Shuffling is not sufficient: Security analysis of cancelable iriscodes based on a secret permutation

Since the seminal paper of Ratha et al. in 2001 that introduced cancelable biometrics, inner permutation of biometric templates has been widely suggested as one of the basic components to protect biometric data against compromise or cross-checking between two databases. In this paper, we study the case of iris biometrics, where an inner permutation corresponds to shuffling the bits of a template in order to diversify the stored data. We analyze the security brought by a permutation and underline the impact of non-uniformity of templates on the robustness of cancelable biometrics: we introduce new attack strategies on permuted biometric databases that make it possible to reconstruct part of the permutation, leading to a potential privacy leakage. We finally suggest ways to efficiently improve the protection by designing specific countermeasures, with no impact on accuracy and a low impact on the overall architecture of the system.

[1] John Daugman, et al. How iris recognition works, 2002, IEEE Transactions on Circuits and Systems for Video Technology.

[2] Andrew Beng Jin Teoh, et al. Biohashing: two factor authentication featuring fingerprint data and tokenised random number, 2004, Pattern Recognit.

[3] Raymond N. J. Veldhuis, et al. Preventing the Decodability Attack Based Cross-Matching in a Fuzzy Commitment Scheme, 2011, IEEE Transactions on Information Forensics and Security.

[4] Kwok-Tung Lo, et al. Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, 2011, Signal Process.

[5] Anthony Vetro. CHAPTER 11 – Securing Biometric Data, 2009.

[6] Andreas Uhl, et al. A survey on biometric cryptosystems and cancelable biometrics, 2011, EURASIP J. Inf. Secur.

[7] Sergey Yekhanin, et al. Secure Biometrics Via Syndromes, 2005.

[8] John Daugman, et al. Probing the Uniqueness and Randomness of IrisCodes: Results From 200 Billion Iris Pair Comparisons, 2006, Proceedings of the IEEE.

[9] Ahmad Hussein. SECURING BIOMETRIC DATA, 2010.

[10] Arjan Kuijper, et al. Retrieving secrets from iris fuzzy commitment, 2012, 2012 5th IAPR International Conference on Biometrics (ICB).

[11] Nalini K. Ratha, et al. Enhancing security and privacy in biometrics-based authentication systems, 2001, IBM Syst. J.

[12] Ross J. Anderson, et al. Combining cryptography with biometrics effectively, 2005.

[13] Julien Bringer, et al. The best of both worlds: Applying secure sketches to cancelable biometrics, 2008, Sci. Comput. Program.