SLIDE 1 Biometrics & Security
Seminar
Fingerprint-based Fuzzy Vault: Implementation and Performance
Based on the journal article of K. Nandakumar, A. K. Jain and S. Pankanti
Presenter: Marko Pascan
Seminar instructors: Laila El Aimani and Deniz Sarier
B-IT Bonn, 14.12.2009
SLIDE 2
Contents
Cryptography Vs Biometric Cryptosystems
Motivation for Fuzzy Vault
Background and Definitions
Fuzzy Vault
Fingerprint Fuzzy Vault
Proposed Implementation
Helper Data and Fingerprint alignment
Experimental Results
Vulnerability of Fuzzy Vault
Conclusion
SLIDE 4 Cryptography Vs Biometric Cryptosystems
Traditional cryptography
Widely used, high, proven security
Assumption: cryptographic keys are only known to legitimate user (keys must be kept secret)
AES, RSA, ...
Encryption: C = E_KE(P) (P - plain text, KE - encryption key)
Decryption: P = D_KD(C) (C - cipher text, KD - decryption key)
Need long keys, e.g. 128 bits for AES
Main challenge: maintain the secrecy of the keys
Store keys in a secure location, use alternative auth. mechanism (e.g. password based auth.) to control access to keys
Problem: passwords stolen or forgotten
Password problem:
  Simple password: easy to remember, compromise security
  Complex password: difficult to remember, expensive to maintain
[1]
SLIDE 5 Cryptography Vs Biometric Cryptosystems (contd.)
Alternative: biometric authentication
Identity established based on anatomical and behavioral traits: face, fingerprint, speech (voice), eye (iris), hand, etc.
Stronger: biometric traits cannot be lost or forgotten
Biometrics Cryptography Biometric Cryptosystems
SLIDE 7 Motivation for Fuzzy Vault
Security and privacy of biometric systems: major issue
How robust is the system against attacks?
What happens if biometric template is stolen?
Can privacy of the users be preserved when a security breach occurs?
Protect the user template (stored locally or centrally)
Need method that can compensate for intra-class variations in the biometric data (samples of biometric traits obtained over a period of time): different angles, amounts of pressure, chapped skin, etc.
SLIDE 9 Background and Definitions
Fingerprint
Unique, immutable for each individual
Made of a series of ridges and furrows on the surface of the finger
Uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as the minutiae points
Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending.
[2]
[Figure: input fingerprint; fingerprint with minutiae (axes x and y); matching of two fingerprints, illustration of intra-class variability]
SLIDE 10 Background and Definitions (contd.)
Finite Field (Algebra)
Galois field - a field that contains finitely many elements
Example: Galois Field with (cardinality) 65536 elements: F = GF(2^16)
In presented implementation of fuzzy vault arithmetic is done in GF(2^16)
CRC (Cyclic Redundancy Check)
Hash-function used to detect accidental changes in raw data
In presented implementation of fuzzy vault 16-bit CRC code was used (CRC-16)
Unordered sets
Relative positions of set elements do not change the characteristics of the set, i.e. {2, -5, 1} conveys the same information as {-5, 1, 2}
SLIDE 11 Background and Definitions (contd.)
Lagrange Interpolation
Interpolating set of data points with an interpolation polynomial in Lagrange form (Lagrange polynomial)
Formally: given a set of k+1 data points (x0, y0),..., (xk, yk), where no two xj are the same, interpolation polynomial in the Lagrange form is linear combination of Lagrange basis polynomials:
SLIDE 13 Fuzzy Vault
Introduced by Juels and Sudan (2002)
Cryptographic construction designed to work with (biometric) features represented as unordered sets
In brief:
  Alice places a secret K in a vault and locks it with unordered set A
  Bob uses an unordered set B to unlock the vault and access K
  Successful iff B and A overlap substantially
[1]
SLIDE 14 Fuzzy Vault: Example 1
1. Alice selects a polynomial p of variable x that encodes secret k (e.g. fixes coefficients of p according to k). k = (1, -3, 1), she chooses deg(p) = 2: p(x) = x^2 - 3x + 1
2. Alice's unordered set: A = {-1, -2, 3, 2}
3. Alice computes the polynomial projections of A: {A, p(A)} = {(-1,5), (-2,11), (3,1), (2,-1)}
4. She adds some (let's say 2) randomly generated chaff points that do not lie on p: C = {(0,2), (1,0)}
5. Final point set R = {(-1,5), (-2,11), (3,1), (2,-1), (0,2), (1,0)}
6. Bob has unordered set B = {4, 2, -2, 3}. To access secret k he needs to separate 3 (deg(p) + 1) genuine points from R to reconstruct p
7. A ∩ B = {-2, 3, 2}, which is substantial overlap
SLIDE 15 Fuzzy Vault (contd.)
Security is based on infeasibility of the polynomial reconstruction problem
Definition: Polynomial Reconstruction Problem
Given a set of points in a finite field {〈xi, yi〉}, i = 1..n, and parameters n, k and w, output any polynomial p such that degree of p is less than k and p(xi) = yi for at least n-w values of index i. [3]
Differently put: solve for the degree D polynomial P, given D+1 points passing through it
A genuine finger can separate at least D + 1 genuine points from chaff points and use them to reconstruct P
SLIDE 16
Fuzzy Vault: Parameters
r – number of points in the vault that lie on the polynomial p
  e.g. number of minutiae that can be extracted from fingerprint
s – number of chaff points -> security of the vault
n – degree of polynomial p -> tolerance to errors in biometric data
SLIDE 17
Contents
Cryptography Vs Biometric Cryptosystems Motivation for Fuzzy Vault Background and Definitions Fuzzy Vault Fingerprint Fuzzy Vault Proposed Implementation Helper Data and Fingerprint alignment Experimental Results Vulnerability of Fuzzy Vault Conclusion
SLIDE 18 Fingerprint Fuzzy Vault
Fuzzy vault operating on the fingerprint minutiae features
Minutiae represented as triplet (u, v, Θ)
Fuzziness from the variability of biometric data
Requires pre-aligned biometric templates or alignment during decoding of fuzzy vault
Pre-aligned biometric templates non-realistic assumption
[Figure: axes u and v]
SLIDE 19 Fingerprint Fuzzy Vault: Example
[5]
SLIDE 21
Proposed Implementation
Uses both location of minutiae points in the image (u,v) and orientation attribute (Θ) -> more chaff points possible (harder to decode by attacker)
  u,v – indicate the row and the column indices in the image
  Θ – orientation of the minutiae with respect to the horizontal axis (1 < Θ < 360)
Generate several candidate secrets (Lagrange interpolation) and use CRC to detect correct polynomial
Template and query automatically aligned before decoding (helper data)
Higher computational cost – large number of interpolations
SLIDE 22 Vault Encoding
Step 1
Obtain template minutiae set MT = {mi^T}, i = 1, .., NT
NT - number of minutiae in T
Estimate quality of each minutia in T -> qT = {q(mi^T)}, i = 1, .., NT
Quality index in spatial domain: partition given image into a lattice of blocks b x b. Estimates the local coherence of gradients (gray) in non- [6]
Extract helper data (explained later) => template helper data HT
SLIDE 23 Vault Encoding (contd.)
Step 2
Sort minutiae based on their quality, select best-quality minutiae
Select only well-separated minutiae (unique values in field F) – minimal distance is greater than some threshold δ1 (configurable), where Δ(Θi, Θj) = min(|Θi - Θj|, 360 - |Θi - Θj|), βM = 0.2 (determined empirically in order to eliminate as many chaff points as possible when unlocking)
Selected minutiae: SMT = {mj^T}, j=1, .., r
Possible failure to capture (FTC) error if NT < r
SLIDE 24 Vault Encoding (contd.)
Step 3
Iteratively generate chaff point set CM = {mk}, k=1, ..., s as follows
Chaff point m = (u,v,θ) is randomly chosen such that u ∈ {1,.., U}, v ∈ {1,...,V} and θ ∈ {1,...,360}
Chaff point added to CM if DM between m and all points in SMT ∪ CM is greater than δ1
[Figure: image plane with axes U and V]
SLIDE 25 Vault Encoding (contd.)
Step 4
Minutiae attributes (both genuine and chaff points) are quantized and represented as bit strings of lengths Bu, Bv, Bθ
Quantization: account for slight variations in minutiae data
Translate to lie in square tessellation of the 2D image plane
Bu, Bv and Bθ chosen such that Bu + Bv + Bθ = 16 (in experiments 6, 5 and 5 respectively)
Encoded in F = GF(2^16) =>
  Genuine points: X = {xj}, j=1, .., r
  Chaff points: Y = {yk}, k=1, .., s
SLIDE 26 Vault Encoding (contd.)
Step 5
Append a 16-bit CRC code to secret K to obtain K' containing 16(n+1) bits, where n is the degree of the encoding polynomial
IBM CRC-16
SLIDE 27 Vault Encoding (contd.)
Step 6
K' encoded into a polynomial P of degree n in field F by partitioning into (non-overlapping) (n + 1) 16-bit values c0, ..., cn
These are the coefficients of polynomial P
SLIDE 28 Vault Encoding (contd.)
Step 7
P evaluated at all the points in selected minutiae set X => P(X) = {P(xj)}, j=1,..,r
Locking set: L = {(xj, P(xj))}, j=1,..,r
Obtain set Z = {zk}, k=1,..,s randomly (zk ∈ F), such that zk ≠ P(yk)
Chaff set is defined then C = {(yk,zk)}, k=1,..,s
V' = L ∪ C
SLIDE 29 Vault Encoding (contd.)
Step 8
Randomly reorder V' to obtain (finally) vault V = {(ai,bi)}, i=1,..,t and t = r + s
Store only V and HT in the system
SLIDE 30 Vault Decoding
Step 1
Obtain query minutiae set MQ = {mi^Q}, i = 1, .., NQ and the helper data set HQ from query fingerprint image Q.
Estimate quality of each minutia in Q => qQ = {q(mi^Q)}, i = 1, .., NQ
SLIDE 31 Vault Decoding (contd.)
Step 2
Obtain aligned query minutiae set MAQ = {mi^AQ}, i = 1, .., NQ
ICP (Iterative Closest Point) based alignment of MQ using helper data (explained later)
SLIDE 32 Vault Decoding (contd.)
Step 3
Based on quality, select r minutiae from set MAQ => SMQ = {mj^Q}, j=1, .., r
Selected minutiae are well separated (as defined in encoding process)
Possible failure to capture (FTC) error if NQ < r
SLIDE 33 Vault Decoding: Filtering Chaff Points
Step 4
SLIDE 34 Vault Decoding: Filter Chaff Points (contd.)
Represent abscissa values of the vault (A) as 16-bit strings
Minutiae decoding:
  Partition 16-bit strings into 3 substrings of lengths Bu, Bv, Bθ
  Convert substrings into quantized minutia attribute values u, v and θ => MV = {mi^V}, i=1,..,t, where mi = (ui, vi, θi)
Coarse filter: mi ∈ MV is not marked as a chaff point if minimum distance DM between mi and all selected minutiae in the query mj^Q ∈ SMQ is less than δ2 (tuned parameter) => SMV = {mk^V}, k=1,..,NV, where NV << s
Apply minutiae matcher algorithm to find correspondences between SMV and SMQ, and add only those elements of SMV to unlocking set L' = {(a'i, b'i)}, i=1,..,r', 0≤r'≤r
SLIDE 35 Vault Encoding (contd.)
Step 5
If r' < (n+1) => authentication failure
If r' ≥ (n+1) => consider all possible subsets L'' of size (n+1) of L'
Use Lagrange Interpolation to obtain P*(x) = c*_n x^n + c*_(n-1) x^(n-1) + ... + c*_0
SLIDE 36 Vault Decoding (contd.)
Step 6
Concatenate c*_n, c*_(n-1), .., c*_0 => 16(n+1)-bit K*
Apply CRC to K*
If there is no error, the correct secret K is decoded
Else, repeat the same procedure for the next candidate L''
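The locking steps (append CRC, evaluate P, add chaff, shuffle) and the decoding loop (interpolate each (n+1)-subset, accept on CRC) from the Vault Encoding and Vault Decoding slides, generalising Example 1 to GF(2^16), as an added Python example that is not code from the presentation or the paper it summarises. Assumptions: the reduction polynomial 0x1100B for GF(2^16), a zero-initialised MSB-first CRC-16 with the IBM polynomial 0x8005, exact equality on the abscissa standing in for alignment and the minutiae matcher, and constructed sample values.

```python
import functools, itertools, random
def gmul(a, b):  # multiply in GF(2^16); reduction polynomial 0x1100B is assumed
    r = 0
    for _ in range(16):
        r ^= a * (b & 1)
        a, b = (a << 1) ^ 0x1100B * (a >> 15), b >> 1
    return r

def ginv(a):  # inverse of non-zero a: a^(2^16 - 2) = a^(2 + 4 + ... + 2^15)
    r = 1
    for _ in range(15):
        r = gmul(r, a := gmul(a, a))
    return r

def crc16(words):  # CRC-16, polynomial 0x8005; zero init and MSB-first assumed
    crc = 0
    for w in words:
        crc ^= w
        for _ in range(16):
            crc = ((crc << 1) ^ 0x8005 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def peval(coef, x):  # Horner evaluation of P(x), coef = [c_n, ..., c_0]
    return functools.reduce(lambda y, c: gmul(y, x) ^ c, coef, 0)

def interpolate(pts):  # Lagrange interpolation; returns [c_n, ..., c_0]
    out = [0] * len(pts)
    for xi, yi in pts:
        num, den = [1], 1
        for xj in (x for x, _ in pts if x != xi):  # num *= (x + xj); minus is XOR
            num = [a ^ gmul(b, xj) for a, b in zip(num + [0], [0] + num)]
            den = gmul(den, xi ^ xj)
        scale = gmul(yi, ginv(den))
        out = [o ^ gmul(scale, c) for o, c in zip(out, num)]
    return out

def lock(secret, genuine_x, chaff_x, rng):  # chaff z = P(y) XOR non-zero, so off P
    coef = secret + [crc16(secret)]  # K' = K || CRC gives c_n, ..., c_0
    vault = [(x, peval(coef, x)) for x in genuine_x]
    vault += [(y, peval(coef, y) ^ rng.randrange(1, 1 << 16)) for y in chaff_x]
    rng.shuffle(vault)
    return vault

def unlock(vault, query_x, n):  # exact abscissa match stands in for the matcher
    matched = [(a, b) for a, b in vault if a in query_x]
    for *k, c0 in map(interpolate, itertools.combinations(matched, n + 1)):
        if crc16(k) == c0:  # CRC accepts this candidate K*
            return k
    return None  # r' < n+1, or no candidate passed the CRC

SECRET = [0x1234, 0xBEEF]  # constructed sample data: 32-bit secret, so n = 2
GENUINE = [0x0A51, 0x1C22, 0x3F07, 0x52B9, 0x7D10]  # made-up 16-bit abscissae
CHAFF = [0x0333, 0x2468, 0x4ACE, 0x6B6B, 0x9001, 0xC0DE]
VAULT = lock(SECRET, GENUINE, CHAFF, random.Random(2009))
```

A candidate subset that contains a chaff point yields a wrong polynomial, which the 16-bit CRC accepts by chance with probability about 2^-16 per subset.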
SLIDE 38
Helper Data and Fingerprint Alignment
First step in matching 2 fingerprint images – align them
Difficult problem in any fingerprint based auth. system
Even harder in a biometric cryptosystem (fuzzy vault) -> original fingerprint template is not available during auth.
Fuzzy Vault proposed by Nandakumar et al. uses helper data to assist alignment
Helper data stored as public information, along with vault
SLIDE 39 Helper Data Extraction
Used high curvature points of field flow curve -> set of linear segments whose tangent direction at each point is parallel to the orientation field direction at that point
Flow curve: set of points {lj}, j = 1,..,J, where J is number of points in curve and lj = (λj, μj) is a point in fingerprint image
Curvature value (ω) of a point lj: ωlj = 1 – cos αlj
ωlj minimum (0) if there is no change in direction and maximum (2) if change in direction is π
Tuple h = (λ, μ, ω) added to helper data if ω > σ (0.3 in experiments)
[5]
SLIDE 40 Helper Data Based Alignment
Goal: align query minutiae set with the enrollment template
Use Iterative Closest Point (ICP) algorithm:
Step 1: translate center of mass of points in HQ so that it coincides with the center of mass of points in HT
Step 2: Iterate until convergence (or max number of iterations)
Compute the set of correspondences between points in HT and HQ -> find the distance between hi^T = (λi^T, μi^T, ωi^T) and hi^Q = (λi^Q, μi^Q, ωi^Q) as: d(hi^T, hi^Q) = (λi^T - λi^Q)^2 + (μi^T - μi^Q)^2 + α|ωi^T - ωi^Q|
α determines the contribution of curvature based distance
Step 3: compute transformation that minimizes the mean square error between the paired points. Apply transformation to MQ and HQ
ICP algorithm outputs transformation F
[7]
SLIDE 41 Fingerprint Alignment: Example
High curvature points are global features
Do not reveal any information about minutia attributes
Helper data doesn't contain enough information to estimate the orientation field
Helper data does not affect the security
SLIDE 43 Experimental Results
Performance evaluated on 2 fingerprint databases
One or two impressions for encoding and decoding
Varied parameters of fuzzy vault: r, n (related to the size of secret to be secured), t, s, δ1, δ2
Fixing r leads to several FTC errors => fix the range of r determining exact value for each user
Criteria for evaluation:
Failure to capture rate (FTCR): number of well-separated minutiae < r
Genuine accept rate (GAR): percentage of attempts by genuine users that resulted in successful authentication
False accept rate (FAR): percentage of attempts made by impostors that resulted in decoding of the vault
SLIDE 45 Vulnerability of Fuzzy Vault
Brute force attack: r=24, s=200 => number of combinations 3.3 x 10^15
Minutiae come in clusters => attacker could use statistical models for the minutiae distribution to classify points of the vault and brute-force attack perceived genuine points
Defense based on number of chaff points and tuning of the vault parameters
P. Mihailescu [8] proposes a brute force attack to break the vault, that can recover secret S in R = C ⋅ (r/t)^k, where C < 8k ⋅ log^2(k) (cost of Lagrange interpolation of a polynomial of degree k)
  r – no. of chaff points
  t – no. of genuine points
  k – degree of polynomial
Previous authors claimed that with carefully choosing parameters one can achieve security of O(2^69) operations for an attack
With attack proposed in [8] and using vault implementation as in [7], attack can be done in ~O(2^36)
SLIDE 46 Vulnerability of Fuzzy Vault
How to increase security of fuzzy vault:
1. Use more fingers – use e.g. 2 fingers for creating the vault
2. Non-random chaff points – use hexagonal grid
3. Quizzes using additional minutiae information – with each minutia attach a quiz solvable by Bob
SLIDE 48
Conclusion
Fuzzy vault – biometric cryptosystem
Fingerprint fuzzy vault with better implementation shown
Automatic alignment of template and query data
Implementation experimentally evaluated
Vulnerability of Fuzzy Vault – fuzzy vault broken
Possible improvements: more fingers, non-random chaff points, etc.
SLIDE 49 References
[1] Umut Uludag and Anil K. Jain, “Fingerprint based Fuzzy Vault” (presentation), (www.biometrics.org/bc2005)
[2] Salil Prabhakar, Anil Jain, “Fingerprint Identification”, http://www.cse.msu.edu/biometrics/fingerprint.html
[3] Jean-Sébastien Coron, “Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem”
[4] Umut Uludag, Sharath Pankanti, Anil K. Jain, “Fuzzy Vault for Fingerprints”
[5] K. Nandakumar, A. Jain, S. Pankanti, “Fingerprint-based Fuzzy Vault: Implementation and Performance”
[6] Y. Chen, S. Dass and A. Jain, “Fingerprint Quality Indices for Predicting Authentication Performance”
[7] U. Uludag, A. Jain, “Securing Fingerprint Template: Fuzzy Vault with Helper Data”
[8] P. Mihailescu, “The Fuzzy Vault for Fingerprints is Vulnerable to Brute Force Attack”
SLIDE 50
Questions?