Crypto-Biometric Authentication Scheme for ATM Banking Systems
Sandeep kumar s (1CB11SCS14) 1st year M.Tech (CSE)
Abstract: There is an urgent need to improve security in the banking sector. With the advent of the ATM, banking became a lot easier, but it also became a lot more vulnerable. The chances of misuse of this much-hyped 'insecure' baby product (ATM) are manifold due to the exponential growth of 'intelligent' criminals day by day. ATM systems today use no more than an access card and PIN for identity verification. This situation is unfortunate, since tremendous progress has been made in biometric identification techniques, including fingerprinting, facial recognition etc. In this scheme, cryptography and biometric techniques are fused together for person authentication to improve the security level. We introduce the development of a system that integrates fingerprint authentication technology into the identity verification process used in ATMs. The development of such a system would serve to protect consumers and financial institutions alike from fraud and other breaches of security. ATMs are now a normal part of daily life; the paper also explores the accessibility barriers that ATMs present to people with a variety of disabilities, particularly examining the access barriers experienced by people who are blind, vision impaired or who have reading, learning or intellectual disabilities.
References
[1] F. Han, J. Hu, X. Yu, Feng, Zhou: A novel hybrid crypto-biometric authentication scheme for ATM based banking applications, Springer-Verlag Berlin Heidelberg, (2005) 675-681.
[2] F. Han, J. Hu, X. Yu, Feng, Zhou: A New Way of Generating Grid-Scroll Chaos and its Application to Biometric Authentication, IEEE, (2005) 61-66.
[3] Jain, A.K., Prabhakar, S., Hong, L.: A multichannel approach to fingerprint classification, IEEE Trans. on Pattern Anal. Machine Intell., 21 (1999) 348-35
[4] Penev and Atick, Joseph J.: Local Feature Analysis: A General Statistical Theory for Object Representation, Network: Computation in Neural Systems, Vol. 7, No. 3, pp. 477-500, 1996.
Introduction
Biometrics-based authentication is a potential candidate to replace password-based authentication. Among all the biometrics, fingerprint-based identification is one of the most mature and proven techniques. Cryptography provides the necessary tools for accomplishing secure and authenticated transactions. It not only protects the data from theft or alteration, but can also be used for user authentication. In a conventional cryptographic system, user authentication is possession based. The weakness of such authentication systems is that they cannot assure the identity of the maker of a transaction; they can only identify the maker's belongings (cards) or what he remembers (passwords, PINs etc.). Automatic biometric authentication is an emerging field to address this problem. Fingerprint authentication is the most popular method among biometric authentication. However, it is infeasible to encrypt such a large volume of image data using conventional cryptography for the purpose of centralized fingerprint matching. A strong interest in biometric authentication is to integrate the encryption key with biometrics.
The paper aims at developing a novel crypto-biometric authentication scheme in ATM banking systems. It mainly reduces the accessing time, when compared with a manual banking system. ATMs are now a normal part of daily life; the paper also explores the accessibility barriers that ATMs present to people with a variety of disabilities, particularly examining the access barriers experienced by people who are blind, vision impaired or who have reading, learning or intellectual disabilities. Together with the development of biometric authentication, the integration of biometrics and cryptosystems has also been addressed. In this paper, an embedded crypto-biometric authentication protocol is proposed. The fingerprint image acquired from the user is encrypted in the ATM terminal for authentication. The encrypted image is then transmitted over the secured channel to the central banking terminal. In the banking terminal the fingerprint image is decrypted. The decrypted image is compared with the fingerprint templates. The authentication is valid if the minutiae matching is successful.
1.1 Authentication:
Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors. In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated may be a person using a computer, a computer itself or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.
In a web of trust, authentication is a way to ensure users are who they say they are: that the user who attempts to perform functions in a system is in fact the user who is authorized to do so.
1.2 Difference between Authentication and Authorization:
Authorization is often thought to be identical to authentication; many widely adopted standard protocols, obligatory regulations, and even statutes are based on this assumption. However, more precise usage describes authentication as the process of verifying a person's identity, while authorization is the process of verifying that a known person has the authority to perform a certain operation. Authentication, therefore, must precede authorization. For example, when you show proper identification to a bank teller, you could be authenticated by the teller, and you would be authorized to access information about your bank accounts. You would not be authorized to access accounts that are not your own.
1.3 Authentication Factors:
The authentication factors for humans are generally classified into four cases:
Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition, unique bio-electric signals produced by the living body, or other biometric identifier).
Something the user has (e.g., ID card, security token, software token or cell phone).
Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN)).
Something the user does (e.g., voice recognition, signature, or gait).
FINGERPRINT VERIFICATION
Fingerprinting is probably the best-known biometric method of identification, used for 100 years. Advances in computer technology and communication networks have made even huge fingerprint databases available for instant searches. Among all the biometric techniques, fingerprint-based identification is the oldest method that has been successfully used in numerous applications. Everyone is known to have unique, immutable fingerprints. A fingerprint is made of a series of ridges and furrows on the surface of the finger. The uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as minutiae points. Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending. There are a variety of approaches to fingerprint verification. Some try to emulate the traditional police method of matching minutiae, others are straight pattern matching devices, and some adopt a unique approach all of their own, including thermal properties and ultrasonics. Fingerscan technology is the leading biometric authentication technology in use today, with the greatest variety of fingerprint devices presently available. This is partially due to the historical use of the fingerprint in law enforcement as well as the fact that the technology lends itself to a more affordable solution.
Figure: View of a fingerprint
FINGERSCAN
Fingerscan is an authentication terminal which verifies a person's identity from their finger image. When a user places their finger on the terminal's scanner, the image is electronically read, analysed, and compared with a previously recorded image of the same finger which has been stored in the fingerscan database. Users call up their finger image by keying in an identification number. This ID number does not need to be classified, as it is not part of the security system; it simply retrieves the image that will be compared to the user's finger scan.
THE TECHNOLOGY BEHIND FINGERSCAN
Fingerscan is a biometrics product which involves using some unique biological characteristic or physical property of an individual to verify that person's claimed identity. Biometrics-based identification replaces systems which rely on something a person has in their possession, such as a key or ID card, or something a person knows, such as a password or privileged information. The imaging process is based on digital holography, using an electro-optical scanner about the size of a thumbprint. The scanner reads three-dimensional data from the finger, such as skin undulations and ridges and valleys, to create a unique pattern that is composed into a template file and recorded in the fingerscan database.
The pattern is not a fingerprint, and a fingerprint cannot in any way be created from the template. A template can only be compared with a newly presented live finger image and not with other templates. One reason for this is that the data capture process used to create a template is random. If two templates were created one after another for the same finger, each template would be different. This eliminates the possibility of database matching and enhances users' privacy.
BIOMETRIC TEMPLATE SECURITY CHALLENGES
Establishing the identity of an individual is of paramount importance in several civilian and government applications where errors in recognition can undermine the integrity of the system. Examples of such applications include international border control, access to nuclear facilities, airport security, issuance of passports or driver licences, etc. Traditionally, a combination of ID cards (token-based security) and PINs/passwords (knowledge-based security) has been used to validate the identity of an individual. These methods are, however, vulnerable to the wiles of an impostor and cannot be reliably used in large-scale applications such as border control, where the throughput is required to be in the order of thousands of users per day. The advent of biometrics has introduced a secure and efficient alternative to traditional authentication schemes. Biometrics is the science of establishing or determining an identity based on the physiological or behavioral traits of an individual. These traits include fingerprints, facial features, iris, hand geometry, voice, signature, etc. In conjunction with traditional authentication schemes, biometrics is a potent tool for establishing identity.
A typical biometric system comprises several modules. The sensor module acquires the raw biometric data of an individual in the form of an image, video, audio or some other signal. The feature extraction module operates on the biometric signal and extracts a salient set of features to represent the signal; during user enrolment the extracted feature set, labeled with the user's identity, is stored in the biometric system and is known as a template. The matching module compares the feature set extracted during authentication with the enrolled template(s) and generates match scores. The decision module processes these match scores in order to either determine or verify the identity of an individual. Thus, a biometric system may be viewed as a pattern recognition system whose function is to classify a biometric signal into one of several identities.
Various types of threats are discussed below.
1. Circumvention: An intruder may gain access to the system protected by biometrics and peruse sensitive data such as medical records pertaining to a legitimately enrolled user. Besides violating the privacy of the enrolled user, the impostor can also modify sensitive data.
2. Repudiation: A legitimate user may access the facilities offered by an application and then claim that an intruder had circumvented the system. A bank clerk, for example, may modify the financial records of a customer and then deny responsibility by claiming that an intruder could have possibly stolen her biometric data.
3. Covert acquisition: An intruder may surreptitiously obtain the raw biometric data of a user to access the system. For example, the latent fingerprints of a user may be lifted from an object by an intruder and later used to construct a digital or physical artefact of that user's finger.
4. Collusion: An individual with wide super-user privileges (such as an administrator) may deliberately modify system parameters to permit incursions by an intruder.
5. Coercion: An impostor may force a legitimate user (e.g., at gunpoint) to grant him access to the system.
6. Denial of Service (DoS): An attacker may overwhelm the system resources to the point where legitimate users desiring access will be refused service. For example, a server that processes access requests can be flooded with a large number of bogus requests, thereby overloading its computational resources and preventing valid requests from being processed.
Several different levels of attack can be launched against a biometric system:
(i) a fake biometric trait such as an artificial finger may be presented at the sensor,
(ii) illegally intercepted data may be resubmitted to the system,
(iii) the feature extractor may be replaced by a Trojan horse program that produces pre-determined feature sets,
(iv) legitimate feature sets may be replaced with synthetic feature sets,
(v) the matcher may be replaced by a Trojan horse program that always outputs high scores, thereby defying system security,
(vi) the templates stored in the database may be modified or removed, or new templates may be introduced in the database,
(vii) the data in the communication channel between various modules of the system may be altered, and
(viii) the final decision.
Figure: Vulnerabilities in a biometric system
A template represents a set of salient features that summarizes the biometric data (signal) of an individual. Due to its compact nature, it is commonly assumed that the template cannot be used to elicit complete information about the original biometric signal. Furthermore, since the templates are typically stored in an encrypted form, it is substantially difficult to decrypt and determine the contents of the stored template (without knowledge of the correct decrypting keys). Thus, traditionally, template-generating algorithms have been viewed as one-way algorithms. However, in the recent literature there have been techniques presented that contradict these assumptions. Uludag and Jain devised a synthetic template generator (STG) that also uses the Hill Climbing Attack (attack level 4 in Figure 1) to determine the contents of a target fingerprint template (Di) for the ith user (see Figure 2). The minutiae template is assumed to be a sequence of (r, c, θ) values representing the location and orientation of component fingerprint minutiae. The STG begins by generating a fixed number of synthetic templates, each comprising randomly generated minutiae points. These templates are compared against the target template in the database (via the matcher) and the synthetic template resulting in the best match score is retained. The retained template is then modified iteratively via the following four operations: (i) the r, c and θ values of an existing minutia are perturbed, (ii) an existing minutia is replaced with a new minutia, (iii) a new minutia is added to the template, and (iv) an existing minutia is deleted. The modified template (Ti,j) is compared against the target template and the match score S(Di, Ti,j) is computed. This process, viz., modifying the current synthetic template and comparing it against the target template, is repeated until the match score exceeds a pre-determined threshold. The authors used this scheme to break into 160 fingerprint accounts; their algorithm required only 271 iterations, on average, to exceed the matching threshold for each one of those 160 accounts.
Figure: Algorithm to synthesize minutiae templates
In the realm of template transformation, the so-called biometric cryptosystems are gaining popularity (for a survey on existing techniques, see [16]). These systems combine biometrics and cryptography at a level that allows biometric matching to effectively take place in the cryptographic domain, hence exploiting the associated higher security. For example, Uludag et al. convert fingerprint templates (minutiae data) into point lists in 2D space, which implicitly hide a given secret (e.g., a 128-bit key). The list does not reveal the template data, since it is augmented with chaff points to increase security. The template data is identified only when matching minutiae data from an input fingerprint is available. The system is observed to operate at a Genuine Accept Rate (GAR) of 76% with no false accepts on a database comprising 229 users.
OVERVIEW OF ATM
An automated teller machine is a mechanical device that has its roots embedded in the accounts and records of a banking institution [3]. It is a machine that allows bank customers to carry out banking transactions such as deposits, transfers, balance enquiries, mini statements, withdrawals and fast cash. We live in a world where people no longer want to encounter long queues for any reason; they do not want to wait too long before they are attended to, and this has led banks to render more services to further improve the convenience of banking through electronic banking. On this note the advent of the ATM is imperative, although it has its own flaws. Crime at ATMs has become a nationwide issue that faces not only customers, but also bank operators. Security measures at banks can play a critical, contributory role in preventing attacks on customers. These measures are of paramount importance when considering vulnerabilities and causation in civil litigation, and banks must meet certain standards in order to ensure a safe and secure banking environment for their customers.
Basically, the ATM scam involves thieves putting a thin, clear, rigid plastic sleeve into the ATM card slot. When you insert your card, the machine can't read the strip, so it keeps asking you to re-enter your PIN. Meanwhile, someone behind you watches as you tap in your number. Eventually you give up, thinking the machine has swallowed your card, and you walk away. The thieves then remove the plastic sleeve complete with card, and empty your account. The way to avoid this is to run your finger along the card slot before you put your card in. The sleeve has a couple of tiny prongs that the thieves need to get the sleeve out of the slot, and you'll be able to feel them.
The main fact is that many customers have never used an ATM before and are completely unfamiliar with the concept; they are therefore very unlikely to memorize and remember a PIN. Furthermore, there is a sense of mistrust with PINs. People may feel that it is unsafe because, if they lose their card, they worry that someone will find it and somehow be able to determine their PIN and steal their money from the ATM. Keeping this in mind, we proposed a combined technique: customers insert their card and enter their PIN, and if the PIN is valid, access is granted to a second security-approved process, the biometric fingerprint. Using a valid PIN and biometric fingerprint, the customer can access the ATM transaction process, i.e. deposits, transfers, balance enquiries, mini statement, fast cash, withdrawal etc. By using fingerprint recognition, customers are more comfortable with the idea of saving their money with the bank, because they understand that if they lose their ATM card, no one can replicate their fingerprint and take their money.
The primary focus of this work is on developing a biometric strategy (fingerprint) to enhance the security features of the ATM for effective banking transactions, together with a more comfortable feature: we proposed another option for a nominee user, because if a card holder has an accident, the transaction process is otherwise not possible. To address this drawback we take the nominee's fingerprint sample for a second user, who can do the transaction while the actual card holder is unable to. PIN codes are changeable but fingerprints are not, so the card holder may change his/her PIN code while maintaining his/her own secrecy, and may permit his/her nominee to transact by giving the updated PIN code. We have considered the left and right thumb impressions of an individual; it has been observed that there is no match between these samples in any case. We have also observed that thumb impression samples have been taken at different angles and with different forces.
EXISTING BANKING IN INDIA
There is no doubt that the rapid development of banking technology has changed the way banking activities are dealt with. One example is the automatic teller machine (ATM). Using an ATM, a customer is able to conduct several banking activities, such as cash withdrawal, money transfer, and paying phone and electricity bills, beyond official hours and without physical interaction with bank staff. In short, the ATM provides customers a quick and convenient way to access their bank accounts and to conduct financial transactions. The password or personal identification number (PIN) is one of the important aspects of the ATM security system, commonly used to secure and protect the financial information of customers from unauthorized access. The PIN is typically a four-digit combination of numbers entered through the ATM panel. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows access at the security level approved for the owner of the account. Fig. 1 shows the existing banking transaction system.
In general, the PIN is sufficient to protect against fraud, effectively eliminating most common attempts to gain unauthorized access. The four-digit PIN is also easy to memorize, can be typed quickly with few errors, and is quite difficult to crack if it is managed properly. The most recent cases show that thieves have used sophisticated cracking programs to steal ATM holders' money very easily. People who live in today's high-tech society are bombarded every day by so many numbers, such as social security number, computer password, credit card number and so on. Sometimes these are confusing and difficult to recall immediately, which of course can lead to a serious problem. Sometimes the PIN is written down on a small piece of paper or on the ATM card in anticipation of such an event. The strength of the PIN as a security system is weakened, since the likelihood of the code leaking to other people increases.
A personal identification number (PIN) can be used in much the same way as a password. It is numerical in format and, like a password, should be kept secret. The most common use of the PIN is in automatic teller machines (ATM). Most commonly PINs are 4-digit numbers in the range 0000-9999, resulting in 10,000 possible numbers, so that an attacker would need to guess an average of 5000 times to get the correct PIN. Biometrics is a rapidly evolving technology that is being widely used in forensics, such as criminal identification and prison security, and that has the potential to be used in a large range of civilian application areas. Biometrics can be used to prevent unauthorized access to ATMs, cellular phones, smart cards, desktop PCs, workstations, and computer networks.
Figure: Existing banking transactions system
Biometric authentication has become more and more popular in the banking and finance sector [2]. The idea of the fingerprint is not only for security but also to overcome customers' lack of understanding of the ATM concept. We proposed an ATM with biometrics, a fingerprint security system, in order to meet the needs of customers, many of whom have savings accounts and need access to their money during non-banking hours. Operated using only a smart card and a fingerprint scanner, the machines offer excellent security to card holders, since there is very low possibility of fraud. If a customer loses the card, it is difficult for another person to use it because of the digital fingerprint. By using fingerprint recognition, customers are more comfortable with the idea of saving their money with the bank, because they understand that if they lose their ATM card, no one can replicate their fingerprint and take their money. Fingerprint authentication is the most popular method among biometric authentication, and fingerprint-based identification is one of the most mature and proven techniques [1]. In the banking system, biometrics holds the promise of fast, easy-to-use, accurate, reliable, and less expensive authentication for a variety of applications [5].
At the time of transaction, customers enrol their fingerprint on a high-resolution fingerprint scanner. The fingerprint image is transmitted to the central server via a secured channel. At the banking terminal, minutiae extraction and matching are performed to verify that the presented fingerprint image belongs to the claimed user in the bank database. The authentication is signed if the minutiae matching is successful. The proposed scheme is fast and more secure. Fig. 2 shows the whole procedure for the proposed banking biometric application system in India.
A basic biometric authentication system consists of five main components. These are: sensor, feature extractor, fingerprint/template database, matcher, and decision module. The function of the sensor is to scan the biometric trait of the user. The function of the feature extraction module is to extract the feature set from the scanned biometric trait. This feature set is then stored in the template database. The matcher module takes two inputs, i.e. the feature set from the template database and the feature set of the user who wants to authenticate, and compares the similarity between the two sets. The last module, i.e., the verification module, makes the decision about the matching of the two feature sets.
Working
This research is being carried out for the sole purpose of designing a three-factor authentication metric, that is, the ATM ID number, the PIN and the biometric feature (fingerprint) of both card holder and nominee. It is expected that the customer should possess an ATM card, know and remember his/her PIN, and enrol his/her fingerprint through the fingerprint device/reader attached to the system. After this, the fingerprint database compares the live sample provided by the customer with the template in the database; the proposed identification process is shown in figure 3. On confirmation that the information provided is true, the customer is granted access to the ATM system; the proposed verification process is shown in figure 4.
Hybrid Crypto-Biometric Authentication Protocol (HCBA)
Generally, there are two basic fingerprint authentication schemes, namely local and centralized matching. In the central matching scheme, the fingerprint image captured at the terminal is sent to the central server via the network, and is then matched against the minutiae template stored in the central server.
Figure 1: Schematic of embedded crypto biometric authentication system.
There are three phases in HCBA: registration, login and authentication. In the registration phase, the fingerprints of a principal A are enrolled and the derived fingerprint templates are stored in the central server. The public elements and some private information are stored on the smartcard. The login phase is performed at an ATM terminal equipped with a smartcard reader and a fingerprint sensor. In the authentication phase, the fingerprint image is encrypted and transmitted to the central server via a secured channel. At the banking terminal the image is decrypted with the same key, using a 128-bit private-key algorithm. Based on the decrypted image, minutiae extraction and matching are conducted to verify that the presented fingerprint image belongs to the claimed user. The authentication is signed if the minutiae matching is successful. The hybrid smartcard and ATM based fingerprint authentication protocol is shown in Fig. 1.1.
Figure 2: Diagram of the new hybrid chaotic-biometric authentication protocol (HCBA)
The smartcard releases its ID and private key after being input at the terminal. The first layer of mutual authentication is done via messages 1 and 2 as follows:
1. Alice sends message 1, EB(A, RA), to identify herself as A together with a random number (nonce) RA, encrypted using the principal B (bank)'s public key.
2. Message 1 can only be read by principal B with its private key. Then B generates its own random number (nonce) RB and sends it together with RA in message 2, EA(RA, RB), encrypted with Alice's public key.
When Alice sees RA inside message 2, she is sure that B is responding and that the message is fresh, for she sent RA milliseconds ago and only B can open message 1 with B's private key. Conventional public key cryptographic protocols (modified Needham-Schroeder PK protocol) can be used to exchange further challenge-response messages.
Fingerprint is integrated to complete the process of mutual authentication which is illustrated via messages 3, 4 and diagrams within the bank server as shown in Fig.2. In this process, Alice needs to provide her fingerprint, then the terminal will encrypt it. The encryption key Kf can be generated from the raw fingerprint image, and is transmitted to the central server via secure channel (such as RSA cryptography).
When B finds RB in message 3, it knows that message 3 must come from Alice's smartcard and is also fresh. Message 4 is the encrypted fingerprint of Alice. After it has been verified that the smartcard belongs to the claimed user Alice, the En(FP) in message 4 is recovered. At this stage, the bank B still cannot be sure the fingerprint is from Alice. The recovered fingerprint is then matched against Alice's fingerprint template. If the minutiae matching is successful, then B will process the message m. At this point, the authentication phase is finished.
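The nonce checks in messages 1 to 3, as an added Python example that is not code from the paper: public-key encryption is modelled symbolically (a `Sealed` box only its named recipient can open), so the code shows the freshness logic rather than real cryptography. The class and function names are hypothetical, and the layout of message 3 as EB(RB, Kf) is an assumption, since the text only says that RB appears in it.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Sealed:
    """Symbolic stand-in for E_X(...): only `recipient` can open it."""
    recipient: str
    payload: tuple


def seal(recipient, *payload):
    return Sealed(recipient, payload)


def unseal(me, box):
    if box.recipient != me:
        raise PermissionError(f"{me} does not hold the key for this message")
    return box.payload


class Card:
    """Alice's smartcard and terminal side (hypothetical class)."""

    def __init__(self, ident="A", bank="B"):
        self.ident, self.bank = ident, bank
        self.ra = None

    def message1(self):
        self.ra = secrets.token_hex(8)            # fresh nonce RA
        return seal(self.bank, self.ident, self.ra)

    def message3(self, msg2, kf):
        ra, rb = unseal(self.ident, msg2)
        if self.ra is None or not secrets.compare_digest(ra, self.ra):
            raise ValueError("message 2 does not echo this session's RA")
        self.ra = None                            # a nonce is accepted once
        return seal(self.bank, rb, kf)            # assumed layout: (RB, Kf)


class Bank:
    """Central server side (hypothetical class)."""

    def __init__(self, ident="B"):
        self.ident = ident
        self.pending = {}                         # claimed identity -> RB

    def message2(self, msg1):
        claimed, ra = unseal(self.ident, msg1)
        rb = secrets.token_hex(8)                 # fresh nonce RB
        self.pending[claimed] = rb
        return seal(claimed, ra, rb)

    def accept_message3(self, claimed, msg3):
        rb, kf = unseal(self.ident, msg3)
        expected = self.pending.pop(claimed, None)
        if expected is None or not secrets.compare_digest(rb, expected):
            raise ValueError("message 3 does not echo this session's RB")
        return kf


def honest_run(kf="Kf-placeholder"):
    """Messages 1, 2 and 3 in order; the bank ends up holding Kf."""
    card, bank = Card(), Bank()
    m2 = bank.message2(card.message1())
    return bank.accept_message3("A", card.message3(m2, kf))


def stale_message2_rejected():
    """A message 2 recorded in an earlier session carries the old RA."""
    card, bank = Card(), Bank()
    old_m2 = bank.message2(card.message1())
    card.message1()                               # new session, new RA
    try:
        card.message3(old_m2, "Kf-placeholder")
    except ValueError:
        return True
    return False


def replayed_message3_rejected():
    """The bank consumes RB on first use, so a second copy fails."""
    card, bank = Card(), Bank()
    m3 = card.message3(bank.message2(card.message1()), "Kf-placeholder")
    bank.accept_message3("A", m3)
    try:
        bank.accept_message3("A", m3)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(honest_run(), stale_message2_rejected(), replayed_message3_rejected())
```

Both sides discard a nonce once it has been matched, which is what turns "RA is inside message 2" into a freshness guarantee rather than a check a recorded message could pass twice.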
ENCRYPTION AND DECRYPTION ALGORITHMS
Encryption is the process of converting plain image into cipher image. Plain image in our paper is the unsecured form of fingerprint image. By using the appropriate keys, plain image is encrypted into cipher image before transmitting through the secured channel.
Figure: AES Algorithm, 3a encryption, 3b decryption
AES Algorithm
The Advanced Encryption Standard (AES) is a replacement for DES as the federal standard. AES has already received widespread use because of its standard definition, high security and freedom from patent entanglements. In cryptography, the Advanced Encryption Standard (AES) is also known as the Rijndael algorithm. Unlike its predecessor DES, Rijndael is an iterated block cipher which supports variable block length and key length. Both lengths can be independently specified as 128, 192 or 256 bits. It has a variable number of iterations: 10, 12 and 14 for key lengths of 128, 192 or 256 bits respectively. In this paper, a 128-bit block and key length are assumed, although the design could be adapted without difficulty to other block and key lengths. AES is fast in both software and hardware, relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.
AES consists of the following steps:
1. Key Generation
2. Initial Round
3. Rounds
(i) Sub Bytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
(ii) Shift Rows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
(iii) Mix Columns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
(iv) Add Round Key: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
4. Final Round (no Mix Columns)
Key Generation
Encryption keys are vital to the security of the cipher. They can be derived in the following three ways:
1. From the randomly chosen values of pixels and their coordinates in the raw image. Randomly choose 5-10 points in the raw fingerprint image. The vertical and horizontal positions of the pixels, as well as the gray level value of each point, serve as the key. Mod operations are conducted. The key consists of the remainders and a supplementary digit that makes the sum of the key equal to N. For example, in a 300×300 gray level fingerprint image, five points are picked; their coordinates and pixel values are: (16,17,250); (68,105,185); (155,134,169); (216,194,184); (268,271,216). After conducting mod(40) and mod(10) operations for the coordinates and the gray level values, respectively, the result is: (16,17,0); (28,25,5); (35,14,9); (16,34,4); (28,31,6). The sum of the above five groups of numbers is Sm = 268. At last, a supplementary digit N - Sm = 300 - 268 = 32 is the last digit of the key. The encryption key is: {16, 17, 0, 28, 25, 5, 35, 14, 9, 16, 34, 4, 28, 31, 6, 32}.
2. From the stable global features (overall pattern) of the fingerprint image. Some global features such as core and delta are highly stable points in a fingerprint, which have the potential to serve as a cryptographic key. Some byproduct information in the processing of the fingerprint image can be used as the encryption key. For example, the Gabor filter bank parameters are: concentric bands is 7, the number of sectors considered in each band is 16, each band is 20 pixels wide; there are 12 ridges between core and delta, the charges of the core and delta point are 4.8138e-001 and 9.3928e-001, and the period at a domain is 16. Gabor filter with 50 cycles per image width. Then the key could be: {7, 16, 20, 12, 4, 8, 13, 8, 9, 39, 28, 27, 1, 16, 50, 42}. The last digit is the supplementary digit that makes the sum of the key equal to N.
3. From the pseudo random number generator based on chaotic map. One can also use the pseudo random number generator introduced in to produce the key.
The users can choose how to generate keys in their scheme. To encrypt a fingerprint image, three to six rounds of iterations can hide the image perfectly; it is suggested that each iteration use a different key and a different way of generating the key.
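The first key-generation method above, worked through as an added example (this is not code from the paper): it reduces the sampled points with mod 40 and mod 10, appends the supplementary digit so the key sums to N = 300, and reports an upper bound on the entropy those reduced values can carry. The function names are hypothetical, and the check for a negative supplementary digit is an assumption the text does not address.

```python
import math

# Parameters taken from the worked example in the text.
N = 300          # required sum of all key elements
COORD_MOD = 40   # modulus applied to pixel coordinates
GRAY_MOD = 10    # modulus applied to gray-level values


def derive_key(points, n=N):
    """Reduce each (x, y, gray) point, then append the supplementary
    digit that makes the key elements sum to n."""
    key = []
    for x, y, gray in points:
        if x < 0 or y < 0 or not 0 <= gray <= 255:
            raise ValueError(f"invalid sample point: {(x, y, gray)}")
        key += [x % COORD_MOD, y % COORD_MOD, gray % GRAY_MOD]
    supplementary = n - sum(key)
    # Assumption: a negative digit is rejected; the text leaves this case open.
    if supplementary < 0:
        raise ValueError("reduced values already exceed n; choose other points")
    return key + [supplementary]


def is_well_formed(key, n=N):
    """Sanity check on a received key: its elements must sum to n."""
    return sum(key) == n


def entropy_upper_bound_bits(num_points):
    """Upper bound on key entropy if every reduced value were uniform.
    The supplementary digit is determined by the others and adds nothing."""
    return num_points * (2 * math.log2(COORD_MOD) + math.log2(GRAY_MOD))


# The five sample points given in the text.
PAGE_POINTS = [(16, 17, 250), (68, 105, 185), (155, 134, 169),
               (216, 194, 184), (268, 271, 216)]

if __name__ == "__main__":
    key = derive_key(PAGE_POINTS)
    print(key, is_well_formed(key))
    print(f"at most {entropy_upper_bound_bits(5):.1f} bits from 5 points")
```

The sum check only detects a malformed key; it provides no integrity protection against a deliberately altered one.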
Simulation and Evaluation
Simulations
The gray level fingerprint image is shown in Fig.4(a). The first 3D permutation is performed with the key {16, 17, 0, 28, 25, 5, 35, 14, 9, 16, 34, 4, 28, 31, 6, 32}. After the first round of 3D permutation, the encrypted fingerprint image is shown in Fig.4(b). The second round of permutation is performed with the key {7, 16, 20, 12, 4, 8, 13, 8, 9, 39, 28, 27, 1, 16, 50, 42}. After that, the image is shown in Fig.4(c). The third round of permutation is finished with the key {1, 23, 8, 19, 32, 3, 25, 12, 75, 31, 4, 10, 14, 5, 25, 13}. After this, the image is shown in Fig.4(d), which is random looking.
Figure 4. Fingerprint and the encrypted image. (a) Original image; (b) One round of iteration; (c) Two rounds of iterations; (d) Three rounds of iterations.
Statistical and Strength Analysis
Statistical analysis. The histogram of the original fingerprint image is shown in Fig.5(a). After 2D chaotic mapping, the pixels in the fingerprint image are permuted, but since the encrypted fingerprint image has the same gray level distribution, it has the same histogram as that in Fig.5(a). As introduced in Section 3, the 3D chaotic map can change the gray level of the image greatly. After one round and three rounds of 3D substitution, the histograms are shown in Fig.5(b) and (c) respectively; they are uniform and have a much better statistical character, so the fingerprint image can be well hidden.
Cryptographic strength analysis. The known plaintext and cipher text only types of attack were studied: the cipher technique is secure with respect to a known plaintext type of attack. With the diffusion mechanism, the encryption technique is safe against a cipher text only type of attack. As the scheme proposed here uses different keys in different rounds of iterations, and the key length is not constrained, it can be chosen according to the designer's requirement; there is a much larger key space than that claimed by Fridrich.
CONCLUSION
An embedded Crypto-Biometric authentication scheme for ATM banking systems has been proposed. The claimed user's fingerprint is required during a transaction. The fingerprint image is encrypted via a 3D chaotic map as soon as it is captured, and then transmitted to the central server using a symmetric key algorithm. The encryption keys are extracted from the random pixel distribution in a raw image of the fingerprint, some stable global features of the fingerprint and/or from a pseudo random number generator. Different rounds of iterations use different keys. At the banking terminal the image is decrypted using the same key. Based on the decrypted image, minutiae extraction and matching are performed to verify that the presented fingerprint image belongs to the claimed user.
Future enhancement
Future work will focus on the study of stable features (as part of the encryption key) of the fingerprint image, which may help to set up a fingerprint matching dictionary so as to narrow down the workload of fingerprint matching in a large database.