Improving security and privacy in biometric systems

  1. Gómez Barrero, Marta
Supervised by:
  1. Javier Galbally Herrero, Supervisor

Defending university: Universidad Autónoma de Madrid

Date of defence: 2 June 2016

Examining committee:
  1. Francisco Javier Ortega Rodríguez, Chair
  2. Pablo Varona, Secretary
  3. Christoph Busch, Member
  4. Fernando Pérez González, Member
  5. Julien Bringer, Member

Type: Thesis

Abstract

The achievement of perfect security is out of the question. Even if we are not yet aware of them, every security-oriented technology has weaknesses that attackers can exploit in order to circumvent the system. We should hence direct our efforts towards developing applications whose security level makes it infeasible for computationally bounded attackers to break them. This Thesis is focused on improving the security and privacy provided by biometric systems. With the increased need for reliable and automatic identity verification, biometrics have emerged in the last decades as a compelling alternative to traditional authentication methods. Certainly, biometrics are very attractive and useful for the general public: forget about PINs and passwords, you are your own key. However, the wide deployment of biometric recognition systems in both large-scale applications (e.g., border management at European level or national identity systems) and everyday tasks (e.g., smartphone or PC access) has raised some concerns regarding the use and storage of such sensitive data. Therefore, understanding the threats that can affect those systems and analysing to what extent the subject's privacy is protected is of the utmost importance. In this context, the present PhD Thesis aims to shed some light on the difficult problem of security and privacy evaluation of biometric systems. To that end, a systematic analysis of the privacy provided by unprotected templates is carried out, new biometric template protection schemes are proposed to deal with the privacy issues unveiled, and their robustness to the aforementioned privacy threats is thoroughly assessed. In this way, the experimental studies presented in this Dissertation can help to further develop the ongoing standardization efforts on the assessment of template protection schemes.

The Thesis has been developed following the security through transparency principle, which has been widely applied in other security-related areas such as cryptography. This paradigm relies on the fact that vulnerabilities exist regardless of their publication, and therefore argues for making security systems as public as possible instead of keeping algorithms secret. This does not mean that obscurity cannot provide any protection. However, such protection is in most cases only temporary. We should do our best to find threats and propose solutions to mitigate their effects. We believe that in order to guarantee the privacy protection that subjects are entitled to, it is necessary to understand and assess the threats, and to publicly report quantitative analyses of their impact on the subject's privacy, so that effective countermeasures can be developed. Such privacy issues have already been acknowledged within the biometric community, and numerous biometric template protection schemes have been proposed to tackle them. However, in most cases, thorough evaluations of the security and privacy provided by those systems are not carried out. In this Dissertation, after summarizing the most relevant works related to the Thesis, we describe the privacy and security evaluation methodology that has been followed throughout the experimental chapters. These are dedicated to: i) the evaluation of unprotected templates and ii) the proposal and evaluation of biometric and multi-biometric template protection schemes, focusing on face, iris, fingerprint, hand shape, finger vein and on-line signature, using publicly available biometric data and benchmarks in order to contribute to reproducible research.

The experimental part of the Thesis starts with the security and privacy evaluation of unprotected biometric systems. To that end, the irreversibility of the templates is analysed by posing the following question: starting from the information stored in the template, are we able to reconstruct synthetic samples that are positively matched to the stored references? To answer that question, we develop and implement two inverse biometric methods and use the reconstructed samples to launch attacks. Experiments show that it is indeed possible to fool hand shape and iris based systems with those reconstructed images.

To address the privacy concerns raised by the previous study, we then propose a general framework for biometric and multi-biometric template protection based on Bloom filters. The proposed scheme not only prevents the reconstruction of synthetic biometric samples, but also deals with a second set of questions on privacy protection: can someone track my activities across different biometric verification systems? What if, for instance, my face based template is compromised: will I never be able to enrol in a system with my face again? A thorough experimental evaluation of face, iris, fingerprint and finger vein verification systems shows that the proposed scheme is able to protect the privacy of the subjects, even when the secret keys are compromised and available to a potential attacker. Furthermore, the scheme is robust to attacks based on known weaknesses of the underlying algorithms, while preserving verification accuracy and speed.

Finally, as an alternative to the aforementioned scheme, we present a general framework for biometric and multi-biometric template protection based on Homomorphic Encryption. The security and privacy of the scheme are evaluated in an analogous manner for fingerprint and on-line signature verification, proving that the encrypted templates and all the operations carried out in the encrypted domain reveal no information about the underlying biometric data. Moreover, verification accuracy in the encrypted domain is equivalent to that achieved in the unprotected domain, and a similar verification speed can be achieved using fixed-length templates.

The research work described in this Dissertation has led to novel contributions, which include the development of: i) a general framework for the security and privacy evaluation of biometric systems and, in particular, for the unlinkability analysis of biometric templates; ii) two new methods to reverse engineer unprotected biometric templates; iii) a new biometric and multi-biometric template protection scheme based on Bloom filters; and iv) a new biometric and multi-biometric template protection scheme based on Homomorphic Encryption. Moreover, several original experimental studies have been carried out during the development of the Thesis. In addition, the research work completed throughout the Thesis has been complemented with several novel literature reviews and the improvement of current signature verification systems.
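As an added illustration, not code from the thesis, the sketch below implements a simplified Bloom-filter template protection of the kind the abstract describes: binary feature columns are relabelled with an application-specific key and folded into per-block Bloom filters, so column order is lost (irreversibility) and templates protected under different keys do not match each other (unlinkability). All templates are constructed at random, and the parameters n_bits, n_words and the per-block XOR keying are assumptions of this example, not the thesis's settings.

```python
import random
from typing import Dict, List


def bloom_filters(columns: List[int], n_bits: int, n_words: int, keys: List[int]) -> List[int]:
    """Split the template (a list of n_bits-bit column codewords) into blocks of
    n_words columns. Each column is XORed with its block's key word and sets one
    bit of that block's 2**n_bits-bit Bloom filter (held in a Python int).
    Column order and repeated codewords are lost: many templates map to one filter."""
    mask = (1 << n_bits) - 1
    filters = []
    for blk, start in enumerate(range(0, len(columns), n_words)):
        bf = 0
        for c in columns[start:start + n_words]:
            bf |= 1 << ((c ^ keys[blk]) & mask)
        filters.append(bf)
    return filters


def dissimilarity(f1: List[int], f2: List[int]) -> float:
    """Mean over blocks of |F1 xor F2| / (|F1| + |F2|); 0.0 means identical filters."""
    scores = []
    for a, b in zip(f1, f2):
        pa, pb = bin(a).count("1"), bin(b).count("1")
        scores.append(bin(a ^ b).count("1") / (pa + pb) if pa + pb else 0.0)
    return sum(scores) / len(scores)


def demo(n_bits: int = 8, n_words: int = 32, n_blocks: int = 8, seed: int = 7) -> Dict[str, float]:
    """Constructed data: random codewords stand in for real iris or face feature bits."""
    rng = random.Random(seed)
    n_cols = n_words * n_blocks
    subject_a = [rng.randrange(1 << n_bits) for _ in range(n_cols)]
    subject_b = [rng.randrange(1 << n_bits) for _ in range(n_cols)]
    probe_a = list(subject_a)                      # second capture of subject A:
    for _ in range(20):                            # flip 20 bits as acquisition noise
        probe_a[rng.randrange(n_cols)] ^= 1 << rng.randrange(n_bits)
    key1 = [rng.randrange(1 << n_bits) for _ in range(n_blocks)]   # application 1
    key2 = [rng.randrange(1 << n_bits) for _ in range(n_blocks)]   # application 2
    ref_a1 = bloom_filters(subject_a, n_bits, n_words, key1)
    block0 = subject_a[:n_words]                   # reordering columns within a block
    rng.shuffle(block0)                            # must give the same protected template
    shuffled = block0 + subject_a[n_words:]
    return {
        "mated_same_key": dissimilarity(ref_a1, bloom_filters(probe_a, n_bits, n_words, key1)),
        "nonmated_same_key": dissimilarity(ref_a1, bloom_filters(subject_b, n_bits, n_words, key1)),
        "same_subject_other_key": dissimilarity(ref_a1, bloom_filters(subject_a, n_bits, n_words, key2)),
        "shuffled_identical": float(bloom_filters(shuffled, n_bits, n_words, key1) == ref_a1),
    }
```

With this plain XOR keying, a party holding both application keys can undo the relabelling and realign the two filters, which is exactly why the abstract's evaluation under compromised keys matters for any deployable scheme.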