Cancelable Biometrics - A Survey

In recent times Biometrics has emerged as a reliable, convenient and effective method of user authentication. However, with the increasing use of biometrics in several diverse applications, concerns about the privacy and security of biometric data contained in the database systems has increased. It is therefore imperative that Biometric systems instill confidence in the general public, by demonstrating that, these systems are robust, have low error rates and are tamper proof. In this context, Biometric template security and revocability becomes an important issue. Protecting a biometric template assumes extreme importance because unlike a password or token, which when compromised can easily be revoked or replaced, a biometric cannot be replaced, once it is compromised. Besides if the same biometric trait is used in multiple applications, a user can be potentially tracked from one application to the other by cross matching biometric databases. Cancelable biometrics attempts to solve this problem by constructing revocable biometric templates. This paper attempts to bring out the various methods followed by different researchers towards building such technology.


Published by: ijcsis on Jun 05, 2011
Copyright:Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 5, May 2011
Cancelable Biometrics – A Survey
Indira Chakravarthy
Associate Professor, Dept of Computer Science & Engg, Geethanjali College of Engg & Technology, Hyderabad, India, indira_sowmya@yahoo.co.in
Dr.VVSSS.Balaram
Prof & Head, Dept of Information Technology, SreeNidhi Institute of Science & Technology, Hyderabad, India, vbalaram@sreenidhi.edu.in
Dr.B.Eswara Reddy
Associate Professor & Head, Dept of CSE, Jawaharlal Nehru Technological University, Anantapur, India, eswarcsejntua@gmail.com
Abstract
In recent times Biometrics has emerged as a reliable, convenient and effective method of user authentication. However, with the increasing use of biometrics in several diverse applications, concerns about the privacy and security of biometric data contained in the database systems has increased. It is therefore imperative that Biometric systems instill confidence in the general public, by demonstrating that, these systems are robust, have low error rates and are tamper proof. In this context, Biometric template security and revocability becomes an important issue. Protecting a biometric template assumes extreme importance because unlike a password or token, which when compromised can easily be revoked or replaced, a biometric cannot be replaced, once it is compromised. Besides if the same biometric trait is used in multiple applications, a user can be potentially tracked from one application to the other by cross matching biometric databases. Cancelable biometrics attempts to solve this problem by constructing revocable biometric templates. This paper attempts to bring out the various methods followed by different researchers towards building such technology.
Keywords- Cancelable biometrics, biometric template, Salting, Biophasoring, Noninvertible transforms, Key binding, Key generation.
I. Introduction
Any biometric must in general fulfill the criteria of uniqueness, universality, acceptability, collectability and permanence. Permanence is a key feature for biometrics: a biometric must retain its features, in particular its uniqueness, unchanged or acceptably changed over the lifetime of the individual. However, this very feature of permanence has exposed biometrics to a new risk. Conventional authentication methods like passwords and tokens have one great advantage that biometrics do not have, viz., they can be cancelled and replaced by a newer version if ever they are lost or stolen. On the other hand, if biometric data is ever compromised from a database by unauthorized persons, the genuine owner will lose control over it forever and lose his/her identity [1]. This makes the biometric templates stored in the database stand out as a vulnerability of the authentication system.
A) A successful attack on the biometric template in the database can lead to the following risks:
i) The template can be replaced by an imposter's template to gain unauthorized access.
ii) A physical fake can be created from the template to gain access to the system as well as other systems which use the same biometric trait.
iii) The stolen template can be replayed to the matcher to gain unauthorized access [6].
B) Therefore the design of a biometric database should be such that it protects the biometric templates against the above vulnerabilities. Such a biometric template protection scheme should have the following four properties [9].
i) Diversity: The secure template must not allow cross matching across different databases. This property ensures privacy of the user's data.
ii) Revocability: It should be easy to revoke a compromised template and reissue a new template in its place using the same biometric. This property ensures cancelability.
iii) Security: It must be computationally impractical to obtain the original biometric template from the secure template. This property ensures that physical spoofing of the biometric is not possible from the stolen template.
iv) Performance: Using the secure template in place of the original should not degrade the performance of the system.
v) Intra user variability: The secure template should accommodate the intra user variability while acquiring and matching the biometric templates during the authentication process.
II. Template protection methods
http://sites.google.com/site/ijcsis/ ISSN 1947-5500
Template protection schemes can be divided into the following two categories [5]:
a) Feature transformation approach, which can be further divided into
   i) Biometric Salting
   ii) Non invertible transforms
b) Biometric cryptosystems, further categorized as
   i) Key binding
   ii) Key generation
Fig 1. Different approaches to template protection
Following sections detail the design of such schemes.
III. Feature transformation schemes
In this method a transformation function is applied to the original biometric and the transformed template is stored in the system's database instead of the original template. The parameters of the transformation function are typically derived from a random key supplied by the user [6]. Thus the transformed template is represented as F(T, K), where F represents the transformation function, T represents the original biometric template and K represents the user supplied parameter.
Fig 2 : Matching process with biometric transform scheme
Depending upon the characteristics of the transformation function F, the feature transformation schemes can be further categorized as follows:
A) Biometric Salting:
Biometric salting or Biohashing is similar to password salting in cryptography. In cryptographic salting the password 'P' of the user is concatenated with a pseudorandom string 'S', a hash is taken over the result, and the resulting hash H(P+S) is stored in the database. In biometric salting, auxiliary data like a password or user-specific random number is combined with the biometric data, and a transformation function is applied to this to derive a transformed version of the biometric template. Since the auxiliary data is externally derived and is user specific, if the template is ever compromised it can be easily changed and revoked by simply changing the auxiliary data. Additionally, since the templates can be different for different applications, if the template is compromised in one application it does not affect the security of other applications.

On the other hand, since the auxiliary information is user specified, the user has to remember this and present it at the time of authentication. Hence the security of the salting scheme is based on the secrecy of the key or password. Further, the transformation function is invertible, meaning that if an attacker gains access to the key and the transformed template, he/she can recover the original biometric template [5].

Teoh et al (2003) proposed a novel two factor authenticator based on iterated inner products between a tokenized pseudo-random number and the user specific fingerprint feature, which is generated from the integrated wavelet and Fourier–Mellin transform, and hence produced a set of user specific compact code that was coined as BioHashing. BioHashing was shown to be highly tolerant of data capture offsets, with the same user's fingerprint data resulting in highly correlated bitstrings. Moreover, there was no deterministic way to get the user specific code without having both the token with random data and the user fingerprint feature [35].

Savvides et al (2004) proposed a scheme that encrypts the training images used to synthesize the single minimum average correlation energy filter for biometric authentication for face recognition. Different templates can be obtained from the same biometric by varying the convolution kernels, thus enabling the cancelability of the templates. They showed theoretically that convolving the training images with any random convolution kernel prior to building the biometric filter does not change the resulting correlation output peak-to-sidelobe ratios, thus preserving the authentication performance. However, the security could be jeopardized via a deterministic deconvolution with a known random kernel [10].

An enhancement of cancelable correlation filter encryption was reported by Hirata and Takahashi (2009). It was shown that the security is heightened by applying the Number Theoretic Transform, a Fourier-like transform over a finite field, to the biometric data before random kernel convolution [3].

Teoh et al (2004, 2006) proposed the random multi-space quantization technique. Their technique extracts the most discriminative projections of the face template using Fisher discriminant analysis and then projects the obtained vectors on a randomly selected set of orthogonal directions [11]. This random projection defines the salting mechanism for the scheme. To account for intra-user variations, the feature vector obtained after random projection is binarized. The threshold for binarization is selected based on the criterion that the expected number of zeros in the template is equal to the expected number of ones, so as to maximize the entropy of the template. The security in this scheme is provided by the user-specific random projection matrix. If an adversary gains access to this matrix, she can obtain a coarse estimate of the biometric template [6].

A variant of BioHashing, known as Multistage Random Projection (MRP) (Teoh and Chong, 2007), was proposed to address the stolen-token performance issue. Both theoretical and experimental analysis showed that the performance regresses to the original system under the stolen-token scenario [3].

Lumini et al. (2007) improved the performance of BioHashing under the stolen-token scenario by utilizing different threshold values and fusing the scores. Their approach improves the base BioHashing in order to maintain a very low equal error rate when nobody steals the Hash key, and to reach good performance even when an "impostor" steals the Hash key.

Lu Leng et al (2005) proposed cancelable PalmCode generated from randomized Gabor filters for palmprint template protection [37].

Jeong et al (2006) proposed a biometric salting scheme for face recognition using an appearance based approach. In their method, an ICA (Independent Component Analysis) coefficient vector is extracted from an input face image. Some components of this vector are replaced randomly from a Gaussian distribution which reflects the original mean and variance of the components. Then the vector, with its components replaced, has its elements scrambled randomly. A new transformed face coefficient vector is generated by choosing the minimum or maximum component of multiple (two or more) differing cases of such transformed coefficient vectors. If this is compromised, a new feature vector can be generated by changing the permutation matrix.

Lee et al (2010) proposed a new method to generate cancelable bit-strings from fingerprint minutiae. Their method provides a simple means to generate cancelable templates without requiring pre-alignment of fingerprints. The main idea is to map the minutiae into a predefined 3 dimensional array which consists of small cells and find out which cells include minutiae. One of the minutiae is chosen as a reference minutia, and the other minutiae are translated and rotated in order to map them into the cells based on the position and orientation of the reference minutia. The cells in the 3D array are set to 1 if they include more than one minutia; otherwise the cells are set to 0. A 1D bit-string is generated by sequentially visiting the cells in the 3D array. The order of the 1D bit-string is permuted according to the type of reference minutia and the user's PIN so that new templates can be regenerated when needed. Finally, cancelable bit-strings are generated by changing the reference minutia into another minutia in turn [13].

However, the accuracy and vulnerabilities of existing biometric salting schemes need further justification (Kong et al., 2008).
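The salting idea described in this section, as an added sketch that is not code from the survey or from the cited papers: a token-seeded random orthonormal projection followed by binarization at zero, in the spirit of BioHashing and random multi-space quantization. The feature vectors, token strings and the 128-bit length are constructed assumptions, and the feature extraction step of the real schemes is skipped.

```python
import hashlib
import math
import random
from functools import lru_cache

@lru_cache(maxsize=None)
def projection_rows(token: bytes, n_bits: int, dim: int):
    """Token-seeded random orthonormal directions (Gram-Schmidt on Gaussian vectors)."""
    rng = random.Random(hashlib.sha256(token).digest())
    rows = []
    while len(rows) < n_bits:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for r in rows:  # remove components along directions already chosen
            dot = sum(a * b for a, b in zip(v, r))
            v = [a - dot * b for a, b in zip(v, r)]
        norm = math.sqrt(sum(a * a for a in v))
        if norm > 1e-9:
            rows.append(tuple(a / norm for a in v))
    return tuple(rows)

def biohash(features, token: bytes, n_bits: int = 128):
    """Project onto the token's directions, then binarize at 0 so that
    zeros and ones are equally likely for zero-mean projections."""
    if n_bits > len(features):
        raise ValueError("n_bits cannot exceed the feature dimension")
    rows = projection_rows(token, n_bits, len(features))
    return [1 if sum(a * b for a, b in zip(r, features)) > 0.0 else 0 for r in rows]

def hamming_fraction(a, b):
    """Fraction of differing bits; the matcher compares this to a threshold."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def demo():
    rng = random.Random(2011)  # constructed feature vectors, not real biometric data
    alice = [rng.gauss(0.0, 1.0) for _ in range(128)]
    alice_again = [x + rng.gauss(0.0, 0.15) for x in alice]  # intra-user variation
    mallory = [rng.gauss(0.0, 1.0) for _ in range(128)]
    stored = biohash(alice, b"token-v1")  # template kept in the database
    return {
        "genuine": hamming_fraction(stored, biohash(alice_again, b"token-v1")),
        "impostor_with_stolen_token": hamming_fraction(stored, biohash(mallory, b"token-v1")),
        "after_reissue": hamming_fraction(stored, biohash(alice_again, b"token-v2")),
    }

if __name__ == "__main__":
    for case, dist in demo().items():
        print(f"{case}: {dist:.3f}")
```

The genuine comparison stays close to 0, while the same user's template under a reissued token sits near 0.5 against the old one, which is the behaviour revocability and diversity require. The protection rests entirely on the token staying secret, as the section notes.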
B) Non-invertible Transforms:
In this scheme, a one-way, non-invertible function is applied to the original biometric to obtain the transformed biometric template. The transformation occurs in the same signal or feature space as the original biometric. The transformation function is so designed that it is easy to compute in polynomial time but difficult to invert. The parameters of the transformation function are defined by a key which must be available at the time of authentication to transform the query feature set. Since the function is non-invertible, even if this key is compromised, it is computationally impossible to invert the transformed template and arrive at the original biometric template. The transformation functions can be application as well as user specific, making the biometric highly revocable.

However, the main drawback of this approach is the trade-off between discriminability and non-invertibility of the transformation function. Discriminability means that the transformation function should be such that features from the same user have high similarity in the transformed space and features from different users are quite dissimilar after transformation. The non-invertibility feature ensures that it is difficult to obtain the original template from the transformed template. It is difficult to design transformation functions that satisfy both the discriminability and non-invertibility conditions simultaneously. Also, the transformation function depends on the biometric features to be used in a specific application.

The invertibility issue was addressed with BioPhasoring (Teoh et al., 2006, 2007). BioPhasor is a set of binary code based on iterated mixing between the user-specific tokenised pseudo-random number and the biometric feature. This method enables straightforward revocation of the biometric template via token replacement. The transformation is non-invertible and the BioPhasor is able to achieve an extremely low error rate compared to the original biometrics in the verification setting. The privacy invasion and non-revocable problems in biometrics could be resolved by revocation of the resulting feature through pseudo-random number replacement [13]. Nanni and Lumini (2008) presented a quantized underdetermined non-linear equation system as well as resampled and concatenation of long BioHash with random subspace technique. Other proposals that stem from the idea of user-specific random projection include random correlator (Chong et al., 2006), multiple high dimension random projection (Kim and Toh, 2007), shifted Random Orthonormal Transformation (Wang and Plataniotis, 2007), one-time face template (Lee et al., 2007), 2^n Discretization (Teoh et al., 2008), Preserving