Biometric authentication systems offer a natural and reliable solution to the challenging problem of accurate user verification in a variety of identity management applications, ranging from international border crossings to securing information in databases. But this widespread deployment has also raised concerns about the privacy and security of biometric technology. To gain public confidence and acceptance, system designers will have to demonstrate that the technology is robust and that these systems are tamper-proof in addition to having low error rates. One of the crucial steps in the design of a secure biometric system is protecting the users’ templates that are stored in a central database. Biometric template security is a very important issue because, unlike passwords and tokens, a compromised template cannot be revoked and reissued.
So, what is the definition of a biometric template? It is a snapshot of the distinct physical or behavioural characteristics that have been extracted from the biometric sample of an individual and will be used during the authentication process. Initially, a sensor captures an image of your hand, finger or eye. This image, or even multiple images, then becomes a master profile from which the unique features of the hand, finger or eye are extracted and converted into a mathematical file. It is these mathematical files, and not the captured images, that are known as biometric templates.
How is biometric data stored?
There are four major locations in which biometric data can be stored – a token or smart card, a central database on a server, a workstation, or the sensor device itself.
Storing the template on a token provides the advantage that the data is not centrally stored and hence does not traverse the network. The users carry the information from location to location which gives them the feeling that they control their personal identification data. The drawback includes higher implementation costs.
Storing templates in a central repository on a server overcomes the problem of users authenticating from multiple locations. This data, however, needs to be encrypted to prevent potential intruders from sniffing it off the network and replaying the authentication session.
Storing the templates on individual workstations seems to be a reasonable middle ground between storing them in a central database and storing them on a sensing device. First, a workstation is more difficult to steal physically than a small sensing device. Moreover, storing the data in a distributed manner creates fewer privacy concerns and avoids creating a focal point of attack for intruders. The drawback, however, is that users cannot authenticate from multiple locations.
One of the main advantages of storing the templates on the sensing device itself is that it provides quick responses during future authentication.
Biometric template security, challenges and solutions
There are four critical points where biometric templates are most vulnerable to hacking and theft:
- Just after the template is created; this applies to both the enrollment and the verification templates.
- The database where the templates are actually stored.
- In a client-server topology, during the transmission of the templates from the biometric system to the central server.
- In a hosted environment, where the template database resides with a third party.
These security challenges can be overcome with the help of template protection schemes.
Ideally, a biometric template protection scheme should have the following four properties:
- Diversity: It must not allow cross-matching across databases in order to ensure the user’s privacy.
- Security: It must be computationally difficult to obtain the original biometric template from a secured one. This will prevent intruders from creating a spoof of the biometric trait from a stolen template.
- Performance: It should not degrade the recognition performance of the biometric system, i.e. its false accept rate (FAR) and false reject rate (FRR).
Biometric template protection schemes
There are two broad categories of biometric template protection schemes – feature transformation approach and biometric cryptosystem.
The feature transformation approach involves applying a transformation function F to the biometric template T, where the parameters of F are typically derived from a random key K or password. Only the transformed template F(T; K) is stored in the database. The same transformation function is then applied to the query features Q, and the transformed query F(Q; K) is matched against the transformed template F(T; K).
The feature transform scheme can be further divided into two categories depending on the characteristics of the transformation function F – salting and non-invertible transforms. In salting, F is invertible, which means that if intruders gain access to the key and the transformed template, they will be able to recover the original biometric template or a close approximation of it. The security of this scheme is therefore based on the secrecy of the password or key. In non-invertible schemes, a one-way function is typically applied to the template, and it is therefore computationally difficult to recover the original template even if the key is known.
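The sketch below is an added example, not code from the original article: a simplified salting-style transform in which F(T; K) is the sign pattern of T projected onto random directions derived from K, with matching done entirely on transformed data. The feature vectors, noise level, bit length and threshold are constructed assumptions; as the text says for salting, the key must stay secret because it lets an attacker approximate T.

```python
import hashlib
import random

def transform(features, key, out_bits=128):
    """F(features; key): signs of projections onto key-derived random directions."""
    rng = random.Random(int.from_bytes(hashlib.sha256(key).digest(), "big"))
    bits = []
    for _ in range(out_bits):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(1 if sum(d * f for d, f in zip(direction, features)) >= 0 else 0)
    return bits

def distance(a, b):
    """Fraction of differing bits between two transformed templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(stored, query_features, key, threshold=0.2):
    """Match F(Q; K) against the stored F(T; K); the raw template is never consulted."""
    return distance(stored, transform(query_features, key, len(stored))) <= threshold

def sample_features(seed, n=64):
    """Constructed stand-in for the output of a real feature extractor."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def noisy(features, seed, sigma=0.05):
    """Simulate a fresh capture of the same trait with small sensor noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]

if __name__ == "__main__":
    T = sample_features(1)
    K1, K2 = b"key issued at enrolment", b"key issued after revocation"
    stored = transform(T, K1)                      # only this goes in the database
    print("genuine user  :", matches(stored, noisy(T, 2), K1))
    print("impostor      :", matches(stored, sample_features(3), K1))
    print("cross-database:", distance(stored, transform(T, K2)))
```

Transforming the same template under a second key yields an unrelated bit string, which is what gives the diversity property and lets a compromised record be replaced by issuing a new key.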
Biometric cryptosystems store some public information known as helper data about the biometric template. During matching, this helper data is used to extract a cryptographic key from the query biometric features. In this approach, the matching is performed indirectly by verifying the validity of the extracted key. Depending on how the helper data is obtained, these systems are further categorised into key binding and key generation systems. In a key binding system, the helper data is obtained by binding a key with the biometric template. It should be noted that neither the key nor the original template can be recovered given only the helper data. In key generation cryptosystems, the helper data is derived only from the biometric template whereas the cryptographic key is generated from the query biometric features and the helper data.
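A toy key binding system, added here as an illustration and not taken from the original article: the helper data is the XOR of an error-correcting codeword of the key with the template bits, and a query is accepted only if the key extracted from it has the stored digest. The 5-fold repetition code, the 40-bit template and the 8-bit key are constructed assumptions chosen for brevity; a real system would use a much stronger code and far longer inputs.

```python
import hashlib
import secrets

REP = 5  # toy repetition code: each key bit is repeated 5 times, 2 errors per block are fixed

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    blocks = [code_bits[i:i + REP] for i in range(0, len(code_bits), REP)]
    return [1 if sum(block) > REP // 2 else 0 for block in blocks]

def digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def enroll(template_bits, key_bits):
    """Bind the key to the template; only (helper data, key digest) is stored."""
    helper = [c ^ t for c, t in zip(encode(key_bits), template_bits)]
    return helper, digest(key_bits)

def verify(helper, key_digest, query_bits):
    """Extract a key from the query plus helper data, then check the key's validity."""
    candidate = decode([h ^ q for h, q in zip(helper, query_bits)])
    ok = secrets.compare_digest(digest(candidate), key_digest)
    return candidate if ok else None

def flip(bits, positions):
    """Constructed capture noise: invert the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample data: a 40-bit binarised template and an 8-bit key.
TEMPLATE = [int(c) for c in "1011001110" "0010110100" "1110010110" "0011010110"]
KEY = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    helper, key_digest = enroll(TEMPLATE, KEY)
    # One flipped bit in each of three blocks is corrected, so the key is released.
    print("close query  :", verify(helper, key_digest, flip(TEMPLATE, {3, 17, 31})))
    # Three flipped bits in one block exceed the code's capacity, so the check fails.
    print("distant query:", verify(helper, key_digest, flip(TEMPLATE, {0, 1, 2})))
```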