Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

姚琳,范庆娜,孔祥维

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.01.079

2010-01-01

Abstract:Traditional authorization with a variety of secure and privacy limitations,cannot satisfy the security needs of the internet environment,this paper proposed an identity authentication scheme based on biometric encryption.By adopting the biometric encryption,protected the biometric and key of the user well.The scheme could prevent unauthorized users from accessing and avoid unauthorized use of resources.The experiment results show that the scheme can distinguish the genuine users from imitated users though the face expressions very much.The scheme provided perfect authentication,and secure the communication well.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0149173

IF: 3.7

2016-01-01

PLoS ONE

Abstract:With the security requirements of networks, biometrics authenticated schemes which are applied in the multi-server environment come to be more crucial and widely deployed. In this paper, we propose a novel biometric-based multi-server authentication and key agreement scheme which is based on the cryptanalysis of Mishra et al.'s scheme. The informal and formal security analysis of our scheme are given, which demonstrate that our scheme satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, in which some features are not considered in the most of existing authentication schemes, such as, user revocation or re-registration and biometric information protection. Compared with several related schemes, our scheme has more secure properties and lower computation cost. It is obviously more appropriate for practical applications in the remote distributed networks.

Haochen M. Kotoi-Xie,Takumi Moriyama

2024-04-16

Abstract:In this writing, we introduce a novel biometric-authenticated key exchange protocol that allows secure and privacy-preserving key establishment between a stateless biometric sensing system and a "smart" user token that possesses biometric templates of the user. The protocol yields a shared secret incorporating random nonce from both parties when they positively authenticate each other. Mutual positive authentication here is defined as when the feature vector calculated from the sensor data captured by the biometric sensing system only differs from the feature vector stored as the biometric template within the user token by less than a predefined threshold. The parties exchange only randomized data and cryptographically derived verifiers; no significant information regarding the vectors is ever exchanged. The protocol essentially utilizes the BBKDF scheme for feature vector matching, and as a result, the threshold is compared per component of the two vectors to be matched. This fact makes it straightforward to employ multiple biometric modalities. The protocol also allows online authentication where the biometric sensing system can potentially send multiple queries derived from different sensor data samples, in one or more rounds. The protocol is designed in such a way that the user token can very efficiently answer a multitude of such queries. This makes the protocol especially suitable for interactive systems while posing a minimal computational burden on the user token. The biometric sensing system can be made stateless, i.e. user registration in advance is not required. Furthermore, the protocol is bidirectionally privacy-preserving in the sense that unless mutual authentication is achieved first, neither the biometric sensing system, nor the user token can gain useful information, respectively regarding the biometric template, or sensor-data-derived feature vectors.

Cryptography and Security

Hong Yen Tran,Jiankun Hu,Wen Hu

2024-05-19

Abstract:Existing fuzzy extractors and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (reusable/reissued identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable averaged computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of only 448 bytes.

Cryptography and Security

Zhigang Tao,Yingtian Hu,Xiaoping Wang

DOI: https://doi.org/10.1088/1755-1315/252/3/032210

2019-01-01

Abstract:Biometrics is a highly efficient method of personal identification in civil fields. In this paper, we present a new biometrics system based on inner-knuckle-print (IKP). A new IKP image acquisition device with a finger guide is built for restricting the finger posture in a friendly way. A modified maximum curvature point method is proposed for feature extraction; it can extract the central region of the IKP line pattern robustly against illumination variation. The experimental results show that the proposed method achieves the equal error rate of 0.36%, performing better other traditional methods. In addition, it works in real-time.

Chengqi Wang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.1007/s11042-016-4198-0

IF: 2.577

2016-01-01

Multimedia Tools and Applications

Abstract:With the increase of security requirements, numerous biometrics based authentication schemes that apply the smart card technology are proposed for multimedia medicine information systems in the last several years. Recently, Lu et al. presented a biometrics based authentication and key agreement scheme using extended Chebyshev chaotic maps. Unfortunately, we find that their scheme is still insecure with respect to issues such as flaws in the both login phase and password change phase. And we show that their scheme is vulnerable to the Denial-of-Service attack, user impersonation attack and server masquerade attack, which also fails to achieve the user anonymity. In order to remedy these weaknesses, we retain the useful properties of Lu et al.’s scheme to propose a robust biometrics based authentication and key agreement scheme for multimedia medicine information systems. The informal and formal security analysis of our scheme are given respectively, which demonstrate that our scheme satisfies the desirable security requirements. Furthermore, the proposed scheme provides some significant features which are not considered in most of the related schemes, such as, biometric information protection and user re-registration or revocation. Thus, our scheme resists the known attacks and is efficient for practical applications in the multimedia medicine information systems.

Qian Wang,Shengshan Hu,Kui Ren,Meiqi He,Minxin Du,Zhibo Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_10

2015-01-01

Abstract:Biometric identification has been incredibly useful in the law enforcement to authenticate an individual’s identity and/or to figure out who someone is, typically by scanning a database of records for a close enough match. In this work, we investigate the privacy-preserving biometric identification outsourcing problem, where the database owner outsources both the large-scale encrypted database and the computationally intensive identification job to the semi-honest cloud, relieving itself from data storage and computation burden. We present new privacy-preserving biometric identification protocols, which substantially reduce the computation burden on the database owner. Our protocols build on new biometric data encryption, distance-computation and matching algorithms that novelly exploit inherent structures of biometric data and properties of identification operations. A thorough security analysis shows that our solutions are practically-secure, and the ultimate solution offers a higher level of privacy protection than the-state-of-the-art on biometric identification outsourcing. We evaluate our protocols by implementing an efficient privacy-preserving fingerprint-identification system, showing that our protocols meet both the security and efficiency needs well, and they are appropriate for use in various privacy-preserving biometric identification applications.

Li Yang,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0194093

IF: 3.7

2018-01-01

PLoS ONE

Abstract:According to advancements in the wireless technologies, study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper indicates that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the proposed protocol shows the satisfactory performances in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in the distributed networks.

Chang Xu,Lvhan Zhang,Liehuang Zhu,Chuan Zhang,Kashif Sharif

DOI: https://doi.org/10.1109/trustcom53373.2021.00063

2021-01-01

Abstract:Biometrics identification has been used in a growing number of fields in recent years, since it is more secure, classified and convenient. With the development of cloud computing, database systems are able to upload large amounts of biometric data to cloud server for storage and identification to save local memory and improve computational efficiency. However, this involves potential privacy concerns because of the introduction of third-party platforms. In this paper, we achieve computational and communication efficiency in biometric identification, while preserving the privacy of data. Specifically, the database system firstly encrypts all biometric data and query data. Then, it sends the ciphertext to a cloud server to carry out matching tasks. Finally, the cloud server returns the index of final matches to the system so that it can check whether the biometric vector is legal or not. Detailed security analysis indicates that the proposed scheme can resist powerful attacks. Beyond that, Experiments show that the scheme is more efficient in computation and communication than stat of art biometric identification schemes.

Liehuang Zhu,Chuan Zhang,Chang Xu,Ximeng Liu,Cheng Huang

DOI: https://doi.org/10.1109/access.2018.2819166

IF: 3.9

2018-01-01

IEEE Access

Abstract:Biometric identification has become increasingly popular in recent years. With the development of cloud computing, database owners are motivated to outsource the large size of biometric data and identification tasks to the cloud to get rid of the expensive storage and computation costs, which, however, brings potential threats to users' privacy. In this paper, we propose an efficient and privacy-preserving biometric identification outsourcing scheme. Specifically, the biometric To execute a biometric identification, the database owner encrypts the query data and submits it to the cloud. The cloud performs identification operations over the encrypted database and returns the result to the database owner. A thorough security analysis indicates that the proposed scheme is secure even if attackers can forge identification requests and collude with the cloud. Compared with previous protocols, experimental results show that the proposed scheme achieves a better performance in both preparation and identification procedures.

Sam Grierson,William J Buchanan,Craig Thomson,Baraq Galeb,Chris Eckl

2024-11-26

Abstract:Biometric systems, while offering convenient authentication, often fall short in providing rigorous security assurances. A primary reason is the ad-hoc design of protocols and components, which hinders the establishment of comprehensive security proofs. This paper introduces a formal framework for constructing secure and privacy-preserving biometric systems. By leveraging the principles of universal composability, we enable the modular analysis and verification of individual system components. This approach allows us to derive strong security and privacy properties for the entire system, grounded in well-defined computational assumptions.

Cryptography and Security

Xinying Yu,Kejun Zhang,Zhufeng Suo,Jun Wang,Wenbin Wang,Bing Zou

DOI: https://doi.org/10.1016/j.jksuci.2024.102166

IF: 9.006

2024-08-30

Journal of King Saud University - Computer and Information Sciences

Abstract:Biometric recognition is extensive for user security authentication in the Industrial Internet of Things (IIoT). However, the potential leakage of biometric data has severe repercussions, such as identity theft or tracking. Existing authentication schemes primarily focus on protecting biometric templates but often overlook the "one-authentication multiple-access" mode. As a result, these schemes still confront challenges related to privacy leakage and low efficiency for users who frequently access the server. In this regard, this paper proposes an efficient authentication scheme syncretizing physical unclonable function (PUF) and revocable biometrics in IIoT. Specifically, we design a revocable biometric template generation method syncretizing the user's biometric data and the device's PUF to enhance the security and revocability of the dual identity information. Given the generated revocable biometric template and the secret sharing, our scheme implements secure authentication and key negotiation between users and servers. Additionally, we establish an access boundary and an authentication validity period to permit multiple accesses following one authentication, thus significantly decreasing the computational cost of the user-side device. We leverage BAN logic and the ROR model to prove our scheme's security. Informal security analysis and performance comparison demonstrate that our scheme satisfies more security features with higher authentication efficiency.

computer science, information systems

Changsong Jiang,Chunxiang Xu,Yunxia Han,Zhao Zhang,Kefei Chen

DOI: https://doi.org/10.1109/tifs.2024.3372812

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Multi-factor authenticated key exchange (AKE) enables a user to be authenticated by a server using multiple factors and negotiate a shared session key to protect subsequent communications. Most existing multi-factor AKE schemes utilize biometrics as one factor due to their uniqueness and invariance properties. To support matching for noisy biometrics and protect them, fuzzy extractors are employed to extract a constant random string from varying biometric measurements without disclosing biometric data. However, the fuzzy extractors used in these schemes merely work on biometrics with an entropy rate greater than the error rate. Hence these schemes are unsuitable for biometrics with low entropy rates. In this paper, we propose a secure two-factor AKE scheme dubbed AHEAD from passwords and biometrics, which eliminates the limitation of biometric entropy rates. In AHEAD, we conceive a matching mechanism to simultaneously check whether an input biometric measurement with low entropy rates is close enough to the registered one, and whether an input password exactly matches the registered password. The mechanism allows a valid user to generate a secret element shared with the server in an oblivious way. By adopting a randomization technique, the secret element can be randomized for derivation of session keys. The security and efficiency of AHEAD are demonstrated by formal security proofs and experimental evaluations.

computer science, theory & methods,engineering, electrical & electronic

Chuan Zhang,Liehuang Zhu,Chang Xu

DOI: https://doi.org/10.1016/j.ins.2017.05.006

IF: 8.1

2017-01-01

Information Sciences

Abstract:Biometric identification has played an important role in achieving user authentication. For efficiency and economic savings, biometric data owners are motivated to outsource the biometric data and identification tasks to a third party, which however introduces potential threats to user's privacy. In this paper, we propose a new privacy-preserving biometric identification scheme which can release the database owner from heavy computation burden. In the proposed scheme, we design concrete biometric data encryption and matching algorithms, and introduce perturb terms in each biometric data. A thorough analysis indicates that our schemes are secure, and the ultimate scheme offers a high level of privacy protection. In addition, the performance evaluations via extensive simulations demonstrate our schemes' efficiency. (C) 2017 Elsevier Inc. All rights reserved.

Mingming Jiang,Shengli Liu,You Lyu,Yu Zhou

DOI: https://doi.org/10.1109/tmc.2022.3207830

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:Biometric features are quite suitable for identity authentication due to its inherent properties – universality, uniqueness and persistence. In fact, biometric authentication has been widely used in our daily life, especially in mobile devices. However, biometric features are quite sensitive, and once a feature is leaked to an evil adversary, it cannot be used in authentication any more. This leads to a push on research of biometric privacy protection. In this paper, we propose a face-based authentication system with the help of a computational secure sketch. The computational secure sketch takes charge of error tolerance on the face samplings. Then the face features of the same user are used to extract an authentication key, which is in turn used to do the identity authentication for the user. The computational security of the computational secure sketch makes sure that the public information obtained by the adversary does not affect the pseudorandomness of the authentication key, hence the privacy of face features is guaranteed. Moreover, the privacy protection technique in our face-based authentication system can be extended to other biometric-based authentication.

computer science, information systems,telecommunications

Junhao Lai,Taotao Wang,Shengli Zhang,Qing Yang,Soung Chang Liew

2024-09-26

Abstract:Digital identity plays a vital role in enabling secure access to resources and services in the digital world. Traditional identity authentication methods, such as password-based and biometric authentications, have limitations in terms of security, privacy, and scalability. Decentralized authentication approaches leveraging blockchain technology have emerged as a promising solution. However, existing decentralized authentication methods often rely on indirect identity verification (e.g. using passwords or digital signatures as authentication credentials) and face challenges such as Sybil attacks. In this paper, we propose BioZero, an efficient and privacy-preserving decentralized biometric authentication protocol that can be implemented on open blockchain. BioZero leverages Pedersen commitment and homomorphic computation to protect user biometric privacy while enabling efficient verification. We enhance the protocol with non-interactive homomorphic computation and employ zero-knowledge proofs for secure on-chain verification. The unique aspect of BioZero is that it is fully decentralized and can be executed by blockchain smart contracts in a very efficient way. We analyze the security of BioZero and validate its performance through a prototype implementation. The results demonstrate the effectiveness, efficiency, and security of BioZero in decentralized authentication scenarios. Our work contributes to the advancement of decentralized identity authentication using biometrics.

Cryptography and Security