A PUF-and biometric-based lightweight hardware solution to increase security at sensor nodes

Security is essential in sensor nodes which acquire and transmit sensitive data. However, the constraints of processing, memory and power consumption are very high in these nodes. Cryptographic algorithms based on symmetric key are very suitable for them. The drawback is that secure storage of secret keys is required. In this work, a low-cost solution is presented to obfuscate secret keys with Physically Unclonable Functions (PUFs), which exploit the hardware identity of the node. In addition, a lightweight fingerprint recognition solution is proposed, which can be implemented in low-cost sensor nodes. Since biometric data of individuals are sensitive, they are also obfuscated with PUFs. Both solutions allow authenticating the origin of the sensed data with a proposed dual-factor authentication protocol. One factor is the unique physical identity of the trusted sensor node that measures them. The other factor is the physical presence of the legitimate individual in charge of authorizing their transmission. Experimental results are included to prove how the proposed PUF-based solution can be implemented with the SRAMs of commercial Bluetooth Low Energy (BLE) chips which belong to the communication module of the sensor node. Implementation results show how the proposed fingerprint recognition based on the novel texture-based feature named QFingerMap16 (QFM) can be implemented fully inside a low-cost sensor node. Robustness, security and privacy issues at the proposed sensor nodes are discussed and analyzed with experimental results from PUFs and fingerprints taken from public and standard databases.Ministerio de Economía, Industria y Competitividad TEC2014-57971-R, TEC2017-83557-

Biometric Fuzzy Extractor Scheme for Iris Templates

In: The 2009 World Congress in Computer Science, Computer Engineering, and Applied Computing (WORLDCOMP'09), The 2009 International Conference on Security and Management (SAM'09), Vol II, Proceedings 563--569. H.R. Arabnia and K. Daimi (Eds.), Las Vegas (USA), July, 2009Biometric recognition offers a reliable and natural solution to the problem of user authentication by means of her physical and behavioral traits. An iris template protection scheme which associates and retrieves a secret value with a high level of security, is proposed. The security is guaranteed thanks to the requirements of fuzzy extractors. The implementation of the scheme is done in Java and experimental results are performed to calculate its False Acceptance Rate and its False Rejection Rate.This work has been partially supported by Ministerio de Industria, Turismo y Comercio (Spain), in collaboration with CDTI and Telefónica I+D under the project SEGUR@ (CENIT-2007 2004).Peer reviewe

Towards Secure Identity-Based Cryptosystems for Cloud Computing

The convenience provided by cloud computing has led to an increasing trend of many business organizations, government agencies and individual customers to migrate their services and data into cloud environments. However, once clients’ data is migrated to the cloud, the overall security control will be immediately shifted from data owners to the hands of service providers. When data owners decide to use the cloud environment, they rely entirely on third parties to make decisions about their data and, therefore, the main challenge is how to guarantee that the data is accessible by data owners and authorized users only. Remote user authentication to cloud services is traditionally achieved using a combination of ID cards and passwords/PINs while public key infrastructure and symmetric key encryptions are still the most common techniques for enforcing data security despite the missing link between the identity of data owners and the cryptographic keys. Furthermore, the key management in terms of the generation, distribution, and storage are still open challenges to traditional public-key systems. Identity-Based Cryptosystems (IBCs) are new generations of public key encryptions that can potentially solve the problems associated with key distribution in public key infrastructure in addition to providing a clear link between encryption keys and the identities of data owners. In IBCs, the need for pre-distributed keys before any encryption/decryption will be illuminated, which gives a great deal of flexibility required in an environment such as the cloud. Fuzzy identity-based cryptosystems are promising extensions of IBCs that rely on biometric modalities in generating the encryption and decryption keys instead of traditional identities such as email addresses. This thesis argues that the adoption of fuzzy identity-based cryptosystems seems an ideal option to secure cloud computing after addressing a number of vulnerabilities related to user verification, key generation, and key validation stages. The thesis is mainly concerned with enhancing the security and the privacy of fuzzy identity-based cryptosystems by proposing a framework with multiple security layers. The main contributions of the thesis can be summarised as follows. 1. Improving user verification based on using a Challenge-Response Multifactor Biometric Authentication (CR-MFBA) in fuzzy identity-based cryptosystems that reduce the impacts of impersonators attacks. 2. Reducing the dominance of the “trusted authority” in traditional fuzzy identity-based cryptosystems by making the process of generating the decryption keys a cooperative process between the trusted authority server and data owners. This leads to shifting control over the stored encrypted data from the trusted authority to the data owners. 3. Proposing a key-validity method that relies on employing the Shamir Secret Sharing, which also contributes to giving data owners more control over their data. 4. Further improving the control of data owners in fuzzy identity-based cryptosystems by linking the decryption keys parameters with their biometric modalities. 5. Proposing a new asymmetric key exchange protocol based on utilizing the scheme of fuzzy identity-based cryptosystems to shared encrypted data stored on cloud computing

Improved security and privacy preservation for biometric hashing

We address improving verification performance, as well as security and privacy aspects of biohashing methods in this thesis. We propose various methods to increase the verification performance of the random projection based biohashing systems. First, we introduce a new biohashing method based on optimal linear transform which seeks to find a better projection matrix. Second, we propose another biohashing method based on a discriminative projection selection technique that selects the rows of the random projection matrix by using the Fisher criterion. Third, we introduce a new quantization method that attempts to optimize biohashes using the ideas from diversification of error-correcting output codes classifiers. Simulation results show that introduced methods improve the verification performance of biohashing. We consider various security and privacy attack scenarios for biohashing methods. We propose new attack methods based on minimum l1 and l2 norm reconstructions. The results of these attacks show that biohashing is vulnerable to such attacks and better template protection methods are necessary. Therefore, we propose an identity verification system which has new enrollment and authentication protocols based on threshold homomorphic encryption. The system can be used with any biometric modality and feature extraction method whose output templates can be binarized, therefore it is not limited to biohashing. Our analysis shows that the introduced system is robust against most security and privacy attacks conceived in the literature. In addition, a straightforward implementation of its authentication protocol is su ciently fast enough to be used in real applications

Biometric Cryptosystems : Authentication, Encryption and Signature for Biometric Identities

Biometrics have been used for secure identification and authentication for more than two decades since biometric data is unique, non-transferable, unforgettable, and always with us. Recently, biometrics has pervaded other aspects of security applications that can be listed under the topic of ``Biometric Cryptosystems''. Although the security of some of these systems is questionable when they are utilized alone, integration with other technologies such as digital signatures or Identity Based Encryption (IBE) schemes results in cryptographically secure applications of biometrics. It is exactly this field of biometric cryptosystems that we focused in this thesis. In particular, our goal is to design cryptographic protocols for biometrics in the framework of a realistic security model with a security reduction. Our protocols are designed for biometric based encryption, signature and remote authentication. We first analyze the recently introduced biometric remote authentication schemes designed according to the security model of Bringer et al.. In this model, we show that one can improve the database storage cost significantly by designing a new architecture, which is a two-factor authentication protocol. This construction is also secure against the new attacks we present, which disprove the claimed security of remote authentication schemes, in particular the ones requiring a secure sketch. Thus, we introduce a new notion called ``Weak-identity Privacy'' and propose a new construction by combining cancelable biometrics and distributed remote authentication in order to obtain a highly secure biometric authentication system. We continue our research on biometric remote authentication by analyzing the security issues of multi-factor biometric authentication (MFBA). We formally describe the security model for MFBA that captures simultaneous attacks against these systems and define the notion of user privacy, where the goal of the adversary is to impersonate a client to the server. We design a new protocol by combining bipartite biotokens, homomorphic encryption and zero-knowledge proofs and provide a security reduction to achieve user privacy. The main difference of this MFBA protocol is that the server-side computations are performed in the encrypted domain but without requiring a decryption key for the authentication decision of the server. Thus, leakage of the secret key of any system component does not affect the security of the scheme as opposed to the current biometric systems involving cryptographic techniques. We also show that there is a tradeoff between the security level the scheme achieves and the requirement for making the authentication decision without using any secret key. In the second part of the thesis, we delve into biometric-based signature and encryption schemes. We start by designing a new biometric IBS system that is based on the currently most efficient pairing based signature scheme in the literature. We prove the security of our new scheme in the framework of a stronger model compared to existing adversarial models for fuzzy IBS, which basically simulates the leakage of partial secret key components of the challenge identity. In accordance with the novel features of this scheme, we describe a new biometric IBE system called as BIO-IBE. BIO-IBE differs from the current fuzzy systems with its key generation method that not only allows for a larger set of encryption systems to function for biometric identities, but also provides a better accuracy/identification of the users in the system. In this context, BIO-IBE is the first scheme that allows for the use of multi-modal biometrics to avoid collision attacks. Finally, BIO-IBE outperforms the current schemes and for small-universe of attributes, it is secure in the standard model with a better efficiency compared to its counterpart. Another contribution of this thesis is the design of biometric IBE systems without using pairings. In fact, current fuzzy IBE schemes are secure under (stronger) bilinear assumptions and the decryption of each message requires pairing computations almost equal to the number of attributes defining the user. Thus, fuzzy IBE makes error-tolerant encryption possible at the expense of efficiency and security. Hence, we design a completely new construction for biometric IBE based on error-correcting codes, generic conversion schemes and weakly secure anonymous IBE schemes that encrypt a message bit by bit. The resulting scheme is anonymous, highly secure and more efficient compared to pairing-based biometric IBE, especially for the decryption phase. The security of our generic construction is reduced to the security of the anonymous IBE scheme, which is based on the Quadratic Residuosity assumption. The binding of biometric features to the user's identity is achieved similar to BIO-IBE, thus, preserving the advantages of its key generation procedure