Fuzzy Commitment

advertisement
Fuzzy Commitment
DIMACS Workshop on Cryptography: Theory Meets Practice
15 October 2004
Ari Juels
RSA Laboratories
ajuels@rsasecurity.com
Part I:
Data secrecy in biometric
authentication systems
The Classical View of Biometric
Authentication
Is it Woody? Yes, it’s Woody!
The Classical View of Biometric
Authentication
=
?
Is it Woody? Yes, it’s Woody!
The Classical View of Biometric
Authentication
=
?
Hello,
Mr. Woody Allen
In these scenarios, biometric
data need not be kept secret
• Spoofing is difficult with human
oversight
• Indeed, your face is public anyway
• (Assuming, of course, that passport is
not a forgery)
But what happens when…
A human-guided process
=
?
Becomes automated?
=
?
Secrecy of biometric data is now
more important to security
• Reason 1: Automation
will mean relaxation
of human oversight
– More opportunity for
spoofing
– Spoofing iris / face
readers with printed
images, “gummy”
fingers, etc.
Schiphol airport: Iris scanning
Secrecy of biometric data is now
more important to security
• Reason 2: Spillover
into remote / home
authentication!
Server
Woody’s PC
And revocation is hard!
First password
Second password
Yet passports will transmit
biometrics via RFID to any
standard reader…
ICAO (International Civil
Aviation Organization) standard –
imminent adoption through DHS
effort
Clandestine scanning
10cm range under legal conditions
How much with a rogue reader?
One meter?
How much from eavesdropping
on legitimate reader?
Optical keys / Faraday cages?
But isn’t my face public anyway?
Suppose you want to copy a painting…
snapshot
professional photo
•Facial images require special conditions for matching to work. In U.K., you’re
not allowed to smile in passport photos any longer!
•Best for forger to have target image, i.e., one in passport serving as basis for
authentication
•Iris and fingerprint are harder to capture than face
Copying a biometric is somewhat like copying a painting…
Part II:
Towards secrecy in biometric
authentication systems
Cryptographic tools for
password secrecy
password
Cryptographic tools for
password secrecy
h (password, salt)
password
Epassword[key]
Password-based
key agreement
Cryptographic tools for
biometric secrecy ?
h(
E
, salt)
[key]
Finger-based
key agreement?
Problem: Biometrics are variable,
i.e., error-prone…
• Differing angles of
presentation
!
• Differing amounts of pressure
• Chapped skin

and standard crypto does not tolerate errors!
We want “fuzzy” cryptography
• Error-tolerant crypto primitives
– E.g., Dk’ [ Ek[m] ] = m
if k ≈ k’
• Body of “fuzzy” crypto literature:
– Davida, Frankel, & Matt ’98
– “Biometric encryption” (breakable)
– Juels & Wattenberg ’99 (“fuzzy commitment”)
Application of FJ ‘01 to “life questions” now in RSA product…
–
–
–
–
Monrose, Reiter, & Wetzel ’99 + follow-on
Juels & Sudan ’01
Dodis, Rezyin, & Smith ’04
Boyen in ten minutes…
But no rigorous application to real biometrics yet!
Why everybody has nice eyes
• An iriscode has an
estimated 250 bits of
entropy!
– Contrast 1/10,000 false
acceptance for
fingerprints…
– Most people have two eyes!
• Hamming distance is the
metric for iriscode
similarity
– E. g. , fuzzy commitment
applies directly…
iriscode
iris
Why it’s not so easy…
• An iriscode can be as long as 4096 bits
– Where are those 250 bits of entropy hidden?
– Bits are not independent…
• Signal processing data folded into iriscode
• Eyelids, eyelashes, and reflections can
occlude much of iris
• We could get only 37 pairs of eyes for
experiments…
A first attempt
Tricks:
1. Use staggered samples: yields up to 75 independent bits
2. Use multiple scans to reduce error rate
3. Play some ad-hoc tricks with signal-processing data
Result: Able to extract a 60-bit or so key from a pair of irises,
but how much were methods fitted to data?
Conclusion
• Ongoing work (joint with Mike Szydlo & Brent
Waters)
– Trying to understand iriscode distribution
– Need programming help!
• Other groups trying to apply fuzzy crypto to
fingerprints
• Natural place where theory (crypto) meets
practice (the human being)
– … and error-prone devices too, e.g., POWFs, PUFs…
• With biometrics on the march, imminent
surge of interest in these techniques?
Download