Al-Kunooze Scientific Journal ISSN 2706-6231 (Online) , ISSN 2706-6223 (Print)
Vol.(1)(1). August2019 http://journals.kunoozu.edu.iq/1/issue/4/articles
Promising One-Time Bio-MAC Using Iris Features and Duplicate
Steganography in Cloud Computing
Zaid Ameen Abduljabbar (1,2), Mohammed Abdulridha Hussain (1,2), Ali A. Yassin (1,2),
Ayad Ibrahim (1), Mustafa Salah Khalifa (1), Zaid Alaa Hussien (3)
(1) University of Basrah, College of Education for Pure Sciences, Basrah, Iraq.
(2) Al-Kinoouze University College, Technical Computer Engineering Dept.
(3) Southern Technical University, Basrah, Iraq.
Corresponding author:
Abstract
Cloud computing is a promising revolution in the field of information technology for
both the research community and leading companies. However, it faces a range of
security issues. Authentication and integrity are critical issues in the data security
field, and considerable interest has been raised in detecting or preventing any
tampering with data exchanged between a sender and a receiver within the cloud
environment. Many methods in this field can be powerless against known modification
and malicious attacks. A powerful method is therefore needed to prevent any
modification or manipulation of data during transmission. In this paper, we propose a
new message authentication code (MAC) based on combining feature extraction from the
user's iris with duplicate steganography based on the discrete wavelet transform. The
combination preserves the integrity of the user's message and prevents malicious
attacks such as insider, forgery and replay attacks. Our proposed scheme enjoys several
important security attributes, such as bio-key management, a user's one-time bio-key,
phase key agreement, robust message anonymity, data integrity for a user's message,
duplicate steganography and a one-time MAC for each user's session. Finally, our
security analysis and experimental results demonstrate and prove the invulnerability
and efficiency of our proposed scheme.
Keywords: Cloud Computing; Iris; Duplicate Steganography; One-Time Bio-key; One-Time
Message Authentication Code; MAC.
The Future of Using a One-Time Bio-MAC with Iris Features and Duplicate Steganography
in Cloud Computing
Abstract
Cloud computing is the promising revolution in the field of information technology for
both the research community and leading companies. However, it faces various problems
with regard to security. Authentication and integrity are an important problem in the
field of data security, and various concerns have been raised about detecting or
guarding against any tampering with the exchange of data between a sender and a
receiver within the cloud environment. Many methods in this field can be powerless
against known modification and malicious attacks. A strong method is therefore needed
to prevent any modification or manipulation of data during transmission. In this paper,
we propose a new message authentication code (MAC) based on combining feature
extraction from the user's iris with duplicate steganography. The result of the
combination is to preserve the integrity of the user's message and to prevent malicious
attacks such as insider, forgery and replay attacks. Our proposed scheme has many
important security attributes, such as bio-key management, a one-time bio-key, phase
key agreement, strong message anonymity, data integrity for the user's message,
duplicate steganography, and a one-time MAC for each user session. Finally, our
security analysis and experimental results demonstrate and prove the invulnerability
and efficiency of our proposed scheme.
Keywords: Cloud computing; Iris; Duplicate steganography; One-time bio-key; One-time
message authentication code; MAC.
I. INTRODUCTION
In recent years a huge volume of many different types of data has been transferred over
the Internet as a result of the rapid growth of modern information digitalization
techniques such as cloud computing [1]. Text is one of the most significant and most
widely used mediums for transmitting data, along with image, audio, and video. Cloud
computing is generally regarded as the next generation's computing infrastructure and
as an effective way of enabling users to utilize a large volume of resources and to
provide an efficient and readily available on-demand service [2]. However, cloud
computing faces many security challenges, as seen in IDC's statistics [3]. Its
successful deployment depends on the existence of strong security techniques. Due to
the essential need for message protection when two parties are transmitting within the
cloud environment, efficient and robust automatic methods are required to identify and
validate the contents of text messages. In other words, the protection of messages
against malicious attacks such as replay, forgery and insider attacks is one of the most
important security issues in fields such as cloud computing and green computing.
The issues of message authentication and integrity have been addressed as urgent
matters and many achievements have been presented by researchers in recent years
[1, 4-10]. A common way of preventing the manipulation of messages during transmission
between two endpoints is the use of cryptographic one-way hash functions [4-10].
Unfortunately, MAC research has some drawbacks, which are described in more detail in
the Related Works section. The major drawback of a MAC is that it does not appear to be
capable of ensuring the high level of security required when it is used alone as a pure
MAC. For this reason, Zhenxing Liu et al. [9] have integrated the MAC with a timestamp
factor. This allows the hashed value to change each time and every user's message to be
used only once.
The above problems can be overcome by combining more powerful assurance factors with
the MAC. Thus, in this paper, we propose an efficient and secure scheme for protecting
text from being manipulated or tampered with during transmission between users in the
cloud environment. The algorithm integrates a biometric technique, which uses robust
iris features extracted with a 2-D Gabor filter after an intersection between the
sender's iris and the receiver's iris, a crypto-hash function, and double
steganography. These are used together to protect the user's message from being
modified. Thus, the MAC is generated through the combination of these robust features
to make it more resistant to malicious attacks such as insider attacks. Thereafter,
the one-time bio-hashed value is hidden in a cover image using duplicate
steganography. We prove that our proposed scheme keeps these attributes based on the
one-time bio-key management assumption, duplicate steganography, and the anonymous
message code for messages exchanged between sender and receiver. Our proposed scheme
is a well-structured procedure with respect to various queries and requires regular
verification to decrease the audit costs per verification phase. Also, our paper
provides integrity in terms of cloud security, which involves high-ranking and pressing
issues related to cloud computing, as mentioned in IDC's statistics [3].
The main contributions of our scheme to the cloud environment in general, and to
message authentication and integrity in particular, are: (1) Our proposed scheme
addresses all the previous weaknesses, creating a new robust message authentication
scheme which uses robust feature extraction from shared biometric iris information,
cryptography in the form of a one-way hash function, and duplicate steganography to
protect message integrity and authentication. (2) Both service providers and users can
achieve robust authenticated phase keys. (3) It is computationally efficient and
integrates simply with the available infrastructure. (4) Our scheme is very effective
against many attacks such as replay attacks, insider attacks and reflection attacks.
(5) The main idea behind our efficient scheme has been to find the best choice of
parameter value to reduce the computational cost of cloud audit services.
This paper is organized as follows. Section II describes in depth the most significant
and widespread text authentication solutions and compares them with our scheme.
Section III reviews the preliminary concepts underlying our proposed scheme, while in
Section IV we describe the proposed scheme in terms of both the configuration phase and
the verification phase. Section V contains a security analysis with respect to
well-known attacks. In Section VI the implementation and performance are described.
Finally, Section VII concludes the paper.
II. RELATED WORKS
Previously, various authors have proposed different message authentication code
(MAC) schemes to provide authentication and integrity for transmitted messages.
The concept of message anonymity was presented by N. Rabadi and S. Mahmud [4],
who proposed a protocol for vehicle-to-vehicle message authentication by MAC,
providing anonymity, authentication and message integrity. The concept of
hash MAC anonymity depends on the timestamp, which is a one-time factor used to
generate an anonymous message. The authors have proved that the processing time for
a MAC is less than that for a digital signature. However, this scheme suffers from
additional cost because it requires an extra tamper-resistant hardware device on each
vehicle to save its ID and the shared symmetric secret. Moreover, the security analysis
of the proposed protocol is not discussed, and the authors' work is not clear about
whether the proposed approach could preserve authentication and maintain integrity
against various attacks.
We present a robust scheme here to overcome these problems via the cloud environment
and iris biometrics. Our work uses CSP and RSA to establish phase key agreement
between users; it also uses a one-time bio-key to generate robust message anonymity.
Moreover, it does not need an extra tamper-resistant device, since the iris biometric
is more descriptive (each user has a unique iris, which differs from eye to eye) and
more secure (e.g. much harder to steal), as long as it uses duplicate steganography to
hide the bio-MAC.
Three years later the same concept was presented by Zhenxing Liu et al. [5], who
suggested a hash-based secure interface between two entities over the Internet which
uses a one-time shared private key, a public hash function, a timestamp and a validity
period to generate one-time message anonymity. The weakness of this scheme is that the
authors only briefly discussed the security analysis. It is also not clear which types
of attacker it could withstand. The idea of integrating the function of a smart card
with a one-way hash function was presented by Zi-ming Zhao et al. [6], who proposed
an efficient user-to-user authentication scheme in a peer-to-peer environment.
In spite of using a public key infrastructure, the authors firstly used a one-way hash
function and secondly a smart card to provide a scheme with strong security and minimal
computational cost. The drawback of a smart card is that it is a complex device,
and that a card reader would need to be added at extra cost. It also requires an
additional middleware application to match the smart card with communication
standards. Our work overcomes this drawback by using iris biometric features, where
the user's iris data is taken once only and can be used for subsequent valid user
logins. Moreover, a smart card could be stolen or lost, while in our scheme
no sender can guess or steal the iris of the receiver and vice versa, because we use a
bio-shared image, which is generated from the intersection between the sender's iris
and the receiver's iris.
Another idea for a one-time key was introduced by Castiglione A. et al. [7], who
proposed a robust one-time authentication protocol based on two cryptographically
strong building blocks, an authenticated key exchange and a keyed Hash Message
Authentication Code (HMAC) between two endpoints. This enables transparent mutual
authentication between two endpoints. Moreover, Key Setup, Key Scheduling and Key
Update operations are accomplished independently by both endpoints. This scheme
therefore suffers from a drawback in the form of complexity, because more operations
are required (Key Setup, Key Scheduling and Key Update). By comparison, our scheme
presents a one-time authentication scheme using a one-time key and random numbers, in
which the MAC is valid only for one user's login and which strikes a good balance
between simplicity and security. Moreover, our scheme is more robust in that it
integrates an iris biometric key with a keyed-hash function, which provides robust
message anonymity.
The concept of a biometric key was proposed by Al-Assam, H. et al. [8], who suggested
a scheme that combines steganography with biometric cryptosystems to ensure robust
remote mutual authentication between two parties as well as a key exchange that
facilitates one-time stego-keys. The aim behind this scheme was to hide the one-time
bio-key when transferring it over an insecure channel and also to prevent replay
attacks. The weakness of this approach is that the steganography technique requires
more computational cost. Our scheme overcomes this issue by sending the start point
and the end point of the iris features vector between sender and receiver, instead of
sending an explicit key between them, so that the steganography is not required.
Moreover, in our design, since the sender and receiver share information about their
irises in the form of the bio-shared image, this offers mutual authentication and
establishes a trusting relationship between them. Thus the user will be able to tell
whether the message is coming from an authenticated user or not. Recently, Z. A.
Abduljabbar [9] introduced the idea of a one-time biometric MAC based on a one-time
biometric key extracted from a manual signature. In contrast, we generate the one-time
biometric key from the characteristics of the iris, which is more powerful than the
manual signature. In addition, both the one-time bio-key and the bio-MAC are
hidden in a duplicated manner based on DWT.
In [10], Jin Xu et al. present an efficient One-Key Carter-Wegman Message
Authentication Code called a One-key Galois Message Authentication Code
(OGMAC). This scheme uses one key and a universal hash function, instead of two
keys. Moreover, our scheme is made more robust by embedding the iris features with a
cryptographic one-way hash function along with duplicate steganography to provide
simplicity and security.
Unfortunately, we may observe that most of the above schemes have several drawbacks. In
our design we propose a new text authentication approach for generating a secure and
robust hash function that depends on feature extraction from both the sender's and
receiver's iris (bio-shared image). Firstly, the features are extracted from a
bio-shared image by using a 2-D Gabor filter to construct a wide-range 1024-D feature
vector. Secondly, the one-time bio-key is generated and integrated with a cryptographic
hash function to generate a secure, anonymous, biometric one-time message code.
Thirdly, this bio-MAC is safely protected by duplicate steganography. Finally, the
message integrity check is done at the receiver in the verification phase. Furthermore,
our scheme provides a combination of many security features, including extraction of
the user's iris features, a one-time bio-key for each user's login which is extracted
from a wide range of iris features, robust user message anonymity by means of a
salt-key $S_k$ and other random numbers, phase key agreement and a one-time message key
for each user's login. These characteristics can protect messages from being modified.
The security analysis and experimental results show that our scheme is robust, secure
and efficient from the viewpoint of low processing time for generating and verifying
MACs. The security features are shown in Table I and we present a comparison of
security properties in Table II.
Table I. Security Features
| Feature | Definition |
|---|---|
| C1 | One-time key is generated once when the valid user wants to submit a message. |
| C2 | Bio-key is extracted from iris features by using a 2-D Gabor filter. |
| C3 | The MAC of the user's message is secure when he wants to perform the login phase for sending a message to another user, where the MAC in use is kept unknown by using a one-time bio-key and random numbers. |
| C4 | Phase key agreement is established between sender and receiver via CSP and RSA techniques. They can use this key in the following user logins. |
| C5 | Sender and receiver can authenticate each other by using the bio-shared image, which contains shared information from the sender's iris and the receiver's iris. |
| C6 | One-time bio-key extracted from the shared bio-image for transmitting messages between sender and receiver. |
| C7 | RSA asymmetric encryption/decryption approach provides a secure channel through the configuration phase. |
| C8 | Message transmitted between sender and receiver over the cloud environment. |
| C9 | Using duplicate steganography to hide the one-time biometric MAC. |
Table II. Comparison of Authentication Schemes
| Feature | Our Scheme | N. Rabadi and S. Mahmud [4] | Zhenxing Liu et al. [5] | Zi-ming Zhao et al. [6] | Castiglione A. et al. [7] | Al-Assam, H. et al. [8] | Abduljabbar Z. A. [9] |
|---|---|---|---|---|---|---|---|
| C1 | Yes | No | Yes | No | Yes | Yes | Yes |
| C2 | Yes | No | Yes | No | No | Yes | Yes |
| C3 | Yes | Yes | Yes | No | No | No | Yes |
| C4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| C5 | Yes | Yes | No | Yes | Yes | Yes | Yes |
| C6 | Yes | No | No | No | No | Yes | Yes |
| C7 | Yes | No | No | No | No | No | Yes |
| C8 | Yes | No | Yes | No | No | No | Yes |
| C9 | Yes | No | No | No | No | No | No |
C1: One-time key; C2: Bio-key; C3: One-time message anonymity; C4: Session key agreement; C5: Mutual
authentication between two parties; C6: Biometrics key management; C7: Secure channel; C8: Cloud
environment; C9: Duplicate steganography
III. PRELIMINARIES AND REQUIREMENTS
A. RSA
This scheme was proposed in 1977 by Ronald Rivest, Adi Shamir and Leonard
Adleman. The security of RSA is based on the difficulty of factoring large numbers.
However, it is several times slower than others such as AES and elliptic curves.
Therefore, it is used to encrypt pieces of data, for example keys that are to be
transmitted between two entities over an insecure channel [11]. Thus, the RSA concept
of public key and private key cryptography is used in our work to establish secure
distribution of the sender's iris, the receiver's iris and a shared key between the
sender, the receiver and the cloud service provider, to be employed in the registration
phase and the verification phase over an insecure communication channel.
B. Feature Extraction of the Iris
Iris recognition is one of the most promising approaches because the iris has its own
patterns that differ from eye to eye and from individual to individual, which leads to
uniqueness, stability, and noninvasiveness [12]. The bio-key in our proposed scheme is
generated from iris features. A 2-D Gabor filter is applied in our scheme to
extract features from normalized irises to construct a bio-key, which is used to
generate a message authentication key. Many researchers have proposed diverse methods
to extract the significant features from the normalized iris. A Gabor filter is often
used for iris recognition [12]. Daugman [13] uses a 2-D Gabor filter, and
S. Hariprasath [14] also adopts a 2-D Gabor filter in his work. Gabor filters have a
Gaussian shape in both the spatial and frequency domains. For this reason,
they are stable under several transformations including translation, rotation, and
scaling. Their noise tolerance is also remarkable. This robustness makes Gabor filters
appealing for object recognition, and they are therefore widely used to extract
features from an iris image in iris recognition systems [14].
For this reason, a Gabor filter is used in our scheme to extract data from the
normalized iris data, and we use the preprocessing method described in [14] for
localizing and normalizing the iris. Also, we define a region of interest (ROI) as
defined in [15]. We then normalize the ROI into a rectangular block of 256 × 64 pixels
(as shown in Figure 1).
Figure 1. Preprocessing of iris
A set of 2-D real Gabor filters with various orientations ($\theta = 0^\circ, 45^\circ,
90^\circ$ and $135^\circ$) is used to filter the normalized iris image. Some examples
of the filtered image are shown in Figure 2. Each filtered image is then equally
divided into 16×16 blocks, and the mean of each block is computed. Thus, we can obtain
16×16×4 = 1024 values from an iris image. After normalizing each value to an integer in
the range [0, 1024], the outcome is a 1024-D feature vector:
$V = (X_1, X_2, X_3, X_4, \ldots, X_{1024})$
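The block-mean construction described above, as an added Python example (not the authors' implementation): it filters an image with four real Gabor kernels, averages each filtered image over a 16 × 16 grid of blocks, and scales the resulting 1024 means to integers in [0, 1024]. The kernel size, sigma, wavelength, border handling, min-max scaling and the synthetic input image are assumptions, since the paper does not state them.

```python
import math
import random

ORIENTATIONS_DEG = (0, 45, 90, 135)  # the four orientations named in the text
GRID = 16                            # 16 x 16 block means per filtered image


def gabor_kernel(theta_deg, size=7, sigma=2.0, wavelength=4.0):
    """Real (cosine) 2-D Gabor kernel; size, sigma, wavelength are assumed."""
    theta = math.radians(theta_deg)
    half = size // 2
    kernel = []
    for y in range(-half, half + 1):
        row = []
        for x in range(-half, half + 1):
            xr = x * math.cos(theta) + y * math.sin(theta)
            yr = -x * math.sin(theta) + y * math.cos(theta)
            envelope = math.exp(-(xr * xr + yr * yr) / (2 * sigma * sigma))
            row.append(envelope * math.cos(2 * math.pi * xr / wavelength))
        kernel.append(row)
    return kernel


def filter_image(img, kernel):
    """Correlate img with kernel, clamping coordinates at the borders."""
    h, w = len(img), len(img[0])
    half = len(kernel) // 2
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            acc = 0.0
            for ky, krow in enumerate(kernel):
                src = img[min(max(y + ky - half, 0), h - 1)]
                for kx, kv in enumerate(krow):
                    acc += kv * src[min(max(x + kx - half, 0), w - 1)]
            out[y][x] = acc
    return out


def block_means(img, grid=GRID):
    """Split img into grid x grid equal blocks and return each block's mean."""
    h, w = len(img), len(img[0])
    if h % grid or w % grid:
        raise ValueError("image sides must be multiples of the grid size")
    bh, bw = h // grid, w // grid
    means = []
    for gy in range(grid):
        for gx in range(grid):
            total = sum(img[y][x]
                        for y in range(gy * bh, (gy + 1) * bh)
                        for x in range(gx * bw, (gx + 1) * bw))
            means.append(total / (bh * bw))
    return means


def feature_vector(img):
    """4 orientations x 256 block means, min-max scaled to integers 0..1024."""
    raw = []
    for theta in ORIENTATIONS_DEG:
        raw.extend(block_means(filter_image(img, gabor_kernel(theta))))
    lo, hi = min(raw), max(raw)
    span = (hi - lo) or 1.0
    return [round((v - lo) / span * 1024) for v in raw]


def synthetic_image(width, height, seed):
    """Constructed grey-level texture standing in for a normalized iris."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]


if __name__ == "__main__":
    v = feature_vector(synthetic_image(256, 64, seed=1))  # 256 x 64 as in the text
    print(len(v), v[:8])
```

On a 256 × 64 input each of the 16 × 16 blocks covers 16 × 4 pixels, which is how four filtered images yield exactly 1024 values.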
C. Hash Functions
SHA Family: The Secure Hash Algorithm is a family of cryptographic hash functions
issued by the National Institute of Standards and Technology (NIST) as a U.S. Federal
Information Processing Standard (FIPS). SHA-0 is the original version of the 160-bit
hash function issued in 1993 under the name 'SHA'. It was replaced shortly after it was
issued by the slightly revised version SHA-1, which was issued by NIST in 1995 as a
Federal Information Processing Standard [20] as a new and more robust function to be
used in cryptographic applications. SHA-1 uses the same design as MD5. It
works on 512-bit blocks and generates digests of 160 bits (20 bytes). SHA-1 has been
applied by many governments in order to enforce industry security standards. It is
considerably more robust against malicious attacks [33, 34]. Another family of hash
functions was presented by the NSA. This consists of two closely related hash
functions with different block sizes, known as SHA-256 and SHA-512. The word sizes
also differ; SHA-256 uses 32-bit words whereas SHA-512 uses 64-bit words. There are
also truncated versions of each standard, known as SHA-224 and SHA-384 [16].
Figure 2. Images filtered by the 2-D real Gabor filter
IV. OUR PROPOSED SCHEME
Our proposed scheme is composed of two phases, the configuration phase and the
verification phase. The configuration phase is performed only once; in it, a bio-shared
image and a shared key are received by both the sender and the receiver. The
verification phase is invoked every time a user wants to send an authenticated message
to another user. In the configuration phase, the main components (Cloud Service
Provider, Sender, Receiver) use RSA, a cryptographic hash function $h(\cdot)$ and
symmetric key encryption/decryption $Enc(\cdot)/Dec(\cdot)$. It is important to
emphasize that they only need to run RSA for secure data transmission among ($CSP$,
$S$ and $R$) over an insecure channel. Such an operation is necessary only for the
configuration phase and not for the later ones. Therefore, the $CSP$ is not needed at
run time. The configuration phase performs the following steps:
• RSA is run by ($CSP$, $S$ and $R$) in order to generate a public key and a private
key, which are used to secure the irises transmitted from the sender and receiver to
the $CSP$. Then, the $CSP$ sends its public key $PU_{CSP}$ to both the sender ($S$) and
the receiver ($R$) for encrypting their irises ($IR_s$, $IR_r$) and returning them to
the $CSP$.
• Upon receiving the encrypted ($IR_s$, $IR_r$), the $CSP$ decrypts the received irises
by using its private key $PR_{CSP}$, saves ($IR_s$, $IR_r$), generates a bio-shared
image by intersection ($Sh = IR_s \cap IR_r$) and computes a shared key
$Sh_k = FX(Sh)$ as shown in figure 4, where $FX$ refers to a feature extraction
function that employs a 2-D Gabor filter to extract features from the normalized iris
data.
• Having done this, the $CSP$ encrypts ($Sh$, $Sh_k$) by using ($PU_S$, $PU_R$) and
transmits them to the sender and receiver respectively. Finally, both the sender and
the receiver decrypt the received ($Sh$, $Sh_k$) by using their private keys
($PR_S$, $PR_R$).
• After the configuration phase, the sender/receiver can use his or her bio-shared
image to extract features, and then generate a one-time anonymous key and a
bio-key for completing the verification phase.
The verification phase is described as follows.
1. $S \rightarrow R$: $M, M', I_i', E', P$. $S$ performs the following steps:
• Assume the sender's message is $M$.
• Generate a one-time salt-key $S_k = FX(Sh) \rightarrow I_i, E$, where $FX$ represents
a function to compute feature extraction, and $I_i$ and $E$ are the start point and end
point of the extracted features. Both $I_i$ and $E$ are selected randomly once. The $E$
parameter must not exceed the length of the feature vector, which is 1024.
• Generate a random number $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$ and compute
a one-time anonymous message code (if the sender resends the same message to the
receiver or vice versa) $M' = h(M \| S_k \| r_i)$.
• Compute $I_i' = I_i \oplus Sh_k$ and $E' = E \oplus I_i$.
• $I_i'$ and $E'$ can be separately stored in the cover image.
• Embed $M'$ into the cover image using the duplicate steganography mechanism [17].
• Send $M$ and the cover image, which contains ($M'$, $I_i'$ and $E'$), to $R$.
2. $R$ checks the integrity of the received message as follows:
• $I_i'$ and $E'$ can be extracted from the cover image separately.
• Compute $I_i'' = I_i' \oplus Sh_k$ and $E'' = E' \oplus I_i''$.
• Regenerate $S_k' = FX(Sh(I_i'', E''))$ depending on the start position of the
extracted features ($I_i''$) and the end point of the extracted features ($E''$).
Extract the random number $r_i' = FX(Sh(P \in (I_i'', E'')))$. Then, $R$ computes
$M'' = h(M' \| S_k' \| r_i')$; if $M''$ matches $M'$, the receiver is assured of the
integrity of the message that is submitted by the sender. Otherwise, the verification
phase terminates.
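The verification exchange described above, as an added Python example (not the authors' code) showing both sides: the sender's packet $(M, M', I_i', E', P)$ and the receiver's check. It assumes SHA-256 for $h(\cdot)$, reduces $Sh_k$ to a 32-bit integer for the XOR steps, has the receiver hash the received $M$ so that the result can be compared with $M'$, uses a constructed feature vector in place of $FX(Sh)$, and passes $M'$, $I_i'$ and $E'$ directly instead of embedding them in a cover image. Function names such as `sender_build` and `receiver_verify` are hypothetical.

```python
import hashlib
import hmac
import random
import secrets

VECTOR_LEN = 1024  # length of the feature vector FX(Sh)


def pack(values):
    """Serialize feature values (integers 0..1024) as 2-byte big-endian words."""
    return b"".join(v.to_bytes(2, "big") for v in values)


def derive_shk(features):
    """Assumption: Shk is reduced to a 32-bit integer so it can be XORed."""
    return int.from_bytes(hashlib.sha256(pack(features)).digest()[:4], "big")


def bio_mac(message, sk, ri):
    """M' = h(M || Sk || ri), with SHA-256 standing in for h(.)."""
    return hashlib.sha256(message + pack(sk) + ri.to_bytes(2, "big")).digest()


def sender_build(message, features, shk):
    """Sender side of step 1: pick Ii, E, P once and build (M, M', Ii', E', P)."""
    ii = secrets.randbelow(VECTOR_LEN - 1)           # start point Ii
    e = ii + 1 + secrets.randbelow(VECTOR_LEN - ii)  # end point, Ii < E <= 1024
    p = ii + secrets.randbelow(e - ii)               # position P, Ii <= P < E
    sk = features[ii:e]                              # one-time salt-key Sk
    ri = features[p]                                 # random number ri at P
    return {"M": message, "M1": bio_mac(message, sk, ri),
            "Ii1": ii ^ shk,                         # Ii' = Ii xor Shk
            "E1": e ^ ii,                            # E'  = E xor Ii
            "P": p}


def receiver_verify(packet, features, shk):
    """Receiver side of step 2: recover Ii'', E'', rebuild Sk', ri', compare."""
    ii = packet["Ii1"] ^ shk                         # Ii'' = Ii' xor Shk
    e = packet["E1"] ^ ii                            # E''  = E' xor Ii''
    p = packet["P"]
    if not (0 <= ii < e <= VECTOR_LEN and ii <= p < e):
        return False                                 # decoded indices out of range
    expected = bio_mac(packet["M"], features[ii:e], features[p])
    return hmac.compare_digest(expected, packet["M1"])  # constant-time compare


def constructed_features(seed):
    """Constructed stand-in for FX(Sh); a real vector comes from the iris image."""
    rng = random.Random(seed)
    return [rng.randrange(1025) for _ in range(VECTOR_LEN)]


if __name__ == "__main__":
    fx = constructed_features(7)
    shk = derive_shk(fx)
    first = sender_build(b"Zaid Ameen", fx, shk)
    second = sender_build(b"Zaid Ameen", fx, shk)
    print(first["M1"].hex(), receiver_verify(first, fx, shk))
    print(second["M1"].hex(), receiver_verify(second, fx, shk))
    tampered = dict(first, M=b"Zaid Amin")
    print("tampered message accepted:", receiver_verify(tampered, fx, shk))
```

The range check before slicing matters on the receiver: a modified $I_i'$ or $E'$ usually decodes to indices outside the 1024-element vector, and rejecting them early avoids hashing an empty or truncated $S_k'$.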
V. SECURITY ANALYSIS
Here, we argue that the proposed scheme can also withstand several threats to security
such as replay attacks and insider attacks. Our proposed scheme has a number of merits
and contains a one-time bio-key, a one-time anonymous message code, key agreement,
and duplicate steganography.
Theorem 1. Our proposed scheme can provide robust user message anonymity.
Proof. Assume a sender/receiver attempts to resend the same message which has been
sent previously. If an adversary tries to eavesdrop on the sender's login request
$(M, M', I_i', E', P)$, he cannot use the same sender's message authentication code
($M' = h(M \| S_k \| r_i)$), because the sender generates $r_i$ and $S_k$ once for each
sender's request. $r_i$ and $S_k$ are extracted from the intersection of the receiver's
iris and the sender's iris: $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$;
$S_k = FX(Sh) \rightarrow I_i, E$; $Sh = IR_s \cap IR_r$, where $FX$ is a function
required to compute feature extraction, and $I_i$ and $E$ are the start and end points
of the extracted features. Both $I_i$ and $E$ are selected randomly once.
Additionally, an adversary does not have the main keys $(Sh, I_i', E', P)$ to compute
the crypto hash function $M'$. Hence, it is much harder for an adversary to disclose the
sender's message authentication code. Clearly, our proposed scheme can support users'
message anonymity (see Table III).
Table III: Explain message anonymity
| Message | MAC |
|---|---|
| Zaid Ameen | '51a113eaf788ab2f5bc8eeef6c97329daec6897e' |
| Zaid Ameen | '729d17aa029c59c0da60373ceb306695dbf238dd' |
Theorem 2. Our proposed scheme can provide a biometric message authentication code.
Proof. The biometric operator can identify a person by means of particular
physiological features such as iris recognition. The iris is the most effective form of
security used in biometrics and can overcome well-known attacks. In the configuration
phase, the sender ($S$) and receiver ($R$) send their irises ($IR_s$, $IR_r$) to the
$CSP$ through a secure channel. Then the $CSP$ saves ($IR_s$, $IR_r$), generates a
bio-shared image ($Sh = IR_s \cap IR_r$) and sends $Sh$ to the sender and receiver.
During the verification phase, when the sender/receiver wishes to send a message from
one to the other, a biometric message authentication code $M' = h(M \| S_k \| r_i)$
must be generated, based on the salt-key $S_k = FX(Sh) \rightarrow I_i, E$ and a random
number $r_i \in FX(Sh) = FX(Sh(I_i, E)) \rightarrow P$. Clearly, our
proposed scheme can support biometric message authentication codes.
Theorem 3. Our proposed scheme can provide biometric-key management.
Proof. In our proposed scheme, when the sender sends a message ($M$) to the receiver
or vice versa, a secret salt-key $S_k = FX(Sh) \rightarrow I_i, E$ is used to compute
$M' = h(M \| S_k \| r_i)$. Additionally, the mechanism of computing $S_k$ is based on
($I_i$, $E$), where $I_i$ is the start point of the extracted features and $E$ is the
end point of the extracted features. Both $I_i$ and $E$ are selected one time randomly
and concealed in the cover image using duplicate steganography. As a result, an
attacker cannot access the session keys, and so is still unable to obtain the main
parameters ($S_k$, $Sh$) that were generated in the configuration phase by the $CSP$,
or ($I_i$, $E$, $P$) that were generated in the verification phase by the sender.
Therefore, our work supports biometric-key management.
Theorem 4. Our scheme can prevent a replay attack.
Proof. An attacker performs a replay attack by eavesdropping on the login message which
is sent by a rightful sender to the receiver. When the exchange between sender and
receiver is over, the attacker reuses this message to impersonate the valid user after
he logs off the system. In our proposed scheme, each new sender's login request must
be identical with the CSP's keys $Sh, Sh_k, IR_s, IR_r$. Therefore, an adversary cannot
pass any replayed message through the receiver's verification. As a result, an
adversary fails to apply this type of attack and our proposed scheme is much harder to
attack by replay.
Theorem 5. Our scheme can prevent a forgery attack or a parallel-session attack.
Proof. If any adversary is attempting impersonation, a valid session message
$M, M', I_i', E', P$ can be accessed only by using the secret parameters
$Sh, S_k, Sh_k, r_i, I_i, E, P$. An adversary does not have any information about
$Sh, Sh_k, IR_s, IR_r$ to compute $(M', I_i', E', P)$. Lastly, an adversary will fail to
forge a valid session message and therefore cannot use a forgery attack. Our proposed
scheme can thus prevent forgery attacks.
VI. IMPLEMENTATION AND RESULTS
To evaluate the efficiency and accuracy of our proposed scheme, we have executed
several experiments. Firstly, Figure 3 shows the processing time of the verification
phase. The average time for the verification phase of our scheme is 0.268 seconds for
each user, which indicates the strong performance of our proposed scheme. This average
time has been obtained from 200 runs of our proposed scheme, with each run consisting
of 10000 users. Furthermore, the evaluation parameters are shown in Table IV. The
time requirement for our proposed scheme is shown in Table V. Secondly, with regard
to system efficiency, we study the accuracy of our work. In practical terms, Figure 4
shows that we get 100% accurate results from 10,000 users in our experiment. For
greater visibility, we use 2,000 users in Figure 3 and 5,000 users in Figure 4.
Table IV: Evaluation parameters

| Symbol | Definition |
|--------|------------|
| 𝑇𝑅𝑆𝐴 | Time processing of RSA. |
| 𝑇ℎ | Time processing of a hash function. |
| 𝑇𝑋𝑜𝑟 | Time processing of Xor function. |
| 𝑇𝑂𝑝𝑟 | Time processing of mathematical operations such as multiplication, addition and subtraction. |
| 𝑇‖ | Time processing of concatenation function. |
| 𝑇𝑆𝑇 | Time processing of duplicate steganography. |

Figure 3 shows the performance of our proposed scheme
Table V. Performance of our proposed scheme

| Phase | CSP | Sender | Receiver |
|-------|-----|--------|----------|
| Configuration | 𝑇𝑅𝑆𝐴 + 𝑇𝑂𝑝𝑟 | 𝑇𝑅𝑆𝐴 | 𝑇𝑅𝑆𝐴 |
| Verification | | 4𝑇𝑂𝑝𝑟 + 1𝑇ℎ + 2𝑇‖ + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇 | 2𝑇𝑂𝑝𝑟 + 𝑇ℎ + 2𝑇‖ + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇 |
| Total | 𝑇𝑅𝑆𝐴 + 𝑇𝑂𝑝𝑟 | 𝑇𝑅𝑆𝐴 + 4𝑇𝑂𝑝𝑟 + 1𝑇ℎ + 2𝑇‖ + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇 | 𝑇𝑅𝑆𝐴 + 2𝑇𝑂𝑝𝑟 + 𝑇ℎ + 2𝑇‖ + 𝑇𝑋𝑜𝑟 + 𝑇𝑆𝑇 |

Figure 4 shows the accuracy result of our proposed scheme
VII. CONCLUSION
First, as mentioned above, our paper includes a literature review of the achievements and
weak points in data integrity and authentication over recent years. It then
presents a new and efficient biometric message authentication code for use between users in
the cloud computing environment. The method relies on iris-biometric
feature extraction to generate a symmetric bio-key. The aim of this
scheme is to provide more roles and to prevent known attacks. Its substantial
aspects and advantages are as follows. Firstly, an adversary may fail to get the keys because
they depend on iris feature extraction. Secondly, an adversary may not get the
bio-shared image because it depends on the intersection of the sender's and receiver's irises.
[Plot: Accuracy versus Sender's/Receiver's Attempts, with series Sender and Receiver]
Thirdly, it provides a one-time bio-key that leads to one-time message anonymity.
Fourthly, it provides biometric key management. Fifthly, authentication is linked to
the user's biometric. Additionally, the proposed scheme has the ability to resist replay
attacks and forgery attacks, as shown in the security analysis section. Finally, the
performance of our presented scheme has been shown to achieve robust security
with minimal processing time and cost compared with predecessors' schemes. We
can conclude that the integration of the shared iris biometric features of two
endpoints, the cryptographic one-way hash function, and duplicate steganography is
secure enough to prevent the message from being modified during transfer between
users. Furthermore, this technique can be used to maintain the authentication of the
transferred message, verify the integrity of the received message, and prove the origin
of the sender. Overall, our scheme provides simplicity of use and security.
Acknowledgements
This article is an extended version of our paper entitled "An efficient and robust
one-time message authentication code scheme using feature extraction of iris in cloud
computing", which was published in the 2014 IEEE International Conference on Cloud
Computing and Internet of Things (IEEE CCIOT 2014), Changchun, China, 13-14 Dec.
2014.