Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics

Prof. Chun-I Fan

Chun-I Fan and Yi-Hui Lin
Department of Computer Science and Engineering, National Sun Yat-sen University, Taiwan
IEEE Transactions on Information Forensics and Security, vol. 4, no. 4, 2009, pp. 933-945.

The final publication is available at http://ieeexplore.ieee.org

Outline

- Introduction
- The proposed scheme
- Logic analysis
- Security model and definitions
- Security proofs
- Conclusions

Introduction


Three-factor systems increase the security level.

Figure: an example of the registration process of a biometrics system.

Figure: an example of the verification process of a biometrics system.

The authentication server should be able to verify
- something the user knows (e.g., password)
- something the user has (e.g., smart card)
- something the user is (e.g., biometric data)

[Figure: User, Client PC, Authentication Server]

The privacy of biometrics is preserved. The server cannot check the biometric data.

[Figure: biometric verification with matching on the card. Panels: Card, Terminal, Application. Blocks: Sensor, Raw Data, Image Processing, Extracted Features, Storage, Template, Matching, Score, Decision, Yes/No.]

The biometric data is verified. The privacy is not preserved!

[Figure: biometric verification with matching on the server. Panels: Terminal, Card, Server, Application. Blocks: Sensor, Raw Data, Image Processing, Extracted Features, Storage, Template, Matching, Score, Decision, Yes/No.]

Our solution for protecting biometric privacy from the server:
- The server gets a transformed template.
- The random string is saved in the smart card.

[Figure: in the registration phase the template is transformed with a random string (10001011); in the login and verification phase the input is transformed with the same random string (10001011) before matching.]

Secure sketch technique

Our solution for protecting the random string in the smart card from being revealed:
- The random string is combined with the template.

[Figure: biometric template with embedded secret; input biometric data; matching; secret released.]

The Proposed Scheme


Initialization phase

- key pair $(pk, sk)$, secret key $x$
- public key $pk$

Notations

- $\Psi_{S_i}(\cdot)$: An encryption function with the biometric template $S_i$ as the encryption key
- $A$: An extracting algorithm
- $e_{pk}(\cdot)$: A public-key encryption function with the server's public key $pk$
- $d_{sk}(\cdot)$: The decryption function corresponding to $e_{pk}(\cdot)$
- $E_K(\cdot)$: A symmetric encryption function with key $K$
- $D_K(\cdot)$: The decryption function corresponding to $E_K(\cdot)$
- $\Delta$: The biometric matching algorithm
- $PW_i^*$: The password which $U_i$ inputs
- $S_i^*$: The biometric sample which $U_i$ inputs
- $y_i$: The data stored in $U_i$'s smart card

Registration phase

User $U_i$:
1. Choose $ID_i$, $PW_i$, and $r$.
2. Create $S_i$.
3. Compute $SS_i = \delta_r(S_i) = r \oplus S_i$.
4. Send $(ID_i, h(PW_i), SS_i)$ to the server.

Server:
5. Compute $y_i = E_x(ID_i \| h(PW_i) \| SS_i)$.
6. Store $ID_i$, $y_i$, $h(\cdot)$, $pk$ in a smart card.

User $U_i$:
7. Store $\Psi_{S_i}(r)$ in the smart card.

Login phase

User $U_i$:
1. Input $PW_i^*$ and $S_i^*$.
2. $r = A(\Psi_{S_i}(r), S_i^*)$
3. $SS_i^* = \delta_r(S_i^*) = r \oplus S_i^*$
4. $C_0 = e_{pk}(ID_i \| y_i \| u)$; send $C_0$.

Server:
5. $d_{sk}(C_0) = (ID_i \| y_i \| u)$; check $ID_i$.
6. $D_x(y_i) = (ID_i \| h(PW_i) \| SS_i)$
7. $C_1 = E_u(SID \| v)$; send $C_1$.

User $U_i$:
8. $D_u(C_1) = (SID \| v)$; check $SID$.
9. $C_2 = E_v(ID_i \| h(PW_i^*) \| SS_i^*)$; send $C_2$.

Server:
10. $D_v(C_2) = (ID_i \| h(PW_i^*) \| SS_i^*)$
11. Check $h(PW_i^*) = h(PW_i)$.
12. Perform $\Delta(SS_i^*, SS_i)$.

Session key: $h(v)$
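The biometric-privacy mechanism of the registration and login phases above ($\Psi$, $A$, $\delta_r$ and $\Delta$), as an added example that is not code from the paper or the slides. The slides do not specify $\Psi$, $A$ or $\Delta$, so this sketch assumes a fuzzy commitment over a repetition code for $\Psi$ and $A$, a Hamming-distance threshold for $\Delta$, and a random string $r$ stretched from a short seed; all parameters and function names are constructed for illustration.

```python
import hashlib
import secrets

REP, SEED_BITS = 5, 24            # constructed parameters, not from the slides
N = REP * SEED_BITS               # template length in bits (120)
THRESHOLD = 12                    # Delta accepts Hamming distance <= 12
GROUP = (1 << REP) - 1            # mask for one repetition group

def expand(seed):
    """Stretch the short seed into the N-bit random string r (assumption)."""
    raw = hashlib.shake_256(seed.to_bytes(SEED_BITS // 8, "big")).digest(N // 8)
    return int.from_bytes(raw, "big")

def rep_encode(seed):
    """Repetition code: each seed bit becomes REP identical bits."""
    return sum(GROUP << (i * REP) for i in range(SEED_BITS) if seed >> i & 1)

def rep_decode(word):
    """Majority vote per group; tolerates up to REP // 2 flips in a group."""
    votes = (bin(word >> (i * REP) & GROUP).count("1") for i in range(SEED_BITS))
    return sum(1 << i for i, ones in enumerate(votes) if ones > REP // 2)

def psi(template, seed):
    """Psi_S(r): helper data stored on the card (fuzzy commitment, assumed)."""
    return template ^ rep_encode(seed)

def extract(helper, sample):
    """A(Psi_S(r), S*): recover r from the card data and a fresh sample."""
    return expand(rep_decode(helper ^ sample))

def delta_r(r, template):
    """delta_r(S) = r XOR S: the only biometric value the server sees."""
    return r ^ template

def match(ss_login, ss_reg):
    """Delta: XOR with the same r preserves the distance between S and S*."""
    return bin(ss_login ^ ss_reg).count("1") <= THRESHOLD

def demo(flips):
    """Register a random template, then log in with `flips` bits of noise."""
    template, seed = secrets.randbits(N), secrets.randbits(SEED_BITS)
    helper = psi(template, seed)                      # kept on the smart card
    ss_reg = delta_r(expand(seed), template)          # sent to the server
    sample = template
    for pos in flips:
        sample ^= 1 << pos                            # sensor noise
    ss_login = delta_r(extract(helper, sample), sample)
    return match(ss_login, ss_reg)
```

`demo([0, 7, 33, 64, 90])` is accepted because each repetition group sees at most one flipped bit, so the card releases the same $r$ and the server measures only the five-bit difference. `demo([0, 1, 2])` is rejected because three flips in one group corrupt the recovered seed and therefore $r$.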

Logic Analysis


- Are the messages meaningful to me?
- Where are the messages from?
- Who am I communicating with?
- Is the key trusted?

Logic analysis shows the completeness of a protocol.

Steps for analyzing the protocol:
- Step 1: Change the format of the protocol
- Step 2: Set the goals
- Step 3: List the assumptions
- Step 4: Use logic postulates to examine if the goals are achieved

The achieved goals of our scheme:
- Message content authentication
- Message origin authentication
- General identity authentication
- Session key establishment

Security Model and Definitions


- $\Pi^i_{A,B}$: Client oracle in the $i$-th session
- $\Pi^j_{B,A}$: Server oracle in the $j$-th session
- Execute($\Pi^i_{A,B}$, $\Pi^j_{B,A}$): Eavesdrop all transmitted data
- Send($\Pi^i_{A,B}$, $m$): Send a message to $\Pi^i_{A,B}$
- Send($\Pi^j_{B,A}$, $m$): Send a message to $\Pi^j_{B,A}$
- Leak($\Pi^i_{A,B}$): the leakage of
  1) the password and the data stored in the smart card
  2) the biometric data and the data stored in the smart card
  3) the password and the biometric data
- Reveal($\Pi^i_{A,B}$): the exposure of the session key
- Test($\Pi^i_{A,B}$): Return the real session key or a randomly chosen string

Definition: Matching conversations:

Discussions of mutual authentication in the three-factor scheme:

$\Pr[Succ^E_{M\_Auth}] \le \Pr[Succ^E_{S\_Auth}] + \Pr[Succ^E_{C\_Auth}]$

$\Pr[Succ^E_{C\_Auth}] \le \Pr[b_1, b_2, b_3] \le \Pr[b_1 \mid b_2, b_3] + \Pr[b_2 \mid b_1, b_3] + \Pr[b_3 \mid b_1, b_2]$

- $b_1$: The adversary $E$ passes the checking of the password
- $b_2$: The adversary $E$ passes the checking of the smart card
- $b_3$: The adversary $E$ passes the checking of the biometric data
- $Succ^E_{S\_Auth}$: The adversary $E$ passes the authentication with the client oracle $\Pi^s_{A,B}$ successfully.
- $Succ^E_{C\_Auth}$: The adversary $E$ passes the authentication with the server oracle $\Pi^t_{B,A}$ successfully.
- $Succ^E_{M\_Auth}$: The adversary $E$ breaks the mutual authentication.

Definition: A secure three-factor mutual authentication protocol:
(1) (Correctness) Matching conversation implies acceptance of $\Pi^s_{A,B}$ and $\Pi^t_{B,A}$.
(2) $\Pi^s_{A,B}$ acceptance implies a matching conversation: the probability of $\text{No-Matching}^E(k)$ is negligible.
(3) $\Pi^t_{B,A}$ acceptance implies a matching conversation: the probability of $\text{No-Matching}^E(k)$ is negligible even if any two of the factors are leaked from the client.

Definition: A secure three-factor mutual authentication and key exchange protocol:
- It is a secure three-factor mutual authentication protocol.
- (Correctness) An adversary engages in the execution of the protocol with $\Pi^i_{A,B}$ and its partner $\Pi^j_{B,A}$. Then both oracles always share the same session key.
- For any polynomial-time adversary $E$, $advantage^E(k) = \Pr[\text{Good Guess}^E(k)] - 1/2$ is negligible, where $k$ is the security parameter and $\text{Good Guess}^E(k)$ is the event that the adversary $E$ guesses the right answer to the Test query Test($\Pi^i_{A,B}$).

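Chosen-ciphertext attack (CCA): Public-key encryption scheme

[Figure: CCA game. The Key_Gen algorithm outputs $(+K, -K)$. The decryption oracle holds $-K$ and answers the adversary's queries $y_0, y_1, y_2, \ldots, y_i$ with $x_0, x_1, x_2, \ldots, x_i$. The adversary submits $(x'_0, x'_1)$ to the encryption oracle, receives $y'_b$ with $b \in \{0,1\}$, and outputs $b'$; its advantage is $\Pr[b' = b] - 1/2$.]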

Chosen-ciphertext attack (CCA): Symmetric encryption scheme

Security Proofs


The proposed scheme $P$:
1. $A \to B$: $e_{pk}(ID_A, r_A, E_x(ID_A, h(PW_A), \delta_r(bio_A)))$
2. $B \to A$: $E_{r_A}(ID_B, r_B)$
3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), \delta_r(bio_A))$

Security Properties

- Three-Factor Mutual Authentication
  - Server Authentication
  - Client Authentication
    - The leakage of passwords and biometric data
    - The leakage of biometric data and the data stored in smart cards
    - The leakage of the data stored in smart cards and passwords
- Secure Key Exchange

Theorem 1: Mutual Authentication

Lemma 1 (Server Authentication): If there exists an attacker that is accepted by the client, then the public-key encryption scheme is not secure.

[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator. Attacker queries: Execute, Send_A, Send_B, Test. The simulator is given $pk$ of the key pair $(pk, sk)$ and a Decrypt oracle, submits $(x_0, x_1)$, receives $y_b$, obtains $M_f$ from the attacker, and outputs $b'$.]

Protocol messages in the simulation:
1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$
2. $B \to A$: $E_{r_A}(ID_B, r_B)$
3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), bio_A)$

Challenge and decision:
- $x_0 = (ID_A, r_A, en\_card\_data_A)$
- $x_1 = (ID_A, r_A', en\_card\_data_A)$
- $y_b = e_{pk}(x_b)$, $b \in_R \{0,1\}$
- If $D_{r_A}(M_f) = (ID_B, r_B)$, then $b' = 0$.
- If $D_{r_A'}(M_f) = (ID_B, r_B)$, then $b' = 1$.

Theorem 1: Mutual Authentication, Lemma 2 (Client Authentication)

Case 1: The server cannot accept without the client even though the password and the data stored in the card are leaked.

[Figure: reduction to the CCA2 assumption for the symmetric scheme with key $k$. Parties: User A, Server B, Attacker, Simulator. Attacker queries: Execute, Send_A, Send_B, Leak, Test. The simulator has an En/Decrypt oracle, submits $(card\_data_0, card\_data_1)$, receives $en\_card\_data_b$, obtains $M_f$ from the attacker, and outputs $b'$. Leak returns $PW_A$ and $en\_card\_data_b$.]

- $card\_data_0 = (ID_A, h(PW_A), x_A)$
- $card\_data_1 = (ID_A, h(PW_A), x_A')$
- $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$
- $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$
- If $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$, then $b' = 0$. Otherwise, $b' \in_R \{0,1\}$.

Theorem 1: Mutual Authentication, Lemma 2 (Client Authentication)

Case 2 (offline dictionary attack): The server cannot accept without the client even though the biometric data and the data stored in the card are leaked.

[Figure: reduction to the CCA2 assumption for the symmetric scheme with key $k$. Parties: User A, Server B, Attacker, Simulator. Attacker queries: Execute, Send_A, Send_B, Leak, Test. The simulator has an En/Decrypt oracle, submits $(card\_data_0, card\_data_1)$, receives $en\_card\_data_b$, obtains $M_f$ from the attacker, and outputs $b'$. Leak returns $x_A$ and $en\_card\_data_b$.]

- $card\_data_0 = (ID_A, h(PW_A), x_A)$
- $card\_data_1 = (ID_A, h(PW_A'), x_A)$
- $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$
- $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$
- If $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$, then $b' = 0$. Otherwise, $b' \in_R \{0,1\}$.

Theorem 1: Mutual Authentication, Lemma 2 (Client Authentication)

Case 3: The server cannot accept without the client even though the biometric data and the password are leaked.

[Figure: reduction to the CCA2 assumption for the symmetric scheme with key $k$. Parties: User A, Server B, Attacker, Simulator. Attacker queries: Execute, Send_A, Send_B, Leak, Test. The simulator has an En/Decrypt oracle, submits $(card\_data_0, card\_data_1)$, receives $en\_card\_data_b$, obtains $M_f$ from the attacker, and outputs $b'$. Leak returns $bio_A$ and $PW_A$.]

- $card\_data_0 = (ID_A, h(PW_A), x_A)$
- $card\_data_1 = (ID_A, h(PW_A'), x_A')$
- $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$
- $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$
- If $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$, then $b' = 0$. Otherwise, $b' \in_R \{0,1\}$.

Theorem 2 (secure key exchange): If the public-key encryption scheme is secure, then the protocol is a secure key exchange scheme.

[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator. Attacker queries: Execute, Send_A, Send_B, Reveal, Test. The simulator is given $pk$ of the key pair $(pk, sk)$ and a Decrypt oracle, submits $(x_0, x_1)$ and receives $y_b$. Test returns $k$, which is $h(r_B)$ or a random value depending on a bit $c$; the attacker outputs a guess $c'$, from which the simulator derives $b'$.]

Protocol messages in the simulation:
1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$
2. $B \to A$: $E_{r_A}(ID_B, r_B)$
3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), bio_A)$

Challenge:
- $x_0 = (ID_A, r_A, en\_card\_data_A)$
- $x_1 = (ID_A, r_A', en\_card\_data_A)$
- $y_b = e_{pk}(x_b)$, $b \in_R \{0,1\}$

Conclusions

- Truly three-factor authentication
- Strong biometrics privacy
- Free from maintaining password or biometric databases
- No time-consuming operations in the smart card
- Provable security

Thank You!!!
