Attacks and Countermeasures in Fingerprint Based Biometric Cryptosystems

We investigate the security provided by implementations of biometric cryptosystems that protect fingerprint templates, most of which are based on the fuzzy vault scheme by Juels and Sudan in 2002. We show that attacks taking advantage of the system's false acceptance rate, i.e. false-accept attacks, pose a very serious risk, even if brute-force attacks are impractical to perform. Our observations lead to the clear conclusion that currently a single fingerprint is not sufficient to provide a secure biometric cryptosystem. But there remain other problems that cannot be resolved by merely switching to multiple fingers: Kholmatov and Yanikoglu in 2007 demonstrated that it is possible to break two matching vault records at quite a high rate via the correlation attack. We propose an implementation of a minutiae fuzzy vault that is inherently resistant against cross-matching and the correlation attack. Surprisingly, cross-matching resistance does not come at the cost of authentication performance. In particular, we propose to use a randomized decoding procedure and find that it is possible to achieve a genuine acceptance rate (GAR) of 91% at which no false accepts are observed on a commonly used database. Our ideas can be adopted into an implementation of a multibiometric cryptosystem. All experiments described in this paper can be fully reproduced using software available for download.
