Fingerprint Authentication for Supporting Emergency Access to Wireless Implants

Guanglou Zheng, Wencheng Yang, Craig Valli, Rajan Shankaran and Mehmet A. Orgun

[Fig. 1 diagram labels: IMD, Feature Extraction and Template Enrollment]

Implantable Medical Devices (IMDs), such as pacemakers and cardiac defibrillators, normally perform critical therapeutic functions for patients automatically. Security mechanisms designed for the IMDs should not compromise their medical functions, especially in emergency situations when doctors require access to the IMDs immediately without the presence of security credentials. In order to achieve this goal, we design a fingerprint-based authentication scheme for the IMDs in this letter. The emergency access to the IMD is provided by doctors simply measuring the patient’s fingerprint. An alignment-free fingerprint template is generated by using the Delaunay triangulation technique and stored in the IMD for the automatic authentication process. The experiment shows that this fingerprint-based authentication algorithm has a low EER value and thus can be used to provide security protection for the IMDs.

Introduction: Implantable Medical Devices (IMDs), such as artificial pacemakers and implantable cardiac defibrillators (ICDs), perform a variety of health monitoring and critical therapeutic functions automatically. A device programmer communicates with the IMD through the wireless channel in order to transmit medical data from and configure treatment parameters into the IMD. Nonetheless, recent studies have demonstrated successful attacks on the IMD through the wireless channel by using a commercial off-the-shelf programmer [1]. The unique challenge in the IMD security design is security vs. accessibility [2, 3]. Security mechanisms should not hinder access to the IMDs for medical treatment, especially in an emergency situation. The conventional security key-based mechanism requires the security key or credential to be deployed beforehand.
However, in emergencies, there is a high chance that a patient would be taken to the nearest hospital, where the security credential of that patient’s IMD may not already be pre-deployed. Proposals relying on the patient to provide the key or credential are not viable, since the patient may forget to bring the credential or may not be in a position to provide one (for example, the patient could be unconscious). However, any genuine doctor or authorized medical professional should be able to provide immediate emergency treatment to the patient, so a way of circumventing the underlying rigorous security mechanism is needed in the IMD system.

Currently, biometric security is proposed to be a promising mechanism to address this challenge because it can identify or verify the identity of people by using intrinsic physical or behavioral characteristics. In emergencies, doctors can gain access to the IMD by measuring body characteristics of the patient. For instance, electrocardiogram (ECG) based security mechanisms have been investigated wherein both the IMD and the programmer are required to measure and process real-time ECG signals synchronously [4, 5, 6], which is energy-consuming for a tiny implanted wireless device. Hei et al. [7] proposed to use the iris pattern-based verification technique to provide access control to the IMD. In this letter, we explore the use of the well-known fingerprint authentication technique for securing the IMDs. With this technique, doctors can gain access to the IMD and perform emergency treatment by simply measuring the patient’s fingerprint in a situation where adequate security credentials cannot be furnished by any other means. To the best of our knowledge, we make the first attempt to design the fingerprint-based authentication scheme for addressing the IMD security issues.

IMD Security Requirements: A security scheme for the IMD needs to achieve the trade-off between security and accessibility.
Besides this, the scheme has to be lightweight, especially for the IMD, since it has limited resources. The IMD and its programmer compose an asymmetric system in terms of their resources and extensible functions. The IMD is a tiny wireless device with limited resources but is implanted in the human body in order to perform life-saving functions for patients, e.g., cardiac pacemakers. Its battery is normally expected to last 5-10 years, although it is non-rechargeable and non-replaceable [3]. On the other hand, the programmer, as an external device, can be kept in a hospital setting with no battery concerns. Its functions, e.g., computation and communications, can be extended easily to adapt to the changes in the IMD. Therefore, an analysis of any security scheme that is undertaken must focus on resource-related overheads at the IMD end rather than at the programmer end.

ELECTRONICS LETTERS 20th April 2017 Vol. 00 No. 00

Fig. 1 The architecture of fingerprint-based authentication for supporting emergency access to implantable medical devices. [Diagram labels: Query Feature Extraction, Fingerprint Scanner, Programmer]

Fingerprint Authentication Architecture: Fig. 1 shows an architecture of the fingerprint-based authentication scheme for the IMD. In this architecture, the IMD is implanted in the patient’s body and can communicate with an external programmer via the wireless channel. In order to use the fingerprint-based authentication scheme, the following functions and hardware need to be added to the existing IMD system: (a) A fingerprint scanner which is added to the programmer, as shown in Fig. 1; (b) The fingerprint feature extraction function in the programmer; (c) The fingerprint-based verification function in the IMD; (d) A wireless communication protocol for exchanging authentication-related messages. The overall authentication process is explained as below.
(1) Template enrollment: Features of the patient’s fingerprint are extracted and the template is enrolled in the IMD before the implantation surgery.
(2) Query feature extraction: The programmer captures a fingerprint image from the scanner and extracts query features from the image.
(3) Authentication: The programmer sends the query features to the IMD by using the custom-designed wireless communication protocol. The IMD then verifies the query features against the template stored in its memory.
(4) The IMD responds to the programmer according to the outcome of the authentication process. The IMD permits the programmer to exchange data with itself if the authentication is successful. Otherwise, the access to the IMD is blocked.

In the emergency situation, doctors who do not possess the pre-deployed security key can gain access to the IMD by easily measuring the patient’s fingerprint.

Advantages of the Scheme: This fingerprint-based authentication scheme is lightweight, especially for the IMD. In this scheme, the IMD stores the fingerprint template and performs the authentication process by comparing the template with its received query features. The template enrollment is completed before the IMD is implanted into the body. So, it won’t consume any resources except the memory. Nonetheless, the programmer is required to capture the fingerprint image and extract query features in every authentication attempt. However, since the IMD system is an asymmetric system and the programmer is an external device, the resource consumption in the programmer is not the main concern. Compared with the ECG-based security schemes, this scheme requires fewer resources in the IMD. This is because in the ECG-based schemes, the IMD is required to process real-time ECG signals and generate random binary sequences in each authentication attempt [4, 5, 6], which is quite resource-consuming.
In contrast, by using this scheme, the IMD stores the biometric template and uses it directly in each verification process.

Fingerprint Feature Extraction: Types of features extracted from the fingerprint image include gray-scale values, ridge structure patterns and minutiae. Obviously, the authentication process in the IMD has to be executed automatically. As discussed by Jain et al. [8], automatic fingerprint identification and authentication systems typically rely on representing the two most prominent structures: ridge endings and ridge bifurcations, which are collectively called minutiae. Furthermore, the fingerprint template has to be alignment-free in order to facilitate the automatic authentication process. So, we construct triangles from the set of minutiae points and utilize these triangles as fingerprint features for the authentication purpose. These triangles represent relative distance information of the fingerprint image and thus can be used for the alignment-free authentication. In order to tolerate elastic distortions of the image, we employ the Delaunay triangulation technique to generate the triangles from the set of minutiae. The feature extraction process from each Delaunay triangle is presented below.

Each Delaunay triangle is formed by connecting three minutiae as vertices. After capturing the fingerprint image, a set of minutiae, $M = \{m_i\}$, can be obtained from the image, denoted by:

$$M = \{m_i\} = \{(x_i, y_i, \theta_i, \gamma_i)\} \qquad (1)$$

where $(x_i, y_i)$ is the coordinate value of the location of $m_i$ in a Cartesian coordinate system, $\theta_i$ is the orientation of its associated ridge and $\gamma_i$ is the minutiae type (a binary value), which is defined as $\gamma_i = 0$ for ridge endpoints and $\gamma_i = 1$ for the bifurcations. The three vertices of a Delaunay triangle, $(m_j, m_k, m_l)$, are in the set $M$.
For each edge of the triangle, e.g., the edge $e_{jk}$ between vertices $m_j$ and $m_k$, the features that are extracted for the authentication purpose are denoted by:

$$F_{jk} = (d_{jk}, \alpha_{jk}, \beta_{jk}, \gamma_{jk}) \qquad (2)$$

where $d_{jk}$ is the length of the edge, denoted by:

$$d_{jk} = \sqrt{(x_j - x_k)^2 + (y_j - y_k)^2} \qquad (3)$$

$\alpha_{jk}$ is the angle difference between $\theta_j$ and the orientation of the edge, denoted by:

$$\alpha_{jk} = \tan^{-1}\left(\frac{y_j - y_k}{x_j - x_k}\right) - \theta_j \qquad (4)$$

$\beta_{jk}$ is the difference between the orientation angles $\theta_j$ and $\theta_k$, denoted by:

$$\beta_{jk} = \min\left(|\theta_j - \theta_k|,\ 2\pi - |\theta_j - \theta_k|\right) \qquad (5)$$

$\gamma_{jk}$ is defined as the type of the edge based on the types of the minutiae it connects. It is a 2-bit binary value with the most significant bit as $\gamma_j$ and the least significant bit as $\gamma_k$, denoted by $\gamma_{jk} = (\gamma_j | \gamma_k)_2$, where $|$ is a concatenating symbol. Following the same process, features of the other two edges of the triangle, $e_{kl}$ and $e_{lj}$, can be represented as $F_{kl}$ and $F_{lj}$, respectively. If there are $N$ triangles constructed from the set of minutiae, $M$, for the $n$th triangle, its features can be represented by $LF^n = \{F^n_{jk}, F^n_{kl}, F^n_{lj}\}$, which has 12 elements. Therefore, the set of features of the fingerprint template can be represented as $LF = \{LF^n \mid n = 1, 2, \cdots, N\}$.

Fig. 2 The process of the Delaunay triangulation. (a) A fingerprint image with detected minutia points. (b) A Voronoi diagram which partitions the plane into cells. (c) Delaunay triangulation of the minutiae.

Experiment Analysis: This fingerprint authentication scheme is evaluated over the public database FVC2002 DB2 [9], which has images captured from 100 different fingers, with eight different images for each finger. The Verifinger SDK [10], which is designed for biometric system developers and integrators, is utilized in order to extract the minutia dataset from fingerprint images. The process of the Delaunay triangulation is illustrated in Fig. 2. A captured fingerprint image is shown in Fig. 2 (a), in which minutia points are detected and marked with red dots. Fig. 2 (b) is a Voronoi diagram which partitions the plane into cells around each minutia point, $m_i$, so that all points in the Voronoi cell around $m_i$ are closer to $m_i$ than to any other minutia. With the Voronoi diagram, the Delaunay triangulation is achieved by connecting minutia points of each pair of neighbouring Voronoi cells, as shown in Fig. 2 (c).

The performance of the fingerprint-based authentication algorithm is evaluated in terms of False Rejection Rate (FRR) and False Acceptance Rate (FAR). Specifically, the FRR is the rate of falsely rejecting a fingerprint image from a genuine finger, while the FAR is the rate of falsely accepting an image from a different person’s finger or a counterfeited fingerprint image. The first image from each finger is used as a template while the second one from the same finger is a query image to calculate the FRR. Similarly, the second image from a different finger is adopted as a query to compute the FAR. Normally, the optimal system performance can be achieved when the FAR equals the FRR, which is called the Equal Error Rate (EER). In the experiment, the threshold of different elements between a triangle in the template and its corresponding one in the query is pre-set as 2, which means it only allows one element difference for 12 elements in each triangle feature vector, $LF^n$, when performing the authentication. The experiment shows that the best EER value is 10.7% when we require that the feature vectors of more than 4 triangles match between the template and the query.

Conclusion: In this letter, we have designed a fingerprint-based authentication scheme for IMDs. This scheme can support the access to the IMD in an emergency scenario where medical practitioners cannot obtain its security credential immediately. This emergency access will be authorized by simply measuring the patient’s fingerprint. In order to facilitate the automatic authentication process, the alignment-free fingerprint template is generated and stored in the IMD. The Delaunay triangulation technique is employed and features of each triangle are obtained for the alignment-free purpose. The experiment shows that this fingerprint-based authentication algorithm has a low EER value and thus can be used to provide security for the IMDs. In future work, we will investigate a lightweight fingerprint matching algorithm and perform a comprehensive experimental analysis for the scheme.

G. Zheng, W. Yang and C. Valli (Security Research Institute, Edith Cowan University, Perth, WA 6027, Australia)
R. Shankaran and M.A. Orgun (Department of Computing, Macquarie University, Sydney, NSW 2109, Australia)
E-mail: g.zheng@ecu.edu.au

References

1 Halperin D., Heydt-Benjamin T.S., Ransford B. and Clark S.S.: 'Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses', in Proc. IEEE Symp. Secur. Privacy, 2008, pp. 129–142.
2 Gollakota S., Hassanieh H., Ransford B., Katabi D. and Fu K.: 'They can hear your heartbeats: non-invasive security for implantable medical devices', in Proc. ACM SIGCOMM Conf. Comput. Commun. Secur., 2011, 41, (4), pp. 2–13.
3 Zheng G., Shankaran R., Orgun M.A., Qiao L. and Saleem K.: 'Ideas and challenges for securing wireless implantable medical devices: A review', IEEE Sensors J., 2017, 17, (3), pp. 562–576.
4 Rostami M., Juels A. and Koushanfar F.: 'Heart-to-heart (H2H): authentication for implanted medical devices', in Proc. ACM SIGCOMM Conf. Comput. Commun. Secur., 2013, pp. 1099–1112.
5 Xu F., Qin Z., Tan C.C., Wang B. and Li Q.: 'IMDGuard: Securing implantable medical devices with the external wearable guardian', in Proc. IEEE INFOCOM, Apr. 2011, pp. 1862–1870.
6 Zheng G., Fang G., Shankaran R. and Orgun M.A.: 'Encryption for implantable medical devices using modified one-time pads', IEEE Access, 2015, 3, pp. 825–836.
7 Hei X. and Du X.: 'Biometric-based two-level secure access control for implantable medical devices during emergencies', in Proc. IEEE INFOCOM, 2011, pp. 346–350.
8 Jain A.K., Hong L., Pankanti S. and Bolle R.: 'An identity-authentication system using fingerprints', Proceedings of the IEEE, 1997, 85, (9), pp. 1365–1388.
9 FVC2002 fingerprint databases, http://bias.csr.unibo.it/fvc2002/databases.asp, accessed: 2017-04-10.
10 NeuroTechnology Inc., Verifinger SDK software tool, www.neurotechnology.com/verifinger.html, accessed: 2017-04-10.
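
The edge features of Eqs. (2) to (5) and the matching rule quoted in the Experiment Analysis (fewer than 2 differing elements per triangle, more than 4 matching triangles), written out as an added Python example that is not code from the letter or its authors. The element tolerances, the use of atan2 with wrapping into [0, 2π), all function names and the sample minutiae are assumptions, and the triangle index list stands in for the output of the Delaunay step.

```python
import math
TAU = 2 * math.pi

def edge_features(mj, mk):
    """F_jk = (d, alpha, beta, gamma); a minutia is (x, y, theta, type)."""
    (xj, yj, tj, gj), (xk, yk, tk, gk) = mj, mk
    d = math.hypot(xj - xk, yj - yk)                     # Eq. (3)
    alpha = (math.atan2(yj - yk, xj - xk) - tj) % TAU    # Eq. (4), atan2 form (assumed)
    gap = abs(tj - tk) % TAU
    beta = min(gap, TAU - gap)                           # Eq. (5)
    return (d, alpha, beta, (gj << 1) | gk)              # gamma_jk = (gamma_j|gamma_k)_2

def local_features(minutiae, triangles):
    """LF: one 12-element vector (F_jk, F_kl, F_lj) per triangle (j, k, l)."""
    return [edge_features(minutiae[j], minutiae[k])
            + edge_features(minutiae[k], minutiae[l])
            + edge_features(minutiae[l], minutiae[j]) for j, k, l in triangles]

def differing(a, b, d_tol=3.0, ang_tol=math.radians(10)):
    """Count disagreeing elements of two 12-element vectors (tolerances assumed)."""
    count = 0
    for i, (u, v) in enumerate(zip(a, b)):
        if i % 4 == 0:                  # edge length
            same = abs(u - v) <= d_tol
        elif i % 4 == 3:                # edge type must be identical
            same = u == v
        else:                           # alpha or beta, compared on the circle
            gap = abs(u - v) % TAU
            same = min(gap, TAU - gap) <= ang_tol
        count += not same
    return count

def authenticate(template, query, elem_threshold=2, min_triangles=4):
    """IMD-side decision using the letter's thresholds (2 elements, 4 triangles)."""
    matched = sum(any(differing(t, q) < elem_threshold for q in query)
                  for t in template)
    return matched > min_triangles

def rigid_move(minutiae, phi, dx, dy):
    """Same finger placed differently: rotate by phi, shift by (dx, dy)."""
    c, s = math.cos(phi), math.sin(phi)
    return [(c * x - s * y + dx, s * x + c * y + dy, (t + phi) % TAU, g)
            for x, y, t, g in minutiae]

# Constructed sample, not data from the letter; TRIANGLES stands in for Delaunay.
MINUTIAE = [(10, 10, 0.3, 0), (60, 15, 1.2, 1), (35, 55, 2.0, 0), (90, 50, 0.7, 1),
            (65, 95, 2.9, 0), (20, 100, 1.6, 1), (110, 100, 0.1, 0)]
TRIANGLES = [(0, 1, 2), (1, 3, 2), (2, 3, 4), (2, 4, 5), (3, 6, 4), (0, 2, 5)]
TEMPLATE = local_features(MINUTIAE, TRIANGLES)  # what the IMD would store
```

Because every element is relative to the triangle itself, a rotated and shifted capture of the same minutiae produces the same vectors, which is what lets the IMD compare a query against the stored template without an alignment step.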