Secure Sketch for Multiple Secrets

Secure sketches are useful in extending cryptographic schemes to biometric data since they allow recovery of fuzzy secrets under inevitable noise. In practice, secrets derived from biometric data are seldom used alone, but typically employed in a multi-factor or a multimodality setting where multiple secrets with different roles and limitations are used together. To handle multiple secrets, we can generate a sketch for each secret independently and simply concatenate them. Alternatively, we can "mix" the secrets and individual sketches, for example, by taking the first secret as the key to encrypt the sketches of all other secrets. Hence, it is interesting to investigate how the secrets are to be mixed so as to cater for different requirements of individual secrets. We found that, by appropriate mixing, entropy loss on more important secrets (e.g., biometrics) can be "diverted" to less important ones (e.g., password or PIN), thus providing more protection to the former. On the other hand, we found that mixing may not be advisable if the amount of randomness invested in sketch construction is large, or the sketch contains high redundancy, or all secrets are of the same importance. Our analysis provides useful insights and guidelines in the applications of secure sketches in biometric systems.

[1]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[2]  Nasir D. Memon,et al.  Protecting Biometric Templates With Sketch: Theory and Practice , 2007, IEEE Transactions on Information Forensics and Security.

[3]  Martin Wattenberg,et al.  A fuzzy commitment scheme , 1999, CCS '99.

[4]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[5]  Bart Preneel,et al.  Privacy Weaknesses in Biometric Sketches , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[6]  Purdy Ho,et al.  A Dual-Factor Authentication System Featuring Speaker Verification and Token Technology , 2003, AVBPA.

[7]  Raul Sánchez-Reillo Including Biometric Authentication in a Smart Card Operating System , 2001, AVBPA.

[8]  Xavier Boyen,et al.  Reusable cryptographic fuzzy extractors , 2004, CCS '04.

[9]  Dongho Won,et al.  The Vulnerabilities Analysis of Fuzzy Vault Using Password , 2008, 2008 Second International Conference on Future Generation Communication and Networking.

[10]  Berrin A. Yanikoglu,et al.  Realization of correlation attack against the fuzzy vault scheme , 2008, Electronic Imaging.

[11]  Anil K. Jain,et al.  Hardening Fingerprint Fuzzy Vault Using Password , 2007, ICB.

[12]  N. Kiyavash,et al.  Secure Smartcard-Based Fingerprint Authentication ∗ , 2003 .

[13]  Michael K. Reiter,et al.  Password hardening based on keystroke dynamics , 1999, CCS '99.

[14]  Madhu Sudan,et al.  A Fuzzy Vault Scheme , 2006, Des. Codes Cryptogr..

[15]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[16]  Raymond N. J. Veldhuis,et al.  Practical Biometric Authentication with Template Protection , 2005, AVBPA.

[17]  Alfred C. Weaver,et al.  Biometric authentication , 2006, Computer.

[18]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[19]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[20]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[21]  Ann Cavoukian,et al.  Biometric Encryption , 2011, Encyclopedia of Cryptography and Security.

[22]  Reza Yousefi-Nooraie,et al.  Dermatoglyphic asymmetry and hair whorl patterns in schizophrenic and bipolar patients , 2008, Psychiatry Research.

[23]  Josef Kittler,et al.  Audio- and Video-Based Biometric Person Authentication, 5th International Conference, AVBPA 2005, Hilton Rye Town, NY, USA, July 20-22, 2005, Proceedings , 2005, AVBPA.

[24]  Jean-Paul M. G. Linnartz,et al.  New Shielding Functions to Enhance Privacy and Prevent Misuse of Biometric Templates , 2003, AVBPA.

[25]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[26]  Jane Adams Biometrics and smart cards , 2000 .

[27]  T. Charles Clancy,et al.  Secure smartcardbased fingerprint authentication , 2003, WBMA '03.

[28]  Ee-Chien Chang,et al.  Hiding Secret Points Amidst Chaff , 2006, EUROCRYPT.

[29]  Rafail Ostrovsky,et al.  Secure Remote Authentication Using Biometric Data , 2005, EUROCRYPT.

[30]  Ee-Chien Chang,et al.  Finding the original point set hidden among chaff , 2006, ASIACCS '06.

[31]  Pim Tuyls,et al.  Capacity and Examples of Template-Protecting Biometric Authentication Systems , 2004, ECCV Workshop BioAW.