Cryptographic keys from noisy data, theory and applications

Biometric security systems that verify a person’s identity by scanning fingers, hands, eye or face are becoming more and more common. As a result biometrics is one of the fastest growing industries. Applications for biometrics range from homeland security (for example the European biometric passport), physical access to various facilities (banks, amusement parks, office buildings, computer terminals, etc) and health and social services. Utilizing biometrics for personal authentication is more convenient and than current methods such as passwords or PINs (nothing to carry or remember). Another important advantage of biometric authentication is that it links events to a user (passwords or token can be lost or stolen) and is becoming socially acceptable and inexpensive. Biometric authentication requires comparing a registered or enrolled biometric sample (biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login). However, biometric authentication is not perfect and the output of a biometric authentication system can be subject to errors due to imperfections of the classification algorithm, poor quality of biometric samples, or an intruder who has tampered with the biometric authentication systems. Although biometric authentication is intended primarily to enhance security, storing biometric information in a database introduces new security and privacy risks, which increase if the database is connected to a network. This is the case in most practical situations. The most severe threats are: impersonation, where an attacker steals templates from a database and constructs a synthetic biometric sample that passes authentication; irrevocability, where once compromised, biometrics cannot be updated or reissued; privacy, which is the exposure of sensitive personal information without the consent of the owner. A solution to these threats is to apply templateprotection techniques, which make it hard for an attacker to recover the biometric data from the templates. This thesis looks at security aspects of biometric authentication and proposes solutions to mitigate the risk of an attacker who tries to misuse biometric information or who bypasses modules of biometric systems to achieve his malicious goals.