A Lightweight Privacy-Aware Continuous Authentication Protocol-PACA

As many vulnerabilities of one-time authentication systems have already been uncovered, there is a growing need and trend to adopt continuous authentication systems. Biometrics provides an excellent means for periodic verification of authenticated users without breaking the continuity of a session. Nevertheless, as attacks on computing systems increase, biometric systems demand more user information in their operations, which raises privacy issues for users of biometric-based continuous authentication systems. However, the current state-of-the-art privacy technologies are either not viable or too costly for continuous authentication systems, which require periodic real-time verification. In this article, we introduce a novel, lightweight, privacy-aware, and secure continuous authentication protocol called PACA. PACA is initiated through a password-based key exchange (PAKE) mechanism, and it then continuously authenticates users based on their biometrics in a privacy-aware manner. We then design an actual continuous user authentication system under the proposed protocol. In this concrete system, we utilize a privacy-aware template matching technique and a wearable-assisted keystroke dynamics-based continuous authentication method. This provides privacy guarantees without relying on any trusted third party, while allowing the comparison of noisy user inputs (inherent to biometric data) and yielding an efficient and lightweight protocol. Finally, we implement our system on an Apple smartwatch and perform experiments with real user data to evaluate the accuracy and resource consumption of our concrete system.
