Biometric Cryptosystems

Presenters:

Yeh Po-Yin

Yang Yi-Lun

Cryptosystem

User authenticationCryptographic keys

Login password

RSA Public keys

Cryptographic Keys

Long and random

Stored somewhereComputer

Smart card

Released base on user password

User password

Short and simple

Easily guessed“password”

Same as account

Birth date

Tel #

Use the same password everywhere

What if?

A single password is compromised while user uses the same password across different applications?

A complex password is written down some easily accessible locations?

The device which stores the cryptographic keys had been cracked?

Traditional cryptosystems

Base on secret keys

Forgotten

Lost

Stolen

Repudiation

Biometric authentication

More reliable

Can not be lost or forgotten

Difficult to copy, share, and distribute

Hard to forge

Unlikely to repudiate

Relatively equal security level

Biometric

No biometric is optimal

Depends on the requirement of the application

Comparison of biometricsProperties

Universality

Distinctiveness

Permanence

Collect ability

AttributesPerformance

Acceptability

Circumvention

Biometric signal variations

Inconsistent presentation

Irreproducible presentation

Imperfect signal acquisition

Biometric Matcher

Exact match is not very useful

Aligning

Matching score

Fingerprint Identify minutiae neighbors

Performance

Two type of errorsFalse match ( false accept )

False non-match ( false reject )

Error ratesFalse match rate ( FMR )

False non-match rate ( FNMR )

Tradeoff relation

Biometric keys

Biometric-based authentication

User authenticationBiometric component

Cryptographic systemKey release on positive match

Biometric key database

Cryptographic key

User name

Biometric template

Access privileges

Other personal information

What if?

The theft of biometric data crack into the biometric key database?

Hacking Attack

Definition

Hacker

Cracker

AttackDisturbance

Block

Incursion

Attacking Step

Decide targetEasy

Worth

Purpose

Gain informationFirewall

System

Detect pathPing

Traceroute

Hopping site

Bot

Make incursion

Types of attack

Interruptionattack on availability

Interceptionattack on confidentiality

Modificationattack on integrity

Fabricationattack in authentication

Reference 資安演習防護講義

Common form of attack

Denial of Service (DoS) attacks

Distributed Denial of Service (DDoS) attacks

Trojan Horse

Virus

Websites

Worm

Sniffing

Spoofing

Bug

Buffer overflow

Protection

Firewall

Antivirus program

Update

Close non-necessary program

Close non-necessary internet service

Scan computer

Back to biometric keys

Is it possible to issue a new biometric template if the biometric template in an application is compromised?

Is it possible to use different template on different applications?

Is it possible to generate a cryptographic key using biometric information?

Solving Q1 and Q2

Store H(x) instead of x

H is the transform function

x is the original biometric signal

Solving Q3

Hide the key within the user’s biometric template

Biometric key generation or binding

Bind a private key into the user biometric information

Both key and biometric are inaccessible to attacker

No biometric matching at all

Conclusion

Combining difficulties

Existing biometric authentication technologies is not perfect

Difficult to align the representations in the encrypted domain

Should not have systematic correlation between the identity and the key

Reference

Umut Uludag, Sharath Pankanti, Salil Probhakar, and Anil K. Jain “Biometric Cryptosystems: Issues and Challenges”, Proceedings of IEEE, 2004

Uludag U, Anil Jain “ Securing Fingerprint Template: Fuzzy Vault with Helper Data”, Computer Vision and Pattern Recognition Workshop, 2006 Conference on

http://www.crucialp.com/resources/tutorials/website-web-page-site-optimization/hacking-attacks-how-and-why.php

資安演習防護講義http://www.hacker.org.tw/?c=articles_show&articleid=882

http://www.gamez.com.tw/viewthread.php?tid=58607

http://www.symantec.com/region/tw/enterprise/article/todays_hack.html