Monday, June 3, 2019

Protection of Biometric Templates

Protection of Biometric Templates Stored on an Authentication Card by Salting the Templates

Problem Statement

The proposed research addresses the problem of security of biometric data stored on templates using a system-on-card approach for smart cards by proposing a method to salt the templates.

Research Statement

This research proposes a robust and resilient method to salt the templates stored and matched on-card. It prepares a salt using a fingerprint template of a randomly chosen finger, the serial number of the authentication card and a system-generated random PIN. The salt is used to encrypt the templates of other fingerprints created and stored on the card. During authentication, a template of the finger chosen randomly to prepare the salt during the enrollment phase is obtained and a PIN is provided by the user. These two inputs, along with the serial number of the card, are used to prepare the salt again and encrypt the live template provided by the user for authentication. Once the stored encrypted template and the newly created encrypted template match, the user can be considered genuine and allowed to proceed further. This method is implemented on system-on-card smart cards to provide users with more security and privacy.

Abstract

This research proposes to provide a secure method to prepare a salt for encryption of templates stored on the authentication card using what I am, what I have and what I know, which is highly resistant to known attacks against match-on-card technology.

The user will be provided with a Java card with an embedded fingerprint reader on the card. The user has to provide a fingerprint, which will be captured by the reader embedded on-card, and this fingerprint will be used to prepare the salt along with the serial number of the Java card and a 4-digit PIN input by the user.
The salt will be prepared to encrypt the live template of another fingerprint chosen randomly by the system, generated by the system on the Java card. The encrypted live template and the stored salted template will be compared to establish whether the user is genuine or not. The user will be authenticated based on the value of the decision if it passes a certain threshold value.

Resources

The resources we intend to use to complete this research are Google Scholar, IEEE Xplore and ResearchGate.

Connection to the courses of the MISSM Program

Various courses of the MISSM program are linked to the proposed research as described below.

Cryptography: The fundamentals of biometrics and Java Card technology, using challenge and response for any type of environment such as banking, high-security settings etc. Also, RSA certificates for web authentication during communication with the server.

Security policies: Different policies and standards governing the management of biometric data, i.e. ISO/IEC standards etc. Also, different policies that can be implemented to ensure safe use of the proposed method.

Governance, Risk and Control: Considering the advantage of the defense-in-depth concept by adding an additional layer of security for the notion of risk management in physical access authentication/security.

Review of related research

The research related to this proposal contains the discussion of the match-on-card and system-on-card approaches and how system-on-card technology provides additional security and privacy to the user. The review is divided into 4 sections as described below.

Fingerprint Authentication Systems

Biometrics are automated methods of establishing a person's identity based on his/her physical or behavioral characteristics [1]. There are various physical characteristics that can be used for an authentication system, such as iris, fingerprint, palmprint, hand vein anatomy etc.
For each biometric authentication system, a biometric is chosen based on various factors such as Universality, Uniqueness, Accuracy, Maturity and Durability, as described in Smart Cards and Biometrics [2]. Fingerprints have been the most widely used biometric since the origin of biometrics. The following matrix table clearly shows that the fingerprint is the most suitable biometric indicator that can be used.

Fig 1. Report of Defense Science Board Task Force on Defense Biometrics [2]

Like any other authentication system, a fingerprint authentication system also consists of four basic components: input mechanism, matching methodologies, decision-making procedures and a database of biometric information. A conventional biometric authentication system consists of two phases, Enrollment and Verification, as explained in Fig 2 [3].

Fig 2. Framework for Fingerprint Authentication System [3]

During the Enrollment phase, the user is asked to input a fingerprint. Different features are extracted from this fingerprint and a template is created by a one-way function that transforms the extracted features into a mathematical form using different numbers. This template is stored in a database, which is used during the second phase of authentication, i.e. Verification.

During the Verification phase, the user is again asked to provide a fingerprint. Again a template, called the live template, is generated from the input fingerprint, and then the stored template in the database and the live template are compared to authenticate the user as genuine or not.

The proposed research focuses on a template protection algorithm to protect the biometric template (or reference) before storing it in the database. Templates are generated by extracting specific features from a biometric trait (in this case, the fingerprint) of the user. The template is a shorthand description [12] which provides essential information about the original fingerprint.
Templates can be stored in the database as such, without passing them through any protection algorithm, which saves time and requires fewer resources for the whole process. But unprotected templates are actually a serious threat to the integrity of the whole fingerprint authentication system (or any biometric authentication system). Also, the template can be easily manipulated and is used for speed of comparison.

As demonstrated by Ross et al. in [13], information can be extracted out of the template and the original fingerprint can be regenerated. In their paper, three levels of information were obtained from the minutiae template of a fingerprint. The information about the orientation field, fingerprint class and friction ridge structure was extracted and, based on that information, the fingerprint was synthesized again. This proves untrue the notion that getting the original fingerprint from the template is nearly impossible. Hence, the protection of the template is crucial and cannot be ignored.

Fingerprint templates are generated from specific features of the fingerprint input by the user. A fingerprint template includes information for each minutia point, such as the position of the point on an XY-axis, the distance of one minutia from all others or gradient information of each minutia. Gradient information gives the slope of the line segment extending from the minutia being described [12], as shown in the figure. All this information for each minutia of a finger makes up the fingerprint template for that finger. Similarly, a template for each finger can be constructed and stored in the database. Templates can be a two-dimensional matrix in which each row represents a minutia and each column represents a different type of information about that minutia.
Examples of standardized and widely used template formats are ANSI INCITS 378-2004 and ISO/IEC 19794-2.

The ANSI INCITS 378-2004 template format consists of three standards for fingerprint data interchange, which are as follows.

ANSI INCITS 377-2004 Finger Pattern Data Interchange Format

This standard defines the content, format and units of measurement for the exchange of finger image data that may be used in the verification or identification process of a subject [14]. It exchanges the unprocessed image of the fingerprint. This standard is used where there is no limit on resources such as computer memory and transmission time.

ANSI INCITS 378-2004 Finger Minutiae Format For Data Interchange

The Finger Minutiae Format for Data Interchange standard specifies a method of creating biometric templates of fingerprint minutiae, such as ridge endings and bifurcations [14]. The structure of the minutia data format is defined in the figure below. The extended data blocks contain additional information about the minutia.

Fig. Structure of Minutia Data Format, extracted from [14].

ANSI INCITS 381-2004 Finger Image-Based Data Interchange Format

The Finger Pattern Based Interchange Format standard specifies a method of creating biometric templates of fingerprint biometric information using ridge pattern measurements found in fingerprints. The fingerprint image is reduced and then grouped into small cells of 5*5 pixels. Then these cells are analyzed separately [14].

The template generated may be used for two principal purposes [14], which are identification and verification. In both cases, a live template generated from the fingerprint input by the user is compared with the template stored in the database. The chance of these two templates being an exact match is very small because of dirt, injury or poor quality of the fingerprint itself [14]. Therefore, a threshold value is specified, which is called a correlation coefficient [14]. The value of this coefficient must be set specific to the application.
This is because, if this value is high, then there is a high chance of FRR, and if this value is low, then there is a high chance of FAR. Examples of applications of fingerprint authentication systems are law enforcement for identification of criminals, airports to provide rapid services to a high number of passengers etc.

In a conventional fingerprint authentication system, there are various points of attack, as identified by Ratha et al. [4], which can be exploited by an adversary as seen in Fig 3 [5]. The different attacks that can be performed on these points can be grouped into four categories [5].

Attacks at user interface: These types of attacks use a fake finger made of gelatin or latex, and the fabricated fingerprint is given as input to the reader device that captures the fingerprint. These types of attacks can be mitigated by developing hardware and software solutions more sensitive to the liveness of the fingerprint.

Attacks at interfaces between modules: Different modules of fingerprint authentication systems communicate with each other. For example, the fingerprint reader sends the fingerprint image to the feature extractor module (Fig 3) through a communication channel. If this channel is not secured physically or cryptographically [5], then the data can be intercepted and the attacker can get access to the original fingerprint. Another attack that can be performed is to launch replay or hill-climbing attacks [5].

Attacks on the modules: An adversary can attack either the communication channel or the modules themselves. Securing the channel using cryptographic measures does not secure the complete authentication system. An attacker can execute various attacks to take possession of modules and force them to work according to his/her will and intentions.
This can cause the system to reject even the legitimate user and allow an illegitimate user by feeding wrong input or modifying the decision.

Attacks on the template database: The templates stored in the database can be attacked, and this is one of the most potentially damaging attacks [5]. These attacks can be performed either to modify the templates or to retrieve the original fingerprint.

Fig 3. Points of attack in a generic biometric authentication system [5]

All these attacks can compromise the authentication system and present a threat to access privileges of sensitive data or locations. Some of the attacks that can be performed and are described in the figure above include presenting a synthetic finger made from either silicone or gelatin. This synthetic finger has a fingerprint printed on the side facing the sensor. Then this fake finger is used to give input to the system. This attack can be mitigated by improving the liveness detection of the hardware as well as the software, as described in [15]. Replay of old data can be mitigated by limiting the number of attempts an individual can make before permanently locking the person out of the system. The communication channel used to transmit the template from the database to the matcher module can be intercepted and the template can be obtained while in transit. So additional security measures need to be taken, such as establishing encrypted channels, which is again an overhead. If the template is modified in transit, then the attacker can perform a DoS attack and prevent the genuine user from getting access to the system. Similarly, the final decision can be modified to allow an illegitimate user to enter the system. Also, if the matcher is overridden by the attacker, then the decision of the matching is compromised without any doubt and, indeed, the whole system is compromised.

Smart Card

Smart cards are also called Integrated Circuit Cards (ICC) in the ISO/IEC 7816 standard. These types of cards are made of plastic with a metallic chip inside.
There are two types of chips, as described in [11]: memory chips and microprocessor chips. Memory chips consist of control logic [11] and are used for storage purposes. These chips are used to store data only. Microprocessor chips, in contrast, have a programmable processing unit along with a calculation unit and a little storage to carry out various operations. A plastic card with a microprocessor chip is called a smart card [11].

These types of cards can be used for various purposes such as payment, authentication, document storage, portable file storage etc. Different applications of the smart card require different operations to be performed by the CPU embedded in the chip. The CPU of a smart card requires power to carry out the operations, which is the reason that a card reader device is a necessary component of the authentication system. The smart card and the card reader terminal communicate with each other to transfer data.

The terminal requires different information and responses from the card to carry out the desired operations. To get the required service, the terminal sends a request to the card, which is received by the on-card application; the application executes the operations as requested and provides the terminal with responses. The communication between the card and the terminal is protected by establishing a secure channel. Also, different cryptographic algorithms are used for protection of the information transmitted between the terminal and the card. These algorithms are processed using the calculation unit embedded in the microprocessor chip. The secure channel is established using cryptographic protocols. The transmission occurs similarly to communication using the OSI reference model [11].

The transmission of data between the card and the reader takes place in units called APDUs (Application Protocol Data Units). There are two types of APDUs, categorized as command APDUs and response APDUs.
ISO/IEC 7816-4 defines a command set consisting of various commands (some are mandatory and others are optional) for development of applications by different industries. The basic idea behind this approach is that an application developed by any vendor will be compatible with the chip card. The structure of an APDU can be found in the Appendix.

Smart cards have card managers to administer and manage all the card system services [12] and operations. The card manager can be viewed as an entity that provides functions very similar to the runtime environment of the card, represents the card issuer and verifies the user's identity. It can also be seen as three different entities, as described in GlobalPlatform Card Specification 2.1.1:

- The GlobalPlatform Environment
- The Issuer Security Domain
- The Cardholder Verification Methods

The Issuer Security Domain can be considered the entity representing the card issuer on-card. It consists of data that shall be stored on-card, as listed below [12].

Sr. No. | Name (Tag of ISO/IEC 7816) | Comment
a. | Issuer Identification Number (Tag 42) | Maps the card to a particular card management system. It is of variable length.
b. | Card Image Number (Tag 45) | Used by the card management system to identify the card among its database. Also has variable length.
c. | Card Recognition Data | Provides information about the card before communication starts between the card and the card management system. It is contained in the Directory Discretionary Template (Tag 73).
d. | On-card key Information | Different keys are stored in the persistent memory of the card. A key consists of various attributes such as key identifier, key version number, associated cryptographic algorithm and key length. All key components associated with an entity (e.g. symmetric and asymmetric keys are two different entities) have the corresponding key identifier. Keys are managed by the Issuer Security Domain.

These data in the Issuer Security Domain can be accessed using the GET DATA command.

Fingerprint Match-on-card and Fingerprint System-on-card

In a conventional biometric authentication system, a template generated during verification is sent to a server, where it is matched with the stored template in the database. The live template must be protected against attacks while in transit to the server. Even though templates are the results of a one-way function, the original fingerprint image can still be prepared using different attacks.

To address the problem of template compromise in transit, the modules of biometric authentication systems described in Fig 3 can be grouped together. These types of groupings can be used to counter the attacks described above. In the Encyclopedia of Biometrics, Chen Tai Pang, Yau Wei Yun, Jiang Xudong and Mui Keng Terrence explained four different types of approaches that can be taken to group the modules and place the grouped components of the authentication system on an authentication card (which is also called a smart card) such as a Java card. These approaches are a) Template on-card b) Match-on-card c) Work sharing on-card d) System-on-card.

This research focuses on the limitations of the match-on-card approach and the features of the system-on-card approach that overcome these limitations. These approaches are described below. The limitations and how they affect the integrity of the biometric authentication system are also defined.

Match-on-card is defined as the process of performing comparison and decision making on an integrated circuit (IC) card or smartcard where the biometric reference data is retained on-card to enhance security and privacy [6]. During enrollment, the template generated from the fingerprint is stored in the secure area of the card's storage.
To attain on-card matching, the live template is generated after capturing and feature extraction of the user's fingerprint using an interface device. This live template is uploaded to the card for the verification process.

On-card matching follows the same process flow as defined in Fig 4, but with the Matcher and Database modules, which hold the stored template, on-card. The matching function executes on-card rather than on a server. This solves the problem of attacks on interfaces of modules described above. Fig 3 explains the match-on-card process for biometric verification [6].

Fig 4. On-card matching process [6]

The user inputs his/her fingerprint using the biometric terminal. Features are extracted from the input and a live template (here called the query template) is generated. This query template is generated off-card but sent to the card for matching. The card's matcher module retrieves the stored template from the secure storage area of the card and compares the two templates. The comparison result is handed over to the on-card application and thus the original template and the result always reside on the card. The dotted line represents the application firewall that restricts the access of the application to the matching module [6].

Attacks on interfaces between modules also lead to attacks on the database in which templates are stored. If the interfaces or the communication channel are compromised, then the data travelling among different modules can also be compromised. If not intercepted, it can at least be altered to execute a DoS attack against a legitimate user. To deal with this limitation, the system-on-card approach can be used.

System-on-card means the whole biometric verification process, including the acquisition, is performed on the smartcard. The smartcard incorporates the entire biometric sensor, with processor and algorithm [6].

Fig 5. System-on-card Technology [6]

A smartcard equipped with a fingerprint reader is inserted into an interface device, which provides time and power to the card.
Then the user is asked to provide his/her fingerprint, which is captured by the fingerprint reader on-card. Different features are extracted from the fingerprint and the algorithms incorporated on-card [6] transform that input into a mathematical form (template). The template is stored in the secure area of the card's storage. The whole process takes place on-card, providing more security and privacy to the user. System-on-card is more secure because the stored template and the query template are always present on-card and only the result is sent to the host-side application.

Template Security

This research focuses on the security of the template before storing it in the database. The fingerprint of an individual is unique, which makes it an ideal factor for authentication systems. No two persons can have the same fingerprints, providing high security, privacy and integrity to authentication systems using fingerprints. Even though this makes biometrics strong among all other factors of authentication, it is also its weakest point. Unlike any other computational algorithms, the biometric information of a person is unique and, once compromised, cannot be recreated. This makes the protection of templates crucial to protect the integrity of biometric authentication systems.

Two approaches can be considered to secure the templates. Either a) the database can be protected against different attacks by implementing various security measures such as firewalls, or b) the templates themselves can be protected against attacks so that, even if the database is compromised, the original fingerprint is still protected. The template itself is very specific information, which makes it quite useless for an attacker trying to get the original fingerprint image from the template.
But it is still possible to create the original fingerprint using the algorithm defined in [13].

According to the ISO/IEC 24745 [7] standard, all biometric template protection systems must fulfill three main requirements.

Noninvertibility: It should be very difficult to retrieve the original template from the final protected template reference stored in the database. Noninvertibility prevents the abuse of stored biometric data for launching spoof or replay attacks, thereby improving the security of the biometric system [3].

Revocability: It should be computationally difficult to obtain the original biometric template from multiple instances of the protected biometric reference derived from the same biometric trait of an individual [3]. This makes it possible for the issuer to issue a new template to the user in case of a compromise, without bothering about the probability of success for an attacker using the old template.

Nonlinkability: It should be hard to establish a relationship among different instances of templates derived from the same biometric characteristic of the user. The nonlinkability property prevents cross-matching across different applications, thereby preserving the privacy of the individual [3].

Methods for Biometric Template Protection

As described by Anil K. Jain, Karthik Nandakumar and Abhishek Nagar in their article Biometric Template Security [8], template protection schemes can be categorized into two main groups, viz. feature transformation and biometric cryptosystem, as shown in Fig 6.

Fig 6. Template Protection approaches [8]

In feature transformation, a feature transformation function is applied to the biometric template [8]. The new template generated after the feature transformation is stored in the database rather than the template generated after feature extraction. This transformation provides more security because it makes the template more random, making it almost impossible for an attacker to guess the original template and hence more difficult to obtain the original fingerprint image.
Two methods for feature transformation are salting and noninvertible transform.

Salting: It is also called biohashing. In this approach, a biometric template (here, a fingerprint template) is taken as input and a mathematical function defined by a specific key is applied. A token number or a key is used to increase the entropy of the template and so makes the template difficult for an attacker to guess [2]. The approach is called salting because the key used to protect the template is called the salt. This approach is invertible, which means that, using the key, the original template can be obtained from the transformed template. A transformation function that satisfies the requirements of this approach can be designed.

Noninvertible Transform: This approach is similar to the previous one, i.e. salting, with the difference that this method is noninvertible, which means a transformed template is very difficult to invert to the original template. Non-invertible transform refers to a one-way function that is easy to compute but hard to invert [8]. Hence, more security is provided in this approach because, even if the key is known to the attacker, he/she still cannot retrieve the original template.

Comparing these two approaches based on the description above, the non-invertible transform seems an obvious choice for security. But that's not true. Salting is invertible, but it supports the revocability property of biometric template protection. It means that, if a key is leaked and the transformed template is accessible to the attacker, then the template can be easily replaced using a new key. Also, key usage causes low FAR. The non-invertible transform, in contrast, presents a tradeoff between discriminability and non-invertibility [8]. It means the transformed templates using different features of the same user should be the same but different from those of another user, along with fulfilling the noninvertible property. It is difficult to design such a transformation function [8].

Salting is done using a specific key or token.
Any key or token used for salting is secure.

Description of Proposed Research

Considering the above knowledge, the research will focus on a method to protect the template stored on the card. The proposed method will protect the biometric template stored on the card by salting the template. The research will focus mainly on the proposed method of salting the template. Other elements will also be included in the research as required, to propose a robust and secure system that uses the method for salting. It is assumed that the enrollment phase is done in a secure environment and the verification phase can be done in an untrusted zone.

The research will look deep into the method to develop a more random and strong salt for biometric template protection. The system-on-card approach will be used because the privacy and security level it provides is supreme, as shown in Fig 7. All the computation and execution is done on the card and the terminal is only sent the final YES/NO to grant access to the user.

The method uses the following elements:

- Authentication card with fingerprint reader embedded on card
- Various templates
- Random number generator
- Serial number of Java card
- PIN
- Cryptographic certificates using RSA asymmetric key cryptography
- Counter

The proposed method uses three fundamental components of a biometric authentication system:

- Who am I (Live Template)
- What I have (Authentication Card)
- What I know (PIN)

These three components are used not only for authentication of a user but also for salting the template stored on the card.

At the time of enrollment, the Java card with fingerprint reader is inserted into the terminal (to provide power and time to the card). The user is asked to input the fingerprint (who I am) of a finger chosen randomly by the system. Then the system generates the salt using the serial number of the Java card (what I have) and a randomly generated 4-digit PIN (what I know). The user has to remember this PIN for verification, as it will be forgotten forever after the enrollment process is finished.
The salt prepared by combining the three components is then used to encrypt the templates to be stored on the card.

Fig 7. Java card with fingerprint reader

The salt prepared can be written in a generalized form as:

Salt = Serial number of authentication card + Template of fingerprint from a finger chosen randomly + Randomly generated PIN by enrollment system.

During verification, the user inserts the card into the terminal and has to provide:

- The fingerprint used during the enrollment phase to prepare the salt
- The 4-digit PIN

Using these inputs and the serial number stored on the chip of the Java card, the salt is prepared again. Then the user is asked again to provide the fingerprint of a finger chosen randomly by the system. A query template is generated again and is salted using the salt prepared. Then the two salted templates are compared and, if the decision passes the threshold value, the user can be considered authentic and the decision is sent to the server through the terminal to grant the user access. Certificates signed with digital signatures using RSA asymmetric encryption (using 4096 bits) are used for communicating the decision to the server. Each time a decision is sent to the server, the counter on the server increments by 1 if the user fails to authenticate; otherwise it resets to zero.

If the counter reaches 4 (the user fails to authenticate 4 times consecutively), then the Java card is blocked and requires a reset by the issuing body. Performing all the activities (from reading the fingerprint to decision making) on-card provides the highest security, little privacy concern, interoperability, scalability and mobility [9].

To summarize the whole process, it can
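
The salting approach described under Methods for Biometric Template Protection (a key-defined, invertible transformation with matching against a threshold, and reissue under a new key) is sketched below as an added example; it is not code from the original post. The transformation used here, a key-derived rotation and translation of the minutiae, is an assumption chosen for illustration, and the function names, keys, tolerances, threshold and sample minutiae are all constructed.

```python
import hashlib
import hmac
import math

THRESHOLD = 0.8  # assumed decision threshold (fraction of minutiae matched)

def ang_diff(a, b):
    """Smallest absolute difference between two angles in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def _params(key):
    """Derive a rotation (radians) and a translation from the salt key."""
    d = hmac.new(key, b"salting-demo", hashlib.sha256).digest()
    theta = int.from_bytes(d[0:4], "big") / 2**32 * 2 * math.pi
    dx = int.from_bytes(d[4:6], "big") % 1000
    dy = int.from_bytes(d[6:8], "big") % 1000
    return theta, dx, dy

def salt_template(template, key):
    """Apply the key-defined transform to every minutia (x, y, angle_deg)."""
    theta, dx, dy = _params(key)
    c, s, deg = math.cos(theta), math.sin(theta), math.degrees(theta)
    return [(c * x - s * y + dx, s * x + c * y + dy, (a + deg) % 360.0)
            for x, y, a in template]

def unsalt_template(protected, key):
    """Invert the transform; possible for anyone who holds the key."""
    theta, dx, dy = _params(key)
    c, s, deg = math.cos(theta), math.sin(theta), math.degrees(theta)
    return [(c * (x - dx) + s * (y - dy), -s * (x - dx) + c * (y - dy),
             (a - deg) % 360.0) for x, y, a in protected]

def match_score(stored, query, dist_tol=8.0, angle_tol=15.0):
    """Fraction of stored minutiae paired with an unused query minutia."""
    used, hits = set(), 0
    for sx, sy, sa in stored:
        for i, (qx, qy, qa) in enumerate(query):
            if i in used:
                continue
            close = math.hypot(sx - qx, sy - qy) <= dist_tol
            if close and ang_diff(sa, qa) <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(stored)

def verify(stored_protected, live_template, key):
    """Salt the live template with the same key, compare in the salted domain."""
    salted_live = salt_template(live_template, key)
    return match_score(stored_protected, salted_live) >= THRESHOLD

# Constructed sample data: enrolled minutiae and a noisy re-capture of the same finger.
ENROLLED = [(30, 40, 10), (80, 55, 95), (120, 30, 200), (160, 90, 310),
            (60, 130, 45), (110, 150, 170), (200, 140, 260), (40, 210, 355),
            (150, 220, 120), (220, 230, 15)]
LIVE = [(x + 2, y - 1, (a + 4) % 360) for x, y, a in ENROLLED]

if __name__ == "__main__":
    key_v1, key_v2 = b"constructed-key-1", b"constructed-key-2"
    stored = salt_template(ENROLLED, key_v1)
    print("genuine, right key:", verify(stored, LIVE, key_v1))
    print("genuine, wrong key:", verify(stored, LIVE, key_v2))
    reissued = salt_template(ENROLLED, key_v2)  # revocation: new key, new reference
    print("old vs new reference score:", match_score(stored, reissued))
    print("reissued verifies:", verify(reissued, LIVE, key_v2))
```

Because the transform can be undone with the key, the protection of the stored reference rests on keeping the key secret; what salting gains is revocability, not noninvertibility.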
