Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics
Prof. Chun-I Fan
Chun-I Fan and Yi-Hui Lin
Department of Computer Science and Engineering, National Sun Yat-sen University, Taiwan
IEEE Transactions on Information Forensics and Security, vol. 4, no. 4, 2009, pp. 933-945.
The final publication is available at http://ieeexplore.ieee.org
Outline
- Introduction
- The proposed scheme
- Logic analysis
- Security model and definitions
- Security proofs
- Conclusions
Introduction
Three-factor systems increase security level.
[Figure: An example of the registration process of a biometrics system]
[Figure: An example of the verification process of a biometrics system]
The authentication server should be able to verify
- something the user knows (e.g., password)
- something the user has (e.g., smart card)
- something the user is (e.g., biometric data)
[Figure: User, Client PC, Authentication Server]
The privacy of biometrics is preserved.
The server cannot check the biometric data.
[Figure: biometric verification pipeline. Labels: Card, Storage, Terminal, Sensor, Raw Data, Image Processing, Extracted Features, Template, Matching, Score, Decision, Yes/No, Application]
The biometric data is verified.
The privacy is not preserved!!
[Figure: biometric verification pipeline. Labels: Terminal, Sensor, Raw Data, Image Processing, Extracted Features, Card, Server, Storage, Template, Matching, Score, Decision, Yes/No, Application]
Our solution of protecting biometric privacy from the server
- The server gets a transformed template.
- The random string is saved in the smart card.
[Figure: Registration phase and Login and verification phase, each with the random string 10001011; Matching]
Secure sketch technique
Our solution of protecting the random string in the smart card from being revealed
- The random string is combined with the template.
[Figure: Biometric template with embedded secret; Input biometric data; Matching; Secret released]
The Proposed Scheme
Initialization phase
[Figure: key pair $(pk, sk)$, secret key $x$; public key $pk$]
Notations
- $\Psi_{S_i}(\cdot)$: An encryption function with the biometric template $S_i$ as the encryption key
- $A$: An extracting algorithm
- $e_{pk}(\cdot)$: A public-key encryption function with the server's public key $pk$
- $d_{sk}(\cdot)$: The decryption function corresponding to $e_{pk}(\cdot)$
- $E_K(\cdot)$: A symmetric encryption function with key $K$
- $D_K(\cdot)$: The decryption function corresponding to $E_K(\cdot)$
- $\Delta(\cdot)$: The biometric matching algorithm
- $PW_i^*$: The password which $U_i$ inputs
- $S_i^*$: The biometric sample which $U_i$ inputs
- $y_i$: The data stored in $U_i$'s smart card
Registration phase
User $U_i$:
- Choose $ID_i$, $PW_i$, and $r$
- Create $S_i$
- Compute $SS_i = \delta_r(S_i) = r \oplus S_i$
User -> Server: $ID_i$, $h(PW_i)$, $SS_i$
Server:
- $y_i = E_x(ID_i \,\|\, h(PW_i) \,\|\, SS_i)$
- Store $ID_i$, $y_i$, $h(\cdot)$, $pk$ in a smart card
Server -> User: smart card
User $U_i$:
- Store $\Psi_{S_i}(r)$ in the smart card
Login phase
User $U_i$:
- Input $PW_i^*$ and $S_i^*$
- $r = A(\Psi_{S_i}(r), S_i^*)$
- $SS_i^* = \delta_r(S_i^*) = r \oplus S_i^*$
- $C_0 = e_{pk}(ID_i \,\|\, y_i \,\|\, u)$
User -> Server: $C_0$
Server:
- $d_{sk}(C_0) = (ID_i \,\|\, y_i \,\|\, u)$
- Check $ID_i$
- $D_x(y_i) = (ID_i \,\|\, h(PW_i) \,\|\, SS_i)$
- $C_1 = E_u(SID \,\|\, v)$
Server -> User: $C_1$
User $U_i$:
- $D_u(C_1) = (SID \,\|\, v)$
- Check $SID$
- $C_2 = E_v(ID_i \,\|\, h(PW_i^*) \,\|\, SS_i^*)$
User -> Server: $C_2$
Server:
- $D_v(C_2) = (ID_i \,\|\, h(PW_i^*) \,\|\, SS_i^*)$
- Check $h(PW_i^*) = h(PW_i)$
- Perform $\Delta(SS_i, SS_i^*)$
Session key: $h(v)$
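The biometric side of the registration and login phases above, as an added example (not code from the slides or the paper): it shows that XOR-ing with r preserves Hamming distance, so the server can run the matching on SS_i and SS_i* without seeing S_i, and that r is only released from the card by a close enough sample. Assumptions: Psi is instantiated as a code-offset secure sketch over a 3x repetition code with a SHAKE-256 mask, Delta is a Hamming-distance threshold, all sizes are toy values, and the encryption layers (e_pk, E_x, E_u, E_v) are left out.

```python
import hashlib, secrets

N, REP, THRESHOLD = 96, 3, 10  # assumed toy sizes: template bits, repetition factor, max mismatches

def rand_bits(n): return [secrets.randbits(1) for _ in range(n)]
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def hamming(a, b): return sum(x != y for x, y in zip(a, b))
def flip(bits, pos): return [b ^ (i in pos) for i, b in enumerate(bits)]

def kdf(bits, n):
    """Stretch a bit list into n pseudo-random bits with SHAKE-256 (assumed KDF)."""
    d = hashlib.shake_256(bytes(bits)).digest((n + 7) // 8)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(n)]

def psi(S, r):
    """Psi_S(r): code-offset sketch of S, plus r masked under a key derived from S."""
    codeword = [b for b in rand_bits(N // REP) for _ in range(REP)]
    return xor(S, codeword), xor(r, kdf(S, N))

def extract(card, S_star):
    """A(Psi_S(r), S*): majority-decode the sketch to correct S* back to S, then unmask r."""
    sketch, masked_r = card
    noisy = xor(sketch, S_star)  # codeword XOR (S XOR S*)
    codeword = [int(2 * sum(noisy[i:i + REP]) > REP)
                for i in range(0, N, REP) for _ in range(REP)]
    return xor(masked_r, kdf(xor(sketch, codeword), N))

def delta(r, S):  # delta_r(S) = r XOR S, the transformed template
    return xor(r, S)

def match(SS, SS_star):  # Delta: server-side decision on transformed templates only
    return hamming(SS, SS_star) <= THRESHOLD

def demo():
    S, r = rand_bits(N), rand_bits(N)
    SS, card = delta(r, S), psi(S, r)          # registration: server keeps SS, card keeps Psi_S(r)
    S_star = flip(S, {0, 5, 31, 64})           # constructed genuine sample, 4 noisy bits
    r_rec = extract(card, S_star)              # login: r released from the card by the biometric
    SS_star = delta(r_rec, S_star)
    S_bad = flip(S, set(range(0, N, 2)))       # constructed impostor sample, 48 bits differ
    SS_bad = delta(extract(card, S_bad), S_bad)
    return {"r_recovered": r_rec == r,
            "server_distance": hamming(SS, SS_star),
            "raw_distance": hamming(S, S_star),
            "genuine_accepted": match(SS, SS_star),
            "impostor_accepted": match(SS_bad, SS)}

if __name__ == "__main__":
    print(demo())
```

The sketch half of the card data leaks some information about S_i by construction, so a real deployment sizes the error-correcting code against the entropy of the biometric rather than using a repetition code.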
Logic Analysis
- Are the messages meaningful to me?
- Where are the messages from?
- Who am I communicating with?
- Is the key trusted?
Logic analysis shows the completeness of a protocol.
Steps for analyzing the protocol
- Step 1: Change the format of the protocol
- Step 2: Set the goals
- Step 3: List the assumptions
- Step 4: Use logic postulates to examine if the goals are achieved
The achieved goals of our scheme:
- Message content authentication
- Message origin authentication
- General identity authentication
- Session key establishment
Security Model and Definitions
- $\Pi^{i}_{A,B}$: Client oracle in $i$-th session
- $\Pi^{j}_{B,A}$: Server oracle in $j$-th session
- Execute($\Pi^{i}_{A,B}$, $\Pi^{j}_{B,A}$): Eavesdrop all transmitted data
- Send($\Pi^{i}_{A,B}$, $m$): Send a message to $\Pi^{i}_{A,B}$
- Send($\Pi^{j}_{B,A}$, $m$): Send a message to $\Pi^{j}_{B,A}$
- Leak($\Pi^{i}_{A,B}$): the leakage of
  1) the password and the data stored in the smart card
  2) the biometric data and the data stored in the smart card
  3) the password and the biometric data
- Reveal($\Pi^{i}_{A,B}$): the exposure of the session key
- Test($\Pi^{i}_{A,B}$): Return the real session key or a randomly-chosen string
Definition
Matching conversations:
Discussions of mutual authentication in three-factor scheme:
$$\Pr[\mathrm{Succ}^{E}_{M\_Auth}] \le \Pr[\mathrm{Succ}^{E}_{S\_Auth}] + \Pr[\mathrm{Succ}^{E}_{C\_Auth}]$$
$$\Pr[\mathrm{Succ}^{E}_{C\_Auth}] \le \Pr[b_1, b_2, b_3] \le \Pr[b_1 \mid b_2, b_3] + \Pr[b_2 \mid b_1, b_3] + \Pr[b_3 \mid b_1, b_2]$$
- $b_1$: The adversary $E$ passes the checking of the password
- $b_2$: The adversary $E$ passes the checking of the smart card
- $b_3$: The adversary $E$ passes the checking of the biometric data
- $\mathrm{Succ}^{E}_{S\_Auth}$: The adversary $E$ passes the authentication with the client oracle $\Pi^{s}_{A,B}$ successfully.
- $\mathrm{Succ}^{E}_{C\_Auth}$: The adversary $E$ passes the authentication with the server oracle $\Pi^{t}_{B,A}$ successfully.
- $\mathrm{Succ}^{E}_{M\_Auth}$: The adversary $E$ breaks the mutual authentication.
Definition
A secure three-factor mutual authentication protocol:
(1) (Correctness) Matching conversation implies acceptance of $\Pi^{s}_{A,B}$ and $\Pi^{t}_{B,A}$
(2) $\Pi^{s}_{A,B}$ acceptance implies a matching conversation: The probability of $\text{No Matching}^{E}(k)$ is negligible;
(3) $\Pi^{t}_{B,A}$ acceptance implies a matching conversation: The probability of $\text{No Matching}^{E}(k)$ is negligible even if any two of the factors are leaked from the client.
Definition
A secure three-factor mutual authentication and key exchange protocol:
- It is a secure three-factor mutual authentication protocol.
- (Correctness) An adversary engages in the execution of the protocol with $\Pi^{i}_{A,B}$ and its partner $\Pi^{j}_{B,A}$. Then both oracles always share the same session key.
- For any polynomial-time adversary $E$, $\mathrm{advantage}^{E}(k) = (\Pr[\text{Good Guess}^{E}(k)] - 1/2)$ is negligible, where $k$ is the security parameter and $\text{Good Guess}^{E}(k)$ is the event that the adversary $E$ guesses the right answer to the Test query Test($\Pi^{i}_{A,B}$).
Chosen-ciphertext attack (CCA): Public-key encryption scheme
[Figure: CCA game. Labels: Key_Gen Algorithm (+K, -K); Decryption Oracle with ciphertexts $y_0, y_1, y_2, \ldots, y_i$ and plaintexts $x_0, x_1, x_2, \ldots, x_i$; Encryption Oracle; Adversary with challenge pair $(x'_0, x'_1)$, challenge ciphertext $y'_b$, $b \in \{0,1\}$, guess $b'$; advantage $\Pr[b' = b] - 1/2$]
Chosen-ciphertext attack (CCA): Symmetric encryption scheme
[Figure: CCA game for a symmetric encryption scheme]
Security Proofs
The proposed scheme P:
1. $A \to B$: $e_{pk}(ID_A, r_A, E_x(ID_A, h(PW_A), \delta_r(bio_A)))$
2. $B \to A$: $E_{r_A}(ID_B, r_B)$
3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), \delta_r(bio_A))$
Security Properties
- Three-Factor Mutual Authentication
  - Server Authentication
  - Client Authentication
    - The leakage of passwords and biometric data
    - The leakage of biometric data and the data stored in smart cards
    - The leakage of the data stored in smart cards and passwords
- Secure Key exchange
Theorem 1: Mutual Authentication
Lemma 1: (Server Authentication) If there exists an attacker that is accepted by the client, then the public-key encryption scheme is not secure.
[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator, Decrypt oracle for $(pk, sk)$. Attacker queries: Execute, Send_A, Send_B, Test.
Messages: 1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$; 2. $B \to A$: $E_{r_A}(ID_B, r_B)$; 3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), bio_A)$.
Challenge: $x_0 = (ID_A, r_A, en\_card\_data_A)$, $x_1 = (ID_A, r_A', en\_card\_data_A)$, $y_b = e_{pk}(x_b)$, $b \in_R \{0,1\}$.
Output: $b' = 0$ if $D_{r_A}(M_f) = (ID_B, r_B)$; $b' = 1$ if $D_{r_A'}(M_f) = (ID_B, r_B)$.]
Theorem 1: Mutual Authentication
Lemma 2: Client Authentication
Case 1: The server cannot accept without the client even though the password and the data stored in the card are leaked.
[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator, En/Decrypt oracle. Attacker queries: Execute, Send_A, Send_B, Leak, Test. Leaked to the attacker: $PW_A$, $en\_card\_data_b$.
Messages: 1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$; 2. $B \to A$: $E_{r_A}(ID_B, r_B)$; 3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), \delta_r(bio_A))$, with $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$.
Challenge: $card\_data_0 = (ID_A, h(PW_A), x_A)$, $card\_data_1 = (ID_A, h(PW_A), x_A')$, $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$.
Output: $b' = 0$ if $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$; otherwise $b' \in_R \{0,1\}$.]
Theorem 1: Mutual Authentication
Lemma 2: Client Authentication
Case 2: (offline dictionary attack) The server cannot accept without the client even though the biometric data and the data stored in the card are leaked.
[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator, En/Decrypt oracle. Attacker queries: Execute, Send_A, Send_B, Leak, Test. Leaked to the attacker: $x_A$, $en\_card\_data_b$.
Messages: 1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$; 2. $B \to A$: $E_{r_A}(ID_B, r_B)$; 3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), \delta_r(bio_A))$, with $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$.
Challenge: $card\_data_0 = (ID_A, h(PW_A), x_A)$, $card\_data_1 = (ID_A, h(PW_A'), x_A)$, $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$.
Output: $b' = 0$ if $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$; otherwise $b' \in_R \{0,1\}$.]
Theorem 1: Mutual Authentication
Lemma 2: Client Authentication
Case 3: The server cannot accept without the client even though the biometric data and the password are leaked.
[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator, En/Decrypt oracle. Attacker queries: Execute, Send_A, Send_B, Leak, Test. Leaked to the attacker: $bio_A$, $PW_A$.
Messages: 1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$; 2. $B \to A$: $E_{r_A}(ID_B, r_B)$; 3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), \delta_r(bio_A))$, with $en\_card\_data_A = E_K(ID_A, h(PW_A), \delta_r(bio_A))$.
Challenge: $card\_data_0 = (ID_A, h(PW_A), x_A)$, $card\_data_1 = (ID_A, h(PW_A'), x_A')$, $en\_card\_data_b = E_K(card\_data_b)$, $b \in_R \{0,1\}$.
Output: $b' = 0$ if $D_{r_B}(M_f) = (ID_A, h(PW_A), x_A)$; otherwise $b' \in_R \{0,1\}$.]
Theorem 2: (secure key exchange) If the public-key encryption scheme is secure, then the protocol is a secure key exchange scheme.
[Figure: reduction to the CCA2 assumption. Parties: User A, Server B, Attacker, Simulator, Decrypt oracle for $(pk, sk)$. Attacker queries: Execute, Send_A, Send_B, Reveal, Test.
Messages: 1. $A \to B$: $e_{pk}(ID_A, r_A, en\_card\_data_A)$; 2. $B \to A$: $E_{r_A}(ID_B, r_B)$; 3. $A \to B$: $E_{r_B}(ID_A, h(PW_A), bio_A)$.
Challenge: $x_0 = (ID_A, r_A, en\_card\_data_A)$, $x_1 = (ID_A, r_A', en\_card\_data_A)$, $y_b = e_{pk}(x_b)$, $b \in_R \{0,1\}$.
Test: according to a coin $c \in \{0,1\}$ the attacker receives $k$, either $h(r_B)$ or a random string $r$, and answers with a guess $c'$, from which the simulator derives $b'$.]
Conclusions
- Truly three-factor authentication
- Strong biometrics privacy
- Free from maintaining password or biometric databases
- No time-consuming operations in the smart card
- Provable security
Thank You!!!