On the Security Risk of Cancelable Biometrics

Over the years, a number of biometric template protection schemes, primarily based on the notion of "cancelable biometrics" (CB) have been proposed. An ideal cancelable biometric algorithm possesses four criteria, i.e., irreversibility, revocability, unlinkability, and performance preservation. Cancelable biometrics employed an irreversible but distance preserving transform to convert the original biometric templates to the protected templates. Matching in the transformed domain can be accomplished due to the property of distance preservation. However, the distance preservation property invites security issues, which are often neglected. In this paper, we analyzed the property of distance preservation in cancelable biometrics, and subsequently, a pre-image attack is launched to break the security of cancelable biometrics under the Kerckhoffs's assumption, where the cancelable biometrics algorithm and parameters are known to the attackers. Furthermore, we proposed a framework based on mutual information to measure the information leakage incurred by the distance preserving transform, and demonstrated that information leakage is theoretically inevitable. The results examined on face, iris, and fingerprint revealed that the risks origin from the matching score computed from the distance/similarity of two cancelable templates jeopardize the security of cancelable biometrics schemes greatly. At the end, we discussed the security and accuracy trade-off and made recommendations against pre-image attacks in order to design a secure biometric system.Comment: Submit to P

A Cryptanalysis of Two Cancelable Biometric Schemes based on Index-of-Max Hashing

Cancelable biometric schemes generate secure biometric templates by combining user specific tokens and biometric data. The main objective is to create irreversible, unlinkable, and revocable templates, with high accuracy in matching. In this paper, we cryptanalyze two recent cancelable biometric schemes based on a particular locality sensitive hashing function, index-of-max (IoM): Gaussian Random Projection-IoM (GRP-IoM) and Uniformly Random Permutation-IoM (URP-IoM). As originally proposed, these schemes were claimed to be resistant against reversibility, authentication, and linkability attacks under the stolen token scenario. We propose several attacks against GRP-IoM and URP-IoM, and argue that both schemes are severely vulnerable against authentication and linkability attacks. We also propose better, but not yet practical, reversibility attacks against GRP-IoM. The correctness and practical impact of our attacks are verified over the same dataset provided by the authors of these two schemes.Comment: Some revisions and addition of acknowledgement

Near-collisions and their Impact on Biometric Security

Biometric recognition encompasses two operating modes. The first one is biometric identification which consists in determining the identity of an individual based on her biometrics and requires browsing the entire database (i.e., a 1:N search). The other one is biometric authentication which corresponds to verifying claimed biometrics of an individual (i.e., a 1:1 search) to authenticate her, or grant her access to some services. The matching process is based on the similarities between a fresh and an enrolled biometric template. Considering the case of binary templates, we investigate how a highly populated database yields near-collisions, impacting the security of both the operating modes. Insight into the security of binary templates is given by establishing a lower bound on the size of templates and an upper bound on the size of a template database depending on security parameters. We provide efficient algorithms for partitioning a leaked template database in order to improve the generation of a master-template-set that can impersonates any enrolled user and possibly some future users. Practical impacts of proposed algorithms are finally emphasized with experimental studies

PBio: Enabling Cross-organizational Biometric Authentication Service through Secure Sharing of Biometric Templates

Prior works in privacy-preserving biometric authentication mostly focus on the following setting. An organization collects users\u27 biometric data during registration and later authorized access to the organization services after successful authentication. Each organization has to maintain its own biometric database. Similarly each user has to release her biometric information to multiple organizations; Independently, government authorities are making their extensive, nation-wide biometric database available to agencies and organizations, for countries that allow such access. This will enable organizations to provide authentication without maintaining biometric databases, while users only need to register once. However privacy remains a concern. We propose a privacy-preserving system, PBio, for this new setting. The core component of PBio is a new protocol comprising distance recoverable encryption and secure distance computation. We introduce an encrypt-then-split mechanism such that each of the organizations holds only an encrypted partial biometric database. This minimizes the risk of template reconstruction in the event that the encrypted partial database is recovered due to leak of the encryption key. PBio is also secure even when the organizations collude. A by-product benefit is that the use of encrypted partial templates allows quicker rejection for non-matching instances. We implemented a cloud-based prototype with desktop and Android applications. Our experiment results based on real remote users show that PBio is highly efficient. A round-trip authentication takes approximately 74ms (desktop) and 626ms (Android). The computation and communication overhead introduced by our new cryptographic protocol is only about 10ms (desktop) and 54ms (Android)

Iris Template Protection Based on Local Ranking

Biometrics have been widely studied in recent years, and they are increasingly employed in real-world applications. Meanwhile, a number of potential threats to the privacy of biometric data arise. Iris template protection demands that the privacy of iris data should be protected when performing iris recognition. According to the international standard ISO/IEC 24745, iris template protection should satisfy the irreversibility, revocability, and unlinkability. However, existing works about iris template protection demonstrate that it is difficult to satisfy the three privacy requirements simultaneously while supporting effective iris recognition. In this paper, we propose an iris template protection method based on local ranking. Specifically, the iris data are first XORed (Exclusive OR operation) with an application-specific string; next, we divide the results into blocks and then partition the blocks into groups. The blocks in each group are ranked according to their decimal values, and original blocks are transformed to their rank values for storage. We also extend the basic method to support the shifting strategy and masking strategy, which are two important strategies for iris recognition. We demonstrate that the proposed method satisfies the irreversibility, revocability, and unlinkability. Experimental results on typical iris datasets (i.e., CASIA-IrisV3-Interval, CASIA-IrisV4-Lamp, UBIRIS-V1-S1, and MMU-V1) show that the proposed method could maintain the recognition performance while protecting the privacy of iris data

Instant Privacy-Preserving Biometric Authentication for Hamming Distance

In recent years, there has been enormous research attention in privacy-preserving biometric authentication, which enables a user to verify him or herself to a server without disclosing raw biometric information. Since biometrics is irrevocable when exposed, it is very important to protect its privacy. In IEEE TIFS 2018, Zhou and Ren proposed a privacy-preserving user-centric biometric authentication scheme named PassBio, where the end-users encrypt their own templates, and the authentication server never sees the raw templates during the authentication phase. In their approach, it takes about 1 second to encrypt and compare 2000-bit templates based on Hamming distance on a laptop. However, this result is still far from practice because the size of templates used in commercialized products is much larger: according to NIST IREX IX report of 2018 which analyzed 46 iris recognition algorithms, size of their templates varies from 4,632-bit (579-byte) to 145,832-bit (18,229-byte). In this paper, we propose a new privacy-preserving user-centric biometric authentication (HDM-PPBA) based on Hamming distance, which shows a big improvement in efficiency to the previous works. It is based on our new single-key function-hiding inner product encryption, which encrypts and computes the Hamming distance of 145,832-bit binary in about 0.3 seconds on Intel Core i5 2.9GHz CPU. We show that it satisfies simulation-based security under the hardness assumption of Learning with Errors (LWE) problem. The storage requirements, bandwidth and time complexity of HDM-PPBA depend linearly on the bit-length of biometrics, and it is applicable to any large templates used in NIST IREX IX report with high efficiency

Preimage Attack on BioHashing

International audienceBiometric recognition is more and more employed in authentication and access control of various applications. Biometric data are strongly linked with the user and do not allow revocability nor diversity, without an adapted post-processing. Cancelable biometrics, including the very popular algorithm BioHashing, is used to cope with the underlying privacy and security issues. The principle is to transform a biometric template in a BioCode, in order to enhance user privacy and application security. These schemes are used for template protection of several biometric modalities, as fingerprints or face and the robustness is generally related to the hardness to recover the original biometric template by an impostor. In this paper, we propose to use genetic algorithms to approximate the original biometric feature and spoof the authentication system. We show through experimental results on fingerprints the efficiency of the proposed attack on the BioHashing algorithm, by approximating the original FingerCode, given the seed and the corresponding BioCode