Biometric Solutions as Privacy Enhancing Technologies

Christina-Angeliki Toli and Bart Preneel

Department of Electrical Engineering, ESAT/COSIC - KU Leuven

Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium
{christina-angeliki.toli,bart.preneel}@esat.kuleuven.be

http://www.esat.kuleuven.be/cosic/

Abstract

This research is focused on giving a comprehensive overview of the secure biometric systems field, analysing it from a privacy enhancing technology (PET) perspective. The widespread use of biometric systems, the nature of the shared data, the kinds of use cases and the applications introduce privacy risks. Along these lines, we try to respond to the questions: “Can biometrics really be characterized as PETs?” and “To what extent can biometrics be considered privacy friendly?” The paper covers different opinions on the major question: “Are biometrics a protection mechanism of individual privacy?” The available related literature is discussed, very recent advances and a number of approaches for biometrics as PETs are presented, and the privacy needs of the users interacting with other units are evaluated. As an illustration, a situation based on on-line biometric access control is outlined, where the attitude of the implicated parties is examined. The aim of this multidisciplinary work is to clarify the studies on how to develop and ensure privacy in crypto-biometric techniques and to contribute to efforts for addressing the societal impacts of modern technological issues.

Keywords: biometrics, cryptography, privacy enhancing technologies, security, personal data, template protection, crypto-biometrics, pseudo-identity, fingerprint recognition, eFinance service

1 Introduction

Systems that authenticate or automatically recognize a person’s identity by scanning his/her biometric characteristics are becoming increasingly common, popular and sometimes compulsory. This increasing use has given rise to security and privacy concerns [34]. In fact, security and privacy have been presented as two different worlds hindering each other. Although biometrics are intended primarily to enhance security, the nature of these data may reveal more information than necessary. Biometrics-based recognition systems rely on who a person is, or what someone does, in contrast with other authentication approaches such as passwords or cards. Additionally, the applications may require storing datasets for human authentication or granting third parties limited access to the transferred private records. Despite the fact that over a decade of research has brought many biometric protection proposals, there is still a privacy gap in this relatively young discipline. Existing efforts to protect privacy are either insufficient with respect to the law or too legally restrictive. The biggest challenge in the domain is the creation and implementation of a technology which respects and prioritizes the security issues according to the privacy rights of the involved levels, against potential infringements.

A pressing matter of contention is to study the systems from two separate, complementary and conflicting angles. Firstly, the combination of advanced cryptographic technology with signal processing can reliably protect the data. The state of the art has presented concrete mechanisms in order to ensure high levels of security. Levels of fusion, two or more biometric samples under the same identity (multi-modalities), fuzzy vaults, retrieval protocols, cancellable biometrics and key-based schemes are only a few of the proposed biometric template protection models [13], [38]. Additionally, many research works are dedicated to attacks, in the direction of testing and evaluating a system’s behaviour against malicious adversaries, non-colluding honest entities and other curious unauthorised deceivers [15], [16]. Secondly, starting from the point that protection of information is just a part of privacy, we can claim that it is really difficult to determine the balance between unequivocal recognition and the user’s identity. The fundamental right to anonymity and privacy has consequently been internationally established and juridically supported. Biometric data in applications such as eGovernment, airport security, border control, eFinance and the health sector must be protected, flexible enough to satisfy the needs of the involved parties and, simultaneously, sufficiently efficient to resist attack scenarios [10], [35]. These preconditions have motivated only a few recent reports to address the great economic, political and social consequences of the design and implementation of privacy friendly biometric systems.

But in reality, can a biometric trait keep its source secret? Bearing in mind that biometric authentication can provide irrefutable proof of a user’s identity, this means that these characteristics are something that we carry with us, cannot be lost and can hardly be changed. One step further, there are applications where the storage of the template in a database is demanded. Considering for example the entrance to a building, every employee’s biometric would have to be recorded, so that the scanners can verify identity. The situation becomes more complicated, since societies have started experiencing facial recognition technology. Cameras from supermarkets to public places and roads are used to identify the people passing through. The new systems are so smart that they present low misidentification errors. They take into account gait, clothes, hairstyles, soft biometrics, even cleanliness and weather conditions, to weaken any external factor that could affect the ability of the camera to identify. Another important concept is the devices which include radio-frequency identification chips or work on-line. If a password management system uses a fingerprint to log in or unlock a mobile, laptop or e-mail account, then the security holes should be considered. Experts in the area frequently talk about how susceptible users are to hacking. International companies claim that face or fingerprint-enabled log-on never stores the account passwords, but they also underline that the digital privacy of millions of people will always be weak. Putting things into perspective, biometrics come with the motto “bring yourself with you”, and a society with pervasive biometric systems would make anonymity a virtual impossibility.

On the other hand, recently, privacy and security have been treated as two factors to be cooperatively developed [7]. Requirements are already included in the early stage design of a biometric system. This has led to the opinion that the threats are overblown: confusion and misinformation blur the fact that biometrics are not perfect, but it is quite difficult to abuse their types. Human characteristics in computer devices are saved as digits and not as an image. Furthermore, companies tend to use separate, “unique” binary techniques, making it unlikely for a trait to be the same across platforms. In government agency applications, the data are coded carefully, protecting the template from hackers and making it computationally difficult to recreate the actual biometric that has been used. As far as the possibilities to steal or spoof are concerned, these are limited to very highly targeted subjects. Obviously, the worst case scenarios are not excluded, but legal frameworks standardize the developments on the used types of biometric data. Moreover, the person’s awareness is also foreseen for most services, giving the opportunity to approve or not what personal information should be revealed, to whom and why. This brings us to the claim that systems are required to comply with two pieces of legislation designed to protect privacy: an individual’s right to a private life, while organisations must manage and protect any data they hold.

Privacy is challenged by a continuous stream of security and public safety measures. It may be protected in different ways and by multiple means. Biometrics are the modern key to authentication and identification models and are thought to be far less vulnerable to fraud and forgery. Nonetheless, digital data can easily be copied without information loss, manipulated at will or forged without traces that could be noticed. In order to guarantee trustworthiness, security leakage points must be recognised, while some extra criteria need to be defined. Privacy enhancing methods for biometric data can be a very promising specific guardian of one’s personal identity. Approaching biometrics as PETs, under the term “privacy friendly biometrics”, may increase public interest, relax the doubts or fears and contribute to the satisfaction of the needs of citizens, authorities, governmental institutions, industry and other involved stakeholders, preserving protection and promoting human rights and freedom.

This work is motivated by very recent advances in the science of privacy for biometric templates and its target is to present and add new information to the studies of the interaction between biometrics, cryptography and privacy enhancing technologies [22]. The time period of the references is carefully selected to serve the research, reflecting the increasing number of European projects, during the last years, that aim to suggest solutions for the protection of users’ identity, underlining the privacy questions according to the relevant applications, the legal frameworks etc. The missing point here is to suggest and support, from both scientific and industrial aspects, sustainable solutions that will carry forward methodologies combining the predominant policies with available and next generation research. The remainder of this paper is organised as follows: In the next section, the different opinions on privacy friendly biometrics are analysed. The third section presents the privacy standards and the security principles. The fourth section is dedicated to privacy by design methods for biometric systems. After this exploratory part for introducing readers to the topic, a particular case of a financial on-line transaction based on fingerprint recognition is evaluated. Finally, in the last section, a comprehensive conclusion is given, with future approaches and some remarks for discussion on impact assessments.

2 Public Debate: Biometrics versus Privacy - The Role of Security

Notwithstanding that biometric verification or identification are intended principally to enhance security and privacy, many issues have conjointly attracted much attention [19], [33]. Respecting the fact that most biometric characteristics are exposed and therefore are not secret, and considering that others like retina and DNA samples carry sensitive personal information, privacy invasiveness could simply be defined as the means that would not keep the data covered and would put at threat aspects of the true and real identity of the system’s user. Concurrently, within the biometric framework, the ultimate control over the data is exercised by the system, allowing, in this way, access to authorized users, such as owners and administrators, while securely protecting against unauthorised ones [7]. To such a degree, and having both notions clearly defined, below are expressed thoughts that constitute serious risks in socio-cultural and ethical terms and in terms of the technical systems as well.

There are many concerns related to the use of recognition systems in real life applications, where biometrics have been seen intrinsically as privacy’s foe and designers, in a broad sense, have to deal with criticism. Their technology is impersonal and any potential for covert collection of biometric information will certainly not calm the outcry of people. In particular, optional or even absent user permission can provoke gathering, sharing and correlating of data for ambiguous and unintended purposes. This might be extended to the undeclared misuse of information for the generation of additional data, without any official consent, entirely based on lying and deception of public trust. Dramatic societal effects may be caused to very specific targets of interest such as political leaders, whose biometrics can be copied or removed by deviant system administrators.

Needless to say, biometrics can be associated by the person with forensic applications. From one point of view, this fact is useful, but some people claim that it is risky. Considering an assumption where a hacker lifts a fake biometric trait of good quality, this is difficult in practice but can be true if there is expertise and equipment such as a high-resolution scanner. Several detailed methods are successfully dedicated to the construction of fake fingers from silicone and gelatin to fool many commercially available sensors [16]. Following this unpleasant association, the risks gradually increase, from a typical entrance to a personal domain and access to computer devices to the latent possession of validated documents. And if personal privileges are suppressed, the consequences are even worse for problematic insertions threatening national security, like terrorism, and situations relevant to border control and air, land or sea port safety.

Furthermore, soft biometrics have been identified as the perfect way to pinpoint, track and control people, by reason of revealing gender, ethnicity, religion or other unique features like their gait or the shape of their ears. The application areas vary from town squares, department stores and banks to airports where passengers are allowed to walk from check-in to the gate, while their movements are monitored and their identities verified automatically by cameras. From a streamlined perspective the ultimate goal is offering the ability to recognize people in natural motion through any scene, but such a system, even if it is operated by a legitimate authority, collects such intimate personal data as to become an unjustifiable violation of one’s right to anonymity. Moreover, medical details might be elicited by comparing biometrics during the processes of enrolment and recognition, a situation which profiles and reports the status with imponderable impacts on daily life.

The definition of the term security for a system based on biometrics has been an object of interest in the scientific community. A plain claim is that a biometric system can be vulnerable either due to substantial internal failings in its design, like high error rates, and/or because of purposeful attacks [21]. For example, and independently from the previous mention of forged fingerprints, although it is commonly believed that new age systems prevent the possibility of reconstructing the original biometric characteristics using the relevant extracted template, recent research has managed, through algorithms and by taking advantage of the match scores, to generate the initial biometric samples of the user. These assumptions render the protection of any system that can be deployed using human biometric traits a very challenging task. Roughly speaking, Figure 1 illustrates the stages of a generic system and identifies the blocks where potential attacks may occur.

Fig. 1: Classical points of attack in a generic biometric system.

Observing the scheme [7], [16], at the first, sensor level, during biometric signal acquisition from the user, such as the inkless fingerprint scan, a true or copied biometric is transferred or substituted in order to fool the system. Massive attacks on the system can cause failure; in case this does not happen, an impostor has the chance to resubmit previously recorded stored biometric signals or produce preselected ones. The middle stage of matching may be corrupted and start producing preselected fraudulent match scores. In the same area, the value of the score is changed or slightly modified by the intruder, iterated attacks could take place and the behaviour of the system could be brought under control using software or hardware routes. The database’s sphere is characterized as imperatively dangerous and involves malicious tampering with the templates, from a light reading to modifications, replacement and totally changing the links between the biometric data that might be distributed over several servers [26]. The communication channels across consecutive parts of the system can be intercepted by an eavesdropper who observes the data transmission, surreptitiously changes the messages in the link, manipulates the scores, decisions and results or makes brute force attacks by exhaustively trying to find which input can unlock the region of interest.

Finally, it is pointed out that, likewise to password-based or token-based authentication systems, automatic biometric recognition systems present similar threats or security gaps at the same zones. Cryptography can counter different kinds of vulnerabilities, together with anti-spoofing countermeasures or techniques based on liveness detection, multi-modalities etc. [29]. It thus seems eminently plausible that security is not enough, as these cannot always cover the prerequisites according to the use cases, the purpose of the system, the proportionality and location of servers and the basic architecture of matching and decision performance. And yet a balance between security and privacy protection has not been found, a fact that creates setbacks to research, feeds disbelief and subsequently realistic public debate.

3 Privacy & Security Principles for Biometric Systems

For any given technology, standards at national and international levels establish the size, configuration or protocol of a product, process, tool or system, determine performance and define terms so that there is no misunderstanding among developers and users. For biometric approaches, standards specify formats for the interchange of data, platform independence, program interfaces, application profiles, calculations, tests and requirements for the results, hence the design is neutral, interoperable and does not favour any particular vendor or modality.

Joint Technical Committee (JTC)/Subcommittee 37 (SC 37) of the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC), the Organisation for the Advancement of Structured Information Standards (OASIS) and the International Committee for Information Technology Standards (INCITS) are the organisations who develop biometric standards [8]. The covered areas are general guidelines for security in systems, tokens, smart cards, authentication deployments, ID management standards and cyber-security principles [2]. Privacy principles of data quality are addressed in terms of purpose limitation, data minimization, accuracy, completeness, consent, transparency, access and rectification, confidentiality, and security. Figure 2 depicts the international biometric standards activities.

Fig. 2: International biometric standards, development activities.

The security requirements of confidentiality, integrity, authenticity, non-repudiation and availability are necessary for any computer system linked to a network [21]. Some supplementary aspects are commonly associated with biometric applications: authenticity, anonymity, unobservability, revocability and unlinkability, which refer to prohibitions against uninvolved parties seeing, handling, mapping or finding relations between human entities, and pseudonymity, for fictitious identities that can replace real ones. Renewability of biometric properties is extremely important and should be supported by systems, as it indicates the necessity of re-enrolment of the same person in a system for updating his/her data or adding new ones [14]. More specialised works also cover extra design regulations for identity references in databases [36]: permanence, which sets the length of time for which stored data could be valid; uniqueness; distribution and linkage of information overflow, in which an attribute discloses private elements that could be extracted, and which deals with transmission; accountability; complexity, which defines the dynamic difficulty to acquire, process, store and compare an identity component; and others that denote the ability of a person to control his/her own data and select which values will be shared.

Organisations and, consecutively, the legitimate regulations at European or other Union Member levels subscribe to the practical importance of these activities, under the plain functioning of the markets and the cost avoidance of services that do not conform to such responsibilities and provisions [24]. Meanwhile, an accelerated pace of biometric requirements development is maintained, according to the growing use of data mining technologies enabling the aggregation and analysis of data from multiple sources, the domination of social networking sites, cloud computing, the ubiquity of physical sensors that transmit geo-location information and the individual’s rights in the modern era [3], [27]. As biometric technology matures, interaction will increase among people, markets, and the technology itself. There is a distinction between organisational mechanisms and technical measures, therefore different policies need to work alongside each other and express, mathematically or in natural language, the allowed or limited extensions for the security and privacy lines in biometric technologies [11]. Reliable recognition is a controversial subject and any conventional official action will usually be deficient without the complete comprehension of developers and the acceptance of users, and the general adoption of criteria for any specific assessment, in order to achieve the construction of privacy friendly schemes.

4 Biometric Systems as Privacy Enhancing Technologies: Approaches

In this section, a brief description of the basic privacy technology in the design of biometric systems is given. From 2012 until today, original security strategies and their mixtures have been proposed and can be proportionately divided into target categories, reflecting the overall security during the enrolment and verification phases [6], [18]. The concepts try to follow new advances in real life and for that reason are based on assumptions that involve a user, the entity which performs the identification and the pipeline for the communications and messages between sender and receivers. Several academic works are dedicated to analyses of privacy weaknesses in biometric schemes, suggesting the way for direct implementations, criticising the current ones or setting the guiding principles for future research [28], [30], [36]. At this point, we highlight that the authors of this paper do not adopt the designations of the referred published works, due to the chaos in the synthesis of the different methods under the umbrella term “biometric template protection”.

Clearly, the variety of approaches can be classified into template protection schemes, which aspire to transform the aforementioned data, sharply reducing the possibilities of regenerating the initial characteristic used for enrolment, and biometric cryptosystems, or shortly crypto-biometrics, which combine known cryptographic functions to derive keys from biometric data [7]. Table 1 presents the summary of the security concepts which will be introduced in the next subsections.

Table 1: Main approaches and their work towards security of biometric technologies.

4.1 Feature Transformation for Template Protection

The philosophy here is the transformation of the given biometric data during enrolment, in order to store them securely in the database, in such a form that it would be almost impossible to retrieve the genuine data from the template. Invertible or non-invertible techniques are used and only the distorted data are placed in storage. The assumption is that, in case the database is not secure anymore, the functions based on some parameters won’t be accessible and the transformed elements will be perfectly non-invertible. For example, a fingerprint system could store only some unordered minutiae points, performance degradation or significant statistical properties of reference ridges that were counted in a verification technique.

A deeper analysis shows that the invertible choice, where the parameters of the function are protected, can bring really low false acceptance rates (FAR), but is more vulnerable to attackers who compromise the user’s item which locks and unlocks the function. Interchangeably, the non-invertible mechanisms refer to one-way functions, making it computationally hard to undo the function that was applied to the data, even if the parameters are known. The specific transforms can be used for single or multi-biometrics under the same identity. The authentication is carried out based on comparison of the few similarities of the identity property in the transformed domain, always without revealing sensitive information. Early research showed that it is still extremely difficult to design functions in such a way that will preserve not only non-invertibility, but also discriminability of the template [31]. In the last section some suggestions for further research on this are underlined.

4.2 Cancellable Biometrics and Renewability

Inducing cancellability and revocability in biometric systems, the target is once again protection after data theft, by making any reference to the biometric template unusable. The method, described in this subsection, requires the storage of a transformed version of the biometric template and hence provides higher privacy levels by allowing multiple templates to be associated with the same biometric data. The basic objectives include diversity, where the use of the same features across a variety of applications is prevented and therefore a large number of protected templates from the same feature is required; re-usability/revocability, where straightforward re-issuance is demanded in case an attack takes place; and non-invertibility.

The process will be carried out either by the designer of the system, the users or under the collaboration of the different units involved in the application. The idea revolves around links of fuzzy data, the parameters of the functions used for the step between the initial form and the stored one and, thirdly, helper information that is sometimes public and characterizes common knowledge secret parts. The literature has suggested many approaches in this category, which have been examined over numerous biometrics, like fingerprint, signature, voice and face, resulting in robust reactions for the safety of the examined system [35]. Cancellable, or also often referred to as revocable, biometrics fall into a variety of categories such as fuzzy extractors, biohashing algorithms, error correcting codes and others.

Renewable biometric references are intricately linked to the concept of cancellable biometrics, serving the user’s privacy purpose of being re-enrolled in a system. The fact is that human characteristics may change over time or due to other interferences, such as an injury. In this scenario, and as previously presented in Section 3, from the perspective of the system’s prestige the potential non-matches, which will be false, will increase; from the user’s side, the previous processes of authentication and other data cannot be duplicated, while an experienced adversary can steal the element that was used in the first phase or other valuable clues by observing the system at the right moment. For these reasons, it is important to be able to replace biometric data with new ones that will update the old ones, will keep the helper data secure and linked, allowing authentication after renewal, while an attacker won’t be in a position to use previous pieces, gain knowledge from the new ones or correspond any data to the references from the stored template.

4.3 Crypto-biometrics: Key Management

Crypto-biometrics is a well-known and privacy-promising technique for the protection of biometric data based on keys, using cryptographic encryption and decryption algorithms [25]. Only the involved entities share the keys, and in this way they have access to specific components and the corresponding biometric information. Obviously, the generation of the keys and the management and control of the bindings between those keys and the data are not negligible tasks. There are mainly two schemes, named after their role: key generation and key binding schemes.

How does a system in this area work? Simply by putting into play only these keys and their products to secure all the communication pipelines and tunnels. The idea is attractive because the database contains information about the keys and, in some way, not the template of the user. Specifically, the keys for biometrics in an encrypted domain can be digital, meaning a PIN, a password, a credential, or alphanumeric strings with a certified container of attributes, which is recreated only if the correct live biometric sample is presented at verification and is destroyed at the end of each process [4]. The scheme is fuzzy, as the presented sample is slightly different each time, unlike an encryption key in traditional cryptography. The method offers the possibility of creating multiple keys from the same biometric under the same human physical identity, which is really helpful as it allows interaction across applications without any compromise.

This category belongs to the family of cancellable biometrics, as the procedure followed for keys and biometric samples respectively is the same [17]. Summarizing the method: in a key generation scheme the keys are created directly from the sample and stored in a database, while a key binding approach stores information coming from the combination of the biometric trait with randomly generated keys. Both approaches refrain from any attempt to store the initial biometric characteristic of the user in a database. For this reason, we suggest the use of biometric cryptosystems as the field best suited for broader public consideration in applications that demand large-scale databases or that suffer multiple attacks because of their nature, like government or banking services [9].

Industrial efforts and academic research projects have been devoted to designs for the encryption of the biometric domain in real-life applications, for single or multiple biometrics, using combined methods to enhance public confidence. The advantages include the absence of any retained biometric image or stored template, the use of anonymous database models and the unlinkability introduced across domains, and thus a greater compliance with privacy laws. However, the drawbacks are related to the low accuracy of the algorithms in use, dangerous attacks against the template, the function and the channels, and the adjustment of access control mechanisms in favour of anonymity.

4.4 Multiple Pseudonymous Biometric Identities

Concisely, the purpose of pseudonyms is to obtain controlled linkability. Exactly like a public key, a pseudonym is derived from the user's secret biometric and can be given to a verifier, who is another entity in the system; the user can later re-authenticate using his/her trait. The available technologies have been carefully chosen at the design phase to accomplish a workable, trustworthy and user-friendly scheme that combines knowledge from the previous subsections and serves the principles of the user's privacy. Figure 3 illustrates a biometric ecosystem that derives multiple identities for the same attribute.

Fig. 3: Typical design for pseudo-identities from biometric samples.


Pseudo-identities are generated independently from an individual's biometric reference during an enrollment phase. The embedding and one-way functions are subject to various requirements to safeguard privacy. The encoder verifies the identity, takes some supplementary data as an input, and possibly creates additional auxiliary data. These data could result from various approaches that provide renewable and protected templates. The system separates and individualizes elements, which are also generated to prevent impersonation, raising obstacles for subjects that have very similar characteristics [1]. Both parts are stored in a place such as a local database, a token, or a combination of them, and together are called "the new protected template". At the verification phase, an integrated recoder, in a biometric sensor or a local terminal, is used for the recreation: the provided auxiliary data, the user's trait and the supplementary data create a new pseudo-identity. All input data used for this production are immediately destroyed. Then a comparator is involved to match the initial and the new identities. Figure 4 portrays, at a high level, a framework for renewable biometric references [5].

Fig. 4: Architecture for renewable biometric pseudo-identities.

Cooperative efforts have been made to suggest improvements or other approaches for the frameworks that map biometric references to pseudonymous identities. Confidentiality and integrity are usually compromised in threat scenarios. Multi-source interoperability, identity management even at a basic level, and revocability are intricate issues that should be addressed, respecting the privacy principles presented in the previous sections [10]. The template protection technologies based on the idea of transformation mechanisms for protecting any stored template, namely salting, hashing, shielding functions and fuzzy vault schemes, can create the common ground for any design of pseudonymous identities derived from fingerprints, face patterns, iris and other biometrics. Beyond the suitable modalities, minutiae-based fingerprint systems, commonly known as minimal data, are still under research, as they can further strengthen the security factors by reducing the information that could be correlated.


5 Example of Privacy Friendly Biometric Application for Access Control: From Action to Being

In Figure 5, a model of a secure and privacy-compliant biometric-based system is briefly presented. The suggestion involves heterogeneous fields, in which experts from sciences beyond engineering necessarily have to act synergically to achieve effectively perceptible results that respect the privacy needs of the person. The idea, like others [20], relies on theoretical and empirical studies of cancellable biometrics, encryption models and pseudo-identities from references, in a domain where users need or want to be identified using a characteristic like face or fingerprint.

In simple terms, in this particular case a user wants to check her bank account through the mobile application issued by the participating bank. For login the client uses her fingerprint, while for extra-secure authentication the system unlocks only if a PIN or a passcode is also provided. The light blue shape shows the creation of the template and its transformation to increase security. After reading the minutiae (minimal data) and obtaining the template, the application binds it through a cryptographic algorithm of transformation and encryption. The initial biometric, the password and the helper elements are erased; the device and the software store nothing after the first generation, after each matching process, or even after revocation. The details of this transaction are transferred through a shielded communication channel. For the verification process, as the pink frame presents, an algorithm reconstructs the key and access to a non-biometric database is approved. In the end, the bank does not hold whole databases of individuals' biometrics on its server. Such a model can be a real reply to the question relating to the purview of privacy-friendly applications.

Beyond the interesting parts of the suggestion, like its strong security points, the "wind" of privacy for the person and the use of different technologies for the performance, there are certainly limitations to the continuing effort to crack down on fraud in its implementation. Fake, high-quality fingerprint samples, an exposed passcode, a compromised database, errors during computation or low accuracy rates for the algorithm, lack of fuzziness or a sophisticated adversary should all be clearly considered by design.

Fig. 5: eFinance Application Assumption.
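The key binding scheme of Section 4.3, the encoder/recoder/comparator architecture of Section 4.4 and the fingerprint-plus-PIN login sketched in this section can be shown with one fuzzy-commitment construction. The following Python block is an added example written for this page, not code from the paper, from the FIDELITY project or from the reference architecture of [5]: a random key is bound to a constructed binary template with a repetition code, the pseudo-identity is a one-way hash of the key together with supplementary data (a service label and the PIN), and only the pseudo-identity and the auxiliary data are stored. The template bits, the PIN values and the service labels are constructed placeholders.

```python
import hashlib
import hmac
import random

KEY_BITS = 32          # length of the random key bound to the template (toy size)
REPEAT = 7             # repetition-code block length; corrects up to 3 flips per block
TEMPLATE_BITS = KEY_BITS * REPEAT


def encode(key_bits: list) -> list:
    """Repetition code: each key bit is written REPEAT times."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword: list) -> list:
    """Majority vote per block of REPEAT bits; up to (REPEAT-1)//2 flips are corrected."""
    return [1 if sum(codeword[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(codeword), REPEAT)]


def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def pseudo_identity(key_bits: list, supplementary: bytes) -> str:
    """One-way function of the bound key and the supplementary data (SD). Different
    SD for different services gives unlinkable pseudo-identities from one trait."""
    key_bytes = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(supplementary + key_bytes).hexdigest()


def enrol(template: list, supplementary: bytes, rng: random.Random) -> dict:
    """Encoder: bind a fresh random key to the template.
    Only the pseudo-identity (PI) and the auxiliary data (AD) are stored;
    neither the template nor the key is kept."""
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    auxiliary = xor(encode(key), template)
    return {"PI": pseudo_identity(key, supplementary), "AD": auxiliary}


def verify(record: dict, probe: list, supplementary: bytes) -> bool:
    """Recoder and comparator: unmask the codeword with the fresh probe, correct the
    capture noise, rebuild the pseudo-identity and compare it with the stored one."""
    key = decode(xor(record["AD"], probe))
    return hmac.compare_digest(pseudo_identity(key, supplementary), record["PI"])


def demo() -> dict:
    rng = random.Random(2024)
    # Constructed stand-in for a binarised fingerprint template (not real data).
    template_rng = random.Random(7)
    template = [template_rng.randrange(2) for _ in range(TEMPLATE_BITS)]
    app_and_pin = b"efinance-app" + b"1234"          # SD: service label + PIN (placeholders)
    record = enrol(template, app_and_pin, rng)
    # Fresh capture of the same finger: every 10th bit flipped, so at most one
    # error falls in any block of 7 and the code corrects all of them.
    fresh = [b ^ (1 if i % 10 == 0 else 0) for i, b in enumerate(template)]
    # Capture with errors beyond the code's capacity: every other bit flipped.
    bad = [b ^ (1 if i % 2 == 0 else 0) for i, b in enumerate(template)]
    # The same trait enrolled at a second service with its own label.
    second = enrol(template, b"second-service" + b"1234", rng)
    return {
        "genuine": verify(record, fresh, app_and_pin),
        "too_noisy": verify(record, bad, app_and_pin),
        "wrong_pin": verify(record, fresh, b"efinance-app" + b"9999"),
        "unlinkable": record["PI"] != second["PI"] and record["AD"] != second["AD"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the correct finger and PIN the recoder recovers the key and the comparator accepts; a capture with more errors than the code corrects, or the wrong PIN, is rejected; and the same template enrolled for a second service gets an unrelated pseudo-identity and auxiliary data. Two caveats apply. The block does not model the erasure of the inputs that the text requires after each process. And the repetition code is chosen for readability only: the auxiliary data then reveals the XOR relations between the template bits inside every block, which is the kind of weakness analysed for biometric sketches in [30], so a deployment needs a code and a leakage analysis chosen for the actual template statistics.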


6 Conclusion

In this paper we presented the reasons that make the secure technology of privacy-friendly biometric elements an enticing idea. Biometrics could turn existing identification systems into something categorically new, a phenomenon more powerful and, at the same time, much more invasive. The claims about the inability of biometrics to change over time are somewhat paradoxical, as this is both their strength and their greatest liability. To cope with that, both cryptographic techniques from the scientific side and legal rules from the law side determine the limits of any system that incorporates biometrics to allow an interaction between man and machine. In light of the foregoing critique, we underline that the growth of information analysis technology is not the end of privacy, but just a new beginning with profound consequences.

With the example of pseudonymous biometric identities, it has been illustrated that privacy technology offers promising solutions for handling identity verification based on biometric information in a privacy-friendly way. European projects in this arena are focused on putting research security suggestions into the context of privacy, in order to reduce the leeway for misuse and mismanagement of biometric data, fostering confidentiality. We support the idea that implementing not only the requirements for biometric template protection but also the technical standards in applications would satisfy the demands for building the designs, as privacy stipulates. The evaluation of these developments is becoming an increasingly important task in the web-enabled world. For this reason, different adversary models are considered, while implementing the developments in potential representative market segments is the quintessence of risk mitigation and of individuals' privacy in everyday-life services.

6.1 Discussion and Further Research

Security and privacy for biometrics should stop constituting a double-edged sword. Appealing research topics include analysing the risks, defining requirements to guarantee a person's privacy, and developing proper practices, technologies and architectures with the purpose of implementing the needed constraints. Should one create a back door to the law, or fit the legislative programs into the engineering schemes? One way or another, some essential steps must be taken towards a deep understanding of what is intended. Highly reliable, anonymous biometric authentication systems deserve further studies, and some topics from current deployments could be investigated in future research.

Indicatively, inspired by classic cryptography, public key infrastructures (PKI) and protocols are also deployed for handling biometric cryptographic keys, for distribution and validation in computer security. Suggestions provide composition, enrollment, authentication and revocation details [12]. The biometric components of the schemes force the user to take action, securing the server validation, for the acceptance of the certificate. In network services, the certificate repository and the distribution manner, including user records, keys and biotokens, can benefit from improvements in this field. While some works focus on embedding the key in other forms such as bipartite biotokens, where the user is given the opportunity to handle both the key and the access to the documents, the research in the field remains far from bringing a full security solution into reality [32]. The techniques could potentially be extended to the replacement of asymmetric key operations by their symmetric counterparts.

In the same spirit, credential schemes using biometric key commitments to prevent unauthorized lending have extended the protocols to provide non-transferability [4]. However, there is still much work to be done on the integration of anonymous and digital credentials, since, across their different implementations, they lack the tools for a generic architecture ready for direct implementation. Within the examples of automated erasure and pseudonymous biometric identities, privacy by design could offer promising solutions for handling identity verification based on biometric information in a more privacy-friendly way [10]. Published works on the weaknesses of biometric sketches have expressed concerns about alterations in their presented results if the schemes were extended to continuous biometric sources, where quantization is used as a pattern of error correction.

Additionally, it is worth noting that different entities and their combination, such as multi-biometric approaches, should be exploited in a more systematic way in order to obtain keys or otherwise increase the overall accuracy and security of the algorithms. The models could become the methodology for using soft biometric attributes simultaneously to different degrees, supporting in this way a privacy framework [23]. Further research should involve implementation over unordered sets, such as minutiae points, and their use in order to overcome the drawbacks of traditional crypto-biometric systems. This opens up new directions for interfaces to additional biometric information from different sources and alternative dimensions. In cloud computing environments [37], a biometric-based authentication system can take advantage of the available resources and processing power, but should shield the verification process and securely prohibit the reconstruction of the samples.

As a closing stage, it remains an open question whether the current and intended applications of biometrics serve their primary objectives, respecting the privacy laws that have succeeded in keeping pace with technological changes. And since there is no perfection, guidelines or specific measures should be developed in order to respond to the particularities of crucial identity management applications. Threat analysis could be conducted, testing in this way the performance, always considering the points and parts of the control where a common attacker, malicious proxies or illegal redistributors may be traced. Further research should include the identification of system requirements in order to examine the deployment of the methods on larger biometric datasets. In such a way, privacy-preserving biometric secure services that have established the criteria, evaluate their performance adequately and acknowledge their limitations with respect to hardware, software or external factors could be treated as a confidential means and a helper method to build a safe and appropriate infrastructure.

Acknowledgments

This research is a part of the KU Leuven contribution as a Partner in EU Project FIDELITY (Fast and trustworthy Identity Delivery and check with ePassports leveraging Traveler privacy), which is funded by the European Commission under the Security theme of the Seventh Framework Programme (Grant agreement no: 284862).

The authors wish to thank the Project partners, from Engineering, Computer Science and Law Departments, for their ideas, colleagues for their support, and reviewers for their contribution regarding improvements of this PhD work.


References

[1] Pseudo-random number generator. In Encyclopedia of Biometrics, page 1100. 2009.

[2] ISO/IEC 24745:2011, Information Technology - Security Techniques - Biometric Information Protection, 2011.

[3] T. Bhattasali, K. Saeed, N. Chaki, and R. Chaki. A survey of security and privacy issues for biometrics based remote authentication in cloud. In Computer Information Systems and Industrial Management - 13th IFIP TC8 International Conference, CISIM 2014, Ho Chi Minh City, Vietnam, November 5-7, 2014. Proceedings, pages 112–121, 2014.

[4] D. Bissessar, C. Adams, and D. Liu. Using biometric key commitments to prevent unauthorized lending of cryptographic credentials. In 2014 Twelfth Annual International Conference on Privacy, Security and Trust, Toronto, ON, Canada, July 23-24, 2014, pages 75–83, 2014.

[5] J. Breebaart, C. Busch, J. Grave, and E. Kindt. A reference architecture for biometric template protection based on pseudo identities. In BIOSIG 2008 - Proceedings of the Special Interest Group on Biometrics and Electronic Signatures, 11.-12. September 2008 in Darmstadt, Germany, pages 25–38, 2008.

[6] I. Buhan, E. Kelkboom, and K. Simoens. A survey of the security and privacy measures for anonymous biometric authentication systems. In Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP 2010), Darmstadt, Germany, 15-17 October, 2010, Proceedings, pages 346–351, 2010.

[7] P. Campisi, editor. Security and Privacy in Biometrics. Springer, 2013.

[8] A. Cavoukian. Privacy by Design: Leadership, methods, and results. In European Data Protection: Coming of Age, pages 175–202. 2013.

[9] A. Cavoukian and A. Stoianov. Encryption, biometric. In Encyclopedia of Biometrics, pages 260–269. 2009.

[10] N. Delvaux, H. Chabanne, J. Bringer, B. Kindarji, P. Lindeberg, J. Midgren, J. Breebaart, T. H. Akkermans, M. van der Veen, R. N. J. Veldhuis, E. Kindt, K. Simoens, C. Busch, P. Bours, D. Gafurov, B. Yang, J. Stern, C. Rust, B. Cucinelli, and D. Skepastianos. Pseudo identities based on fingerprint characteristics. In 4th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP 2008), Harbin, China, 15-17 August 2008, Proceedings, pages 1063–1068, 2008.

[11] C. Diaz and S. Gürses. Understanding the landscape of privacy technologies. Extended abstract of invited talk in proceedings.

[12] H. Gunasinghe and E. Bertino. Privacy preserving biometrics-based and user centric authentication protocol. In Network and System Security - 8th International Conference, NSS 2014, Xi'an, China, October 15-17, 2014, Proceedings, pages 389–408, 2014.

[13] S. G. Kanade, D. Petrovska-Delacretaz, and B. Dorizzi. Cancelable biometrics for better security and privacy in biometric systems. In Advances in Computing and Communications - First International Conference, ACC 2011, Kochi, India, July 22-24, 2011, Proceedings, Part III, pages 20–34, 2011.

[14] E. Kindt. The use of privacy enhancing technologies for biometric systems analysed from a legal perspective. In Privacy and Identity Management for Life - 5th IFIP WG 9.2, 9.6/11.4, 11.6, 11.7/PrimeLife International Summer School, Nice, France, September 7-11, 2009, Revised Selected Papers, pages 134–145, 2009.

[15] J. M. G. Linnartz and P. Tuyls. New shielding functions to enhance privacy and prevent misuse of biometric templates. In Audio- and Video-Based Biometric Person Authentication, 4th International Conference, AVBPA 2003, Guildford, UK, June 9-11, 2003, Proceedings, pages 393–402, 2003.

[16] S. Marcel, M. S. Nixon, and S. Z. Li, editors. Handbook of Biometric Anti-Spoofing - Trusted Biometrics under Spoofing Attacks. Advances in Computer Vision and Pattern Recognition. Springer, 2014.

[17] D. Megías and J. Domingo-Ferrer. Privacy-aware peer-to-peer content distribution using automatically recombined fingerprints. Multimedia Syst., 20(2):105–125, 2014.

[18] C. L. Miltgen, A. Popovic, and T. Oliveira. Determinants of end-user acceptance of biometrics: Integrating the "big 3" of technology acceptance with privacy context. Decision Support Systems, 56:103–114, 2013.

[19] E. Mordini and D. Tzovaras. Second Generation Biometrics: The Ethical, Legal and Social Context, volume 11. Springer, 2012.

[20] M. Mrdaković and S. Adamović. Privacy friendly biometrics. In International Scientific Conference of IT and Business-Related Research, 2015.

[21] D. Ngo, A. Teoh, and J. Hu. Biometric Security. Cambridge Scholars Publisher, 2015.

[22] A. Omotosho, O. Adegbola, B. Adelakin, A. Adelakun, and J. Emuoyibofarhe. Exploiting multimodal biometrics in e-privacy scheme for electronic health records. CoRR, abs/1502.01233, 2015.

[23] A. A. Othman and A. Ross. Privacy of facial soft biometrics: Suppressing gender but retaining identity. In Computer Vision - ECCV 2014 Workshops - Zurich, Switzerland, September 6-7 and 12, 2014, Proceedings, Part II, pages 682–696, 2014.

[24] F. L. Podio. Biometric technologies and security - international biometric standards development activities. In Encyclopedia of Cryptography and Security, 2nd Ed., pages 124–130. 2011.

[25] N. K. Ratha, J. H. Connell, and R. M. Bolle. Enhancing security and privacy in biometrics-based authentication systems. IBM Systems Journal, 40(3):614–634, 2001.

[26] A. P. Rebera, M. E. Bonfanti, and S. Venier. Societal and ethical implications of anti-spoofing technologies in biometrics. Science and Engineering Ethics, 20(1):155–169, 2014.

[27] I. Rubinstein. Big data: The end of privacy or a new beginning? International Data Privacy Law (2013), NYU School of Law, Public Law Research Paper No. 12-56.


[28] N. A. Safa, R. Safavi-Naini, and S. F. Shahandashti. Privacy-preserving implicit authentication. IACR Cryptology ePrint Archive, 2014:203, 2014.

[29] K. Simoens, J. Bringer, H. Chabanne, and S. Seys. A framework for analyzing template security and privacy in biometric authentication systems. IEEE Transactions on Information Forensics and Security, 7(2):833–841, 2012.

[30] K. Simoens, P. Tuyls, and B. Preneel. Privacy weaknesses in biometric sketches. In 30th IEEE Symposium on Security and Privacy (S&P 2009), 17-20 May 2009, Oakland, California, USA, pages 188–203, 2009.

[31] Y. Sutcu, Q. Li, and N. D. Memon. Secure biometric templates from fingerprint-face features. In 2007 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR 2007), 18-23 June 2007, Minneapolis, Minnesota, USA, 2007.

[32] M. Tistarelli and M. S. Nixon, editors. Advances in Biometrics, Third International Conference, ICB 2009, Alghero, Italy, June 2-5, 2009. Proceedings, volume 5558 of Lecture Notes in Computer Science. Springer, 2009.

[33] P. Tsormatzoudi, D. Dimitrova, J. Schroers, and E. Kindt. Privacy by design: the case of automated border control. ICRI Research Paper 19, pages 682–696, 2015.

[34] L. Vasiu. Biometric recognition - security and privacy concerns. In ICETE 2004, 1st International Conference on E-Business and Telecommunication Networks, Setubal, Portugal, August 24-28, 2004, Proceedings, page 3, 2004.

[35] K. Wouters, K. Simoens, D. Lathouwers, and B. Preneel. Secure and privacy-friendly logging for egovernment services. In Proceedings of the Third International Conference on Availability, Reliability and Security, ARES 2008, March 4-7, 2008, Technical University of Catalonia, Barcelona, Spain, pages 1091–1096, 2008.

[36] B. Yang, C. Busch, J. Bringer, E. Kindt, W. R. Belser, U. Seidel, E. Springmann, U. Rabeler, A. Wolf, and M. Aukrust. Towards standardizing trusted evidence of identity. In DIM'13, Proceedings of the 2013 ACM Workshop on Digital Identity Management, Berlin, Germany, November 8, 2013, pages 63–72, 2013.

[37] B. Yang, H. Chu, G. Li, S. Petrovic, and C. Busch. Cloud password manager using privacy-preserved biometrics. In 2014 IEEE International Conference on Cloud Engineering, Boston, MA, USA, March 11-14, 2014, pages 505–509, 2014.

[38] B. Yang, L. Rajbhandari, C. Busch, and X. Zhou. Privacy implications of identity references in biometrics databases. In Eighth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, IIH-MSP 2012, Piraeus-Athens, Greece, July 18-20, 2012, pages 25–30, 2012.
