Page 179 - ITU KALEIDOSCOPE, ATLANTA 2019
ICT for Health: Networks, standards and innovation
5.2 Password-authenticated transport layer security

In their 2016 paper on password authentication in the transport layer security (TLS) protocol, Manulis, Stebila, Kiefer and Denham noted that password authentication is "perhaps the most prominent and human-friendly user authentication mechanism widely deployed on the Web" [16]. The authors described the many threats associated with user reliance for the protection of their credentials on secure server-authenticated TLS channels established using a public key infrastructure (PKI) [16]. They attribute these threats to PKI-related problems including that "security fully relies on a functional X.509" PKI that in practice may be flawed, and on "users correctly validating the server’s X.509 certificate" without being phished by an attacker [16]. These assumptions about PKI implementations have been shown to be unreliable.

The authors note that many PKI failures in TLS are due to the "problems with the trustworthiness of certification authorities (CAs), inadequate deployment of certificate revocation checking, ongoing threats from phishing attacks, and the poor ability of the users to understand and validate certificates" [16]. Rather than rely on the rare case where users possess the personal certificates needed to benefit from mutual authentication, the authors propose using PAKE as "part of the TLS handshake protocol" [16]. Following the execution of PAKE in the TLS handshake, "the key output by PAKE" would be used as "the TLS pre-master secret" for deriving "further encryption keys according to the TLS specification" [16].

Though PAKE techniques have been standardized for years in Recommendation ITU-T X.1035 and in ISO/IEC, there has been no PAKE standard "agreed upon and implemented in existing web browser and server technologies" [16]. SG17 should standardize PAKE for use as an option in the TLS handshake. This would broaden the use of PAKE as a standalone authentication technique to its use in a protocol widely used to conduct online electronic commerce transactions and to provide secure communications between internet applications.

Adding PAKE to TLS would enable all users to benefit from "secure password authentication" in "any application that makes use of TLS", without requiring users to possess X.509 certificates [16]. ITU standardization of PAKE usage in the handshake would allow "standard TLS mechanisms for key derivation and secure record-layer communication" to continue being used [16]. An ITU-T standard for using PAKE in TLS would provide users the convenience and low cost of passwords and the security benefits of mutual authentication. By making PAKE available to users as a PKI alternative, the threats to users from phishing and man-in-the-middle attacks that are known to plague TLS could be addressed.

5.3 Two-factor biometric authenticated key exchange

SG17 should create a new standard that provides a strong, two-factor identity authentication solution based on PAKE. The new standard should expand the current ITU-T X.1035 protocol processing to include a step for matching a user biometric sample to a reference template associated with their server account and password. For purposes of biometric matching, the user could be enrolled in a biometric system local to the server, or they could be enrolled in a separate system that provides a remote matching service. The latter case could enable 'biometric portability', allowing a user to enroll one time in a biometric system, then subsequently to be matched from any device.

In current ITU-T X.1035 protocol processing, a user attempting authentication sends the server an encrypted message along with their account name. The server locates the password associated with the account and derives the key needed to decrypt the message and authenticate the user. When a biometric sample is included by the user in the encrypted authentication attempt, the server can use this biometric sample to further authenticate the user with a second authentication factor.

The confidentiality of the authentication-attempt message is provided using a symmetric key derived from the user password. The user can safely include their biometric sample in the encrypted message, since the PAKE protocol protects the confidentiality of their personally identifiable information (PII) from phishing and man-in-the-middle attacks. Only the intended message recipient, the server that shares the user account password, can derive the key needed to decrypt the message and gain access to the user biometric sample.

When biometric matching is performed local to the server, at a minimum, the user biometric sample must be included in the encrypted user message. When more than one biometric technology type is supported, an identifier of the type of sample being presented for authentication must also be included. It is possible for a biometric matching system to support multiple technology types, so more than one sample and type may be presented by the user for authentication. The format and processing of these values should be standardized by SG17 to promote vendor interoperability.

Biometric matching may be performed on a system remote to the server authenticating the user. In this case, the encrypted user authentication-attempt must also identify the location of the remote matching service for each biometric type being presented for authentication. The unique biometric reference template identifier associated with the user enrolled in a biometric system, and the type of the biometric sample should also be included. A schema for exchanging this information as an encrypted attribute should be standardized by SG17.
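
The field rules in the last two paragraphs can be checked on the server once the authentication-attempt message has been decrypted. The sketch below is an added example, not taken from the paper or from ITU-T X.1035: the JSON layout, the field names (`biometrics`, `type`, `sample`, `matcher`, `template_id`), the function name and the supported-type set are all assumptions, since no such schema has been standardized, and decryption with the PAKE-derived key is assumed to have already succeeded.

```python
import base64
import json

# Assumption: biometric technology types this server accepts (hypothetical).
SUPPORTED_TYPES = {"fingerprint", "iris"}


def route_biometrics(plaintext: bytes, supported=SUPPORTED_TYPES):
    """Validate a decrypted biometric attribute and pick a matcher per sample.

    Returns a list of (type, "local" | "remote", service_url, template_id).
    Raises ValueError when a field the text above requires is missing.
    """
    entries = json.loads(plaintext).get("biometrics", [])
    if not entries:
        raise ValueError("no biometric sample presented")
    routes = []
    for entry in entries:
        if not entry.get("sample"):
            raise ValueError("biometric sample missing")
        base64.b64decode(entry["sample"], validate=True)  # reject garbled data
        remote = "matcher" in entry
        btype = entry.get("type")
        if btype is None:
            # Type may be omitted only for local matching with a single type.
            if remote or len(supported) != 1:
                raise ValueError("biometric type identifier required")
            btype = next(iter(supported))
        if btype not in supported:
            raise ValueError(f"unsupported biometric type: {btype}")
        if remote:
            if not entry.get("template_id"):
                raise ValueError("remote matching needs a template identifier")
            routes.append((btype, "remote", entry["matcher"], entry["template_id"]))
        else:
            routes.append((btype, "local", None, None))
    return routes


# Constructed sample: one locally matched and one remotely matched sample.
SAMPLE = json.dumps({"biometrics": [
    {"type": "fingerprint", "sample": base64.b64encode(b"constructed-1").decode()},
    {"type": "iris", "sample": base64.b64encode(b"constructed-2").decode(),
     "matcher": "https://matcher.example/iris", "template_id": "tmpl-0001"},
]}).encode()

if __name__ == "__main__":
    print(route_biometrics(SAMPLE))
```

Rejecting an incomplete attribute before any matcher is contacted keeps a malformed or downgraded second factor from being silently treated as password-only authentication.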