
2008 10th Intl. Conf. on Control, Automation, Robotics and Vision
Hanoi, Vietnam, 17–20 December 2008

An Approach to Protect Private Key using Fingerprint Biometric Encryption Key in BioPKI based Security System

NGUYEN Thi Hoang Lan
Faculty of Information Technology
Hanoi University of Technology
Hanoi, Vietnam
Email: lannth@it-hut.edu.vn

NGUYEN Thi Thu Hang
Faculty of Information Technology
Hanoi University of Technology
Hanoi, Vietnam
Email: anhtranglunglinh14@yahoo.com

Abstract—In a traditional Public Key Infrastructure (PKI) system, the Private Key may be stored in a central database or distributed on smart cards and delivered to the users. The Private Key is usually protected by passwords, which are easily guessed or stolen, and this can lead to the collapse of the whole system. The current trend for PKI systems is to rely on physiological and behavioral characteristics of persons, known as biometrics. This approach can increase the security of the Private Key because, in theory, biometric features cannot be guessed or forged. However, this approach still leaves a gap: the vulnerability of the storage device that holds the Private Key and the biometric data. Malefactors can attack these storage devices directly and steal user identification information. In this paper, we propose a solution that uses a Biometric Encryption Key (BEK) to encrypt the Private Key and so protect both kinds of information in a secure way. We also present the BEK generation algorithm and the BioPKI system that supports this solution, and then we illustrate the experimental results.

Keywords—Biometric Security System, Cryptography, Fingerprint, Biometric Encryption Key (BEK), BioPKI system, User Authentication, Verification, Biometric sample, Biometric template.

I. INTRODUCTION

A PKI system is based on an asymmetric cryptography system in which each user has a pair of keys, one Private Key and one Public Key, for an application. The two keys are mathematically related, but one cannot be guessed or computed from the other. Users can use their Public Key to encrypt a message, and only the corresponding Private Key can decrypt the encrypted message, and vice versa. Nowadays, the Public Key Infrastructure (PKI) is common in e-transactions and has been integrated into many applications.

The most difficult and crucial problem in a PKI system is Private Key protection. The security of the Private Key almost decides the security of the PKI system as well as the reliability of digital signature or message encryption applications. When the Private Key is protected by a six-to-eight-character password, its level of security is reduced dramatically, because a person may use the same password for his e-mail account, his network logon, his on-line banking account, or his office access privilege. Therefore, his password can easily be revealed to inappropriate users. Moreover, a password only ensures that the authenticated person knows the password; it does not necessarily mean that he is the right person. True personal authentication can only be achieved through biometrics [1, 4, 5, 7, and 9].

Biometrics are physiological or behavioral characteristics of humans such as fingerprint, hand geometry, face, retina, iris, palm print, voice, signature, and DNA [2, 6], which are usually used in automated person recognition systems. Numerous researchers have studied and developed strong combinations of the two emerging technologies, biometrics and cryptography, in security applications. Specifically, the combination of biometrics and PKI into one framework is called a BioPKI system [8]. However, there are still many challenges for BioPKI technology. Although biometrics is a secure way to authenticate the Private Key, how can we guard against the theft of the biometric data and the Private Key directly at the place of storage? To solve that problem, in this paper we propose a solution that uses a Biometric Encryption Key (BEK) to protect the Private Key in BioPKI systems, and we also propose a BEK generation algorithm to implement this solution. We use a BEK that is generated from the fingerprint biometrics of a user to encrypt that user's Private Key. At the place of storage, we store only the encrypted Private Key and the hash values of the BEK, so that no one can steal this important information and therefore no forgery can be made.

The paper is organized as follows: section 1 introduces the problem; section 2 presents in detail the BEK generation algorithm; section 3 presents the solution of using the BEK to protect the Private Key, its illustration in the BK-BioPKI system, which is implemented and developed at our laboratory, and our experimental results. Finally, section 5 is the discussion and conclusion.

978-1-4244-2287-6/08/$25.00 © 2008 IEEE. ICARCV 2008
II. BIOMETRIC ENCRYPTION KEY GENERATION ALGORITHM

In this section, we present in detail the BEK generation algorithm.

A. Acquirement and Feature Extraction

We use the fingerprint's local features, the minutiae points, to generate the BEKs. In practical situations, signal acquisition is not perfect: it causes extraneous variations in the acquired biometric signal, and moreover the signal is not deterministic. The ridge structures in poor-quality fingerprint images are not always well defined, and hence they cannot be detected correctly. In order to ensure that the performance of the minutiae extraction algorithm is robust with respect to the quality of the input digital fingerprint images, an enhancement algorithm that can improve the clarity of the ridge structures is necessary [10]. In addition, to obtain a more correct result, the acquisition of the person's fingerprint should be repeated L times. We then have L fingerprint biometric templates and L sets of minutiae points.

• Fingerprint enhancement

The purpose of this task is to remove the undesired noise and preserve the true ridge and furrow structures. We need to concentrate on the most important properties of fingerprint images: orientation and frequency. A common way to do this is to use a band-pass filter that is tuned to the corresponding frequency and orientation. Gabor filters have both frequency-selective and orientation-selective properties and have optimal joint resolution in both the spatial and frequency domains. Therefore, it is suitable to use Gabor filters as band-pass filters to remove the noise and preserve the true ridge/valley structures [10].

The even-symmetric Gabor filter has the general form:

$$H(x, y : \phi, f) = \exp\left\{ -\frac{1}{2} \left[ \frac{(x\cos\phi)^2}{\delta_x^2} + \frac{(y\cos\phi)^2}{\delta_y^2} \right] \right\} \cos(2\pi f x\cos\phi) \tag{1}$$

where $\phi$ is the orientation of the Gabor filter, $f$ is the frequency of a sinusoidal plane wave, and $\delta_x$ and $\delta_y$ are the space constants of the Gaussian envelope along the x and y axes, respectively [11].

• Feature extraction

Various methods of fingerprint feature extraction and recognition have been proposed [2, 5, and 9]. We have developed the algorithms presented in [5]. The main steps of minutiae extraction are the following: locate the fingerprint centre, extract the minutiae points, and create the final set of minutiae. After locating the centre point, we create a coordinate system for the fingerprint in which the centre point is the origin. We then find the reference point, which is the minutiae point nearest to the centre point. These two points define the horizontal axis (x-axis) of the coordinate system. The next step is quantizing the coordinates and re-computing the positions of the minutiae points. The important problem is to determine the position of the centre, or core point, of the fingerprint image. The centre point must not be affected by any translation or rotation of the fingerprint image. Three popular methods are [5]: the method based on the minutiae gravity center, the method based on Ridge Count (RC), and the method based on the Orientation Field (OF). We used the method based on ridge count.

In each fingerprint image we find a set of minutiae points; in practice the set has about 70-80 minutiae. Each minutia point of the i-th fingerprint image template (i = 1...L), with number of minutiae $n_i$ (j = 1…$n_i$), is represented as follows:

$$P_{ij} = (x_i^j, y_i^j) \tag{2}$$

where $(x_i^j, y_i^j)$ are the coordinates of the minutia $P_{ij}$.

After L repetitions of fingerprint acquisition and minutiae extraction, we create the final set of k minutiae points, which are the highest-probability minutiae points in the L sets, to generate the BEK set. The value of k can be chosen (based on experience) as follows:

$$12 \le k \le 20 \tag{3}$$

The output of feature extraction is the set:

$$P_{ij} = \{ P_i \mid P_L = (x_i^j, y_i^j),\ i = 1 \ldots n_P \} \tag{4}$$

B. Biometric Encryption Key Generation

Based on the idea presented in [5], this set of minutiae points is used to generate a set of BEKs for each person. If the minutiae set has k points, the size of the BEK set is computed as:

$$\mathit{NrCombination} = C_k^m \tag{5}$$

where the parameter m is chosen based on practical experience. The BEK set K is then:

$$K = \{ K_r \mid r = 1 \ldots \mathit{NrCombination} \} \tag{6}$$

C. Hash Computation

The BEK set K is hashed with a hash function h. The components $K_r$ of the set are taken as the input of the hash function h. After the computation of all hashes, the output set is:

$$H = \{ h(K_r) \mid K_r \in K \} \tag{7}$$

where H is the whole set of hash values of all BEK items from the set K.

In H, only the hash values of the respective BEKs are saved. The position of an item in H corresponds to the position of the item in K. The set H again has NrCombination components.

D. Private Key Encryption and Certificate Creation

Each key $K_r$ of the BEK set K is used to encrypt the Private Key P as the cipher C:

$$g : P \xrightarrow{K_r} C, \qquad C = g_{K_r}(P) \tag{8}$$

where g denotes the encryption process of symmetric cryptography.
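Steps B to D above, together with the hash-match retrieval that Section III.A describes, as an added Python example; it is not the authors' C++/OpenSSL implementation. Assumptions made here: the grid step, m = 9, the way a BEK is derived from a minutiae subset, and all sample data are constructed, and SHA-256 with an XOR keystream stands in for the MD5 and DES that the paper names.

```python
import hashlib
from itertools import combinations

GRID = 8   # assumed quantisation step (pixels); the paper gives no value
M = 9      # assumed subset size m; the paper chooses m from experience

def quantize(points, step=GRID):
    """Quantise centre-relative minutiae coordinates; sorted, duplicates merged."""
    return sorted({(round(x / step), round(y / step)) for x, y in points})

def derive_bek(subset):
    """Assumed derivation of one BEK K_r from an ordered m-subset of minutiae."""
    raw = b"".join(c.to_bytes(2, "big", signed=True) for p in subset for c in p)
    return hashlib.sha256(b"BEK" + raw).digest()

def h(bek):
    """Hash stored in H (SHA-256 here; the paper's implementation uses MD5)."""
    return hashlib.sha256(b"H" + bek).digest()

def g(bek, data):
    """Stand-in for the symmetric cipher g (the paper uses DES): XOR with a
    SHA-256 counter keystream, so the same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(bek + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def enroll(points, private_key):
    """Build H and S (Eq. 7 and 9); K and the private key are not returned."""
    H, S = [], []
    for subset in combinations(quantize(points), M):
        bek = derive_bek(subset)
        H.append(h(bek))
        S.append(g(bek, private_key))
    return H, S

def retrieve(points, H, S):
    """Generate BEKs one at a time from a fresh capture; stop at the first
    hash found in H and decrypt the entry of S at the same position."""
    position = {digest: r for r, digest in enumerate(H)}
    for subset in combinations(quantize(points), M):
        bek = derive_bek(subset)
        r = position.get(h(bek))
        if r is not None:
            return g(bek, S[r])
    return None  # no match: private key retrieval fails

# Constructed sample data: 12 minutiae relative to the centre point.
ENROLLED = [(-40, 16), (-24, -32), (-8, 48), (0, -16), (8, 24), (16, -48),
            (24, 8), (32, 40), (40, -24), (48, 0), (-48, -8), (-16, 32)]
# Fresh capture: 10 points re-detected with small jitter, 2 spurious points.
FRESH = [(x + 2, y - 3) for x, y in ENROLLED[:10]] + [(96, 96), (-96, 80)]
# Different finger: no quantised point in common with the enrolled set.
OTHER = [(x + 64, y + 64) for x, y in ENROLLED]
PRIVATE_KEY = b"-----constructed private key bytes-----"

if __name__ == "__main__":
    H, S = enroll(ENROLLED, PRIVATE_KEY)
    print(len(H), "stored pairs")
    print(retrieve(FRESH, H, S) == PRIVATE_KEY)
    print(retrieve(OTHER, H, S))
```

With 10 of the 12 enrolled points re-detected, 10 of the 220 subsets of the fresh capture hash to a stored value, and retrieval stops at the first one; a capture that shares fewer than m quantised points with the enrolled set finds no match.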
Using equations (5) and (6) we can generate the following set:

$$S = \{ g_{K_r}(P) \mid K_r \in K,\ r = 1 \ldots \mathit{NrCombination} \} \tag{9}$$

The set S again has NrCombination components. The position of item $S_r$ in S corresponds to the position of item $H_r$ in H and K. On the one hand, the two sets H and S are stored in the database at the client PC. On the other hand, the set H can also be included in the "extension" part of the standard X509 certificate to increase the security of the user authentication process. The "extension" part of the certificate looks as follows:

$$\mathit{Ext} = \{ \mathit{id}, \mathit{false}, (H_r \mid H_r \in H,\ r = 1 \ldots \mathit{NrCombination}) \} \tag{10}$$

III. BIOPKI SYSTEM USING BIOMETRIC ENCRYPTION KEY TO PROTECT PRIVATE KEY

Nowadays, a number of approaches to combining cryptography with biometrics have been studied and developed [3, 12]. In this section, we present in detail our proposed BioPKI system, which uses the BEK set to encrypt the Private Key.

A. The Authentication Algorithm using Biometric Encryption Key to Protect Private Key

In Figure 1, we present our BioPKI system as the solution that uses the Biometric Encryption Key to protect the Private Key. The operation of the biometric security system consists of an enrollment phase and a verification phase. The system takes online live fingerprint images as biometric samples. At present we use Futronic's FS80 USB2.0 scanner to acquire the online fingerprint images.

Figure 1. Schematic diagram of the algorithm using Biometric Encryption Key to protect Private Key in BioPKI System

In the enrollment phase, the BEK generation algorithm is used to create the BEK set K from the acquired fingerprint image (see Eq. 6). We then use this set of Biometric Keys to encrypt the Private Key; the result of this step is a set P of Encrypted Private Keys (see Eq. 8). After the Private Key has been encrypted, the set K is hashed into the corresponding set H. All three sets H, K, P have the same number of components. At the end of the enrollment phase, both the Private Key and the BEK are discarded. The encrypted Private Key set and the hashed value set of the BEK provide excellent privacy protection and can be stored either in a database or locally (smart card, token, laptop, cell phone, etc.). In addition, the biometric information is also included in certificates.

In the verification phase, the certificate is authenticated. The user presents her fresh fingerprint image, which is used to generate the BEKs in succession. These BEKs are also hashed in succession. Each hashed BEK, as it is created, is compared with the stored hashed BEK value set. If there is a good match, we use the BEK corresponding to this hashed BEK value to decrypt the corresponding encrypted Private Key in the stored encrypted Private Key set, and we stop the process of generating BEKs. If there is no match, the process of retrieving the Private Key fails. At the end of verification, the fresh fingerprint and the BEK set are discarded once again, and the Private Key is released in the case of successful authentication.

With this solution, we can eliminate the vulnerability of the storage of the biometric data and the Private Key.

B. BioPKI Framework and Implementation

In this section, we propose a BioPKI framework, called BK-BioPKI, in which the biometric authentication algorithm using the Biometric Encryption Key is implemented to protect the Private Key. The BK-BioPKI framework is shown in Figure 2.

Figure 2. BK-BioPKI framework

The BK-BioPKI system is a PKI system with a single-CA architecture that uses the fingerprint biometric to authenticate users and protect Private Keys. The system provides each user with a pair of keys, a Private Key and a Public Key, so that the user
can use one of the keys to decrypt a message that was encrypted with the other key. The Private Key is kept by the user, while the Public Key is published on the Internet. The CA (Certificate Authorization) is the most important component of the PKI system; it certifies the validity of a Public Key and binds each Public Key to the corresponding user by issuing certificates. It is also responsible for managing certificates, revoking certificates, and extending the validity period of certificates. Another component of PKI is the RA (Registration Authorization). The RA is created to help the CA check the validity of the information that users submit when they request a certificate. At present the RA component is implemented at the client PC (RA-Users). Many applications can be built on the infrastructure of the BioPKI system, for example: Digital Signature, Message Encryption or Network Access Control…

The integration model of the BK-BioPKI system is illustrated in Figure 3. The biometric security system is integrated into the RA-Users of the BioPKI system. The main process of the BK-BioPKI framework is as follows:

• Certificate Request:

- Create account and log in to the system: To create a certificate, users need to create an account to log in to the system.
- Provide information: When the user has logged in, at the client PC, the user needs to provide his identification information such as full name, email address, telephone number… and scan his fingerprint in order to request a certificate.
- Generate a Key pair: A pair of Public Key and Private Key is generated at the client PC.
- Extract Biometric Feature: The acquired fingerprint passes through several steps of image processing: enhancement, thinning, feature extraction. After that, a set of minutiae points is specified.
- Generate Fingerprint Encryption Key (BEK): We use this set of minutiae points to generate the set of BEKs.
- Hash the BEK set: Using the MD5 algorithm, the BEK set K is hashed. The hashed values of the BEK set are stored in the database at the client PC so that users' biometric data will not be stolen.
- Encrypt and Store: Using the DES algorithm, the Private Key is encrypted by the BEK set K. The encrypted Private Key set is then also saved in the database at the client PC.
- Identification information and the Public Key are sent to the CA to request a certificate.

• Private Key Retrieval:

When a user wants to retrieve his Private Key, he is asked to scan his fingerprint, and the minutiae set is extracted by the same algorithm as in the enrollment process. The same key generation and hash algorithms as those used in the enrollment process are used to generate and hash the BEKs. However, this step differs slightly: the BEKs are generated and hashed one after the other. Each BEK that is generated and hashed is compared with the hashed values stored in the client's database. If there is a match between this hashed value and one of those stored in the user's database, we can use the corresponding BEK to decrypt the encrypted Private Key. After the Private Key is decrypted, it need not be presented to the user. It can be used immediately by the targeted application.

Figure 3. Integration Model

C. Experimental Results

We have implemented the BK-BioPKI system using the C++ language and the OpenSSL library on our laboratory network so that we could experiment with and prove the correctness of the above BEK-based Private Key protection algorithm. In our implementation of the BK-BioPKI system, we refer to the X509 certificate standard and the OpenSSL encryption library [11]. We have tested the whole system on two types of fingerprint image: a fingerprint image database and live fingerprint images acquired by the Futronic FS82 USB 2.0 scanner.

The first results are promising. In the following we present the experimental results for the two cases:

• The experiment result with the FVC 2004 fingerprint image database (Fingerprint Verification Competition 2004), downloaded from the website http://bias.csr.unibo.it/fvc2004.

This database has 100 different types of fingerprint, in which each type of fingerprint has 8 different images with 8 different conditions of scanning:

- Type 1: The finger was placed with deviation from the center and placed lightly.
- Type 2: The finger was placed at the right of the center, but placed lightly.
- Type 3: The finger was placed in the standard position, and placed moderately.
- Type 4: The fingerprint contacted the scanner unequally, with the inclination toward the fingertip.
- Type 5: The fingerprint contacted the scanner unequally, with the inclination toward the finger-end.
- Type 6: The finger was placed askew.
- Type 7: The finger was dry and the image was dim.
- Type 8: The finger was wet and the image was blurred.

Table 1 shows the experiment results with the above database using FRR (False Rejection Rate) and FAR (False Acceptance Rate). For FRR, one type of fingerprint was verified against the other image types of the same fingerprint. For FAR, the experiment was done on individual types: each image was verified against the other images of the same type.

TABLE 1. EXPERIMENT RESULT WITH FVC DATABASE.

Image Type    False Acceptance Rate FAR (%)    False Rejection Rate FRR (%)
Type 1        20                               20
Type 2        20                               20
Type 3        15                               15
Type 4        20                               60
Type 5        20                               60
Type 6        10                               80
Type 7        30                               40
Type 8        40                               40

• The experiment result with live fingerprint

This experiment used live fingerprints acquired by the Futronic FS82 USB 2.0 Fingerprint scanner, which has the following specifications: "Fingerprint scanning window size is 16x24mm; Image resolution is 480x320 pixel, 500 DPI; Raw fingerprint image file size is 150K byte; with Live Finger Detection (LFD)". This is a simple, low-priced scanner. It provides only fingerprint images in *.bmp format and is not accompanied by image processing software.

In this experiment, 130 different people were asked to scan a finger 10 times. All the images were scanned to a high standard: the finger was placed at the center of the scanner and placed moderately. There are in total 1300 fingerprint images. This experiment measures both the FRR (False Rejection Rate) and the FAR (False Acceptance Rate). For FRR, one fingerprint of one person was verified against the rest of 4 images of the same person. For FAR, each image of one person was verified against the fingerprints of other people. The experiment result is shown in Table 2.

TABLE 2. EXPERIMENT RESULT WITH THE ONLINE LIVE FINGERPRINTS ACQUIRED BY THE FS82 USB 2.0 SCANNER.

Number of Images    False Acceptance Rate FAR (%)    False Rejection Rate FRR (%)
1300                20                               30

IV. DISCUSSION AND CONCLUSION

In this paper, we present an approach to protect the Private Key using a Fingerprint Biometric Encryption Key in a BioPKI System. We have proposed a solution for the BioPKI system in which Biometric Encryption Keys (BEKs) are generated and used to encrypt and protect Private Keys. The proposed algorithm and our BK-BioPKI system have been effectively implemented at our laboratory. The first experiment results show that by using the Fingerprint Encryption Key, the Private Key can be securely and well protected. In fact, the accuracy of our solution depends strongly on the accuracy of the centre point locating algorithm. In our experiment, we use the Ridge Count algorithm [5], in which the centre point is specified correctly only when the fingerprint is scanned exactly. Inclination of the fingerprint when it is scanned leads to a translation of the centre point. So we implemented an automatic calibration process for the acquired live fingerprint images to improve the solution. The results are encouraging. With the facility of a modern fingerprint scanner device, our solution could attain a level of accuracy of more than 70%, or a sum of FRR (False Rejection Rate) and FAR (False Acceptance Rate) of just less than 30%.

However, these are only the first experiments for the solution. We have to continue to improve and develop the BioPKI system in real situations beyond the scale of the laboratory.

ACKNOWLEDGMENT

The paper is supported by the National Project of the BioPKI based Security System in collaboration with the Malaysia Multimedia University. We would like to thank our college for helpful discussions and collaborations.

REFERENCES

[1] Anil K. Jain and Arun Ross, "Multibiometric Systems", Communications of the ACM, Vol. 47, No. 1, 2004.
[2] K. Delac, M. Grgic, "A survey of biometric recognition methods", 46th International Symposium Electronics in Marine, ELMAR-2004, Zadar, Croatia, pp. 1-6, June 2004.
[3] F. Hao, R. Anderson, J. Daugman, "Combining cryptography with biometrics effectively", Computer Laboratory - University of Cambridge, No. 640, 7-2005.
[4] F. Hao, C.W. Chan, "Private key generation from on-line handwritten signatures", Information Management & Computer Security - Nanyang Technological University, Singapore, 2002.
[5] Martin Drahanský, "Biometric Security System Fingerprint Recognition Technology", PhD thesis, Brno University of Technology, Czech Republic, March 2005.
[6] Michael Goh Kah Ong, Tee Comie, Andrew Teoh Beng Jin, David Ngo Chek Ling, "An automated palmprint recognition system", Journal of Image Vision Computing, No. 23, pp. 501-515, Jan. 2005.
[7] Uludag, Anil K. Jain et al., "Biometric Cryptosystems: Issues and Challenges", Proceedings of the IEEE, Vol. 92, No. 6, pp. 948-960, June 2004.
[8] Yoshifumi Ueshige, "A Study on Biometrics Authentication in BioPKI", Institute of Systems & Information Technologies, KYUSHU, 2005.
[9] D. Maltoni, D. Maio, A.K. Jain, S. Prabhakar, Handbook of Fingerprint Recognition, Springer, New York, 2003.
[10] Lin Hong, Yifei Wan, Anil Jain, "Fingerprint Image Enhancement: Algorithm and Performance Evaluation", IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 20, no. 8, pp. 777-789, May 1998.
[11] OpenSSL, http://www.openssl.org
[12] PhD Alex Stoianow, PhD Ann Cavoukian, "Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy", Information and Privacy Commissioner/Ontario, March 2007.
