Biometrics-Based RSA Cryptosystem for Securing Real-Time Communication

: Real-time online communication technology has become increasingly important in modern business applications. It allows people to easily connect with business partners over the Internet through the camera lens on digital devices. However, despite the fact that users can identify and conﬁrm the identity of the person in front of the camera, they cannot verify the authenticity of messages between communication partners. It is because the tunnel for the video is not the same as the tunnel that delivers the messages. To protect conﬁdential messages, it is essential to establish a secure communication channel between users. This paper proposes a biometrics-based RSA cryptosystem to secure real-time communication in business. The idea put forward is to generate a cryptographic public key based on a user’s biometric information without using Public Key Infrastructure (PKI) and establish a secured channel in a public network. In such a way, the key must be veriﬁed with the user’s biometrics online. Since the key is derived from the user’s biometrics, it is strongly user-dependent and works well to convince others of the authenticity of the owner. Additionally, the derived biometric key is self-certiﬁed with the user’s biometrics, which means the cost of certiﬁcate storage, delivery and revocation can be signiﬁcantly reduced.


Introduction
In the day-to-day workings of developed economies, this decade has already witnessed an extraordinary evolution in the technology of E-Commerce. Over the past decade, communication technology has become increasingly important in modern business applications. New electronic communications have made real-time online communication very common in E-Commerce, such as video conferencing, smart space and collaborative business [1][2][3]. Real-time online communication offers people a convenient communication channel and now people can easily contact others on the Internet anywhere and anytime [4]. Moreover, most people now have digital devices, which makes it even more convenient to connect with others. Most of these devices provide a camera that enables users to see the communication partners through camera lens. Nowadays, real-time online communication is a kind of face-to-face communication accompany message exchanging. For some real-time video communication situations, confidential and sensitive messages are usually conveyed between partners at the same time. For examples: in telemedicine [5], doctors diagnose patients' problem in real time video communication and the confidential medical information are exchanged simultaneously; in remote collaboration [6], valuable business information and documents are transmitted during Therefore, our aim in this paper is to take advantage of real-time online communication to capture an image of the communication partner to authenticate the public key of the partner and then exchange a session key to protect the communication. Accordingly, the basic idea of this paper is to generate a cryptographic public key from a user's biometrics, especially for RSA-one of the most widely used cryptosystems in the world today. In this method, the key must be verified with the presence of the user's biometrics. The key is derived from the user's biometrics and is strongly user-dependent. It is very easy to convince others about the authenticity of the owner. Additionally, the derived biometrics key also significantly reduces the costs associated with certificates (i.e., reduction of cost of storage, delivery and revocation) because the key is self-certified with the user's biometrics. Once the public key is verified, digital envelope technology can be applied to secure the content of the communication without worrying about an impostor. Therefore, in this paper, without using PKI to provide the certificate to prove the correlation between a user's identity and his/her public key, schemes for the RSA cryptosystem and fuzzy extractors are used to authenticate and generate key agreement. Taking advantage of real-time communication, people can check on each other through the camera in real time and a third party is unnecessary.
The remainder of this paper is organized as follows. Section 2 presents related work for the proposed cryptosystem. The proposed scheme is described in Section 3. Section 4 presents our simulation of the proposed scheme. Section 5 discusses the security of the proposed scheme. Finally, Section 6 draws conclusions.

Related Works
The major analytical operations required within the proposed biometrics-based encryption system are a portion of the RSA, including unbalanced RSA and fuzzy extractors, which are illustrated in this section.

RSA
In 1978, Ron Rivest, Adi Shamir and Leonard Adleman proposed a public-key cryptography algorithm called RSA [10], which is based on the difficulty of factoring large integers. This algorithm with complex number generation, exponential manipulation and modular mathematics has become a mainstay of Internet security. In the RSA scheme, a user creates and publishes a public key that is the product of two large prime numbers and keeps the prime factors secret. With the user's public key, the other user can use the public key to encrypt a message. Only the owner of public key who has knowledge of the prime factors can decode the message. The RSA scheme involves three steps, including key generation, encryption and decryption, which are illustrated as follows: that is, d is the modular multiplicative inverse of e (modulo λ(n))

1.
Key generation: a. Generate two large random primes p and q and the size of two prime numbers should be of similar length. b.
Public key is (N, e); private key is d.

Unbalanced RSA
Based on the difficulty of factoring integers or computing discrete logarithms in an infinite field, RSA is able to achieve a computationally secure method. However, advances in computational number theory and the availability of computing power have rapidly increased, which means that the sizes of moduli need to be increased to assure safety.
In 1995, Shamir proposed a variant RSA cryptosystem called unbalanced RSA [28]. The difference between unbalanced RSA and traditional RSA is the size of prime numbers p and q. In traditional RSA, the size of p and q are the same and are chosen by the user. However, in unbalanced RSA, the size of p and q are different.
Shamir observes that the RSA cryptosystem is usually used to exchange short messages, such as exchanging a session key for symmetric cryptosystems or authentication information, so limiting clear text m in the range of [0, p − 1] is not a serious constraint. Since the legitimate recipient only needs to carry out operations for modulo p, the other prime q can be chosen to be large enough to prevent attacks by general integer factorization algorithms. For example, for extremely cautious users, Shamir suggests choosing a p of 500 bits and a q of 4500 bits.
In unbalanced RSA, let G be a publicly known random bit generator that can convert the users' identity u into a unique 5000 bit value t, as t = G(u). Once the users produce their unique value t, they choose a random prime number p with 500 bits. The users restrict the other prime number q in the range [a, a + 250] where a is bigger than or equal to t/p, so that N = pq is very close to the target value t. It is clear that the difference between N and t, that is, s = N − t, is about 550 bits. Then the users can publish s as their own public key and the other users can recover modulus N of the user by having the user's identity u and public key s, as N = G(u) + s.
Later, Gilbert et al. [29] pointed out that a malicious attacker could recover the user's secret keys from simple implementations of Shamir's algorithm. Shamir observed that a redundancy in the message could avoid having the attacker forge a message that is bigger than a prime number p to get the user's private keys. However, Gilbert et al. pointed out that it does not suffice to add just any redundancy to the message. The malicious attacker can betray the secret keys of the users through their action. Above all, it is necessary to use the redundancy in plaintexts carefully, so that the recipients cannot reveal any decrypted message.

Fuzzy Extractors
The secret component of cryptography traditionally relies on uniformly distributed and precisely reproducible random strings. Since biometric data is not a fixed value each time it is measured, it is not suitable to directly generate the key from biometric data. In 2008, Dodis et al. presented a scheme to demonstrate how to transform biometric data into a cryptographic key that was primitively called a fuzzy extractor [30]. In the scheme, the biometric data is extracted to a random string R in a noise tolerant way. Suppose the biometric data is inputted again as b', if the difference between b and b' is under the threshold, the extracted string R can be recovered. To reproduce the extracted string R, the aid of a helper string P is provided. Three metrics are used to construct fuzzy extractor scheme: (1) Hamming metric, which is the number of symbol positions that differ between b and b': (2) Set difference metric, which is the size of the symmetric difference of two input sets between b and b'; and (3) Edit metric, which is the number of insertions and deletions needed to convert b' into b.
Fuzzy extractor generator Gen. is shown in Figure 1, which can transform the inputted biometric data into a helper string P for a fixed length and an extracted string R. The owner of biometric data can reproduce the extracted string R by inputting his/her biometric b' which is limited within a range with a threshold and a published helper string P to create a representation of fuzzy extractors Rep., as shown in Figure 2.

Proposed Scheme
In the proposed scheme, the users' public keys are produced from their biometric values and session key is exchanged. Figure 3 shows a communication scenario for the proposed scheme. In this scenario, user Alice wants to talk to Bob through real-time communication software. Before they start to chat formally, they can see each other clearly through the video. As they say hello and confirm that the other side is their communication partner, they can begin to execute the key agreement protocol. The proposed scheme is divided into two phases: the initialization phase and the authentication and key agreement phase. In initialization phase, the communication partners produce their public

Proposed Scheme
In the proposed scheme, the users' public keys are produced from their biometric values and session key is exchanged. Figure 3 shows a communication scenario for the proposed scheme. In this scenario, user Alice wants to talk to Bob through real-time communication software. Before they start to chat formally, they can see each other clearly through the video. As they say hello and confirm that the other side is their communication partner, they can begin to execute the key agreement protocol. The proposed scheme is divided into two phases: the initialization phase and the authentication and key agreement phase. In initialization phase, the communication partners produce their public keys from the biometric information obtained from each user's face. In the authentication and key agreement phase, the user authenticates the identity of their communication partner. Furthermore,

Proposed Scheme
In the proposed scheme, the users' public keys are produced from their biometric values and session key is exchanged. Figure 3 shows a communication scenario for the proposed scheme. In this scenario, user Alice wants to talk to Bob through real-time communication software. Before they start to chat formally, they can see each other clearly through the video. As they say hello and confirm that the other side is their communication partner, they can begin to execute the key agreement protocol.

Proposed Scheme
In the proposed scheme, the users' public keys are produced from their biometric values and session key is exchanged. Figure 3 shows a communication scenario for the proposed scheme. In this scenario, user Alice wants to talk to Bob through real-time communication software. Before they start to chat formally, they can see each other clearly through the video. As they say hello and confirm that the other side is their communication partner, they can begin to execute the key agreement protocol. The proposed scheme is divided into two phases: the initialization phase and the authentication and key agreement phase. In initialization phase, the communication partners produce their public keys from the biometric information obtained from each user's face. In the authentication and key agreement phase, the user authenticates the identity of their communication partner. Furthermore, they can recover and verify the communication partner's public key and then exchange the session key with them. Before introducing the proposed scheme, the notions used in our scheme are The proposed scheme is divided into two phases: the initialization phase and the authentication and key agreement phase. In initialization phase, the communication partners produce their public keys from the biometric information obtained from each user's face. In the authentication and key Sustainability 2018, 10, 3588 6 of 15 agreement phase, the user authenticates the identity of their communication partner. Furthermore, they can recover and verify the communication partner's public key and then exchange the session key with them. Before introducing the proposed scheme, the notions used in our scheme are described in Table 1.

Initialization Phase
In the initialization phase, both Alice and Bob need to use their own webcam to capture their face information in order to produce their public key. Afterwards, by using a scheme for fuzzy extractors, they can produce their own extracted string R. Utilizing the concept of unbalanced RSA, they can produce their private RSA keys. Finally, the communication partners broadcast some information in a public network to help the other party recover and verify the public key.
In the initialization phase for the users, Alice and Bob, prepare their public keys and produce their RSA private keys as shown in Figure 4, which is detailed in the following steps: Step 1. Users Alice and Bob capture their respective faces using their own camera to produce biometric information b A and b B . Step 2. Helper string P and extracted string R are produced by using fuzzy extractors.
Step 3. Generator G transforms the extracted string into value t A with a fixed length. The size of t A is close to N of RSA.
Step 4. Alice and Bob randomly choose a large prime number p.
Step 5. Using prime number p and value t, Alice and Bob produce public value a.
Step 6. Randomly choose a prime number q. To let q multiplied by p be closed to value t, the size of q is restricted in a fixed range [a, a + 2 a ], where a is a security attribute.
Step 7. According to Steps 4 and 6, we can get the prime numbers, p and q, of the RSA and calculate N = p × q.
Step 8. The difference between N and t is s, that is, s = N − t. And both of the users will publish s and P to provide the other with the ability to recover their information.
It is special in the scheme that extracted string R can be converted into the public key N of RSA. An unbalanced RSA scheme is typically applied to a smart card and the size of prime numbers p and q are different. However, this feature of unbalanced prime numbers is not suitable in the proposed scheme. In other words, there are no smart cards used in our scheme. Moreover, it is unnecessary to store any information. The problem of storage can be ignored. Hence, the size of the prime numbers is similar. face information in order to produce their public key. Afterwards, by using a scheme for fuzzy extractors, they can produce their own extracted string R. Utilizing the concept of unbalanced RSA, they can produce their private RSA keys. Finally, the communication partners broadcast some information in a public network to help the other party recover and verify the public key.
In the initialization phase for the users, Alice and Bob, prepare their public keys and produce their RSA private keys as shown in Figure 4, which is detailed in the following steps: Step 1.
Users Alice and Bob capture their respective faces using their own camera to produce biometric information bA and bB.
Helper string P and extracted string R are produced by using fuzzy extractors.
Generator G transforms the extracted string into value tA with a fixed length. The size of tA is close to N of RSA.
Step 4. Alice and Bob randomly choose a large prime number p.
Step 5. Using prime number p and value t, Alice and Bob produce public value a.
Randomly choose a prime number q. To let q multiplied by p be closed to value t, the size of q is restricted in a fixed range , 2 , where is a security attribute.

Authentication and Key Agreement Phase
After beginning contact with the other party, Bob can check if the other side is the real person whom he wants to talk with by using his camera. Because he is familiar with Alice, he makes a determination of whether she is the real person, or someone pretending to be her. As he confirms that Alice is the person he wants to talk with, he presses the camera to obtain Alice's biometric template which is then used to check Alice's public key.
Concurrently, Alice makes a determination through the video that Bob is her expected communication partner and she presses a button to capture Bob's biometric template. In other words, Alice can verify the public key of Bob by herself from the video. As soon as she confirms that the communication partner is correct, she will start to verify the correctness of Bob's public key. Bob does the same. Subsequently, both of them are in mutual authentication. The authentication and key agreement phase are shown in Figure 5, which is described in detail as follows: Step 3.1 Using Gen. of the fuzzy extractor, Alice can recover Bob's extracted string R B .
Step 3.2 In order to get Bob's modus N B , Alice inputs Bob's extracted string R B , to obtain the value t B .
Step 3.3 Following the previous step, Alice uses the value t B and the public information s B , which she obtained in the initialization phase to compute Bob's modus N B . Step 3.4 In this step, Alice can use Bob's N B and Bob's public key e B to encrypt the random number K A and send the encrypted message C A to Bob. Step 4.1 Using Gen. of the fuzzy extractor, Bob can recover Alice's extracted string R A .
Step 4.2 Bob inputs Alice's extracted string R A , to obtain the value t A .
Step 4.3 Bob will use the value t A and the public information s A , which he obtained in the initialization phase to compute Alice's modus N A . Step 4.4 Bob uses his private key d B to decrypt the message C A sent from Alice.
Step 4.5 Then Bob chooses the random number K B . Bob can use Alice's N A and Alice's public key e A to encrypt the random number K B and send this to Alice. The session key is H(K A ||K B ).
Step 5.1 As Alice receives the message C B , she decrypts the message and gets K B . Alice can compute the session key as H(K A ||K B ).
Concurrently, Alice makes a determination through the video that Bob is her expected communication partner and she presses a button to capture Bob's biometric template. In other words, Alice can verify the public key of Bob by herself from the video. As soon as she confirms that the communication partner is correct, she will start to verify the correctness of Bob's public key. Bob does the same. Subsequently, both of them are in mutual authentication. The authentication and key agreement phase are shown in Figure 5, which is described in detail as follows: Step 3.1 Using Gen. of the fuzzy extractor, Alice can recover Bob's extracted string RB. By using the fuzzy extractor scheme, both Alice and Bob can produce the others' extracted string R. With the aid of the public value s, they can compute the other person's public key N, in order to exchange the value for the communication to compute the session key.

Simulations
The main objective of this paper is to provide the concept of taking advantage of biometric information for authenticating and generating key agreement without using PKI to protect real-time online communication. To further prove the applicability of this method, we developed a prototype system using our proposed biometrics based on RSA to secure real-time communication. Java was used as our major implementation tool and Javacv 1.4.1 was used to interact with the camera to capture the face from a user. Face++ was used to capture facial features. The experiment was conducted on an Asus PC running Windows 10 and an Intel i7-6700H1 CPU with 16 GB RAM in Taichung, Taiwan. Figure 6 shows the screen capture of the simulated prototype system of the proposed biometrics-based RSA cryptosystem. In this study, user Ally Chen wants to talk to Bob through the real-time communication system. Before they start to chat formally, they can see each other clearly through the video. As they say hello and confirm that the other side is their communication partner, they can begin to execute the key agreement protocol and convey message in secure tunnel. In the initialization phase, users need to capture their face biometrics by using their own cameras. By using Face++, the user received three feedback digits, including lift angle, horizontal rotation degree and plane rotation degree. With these feedback digits, a user adjusts their head to obtain consistent face features with minimal distortion. A face image with minimal distortion utilizing the combination of these three digits is then captured to derive a public key and an error-correcting code. Here, we used a (7, 4, 3) hamming code as our error-correcting code. A 3-bit error correcting code was generated for each feature value for a given face. It is noted that the amount of feature nodes generated by Face++ is up to 108; however, only 10 were used as feature nodes in our prototype system. Forty-five distance values can be derived by linking two of ten feature nodes. With three feature nodes, we can derive the other 8 distance values. To sum up, there are 53 distance values that serve as the feature values to derive a public key for a user. Following the quantization concept described in Sutcu et al.'s method [31], the above 53 values can be mapped to 16 quantization levels and each level requires 4 digits to represent the level. To increase the precision of our prototype system, one digit representing gender was added to the public key for a user. Therefore, the total digit amount of a user public key is 53*4+1 = 213 bits. Once a user's public key is generated, his/her corresponding private key can be derived according to the generation rule given in RSA. As mentioned, each feature value has a 3-bit error-correcting code that needs to be generated. Therefore, the total error correcting code was 175 bits (53*3+2 scaling references). Here, scaling references are two reference values that serve as the scaling ratio and are used to make sure that a justified public key can be derived that is not affected by zoom in or zoom out.
User can decide to keep the generated private key and the error correcting code or not. It is worth to mention that the proposed biometrics-based scheme would not introduce any overhead in the normal communication. It is because that in our proposed scheme demonstrated in Section 3, both public-private key pair is generated real-time and only used once to exchange a random number and then create a secure communication channel for two users. Therefore, not only public key but also private key and error correcting code are not necessary to be stored. User always can use the camera to capture the face image of his/her communication partner to derive the corresponding public key. Next, the private key can be obtained based on the RSA algorithm. In our simulation environment, the public key and private key can be generated in one minute. In other words, the proposed cryptosystem is very suitable for real-time communication. Although the prototype system is simulated in PC environment, the proposed cryptosystem can also be implemented in smartphone or other mobile device with lower processing power. Although it takes a little longer for generating the public-private key pair, the key pair is only generated once during establishing secure communication channel for users. There is no extra cryptographic computing in the proposed cryptosystem once the secure channel is established. Therefore, the real-time communication would be guaranteed, even if the device is with lower processing power. It is noted that the amount of feature nodes generated by Face++ is up to 108; however, only 10 were used as feature nodes in our prototype system. Forty-five distance values can be derived by linking two of ten feature nodes. With three feature nodes, we can derive the other 8 distance values. To sum up, there are 53 distance values that serve as the feature values to derive a public key for a user. Following the quantization concept described in Sutcu et al.'s method [31], the above 53 values can be mapped to 16 quantization levels and each level requires 4 digits to represent the level. To increase the precision of our prototype system, one digit representing gender was added to the public key for a user. Therefore, the total digit amount of a user public key is 53*4+1 = 213 bits. Once a user's public key is generated, his/her corresponding private key can be derived according to the generation rule given in RSA. As mentioned, each feature value has a 3-bit error-correcting code that needs to be generated. Therefore, the total error correcting code was 175 bits (53*3+2 scaling references). Here, scaling references are two reference values that serve as the scaling ratio and are used to make sure that a justified public key can be derived that is not affected by zoom in or zoom out.
User can decide to keep the generated private key and the error correcting code or not. It is worth to mention that the proposed biometrics-based scheme would not introduce any overhead in the normal communication. It is because that in our proposed scheme demonstrated in Section 3, both public-private key pair is generated real-time and only used once to exchange a random number and then create a secure communication channel for two users. Therefore, not only public key but also private key and error correcting code are not necessary to be stored. User always can use the camera to capture the face image of his/her communication partner to derive the corresponding public key. Next, the private key can be obtained based on the RSA algorithm. In our simulation environment, the public key and private key can be generated in one minute. In other words, the proposed cryptosystem is very suitable for real-time communication. Although the prototype system is simulated in PC environment, the proposed cryptosystem can also be implemented in smartphone or other mobile device with lower processing power. Although it takes a little longer for generating the public-private key pair, the key pair is only generated once during establishing secure communication channel for users. There is no extra cryptographic computing in the proposed cryptosystem once the secure channel is established. Therefore, the real-time communication would be guaranteed, even if the device is with lower processing power.

Security Analysis and Discussion
This section first discusses the security of the proposed biometrics-based RSA cryptosystem for use in real-time communication. Then the proof with Burrows-Abadi-Needham (BAN) logic [32] of the proposed scheme is demonstrated to prove that our scheme can achieve the session key agreement. Finally, the comparisons of security features with two existing schemes [26,27] are also listed to demonstrate the superiority of the proposed scheme.

Security Analysis
During the phases of authentication and key agreement, some information is transferred between two parties in a public network. The public information, s and P, are shared in the authentication phase. Suppose that the malicious adversary gets the information s and P, then the adversary can recover both Alice's and Bob's public key N. Based on RSA security, the public key N of RSA is primarily public, so the problem about leaked information is not concerned with the leak of a user's secret keys.
Considering another condition in the proposed scheme, if the adversary intercepts Alice's public information, s A and P A , the adversary can try choosing proper prime numbers p ma and q ma , such that p ma ·q ma = N ma . Then the adversary may attempt to create forged public information s ma , such that N ma = t A + s ma and publish the forged public information s ma and Alice's helper string P A to Bob. However, Alice's public information is published in the initialization phase and thus the adversary needs to know Alice's t A in the beginning to produce a proper s ma and N ma . But the information for t A is produced during the authentication and key agreement phase, thus it is initially unknown to the adversary. Moreover, each of the communications will be regenerated each time, thus the values known from this exchange cannot be used the next time.
If the adversary wants to use the principle of a replay attack to steal the message between Alice and Bob, the adversary will send the wrong message by utilizing the users' public key. However, the session key is determined by Alice and Bob, thus the forged message cannot let H( The attacks proposed by Gilbert et al. [20] also do not affect the security of our scheme. In the attacks, they assumed the sender is malicious and wants to betray the secret keys of the recipient. That means the recipient has not authenticated the identity of the sender. In the proposed scheme, however, mutual authentication occurs before exchanging messages. Aside from the next communication between the communication partners, all of the phases will be executed once again, so the secret keys of the RSA are not the same as in the previous exchange. Although a malicious actor may steal the secret keys of the recipient at this time, the secret keys are not suitable for use in a future exchange.

Proof with BAN Logic
In 1990, Burrows et al. design a formal logic analysis for authentication and key agreement schemes, it is called the BAN logic model [32]. Hence, we use BAN logic model to prove that our scheme can achieve the session key agreement. In order to describe formal semantics and analysis procedures, the notations and logical postulate rules used in BAN logic model are given as Table 2 [32,33]. Table 2. Notations and rules used in BAN logic model.

Notations Description
P, Q Two principals X, Y Two statements P|≡ X The principal P believes the statement X P|∼ X The principal P once said the statement X P X The principal P see the statement X | K −→ P The principal P has a public key K P K ←→ Q The principals P and Q use the shared key to communicate #(X) The statement X is fresh

{X} K
The statement X encrypted under the public key K (Note that the matching private key is denoted K − 1) • The message-meaning rule In the authentication and key agreement phase, the message exchange steps are written in M 1 and M 2 .
We transform generic message exchange steps, M 1 and M 2 , into the idealized form, I 1 and I 2 .
We know that Alice uses her webcam to capture bob's face information for obtaining the public key of Bob. Alice also generates K A and verifies N b . Hence, we give the three assumptions apply to Alice: Three similar assumptions apply to Bob: Next, with I 1 , I 2 and the assumptions we will prove that the proposed scheme can achieve the session key agreement under BAN logic model, as following: Theorem: Our scheme can achieve the session key agreement under BAN logic model.

Proof:
In our scheme, Alice and Bob together coordinate the session key K = H(K A ||K B ). They must believe that this session key is shared between them. Hence, the goals are listed: G 1 . Alice| ≡ Alice K ←→ Bob and G 2 . Bob| ≡ Alice K ←→ Bob. Applying the freshness rule to A 3 , we could derive: Applying the freshness rule to R 1 and A 2 , we could derive: Applying the message-meaning rule to A 1 and I 2 , we could derive: Applying the nonce-verification rule to R 1 and R 3 , we could derive: From R 4 , we could deduce that Alice believes in Bob believes in K B , that is, Applying the session-key rule to R 2 and R 5 , we could derive the goal G 1 : Applying the freshness rule to A 6 , we could derive: Applying the freshness rule to R 6 and A 5 , we could derive: Applying the message-meaning rule to A 4 and I 1 , we could derive: Applying the nonce-verification rule to R 6 and R 8 , we could derive: From R9, we could deduce that Bob believes in Alice believes in K A , that is, Applying the session-key rule to R 7 and R 10 , we could derive the goal G 2 : Therefore, according to the above inference processes, we have proven that the proposed scheme can achieve the session key agreement under BAN logic model.

Comparisons
To demonstrate the advantage, the comparisons of security features with related schemes are listed in this section. Since the proposed scheme is the very first biometrics-based cryptosystem for securing real-time communication, we could only compare it with related schemes that also used biometric information for user authentication. Table 3 shows the security features provided by our scheme and other biometrics-based authentication schemes [26,27]. It is clear from comparison results listed in Table 3 that our scheme supports more security features which are crucial for real-time communication than other schemes. It is worth mentioning that, in our scheme, the key must be verified with the presence of the user's biometrics instead of using smart card in other schemes. Therefore, our proposed scheme can resist the smart card attack. The key in our scheme is derived from the user's biometrics and is strongly user-dependent, which is very easy to convince others about the authenticity of the owner. In addition, since the key is self-certified with the user's biometrics during real-time communication, no database is required to store biometrics information in the cryptosystem. Once the key is verified, digital envelope technology can be applied to secure the content of the communication without worrying about an impostor. Therefore, the derived biometrics key can not only significantly reduce the costs associated with storage, delivery and revocation but also resist database capture attack and man-in-the-middle attack.

Conclusions
This paper proposed a novel biometrics-based scheme for authenticated key agreement in real-time communication. With the universality of video cameras in communication devices, we assumed that communication partners can see each other through the Internet in real-time. The main objective of this paper is to provide the concept of taking advantage of biometric information for authenticating and generating key agreement without using PKI to protect real-time online communication. The proposed scheme makes use of a user's intuition to authenticate the other person who is known to her/him. Additionally, users' identities are confirmed with current encounters, rather than based on previous or future encounters. Even if the communication partners are not familiar with each other, it means the face-to-face mutual authentication function is not triggered under this situation, the proposed system still can derive users' public key based on users' biometrics and then guarantees the security of the communication between two parties just likes the conventional public key cryptographic system. Since the PKI and third-party certifier is not involved in the proposed scheme, the proposed scheme is more practical compared with the conventional public key cryptographic system. Moreover, the public key with our scheme is produced from the user's biometric information and thus the relation between user identity and the public key is relative robust To confirm the applicability of the proposed scheme, a prototype system is simulated. It is proved that a public/ private key pair can be generated in one minute. In other words, it confirms the proposed scheme is able to support real-time communication. The security analysis of the proposed scheme demonstrates that the proposed scheme is secure enough to resist malicious attacks. The proposed scheme is demonstrated to prove that our scheme can achieve the session key agreement with the proof with BAN logic. Moreover, the comparisons of security features with existing biometrics-based authentication schemes also demonstrate the superiority of the proposed scheme. Although the prototype system is demonstrated able to support real-time communication, the simulation is conducted in PC environment in this work. In the future, we will try to implement the proposed scheme in smartphone or other mobile device to show the performance in devices with lower processing power. In addition, different authentication strategy, such as hybrid authentication protocol, can be proposed to deal with the situation when communication partners are not familiar with each other.