Improved cloud security using bio-metric mobile app.
This paper focuses on a cloud-based framework for handling the details of any entity (an individual's or an organization's data and applications) in the cloud in a more secure manner using improved biometric image processing techniques. The use of cloud services by an organization or an individual user reduces the capital investment cost as well as the recurring costs, because the cloud user does not own any resources but rather uses services from the cloud on a pay-per-use basis, otherwise referred to as a subscription basis. When an organization does not own any physical resources, it is also relieved of maintaining them; it may therefore concentrate on its mainstream business rather than on IT infrastructure.
A recent study conducted by the Cloud Security Alliance, an organization that works towards implementing the best security solutions for open cloud infrastructure, reveals that more and more users have started using cloud services since 2008 and that the user base keeps growing. The use of smart phones is also growing exponentially, and the cloud is accessible via mobile interfaces too. All data in conventional systems is being shifted to the cloud environment. The data is huge and heterogeneous in format owing to its nature and its dependencies, and it has to be provided in time, as and when users require it. Risk avoidance has to be given more importance than cost saving, because the data is under threat and may be changed during communication between users and over the network.
Hence, security has become one of the most challenging ongoing research areas in cloud computing: the cloud user stores his/her organization's important data on public cloud infrastructure and also accesses the required data from remote cloud servers that are not controlled or managed by the cloud user. When the cloud user prefers cloud servers over his/her own on-premises servers, control of those remote cloud servers is out of the cloud user's scope, and hence the security of the organization's data becomes an issue.
This research paper concentrates mainly on bio-metric image processing and tries to evolve an approach for incorporating security features in the cloud using bio-metric image processing techniques. Bio-metrics is defined as follows: 'Bio-Metric Technologies are automated methods of verifying or recognizing the identity of a living person on a physiological or behavioural characteristic'. The keyword "automated methods" conveys a lot: the authentication is done by a machine, which may be a computer and, now, the smart phone.
Another important keyword, "person", needs to be thoroughly analysed and understood. The physiological and behavioural characteristics of people definitely vary if we take into account DNA, hair, fingerprint, iris image, body odour etc. The simple id/password mechanism for security has become trivial to hack; hence identifying the correct user to access cloud resources by biometrics-based authentication, in preference to other authentication methods, is being widely practiced, and there has been a significant increase in the use of biometrics for user authentication in recent years in the banking, financial services and insurance sectors.
The importance of biometrics-based authentication systems that are designed to withstand security issues when employed in critical applications, especially in independent remote applications such as e-commerce and banking, is to be clearly addressed. Our focus is on using such bio-metric authentication systems in a cloud environment where an enterprise's business data is stored on remote servers. When cloud users possess present-day Android-based or iOS-based smart phones, biometric authentication becomes simpler.
In this paper we discuss a few of the bio-metric based authentication systems, especially fingerprint-based authentication, identify the serious issues in systems implementing biometrics-based authentication, and present improved methods to overcome these security issues when private data is ported to a public cloud.
A. The Need for Bio-metrics:
The relationship between man and man has reduced and the relationship between man and machine has increased. The digital divide is narrowing. Wherever there is a conversation between man and machine, the process of identification arises. When we use machines in a public environment such as the cloud, identification of the user is very much necessary. The thin gap between man and machine is reduced using various methods, and bio-metric authentication is one important technology amongst them. The various bio-metric techniques used at present are: face, fingerprint, iris image, voice recognition, hand geometry, retinal pattern, signature, thermograms etc.
Some bio-metric techniques are still in the pipeline, viz. odor, ear, keystroke, DNA, hair. In our paper, the fingerprint authentication mechanism is analyzed, and the way to incorporate such an authentication mechanism in a cloud environment to provide secured services to the data owner is discussed.
B. Finger-print Identification:
The process of identification in this networked world is inevitable. When we use web services like mail, banking and e-commerce, and, at present, when we use the cloud, we have identification mechanisms like user-id, password, one-time PIN etc. The identification process can be well understood as 'something you possess' and 'something you know'. An example scenario: we possess an ATM card and we know its PIN. What if we lose our ATM card? Most users choose a PIN such as their year of birth. If an imposter possesses our ATM card and has our PIN, then the identification process fails.
To improve this vulnerable identification process, we use bio-metrics to strengthen identification in this networked world. What could be taken as a bio-metric identifier? Any human physiological or behavioral characteristic can be accounted as a bio-metric identifier provided that it satisfies a few properties: i) universality--all humans should possess it, ii) uniqueness--no two humans have the same, iii) permanence--it should not vary with time and iv) collectability--it is quantifiable.
Bio-metric based authentication is widely used in many applications: banking, e-commerce and now the cloud environment too, to ensure security of data in storage as well as during communication.
C. Finger Print--Authentication:
Fingerprints are unique amongst individuals. In the field of Astrological Science, fingerprints provide vital information to predict the future life of an individual. Fingerprints are graphical flow-like ridges in the palm of a human. A fingerprint is captured digitally using a fingerprint scanner, and such hardware components are being incorporated in present-day mobile phones. Hence adding biometric security to the cloud infrastructure will not be a problem at present, as its hardware counterpart is less expensive and can also be easily interfaced with the existing system.
Ridge ending and ridge bifurcation are the two important characteristic features in the fingerprint of any human user. A common, widely used algorithm is the "automatic fingerprint identification system", which consists of two phases: off-line and on-line. In the off-line phase, a fingerprint is captured using the hardware device and the quality of the captured image is improved using different algorithms; then the significant features of the fingerprint are extracted and stored in a database as a template. In the on-line phase, the fingerprint of the user is captured and enhanced, its features are extracted, and these are compared with the template stored in the database. The steps are illustrated in figure 1.
Though we have many other biometric solutions, the fingerprint identification system is widely used for many reasons. Compared to other biometric techniques, the advantages of fingerprint-based identification are as detailed below:
(1) Uniqueness of the fingerprint--the minutiae details of individual ridges and furrows are permanent and unchanging.
(2) The fingerprint is easily captured using a low-cost fingerprint scanner.
(3) The fingerprint is unique for every person, so it can be used to form multiple levels of security to improve cloud systems.
The above figure clearly explains the simple methodology of fingerprint verification. In the off-line process, the fingerprints of all users are captured and stored in a database. Before the raw or original image is stored, it is enhanced. A fingerprint image, when captured for the first time, may contain unwanted data, i.e. noise: our hands, being the most used part of our body, may be wet, dry, oily or greasy, and these conditions appear as noise when the original fingerprint is captured. Hence, to remove the noise, image enhancement techniques like adaptive filtering and adaptive thresholding are used.
The standard form factor for the image size is 0.5 to 1.25 inches square at 500 dots per inch. Adaptive filtering and thresholding are carried out on the above original image. The redundancy of parallel ridges is a useful characteristic in the image enhancement process: we can determine the flow by applying an adaptive, matched filter even though there may be discontinuities in a particular ridge. This filter is applied to every pixel in the image, and the incorrect ridges are removed by applying the matched filter. Thereby the noise is removed; the enhanced image is shown in figure 3.
The enhanced image undergoes the feature extraction process, in which binarization and thinning take place. Fingerprint images do not all share the same contrast properties, as the force applied while pressing may vary for each instance. Hence, the contrast variation is removed by the binarization process using local adaptive thresholding.
When the width of the ridges is reduced to a single pixel, an improved fingerprint image is obtained; this feature extraction step is called thinning. The result of feature extraction is shown in figure 4.
The process of minutiae extraction is done as the last step in feature extraction and then the final image is stored in database. When the image is thinned down, it is very easy to extract the features: the minutiae are straightforward to detect and the endings are found at the termination points of thin lines and the bifurcations are found at the junctions of three lines.
Once we are able to identify valid minutia points in a thinned image, we have to extract two important pieces of data from the enhanced, thinned image for each significant minutia point: the (x, y) location, and the direction of the ending or bifurcation. Although minutia type is usually determined and stored, many fingerprint matching systems do not use this information because discrimination of one type from the other is often difficult. The result of the feature extraction stage is what is called a minutia template, as shown in figure 5. This is a list of minutiae with accompanying attribute values. An approximate range on the number of minutiae found at this stage is from 10 to 100. If each minutia is stored with type (1 bit), location (9 bits each for x and y), and direction (8 bits), then each will require 27 bits--say 4 bytes--and the template will require up to 400 bytes. It is not uncommon to see template lengths of 1024 bytes.
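The crossing-number test below is one common way to apply the rule described above (endings at termination points, bifurcations at three-line junctions), followed by the 1/9/9/8-bit packing into 4 bytes per minutia. It is an added example, not code from the paper; the skeleton is constructed, and the direction estimate and the bit order inside the 32-bit word are assumptions.

```python
import math
import struct

# Constructed 9x9 thinned skeleton ('#' = ridge pixel): a stem that forks in two.
SKELETON = [
    ".........",
    ".#.....#.",
    "..#...#..",
    "...#.#...",
    "....#....",
    "....#....",
    "....#....",
    "....#....",
    ".........",
]

ENDING, BIFURCATION = 0, 1   # the 1-bit minutia type
# The 8 neighbours of a pixel in clockwise order, as (dx, dy) offsets.
RING = [(-1, -1), (0, -1), (1, -1), (1, 0), (1, 1), (0, 1), (-1, 1), (-1, 0)]


def extract_minutiae(rows):
    """Return [(type, x, y, direction)] for a one-pixel-wide ridge image."""
    img = [[ch == "#" for ch in row] for row in rows]
    found = []
    for y in range(1, len(img) - 1):          # skip the border: no full ring there
        for x in range(1, len(img[0]) - 1):
            if not img[y][x]:
                continue
            ring = [img[y + dy][x + dx] for dx, dy in RING]
            # Crossing number: half the number of 0/1 changes around the ring.
            cn = sum(ring[i] != ring[(i + 1) % 8] for i in range(8)) // 2
            if cn not in (1, 3):              # 2 means an ordinary ridge pixel
                continue
            # Assumed direction estimate: angle of the summed vectors towards
            # the ridge neighbours, quantised to 8 bits (256 steps per turn).
            sx = sum(dx for (dx, _), on in zip(RING, ring) if on)
            sy = sum(dy for (_, dy), on in zip(RING, ring) if on)
            angle = math.degrees(math.atan2(sy, sx)) % 360
            direction = round(angle * 256 / 360) % 256
            kind = ENDING if cn == 1 else BIFURCATION
            found.append((kind, x, y, direction))
    return found


def pack_template(minutiae):
    """Pack each minutia into 27 bits (type 1, x 9, y 9, direction 8) in 4 bytes."""
    out = bytearray()
    for kind, x, y, direction in minutiae:
        if kind not in (0, 1) or not (0 <= x < 512 and 0 <= y < 512 and 0 <= direction < 256):
            raise ValueError("field does not fit the 1/9/9/8-bit layout")
        out += struct.pack(">I", kind << 26 | x << 17 | y << 8 | direction)
    return bytes(out)


def unpack_template(blob):
    """Inverse of pack_template; rejects blobs that are not whole 4-byte records."""
    if len(blob) % 4:
        raise ValueError("template length must be a multiple of 4 bytes")
    return [(w >> 26 & 1, w >> 17 & 0x1FF, w >> 8 & 0x1FF, w & 0xFF)
            for (w,) in struct.iter_unpack(">I", blob)]


if __name__ == "__main__":
    template = pack_template(extract_minutiae(SKELETON))
    print(len(template), "bytes:", unpack_template(template))
```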
Now, the online process starts. At the verification stage, the fingerprint of the cloud user who wants to access cloud services is captured and his template is compared with the fingerprint database. Minutiae are grouped based on their proximity, and each group is referred to as a neighborhood. Rather than checking each and every processed minutia against the stored minutiae, this grouping into neighborhoods makes the matching process easier and quicker. Usually, three or more minutiae are grouped as one neighborhood.
The minutiae in a neighborhood are located at certain distances and relative orientations from each other. First, matching of neighborhoods is carried out between the two images; if similarity is found to a satisfactory threshold, then a few neighborhoods are sampled and the individual minutiae in the neighborhoods of the user's current fingerprint image and of the image stored in the database are compared further. As each minutia has its own attributes of type and direction, individual minutiae are also compared. If the comparison indicates only small differences between the neighborhood in the stored fingerprint and that in the current user's fingerprint, then these neighborhoods are said to match. This process is carried out for all the neighborhood patterns exhaustively, and if enough similarities are found, the fingerprints are said to match. Another method for matching fingerprint images is called template matching: a graph pattern is formed by interconnecting the minutiae and is compared with the shapes of graphs joining the fingerprint minutiae. This is illustrated in Figure 6. An exact 1:1 match cannot be carried out, so a threshold is applied to a value termed the match score, usually a number between 0 and 1. The higher the value, the better the match.
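A simplified version of the neighborhood matching described above, as an added example that is not the paper's implementation. Each minutia is grouped with its two nearest neighbours and described by distances and relative angles, which do not change when the finger is rotated or shifted; the minutiae lists, tolerances and the 0.8 threshold are constructed assumptions.

```python
import math

K = 2              # neighbours per neighborhood, giving groups of three minutiae
DIST_TOL = 3.0     # assumed tolerance in pixels
ANGLE_TOL = 10.0   # assumed tolerance in degrees
THRESHOLD = 0.8    # assumed minimum match score for acceptance

# Constructed minutiae as (x, y, direction in degrees): two well-separated groups.
ENROLLED = [(10, 10, 0), (30, 10, 90), (10, 40, 180),
            (200, 200, 45), (215, 200, 135), (200, 225, 270)]
# Constructed second finger: shares the first group only.
OTHER = ENROLLED[:3] + [(200, 200, 0), (250, 200, 0), (200, 260, 0)]


def ang_diff(a, b):
    """Smallest difference between two angles, handling the 0/360 wrap."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def neighbourhoods(minutiae):
    """One descriptor per minutia: (distance, bearing relative to own direction,
    direction difference) for each of its K nearest neighbours."""
    out = []
    for i, (x, y, t) in enumerate(minutiae):
        others = [m for j, m in enumerate(minutiae) if j != i]
        others.sort(key=lambda m: math.hypot(m[0] - x, m[1] - y))
        desc = []
        for nx, ny, nt in others[:K]:
            bearing = math.degrees(math.atan2(ny - y, nx - x))
            desc.append((math.hypot(nx - x, ny - y), (bearing - t) % 360, (nt - t) % 360))
        out.append(desc)
    return out


def same_neighbourhood(a, b):
    # Incomplete neighborhoods never match, so a near-empty probe fails closed.
    return len(a) == len(b) == K and all(
        abs(da - db) <= DIST_TOL
        and ang_diff(ra, rb) <= ANGLE_TOL
        and ang_diff(ta, tb) <= ANGLE_TOL
        for (da, ra, ta), (db, rb, tb) in zip(a, b))


def match_score(stored, probe):
    """Fraction (0..1) of neighborhoods paired one-to-one between the two prints."""
    s, p = neighbourhoods(stored), neighbourhoods(probe)
    used, hits = set(), 0
    for d in p:
        for j, e in enumerate(s):
            if j not in used and same_neighbourhood(d, e):
                used.add(j)
                hits += 1
                break
    return hits / max(len(s), len(p), 1)


def accept(stored, probe):
    return match_score(stored, probe) >= THRESHOLD


def move(minutiae, deg, tx, ty):
    """Rotate and shift a print, as happens when the finger is placed differently."""
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [(x * c - y * s + tx, x * s + y * c + ty, (t + deg) % 360)
            for x, y, t in minutiae]


if __name__ == "__main__":
    print(match_score(ENROLLED, move(ENROLLED, 30, 40, -15)))
    print(match_score(ENROLLED, move(OTHER, 30, 40, -15)))
```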
D. Security in Cloud Environment:
Present-day companies have 90% of their business operations on cloud services, and the rest is taken care of by building in-house servers. The service level agreements (SLAs) entered into between the cloud user and the cloud vendor say that the security issues related to cloud services are the responsibility of the cloud vendor and that the user has no role in them; SLAs also state the many encryption standards and security algorithms that have been implemented in the public cloud infrastructure. But the truth is that some cloud service providers have good security features while most do not. Cloud services have many advantages, mainly the reduction in OPEX (operational cost) and CAPEX (capital cost), which is why the cloud service model is being used extensively, but they are beyond our discussion.
In general, the cloud provides hardware and software services to individual users or to an enterprise. The specific cloud services are described by the SPI framework listed below:
SaaS: Software as a Service
PaaS: Platform as a Service
IaaS: Infrastructure as a Service
Present-day cloud deployment has many deployment models: public cloud, private cloud, community cloud, hybrid cloud. Though the SPI framework in the cloud provides exhaustive hardware and software resources on a pay-per-use basis to heterogeneous users, risk exists in terms of security. At present, though multiple security techniques are implemented and a few algorithms are in the pipeline, a separate consortium, the Cloud Security Alliance, concentrates mainly on security issues.
The Cloud Security Alliance, the consortium that contributes to the growth and development of the cloud and more specifically to its security issues, discussed these at length in its conference held in 2009. One of the issues in the security domain is Identity and Access Management. As per the Identity and Access Management guidance of the Cloud Security Alliance, focus is placed on the following main areas:
a) Identification of authorized users, restriction of unauthorized users, and maintenance of a database
b) Bio-metric authentication while accessing enterprise's resources stored in the cloud across public Internet
c) User Profile Management and Defining Access Control Policies.
Here comes our focus on bio-metric image processing techniques. In order to ensure that no security breach happens while porting our enterprise's applications and business critical data to the third party, due importance has to be given. Though many conventional security techniques like encryption, key management and authentication are widely implemented, it is emphasized that additional security techniques like usage of biometric image processing may be given a thought and the research is focused in incorporating bio-metrics in cloud security.
E. Bio-Metrics in the Cloud Security:
Besides the three primary services offered by any cloud (SPI), at present all cloud vendors should implement bio-metric based authentication, which ensures secured access to one's data and applications when stored in a public cloud. An example scenario: as a result of technological advancements in the banking sector and the growing customer transition towards e-commerce, there has been a rapid increase in the volume of online transactions in recent years. Financial institutions offer customers easy and convenient transaction features and also offer facilities to transfer funds through mobile devices such as smart phones and tablet computers. Internet-based financial transactions in several sectors, including the banking, financial services, insurance, healthcare and retail industries, are vulnerable to cyber-attacks. In a typical e-commerce application, when the user makes financial transactions online, the security measures followed are as detailed below:
i) User-id and password for net-banking
ii) Verified by Visa process for plastic cards
iii) OTP-one time PIN number, etc
The same process may be followed when a cloud user or an organization stores data and applications in a public cloud. To strengthen the security algorithms, bio-metric authentication must be combined with the above conventional methods. Market research analysts working in the domain of cloud security implementing biometrics have predicted that the global fingerprint module market will grow impressively and that its benefit will be reaped by the cloud user by 2020, i.e. a secured public cloud will be available for users.
This necessity for a secure mode of transaction over public cloud infrastructure will induce more cloud vendors to implement effective bio-metric authentication systems, which in turn, may evolve as "Bio-metrics as a Service"--a new cloud service to be offered to ensure secured data communication between the consumer and the vendor. Biometrics as a service has the same benefits as any other cloud-based service. It is cost-effective, scalable, reliable and hardware agnostic, making enhanced security accessible anytime and anywhere.
C. Two/Three-Factor Authentication:
Many business organizations suggest that each employee carry his/her own device (the BYOD, bring your own device, policy). This results in the use of client devices like smart phones and tablet PCs, which will help in implementing multiple levels of security in the cloud environment. It will lead to the development of advanced technologies in which mobile OEMs integrate fingerprint scanner software and sensors into mobile devices. The growing business environments in many domains that operate in the cloud require more access control mechanisms. The security of a user's or an organization's data and applications stored in the cloud cannot be compromised for the sake of cost reduction.
To build a secured cloud, multiple levels of authentication may be implemented: i) organizational level, ii) personnel level. We may think of adopting the two/three-factor authentication method, a vital function that implements strong multiple security levels, thereby reducing the possibility of security breaches when data flows to and fro between the cloud user and a public cloud vendor through the public Internet.
Two/three-factor authentication ensures that claimant cloud users are authenticated by two or three methods as listed below:
a) Claimant cloud users must remember--password or PIN
b) Claimant cloud users must possess--token or smart card (two-factor authentication)
c) Claimant cloud user's bio-metric characteristic--such as a fingerprint (three-factor authentication)
Strong authentication security requires multiple levels of identification at login (user-id/pwd, followed by swiping of any plastic card and then by bio-metrics) to access the data stored in the cloud. This method is widely recognized as the most secure software authentication method for authenticating access to data and applications. At present, the client devices used by a cloud user are desktops, laptops, smart phones or tablet PCs. In all these devices, a fingerprint scanner is available or the module can be added at minimal cost. Hence, when a cloud user logs in to a public cloud and uses its resources,
a) the conventional user-id/pwd mechanism and
b) fingerprint authentication
will be combined, so as to ensure secured communication between the cloud user and the cloud vendor.
D. Out-of-band authentication:
Out-of-band authentication is often implemented in the financial sector and in other organizations with higher security requirements. Two or three connections are established between the cloud user and the cloud vendor: one channel is used for the exchange of the user-id/pwd, another for the plastic card authentication data and the third for the exchange of bio-metric data. When these channels are out-of-band, trying to hack them becomes more difficult. Other methods of out-of-band authentication require the user to make a phone call from a registered number, to respond to an automatically generated phone call from the institution, or to key in the one-time PIN received.
To strengthen the security further, voiceprint/fingerprint technology may be used to provide biometric verification. Another method is to require the user to text a code displayed after login from their registered smart phone to the cloud network. Out-of-band authentication secures communications with only a slight increase in complexity for the user. The methods are also much easier and inexpensive to deploy. This method can also be combined with two-factor authentication in the cloud for improved security.
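A server-side sketch of the combination described in the two/three-factor and out-of-band sections: password, fingerprint match score and a one-time PIN sent over a second channel must all pass. This is an added example, not the authors' app; the function names, the 0.8 score threshold, the PBKDF2 work factor and the OTP lifetime are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000   # assumed work factor
MATCH_THRESHOLD = 0.8     # assumed minimum fingerprint match score (0..1)
OTP_TTL = 120             # assumed OTP lifetime in seconds
OTP_TRIES = 3             # assumed guesses allowed per issued OTP


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp = None   # [sha256(code), expires_at, tries_left] while one is pending


def issue_otp(account, now):
    """Create a one-time PIN. The caller delivers it over the second channel
    (SMS or a call to the registered number), never over the login channel."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.otp = [hashlib.sha256(code.encode()).digest(), now + OTP_TTL, OTP_TRIES]
    return code


def check_otp(account, code, now):
    if account.otp is None:
        return False
    digest, expires_at, tries_left = account.otp
    if now > expires_at or tries_left <= 0:
        account.otp = None
        return False
    account.otp[2] -= 1
    ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
    if ok or account.otp[2] == 0:
        account.otp = None   # single use, and burned after the last allowed guess
    return ok


def login(account, password, match_score, otp_code, now):
    """match_score is the fingerprint matcher's output for this login attempt."""
    # Evaluate every factor before deciding, so the answer does not reveal
    # which factor failed and timing does not depend on the first failure.
    pw_ok = hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))
    bio_ok = match_score >= MATCH_THRESHOLD
    otp_ok = check_otp(account, otp_code, now)
    return pw_ok and bio_ok and otp_ok


if __name__ == "__main__":
    acct = Account("constructed-passphrase")
    pin = issue_otp(acct, now=1000)
    print(login(acct, "constructed-passphrase", 0.93, pin, now=1030))
```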
Embedding a special fingerprint sensor or adding external hardware as a fingerprint reader will be costly and will affect the simplicity of the mobile device. Utilizing the existing camera in a mobile phone as a biometric sensor to capture fingerprint images is inexpensive to implement. The proposed solution uses a fingerprint-recognition system that obtains the fingerprint image through the mobile phone camera. But 25% of present-day smart phones come with a fingerprint scanner. Hence smart phones become a good interface for accessing the cloud in a secured manner. People also work on developing simple apps that ensure secured access to cloud vendors, and these apps can be easily installed and used on smart phones. Web-based applications that ensure secured cloud access are also in use; Cloud Access Manager from Dell is one such application. We intend to develop a mobile app that ensures secured access to and from the cloud environment.
Biometrics in cloud technology may help cloud users to ensure their information security, while cloud vendors may consider it a cost-effective security solution. As more devices on the market incorporate biometric technology, it becomes easy for users to adopt biometrics for security in the cloud. The combination of biometrics and cloud computing in mobile devices offers users a more convenient and secure space for taking their data out of homes and offices and putting it in the cloud environment.
The world of bio-metrics is not limited. Spirituality says that every object, living or non-living, is a bundle of vibrations and that those are unique in nature. If the working of the brain can be simulated, then the day is not far off when the unique vibration of each and every human being can be identified, and that factor would be the 100% bio-metric data which could act as a key when cloud security issues are addressed.
For the present, the two-factor authentication method discussed in this paper, combining fingerprint authentication with the user-id/pwd mechanism, may be implemented for data and application security in the cloud. We also try to strengthen the security by using out-of-band authentication with the two-factor authentication method. Biometric recognition is now being used in mobile devices. The proposed solution authenticates cloud users by using the existing mobile device camera or scanner as a fingerprint sensor to obtain a fingerprint image, and then processes and recognizes it. Our research focus is on the use of biometric image processing techniques, mainly fingerprint authentication, and on extending this service as a mobile application to ensure secured cloud access between the data owner and the cloud vendor.
(1) Dr. N. Venakatesan and (2) M. Rathan Kumar
(1) Department of Information Technology, Bharathiyar College of Engineering Technology, Karaikal, India.
(2) Research Scholar, PRIST University, Thanjavur, India.
Received 7 June 2016; Accepted 12 October 2016; Available 20 October 2016
Address For Correspondence:
Dr. N. Venakatesan, Department of Information Technology, Bharathiyar College of Engineering Technology, Karaikal, India.
Caption: Fig. 1: Flow of Diagram representing the Fingerprint Identification
Caption: Fig. 2: Original Fingerprint Image
Caption: Fig. 3: Enhanced Fingerprint Image
Caption: Fig. 4: Feature Extraction--After Binarization and Thinning
Caption: Fig. 5: Minutiae Template
Caption: Fig. 6: Few-Matching in online process
|Author:||Venakatesan, N.; Kumar, M. Rathan|
|Publication:||Advances in Natural and Applied Sciences|
|Date:||Sep 15, 2016|