Koen Simoens

Privacy Weaknesses in Biometric Sketches

The increasing use of biometrics has given rise to new privacy concerns. Biometric encryption systems have been proposed in order to alleviate such concerns: rather than comparing the biometric data directly, a key is derived from these data and subsequently knowledge of this key is proved. One specific application of biometric encryption is the use of biometric sketches: in this case biometric template data are protected with biometric encryption. We address the question whether one can undermine a users privacy given access to biometrically encrypted documents, and more in particular, we examine if an attacker can determine whether two documents were encrypted using the same biometric. This is a particular concern for biometric sketches that are deployed in multiple locations: in one scenario the same biometric sketch is deployed everywhere; in a second scenario the same biometric data is protected with two different biometric sketches. We present attacks on template protection schemes that can be described as fuzzy sketches based on error-correcting codes. We demonstrate how to link and reverse protected templates produced by code-offset and bit-permutation sketches.

Dynamic random projection for biometric template protection

Random projection provides a good diversification effect for biometric template protection but is drawing increasing security concerns under the token-stolen (or public parameter) case. We propose a dynamic random projection method to alleviate these security concerns due to the stolen token by increasing the computational complexity to search for the unprotected biometric features. This is achieved by a projection process which dynamically assembles a random projection matrix from a set of candidate projection vectors. The selection of projection vectors is decided by the biometric feature vector itself and thus forms a nonlinear projection process. The proposed method permits the public and secure storage of all the candidate random vectors without the need for external secret keys. Experiments on the 800 samples in the database FVC2002DB2_A demonstrate the well-kept biométrie performance of the proposed method.

A Framework for Analyzing Template Security and Privacy in Biometric Authentication Systems

In this correspondence, we analyze the vulnerabilities of biometric authentication protocols with respect to user and data privacy. The goal of an adversary in such context is not to bypass the authentication but to learn information either on biometric data or on users that are in the system. We elaborate our analysis on a general system model involving four logical entities (sensor, server, database, and matcher), and we focus on internal adversaries to encompass the situation where one or a combination of these entities would be malicious. Our goal is to emphasize that when going beyond the usual honest-but-curious assumption much more complex attacks can affect the privacy of data and users. On the one hand, we introduce a new comprehensive framework that encompasses the various schemes we want to look at. It presents a system model in which each internal entity or combination of entities is a potential attacker. Different attack goals are considered and resulting requirements on data flows are discussed. On the other hand, we develop different generic attacks. We follow a blackbox approach in which we consider components that perform operations on biometric data but where only the input/output behavior is analyzed. These attack strategies are exhibited on recent schemes such as the distributed protocol of Bringer (ACISP 2007), which is based on the Goldwasser-Micali cryptosystem, the related protocol of Barbosa (ACISP 2008), which uses the Paillier cryptosystem, and the scheme of Stoianov (SPIE 2010), that features the Blum-Goldwasser cryptosystem. All these schemes have been developed in the honest-but-curious adversary model and show potential weaknesses when considered in our malicious insider attack model.

Criteria towards metrics for benchmarking template protection algorithms

Traditional criteria used in biometric performance evaluation do not cover all the performance aspects of biometric template protection (BTP) and the lack of well-defined metrics inhibits the proper evaluation of such methods. Previous work in the literature focuses, in general, on a limited set of criteria and methods. This paper provides the first holistic approach to the evaluation of biometric template protection that is able to cover a whole range of methods. We present a selection of well-defined criteria and some metrics that are compliant with the reference architecture for template protection as defined in the recently adopted standard ISO/IEC 24745 (2011), which is applicable to nearly all known BTP methods. The criteria have been grouped in three categories of performance: technical, protection, and operational.

Secure and Privacy-Friendly Logging for eGovernment Services

In this paper we present a scheme for building a logging- trail for processes related to eGovernment services. A citizen can reconstruct the trail of such a process and verify its status if he is the subject of that process. Reconstruction is based on hand-overs, special types of log events, that link data stored by multiple logging servers, which are not necessarily trusted. Our scheme is privacy-friendly in the sense that only the authorised subject, i.e. the citizen, can link the different log entries related to one specific process. The scheme is also auditable; it allows logging servers to show that they behave according to a certain policy.

A Survey of the Security and Privacy Measures for Anonymous Biometric Authentication Systems

The challenge in applying the known information theoretical measures for biometric authentication systems is that on one hand these measures are defined in a specific context and on the other hand there are several constructions known for the protection of biometric information. The goal of this work is to organize and conceptualize the existing knowledge in the area of security of biometrics and build a bridge between the formal model of cryptography and the practical view of the signal processing area. It is the scope of this paper to build and present the framework where results from both cryptography and signal processing can be integrated.

Reversing protected minutiae vicinities

In this paper we analyze the template protection method for minutiae-based fingerprint biometrics as proposed by Yang and Busch (BTAS 2009). This method is based on a self-aligning and non-invertible parameterized transformation that is applied to minutiae vicinities. Two attack strategies to invert protected vicinities are presented and we point out that the attack complexity is well below the estimates in the original paper. Improvements to increase the complexity are suggested.

Increased resilience in threshold cryptography: sharing a secret with devices that cannot store shares

Threshold cryptography increases security and resilience by sharing a private cryptographic key over different devices. Many personal devices, however, are not suited for threshold schemes, because they do not offer secure storage, which is needed to store shares of the private key. We present a solution that allows to include devices without them having to store their share. Shares are stored in protected form, possibly externally, which makes our solution suitable for low-cost devices with a factory-embedded key, e.g., car keys and access cards. By using pairings we achieve public verifiability in a wide range of protocols, which removes the need for private channels. We demonstrate how to modify existing discrete-log based threshold schemes to work in this setting. Our core result is a new publicly verifiable distributed key generation protocol that is provably secure against static adversaries and does not require all devices to be present.

Blackbox Security of Biometrics (Invited Paper)

We analyze the security of biometric template protection methods that involve trusted hardware. The methods are defined in the black box security model, i.e., we consider components that perform operations on the biometric data they contain and only the input-output behaviour of these components is analyzed. The functionality that is implemented by these black boxes is assumed to be known, but as opposed to the white-box model no intermediate values can be observed. We illustrate our approach and demonstrate that additional countermeasures may be needed to protect the stored biometric data.

Insights on identity documents based on the Belgian case study

Efficient eGovernment and eCommerce require the ability to authenticate citizens and transactions online, whereas the increasing mobility of citizens demands reliable identification. Identity documents tend to become the most popular form of identity tokens used for these purposes. An important problem, however, is that they can easily be passed on or used by a fraudster. We discuss the use of identity documents and the problem of linking these documents with their genuine holder. We discuss ePassports and eID cards in general using the Belgian identity documents as a reference.