Cancellable Biometrics CSE666 Biometrics Measurable verifiable and unique physical characteristic or behavioral trait of an individual Database Enrolment Feature Extraction Acquisition Matcher Individual Feature Extraction Outcome Security and Privacy Issues Attacks on the biometric Attacks on the Authentication System Spoofing Replay Attack Fake biometric gummy finger face image Injecting templates in input by circumventing sensor Tampering Substitution Altering feature sets to obtain high scores Replacing the template in the database Stealing Overriding Acquiring the original template database network Altering Yes No response from system Trojan Horse Replacing system component with malicious program Research Directions Liveness detection Biometric Encryption Cancelable Biometrics Challenges Biometric Variance Samples from same user change with time Inconsistent Presentation fingers placed differently pressure applied Irreproducible Presentation Glasses moustache cuts bruises Imperfect Representation Unordered slight change in signal sensors Biometric Matching Score probability based 0 1 Securing Biometrics Securing Biometrics Original space p1 p2 Hash space p1 h p2 Comparison with plaintext Avalanche Effect input is changed slightly the output changes significantly Example Rumplestiltskin Rmpetltkn Secret Drop chars at 2 5 7 9 12 14 Can it be inverted to the secret Rmpetltkn Rmpetltkn Drop chars at 2 5 7 9 12 14 Can it be inverted to the secret Noisy Situation Rmplestilskin Rplsiskn Match Secret Rmpetltkn Drop chars at 2 5 7 9 12 14 Properties Repeatable Different instances of the biometric sample from the same user should produce the same key Security The key has to be non invertible The key should not leak information about the template or the user Properties Discriminability Samples from different individuals should produce different keys Cancelability Keys could be cancelled Reusability Keys can be reissued easily Secure Biometrics Security Less susceptible to security attacks Compliance with privacy laws Cancelability revoked if compromised reissued easily Anonymity Removing true identity from the biometric No retention of original biometric Multiplicity Use of single biometric for multiple accounts Cannot be cross verified or identified SCAM Properties Farooq et al 2007 Existing Methods Philosophy I Generate stable representation of biometrics Use conventional security algorithms Perform matching in encrypted domain Philosophy II Cannot generate reproducible representations Devise non invertible transforms Perform matching in new domain Existing Methods Biometric Encryption I Error Correcting Codes I Fuzzy Schemes I Non invertible Transforms II Others I II Existing Approaches Davida Frankel Matt 1998 use error correcting codes features should be ordered Biometric encryption Soutar et al 1998 use filters for Fourier transform of fingerprint image translation is accounted for but not rotation example of such filters for face verification Existing Approaches Ratha Connell Bolle 2001 polynomial transform need alignment Existing Approaches Fuzzy vault Juels Sudan 2002 Applications to fingerprints Clancy et al 2003 p x k n x n k0 Limitation Features should have similar values does not account for global image transformations Chaff points Secret k Locking set of points Database Reconstruct polynomial Unlocking set of points Auxilliary Data Additional Data to facilitate alignment Helper Data Systems Orientation Field Flow Curves Tuyls et al 03 04 05 Polynomial Projection Uludag and Jain 06 Error Correcting Codes Error correcting codes were designed to restore possibly corrupt data a1 ak an data symbols d n k codes check symbols designed minimum distance of the code Valid codes in n dimensional code space d d 1 2 Recoverable subset of codes Error Correcting Codes for Biometrics Davida et al 1998 a1 ak original biometric data ak 1 an error correcting codes h a1 ak some hash of original biometric data Instead of original data keep error correcting code data and hash in the database Matching a1 ak ak 1 an a1 ak h a1 ak h a1 a k perform error correction and get Verify Random Multispace Quantization Teoh et al 2006 Use biometrics represented by a fixed feature vector e g face projections by PCA LDA FDA Project onto multiple random subspaces derived from external input key b b Rk b If dimension of projection space is less than the dimension of original space the transformation is non invertible Variation For binary templates discard some bits and make XOR with random vector Advantages Actual biometric not stored Auxiliary information increases inter user variation Error rates low if key is not stolen Easy to generate revoke reissue Disadvantages Alignment of query and template an issue Case when key is stolen Multiplicity attacks still succeed Biometric Hardening Monrose et al 99 01 01 02 Reminiscent to password salting Password Hardened Password Biometric The security improvements are questionable lost key Transforms Non invertible transforms of biometrics Key based and keyless systems proposed Enrolment Verification Ft x T k Gt x Ft x T k Gt x Transforms Advantages Compatible with standard representations Security Cancelability Anonymity Multiplicity Disadvantages Some methods require registration Key less systems usually have low accuracies Surface Folding X x K G x y K cos F x y Y y K G x y K sin F x y mod G x y rand 2 Locally Smooth but not globally smooth Ratha et al 07 Surface Folding Advantages Achieves cancelability security and multiplicity Compatible with standard minutiae based representations Compatible with existing point based matchers Disadvantages Alignment of query and template is an issue Assume stable points core and delta for alignment Low Security Symmetric Hashing Tulyakov et al 2007 Represent Minutia as complex numbers x y z x yi x y i 2 2 x2 y2 x y Denote z x 2 y 2 magnitude of z x y i z cos i sin Then z z z z 2 2 z x yi z y x Transformation of minutiae set f z rz t rz z r z z t rz t r r cos i sin Multiplying by r means rotating by angle and scaling by factor r Hash functions of minutia points Consider following functions of minutia positions h1 c1 c2 cn c1 c2 cn h2 c1 c2 cn c1 c2 cn 2 2 2 hm c1 c2 cn c1 c2 cn m m m The values of these symmetric functions do not depend on the order of minutia points Hash of transformed minutiae What happens with hash functions if minutia point set is transformed h1 c1 c2 cn c1 c2 cn rc1 t rc2 t rcn t r c1 c2 cn nt rh1 c1 c2 cn