International Conference on Intelligent and Advanced Systems 2007
Multimodality to improve Security and Privacy in Fingerprint Authentication System Md. Rajibul Islam, Md. Shohel Sayeed, Andrews Samraj Multimedia University, Faculty of Information Science and Technology (FIST) Jalan Ayer Keroh lama, 75450 Melaka, Malaysia E-mail: {md.rajibul.islam05, shohel.sayeed, andrews.samraj}@mmu.edu.my Abstract-With the pace of increasing online transactions and communication, the demand for security and privacy increases. To protect confidential information and to authenticate people electronically, several solutions already introduced. Traditional biometric systems that are based on single biometric usually suffer from problems like impostors’ attack or hacking, unacceptable error rates. To improve security and privacy and system’s reliability two or more biometrics of the same identity could be combined in a method that enhances the efficiency of the system. The biometric information, however, is irreplaceable information, when it is compromised. Thereby, one must give a special attention to protection of such information. We propose a novel protection technique for the biometric information, especially the feature information and the templates. The point of our proposal is securely embeds and extracts an iris template in a fingerprint image using a combined DWT and LSB based biometric watermarking algorithm in each authentication. The embedded data travel through insecure communication line like the internet, and they are used in matching process. This technique causes security against eavesdropping and replay attacks on the internet, because the watermark embedded transmitted data are used in the authentication session after watermark extraction. Index Termsņ Multimodal biometric, security, Biometric authentication, Watermarking, Template protection.
I.
INTRODUCTION
With the wide spread utilization of biometric identification systems, establishing the authenticity of biometric data itself has emerged as an important research issue. The fact that biometric data is not replaceable and is not secret, combined with the existence of several types of attacks that are possible in a biometric system, make the issue of security/integrity of biometric data extremely critical [1]. Although there has been much research on combining different biometrics for a variety of purposes, however, not much work has focused on the combination of fingerprint and iris, which are two of the characteristics that can reach the best recognition performance for high security applications [8]. In this paper, we propose a novel compatible scheme with the popular biometric systems. Our main idea is to improve the security and privacy in biometric authentication by using multimodal biometric in an anxious environment. That is, communicated data of the features and the templates is embedded in every authentication session for even unique person. The prospects of our scheme are as follows: i) The fingerprint and the enrolled iris templates are embedded by watermarking technique, and matching is done by using the extracted features after extraction of iris templates from fingerprint.
ii) Because of embedded authentication data for each authentication session, our scheme needs no apprehension about impostors’ attack or hacking the transformed information in the communication through untrusted channels. In this paper, we assume the watermarking algorithm which is already exists, we discuss the privacy protection and our proposed biometric authentication scheme. If this requirement is satisfied, even though eavesdroppers collect communication data from the attack phases shown in Fig. 1, they cannot obtain the enrolled fingerprint or iris templates or the extracted features. When they monitor some person’s entire authentication, they obtain only embedded data which has no correlation with the authentication sessions. An authentication server which performs matching process obtains the extracted data after extraction the iris template from fingerprint. In the rest of this paper, we describe in section II, attack phases, what information should be protected in the biometric authentication, section III, gives a definition of Watermarking based on a combination of wavelet and LSB and an explanation of our proposed authentication protocol. In section IV, we explain a discussion of security in proposed scheme. Finally, section V concludes this paper. II.
ATTACK PHASES
Many of the possible attacks in fingerprint authentication were identified as shown in Fig. 1, [2]: (a) attack at the sensor, (b) attack on the channel between the sensor and the feature extraction, (c) attack during the time of feature extraction, (d) attack on the channel between the feature extraction and the matcher, (e) attack on the matcher, (f) attack on the channel between the matcher and the database of templates, (g) attack on the database of templates. These attacks are elucidated in details in [2].
c
a
Feature Extraction
Scanner b Sensor
g
e Matcher d
Client
f
Database of Template
Server
Fig. 1- Diagram of the Attack Phases
1-4244-1355-9/07/$25.00 @2007 IEEE
Authorized licensed use limited to: IEEE Xplore. Downloaded on December 3, 2008 at 01:34 from IEEE Xplore. Restrictions apply.
~ 753
International Conference on Intelligent and Advanced Systems 2007 In this paper, we focus on all of this attack. To evade possible threats caused by this attack, we have used multimodal biometric specially fingerprint and iris. In the next section we have presented our proposed approach. A. Complexities in this work Biometric authentication has two phases of processing, that is, enrollment and authentication. In the enrollment phase sensor device acquires a user’s biometric raw data. Next step is feature extraction of the biometric raw data. The obtained features are enrolled as templates in the database. On the other hands, in the authentication phase, capture process and feature extraction process are in common with enrollment. The matching process performs comparison between the extracted features and the enrolled templates. The matching process evaluates the judgment result and calls the user accept or reject referring authentication policy. When we apply this biometric authentication to internet services, we must consider a part or all of the above five processes are included in separate entities distributed in internet. Because the biometrics on the internet services requires communication of the authentication information like the feature information, the template information, the authentication results etc. between the five processes through the internet. Since the internet is not safe against replacement, eavesdropping and imposture, we must appreciate that inadequate security for the above information compromises the user’s biometric information as one of the personal information. Because biometric information is unique in general, the user is unable to reenroll to the biometric authentication system [5]. Also assume that, even if eavesdroppers obtained only encrypted biometric information, their replay attacks can menace the biometric system. Thus, protection of the biometric information from these attacks is one of the major problems in the biometric authentication as well as privacy protection. In the next section, we focus protection of the feature information and the template information using multimodal biometric embedding by watermarking based on a combination of wavelet and LSB. This model gives the impression to be a practical implementation as a remote biometric authentication. In this model, we must save the features and the templates as personal information from challengers. III.
WATERMARKING ALGORITHM
For watermarking, the fingerprint image is used as the base or the cover image and the iris features are used as the watermark [4]. These features are the iris template [3] obtained by convolving the iris image with 2D Gabor filter. The algorithm is divided into two parts, watermark embedding and watermark extraction. A. Watermark Embedding Algorithm Step 1: Two-level Discrete Wavelet Transform (DWT) is applied on the original fingerprint image I. The coefficients of the approximation band of the DWT image contain significant details of the fingerprint image. Hence
the approximation band is not modified during embedding or extraction. Step 2: The detailed sub-bands are divided into blocks I 1 ,I2 ,…,Ir of size M x N and the coefficients in each block are numbered in raster scan order. From each block, the first wavelet coefficient that has a positive phase and whose value is less than threshold Ș is selected. The second LSB of the selected coefficient is replaced by one bit from the iris template. This process is written as follows
° (i, j )) = F ( x, y ) ′ (i, j ) = ® LSB2 ( Iifw Phase Iw ( I ( i , j ))≥0 & I ( i , j )<η I (i , j )if Phase( I w (i , j ))<0 w ° w ¯ w
(1)
where Iƍw(i,j) are the wavelet coefficients in block Ir. F(x,y) is the iris template, Iw(i,j) is the wavelet decomposed fingerprint image, Ș is the threshold which decides whether the watermark bit is inserted or not, and LSB2 denotes the second_LSB. Step 3: If the number of bits in the iris template F(x, y) is less than the number of blocks in the fingerprint image, then all bits of the iris template can be embedded. Otherwise, the following procedure is used to embed the remaining bits of the iris template: (a) For each block Ir, a message block MBr is formed by selecting few high order bits from each pixel of Ir. A key K is appended to message block MB r . The value K is sufficiently large to prevent an attacker from using brute force to remove the watermark. (b) The key K is used to compute a cryptographic hash of the message block H r = H(MB r )K
(2)
(c) The value of [Hr mod (M × N)] gives the pixel position for embedding the watermark bit. The watermark bit is embedded depending on the value of the most significant bit (MSB) of the hash value Hr. If the MSB of Hr is 0 then the facial bit is inserted unchanged; otherwise the complement of the iris bit is inserted. Step 4: After embedding all the bits from the iris template. Inverse Discrete Wavelet Transformation (IDWT) is applied on the watermarked fingerprint coefficients to generate the final secure watermarked fingerprint image. Fig. 2 shows the watermark embedding process. Any change in the value of Ir produces an entirely different hash and can make the watermark undetectable. Since the attacker does not know the key K, it is not possible to compute the hash value Hr . Also, high order bits are chosen for watermark insertion because any change in these values will degrade the quality of the image and hence the biometric verification performance.
754 ~
Authorized licensed use limited to: IEEE Xplore. Downloaded on December 3, 2008 at 01:34 from IEEE Xplore. Restrictions apply.
International Conference on Intelligent and Advanced Systems 2007
Iris
Fingerprint
Watermarked Fingerprint Image
Key K Key K 2D Gabor
Hash Table
DWT
Image Synchronization Hash Table
Iris Template e
Synchronized Image
Embedding Iris Template e in Fingerprint
IDWT
DWT Extraction of Iris Template from Fingerprint
Watermarked Fingerprint Image Fig. 2 – Watermark Embedding Process
B. Watermark Extraction Algorithm Step 1: The image is first synchronized with the block boundaries. The synchronization is performed corresponding to the blocks of size M × N formed during the embedding process. DWT is first applied on the image and the detailed sub-bands are divided into blocks of size (2M-1) × (2N -1). Step 2: For each block of size M×N, the following steps are performed for synchronization of block boundaries: (a) Similar to the embedding process, a corresponding message block MBr is formed by selecting few high order bits from each pixel of that block and a key K is appended to it. (b) The cryptographic hash of MBT is computed as before using Equation 2. (c) The synchronized block boundaries are identified by comparing the last few bits of the hash value Hr with the LSBs of pixels in every block and its neighboring blocks. Step 3: From each synchronized block, the first coefficient with positive phase and whose value is less than the threshold Ș is identified. The watermark bit is extracted from this coefficient. Step 4: The remaining bits of the watermark are extracted by computing the pixel position for each block where the bit was embedded. The pixel positions are calculated using the expression [Hr mod (M × N)]. The MSB of Hr is analyzed to determine if the actual value or its complement was inserted and the bit is extracted. Step 5: These extracted bits are arranged to form the iris template and IDWT is applied on the fingerprint image to generate the watermark extracted fingerprint image. Fig. 3 shows the extraction process of the fingerprint and the iris template from the watermarked fingerprint image.
Extracted Fingerprint Image
Extracted Iris Template
Fig. 3: Watermark Extraction Process
C. Requirements of the authentication system using Watermarking Technique For construction of the authentication system, we suppose five entities which are sensor, client, authentication server, database storing templates, watermark extraction generator and time-stamp server as shown in Fig. 4. In Fig. 4, the watermark extraction generator and the time-stamp server are TTP. Below are the requirements for watermark extraction generator: Algorithm of the watermark based on a combination of wavelet and LSB and input values of embedded fingerprint and iris template. In order to give time dependency to watermark extraction generator, the input values are authentication session ID with time-stamp data signed by time-stamp server and extracted value of watermark extraction generator. D. Proposed protocols of the biometric authentication using watermarking technique We present an authentication protocol using watermarking technique here. In the section, (1) - (19) denote numeral notations shown in Fig. 4. a) In process (1), client sends a request to sensor and (2) and (3) denote capturing fingerprint and iris, then generates watermark embedding process. In (4), client receives the watermarked embedded fingerprint image.
~ 755
Authorized licensed use limited to: IEEE Xplore. Downloaded on December 3, 2008 at 01:34 from IEEE Xplore. Restrictions apply.
International Conference on Intelligent and Advanced Systems 2007
1. Request 5. Request of authentication session 4.watermarked fingerprint image.
11. Session ID 13. Watermark extraction process
17. Request of extracted data
8. Authentication session
13. Watermark extraction process 16. Signal of finish watermark extraction
Database of Template
10. Authentication session ID
Authentication Server
8. Authentication session
Time stamp Server
Client
Sensor
7. Confirmation of start.
Watermark extraction generator
6. Accept and start authentication
17. Request of extracted data 18. Extracted data
18. Extracted data
2. Acquisition fingerprint and iris. 3. Watermark embedded process.
14. Extract iris template from fingerprint image
9. Verification of the received data from client and authentication server. 12. Generating watermark extraction process
19. Feature matching and judgment
15. Extract iris template from fingerprint image
Fig. 4: Proposed protocol of the authentication session using watermark based on a combination of wavelet and LSB to sending extracted fingerprint features and extracted iris template
b) Processes from (5) to (7) signify negotiation for beginning the authentication. After these steps, the client and the authentication server share the authentication session ID. c) Process (8) shows, watermark extraction generator receives request of generating watermark extraction process with the session ID from both of the client and the authentication server. d) Process (9) is a verification of the received data of the authentication session. In (10) and (11), the watermark extraction generator obtains timestamped data of the above session ID. The timestamped data is used for a parameter of watermark extraction process generation and a confirmation of the session performed. e) About process (12), please refer the discussion in subsection 3.2. f) In (13), the watermark extraction generator sends the generation process to both of the client and the database of enrolled templates. g) In (14) and (15), the client and the database apply the watermark extraction process to the embedded data
respectively. In order to end the generation process, the watermark extraction generator sends signal of the end to the authentication server in process (16). h) In (17)-(19) the authentication server obtains the extracted fingerprint data and iris templates. After the above protocols finished, the authentication server performs matching process and judgment process. i) The authentication server calculates the matching score based on minutiae. In judgment process, the authentication server decides accept or reject by comparing minutiae of the fingerprint obtained from database of template with live captured fingerprint image. IV. DISCUSSIONS OF SECURITY OF THE PROPOSED AUTHENTICATION SCHEME The analysis of potential vulnerability of Biometric Authentication against attacks has been largely overlooked. That means a sophisticated attacker could gain access to both the embedded templates and the whole attack phases described in section 2.0 (see Fig. 1). The only thing he cannot obtain is a user’s biometric. Such an attacker, fully
756 ~
Authorized licensed use limited to: IEEE Xplore. Downloaded on December 3, 2008 at 01:34 from IEEE Xplore. Restrictions apply.
International Conference on Intelligent and Advanced Systems 2007 familiar with the system and exploiting its weaknesses, will not be doing just a watermark extraction process in order to break the embedded template. As an alternative, he will devise various attacks that can be run in a realistic time frame. The watermarking algorithm must be flexible against those on-line attacks. Here, we discuss the security of the above proposal. First, we mention the security of the framework of the proposed authentication scheme. If challengers’ success to steal the value stored in the watermark extraction generator, they can become impostor of the watermark extraction generator. After that, the watermark extraction generator loses trust from other entities in Fig. 4. However, even if adversaries hijack the watermark extraction generator, because it receives no personal information, of course including the original template and the extracted feature, the takeover does not threaten the user’s privacy. Then we consider the case of a malicious authentication server collects information. In this structure, it receives embedded transformed data. As abovementioned, they imply no information before extraction the embedded data. Besides, the malicious sever cannot know the corresponding watermark embedded process. Hence, the malicious server obtains no information about original templates and extracted features. Next, we consider security of the information transformed by watermarking against hill-climbing attack [6], [7], replay attack, collusion attack. Hill-climbing attack uses of replied matching score in order to make a fake. When the application server sends the matching score to client (adversary) in Fig. 4, the adversary transforms embedded feature data selected from database which the adversary constructs. The adversary sends the transformed features to the authentication server. Because this system changes the calculation algorithm of matching score and threshold for it according to minutiae, it is difficult for the adversary to improve the fake from the replied matching score. Therefore, the probability of the adversary’s success on our proposed authentication scheme becomes less than conventional biometric authentication. In general, replay attack is impossible, if previously obtained information is not reusable. When adversaries eavesdrop on the communication between the client and the authentication server, they obtain only embedded transformed features which are not reusable. Hence, no adversary successes replay attack on the proposed authentication scheme. If the adversaries can listen to the communication from the watermark extraction generator, they obtain the information of watermark extraction process. When they reuse this information, the client and the database can detect replay attack by verifying the difference among the information of watermark extraction used in former authentication sessions.
Two cases of conspiracy attack establish possibly. The one of case is that the client conspires with the watermark extraction generator. In this case, the client can obtain not only watermark extraction process but also information of evaluation function. Therefore, adversaries who can perform normal hill-climbing attack success the conspiracy attack. The other one is that the authentication server stands in with the watermark extraction generator. The manner of attack is same as the above one. V. CONCLUSION In this paper, we focus the problems of the current studies of the template protection. As a countermeasure, we proposed the authentication scheme to protect the biometric templates and the extracted features. The main concept of the proposed authentication scheme is that stolen biometric information is not reusable by using a combined DWT and LSB based biometric watermarking algorithm, in every authentication for even same person. As a result, we obtained the view of the security of our proposed authentication scheme against hill-climbing attack and replay attack during the watermark extraction generator keeps security. This paper described only concept of such authentication scheme. As future works, we should study practical generating algorithm. In addition, we should research formal analysis of information theoretic security and time of calculation in this proposed authentication scheme. ACKNOWLEDGMENT The author would like to express his sincere gratitude to his project supervisor Md. Shohel Sayeed and his co supervisor Andrews Samraj for all their helpful guidance and advice. REFERENCES [1] [2] [3] [4]
[5] [6] [7] [8]
A. Jain and U. Uludag, “Hiding Biometric Data”, IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 25, No. 11, pp. 1494-1498, 2003. D. Maltoni, et al., Handbook of Fingerprint Recognition, Springer, 2003. N. Petkov and M.B. Wieling, “Gabor filter for image processing and computer vision” (On line), http://matlabserver.cs.rug.nl/edgedetectionweb/web/index.html Mayank Vasta, Richa Singh, Afzel Noore, Max M. Houck and Morris, “Robust biometric image watermarking for fingerprint and face template protection”. IEICE Electronics Express, Vol.3, No.2, pp. 2328, 2006 P. Reid, “Biometric for Network Security”, Prentice Hall, 2004. C. Soutar, “Biometric System Security”, Secure No. 5, pp. 46-49, 2002 (URL: http://www.silicontrust.com/pdf/secure_5/46_techno_4.pdf) A. Dimovski, D. Gilogoroski, “Generating highly nonlinear Boolean function using a genetic algorithm”, 1st Balkan Conference on Informatics, 2003. Alessandra Lumini and Loris Nanni, “When Fingerprints Are Combined with Iris – A Case Study: FVC2004 and CASIA”, International Journal of Network Security, Vol. 4, No.1, PP. 27–34, Jan. 2007.
~ 757
Authorized licensed use limited to: IEEE Xplore. Downloaded on December 3, 2008 at 01:34 from IEEE Xplore. Restrictions apply.