Sunday, March 31, 2019
Protection of Biometric Templates
Protection of Biometric Templates Stored on an Authentication Card by Salting the Templates

Problem Statement

The proposed research addresses the problem of security of biometric information stored on templates using a system-on-card approach for smart cards by proposing a method to salt the templates.

Research Statement

This research proposes a robust and resilient method to salt the templates stored and matched on-card. It prepares a salt using a fingerprint template of a randomly chosen finger, the serial number of the authentication card and a system-generated random PIN. The salt is used to encrypt the templates of different fingerprints created and stored on the card. During authentication, a template of the finger that was chosen randomly to prepare the salt during the registration phase is obtained and a PIN is provided by the user. These two inputs, along with the serial number of the authentication card, are used to prepare the salt again and encrypt the live template provided by the user for authentication. Once the stored encrypted template and the newly created encrypted template match, the user will be considered genuine and granted further access. This method is implemented on a system-on-card smart card to give users more security and privacy.

Abstract

This research proposes a method to prepare a salt for encryption of templates stored on the authentication card using what I am, what I have and what I know, which is resistant to known attacks against match-on-card technology.

The user will be provided with a Java card with an embedded fingerprint reader on the card. The user has to provide a fingerprint, which will be captured by the reader embedded on-card, and this fingerprint will be used to prepare the salt along with the serial number of the Java card and a 4-digit PIN input by the user.
The salt will be used to encrypt the live template of another fingerprint chosen randomly by the system, generated by the system on the Java card. The encrypted live template and the stored salted template will be compared to establish whether the user is genuine or not. The user will be authenticated based on the value of the decision if it passes a certain threshold value.

Resources

The resources we intend to use to complete this research are Google Scholar, IEEE Xplore and Research Gate.

Connection to the courses of the MISSM Program

Various courses of the MISSM program are linked to the proposed research, as explained below:

Cryptography: The basics of biometrics and Java card technology, using challenge and response for any type of environment such as banking, high-security settings etc. Also, RSA certificates for web authentication during communication with the server.

Security Policies: Different policies and standards governing the management of biometric information, i.e. ISO/IEC standards etc. Also, various policies that can be implemented to ensure sound use of the proposed method.

Governance, Risk and Control: Considering the advantage of the defense-in-depth concept by adding an additional layer of security, for the idea of risk management in physical access authentication/security.

Review of related research

The research related to this proposal contains the discussion of the match-on-card and system-on-card approaches and how system-on-card technology provides additional security and privacy to the user. The review is divided into four sections as described below.

Fingerprint Authentication Systems

Biometrics are automated methods of establishing a person's identity based on his/her physical or behavioral characteristics [1]. There are various physical characteristics that can be used for an authentication system, such as iris, fingerprint, palmprint, hand vein pattern etc.
For each biometric authentication system, a biometric is chosen based on various components such as Universality, Uniqueness, Accuracy, Maturity and Strength, as described in Smart Cards and Biometrics [2]. Fingerprints are the most widely used since the origin of biometrics. The following matrix table clearly shows that the fingerprint is the most suitable biometric trait that can be used.

Figure 1. Report of Defense Science Board Task Force on Defense Biometrics [2]

Like any other authentication system, a fingerprint authentication system also consists of four basic important components: input mechanism, matching methodologies, decision making procedures and a database of biometric information. A conventional biometric authentication system consists of two phases, Enrollment and Verification, as explained in Figure 2 [3].

Fig 2. Framework for fingerprint Authentication System [3]

During the Enrollment phase, the user is asked to input a fingerprint. Different features are extracted from this fingerprint and a template is created by a one-way function that transforms the extracted features into a numeric form using different functions. This template is stored in a database which is used during the second phase of authentication, i.e. Verification.

During the Verification phase, the user is again asked to provide a fingerprint. Again a template, called the live template, is generated from the input fingerprint, and then the stored template in the database and the live template are compared to authenticate the user as genuine or not.

The proposed research focuses on a template protection algorithm to protect the biometric templates (or references) before storing them in the database. Templates are generated by extracting specific features from a biometric trait (in this case the fingerprint) of the user. The template is a shorthand description [12] which provides essential information about the legitimate fingerprint.
Templates can be stored in the database as such, without passing them through any protection algorithm, which saves time, and fewer resources are required for the whole process. But unprotected templates are a very serious threat to the integrity of the whole fingerprint authentication system (or any biometric authentication system). Also, the template can be easily manipulated and is used for speed of comparison.

As demonstrated by Ross et al. in [13], information can be extracted out of the template and the original fingerprint can be regenerated. In their paper, three levels of information were obtained from the minutiae template of a fingerprint. The information about orientation field, fingerprint class and friction ridge structure was extracted and, based on that information, the fingerprint was synthesized again. This proves that the notion that getting the original fingerprint from the template is nearly impossible is untrue. Hence, the protection of the template is very crucial and cannot be ignored.

Fingerprint templates are generated from specific features of the fingerprint input by the user. A fingerprint template includes information for each minutia point, such as the position of the point on an XY-axis, the distance of one minutia from all others, or gradient information of each minutia. Gradient information gives the slope of the line segment extending from the minutia being described [12], as shown in the figure. All this information for each minutia of a finger makes up the fingerprint template for that finger. Similarly, a template for each finger can be constructed and stored in the database. Templates can be a two-dimensional matrix in which rows represent each minutia and columns represent different types of information about that minutia.
Examples of standard and widely used template formats are ANSI INCITS 378-2004 and ISO/IEC 19794-2.

The ANSI INCITS 378-2004 template format consists of three standards for fingerprint data interchange, which are as follows:

ANSI INCITS 377-2004 Finger Pattern Data Interchange Format
This standard defines the content, format and units of measurement for the exchange of finger image data that may be used in the verification or identification process of a subject [14]. It exchanges the unprocessed image of the fingerprint. This standard is used where there is no limit on resources such as storage and transmission time.

ANSI INCITS 378-2004 Finger Minutiae Format For Data Interchange
The Finger Minutiae Format for Data Interchange standard specifies a method of creating biometric templates of fingerprint minutiae, such as ridge endings and bifurcations [14]. The structure of the minutia data format is defined in the figure below. The extended data blocks contain additional information about the minutia.

Fig. Structure of Minutia Data Format, extracted from [14].

ANSI INCITS 381-2004 Finger Image-Based Data Interchange Format
The Finger Pattern Based Interchange Format standard specifies a method of creating biometric templates of fingerprint biometric information using ridge pattern measurements found in fingerprints. The fingerprint image is reduced and then grouped into small cells of 5*5 pixels. Then these cells are analyzed separately [14].

The template generated may be used for two principal purposes [14], which are identification and verification. In both cases a live template generated from the fingerprint input by the user is compared with the template stored in the database. The chance of these two templates being an exact match is very small because of dirt, injury or poor quality of the fingerprint itself [14]. Therefore, a threshold value is specified, which is called a correlation coefficient [14]. The value of this coefficient must be set specifically for the required performance.
This is because if this value is high then there is a high chance of false rejection (FRR), and if this value is low then there is a high chance of false acceptance (FAR). Examples of applications of fingerprint authentication systems are law enforcement for identification of criminals, airports to provide rapid services to a high number of passengers etc.

In a conventional fingerprint authentication system, there are various points of attack, as identified by Ratha et al. [4], which can be exploited by an adversary, as seen in Fig 3 [5]. The different attacks that can be performed on these points can be grouped into four categories [5]:

Attacks at user interface: These types of attacks use a fake finger made of gelatin or latex, and a false fingerprint is given as input to the reader device that captures the fingerprint. These types of attacks can be mitigated by developing hardware and software solutions more sensitive to the liveness of the fingerprint.

Attacks at interfaces between modules: Different modules of fingerprint authentication systems communicate with each other. For example, the fingerprint reader sends the fingerprint image to the feature extractor module (Fig 3) through a communication channel. If this channel is not secured physically or cryptographically [5], then the data can be intercepted and the attacker can get access to the authentic fingerprint. Another attack that can be performed is to launch replay or hill-climbing attacks [5].

Attacks on the modules: An adversary can attack either the communication channel or the modules themselves. Securing the channel using cryptographic measures does not secure the entire authentication system. An attacker can execute various attacks to take possession of modules and force them to work according to his/her will and intentions.
This can cause the system to deny even the legitimate user and allow an illegitimate user by feeding wrong input or modifying the decision.

Attacks on the template database: The templates stored in the database can be attacked, and this is one of the most potentially damaging attacks [5]. These attacks can be performed either to modify the templates or to retrieve the original fingerprint.

Fig 3. Points of attack in a generic biometric authentication system [5]

All these attacks can compromise the authentication system and present a threat to access privileges for sensitive data or locations. Some of the attacks that can be performed and are described in the figure above include presenting an artificial finger made from either silicone or gelatin. This synthetic finger has a fingerprint printed on the side facing the sensor. This fake finger is then used to give input to the system. This attack can be prevented by improving the liveness detection of the hardware as well as the software, as described in [15]. Replay of old data can be mitigated by limiting the number of attempts an individual can make before permanently locking the person out of the system. The communication channel which is used to transmit the template from the database to the matcher module can be intercepted and the template can be obtained while in transit. So, additional security measures need to be taken, such as establishing encrypted channels, which is again an overhead. If the template is modified in transit, then the attacker can perform a DoS attack and prevent the genuine user from getting access to the system. Similarly, the final decision can be modified to allow the attacker to enter the system. Also, if the matcher is overridden by the attacker then the decision of the matching is compromised without any doubt and hence the whole system is compromised.

Smart Card

Smart cards are also called Integrated Circuit Cards (ICC) in the ISO/IEC 7816 standard. These types of cards are made of plastic with a metallic chip inside.
There are two types of chips, as described in [11], which are memory chips and microprocessor chips. Memory chips consist of control logic [11] and are used for storage purposes. These chips are used to store data only. Microprocessor chips, in contrast, have a programmable processing unit along with a calculation unit and a small amount of storage to carry out various operations. A plastic card with a microprocessor chip is called a smart card [11].

These types of cards can be used for various purposes such as payment, authentication, document storage, portable file storage etc. Different applications of the smart card require different operations to be performed by the CPU embedded in the chip. The CPU of the smart card requires power to carry out the operations, which is the reason that a card reader device is an essential component of the authentication system. The smart card and the card reader terminal communicate with each other to transfer data.

The terminal requires different information and responses from the card to carry out the desired operations. To get the required service, the terminal sends a request to the card, which is received by the on-card application; it executes the operations as requested and provides the terminal with responses. The communication between the card and the terminal is protected by establishing a secure channel. Also, different cryptographic algorithms are used for protection of the information transmitted between the terminal and the card. These algorithms are processed using the calculation unit embedded in the microprocessor chip. The secure channel is established using cryptographic protocols. The transmission occurs analogously to communication using the OSI reference model [11].

The transmission of data between the card and the reader takes place in units called APDUs (Application Protocol Data Units). There are two types of APDUs, which are categorized as command APDUs and response APDUs.
ISO/IEC 7816-4 defines a command set consisting of various commands (some are mandatory and others are optional) for the development of applications by different industries. The basic idea behind this approach is that an application developed by any vendor will be compatible with the chip card. The structure of an APDU can be found in the Appendix.

Smart cards have card managers to administer and manage all the card system services [12] and operations. The card manager can be viewed as an entity that provides functions very similar to the runtime environment of the card, represents the card issuer and verifies the user's identity. It can also be seen as three different entities, as described in GlobalPlatform Card Specification 2.1.1, as follows:

The GlobalPlatform Environment
The Issuer Security Domain
The Cardholder Verification Methods

The Issuer Security Domain can be considered as the entity representing the card issuer on-card. It consists of data that shall be stored on-card, as listed below [12]:

Sr. No. / Name (Tag of ISO/IEC 7816) / Description

a. Issuer Identification Number (Tag 42): Maps the card to a particular card management system. It is of variable length.
b. Card Image Number (Tag 45): Used by the card management system to identify the card among its database. Also has variable length.
c. Card Recognition Data: Provides information about the card before communication starts between the card and the card management system. It is contained in the Directory Discretionary Template (Tag 73).
d. On-card Key Information: Different keys are stored in the persistent memory of the card. A key consists of various attributes such as key identifier, key version number, associated cryptographic algorithm and key length. All key components associated with an entity (e.g. symmetric and asymmetric keys are two different entities) have the same key identifier. Keys are managed by the Issuer Security Domain.

These data in the Issuer Security Domain can be accessed using the GET DATA command.

Fingerprint Match-on-card and Fingerprint System-on-card

In a conventional biometric authentication system, a template generated during verification is sent to a server, where it is matched with the stored template in the database. The live template must be protected against attacks while in transit to the server. Even though templates are the results of a one-way function, the original fingerprint image can still be prepared using different attacks.

To address the problem of template compromise in transit, the modules of biometric authentication systems described in Fig 3 can be grouped together. These types of groupings can be used to counter the attacks described above. In the Encyclopedia of Biometrics article, Chen Tai Pang, Yau Wei Yun, Jiang Xudong and Mui Keng Terrence explained four different types of approaches that can be taken to group the modules and place grouped components of the authentication system on an authentication card (which is also called a smart card) such as a Java card. These approaches are a) Template on-card, b) Match-on-card, c) Work sharing on-card and d) System-on-card.

This research focuses on the limitations of the Match-on-card approach and the features of the System-on-card approach that overcome these limitations. These approaches are described below. The limitations and how they affect the integrity of the biometric authentication system are also defined.

Match-on-card is defined as the process of performing comparison and decision making on an integrated circuit (IC) card or smartcard where the biometric reference data is retained on-card to enhance security and privacy [6]. During enrollment, the template generated from the fingerprint is stored in the secure area of the card's storage.
To accomplish on-card matching, a live template is generated after capturing and feature extraction of the user's fingerprint using an interface device. This live template is uploaded to the card for the verification process.

On-card matching follows the same process flow as defined in Fig 4, but with a Matcher and a Database module that holds the stored template on-card. The matching function executes on-card rather than on a server. This solves the problem of attacks on the interfaces of modules described above. Fig 3 explains the match-on-card process for biometric verification [6].

Fig 4. On-card matching process [6]

The user inputs his/her fingerprint using the biometric terminal. Features are extracted from the input and a live template (here called the query template) is generated. This query template is generated off-card but sent to the card for matching. The card's matcher module retrieves the stored template from the secure storage area of the card and compares the two templates. This comparison result is handed over to the on-card application and thus the original template and the result always reside on the card. The line shown in the figure represents the application firewall that restricts the application's access to the matching module [6].

Attacks on interfaces between modules also lead to attacks on the database in which templates are stored. If the interfaces or the communication channel are compromised, then the data travelling among different modules can also be compromised. If not intercepted, the data can at least be modified to execute a DoS attack against a legitimate user. To deal with this limitation, the system-on-card approach can be used.

System-on-card means the whole biometric verification process, including the acquisition, is performed on the smartcard. The smartcard incorporates the entire biometric sensor, with processor and algorithm [6].

Fig 5. System-on-card Technology [6]

A smartcard equipped with a fingerprint reader is inserted into an interface device which provides time and power to the card.
Then the user is asked to provide his/her fingerprint, which is captured by the fingerprint reader on-card. Different features are extracted from the fingerprint and different algorithms incorporated on-card [6] transform that input into a mathematical form (template). The template is stored in the secure area of the card's storage. The whole process takes place on-card, providing more security and privacy to the user. System-on-card is more secure because the stored template and the query template are always present on-card and only the result is sent to the host-side application.

Template Security

This research focuses on the security of the template before storing it in the database. The fingerprint of an individual is unique. This makes it an ideal factor for authentication systems. No two persons can have the same fingerprints, which provides high security, privacy and integrity to authentication systems using fingerprints. Even though this makes biometrics strong among all other factors of authentication, it is also its weakest point. Unlike other computational algorithms, the biometric information of a person is unique and, once compromised, cannot be recreated. This makes the protection of templates very crucial to protect the integrity of biometric authentication systems.

Two approaches can be considered to secure the templates. Either a) the database can be protected against different attacks by implementing various security measures such as firewalls, or b) the templates themselves can be protected against attacks so that even if the database is compromised, the original fingerprint can still be protected. The template itself is very specific information, which makes it of little use to an attacker trying to get the original fingerprint image from the template.
But it is still possible to create the original fingerprint using the algorithm defined in [13].

According to the ISO/IEC 24745 [7] standard, all biometric template protection systems must fulfill three main requirements:

Noninvertibility: It should be very difficult to retrieve the original template from the final protected template reference stored in the database. The noninvertibility prevents the abuse of stored biometric data for launching spoof or replay attacks, thereby improving the security of the biometric system [3].

Revocability: It should be computationally hard to obtain the original biometric template from multiple instances of protected biometric reference derived from the same biometric trait of an individual [3]. It makes it possible for the issuer to issue a new template to the user in case of a compromise, without worrying about the probability of success for an attacker using the old template.

Nonlinkability: It should be difficult to establish a relationship among different instances of templates derived from the same biometric characteristic of a user. The nonlinkability property prevents cross-matching across different applications, thereby preserving the privacy of the individual [3].

Methods for Biometric Template Protection

As described by Anil K. Jain, Karthik Nandakumar and Abhishek Nagar in their article Biometric Template Security [8], template protection schemes can be categorized into two main groups, viz. feature transformation and biometric cryptosystem, as shown in Fig 6.

Fig 6. Template Protection approaches [8]

In feature transformation, a feature transformation function is applied to the biometric template [8]. The new template generated after feature transformation is stored in the database, rather than the template generated after feature extraction. This transformation provides more security because it makes the template more random and makes it almost impossible for an attacker to retrieve the original template, and hence more difficult to obtain the original fingerprint image.
The two methods for feature transformation are Salting and Noninvertible transform.

Salting: It is also called biohashing. In this approach a biometric template (here, a fingerprint template) is taken as input and a mathematical function defined by a specific key is applied. A token number or a key is used to increase the entropy of the template, which makes the template difficult for an attacker to guess [2]. The name salting is used because the key that protects the template in this method is called the salt. This approach is invertible, which means that using the key, the original template can be obtained from the transformed template. Transformation functions that satisfy the requirements of this approach can be designed.

Noninvertible Transform: This approach is similar to the previous one, i.e. salting, with the difference that this method is non-invertible, which means a transformed template is very difficult to invert to the original template. Non-invertible transform refers to a one-way function that is easy to compute but hard to invert [8]. Hence, more security is provided by this approach because even if the key is known to the attacker, he/she still cannot retrieve the original template.

Comparing these two approaches based on the description above, the non-invertible transform seems an obvious choice for security. But that is not true. Salting is invertible, but it supports the revocability property of biometric template protection. This means that if a key is leaked and the transformed template is accessible to the attacker, then the template can easily be replaced using a new key. Also, key usage causes low FAR. The non-invertible transform, in contrast, presents a tradeoff between discriminability and non-invertibility [8]. This means the transformed template using different features of the same user should be the same but different from that of another user, while also fulfilling the noninvertible property. It is difficult to design such a transformation function [8].

Salting is done using a specific key or token.
Any key or token used for salting is secure

Description of Proposed Research

Considering the above knowledge, the research will focus on a method to protect the template stored on the card. The proposed method will protect the biometric template stored on the card by salting the template. The research will focus mainly on the proposed method of salting the template. Other elements will also be included in the research as required, to propose a robust and secure system that uses the method for salting. It is assumed that the enrollment phase is done in a secure environment and the verification phase can be done in an untrusted zone.

The research will look deep into the method to develop a more random and strong salt for biometric template protection. The system-on-card approach will be used because the privacy and security level it provides is maximum, as shown in Fig 7. All the computation and execution is done on the card and the terminal is only sent the final YES/NO to grant access to the user.

The method uses the following elements:

Authentication card with fingerprint reader embedded on card
Various templates
Random number generator
Serial number of Java card
PIN
Cryptographic certificates using RSA asymmetric key cryptography
Counter

The proposed method uses three components of a biometric authentication system:

Who am I (Live Template)
What I have (Authentication Card)
What I know (PIN)

These three components are used not only for authentication of a user but also for salting the template stored on the card.

At the time of enrollment, the Java card with fingerprint reader is inserted into the terminal (to provide power and time to the card). The user is asked to input the fingerprint (who I am) of a finger chosen randomly by the system. Then the system generates the salt using the serial number of the Java card (what I have) and a randomly generated 4-digit PIN (what I know). The user has to remember this PIN for verification, as it will be forgotten forever after the enrollment process is finished.
The salt prepared by combining the three components is then used to encrypt the templates to be stored on the card.

Fig 7. Java card with fingerprint reader

The salt prepared can be written in a generalized form as:

Salt = Serial number of authentication card + Template of fingerprint from a finger chosen randomly + Randomly generated PIN by enrollment system.

During verification, the user inserts the card into the terminal and has to provide:

Fingerprint used during enrollment phase to prepare salt
4-digit PIN

Using these inputs and the serial number stored on the chip of the Java card, the salt is prepared again. Then the user is asked again to provide the fingerprint of a finger chosen randomly by the system. A query template is generated again and is salted using the salt prepared. Then the two salted templates are compared, and if the decision passes the threshold value then the user can be considered authentic and the decision is sent to the server through the terminal to grant the user access. Certificates signed with digital signatures using RSA asymmetric encryption (using 4096 bits) are used for communicating the decision to the server. Each time a decision is sent to the server, the counter on the server increments by 1 if the user fails to authenticate, and otherwise resets to zero.

If the counter reaches 4 (the user fails to authenticate 4 times consecutively) then the Java card is blocked and requires a reset by the issuing body. Performing all the activities (from fingerprint capture to decision making) on-card provides highest security, little privacy concern, interoperability, scalability and mobility [9].

To summarize the whole process, it can
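A runnable sketch of the enrollment and verification flow described above, added as an illustration and not the author's implementation. It assumes a BioHash-style sign projection as the salting transform, a stable byte code standing in for the enrollment finger, constructed feature vectors and a 0.85 match threshold; all names are hypothetical.

```python
import hashlib
import random

N_BITS = 256        # length of the salted (transformed) template
THRESHOLD = 0.85    # fraction of matching bits needed to accept (assumed value)
MAX_FAILS = 4       # the page blocks the card after 4 consecutive failures


def derive_salt(card_serial: bytes, pin: str, finger_code: bytes) -> bytes:
    """Combine what I have (serial), what I know (PIN) and what I am (finger).

    finger_code is assumed to be a stable, quantized code of the enrollment
    finger; a raw noisy capture would not reproduce the same bytes.
    """
    secret = pin.encode() + b"|" + finger_code
    return hashlib.pbkdf2_hmac("sha256", secret, card_serial, 50_000)


def salted_template(features, salt: bytes, n_bits: int = N_BITS):
    """Project the features onto salt-seeded random directions, keep the signs."""
    # random.Random only expands the salt deterministically for this demo;
    # a real design would use a keyed cryptographic generator instead.
    rng = random.Random(salt)
    bits = []
    for _ in range(n_bits):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(d * f for d, f in zip(direction, features))
        bits.append(1 if dot >= 0 else 0)
    return bits


def similarity(a, b) -> float:
    """Fraction of equal bits (1 minus the normalized Hamming distance)."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


class EnrolledCard:
    """State kept after enrollment: serial and salted template, never the PIN."""

    def __init__(self, serial, pin, finger_code, features):
        self.serial = serial
        salt = derive_salt(serial, pin, finger_code)
        self.stored = salted_template(features, salt)
        self.fails = 0  # the page keeps this counter on the server

    def verify(self, pin, finger_code, live_features) -> str:
        if self.fails >= MAX_FAILS:
            return "BLOCKED"
        salt = derive_salt(self.serial, pin, finger_code)  # salt is rebuilt
        live = salted_template(live_features, salt)
        if similarity(self.stored, live) >= THRESHOLD:
            self.fails = 0
            return "YES"
        self.fails += 1
        return "BLOCKED" if self.fails >= MAX_FAILS else "NO"


def constructed_features(seed: int, n: int = 32):
    """Constructed stand-in for a zero-mean fingerprint feature vector."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def noisy(features, seed: int, sigma: float = 0.05):
    """The same finger captured again: small sensor noise on every feature."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


if __name__ == "__main__":
    serial, code = b"JC-0001-CONSTRUCTED", b"\x12\x34\x56\x78"
    alice = constructed_features(1)
    card = EnrolledCard(serial, "4821", code, alice)
    print(card.verify("4821", code, noisy(alice, 7)))          # genuine user
    print(card.verify("0000", code, noisy(alice, 8)))          # wrong PIN
    print(card.verify("4821", code, constructed_features(2)))  # other finger
    reissued = EnrolledCard(serial, "9313", code, alice)       # new PIN, same finger
    print(round(similarity(card.stored, reissued.stored), 2))
```

Re-enrolling the same finger under a new PIN gives a stored template that agrees with the old one on only about half of its bits, which is the revocability property the page attributes to salting.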