
User verification using behavioural cancelable templates


Academic year: 2017


Marcelo Damasceno de Melo

User Verification Using Behavioural Cancelable Templates

Thesis submitted to the PostGraduate Programme in Systems and Computation of the Informatics and Applied Mathematics Department of the Federal University of Rio Grande do Norte as a requirement to obtain the title of PhD in Computer Science.

Federal University of Rio Grande do Norte - UFRN

Exact and Earth Sciences Center

Informatics and Applied Mathematics Department

PostGraduate Programme in System and Computation

Supervisor: Prof. Dr. Anne Magály de Paula Canuto

Melo, Marcelo Damasceno de.

User verification using behavioural cancelable templates / Marcelo Damasceno de Melo. - Natal, 2016.

158 leaves: ill.

Supervisor: Prof. Dr. Anne Magály de Paula Canuto. Thesis (PhD) - Federal University of Rio Grande do Norte. Exact and Earth Sciences Center. Informatics and Applied Mathematics Department. PostGraduate Programme in System and Computation.

1. Behavioural biometrics. 2. Cancelable biometrics. 3. Template protection. 4. Non-invertible functions. 5. Cancelable functions. 6. User verification. I. Canuto, Anne Magály de Paula. II. Title.

Cataloguing-in-Publication record


Approved Thesis. Natal-Brasil, 07/03/2016:

Prof. Dr. Anne Magály de Paula Canuto

Supervisor

Prof. Dr. Benjamín René Callejas Bedregal

Internal Invited Member

Prof. Dr. João Carlos Xavier Júnior

Invited Member External to the Programme

Prof. Dr. George Darmiton da Cunha Cavalcanti

External Invited Member

Prof. Dr. André Ponce de Leon F. de Carvalho

External Invited Member

Acknowledgements

First, I would like to thank my parents, Marcos Antônio and Luizete Damasceno. I regard this stage as one of the last in my academic education. Since the beginning of that education (my undergraduate degree), my parents have been my great support, having changed their lives to accompany me to Maceió in this world that is Computer Science. So I thank my parents with all my heart and soul. Without them, I would not be completing this important stage of my life. To my brother, Marcos Augusto, "Marquinhos", whose calm way of life, taking everything in a good light, makes me rethink life in the same way. At times his image is the inverse of mine in a mirror, but the joy of living, of watching each other grow, is shared in our veins. To my wife, Alia Titara, who has been by my side since I was 15 or 16, for supporting me and for enduring my one-year stay in England on her own, with our daughter Arya. I am immensely grateful for your support and for understanding that living abroad had always been a lifelong dream. I remember that on all the days I wanted to come back to be with our daughter, you would say: "Remember what you went there to do. Very soon you will be back." And of course to my daughter Arya Myrcella, my little star, who was with me every day, even from a distance, in my heart and on my wallpaper. As my mother says, you only know what it is to be a father when you are one. To my mother-in-law, Aila Maria, who in her own way supported my success throughout this time. I do notice the small gestures. Thank you. And to my future child, who at this moment seems to close a cycle: from the cycle of a student to the cycle of an academic professional.

To my supervisor, Anne Magaly, with her gentle manner and her understanding that everyone has their own pace. Thank you for this partnership and for introducing me to, and providing me with, great opportunities. Without your support I would not have completed this much-cherished stage of my life, my doctoral degree. To Norman Poh, my supervisor during my sandwich doctorate at the University of Surrey. Norman showed me how science done seriously can bear important fruit for society, and that hard, constant work produces results. Thank you for the support during a year away from my family.

To the friends I made during this journey, Valério, Issac and Cleverton. Thank you for the conversations and the moments of relaxation. To the friends who shared great moments in Surrey: Veronika, Poh Joh, Huda, Franciskos, Josy, Andreas (a Brazilian), Stathis, Costas, Anna, Paul, Fran, Cherry and Maria Luiza.

Summary

Verifying the identity of users is a problem faced daily by people and systems that authorise access on the basis of physical characteristics and presented documents. However, effort still needs to be applied to issues related to the accuracy of the verifying system and to the falsification of objects and personal information. The use of biometrics can minimise or resolve these difficulties. Unfortunately, replacing biometric traits when the security of a biometric system is compromised is difficult. The use of non-invertible functions is therefore proposed in order to distort the biometric traits, thereby adding the cancelable property to biometric data.

This thesis analyses some solutions for user verification using cancelable behavioural biometrics. Specifically, the solutions are based on TouchAlytics, a database of strokes made by users on the touchscreen of smartphones. The analysed solutions consist of the use of classifiers and classifier ensembles to solve the user verification problem. In addition to the solutions described, this thesis analyses the use of multiple cancelable biometric templates with a classifier ensemble (Multiple-Privacy Protection Schemes). This thesis also presents a multi-faceted discussion of the impact of the key in a cancelable function. To that end, we present an empirical study that uses a single key or different keys to protect the users' biometric templates. Furthermore, a study of the impact of key length on the accuracy of a biometric verification system is discussed. Based on the results found, the generation and storage of the cancelable key on mobile phones is analysed.

generated by the system for user authentication on mobile devices using multiple cancelable biometric templates

Abstract

The verification of user identity is a daily problem faced by people or systems that authorize people taking into account physical characteristics and documents. However, effort still needs to be spent on questions related to the accuracy of the verification system and to the falsification of objects and personal information. Biometrics proposes to decrease or resolve these difficulties. Unfortunately, the substitution of biometric traits in the case of compromise is difficult. Hence, non-invertible functions can be used to protect biometric traits. Consequently, these functions allow biometric templates to become cancelable/revocable.

This thesis analyses some solutions to user verification using cancelable behavioural biometrics. Specifically, our solutions are based on TouchAlytics, a dataset of touchscreen strokes performed on smartphones. The analysed solutions are based on the use of single classifiers and ensemble systems to resolve the user verification problem. In addition, this thesis analyses the use of multiple cancelable templates using an ensemble system (Multiple-Privacy Protection Schemes). This thesis also presents a discussion of the impact of the key in cancelable functions. Thus, we perform an empirical study using single or different user key values in cancelable functions. Moreover, a study of the impact of key length is discussed based on the accuracy of the biometric system. Based on the results, the generation and storage of cancelable keys in mobile devices is discussed.

In summary, we have demonstrated that the use of transformation functions usually provides similar or better performance than unprotected biometric data, except for the BioHashing function. In addition, the use of multiple protected templates processed by an ensemble system outperformed the previous results with single classifiers and ensemble systems. Moreover, we showed that biometric systems with cancelable templates preserve user privacy, i.e., they provide lower False Acceptance and False Rejection Errors in Unknown Key attacks and similar performance to unprotected biometric samples in Known Key attacks. Based on the key length experiments, we observe a perceptible continuous improvement as the key increases for the Interpolation and BioHashing methods in both key knowledge attacks. In contrast, Double Sum shows minor improvements, but importantly its performance does not decrease when the user key increases. In conclusion, based on our findings, we propose the use of a single user key generated by the system to authenticate users on mobile devices using multiple cancelable biometric templates.

Keywords: Behavioural Biometrics, Cancelable Biometrics, Template Protection,


List of Figures

Figure 1 – Identification and Verification Task using Biometric System Modules. Source: (37)

Figure 2 – Illustration of BioConvolving procedure using W = 3. Source: (47)

Figure 3 – An example of a decision tree. Source: (2)

Figure 4 – Example of a Multi-Layer Perceptron

Figure 5 – An illustration of the general framework of an ensemble system

Figure 6 – Organization of the Methodology

Figure 7 – Generation of cancelable biometric samples for each user

Figure 8 – Inter Session BoxPlots

Figure 9 – Inter Week BoxPlots

Figure 10 – Intra Session BoxPlots

Figure 11 – Better Ensemble Boxplots for Original and Cancelable Functions

Figure 12 – Flowchart represents the system architecture

Figure 13 – BoxPlot of MPPS scenarios using horizontal strokes

Figure 14 – BoxPlot of MPPS scenarios using scrolling strokes

Figure 15 – BoxPlot of relative change of EER(%) using horizontal scenarios

Figure 16 – BoxPlot of relative change of EER(%) using scrolling scenarios

Figure 17 – Cross Match Rate Attack scenarios Illustration. a) The attacker inserts a protected template $f(x_j, k^2_j)$ in order to access application 1. b) The attacker inserts a protected template $f(x_j, k^1_j)$ in order to access application 2.

Figure 18 – DET curve of all scenarios protected with Interpolation transformation function. (a) Scrolling Strokes; (b) Horizontal Strokes.

Figure 19 – DET curve of all scenarios protected with BioHashing transformation function. (a) Scrolling Strokes; (b) Horizontal Strokes.

Figure 20 – DET curve of all scenarios protected with BioConvolving transformation function. (a) Scrolling Strokes; (b) Horizontal Strokes.

Figure 21 – DET curve of all scenarios protected with DoubleSum transformation function. (a) Scrolling Strokes; (b) Horizontal Strokes.

Figure 23 – DET curves for Interpolation - Unknown Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

Figure 24 – DET curves for BioHashing - Known Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

Figure 25 – DET curves for BioHashing - Unknown Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

Figure 26 – DET curves for BioConvolving - Known Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

Figure 27 – DET curves for BioConvolving - Unknown Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

Figure 28 – DET curves for DoubleSum - Known Key Attack. (a) Heterogeneous - Scrolling Strokes; (b) Homogeneous - Scrolling Strokes; (c) Heterogeneous - Horizontal Strokes; (d) Homogeneous - Horizontal Strokes.

List of Tables

Table 1 – Average Equal Error Rate - Scrolling Strokes

Table 2 – Average Equal Error Rate - Horizontal Strokes

Table 3 – Comparative Analysis of Ensemble structures and Single Classifiers for Scrolling dataset

Table 4 – Comparative Analysis of Ensemble structures and Single Classifiers for Horizontal dataset

Table 5 – Mean Results using Scrolling Traits

Table 6 – Mean Results using Horizontal Traits

Table 7 – Voting - EER - Percentage. Source: (16)

Table 8 – Mathematical Formulation of Key Knowledge Attack in Homogeneous and Heterogeneous scenarios

Table 9 – Cross Match Effort Points - shows the effort in points which an attacker needs to spend to invade a biometric system protected by MPPS

Table 10 – EER by scenario and Template Protection Method using Scrolling Strokes classified by SVM

Table 11 – EER by scenario and Template Protection Method using Horizontal Strokes classified by SVM

Table 12 – Heterogeneous vs. Homogeneous Statistical Test using Known Key Attack Scores

List of Abbreviations and Acronyms

ANN Artificial Neural Network

PIN Personal Identification Number

FMR False Matching Rate

FNMR False Non-Matching Rate

DCS Dynamic Classifier Selection

LCA Local Class Accuracy

EER Equal Error Rate

FAR False Acceptance Rate

FRR False Rejection Rate

MPPS Multi Privacy Protection Schemes

MLP Multi Layer Perceptron

SVM Support Vector Machine

kNN K-Nearest Neighbours

NB Naive Bayes

DET Detection Error Trade-off

ROC Receiver Operating Characteristics Curve


Contents

1 INTRODUCTION

1.1 Research Problem and Motivations

1.2 Thesis Statement

1.3 Contributions

1.4 Published Papers

1.5 Thesis Organization

2 BIOMETRIC BASED RECOGNITION

2.1 Biometrics

2.1.1 Biometric Modalities

2.2 Biometric System

2.2.1 Verification and Identification Task

2.2.2 Biometric System Metrics

2.3 Advantages and Limitation of Biometrics

2.4 Multibiometric System

2.4.1 Multibiometric Factors

2.5 Chapter Conclusion

3 TEMPLATE PROTECTION

3.1 Introduction

3.2 Biometric Cryptosystems

3.3 Feature Transformation

3.4 Cancelable Biometrics

3.5 Cancelable Functions

3.5.1 Interpolation

3.5.2 BioHashing

3.5.3 BioConvolving

3.5.4 Double Sum

3.6 Function of Key in Cancelable Functions

3.6.1 Key Storage

3.6.2 Key Generation

3.6.3 Key Length

3.8 Conclusion

4 STATISTICAL LEARNING AND ENSEMBLE METHODS

4.1 Statistical Learning

4.1.1 Evaluation of Classifiers

4.2 Classification Methods

4.2.1 k-NN

4.2.2 Decision Tree

4.2.3 Naive-Bayes

4.2.4 Artificial Neural Network

4.2.5 Support Vector Machine

4.3 Ensemble Systems

4.3.1 Learning Strategies in Ensemble Systems

4.3.2 Ensemble Systems for Cancelable Biometrics

4.4 Chapter Conclusion

5 USER AUTHENTICATION USING A CANCELABLE BEHAVIOURAL MODALITY: SINGLE CLASSIFIERS AND ENSEMBLE SYSTEMS

5.1 Touchalytics

5.2 Methodology

5.2.1 Data Preprocessing Module

5.2.2 Decision Module for Single Classifiers and Ensemble Systems

5.2.2.1 Single Classifier

5.2.2.2 Ensemble System

5.3 Single Classifier Experiments

5.3.1 Contribution

5.4 Ensemble System Experiments

5.4.1 Contributions

5.5 Chapter Conclusion

6 MULTI-PRIVACY PROTECTION SCHEMES

6.1 Introduction

6.2 Methodology

6.3 Results and Discussion

6.4 Chapter Conclusion

7 IMPACT OF KEY STORAGE IN CANCELABLE FUNCTIONS

7.1.1 Contributions and Contrast with the Literature

7.1.2 Our findings

7.2 Notation and Methodology

7.2.1 Original Domain

7.2.2 Transformed Domain

7.3 Homogeneous and Heterogeneous Key

7.4 Experimental Scenarios

7.4.1 Scenario 1 - Heterogeneous Key - Unknown Key

7.4.2 Scenario 2 - Heterogeneous Key - Known Key

7.4.3 Scenario 3 - Homogeneous Key - Unknown Key

7.4.4 Scenario 4 - Homogeneous Key - Known Key

7.5 Methodology

7.6 Analysis of Cross Match Attack Effort

7.7 Baseline Performance (unprotected samples) vs. Attack Scenarios

7.7.1 Interpolation

7.7.2 BioHashing

7.7.3 BioConvolving

7.7.4 Double Sum

7.8 Comparison of the Security/Performance of the Biometric System using Homogeneous and Heterogeneous Key Scenario

7.8.1 Interpolation

7.8.2 BioHashing

7.8.3 BioConvolving

7.8.4 DoubleSum

7.9 MPPS and the use of a single key

7.10 Chapter Conclusion

8 IMPACT OF KEY LENGTH IN CANCELABLE FUNCTIONS

8.1 Introduction

8.1.1 Findings

8.2 Methods to Increase the Key Length

8.2.1 Interpolation

8.2.2 BioHashing

8.2.3 BioConvolving

8.2.4 Double Sum

8.3 Results and Discussion

8.3.2 BioHashing

8.3.3 BioConvolving

8.3.4 DoubleSum

8.4 Chapter Conclusion

9 CONCLUSIONS

9.1 Use of Single and Ensemble System

9.2 Multi-Privacy Protection Schemes

9.3 Attacks Based on Key Knowledge

9.4 Key Length

9.5 Implication of Our Findings

9.5.1 Recommended Biometric System Configuration

9.5.2 Key Management

9.6 Thesis Limitation

9.7 Future Work

9.8 Acknowledgements

1 Introduction

Currently, most computer systems use a username-password method for user authentication (35). The username-password combination has several flaws regarding security, logistics and reliability in the process of storing and using authentication methods.

For instance, the username-password method brings problems such as the use of a single username-password combination in different systems and increased user stress from remembering long and complex passwords. A whole set of services is compromised if a single username-password combination shared among them is compromised. Moreover, having different complex passwords increases user stress and leads users to write these passwords down on physical media, such as post-it notes. Thus, authentication methods need to be secure and accurate, and to provide variability in user credentials without the inconvenience of long and complex passwords.

Biometrics has been studied in order to minimize the problems caused by username-password authentication methods (25). Biometrics can be considered the science of establishing a person's identity using his anatomical or behavioural traits. Biometric traits have a number of desirable properties, such as reliability, convenience, universality, and so forth. Due to these characteristics, Biometrics has been increasingly studied over the last years and is currently present in several authentication systems, such as machines which control employee entrance or access to critical systems, among others (72).

Biometric modalities can be divided into two categories: physical and behavioural. Physical modalities are usually related to body features, such as face, fingerprint, iris recognition and hand geometry, among others. Unlike physical biometrics, behavioural biometrics are related to user behaviour/actions (76). Behavioural biometrics use conduct patterns, such as gait or human-computer interactions (93). Behavioural modalities can be considered non-intrusive, i.e., users are not aware that information is being collected.


biometric template.

Because of these characteristics, biometric traits are permanently associated with a user. Template protection methods have been increasingly adopted to address the security of biometric templates (38). Cancelable functions transform or intentionally distort biometric data in order to protect sensitive user information (64). The distorted biometric features are then used in place of the original features. Thus, in the case of system compromise, the templates are removed and a new enrolment process is executed in order to create new cancelable templates for the same enrolled users.

Cancelable physical modalities have been widely reported in the literature. In (44, 55), the authors show that cancelable methods provide similar or worse performance than biometric systems without template protection. However, little has been done for behavioural modalities because they are considered complex and they change over time. Thus, this thesis uses a behavioural modality due to its novelty and complexity (87, 93).

Cancelable methods usually require a biometric template and a user key in order to produce a protected template (46). The user key therefore has an important role in the generation of the protected biometric template. Few studies have evaluated the effect of the key on the recognition performance of biometric systems (46, 62). Therefore, the user key must be studied in order to understand its impact on biometric system performance, since the key is user-specific information and is used to generate secure templates.
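The enrol, verify and revoke cycle described above, together with the Unknown Key and Known Key attacks named in the abstract, sketched with BioHashing in its commonly described form (key-seeded random vectors, Gram-Schmidt orthonormalisation, sign thresholding). This is an added example, not code from the thesis: the feature vectors are constructed random data rather than TouchAlytics strokes, and the key values, vector length and acceptance threshold are assumptions.

```python
import math
import random

N_FEATURES = 64  # assumed feature-vector length (constructed, not TouchAlytics)
N_BITS = 64      # length of the protected template; must be <= N_FEATURES
THRESHOLD = 8    # assumed policy: accept when at most 8 of 64 bits differ


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def orthonormal_basis(key):
    """Derive N_BITS orthonormal vectors from the key (Gram-Schmidt).

    random.Random keeps the demo reproducible; it is not a cryptographic
    generator, and a deployment would derive the vectors with a CSPRNG/KDF.
    """
    rng = random.Random(key)
    basis = []
    while len(basis) < N_BITS:
        v = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        for u in basis:  # remove the components along earlier vectors
            proj = _dot(v, u)
            v = [vi - proj * ui for vi, ui in zip(v, u)]
        norm = math.sqrt(_dot(v, v))
        if norm > 1e-9:  # skip a (vanishingly unlikely) dependent draw
            basis.append([vi / norm for vi in v])
    return basis


def biohash(features, key):
    """Protected template: sign of each key-dependent projection."""
    return [1 if _dot(features, row) > 0.0 else 0
            for row in orthonormal_basis(key)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def verify(template, probe_features, key):
    """Match in the transformed domain only; raw features are never stored."""
    return hamming(template, biohash(probe_features, key)) <= THRESHOLD


def demo():
    rng = random.Random(2016)  # constructed sample data
    alice = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
    alice_again = [x + rng.gauss(0.0, 0.02) for x in alice]  # later session
    mallory = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]  # impostor

    key_v1, key_v2, guessed_key = 1001, 2002, 3003  # hypothetical keys
    enrolled = biohash(alice, key_v1)

    return {
        # Genuine user, correct key: only sensor noise flips bits.
        "genuine": hamming(enrolled, biohash(alice_again, key_v1)),
        # Unknown Key attack: impostor features and a guessed key.
        "unknown_key_attack": hamming(enrolled, biohash(mallory, guessed_key)),
        # Known Key attack: the key leaked, so rejection rests entirely
        # on how different the impostor's biometric features are.
        "known_key_attack": hamming(enrolled, biohash(mallory, key_v1)),
        # Revocation: same user re-enrolled under a new key; the old and
        # new templates should not be linkable (cross-match).
        "after_revocation": hamming(enrolled, biohash(alice, key_v2)),
    }


if __name__ == "__main__":
    for scenario, distance in demo().items():
        print(f"{scenario:20s} {distance:2d}/{N_BITS} bits differ")
```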

Although the use of cancelable biometrics bridges the gap between the convenience of biometric authentication and security vulnerabilities, cancelable functions produce noisy data and depend on a user key to encode a biometric sample (72, 73). The use of cancelable templates tends to decrease the performance of biometric-based systems, since the inter variance of cancelable templates is usually higher than that of unprotected templates. Therefore, powerful recognition methods need to be used to deal with the noise in protected templates.

Classifiers have been used to categorize users using their biometric templates (46,73). However, standard classification methods are not powerful enough to recognize protected genuine templates. Therefore, the fusion of information or decision has been used to improve the recognition performance of biometric systems (36).

• multimodal system, which combines multiple biometric traits collected by different sensors;

• multi-algorithmic system, which uses different algorithms on the same biometric modality;

• multi-sample system, which combines several samples or instances of the same biometric modality;

• multi-sensor system, which recognises a user based on one biometric modality through the combination of different sensors (of the same modality).

A special case of multi-algorithmic biometric system is to use several biometric feature representations, leading to a multi-feature biometric system. Although some progress on biometric information fusion includes the combination of auxiliary, non-discriminatory information such as user-specific characteristics and biometric sample quality (67), as well as combining multiple biometrics in the context of template protection (74), the property of using multiple protection schemes is not often systematically evaluated, at least not in the context of information fusion.

The use of behavioural modalities has attracted some research effort (93). However, template protection methods decrease the recognition performance of biometric systems. Thus, new methods need to be proposed and implemented in order to keep a desirable biometric system performance when using protected biometric templates, in particular with behavioural modalities. In addition, the user key must be evaluated in order to understand its contribution to the security and performance of the biometric system. These subjects are the main research objects of this thesis.

1.1 Research Problem and Motivations

Biometrics is a class of methods for the identification and verification of users which use behavioural and physical characteristics. Unfortunately, biometric systems may suffer from security faults such as spoofing (79) and fraudulent access to enrolled biometric samples (72). Moreover, exploration of unprotected templates can result in the total or partial disclosure of user identity and, consequently, a privacy breach. Thus, template protection methods should be applied in order to protect the personal information present in biometric samples.

user-dependent and has a strong impact on template protection (49). Therefore, the key has an important role in the performance and quality of cancelable methods.

Biometrics is a solution that does not require the use of passwords or devices in order to verify or identify a user. However, the claim that template protection solutions do not need passwords or tokens/smartcards is false. Therefore, new template protection methods that do not require such passwords or devices need to be developed. Based on this, one of our hypotheses is that a classifier trained using a specific user key is biased towards the key instead of the biometric features. Consequently, a biometric system classifier has a high probability of recognizing the key rather than the biometric features.

The use of tokens, smartcards and passwords suffers from problems related to inappropriate sharing or loss of the device/password. In possession of such information, an impostor can increase his rate of successful entry. As a consequence, a token/smartcard solution exposes the biometric system. Therefore, solutions which do not use tokens, smartcards and user keys must be explored.

Few studies discuss how to store a cancelable function key. Among the reviewed studies, only (39) deals with key storage issues. The authors report that the hash key can be stored in smart cards, tokens or inside the device in an encrypted format. In summary, key storage issues such as usability and security need to be investigated.

A security analysis of the template transformation is lacking in most studies in the biometric literature. Most template protection studies assume that a protected template is immune to decoding and linkage attacks. Unfortunately, this is not true (46). Therefore, the vulnerability of a template transformation scheme to intrusion and linkage attacks should be reported (56).

The use of cancelable methods to protect biometric samples is well accepted in the community. However, it suffers from problems such as accuracy loss and key attacks. In order to improve performance and security, several solutions have been proposed, but they have not been fully described and discussed in a single document.

1.2 Thesis Statement

Based on the research problems and motivations discussed, we formulate the following research hypothesis:


we can develop an empirical study of the impact of key storage and key length in the performance of biometric systems.

The main objective of this thesis is to propose an authentication method which uses cancelable biometric templates, in particular with a behavioural modality. In addition, we expect to outperform the existing methods when possible. Cancelable data and behavioural modalities have an inherent complexity; hence, we expect that the use of ensemble systems and multiple cancelable functions at the same time increases the performance of biometric systems compared with the use of standard methods, i.e., single classifiers. Another novelty presented in this thesis is a study of the impact of the key length and storage methods on the performance and usability of cancelable methods. The field of biometrics is well researched, but there is still room for innovation, such as our contribution in using multiple cancelable functions and the proposal to use a system key instead of a different key for each enrolled user.

1.3 Contributions

During the literature review, it was observed that few studies analysed the use of cancelable functions applied to a behavioural modality. Thus, the main contribution of this thesis is to propose and analyse a new authentication method which uses a behavioural modality and is able to match or outperform the performance of standard methods (which use unprotected templates). Moreover, as specific contributions of this thesis regarding the use of cancelable functions, we can cite:

1. Use of single classifiers. We show in Chapter 5, Section 5.3, that single classifiers have been used to classify genuine and impostor users using cancelable templates. Unfortunately, single classifiers do not show reasonable performance, leading to the use of more powerful methods such as ensemble systems.

2. Use of Ensemble Systems. We show in Chapter 5, Section 5.4, that ensemble systems have been used with the same objectives as contribution 1. Ensemble systems exceed the accuracy achieved by single classifiers. Thus, the use of multiple classifiers is suggested rather than single classifiers.

this proposal we use the classifier score to fuse the different outputs instead decision fusion. The decision fusion was performed in Chapter 5.

4. Systematic study about key storage issues. The storage of the required key is relevant because the user has to remember or carry a token that contains the key. In general, these characteristics would defeat the purpose of biometrics as a convenient mechanism that cannot be lost or forgotten. Specifically, we consider the scenario of storing the key of a cancelable function in a consumer-grade mobile device which is as well as a biometric authentication device. This scenario has widespread use (85) but a best practice has not been discussed by any empirical study. The discussion and the proposed solution to key storage issues and key attacks are present in the Chapter 7.

5. Systematic study about the use of homogeneous and heterogeneous key.

Commonly each user adopt its own key to protect his data (46, 49). However, to the best of our knowledge, there is no study that evaluates the idea to use a single key for all users in a cancelable method. Thus, this thesis evaluates the performance of cancelable functions using a single and different keys for all users.

6. Systematic study about key knowledge attack. The key required by cancelable

methods can be shared or leaked to biometric system attackers. Consequently, impostors are able to increase the rate of false acceptance. In Chapter 7, Section7.3 we propose that the best solution is to use cancelable methods and to store the key in an unprotected format. The key does not affect the user privacy in non-invertible functions because it is hard in a feasible time to decode the protected template. Unfortunately, this solution allows non-authorized users to use this key to authenticate himself as a different user. Therefore, the biometric system that uses cancelable functions which uses unprotected key needs to be powerful enough to identify biometric features of an impostor.

7. Definition of usability and intrusion threat metrics based on classifier. A biometric system which uses cancelable biometrics suffers from some security vulnerabilities, such as an increase in false rejection errors and linkage attacks. Hence, this thesis analyses the user verification performance and defines some metrics related to usability and intrusion threats in order to evaluate the biometric system vulnerabilities.

8. Systematic Study of Key Length. The key length affects the performance of


We conclude that the key length has no direct relation with the accuracy, because increasing its size does not increase the accuracy of user verification using the analysed biometric modality.

9. Implication of our findings in mobile authentication. Based on our findings, we suggest that the authentication system of a mobile device should use touch screen interaction as authentication information. In addition, we propose that the system protects the generated template with cancelable functions and stores the single key used in an unprotected format. This proposal, specifically, is based on the results achieved by ensemble systems using a homogeneous key under known key attacks.

1.4 Published Papers

The published study (15) provides the first insights developed about the behavioural modality (touch screen interaction dataset), cancelable functions and classifiers. In that study, we show that it is possible to use a cancelable behavioural modality. However, there is room for further development. Section 5.3 presents the methodology used and the results achieved.

Subsequently, we decided to invest in ensemble methods in order to analyse ways to improve the achieved results. As a result, the second study was written to report the results and discussion achieved by ensemble methods (17). The study proposes the use of different decision fusion rules to compare which rule is appropriate to the problem. Moreover, an extended version of this article was published in the Journal of Information Assurance & Security (16).

We observed that the ensemble methods outperformed single classifiers. Ensemble methods use different classifiers in order to resolve the same problem. Thus, we decided to try this technique using different cancelable versions of the same biometric template with an ensemble system. We named this idea Multi-Privacy Protection Schemes (MPPS). Multi-Protection Schemes is a combination of cancelable versions of the same dataset in order to increase the performance of a biometric system (18). The published study reports the idea, methodology and results of this approach. Chapter 6 discusses MPPS in detail.


the achieved results for the discussed problems.

1.5 Thesis Organization

The thesis is organized in 10 chapters and it is structured as follows.

Chapter 1 [Introduction] Presents the main concepts used, the contributions of this thesis and an overview of the published studies.

Chapter 2 [Biometric Recognition] Origins, motivation, basic concepts and state of the art of biometrics are presented.

Chapter 3 [Template Protection] Origins, basic concepts and state of the art of template protection and cancelable functions are presented.

Chapter 4 [Statistical Learning and Ensemble Methods] Origins and concepts of the algorithms and ensemble methods used are discussed in this chapter.

Chapter 5 [User Authentication Using a Cancelable Behavioural Modality: Single Classifiers and Ensemble Systems] The dataset used, the methodology and the results achieved are presented and discussed in this chapter. The results of single classifiers and ensemble methods are compared in order to determine which approach is indicated for the problem faced.

Chapter 6 [Multi-Privacy Protection Schemes] This chapter presents the concept, methodology and results of multiple cancelable functions applied to the same modality. We named this approach Multi-Privacy Protection Schemes.

Chapter 7 [Impact of Key Storage in Cancelable Functions] The impact of key storage is investigated in this chapter. We compare the performance using a different key per user or a unique key for all users of a biometric system. A further investigation emulates an attack in which an impostor knows or does not know the key used by a genuine user. The results achieved are discussed and solutions for such problems are proposed.

Chapter 8 [Impact of Key Length in Cancelable Functions] The impact of key length is investigated in this chapter. We compare the performance of the analysed cancelable functions using different key lengths. Similarly to Chapter 7, we emulate an attack in which an impostor knows or does not know the key used by a genuine user. The results achieved are discussed.

Chapter 9 [Conclusions] Contributions, limitations, opportunities for future work,


2 Biometric Based Recognition

Many systems require the correct identification of an authorized user before granting access to the corresponding features of the system. Unfortunately, authentication methods present different problems related to security and usability. Biometrics is one of the technologies used to minimize such problems.

Biometric recognition refers to the automatic recognition of individuals using biological characteristics. Biological characteristics are categorized into physical and behavioural features. Thus, biometric recognition is based on possession instead of knowledge, e.g. an individual presents his fingerprint (possession) instead of a password (knowledge). In this chapter we summarize the main concepts, strengths and limitations of biometrics.

2.1 Biometrics

It is fundamental to humans to use biological characteristics to recognize other humans or animals (37). Biological recognition is a crucial skill inherent to human beings. Due to its success, system developers want to emulate this ability in computers.

A biological characteristic (physical or behavioural) is considered a biometric if it satisfies the following properties:

• Universality: all individuals should have this biological characteristic;

• Distinctiveness: two people should be different according to this characteristic;

• Permanence: biological properties should have low variance over time;

• Collectability: biological characteristic must be measured, preferably in an easy way.

Unfortunately, such requirements are not fully satisfied. For example, the fingerprint modality does not satisfy the permanence and universality requirements because it suffers damage over time and some individuals have biological problems where fingerprint ridges are not evident.

A biometric system should present the following properties:

• Performance: refers to the accuracy and speed of the system and the factors that influence them;

• Circumvention: refers to how secure the biometric system is against fraudulent methods.

Due to biometric characteristics, the biometric system is used in identification and authentication solutions. An identification solution compares an unknown biometric sample against a biometric database. In contrast, an authentication service compares a claimed biometric sample against an identified enrolled sample present in a biometric database. In short, an identification method compares a biometric sample against all enrolled samples (1:n comparisons) and an authentication method compares the claimed sample against only one enrolled sample (1:1 comparison).

In summary, a biometric system must use biometric characteristics which satisfy biometric requirements. In addition, it should be precise, fast, with good acceptance by the users and secure against deceitful techniques.

Biometrics has been used in different types of applications. It is possible to classify its usage into three fields: (1) Commercial: application login, ATM; (2) Government: national ID card, passport, border control; and (3) Forensic: body recognition, missing people, criminal identification. Therefore, biometrics has been used with success in different fields, and improvements in biometrics present potential benefits for people's lives.

2.1.1 Biometric Modalities

Physical biometrics represents the biological characteristics known as “human parts”. Examples of physical biometrics are fingerprint, iris, hand and blood pressure. These modalities are well known by researchers and used in industry (9). Due to their widespread use, they are known as classical modalities.

In contrast, behavioural modalities use behaviour patterns in order to recognize an individual. Examples of such modalities are gait, signature, key typing, computer usage and touch screen strokes (93). Such biometrics are not as widely used due to high variance among sessions and collectability challenges. Consequently, behavioural modalities have high potential use and open problems in the literature.


2.2 Biometric System

A biometric system is pattern recognition software capable of matching enrolled biometric samples against claimed user samples. In other words, a biometric system classifies or identifies a genuine user based on features present in a biometric sample. In this section we present and explain the main modules present in a biometric system.

A biometric system is composed mainly of four modules: acquisition, feature extraction, matcher and database (37).

1. Acquisition: collects biometric samples in order to transform them into a processed digital format. The biometric samples are collected using sensors. The sensors can be in the same location as the biometric system or remote.

2. Feature extraction module: responsible for extracting the features of raw biometric samples. The extracted features can satisfy the performance and security requirements. Examples of extracted features are position, velocity and angle. In addition, the feature extraction module transforms the extracted features into a format compatible with the system, known as a biometric template. Usually, the acquisition and feature extraction modules are implemented inside sensors.

3. Matcher: responsible for comparing and deciding whether a claimed biometric template belongs to an enrolled user. The system decision is based on the similarity score between the query and enrolled templates.

4. Biometric database: stores and manages the enrolled biometric templates. Normally a quality step is performed before storing a biometric template in the database. This step is recommended to assure the quality of the stored biometric templates. Usually, multiple user templates are stored in the database over time. This set of templates reflects the variation suffered by the biometric sample over time.

Each module is responsible for a crucial role in a biometric system and all the described modules are required for it to work properly.

2.2.1 Verification and Identification Task

Figure 1 illustrates how a biometric system works in the verification and identification tasks. A verification problem can be formally described as a comparison problem of an enrolled and a query template $x_j$ and $x'_j$, for $x_j, x'_j \in X_j$, $j \in \{1, \ldots, J\} \equiv J$ users and $X_j$ are all the

$0 \le \mathrm{match}(x_j, x'_j) \le 1$. The $\mathrm{match}$ function measures the similarity between $x_j$ and $x'_j$. Thus, the score $s$ is termed the similarity or matching score. If $s \ge \tau$, $\tau \in \mathbb{R}$, where $\tau$ is a predefined threshold, the biometric templates $x_j$ and $x'_j$ belong to the same user; otherwise the query template $x'_j$ does not belong to the user $j$. The upper part of Figure 1 illustrates the verification process.

An identification problem is formally similar to the verification problem. The second part of Figure 1 illustrates the identification task. Instead of comparing a query template $x'$ against only one $x_j$, the identification task compares $x'$ against all the enrolled templates $x_J$ stored in the database. Thus, the query template $x'$ belongs to the user $\max_j(\mathrm{match}(x', x_j) \ge \tau)$; otherwise the system refutes the presence of an enrolled user compatible with the query template. Thus, an identification task performs $J$ comparisons. In contrast, a verification problem performs only one comparison.

Figure 1 – Identification and Verification Task using Biometric System Modules. Source: (37)

2.2.2 Biometric System Metrics

The matching score $s = \mathrm{match}(x'_j, x_j)$ measures how similar the query template $x'_j$ and the enrolled template $x_j$ are. Thus, higher the score, more confident the system is that the


samples from the same person is called genuine distribution and from different users is called impostor distribution.

A biometric system generates two different type of errors:

1. two templates from different persons are classified as from the same individual (false match);

2. two templates from the same individual are classified as a different user (false non-match).

These errors are also called False Acceptance Rate (FAR) and False Rejection Rate (FRR).

Due to the threshold $\tau$, there is a trade-off between FAR and FRR. If $\tau$ is small, the system has a higher FAR. In contrast, if $\tau$ is big, the system is more restrictive, i.e., the system has a higher FRR. Usually, the biometric system performance is exhibited using a ROC plot. A ROC plot shows the FAR and FRR values for different $\tau$ values.

Published results use minimum FAR and FRR. However, FAR and FRR are not critical enough measures because they are application dependent. Thus, most studies report the value at which FAR and FRR are the same. This point is known as the Equal Error Rate (EER). EER is application independent and provides a realistic metric to compare new results to published ones.

The definition of a threshold value for a biometric system is application dependent. Some applications require low values of false acceptance. One example of such an application is an ATM. A large number of false acceptances generates a huge loss of money, but a large number of false rejections just upsets a loyal customer. In contrast, some applications require a low number of false rejections. For example, a criminal investigation that wants to recognize potential suspects of a crime. In this case, it is important not to miss any suspect, because missing a true suspect can damage the police work. Thus, it is important to set an appropriate threshold depending on the application characteristics.
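The following added example (not code from the thesis) computes FAR, FRR and the EER from genuine and impostor score lists under the decision rule used above (accept when $s \ge \tau$), and then picks an operating threshold for a low-FAR application and for a low-FRR application. The score values and function names are constructed for illustration.

```python
"""FAR / FRR / EER from matching scores; decision rule: accept when s >= tau."""

# Constructed sample scores in [0, 1] (not taken from the thesis dataset).
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.81]
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.36, 0.42, 0.49, 0.55, 0.61, 0.22]


def far_frr(genuine, impostor, tau):
    """Return (FAR, FRR) at threshold tau."""
    far = sum(s >= tau for s in impostor) / len(impostor)  # impostors accepted
    frr = sum(s < tau for s in genuine) / len(genuine)     # genuine users rejected
    return far, frr


def sweep(genuine, impostor):
    """(tau, FAR, FRR) for every observed score used as a candidate threshold."""
    candidates = sorted(set(genuine) | set(impostor))
    return [(tau, *far_frr(genuine, impostor, tau)) for tau in candidates]


def equal_error_rate(genuine, impostor):
    """Threshold where |FAR - FRR| is smallest, and the error rate at that point."""
    tau, far, frr = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return tau, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Smallest candidate threshold whose FAR does not exceed max_far.

    FAR never increases as tau grows, so the first hit in ascending order is
    the most permissive threshold that still meets the limit. Returns None
    when no observed score is high enough (an impostor holds the top score).
    """
    for tau, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return tau, far, frr
    return None


def threshold_for_max_frr(genuine, impostor, max_frr):
    """Largest candidate threshold whose FRR does not exceed max_frr."""
    for tau, far, frr in reversed(sweep(genuine, impostor)):
        if frr <= max_frr:
            return tau, far, frr
    return None


if __name__ == "__main__":
    print("tau    FAR   FRR")
    for tau, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"{tau:.2f}  {far:.2f}  {frr:.2f}")
    print("EER point:", equal_error_rate(GENUINE, IMPOSTOR))
    # ATM-like application: tolerate rejections, allow no false acceptance.
    print("FAR = 0 operating point:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
    # Investigation-like application: never miss a genuine match.
    print("FRR = 0 operating point:", threshold_for_max_frr(GENUINE, IMPOSTOR, 0.0))
```

On these scores, the zero-FAR operating point rejects 30% of genuine attempts and the zero-FRR point accepts 30% of impostor attempts, which is the trade-off the threshold choice has to settle.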

2.3 Advantages and Limitation of Biometrics


Biometrics cannot be lost, shared or forgotten. In addition, on-line biometric systems require users to be present at the authentication point. Thus, problems found in knowledge and token based methods are not present in biometric solutions.

Biometric systems present some limitations, such as inconvenience in some scenarios. Suppose a biometric identification system which operates with a FAR=0.001. In a scenario such as criminal identification applied in an airport, 200 false alarms are generated for every 200,000 people. Therefore, in some scenarios the lack of accuracy in the biometric field presents problems such as user inconvenience and privacy disruption.

2.4 Multibiometric System

Multibiometric System (MBS) proposes to use different templates in order to identify or authenticate an individual (36). A MBS can be categorized in different ways based on (1) the use of different modalities, (2) modality instances, (3) different samples and (4) different matching and feature extraction algorithms. Thus, MBS is able to resolve some limitations of unimodal biometric systems. Multibiometric systems have been used in different applications (29, 58, 80).

The use of different modalities or samples minimizes the unimodal limitations. Unfortunately, biometric modalities do not fully satisfy the biometric requirements such as universality, distinctiveness, permanence and collection. For example, the use of fingerprint and iris minimizes the permanence problem related to fingerprint and the collection problem present in iris sampling. The use of MBS resolves some limitations and increases the performance and security of the biometric system.

A multibiometric system increases the performance due to the use of several sources of information provided by the different biometric modalities. In addition, MBS can improve the security because it is hard, for example, to produce several spoofed samples at the same time. Moreover, MBS can implement a multiple challenge-response method.

The biometric multiple challenge-response method allows a biometric system to request different modalities in real time in order to authenticate an individual. For example, an ATM can ask a user to provide specific fingers and iris. Thus, a MBS can increase the security level by providing tools against spoofing and replication attacks.

2.4.1 Multibiometric Factors


information will be integrated, and the trade-off between accuracy and costs.

The number and the type of biometric modalities should be driven by the nature of the application, the related financial and computational costs and the relation among the modalities. It is important to highlight that there is a direct relation between the number of modalities and system cost. For example, in an automatic gate which uses voice, iris and gait, the biometric system must provide three different sensors: microphone, iris scanner and video camera, respectively. Consequently, financial and computational costs increase with the number of modalities.

A multimodal biometric system can operate in three modes: serial, parallel and hierarchical mode (59). Serial mode processes a new biometric modality only after the previous modality has been completely processed. This mode is mainly used to filter identities using a fast modality and then to apply modalities which provide more distinctiveness. On the other hand, parallel mode receives all the biometric templates at the same time. Serial mode presents a smaller interaction time in an authentication task because in this mode a biometric system does not need to use all the modalities in order to verify a genuine user. In contrast, the parallel mode requires all the modalities. Finally, in hierarchical mode, the modalities and matching algorithms are organized in a tree format.

A multimodal biometric system can be categorized due to modalities integration. The possible biometric integration are:

1. Sensor: different information originated from different sensors are combined;

2. Biometric Modalities: different biometric modalities are combined. For example, in a smartphone, an authentication method can combine the face and the voice of the phone owner (52);

3. Multiple Sample: different samples of the same biometric are provided to the system. For example, fingerprint samples of different fingers or different face pictures with different light conditions;

4. Multiple Representation and Algorithms: use of different representations (biometric features) of the same biometric sample or different matching functions/algorithms (41).

A multimodal biometric system can use three levels to fuse the provided templates (13). Some authors call this the decision level as well. The decision levels are:


However, this fusion level faces some challenges because the features must be in the same format, which is difficult in some applications.

2. Score Fusion: the final decision of the biometric system is calculated using the matching score of different matching algorithms. Each matching algorithm receives a template and the output score is used in the fusion calculation. Some fusion rules are used such as: min, max, min-max, median, sum-rule.

3. Decision Fusion: this decision level synthesizes the final decision from the individual decisions of independent biometric systems.

2.5 Chapter Conclusion

Biometrics is an important field for identification and verification of users. It was discussed that a biometric modality and a biometric system should satisfy some properties. Unfortunately, there is not an optimal biometric modality and biometric system which fully satisfy all the properties. Therefore, there are some challenges and limitations to be explored.

Some limitations of unimodal biometric systems are resolved by multibiometric systems. A multibiometric system proposes to use different biometric “views” of an individual. Thus, the use of different samples/modalities increases the security and the accuracy of the biometric system. However, increasing the number of biometric modalities increases financial and computational costs and user inconvenience.

One important point is to protect the biometric template against improper use. Non-authorized access to biometric templates generates privacy issues such as access to personal information. Furthermore, it is not possible to replace an unprotected biometric template because individuals only have a unique biometric sample. Thus, a biometric advantage becomes a security limitation.

Template protection methods propose to resolve security and privacy issues related to the biometric template. The next chapter will discuss the concept, method types, advantages and limitations of template protection techniques.


3 Template Protection

3.1 Introduction

A biometric template is a digital representation of a biometric sample. Consequently, a template contains sensitive user information such as health and personal information. Due to the strong link between individuals and biometric traits, the exposure of enrolled templates compromises the system security and the user’s privacy (61). Furthermore, a biometric trait is unique and, consequently, hard to change when compromised. Therefore, a biometric template in its original format is not an ideal design because it exposes the biometric system and users. In addition, it will be almost impossible to use the same biometric trait again due to its uniqueness.

A biometric template has some vulnerabilities (38) such as: (1) a template can be replaced by an impostor’s template; (2) a physical spoof can be created from a stored template; (3) a stolen template can be replayed. Thus, biometric systems must implement template protection methods in order to minimize these system vulnerabilities and protect user privacy.

Template protection is a set of methods specialized in preserving the privacy and biometric characteristics of users (75). Protected templates should not reveal sensitive user information, such as full or partial user identity, or allow cross matching between biometric systems. Therefore, template protection methods do not provide sensitive biometric data to attackers.

A template database which implements a template protection method stores only protected templates rather than templates in their original form (72). Furthermore, a template database does not store personal information but information generated from biometric traits. Thus, the adoption of template protection avoids vulnerability points related to the biometric template and the template database. Therefore, if the biometric system is compromised, the user’s information is protected because only protected templates are stored.

According to (38), an ideal protected template presents the following four properties:

1. Diversity: a protected template does not allow cross match of users among biometric systems;


3. Security: it is computationally hard to obtain original biometric features from a protected template.

4. Performance: the accuracy of biometric system should not decrease due to protected template.

Unfortunately, as of 2008, no protection method present in the literature provided all the properties (38).

In most operational biometric systems, a biometric template is protected using encryption techniques (61, 64). However, encryption techniques show three main drawbacks: (1) the biometric template is secure only as long as the encryption key is secure; (2) for each authentication, a secure template needs to be decrypted in order to match a query template, so at some moment the unprotected template will be available; (3) the match process cannot happen in the encrypted domain because encryption methods are distortion sensitive. Therefore, new protection methods such as feature transformation and cryptosystems have been developed.

Template protection schemes can be classified in two different categories: (i) feature transformation (56) and (ii) biometric cryptosystem (57). Feature transformation schemes transform or intentionally distort the original biometric samples to protect the user’s data. Hence, only the distorted data is stored and used in the biometric system. In contrast, biometric cryptosystems propose securing a cryptographic key using biometric features or generating a cryptographic key straight from the biometric features (38).

Unfortunately, template protection methods decrease the performance of biometric systems (27). The authors obtained a higher equal error rate with protected templates than with the unprotected version. In addition, six algorithms are able to achieve an equal error rate (EER) below 0.3% using unprotected templates of the FingerPrint Verification Competition (FVC-STD-1.0). However, using protected templates, the lowest EER was 1.54% (9). Therefore, powerful template protection methods which provide information security and performance comparable to an unprotected database need to be developed.


3.2 Biometric Cryptosystems

Biometric cryptosystems are methods which use stored public information, known as helper data. The helper data is used to extract the cryptographic key $k_j$ from a query biometric $x'_j$ during the matching process. However, this helper data must not reveal relevant information about the biometric template. Thus, cryptosystems generate and store a dependent information called helper data.

Valid cryptosystems were successfully applied to some modalities such as fingerprint (45), face (90), iris (91) and multibiometrics (60). However, such studies present low accuracy rates and some limitations compared to the use of unprotected templates. Therefore, even with these problems, the cryptosystem literature has been explored in order to overcome them.

Biometric cryptosystem methods are mainly classified in two categories: key-binding and key generation schemes. Key-binding methods generate the helper data through a key binding process. In contrast, in key generation schemes, the helper data is generated from the original biometric system. Consequently, the cryptographic key is generated from the helper data.

Unfortunately, cryptosystem schemes present usability and security problems. Key binding does not allow revocability and diversity. Moreover, key generation schemes do not produce keys with high stability and entropy. Consequently, cryptosystem methods do not satisfy different properties that should be present in optimal protected templates. Therefore, due to the related problems, we focus our thesis on another template protection category: feature transformation methods.

3.3 Feature Transformation

Feature transformation is an important class of template protection methods deployed to protect biometric templates. These methods use a function $f$ to protect a biometric template $x_j$ using a specific user key $k_j$; thus, $f(x_j, k_j)$ generates a protected template for a user $j \in \{1, \ldots, n\}$. The key $k_j$ is generated randomly or through a user password. Due to the characteristics of function $f$, $f(x_j, k_j) \neq f(x_j, k_p)$, where $k_j \neq k_p$.

As previously discussed, a transformed template $f(x_j, k_j)$ is stored in the template database and used instead of the original template $x_j$. Therefore, a biometric system which uses a feature transformation approach accepts a query template $x'_j$ if $\mathrm{classify}(f(x'_j, k_j), \theta_j) > \tau$ using a trained user classifier $\mathrm{classify}(\ldots, \theta_j)$ in the transformed space $f(x_j, k_j)$, where $\theta_j$ is


Feature transformation methods are classified as salting or non-invertible methods. The function $f$ is invertible in salting feature transformation schemes (38), i.e., an attacker can generate the original template $x_j$ from a stolen protected template $f(x_j, k_j)$: $f^{-1}(f(x_j, k_j), k_j) = x_j$, since $k_j$ is known and $f(x_j, k_j) \in X_j$. Therefore, the user key $k_j$ must be protected in salting methods. In contrast, a non-invertible transformation function is generally a one-way function, i.e., it is hard to invert a transformed template $f(x_j, k_j)$ even with a known key $k_j$: $x_j \neq f^{-1}(f(x_j, k_j), k_j)$. Thus, an attacker cannot reconstruct the biometric sample or discover a full or partial identity of the user in a feasible computational time, even in possession of the user key $k_j$. In other words, in the case of a non-invertible function, if a user-specific key is compromised, the template is still secure. Therefore, feature transformation techniques using non-invertible functions are ideal to protect biometric data.

Cryptosystems and feature transformation methods have their own strengths and limitations. The main challenge of cryptosystems is to develop methods which decrease the linkability generated by key generation schemes. On the other hand, the challenge of feature transformation techniques is to find a method which provides non-invertibility and is tolerant to intra-user variation. A way to resolve these limitations is to use hybrid solutions (24). For example, it is possible to use a hybrid solution to secure a feature-transformed template using a cryptosystem method. However, hybrid solutions are not the focus of this thesis.

Cancelable methods are template protection methods whose protected templates can be cancelled (revoked) in case of security faults. Thus, it is possible to generate a new protected template by changing the key value $k_j$. From now on, we will use the term cancelable biometrics for salting and non-invertible functions which satisfy this property. In fact, this thesis uses non-invertible functions due to their fundamental contributions, which overcome limitations present in cryptosystem methods.
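The added sketch below (not code from the thesis) contrasts the two classes described above: an additive salt, which anyone holding the key inverts exactly, and a key-seeded random projection followed by sign thresholding, used here as a simple many-to-one stand-in for a non-invertible $f$. All function names, keys and feature values are constructed for illustration; the projection is not one of the thesis's cancelable functions and makes no claim about practical inversion hardness.

```python
import random


def key_stream(key, count):
    """Key-seeded Gaussian values: the same key always yields the same stream."""
    rng = random.Random(key)
    return [rng.gauss(0.0, 1.0) for _ in range(count)]


def salt(x, key):
    """Salting f(x, k): add a key-derived vector to the features."""
    return [xi + ki for xi, ki in zip(x, key_stream(key, len(x)))]


def unsalt(protected, key):
    """f^-1 for the salt: whoever knows k recovers the original features."""
    return [pi - ki for pi, ki in zip(protected, key_stream(key, len(protected)))]


def project_sign(x, key, m=64):
    """Many-to-one f(x, k): m key-seeded random projections, keeping only signs."""
    n = len(x)
    stream = key_stream(key, m * n)
    bits = []
    for row in range(m):
        direction = stream[row * n:(row + 1) * n]
        dot = sum(ri * xi for ri, xi in zip(direction, x))
        bits.append(1 if dot >= 0 else 0)
    return bits


def match(a, b):
    """Similarity score in [0, 1]: fraction of equal bits."""
    return sum(ai == bi for ai, bi in zip(a, b)) / len(a)


def verify(query_features, enrolled, key, tau):
    """Accept when the query, transformed with the same key, scores >= tau."""
    return match(project_sign(query_features, key, len(enrolled)), enrolled) >= tau


# Constructed feature vector and a slightly varied second sample of the same user.
X = [0.62, 0.15, 0.80, 0.33, 0.47, 0.91, 0.28, 0.55]
X_NOISY = [xi + (0.01 if i % 2 else -0.01) for i, xi in enumerate(X)]
OLD_KEY, NEW_KEY = 1234, 98765  # constructed keys
TAU = 0.875                     # constructed threshold: at most 8 of 64 bits differ


def demo():
    results = {}
    # Salting: the stored template plus the key gives back the raw features.
    recovered = unsalt(salt(X, OLD_KEY), OLD_KEY)
    results["salt_inverted"] = all(abs(a - b) < 1e-9 for a, b in zip(recovered, X))
    # Sign projection: distinct inputs (x and 2x) share one protected template,
    # so no exact inverse exists even when the key is known.
    enrolled = project_sign(X, OLD_KEY)
    results["scaled_collides"] = project_sign([2 * v for v in X], OLD_KEY) == enrolled
    # Tolerance to intra-user variation under the same key.
    results["genuine_accepted"] = verify(X_NOISY, enrolled, OLD_KEY, TAU)
    # Revocation: re-enrol the same features under a new key.
    reissued = project_sign(X, NEW_KEY)
    results["old_vs_new_score"] = match(enrolled, reissued)
    results["stale_key_rejected"] = not verify(X_NOISY, reissued, OLD_KEY, TAU)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```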

3.4 Cancelable Biometrics

Biometric features are user-specific and are hard to replace if stolen. In other words, biometric characteristics are unique to each user, and compromised biometric features are sometimes impossible to change or to adapt. Therefore, a template must be revocable.

Cancelable templates are obtained from the use of a user parameter (key) $k_j$ in a cancelable function $f(x_j, k_j)$. If another key $k'_j$ is used, a different template is generated, i.e. $f(x_j, k_j) \neq f(x_j, k'_j)$. Thus, it is possible to generate different templates using different


Usually, the security problems faced by biometric system are template replacement and template replay attacks (7). Hence, biometric templates must be stored in a protected way using a protection scheme that provides all the template properties: (1) Diversity; (2) Revocability; (3) Security and (4) Performance (38). Unfortunately it is difficult to define a template protection method that can satisfy all these properties.

The main limitation of cancelable functions is the trade-off between discriminability and security. Unfortunately, cancelable functions decrease the discriminability due to generated noise (75). Consequently, powerful matching methods and cancelable functions must be developed to balance this trade-off. Thus, a feature transformation function should keep the discriminability of biometric features and it should be hard to obtain the original from a transformed template.

A way to keep the discriminability and security of protected templates is to use different cancelable biometric systems at same time. Unfortunately, the use multi-algorithms (cancelable methods) requires the presentation of different key to each cancelable method. As a positive consequence, the user needs to carry or remember several keys which generates an inconvenient system interaction.

This thesis shows that it is possible to increase the accuracy of biometric systems while maintaining security. Thus, a Multi-Privacy Protection Scheme proposed by us (18) presents this interaction problem because an individual needs to present $n$ different keys $k_j \in \mathbb{R}^m$, $j = 1, \ldots, n$ and $m \in \mathbb{N}$, to each cancelable function $f_c$. In view of this fact, Chapter 7 evaluates the use of a unique key in a multi-algorithm system. As a consequence, the individual does not need to remember several keys because the key can be stored inside the biometric system or in a smart card.

The next section presents the cancelable functions used. It focuses on how each transformation function works, its strengths and its limitations.

3.5 Cancelable Functions

Cancelable functions transform biometric templates into a protected format. It is computationally hard to obtain the original format from a cancelable template (38). In addition, it is possible to generate new cancelable templates from the same biometric sample by changing user-specific parameters.

provide better recognition performance than systems using non-modified data due to complexity present in cancelable biometric samples.

In this section, we analyse four different cancelable functions: Interpolation, BioHashing, BioConvolving and Double Sum. These cancelable functions have been chosen due to their performance, simplicity and non-invertible characteristics. The cited cancelable methods can be applied to physical and behavioural modalities (7). Indeed, our previous studies (15,16,17,18) show that it is possible to apply these cancelable functions to a behavioural modality using different settings.

3.5.1 Interpolation

This technique consists of generating a new biometric model by extracting points of the function that results from interpolating the attributes. The interpolation process is based on polynomial interpolation, and the cited attributes compose the original biometric model $x_j$. The protected template $M$ is generated by applying the key $k_j$ to the interpolated polynomial, $M = f_I(k_j)$. Thus, the main idea of the interpolation method is to obtain an interpolated polynomial $f_I$ from an unprotected template $x_j$. Consequently, depending on the key, a new cancelable template is generated through the use of $k_j$.

Although the method is simple and fast, inverting the polynomial function is difficult. As a consequence, it provides a good security level. Therefore, interpolation satisfies two out of the four feature transformation requirements: revocability and security. Revocability, because it is possible to cancel an enrolled template by replacing it with a new template generated with a new key $k_j^2 \neq k_j$; and security, because it is difficult to decode a cancelable template.

The following steps describe how the interpolation method works:

1. Given the original biometric template $x_j \in \mathbb{R}^n$ for user $j$, where $n$ is the number of attributes of $x_j$, a function $f_I(x_j) \in \mathbb{R}^n$ is obtained through interpolation of the attributes of the biometric template. Thus, one function $f_I(x)$ is created for each user. Therefore, in order to approximate the function to the discrete data, it is important to use a polynomial function with a significant degree $g$, usually given by the greatest degree supported by the system;

2. Within the range of the function domain $x_j \in \mathbb{R}^n$, a vector of random numbers $k_j \in \mathbb{R}^d$ is generated for all biometric data. $k_j$ has uniformly distributed pseudo-random numbers, where $d$ is the dimension. The number of coefficients $d$ is given empirically and can
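The interpolation transform described in this section, written out as an added Python example (not code from the thesis). It assumes the attribute indices 0..n-1 as abscissae, exact Lagrange interpolation of degree n-1, a key derived from a per-user seed, and Euclidean matching with a constructed threshold; the feature vectors are constructed.

```python
import random

def make_key(seed, d, n):
    """Key k_j: d uniform pseudo-random points inside the domain [0, n-1]."""
    if d > n - 1:
        # Added safeguard (not from the thesis): d points with a known key
        # must not be enough to pin down the degree n-1 polynomial.
        raise ValueError("d must not exceed the polynomial degree n-1")
    rng = random.Random(seed)  # assumption: key derived from a per-user seed
    return [rng.uniform(0, n - 1) for _ in range(d)]

def f_I(x, t):
    """Lagrange polynomial through the points (i, x[i]), evaluated at t."""
    total = 0.0
    for i, xi in enumerate(x):
        term = xi
        for m in range(len(x)):
            if m != i:
                term *= (t - m) / (i - m)
        total += term
    return total

def protect(x, key):
    """Cancelable template M = f_I(k_j): the polynomial sampled at the key."""
    return [f_I(x, t) for t in key]

def distance(a, b):
    """Euclidean distance between two protected templates."""
    return sum((p - q) ** 2 for p, q in zip(a, b)) ** 0.5

def verify(enrolled, probe, key, threshold=0.1):
    """Match in the protected domain only; the raw template is never stored."""
    return distance(enrolled, protect(probe, key)) <= threshold

# Constructed feature vectors (n = 6 attributes), not data from the thesis.
USER = [0.42, 0.77, 0.31, 0.58, 0.66, 0.25]
SAME_USER = [0.43, 0.76, 0.31, 0.59, 0.65, 0.25]   # small intra-user variation
IMPOSTOR = [0.62, 1.02, 0.61, 0.93, 1.06, 0.70]

if __name__ == "__main__":
    key_old, key_new = make_key(1234, 4, 6), make_key(9876, 4, 6)
    enrolled = protect(USER, key_old)
    print("genuine :", verify(enrolled, SAME_USER, key_old))
    print("impostor:", verify(enrolled, IMPOSTOR, key_old))
    # Revocation: re-enrol under a new key; the old template no longer applies.
    print("templates differ:", enrolled != protect(USER, key_new))
```

A degree n-1 polynomial is fixed by n points, so the example keeps d below n; with a compromised key and d at or above n, the stored points would determine the polynomial and therefore the attributes.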
