Abstract
As many vulnerabilities of one-time authentication systems have already been uncovered, there is a growing need and trend to adopt continuous authentication systems. Biometrics provides an excellent means for periodic verification of authenticated users without breaking the continuity of a session. Nevertheless, as attacks on computing systems increase, biometric systems demand more user information in their operations, which raises privacy issues for users of biometric-based continuous authentication systems. However, the current state-of-the-art privacy technologies are either not viable or too costly for continuous authentication systems, which require periodic real-time verification. In this article, we introduce a novel, lightweight, privacy-aware, and secure continuous authentication protocol called PACA. PACA is initiated through a password-based key exchange (PAKE) mechanism, and it then continuously authenticates users based on their biometrics in a privacy-aware manner. We then design an actual continuous user authentication system under the proposed protocol. In this concrete system, we utilize a privacy-aware template matching technique together with a wearable-assisted, keystroke-dynamics-based continuous authentication method. This provides privacy guarantees without relying on any trusted third party, while allowing the comparison of noisy user inputs (inherent in biometric data) and yielding an efficient and lightweight protocol. Finally, we implement our system on an Apple smartwatch and perform experiments with real user data to evaluate the accuracy and resource consumption of our concrete system.
A Lightweight Privacy-Aware Continuous Authentication Protocol-PACA