Biometric-Kerberos Authentication Scheme for Secure ... - CiteSeerX

2013 6th International Congress on Image and Signal Processing (CISP 2013)

Biometric-Kerberos Authentication Scheme for Secure Mobile Computing Services

Fengling Han, Mohammed Alkhathami and Ron Van Schyndel
School of Information Technology and Computer Science, RMIT University, Australia
Email: Fengling.han, [email protected]

Abstract—Kerberos is an authentication protocol in which client and server can mutually authenticate each other across an insecure network connection. After the identity authentication, client and server can encrypt all subsequent communications to ensure privacy and data integrity. In this paper, a biometric Kerberos-based user identity authentication scheme is presented. In the scheme, a smart phone with computing capability and an internal camera is the only device required at the user end. The combination of owner biometrics and device information is used for identity authentication. A watermark links the device to its user. The watermark is produced and embedded entirely by the internal functions of the smart phone, and the watermark embedding key is a by-product of Kerberos authentication. Only the trusted key distribution center has enough knowledge to detect and remove the watermark. The ticket granting permission to access an application resource is issued only upon successful biometric authentication. The watermark also offers forensic traceability in a resource-constrained environment. As a result, cost-effective strong security can be attained in mobile computing services.

Keywords—Biometrics, Mobile Computing, Kerberos Authentication, Watermarking.

978-1-4799-2764-7/13/$31.00 ©2013 IEEE

I. INTRODUCTION

With the boom in mobile computing and wireless communication technologies, mobile commerce (m-commerce) has emerged as a significant service medium. M-commerce delivers more convenient and valuable services to customers than its electronic commerce counterpart. As a result, it creates research and marketing opportunities in the healthcare, government and finance domains. M-commerce has been identified as one of the top five key trends hitting retailers in both Australia and the USA [1], [2].

M-commerce is inspired by the portability and ubiquity of mobile devices as well as the ease of access to wireless communication networks. In the majority of m-commerce applications, a user's mobile device usually serves as a terminal and the wireless communication network is used to carry transactions [3]. The portability of mobile devices is the main reason for their popularity; however, it also poses significant security threats to end users. This is because, unlike desktop machines, mobile devices tend to be more personal, contain more personal information about a particular user, and are often stored in an insecure way (without even a PIN being used, despite its ease of use and the fact that most phones have one). Industry estimates indicate that hundreds of thousands of portable mobile devices are lost every year [4]. The main trouble with lost devices is the inability to authenticate identity if attackers impersonate the genuine users.

The title "Passwords are passé but biometrics are not mobile" [5] describes exactly the state of the art of identity authentication in m-commerce applications. Biometrics-based authentication may replace traditional password-based identity authentication only by using particular scanners. Various types of biometric systems are being investigated for remote identity authentication. Fingerprint, among others, demonstrates potential in real-world m-commerce applications [6], [7], [8], [9], [10].

Reliable user identity authentication is critical in gaining trust and confidence for widespread deployment of m-commerce applications. Kerberos is a distributed authentication protocol based on trusted third parties [11], [12]. The Kerberos protocol provides scalable strong identity authentication over insecure network environments [13], [14]. Combining biometric authentication with the Kerberos protocol has been proposed recently [15]. Unfortunately, there is no technical detail on how biometrics is used and how it is protected.

A biometric-Kerberos authentication protocol targeting m-commerce applications is proposed in this paper. There are three main pairs of messages exchanged for a user accessing an application resource: authenticating the user identity and returning a session key; obtaining a resource ticket using that session key; and accessing that resource using the ticket. The benefit of using Kerberos is that expensive session-based user authentication can be separated from cheaper ticket-based resource access. Without loss of generality, we assume that only smart phones and biometrics are available at the user end. Network-based authentication and biometrics, while possible, only add to the complexity of the design considered here, and do not replace any component. Each client needs to register with the trusted key distribution center (KDC).
Taking fingerprint biometrics as an example, the information needed in the initial exchange messages includes: the phone number, the hard-coded device serial number and fingerprint samples acquired by the internal camera of the smart phone. These add to a biometric template already stored in the KDC. Based on the modified Needham-Schroeder PK protocol [16], a public key system is used for the first layer of identity authentication. A digital watermark is then generated from the hash value of the mobile serial number, and is embedded within the fingerprint image at the moment of acquisition. The watermark embedding key is the session key created by the KDC. The successful detection of the watermark depends not only on the session key but also on the hashed mobile serial number pre-stored in the KDC. Positive fingerprint matching is possible only once the watermark is removed from the host fingerprint. A ticket for accessing the resource server will be issued upon positive minutiae matching.

The main contributions of the proposed biometric-Kerberos authentication protocol are: i) the watermark links the computing device to the owner's biometrics, and such a link offers forensic traceability; ii) the watermark corrupts fingerprint minutiae, so positive minutiae matching is impossible if the watermark cannot be removed successfully. As a result, forensic traceability and strong security can be achieved in a resource-constrained mobile computing environment. Using watermarks to prevent matching is a covert way to achieve what would normally be done using encryption, but with the added advantage of forensic traceability.

The rest of the paper is organized as follows: Section II introduces the basic Kerberos Authentication Protocol. The biometric-Kerberos authentication scheme is proposed in Section III. Watermark embedment to fingerprint is demonstrated in Section IV. Section V concludes the result.

II. KERBEROS AUTHENTICATION PROTOCOL

Described in detail in [16], the Kerberos authentication scheme is essentially a two-part protocol with three entities involved. An authentication server, AS, uses traditional means (i.e. not part of Kerberos) to authenticate a user, and grants a temporary session key if successful. The session key is delivered to the user using an AS-generated ticket to allow access to a resource obtained from a resource server, such access being controlled by a ticket-granting server (TGS). Since initial authentication is itself not part of the protocol, we seek to extend this as described in the next section. The main benefit of Kerberos is protection of the data path between device and key distribution center (KDC) on the open network, using a separate stream of access between device and resource, and device and authentication, thus keeping basic authentication to a minimum.

The first message pair exchanged in Fig. 1 is the client contacting the KDC to request a ticket, and the KDC authenticating the client using its stored information and then issuing a ticket upon positive authentication. The second message pair uses the session key to request a ticket from a Ticket Granting Server (TGS), and the third message pair is to access a service from the resource using this ticket.

Fig. 1: The diagram of Kerberos authentication protocol

Table I shows the process involving messages $M_n$ in detail. The ticket is a certificate issued by the KDC, encrypted using the resource server key. It is not sent directly to the TGS; instead, it is sent to the client, who forwards it to the TGS as part of the application request. Because the ticket is encrypted using the resource server key, known only by the KDC, it is not possible for the client to modify the ticket without detection.

TABLE I: Messages involved in identity authentication.

| Msg. | Description |
|------|-------------|
| $M_1$ | Client program sends a request to the AS. |
| $M_2$ | AS creates a session key $K_S$ and timestamp $T_S$, encrypts them, and sends them back to the client. |
| $M_3$ | Client decrypts $M_2$ to obtain $K_S$, then encrypts the service request with network address $A_{Req}$ and sends it to the TGS. |
| $M_4$ | TGS decrypts $M_3$, creates a resource session key $K_{RS}$ and encrypts it with $K_S$; TGS also issues a resource ticket and encrypts it with the shared resource server key; it sends both ciphertexts back to the client. |
| $M_5$ | Client decrypts $M_4$ to obtain $K_{RS}$, encrypts the resource request, and sends it to the resource server. |
| $M_6$ | Resource server decrypts the request, verifies the ticket, then offers the service upon successful verification. |

Note that SSL version 2 uses a similar idea in a computationally expensive PKI-based protocol to deliver session keys, so that subsequent communication can use it as a computationally cheaper symmetric key.

III. BIOMETRIC-KERBEROS AUTHENTICATION PROTOCOL

Kerberos makes several assumptions in its operations. Firstly, the KDC is assumed to be trustworthy. Our protocol shares this assumption. Secondly, its main threat model is man-in-the-middle attacks, which over an encrypted wireless network seem less likely, but this is nevertheless dealt with below. Thirdly, the client device itself is assumed to be trustworthy. Our protocol again shares this assumption, but offers a forensic avenue of pursuit when a compromise is detected.

In the Biometric-Kerberos Authentication Protocol (BKAP), a watermarked fingerprint image links the mobile device to the owner's fingerprint. The watermark embedding corrupts fingerprint minutiae significantly but invisibly. As a result, only valid biometrics acquired by the registered device can pass the identity authentication and then obtain a ticket for subsequent communications.

The block diagram of the proposed BKAP is shown in Figure 2. In the proposed protocol, there are two physical entities on the client side: a registered mobile device and the fingerprint of principal A. A watermark links the mobile device with the fingerprint. The watermark embedding key is the session key created by the Key Distribution Centre (KDC).

To prepare for demonstrating the proposed protocol, the following conditions are assumed: i) KDC shares a key with each resource server; ii) KDC stores mobile numbers (as user name), hashed serial numbers of registered mobile devices, and iii) KDC stores fingerprint references of clients. To prevent confusion, public keys and shared keys are represented with capital K, while private keys and session keys generated by KDC are represented with small k.

Addressing the vulnerability of wireless communication [4], a public key cryptographic system is used in the first layer of authentication, which leads to mutual authentication of a registered mobile device with the KDC. Then, the fingerprint of principal A is acquired in order to confirm that the genuine client is actually communicating. This is shown in messages $M_1$ to $M_4$.


Fig. 2: Diagram of Biometrics-Kerberos Identity Authentication Scheme.

Step 1: Registered mobile device and KDC mutual authentication. Two messages, $M_1$ and $M_2$, are involved. Mobile device authentication is the first layer of authentication. Principal A identifies itself by presenting a random number (nonce), $R_A$, together with the mobile number, $N$, and sends them to the KDC. Based on the modified Needham-Schroeder PK protocol [16], these data are encrypted using the public key of the KDC ($K_D$). $M_1$ is the ciphertext, which can only be read by the KDC with its private key.

$$M_1 = E\{K_D, (N, R_A)\} \tag{1}$$

On receiving $M_1$, the KDC decrypts it with its private key, generates a session key $K_S$ and a timestamp $T_S$, and sends them back together with $R_A$, encrypted using principal A's public key, $K_A$.

$$M_2 = E\{K_A, (T_S, R_A, K_S)\} \tag{2}$$

On receiving $M_2$, principal A decrypts it using its private key. When $R_A$ appears inside $M_2$, principal A is sure that a valid KDC is responding, because only the KDC can decrypt $M_1$ with its private key, and that $M_2$ is fresh, because it was created when he/she issued the request.

Step 2: Biometric authentication. Two messages, $M_3$ and $M_4$, are involved. The fingerprint of principal A, $F$, is required at this stage. $F$ is captured by the internal camera of the registered mobile device. A digital watermark, $W$, is calculated by hashing the serial number $S$ and the timestamp $T_S$.

$$W = \mathrm{SHA2}(S, T_S) \tag{3}$$

The watermark is embedded in the fingerprint image, $F$, at the instant of capture. The session key, $K_S$, is used as the watermark embedding key. The watermarked fingerprint, $F_W$, is then obtained. Principal A sends $F_W$ to the KDC together with a service request and the resource server's network address, $A_{RS}$. The data is encrypted with $K_S$.

$$M_3 = E\{K_S, (F_W, A_{RS})\} \tag{4}$$

On receiving $M_3$, the KDC decrypts it and obtains $F_W$. The watermarked fingerprint, $F_W$, is now processed in the KDC. The watermark is detected using $K_S$, and it is verified by comparing it with the stored hash value of the registered serial number and logging the timestamp $T_S$. On passing the check, the watermark is removed from $F_W$, and the original fingerprint is recovered. Fake fingerprint samples that are not captured by the expected devices will have no such watermark and thus are recognized easily in the KDC. Attempts to fake the watermark without knowledge of the session key will also fail due to the inability to detect the watermark. Furthermore, only a valid KDC has enough information to detect, check and remove the watermark.

The watermark embedding key is a by-product of Kerberos authentication: the session key created by the KDC. To reduce computational cost, the watermarked fingerprint is encrypted with the session key rather than the public key of the KDC. No further workload is incurred for watermark embedding. The watermark technology used has relatively low computational complexity and is sufficiently secure for the task (being fragile), but the protocol does not require any particular technology, only that it sufficiently but invisibly obfuscates the minutiae and, optionally, that its presence is detectable even if not decryptable (i.e. wrong session key), as the acquisition time retains some forensic validity. Additional forensic security is possible if the watermark does decrypt properly but the device ID, $S$, is wrong, as this indicates an attempt to use the protocol on the wrong device.

Additional security is obtained since all versions of $F_W$ stored on the device or cached en route through the network will contain the watermark, and an unwatermarked set of minutiae can only be obtained from principal A, itself a problem shared by all biometric algorithms. So possession of the device alone by an attacker will not compromise the process. As explained above, a compromised client device cannot prevent subsequent usage by the original principal A, but will leave a forensic trace behind.

Positive fingerprint matching is possible only when the watermark is removed. Upon successful minutiae matching, a ticket, $T$, and a resource session key, $K_{SS}$, are generated by the KDC, both encrypted using the resource server key. $K_{SS}$ is also encrypted with $K_S$. All the encrypted data are sent to principal A.

$$M_4 = E\{K_{RS}, (T, K_{SS})\}\; E\{K_S, (K_{SS})\} \tag{5}$$

The first part of $M_4$ is encrypted with the key shared between the resource server and the KDC. It cannot be accessed by principal A, and will be passed to the resource server associated with the service request.

Step 3: Principal A accesses the resource. Principal A presents the ticket to the resource server. The final layer of authentication is performed via the messages exchanged in $M_5$ and $M_6$, which are exactly the same as those in the basic Kerberos authentication.

IV. WATERMARK EMBEDMENT TO BIOMETRICS

We assume that only smart phones having reasonable computing facility and an internal camera are available at the user end. Both the user's fingerprint and smart phone information are used in the BKAP. The fingerprint reference associated with the mobile number and the hashed serial number are securely stored in the KDC database. As mentioned above, a watermark links the mobile device to the user's fingerprint. The watermark is produced from the hashed mobile serial number, and is then embedded in the fingerprint at the time of image acquisition. Fingerprint acquisition, watermark generation and embedment are all performed using the internal functions of the smart phone. The watermark embedding key is the session key generated by the KDC. Any sufficiently secure and unobtrusive watermark technology can be used.

Fig. 3: (a) Fingerprint (b) Watermark (c) Watermarked fingerprint (d) Watermark detected without correct key.

A. Watermark Generation and Embedding

At the client side, principal A captures the fingerprint, $F$, with the mobile camera. The mobile serial number, $S$, is extracted and hashed using SHA2 along with a timestamp, $T_S$. $W = \mathrm{SHA2}(S, T_S)$ is then embedded in the fingerprint with key $K_S$. The watermarked fingerprint $F_W$ is obtained. The Discrete Cosine Transform (DCT) has the feature of decomposing an image into different frequency domains, and is described by [17]:

$$D(i,j) = \frac{1}{\sqrt{2N}}\, C(i)\,C(j) \sum_{x=0}^{N-1} \sum_{y=0}^{N-1} p(x,y) \cos\left[\frac{(2x+1)j\pi}{2N}\right] \cos\left[\frac{(2y+1)j\pi}{2N}\right] \tag{6}$$

$$C(u) = \begin{cases} \dfrac{1}{\sqrt{2}} & \text{if } u = 0 \\ 1 & \text{if } u > 0 \end{cases} \tag{7}$$

where $N$ is the size of the block that the DCT is done on, and $p(x, y)$ is the $(x, y)$th element of the image represented by matrix $p$. If $N = 8$, the DCT block consists of 8×8 coefficients, and one binary bit of the watermark is embedded into the coefficient with the highest magnitude of the DCT transform. The watermark bit is embedded into the fingerprint by modifying the DCT coefficients according to the following equation:

$$D_N = D + (1 + \alpha W_i) \tag{8}$$

where $D_N$ is the new DCT coefficient, $D$ is the original DCT coefficient, $W_i$ is the modified DCT coefficients incurred by watermark embedment, and $\alpha$ is the watermarking strength. In this work, $\alpha = 0.3$ is chosen empirically. At the server side, the inverse DCT reconstructs a sequence from the coefficients of the DCT:

$$p(i,j) = \frac{1}{\sqrt{2N}}\, C(i)\,C(j) \sum_{u=0}^{N-1} \sum_{v=0}^{N-1} \alpha(u)\,\alpha(v)\,D(u,v) \cos\left[\frac{(2u+1)j\pi}{2N}\right] \cos\left[\frac{(2v+1)j\pi}{2N}\right] \tag{9}$$

Ideally, fingerprint features are corrupted significantly by the presence of the watermark. In that case, the watermark must be removed from the watermarked image using the valid key. Incorrect watermark removal leads to a different set of fingerprint features. As a result, the fingerprint matching process is affected, and a positive match cannot be achieved if the information for removing the watermark is incorrect or insufficient.
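An added example, not code from the paper: a blind embed and detect round trip for the keyed per-block DCT watermark described above, with the KDC-side check from Step 2. It assumes quantisation-index modulation on one fixed mid-band coefficient per 8×8 block in place of Eq. (8), an HMAC-derived keystream as the way $K_S$ keys the watermark, and a 32-bit $W$ built with a `|` separator; the paper specifies none of these, and all sample values are constructed.

```python
import hashlib
import hmac
import math

N = 8                      # block size used in the paper
DELTA, POS = 16.0, (3, 2)  # assumed QIM step and mid-band coefficient position

# Orthonormal DCT matrix; for N = 8 its scaling equals 1/sqrt(2N) * C(i) * C(j).
T = [[math.sqrt((1 if i == 0 else 2) / N) * math.cos((2 * x + 1) * i * math.pi / (2 * N))
      for x in range(N)] for i in range(N)]
T_T = [list(col) for col in zip(*T)]

def _mul(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(N)) for c in range(N)] for r in range(N)]

def dct2(block):
    """Forward 2-D DCT of one 8x8 block: D = T p T^t."""
    return _mul(_mul(T, block), T_T)

def idct2(coef):
    """Inverse 2-D DCT: p = T^t D T."""
    return _mul(_mul(T_T, coef), T)

def _bits(data, n):
    return [(data[k // 8] >> (7 - k % 8)) & 1 for k in range(n)]

def watermark(serial, ts, n=32):
    """W = first n bits of SHA-256(S, T_S); the '|' separator is an assumption."""
    return _bits(hashlib.sha256(f"{serial}|{ts}".encode()).digest(), n)

def keystream(ks, n):
    """Assumed keying: mask W with bits of HMAC-SHA256(K_S, label)."""
    return _bits(hmac.new(ks, b"bkap-watermark", hashlib.sha256).digest(), n)

def embed(blocks, w, ks):
    """Hide one masked bit per block in the parity of a quantised coefficient."""
    marked = []
    for block, bit, k in zip(blocks, w, keystream(ks, len(w))):
        d = dct2(block)
        c = d[POS[0]][POS[1]] / DELTA
        q = round(c)
        if q % 2 != bit ^ k:          # move to the nearest level with the right parity
            q += 1 if c >= q else -1
        d[POS[0]][POS[1]] = q * DELTA
        marked.append([[int(round(v)) for v in row] for row in idct2(d)])
    return marked

def detect(blocks, ks):
    """Blind detection: read each parity bit and unmask it with the key."""
    stream = keystream(ks, len(blocks))
    return [(round(dct2(b)[POS[0]][POS[1]] / DELTA) % 2) ^ k
            for b, k in zip(blocks, stream)]

def kdc_check(blocks, ks, serial, ts):
    """KDC side: accept only if the detected watermark equals the expected W."""
    return detect(blocks, ks) == watermark(serial, ts)

# Constructed sample data: 32 synthetic 8x8 blocks (not fingerprint images),
# pixel values 60..179 so that embedding never clips at 0 or 255.
HOST = [[[60 + (37 * x + 11 * y + 5 * b + x * y) % 120 for y in range(N)]
         for x in range(N)] for b in range(32)]
SERIAL, TS = "SN-EXAMPLE-0001", "2013-12-16T10:00:00Z"
KS, WRONG_KS = b"session-key-from-M2", b"some-other-key"
MARKED = embed(HOST, watermark(SERIAL, TS), KS)

if __name__ == "__main__":
    print("right key, right device:", kdc_check(MARKED, KS, SERIAL, TS))
    print("wrong session key:      ", kdc_check(MARKED, WRONG_KS, SERIAL, TS))
    print("wrong device serial:    ", kdc_check(MARKED, KS, "SN-OTHER-9999", TS))
    print("unwatermarked capture:  ", kdc_check(HOST, KS, SERIAL, TS))
```

The three rejected cases correspond to the outcomes the protocol distinguishes: a wrong session key, a capture bound to a different device serial, and a sample with no watermark at all. This sketch only detects the watermark; it does not restore the original block values.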

B. Simulation

50 fingerprint images from the FVC2002 database are chosen randomly as host images. A 32-bit number corresponding to the first 32 bits of the SHA-2 hash of a mobile serial number and timestamp is converted into binary, then used as the watermark embedded in the host images. Each host image is divided into 8×8 blocks, and the watermark is embedded into the highest component of the middle frequency band of each block.

One fingerprint is shown in Figure 3(a), and a watermark is shown in 3(b). The watermarked fingerprint is shown in 3(c). If the watermark is detected with the valid key, the same watermark as that in 3(b) is obtained. Otherwise, a completely different watermark is detected without the correct key; this is shown in 3(d). The watermark is removed at the server side, then the original fingerprint sample is matched against the fingerprint reference stored in the KDC database.

Preliminary simulation shows that roughly 20 percent of minutiae are corrupted by the DCT-based watermark embedding algorithm. This means that there is around 20 percent discrepancy in terms of minutiae location and orientation between the minutiae extracted from the watermarked fingerprint and those of the original fingerprint. The embedded watermark can be easily detected and removed in the KDC because it has all the valid information.

V. CONCLUSION

A Biometric-Kerberos Authentication Protocol has been proposed. Only a smart phone is required as the computing device at the user end. The smart phone combined with the user's biometrics offers secure and reliable single sign-on for mobile commerce applications. A watermark generated from the computing device, which makes use of a by-product of Kerberos authentication, is embedded in the user's biometrics at the instant of fingerprint image acquisition. Such a watermark corrupts the minutiae of the host fingerprint images while offering forensic traceability in resource-constrained mobile computing services. Positive minutiae matching is possible only when the watermark is removed successfully; only then will a ticket be issued for accessing the resource server.

VI. ACKNOWLEDGMENTS

The work is financially supported by ARC Linkage grant LP120100595.

REFERENCES

[1] M. Hammond. Mobile commerce boom among five key trends hitting retailers, 2012.
[2] L. Indvik. 5 big trends in mobile commerce. The 2012 e-commerce leaders' playbook, 2011.
[3] L. Wood. Research and markets: Global mobile and m-commerce report, 2012.
[4] B. Stephanie. In accepting mobile payment, merchants face higher fraud risk. Insurance Networking News, 2010.
[5] Passwords are passé but biometrics are not mobile. Science News, April 23, 2010.
[6] H Abdul Shabeer and P Suganthi. Mobile phones security using biometrics. In Conference on Computational Intelligence and Multimedia Applications, 2007. International Conference on, volume 4, pages 270–274. IEEE, 2007.
[7] Fengling Han, Jiankun Hu, M Alkhathami, and Kai Xi. Compatibility of photographed images with touch-based fingerprint verification software. In Industrial Electronics and Applications (ICIEA), 2011 6th IEEE Conference on, pages 1034–1039. IEEE, 2011.
[8] Mohammad Omar Derawi, Bian Yang, and Christoph Busch. Fingerprint recognition with embedded cameras on mobile phones. In Security and Privacy in Mobile Information and Communication Systems, pages 136–147. Springer, 2012.
[9] Chulhan Lee, Sanghoon Lee, Jaihie Kim, and Sung-Jae Kim. Preprocessing of a fingerprint image captured with a mobile camera. In Advances in Biometrics, pages 348–355. Springer, 2005.
[10] A Al-Gindy, H Al-Ahmad, R Qahwaji, and A Tawfik. A new watermarking scheme for colour images captured by mobile phone cameras. International Journal of Computer Science and Information Security, 9:248–254, 2009.
[11] George A Champine, Jr DE Geer, and William N Ruh. Project Athena as a distributed computer system. Computer, 23(9):40–51, 1990.
[12] Steven M Bellovin and Michael Merritt. Limitations of the Kerberos authentication system. ACM SIGCOMM Computer Communication Review, 20(5):119–132, 1990.
[13] B Clifford Neuman and Theodore Ts'o. Kerberos: An authentication service for computer networks. Communications Magazine, IEEE, 32(9):33–38, 1994.
[14] John T Kohl, B Clifford Neuman, and Y Theodore. The evolution of the Kerberos authentication service. 1994.
[15] M. S. Shashidhar and D. Suresha. Implementation of secure biometric authentication using Kerberos protocol. Inter. Journal of Advanced Research in Computer Science and Software Engineering, 3(3):249–254, 2013.
[16] Roger M Needham and Michael D Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, 1978.
[17] Fengling Han and Ron van Schyndel. M-identity and its authentication protocol for secure mobile commerce applications. In Cyberspace Safety and Security, pages 1–10. Springer, 2012.