Proceedings of the 9th INDIACom; INDIACom-2015; IEEE Conference ID: 35071; 2015 2nd International Conference on “Computing for Sustainable Global Development”, 11th - 13th March, 2015, Bharati Vidyapeeth's Institute of Computer Applications and Management (BVICAM), New Delhi (INDIA)

Enhancing Security of One-Time Password Using Elliptic Curve Cryptography with Finger-Print Biometric

Dindayal Mahto
Department of Computer Applications, National Institute of Technology (NIT), Jamshedpur-14, INDIA
Email Id: [email protected]

Dilip Kumar Yadav
Department of Computer Applications, National Institute of Technology (NIT), Jamshedpur-14, INDIA
Email Id: [email protected]
Abstract – The security of the one-time password (OTP) mechanism matters because most e-commerce transactions are now performed with its help. An OTP counters replay and eavesdropping attacks, which are a common form of attack on computing systems connected to the Internet or an intranet. For a 112-bit security level, the RSA algorithm needs a 2048-bit key, while Elliptic Curve Cryptography (ECC) needs a key of only 224-255 bits. A further issue with most existing security implementations is the storage of secret keys: stored keys are often protected by poorly chosen user passwords that can be guessed or recovered by brute force. This is a weak link in the security model and can compromise the integrity of sensitive data. Combining biometrics with cryptography is seen as a possible solution. This paper proposes an enhanced security model for an OTP system using ECC with a finger-print biometric. The model gives more security with a shorter key length, and no private key has to be stored anywhere: the private key is generated from the finger-print, and the parties establish a shared secret without transmitting any private key, so nobody except the two of them can obtain it.
Keywords – Biometrics, Elliptic Curve Cryptography, Fingerprint, One-Time Password, Online Banking.

NOMENCLATURE
ECC - Elliptic Curve Cryptography
OTP - One-Time Password

I. INTRODUCTION

Electronic commerce (e-commerce) is trading by means of information and communication technology. It includes all aspects of trading, including commercial market making, ordering, supply chain management, and the transfer of money [9]. We live in a digital arena in which most business transactions are performed with the help of computers and computer networks. Computer networks provide the platform for e-commerce tasks, online banking, information sharing and much more, completed within a fraction of a second with parties located anywhere in the digital world. Security is required for two purposes: i) to protect customers' privacy and ii) to protect against fraud [23]. When two or more parties communicate with each other, they are concerned about confidentiality, data authentication, non-repudiation and so on [19]. To address these concerns, cryptography can be applied together with biometric features.

Biometrics is about measuring unique personal features, such as a subject's voice, fingerprint or iris. It has the potential to identify individuals with a high degree of assurance and thus provides a foundation for trust. Compared with traditional identification/authentication systems, biometrics offers greater security. Cryptography, on the other hand, concerns itself with the projection of trust: taking trust from where it exists to where it is needed [12]. Much research presents biometrics as the ultimate solution for identification and authentication, since it has proved to be a reliable and widely accepted identification/authentication method in many application areas [3]. With the popularity of biometrics and cryptography, information security is becoming a common demand across application areas, and identification and authentication strengthened with cryptography and biometrics provide high assurance [15], [33]. We propose an algorithm for enhancing the security of OTP using ECC with a finger-print biometric. The principal attraction of ECC compared to RSA is that it offers higher security per bit with a smaller key size [2]; the smaller key size also reduces the computation, memory and bandwidth required.

This paper is organized as follows. Section II describes related work. Section III describes OTP. Section IV gives a detailed review of ECC. Section V describes the finger-print biometric. Section VI explains the proposed model. Section VII presents the results and discussion of the proposed model. Section VIII gives the conclusion and future scope.

Copy Right © INDIACom-2015; ISSN 0973-7529; ISBN 978-93-80544-14-4

II. RELATED WORKS

The main problem of asymmetric cryptography is the management of the private key. Nobody should be able to access someone else's private key, so it must be stored somewhere protected from unauthorized access, and that stored copy is itself a target for attackers. This is a major problem in asymmetric cryptography, and it can be addressed with a biometric template: the private key can be generated directly from the template. Since the private key can be regenerated dynamically from one's biometric template, it no longer needs to be stored, and the system becomes more secure. Approaches along these lines are given in [1], [4], [6], [7], [14], [19], [20], [22], [25], [28], [30], [32].

III. ONE-TIME PASSWORD (OTP)

One form of attack on a computing system connected to the Internet is eavesdropping on network connections to obtain the login id and password of a legitimate user; the captured login id and password are later replayed to gain access to the system. The OTP system is designed to counter this type of attack. There are two sides to the operation of the OTP system. On the client side, the appropriate OTP must be generated. On the host side, the server must verify the OTP and permit the secure changing of the user's secret pass-phrase [11].

IV. ECC

In 1985, Neal Koblitz [21] and Victor S. Miller [17] independently proposed the use of elliptic curves in cryptography, and ECC has been studied extensively since. The use of ECC is attractive for several reasons [8], [19]. The first and probably most important is that ECC offers comparable security with a much shorter key than RSA or finite-field discrete-logarithm systems: ECC-160 provides security comparable to RSA-1024, and ECC-224 comparable to RSA-2048 [10].
Shorter key lengths matter especially in applications with limited memory, since a shorter key needs less storage, and ECC also requires fewer hardware resources than conventional public-key cryptography. The reason ECC can use shorter keys is that the best known attacks on the elliptic curve discrete logarithm problem are generic, square-root-time algorithms, so the attacker's work grows exponentially with the key size, whereas RSA and finite-field discrete logarithms admit sub-exponential index-calculus attacks; this is why a 224-bit ECC key is rated equivalent to a 2048-bit RSA key [2]. The mathematics behind ECC is considerably deeper and more difficult than that behind conventional public-key cryptography. This is the main reason elliptic curves are so good for cryptographic purposes, but it also means that implementing ECC requires more mathematical understanding.

A. Mathematics behind ECC
Two families of elliptic curves are used in cryptographic applications [26]: (i) elliptic curves over $GF(2^m)$, where the variables, coefficients and all calculations take values in $GF(2^m)$; and (ii) elliptic curves over $Z_p$, where we use a cubic equation in which the variables and coefficients take values in the set of integers from 0 through $p-1$ and calculations are performed modulo $p$. Cryptographers noticed that elliptic curves behave conveniently when operations are performed modulo a prime. The curve has the form

$y^2 \bmod p = (x^3 + ax + b) \bmod p$ (1)

where $4a^3 + 27b^2 \neq 0$ (2), $p$ is a prime number, $a$ and $b$ are the parameters of the curve, and variables and coefficients are all restricted to elements of the finite field. This paper is based on elliptic curves over $Z_p$. An example of such a curve is

$y^2 \bmod 11 = (x^3 + ax + 2) \bmod 11$ (3)

B. Arithmetic Operation in ECC

The rules of arithmetic on an elliptic curve differ from those of conventional arithmetic. To add two points, or to perform the other operations on the curve, we follow the rules below [17], [21], [26]. The rules for addition over $E_p(a, b)$, for all points $P, Q \in E_p(a, b)$, are:

Rule 1: $P + O = P$, where $O$ is the point at infinity.
Rule 2: If $P = (x_1, y_1)$, then $P + (x_1, -y_1) = O$.
Rule 3: If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ with $P \neq -Q$, then $R = P + Q = (x_3, y_3)$ is determined by
$x_3 = (t^2 - x_1 - x_2) \bmod p$
$y_3 = (t(x_1 - x_3) - y_1) \bmod p$
where $t = ((y_2 - y_1)/(x_2 - x_1)) \bmod p$ if $P \neq Q$, and $t = ((3x_1^2 + a)/(2y_1)) \bmod p$ if $P = Q$; the divisions are multiplications by the modular inverse in $Z_p$.

Rule of multiplication: scalar multiplication is defined as repeated addition. If $P = (x_1, y_1)$ is a point on the curve, then
$8P = P+P+P+P+P+P+P+P = 2P+2P+2P+2P = 4P+4P$.

C. Points on ECC

Before any operation on an elliptic curve we first have to find the points of that curve [27]. To do so we first choose the curve. Suppose

$y^2 \bmod p = (x^3 + ax + b) \bmod p$ (4)

is an elliptic curve with $4a^3 + 27b^2 \neq 0$ (5). Then the points on this curve form the set $E_p(a, b)$ consisting of all pairs of integers $(x, y)$ that satisfy the equation, together with the point at infinity $O$, which serves as the identity element. The points are found as follows:

1. Compute the L.H.S. $y^2 \bmod p$ for every $y \in Z_p$.
2. Compute the R.H.S. $(x^3 + ax + b) \bmod p$ for every $x \in Z_p$.
3. Every pair $(x, y)$ for which L.H.S. = R.H.S. is a point on the curve.

Example: for $p = 11$, $a = 1$, $b = 1$, the points on the elliptic curve include $(0,1)$, $(2,0)$, $(3,3)$, $(3,8)$, $(4,5)$, etc.
D. Elliptic Curve Diffie-Hellman Algorithm

The elliptic curve Diffie-Hellman (ECDH) algorithm is the Diffie-Hellman algorithm transposed to elliptic curves [13]. The original Diffie-Hellman algorithm is based on the multiplicative group modulo $p$ [5], while ECDH is based on the additive elliptic curve group. We assume that the underlying field $GF(p)$ has been selected and that the curve $E$ with parameters $a$, $b$ and the base point $G$ has been set up; the order of the base point $G$ is $n$. The standards usually recommend a curve whose group order is prime, so that every element other than $O$ has the prime order $n$. At the end of the protocol the communicating parties hold the same value $K$, which is a point on the curve; part of this value (in practice its x-coordinate, passed through a key derivation function) can be used as the key of a symmetric encryption algorithm. Suppose there are two users, Alice and Bob. Key generation and key exchange proceed as follows:

1. Alice derives her private key $d_A$, with $0 < d_A < n$, from her finger-print features.
2. Alice computes her public key $P_A = d_A G$; the public key is a point in $E_p(a, b)$.
3. Bob similarly derives his private key $d_B$, with $0 < d_B < n$, from his finger-print features and computes his public key $P_B = d_B G$.
4. Alice computes the shared secret $K = d_A P_B$.
5. Bob computes the shared secret $K = d_B P_A$.

Both obtain the same point, since $d_A P_B = d_A d_B G = d_B P_A$, so Bob and Alice can communicate safely. Bob uses the value he computed to build an encryption key, and when Alice receives the message she uses the value she computed to build the decryption key; it is the same secret value, so they use the same key, and what Bob encrypts Alice can decrypt.

V. FINGER-PRINT BIOMETRIC

Finger-prints have been studied scientifically for many years. Their characteristics were studied as early as the 1600s, while their use as a means of identification first occurred in the mid-1800s. Sir William Herschel discovered in 1859 that fingerprints do not change over time and that each pattern is unique to an individual. With these findings he was, in 1877, the first to implement a system using fingerprints and handprints to identify an individual. By 1896, police forces in India had realized the benefit of using fingerprints to identify criminals and began collecting the fingerprints of prisoners along with their other measurements.

VI. PROPOSED MODEL

The architecture of the proposed model is shown in Figure 1.

Fig. 1. Architecture of the Proposed Model

In this paper we use the finger-print features of bank customers to generate the secret keys, and the keys are then used in ECC to secure the data communication while the OTP is sent from the Bank Transaction Server to the customer.

A. Steps of the proposed methodology

The steps of the proposed methodology are:

1. The Bank Transaction Server generates an OTP.
2. The encryption module receives the OTP as plain-text input.
3. The encryption module produces the cipher-text of the plain-text OTP.
4. The cipher-text is transmitted over the communication channel to the user's mobile.
5. The user's mobile receives the cipher-text.
6. The decryption module at the recipient end runs on a decryption-enabled device and produces the plain-text.
7. The plain-text produced in step 6 is entered as the OTP in the OTP input box of the transaction.
B. Method for generating public key and private key

First the user's finger-print features are scanned by a finger-print sensor unit and extracted for registration, known as enrollment; later the same features are used for authentication. Finger-print authentication thus consists of two essential procedures, enrollment and authentication, each completed by the steps shown in Figure 2.

Fig. 2. Enrollment and Authentication Steps

To generate the private key, we take the finger-print of the user and compute its hash value with the MD5 cryptographic hash function. The resulting hash value is the private key of the user; call it $d_A$ for user Alice and $d_B$ for user Bob. (Two practical points: MD5 is no longer considered a secure cryptographic hash, so a current implementation would use SHA-256 or stronger; and the digest must be reduced modulo the order $n$ of the base point so that the private key lies in $[1, n-1]$, as Section IV.D requires.) The public key is then generated in ECC from this private key as follows. Both users choose the same large prime $p$ and curve parameters $a$ and $b$ such that

$y^2 \bmod p = (x^3 + ax + b) \bmod p$ (6)

where $4a^3 + 27b^2 \neq 0$ (7). Now choose any one point $G(x, y)$ on this elliptic curve; this point is called the base point of the curve. Compute $P_A = d_A G(x, y)$; this $P_A$ is the public key of user Alice. The public key of user Bob is obtained by the same operation with the private key of user Bob.

C. OTP Message Encryption

The Bank Transaction Server generates the OTP to be sent to user Bob. The first task in this system is to encode the generated OTP message $m$ as a point $P_m(x, y)$, as shown in Figure 3.

Fig. 3. Plain-text points before encryption

It is the point $P_m$ that is encrypted into cipher-text and subsequently decrypted. After the OTP characters have been mapped to points on the elliptic curve [24], the message is encrypted by the following steps:

1. The encryption module encodes each OTP character $m$ as $P_m = (x, y)$ using a public encoding constant $K = 20$: compute $x = mK + i$ for $i = 1, \dots, K-1$ and take the first $i$ for which $x^3 + ax + b$ is a square modulo $p$, so that an integer $y$ exists. Thus $m$ is encoded as $(x, y)$, and decoding is simply $m = \lfloor (x-1)/K \rfloor$.
2. The module chooses a random scalar $k$, fresh for each message, with $0 < k < n$.
3. The cipher-text is the pair of points $C_m = (kG,\; P_m + kP_B)$.
4. The encryption module sends this cipher-text, shown in Figure 4, to Bob.

Fig. 4. Cipher-text points after encryption

D. OTP Message Decryption

To decrypt the message, Bob multiplies the first point of the pair by his private key and subtracts the result from the second point:

$P_m + kP_B - d_B(kG) = P_m + k(d_B G) - d_B(kG) = P_m$

The point $P_m$ is the message sent by the Bank Transaction Server, as shown in Figure 3. Bob decodes it, enters the plain-text OTP in the Bank Transaction input screen, and the transaction is executed.
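The following Python program is an added worked example and not code from the paper: it implements the point enumeration and addition rules of Sections IV.B and IV.C, the ECDH exchange of Section IV.D, and the key generation, OTP encoding, encryption and decryption of Sections VI.B to VI.D on one shared set of curve routines. It checks the paper's own example curve $E_{11}(1,1)$ and then runs the full bank-to-customer flow on a constructed toy curve $y^2 = x^3 + x + 1$ over $Z_{211}$, chosen because $211 \equiv 3 \pmod 4$ makes the modular square root a single exponentiation. The function names, the byte strings standing in for finger-print templates, the OTP value and the scalar $k$ are assumptions made for the example; SHA-256 replaces the paper's MD5, and each OTP digit is mapped to its own point. A real deployment would take a standard curve and its published order $n$ from SEC 2 [26] instead of brute-forcing point orders.

```python
import hashlib

INF = None  # the point at infinity O, identity element of the curve group

def curve_points(p, a, b):
    """Section IV.C: all (x, y) in Z_p x Z_p with y^2 == x^3 + a x + b (mod p).
    The point at infinity O is not listed; callers account for it."""
    rhs = [(x ** 3 + a * x + b) % p for x in range(p)]
    return [(x, y) for x in range(p) for y in range(p) if (y * y) % p == rhs[x]]

def ec_neg(P, p):
    return INF if P is INF else (P[0], (-P[1]) % p)

def ec_add(P, Q, p, a):
    """Rules 1-3 of Section IV.B; division is multiplication by the inverse mod p."""
    if P is INF:
        return Q                                     # Rule 1: O + Q = Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # Rule 2: P + (-P) = O
    if P == Q:
        t = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)   # tangent slope (doubling)
    else:
        t = (y2 - y1) * pow(x2 - x1, -1, p)          # chord slope
    t %= p
    x3 = (t * t - x1 - x2) % p
    return (x3, (t * (x1 - x3) - y1) % p)

def ec_mul(k, P, p, a):
    """k*P by double-and-add: repeated addition as in the paper's 8P = 4P + 4P."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R

def point_order(G, p, a):
    """Smallest n > 0 with n*G = O, by brute force. Toy curves only: real curves
    ship with n published (SEC 2 [26]) or use point counting [27]."""
    n, R = 1, G
    while R is not INF:
        R = ec_add(R, G, p, a)
        n += 1
    return n

def private_key_from_template(template, n):
    """Section VI.B: private key = hash(finger-print features), reduced into [1, n-1].
    SHA-256 stands in for the paper's MD5, which is no longer a safe hash."""
    return int.from_bytes(hashlib.sha256(template).digest(), "big") % (n - 1) + 1

def encode_digit(m, p, a, b, K=20):
    """Section VI.C mapping: x = m*K + i, i = 1..K-1, first i whose R.H.S. is a square
    mod p. The root pow(r, (p+1)//4, p) is correct only because p = 3 (mod 4)."""
    for i in range(1, K):
        x = m * K + i
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if (y * y) % p == rhs:
            return (x, y)
    raise ValueError("no curve point for %d; enlarge K or p" % m)

def decode_point(Pm, K=20):
    return (Pm[0] - 1) // K                          # m = floor((x - 1) / K)

def encrypt_point(Pm, PB, k, G, p, a):
    """C_m = (kG, P_m + kP_B), k a fresh random scalar for each message."""
    return (ec_mul(k, G, p, a), ec_add(Pm, ec_mul(k, PB, p, a), p, a))

def decrypt_point(C, dB, p, a):
    """Section VI.D: P_m = (P_m + kP_B) - d_B(kG)."""
    C1, C2 = C
    return ec_add(C2, ec_neg(ec_mul(dB, C1, p, a), p), p, a)

# Constructed toy curve y^2 = x^3 + x + 1 over Z_211 (211 is prime, 211 = 3 mod 4).
P_, A_, B_ = 211, 1, 1

def run_otp_exchange(otp="482913", alice_tpl=b"alice-minutiae-v1",
                     bob_tpl=b"bob-minutiae-v1", k_seed=77):
    """Whole Section VI flow on the toy curve: keys from (constructed) templates,
    ECDH agreement check, per-digit encoding, encryption at the bank, decryption
    at the customer. Returns the intermediate values for inspection."""
    pts = curve_points(P_, A_, B_)
    G = max(pts, key=lambda Q: point_order(Q, P_, A_))   # base point of largest order
    n = point_order(G, P_, A_)
    dA = private_key_from_template(alice_tpl, n)        # bank server (Alice)
    dB = private_key_from_template(bob_tpl, n)          # customer (Bob)
    PA, PB = ec_mul(dA, G, P_, A_), ec_mul(dB, G, P_, A_)
    shared_A = ec_mul(dA, PB, P_, A_)                   # Section IV.D: d_A * P_B
    shared_B = ec_mul(dB, PA, P_, A_)                   # Section IV.D: d_B * P_A
    k = k_seed % (n - 1) + 1                            # stand-in for a random scalar
    cipher = [encrypt_point(encode_digit(int(c), P_, A_, B_), PB, k, G, P_, A_)
              for c in otp]
    recovered = "".join(str(decode_point(decrypt_point(C, dB, P_, A_))) for C in cipher)
    return {"n": n, "ecdh_agrees": shared_A == shared_B,
            "recovered": recovered, "ciphertext": cipher}

if __name__ == "__main__":
    print(run_otp_exchange())
```

Running the module prints the recovered OTP next to the cipher-text point pairs. Two caveats the paper does not spell out: $k$ must be a fresh random scalar for every OTP (reusing it with the same $P_B$ makes the difference of two cipher-texts equal the difference of the two plain-text points), and hashing a raw template only reproduces the same key when the captured features are byte-for-byte identical between enrollment and authentication, which finger-print scanners do not guarantee; the fuzzy extractors of [6] and the pitfalls discussed in [33] address exactly this gap.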
VII. RESULT AND DISCUSSION

Traditional implementations of public key infrastructure and of encryption and decryption face many problems, such as key management, key storage and key privacy. The proposed approach addresses these problems. The finger-print serves as the source of the private key, so no private key needs to be stored; the finger-print also has advantages over other biometrics, being the most user-friendly and cheap to capture, and finger-print recognition has the properties of universality, permanence, uniqueness and accuracy. Because ECC is used, a high level of security is achieved with a much shorter key [15], which also solves the key-size problem. The security of ECC rests on the elliptic curve discrete logarithm problem and the related elliptic curve Diffie-Hellman problem; since the best known attacks on them are generic square-root-time algorithms rather than the sub-exponential methods available against the ordinary discrete logarithm and RSA, the security strength per key bit is very high.

VIII. CONCLUSION AND FUTURE SCOPE

This paper illustrates secure communication of the OTP over the network with the help of ECC and a finger-print biometric. The main advantage of ECC is that it needs a much smaller key while giving a high level of security; combined with a cheap biometric recognition system, no private key needs to be stored anywhere. E-commerce is growing very rapidly, yet most banking systems send the OTP for e-commerce money transactions as plain-text, which is insecure and depends entirely on the Short Message Service (SMS) client/server communication. The proposed model mitigates this drawback of the present e-commerce transaction system. It can also be employed for any other kind of secure data communication carried over SMS.

ACKNOWLEDGMENT

We would like to thank our colleagues, the Head of Department, the Dean (R & C) and the Director of our Institute for supporting this research work directly or indirectly.
REFERENCES
[1] L. Ballard, S. Kamara, and M. K. Reiter, “The practical subtleties of biometric key generation,” in Proceedings of the 17th USENIX Security Symposium (SS’08), Berkeley, CA, USA: USENIX Association, 2008, pp. 61–74.
[2] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for key management – Part 1: General (revision 3),” NIST Special Publication 800-57, pp. 1–147, July 2012.
[3] C. Nandini and B. Shylaja, “Efficient cryptographic key generation from fingerprint using symmetric hash functions,” International Journal of Research and Reviews in Computer Science, vol. 2, no. 4, 2011.
[4] B. Chen and V. Chandran, “Biometric based cryptographic key generation from faces,” in Digital Image Computing Techniques and Applications, 9th Biennial Conference of the Australian Pattern Recognition Society, Dec. 2007, pp. 394–401.
[5] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976.
[6] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in Advances in Cryptology – EUROCRYPT 2004 (C. Cachin and J. L. Camenisch, eds.), Lecture Notes in Computer Science vol. 3027, Springer Berlin Heidelberg, 2004, pp. 523–540.
[7] H. Feng and C. C. Wah, “Private key generation from online handwritten signatures,” Information Management & Computer Security, vol. 10, no. 4, pp. 159–164, 2002.
[8] S. P. Ganesan, “An asymmetric authentication protocol for mobile devices using elliptic curve cryptography,” in 2010 2nd International Conference on Advanced Computer Control (ICACC), vol. 4, Mar. 2010, pp. 107–109.
[9] S. G. E. Garrett and P. J. Skevington, “An introduction to electronic commerce,” BT Technology Journal, vol. 17, no. 3, pp. 11–16, 1999.
[10] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve cryptography and RSA on 8-bit CPUs,” in Cryptographic Hardware and Embedded Systems – CHES 2004 (M. Joye and J.-J. Quisquater, eds.), Lecture Notes in Computer Science vol. 3156, Springer Berlin Heidelberg, 2004, pp. 119–132.
[11] N. Haller, “The S/KEY one-time password system,” RFC 1760, Network Working Group, 1995.
[12] F. Hao, R. Anderson, and J. Daugman, “Combining crypto with biometrics effectively,” IEEE Transactions on Computers, vol. 55, no. 9, pp. 1081–1088, 2006.
[13] H. X. Mel and D. Baker, Cryptography Decrypted, 1st ed. Addison-Wesley, 2000.
[14] A. B. J. Teoh, D. C. L. Ngo, and A. Goh, “Personalised cryptographic key generation based on FaceHashing,” Computers & Security, vol. 23, pp. 606–614, 2004.
[15] D. Mahto and D. K. Yadav, “Network security using ECC with biometric,” in Quality, Reliability, Security and Robustness in Heterogeneous Networks, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering vol. 115, Springer Berlin Heidelberg, 2013, pp. 842–853.
[16] E. Tabassi, C. L. Wilson, and C. I. Watson, “Fingerprint image quality, NFIQ,” National Institute of Standards and Technology, NISTIR 7151, 2004.
[17] V. S. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology – CRYPTO ’85 Proceedings (H. C. Williams, ed.), Lecture Notes in Computer Science vol. 218, Springer Berlin Heidelberg, 1986, pp. 417–426.
[18] N. Miura, A. Nagasaka, and T. Miyatake, “Extraction of finger-vein patterns using maximum curvature points in image profiles,” IEICE Transactions on Information and Systems, vol. E90-D, no. 8, pp. 1185–1194, Aug. 2007.
[19] S. Mohammadi and S. Abedi, “ECC-based biometric signature: A new approach in electronic banking security,” in 2008 International Symposium on Electronic Commerce and Security, Aug. 2008, pp. 763–766.
[20] F. Monrose, M. K. Reiter, Q. Li, and S. Wetzel, “Cryptographic key generation from voice,” in Proceedings of the 2001 IEEE Symposium on Security and Privacy (SP ’01), Washington, DC, USA: IEEE Computer Society, 2001, pp. 202–.
[21] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
[22] M. R. Ogiela and L. Ogiela, “Image based crypto-biometric key generation,” in 2011 Third International Conference on Intelligent Networking and Collaborative Systems (INCoS), Nov. 2011, pp. 673–678.
[23] R. Ganesan and K. Vivekanandan, “A secured hybrid architecture model for internet banking (e-banking),” Journal of Internet Banking and Commerce, vol. 14, no. 1, pp. 1–17, 2009.
[24] O. S. Rao and S. P. Setty, “Efficient mapping methods for elliptic curve cryptosystems,” International Journal of Engineering Science and Technology, vol. 2, no. 8, pp. 3651–3656, Aug. 2010.
[25] C. Rathgeb and A. Uhl, “Privacy preserving key generation for iris biometrics,” in Communications and Multimedia Security (B. De Decker and I. Schaumüller-Bichl, eds.), Lecture Notes in Computer Science vol. 6109, Springer Berlin Heidelberg, 2010, pp. 191–200.
[26] Certicom Research, “Standards for Efficient Cryptography – SEC 2: Recommended Elliptic Curve Domain Parameters,” Sept. 2000.
[27] R. Schoof, “Counting points on elliptic curves over finite fields,” Journal de Théorie des Nombres de Bordeaux, vol. 7, pp. 219–254, 1995.
[28] Y. Shibata, M. Mimura, K. Takahashi, and M. Nishigaki, “A study on biometric key generation from fingerprints: Fingerprint-key generation from stable feature value,” in Security and Management, 2007, pp. 45–51.
[29] C. Wang, H. Liu, and X. Liu, “Contact-free and pose-invariant hand-biometric-based personal identification system using RGB and depth data,” Journal of Zhejiang University SCIENCE C, vol. 15, no. 7, pp. 525–536, 2014.
[30] Y. Wang and K. N. Plataniotis, “Fuzzy vault for face based cryptographic key generation,” in Biometrics Symposium 2007, Sept. 2007, pp. 1–6.
[31] M. Watanabe, “Finger-print authentication,” in Advances in Biometrics (N. K. Ratha and V. Govindaraju, eds.), Springer London, 2008, pp. 75–88.
[32] L. Wu, X. Liu, S. Yuan, and P. Xiao, “A novel key generation cryptosystem based on face features,” in 2010 IEEE 10th International Conference on Signal Processing (ICSP), Oct. 2010, pp. 1675–1678.
[33] P. Zhang, J. Hu, C. Li, M. Bennamoun, and V. Bhagavatula, “A pitfall in fingerprint bio-cryptographic key generation,” Computers & Security, vol. 30, no. 5, pp. 311–319, 2011.