An Efficient Entity Authentication Protocol with Enhanced Security and Privacy Properties

Abstract

User authentication based on biometrics is getting an increasing attention. However, privacy concerns for biometric data have impeded the adoption of cloud-based services for biometric authentication. This paper proposes an efficient distributed two-factor authentication protocol that is privacy-preserving even in the presence of colluding internal adversaries. One of the authentication factors in our protocol is biometrics, and the other factor can be either knowledge-based or possession-based. The actors involved in our protocol are users, user/client devices with biometric sensors, service provider, and cloud for storing protected biometric templates. Contrary to the existing biometric authentication protocols that offer security only in the honest-but-curious adversarial model, our protocol provides enhanced security and privacy properties in the active (or malicious) adversarial model. Specifically, our protocol offers identity privacy, unlinkability, and user data (i.e., the biometric template data and the second factor) privacy against compromised cloud storage service, and preserves the privacy of the user data even if the cloud storage service colludes with the service provider. Moreover, our protocol only employs lightweight schemes and thus is efficient. The distributed model combined with the security and privacy properties of our protocol paves the way towards a new cloud-based business model for privacy-preserving authentication.

A   Proofs

Proof

(of Theorem 1 ). The proof is split into two cases. In the first case, the adversary \(\mathcal {A}\) is given a valid password (e.g., \(\mathcal {A}\) is given \(\textsf {pw}_i\) of user U\(_i\)). In the second case, \(\mathcal {A}\) is given a valid biometrics, (e.g., \(\mathcal {A}\) is given \(b'_i\) of user U\(_i\)). In both cases, if \(\mathcal {A}\) can provide \(b'_i\oplus r_i\) such that \(\textsf {HW}(b_i\oplus b'_i)\le \tau \), then \(\mathcal {A}\) succeeds in impersonating the user U\(_i\).

Case 1: Assume that the attacker can successfully impersonate a user with a non-negligible probability. This means that \(\mathcal {A}\) either (a) can forge the user biometrics and generate \(b'_i\) that matches the reference template \(b_i\) of the user U\(_i\), or (b) knows \(i\leftarrow \textsf {ID}_i\) so that it can collude with \(\textsf {DB}\) to learn \(b_i\). However, the probability of case (a) happening is bounded by the false acceptance rate, which can be bounded to be arbitrarily small, at the price of increased false rejection rate. And case (b) requires that \(\mathcal {A}\) can learn i from \(\textsf {PIR}(i)\) or can derive i from \(\textsf {ID}_i\), which contradicts both the security of the PIR scheme and the fact that \(i\leftarrow \textsf {ID}_i\) is only known to \(\textsf {SP}\). Therefore, \(\mathcal {A}\) cannot impersonate a user knowing only the password.

Case 2: Assume again that the attacker can successfully impersonate a user with a non-negligible probability. As in Case 1, this means that \(\mathcal {A}\) either can guess the password (or the password-generated key \(r_i\)) or knows \(i\leftarrow \textsf {ID}_i\) so that it can collude with \(\textsf {DB}\) to learn \(r_i\). However, while the probability of the former is negligible in \(H_\infty (\textsf {pw})\), the latter requires that \(\mathcal {A}\) can learn i from \(\textsf {PIR}(i)\) or knows \(i\leftarrow \textsf {ID}_i\).

Therefore, \(\mathcal {A}\) cannot successfully impersonate any user without having access to both authentication factors. Note that the use of salt prevents the adversary from practical dictionary attacks. Hence, it is important to salt the KDF, e.g. with the user ID, so that the security of the protocol in Case 2 can be related to \(H_\infty (\textsf {pw})\).

Proof

(of Theorem 2 ). Suppose that the adversary (i.e., the malicious DB) has a non-negligible advantage, i.e., \(\big |\Pr \{\beta =\beta '\}-1/2\big |\ge \textsf {negl}(\lambda )\), where \(\lambda \) is a chosen security parameter for the protocol. Then, that means DB can guess the value of \(\beta \) (or \(i_\beta \)) from PIR \((i_\beta )\) with a non-negligible probability. This in turn implies that DB can break the security of the underlying PIR scheme with a non-negligible probability, which contradicts the assumption that PIR is secure according to Definition 7. \(\square \)

Proof

(of Theorem 3 ). Suppose that the adversary can distinguish \((\textsf {ID}_{i_0},c_{i_0})\) from \((\textsf {ID}_{i_0},c_{i_1})\). Then the adversary can infer from \(\textsf {PIR}(i_0)\) (and the response to the query) the value of \(i_0\), or infer from \(\textsf {ID}_{i_0}\) the value of \(i_0\). This contradicts the security assumptions on the PIR, or the secrecy assumption on the correspondence between \(\textsf {ID}_{i_0}\) and \(i_0\), respectively. \(\square \)

Proof

(of Theorem 4 ). Since the adversary (i.e., malicious SP+DB) has access to \(b_i\oplus r_i\), \(b'_i\oplus r_i\) and \(b_i\oplus b'_i\) only, for all \(i\in [1,N]\), it cannot learn more than what can already be learnt from these about \(b_i\), \(b'_i\) and \(r_i\) (or the password from which the \(r_i\) is generated), as long as the KDF is secure and the password has sufficient min-entropy. The adversary can attempt to guess the value of \(b_i\), \(b'_i\) or \(r_i\) at random using what the information at its disposal, but in order to verify whether the guess is correct, it needs access to an oracle that can answer whether the guessed values are correct. If the KDF is secure and the second factor has sufficient min-entropy, the expected number of queries needed to finally get an affirmative answer from such oracle is exponential in the min-entropy of \(r_i\). \(\square \)