Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. S.R. Jenifer Raja Shermila / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 4, July-August 2012, pp.375-379 A Five-Ways Fuzzy Authentication for Secured Banking S.R. Jenifer Raja Shermila Centre For Information Technology And Engineering, M S University, TirunelveliABSTRACT Data security is an important issue in In this work the communication security iscurrent scenario of banking financial operation discussed. At the time of data communication fromspecially with transaction of secure and an Auto Teller Machine to bank server the rise ofconfidential data. It must be send with high the banking system becomes a more and moresecurity at the time of communication. In this important security issue. In order to makework various types of authentication factors that communication security from ATM to Bank andare used in secure banking data transmissions to from Bank to ATM a new level of security shouldmake more data security are discussed. Secure emerge. Normally ATM verifies the authenticationand efficient authentication scheme has been a of a user with single key pin security which isvery important issue with the development of smart-card-based password authentication but this isnetworking technologies. The conversion not only not sufficient to protect this information in asignificantly improves the information assurance network transaction. Smart-card-based passwordat low cost but also protects client privacy in authentication provides two factor authentications,distributed systems. In addition, the framework namely a successful login requires the client to haveretains several practice friendly properties, a valid smart card and a correct password. While itwhich is of independent interest. The main provides stronger security guarantees than passwordimplementation of the Project is to get the Finger authentication, it could also fail if bothPrint, Radio Frequency Identification (RFID) authentication factors are compromised (e.g., anand the Personal Identification Number (PIN) attacker has successfully obtained the password andfrom the User for the Authentication. If the the data in the smart card). To protect this type ofFinger Print is same but not so clear then the secure data bank follows various authenticationMain Server will generate the Token number to factors to protect their transactions. Three Factorthe User’s Mobile number as One Time Authentication [1] are considered using thePassword (OTP). This generated OTP would be following,given using Key Pad Matrix. So the Server willbe verifying User’s Finger Print, RFID card, PIN  RFIDnumber and OTP via Key Pad Matrix. This will  PIN Numberdefinitely ensure proper security of the user.  Biometrics (Finger Print) Every User is provided with RFID Card for theKeywords – Authentication, Distributed systems, initial Authentication Scheme, then the user will beSecurity, Privacy, PIN, RFID card, Biometrics. giving the PIN number is provided during the Registration Period itself.I. INTRODUCTION Then the user is permitted to give his / her In competitive market globalization, Finger Print to the main server. If the Finger Print isincreased competition, the demand for innovative exactly matched, the user is allowed for theproducts, and new technology implementation, the transaction. If the Finger Print is doubtful and notbanking industry is changing at least as fast as any exactly matched with the registered Finger Printother industry. Auto Teller Machine (ATM) is one image then Server sends One Time Password asof the important innovation of banking competition SMS Alert to the User‟s Mobile Number. This Onewhich provides the banking operations outside the Time Password which is generated as SMS is givenbank premises. It mainly used to withdrawal money by the User to the main server for authentication. Infrom it. To provide the security at user level it works the normal three factor Authentication Scheme, weon a single pin security for secure banking operation use following Authentication Proceduresat user level. But it is not sufficient to protect theinformation which are send by the ATM to bank 1. User PIN number along with Keypad IDserver and vice versa. There are three types of 2. RFID Tagsecurities provided by the banks to protect the ATM 3. Finger Print Imagethese are: (a) Physical security, (b) Software In the case of Fuzzy Concept, where the Finger Printsecurity and (c) Communication security. is not matched but matched to the maximum extent, 375 | P a g e
  2. 2. S.R. Jenifer Raja Shermila / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 4, July-August 2012, pp.375-379and the server has suspicion, then the following was given by Lin and Lai to fix that flaw. Theprocedure is followed, new protocol, however, has several other security vulnerabilities [1] Xinyi Huang, Yang Xiang, 1. User PIN number along with Keypad ID Jianying Zhou and Robert H. Deng proposed to 2. RFID Tag authenticate clients by three factors namely password, 3. Finger Print Image smart card and Biometrics. Fan and Lin [2] 4. One Time Password (OTP) Generation to proposed a three-factor authentication scheme with the user‟s Mobile Number privacy protection on biometrics. The essential 5. OTP given by the user to the server. approach of their scheme is as follows: 1) During theall those are used together for authentication. For registration, the client chooses a random string andFinger print Fuzzy Logic is applied for Exact encrypts it using his/her biometric template; 2)Mapping and Proper Authentication. The result (called sketch) is stored in the smart card; and 3) During the authentication, the client1.1 Motivation must convince the server that he/she can decrypt the The motivation of this paper is to sketch, which needs correct biometrics (close to theinvestigate a systematic approach for the design of biometric template in the registration). As we shallsecure five-factor authentication with the protection show shortly, our fuzzy implementation employs aof user privacy. Five-factor authentication is different approach. The client in our frameworkintroduced to incorporate the advantages of the uses his/her finger impression, RFID card and theauthentication based on PIN, RFID card, fingerprint PIN for authentication purpose. The main serverOTP and keypad ID. A well designed five-factor will generate One Time Password (OTP) and send itauthentication protocol can greatly improve the to the User‟s Mobile number when the fingerinformation assurance in distributed systems. impression does not match exactly with the existingHowever, the previous research on three-factor finger impression in the database. The keypad id isauthentication is confusing and not satisfactory. provided to the user during Account Registration. This leads to a fuzzy implementation of biometric1.2 Security Issues with five-factor authentication system for secured The existing three-factor authentication banking from a generic framework for threeprotocols are flawed and cannot meet security authentication: preserving security and privacy inrequirements in their applications. Even worse, distributed system.some improvements of those flawed protocols arenot secure either. The research history of five-factor 2. PRELIMINARIESauthentication can be summarized in the following This section reviews the definitions ofdiagram. RFID card-based authentication, five factor authentication and finger print and fuzzy logic.1.3 Privacy Issues Along with the improved security 2.1 RFID card-based authenticationfeatures, five-factor authentication also raises Radio-frequency identification (RFID) is theanother subtle issue on how to protect the use of a wireless non-contact radio system to transferbiometric data. The authentication factors are not data from a tag attached to an object, for the purposesonly the privacy information of the owner, but of automatic identification and tracking. Some tagsalso closely related to security in the require no battery and are powered by the radio wavesauthentication process. As biometrics cannot be used to read them. Others use a local power source.easily changed, the breached biometric The tag contains electronically stored informationinformation (either on the server side or the client which can be read from up to several meters (yard)side) will make the biometric authentication away. Unlike a bar code, the tag does not need to betotally meaningless. However, this issue has within line of sight of the reader and may bereceived less attention than it deserves from embedded in the tracked object.protocol designers. We believe it is worthwhile, 2.2 Five-Factor Authenticationboth in theory and in practice, to investigate afuzzy implementation for five-factor Five Factor authentication is very similar toauthentication, which can preserve the security three factor based authentication, with onlyand the privacy in distributed systems. difference that it requires OTP and keypad ID as1.4 Related Work additional authentication factor. Several authentication protocols have been 2.3 Fingerprint Recognitionproposed to integrate biometric authentication with Fingerprint recognition technologies analyzepassword authentication and/or smart-card global pattern schemata on the fingerprint, along withauthentication. An improved authentication protocol small unique marks known as minutiae, which are the 376 | P a g e
  3. 3. S.R. Jenifer Raja Shermila / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 4, July-August 2012, pp.375-379ridge endings and bifurcation or branches in the 3. A Fuzzy Implementation of Biometrics withfingerprint ridges. Five Factor Authentication System 3.1 Registration. Every user has to register in the bank in order to become an authorized user. The registration procedure is as follows: 1. The customer must have to provide their basic information like username, address, contact information email id, photo proofs and other required information. 2. We assume that there is a device for extracting the fingerprint template and carrying out all calculations in a fuzzy extractor. This step does not involve any fingerprint template and carrying out all calculation in a fuzzy extractor. This step does not involve any interaction with the authentication server. Fig.1.1 Fingerprint minutiae 3.1.1 Customer Verification TechniquesThe data extracted from fingerprints are extremelydense, where density explains why fingerprints are a Customer verification is a related but separatevery reliable means of identification. Fingerprint process from that of authentication. Customerrecognition systems store only data describing the verification complements the authentication processexact fingerprint minutiae whereas image of actual and should occur during account origination.fingerprints are not retained. Fingerprint scanners Verification of personal information may bemay be built into computer keyboards or pointing achieved in three ways:devices (mice), or may be stand-alone scanning • Positive verification: To ensure that materialdevices attached to a computer. information provided by applicant matches information available from trusted third party2.4 Fuzzy logic sources. More specifically, a financial institution canFuzzy logic is a form of many-valued logic, it deals verify a potential customers identity by comparing thewith reasoning that is approximate rather than fixed applicants answers to a series of detailed questionsand exact. In contrast with traditional logic theory, against information in a trusted database (e.g., awhere binary sets have two-valued logic: true or false, reliable credit report) to see if the informationfuzzy logic variables may have a truth value that supplied by the applicant matches information inranges in degree between 0 and 1. Fuzzy logic has the database. As the questions become morebeen extended to handle the concept of partial truth, specific and detailed, correct answers provide thewhere the truth value may range between completely financial institution with an increased level oftrue and completely false. confidence that the applicant is who they say they are. • Logical verification: To ensure that information2.5 One Time Password (OTP) provided is logically consistent with the telephone area The purpose of a one-time password code, ZIP code and street address.(OTP) is to make it more difficult to gain •Negative verification: To ensure that informationunauthorized access to restricted resources, like a provided has not previously been associated withcomputer account. Traditionally static passwords fraudulent activity. For example, applicantcan more easily accessed by an unauthorized information can be compared against fraudintruder given enough attempts and time. By databases to determine whether any of theconstantly altering the password, as it done with a information is associated with known incidents ofone-time password, this risk can be greatly fraudulent behaviour.reduced. In the case of commercial customers, the sole2.5.1 OTP over SMS reliance on online electronic database comparison A common technology used for the techniques is not adequate since certain documentsdelivery of OTPs is short message service (SMS). (e.g., bylaws) needed to establish an individualsBecause SMS is a ubiquitous communication channel, right to act on a company‟s behalf is not availablebeing available in all handsets and with a large from databases. Institutions still must rely oncustomer-base, SMS messaging has the greatest traditional forms of personal identification andpotential to reach all consumers with a low total document validation combined with electroniccost of ownership. verification tools. 377 | P a g e
  4. 4. S.R. Jenifer Raja Shermila / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 4, July-August 2012, pp.375-379 The information provided are then stored in thedatabase of the server after all verification. Oncethe information registered is true then the Servergenerates a RFID card which contains all theinformation related to the user. The client is givenRFID card, PIN number and Keypad ID along withthe keypad to perform the transaction. As in the existing authentication protocols, weassume the registration phase is performed in asecure and reliable environment, and particularly thedevice is trusted for its purpose. After a successfulregistration, the client will have a RFID card, keypadwith keypad ID and the initial PIN.3.2 Login-Authentication The client first inserts the RFID card into a cardreader which will extract the data. After that, the cliententers the PIN and his/her fingerprint data. Afingerprint scanner is used for extraction at this phase. Fig.1.2 Login-Authentication OverviewThe login procedure is as follows This completes the description of the 5-Factor-Login-1. The PIN that the user enter should match Authentication protocol in our work.with already existing one in the database otherwise 3.3 PIN-Changethe user cannot proceed further.2. Once the PIN matches perfectly the user has to After a successful login, the client cangive his/her fingerprint on the fingerprint scanner. change his/her PIN. The server allows the client toFuzzy logic is applied as soon as the fingerprint is change the old PIN with new PIN and updates the data in the RFID card accordingly.obtained on the fingerprint scanner. If thefingerprint matches exactly (100%) with existing 3.4 Fingerprint-Selectionfingerprint in the database then the user will be Similarly, one can change the fingerprint (usingallowed for transaction. any one of the 5 fingers) used for authentication. To3. If obtained fingerprint matches less than 60% do so, the client has to record fingerprints of all thewith the existing fingerprint in the database, fingers in the database. The change of selectedtransaction cannot be performed. fingerprint will be updated in the RFID card4. If the fingerprint of the user is partially true automatically.(60% - 99%) then OTP will be generatedautomatically and sent to the real user‟s mobileusing “RSA” algorithm. 4. CONCLUSION5. The generated OTP must be entered using the Preserving security and privacy is akeypad which is already updated with the keypad challenging issue in distributed systems. ThisID. paper makes a step forward in solving this issue6. The user is allowed for transaction if the OTP by proposing a fuzzy implementation ofmatches perfectly. biometrics with five-factor authentication to protect services and resources from unauthorized use. The authentication is based on password, RFID card, OTP, fingerprint and keypad ID. Our work not only demonstrates how to obtain secure five-factor authentication from three- factor authentication, but also addresses issues of biometric authentication in distributed systems (e.g., client privacy). The analysis shows that the work satisfies all security requirements on five-factor authentication and has several other practice-friendly features. The future work is to fully identify the practical threats on five-factor authentication and develop concrete five-factor authentication protocols with better performances. 378 | P a g e
  5. 5. S.R. Jenifer Raja Shermila / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 4, July-August 2012, pp.375-379REFERENCES Elliott, “Privacy Preserving Multi-Factor Authentication with Biometrics,” J. Computer[1] Xinyi Huang, Yang Xiang, Jianying Zhou Security, vol. 15, no. 5, pp. 529-560, 2007. and Robert H. Deng, “A Generic framework for three factor authentication: Preserving [10] U. Uludag, S. Pankanti, S. Prabhakar, and security and privacy in distributed systems” A.K. Jain, “Biometric Cryptosystems: IEEE Trans. Parallel and distributed system Issues and Challenges,” Proc. Vol. 22, no. 8, pp. 1390-1397, August 2011. IEEE, Special Issue on Multimedia Security for Digital Rights[2] C.-I. Fan and Y.- H. Lin, “Provably Secure Management, vol. 92, no. 6, pp. 948- Remote Truly Three- Factor 960,June 2004. Authentication Scheme with Privacy Protection on Bio- metrics,” IEEE Trans. Information [11] C.-I. Fan and Y.-H. Lin, “Provably Secure Forensics and Security, vol. 4, no. 4, pp. 933- Remote Truly Three- Factor 945, Dec. 2009. Authentication Scheme with Privacy Protection on Bio- metrics,” IEEE Trans.[3] C.H. Lin and Y.Y. Lai, “A Flexible Information Forensics and Security, vol. 4, Biometrics Remote User Authentication no. 4, pp. 933-945, Dec. 2009. Scheme,” Computer Standards Interfaces, vol. 27, no. 1, pp. 19-23, Nov. 2004. [12] C.T. Li and M.-S. Hwang, “An Efficient Biometrics-Based Remote User[4] M.K. Khan and J. Zhang, “Improving the Authentication Scheme Using Smart Security of „A Flexible Biometrics Remote Cards,” J. Network and User Authentication Scheme‟,” Computer Computer Applications, vol. 33, no. 1, pp. Standards Interfaces, vol. 29, no. 1, pp. 82-85, 1-5, 2010. Jan. 2007. [13 ]P.C. Kocher, J. Jaffe, and B. Jun,[5] H. Tian, X. Chen, and Y. Ding, “Analysis of “Differential Power Analysis,” Proc. Int‟l Two Types Deniable Authentication Cryptology Conf.(CRYPTO), pp. 388-397, Protocols,” Int‟l J. Network Security, vol. 9, 1999. no. 3, pp. 242-246, July 2009. [14] Y. Dodis, L. Reyzin, and A. Smith,[6] E.J. Yoon and K.Y. Yoo, “A New “Fuzzy Extractors: How to Generate Strong Efficient Fingerprint-Based Remote User Keys from Biometrics and Other Noisy Authentication Scheme for Multimedia Data,” Proc. Int‟l Conf. Theory and Systems,” Proc. Ninth Int‟l Conf. Applications of Cryptographic Techniques Knowledge-Based Intelligent Information and (Eurocrypt), pp. 523-540, 2004. Eng. Systems (KES), 2005. [15] M.-H. Lim and A.B.J. Tech,[7] Y. Lee and T. Kwon, “An improved “Cancelable Biometrics,” Scholarpedia, vol. Fingerprint-Based Remote User 5, no. 1, p. 9201,2010 Authentication Scheme Using Smart Cards,” Proc. Int‟l Conf. [16] T.S. Messerges, E.A. Dabbish, and Computational Science and Its R.H. Sloan, “Examining Smart-Card Applications (ICCSA), 2006. Security under the Threat of Power Analysis Attacks,” IEEE Trans.[8 M. Scott, “Cryptanalysis of an ID-Based Computers, vol. 51, no.5, pp.541-552, May Password Authentication Scheme Using 2002. Smart Cards and Fingerprints,” ACM SIGOPS Operating Systems Rev., vol. 38, [17] Y.Dodis, L. Reyzin, and A. Smith, “Fuzzy no. 2, pp. 73- Extractors: How to Generate Strong Keys 75, Apr. 2004. from Biometrics and Other Noisy Data,” Proc. Int‟l Conf. Theory and Applications[9] A. Bhargav-Spantzel, A.C. Squicciarini, of Cryptographic Techniques (Eurocrypt), pp. E.Bertino, S. Modi, M. Young, and S.J. 523- 540, 2004. 379 | P a g e