ABSTRACT
Secure messaging relies heavily on a session key negotiated by an Authenticated Key Exchange (AKE) protocol. However, existing AKE protocols only verify the presence of a random secret key (corresponding to a certified public key) stored on the terminal, rather than the presence of the legitimate user of the messaging application. In this paper, we propose a Biometrics-Authenticated Key Exchange (BAKE) framework, in which the secret key is derived from a user's biometric characteristics and need not be stored. To protect the privacy of users' biometric characteristics and to achieve one-round key exchange, we present an Asymmetric Fuzzy Encapsulation Mechanism (AFEM), which encapsulates messages under a public key derived from a biometric secret key such that only a sufficiently similar secret key can decapsulate them. To demonstrate practicality, we present two AFEM constructions for two types of biometric secret keys and instantiate them with irises and fingerprints, respectively. We perform a security analysis of BAKE and evaluate its performance through extensive experiments.
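The following toy illustrates the AFEM idea stated in the abstract: a public key is derived from a noisy biometric reading, the reading itself is never stored, and only a sufficiently similar reading can decapsulate. It is an added example, not code from the paper, and it swaps in a generic technique (a code-offset secure sketch over a repetition code feeding a Diffie-Hellman exponent in the RFC 3526 group 14 MODP group) in place of the paper's two AFEM constructions. The template length, repetition factor, seed size and the one-round two-encapsulation message flow are all assumptions, and the exchange is not a proven AKE.

```python
"""Toy asymmetric fuzzy encapsulation (AFEM-style) and a one-round exchange.
Assumed, illustrative design, NOT the paper's constructions: a code-offset
sketch (helper = template XOR C(r)) recovers a seed r from any reading within
the code's error tolerance; r becomes a DH exponent whose public value is pk."""
import hashlib
import random

# RFC 3526 group 14 (2048-bit MODP safe prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2                  # order of the subgroup generated by G
SEED_BITS = 64                    # hidden seed r (assumed toy size)
REP = 5                           # repetition factor: corrects <= 2 flips per block
TEMPLATE_BITS = SEED_BITS * REP   # toy binary template (iris-code-like)


def encode(seed):                 # repetition code C(r)
    return [b for b in seed for _ in range(REP)]


def decode(bits):                 # majority vote per REP-bit block
    return [int(2 * sum(bits[i:i + REP]) > REP) for i in range(0, len(bits), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def i2b(x):                       # group element -> fixed-width bytes for hashing
    return x.to_bytes(256, "big")


def kdf(label, *parts):
    h = hashlib.sha256(label)
    for p in parts:
        h.update(p)
    return h.digest()


def keygen(template, rng):
    """Enroll: publish (pk, helper); the template is discarded, not stored.
    Caveat: helper leaks the code's redundancy, so the template needs enough
    min-entropy to keep r secret (the secure-sketch entropy-loss bound)."""
    seed = [rng.getrandbits(1) for _ in range(SEED_BITS)]
    helper = xor(template, encode(seed))
    s = int.from_bytes(kdf(b"sk", bytes(seed)), "big") % Q
    return pow(G, s, P), helper


def recover_secret(reading, helper):
    seed = decode(xor(reading, helper))    # C(r) XOR (reading XOR template)
    return int.from_bytes(kdf(b"sk", bytes(seed)), "big") % Q


def encaps(pk, rng):                       # anyone can encapsulate to pk
    x = rng.randrange(1, Q)
    U = pow(G, x, P)
    return U, kdf(b"kem", i2b(pk), i2b(U), i2b(pow(pk, x, P)))


def decaps(reading, helper, pk, U):        # only a similar reading recovers s
    s = recover_secret(reading, helper)
    return kdf(b"kem", i2b(pk), i2b(U), i2b(pow(U, s, P)))


def bake_session(read_a, pk_a, help_a, read_b, pk_b, help_b, rng):
    """One round: A sends U_a encapsulated to pk_b, B sends U_b to pk_a;
    the session key binds both directions (assumed toy flow)."""
    U_a, K_ab = encaps(pk_b, rng)
    U_b, K_ba = encaps(pk_a, rng)
    key_a = kdf(b"session", K_ab, decaps(read_a, help_a, pk_a, U_b))
    key_b = kdf(b"session", decaps(read_b, help_b, pk_b, U_a), K_ba)
    return key_a, key_b


def flip(bits, positions):
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def demo():
    """Constructed templates: two honest users with noisy re-readings agree;
    an unrelated reading and an over-noisy reading both fail to decapsulate."""
    rng = random.Random(2021)
    alice = [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    bob = [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    pk_a, help_a = keygen(alice, rng)
    pk_b, help_b = keygen(bob, rng)
    alice_now = flip(alice, [i for i in range(TEMPLATE_BITS) if i % REP in (0, 3)])
    bob_now = flip(bob, [i for i in range(TEMPLATE_BITS) if i % (2 * REP) == 1])
    key_a, key_b = bake_session(alice_now, pk_a, help_a, bob_now, pk_b, help_b, rng)
    U, K = encaps(pk_a, rng)
    impostor = [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    too_noisy = flip(alice, [i for i in range(TEMPLATE_BITS) if i % REP < 3])
    return {"keys_agree": key_a == key_b,
            "impostor_decaps": decaps(impostor, help_a, pk_a, U) == K,
            "too_noisy_decaps": decaps(too_noisy, help_a, pk_a, U) == K}


if __name__ == "__main__":
    print(demo())
```

Two flips per five-bit block stay inside the repetition code's tolerance and the two sides derive the same session key; three flips per block, or an unrelated template, decode to a different seed and the decapsulated key no longer matches. The helper string and pk are the only enrolled state, which is the property the abstract claims for BAKE; what the toy does not give you is the paper's security analysis, and the repetition code's entropy leakage would be unacceptable on a real iris code.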
Index Terms
- Biometrics-Authenticated Key Exchange for Secure Messaging