Generating stable biometric keys for flexible cloud computing authentication using finger vein


ARTICLE IN PRESS

JID: INS

[m3Gsc;January 2, 2017;14:13]

Information Sciences 000 (2017) 1–17

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Zhendong Wu a,∗, Longwei Tian b, Ping Li c, Ting Wu a, Ming Jiang d, Chunming Wu e

a School of Cyberspace, Hangzhou Dianzi University, Hangzhou, 310018, China
b School of Communication Engineering, Hangzhou Dianzi University, Hangzhou, 310018, China
c School of Computer Science, Guangzhou University, Guangzhou, 510006, China
d School of Computer Science and Technology, Hangzhou Dianzi University, Hangzhou, 310018, China
e School of Computer Science and Technology, Zhejiang University, Hangzhou, 310058, China

Article info

Article history: Received 13 March 2016; Revised 29 October 2016; Accepted 31 December 2016; Available online xxx

Keywords: Cloud computing; Biometric keys; User-authentication; Finger vein; High-dimensional space projection

Abstract

Cloud computing is profoundly changing the way data is stored, transferred and processed. User authentication is the first security barrier for cloud computing. However, the security of traditional biometric-template-based authentication technology has been challenged because of the information leakage of biometric templates and insufficient user-key strength, which is limited by the ability of the user to memorize keys. In this paper, we propose a new bio-key generation algorithm named FVHS, which combines the advantages of both biometrics authentication and user-key authentication. It directly generates stable and sufficiently strong bio-key sequences from finger vein biometrics. Based on FVHS, a new framework for cloud computing authentication is presented that provides a more flexible, convenient, and secure user authentication. The key idea of FVHS is that through combining machine learning, biometrics, and cryptography technologies, we can mine a special feature vector from the biometrics space that can be separated and stabilized into a fixed number sequence in a higher-dimensional space. Both a theoretical analysis and experimental verification show that FVHS can extract stable bio-keys from high quality finger vein images. FVHS can extract a finger vein bio-key with a Genuine Accept Rate of more than 99.9%, while the False Accept Rate is less than 0.8% and Equal Error Rate is less than 0.5%. Meanwhile, the security strength can reach 256 bits. © 2016 Elsevier Inc. All rights reserved.

∗ Corresponding author. http://dx.doi.org/10.1016/j.ins.2016.12.048 0020-0255/© 2016 Elsevier Inc. All rights reserved.

Please cite this article as: Z. Wu et al., Generating stable biometric keys for flexible cloud computing authentication using finger vein, Information Sciences (2017), http://dx.doi.org/10.1016/j.ins.2016.12.048

1. Introduction

In recent years, with the rapid growth in network computing power and vastly improved intelligent data processing capabilities, data-centric network services have developed rapidly. Cloud computing is one of the most original network services paradigms, and in this paradigm, there will be a large number of data-centric network applications to serve us such as data sharing [12], data storage [22,33], big data management [3], and medical information systems [45]. For most network services, reliable authentication is the starting point. There are many studies on cloud computing access authentication that mainly concentrate on the topic of fine-grained access control servers [19,35,37] for different users. However, because of the limits of human memory, people tend to use only one key to log in to all network applications. This behaviour is very vulnerable to social engineering dictionaries, eavesdropping, spoofing, and other network attacks. In the cloud computing environment, how to overcome a user’s memory limitations to provide rich, personalized authentication credentials and to manage their documents is an important research topic.

Biometrics, because of its inherent natural connection with the user’s identity and no need for key memorization, has been widely studied and used. Biometrics technology has been rapidly adopted in a wide variety of security applications such as electronic and physical access control, electronic commerce, digital rights management, and background checking [40]. If biometric technology can be embedded effectively in cloud computing, a more secure and convenient user authentication scheme can be achieved. This paper proposes a new cloud security certification scheme by developing a new bio-key generation technology.

As shown in Fig. 1(a), a user generally uses a single key to log on to all network services. Moreover, in order to reduce the burden on his or her memory, the key is often relatively simple. However, since individual keys are often generated as regular and simple strings, they are very vulnerable to social engineering attacks. For instance, for large-scale “hit library” attacks, the hit success rate is near 80% [13,28]. If we can extract stable random sequences that are 256 bits in length from biological characteristics and maintain biometrics security, social engineering attacks will lose their effectiveness. By combining the bio-key sequence with the characteristic sequence for a service, a user can be equipped with dedicated keys for each service. The keys do not need to be remembered and can be updated at any time.
We propose a new bio-key generation algorithm that can extract stable bio-key sequences from finger vein patterns. Furthermore, its security strength can reach 256 bits. We then propose an embedded bio-key cloud computing service authentication framework, as shown in Fig. 1(b), that can generate a unique key with sufficient strength for each network service without the need for users to remember it. This framework improves user-key management security and is suitable for the cloud computing era.

The contributions of this paper can be summarized as follows:

• We provide a new bio-key generation scheme that directly extracts stable key sequences with sufficient strength from biometrics using machine learning techniques. We implement this scheme for finger veins and prove the effectiveness of the algorithm.
• We design a new cloud computing user-authentication framework. By combining the bio-keys of users and specific characteristics of cloud computing services, the framework provides a unique key with sufficient strength for each cloud computing service as well as a flexible key update process, reducing users’ key management burden.

The rest of the paper is organized as follows. Section 2 discusses related work, and Section 3 introduces the finger vein bio-key generation algorithm. In Section 4, we introduce the details of our cloud computing user-authentication framework. A security analysis of the bio-key generation algorithm and framework is described in Section 5. In Section 6, we present the experimental results of the new finger vein bio-key generation algorithm. Finally, our conclusions are drawn in Section 7.

2. Related work

Given the increase in cloud computing services, users usually use only one key to log in to all services. Traditional single sign-on (SSO) schemes [1] employ a Passport and OpenID as the solution. OpenID is a decentralized SSO mechanism that has been widely adopted by many Internet service providers such as Yahoo and Google [38].
The OpenID solution can solve the user authentication management problem, but it cannot solve the problem that a user’s single key is vulnerable to social engineering attacks. Recently, research on access authentication of cloud computing has mainly concentrated on fine-grained access control [26,49], secure data sharing [18,20,25], privacy protection [25,38], and cloud search services [7,46]. Zhou et al. [49] proposed a patient self-controllable multi-level privacy-preserving cooperative authentication scheme, which implements three levels of security and preserves privacy in the distributed healthcare cloud computing systems. Joseph et al. [26] introduced a new fine-grained two-factor authentication scheme for web-based cloud computing services. They presented a mechanism of two-factor authentication using a user key and a lightweight security device. Li et al. [18,20] discussed cloud deduplication and the outsourced revocation problem. They used a convergent key to provide data confidentiality during deduplication. Using a convergence key, they attempted to formally address the problem of authorized data deduplication and proposed a secure hybrid cloud architecture that can solve the problem of deduplication with differential privileges. Liu et al. [25] also proposed a shared authority scheme based on the privacy-preserving authentication protocol (SAPA, Shared Authority based Privacy-preserving Authentication protocol), which enhances a user’s shared access security in private using an anonymous access mechanism. Overall, these studies are mostly concerned with server access control and few consider the convenience and safety of user keys. Nevertheless, user key security is the foundation of cloud service security. Fu et al. [7] studied searchable encryption over outsourced data, and introduced a scheme for a personalized multi-keyword ranked search over encrypted data while preserving privacy in cloud computing. Xia et al.
[46] presented a secure multi-keyword ranked search scheme over encrypted cloud data, which simultaneously supports dynamic update operations like the deletion and insertion of documents. Recently, biometrics has been well-studied [6,8,10,31]. There are three main kinds of bio-key schemes: Fuzzy Vault, Fuzzy Commitment, and dynamic bio-key generation.


Fig. 1. User authentication using biometrics in a variety of cloud computing scenarios.

Fig. 2. FVHS flow chart.

Fuzzy Vault is a classic biometric encryption scheme. However, this scheme cannot work well in network environments because servers need to store biometric templates or their converted templates. Uludag et al. [39] implemented fingerprint vaults under the assumption that fingerprint features are pre-aligned. Helper data, which contained the maximum curvature points and maximum curvatures on fingerprint ridges, were used to solve the calibration problem [30]. Although the alignment issues could be solved, the biometric cryptosystem still suffered from security issues. Zhang et al. [48] found that as long as two register vault templates and helper data were collected, the success rate of attacking a biometric cryptosystem reached 60% in the case of a ninth-order polynomial, for instance, when analyzing cross-matching loopholes in the Fuzzy Vault scheme. This could lead to information leakage [34]. In order to better protect biological templates, a cancelable biometric template was proposed [8,15,17]. It is designed to use a one-way or multi-way deformable biological template that is unlinkable and irreversible once it has been recognized in a new space. However, a cancelable template would reduce the recognition rate while increasing the burden of server management.

Another recent research topic is Fuzzy Commitment. The scheme can deal with Hamming errors in different biometric samples, demanding a fixed-length binary biometric feature of high distinction. However, it is difficult to design an effective and stable key generation algorithm. The key generated by the algorithm is usually short and unstable. Nagar et al. [29] extracted fingerprint features from minutia and ridges. Bringer et al. [4] focused on the selection of the Error Correction Code (ECC). Li et al. [21] employed minutia triplets as the basic input features to extract feature strings and then used Linear Discriminant Analysis (LDA) to reduce the dimension of these strings and eliminate correlation among fingers. Rathgeb et al. [32] tried to use a feature fusion technology to achieve a more efficient ECC. Iris cryptosystems were also implemented [50]. Despite various efforts that have been made on this scheme, it still suffers from a short and unstable key. In addition, it has to save an “encrypted” template, which is obtained by an XOR operation of the fixed-length biometric feature and corresponding code-word. Usually, the code-word contains the secret, and it suffers from vulnerability to the decodability attack [14]. Thus, this scheme cannot work very well in network environments either.

Based on dynamic key generation, biometric encryption is a promising scheme. It extracts a bio-key directly from the biometric template. The advantage of this scheme lies in the fact that it does not need to store templates or biometrics.
Moreover, the dynamic keys binding a user’s identity can work together with current main cloud storage security technologies. To generate a stable key, a bio-key requires highly consistent biometrics, even for the reproducible keys. Nevertheless, biometric samples usually do not meet this requirement because of environmental and physiological factors. Atah et al. [2] used a combination of stable features from the human voice to generate bio-keys directly with a novel feature concatenation method. Sheng et al. [36] modeled the intra- and inter-user variation of statistical features extracted from metric samples by clustering the data into natural clusters with a fuzzy genetic clustering algorithm. A reliable key was then generated by selecting the most consistent features for each user individually. Lim et al. [23] used a dynamic reliability-dependent bit allocation algorithm for biometric discretization to allocate bits dynamically to every feature element based on a Binary Reflected Gray Code. Although the bio-key can be extracted by these schemes, it will still encounter short keys or relatively long keys with a high Equal Error Rate (EER). Vivek et al. [41] designed a bio-key generator based on Shamir’s secret sharing scheme, which can be used for On-Device-Encryption. Wu et al. [43] proposed a new fingerprint encryption scheme that protects a bio-key in a polynomial, and utilized a high-dimensional space projection to obtain stable polynomial coefficients, so as to solve the stable bio-key. Although there are some dynamic bio-key generation experiments that achieve a relatively high degree of accuracy, in the dynamic bio-key generation field, there is still not a clear theoretical model telling us how to systematically extract stable bio-keys from fuzzy biometric features and specifying the upper bound of the accuracy of the bio-key.

With the development of machine learning technology [11,42,44], finger vein recognition technology continues to progress.
Liu et al. [27] used a classical manifold learning technology, the LLE algorithm, to recognize finger vein patterns. When the finger vein is acquired under good conditions, the above method can obtain a fairly good recognition rate. By selecting the exact region of interest and strengthening vein texture, Yang et al. [47] improved the finger vein recognition rate. Liu et al. [24] and Cheng et al. [5] both used feature points to recognize finger vein images. However, Liu et al. [24] used local directional binary patterns to describe the information around the feature points, and Cheng et al. [5] learned finger vein minutiae position features using a deep neural network.

3. Finger vein high-dimensional space self-stabilization (FVHS) algorithm

Because human biological characteristics themselves have a certain ambiguity, extracting a stable bio-key from them is usually considered impossible. In this paper, we propose a new finger vein bio-key generation algorithm using a high-dimensional space self-stabilization technology called FVHS, which can extract stable bio-keys from finger vein samples. The crucial concept of FVHS is that by taking into account the correlation between each of the biometric features, we can use a self-calibration technique in high-dimensional space to generate a stable bio-key. A flow chart of FVHS is shown in Fig. 2, and it consists of four parts: finger vein feature extraction, feature vector self-stabilization, sequence-separation in high-dimensional biometric space, and stable bio-key extraction.

3.1. Finger vein feature extraction

The finger vein feature extraction is composed of two parts: finger vein image preprocessing and finger vein feature extraction using manifold learning.


Fig. 3. Finger vein feature extraction steps.

Fig. 4. Finger vein similarity feature extraction using manifold learning.

3.1.1. Finger vein image preprocessing

The finger vein image preprocessing is shown in Fig. 3. Starting from Fig. 3(a), the image undergoes gray normalization and other operations to give Fig. 3(e); after image segmentation, filtering and de-noising, refinement, deburring, and other operations, Fig. 3(j) is obtained. Further details of the process are given in [5,24,27,47].

After the finger vein feature extraction (as shown in Fig. 3), the extracted feature vectors can be used for identification. However, the number of feature points and level of stability are still insufficient for extracting the key. In order to overcome these difficulties, we propose a finger vein similarity feature extraction algorithm based on biological manifold learning, as shown in Fig. 4. Two images (Fig. 3(e) and (j)) are input into the Biometric Vector Similarity Manifold Learning algorithm (BV-SML, Algorithm 1) to obtain two feature sequences. By splicing the two sequences, we obtain the finger vein biometric vector. These two images are used because two pictures can provide more abundant biological information, and the effective use of the information in these features will help us extract a bio-key of sufficient length.


Algorithm 1 BV-SML.

Step 1. Collect a finger vein picture training database.
Step 2. Take L samples from an individual as training samples to form set $M_i$.
Step 3. Use Equations (1)–(3) to solve projection matrix $W_i$.
Step 4. Obtain finger vein image vector $P_i$ of the ith individual.
Step 5. Obtain biometric vector $x_i$ of the ith individual by projection operation $x_i = W_i^T \cdot P_i$.

3.1.2. Finger vein feature extraction using manifold learning

The finger vein initial feature vector extracted from Fig. 3(e) and (j) by Similarity Manifold Learning is a more stable and similar finger vein biometric vector. In contrast to general manifold learning algorithms, the Similarity Manifold Learning algorithm focuses on extracting a feature sequence that is as stable as possible while keeping the recognition rate as high as possible. The details of Similarity Manifold Learning are as follows.

Suppose a total of n individuals participate in a test. Each takes L samples as training samples and the remaining T samples as test samples. The ith personal training sample set $M_i$ is denoted as follows:

$$M_i = [x_{i1}, x_{i2}, \ldots, x_{iL}], \quad x_{ir} \in \mathbb{R}^d,\ 1 \le i \le n,\ 1 \le r \le L,\ d \in \mathbb{N}^+,$$

where $x_{ir}$ denotes a one-dimensional column vector containing the ith individual and rth sample value information. Using $M_i$, we solve projection matrix $W_i$ so that cost function $J_i(W_i)$ is minimized. Matrix $W_i$ is a nonlinear projection matrix exclusively belonging to the ith individual. Cost function $J_i(W_i)$ denotes the similarity between the different training samples of the same individual. Matrix $W_i$ can be solved as follows:

$$J_i(W_i) = \sum_{r=1}^{L} \sum_{\substack{j=1 \\ j \ne i}}^{n} \left\| W_i^T \cdot x_{ir} - W_i^T \cdot x_i \right\|^2 = \mathrm{tr}\left( W_i^T \left[ \sum_{r=1}^{L} \sum_{\substack{j=1 \\ j \ne i}}^{n} (x_{ir} - x_i)(x_{ir} - x_i)^T \right] W_i \right) = \mathrm{tr}\left( W_i^T H_i W_i \right) \tag{1}$$

Definition 1.

$$H_i = \sum_{r=1}^{L} \sum_{\substack{j=1 \\ j \ne i}}^{n} (x_{ir} - x_i)(x_{ir} - x_i)^T$$

Solving for the eigenvalues and eigenvectors of matrix $H_i$, we can obtain the eigenvalues and eigenvectors of matrix $W_i$.

$$H_i \cdot w = \lambda w \tag{2}$$

Here, $\{w_1, w_2, \ldots, w_{d_z}\}$ denotes the eigenvectors, and $\{\lambda_1, \lambda_2, \ldots, \lambda_{d_z}\}$ denotes the eigenvalues. We choose $d_z$ eigenvalues and their corresponding eigenvectors as follows:

λ1 ≥ λ2 ≥ . . . ≥ 0 ≥ . . . ≥ λdz , s.t. λ1  ≤ , λdz  ≤ 

(3)

Combining vectors {w1 , w2 , . . . , wdz }, we obtain matrix Wi . By adjusting parameters , we can get

$$J_i(W_i) \le \varepsilon, \quad \varepsilon \in \mathbb{R}^+$$

Using the projection of matrix $W_i$, we can achieve a higher degree of similarity among the biometric vectors of the ith person in the new biometric space.

3.2. Feature vector self-stabilization

The projection results obtained from the Similarity Manifold Learning still contain some instability. Hence, we propose a method for stabilizing the biometric vector called Biometric Vector Self-Stabilization (BV-SS, Algorithm 2). Let biometric vector $x = ([x]_1, [x]_2, \cdots, [x]_n)^T \in \mathbb{R}^n$, where $[x]_i$, $i \in \{1, 2, \ldots, n\}$, denotes a single biometric component and $([x]_{j_1}, [x]_{j_2}, \ldots, [x]_{j_d})$, $j_1, j_2, \ldots, j_d \in \{1, 2, \ldots, n\}$, denotes a d-dimensional biometric component of a collection. Further, $\zeta_d(\cdot)$ denotes a d-dimensional biometric component convolution operator calculated as follows:

$$\zeta_d([x]_{j_1}, [x]_{j_2}, \ldots, [x]_{j_d}) = \frac{a_1 [x]_{j_1} + a_2 [x]_{j_2} + \cdots + a_d [x]_{j_d}}{\left( \sum_{i=1}^{d} a_i \right) / d} \tag{4}$$

where $a_i \in \mathbb{R}$, $j_1, j_2, \ldots, j_d \in \{1, 2, \ldots, n\}$.


Algorithm 2 BV-SS.

Step 1. Slide a d-dimensional window n − d + 1 times across biometric vector $x = ([x]_1, [x]_2, \cdots, [x]_n)^T$.
Step 2. Use operator $\zeta_d(\cdot)$ for sliding window d-dimensional feature component convolution, calculated as:

$$\zeta_d([x]_{j_1}, [x]_{j_1+1}, \ldots, [x]_{j_1+d}) = \frac{[x]_{j_1} + [x]_{j_1+1} + \cdots + [x]_{j_1+d}}{d}, \quad j_1 \in (1, 2, \ldots, n-d+1)$$

Step 3. Use the n − d + 1 convolution results to generate the following (n − d + 1)-dimensional biometric vector:

$$x = ([x]_1, [x]_2, \cdots, [x]_{n-d+1})^T$$
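Algorithm 2 as a sliding-window mean, with an empirical check of the variance reduction it is meant to give; this is an added example, not code from the paper. The component means, noise level and sample count are constructed, and the window is taken as exactly d consecutive components (which is what yields n − d + 1 outputs), an assumption of this example since the step 2 formula as printed runs its indices to j1 + d.

```python
import random
import statistics


def bv_ss(x, d):
    """Algorithm 2: slide a d-wide window across x and keep each window's mean.

    Assumption of this example: the window holds the d consecutive
    components starting at j1, giving n - d + 1 outputs.
    """
    n = len(x)
    if not 1 <= d <= n:
        raise ValueError("window width d must satisfy 1 <= d <= len(x)")
    return [sum(x[j:j + d]) / d for j in range(n - d + 1)]


def mean_component_variance(vectors):
    """Average, over components, of the variance seen across repeated samples."""
    return statistics.mean(statistics.pvariance(col) for col in zip(*vectors))


def simulate(mu, sigma, d, trials=400, shared_noise=False, seed=7):
    """Return (variance before BV-SS, variance after BV-SS) on constructed samples.

    shared_noise=False: each component gets its own N(0, sigma^2) error.
    shared_noise=True : one error value is added to every component of a
                        sample (e.g. a global brightness shift); all deviations
                        are then equal, which is the equality case of the
                        mean inequality, and averaging gains nothing.
    """
    rng = random.Random(seed)
    raw, smoothed = [], []
    for _ in range(trials):
        if shared_noise:
            e = rng.gauss(0.0, sigma)
            sample = [m + e for m in mu]
        else:
            sample = [rng.gauss(m, sigma) for m in mu]
        raw.append(sample)
        smoothed.append(bv_ss(sample, d))
    return mean_component_variance(raw), mean_component_variance(smoothed)


# Constructed template: 32 component means spread over the grey-level range.
MU = [float((37 * k) % 256) for k in range(32)]

if __name__ == "__main__":
    for shared in (False, True):
        before, after = simulate(MU, sigma=3.0, d=4, shared_noise=shared)
        print(f"shared_noise={shared}: before={before:.3f} after={after:.3f}")
```

With independent errors the averaged components vary by roughly 1/d of the original variance; with a shared error the variance is unchanged, so the stabilization depends on how the capture noise is distributed across components.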

Algorithm 2 leads to the following lemma:

Lemma 1. Assume that each biometric component follows a normal distribution, which is denoted as $[x]_i \sim N(\mu_i, \sigma_i^2)$. After Algorithm 2, the mean variance of the new biometric components [x]i is less than the mean variance of pre-processing biometric components [x]i, i.e., D([x]i) < D([x]i).

Proof. The well-known arithmetic mean inequality is

$$x_1^2 + x_2^2 + x_3^2 + \cdots + x_d^2 \ge \frac{(x_1 + x_2 + x_3 + \cdots + x_d)^2}{d}. \tag{5}$$

The equality holds if and only if $x_1 = x_2 = x_3 = \ldots = x_d$. Because $[x]_i$ follows a normal distribution, the following equation holds.

$$D([x]_i) = \left( \frac{[x]_i + [x]_{i+1} + \ldots + [x]_{i+d-1}}{d} - \frac{u_i + u_{i+1} + \cdots + u_{i+d-1}}{d} \right)^2 = \left( \frac{([x]_i - u_i) + ([x]_{i+1} - u_{i+1}) + \cdots + ([x]_{i+d-1} - u_{i+d-1})}{d} \right)^2$$

According to Eq. (5),

([x]i − ui )2 + ([x]i+1 − ui+1 )2 + · · · + ([x]i+d−1 − ui+d−1 )2 d



2

d



([x]i − ui ) + ([x]i+1 − ui+1 ) + . . . + ([x]i+d−1 − ui+d−1 ) ([x]i − ui ) + ([x]i+1 − ui+1 ) + ... + ([x]i+d−1 − ui+d−1 )

2

d

Because in an actual sampling environment, equality does not hold, we obtain 

⇒ D([x]i ) > D([x]i ).

3.3. Sequence-separation in high-dimensional space

After Algorithms 1–2 are complete, the obtained biometric sequence has good stability. However, the discrimination between individuals is not ideal. Directly extracting a key from it will lead to a high False Accept Rate (FAR). Using an accurate projection into high-dimensional space, however, the biometric sequence between individuals can be separated more efficiently.

Definition 2. Let X be a subset of $\mathbb{R}^n$. Function K(x, z), defined on X × X, is called the kernel function, if there is a mapping  from X to the Hilbert space H.

 : x → (x ) ∈ H

For any x, z ∈ X, K(x, z ) = ((x ) · (z )) are established, where (·) denotes the inner product in H. Some common kernel functions are as follows:


(1) Polynomial kernel K(x, z ) = p(K1 (x, z )), where p(x ) = aq xq + · · · + a1 x + a0 is a q-order polynomial with whole positive coefficients x−z 2 (2) Gaussian kernel K(x, z ) = exp(−  2  ) (3) Sigmoid kernel function K(x, z ) = tanh(γ (x · z ) + λ )

This paper selects the polynomial kernel function used for the sequence separation.

The key idea of the high-dimensional space projection algorithm is that the biometric input sequence is divided into several sub-sequences. Each sub-sequence is mapped to the high-dimensional space in the projection operation using the kernel function. The resulting projection creates a new biometric sequence output. We can prove that there is a high-dimensional space projection: if the biometric sequences of different individuals gain a certain level of distinction, then the output sequence discrimination between individuals can be greater than any real value $D_0$, $D_0 \in \mathbb{R}^+$, along with the increase in the number of spatial dimensions.

Lemma 2. The difference between the kernel function mapping

(x ) − (z )22 = K(x, x ) + K(z, z ) − 2K(x, z )

is satisfied.

Proof.

(x ) − (z )22 = ((x ) · (x )) + ((z ) · (z )) − 2((x ) · (z )) = K(x, x ) + K(z, z ) − 2K(x, z )

A biometric input vector is represented as $x_{i,r} \in X \in \mathbb{R}^n$, i ∈ (1, m), r ∈ (1, l), where m is the number of individuals and l is the number of samples of the same individual.

Condition 1. The biometric sequences of different individuals have some degree of differentiation that satisfies:

  x j − x¯i 2 > xi − x¯i 22 > , 1 ≤ i = j ≤ m, 2

where x¯i denotes the mean of the samples, ·22 denotes the 2-norm operation, and  is a constant, where  ∈ R and  > 1.0. The difference condition between the samples from the same individual

0 ≤ xi − x¯i 22 ≤ D1 ,

D 1 ∈ R + ,1 ≤ i ≤ m

is satisfied. Define the high-dimensional space mapping function as follows:

d (x ) = (x|x|x| . . .), d = 1, 2, 3, 4, 5, . . . ,  d

where “x|x” denotes two x sequences that are spliced together. After the biometric vectors are projected into high-dimensional space, the discrimination between individuals zi,d j , which is expressed as:



2

zi,d j = d (x j ) − d (x¯i ) − d (xi ) − d (x¯i )2 , 2

2

1 ≤ i = j ≤ m,

is satisfied.

Lemma 3.

$$K((x|x), (x|x)) = 2K(x, x)$$

Proof.

$$K((x|x), (x|x)) = \begin{pmatrix} x \\ x \end{pmatrix} \cdot \begin{pmatrix} x \\ x \end{pmatrix} = (x \cdot x) + (x \cdot x) = 2K(x, x)$$

According to Lemma 2, taking d = 2, we get

zi,2 j = 2 (x j ) − 2 (x¯i )22 − 2 (xi ) − 2 (x¯i )2 2

= K((x j |x j ), (x j |x j )) + K((x¯i |x¯i ), (x¯i |x¯i )) − 2K((x j |x j ), (x¯i |x¯i )) − K((xi |xi ), (xi |xi )) − K((x¯i |x¯i ), (x¯i |x¯i )) + 2K((xi |xi ), (x¯i |x¯i ))

(6)


According to Lemma 3, Eq. (6) can be derived as follows

$$\begin{aligned} z_{i,j}^{2} &= 2K(x_j, x_j) + 2K(\bar{x}_i, \bar{x}_i) - 4K(x_j, \bar{x}_i) - 2K(x_i, x_i) - 2K(\bar{x}_i, \bar{x}_i) + 4K(x_i, \bar{x}_i) \\ &= 2\left( K(x_j, x_j) - 2K(x_j, \bar{x}_i) - K(x_i, x_i) + 2K(x_i, \bar{x}_i) \right) \\ &= 2 z_{i,j}^{1} \end{aligned} \tag{7}$$

In the same way, we obtain the following:

$$z_{i,j}^{1} = \frac{1}{2} z_{i,j}^{2} = \frac{1}{4} z_{i,j}^{4} = \frac{1}{8} z_{i,j}^{8} = \ldots \tag{8}$$

Theorem 1. If the degree of distinction between individual biometric sequences satisfies Condition 1, then ∀D0 > 0, D0 ∈ R, ∃d > 1, d ∈ Z, ∀d : d > d ⇒ zi,d j > D0 . Proof. By Condition 1, zi,1 j > 1.0, and from Eqs. (7) and (8), we get

⎫ ⎪ ⎬

zi,1 j > 1.0 d  = D 0 

⎪ 1 1 1 ⎭ zi,1 j = zi,2 j = zi,4 j = zi,8 j = . . . 2

4

D 

⇒ zi, j 0 > D0

8

⇒ zi,d j > D0 , d > d = D0 .  Theorem 1 states that as the number of dimensions of the biometric-space projection increases, biometric sequence discrimination becomes greater than a pre-set value. 3.4. Extraction of stable bio-keys After processing by Algorithm 1 and 2 and the high-dimensional space projection, biometric sequences can reach a good degree of stability and separation, from which the bio-key can be extracted. For each individual, a quantization method is employed to obtain a deterministic sequence of numbers and auxiliary Boolean vector BL for extracting the unique bio-key sequence. The quantization formula can be written as follows:

(x ) =

⎧ ⎪ ⎨ D2 + (D2 + 1 ) · i (D2 + 1 ) · i < x ≤ (D2 + 1 ) · i + D2 (i = 0, 1, · · ·), mod (D2 , 2 ) = 0 2

⎪ ⎩ D2 − 1 + D2 · i 2

(9)

(i − 1 ) · D2 + 1 < x ≤ D2 · i(i = 1, 2, · · ·), mod (D2 , 2 ) = 1

The quantization threshold D2 is the width of the interval in which a number lies. For example, if D2 = 10 and a feature sequence is (156, 39), then 156 is quantized to 159 because it lies in the interval (154, 164], and 39 is quantized to 38 because it lies in the interval (33, 43]. Overall, (156, 39) is quantized to (159, 38). After quantization, we obtain biometric sequences xt.

Auxiliary vector BL is calculated as follows:

(1) We have xt , 1 ≤ i ≤ n, 1 ≤ j ≤ L, where there are n individuals and L samples.
(2) An individual’s L feature samples are combined into a matrix A of dl rows and L columns.
(3) If (A[i][0] == A[i][1] == ... == A[i][L − 1]), then BL[i] = 1, else BL[i] = 0, 1 ≤ i ≤ dl.

The result of this calculation is vector BL. Using BL, we extract sequence yt from xt, where yt is the Bio-Key.

4. Cloud computing user-authentication framework based on finger vein bio-keys

With bio-key generation algorithm FVHS, we can determine the finger vein uniquely associated with bio-key Kbio. Using these unique bio-keys, a flexible user-authentication framework can be designed for cloud computing services. Combining a Kbio with a cloud computing service URL yields a unique sequence that can be used for identity authentication, as shown in Fig. 5. The specific authentication process is shown in Fig. 6.

The authentication framework uses a challenge-response mode. Bio-keys Kbio and Kc are generated first, where Kc is a random number used to protect Kbio. In addition, Khi is the shared secret between the user and the authentication center. By encrypting the corresponding URL of various services with the shared secret, we get the login key. A service may correspond to a set of keys, each of which is determined by the address of the URL. The key length is sufficiently long, and users do not need to remember it. The authentication center only needs to store Khi, and the user can flexibly generate a different login key as services change. Moreover, Khi and the login key can be replaced at any time.
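The framework described above, as an added sketch that is not the paper's own protocol (Fig. 6 is not reproduced here). HMAC-SHA256 stands in for "encrypting" the URL with the shared secret, and the binding of Khi to Kbio and Kc, the `AuthCenter` class, the nonce format and the sample URLs are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the paper): a 256-bit bio-key such as
# FVHS would output, and the random protector K_c.
K_BIO = bytes(range(32))
K_C = secrets.token_bytes(32)


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_khi(k_bio, k_c):
    """Assumed binding of K_bio and K_c into the shared secret K_hi.

    A fresh K_c gives an unrelated K_hi from the same finger, which is what
    lets K_hi be replaced without changing the biometric.
    """
    return _mac(k_c, b"khi|" + k_bio)


def login_key(k_hi, service_url):
    """Per-service login key; HMAC stands in for 'encrypt the URL under K_hi'."""
    return _mac(k_hi, b"login|" + service_url.encode("utf-8"))


class AuthCenter:
    """Stores only K_hi per user; it never sees K_bio or a vein image."""

    def __init__(self):
        self._khi = {}        # user -> K_hi
        self._pending = {}    # (user, service_url) -> outstanding nonce

    def enroll(self, user, k_hi):
        self._khi[user] = k_hi  # enrolling again replaces the old K_hi
        self._pending = {k: v for k, v in self._pending.items() if k[0] != user}

    def challenge(self, user, service_url):
        nonce = secrets.token_bytes(32)
        self._pending[(user, service_url)] = nonce
        return nonce

    def verify(self, user, service_url, response):
        # pop() makes every nonce single-use, so a captured response cannot be replayed.
        nonce = self._pending.pop((user, service_url), None)
        k_hi = self._khi.get(user)
        if nonce is None or k_hi is None:
            return False
        expected = _mac(login_key(k_hi, service_url), nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def respond(k_bio, k_c, service_url, nonce):
    """Client side: regenerate K_hi from the finger and answer the challenge."""
    return _mac(login_key(derive_khi(k_bio, k_c), service_url), nonce)


def run_demo():
    center = AuthCenter()
    center.enroll("alice", derive_khi(K_BIO, K_C))
    storage = "https://storage.example.test/"
    mail = "https://mail.example.test/"
    results = {}

    good = respond(K_BIO, K_C, storage, center.challenge("alice", storage))
    results["genuine"] = center.verify("alice", storage, good)
    results["replay"] = center.verify("alice", storage, good)  # nonce already used

    # A response computed for a different service URL does not verify here.
    nonce = center.challenge("alice", storage)
    results["wrong_service"] = center.verify(
        "alice", storage, respond(K_BIO, K_C, mail, nonce))

    # Replace K_c (and with it K_hi): the old K_c stops working, the new one works.
    new_kc = secrets.token_bytes(32)
    center.enroll("alice", derive_khi(K_BIO, new_kc))
    nonce = center.challenge("alice", storage)
    results["old_kc"] = center.verify("alice", storage, respond(K_BIO, K_C, storage, nonce))
    nonce = center.challenge("alice", storage)
    results["new_kc"] = center.verify("alice", storage, respond(K_BIO, new_kc, storage, nonce))
    return results


if __name__ == "__main__":
    print(run_demo())
```

URL strings are used byte for byte, so the client and the authentication center must agree on one canonical form per service; a trailing slash alone changes the login key.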


Fig. 5. Cloud computing user-authentication framework based on bio-keys.

Fig. 6. Schematic diagram of user authentication process using Kbio .

5. Security analysis

In this section, attacks on the finger vein bio-key and cloud computing user-authentication framework are discussed.

5.1. Finger vein bio-key attacks

There are generally two types of attacks on finger vein bio-keys: spoofing attacks and brute force attacks.


5.1.1. Spoofing attack

In this attack, an attacker spoofs the user via phishing or a similar method to perform a biometric authentication on the remote server. Because of the user’s unique biological characteristics, as long as the deception is successful, attackers will have long-term user rights. Traditional authentication methods based on biological template matching are vulnerable to spoofing attacks, because the authentication process requires the user to deliver the bio-template to a remote server for comparison. Although the use of biological template deformation can protect the template, the deformation function is often easy for an attacker to obtain in practice. Meanwhile, function parameters can be cracked by a brute force attack and cross comparison. Bio-template protection technology hence still faces large threats.

The finger vein bio-key scheme generates long keys with secure bits directly, but it does not save and compare biological templates. An attacker cannot obtain a user’s bio-template directly through a network-spoofing attack. That is, the network-spoofing attack (obtaining a user’s bio-template) is ineffective for finger vein bio-key authentication, because the finger vein bio-key authentication does not retain the user’s bio-template. However, a local Trojan can steal a user’s finger vein image in the generation process. Dealing with this problem is beyond the scope of this paper.

5.1.2. Brute force attack

When considering this attack, we assume that an attacker is trying to recover the bio-key by a brute force attack and that he or she can get the auxiliary vector BL. First, the attacker may calculate the finger vein template ranges, which, in general, are in the interval [0, 255]. If an attacker can navigate to each biometric component, it may be appropriate to narrow the scope of the above, and it can be assumed that each biometric component contains a 4-bit security key, while there are 32–64 feature points, which together give 128–256 bits in length. These 128–256 bits can be regarded as a random number. That is, the generated bio-key and a 128–256-bit random number have the same security strength. If an attacker cannot get the auxiliary vector BL, he or she would first need to guess the BL vector from the full biometric vector and then guess the quantized value of each biometric component. The total guessing time is

$$\binom{d}{d_z} \cdot 2^{4 \times d_z},$$

where d ∈ (1024, 10240) and dz ∈ (32, 64). Here, d denotes the total number of features that may be extracted. Based on the fact that an attacker will take 13 years to make 2.5 × 10^9 attempts, as stated in [16], when using a 3.4 GHz processor, a successful attack would take longer than the minimum time of 500 years.

5.2. Security of the cloud computing user-authentication framework

Supposing the user’s finger vein is safe, then the security of the cloud computing user-authentication framework is equivalent to the username plus 256-bit random key authentication security.

6. Experimental results and analysis

This section examines the performance of the proposed finger vein bio-key generation algorithm FVHS. Three steps are carried out in the experiment to evaluate the 1) biometric identification, 2) sequence-separation, and 3) bio-key generation performance of FVHS. The biometric identification test is a test of the performance of BV-SML (Algorithm 1). The biometric sequences separation degree test is a test of the performance of BV-SS (Algorithm 2). Finally, the bio-key generation test is a test of the performance of FVHS (Algorithm 3).

Algorithm 3 FVHS.
Step 1. Process the finger vein image using Algorithm 1 (BV-SML) to extract feature sequence x.
Step 2. Process feature sequence x using Algorithm 2 (BV-SS) to extract feature sequence x.
Step 3. Process feature sequence x using the high-dimensional kernel function to calculate biometric sequence x.
Step 4. Use biometric sequence x and calculate the Auxiliary Boolean Vector BL.
Step 5. Extract a random vector 128–256 bits in length from BL to obtain BL.
Step 6. Extract Bio-Key y using BL.
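Steps 4 to 6 of Algorithm 3, together with the brute-force count from Section 5.1.2, as an added example that is not the authors' code. The quantizer assumes a fixed grid of width D2 and returns interval midpoints, so 156 maps to 155 here rather than the text's 159 (the paper's own interval placement is not fully recoverable from this page); step 5 is read as picking dz stable positions at random, and all sample vectors are constructed.

```python
import math
import secrets

D2 = 10                 # quantization threshold (interval width), as in the text's example
BITS_PER_COMPONENT = 4  # per-component strength estimated in Section 5.1.2

# Constructed data: three enrollment samples of one finger (d = 8 components),
# a fresh genuine sample, and a sample that drifted across interval boundaries.
ENROLL = [
    [153, 37, 201, 88, 14, 246, 120, 65],
    [155, 35, 199, 90, 12, 248, 122, 63],
    [151, 39, 203, 86, 16, 244, 118, 67],
]
GENUINE = [154, 36, 197, 87, 13, 247, 124, 66]
DRIFTED = [161, 41, 201, 91, 14, 246, 120, 65]


def quantize(x, d2=D2):
    """Midpoint of the interval ((i-1)*d2, i*d2] containing x (assumed fixed grid)."""
    i = math.ceil(x / d2)
    return (i - 1) * d2 + d2 // 2


def auxiliary_vector(samples):
    """Full auxiliary vector: 1 where a component quantizes identically in all L samples."""
    rows = [[quantize(v) for v in s] for s in samples]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("all enrollment samples need the same dimension")
    return [1 if len({r[i] for r in rows}) == 1 else 0 for i in range(len(rows[0]))]


def select_bl(bl_full, dz, rng=None):
    """Step 5 (as read here): keep a random subset of dz stable positions."""
    rng = rng or secrets.SystemRandom()
    stable = [i for i, bit in enumerate(bl_full) if bit]
    if len(stable) < dz:
        raise ValueError(f"only {len(stable)} stable components, need {dz}")
    chosen = set(rng.sample(stable, dz))
    return [1 if i in chosen else 0 for i in range(len(bl_full))]


def extract_key(sample, bl):
    """Step 6: the bio-key is the quantized value at every position where BL is 1."""
    if len(sample) != len(bl):
        raise ValueError("sample and BL must have the same dimension")
    return tuple(quantize(v) for v, bit in zip(sample, bl) if bit)


def search_space_bits(d, dz, bl_known):
    """log2 of the guess count in Section 5.1.2: 2^(4*dz), times C(d, dz) if BL is unknown."""
    bits = BITS_PER_COMPONENT * dz
    if not bl_known:
        bits += math.log2(math.comb(d, dz))
    return bits


def run_demo():
    bl_full = auxiliary_vector(ENROLL)   # components 2 and 6 straddle a boundary
    bl = select_bl(bl_full, dz=4)
    enrolled = extract_key(ENROLL[0], bl)
    return {
        "bl_full": bl_full,
        "bl": bl,
        # Noise that stays inside each interval regenerates the same key.
        "genuine_match": extract_key(GENUINE, bl) == enrolled,
        # Three stable components crossed a boundary, so any 4 of the 6 stable
        # positions include at least one changed value: the key differs.
        "drifted_match": extract_key(DRIFTED, bl) == enrolled,
    }


if __name__ == "__main__":
    print(run_demo())
    for d, dz in ((1024, 32), (10240, 64)):
        print(d, dz, search_space_bits(d, dz, True), round(search_space_bits(d, dz, False), 1))
```

There is no error correction in this path: one selected component crossing an interval boundary changes the whole key, which is why BL keeps only components that were stable across every enrollment sample.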

We selected two finger vein databases to evaluate the performance of FVHS: (1) 64FV_Net01, a library of 64 human finger veins acquired over the Internet with a high image quality and (2) 70FV_Hdu01, a library of 70 human finger veins self-collected in a laboratory environment with a medium image quality. 64FV_Net01 is an in-house database with 64 finger veins and 15 samples for each finger vein, and the image size is 70 × 150. 70FV_Hdu01 is a self-collected database with 70 finger veins and 8 samples for each finger vein. The image size is 140 × 300. We use the Genuine Accept Rate (GAR) and FAR as the main indicators to measure the test identification and generation performance.

6.1. Biometric identification performance of the FVHS

The FVHS algorithm can be used to identify the biological features of finger vein patterns with a little modification. Algorithm 1 can extract the biological feature sequence and identify individuals using the minimum distance. Three typical finger vein recognition algorithms are compared with Algorithm 1: Feature Points + Hausdorff Distance (FP+HD) [16], Two Dimensional Principal Component Analysis plus Two Dimensional Fisher Linear Discriminant analysis (2DPCA+2DFLD) [9] and Kernel Principal Component Analysis (KPCA). Algorithm 1 can extract stable biological features via similarity manifold learning techniques, and the experimental results show that this method is more stable and consistent than other classical methods. For ease of comparison, all algorithms take half of the samples as the training samples, and the other half of the samples are used as the test samples.

Table 1 Identification performance of BV-SML in the 64FV_Net01 library.

| Decision Threshold (DT) | GAR(%) | FAR(%) |
|---|---|---|
| 300 | 96.88 | 0.00 |
| 400 | 98.05 | 0.00 |
| 500 | 99.02 | 0.13 |
| 600 | 99.61 | 0.67 |
| 800 | 100.0 | 5.08 |
| 1000 | 100.0 | 16.29 |

Table 2 Identification performance of BV-SML in the 70FV_Hdu01 library.

| Decision Threshold (DT) | GAR(%) | FAR(%) |
|---|---|---|
| 400 | 94.64 | 0.00 |
| 500 | 96.72 | 0.00 |
| 600 | 98.93 | 0.00 |
| 800 | 99.64 | 0.31 |
| 1000 | 99.64 | 3.50 |
| 1200 | 100.0 | 15.02 |

Table 3 Lowest EER in the optimal parameter condition (%).

| | FP+HD | 2DPCA+2DFLD | KPCA | BV-SML |
|---|---|---|---|---|
| 64FV_Net01 | 5.61 | 1.26 | 2.25 | 0.53 |
| 70FV_Hdu01 | 6.35 | 0.92 | 1.89 | 0.34 |

Algorithm 1 uses different variables T and  to control the similarity and obtain different values of FAR and GAR. The results are shown in Tables 1 and 2, which show the results for the 64FV_Net01 database and 70FV_Hdu01 database, respectively. It is observed that values of  between 10^−2 and 10^−8 have a very small impact on the performance of the algorithms. Therefore, we set  = 10^−4 for all further experiments, and  is not listed in the result. Tables 1 and 2 show that the overall recognition performance of Algorithm 1 is stable and its recognition rate is high. Algorithm 1 does not use an image alignment algorithm, because the finger positions are generally fixed when the finger vein is acquired, and hence, the sampled finger vein image has a natural alignment characteristic. There is a critical decision threshold (DT) value, and if this threshold value is exceeded, the FAR rises sharply. This threshold is different for different finger vein libraries. This means that different finger vein recognition devices need to adjust the threshold to achieve the best recognition status. For clarity, we compare the performance of different algorithms using the Equal Error Rate (EER) indicator and Detection Error Tradeoff (DET) curves. The results are shown in Table 3 and Figs. 7 and 8. These results show that the performance of Algorithm 1 is more stable than that of the other algorithms, and the recognition effect is better.
Because the finger vein texture extraction process will inevitably lead to image feature discontinuities and blur, this will affect the accuracy of feature point extraction, and algorithm FP+HD performs less well than the other algorithms. In conclusion, for alignment insensitive and light sensitive finger vein images, Algorithm 1 can extract more stable features and achieve better biometric discrimination than existing classical biometric algorithms.

Fig. 7. DET curves for 64FV_Net01.

Fig. 8. DET curves for 70FV_Hdu01.

6.2. Sequence-separation performance of FVHS

Algorithm 2 (BV-SS) plus a high-dimensional space projection can efficiently separate biometric sequences. In order to test the separation effect of the algorithm, the biometric sequences before and after space projection are compared. We randomly chose three components from two biometric sequences extracted from the 64FV_Net01 library, processed by Algorithm 1, Algorithm 2, and high-dimensional space projection processing. The images in Fig. 9 show the distribution of the three components in the feature space before and after the separation projection. The red circle indicates that if there is no projection operation, the left three components are located on the right. It can be seen that the spatial distance between the components increased significantly, while the distance between the samples of the same individuals increased insignificantly. Figs. 10 and 11 show more detailed images of the separation effect of the biometric sequences. The average spatial distance between 64 feature vectors is shown in Figs. 10 and 11, which respectively show the spatial distance before and after the Algorithm 2 + high-dimensional space projection procedure. Note that the coordinate scale of Fig. 11 is 10^4.

Fig. 9. Sequence-separation effect.

Fig. 10. Spatial distance before Algorithm 2 + high-dimensional space projection.

Fig. 11. Spatial distance after Algorithm 2 + high-dimensional space projection.

6.3. Bio-key generation performance of FVHS

We evaluated the performance of Algorithm 3 using the two finger vein libraries 64FV_Net01 and 70FV_Hdu01. The performance of Algorithm 3 was tested in two ways: 1) by adjusting the algorithm parameters and observing the changes of GAR and FAR and 2) by comparing it with the other algorithms using the EER and security strength. Algorithm 3 can widen the distance between the characteristics of different individuals, reduce or stabilize the distance between the characteristics of the same individual, and obtain a better bio-key extraction success rate and security strength than any other algorithm, to the best of our knowledge. As shown in Section 6.1, we take half of the samples as training samples, and the remaining half as test samples. The FVHS algorithm has five steps, as shown below:

(1) Use the best parameters obtained in Section 6.1 for Algorithm 1.
(2) Set d = 8 for Eq. (4) in Algorithm 2.
(3) Define the high-dimensional kernel function (x ) = (x |x )2 .
(4) Use parameter T0 to denote the distance threshold used to generate vector BL in the training phase, and use parameter T1 to denote the distance threshold used in the testing phase.
(5) In order to facilitate the calculation, use the first 64 components for a key generation test, and use the test results to approximate the experimental results of random extraction.

The first test results are shown in Tables 4 and 5. The Threshold Dynamic Range (TDR) is the mean value range of the feature component. The security strength of a single component is calculated as log2(TDR/DT), and is normally larger than 4 bits. The security strength of the bio-key is calculated as 64 × 4 bits = 256 bits, where 64 is the number of extracted biometric components. In 64FV_Net01, which has good quality images, FVHS obtains good bio-key generation performance, as shown in Table 4. However, in 70FV_Hdu01, which has poor quality images, the performance of the FVHS algorithm is not so ideal. One of the reasons is that the number of training samples is insufficient, and FVHS is unable to extract keys again. If the FVHS algorithm could carry out the second key extraction operation, the accuracy of the proposed bio-key would be further improved.

Table 4 Bio-key generation performance of FVHS in 64FV_Net01 library (T0 = 30, T1 = 30, Threshold Dynamic Range = 0 ∼ 3.89 × 10^4, Security strength = 64 × 4 bits = 256 bits).

| Decision Threshold (DT) | GAR(%) | FAR(%) |
|---|---|---|
| 550 | 99.22 | 0.42 |
| 600 | 99.61 | 0.57 |
| 630 | 99.61 | 0.66 |
| 650 | 99.61 | 0.72 |
| 680 | 100.0 | 0.87 |
| 700 | 100.0 | 0.80 |

Table 5 Bio-key generation performance of FVHS in 70FV_Hdu01 library (T0 = 30, T1 = 30, Threshold Dynamic Range = 0 ∼ 1.16 × 10^5, Security strength = 64 × 4 bits = 256 bits).

| Decision Threshold (DT) | GAR(%) | FAR(%) |
|---|---|---|
| 1100 | 92.14 | 0.18 |
| 1300 | 92.86 | 0.23 |
| 1500 | 94.29 | 0.37 |
| 1700 | 94.29 | 0.59 |
| 1900 | 94.29 | 0.87 |
| 2100 | 97.14 | 1.26 |

Table 6 Algorithm performance comparison in the 64FV_Net01 library.

| 64FV_Net01 | PCA+LDA+ECC | Data Clustering | FVHS |
|---|---|---|---|
| EER | >4.0 | >10.0 | <0.5 |
| Security Strength | <64 bits | <50 bits | >128 bits |

The performances of different algorithms were also compared using EER and security strength indicators. At present, we have not retrieved the relevant literature for other finger vein bio-key generation methods. This experiment instead used fingerprint bio-key generation methods for finger vein bio-key testing. We compared two typical bio-key generation methods with the FVHS algorithm, similar Fuzzy Commitment methods (PCA+LDA+ECC) [21] and bio-key generation based on Data Clustering [36]. The Fuzzy Vault method is not used for comparison, because, in essence, it is not a method to generate a key, but to extract the stored key. Hence, it can often have a higher extraction accuracy, but the key security is in doubt because it has a slow computing speed that limits its security strength. Because of its threshold (T, n) speed restrictions, its security is generally within about 128–256 bits. The test results are shown in Table 6, and the intuitive results are shown in Fig. 12. The FVHS algorithm has a clear advantage over current dynamic key generation algorithms.

7. Conclusions and future work

Existing biometric key generation methods are not satisfactory with respect to accuracy rate and security-bit length. Fuzzy Vault-based biometric encryption has the risk of information leakage for stored biometric templates. Fuzzy Commitment-based biometric encryption needs to store an “encrypted” template, and it has a short and unstable key.
Although there are some dynamic biometric key generation schemes, they suffer from a low number of effective bits. The proposed finger vein bio-key generation algorithm FVHS can extract a stable 128–256 bit security key from the finger vein biometric sequence. Using the extracted bio-key, we can provide a flexible user authentication policy in cloud computing, as the users do not need to remember the keys, but the service can provide a dedicated key for each cloud service. If the bio-key system could be widely applied, it would greatly reduce the number of weak network keys. There are still some drawbacks in FVHS. Biometric accuracy can be further improved in FVHS’s pre-processing stage. FVHS’s separation function is not ideal because the separation speed is too slow, and it does not support “intertwined” feature separation. We plan to further study and propose more efficient and supported intertwined feature separation functions. There is a wide range of bio-key applications to explore, and we will investigate in more depth the use of bio-key technology to improve the efficiency and security of key management in cloud computing.

Fig. 12. Performance comparison of different algorithms.

Acknowledgement

This work was supported by Zhejiang Science Fund (No. LY16F020016), National Key Research and Development Program of China (No. 2016YFB0800201), Zhejiang Province Science and Technology Innovation Program (No. 2013TD03), National Natural Science Foundation of China (No. 61472091), Distinguished Young Scholars Fund of Department of Education (No. Yq2013126), and Guangdong Province, Natural Science Foundation of Guangdong Province for Distinguished Young Scholars (No. 2014A030306020).

References

[1] A. Armando, R. Carbone, L. Compagna, J. Cuéllar, G. Pellegrino, A. Sorniotti, An authentication flaw in browser-based single sign-on protocols: impact and remediations, Comput. Secur. 33 (2013) 41–58.
[2] J.A. Atah, G. Howells, Key generation in a voice based template free biometric security system, in: European Workshop on Biometrics and Identity Management, Springer, 2009, pp. 170–177.
[3] J. Baek, Q.H. Vu, J.K. Liu, X. Huang, Y. Xiang, A secure cloud computing based framework for big data information management of smart grid, IEEE Trans. Cloud Comput. 3 (2) (2015) 233–244.
[4] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, G. Zemor, Theoretical and practical boundaries of binary secure sketches, IEEE Trans. Inf. Forensics Secur. 3 (4) (2008) 673–683.
[5] C. Chen, Z. Wu, P. Li, J. Zhang, Y. Wang, H. Li, A finger vein recognition algorithm using feature block fusion and depth neural network, in: International Symposium on Intelligence Computation and Applications, Springer, 2015, pp. 572–583.
[6] G.S. Eskander, R. Sabourin, E. Granger, A bio-cryptographic system based on offline signature images, Inf. Sci. 259 (2014) 170–191.
[7] Z. Fu, K. Ren, J. Shu, X. Sun, F. Huang, Enabling personalized search over encrypted outsourced data with efficiency improvement (2015) 1–12.
[8] M. Gomez-Barrero, C. Rathgeb, J. Galbally, C. Busch, J. Fierrez, Unlinkable and irreversible biometric template protection based on bloom filters, Inf. Sci. 370 (2016) 18–32.
[9] F.-X. Guan, K. Wang, J. Liu, H. MA, Bi-direction weighted (2d) 2pca with eigenvalue normalization one for finger vein recognition, Pattern Recognit. Artif. Intell. 24 (3) (2011) 417–424.
[10] G. Haupt, T. Mozer, Assessing biometric authentication: a holistic approach to accuracy, Biom. Technol. Today 2015 (3) (2015) 5–8.
[11] G. Hinton, Where do features come from? Cognit. Sci. 38 (6) (2014) 1078–1101.
[12] X. Huang, J.K. Liu, S. Tang, Y. Xiang, K. Liang, L. Xu, J. Zhou, Cost-effective authentic and anonymous data sharing with forward security, IEEE Trans. Comput. 64 (4) (2015) 971–983.
[13] S. Ji, S. Yang, X. Hu, W. Han, Z. Li, R. Beyah, Zero-sum password cracking game: A large-scale empirical study on the crackability, correlation, and security of passwords (2016) 1–10.
[14] E.J. Kelkboom, J. Breebaart, T.A. Kevenaar, I. Buhan, R.N. Veldhuis, Preventing the decodability attack based cross-matching in a fuzzy commitment scheme, IEEE Trans. Inf. Forensics Secur. 6 (1) (2011) 107–121.
[15] S.H. Khan, M.A. Akbar, F. Shahzad, M. Farooq, Z. Khan, Secure biometric template generation for multi-factor authentication, Pattern Recognit. 48 (2) (2015) 458–472.
[16] A. Kumar, K.V. Prathyusha, Personal authentication using hand vein triangulation and knuckle shape, IEEE Trans. Image Process. 18 (9) (2009) 2127–2136.
[17] C. Li, J. Hu, A security-enhanced alignment-free fuzzy vault-based fingerprint cryptosystem using pair-polar minutiae structures, IEEE Trans. Inf. Forensics Secur. 11 (3) (2016) 543–555.
[18] J. Li, X. Chen, M. Li, J. Li, P.P. Lee, W. Lou, Secure deduplication with efficient and reliable convergent key management, IEEE Trans. Parallel Distrib. Syst. 25 (6) (2014) 1615–1625.
[19] J. Li, X. Huang, J. Li, X. Chen, Y. Xiang, Securely outsourcing attribute-based encryption with checkability, IEEE Trans. Parallel Distrib. Syst. 25 (8) (2014) 2201–2210.
[20] J. Li, J. Li, X. Chen, C. Jia, W. Lou, Identity-based encryption with outsourced revocation in cloud computing, IEEE Trans. Comput. 64 (2) (2015) 425–437.
[21] P. Li, X. Yang, H. Qiao, K. Cao, E. Liu, J. Tian, An effective biometric cryptosystem combining fingerprints with error correction codes, Expert Syst. Appl. 39 (7) (2012) 6562–6574.
[22] K. Liang, W. Susilo, J.K. Liu, Privacy-preserving ciphertext multi-sharing control for big data storage, IEEE Trans. Inf. Forensics Secur. 10 (8) (2015) 1578–1589.
[23] M.-H. Lim, A.B.J. Teoh, K.-A. Toh, An efficient dynamic reliability-dependent bit allocation for biometric discretization, Pattern Recognit. 45 (5) (2012) 1960–1971.
[24] F. Liu, G. Yang, Y. Yin, S. Wang, Singular value decomposition based minutiae matching method for finger vein recognition, Neurocomputing 145 (2014) 75–89.
[25] H. Liu, H. Ning, Q. Xiong, L.T. Yang, Shared authority based privacy-preserving authentication protocol in cloud computing, IEEE Trans. Parallel Distrib. Syst. 26 (1) (2015) 241–251.
[26] J.K. Liu, M.H. Au, X. Huang, R. Lu, J. Li, Fine-grained two-factor access control for web-based cloud computing services, IEEE Trans. Inf. Forensics Secur. 11 (3) (2016) 484–497.
[27] Z. Liu, Y. Yin, H. Wang, S. Song, Q. Li, Finger vein recognition with manifold learning, J. Netw. Comput. Appl. 33 (3) (2010) 275–282.
[28] R. Maurya, Social engineering: manipulating the human, 1, Scorpio Net Security Services, 2013.
[29] A. Nagar, S. Rane, A. Vetro, Alignment and bit extraction for secure fingerprint biometrics, IS&T/SPIE Electronic Imaging, International Society for Optics and Photonics, 2010. 75410N–75410N
[30] K. Nandakumar, A.K. Jain, S. Pankanti, Fingerprint-based fuzzy vault: implementation and performance, IEEE Trans. Inf. Forensics Secur. 2 (4) (2007) 744–757.
[31] V. Odelu, A.K. Das, A. Goswami, A secure biometrics-based multi-server authentication protocol using smart cards, IEEE Trans. Inf. Forensics Secur. 10 (9) (2015) 1953–1966.
[32] C. Rathgeb, A. Uhl, P. Wild, Iris-biometric fuzzy commitment schemes under image compression, in: Iberoamerican Congress on Pattern Recognition, Springer, 2013, pp. 374–381.
[33] Y.-J. Ren, J. Shen, J. Wang, J. Han, S.-Y. Lee, Mutual verifiable provable data auditing in public cloud storage, (2015) 16(2), 317–323.
[34] W.J. Scheirer, T.E. Boult, Cracking fuzzy vaults and biometric encryption, in: Biometrics Symposium, 2007, IEEE, 2007, pp. 1–6.
[35] J. Shen, H. Tan, S. Moh, I. Chung, Q. Liu, X. Sun, Enhanced secure sensor association and key management in wireless body area networks, J. Commun. Netw. 17 (5) (2015) 453–462.
[36] W. Sheng, S. Chen, G. Xiao, J. Mao, Y. Zheng, A biometric key generation method based on semisupervised data clustering, IEEE Trans. Syst. Man Cybern. 45 (9) (2015) 1205–1217.
[37] M. Sookhak, A. Gani, M.K. Khan, R. Buyya, Dynamic remote data auditing for securing big data storage in cloud computing, Inf. Sci. (2015) 1–12.
[38] J.-L. Tsai, N.-W. Lo, A privacy-aware authentication scheme for distributed mobile cloud computing services, IEEE Syst. J. 9 (3) (2015) 805–815.
[39] U. Uludag, S. Pankanti, A.K. Jain, Fuzzy vault for fingerprints, in: International Conference on Audio-and Video-Based Biometric Person Authentication, Springer, 2005, pp. 310–319.
[40] B. Violino, Biometric security is on the rise, (http://www.csoonline.com/article/2891475/identity-access/biometric-security-is-on-the-rise.html).
[41] S.S. Vivek, R. Ramasamy, Biometrie key generator with applications in on-device encryption, in: Innovations in Information Technology (IIT), 2015 11th International Conference on, IEEE, 2015, pp. 273–277.
[42] X. Wen, L. Shao, Y. Xue, W. Fang, A rapid learning algorithm for vehicle classification, Inf. Sci. 295 (2015) 395–406.
[43] Z. Wu, B. Liang, L. You, Z. Jian, J. Li, High-dimension space projection-based biometric encryption for fingerprint with fuzzy minutia, Soft comput. 20 (12) (2016) 4907–4918.
[44] Z. Wu, J. Yuan, J. Zhang, H. Huang, A hierarchical face recognition algorithm based on humanoid nonlinear least-squares computation, J. Ambient Intell. Humaniz. Comput. 7 (2) (2016) 229–238.
[45] F. Xhafa, J. Wang, X. Chen, J.K. Liu, J. Li, P. Krause, An efficient phr service system supporting fuzzy keyword search and fine-grained access control, Soft comput. 18 (9) (2014) 1795–1802.
[46] Z. Xia, X. Wang, X. Sun, Q. Wang, A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data, IEEE Trans. Parallel Distrib. Syst. 27 (2) (2016) 340–352.
[47] J. Yang, Y. Shi, Towards finger-vein image restoration and enhancement for finger-vein recognition, Inf. Sci. 268 (2014) 33–52.
[48] R. Zhang, E. Liu, H. Zhao, L. Pang, Improved cancelable fingerprint fuzzy vault system, J. Xidian University 38 (4) (2011) 173–180.
[49] J. Zhou, X. Lin, X. Dong, Z. Cao, Psmpa: patient self-controllable and multi-level privacy-preserving cooperative authentication in distributed m-healthcare cloud computing system, IEEE Trans. Parallel Distrib. Syst. 26 (6) (2015) 1693–1703.
[50] X. Zhou, A. Kuijper, C. Busch, Retrieving secrets from iris fuzzy commitment, in: 2012 5th IAPR International Conference on Biometrics (ICB), IEEE, 2012, pp. 238–244.
