Using biometric data derived from a biometric characteristic for the purpose of identity authentication provides both security and convenience for an individual to manage his or her personal files, such as private photos, videos, medical records, health records, financial records, work sheets, etc., or other digital assets, such as virtual reality assets, digital art collections, etc. This is thanks to the unique and permanent linkage of biometric characteristics to the corresponding individual, who is usually a natural person. Unlike a cryptographic key or a password, which can be transferred to other people, whether an authorized individual or a malicious attacker, biometric characteristics cannot be transferred from one person to another. Thus, biometric characteristics can be used as a reliable link between a person's identities and the person himself or herself. This unique link enables biometric data to replace passwords in numerous scenarios.
However, there are challenges to overcome if biometric characteristics are to be used for identity authentication purposes: (1) security concerns, (2) privacy concerns, and (3) fuzziness in authentication. As regards (1) security concerns, while providing convenience to the individual, the permanence of biometric characteristics implies that once a biometric template, i.e. the reference representing the biometric characteristic, is lost or hacked, the biometric trait cannot be revoked and renewed like a password. Thus, the individual is subject to a permanent security risk that the lost or stolen biometric data may be used to impersonate the individual. As regards (2) privacy concerns, in addition to the possibility of using unique biometric data to cross-link the registered services of an individual by his or her unique biometric characteristics, the biometric data itself may disclose personal information, such as the health status in some cases. Finally, as regards (3) fuzziness in authentication, unlike a password or a secret key that can be exactly matched, biometrics works with probabilities, and thus match and non-match decisions are prone to errors.
To tackle the security concerns (1) and privacy concerns (2), the concept of so-called biometric template protection was proposed, e.g. as described by A. Jain et al. in “Biometric Template Security”, EURASIP Journal on Advances in Signal Processing, Volume 2008, January 2008, Article No. 113. Under this concept, biometric templates can be transformed, with the assistance of auxiliary data, into diversified and uncorrelated templates in an irreversible and unlinkable way; biometric template protection is also described in ISO/IEC 24745, “Information Technology—Security Techniques—Biometric Information Protection”, 2011.
To cope with the challenges brought by biometrics' fuzziness in authentication (3), and also to ease biometrics' integration into existing cryptographic mechanisms, it was proposed to bind biometric data with an ephemeral secret or a personally-owned secret, such as a PIN, a password, a secret key, etc., to create a protected biometric template. Such binding schemes include, to name a few examples, (i) the fuzzy commitment scheme, e.g. described by A. Juels et al. in “A fuzzy commitment scheme”, CCS '99 Proceedings of the 6th ACM conference on Computer and communications security, 1999, (ii) fuzzy vault, e.g. described by A. Juels et al. in “A fuzzy vault scheme”, Proceedings of 2002 IEEE International Symposium on Information Theory, 2002, (iii) biotokens, e.g. described by T. Boult in “Revocable Fingerprint Biotokens: Accuracy and Security Analysis”, IEEE CVPR 2007, (iv) biohashing, e.g. described by A. Jin in “Biohashing: two factor authentication featuring fingerprint data and tokenized random number”, Pattern Recognition, Volume 37, Issue 11, November 2004, Pages 2245-2255, and (v) biometric password managers, e.g. described by B. Yang et al. in “Cloud Password Manager Using Privacy-Preserved Biometrics”, IEEE IWCCSP 2014. All the foregoing protection schemes (i) to (v) usually suffer from performance degradation or insufficient security.
Prior art key binding schemes as used in the fuzzy commitment scheme (i) and fuzzy vault (ii), including the underlying mechanism, as known e.g. from WO 2000/051244 A8, U.S. Pat. No. 8,290,221 B2, US 2007/0180261 A1, or WO 2007/036822 A1, are based on value offsetting or an XOR operation, which will easily leak the other input if one of the two inputs to the XOR, i.e. the biometric feature data or the secret, is leaked. In the biotoken method (iii), as known from e.g. U.S. Pat. No. 8,838,990 B2, some parts of the biometric templates are not protected. Thus, it is possible to establish a linkage across the protected biometric templates derived from the same plain template. In addition, leakage of the cryptographic key will lead to the decryption of the protected biometric templates. In biohashing (iv), as known e.g. from A. Jin, “Biohashing: two factor authentication featuring fingerprint data and tokenized random number”, Pattern Recognition, Volume 37, Issue 11, Nov. 2004, Pages 2245-2255, leakage of multiple cryptographic keys will lead to the reversibility of the protected biometric templates. In biometric password managers (v), as known e.g. from B. Yang et al., “Cloud Password Manager Using Privacy-Preserved Biometrics”, IEEE IWCCSP 2014, once the randomly generated secret is leaked, the individual's master secret will be disclosed as well.
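The XOR-based key binding of the fuzzy commitment scheme (i) and its leakage property can be illustrated as follows. This is an added example, not code from any of the cited references; the 5-fold repetition code, the SHA-256 key hash, and all function names and sample bits are assumptions chosen for illustration.

```python
import hashlib
import random

REP = 5  # toy repetition code: each key bit is stored REP times

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote per REP-bit block corrects up to REP // 2 flipped bits.
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(feature_bits, key_bits):
    # Protected template = (helper data, hash of the bound key).
    return xor(feature_bits, encode(key_bits)), digest(key_bits)

def verify(probe_bits, helper, key_hash):
    return digest(decode(xor(probe_bits, helper))) == key_hash

def feature_from_leaked_key(helper, key_bits):
    # XOR is its own inverse: helper ^ codeword(key) = enrolled feature.
    return xor(helper, encode(key_bits))

def key_from_leaked_feature(helper, feature_bits):
    return decode(xor(helper, feature_bits))

def demo():
    rng = random.Random(2024)  # constructed sample data, not real biometrics
    key = [rng.randrange(2) for _ in range(16)]
    feature = [rng.randrange(2) for _ in range(16 * REP)]
    helper, key_hash = enroll(feature, key)
    noisy = list(feature)
    for i in (0, 7, 13, 41):   # one flipped bit in four different blocks
        noisy[i] ^= 1
    far_off = list(feature)
    for i in (0, 1, 2):        # three flips in one block exceed the code's capacity
        far_off[i] ^= 1
    return {
        "genuine_accepted": verify(noisy, helper, key_hash),
        "far_probe_rejected": not verify(far_off, helper, key_hash),
        "feature_leaks": feature_from_leaked_key(helper, key) == feature,
        "key_leaks": key_from_leaked_feature(helper, feature) == key,
    }

if __name__ == "__main__":
    print(demo())
```

The error-correcting code absorbs the fuzziness of a genuine probe, while the stored helper data together with either leaked input fully determines the other.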
Further, binding of a cryptographic key and biometric data, as known e.g. from US 2013/0004033 A1, is proven to be not secure, as discussed by J. Hermans et al. in “Shattering the Glass Maze”, International Conference of the Biometrics Special Interest Group (BIOSIG), 2014. Also, the biometric performance thereof is not desirable. Still further, a key generation scheme using biometric data, as known from U.S. Pat. No. 6,035,398 A, suffers from low entropy and is not secure enough for authentication uses. Furthermore, in U.S. Pat. No. 7,711,152 B1 or US 2003/0101349 A1, encryption and decryption are separated from the biometric feature comparison, which requires a dedicated trusted computing environment, such as a TPM (Trusted Platform Module), to perform the biometric feature comparisons. Moreover, US 2013/0283035 A1 discloses digital file authentication using biometric data, but only a cryptographic hash is used to protect the biometric templates, which is practically challenging due to the sensitivity of hashes, which makes it impossible to compare protected biometric templates directly.