Biometrics based Cryptosystem Design - PowerPoint PPT Presentation

1
Biometrics based Cryptosystem Design
By Abhishek Nagar 2001057
  • Under
  • Prof. Santanu Chaudhury
  • Dr. Lipika Dey

2
  • Cryptosystem
  • A mechanism with which one can encode
    information content into an incomprehensible form
    and also recover the original content when
    desired.
  • Biometrics
  • Biometrics is the science and technology of
    authentication (i.e. establishing the identity of
    an individual) by measuring the subject person's
    physiological or behavioral features.

3
Motivation
  • Normally used cryptosystems have a number of
    associated inconveniences and problems such as
  • User needs to remember passwords
  • could be forgotten.
  • User has to carry smart cards
  • could be lost or stolen.
  • Problem of non-repudiation
  • The user who generated the cryptic message can
    easily deny his involvement
  • Biometrics is a solution to these problems

4
Difficulties in using Biometrics
  • Non-repeatability
  • Every time one obtains a biometric, its value is
    not exactly the same as that obtained before.
  • Limited Number
  • Easily Accessible to public

5
Biometric used Feature Extraction
  • Fingerprints are used as a key to our
    cryptosystem
  • Features are extracted using a set of Gabor
    filters applied on all the elements of a
    tessellated fingerprint.

6
Gabor Feature Extraction
  • Reference Point Location
  • Divide the fingerprint image into
    non-overlapping blocks
  • Compute the intensity gradients using the Sobel
    operator
  • Estimate the local orientation as
  • Compute E, an image containing only the sine
    component of O

7
  • Initialize A, a label image used to indicate the
    reference point
  • Find the maximum value in A and assign its
    coordinate to the reference point.
  • Repeat steps by using a window size of w′ × w′,
    where w′ < w, to get a fine estimate
  • The different sizes taken are 5, 10 and 15 pixels

8
  • Sector-Wise Normalization
  • Tessellate fingerprint image into sectors and
    normalize pixels in each sector as
  • Gabor Filters
  • where f is the frequency, and are the
    space constants

9
  • Each sector is filtered using Gabor filters for
    four different values of θ in {0°, 45°, 90°, 135°}
  • the feature value, Viθ, is the average absolute
    deviation from the mean defined as
  • where ni is the number of pixels in Si and Piθ
    is the mean of pixel values of Fiθ(x, y)
  • Finally a feature vector is generated whose
    elements have value in the range 0-255

10
Addressing problems associated with using
biometrics
11
Limited number, Open to public
  • Transform the Biometric Features into a new set
    of features using a Secure Transformation
  • No. of bio-keys = No. of Transformations
  • Added security since transformation function is
    kept secret
  • Secure Transformation should have some desirable
    qualities
  • The range of values of the feature vector
    elements should not vary non-uniformly

12
  • Secure Transformation
  • Transformation matrix is generated using a set of
    random numbers.
  • Feature vector to be transformed is converted to
    matrix form and convolved with the Transformation
    matrix to get the Secure Features.

[Figure labels: Fingerprint Features in Matrix Form, Random Kernel, Secure Fingerprint Features]
13
Non-Repeatability
  • Usual cryptosystems fail with biometrics since
    each time one obtains a biometric, its value is
    not exactly the same as that obtained before.
  • There is a high probability that a person is not
    able to decipher the message encrypted using
    biometrics
  • A Modified Fuzzy Vault Scheme is used instead of
    a usual cryptosystem.

14
Modified Fuzzy Vault Scheme
  • Fuzzy Vault
  • A secret message M is encrypted into a fuzzy
    vault V using other data A
  • M can be decrypted using data B
    sufficiently close to A
  • Creation of Fuzzy Vault
  • The secret message M is the Document of length
    k.
  • Data A is the biometric template.

15
  • M is encoded using Reed-Solomon codes to
    C of length n = 2^t - 1
  • RS codes have error correcting capacity of
    (n-k)/2 where k is the length of M
  • n triplets are formed such that a randomly chosen
    position (1, 2 or 3), say Position(i), of the ith
    triplet is the ith number from code C and the
    other two numbers are randomly chosen.
  • Call these triplets Locking Set 1
  • Another n triplets are formed such that
  • the ith triplet contains the ith biometric element
    at Position(i)
  • The other two elements are such that they form an
    arithmetic progression with distance = FV_tolerance
  • Call it Locking Set 2

16
  • Unlocking the Fuzzy Vault
  • Using the biometric, find the Position(i)
  • Position(i) is the position of the element in ith
    triplet in Locking Set 2 which is closest to ith
    biometric element
  • Find value at Position(i) in the Locking Set 1,
    this should be the ith value of the Reed-Solomon
    code.
  • Decode the Reed-Solomon code to obtain the
    message.
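
The locking and unlocking steps above, as an added Python sketch (not the presentation's MATLAB code). Reed-Solomon coding is left out: the codeword is a constructed stand-in and the sketch only counts symbol errors against the (n-k)/2 capacity; all names and sample values are assumptions.

```python
import random

def lock(codeword, biometric, tol, rng):
    """Slide 15: build Locking Set 1 (code symbols) and Locking Set 2 (biometric)."""
    set1, set2 = [], []
    for c, b in zip(codeword, biometric):
        pos = rng.randrange(3)                      # secret Position(i), 0-based here
        chaff = [v for v in range(256) if v != c]   # assumption: chaff never equals c
        trip = [rng.choice(chaff) for _ in range(3)]
        trip[pos] = c                               # real code symbol at Position(i)
        set1.append(tuple(trip))
        # Arithmetic progression with common difference tol; b sits at Position(i).
        set2.append(tuple(b + (j - pos) * tol for j in range(3)))
    return set1, set2

def unlock(set1, set2, reading):
    """Slide 16: the Locking Set 2 slot nearest the fresh reading gives Position(i)."""
    symbols = []
    for t1, t2, q in zip(set1, set2, reading):
        pos = min(range(3), key=lambda j: abs(t2[j] - q))
        symbols.append(t1[pos])
    return symbols

def decodable(recovered, codeword, k):
    """Count symbol errors and compare them with the RS capacity (n - k) / 2."""
    errors = sum(r != c for r, c in zip(recovered, codeword))
    return errors <= (len(codeword) - k) // 2, errors

# Constructed sample data (a real vault would hold a 255-symbol RS codeword).
CODEWORD = [72, 105, 33, 17, 200, 9, 143]   # stand-in values, treated as n = 7, k = 3
ENROLLED = [120, 64, 201, 33, 90, 178, 15]  # enrolled feature values, 0-255
NOISE = [3, -2, 0, 1, -3, 2, -1]            # sensor noise, below TOL / 2
TOL = 8                                     # FV_tolerance

def demo(bad):
    """Unlock with a genuine reading, then with `bad` readings pushed onto a wrong slot."""
    set1, set2 = lock(CODEWORD, ENROLLED, TOL, random.Random(1))
    genuine = [b + d for b, d in zip(ENROLLED, NOISE)]
    burst = [t2[(t2.index(b) + 1) % 3] if i < bad else g
             for i, (t2, b, g) in enumerate(zip(set2, ENROLLED, genuine))]
    return (decodable(unlock(set1, set2, genuine), CODEWORD, 3),
            decodable(unlock(set1, set2, burst), CODEWORD, 3))
```

The sketch does not wrap or clamp Locking Set 2 values to 0-255; the slides do not say how elements near the ends of the range are handled.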

17
Non-Repudiability
  • Since the Fuzzy Vault is a symmetric cryptosystem,
    the encryption key is the same as the decryption key.
  • This causes a setback in terms of non-repudiability
  • Solution
  • Encryption module has its own set of encryption
    and decryption keys.
  • Created Fuzzy Vault is encrypted by the module
    whose decryption key is made public.
  • No possibility of creation of fuzzy vault outside
    Encryption Module using the key.

18
Invariant Features
  • Invariant feature I of data d for a
    transformation T is the feature such that
  • Invariant features are used instead of
    biometrics.
  • Transformed biometric is sent
  • Actual biometric is secure
  • Same key serves for different cryptosystems by
    changing the set of Invariants.
  • Key to hierarchical security

19
  • Permutation used as Transformation
  • Values of elements are not changed
  • Invariant Feature is the increasing order of the
    feature elements
  • Hierarchical Security
  • Message can be encoded with different security
    levels
  • Receivers with a key for security level higher
    than the encryption security are able to decode.
  • Implemented by doing binary subdivision of the
    Secure Feature and evaluating Invariant Features
    for each division.
  • Increasing order of first 2k permuted elements is
    same as increasing order of join of first k
    permuted elements and next k permuted elements.

20
Complete System Design
  • The complete system is implemented in MATLAB.

21
  • System Initialization
  • Each Module is initialized with its RSA keys and
    Field and is added to the Server.
  • Decryption key and Field are registered with
    server
  • Each user is added to a module
  • The user's Secure Transformation and Identity are
    registered with the module.

22
  • Document Sending
  • Calculate Gabor Features of the fingerprint
  • Transform the Fingerprint Features to get Secure
    Fingerprint Features
  • Randomly generate an RSA cryptosystem (32 bit in
    our case) having
  • Field n
  • Encryption Key e
  • Decryption Key d
  • Divide the document into chunks of appropriate
    length (2 in our case) such that the numeric
    equivalent of each chunk is less than n for the
    encryption to work properly. Pad the message if
    required.
  • Encrypt the document using e

23
  • Each digit of the number d is considered as an
    8-bit character to be secured in the fuzzy vault
  • Append random digits to d such that its length
    becomes 255 - 2 × Permissible_Error
  • Find the invariant features corresponding to the
    desired security level to create Modified Fuzzy
    Vault
  • Encrypt Modified Fuzzy Vault using Module
    Encryption Key
  • Send the Encrypted Modified Fuzzy Vault, the
    Encrypted Document, Security Level, Module Id,
    User identity, the padded values, n and the
    length of d

24
Encryption
25
  • Document Receiving
  • Find the invariant features corresponding to the
    Security Level
  • Decrypt the Modified Fuzzy Vault using module
    Decryption Key
  • Open the Modified Fuzzy Vault using the invariant
    features to get d
  • Obtain the actual d taking only the first desired
    digits
  • Decrypt the Document using n and d to get the
    Document

26
Decryption
[Diagram labels: KEY, Invariant Feature, Invariant Extraction, Document key, Modified Fuzzy Vault Decryption Algorithm, Encrypted Fuzzy Vault, Fuzzy Vault, Module Encryption]
27
Results obtained using this cryptosystem
FAR and FRR for Modified Fuzzy Vault
28
Drawback in the proposed system
  • The implementation of the previous cryptosystem
    required a special network of modules for
    implementing the final step in the encryption
    stage, the Module Encryption step.
  • The role of module encryption step was to ensure
    that the message was sent using a legitimate
    fingerprint extracted from a person and not using
    the decryption key held with one of the receivers.

29
Proposal for improvement
  • Some other validation information can be attached
    to the system instead of encryption of the Fuzzy
    Vault in the module encryption step.
  • The validation information should involve use of
    a secret biometric feature to implement security.
  • Verification of the validation information should
    be asymmetric.

30
Stable Biometric Features
  • Description (not definition)
  • Biometric features whose values change very
    infrequently among multiple prints of a finger
  • Deformation Invariant Features vs. Stable
    Features: since biometrics are prone to burst
    errors in addition to noise and other
    deformations due to unavoidable conditions,
    deformation (linear and non-linear) invariant
    features alone won't suffice to implement
    total invariance.

32
Stable Feature Extraction
  • Element by element quantization
  • Using the error correcting codes to counter burst
    errors.

33
Element by element quantization
  • n (10-15) sample features from prints of the same
    finger are taken at the registration step
  • Mean and variance of each feature element are
    calculated over the samples
  • Lower and upper bounds on the variance are set to
    take care of extreme situations
  • Clustering of the samples could also be done to
    handle the burst errors as error-free samples
    would cluster out

34
  • The possible range of feature values, i.e. 0-255,
    is divided into blocks of width 6σ such that the
    mean is at the center of a block.
  • Any value of a particular feature element is
    quantized to the center of the block in which it
    lies.
  • The block-length of each division of the
    range (0-255) for each element and the offset of
    the first block from 0 are made public for
    quantization.
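
An added Python sketch of the element-by-element quantization described above, not the presentation's own code. The variance bounds (expressed here as bounds on σ), the five-print enrollment set and all names are assumptions.

```python
import math
import statistics

SIGMA_MIN, SIGMA_MAX = 1.0, 10.0   # assumed bounds; the slides give no values

def enroll(samples):
    """Return the public helper data: one (block width, first-block offset) per element."""
    helper = []
    for column in zip(*samples):
        mean = statistics.fmean(column)
        sigma = min(max(statistics.pstdev(column), SIGMA_MIN), SIGMA_MAX)
        width = 6 * sigma
        offset = (mean - width / 2) % width     # puts the mean at a block centre
        helper.append((width, offset))
    return helper

def quantize(features, helper):
    """Snap each element to the centre of the block it falls in."""
    out = []
    for x, (width, offset) in zip(features, helper):
        block = math.floor((x - offset) / width)
        out.append(round(offset + (block + 0.5) * width, 6))
    return out

# Constructed enrollment set: 5 prints, 3 feature elements each.
# Column 2 never varies (lower bound applies); column 3 varies wildly (upper bound applies).
SAMPLES = [
    [100, 50, 10],
    [102, 50, 60],
    [98, 50, 110],
    [101, 50, 160],
    [99, 50, 210],
]
HELPER = enroll(SAMPLES)
```

Two noisy readings such as `[103, 52, 135]` and `[97, 48, 90]` quantize to the same vector, while a first element of 110 lands one block away. The published offset fixes each enrolled mean modulo its block width, so the helper data narrows every element to roughly 256/width candidate values.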

36
Using Error-correcting codes for stability
  • A new scheme has been designed to utilize the
    error correcting codes for stability
  • The mean vector of the sample features is taken
    as the quantized feature vector.
  • This vector is assumed to be an RS error
    correcting code of a certain desired error
    correcting capability.
  • The vector is decoded to get the message
  • The message is again coded to get the error free
    message.

37
  • Since the range of values is fixed (0-255), a
    cyclic shift map is found from the quantized
    feature vector (mean) to the error free code.
  • The cyclic shift map is made public

38
Extracting the stable feature
  • First the feature vector is quantized using the
    block-length and the offset
  • The quantized feature vector is transformed using
    the cyclic shift map and decoded to get the
    stable feature.

39
The Validation Information
  • The idea is to use the stable biometric as an
    encryption key to an RSA cryptosystem to encode
    the message digest of the document to be sent.
  • The decryption key would be made public so that
    anybody is able to get message digest and the
    receiver can match it with that of the document
    in the fuzzy vault to establish its validity.

40
Issue related to Validation Information
  • Any key of an RSA cryptosystem generated out of
    primes p and q should be coprime to Euler's
    function of pq, i.e. (p-1)(q-1)
  • So, the stable biometric can't be directly used
    as a key.
  • Proposed solution: map the set of stable
    biometrics to the set of possible keys.
  • The numeric representation of the stable
    biometric feature (say a) is mapped to

41
Overall System Working
  • Document Sending
  • The sender creates the previously mentioned
    Modified Fuzzy Vault using cancelable biometric
    to lock the document.
  • Stable features are extracted from a secret
    biometric template and an RSA cryptosystem is
    generated using it as described before.
  • The decryption key is made public and encryption
    key is used to encrypt the message digest of
    document.
  • The Fuzzy Vault and the Validation Information are
    sent along with other necessary identification
    information to the receiver.

42
  • Document Receiving
  • The receiver opens the Fuzzy Vault using the key
    corresponding to the desired security level to
    get the document.
  • Receiver extracts the message digest from the
    Validation Information using the publicly
    available decryption key.
  • He extracts the message digest from the document
    and matches it with that in the Validation
    Information to verify the document.
  • The Validation Information part has been
    implemented in MATLAB and has been tested on data
    from a single fingerprint to give accurate
    results with certain values of constants used.

43
Currently working on
  • Designing a better method for clustering at the
    element-by-element quantization step.
  • Introducing suitable rotation invariance in the
    fingerprint features.
  • Better core-point estimation in a fingerprint for
    better features.

44
Future Work
  • The only thing the user needs to keep on a secure
    system or a smart-card is the convolution kernel
    (Secure Transformation) for generating the
    cancelable biometric. We will try to eliminate
    that as well.
  • More exhaustive analysis of the system and its
    improvement.


46
Thank You