Criteria Towards Metrics for Benchmarking Template Protection Algorithms Koen Simoens K.U.Leuven – COSIC 3 rd Edward van der Meulen Seminar Heverlee, 7 December 2011 Outline • Introduction and background – How we got where we are today How we got where we are today – ISO 24745, a generic model • Performance categories – Technical performance – Protection performance – Operational performance • Conclusion K. Simoens 3rd Edward van der Meulen Seminar 2 1
Introduction K. Simoens 3rd Edward van der Meulen Seminar 3 Biometric System Security N. K. Ratha, J. H. Connell, and R. M. Bolle. 2001. Enhancing Security and Privacy in Biometrics-Based Authentication Systems. IBM Syst. J. 40(3):614-634. 1. Present fake biometrics to the sensor; 2. Replay attack and sensor bypass; 3. Corrupt feature extraction 4. Tamper with the extracted features 5. Corrupt the matcher 6. Stored 6. Modify or replace stored templates Template(s) 7. Manipulate template retrieval 8. Override match result 7. yes/no Feature Sensor Matcher Extractor 2. 4. 8. 1. 3. 5. K. Simoens 3rd Edward van der Meulen Seminar 4 2
Impersonation • If you can read a password, you can use it • Reference template allows constructing artificial prints – Ross, A., J. Shah, and A.K. Jain. 2007. From Template to Image: Reconstructing Fingerprints from Minutiae Points. IEEE Trans. Pattern Anal. Mach. Intell. 29(4): 544-560. • “Fig. 29. Reconstructing the ridge structure. (a) Original fingerprint and its minutiae plot. (b) Estimated orientation map. (c) Enhanced ridge structure after application of the Verifinger software.” K. Simoens 3rd Edward van der Meulen Seminar 5 Sensitive Information • Sensitive information in biometric data – Sometimes speculative – Not sure how much remains in the “template” Examples • Brushfield spots (ring of iris speckles) – Wallis Hugh R E. 1951. The Significance of Brushfield's Spots in the Diagnosis of Mongolism in Infancy. Arch Dis Child 26(130):495–500. – http://en.wikipedia.org/wiki/Brushfield_spots • “Brushfield spots are small white or grayish/brown spots on the periphery of the iris in the human eye (…) These spots are normal in children (Kunkmann-Wolffian bodies) but are also a feature of the chromosomal disorder Down syndrome. They occur in 35–78% of newborn infants with Down syndrome.[2] They are much more likely to occur in Down syndrome children of the Caucasian race than children of Asian heritage.[3]” • Dermatoglyphic patterns – R. Yousefi-Nooraie and S. Mortaz-Hedjri. 2008. Dermatoglyphic asymmetry and hair whorl patterns in schizophrenic and bipolar patients. Psychiatry Research 157(1–3):247–250 • “Bipolar cases tended to present an excess of Ridge Dissocation (…) and a significant increase of Abnormal Feature/aberrant pattern (…), both in palms and fingers… We found that subtle dermatoglyphic alterations (presented both in fingers and palms) were more frequent in patients with severe bipolar disorder than in controls.” K. Simoens 3rd Edward van der Meulen Seminar 6 3
Biometric Data Increasingly Shared EU aims to stop 'visa shopping‘ : Schengen states to share visa data (2007-06-08) • In the EU, supervised access to the biometric databases of the European Visa Information System (VIS) is granted to policy and Europol. • http://www.theregister.co.uk/2007/06/08/schengen_visa_data/ India to issue all 1.2 billion citizens with biometric ID cards (2009-07-15) • Mr Nilekani, who left … to take up his new job, wants the cards to be linked to a “ubiquitous online database” accessible from anywhere . • http://www.telegraph.co.uk/news/worldnews/asia/india/5831929/India-to-issue-all-1.2- billion-citizens-with-biometric-ID-cards.html DHS develops shared biometrics database with DOD (2011-03-08) • In the USA, the Department of Homeland Security (DHS) is developing a joint database with the Department of Defence (DOD) for the purpose of accessing current biometric data stored by DOD. • • http://homelandsecuritynewswire com/dhs-develops-shared-biometrics-database-dod http://homelandsecuritynewswire.com/dhs-develops-shared-biometrics-database-dod And increasingly… • Captured (airports, ePassports) • Intrusive (full body scanner) • Covert (on the fly/move): – face, fingerprint, iris, vein, … K. Simoens 3rd Edward van der Meulen Seminar 7 Images: http://en.wikipedia.org/wiki/Full_body_scanner , http://www.reuters.com/article/2008/03/25/us-security-fingerprints-idUSN2538685320080325 Observations Privacy and Privacy and Biometrics for Data “Security” Protection • Biometrics are a success • Biometrics are no longer in your pocket • Security and privacy issues stemming from the use of biometrics – Impersonation, sensitive, linkability (unique identifiers) – S. Prabhakar, S. Pankanti, and A.K. Jain. 2003. Biometric Recognition: Security and Privacy Concerns. IEEE Security and Privacy 1(2):33-42. • Increasing but conflicting demands K. Simoens 3rd Edward van der Meulen Seminar 8 4
Protecting Biometric Reference Data • Biometric template protection to bridge the gap – Simple objectives • Biometric data should be protected (do not store reference data in the clear) • • Maintain capability to identify or verify identity Maintain capability to identify or verify identity • Different approaches – Template-level protection => BTP • Fuzzy commitment, fuzzy vault, cancellable biometrics,… – System-level protection • Physical security, procedures, encryption, hardware-based/-assisted (smartcards, TPM) – Protocol-level • Advanced protocols relying on crypto primitives (MPC, homomorphic encryption, PIR) • Main challenges: – Hide biometric data ( irreversibility ) – Prevent cross-matching of hidden data ( unlinkability ) – Maintain performance /accuracy without giving up functionality • Performance loss in early solutions K. Simoens 3rd Edward van der Meulen Seminar 9 Examples 5
Biometric Authentication I am Bob • Bob claims and proves identity towards system – Identity verification = compare proof b ’ against reference b Id tit ifi ti f b ’ i t f b • Two prints of same finger never exactly the same – Verification is similarity check (as opposed to passwords) K. Simoens 3rd Edward van der Meulen Seminar 11 Cryptographer’s Approaches • Try to get rid of the noise – Use error-correcting codes – Store some additional data to help you Store some additional data to help you – Then reliably reconstruct bits (biometric data, secret, …) – “I can still use my cryptographic hash function” • Hurray! – Example: fuzzy commitment • Juels, A. and M. Wattenberg. 1999. A Fuzzy Commitment Scheme. CCS ‘99. Proc. 28-36. • Do comparison in the encrypted domain or use multi- party computation (MPC) • Requirement: biometric data encoded as binary string K. Simoens 3rd Edward van der Meulen Seminar 12 6
Code-Offset Construction • Introduced as the fuzzy commitment scheme – Juels, A. and M. Wattenberg. 1999. A Fuzzy Commitment Scheme. CCS ‘99. Proc. 28-36. • Enroll sample b – Output and store v = c - b and H(c) – c is a codeword of an [n,k,d] -code chosen uniformly at random – H is a cryptographic hashing function – Entropy loss L= n L= n - k (redundancy bits) • V Verify fresh sample b ’ using v if f h l b ’ i – Decoding : Dec(v + b ’ ) = c ’ – Verification by comparing H(c ’ ) = H(c) – Allows reconstruction of enrolment data ⇔ d (b,b ’ ) t • Dec(v + b ’ ) - v = b K. Simoens 3rd Edward van der Meulen Seminar 13 Template Space • Consider biometric templates as points in 2D plane Disclaimer: simplified visualization K. Simoens 3rd Edward van der Meulen Seminar 14 7
Space Segmentation • Special points in the plane: codewords (dots) • Codewords divide the space in segments (squares) K. Simoens 3rd Edward van der Meulen Seminar 15 Error-correcting Code • A binary linear error-correcting code C – Denoted as an [n,k,d] code – Consists of 2 k codewords of length n – Consists of 2 codewords of length n – Can correct up to t errors – The minimum distance d = 2t+1 – With encoding and decoding procedures <Enc,Dec> • Example: [7,4,3] Hamming code (t=1) – Set of 128 words of which 16 are code words – Corrects 1 bit-error – Corrects 1 bit-error – X = Enc(0011) = 0011010 – Dec(Y = 0111010) = 0011010 (actually 0011) K. Simoens 3rd Edward van der Meulen Seminar 16 8
Error-Correcting Codes • Decoding = move points inside circle to center • Points outside a circle are not decodable K. Simoens 3rd Edward van der Meulen Seminar 17 Enrolment • Code offset (translation) v = c - v = c - b is auxiliary data • Codeword c is reference stored securely as H(c) • Translation to codeword to perform decoding around b T l ti t d d t f d di d b • Diversification: shift squares, any codeword can be ref. b v c K. Simoens 3rd Edward van der Meulen Seminar 18 9
Verification • A new sample b ’ is presented by Bob – Shift new sample b ’ (translation preserves distance) – Decode v + b to c and verify if H(c ) = H(c) Decode v + b ’ to c ’ and verify if H(c ’ ) = H(c) • Cancel noise instead of similarity/distance score b’ b v+b’ t K. Simoens 3rd Edward van der Meulen Seminar 19 Verification Failed • Either the sample decodes to the wrong codeword, H(c ’ ) ≠ H(c) , or it does not decode at all c’ c K. Simoens 3rd Edward van der Meulen Seminar 20 10
Recommend
More recommend