Remote Password Authentication Scheme with Smart Cards and Biometrics

Chun-I Fan*, Yi-Hui Lin, and Ruei-Hau Hsu
Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung 804, Taiwan
* E-mail: [email protected]

Abstract. More and more researchers combine biometrics with passwords and smart cards to design remote authentication schemes for the purpose of high-degree security. However, in most of the authentication schemes proposed in the literature so far, biometric characteristics are verified in the smart cards only, not in the remote servers, during the authentication processes. Although this kind of design can prevent the biometric data of the users from being known to the servers, the result is that they are not real three-factor authentication schemes, and some security flaws may occur since the remote servers do not actually verify the biometric factor. In this paper we propose a truly three-factor remote authentication scheme where all three security factors, passwords, smart cards, and biometric data, are examined in the remote servers. In particular, the proposed scheme fully preserves the privacy of the biometric data of every user, that is, the scheme does not reveal the biometric data to anyone else, including the remote servers. Furthermore, we also demonstrate that the proposed scheme is immune to both replay attacks and offline dictionary attacks, and that it satisfies the requirement of low computation cost for smart-card users.

Keywords: Passwords, Smart cards, Biometrics, Three-factor security, Remote authentication
I. INTRODUCTION

Passwords can either be guessed easily or are hard to memorize. Smart cards may be illegally shared by dishonest entities and may also be lost easily. Due to the uniqueness and the characteristics of biometrics, they are quite suitable for user authentication and can also compensate for the drawbacks inherited from passwords and smart cards in remote authentication schemes. Therefore, making use of biometric-based methods for remote authentication is becoming more and more popular. However, there are two problems when we apply biometric characteristics to remote authentication. One is that some biometric characteristics may be easily revealed and they can never be changed. Hence, it is infeasible to take these biometric characteristics as keys for encryption [12]. The other concerns the guarantees given by biometric capture devices. A good biometric capture device can perform a liveness test at the same time as it captures the biometric characteristics [12].

Footnote 1: This work was supported in part by TWISC@NCKU, National Science Council under the Grants NSC 94-3114-P-006-001-Y.
Footnote 2: This research was partially supported by the National Science Council of the ROC (Taiwan) under grant NSC 95-2219-E-110-004.
Nevertheless, the servers cannot check whether the capture devices that remote users adopt in distributed environments are qualified or not. Therefore, an attacker can pass the liveness check on the biometric characteristic of some user if the attacker can obtain a duplicate of the user's biometric data; for example, the attacker can get the fingerprint of the user from her/his cup.

In this paper we integrate passwords, smart cards, and biometrics and then construct a secure three-factor authentication scheme that solves the above problems. Since only the users who own the correct passwords, biometric characteristics, and data in their smart cards are allowed to log in to the remote server successfully, three-factor authentication is much more secure than two-factor (only passwords and smart cards needed) authentication. Each of the three factors, i.e., passwords, smart cards, and biometrics, has its own advantages and disadvantages, and they complement each other. Furthermore, adding biometric characteristics to an authentication scheme does not burden the users with any inconvenient operation [12]. Besides, the technology of integrating fingerprint sensors into smart cards is quite mature, so that it is more difficult for attackers to steal the users' fingerprints through the capture devices [4].

Several three-factor authentication schemes have been proposed in the literature. Lee et al. proposed a fingerprint-based remote user authentication scheme using smart cards [6] in 2002. In the scheme, every user has to insert her/his smart card into a card reader and then input her/his fingerprint and password in the login phase. The fingerprint is checked against the fingerprint template stored in the card, and some parameters are randomly generated from the user's fingerprint minutiae. Unfortunately, the scheme was attacked by Lin et al. [2] and Chang et al. [1] in 2004, respectively. Lin et al. [2] mentioned that a registered user can create many valid pairs of identities and passwords to masquerade as other legal users in the scheme of [6]. Chang et al. [1] pointed out that the Lee et al. scheme [6] is unworkable and cannot resist the conspiring attack. Kim et al. proposed an ID-based password authentication scheme using smart cards and fingerprints [5] in 2003. In 2004, Scott [9] showed that it is insecure because an attacker can impersonate a legal user successfully. Another scheme was proposed by Lin et al. in 2004 [2]. The scheme combines passwords and fingerprint minutiae templates into super passwords and provides offline password change. However, Mitchell et al. [4] indicated that the password change operation is vulnerable because smart cards do not have enough ability to check the correctness of old passwords.

1-4244-0357-X/06/$20.00 ©2006 IEEE
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2006 proceedings.

Some attacks on three-factor authentication schemes are valid due to the lack of checking on fingerprints at the servers' side. Since these schemes perform the checking on fingerprints in the cards, the servers do not learn whether the fingerprints are correct or not. To cope with the problem, in our proposed scheme all of the users' fingerprints are verified by the server. Besides, most users are not willing to reveal their fingerprints to others, even to the servers, since biometric characteristics can never be changed and they may also be applied to other activities. Hence, how to keep the biometric characteristics secret is another important issue. Our scheme also aims at the protection of each user's biometric data against the server and anyone else. In addition to the security and privacy issues, the proposed scheme is tailored to achieve the low-computation property for smart-card environments.

The rest of the paper is organized as follows. In Section II, we introduce the basic ideas of this research. In Section III, we propose a secure three-factor remote authentication scheme. Both the performance and the security of the proposed scheme are examined in Section IV. In Section V, we compare the proposed scheme with other three-factor authentication schemes [2, 5, 6]. Finally, a concluding remark is given in Section VI.

II. BASIC IDEAS

In most biometric-based authentication schemes with smart cards [2, 5, 6], the checking processes on biometric characteristics are performed in the smart cards, not in the servers; the checking flow is shown in Figure 1. Biometric characteristics cannot be changed, and their owners may use these same biometric characteristics as authentication factors at other servers.
Such designs make it impossible for the servers or anyone else to obtain the biometric characteristics of any user. Although the privacy of the users is guaranteed, the servers cannot verify the correctness of the users' biometric characteristics, so these are not truly three-factor authentication schemes and may degenerate into two-factor ones from the servers' point of view. In other words, attackers may pass the authentication processes performed by the servers with passwords and cards only.

We propose another mechanism of biometric authentication with smart cards. As illustrated in Figure 2, the biometric data of each user is examined in the server. It solves the problem mentioned above and achieves truly three-factor security. However, we must deal with the following derived problem: how can the server check the correctness of the users' biometric characteristics without knowing their exact values? Our idea is to randomly choose a string and mix the biometric characteristics of a user with the string by performing the exclusive-or (XOR) operation on them before the server checks the biometric characteristics. The XOR operation is a bit-oriented operation. Consequently, it does not affect the matching result or score if the matching checks the Hamming distance between two biometric strings: XOR-ing both strings with the same mask changes none of the bit positions in which they differ. However, if the matching is not based on the Hamming distance, it will only have two possible results, "equal" or "not equal".

The idea is shown in Figure 3. The user randomly selects a string and combines it with her/his fingerprint data via the exclusive-or operation. The combined string is stored in the smart card in the registration phase. The smart card then combines the same randomly chosen string with the fingerprint minutiae data input in the login phase. Finally, the two combined strings, created in the registration phase and the login phase respectively, are sent to the server for matching. Therefore, in the protocol, the server cannot learn the exact value of the user's biometric data, while the server can still check its correctness.
Figure 1. A typical verification procedure on biometric characteristics
Figure 2. The flow chart of the proposed verification procedure
Figure 3. The proposed idea of the fingerprint matching
III. OUR SCHEME

In this section, we propose a three-factor remote authentication protocol. The proposed protocol consists of three phases: the initialization phase, the registration phase, and the login and authentication phase. In the initialization phase, the server prepares some security parameters. Every user registers with the server in the registration phase. In the login and authentication phase, each registered user interacts with the server, which verifies whether the login succeeds or not. The details of the three phases are described as follows.

A. Initialization Phase
1. The server randomly chooses two distinct large primes (p, q) where p ≡ q ≡ 3 (mod 4) and then computes n = p×q.
2. The server randomly selects a string x as its key for symmetric encryption and keeps (x, p, q) secret.

B. Registration Phase
1. Let user Ui with identity IDi be about to register with the server. She/He randomly chooses a string r and determines the value of her/his password PWi. The user obtains her/his fingerprint image via a sensor and then extracts the minutiae from the fingerprint image to form a template of the fingerprint. Let Si represent the fingerprint template of Ui. Thus, Ui computes SSi = r⊕Si.
2. Ui sends (IDi, h(PWi), SSi) to the server through a secure channel, where h(.) is a public one-way hash function.
3. The server computes yi = Ex(h(x)||IDi||h(PWi)||SSi), where Ex(.) denotes a symmetric encryption function using the key x. The server stores IDi, yi, h(.), and n in a smart card.
4. The server sends the smart card to Ui in a secure manner.
5. Ui stores r in the smart card.

C. Login and Authentication Phase
1. Ui inputs her/his password PWi* and her/his fingerprint via the sensor on the smart card. Let Si* represent the input fingerprint data after performing the process of minutiae extraction. Ui computes SSi* = r⊕Si* in the smart card, where r was stored in the smart card. She/He then derives u = r⊕r' and ki = (IDi||yi||u)^2 mod n, where r' is randomly chosen by Ui. Ui sends C0 = (IDi||ki) to the server.
2. The server decrypts ki by performing Rabin's algorithm [7], which yields four different candidate results. The server acquires (yi, u) from the decryption result that carries the prefix IDi.
3. The server then decrypts yi via key x and obtains (h(x)||IDi||h(PWi)||SSi). It checks the value of h(x). If it is correct, the server considers the card valid. The server then compares the value of IDi in yi with that of IDi in ki. If they are equal, the server keeps (h(PWi)||SSi), which will be used later. The server computes SSi' = u⊕SSi, which equals r'⊕Si, yi' = Ex(h(x)||IDi||h(PWi)||SSi'), and C1 = Eu(h(u)||yi'||v), where v is randomly chosen by the server and u was received in Step 2.
4. The server sends C1 to Ui.
5. Ui uses u generated in Step 1 to decrypt C1 and then obtains (h(u)||yi'||v). She/He checks the value of h(u) to ensure that C1 does come from the server. Besides, Ui gets yi' and v from the decryption result. Ui deletes (yi, r) and stores (yi', r') in the card. Finally, Ui forms C2 = Ev(h(v)||h(PWi*)||SSi*).
6. Ui sends C2 to the server.
7. The server uses v generated in Step 3 to decrypt C2 and then checks the value of h(v) in the decryption result to make sure that C2 was indeed sent by Ui. Finally, the server checks whether h(PWi*) = h(PWi) and whether the matching score between SSi* and SSi is beyond a pre-defined threshold value. If both hold, the server accepts the login request of Ui.
Figure 4 contents (registration phase; Ui on the left, the server on the right):
  Ui:            SSi = r ⊕ Si
  Ui → server:   IDi, h(PWi), SSi   (secure channel)
  Server:        yi = Ex(h(x) || IDi || h(PWi) || SSi)
  Server → Ui:   [IDi, h(.), n, yi]smart card   (secure channel)
  Ui:            [IDi, h(.), n, yi, r]smart card
Legend: Ui: user i; x: the server's secret key; IDi: the identity of Ui; h(.): a one-way hash function; PWi: the password of Ui; [.]smart card: [.] in the smart card; Si: the fingerprint minutiae of Ui; r: a string randomly chosen by Ui; double arrow: a secure channel.
Figure 4. The registration phase
Figure 5 contents (login and authentication phase; Ui on the left, the server on the right):
  Ui:            SSi* = r ⊕ Si*;  u = r ⊕ r';  ki = (IDi || yi || u)^2 mod n;  C0 = (IDi || ki)
  Ui → server:   C0
  Server:        Dp,q(ki) = (IDi || yi || u);  Dx(yi) = (h(x) || IDi || h(PWi) || SSi);  check h(x), IDi;
                 SSi' = u ⊕ SSi;  yi' = Ex(h(x) || IDi || h(PWi) || SSi');  C1 = Eu(h(u) || yi' || v)
  Server → Ui:   C1
  Ui:            Du(C1) = (h(u) || yi' || v);  check h(u);  [IDi, h(.), n, yi', r']smart card;
                 C2 = Ev(h(v) || h(PWi*) || SSi*)
  Ui → server:   C2
  Server:        Dv(C2) = (h(v) || h(PWi*) || SSi*);  check h(v);  check if h(PWi*) = h(PWi);  check if SSi* ≅ SSi
Legend: PWi*: the password which Ui inputs; Si*: the fingerprint minutiae which Ui inputs; r': a string randomly chosen by the user; EK(.): an encryption function with key K; DK(.): a decryption function with key K.
Figure 5. The login and authentication phase
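The following simulation is an added example, not the paper's own code: it walks through the registration phase and the seven login steps of Section III, including Rabin decryption with its four candidate roots, the per-login refresh of (yi, r) to (yi', r'), and the XOR masking of Section II, where the server compares r⊕Si* against r⊕Si and obtains the same Hamming distance as between Si* and Si. Assumptions not in the paper: an HMAC-SHA256 keystream stands in for the unspecified symmetric cipher EK, fixed Mersenne primes for p and q, fixed-width 8-byte fields so the server can split (IDi||yi||u), 64-bit templates, and a matching threshold of 6 bits.

```python
import hashlib, hmac, secrets

ID_LEN, FP_LEN, H_LEN = 8, 8, 32        # bytes: ID_i; template / r / r' / u; h(.) output
Y_LEN = H_LEN + ID_LEN + H_LEN + FP_LEN  # y_i = E_x(h(x)||ID_i||h(PW_i)||SS_i) is 80 bytes
MSG_LEN = ID_LEN + Y_LEN + FP_LEN        # (ID_i||y_i||u) is 96 bytes, squared below
THRESHOLD = 6                            # assumed: largest Hamming distance still accepted

def h(b): return hashlib.sha256(b).digest()              # the public one-way hash h(.)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def hamming(a, b): return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def E(key, msg):  # toy E_K (assumption, not the paper's cipher): HMAC-SHA256 counter keystream
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest() for i in range(len(msg) // 32 + 1))
    return xor(msg, ks)
D = E             # XOR stream cipher: D_K is the same operation as E_K

class Server:
    def __init__(self):  # initialization phase; fixed Mersenne primes keep the demo offline,
        self.p, self.q = (1 << 521) - 1, (1 << 607) - 1   # both ≡ 3 (mod 4); a real server
        self.n, self.x = self.p * self.q, secrets.token_bytes(32)  # generates secret random primes
    def register(self, ident, h_pw, ss):                  # registration, step 3: y_i
        return E(self.x, h(self.x) + ident + h_pw + ss)   # server only ever sees SS_i = r⊕S_i
    def rabin_sqrt(self, c):  # Rabin decryption: the four square roots of c mod n = pq, via CRT
        p, q, n = self.p, self.q, self.n
        mp, mq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
        a, b = q * pow(q, -1, p), p * pow(p, -1, q)       # a ≡ 1 (mod p), b ≡ 1 (mod q)
        r1, r2 = (a * mp + b * mq) % n, (a * mp - b * mq) % n
        return [r1, n - r1, r2, n - r2]
    def steps_2_3(self, ident, ki):
        for root in self.rabin_sqrt(ki):                  # step 2: keep the root prefixed by ID_i
            if root >> (8 * MSG_LEN): continue            # too large to be a 96-byte message
            raw = root.to_bytes(MSG_LEN, "big")
            if raw[:ID_LEN] == ident: break
        else: return None
        yi, u = raw[ID_LEN:ID_LEN + Y_LEN], raw[ID_LEN + Y_LEN:]
        plain = D(self.x, yi)                             # step 3: h(x)||ID_i||h(PW_i)||SS_i
        if plain[:H_LEN] != h(self.x) or plain[H_LEN:H_LEN + ID_LEN] != ident:
            return None                                   # forged card or ID mismatch
        self.h_pw, self.ss = plain[H_LEN + ID_LEN:-FP_LEN], plain[-FP_LEN:]
        ss_new = xor(u, self.ss)                          # SS_i' = u⊕SS_i = r'⊕S_i; S_i stays hidden
        y_new = E(self.x, h(self.x) + ident + self.h_pw + ss_new)   # y_i'
        self.v = secrets.token_bytes(32)
        return E(u, h(u) + y_new + self.v)                # C1 = E_u(h(u)||y_i'||v)
    def step_7(self, c2):
        plain = D(self.v, c2)
        if plain[:H_LEN] != h(self.v): return False       # C2 not bound to this run's v
        h_pw_star, ss_star = plain[H_LEN:2 * H_LEN], plain[2 * H_LEN:]
        return h_pw_star == self.h_pw and hamming(ss_star, self.ss) <= THRESHOLD

class Card:
    def __init__(self, server, ident, pw, template):      # registration phase, steps 1-5
        self.r, self.ident, self.n = secrets.token_bytes(FP_LEN), ident, server.n
        self.y = server.register(ident, h(pw), xor(self.r, template))
    def step_1(self, pw_star, template_star):
        self.h_pw_star, self.ss_star = h(pw_star), xor(self.r, template_star)  # SS_i*
        self.r_new = secrets.token_bytes(FP_LEN)
        self.u = xor(self.r, self.r_new)                  # u = r⊕r'
        m = int.from_bytes(self.ident + self.y + self.u, "big")
        return self.ident, pow(m, 2, self.n)              # C0 = (ID_i, k_i)
    def step_5(self, c1):
        plain = D(self.u, c1)
        if plain[:H_LEN] != h(self.u): return None        # C1 is not from the genuine server
        self.y, self.r = plain[H_LEN:H_LEN + Y_LEN], self.r_new   # replace (y_i, r) by (y_i', r')
        v = plain[H_LEN + Y_LEN:]
        return E(v, h(v) + self.h_pw_star + self.ss_star) # C2 = E_v(h(v)||h(PW_i*)||SS_i*)

def login(server, card, pw_star, template_star):
    ident, ki = card.step_1(pw_star, template_star)       # step 1 -> C0
    c1 = server.steps_2_3(ident, ki)                      # steps 2-4 -> C1
    c2 = card.step_5(c1) if c1 is not None else None      # steps 5-6 -> C2
    return c2 is not None and server.step_7(c2)           # step 7: verdict

def demo():
    """Constructed data: a 64-bit template and a noisy re-capture differing in 2 bits."""
    srv, s_reg = Server(), bytes.fromhex("a5c3f00d1234beef")
    card = Card(srv, b"alice\0\0\0", b"correct horse", s_reg)
    s_noisy = xor(s_reg, bytes.fromhex("0000000000000003"))
    return (login(srv, card, b"correct horse", s_noisy),                  # genuine user
            login(srv, card, b"wrong pass", s_noisy),                     # wrong password
            login(srv, card, b"correct horse", xor(s_reg, b"\xff" * 8)))  # wrong finger
```

Each call to login() refreshes the card's (yi, r), so the three attempts in demo() also exercise the re-keyed state from the previous run.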
IV. DISCUSSIONS

In this section, the performance and the security of the proposed scheme are discussed.

1. Low computation for the smart card: In the login and authentication phase, the user only needs to perform one modular multiplication, one symmetric encryption, one symmetric decryption, and a few hash and exclusive-or operations in the smart card. Compared with the schemes of [2, 5, 6], where at least two modular exponentiations are required of every user, the proposed scheme is much more efficient for the user in computation.
2. Passwords chosen by the users themselves: In our scheme, users are allowed to choose their own passwords rather than having them decided by the server. This makes it easier for users to remember their passwords.
3. Not requiring clock synchronization or a delay-time limit: In timestamp-based authentication schemes, the clocks of the server and all users' computers must be synchronized with one another, and the transmission delay of the login message also has to be bounded. To eliminate the requirement of clock synchronization and the limit on transmission delay, our scheme is based on nonces instead of timestamps.
4. Withstanding the replay attack: In a replay attack, the attackers re-submit the login messages transmitted between some user and the server and attempt to impersonate the user to log in to the server. In the message ki = (IDi||yi||u)^2 mod n, (IDi||yi||u) is encrypted by Rabin's public-key encryption algorithm [7] and can only be decrypted by the server. It is intractable for the attackers to derive u from (IDi||yi||u)^2 mod n without p and q. Therefore, if the attackers re-submit the message ki to the server, they cannot impersonate user i to log in to the server, since they cannot form a correct C2 to pass the verification process without the correct h(v), where v is randomly chosen by the server in this instance of the protocol.
5. Server authentication: An illegal server without (p, q) cannot trick a user into logging in to it in the proposed scheme. Since it cannot obtain the correct u, randomly chosen by the user, from the message ki = (IDi||yi||u)^2 mod n, the login process will be terminated by the user on verifying h(u) in C1.
6. Withstanding the offline dictionary attack without the smart card: In the offline dictionary attack without the smart card, the attackers attempt to determine whether each of their guessed passwords is correct via the intercepted messages transmitted between some user and the server. If the user's password is weak and the attackers have enough information to check each guess, the attack succeeds, i.e., the attackers can guess and obtain the user's correct password. Let the attackers intercept C0, C1, and C2 transmitted between the user and the server in the proposed protocol. However, both h(PW) and h(PW*) are encrypted under secret symmetric keys unknown to the attackers. It follows that the offline dictionary attack without the smart card is not feasible against the proposed protocol.
7. Withstanding the offline dictionary attack with the smart card: The offline dictionary attack with the smart card is defined as follows: the attackers attempt to determine whether each of their guessed passwords is correct via the information stored in the smart card of some user together with the intercepted messages transmitted between the user and the server. Let the attackers obtain IDi, yi, h(.), n, and r stored in the user's card and intercept C0, C1, and C2 transmitted between the user and the server in the proposed protocol. Compared with the offline dictionary attack without the smart card, the additional information known to the attackers is only (yi, r), because IDi, h(.), and n are public. Since yi is a ciphertext under symmetric encryption with the secret key x kept by the server, the attackers cannot decrypt yi to obtain h(PWi) and check their guessed passwords against it. Furthermore, it is computationally infeasible for the attackers to derive u and v, with or without yi, since breaking Rabin's public-key encryption is as intractable as factoring n. Therefore, the
offline dictionary attack with the smart card is also not feasible against the proposed protocol.

V. THREE-FACTOR SECURITY

Since passwords, fingerprints, and smart cards are the key security factors in remote authentication schemes, a secure scheme should guarantee that an attacker cannot break the scheme unless she/he obtains all three factors.

1. Password+Fingerprint+Smart card: If the attacker has none of the three factors, that is, the scheme is under the protection of the password, the fingerprint, and the smart card, then she/he will fail in Step 3 of the login and authentication phase for lack of the card. This is because the server checks (h(x), IDi) in yi, which are encrypted under key x and stored in the card, and x is kept secret by the server.
2. Password+Fingerprint: We assume that the attacker obtains the smart card, that is, the scheme is only under the protection of the password and the fingerprint. The attacker will fail in Step 7 of the login and authentication phase. Although h(PWi) and SSi are stored in the smart card, they are encrypted under the secret key x of the server. Therefore the attacker cannot derive the values of h(PWi) and SSi to pass the check in Step 7.
3. Fingerprint+Smart card: Assume that the attacker obtains the password, that is, the scheme is only under the protection of the fingerprint and the smart card. The attacker will fail in Step 3 of the login and authentication phase because the attacker has no ability to create a valid yi of user i. Even if the attacker replays the messages {IDi, ki}, she/he will still fail in Step 7 owing to the check on h(v).
4. Password+Smart card: Assume that the attacker obtains the fingerprint, that is, the scheme is only under the protection of the password and the smart card. The situation is the same as above.
5. Password: We assume that the attacker obtains the fingerprint and the smart card, that is, the scheme is under the protection of the password only.
The scheme is still secure since the attacker cannot carry out the dictionary attacks addressed in the previous section to guess the correct password.
6. Fingerprint: We assume that the attacker obtains the password and the smart card, that is, the scheme is only under the protection of the fingerprint. The attacker will fail in Step 7 of the login and authentication phase because the attacker cannot derive the fingerprint from the smart card and the transmitted messages.
7. Smart card: Assume that the attacker obtains the password and the fingerprint, that is, the authentication scheme is under the protection of the smart card only. The attacker will fail in Step 3 of the login and authentication phase, as the attacker has no ability to create a valid yi of user i.

From the above discussions, the proposed scheme is secure as long as at least one of the three security factors is unknown to the attackers. We also apply the above criteria to examine the schemes of [2, 5, 6]. We assume that the attacker can obtain the contents of a smart card as long as she/he can get the smart card. Since the scheme of [6] is unworkable [1], the server does not have the ability to authenticate the users. Besides, in the scheme of [5], the authors of [9] have indicated that the attacker can impersonate a user to log in to the server. Therefore the above two schemes are insecure even when the attacker does not get any of the three security factors. In the scheme of [2], if the attacker obtains the smart card and the password of a registered user, she/he will successfully log in to the server without passing the fingerprint matching check.

VI. CONCLUSIONS

The proposed scheme can prevent all of the attacks that we have mentioned in this paper, and it is also suitable for the smart-card environment due to its low-computation property. In particular, our approach does not reveal the users' fingerprints or biometric data to the server, so it is a secure three-factor authentication scheme with full privacy protection for the biometric data of every user against anyone else.

REFERENCES

[1] C.C. Chang and I.C. Lin, "Remarks on fingerprint-based remote user authentication scheme using smart cards," ACM SIGOPS Operating Systems Review, Vol. 38, No. 4, pp. 91-96, 2004.
[2] C.H. Lin and Y.Y. Lai, "A flexible biometrics remote user authentication scheme," Computer Standards & Interfaces, Vol. 27, No. 1, pp. 19-23, 2004.
[3] F.A. Afsar, M. Arif, and M. Hussain, "Fingerprint identification and verification system using minutiae matching," Proceedings of National Conference on Emerging Technologies, pp. 141-146, 2004.
[4] C.J. Mitchell and Q. Tang, "Security of the Lin-Lai smart card based user authentication scheme," Technical Report, http://www.rhul.ac.uk/mathematics/techreports, 2005.
[5] H.S. Kim, J.K. Lee, and K.Y. Yoo, "ID-based password authentication scheme using smart cards and fingerprints," ACM SIGOPS Operating Systems Review, Vol. 37, No. 4, pp. 32-41, 2003.
[6] J.K. Lee, S.R. Ryu, and K.Y. Yoo, "Fingerprint-based remote user authentication scheme using smart cards," Electronics Letters, Vol. 38, No. 12, pp. 554-555, 2002.
[7] M.O. Rabin, "Digitalized signatures and public-key functions as intractable as factorizations," Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, Cambridge, Mass., Jan. 1979.
[8] M. Rejman-Greene, "Secure authentication using biometric methods," Information Security Technical Report, Vol. 7, No. 3, pp. 30-40, 2002.
[9] M. Scott, "Cryptanalysis of an ID-based password authentication scheme using smart cards and fingerprints," ACM SIGOPS Operating Systems Review, Vol. 38, No. 2, pp. 73-75, 2004.
[10] L. Rila and C.J. Mitchell, "Security protocols for biometrics-based cardholder authentication in smartcards," Lecture Notes in Computer Science, Vol. 3482, Springer-Verlag, pp. 488-497, 2005.
[11] U. Uludag, S. Pankanti, S. Prabhakar, and A.K. Jain, "Biometric cryptosystems: issues and challenges," Proc. of the IEEE, Special Issue on Multimedia Security for Digital Rights Management, Vol. 92, No. 6, 2004.
[12] V. Matyas Jr. and Z. Riha, "Toward reliable user authentication through biometrics," IEEE Security & Privacy, Vol. 1, No. 3, pp. 45-49, 2003.