Modelling and Simulation of a Biometric Identity-Based Cryptography

Government information is a vital asset that must be kept in a trusted environment and efficiently managed by authorised parties. Even though e-Government provides a number of advantages, it also introduces a range of new security risks. Sharing confidential and top-secret information in a secure manner among government sectors tends to be the main element that government agencies look for. Thus, developing an effective methodology is essential and is a key factor for e-Government success. The e-Government scheme proposed in this paper is a combination of identity-based encryption and biometric technology. This new scheme can effectively improve the security of authentication systems by providing a reliable identity with a high degree of assurance. This paper also demonstrates the feasibility of using finite-state machines as a formal method to analyse the proposed protocols. Finally, we show how Petri Nets can be used to simulate the communication patterns between the server and client as well as to validate the protocol functionality.

Keywords—e-Government; identity-based cryptosystem; biometrics; mutual authentication; finite-state machine; Petri net.

I. INTRODUCTION
One of the main issues concerning the security perspective in e-Government is to grant access to authorised users as well as the need to verify that the user is really who they claim to be. The most common solution to this problem is to deploy a PKI [3] and digital signatures in large-scale e-Government systems. Even though PKI supports strong authentication and digital signatures, it has a few disadvantages. For example, users must be pre-enrolled, certificate directories can leak some critical information, key recovery is difficult and costly, and boundary services (anti-spam, anti-virus, archiving) integration is very difficult [4].
Thus, to take full advantage of the capabilities of e-Government, end users need robust security solutions to achieve assurance when dealing with e-Government systems. A variant of public key cryptography that derives public keys directly from unique identity information (such as an e-mail address) known by the user is called Identity-Based Cryptography (IBC). This approach has recently received considerable attention from researchers [5,6,7,8,9], as ID-Based Cryptography offers great flexibility and obviates the requirement for user certificates, since the identity of the user can be transformed into encryption keys and used for authentication.
To develop a new secure cryptosystem for e-Government, several schemes were investigated to determine which protocol would be suitable for the research. We propose a biometric-ID-based scheme using an Elliptic Curve Cryptosystem (ECC), which is an improved combination scheme derived from two schemes [10,11]. The proposed scheme is secure under the Computational Diffie-Hellman Assumption (CDHA) and tackles the security drawbacks of He et al.'s scheme and Li and Hwang's scheme. To overcome these, we applied a symmetric key cryptosystem to prevent attackers from altering or gaining any important information in the login and authentication messages.
The structure of this paper is organised as follows. In Section 2, we review related work on ID-Based Cryptography and biometric authentication and briefly describe both He et al.'s and Li and Hwang's schemes. In Section 3, we design the new Biometric-ID-based Authentication Scheme. In Section 4, we model the new protocol with finite-state machines. In Section 5, we model the new protocol with Petri Nets to simulate the communication. We then provide a brief discussion on security analysis and comparisons with related schemes in Section 6. Finally, the conclusion is given in Section 7.
www.ijarai.thesai.org

II. REVIEW OF RELATED WORK
Without a secure and trusted infrastructure, organisations such as governments would leave data electronically unsecured and vulnerable to attacks. Therefore, governments are constantly looking for ways to deliver secure and reliable services. ID-Based Cryptography introduces lightweight key management and offers encryption for data confidentiality and robust authentication, which are prerequisites for securing high-value transactions.
The idea of ID-based cryptography was originally proposed by Shamir in 1984 [12], but practical ID-based encryption schemes were not developed until recently. In 2001, Boneh & Franklin [5] developed a fully functional ID-based encryption scheme which can be constructed efficiently by using the Weil pairing on elliptic curves.
In ID-based cryptosystems, there is a trusted third party called a Private Key Generator (PKG) who is responsible for generating the secret keys for all users. As a result, a PKG holds the users' private keys. If a PKG is malicious, it can impersonate any user and therefore decrypt any ciphertext or forge a signature on any message. This leads to a problem known as key escrow [13,14].
There is no question that the Identity-Based Encryption (IBE) scheme brings many advantages, such as eliminating the need to distribute public keys. The enforcement of private key generation by the Private Key Generator raises concerns of key escrow and/or privacy surrounding the management of private keys. To address this particular problem of key escrow, a biometric identification system can be used to derive the private key. Biometric technology and verification systems offer a number of benefits to government sectors and users [15,16].
He et al. [10] proposed an ID-based remote mutual authentication with key agreement scheme on ECC. This protocol attempts to cope with many of the well-known security and efficiency problems. However, the scheme has a potential flaw that may lead to man-in-the-middle attack and impersonation attack [17,18]. It can be seen that, if an attacker E eavesdrops and listens to the communication between S i and and masquerade as a legal user.
Li and Hwang [11] proposed an efficient biometrics-based remote user authentication scheme using smart cards. The security of their scheme is based on one-way hash functions, biometric verification, a smart card and a nonce. The scheme is very efficient in computation cost, which has been shown to be relatively low compared with other related schemes [24,25,26,27]. The scheme is composed of four phases: the registration phase, the login phase, the authentication phase and the password change phase.
One of the key characteristics of a cryptographic hash function is that its output is very sensitive to small perturbations in the input. Hash functions cannot be applied directly when the input data are noisy, as biometrics are [28]. Therefore, a secure one-way hash function cannot be used for biometric verification. In the login phase of Li-Hwang's scheme, the user computes h(B i ) from a personal biometric template B i . The biometric authentication process then relies on comparing the hash value h(B i ) with f i . However, the scheme does not seem able to handle natural variation in the biometrics. For example, when the user logs in, the fresh biometric sample has to match exactly the template recorded during the registration phase, which never happens in practice. Thus, the protocol is fundamentally flawed and does not fulfil the basic objectives of a biometric authentication protocol. As a result, a legal user may be prevented from passing biometric verification at the login phase, so Li-Hwang's scheme is vulnerable to denial-of-service attack. The scheme is also prone to man-in-the-middle attack and impersonation attack: the attacker can cheat the server by impersonating the user or can impersonate the server to cheat the user without knowing any secret information [29,30,31].
Combining ID-based cryptography with biometric techniques can effectively improve the security of authentication systems, providing a reliable identity with a high degree of assurance. Biometric technology is regarded as a powerful solution due to its unique link to an individual identity, which is almost impossible to fake. A biometric identity is an inherent trait which always remains with the person. In other words, using biometric techniques in IBE means that the person will always have their private key available.
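The contrast drawn above (an exact hash match fails on any perturbation of the sample, whereas a threshold comparison tolerates the natural variation) is shown below in an added example that is not part of the original paper. The bit-string templates are constructed stand-ins for a biometric feature vector, h(.) is instantiated as SHA-256, and the distance d(Bio C i , Bio * C i ) of Section VI is instantiated as the Hamming distance with threshold τ; all three are assumptions of this example.

```python
import hashlib

# Constructed sample templates: fixed-length bit strings standing in for a
# biometric feature vector. They are not real biometric data.
ENROLLED_TEMPLATE = "1011001110001111010100110010"   # Bio_Ci captured at registration
FRESH_SAMPLE      = "1011001110001011010100110010"   # Bio*_Ci at login: one bit differs
IMPOSTOR_SAMPLE   = "0100110001110000101011001101"   # another person's trait


def h(bits: str) -> str:
    """h(.) of Li-Hwang's login phase, instantiated here as SHA-256 (assumption)."""
    return hashlib.sha256(bits.encode()).hexdigest()


def hash_verify(fresh: str, stored_hash: str) -> bool:
    """Li-Hwang style check: h(Bio*_Ci) must equal the stored value f_i = h(Bio_Ci) exactly."""
    return h(fresh) == stored_hash


def hamming_distance(a: str, b: str) -> int:
    """Number of positions in which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(x != y for x, y in zip(a, b))


def threshold_verify(fresh: str, template: str, tau: int) -> bool:
    """Threshold check of the proposed scheme: accept iff d(Bio_Ci, Bio*_Ci) < τ,
    with d instantiated as the Hamming distance (assumption)."""
    return hamming_distance(fresh, template) < tau


def compare_checks(tau: int = 3) -> dict:
    """Run both checks on the same genuine and impostor samples."""
    stored = h(ENROLLED_TEMPLATE)
    return {
        "hash_accepts_fresh": hash_verify(FRESH_SAMPLE, stored),
        "threshold_accepts_fresh": threshold_verify(FRESH_SAMPLE, ENROLLED_TEMPLATE, tau),
        "threshold_accepts_impostor": threshold_verify(IMPOSTOR_SAMPLE, ENROLLED_TEMPLATE, tau),
    }


if __name__ == "__main__":
    for name, outcome in compare_checks().items():
        print(f"{name}: {outcome}")
```

The genuine sample differs from the enrolled template in a single bit, which is enough for the hash comparison to reject the legitimate user (the denial-of-service condition described above), while the threshold comparison accepts it and still rejects the impostor sample. The value of τ trades false rejections against false acceptances and has to be chosen from the error rates of the actual biometric modality, not from this toy data.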

III. PROPOSED SCHEME
This research focuses on secure e-Government systems and on improving their authentication and communication. To guarantee the security of these distributed systems, biometric verification and ID-based cryptography are used. The proposed protocol is based on the following assumptions:
- We assume that shared secrets in the registration phase will never be disclosed.
- We assume that the cryptographic algorithms are secure. For example, it is impossible to decrypt a ciphertext without prior knowledge of the secret key.
- We assume that both client and server are able to generate a random number securely.
The security of the proposed scheme is based on the intractability of the following two mathematical problems on elliptic curves [5,10]
The proposed scheme consists of four phases: system initialising phase, registration phase, login phase, and authentication phase. The notations used throughout this paper are summarised in Table 1.

A. System initializing phase
In this phase, we follow the steps in He et al.'s scheme, where the server S i generates the parameters of the system.
Step 1: S i chooses an elliptic curve equation
Step 2: S i selects a base point P with order n over E P (a, b)
Step 3: S i selects its master key x and secret information y and computes the public key Pub_K s = xP
Step 4: The server chooses four secure one-way hash functions H 1 (.), H 2 (.), H 3 (.), H 4 (.), where H(.) is a known hash function that takes a string and assigns it to a point on the elliptic curve, i.e. H(A) = QA on E, where C is usually based on the identity. The server also chooses a message authentication code MAC k (m). Then, it keeps x private and publishes {F p , E, n, P,

B. Registration Phase
A user C i with identifier ID C i must be registered before using the services provided by R i . Users may use their employee number as an identity when contacting R i for authorisation. In this phase, C i needs to perform the following steps.
Step 1: User C i inputs their ID C i and personal biometrics Bio C i on a specific biometric device, and provides the password PW C i to R i via a secure channel (or to the registration centre in person).
Step 2: R i reads the current timestamp T S i and computes the following:
Step 3: R i computes C i 's private key using the system private key x and C i 's public key.
Step 4: R i stores {ID C i , H 4 (.), Enc{ } a /Dec{ } a , f i , e i , τ, Pr_K C i } in a secure database and sends it to the user via a secure channel, where Enc{ } a /Dec{ } a is a symmetric encryption with secret key a and τ is a predetermined threshold [28] for biometric verification.

C. Login Phase
The user C i sends a login request to the server S i and performs the following steps:
Step 1: C i enters ID C i and PW C i , and then S i verifies the authenticity of the client's identity and password.
Step 2: C i submits Bio C i on the specific biometric device, and then verifies the following: ) ≥ τ
Step 3: If the above does not hold, the biometric information does not match the template stored in the system. Thus C i does not pass the biometric verification process and the authentication scheme is terminated. Otherwise, C i passes the biometric verification and computes the following: where r C i ∈ Z * n is a random number generated by the user. In this step, the random value r C i is introduced to mask the hash of the secret value H 4 (ID C i || y).
Step 4: , where T C i is a timestamp denoting the current time.
Step 5: Finally, C i encrypts the message } a and sends it to the server S i .

D. Authentication Phase
After receiving the login request message, S i and C i perform the following steps for mutual authentication.
Step 1: S i decrypts the message {ID C i , T C i , W 1 , M 3 , MAC k (ID C i , T C i , W 1 , M 3 )} a , then checks the validity of ID C i and the freshness of T C i . The freshness of T C i is checked by performing -T C i ≤ , where is the time when S i receives the above message and is a valid time interval. In the case where ID C i is not valid or T C i is not fresh, S i aborts the current session.
Step 2: If Step 1 holds, S i computes the following: with the key k. S i will quit the current session if the check produces a negative result.
Step 3: If Step 2 holds, S i chooses a random number r S i ∈ Z * n and computes the following: where T S i is a timestamp denoting the current time. M 5 carries the random value r C i of the user C i , and only S i can unmask the value because it can compute and checks the freshness of T S i by performing T'-T S i ≤ T, where T is the time when C i receives the above message and T is the expected time interval for the transmission delay.
Step 6: C i verifies whether with the key k. C i will quit the current session if the check produces a negative result.
Step 7: If it holds, C i believes that S i is authenticated and then computes the following: where M 9 carries the random value r S i of the server S i , and only the client C i , which know
Step 8: C i sends the encrypted message {M 9 , MAC k (M 9 )} a to S i .
Step 9: After receiving C i 's message, S i decrypts Enc{M 9 } a and checks the integrity of MAC k (M 9 ). Then, S i verifies whether M 9 ≟ H 4 (M 6 || r S i ).
Step 10: If the above holds, S i accepts C i 's login request; otherwise it rejects it.
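The server-side checks of Steps 1 and 2 (identity validity, timestamp freshness T' - T C i ≤ ΔT, and MAC k integrity) are shown below in an added example that is not part of the original paper. It operates on the fields of the login request after the Enc{ } a layer has been removed; the symmetric cipher, the values W 1 and M 3 and the elliptic-curve computations are outside the example. MAC k is instantiated as HMAC-SHA256, ΔT = 30 s, and the registry of enrolled identities is a constructed set; all are assumptions of the example.

```python
import hashlib
import hmac

DELTA_T = 30                      # ΔT: accepted transmission delay in seconds (assumed value)
REGISTERED_IDS = {"EMP-00042"}    # constructed set of enrolled ID_Ci values


def mac_k(key: bytes, *fields) -> str:
    """MAC_k(m): instantiated here as HMAC-SHA256 over the '||'-joined fields (assumption)."""
    message = "||".join(str(f) for f in fields).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_login_request(key: bytes, id_c: str, t_c: int, w1: str, m3: str) -> dict:
    """Client side (Login Phase, Steps 4-5): the fields carried inside Enc{...}_a."""
    return {"ID": id_c, "T": t_c, "W1": w1, "M3": m3,
            "MAC": mac_k(key, id_c, t_c, w1, m3)}


def check_login_request(msg: dict, key: bytes, now: int, seen=None,
                        delta_t: int = DELTA_T, registered=REGISTERED_IDS):
    """Server side, Authentication Phase Steps 1-2, on the already-decrypted message.
    `now` is T', the server's receive time. Returns (accepted, reason)."""
    if msg["ID"] not in registered:
        return False, "invalid ID_Ci"
    # Step 1 freshness: T' - T_Ci <= ΔT. A timestamp from the future is rejected as well.
    if msg["T"] > now or now - msg["T"] > delta_t:
        return False, "T_Ci not fresh"
    # Step 2 integrity: recompute MAC_k over the received fields and compare in constant time.
    expected = mac_k(key, msg["ID"], msg["T"], msg["W1"], msg["M3"])
    if not hmac.compare_digest(expected, msg["MAC"]):
        return False, "MAC_k integrity check failed"
    # Optional replay cache: inside the ΔT window the timestamp alone cannot tell a
    # replayed copy from the original, so remember what has already been accepted.
    if seen is not None:
        tag = (msg["ID"], msg["T"], msg["MAC"])
        if tag in seen:
            return False, "replayed login request"
        seen.add(tag)
    return True, "ok"


if __name__ == "__main__":
    key = b"session-mac-key"          # constructed key k shared by client and server
    t_c = 1_700_000_000               # constructed T_Ci
    request = build_login_request(key, "EMP-00042", t_c, "w1-sample", "m3-sample")
    print(check_login_request(request, key, now=t_c + 5))              # (True, 'ok')
    print(check_login_request(request, key, now=t_c + DELTA_T + 1))    # stale
    print(check_login_request(dict(request, W1="altered"), key, now=t_c + 5))  # MAC fails
```

The order of the checks matters for the abort behaviour described in Step 1: an unknown identity or a stale timestamp is rejected before any MAC computation, and the MAC is compared with `hmac.compare_digest` so that a mismatch does not leak timing information about how many bytes matched. The replay cache is an addition beyond the paper's text: the scheme relies on the per-session random values and a fresh session key to defeat replays, but within a single ΔT window a verbatim copy of the request would still pass the freshness and MAC checks on their own.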

IV. BEHAVIOUR MODELLING AND STATE MACHINE
Verification is a crucial step in designing security protocols. A Finite-State Machine (FSM) is a powerful tool to simulate software architecture and communication protocols. An FSM can only model the control part of a system and consists of a finite number of states, a finite number of events, and a finite number of transitions. An FSM may be regarded as a five-tuple [32]: (Q, ∑, , σ, ԛ 0 ). The FSM is used to model the communication channel of the proposed protocol between the Client C i and the Server S i . Since the exchange of packets follows a pattern defined by a finite set of rules, it is described by creating three finite-state machines: FSM server , FSM register and FSM client .

A. Server FSM
The FSM at the server side represents the various on-going communications with the client at any point of time. It is modelled using 10 states and 22 transitions as detailed below. Fig. 1 shows the transition diagram for FSM server .
1) FSM server loops on itself while the server is waiting for clients. The machine advances to the next state once it is triggered by a login or enrol transition accordingly.
2) When FSM server is in state S1, it checks the validity of the received ID. If the ID proves to be incorrect, S i will request C i to enter a valid ID up to three times, and FSM server will loop until C i enters a valid ID or the attempts exceed three. In the latter case, C i 's account will be blocked and FSM server changes from state S1 to state S4. In general, three attempts are allowed throughout our protocol steps to tolerate common errors.
3) When FSM server is in state S2, it has been triggered by a valid ID and is now waiting for a valid PW. Once S i receives the PW, it verifies its validity. If the PW proves to be wrong, S i will request C i to enter a valid PW up to three times, and FSM server will loop until C i enters a valid PW or the attempts exceed three. In the latter case, C i 's account will be blocked and FSM server changes from state S2 to state S4.
4) When FSM server is in state S3, it has been triggered by a valid PW and is now waiting for a valid Bio. Once S i receives the Bio, it verifies its validity by comparing the imprinted Bio with the stored template. If the Bio does not match the stored template, S i will request C i to enter a valid Bio up to three times, and FSM server will loop until C i enters a valid Bio or the attempts exceed three. In the latter case, C i 's account will be blocked and FSM server changes from state S3 to state S4.
5) In state S5, FSM server waits until it receives the login request SYN = {ID C i , T C i , W 1 , M 3 , MAC k (ID C i , T C i , W 1 , M 3 )} a from FSM client to establish a connection by performing a three-way handshake.
6) While in state S5, FSM server checks the validity of ID, the freshness of T and the integrity of MAC k . Then S i generates a random number and a timestamp in order to calculate the session key sk = H 3 (ID C i , T C i , T S i , W 1 , W 2 , K S i ). After that, S i replies SYN/ACK = {ID
At any stage of FSM server , FSM server aborts the current session and changes to state S9 if the timeout exceeds the defined TIME_WAIT while waiting for packets. This feature prevents an infinite wait when FSM client fails to respond.
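The credential-checking part of FSM server described in items 1) to 4), the blocked state S4 and the TIME_WAIT abort to S9 are modelled below in an added example that is not part of the original paper. It covers only states S0, S1, S2, S3, S4, S5 and S9 (the handshake states are not modelled), uses a constructed enrolment record, compares the biometric sample by plain equality for brevity, and takes TIME_WAIT = 60 s; these are assumptions of the example.

```python
import time

MAX_ATTEMPTS = 3      # the protocol allows three attempts per credential
TIME_WAIT = 60.0      # seconds of silence before the session is aborted (assumed value)


class ServerFSM:
    """Credential-checking subset of FSM_server: S0 (waiting for clients), S1/S2/S3
    (ID, PW, Bio checks), S4 (account blocked), S5 (waiting for the login request),
    S9 (TIME_WAIT abort). The handshake states S6-S8 are not modelled."""

    def __init__(self, registry, bio_match, clock=time.monotonic):
        self.registry = registry      # constructed store: ID_Ci -> {"pw": PW_Ci, "bio": Bio_Ci}
        self.bio_match = bio_match    # callable(stored_template, presented_sample) -> bool
        self.clock = clock
        self.state = "S0"
        self.attempts = 0
        self.client_id = None
        self.last_activity = clock()
        self.log = []                 # transition log: (from_state, event, to_state)

    def _fire(self, event, to_state):
        self.log.append((self.state, event, to_state))
        self.state = to_state
        self.last_activity = self.clock()

    def _timed_out(self):
        """TIME_WAIT rule: abort to S9 if no packet arrived in time while waiting."""
        waiting = self.state in ("S1", "S2", "S3", "S5")
        if waiting and self.clock() - self.last_activity > TIME_WAIT:
            self._fire("TIME_WAIT exceeded", "S9")
        return self.state == "S9"

    def _credential_step(self, name, valid, next_state):
        """Shared logic of S1, S2, S3: advance, self-loop for a retry, or block in S4."""
        if self._timed_out():
            return self.state
        if valid:
            self.attempts = 0
            self._fire(f"{name} valid", next_state)
        elif self.attempts + 1 >= MAX_ATTEMPTS:
            self._fire(f"{name} attempts exceeded", "S4")     # account blocked
        else:
            self.attempts += 1
            self._fire(f"{name} invalid, retry", self.state)  # loop in the same state
        return self.state

    def login(self):
        if self.state == "S0":
            self._fire("login", "S1")
        return self.state

    def submit_id(self, id_c):
        if self.state != "S1":
            return self.state
        valid = id_c in self.registry
        if valid:
            self.client_id = id_c
        return self._credential_step("ID", valid, "S2")

    def submit_pw(self, pw):
        if self.state != "S2":
            return self.state
        return self._credential_step("PW", pw == self.registry[self.client_id]["pw"], "S3")

    def submit_bio(self, sample):
        if self.state != "S3":
            return self.state
        stored = self.registry[self.client_id]["bio"]
        return self._credential_step("Bio", self.bio_match(stored, sample), "S5")


# Constructed enrolment record; the bit string stands in for a biometric template.
REGISTRY = {"EMP-00042": {"pw": "correct-horse", "bio": "1011001110001111"}}


def run_session(events, clock=None):
    """Drive a fresh FSM with (method_name, argument) pairs; returns the final state."""
    fsm = ServerFSM(REGISTRY, lambda stored, sample: stored == sample,
                    clock=clock or time.monotonic)
    for method, arg in events:
        getattr(fsm, method)(*([] if arg is None else [arg]))
    return fsm.state


if __name__ == "__main__":
    print(run_session([("login", None), ("submit_id", "EMP-00042"),
                       ("submit_pw", "correct-horse"), ("submit_bio", "1011001110001111")]))
    print(run_session([("login", None), ("submit_id", "EMP-00042")] + [("submit_pw", "wrong")] * 3))
```

The attempt counter is reset on every successful transition, so three failures are counted per credential rather than per session, which is how items 2) to 4) describe the lockout. The clock is injected so that the TIME_WAIT path can be exercised deterministically; a real deployment would also need the blocked state S4 to be backed by persistent storage, otherwise the lockout disappears with the in-memory session.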

B. Client FSM
The FSM at the client side represents the various on-going transmissions with the server at any point of time. It is modelled using 9 states and 21 transitions as detailed below. Fig. 1 shows the transition diagram for FSM client .
1) First, FSM client is in the initial state C0, which is when the request for register/login is initiated by the client itself. While in state C0, FSM server checks whether C i is enrolled or not. The next state will be decided according to the condition ClientReg == True.
2) In states C1, C2, C3, FSM client is waiting for the ID, PW and Bio to be validated. Once the client credentials are validated, FSM client triggers itself and changes to state C5.
3) In states C1, C2, C3, the client may be required to re-enter the ID, PW or Bio if they were incorrect. However, the client's account will be blocked if the number of attempts exceeds three trials, which changes the above states to state C4.

6) While in state C6, FSM client computes the shared session key sk = H 3 (ID C i , T C i , T S i , W 1 , W 2 , K C i ) and finalises the handshake procedure by sending ACK = {M 9 } a to S i .
7) In state C7, FSM client is waiting to be authenticated by S i .
8) In state C8, the client terminates the current session if one of the following occurs:
- Negative result when checking the integrity of MAC k
At any stage of FSM client , FSM client aborts the current session and changes to state C9 if the timeout exceeds the defined TIME_WAIT while waiting for packets. This feature prevents an infinite wait when FSM server fails to respond.

C. Register FSM
The FSM at the registration side represents the various on-going transmissions with the server and client at any point of time. It is modelled using 4 states and 7 transitions as detailed below. Fig. 1 shows the transition diagram for FSM register .
1) First, FSM register is triggered in state R0 if the client is not enrolled, that is when the request for registration is initiated by FSM client . While in state C0, FSM server checks whether C i is enrolled.
2) Once C i enters the ID, FSM register changes to state R1 and validates the format of the ID. FSM register triggers itself, then asks C i to enter a PW and changes to state R2.
3) In state R2, on receiving the PW for the first time, FSM register requires C i to re-enter the PW for confirmation. Then it triggers and changes to state R3.
4) In state R3, C i is required to submit multiple scans of the biometric data to increase accuracy. Once the acquisition process is complete, FSM register triggers itself and sends a message to R0, which indicates that the enrolment is successful.

V. PROTOCOL MODEL AND PETRI NETS
Due to the unique characteristics of cryptographic protocols, their analysis and evaluation tend to be more difficult than for ordinary protocols. Petri Nets (PN) [33] offer a way to simulate the communication patterns between the server and client as well as to validate the protocol functionality.
Petri nets are a finite-state analysis approach that explicitly provides a graphical description of cryptographic protocols. The formal definition of a Petri net is shown in Table 2 [35]. Generally, Petri net analysis focuses on specific properties such as liveness, deadlock, livelock, boundedness and safeness [34,35,36]. Typically, a Petri net consists of the following components [35]:
- A set of places (drawn as circles in the graphical representation) representing conditions and possible states of the system.
- A set of transitions (drawn as rectangles or thick bars) representing a change of state caused by events or actions.
- A set of arcs (drawn as arrows) connecting a place to a transition and vice versa.
- Tokens (drawn as black dots) occupying places to represent the truth of the associated condition.
A Petri net structure N = (P, T, F, W) without any specific initial marking is denoted by N.
A Petri net with a given initial marking is denoted by (N, M 0 ).
Our technique involves simulation and verification using Timed-arc Petri nets. Initially, we build a PN model for the client-server exchange without an intruder using the TAPAAL simulation and verification software [37]. The following steps are carried out:
a) Define the places and transitions and declare their functionalities.
b) Implement a token passing scheme once the initial marking is set.
c) Assess the model behaviour by examining reachability, boundedness and liveness.
The Petri net model in Fig. 2 represents the proposed protocol. The definitions of the places and transitions used in this model are given in Table 3 and Table 4, respectively.
In our PN model, places mostly represent storage for requests, messages, ciphers, or session keys. Transitions represent actions that transform the current state into a new one. For example, the following events produce a new state: encryption, decryption, verification, and computations. Tokens are modelled in the PN as shown in Fig. 2 to represent the key agreement and message exchange between the client and server. During simulation, the token firing rule imitates the three-way handshake procedure. After modelling the proposed protocol, it is essential to examine the behavioural properties of the model. Detailed behavioural properties of Petri nets can be found in [35]. Generating the reachability graph (Fig. 3) allows the presence and absence of behaviours of the modelled protocol to be identified.

A. Reachability:
Reachability or coverability analysis is conducted by enumerating all states, in other words by deriving all the possible markings the protocol can reach in the model. This method identifies all the enabled transitions starting from the initial state and generates new states after firing transitions. The PN shown in Fig. 2 is bounded. This is evident from the reachability graph (Fig. 3): every marking M i , where i = {0, 1, 2, …, 19}, is reachable, that is to say there exists a sequence of transition firings which transforms one marking into another.

B. Boundedness and safeness:
Boundedness helps to detect overflows in the modelled system. This property is an indication of the stability of the model's behaviour. It is evident that the proposed PN is structurally bounded, since each place in the net holds at most 2 tokens given the initial marking M 0 , that is to say there is a finite number of states in the modelled protocol. Thus, the PN has no self-loop and satisfies the condition [35]:

A Petri net is k-bounded if all its places are k-bounded.
A Petri net is structurally bounded if it is bounded for any initial marking.
Hence, we can say that the PN is structurally 2-bounded; however, the PN is not safe because two places (P 1 , P 2 ) contain more than one token. It does not fulfil the safeness condition, which is 1-boundedness.

C. Liveness
The PN has a finite number of dead markings. The transitions (T 5 , T 11 , T 17 ) connected to places (P 8 , P 17 , P 24 ) respectively are not live if the protocol runs smoothly. Apart from these, the rest of the places and their corresponding firing transitions are live. The occurrence of deadlocks (rejection states), as shown in Fig. 3, is the result of aborting the current session between the client and server when the token age exceeds the deadline.
Since the PN contains deadlocks and is not live, the PN is considered not reversible.
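The three analyses of this section (reachability by enumerating markings, k-boundedness and safeness, and dead markings with reversibility) are carried out below on a small constructed net in an added example that is not part of the original paper. The net is not the 25-place model of Fig. 2, for which Tables 3 and 4 are not reproduced here; it is a toy three-way handshake with two pending client requests and a server that either accepts or rejects, chosen so that, like the paper's model, it is 2-bounded but not safe, has dead (rejection) markings and is not reversible. The place and transition names and the initial marking are assumptions of the example.

```python
from collections import deque


class PetriNet:
    """A Petri net structure N = (P, T, F, W). Each transition is given as a pair of
    dictionaries (pre, post) mapping places to arc weights. A marking M is a tuple of
    token counts in the order of `places`."""

    def __init__(self, places, transitions):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.transitions = dict(transitions)

    def enabled(self, marking):
        """Transitions whose every input place holds at least the arc weight."""
        return [t for t, (pre, _post) in self.transitions.items()
                if all(marking[self.idx[p]] >= w for p, w in pre.items())]

    def fire(self, marking, t):
        """Firing rule: remove W(p,t) tokens from inputs, add W(t,p) to outputs."""
        pre, post = self.transitions[t]
        m = list(marking)
        for p, w in pre.items():
            m[self.idx[p]] -= w
        for p, w in post.items():
            m[self.idx[p]] += w
        return tuple(m)

    def reachability_graph(self, m0, limit=10_000):
        """Breadth-first enumeration of all markings reachable from m0 and the
        edges (M, t, M') between them; `limit` stops an unbounded net from looping."""
        seen, edges, queue = {m0}, [], deque([m0])
        while queue:
            m = queue.popleft()
            for t in self.enabled(m):
                m2 = self.fire(m, t)
                edges.append((m, t, m2))
                if m2 not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("too many markings: net may be unbounded")
                    seen.add(m2)
                    queue.append(m2)
        return seen, edges


def analyse(net, m0):
    """Behavioural properties of (N, M0) read off the reachability graph."""
    markings, edges = net.reachability_graph(m0)
    k = max(max(m) for m in markings)                 # smallest k with every place k-bounded
    dead = sorted(m for m in markings if not net.enabled(m))
    # Reversible iff M0 can be reached again from every reachable marking:
    # walk the edges backwards starting at M0.
    preds = {}
    for src, _t, dst in edges:
        preds.setdefault(dst, set()).add(src)
    back, stack = {m0}, [m0]
    while stack:
        for p in preds.get(stack.pop(), ()):
            if p not in back:
                back.add(p)
                stack.append(p)
    return {"reachable": len(markings), "bound": k, "safe": k <= 1,
            "dead_markings": dead, "fired": sorted({t for _, t, _ in edges}),
            "reversible": back == markings}


# Constructed toy net: two client requests, one server that accepts or rejects a SYN.
PLACES = ["ClientReady", "ServerIdle", "SYN", "SYN_ACK", "Established", "Rejected"]
TRANSITIONS = {
    "T0_send_syn":   ({"ClientReady": 1},          {"SYN": 1}),
    "T1_accept_syn": ({"SYN": 1, "ServerIdle": 1}, {"SYN_ACK": 1}),
    "T2_reject_syn": ({"SYN": 1, "ServerIdle": 1}, {"Rejected": 1}),
    "T3_send_ack":   ({"SYN_ACK": 1},              {"Established": 1}),
}
M0 = (2, 1, 0, 0, 0, 0)   # two tokens in ClientReady, one in ServerIdle


def handshake_report():
    return analyse(PetriNet(PLACES, TRANSITIONS), M0)


if __name__ == "__main__":
    for key, value in handshake_report().items():
        print(f"{key}: {value}")
```

On this net the enumeration finds 9 markings, the largest token count in any place is 2 (so the net is 2-bounded but not safe), two markings are dead (a rejected request and a completed handshake, each leaving the second SYN with no idle server to consume it), and M 0 has no incoming edge, so the net is not reversible. The same functions apply unchanged to a larger net once its places and transitions are entered from Tables 3 and 4; the `limit` guard is what keeps the enumeration from running forever should a modelling mistake make the net unbounded.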

VI. SECURITY ANALYSIS AND COMPARISONS
Initial marking of the PN model in Fig. 2: M 0 = {2, 2, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
The analysis suggests that the proposed scheme is well designed for data confidentiality by using symmetric encryption [38]. The client and server transmit the MAC value during the login and authentication phases. Both client and server will be aware if an attacker alters a message, because the integrity check of the MAC value fails. When the communication session between C i and S i is over, the session key sk is discarded, and a new session key is used in every protocol run to prevent a replay attack.

Mutual authentication and session key agreement
Based on the FSM model and the PN model, we showed that the protocol accomplishes mutual authentication and secret session key agreement between a remote client and the server by establishing a three-way challenge-response handshake. First, the client C i sends the login request message ) < τ holds. According to [31], Bio * C i can pass the verification process even though there is a slight difference between Bio C i and Bio * C i .
As for the computation cost, the proposed protocol is relatively low cost and efficient, since only symmetric encryption, hash operations and XOR operations are required. Moreover, it is based on ECC, which has significant advantages over other public-key cryptography: ECC provides the same security level as the RSA cryptosystem but with a shorter key length and faster computation [39]. In Table 5, we summarise the performance and compare the proposed scheme with other related schemes. The evaluation parameters are defined in Table 6. Even though the number of operations is higher than in other schemes, our scheme holds other security properties. The proposed protocol is based on a two-factor user authentication mechanism, and it is expected that it takes a few more hash operations and XOR operations for the server and client. Due to the security weaknesses in related schemes, we applied symmetric encryption and decryption to ensure the confidentiality and integrity of transmitted packets. This feature makes the proposed scheme effective.

VII. CONCLUSION AND FUTURE WORK
The paper demonstrates how a combination of ID-based encryption with biometrics can be effective and better suited to e-Government environments. Moreover, the new biometric-identity-based scheme can be integrated into e-Government systems as the main authentication method and for secure communication as well. The proposed scheme aims to initiate secure authentication and communication between the client and server by building a robust mechanism between communicating government parties. The presented protocol is described as a three-way handshake procedure to establish a reliable connection and ensure secure data sharing. Moreover, we have simulated and validated the behaviour of the proposed protocol using finite-state machines and Petri nets.
In future, an in-depth security analysis and evaluation will be conducted to thoroughly assess security vulnerabilities and weaknesses. Furthermore, it is essential to consider using Petri Nets to add an intruder model and implement a token-passing scheme. At that stage, we will examine different attacks, such as impersonation attack, man-in-the-middle attack, and replay attack, against the proposed scheme and verify its security.
FSM five-tuple (Q, ∑, , σ, ԛ 0 ) of Section IV, where:
- Q: finite set of symbols denoting states
- ∑: set of symbols denoting the possible inputs
- : set of symbols denoting the possible outputs
- σ: transition function mapping Q x ∑ to Q x 
- ԛ 0 ∈ Q: initial state.

Fig. 1. Proposed protocol FSM model.

Fig. 2. The Petri net graph representing the new protocol.

TABLE 1. NOTATIONS
F p : A finite field
E: An elliptic curve over the finite field F
G: The group of elliptic curve points on E
P: A point on the elliptic curve E with order n
xP: Point multiplication on the elliptic curve
y: A piece of secret information maintained by the server
(x, Pub_K s ): The server S's private/public key pair, where Pub_K s = xP
r C i , r S i : Random numbers chosen by C i and S i respectively
H(.): A secure one-way hash function
MAC k (m): The secure message authentication code of m under the key k
⊕: XOR operation
H 1 (.): a secure one-way hash function, where H 1 : {0, 1}* → Z * n
H 2 (.): a secure one-way hash function, where H 2 : {0, 1}* → Z * p
H 3 (.): a secure one-way hash function, where H 3 : {0, 1}* → Z * p
H 4 (.): a secure one-way hash function, where H 4 : {0, 1}* → Z * p

Message Authentication Code function (MAC): typically, the MAC function takes as input a secret key and a data block and produces a hash value.

to the server S i . Then S i verifies the received message by checking the MAC integrity. After validating it, S i sends a challenge message {ID C i , T S i , W 2 , M 6 , M 7 , MAC k (ID C i , T S i , W 2 , M 6 , M 7 )} to C i . Next, C i checks the validity of the received message, M 7 ≟ H 4 (M 4 || r C i ), and accepts or rejects the server request according to the verification result. Finally, C i sends a response message M 9 = H 4 (H 4 (ID C i || y) r S i ) || r S i ) to S i . Upon receiving the message, S i verifies whether M 9 ≟ H 4 (M 6 || r S i ) holds. If so, S i authenticates client C i and allows access. During the process, both S i and C i compute the session key sk = H 3 (ID C i , T C i , T S i , W 1 , W 2 , (r S i . r C i . P)) successfully.