This invention relates to the protection of data, in particular a method for guaranteeing authenticity and integrity of digitized data on the basis of biometric features.
In the course of increasing globalization in almost all areas of the economy, new information technologies in particular are of ever greater importance. This primarily applies to the progressive use of electronic communication networks, the best known form presumably being the Internet. The increasing international exchange of goods and services makes it absolutely necessary for information to be transmitted safely. At present, the value of monetary transactions many times exceeds that of the exchange of goods. This data traffic is handled at present in some form over electronic communication networks (e.g. electronic transactions such as e-commerce). This form of communication, as in the nonelectronic sphere, involves the need for the parties to the transaction to be able to rely on statements (in particular declarations of intention) during the transaction, with respect to both the content and the identity of the other party. However, since such electronic transactions (on-line transactions) normally involve no direct contact between the parties and the data are only present in electronic form, this cannot be achieved by face-to-face interaction as is otherwise usual. Without the possibility of authentication and protection of transaction data against manipulation, realization is inconceivable. A reliable check of data integrity is also of great importance with respect to the protection of electronically stored personal data. Digital signatures are one way of ensuring the authenticity and integrity of data. Only authorized persons, groups or machines can make changes to data. Additionally, anyone can ascertain whether a signature is authentic.
Known signature methods use a so-called asymmetric encryption method. The basic course of such a method will be outlined in the following.
For each participant in the signature system a key pair is generated, for example a secret and a public key, which have a certain mathematical relationship to each other. To generate the digital signature the sender uses his secret key, normally as a special signature feature. The document to be signed is first compressed by a so-called hash method, the resulting digest linked with the secret key according to a predetermined algorithm and the result appended to the document to be transferred as a digital signature. The recipient now likewise compresses the document and compares this digest with the digest contained in the digital signature which results by decrypting the signature with the sender's public key. In case of a match it is certain that the sent and received texts are the same, i.e. there have been neither manipulations nor transfer errors. It is also certain that only the sender, who is in the possession of the secret key, can have generated the signature because the public key would otherwise not “fit,” i.e. no transformation to the original digest could have taken place.
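The hash-then-sign flow described above, as an added Python illustration (not part of the original text). The key is a constructed toy key built from two publicly known Mersenne primes, SHA-256 is an assumed choice of hash method, and the function names are hypothetical.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes, so
# anyone can factor N. It only illustrates the arithmetic and is NOT secure.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # secret exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Compress the document with a hash method (SHA-256 assumed here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Sender: link the digest with the secret key.

    Textbook RSA without padding, for illustration only; deployed systems
    apply a padding scheme to the digest before exponentiation.
    """
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient: recompute the digest and compare it with the digest
    recovered from the signature using the sender's public key (E, N)."""
    return pow(signature, E, N) == digest(document)


if __name__ == "__main__":
    doc = b"Pay 100 EUR to account 12345"          # constructed sample document
    sig = sign(doc)
    print("original accepted:", verify(doc, sig))
    print("altered text accepted:",
          verify(b"Pay 900 EUR to account 12345", sig))
    print("altered signature accepted:", verify(doc, sig ^ 1))
```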
The security of modern signature methods is based on the fact that the private signature key cannot be determined according to the current level of knowledge even if the plaintext, the signed text and the affiliated public signature key are available to the attacker. An example of an asymmetric encryption method is RSA. The RSA method was named after its developers: Ronald L. Rivest, Adi Shamir and Leonard Adleman, who presented the method in 1977 (“On Digital Signatures and Public Key Cryptosystems,” MIT Laboratory for Computer Science Technical Memorandum 82, April 1977) and in 1978 (“A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM 2/1978). RSA is based on number-theory considerations, it being assumed that large numbers are difficult to factorize, i.e. resolve into prime factors. This is the so-called factorization problem. The assumed computing effort is so great that the encryption can virtually not be broken by a brute-force attack if the keys are suitably chosen. No cryptanalytic attacks are published.
Thus, such an asymmetric encryption method permits a signed document to be associated uniquely with a signature key. The association of a signed document with a person or organization is still problematic, however. For it to succeed, the following conditions must be guaranteed. Firstly, only the rightful owner has access to his private signature key and, secondly, each public key has the rightful owner of the affiliated private key associated therewith in unique fashion.
To meet the first condition there is the possibility of identifying the rightful owner of the signature key by biometric features.
To meet the second condition many systems include so-called trusted third parties: third parties who are not directly involved in the transaction and whose trustworthiness can be considered certain. The system of mutual trust and checks is frequently called the trust model.
Examples of the use of signature methods for authentication and checking data integrity are: contracts concluded electronically over the Internet or another data network; electronic transactions (cf. e-commerce); controlled access to resources (e.g. data connections or external memory systems); process control data which are exported and read into production plants; personal data management (e.g. patient data management or in government agencies).
As with every security system, there are numerous possibilities of attack with signature methods known today. These are presented in a table in FIG. 6.
Known signature systems are for example so-called smart card systems. Many systems based on smart cards offer good protection against attacks on the key itself (cryptanalytic attacks), brute-force attacks (BFA) and attacks on the hardware on which the key is stored. However, replay and fake-terminal attacks (RA) as well as attacks on the users are relatively promising, i.e. smart card systems are a security risk with respect to such attacks.
Some systems attempt to protect users from theft of the signature key. Both PINs and biometric methods are employed. Attacks on the trust model (TMA) are not even discussed by most providers of authentication systems.
In the following, a conventional system combining digital signatures and the measurement of biometric features shall be described. Both the customer's private signature key and a sample or prototype (the so-called template) of the digital representation of the measured biometric feature are present in stored form. The following specific authentication steps are taken. The user identifies himself, for example by entering a PIN or by a biometric feature being read. The biometric data are validated by comparison with a template. If the distance of the measured feature from the prototype is smaller than a threshold value, the transaction is enabled. This comparison is effected in readers or a central clearinghouse. In the latter case the biometric data—encrypted or in plaintext—are transferred over networks. The private signature key is released. The user identifies himself by signing the document digitally. The RSA method or another asymmetric encryption method is usually implemented. It is frequently implemented on a smart card or other tamper-resistant hardware. The signed document is transferred over a network. The cryptographic operation is validated by means of the user's public signature key.
The security of said methods is based on the private signature key not leaving the smart card. “Man in the middle” attacks (MMA) on the private signature key itself are thus impossible as long as the smart card remains in the legitimate owner's hands.
An example of a method wherein both the customer's private signature key and a prototype of the digital representation of the measured biometric feature are present in stored form can be found in WO 09912144 A1.
The method proposed in WO 09912144 A1 provides that the template is present in stored form in a central clearinghouse. The latter digitally signs in the user's name if the distance of the measured biometric feature from the prototype is smaller than a threshold value.
However, the method proposed in WO 09912144 A1 has the disadvantage that it inherently involves some security problems. Firstly, the user must trust the reader into which the biometric feature is read, the clearinghouse and the public networks. Fake-terminal attacks are thus possible. Then the digital representation of the biometric feature can be read into the reader (so-called replay attack (RA)). Secondly, attacks on the reader or on the entity in which the template is stored (SKT) are also possible. Such attacks are aimed at reading the template of the digital representation of the measured biometric feature. Such attacks can also be performed online (MMA). Thirdly, the data associated with the template of the digital representation of the measured biometric feature can be exchanged (STX).
WO 09850875 describes a so-called biometric identification method using a digital signature method and biometry. This method prevents the template of the digital representation of the measured biometric feature from being exchanged (STX) by storing it in a so-called biometric certificate. The template, as well as user data associated therewith, are validated and digitally signed by a certifying authority. This prevents the user data associated with the template from being exchanged. However, the disadvantage is that this cannot exclude the possibility of replay attacks.
WO 98/52317 likewise describes a digital signature method. The method according to WO 98/52317 attempts to thwart STT and STX attacks by doing without storage of the digital representation (template) of the biometric feature (BM). In an initialization phase the BM is used to create a so-called instance, i.e. representative or specific example of a class, of a problem whose solution is the BM. The digital representation is thus not explicitly stored, but hidden in the instance of the problem. WO 98/52317 proposes designing the problem so that the digital representation is hidden in a mass of similar data (camouflage).
The capture of a biometric feature for further computer-aided processing presupposes analog-to-digital conversion, which will often yield rounding errors in the digitized measured values since the resolving power is always finite, albeit very exact. Furthermore, it is unrealistic to assume that the user will always adopt exactly the same positions with respect to the measuring sensor system when biometric features are captured. Measurements of behavioral biometric features involve the additional problem that the user cannot be expected to exactly replicate his behavior twice. However, the point of using biometric features is precisely their absolutely unique association with a person (e.g. fingerprint, retina, etc.). Therefore, information about the necessary fault-tolerance or about how the varying measured values are to yield a unique association is imperative. WO 98/52317 provides no information about how great the fault-tolerance of this method is. It likewise remains unclear how great the amount of camouflaging information must be for the solution to the problem not to be read. This is a necessary condition for quantifying or even just estimating the security of the method.
DE 4243908 A1 attempts to prevent PKT, TA, STT and STX attacks by doing without storage of the private signature key and without storage of the digital representation of the biometric feature. This is done in the following way. Biometric feature ABM is measured. Biometric feature ABM is digitized. From the digital representation of the biometric feature a so-called fixed-length individual value IW is calculated. From individual value IW the sender's private signature key SK(A) is calculated. The message is encrypted by means of said key SK(A).
However, it is disadvantageous that the calculation of IW is to be done by means of function f, which has a certain fault-tolerance, since it is unclear how this fault-tolerance, which is of crucial importance, is to be determined for such a function. The application requires merely that it assign the same individual value to two users “only with such low probability as is compatible with the security of the system.” It is likewise disadvantageous that it is unclear which functions or classes of functions are to have the properties required in the application. The description of the application instead permits the conclusion that, although collision freedom is required for function f, i.e. it should be impossible to find two input values for the same function value, it is nevertheless to have a certain fault-tolerance. Such a function having these diametrically opposed conditions can by definition not exist. The result of this is that invariably reproducible generation of the same private key from new measured values of the same biometric feature is not possible free of doubt, i.e. signed documents or data cannot be identified or authenticated with known public keys.
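The tension between collision freedom and fault-tolerance can be made concrete with two candidate functions f. This is an added Python illustration, not code from DE 4243908 A1 or from the present description; the measurements are constructed sample values, and the function names and the bin width are assumptions.

```python
import hashlib

# Constructed sample data: one enrolled measurement and later readings.
ENROLLED = [12.31, 47.80, 5.02, 88.64]
READING_A = [12.29, 47.83, 5.04, 88.61]    # same feature, small noise
READING_B = [12.29, 47.83, 4.98, 88.61]    # same feature, third value crosses 5.0
OTHER_INPUT = [12.10, 47.60, 5.40, 88.90]  # a different input, e.g. another user


def f_hash(measurement):
    """Collision-resistant candidate: hash the digitized values directly."""
    raw = ",".join(f"{v:.2f}" for v in measurement).encode()
    return hashlib.sha256(raw).hexdigest()


def f_quantize(measurement, step=0.5):
    """Fault-tolerant candidate: map each value to a bin of width `step`
    (assumed tolerance) and hash the bin indices."""
    bins = [int(v // step) for v in measurement]
    return hashlib.sha256(repr(bins).encode()).hexdigest()


def same_individual_value(f, first, second):
    """True if f assigns both measurements the same individual value IW."""
    return f(first) == f(second)


if __name__ == "__main__":
    # Collision-resistant f: noise alone changes IW, so the key is not reproducible.
    print("hash, noisy reading:     ", same_individual_value(f_hash, ENROLLED, READING_A))
    # Fault-tolerant f: noise is absorbed ...
    print("quantize, noisy reading: ", same_individual_value(f_quantize, ENROLLED, READING_A))
    # ... but different inputs inside the same bins collide by construction ...
    print("quantize, other input:   ", same_individual_value(f_quantize, ENROLLED, OTHER_INPUT))
    # ... and a reading near a bin boundary still yields a different IW.
    print("quantize, boundary case: ", same_individual_value(f_quantize, ENROLLED, READING_B))
```

Widening the bins absorbs more noise but makes more distinct inputs collide, and the description gives no way to quantify either effect.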
US005832091A describes a method for obtaining a unique value from a fingerprint. This method works as follows. In a first step the fingerprint is Fourier transformed. Then the Fourier coefficients are subjected to imaging which depends on the template of the fingerprint and the resolution of the measuring instrument. From the inverse transform a unique value is obtained from which a signature key can be determined. The method has the following disadvantages, however. The method works only for fingerprints. The method requires a Fourier transform. For the imaging dependent on the template, it cannot be determined how much information about the template it reveals; thus, it is not possible to quantify the security against brute-force attacks. Finally, the method only corrects errors which are due to the resolving power of the measuring instrument. It remains unclear whether errors resulting e.g. from dirt or small injuries of the fingertips are also corrected.
All stated methods thus share the disadvantage of not permitting any quantitative statements about the computing effort of a brute-force attack and thus the protection from decryption. Thus, they are inaccessible to quantification of the protection by biometry.