Abstract
Traditionally, a user requires substantial trust in a workstation for correctly handling her credentials (e.g. password/login). Unfortunately, malware and compromised software makes them unsuitable for secure credential management. Credentials are easily stolen and the user cannot trust what is being displayed on her workstation, obstructing informed consent.
This paper presents a new solution that addresses these issues. Credentials are bound to the owner using biometrics, effectively impeding abuse through credential sharing and theft. The biometric verification is performed on the client side, preserving the privacy of the user. The solution ensures that the user is correctly informed about the pending authentication, preventing abuse by malware. To demonstrate the feasibility of our approach, a prototype was implemented.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Bichsel, P., Camenisch, J., De Decker, B., Lapon, J., Naessens, V., Sommer, D.: Data-minimizing authentication goes mobile. In: De Decker, B., Chadwick, D.W. (eds.) CMS 2012. LNCS, vol. 7394, pp. 55–71. Springer, Heidelberg (2012)
Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard java card. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 600–610. ACM, New York (2009)
Blanton, M., Hudelson, W.M.P.: Biometric-based non-transferable anonymous credentials. In: Qing, S., Mitchell, C.J., Wang, G. (eds.) ICICS 2009. LNCS, vol. 5927, pp. 165–180. Springer, Heidelberg (2009)
Bleumer, G.: Biometric yet privacy protecting person authentication. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 99–110. Springer, Heidelberg (1998)
Brasser, F.F., Bugiel, S., Filyanov, A., Sadeghi, A.-R., Schulz, S.: Softer smartcards - usable cryptographic tokens with secure execution. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 329–343. Springer, Heidelberg (2012)
Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 132–145. ACM, New York (2004)
Camenisch, J.: Protecting (anonymous) credentials with the trusted computing group’s TPM V1.2. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments. IFIP, vol. 201, pp. 135–147. Springer, Boston (2006)
Camenisch, J., Van Herreweghen, E.: Design and implementation of the idemix anonymous credential system. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 21–30. ACM, New York (2002)
Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
Intel Corporation. LaGrande technology preliminary architecture specification. Intel Publication no. D52212 (May 2006)
Deswarte, Y., Gambs, S.: A proposal for a privacy-preserving national identity card. Trans. Data Privacy 3(3), 253–276 (2010)
Deswarte, Y., Gambs, S.: The challenges raised by the privacy-preserving identity card. In: Naccache, D. (ed.) Cryphtography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 383–404. Springer, Heidelberg (2012)
Advanced Micro Devices. AMD64 architecture programmer’s manual: Volume 2: System programming. AMD Publication no. 24594 rev. 3.11 (December 2005)
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)
Trusted Computing Group. TCG TPM specification, http://www.trustedcomputinggroup.org/resources/tpm_main_specification
Hao, F., Anderson, R., Daugman, J.: Combining crypto with biometrics effectively. IEEE Trans. Comput. 55(9), 1081–1088 (2006)
Impagliazzo, R., More, S.M.: Anonymous credentials with biometrically-enforced non-transferability. In: Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society, WPES 2003, pp. 60–71. ACM, New York (2003)
Jain, A.K., Flynn, P., Ross, A.A.: Handbook of Biometrics. Springer-Verlag New York, Inc., Secaucus (2007)
Jain, A.K., Nandakumar, K., Nagar, A.: Biometric template security. EURASIP J. Adv. Signal Process, 113:1–113:17 (January 2008)
McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. SIGOPS Oper. Syst. Rev. 42(4), 315–328 (2008)
Mostowski, W., Vullers, P.: Efficient U-Prove implementation for anonymous credentials on smart cards. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds.) SecureComm 2011. LNICST, vol. 96, pp. 243–260. Springer, Heidelberg (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Vossaert, J., Lapon, J., De Decker, B., Naessens, V. (2013). Client-Side Biometric Verification Based on Trusted Computing. In: De Decker, B., Dittmann, J., Kraetzer, C., Vielhauer, C. (eds) Communications and Multimedia Security. CMS 2013. Lecture Notes in Computer Science, vol 8099. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40779-6_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-40779-6_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40778-9
Online ISBN: 978-3-642-40779-6
eBook Packages: Computer ScienceComputer Science (R0)