Template and Database Security in Biometrics Systems
This guest post is submitted by Kyla Stewart
Biometric systems have proven to be a convenient, reliable and robust solution to the long-running problem of identity management and user authentication. The technology has found application in everything from door locks to banking. But as the pace of biometric system adoption accelerates each year, there are growing concerns about the privacy and security of this technology. User confidence in biometric technology will greatly hinge on the ability of deploying organizations to demonstrate that the systems have low risk of tampering and error.
Core Components of a Biometric System
A biometric system comprises at least 6 components—sensor (scans biometric data of user), feature extractor (processes biometric information to extract feature set that distinguishes different users), template (the extracted feature set for each user), template database (the indexed repository for user templates), matcher (compares user template with biometric information captured to authenticate a new login session to ensure they match) and the decision module (makes the decision on whether the provided biometric information is a match and subsequently allows or denies access).
Why Templates and Template Database Security is Key
Of the six core components, the template and template database are perhaps the most pivotal in ensuring the integrity of a biometric authentication system. That’s because, unlike tokens and passwords, a compromised template cannot easily be revoked and then reissued.
The template is critical in ensuring the system maintains an extremely accurate recognition performance in the context of numerous and varied users. Ergo, a template protection mechanism with solid security and excellent recognition performance is crucial to ensuring that the proliferation of biometric systems into nearly every facet of life continues.
Types of Biometric Template Protection Schemes
Here’s a look at some of the most popular approaches to securing biometric system templates and template databases.
Salting
Salting, also referred to as biohashing, is a protection method whereby biometric features are transformed through a function that’s defined by a password or user-specific key. Since the transformation in salting is invertible, the key must be either stored securely or recalled from memory by the user during authentication.
The additional information (a key in this case) increases the biometric template’s entropy and makes it extremely difficult for an attacker to guess the template. The key reduces false accept rates. And because the key is specific to a user, multiple templates can be generated using different keys for the same user biometric. In the event that a template is compromised, the template can be revoked and replaced with a new one that uses a different key.
Salting has some drawbacks too though. If the key is compromised, the user template itself isn’t secure thanks to the invertible transformation. An adversary can therefore use this as an avenue to recover the original template. Another disadvantage is that salting can degrade recognition performance where there are large intra-user variations since matching occurs in the transformed domain.
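The two properties just described, revocability with a new key and full recovery of the original template once the key leaks, can be seen in a small sketch. This is an added example, not code from the original post; the keyed permute-and-XOR transform, the key names and the 128-bit binary template are assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

def keystream_bits(key, n):
    """Expand the user key into n pseudo-random bits (HMAC-SHA256, counter mode)."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n]

def permutation(key, n):
    """Key-derived reordering of bit positions (random.Random is for illustration only)."""
    order = list(range(n))
    random.Random(hmac.new(key, b"perm", hashlib.sha256).digest()).shuffle(order)
    return order

def salt(template, key):
    """Protected template: permute the bit positions, then XOR with the keystream."""
    perm, ks = permutation(key, len(template)), keystream_bits(key, len(template))
    return [template[p] ^ k for p, k in zip(perm, ks)]

def unsalt(protected, key):
    """Inverse of salt(): anyone holding the key can undo the transformation."""
    perm, ks = permutation(key, len(protected)), keystream_bits(key, len(protected))
    original = [0] * len(protected)
    for i, p in enumerate(perm):
        original[p] = protected[i] ^ ks[i]
    return original

def hamming(a, b):
    """Number of differing bits; the matcher compares this against a threshold."""
    return sum(x != y for x, y in zip(a, b))

# Constructed sample data: a 128-bit binary template and a noisy re-capture of it.
rng = random.Random(7)
ENROLLED = [rng.randint(0, 1) for _ in range(128)]
QUERY = ENROLLED.copy()
for i in (3, 40, 77, 101):          # four bits of sensor noise
    QUERY[i] ^= 1
KEY_V1, KEY_V2 = b"user-key-v1", b"user-key-v2"   # hypothetical user-specific keys

if __name__ == "__main__":
    stored = salt(ENROLLED, KEY_V1)
    print("distance in transformed domain:", hamming(stored, salt(QUERY, KEY_V1)))
    print("reissued template differs:", stored != salt(ENROLLED, KEY_V2))
    print("key holder recovers original:", unsalt(stored, KEY_V1) == ENROLLED)
```

Because the same key is applied to both the stored and the query template, matching works directly on the protected values, which is why the key has to be guarded as carefully as the template itself.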
Non-Invertible Transform
As the name suggests, this type of protection entails securing the template by applying a transformation function to it that’s non-invertible. Non-invertible means it’s a one-way function that’s easily computed but is statistically difficult to invert. The parameters of the function are based on a key that has to be available during authentication to transform the query feature set.
The defining benefit of non-invertible transform is that even in instances where the transformed template and/or key are exposed, it’s hard (in brute force terms) for an adversary to reconstitute the original template. It therefore provides better security than salting. The transform also allows the realization of revocability and diversity using user-specific and application-specific transformation functions.
The main disadvantage of non-invertible transform is the trade-off between non-invertibility and discriminability. It’s difficult to design transformation functions that satisfy these two conditions at the same time, i.e. functions that make it hard for an adversary to obtain the original feature set or a close approximation of it while also preserving the discriminability of the feature set.
Key Binding
Here, the template is secured by binding it with a key inside a cryptographic framework. A single object that embeds both template and key is stored as helper data in the database. The helper data doesn’t divulge significant information about the template or the key thus making it hard to computationally decode the template or key without using the biometric data.
Often, helper data combines the biometric template and a key-derived error-correcting codeword. If a biometric input differs from the biometric template within a certain tolerance, a codeword with a similar amount of error is recovered, and decoding it retrieves the precise codeword and thus the embedded key. Key recovery implies successful matching.
Tolerance for intra-user variation is the primary advantage of key binding protection schemes. On the other hand, key binding may cause lower matching accuracy, is restricted in revocability and diversity, and requires that the helper data is meticulously designed.
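The sketch below shows key binding in the form of a fuzzy commitment: the helper data is the template XORed with an error-correcting codeword derived from the key, and a hash of the key confirms a successful release. It is an added example, not code from the original post; the 5x repetition code, the 16-bit key and the function names are assumptions, and real deployments use far longer keys and stronger codes.

```python
import hashlib
import random

REP = 5  # each key bit is repeated 5 times, so up to 2 flipped bits per group are corrected

def ecc_encode(key_bits):
    """Repetition code: the error-correcting codeword derived from the key."""
    return [b for b in key_bits for _ in range(REP)]

def ecc_decode(codeword):
    """Majority vote inside each group of REP bits."""
    return [int(sum(codeword[i:i + REP]) > REP // 2)
            for i in range(0, len(codeword), REP)]

def digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def bind(template, key_bits):
    """Enrollment: store helper data (template XOR codeword) and a hash of the key."""
    helper = [t ^ c for t, c in zip(template, ecc_encode(key_bits))]
    return helper, digest(key_bits)

def release(query, helper, key_hash):
    """Authentication: a query within tolerance yields the key, anything else None."""
    noisy_codeword = [q ^ h for q, h in zip(query, helper)]
    candidate = ecc_decode(noisy_codeword)
    return candidate if digest(candidate) == key_hash else None

# Constructed sample data: a 16-bit key bound to an 80-bit binary template.
rng = random.Random(2024)
KEY = [rng.randint(0, 1) for _ in range(16)]
TEMPLATE = [rng.randint(0, 1) for _ in range(16 * REP)]
HELPER, KEY_HASH = bind(TEMPLATE, KEY)

GENUINE = TEMPLATE.copy()
for i in (0, 1, 12, 33, 34, 79):    # never more than 2 flips in one 5-bit group
    GENUINE[i] ^= 1
OUT_OF_TOLERANCE = TEMPLATE.copy()
for i in (0, 1, 2):                 # 3 flips in the first group exceed the tolerance
    OUT_OF_TOLERANCE[i] ^= 1

if __name__ == "__main__":
    print("genuine query releases key:", release(GENUINE, HELPER, KEY_HASH) == KEY)
    print("out-of-tolerance query:", release(OUT_OF_TOLERANCE, HELPER, KEY_HASH))
```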
Key Generation
Direct key generation from biometric information seems like a natural, practical proposition. However, the intra-user variability is a major impediment. Early key generation cryptosystems relied on user-centered quantization. Quantization information is kept as helper data that’s leveraged during authentication to accommodate intra-user variation.
More recently, key generation schemes adopted fuzzy extractor and secure sketch concepts. The fuzzy extractor generates a key from biometric features while the secure sketch is helper data that exposes only a tiny amount of information about the template. Nevertheless, key generation’s main drawback is the difficulty in generating a cryptographic key with high entropy and stability.
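A simplified illustration of quantization with helper data follows: each enrolled feature gets a stored offset that moves it to the centre of its quantization bin, so a later capture that drifts by less than half a bin regenerates the same key. This is an added example, not code from the original post; the bin width, the feature values and the function names are assumptions.

```python
import hashlib

STEP = 8.0  # quantization bin width; per-feature drift below STEP / 2 is tolerated

def derive_key(bins):
    """Hash the sequence of bin indices into a fixed-length key."""
    return hashlib.sha256(",".join(map(str, bins)).encode()).hexdigest()

def enroll(features):
    """Return (helper, key). helper[i] shifts feature i to the centre of its bin."""
    helper, bins = [], []
    for x in features:
        b = int(x // STEP)
        centre = b * STEP + STEP / 2
        helper.append(centre - x)   # reveals the position inside the bin, not the bin index
        bins.append(b)
    return helper, derive_key(bins)

def regenerate(features, helper):
    """Apply the stored offsets to a fresh capture and re-quantize."""
    bins = [int((x + h) // STEP) for x, h in zip(features, helper)]
    return derive_key(bins)

# Constructed sample data: four real-valued features per capture.
ENROLLED = [12.3, 47.9, 5.0, 30.2]
SAME_USER = [14.4, 44.9, 6.5, 29.5]      # every feature drifts by less than STEP / 2
LARGE_DRIFT = [17.3, 47.9, 5.0, 30.2]    # first feature drifts by 5.0, past the bin edge
OTHER_USER = [80.1, 3.3, 61.0, 18.8]

HELPER, KEY = enroll(ENROLLED)

if __name__ == "__main__":
    print("same user, small drift:", regenerate(SAME_USER, HELPER) == KEY)
    print("same user, large drift:", regenerate(LARGE_DRIFT, HELPER) == KEY)
    print("other user:", regenerate(OTHER_USER, HELPER) == KEY)
```

The key depends only on the bin indices, so its entropy is bounded by how many bins each feature can realistically fall into, which is the entropy-versus-stability difficulty noted above.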
Note that you don’t have to have just one type of template protection in a biometric system. It’s possible and advisable to combine more than one approach to create a hybrid scheme. That way, in the event that one mode of template protection succumbs to an adversary, they’ll still be faced with the near impossibility of surmounting the rest as well.