Secure Remote Authentication Using Biometric Data

Biometric data offer a potential source of high-entropy, secret information that can be used in cryptographic protocols provided two issues are addressed: (1) biometric data are not uniformly distributed; and (2) they are not exactly reproducible. Recent work, most notably that of Dodis, Reyzin, and Smith, has shown how these obstacles may be overcome by allowing some auxiliary public information to be reliably sent from a server to the human user. Subsequent work of Boyen has shown how to extend these techniques, in the random oracle model, to enable unidirectional authentication from the user to the server without the assumption of a reliable communication channel. We show two efficient techniques enabling the use of biometric data to achieve mutual authentication or authenticated key exchange over a completely insecure (i.e., adversarially controlled) channel. In addition to achieving stronger security guarantees than the work of Boyen, we improve upon his solution in a number of other respects: we tolerate a broader class of errors and, in one case, improve upon the parameters of his solution and give a proof of security in the standard model. 1 Using Biometric Data for Secure Authentication Biometric data, as a potential source of high-entropy, secret information, have been suggested as a way to enable strong, cryptographically-secure authentication of human users without requiring them to remember or store traditional cryptographic keys. Before such data can be used in existing cryptographic protocols, however, two issues must be addressed: first, biometric data are not uniformly distributed and hence do not offer provable security guarantees if used ⋆ Supported by NSF CAREER award 0133806 and Trusted Computing grant 0311095. ⋆⋆ Supported by NSF CAREER award 0447075 and Trusted Computing grants 0310751 and 0310499. ⋆ ⋆ ⋆ Supported in part by a gift from Teradata, an Intel equipment grant, an OKAWA research award, and an NSF Cybertrust grant. as is, say, as a key for a pseudorandom function. While the problem of nonuniformity can be addressed using a hash function, viewed either as a random oracle [2] or a strong extractor [20], a second and more difficult problem is that biometric data are not exactly reproducible, as two biometric scans of the same feature are rarely identical. Thus, traditional protocols will not even guarantee correctness when the parties use a shared secret derived from biometric data. Much work has focused on addressing these problems in efforts to develop secure techniques for biometric authentication [8, 15, 19, 14, 22, 21]. Most recently, Dodis, Reyzin, and Smith [9] showed how to use biometric data to securely derive cryptographic keys which could then be used, in particular, for the purposes of authentication. Roughly speaking (see Section 2 for formal definitions), they introduce two primitives: a secure sketch which allows recovery of a shared secret given a close approximation thereof, and a fuzzy extractor which extracts a uniformly distributed string s from this shared secret in an error-tolerant manner. Both primitives work by constructing a “public” string pub which is stored by the server and transmitted to the user; loosely speaking, pub encodes the redundancy needed for error-tolerant reconstruction. The primitives are designed so as to be “secure” even when an adversary learns the value of this public string. Unfortunately, although these primitives suffice to obtain security in the presence of an eavesdropping adversary who learns pub as it is sent to the user, the work of Dodis et al. does not address the issue of malicious modification of pub. As a consequence, their work does not provide a method for secure authentication in the presence of an active adversary who may modify the messages sent between the server and the user. Indeed, depending on the specific sketch or fuzzy extractor being utilized, an adversary who maliciously alters the public string sent to a user may be able to learn that user’s biometric data in its entirety. A “solution” is for the user to store pub himself rather than obtain it from the server (or to authenticate pub using a certificate chain), but this defeats the purpose of using biometric data in the first place: namely, to avoid the need for the user to store any additional cryptographic information — even if that information need not be kept secret. Boyen [5], inter alia, partially addresses potential adversarial modification of pub (although his work focuses primarily on the orthogonal issue of re-using biometric data with multiple servers, which we do not explicitly address here). The main drawback of his technique in our context is that it provides only unidirectional authentication from the user to the server. Indeed, Boyen’s approach cannot be used to achieve authentication of the server to the user since his definition of “insider security” (cf. [5, Section 5.2]) does not preclude an adversary from knowing the (incorrect) value s of the shared secret recovered by the user when the adversary forwards a specially crafted pub to this user; if the adversary knows s, then from the viewpoint of the user the adversary can do anything the server could do, and hence authentication of the server to the user is impossible. The lack of mutual authentication implies that — when communicating over an insecure network — the user and server cannot securely establish a shared session key with which to encrypt and authenticate future messages: the user may unwittingly share a key with an adversary who can then decrypt any data sent by that user as well as authenticate arbitrary data. 1.1 Our Contributions In this paper, we provide the first full solution to the problem of secure remote authentication using biometric data: in particular, we show how to achieve mutual authentication and/or authenticated key exchange over a completely insecure channel. We offer two constructions. The first one is a generic solution which protects against modification of the public value pub in any context in which secure sketches or fuzzy extractors are used; thus, this solution serves as a drop-in replacement that “compiles” any protocol which is secure when pub is assumed to be transmitted reliably into one which is secure even when pub might be tampered with (we do not formalize this notion of “compilation”, but rather view it as an intuitive way to understand our results). Our second construction is specific to the settings of remote authentication and key exchange, where it offers some improvements to the generic solution. Compared with the work of Boyen [5], which was mostly concerned with the re-usability of biometrics, our constructions enjoy the following key advantages: – Both of our solutions tolerate a stronger class of errors. In particular, Boyen’s work only allows for data-independent errors, whereas our analysis handles arbitrary (but bounded) errors. We remark that small yet data-dependent errors seem natural in the context of biometric data. – Our second solution is proven secure in the standard model. – Our second solution achieves improved bounds on the entropy loss, on the order of 128 bits of entropy for practical choices of the parameters. This point is particularly important since the entropy of certain biometric features is roughly this order of magnitude (e.g., 173–250 bits for an iris scan [8, 13]). Organization. We review some basic definitions as well as the sketches/fuzzy extractors of Dodis et al. [9] in Section 2. In Section 3 we introduce the notion of robust sketches/fuzzy extractors which are resilient to modification of the public value, and can be used as a generic replacement for sketches/fuzzy extractors in any application. Our second solution, which is specific to the problem of using biometric data for authentication and offers some advantages with respect to our generic construction, is described in Section 4.