skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Increasing Security of WebIDs Through Biometrics
We are creating a streamlined way to adapt WebIDs [1], and biometrics [2] to the cyber world. This involves building a user authentication system that enables quick, fast and secure access. It is understood that compared to traditional username and password user authentication, WebIDs are designed to provide such services. Nevertheless, if an intruder either has direct access to the user's computer or somehow gets the unique certificate of the user, important information can be stolen with solely the use of WebIDs. Since biometric data (e.g. fingerprints, iris scanning, etc.) is unique and not easily duplicated, this possibility can be avoided by including biometrics in the authentication process. We also include an enrollment protocol that checks whether a user has a WebID while trying to access a server. If they do, we allow the user access to the server, and if they do not, by accessing their own server, we register the user for a WebID with their permission. Implementing these features in the WebID protocol will greatly enhance user authentication safety.  more » « less
Award ID(s):
1900087
PAR ID:
10296834
Author(s) / Creator(s):
; ;
Date Published:
Journal Name:
2020 IEEE SoutheastCon
Page Range / eLocation ID:
1 to 5
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security)
    Biometrics have been widely adopted for enhancing user authentication, benefiting usability by exploiting pervasive and collectible unique characteristics from physiological or behavioral traits of human. However, successful attacks on "static" biometrics such as fingerprints have been reported where an adversary acquires users' biometrics stealthily and compromises non-resilient biometrics. To mitigate the vulnerabilities of static biometrics, we leverage the unique and nonlinear hand-surface vibration response and design a system called Velody to defend against various attacks including replay and synthesis. The Velody system relies on two major properties in hand-surface vibration responses: uniqueness, contributed by physiological characteristics of human hands, and nonlinearity, whose complexity prevents attackers from predicting the response to an unseen challenge. Velody employs a challenge-response protocol. By changing the vibration challenge, the system elicits input-dependent nonlinear "symptoms" and unique spectrotemporal features in the vibration response, stopping both replay and synthesis attacks. Also, a large number of disposable challenge-response pairs can be collected during enrollment passively for daily authentication sessions. We build a prototype of Velody with an off-the-shelf vibration speaker and accelerometers to verify its usability and security through a comprehensive user experiment. Our results show that Velody demonstrates both strong security and long-term consistency with a low equal error rate (EER) of 5.8% against impersonation attack while correctly rejecting all other attacks including replay and synthesis attacks using a very short vibration challenge. 
    more » « less
  2. ; ; (, 2019 IEEE Conference on Communications and Network Security)
    Biometrics have been used increasingly heavily for identity authentication in many critical public services, such as border passes or security check points. However, traditional biometrics-based identity management systems collect and store personal biometrical data in a centralized server or database, and an individual has no control over how her biometrics will be used for what purpose. Such kind of systems can result in serious security and privacy issues for sensitive personal data. In this paper, we design a novel approach to leveraging biometrics and blockchain/smart contract to enable secure and privacy preserving identity management. The basic idea is to use blockchain to store an authority's attestation and the transformed value of an individual's biometrics. The stored data on the blockchain is then controlled by smart contracts which define various access control policies, e.g., access parties, access times, etc. The owner of the biometrical data can flexibly change the access control policies through a white list, a timer and other methods to any identity verifiers. We used the well-known Ethereum platform to implement the proposed approach and tested the effectiveness as well as the flexibility of various access control policies. 
    more » « less
  3. ; ; ; ; ; ; ; ; (, IEEE/ACM Transactions on Networking)
    Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user’s tapping rhythm. In addition to verifying the RFID card’s identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user’s secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero. 
    more » « less
  4. ; ; ; ; ; (, Network and Distributed Systems Security (NDSS) Symposium)
    Reliably identifying and authenticating smartphones is critical in our daily life since they are increasingly being used to manage sensitive data such as private messages and financial data. Recent researches on hardware fingerprinting show that each smartphone, regardless of the manufacturer or make, possesses a variety of hardware fingerprints that are unique, robust, and physically unclonable. There is a growing interest in designing and implementing hardware-rooted smartphone authentication which authenticates smartphones through verifying the hardware fingerprints of their built-in sensors. Unfortunately, previous fingerprinting methods either involve large registration overhead or suffer from fingerprint forgery attacks, rendering them infeasible in authentication systems. In this paper, we propose ABC, a real-time smartphone Authentication protocol utilizing the photo-response non-uniformity (PRNU) of the Built-in Camera. In contrast to previous works that require tens of images to build reliable PRNU features for conventional cameras, we are the first to observe that one image alone can uniquely identify a smartphone due to the unique PRNU of a smartphone image sensor. This new discovery makes the use of PRNU practical for smartphone authentication. While most existing hardware fingerprints are vulnerable against forgery attacks, ABC defeats forgery attacks by verifying a smartphone’s PRNU identity through a challenge response protocol using a visible light communication channel. A user captures two time-variant QR codes and sends the two images to a server, which verifies the identity by fingerprint and image content matching. The time-variant QR codes can also defeat replay attacks. Our experiments with 16,000 images over 40 smartphones show that ABC can efficiently authenticate user devices with an error rate less than 0.5%. 
    more » « less
  5. ; ; ; (, Proc. IEEE Int. Conf. on Consumer Electronics (ICCE))
    Biometric recognition, or simply biometrics, is the use of biological attributes such as face, fingerprints or iris in order to recognize an individual in an automated manner. A key application of biometrics is authentication; i.e., using said biological attributes to provide access by verifying the claimed identity of an individual. This paper presents a framework for Biometrics-as-a-Service (BaaS) that performs biometric matching operations in the cloud, while relying on simple and ubiquitous consumer devices such as smartphones. Further, the framework promotes innovation by providing interfaces for a plurality of software developers to upload their matching algorithms to the cloud. When a biometric authentication request is submitted, the system uses a criteria to automatically select an appropriate matching algorithm. Every time a particular algorithm is selected, the corresponding developer is rendered a micropayment. This creates an innovative and competitive ecosystem that benefits both software developers and the consumers. As a case study, we have implemented the following: (a) an ocular recognition system using a mobile web interface providing user access to a biometric authentication service, and (b) a Linux-based virtual machine environment used by software developers for algorithm development and submission. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email