Presentation Outline
1.
2.
3.
4.
5.
6.
7.
Biometrics
Automatic systems that use measurable,
physical or physiological characteristics or
behavioural traits to identify or verify an
individual.
Fingerprints, face, iris, finger/palm veins, voice,
hand/finger geometry, retina, dynamic signature,
keystroke dynamics, gait, palmprints, ECG, DNA (in
the future)
Jain et al, 2008
Retina
Keystroke dynamics
Jain et al, 2004
Finger veins
Hitachi, 2006
Biometric Applications
Forensic applications (Criminal
investigation; Crime prevention; Remains
identification; Parenthood determination)
Governmental applications (National ID;
Driver's license; Border crossing; Terrorist
watchlists; Welfare; Casinos; Access
control)
Military applications (Identifying insurgents
in Iraq and Afghanistan war zones using
portable fingerprint, face and iris scan)
Enterprise applications (Access control;
Time/attendance control; Biometric logon)
Privacy 101:
Fair Information Practices
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure,
Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
Privacy Security
Prevailing Model:
Privacy vs. Security: A Zero-Sum Game
Privacy-Enhancing Technologies
(PETs)
PETs empower individuals to manage their own identities
and personally-identifiable information (PII).
PETs express fair information principles by:
1.
2.
3.
Privacy by Design
1. Proactive not Reactive; Preventative not
Remedial
2. Privacy as the Default
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not
Zero-Sum
5. End-to-End Lifecycle Protection
6. Visibility and Transparency
7. Respect for User Privacy
Function creep
Linkage of the databases
Expanded surveillance, discrimination
Negative impacts of errors, false matches, etc.
Diminished oversight
Absence of individual knowledge or consent
Loss of personal control
Misuse of data (data breach, ID fraud, theft)
Loss of user confidence, acceptance, trust, & use
Spoofing
Replay attacks
Substitution attack
Tampering
Masquerade attack
Trojan horse attacks
Overriding Yes/No response
Insufficient accuracy
Fingerprint minutiae
Adler, 2004
Minutiae standards
ANSI-INCITS 378-2004, Information Technology
Finger Minutiae Format for Data Interchange, 2004.
ISO/IEC 19794-2:2005, Information Technology
Biometric Data Interchange Formats, Part 2: Finger
Minutiae Data, 2005.
Basic minutiae information (coordinates, angles, and
types) is always stored; extended data are allowed.
Minutiae template
Original image
Reconstructed image
Adapted from P. Mohanty, S. Sarkar, and R. Kasturi, Privacy and security issues related
to match scores, in IEEE Workshop on Privacy Research In Vision, CVPRW, 2006.
Match-on-Card
Matching in encrypted domain (e.g., via
homomorphic encryption)
Untraceable Biometrics
Class of emerging technologies that
seek to irreversibly transform the
biometric data provided by the user
Untraceable Biometrics
no storage of biometric image or conventional
biometric template;
the original biometric image/template cannot be
recreated from the stored information, i.e. it is
untraceable;
a large number of untraceable templates for the same
biometric can be created for different applications;
the untraceable templates from different applications
cannot be linked;
the untraceable template can be changed or
cancelled.
Untraceable Biometrics:
Biometric Encryption (BE)
Cancellable Biometrics (CB)
Figure: BE binding. The key 0101100101... and the biometric template 100110100010010... (extracted from the biometric image) enter the BE binding algorithm; the resulting biometrically-encrypted key 110011001011...110 is stored.
Figure: BE retrieval (verification). The stored biometrically-encrypted key 110011001011...110 and a fresh biometric template 101100101010000... enter the BE retrieval algorithm; the key 0101100101... is retrieved.
Binding (enrolment):
Biometric template: 100110100010010...
140-bit key: 0101100101...
Map the key to a 2048-bit Error Correcting Code (ECC) codeword: 010101101001...100
XOR the codeword with the template: 110011001011...110
Store the result as a biometrically-encrypted key
Retrieval (verification):
Fresh biometric template: 101100101010000...
Retrieve the biometrically-encrypted key: 110011001011...110
XOR the fresh template with it: 011111100001...110
If the number of errors is within the ECC bound, the ECC will
decode the correct 140-bit key: 0101100101...
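A scaled-down, runnable version of the binding and retrieval steps above, added here as an illustration (not code from the slides or the IPC): a repetition code stands in for the 2048-bit ECC, the 140-bit key shrinks to 20 bits, and the templates are constructed random bit strings.

```python
import random

REPEAT = 7  # toy ECC: each key bit repeated 7 times, so up to 3 flips per group are corrected


def ecc_encode(key_bits):
    """Map key bits to a codeword (stand-in for the slides' 2048-bit ECC codeword)."""
    return [b for b in key_bits for _ in range(REPEAT)]


def ecc_decode(codeword):
    """Majority vote within each group of REPEAT bits recovers one key bit."""
    groups = (codeword[i:i + REPEAT] for i in range(0, len(codeword), REPEAT))
    return [1 if sum(g) > REPEAT // 2 else 0 for g in groups]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def be_bind(key_bits, template_bits):
    """Enrolment: helper data = codeword XOR template; neither operand is stored."""
    codeword = ecc_encode(key_bits)
    if len(codeword) != len(template_bits):
        raise ValueError("template length must equal codeword length")
    return xor(codeword, template_bits)


def be_retrieve(helper_data, fresh_template_bits):
    """Verification: XOR the fresh sample into the helper data, then ECC-decode."""
    return ecc_decode(xor(helper_data, fresh_template_bits))


def flip_bits(bits, positions):
    """Simulate natural biometric variation by flipping the given bit positions."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def demo(key_len=20, seed=1):
    """Constructed run: a genuine sample within the ECC bound, and one group over it."""
    rng = random.Random(seed)
    key = [rng.randint(0, 1) for _ in range(key_len)]
    template = [rng.randint(0, 1) for _ in range(key_len * REPEAT)]
    helper = be_bind(key, template)
    # 3 errors anywhere: no group exceeds 3 flips, so the key is recovered exactly.
    genuine = flip_bits(template, rng.sample(range(len(template)), 3))
    # 4 flips inside the first group exceed the bound: key bit 0 decodes wrongly.
    too_noisy = flip_bits(template, [0, 1, 2, 3])
    return {
        "key": key,
        "genuine_ok": be_retrieve(helper, genuine) == key,
        "too_noisy_key": be_retrieve(helper, too_noisy),
    }
```

The helper data alone is a codeword masked by the template, so the key is only recoverable by presenting a template close enough to the enrolled one.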
BE technological challenges
Make the number of bit errors for a legitimate user
as low as possible (accommodate natural variations
of biometrics);
Make FAR as low as possible;
Design a powerful, efficient, and secure Error
Correcting Code;
Make the biometrically-encrypted key (also called
helper data) resilient against attacks;
Develop BE applications.
Advantages of
Biometric Encryption
BE technologies can enhance both privacy and security:
1. NO retention of biometric image or template
2. Multiple / cancellable / revocable identifiers
3. Improved security of personal data and
communications
4. Greater public confidence, acceptance, and use; greater
compliance with privacy & data protection laws
5. Suitable for large-scale applications
Advantages of
Biometric Encryption (contd)
6.
Core BE technologies
Possible Applications
and Uses of Biometric Encryption
Cancellable Biometrics
CB technologies apply a secret transform to the
biometric;
the transform can be invertible or not;
both the transformed template and the secret
transform are stored;
on verification, the same transform is applied to a
fresh biometric sample, and two transformed
templates are matched;
the output of CB verification is a Yes/No response.
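An added toy model of the CB flow just listed (not code from the slides or any vendor): the secret transform is a bit permutation plus an XOR mask, the 140-bit template size and the Hamming threshold of 20 are assumed tuning values, and all templates are constructed.

```python
import random

TEMPLATE_BITS = 140   # constructed template size (assumption)
THRESHOLD = 20        # max Hamming distance accepted as a genuine match (assumption)


def new_transform(rng, n=TEMPLATE_BITS):
    """Secret transform for one application: a bit permutation plus a random XOR mask."""
    perm = list(range(n))
    rng.shuffle(perm)
    mask = [rng.randint(0, 1) for _ in range(n)]
    return perm, mask


def apply_transform(template, transform):
    """Produce the cancellable template; the transform itself is stored alongside it."""
    perm, mask = transform
    return [template[p] ^ m for p, m in zip(perm, mask)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def cb_verify(stored, transform, fresh_template):
    """Yes/No decision: transform the fresh sample with the same secret and compare."""
    return hamming(stored, apply_transform(fresh_template, transform)) <= THRESHOLD


def flip_bits(bits, positions):
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def demo(seed=7):
    """Constructed run: genuine match, impostor, unlinkability, and a revoked transform."""
    rng = random.Random(seed)
    template = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    t_app1, t_app2 = new_transform(rng), new_transform(rng)   # two applications
    stored1, stored2 = apply_transform(template, t_app1), apply_transform(template, t_app2)
    genuine = flip_bits(template, rng.sample(range(TEMPLATE_BITS), 10))  # 10 flips < THRESHOLD
    impostor = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    return {
        "genuine_accepted": cb_verify(stored1, t_app1, genuine),
        "impostor_accepted": cb_verify(stored1, t_app1, impostor),
        "cross_app_distance": hamming(stored1, stored2),  # same finger, unrelated-looking templates
        "wrong_transform_accepted": cb_verify(stored2, t_app1, genuine),  # old transform no longer works
    }
```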
Cancellable Biometrics
(Morpho)
Match-on-Card with BE
The outcome
Live field test at Woodbine facilities: Correct
Identification Rate (CIR) is 91% without BE
and 90% with BE: negligible accuracy impact
BE reduces False Acceptance Rate (FAR) by up
to 50% - huge accuracy improvement!
Accuracy exceeds state-of-the-art for facial
recognition
Triple-win: privacy, security, and accuracy
(unexpected) all improved!
Deployed in most Ontario gaming sites by 2012
Galaxy S5
iPhone 5S features
the fingerprint is used for log-on and for payments for
iTunes and Apple store;
equipped with Authentec TouchID capacitive RF sensor;
the sensor is located under the Home button and covered
with a thin sapphire disk;
there is a metal ring around the Home button, which is
an RF antenna/electrode for the Authentec sensor;
there is 360 degrees readability;
it is claimed that there is liveness detection because RF
waves penetrate the sub-epidermal layer, and even that a dead
finger wouldn't work - FALSE;
IPC Publications
Ann Cavoukian and Alex Stoianov, Biometric Encryption: A Positive-Sum
Technology that Achieves Strong Authentication, Security AND Privacy (March
2007) at www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf
Ann Cavoukian, Alex Stoianov, and Fred Carter, Biometric Encryption:
Technology for Strong Authentication, Security AND Privacy. In IFIP, Policies and
Research in Identity Management; Eds. E. de Leeuw, Fischer-Hübner, S., Tseng,
J., Borking, J.; (Boston: Springer), v. 261, pp. 57-77, 2008.
A. Cavoukian and A. Stoianov, Biometric Encryption: The New Breed of
Untraceable Biometrics. Chapter in Boulgouris, N. V., Plataniotis, K. N., Micheli-Tzanakou, E., eds.: Biometrics: fundamentals, theory, and systems. Wiley, London
(2009).
Ann Cavoukian and Alex Stoianov. Biometric Encryption. In Encyclopedia of
Biometrics. Springer, 2009. http://www.ipc.on.ca/images/Resources/bio-encryptchp.pdf
Ann Cavoukian and Max Snijder, The Relevance of Untraceable Biometrics and
Biometric Encryption: A Discussion of Biometrics for Authentication Purposes.
http://www.ipc.on.ca/images/Resources/untraceable-be.pdf
Ann Cavoukian, Fingerprint Biometrics: Address Privacy Before Deployment
(2008). http://www.ipc.on.ca/images/Resources/fingerprint-biosys-priv.pdf
How to Contact Us
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone:
Web:
E-mail:
Additional Slides