How Ti Secure Biometric Templates

How secure are biometric templates?

Maintaining the security of the biometric templates is of utmost importance as any attack on the biometric templates can lead to a failure of the biometric system.

So what happens if a user's biometric template gets stolen or hacked into? From a general standpoint, the hacker cannot do much with a series of zeroes and ones or a probability curve. It's not straightforward as stealing a user's credit card.

Also, biometric device vendors use one-way encoding of biometric data in their devices. This means the template cannot be used to reconstruct the original biometric pattern.

Biometric templates are more secure than other traditional authentication systems, such as the token –based and knowledge-based systems. However, at a deeper technical level, biometric templates, just like any other technology, are also prone to failures and hacking.

The vulnerabilities of biometric templates are listed below:

A template can be replaced by an impostor's template.
A physical spoof can be created from the original template.
The stolen template can be relayed to the matching module to gain unauthorized access to the system.
If not properly secured, biometric templates can be used by adversaries to cross-match across different databases to covertly track a person without their consent.

How to secure biometric templates?

The major challenge in designing a biometric protection scheme is that it should be able to handle intrauser variability in the acquired biometric identifiers.

A robust biometric template protection scheme which is capable of handling intrauser variability should ideally have the following four properties.

Properties of secured biometric templates

Diversity

A stolen fingerprint template from a bank's database can be used to search a criminal database or cross-link to a user's health records. To stop such unauthorized access, secure biometric templates should not allow cross-matching across databases. Hence user's privacy is protected.

Revocability

If a biometric template gets compromised, it should be straightforward to revoke the template and generate a new one based on the same biometric trait.

Security

The biometric template protection scheme should use one-way encoding for the biometric data thus making it computationally difficult to reconstruct the biometric pattern from a stolen template. This will also prevent a hacker from creating a physical spoof of the biometric trait.

Performance

The performance of the biometric system should not get degraded due to the biometric template protection scheme.

Biometric template protection techniques

Let us look at the different biometric template protection techniques to prevent adversary attacks on biometric templates. The diagram given below shows the different categories of Biometric Template Protection schemes.

Figure: Categories of biometric template protection schemes

Feature transformation approach

In the feature transformation approach, the acquired biometric template is transformed using a transformation function and only the transformed template is stored in the database. The same transformation function will also be used to transform the query and then will be matched against the transformed template in the database. The parameters of the transformation function are usually derived from a random key or password.

The feature transformation approach is further sub-divided into two categories, depending on the characteristics of the transformation function – Bio-hashing or salting and Noninvertible transform. In salting, the transformation function is invertible which means the original template can be restored if one can gain access to the key and the transformed template. Hence, the security of the salting scheme is dependent on the key or password.

On the other hand, noninvertible transformation as the name suggests is not invertible. It is a one-way function which makes it computationally difficult to invert a transformed template to the original template even if the key is known.

Biometric cryptosystem

In this template protection scheme, helper data is stored. Helper data is some public information about the biometric template and does not reveal any significant information about the stored template. Biometric cryptosystems are also known as helper data protection methods. The helper data is required to extract a cryptographic key from the query biometric template and then matching is performed indirectly by verifying the validity of the extracted cryptographic key. Error coding techniques will be typically used to handle the intrauser variations.

Depending on how the helper data is obtained, biometric cryptosystems are further classified into two categories: key binding and key generation systems. In key binding biometric cryptosystem, the helper data is obtained by binding a key with the biometric template. It is difficult to obtain either the key or the original template using only the helper data. Hence, security of stored templates is maintained. In a key generation biometric cryptosystem, the helper data is derived only from the biometric template and the key is generated from the helper data and the query biometric features.

When one or more template protection approaches are used, it is known as hybrid template protection scheme.

Let us look at each of the template protection schemes in further detail and their advantages that make biometric templates extremely secure and robust.

Salting or bio-hashing

In salting or biohashing, the features from a biometric template are transformed using a transformation function defined by a cryptographic key or password. This key or password is specified by the user. This key needs to be securely stored and remembered by the user for future authentication. This additional requirement of remembering the key increases the entropy of the biometric template and makes it difficult for the hacker to reconstruct the original template.

The advantage to using a key results in lower false acceptance rates. Also, since the key is user-specific multiple templates can be generated for the same user by using different keys. If a template gets stolen, a new template can be generated easily by using a different user-specific key and the compromised template can be revoked.

Noninvertible transform

In noninvertible transform, a one-way function is used to secure the biometric template. This one-way function is easy to compute but very hard to invert. The parameters of the transformation function are defined by a key and it must be present at the time of authentication. With this approach, the hacker cannot recover the original template even if he has the stolen key and the transformed template because it is computationally difficult.

The noninvertible transform protection scheme provides better security as compared to the salting approach, since the original template cannot be recovered even when the key is compromised. Diversity and revocability can be achieved by using application-specific and user-specific transformations respectively.

Noninvertible transformation functions leave the biometric template in the original space even after the transformation. In this approach, intrauser variations are handled by applying the same biometric matcher on the transformed features as on the original feature set. Templates that lie in the same feature space even after the application of a transformation function are referred to as cancellable templates. Three noninvertible transformation functions can be used to generate cancellable fingerprint templates – Cartesian, poplar and functional. These functions can be used to transform fingerprint minutiae data such that a minutiae matcher can still be applied to the transformed minutiae. In Cartesian transformation, the fingerprint image is projected as a rectangular grid and each cell is shifted to a new position in the grid corresponding to the translations set by the key. The poplar transformation is similar to Cartesian transformation except that the image is now tessellated into a number of shells and each shell is divided into sectors. These sectors can be varying in size and restrictions are placed on the translation vector generated from the key so that the radial distance of the transformed sector is not very different than the radial distance of the original position.

In all the three transforms, it is quite possible that two or more minutiae can map to the same point in the transformed domain. In the Cartesian transformation, two or more cells can be mapped onto a single cell. The upside to this is even if an adversary knows the key and hence the transformation between cells, he still cannot figure out the original cell to which a minutia belongs. So the transform becomes noninvertible and deters hackers.

Key-binding biometric cryptosystem

In this template protection scheme, the biometric template is secured by binding it with a cryptographic key. This is then stored as a single entity in the templates database as helper data. This helper data is usually a combination of an error correcting code and the biometric template. This helper data does not reveal much information about the key or the template and it is computationally infeasible to decode the key or the biometric template without knowing the user's biometric data.

The advantage of this approach is that it is tolerant to intrauser variations in biometric data.

Key generating biometric cryptosystem

In this approach, the cryptographic key is derived directly from the biometric data. There are two key generation techniques – secure sketches and fuzzy extractors. The secure sketch is helper data that provides some information about the biometric template which is sufficient enough to exactly reconstruct the template when presented with a query that is close to the template. The fuzzy extractor generates a cryptographic key from the biometric features. The idea of directly generating cryptographic key from biometrics seems a very appealing template protection technique and can also be very useful in cryptographic applications.