Design Aspects of Secure Biometric Systems and Biometrics in the Encrypted Domain
Authors

C. Vielhauer: Brandenburg University of Applied Sciences, Potsdam, Germany
C. Vielhauer, J. Dittmann: Otto-von-Guericke University Magdeburg, Magdeburg, Germany
S. Katzenbeisser: Technische Universität Darmstadt, Darmstadt, Germany

In: P. Campisi (ed.), Security and Privacy in Biometrics, DOI 10.1007/978-1-4471-5230-9_2, © Springer-Verlag London 2013

Abstract

This chapter introduces the main security requirements for the biometric processing pipeline and summarizes general design principles and approaches. General IT security principles are reflected and selected paradigms such as template protection by biometric hashing, fuzzy commitment schemes, and fuzzy extractors are reviewed. Further, we discuss the design principles of biometric matching algorithms that operate in the encrypted domain. The overall algorithm design, implementation, and configuration issues are summarized and discussed in an exemplary manner for the case of face biometrics.

2.1 Security Requirements for the Biometric Processing Pipeline

Security has recently become one of the most significant and challenging problems during the introduction of new information technology. It therefore plays an important role for biometric systems and applications. Since digital biometric data can easily be copied without information loss, manipulated at will or forged without noticeable traces, security solutions are required to counter these threats. In order to judge and evaluate the overall trustworthiness, security criteria need to be defined, e.g. taken from the Europe-wide valid ITSEC catalogue of criteria [16], and applied to biometrics. In general we can notice a rising awareness of security for biometric solutions. How security mechanisms can be applied to biometric data and their applications needs to be analyzed individually for each application and biometric modality. This is mainly due to the structure and complexity of biometric data as well as the privacy requirements derived from the right of all individuals to protect person-related data and information, as codified in data protection laws.

Based on the central issues of IT security, this chapter introduces the most important security requirements, which must be fulfilled by today's biometric systems. We first provide an overview of the basic security requirements (also called security aspects) in general by enumerating five generally known security aspects (confidentiality, integrity, authenticity, non-repudiation, and availability) and proceed with a discussion of privacy issues (unlinkability, unobservability, anonymity, and pseudonymity) that are commonly linked to biometric applications.

The security requirements of confidentiality, integrity, authenticity, non-repudiation, and availability are essential for computer and network systems (see for example [3] and [7, 27] or [20]). In the case of biometrics, the security targets under investigation are the resources involved, such as humans (subjects), entities (such as components or processes) and biometric data (information).

Confidentiality refers to the secrecy or prohibition of unauthorized disclosure of resources. In the case of a biometric system it mainly refers to biometric and related authentication information, which needs to be kept secret from unauthorized entities. Confidentiality may ensure the secrecy of a user's biometric data when it is captured, transferred or stored. In particular, biometric information should only be accessible in full quality to the person to whom it belongs. Besides this issue, during biometric verification or identification the accessing party needs to be restricted with appropriate security measures. This ensures that nobody apart from the allowed parties can use the measurement. An attack goal could be the unauthorized access to and copying of reference data, such as fingerprints. Biometric data is highly sensitive and personal, because any illegitimate possession and use of stolen data may lead to uncontrollable subsequent illicit use. For example, a stolen fingerprint reference can be used to construct artificial silicon fingerprints [24] for identity theft or even to lay fake fingerprint traces by printing the fingerprint patterns with amino acids as described in [21]. Some biometric modalities even reveal medical patterns that potentially indicate diseases [15].

Integrity of a biometric system refers to the overall integrity of all resources such as biometric and related authentication information and all software and hardware components involved in the biometric processing pipeline. Integrity is the quality or condition of being whole and unaltered (the resource is not altered or manipulated) and refers to its consistency, accuracy, and correctness. Security measures offering integrity usually ensure that modifications are detectable. Different integrity degrees such as low, middle, and high can be defined, see for example the International Electrotechnical Commission safety standard IEC-Standard 61508 (see the website http://www.iec.ch, 2011). Appropriate levels need to be defined and integrity policies for the overall system design, implementation, and configurations need to be imposed. For a biometric system the integrity should be defined as "high" for all components, which means that any malicious manipulations during operation and storage should be avoided or at least detected including its notification and correc-

Similar resources
Biometric cryptosystems: authentication, encryption and signature for biometric identities
Biometrics have been used for secure identification and authentication for more than two decades since biometric data is unique, non-transferable, unforgettable, and always with us. Recently, biometrics has pervaded other aspects of security applications that can be listed under the topic of “Biometric Cryptosystems”. Although the security of some of these systems is questionab...
Secure Bio-Cryptographic Authentication System for Cardless Automated Teller Machines
Security is a vital issue in the usage of Automated Teller Machine (ATM) for cash, cashless and many off the counter banking transactions. Weaknesses in the use of ATM machine could not only lead to loss of customer’s data confidentiality and integrity but also breach in the verification of user’s authentication. Several challenges are associated with the use of ATM smart card such as: card clo...
High Secure Crypto Biometric Authentication Protocol
Concerns on widespread use of biometric authentication systems are primarily centered around template security, revocability, and privacy. The use of cryptographic primitives to bolster the authentication process can alleviate some of these concerns as shown by biometric cryptosystems. In this paper, we propose a provably secure and blind biometric authentication protocol, which addresses the c...
Fast and Accurate Likelihood Ratio Based Biometric Comparison in the Encrypted Domain
As applications of biometric verification proliferate, users become more vulnerable to privacy infringement. Biometric data is very privacy sensitive as it may contain information as sex, ethnicity and health conditions which should not be shared with third parties during the verification process. Moreover, biometric data that has fallen into the wrong hands often leads to identity theft. Secur...
Secure and Privacy-Preserving User Authentication Using Biometrics
Identity management lies in the field of Information Security, presenting numerous attractive research categories. Biometrics have been established as a new approach to mitigate the limitations and weaknesses of traditional access methods of passwords and tokens. However, biometrics introduce new security and privacy risks since they cannot be easily revoked. Due to the noisy nature of biometri...