Abstract
In this work we propose a protocol combining a Physical Unclonable Function (PUF) with Password-based Authenticated Key Exchange (PAKE). The resulting protocol provides mutual multifactor authentication between client and server and establishes a session key between the authenticated parties, important features that were not found simultaneously in the literature of PUF-based authentication. The combination can be adapted to support a panic password which allows the client to notify the server in case of emergency. Moreover, a novel protocol for two-factor transaction authentication is proposed. This ensures that only parties authenticated in the current session can realize valid bank transactions.
The authors thank Intel Labs for funding the project “Physical Unclonable Functions for SoC Devices” in which scope this work was conducted.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We consider any additional credential as another authentication factor (such as biometric information).
- 2.
This is the only user interaction with the protocol, besides making the transaction request. The other operations are done by software.
References
Pappu, R., Recht, B., Taylor, J., Gershenfeld, N.: Physical one-way functions. Science 97, 2026–2030 (2002)
Gassend, B., Clarke, D., van Dijk, M., Devadas, S.: Silicon physical random functions. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), pp. 148–160. ACM (2002)
Armknecht, F., Maes, R., Sadeghi, A.-R., Sunar, B., Tuyls, P.: Memory leakage-resilient encryption based on physically unclonable functions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 685–702. Springer, Heidelberg (2009)
Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: Proceedings of the 44th Annual Design Automation Conference (DAC 2007), pp. 9–14. ACM (2007)
Maes, R., Van Herrewege, A., Verbauwhede, I.: PUFKY: a fully functional PUF-based cryptographic key generator. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 302–319. Springer, Heidelberg (2012)
Delvaux, J., Gu, D., Peeters, R., Verbauwhede, I.: A Survey on Lightweight Entity Authentication with Strong PUFs. COSIC Internal Report (2015). http://www.cosic.esat.kuleuven.be/publications/article-2497.pdf
Tuyls, P., Škorić, B.: Strong authentication with physical unclonable functions. In: Petković, M., Jonker, W. (eds.) Security, Privacy, and Trust in Modern Data Management Data-Centric Systems and Applications, pp. 133–148. Springer, Heidelberg (2007)
Busch, H., Katzenbeisser, S., Baecher, P.: PUF-based authentication protocols – revisited. In: Youm, H.Y., Yung, M. (eds.) WISA 2009. LNCS, vol. 5932, pp. 296–308. Springer, Heidelberg (2009)
Frikken, K.B., Blanton, M., Atallah, M.J.: Robust authentication using physically unclonable functions. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 262–277. Springer, Heidelberg (2009)
Maes, R.: An accurate probabilistic reliability model for silicon PUFs. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 73–89. Springer, Heidelberg (2013)
Helfmeier, C., Boit, C., Nedospasov, D., Seifert, J.-P.: Cloning physically unclonable functions. In: International Symposium on Hardware-Oriented Security and Trust (HOST 2013), pp. 1–6. IEEE, June 2013
Katzenbeisser, S., Kocabaş, U., Rožić, V., Verbauwhede, I., Sadeghi, A.-R., Wachsmann, C.: PUFs: myth, fact or busted? a security evaluation of physically unclonable functions (PUFs) cast in silicon. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 283–301. Springer, Heidelberg (2012)
Holcomb, D.E., Fu, K.: Bitline PUF: building native challenge-response PUF capability into any SRAM. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 510–526. Springer, Heidelberg (2014)
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE Computer Society Symposium on Research in Securityand Privacy, pp. 72–84. IEEE, May 1992
Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26, 5–26 (1996)
Bellare, M., Rogaway, P.: The AuthA Protocol for Password-based Authenticated Key Exchange, Technical report, Citeseer (2000)
Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Bresson, E., Chevassut, O., Pointcheval, D.: Proof of security for password-based key exchange (IEEE P1363 AuthA Protocol and Extensions). ACMCCS 3, 241–250 (2003)
Abdalla, M., Catalano, D., Chevalier, C., Pointcheval, D.: Efficient two-party password-based key exchange protocols in the UC framework. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 335–351. Springer, Heidelberg (2008)
Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003), pp. 241–250. ACM (2003)
Miller, S.P., Neuman, B.C., Schiller, J.I., Saltzer, J.H.: Kerberos Authentication and Authorization System. In: Project Athena Technical Plan, Citeseer (1987)
Steiner, J.G., Neuman, B.C., Schiller, J.I.: Kerberos: an authenticationservice for open network systems. In: USENIX Winter, pp. 191–202 (1988)
Lam, K.-Y., Gollmann, D.: Freshness assurance of authentication protocols. In: Deswarte, Y., Eizenberg, G., Quisquater, J.-J. (eds.) ESORICS 1992. LNCS, vol. 648, pp. 261–271. Springer, Heidelberg (1992)
Tuyls, P., Batina, L.: RFID-tags for anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 115–131. Springer, Heidelberg (2006)
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)
Merkle, R.C.: Protocols for public key cryptosystems. In: IEEE Symposium on Security and Privacy, vol. 1109, pp. 122–134 (1980)
Fan, L., Cao, P., Almeida, J., Broder, A.Z.: Summary cache: a scalable wide-area web cache sharing protocol. IEEE/ACM Trans. Network. (TON) 8, 281–293 (2000)
Dworkin, M.J.: SP 800-38D. Recommendation for block cipher modes ofoperation: Galois/Counter Mode (GCM) and GMAC (2007). http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Clark, J., Hengartner, U.: Panic passwords: authenticating under duress. In: Proceedings of the 3rd Conference on Hot Topics in Security (HOTSEC2008). USENIX Association, Berkeley, pp. 8:1–8:6 (2008)
Popp, N., Bajaj, S., Hallam-Baker, P.: Hybrid authentication. US Patent App. 10/864,501, January 2005
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Resende, A.C.D., Mochetti, K., Aranha, D.F. (2016). PUF-Based Mutual Multifactor Entity and Transaction Authentication for Secure Banking. In: Güneysu, T., Leander, G., Moradi, A. (eds) Lightweight Cryptography for Security and Privacy. LightSec 2015. Lecture Notes in Computer Science(), vol 9542. Springer, Cham. https://doi.org/10.1007/978-3-319-29078-2_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-29078-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29077-5
Online ISBN: 978-3-319-29078-2
eBook Packages: Computer ScienceComputer Science (R0)