Biometric security using cryptography

BIOMETRIC SECURITYUSING CRYPTOGRAPHY

Presented By: SAMPAT PATNAIK

Regd. No: 0601213054,8th Semester,Dept. of CSE

Contents : Introduction to Cryptography & Biometric Security

Principle & Standards Of Biometrics

Methods to secure a key using Biometrics

Biometric Encryption

User Based Cryptographic Keys & their Generation

Similarities & Differences Between UserID and Biometric-based Keys

Advantages & Threats to Biometric System

Applications of Biometric Systems

Conclusion

Introduction to Cryptography :

Encryption DecryptionCiphertext

Plain Text Plain Text

Sender Reciever

Shared Key

Cryptography :

Cryptography is an important feature of computer security. It is dependent on

the secrecy of the secret or private key.

The user chooses an easily remembered pass code that is used to encrypt the

cryptographic key and this key is then stored in a database.

Security of the cryptographic key is weak due to practical problems of

remembering pass codes.

Since the pass code is not directly tied to a user, the system is unable to

differentiate between the legitimate user and the attacker.

“BIOS” life►

“METRON” measurement►

Study of automated methods for uniquely recognizing humans based upon

one or more intrinsic physical or behavioral traits for authentication

purposes.

Measurable characteristics of the individual based on their physiological

features / behavioral patterns that can be used to recognize or verify their

identity.

Introduction to Biometric Security :

“Everyone in the world is unique, and this

uniqueness

can be used for identity verification.”

Uniqueness : Distinction between individuals

Permanence : Resistance to ageing

Collectability : Ease to obtain a biometric for measurement.

Performance : Accuracy, speed, robustness of the biometric system.

Acceptability :Degree of approval of a technology.

Circumvention : Anomalies in the authentication system.

Principle & Standards Of Biometrics :

PHYSICAL ATTRIBUTES

•Fingerprints•Eye retinas & irises•Facial patterns •Hand measurement •Ear shape.

BEHAVIORAL ATTRIBUTES

• Signature

• Keystrokes

BEHAVIORAL& PHYSICAL ATTRIBUTES

• Voice

BIOMETRICS

Fingerprint Recognition (DERMATOGLYPHICS)

Fingerprints are unique to each individual and no two fingerprints are alike.

Fingerprint recognition is most widely accepted biometrics among the

technology being used today.

Converts the image of a fingerprint into a mathematical template of the print's

minutiae points.

Fingerprints contains pattern of ridges and valleys as well as minutia points.

Scanners : Optical scanners, Thermal scanners, Capacitances (solid state

scanner), Minutia based, Correlation based.

Fingerprint Recognition (CONTD.)

Voice Authentication:

Creates a voiceprint based on the

inflection points of your speech,

emphasizing the highs and lows specific

to your way of talking.

Iris Recognition :

An authenticam takes the pictures of

person’s iris. The image is analyzed and a

512 byte code is generated. The code is then

compared with the iris imprints in the

database and used to determine the

individual’s authorisation level.

Discriminate between individuals with

identical DNA like monozygotic twins.

Other Methodologies:

Face Recognition A camera captures the image of the face. Features and discrete areas are analyzed.

Keystroke Dynamics The system analyses the characteristic rhythm of a person's typing.

Hand Geometry A picture of the hand is taken. Features like3D shape, length, width of fingers and shape of knuckles are recorded.

Signature verification

Users signature digital graphic tablet. The system analyses speed, stroke order, stroke count and pressure .

Methods to secure a key

using Biometrics: (Method - I)First one involves remote template matching and key storage. In this method

biometric image is captured and compared with a corresponding template. If

the user is verified, the key is released.

Drawback :

The main problem here is use of an insecure storage media

Hide the cryptographic key within the enrollment template itself via a secret

bit-replacement algorithm. When the user is successfully authenticated, this

algorithm extracts the key bits from the appropriate locations and releases

the key.

Drawback:

The key will be retrieved from the same location in a

template each time a different user is authenticated

Methods to secure a key

using Biometrics: (Method - II)

Using data derived directly from a biometric image is another method. In

this manner biometric templates are used as a cryptographic key.

Drawback:

Sensitivities due to environmental and physiological factors,

and compromising of the cryptographic keys stand as a big obstacle

Methods to secure a key

using Biometrics: (Method - III)

A new and exciting technique is developed by Mytec Technologies

Inc. and named as Biometric Encryption™.

During the enrollment phase, the process combines the biometric

image with a digital key to create a secure block of data known as BioScrypt™

and then the key is retreived using the biometric during the verification phase.

Methods to secure a key

using Biometrics: (Method - IV)

Biometric Encryption:

It provides a mechanism for the linking and retrieval of a digital key using a

biometric. This biometric might be a 2D image such as fingerprint, palm

print, face, iris or retina.

The resulting digital key is then used as a cryptographic key.

Note: The key is completely independent of the biometric data so that the

use of the biometric is not forfeited if the key is ever compromised

and can be easily modified or updated.

User Based Cryptographic Keys:

Cryptographic systems require a secret key or a random number which must

be tied to an individual through an identifier. This identifier indeed could be a

globally unique user id or biometric data.

Pseudorandom numbers are generated by a PRNG (pseudo random number

generator). The resulting pseudorandom number can be used directly as a

key or adjusted with user-dependent data (userID or biometric data).

User Dependent Key Generation:

User dependent key generation is done in two ways:

First the key generation algorithm could be modified by using the user-

dependent data.

Second PRNG could be modified which is accomplished using a front-end or

back-end approach. In front-end manner, the definition of the key is extended

to include a user-specific data component. In back-end manner,

pseudorandom numbers are treated as intermediate values and processed

further.

Cryptographic Keys Generated From Voice :

Similar to image-type biometrics, human voice is a good biometric to

generate a cryptographic key.

For the goal of unpredictability, i.e. applying automatic speech recognition to

recognize the password spoken and then simply using the password, as a

cryptographic key is way. But it is not secure.

One solution is a user utters a password to his/her device and that

device would generate a key. Repeated utterance of the same password

by the same user would improve the security of the key after successful

matches with his/her previous recorded utterances.

Cryptographic Keys Generated From Voice : (Contd.)

Similarities Between UserID and Biometric-based Keys:

Both of them are different for each user.

Both of them are non-secret data. It is clear to see that userID data is non-secret.

Similarly biometric data is insecure in some sense because there is no practical

way to prevent the capture of user biometric data outside the biometric system.

Differences Between UserID and Biometric-based Keys:

Biometric data is obtained or derived from the user whereas userID is

assigned to a user.

Except the accidents biometric data can not be changed. But userID can easily

be changed.

Set of userIDs may be dense and it is easy to enumerate the set. Unlikely, set of

biometric data is not dense and this makes it infeasible to enumerate the

biometric data for each user.

Biometrics directly authenticates the person, not indirectly through a

password or token.

Biometrics features are difficult to steal; thereby making biometrics

authentication very strong.

The Biometrics feature is eminently portable, and is unlikely to be lost.

Another advantage of biometrics authentication systems is user cannot share

or forget his retina or fingerprint, while a password and username are easily

forgotten.

Advantages Of Biometric System :

Threats to Biometric System:

As with any IT security system, biometric-based security policy

must deal with the threats from the workers of the organization who can

damage any software or hardware component of the system. Attackers

may also change the statistical recognition parameters of the components

and decrease the recognition rates.

Organizational

Software

Physical

• Attacks on the biometric sensor/Acquisition device

Example: usage of artificial or disembodied dead features like a cut-off

finger in the fingerprint case.

• Communication channel attacks (man-in-the-middle attacks)

The first type is just eavesdropping. If the channel between the sensor

and the feature extraction unit or the one between the reference database and

the matching unit is attacked, the attacker will gain information about the

biometric data. In the second type, purposeful use or change is done to the

intercepted data for subsequent introduction back into the system

Threats to Biometric System: (Contd.)

• Iris Recognition

It is Relatively expensive; requires large amount of computer

storage; may not be generally accepted by public.

• Voice Verification

Works well over the telephone but requires large amount of

computer storage; people's voices can change; background noises can interfere.

Other Drawbacks of Biometric System:

PC access and internet security (Computer network security, Internet

transaction, Laptop security, Application level security)

Physical area security(military, government, banking, voting, prisons)

Employee record check

Mobile phones: network access & theft protection

Mobile financial transaction: Credit cards & ATM cards.

Applications:

Reliable user authentication is highly significant in this web enabled world.

Consequences of an insecure authentication system can be catastrophic and

may include loss of information, denial of service and loss of data integrity.

Biometric Encryption™ and Bioscrypt™ are high security means of protecting

the critical data of government, police departments, army and big firms.

The current generation of biometric identification devices offer cost and

performance advantages over manual security procedures.

All these methods have shown that, using biometrics for identification or

verification-based security systems and cryptosystems, is a promising

technology

Conclusion:

www.ieeexplore.ieee.org

www.cscjournals.org

www.en.wikipedia.org

C.Soutar, D.Roberge, A.Stoianov, R.Gilroy and B.V.K.V.Kumar,

“Biometric Encryption™ using image processing”

M. Peyravian, S. M. Matyas, A. Roginsky, N. Zunic, “Generating user-

based Cryptographic keys and random numbers”

References:

Thank You