
Incorporating biometrics into veiled certificates: preventing unauthorized use of anonymous certificates

Electronic Commerce Research

Abstract

A leading cause of identity theft is that attackers get access to the victim’s personal credentials. We are warned to protect our personal identifiers, but we need to share our credentials with various organizations in order to obtain services from them. As a result, the safety of our credentials depends on both the ability and diligence of the various organizations with which we interact. However, recent data breach incidents are clear proof that existing approaches are insufficient to protect the privacy of our credentials. Using a Design Science methodology, we propose a new technology, veiled certificates, which includes features that prevent fraudulent use of a user’s credentials and provides a degree of user anonymity. We also incorporate biometric authentication so that service providers know that they are dealing with the owner of the credentials. Results of a bench scale test that demonstrates the feasibility of the approach are reviewed. We also suggest four major applications which could take advantage of these certificates.


Abbreviations

  • ||: Concatenation of fields into a message packet
  • BI: Reference biometric identity record
  • BI′: Sample BI submitted for authentication against BI stored in VC
  • CA: Certificate authority
  • \( CR_{x}^{j} \): Evidence of individual x’s credential worthiness for regulator j
  • \( \rho_{x_{i}} \): Random variable used to obscure biometric information in individual x’s certificate i
  • \( D_{k}\{M\} \): Curly brackets indicate message M has been decrypted using key k
  • DS: Digital signature of a message, verifiable with sender’s public key
  • \( E_{k}\{M\} \): Curly brackets indicate message M has been encrypted using key k
  • \( ID_{x} \): Identity information of individual x
  • \( k_{i} \): Public key used to establish identity with regulating authorities for ith certificate
  • \( k_{i}^{-1} \): Matching private key for \( k_{i} \)
  • \( K_{j} \): Public key of the regulator j
  • \( K_{j}^{-1} \): Matching private key for \( K_{j} \)
  • \( K_{x_{i}} \): Public key for individual x’s ith certificate
  • \( K_{x_{i}}^{-1} \): Matching private key for \( K_{x_{i}} \)
  • H{M}: Curly brackets indicate that an appropriate hash function is applied on message M to derive a hash (H)
  • H′{M}: A hash (H) created using the sample obscured biometric template, \( w\rho_{x_{i}}^{\prime} \)
  • \( r_{j} \): The jth regulator
  • SS: Secure sketch—Publicly Accessible Reproducer [12, 18]
  • \( s_{x} \): Symmetric, secret key for individual x
  • \( ss_{x_{i}} \): Unique sketch string generated for individual x’s ith certificate
  • t: Error tolerance associated with the biometric identification
  • TS: Timestamp that specifies the requested lifetime of a VC
  • VC: Veiled certificate, a variation of a traditional X.509 digital certificate which supports semi-anonymous credentialing [24]
  • \( vct_{x_{i}} \): VC token for individual x’s ith certificate
  • w: Reference biometric template based on BI
  • w′: Sample biometric template created based on BI′
  • \( w\rho_{x_{i}}^{\prime} \): The obscured sample biometric template, created with a sample biometric w′, a public permutation (shuffling) function F [22, 37], and the random value \( \rho_{x_{i}} \)
  • \( w\rho_{x_{i}} \): The obscured reference biometric template, created with the reference biometric template w, a public permutation (shuffling) function F [22, 37], and the random value \( \rho_{x_{i}} \)

References

  1. Adler, A. (2005). Vulnerabilities in biometric encryption systems, Lecture notes in computer science (LNCS) (Vol. 3546, pp. 1100–1109), Springer.

  2. Atallah, M. J., Frikken, K. B., Goodrich, M. T. & Tamassia, R. (2005). Secure biometric authentication for weak computational devices, Lecture Notes in Computer Science, Financial Cryptography and Data Security (Vol 3570, pp. 357–371). Berlin: Springer.

  3. Bhargav-Spantzel, A., Squicciarini, A., & Bertino, E. (2007). Privacy preserving multi-factor authentication with biometrics. Journal of Computer Security, 15(5), 529–560.


  4. Bissessar, D., Adams, C., & Liu, D. (2014). Using biometric key commitments to prevent unauthorized lending of cryptographic credentials. In 2014 Twelfth Annual International Conference on Privacy, Security and Trust (PST) (pp. 75–83). Toronto, ON, July 2014.

  5. Blanton, M., & Hudelson, W. M. P. (2009). Biometric-based non-transferable anonymous credentials, information and communication security, LNCS (vol. 5927).

  6. Bouncy Castle. (2011). Bouncy Castle Crypto APIs (v. 1.7). http://www.bouncycastle.org/csharp/.

  7. Boyen, X. (2004). Reusable cryptographic fuzzy extractors, 11th ACM Conf (pp. 82–91). Washington, DC: CCS.


  8. Brands, S. A. (2000). Rethinking public key infrastructures and digital certificates building in privacy. Cambridge: MIT Press.


  9. Bringer, J., Chabanne, H., & Kindarji, B. (2008). The best of both worlds: applying secure sketches to cancelable biometrics. Science of Computer Programming, 74(1–2), 43–51.


  10. Bringer, J., Chabanne, H. & Kindarji, B. (2009). Anonymous identification with cancelable biometrics. In Proceedings of 6th international symposium on image and signal processing and analysis, 2009. ISPA 2009.

  11. Buhan, I. R., Doumen, J. M., & Hartel, P. H. (2008). Controlling leakage of biometric information using dithering, in 16th European Signal Processing Conference (EUSIPCO). Switzerland: Lausanne.


  12. Burnett, A., Byrne, F., Dowling, T. & Duffy, A. (2007). A biometric identity based signature scheme. International Journal of Network Security, 5(3), 317–326. http://ijns.jalaxy.com.tw/contents/ijns-v5-n3/ijns-2007-v5-n3-p317-326.pdf. Accessed 16 March 2016.

  13. Cavoukian, A. & Stoianov, A. (2009). Biometric encryption: The new breed of untraceable biometrics. In Boulgouris, N. V., Plataniotis, K. N., & Micheli-Tzanakou, E. (eds.), Biometrics: fundamentals, theory, and systems (Chapter 26, pp. 655–718). Wiley-IEEE Press.

  14. Chang, E.-C., Shen, R., & Teo, F. W. (2006). Finding the Original Point Set Hidden among Chaff, Proceedings ACM Symposium ASIACCS’06 (pp. 182–188). Taiwan: Taipei.


  15. Chowdhry, A. (2014). Forbes, MasterCard And Zwipe Unveil Credit Card With Fingerprint Scanner, October 18, 2014. http://www.forbes.com/sites/amitchowdhry/2014/10/18/mastercard-zwipe-fingerprint-sensor-credit-cards/.

  16. Deswarte, Y., & Gambs, S. (2010). A Proposal for a privacy-preserving national identity card. Transactions on Data Privacy, 3, 253–276. http://www.tdp.cat/issues/tdp.a060a10.pdf.

  17. Dike-Anyiam, B., & Rehmani, Q. (2006). Biometric vs. password authentication: A user’s perspective. Journal of Information Warfare, 5(1), 33–45.


  18. Dodis, Y., Ostrovsky, R., Reyzin, L. & Smith A. (2008). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, SIAM Journal on Computing, 38(1), 97–139. http://arxiv.org/pdf/cs.CR/0602007. Accessed 11 Dec 2009.

  19. Dodis, Y., Reyzin, L., & Smith, A. (2004). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. EUROCRYPT 2004 (pp. 523–540). Switzerland: Interlaken.


  20. Du, W., & Atallah, M. J. (2001). Secure multi-party computation problems and their applications: A review and open problems. In NSPW’01: Proceedings of the 2001 workshop on New security paradigms (pp. 13–22). ACM Press.

  21. Fierrez, J., Ortega-Garcia, J., Torre-Toledano, D., & Gonzalez-Rodriguez, J. (2007). BioSec baseline corpus: A multimodal biometric database. Pattern Recognition, 40(4), 1389–1392.


  22. Fisher, R. A., & Yates, F. (1948) [1938]. Statistical tables for biological, agricultural and medical research (3rd edn., pp. 26–27). London: Oliver & Boyd.

  23. FVC2006. (2006). FVC2006: The Fourth International Fingerprint Verification Competition. http://bias.csr.unibo.it/fvc2006/.

  24. Gerdes, J. H., Kalvenes, J., & Huang, C.-T. (2009). Multi-dimensional credentialing using veiled certificates: Protecting privacy in the face of regulatory reporting requirements. Computers and Security, 28(5), 248–259.


  25. Hao, F., Anderson, R. & Daugman, J. (2006). Combining Crypto with Biometrics Effectively. IEEE Transactions on Computers, 55(9), 1081–1088. (See also: Technical report No. 640, University of Cambridge, Computer Laboratory, July 2005. http://www.cl.cam.ac.uk/TechReports/).

  26. Hardekoph, B. (2015). The Big Data Breaches of 2014, Forbes. http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/, 1/13/2015.

  27. Harmon, K., & Reyzin, L. (2008). An implementation of syndrome encoding and decoding for binary BCH codes, secure sketches and fuzzy extractors. http://www.cs.bu.edu/~reyzin/code/fuzzy.html.

  28. Harrell, E., & Langton, L. (2012). Victims of identity theft, 2012, U.S. Department of Justice. http://www.bjs.gov/content/pub/pdf/vit12.pdf. Accessed 30 March 2016.

  29. Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). Design science in information systems research. MIS Quarterly, 28(1), 75–105.


  30. Hong, L., Wan, Y., & Jain, A. K. (1998). Fingerprint image enhancement: Algorithms and performance evaluation. IEEE Transactions on Pattern Analysis and Machine Intelligence, 20(8), 777–789.


  31. ISO 2009, ISO/IEC IS 15408-1. (2009). http://webstore.iec.ch/preview/info_isoiec15408-1%7Bed3.0%7Den.pdf; current as of September 2012.

  32. ITRC. (2015). Identity theft resource center breach report hits record high in 2014. Identity Theft Resource Center, January 12, 2015.

  33. ITU (International Telecommunications Union). (2014). X.509: Information technology – Open systems interconnection – The directory: Public-key and attribute certificate frameworks. http://www.itu.int/rec/T-REC-X.509.

  34. Jain, A. K., Nandakumar, K. & Nagar, A. (2008). Biometric template security. EURASIP Journal on Advances in Signal Processing, Article ID 579416, 1–17, Hindawi Publishing Corporation. doi:10.1155/2008/579416.

  35. Jain, A. K., Prabhakar, S., Hong, L., & Pankanti, S. (2000). Filterbank-based fingerprint matching. In IEEE Transactions on Image Processing (pp. 846–859).

  36. Kholmatov, A. & Yanikoglu, B. (2008). Realization of correlation attack against fuzzy vault scheme. In Proceedings of. security, forensics, steganography, and watermarking of multimedia contents (p. 6819).

  37. Knuth, D. E. (1969). Seminumerical algorithms. The art of computer programming 2 (pp. 139–140). Reading, MA: Addison–Wesley.

  38. Liu, E., Liang, J., Pang, L., Xie, M., & Tian, J. (2010). Minutiae and modified biocode fusion for fingerprint-based key generation. Journal of Network and Computer Applications, 33(3), 221–235.

  39. Luping, J. (2007). Binary fingerprint image thinning using template-based PCNNs. IEEE Transactions on Systems, Man, and Cybernetics. Part B, Cybernetics, 37(5), 1407–1413.


  40. Mathews, A. (2015). Anthem: Hacked database included 78.8 million people. The Wall Street Journal. 2/24/2015. http://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364.

  41. Nandakumar, K., A. Nagar & A. K. Jain, (2007). Hardening Fingerprint Fuzzy Vault Using Password, Proceedings of ICB 2007, Seoul, Korea, August 27-29, 2007. LNCS, Springer, 4642, 927–937. http://biometrics.cse.msu.edu/Publications/SecureBiometrics/NandakumarNagarJain_FpFuzzyVaultHardening_ICB2007.pdf. Accessed 15 June 2010.

  42. Paquin, C. (2011). U-Prove Cryptographic Specification V1.1. http://research.microsoft.com/pubs/166969/U-Prove%20Cryptographic%20Specification%20V1.1.pdf. Accessed 17 Sept 2011.

  43. Paquin, C. (2011). U-Prove technology overview, V1.1. http://research.microsoft.com/pubs/166980/U-Prove%20Technology%20Overview%20V1.1.pdf. Accessed 17 Sept 2011.

  44. Peterson, H. (2014). How to use a ‘fake’ credit card to protect yourself from hackers, Business Insider. http://www.businessinsider.com/abine-maskme-protects-against-hackers-2014-1.

  45. Pfitzmann, A. & Köhntopp, M. (2001). Anonymity, unobservability, and pseudonymity – A proposal for terminology, Lecture Notes in Computer Science # 2009 (pp. 1–9). Designing Privacy Enhancing Technologies, Berlin: Springer.

  46. Pfitzmann, A. & Hansen, M. (2010). A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (version v0.34, Aug. 10, 2010). http://dud.inf.tu-dresden.de/Anon_Terminology.shtml. Accessed 16 Sept 2012.

  47. Ponemon Institute. (2014). Is your company ready for a big data breach? The second annual study on data breach preparedness. Ponemon Institute, September 15, 2014. http://www.ponemon.org/library/is-your-company-ready-for-a-big-data-breach-the-second-annual-study-on-data-breach-preparedness. Accessed 16 April 2015.

  48. Scheirer, W. J. & Boult, T. E. (2007). Cracking fuzzy vaults and biometric encryption. In Biometric Consortium Conference, Baltimore, Sept. 2007.

  49. Shoup, V. (2009). NTL: A library for doing number theory (v. 5.5.2). http://www.shoup.net/ntl/. Accessed 15 April 2012.

  50. Stallings, W. (2006). Cryptography and network security: principles and practice (4th ed.). Englewood Cliffs: Prentice Hall.


  51. Stoianov, A., Kevenaar, T. & Van der Veen, M. (2009). Security issues of biometric encryption. In IEEE TIC-STH Symposium on Information Assurance, Biometric Security and Business Continuity (pp. 34–39), Sept. 2009, Toronto, Canada.

  52. Taherdoost, H., Sahibuddin, S., & Jalaliyoon, N. (2011). Smart card security; technology and adoption. International Journal of Security, 5(2), 74–84. http://www.cscjournals.org/manuscript/Journals/IJS/Volume5/Issue2/IJS-84.pdf. Accessed 16 March 2016.

  53. Vijayan, J. (2014). Computerworld, Banks push for tokenization standard to secure credit card payments. http://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html.

  54. Westervelt, R., (2009). Health net healthcare data breach affects 1.5 million, SearchSecurity.com. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374839,00.html. Accessed 6 Nov 2009.

  55. Yang, D., Xu, B., Yang, B., & Wang, J. (2012). 2012 Eighth international conference on computational intelligence and security (pp. 452–456).


Corresponding author

Correspondence to John H. Gerdes Jr.


Cite this article

Gerdes, J.H., Huang, CT. & Sharaf, M.A. Incorporating biometrics into veiled certificates: preventing unauthorized use of anonymous certificates. Electron Commer Res 17, 289–316 (2017). https://doi.org/10.1007/s10660-016-9222-y


  • DOI: https://doi.org/10.1007/s10660-016-9222-y
