Digital Signature using Biometrics

Novel Biometric Digital Signature System for Electronic Commerce Applications by

Pawan Kumar Janbandhu

School of Electrical and Electronic Engineering

A thesis submitted to the Nanyang Technological University in fulfillment of the requirement for the degree of Master of Engineering 2002

Acknowledgements

I am thankful to Dr. M. Y. Siyal for his guidance and support throughout this research. I would like to thank all the research students and staff members working in Information Systems Research Laboratory for their timely help whenever required.

I am also thankful to Ronald Rivest for suggesting to me methods to generate a cryptographic key of the desired length from a biometric template of any size, and to John Daugman for his helpful email replies pertaining to iris recognition.

Pawan Kumar Janbandhu


Statement of Originality

I hereby certify that the work embodied in this thesis is the result of original research done by me and has not been submitted for a higher degree to any other University or Institute.

Date

Pawan Kumar Janbandhu

Summary

Personal identification numbers (PINs), passwords, smart cards and digital certificates are some of the means employed for user authorization in various electronic commerce applications. However, these means do not really identify a person, but only knowledge of some data or possession of some object. This thesis introduces the notion of the Biometric Signature: a new approach to digitally signing a document in which the digital signature key is generated from a biometric, thus combining the advantages of Public Key Infrastructure, PKI (integrity, confidentiality, authentication and non-repudiation), and of biometrics (exact identification of the user rather than of his belongings, like computers, smartcards and tokens, or of what he remembers, like passwords and PINs).

The proposed Biometric Signatures address the following objectives.

1. Allow accurate personal identification of the individual who creates a digital signature.

2. Resolve the key management issue in PKI by providing a more secure solution for protecting private keys with minimum storage requirement.

3. Avoid biometric template storage or transmission to anyone, thus preventing misuse of the biometric template by the communicating party for user authentication, and permit the generation of multiple passwords from the same biometric template.

The proposed Biometric Signatures are secure, efficacious, faster, convenient, non-invasive and correctly identify the maker of the transaction. The contributions of the thesis include:

1. investigation of PKI and biometric technology;

2. denomination of the proposed biometric-PKI system as Biometric Signatures;

3. investigation of iris and DNA as biometrics for Biometric Signatures, since both are unique, highly accurate and stable over one's lifetime;

4. integration of iris templates with two existing and widely used digital signature algorithms, RSA and DSA, for Biometric Signatures, and investigation of the problems associated with each of them;

5. suggestion of the modifications required in the key generation process for Biometric Signatures using RSA and DSA, to facilitate certificate renewal without forfeiting the use of the biometric forever and to fortify the security of the biometric template in case of a security breach;

6. discussion of JAVA implementation results for Biometric Signatures using both approaches, with and without modifications.


Contents

Acknowledgements
Summary
List of Figures
List of Tables
List of Abbreviations

1 Introduction
  1.1 Internet Security
  1.2 Basic Requirements for Secure Internet based Commercial Applications
  1.3 Motivation
    1.3.1 Problems with PKI and Biometrics
  1.4 Scope and Objectives
  1.5 Major Contributions of the Thesis
  1.6 Organization of the Thesis

2 Literature Review: PKI and Biometrics
  2.1 Background
  2.2 Public Key Infrastructure (PKI)
    2.2.1 Encryption and Decryption
    2.2.2 Symmetric Key Cryptography
      2.2.2.1 DES
      2.2.2.2 AES
    2.2.3 Asymmetric Key Cryptography
    2.2.4 Block and Stream Ciphers
    2.2.5 Key Length and Encryption Strength
    2.2.6 Block Chaining
    2.2.7 Message Digest algorithms
    2.2.8 Digital Signatures
    2.2.9 Diffie-Hellman key-agreement algorithm
    2.2.10 Digital Certificates
      2.2.10.1 Types of Digital Certificates
      2.2.10.2 X.509 Digital Certificate
    2.2.11 Trust in PKI
    2.2.12 Certificate Management
      2.2.12.1 Certificate Issuance
      2.2.12.2 Key Management
      2.2.12.3 Certificate Status, Revocation and Renewal
      2.2.12.4 Registration Authorities
    2.2.13 PKCS Standards
    2.2.14 SSL
    2.2.15 SET
    2.2.16 Pretty Good Privacy
    2.2.17 Virtual Private Networks
    2.2.18 Need of Biometrics in Electronic Commerce
  2.3 Biometrics
    2.3.1 Description of various biometric technologies
      2.3.1.1 Finger-scan
      2.3.1.2 Fingerprints vs. Finger-scans
      2.3.1.3 Facial-scan
      2.3.1.4 Voice-scan
      2.3.1.5 Iris-scan
      2.3.1.6 Retina-scan
      2.3.1.7 Hand-scan
      2.3.1.8 Signature-scan
      2.3.1.9 Keystroke-scan
    2.3.2 Biometric Template
    2.3.3 Identification and Verification
    2.3.4 Biometrics based user authentication system
    2.3.5 Accuracy of a biometric
  2.4 Summary

3 Proposed Novel Biometric Digital Signature System
  3.1 Background
  3.2 Biometric Signature: Digital Signature using Biometrics
    3.2.1 Selection of Biometric for Biometric Signatures
    3.2.2 Iris Recognition: Emerging biometric technique
      3.2.2.1 Accuracy and Speed of Iris Recognition System
      3.2.2.2 Integrating Iris Recognition with Electronic Commerce Applications
    3.2.3 Human Genome – DNA
      3.2.3.1 DNA Template Preparation Systems
  3.3 Biometric Signature using RSA algorithm
  3.4 Biometric Signature using Digital Signature Algorithm (DSA)
  3.5 Role of Hash Functions for Biometric Signatures
    3.5.1 MD5
    3.5.2 Secure Hash Algorithm (SHA1)
    3.5.4 Security of MD5 and SHA1
  3.6 Security of Biometric Signatures, Certificate Revocation and Renewal
  3.7 Summary

4 Modified Private Key Generation for Biometric Signatures
  4.1 Background
  4.2 Modified Private Key Generation for Biometric Signatures using RSA
    4.2.1 Description of Hashed Message Authentication Code (HMAC)
      4.2.1.1 Security of HMAC
  4.3 Modified Private Key Generation for Biometric Signatures using DSA
  4.4 Role of random number, R in generating Biometric Signatures
  4.5 Storage Requirement for Biometric Signatures
    4.5.1 Storage requirement for Biometric Signatures using RSA Algorithm
    4.5.2 Storage requirement for Biometric Signatures using DSA algorithm
  4.6 Overall Security of Biometric Signatures
  4.7 Problems in Implementing Biometrics for Practical Purposes
  4.8 Summary

5 Results and Discussion
  5.1 Background
  5.2 JAVA Implementation and Computation Platform
  5.3 Implementation - Part I: Biometric Signatures without Modifications
    5.3.1 Discussion of Experimental Results
  5.4 Implementation - Part II: Biometric Signatures with Modifications
    5.4.1 Discussion of Experimental Results
  5.5 Implementation - Part III: Comparative Key Generation speeds for various biometrics
    5.5.1 Discussion of Experimental Results
  5.6 Summary

6 Conclusion and Recommendations
  6.1 Review
  6.2 Merits of the Proposed Biometric Digital Signature System
  6.3 Future Work Recommendations

Author's Publications
Bibliography

A JAVA Implementation Notes

B Sample Program Outputs of Java Implementation of Biometric Signatures
  B.1 Biometric Signature using DSAwithSHA1 with 1024 bit modulus length (with modifications)
  B.2 Biometric Signature using RSAwithSHA1 with 4096 bit modulus length (without modifications)

List of Figures

2.1 Symmetric Key Cryptography
2.2 Asymmetric Key Cryptography
2.3 Digital Signature
2.4 Digital Certificate
2.5 X.509 Digital Certificate
2.6 Certificate chain
2.7 PKI architecture
2.8 Biometric based user authentication system
2.9 FAR and FRR relationship for iris recognition
3.1 Anatomy of human eye
3.2 A human iris and its Iriscode™
3.3 Basic structure of human DNA
3.4 Biometric Signature using RSA algorithm
3.5 Biometric Signature using DSA
4.1 Modified private key generation for Biometric Signatures using RSA
4.2 Modified private key generation for Biometric Signatures using DSA

List of Tables

2.1 Average template size for various biometric technologies
5.1 Biometric Signature speeds using RSA algorithm for different modulus lengths with a 512 byte decryption exponent, d
5.2 Biometric Signature speeds using DSA for different modulus lengths with a 160-bit exponent
5.3 Biometric Signature speeds using RSA algorithm with modifications
5.4 Biometric Signature speeds using DSA with modifications
5.5 Comparative key generation speeds for various biometrics


List of Abbreviations

ACL: Access Control Lists
AES: Advanced Encryption Standard
ATM: Automated Teller Machines
CA: Certification Authority
CRL: Certificate Revocation Lists
DES: Data Encryption Standard
DoS: Denial of Service
DNA: Deoxyribonucleic acid
DSA: Digital Signature Algorithm
ERR: Equal Error Rate
FAR: False Accept Rate
FRR: False Rejection Rate
IMAP: Internet Message Access Protocol
IP: Internet Protocol
LDAP: Lightweight Directory Access Protocol
MAC: Message Authentication Code
MIME: Multipurpose Internet Mail Extensions
OBI: Open Buying on Internet
OCSP: Online Certificate Status Protocol
OFX: Open Financial Exchange
PGP: Pretty Good Privacy
PIN: Personal Identification Numbers
PKCS: Public Key Cryptographic Standard
PKI: Public Key Infrastructure
PoS: Point of Sales
RA: Registration Authority
RNA: Ribonucleic Acid
RSA: Rivest, Shamir, Adleman
SEAL: Software-optimized Encryption Algorithm
SET: Secure Electronic Transactions
SHA: Secure Hash Algorithm
SSL: Server Socket Layer
S/MIME: Secure Multipurpose Internet Mail Extension
TCP: Transmission Control Protocol
VPN: Virtual Private Networks

Chapter 1

Introduction

Electronic commerce is the conduct of business over an electronic medium such as the internet. Internet security is a major concern in today's digital era. Solid security mechanisms and identification techniques are required to make electronic commerce a complete success. This chapter discusses internet security, the basic requirements for secure electronic commerce applications, the motivation, scope and objectives of this research and the major contributions of this thesis.

1.1 Internet Security

The internet offers a low-cost but insecure means of reaching people. Although access to internet facilities allows the sharing of resources and databases worldwide, it puts any corporate database at risk, especially in electronic commerce applications where the information transmitted involves financial data, company or personal information and other crucial information that needs to be protected from eavesdroppers. Because the internet is ubiquitous, it is difficult to control and trace intrusions or attacks by unauthorized people, hackers etc. Some of the common security threats to any computer network are:

Eavesdropping: The privacy of information is compromised, e.g. someone can learn sensitive information like a credit card number, or record a sequence of packets and use it in a replay attack to gain access to a system [13-16].

Tampering: Tampering is altering information while in transit. Manipulation of the information content of packets undermines confidence in the integrity of data. Manipulating the packets that control how the network functions, or the parts of a packet that control where the network sends it, puts the network in jeopardy [13-16].

Impersonation: Anyone can masquerade as a legitimate user (spoofing) and defraud the system. Once the impersonator manages to log into a network as a legitimate user, he has access to all the resources provided to that legitimate user. Carelessness in handling passwords, and the ease with which they can be stolen, make them a very weak security mechanism that offers more comfort than protection. Another example of impersonation is misrepresentation by an organization itself, e.g. an organization can pretend to be an online shopping store when it is in fact a site that takes credit card payments only and never sends any goods [13-16].

Denial of service: Attackers can attack the routers (stop them forwarding packets) or flood the network with extraneous traffic, thereby causing a "denial of service" attack. DoS (Denial-of-Service) attacks are probably the nastiest and most difficult to address. They are the nastiest because they are very easy to launch, difficult (sometimes impossible) to track, and it is not easy to refuse the attacker's requests without also refusing legitimate requests for service. The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then drops the connection. If the host is able to answer 20 requests per second and the attacker is sending 50 per second, the host will obviously be unable to service all of the attacker's requests, much less any legitimate requests (hits on the web site running there, for example) [13-16].


Several mechanisms are available today to secure a network. Some of the common tools employed for internet security are firewalls, audit tools, encryption products and anti-virus software, some of which are described below. Denial of service attacks are prevented by protecting the routing update packets sent by the routing protocols using passwords, checksums and encryption. Another way is to use packet filtering to prevent obviously forged packets from entering one's network address space [15]. Replay attacks are nullified by incorporating a sequence number in the authentication header. Network and system scanners are used to survey network interfaces like web servers, firewalls etc. for insecure services and other known vulnerabilities. Cryptography-based authentication tokens and access control lists provide protection against unauthorized access to services and data [14].

A firewall is a prevention tool that controls access by individual, internet service, time of day, source and destination or other parameters, e.g. it can limit the downloading of Java applets or ActiveX code to approved users and sites only [16], block viruses before they enter the network or block access to pornographic websites. In other words, firewalls are a single point of defense with controlled and audited access to services, both from inside and outside an organization's private network. However, firewalls cannot guarantee protection from people who are already inside a network. The first firewalls were application gateways, sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the application layer and hence such firewalls are known as Application Gateways. Other types of firewalls are known as Packet Filtering Firewalls. Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it without any sort of restriction. Employing ACLs is a method for enforcing the security policy with regard to what sorts of access one allows the outside world to have to one's internal network, and vice versa. Systems that combine the security of application layer gateways with the flexibility and speed of packet filtering are called hybrid firewalls.

A number of firewall vendors include the ability to build VPNs in their offerings, either directly in their base product or as an add-on. If one needs to connect several offices together, this may well be the best way to do it.

1.2 Basic Requirements for Secure Internet based Commercial Applications

Solid security mechanisms and irrefutable authentication techniques are required to provide end-to-end security and boost the confidence of customers in various internet-based commercial applications like the transfer of credit card numbers, order forms, personal information, online banking etc. This is necessary to persuade customers to switch from the traditional way of performing commerce to web-based applications and make e-commerce a complete success. The four basic requirements for performing secure business on the internet are [17-29]:



Confidentiality: Information content cannot be seen by anyone other than the sender and the receiver. Confidentiality in the paper-based world is achieved simply by placing a private letter in an envelope and sealing it. In the electronic world, however, confidentiality is achieved by transforming the information (message) into an unrecognizable form before transmission, using a process known as encryption, and then converting it back to plaintext using the reverse process, known as decryption. These two processes, encryption and decryption, are described in detail in chapter two. A good and strong encryption technique must ensure that the information cannot be read, copied, modified or disclosed without proper authorization from the message originator, and must also provide protection during message transmission.

Integrity: No one can alter your message while in transmission. Ensuring message integrity means making sure that the message has not been changed since it was sent. On paper, one can tell whether a letter has been changed or added to by looking at the handwriting or the typing. In the case of electronic messages (which consist of ones and zeroes), however, we need techniques that give us the ability to compare the original message with the received one. To guard against unauthorized modification of information, a checksum computation is performed on the message, and the result, known as the message digest, is sent together with the plain message to the receiver. At the receiving side, the receiver can compute and compare the message digest by applying the same algorithm that the message originator used to compute it.

Authentication: Only an authorized person can access the service. To authenticate an entity on the internet, he/she must be equipped with something that can prove the origin of the information. In paper-based communication, this is proven by the individual's signature. In the case of electronic documents, it is done using a digital certificate.

Non-repudiation: Neither receiver nor sender can deny knowledge of the transaction. To repudiate is to refuse to acknowledge. On the internet, where nobody can see each other, the protection of non-repudiation is highly needed, especially in electronic commerce. It prevents an entity involved in the transaction from later denying that the transaction ever took place.

Public key cryptography (cryptography which involves encryption and decryption using public and private keys) meets all four of these requirements for electronic commerce security. It provides encryption/decryption for confidentiality, and the generation and verification of digital signatures to prove message integrity and identity. A digital signature is a piece of information which can be created only by the signer who holds the private signing key, and which can be verified by anyone through the signer's public verification key for the purpose of authentication. Thus, digital signatures inherently provide a mechanism for non-repudiation of origin, whereby the signer cannot falsely deny having signed the message data. We now present our motivation for this research by identifying the problems associated with PKI and biometrics.

1.3 Motivation

Public Key Infrastructure (PKI) is a comprehensive structure that incorporates public key cryptography to provide message integrity, confidentiality, authentication and non-repudiation in electronic commerce applications through a chain of certificate authorities (CA), registration authorities (RA) etc. and various protocols. Biometrics are a person's unique physical (fingerprints, hand or palm geometry, retina, iris or face) and behavioral (signature, voice, keystroke pattern and gait) characteristics, which are also utilized in various commercial applications to identify an individual accurately. We now identify the common problems associated with PKI and biometrics which formed the prime source of motivation for this research.

1.3.1 Problems with PKI and Biometrics

Accessing sensitive databases and storing and transmitting sensitive information on the internet make automated user authentication necessary. Authentication can be based on one of the following:

1. Something you remember: a password, PIN or piece of personal information (such as your mother's maiden name).

2. Something you have: a card key, smart card or token.

3. Something you are: a biometric.

If the authentication is based on a single factor such as a password or a personal identification number (PIN), the security can easily be breached. In order to make authentication more secure, two-factor authentication is used, which involves "something you have" (smartcards/tokens) [41][42] and "something you know" (PIN/password) together. However, the use of PINs, passwords, smart cards or digital certificates for automated user authentication does not really identify a person, but only knowledge of some data or possession of some object, e.g. PKI (public key infrastructure) cannot assure the identity of the maker of a transaction; it can only identify the maker's computer. An impostor can masquerade as a legitimate user and defraud the system. The third factor, "something you are", is essentially a biometric which, as described before, is a person's unique physical or behavioral characteristic that can be used to identify the individual. It is the most secure and convenient tool to identify a person, with sufficient legal background, since it cannot be borrowed, stolen, forgotten or forged [64].

Another major problem associated with PKI algorithms is the management of private keys. They can be stored on disks or on smart cards. If such a key, e.g. the private key of a CA, is stored on a server protected by a 6 or 8 character password, it is prone to attacks by hackers etc. Storing private keys on smart cards is a good idea, but even smart cards can be lost or stolen. This key management issue can be resolved by utilizing biometrics for private key access. One example is the process known as Biometric Encryption, developed by Toronto-based Mytec Technologies, Inc., in which the biometric image is combined with a digital key (to be used as the cryptographic key) during enrollment to create a secure block of data known as a Bioscrypt, in such a way that neither the key nor the biometric can be independently obtained from it [48][55]. The cryptographic key is retrieved during verification by combining the biometric image with the Bioscrypt. Since the key is independent of the biometric, use of the biometric is not forfeited even if the key is compromised. However, this requires tighter integration of biometrics with the operating system to prevent attacks from hackers.

Researchers have invented a new mechanism to minimize the risk of a security breach of the private key: distributed generation of RSA keys over more than one server, thereby dividing the key into shares, one for each server [10-12]. This not only increases the effort required by hackers to steal the private key, and therefore discourages them from even attempting it, but can also be used to delegate the authority to sign documents to more than one person in the company, to minimize errors or misuse by people within the company.
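The hash-then-sign mechanism described in section 1.2 (a digest of the message, signed with the private key and checked by anyone with the public key) and the key-sharing idea just mentioned can both be seen in the following Python illustration. It is an added example, not code from the thesis or its JAVA implementation: it uses a textbook RSA key built from constructed toy primes with no PKCS#1 padding, splits the private exponent d into two additive shares so that each of two servers holds only a part, and combines their partial signatures into one ordinary signature. The function names, the sample order text and the share layout are this example's own assumptions, not notation from the thesis.

```python
# Added illustration, not code from the thesis or its JAVA implementation:
# hash-then-sign with a textbook RSA key, and additive sharing of the private
# exponent d across two signing parties.  The primes are constructed toy values
# (Mersenne primes, far too small for real use) and no PKCS#1 padding is
# applied, so this shows the mechanics only.
import hashlib
import secrets

P = 2**31 - 1   # constructed toy prime
Q = 2**61 - 1   # constructed toy prime
E = 65537       # conventional public exponent


def keygen(p=P, q=Q, e=E):
    """Textbook RSA key material: modulus n, public e, private d, and phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse; ValueError if gcd(e, phi) != 1
    return {"n": n, "e": e, "d": d, "phi": phi}


def digest_mod_n(message: bytes, n: int) -> int:
    """The message digest ('checksum') the text describes, reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(key, message: bytes) -> int:
    """Only the holder of d can produce this value for a given digest."""
    return pow(digest_mod_n(message, key["n"]), key["d"], key["n"])


def verify(key, message: bytes, signature: int) -> bool:
    """Anyone holding (n, e) can check the signature against a fresh digest."""
    return pow(signature, key["e"], key["n"]) == digest_mod_n(message, key["n"])


def share_private_exponent(key):
    """Split d into two additive shares d1 + d2 = d (mod phi), one per server.
    Neither share alone is the signing key."""
    d1 = secrets.randbelow(key["phi"])
    d2 = (key["d"] - d1) % key["phi"]
    return d1, d2


def partial_sign(key, share: int, message: bytes) -> int:
    """One server's contribution: digest^share mod n."""
    return pow(digest_mod_n(message, key["n"]), share, key["n"])


def combine_partials(key, s1: int, s2: int) -> int:
    """digest^d1 * digest^d2 = digest^(d1+d2) = digest^d (mod n)."""
    return (s1 * s2) % key["n"]


def demo():
    """Walk through signing, tamper detection and two-party signing."""
    key = keygen()
    order = b"constructed sample: pay 100 to merchant 42"      # constructed
    tampered = b"constructed sample: pay 900 to merchant 42"   # altered in transit
    sig = sign(key, order)
    d1, d2 = share_private_exponent(key)
    s1 = partial_sign(key, d1, order)
    s2 = partial_sign(key, d2, order)
    return {
        "valid": verify(key, order, sig),
        "tamper_detected": not verify(key, tampered, sig),
        "two_party_valid": verify(key, order, combine_partials(key, s1, s2)),
        "single_share_insufficient": not verify(key, order, s1),
    }


if __name__ == "__main__":
    print(demo())
```

The combined signature is indistinguishable from one produced with the whole d, so the verifier needs no knowledge of how many parties took part; what the sharing buys is that a breach of one server exposes only a random-looking share.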

In the case of biometric technologies, various issues other than stability and accuracy impede the use of biometrics for identification in spite of their uniqueness, such as the use of a single biometric source for a range of applications, e.g. use of the same template by health and insurance agencies might lead to the selection of preferred clients [1]. Also, if the same template is used for user authentication for online banking, then any unauthorized person can break into other people's bank accounts. This might discourage people from allowing the storage or transmission of their biometrics over the internet (even after being hashed) to another party for user identification in electronic commerce applications. One of the solutions suggested to minimize the risk of misuse of database templates is to use a different version of the template-generating algorithm per organization, to prevent cross-readability of templates between different organizations.

Another problem with biometric technologies is that one cannot change the biometric "password" frequently; e.g. in a system employing fingerprint technology for user authentication, one can change the password only 9 times [72]. One solution suggested for generating multiple passwords from the same biometric template is partial disclosure of the user template from the client to the server [1]. With these methods one still needs to maintain a biometric template database.

The problems identified so far with PKI and biometrics are the main motivation for our proposed biometric digital signature system, which addresses many of these issues. We now discuss the scope and objectives of our proposal.


1.4 Scope and Objectives

The scope of this thesis is the PKI-biometric combination for electronic commerce security. We have targeted this combination because of the lack of a robust solution for key management in PKI, and because of the problems pertaining to biometrics, namely misuse of stored templates and the lack of a method for generating multiple keys from the same biometric template.

Main objectives of the proposed PKI–biometric combination system for electronic commerce security are as follows:

1. Integrate biometrics with PKI (digital signatures) so as to make maximum use of the advantages offered by both (confidentiality, integrity, authentication and non-repudiation from PKI, and accurate personal identification from biometrics) for internet based commercial applications, e.g. provide exact identification of the user in PKI instead of his or her belongings (computers, smartcards, disks etc.) or what he or she remembers (passwords, PINs).

2. Resolve the key management issue in PKI, i.e. provide a more secure solution for protecting private keys with minimum storage requirements.

3. Avoid any requirement to store or transmit the biometric template for user authentication, to prevent misuse of templates by the communicating party. In addition, the biometric-PKI solution should provide a means to generate multiple passwords (as many as required) from the same biometric template.


1.5 Major Contributions of the Thesis

The major contributions of this thesis are as follows:

1. The thesis discusses E-Commerce Security (PKI) and biometrics and identifies individual problems associated with them.

2. This thesis proposes a new approach to integrate biometrics with PKI to sign documents digitally using biometrics that is secure, efficacious, non-invasive (in the case of iris), highly accurate, and easy to implement and use. The proposed system combines the advantages of digital signatures and biometrics: with this system it is possible to identify the maker of a transaction directly, instead of his belongings or his knowledge. The system can also be used for personal authentication.

3. Names the proposed biometric-PKI system for generating digital signatures using biometrics "Biometric Signature".

4. Discusses Biometric Signatures using iris recognition and also suggests DNA as another suitable biometric for Biometric Signatures.

5. Investigates integration of two widely used digital signature algorithms, RSA and DSA with biometrics for Biometric Signatures and discusses problems associated with them individually.

6. Suggests modifications required to both systems (Biometric Signatures using RSA and DSA) for allowing certificate renewal and further fortify the security of the biometric template.


7. Provides convenient method to renew the private key generated from a stable biometric template with no restriction on number of private keys that can be generated from the same biometric template.

8. Suggests two methods to generate a private key of the desired length from a biometric template (of a stable biometric) of any size.

9. Reports the speeds of the two systems for generating Biometric Signatures using RSA and DSA (with and without modifications) using a Java implementation.

1.6 Organization of the Thesis

The remaining part of the thesis is organized as follows. Chapter 2 discusses the principles behind cryptography, the main components of PKI and biometric technology in detail. This chapter serves as background for our proposal discussed in the following chapters. Chapter 3 describes our proposal for a biometric based digital signature system using two widely used digital signature algorithms, RSA and DSA, based on iris recognition and DNA. Chapter 4 suggests the modifications required for Biometric Signatures using the RSA and DSA algorithms to enable private and public key renewal and fortify the security of the biometric template. Chapter 5 gives implementation results of Biometric Signatures using the two digital signature algorithms with and without modifications. This chapter also gives comparative speeds for key generation using the two proposed biometric signature systems for various biometrics. Chapter 6 concludes the thesis and suggests future work directions.


Chapter 2

Literature Review: PKI and Biometrics

2.1 Background

Because public key cryptography offers authenticity, confidentiality, integrity and non-repudiation, it is used in a wide range of applications: email clients in the form of S/MIME and PGP/MIME; Virtual Private Networks (VPNs) to prevent eavesdropping; various e-commerce protocols and standards, e.g. the Secure Electronic Transactions (SET) protocol developed by Visa and Mastercard and others to secure credit card transactions [37][38][30], and Secure Sockets Layer (SSL), a session layer protocol from Netscape for securing exchanges between a client and a server [30][38][39]. Other standards and protocols where public key cryptography is employed are Open Buying on the Internet (OBI), a standard for exchanging purchase orders between buyers and sellers [40][57], Open Financial Exchange (OFX), a standard for exchanging information between consumers and financial institutions [58], the Wireless Application Protocol (WAP) for securing transactions over a wireless medium [52,53,59], automated registration authority systems, time stamping services, etc. Public Key Infrastructure (PKI) is a comprehensive system that provides public key cryptography based encryption and digital signature services to applications requiring authenticity, confidentiality, integrity and non-repudiation. It comprises certification authorities (CAs), registration authorities (RAs), certificate management (generation, storage, maintenance and revocation) policies and procedures, key backup and recovery, support for cross certification, etc. [32-34].


Because many e-commerce transactions can result in legal actions (e.g. contracts) that bind the respective parties, it is important to verify that the parties in a business transaction really are the people they purport to be and are authorized agents of the companies they represent. Using biometrics for personal identification, one can be assured that only the right person has made the transaction. In this chapter, the main components governing electronic commerce security (cryptography and PKI) and biometrics are discussed in detail. This chapter serves as the background for our proposal described in the following chapters. We start by investigating the concepts underlying cryptography and the PKI architecture in the following section.

2.2 Public Key Infrastructure (PKI)

2.2.1 Encryption and Decryption

Encryption is the process of disguising information using a mathematical function, known as a cryptographic algorithm or cipher, so as to hide its content. The encrypted form is known as ciphertext. Decryption is the process of transforming ciphertext back into the original message using the same algorithm. The security of the algorithm depends on how difficult it is to retrieve the original message from the ciphertext without discovering the number, known as the key, that the algorithm uses to encrypt or decrypt the message; a sound design keeps the algorithm public and relies only on the secrecy of the key. The mathematics of keeping messages secret is called cryptography. (Note: a branch of cryptography known as visual cryptography is a secret sharing scheme that uses the human visual system to perform the computations [24].)

2.2.2 Symmetric Key Cryptography

In symmetric key cryptography (also known as secret key or private key cryptography), the encryption key can be calculated from the decryption key and vice versa. For most symmetric key algorithms the encryption and decryption keys are the same. The sender and receiver share the secret key and keep it to themselves. The sender encrypts the message using the shared secret key and sends it to the receiver, who decrypts it using the same key to retrieve the message, as shown in Fig. 2.1. Some widely used symmetric key algorithms are DES, AES, Triple-DES, IDEA, RC2 and RC5 [45-48]. A brief description of the DES and AES algorithms is given below.

Figure 2.1 Symmetric Key Cryptography

2.2.2.1 DES

The Data Encryption Standard, DES, is a symmetric block cipher that uses the same key for encryption and decryption. The algorithm enciphers and deciphers blocks of 64 bits under the control of a 56-bit key. Deciphering uses the same key as enciphering, but with the schedule of addressing the key bits reversed, so that the deciphering process is the reverse of the enciphering process. After an initial permutation, the block is split into a left half and a right half, each 32 bits long. The algorithm then performs 16 rounds of identical operations in which the data halves are combined with round subkeys derived from the key. After the sixteenth round the two halves are rejoined, and a final permutation (the inverse of the initial permutation) completes the algorithm. The 56-bit key is the weak point: a DES key was recovered by exhaustive search with purpose-built hardware in 1998, which is why Triple-DES and later AES replaced it.


2.2.2.2 AES

The Advanced Encryption Standard (AES) is the FIPS approved cryptographic algorithm, based on the Rijndael cipher, for protecting electronic data [73]. AES is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Rijndael itself supports a variable block length and key length: keys of 128, 192 or 256 bits can be used with blocks of 128, 192 or 256 bits (all nine combinations are possible), and both lengths can easily be extended to other multiples of 32 bits. The AES standard, however, adopts only the 128-bit block length, with key lengths of 128, 192 or 256 bits (10, 12 or 14 rounds respectively). Rijndael can be implemented very efficiently on a wide range of processors and in hardware.

2.2.3 Asymmetric Key Cryptography

Asymmetric key cryptography, also known as public-key cryptography, is the technique first published by Diffie and Hellman in which encryption and decryption involve different keys. The two keys are known as the public key and the private key. A user gives his or her public key to other users, keeping the private key to himself or herself. Data encrypted with the public key can be decrypted only with the corresponding private key; for RSA the reverse also holds (a value transformed with the private key can be checked with the public key), which is what a digital signature uses, as shown in Fig 2.2 below. The algorithm used for encrypting or decrypting data with a public or private key is known as a public-key algorithm. Some examples of public-key algorithms are RSA, ElGamal and Elliptic Curve Cryptosystems (ECC) [45-48]. The RSA algorithm will be described in Chapter 3 as part of our proposal.


Figure 2.2 Asymmetric Key Cryptography

The key sizes of symmetric and asymmetric algorithms are not directly comparable: a public key algorithm needs a much longer key than a symmetric algorithm to reach the same level of security, because its key is not an arbitrary bit string but a number with mathematical structure (see Section 2.2.5). A longer public key therefore does not mean that public key algorithms are more secure than symmetric ones. Asymmetric key algorithms also require far more computation and take much more time to encrypt and decrypt than symmetric algorithms. Hence, when a large amount of data is to be transmitted, the asymmetric algorithm is used only to transport a symmetric key, which then encrypts the data (hybrid encryption).

2.2.4 Block and Stream Ciphers

Stream ciphers are an important class of encryption algorithms. They encrypt individual characters (usually binary digits) of a plaintext message one at a time, using an encryption transformation that varies with time. By contrast, block ciphers encrypt groups of characters of a plaintext message simultaneously using a fixed encryption transformation. Stream ciphers are generally faster than block ciphers in hardware and have less complex circuitry. They are also more appropriate, and in some cases mandatory (e.g. in some telecommunications applications), when buffering is limited or when characters must be processed individually as they are received. Because they have limited or no error propagation, stream ciphers may also be advantageous where transmission errors are highly probable. Examples of stream ciphers are RC4 and the Software-optimized Encryption Algorithm, SEAL. Block ciphers can be either symmetric-key or public-key. Examples of symmetric key block ciphers are DES, IDEA, SAFER and RC5; examples of public key block ciphers are RSA, ElGamal and Rabin. Note that a stream cipher is only as good as its keystream: reusing a key and nonce pair breaks confidentiality, and since the keystream is simply XORed with the plaintext, an attacker can flip chosen plaintext bits by flipping ciphertext bits unless a separate integrity check is applied.

2.2.5 Key Length and Encryption Strength

The strength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher used and the length of the key. For example, the difficulty of discovering the key for the RSA cipher most commonly used for public-key encryption depends on the difficulty of factoring large numbers that are the product of two large prime numbers of approximately equal size [8][49]. Encryption strength is often described in terms of the size of the keys used: in general, longer keys provide stronger encryption. Key length is measured in bits. For example, 128-bit keys for the RC4 symmetric-key cipher supported by SSL provide significantly better protection than 40-bit keys for the same cipher. Roughly speaking, 128-bit RC4 encryption is 2^88, about 3 x 10^26, times stronger than 40-bit RC4 encryption against exhaustive key search. Different ciphers may require different key lengths to achieve the same level of strength. The RSA cipher, for example, can use only a subset of all possible values for a key of a given length, due to the nature of the mathematical problem on which it is based, and that structure (the factoring problem) admits attacks far faster than exhaustive search. Symmetric key ciphers can use all possible values for a key of a given length. Thus a 128-bit symmetric key provides far stronger encryption than a 128-bit RSA key. At the time of writing it was commonly recommended that RSA use a 512-bit key (or longer) to be considered cryptographically strong, with symmetric key ciphers reaching roughly the same level with a 64-bit key. Even this level is weak: a 512-bit RSA modulus was factored publicly in 1999 and 64-bit symmetric keys have since been recovered by brute force, so current practice is at least 2048-bit RSA and 128-bit symmetric keys.

2.2.6 Block Chaining

A block cipher on its own encrypts each block independently (electronic codebook, ECB, mode), so identical plaintext blocks produce identical ciphertext blocks and patterns in the data show through. Chaining adds a feedback mechanism to a block cipher to remove this weakness: the result of encrypting the previous block is fed into the encryption of the current block, so each ciphertext block depends not just on the plaintext block that generated it but on all the previous plaintext blocks. In cipher block chaining (CBC) mode, each plaintext block is XORed with the previous ciphertext block before it is encrypted (the first block is XORed with an initialization vector, IV). Decryption is the reverse: each ciphertext block is decrypted and the result is XORed with the previous ciphertext block (or the IV for the first block) to recover the plaintext. Note that chaining does not, by itself, assure that blocks in a message have not been replaced or altered in transit: an attacker who flips bits in one ciphertext block garbles that block on decryption and flips the same bits in the following plaintext block, and CBC decryption does not detect it. Integrity requires a separate message authentication code or a digital signature (Sections 2.2.7 and 2.2.8).
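As an added example (not code from the thesis), the following Python shows CBC chaining around a stand-in block cipher and reproduces the bit-flipping attack described above. The Feistel cipher, the key, the IV and the two-block message are constructed for illustration; the chaining and padding logic is the general CBC algorithm.

```python
"""CBC mode over a toy block cipher, and the bit-flipping attack on it.

Added example for this section; not code from the thesis. The block cipher is
a 4-round Feistel network whose round function is HMAC-SHA256, standing in for
DES/AES (not in the Python standard library). It is NOT a real cipher; only
the chaining logic around it is the point.
"""
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks, as in AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed, non-invertible round function; the Feistel structure supplies invertibility.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV.
    data, prev, out = pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = D_k(C_i) XOR C_{i-1}: XOR with the PREVIOUS ciphertext block,
    # not with the output of decrypting the next block.
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def identical_blocks_differ(key: bytes, iv: bytes) -> bool:
    # Two equal plaintext blocks give different ciphertext blocks under CBC
    # (they would be equal under ECB).
    ct = cbc_encrypt(key, iv, b"A" * (2 * BLOCK))
    return ct[:BLOCK] != ct[BLOCK:2 * BLOCK]


def bitflip_attack(key: bytes, iv: bytes, msg: bytes, offset: int, mask: int) -> bytes:
    """Attacker (no key) XORs `mask` into ciphertext byte `offset`. On decryption the
    block containing that byte is garbled and the SAME byte of the NEXT block is
    XORed with `mask`; nothing in CBC detects it."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[offset] ^= mask
    return cbc_decrypt(key, iv, bytes(ct))


# Constructed sample: fixed key and IV so the results are reproducible.
KEY = hashlib.sha256(b"example key, not for real use").digest()
IV = bytes(range(BLOCK))
MSG = b"payee=alice;;;;;" + b"amount=00000100;"  # two 16-byte blocks

if __name__ == "__main__":
    print(cbc_decrypt(KEY, IV, cbc_encrypt(KEY, IV, MSG)) == MSG)
    # Flip byte 7 of block 0 by 0x09: '0' (0x30) becomes '9' (0x39) in byte 7 of block 1.
    print(bitflip_attack(KEY, IV, MSG, 7, 0x09)[BLOCK:])
    print(secrets.token_bytes(BLOCK).hex())  # a real IV must be fresh and unpredictable
```

Running the module shows the round trip succeeding, then the attacker turning "amount=00000100;" into "amount=90000100;" without the key and without any error from the decryptor; the payee block comes back as random bytes, which is exactly why a MAC over the ciphertext (or a signature over the message) is required in addition to CBC.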

2.2.7 Message Digest Algorithms

A message-digest algorithm or one way hash function is a method of reducing a message of any length to a string of a fixed length, called the message digest, in such a way that it is computationally infeasible to find a collision (two messages with the same message digest) or to find a message with a given, predetermined message digest. One-way hash functions (the content of the hashed data cannot be deduced from the hash) are used in many applications including digital signatures. Well known examples are SHA-1 (160-bit output), MD2 and MD5 (128-bit output) [45-48]. SHA-1 and MD5 will be described in detail in the next chapter as part of our proposal. Both have since lost collision resistance (practical collisions for MD5 were published in 2004 and for SHA-1 in 2017), so a signature scheme deployed today should use SHA-256 or stronger.

2.2.8 Digital Signatures

A digital signature is a way to sign documents digitally so as to prove the signer's identity and maintain message integrity [34-36]. A digital signature algorithm transforms a message of any length under a private key into a signature in such a way that it is computationally infeasible to find two messages with the same signature, to find a message with a given, predetermined signature, or to find the signature of a given message without knowledge of the private key. A typical implementation combines a message-digest algorithm with a public-key algorithm that operates on the message digest (for RSA this is often described as "encrypting" the digest with the private key; DSA, described in Chapter 3, has no such encrypt/decrypt symmetry) in the following way (also see Fig. 2.3):

The sender reduces the message m to a message digest H(m) with a message-digest algorithm, then transforms H(m) with his private key P, obtaining the signature P(H(m)). He sends the message m together with P(H(m)) to the receiver; if confidentiality is also required, the pair may be encrypted under a key established with a key agreement algorithm*. The two parts together form the digitally signed message.



The receiver applies the sender's public key to P(H(m)), obtaining the message digest H(m), computes the message digest H'(m) from the received message and compares it to H(m). If the two are the same, he accepts the message; otherwise the message or the signature has been altered.

* Key agreement is a method whereby two parties, without prior arrangements, exchange messages in such a way that they agree upon a secret key known only to them. Key agreement can be achieved with a public-key algorithm or with other methods, and a key-agreement algorithm is an algorithm for achieving it. Diffie-Hellman is a key-agreement algorithm invented by Diffie and Hellman involving exponentiation modulo a large prime number. The difficulty of breaking Diffie-Hellman is generally considered to be equal to the difficulty of computing discrete logarithms modulo a large prime number [39][45-48].


Figure 2.3 Digital Signature

2.2.9 Diffie-Hellman Key-Agreement Algorithm

The Diffie-Hellman key-agreement algorithm was developed by Diffie and Hellman in 1976. It is a method for two parties to establish, over an open channel, the key that will encrypt their data. Diffie-Hellman does this by creating a "shared secret" (sometimes called a "key encryption key") between the two communicating parties. The shared secret then encrypts the symmetric key (for a symmetric key algorithm, e.g. DES, Triple DES, IDEA, Blowfish, etc.) for secure transmission. The protocol has two system parameters p and g, which are public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p with the following property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g^k mod p. Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol.

1. Alice generates a random private value a and Bob generates a random private value b. Both a and b are drawn from the set of integers {1, ..., p-2}.

2. They then derive their public values using parameters p and g and their private values. Alice's public value is g^a mod p and Bob's public value is g^b mod p.

3. They exchange their public values.

4. Alice computes (g^b)^a mod p and Bob computes (g^a)^b mod p. Since g^ab = g^ba = k, Alice and Bob now have a shared secret key k.

The protocol depends on the discrete logarithm problem for its security (all of the fast algorithms known for computing discrete logarithms modulo p, where p is a large prime, are forms of the index-calculus algorithm). It assumes that it is computationally infeasible to calculate the shared secret key k = g^ab mod p given the two public values g^a mod p and g^b mod p when the prime p is sufficiently large. Breaking the Diffie-Hellman protocol is known to be equivalent to computing discrete logarithms under certain assumptions. Two practical cautions: the exchange as described authenticates nobody, so an active attacker can run it separately with each party (a man-in-the-middle), which is why the public values are normally signed or certified; and each party should reject a received public value of 0, 1 or p-1, which would force the shared secret to a known value.
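The exchange in steps 1-4, as an added example that is not part of the thesis, in Python. The parameters p = 23, q = 11, g = 4 and g = 5 are toy values chosen for illustration. is_generator implements the text's definition of a generator (g = 5 generates all of Z_23^*); the exchange itself is run in the order-q subgroup generated by g = 4, as real deployments do, so that honest public values can never be 1 or p-1 and the range check on received values always passes. The block goes slightly beyond the text by adding the checks a deployment needs (generator test, range check on the peer's value, hashing the shared secret into a key), and ends with the eavesdropper's brute-force discrete log to show why p must be large.

```python
"""Diffie-Hellman key agreement (steps 1-4 above) with the checks a deployment needs.

Added example for this section, not code from the thesis. p = 23 is a toy safe
prime (p = 2q + 1, q = 11) so that the eavesdropper's brute force at the end
finishes instantly; real parameters are 2048-bit or larger safe primes.
"""
import hashlib
import secrets


def prime_factors(n: int) -> set:
    # Trial division: fine for the toy p - 1, not for real parameter sizes.
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    if n > 1:
        f.add(n)
    return f


def is_generator(g: int, p: int) -> bool:
    # The text's definition: g^k mod p reaches every n in 1..p-1. Equivalent test:
    # g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1.
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def has_order(g: int, p: int, q: int) -> bool:
    # g generates the subgroup of prime order q (the modern choice: p = 2q + 1, g a square).
    return 1 < g < p and pow(g, q, p) == 1


def private_value(order: int) -> int:
    return 1 + secrets.randbelow(order - 1)  # step 1: uniform in {1, ..., order-1}


def public_value(p: int, g: int, x: int) -> int:
    return pow(g, x, p)  # step 2: g^x mod p


def shared_secret(p: int, peer_public: int, x: int) -> int:
    # Step 4. Reject 0, 1 and p-1: they fix the secret to 0, 1 or +-1 whatever x is,
    # so an active attacker who substitutes them knows the key.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, p)


def derive_key(k: int, p: int) -> bytes:
    # The raw shared secret is not used as a cipher key directly; hash it to a fixed-size key.
    return hashlib.sha256(k.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def exchange(p: int, g: int, a: int, b: int) -> tuple:
    """Whole protocol for given private values; returns (A, B, k_alice, k_bob)."""
    A, B = public_value(p, g, a), public_value(p, g, b)  # step 2
    return A, B, shared_secret(p, B, a), shared_secret(p, A, b)  # steps 3 and 4


def brute_force_dlog(p: int, g: int, target: int) -> int:
    # Eavesdropper: recover x from g^x mod p by trying every exponent (O(p) work).
    for k in range(1, p):
        if pow(g, k, p) == target:
            return k
    raise ValueError("no discrete log")


if __name__ == "__main__":
    p, q, g = 23, 11, 4  # toy parameters; g = 4 has order q in Z_23^*
    assert has_order(g, p, q) and is_generator(5, p) and not is_generator(4, p)
    a, b = private_value(q), private_value(q)
    A, B, ka, kb = exchange(p, g, a, b)
    print(f"A={A} B={B} shared={ka} match={ka == kb}")
    x = brute_force_dlog(p, g, A)  # what an eavesdropper does with a tiny p
    print("eavesdropper recovers k =", pow(B, x, p), "key =", derive_key(ka, p).hex())
```

With the text's full generator g = 5 and a = 6, b = 15, exchange(23, 5, 6, 15) gives the public values 8 and 19 and the shared secret 2 on both sides; with g = 5, however, the private value 11 would yield the public value 22 = p-1, which is why the demo runs the protocol in the prime-order subgroup instead.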

2.2.10 Digital Certificates A digital certificate is an electronic document signed by a trusted certification authority (CA) that is used to identify the owner (an individual, a server, a company or other entity) and associate the owner with a public key thereby developing trust in his public key (Fig.2.4).


The typical certification process is described below.

1. Alice sends a "certification request" containing her name and her public key to a certification authority.

2. The certification authority, after verifying according to its policy that Alice is who she claims to be and controls the corresponding private key, forms a special message m from Alice's request and signs m under its private key, obtaining a signature S. The certification authority returns the message m and the signature S to Alice; the two parts together form a certificate.

3. Alice sends the certificate to Bob to convey trust in her public key.

4. Bob verifies the signature S under the certification authority's public key. If the signature verifies, he accepts Alice's public key.

As with an ordinary digital signature, anyone can verify at any time that the certificate was signed by the certification authority, without access to any secret information. This application assumes that Bob knows the certification authority's public key. Bob can develop trust in the certification authority's public key recursively, if he has a certificate containing the certification authority's public key signed by a superior certification authority that he already trusts. In this sense, a certificate is a stepping stone in digital trust [43][44]. Ultimately, one need only trust the public keys of a small number of top-level certification authorities. Through a chain of certificates, trust in a large number of users' signatures can then be established.


Figure 2.4 Digital Certificate

2.2.10.1 Types of Digital Certificates

Five kinds of certificates are commonly used with Netscape products [33]:

1. Server SSL certificates. Used to identify servers to clients via SSL (server authentication). Server authentication may be used with or without client authentication. Server authentication is a requirement for an encrypted SSL session. Example: Internet sites that engage in electronic commerce usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that they are dealing with a web site identified with a particular company. The encrypted SSL session ensures that personal information sent over the network, such as credit card numbers, cannot easily be intercepted.

2. Client SSL certificates: Used to identify clients to servers via SSL (client authentication). Typically, the identity of the client is assumed to be the same as the identity of a human being, such as an employee in an enterprise. Examples: A bank gives a customer a client SSL certificate that allows the bank's servers to identify that customer and authorize access to the customer's accounts. A company might give a new employee a client SSL certificate that allows the company's servers to identify that employee and authorize access to the company's servers.

3. S/MIME certificates. Used for signed and encrypted email. As with client SSL certificates, the identity of the client is typically assumed to be the same as the identity of a human being, such as an employee in an enterprise. A single certificate may be used as both an S/MIME certificate and an SSL certificate. Examples: A company deploys combined S/MIME and SSL certificates solely for the purpose of authenticating employee identities, thus permitting signed email and client SSL authentication but not encrypted email. Another company issues S/MIME certificates solely for the purpose of both signing and encrypting email that deals with sensitive financial or legal matters.

4. Object-signing certificates. Used to identify signers of Java code, JavaScript scripts, or other signed files. Example: A software company signs software distributed over the Internet to provide users with some assurance that the software is a legitimate product of that company. Using certificates and digital signatures in this manner can also make it possible for users to identify and control the kind of access downloaded software has to their computers.

5. CA certificates. Used to identify CAs. Client and server software use CA certificates to determine what other certificates can be trusted. Example: The CA certificates stored in Communicator determine what other certificates that copy of Communicator can authenticate. An administrator can implement some aspects of corporate security policies by controlling the CA certificates stored in each user's copy of Communicator.

2.2.10.2 X.509 Digital Certificate

Digital certificates are represented according to the X.509 v3 specification (the third version of X.509) recommended by the International Telecommunications Union, ITU, and the International Organization for Standardization/International Electrotechnical Commission, ISO/IEC, in 1997. Every X.509 certificate consists of two sections (Fig 2.5):

1. The data section includes the following information:
a. The version number of the X.509 standard supported by the certificate.
b. The certificate's serial number. Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA.
c. Information about the user's public key, including the algorithm used and a representation of the key itself.
d. The distinguished name (DN) of the CA that issued the certificate.
e. The period during which the certificate is valid (for example, between 1:00 p.m. on February 22, 2001 and 1:00 p.m. on February 23, 2001), as shown in Fig 2.5.
f. The DN of the certificate subject (for example, in a client SSL certificate this would be the user's DN), also called the subject name.
g. Optional certificate extensions, which may provide additional data used by the client or server. For example, the certificate type extension indicates the type of certificate, that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.

2. The signature section includes the following information:
a. The cryptographic algorithm, or cipher, used by the issuing CA to create its own digital signature.
b. The CA's digital signature, obtained by hashing all of the data in the certificate together and signing the hash with the CA's private key.


Figure 2.5 X.509 Digital Certificate

2.2.11 Trust in PKI

Every client or server software that supports certificates maintains a collection of trusted CA certificates. These CA certificates determine which other certificates the software can validate, i.e. which issuers of certificates the software trusts. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. It is also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy. In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements; or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates. CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by successive CAs. Figure 2.6 shows a certificate chain leading from a certificate that identifies some entity, through a subordinate CA certificate, to the CA certificate for the root CA. Certificate chain verification is the process of making sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Netscape software uses the following procedure for forming and verifying a certificate chain, starting with the certificate being presented for authentication:

1. The certificate validity period is checked against the current time provided by the verifier's system clock.

2. The issuer's certificate is located. The source can be either the verifier's local certificate database (on that client or server) or the certificate chain provided by the subject (for example, over an SSL connection).

3. The certificate signature is verified using the public key in the issuer's certificate. If the issuer's certificate is trusted by the verifier in the verifier's certificate database, verification stops successfully here. Otherwise, the issuer's certificate is checked to make sure it contains the appropriate subordinate CA indication in the Netscape certificate type extension, and chain verification returns to step 1 with this new certificate.

The check in step 3 that the issuer is marked as a CA is essential: without it, any holder of an ordinary end-entity certificate could issue certificates for arbitrary names that would chain up to a trusted root. Revocation status (Section 2.2.12.3) must also be checked for every certificate in the chain.
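The following Python, added here and not taken from the thesis, serves both Section 2.2.8 (hash-and-sign with RSA, i.e. the P(H(m)) construction) and the three-step chain verification just described. Key generation is a plain Miller-Rabin search, the signature is textbook (unpadded) RSA over SHA-256, and certificates are dictionaries with a canonical string encoding standing in for X.509/DER; the names Root CA, Sub CA and alice and the numeric validity periods are constructed sample data. Unpadded RSA and dictionary certificates are for illustration only; real systems use PKCS#1 padding and X.509.

```python
"""Hash-and-sign with textbook RSA, then the three-step chain verification above.

Added example serving Sections 2.2.8 and 2.2.11; not code from the thesis. Key
generation, PKCS#1 signature padding and X.509/DER encoding are replaced by
minimal stand-ins, so this shows the logic, not an interoperable implementation.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin primality test after trial division by small primes.
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(n):
            return n


def generate_keypair(bits: int = 1024, e: int = 65537) -> tuple:
    """Returns (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # H(m)


def sign(priv: tuple, message: bytes) -> int:
    n, d = priv
    return pow(digest_int(message), d, n)  # P(H(m)) = H(m)^d mod n (unpadded: demo only)


def verify(pub: tuple, message: bytes, signature: int) -> bool:
    n, e = pub
    return 0 < signature < n and pow(signature, e, n) == digest_int(message)  # H'(m) == H(m)


def cert_body(subject: str, issuer: str, pub: tuple, not_before: int, not_after: int, is_ca: bool) -> dict:
    return {"subject": subject, "issuer": issuer, "pub": pub,
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca}


def encode_body(cert: dict) -> bytes:
    # Canonical encoding of the to-be-signed fields (stand-in for DER); 'sig' is excluded.
    n, e = cert["pub"]
    return "|".join(map(str, [cert["subject"], cert["issuer"], n, e, cert["not_before"],
                              cert["not_after"], cert["is_ca"]])).encode()


def issue(issuer_priv: tuple, body: dict) -> dict:
    # The CA signs message m formed from the request; certificate = m plus signature S.
    return {**body, "sig": sign(issuer_priv, encode_body(body))}


def verify_chain(chain: list, trusted: dict, now: int) -> bool:
    """chain[0] is the certificate presented; chain[i+1] must be the issuer of chain[i].
    trusted maps the names of root CAs the verifier already trusts to their public keys."""
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:  # step 1: validity period
            return False
        if cert["issuer"] in trusted:  # step 2: issuer found in the local trust store
            return verify(trusted[cert["issuer"]], encode_body(cert), cert["sig"])  # step 3, stop
        if i + 1 == len(chain):
            return False  # chain never reaches a trusted CA
        issuer = chain[i + 1]  # step 2: issuer taken from the presented chain
        if issuer["subject"] != cert["issuer"] or not issuer["is_ca"]:
            return False  # wrong issuer, or issuer lacks the CA indication
        if not verify(issuer["pub"], encode_body(cert), cert["sig"]):  # step 3
            return False
        # issuer not yet trusted: loop back to step 1 with the issuer's certificate
    return False


def build_demo_chain(bits: int = 1024) -> tuple:
    """Constructed sample PKI: Root CA -> Sub CA -> alice. Returns (chain, trust store, alice's private key)."""
    root_pub, root_priv = generate_keypair(bits)
    sub_pub, sub_priv = generate_keypair(bits)
    alice_pub, alice_priv = generate_keypair(bits)
    sub = issue(root_priv, cert_body("Sub CA", "Root CA", sub_pub, 1000, 9000, True))
    alice = issue(sub_priv, cert_body("alice", "Sub CA", alice_pub, 2000, 8000, False))
    return [alice, sub], {"Root CA": root_pub}, alice_priv


if __name__ == "__main__":
    chain, trust, alice_priv = build_demo_chain()
    print("chain valid at t=5000:", verify_chain(chain, trust, 5000))
    print("chain valid at t=8500 (alice expired):", verify_chain(chain, trust, 8500))
    s = sign(alice_priv, b"pay 100")
    print("signature verifies:", verify(chain[0]["pub"], b"pay 100", s),
          "after tampering:", verify(chain[0]["pub"], b"pay 1000", s))
```

verify_chain returns True only when every certificate in the presented chain is inside its validity period, each issuer named in a certificate is the next certificate in the chain and carries the CA indication, and the last signature checks against a key in the local trust store; a chain that stops short of a trusted root, a tampered subject name, or a certificate issued by an end-entity key all fail.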


Figure 2.6 Certificate Chain

Other than the X.509 standard, several other standards have been issued to facilitate PKI. The Public Key Cryptography Standards, PKCS#1-15, are produced by RSA Laboratories to cover various phases of public key cryptography, e.g. certificate requests to a CA, key storage, Diffie-Hellman key agreement etc. Contributions from the PKCS series have become part of many formal and de facto standards, including the ANSI X9 documents, SET, S/MIME and SSL [31]. IEEE has published the IEEE P1363 standard for public key cryptography [60].

2.2.12 Certificate Management

2.2.12.1 Certificate Issuance

The process of issuing a certificate depends on the certificate authority (CA) that issues it and the purpose for which it is issued. Different CAs have different procedures for issuing different kinds of certificates. Certificate requests can be made using the HTTP, SMTP or CRS (certificate request syntax) protocols (see Fig. 2.7). In some cases the only requirement may be an email address; at the other end, for certificates that identify people who can authorize large expenditures or make other sensitive decisions, the issuing process may require notarized documents, a background check, and a personal interview.

Keys can be generated by the client directly or generated centrally by the CA and distributed to users via an LDAP (Lightweight Directory Access Protocol) directory, discussed below. Keys can be stored in a password protected directory, on smart cards, etc.

2.2.12.2 Key Management

Before a certificate can be issued, the public key it contains and the corresponding private key must be generated. Sometimes it may be useful to issue a single person one certificate and key pair for signing operations, and another certificate and key pair for encryption operations. Separate signing and encryption certificates make it possible to keep the private signing key on the local machine only, thus providing maximum non-repudiation, and to back up the private encryption key in some central location where it can be retrieved if the user loses the original key or leaves the company. Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation: local key generation provides maximum non-repudiation, because the private key never leaves the user's control, but may involve more participation by the user in the issuing process, while central generation lets the CA escrow keys but means a third party has held the signing key. Flexible key management capabilities are essential for most organizations.


Figure 2.7 PKI architecture

2.2.12.3 Certificate Status, Revocation and Renewal

As part of their certificate control systems, CAs populate directories with certificates. Client applications can then access the directory to retrieve a certificate within that PKI. Certificates are retrieved based on a parameter, such as name or email address. LDAP is the most popular standard used to talk to directories (Fig 2.7). It supports reading from and writing to directories. However, most end user applications might only need to read.

Certificates are valid only for a period of time. They cannot be used before or after that period. When the certificate expires it can be renewed depending on the CA's policy. Certificates can also be revoked whenever required, e.g. in case someone's private key is stolen or if an employee leaves a company. Therefore, before using a certificate, it is essential to check its "status". Every CA publishes CRLs (Certificate Revocation Lists), which are lists of all revoked certificates in a PKI. In SSL, each time a certificate is presented for authentication, it is checked directly with the issuing CA. CRLs are stored in directories and can be downloaded by end user applications. However, in a large PKI, the size of a CRL can be huge (> 500K) and it would be infeasible to download the whole CRL. OCSP (Online Certificate Status Protocol) is an alternative to a CRL. Instead of downloading a whole CRL, the client asks a central OCSP server for the status of a particular certificate (Fig 2.7).

2.2.12.4 Registration Authorities

Registration authorities are the intermediate entities between certifying authorities and the clients. They act as a front end to a CA by receiving end entity requests, authenticating them, and forwarding them to the CA. After receiving the response from a CA, they notify the end entities of the results. RAs can be helpful in scaling a PKI across different departments, geographical areas, or other operational units with varying policies and authentication requirements.

2.2.13 PKCS Standards

The Public-Key Cryptography Standards (PKCS) are specifications produced by RSA Laboratories [31] in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. A brief description of each PKCS is given below.

1. PKCS #1: RSA Cryptography Standard
2. PKCS #2: incorporated into PKCS #1
3. PKCS #3: Diffie-Hellman Key Agreement Standard
4. PKCS #4: incorporated into PKCS #1
5. PKCS #5: Password-Based Cryptography Standard
6. PKCS #6: Extended-Certificate Syntax Standard
7. PKCS #7: Cryptographic Message Syntax Standard
8. PKCS #8: Private-Key Information Syntax Standard
9. PKCS #9: Selected Attribute Types
10. PKCS #10: Certification Request Syntax Standard
11. PKCS #11: Cryptographic Token Interface Standard
12. PKCS #12: Personal Information Exchange Syntax Standard
13. PKCS #13: Elliptic Curve Cryptography Standard
14. PKCS #14: Pseudorandom Number Generation Standard
15. PKCS #15: Cryptographic Token Information Format Standard

Detailed descriptions of each can be found on the RSA Security website [49].

2.2.14 SSL

The Secure Sockets Layer (SSL) protocol, which was originally developed by Netscape, is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL is widely used on the Internet, especially for interactions that involve exchanging confidential information such as credit card numbers. The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and routing of data over the Internet. Other protocols, such as the HyperText Transfer Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), or Internet Message Access Protocol (IMAP), run "on top of" TCP/IP in the sense that they all use TCP/IP to support typical application tasks such as displaying web pages or running email servers. The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP [63]. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks:

• SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.

• SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.

• An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering, that is, for automatically determining whether the data has been altered in transit.

2.2.15 SET

Secure Electronic Transaction (SET) is a standard developed by Visa and MasterCard as a way to facilitate secure payment card transactions over the Internet. SET relies on cryptography and digital certificates to ensure message confidentiality and security at every point of the transaction process. In order to make a purchase electronically, the buyer/client sends the order form and a signed, encrypted authorization to a merchant, who passes the authorization to his bank. The bank checks the digital signature and decrypts the credit card number. The bank verifies the credit card with the issuer of the credit card. If the bank gets a valid return, it informs the merchant that it is all right to proceed with the transaction. The user gets the goods and a receipt, and the merchant returns to the bank to verify the transaction and request the funds for the purchase.

2.2.16 Pretty Good Privacy

PGP, which stands for Pretty Good Privacy, is a free and widely available encryption program that lets you protect files and electronic mail. It uses asymmetric 1024-bit keys to accomplish the coding and decoding of messages. First the plaintext is compressed. A session key (a random number) is generated and the compressed message is encrypted using the key and a symmetric encryption algorithm to generate ciphertext. The temporary session key is then encrypted with the receiver's public key. The ciphertext and the encrypted session key are then sent to the receiver. The receiver decrypts the encrypted session key with his private key. Once the session key is obtained, the receiver decrypts the ciphertext to obtain the original plaintext (message). Because it uses state-of-the-art public key cryptography, PGP can be used to authenticate messages as well as keep them secret. Thus, with PGP, one can digitally "sign" a message when sending it. By checking the digital signature at the other end, the recipient can be sure that the message was not changed during transmission and that the message actually came from the real sender.
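The hybrid flow just described (compress, fresh session key, symmetric encryption, session key wrapped under the receiver's public key, signature under the sender's private key), as an added Python example that is not code from the thesis or from PGP itself. Toy RSA keys built from fixed Mersenne primes, an HMAC-SHA-256 integrity tag and a SHA-256 counter-mode stream cipher stand in for PGP's real algorithms; all key values and the sample message are constructed for the example:

```python
"""Hybrid encryption plus signing in the PGP style (constructed example)."""
import hashlib
import hmac
import secrets
import zlib

E = 65537  # standard RSA public exponent


def toy_rsa_keypair(p: int, q: int) -> dict:
    """Textbook RSA key pair from two known primes: no padding, toy use only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E, "d": d}


def public_part(key: dict) -> dict:
    """The shareable half of a key pair."""
    return {"n": key["n"], "e": key["e"]}


# Constructed key pairs built from Mersenne primes so the example needs no
# prime generator. Real PGP keys use random primes of 2048 bits or more.
RECEIVER = toy_rsa_keypair((1 << 521) - 1, (1 << 607) - 1)     # ~1128-bit modulus
SENDER = toy_rsa_keypair((1 << 1279) - 1, (1 << 2203) - 1)     # ~3482-bit modulus


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the symmetric cipher: SHA-256 keystream in
    counter mode. XOR is its own inverse, so one call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_and_sign(plaintext: bytes, receiver_pub: dict, sender_priv: dict) -> dict:
    """Sender side: compress, encrypt under a fresh session key, wrap the key, sign."""
    compressed = zlib.compress(plaintext)                        # 1. compress plaintext
    session_key = secrets.token_bytes(32)                        # 2. random session key
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(session_key, nonce, compressed)      # 3. symmetric encryption
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()  # tamper detection
    # 4. session key encrypted with the receiver's public key
    wrapped_key = pow(int.from_bytes(session_key, "big"), receiver_pub["e"], receiver_pub["n"])
    # 5. signature over the plaintext hash with the sender's private key
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    signature = pow(digest, sender_priv["d"], sender_priv["n"])
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag,
            "wrapped_key": wrapped_key, "signature": signature}


def decrypt_and_verify(packet: dict, receiver_priv: dict, sender_pub: dict) -> bytes:
    """Receiver side: unwrap the session key, check integrity, decrypt, verify signature."""
    key_int = pow(packet["wrapped_key"], receiver_priv["d"], receiver_priv["n"])
    if key_int >= 1 << 256:
        raise ValueError("session key could not be unwrapped with this private key")
    session_key = key_int.to_bytes(32, "big")
    expected_tag = hmac.new(session_key, packet["nonce"] + packet["ciphertext"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, packet["tag"]):
        raise ValueError("message was altered in transit")
    plaintext = zlib.decompress(stream_xor(session_key, packet["nonce"], packet["ciphertext"]))
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    if pow(packet["signature"], sender_pub["e"], sender_pub["n"]) != digest:
        raise ValueError("signature does not verify under the sender's public key")
    return plaintext


if __name__ == "__main__":
    message = b"Transfer 100 units to account 42"  # constructed sample message
    packet = encrypt_and_sign(message, public_part(RECEIVER), SENDER)
    assert decrypt_and_verify(packet, RECEIVER, public_part(SENDER)) == message
    print("round trip ok;", len(packet["ciphertext"]), "ciphertext bytes")
```

The integrity tag is checked before decompression, so an altered ciphertext is rejected before it reaches zlib. For brevity the signature travels alongside the ciphertext here; PGP itself places the signature inside the compressed, encrypted body, so that the signature is also hidden from anyone without the session key.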

2.2.17 Virtual Private Networks

The Internet being insecure, and considering the large expense of private leased lines, many organizations prefer to have VPNs (Virtual Private Networks), which are a secure and low-cost solution for communication between a company's different branches/offices situated in different geographical areas. Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate. The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to "internal" resources without providing those resources to everyone on the Internet. VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet (through the company's internet service provider, ISP), is private (because the link is encrypted), and the link is convenient, because each can see the other's internal resources without showing them off to the entire world. A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product, or as an add-on. If one needs to connect several offices together, this could be the best way to do it.

2.2.18 Need of Biometrics in Electronic Commerce

The main advantage of PKI is that it offers integrity, confidentiality, authentication and non-repudiation (described in detail in chapter 1) through a chain of CAs and RAs by means of digital certificates and various protocols. However, as mentioned in chapter 1, PKI does not guarantee the identity of the person who originated the digital signature. It can only guarantee the person's password, PIN, computer, smartcard etc. In the next section, we will investigate in detail biometric technologies, which guarantee unique personal identification.

2.3 Biometrics

A biometric is a person's unique physical or behavioral characteristic that can be used to identify the individual. Physical characteristics include fingerprints, hand or palm geometry, retina, iris and facial characteristics. Behavioral characteristics include signature, voice, keystroke pattern and gait [3][7][56]. Fingerprint technology is the most widely used biometric today. Due to its uniqueness, a biometric is the only way to identify a person with sufficient legal background. All biometric based verification techniques undergo a live detection test. The goal of live sample detection is not to check for dead body parts. Instead, live detection is designed to prevent use of a token – a sharable item such as a fake finger or mask capable of defeating biometric systems. Hardware used to acquire biometric samples is known as the acquisition device.

The automated process of locating and encoding distinctive characteristics from a biometric sample in order to generate a template is called feature extraction. The feature extraction process may include various degrees of image or sample processing in order to locate a sufficient amount of accurate data. For example, voice-scan technologies can filter out certain frequencies and patterns, and finger-scan technologies can thin the ridges present in a fingerprint image to the width of a single pixel. Furthermore, if the sample provided is inadequate to perform feature extraction, the biometric system will generally instruct the user to provide another sample, often with some type of advice or feedback. The manner in which biometric systems extract features is a closely guarded secret, and varies from vendor to vendor. A brief summary of some commonly used biometric systems, their individual live detection tests, acquisition devices and the common physiological and behavioral characteristics used in feature extraction is given below.

2.3.1 Description of various biometric technologies

2.3.1.1 Finger-scan

When prompted, the user gently places his or her finger on a postage-stamp sized optical or silicon surface. This surface, known as a platen, is built into a peripheral device, mouse, keyboard, or Personal Computer Memory Card International Association (PCMCIA) card. The user generally must hold the finger in place for 1-2 seconds, during which automated comparison and matching takes place. After a successful match, the user has access to programs, files, or resources. Typical verification time from "system ready" prompt: 2-3 seconds [64].


Live Detection Test: There are many different ways that finger samples are acquired. Some systems rely on the unique conductive nature of a live finger. Others measure blood flow or ensure the ridges at the periphery of the print are arrayed as is normal in live finger placement.

Acquisition Device: Finger-scan desktop peripheral, PCMCIA card, mouse, chip or reader embedded in keyboard [64].

Feature Extraction: Location and direction of ridge endings and bifurcations on fingerprint.

2.3.1.2 Fingerprints vs. Finger-scans

The aura of criminality that accompanies the term "fingerprint" has not significantly impeded the acceptance of finger-scan technology, because the two authentication methods are very different. Fingerprinting, as the name suggests, is the acquisition and storage of the image of the fingerprint. Fingerprinting was for decades the common ink-and-roll procedure, used when booking suspects or conducting criminal investigations. More advanced optical or non-contact fingerprinting systems (known as live-scan), which normally utilize prints from several fingers, are currently the standard for forensic usage. They require 250kb per finger for a high-quality image. Finger-scan technology also acquires the fingerprint, but doesn't store the full image. It stores particular data about the fingerprint in a much smaller template, requiring from 250-1000 bytes. After the data is extracted, the fingerprint is not stored. Significantly, the full fingerprint cannot be reconstructed from the finger-scan template [64].

2.3.1.3 Facial-scan

The user faces the camera, preferably positioned within 24 inches of the face. Generally, the system will locate the face very quickly and perform matches against the claimed identity. In some situations, the user may need to alter his facial aspect slightly to be verified. Typical verification time from "system ready" prompt: 3-4 seconds [64].

Live Detection Test: Facial-scan systems can require users to change their facial expressions (e.g., blink eyes or smile) in order for a template to be successfully generated.

Feature Extraction: Relative position and shape of nose, position of cheekbones.

Acquisition Device: video camera, PC camera, single-image camera.

2.3.1.4 Voice-scan

The user positions him or herself near the acquisition device (microphone, telephone). At the prompt, the user either recites the enrollment passphrase or repeats a passphrase given by the system. Typical verification time from "system ready" prompt: 4-6 seconds [64].

Live Detection test: Some voice scan systems can generate a random sequence of numbers for each verification. This makes it difficult to utilize a pre-recorded voiceprint. Lower fidelity recording devices are also generally incapable of capturing the high and low frequencies necessary to verify.

Feature Extraction: Frequency, cadence, and duration of vocal pattern.

Acquisition Device: microphone, telephone.

2.3.1.5 Iris-scan

The user positions him or herself near the acquisition device (peripheral or standalone camera) and centers the eye on the device so that he or she can see the eye's reflection. Depending on the device, the user is between 2-18 inches away. Capture and verification are nearly immediate. Typical verification time from "system ready" prompt: 3-5 seconds [64].

Live Detection Test: Iris-scan systems can vary the amount of light shone on the eye and record the dilation of the pupil.

Feature Extraction: Furrows and striations in iris.

Acquisition Device: Infrared-enabled video camera, PC camera.

2.3.1.6 Retina-scan

The user looks into a small opening on a desktop or wall-mounted device, holding the head very still and looking at a small green light located within the device. Typical verification time from "system ready" prompt: 10-12 seconds [64].

Live Detection Test: Within minutes of death, the vein structure of the retina would likely deteriorate to the point that a retina-scan would no longer authenticate a user.

Feature Extraction: Blood vessel patterns on retina.

Acquisition Device: proprietary desktop or wall-mountable unit.

2.3.1.7 Hand-scan

The user places the hand, palm-down, on an 8x10 metal surface with five guidance pegs. The pegs ensure that the fingers are placed properly and the hand is correctly positioned. Typical verification time from "system ready" prompt: 2-3 seconds [64].

Live Detection Test: Hand-scan does not check for a live biometric sample. Theoretically, an amputated hand would be able to verify on a hand-scan system, although the fingers would need to be positioned such that they are placing pressure on the correct pegs.


Feature Extraction: Height and width of bones and joints in hands and fingers.

Acquisition Device: proprietary wall-mounted unit.

2.3.1.8 Signature-scan

The user positions himself to sign on the tablet (if applicable). When prompted, the user signs his name in the tablet's capture area. Typical verification time from "system ready" prompt: 4-6 seconds [64].

Live Detection Test: There is no way to generate a 'dead' signature.

Feature Extraction: Speed, stroke order, pressure, and appearance of signature.

Acquisition Device: signature tablet, motion-sensitive stylus.

2.3.1.9 Keystroke-scan

The user types his or her password or passphrase. Typical verification time from "system ready" prompt: 2-3 seconds [64].

Feature Extraction: Keyed sequence, duration between characters.

Acquisition Device: Keyboard or keypad.

2.3.2 Biometric Template

A biometric template is a comparatively small but highly distinctive file derived from the features of a user's biometric sample or samples, used to perform biometric matches. A template is created after a biometric algorithm locates features in a biometric sample. The concept of the template is one of biometric technology's defining elements, although not all biometric systems use templates to perform biometric matching: some voice-scan systems utilize the original sample to perform a comparison [64].

Table 2.1 Average template size for various biometric technologies (in bytes)

    Technology        Template size (bytes)
    Voice Scan        2,000-10,000
    Signature Scan    1,500
    Facial Scan       1,300
    Iris-Scan         512
    Finger Scan       250
    Retina Scan       96
    Hand Scan         9

The size of a template varies by technology and vendor. Table 2.1 depicts the typical sizes for the leading biometric technologies [64]. In some instances, specific vendors may utilize larger or smaller templates depending on the requirements of a given application. Template size can also vary depending on the size of the sample, such as the signature length and complexity, the length of a voice passphrase, or the number of characters in a typed password.

Biometrics are being used in many applications like physical access control, national ID database to confirm identity, ticketless travel, commuting and maintaining health records, online banking via internet and ATMs, secure computer log-on, website access, password file access etc.

2.3.3 Identification and Verification

The two primary uses of biometrics are identification and verification.

Identification (1:N, one-to-many, recognition): Identification is the process of determining a person's identity by performing matches against multiple biometric templates. Identification systems are designed to determine identity based solely on biometric information. There are two types of identification systems: positive identification and negative identification [64]. Positive identification systems are designed to find a match for a user's biometric information in a database of biometric information.

Negative identification systems search databases in the same fashion, comparing one template against many, but are designed to ensure that a person is not present in a database. This prevents people from enrolling twice in a system, and is often used in large-scale public benefits programs in which users enroll multiple times to gain benefits under different names.

Verification (1:1, matching, authentication): Verification is the process of establishing the validity of a claimed identity by comparing a verification template to an enrollment template. Verification requires that an identity be claimed, after which the individual's enrollment template is located and compared with the verification template. Some verification systems perform very limited searches against multiple enrollee records.

For example, a user with three enrolled finger-scan templates may be able to place any of the three fingers to verify, and the system performs 1:1 matches against the user's enrolled templates until a match is found.


Figure 2.8 Biometrics based authentication system

2.3.4 Biometrics based user authentication system

A biometrics based user authentication system comprises the following steps (see Fig. 2.8):

1. Capture the biometric.
2. Process the biometric and extract and enroll the biometric template.
3. Store the template in a central repository.
4. Live scan the chosen biometric.
5. Process and extract the biometric template.
6. Match the scanned biometric against stored templates.
7. If verified, allow access or perform the intended business application.
8. Record an audit trail with respect to system use.


2.3.5 Accuracy of a biometric

Performance of biometric systems is characterized in terms of error rates and speed [56][64]. There are two types of errors. When a biometric measurement from a live subject is compared to that subject's enrolled template and the system fails to match the two, a "false reject" event occurs. The probability of this happening is the False Reject Rate or FRR. There is also a possibility that the measurement from a live subject will be so similar to a template from another, different, person that a match will be (erroneously) declared. This second type of error is called a "false accept" event and the associated probability is called the false accept rate or FAR. The FAR achieved by a particular biometric directly reflects the fundamental power and specificity of the technology. To achieve a low FAR the biological entity measured must be absolutely unique to the individual, and the algorithm used to measure the entity must capture this uniqueness very effectively. Crossover or Equal Error Rate (EER) is the point at which FRR is equal to FAR [2-7]. Fig. 2.9 shows a rough sketch of probability density vs. Hamming distance for impostors and legitimate users for iris recognition [6]. Hamming distance is the percentage of bits that differ between two binary strings (templates): one that is enrolled and one that is acquired during verification. The region under the first hump is the region for the correct accept rate and that under the second hump is the correct reject rate. Regions for FAR and FRR are shown with horizontal and vertical bars. As is evident from the figure, FAR and FRR are inversely related, i.e. an increase in one results in a decrease in the other and vice versa. For most biometrics, FAR is usually pre-specified at 1.
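The matching steps of section 2.3.4 and the error-rate definitions above, as an added Python example that is not code from the thesis. Binary templates are compared by fractional Hamming distance as in iris recognition; a TemplateStore performs both 1:1 verification and 1:N identification; and a seeded, constructed population of enrolled templates (512 bytes each, the iris-code size from Table 2.1) with simulated live scans yields genuine and impostor scores from which FAR, FRR and the equal error rate are computed by sweeping the decision threshold. The bit-flip noise model, the population sizes and the 0.32 threshold are assumptions, not values from the thesis:

```python
"""Template matching and error-rate analysis for a binary biometric (constructed example)."""
import random

TEMPLATE_BYTES = 512  # iris-code size from Table 2.1


def hamming_distance(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length binary templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


class TemplateStore:
    """Central repository of enrollment templates (steps 1-3 of section 2.3.4)."""

    def __init__(self, threshold: float):
        self.threshold = threshold   # largest Hamming distance still accepted as a match
        self.enrolled = {}           # user id -> enrollment template

    def enroll(self, user_id: int, template: bytes) -> None:
        self.enrolled[user_id] = template

    def verify(self, claimed_id: int, live: bytes) -> bool:
        """1:1 verification against the claimed identity's enrollment template."""
        stored = self.enrolled.get(claimed_id)
        return stored is not None and hamming_distance(stored, live) <= self.threshold

    def identify(self, live: bytes):
        """1:N identification: the closest enrolled template, if within the threshold."""
        best_id, best_hd = None, 1.0
        for user_id, stored in self.enrolled.items():
            hd = hamming_distance(stored, live)
            if hd < best_hd:
                best_id, best_hd = user_id, hd
        return best_id if best_hd <= self.threshold else None


def random_template(rng: random.Random) -> bytes:
    """Constructed enrollment template of a new, unrelated person."""
    return rng.getrandbits(8 * TEMPLATE_BYTES).to_bytes(TEMPLATE_BYTES, "big")


def noisy_copy(template: bytes, flip_prob: float, rng: random.Random) -> bytes:
    """Simulate a fresh live scan of the same person: each bit flips with flip_prob."""
    out = bytearray(template)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < flip_prob:
                out[i] ^= 1 << bit
    return bytes(out)


def build_population(rng: random.Random, users: int = 20, samples: int = 5):
    """Constructed population: enrolled templates plus genuine and impostor scores."""
    enrolled = {uid: random_template(rng) for uid in range(users)}
    genuine, impostor = [], []
    for template in enrolled.values():
        for _ in range(samples):
            live = noisy_copy(template, rng.uniform(0.05, 0.30), rng)   # same person
            genuine.append(hamming_distance(template, live))
            impostor.append(hamming_distance(template, random_template(rng)))  # other person
    return enrolled, genuine, impostor


def error_rates(genuine, impostor, threshold: float):
    """FAR: fraction of impostor scores accepted; FRR: fraction of genuine scores rejected."""
    far = sum(hd <= threshold for hd in impostor) / len(impostor)
    frr = sum(hd > threshold for hd in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor, steps: int = 100):
    """Sweep thresholds 0.0 .. 0.5 and return (threshold, EER) where FAR and FRR cross."""
    best = None
    for i in range(steps + 1):
        t = i / (2 * steps)
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    t, far, frr = best
    return t, (far + frr) / 2


RNG = random.Random(7)  # seeded so the constructed population is reproducible
ENROLLED, GENUINE, IMPOSTOR = build_population(RNG)
STORE = TemplateStore(threshold=0.32)
for uid, template in ENROLLED.items():
    STORE.enroll(uid, template)

if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print("crossover threshold %.3f, EER %.3f" % (t, eer))
    for t in (0.1, 0.3, 0.5):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print("threshold %.1f: FAR %.2f  FRR %.2f" % (t, far, frr))
```

Running it prints FAR and FRR at three thresholds: raising the threshold admits more impostor scores (FAR rises) while rejecting fewer genuine scores (FRR falls), which is the trade-off the figure above illustrates. With this constructed population the two score distributions do not overlap, so the EER comes out as zero; real genuine and impostor distributions overlap in their tails, and the crossover is then a positive rate.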

p, q, and g are public and can be shared among a group of users.

Generation of Private Key:

4. Compute the hash of the 512-byte biometric template using a one-way hash function like SHA-1, compute the nearest number to this hash that is less than q, and assign that number to x (a 160-bit private key).

Generation of Public Key:

6. y = g^x mod p (Note: y is a p-bit public key)

Signature Generation:

7. Compute:

a. k = random integer with 0
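The key-generation steps above carried through to a working signature, as an added Python example rather than the thesis's own code. Steps 4 and 6 follow the page (SHA-1 of a 512-byte template reduced below q, then y = g^x mod p); the parameter generation and the DSA signing and verification equations are the standard ones from FIPS 186, which the page's p, q, g notation and its truncated step 7 describe, and are supplied here as an addition. The Miller-Rabin test, the 512-bit p (kept small so the example runs quickly), the seeded parameter generator, the constructed 512-byte template and the reading of "nearest number less than q" as reduction modulo q are all assumptions:

```python
"""Biometric-derived DSA key pair and signature (constructed example)."""
import hashlib
import random
import secrets


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division by small primes first."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(rng: random.Random, q_bits: int = 160, p_bits: int = 512):
    """Public p, q, g with q | p - 1 and g of order q (steps 1-3 of the scheme).
    p is kept at 512 bits so the example runs in well under a second."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = rng.getrandbits(p_bits - q_bits) & ~1          # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g


def derive_private_key(template: bytes, q: int) -> int:
    """Step 4: SHA-1 of the 512-byte template, reduced below q.
    'Nearest number less than q' is interpreted here as reduction modulo q."""
    h = int.from_bytes(hashlib.sha1(template).digest(), "big")
    x = h % q
    if x == 0:
        raise ValueError("template hash is a multiple of q; cannot use as private key")
    return x


def message_hash(message: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def sign(message: bytes, p: int, q: int, g: int, x: int):
    """Step 7: standard DSA signature (r, s) with a fresh random 0 < k < q."""
    h = message_hash(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:
            return r, s


def verify(message: bytes, signature, p: int, q: int, g: int, y: int) -> bool:
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    h = message_hash(message, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


RNG = random.Random(2002)  # seeded so the constructed parameters are reproducible
P, Q, G = generate_parameters(RNG)
TEMPLATE = bytes(range(256)) * 2          # constructed 512-byte stand-in for an iris template
X = derive_private_key(TEMPLATE, Q)       # private key derived from the biometric
Y = pow(G, X, P)                          # step 6: public key

if __name__ == "__main__":
    sig = sign(b"purchase order 1234", P, Q, G, X)
    print("signature valid:", verify(b"purchase order 1234", sig, P, Q, G, Y))
```

The same template yields the same private key on every run, which is the property the scheme relies on; the caveat that follows from it is that anyone holding the template can derive x, so the stored template needs at least the protection given to a conventional private key.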