Cloud Password Manager Using Privacy-Preserved Biometrics

Using one password for all web services is not secure, because leakage of that password compromises every web service account, while using independent passwords for different web services is inconvenient for the identity claimant to memorize. A password manager addresses this security-convenience dilemma by storing and retrieving multiple existing passwords under one master password. A password manager also relieves the human memory: people can generate strong passwords without worrying about memorizing them. While a password manager provides a convenient and secure way to manage multiple passwords, it centralizes password storage and shifts the risk of password leakage from distributed service providers to a piece of software or a token protected by a single master password. To address the reliance on this one master password, biometrics can be used as a second authentication factor that verifies the ownership of the master password. However, biometric authentication raises more privacy concerns than a non-biometric password manager. In this paper we propose a cloud password manager scheme that exploits privacy-enhanced biometrics and achieves both security and convenience in a privacy-enhanced way. The proposed scheme relies on a cloud service to synchronize all local password manager clients in encrypted form, which makes updates efficient to deploy and keeps the stored data secure against untrusted cloud service providers.
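The two-factor idea in the abstract (a privacy-preserved biometric that verifies ownership of the master password, with only non-revealing data handed to the cloud) in one illustrative construction, added here and not taken from the paper: a fuzzy-commitment style binding that hides a random secret under a noisy biometric bit string, then mixes that secret with the master password to derive the vault key. The function names, the 64-bit secret and the 5-fold repetition code are assumptions for illustration, not the paper's parameters.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumed for illustration, not the paper's): a deployment would use a
# proper error-correcting code and a longer secret, and would account for the fact that
# helper data leaks information when the biometric bits are not close to uniform.
REP = 5                      # each secret bit is repeated REP times (repetition code)
KEY_BITS = 64
TEMPLATE_BITS = KEY_BITS * REP

def encode(key_bits):
    """Repetition-encode the secret into a codeword of TEMPLATE_BITS bits."""
    return [b for b in key_bits for _ in range(REP)]

def decode(codeword):
    """Majority-vote decode; corrects up to (REP-1)//2 flipped bits per secret bit."""
    return [int(sum(codeword[i:i + REP]) * 2 > REP) for i in range(0, len(codeword), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")

def enroll(template_bits):
    """Return (helper_data, commitment), the only biometric-related record sent to the cloud.
    The template itself is never stored: helper = codeword XOR template, and the
    commitment is a hash of the random secret, not of the biometric."""
    key_bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    helper = xor(encode(key_bits), template_bits)
    commitment = hashlib.sha256(bits_to_bytes(key_bits)).digest()
    return helper, commitment

def release(helper, commitment, fresh_template_bits):
    """Recover the secret from a noisy re-sample; None if too many bits differ."""
    key = bits_to_bytes(decode(xor(helper, fresh_template_bits)))
    if not hmac.compare_digest(hashlib.sha256(key).digest(), commitment):
        return None
    return key

def vault_key(master_password, biometric_secret, salt):
    """Both factors are required: the master password and the secret the biometric released.
    The cloud holds only ciphertext encrypted under this key plus the enrollment record."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode() + biometric_secret, salt, 100_000)

def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions (constructed input)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]
```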
