An Identification System Combined with Fingerprint and Cryptography
Hao Li and Peishun Liu
Department of Computer Science, Ocean University of China, Qingdao, 260071, China
liups@ouc.edu.cn
Abstract

In this paper, a design scheme for a security authentication system that combines fingerprint identification with public-key cryptography is explored, and its specific security mechanism is discussed in detail. In our scheme, the fingerprint is added into the user's private key and serves as a security parameter, such that the user's secret key is separated into secret key parameters and a fingerprint by a secret splitting mechanism, which binds the secret key to the user's information. This ultimately increases the security of the secret key. In such an authentication system, the diplex authentication technologies --- fingerprint and smart card --- are adopted, and the user's fingerprint need not be transmitted during the authentication process, which protects the user's privacy effectively.

1. Introduction

Fingerprint is one of the most widely used biometric techniques in the world today. It is a rapidly evolving technology that has been widely used in forensics, such as criminal identification and prison security, and has the potential to be widely adopted in a very broad range of civilian applications.

Using a fingerprint for personal identification has the following characteristics [1]:
- Universality, which means that every person should have the characteristic,
- Uniqueness, which indicates that no two persons should be the same in terms of the characteristic,
- Permanence, which means that the characteristic should be invariant with time, and
- Collectability, which indicates that the characteristic can be measured quantitatively.

However, a fingerprint is only a cluster of bits; from the computer's point of view, it is no different from a security key. On a network, a fingerprint identification system is not secure without protection: attackers can send the fingerprint data to the authentication server directly, bypassing the fingerprint capture equipment. The presently existing systems combining fingerprint with smart card replace the PIN with the fingerprint as the access control to the smart card, and they are weak against this attack. In this paper, the fingerprint is added into the user's private key, where it serves as a security parameter, and the user's secret key is separated into key parameters and a fingerprint by a secret splitting mechanism, which binds the secret key to the user's information. This ultimately increases the security of the secret key.

The rest of the paper is organized as follows. In Section 2, an overview of biometrics-based personal authentication is presented; the results of our investigation of personal authentication system technologies are given in Section 3 in detail. The performance of a prototype system is described in Section 4.

2. Abstract model of fingerprint matching

A fingerprint is unique and permanent to a given individual, so it can serve as his or her identification. Fingerprint identification is inherently voluntary. Your finger cannot be read unless you place it on the fingerprint reader. In fingerprint applications, the fake fingerprint attack is a serious concern. Building vitality detection mechanisms into the fingerprint recognition system hardware and software is one of the ways to solve the problem [6-7]. Fingerprint devices can incorporate vitality detection by measuring optical, electric, or thermal properties of human skin or other biomedical characteristics, for instance, pulse. Finally, nowadays fingerprint systems are non-intrusive and non-threatening.

Typical fingerprint identification has three phases: fingerprint acquisition, feature extraction and decision-making; for the algorithms, see [2, 3, 4]. Figure 1 contains block diagrams of a verification system. A fingerprint verification system performs two tasks: user enrollment and verification. The enrollment module registers each individual into the system database. During the enrollment phase, a fingerprint sensor first scans the individual's fingerprint to produce its digital representation. The system generally performs a quality check to ensure that successive stages can reliably process the acquired sample. To facilitate matching, a feature extractor processes the input sample to generate a compact but expressive representation, called a template.
Proceedings of the First International Multi-Symposiums on Computer and Computational Sciences (IMSCCS'06)
0-7695-2581-4/06 $20.00 © 2006 IEEE
Depending on the application, the system might store the template in its central database or record it on a smart card issued to the individual.

During the identification phase, the same initial procedure is carried out. The person to be authenticated indicates his identity and places his finger on the fingerprint scanner; a digital image of his fingerprint is captured; and a minutiae pattern is extracted from the captured fingerprint image and fed to a matching algorithm, which matches it against the person's minutiae template stored in the system database to establish the identity.

Figure 1. Fingerprint verification system

3. Our Proposed Authentication system

The quality of the initial authentication process determines the level of trust that can be placed in the certificates. The solution we propose is based on fingerprint identification and a smart card. The main idea is that fingerprint verification technology is combined with the smart card to protect the private key: the card matches the cardholder's fingerprint against the template stored in it and, furthermore, the user's private key is integrated with his fingerprint, which relates the user's key to his information. The fingerprint verification method used in the smart card is based on minutia extraction and matching; for the specification, see [5, 6, 7].

Next we give the workflow of the system. Our proposal is to integrate the user's fingerprint with his/her private key. RSA is used as the signature algorithm here.

Parameters of the system: let p and q be large prime numbers, n = p*q. The legal user is Alice.

(1) Enrollment

To use the system, Alice must enroll in the authentication system (CA) and get her smart card. The CA authenticates her identity by fingerprint identification. Her minutiae pattern $f_A$ (100-200 bytes) is extracted from the captured fingerprint image and then stored in the CA's database, which is protected by encryption, and also in her smart card. Her signing private key is generated in the smart card; the generation process is as follows:

The card generates large prime numbers p and q, keeps them secret, and computes n = p*q. Alice's private key is her fingerprint $f_A$, and her public key is:

$e = f_A^{-1} \bmod ((p-1)(q-1))$,

To ensure that this can be calculated, it is recommended that the length of n is 2048 bits. $f_A$, p and q are saved into the smart card.

(2) Authentication process

Figure 2. Authentication process

Figure 2 shows the process of the cardholder authentication system, which consists of a smart card and a tamper-resistant card reader. The card reader, which has a fingerprint scanner, captures fingerprints and preprocesses them. Alice places her finger on the fingerprint scanner of the card reader; a digital image of her fingerprint is captured; and a minutiae pattern $f_A'$ is extracted from the captured fingerprint image in the feature extraction module and then fed to the matching module in the smart card, which matches it against her minutiae template stored in the smart card to establish the identity. If this is unsuccessful, the system prompts Alice to place her finger again, and after several consecutive failures the smart card is locked.

(3) Revocation process

If Alice's smart card is lost or she no longer needs the certificate, she should revoke it. The CA will verify her identity, destroy the fingerprint minutiae pattern $f_A$ she stored, and then revoke her certificate.

Remote access control using this algorithm proceeds as follows.

Suppose Alice has been enrolled in the CA and has received her smart card, and she now wants to log in to the remote server S. The steps of authentication are the following:
(1) Alice sends the login request $SR = (I_A, I_S, R_A)$ to the CA, where $I_A$ is her identity, $I_S$ is the identity of S, and $R_A$ is a freshly generated random number.

(2) The CA checks $I_A$ and $I_S$ after receiving SR. If this succeeds, it responds with $SP = E_s(I_S, I_A, R_A, R_S)$, where SP is the message $I_S, I_A, R_A$ and $R_S$ ($R_S$ is a random number different from $R_A$) signed with the private key s of the CA.

(3) Alice verifies the SP signature and checks $I_A, I_S, R_A$ after receiving the SP. If this succeeds, she inserts her smart card into the card reader and puts her finger on the sensor. A digital image of her fingerprint is captured, and a minutiae pattern $f_A'$ is extracted. After fingerprint identification, if it succeeds, the smart card calculates the following parameter:

$e' = (f_A')^{-1} \bmod ((p-1)(q-1))$,

where the private key is $f_A'$. It then signs the message $(I_A, I_S, R_A, R_S)$ and outputs the signature $EQ = E_V(I_A, I_S, R_A, R_S)$. The $e'$ must be encrypted with the encryption public key of the CA, giving $E_P(e')$. Alice sends EQ and $E_P(e')$ to the server S.

(4) After receiving EQ and $E_P(e')$, the CA first decrypts $E_P(e')$ to get $e'$, then calculates:

$f_A' = (e')^{-1} \bmod ((p-1)(q-1))$,

and matches it with the $f_A$ stored in the CA's database. If this succeeds, the CA then verifies the signature EQ and checks whether $I_A, I_S, R_S, R_A$ are the same as above. If all checks succeed, Alice's identity is verified; otherwise her login request is denied.

In the above process, Alice uses her smart card only once when she logs in to the remote server. The protocol is similar to existing authentication systems that use public-key cryptography, and it is compatible with existing systems.

4. Security and performance consideration

The security of the above protocol is based on the security of the RSA algorithm: an attacker cannot recover $e'$ after obtaining the user's fingerprint. Two samples of the same fingerprint from the same person, for example, two impressions of your right index finger, are not exactly the same because of imperfect imaging conditions (such as sensor noise and dry fingers), changes in the user's physiological or behavioral characteristics (such as cuts and bruises on the finger), ambient conditions (such as temperature and humidity), and the user's interaction with the sensor (such as finger placement). Therefore, the $f_A$ is unique and secure.

In the proposed system, secret splitting is applied to protect the private key: the cardholder's private key is divided into two parts, his (or her) fingerprint and his (or her) private key parameters. Moreover, the private key is generated only after the cardholder is authenticated successfully, which increases the security of the private key. Additionally, no one other than the cardholder and the CA needs the cardholder's fingerprint, which protects his privacy.

The computational work in the signature verification stage is the same as that in the standard RSA signature algorithm. The work of generating the private key and signing a message is mainly carried out in the smart card. We developed a prototype of the proposed system using the smart card and evaluated the performance of the system. The card has a single-chip microcomputer with an internal clock of 3.58 MHz; the microcomputer includes an EEPROM (32 KB), a ROM (64 KB), and a RAM (32 KB). The chip matching function is embedded in the ROM space as a part of the operating system. The results of a performance evaluation indicated that the verification processing time was about 5.75 sec. on average.

5. Conclusions

Our protocol has several features and improvements over the existing smart-card based remote authentication protocol:
(1) Integrating the fingerprint into the private key as a security parameter that connects the private key with the user's information;
(2) Using a secret splitting mechanism, the private key is separated into two parts, private key parameters and fingerprint, which increases the security of the private key, and
(3) In our proposed authentication system, the diplex authentication technologies --- fingerprint and smart card --- are adopted, and the user's fingerprint need not be transmitted in the authentication process, which protects the user's privacy.

Moreover, the proposed system employs the standard electronic authentication based on the PKI, and is easily added to an existing user authentication system combined with smart card and PKI.
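The key relation used at enrollment and in steps (3) and (4) of the remote login, worked through as an added Python example (not code from the paper or its prototype). Assumptions: toy-size constructed primes, the integer 65537 as a stand-in for the template $f_A$, unpadded hash-then-sign, a CA that holds $(p-1)(q-1)$, and "matching" modelled as exact equality.

```python
import hashlib
from math import gcd

# Constructed toy parameters (the paper recommends a 2048-bit n).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N, PHI = P * Q, (P - 1) * (Q - 1)

def public_exponent(f):
    """e = f^{-1} mod (p-1)(q-1), with the template integer f as private key."""
    if gcd(f, PHI) != 1:
        # No inverse exists, e.g. for every even f, because (p-1)(q-1) is even.
        raise ValueError("template integer not invertible mod (p-1)(q-1)")
    return pow(f, -1, PHI)

def digest(msg):
    # Hash-then-sign without padding: enough to show the key relation only.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def card_sign(msg, f_fresh):
    """Step (3): derive e' from the fresh template f_A' and sign with f_A'."""
    e_prime = public_exponent(f_fresh)
    return pow(digest(msg), f_fresh, N), e_prime

def ca_verify(msg, sig, e_prime, f_enrolled):
    """Step (4): recover f_A' from e', match it with f_A, then verify EQ."""
    # Assumption: the CA holds (p-1)(q-1); the paper does not say how.
    f_recovered = pow(e_prime, -1, PHI)
    # Assumption: "matches" is modelled as exact equality of the integers.
    if f_recovered != f_enrolled:
        return False
    return pow(sig, e_prime, N) == digest(msg)

F_A = 65537                           # constructed stand-in for the enrolled template
MSG = b"I_A|I_S|R_A|R_S"              # constructed encoding of (I_A, I_S, R_A, R_S)

if __name__ == "__main__":
    sig, e_prime = card_sign(MSG, F_A)
    print("accepted:", ca_verify(MSG, sig, e_prime, F_A))
```

Calling `public_exponent` with an even integer raises `ValueError`, because $(p-1)(q-1)$ is even; a fresh sample therefore has to yield an invertible integer before the card can sign.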
References

[1] N. K. Ratha and A. K. Jain, "A real-time matching system for large fingerprint database," IEEE Trans Pattern Anal, March 18, 1996, pp. 799-813.
[2] I. Bae, "Online fingerprint verification system using direct minutia extraction," in Proc. ISCA 13th Int. Conf. Computer Applications in Industry and Engineering, 2000, pp. 120-123.
[3] S. Pankanti, S. Prabhakar, and A. K. Jain, "On the individuality of fingerprints," IEEE Transactions on Pattern Analysis and Machine Intelligence, 2002, 24(8), pp. 1010-1025.
[4] A. K. Jain et al., "An identity authentication system using fingerprints," in Proceedings of the IEEE, 1997, 85(9), pp. 1365-1388.
[5] M. Mimura, S. Ishida, and Y. Seto, "Fingerprint verification system on smart card," WPM P-1.03, 2002, pp. 182-183.
[6] R. Sanchez-Reillo, C. Sanchez-Avila, "Fingerprint verification using smart cards for access control systems," IEEE AESS Systems Magazine, September 2002, pp. 12-15.
[7] J. K. Lee, S. R. Ryu, and K. Y. Yoo, "Fingerprint-based remote user authentication scheme using smart cards," Electronics Letters, 6th June 2002, pp. 554-55.
[8] A. Noore, "Highly robust biometric smart card design," IEEE Transaction on Consumer Electronics, 2000, pp. 1059-1064.
[9] G. Hachez, F. Koeune, and J. Quisquater, "Biometrics, access control, smart cards: a not so simple combination," in Proceedings of the Fourth Working Conference on Smart Card Research and Advanced Applications (CARDIS 2000), Bristol, United Kingdom, Kluwer Academic Publishers, 2000, pp. 273-288.
[10] C. L. Lin, H. M. Sun, and T. Hwang, "Attacks and solutions on strong-password authentication," IEICE Trans. Commun., 2001, E84-B (9), pp. 2622-2627.
[11] S. Prabhakar, S. Pankanti, A. K. Jain, "Biometric recognition: Security and privacy concerns," IEEE Security and Privacy, 2003, March/April, pp. 33-42.