Bio-AKA: An efficient fingerprint based two factor user authentication and key agreement scheme

The fingerprint has long been used as one of the most important biological features in the field of biometrics. It is person-specific and remain identical though out one’s lifetime. Physically uncloneable functions (PUFs) have been used in authentication protocols due to the unique physical feature of it. In this paper, we take full advantage of the inherent security features of user’s fingerprint biometrics and PUFs to design a new user authentication and key agreement scheme, namely Bio-AKA, which meets the desired security characteristics. To protect the privacy and strengthen the security of biometric data and to improve the robustness of the proposed scheme, the fuzzy extractor is employed. The scheme proposed in the paper can protect user’s anonymity without the use of password and allow mutual authentication with key agreement. The experimental results show superior robustness and the simplicity of our proposed scheme has been validated via our performance and security analysis. The scheme can be an ideal candidate for real life applications that requires remote user authentication

Security analysis of a fingerprint-secured USB drive

In response to user demands for mobile data security and maximum ease of use, fingerprint-secured mobile storage devices have been increasingly available for purchase. A fingerprint-secured Universal Serial Bus (USB) drive looks like a regular USB drive, except that it has an integrated optical scanner. When a fingerprint-secured USB drive is plugged into a computer running Windows, a program on this drive will run automatically to ask for fingerprint authentication. (When the program runs the very first time, it will ask for fingerprint enrollment). After a successful fingerprint authentication, a new private drive (for example, drive G:) will appear and data stored on the private drive can be accessed. This private drive will not appear if the fingerprint authentication fails. This thesis studies the security of a representative fingerprint-secured USB drive referred to by the pseudonym AliceDrive. Our results are two fold. First, through black-box reverse engineering and manipulation of binary code in a DLL, we bypassed AliceDrive’s fingerprint authentication and accessed the private drive without actually presenting a valid fingerprint. Our attack is a class attack in that the modified DLL can be distributed to any naive user to bypass AliceDevice’s fingerprint authentication. Second, in our security analysis of AliceDrive, we recovered fingerprint reference templates from memory, which may make AliceDrive worse than a regular USB drive: when Alice loses her fingerprint-secured USB drive, she does not only lose her data, she also loses her fingerprints, which are difficult to recover as Alice’s fingerprints do not change much over a long period of time. In this thesis, we also explore details in integrating fuzzy vault schemes to enhance the security of AliceDrive

Biometrics for internet‐of‐things security: A review

The large number of Internet‐of‐Things (IoT) devices that need interaction between smart devices and consumers makes security critical to an IoT environment. Biometrics offers an interesting window of opportunity to improve the usability and security of IoT and can play a significant role in securing a wide range of emerging IoT devices to address security challenges. The purpose of this review is to provide a comprehensive survey on the current biometrics research in IoT security, especially focusing on two important aspects, authentication and encryption. Regarding authentication, contemporary biometric‐based authentication systems for IoT are discussed and classified based on different biometric traits and the number of biometric traits employed in the system. As for encryption, biometric‐cryptographic systems, which integrate biometrics with cryptography and take advantage of both to provide enhanced security for IoT, are thoroughly reviewed and discussed. Moreover, challenges arising from applying biometrics to IoT and potential solutions are identified and analyzed. With an insight into the state‐of‐the‐art research in biometrics for IoT security, this review paper helps advance the study in the field and assists researchers in gaining a good understanding of forward‐looking issues and future research directions

A New Secure Pairing Protocol using Biometrics

Secure Pairing enables two devices, which share no prior context with each other, to agree upon a security association that they can use to protect their subsequent communication. Secure pairing offers guarantees of the association partner identity and it should be resistant to eavesdropping or to a man-in-the-middle attack. We propose a user friendly solution to this problem. Keys extracted from biometric data of the participants are used for authentication. Details of the pairing protocol are presented along with a discussion of the security features, experimental validation with face recognition data and results of the usability analysis survey

Securing Cloud Storage by Transparent Biometric Cryptography

With the capability of storing huge volumes of data over the Internet, cloud storage has become a popular and desirable service for individuals and enterprises. The security issues, nevertheless, have been the intense debate within the cloud community. Significant attacks can be taken place, the most common being guessing the (poor) passwords. Given weaknesses with verification credentials, malicious attacks have happened across a variety of well-known storage services (i.e. Dropbox and Google Drive) – resulting in loss the privacy and confidentiality of files. Whilst today's use of third-party cryptographic applications can independently encrypt data, it arguably places a significant burden upon the user in terms of manually ciphering/deciphering each file and administering numerous keys in addition to the login password. The field of biometric cryptography applies biometric modalities within cryptography to produce robust bio-crypto keys without having to remember them. There are, nonetheless, still specific flaws associated with the security of the established bio-crypto key and its usability. Users currently should present their biometric modalities intrusively each time a file needs to be encrypted/decrypted – thus leading to cumbersomeness and inconvenience while throughout usage. Transparent biometrics seeks to eliminate the explicit interaction for verification and thereby remove the user inconvenience. However, the application of transparent biometric within bio-cryptography can increase the variability of the biometric sample leading to further challenges on reproducing the bio-crypto key. An innovative bio-cryptographic approach is developed to non-intrusively encrypt/decrypt data by a bio-crypto key established from transparent biometrics on the fly without storing it somewhere using a backpropagation neural network. This approach seeks to handle the shortcomings of the password login, and concurrently removes the usability issues of the third-party cryptographic applications – thus enabling a more secure and usable user-oriented level of encryption to reinforce the security controls within cloud-based storage. The challenge represents the ability of the innovative bio-cryptographic approach to generate a reproducible bio-crypto key by selective transparent biometric modalities including fingerprint, face and keystrokes which are inherently noisier than their traditional counterparts. Accordingly, sets of experiments using functional and practical datasets reflecting a transparent and unconstrained sample collection are conducted to determine the reliability of creating a non-intrusive and repeatable bio-crypto key of a 256-bit length. With numerous samples being acquired in a non-intrusive fashion, the system would be spontaneously able to capture 6 samples within minute window of time. There is a possibility then to trade-off the false rejection against the false acceptance to tackle the high error, as long as the correct key can be generated via at least one successful sample. As such, the experiments demonstrate that a correct key can be generated to the genuine user once a minute and the average FAR was 0.9%, 0.06%, and 0.06% for fingerprint, face, and keystrokes respectively. For further reinforcing the effectiveness of the key generation approach, other sets of experiments are also implemented to determine what impact the multibiometric approach would have upon the performance at the feature phase versus the matching phase. Holistically, the multibiometric key generation approach demonstrates the superiority in generating the bio-crypto key of a 256-bit in comparison with the single biometric approach. In particular, the feature-level fusion outperforms the matching-level fusion at producing the valid correct key with limited illegitimacy attempts in compromising it – 0.02% FAR rate overall. Accordingly, the thesis proposes an innovative bio-cryptosystem architecture by which cloud-independent encryption is provided to protect the users' personal data in a more reliable and usable fashion using non-intrusive multimodal biometrics.Higher Committee of Education Development in Iraq (HCED

Security and accuracy of fingerprint-based biometrics: A review

Biometric systems are increasingly replacing traditional password- and token-based authentication systems. Security and recognition accuracy are the two most important aspects to consider in designing a biometric system. In this paper, a comprehensive review is presented to shed light on the latest developments in the study of fingerprint-based biometrics covering these two aspects with a view to improving system security and recognition accuracy. Based on a thorough analysis and discussion, limitations of existing research work are outlined and suggestions for future work are provided. It is shown in the paper that researchers continue to face challenges in tackling the two most critical attacks to biometric systems, namely, attacks to the user interface and template databases. How to design proper countermeasures to thwart these attacks, thereby providing strong security and yet at the same time maintaining high recognition accuracy, is a hot research topic currently, as well as in the foreseeable future. Moreover, recognition accuracy under non-ideal conditions is more likely to be unsatisfactory and thus needs particular attention in biometric system design. Related challenges and current research trends are also outlined in this paper

Security and accuracy of fingerprint-based biometrics: A review

Biometric systems are increasingly replacing traditional password- and token-based authentication systems. Security and recognition accuracy are the two most important aspects to consider in designing a biometric system. In this paper, a comprehensive review is presented to shed light on the latest developments in the study of fingerprint-based biometrics covering these two aspects with a view to improving system security and recognition accuracy. Based on a thorough analysis and discussion, limitations of existing research work are outlined and suggestions for future work are provided. It is shown in the paper that researchers continue to face challenges in tackling the two most critical attacks to biometric systems, namely, attacks to the user interface and template databases. How to design proper countermeasures to thwart these attacks, thereby providing strong security and yet at the same time maintaining high recognition accuracy, is a hot research topic currently, as well as in the foreseeable future. Moreover, recognition accuracy under non-ideal conditions is more likely to be unsatisfactory and thus needs particular attention in biometric system design. Related challenges and current research trends are also outlined in this paper

Pseudoentropic Isometries: A New Framework for Fuzzy Extractor Reusability

Fuzzy extractors (Dodis \textit{et al.}, Eurocrypt 2004) turn a noisy secret into a stable, uniformly distributed key. \textit{Reusable} fuzzy extractors remain secure when multiple keys are produced from a single noisy secret (Boyen, CCS 2004). Boyen proved that any information-theoretically secure reusable fuzzy extractor is subject to strong limitations. Simoens \textit{et al.} (IEEE S\&P, 2009) then showed deployed constructions suffer severe security breaks when reused. Canetti \textit{et al.} (Eurocrypt 2016) proposed using computational security to sidestep this problem. They constructed a computationally secure reusable fuzzy extractor for the Hamming metric that corrects a \emph{sublinear} fraction of errors. We introduce a generic approach to constructing reusable fuzzy extractors. We define a new primitive called a \emph{reusable pseudoentropic isometry} that projects an input metric space to an output metric space. This projection preserves distance and entropy even if the same input is mapped to multiple output metric spaces. A reusable pseudoentropy isometry yields a reusable fuzzy extractor by 1) randomizing the noisy secret using the isometry and 2) applying a traditional fuzzy extractor to derive a secret key. We propose reusable pseudoentropic isometries for the set difference and Hamming metrics. The set difference construction is built from composable digital lockers (Canetti and Dakdouk, Eurocrypt 2008) yielding the first reusable fuzzy extractor that corrects a {\it linear} fraction of errors. For the Hamming metric, we show that the second construction of Canetti \textit{et al.} (Eurocrypt 2016) can be seen as an instantiation of our framework. In both cases, the pseudoentropic isometry\u27s reusability requires noisy secrets distributions to have entropy in each symbol of the alphabet. Lastly, we implement our set difference solution and describe two use cases

Fuzzy-in-the-Loop-Driven Low-Cost and Secure Biometric User Access to Server

Fuzzy systems can aid in diminishing uncertainty and noise from biometric security applications by providing an intelligent layer to the existing physical systems to make them reliable. In the absence of such fuzzy systems, a little random perturbation in captured human biometrics could disrupt the whole security system, which may even decline the authentication requests of legitimate entities during the protocol execution. In the literature, few fuzzy logic-based biometric authentication schemes have been presented; however, they lack significant security features including perfect forward secrecy (PFS), untraceability, and resistance to known attacks. This article, therefore, proposes a novel two-factor biometric authentication protocol enabling efficient and secure combination of physically unclonable functions, a physical object analogous to human fingerprint, with user biometrics by employing fuzzy extractor-based procedures in the loop. This combination enables the participants in the protocol to achieve PFS. The security of the proposed scheme is tested using the well-known real-or-random model. The performance analysis signifies the fact that the proposed scheme not only offers PFS, untraceability, and anonymity to the participants, but is also resilient to known attacks using light-weight symmetric operations, which makes it an imperative advancement in the category of intelligent and reliable security solutions