Forensic vs. Anti- forensic in Biometrics: Towards Receipt ... · Various specific tools are...

Forensic vs. Anti-forensic in Biometrics: Towards Receipt-freeness and Coercion-Resistance in biometric authentication protocols

Kouichi Sakurai 1,2
1: Graduate School of Information Science and Electrical Engineering, Kyushu University
2: Institute of Systems, Information Technologies and Nanotechnologies, Japan (ISIT)

This work is collaborative research with Yoshifumi Ueshige (Nagasaki Univ.) supported by JSPS KAKENHI Grant

9/29/2017 UNSW Kyushu Cybersecurity Collaboration Workshop, March 28-29, 2016


Agenda
1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance
4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics
7. Conclusion


1. Biometrics (1)
There are many modalities of biometric authentication.
◦ Examples: facial image, fingerprint, shape of palm, vein, iris, handwriting, voiceprint

1. Biometrics: Application of biometrics
Various applications of biometric authentication
◦ To closed environment:
◦ To open network: solution by cloud computing
(Figure labels: ATM; Entrance of controlled area; Health surveillance in developing countries; Authentication)

1. Biometrics: Privacy issues of biometrics
Serious problem: privacy protection in biometrics
◦ Various biometric data are required in authentication for biometrics
  ◦ Enrolled templates
  ◦ Biometric feature of captured samples
  ◦ Intermediate processing data for authentication processes

A human has 10 fingers, two hands, two eyes, one face... Do you have much more?

When the above information is compromised, re-enrollment is quite difficult.

1. Biometrics: Privacy protection techniques
As countermeasures to the above problem, many techniques for remote biometrics have been proposed:
◦ Cancelable biometrics
◦ Zero-Bio
◦ Fuzzy-Vault
◦ BioEncryption, etc.


2. Forensics vs Anti-forensics
Forensics: collecting electronic information as evidence for criminal investigation or lawsuit
◦ Various specific tools are developed.
(Figure: various evidence for digital forensics)

2. Forensics vs Anti-forensics: Digital forensics (1)
For example, even if an e-mail that would be unfavorable evidence has been deleted, some binary data of the e-mail remains.
(Figure labels: DELETE; "I feel easy, because of NO EVIDENCE."; Detect; EVIDENCE)

2. Forensics vs Anti-forensics: Digital forensics (2)
Forensics: collecting electronic information as evidence for criminal investigation or lawsuit
◦ Various specific tools are developed.

When forensic techniques are abused, the person abusing them can collect private information excessively.

2. Forensics vs Anti-forensics: Anti-forensics (1)
Anti-forensics: countermeasure against legal investigation and lawsuit
◦ Policy
  ◦ No data is left in electronic devices
◦ Method:
  ◦ Encryption, concealment with rootkit,
  ◦ Wiping of files, erasure of many logs

2. Forensics vs Anti-forensics: Anti-forensics (2)
Anti-forensics: countermeasure against legal investigation and lawsuit

Anti-forensics also has a privacy-protection side, answering anxiety about
• collection and release of information from systems with inappropriate settings,
• and excessive collection by third persons

2. Forensics vs Anti-forensics: Anti-forensics (3)
Example:
◦ Scene where anti-forensics is required
  ◦ Surveillance camera system
  ◦ Must identify criminals or suspicious persons
  ◦ Should not leave information about unrelated people!

2. Forensics vs Anti-forensics: Related significant key words
(Figure labels: Deniable; Coercion-free; Anti-forensics; Receipt-freeness)
POINT: NO evidence for showing to third persons (coercers)

2. Forensics vs Anti-forensics: Deniable vs Undeniable (1)
Deniable Cryptography
◦ E.g. Message Authentication Code

(Figure: Alice and Bob share the secret key sk. Alice computes MAC a = HMAC(M, sk) and sends the plain text M with MAC a. Bob computes MAC b = HMAC(M, sk) and checks MAC a = MAC b? Yes: plain text is Alice's message. No: plain text is NOT Alice's message.)

(Speech bubbles: "Alice wrote this message"; "I didn't send such message")

A third person cannot prove who is telling the truth, because both of them can generate the same MAC, like a Zero Knowledge Proof.

2. Forensics vs Anti-forensics: Deniable vs Undeniable (2)
Deniable Cryptography
◦ E.g. Deniable Encryption (Sahai, Waters)

(Figure labels: Alice; Plain text; Encryption; Encrypted message; Indistinguishability obfuscation; Adversary. Speech bubbles: "I don't have plaintext!"; "I cannot prove her fake!")

2. Forensics vs Anti-forensics: Deniable vs Undeniable (3)
Undeniable Cryptography
◦ E.g. Digital signature based on public key encryption

(Figure: Peggy (prover, signer) sends a digital signature to Vic (verifier). Vic decrypts the digital signature to obtain MD1, calculates the message digest MD2, and checks MD1 = MD2? Yes: "This is Peggy's signature!" No: signature is not valid / message is altered.)

2. Forensics vs Anti-forensics: Deniable vs Undeniable (4)
Undeniable Cryptography
◦ E.g. Undeniable Signature (Chaum, Antwerpen, 1990)

(Figure: Peggy (prover, signer) gives Vic (verifier) a digital signature; Vic sends a challenge and Peggy returns a response. Success? Yes: "This is Peggy's signature!" No: signature is not valid, or signer sends improper response in an effort to falsely deny a valid signature.)

2. Forensics vs Anti-forensics: Deniable vs Undeniable (5)

Deniable Cryptography
◦ Message Authentication Code (MAC): based on sharing secret key
◦ Deniable Encryption (Sahai, Waters): based on indistinguishability obfuscation

Undeniable Cryptography
◦ Digital signature based on public key encryption: based on public key encryption
◦ Undeniable Signature (Chaum, Antwerpen, 1990): based on challenge response
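
Added example (not part of the original slides): the Alice/Bob dispute from the MAC slide replayed in Python, next to a signature that a third person can check with public data only. The signature side uses Lamport one-time signatures as a stand-in for the slides' public-key signature because it needs only the standard library; the messages, key sizes and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def mac_tag(sk: bytes, message: bytes) -> bytes:
    """MAC = HMAC(M, sk), as on the MAC slide (SHA-256 is this example's choice)."""
    return hmac.new(sk, message, hashlib.sha256).digest()


def mac_verify(sk: bytes, message: bytes, tag: bytes) -> bool:
    """Verification recomputes the tag, so whoever can verify can also forge."""
    return hmac.compare_digest(mac_tag(sk, message), tag)


def _digest_bits(message: bytes) -> list:
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """One-time key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(s0).digest(), hashlib.sha256(s1).digest()) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, message: bytes) -> list:
    """Reveal one secret per digest bit; only the holder of sk can do this."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    """Anyone holding pk can check the signature; no secret is needed."""
    if len(signature) != 256:
        return False
    bits = _digest_bits(message)
    return all(
        hmac.compare_digest(hashlib.sha256(sig_i).digest(), pk[i][bit])
        for i, (bit, sig_i) in enumerate(zip(bits, signature))
    )


def dispute():
    """Replay the dispute for a MAC (deniable) and for a signature (undeniable)."""
    shared_sk = secrets.token_bytes(32)             # sk is known to Alice AND Bob
    m = b"constructed message M"                    # constructed sample input
    never_sent = b"constructed message Alice never sent"

    mac_a = mac_tag(shared_sk, m)                   # Alice: MAC a = HMAC(M, sk)
    mac_b = mac_tag(shared_sk, m)                   # Bob:   MAC b = HMAC(M, sk)
    fabricated = mac_tag(shared_sk, never_sent)     # Bob alone produces a valid tag

    alice_sk, alice_pk = lamport_keygen()           # only Alice holds alice_sk
    signature = lamport_sign(alice_sk, m)

    return {
        # Identical tags: a transcript (M, MAC) does not say which party made it.
        "mac_a_equals_mac_b": hmac.compare_digest(mac_a, mac_b),
        # Bob can attach a valid tag to text Alice never sent, so she can deny any tag.
        "bob_fabricated_tag_verifies": mac_verify(shared_sk, never_sent, fabricated),
        # A third person needs only alice_pk to be convinced: this is evidence.
        "signature_verifies_with_public_key_only": lamport_verify(alice_pk, m, signature),
        "signature_rejected_for_other_message": not lamport_verify(alice_pk, never_sent, signature),
    }


if __name__ == "__main__":
    for claim, holds in dispute().items():
        print(f"{claim}: {holds}")
```
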


3. Receipt-freeness & Coercion-resistance: What is "receipt"?

(Figure labels: Electronic voting system; Peggy's voting result; Receipt (Peggy generated) = EVIDENCE; Adversary: "I can ensure whether Peggy voted for particular candidate or not!")

If this scenario is realized, the e-voting system is a failure.

3. Receipt-freeness & Coercion-resistance: Risk: Misusing receipt
A receipt can be used in voting irregularities.

(Figure labels: Electronic voting system; Muggy's voting result; Receipt (Muggy generated) = EVIDENCE; "I can sell my vote with the receipt"; Muggy is a floater in this voting)

If this scenario is realized, the e-voting system is a failure.

3. Receipt-freeness & Coercion-resistance: Receipt-freeness
"Receipt-freeness" is one of the requirements for electronic voting.
◦ "Receipt-freeness" means a voter does not gain any information (a receipt).
◦ No voter can show that he/she voted for any particular candidate.
◦ Receipt-freeness is effective in preventing bribery and coercion.

3. Receipt-freeness & Coercion-resistance: Related works of receipt-freeness
Receipt-freeness is studied in e-voting.
◦ Meng, Li, Qin, "A Receipt-free Coercion-resistant Remote Internet Voting Protocol without Physical Assumptions through Deniable Encryption and Trapdoor Commitment Scheme", Journal of Software, Vol. 5, No. 9, pp. 942-949, Sep. 2010
◦ Kusters, Truderung, Vogt, "Verifiability, Privacy, and Coercion-Resistance: New Insights from a Case Study", 2011 IEEE Symposium on Security and Privacy
◦ Khader, Ryan, Tang, "Proving Pret a Voter Receipt Free using Computational Security Models", USENIX Journal of Election Technology and Systems (JETS), Volume 1, Number 1, 2013
◦ Howlader, Roy, Mal, "Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment", Information Security and Cryptology - ICISC 2013

3. Receipt-freeness & Coercion-resistance: Coercion-resistance
Key Generation using Skin Conductance (Gupta, Gao, 2010)

(Figure labels: User; Adversary; Voice; Skin Conductance; ANALYSE; Coercion? Yes / No; generate Cryptographic Key; Cannot generate Cryptographic Key)

3. Receipt-freeness & Coercion-resistance: Related works of coercion-resistance
Related works:
◦ Electronic voting
  ◦ J. Heather, S. Schneider, "A formal framework for modelling coercion resistance and receipt freeness", FM 2012: Formal Methods, LNCS Vol. 7436, pp 217-231, 2012.
  ◦ J. Benaloh, D. Tuinstra, "Receipt-Free Secret-Ballot Elections", Proceedings of the twenty-sixth annual ACM symposium on Theory of computing (STOC '94), pp. 244-553, 1994.
  ◦ T. Okamoto, "Receipt-Free Electronic Voting Schemes for Large Scale Elections", Security Protocols, Vol. 1361 of LNCS, pp 25-35, 1998.
  ◦ S. Delaune, S. Kremer, M. Ryan, "Verifying Privacy-Type Properties of Electronic Voting Protocols: A Taster", Towards Trustworthy Elections, Vol. 6000 of LNCS, pp 289-309, 2010.
◦ Online auction
  ◦ N. Dong, H. Jonker, J. Pang, "Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus", Formal Aspects of Security and Trust, Vol. 6561 of LNCS, pp 223-238, 2011.
  ◦ J. Howlader, S. K. Roy, A. K. Mal, "Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment", Information Security and Cryptology - ICISC 2013, Vol. 8565 of LNCS, pp 418-434, 2014

Forensics - Receipt-freeness - Coercion - Deniability: Relationship of the keywords

(Figure labels: Privacy protection; Receipt-freeness; Malicious use; Coercion; Adversary; Forensics; Deniability; Coercion-resistance)


4. Subject of our research: Our standpoint
Forensic vs Anti-forensic

Forensic
• Collection of digital evidence

Anti-forensic
• Resistance to collecting digital evidence

Abuse of forensic techniques causes inappropriate information collection.

Our standpoint: privacy protection is derived from proper use of anti-forensics.

4. Subject of our research: Novel Threats of Remote Biometrics

(Figure labels: Client; Server; Authentication; (Malicious) third person)

Collecting the above information as evidence = Collecting excessive privacy information

4. Subject of our research: Novel viewpoint for privacy protection
Some information other than the authentication results may remain in memory, cache, and so on:
◦ Intermediate data in authentication phase
◦ Enrolled templates
◦ Signature of templates
◦ Biometric feature of captured samples
◦ Other information combined with each person
(Figure label: Privacy information)

A viewpoint of anti-forensics is required in biometrics for privacy protection.

4. Subject of our research: Our Subject
From the viewpoint of anti-forensics, "receipt-freeness" and "coercion-resistance" are required in remote biometrics.

This work is a first step.
◦ This work defines "receipt-freeness" and "coercion-resistance" of remote biometric authentication protocols.
◦ Based on the definition, we analyze some remote biometric authentication protocols with respect to "receipt-freeness" and "coercion-resistance."


5. Receipt-freeness in biometrics
"Receipt-freeness" = No evidence
◦ If a registrant obtains no information about his/her authentication process (receipts) in any manner, he/she cannot show evidence of his/her authentication to a third person.
◦ We can define "receipt-freeness" in biometrics by analogy with the discussion of e-voting.
◦ Furthermore, coercion-resistance?

(Figure labels: Malicious third person; User; Biometric system; Server; Access)

5. Receipt-freeness in biometrics: Point: Evidence and Opportunity
In order to define "receipt-freeness" of remote biometrics, we consider the following two points:
1. Collectable information = Evidence
◦ What sorts of information can the authentication server collect?
2. Opportunity of collecting information
◦ When can the authentication server gather the above-mentioned information?

5. Receipt-freeness in biometrics: Collectable information = Evidence
Specific information peculiar to remote biometrics
◦ Evidence that someone executed the authentication process = information used for individual registrants
  ◦ User ID
  ◦ Image data acquired from sensor devices
  ◦ Template information
  ◦ Extracted feature, etc.

(Figure labels: Data derived from living person; Biometric data; Uniquely transformed biometric data, e.g. hash of templates)

5. Receipt-freeness in biometrics: Opportunity of collecting information
Forensic techniques are used in the following scenes:
1. While executing the authentication process
◦ Administrator can gather a memory dump
2. Opportunities other than the authentication process
◦ Many processes other than authentication
◦ Maintenance while the system is stopped

5. Receipt-freeness in biometrics: Definition of "Receipt-freeness"
We define "receipt-freeness" of remote biometrics as follows:

No information combined with a person is obtained from accumulated logs and related information in the authentication server, whether in service or not.
• Biometric information
• Unique data calculated from biometric information (e.g. encrypted data, hash value)

5. Receipt-freeness in biometrics: Evaluation of "receipt-freeness"
Evaluation of "receipt-freeness" for some remote biometric authentication protocols:
◦ Cancelable biometrics (Ratha et al., 2001)
◦ Zero-Bio
◦ ZeroBio Using Oblivious Neural Network Evaluation Protocol (Nagai et al., 2007)
◦ ZKIPs for proving "nearness" using commitment (Ogata et al., 2006)
◦ G3C-ZKIP using generated graphs from biometric feature (Oda et al., 2008)
◦ Extensible Personal Authentication Framework using Biometrics and PKI (Bio PKI) (Okada et al., 2004)

5. Receipt-freeness in biometrics: Cancelable biometrics (1)
Proposed by Ratha et al.
◦ The biometric feature is transformed by a non-invertible transform with chosen parameter R.
◦ When the transformed feature (template) is compromised, re-enrolment is available by choosing a new parameter R'.

(Figure: Enrolment: the client performs feature extraction to get X, selects R, applies the transform and sends $F_R(X)$ to the server as the template. Authentication: the client performs feature extraction to get X', applies the transform with R and sends $F_R(X')$ to the server, which performs matching against the template and outputs the result.)

5. Receipt-freeness in biometrics: Cancelable biometrics (2)
Image of non-invertible transform

(Figure labels: One-way function, e.g. random shuffling; Inverse transform)

5. Receipt-freeness in biometrics: Cancelable biometrics (4)
In this scheme, $F_R(X)$ and $F_R(X')$ are left on the server.
◦ $F_R(X)$ and $F_R(X')$ are evidence of specific persons' authentication processes.
◦ This means "receipt-freeness" is NOT satisfied.

(Figure: the enrolment and authentication flow of the cancelable biometrics scheme, with $F_R(X)$ and $F_R(X')$ marked on the server. Annotation: this data is calculated from the extracted feature.)
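
Added example (not part of the original slides): a toy cancelable-biometrics server in Python that shows both properties discussed above, re-enrolment with a new parameter and the residue $F_R(X)$, $F_R(X')$ acting as a receipt. The transform (seeded shuffle followed by XOR-folding) is only a stand-in for the transform of Ratha et al.; the feature length, threshold, user names and parameters are constructed for this example.

```python
import random

FEATURE_BITS = 128   # length of the toy binary feature vector X (assumption)
THRESHOLD = 12       # maximum Hamming distance accepted as a match (assumption)


def transform(x, r):
    """Toy F_R: shuffle bit positions with seed R, then XOR the two halves.

    The fold maps many inputs to one output, so the template alone does not
    determine X; a different R gives an unrelated template for the same X.
    """
    order = list(range(len(x)))
    random.Random(r).shuffle(order)
    shuffled = [x[j] for j in order]
    half = len(x) // 2
    return tuple(shuffled[k] ^ shuffled[k + half] for k in range(half))


def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))


def capture(x, flips, rng):
    """A fresh sample X': the person's feature with a few sensor-noise bit flips."""
    y = list(x)
    for j in rng.sample(range(len(y)), flips):
        y[j] ^= 1
    return y


class Server:
    """Matching server that keeps what the slide says is left behind."""

    def __init__(self):
        self.templates = {}   # user id -> F_R(X) stored at enrolment
        self.residue = []     # every F_R(X') received (logs, memory, cache)

    def enrol(self, user_id, template):
        self.templates[user_id] = template

    def authenticate(self, user_id, probe):
        self.residue.append(probe)
        return hamming(self.templates[user_id], probe) <= THRESHOLD


def attribute_residue(server):
    """Receipt-freeness audit: link each leftover F_R(X') to an enrolled person
    using nothing but the data held on the server."""
    return [
        min(server.templates, key=lambda u: hamming(server.templates[u], probe))
        for probe in server.residue
    ]


def scenario(seed=45):
    rng = random.Random(seed)
    features = {u: [rng.randrange(2) for _ in range(FEATURE_BITS)]
                for u in ("alice", "bob")}           # constructed users
    params = {"alice": 1001, "bob": 2002}            # each user's parameter R
    server = Server()
    for user in features:
        server.enrol(user, transform(features[user], params[user]))

    genuine = server.authenticate(
        "alice", transform(capture(features["alice"], 5, rng), params["alice"]))
    server.authenticate(
        "bob", transform(capture(features["bob"], 5, rng), params["bob"]))
    attributed = attribute_residue(server)           # residue names its owner

    impostor = server.authenticate(
        "alice", transform(capture(features["bob"], 5, rng), params["alice"]))

    # Re-enrolment after compromise: same finger, new parameter R'.
    old_template = server.templates["alice"]
    new_template = transform(features["alice"], 3003)
    return {
        "genuine_accepted": genuine,
        "impostor_accepted": impostor,
        "residue_attributed_to": attributed,
        "old_template_matches_new": hamming(old_template, new_template) <= THRESHOLD,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The audit succeeds because every stored value is unique data calculated from one person's biometric feature, which is exactly what the definition of "receipt-freeness" above excludes.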

5. Receipt-freeness in biometrics: Zero-Bio
Concept:
◦ The client shows the validity of the client's authentication result and process to the server by Zero-Knowledge Interactive Proof (ZKIP).
◦ ZKIP: the prover convinces the verifier that "I know the secret" without showing knowledge of the "secret".

(Figure: Client and Server run ZKIP.)
• Authentication is done appropriately.
• Auth. result is valid.
• Server is convinced of Client's claim.

5. Receipt-freeness in biometrics: Zero-Knowledge Interactive Proof (1)
Peggy (prover) tries to convince Vic (verifier) of knowing the secret without sending it directly.

Peggy: "I want to say 'I know the secret'." "I don't show 'secret' itself."
Vic: "When I randomly choose '0' or '1', does she send correct data?" "She knows 'secret', because she answers correctly on all steps."

(Figure labels: R; Vic's choices 1, 1, 0, ..., 1; Peggy's answers A1, A2, ..., Ak; OK at each step)

No "secret" data is known from the interaction: Zero Knowledge (ZK)

5. Receipt-freeness in biometrics: Zero-Knowledge Interactive Proof (2)
Characteristic of ZKIP (Sakurai, Itoh, CRYPTO92)
◦ ZKIP can be constructed:
  ◦ NOT by parallel execution of 3-move protocol,
  ◦ BUT by sequential iteration of 3-move protocol.
◦ 3-move protocol can be honest verifier ZK.
  ◦ BUT 3-move protocol can NEVER be ZK.

5. Receipt-freeness in biometrics: Zero-Knowledge Interactive Proof (3)
Sketch of parallel version vs sequential version

$N$: composite integer, $x = w^2 \bmod N$
$P$ holds $((x, w), N)$; $V$ holds $(x, N)$

$P$: $r \in \{\text{int.}\}$, $a = r^2$; sends $a$ to $V$
$V$: $c \in \{1, 0\}$; sends $c$ to $P$
$P$: if $c = 0$, $s := r$; else $s := rw$; sends $s$ to $V$
$V$: if $s^2 = a x^c$, accept; else reject

$\forall$ PPT $V^*$, $\exists$ Simulator ($V^*$: a cheating verifier):
  $c \in \{1, 0\}$, $s \in \{\text{int.}\}$, $a := s^2 / x^c$
  If $V^*((x, N), a) = c$, return $(a, c, s)$
  Else Go to:

On average, Simulator succeeds in 2 trials because $|c| = 1$ [bit]

$c = h(a, M)$, where $M$ chosen by $V^*$

5. Receipt-freeness in biometrics: Zero-Knowledge Interactive Proof (4)
Sketch of parallel version vs sequential version

ZKIP can be constructed: NOT by parallel execution, BUT by sequential iteration.

$i$ parallel: $P$ sends $a_1, a_2, \dots$; $V$ sends $c_1, c_2, \dots$; $P$ sends $s_1, s_2, \dots$
  For soundness, $i$ polynomial
  For ZK, Simulator needs $2^i$ trials

$i$ sequential: $P$ sends $a_1$, $V$ sends $c_1$, $P$ sends $s_1$; then $a_2$, $c_2$, $s_2$; ...
  For soundness, $i$ polynomial
  For ZK, Simulator needs $2i$ trials

5. Receipt-freeness in biometrics
Zero-Knowledge Interactive Proof (5)

Sketch of parallel version vs sequential version

3-move protocol can be honest verifier ZK. BUT 3-move protocol can NEVER be ZK.

$i$ concatenation
◦ $P \to V$: $a := a_1 a_2 \cdots$
◦ $V \to P$: $c := c_1 c_2 \cdots$
◦ $P \to V$: $s := s_1 s_2 \cdots$

Simulator:
◦ $c \leftarrow \{1, 0\}^i$, $s \leftarrow \{\text{int.}\}$, $a := s^2 / x^c$
◦ If $V^*((x, N), a) = c$, return $(a, c, s)$
◦ Else Go to:

On average, the Simulator succeeds in $2^i$ trials because $|c| = i$ [bit].
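The contrast drawn on these slides, as an added Python sketch that is not part of the original presentation: the simulator back-computes a := s²/x^c and is rewound against a cheating verifier V* with c = h(a, M), once round by round and once with all challenge bits concatenated. The modulus, the secret w, SHA-256 standing in for h and all function names are assumptions chosen for illustration.

```python
import hashlib
import random

# Constructed toy parameters (assumptions): two Mersenne primes, far too small for real use.
N = (2**31 - 1) * (2**61 - 1)    # composite modulus
W = 123456789                    # prover's secret w
X = pow(W, 2, N)                 # public x = w^2 mod N
X_INV = pow(X, -1, N)            # lets the simulator compute a := s^2 / x^c


def verify(a, c, s):
    """Verifier's check: accept iff s^2 = a * x^c (mod N)."""
    return pow(s, 2, N) == a * pow(X, c, N) % N


def honest_round(rng):
    """One honest 3-move run: a = r^2, random bit c, s = r * w^c so the check holds."""
    r = rng.randrange(1, N)
    a = pow(r, 2, N)
    c = rng.randrange(2)
    return a, c, r * pow(W, c, N) % N


def cheating_challenge(commitments, M, nbits):
    """Cheating verifier V*: c = h(a, M), truncated to nbits challenge bits."""
    data = b"".join(a.to_bytes(16, "big") for a in commitments) + M
    digest = hashlib.sha256(data).digest()
    return [(digest[k // 8] >> (k % 8)) & 1 for k in range(nbits)]


def simulated_move(rng, c):
    """Simulator without w: pick s first, then back-compute a := s^2 / x^c."""
    s = rng.randrange(1, N)
    return pow(s, 2, N) * pow(X_INV, c, N) % N, s


def simulate_sequential(rounds, M, rng):
    """Guess one bit per round; a miss rewinds only the current round."""
    transcript, trials = [], 0
    for k in range(rounds):
        while True:
            trials += 1
            c = rng.randrange(2)
            a, s = simulated_move(rng, c)
            if cheating_challenge([a], M + bytes([k]), 1) == [c]:
                transcript.append((a, c, s))
                break
    return transcript, trials


def simulate_parallel(rounds, M, rng):
    """Guess all bits at once; a single wrong bit discards the whole attempt."""
    trials = 0
    while True:
        trials += 1
        guess = [rng.randrange(2) for _ in range(rounds)]
        moves = [simulated_move(rng, c) for c in guess]
        if cheating_challenge([a for a, _ in moves], M, rounds) == guess:
            return [(a, c, s) for (a, s), c in zip(moves, guess)], trials


def average_trials(rounds=8, repeats=20, seed=2016):
    """Average simulator trials per accepted transcript: (sequential, parallel)."""
    rng = random.Random(seed)
    seq_total = par_total = 0
    for n in range(repeats):
        M = b"constructed-session-%d" % n
        seq, k_seq = simulate_sequential(rounds, M, rng)
        par, k_par = simulate_parallel(rounds, M, rng)
        assert all(verify(a, c, s) for a, c, s in seq + par)
        seq_total += k_seq
        par_total += k_par
    return seq_total / repeats, par_total / repeats


if __name__ == "__main__":
    seq_avg, par_avg = average_trials()
    print("sequential: %.1f trials (about 2i = 16)" % seq_avg)
    print("parallel:   %.1f trials (about 2^i = 256)" % par_avg)
```

Both simulators output transcripts that pass the verifier's check; only the number of rewinds differs, which is why the parallel form stops being simulatable in polynomial time as i grows.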

5. Receipt-freeness in biometrics
Zero-Bio (1-1)

ZeroBio Using Oblivious Neural Network Evaluation Protocol (Nagai et al., 2007)
◦ The ZKIP proves that the NN which distinguishes registrants is calculated correctly on the client.
◦ If the ZKIP ends successfully, the server can verify that the authentication result on the client is valid.

[Figure: Client (correct authentication by calculating neural networks (NN)) and Server (verification that the NN is calculated correctly), connected by the ZKIP. Labels: X’, Xi, Wij, Yi, common input.]

5. Receipt-freeness in biometrics
Zero-Bio (1-2)

ZeroBio Using Oblivious Neural Network Evaluation Protocol (Nagai et al., 2007)
◦ In the ZKIP, the client sends the following information to the server:
  $Y_i = W_{1x}^{x_1} W_{2x}^{x_2} \cdots W_{nx}^{x_n}$
◦ This means the encrypted output of the input layer contains information on the biometric data X = (x1, x2, …, xn).
◦ The ZKIP consists of a 3-move protocol.
◦ When the ZKIP is executed in parallel, some information is compromised by the execution.
◦ For the above reasons, this protocol does NOT satisfy “receipt-freeness.”

5. Receipt-freeness in biometrics
Zero-Bio (2-1)

ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)
◦ A commitment calculated from biometric data X and a random value r is defined.
  ◦ Commitment E(X, r): homomorphism for addition
◦ Commitments of the template and the extracted feature are calculated.
◦ From the commitments, “nearness” is proven by Zero-Knowledge Interactive Proof (ZKIP).

[Figure: the client calculates E(X’, r’) from input X’; the server validates that X is near to X’ from E(X, r) and E(X’, r’). Labels: ZKIP, X’, commitment E(X, r).]

5. Receipt-freeness in biometrics
Zero-Bio (2-2)

ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)
◦ The server obtains two commitments, E(X, r) and E(X’, r’), as evidence.
◦ E(X, r) and E(X’, r’) are calculated from biometric raw data.

5. Receipt-freeness in biometrics
Zero-Bio (2-3)

ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)
◦ Since the ZKIP consists of a 3-step interaction protocol, parallel execution of the ZKIP compromises some knowledge.
◦ Because of the above two reasons, this protocol does NOT satisfy “receipt-freeness.”

5. Receipt-freeness in biometrics
Zero-Bio (3-1)

G3C-ZKIP using generated graphs from biometric feature (Oda et al., 2008)
◦ Graph G(V, E, C) is generated from biometric data
  ◦ V: vertex, E: edge, C: color
◦ The authentication process uses a ZKIP proving that the given graph G(V, E) is 3-colorable (G3C)

[Figure: generation of the graph]
◦ Each segmentation of biometric data is quantized with three colors C
◦ Vertices V of different colors are connected to form graph G
◦ The above graph G is enrolled

5. Receipt-freeness in biometrics
Zero-Bio (3-2)

Summarized Protocol (between Server and Client)

Enrolment phase
1. Generation of C from biometric data
2. Generation of graph G(V, E) from C
3. Sending G and ID
4. Enrolment of G and ID

Authentication phase
1. Sending ID
2. Sending G
3. Generation of C’ from acquired biometric data
4. Correction of error of C’ using G and C’
5. G3C-ZKIP

5. Receipt-freeness in biometrics
Zero-Bio (3-3)

Consideration
◦ Color information C is not left on the server
  ◦ Reason: the zero-knowledge characteristic of G3C
◦ A part of the transformed biometric data is left
  ◦ The edges E of the graph are evidence
◦ Since evidence is left on the server, this protocol does NOT satisfy “receipt-freeness.”

5. Receipt-freeness in biometrics
Bio PKI (1)

Extensible Personal Authentication Framework using Biometrics and PKI (Okada et al., 2004)
◦ The server can validate the authentication result in the client using a certificate of the biometric authentication environment

[Figure: Client with biometric device and certificate (validity of authentication: biometric devices); Server: verification of the certificate; the result is trustful.]

5. Receipt-freeness in biometrics
Bio PKI (2)

Based on the PKI framework, the server can verify the client’s result from the authentication result and context information (environment of biometric authentication).

[Figure labels]
◦ CA (TTP): issuing certificate of personal authentication context; expiration list
◦ Certificate: security of device, method, accuracy
◦ Client: biometric device (fingerprint, retina, vein, etc.); personal data storage device (template, etc.); execute authentication; generation of authentication result and context
◦ Server (Verifier): verification of authentication context
◦ Between Client and Server: authentication result and context; validation result

5. Receipt-freeness in biometrics
Bio PKI (3)

Format of authentication result and context information

Generic Context
◦ Version
◦ Issuer Name
◦ Subject
◦ Challenge Value
◦ Generation Time
◦ Profile Information
  ◦ Profile Identifier 1
  ◦ Profile Identifier 2
  ◦ :
◦ Authenticator/Signature

Specific Context (one for Profile Identifier 1, one for Profile Identifier 2)
◦ Context Header
◦ Profile Specific Block
◦ Authenticator/Signature

Profile Specific Block
◦ Information of personal data storage device: verification algorithm, hash value of template data, authentication result
◦ Information of authentication device: unique ID of device, hash value of feature data, etc.

5. Receipt-freeness in biometrics
Bio PKI (4)

Consideration
◦ The client sends the authentication result and the context of the authentication environment to the server (verifier).
◦ If the format of the “profile specific block” (PSB) contains the following data, the following evidence is left on the server.
  ◦ Hash value of template
  ◦ Hash value of feature data
◦ In that case, this protocol does NOT satisfy “receipt-freeness.”
◦ On the other hand, when the PSB does not contain the above data, this case satisfies “receipt-freeness.”


6. Coercion-resistance in biometrics

Idea
◦ We can consider “coercion” by a third person who collects the privacy information, based on “receipt-freeness.”

[Figure labels: Adversary (Coercer), User, Biometric system, Server; Coercion; Access.]

Subject:
• Defining “coercion-resistance” on biometric authentication protocols
• Analysis of some remote biometric authentication protocols about “coercion-resistance.”

6. Coercion-resistance in biometrics
Re-definition of “receipt-freeness”

Assumption of the adversary in this work
◦ The adversary can wiretap communication data of the authentication process via an insecure open network.

[Figure: User, Authentication Client and Authentication Server, with the Adversary sniffing the authentication traffic. Labels: “Wiretapping communication data on the protocol”; “receipt-free”.]

Evidence to convince
• Biometric information
• Unique transformed data from the biometric information

6. Coercion-resistance in biometrics
Definition of “coercion-resistance”

Assumption of coercer’s capability
◦ A coercer in a distant place can constrain the user during the user’s authentication process.

Definition of “coercion-resistance”
◦ The user can show no evidence to the above coercer.
• Evidence = the following information combined with the user:
  ◦ biometric information
  ◦ unique transformed data from the related biometric information

6. Coercion-resistance in biometrics
Analysis of “Coercion-resistance”

We analyze “coercion-resistance” based on “receipt-freeness” about the following protocols.
◦ Khan and Kumari (BioMed Research Int’l, 2013)
◦ Lin et al. (Wireless Personal Commun., 2015)

[Figure: User U, Client, Smartcard SC, Authentication Server S and Registration Center RC. Labels: registration of user and smartcard; registration of server (in Lin’s method).]

6. Coercion-resistance in biometrics
Khan and Kumari’s protocol

Target: login phase and authentication phase

User ($U_i$)
◦ Inputs $ID_i$, $PW_i$ and $BIO_i$
◦ $SC_i$ calculates $f_i \leftarrow (ID_i \parallel PW_i) \oplus g_i$
◦ When biometric authentication has succeeded, the client calculates
  $M_1 = c_i \oplus f_i$, $M_2 = e_i \oplus r_i$, $M_3 = M_1 \oplus R_c$, $M_4 = (M_1 \parallel R_c) \oplus ID_i$, $M_5 = h(M_2 \parallel R_c)$
  ($R_c$ is a random number generated by $SC_i$)

$U_i \to S_i$: $\{M_3, M_4, M_5\}$

Server ($S_i$)
◦ Computes $M_6 = h(x_s \parallel y_s)$, $M_7 = M_3 \oplus M_6$, $ID_i = M_4 \oplus (M_6 \parallel M_7)$
◦ If $ID_i$ is correct, computes $M_8 = h(ID_i \parallel x_s)$
◦ When $M_5 = h(M_8 \parallel M_7)$ is verified, computes $M_9 = M_8 \oplus R_s$, $M_{10} = h(M_8 \parallel R_s)$
  ($R_s$ is a random number generated by $S_i$)

$S_i \to U_i$: $\{M_9, M_{10}\}$

User ($U_i$)
◦ Computes $M_{11} = M_9 \oplus M_2$
◦ When $M_{10} = h(M_2 \parallel M_{11})$ is verified, computes $M_{12} = h(M_2 \parallel R_c \parallel M_{11})$

$U_i \to S_i$: $\{M_{12}\}$

Server ($S_i$)
◦ When $M_{12} = h(M_8 \parallel M_7 \parallel R_s)$ is verified, accepts the login request


6. Coercion-resistance in biometrics
Khan and Kumari’s protocol

Key point
◦ whether parameters imply the biometric information $BIO_i$ or not.

In this protocol, the following parameters are evaluated:
◦ $M_3 = M_1 \oplus R_c = h(x_s \parallel y_s) \oplus R_c$
◦ $M_4 = (M_1 \parallel R_c) \oplus ID_i = (h(x_s \parallel y_s) \parallel R_c) \oplus ID_i$
◦ $M_5 = h(M_2 \parallel R_c) = h(h(ID_i \parallel x_s) \parallel R_c)$
◦ $M_9 = M_8 \oplus R_s = h(ID_i \parallel x_s) \oplus R_s$
◦ $M_{10} = h(M_8 \parallel R_s) = h(h(ID_i \parallel x_s) \parallel R_s)$
◦ $M_{12} = h(M_2 \parallel R_c \parallel M_{11}) = h(M_2 \parallel R_c \parallel (M_9 \oplus M_2))$

◦ NO biometric information ($BIO_i$)
◦ No one can obtain the “evidence” of the related biometric information used.

6. Coercion-resistance in biometrics
Khan and Kumari’s protocol

Analysis
◦ No term of biometric information is included in any of the parameters.
◦ The coercer can give orders to Ui.
◦ He/she cannot observe data that includes biometric information in the communication.
◦ Ui cannot show the evidence to him/her.

Receipt-freeness: OK
Coercion-resistance: OK

6. Coercion-resistance in biometrics
Lin et al.’s protocol

Target: login phase and authentication phase

User ($U_i$)
◦ Inputs $ID_i$, $PW_i$ and $BIO_i$
◦ Computes $d_i^* = h(a_i \parallel h(PW_i \parallel BIO_i) \parallel ID_i)$
◦ When $d_i^* = d_i$ is verified, generates nonce $m$ and timestamp $T$ on $SC_i$
◦ Computes $M = m \cdot P$, $b_{ij} = D_{h(ID_i \parallel BIO_i)}[c_{ij}]$, $f_i = a_i \oplus h(M \parallel T_i \parallel SID_j)$, $g_i = E_{b_{ij}}[h(PW_i \parallel BIO_i), M, T_i]$

$U_i \to S_j$: $\{a_i, f_i, g_i\}$

Server ($S_j$)
◦ Computes $b_{ij} = h(a_i \parallel r_i)$ and $D_{b_{ij}}[g_i] = \{h(PW_i \parallel BIO_i), M, T_i\}$
◦ Generates timestamp of server $T_j$ and verifies $|T_j - T_i| < \Delta T$
◦ When the above equation is verified, computes $f_i^* = a_i \oplus h(M \parallel T_i \parallel SID_j)$
◦ When $f_i^* = f_i$ is verified, generates random value $n$ and computes $j_i = h(SID_j \oplus h(PW_i \parallel BIO_i))$, $N = n \cdot P$, $k_i = E_{b_{ij}}[j_i, N, SID_j]$, $SK_{ij} = n \cdot M$

$S_j \to U_i$: $\{k_i\}$

User ($U_i$)
◦ Computes $D_{b_{ij}}[k_i] = \{j_i, N, SID_j\}$ and $j_i^* = h(SID_j \oplus h(PW_i \parallel BIO_i))$
◦ When $j_i^* = j_i$ is verified, computes $SK_{ij} = m \cdot N$, $l_i = h(SK_{ij} \parallel h(PW_i \parallel BIO_i))$

$U_i \to S_j$: $\{l_i\}$

Server ($S_j$)
◦ Computes $l_i^* = h(SK_{ij} \parallel h(PW_i \parallel BIO_i))$
◦ When $l_i^* = l_i$ is verified, accepts login


6. Coercion-resistance in biometrics
Lin et al.’s protocol

Key point
◦ whether parameters imply the biometric information $BIO_i$ or not.
◦ Communication data = targets of analysis

In this protocol, the following parameters include $BIO_i$.
◦ $d_i = h(a_i \parallel h(PW_i \parallel BIO_i) \parallel ID_i)$
◦ $g_i = E_{b_{ij}}[h(PW_i \parallel BIO_i), M, T_i]$
◦ $j_i = h(SID_j \oplus h(PW_i \parallel BIO_i))$
◦ $k_i = E_{b_{ij}}[j_i, N, SID_j]$
◦ $l_i = h(SK_{ij} \parallel h(PW_i \parallel BIO_i))$

Parameters gi, ki, and li imply the term BIOi.

It is necessary to analyze whether these parameters are “evidence” or not.

6. Coercion-resistance in biometrics
Lin et al.’s protocol

If the parameters for a unique user are not changed among different authentication sessions, the parameter is regarded as “evidence.”

Analysis of receipt-freeness
◦ $g_i = E_{b_{ij}}[h(PW_i \parallel BIO_i), M, T_i]$
◦ $k_i = E_{b_{ij}}[j_i, N, SID_j]$
◦ $l_i = h(SK_{ij} \parallel h(PW_i \parallel BIO_i))$

Annotations on the highlighted terms:
◦ NOT change among sessions: EVIDENCE
◦ change among sessions: NOT EVIDENCE

Receipt-freeness: NG

4. Analysis of “Receipt-freeness” and “Coercion-resistance”
Lin et al.’s protocol

Analysis of coercion-resistance
◦ The coercer can give orders to Ui.
◦ He/she can observe data that includes biometric information, gi and ki, in the communication.
◦ Ui can show the parameters to him/her as the “evidence.”

Coercion-resistance: NG
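The criterion used in this analysis (a value derived from BIOi that does not change between sessions is “evidence”), applied mechanically to the parameters listed for both protocols. This is an added Python sketch, not part of the original slides; the symbolic term encoding, the split of atoms into per-user static values and per-session fresh values, and the rule that the fields of E_bij[...] count as shown once decrypted are assumptions.

```python
# Atoms named on the slides, marked by whether they stay fixed for a user/server
# or are regenerated in every session (constructed classification, an assumption).
STATIC = {"BIO", "PW", "ID", "SID", "xs", "ys"}
FRESH = {"Rc", "Rs", "M", "N", "T", "SK"}


def h(*args):
    return ("h",) + args


def xor(*args):
    return ("xor",) + args


def cat(*args):
    return ("cat",) + args


def enc(*fields):
    return ("enc",) + fields


def atoms(term):
    """All atom names occurring anywhere inside a symbolic term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(atoms(arg) for arg in term[1:]))


def shown_values(param):
    """Values the user can hand to a coercer: the parameter itself, or, for
    E_bij[...], its decrypted fields (assumption: the user's side holds b_ij)."""
    if isinstance(param, tuple) and param[0] == "enc":
        return list(param[1:])
    return [param]


def classify(param):
    if "BIO" not in atoms(param):
        return "no BIO"
    for value in shown_values(param):
        used = atoms(value)
        if "BIO" in used and used <= STATIC:
            return "evidence"        # BIO-derived and identical in every session
    return "not evidence"            # BIO-derived but bound to a fresh value


def analyze(protocol):
    return {name: classify(term) for name, term in protocol.items()}


def receipt_free(protocol):
    return "evidence" not in analyze(protocol).values()


M1 = h("xs", "ys")                   # M1 = h(xs || ys)
M2 = h("ID", "xs")                   # M2 = M8 = h(IDi || xs)
KHAN_KUMARI = {
    "M3": xor(M1, "Rc"),
    "M4": xor(cat(M1, "Rc"), "ID"),
    "M5": h(M2, "Rc"),
    "M9": xor(M2, "Rs"),
    "M10": h(M2, "Rs"),
    "M12": h(M2, "Rc", xor(xor(M2, "Rs"), M2)),
}

H_PW_BIO = h("PW", "BIO")
J_I = h(xor("SID", H_PW_BIO))
LIN = {
    "g_i": enc(H_PW_BIO, "M", "T"),
    "k_i": enc(J_I, "N", "SID"),
    "l_i": h("SK", H_PW_BIO),
}

if __name__ == "__main__":
    for name, proto in (("Khan and Kumari", KHAN_KUMARI), ("Lin et al.", LIN)):
        print(name, analyze(proto), "receipt-free:", receipt_free(proto))
```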


7. Conclusion

This presentation introduces
◦ Privacy issue of biometrics
◦ Related viewpoints:
  ◦ Forensics vs Anti-forensics
  ◦ Receipt-freeness & Coercion-resistance
◦ Our challenge: “Receipt-freeness” and “Coercion-resistance” of biometrics
  ◦ Definition of “Receipt-freeness” and “Coercion-resistance”
  ◦ Evaluation of remote biometric authentication protocols

7. Conclusion
Future work

Analyze other remote biometric authentication protocols about “receipt-freeness” and “coercion-resistance”
◦ brainwaves
  ◦ H. Bojinov, D. Sanchez, P. Reber, D. Boneh, P. Lincoln, “Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks”, the 21st USENIX Security Symposium (USENIX Security 12), pp. 129-141, Aug. 2012
◦ K. B. Rasmussen, M. Roeschlin, I. Martinovic, G. Tsudik, “Authentication Using Pulse-Response Biometrics”, the Network and Distributed System Security Symposium 2014

Deniability of biometric authentication protocols based on this argument

Thank you for your attention

Kouichi Sakurai
Faculty of Information Science and Electrical Engineering
Kyushu University