Meng-Hui Lim

A non-invertible Randomized Graph-based Hamming Embedding for generating cancelable fingerprint template☆

Abstract Biometric technology is likely to provide a new level of security to various applications. Yet if the stored biometric template is compromised, invasion of user privacy is inevitable. Since biometric is irreplaceable and irrevocable, such an invasion implies a permanent loss of identity. In this paper, a fingerprint template protection technique is proposed to secure the fingerprint minutiae. Remarkably, by incorporating Randomized Graph-based Hamming Embedding (RGHE), the generated binary template can be strongly protected against inversion. The proposed method adopts a minutiae descriptor, dubbed as minutiae vicinity decomposition (MVD) to derive a set of randomized geometrical invariant features together with random projection. The discrimination of randomized MVD is then enhanced by User-specific Minutia Vicinities Collection scheme and embedded into a Hamming space by means of Graph-based Hamming Embedding. The resultant binary template enjoys four merits: (1) strong concealment of the minutia vicinity, thus effectively protects the location and orientation of minutiae. (2) Well preservation of the discriminability of MVD in the Hamming space with respect to the Euclidean space without accuracy performance degradation. (3) Template is revocable due to user-specific random projection. (4) Speedy matching attributed to bit-wise operations. Promising experimental results on FVC2002 database vindicate the feasibility of the proposed technique.

An enhanced ID-based deniable authentication protocol on pairings

Deniability is defined as a privacy property which enables protocol principals to deny their involvement after they had taken part in a particular protocol run. Lately, Chou et al. had proposed their ID-based deniable authentication protocol after proving the vulnerability to Key-Compromise Impersonation (KCI) attack in Cao et al.s protocol. In addition, they claimed that their protocol is not only secure, but also able to achieve both authenticity and deniability properties. However, in this paper, we demonstrate that Chou et al.s protocol is not flawless as it remains insecure due to its susceptibility to the KCI attack. Based on this, we propose an enhanced scheme which will in fact preserves the authenticity, the deniability and the resistance against the KCI attack.

An enhanced one-round pairing-based tripartite authenticated key agreement protocol

A tripartite authenticated key agreement protocol is generally designed to accommodate the need of three specific entities in communicating over an open network with a shared secret key, which is used to preserve confidentiality and data integrity. Since Joux proposed the first pairing-based one-round tripartite key agreement protocol in 2000, numerous authenticated protocols have been proposed after then. However, most of them have turned out to be flawed due to their inability in achieving some desirable security attributes. In 2005, Lin-Li had identified the weaknesses of Shims protocol and subsequently proposed their improved scheme by introducing an extra verification process. In this paper, we prove that Lin-Lis improved scheme remains insecure due to its susceptibility to the insider impersonation attack. Based on this, we propose an enhanced scheme which will not only conquer their defects, but also preserves the desired security attributes of a key agreement protocol.

Cryptanalysis on Improved Chou et al.'s ID-Based Deniable Authentication Protocol

A deniable authentication protocol enables the protocol participants to authenticate their respective peers, while able to deny their participation after the protocol execution. This protocol can be extremely useful in some practical applications such as online negotiation, online shopping and electronic voting. Recently, we have improved a deniable authentication scheme proposed by Chou et al. due to its vulnerability to the key compromise impersonation attack in our previous report. However, we have later discovered that our previous enhanced protocol is vulnerable to the insider key compromise impersonation attack and key replicating attack. In this paper, we will again secure this protocol against these attacks and demonstrate its heuristic security analysis.

Cryptanalysis of Tso et al.'s ID-based tripartite authenticated key agreement protocol

A tripartite authenticated key agreement protocol is generally designed to accommodate the need of three specific entities in communicating over an open network with a shared secret key, which is used to preserve confidentiality and data integrity. Since Joux [6] initiates the development of tripartite key agreement protocol, many prominent tripartite schemes have been proposed subsequently. In 2005, Tso et al. [15] have proposed an ID-based non-interactive tripartite key agreement scheme with k-resilience. Based on this scheme, they have further proposed another one-round tripartite application scheme. Although they claimed that both schemes are efficient and secure, we discover that both schemes are in fact breakable. In this paper, we impose several impersonation attacks on Tso et al.s schemes in order to highlight their flaws. Subsequently, we propose some applicable enhancements which will not only conquer their defects, but also preserve the security attributes of an ideal key agreement protocol.

Generating Fixed-Length Representation From Minutiae Using Kernel Methods for Fingerprint Authentication

The ISO/IEC 19794-2-compliant fingerprint minutiae template is an unordered and variable-sized point set data. Such a characteristic leads to a restriction for the applications that can only operate on fixed-length binary data, such as cryptographic applications and certain biometric cryptosystems (e.g., fuzzy commitment). In this paper, we propose a generic point-to-string conversion framework for fingerprint minutia based on kernel learning methods to generate discriminative fixed length binary strings, which enables rapid matching. The proposed framework consists of four stages: (1) minutiae descriptor extraction; (2) a kernel transformation method that is composed of kernel principal component analysis or kernelized locality-sensitive hashing for fixed length vector generation; (3) a dynamic feature binarization; and (4) matching. The promising experimental results on six datasets from fingerprint verification competition (FVC)2002 and FVC2004 justify the feasibility of the proposed framework in terms of matching accuracy, efficiency, and template randomness.

Biometric Feature-Type Transformation: Making templates compatible for secret protection

Biometrics refers to physiological (i.e., face, fingerprint, hand geometry, etc.) and behavioral (i.e., speech, signature, keystroke, etc.) traits of a human identity. As these traits are unique to individuals, biometrics can be used to identify users reliably in many authentication applications, such as access control and e-commerce. Most biometric authentication systems offer great convenience without requiring the users to possess or remember any secret credentials. For applications that demand greater security, biometrics can be used in complement with passwords and security tokens to offer a multifactor authentication.

A secure and efficient three-pass authenticated key agreement protocol based on elliptic curves

Key agreement protocol is of fundamental importance in providing data confidentiality and integrity between two or more parties over an insecure network. In 2004, Popescu [14] proposed an authenticated key agreement protocol in which its security is claimed. However, Yoon and Yoo [19] discovered its vulnerabilities two years later and proposed an improved variant of it. In this paper, we highlight the vulnerability of this improved variant under the LaMacchia et al.s extended Canetti-Krawczyk security model [12]. With this, we propose another enhanced version of Popescus protocol which offers stronger security features and appears to be significantly more efficient than Yoon-Yoos scheme. In order to justify our claims, we present a thorough heuristic security analysis on our scheme and compare the computational cost and security attributes with the surveyed schemes.

An Efficient Multi-server Password Authenticated Key Agreement Scheme Revisited

In 2007, Hu-Niu-Yang put forward an improved efficient password authenticated key agreement scheme for multi-server architecture based on Chang-Lees scheme proposed in 2004. This scheme is claimed to be more efficient and is able to overcome a few existing deficiencies in Chang-Lees scheme. However, we find that this scheme is not as ideal as described by the authors. Specifically, the fulfillment of forward secrecy property is delusively claimed and some potential threats to their scheme have been negligently uncovered in their security analysis. In this paper, we will discuss these issues in depth.

Identifying Recurrent and Unknown Performance Issues

For a large-scale software system, especially an online service system, when a performance issue occurs, it is desirable to check whether this issue has occurred before. If there are past similar issues, a known remedy could be applied. Otherwise, a new troubleshooting process may have to be initiated. The symptom of a performance issue can be characterized by a set of metrics. Due to the sophisticated nature of software systems, manual diagnosis of performance issues based on metric data is typically expensive and laborious. In this paper, we propose a Hidden Markov Random Field (HMRF) based approach to automatic identification of recurrent and unknown performance issues. We formulate the problem of issue identification as a HMRF-based clustering problem. Our approach incorporates the learning of metric discretization thresholds and the optimization of issue clustering. Based on the learned thresholds and cluster centroids, we can achieve accurate identification of recurrent issues and unknown issues. Experimental evaluations on an open benchmark and a large-scale industrial production system show that our approach is effective and outperforms the related state-of-the-art approaches.