = dist(f11,f,f00)) Private if permutation is only used oncePrivate if permutation is only used once If it is reused, then it has similar problems as #3If it is reused, then it has similar problems as #3

FC 2005FC 2005

Our ProtocolOur Protocol

Goal is to be able to update r value and Goal is to be able to update r value and permutation permutation ΠΠ between each between each authenticationauthentication

Assume H is a keyed hash functionAssume H is a keyed hash function Before a round, server hasBefore a round, server has

ssiiΠΠii(f(fiirrii),H(s),H(sii),H(s),H(sii,H(s,H(si+1i+1))))

Before a round client(smartcard) has:Before a round client(smartcard) has: ΠΠii, r, rii, s, sii, s, si+1i+1

FC 2005FC 2005

Protocol -- AuthenticationProtocol -- Authentication

1.1. Client obtains fClient obtains fi+1i+1, and generates r, and generates ri+1i+1, s, si+2i+2, and , and ΠΠi+1i+1

2.2. It sends to the server It sends to the server ΠΠii(f(fi+1i+1rrii), s), sii, and some , and some transaction information Ttransaction information T

3.3. Server tests ifServer tests if• H(sH(sii) matches previously stored value) matches previously stored value

• ssiiΠΠii(f(fi+1i+1rrii) is close to the previously stored ) is close to the previously stored ssiiΠΠii(f(fiirrii))

4.4. If there is a match, then server temporarily If there is a match, then server temporarily performs T, and it sends H(T) back to the userperforms T, and it sends H(T) back to the user

FC 2005FC 2005

Protocol -- UpdateProtocol -- Update

1.1. Client tests if transaction information matches Client tests if transaction information matches requestrequest

• Yes then continue to 2Yes then continue to 2• No then abort wipe out this set of key informationNo then abort wipe out this set of key information

2.2. Client sends to server sClient sends to server si+1i+1ΠΠi+1i+1(f(fi+1i+1rri+1i+1)), , H(sH(si+1i+1), and H(s), and H(si+1i+1,H(s,H(si+2i+2)) ))

3.3. The server verifies that The server verifies that H(sH(sii,H(s,H(si+1i+1)) matches )) matches the previous valuethe previous value

• If yes, then it commits transaction and updates If yes, then it commits transaction and updates valuesvalues

• If no, it abortsIf no, it aborts

FC 2005FC 2005

Security SummarySecurity Summary

Confidentiality: The cases where the adversary Confidentiality: The cases where the adversary learns the fingerprint are : (FP) or (SCC and ESD) learns the fingerprint are : (FP) or (SCC and ESD) or (SCU, ESD, and MCC) or weakly in the case of or (SCU, ESD, and MCC) or weakly in the case of (SCU and ECU) or any superset of these cases(SCU and ECU) or any superset of these cases

Integrity: The cases where the adversary can Integrity: The cases where the adversary can impersonate the user are : (SCU and FP) or (SCC impersonate the user are : (SCU and FP) or (SCC and ESD) or (ESD and MCC) or weakly in the case and ESD) or (ESD and MCC) or weakly in the case of (SCU and ECU) or any superset of these casesof (SCU and ECU) or any superset of these cases

Availability: The cases where the adversary can Availability: The cases where the adversary can deny access to the user are : (SCU) or (MCC) or deny access to the user are : (SCU) or (MCC) or any superset of these casesany superset of these cases

FC 2005FC 2005

Security SummarySecurity Summary

ResourcesResources ConfidentialiConfidentialityty

IntegrityIntegrity AvailabilityAvailability

FPFP NoNo StrongStrong StrongStrong

SCC and ESDSCC and ESD NoNo NoNo NoNo

SCU and FPSCU and FP NoNo NoNo NoNo

MCC and ESDMCC and ESD StrongStrong NoNo NoNo

SCU, ESD, MCCSCU, ESD, MCC NoNo NoNo NoNo

MCCMCC StrongStrong StrongStrong NoNo

SCUSCU StrongStrong StrongStrong NoNo

SCU and ECUSCU and ECU WeakWeak WeakWeak NoNo

FC 2005FC 2005

ExtensionsExtensions

Extended to other distances Extended to other distances Storage-Computation Tradeoff:Storage-Computation Tradeoff:

Previous scheme requires several values Previous scheme requires several values to be stored on smartcard (in case of to be stored on smartcard (in case of mismatches)mismatches)

Can reduce storage by increasing Can reduce storage by increasing computation (similar to SKEY)computation (similar to SKEY)

FC 2005FC 2005

SummarySummary

Have introduced lightweight Have introduced lightweight biometric scheme that uses only biometric scheme that uses only hash functionshash functions

No single point of failureNo single point of failure Future Work:Future Work:

Must update values in our protocolMust update values in our protocol