Advanced Biometric Atm Machine

ADVANCED BIOMETRIC ATM MACHINE WITH AES 256 AND STEGANOGRAPHY IMPLEMENTATION

Rishigesh Murugesh
Department of Informatics, Technical University of Munich
Munich, Germany

Abstract—The main objective of this system is to make ATM transactions as secure as possible. This system replaces the conventional ATM card with a fingerprint. Therefore, users don't have to carry a plastic card to withdraw money. The fingerprint and the phone number of all users are stored in the system database during registration. Fingerprints are used to establish a person's genuineness. A fingerprint scanner is used to get the fingerprint of the user, after which the system requests the PIN (Personal Identification Number). Once the user enters the PIN, the user is prompted to enter the OTP (One Time Password), which is a 4-digit random password sent by the server to the user's registered mobile number. On cross verification with the data stored in the system database, the user is allowed to make a transaction. The underlying mechanism involves combining the concepts of Cryptography and Steganography. The PIN and OTP are encrypted using AES 256. Then the encrypted data is steganographed with the fingerprint image, which acts as the BASE image. The steganographed image is sent to the server, where it is de-steganographed and verified with the data available in the system database.

Keywords—ATM; OTP; PIN; HVS; Triple DES; AES 256; Cryptography; Steganography

I. INTRODUCTION

An automated teller machine or automatic teller machine (ATM) is a computerized telecommunications device that provides the clients of a financial institution with access to financial transactions in a public space without the need for a cashier, human clerk or bank teller. On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic strip or a plastic smart card with a chip that contains a unique card number and some security information such as an expiration date. Authentication is provided by the customer entering a personal identification number (PIN). Using an ATM, customers can access their bank accounts in order to make cash withdrawals, debit card cash advances, and check their account balance.

Fraud against ATMs and people's attempts to use them takes several forms. Once a user's bank card is lost and the password is stolen, the criminal will draw all cash in the shortest time, which will bring enormous financial losses to the customer. There have also been a number of incidents of fraud by Man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing ATM machines. They are used to record customers' PINs and bank card information in order to gain unauthorized access to their accounts. Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES.

II. STEGANOGRAPHY

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. Coding secret messages in digital images is by far the most widely used of all methods. This is because it can take advantage of the limited power of the human visual system (HVS). The advantage of steganography over cryptography is that messages do not attract attention to themselves.

There are two types of compression used in digital images, lossy and lossless. Lossy compression such as (.JPEG) greatly reduces the size of a digital image by removing excess image data and calculating a close approximation of the original image. Lossless compression techniques, as the name suggests, keep the original digital image intact without the chance of loss. It is for this reason that a lossless compression technique is chosen for steganographic uses.

Least significant bit (LSB) encoding is by far the most popular of the coding techniques used for digital images. By using the LSB of each byte (8 bits) in an image for a secret message, you can store 3 bits of data in each pixel for 24-bit images and 1 bit in each pixel for 8-bit images.

Masking and filtering techniques for digital image encoding such as Digital Watermarking are more popular with lossy compression techniques such as (.JPEG). This technique actually extends the image data by masking the secret data over the original data as opposed to hiding information inside of the data. The beauty of masking and filtering techniques is that they are immune to image manipulation, which makes these possible uses very robust.

IEEE - Fourth International Conference on Advanced Computing, ICoAC 2012, MIT, Anna University, Chennai. December 13-15, 2012. 978-1-4673-5584-1/12/$31.00 ©2012 IEEE

Transcript of Advanced Biometric Atm Machine

  • III. AES 256 ALGORITHM

    Advanced Encryption Standard is used to encrypt digital data. It was originally called Rijndael. AES has been adopted worldwide. In theory cracking an AES encrypted code is close to impossible, since the combinations of keys are massive. It uses a symmetric key algorithm, since it uses the same key for encryption and decryption. Based on the principle of substitution-permutation network, it is fast in both software and hardware platforms. The AES algorithm makes use of three cipher keys, each of different strengths, namely 128, 192 and 256 bit encryption. Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm.

    AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the cipher text. The number of cycles of repetition is as follows:

    10 cycles of repetition for 128 bit keys.

    12 cycles of repetition for 192 bit keys.

    14 cycles of repetition for 256 bit keys.

    Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds is applied to transform cipher text back into the original plaintext using the same encryption key.

    A. Performance of the Algorithm

    High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers. On a Pentium Pro, AES encryption requires 18 clock cycles / byte, equivalent to a throughput of about 11 MiB/s for a 200 MHz processor. On a Pentium M 1.7 GHz throughput is about 60 MiB/s. On Intel i5/i7 CPUs supporting AES-NI instruction set extensions throughput is about 400 MiB/s per thread.

    B. AES vs. Triple DES

    Anyone today, who wants high security, uses a more powerful version of DES called Triple-DES. To start encrypting with Triple-DES, two 56-bit keys are selected. Data is encrypted via DES three times, the first time by the first key, the second time by the second key and the third time by the first key once more.

    AES has more elegant mathematical formulas behind it, and only requires one pass to encrypt data. AES was designed from the ground up to be fast, unbreakable and able to support the tiniest computing devices imaginable. The big differentiators between AES and Triple-DES are not strength of security, but superior performance and better use of resources.

    TABLE I. COMPARISON BETWEEN AES AND TRIPLE DES

    IV. FINGERPRINT RECOGNITION USING NEURAL NETWORKS

    Fingerprints are one of many forms of biometrics used to identify individuals and verify their identity. In order to be used for recognizing a person, the human trait needs to be unique and not subject to change. Fingerprints are imprints formed by friction ridges of the skin and thumbs. The patterns are permanent and unchangeable on each finger.

    The three basic patterns of fingerprint ridges are the arch, loop, and whorl:

    [Figure: arch pattern, loop pattern, whorl pattern]

    The major minutia features of fingerprint ridges are: ridge ending, bifurcation, and short ridge (or dot):

    [Figure: ridge ending, bifurcation, short ridge]

  • The various processes that are involved in fingerprint recognition using neural networks are:

    Image acquisition: Converts a scene into an array of numbers that can be manipulated by a computer.

    Edge detection and thinning: They are parts of the preprocessing, which involves removing noise, enhancing the picture and, if necessary, segmenting the image into meaningful regions.

    Feature extraction: The image is represented by a set of numerical features to remove redundancy from the data and reduce its dimension.

    Classification: A class label is assigned to the image by examining its extracted features and comparing them with the class that the classifier has learned during its training stage.

    The first phase of the work is to capture the fingerprint image and convert it to a digital representation. The histogram equalization technique is used to increase the contrast if the illumination condition is poor. Binarization is usually performed by using the Laplacian edge detection operator. The binary image is further enhanced by a thinning algorithm which reduces the image ridges to a skeleton structure. Selection of good features is a crucial step in the process since the next stage only sees these features and acts upon them. A multilayer perceptron network of three layers is trained to detect the minutiae in the thinned part image. Contour tracing is used to find one or more turning points which are used as reference points. The recognition rate of the fingerprints depends on the quality of the fingerprints and the effectiveness of the preprocessing system.

    A. Fingerprint Identification

    The system recognizes an individual by searching the templates of all the users in the database for a match. Therefore, the system conducts a one-to-many comparison to establish an individual's identity. It fails if the subject is not saved in the system database. Identification is a critical component in negative recognition applications where the system establishes whether the person is who he/she denies to be. The purpose of negative recognition is to prevent a single person from using multiple identities. Identification may also be used in positive recognition for convenience where the user is not required to claim an identity.

    B. Fingerprint Verification

    The verification problem may be formally posed as follows: given an input feature vector $X_q$ which is extracted from the biometric data and a claimed identity, determine if $(I, X_q)$ belongs to class 1 or 2, where 1 indicates that the claim is true and 2 indicates that the claim is false. Typically, $X_q$ is matched against $X_i$, the biometric template corresponding to user, to determine its category. Thus

    $$(I, X_q) \in \begin{cases} 1, & \text{if } S(X_q, X_i) \ge t \\ 2, & \text{otherwise} \end{cases}$$

    where $S$ is the function that measures the similarity between feature vectors $X_q$ and $X_i$, and $t$ is a predefined threshold. The value $S(X_q, X_i)$ is termed as a similarity or matching score between the biometric measurements of the user and the claimed identity. Therefore, every claimed identity is classified into 1 or 2 based on the variables $X_q$, $I$, $X_i$, and the function. Note that fingerprint measurements of the same individual taken at different times are almost never identical. This is the reason for introducing the threshold term $t$.

    V. PROPOSED SYSTEM

    The main purpose of this proposed system is to establish a highly secured money transaction system. The existing system poses a lot of threats, due to lack of security features. In this system, protection to user integrity is given the highest priority. In addition to the existing peripherals, all we need is a good quality fingerprint scanner. Today, fingerprint devices are by far the most popular form of biometric security used, with a variety of systems on the market intended for general and mass market usage. Long gone are the huge bulky fingerprint scanners; now a fingerprint scanning device can be small enough to be incorporated into a laptop. Once this biometric component has been incorporated into the existing system, we can make the transaction almost threat-free.

    Firstly, the user has to input his/her fingerprint using the biometric scanner. Fingerprint scanning essentially provides an identification of a person based on the acquisition and recognition of those unique patterns and ridges in a fingerprint. Once the fingerprint has been read by the scanner, the screen prompts the user to enter the secret PIN. The secret PIN can be set according to the user's choice. Once the user enters the 4-digit secret PIN, the interface prompts for the OTP. OTP (One Time Password) is a random 4-digit number sent to the user's registered mobile number by the server. The user has to enter the 4-digit OTP sent to the mobile number. Only if all the details entered by the user are accurate is the user shown the transaction page.

    VI. BEHIND-THE-SCENE WORKING MECHANISM

    Just with the addition of a biometric component, we cannot assure a threat-free money transaction. It is the algorithm that needs to be incorporated that makes the system highly secure. In this system, we intend to make use of two techniques, namely Cryptography and Steganography.

    Cryptography is the process of encrypting information using a key. We use the AES 256 algorithm to encrypt the PIN and the OTP. AES 256 encryption is better than the Triple DES algorithm, which is currently in use.

  • Steganography is the art of hiding the existence and the content of a confidential message by embedding it inside a media file such as image, video, or audio. In the proposed system, we intend to use the fingerprint image captured by the fingerprint scanner as the BASE image. Using the concept of steganography, we hide the AES 256 encrypted code (PIN + OTP) inside the fingerprint image.

    All of the above-mentioned processes take place at the client side (ATM machine) and the steganographed image is sent to the server. At the server side, the image is de-steganographed to retrieve the fingerprint image and the encrypted code. Then, the process of decryption takes place to extract the PIN and the OTP sent to the registered user's mobile number. Once all the data is made available, the server cross-verifies it against the data stored in the system database. Each fingerprint is associated with a bank account. All the details of the user that are associated with the bank account are stored in the system database. The account details are retrieved using the de-steganographed fingerprint. If all the data give a successful match, the user is shown the transaction page.
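
The LSB step from Section II, applied as in the client/server flow above, is sketched below as an added example; it is not code from the paper. It assumes an 8-bit grayscale pixel buffer (1 bit per pixel), a hypothetical 4-byte length header, random bytes standing in for the AES 256 ciphertext of PIN + OTP, and coarse requantization as a stand-in for lossy re-encoding; all function names are illustrative.

```python
import os

HEADER_BITS = 32  # assumed framing: 4-byte big-endian payload length


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels: bytes) -> int:
    """Payload bytes that fit at 1 bit per 8-bit pixel, after the header."""
    return max(0, (len(pixels) - HEADER_BITS) // 8)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels whose LSBs carry the length header and payload."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload larger than cover image capacity")
    framed = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read(pixels: bytes, start: int, nbytes: int) -> bytes:
    """Rebuild nbytes from the LSBs of the pixels beginning at index start."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Server side: recover the payload, rejecting an impossible header."""
    if len(pixels) < HEADER_BITS:
        raise ValueError("image too small to hold a header")
    length = int.from_bytes(_read(pixels, 0, 4), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("length header exceeds image capacity")
    return _read(pixels, HEADER_BITS, length)


def requantize(pixels: bytes, step: int = 4) -> bytes:
    """Stand-in for lossy re-encoding: round each pixel down to a multiple of step."""
    return bytes((p // step) * step for p in pixels)


def demo() -> dict:
    # Constructed sample data: a 64x64 8-bit grayscale "fingerprint" and a
    # 32-byte random blob standing in for the AES 256 ciphertext of PIN + OTP.
    cover = bytes((x * 7 + y * 13) % 256 for y in range(64) for x in range(64))
    ciphertext = os.urandom(32)
    stego = embed(cover, ciphertext)
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    lossy = extract(requantize(stego))
    return {
        "capacity": capacity_bytes(cover),
        "changed_pixels": sum(1 for d in diffs if d),
        "max_delta": max(diffs),
        "roundtrip_ok": extract(stego) == ciphertext,
        "survives_lossy": lossy == ciphertext,
    }

if __name__ == "__main__":
    print(demo())
```

Embedding overwrites pixel LSBs, so the server recovers the ciphertext exactly but the fingerprint image only to within one grey level per touched pixel; any lossy step between ATM and server erases the payload.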

    VII. IMPORTANT ACHIEVEMENTS OF THE PROPOSED SYSTEM

    One huge change incorporated into the system is the use of biometrics. The user does not have to carry a separate ATM card to make the transaction. The user can simply make a transaction using his finger. Using a biometric is far more secure than using a magnetic strip card, as every fingerprint is unique.

    In addition to securing the system using a PIN, we also provide an OTP feature which further increases the complexity of the system. Even if the PIN of the user is available to the wrong person, he may not have access to the OTP, as the OTP is only sent to the authorized mobile number registered to the user.

    Use of the AES 256 algorithm provides concrete protection to the system. AES can encrypt data much faster than Triple-DES, as DES essentially encrypts a message or document three times.

    During the communication between the client and the server, even if the intruder hacks the connection line and gets access to the data, he may only get the steganographed fingerprint image. He may never be able to decode the encrypted data within the image. Only with decrypted data may the hacker forge a transaction.

    VIII. CONCLUSION

    This paper means to conclude that the conventional system needs to be replaced with a biometric system where the transaction process becomes easier, reliable, secure, and tension free, in which nobody has to carry any kind of card. Fingerprints are one of many forms of biometrics used to identify individuals and verify their identity. It is based on the characteristics of the fingerprint, like stability and reliability. A fingerprint allows the recognition of a person through quantifiable physiological characteristics that verify the identity of an individual. Today companies have realized that fingerprint scanning is an effective means of security. AES 256 encryption provides solid security features required for the system. The steganography mechanism provides very little clue to middle man attacks. With the availability of low-cost, efficient biometric scanners, this system is sure to provide a new experience to the users, who can feel the ease of use and at the same time be satisfied, as no compromise has been made to the security component of the system.
