A Fingerprint-based User Authentication Scheme for Multimedia Systems *
Chu-Hsing Lin and Yi-Yi Lai
Department of Computer Science and Information Engineering, Tunghai University, 181 Section 3, Taichung-kang Road, 407 Taichung, TAIWAN
E-mail: [email protected]; [email protected]

0-7803-8603-5/04/$20.00 ©2004 IEEE.

Abstract

In applications of multimedia communication, besides content-based authentication, user authentication is also an important issue in protecting multimedia resources. In this paper, we improve a fingerprint-based remote user authentication scheme proposed by Lee, Ryu and Yoo in 2002. Their scheme is novel in introducing fingerprint-based verification into an authentication scheme using smart cards. However, their scheme is vulnerable to a masquerade attack. In this article, we propose an improved scheme that enhances the security of their scheme and overcomes this vulnerability. Our scheme protects the host resources so that they can be accessed only by authorized users.

Keywords: multimedia, user authentication, fingerprint verification, biometrics, smart card, masquerade attack.

1. Introduction

Recently, many content-based authentication schemes for authenticating multimedia data have been proposed. Remote user authentication is an issue that cannot be neglected in today's multimedia communication. Up to now, a number of remote user authentication techniques have been proposed to ensure that the remote user is authorized to access the host resources. In a traditional password authentication system, a remote host system has to be able to authenticate remote login users based on identity and password. In 1981, Lamport [8] proposed a remote password authentication scheme that could authenticate remote users over an insecure channel. In 1990, Hwang, Chen and Laih [4] proposed non-interactive password authentications without password tables based on Shamir's ID-based signature. In 2000, Hwang and Li [3] proposed a new remote user authentication scheme using smart cards based on ElGamal's cryptosystem [2]. Hwang and Li's scheme only has to maintain a secret key, without storing a password table in the system, but it could not withstand a masquerade attack. In 2000, Cheng and Chang [1] presented a cryptanalysis of Hwang and Li's scheme. In 2002, Lee, Ryu, and Yoo [7] proposed a fingerprint-based remote user authentication scheme using smart cards. The Lee-Ryu-Yoo scheme was also based on ElGamal's public key cryptosystem, with two secret keys. In addition, the Lee-Ryu-Yoo scheme strengthened the system security by verifying the smart card owner's fingerprint. Their fingerprint verification method is based on minutiae extraction and matching [5,9].

In this article, we point out that the Lee-Ryu-Yoo scheme still has a security weakness. Even with two secret keys and fingerprint verification, their scheme cannot withstand a masquerade attack. We present an attack on the Lee-Ryu-Yoo scheme and propose an improved fingerprint-based remote user authentication scheme using smart cards. We improve their scheme by using a one-way hash function [10]. Based on the fingerprint verification of their scheme, our protocol only needs to maintain one secret key. The scheme we propose can withstand the masquerade attack and allows users to choose their passwords conveniently.

The remainder of this paper is organized as follows. In Section 2, we review the Lee-Ryu-Yoo scheme. In Section 3, we present a cryptanalysis of the Lee-Ryu-Yoo scheme. In Section 4, we propose our scheme and its security analysis. Section 5 concludes the paper.
2. The Lee-Ryu-Yoo Scheme

In this section, we briefly review the Lee-Ryu-Yoo scheme. The security of the Lee-Ryu-Yoo scheme is based on ElGamal's public key cryptosystem with two secret keys. Moreover, the scheme stores public elements on a smart card, and each user gains access to his/her smart card by verifying his/her own fingerprint. The fingerprint verification method is based on minutiae extraction and matching. A different map of minutiae is produced each time the input device takes the smart card owner's fingerprint, so the scheme can use the map of minutiae to generate a one-time random number for ElGamal's public key cryptosystem.

There are three phases in the Lee-Ryu-Yoo scheme: a registration phase, a login phase and an authentication phase. Before accessing a remote host, a new user must imprint his/her fingerprint on the input device and submit his/her identity to the system in the registration phase. We review the three phases below.

Registration Phase: Let P be a large prime number and f a one-way hash function. Ui denotes a legal user. IDi and PWi denote Ui's identity and password, respectively. Assume a new user Ui submits his/her IDi to the system for registration. The system calculates Ui's password PWi as follows:

$ID_i' = (ID_i)^{SK_1} \bmod P$.
$PW_i = (ID_i')^{SK_2} \bmod P$.

Here SK1 and SK2 are two secret keys maintained by the system. The registration center stores the public parameters (f, P) on Ui's smart card and delivers PWi to the user Ui through a secure channel. The smart card, which contains the public elements (f, P) and the user's fingerprint data, is different for each user. Ui has his/her own smart card, which can authenticate his/her ownership by matching the fingerprint against the extracted minutiae.

Login Phase: In this phase, the login user Ui first inserts his/her smart card into the card reader and inputs his/her identity IDi and password PWi; then Ui imprints his/her fingerprint on the input device. If Ui passes the fingerprint verification [6], the smart card performs the following operations:

1. Generate a random number r using the minutiae extracted from the imprinted fingerprint.
2. Compute $C_1 = (ID_i)^{r} \bmod P$.
3. Compute $t = h(T \oplus PW_i) \bmod (P-1)$, where T is the current timestamp of the input device and $\oplus$ denotes an exclusive-or operation.
4. Compute $M = (ID_i)^{t} \bmod P$.
5. Compute $C_2 = M (PW_i)^{r} \bmod P$.
6. Send the message $C = (ID_i, C_1, C_2, T)$ to the remote host.

Authentication Phase: After the transmission delay, the system receives the message C at T', where T' is the current timestamp of the system. The system then performs the following operations:

1. The system checks the validity of IDi. If the format of IDi is incorrect, the system rejects the login request.
2. If $(T' - T) \geq \Delta T$, where $\Delta T$ denotes the expected valid time interval for transmission delay, the system rejects the login request.
3. If $C_2 (C_1^{SK_1 \cdot SK_2})^{-1} \bmod P = (ID_i)^{h(T \oplus PW_i)}$, the system accepts the login request. Otherwise, the system rejects the login request.

3. Cryptanalysis of the Lee-Ryu-Yoo Scheme

In this section, we present a masquerade attack on the Lee-Ryu-Yoo scheme. A legitimate user who registers a legal pair of identity and password can pass the fingerprint verification of his/her own smart card and easily masquerade another valid pair of identity and password without knowing the two secret keys of the remote host system. We describe the cryptanalysis as follows.

Suppose that a user Ui wants to masquerade another valid pair of identity and password. He/She submits his/her IDi to the remote host system and imprints his/her fingerprint on the input device to register as a legal user. Note that the remote host system issues Ui a password and a smart card if the registration is successful. Note also that for a legal user Ui, the pair (IDi, PWi) satisfies the following equations:

$ID_i' = (ID_i)^{SK_1} \bmod P$.
$PW_i = (ID_i')^{SK_2} \bmod P = (ID_i)^{SK_1 \cdot SK_2} \bmod P$.
Now, assume that Ui wants to masquerade another pair of valid (IDd, PWd) of a legal user Ud. We show that Ui can compute $PW_d = (ID_d)^{SK_1 \cdot SK_2} \bmod P$ without knowing the two secret keys SK1, SK2. Ui first computes

$ID_d = ID_i^{q} \bmod P$,

where q is a random number with 1 < q < P. As Ui does not know the two secret keys SK1, SK2 of the remote host system, Ui cannot derive PWd directly from IDd. However, Ui can compute the correct PWd corresponding to IDd as follows:

$$
\begin{aligned}
PW_d &= (ID_d)^{SK_1 \cdot SK_2} \bmod P \\
     &= (ID_i^{q} \bmod P)^{SK_1 \cdot SK_2} \bmod P \\
     &= (ID_i^{q})^{SK_1 \cdot SK_2} \bmod P \\
     &= (ID_i^{SK_1 \cdot SK_2} \bmod P)^{q} \bmod P \\
     &= (PW_i)^{q} \bmod P.
\end{aligned}
$$

As a result, Ui can pass the fingerprint verification of his/her own smart card and easily masquerade many valid pairs (IDd, PWd) that satisfy $PW_d = ID_d^{SK_1 \cdot SK_2} \bmod P$ for the authentication phase of the remote host system.

4. The Enhanced Scheme and Security Analysis

In this section, we propose an improved scheme to enhance the security of the Lee-Ryu-Yoo scheme. The enhanced scheme and its analysis are described below.

4.1. Our enhanced scheme

The security of our enhanced scheme is based on the properties of a one-way hash function, which allows the proposed scheme to solve the problem of the Lee-Ryu-Yoo scheme. We describe the steps of our scheme as follows.

Registration phase: Before accessing a remote host, a new user must imprint his/her fingerprint minutiae and choose his/her identity and password, and then offer the identity and password to the registration center. The host system performs the following operations:

$ID_i' = h(ID_i \oplus PW_i)$.
$PW_i' = (ID_i')^{SK_1} \bmod P$.

Here h() is a one-way hash function and SK1 denotes a secret key maintained by the host system. The registration center stores the parameters (h, P, PWi') on Ui's smart card and delivers it to the user Ui through a secure channel. The smart card keeps PWi' and the user's fingerprint minutiae template secret, and the card possessed by each user is different. Ui has his/her own smart card, which can authenticate his/her ownership by matching the fingerprint against the extracted minutiae.

Login Phase: Whenever a user Ui wants to log in, Ui has to insert his/her own smart card into the card reader and imprint the fingerprint. Then he/she types in the identity IDi and password PWi. If Ui passes the fingerprint verification, Ui's smart card performs the following operations:

1. Generate a random number r using the minutiae extracted from the imprinted fingerprint.
2. Compute $ID_i' = h(ID_i \oplus PW_i)$.
3. Compute $C_1 = (ID_i')^{r} \bmod P$.
4. Compute $t = h(T \oplus PW_i') \bmod (P-1)$, where T is the current timestamp of the input device and $\oplus$ denotes an exclusive-or operation.
5. Compute $M = (ID_i)^{t} \bmod P$.
6. Compute $C_2 = M (PW_i')^{r} \bmod P$.
7. Send the message $C = (ID_i, C_1, C_2, T, PW_i')$ to the remote host system.

Authentication phase: After the transmission delay, the system receives the message C at T', where T' is the current timestamp of the system. The system then performs the following operations:

1. The system checks whether the format of IDi is correct. If the format is incorrect, the system rejects the login request.
2. If $(T' - T) \geq \Delta T$, where $\Delta T$ denotes the expected valid time interval for transmission delay, the system rejects the login request.
3. The system verifies $C_2 (C_1^{SK_1})^{-1} \bmod P \overset{?}{=} ID_i^{h(T \oplus PW_i')}$. If the verification succeeds, the system accepts the login request. Otherwise, the system rejects the login request.
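The Section 3 relation can be checked against the Lee-Ryu-Yoo registration, login and authentication equations from Section 2. The following is an added example, not code from the paper; the modulus, the two key values, SHA-256 as the hash, integer identities, the range check standing in for the ID format check, and a library RNG in place of the minutiae-derived r are all assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not values from the paper).
P = 2**127 - 1                      # prime modulus standing in for the large prime P
SK1, SK2 = 0x1F3A5C79, 0x2B4D6E81   # the server's two secret keys
DELTA_T = 30                        # accepted transmission delay, in seconds

def h(x: int) -> int:
    """One-way hash stand-in: SHA-256 of x, read back as an integer."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big")

def register(identity: int) -> int:
    """Registration: ID' = ID^SK1 mod P, PW = ID'^SK2 mod P."""
    return pow(pow(identity, SK1, P), SK2, P)

def login(identity: int, pw: int, T: int):
    """Smart-card side: build the login message C = (ID, C1, C2, T)."""
    r = secrets.randbelow(P - 3) + 2    # assumption: RNG replaces the minutiae-derived r
    c1 = pow(identity, r, P)
    t = h(T ^ pw) % (P - 1)
    c2 = (pow(identity, t, P) * pow(pw, r, P)) % P
    return identity, c1, c2, T

def authenticate(identity: int, c1: int, c2: int, T: int, now: int) -> bool:
    """Server side: format and freshness checks, then the step 3 equation."""
    if not 0 < identity < P or now - T >= DELTA_T:
        return False
    pw = pow(identity, SK1 * SK2, P)    # assumption: server recomputes PW from ID
    lhs = c2 * pow(pow(c1, SK1 * SK2, P), -1, P) % P
    return lhs == pow(identity, h(T ^ pw) % (P - 1), P)

def derive_pair(id_i: int, pw_i: int, q: int):
    """Section 3 relation: ID_d = ID_i^q, PW_d = PW_i^q, computed without SK1 or SK2."""
    return pow(id_i, q, P), pow(pw_i, q, P)

if __name__ == "__main__":
    T = 1_700_000_000                   # constructed timestamp
    id_i = 0x1234567                    # constructed identity of the registered user
    pw_i = register(id_i)
    id_d, pw_d = derive_pair(id_i, pw_i, q=65537)
    print("derived pair matches server relation:", pw_d == register(id_d))
    print("server accepts derived pair:", authenticate(*login(id_d, pw_d, T), now=T + 1))
```

Because registration here is a pure exponentiation of IDi, raising both values to the same power preserves the relation the server checks; the enhanced scheme exponentiates h(IDi ⊕ PWi) instead of IDi.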
4.2. The security analysis of our scheme

We show how our scheme withstands the masquerade attack described in Section 3. Suppose a user Ui registers a legal pair (IDi, PWi). Now, assume that Ui wants to masquerade another pair of valid (IDd, PWd) of a legal user Ud by exploiting the security flaw based on the multiplicative property of the exponential function. Because the one-way hash function h() is a public element stored on the smart card, assume that Ui is able to compute $ID_i' = h(ID_i \oplus PW_i)$; then Ui can choose a random number q with 1 < q < P and compute $ID_d' = (ID_i')^{q} \bmod P$. Now, by using computations similar to those in Section 3, Ui can derive $PW_d' = (ID_d')^{SK_1} \bmod P = (PW_i')^{q} \bmod P$ without knowing the secret key SK1. In this case, Ui can compute a masquerade IDd' and derive the associated parameter $PW_d' = (ID_d')^{SK_1} \bmod P$.

However, Ui still cannot masquerade the exact IDd and PWd, because $ID_d' = h(ID_d \oplus PW_d)$. Since h() is a one-way hash function, it is infeasible for Ui to compute a valid pair (IDd, PWd) from IDd'. On receiving the masqueraded identity IDd and password PWd, the remote host system will reject the login by verifying the illegal (IDd, PWd) in the authentication phase. Thus, a legal user Ui cannot masquerade another pair of valid (IDd, PWd) to log in to the remote host system. For this reason, our improved fingerprint-based remote user authentication scheme can withstand the masquerade attack and ensure that the remote user is authorized to access the host resources.

5. Conclusion

In this paper, we propose an improved biometric user authentication scheme to protect the host multimedia resources. We present a cryptanalysis of the Lee-Ryu-Yoo scheme, showing that their scheme is vulnerable to a masquerade attack. Based on the Lee-Ryu-Yoo fingerprint verification, our scheme can withstand the masquerade attack and secure access control in multimedia communication.

Acknowledgement: This research is partially supported by the National Science Council, Taiwan, under grant NSC92-2213-E-029-017.

References

[1] C.K. Chan, and L.M. Cheng, “Cryptanalysis of a remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, November 2000, pp. 992-993.
[2] T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. IT-31, No. 4, July 1985, pp. 469-472.
[3] M.S. Hwang, and L.H. Li, “A new remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, February 2000, pp. 28-30.
[4] T. Hwang, Y. Chen, and C.S. Laih, “Non-interactive password authentications without password tables,” IEEE Region 10 Conference on Computer and Communication Systems, September 1990, pp. 429-431.
[5] I.G. Bae, B.H. Cho, J.S. Kim, J.H. Bae, and K.Y. Yoo, “Online fingerprint verification system using direct minutiae extraction,” 13th International Conference on Computer Applications in Industry and Engineering, November 2000, pp. 120-123.
[6] A. Jain, R. Bolle, and S. Pankanti, “Biometrics personal identification in networked society,” Kluwer Academic Publishers, 1999, pp. 369-384.
[7] J.K. Lee, S.R. Ryu, and K.Y. Yoo, “Fingerprint-based remote user authentication scheme using smart cards,” Electronics Letters, Vol. 38, No. 12, June 2002, pp. 554-555.
[8] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, Vol. 24, No. 11, November 1981, pp. 770-772.
[9] N.K. Ratha, K. Karu, S. Chen, and A.K. Jain, “A real-time matching system for large fingerprint databases,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 18, No. 8, August 1996, pp. 799-813.
[10] W. Stallings, Cryptography and Network Security Principle and practice, Prentice Hall International, Inc., 3rd edition, 2002, pp. 328-338.