Abstract
User authentication based on biometrics is receiving increasing attention. However, privacy concerns about biometric data have impeded the adoption of cloud-based services for biometric authentication. This paper proposes an efficient distributed two-factor authentication protocol that is privacy-preserving even in the presence of colluding internal adversaries. One of the authentication factors in our protocol is biometrics, and the other factor can be either knowledge-based or possession-based. The actors involved in our protocol are users, user/client devices with biometric sensors, a service provider, and a cloud service for storing protected biometric templates. Contrary to the existing biometric authentication protocols that offer security only in the honest-but-curious adversarial model, our protocol provides enhanced security and privacy properties in the active (or malicious) adversarial model. Specifically, our protocol offers identity privacy, unlinkability, and user data (i.e., the biometric template data and the second factor) privacy against a compromised cloud storage service, and preserves the privacy of the user data even if the cloud storage service colludes with the service provider. Moreover, our protocol only employs lightweight schemes and is thus efficient. The distributed model combined with the security and privacy properties of our protocol paves the way towards a new cloud-based business model for privacy-preserving authentication.
Acknowledgements
This work was funded by the European Commission through the FP7 project "EKSISTENZ", with grant number 607049.
A Proofs
Proof (of Theorem 1). The proof is split into two cases. In the first case, the adversary \(\mathcal {A}\) is given a valid password (e.g., \(\mathcal {A}\) is given \(\textsf {pw}_i\) of user U\(_i\)). In the second case, \(\mathcal {A}\) is given valid biometric data (e.g., \(\mathcal {A}\) is given \(b'_i\) of user U\(_i\)). In both cases, if \(\mathcal {A}\) can provide \(b'_i\oplus r_i\) such that \(\textsf {HW}(b_i\oplus b'_i)\le \tau \), then \(\mathcal {A}\) succeeds in impersonating the user U\(_i\).
Case 1: Assume that the attacker can successfully impersonate a user with a non-negligible probability. This means that \(\mathcal {A}\) either (a) can forge the user biometrics and generate \(b'_i\) that matches the reference template \(b_i\) of the user U\(_i\), or (b) knows \(i\leftarrow \textsf {ID}_i\) so that it can collude with \(\textsf {DB}\) to learn \(b_i\). However, the probability of case (a) happening is bounded by the false acceptance rate, which can be made arbitrarily small at the price of an increased false rejection rate. Case (b) requires that \(\mathcal {A}\) can learn i from \(\textsf {PIR}(i)\) or can derive i from \(\textsf {ID}_i\), which contradicts both the security of the PIR scheme and the fact that \(i\leftarrow \textsf {ID}_i\) is only known to \(\textsf {SP}\). Therefore, \(\mathcal {A}\) cannot impersonate a user knowing only the password.
Case 2: Assume again that the attacker can successfully impersonate a user with a non-negligible probability. As in Case 1, this means that \(\mathcal {A}\) either can guess the password (or the password-generated key \(r_i\)) or knows \(i\leftarrow \textsf {ID}_i\) so that it can collude with \(\textsf {DB}\) to learn \(r_i\). However, while the probability of the former is negligible in \(H_\infty (\textsf {pw})\), the latter requires that \(\mathcal {A}\) can learn i from \(\textsf {PIR}(i)\) or knows \(i\leftarrow \textsf {ID}_i\).
Therefore, \(\mathcal {A}\) cannot successfully impersonate any user without having access to both authentication factors. Note that the use of a salt prevents the adversary from mounting practical dictionary attacks. Hence, it is important to salt the KDF, e.g. with the user ID, so that the security of the protocol in Case 2 can be related to \(H_\infty (\textsf {pw})\).
Proof (of Theorem 2). Suppose that the adversary (i.e., the malicious DB) has a non-negligible advantage, i.e., \(\big |\Pr \{\beta =\beta '\}-1/2\big |\ge \textsf {negl}(\lambda )\), where \(\lambda \) is a chosen security parameter for the protocol. Then, that means DB can guess the value of \(\beta \) (or \(i_\beta \)) from \(\textsf {PIR}(i_\beta )\) with a non-negligible probability. This in turn implies that DB can break the security of the underlying PIR scheme with a non-negligible probability, which contradicts the assumption that PIR is secure according to Definition 7. \(\square \)
Proof (of Theorem 3). Suppose that the adversary can distinguish \((\textsf {ID}_{i_0},c_{i_0})\) from \((\textsf {ID}_{i_0},c_{i_1})\). Then the adversary can infer from \(\textsf {PIR}(i_0)\) (and the response to the query) the value of \(i_0\), or infer from \(\textsf {ID}_{i_0}\) the value of \(i_0\). This contradicts the security assumptions on the PIR, or the secrecy assumption on the correspondence between \(\textsf {ID}_{i_0}\) and \(i_0\), respectively. \(\square \)
Proof (of Theorem 4). Since the adversary (i.e., malicious SP+DB) has access to \(b_i\oplus r_i\), \(b'_i\oplus r_i\) and \(b_i\oplus b'_i\) only, for all \(i\in [1,N]\), it cannot learn more than what can already be learnt from these about \(b_i\), \(b'_i\) and \(r_i\) (or the password from which \(r_i\) is generated), as long as the KDF is secure and the password has sufficient min-entropy. The adversary can attempt to guess the value of \(b_i\), \(b'_i\) or \(r_i\) at random using the information at its disposal, but in order to verify whether the guess is correct, it needs access to an oracle that can answer whether the guessed values are correct. If the KDF is secure and the second factor has sufficient min-entropy, the expected number of queries needed to finally get an affirmative answer from such an oracle is exponential in the min-entropy of \(r_i\). \(\square \)
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Abidin, A., Rúa, E.A., Preneel, B. (2016). An Efficient Entity Authentication Protocol with Enhanced Security and Privacy Properties. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_20
DOI: https://doi.org/10.1007/978-3-319-48965-0_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48964-3
Online ISBN: 978-3-319-48965-0