
5.2.7. Three-Factor Scheme Combination (Biometric, Smartcard and Password)

This section details the elements of the three-factor scheme (Biometric, Smartcard and Password), whose purpose is to achieve an acceptable security level while storing less information on the smartcard.

5.2.7.1. Smartcard

Three different types of smartcard are used for user authentication: Match-on-Card (MoC), YesCard and NoCard. They may be susceptible to attack in traditional biometric systems; however, by using symmetric encryption primitives these attacks can be thwarted [114, 119]. Structurally, the smartcard chip contains a communication port for exchanging data and control information with the external world. It is the ideal container for cryptographic secrets such as symmetric secret keys and asymmetric private keys, and the use of a contactless smartcard chip is now mandatory for numerous travel documents [114, 119] and national ID programs. Here, the role of the electronic chip is to authenticate the document (something-we-have) using cryptographic tools [116, 119].

We set the goal of reducing the information stored on the smartcard in light of other approaches that used a smartcard with incorporated biometrics. These can be built in two different ways. First, a biometric template can be saved on the smartcard for identification purposes, which is risky in terms of security because of the greater amount of information saved on the smartcard. The second approach saves an unlocking encryption key and a key locked by a biometric modality, which still means that important information is available on the smartcard if an attacker succeeds in unlocking the key [116, 119]. In contrast to these approaches, our smartcard stores only secret shares (Yn coordinates) and does not itself provide any important information to potential attackers, showing the strength of Shamir's secret sharing scheme, as well as the strength of the combination of the three factors (smartcard, password and biometrics).

5.2.7.2. Password

A password is certainly the oldest and best-known solution for providing user authentication. Although it sounds simple to use, care must be taken over how the password is communicated. A secure channel must be provided between the authenticator (the system or person controlling the authentication) and the applicant (the candidate user), notably at the initial exchange that sets up the shared password. If these minimal precautions are not taken, very simple man-in-the-middle attacks such as eavesdropping become possible. In this work the password also serves primarily to demonstrate the secret sharing, so that other selected biometric modalities could take its place; for ease of use, passwords are used in the examples.

One of the most widely used password-based authentication methods is the PIN (Personal Identification Number) code authorising the use of a banking card. In this case, precautions must be taken when entering the PIN code, as it is very easy to spy over


For the purposes of this research, it was decided that the user should create their own password under several conditions, as follows:

1- Minimum length of 10 characters.

2- Must contain at least one uppercase letter (A-Z).

3- Must contain at least one lowercase letter (a-z).

4- Must contain at least one number (0-9).

5- Must contain at least one symbol.
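A check of the five conditions above, written here as an added example rather than code from the thesis: each rule is a named predicate, so a rejected candidate can be told which condition failed instead of receiving a bare yes or no. Treating "symbol" as an ASCII punctuation character, and the letter and digit classes as their ASCII ranges, are assumptions made for the example.

```python
"""Password policy check for the five conditions listed above.
Added illustration; not the thesis's own code."""
import string

MIN_LENGTH = 10  # condition 1

# Assumption: "symbol" means an ASCII punctuation character, and the letter
# and digit classes are the ASCII ranges named in the conditions.
RULES = [
    ("length", lambda pw: len(pw) >= MIN_LENGTH),
    ("uppercase", lambda pw: any(c in string.ascii_uppercase for c in pw)),
    ("lowercase", lambda pw: any(c in string.ascii_lowercase for c in pw)),
    ("digit", lambda pw: any(c in string.digits for c in pw)),
    ("symbol", lambda pw: any(c in string.punctuation for c in pw)),
]


def check_password_policy(pw):
    """Return the names of the conditions the candidate violates.

    An empty list means the candidate satisfies all five conditions.
    """
    return [name for name, ok in RULES if not ok(pw)]


def password_accepted(pw):
    """True when no condition is violated."""
    return not check_password_policy(pw)


if __name__ == "__main__":
    # Constructed candidates for demonstration only, not real passwords.
    for candidate in ["password", "ABCDEFGHIJ1!", "Tr0ub4dor&3", "Sh0rt!A"]:
        print(repr(candidate), check_password_policy(candidate) or "accepted")
```

Returning the list of failed conditions rather than a boolean lets the enrollment interface report exactly which rule was missed; the policy itself says nothing about how the password is transmitted, which the preceding section treats separately.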

5.2.7.3. Biometric

Biometric authentication has the advantage of checking the user's unique personal characteristics. The use of biometric data is now mandatory for numerous travel documents [115, 119] and national ID programs. Here, the idea was to use multimodal biometric systems to generate the biometric secret key directly. As investigating each modality would be time-consuming, it was decided to use the iris modality, which can effectively be treated as two different biometric modalities (left and right iris). Because the first style of Shamir's secret scheme needs three modalities to work, we decided to use a password as the third modality, as shown in Figure 5.8 above, to explore this new enhancement of biometric security by direct key generation.

5.2.7.4. Three-Factor Scheme

A three-factor scheme involving biometrics, a password and a smartcard has been tested by [73, 119] and produced a significantly higher security level, which is why the current study followed the same approach to enhance the security and performance of the system. It also allowed the system to operate with the biometric and smartcard factors when the third factor (password) is missing.


Any combination of two of the three authentication factors sacrifices at least one of the relevant security criteria. Something-we-know with something-we-are sacrifices privacy, because the absence of a personal device entails the use of a database to centralize all biometric data. Something-we-have with something-we-are sacrifices a secret in the architecture, since biometrics are public data. Something-we-have with something-we-know sacrifices real user authentication, since there is no proof of a link between the user and their card or PIN code [119].

Moreover, some applications need to duplicate one factor in the authentication scheme: sometimes we need to show both an ID card and a passport, or to present both face and fingerprints, or to enter a password to log in to a system and then another password to access the application we intend to use. For instance, the use of a smartcard, PIN code, fingerprints and facial recognition is still three-factor rather than four-factor authentication (as is sometimes suggested in press releases and marketing messages). In today's digital world, most communication channels are insecure, as the first goal is to provide user convenience. When delivering a password or biometric data, particular attention must be paid to this communication channel to guard against very simple methods of bypassing authentication. The use of cryptographic tools is mandatory to ensure the security of any three-factor authentication; the ultimate solution is to combine three-factor authentication with a Public Key Infrastructure (PKI). However, PKI is difficult and costly to set up, manage and maintain, and simpler solutions must be considered for providing secure communications over insecure channels [118, 119] and ensuring the confidentiality and integrity of data [117, 119].


1- Iris modality (left and right), considered as something-we-are, where the user will be asked to provide their iris samples during the enrollment and authentication phases.

2- Password as something-we-know, considered for present purposes as a third modality, where the user will be asked to create their password during enrollment and will then be asked to provide it during the authentication phase.

3- Smartcard as something-we-have, which will carry secret shares (Yn coordinates) created using the first style of Shamir's secret scheme, called the linear equation technique; the secret shares are created in the enrollment phase and saved on the smartcard.
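The secret-sharing primitive behind the three factors above, given as an added example that is not the thesis's construction or code: a key is split into shares over a prime field, recovered by Lagrange interpolation, and a brute-force search over a tiny field shows that fewer than the threshold number of shares leaves every candidate secret equally possible. The share labels (left iris, right iris, password), the two threshold choices (3-of-3 requiring all factors, and 2-of-3 as one way the system could tolerate a missing password, as section 5.2.7.4 describes) and the field size are assumptions for illustration; how the thesis derives share values from iris data and what exactly is written to the smartcard is not modelled.

```python
"""Shamir secret sharing over GF(p): split, reconstruct, and a brute-force
check of the threshold property. Added illustration; not the thesis's code."""
import secrets
from itertools import product

# 127-bit Mersenne prime: large enough to carry a 126-bit key as the secret.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate a_0 + a_1*x + ... + a_{k-1}*x^{k-1} mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME, rng=secrets.randbelow):
    """Return n shares (x, y) of which any k reconstruct the secret.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)). Fewer than k points fix no constant term.
    """
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p=PRIME):
    """Lagrange interpolation at x = 0 recovers the constant term (the secret)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def consistent_secrets(known_shares, k, p):
    """Brute force over a tiny field: the constant terms of every polynomial of
    degree < k that passes through the known shares. With k-1 shares this is
    the whole field (perfect secrecy); with k shares it is a single value."""
    found = set()
    for coeffs in product(range(p), repeat=k):
        if all(_eval_poly(coeffs, x, p) == y for x, y in known_shares):
            found.add(coeffs[0])
    return found


if __name__ == "__main__":
    # Constructed 126-bit key; the three shares stand in for the three factors.
    key = secrets.randbits(126)
    labels = ["left iris", "right iris", "password"]  # assumed labelling

    # Variant 1: threshold 3 of 3, so all three factors are required.
    shares = dict(zip(labels, split_secret(key, k=3, n=3)))
    assert reconstruct(list(shares.values())) == key

    # Variant 2: threshold 2 of 3, so the key is still recoverable when the
    # password is missing (an assumed way of tolerating a missing factor).
    shares2 = dict(zip(labels, split_secret(key, k=2, n=3)))
    without_password = [shares2["left iris"], shares2["right iris"]]
    assert reconstruct(without_password) == key

    # Threshold property made visible on GF(17): two shares of a 3-of-3 split
    # are consistent with every one of the 17 possible secrets.
    tiny = split_secret(5, k=3, n=3, p=17)
    print(len(consistent_secrets(tiny[:2], 3, 17)))  # 17
    print(consistent_secrets(tiny, 3, 17))           # {5}
```

The brute-force check is what makes the "smartcard stores only Yn coordinates" argument concrete: a share by itself, or any set below the threshold, is consistent with every secret in the field, so holding it reveals nothing about the key. The search is only feasible for a toy prime; over the 127-bit field the same property holds but is shown by the interpolation argument, not by enumeration.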