Private Eyes: Secure Remote Biometric Authentication

Ewa Syta, Michael J. Fischer, David Wolinsky, Abraham Silberschatz, Gina Gallegos-Garcia, Bryan Ford

2015

Abstract

We propose an efficient remote biometric authentication protocol that gives strong protection to the user's biometric data in case of two common kinds of security breaches: (1) loss or theft of the user's token (smart card, handheld device, etc.), giving the attacker full access to any secrets embedded within it; (2) total penetration of the server. Only if both client and server are simultaneously compromised is the user's biometric data vulnerable to exposure. The protocol works by encrypting the user's biometric template in a way that allows it to be used for authentication without being decrypted by either token or server. Further, the encrypted template never leaves the token, and only the server has the information that would enable it to be decrypted. We have implemented our protocol using two iris recognition libraries and evaluated its performance. The overall efficiency and recognition performance are essentially the same as those of an unprotected biometric system.


Paper Citation


in Harvard Style

Syta E., Fischer M. J., Wolinsky D., Silberschatz A., Gallegos-Garcia G. and Ford B. (2015). Private Eyes: Secure Remote Biometric Authentication. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 243-250. DOI: 10.5220/0005539602430250


in Bibtex Style

@conference{secrypt15,
author={Ewa Syta and Michael J. Fischer and David Wolinsky and Abraham Silberschatz and Gina Gallegos-Garcia and Bryan Ford},
title={Private Eyes: Secure Remote Biometric Authentication},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={243-250},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005539602430250},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Private Eyes: Secure Remote Biometric Authentication
SN - 978-989-758-117-5
AU - Syta E.
AU - Fischer M. J.
AU - Wolinsky D.
AU - Silberschatz A.
AU - Gallegos-Garcia G.
AU - Ford B.
PY - 2015
SP - 243
EP - 250
DO - 10.5220/0005539602430250