DOI: 10.1145/3460120.3484746
research-article

Biometrics-Authenticated Key Exchange for Secure Messaging

Published: 13 November 2021

ABSTRACT

Secure messaging relies heavily on a session key negotiated by an Authenticated Key Exchange (AKE) protocol. However, existing AKE protocols only verify the existence of a random secret key (corresponding to a certified public key) stored in the terminal, rather than the legitimate user of the messaging application. In this paper, we propose a Biometrics-Authenticated Key Exchange (BAKE) framework, in which a secret key is derived from a user's biometric characteristics, which need not be stored. To protect the privacy of users' biometric characteristics and realize one-round key exchange, we present an Asymmetric Fuzzy Encapsulation Mechanism (AFEM) that encapsulates messages with a public key derived from a biometric secret key, such that only a similar secret key can decapsulate them. To demonstrate its practicality, we present two AFEM constructions for two types of biometric secret keys and instantiate them with irises and fingerprints, respectively. We perform a security analysis of BAKE and show its performance through extensive experiments.

Supplemental Material

BAKE10144_1.mp4 (mp4, 315.2 MB)


Published in

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120

Copyright © 2021 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
