International Symposium on Information Technology 2008 (ITSim'08), KL, Malaysia
Biometric Template Protection Using Watermarking with Hidden Password Encryption Md. Rajibul Islam Multimedia University, Faculty of Information Science and Technology (FIST), Jalan Ayer Keroh lama, 75450 Melaka, Malaysia
[email protected] du.my
Md. Shohel Sayeed Multimedia University, Faculty of Information Science and Technology (FIST), Jalan Ayer Keroh lama, 75450 Melaka, Malaysia
[email protected]
Biometrics supplies the same level of security to all users unlike passwords and is highly challenging to brute force attacks. Identification and authentication refers to two special tasks: finding the identity of a person given the biometric versus verifying the identity given the biometric data and the claimed identity. We offer a biometric authentication scheme in this paper to address the security and privacy concerns. In particular, two biometric features (e.g. fingerprint and palmprint) are combined to obtain a non-unique identifier of the individual and stored as such in a central database. While the combined biometric ID is reducing anxiety of security and privacy and not a unique identifier as well, we show that it can still be used in authenticating a person’s identity. As a particular example, we demonstrate a biometric authentication system that uses two separate biometrics of the same individual to form a combined biometric ID. However, it is now acknowledged that biometric systems are vulnerable to attacks. One of the most solemn attacks is against the stored templates. A stolen biometric template cannot be easily revoked and it may be used in other applications that utilize the same biometric feature.
Abstract For quite a few years the biometric recognition techniques have been developed. Here, we briefly review some of the known attacks that can be encountered by a biometric system and some corresponding protection techniques. We explicitly focus on threats designed to extract information about the original biometric data of an individual from the stored data as well as the entire authentication system. In order to address security and privacy concerns, we present a biometric authentication scheme that uses two separate biometric features combined by watermark embedding with hidden password encryption to obtain a non-unique identifier of the personage. Furthermore, to present the performance of the authentication system we provide experimental results. The transformed features and templates trek through insecure communication line like the Internet or intranet in the client-server environment. Our projected technique causes security against attacks and eavesdropping because the original biometric will not be exposed anywhere in the authentication system.
1. Introduction
A.
Now a day, in traditional verification methods biometric systems propose numerous benefits. It is unfeasible to share and complicated to replicate. Even direct secret observation will not able to obtain Biometric information. It enhances user feasibility by improving the need to memorize long and random passwords. It sentinels against repudiation by the user.
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
Andrews Samraj Multimedia University, Faculty of Information Science and Technology (FIST), Jalan Ayer Keroh lama, 75450 Melaka, Malaysia andrews.samraj@mmu .edu.my
Security Vulnerabilities
To some possible attacks biometric authentication systems may become vulnerable. Some of those security vulnerabilities are presented as follows: Spoofing attacks on the sensor, replay attack on the channel between sensor and matcher, substitute attack on the storage database, tempering on storage database
296
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
and matcher, masquerade attack during verification the channel between sensor and matcher, Trojan horse attack on matcher, overriding attack and yes/no response during decision making after matching and privacy issue During Decision Making after Matching.
user privacy in the whole client-server model of biometric authentication system. Here, user needs to provide two biometric data during each and every authentication session. Hence, sometimes very bothering. Not user - friendly.
B. Sketch of some Biometric Template Security Approaches
2. Proposed Watermarking with Hidden password Encryption (WHPE)
Numerous researchers have proposed some approaches, which are summarized below. Here, a little briefing of their manner, qualities and negative aspects are sketched below. In Encryption [14], Template is encrypted using well-known cryptographic techniques. The main advantage is Matching algorithm and accuracy are unaffected and limitation is Template is exposed during every authentication attempt. One-way function is applied to the biometric features in Non-invertible transform template security approach. The benefit is matcher need not be redesigned since transformation occurs in the same feature space. The weakness is it usually leads to increase in the FRR. In Hardening / Salting [16], User-specific external randomness is added to the biometric features. It increases the entropy of biometric features resulting in low FAR but if the user-specific random information is compromised, there is no gain in entropy. In Secure sketch [12], a sketch is derived from the template; sketch is secure because template can be reconstructed only if a matching biometric query is presented. It is more tolerant to intra-user variations in biometric data; can be used for securing external data such as cryptographic keys. Limitation is template is exposed during successful authentication and Non-uniform nature of biometric data reduces security. A key is derived directly from biometric features in Key generation [13]. It is most efficient and scalable approach. Constraints are tolerance to intra-user variations is limited, resulting in high FRR. Hardened fuzzy vault [15], a hybrid approach where the biometric features are hardened (using password) before a secure sketch (vault) is constructed. Here, hardening increases the entropy thereby improving the vault security; also enhances user privacy but not userfriendly, user needs to provide both the password and the biometric during authentication. In proposed Watermarking with Hidden Password Encryption (WHPE), we present an upgraded approach where two biometric features are synthesized and encrypted with a hidden password which is derived from the biometric classification. The advantage is biometric templates are never exposed anywhere in the biometric system. Thus improves the security of the biometric template and
Our projected scheme consists of four main steps as shown in Figure 1. First of all, performed preprocessing and DWT (Discrete Wavelet Transform) of the fingerprint image to make it prepared for the watermark embedding process. Second step is palmprint classification, so that the system can get a hidden password that we have fixed according to six categories of palmprint. In third step, two different biometric images derived from the same user are applied to the watermark embedding process. The embedded template is then secured by the watermarking based on DWT. Finally, the watermarked template is encrypted using the hidden password derived after palmprint classification from the second step. In this work, we call this approach “Watermarking with Hidden Password Encryption (WHPE)”.
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
A.
Palmprint classification
A novel algorithm for the automatic classification of low-resolution palmprints using principle lines has been proposed by Wu et al [1]. The algorithm has the ability to classify palmprints into six categories according to the number of principal lines and the number of their intersections. The principal lines of the palmprint are identified first using their position and thickness. Then a set of directional line detectors is developed. After that they extract potential beginnings (“line initials”) of the principal lines and then, a recursive process is applied to extract the principal lines in their entirety based on these line initials. The proportions of these six categories (1–6) in the database containing 13,800 samples [2] are 0.36%, 1.23%, 2.83%, 11.81%, 78.12% and 5.65%, respectively. They have shown 96.03% of accuracy to classify palmprints.
B.
Watermarking Algorithm
For watermarking, the fingerprint image is used as the base or the cover image and the palmprint features are used as the watermark [4][5]. These features are the palmprint template obtained by convolving the palmprint image with preprocessing.
297
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
better resistance against attacks on the WHPE template. Moreover, the additional variability introduced by hidden password-based watermark embedding reduces the similarity between WHPE templates of different users. This decreases the False Accept Rate (FAR) of the system significantly. If we imagine client-server structural design for the biometric system where preprocessing, feature extraction and watermark embedding are applied at the client side and hidden password encryption, matching is performed at the server, the server never watch the original template. Only the watermark embedded template would be exposed during successful decryption and the original template is never exposed at the server. Two common methods for cracking a users’ password are, dictionary attacks and social engineering techniques. In the proposed system, hidden password is implicitly verified during authentication by matching the WHPE biometric features. Even if an adversary attempts to guess the hidden password, it is not possible to verify the guess without knowledge of the user’s biometric data. This provides resistance against dictionary attacks to learn the hidden password. However, it is still possible to glean the hidden password through social engineering techniques. Therefore, hidden password based transformation alone is not sufficient to ensure the security of the biometric template. Due to this reason, we use the watermark embedding process to secure the biometric template. Note that the hidden password used in constructing the watermark embedding that secures the transformed template is fixed forever. Therefore, if the hidden password is compromised, the security of the WHPE is not affected and it is computationally hard for an attacker to obtain the original biometric template. Because of the template is however synthesized by watermarking. Finally, the watermarked template is encrypted using a hidden password derived from the palmprint classification. This prevents substitution attacks against the watermarked template because an adversary cannot modify the watermarked template without knowing the hidden password or the key derived from it.
Watermark Embedding Algorithm: Let FPuni be the unique fingerprint image of size s × s and FPdwt (i, j) be the corresponding four level discrete wavelet transformed image, where i = 1,2,3,4 denotes the wavelet decomposition level and j = a, h, v, d denotes the approximation, horizontal, vertical and diagonal sub-bands respectively. Let PPuni be the unique palmprint image of size t × t, where s ! t and PPdwt (i, j) be the corresponding two level wavelet transformed image with i=1,2. At level-2, the coefficients of approximation band of the palmprint image are embedded into the detail sub-bands of the fingerprint image. A Hidden Password F1 is used to embed the coefficients in the possible 3*S*S locations, where S is the length and width of the sub-bands. Embedding at level-2 is described in Equation (1). Next, the approximation band in the second level of the palmprint image is further decomposed to the third level. At level-3, the coefficients of the approximation band of the palmprint image are embedded into the detail sub-bands of the fingerprint image using another auto generate key F2 whose upper bound is 3*T*T. T is the height and width of sub-bands at level-3. Equation (2) describes the watermark embedding process at level-3. The inverse wavelet transformation is performed on the modified FPdwt (i, j) to obtain the final watermarked fingerprint image FPwm. Figure 1 shows the process of embedding palmprint image in the fingerprint image.
FPdwt (2, j)=
{
PPdwt (2, a) according to F1 FPdwt (2, j) elsewhere
FPdwt (3, j)=
{
PPdwt (3, a) according to F2 FPdwt (3, j) elsewhere
C. Watermarked Template binding by Hidden Password Encryption Hidden password improves user privacy to encryption of the watermarked template because it enables the creation of revocable templates and prevents cross matching of templates across different applications. The distribution of WHPE template is statistically more similar to uniform distribution than the distribution of original template. This recommends
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
298
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
(a) Client
Webcam
Palmprint Acquisition
Fingerprint Acquisition
Wu’s Classification Algorithm
Fingerprint Preprocessing
Palmprint Preprocessing
Cat1
Cat2
Cat4
Cat3
DWT
Hidden password F1
Embedding Palm Template in Fingerprint
Auto Generate Key F2
IDWT Cat5
Cat6
Watermarked Fingerprint Template
Encrypted Template
Database (b) Server
Figure 1(a): Enrolment phase- Proposed Watermarking with Hidden password Encryption (WHPE)
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
299
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
(a) Client
Webcam
Palmprint Acquisition
Fingerprint Acquisition
Wu’s Classification Algorithm
Fingerprint Preprocessing
Palmprint Preprocessing
Cat1
Cat2
Cat4
Cat3
DWT
Embedding Palm Template in Fingerprint
Hidden password F1
Auto Generate Key F2
IDWT Cat5
Cat6
Database
Watermarked Fingerprint Template
Decrypted Template
Matching
Yes/no
(b) Server Figure 1(b): Verification phase- Proposed Watermarking with Hidden password Encryption (WHPE)
3. Experimental Result and Discussion
A.
The proposed watermarking with hidden password encryption (WHPE) scheme has been tested on the webcam database.
Our webcam database is a database with 1000 images (100 fingers × 5 impressions/finger and 100 palms × 5 impressions/palm) of size 480×580. We followed the standard of FVC2000 [6], FVC2002 [7], FVC2004 [8] fingerprint databases where each database contains fingerprints from 110 fingers. The
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
Experiments and Results
300
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
experiments are designed and performed to study effects of the watermarking on the performance of the proposed secure fingerprint-based authentication system. In this experiment the compassion of watermarking schemes on biometric images is analyzed. To carry out the tests, we watermarked the 1000 images from our database including both 500 fingerprints and 500 palmprints, ran feature extraction and recognition on the watermarked images, and compared the results to that of using the original fingerprints. In order to perform watermark-embedding process we used each impression of palmprint on each fingerprint impression, which are obtained from the same individual. And by following this process, we got six watermark embedded templates for single individual and like this in the whole database we got 500 templates from 100 individuals. First, to obtain a baseline performance of the authentication system, each fingerprint is matched with rest of the fingerprint database i.e., 499 fingerprints to obtain 499 normalized matching scores. Among the normalized matching scores obtained for a fingerprint, one would expect 4 high scores and 495 low scores. For each hypothesized threshold matching score, the performance of the system was characterized by the true rejects (TR) and the True accepts (TA).
We classified our test in three different experiments and our experiments representing the performances of the authentication system using original fingerprint database for matching in the experiment 1 and the matching performance between the original fingerprint data with watermarked fingerprints obtained by WHPE in the experiment 2 and finally the matching using the same set of watermarked fingerprint database with watermarked fingerprint data in experiment 3. We performed all these experiments and obtained the results that are revealed in table 1. From a visual inspection of the matching results generated in our final experiments, we observed that experiment 1 and experiment 3 had no significant effects on the performance of the authentication system, where experiment 2 had significant and undesirable effect. This is because, in WHPE scheme the watermark embedding affects a significant number of pixels in a local neighborhood so that some minutiae cannot be extracted during matching session. As a result experiment 2 obtained awful matching results. These results have demonstrated that the watermarked images can obtain approximately the same accuracy as the original unwatermarked fingerprints in the matching/authentication session on our proposed secure authentication system.
Table 1: Standard results obtained from the tests Tests Experiment 1 Experiment 2 Experiment 3
Matching Phase Original image Original image Watermarked image
Original image Watermarked image Watermarked image
Discussions
Although numerous techniques have been proposed to enhance the security and privacy of the biometric authentication system, but still it’s a risky issue. It has been largely disregarded the study of potential vulnerability of Biometric Authentication against attacks. That means a complicated attacker could achieve access to both the embedded templates and the whole attack phases described in section. But a user’s
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
TR (%)
90.8 52.6 89.3
9.2 47.4 10.7
Matched TA (%) 94.1 53.1 91.9
biometric is not obtained. Such an attacker, fully familiar with the system and exploiting its weaknesses, will not be doing just a watermark extraction process in order to break the embedded template. As a substitute, he will develop different attacks that can be run in a realistic time frame. The WHPE must be flexible against those on-line attacks. Here, we discuss the security of the above scheme. First, we cite the security framework of the proposed authentication scheme. If challengers’ success to steal the template stored in the database, they can get the encrypted template. Subsequently they attempt to extract the template and ruin the file so that it may no longer be useful. Hans Georg Schaathun, [3] presented some attacks in watermarking layer. A real watermarking scheme cannot be expected to be infallible. The attacks are, (1) Non-collusive watermarking attack: Non-collusive watermarking
The averaged matched true acceptance for experiment 1 and experiment 3 is around 90%. So we have proved that our WHPE scheme will perform successfully and better. The security level also remaining strong because in our proposed scheme the original biometric is not exposed anywhere.
B.
TA (%)
301
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
replay attack on the proposed authentication scheme. If the adversaries can snoop to the communication from the proposed scheme, and obtain the information of any embedded template or encrypted data or decrypted data, when they reuse this information, the client and the database can detect replay attack by verifying the difference among the information of the data used in WHPE scheme. Only the attack will be established possibly when the user’s biometric as well as according to our scheme the attacker compromises the fingerprint and the palmprint both.
attacks can be applied to any mark. By garbling the segment, the pirates cause the extraction algorithm to fail with some probability. (2) Collusive watermarking attack: A collusive watermarking attack applies to detectable marks. By combining different versions of the same mark, for instance by averaging, the pirates can weaken the watermark and cause extraction to fail with some probability. (3) Cropping a segment: A pirate can crop the file by removing certain segments. If the pirates use a very strong watermarking attack or extensive cropping, they will also ruin the file, because they have no information about the hidden password, which is used for embedding and encryption. Suppose, the hidden password is compromised then they can become impostor of the decryption and they will able to obtain a watermarked template which is still secured in the authentication scheme because the original template will never be exposed any where in the system, even in the matching process. However, even if adversaries hijack the whole database, because it receives no personal information, of course including the original template and the extracted feature, the takeover does not threaten the user’s privacy. Then we consider the case of a malicious authentication server collects information. In this structure, it receives watermark embedded and encrypted transformed data. As abovementioned, they imply no information before extraction the embedded and encrypted data. Besides, the malicious sever cannot know the corresponding watermark embedded process, hidden password and encryption process. Hence, the malicious server obtains no information about original templates. Next, we consider security of the information transformed by WHPE against hill-climbing attack [9] [10], replay attack [11], collusion attack. Hill-climbing attack [11] uses of replied matching score in order to make a fake. When the application server sends the matching score to client or adversary as shown in Fig. 3, the adversary transforms embedded feature data selected from database that the adversary constructs. The adversary sends the transformed features to the authentication server for matching. Because this system used the hidden password to seek the corresponding data, it is difficult for the adversary to improve the fake from the replied matching score. Therefore, the probability of the adversary’s success on our proposed authentication scheme becomes less than conventional biometric authentication. Normally, replay attack is impossible, if previously obtained information is not reusable. When adversaries eavesdrop on the communication between the client and the authentication server, they obtain only embedded transformed features or encrypted data, which are not reusable. Hence, no adversary successes
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
4. Conclusion We proposed the authentication scheme to protect the biometric templates and to improve the security and privacy level of biometric authentication system in this paper. The main concept of the proposed authentication scheme is that stolen biometric information is not reusable, in every authentication for even same person. In the scheme we used hidden password, which was derived from palmprint classifications. The hidden password concept is very similar to the password concept [15] but here user needs to remember the password and also the password is very easy to guess. Finally, we obtained the view of the security of our proposed authentication scheme against the attacks described in section 1(a). The performance of the authentication scheme is presented by the experiments and results.
5. References [1]. X. Wu, D. Zhang, K. Wang and B. Huang, “Palmprint classification using principle lines,” Pattern Recognition, Vol. 37, No. 10, pp 1987-1998, 2004. [2]. Palmprint database from Biometric Research Center, The Hong Kong Polytechnic University. Available:http://www4.comp.polyu.edu.hk/~biometrics/ [3]. Hans Georg Schaathun, “On watermarking/ fingerprinting for copyright protection,” Proc. of First International Conference on Innovative Computing, Information and Control (ICICIC '06), Vol. 3, pp. 50- 53, 2006. [4]. Yeung M. and Pankanti S., “Verification Watermarks on Fingerprint Recognition and Retrieval,” Journal of Electronic Imaging, vol. 9, no. 4, pp.468-476, 2000.
[5]. M.M. Yeung and F.C. Mintzer, “Invisible watermarking for image verification,” Journal of Electronic Imaging, Vol. 7(03), pp. 578-591, 1998.
302
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.
[6]. FVC2000 fingerprint database, http://bias.csr.unibo.it/fvc2000/databases.asp
Available:
[7]. FVC2002 fingerprint database, http://bias.csr.unibo.it/fvc2002/databases.asp
Available:
[8]. Maio, D. Maltoni, R. Cappelli, J. L. Wayman and A. K. Jain, “FVC2004: Third Fingerprint Verification Competition,” Proc. International Conference on Biometric Authentication (ICBA), pp. 1-7, Hong Kong, 2004. [9]. Soutar, “Biometric System Security,” Secure No. 5, pp. 46-49, 2002. Available: http://www.silicontrust.com/pdf/secure_5/46_techno_4.pdf [10]. Dimovski, D. Gilogoroski, “Generating highly nonlinear Boolean functions using a genetic algorithm,” Proc. IEEE 6th International Conference on Telecommunications in Modern Satellite, Cable and Broadcasting Service (TELSIKS 2003), pp. 604-607, 2003. [11]. K. Jain, A. Ross, and U. Uludag, “Biometric template security: challenges and solutions,” Proc. 13th European Signal Processing Conference (EUSIPCO ’05), Antalya, Turkey, 2005. [12]. Y. Sutcu, Q. Li and N. Memon, “Protecting Biometric Templates with Sketch: Theory and Practice,” IEEE Trans. on Information Forensics and Security, vol. 2, pp. 503-512, 2007. [13]. S.W. Sun, C.S. Lu, and P.C. Chang, “Biometric Template Protection: a Key-Mixed Template Approach,” Proc. IEEE Intl. Conf. Consumer Electronics 2007, pp. 1-2, Las Vegas, NV, 2007. [14]. Colin Soutar, Danny Roberge, Alex Stoianov, Rene Gilroy, and B.V.K. Vijaya Kumar “Biometric Encryption™,” Bioscrypt Inc. , ICSA Guide to Cryptography, edited by Randall K. Nichols, McGraw-Hill (1999), chapter 22. [15]. Karthik Nandakumar, Abhishek Nagar and Anil K. Jain, “Hardening Fingerprint Fuzzy Vault Using Password,” Proc. International Conference on Biometrics, 2007. [16]. A.B.J. Teoh, A. Goh and D.C.L. Ngo, “Random Multispace Quantization as an Analytic Mechanism for BioHashing of Biometric and Random Identity Inputs,” IEEE Trans. on PAMI, Vol. 28, No. 12, pp. 1892-1901, 2006.
978-1-4244-2328-6/08/$25.00 © 2008 IEEE
303
Authorized licensed use limited to: IEEE Xplore. Downloaded on November 27, 2008 at 02:06 from IEEE Xplore. Restrictions apply.