03-07-2013, 03:18 PM
Biometric Template Transformation: A Security Analysis
Biometric Template.pdf (Size: 851.32 KB / Downloads: 112)
ABSTRACT
One of the critical steps in designing a secure biometric system is protecting the templates of the users that
are stored either in a central database or on smart cards. If a biometric template is compromised, it leads to
serious security and privacy threats because unlike passwords, it is not possible for a legitimate user to revoke
his biometric identifiers and switch to another set of uncompromised identifiers. One methodology for biometric
template protection is the template transformation approach, where the template, consisting of the features
extracted from the biometric trait, is transformed using parameters derived from a user specific password or
key. Only the transformed template is stored and matching is performed directly in the transformed domain.
In this paper, we formally investigate the security strength of template transformation techniques and define
six metrics that facilitate a holistic security evaluation. Furthermore, we analyze the security of two well-
known template transformation techniques, namely, Biohashing and cancelable fingerprint templates based on
the proposed metrics. Our analysis indicates that both these schemes are vulnerable to intrusion and linkage
attacks because it is relatively easy to obtain either a close approximation of the original template (Biohashing) or
a pre-image of the transformed template (cancelable fingerprints). We argue that the security strength of template
transformation techniques must also consider the computational complexity of obtaining a complete pre-image
of the transformed template in addition to the complexity of recovering the original biometric template.
INTRODUCTION
Biometric recognition has a number of advantages over the traditional authentication mechanisms based on
tokens (e.g., ID cards) or passwords. This is because of the inalienable and distinctive nature of the biometric
traits. However, biometric systems are not fool-proof and a critical vulnerability that is unique to biometric
systems is the compromise of the stored templates. Stolen templates can be used by an adversary to create
biometric spoofs1, 2(see Figure 1), which in turn can be used to gain illegitimate access to systems that employ
the same biometric trait of the user. Even when spoof creation is difficult, a stolen template can be replayed
to the biometric system in order to circumvent it (intrusion attack). Since biometric traits are supposed to be
permanent and unique to an individual, stolen templates can also be used to link a user across databases (linkage
attack) or glean additional information about the user such as race, gender and certain medical conditions.3
Unlike passwords, it is not possible for a legitimate user to revoke his biometric template and switch to another
uncompromised template. Hence, ensuring the security of biometric templates is essential for gaining public
trust and acceptance, which in turn will promote the widespread deployment of biometric systems.
Vector based template transformation
In the vector based techniques, the biometric templates are represented as a vector and the dissimilarity between
two vectors is usually computed as the Euclidean distance. One of the main requirements of a vector based
template transformation function is the preservation of distances between the vectors after transformation. Bio-
hashing13 is one such technique (see Figure 3), where the feature vector is transformed by multiplying it with and
orthogonal transformation matrix and thresholding the individual elements. Due to increased inter-class variation
and preservation of intra-class variation Biohashing significantly improves the matchign performance. However,
if the key is known to the adversary, the matching performance typically degrades due to the quantization of
features and dimensionality reduction.
Interest point based template transformation
Fingerprints are most commonly represented by a set of points, called minutiae. Hence, many fingerprint template
transformation techniques are based on minutiae as the initial representation. Furthermore, to use the available
minutiae-based fingerprint matchers in the transformed domain, it is desirable to have the final representation
also in the form of a set of minutiae. To satisfy this criterion, Ratha et al.23 proposed the use of cancelable
fingerprint templates designed using three different minutiae transformation techniques, namely, cartesian, polar
and functional (see Figure 4). In the cartesian transformation, the fingerprint is regularly tessellated into a set
of rectangles and these rectangles are displaced according to the associated key. The polar transformation is
similar to the cartesian transformation except that the fingerprint is divided into a number of shells and each
shell is divided into sectors. Since the size of sectors is different for different shells, some restrictions are placed
on the displacement of the sectors based on the password. In case of the functional transformation, two different
functions are used: a mixture of 2D Gaussians and electric potential field in 2D charge distribution. These
functions are evaluated at the minutiae locations to obtain the translation corresponding to that minutia.
SECURITY ANALYSIS OF TEMPLATE TRANSFORMATION
We focus on the vulnerability of a template transformation scheme to intrusion and linkage attacks that can
be staged using the knowledge of a stored template. Intrusion means gaining access to a biometric recognition
system by presenting falsified authentication data to the system. Intrusion undermines one of the fundamental
benefits of using a biometric system, which is non-repudiation. On the other hand, linkage attacks involve cross-
matching across biometric systems to track the users covertly and this compromises the privacy of the user.
Hence, it is important to analyze the probability of success of these two attacks in a biometric system.
CONCLUSIONS
When a user’s biometric template information falls into the hands of an adversary, it can seriously undermine the
security (intrusion threats) of the biometric system and privacy (linkage threats) of the user. Hence, biometric
template protection is a critical problem that needs to be addressed to enhance the public acceptance of biometric
technology. Considering the recent surge in the number of techniques being developed for protecting the biometric
templates, it is essential to develop a set of measures which can evaluate the strength of these techniques. One of
the well known approaches for template protection is the template or feature transformation technique. Compared
to biometric cryptosystems, template transformation schemes have certain advantages like easy revocability and
flexibility in the matcher design. But these advantages are stymied by the lack of a thorough security analysis
of these techniques.