
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2020.2987564, IEEE Transactions on Cloud Computing

Designing Secure and Efficient Biometric-Based Secure Access Mechanism for Cloud Services
Gaurang Panchal, Student Member, IEEE, Debasis Samanta, Senior Member, IEEE,
Ashok Kumar Das, Senior Member, IEEE, Neeraj Kumar, Senior Member, IEEE,
Kim-Kwang Raymond Choo, Senior Member, IEEE

Abstract—The demand for remote data storage and computation services is increasing exponentially in our data-driven society; thus, the need for secure access to such data and services. In this paper, we design a new biometric-based authentication protocol to provide secure access to a remote (cloud) server. In the proposed approach, we consider biometric data of a user as a secret credential. We then derive a unique identity from the user’s biometric data, which is further used to generate the user’s private key. In addition, we propose an efficient approach to generate a session key between two communicating parties using two biometric templates for a secure message transmission. In other words, there is no need to store the user’s private key anywhere and the session key is generated without sharing any prior information. A detailed Real-Or-Random (ROR) model based formal security analysis, informal (non-mathematical) security analysis and also formal security verification using the broadly-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool reveal that the proposed approach can resist several known attacks against (passive/active) adversary. Finally, extensive experiments and a comparative study demonstrate the efficiency and utility of the proposed approach.

Index Terms—Authentication, biometric-based security, cloud service access, session key.

I. INTRODUCTION

Cloud services are a norm in our society. However, providing secure access to cloud services is not a trivial task, and designing robust authentication, authorization and accounting for access is an ongoing challenge, both operationally and research-wise. A number of authentication mechanisms have been proposed in the literature, such as those based on Kerberos [1], OAuth [2] and OpenID [3] (see [1], [4]–[12]). Generally, these protocols seek to establish a secure delegated access mechanism among two communicating entities connected in a distributed system. These protocols are based on the underlying assumption that the remote server responsible for authentication is a trusted entity in the network. Specifically, a user first registers with a remote server. This is needed to ensure the authorization of the owner. When a user wishes to access a server, the remote server authenticates the user and the user also authenticates the server. Once both verifications are successfully carried out, the user obtains access to the services from some remote server.

One key limitation in existing authentication mechanisms is that the user’s credentials are stored in the authentication server, which can be stolen and (mis)used to gain unauthorized access to various services. Also, to ensure secure and fast communication, existing mechanisms generally use symmetric key cryptography, which requires a number of cryptographic keys to be shared during the authentication process. This strategy results in an overhead to the authentication protocols. Designing secure and efficient authentication protocols is challenging, as evidenced by the weaknesses revealed in the published protocols of Jiang et al. [13], Althobaiti et al. [14], Xue et al. [15], Turkanovic et al. [16], Park et al. [17], Dhillon and Kalra [18], Kaul and Awasthi [19] and Kang et al. [20] – see also Section II. Therefore, in this paper we seek to design a secure and efficient authentication protocol. Specifically, we will first provide an alternative to conventional password-based authentication mechanism. Then, we demonstrate how one can build a secure communication between communicating parties involved in the authentication protocol, without having any secret pre-loaded (i.e., shared) information.

In the proposed approach, we consider a fingerprint image of a user as a secret credential. From the fingerprint image, we generate a private key that is used to enroll the user’s credential secretly in the database of an authentication server. In the authentication phase, we capture a new biometric fingerprint image of the user, and subsequently generate the private key and encrypt the biometric data as a query. This queried biometric data is then transmitted to the authentication server for matching with the stored data. Once the user is authenticated successfully, he/she is ready to access his/her service from the desired server. To obtain secure access to the service server, mutual authentication between the user and authentication server, and also between the user and service server have been proposed using a short-term session key. Using two fingerprint data, we present a fast and robust approach to generate the session key. In addition, a biometric-based message authenticator is also generated for message authenticity purpose.

G. Panchal is with the Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur 721 302, India (e-mail: gaurangqip1@gmail.com).
D. Samanta is with the Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur 721 302, India (e-mail: dsamanta@iitkgp.ac.in).
A. K. Das is with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India (e-mail: iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in).
N. Kumar is with the Department of Computer Science and Engineering, Thapar University, Patiala 147 004, India (e-mail: neeraj.kumar@thapar.edu).
K.-K. R. Choo is with the Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX 78249, USA (e-mail: raymond.choo@fulbrightmail.org).
(Corresponding Author: Kim-Kwang Raymond Choo).

2168-7161 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Exeter. Downloaded on May 03,2020 at 08:38:29 UTC from IEEE Xplore. Restrictions apply.

We summarize the key contributions/benefits related to the proposed approach as below.
1) An effective way to transmit the user’s biometric data through the unsecured network channels to an authentication server is presented.
2) We propose an approach to generate a revocable private key directly from an irrevocable fingerprint image. There is no need to store the private key or a direct form of the user’s biometric data anywhere.
3) We mitigate the limitation in traditional mechanisms that require the user’s credentials to be stored in the authentication server.
4) We introduce a novel way to generate session keys.
5) In traditional authentication protocol, each entity requires some preloaded information; thus, incurring some overhead. We introduce a new mechanism to avoid the need for secret pre-loaded information.
6) A message authentication mechanism, as an alternative to the existing message authentication protocols (i.e., Message Authentication Code (MAC)), is introduced.

In the next section, we will review existing biometric-based authentication schemes, prior to presenting the proposed biometric-based authentication approach in Section III. We then evaluate the performance and security of the proposed protocol in Sections IV and V, respectively. Specifically, we demonstrate that the protocol is secure in the presence of a Dolev-Yao (DY) adversary [21]. Then, a comparative study is presented in Section VI. Finally, Section VII concludes the paper.

II. RELATED WORK

In this section, we mainly discuss existing biometric-based user authentication schemes that have been presented in the literature.

Based on the authentication types and factors being used, the user authentication protocols can be classified into three categories: 1) single-factor, 2) two-factor and 3) three-factor. In a single-factor authentication protocol, only one factor can be used (for example, user’s smart card/mobile device or password or personal biometrics). In a two-factor authentication scheme, the user’s smart card or mobile device and password can be used. On the other hand, in a three-factor authentication scheme, the user’s smart card/mobile device, password and biometrics can be used.

Jiang et al. [13] designed a password based user authentication scheme for wireless sensor networks (WSNs). This is a two-factor authentication scheme as it relies on both a smart card and some password. During the user registration process, an authorized user registers or re-registers with the trusted gateway node (GWN). The GWN then issues a smart card having the relevant credentials that are stored on the smart card. In addition, all the deployed sensor nodes are registered through a secure channel with the GWN and obtain their respective secret credentials. Using the pre-loaded credentials, a legitimate user authenticates with a designated sensor node with the help of the GWN during the login and authentication phases. However, Das [22] later showed that this particular scheme is vulnerable to privileged insider attacks, where an internal user of the trusted authority (i.e., an insider attacker) having the registration information of a registered user can mount other attacks in the system, such as user impersonation attacks. Moreover, it was also shown that this scheme does not provide proper authentication, and fails to support new sensor node deployment in a target field. As a countermeasure, Das [22] presented an improved and efficient three factor authentication scheme, where the three factors are a smart card, the user’s password and the user’s personal biometrics. However, the scheme proposed by Das [22] does not preserve sensor node anonymity.

Althobaiti et al. [14] proposed a biometric-based user authentication mechanism for WSNs. However, their scheme is insecure against impersonation attacks and man-in-the-middle attacks [23]. Das [23] then proposed a new biometric-based user authentication approach. Xue et al. [15] also designed a temporal-credential-based mutual authenticated key agreement mechanism for WSNs. In their scheme, the remote authorized users are permitted to access authorized sensor nodes in order to obtain information and also to send some important commands to the sensor nodes in WSN. In this scheme, the GWN issues temporal credentials to each user and sensor node deployed in WSN with the help of the password-based authentication mechanism. Later, Li et al. [24] demonstrated that Xue et al.’s scheme fails to resist stolen-verifier, off-line password guessing, insider, many logged-in users, and smart card lost attacks. He et al. [25] also demonstrated that Xue et al.’s scheme is insecure against user impersonation, off-line password guessing, modification and sensor node impersonation attacks.

Turkanovic and Holbl [26], and Turkanovic et al. [16] proposed other user authenticated key agreement approaches. However, Turkanovic et al.’s scheme [16] is insecure against smart card theft, offline password guessing, user impersonation, offline identity guessing, and sensor node impersonation attacks [27]. Park et al. [17] designed a privacy-preserving biometric-based user authentication mechanism using smart card, which uses hashing operation for biometric verification. However, the scheme is insecure against denial-of-service (DoS) attacks [28].

Dhillon and Kalra [18] designed a biometric based user authenticated key agreement mechanism for secure access to services provided by Internet of Things (IoT) devices. Though this scheme uses lightweight operations, it does not protect against DoS attacks as it uses the perceptual hashing (biohashing) operation instead of fuzzy extractor [28]. This is primarily because the biohashing technique hardly creates a unique value $BH(BIO_i)$ from the biometric data $BIO_i$ of a legitimate user $U_i$ at different input times though it may reduce output error [28], where $BH(\cdot)$ is the biohashing function.

Kaul and Awasthi [19] designed an authenticated key agreement scheme, but it was later revealed to be insecure against user impersonation and off-line password guessing attacks [20]. In addition, the scheme of Kaul and Awasthi [19] does not preserve user anonymity. Therefore, Kang et al. [20] proposed an enhanced biometric-based user authentication scheme. However, this scheme is insecure against DoS attacks


[Figure 1 (diagram not reproduced): Client (C), Authentication Server (AS) and Resource Server (RS), with session key generation, cancelable feature sets, synthetic fingerprint image repositories and the user fingerprint data repository. Message flow: 1 Authentication request, 2 Authentication reply, 3 Service request, 4 Service access.]

Fig. 1: The proposed BioCAP: An overview

and also impersonation attacks where a privileged-insider attacker can easily mount such an attack.

Xia et al. [29] designed a local descriptor, called the Weber local binary, to facilitate fingerprint liveness detection. Their mechanism is based on Support Vector Machine (SVM). In another work, Yuan et al. [30] introduced a binary pattern (BP) neural network, which relies on fingerprint liveness detection. In their approach, the Laplacian operator is applied to obtain the image gradient values. After that, different parameters for the BP neural network are tested in order to attain superior detection precision. We refer the interested reader to [31] for a comprehensive literature review of fingerprint-based biometric authentication methods.

Huang et al. [32] introduced two different specific security threats based on the smart-card-based password authentication mechanisms for distributed system. In their system, a user needs valid smart card and corresponding password to have a successful authentication. They also considered two different adversaries: first one is an adversary having pre-computed data stored in smart card and second one is an adversary having different data stored in smart card.

Wang and Wang [33] introduced different property of user privacy perversion in two-factor authentication schemes for wireless sensor networks (WSNs). They designed two different representative schemes to reveal the challenges and subtleties in designing two-factor authentication for privacy preserving for WSNs. They also introduced a game-based security model for two-factor authentication.

Wang et al. [34] proposed three different identity-based user authentication schemes to reveal the challenges in authentication schemes for mobile devices. They also considered session-specific temporary information attack, impersonation attack and also poor usability. Several other authentication protocols [35], [36], [37], [38] have been also proposed in the literature to provide the security in wireless sensor networks and mass storage devices.

III. THE PROPOSED PROTOCOL

In this section, we first discuss the system model and threat model used in the proposed biometric-based authentication protocol (BioCAP), prior to presenting the various phases in BioCAP.

A. System Model

An overview of BioCAP is shown in Fig. 1, which comprises three entities. These entities are client(s) (C), authentication server(s) (AS) and some resource server (RS). AS contains a database of users’ registered data, while AS generates RS’s private key during the deployment phase and it is shared between AS and RS. In addition, both AS and RS include a large repository of a similar set of synthetic fingerprint images. Some synthetic fingerprint databases, such as some publicly available databases, are used in the proposed approach.

When C wishes to access a service from RS, C first sends an authentication request to AS. AS verifies C’s request and sends a reply message to C upon successful verification. Once C obtains the authentication reply message, C sends a service request to RS for getting the access. RS then verifies the service request. If the service request is verified successfully, RS sends a reply to C. C and RS mutually authenticate each other. A session key between C and AS, and C and RS are used for subsequent secure message communications. Further, the message authenticity is controlled by a message authenticator.

BioCAP has two key processes, namely: user registration and user authentication. The user registration requires private key generation, whereas user authentication requires generation of the session key and the message authenticator. BioCAP provides a provision to rollover the private key of a user. In addition, BioCAP is secure, computationally less expensive, and overcomes the inherent weaknesses of biometric verification. Moreover, BioCAP does not need pre-shared keys, and provides smooth mutual authentication mechanism and demands less number of keys to be managed from application and user point of view.


[Figure 2 (diagram not reproduced): PreCalcu Step-1 and PreCalcu Step-2 between P1 and P2. Blocks shown: synthetic fingerprint image repository, feature extraction (F1 from I1, F2 from I2), random number generation (r1, r2 and r3), cancelable feature set generation ((F2', F2'') and F1'), and session key generation (K1 and K2).]

Fig. 2: PreCalcu process

B. Threat Model

We follow the broadly-accepted “Dolev-Yao (DY) threat model” [21] in this paper. The DY model permits an adversary, say $\mathcal{A}$, not only to intercept the messages during communication, but also to modify, delete or even inject false messages during communication among the network entities. Thus, under the DY model, the communication among the network entities happens over a public channel. We further assume that the clients are not trusted in the network, whereas the authentication servers (AS) and resource server (RS) are semi-trusted entities in the network. In a password-based authentication mechanism, password guessing attack is feasible if low-entropy passwords are used. On the other hand, in a biometric-based authentication mechanism biometric data guessing attack using brute-force attacks is computationally infeasible. However, $\mathcal{A}$ can perform other potential attacks, such as replay, man-in-the-middle, privileged-insider, denial-of-service and biometric data guessing attacks, and also stolen smart card and password guessing attacks (for password-based authentication schemes). In addition, $\mathcal{A}$ can also tamper with stored biometric information and with stolen biometric information.

In the following, we describe the phases in our proposed BioCAP.

C. User’s Private Key Generation

From a captured user’s fingerprint image, we extract all minutiae points. In order to increase the accuracy in feature extraction, we first align the fingerprint image. From this aligned fingerprint image, we select the consistent region. The consistent region can be defined as the fingerprint region, which has a high chance of appearance in any captured fingerprint image. We select this consistent region to extract the minutiae points. To select a set of minutiae points from the consistent region, we propose to use a horizontal segment. Horizontal segment is a small area of the consistent region, which has the highest number of minutiae points. We select these minutiae points to generate a Trellis diagram of the convolution coding [39] and finally, a codeword from it. The detailed process of codeword generation is discussed in [40]. Let’s refer to this codeword as BioCode, which can then be used to generate a private key as $K_C = H(\mathrm{BioCode} \bowtie K_r)$, where $K_r$ is a random number generated by C’s application, $H$ represents a standard hash function (e.g., Secure Hash Algorithm (SHA-1) [41]) and $\bowtie$ represents a one-way transformation of two input parameters that is significantly easier to compute in forward direction but not in the backward direction [42]. One can also use SHA-256 [41] to achieve high security in the proposed scheme.

We use the codeword in order to generate the cryptographic keys. For this purpose, the implementation of the codeword generation can be obtained at https://github.com/gauranggithun/BioKAP.git. Next, we define the security mechanism as follows.

Definition 1. An encryption mechanism (Gen, Enc, Dec) over a plaintext message space is perfectly secure if for an adversary $\mathcal{A}$, $\Pr[\mathrm{PrivK}^{eav}_{\mathcal{A},\Pi} = 1] = \frac{1}{2}$.

Definition 1 states that the probability of breaking the entire system with respect to key is half. Our approach holds this property, which is provided in Theorem 1.

Theorem 1. A key generation scheme is perfectly secure, if for an adversary $\mathcal{A}$ the condition $\Pr[\mathrm{PrivK}^{eav}_{\mathcal{A},\Pi} = 1] = \frac{1}{2}$ holds.

Proof. In the proposed key generation mechanism, we have $K = \{K_0, K_1\}$ and $K_i \in Cd_j$ where $i = 0, 1$ and $1 \le j \le 4$, where $Cd_j$ represents the $j$-th codeword. From a key indistinguishability property, it follows that $\Pr[c \in C_0 \mid m = m_0] = \Pr[c \in C_0 \mid m = m_1]$, where $c$ indicates ciphertext and $C_{0,1}$ is ciphertext bit position. Therefore, the advantage of $\mathcal{A}$ is

$$\mathrm{Adv} = \Pr[\mathrm{PrivK}^{eav}_{\mathcal{A},\Pi} = 1] = \Pr[b = b'] = \Pr[b = 0]\Pr[\mathrm{PrivK}^{eav}_{\mathcal{A},\Pi} = 1 \mid b = 0] + \Pr[b = 1]\Pr[\mathrm{PrivK}^{eav}_{\mathcal{A},\Pi} = 1 \mid b = 1] = \frac{1}{2}\left(\Pr[\mathrm{Adv} = 0 \mid b = 0] + \Pr[\mathrm{Adv} = 1 \mid b = 1]\right).$$

Let Adv output 0 when $c = C_0$ and output 1 when $c = C_1$. Then, we have $C = C_0 \cup C_1$. Thus,

$$\mathrm{Adv} = \frac{1}{2}\Big(\sum_{C_0}\Pr[c \in C_0 \mid m = m_0] + \sum_{C_1}\Pr[c \in C_1 \mid m = m_1]\Big) = \frac{1}{2}\Big(\sum_{C_0}\Pr[c \in C_0 \mid m = m_1] + \sum_{C_1}\Pr[c \in C_1 \mid m = m_1]\Big) = \frac{1}{2}\sum_{C_0 \cup C_1}\Pr[c \in C \mid m = m_1] = \frac{1}{2}.$$

Hence, the theorem follows.

We argue that Theorem 1 holds for the proposed codeword mechanism. Since the advantage probability of $\mathcal{A}$ is almost half, indistinguishability is achieved in our proposed protocol.

Next bit unpredictability of $K_C$: Let $K_C = (K_1, K_2, \cdots, K_n)$ be a distribution on $\{0, 1\}^n$. $K_C$ is next bit unpredictable if for every adversary algorithm Alg, there exists a negligible function (n) such that $\Pr[\mathrm{Alg}(K_1, K_2, K_{i-1}) = K_i] \le \frac{1}{2} +$ (n). It is worth noting that the next bit unpredictability is almost similar to pseudorandomness [42].


D. Session Key Generation

To generate a session key between two principals $P_1$ (say, client C) and $P_2$ (say, authentication server AS), we take two different biometric fingerprint data. $P_1$ takes C’s fingerprint image and $P_2$ takes a synthetic fingerprint image. The session key generation process is denoted as PreCalcu process. This process starts execution as soon as $P_1$ loads its application to begin a session. PreCalcu comprises PreCalcu Step-1 and PreCalcu Step-2 – see Fig. 2. When an application is loaded in $P_1$’s machine, $P_2$ will run PreCalcu Step-1. When $P_1$ receives a reply from $P_2$, $P_1$ runs PreCalcu Step-2.

PreCalcu Step-1: In this process, $P_2$ randomly selects a synthetic fingerprint image from the synthetic fingerprint database. Let the $S$-th synthetic fingerprint image (say $I_2$) be randomly selected by $P_2$, where $1 \le S \le Sh$, $Sh$ is the total number of synthetic fingerprint images in the database.

Line-angle based feature extraction from $I_2$: Let $M_2 = \{m_{21}, m_{22}, \cdots, m_{2n_2}\}$ be the set of all extracted minutiae points in increasing order of their x-coordinate values, where $n_2$ denotes the number of minutiae points in $I_2$. The Euclidean distance between two minutiae points, say $m_{2i}$ and $m_{2(i+1)}$ where $i = 1$ to $n_2 - 1$, is calculated. The Euclidean distance between points $x$ and $y$ is considered as the length of the line segment connecting them. In other words, in the Cartesian coordinates, if $x = (x_1, x_2, \cdots, x_n)$ and $y = (y_1, y_2, \cdots, y_n)$ are two points in Euclidean $n$-space, the distance ($d$) from $x$ to $y$ (vice-versa, from $y$ to $x$) is given by the Pythagorean formula as $d(x, y) = d(y, x) = \sqrt{\sum_{i=1}^{n} (y_i - x_i)^2}$. We also calculate the inclination of the connecting line between $m_{2i}$ and $m_{2(i+1)}$. Note that the angle inclination of a line is the angle formed by the intersection of the line and the x-axis. Let $F_2$ be the set of tuples $\{(l_{2i}, a_{2i}) \mid i = 1 \text{ to } n_2 - 1\}$, where $l_{2i}$ is the Euclidean distance, $a_{2i}$ is the inclination between two minutiae points $m_{2i}$ and $m_{2(i+1)}$ in $M_2$. That is,

$$F_2 = \{(l_{21}, a_{21}), (l_{22}, a_{22}), \cdots, (l_{2(n_2-1)}, a_{2(n_2-1)})\}$$

In order to maintain uniformity in the number of minutiae points in any image, we consider a universal number say $T$. The NIST recommendation for the value of $T$ is 50, which is the minimum number of minutiae points be in any fingerprint image [42]. Then, we represent $F_2$ as

$$F_2 = \{(l_{21}, a_{21}), (l_{22}, a_{22}), \cdots, (l_{2T}, a_{2T})\}$$

Cancelable feature sets generation from $F_2$: We generate two cancelable feature sets $F_2'$ and $F_2''$ from $F_2$ as

$$F_2' = \{(l_{21} * r_2)^{(a_{21} * r_1)} \bmod p,\ (l_{22} * r_2)^{(a_{22} * r_1)} \bmod p,\ \cdots,\ (l_{2T} * r_2)^{(a_{2T} * r_1)} \bmod p\} \quad (1)$$

$$F_2'' = \{(l_{21} * r_2) \bmod p,\ (l_{22} * r_2) \bmod p,\ \cdots,\ (l_{2T} * r_2) \bmod p\}$$

Here, $r_1$ and $r_2$ are two positive random numbers and $p$ is a prime number generated by $P_2$. $P_2$ then sends $F_2'$, $F_2''$ to $P_1$. This message $PC_1 = [F_2', F_2'']$ is loaded in $P_1$’s machine during application loading phase in $P_1$. This completes PreCalcu Step-1.

PreCalcu Step-2: On receiving $PC_1 = [F_2', F_2'']$ from $P_2$, $P_1$’s application begins PreCalcu Step-2. $P_1$ takes C’s fingerprint image (say $I_1$) and does the following.

Feature extraction from $I_1$: To extract the features from $I_1$, we follow the same line-angle based feature extraction method as in PreCalcu Step-1. Let $F_1$ be the feature set generated from $I_1$, that is,

$$F_1 = \{(l_{11}, a_{11}), (l_{12}, a_{12}), \cdots, (l_{1n_1}, a_{1n_1})\},$$

where $n_1$ is the number of minutiae points detected in $I_1$. From $F_1$, we select $T$ number of minutiae points. That is,

$$F_1 = \{(l_{11}, a_{11}), (l_{12}, a_{12}), \cdots, (l_{1T}, a_{1T})\}$$

Session key generation by $P_1$: Using $F_2'$, $P_1$ calculates the following.

$$K_1' = \{[(l_{21} * r_2)^{a_{21} * r_1} \bmod p]^{a_{11} * r_3} \times [(l_{22} * r_2)^{a_{22} * r_1} \bmod p]^{a_{12} * r_3} \times \cdots \times [(l_{2T} * r_2)^{a_{2T} * r_1} \bmod p]^{a_{1T} * r_3}\}$$

Here, $r_3$ is a positive random number generated by $P_1$. $P_1$ then calculates the hash key of $K_1'$ using any standard hash function $H(\cdot)$ to generate a session key $K_1$ as $K_1 = H(K_1')$.

Cancelable feature set generation of $F_1$: $P_1$ makes $F_1$ cancelable. To do this, $P_1$ uses $F_2''$ and does the following.

$$F_1' = \{(l_{21} * r_2 \bmod p)^{(a_{11} * r_3)},\ (l_{22} * r_2 \bmod p)^{(a_{12} * r_3)},\ \cdots,\ (l_{2T} * r_2 \bmod p)^{(a_{1T} * r_3)}\}$$

Let $PC_2 = [F_1']$. Then, $P_1$ sends $PC_2$ to $P_2$. $P_2$ uses $PC_2$ and generates $K_2$ as follows.

Session key generation at $P_2$: $P_2$ uses $F_1'$ and features of $I_2$ to generate the session key. That is,

$$K_2' = \{[(l_{21} * r_2)^{a_{11} * r_3} \bmod p]^{a_{21} * r_1} \times [(l_{22} * r_2)^{a_{12} * r_3} \bmod p]^{a_{22} * r_1} \times \cdots \times [(l_{2T} * r_2)^{(a_{1T} * r_3)} \bmod p]^{a_{2T} * r_1}\}$$

$P_2$ calculates the hash value of $K_2'$ and generates the session key $K_2$ using $K_2 = H(K_2')$. We may note that both generated keys $K_1$ and $K_2$ are the same. In this way, we generate the session key between two communication parties. We denote such a session key as $K$.

E. Message Authenticator Generation

In BioCAP, AS initiates an authenticator after the completion of PreCalcu Step-1. To generate an authenticator, AS randomly selects one minutiae point from the fingerprint $I_2$. Let the randomly selected minutiae point be $P_r(x, y)$, $r$ is a random number, $1 \le r \le n$, $n$ is the number of minutiae points of the fingerprint $I_2$. Let $B_v$ be the authenticator, that is, $B_v = (x * r_1)^{(y * r_2)}$.

AS then encrypts $B_v$ using the session key $K$. Let the encrypted form of the authenticator be $B_v'$. AS sends $B_v$ and $B_v'$ with the communication message. We call $[B_v, B_v']$ as the biometric-based authenticator. The recipient encrypts $B_v$ using the session key $K$. Let the encrypted form of $B_v$ be $B_v''$. Recipient then compares $B_v''$ with $B_v'$. If there is a match, then the recipient believes that the message is from the genuine sender.
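The PreCalcu exchange of Section III-D, run for both parties, as an added example (not code from the paper or from the authors' repository). It assumes features already quantized to positive integers, a constructed sample with T = 5 instead of T = 50, a demo prime p = 2^127 - 1, SHA-256 as H, a final reduction mod p of each product, and a hypothetical `check_elements` guard on received sets.

```python
import hashlib
import secrets

# Demo modulus (assumption): the Mersenne prime 2^127 - 1. The paper only
# says p is a prime generated by P2; a deployment needs a vetted group.
P = 2**127 - 1

# Constructed sample features (length, angle), already quantized to positive
# integers (assumption). T = 5 here for readability; the paper uses T = 50.
F1_SAMPLE = [(37, 12), (58, 101), (24, 77), (91, 163), (46, 45)]   # client I1
F2_SAMPLE = [(41, 30), (66, 95), (19, 140), (73, 8), (53, 119)]    # synthetic I2


def H(value: int) -> bytes:
    """Hash a group element (< 2^127) into a 32-byte session key."""
    return hashlib.sha256(value.to_bytes(16, "big")).digest()


def rand_blind() -> int:
    """Fresh positive random number, used for r1, r2 and r3."""
    return secrets.randbelow(2**64 - 1) + 1


def check_elements(elements, expected_len, p=P):
    """Hypothetical guard: reject malformed or degenerate received sets."""
    if len(elements) != expected_len:
        raise ValueError("feature set has the wrong length")
    for e in elements:
        if not 1 < e < p:
            raise ValueError("degenerate or out-of-range element")


def precalcu_step1(F2, p=P):
    """P2: blind F2 into F2' (Eq. 1) and F2''; return its secrets and PC1."""
    r1, r2 = rand_blind(), rand_blind()
    F2_p = [pow(l * r2, a * r1, p) for l, a in F2]   # (l*r2)^(a*r1) mod p
    F2_pp = [(l * r2) % p for l, _ in F2]            # (l*r2) mod p
    return (r1, r2), (F2_p, F2_pp)


def precalcu_step2(F1, PC1, p=P):
    """P1: compute K1 from F2' and the reply PC2 = [F1'] from F2''."""
    F2_p, F2_pp = PC1
    check_elements(F2_p, len(F1), p)
    check_elements(F2_pp, len(F1), p)
    r3 = rand_blind()
    k1 = 1
    for (_, a1), y in zip(F1, F2_p):
        # [(l2*r2)^(a2*r1) mod p]^(a1*r3), reduced mod p (assumption) so
        # that both parties end up with the same integer.
        k1 = (k1 * pow(y, a1 * r3, p)) % p
    F1_p = [pow(g, a1 * r3, p) for (_, a1), g in zip(F1, F2_pp)]
    return H(k1), F1_p


def session_key_at_p2(F2, secret, PC2, p=P):
    """P2: compute K2 from F1', its own angles a2 and its blind r1."""
    r1, _r2 = secret
    check_elements(PC2, len(F2), p)
    k2 = 1
    for (_, a2), y in zip(F2, PC2):
        k2 = (k2 * pow(y, a2 * r1, p)) % p
    return H(k2)


def run_exchange(F1, F2):
    """Run both PreCalcu steps and return (K1, K2)."""
    secret, PC1 = precalcu_step1(F2)          # P2 -> P1: [F2', F2'']
    K1, PC2 = precalcu_step2(F1, PC1)         # P1 -> P2: [F1']
    K2 = session_key_at_p2(F2, secret, PC2)
    return K1, K2


if __name__ == "__main__":
    K1, K2 = run_exchange(F1_SAMPLE, F2_SAMPLE)
    print("K1 == K2:", K1 == K2, K1.hex())
```

Only the angles of F1 enter the formulas, and the two keys agree for any equal-length F1 and F2 because the equality rests solely on the exponents commuting mod p, with the bases in F2'' sent in the clear.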


[Figure 3 (images not reproduced): fingerprint image divided into a grid of blocks, with the detected straight lines drawn in three panels.]

Fig. 3: (a) Straight lines detected using all the blocks; (b) Straight lines detected using core point; (c) Straight lines detected using delta point

F. User Registration

Prior to the registration process, BioCAP executes the PreCalcu process and both C and AS possess their current session key, say $K$. C does the following.

Block-based feature extraction: C's application captures a new fingerprint image (say $I_{reg}$) of C. We extract minutiae points from $I_{reg}$ and make minutiae pairs. In order to generate a pair of minutiae points, we first divide $I_{reg}$ into a number of small square blocks (Fig. 3(a)). We traverse each block in $I_{reg}$ and make the pairs of minutiae points by pairing each minutiae point belonging to the block with all the minutiae points belonging to its surrounding eight connected blocks. This way, we traverse all the blocks and make pairs of minutiae points. We calculate the Euclidean distances and angles of all the straight lines so obtained.

We make minutiae pairs by considering a core point and each minutiae point belonging to the surrounding eight blocks of the core point detected block (Fig. 3(b)). Similarly, we choose the delta point and each minutiae point belonging to the surrounding eight connected blocks of the delta point detected block (Fig. 3(c)). For each pair generated using the core point and delta point, we calculate the Euclidean distances and angles. In biometrics and fingerprint scanning, the delta point is considered as a pattern of a fingerprint and it is the point on a friction ridge at or nearest to the point of divergence of two type lines.

Let $F_1$ denote a set of the Euclidean distances ($l_i$) and angles ($a_i$) of each pair for all the blocks, $F_2$ denote a set of Euclidean distances ($l_i'$) and angles ($a_i'$) of each pair using the core point and let $F_3$ denote a set of the Euclidean distances ($l_i''$) and angles ($a_i''$) using the delta point. Then $F_1 = \{(l_1, a_1), \cdots, (l_{z_1}, a_{z_1})\}$, $F_2 = \{(l_1', a_1'), \cdots, (l_{z_2}', a_{z_2}')\}$ and $F_3 = \{(l_1'', a_1''), \cdots, (l_{z_3}'', a_{z_3}'')\}$, where $z_1$, $z_2$, $z_3$ denote the sizes of $F_1$, $F_2$ and $F_3$, respectively. We concatenate $F_1$, $F_2$ and $F_3$ and make a common set. Let $F_{reg}$ represent the common set, that is, $F_{reg} = \{F_1 || F_2 || F_3\}$, where the size of $F_{reg}$ is $z = z_1 + z_2 + z_3$.

Encryption of $F_{reg}$ using $K_C$: We encrypt $F_{reg}$ using $K_C$ (C's private key) as $F_{reg}' = E_{K_C}(F_{reg})$, where $E$ represents an encryption function.

C's biometric index calculation: During the time of authentication, AS needs to retrieve C's enrolled data in AS's database. To make the retrieval faster, we propose the concept of biometric index as follows. We first calculate the biometric index of C using C's BioCode (see Section III-C) as $B_x = H(G_x \bowtie BioCode)$, where $G_x$ is a number generated by AS during the application deployment process and it is stored in C's application. $G_x$ is a common number available to all users' applications, and hence, AS can send the encrypted $G_x$ using the already established session key $K$ to all Cs securely.

C's rollover parameter ($R$) calculation: We propose a rollover parameter in case, at a later stage, C wants to rollover (or change) $K_C$. To calculate the rollover parameter of C, we use $K_r$ and C's private key $K_C$. Let $R$ be the rollover parameter of C; then $R$ can be obtained as $R = H(K_r \bowtie K_C)$, where $K_r$ is the random number generated during the time of C's private key generation (see Eqn. 1). We encrypt $K_r$ using the hash key of BioCode. Let $K_b$ be the hash key of BioCode, that is, $K_b = H(BioCode)$. Using $K_b$, we encrypt $K_r$. Let $K_r'$ be the encrypted form of $K_r$. Also, we encrypt $B_x$ using the session key $K$. Let $B_x'$ be the encrypted form of $B_x$. Finally, let $R'$ be the encrypted form of $R$ using $K$.

C sends $[F_{reg}', B_x', R', K_r']$ to AS. AS decrypts $B_x'$ and $R'$ using the current session key $K$ and gets $B_x$ and $R$, respectively. AS then stores $[F_{reg}', B_x, R, K_r']$ in the database and this completes the registration process.

G. User Authentication

A user's authentication process begins with the session key generation with the PreCalcu process. Let the session key between C and AS at this time be $K$.

The user authentication process is carried out in two phases. In the first phase, C fetches the secret $K_r'$ from the database of AS. In the second phase, C uses the fetched secret ($K_r'$) to


send his biometric feature to AS for verification purpose. A detail of the authentication process is as follows.

C's Request1 to AS: Let $I'$ be the newly captured fingerprint image of C. From $I'$, calculate BioCode for C. Using this BioCode, calculate the biometric index as

$$B_x = H(G_x \bowtie BioCode) \qquad (2)$$

Encrypt $B_x$ using the session key $K$. Let $B_x'$ be the encrypted form, then send $B_x'$ to AS.

AS's Reply1 to C: Upon receipt of C's request, AS decrypts $B_x'$ using session key $K$ and gets $B_x$. Next, AS searches for $B_x$ in the database and if it is found, it returns the associated $K_r'$ to C as AS's reply message.

C's Request2 to AS: In this phase, C generates a key using BioCode, that is $K_b = H(BioCode)$. Upon receipt of $K_r'$, C decrypts it using $K_b$ as $K_r = D_{K_b}(K_r')$, where $D$ represents the decryption function. C does the following.
1) C's private key generation: C uses the value of $K_r$ and BioCode to generate his private key as follows.

$$K_C = H(BioCode \bowtie K_r) \qquad (3)$$

2) Feature set generation: From the fingerprint $I'$, we generate the query feature set (say $F_{qry}$) using the line-angle based feature extraction method.
3) Encryption of $F_{qry}$ and $K_C$: C encrypts $F_{qry}$ and $K_C$ using session key $K$ and gets $F_{qry}'$ and $K_C'$ in the encrypted form. C then sends $[F_{qry}', K_C']$ to AS.

AS's Reply2 to C: AS first decrypts $F_{qry}'$ and $K_C'$ using the session key $K$ and gets $F_{qry}$ and $K_C$.
1) Fetch the record from the database: Using the received index value $B_x$, AS fetches the encrypted biometric data $F_{reg}$ from the database which is stored along with $B_x$.
2) Decryption of fetched biometric data: AS decrypts $F_{reg}'$ using the received private key $K_C$. Let $F_{reg}$ be the decrypted form of $F_{reg}'$. Note that $F_{reg}$ contains three feature sets, that is

$$F_{reg} = \{F_1 || F_2 || F_3\} \qquad (4)$$

$F_{reg}$ will be compared with the query biometric data.
3) Decryption of query biometric data: AS decrypts $F_{qry}'$ using the session key $K$. Let $F_{qry}$ be the decrypted form of $F_{qry}'$, then $F_{qry}$ can be represented as follows.

$$F_{qry} = \{F_1' || F_2' || F_3'\} \qquad (5)$$

AS compares $F_{reg}$ and $F_{qry}$ to verify the user. To find the similarity between $F_{reg}$ and $F_{qry}$, we use the SVM Ranking based mechanism which has been discussed in [40].

Upon the successful verification of C, AS sends a reply message to C. The generation of a reply message takes the following steps.
1) AS randomly generates a service token $ST$ and encrypts it using the session key $K$. Let $ST'$ be the encrypted form of $ST$. AS also generates an authenticator $B_v$ and encrypts it to $B_v'$ using $K$.
2) AS encrypts $[ST, S, r_1, r_2, p]$ using RS's private key $K_{rs}$ and gets $[ST'', S', r_1', r_2', p']$. Let AS REP-2 be the reply message, then we represent it as AS REP-2 = $[ST'', S', r_1', r_2', p', ST', B_v, B_v']$.
3) AS sends AS REP-2 to C.

C's request to RS: Upon the receipt of AS REP-2 from AS, C does the following.
1) C verifies the received $B_v$ and $B_v'$ using his session key $K$. Upon successful verification C believes that the received message AS REP-2 is genuine.
2) After the message is verified, C decrypts $ST'$ using the session key $K$ and gets the service ticket $ST$.
3) C sends service request RS REQ = $[ST', ST'', S', r_1', r_2', p']$ to RS.

RS's reply to C: Upon receipt of the RS REQ message, RS does the following.
1) RS decrypts $[ST'', S', r_1', r_2', p']$ (everything except $ST'$) using $K_{rs}$ and gets $[ST, S, r_1, r_2, p]$.
2) RS selects the $S$-th synthetic fingerprint image from its fingerprint database. RS uses this fingerprint and $r_1$, $r_2$ and $p$ to generate the session key $K$.
3) Using this session key $K$, RS decrypts $ST'$ and gets $ST_{temp}$.
4) RS compares $ST_{temp}$ with $ST$. If both are matched, then RS generates a message authenticator, say $B_v$, and encrypts it to $B_v'$ using $K$.
5) RS sends RE REP = $[B_v, B_v']$ to C.

C's service access: Upon receipt of RE REP, C first verifies the received $B_v$ and $B_v'$ for the message authenticity. If the message is authenticated, then C and RS use $ST$ for service access. This way, C can access a service from RS. A figure summarizing the messages exchanged between the entities for the user authentication phase of the proposed scheme is shown in Fig. 4.

H. C's Private Key Rollover Mechanism

In BioCAP, we proposed a mechanism to rollover a user's enrolled credentials. The rollover mechanism allows the user to change his credentials (namely $K_r$, $K_C$ and $F_{reg}$) by his own wish. This mechanism is divided into two phases. In the first phase (we call it RL REQ-1), C sends his biometric index to AS. AS searches it in the database. If the biometric index is found in the database, then AS fetches the associated $K_r$ from the database and sends it to C as RL REP-1. In the second phase (say RL REQ-2), C uses the received $K_r$ and generates a new set of enrollment credentials. These credentials are then sent to AS. Then, AS updates the received credentials in the database and sends an acknowledgment to C (RL REP-2). The detailed steps are as follows.

RL REQ-1: It is started with the execution of PreCalcu using a newly captured fingerprint image of C, say $I_R$, and the requisite session key $K$ between C and AS to make the current session ready.

From the newly captured fingerprint image, C generates the biometric index $B_x$. Then C encrypts $B_x$ using $K$ and generates $B_x'$. C sends $[B_x']$ to AS.

RL REP-1: Upon receipt of the RL REQ-1 message, AS decrypts $B_x'$ using $K$ and gets $B_x$. AS searches for $B_x$ in the


Fig. 4: Summary of messages exchanged between entities for the user authentication

database. If there is a match in the database, it fetches the associated $K_r'$ from the database and sends it to the requesting C.

RL REQ-2: Upon receipt of $K_r'$, C generates $K_b$, that is, $K_b = H(BioCode)$. C does the following.
1) Decrypts $K_r'$ using $K_b$ and gets $K_r$.
2) Generates C's private key $K_C$ as $K_C = H(BioCode \bowtie K_r)$.
3) Generates the existing rollover parameter $R_{old}$ as $R_{old} = H(K_r \bowtie K_C)$.
4) Generates a new rollover parameter $R_{new}$ as $R_{new} = H(K_{r_{new}} \bowtie K_C)$. Here, $K_{r_{new}}$ is a fresh randomly generated secret of C. C encrypts $R_{new}$ using session key $K$ and gets $R_{new}'$.
5) Generates C's new private key $K_{C_{new}}$ as $K_{C_{new}} = H(BioCode \bowtie K_{r_{new}})$.
6) C encrypts $K_{r_{new}}$ using $K_b$ and gets $K_{r_{new}}'$.
7) Generates new biometric features from $I_R$ (using the feature extraction method as followed in the user registration step) to generate $F_{new}$. C encrypts $F_{new}$ using $K_{C_{new}}$ and gets $F_{new}'$.
8) Generates a new biometric index $B_{x_{new}}$ as $B_{x_{new}} = H(G_x \bowtie BioCode)$. C encrypts $B_{x_{new}}$ using the session key $K$ and gets $B_{x_{new}}'$.
9) Encrypts $R_{old}$ using the session key $K$ and gets $R_{old}'$.

C sends $[F_{new}', K_{r_{new}}', R_{new}', R_{old}']$ to AS.

RL REP-2: Upon receipt of RL REQ-2, AS does the following.
1) Decrypts $R_{old}'$ using session key $K$ and gets $R_{old}$.
2) Updates the tuple $[F_{reg}', B_x, R, K_r']$ by $[F_{new}', B_x, R_{new}', K_{r_{new}}']$ if $R = R_{old}$.
3) AS sends an acknowledgment message to the requesting C upon the successful update operation of the rollover process.

The principle used in the rollover strategy is also applicable to enroll the same user C with a different private key to a different AS for other access to Cloud resources.

IV. EXPERIMENTAL RESULTS

In our experiments, we used fingerprint images from two publicly available fingerprint databases, namely: FVC2004 database [43] and NIST Special database [44]. The FVC2004 database includes the following: 1) DB1: optical sensor “V300” by CrossMatch, 2) DB2: optical sensor “U.are.U 4000” by Digital Persona, 3) DB3: thermal sweeping sensor “FingerChip FCD4B14CB” by Atmel and 4) DB4: synthetic fingerprint generation. In addition, we also consider DB5 as the NIST Special database. Specifically, DB1 to DB4 are denoted as Set A and DB5 as Set B database. We then performed our experiments on a machine with Intel(R) Core(TM) i5-2400 CPU @ 3.10 GHz processor, running MATLAB 7.11 and Windows 7 OS.

Our observations are summarized as follows.

1) Distinctiveness of BioCode: We classify this experiment into two parts. First, we generate BioCodes from the intra-instances of a user and find the distinctiveness among them. Second, we generate BioCodes using fingerprints of all users and find the distinctiveness of BioCodes obtained. The results observed are summarized in Table I. As several of the fingerprint images are very noisy and blurred, our approach could not achieve 100% accuracy. Further, it may be noted that none of the BioCodes generated from the intra-instances matched with the BioCodes generated from the inter-instances of the users. In the intra-class (intra-instance) variation, a user may incorrectly interact with a sensor, which typically results in such variations. On the other hand, in the inter-class (inter-instance) similarities, there may be a large number of users in a biometric system, which results in inter-class overlap in the feature space of multiple users. More precisely, the performance of the distinctiveness solely depends on the accuracy in the feature extraction approach used.

TABLE I: Distinctiveness of BioCode

| Database | % intra-instances generate same code | % inter-instances generate same code |
|---|---|---|
| Set A | 93.35% | 0% |
| Set B | 95.12% | 0% |


2) BioCode testing using Statistical Test Suite: We perform the randomness measurement test using both NIST Statistical Test Suite [44] and Dieharder Random Number Test Suite [45]. We generate 1120 BioCodes from (800+320) fingerprint images, where each fingerprint image produces a BioCode with a minimum 336 binary bits. Hence, the input file to the NIST test and Dieharder suite will have a minimum 1120 × 336 binary bits. Our analysis based on the two test suites is discussed in the following.

Based on the NIST recommendation, if the P-value is greater than or equal to 0.01, the bit sequence is considered random. Our approach passed 13 of 16 tests – see Table II, which suggests that the biometric-based convolution code according to our approach satisfies NIST's recommended randomness and pseudo-random patterns for cryptographic applications. Based on the Dieharder randomness test suite, we also observed that out of the 26 tests, our approach cleared 16 tests – see Table III.

TABLE II: Randomness test for BioCodes using NIST Test Suite

| No. | Statistical Test Name | P-value | Test Result |
|---|---|---|---|
| 1. | Frequency | 0.6822 | Passed |
| 2. | Block Frequency | 0.2318 | Passed |
| 3. | Cumsum-Forward | 0.0259 | Passed |
| 4. | Cumsum-Reverse | 0.0188 | Passed |
| 5. | Runs | 0.240 | Passed |
| 6. | Long Runs of Ones | 0.6602 | Passed |
| 7. | Rank | 0.1841 | Passed |
| 8. | Spectral DFT | 0.0069 | Failed |
| 9. | Non-overlapping Templates | 0.4168 | Passed |
| 10. | Overlapping Templates | 0.0078 | Failed |
| 11. | Universal | 0.3997 | Passed |
| 12. | Approximation Entropy | 0.3021 | Passed |
| 13. | Random Excursions | 0.3188 | Passed |
| 14. | Random Excursions Variant | 0.0066 | Failed |
| 15. | Linear Complexity | 0.0134 | Passed |
| 16. | Serial Test | 0.0278 | Passed |

TABLE III: Randomness test for BioCodes using Dieharder

| No. | Statistical Test Name | P-value | Test Result |
|---|---|---|---|
| 1. | Diehard Birthdays Test | 0.08354 | Passed |
| 2. | Diehard OPERM5 Test | 0.07485 | Passed |
| 3. | Diehard 32 × 32 Binary Rank Test | 0.05771 | Passed |
| 4. | Diehard 6x8 Binary Rank Test | 0.0000 | Failed |
| 5. | Diehard Bitstream Test | 0.060004 | Passed |
| 6. | Diehard OPSO | 0.0000 | Failed |
| 7. | Diehard OQSO Test | 0.0000 | Failed |
| 8. | Diehard DNA Test | 0.492288 | Passed |
| 9. | Diehard Count the 1s (stream) Test | 0.511102 | Passed |
| 10. | Diehard Count the 1s Test (byte) | 0.002741 | Weak |
| 11. | Diehard Parking Lot Test | 0.00078 | Weak |
| 12. | Diehard Minimum Distance (2d Circle) Test | 0.612441 | Passed |
| 13. | Diehard 3d Sphere (Minimum Distance) Test | 0.214872 | Passed |
| 14. | Diehard Squeeze Test | 0.122573 | Passed |
| 15. | Diehard Sums Test | 0.399742 | Passed |
| 16. | Diehard Runs Test | 0.0278 | Weak |
| 17. | Diehard Craps Test | 0.12581 | Passed |
| 18. | Marsaglia and Tsang GCD Test | 0.0000 | Failed |
| 19. | STS Monobit Test | 0.0000 | Failed |
| 20. | STS Runs Test | 0.001147 | Weak |
| 21. | STS Serial Test (Generalized) | 0.0021891 | Weak |
| 22. | RGB Bit Distribution Test | 0.0000 | Failed |
| 23. | RGB Generalized Minimum Distance Test | 0.0000 | Failed |
| 24. | RGB Permutations Test | 0.0000 | Failed |
| 25. | RGB Lagged Sum Test | 0.0000 | Failed |
| 26. | RGB Kolmogorov-Smirnov Test Test | 0.0000 | Failed |

3) Indistinguishability of $K_C$: Let $A : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient permutation. We say that $K_C$ is a strong pseudo-random permutation if and only if for all probabilistic polynomial time (PPT) distinguishers $D$, there exists a function which is negligible such that

$$\Pr[D^{F_k(\cdot),F_k^{-1}(\cdot)}(n) = 1] - \Pr[D^{f(\cdot),f^{-1}(\cdot)}(n) = 1] \le (n)$$

where $k \leftarrow \{0,1\}^n$ is selected uniformly at random and $f$ is selected uniformly from the permutation sets on $n$-bit strings. The proposed $K_C$ satisfies the indistinguishability property, that is, for every two keys $K_{C_0}, K_{C_1} \in \{0,1\}^n$, an attacking method/algorithm $Alg$ runs in time $\le t(n)$, that is, $\Pr[Alg(E_k(m_i) = i) \le \frac{1}{2} + (n)]$, hence indistinguishability.

4) Similar Feature Vector Generation: For the experiment, we attempt to verify the feature vectors generated using the block-based approach from the intra-instances of the users. We also attempt to verify the feature vectors generated from the inter-instances of the users. The observed results are then expressed as a confusion matrix, which is provided in Table IV. On average 99.27% cases are true positive and 0.14% false positive, whereas 0.73% false negative and 99.86% true negative.

TABLE IV: Similarity in feature vectors

| Database | Intra-instance: True positive | Intra-instance: False negative | Inter-instance: False positive | Inter-instance: True negative |
|---|---|---|---|---|
| DB1 | 98.97% | 1.03% | 0.08% | 99.92% |
| DB2 | 99.15% | 0.85% | 0.05% | 99.95% |
| DB3 | 98.72% | 1.28% | 0.10% | 99.90% |
| DB4 | 99.60% | 0.40% | 0.28% | 99.72% |
| NIST | 99.89% | 0.11% | 0.17% | 99.83% |
| Average | 99.27% | 0.73% | 0.14% | 99.86% |

V. SECURITY ANALYSIS

We will now demonstrate the robustness of BioCAP with respect to different known attacks using both formal and informal security analysis. In addition, we use the widely-accepted “Automated Validation of Internet Security Protocols and Applications (AVISPA)” tool [46] to show that BioCAP is secure against replay and man-in-the-middle attacks.

A. Formal Security Analysis Using Real-Or-Random (ROR) Model

In recent years, the Real-Or-Random (ROR) model [47], [48] based formal security analysis has become very popular in analyzing the security of authentication protocols in the literature [49]–[54]. The ROR model permits an adversary, say $\mathcal{A}$, to interconnect with an $i$th instance $P^i$ of an executing


entity (e.g., a client C, AS or RS), and also to access various queries, such as Send, Execute, Reveal and Test, which are essential for simulating a real attack. The purpose of these queries is tabulated in Table V.

We define the “semantic security” of the proposed BioCAP in Definition 2.

Definition 2. Let $Adv_{\mathcal{A}}^{BioCAP}$ denote the “advantage of $\mathcal{A}$ running in polynomial time to break the semantic security of BioCAP, and derive the session key ($K$) and the service token ($ST$)”. Then, $Adv_{\mathcal{A}}^{BioCAP} = |2\Pr[c' = c] - 1|$, where $c$ and $c'$ respectively denote the correct and guessed bits.

TABLE V: Various queries and their descriptions

| Query | Significance |
|---|---|
| Send($P^i$, $m$) | This query helps $\mathcal{A}$ in sending a message $m$ to $P^i$, and also receiving its response from $P^i$, which is modeled as an “active attack” |
| Execute(C, AS, RS) | It helps $\mathcal{A}$ in eavesdropping the messages exchanged among C, AS and RS, which is modeled as a “passive (eavesdropping) attack” |
| Reveal($P^i$) | It helps $\mathcal{A}$ to know the session key $K$ that is created between $P^i$ and its partner |
| Test($P^i$) | It helps $\mathcal{A}$ to make a request to $P^i$ for the session key $K$, and $P^i$ outputs “probabilistically the result of a flipped unbiased coin $c$” |

In addition, we also define the “one-way collision-resistant hash function” in Definition 3 for analyzing the security of the proposed BioCAP. Furthermore, the “one-way cryptographic hash function $H(\cdot)$” is modeled as a random oracle, say Hash. As $H(\cdot)$ is public, it is apparent that all the involved participants including $\mathcal{A}$ have access to the Hash oracle.

Definition 3. A “one-way hash function”, say $H: \{0,1\}^* \to \{0,1\}^{l_h}$, is a “deterministic function” that produces a fixed length ($l_h$ bits) output string $H(x) \in \{0,1\}^{l_h}$ as “hash value or message digest” for any arbitrary length input string $x \in \{0,1\}^*$. Let $Adv_{\mathcal{A}}^{Hash}(t_h)$ denote the “advantage of $\mathcal{A}$ in attacking hash collision in time $t_h$”. Then, $Adv_{\mathcal{A}}^{Hash}(t_h) = \Pr[(a, b) \leftarrow_r \mathcal{A} : a \ne b, H(a) = H(b)]$, where a random event $X$'s probability is $\Pr(X)$ and $(a, b) \leftarrow_r \mathcal{A}$ indicates that “the pair $(a, b)$ is randomly picked by $\mathcal{A}$”. An $(\zeta, t_h)$-adversary $\mathcal{A}$ attacking $H(\cdot)$'s collision resistance means that “$\mathcal{A}$'s runtime will be at most $t_h$ with $Adv_{\mathcal{A}}^{Hash}(t_h) \le \zeta$”.

We now prove the semantic security of the proposed BioCAP in Theorem 2.

Theorem 2. Suppose a polynomial-time adversary $\mathcal{A}$ is running against the proposed BioCAP scheme under the ROR model. If $q_h$, $q_s$, $|Hash|$ and $l_b$ denote the number of Hash queries, the number of Send queries, the range space of a “one-way collision-resistant hash function $H(\cdot)$” and the number of bits in BioCode, respectively, then

$$Adv_{\mathcal{A}}^{BioCAP} \le \frac{q_h^2}{|Hash|} + \frac{q_s}{2^{l_b - 1}}.$$

Proof. We follow the similar proof of this theorem as presented in [55]. Here, we have three defined games, say $G_j$, $j = 0, 1, 2$. If we denote $Succ_{G_j}$ as an event wherein $\mathcal{A}$ can guess the random bit $c$ in $G_j$ accurately, $\mathcal{A}$'s advantage in winning the game $G_j$ is denoted by $Adv_{\mathcal{A},G_j}^{BioCAP} = \Pr[Succ_{G_j}]$. The description of each game is provided below.

• Game $G_0$: Under this game, the actual attack is executed by $\mathcal{A}$ against the proposed BioCAP in the ROR model. As the bit $c$ needs to be selected randomly before $G_0$ begins, it follows from the semantic security defined in Definition 2 that

$$Adv_{\mathcal{A}}^{BioCAP} = |2 \cdot Adv_{\mathcal{A},G_0}^{BioCAP} - 1|. \qquad (6)$$

• Game $G_1$: This game corresponds to an eavesdropping attack in which $\mathcal{A}$ can eavesdrop all the messages Request1, Reply1, Request2, AS REP-2, RS REQ and RE REP among C, AS and RS during the user authentication process by executing the Execute query tabulated in Table V. At the end of this game, $\mathcal{A}$ needs to execute the Reveal and Test queries in order to verify whether the derived session key $K$ and service token $ST$ are actual or random numbers. Only eavesdropping of these messages does not at all increase the probability in deriving $K$ and $ST$. Since the games $G_0$ and $G_1$ are indistinguishable, we have

$$Adv_{\mathcal{A},G_1}^{BioCAP} = Adv_{\mathcal{A},G_0}^{BioCAP}. \qquad (7)$$

• Game $G_2$: In this game, we add the simulations of the Send and Hash queries, and it is then modeled as an active attack. From the intercepted messages Request1, Reply1, Request2, AS REP-2, RS REQ and RE REP among C, AS and RS during the user authentication process, there will be no hash collision as these are safeguarded by the collision-resistant $H(\cdot)$ (see Definition 3) and symmetric encryption using the session key $K$ and other secret key $K_b$, and random numbers. Moreover, the probability of guessing the correct BioCode of the client C is approximately $\frac{1}{2^{l_b}}$ [56]. If we limit the number of non-matching biometric inputs, applying the birthday paradox, we obtain the following relation:

$$|Adv_{\mathcal{A},G_1}^{BioCAP} - Adv_{\mathcal{A},G_2}^{BioCAP}| \le \frac{q_h^2}{2 \cdot |Hash|} + \frac{q_s}{2^{l_b}}. \qquad (8)$$

Since all the queries are executed by $\mathcal{A}$, it only remains for $\mathcal{A}$ to guess the bit $c$ for winning the game once the Test query is made by $\mathcal{A}$. It then follows that

$$Adv_{\mathcal{A},G_2}^{BioCAP} = \frac{1}{2}. \qquad (9)$$

Eqs. (6), (7) and (8) give the following relation:

$$\frac{1}{2} \cdot Adv_{\mathcal{A}}^{BioCAP} = \left|Adv_{\mathcal{A},G_0}^{BioCAP} - \frac{1}{2}\right| = |Adv_{\mathcal{A},G_1}^{BioCAP} - Adv_{\mathcal{A},G_2}^{BioCAP}|. \qquad (10)$$


Next, Eqs. (8) and (10) give the following result: BioCode from the compromised Freg or Fqry . Therefore, the
compromised Freg or Fqry will neither help an attacker to
1 BioCAP qs qh2
.AdvA ≤ + . (11) login into the system nor to generate a BioCode.
2 2.|Hash| 2lb
Case 2 (When KC is compromised): If KC is known to
At the last, multiplying both sides of Eq. (11) by a factor of 0 0
an attacker, he cannot decrypt Fqry because Fqry is encrypted
2 and simplifying, we obtain the desired result as
2
qh using the session key K. Later, if an attacker sends the
AdvABioCAP
≤ |Hash| + 2lqbs−1 . 0
fake authentication request using intercepted [Fqry , KC0
], then
0
Fqry will be useless for AS. This is because, the session
0
B. Informal Security Analysis and Other Discussions key may not exits using which Fqry was encrypted. Hence,
compromised KC is no more useful for an attacker.
1) Security of BioCode: Panchal et al. [57] has shown that
a BioCode needs at least 168 bits. Therefore, the minimum 5) Replay Attack: We consider the following scenarios:
number of brute-force trials to guess a BioCode is at least
2168 which takes minimum 1014 years! Hence, it is difficult • C’s Request2 to AS: If an attacker intercepts [Fqry 0
,KC 0
]
for an attacker to guess a BioCode in real-time. (which are encrypted using session key K) and sends
2) Security of Biometric Data: The main focus of providing it to AS before C sends it to AS. In this situation,
the security for stored biometric data is to prevent its illegit- AS verifies the attacker’s request successfully and sends
imate use from the remote server. This is conceivable only the reply message [ST 00 ,S 0 ,r10 ,r20 ,p0 ,ST 0 ,Bv ,Bv0 ] to the
when there is a provision to make the stored data legible or attacker. The attacker will not be able to decrypts the
accessible by the remote server administrator. In BioCAP, we reply message because ST 00 , S 0 , r10 , r20 , p0 are encrypted
encrypt the C’s biometric data Freg using the private key KC using RS’s private key and ST 0 , Bv , Bv0 cannot be
to make it illegible. It may be noted that the C’s private key decrypted because session key K is not available with
(KC ) is not accessible to any remote premise. Therefore, any an attacker. Hence, replaying C’s request will not help
one except the client, does not have any privilege to decrypt the attacker to login.
the stored biometric data. If the stored biometric data is stolen • C’s request to RS: If an attacker send RS REQ = [ST 0 ,
or lost, then also it will be useless due to its illegible form. ST 00 , S 0 , r10 , r20 , p0 ] to RS. In this situation, RS verifies
Hence, the stolen verifier attack is not possible. the message RS REQ successfully. RS then generates
3) Biometric Data Guessing Attack: The constitution of [Bv , Bv0 ] and sends back to the attacker. The attacker’s
original feature set Freg or Fqry is as follows. On the average machine cannot verify the message because of the lack
each fingerprint generate 60-70 straight lines. So, total number of the session key K. Also, the attacker cannot decrypt
of lengths and angles becomes 120-140, approximately. Hence, ST 0 without session key K. Hence, an attempt to illegal
our feature sets (Freg or Fqry ) contains minimum 120 values. service access will be intercepted.
The length value is ranging from 1 to 70 × 2 pixels. This
is because the block size of an image is 70 × 70 pixel. 6) Identity Management: Our proposed approach identifies
This block size is decided based on the experiments. The the genuine entities C, AS, and RS during the authentication
angle values is ranging from 1 to 360 degree. Therefore the phase if a fake entity tries to attack during the authentication
possible combinations for the feature sets (Freg or Fqry ) is process.
(60P140 + 60P360). To apply brute-force on this combination, an attacker requires at least 10^12 years to guess it correctly.

4) Man-in-the-Middle Attack: If an attacker intercepts biometric data during its transmission, then the attacker will not gain any information about the original biometric data of a client C. This is because we transmit the biometric data (Freg) in an encrypted form (F′reg). It is encrypted using C's private key (KC). Here, an attacker does not have any knowledge about the private key (KC). Therefore, the man-in-the-middle attack is impossible for an attacker. In the following, we consider two cases.

Case 1 (When Freg or Fqry is compromised): In this situation, an attacker can try to log in to the system using Freg or Fqry. But, during the authentication request (C's Request1 to AS), C needs to send biometric index Bx. To generate Bx, BioCAP requires BioCode of C, which can only be generated from C's fingerprint. It may be noted that using Freg or Fqry, an attacker cannot generate BioCode, because Freg or Fqry contains the straight lines information (line and angle based features) while BioCode is generated using minutiae points of the consistent region. Hence, there is no chance of generating

• If RS authenticates ST′ and ST″ using its private key Krs, RS believes that C and AS are genuine.
• If C authenticates the message which is received from AS, C believes that AS is genuine.
• If C authenticates Bv and B′v which are sent by RS, C also believes that RS is genuine.

7) Resilience against C and Multiple ASs Compromise Attacks: If C is registered with multiple authentication servers, say AS1 and AS2, our approach generates two different identities for C. Thus, two different authentication servers AS1 and AS2 enroll with C using two different Kr1 and Kr2 values, respectively. In addition, AS1 and AS2 contain different biometric indexers Gx1 and Gx2, respectively. Therefore, C can have different index values for different ASs. Further, if C's credentials {Freg or KC} of AS1 are compromised, Freg or KC will not be useful for AS2. This is because the enrollment in AS2 is done using different values of KC, Kr, Gx, Bx. Hence, even if AS1 is compromised, an attacker will not get any advantage over AS2.
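The separation argued in item 7 rests on the two derivations that appear in the client role of the HLPSL model (Fig. 5): Bx = H(Gx.BioCode) and Kc = H(BioCode.Kr). The following Python code is an added example, not the authors' implementation; the AuthServer and Client classes, SHA-256 as H, and the random stand-in for BioCode are assumptions. It also runs the case where two servers share one Gx, which the argument above assumes does not happen.

```python
import hashlib
import secrets
from typing import Optional


def H(*parts: bytes) -> bytes:
    """H(a.b) as written in the HLPSL role.

    Assumption of this example: SHA-256 over length-prefixed parts, so that
    different splits of the same bytes cannot produce the same digest.
    """
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return digest.digest()


class AuthServer:
    """Hypothetical AS: one biometric indexer Gx, one secret Kr per enrolled index."""

    def __init__(self, name: str, gx: Optional[bytes] = None):
        self.name = name
        self.gx = gx if gx is not None else secrets.token_bytes(16)
        self._kr_by_index = {}

    def enroll(self, bx: bytes) -> bytes:
        """Store a fresh Kr under the client's index and hand it back."""
        kr = secrets.token_bytes(16)
        self._kr_by_index[bx] = kr
        return kr

    def reply1(self, bx: bytes) -> Optional[bytes]:
        """Answer Request1: Kr for a known index, None for an unknown one."""
        return self._kr_by_index.get(bx)


class Client:
    def __init__(self, biocode: bytes):
        self._biocode = biocode  # derived from the fingerprint, never transmitted

    def index_for(self, server: AuthServer) -> bytes:
        return H(server.gx, self._biocode)   # Bx = H(Gx.BioCode)

    def private_key(self, kr: bytes) -> bytes:
        return H(self._biocode, kr)          # Kc = H(BioCode.Kr)


def enroll(client: Client, server: AuthServer):
    """Enroll the client at one server and return its (Bx, Kc) for that server."""
    bx = client.index_for(server)
    kr = server.enroll(bx)
    return bx, client.private_key(kr)


def cross_server_check(shared_gx: bool = False) -> dict:
    """Enroll one client at AS1 and AS2 and compare what each server ends up with."""
    client = Client(secrets.token_bytes(20))  # constructed stand-in for BioCode
    as1 = AuthServer("AS1")
    as2 = AuthServer("AS2", gx=as1.gx if shared_gx else None)
    bx1, kc1 = enroll(client, as1)
    bx2, kc2 = enroll(client, as2)
    return {
        # Same index at both servers would let the two enrollments be linked.
        "index_linkable": bx1 == bx2,
        # Would the index taken from AS1 be recognised by AS2 in Request1?
        "stolen_index_accepted": as2.reply1(bx1) is not None,
        # Kc depends on the per-server Kr, so it should never carry over.
        "key_reusable": kc1 == kc2,
    }


if __name__ == "__main__":
    print(cross_server_check())
    print(cross_server_check(shared_gx=True))
```

With independent Gx values all three fields are False; with a shared Gx the index becomes linkable across servers while Kc still differs, because Kr is generated per server.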


C. Formal Security Verification Using AVISPA: Simulation Study

In this section, we demonstrate the resilience of BioCAP against replay and man-in-the-middle attacks using AVISPA [46], which has been used to determine whether a security protocol is “safe”, “unsafe” or “inconclusive” against passive/active attacks [49]–[51], [54]. AVISPA comprises “On-the-fly model checker (OFMC)”, “Constraint-Logic-based Attack Searcher (CL-AtSe)”, “SAT-based Model-Checker (SATMC)” and “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. The designed security protocol is implemented using the “High-Level Protocol Specification Language (HLPSL)”, which is a “role-oriented” language containing optional basic roles and mandatory roles (session, goal and environment). The mandatory roles contain the composition of the sessions along with globally defined constants. The HLPSL code is then transformed to the “Intermediate Format (IF)” using the HLPSL2IF translator, and the IF serves as an input to one of OFMC, CL-AtSe, SATMC and/or TA4SP to produce the “Output Format (OF)”. Currently, SATMC and TA4SP do not support bitwise XOR operations. The OF has the following sections [46]:

• SUMMARY defines “whether the tested security protocol is safe, unsafe, or whether the analysis is inconclusive”.
• DETAILS indicates “a detailed explanation of why the tested protocol is concluded as safe, or under what conditions the test application or protocol is exploitable using an attack, or why the analysis is inconclusive”.
• PROTOCOL means “the HLPSL specification of the target protocol in the IF”.
• GOAL is “the goal of the analysis which is being performed by AVISPA using HLPSL specification”.
• BACKEND indicates “the name of the back-end that is used for the analysis”.
• At the end, “the trace of a possible attack to the tested protocol, if any, along with some statistics and relevant comments” is produced.

The detailed discussions on AVISPA and its HLPSL implementation documentations are provided in [46].

In our HLPSL implementation, we defined three basic roles (the roles for the client (C), authentication server (AS) and resource server (RS)), and the compulsory roles for the session, goal as well as environment. For example, we have provided the role of C in Fig. 5, and the roles for the session, goal & environment in Fig. 6. In the role of C, C first sends the message Request1 to the AS via public channel and receives the message Reply1 from the AS. Later, C sends the message Request2 to the AS and in response, it receives the message RS_REP-2 from the AS. Finally, C sends the message RS_REQ to the RS. By the declaration “secret({K}, sp2, {C, AS, RS})”, it signifies that the secret K is shared among the entities C, AS, and RS. The notation “{Bx'}_K” means that Bx′ is encrypted by the key K. The declaration “witness(AS, C, as_c_r1, R1')” tells that AS has freshly generated the value R1′ for the C which is already included in a message that is sent to C by the AS.

    %%% Role for the client C
    %%% (header inferred from the client(...) call in the session role, Fig. 6)
    role client (C, AS, RS: agent, H: hash_func, Snd, Rcv: channel(dy))
    played_by C
    def=
      local State: nat,
            Bx, Bx1, Gx, BioCode, Kr, K, Fqry, Fqry1: text,
            Kc, Kc1, ST, R1, R2: text
      const sp1, sp2 : protocol_id
      init State := 0

      transition
      %%% User authentication phase
      1. State = 0 /\ Rcv(start) =|>
         State' := 1 /\ Bx' := H(Gx.BioCode)
                     /\ Bx1' := {Bx'}_K
                     /\ secret({Gx,BioCode}, sp1, {C})
                     /\ secret({K}, sp2, {C, AS, RS})
      %%% Send Request_1 to AS
                     /\ Snd(Bx1')
      %%% Receive Reply_1 from AS
      2. State = 1 /\ Rcv({Kr'}_K) =|>
         State' := 2 /\ Fqry1' := {Fqry}_K
                     /\ Kc' := H(BioCode.Kr')
                     /\ Kc1' := {Kc'}_K
      %%% Send Request_2 to AS
                     /\ Snd(Fqry1'.Kc1')
      %%% Receive RS_REP-2 from AS
      3. State = 2 /\ Rcv({ST'.R1'.R2'.H(R1'.R2').{H(R1'.R2')}_K}_K) =|>
      %%% Send RS_REQ to RS
         State' := 3 /\ Snd({ST'.R1'.R2'}_K)
      4. State = 3 /\ Rcv({H(R1'.R2').{H(R1'.R2')}_K}_K) =|>
         State' := 4 /\ witness(AS, C, as_c_kr, Kr')
                     /\ witness(AS, C, as_c_st, ST')
                     /\ witness(AS, C, as_c_r1, R1')
                     /\ witness(AS, C, as_c_r2, R2')
    end role

Fig. 5: Role for client C in HLPSL implementation

In Fig. 6, the top-level role, environment, is always defined and it defines the execution of the protocol in terms of the session role. The session role specifies each iteration of the protocol. It is worth noticing that the intruder i is also treated as a legitimate agent. The confidentiality (privacy) goal is achieved through the “secrecy_of” declaration, whereas the authentication goal is done through the “authentication_on” declaration. For further details of the HLPSL implementation, the readers are referred to the documentation provided in [46].

    %%% Role for the session
    role session (C, AS, RS: agent,
                  H: hash_func)
    def=
      local Sn1, Sn2, Sn3,
            Rv1, Rv2, Rv3: channel (dy)
      composition
           client (C, AS, RS, H, Sn1, Rv1)
        /\ authserver (C, AS, RS, H, Sn2, Rv2)
        /\ resourceserver (C, AS, RS, H, Sn3, Rv3)
    end role

    %%% Role for the goal & environment
    role environment()
    def=
      const c, as, rs: agent,
            h: hash_func,
            sp1, sp2, as_c_kr, as_c_st,
            as_c_r1, as_c_r2: protocol_id
      intruder_knowledge = {c, as, rs, h}
      composition
           session(c, as, rs, h)
        /\ session(i, as, rs, h)
        /\ session(c, i, rs, h)
        /\ session(c, as, i, h)
    end role

    goal
      %%% Confidentiality (privacy)
      secrecy_of sp1, sp2
      %%% Authentication
      authentication_on as_c_kr, as_c_st,
                        as_c_r1, as_c_r2
    end goal
    environment()

Fig. 6: Role for session, goal and environment in HLPSL implementation

According to AVISPA specifications [46], we need three verifications for our scheme: “executability checking on non-trivial HLPSL specifications”, “replay attack checking” and “Dolev-Yao (DY) model checking” [21]. We simulated BioCAP using OFMC and CL-AtSe backends using “SPAN, the Security Protocol ANimator for AVISPA” tool [58]. The simulation results reported in Fig. 7 clearly demonstrate that the proposed scheme is secure against replay and man-in-the-middle attacks.

    SUMMARY
      SAFE
    DETAILS
      BOUNDED_NUMBER_OF_SESSIONS
    PROTOCOL
      /home/akdas/span/testsuite/results/auth-biocap.if
    GOAL
      as specified
    BACKEND
      OFMC
    STATISTICS
      TIME 43 ms
      parseTime 0 ms
      visitedNodes: 29 nodes
      depth: 4 plies

    SUMMARY
      SAFE
    DETAILS
      BOUNDED_NUMBER_OF_SESSIONS
      TYPED_MODEL
    PROTOCOL
      /home/akdas/span/testsuite/results/auth-biocap.if
    GOAL
      As specified
    BACKEND
      CL-AtSe
    STATISTICS
      Analysed : 0 state
      Reachable : 0 state
      Translation: 0.03 seconds
      Computation: 0.01 seconds

Fig. 7: Analysis of simulation results under CL-AtSe and OFMC

VI. COMPARATIVE STUDY WITH EXISTING SCHEMES

In this section, we will now present the performance evaluation of the proposed scheme with four other related authentication schemes.

A. Performance Comparison with Kerberos

The comparison between our approach and Kerberos is summarized below:

1) It requires a number of keys (one long-term, three short-term and two private keys), which is an overhead and leads to a computationally expensive protocol.
2) A client always sends his user ID in clear form to the authentication server, and the authentication server issues a ticket if the user ID is found in the database. Therefore, an attacker can easily take the user ID from the communication message and get the ticket from the server. The intercepted ticket can be used for man-in-the-middle attack, replay attack, stolen verifier attack etc.
3) An attacker can get the information about the clients (K-anonymity) who are currently logged in, leading to impersonation and denial of service attacks.
4) A client and authentication server always generate a shared key by hashing the password. The shared key can be guessed by password guessing attack or dictionary attack.
5) Once the client receives the message from the authentication server, it does not verify the received message and proceeds further to interact with the service server.

B. Performance Comparison with OAuth and OpenID

The major security flaw in the OAuth and OpenID protocols is that they suffer from a vulnerability called open redirect (i.e., open redirect attack) [59], [60]. In this attack, an attacker can redirect the response of the authentication server to a malicious location rather than to the originally requested client. This attack might jeopardize the “token” of the client, which could be used to access user information from the authentication server. If the “token” has a high privilege, the attacker could obtain more sensitive information too.

C. Performance Comparison with Other User Authentication Schemes

We compare the performance of our approach with the existing biometric-based user authentication schemes of Park et al. [17], Dhillon and Kalra [18], Kaul and Awasthi [19], and Kang et al. [20]. In this section, we use the same evaluation metrics used in the studies of [61]–[66].

We compare the communication costs of the proposed scheme and the other schemes [17], [18], [19], [20] in Table VI. We apply the following assumptions to compute the number of bits needed for transmission of the messages during the login and authentication phases: biometric index Bx is 164 bits, secret K′r is 128 bits, secret K′c is 128 bits and F′qry is 128 bits. Therefore, during authentication, the first message we send is 288 bits long and the second message is 256 bits long. The communication costs needed for the schemes of Park et al. [17], Dhillon and Kalra [18], Kaul and Awasthi [19], and Kang et al. [20] are 2528 bits, 3040 bits, 704 bits and 960 bits, respectively.

TABLE VI: Comparison of communication overheads

    Protocol   No. of messages   No. of bits
    Our        2                 544
    [17]       2                 2528
    [18]       4                 3040
    [19]       2                 704
    [20]       2                 960

We then compare the computational costs of the proposed scheme and the other schemes [17], [18], [19], [20] in Table VII. We denote the notations Th, Tbh
and Texp as the time needed to execute hashing, biohashing and modular exponentiation operations, respectively. We apply the existing experimental results reported in [49] as follows: Th ≈ 0.00032 s, Tbh ≈ 0.0171 s and Texp ≈ 0.0192 s, assuming that the time needed for a biohashing operation is almost the same as that for an elliptic curve point multiplication. Based on these results, the computational costs needed for the schemes of Park et al. [17], Dhillon and Kalra [18], Kaul and Awasthi [19], and Kang et al. [20] are 7Th + 6Texp ≈ 117.44 ms, 20Th ≈ 6.40 ms, 15Th ≈ 4.80 ms and Tbh + 13Th ≈ 21.26 ms, respectively. The computation cost of our approach for a user is 2Th ≈ 0.64 ms and for a server is 3Th ≈ 0.96 ms. In our approach, the number of hash operations is two for a client and three for a server. Therefore, there are five hash computations, which need approximately 1.6 ms. No exponential and biohashing operations are involved in our approach. It is clear that our scheme requires less computation cost as compared to that for other schemes.

TABLE VII: Comparison of computation overheads

    Protocol   User                      Server                    Device           Total cost
    Our        2Th ≈ 0.64 ms             3Th ≈ 0.96 ms             −                5Th ≈ 1.6 ms
    [17]       4Th + 3Texp ≈ 58.88 ms    3Th + 3Texp ≈ 58.56 ms    −                7Th + 6Texp ≈ 117.44 ms
    [18]       8Th ≈ 2.56 ms             7Th ≈ 2.24 ms             5Th ≈ 1.60 ms    20Th ≈ 6.40 ms
    [19]       10Th ≈ 3.20 ms            5Th ≈ 1.60 ms             −                15Th ≈ 4.80 ms
    [20]       Tbh + 8Th ≈ 19.66 ms      5Th ≈ 1.60 ms             −                Tbh + 13Th ≈ 21.26 ms

A comparative summary of the security and functionality features is presented in Table VIII, and these features SFF1–SFF14 are also used in the studies of [61], [62].

TABLE VIII: Comparison of security & functionality features

    Feature   [17]   [18]   [19]   [20]   Our
    SFF1      ×      ×      ×      ×      ✓
    SFF2      ×      ×      ×      ×      ✓
    SFF3      ×      ✓      ×      ×      ✓
    SFF4      ✓      ✓      ✓      ✓      ✓
    SFF5      ✓      ✓      ✓      ✓      ✓
    SFF6      ×      ×      ✓      ×      ✓
    SFF7      ×      ✓      ✓      ×      ✓
    SFF8      ×      ✓      ×      ✓      ✓
    SFF9      ✓      ✓      ✓      ×      ✓
    SFF10     ✓      ×      ×      ✓      ✓
    SFF11     ✓      ✓      ✓      ✓      ✓
    SFF12     ×      ×      ×      ×      ✓
    SFF13     ✓      ✓      ✓      ×      ✓
    SFF14     ✓      ✓      ✓      ×      ✓

Note: SFF1: tampering attack against stored biometric information; SFF2: tampering attack against stolen biometric information from server; SFF3: privileged-insider attack; SFF4: replay attack; SFF5: man-in-the-middle-attack; SFF6: denial-of-service attack; SFF7: stolen smart card attack; SFF8: offline password guessing attack; SFF9: user impersonation attack; SFF10: preservation of anonymity; SFF11: requirement of pre-loaded information; SFF12: cryptographic key generation provision; SFF13: requirement of password; SFF14: mutual authentication.
×: a scheme is insecure against a particular attack or it does not support a particular feature; ✓: a scheme is secure against a particular attack or it supports a particular feature.

The tampering attacks against stored and stolen biometric information concern whether an adversary A having the biometric information of a legal user can derive secret information (i.e., session key). By privileged-insider attack, a trusted user within the organization may act as a privileged-insider and obtain the secret credentials of a registered user during the registration, and then attempt to misuse those obtained credentials. In the replay attack, A tries to record the transmitted messages and then mislead another legal entity by re-utilizing the information during the communication. Under the man-in-the-middle attack, A may eavesdrop on the communicated messages between the entities and then attempt to update/modify/delete the message contents delivered to the receivers. In the stolen smart card attack, an attacker A having a lost/stolen smart card of a registered user can extract all the credentials stored in its memory by using the power analysis attacks [67] and then attempt to derive the secret credentials of that user. A Denial-of-Service (DoS) attack is treated as an event which resists a system/network's capability to execute its expected functionalities, such as resource depletion. Under impersonation attack, a recipient believes that the message has come from a legitimate entity and the adversary plays the legitimate role of the sender. If a password-based scheme is used, an adversary A may try to guess a legal user's password (either online or offline mode) using the eavesdropped messages as well as stored information in the system and/or a user's smart card/mobile device. Finally, anonymity leads to straightly from any and all failures of traceability property.

It is observed that the proposed BioCAP provides better security for the biometric template stored in the server and for private key generation for a user. Further, in contrast to the state of the art authentication schemes, it does not require any password or smart card. As a result, BioCAP has strength and merit for practical implementation in real life applications. In this regard, we compare our work with the existing related works, which is shown in Table VIII.

TABLE IX: Experimental results comparison with existing mechanisms

    Protocol   Execution Time   Memory Capacity
    [68]       2.094 s          640 bits
    [69]       0.018 s          896 bits
    [70]       0.012 s          384 bits
    [71]       0.0105 s         768 bits
    [72]       0.014 s          640 bits
    Our        0.0012 s         544 bits

We also compared our approach with existing biometric based remote authentication mechanisms. Specifically, we executed our approach on the cloud application server using publicly freely available cloud services. We have used Amazon free trial resizable compute capacity in the cloud with the minimum configuration provided by AWS for testing purpose. We have utilized MATLAB R2014b, AWS SDK for .NET, and C#. We have assumed that there is a secure connection
via the Secure Sockets Layer (SSL) [73] between client and server for biometric data communication. The comparative analysis is shown in Table IX. We considered two parameters, namely: execution time and memory capacity. We calculated the time once the data is received by the cloud server and then performed the computation. The data transmission cost may differ based on the network capacity. It is observed that the proposed approach needs less time as compared to that of other existing mechanisms. Also, the memory capacity of the proposed approach is comparable with the existing approaches.

VII. CONCLUDING REMARKS

Biometric has its unique advantages over conventional password and token-based security system, as evidenced by its increased adoption (e.g., on Android and iOS devices).

In this paper, we introduced a biometric-based mechanism to authenticate a user seeking to access services and computational resources from a remote location. Our proposed approach allows one to generate a private key from a fingerprint biometric, as it is possible to generate the same key from a fingerprint of a user with 95.12% accuracy. Our proposed session key generation approach using two biometric data does not require any prior information to be shared. A comparison of our approach with other similar authentication protocols reveals that our protocol is more resilient to several known attacks.

Future research includes exploring other biometric traits and also multi-modal biometrics for other sensitive applications (e.g., in national security matters).

ACKNOWLEDGMENTS

The authors are grateful to the reviewers and the Associate Editor for their invaluable feedback. The corresponding author was supported in part by the National Science Foundation (NSF) Centers of Research Excellence in Science and Technology (CREST) under Grant HRD-1736209.

REFERENCES

[1] C. Neuman, S. Hartman, K. Raeburn, “The kerberos network authentication service (v5),” RFC 4120, 2005.
[2] “OAuth Protocol.” [Online]. Available: http://www.oauth.net/
[3] “OpenID Protocol.” [Online]. Available: http://openid.net/
[4] G. Wettstein, J. Grosen, and E. Rodriguez, “IDFusion: An open architecture for Kerberos based authorization,” Proc. AFS and Kerberos Best Practices Workshop, June 2006.
[5] A. Kehne, J. Schonwalder, and H. Langendorfer, “A nonce-based protocol for multiple authentications,” ACM SIGOPS Operating System Review, vol. 26, no. 4, pp. 84–89, 1992.
[6] B. Neuman and S. Stubblebine, “A note on the use of timestamps as nonces,” Oper. Syst. Rev., vol. 27, no. 2, pp. 10–14, 1993.
[7] J. Astorga, E. Jacob, M. Huarte, and M. Higuero, “Ladon : end-to-end authorisation support for resource-deprived environments,” IET Information Security, vol. 6, no. 2, pp. 93–101, 2012.
[8] S. Zhu, S. Setia, and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks,” Washington D.C., USA, October 2003, pp. 62–72.
[9] A. Perrig, R. Szewczyk, D. Tygar, V. Wen, and D. Culler, “SPINS: security protocols for sensor networks,” ACM Wireless Networking, vol. 8, no. 5, pp. 521–534, 2002.
[10] P. Kaijser, T. Parker, and D. Pinkas, “SESAME: The solution to security for open distributed systems,” Computer Communications, vol. 17, no. 7, pp. 501–518, 1994.
[11] G. Wettstein, J. Grosen, and E. Rodriguez, “IDFusion: An open architecture for Kerberos based authorization,” Proc. AFS and Kerberos Best Practices Workshop, June 2006.
[12] M. Walla, “Kerberos explained,” Windows 2000 Advantage Magazine, 2000.
[13] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks,” Peer-to-Peer Networking and Applications, vol. 8, no. 6, pp. 1070–1081, 2015.
[14] O. Althobaiti, M. Al-Rodhaan, and A. Al-Dhelaan, “An efficient biometric authentication protocol for wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 2013, pp. 1–13, 2013, Article ID 407971, http://dx.doi.org/10.1155/2013/407971.
[15] K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.
[16] M. Turkanovic, B. Brumen, and M. Holbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion,” Ad Hoc Networks, vol. 20, pp. 96–112, 2014.
[17] M. Park, H. Kim, and S. Lee, “Privacy Preserving Biometric-Based User Authentication Protocol Using Smart Cards,” in 17th International Conference on Computational Science and Engineering, Chengdu, China, 2014, pp. 1541–1544.
[18] P. K. Dhillon and S. Kalra, “A lightweight biometrics based remote user authentication scheme for IoT services,” Journal of Information Security and Applications, vol. 34, pp. 255–270, 2017.
[19] S. D. Kaul and A. K. Awasthi, “Security Enhancement of an Improved Remote User Authentication Scheme with Key Agreement,” Wireless Personal Communications, vol. 89, no. 2, pp. 621–637, 2016.
[20] D. Kang, J. Jung, H. Kim, Y. Lee, and D. Won, “Efficient and Secure Biometric-Based User Authenticated Key Agreement Scheme with Anonymity,” Security and Communication Networks, vol. 2018, pp. 1–14, 2018, Article ID 9046064, https://doi.org/10.1155/2018/9046064.
[21] D. Dolev and A. C. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
[22] A. K. Das, “A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks,” Peer-to-Peer Networking and Applications, vol. 9, no. 1, pp. 223–244, 2016.
[23] ——, “A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor,” International Journal of Communication Systems, vol. 30, no. 1, pp. 1–25, 2017.
[24] C. T. Li, C. Y. Weng, and C. C. Lee, “An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks,” Sensors, vol. 13, no. 8, pp. 9589–9603, 2013.
[25] D. He, N. Kumar, and N. Chilamkurti, “A secure temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” in International Symposium on Wireless and pervasive Computing (ISWPC), Taipei, Taiwan, 2013, pp. 1–6.
[26] M. Turkanovic and M. Holbl, “An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” ELEKTRONIKA IR ELEKTROTECHNIKA, vol. 19, no. 6, pp. 109–116, 2013.
[27] R. Amin and G. P. Biswas, “A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks,” Ad Hoc Networks, vol. 36, pp. 58–80, 2016.
[28] C.-C. Chang and N.-T. Nguyen, “An Untraceable Biometric-Based Multi-server Authenticated Key Agreement Protocol with Revocation,” Wireless Personal Communications, vol. 90, no. 4, pp. 1695–1715, 2016.
[29] Z. Xia, C. Yuan, R. Lv, X. Sun, N. N. Xiong, and Y. Shi, “A Novel Weber Local Binary Descriptor for Fingerprint Liveness Detection,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2018, doi: 10.1109/TSMC.2018.2874281.
[30] C. Yuan, X. Sun, and Q. M. J. Wu, “Difference co-occurrence matrix using BP neural network for fingerprint liveness detection,” Soft Computing, vol. 23, no. 13, pp. 5157–5169, 2019.
[31] W. Yang, S. Wang, J. Hu, G. Zheng, and C. Valli, “Security and Accuracy of Fingerprint-Based Biometrics: A Review,” Symmetry, vol. 11, no. 2, 2019. [Online]. Available: https://www.mdpi.com/2073-8994/11/2/141
[32] X. Huang, X. Chen, J. Li, Y. Xiang, and L. Xu, “Further Observations on Smart-Card-Based Password-Authenticated Key Agreement in Distributed Systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 7, pp. 1767–1775, 2014.
[33] D. Wang and P. Wang, “On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions,” Computer Networks, vol. 73, pp. 41–57, 2014.
[34] D. Wang, H. Cheng, D. He, and P. Wang, “On the Challenges in Designing Identity-Based Privacy-Preserving Authentication Schemes for Mobile Devices,” IEEE Systems Journal, vol. 12, no. 1, pp. 916–925, 2018.
[35] D. He, S. Zeadally, N. Kumar, and J. Lee, “Anonymous Authentication for Wireless Body Area Networks With Provable Security,” IEEE Systems Journal, vol. 11, no. 4, pp. 2590–2601, 2017.
[36] D. He, N. Kumar, J. Lee, and R. S. Sherratt, “Enhanced three-factor security protocol for consumer USB mass storage devices,” IEEE Transactions on Consumer Electronics, vol. 60, no. 1, pp. 30–37, 2014.
[37] D. He, N. Kumar, J. Chen, C.-C. Lee, N. Chilamkurti, and S.-S. Yeo, “Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks,” Multimedia Systems, vol. 21, no. 1, pp. 49–60, 2015.
[38] D. He, N. Kumar, and N. Chilamkurti, “A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks,” Information Sciences, vol. 321, pp. 263–277, 2015.
[39] R. Johannesson and K. S. Zigangirov, Fundamentals of Convolutional Coding, 2nd ed. Wiley-IEEE Press, 2015.
[40] G. Panchal and D. Samanta, “A novel approach to fingerprint biometric-based cryptographic key generation and its applications to storage security,” Computers & Electrical Engineering, vol. 69, pp. 461–478, 2018.
[41] “Secure Hash Standard,” FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf. Accessed on January 2019.
[42] J. Katz and Y. Lindell, Introduction to Modern Cryptography, Chapter 6. New York, USA: CRC Press, Taylor & Francis Group.
[43] FVC2004 Fingerprint Databases. [Online]. Available: http://bias.csr.unibo.it/fvc2004/Downloads
[44] “NIST Special Database 4 (Fingerprint),” Dec. 2013. [Online]. Available: http://www.nist.gov/srd/nistsd4.cfm
[45] R. Brown, “Dieharder: A random number test suite,” August 2019. [Online]. Available: https://webhome.phy.duke.edu/∼rgb/General/dieharder.php
[46] AVISPA, “Automated Validation of Internet Security Protocols and Applications,” 2019, http://www.avispa-project.org/. Accessed on February 2019.
[47] R. Canetti and H. Krawczyk, “Analysis of key-exchange protocols and their use for building secure channels,” in International Conference on the Theory and Applications of Cryptographic Techniques– Advances in Cryptology (EUROCRYPT’01). Innsbruck (Tyrol), Austria: Springer, 2001, pp. 453–474.
[48] ——, “Universally Composable Notions of Key Exchange and Secure Channels,” in International Conference on the Theory and Applications of Cryptographic Techniques– Advances in Cryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 2002, pp. 337–351.
[49] J. Srinivas, A. K. Das, N. Kumar, and J. Rodrigues, “Cloud Centric Authentication for Wearable Healthcare Monitoring System,” IEEE Transactions on Dependable and Secure Computing, 2018, DOI: 10.1109/TDSC.2018.2828306.
[50] J. Srinivas, A. K. Das, M. Wazid, and N. Kumar, “Anonymous lightweight chaotic map-based authenticated key agreement protocol for industrial Internet of Things,” IEEE Transactions on Dependable and Secure Computing, 2018, DOI: 10.1109/TDSC.2018.2857811.
[51] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, “Design of Secure User Authenticated Key Management Protocol for Generic IoT Networks,” IEEE Internet of Things Journal, vol. 5, no. 1, pp. 269–282, Feb 2018.
[55] A. K. Das, M. Wazid, N. Kumar, A. V. Vasilakos, and J. J. P. C. Rodrigues, “Biometrics-Based Privacy-Preserving User Authentication Scheme for Cloud-Based Industrial Internet of Things Deployment,” IEEE Internet of Things Journal, vol. 5, no. 6, pp. 4900–4913, 2018.
[56] V. Odelu, A. K. Das, and A. Goswami, “A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, Sep. 2015.
[57] G. Panchal, D. Samanta, and S. Barman, “Biometric-based cryptography for digital content protection without any key storage,” Multimedia Tools and Applications, pp. 1–22, 2017. [Online]. Available: https://doi.org/10.1007/s11042-017-4528-x
[58] AVISPA, “SPAN, the Security Protocol ANimator for AVISPA,” 2019, http://www.avispa-project.org/. Accessed on February 2019.
[59] S. Sun and K. Beznosov, “The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems,” in 19th ACM Conference on Computer and Communications Security (CCS’12), Raleigh, North Carolina, USA, October 2012.
[60] C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, “Discovering Concrete Attacks on Website Authorization by Formal Analysis,” The open archive HAL (HAL Id: hal-00815834), pp. 1–50, 2013.
[61] D. Wang and P. Wang, “Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2018.
[62] D. Wang, W. Li, and P. Wang, “Measuring Two-Factor Authentication Schemes for Real-Time Data Access in Industrial Wireless Sensor Networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 9, pp. 4081–4092, 2018.
[63] J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” in IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, 2012, pp. 553–567.
[64] E. Erdem and M. T. Sandıkkaya, “OTPaaS–One Time Password as a Service,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 3, pp. 743–756, 2019.
[65] H. Luo, G. Wen, and J. Su, “Lightweight three factor scheme for real-time data access in wireless sensor networks,” Wireless Networks, 2018.
[66] S. Roy, A. K. Das, S. Chatterjee, N. Kumar, S. Chattopadhyay, and J. J. P. C. Rodrigues, “Provably Secure Fine-Grained Data Access Control Over Multiple Cloud Servers in Mobile Cloud Computing Based Healthcare Applications,” IEEE Transactions on Industrial Informatics, vol. 15, no. 1, pp. 457–468, 2019.
[67] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” in Proceedings of 19th Annual International Cryptology Conference (CRYPTO’99), LNCS, vol. 1666, Santa Barbara, California, USA, 1999, pp. 388–397.
[68] Y. An, “Security improvements of dynamic ID-based remote user authentication scheme with session key agreement,” 15th International Conference on Advanced Communications Technology (ICACT’13), pp. 1072–1076, 2013.
[69] J. Chou, C. Huang, Y. Huang, and Y. Chen, “Efficient two-pass anonymous identity authentication using smart card,” IACR Cryptology ePrint Archive, pp. 402–410, 2013. [Online]. Available: https://eprint.iacr.org/2013/402
[70] Y. Chang, W. Tai, and H. Chang, “Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update,” International Journal of Communication Systems, vol. 27, no. 11, pp. 3430–3440, 2014.
[71] S. Kumari, M. K. Khan, and X. Li, “An improved remote user authentication scheme with key agreement,” Computers & Electrical Engineering, vol. 40, no. 6, pp. 1997–2012, 2014.
[72] S. Kaul and A. Awasthi, “Security enhancement of an improved remote user authentication scheme with key agreement,” Wireless Personal Communications, vol. 89, no. 2, pp. 621–637, 2016.
[52] C. Chang and H. Le, “A Provably Secure, Efficient, and Flexible
Authentication Scheme for Ad hoc Wireless Sensor Networks,” IEEE [73] W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T.
Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366, Polk, S. Gupta, and E. A. Nabbus, “NIST Special Publication 800-
2016. 63-2: Electronic Authentication Guideline,” 2013, National Institute of
[53] S. Roy, S. Chatterjee, A. K. Das, S. Chattopadhyay, S. Kumari, and Standards and Technology (NIST), U.S. Department of Commerce.
M. Jo, “Chaotic Map-Based Anonymous User Authentication Scheme Accessed on July 2019.
With User Biometrics and Fuzzy Extractor for Crowdsourcing Internet
of Things,” IEEE Internet of Things Journal, vol. 5, no. 4, pp. 2884–
2895, Aug 2018.
[54] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure
Remote User Authenticated Key Establishment Protocol for Smart
Home Environment,” IEEE Transactions on Dependable and Secure
Computing, 2017, doi: 10.1109/TDSC.2017.2764083.


Gaurang Panchal (M’13) received the Ph.D. degree in Computer Science and Engineering from IIT Kharagpur, India, in 2017, the M.Tech. degree in Computer Engineering from Dharmsinh Desai University, in 2007 and the B.Tech. degree in Information Technology from the Saurashtra University, India, in 2003. He is presently working as a Lead Security Analyst in Siemens Technology and Services Pvt. Ltd., Bangalore, India and working on Cyber Security, IoT Trustworthy, Biometric, Threat and Risk Analysis, Vulnerability Management.

Debasis Samanta (M’05, SM’10) received the B.Tech. degree in Computer Science and Engineering from Calcutta University, the M. Tech. degree in Computer Science and Engineering from Jadavpur University, and Ph.D. degree in Computer Science and Engineering from IIT Kharagpur. He is actively working in the field of Human Computer Interaction. He has developed multi-modal interaction technique, text entry mechanisms in Indian languages, which are new of their kinds to bridge the digital divide. In addition to this, his research interest includes crypto biometric system, information security and Cloud security. He is an author of 3 books and more than 70 journals and 110 conference papers of international repute. He is currently Honorary Member of editorial Board of the International Journal of Biosciences and Technology, USA and member of Editorial Board of the International Journal of Communication Networks and Distributed Systems, U.K. He is the recipient of Best Author of the Year Award by Computer Society of India, Best Paper award by 8th ADCOM Conference, Microsoft Valued Professional award by Microsoft, USA and Author of the Best Selling Book by Prentice Hall of India, New Delhi.

Ashok Kumar Das (M’17–SM’18) received the Ph.D. degree in computer science and engineering, the M.Tech. degree in computer science and data processing, and the M.Sc. degree in mathematics from IIT Kharagpur, India. He is currently an Associate Professor with the Center for Security, Theory and Algorithmic Research, IIIT Hyderabad, India. His current research interests include cryptography, network security and blockchain. He has authored over 210 papers in international journals and conferences in the above areas, including more than 180 reputed journal papers. Some of his research findings are published in top cited journals, such as the IEEE Transactions on Information Forensics and Security, IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Smart Grid, IEEE Internet of Things Journal, IEEE Transactions on Industrial Informatics, IEEE Transactions on Vehicular Technology, IEEE Transactions on Consumer Electronics, IEEE Journal of Biomedical and Health Informatics, IEEE Consumer Electronics Magazine, IEEE Access and IEEE Communications Magazine. He was a recipient of the Institute Silver Medal from IIT Kharagpur. He is on the editorial board of KSII Transactions on Internet and Information Systems, International Journal of Internet Technology and Secured Transactions (Inderscience), and IET Communications, is a Guest Editor for Computers & Electrical Engineering (Elsevier) for the special issue on Big data and IoT in e-healthcare and for ICT Express (Elsevier) for the special issue on Blockchain Technologies and Applications for 5G Enabled IoT, and has served as a Program Committee Member in many international conferences. He also served as one of the Technical Program Committee Chairs of the International Congress on Blockchain and Applications (BLOCKCHAIN’19), Avila, Spain, June 2019.

Neeraj Kumar (M’16, SM’17) received the Ph.D. degree in computer science and engineering from Shri Mata Vaishno Devi University, Katra (J&K), India, in 2009. He was a Post-Doctoral Research Fellow at Coventry University, Coventry, U.K. He is currently a full Professor with the Department of Computer Science and Engineering, Thapar University, Patiala, India. He has authored more than 350 technical research papers published in leading journals and conferences from the IEEE, Elsevier, Springer, etc. He is on the editorial board of ACM Computing Survey, IEEE Transactions on Sustainable Computing, IEEE Network Magazine, IEEE Communication Magazine, Journal of Network and Computer Applications (Elsevier), Computer Communications (Elsevier) and International Journal of Communication Systems (Wiley).

Kim-Kwang Raymond Choo (SM’15) received the Ph.D. in Information Security in 2006 from Queensland University of Technology, Australia. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio. In 2016, he was named the Cybersecurity Educator of the Year - APAC (Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn), and in 2015 he and his team won the Digital Forensics Research Challenge organized by Germany’s University of Erlangen-Nuremberg. He is the recipient of the 2019 IEEE Technical Committee on Scalable Computing (TCSC) Award for Excellence in Scalable Computing (Middle Career Researcher), 2018 UTSA College of Business Col. Jean Piccione and Lt. Col. Philip Piccione Endowed Research Award for Tenured Faculty, Outstanding Associate Editor of 2018 for IEEE Access, British Computer Society’s 2019 Wilkes Award Runner-up, 2019 EURASIP Journal on Wireless Communications and Networking (JWCN) Best Paper Award, Korea Information Processing Society’s Journal of Information Processing Systems (JIPS) Survey Paper Award (Gold) 2019, IEEE Blockchain 2019 Outstanding Paper Award, International Conference on Information Security and Cryptology (Inscrypt 2019) Best Student Paper Award, IEEE TrustCom 2018 Best Paper Award, ESORICS 2015 Best Research Paper Award, 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement Medallion, and British Computer Society’s Wilkes Award in 2008. He is also a Fellow of the Australian Computer Society, and Co-Chair of IEEE Multimedia Communications Technical Committee’s Digital Rights Management for Multimedia Interest Group.
