Novel biometric digital signature system for electronic commerce applications.

Novel Biometric Digital Signature System
for Electronic Commerce Applications




by


Pawan Kumar Janbandhu
















School of Electrical and Electronic Engineering





A thesis submitted to the Nanyang Technological University
in fulfillment of the requirement for the degree of
Master of Engineering

2001

i
Acknowledgements





I am thankful to Dr. M. Y. Siyal for his guidance and support throughout this
research. I would like to thank all the research students and staff members working
in Information Systems Research Laboratory for their timely help whenever
required.

I also am thankful to Ronald Rivest for suggesting me methods to generate
cryptographic key of desired length from a biometric template of any size and John
Daugman for his helpful email replies pertaining to iris recognition.


Pawan Kumar Janbandhu

ii
Statement of Originality



I hereby certify that the work embodied in this thesis is the result of original
research done by me and has not been submitted for a higher degree to any other
University or Institute.




……………………… ………………………………………
Date Pawan Kumar Janbandhu

iii
Summary


Personal identification numbers (PIN), passwords, smart cards or digital certificates
are some of the means employed for user authorization in various electronic
commerce applications. However, these means do not really identify a person, but
only knowledge of some data or belonging of some determined object. This thesis
introduces the notion of Biometric Signature: a new approach to digitally sign a
document using biometrics based digital signature key generation, thus, combining
the advantages of Public Key Infrastructure, PKI (integrity, confidentiality,
authentication and non-repudiation) and biometrics (exact user identification instead
of his belongings like computers, smartcards, tokens etc. or what he remembers like
passwords, PIN etc.).

The proposed Biometric Signatures addresses following objectives.

1. Allow accurate personal identification of the individual who creates a digital
signature.

2. Resolve key management issue in PKI which is to provide more secure
solution for protecting private keys with minimum storage requirement.

3. Avoid biometric template storage or transmission to anyone thus preventing
misuse of the biometric template by the communicating party for user
authentication and permit multiple passwords generation using same
biometric template.

The proposed Biometric Signatures are secure, efficacious, faster, convenient, non-
invasive and correctly identifies the maker of the transaction. Some of the
contributions of the thesis are investigation of PKI and biometric technology,
denomination of the proposed biometric-PKI system as Biometric Signatures,

iv
investigation of iris and DNA to be used as biometrics for Biometric Signatures as
both are unique, highly accurate and stable over one’s lifetime, integration of iris
templates with two existing and widely used digital signature algorithms, RSA and
DSA for Biometric Signatures and investigation of the problems associated with
them individually, suggestion of modifications required in key generation process
for Biometric Signatures using the two algorithms, RSA and DSA to facilitate
certificate renewal without forfeiting the use of the biometric forever and fortify the
security of the biometric template in case of security breach and discussion of
JAVA implementation results for Biometric Signatures using both approaches with
and without modifications.

v
Contents


Acknowledgements ................................................................................................... i

Summary.................................................................................................................. iii

List of Figures.......................................................................................................... ix

List of Tables ............................................................................................................ x

List of Abbreviations .............................................................................................. xi

1 Introduction...................................................................................................... 1
1.1 Internet Security........................................................................................... 1
1.2 Basic Requirements for Secure Internet based Commercial Applications .. 4
1.3 Motivation .................................................................................................... 6
1.3.1 Problems with PKI and Biometrics....................................................... 6
1.4 Scope and Objectives ................................................................................... 9
1.5 Major Contributions of the Thesis ............................................................... 9
1.6 Organization of the Thesis ......................................................................... 11

2 Literature Review: PKI and Biometrics ...................................................... 12
2.1 Background ................................................................................................ 12
2.2 Public Key Infrastructure (PKI) ................................................................ 13
2.2.1 Encryption and Decryption ................................................................. 13
2.2.2 Symmetric Key Cryptography ............................................................ 13
2.2.2.1 DES .............................................................................................. 14
2.2.2.2 AES .............................................................................................. 15
2.2.3 Asymmetric Key Cryptography.......................................................... 15
2.2.4 Block and Stream Ciphers .................................................................. 16
2.2.5 Key Length and Encryption Strength ................................................. 17
2.2.6 Block Chaining ................................................................................... 18
2.2.7 Message Digest algorithms ................................................................. 18
2.2.8 Digital Signatures................................................................................ 18
2.2.9 Diffie-Hellman key-agreement algorithm........................................... 20
2.2.10 Digital Certificates ............................................................................ 21
2.2.10.1 Types of Digital Certificates ...................................................... 23

vi
2.2.10.2 X.509 Digital Certificate............................................................ 25
2.2.11 Trust in PKI....................................................................................... 27
2.2.12 Certificate Management.................................................................... 29
2.2.12.1 Certificate Issuance.................................................................... 29
2.2.12.2 Key Management ....................................................................... 30
2.2.12.3 Certificate Status, Revocation and Renewal .............................. 31
2.2.12.4 Registration Authorities ............................................................. 32
2.2.13 PKCS Standards................................................................................ 32
2.2.14 SSL.................................................................................................... 33
2.2.15 SET………………………………………………………………….34
2.2.16 Pretty Good Privacy.......................................................................... 35
2.2.17 Virtual Private Networks .................................................................. 35
2.2.18 Need of Biometrics in Electronic Commerce…………………...….36
2.3 Biometrics .................................................................................................. 36
2.3.1 Description of various biometric technologies ................................... 37
2.3.1.1 Finger-scan................................................................................... 37
2.3.1.2 Fingerprints vs. Finger-scans ....................................................... 38
2.3.1.3 Facial-scan ................................................................................... 38
2.3.1.4 Voice-scan.................................................................................... 39
2.3.1.5 Iris-scan........................................................................................ 39
2.3.1.6 Retina-scan................................................................................... 40
2.3.1.7 Hand-scan .................................................................................... 40
2.3.1.8 Signature-scan.............................................................................. 41
2.3.1.9 Keystroke-scan............................................................................. 41
2.3.2 Biometric Template ............................................................................ 41
2.3.3 Identification and Verification............................................................ 42
2.3.4 Biometrics based user authentication system ..................................... 44
2.3.5 Accuracy of a biometric...................................................................... 45
2. 4 Summary ................................................................................................... 46

3 Proposed Novel Biometric Digital Signature System ................................. 47
3.1 Background ................................................................................................ 47
3.2 Biometric Signature: Digital Signature using Biometrics ......................... 48
3.2.1 Selection of Biometric for Biometric Signatures................................ 49
3.2.2 Iris Recognition: Emerging biometric technique................................ 50
3.2.2.1 Accuracy and Speed of Iris Recognition System......................... 51
3.2.2.2 Integrating Iris Recognition with Electronic Commerce
Applications ............................................................................................. 52
3.2.3 Human Genome – DNA...................................................................... 54
3.2.3.1 DNA Template Preparation Systems ........................................... 56
3.3 Biometric Signature using RSA algorithm................................................. 56
3.4 Biometric Signature using Digital Signature Algorithm (DSA) ................ 59
3.5 Role of Hash Functions for Biometric Signatures ..................................... 64
3.5.1 MD5 .................................................................................................... 65
3.5.2 Secure Hash Algorithm (SHA1) ......................................................... 66

vii
3.5.4 Security of MD5 and SHA1............................................................... 67
3.6 Security of Biometric Signatures, Certificate Revocation and Renewal.... 67
3.7 Summary .................................................................................................. 699

4 Modified Private Key Generation for Biometric Signatures ..................... 70
4.1 Background……………………………………………………………………….70
4.2 Modified Private Key Generation for Biometric Signatures using RSA….71
4.2.1 Description of Hashed Message Authentication Code (HMAC)........ 73
4.2.1.1 Security of HMAC....................................................................... 75
4.3 Modified Private Key Generation for Biometric Signatures using DSA ... 75
4.4 Role of random number, R in generating Biometric Signatures................ 76
4.5 Storage Requirement for Biometric Signatures ......................................... 77
4.5.1 Storage requirement for Biometric Signatures using RSA Algorithm 77
4.5.2 Storage requirement for Biometric Signatures using DSA algorithm
.................................................................................................................... 777
4.6 Overall Security of Biometric Signatures .................................................. 78
4.7 Problems in Implementing Biometrics for Practical Purposes ................. 79
4.8 Summary .................................................................................................... 79

5 Results and Discussion.................................................................................... 81
5.1 Background ................................................................................................ 84
5.2 JAVA Implementation and Computation Platform .................................... 81
5.3 Implementation - Part I : Biometric Signatures without Modifications .... 82
5.3.1 Discussion of Experimental Results ................................................... 83
5.4 Implementation – Part II : Biometric Signatures with Modifications ....... 84
5.4.1 Discussion of Experimental Results ................................................... 85
5.5 Implementation – Part III : Comparative Key Generation speeds for
various biometrics...................................................................................... 86
5.5.1 Discussion of Experimental Results ................................................... 87
5.6 Summary .................................................................................................... 87

6 Conclusion and Recommendations .............................................................. 89
6.1 Review ........................................................................................................ 89
6.2 Merits of the Proposed Biometric Digital Signature System .................. 922
6.3 Future Work Recommendations............................................................... 934

Author’s Publications .......................................................................................... 966

Bibliography ......................................................................................................... 977

viii
A JAVA Implementation Notes ................................................................... 1066




B Sample Program Outputs of Java Implementation of Biometric
Signatures…………………………………………………………………
1088
B.1 Biometric Signature using DSAwithSHA1 with 1024 bit modulus length
(with modifications). .............................................................................. 1099
B.2 Biometric Signature using RSAwithSHA1 with 4096 bit modulus length
(without modifications) .......................................................................... 1111

ix
List of Figures



2.1 Symmetric Key Cryptography…………………………………………………14

2.2 Asymmetric Key Cryptography………………………………………………..16

2.3 Digital Signature……………………………………………………………….20

2.4 Digital Certificate………………………………………………………………23

2.5 X.509 Digital Certificate……………………………………………………….27

2.6 Certificate chain…………………………………………………….………….29

2.7 PKI architecture……………………………………………………………..…31

2.8 Biometric based user authentication system…………………………………...44

2.9 FAR and FRR relationship for iris recognition………………………………...46

3.1 Anatomy of human eye………………………………………………………...50

3.2 A human iris and its Iriscode™………….…………..………………………...52

3.3 Basic structure of human DNA…….………………………………………….55

3.4 Biometric Signature using RSA algorithm…………………………………….58

3.5 Biometric Signature using DSA ……………………………………………….63

4.1 Modified private key generation for Biometric Signatures using RSA……..…72

4.2 Modified private key generation for Biometric Signatures using DSA………..76

x
List of Tables



2.1 Average template size for various biometric technologies…………………….42

5.1 Biometric Signature speeds using RSA algorithm for Different Modulus
Lengths with a 512 byte decryption exponent, d…..………………………......82

5.2 Biometric Signature speeds using DSA for Different Modulus Lengths
with a 160-bit exponent ..………………………………………………………83

5.3 Biometric Signature speeds using RSA algorithm with modifications………...84

5.4 Biometric Signature speeds using DSA with modifications………………...…85

5.5 Comparative key generation speeds for various biometrics …………………..86

xi
List of Abbreviations


ABBREVIATIONS FULL EXPRESSIONS

ACL Access Control Lists
AES Advanced Encryption Standard
ATM Automated Teller Machines
CA Certification Authority
CRL Certificate Revocation Lists
DES Data Encryption Standard
DoS Denial of Service
DNA Deoxyribonucleic acid
DSA Digital Signature Algorithm
ERR Equal Error Rate
FAR False Accept Rate
FRR False Rejection Rate
IMAP Internet Message Access Protocol
IP Internet Protocol
LDAP Lightweight Directory Access Protocol
MAC Message Authentication Code
MIME Multipurpose Internet Mail Extensions
OBI Open Buying on Internet
OCSP Online Certificate Status Protocol
OFX Open Financial Exchange
PGP Pretty Good Privacy
PIN Personal Identification Numbers
PKCS Public Key Cryptographic Standard
PKI Public Key Infrastructure
PoS Point of Sales
RA Registration Authority
RNA Ribonucleic Acid
RSA Rivest, Shamir Adleman
SEAL Software-optimized Encryption Algorithm
SET Secure Electronic Transactions
SHA Secure Hash Algorithm
SSL Server Socket Layer
S/MIME Secure Multipurpose Internet Mail Extension
TCP Transmission Control Protocol
VPN Virtual Private Networks

1
Chapter 1

Introduction


Electronic commerce is performing business using electronic medium like internet.
Internet security is a major concern in today’s digital era. Solid security
mechanisms and identification techniques are required to make electronic
commerce a complete success. Internet security, basic requirements for performing
secure electronic commerce applications, motivation, scope and objectives of this
research and major contributions of this thesis are discussed in detail in this chapter.


1.1 Internet Security

Internet offers low cost but insecure mean to reach people. Although access to
internet facilities allows sharing of resources and database worldwide, it puts any
corporate database at risk, specially in electronic commerce applications where the
information transmitted involves financial data, company or personal information
and other crucial information that needs to be kept sage from eavesdroppers. Due to
the ubiquity of internet, it is difficult to control and trace intrusions or attacks by
unauthorized people, hackers etc. Some of the common security threats for any
computer network are:

Eavesdropping: Privacy of information is compromised e.g. someone can learn a
sensitive information like credit card number or record a sequence of packets and
use it for replay attacks to gain access to a system [13-16].

Tampering: Tampering is altering the information while in transit. Manipulation of
the information content of packets corrupts confidence in the integrity of data.

2
Manipulating the packets that control how the network functions or the parts of a
packet that control where the network sends it, puts the network in jeopardy [13-
16].

Impersonation: Any one can masquerade as a legitimate user (spoofing) and
defraud the system. Once, the impersonator manages to login into a network as a
legitimate user, he has access to all the resources provided to that legitimate user.
Carelessness in handling passwords, and the ease with which they can be stolen,
make them a very week security mechanism that offers more comfort than
protection. Another example of impersonation is misrepresentation by an
organization itself e.g. an organization can pretend to be an online shopping store
when it is a site that takes credit card payments only and never sends any goods [13-
16].

Denial of service: Attackers can attack the routers (stop forwarding the packets) or
flood the network with extraneous traffics thereby causing “denial of service”
attack. DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult
to address. These are the nastiest, because they're very easy to launch, difficult
(sometimes impossible) to track, and it isn't easy to refuse the requests of the
attacker, without also refusing legitimate requests for service. The premise of a DoS
attack is simple: send more requests to the machine than it can handle. There are
toolkits available in the underground community that make this a simple matter of
running a program and telling it which host to blast with requests. The attacker's
program simply makes a connection on some service port, perhaps forging the
packet's header information that says where the packet came from, and then
dropping the connection. If the host is able to answer 20 requests per second, and
the attacker is sending 50 per second, obviously the host will be unable to service
all of the attacker's requests, much less any legitimate requests (hits on the web site
running there, for example) [13-16].

3
Several mechanisms are available today to secure a network. Some of the common
tools employed for internet security are firewalls, audit tools, encryption products
and anti-virus software some of which are described below.
Denial of service attack are prevented by protecting the routing update packets sent
by the routing protocols using passwords, checksum and encryption. Another way is
to using packet filtering to prevent obviously forged packets from entering into your
network address space [15].
Replay attacks are nullified by incorporating a sequence number in the
authentication header. Network and system scanners are used to survey network
interfaces like web servers, firewalls etc. for insecure services and other known
vulnerabilities. Cryptography based authentication tokens and access control lists
provide protection against unauthorized access to services and data [14].

Firewall is a prevention tool that controls access by individual, internet service,
time of day, source and destination or other parameters e.g. it can limit the
downloading of Java Applets or ActiveX code to only approved users and sites [16],
block viruses before they enter the network or block access to pornographic
websites. In other words firewalls are a single point of defense with controlled and
audited access to services, both from inside and outside an organization’s private
network. However firewalls cannot guarantee protection from people who are
already inside a network. The first firewalls were application gateways, and are
sometimes known as proxy gateways. These are made up of bastion hosts that run
special software to act as a proxy server. This software runs at the application layer
and hence, such firewalls are known as Application Gateways. Other type of
firewalls are known as Packet Filtering Firewalls. Packet filtering is a technique
whereby routers have ACLs (Access Control Lists) turned on. By default, a router
will pass all traffic sent to it, and will do so without any sort of restrictions.
Employing ACLs is a method for enforcing the security policy with regard to what
sorts of access one allows the outside world to have to his/her internal network, and