DOI: 10.1145/3460120.3484746
research-article

Biometrics-Authenticated Key Exchange for Secure Messaging

Published: 13 November 2021

Abstract

Secure messaging relies heavily on a session key negotiated by an Authenticated Key Exchange (AKE) protocol. However, existing AKE protocols only verify the existence of a random secret key (corresponding to a certified public key) stored in the terminal, rather than the legitimate user who uses the messaging application. In this paper, we propose a Biometrics-Authenticated Key Exchange (BAKE) framework, in which a secret key is derived from a user's biometric characteristics, which need not be stored. To protect the privacy of users' biometric characteristics and realize one-round key exchange, we present an Asymmetric Fuzzy Encapsulation Mechanism (AFEM) that encapsulates messages with a public key derived from a biometric secret key, such that only a similar secret key can decapsulate them. To demonstrate practicality, we present two AFEM constructions for two types of biometric secret keys and instantiate them with irises and fingerprints, respectively. We perform a security analysis of BAKE and show its performance through extensive experiments.

Supplementary Material

MP4 File (BAKE10144_1.mp4)
Presentation video-Biometrics-Authenticated Key Exchange for Secure Messaging

      Published In

      CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
      November 2021
      3558 pages
      ISBN: 9781450384544
      DOI: 10.1145/3460120
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. authenticated key exchange
      2. biometrics
      3. fuzzy extractor
      4. secure messaging
      5. verifiable secret sharing

      Qualifiers

      • Research-article

      Funding Sources

      • National Natural Science Foundation of China

      Conference

      CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
      November 15 - 19, 2021
      Virtual Event, Republic of Korea

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Downloads (Last 12 months): 159
      • Downloads (Last 6 weeks): 20
      Reflects downloads up to 09 Nov 2024

      Cited By

      • (2024) Analysis of Biometric-Based Cryptographic Key Exchange Protocols—BAKE and BRAKE. Cryptography 8:2 (14). DOI: 10.3390/cryptography8020014. Online publication date: 6-Apr-2024
      • (2024) UFinAKA: Fingerprint-Based Authentication and Key Agreement With Updatable Blind Credentials. IEEE/ACM Transactions on Networking 32:2 (1110-1123). DOI: 10.1109/TNET.2023.3311130. Online publication date: Apr-2024
      • (2024) Biometrics-Based Authenticated Key Exchange With Multi-Factor Fuzzy Extractor. IEEE Transactions on Information Forensics and Security 19 (9344-9358). DOI: 10.1109/TIFS.2024.3468624. Online publication date: 2024
      • (2024) Two-Factor Authenticated Key Exchange From Biometrics With Low Entropy Rates. IEEE Transactions on Information Forensics and Security 19 (3844-3856). DOI: 10.1109/TIFS.2024.3372812. Online publication date: 2024
      • (2024) BRAKE: Biometric Resilient Authenticated Key Exchange. IEEE Access 12 (46596-46615). DOI: 10.1109/ACCESS.2024.3380915. Online publication date: 2024
      • (2023) Privacy-Preserving Fast Three-Factor Authentication and Key Agreement for IoT-Based E-Health Systems. IEEE Transactions on Services Computing 16:2 (1324-1333). DOI: 10.1109/TSC.2022.3149940. Online publication date: 1-Mar-2023
      • (2023) Attacks on Acceleration-Based Secure Device Pairing With Automatic Visual Tracking. IEEE Transactions on Information Forensics and Security 18 (3991-4005). DOI: 10.1109/TIFS.2023.3290495. Online publication date: 1-Jan-2023
      • (2023) Attacks and Countermeasures on Privacy-Preserving Biometric Authentication Schemes. IEEE Transactions on Dependable and Secure Computing 20:2 (1744-1755). DOI: 10.1109/TDSC.2022.3162623. Online publication date: 1-Mar-2023
      • (2023) Highly Efficient Bidirectional Multifactor Authentication and Key Agreement for Real-Time Access to Sensor Data. IEEE Internet of Things Journal 10:23 (21089-21099). DOI: 10.1109/JIOT.2023.3284501. Online publication date: 1-Dec-2023
      • (2023) Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes. Advances in Cryptology – ASIACRYPT 2023 (110-142). DOI: 10.1007/978-981-99-8742-9_4. Online publication date: 4-Dec-2023
