Private biometrics
Private biometrics is a form of biometrics, also called Biometric Encryption or BioCryptics, in which the prover is protected against the misuse of template data by a dishonest verifier.

Biometric identification requires that a verifier search for matches in a database that contains data about the entire population. This introduces the security and privacy threat that a verifier who steals biometric templates from some (or even all) persons in the database can perform impersonation attacks. When a private verification system is used on a large scale, the reference database has to be made available to many different verifiers, who, in general, cannot be trusted. Information stolen from a database can be misused to construct artificial biometrics to impersonate people. Creation of artificial biometrics is possible even if only part of the template is available.

To gain insight into the security aspects of biometrics, one can distinguish between verification and private verification. In a typical verification situation, access to the reference template allows a malicious verifier to artificially construct measurement data that will pass the verification test, even if the prover has never exposed herself to a biometric measurement after the enrollment.

In private verification, the reference data should not leak relevant information that would allow the verifier to (effectively) construct valid measurement data. Such protection is common practice for storage of computer passwords. When a computer verifies a password, it does not compare the password typed by the user with a stored reference copy. Instead, the password is processed by a cryptographic one-way function F and the outcome is compared against a locally stored reference string F(y). So y is only temporarily available on the system hardware, and no stored data allows calculation of y. This prevents attacks from the inside by stealing unencrypted or decryptable secrets.

Comparison with handling computer passwords

The main difference between password checking and biometric private verification is that during biometric measurements it is unavoidable that noise or other aberrations occur. Noisy measurement data are quantized into discrete values before these can be processed by any cryptographic function. Due to external noise, the outcome of the quantization may differ from experiment to experiment. In particular, if one of the biometric parameters has a value close to a quantization threshold, minor amounts of noise can change the outcome. Minor changes at the input of a cryptographic function are amplified and the outcome will bear no resemblance to the expected outcome. This property, commonly referred to as ‘confusion’ and ‘diffusion’, makes it less trivial to use biometric data as input to a cryptographic function. The notion of near matches or distance between enrollment and operational measurements vanishes after encryption or any other cryptographically strong operation. Hence, the comparison of measured data with reference data cannot be executed in the encrypted domain without prior precautions to contain the effect of noise.
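The failure mode described above, as an added example that is not part of the original article: a password-style check F(measurement) == F(y) applied to quantized biometric features. The feature values, the quantization step `STEP`, the function names and the use of SHA-256 as the one-way function F are all assumptions made for illustration.

```python
import hashlib

STEP = 1.0  # assumed quantization step; thresholds lie at multiples of STEP

def quantize(features):
    """Map each real-valued feature to the index of its quantization bin."""
    return [int(f // STEP) for f in features]

def F(symbols):
    """One-way function on the quantized template (SHA-256 stands in for F)."""
    return hashlib.sha256(bytes(symbols)).digest()

def bit_distance(a, b):
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def symbols_changed(a, b):
    """Distance in the plain domain: how many quantized symbols differ."""
    return sum(p != q for p, q in zip(quantize(a), quantize(b)))

def verify(reference, measurement):
    """Password-style check: hash the fresh measurement, compare with F(y)."""
    return F(quantize(measurement)) == reference

# Constructed sample data: the third feature (2.98) lies close to threshold 3.0.
ENROLLED = [4.40, 7.55, 2.98, 9.30, 1.62, 5.47]
REFERENCE = F(quantize(ENROLLED))  # the only value the verifier stores

# Same person, small noise, every feature stays inside its bin.
NOISY_OK = [4.45, 7.50, 2.95, 9.33, 1.60, 5.51]
# Same person, equally small noise, but 2.98 -> 3.02 crosses the threshold.
NOISY_FLIP = [4.45, 7.50, 3.02, 9.33, 1.60, 5.51]

if __name__ == "__main__":
    for name, m in (("NOISY_OK", NOISY_OK), ("NOISY_FLIP", NOISY_FLIP)):
        print(name,
              "symbols changed:", symbols_changed(ENROLLED, m),
              "digest bits changed:", bit_distance(REFERENCE, F(quantize(m))),
              "accepted:", verify(REFERENCE, m))
```

A single changed symbol in the plain domain changes roughly half of the digest bits, so the verifier cannot tell a near match from a completely different template.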

Meanwhile, it is important to realize that protection of the reference data stored in a database is not a complete solution to the above-mentioned threats. After having had an opportunity to measure operational biometric data, a dishonest verifier uses these measurement data. This can happen without anyone noticing it: Victor grabs the fingerprint image left behind on a sensor. This corresponds to grabbing all keystrokes including the plain passwords typed by a user.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.