Oblivious Extractors and Improved Security in Biometric-based Authentication Systems
We study the problem of biometric-based authentication with template confidentiality. Typical schemes addressing this problem, such as Fuzzy Vaults (FV) and Fuzzy Extractors (FE), allow a server, aka Authenticator, to store "random looking" Helper Data (HD) instead of biometric templates in clear. HD hides information about the corresponding biometric while still enabling secure biometric-based authentication. Even though these schemes reduce the risk of storing biometric data, their corresponding authentication procedures typically require sending the HD (stored by the Authenticator) to a client who claims a given identity. The premise here is that only the identity owner, i.e., the person whose biometric was sampled to originally generate the HD, is able to provide the same biometric to reconstruct the proper cryptographic key from HD. As a side effect, the ability to freely retrieve HD by simply claiming a given identity allows invested adversaries to perform offline statistical attacks (a biometric analog of dictionary attacks on hashed passwords) or re-usability attacks (if the FE scheme is not reusable) on the HD to eventually recover the user's biometric.
In this work we develop Oblivious Extractors: a new construction that allows an Authenticator to authenticate a user without requiring either the user to send a biometric to the Authenticator or the server to send the HD to the client. Oblivious Extractors provide concrete security advantages for biometric-based authentication systems. From the perspective of secure storage, an oblivious extractor is as secure as its non-oblivious fuzzy extractor counterpart. In addition, it enhances security against the aforementioned statistical and re-usability attacks. To demonstrate the construction's practicality, we implement and evaluate a biometric-based authentication prototype using Oblivious Extractors.
Server-Aided Continuous Group Key Agreement
Continuous Group Key Agreement (CGKA), or Group Ratcheting, lies at the heart of a new generation of scalable End-to-End secure (E2E) cryptographic multi-party applications. One of the most important (and first deployed) CGKAs is ITK, which underpins the IETF's upcoming Messaging Layer Security E2E secure group messaging standard. To scale beyond the group sizes possible with earlier E2E protocols, a central focus of CGKA protocol design is to minimize bandwidth requirements (i.e. communication complexity).
In this work, we advance both the theory and design of CGKA, culminating in an extremely bandwidth-efficient CGKA. To that end, we first generalize the standard CGKA communication model by introducing server-aided CGKA (saCGKA), which generalizes CGKA and more accurately models how most E2E protocols are deployed in the wild. Next, we introduce the SAIK protocol: a modification of ITK, designed for real-world use, that leverages the new capabilities available to an saCGKA to greatly reduce its communication (and computational) complexity in practical concrete terms.
Further, we introduce an intuitive, yet precise, security model for saCGKA. It improves upon existing security models for CGKA in several ways. It more directly captures the intuitive security goals of CGKA. Yet, formally it also relaxes certain requirements, allowing us to take advantage of the saCGKA communication model. Finally, it is significantly simpler, making it more tractable to work with and easier to build intuition for. As a result, the security proof of SAIK is also simpler and more modular.
Finally, we provide empirical data comparing the (at times, quite dramatically improved) complexity profile of SAIK to state-of-the-art CGKAs. For example, in a newly created group with 10K members, to change the group state (e.g. add/remove parties) ITK requires each group member to download 1.38MB. However, with SAIK, members download no more than 2.7KB.