Cancelable Templates for Sequence-Based Biometrics with ... - ATVS

More documents

Recommendations

Info

526 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 3, MAY 2010Fig. 1. Points of attack in a generic biometric system (adapted from [3]).As a proof of concept, we apply the proposed BioConvolvingprotection scheme to signature biometrics, extendingthe authors’ works presented in [10] and [11]. Specifically,the signature representation here employed comprises a highernumber of signature sequences, and a detailed renewability andsecurity analysis is carried out.Specifically, this paper is organized as follows. In Section II,the different solutions which have been investigated in therecent past to secure biometric templates are analyzed. The proposedapproach for the protection of sequence-based biometrictemplates is illustrated in Section III, and its security analysis isoutlined in Section IV. The state of the art on signature-basedauthentication schemes and on signature template protectionapproaches is outlined in Section V. The application of theproposed scheme to on-line signature biometrics is presentedin Section VI, which details both the employed signature representationand the employed template matcher. The experimentalsetup is described in Section VII. The authentication and therenewability performances of the proposed protection approachare discussed in Sections VIII and IX, respectively. Eventually,some conclusions are drawn in Section X.II. BIOMETRIC TEMPLATE SECURITYA biometric system can be roughly sketched as that in Fig. 1and consists of a sensor module, a feature extractor module, amatcher, a database, and an application device which is drivenby the matcher output. As discussed in [3] and also shown inFig. 1, eight possible vulnerable points can be identified in abiometric system. Specifically, some attacks can be perpetratedat the sensor level, at the feature extractor level, or againstthe channel interconnecting two modules, in order to steal orsubstitute the acquired biometric information with fake or otherimpostor data.Other attacks are related to the biometric templates generatedby the feature extractor module, which are stored in thedatabase or matched against previously stored templates. Thebiometric templates are the targets of the attacks either atthe database level or at the interconnecting channel level.Finally, the matcher and the output to the device applicationcan be attacked to override the system decision.The unauthorized access to both raw biometric data andbiometric templates is among the most dangerous threats tousers’ privacy and security. Several techniques for biometrictemplate protection have been studied in the literature. Amongthem, classical cryptographic techniques [12] can be employedto secure the transmission of biometric data over reliable butinsecure channels and to store data in such a way that they areintelligible only by using a proper cryptographic key. However,when using these techniques, it is necessary to perform thematch after decryption, and therefore, no protection is providedduring the matching.On the other hand, data hiding techniques [13] can be usedto insert additional information, namely, the watermark, intoa digital object. Within this respect, data hiding techniquescomplement encryption, since the message can remain in thehost data even when decryption has been done. The use ofdata hiding techniques for biometrics protection has alreadybeen proposed for fingerprints [14] and signatures [15], amongothers.The problem of providing protection to the biometric templatesalso during the matching process can be solved with newtechniques such as cancelable biometrics, also known as anonymousor revocable biometrics. Cancelable biometrics have beenintroduced in [16], where template protection has been achievedby applying an intentional and repeatable modification to theoriginal biometric template. The transformation must be designedin such a way to satisfy the following properties.1) Renewability: It should be possible to revoke a templateand to reissue a new one based on the same biometricdata. The new templates should not match with the onesrevoked in order to provide diversity. This property isneeded to ensure the user’s privacy.2) Security: It should not be possible, or computationallyunfeasible, to obtain the original raw biometric data fromthe stored secured template. This property is needed toprevent an adversary from reconstructing biometric traitsfrom a single stolen template, as well as from severalstolen templates (this is commonly referred to as therecord multiplicity attack). In fact, although it was commonlybelieved that it is not possible to reconstruct theoriginal biometric characteristics from the correspondingextracted template, some concrete counter examples havebeen provided in the recent literature [17], [18].3) Performance: The biometric recognition error ratesshould not degrade significantly with the introduction ofa template protection scheme, with respect to an unprotectedapproach. Moreover, the recognition performancesshould not be sensitive to the employed modifications:Even when applying different distortions to the same biometricdata, the recognition performances should show avery low variance.Authorized licensed use limited to: Univ Autonoma de Madrid. Downloaded on May 06,2010 at 15:31:46 UTC from IEEE Xplore. Restrictions apply.
MAIORANA et al.: CANCELABLE TEMPLATES FOR SEQUENCE-BASED BIOMETRICS 527A detailed discussion regarding the requirements of a properlydefined cancelable biometrics can also be found in [19].Designing a template protection scheme that is able to properlysatisfy each of the aforementioned properties is not a trivialtask, mainly due to the unavoidable intrauser variability shownby every biometric trait. Different solutions have already beenproposed for the generation of secure and renewable templates.A recent survey of published methods has been presented in[20], where the authors have classified the existing approachesinto two categories: biometric cryptosystems and feature transformationapproaches.A. Biometric Cryptosystems for Template ProtectionBiometric cryptosystems combine cryptographic keys withtransformed versions of the input biometrics to generate thesecured templates [21]. In this process, some public information,namely, helper data, is generated. Biometric cryptosystemscan be further divided into key binding systems, wherethe helper data are obtained by combining the key with thebiometric template, and key generation systems, where boththe helper data and the key are directly generated from thebiometric template. Two of the most well-known examples ofkey binding approaches are the fuzzy commitment [22] and thefuzzy vault [23], which represent general schemes that can beapplied to different biometrics such as fingerprints or face [24],[25]. Typically, these approaches are able to manage the intrauservariations in biometric data by exploiting the capabilitiesof error correcting codes. However, it is generally not possibleto use sophisticated and dedicated matchers, thus reducing thesystem matching accuracy. Moreover, it has been proven thatthe fuzzy vault is vulnerable to the record multiplicity attack[26]: If an adversary has access to two different vaults obtainedfrom the same data, he can easily identify the genuine points inthe two vaults. On the other hand, the proposed key generationbiometric cryptosystems have been more difficult to implementin practice [27].B. Feature Transformations for Template ProtectionIn a feature transformation approach, a function that is dependenton some parameters, which can be used as a key, isapplied to the input biometric to generate the protected templates.The employed function can be either invertible, resultingin a salting approach, whose security is based on the protectionof the function parameters, or noninvertible, when a one-wayfunction is applied to the template and it is computationallyhard to invert the function even if the transformation parametersare known. The use of the methods belonging to the first categorytypically results in low false acceptance rates; however, if auser-specific key is compromised, the user template is no longersecure due to the invertibility of the transformation. Examplescan be found in [28] and [29].On the contrary, when noninvertible transforms are used,even if the key is known by an adversary, no significantinformation can be acquired on the template, thus obtainingbetter security than when using a salting approach, which relieson the key security. Moreover, in contrast with cryptosystemapproaches, the transformed templates can remain in the samefeature space of the original ones, being then possible to employstandard matchers to perform authentication in the transformeddomain. This guarantees performances that are similar to thoseof an unprotected approach. In addition to the performancebenefits of using standard matchers in the transformed domain,these methods typically result in matching scores which canbe fused in multibiometric approaches. Therefore, the use oftransform-based approaches for template protection in multibiometricssystems allows using either score-level fusion techniques[30] or decision-level fusion techniques [31], whereasonly the latter, which is less effective than the former, canbe employed when biometric cryptosystems are considered.Unfortunately, it seems to be difficult to design transformationfunctions which can satisfy both the discriminability and thenoninvertibility properties simultaneously.The concept of achieving template security through the applicationof noninvertible transformations has been first presentedin [16], where it has been referred to as cancelablebiometrics as that in [32], although this expression has beenlater conceived in a more general sense. One of the first publishedworks including experimental evidence on the feasibilityof noninvertible transforms for biometric template protectionis [33], where a geometric transform has been employed toprotect minutia templates. However, the protection scheme in[33] introduces a significant performance degradation, and thematching score between fingerprints transformed with differentkeys is relatively high, thus greatly reducing the useful keyspace. More general geometric transforms (Cartesian, polar,and functional) have been later studied in [34], where betterperformances have been achieved. However, with reference tothe best approach presented in [34], only a small fraction of thedata, namely, 8%, is noninvertible in practice [35]. Moreover,all the approaches for template protection in [33] and [34] arevulnerable to a record multiplicity attack: Having access to twoor more different transformed versions of the same minutiapattern, it is possible to identify the original positions of theconsidered minutiae [36].A registration-free construction of cancelable fingerprinttemplates has also been proposed in [37]. From each detectedminutia, a square patch is extracted and transformed usingan orthogonal transformation matrix. The approach presentedin [37], being able to withstand also a record multiplicityattack, is more robust than the one proposed in [34], but itexhibits lower verification performances than the one obtainedin [34].Voice-based cancelable templates were proposed in [38],where a noninvertible transformed version of the originallyacquired voiceprint is generated. The original biometrics cannotbe obtained from the template stored in the server duringenrollment, even if the keys employed for transformations aredisclosed.III. GENERATING CANCELABLE SEQUENCE-BASEDBIOMETRIC TEMPLATESThe proposed BioConvolving approach provides protectionto templates characterized by a set of discrete finite sequencesAuthorized licensed use limited to: Univ Autonoma de Madrid. Downloaded on May 06,2010 at 15:31:46 UTC from IEEE Xplore. Restrictions apply.
Page 1: IEEE TRANSACTIONS ON SYSTEMS, MAN,
Page 5 and 6: MAIORANA et al.: CANCELABLE TEMPLAT
Page 7 and 8: MAIORANA et al.: CANCELABLE TEMPLAT
Page 9: MAIORANA et al.: CANCELABLE TEMPLAT
Page 12 and 13: 536 IEEE TRANSACTIONS ON SYSTEMS, M
Page 14: 538 IEEE TRANSACTIONS ON SYSTEMS, M

Cancelable Templates for Sequence-Based Biometrics with ... - ATVS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?