Practical security and privacy attacks against biometric hashing using sparse recovery

Biometric hashing is a cancelable biometric verification method that has recently received research interest. It can be regarded as a two-factor authentication method that combines a personal password (or secret key) with a biometric to obtain a secure binary template, which is used for authentication. We present novel practical security and privacy attacks against biometric hashing under the assumption that the attacker knows the user’s password, in order to quantify the additional protection provided by the biometric when the password is compromised. We present four methods that can reconstruct a biometric feature and/or the image from a hash, and one method that can find the closest biometric data (i.e., face image) in a database. Two of the reconstruction methods are based on 1-bit compressed sensing signal reconstruction, for which the data acquisition scenario is very similar to biometric hashing. Previous literature introduced simple attack methods, but we show that compressed sensing recovery techniques pose a higher level of security threat. In addition, we present privacy attacks that reconstruct a biometric image resembling the original image. We quantify the performance of the attacks using detection error tradeoff curves and equal error rates under advanced attack scenarios. We show that conventional biometric hashing methods suffer from high security and privacy leaks under practical attacks, and we believe more advanced hash generation methods are necessary to avoid these attacks.
