Hacking Attack

Biometric Cryptosystems
Presenters:
Yeh Po-Yin
Yang Yi-Lun
Cryptosystem
User authentication
Cryptographic keys
Login password
RSA Public keys
Cryptographic Keys
Long and random
Stored somewhere
Computer
Smart card
Released based on user password
User password
Short and simple
Easily guessed
“password”
Same as account
Birth date
Tel #
Use the same password everywhere
What if?
A single password is compromised while the user uses the same password across different applications?
A complex password is written down in an easily accessible location?
The device that stores the cryptographic keys has been cracked?
Traditional cryptosystems
Based on secret keys
Forgotten
Lost
Stolen
Repudiation
Biometric authentication
More reliable
Can not be lost or forgotten
Difficult to copy, share, and distribute
Hard to forge
Unlikely to repudiate
Relatively equal security level
Biometric
No biometric is optimal
Depends on the requirements of the application
Comparison of biometrics
Properties
Universality
Distinctiveness
Permanence
Collectability
Attributes
Performance
Acceptability
Circumvention
Biometric signal variations
Inconsistent presentation
Irreproducible presentation
Imperfect signal acquisition
Biometric Matcher
Exact match is not very useful
Aligning
Matching score
Fingerprint
Identify minutiae neighbors
Performance
Two types of errors
False match ( false accept )
False non-match ( false reject )
Error rates
False match rate ( FMR )
False non-match rate ( FNMR )
Tradeoff relation
Biometric keys
Biometric-based authentication
User authentication
Biometric component
Cryptographic system
Key release on positive match
Biometric key database
Cryptographic key
User name
Biometric template
Access privileges
Other personal information
What if?
Biometric data is stolen by cracking into the biometric key database?
Hacking Attack
Definition
Hacker
Cracker
Attack
Disturbance
Block
Incursion
Attacking Step
Decide target
Easy
Worth
Purpose
Gain information
Firewall
System
Detect path
Ping
Traceroute
Hopping site
Bot
Make incursion
Types of attack
Interruption
attack on availability
Interception
attack on confidentiality
Modification
attack on integrity
Fabrication
attack on authentication
Reference: 資安演習防護講義 (information security exercise defence lecture notes)
Common form of attack
Denial of Service (DoS) attacks
Distributed Denial of Service (DDoS) attacks
Trojan Horse
Virus
Websites
Worm
Sniffing
Spoofing
Bug
Buffer overflow
Protection
Firewall
Antivirus program
Update
Close unnecessary programs
Close unnecessary internet services
Scan computer
Back to biometric keys
Is it possible to issue a new biometric template if the biometric template in an application is compromised?
Is it possible to use different templates in different applications?
Is it possible to generate a cryptographic key using biometric information?
Solving Q1 and Q2
Store H(x) instead of x
H is the transform function
x is the original biometric signal
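As an added illustration of storing H(x) instead of x (this code is not from the slides), the Python below takes H to be a keyed transform derived from an application id and a template issue number, so a compromised template can be re-issued (Q1) and each application holds an unrelated template (Q2). The transform, feature vectors, threshold and names are constructed assumptions; this isometric H keeps matching in the transformed domain simple, but it is invertible by anyone holding the per-application seed, so that seed must be protected as a secret, and the slides' closing caveat about aligning representations applies to real biometric signals.

```python
import hashlib
import math
import random

# Assumed construction (not from the slides): H is a seeded permutation,
# sign flips and an offset, which is an exact Euclidean isometry, so a live
# reading can be matched against the stored H(x) without storing raw x.
DIM = 8  # length of the constructed biometric feature vector x

def make_transform(app_id, issue):
    """Derive H for one application and issue number.
    A new issue (Q1) or a new application (Q2) yields a different H."""
    rng = random.Random(hashlib.sha256(f"{app_id}:{issue}".encode()).digest())
    perm = list(range(DIM))
    rng.shuffle(perm)
    signs = [rng.choice((-1.0, 1.0)) for _ in range(DIM)]
    offset = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
    return perm, signs, offset

def transform(H, x):
    """H(x): permute, flip signs and shift; distances between vectors are preserved."""
    perm, signs, offset = H
    return [signs[i] * x[perm[i]] + offset[i] for i in range(DIM)]

def distance(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def matches(stored, H, probe, threshold):
    """Match a live reading in the transformed domain against the stored H(x)."""
    return distance(stored, transform(H, probe)) <= threshold

# Constructed readings: two noisy samples of user A and one sample of user B.
USER_A_ENROL = [0.9, 0.1, 0.4, 0.7, 0.2, 0.5, 0.8, 0.3]
USER_A_PROBE = [0.85, 0.15, 0.45, 0.65, 0.25, 0.5, 0.75, 0.35]
USER_B_PROBE = [0.2, 0.9, 0.6, 0.1, 0.8, 0.3, 0.1, 0.7]
THRESHOLD = 0.6  # constructed tolerance for the toy vectors above

def demo():
    """Returns (genuine accepted, impostor rejected, per-app templates differ, re-issued template differs)."""
    H_bank = make_transform("bank", issue=1)
    stored_bank = transform(H_bank, USER_A_ENROL)  # the database holds only this
    genuine = matches(stored_bank, H_bank, USER_A_PROBE, THRESHOLD)
    impostor = matches(stored_bank, H_bank, USER_B_PROBE, THRESHOLD)
    # Q2: another application derives its own H, so its template is unrelated
    stored_mail = transform(make_transform("mail", issue=1), USER_A_ENROL)
    # Q1: after a compromise the bank re-issues with issue=2 and revokes the old template
    stored_bank2 = transform(make_transform("bank", issue=2), USER_A_ENROL)
    return genuine, not impostor, stored_mail != stored_bank, stored_bank2 != stored_bank
```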
Solving Q3
Hide the key within the user's biometric template
Biometric key generation or binding
Bind a private key into the user's biometric information
Both key and biometric are inaccessible to the attacker
No biometric matching at all
Conclusion
Combining difficulties
Existing biometric authentication technologies are not perfect
Difficult to align the representations in the encrypted domain
There should be no systematic correlation between the identity and the key
Reference
Umut Uludag, Sharath Pankanti, Salil Prabhakar, and Anil K. Jain, "Biometric Cryptosystems: Issues and Challenges", Proceedings of the IEEE, 2004
Umut Uludag and Anil K. Jain, "Securing Fingerprint Template: Fuzzy Vault with Helper Data", Computer Vision and Pattern Recognition Workshop, 2006
http://www.crucialp.com/resources/tutorials/website-webpage-site-optimization/hacking-attacks-how-and-why.php
資安演習防護講義 (information security exercise defence lecture notes)
http://www.hacker.org.tw/?c=articles_show&articleid=882
http://www.gamez.com.tw/viewthread.php?tid=58607
http://www.symantec.com/region/tw/enterprise/article/todays_hack.html