`
`19980528 024
`
`56water WE? if;
`5mb~—98’- 0984c,
`comF— 73053¥~~
`
`On Enabling Secure Applications Through Off—line B1ometr1ci’
`
`.
`George I. Dav1da
`
`Identification
`.
`Ya1r Frankel
`
`l‘";“-17
`
`3'
`0 get" i
`
`.
`Brlan J. Matt
`
`Univ. of Wisconsin-Milwaukee
`
`CertCo LLC
`
`Sandia National Laboratories*
`
`Milwaukee, WI
`davida@cs.uwm.edu
`
`New York, NY
`yfrankel©cs.columbia.edu
`
`Albuquerque, NM
`bjmatt©cs.sandia.gov
`
`Abstract
`
`the
`In developing secure applications and systems,
`designers often must incorporate secure user identifi-
`cation in the design specification.
`In this paper, we
`study secure ofl-line authenticated user identification
`schemes based on a biometric system that can measure
`a user’s biometric accurately (up to some Hamming
`distance). The schemes presented here enhance iden-
`tification and authorization in secure applications by
`binding a biometric template with authorization infor-
`mation on a token such as a magnetic strip. Also de-
`veloped here are schemes specifically designed to min-
`imize the compromise of a user’s private biometrics
`data, encapsulated in the authorization information,
`without requiring secure hardware tokens.
`In this paper we furthermore study the feasibility of
`biometrics performing as an enabling technology for
`secure system and application design. We investigate
`a new technology which allows a user’s biometrics to
`facilitate cryptographic mechanisms.
`
`1
`
`Introduction
`
`Secure digital identification schemes are becoming
`increasingly important, as more security applications
`require identification based on physical characteristics
`rather than solely on a user’s knowledge of a secret
`cryptographic key or password. The increased interest
`in such applications, ranging from door access to elec—
`tronic commerce applications, has led to an increased
`interest in methods for secure and accurate identifica—
`tion [8, 5, 18, 17] of individuals as well as machines
`and objects.
`In this paper we are interested in sys-
`tems of identification that use measurable biological
`features, biometrics, which can be readily measured
`at the point of application. It is desirable that such
`measurements be non-invasive and simple to perform.
`One biometric that has been suggested is the iris scan
`[3, 12, 6, 21].
`On—line applications secured through the use of bio-
`metric authentication typically are based on a push or
`
`‘Sandia is a multiprogram laboratory operated by Sandia
`Corporation, a Lockheed Martin Company,
`for the United
`States Department of Energy under Contract DE—ACO4-
`94AL85000.
`
`In both models, the first step is a user
`pull model.
`initialization, which occurs when the user’s biomet—
`ric template is registered with the on—line server. Af-
`ter initialization, when a user wants access that re-
`quires biometric identification, a biometric authoriza-
`tion process is performed. At this time the user’s bio—
`metric is read by a reader.
`In the push model, the
`reader transmits (preferably via a private channel)
`the reading to the on—line server; the on-line server
`then verifies the validity of the reading based on the
`user’s template in the server’s directory; and finally
`the server sends an authenticated acceptance or rejec—
`tion message back to the reader. In the pull model, the
`reader requests the template from the server, and the
`reader performs the verification steps after receiving
`the template over an authenticated and, preferably,
`private channel from the server.
`In both cases, an
`authenticated channel is necessary for some commu—
`nications between the on—line database and the reader.
`The authentication can also provide for a binding of
`a user’s biometric with some form of authorization, as
`established by trust relationships between the reader
`and the on—line database.
`
`Here we are interested in developing biometric
`based identification systems which do not require the
`incorporation of an on—line database for the security
`infrastructure. Such databases are not always practi—
`cal in mobile environments, such as military applica-
`tions, and are often cost prohibitive since they require
`expensive wiring for connectivity or costly wireless de-
`vices.
`In order to remove the connectivity require-
`ments, an off-line biometric system is achieved by in»
`corporating a biometric template on a storage device
`/ token (e .g., magnetic strip or smartcard) which pro-
`vides for a reliable storage medium; however, there are
`no security requirements required of the token. We,
`therefore, will work in the pull model with the storage
`device containing sufficient information to validate the
`authenticity of the user’s acquired biometric template
`to the biometric generated during user initialization.
`To provide for the user biometric/user authorization
`binding, a trusted authorization officer who authenti—
`cates (signs) the user’s biometric template is incorpo-
`rated into our infrastructure.
`
`A biometric identification system which provides
`
`Apple 1028
`Apple 1028
`Apple v. USR
`Apple v. USR
`IPR2018-00810
`|PR2018—00810
`
`DISTRIBUTION OF 11113 DOCUMENT IS UNLlMlTED
`Page 1 of 12
`
`MASTER
`
`DTIC QUALITY INSPECTED 1
`
`Page 1 of 12
`
`
`
`
`
`DISCLAINIER
`
`This report was prepared as an account of work sponsored by an agency of the
`United States Government Neither the United States Government nor any agency
`thereof, nor any of their employees, makes any warranty, express or implied, or
`assumes any legal liability or responsibility for the accuracy, completeness, or use-
`fulness of any information, apparatus, product, or process disclosed. or represents
`that its use would not infringe privately owned rights. Reference herein to~ any spe-
`cific commercial product, process, or service by trade name, trademark, manufac-
`turer, or otherwise does not necessarily constitute or imply its endorsement, recom-
`mendation, or favoring by the United States Government or any agency thereof.
`The views and opinions of authors expressed herein do not necessarily state or
`reflect those of the United States Government or any agency thereof.
`
`
`
`Page 2 of 12
`
`Page 2 of 12
`
`
`
`the user’s biomeric template in the clear may not be
`acceptable to a user, because a user’s biometric tem-
`plate could be used for unacceptable purposes if the
`template is obtained by an unauthorized individual.
`Biometric templates can provides information which
`a user may not want provided readily. For instance, a
`finger print reading can be used for law enforcement
`purposes and an eye scan (retinal or iris) may be able
`to detect medical conditions.
`
`We study the feasibility of protecting a user’s bio
`metric on an insecure device. Such protection may
`be beneficial if the storage device holding the biomet-
`ric template is lost or stolen. This added protection
`may provide for stronger user acceptance, since the
`user’s template is not sent in the clear. In our study
`we propose a classification of secure off-line biometric
`systems according to who, if anyone, in the system
`has a private decryption key (when templates are en-
`crypted).
`An important model to consider is the case where
`neither the user nor the reader maintains private de—
`cryption keys, because it is a scalable solution when
`the user must have authorization amongst multiple
`readers and when password protection is inappropri-
`ate. Providing for authorization bound to a biomet-
`ric template appears to be inherently difficult in this
`model, because the user’s biometric template cannot
`exist in the clear on the storage device.
`To achieve our result we had to overcome several
`hurdles The first is to deal with errors which oc-
`cur during the reading of biometrics. Variances from
`multiple readings of the same user often occur due to
`problems such a scratch on a finger, disease affecting
`blood vessels in the retina, variations in light caus-
`ing changes in the pupil size during iris reading, and
`different positioning of the object being scanned (fin-
`ger, head, etc.). In an off-line system if there are any
`discrepancies between the original template and later
`readings,
`the biometric template cannot be verified
`against the authentication officer’s authentication in-
`formation.
`Another hurdle that had to be overcome is that
`
`cryptographic authentication mechanisms (e.g., a dig-
`ital signature) that the trusted authorization officer
`invokes to bind authorization with a user’s template
`do not necessarily hide all the information of the in-
`put (i.e., provide confidentiality of the message that
`is signed),
`thereby potentially leaking information
`about the user’s biometrics. Let us give an exam-
`ple of a signature scheme SIG which leaks the ac-
`quired message completely. Let sig(m) be the sig-
`nature of a message m; observe as a simple exam-
`ple that one can generate a new secure (unforgeable)
`signature function SIC(m) = (m, sig(m)), (e.g. mes-
`sage/signature pair (m’, (m, sig(m)) is valid if m’ = m
`and Verify(m’, sig(m)) = TRUE). Hence, signature
`functions do not necessarily protect against informa-
`tion leakage of the input. A solution to this problem
`is simple, of course, if the trusted authorization officer
`and reader share a private key.
`It should be noted that our system is also applicable
`to on—line systems where information is stored in an
`on—line database instead of on storage cards. By us-
`
`ing our system in an on-line environment, one is able
`to reduce the security requirements imposed on the
`database. For example, our techniques prevent the
`database manager from reading biometric templates
`directly from the database or archives.
`We also note that designers of secure systems are
`often hampered by the lack of mechanisms to satisfy
`the various requirements of a secure key management
`infrastructure. This infrastructure may have to deal
`with generation of both public and private keys, au-
`thenticated dissemination of keys, and the storage of
`keys, as well as other concerns such as maintaining
`privacy of users and trusted circulation of user autho-
`rizations. The security of this infrastructure is often
`hindered by insufficient mechanisms to secure private
`keys for users. We noticed that when one assumes
`that a user’s biometric information has suflicient un-
`certainty, our technique also allows for the biometric
`template to be used as a private key. Since there may
`not be sufficient entropy (i.e., uncertainty) in a user’s
`biometric, our system allows us to augment password
`encryption with the entropy provided in a biometric.
`Our solutions are based on cryptography. We do
`not assume unproven, and usually expensive, physi—
`cal protection mechanisms such as optical computers
`(see [20]).
`The result we present here has many features:
`
`0 We present off-line identification systems based
`on any biometric technology that can be mea-
`sured accurately (up to some Hamming distance).
`
`a Enhancements also allow for incorporation of au-
`thorization information from a trusted authoriza—
`tion officer. In essence our system binds the user
`identity not only for simple access but for autho-
`rization.
`
`c We classify off-line biometric systems according
`to which entity (e.g., reader, user, authorization
`officer), if any, must maintain a long term private
`decryption key for the purpose of hiding a user’s
`biometric from compromise.
`
`0 Based on our classification of off-line biometrics,
`we discuss the feasibility of designing a system in
`which information stored in the the storage device
`does not compromise the biometric information
`of the individual involved when a card is lost or
`stolen.
`
`o The techniques presented provide for on-line iden-
`tification systems in which the privacy of a bio-
`metric template is protected on the database.
`
`0 We propose an infrastructure and mechanisms
`which allow biometrics to enable cryptographic
`applications when there is sufficient entropy in a
`user’s biometric.
`
`o In presenting our results, we shall relate them to
`the iris technology[3, 12, 6, 21].
`
`Page 3 of 12
`
`Page 3 of 12
`
`
`
`Initial User Biometric Template
`
`Other User Attributes (height, eye color, ...)
`
`Authorization
`
`4—- User Authorization(s)
`
`Officer
`Storage Device
`
`Figure 1: Storage device initialization
`
`2 Model
`
`We shall propose several models in which off-line
`biometrics can be incorporated into a security infras-
`tructure. In order to motivate the design of our off—line
`system, we first analyze in Section 2.1 how an on-line
`system would work and the requirements which may
`be desired for such a system. We then investigate in
`Section 2.2 the off-line model for access control, au—
`thorization and private key storage.
`In our models below we use an authorization ofli—
`cer entity in the architecture. The authorization of-
`ficer’s role is to certify (e.g., authenticate or sign) a
`binding between a user’s biometric template and some
`other attributes of the user. The authorization officer
`is thereby the trusted third party attesting to autho-
`rization as well as to other user attributes. The au—
`thorization ofiicer plays a role that is similar to the
`Certification Authority (CA) in a public key hierar-
`chy (see [22]), except that the authorization officer
`binds biometrics to user attributes, while a CA binds
`a public key to user attributes.
`In considering biometrics, we note that we need to
`make the following assumption:
`
`Assumption 1 (Reproduction): We assume that
`a biometric is not reproduceable. Hence it is unique to
`an individual, but even more importantly, one should
`not be able to artificially generate a “device” with suf-
`ficient characteristics to pass a biometric verification
`of a user.
`
`This assumption must be achieved in any high con-
`sequence application protected by a biometric system,
`in order to provide secure and unique identification.
`Otherwise, an adversary with sufficient probability
`will be able to impersonate a user by reproducing the
`authorized user’s biometric. To provide for such pro—
`tection, properties such as pupillary unrest of an iris
`and blood flow and heat from a finger scan have been
`
`used to support this assumption in some biometric sys
`tems. Throughout this paper we assume the biometric
`system we incorporate into our designs provides suffi—
`cient protection to provide the reproduction assump-
`tion.
`
`2.1 On-line Model
`
`Our architecture for an off—line system is motivated
`by the on—line system. We first briefly review the
`model for an on—line system.
`The primary application of biometriw today in—
`volves the use of an on—line server. During system
`setup biometric readers are connected to a trusted on—
`line server through secure links which are either cryp-
`tographically secured channels or in which physical se—
`curity is established. If cryptographic security is used,
`then a secure key distribution is required.
`User initialization is performed by the user having
`his/her biometric template registered with the on-line
`server. Later, when a user wants access which requires
`the user to pass through a biometric identification,
`a biometric authorization process is performed. The
`user first has his/her biometric read by a reader; the
`reader transmits the reading to the on-line server; the
`on-line server then verifies the validity of the read-
`ing based on the user’s template in the server’s di—
`rectory; and finally the server sends an authenticated
`acceptance or rejection message back to the reader.
`This is the push model for an off-line system.
`In
`the pull model, the reader requests the template from
`the server, and the reader perform the verification
`steps, after receiving the template over an authenti-
`cated and, preferably, private channel from the server.
`Our off—line model below is inspired by the pull
`model. It simulates the on-line transmission of a user’s
`template to the reader with storage device containing
`a user’s biometric (or similar information) for verifi-
`cation authenticated by an authorization officer’s sig-
`nature.
`
`
`
`Page 4 of 12
`
`Page 4 of 12
`
`
`
`
`
` Application
`
`
`
`User Biometric Reading
`
`Legend: a securechannel
`
`E secure component
`
`Figure 2: Secure application with biometric authorization
`
`2.2 Off-line Model
`
`In the off—line system, the biometric authorization
`process cannot have a direct (on-line) information re—
`trieval mechanism. This requirement means that the
`push model cannot be used, because it requires a com-
`munication from the reader to the on-line database
`and back. The pull model, however, can be simulated
`by incorporating a storage token which replicates the
`information sent by the on—line reader. We should
`note, however, that as with any off-line identification
`system, immediate revocation of user privileges is not
`possible. This limitation must be taken into consider—
`ation by the system designer during the development
`of the security architecture.
`We now discuss the workflow in the off-line model.
`
`Initialization process:
`The user initialization process for the off-line model
`is represented in Figure 1. The secure authoriza-
`tion officer takes as input an initial biometric reading,
`called the user biometric template, the authorization
`information defining the set of privileges granted the
`user by the authorization officer, and other user at—
`tributes. As output a storage device such as a mag—
`netic strip card is encoded with information which es-
`tablishes a binding between a user’s biometrics (and,
`possibly, other user attributes) and the user’s autho-
`rization granted by the authorization officer.
`Application process:
`During a secure application, as depicted in Figure 2,
`a reader takes as input the user’s storage device (to-
`ken) and reads the user’s biometric. Given this infor—
`mation, which may also include other user attributes
`not represented in this figure, the user’s authorization
`attributes can be obtained and linked to the autho-
`rization officer. This information may now be securely
`transmitted to the secure application. Note that the
`primary difference between an off-line and on—line sys—
`tem is that the storage device can be replaced by an
`authenticated transmission link to the authorization
`
`officer (or its database) in the on—line system.
`
`Certain principles are incorporated in our model:
`
`1. There must be a binding between a user’s biomet-
`ric and a trusted authorization oflicer. Hence, we
`require a storage device (e.g., magnetic strip or
`smartcard) to store the binding information.
`
`2. There is a need for a scalable solution when pri-
`vacy of a user’s biometric must be protected in
`case a storage device is lost or stolen. The pri-
`mary scalability issues are who must store private
`keys and how much storage must be provided on
`the cards.
`
`Principle 2 suggests an interesting feasibility ques—
`tion. Is it possible to provide a scalable solution and
`protect a user’s biometric, and if so, what requirement
`must be imposed on the security architecture? To an-
`swer the question, we now classify the off-line security
`larchitectures by who, if anyone, must hold a private
`ey.
`
`Private key in reader: If a reader has a private key
`to decrypt biometric information encrypted by
`the authorization oflicer, then there will be no
`leakage of biometric information when a card is
`lost or stolen. However, such a system is not scal-
`able if the memory device has low storage capa-
`bility and the application’s architecture requires
`multiple readers (each with its own private key),
`because a separate encryption of the biometric
`template is required for each reader. This tech-
`nique however, can be effective if there are few
`readers in the architecture.
`
`In Figure 3 we show the information that must be
`stored on a storage device when multiple readers
`are used.
`
`To be effective, this approach requires that the
`readers provide some form of protection for the
`reader’s private key (e.g., FIPS PUB 140-1 stan-
`dards [9]), because if the private key is stolen from
`
`Page 5 of 12
`
`Page 5 of 12
`
`
`
`Storage Device
`
`
`
`
`
`EMT). Ek2(T)' Exam: Ek4(T), Ek5(T)' EMT)» EMT).
`
`Figure 3: Scaling limitation of multiple (reader,key) architecture where each reader holds a different private key.
`
`the device, the adversary is able to read the bio—
`metric from any user’s storage device.
`
`can
`protection
`Password-protection: Password
`hide information stored on a card if the password
`has sufficient entropy. This approach is a scalable
`solution (e.g., using password encryption [16] to
`encrypt the biometric template with a user mem-
`orized password),
`if revealing a password to a
`reader is considered safe and the readers have a
`user password input mechanism. Generally, pass-
`word protection is considered insuflicient, since
`it usually has low entropy and is therefore easily
`guessed. As a result FIP PUB 190 recommends
`the combination of PIN/password and a token for
`user authentication when feasible [10].
`
`No keys or passwords: Potentially, this is the most
`scalable approach with minimal system compo-
`nent requirements for an off-line system. Such
`systems, as will be shown, are possible when the
`entropy in a biometric is large enough.
`
`NOTE: It should be noted that the off—line systems
`we shall discuss are also applicable to on-line systems
`where information is stored in an on—line database in—
`stead of on storage cards. By using our system in an
`on—line environment, one is able to reduce the security
`requirements imposed on the database, where privacy
`restrictions on the information exit.
`
`3 Background
`We briefly present some background from Coding
`Theory and Cryptography that we will need in later
`sections.
`
`3.1 Cryptography
`In order to provide maximum protection of user bio-
`metric information, key material and other sensitive
`information on storage devices, we utilize mechanisms
`which prevent the storage device from leaking infor—
`mation (without the user’s biometric) to an adversary
`of a specified strength. In order to do so we will use
`the tools which we informally discuss below.
`
`Semantically Secure Encryption: In Shannon’s
`theory [19] an encryption algorithm has pefect secrecy
`if a passive adversary, even with em bounded computa-
`tional power, cannot learn anything from any cipher-
`text about its corresponding plaintext, except possibly
`its length. An encryption algorithm is semantically se—
`cure [11] if a passive adversary cannot learn anything
`in expected polynomial time from any ciphertext about
`its corresponding plaintext, except possibly its length.
`A Random Oracle is a publicly known function
`R with the property that when provided a value a: the
`oracle produces a random number R(a:), that is totally
`independent of a: (see, e.g., [1]).
`A Partial Information Hiding Function (i.e.
`an oracle hashing function) [4] can be described in-
`formally as a hashng algorithm H($11: 0 and a ver—
`ification function V(x,c) => {True,
`else} with the
`following properties: 1) infeasible to find a collision,
`i.e. V(a:, c) and V(y, c) cannot both be true if 2: 7e y
`2) information hiding, for a polynomial time adver—
`sary having 0 : H(3:), gives no further information on
`:1: beyond the ability to exhaustively search for x.
`The final tool that we need is Universal One Way
`Hash Function families [14]. A Universal One Way
`Hash Function family is a family of hash functions
`Fk(a:) = c that utilizes a key k to select a member
`of the family. In addition a polynomial bounded ad—
`versary cannot choose an 2:,
`then upon learning k,
`find a collision, i.e. a pair :5 and y,a: aé y such that
`Flatt) = Fk(y)-
`3.2 Coding Theory
`Our interest in error correction codes stems from
`the fact that the biometrics acquired are not mea—
`sured perfectly. Each measurement results in a vector
`that is at some Hamming distance (discussed below)
`from other measurements. Empirical work in measur-
`ing some biometrics, such as the iris, has shown that
`the expected hamming distance between any two bio-
`metric measurements is about 10 percent. Those er-
`rors in the measured vectors appear to be independent.
`Hence error correction is critical to the computation
`of a biometric in this scheme.
`We are interested in two types of error correction:
`Error correction at the point of acquiring the biomet—
`
`Page 6 of 12
`
`
`Page 6 of 12
`
`
`
`ric, and error correction during the verification phase.
`Empirical measurements show that the errors in a bio-
`metric are independent, with a crossover probability
`of .016 [6]. This observation suggests that if several
`measurements of a biometric are subjected to major—
`ity decoding (discussed below) at the time of template
`creation, then that template can then be considered
`the “canonica ” biometric template. Once this canon-
`ical biometric is obtained, error correction check digits
`are computed for this biometric, which will be used as
`will be shown below.
`When a user presents for verification, the same pro—
`cedure is used to arrive at a biometric that is then
`used in the rest of the process to verify identity.
`In
`this phase, error correction is used to remove residual
`errors, using the check digits computed above. This
`process will correct the measured biometric into the
`canonical biometric if the number of errors are within
`the tolerance.
`Hamming Distance: For simplification, we shall
`restrict our discussion of error correcting codes to bi-
`nary codes [2, 13, 15]. The (binary) Hamming weight
`of a codeword 5', denoted by Hw(é), is the number of
`one hits in the codeword. That is, for an n bit string 1
`6': c1|IC2|| - ”on the Hamming Weight of E: ELI cj.
`The Hamming distance of two code words c'i and 62',
`denoted by Hd(c'i, CE), is the number of bits in which
`they differ. That is Hd(c_i,c'§ = Hw(c’i 63 c3 . The
`minimal distance of a code
`is the value
`(0) =
`minc;,c-§Ec(Hd(c’i, 65)).
`Majority decoding: Let 6; = c,~,1||c,-,2]|...||c,-,n
`be n bit code vectors. Given odd m vectors c2, a ma-
`jority decoder computes vector C" = 01||02 ...||Cn,
`where C- = majority(c1 -, .
`.
`. , cmj),
`i.e., Cj
`is the
`majority of 0’s or 1’s of bit j from each of the vec—
`tors. We shall use majority decoding primarily to get
`the best biometric reading possible, thus reducing the
`Hamming distance between successive final readings
`C.
`
`Algebraic decoding: An (N, K, D) code is a code
`of N bit codewords (vectors) where K is the number
`of information digits and D is the minimum distance
`of code. It should be noted that an error correcting
`code ECC with rate K/N can correct T = (D — 1)/2
`errors.
`
`An (N, K, D) code can be represented by a K x N
`generator matrix G of dimension K. G is said to be
`in canonical form if G has the form
`
`G: [IKXK Z P]
`
`where I is a K x K identity matrix and P is a
`K x (N —- K) sub-matrix. An information vector U
`of K bits is encoded into a code vector ‘7 = [7 - G. 17
`has the form [I7 : 5'] , where 6—" is a vector of check
`digits of size N —— K. Alternately, given a genera-
`tor (binary) polynomial G(X) over GF(2) for a cyclic
`(binary) code, one can encode U(X ) into a codeword
`V(X) = XN-KU(X) + (XN-KU(X)) mod G(X).
`
`1Let [I denote string concatenation.
`
`3.2.1 Bounded Distance Decoding
`
`To allow for error correction of a biometric, we encode
`a K bit biometric into an N bit code vector, with
`N — K redundant (or check) digits.
`The description of an (N, K, D) error correctng
`code with rate K/N > %, (using bounded distance de-
`coding of up to 9—211 errors), is provided to the autho-
`rization officer and biometric readers. To ensure that
`an impostor is not accepted, it is important to set the
`error correction capability of the error correcting code
`to a level that prevents an impostor’s biometric from
`being “corrected” into a valid biometric (i.e., that no
`more than the allowed number of errors will be cor—
`
`rected).
`
`4
`
`Identification
`
`Scheme
`
`Assuming
`
`Public Biometrics
`We now discuss an off—line identification protocol
`in which we assume that there is no requirement to
`hide one’s biometric. Based on the reproduction as—
`sumption, the protocol below only protects against an
`adversary trying to prove that its potentially falsified
`biometric is the same as one signed by the authoriza-
`tion officer. Hence, we assume that the biometric can
`be read with sufficient accuracy in the amount of time
`available for the scan (possible with majority decod—
`ing, as discussed in Section 3.2) such that an (N, K, D)
`algebraic code will suffice to remove the remaining er-
`rors from the biometric2.
`The protocol below provides a framework for the
`rest of our discussion:
`
`System Setup: The authorization oflicer generates
`its public and private keys and disseminates its public
`key to the biometric readers. The system also sets up
`an algebraic (N, K, D) code;
`User Initialization: To register, M biometric tem-
`plates of length K are independently generated for the
`user. These M vectors are put through a majority de-
`coder to obtain the user’s K bit template T. Given the
`K information bits T, an N bit codeword THC is con—
`structed, where C." are the check bits in the (N, K, D)
`code defined in system setup. The following four items
`go on the card:
`
`1. Name of the individual, NAME
`
`2. Other public attributes ATTR, such as the issu-
`ing center and a user’s access control list
`
`3. Check digits 6'
`
`4. Sig(NAME, ATTR, i“), where Sig(m) denotes the
`authorization officer’s signature of x.
`
`Biometric Authorization Process (oerification)
`When a user presents a card, M biometric tem—
`plates are independently generated for
`the user.
`
`2Recall that the code is set up such that it can remove enough
`errors to allow the system to recognize the legitimate user of the
`card but not someone else, i.e. bounded distance decoding.
`
`Page 7 of 12
`
`
`
`Page 7 of 12
`
`
`
`These M vectors are put through majority decod—
`ing and bounded distance decoding using the check
`digits C" to obtain the user’s K bit current read-
`ing T’. Then Sig(NAME, ATTR, T) is verified with
`the authorization officer’s public key and message
`NAME, ATTR, T’. Successful signature verification
`implies successful user identification.
`
`5
`
`Identification Schemes with Private
`
`Templates
`We now discuss several off—line identification pro—
`tocols. We remind the reader that in the model dis-
`cussed in Section 2.2, the user obtains a storage device
`containing information on the user’s template and a
`secure authenticated binding with an authorization of-
`ficer. The two trivial cases are when there exists a pri-
`vate key in the reader and when password protection
`is used (See Section 2.1).
`For the rest of this section we make the following
`additional assumption:
`
`Assumption 2 Privacy: It is assumed that a digi-
`tal representation of the biometric cannot be produced
`with sufficient accuracy to pass a biometric authoriza—
`tion process (with respect to a user’s template only and
`not to other biological tests such as pupilary unrest)
`without the cooperation of the subject involved. Hence,
`we assume that the biometric being measured can only
`come from an individual submitting to the measure-
`ment.
`
`We therefore now assume that there is a strong phys—
`ical binding of a biometric to an individual, and that
`the biometric template cannot be “taken” (copied,
`stored, etc.)
`readily. Observe that information held
`by only one person and not obtainable by others is a
`property of a private key. This assumption inspired
`us to investigate how biometrics can enable crypto
`graphic mechanisms.
`One may argue that this assumption 2 is not ac-
`ceptable, especially against a strong adversary. But
`in practice, much as passwords protect computer sys-
`terns, this assumption can be beneficial for systems
`whose adversaries do not have such strengths. More—
`over,
`if one does not accept this assumption,
`then
`one should also not believe that biometric information
`should be kept confidential, since it is readily available
`anyway.
`5.1 Private Biometric
`We now discuss an off—line biometric system which
`provides for privacy of a user’s biometric, assuming
`the privacy assumption holds and sufficient entropy in
`biometric templates.
`
`System Setup: The authorization oflicer generates
`its public and private keys and disseminates its pub-
`lic key to the biometric readers. The system also
`sets up an algebraic (N, K, D) code. We remind the
`reader that we use bounded distance decoding (See
`Section 3.2.1).
`User Initialization: To register, M biometric tem-
`plates of length K are independently generated for the
`
`legitimate user. These M vectors are put through a
`majority decoder to obtain the user’s K bit template
`T. Given the K information digits T, an N digit code-
`word E : T||C' is constructed, where C are the check
`digits, in the (N, K, D) code defined in system setup.
`A storage device is constructed with the following in-
`formation:
`
`1. Name of the individual, NAME
`
`2. Other public attributes ATTR, such as the issu-
`ing center and a user’s access control list.
`
`3. The check digits (3*, of the biometric
`
`4. Sig(Hash(NAME, ATTR, qfhlc» where Sig(x) de-
`notes the authorization o cer s signature of x,
`and Hash(-) is a partial information hiding