a secure email system based on fingerprint authentication scheme
DESCRIPTION
A Secure Email System Based on Fingerprint Authentication Scheme. Author : Zhe Wu,Jie Tian,Liang Li, Cai-ping Jiang,Xin Yang Prestented by Chia Jui Hsu Date : 2008-03-04. Outline. Introduction Fingerprint Authentication Scheme Implementation Manipulation - PowerPoint PPT PresentationTRANSCRIPT
1
A Secure Email System Based on Fingerprint Authentication Scheme
Author: Zhe Wu,Jie Tian,Liang Li, Cai-ping Jiang,Xin Yang
Prestented by Chia Jui Hsu Date: 2008-03-04
2
3
Outline
• Introduction
• Fingerprint Authentication Scheme
• Implementation
• Manipulation
• Security Analysis
• Conclusion
• References
4
Introduction
• Inherent shortcoming and flaw of PKI– Certificates are not easily located– There need strict online requirement– Validating policy is time-consuming and
difficult to administer– Certificates leak data and users must pre-
enroll
5
• Inherent shortcoming and flaw of IBE– It is difficult in prove self-identity to Trust
Authority (TA) and authenticate email sender’s identity.
6
• This paper proposes a new secure email system based on a fingerprint authentication scheme which combines fingerprint authentication technology with IBE scheme.
7
Fingerprint Authentication Scheme
• Setup
• Encryption
• Decryption
• Verification
8
Setup
• TA initializes a secure area• Constructs a supersingular elliptic curve s
atisfying Weil Diffie-Hellman (WDH)
• TA chooses three secrets s,u,v
9
Encryption
• Step1– Usb-keyA authenticates A
• Step2– Usb-keyA generates A’s signature FPSA
• Step3– Obtains authentication data AUTHA
• Step4– CIPH1 = EncAB+Hash(EncAB)+AUTHA+r P‧
10
Decryption
• When receiving the email from A, B computes the session key KAB with his private KAB of identifier and uses KAB to decrypt EncAB to get M.
11
Verification
• When B wants to verify A's identity, TA provides online identity authentication service.
• Receiving AUTHA sent from B, TA first encrypts it and obtains A's onsite fingerprint summary bA , then verifies the signature FPSA by verification function Ver .
12
• If Ver is true, TA matches bA with the registered fingerprint summary bA stored in database by function FPM . TA returns the matching result to B after encryption and signature. Finally, B verifies A's identity.
13
Implementation
• TA
• Email-client
14
TA
15
User registration
• Step1– generate bA
• Step2– TA enrolls A’s identifier: IDA
• Step3– TA computes A’s fingerprint certificate CA
• Step4– TA computes A’s QFP-A and DFP-A
• Step5– TA writes the public params { P,PT-pub, Ppub
Ponline, H, H1, H2, Sig } and A's personal params { DFP-
A,,CA, RA, bA } into Usb-keyA, and handsover into A.
16
Usb-key
• We integrate fingerprint sensor and USB token into one device called Usb-key. The Usb-key is able to capture and process fingerprint image. There is an independent time
• Besides, it also contains fingerprint summary matching algorithm and Identity-Based Signature algorithm (Sig and Ver ), and be able to be protected against duplication of private key of fingerprint.
17
Online Secret-key distribution
• Step1(B→TA)– CIPH2=Cpri+Hash(Cpri)+c. P
• Step2– Use Ver and FPM to authenticate B’s identity
• Step3(TA→B)– CIPH3=Cback+Hash(Cback)
• Step4– B obtains his private key of identifier from TA
18
Online Identity authentication
• B sends A's authentication data to TA. TA authenticates A's identity and returns matching result to B.
19
Online Identifier update
• Assume B wants to update his identifier, he could apply to TA online for relevant service.
• B computes Cpri which also contains B's new string. Then B sends CIPH2 to TA. After authenticating B's identity, TA provides update service requested by B.
20
• TA recomputes B's identifier and fingerprint certificate, encrypts them with the session key and obtains Cupdate, then returns CIPH4 to B where
CIPH4= Cupdate +Hash(Cupdate)
• B takes new idetifier and figerprint certificate instead of in Usb-keyB
21
Email-client
• Local login authentication
• Encryption and decryption
• Intercommunication with Usb-key
• Intercommunication with TA
22
Intercommunication with TA
• Private key of identifier distribution
• Email sender’s identity authentication
• Identifier update
23
Manipulation
• Step1
• Step2
• Step3
• Step4
• Step5
• Step6
24
Security Analysis
• C pretends B to ask TA for B’s private key of identifier
• Cpretends A to send an email to B
• B pretends A to send email to other users like D or TA
25
C pretends B to ask TA for B’s private key of identifier
user C
26
C pretends A to send an email to B
user C
27
B pretends A to send email to other users like D or TA
user C
28
Conclusion
• In the system, we user Usb-key to keep secret data and help completing relevant encryption process. Usb-key can only be used by its legitimate owner. Thus the system successfully combines cryptographic key with legitimate users.
29
References
• http://ieeexplore.ieee.org/xpl/RecentCon.jsp?punumber=4258655
• http://zh.wikipedia.org/wiki/Wiki