Biometrics-Based Authenticated Key Exchange with Multi-Factor Fuzzy Extractor

TL;DR

This paper introduces a multi-factor fuzzy extractor combining biometrics and secrets to enhance security in authenticated key exchange, enabling mutual authentication and re-issuance of credentials even if compromised.

Contribution

It proposes a novel multi-factor fuzzy extractor and a secure protocol with features like mutual authentication, impersonation prevention, and credential re-issuance, surpassing existing methods.

Findings

Achieved a 0.04% EER on finger vein dataset

Authentication time of 0.93 seconds on average

Communication overhead of 448 bytes

Abstract

Existing fuzzy extractors and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (reusable/reissued identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable averaged computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of only 448 bytes.