Uploaded by raj shankar

Fingerprint Authentication for Wireless Implants

advertisement
Fingerprint Authentication for Supporting
Emergency Access to Wireless Implants
IMD
Feature Extraction and
Template Enrollment
Guanglou Zheng, Wencheng Yang, Craig Valli, Rajan
Shankaran and Mehmet A. Orgun
Implantable Medical Devices (IMDs), such as pacemakers and
cardiac defibrillators, normally perform critical therapeutic functions
for patients automatically. Security mechanisms designed for the
IMDs should not compromise their medical functions, especially in
the emergency situations when doctors require access to the IMDs
immediately without the presence of security credentials. In order to
achieve this goal, we design a fingerprint-based authentication scheme
for the IMDs in this letter. The emergency access to the IMD is provided
by doctors simply measuring the patient’s fingerprint. An alignment-free
fingerprint template is generated by using the Delaunay triangulation
technique and stored in the IMD for the automatic authentication
process. The experiment shows that this fingerprint-based authentication
algorithm has a low ERR value and thus can be used to provide security
protection for the IMDs.
Introduction: Implantable Medical Devices (IMDs), such as artificial
pacemakers and implantable cardiac defibrillators (ICDs), perform
a variety of health monitoring and critical therapeutic functions
automatically. A device programmer communicates with the IMD
through the wireless channel in order to transmit medical data from and
configure treatment parameters into the IMD. Nonetheless, recent studies
have demonstrated successful attacks on the IMD through the wireless
channel by using a commercial off-the-shelf programmer [1].
The unique challenge in the IMD security design is security vs.
accessibility [2, 3]. Security mechanisms should not hinder access to
the IMDs for medical treatment, especially in an emergency situation.
The conventional security key-based mechanism requires the security
key or credential to be deployed beforehand. However, in emergencies,
there is a high chance that a patient would be taken the nearest hospital
where the security credential of that patient’s IMD may not already
be pre-deployed. Proposals relying on the patient to provide the key
or credential are not viable, since the patient may forget to bring the
credential or be not in a position to provide one (for example, the
patient could be unconscious). However, any genuine doctor/authorized
medical professional should be able to provide immediate emergency
treatment to the patients by circumventing the underlying rigorous
security mechanism is needed in the IMD system.
Currently, biometric security is proposed to be a promising mechanism
to address this challenge because it can identify or verify the identity
of people by using intrinsic physical or behavioral characteristics. In
emergencies, doctors can gain access to the IMD by measuring body
characteristics of the patient. For instance, electrocardiogram (ECG)
based security mechanisms have been investigated wherein both the
IMD and the programmer are required to measure and process realtime ECG signals synchronously [4, 5, 6], which is energy-consuming
for a tiny implanted wireless device. Hei et al. [7] proposed to use the
iris pattern-based verification technique to provide access control to the
IMD. In this letter, we explore the use of the well-known fingerprint
authentication technique for securing the IMDs. With this technique,
doctors can gain access to the IMD and perform emergency treatment by
simply measuring the patient’s fingerprint in a situation where adequate
security credentials cannot be furnished by any other means. To the best
of our knowledge, we make the first attempt to design the fingerprintbased authentication scheme for addressing the IMD security issues.
IMD Security Requirements: A security scheme for the IMD needs to
achieve the trade-off between security and accessibility. Besides this,
the scheme has to be lightweight, especially for the IMD, since it has
limited resources. The IMD and its programmer compose an asymmetric
system in terms of their resources and extensible functions. The IMD
is a tiny wireless device with limited resources but is implanted in the
human’s body in order to perform life-saving functions for patients, e.g.,
cardiac pacemakers. Its battery is normally expected to last 5-10 years,
although it is non-rechargeable and non-replaceable [3]. On the other
hand, the programmer, as an external device, can be kept in a hospital
setting with no battery concerns. Its functions, e.g., computation and
communications, can be extended easily to adapt to the changes in the
ELECTRONICS LETTERS
20th April 20171
Vol. 00
Query Feature
Extraction
Fingerprint Scanner
Programmer
Fig. 1 The architecture of fingerprint based authentication for supporting
emergency access to implantable medical devices.
IMD. Therefore, an analysis of any security scheme that is undertaken
must focus on resource-related overheads at the IMD end rather than at
the programmer end.
Fingerprint Authentication Architecture: Fig. 1 shows an architecture
of the fingerprint based authentication scheme for the IMD. In this
architecture, the IMD is implanted in the patient’s body and can
communicate with an external programmer via the wireless channel. In
order to use the fingerprint-based authentication scheme, the following
functions and hardware need to be added to the existing IMD system: (a)
A fingerprint scanner which is added to the programmer, as shown in the
Fig. 1; (b) The fingerprint feature extraction function in the programmer;
(c) The fingerprint-based verification function in the IMD; (d) A wireless
communication protocol for exchanging authentication-related messages.
The overall authentication process is explained as below. (1) Template
enrollment: Features of the patient’s fingerprint are extracted and the
template is enrolled in the IMD before the implantation surgery. (2)
Query feature extraction: The programmer captures a fingerprint image
from the scanner and extracts query features from the image. (3)
Authentication: The programmer sends the query features to the IMD by
using the custom-designed wireless communication protocol. The IMD
then verifies the query features against the template stored in its memory.
(4) The IMD responds to the programmer according to the outcome of the
authentication process. The IMD permits the programmer to exchange
data with itself if the authentication is successful. Otherwise, the access
to the IMD is blocked. In the emergency situation, doctors who do not
possess the pre-deployed security key can gain access to the IMD by
easily measuring the patient’s fingerprint.
Advantages of the Scheme: This fingerprint-based authentication scheme
is lightweight, especially for the IMD. In this scheme, the IMD stores
the fingerprint template and performs the authentication process by
comparing the template with its received query features. The template
enrollment is completed before the IMD is implanted into the body. So,
it won’t consume any resources except the memory. Nonetheless, the
programmer is required to capture the fingerprint image and extract query
features in every authentication attempt. However, since the IMD system
is an asymmetric system and the programmer is an external device,
the resource consumption in the programmer is not the main concern.
Compared with the ECG-based security schemes, this scheme requires
less resources in the IMD. This is because in the ECG-based schemes, the
IMD is required to process real-time ECG signals and generate random
binary sequences in each authentication attempt [4, 5, 6], which is quite
resource-consuming. In contrast, by using this scheme, the IMD stores
the biometric template and uses it directly in each verification process.
Fingerprint Feature Extraction: Types of features extracted from the
fingerprint image include gray-scale values, ridge structure patterns
and minutiae. Obviously, the authentication process in the IMD has to
be executed automatically. As discussed by Jain et al. [8], automatic
fingerprint identification and authentication systems typically rely on
representing the two most prominent structures: ridge endings and ridge
bifurcations, which are collectively called minutiae. Furthermore, the
fingerprint template has to be alignment-free in order to facilitate the
automatic authentication process. So, we construct triangles from the set
of minutiae points and utilize these triangles as fingerprint features for
No. 00
the authentication purpose. These triangles represent relative distance
information of the fingerprint image and thus can be used for the
alignment-free authentication. In order to tolerate elastic distortions of
the image, we employ the Delaunay triangulation technique to generate
the triangles from the set of minutiae.
The feature extraction process from each Delaunay triangle is
presented below. Each Delaunay triangle is formed by connecting three
minutiae as vertices. After capturing the fingerprint image, a set of
minutiae, M = {mi }, can be obtained from the image, denoted by:
M = {mi } = {(xi , yi , θi , γi )}
(1)
where (xi , yi ) is the coordinate value of the location of mi in a Cartesian
coordinate system. θi is the orientation of its associated ridge and γi is
the minutiae type (a binary value) which is defined as γi = 0 for ridge
endpoints and γi = 1 for the bifurcations.
The three vertices of a Delaunay triangle, (mj , mk , ml ), are in the set
M . For each edge of the triangle, e.g., the edge, ejk , between vertices
mj and mk , features that are extracted for the authentication purpose are
denoted by:
Fjk = (djk , αjk , βjk , γjk )
where djk is the length of the edge, denoted by:
p
djk =
(xj − xk )2 + (yj − yk )2
(a)
(2)
(3)
that the best EER value is 10.7% when we require feature vectors of more
than 4 triangles can match between the template and the query.
Conclusion: In this letter, we have designed a fingerprint-based
authentication scheme for IMDs. This scheme can support the access to
the IMD in an emergency scenario where medical practitioners cannot
obtain its security credential immediately. This emergency access will
be authorized by simply measuring the patient’s fingerprint. In order
to facilitate the automatic authentication process, the alignment-free
fingerprint template is generated and stored in the IMD. The Delaunay
triangulation technique is employed and features of each triangle are
obtained for the alignment-free purpose. The experiment shows that this
fingerprint-based authentication algorithm has a low ERR value and thus
can be used to provide security for the IMDs. In the future work, we will
investigate a lightweight fingerprint matching algorithm and perform a
comprehensive experimental analysis for the scheme.
denoted by:
yj − yk
xj − xk
− θj
(4)
βjk is the difference between the orientation angles θj and θk , denoted
by:
βjk = min (|θj − θk |, 2π − |θj − θk |)
(c)
Fig. 2 The process of the Delaunay triangulation. (a) A fingerprint image with
detected minutia points. (b) A Voronoi diagram which partitions the plane into
cells. (c) Delaunay triangulation of the minutiae.
αjk is the angle difference between θj and the orientation of the edge,
αjk = tan−1
(b)
(5)
γjk is defined as the type of the edge based on the types of the minutiae
it connects. It is 2-bit binary value with the most significant bit as γj and
the least significant bit as γk , denoted by γjk = (γj |γk )2 where | is a
concatenating symbol.
Following the same process, features of the other two edges of the
triangle, ekl and elj , can be represented as Fkl and Flj , respectively. If
there are N triangles constructed from the set of minutiae, M , for the nth
n , F n , F n } which
triangle, its features can be represented by LF n = {Fjk
kl
lj
has 12 elements. Therefore, the set of features of the fingerprint template
can be represented as LF = {LF n |n = 1, 2, · · · , N }.
G. Zheng, W. Yang and C. Valli (Security Research Institute, Edith
Cowan University, Perth, WA 6027, Australia)
R. Shankaran and M.A. Orgun (Department of Computing, Macquarie
University, Sydney, NSW 2109, Australia)
E-mail: g.zheng@ecu.edu.au
References
Experiment Analysis: This fingerprint authentication scheme is
evaluated over the public database FVC2002 DB2 [9] which has
images captured from 100 different fingers and each finger has eight
different images. The Verifinger SDK [10] which is designed for
biometric systems developer and integrators is utilized in order to extract
minutia dataset from fingerprint images. The process of the Delaunay
triangulation is illustrated in Fig. 2. A captured fingerprint image is
shown in Fig. 2 (a) in which minutia points are detected and marked out
in red dots. Fig. 2 (b) is a Voronoi diagram which partitions the plane into
cells around each minutia point, mi , so that all points in the Voronoi cell
around mi are closer to mi than any other minutiae. With the Voronoi
diagram, the Delaunay triangulation is achieved by connecting minutia
points of each pair of neighbouring Voronoi cells as shown in Fig. 2 (c).
The performance of the fingerprint-based authentication algorithm is
evaluated in terms of False Rejection Rate (FRR) and False Acceptance
Rate (FAR). Specifically, the FRR is the rate of falsely rejecting a
fingerprint image from a genuine finger while the FAR is the rate
of falsely accepting an image from a different person’s finger or a
counterfeited fingerprint image. The first image from each finger is used
as a template while the second one from the same finger is a query
image to calculate the FRR. Similarly, the second image from a different
finger is adopted as a query to compute the FAR. Normally, the optimal
system performance can be achieved when the FAR equals the FRR,
which is called the Equal Error Rate (EER). In the experiment, the
threshold of different elements between a triangle in the template and
its corresponding one in the query is pre-set as 2, which means it only
allows one element difference for 12 elements in each triangle feature
vector, LF n , when performing the authentication. The experiment shows
1 Halperin D., Heydt-Benjamin T.S., Ransford B. and Clark, S. S.:
’Pacemakers and implantable cardiac defibrillators: Software radio
attacks and zero-power defenses’, in Proc. IEEE Symp. Secur. Privacy,
2008, pp. 129–142.
2 Gollakota S., Hassanieh H., Ransford B., Katabi D. and Fu K., ’They
can hear your heartbeats: non-invasive security for implantable medical
devices’, in Proc. ACM SIGCOMM Conf. Comput. Commun. Secur.,
2011, 41, (4), pp. 2–13.
3 Zheng G., Shankaran R., Orgun M.A., Qiao L. and Saleem K.: ’Ideas
and challenges for securing wireless implantable medical devices: A
review’, IEEE Sensors J., 2017, 17 (3), pp. 562–576.
4 Rostami M., Juels A. and Koushanfar F.: ’Heart-to-heart (H2H):
authentication for implanted medical devices’, in Proc. ACM
SIGCOMM Conf. Comput. Commun. Secur., 2013, pp. 1099–1112.
5 Xu F., Qin Z., Tan C.C., Wang B. and Li Q.: ’IMDGuard: Securing
implantable medical devices with the external wearable guardian’, in
Proc. IEEE INFOCOM, Apr. 2011, pp. 1862–1870.
6 Zheng G., Fang G., Shankaran R. and Orgun M.A.: ’Encryption for
implantable medical devices using modified one-time pads’, IEEE
Access, 2015, 3, pp. 825–836.
7 Hei X. and Du X.: ’Biometric-based two-level secure access control
for implantable medical devices during emergencies’, in Proc. IEEE
INFOCOM, 2011, pp. 346–350.
8 Jain A.K., Hong L., Pankanti S. and Bolle R.: ’An identityauthentication system using fingerprints’, Proceedings of the IEEE,
1997, 85, (9), pp. 1365–1388.
9 FVC2002 fingerprint databases, http://bias.csr.unibo.it/fvc2002/databases.asp,
accessed: 2017-04-10.
10 NeuroTechnology
Inc.,
Verifinger
SDK
software
tool,
www.neurotechnology.com/verifinger.html, accessed: 2017-04-10.
2
Download