Security and Privacy of Biometric Systems

With the rapid proliferation of biometric systems in desktop and mobile devices, the use of biometrics for identity verification or identification has raised considerable public concern about the security and privacy of biometric data over the last decade. This concern is well founded: biometric data is inextricably bound to a person's identity and, unlike a password, cannot be replaced, so a compromise amounts to a permanent loss of that identity. A recent example reported by the security firm FireEye showed that the HTC One Max (an Android-based smartphone) stored the captured fingerprint image unencrypted and unprotected as a world-readable file (FireEye report, 2015).

Based on the categorization proposed by Ratha et al. (2001), there are eight points at which attacks can be launched against a biometric system. In this thesis, these eight attack points are compiled and reorganized into seven attacks. An overview of the seven attack points is given in Fig. 1.4.

Fig. 1.4: Seven attack points in a biometric system (adopted from Ratha et al., 2001).

1. Spoofing: A fake biometric trait, such as a latex imitation of a fingerprint, may be presented at the sensor.

2. Replay Attack: Illegitimate data may be injected into the channel between the sensor and the feature extractor, e.g. a previously captured sample is resubmitted to the system.

3. Override Feature Extractor: The feature extraction module may be replaced by a Trojan horse program that emits attacker-chosen feature sets for matching.

4. Channel Attack: Genuine feature sets may be replaced by synthetic ones in transit between the feature extractor and the matcher, or the data passing between the system database and the matcher module may be altered.

5. Override Matcher: The matcher may be replaced by a Trojan horse program that produces whatever result the attacker intends.

6. Override Decision: The final decision produced by the matcher may be overridden in transit between the matcher module and the application.

7. Database Attack: Templates stored in the database may be modified or removed, or new templates may be deliberately inserted to enable intrusion.

This thesis addresses the seventh attack (the database attack) and focuses on designing a biometric template protection method.

The reason is that a database attack is among the most damaging of these attacks: it leads to serious security breaches and privacy threats against the stored biometric templates (Jain et al., 2008). Jain et al. (2008) highlight three consequences of a compromised template: (1) unauthorized access to the biometric system by replacing a genuine template with an impostor's template; (2) illegal acquisition of a genuine template to create a physical spoof, compromising both system security and user privacy; (3) abuse of a stolen template in various ways, e.g. cross-matching across databases and function creep.

For these reasons, a biometric system with strong template protection is urgently needed. In general, the design criteria for a biometric template protection scheme are (Teoh et al., 2006; Jain et al., 2008; Maltoni et al., 2009):

Diversity. Cross-matching of protected templates across different applications must be prevented.

Cancelability. A new template can be reissued once the old template is compromised.

Irreversibility/Non-invertibility. It should be computationally infeasible to derive the original biometric template from the protected template and the helper data.

Performance preservation. The accuracy of the unprotected system should be preserved or improved.

Generally, biometric template protection refers to a set of techniques that mitigate the consequences of a compromised template database being put to malicious use. Technically, it consists of designing a protection function and applying it to the unprotected template to generate a protected template, as depicted in Fig. 1.5. The template protection methods proposed in the literature can be broadly divided into two categories, namely the feature transformation approach (cancellable biometrics) and the biometric cryptosystem (helper data methods) (Jain et al., 2008), as shown in Fig. 1.6.

Fig. 1.5: Approach of biometric template protection.

Fig. 1.6: Categorization of Biometric Template Protection Methods (adopted from Jain et al., 2008).

Cancellable biometrics (Ratha et al., 2007; Jain et al., 2008) is designed specifically for biometric template protection. It applies an irreversible transform to the biometric template so that the security and privacy of the actual biometric are preserved; only the transformed templates, not the original biometric data, are stored. If a cancellable template is compromised, a new template can be regenerated from the same biometric by changing the transform.

Cancellable biometric schemes vary with the biometric modality; this thesis focuses solely on minutia-based fingerprint templates. Fig. 1.7 illustrates a block diagram of cancellable biometrics.

Fig. 1.7: A block diagram of cancellable biometrics.
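As an added illustration of the design criteria listed above and of the cancellable-biometrics block diagram (example code written for this page, not the thesis's own scheme or Ratha et al.'s), the following simplified BioHashing-style transform projects a fixed-length feature vector onto token-seeded random directions and keeps only the sign of each projection. The feature vectors are constructed stand-ins for a fixed-length fingerprint feature, the token strings are hypothetical, and real BioHashing orthonormalises the projection rows, which is omitted here.

```python
"""Cancellable biometrics via token-seeded random projection (simplified BioHashing).

Added illustration, not the thesis's scheme. The real-valued feature vector is a
constructed stand-in for a fixed-length fingerprint feature; the token is a
user- and application-specific secret that can be reissued.
"""
import hashlib
import random

DIM = 128    # length of the constructed feature vector
BITS = 128   # length of the protected binary template


def projection_matrix(token, dim=DIM, bits=BITS):
    """Pseudo-random Gaussian projection derived deterministically from the token,
    so the same token always yields the same transform and a new token a new one."""
    seed = int.from_bytes(hashlib.sha256(token).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def protect(feature, token):
    """Protected template: the sign of each token-seeded projection of the feature.
    Discarding the magnitudes makes the map many-to-one."""
    rows = projection_matrix(token, len(feature))
    return [1 if sum(r * v for r, v in zip(row, feature)) > 0 else 0 for row in rows]


def similarity(a, b):
    """Fraction of agreeing bits: 1.0 identical, about 0.5 for unrelated templates."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def constructed_feature(seed, dim=DIM):
    """Constructed stand-in for one user's fixed-length fingerprint feature."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def noisy(feature, sigma, seed):
    """Simulate a fresh acquisition of the same finger (intra-user variation)."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, sigma) for v in feature]


def demo():
    """Match scores for the situations the design criteria describe."""
    enrol = constructed_feature(seed=1)
    query = noisy(enrol, sigma=0.25, seed=2)
    impostor = constructed_feature(seed=7)
    # Hypothetical token names: application / user / issue number.
    app_a, app_b, reissued = b"app-A/user-42/v1", b"app-B/user-42/v1", b"app-A/user-42/v2"
    stored = protect(enrol, app_a)
    return {
        "genuine": similarity(stored, protect(query, app_a)),           # performance preservation
        "impostor": similarity(stored, protect(impostor, app_a)),       # other users still rejected
        "cross_app": similarity(stored, protect(enrol, app_b)),         # diversity: no cross-matching
        "after_reissue": similarity(stored, protect(enrol, reissued)),  # cancelability
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:14s} {score:.3f}")
```

With these parameters the genuine score stays around 0.9 while the impostor, cross-application and reissued templates all sit near 0.5, the value two unrelated bit strings agree at by chance: the old template is useless against the new one (cancelability), and records from two applications cannot be linked (diversity). The irreversibility criterion, however, is only partly met by a toy like this: the sign transform is many-to-one, but an attacker who learns the token also learns the projection matrix, and each stored bit then constrains the feature vector by a linear inequality, so non-invertibility here rests on the token staying secret rather than on the transform itself. A scheme that satisfies the criteria as stated must remain non-invertible even when the helper data (here, the token) is known.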

Biometric cryptosystems, on the other hand, either secure a cryptographic key using a biometric feature (key binding) or generate the cryptographic key directly from the biometric feature (key generation) (Jain et al., 2008). Two well-known key-binding instances, fuzzy commitment and fuzzy vault, were proposed by Juels and Wattenberg (1999) and Juels and Sudan (2006) respectively. For key generation, Dodis et al. (2008) introduced the primitives known as the secure sketch and the fuzzy extractor.
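As an added example of the key-binding approach (written for this page, not the construction as published by Juels and Wattenberg), the following fuzzy commitment binds a key to a binary template using a repetition code: enrolment stores only a hash of the key and the helper data (codeword XOR template), and verification XORs the helper with a fresh, noisy template and error-corrects the result back to the key. The binary template and key are constructed sample data; a real scheme would use a BCH or similar code sized to the template's genuine and impostor error rates. The `linkable` check at the end is included because the diversity criterion above is exactly where this construction is known to be weak.

```python
"""Fuzzy commitment (Juels and Wattenberg, 1999) demonstrated with a repetition code.

Added illustration, not code from the thesis or from the original authors. The
binary template stands in for a fixed-length fingerprint bit string.
"""
import hashlib
import random

REP = 5                          # each key bit is repeated REP times
T = (REP - 1) // 2               # bit flips correctable per block: 2
KEY_BITS = 32
TEMPLATE_BITS = KEY_BITS * REP   # 160


def encode(key):
    """Repetition-encode a list of key bits into a codeword."""
    return [b for b in key for _ in range(REP)]


def decode(word):
    """Majority-vote decode a (possibly corrupted) codeword back to key bits."""
    return [1 if sum(word[i:i + REP]) > REP // 2 else 0 for i in range(0, len(word), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_hash(key):
    """Commitment to the key; the key itself is never stored."""
    return hashlib.sha256(bytes(key)).hexdigest()


def commit(template, key):
    """Enrolment: bind key to template. Only the hash and the helper data are stored."""
    codeword = encode(key)
    if len(codeword) != len(template):
        raise ValueError("template length must equal codeword length")
    return {"key_hash": key_hash(key), "helper": xor(codeword, template)}


def decommit(stored, query):
    """Verification: return the key if query is within T flips per block of the
    enrolled template, else None. helper XOR query = codeword XOR (template XOR query),
    i.e. the codeword corrupted by exactly the biometric noise."""
    candidate = decode(xor(stored["helper"], query))
    return candidate if key_hash(candidate) == stored["key_hash"] else None


def linkable(stored_1, stored_2):
    """Cross-matching check an attacker can run on two stored records: if both
    helpers were built from the same template, their XOR is codeword XOR codeword,
    which for a linear code is itself a codeword (here: every block uniform)."""
    word = xor(stored_1["helper"], stored_2["helper"])
    return all(len(set(word[i:i + REP])) == 1 for i in range(0, len(word), REP))


def random_bits(n, seed):
    """Constructed sample data (template, key); not real biometric data."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    template = random_bits(TEMPLATE_BITS, seed=11)
    key = random_bits(KEY_BITS, seed=22)
    stored = commit(template, key)
    within = flip(template, [0, 1, 15, 16, 159])   # at most 2 flips in any block
    beyond = flip(template, [0, 1, 2])             # 3 flips in block 0: exceeds T
    impostor = random_bits(TEMPLATE_BITS, seed=33)
    other_key = random_bits(KEY_BITS, seed=44)
    return {
        "key": key,
        "noisy_genuine": decommit(stored, within),
        "too_noisy": decommit(stored, beyond),
        "impostor": decommit(stored, impostor),
        "linkable_same_person": linkable(stored, commit(template, other_key)),
        "linkable_other_person": linkable(stored, commit(impostor, other_key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The genuine query with a few bit flips recovers the key, the query with three flips in one block fails the hash check, and an impostor template decodes to garbage. The last two entries show the caveat: the helper data hides the template only if the template is (close to) uniformly random, and if the same template is committed under two keys, for example in two applications, the XOR of the two helpers cancels the template and leaves a decodable codeword, so the records can be linked. That violates the diversity criterion and is why fuzzy commitment is usually combined with a cancellable transform or a per-application template rather than applied to the raw biometric alone.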