Thursday, September 5, 2019

Protection of Biometric Templates

Protection of Biometric Templates Protection of Biometric Templates Stored on an Authentication Card by Salting the Templates Problem Statement The proposed research addresses the problem of protection of biometric data stored on templates using a system-on-card approach for smart cards by proposing a method to salt the templates. Research Statement This research proposes a robust and resilient method to salt the templates stored and matched on-card. It prepares a salt using a fingerprint template of a randomly chosen finger, the serial number of authentication card and a system generated random PIN. The salt is used to encrypt the templates of different fingerprint templates created and stored on card. During authentication, a template of the finger chosen randomly to prepare the salt during the enrollment phase is obtained and a PIN is provided by user. These two inputs along with the serial number of card is used to prepare the salt and again encrypt the live template provided by user for authentication. Once, the stored encrypted template and the created encrypted template matches, the user can be considered genuine and granted access further. This method is implemented on system-on-card smart cards to provide users more security and privacy. Abstract This research proposes to provide a secure method to prepare salt for encryption of templates stored on the authentication card using what I am, what I have and what I know which is highly resistant to known attacks against match on card technology. The user will be provided with a Java card with an embedded fingerprint reader on the card. The user has to provide a fingerprint which will be captured by reader embedded on-card and this fingerprint will be used to prepare salt along with serial number of Java card and a 4-digit PIN input by user. The salt will be prepared to encrypt the live template of another fingerprint chosen randomly by system, generated by the system on Java card. The encrypted live template and the stored salted template will be compared to establish if the user is genuine or not. The user will be authenticated based on the values of decision if it passes a certain threshold value. Resources The resources we intend to use to complete this research is Google Scholar, IEEE Xplore, Research Gate. Connection to the courses of the MISSM Program Various courses of MISSM program are linked to the proposed research as described below: Cryptography: The basics of Biometrics and JAVA card technology, using challenge and response for any type of environment such as banking, high-security settings etc. Also, RSA certificates for web authentication during communication with server. Security policies: Different policies and standards governing the management of biometric data i.e. ISO/IEC standards etc. Also, different policies that can be implemented to ensure sound use of proposed method. Governance Risk and Control: Considering the advantage of defense-in-depth concept by adding an additional layer of security for the notion of risk management in physical access authentication /security. Review of related research The research related to this proposal contains the discussion of match-on card and system-on-card approach and how system-on-card technology provides additional security and privacy to user. The review is divided into four section as described below: Fingerprint Authentication Systems Biometrics are automated methods of establishing a persons identity based on his/her physical or behavioral characteristics [1]. There are various physical characteristics that can be used for authentication system such as iris, fingerprint, palmprint, hand vein pattern etc. For each biometric authentication system, a biometric is chosen based on various factors such as Universality, Uniqueness, Accuracy, Maturity, Durability as described in Smart Cards and Biometrics [2]. Fingerprints is most widely used from the date of origin of biometrics. The following matrix table clearly shows that fingerprint is most suitable biometric trait that can be used. Fig 1. Report of Defense Science Board Task Force on Defense Biometrics [2] Like any other authentication system, fingerprint authentication system also consists of four basic fundamental components Input mechanism, Matching methodologies, Decision making procedures and database of biometric information. A conventional biometric authentication system consists of two phases: Enrollment and Verification as explained in Fig 2 [3]. Fig 2. Framework for Fingerprint Authentication System [3] During Enrollment phase, user is asked to input a fingerprint. Different features are extracted from this fingerprint and a template is created by a one-way function that transforms the features extracted into a mathematical form using different functions. This template is stored in a database which is used during second phase of authentication i.e. Verification. During Verification phase, user is again asked to provide fingerprint. Again a template called live template from the input fingerprint is generated and then the stored template in database and live template are compared to authenticate the user as genuine or not. The proposed research focus on template protection algorithm to protect the biometric template (or reference) before storing them in database. Templates are generated by extracting specific features from a biometric trait (in this case it is fingerprint) of user. The template is a short hand description [12] which provides essential information about the original fingerprint. Templates can be stored in database as such without passing them through any protection algorithm, which will save time and less resources are required for whole process. But unprotected templates are very serious threat to the integrity of whole fingerprint authentication system (or any biometric authentication system). Also, the template can be easily manipulated and is used for speed of comparison. As demonstrated by Ross et. al. in [13] that information can be extracted out of the template and original fingerprint can be regenerated.ÂÂ   In their paper, three level of information was obtained from the minutiae template of fingerprint. The information about orientation field, fingerprint class and friction ridge structure was extracted out and based on that information the fingerprint was synthesized again. It proves the notion that getting original fingerprint from the template is nearly impossible to be untrue. Hence, the protection of template is very crucial and cannot be ignored. Fingerprint templates are generated from specific features of the fingerprint input by user. Fingerprint template includes information for each minutiae point, such are position of the point on an XY-axis, distance of one minutia from all others or gradient information of each minutia. Gradient information gives the slope of the line segment extending from minutia being described [12] as shown in fig. All this information for each minutia of a finger makes a fingerprint template for a finger. Similarly, template for each finger can be constructed and stored in database. Templates can be a two dimensional matrix in which rows represents each minutia and column represents different type of information about that minutia. Examples of standardized and widely used template formats are ANSI INCITS 378-2004 and ISO/IEC 19794-2. ANSI INCITS 378-2004 template format consist of three standards for fingerprint data interchange which are as follows: ANSI INCITS 377-2004 Finger Pattern Data Interchange Format This standard defines the content, format and units of measurement for the exchange of finger image data that may be used in the verification or identification process of a subject [14]. It exchanges unprocessed image of fingerprint. This standard is used where there is no limit on the resources such as storage and transmission time. ANSI INCITS 378-2004 Finger Minutiae Format For Data Interchange The Finger Minutiae Format for Data Interchange standard specifies a method of creating biometric templates of fingerprint minutiae, such as ridge endings and bifurcations [14]. The structure of minutia data format is defined in the figure below. The extended data blocks contain additional information about the minutia. Fig Structure Minutia Data Format extracted out from [14]. ANSI INCITS 381-2004 Finger Image-Based Data Interchange Format The Finger Pattern Based Interchange Format standard specifies a method of creating biometric templates of fingerprint biometric information using ridge pattern measurements found in fingerprints. The fingerprint image is reduced and then grouped into small cells of 5*5 pixels. Then these cells are analyzed separately [14]. The template generated may be used for two principal purposes [14] which are identification and verification. In both cases a live template is generated from fingerprint input by user is compared with the template stored in database. The chances of these two templates being an exact match is very small because of dirt, injury or poor quality of fingerprint itself [14]. Therefore, a threshold value is specified which is called a correlation coefficient [14]. The value of this coefficient must be set particular to the application. This is because, if this value is high then there a high chance of FRR and if this value is low, then there is high chance of FAR. Examples of application of fingerprint authentication system are law enforcement for identification of criminals, airports to provide rapid services to a high number of passengers etc. In a conventional fingerprint authentication system, there are various points of attack as identified by Ratha et. al. [4] which can be exploited by an adversary as seen in Fig 3 [5]. Different attacks that can be performed on these points can be grouped into four categories [5]: Attacks at user interface: These types of attacks use fake finger made of gelatin or latex and fabricated fingerprint is given as input to reader device that captures the fingerprint. These types of attacks can be mitigated by developing hardware and software solutions more sensitive to the liveness of the fingerprint. Attacks at interfaces between modules: Different modules of fingerprint authentication systems communicate with each other. For example, fingerprint reader sends the fingerprint image to feature extractor module (Fig 3) through a communication channel. And if, this channel is not secured physically or cryptographically [5] then the data can be intercepted and attacker can get access to the original fingerprint. Another attack that can be performed is to launch replay or hill- climbing attacks [5]. Attacks on the modules: An adversary can attack either the communication channel or the modules itself. If the channel is secured using cryptographic measures that does not secure the entire authentication system. An attacker can execute various attacks to take possession of modules and force them to work according to his/her will and intentions. This can cause system to deny even the legitimate user and allow illegitimate user by feeding wrong input or modifying the decision. Attacks on the template database: The templates stored in database can be attacked and is one of the most potentially damaging attack [5]. These attacks can be performed either to modify the templates or retrieve the original fingerprint. Fig 3. Points of attack in a generic biometric authentication system [5] All these attacks can compromise the authentication system and present a threat to access privileges of sensitive data or location. Some of the attacks that can be performed and described in figure above include presenting synthetic finger made from either silicone or gelatin. This synthetic finger has a fingerprint printed on the side facing the sensor. Then this fake finger is used to give system input. This attack can be countered by improving the liveness detection of the hardware as well as software as described in [15]. Replay of old data can be mitigated by limiting the number of attempts an individual can make before permanently locking out the person from the system. Communication channel which is used to transmit template from database to matcher module can be intercepted and template can be obtained while in transit. So, additional security measures are needed to be taken such as establishing encrypted channels which is again an overhead. If the template is modified in tra nsit, then attacker can perform DoS attack and prevent genuine user from getting access to the system. Similarly, if the final decision can be modified and allows the foster to enter into system. Also, if the matcher is overridden by attacker then the decision of the matching is compromised without any doubt and hence, the whole system is compromised. Smart Card Smart cards are also called Integrated Circuits Card (ICC) in ISO/IEC 7816 standard. These types of cards are made of plastic with a metallic chip inside it. There are two types of chips as described in [11] which are memory chips and microprocessor chips. Memory chips consists of control logic [11] and are used for storage purposes. These chips are used to store data only. Whereas, microprocessor chips have a programmable processing unit along with a calculation unit and little storage to carry put various operations. A plastic card with microprocessor chip is called smart card [11]. These type of cards can be used for various purposes such as payment, authentication, document storage, portable files storage etc. For different applications of the smart card require different operations to be performed by CPU embedded in the chip. CPU of the smart cards require power to carry out the operations which is the reason that a card reader device is necessary component of the authentication system. The smart card and card reader terminal communicates with each other to transfer data. Terminal requires different information and responses from the card to carry out the desired operations. To get required service, terminal sends a request to the card which is received by on-card application and executes the operations as requested and provide terminal with responses. The communication between the card and the terminal is protected by establishing a secure channel. Also, different cryptographic algorithms are used for protection of information transmitted between terminal and the card. These algorithms are processed using the calculation unit embedded in the microprocessor chip. The secure channel is established using cryptographic protocols. The transmission occurs similar to communication using OSI reference model [11]. The transmission of data between card and the reader takes place in units called APDU (Application Protocol Data Unit). There are two types of APDUs which are categorized as command APDUs and response APDUs.ÂÂ   ISO/IEC 7816-4 defines a command set consisting of various commands (some are mandatory and others are optional) for development of the applications by different industries. The basic idea behind this approach is that an application developed by any vendor will be compatible with the chip card. Structure of APDU can be found in Appendix. Smart cards have card managers to administer and manage all the card system services [12] and operations. It can be viewed as an entity that provides functions very similar to runtime environment of card, represents the card issuer and verifies the users identity. It can also be seen as three different entities as described in GlobalPlatform Card Specification 2.1.1, as follows: The GlobalPlatform Environment The Issuer Security Domain The Cardholder Verification Methods Issuer Security Domain can be considered as entity representing card issuer on-card. It consists of data that shall be stored on-card as listed below [12]: Sr, No, Name (Tag of ISO/IEC 7816) Description a. Issuer Identification Number (Tag 42) Maps the card to a particular card management system. It is of variable length. b. Card Image Number (Tag 45) Used by card management system to identify the card among its database. Also, has variable length. c. Card Recognition Data Provides information about the card before communication starts between card and card management system. It is contained in Directory Discretionary Template (Tag 73) d. On-card key Information Different keys are stored in persistent memory of card. Key consists of various attributes such as key identifier, key version number, associated cryptographic algorithm and key length. All key components associated with an entity (e.g. symmetric and asymmetric key are two different entities) has same key identifier Keys are managed by Issuer Security Domain These data in Issuer Security Domain can be accessed using GET DATA command. Fingerprint Match-on-card and Fingerprint System-on-card In a conventional biometric authentication system, a template generated during verification is sent to server where it is matched with the stored template in database. Live template must be protected against attacks while in transit to server. Even though templates are results of one-way function but original fingerprint image can still be prepared using different attacks. To address the problem of template compromise in transit, modules of biometric authentication systems described in Fig 3 can be grouped together. These types of groupings can be used to counter the attacks described above. In the article Encyclopedia of Biometric, Chen Tai Pang, Yau Wei Yun, Jiang Xudong and Mui keng Terrence explained four different types of approaches that can be taken to group the modules and placing grouped components of authentication system on an authentication card (which is also called a smart card) such as Java card. These approaches are a) Template on-card b) Match-on-card c) Work sharing on-card d) System-on-card This research focuses on limitations of Match-on-card approach and features of System-on-card approach that overcome these limitations. These approaches are described below. Also, the limitations and how they affect the integrity of biometric authentication system is also defined. Match-on-card is defined as the process of performing comparison and decision making on an integrated circuit (IC) card or smartcard where the biometric reference data is retained on-card to enhance security and privacy [6]. During enrollment, the template generated from the fingerprint is stored on the secure area of cards storage. To accomplish on-card matching, live template is generated after capturing and feature extraction of fingerprint of user using an interface device. This live template is uploaded to the card for verification process. On-card matching follows the same process flow as defined in fig 4 but with Matcher and Database module that has stored template on-card. Matching function executes on- card rather than on a server. This solves the problem of attack on interfaces of modules described above. Fig 3 explains match-on-card process for biometric verification [6]. Fig 4. On-card matching process [6] User inputs his/her fingerprint using Biometric terminal. Features are extracted from the input and a live template (or here its called query template) is generated. This query template is generated off-card but sent to card for matching. Cards matcher module retrieves the stored template from the secure storage area of card and compare two templates. This comparison result is handed over to on-card application and thus, original template and the result always resides on the card. Dotted line represents the application firewall that restricts the access of application to matching module [6]. Attacks on interfaces between modules also stems to attacks on database in which templates are stored. If the interfaces or the communication channel is compromised, then the data travelling among different modules can also be compromised. If not intercepted, at least modification can be performed to execute DoS attack for a legitimate user. To deal with this limitation, system-on-card approach can be used. System-on-card means the whole biometric verification process, including the acquisition, is performed on the smartcard. The smartcard incorporates the entire biometric sensor, with processor and algorithm [6]. Fig 5. System-on-card Technology [6] Smartcard equipped with fingerprint reader is inserted into an interface device which provides time and power to card. Then user is asked to provide his/her fingerprint which is captured by the fingerprint reader on-card. Different features are extracted out from the fingerprint and different incorporated algorithms on-card [6] transforms that input into a mathematical form (template). The template is stored in secure area of cards storage. The whole process takes place on-card providing more security and privacy to user. System-on-card is more secure because the template stored and query template is always present on-card and only the result is sent to host-side application. Template Security This research focus on the security of the template before storing it in database. Fingerprint of an individual is very unique. It makes it an ideal factor for authentication systems. No two persons can have same fingerprints providing high security, privacy and integrity to authentication systems using fingerprint. Even though this makes the biometrics strong among all other factors of authentication but it also is its weakest point. Unlike any other computational algorithms, biometric information of a person is unique and once compromised, cannot be recreated. It makes the protection of templates very crucial to protect the integrity of biometric authentication systems. Two approaches can be considered to secure the templates. Either, a) database can be protected against different attacks by implementing various security measures such as firewalls or b) templates can itself be protected against attacks so that even if the database is compromised, original fingerprint can still be protected. Since, the template itself is very specific information which makes it quite useless for attacker to get original fingerprint image from template. But it is still possible to create original fingerprint using the algorithm defined in [13]. According to ISO/IEC 24745 [7] standard, all the Biometric Template Protection Systems must fulfill three main requirements: Noninvertibility: It should very difficult to retrieve the original template from the final protected template reference stored in database. The noninvertibility prevents the abuse of stored biometric data for launching spoof or replay attacks, thereby improving the security of the biometric system [3]. Revocability: It should be computationally difficult to obtain the original biometric template from multiple instances of protected biometric reference derived from the same biometric trait of an individual [3]. It makes it possible for issuer to issue a new template to user in case of a compromise, without bothering about the probability of success for an attacker using the old template. Nonlinkability: It should be tough to establish relationship among different instances of templates derived from same biometric characteristic of user. The nonlinkability property prevents cross-matching across different applications, thereby preserving the privacy of the individual [3]. Methods for Biometric Template Protection As described by Anil K. Jain, Karthik Nandakumar and Abhishek Nagar in their article Biometric Template Security [8], Template protection schemes can be categorized into two main groups viz. feature transformation and biometric cryptosystem as shown in fig 6. Fig 6. Template Protection approaches [8] In feature transformation, a feature transformation function is applied to the biometric template [8]. The new template generated after feature transformations is stored in database rather than the template generated after feature extraction. This transformation provides more security because it makes the template more random and make it almost impossible for attacker to guess the original template and hence more difficult to obtain original fingerprint image. Two methods for feature transformation are: Salting and Nonivertible transform. Salting: It is also called biohashing. In this approach a biometric template (fingerprint template, here) is taken as input and a mathematical function is applied defined by a specific key. A token number or a key is used to increase the entropy of the template and so makes the template difficult for attacker to guess [2]. Salting is the name given because the key used in this method is called salt to protect the template. This approach is invertible which means using the key, original template can be obtained from transformed template. Transformation function that satisfy the requirements of this approach can be designed. Noninvertible Transform: This approach is similar to previous one i.e. salting with a little difference that this method is invertible which means a transformed template is very difficult to invert to original template. Non-invertible transform refers to a one-way function that is easy to compute but hard to invert [8]. Hence, more security is provided in this approach because if the key is known to attacker, he/she still cannot retrieve original template. Comparing these two approaches based on the description above, non-invertible transform seems an obvious choice for security. But thats not true. This is so because, salting in invertible but it supports revocability property of biometric template protection. It means if a key is leaked and transformed template is accessible to attacker then the template can be easily replaced using a new key. Also, key usage causes low FAR. Whereas, non-invertible transform presents a tradeoff between discriminability and non-invertibility [8]. It means the transformed template using different features of same user should be same but different from another user along with fulfilling noninvertible property. It is difficult to design such transformation function [8]. Salting is done using a specific key or token. Any key or token used for salting is secure Description of Proposed Research Considering the above knowledge, the research will focus on a method to protect the template stored on card. The proposed method will protect biometric template stored on card by salting the template. The research will focus mainly on the proposed method of salting the template. Also, other elements as required will be included in the research to propose a robust and secure system that use the method for salting. It is assumed that enrollment phase is done in a secure environment and verification phase can be done in an untrusted zone. The research will look deep into the method to develop a more random and strong salt for biometric template protection. System-on-card approach will be used because of the privacy and security level provided is maximum as shown in Fig 7. All the computation and execution is done on card and the terminal is only sent the final YES/NO to grant access to user. The method uses following elements: Authentication card with fingerprint reader embedded on card Various Templates Random Number Generator Serial Number of Java Card PIN Cryptographic Certificates using RSA asymmetric key cryptography Counter The proposed method uses three fundamental components of biometric authentication system: Who am I (Live Template) What I have (Authentication Card) What I know (PIN) These three components are not only used for authentication of a user but also for salting the template stored on card. At the time of enrollment, Java card with fingerprint reader is inserted into the terminal (to provide power and time to card). User is asked to input fingerprint (who I am) of a finger chosen randomly by system. Then the system generates salt using serial number of Java card (what I have) and randomly generated 4-digit PIN (what I know). User has to remember this PIN for verification as it will be forgotten forever after enrollment process is finished. Salt prepared by combining three components is then used to encrypt the templates to be stored on the card. Fig 7. Java card with fingerprint reader Salt prepared can be written in a generalized form as: Salt = Serial number of authentication card + Template of fingerprint from a finger chosen randomly + Randomly generated PIN by enrollment system. During verification, the users inserts the card into terminal and has to provide: Fingerprint used during enrollment phase to prepare salt 4-digit PIN Using these inputs and the serial number stored on the chip of Java card, the salt is prepared again. Then user is asked again to provide fingerprint of a randomly chosen finger by system. A query template is generated again and is salted using the salt prepared. Then two salted templates are compared, and if decision pass the threshold value then user can be considered authentic and the decision is sent to server through terminal to grant user access. Certificated signed with digital signatures using RSA asymmetric encryption (using 4096 bits) are used for communicating the decision with server. Each time a decision is sent to server, counter on server increments by 1, if the user fails to authenticate otherwise resets to zero. If the counter reaches 4 (user fails to authenticate itself 4 times consecutively) then the Java card is blocked and requires reset by issuing body. Performing all the activities (from reading fingerprint to decision making) on-card, provides highest security, little privacy concern, interoperability, scalability and mobility [9]. To summarize the whole process, it can

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.