Integrating Biometric Techniques with an Electronic Signature for Remote Authentication
by Luca Bechelli, Stefano Bistarelli, Fabio Martinelli, Marinella Petrocchi and Anna Vaccarelli
Biometric technologies are currently used for physical access controls. Scientists at CNR aim to integrate this technology with certificates, signatures and smartcards to handle remote authentication.
A project is currently under way at IIT-CNR, in collaboration with two industrial partners, which aims at the integration of biometric devices with digital signature technology (in conformity with current Italian standards). The results of the activity are being tested periodically by other CNR Institutes interested in this technology. The main objective of the project is the definition of standards that guarantee:
All these steps will be necessary to guarantee non-repudiation between authenticated users.
User authentication with biometric techniques does not require 'knowledge' of a secret piece of information, such as the traditional PIN, but requests that the user performs specific 'actions', necessary for a live acquisition of public biometric information.
This is why biometric techniques are used today for physical access controls or for other activities that require the presence of the user. The effective presence of the user during authentication guarantees that the biometric information is not intercepted, stolen or improperly used. Our aim is to perform remote authentication (eg logon to a remote system or unlock of a smart card to sign a document) and to guarantee the presence of the user by using special communication protocols between the biometric device and the smartcard.
The main problems with the use of biometric techniques are:
If these two constraints are not realised, a malicious user could use his own biometric details together with a third party identity (responsibility attack), or attach his identity to third party biometric information (credit attack).
In our work, the biometric information is represented by a fingerprint. During the enrolment phase, a fingerprint template of the user is stored in a secure environment (in our solution inside the smartcard). For integrity and authenticity purposes, the (hashed) fingerprint is then inserted in an 'attribute certificate' signed by an Attribute Authority. In the same smartcard we also store an X.509 certificate of the user, which will be used to digitally sign documents.
In order to validate the fingerprint-identity pair, two important pieces of information are added to the attribute certificate:
This type of solution guarantees:
In conclusion, biometric techniques work well if the verifier can check two things:
If the system cannot do this, then it fails. In fact, biometrics data provide unique identifiers, but are not secret.
We plan to extend the implementation employing Match-On-Card (where the extraction of the certificate is performed on the card and the match on the system) and System-On-Card technologies (where match, extraction and storage of the template are performed inside the card).
This work has been carried out within a scientific cooperation between IIT-CNR and BiometriKa, an Italian company.