On the Generation of X.509v3 Certificates with Biometric Information
Transcript of On the Generation of X.509v3 Certificates with Biometric Information
Martínez-Silva et al.
On the Generation of X.509v3 Certificates with Biometric Information
Motivation
Public Key Cryptography
• Conceptually, public key cryptography was invented in 1976 by Diffie and Hellman.
• In 1977 (30 years ago!), RSA, the first practical public key cryptosystem, was invented.
Public Key Cryptography
• Some major examples of public key cryptosystems are:
– RSA
– DSA
– ECC
– NTRU
• Although public key cryptography allows digital signatures to be defined and verified reliably, by itself this mechanism is not enough to prevent attacks: nothing in a bare public key says who owns it, so an attacker can substitute his own.
Digital Certificate Benefits
• Secure Key Authentication
– A certificate binds a public key to an identity, which avoids attacks such as man-in-the-middle key substitution.
• Key Revocation
– A certificate carries a validity period, and the issuing authority can revoke it before that period ends (via a certificate revocation list in the X.509/RFC 2459 model).
• Non-repudiation
– A user cannot deny that the certified public key is his/hers.
• Policy Applications
– It helps to coordinate security policies across a large community.
X.509v3 Certificate
• X.509 version 3 certificates were profiled for the Internet as an IETF standard [RFC2459, 1999] (that profile has since been revised as RFC 5280).
• A certificate is composed of three main structures: the TBS ("to be signed") certificate (tbsCertificate), the signature algorithm identifier (signatureAlgorithm) and the digital signature (signatureValue). The signature is computed over the DER encoding of tbsCertificate.
• The TBS certificate consists of ten fields, six of them mandatory (serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo) and four optional (version, which defaults to v1; issuerUniqueID; subjectUniqueID; and extensions). The inner signature field must carry the same algorithm identifier as the outer signatureAlgorithm.
• Additionally, an X.509v3 certificate must be described in Abstract Syntax Notation One (ASN.1) and encoded with the Distinguished Encoding Rules (DER).
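The three-structure layout and the ten TBS fields above, together with the generation, parsing, verification and size-comparison steps that the later slides show only as figures, can be exercised end to end. The following Python is an added example written for this page, not the authors' MCA code: it encodes a TBSCertificate with its own DER helpers, signs it with RSA PKCS#1 v1.5 over SHA-256 (ECDSA, the deck's other engine, is left out), splits the result into tbsCertificate, signatureAlgorithm and signatureValue, verifies it, and measures what a fingerprint extension adds. Assumptions: the `2.999.1` and `2.999.2` OIDs are placeholders on the ITU-T example arc, not registered identifiers; the 1024-byte template is constructed random data standing in for a fingerprint template; the seeded 1024-bit key and the self-signed issuer exist only so the demo is fast and repeatable; `fingerprint_extension` is a hypothetical private extension, while `biometric_info_extension` follows the BiometricData syntax of RFC 3739.

```python
"""Added example, not the authors' MCA code: build a minimal X.509v3 certificate as DER, sign it
(RSA PKCS#1 v1.5 + SHA-256), split it into its three structures, verify it, and measure what a
fingerprint extension adds to its size.  Standard library only (Python 3.8+)."""
import functools, hashlib, random
# ---- DER (X.690) encoders for the subset X.509 uses ----
def tlv(tag, body):  # tag, definite length (short or long form), contents
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")) + body
def der_int(i):  # non-negative INTEGER; the +8 keeps the sign bit clear (0x80 -> 00 80)
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def der_oid(dotted):  # first two arcs merge; each arc is base-128 with the high bit set on all but its last byte
    arcs = [int(a) for a in dotted.split(".")]
    out = []
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))
def der_seq(*items):  return tlv(0x30, b"".join(items))
def der_octets(b):    return tlv(0x04, b)
def der_bits(b):      return tlv(0x03, b"\x00" + b)   # first byte: number of unused bits
def der_ctx(n, body): return tlv(0xA0 | n, body)      # [n] EXPLICIT
NULL = b"\x05\x00"
SHA256_RSA = der_seq(der_oid("1.2.840.113549.1.1.11"), NULL)  # AlgorithmIdentifier sha256WithRSAEncryption
SHA256_ID = der_seq(der_oid("2.16.840.1.101.3.4.2.1"), NULL)
OID_RSA, OID_CN = der_oid("1.2.840.113549.1.1.1"), der_oid("2.5.4.3")
OID_BIOMETRIC_INFO = der_oid("1.3.6.1.5.5.7.1.2")  # id-pe-biometricInfo (RFC 3739)
OID_FP_TEMPLATE, OID_FP_TYPE = der_oid("2.999.1"), der_oid("2.999.2")  # placeholders on the ITU-T example arc

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here one commonName (UTF8String)
    return der_seq(tlv(0x31, der_seq(OID_CN, tlv(0x0C, cn.encode()))))
def fingerprint_extension(template):  # hypothetical private extension carrying the whole template
    return der_seq(OID_FP_TEMPLATE, der_octets(der_octets(template)))
def biometric_info_extension(template):  # RFC 3739 BiometricData: type, hash algorithm, hash of template
    data = der_seq(OID_FP_TYPE, SHA256_ID, der_octets(hashlib.sha256(template).digest()))
    return der_seq(OID_BIOMETRIC_INFO, der_octets(der_seq(data)))
def tbs_certificate(serial, subject_cn, spki, extensions):
    # six mandatory fields plus the optional version and extensions; the optional unique IDs are omitted
    fields = [der_ctx(0, der_int(2)),                 # version v3 (DEFAULT v1, so sent explicitly)
              der_int(serial), SHA256_RSA,            # serialNumber; signature (MUST equal outer algorithm)
              name("Mobile CA (example)"),            # issuer
              der_seq(tlv(0x17, b"070101000000Z"), tlv(0x17, b"080101000000Z")),  # validity (UTCTime)
              name(subject_cn), spki]                 # subject; subjectPublicKeyInfo
    if extensions:
        fields.append(der_ctx(3, der_seq(*extensions)))  # [3] Extensions, v3 only
    return der_seq(*fields)
# ---- RSA: seeded toy key, PKCS#1 v1.5 signature over the raw TBS bytes ----
def rsa_keygen(bits=1024, seed=7):
    rng, e = random.Random(seed), 65537  # seeded so the demo repeats; a real CA draws from os.urandom
    def prime():  # Fermat test, 20 bases: fine for a demo key, use Miller-Rabin for a real one
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if c % e != 1 and all(pow(rng.randrange(2, c - 1), c - 1, c) == 1 for _ in range(20)):
                return c  # c % e != 1 guarantees gcd(e, c - 1) = 1, so d exists
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))
def _emsa_pkcs1(tbs, k):  # 00 01 FF..FF 00 || DigestInfo(sha256, H(tbs))
    digest_info = der_seq(SHA256_ID, der_octets(hashlib.sha256(tbs).digest()))
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
def rsa_sign(tbs, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1(tbs, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(tbs, sig, n, e):  # compare the whole encoding, never parse it (Bleichenbacher 2006)
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1(tbs, k)
# ---- Parsing and verification ----
def parse_tlv(buf, pos=0):  # -> (tag, body, end) of the TLV at pos; DER allows definite lengths only
    tag, first, pos, length = buf[pos], buf[pos + 1], pos + 2, buf[pos + 1]
    if first & 0x80:
        length, pos = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big"), pos + (first & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length
def split_certificate(cert):  # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, body, end = parse_tlv(cert)
    t1, _, p1 = parse_tlv(body)        # tbsCertificate, kept raw: the signature covers exactly these bytes
    t2, _, p2 = parse_tlv(body, p1)    # signatureAlgorithm
    t3, sig, p3 = parse_tlv(body, p2)  # signatureValue BIT STRING
    if (tag, t1, t2, t3) != (0x30, 0x30, 0x30, 0x03) or end != len(cert) or p3 != len(body):
        raise ValueError("not a Certificate: wrong tags or trailing data")
    return body[:p1], body[p1:p2], sig[1:]  # sig[0] is the unused-bits count
def verify_certificate(cert, issuer_n, issuer_e):
    tbs, sig_alg, sig = split_certificate(cert)
    inner = parse_tlv(tbs)[1]
    first_tag, _, pos = parse_tlv(inner)  # [0] version if present, else serialNumber
    _, _, pos = parse_tlv(inner, pos if first_tag == 0xA0 else 0)  # step over serialNumber
    _, _, end = parse_tlv(inner, pos)     # the inner 'signature' AlgorithmIdentifier
    # RFC 5280 4.1.1.2: inner and outer algorithm MUST be identical; a mismatch is a malformed certificate
    return inner[pos:end] == sig_alg and rsa_verify(tbs, sig, issuer_n, issuer_e)
@functools.lru_cache(maxsize=None)
def demo():  # one subject's certificate three ways (self-signed for brevity) plus the issuer public key
    n, e, d = rsa_keygen()
    spki = der_seq(der_seq(OID_RSA, NULL), der_bits(der_seq(der_int(n), der_int(e))))  # subjectPublicKeyInfo
    template = bytes(random.Random(1).getrandbits(8) for _ in range(1024))  # constructed stand-in template
    def issue(exts):
        tbs = tbs_certificate(1, "PDA user", spki, exts)
        return der_seq(tbs, SHA256_RSA, der_bits(rsa_sign(tbs, n, d)))
    return {"plain": issue([]), "template": issue([fingerprint_extension(template)]),
            "hash": issue([biometric_info_extension(template)])}, (n, e)
```

Calling `demo()` yields a plain certificate of a few hundred bytes, a template-carrying one roughly 1 KB larger (the order of magnitude the deck reports for fingerprint data) and an RFC 3739 hash-only one under 100 bytes larger, which keeps the template itself off the certificate. Two checks matter beyond the arithmetic: the signature is verified over the raw tbsCertificate bytes exactly as received, never over a re-encoding, and the inner signature field must equal the outer signatureAlgorithm before the signature is even examined.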
X.509v3 Digital Certificate
Biometric Digital Certificate: Why?
• Incorporating biometric information allows stronger and more robust authentication.
• For certain applications it will be important to make sure that the biometric information presented to a system really belongs to a given user, and that this biometric data has been certified by an authority.
• Similarly, it may help to prevent a user from denying his/her own biometric information.
Technical Contributions
We present the kernel implementation of a Mobile Certification Authority (MCA) with the following features:
• Our MCA kernel is able to issue digital certificates fully complying with the X.509v3 standard;
• it supports either RSA or ECDSA as its public key cryptosystem engine; and
• it can incorporate biometric-based user identification information (in the form of fingerprint recognition data) into the digital certificate.
Research Contributions
• We provide a performance comparison between RSA and elliptic curve cryptosystems as public key crypto-engines.
• Among the NIST-recommended elliptic curves, we establish which one is the most suitable for mobile devices such as PDAs.
• We assess the space/bandwidth needed for an X.509v3 certificate with and without biometric information.
• We give a concrete example of a biometric ECC/RSA certificate fully complying with the X.509v3 standard.
Generating/validating X.509v3 Certificates
TBS Certificate Generation
X.509v3 Certificate Generation
X.509v3 Certificate Parsing
X.509v3 Certificate Verification
Mobile Certification Authority
Main Architecture
Elliptic Curve Cryptography Library
PDA Specification
HP iPAQ Pocket PC h5550
Operating System: Windows Pocket PC 2003
Processor: Intel XScale @ 400 MHz
Memory: 128 MB SDRAM; 48 MB ROM
Biometric Reader: FingerChip technology with BioAPI library
PDA Application
Experimental Results
Biometric ECC X.509v3 Digital Certificate (ASN.1)
Key Generation Timings
Digital Signature/Verification Timings
Certificate size comparison with and without biometric information
Conclusions
• Fingerprint biometric information increases the size of all certificates considered by about 1 KB, but there is room for improvement.
• A rather surprising result was that the size difference between the RSA-based and ECDSA-based digital certificates is fairly small.
• We confirmed that ECDSA is more efficient than RSA. Concretely, for constrained computational environments and/or wireless applications, ECDSA over the NIST Koblitz curve K-163 appeared to be the ideal selection. (K-163 provides roughly 80 bits of security, which is below current NIST minimums, so today a larger curve would be chosen.)