Biometric security using cryptographyPresentation Transcript
Introduction to Cryptography & Biometric Security Principle & Standards Of Biometrics Methods to secure a key using Biometrics Biometric Encryption User Based Cryptographic Keys & their Generation Similarities & Differences Between UserID and Biometric-based Keys Advantages & Threats to Biometric System Applications of Biometric Systems Conclusion
Cryptography is an important feature of computer security. It is dependent onthe secrecy of the secret or private key.The user chooses an easily remembered pass code that is used to encrypt thecryptographic key and this key is then stored in a database.Security of the cryptographic key is weak due to practical problems ofremembering pass codes.Since the pass code is not directly tied to a user, the system is unable todifferentiate between the legitimate user and the attacker.
“BIOS” ► life “METRON” measurementStudy of automated methods for uniquely recognizing humans based uponone or more intrinsic physical or behavioral traits for authenticationpurposes.Measurable characteristics of the individual based on their physiologicalfeatures / behavioral patterns that can be used to recognize or verify theiridentity.
“Everyone in the world is unique, and this uniqueness can be used for identity verification.”Uniqueness : Distinction between individualsPermanence : Resistance to ageingCollectability : Ease to obtain a biometric for measurement.Performance : Accuracy, speed, robustness of the biometric system.Acceptability :Degree of approval of a technology.Circumvention : Anomalies in the authentication system.
Fingerprints are unique to each individual and no two fingerprints are alike.Fingerprint recognition is most widely accepted biometrics among thetechnology being used today.Converts the image of a fingerprint into a mathematical template of the printsminutiae points.Fingerprints contains pattern of ridges and valleys as well as minutia points.Scanners : Optical scanners, Thermal scanners, Capacitances (solid statescanner), Minutia based, Correlation based.
Creates a voiceprint based on theinflection points of your speech,emphasizing the highs and lows specificto your way of talking.
An authenticam takes the pictures ofperson’s iris. The image is analyzed and a512 byte code is generated. The code is thencompared with the iris imprints in thedatabase and used to determine theindividual’s authorisation level.Discriminate between individuals withidentical DNA like monozygotic twins.
A camera captures the image of the face. Face Recognition Features and discrete areas are analyzed. The system analyses the characteristic rhythmKeystroke Dynamics of a persons typing. A picture of the hand is taken. Features like3D Hand Geometry shape, length, width of fingers and shape of knuckles are recorded. Signature Users signature digital graphic tablet. The verification system analyses speed, stroke order, stroke count and pressure .
First one involves remote template matching and key storage. In this methodbiometric image is captured and compared with a corresponding template. Ifthe user is verified, the key is released.Drawback : The main problem here is use of an insecure storage media
Hide the cryptographic key within the enrollment template itself via a secretbit-replacement algorithm. When the user is successfully authenticated, thisalgorithm extracts the key bits from the appropriate locations and releasesthe key.Drawback: The key will be retrieved from the same location in a template each time a different user is authenticated
Using data derived directly from a biometric image is another method. Inthis manner biometric templates are used as a cryptographic key.Drawback: Sensitivities due to environmental and physiological factors, and compromising of the cryptographic keys stand as a big obstacle
A new and exciting technique is developed by Mytec Technologies Inc.and named as Biometric Encryption™. During the enrollment phase, the process combines the biometric imagewith a digital key to create a secure block of data known as BioScrypt™ andthen the key is retreived using the biometric during the verification phase.
It provides a mechanism for the linking and retrieval of a digital key using abiometric. This biometric might be a 2D image such as fingerprint, palmprint, face, iris or retina.The resulting digital key is then used as a cryptographic key. Note: The key is completely independent of the biometric data so that the use of the biometric is not forfeited if the key is ever compromised and can be easily modified or updated.
Cryptographic systems require a secret key or a random number which mustbe tied to an individual through an identifier. This identifier indeed could be aglobally unique user id or biometric data.Pseudorandom numbers are generated by a PRNG (pseudo random numbergenerator). The resulting pseudorandom number can be used directly as akey or adjusted with user-dependent data (userID or biometric data).
User dependent key generation is done in two ways: First the key generation algorithm could be modified by using the user- dependent data. Second PRNG could be modified which is accomplished using a front-end or back-end approach. In front-end manner, the definition of the key is extended to include a user-specific data component. In back-end manner, pseudorandom numbers are treated as intermediate values and processed further.
Similar to image-type biometrics, human voice is a good biometric togenerate a cryptographic key.For the goal of unpredictability, i.e. applying automatic speech recognition torecognize the password spoken and then simply using the password, as acryptographic key is way. But it is not secure.
One solution is a user utters a password to his/her device and thatdevice would generate a key. Repeated utterance of the same passwordby the same user would improve the security of the key after successfulmatches with his/her previous recorded utterances.
Both of them are different for each user.Both of them are non-secret data. It is clear to see that userID data is non-secret.Similarly biometric data is insecure in some sense because there is no practicalway to prevent the capture of user biometric data outside the biometric system.
Biometric data is obtained or derived from the user whereas userID isassigned to a user.Except the accidents biometric data can not be changed. But userID can easilybe changed.Set of userIDs may be dense and it is easy to enumerate the set. Unlikely, set ofbiometric data is not dense and this makes it infeasible to enumerate thebiometric data for each user.
Biometrics directly authenticates the person, not indirectly through apassword or token.Biometrics features are difficult to steal; thereby making biometricsauthentication very strong.The Biometrics feature is eminently portable, and is unlikely to be lost.Another advantage of biometrics authentication systems is user cannot shareor forget his retina or fingerprint, while a password and username are easilyforgotten.
Software Organizational Physical As with any IT security system, biometric-based security policy mustdeal with the threats from the workers of the organization who candamage any software or hardware component of the system. Attackersmay also change the statistical recognition parameters of the componentsand decrease the recognition rates.
• Attacks on the biometric sensor/Acquisition device Example: usage of artificial or disembodied dead features like a cut-off finger in the fingerprint case.• Communication channel attacks (man-in-the-middle attacks) The first type is just eavesdropping. If the channel between the sensor and the feature extraction unit or the one between the reference database and the matching unit is attacked, the attacker will gain information about the biometric data. In the second type, purposeful use or change is done to the intercepted data for subsequent introduction back into the system
• Iris Recognition It is Relatively expensive; requires large amount of computer storage; may not be generally accepted by public.• Voice Verification Works well over the telephone but requires large amount of computer storage; peoples voices can change; background noises can interfere.
PC access and internet security (Computer network security, Internettransaction, Laptop security, Application level security)Physical area security(military, government, banking, voting, prisons)Employee record checkMobile phones: network access & theft protectionMobile financial transaction: Credit cards & ATM cards.
Reliable user authentication is highly significant in this web enabled world.Consequences of an insecure authentication system can be catastrophic andmay include loss of information, denial of service and loss of data integrity.Biometric Encryption™ and Bioscrypt™ are high security means of protectingthe critical data of government, police departments, army and big firms.The current generation of biometric identification devices offer cost andperformance advantages over manual security procedures.All these methods have shown that, using biometrics for identification orverification-based security systems and cryptosystems, is a promisingtechnology
www.ieeexplore.ieee.org www.cscjournals.org www.en.wikipedia.org C.Soutar, D.Roberge, A.Stoianov, R.Gilroy and B.V.K.V.Kumar, “Biometric Encryption™ using image processing” M. Peyravian, S. M. Matyas, A. Roginsky, N. Zunic, “Generating user- based Cryptographic keys and random numbers”