Adaptive Weak Secrets for Authenticated Key Exchange*

This paper describes biometric-based cryptographic techniques that use weak secrets to provide strong, multi-factor and mutual authentication, and establish secure channels for subsequent communications. These techniques rely on lightweight cryptographic algorithms for confidential information exchange. Lightweight algorithms are suitable for use in resource constrained environments such as the Internet of Things where implementations require efficient execution, limited access to memory and small code size. Password Authenticated Key Exchange, and Biometric Authenticated Key Exchange protocols based on user knowledge extracted from biometric sensor data, both rely on weak secrets. These secrets are shared between a client and an access controlled server, and used as inputs to Diffie-Hellman key establishment schemes. DiffieHellman provides forward secrecy, prevents user credentials from being exposed during identity authentication attempts, and thwarts man-in-the-middle and phishing attacks. This paper describes the operation of these protocols using an adaptive knowledge substitution process that frequently modifies the weak secrets used for protocol operation without requiring disruptive user password changes. The password substitution strings used to implement this process can be far longer and more complex than the weak secrets people can easily memorize. The process described in this paper allows people with diverse abilities to use simple, easily recalled, quickly entered passwords and still benefit from the strength of long, complex strings when operating cryptographic protocols.