11-06-2014, 02:23 PM
Combining cryptography with biometrics effectively
Abstract
We propose the first practical and secure way to integrate the iris biometric into
cryptographic applications. A repeatable binary string, which we call a biometric
key, is generated reliably from genuine iris codes. A well-known difficulty has been
how to cope with the 10 to 20% of error bits within an iris code and derive an
error-free key. To solve this problem, we carefully studied the error patterns within iris
codes, and devised a two-layer error correction technique that combines Hadamard
and Reed-Solomon codes. The key is generated from a subject’s iris image with
the aid of auxiliary error-correction data, which do not reveal the key, and can be
saved in a tamper-resistant token such as a smart card. The reproduction of the
key depends on two factors: the iris biometric and the token. The attacker has to
procure both of them to compromise the key. We evaluated our technique using
iris samples from 70 different eyes, with 10 samples from each eye. We found that
an error-free key can be reproduced reliably from genuine iris codes with a 99.5%
success rate. We can generate up to 140 bits of biometric key, more than enough
for 128-bit AES. The extraction of a repeatable binary string from biometrics opens
new possible applications, where a strong binding is required between a person and
cryptographic operations. For example, it is possible to identify individuals without
maintaining a central database of biometric templates, to which privacy objections
might be raised.
Introduction
A number of researchers have studied the interaction between biometrics and
cryptography, two potentially complementary security technologies. Biometrics is about measuring
unique personal features, such as a subject’s voice, fingerprint, or iris. It has the potential
to identify individuals with a high degree of assurance, thus providing a foundation for
trust. Cryptography, on the other hand, concerns itself with the projection of trust: with
taking trust from where it exists to where it is needed.
A strong combination of biometrics and cryptography might, for example, have the
potential to link a user with a digital signature she created with a high level of assurance.
For example, it will become harder to use a stolen token to generate a signature, or for
a user to falsely repudiate a signature by claiming that the token was stolen when it was
not.
Past work
We now provide a more detailed survey of recent research on extracting biometric keys [7,
8, 9, 10, 11, 12]. Monrose, Reiter, Li and Wetzel were among the first: their system [11]
is based on key-stroke dynamics. A short binary string is derived from the user’s typing
patterns and then combined with her password to form a hardened password. Each
key-stroke feature is discretized as a single bit, which allows some error tolerance for feature
variation. The short string is formed by concatenating the bits. In a follow-up paper,
Monrose, Reiter and Wetzel proposed a more reliable implementation based on voice
biometrics, but with the same discretization methodology [8]. Their paper reports an
improvement in performance: the entropy of the biometric key is increased from 12 bits
to 46 bits, while the false rejection rate falls from 48.4% to 20% [8].
Hao and Chan made use of handwritten signatures in [10]. They defined forty-three
signature features extracted from dynamic information like velocity, pressure, altitude
and azimuth. Feature coding was used to quantize each feature into bits, which were
concatenated to form a binary string. This achieved on average 40-bit key entropy with
a 28% false rejection rate; the false acceptance rate was about 1.2% [10].
Algorithms
In this section, we present the detailed design of our coding scheme. The design was
driven by the error characteristics of iris codes, which are 256-byte strings of phase
information derived from an infrared image of an iris by demodulating it with complex-valued
2D-Gabor wavelets [3]. The errors, seen as the differences between different observations
of the same iris, are of two types. First, there is a background of random errors, due
to CCD camera pixel noise, iris distortion and image-capture effects that cannot be
effectively corrected by the preparatory signal processing. Second, there are burst errors,
due largely to undetected eyelashes and specular reflections, whether from the cornea or
from spectacles. Efforts are made by the standard Daugman algorithms to identify these;
along with the string representing the iris code, the software returns a mask string
indicating those bits that are considered suspect. However, the identification of eyelashes and
reflections is not perfect; faint reflections and out-of-focus eyelashes in particular lead to
burst errors.
Basic scheme
We will first describe a basic two-factor scheme without a password. The key depends on
a combination of a biometric and a token, which stores error-correction information. We
assume it is difficult for the attacker to procure both factors, and we will initially assume
that if the attacker obtains the token, he will have full knowledge of the data stored on it.
The initial design goal is thus to ensure that the compromise of a single factor will not
reveal the key. In the next section, we will show how to extend the scheme to three factors
by adding a user password, and we will also consider two levels of attacker: a common
attacker who can merely use a token if he steals it, and a highly-skilled attacker who can
extract all the secrets from a stolen token.
Figure 1 shows an overall picture of our design. To bridge the gap between the fuzziness
of the iris biometric and the exactitude of cryptography, we use a two-layer error correction
method. The outer layer uses a Hadamard code to correct random errors at the binary
level, while the inner layer uses a Reed-Solomon code to correct errors at the block level,
i.e. burst errors.
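An added example, not code from the paper: the Hadamard layer of the scheme above, run on constructed bit strings to show random errors being corrected and a burst defeating one block. It assumes the key's codeword is XORed with the iris code to form the token's auxiliary data and that each 64-bit Hadamard codeword carries 7 bits; both are assumptions for illustration, and the Reed-Solomon layer is left out.

```python
import random

K = 6            # assumed order: 2**K = 64-bit codewords carrying K + 1 = 7 bits
N = 1 << K

def parity(v):
    return bin(v).count("1") & 1

def had_encode(m):
    """7-bit message -> 64-bit Hadamard codeword (list of 0/1 bits)."""
    a, c = m & (N - 1), m >> K          # c selects the complemented codeword
    return [parity(a & x) ^ c for x in range(N)]

def had_decode(bits):
    """Nearest codeword; unique while at most N/4 - 1 = 15 bits are wrong."""
    return min(range(2 * N),
               key=lambda m: sum(b ^ e for b, e in zip(bits, had_encode(m))))

def lock(key_blocks, iris):
    """Auxiliary data for the token: codeword XOR iris code (assumed binding)."""
    code = [b for m in key_blocks for b in had_encode(m)]
    return [c ^ i for c, i in zip(code, iris)]

def unlock(helper, iris):
    """Cancel the iris code with a fresh sample, then decode block by block."""
    noisy = [h ^ i for h, i in zip(helper, iris)]
    return [had_decode(noisy[o:o + N]) for o in range(0, len(noisy), N)]

def with_errors(iris, per_block, rng):
    """Copy of iris with per_block[i] distinct bits flipped inside block i."""
    out = list(iris)
    for blk, count in enumerate(per_block):
        for pos in rng.sample(range(N), count):
            out[blk * N + pos] ^= 1
    return out

def demo():
    rng = random.Random(2014)           # constructed data, not real iris codes
    key = [rng.randrange(2 * N) for _ in range(8)]       # 8 blocks x 7 bits
    iris = [rng.randrange(2) for _ in range(8 * N)]
    helper = lock(key, iris)
    genuine = with_errors(iris, [12] * 8, rng)           # ~19% random errors
    burst = with_errors(iris, [12, 12, 40, 12, 12, 12, 12, 12], rng)
    stranger = [rng.randrange(2) for _ in range(8 * N)]  # a different eye
    return (key, unlock(helper, genuine), unlock(helper, burst),
            unlock(helper, stranger))
```

The block hit by the burst decodes to the wrong 7-bit value while the other seven are recovered; that residual block-level error is what the Reed-Solomon layer is there to correct.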
Conclusion
In this paper, we tackled the most difficult problem for merging cryptography and
biometrics: how to generate a repeatable string from a biometric in such a way that it can
be revoked. Previous attempts have almost all had quite unacceptable false-reject rates.
Most of them also have problems with revocation, have produced too-short keys, and
have not been well-tested. We have shown how to generate keys robustly from iris
biometric measurements, using associated error-correction data that can be changed to yield
different keys. Our scheme produces long enough keys; it can produce different keys for
different applications, so that an attack on one does not give an attack on all; it supports
revocation; its security case is founded on extensive research in the application area, as
well as a statistical lower-bound argument; and we have shown that its false-reject rate is
under half a percent. This makes it feasible, we believe, for many practical uses.