Promising One-Time Bio-MAC Using Iris Features and ...

Al-Kunooze Scientific Journal ISSN 2706-6231 (Online) , ISSN 2706-6223 (Print)

Vol.(1)(1). August2019 http://journals.kunoozu.edu.iq/1/issue/4/articles

Promising One-Time Bio-MAC Using Iris Features and Duplicate Steganography in Cloud Computing

Zaid Ameen Abduljabbar 1,2, Mohammed Abdulridha Hussain 1,2, Ali A. Yassin 1,2, Ayad Ibrahim 1, Mustafa Salah Khalifa 1, Zaid Alaa Hussien 3

1 University of Basrah, College of Education for Pure Sciences, Basrah, Iraq.
2 Al-Kinoouze University College, Technical Computer Engineering Dept.
3 Southern Technical University, Basrah, Iraq.

Corresponding author: [email protected]

Abstract

Cloud computing is the promising revolution in the field of information technology for both the research community and leading companies. However, it faces various security issues. Authentication and integrity are critical issues in the data security field, and considerable interest has been raised in detecting or guarding against any tampering with data exchanged between sender and receiver within the cloud environment. Many methods in this field can be powerless against known modification and malicious attacks. A powerful method is therefore needed to prevent any modification or manipulation of data during transmission. In this paper, we propose a new message authentication code (MAC) based on combining feature extraction of the user’s iris with duplicate steganography based on the discrete wavelet transform. The combination preserves the integrity of the user’s message and prevents malicious attacks such as insider, forgery and replay attacks. Our proposed scheme enjoys several important security attributes, such as bio-key management, a user’s one-time bio-key, phase key agreement, robust message anonymity, data integrity for a user’s message, duplicate steganography and a one-time MAC for each user’s session. Finally, our security analysis and experimental results demonstrate and prove the invulnerability and efficiency of our proposed scheme.

Keywords: Cloud Computing; Iris; Duplicate Steganography; One-Time Bio-key; One-Time Message Authentication Code; MAC.

The Future of Using a One-Time Bio-MAC with Iris Features and Duplicate Steganography in Cloud Computing

Abstract

Cloud computing is the promising revolution in the field of information technology for both the research community and leading companies. However, it faces various problems as far as security issues are concerned. Authentication and integrity are considered an important problem in the field of data security, and various concerns have been raised about detecting or guarding against any tampering with the exchange of data between senders and a receiver within the cloud environment. Many methods in this field can be powerless against known modification and malicious attacks. A strong method is therefore needed to prevent any modification or manipulation of data during transmission. In this paper, we propose a new message authentication code (MAC) based on combining feature extraction of the user's iris with duplicate steganography. The result of the combination is to preserve the integrity of the user's message and to prevent malicious attacks such as insider, forgery and replay attacks. Our proposed scheme enjoys many important security attributes, such as bio-key management, the one-time bio-key, phase key agreement, strong message anonymity, data integrity for the user's message, duplicate steganography, and a one-time code for each user's session. Finally, our security analysis and experimental results show and prove the invulnerability and efficiency of our proposed scheme.

Keywords: Cloud computing; iris; duplicate steganography; one-time bio-key; one-time message authentication code; MAC.

I. INTRODUCTION

In recent years a huge volume of many different types of data has been transferred over the Internet as a result of the rapid growth of modern information digitalization techniques such as cloud computing [1]. Text is one of the most significant and most widely used media for transmitting data, along with image, audio, and video. Cloud computing is generally regarded as the next generation’s computing infrastructure and as an effective way of enabling users to utilize a large volume of resources and of providing an efficient and readily available on-demand service [2]. However, cloud computing faces many security challenges, as seen in the IDC’s statistics [3]. Its successful deployment depends on the existence of strong security techniques. Because messages must be protected when two parties communicate within the cloud environment, efficient and robust automatic methods are required to identify and validate the contents of text messages. In other words, the protection of messages against malicious attacks such as replay, forgery and insider attacks is one of the most important security issues in fields such as cloud computing and green computing. The issues of message authentication and integrity have been addressed as urgent matters, and many achievements have been presented by researchers in recent years [1, 4-10]. A common way of preventing the manipulation of messages during transmission between two endpoints is the use of cryptographic one-way hash functions [4-10].

Unfortunately, MAC research has some drawbacks, which are described in more detail in the Related Works section. The major drawback of a MAC is that it does not appear capable of ensuring the high level of security required when it is used alone as a pure MAC. For this reason, Zhenxing Liu et al. [9] integrated the MAC with a timestamp factor. This allows the hashed value to be changed once and every user’s message to be used one time.

The above problems can be overcome by combining more powerful assurance factors with the MAC. Thus, in this paper, we propose an efficient and secure scheme for protecting text from being manipulated or tampered with during transmission between users in the cloud environment. The algorithm integrates a biometric technique, which uses robust iris features extracted with a 2-D Gabor filter after an intersection between the sender’s iris and the receiver’s iris, a crypto-hash function, and double steganography. These are used together to protect the user’s message from being modified. The MAC is thus generated through the combination of these robust features to make it more resistant to malicious attacks such as insider attacks. Thereafter, the one-time bio-hashed value is hidden in a cover image using duplicate steganography. We prove that our proposed scheme keeps these attributes based on the one-time bio-key management assumption, duplicate steganography, and the anonymous message code for messages exchanged between sender and receiver. Our proposed scheme is a well-structured procedure with respect to various queries and requires regular verification to decrease the audit costs per verification phase. Also, our paper provides integrity in terms of cloud security, which involves high-ranking and pressing issues related to cloud computing, as mentioned in IDC’s statistics [3].

The main contributions of our scheme to the cloud environment in general, and to message authentication and integrity in particular, are: (1) Our proposed scheme addresses all the previous weaknesses, creating a new robust message authentication scheme that uses robust feature extraction from shared biometric iris information, cryptography in the form of a one-way hash function, and duplicate steganography to protect a message's integrity and authentication. (2) Both service providers and users can achieve robust authenticated phase keys. (3) It is computationally efficient and integrates simply with the available infrastructure. (4) Our scheme is very effective against many attacks, such as replay attacks, insider attacks and reflection attacks. (5) The main idea behind our efficient scheme has been to find the best choice of parameter value to reduce the computational cost of cloud audit services.

This paper is organized as follows. Section II describes in depth the most significant and widespread text authentication solutions and compares them with our scheme. Section III reviews the preliminary concepts underlying our proposed scheme, while in Section IV we describe the proposed scheme in terms of both its configuration phase and its verification phase. Section V contains a security analysis with respect to well-known attacks. In Section VI the implementation and performance are described. Finally, Section VII concludes the paper.

II. RELATED WORKS

Previously, various authors have proposed different message authentication code (MAC) schemes to provide authentication and integrity for transmitted messages. The concept of message anonymity was presented by N. Rabadi and S. Mahmud [4], who proposed a vehicle-to-vehicle message authentication protocol using a MAC to provide anonymity, authentication and message integrity. The concept of hash MAC anonymity depends on the timestamp, which is a one-time factor used to generate an anonymous message. The authors proved that the processing time for a MAC is less than that for a digital signature. However, this scheme suffers from additional cost, because it requires an extra tamper-resistant hardware device on each vehicle to store its ID and the shared symmetric secret. Moreover, the security analysis of the proposed protocol is not discussed, so it is not clear whether the proposed approach can preserve authentication and integrity against various attacks.

We present a robust scheme here to overcome these problems using the cloud environment and iris biometrics. Our work uses the CSP and RSA to establish phase key agreement between users, and it uses a one-time bio-key to generate robust message anonymity. Moreover, it does not need an extra tamper-resistant device, because the iris biometric is more distinctive (each user's iris is unique from eye to eye) and more secure (e.g. much harder to steal), and duplicate steganography is used to hide the bio-MAC.

Three years later the same concept was presented by Zhenxing Liu et al. [5], who suggested a hash-based secure interface between two entities over the Internet which uses a one-time shared private key, a public hash function, a timestamp and a validity period to generate one-time message anonymity. The weakness of this scheme is that the authors only briefly discussed the security analysis. It is also not clear which types of attacker it could withstand. The idea of integrating the function of a smart card with a one-way hash function was presented by Zi-ming Zhao et al. [6], who proposed an efficient user-to-user authentication scheme in a peer-to-peer environment. In spite of using a public key infrastructure, the authors used first a one-way hash function and second a smart card to provide a scheme with strong security and minimal computational cost. The drawback of a smart card is that it is a complex device, and that a card reader would need to be added at extra cost. It also requires an additional middleware application to match the smart card to communication standards. Our work overcomes this drawback by using iris biometric features, where the user’s iris data is taken only once and can be used for the following valid user logins. Moreover, a smart card could be stolen or lost, while in our scheme no sender can guess or steal the iris of the receiver and vice versa, because we use a bio-shared image, which is generated from the intersection between the sender’s iris and the receiver’s iris.

Another idea for a one-time key was introduced by Castiglione A. et al. [7], who proposed a robust one-time authentication protocol based on two cryptographically strong building blocks, an authenticated key exchange and a keyed Hash Message Authentication Code (HMAC) between two endpoints. This enables transparent mutual authentication between two endpoints. Moreover, the Key Setup, Key Scheduling and Key Update operations are accomplished independently by both endpoints. This scheme therefore suffers from complexity, since more operations are required (Key Setup, Key Scheduling and Key Update). In particular, our scheme presents a one-time authentication scheme using a one-time key and random numbers, in which the MAC is valid for only one user login, and it strikes a good balance between simplicity and security. Moreover, our scheme is more robust in that it integrates an iris biometric key with a keyed-hash function, which provides robust message anonymity.

The concept of a biometric key was proposed by Al-Assam, H. et al. [8], who suggested a scheme that combines steganography with biometric cryptosystems to ensure robust remote mutual authentication between two parties as well as a key exchange that facilitates one-time stego-keys. The aim of this scheme was to hide the one-time bio-key while it is transferred over an insecure channel and to prevent replay attacks. The weakness of this approach is that the steganography technique requires more computational cost. Our scheme overcomes this issue by sending the start point and the end point of the iris feature vector between sender and receiver, instead of sending an explicit key between them, so that the steganography is not required. Moreover, in our design, since the sender and receiver share information about their irises in the form of the bio-shared image, this offers mutual authentication and establishes a trusting relationship between them. Thus the user will be able to tell whether or not the message is coming from an authentic user. Recently, Z. A. Abduljabbar [9] introduced the idea of a one-time biometric MAC based on a one-time biometric key extracted from a manual signature. In contrast, we generate the one-time biometric key from the characteristics of the iris, which is more powerful than the manual signature. In addition, both the one-time bio-key and the bio-MAC are hidden in a duplicated manner based on the DWT.

In [10], Jin Xu et al. present an efficient One-Key Carter-Wegman Message Authentication Code called a One-key Galois Message Authentication Code (OGMAC). This scheme uses one key and a universal hash function, instead of two keys. Moreover, our scheme is made more robust by embedding the iris features with a cryptographic one-way hash function along with duplicate steganography to provide simplicity and security.

Unfortunately, most of the above schemes have several drawbacks. In our design we propose a new text authentication approach that generates a secure and robust hash function depending on features extracted from both the sender’s and the receiver’s irises (the bio-shared image). Firstly, the features are extracted from the bio-shared image using a 2D Gabor filter to construct a wide-range 1024-D feature vector. Secondly, the one-time bio-key is generated and integrated with a cryptographic hash function to generate a secure one-time biometric anonymous message code. Thirdly, this bio-MAC is safely protected by duplicate steganography. Finally, message integrity is checked at the receiver in the verification phase. Furthermore, our scheme combines many security features, including extraction of the user’s iris features, a one-time bio-key for each user login, which is extracted from a wide range of iris features, robust message anonymity through the use of a salt-key $Sk$ and random numbers, phase key agreement, and a one-time message key for each user login. These characteristics can protect messages from being modified. The security analysis and experimental results show that our scheme is robust, secure and efficient in terms of the low processing time needed to generate and verify MACs. The security features are shown in Table I, and we present a comparison of security properties in Table II.

Table I. Security Features

| Feature | Definition |
|---|---|
| C1 | A one-time key is generated once when the valid user wants to submit a message. |
| C2 | The bio-key is extracted from iris features by using a 2-D Gabor filter. |
| C3 | The MAC of the user’s message is secure when he performs the login phase to send a message to another user, since the resulting MAC is unknown owing to the one-time bio-key and random numbers. |
| C4 | Phase key agreement is established between sender and receiver via the CSP and RSA techniques. They can use this key in the following user logins. |
| C5 | Sender and receiver can authenticate each other by using the bio-shared image, which contains shared information from the sender’s iris and the receiver’s iris. |
| C6 | A one-time bio-key is extracted from the shared bio-image for transmitting messages between sender and receiver. |
| C7 | The RSA asymmetric encryption/decryption approach provides a secure channel during the configuration phase. |
| C8 | Messages are transmitted between sender and receiver over the cloud environment. |
| C9 | Duplicate steganography is used to hide the one-time biometric MAC. |

Table II. Comparison of Authentication Schemes

| Feature | Our Scheme | N. Rabadi and S. Mahmud [4] | Zhenxing Liu et al. [5] | Zi-ming Zhao et al. [6] | Castiglione A. et al. [7] | Al-Assam, H. et al. [8] | Abduljabbar Z. A. [9] |
|---|---|---|---|---|---|---|---|
| C1 | Yes | No | Yes | No | Yes | Yes | Yes |
| C2 | Yes | No | Yes | No | No | Yes | Yes |
| C3 | Yes | Yes | Yes | No | No | No | Yes |
| C4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| C5 | Yes | Yes | No | Yes | Yes | Yes | Yes |
| C6 | Yes | No | No | No | No | Yes | Yes |
| C7 | Yes | No | No | No | No | No | Yes |
| C8 | Yes | No | Yes | No | No | No | Yes |
| C9 | Yes | No | No | No | No | No | No |

C1: One-time key; C2: Bio-key; C3: One-time message anonymity; C4: Session key agreement; C5: Mutual authentication between two parties; C6: Biometrics key management; C7: Secure channel; C8: Cloud environment; C9: Duplicate steganography

III. PRELIMINARIES AND REQUIREMENTS

A. RSA

This scheme was proposed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman. The security of RSA is based on the difficulty of factoring large numbers. However, it is several times slower than others such as AES and elliptic curves. Therefore, it is used to encrypt pieces of data, for example to encrypt keys to be transmitted between two entities over an insecure channel [11]. Thus, in our work the RSA concept of public-key and private-key cryptography is used to securely distribute the sender’s iris, the receiver’s iris and a shared key among the sender, receiver and cloud service provider, for use in the registration phase and the verification phase over an insecure communication channel.

B. Features extraction of iris

Iris recognition is one of the most promising approaches because the iris has its own patterns from eye to eye and individual to individual, which leads to uniqueness, stability, and noninvasiveness [12]. The bio-key in our proposed scheme is generated from iris features. A 2-D Gabor filter is applied in our scheme to extract features from normalized irises to construct a bio-key, which is used to generate a message authentication key. Many researchers have proposed diverse methods to extract the significant features from the normalized iris. A Gabor filter is often used for iris recognition [12]. Daugman [13] uses a 2D Gabor filter, and S. Hariprasath [14] also adopts a 2D Gabor filter in his work. Gabor filters have a Gaussian shape in both the spatial and frequency domains. For this reason, they are stable under several transformations, including translation, rotation, and scaling. Their noise tolerance is also remarkable. This robustness makes Gabor filters appealing for object recognition, and they are therefore widely used to extract features from an iris image in iris recognition systems [14].

For this reason, a Gabor filter is used in our scheme to extract data from the normalized iris data, and we use the preprocessing method described in [14] for localizing and normalizing the iris. We also define a region of interest (ROI) as defined in [15]. We then normalize the ROI into a rectangular block of 256 × 64 pixels (as shown in Figure 1).

Figure 1. Preprocessing of iris

A set of 2-D real Gabor filters with various orientations ($\theta = 0^\circ, 45^\circ, 90^\circ$ and $135^\circ$) is used to filter the normalized iris image. Some examples of the filtered images are shown in Figure 2. Each filtered image is then equally divided into 16×16 blocks, and the mean of each block is computed. Thus, we obtain 16×16×4 = 1024 values from an iris image. After normalizing each value to an integer in the range [0, 1024], the outcome is a 1024-D feature vector:

$V = (X_1, X_2, X_3, X_4, \ldots, X_{1024})$

C. Hash Functions

SHA Family: The Secure Hash Algorithm is a family of cryptographic hash functions issued by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-0 is the original version of the 160-bit hash function, issued in 1993 under the name ‘SHA’. It was replaced shortly after it was issued by the slightly revised version SHA-1, which was issued by NIST in 1995 as a Federal Information Processing Standard [20] as a new and more robust function to be used in cryptographic applications. SHA-1 uses the same design as MD5. It works on 512-bit blocks and generates digests of 160 bits (20 bytes). SHA-1 has been applied by many governments in order to enforce industry security standards. It is considerably sturdier against malicious attacks [33, 34]. Another family of hash functions was presented by the NSA. It consists of two closely related hash functions with different block sizes, known as SHA-256 and SHA-512. The word sizes also differ: SHA-256 uses 32-bit words, whereas SHA-512 uses 64-bit words. There are also truncated versions of each standard, known as SHA-224 and SHA-384 [16].

Figure 2. Images filtered by the 2-D real Gabor filter

IV. OUR PROPOSED SCHEME

Our proposed scheme is composed of two phases, the configuration phase and the verification phase. The configuration phase is performed only once; in it, a bio-shared image and a shared key are received by both the sender and the receiver. The verification phase is invoked every time a user wants to send an authenticated message to another user. In the configuration phase, the main components (cloud service provider, sender and receiver) use RSA, a cryptographic hash function $h(\cdot)$ and symmetric key encryption/decryption $Enc(\cdot)/Dec(\cdot)$. It is important to emphasize that they only need to run RSA for secure data transmission among $CSP$, $S$ and $R$ over an insecure channel. Such an operation is necessary only for the configuration phase and not for the later ones, so the $CSP$ is not needed at run time. The configuration phase performs the following steps:

The RSA algorithm is run by $CSP$, $S$ and $R$ to generate the public keys and private keys that will be used to secure the irises transmitted from the sender and receiver to the $CSP$. Then the $CSP$ sends its public key $PU_{CSP}$ to both the sender ($S$) and the receiver ($R$), who encrypt their irises ($IR_s$, $IR_r$) and return them to the $CSP$.

Upon receiving the encrypted ($IR_s$, $IR_r$), the $CSP$ decrypts the received irises using its private key $PR_{CSP}$, saves ($IR_s$, $IR_r$), generates a bio-shared image by intersection ($Sh = IR_s \cap IR_r$) and computes a shared key $Shk = FX(Sh)$ as shown in Figure 4, where $FX$ refers to a feature extraction function that employs a 2-D Gabor filter to extract features from the normalized iris data.

Having done this, the $CSP$ encrypts ($Sh$, $Shk$) using ($PU_S$, $PU_R$) and transmits them to the sender and receiver respectively. Finally, the sender and receiver each decrypt the received ($Sh$, $Shk$) using their private keys ($PR_S$, $PR_R$). After the configuration phase, the sender/receiver can use his or her bio-shared image to extract features, and then generate a one-time anonymous key and a bio-key for completing the verification phase.

The verification phase is described as follows.

1. $S \rightarrow R: M, M', I_i', E', P$. $S$ performs the following steps:

Assume the sender’s message is $M$.

Generate a one-time salt-key $Sk = FX(Sh) \rightarrow I_i, E$, where $FX$ represents a function to compute feature extraction, and $I_i$ and $E$ are the start point and end point of the extracted features. Both $I_i$ and $E$ are selected randomly once. The $E$ parameter must not exceed the length of the feature vector, which is 1024.

Generate a random number $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$ and compute a one-time anonymous message code (if the sender resends the same message to the receiver or vice versa) $M' = h(M \| Sk \| r_i)$.

Compute $I_i' = I_i \oplus Shk$ and $E' = E \oplus I_i$.

$I_i'$ and $E'$ can be stored separately in the cover image.

Embed $M'$ into the cover image using the duplicate steganography mechanism [17].

Send $M$ and the cover image, which contains ($M'$, $I_i'$ and $E'$), to $R$.

2. $R$ checks the integrity of the received message as follows:

$I_i'$ and $E'$ can be extracted from the cover image separately.

Compute $I_i'' = I_i' \oplus Shk$ and $E'' = E' \oplus I_i''$.

Regenerate $Sk' = FX(Sh(I_i'', E''))$ depending on the start position of the extracted features ($I_i''$) and the end point of the extracted features ($E''$). Extract the random number $r_i' = FX(Sh(P \in (I_i'', E'')))$. Then $R$ computes $M'' = h(M' \| Sk' \| r_i')$; if $M''$ matches $M'$, the receiver is assured of the integrity of the message submitted by the sender. Otherwise, the verification phase terminates.
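
The two verification-phase steps above, as an added Python example that is not the authors' code. It assumes $h$ is SHA-256, that the receiver hashes the received $M$ with the regenerated $Sk'$ and $r_i'$, that $Shk$ is folded to a 16-bit integer so it can be XORed with $I_i$, and that the receiver remembers accepted tags to enforce one-time use. A constructed 1024-value vector stands in for $FX(Sh)$, and the cover-image embedding is left out, so the packet fields are passed directly.

```python
import hashlib
import hmac
import secrets

VECTOR_LEN = 1024  # length of the page's feature vector V


def constructed_features(seed: bytes) -> list:
    """Constructed stand-in for FX(Sh): 1024 integers in [0, 1024]."""
    values, counter = [], 0
    while len(values) < VECTOR_LEN:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        values += [int.from_bytes(block[i:i + 2], "big") % 1025
                   for i in range(0, len(block), 2)]
        counter += 1
    return values[:VECTOR_LEN]


def encode(values) -> bytes:
    """Serialize feature values as fixed-width 2-byte integers."""
    return b"".join(v.to_bytes(2, "big") for v in values)


def shared_key(features) -> int:
    """Assumption: Shk is a 16-bit integer derived from the feature vector."""
    return int.from_bytes(hashlib.sha256(encode(features)).digest()[:2], "big")


def pick_points(rng=None):
    """Choose Ii < E <= 1024 and a position P inside [Ii, E) at random."""
    rng = rng or secrets.SystemRandom()
    start = rng.randrange(0, VECTOR_LEN)
    end = rng.randrange(start + 1, VECTOR_LEN + 1)
    return start, end, rng.randrange(start, end)


def bio_mac(message: bytes, features, start: int, end: int, pos: int) -> bytes:
    """M' = h(M || Sk || ri) with Sk = features[Ii:E] and ri = features[P]."""
    sk = encode(features[start:end])
    ri = encode([features[pos]])
    return hashlib.sha256(message + sk + ri).digest()


def sender_packet(message, features, shk, start, end, pos) -> dict:
    """Step 1: build (M, M', Ii', E', P) with Ii' = Ii xor Shk, E' = E xor Ii."""
    return {"M": message,
            "tag": bio_mac(message, features, start, end, pos),
            "Ii_masked": start ^ shk,
            "E_masked": end ^ start,
            "P": pos}


class Receiver:
    def __init__(self, features, shk):
        self.features, self.shk = features, shk
        self.accepted = set()  # assumption: tags that were already accepted

    def verify(self, packet) -> bool:
        """Step 2: unmask Ii'' and E'', rebuild Sk' and ri', compare tags."""
        start = packet["Ii_masked"] ^ self.shk   # Ii''
        end = packet["E_masked"] ^ start         # E''
        pos = packet["P"]
        # Reject points that fall outside the 1024-value vector.
        if not (0 <= start < end <= VECTOR_LEN and start <= pos < end):
            return False
        expected = bio_mac(packet["M"], self.features, start, end, pos)
        if not hmac.compare_digest(expected, packet["tag"]):
            return False
        if expected in self.accepted:
            return False  # the same one-time tag was presented again
        self.accepted.add(expected)
        return True


if __name__ == "__main__":
    feats = constructed_features(b"constructed bio-shared image")
    shk = shared_key(feats)
    rx = Receiver(feats, shk)
    for _ in range(2):  # same message, fresh points each time
        pkt = sender_packet(b"Zaid Ameen", feats, shk, *pick_points())
        print(pkt["tag"].hex(), rx.verify(pkt))
```

Running it prints two different tags for the same message, which is the behaviour Table III illustrates.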

V. SECURITY ANALYSIS

Here, we argue that the proposed scheme can withstand several threats to security, such as replay attacks and insider attacks. Our proposed scheme has a number of merits: it contains a one-time bio-key, a one-time anonymous message code, key agreement, and duplicate steganography.

Theorem 1. Our proposed scheme can provide robust user message anonymity.

Proof. Assume a sender/receiver attempts to resend a message that has been sent previously. If an adversary tries to eavesdrop on the sender’s login request ($M$, $M'$, $I_i'$, $E'$, $P$), he cannot reuse the sender’s message authentication code ($M' = h(M \| Sk \| r_i)$), because the sender generates $r_i$ and $Sk$ once for each request. Both $r_i$ and $Sk$ are extracted from the intersection of the receiver’s iris and the sender’s iris: $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$; $Sk = FX(Sh) \rightarrow I_i, E$; $Sh = IR_s \cap IR_r$, where $FX$ is a function that computes feature extraction, and $I_i$ and $E$ are the start and end points of the extracted features. Both $I_i$ and $E$ are selected randomly once. Additionally, an adversary does not have the main keys ($Sh$, $I_i'$, $E'$, $P$) needed to compute the crypto hash function $M'$. Hence, it is much harder for an adversary to disclose the sender’s message authentication code. Clearly, our proposed scheme can support users’ message anonymity (see Table III).

Table III. Explanation of message anonymity

| Message | MAC |
|---|---|
| Zaid Ameen | 51a113eaf788ab2f5bc8eeef6c97329daec6897e |
| Zaid Ameen | 729d17aa029c59c0da60373ceb306695dbf238dd |

Theorem 2. Our proposed scheme can provide a biometric message authentication code.

Proof. A biometric operator can identify a person by means of particular physiological features, as in iris recognition. The iris is the most effective form of security used in biometrics and can overcome well-known attacks. In the configuration phase, the sender ($S$) and receiver ($R$) send their irises ($IR_s$, $IR_r$) to the $CSP$ through a secure channel. Then the $CSP$ saves ($IR_s$, $IR_r$), generates a bio-shared image ($Sh = IR_s \cap IR_r$) and sends $Sh$ to the sender and receiver. During the verification phase, when the sender or receiver wishes to send a message to the other, a biometric message authentication code $M' = h(M \| Sk \| r_i)$ must be generated, based on the salt-key $Sk = FX(Sh) \rightarrow I_i, E$ and a random number $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$. Clearly, our proposed scheme can support biometric message authentication codes.

Theorem 3. Our proposed scheme can provide biometric-key management.

Proof. In our proposed scheme, when the sender sends a message (𝑀) to the receiver or vice versa, a secret salt-key 𝑆𝑘 = 𝐹𝑋(𝑆ℎ) → 𝐼𝑖, 𝐸 is used to compute 𝑀′ = ℎ(𝑀||𝑆𝑘||𝑟𝑖). Additionally, the mechanism of computing 𝑆𝑘 is based on (𝐼𝑖, 𝐸), where 𝐼𝑖 is the start point of the extracted features and 𝐸 is the end point of the extracted features. Both 𝐼𝑖 and 𝐸 are selected randomly, one time, and concealed in the cover image using duplicate steganography. As a result, an attacker cannot access the session keys, and so is still unable to obtain the main operators (𝑆𝑘, 𝑆ℎ) that were generated in the configuration phase by the CSP, or (𝐼𝑖, 𝐸, 𝑃), which were generated in the verification phase by the sender. Therefore, our work supports biometric-key management.

Theorem 4. Our scheme can prevent a replay attack.

Proof. An attacker performs a replay attack by eavesdropping on the login message sent by a rightful sender to the receiver. Once the exchange between sender and receiver is over, the attacker reuses this message to impersonate the valid user after he logs off the system. In our proposed scheme, each new sender's login request should be identical with the CSP's keys 𝑆ℎ, 𝑆ℎ𝑘, 𝐼𝑅𝑠, 𝐼𝑅𝑟. Therefore, an adversary cannot pass any replayed message through the receiver's verification. As a result, an adversary fails to apply this type of attack, and our proposed scheme is much harder to attack by replay.

Theorem 5. Our scheme can prevent a forgery attack or a parallel-session attack.

Proof. If an adversary attempts impersonation, a valid session message (𝑀, 𝑀′, 𝐼𝑖′, 𝐸′, 𝑃) can be accessed by using the secret parameters 𝑆ℎ, 𝑆𝑘, 𝑆ℎ𝑘, 𝑟𝑖, 𝐼𝑖, 𝐸, 𝑃. An adversary does not have any information about 𝑆ℎ, 𝑆ℎ𝑘, 𝐼𝑅𝑠, 𝐼𝑅𝑟 with which to compute (𝑀′, 𝐼𝑖′, 𝐸′, 𝑃). Consequently, an adversary will fail to forge a valid session message and therefore cannot mount a forgery attack. Our proposed scheme can thus prevent forgery attacks.
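The following Python example is added here and is not code from the paper: it models 𝑀′ = ℎ(𝑀||𝑆𝑘||𝑟𝑖) from Theorems 1, 4 and 5, with fresh (𝐼𝑖, 𝐸, 𝑃) chosen for every request, so the same message yields a different MAC each time, as in Table III. Assumptions: the feature bytes are constructed, ℎ is SHA-256, 𝐼𝑖, 𝐸 and 𝑃 travel in the clear (the duplicate-steganography step is omitted), and the receiver's range check and seen-parameter set are additions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for FX(Sh): feature bytes both parties extract from the
# shared iris image Sh = IRs ∩ IRr (real iris feature extraction is omitted).
FEATURES = hashlib.shake_256(b"constructed shared iris image").digest(256)
MIN_LEN = 16  # assumed minimum salt-key length in bytes


def derive(features, start, end, pos):
    """Sk = features between Ii and E; ri = the feature byte at offset P in Sk."""
    sk = features[start:end]
    return sk, sk[pos:pos + 1]


def bio_mac(message, sk, ri):
    """M' = h(M || Sk || ri), with h assumed to be SHA-256."""
    return hashlib.sha256(message + sk + ri).hexdigest()


def send(message, features=FEATURES):
    """Sender: choose fresh random Ii, E, P for this request and compute M'."""
    start = secrets.randbelow(len(features) - MIN_LEN)
    end = start + MIN_LEN + secrets.randbelow(len(features) - start - MIN_LEN + 1)
    pos = secrets.randbelow(end - start)
    sk, ri = derive(features, start, end, pos)
    return {"M": message, "mac": bio_mac(message, sk, ri), "Ii": start, "E": end, "P": pos}


class Receiver:
    def __init__(self, features=FEATURES):
        self.features = features
        self.seen = set()  # (Ii, E, P) tuples already accepted: assumed replay guard

    def verify(self, req):
        start, end, pos = req["Ii"], req["E"], req["P"]
        # Reject out-of-range parameters: an empty Sk would reduce M' to h(M).
        if not (0 <= start and end <= len(self.features) and end - start >= MIN_LEN):
            return False
        if not 0 <= pos < end - start or (start, end, pos) in self.seen:
            return False
        sk, ri = derive(self.features, start, end, pos)
        if not hmac.compare_digest(bio_mac(req["M"], sk, ri), req["mac"]):
            return False
        self.seen.add((start, end, pos))
        return True
```

In this model a replayed request is rejected by the seen-parameter set, since the hash check alone would accept identical values again.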

VI. IMPLEMENTATION AND RESULTS

To evaluate the efficiency and accuracy of our proposed scheme, we executed several experiments. Firstly, Figure 3 shows the processing time of the verification phase. The average time for the verification phase of our scheme is 0.268 seconds per user, which indicates the excellence of our proposed solution. This average time was obtained from 200 runs of our proposed scheme, with each run consisting of 10000 users. Furthermore, the evaluation parameters are shown in Table IV. The time requirement for our proposed scheme is shown in Table V. Secondly, with regard to system efficiency, we study the accuracy of our work. In practical terms, Figure 4 shows that we get 100% accurate results from 10,000 users in our experiment. For greater visibility, we use 2,000 users in Figure 3 and 5,000 users in Figure 4.

Table IV: Evaluation parameters

Symbol    Definition
𝑇𝑅𝑆𝐴      Processing time of RSA.
𝑇ℎ        Processing time of a hash function.
𝑇𝑋𝑜𝑟      Processing time of the Xor function.
𝑇𝑂𝑝𝑟      Processing time of mathematical operations such as multiplication, addition and subtraction.
𝑇||       Processing time of the concatenation function.
𝑇𝑆𝑇       Processing time of duplicate steganography.

Figure 3 shows the performance of our proposed scheme

Table V. Performance of our proposed scheme

Phase          CSP            Sender                                      Receiver
Configuration  𝑇𝑅𝑆𝐴 + 𝑇𝑂𝑝𝑟    𝑇𝑅𝑆𝐴                                        𝑇𝑅𝑆𝐴
Verification   -              4𝑇𝑂𝑝𝑟 + 1𝑇ℎ + 2𝑇|| + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇             2𝑇𝑂𝑝𝑟 + 𝑇ℎ + 2𝑇|| + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇
Total          𝑇𝑅𝑆𝐴 + 𝑇𝑂𝑝𝑟    𝑇𝑅𝑆𝐴 + 4𝑇𝑂𝑝𝑟 + 1𝑇ℎ + 2𝑇|| + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇      𝑇𝑅𝑆𝐴 + 2𝑇𝑂𝑝𝑟 + 𝑇ℎ + 2𝑇|| + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇


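Figure 4 shows the accuracy result of our proposed scheme (accuracy plotted against sender's/receiver's attempts, with one series for the sender and one for the receiver)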

VII. CONCLUSION

Firstly, our paper, as mentioned above, includes a literature review of achievements and weak points related to data integrity and authentication over recent years. Our paper presents a new and efficient biometric message authentication code between users in the cloud computing environment. The method builds on iris biometric feature extraction to generate a symmetric bio-key. The aim behind this scheme is to provide more roles and prevent known attacks. Its substantial aspects and advantages are that, firstly, an adversary may fail to get the keys because they depend on iris feature extraction. Secondly, an adversary may not get the bio-shared image because it depends on the intersection of the sender's and receiver's irises.


Thirdly, it provides a one-time bio-key that leads to one-time message anonymity. Fourthly, it provides biometric key management. Fifthly, authentication is linked to the user's biometric. Additionally, the proposed scheme has the ability to resist replay attacks and forgery attacks, as shown in the security analysis section. Finally, the performance of our presented scheme has been shown to achieve robust security with minimal processing time, and its cost compares with that of predecessors' schemes. We can conclude that the integration of the shared iris biometric features of two endpoints, the cryptographic one-way hash function, and duplicate steganography is secure enough to prevent the message from being modified while it is transferred between users. Furthermore, this technique can be used to maintain the authentication of the transferred message, verify the integrity of the received message, and prove the origin of the sender. Overall, our scheme provides simplicity of use and security.

Acknowledgements

This article is an extended version of our paper entitled "An efficient and robust one-time message authentication code scheme using feature extraction of iris in cloud computing", published in the 2014 IEEE International Conference on Cloud Computing and Internet of Things (IEEE CCIOT 2014), Changchun, China, 13-14 Dec. 2014.
