Zhou, Xuebing; Fellner, Dieter W.; Veldhuis, Raymond N. J.
Privacy and Security Assessment of Biometric Template Protection
Biometrics enables convenient authentication based on a person's physical or behavioral characteristics. In comparison with knowledge- or token-based methods, it links an identity directly to its owner. Furthermore, it cannot be forgotten or handed over easily. As biometric techniques have become more and more efficient and accurate, they are widely used in numerous areas. Among the most common application areas are physical and logical access control, border control, authentication in banking applications and biometric identification in forensics.
In this growing field of biometric applications, concerns about privacy and security cannot be neglected. The advantages of biometrics can easily turn into the opposite. The potential misuse of biometric information is not limited to the endangerment of user privacy, although biometric data potentially contain sensitive information such as gender, race and state of health. Different applications can be linked through the unique biometric data. Additionally, identity theft is a severe threat to identity management if revocation and reissuing of biometric references are practically impossible. Therefore, template protection techniques have been developed to overcome these drawbacks and limitations of biometrics. Their advantage is the creation of multiple secure references from the same biometric data. These secure references are supposed to be unlinkable and non-invertible in order to achieve the desired level of security and to fulfill the privacy requirements.
The existing algorithms can be categorized into transformation-based approaches and biometric cryptosystems. Transformation-based approaches deploy different transformation or randomization functions, while biometric cryptosystems construct secrets from biometric data. Their integration into biometric systems is commonly accepted in research, and their feasibility with respect to recognition performance has been proven. Despite the success of biometric template protection techniques, their security and privacy properties have been investigated only to a limited extent.
This predominant deficiency is addressed in this thesis and a systematic evaluation framework for biometric template protection techniques is proposed and demonstrated:
Firstly, three main protection goals are identified based on a review of the requirements on template protection techniques. The identified goals can be summarized as security, privacy protection ability and unlinkability. Furthermore, definitions of privacy and security are given, which allow quantifying the computational complexity of estimating a pre-image of a secure template and measuring the hardness of retrieving biometric data, respectively.
Secondly, three threat models are identified as important prerequisites for the assessment. Threat models define the information about biometric data, system parameters and functions that can be accessed during the evaluation or an attack. The first threat model, the so-called naive model, assumes that an adversary has very limited information about a system. In the second threat model, the advanced model, we apply Kerckhoffs' principle and assume that essential details of the algorithms as well as properties of the biometric data are known. The last threat model assumes that an adversary owns a large amount of biometric data, which allows him to exploit the inaccuracy of biometric systems. It is called the collision threat model.
Finally, a systematic framework for privacy and security assessment is proposed. Before an evaluation process, protection goals and threat models need to be clarified. Based on these, metrics measuring the different protection goals as well as an evaluation process determining those metrics are developed. Both theoretical evaluation with metrics such as entropy and mutual information, and practical evaluation based on individual attacks, can be used.
The framework for privacy and security assessment is applied to biometric cryptosystems: fuzzy commitment for 3D face and iris recognition is assessed. I develop my own 3D face recognition algorithm based on the depth distribution of facial sub-surfaces and integrate it into the fuzzy commitment scheme. The iris recognition is based on an open-source algorithm using Gabor filters. It is implemented in the fuzzy commitment scheme with the two-layer coding method proposed by Hao et al.
Both features, the 3D face features and the iris features, represent local characteristics of the modalities. Thus, strong dependency within these features is observed. A second-order dependency tree is applied to describe the distribution of the 3D face features. A Markov model is applied to characterize the statistical properties of the iris features. Thus, security and privacy of these algorithms can be measured with theoretical metrics. Due to the strong feature dependency, the achieved security is much smaller than the secret size, which is the assumed security in the perfectly secure case with uniformly and identically distributed features.
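To make the entropy argument above concrete, the following added example (my own illustration, not code from the thesis) computes the exact conditional entropy H(C | W) of the secret C given the helper data W = C xor X for a toy fuzzy commitment built on the [7,4] Hamming code, with the feature bits X drawn from an assumed symmetric first-order Markov model; the flip probability is a constructed parameter. With independent uniform features (flip probability 0.5) the secret keeps its full 4 bits, while dependent features reduce H(C | W) below the secret size.

```python
"""Added example (not from the thesis): conditional-entropy security of a toy
fuzzy commitment scheme whose binary features follow a first-order Markov model."""
import itertools
import math

# Generator matrix of the [7,4] Hamming code: 4-bit secret -> 7-bit codeword.
HAMMING_G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
N, K = 7, 4  # codeword length and secret size in bits


def encode(secret):
    """Multiply the secret row vector by G over GF(2)."""
    return tuple(sum(s * g for s, g in zip(secret, col)) % 2 for col in zip(*HAMMING_G))


def markov_prob(x, p_flip):
    """Probability of feature vector x under an assumed symmetric first-order Markov
    chain: the first bit is uniform, each following bit flips with probability p_flip."""
    prob = 0.5
    for a, b in zip(x, x[1:]):
        prob *= p_flip if a != b else 1.0 - p_flip
    return prob


def entropy(dist):
    """Shannon entropy in bits of a probability mass function given as a dict."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def secret_entropy_given_helper(p_flip):
    """Return (H(C|W), H(X)) for W = C xor X with a uniform K-bit secret C.
    Since C and X are independent, H(C|W) = H(C) + H(X) - H(W) = K + H(X) - H(W)."""
    codewords = [encode(s) for s in itertools.product((0, 1), repeat=K)]
    features = list(itertools.product((0, 1), repeat=N))
    p_x = {x: markov_prob(x, p_flip) for x in features}
    p_w = {}
    for c in codewords:  # marginalize W over all (secret, feature) pairs
        for x in features:
            w = tuple(a ^ b for a, b in zip(c, x))
            p_w[w] = p_w.get(w, 0.0) + p_x[x] / len(codewords)
    h_x = entropy(p_x)
    return K + h_x - entropy(p_w), h_x


if __name__ == "__main__":
    for p in (0.5, 0.3, 0.1):
        sec, h_x = secret_entropy_given_helper(p)
        print(f"p_flip={p}: H(X)={h_x:.3f} bits, H(C|W)={sec:.3f} bits (secret size {K})")
```

The same computation scales to any linear code and feature model, but enumerating W exactly is only feasible for toy sizes; for realistic feature lengths the thesis's approach of modelling the feature distribution and evaluating the metric analytically is needed.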
Moreover, unlinkability is analyzed. The analysis shows that these protected systems are less vulnerable to leakage amplification. However, the secure templates contain a large amount of personally identifiable information. We demonstrate attacks which can identify a subject by linking the auxiliary data stored in his secure templates. Cross matching is assessed by the performance of these attacks.
Additionally, the characteristics of iris features are exploited to perform an attack retrieving features from secure templates. The efficiency of this practical attack confirms the result of the theoretical assessment of privacy with conditional entropy.
The coding process plays a very important role in the security and privacy properties of the fuzzy commitment scheme. Designing a coding method should not only focus on improving the code rate. As shown in this thesis, security and privacy properties can be enhanced significantly by changing the dependency pattern in the iris features and 3D face features. Therefore, the coding process should be adapted to the properties of the underlying biometric features to increase the security and privacy performance.
The security and privacy assessment within this thesis is completed by a comparison of two fuzzy commitment algorithms with the fuzzy vault algorithm for fingerprint recognition. Here, different threat models as well as the corresponding protection goals are considered. The fuzzy vault system has the best performance regarding security and irreversibility of biometric features. However, all of these systems are vulnerable to cross matching. The comparison results show that the proposed evaluation framework provides the fundamental basis for benchmarking different template protection algorithms.
The proposed framework is also validated against the existing security analysis of transformation-based approaches. Unlike in the analysis of biometric cryptosystems, here the security depends on the hardness of the transformation functions or randomization processes. Therefore, the presented analysis is based on the efficiency of different kinds of attacks, which measure the different protection goals in the appropriate threat models. The security of these approaches depends on the transformation parameters. Knowledge of these parameters allows generating a pre-image, while it remains practically hard to estimate the original biometric features. However, privacy leakage amplification is still possible.
This thesis defines a systematic evaluation framework which adheres to the essential criteria and requirements of biometric template protection techniques. Its applicability is demonstrated with the analysis of template protection algorithms for different biometric modalities. The assessment presented in this thesis is fundamental for a thorough analysis. Furthermore, it provides provable evidence of security and privacy performance. Therefore, it is a fundamental tool for technical innovation and improvement, and it helps system designers in selecting a suitable template protection algorithm for their applications and needs. It creates a basis for certification and benchmarking of biometric template protection.