Biometrics presents an accurate method for personal identification and authentication. Biometric data that may be used for identification and authentication include, but are not limited to: facial characteristics; fingerprints; hand geometry; capillary arrangement in the retina; iris ring color; signature; vein arrangement, e.g. on the back of the hand; voice tone, pitch, cadence and frequency patterns; and DNA structure. Fingerprint information is especially useful in that, to date, no two individuals have been found to have identical fingerprints. Furthermore, fingerprints are easily obtained and are often left on surfaces touched or handled by an individual, making them ideal for crime and missing person investigations.
Although fingerprints provide a reliable means of establishing the identity of an individual, their use presents its own vulnerabilities.
There are many applications where a secured identity is useful, e.g. for bank account access; security risk area access, e.g. for defense and secret or potentially dangerous research and development; obtaining restricted materials, e.g. munitions and other weapons and potentially dangerous chemicals and biologic materials; and personal information security, e.g. medical records and information. As an example, in healthcare applications, “health cards” provide a convenient method to expedite billing and claim processing. The information that can be stored includes medical history, insurance provider information and personal details. Identity theft is a serious problem in this area, as well as others, with an increasing number of patients using stolen identities to seek treatment to which they are not entitled, causing financial losses to providers. Biometric identification in this area, e.g. fingerprints, is thus an answer to increasing identity theft.
A current disadvantage of biometric identification is that passwords and tokens such as smart cards can be reissued or revoked easily when they are compromised; however, if a biometric template, e.g. a fingerprint template, is compromised, it cannot be reissued since a person has a limited number of fingerprints. There are also pertinent issues of privacy when fingerprints are used across several applications or organizations. The major concern is the possible sharing and misuse of fingerprint databases between organizations and agencies without the user's knowledge. Therefore a method and system are required in which the privacy and security of fingerprint data are ensured. Further, the system should allow re-enrollment and replacement if the original fingerprint data is compromised.
Existing literature in fact suggests “cancelable” or “private” biometrics as a method of securing biometric templates, see e.g. Ratha et al., “Enhancing Security and Privacy in Biometrics-based Authentication System”, IBM Systems Journal, Vol. 40, No. 3, pp. 614-634, 2001, incorporated by reference as background art. In the Ratha et al. method, the biometric is altered using a deterministic and fixed non-invertible transformation (biometric hashing) before the template is enrolled.
In order to prevent compromise of fingerprint data, hashed values of fingerprints may be used. A hash function is a transformation that takes an input string and returns a value, which is called the hash value. Hash functions can be non-invertible, which makes it virtually impossible to recover the original fingerprint from the hash value. Recently, biometrics such as fingerprints have been used for authentication and identification purposes. Biometrics, though proven to be more secure and efficient than password-protected systems, are probabilistic and not all-or-none like passwords. Even a slight change in the acquisition of a fingerprint can lead to a totally different hash value, which might not and probably will not match the stored template. The possibility that a database with biometric data is compromised is also one of the main concerns in implementing biometric identification systems. Also, biometrics, if compromised, cannot be changed, as e.g. a fingerprint is unique to a person and if compromised cannot be replaced by a new one. A system that is capable of doing this will be a cancelable biometric system. We have devised a system for biometric data, in particular fingerprint data, to be stored and transmitted securely. In addition, the data can be cancelled in case the transmitted data is compromised.
To the best of our knowledge, there is no existing system in the field. Existing fingerprint systems are not secure, and identification/authorization is carried out on the actual stored template of the fingerprints. This leads to severe security concerns if the database is compromised. Whereas a patented technology, ‘Biometric Encryption’ by Soutar et al. (U.S. Pat. Nos. 5,680,460, 5,712,912, 6,219,794 and 5,790,668), describes secure key management using biometrics for encryption, it uses biometrics in securing keys and PINs, and matching is based on the image of the fingerprint. Also, the fingerprint image is encrypted and, during matching, decrypted back. Thus, it is not compliant with industry standards of minutiae matching, and the actual fingerprint is exposed during matching. In Bioscrypt the whole fingerprint image is considered. The problem we are solving is securing the biometric data itself and, in addition, making it cancelable. Davida et al. (cited in 18-b below) presented an authentication algorithm based on error correcting codes, which have been used in communication systems and barcodes. However, the amount of error correction is very limited and is possible only if the data can be represented in some ordered fashion, which is not practical for biometric systems.
The situation we are facing here is analogous to a password based authentication system where we would like successful authentication even if the password provided is almost the same. Is it possible to construct a person authentication algorithm if we allow the password to change slightly? Error correcting codes [8] have successfully been utilized in such situations of recovering changed data and their use might be appropriate here. Indeed, Davida et al. [2] presented an authentication algorithm based on error correcting codes. In this algorithm, error correcting digits are generated from the biometric data and some other verifying data, and stored in the database. During the authentication stage, possibly changed biometric data is combined with the stored error-correcting digits and error correction is performed. The amount of correction required serves as a measure of the authentication success. This algorithm was later modified as the fuzzy commitment scheme in the work of Juels and Wattenberg [5], and some of its properties were derived. Kuan et al. [7] presented a method for extracting cryptographic keys from dynamic handwritten signatures. A similar approach for face templates was presented by Kevenaar et al. [6], in which they generate binary feature vectors from biometric face data that can be protected by using helper data introduced into this bit sequence.
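The following sketch is an added illustration of the fuzzy commitment idea described above; it is not code from the cited papers or from the system described here. It assumes the biometric has already been reduced to a fixed-length ordered bit vector, and a toy 5-fold repetition code with an 8-bit key stands in for a real error-correcting code; all names and sample bits are constructed.

```python
import hashlib
import secrets

REP = 5  # toy repetition code: each key bit becomes REP codeword bits

# Constructed 40-bit binary feature vector standing in for biometric data.
ENROLLED = [(i * 7 + i // 3) % 2 for i in range(40)]

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (acquisition noise)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    """Majority vote per block; corrects up to REP // 2 flipped bits per block."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(bio_bits, key_bits=None):
    """Store only (helper, commitment); neither the key nor the biometric is kept."""
    if key_bits is None:  # a fresh random key makes the record re-issuable
        key_bits = [secrets.randbelow(2) for _ in range(len(bio_bits) // REP)]
    helper = [c ^ b for c, b in zip(encode(key_bits), bio_bits)]
    return helper, digest(key_bits)

def verify(bio_bits, helper, commitment):
    """XOR the fresh reading with the helper, error-correct, then compare hashes."""
    return digest(decode([h ^ b for h, b in zip(helper, bio_bits)])) == commitment

if __name__ == "__main__":
    helper, commitment = enroll(ENROLLED)
    noisy = flip(ENROLLED, {2, 11, 12, 33})    # same source, four bit errors
    other = flip(ENROLLED, set(range(20)))     # a clearly different vector
    print("plain hash equal:", digest(noisy) == digest(ENROLLED))
    print("noisy reading accepted:", verify(noisy, helper, commitment))
    print("different vector accepted:", verify(other, helper, commitment))
```

Enrolling the same vector again with a new key yields a different helper and commitment, which is the cancelable property; the scheme still depends on the bits being ordered and aligned, which is the limitation the text raises for minutiae.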
In fingerprint based biometric authentication systems, minutiae based matching has become a de facto standard. A fingerprint is made of a series of ridges and furrows on the surface of the finger. The uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as the minutiae points. Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending. Correlation based techniques have proven to be inefficient and at times infeasible, being highly sensitive to translation and rotation. The task of fingerprint matching requires that the two prints be aligned in the best possible alignment. After alignment, the number of matching minutiae points determines how good the match is. In our work we use ideas similar to [3] to combine results of localized matchings into the whole fingerprint recognition algorithm. In that work localized matching consists of matching minutia triplets using such features as angles and lengths between minutia points. For each minutia feature vector of length 3 (x, y, θ) and its two nearest neighbors, a secondary feature vector of length 5 is generated which is based on the Euclidean distances and orientation difference between the central minutia and its nearest neighbors. Matching is performed on these secondary features. In contrast, for localized matchings in this work we keep only limited information about matched neighborhoods, so that minutia positions cannot be restored. Global matching is essentially finding a cluster of localized matchings with similar rotation (r) and transformation (t) parameters. It seems that the proposed algorithm of Uludag and Jain [13] might also use this 2-stage technique.
Thus none of the approaches previously discussed can directly be extended to fingerprints. Fingerprint data with minutia positions as features presents additional challenges for designing hashes. Minutia sets of two fingerprints usually do not coincide, it has been nearly impossible to introduce some order in a minutia set, and global transformation parameters are usually present between corresponding minutiae. Error correcting codes require that the original sequence be in some ordered fashion in order to locate and then try to correct the errors in the modified sequence. A fuzzy vault algorithm (Juels and Sudan [4]) improves upon the fuzzy commitment scheme in trying to solve these challenges and also uses error-correcting codes. The security of the algorithm relies on the addition of chaff points, or, in the case of a fingerprint vault, false minutia points. The attacker would try to find a subset of points that intersects well with the non-chaff point set. Thus more chaff points provide better security, but arguably worse vault unlocking performance. The application of fuzzy vault to fingerprint identification appeared in the work of Clancy et al. [1]. That paper showed realistic expectations on the numbers of chaff points and associated attack complexity. The algorithm used the assumption that fingerprints are aligned and that corresponding minutiae have similar coordinates. To address the frequent impossibility of properly aligning fingerprint images, Uludag and Jain [13] proposed to use features independent of global rotation and translation. It is still unclear if their approach will work. Soutar et al. [10] took another approach to securing fingerprint biometrics. The algorithm operates on images by constructing a special filter in Fourier space that encodes key data. The data can be retrieved only by presenting a similar fingerprint image to the decoder. The matching procedure is correlation based, thus translations of images are possible but not rotations.
The main difficulty in producing hash functions for fingerprint minutiae is the inability to somehow normalize fingerprint data, for example, by finding specific fingerprint orientation and center. If fingerprint data is not normalized, then the values of any hashing functions are destined to be orientation/position dependent.
A major difficulty in producing hash functions for fingerprint minutiae is thus the inability to somehow normalize fingerprint data, for example by finding specific fingerprint orientation and center. If fingerprint data is not normalized, then the values of any hashing functions are destined to be orientation, position and size dependent.
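The normalization problem stated above, and the minutia-triplet secondary features described earlier, can be seen side by side in the following added example, which is not taken from the cited work or from the system described here. The exact composition of the five components (two distances, two orientation differences, one angle between the neighbour directions) is an assumption made for illustration, and the template is constructed.

```python
import hashlib
import math

TWO_PI = 2 * math.pi

# Constructed sample template: (x, y, theta) minutiae, theta in radians.
TEMPLATE = [(50, 60, 0.3), (58, 66, 1.1), (44, 75, 2.0), (80, 40, 4.0), (70, 90, 5.2)]

def rigid_move(minutiae, angle, dx, dy):
    """Rotate by angle and shift by (dx, dy), as a re-placed finger would appear."""
    c, s = math.cos(angle), math.sin(angle)
    return [(c * x - s * y + dx, s * x + c * y + dy, (t + angle) % TWO_PI)
            for x, y, t in minutiae]

def raw_hash(minutiae, cell=4.0):
    """Hash of coarsely quantized absolute coordinates (placement dependent)."""
    cells = sorted((round(x / cell), round(y / cell), round(t / 0.25))
                   for x, y, t in minutiae)
    return hashlib.sha256(repr(cells).encode()).hexdigest()

def secondary_feature(minutiae, i):
    """Length-5 vector for minutia i and its two nearest neighbours (assumed layout)."""
    cx, cy, ct = minutiae[i]
    others = [m for j, m in enumerate(minutiae) if j != i]
    others.sort(key=lambda m: math.hypot(m[0] - cx, m[1] - cy))
    (x1, y1, t1), (x2, y2, t2) = others[:2]
    a1 = math.atan2(y1 - cy, x1 - cx)
    a2 = math.atan2(y2 - cy, x2 - cx)
    return (math.hypot(x1 - cx, y1 - cy), math.hypot(x2 - cx, y2 - cy),
            (t1 - ct) % TWO_PI, (t2 - ct) % TWO_PI, (a2 - a1) % TWO_PI)

def same_feature(f, g, tol=1e-6):
    """Compare the distances directly and the angles on the circle."""
    dist_ok = all(abs(a - b) <= tol for a, b in zip(f[:2], g[:2]))
    ang_ok = all(abs((a - b + math.pi) % TWO_PI - math.pi) <= tol
                 for a, b in zip(f[2:], g[2:]))
    return dist_ok and ang_ok

def invariant_under(minutiae, angle, dx, dy):
    """True if every secondary feature survives the rigid motion unchanged."""
    moved = rigid_move(minutiae, angle, dx, dy)
    return all(same_feature(secondary_feature(minutiae, i), secondary_feature(moved, i))
               for i in range(len(minutiae)))

if __name__ == "__main__":
    moved = rigid_move(TEMPLATE, 0.5, 12, -7)
    print("raw hash unchanged:", raw_hash(TEMPLATE) == raw_hash(moved))
    print("secondary features unchanged:", invariant_under(TEMPLATE, 0.5, 12, -7))
```

The relative features remove the dependence on global rotation and translation only; missing or spurious minutiae and measurement noise still change the nearest-neighbour sets, so an exact hash over these features would remain brittle.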