Top

Published in:

2020 | OriginalPaper | Chapter

Security Requirements for Store-on-Client and Verify-on-Server Secure Biometric Authentication

Authors : Haruna Higo, Toshiyuki Isshiki, Masahiro Nara, Satoshi Obana, Toshihiko Okamura, Hiroto Tamiya

Published in: Emerging Technologies for Authorization and Authentication

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The Fast IDentity Online Universal Authentication Framework (FIDO UAF) is an online two-step authentication framework designed to prevent biometric information breaches from servers. In FIDO UAF, biometric authentication is firstly executed inside a user’s device, and then online device authentication follows. While there is no chance of biometric information leakage from the servers, risks remain when users’ devices are compromised. In addition, it may be possible to impersonate the user by skipping the biometric authentication step.

To design more secure schemes, this paper defines Store-on-Client and Verify-on-Server Secure Biometric Authentication (SCVS-SBA). Store-on-client means that the biometric information is stored in the devices as required for FIDO UAF, while verify-on-server is different from FIDO UAF, which implies that the result of biometric authentication is determined by the server. We formalize security requirements for SCVS-SBA into three definitions. The definitions guarantee resistance to impersonation attacks and credential guessing attacks, which are standard security requirements for authentication schemes. We consider different types of attackers according to the knowledge on the internal information.

We propose a practical concrete scheme toward SCVS-SBA, where normalized cross-correlation is used as the similarity measure for the biometric features. Experimental results show that a single authentication process takes only tens of milliseconds, which means that it is fast enough for practical use.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter NoCry: No More Secure Encryption Keys for Cryptographic Ransomware

next chapter Reflexive Memory Authenticator: A Proposal for Effortless Renewable Biometrics

Android keystore system. https://developer.android.com/training/articles/keystore

FIDO Alliance. https://fidoalliance.org/

Bringer, J., Chabanne, H.: An authentication protocol with encrypted biometric data. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 109–124. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_8CrossRef

Bringer, J., Chabanne, H., Izabachène, M., Pointcheval, D., Tang, Q., Zimmer, S.: An application of the Goldwasser-Micali cryptosystem to biometric authentication. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 96–106. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73458-1_8CrossRef

Bringer, J., Chabanne, H., Lescuyer, R.: Software-only two-factor authentication secure against active servers. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 285–303. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_15CrossRef

Bringer, J., Chabanne, H., Patey, A.: Privacy-preserving biometric identification using secure multiparty computation: an overview and recent trends. Signal Process. Mag. 30(2), 42–52 (2013)CrossRef

Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)MathSciNetMATHCrossRef

Fuller, B., Reyzin, L., Smith, A.: When are fuzzy extractors possible? In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 277–306. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_10CrossRef

Hassner, T., et al.: Pooling faces: template based face recognition with pooled face images. In: The IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, June 2016

10.

Higo, H., Isshiki, T., Mori, K., Obana, S.: Privacy-preserving fingerprint authentication resistant to hill-climbing attacks. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E101.A(1), 138–148 (2018)MATHCrossRef

11.

Hirano, T., Hattori, M., Ito, T., Matsuda, N.: Cryptographically-secure and efficient remote cancelable biometrics based on public-key homomorphic encryption. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 183–200. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41383-4_12MATHCrossRef

12.

Isshiki, T., Araki, T., Mori, K., Obana, S., Ohki, T., Sakamoto, S.: New security definitions for biometric authentication with template protection: toward covering more threats against authentication systems. In: International Conference of the Biometrics Special Interest Group (BIOSIG), pp. 1–12 (2013)

13.

Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Proceedings of the 6th ACM Conference on Computer and Communications Security, pp. 28–36. ACM, New York (1999)

14.

Karna, D.K., Agarwal, S., Nikam, S.: Normalized cross-correlation based fingerprint matching. In: 2008 Fifth International Conference on Computer Graphics, Imaging and Visualisation, pp. 229–232, August 2008

15.

Lai, R.W.F., Egger, C., Reinert, M., Chow, S.S.M., Maffei, M., Schröder, D.: Simple password-hardened encryption services. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1405–1421. USENIX Association, Baltimore (2018)

16.

Martinez-Diaz, M., Fierrez-Aguilar, J., Alonso-Fernandez, F., Ortega-Garcia, J., Siguenza, J.: Hill-climbing and brute-force attacks on biometric systems: a case study in match-on-card fingerprint verification. In: 40th Annual IEEE International Carnahan Conferences Security Technology, ICCST 2006, pp. 151–159, October 2006

17.

Masi, I., Trãn, A.T., Hassner, T., Leksut, J.T., Medioni, G.: Do we really need to collect millions of faces for effective face recognition? In: Leibe, B., Matas, J., Sebe, N., Welling, M. (eds.) ECCV 2016. LNCS, vol. 9909, pp. 579–596. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46454-1_35CrossRef

18.

Matsuda, T., Takahashi, K., Murakami, T., Hanaoka, G.: Fuzzy signatures: relaxing requirements and a new construction. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 97–116. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_6MATHCrossRef

19.

National Institute of Standards and Technology (NIST): FIPS PUB 186-4: Digital Signature Standard (DSS) (2013)

20.

OpenSSL Software Foundation: OpenSSL. https://www.openssl.org/

21.

Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22CrossRef

22.

Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)MathSciNetMATHCrossRef

23.

Tuyls, P., Akkermans, A.H.M., Kevenaar, T.A.M., Schrijen, G.-J., Bazen, A.M., Veldhuis, R.N.J.: Practical biometric authentication with template protection. In: Kanade, T., Jain, A., Ratha, N.K. (eds.) AVBPA 2005. LNCS, vol. 3546, pp. 436–446. Springer, Heidelberg (2005). https://doi.org/10.1007/11527923_45CrossRef

24.

Yasuda, M., Shimoyama, T., Kogure, J., Yokoyama, K., Koshiba, T.: New packing method in somewhat homomorphic encryption and its applications. Secur. Commun. Netw. 8(13), 2194–2213 (2015)MATHCrossRef

25.

Yoo, J.C., Han, T.H.: Fast normalized cross-correlation. Circ. Syst. Signal Process. 28(6), 819 (2009)MATHCrossRef

Title: Security Requirements for Store-on-Client and Verify-on-Server Secure Biometric Authentication
Authors: Haruna Higo
Toshiyuki Isshiki
Masahiro Nara
Satoshi Obana
Toshihiko Okamura
Hiroto Tamiya
Publisher: Springer International Publishing
Book: Emerging Technologies for Authorization and Authentication
Print ISBN: 978-3-030-39748-7

Electronic ISBN: 978-3-030-39749-4

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-39749-4_6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner