On the Rila-Mitchell Security Protocols for Biometrics-Based Cardholder Authentication in Smartcards

We consider the security of the Rila-Mitchell security protocols recently proposed for biometrics-based smartcard systems. We first present a man-in-the-middle (MITM) attack on one of these protocols and hence show that it fails to achieve mutual authentication between the smartcard and the smartcard reader. In particular, a hostile smartcard can trick the reader into believing that it is a legitimate card, and vice versa. We also discuss security cautions that, if not handled carefully, would lead to attacks. We further suggest countermeasures to strengthen the protocols against our attacks, as well as to guard against the cautions highlighted. Our emphasis here is that seemingly secure protocols, when implemented with poor choices of parameters, would lead to attacks.
