Forensic vs. Anti- forensic in Biometrics: Towards Receipt ... · Various specific tools are...
Transcript of Forensic vs. Anti- forensic in Biometrics: Towards Receipt ... · Various specific tools are...
Forensic vs. Anti-forensic in Biometrics: Towards Receipt-freeness and Coercion-Resistance in biometric authentication protocolsKouichi Sakurai1,2
1 : G ra d uate S c hoo l o f I n for m at ion S c ien c e a n d E lec t r i ca l Eng ineer ing , Kyushu Un ivers i ty
2 : I nst i tu te o f System s , I n for m at ion Tec h n o log ies a nd N a n otec hn o log ies , J a p a n ( I S I T )
This work is collaborative research with Yoshifumi Ueshige (Nagasaki Univ.) supported by JSPS KAKENHI Grant
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 1
UNSW Kyushu Cybersecurity Collaboration Workshop March 28-29, 2016
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 2
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 3
1. Biometrics (1)There are many modal of biometric authentication.◦ Examples:
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 4
Facial image Fingerprint Shape of palm Vein
Iris Handwriting Voiceprint
1. BiometricsApplication of biometricsVarious Applications of Biometric Authentication◦ To Close environment:
◦ To Open network: Solution by Cloud Computing
9/29/2017 5
ATM Entrance of controlled area
Health surveillance in developing countries
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Authentication
1. BiometricsPrivacy issues of biometricsSerious Problem: Privacy Protection in Biometrics◦ Various biometric data are required in authentication for
biometrics◦ Enrolled templates◦ Biometric feature of captured samples◦ Intermediate processing data for authentication processes
9/29/2017 6UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Human has 10 fingers, two hands,two eyes, one face….
Do you have much more?
When the above information is compromised, re-
enrollment is quite difficult.
1. BiometricsPrivacy protection techniquesAs countermeasures of the above problem, manytechniques of remote biometrics are proposed◦ Cancelable biometrics◦ Zero-Bio◦ Fuzzy-Vault◦BioEncryption, etc.
9/29/2017 7UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 8
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 9
2. Forensics vs Anti-forensicsForensics : collecting electronic information as evidence for criminal investigation or lawsuit◦ Various specific tools are developed.
9/29/2017 10
various evidence for digital forensics
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
2. Forensics vs Anti-forensicsDigital forensics (1)For example, even if some e-mail as worse evidence has been deleted, some binary data of the e-mail is remained.
9/29/2017 11
DELETE
I feel easy, because ofNO EVIDENCE.
Detect
EVIDENCEUNSW KYUSHU CYBERSECURITY COLLABORATION
WORKSHOP MARCH 28-29, 2016
2. Forensics vs Anti-forensicsDigital forensics (2)Forensics : collecting electronic information as evidence for criminal investigation or lawsuit◦ Various specific tools are developed.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 12
When forensic techniques are abused, he/she can excessively collect privacy
information
2. Forensics vs Anti-forensicsAnti-forensics (1)Anti-forensics : countermeasure against legal investigation and lawsuit◦ Policy◦ No data is left in electric devices
◦ Method:◦ Encryption, Concealment with Rootkit,◦ Wipe of files, Erasure of many logs
9/29/2017 13UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
2. Forensics vs Anti-forensicsAnti-forensics (2)Anti-forensics : countermeasure against legal investigation and lawsuit
9/29/2017 14
Anti-forensics has a side of privacy protection for anxiety against • collection and release of
information from systems with inappropriate setting,
• and excessive collection by third person
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
2. Forensics vs Anti-forensicsAnti-forensics (3)Example:◦ Scene where anti-forensics is
required◦ surveillance camera system◦ Must specify criminal or suspicious
persons◦ Should not leave information about
unrelated people!
9/29/2017 15UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
2. Forensics vs Anti-forensics Related significant key words
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 16
Deniable
Coercion-free
POINT: NO evidence for showing to third persons (coercers)
Anti-forensics
Receipt-freeness
2. Forensics vs Anti-forensicsDeniable vs Undeniable (1)Deniable Cryptography◦ Eg. Message Authentication Code
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 17
Plain textM
Plain textM
MAC a
Plain text with MAC
Alice Bob
HMAC HMAC
MAC a=MAC b?
Yes Plain text is Alice’s message
No Plain text is NOTAlice’s message
MAC a=HMAC(M,sk)
sk sk
MAC a MAC b=HMAC(M,sk)MAC b
2. Forensics vs Anti-forensicsDeniable vs Undeniable (1)Deniable Cryptography◦ Eg. Message Authentication Code
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 18
Plain textM
Plain textM
MAC a
Plain text with MAC
Alice Bob
HMAC HMAC
MAC a=MAC b?
Yes Plain text is Alice’s message
No Plain text is NOTAlice’s message
sk sk
MAC b=HMAC(M,sk)MAC b
Alice wrote this message
I didn’t send such message
MAC a=HMAC(M,sk)MAC a
Third person cannot prove who says truth, because both of them can generate same MAC, like Zero Knowledge Proof.
2. Forensics vs Anti-forensicsDeniable vs Undeniable (2)Deniable Cryptography◦ Eg. Deniable Encryption (Sahai, Waters)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 19
Plain text
AliceEncrypted message
Encryption
Adversary
Indistinguishability obfuscation
I don’t have plaintext!
I cannot prove her fake!
2. Forensics vs Anti-forensics Deniable vs Undeniable (3)Undeniable Cryptography◦ Eg. Digital signature based on public key encryption
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 20
Peggy (Prover, signer)
Vic (Verifier)
Yes
No
MD1=MD2?
Digital signature
Decrypt digital signature MD1
Calculate Message Digest
MD2
Signature is not valid
Message is altered
This is Peggy’ s signature!
2. Forensics vs Anti-forensics Deniable vs Undeniable (4)Undeniable Cryptography◦ Eg. Undeniable Signature (Chaum, Antwerpen, 1990)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 21
Peggy (Prover, signer)
Vic (Verifier)
Digital signature
Yes
No
Challenge
Response
Signature is not valid
Signer sends improper response in an effort to falsely deny a valid signature
success?
This is Peggy’ s signature!
2. Forensics vs Anti-forensics Deniable vs Undeniable (5)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 22
Deniable CryptographyMessage Authentication Code (MAC)Based on sharing secret key
Deniable Encryption (Sahai, Waters)Based on indistinguishability obfuscation
Undeniable CryptographyDigital signature based on public key encryptionBased on public key encryption
Undeniable Signature (Chaum, Antwerpen, 1990)Based on challenge response
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 23
3. Receipt-freeness & Coercion-resistanceWhat is “receipt”?
Electrical voting system
Peggy’s voting result
I can ensure whether Peggy voted for
particular candidate or not!
Adversary
Receipt (Peggy generated)
EVIDENCE
If this scenario is realized, the e-voting system is failure.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 24
3. Receipt-freeness & Coercion-resistanceRisk: Misusing receiptReceipt can be used in voting irregularities
Electrical voting system
Muggy’s voting result
I can sell my voting with the receipt
Receipt (Muggy generated)
EVIDENCE
If this scenario is realized, the e-voting system is failure.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 25
Muggy is floater in this voting
3. Receipt-freeness & Coercion-resistanceReceipt-freeness“Receipt-freeness” is one of request for electrical voting.◦ “Receipt-freeness” means
a voter does not gain any information (a receipt).
◦ No voter can show he/she votes any candidates.
◦ Receipt-freeness is effective in preventing bribery and coercion.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 26
3. Receipt-freeness & Coercion-resistanceRelated works of receipt-freenessReceipt-freeness is studied in e-voting.◦ Meng, Li, Qin, “A Receipt-free Coercion-resistant Remote Internet
Voting Protocol without Physical Assumptions through Deniable Encryption and Trapdoor Commitment Scheme”,Journal of Software, Vol. 5, No. 9, pp. 942-949, SEP. 2010
◦ Kusters, Truderung, Vogt, "Verifiability, Privacy, and Coercion-Resistance: New Insights from a Case Study", 2011 IEEE Symposium on Security and Privacy
◦ Khader, Ryan, Tang, "Proving Pret a Voter Receipt Free using Computational Security Models", USENIX Journal of Election Technology and Systems (JETS), Volume 1, Number 1, 2013
◦ Howlader, Roy, Mal, "Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment", Information Security and Cryptology -ICISC 2013
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 27
:
^ `
Key Generation using Skin Conductance (Gupta, Gao,2010)
3. Receipt-freeness & Coercion-resistanceCoercion-resistance
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 28
UserAdversary
ANALYSE
Voice
Skin Conductance
generate Cryptographic Key
Cannot generate Cryptographic Key
Yes
No
Coercion?
3. Receipt-freeness & Coercion-resistanceRelated works of coercion-resistanceRelated works:◦ Electrical voting◦ J. Heather, S. Schneider, “A formal framework for modelling coercion
resistance and receipt freeness”, FM 2012: Formal Methods, LNCS Vol. 7436, pp 217-231, 2012.
◦ J. Benaloh, D. Tuinstra, “Receipt-Free Secret-Ballot Elections”, Proceedings of the twenty-sixth annual ACM symposium on Theory of computing (STOC `94), pp. 244-553, 1994.
◦ T. Okamoto, “Receipt-Free Electronic Voting Schemes for Large Scale Elections”, Security Protocols, Vol. 1361 of LNCS, pp 25-35, 1998.
◦ S. Delaune, S. Kremer, M. Ryan, “Verifying Privacy-Type Properties of Electronic Voting Protocols: A Taster”, Towards Trustworthy Elections, Vol. 6000 of LNCS, pp 289-309, 2010.
◦ Online auction◦ N. Dong, H. Jonker, J. Pang, “Analysis of a Receipt-Free Auction Protocol
in the Applied Pi Calculus”, Formal Aspects of Security and Trust, Vol. 6561 of LNCScience, pp 223-238, 2011.
◦ J. Howlader, S. K. Roy, A. K. Mal, “Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment”, Information Security and Cryptology -- ICISC 2013, Vol. 8565 of LNCS, pp 418-434, 2014
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 29
Forensics - Receipt-freeness – Coercion -Deniability
Relationship of the keywords
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 30
PrivacyProtection
Receipt-freeness
Malicious use
Coercion
Adversary
Forensics
Deniability
Coercion-resistance
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 31
4. Subject of our researchOur standpointForensic vs Anti-forensic
9/29/2017 32
Forensic• Collection of digital
evidence
Anti-forensic• Resistance of collecting
digital evidence
Abuse of forensic techniques causes
inappropriate information
collection
Privacy protection is derived from proper using anti-forensics
Our Standpoint
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
4. Subject of our researchNovel Threats of Remote Biometrics
Collecting the above information as evidence = Collecting excessive privacy information
9/29/2017 33UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Client
Server
(Malicious)Third person
Authentication
4. Subject of our researchNovel viewpoint for privacy protectionPossibility of the remainder of some information except authentication results in memory, cache, and so on◦ Intermediate data in authentication phase◦ Enrolled templates◦ Signature of templates◦ Biometric feature of captured samples◦ Other information combined with
each person
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 34
Privacy information
Viewpoint of anti-forensics is required in biometrics for privacy protection
4. Subject of our researchOur SubjectFrom a viewpoint of Anti-Forensic, “Receipt-freeness” and “Coercion-resistance” is required in remote biometrics
This work is first step.◦ This work defines “receipt-freeness” and “coercion-
resistance” of remote biometric authentication protocols.◦ Based on the definition, we analyze some remote biometric
authentication protocols about “receipt-freeness” and “coercion-resistance.”
9/29/2017 35UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 36
5. Receipt-freeness in biometrics“Receipt-freeness”=No evidence◦ If registrant obtains no information of his/her authentication
process (receipts) in any manner, he/she cannot show evidence of his/her authentication to third person.
◦ We can define “receipt-freeness” in biometrics on the analogy to discussion of e-voting.◦ Furthermore, coercion-resistance?
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 37
Access
Malicious third person User Biometric system Server
5. Receipt-freeness in biometricsPoint: Evidence and OpportunityIn order to define “receipt-freeness” of remote biometrics, we consider the following two points:1. Collectable information = Evidence◦ What sorts of information can the authentication server
collect?2. Opportunity of collecting information◦ When can the authentication server gather the above-
mentioned information?
9/29/2017 38UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsCollectable information = EvidenceSpecific information peculiar to remote biometrics◦ Evidence that someone execute authentication process =
Information used for registrants of individual◦ User ID◦ Image data acquired from
sensor devices◦ Template information◦ Extracted feature, etc.
9/29/2017 39
Data derived from living person
Biometric data Uniquely transformed biometric data E.g. hash of templates
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsOpportunity of collecting information
Forensic techniques are used in the following scenes1. Executing authentication process◦ Administrator can gather memory dump
2. Opportunity except authentication process◦ Many processes except authentication◦ Maintenance under system stop
9/29/2017 40UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsDefinition – “Receipt-freeness” We define “receipt-freeness” of remote biometrics as following:
9/29/2017 41UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
No information combined with person is obtained from accumulated logs and related information in authentication server whether in service or not
• Biometric information• Unique data calculated from biometric
information (eg. encrypted data, hash value)
5. Receipt-freeness in biometricsEvaluation of “receipt-freeness”Evaluation of “receipt-freeness” for some remote biometric authentication protocols:◦ Cancelable biometrics (Ratha et al, 2001)◦ Zero-Bio◦ ZeroBio Using Oblivious Neural Network Evaluation Protocol,
(Nagai et al., 2007)◦ ZKIPs for proving “nearness” using commitment (Ogata et al.,
2006)◦ G3C-ZKIP using generated graphs from biometric feature
(Oda et al., 2008)◦ Extensible Personal Authentication Framework using
Biometrics and PKI (Bio PKI) (Okada et al., 2004)
9/29/2017 42UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsCancelable biometrics (1)Ratha et al. proposed◦ Biometric feature is transformed by non-invertible transform
with chosen parameter R.◦ When transformed feature (template) is compromised, re-
enrolment is available with choosing new parameter R’.
9/29/2017 43
client
server
template
matching
result
feature extraction
Selection of R transform
XFR(X)
R
feature extraction
transform
X‘FR(X‘)
R
Enrolment
Authentication
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsCancelable biometrics (2)Image of non-invertible transform
9/29/2017 44UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
One-way function
Eg. random shuffling
Inverse transform
5. Receipt-freeness in biometricsCancelable biometrics (4)In this scheme, and are left on the server.◦ and are evidence of specific persons’
authentication processes.◦ This means “receipt-freeness” is NOT satisfied.
9/29/2017 45
client
server
template
matching
result
feature extraction
Selection of R transform
XFR(X)
R
feature extraction
transform
X‘FR(X‘)
R
Enrolment
Authentication
FR(X) FR(X‘)FR(X) FR(X‘)
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
This data is calculated from extracted feature
5. Receipt-freeness in biometricsZero-BioConcept:◦ Client shows validity of the client’s authentication result and
process to server by Zero-Knowledge Interactive Proof (ZKIP).◦ ZKIP: Prover convinces “I know secret” to verifier without
showing knowledge of “secret”
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 46
ZKIP
ClientServer
• Authentication is done appropriately.
• Auth. Result is valid.
• Server is convinced Client’ s claim.
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (1)Peggy (prover) tries to convince Vic (verifier) of knowing the secret without sending it directly.
I don’ t show “secret” itself.
She knows “secret”, because she answers correctly on all steps.
Peggy Vic
1
1
0
R
A1
A2
Ak
OK
OK
OK
OK1
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 47
I want to say “I know the secret”.
When I randomly choose “0” or “1”, dose she send
correct data?
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (1)Peggy (prover) tries to convince Vic (verifier) of knowing the secret without sending it directly.
I don’ t show “secret” itself.
She knows “secret”, because she answers correctly on all steps.
Peggy Vic
1
1
0
R
A1
A2
Ak
OK
OK
OK
OK1
No “secret” data is known
from the interaction
Zero Knowledge
(ZK)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 48
I want to say “I know the secret”.
When I randomly choose “0” or “1”, dose she send
correct data?
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (2)Characteristic of ZKIP (Sakurai, Itoh, CRYPTO92)◦ ZKIP can be constructed: ◦NOT by parallel execution of 3- move protocol,◦BUT by sequential iteration of 3-move protocol.◦ 3-move protocol can be honest verifier ZK.◦BUT 3 move protocol can NEVER be ZK.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 49
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (3)Sketch of parallel version vs sequential version
𝑃𝑃 𝑉𝑉
a
c
s
r {int.}a=r2
c {1,0}
If c=1,s:= rElse s:= rw
If s2= axc
accept;Else reject
N: Composite Integerx=w2modN((x,w), N) (x, N)
∀ PPT 𝑉𝑉* ,∃Simulator:
c {1,0}s {int.}a:=s2/xc
If 𝑉𝑉*((x,N),a) = cReturn (a, c, s)
Else Go to:
In average, Simulator succeeds in 2 trialsbecause |c| = 1 [bit]
: A Cheating Verifier
c= h(a, M), where M chosen by 𝑉𝑉*
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 50
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (4)Sketch of parallel version vs sequential version
𝑃𝑃 𝑉𝑉a1,a2 ・・・
c1,c2 ・・・
s1,s2 ・・・
a1
c1
s1
ZKIP can be constructed: NOT by parallel executionBUT by sequential iteration
For Soundness, 𝒊𝒊 polynomial
For ZK, Simulator needs 2𝒊𝒊 trials
𝒊𝒊 parallel
a2
c2
s2
𝒊𝒊 sequential
For Soundness, 𝒊𝒊 polynomial
For ZK, Simulator needs𝟐𝟐𝒊𝒊 trials
𝑃𝑃 𝑉𝑉
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 51
5. Receipt-freeness in biometricsZero-Knowledge Interactive Proof (5)Sketch of parallel version vs sequential version
3-move protocol can be honest verifier ZK.BUT 3 move protocol can NEVER be ZK.
𝑃𝑃 𝑉𝑉a:=a1a2 ・・・
c:=c1c2 ・・・
s:=s1s2 ・・・
𝒊𝒊 concatenation
Simulator: c {1,0}𝒊𝒊s {int.}a:=s2/xc
If 𝑉𝑉*((x,N),a) = cReturn (a, c, s)
Else Go to: In average, Simulator succeeds in 2𝒊𝒊 trialsbecause |c| = 𝒊𝒊 [bit]
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 52
5. Receipt-freeness in biometricsZero-Bio (1-1)ZeroBio Using Oblivious Neural Network Evaluation Protocol, (Nagai et al., 2007)◦ ZKIP proves NN distinguishes registrants is calculated correctly
on the client.◦ If ZKIP is end
successfully, the server can verifies the authentication result on the client is valid.
9/29/2017 53UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
ClientCorrectauthentication bycalculating neuralnetworks (NN)
ServerVerificationNN calculatescorrectly
Wij
ZKIP
X‘
YiXi
Common input
5. Receipt-freeness in biometricsZero-Bio (1-2)ZeroBio Using Oblivious Neural Network Evaluation Protocol, (Nagai et al., 2007)◦ In ZKIP, the client send the following information to the server.
◦ This means encrypted output of input layer contains information of biometric data X=(x1, x2, …, xn).
◦ The ZKIP consisted of 3-move protocol.◦ When the ZKIP is parallel executed, some information is
compromised from the execution.◦ From the above reasons, this protocol does NOT satisfy
“receipt-freeness.”
9/29/2017 54UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
�𝒀𝒀𝒊𝒊 = 𝑾𝑾𝟏𝟏𝒙𝒙𝒙𝒙𝟏𝟏𝑾𝑾𝟐𝟐𝒙𝒙
𝒙𝒙𝟐𝟐 ⋯𝑾𝑾𝒏𝒏𝒙𝒙𝒙𝒙𝒏𝒏
5. Receipt-freeness in biometricsZero-Bio (2-1)ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)◦ Commitment calculated from biometric data X and random
value r is defined.◦ Commitment E(X, r) : homomorphism for addition
◦ Commitments of template and extracted feature are calculated.
◦ From the commitments, “nearness” is proven by Zero-Knowledge Interactive Proof (ZKIP).
9/29/2017 55
client
CalculateE(X’,r’) frominput X’
serverValidate X isnear to X’from E(X,r)and E(X’,r’)
ZKIP
X‘
commitmentE(X,r)
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsZero-Bio (2-2)ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)◦ Server obtain two commitments E(X,r) and E(X’,r’) as evidence.◦ E(X,r) and E(X’,r) are calculated from biometric raw data
9/29/2017 56
client
CalculateE(X’,r’) frominput X’
serverValidate X isnear to X’from E(X,r)and E(X’,r’)
ZKIP
X‘
commitmentE(X,r)
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsZero-Bio (2-3)ZKIPs for proving “nearness” using commitment (Ogata et al., 2006)◦ Since ZKIP is consisted from 3-step interaction protocol, parallel
execution of the ZKIP compromise unuseful knowledge.◦ Because of the above two
reasons, this protocol does NOT satisfy “receipt-freeness.”
9/29/2017 57
client
CalculateE(X’,r’) frominput X’
serverValidate X isnear to X’from E(X,r)and E(X’,r’)
ZKIP
X‘
commitmentE(X,r)
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsZero-Bio (3-1)G3C-ZKIP using generated graphs from biometric feature (Oda et al., 2008)◦ Graph G(V, E, C) is generated from biometric data◦ V: vertex, E: edge, C: color
◦ Authentication process is using ZKIP proving given graph G(V,E) is 3-colorable (G3C)
9/29/2017 58
Each segmentation of biometric data is quantized with three colors C
Vertices V between different color are connected with graph G
Above graph G is enrolled
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsZero-Bio (3-2)Summarized Protocol
9/29/2017 59
Server Client1. Generation C from
biometric data2. Generation of graph G(V,
E) from C3. Sending G and ID4. Enrolment of G and ID
1. Sending ID2. Sending G 3. Generation of C’ from
acquired biometric data4. Correction of error of C’
using G and C’5. G3C-ZKIP
Enrolment phase
Authentication phase
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsZero-Bio (3-3)Consideration◦ Color information C is not left on Server◦ Reason: Characteristic of zero knowledge of G3C
◦ A part of transformed biometric data is left◦ Edges of graph E is evidence
◦ Since evidence is left on server, this protocol does NOT satisfy “receipt-freeness.”
9/29/2017 60UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsBio PKI (1)Extensible Personal Authentication Framework using Biometrics and PKI (Okada et al., 2004)◦ Server can validate authentication result in client using
certificate of biometric authentication environment
9/29/2017 61UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Client
Biometric device
Certificate
Validity of authentication• Biometric devices
Server
Verification the certificate
Result is trustful.
5. Receipt-freeness in biometricsBio PKI (2)Based on PKI framework, server can verify client’ s result from authentication result & context information (environment of biometric authentication).
9/29/2017 62UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
CA
authentication result and context
Validation resultClient Server (Verifier)
Issuing certificate of personal authentication context
Expiration ListFingerprint, retina, vein, etc.
Biometric device
Template, etc
Personal data storage device
Certificate Security of device, method, accuracy
TTP
Execute authenticationGeneration of authentication result and context
Verification of authentication context
5. Receipt-freeness in biometricsBio PKI (3)Format of authentication result and context information
9/29/2017 63
Generic ContextVersionIssuer NameSubjectChallenge ValueleGeneration TimeProfile Information
Authenticator/Signature
Profile Identifier 1Profile Identifier 2
:
Specific ContextContext Header
Authenticator/Signature
Profile Identifier 1
Specific ContextContext Header
Profile Identifier 2Profile Specific BlockAuthenticator/Signature
Profile Specific Block
Information of personal data storage device
Verification algorithm Hash value of template data Authentication result
Information of authentication device
Unique ID of device Hash value of feature data etc.
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
5. Receipt-freeness in biometricsBio PKI (4)Consideration◦ Client sends authentication result and context of
authentication environment to server (verifier).◦ If the format of “profile specific block” (PSB) contains the
following data, the following evidence is left on the server.◦ Hash value of template◦ Hash value of feature data
◦ This protocol does NOT satisfy “receipt-freeness.”◦ On the other hand, when PSB does not contain the above
data, this case satisfies “receipt-freeness.”
9/29/2017 64UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 65
6. Coercion-resistance in biometricsIdea ◦ We can consider “coercion“ by third person who collect the
privacy information based on “receipt-freeness.”
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 66
Access
Adversary (Coercer) User Biometric system Server
Coercion
Subject: • Defining “coercion-resistance” on biometric authentication
protocols• Analysis of some remote biometric authentication protocols
about “coercion-resistance.”
6. Coercion-resistance in biometricsRe-definition of “receipt-freeness”Assumption of the adversary in this work◦ The adversary can wiretap communication data on
authentication process via insecure open network.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 67
Wiretapping communication data
on the protocol
receipt-free
Evidence to convince• Biometric information• Unique transformed data from
the biometric informationAdversary
User
Authentication
ClientAuthenticationServer
Sniffing
6. Coercion-resistance in biometricsDefinition of “coercion-resistance”Assumption of coercer’s capability◦ Coercer in a distant place can constraint the user during the
user’s authentication process.
Definition of “coercion-resistance”
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 68
User can show no evidence to the abovecoercer.
• Evidence = following information combined with the user biometric information unique transformed data from the related
biometric information
6. Coercion-resistance in biometricsAnalysis of “Coercion-resistance”We analyze “coercion-resistance” based on “receipt-freeness” about the following protocols.◦ Khan and Kumari (BioMed Research Int’ l, 2013)◦ Lin et al. (Wireless Personal Commun., 2015)
User U Client Authentication Server S
Smartcard SC
Registration CenterRC
Registration of Userand Smartcard
Registration of Server(in Lin’ s method)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 69
6. Coercion-resistance in biometricsKhan and Kumari’s protocolTarget: login phase and authentication phase
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 70
User (Ui ) Server (Si )Inputs IDi, PWi and BIOi
SCi calculatesfi←(IDi || PWi) ⊕ gi
When biometric authentication issucceeded, client calculatesM1 = ci⊕fi M2 = ei⊕ri
M3 = M1⊕Rc M4 = (M1 || Rc)⊕IDi
M5 = h (M2 || Rc)
{M3 , M4, M5}Computes
M6 =h (xs || ys) M7 =M3⊕M6IDi = M4⊕(M6 || M7)
If IDi is correct, computesM8 =h (IDi || xs )
When M5=h(M8||M7) is verified,computes
M9 = M8⊕Rs M10 = h (M8 || Rs){M9 , M10}
When M10=h(M2||M11) is verified,computes
M11 =M9⊕M2
M12 = h (M2 || Rc || M11)
{M12}When M12 = h (M8 || M7 || Rs) isverified, accepts login request
(Rs is random number generated bySi)
(Rc is random number generated bySCi)
Computes
Target
6. Coercion-resistance in biometricsKhan and Kumari’s protocolTarget: login phase and authentication phase
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 71
User (Ui ) Server (Si )Inputs IDi, PWi and BIOi
SCi calculatesfi←(IDi || PWi) ⊕ gi
When biometric authentication issucceeded, client calculatesM1 = ci⊕fi M2 = ei⊕ri
M3 = M1⊕Rc M4 = (M1 || Rc)⊕IDi
M5 = h (M2 || Rc)
{M3 , M4, M5}Computes
M6 =h (xs || ys) M7 =M3⊕M6IDi = M4⊕(M6 || M7)
If IDi is correct, computesM8 =h (IDi || xs )
When M5=h(M8||M7) is verified,computes
M9 = M8⊕Rs M10 = h (M8 || Rs){M9 , M10}
When M10=h(M2||M11) is verified,computes
M11 =M9⊕M2
M12 = h (M2 || Rc || M11)
{M12}When M12 = h (M8 || M7 || Rs) isverified, accepts login request
(Rs is random number generated bySi)
(Rc is random number generated bySCi)
Computes
6. Coercion-resistance in biometricsKhan and Kumari’s protocolKey point◦ whether parameters imply the biometric information BIOi or
not.
In this protocol, the following parameters are evaluated:◦𝑀𝑀3 = 𝑀𝑀1 ⊕ 𝑅𝑅𝑐𝑐 = ℎ(𝑥𝑥𝑠𝑠 ∥ 𝑦𝑦𝑠𝑠) ⊕𝑅𝑅𝑐𝑐◦𝑀𝑀4 = 𝑀𝑀1 ∥ 𝑅𝑅𝑐𝑐 ⊕ 𝐼𝐼𝐼𝐼𝑖𝑖 = ℎ(𝑥𝑥𝑠𝑠 ∥ 𝑦𝑦𝑠𝑠) ∥ 𝑅𝑅𝑐𝑐 ⊕ 𝐼𝐼𝐼𝐼𝑖𝑖◦𝑀𝑀5 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 = ℎ ℎ 𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠 ∥ 𝑅𝑅𝑐𝑐◦𝑀𝑀9 = 𝑀𝑀8 ⊕ 𝑅𝑅𝑠𝑠 = ℎ(𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠) ⊕𝑅𝑅𝑠𝑠◦𝑀𝑀10 = ℎ 𝑀𝑀8 ∥ 𝑅𝑅𝑠𝑠 = ℎ(ℎ(𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠) ∥ 𝑅𝑅𝑠𝑠)◦𝑀𝑀12 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 ∥ 𝑀𝑀11 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 ∥ (𝑀𝑀9⊕𝑀𝑀2)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 72
BIOi
6. Coercion-resistance in biometricsKhan and Kumari’s protocolKey point◦ whether parameters imply the biometric information BIOi or
not.
In this protocol, the following parameters are evaluated:◦𝑀𝑀3 = 𝑀𝑀1 ⊕ 𝑅𝑅𝑐𝑐 = ℎ(𝑥𝑥𝑠𝑠 ∥ 𝑦𝑦𝑠𝑠) ⊕𝑅𝑅𝑐𝑐◦𝑀𝑀4 = 𝑀𝑀1 ∥ 𝑅𝑅𝑐𝑐 ⊕ 𝐼𝐼𝐼𝐼𝑖𝑖 = ℎ(𝑥𝑥𝑠𝑠 ∥ 𝑦𝑦𝑠𝑠) ∥ 𝑅𝑅𝑐𝑐 ⊕ 𝐼𝐼𝐼𝐼𝑖𝑖◦𝑀𝑀5 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 = ℎ ℎ 𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠 ∥ 𝑅𝑅𝑐𝑐◦𝑀𝑀9 = 𝑀𝑀8 ⊕ 𝑅𝑅𝑠𝑠 = ℎ(𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠) ⊕𝑅𝑅𝑠𝑠◦𝑀𝑀10 = ℎ 𝑀𝑀8 ∥ 𝑅𝑅𝑠𝑠 = ℎ(ℎ(𝐼𝐼𝐼𝐼𝑖𝑖 ∥ 𝑥𝑥𝑠𝑠) ∥ 𝑅𝑅𝑠𝑠)◦𝑀𝑀12 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 ∥ 𝑀𝑀11 = ℎ 𝑀𝑀2 ∥ 𝑅𝑅𝑐𝑐 ∥ (𝑀𝑀9⊕𝑀𝑀2)
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 73
BIOiNO biometric information
No one can obtain the “evidence” of the related biometric information used.
6. Coercion-resistance in biometricsKhan and Kumari’s protocolAnalysis◦ No term of biometric information are included in all of the
parameters.
◦ The coercer can order for Ui
◦ He/she cannot observe data included biometric information in the communication.
◦ Ui cannot show the evidence to him/her.
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 74
Receipt-freeness: OK
Coercion-resistance: OK
6. Coercion-resistance in biometricsLin et al.’ s protocolTarget: login phase and authentication phase
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 75
Computes
When 𝑑𝑑 𝑖𝑖∗=di is verified, generate nonce
m and timestamp T on SCi.Computes𝑴𝑴 = 𝒎𝒎 � 𝑷𝑷
{ai, fi, gi }
Computesbij =h (ai || ri)
Generates timestamp of server TjVerifies | Tj - Ti | <△TWhen the above equation is verified,computes𝒇𝒇𝒊𝒊∗ = 𝒂𝒂𝒊𝒊 ⊕ 𝒉𝒉(𝑴𝑴 ∥ 𝑻𝑻𝒊𝒊 ∥ 𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊)
{ki}
𝒅𝒅 𝒊𝒊∗= h (ai || h(PWi || BIOi ) || IDi)
bij =D h (IDi | | BIOi) [ci j]fi = ai⊕h (M || Ti || SIDj)
gi =𝑬𝑬𝒃𝒃𝒊𝒊𝒊𝒊 [h(PWi || BIOi ) , M , Ti]
𝑺𝑺𝒃𝒃𝒊𝒊𝒊𝒊[gi]={h(PWi || BIOi ) , M , Ti}
When 𝑓𝑓𝑖𝑖∗ = 𝑓𝑓𝑖𝑖 is verified, generatesrandom value n and computes𝒊𝒊𝒊𝒊 = 𝒉𝒉(𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊⨁𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊)) 𝑵𝑵 = 𝒏𝒏 � 𝑷𝑷𝒌𝒌𝒊𝒊 = 𝑬𝑬𝒃𝒃𝒊𝒊𝒊𝒊 𝒊𝒊𝒊𝒊,𝑵𝑵, 𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊 𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 = 𝒏𝒏 � 𝑴𝑴
𝑺𝑺𝒃𝒃𝒊𝒊𝒊𝒊 𝒌𝒌𝒊𝒊 = {𝒊𝒊𝒊𝒊,𝑵𝑵,𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊}𝒊𝒊𝒊𝒊∗ = 𝒉𝒉(𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊 ⊕ 𝒉𝒉 𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )
𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 = 𝒎𝒎 � 𝑵𝑵𝒍𝒍𝒊𝒊 = 𝒉𝒉(𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 ∥ 𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊))
{li}
When 𝑙𝑙𝑖𝑖∗ = 𝑙𝑙𝑖𝑖 is verified, accepts login
𝒍𝒍𝒊𝒊∗ = 𝒉𝒉(𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 ∥ 𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊))
Computes
When 𝑗𝑗𝑖𝑖∗ = 𝑗𝑗𝑖𝑖 is verified, computes
User (Ui )Inputs IDi, PWi and BIOi
Server (Sj)
Computes
Target
6. Coercion-resistance in biometricsLin et al.’ s protocolTarget: login phase and authentication phase
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 76
Computes
When 𝑑𝑑 𝑖𝑖∗=di is verified, generate nonce
m and timestamp T on SCi.Computes𝑴𝑴 = 𝒎𝒎 � 𝑷𝑷
{ai, fi, gi }
Computesbij =h (ai || ri)
Generates timestamp of server TjVerifies | Tj - Ti | <△TWhen the above equation is verified,computes𝒇𝒇𝒊𝒊∗ = 𝒂𝒂𝒊𝒊 ⊕ 𝒉𝒉(𝑴𝑴 ∥ 𝑻𝑻𝒊𝒊 ∥ 𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊)
{ki}
𝒅𝒅 𝒊𝒊∗= h (ai || h(PWi || BIOi ) || IDi)
bij =D h (IDi | | BIOi) [ci j]fi = ai⊕h (M || Ti || SIDj)
gi =𝑬𝑬𝒃𝒃𝒊𝒊𝒊𝒊 [h(PWi || BIOi ) , M , Ti]
𝑺𝑺𝒃𝒃𝒊𝒊𝒊𝒊[gi]={h(PWi || BIOi ) , M , Ti}
When 𝑓𝑓𝑖𝑖∗ = 𝑓𝑓𝑖𝑖 is verified, generatesrandom value n and computes𝒊𝒊𝒊𝒊 = 𝒉𝒉(𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊⨁𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊)) 𝑵𝑵 = 𝒏𝒏 � 𝑷𝑷𝒌𝒌𝒊𝒊 = 𝑬𝑬𝒃𝒃𝒊𝒊𝒊𝒊 𝒊𝒊𝒊𝒊,𝑵𝑵, 𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊 𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 = 𝒏𝒏 � 𝑴𝑴
𝑺𝑺𝒃𝒃𝒊𝒊𝒊𝒊 𝒌𝒌𝒊𝒊 = {𝒊𝒊𝒊𝒊,𝑵𝑵,𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊}𝒊𝒊𝒊𝒊∗ = 𝒉𝒉(𝑺𝑺𝑺𝑺𝑺𝑺𝒊𝒊 ⊕ 𝒉𝒉 𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )
𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 = 𝒎𝒎 � 𝑵𝑵𝒍𝒍𝒊𝒊 = 𝒉𝒉(𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 ∥ 𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊))
{li}
When 𝑙𝑙𝑖𝑖∗ = 𝑙𝑙𝑖𝑖 is verified, accepts login
𝒍𝒍𝒊𝒊∗ = 𝒉𝒉(𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 ∥ 𝒉𝒉(𝑷𝑷𝑾𝑾𝒊𝒊 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊))
Computes
When 𝑗𝑗𝑖𝑖∗ = 𝑗𝑗𝑖𝑖 is verified, computes
User (Ui )Inputs IDi, PWi and BIOi
Server (Sj)
Computes
BIOi
Communicationdata
=Targets of analysis
6. Coercion-resistance in biometricsLin et al.’ s protocolKey point◦ whether parameters imply the biometric information BIOi or
not.
In this protocol, the following parameters include BIOi.◦ 𝑑𝑑𝑖𝑖 = ℎ(𝑎𝑎𝑖𝑖 ∥ ℎ(𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊) ∥ 𝐼𝐼𝐼𝐼𝑖𝑖)◦ 𝑔𝑔𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 ,𝑀𝑀,𝑇𝑇𝑖𝑖]
◦ 𝑗𝑗𝑖𝑖 = ℎ(𝑆𝑆𝐼𝐼𝐼𝐼𝑗𝑗 ⊕ ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )◦ 𝑘𝑘𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[𝒊𝒊𝒊𝒊,𝑁𝑁, 𝑆𝑆𝐼𝐼𝐼𝐼𝑗𝑗]
◦ 𝑙𝑙𝑖𝑖 = ℎ(𝑆𝑆𝑆𝑆𝑖𝑖𝑗𝑗 ∥ ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 77
BIOi
Communicationdata
=Targets of analysis
6. Coercion-resistance in biometricsLin et al.’ s protocolKey point◦ whether parameters imply the biometric information BIOi or
not.
In this protocol, the following parameters include BIOi.◦ 𝑑𝑑𝑖𝑖 = ℎ(𝑎𝑎𝑖𝑖 ∥ ℎ(𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊) ∥ 𝐼𝐼𝐼𝐼𝑖𝑖)◦ 𝑔𝑔𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 ,𝑀𝑀,𝑇𝑇𝑖𝑖]
◦ 𝑗𝑗𝑖𝑖 = ℎ(𝑆𝑆𝐼𝐼𝐼𝐼𝑗𝑗 ⊕ ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )◦ 𝑘𝑘𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[𝒊𝒊𝒊𝒊,𝑁𝑁, 𝑆𝑆𝐼𝐼𝐼𝐼𝑗𝑗]
◦ 𝑙𝑙𝑖𝑖 = ℎ(𝑆𝑆𝑆𝑆𝑖𝑖𝑗𝑗 ∥ ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 78
Parameters gi, ki, and li imply the termBIOi
It is necessary to analyze whether theseparameters are “evidence” or not.
6. Coercion-resistance in biometricsLin et al.’ s protocolIf the parameters for unique user are not changedamong different authentication sessions, the parameteris regarded as “evidence.”
Analysis of receipt-freeness◦ 𝑔𝑔𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 ,𝑀𝑀,𝑇𝑇𝑖𝑖]◦ 𝑘𝑘𝑖𝑖 = 𝐸𝐸𝑏𝑏𝑖𝑖𝑖𝑖[𝒊𝒊𝒊𝒊,𝑁𝑁, 𝑆𝑆𝐼𝐼𝐼𝐼𝑗𝑗]
◦ 𝑙𝑙𝑖𝑖 = ℎ(𝑺𝑺𝑺𝑺𝒊𝒊𝒊𝒊 ∥ ℎ 𝑃𝑃𝑃𝑃𝑖𝑖 ∥ 𝑩𝑩𝑺𝑺𝑩𝑩𝒊𝒊 )
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 79
NOT change among sessions-EVIDENCE-
change among sessions-NOT EVIDENCE-
Receipt-freeness:
NG
4. Analysis of “Receipt-freeness” and “Coercion-resistance”
Lin et al.’ s protocolAnalysis of coercion-resistance◦ The coercer can order for Ui
◦ He/she can observe data included biometric information,gi and ki in the communication.
◦ Ui can show the parameters to him/her as the“evidence.”
Coercion-resistance: NG
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 80
Agenda1. Biometrics
2. Forensic vs Anti-forensic
3. Receipt-freeness & Coercion-resistance4. Subject of our research
5. Receipt-freeness in biometrics
6. Coercion-resistance in biometrics7. Conclusion
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 81
7. ConclusionThis presentation introduce ◦ Privacy issue of biometrics◦ Related viewpoints:◦ Forensics vs Anti-forensics◦ Receipt-freeness & Coercion-resistance
◦ Our challenge “Receipt-freeness” and “Coercion-resistance” of biometrics
◦ Definition of “Receipt-freeness” and “Coercion-resistance”◦ Evaluation of remote biometric authentication protocols
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 82
7. ConclusionFuture workAnalyze other remote biometric authentication protocols about “receipt-freeness” and “coercion-resistance” ◦ brainwaves◦ H. Bojinov, D. Sanchez, P. Reber, D. Boneh, P. Lincoln,
"Neuroscience Meets Cryptography:Designing Crypto Primitives Secure Against Rubber Hose Attacks", the 21st USENIX Security Symposium (USENIX Security 12), pp. 129-141, Aug. 2012
◦ K. B. Rasmussen, M. Roeschlin, I. Martinovic, G. Tsudik, “Authentication Using Pulse-Response Biometrics”, the Network and Distributed System Security Symposium 2014
Deniability of biometric authentication protocols based on this argument
9/29/2017 UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016 83
Thank you for your attention
9/29/2017 84
Kyushu University
TOKYO
FUKUOKA
1000KM
Kouichi SakuraiFaculty of Information Science and Electrical EngineeringKyushu University
UNSW KYUSHU CYBERSECURITY COLLABORATION WORKSHOP MARCH 28-29, 2016