
IET Biometrics

Research Article

Privacy preserving biometric-based remote authentication with secure processing unit on untrusted server

ISSN 2047-4938
Received on 23rd April 2018
Revised 25th June 2018
Accepted on 13th August 2018
doi: 10.1049/iet-bmt.2018.5101
www.ietdl.org

Thi Ai Thao Nguyen 1, Tran Khanh Dang 1
1 Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology, VNUHCM, Vietnam

E-mail: [email protected]

Abstract: Biometric-based authentication systems offer undeniable benefits to users. However, biometric features are vulnerable to attacks, especially those happening over the transmission network or at the stored biometric templates. In this work, we propose a novel biometric-based remote authentication framework to deal with malicious attacks over the transmission channel and at the untrusted server. More concretely, the proposed framework is not only resistant against attacks on the network but also protects biometric templates stored in the untrusted server's database, thanks to the combination of the fuzzy commitment protocol and non-invertible transformation techniques. The notable feature compared to previous biometric-based remote authentication frameworks is its ability to defend the sensitive data against different kinds of insider attacks. The server's administrator is incapable of utilising information saved in its database to impersonate the clients and deceive the whole system, because secure computing in the server is guaranteed by employing a secure coprocessor embedded in the server. In addition, the system performance is maintained with the support of random orthonormal projection, which reduces computational complexity while preserving its accuracy.

1 Introduction
In the modern world, services for people's daily needs are being digitalised. E-commerce happens everywhere, in every aspect of life. As e-commerce is used as widely as it is today, an essential need for its long-term survival, besides quality, is security. The first security mechanism to be mentioned is authentication. The traditional authentication method that most e-commerce providers use is username/password. However, this method is revealing its natural setbacks. A password cannot differentiate a legitimate user from an impostor who has somehow obtained the user's password. Besides, the more complicated, and hence more secure, a password is, the harder it is for users to remember. That is to say, a 'strong' password is difficult for people to remember but easy for a computer to figure out. Especially with recent technological developments, computing power keeps increasing, meaning the chance of password cracking is rising too. For that reason, biometric-based authentication was born and, with its advantages, this method is gradually replacing its predecessor. The first advantage is that a biometric (such as face, voice, iris, fingerprint, palm-print, gait, signature, ...) reflects a specific individual, which helps prevent multiple users from sharing one account [1]. Moreover, using a biometric method is more convenient for users since they do not have to remember or carry anything.

However, these advantages are accompanied by challenges. Biometric methods require technology to eliminate the interference that occurs when sensors capture biometric features. Besides, concerns about security and privacy, especially in remote architectures, are also on the table. The fact that a human has a limited number of biometric traits means that users cannot change their biometrics over and over like a password once they are compromised [2]. Moreover, sensitive information could be revealed if biometric templates are stored directly in the database server without being protected by strong security techniques. In this case, the user's privacy could be violated, as attackers can track their activities by means of cross-matching whenever a user employs the same biometric across different applications. In other words, the user's biometric template can be used for purposes other than the intended ones. For example, hackers can steal a fingerprint template from a bank's database, then use it to look up criminal records or cross-link to the person's health records. A more challenging situation occurs if an attacker has the ability to reconstruct actual biometric images from stolen digital templates. In conclusion, the authenticating servers should not be trusted to process a user's plain biometric, and the level of trust placed in these servers should be discussed more. Last but not least, network security is also an important component of a biometric-based remote authentication scheme. When the authentication process is carried out over an insecure network, anyone curious enough can get at the biometric information transmitted [3, 4].

Authentication over insecure public networks or with untrusted servers raises further privacy and security concerns. The first concern is the security of the plain biometric templates, which cannot be replaced once compromised. The second is how to prevent the server itself from taking advantage of our registered data to impersonate us. Therefore, the goal of this study is to present an effective approach for preserving privacy in biometric-based remote authentication systems. Concretely, biometric templates stored in a database are protected against the leakage of private information while preserving the revocability property. Besides preventing outside attacks, our proposed protocol is also resistant to attacks from inside, i.e. from the authenticating server.

The remaining parts of this paper are organised as follows. In section 2, related work is briefly reviewed to show what has been done and its limitations. From that point, we present our motivation to fill the gap. In section 3, we introduce the crucial related techniques for biometric template protection. Section 4 discusses the approach to the secure computation problem. In the next section, our proposed protocol is described in detail. In section 6, experimental results on different datasets are shown to evaluate false accept/reject rates as well as equal error rates. In section 7, the security and efficiency analysis is presented to further demonstrate the practical value of our proposal. Finally, concluding remarks and future work are presented in section 8.

IET Biom. © The Institution of Engineering and Technology 2018

2 Related works
Along with the rapid growth of the internet, the remote authentication service became widespread and its security became a topic which has attracted the attention of many researchers. One of the first ideas about security in remote authentication was that a user identifies himself to a system by sending his secret password. In 1981, Lamport [5] was one of the pioneers who implemented this method. However, the users' passwords stored in the server's database are the weakness of this approach. The fact that these passwords not only could be easily compromised by an outside attacker or even a database administrator, but also could be guessed without difficulty, leads to an insecure authentication process. In 1985, Shamir [6] proposed the idea of using a smart card issued by a key generation centre (a trusted third party) instead of generating and storing a private key or a password in a server's database. However, this kind of authentication scheme is only suitable for a closed group of users. In 2004, Das et al. [7] introduced a password-based authentication scheme with a dynamic user identity. In this scheme, the function of a user's identity seemed to be eliminated because its value was changed for each login. For this reason the scheme was vulnerable to password guessing attacks, insider attacks, etc. In 2006, Yoon [8] proposed a security improvement on remote authentication using smart cards. Unlike the previous system, the authentication phase returned two keys, for authentication and for password encryption, respectively. Moreover, Yoon included a timestamp in the transmitted messages to counter replay attacks. The major shortcoming of this proposal was the lack of session key agreement between client and server after successful authentication. In 2011, Sandeep et al. [9] proposed a similar protocol with a random nonce value embedded in the user's key. This enhancement made users' keys self-modify every time users made a request, and reduced the possibility of insider attacks. However, this design unintentionally gave attackers a chance to impersonate the server and its users. In summary, most password-based authentication systems were stuck on the same security problems: how to protect users' passwords from inside and outside attacks, how to share session keys, etc.

Biometric recognition systems, which use sensors to capture a user's biometric features for authentication, have been gradually replacing password-based systems for their convenience. In the early stage of development, conventional biometric systems stored biometric templates directly in the database. Therefore, the templates could be easily abused by outside attackers or even by the administrator who had the privileges to control all the data in the server. Privacy violations were unavoidable in such systems. Users' activities could be tracked, sensitive information could be leaked, or attackers could even impersonate the legitimate owner of the biometric template during the authentication process.

Over the years, there have been plenty of works on preserving privacy in biometric-based authentication systems. Biometric template protection is an indispensable part of this research field. In [10], Jain et al. presented a detailed survey of various biometric template protection schemes (as illustrated in Fig. 1) and discussed their strengths and weaknesses in light of the security and accuracy dilemma. There are two approaches to this issue: feature transformation and biometric cryptosystems. The first approach, known as cancellable biometrics, allows users to replace a compromised biometric template while reducing the amount of information revealed. In this approach, biometric templates are transformed using a function defined by a user-specific factor such as a key, a password, or a random string. The goal of this approach is to provide diversity and unlinkability by using different transformation functions for different applications involving the same set of users. Another advantage of this approach is that it guarantees revocability: a user can revoke his/her compromised template and replace it with a new one without having to change the biometric data. However, some methods of this approach cannot achieve acceptable performance while others are unrealistic under practical assumptions [3], and the major drawback of this approach is that its security level is lower than that of the other.

The second approach combines biometrics and cryptographic techniques in order to take advantage of both. Schemes employing these methods aim at generating a key, which is derived from the biometric template or bound with the biometric template, together with some helper data. Both the biometric template and the key are then discarded; only the helper data is stored in the database for reproducing the biometric or the secret key later. Nevertheless, biometric cryptosystems seem to lose the revocability property. On this account, some recent studies tend to integrate the advantages of both approaches to enhance not only the security but also the performance of the system. The hybrid approach combines two or more methods to create a single template protection scheme. Very recently, in 2018, the combination of a secure sketch and an artificial neural network (ANN) was proposed [11]. The ANN, with its high noise tolerance, can not only enhance recognition by learning the distinctive features, but also assure the revocable and non-invertible properties of the transformed template. In addition, the secure sketch construction can reduce the false rejection rate significantly due to its error correction ability. The fuzzy vault was combined with a periodic-function-based transformation in [12], or with a non-invertible transformation to conduct secure online authentication in [13]. A homomorphic cryptosystem was employed in a fuzzy commitment scheme to achieve blind authentication in [14]. Another combination approach was introduced in [15]. In this work, we integrate the ideas of fuzzy commitment and non-invertible transformation to guarantee the security of the user's biometric template.

In recent years, many biometric-based remote authentication protocols have been proposed. However, most previous protocols only protect the client side and the transmission channel, neglecting the server side. In [16], the authors utilise a Biometric Encryption Key (BEK) to encrypt and safeguard the private key. The BioPKI system proposed in that paper revolved around the security of the private key, and left the biometric feature itself outside the security considerations.

In 2011, Kai Xi et al. [17] proposed a bio-cryptographic security protocol for remote authentication in mobile computing environments. In this protocol, fingerprints were used for verification, and the genuine points were protected by the fuzzy vault technique, which randomly inserts a large number of chaff points into the set of genuine points. All elements in the newly created set were given index numbers. However, the authors focused only on the security of the client side (mobile devices) and the transmission channel. The server was assumed to have higher security strength, so the authors did not consider attacks on the server or even attacks from the server. In addition, the authors argued that, to prevent replay attacks and brute force attacks, a biometric-based session key was generated separately from the set of genuine points; nonetheless, the server only had the list of index numbers of these points, so it was unable to generate the key independently as described in [17].

In 2013, Hisham et al. [18] presented another approach that combined steganography and a biometric cryptosystem in order to obtain secure mutual authentication and key exchange between client and server in a remote architecture. In this paper, the authors provided some references to support the claim that hiding biometric data in a cover image using steganography can increase the security of transferring biometric data over insecure networks [19]. Moreover, in order to protect the biometric template stored in the authentication server while preserving the revocability property, the protocol employed an invertible transformation technique using random orthonormal matrices to project biometric feature vectors into other spaces while preserving the original distances. The new approach obtained not only secure mutual authentication but also immunity from replay and other remote attacks. However, the authors did not consider the possibility that the authentication server itself steals the data in its own database to impersonate its users in order to conduct illegal transactions. In summary, almost all current research focuses only on biometric template protection or on how to defend against attacks from outside; attacks from inside have not received enough attention yet. More concretely, the possibility that the server accesses the system on behalf of a user and carries out criminal actions should be taken into account.

In addition, the scalability property needs to be discussed more in the remote authentication architecture. When the number of users and servers is growing, the number of templates belonging to a user could be large, and each server has to manage every user's template. That design makes the system resource-consuming and vulnerable to different types of attacks. To guarantee the scalability properties, Fengling et al. presented a biometric-based remote authentication which employed the Kerberos protocol [20]. A biometric-Kerberos authentication protocol is suitable for e-commerce applications. The benefit of Kerberos is that expensive session-based user authentication can be separated from cheaper ticket-based resource access. However, the Achilles' heel of the proposed scheme is the Key Distribution Center (KDC), the authentication server, which is supposed to be trusted. Therefore, there were no techniques protecting the private information of clients against insider attacks.

In a 2010 study, Maneesh et al. [3] introduced a new concept in biometric-based authentication systems: blind authentication. This framework was blind in the sense that it revealed only the user's identity, and no additional information about the user or his biometric data was disclosed to the authentication server, or vice versa. To guarantee this requirement in remote authentication, users traditionally encrypted their authentication data before sending it to a server. The server was then required to carry out all computations in the encrypted domain, including comparing two encrypted values. However, biometric data is noisy, hence it is extremely hard for the server to recognise two similar biometric samples in the encrypted domain. The authors got around this difficulty by designing the classifier in the plain feature space. All computations required for authentication were done by this trained classifier, completely in the encrypted domain. However, the users and the server treated the classifier as a trusted third party. All users provided multiple samples of their plain biometric templates to the classifier, and the server had no doubts at all about the classifier parameters sent from the classifier. There was nothing to ensure that the classifier was resistant to attacks.

ESketch [14] was another biometric-based remote authentication scheme using a homomorphic cryptosystem to protect a user's privacy from an untrusted server. In this scheme, owing to the homomorphic property, the server only verified whether the biometric template provided by the user was contained in the list of registered users, without the particular identity of the user accessing the system being revealed. In other words, thanks to the homomorphic cryptosystem, the server could determine whether the biometric template provided by a user existed in its database without the user's biometric data, or the data stored in the database, being released. The user's original biometric data is first secured via the fuzzy commitment technique. However, to ensure the security requirement, the client had to participate in part of the calculation process. The amount of calculation at the server side, and even at the client side, was enormous, especially when the number of users surges. This was one of the setbacks of the system. Additionally, there was another weakness related to the system's security. Even though the server sacrificed its resources to protect the user's biometric data from the curiosity of outside attackers, and especially inside attackers from the server itself, during the registration process every user had already provided his/her original biometric data to the server. That is to say, the security expectation for this system has not been fully met.

In another study from 2015 [21], the authors utilised the Chebyshev polynomial to secure privacy for remote multi-factor authentication based on biometrics. The Chebyshev polynomial has some chaotic properties which are suitable for designing a cryptographic system. Specifically, the semi-group property of the enhanced Chebyshev polynomial is eligible for implementing a trapdoor mechanism. Therefore, the authors applied this property to present an anonymous authentication protocol. Moreover, a fuzzy extractor and a secure sketch were integrated in the proposed protocol not only to extract the authentication key from the user's biometric data but also to protect the biometric template from outside attacks. The proposed protocol achieved session key agreement, and got higher security and lower computation cost in comparison with the previous proposal [22]. However, the security analysis of this work only focused on how the proposed protocol overcame the drawbacks of the previous one. If attackers gained administrative privileges or the administrator became corrupt, the users could be impersonated outright. Frankly, this proposal could not resist inside attacks.

The topic of security in remote authentication using biometric features has recently focused on how to prevent attacks from within. Besides incorporating different biometric template protection techniques, the latest works mainly introduce protocols that limit the administrator's power over authentication data, to avoid cases where the administrator steals a user's data stored in the database to impersonate him/her. Recent research by Nguyen et al. [23, 24] proposed dividing the main server into two or more supporting servers specialising in different functions. These servers stored parts of the user's authentication information. To complete the authentication process, all of these servers had to participate. This limited their influence on the user's sensitive data. Nevertheless, the security was not thorough, since if these servers colluded with each other, information leakage is always possible. In summary, separating servers did reduce the chances of inside attacks.

Fig. 1  Categorisation of biometric template protection


Table 1 presents a summary of related works on biometric-based remote authentication protocols. It highlights the main achievements, as well as the main weaknesses, of the previous works. It also provides some attributes, such as biometric template protection, cancellable property, level of security and mutual authentication, to allow a thorough comparison of these protocols. In brief, the main unsolved security issue in remote authentication systems is preventing attacks from the inside.

The crucial contribution of this work is that we propose a generalised secure coprocessor-based protocol for preserving privacy in biometric-based remote authentication systems, which has the ability not only to protect the biometric data of clients but also to prevent an authentication server from impersonating its clients. Concretely speaking, the proposal is resistant to outside attacks from an insecure network by combining random orthonormal projection with the fuzzy commitment scheme. Moreover, the secure coprocessor is embedded in the server to guarantee secure computing, which is very important for preventing inside attacks. Mutual authentication and key agreement are also guaranteed in this work.

3 Biometric template protection
3.1 Fuzzy commitment scheme and error correcting code

The fuzzy commitment scheme, as proposed in [25], belongs to the first class of the biometric cryptosystem approach. It is the combination of two popular techniques from the areas of error correcting codes (ECC) and cryptography. To understand how the fuzzy commitment scheme works, we first have to look at ECC, which plays a central role in the scheme. The purpose of an ECC is to transmit a message through a noisy channel which may corrupt the original message. The ECC detects and corrects corrupted messages provided they contain no more errors than the code is designed to handle. An ECC is illustrated in Fig. 2.

An ECC consists of a set of codewords ∁ ⊆ {0, 1}^n and a pair of Encoder and Decoder components. Given the message space ℳ = {0, 1}^k (k < n), the Encoder owns the translation (encoding) function g: ℳ → ∁, which maps a message to a codeword before it is transmitted along the noisy channel. The Decoder contains the decoding function f: {0, 1}^n → ℳ. Note that g is a map from ℳ to ∁; however, f is not simply the inverse map from ∁ to ℳ but maps an arbitrary n-bit string to the message of the nearest codeword in ∁. If f can correct up to t bit errors, we say f has a correction capability of t.

In the fuzzy commitment scheme, biometric data is treated as a corrupted codeword. During the registration stage, a client provides a biometric template B to the server. The server randomly picks a codeword c, then calculates the helper data δ = B ⊕ c and the hash of the codeword, Hash(c). Next, the server stores the pair (δ, Hash(c)) in the database. During the authentication stage, a new, noisy biometric B′ is sent to the server by the client. On its side, the server calculates c′ = B′ ⊕ δ, decodes c′ to the nearest codeword, then compares the hash of the result with the Hash(c) previously stored in the database. If the two match, the client is authenticated. This process is shown in Fig. 3.

Depending on the applied ECC, there are many variations of the fuzzy commitment. In the research on fuzzy commitment, the Linear Error Correcting Code (LECC) has been widely used. The LECC is applied to authentication systems using faces or any biometric features which can be represented in vector form. Consider the example below.

The set of codewords 𝒞 = {(100u, 100v)} (u, v are random integer numbers) is defined. Assume the registered biometric feature is B = (745, 260). We choose the pair (u, v) = (3, 3); thus the corresponding codeword is c = (300, 300). The helper data δ is calculated by the formula B = c + δ, so δ = (445, −40). In the authentication phase, the provided biometric feature is B′ = (720, 240). The server uses the helper data δ to calculate the corrupted codeword c′ = B′ − δ = (275, 280). Below is the process the Decoder has to perform to transfer the corrupted codeword c′ to the selected codeword c.

The codeword c has the form (100u, 100v) (u, v ∈ ℕ), so we have the constraints (1) and (2)

$$\frac{275}{100} - t \le u \le \frac{275}{100} + t \qquad (1)$$

$$\frac{280}{100} - t \le v \le \frac{280}{100} + t \qquad (2)$$

If we choose the authentication threshold t = 0.25, the pair (u, v) = (3, 3) is obtained and the codeword c is recovered. If the threshold t is smaller, the decoding process cannot recover the original codeword, and the authentication fails.
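The registration and authentication steps of this LECC example, written out as an added Python example (not code from the paper). The codeword scale 100, constraints (1) and (2) and the threshold t come from the text above; the SHA-256 commitment and the constant-time comparison are my choices.

```python
import hashlib
import hmac
import math
from typing import List, Optional, Sequence, Tuple

Q = 100  # codeword scale: the LECC codewords of this example are (100u, 100v, ...)


def encode(message: Sequence[int]) -> List[int]:
    """Encoding function g: message (u, v, ...) -> codeword (100u, 100v, ...)."""
    return [Q * m for m in message]


def decode(corrupted: Sequence[float], t: float) -> Optional[List[int]]:
    """Decoding function f with correction capability t (constraints (1) and (2)).

    For each coordinate c'_i an integer u_i must satisfy
        c'_i/100 - t <= u_i <= c'_i/100 + t.
    Returns None when some coordinate has no integer in that interval, i.e.
    the noise exceeds what the code can correct. The paper uses t < 0.5, for
    which the interval contains at most one integer.
    """
    message = []
    for c in corrupted:
        lo, hi = c / Q - t, c / Q + t
        u = math.ceil(lo)       # smallest integer meeting the lower bound
        if u > hi:              # no integer lies inside [lo, hi]
            return None
        message.append(u)
    return message


def commit(codeword: Sequence[int]) -> str:
    """Hash(c): the only thing the server keeps about the chosen codeword."""
    return hashlib.sha256(",".join(str(x) for x in codeword).encode()).hexdigest()


def enrol(B: Sequence[int], message: Sequence[int]) -> Tuple[List[int], str]:
    """Registration: from template B and the chosen (u, v, ...) return the
    pair stored in the database, (delta, Hash(c)), where B = c + delta."""
    c = encode(message)
    delta = [b - ci for b, ci in zip(B, c)]
    return delta, commit(c)


def authenticate(B_prime: Sequence[int], delta: Sequence[int], h_c: str, t: float) -> bool:
    """Authentication: c' = B' - delta, decode c', compare Hash(decoded) with Hash(c)."""
    c_prime = [b - d for b, d in zip(B_prime, delta)]
    message = decode(c_prime, t)
    if message is None:
        return False
    return hmac.compare_digest(commit(encode(message)), h_c)
```

With the paper's values, enrol((745, 260), (3, 3)) stores δ = (445, −40), and authenticate((720, 240), δ, Hash(c), 0.25) succeeds while the same probe is rejected at t = 0.2.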

3.2 Random orthonormal projection

Random Orthonormal Projection (ROP) is a technique that utilises an orthonormal matrix to project a set of points into another space while preserving the distances between points. In the categorisation of template protection schemes proposed by Jain [10], ROP belongs to the non-invertible transformation approach. The revocability requirement is satisfied by mapping a biometric feature into a secure domain through an orthonormal matrix (ℱ) (as illustrated in Fig. 4).

The well-known method to generate an orthonormal matrix is the Gram-Schmidt process. The input of this process is a set of linearly independent vectors v1, v2, v3, …, vn. However, the Gram-Schmidt process requires complex calculations, quite apart from the fact that when the set of input vectors is randomly generated, linear independence is not always guaranteed. In summary, generating an orthonormal matrix of size n × n by the Gram-Schmidt process may be a critical problem when applied on computationally constrained devices like PDAs and handheld devices.

Another method to deliver an orthonormal matrix effectively was introduced in [26]. It can be used to replace the traditional Gram-Schmidt method. Given the biometric feature vector x of size 2n, an orthonormal random matrix A of size 2n × 2n and a random vector b of size 2n, we have the transformation y = Ax + b.

The simple matrix of size 2 × 2 given in formula (3) is considered first. This matrix is orthonormal for any value of θ:

$$I_\theta = \begin{pmatrix} \cos\theta & \sin\theta \\ -\sin\theta & \cos\theta \end{pmatrix} \qquad (3)$$

The orthonormal matrix A of size 2n × 2n has a diagonal made of a set of n orthonormal matrices of size 2 × 2. The other entries of A are zeros. We present the example of a matrix A of size 2n × 2n in formula (4), where the values θ1, θ2, …, θn are random numbers in the range 0 to 2π:

$$A = \begin{pmatrix} I_{\theta_1} & 0 & \cdots & 0 \\ 0 & I_{\theta_2} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & I_{\theta_n} \end{pmatrix} = \begin{pmatrix} \cos\theta_1 & \sin\theta_1 & \cdots & 0 & 0 \\ -\sin\theta_1 & \cos\theta_1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & \cos\theta_n & \sin\theta_n \\ 0 & 0 & \cdots & -\sin\theta_n & \cos\theta_n \end{pmatrix} \qquad (4)$$

By using this technique to produce the orthonormal matrix, there is no need for a complex process such as Gram-Schmidt. Besides its effectiveness in computational complexity, it can also improve security while preserving intra-class variation. When a client is in doubt of his template getting exposed, he only needs to create another orthonormal matrix A to gain a new transformed template.
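Building A from n random angles as in formula (4) and applying y = Ax + b, as an added Python example that is not code from the paper. The derivation of the angles from an integer seed (the client's secret number) is an assumption; the block also materialises A so that orthonormality and the O(n) block-wise transform can be cross-checked against the full matrix product.

```python
import math
import random
from typing import List, Sequence


def rotation_angles(seed: int, n: int) -> List[float]:
    """Derive theta_1..theta_n in [0, 2*pi) from a client secret.
    Assumption: the secret seeds a PRNG; the paper only says the client holds
    a random number of size n from which the matrix is generated."""
    rng = random.Random(seed)
    return [rng.uniform(0.0, 2.0 * math.pi) for _ in range(n)]


def rop_transform(x: Sequence[float], thetas: Sequence[float], b: Sequence[float]) -> List[float]:
    """y = A x + b with A block-diagonal as in formula (4).

    A is never materialised: block i is the 2x2 rotation I_theta_i acting on
    the pair (x_2i, x_2i+1), so the cost is O(n) instead of O(n^2)."""
    if len(x) != 2 * len(thetas) or len(b) != len(x):
        raise ValueError("x and b must have size 2n for n angles")
    y = []
    for i, th in enumerate(thetas):
        c, s = math.cos(th), math.sin(th)
        x0, x1 = x[2 * i], x[2 * i + 1]
        y.append(c * x0 + s * x1 + b[2 * i])
        y.append(-s * x0 + c * x1 + b[2 * i + 1])
    return y


def full_matrix(thetas: Sequence[float]) -> List[List[float]]:
    """Materialise the 2n x 2n matrix A of formula (4), e.g. to inspect it."""
    n = len(thetas)
    A = [[0.0] * (2 * n) for _ in range(2 * n)]
    for i, th in enumerate(thetas):
        A[2 * i][2 * i], A[2 * i][2 * i + 1] = math.cos(th), math.sin(th)
        A[2 * i + 1][2 * i], A[2 * i + 1][2 * i + 1] = -math.sin(th), math.cos(th)
    return A


def apply_matrix(A: Sequence[Sequence[float]], x: Sequence[float], b: Sequence[float]) -> List[float]:
    """Plain y = A x + b, used to cross-check rop_transform against formula (4)."""
    return [sum(A[r][k] * x[k] for k in range(len(x))) + b[r] for r in range(len(A))]


def is_orthonormal(A: Sequence[Sequence[float]], eps: float = 1e-9) -> bool:
    """Check A^T A = I column by column."""
    n = len(A)
    for i in range(n):
        for j in range(n):
            dot = sum(A[k][i] * A[k][j] for k in range(n))
            if abs(dot - (1.0 if i == j else 0.0)) > eps:
                return False
    return True


def euclidean(u: Sequence[float], v: Sequence[float]) -> float:
    """Distance between two feature vectors; ROP leaves it unchanged."""
    return math.sqrt(sum((a - c) ** 2 for a, c in zip(u, v)))
```

Because A is orthonormal and b cancels in differences, the distance between two samples of the same person is the same before and after the transform, while a different seed yields an unrelated template (revocation).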

IET Biom. © The Institution of Engineering and Technology 2018


4 Encrypted computation

Encrypted computation has the potential to solve a variety of problems relevant to data privacy and security, including data privacy against malicious/untrusted servers [27–29]. The scenario can be described as follows: a user wants to keep his input secret even from the service provider, so he encrypts the inputs and sends them to the service provider. The service provider is able to compute on the encrypted inputs and produce the result in some encrypted form. This output is then sent back to the user, who decrypts it to get the actual result. Perfect privacy means that no one but the user sees decrypted data or has knowledge of the private key used to encrypt the user's data. To achieve this level of privacy, the first well-known approach we have to mention is homomorphic encryption, and the second one relates to a secure processing unit on the server. We elaborate on these approaches as follows.

4.1 Homomorphic encryption

Homomorphic encryption is a form of encryption which is able to perform computation on ciphertext, thus generating an encrypted result which, when decrypted, matches the result of the operations carried out on the plaintext. In other words, it ensures the confidentiality of processed data. This is a crucial reason why the homomorphic property has become a desirable feature in modern communication systems. It has been applied in many secure systems, such as secure cloud computing [27], secure internet voting [30], biometric-based authentication [14], PIR (Private Information Retrieval), … Fig. 5 illustrates the concept of a homomorphic encryption scheme, where m1 and m2 represent the input data from clients. The server carries out the computation in the encrypted form and sends the encrypted result to its clients. There are two types of homomorphic cryptosystems. Partially homomorphic cryptosystems include RSA, ElGamal, Paillier, Goldwasser–Micali, Benaloh, … which allow homomorphic computation of a certain operation on ciphertexts (e.g. addition, multiplication, quadratic functions, …). For more details, consider the RSA cryptosystem. RSA is a multiplicatively homomorphic encryption, where the product of two encrypted inputs matches the encryption of the product of the two plain inputs. However, RSA does not have the ability to perform the addition operation, nor combinations of multiplications and additions.

The term fully homomorphic encryption (FHE) was introduced by Rivest, Adleman and Dertouzos in 1978. FHE allows unlimited chaining of operations on the ciphertext space. However, up till now, it has been unclear whether fully homomorphic encryption is practical. In summary, as for security, homomorphic encryption is quite appropriate to

Table 1 Comparative result on remote authentication protocols

| Protocol | Remarks | Main weakness | Template protection | Cancellable | Security | Mutual authentication |
|---|---|---|---|---|---|---|
| BioPKI [16] | utilises biometric encryption key (BEK) to encrypt and safeguard private key | does not care about security of biometric feature | no | no | low | no |
| a fingerprint based bio-cryptographic [17] | stores the index numbers instead of all genuine points of a fingerprint | index numbers in server is not really effective; server is not secure | yes | no | low | no |
| blind authentication [3] | designs the classifier in the plain biometric feature space | the classifier, treated as a trusted third party, has no protection | no | no | high | no |
| eSketch [14] | applies homomorphic cryptosystem for protecting clients' privacy from untrusted server | time complexity in client and server side is enormous, especially when the number of clients surges | yes | no | medium | no |
| biometric-Kerberos authentication [20] | applies Kerberos protocol, and uses watermark to corrupt fingerprint | no techniques to protect client's privacy against the insider attacks | yes | yes | medium | yes |
| steganography and biometric authentication [18] | combines steganography with multi-factor biometric cryptosystems | server can steal the data in database to impersonate its client | yes | yes | medium | yes |
| Chebyshev in remote authentication [4] | combines the semi group property of Chebyshev polynomials with fuzzy extractor to protect data through insecure network | server can steal the data in database to impersonate its client | yes | no | medium | yes |
| remote authentication using fuzzy commitment and non-invertible transformation [23] | combines fuzzy commitment and non-invertible transformation to protect biometric template; to reduce chances of inside attacks, main server is divided into two supporting servers | the supporting servers can collude with each other | yes | yes | high | yes |

Fig. 2  Error correcting code

Fig. 3  Fuzzy commitment scheme


guarantee the privacy requirement; however, it has a large computational overhead. This limitation makes homomorphic encryption of complex functions impractical. Especially when the number of users in the system is large, a protocol employing homomorphic encryption to anonymise its users takes a huge time to process the data. Another approach to guarantee privacy resorts to a secure processing unit located on the server.

4.2 Secure processing unit on server

To address the concern about the privacy of users' data entrusted to a server, many researchers have mentioned a trusted third party in their works. In [29], Dang proposed a protocol that ensured all security requirements of the outsourcing model by resorting to a trusted third party. The use of a trusted third party was to change his model, which was very difficult to address directly, into a better-solved model. In this context, the term 'trusted third party' referred to a security protocol which users could count on. However, creating a flawless security protocol for a certain system which demands a high level of security is a long-term process. Nowadays, researchers have directed their attention to the hardware-based trusted third party, which is also called a secure processing unit in the server [28]. With regard to technology, IBM has introduced this kind of unit and named it Secure Processor [31].

Secure processors (also called cryptographic processors) are hardware security modules designed to prevent the abuse of data and key material. Their history began with military cipher machines and security modules which encrypted the PINs that bank customers used to authenticate themselves to ATMs [32]. Since then, they have been widely used to protect Secure Socket Layer (SSL) keys on web servers, to protect proprietary software and algorithms against theft by employees, or to create smart cards, security chips… In the e-commerce era, secure processors have enabled more applications by ensuring private and authentic programme execution even in the event of physical attack. Using encryption techniques is essential in modern e-commerce applications. These applications apply encrypted computation in several different ways to ensure data privacy and security as well as integrity [33–35]. Technically, a secure processor is a protected hardware module whose internal state is only accessible through its I/O interface. This condition allows the module to store sensitive data without the risk of leakage. It is also used as a coprocessor. The term 'coprocessor' refers to an additional processor which provides some advanced functions for the main CPU. The supplementary functions can be graphics, digital signal processing, string processing, encryption, or the I/O interface for peripheral devices… The main purpose of a coprocessor is to accelerate system performance by reducing the workload of the main general-purpose CPU.

A secure coprocessor is a hardware module containing a CPU, bootstrap ROM and secure non-volatile memory. This hardware module is physically shielded from penetration, and the I/O interface to the module is the only way to access its internal state. If the shield is broken, a secure coprocessor erases all critical memory. More concretely speaking, an attacker may be able to break into a secure coprocessor and see its structure. Nevertheless, he cannot find out its internal state nor modify it except through the normal I/O channels of the secure coprocessor.

In fact, many manufacturers have been investing time and money in the research and development of secure crypto-processors. For example, IBM has continuously launched a series of secure coprocessors [31]. The earliest product in the IBM cryptographic coprocessor family was the IBM 4758 PCI Cryptographic Coprocessor (PCICC); the next ones were the IBM e-business PCI Cryptographic Accelerator (PCICA), the IBM PCI-X Cryptographic Coprocessor (4764/CEX2C/PCIXCC), and the IBM PCIe Cryptographic Coprocessor (4765/CEX4S/CEX3C), PCIeCC. The latest was the IBM PCIe Cryptographic Coprocessor version 2 (CEX5S).

The IBM 4765 PCIe Cryptographic Coprocessor is a programmable processor. It is used for high-end security and high-speed cryptographic operations on sensitive data which cannot be disclosed to an unsafe shared computer. In the e-commerce era, it is a notable product which allows e-commerce transactions to be performed safely, and it is suitable for several cryptographic applications such as PIN generation and verification, Public Key Infrastructure applications, web-serving applications, smart card applications, … Using IBM's Common Cryptographic Architecture (CCA) as supporting software, the processor is able to run popular industry encryption algorithms such as DES, T-DES, SHA, HMAC, RSA, ECC… IBM also provides supporting software known as APIs. Depending on the version, these APIs can be extended or replaced to integrate cryptographic features or specialised requests from the system. Like other cryptographic coprocessors, the IBM 4765 has protective shields, sensors, and control circuitry to protect against a wide variety of attacks against the system. Moreover, it also owns a unique private/public key pair, which is stored in the device. The public key is certified at the factory by an IBM private key and the certificate is retained in the coprocessor.

In this work, in order to guarantee data privacy against the curiosity of the server, we use a hypothetical secure processing unit on the server whose functions are similar to those of the secure coprocessors in the series released by IBM. However, the fact that general secure coprocessors are significantly constrained in both computation ability and memory capacity sets the requirement of reducing the computation in the hypothetical secure processing unit to a minimum in our proposed protocol.

5 Proposal protocol

5.1 General architecture

In the rest of the paper, the following notations will be employed:

• B is a biometric feature vector of a client.
• M is an orthonormal matrix that a client creates.
• BTC is a transformed biometric stored in the database as a template.
• H(m) is the hash version of the message m.
• BL is a biometric lock of a client.
• Pu & Pr are, respectively, the public key and the private key of a cryptosystem.
• EPuX(m) is the encryption of the message m using the public key of X.
• K is the authentication key generated randomly by the client.
• EK(m) is the symmetric encryption of the message m using the secret key K.

Fig. 4  Non-invertible transformation function

Fig. 5  Homomorphic encryption scheme


• S is the secret factor provided by the client in the authentication phase.
• ST is the secret factor of the client which is stored in the database.
• C is a client.
• SC is the Secure Processor.
• CS is the Control Server.
• PuSC & PrSC are, respectively, the public key and the private key of SC.

The proposed protocol has two phases. The purpose of the enrolment phase is for a client to register the secure version of his/her biometric template with the server. The feature vector BT of the biometric template is generated from the client's biometric data. Then, BT is transformed into a secure space by the Random Orthonormal Projection technique. The result of this module, BTC, is called the cancellable version of BT. Then, BTC is encrypted with the public key PuSC of the Secure Processor in order to make sure that only this unit can process this kind of data. EPuSC(BTC) and other additional data are transferred to the database of the server through the internet.

In the authentication phase, the feature vector B is extracted. Then, B is transformed to BC by the Random Orthonormal Projection module. The cancellable version of B is encoded with the client's key K through the Encode module of the Fuzzy Commitment technique. The result of this process is a biometric lock BL, which is sent to the server. On receiving the packet from its client through the internet, the Control Server opens the packet and sends BL as well as some data stored in the database to the Secure Processor. The Secure Processor decrypts EPuSC(BTC) with its private key to get BTC. BTC is used to decode the biometric lock BL to reproduce the client's key K in the Decode module of the fuzzy commitment technique. The newly generated K is sent to another module to verify whether it is the client's key or not. If matched, the result is sent to the Control Server to complete the verification process. At this time, the server can be sure that the client is really the one he/she declared. However, to guarantee mutual authentication, the server sends back some information derived from the generated key K to the client. The client has to check this data to make sure that the server he/she has communicated with is the one he/she registered with before. The general architecture of the whole protocol is illustrated in Fig. 6.

5.2 Enrolment phase

In the enrolment phase, the client employs a random number KM stored on his/her device to generate the random orthonormal matrix M (based on the technique described in section 3.2). After being extracted, the feature vector BT is combined with matrix M to produce the cancellable version BTC of BT. Then BTC is encrypted with the public key of SC. Besides, the client calculates the hash version of the serial number ST, hash(ST). Then, he sends the packet, including EPuSC(BTC) and hash(ST), to the server. The process is illustrated in Fig. 7. If the client is in doubt that his authentication data has been compromised, he can overwrite the data related to his biometric template by replacing the orthonormal matrix M to reproduce a new cancellable biometric template BTC, in lieu of replacing his biometric data B. One practical application of our proposal is the face authentication system. The feature vector BT is extracted by a Feature Extractor process from the client's facial image captured by the sensor. In most face authentication systems, the feature vector BT has size 2n. Therefore, the random orthonormal matrix M has size 2n × 2n, and the size of the random number KM, which is used to generate the orthonormal matrix M, is n.

5.3 Authentication phase

In this phase, we apply the idea of the fuzzy commitment scheme to obtain secure biometric-based remote authentication. Instead of transmitting the plain biometric data over the insecure network as in the original scheme, the client sends a biometric lock (BL), or helper data, to the server. At the server side, the biometric lock is combined with the component Y related to the client's biometric which was stored in the database in the enrolment phase. The result of this combination is the authentication key. The process is presented in Fig. 8.

We provide Fig. 9 for readers to get an overview of the whole authentication phase. More details are described in Fig. 10.

NA is a number which is generated randomly by the server every time the client sends a request. It is also called a Nonce (Number used once) because each number is used only one time, to ensure that old communications cannot be reused in replay attacks. In our authentication protocol, two nonces are used: NA, issued from the

Fig. 6  General architecture of the entire protocol


server, and the other, K (also considered the authentication key), issued from the client. The nonces guarantee that attackers cannot reuse old messages from either the server or the client in the authentication process.

At first, the client sends a request to the server. The server creates a random number NA, then encrypts it with the public key PuC, and sends the packet EPuC(NA) to the client. Note that all messages between the client and the server over the transmission network are protected by an asymmetric cryptosystem (PKI, Public Key Infrastructure). In the meantime, the client calculates the cancellable biometric data BC from the biometric feature B′ and creates the orthonormal matrix M from KM. It is clear that the biometric feature B in the registration phase and the biometric feature B′, extracted in the authentication phase, of the same person cannot be identical due to noise. The calculated BC is combined with NA to produce another version of the transformed biometric, BO. This step is done to ensure that every time the client sends his/her request, a different version of BO is created, to avoid replay attacks. This BO, together with the authentication key K, is then put into the fuzzy commitment process to generate a biometric lock BL (as described in Fig. 10). After that, BL is sent to the server for authentication purposes in step 3.1. At the same time, the client retrieves the mobile serial number S, encrypts it with the authentication key K, and sends the encrypted S to the server in step 3.2.

At the server side, after generating the nonce NA, the server encrypts NA with the public key PuSC of the Secure Processor. Note that the encryption algorithms applied in step 4 have to possess the homomorphic property, such as RSA, ElGamal, Paillier, Goldwasser–Micali, … [36]. The server retrieves EPuSC(BTC) from the database, then employs homomorphic encryption to calculate EPuSC(BTO) (as described in section 4.1). BTO is the one-time version of the biometric template, created from the combination

Fig. 7  Enrolment phase

Fig. 8  Fuzzy commitment in the proposal authentication phase

Fig. 9  Authentication phase in function


of BTC and NA. The Control Server (CS) sends EPuSC(BTO) to the Secure Processor (SP) in step 5, and sends BL and EK(S) in the next step.

The Secure Processor is programmed to follow these steps. On receiving EPuSC(BTO) from CS, SP uses its private key to get BTO in step 7. BTO and BL are combined to reproduce the authentication key K in step 8. SP then uses K to decrypt EK(S) in step 9, then hashes the result to get hash(S) in the next step. After that, SP performs the comparison between the newly obtained hash(S) from step 10 and the one retrieved from the server's database. If the two inputs match, it means that the biometric data the client provided through BL matches the transformed biometric template BTO stored in the database, and the other authentication factor S is also satisfied. The result of the comparison process in step 11 proves whether the client is authenticated or not. SP then passes the positive result to CS through the combination h(S + K) in step 13. A negative result can also be reported to CS through a message. The computation process of SP ends here. We can see that all the sensitive data, including the plain biometric data and the secret factor S, has been computed by SP, and only the final result is brought out.

On receiving h(S + K) in step 13, CS transfers it to the client for the purpose of mutual authentication. The client carries out the comparison between the h(S + K) from the server and the one he/she computes. If they match, the server is authenticated. The client can feel secure about the authentication server which he/she communicated with. Once mutual authentication is successfully accomplished, K is used to protect the communication between the client and the server.

6 Experimental result

We apply PCA to extract feature vectors from users' facial images. PCA is trained on a training data set containing 500 images of 225 South East Asians, 80 Middle and West Asians, 120 East Asians, and 80 Europeans.

The accuracy of this hybrid scheme is tested on a database which includes 220 people, each with 20 different facial expressions. The first image of each user is registered with the authentication server; the others are used for testing. The accuracy of the biometric authentication system is evaluated through these error rates: FAR, FRR, EER.

• FAR, also known as False Acceptance Rate, is the rate of accepting an entrance when the visitor is invalid. It shows the probability of an impostor logging in and succeeding.

• FRR, also known as False Reject Rate, is the rate of rejecting an entrance when the visitor is valid. It shows the probability of a valid visitor logging in and getting rejected.

• EER, also known as Equal Error Rate, is the intersection of FAR and FRR, at which FAR equals FRR.

To determine the best threshold for a facial recognition system like our protocol, we need to evaluate each threshold. The value of the threshold t is calculated by the formula

ti = 0.1 + 0.01 × i, for i ∈ ℕ, and i ∈ [0, 49]

For each value of the threshold, the values of FAR and FRR are calculated statistically.

• FAR: for each user, his/her first image is compared with all images of the 219 other users in the testing data set. Note that each user has 20 facial images. Therefore, we have 220 × 219 × 20 = 963,600 comparisons. If two images in these comparisons are matched, the facial recognition system makes a false accept error. From these results, we obtain the False Accept Rate.

• FRR: for each user, we take turns comparing each and every image of this user with the rest of his/her other 19 images. Therefore, the number of comparisons is 220 × C(20, 2) = 41,800. Every comparison which delivers 'unmatched' makes the facial recognition system commit a false reject error. From these results, we obtain the False Reject Rate.

Fig. 10  Authentication phase in detail


Figs. 11–13 show the recognition accuracy results in terms of FAR and FRR in three cases: no security method is applied; only the orthonormal matrix is applied; both the orthonormal matrix and the fuzzy commitment are applied.

In the first case, illustrated in Fig. 11, the FRR and FAR intersect at the threshold t ≃ 0.22. At this intersection, the error rate is about 7%.

In the second case, illustrated in Fig. 12, the FRR and FAR intersect at the threshold t ≃ 0.28. At this intersection, the error rate is also about 7%.

In the hybrid scheme integrating the orthonormal matrix and fuzzy commitment, which is demonstrated in Fig. 13, the intersection of FRR and FAR (also known as EER) is also at 7%. This figure proves that the proposed hybrid scheme delivers a positive result, with a probability of correct recognition of around 93% (the threshold value also depends on the quantising value; however, the result stays the same; in this experimental result, the quantising value stands at 200). The EER value in the case with no security method (demonstrated in Fig. 11) is also 7%, with a threshold value of 0.22. In addition, in the case of applying the orthonormal matrix to protect the biometric template (demonstrated in Fig. 12), the EER value is still the same. Hence, it is pertinent that the recognition performance of our hybrid scheme is competitive with the non-template-protection ones. In summary, the combination of orthonormal matrix and fuzzy commitment in a biometric-based authentication system is absolutely feasible and can be put into practice.

7 Evaluation

7.1 Security analysis

The protocol indicates that the authenticity of the client requires the following factors:

• Client's biometric data B
• The number used once NA sent from the server
• The token that holds the number KM to generate the random orthonormal matrix M
• The secret factor S.

Multi-factor authentication enhances security since the probability of stealing a client's authentication information to enter the system is reduced. In this section, we analyse in detail how the proposed protocol is robust against some main attacks.

7.1.1 Biometric template attack: Even without using the public key of the secure processor to encrypt the data stored in the server's database, the original biometric data still has the protection of the non-invertible transformation technique. The server keeps the transformed version, but it is impossible for the server to infer the client's original biometric data from this template. Using an orthonormal matrix as a non-invertible function ensures the revocability of the biometric template. In case the client is in doubt that his/her biometric template is compromised, he/she only needs to alter the parameter KM to produce a new orthonormal matrix, then register the new transformed biometric template with the server. This process is similar to that of changing a password in a traditional authentication system. To sum up, even when attackers steal the data stored in the database, they cannot find out the original biometric data, nor use a cross-matching attack to track clients' activities, because the templates which clients register in each service are not the same.

7.1.2 Replay attack: A replay attack happens when attackers reuse old information to impersonate either the client or the server with the aim of deceiving the other side. This attack is prevented by using NA and the session key K, which are used only once. The system only collapses once the attackers steal a private key. In that case the attacker is able to obtain the 3rd message in the authentication phase (see Fig. 10) to calculate BL. After that, the attacker reuses the BL to deceive the server in a new session. The proposed protocol is immune from this type of attack as the BL generated for every client request contains the new NA produced by the server. In the event of an attacker using an old BL, the authentication process cannot calculate the exact authentication key K. More concretely speaking, in the authentication phase, the transformed biometric features, BC at the client side and BTC at the server side, are combined with the same number NA by a simple addition operation. This action creates a one-time version of the transformed biometric feature; therefore, the attacker cannot reuse the old transformed biometric feature to delude the server. Thanks to that, the security of the entire protocol is strengthened without sacrificing accuracy. The accuracy is maintained because the addition operation does not modify the intra-class variation of the biometric features, which results in an unchanged distance between the transformed biometric feature and its original. In other words, the error rate is stable while security is strengthened.

7.1.3 Man-in-the-middle attack: A MITM (man-in-the-middle) attack is considered active eavesdropping: attackers make an independent connection and relay messages between the client and the server in order to impersonate one side to delude the other side. Concretely speaking, the communication in this case is controlled by the attacker while the client and the server still believe that they are talking to each other over a private connection. A MITM attack happens when the attacker catches the messages between the client and the server, then impersonates one side to communicate with the other side. In our proposed protocol, this type of attack cannot occur since the protocol satisfies the mutual authentication requirement: not only does it require the server to authenticate its rightful client, but it also enables the client to perform its own process to confirm the requested server.

7.1.4 Insider attack: This type of attack happens when the administrator of the authentication server exploits the client's data stored in the database to legitimise his own authentication process on behalf of the client. Many previous works [21, 22, 37, 38] have not taken this kind of attack into account, or their solutions have seemed to be impractical because of huge computational overhead, like [14]. In our previous work [23], we reduced the risk of insider attack by splitting the authentication server into two different servers. Each server had its own function and data. One server possessed the transformed biometric template and some supporting information to generate the authentication key. The authentication function was carried out by the other server. To perform this function, the second server had to receive the authentication key calculated by the first server and the authentication information provided by the client. Neither the first nor the second server could take advantage of the stored data to impersonate their clients. However, in case the two servers colluded with each other, they could gather the client's sensitive information they possessed to legitimise access to the system on behalf of the client. Obviously, the previous solution only reduced, not removed, the risk. In this work, we have applied the encrypted computation field to guarantee data privacy and security against the curiosity of servers. A secure coprocessor is used to perform the operations related to the client's sensitive data. All these data stored in the database are encrypted with the public key of the secure coprocessor. Therefore, the server cannot get to know the client's data nor take advantage of these data to impersonate the client. More concretely speaking, though the server has all privileges on the stored data, it cannot deceive the secure processor nor force it to reveal the plain biometric data of the client or even to produce the rightful authentication key. Every single physical attempt to access the internal state of the secure processor causes the erasure of its memory content.

Based on Table 1, our proposed protocol addresses all the common security issues in biometric-based remote authentication systems, such as biometric template protection, the cancellable property, mutual authentication, and so on. We also solve the concern about the insider attack, and that makes our security level higher than the previous ones.

10 IET Biom.© The Institution of Engineering and Technology 2018


7.2 Efficiency analysis

Let 2n be the size of the original biometric templates. We need to generate the 2n × 2n orthonormal matrix which is used to transform the original template into a secure domain.

The time complexity of the entire protocol mostly depends on the complexity of the fuzzy commitment process and the random orthonormal projection process. The whole process of the protocol (including the enrolment phase and the authentication phase) consumes:

• The random orthonormal projection process: two times
• The fuzzy commitment process: one time
• Some additional operations such as hash, XOR, encrypt and decrypt operations
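The one-time nonce addition of Section 7.1.2 and the block-diagonal orthonormal matrix costed in Table 2, as an added Python example that is not the paper's code. It assumes M consists of n 2×2 rotation blocks built from the angles θ1, …, θn (formula (4) is not reproduced on this page), that the client's blinded value BL is BC + NA, and it uses constructed feature vectors and nonces.

```python
import math
import random

# Added example, not the paper's code. It models two things the text
# describes: the 2n x 2n random orthonormal matrix built from n random angles
# (Table 2, steps i-iii) and the one-time nonce NA added to the transformed
# features BC/BTC that defeats replay of an old BL (Section 7.1.2).

def random_orthonormal_blocks(n, rng):
    """Return the n (cos, sin) pairs that form the 2x2 rotation blocks on the
    diagonal of M; every other entry of M is zero, so applying M costs only
    2 multiplications and 1 addition per output element (Table 2, step iii)."""
    thetas = [rng.uniform(0.0, 2.0 * math.pi) for _ in range(n)]
    return [(math.cos(t), math.sin(t)) for t in thetas]

def project(blocks, feature):
    """M * B for a feature vector B of length 2n (random orthonormal projection)."""
    assert len(feature) == 2 * len(blocks)
    out = []
    for k, (c, s) in enumerate(blocks):
        x, y = feature[2 * k], feature[2 * k + 1]
        out.append(c * x - s * y)
        out.append(s * x + c * y)
    return out

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def blind(transformed, na):
    """One-time version of a transformed feature: the nonce NA is added to every
    element (assumed form of BL = BC + NA sent in the 3rd message)."""
    return [v + na for v in transformed]

def server_verify(btc, bl, na, threshold):
    """The server adds the NA it issued to its stored BTC and compares distances."""
    return distance(blind(btc, na), bl) <= threshold

def demo():
    rng = random.Random(2018)
    blocks = random_orthonormal_blocks(4, rng)              # n = 4, template size 8
    enrolled = [0.80, -0.20, 0.55, 0.10, -0.70, 0.35, 0.05, 0.90]  # constructed
    probe = [0.78, -0.22, 0.57, 0.12, -0.69, 0.33, 0.06, 0.88]     # same user, noisy
    btc, bc = project(blocks, enrolled), project(blocks, probe)
    # 1. orthonormal projection leaves the intra-class distance unchanged
    preserved = abs(distance(bc, btc) - distance(probe, enrolled)) < 1e-9
    # 2. genuine session: both sides use the same fresh NA, so the match succeeds
    na_old = 137.5                                            # constructed nonce
    bl_old = blind(bc, na_old)
    accepted = server_verify(btc, bl_old, na_old, threshold=0.1)
    # 3. replayed BL under a new NA: the stale nonce shifts every element
    replayed = server_verify(btc, bl_old, 902.25, threshold=0.1)
    return preserved, accepted, replayed

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```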

Fig. 11  Authentication with original feature vectors

Fig. 12  Authentication with transformed feature vectors by orthonormal matrix

Fig. 13  Authentication with secure feature vectors by orthonormal matrix and fuzzy commitment


Based on Tables 2 and 3, the time complexity of the entire protocol is polynomial.

8 Conclusion

In this paper, we have presented a biometric-based remote authentication framework that is not susceptible to most of the sophisticated attacks over an open network. The proposed protocol combines the client's biometric with the other authentication factors to achieve a high level of security. Thanks to the combination of fuzzy commitment and non-invertible transformation technologies as well as a mutual challenge/response, the protocol is resistant to the main attacks on biometric-based authentication systems, such as the biometric template attack, the replay attack and the man-in-the-middle attack. Moreover, the experimental result shows that the FAR and FRR stand at 7% in both cases, with or without the security mechanism. It proves that the recognition performance of our hybrid scheme is competitive with the non-template-protection ones. The remarkable contribution of this work is that we have embedded a secure coprocessor into the untrusted server to solve the problem of insider attacks. We eliminate the ability of the administrator to utilise the client's authentication information saved in the database to impersonate him/her and cheat the system. Because of the limits in computation ability and memory capacity of a secure coprocessor, we have designed the communication between the secure coprocessor and its control server in such a way that the coprocessor has to execute the minimum computations related to the sensitive data of users, and the control server has to do the rest without taking any advantage of the users' data. By using the random orthonormal projection instead of the traditional orthonormal projection, the computational complexity is reduced while the accuracy is preserved.

9 Acknowledgments

This research is funded by Vietnam National University – Ho Chi Minh City (VNUHCM) under grant number C2018-20-13. We also want to show great appreciation to each member of DSTAR Lab for their enthusiastic support and helpful advice during the time we carried out this research.

Table 2 Complexity of the random orthonormal projection process

Operation i: create a set of n random elements {θ1, θ2, …, θn}
Description: we employ a random number generation function and run this function n times.
Complexity: O(n)

Operation ii: create an orthonormal matrix
Description: the orthonormal matrix, which is illustrated as formula (4), needs to execute the sine and cosine functions n times.
Complexity: assume the time complexity of performing the sine function is O(s) and that of the cosine function is O(c). Therefore, the complexity of generating an orthonormal matrix is O(nc) + O(ns) = O(2ns) = O(2nc). In our protocol, we choose the ‘Arithmetic geometric mean iteration’ algorithm to perform the sine and cosine functions; the time complexity of these functions is O(M(k) log k), where the size k refers to the number of digits of precision at which the function is to be evaluated and M(k) stands for the complexity of the chosen multiplication algorithm. Therefore, the time complexity of this operation is O(2n · M(k) · log(k)).

Operation iii: execute the non-invertible transformation
Description: this is the matrix multiplication between the orthonormal matrix M (2n × 2n) generated in step ii and the biometric feature vector B (2n × 1).
Complexity: if the schoolbook matrix multiplication algorithm is employed, the complexity of this step is O(2n × 2n × 1) = O(4n²). However, M is an orthonormal matrix in which all entries except its diagonal are zero; for each entry in the diagonal, we perform 2 multiplication operations and 1 addition operation. Therefore, the complexity of this operation is O(n · (2k^1.465 + k)), where the size k refers to the number of digits of precision at which the function is to be evaluated and the algorithm for the multiplication operation is ‘3-way Toom-Cook multiplication’.

Table 3 Complexity of the fuzzy commitment process

Operation i: calculate the XOR operator
Complexity: O(n)

Operation ii: execute the decode process
Description: in this protocol, the linear error correcting code is used for decoding. For each element, it performs the nearest neighbour algorithm.
Complexity: for each element, we perform a subtraction, an addition, a minimum, a maximum, and an iteration with a comparison operation. We have 2n elements. Therefore, the complexity of this operation is O(2n(log(k) + k + Δ · log(k))).

Operation iii: hash function
Complexity: O(2n/2)

10 References

[1] Jain, A.K., Ross, A.: ‘Multibiometric systems’, Commun. ACM, 2004, 47, (1), pp. 34–40

[2] Rathgeb, C., Uhl, A.: ‘A survey on biometric cryptosystems and cancelable biometrics’, EURASIP J. Inf. Secur., 2011, 2011, (1), pp. 1–25

[3] Maneesh, U., Anoop, M.N., Kannan, S., et al.: ‘Blind authentication: a secure crypto-biometric verification protocol’, IEEE Trans. Inf. Forensics Sec., 2010, 5, (2), pp. 255–268

[4] Nguyen, T.A.T., Dang, T.K., Truong, Q.C., et al.: ‘Secure biometric-based remote authentication protocol using Chebyshev polynomials and fuzzy extractor’. AUN/SEED-Net Regional Conf. on Computer and Information Engineering, 2017

[5] Lamport, L.: ‘Password authentication with insecure communication’, Commun. ACM, 1981, 24, (11), pp. 770–772

[6] Shamir, A.: ‘Identity-based cryptosystems and signature schemes’, in Blakley, G.R., Chaum, D., (Eds.): ‘Advances in cryptology: proceedings of CRYPTO 84’ (Springer Berlin Heidelberg, Berlin, Heidelberg, 1985), pp. 47–53

[7] Manik Lal Das, A.S., Gulati, V.P.: ‘A dynamic ID-based remote user authentication scheme’, IEEE Trans. Consum. Electron., 2004, 50, (2), pp. 629–631

[8] Yoon, E.-J., Yoo, K.-Y.: ‘Improving the dynamic ID-based remote mutual authentication scheme’, in Meersman, R., Tari, Z., Herrero, P., (Eds.): ‘On the move to meaningful internet systems 2006’ (Springer Berlin Heidelberg, Berlin, Heidelberg), 2006, pp. 499–507

[9] Sood, S.K., Sarje, A.K., Singh, K.: ‘A secure dynamic identity based authentication protocol for multi-server architecture’, J. Netw. Comput. Appl., 2011, 34, (2), pp. 609–618

[10] Jain, A.K., Nandakumar, K., Nagar, A.: ‘Biometric template security’, EURASIP J. Adv. Signal Process., 2008, 2008, pp. 1–17

[11] Dang, T.K., Huynh, V.Q.P., Truong, Q.H.: ‘A hybrid template protection approach using secure sketch and ANN for strong biometric key generation with revocability guarantee’, Int. Arab J. Inf. Technol., 2018, 15, (2), pp. 331–340

[12] Dang, T.K., Truong, Q.C., Le, T.B.T., et al.: ‘A combination of fuzzy vault and periodic transformation for cancelable biometric template’, IET Biom. (The Institution of Engineering and Technology, United Kingdom, 2016), vol. 5, pp. 229–235

[13] Lifang, W., Songlong, Y.: ‘A face based fuzzy vault scheme for secure online authentication’. Second Int. Symp. on Data, Privacy and E-Commerce (ISDPE), 2010, pp. 45–49

[14] Failla, P., Sutcu, Y., Barni, M.: ‘Esketch: a privacy-preserving fuzzy commitment scheme for authentication using encrypted biometrics’. Proc. of the 12th ACM Workshop on Multimedia and Security, Roma, Italy, 2010, pp. 241–246

[15] Iovane, G., Bisogni, C., Maio, L.D., et al.: ‘An encryption approach using information fusion techniques involving prime numbers and face biometrics’, IEEE Trans. Sustain. Comput., 2018, pp. 1–1, DOI: 10.1109/TSUSC.2018.2793466

[16] Nguyen, T.H.L., Nguyen, T.T.H.: ‘An approach to protect private key using fingerprint biometric encryption key in BioPKI based security system’. The 10th Int. Conf. on Control, Automation, Robotics and Vision, ICARCV, 2008, pp. 1595–1599

[17] Xi, K., Ahmad, T., Han, F., et al.: ‘A fingerprint based bio-cryptographic security protocol designed for client/server authentication in mobile computing environment’, Secur. Commun. Netw., 2011, 4, (5), pp. 487–499

[18] Hisham, A.-A., Rasber, R., Sabah, J.: ‘Combining steganography and biometric cryptosystems for secure mutual authentication and key exchange’. The 8th Int. Conf. for Internet Technology and Secured Transactions (ICITST), 2013, pp. 369–374

[19] Jain, A.K., Uludag, U.: ‘Hiding biometric data’, IEEE Trans. Pattern Anal. Mach. Intell., 2003, 25, (11), pp. 1494–1498

[20] Fengling, H., Alkhathami, M., Van Schyndel, R.: ‘Biometric-Kerberos authentication scheme for secure mobile computing services’. The 6th Int. Congress on Image and Signal Processing (CISP), 2013, pp. 1694–1698

[21] Zhang, M., Zhang, J., Zhang, Y.: ‘Remote three factor authentication scheme based on fuzzy extractors’, Secur. Commun. Netw., 2015, 8, (4), pp. 682–693

[22] Lee, C.-C., Hsu, C.-W.: ‘A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps’, Nonlinear Dyn., 2013, 71, (1), pp. 201–211

[23] Nguyen, T.A.T., Nguyen, D.T., Dang, T.K.: ‘A multi-factor biometric based remote authentication using fuzzy commitment and non-invertible transformation’. Information and Communication Technology: Third IFIP TC 5/8 Int. Conf., ICT-EurAsia 2015, and 9th IFIP WG 8.9 Working Conference, CONFENIS 2015, Held as Part of WCC 2015, Daejeon, Korea, October 4–7, 2015, Proceedings, I. Khalil, et al., Editors, Springer International Publishing, Cham, 2015, pp. 77–88

[24] Nguyen, T.A.T., Dang, T.K.: ‘Protecting biometrics using fuzzy extractor and non-invertible transformation methods in Kerberos authentication protocol’, LNCS Trans. Large-Scale Data- and Knowledge-Centered Syst. XXXI, 2016, 10140, p. 19

[25] Juels, A., Wattenberg, M.: ‘A fuzzy commitment scheme’. Proc. of the 6th ACM Conf. on Computer and Communications Security, Singapore, 1999, pp. 28–36

[26] Hisham, A.-A., Harin, S., Sabah, J.: ‘A lightweight approach for biometric template protection’. Proc. of SPIE, 2009

[27] Benzekki, K., Fergougui, A.E., Alaoui, A.E.B.E.: ‘A secure cloud computing architecture using homomorphic encryption’, Int. J. Adv. Comput. Sci. Appl., 2016, 7, (2), p. 6

[28] Dang, T.K.: ‘Security issues in outsourced XML databases’. IT Outsourcing: Concepts, Methodologies, Tools, and Applications, 2010, pp. 2052–2081

[29] Dang, T.K.: ‘A practical solution to supporting oblivious basic operations on dynamic outsourced search trees’, Int. J. Comput. Syst. Sci. Eng., 2006, 21, (1), pp. 53–64

[30] Nguyen, T.A.T., Dang, T.K.: ‘Enhanced security in internet voting protocol using blind signature and dynamic ballots’, Electron. Commer. Res., 2013, 13, (3), pp. 257–272

[31] ‘IBM cryptographic coprocessor, 2018 March 15’, 2018. Available from: https://www-03.ibm.com/security/cryptocards/hsms.shtml

[32] Anderson, R., Bond, M., Clulow, J., et al.: ‘Cryptographic processors – a survey’, Proc. IEEE, 2006, 94, (2), pp. 357–369

[33] Fletcher, C.W., Dijk, M.V., Devadas, S.: ‘A secure processor architecture for encrypted computation on untrusted programs’. Proc. of the Seventh ACM Workshop on Scalable Trusted Computing, 2012, pp. 3–8

[34] Maas, M.C., Love, E., Stefanov, E., et al.: ‘Phantom: practical oblivious computation in a secure processor’. Proc. of the 2013 ACM SIGSAC Conf. on Computer & Communications Security, Berlin, Germany, 2013, pp. 311–324

[35] Chhabra, S., Solihin, Y., Lal, R., et al.: ‘An analysis of secure processor architectures’, Trans. Comput. Sci., 2010, 7, pp. 101–121

[36] Gentry, C., Boneh, D.: ‘A fully homomorphic encryption scheme’, Stanford University, Stanford, 2009, 20, (9), p. 199

[37] Nguyen, T.A.T., Dang, T.K.: ‘Combining fuzzy extractor in biometric-Kerberos based authentication protocol’. Int. Conf. on Advanced Computing and Applications, Ho Chi Minh, Vietnam, 2015, pp. 1–6

[38] Mishra, D., Kumari, S., Khan, M.K., et al.: ‘An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems’, Int. J. Commun. Syst., 2017, 30, (1), DOI: 10.1002/dac.2946
