Cancelable Biometrics for Template Protection


Biometric-based verification systems are quite common in the present-day world. In fact, application areas of biometrics are expanding day-by-day. They are used for a variety of purposes ranging from online banking, e-commerce, health-care, airport check-ins, border security, mobile phone unlocking, law enforcement, and many more. In the present-day scenario, it is worthy to say that biometric-based authentication systems are replacing traditional ones one by one to provide better security. Big technocrat giants like Google, Apple, Microsoft, Intel, and Samsung are investing a huge amount of money for implementing biometric authentication systems in their future products for better customer experience and satisfaction. Moreover, deployment of large biometric systems worldwide like Aadhaar (India), eKTP (Indonesia), and MyKad (Malaysia) surges the immediate need to secure biometric systems from potential security threats. Although biometric authentication-based systems can help in alleviating the problems associated with traditional systems, they are prone to inadvertent security lapses as well as to deliberate attacks that can result due to illegitimate intrusion or theft of sensitive biometric information. Figure 2.1 depicts the significant points of vulnerabilities on biometric recognition systems, as suggested by [72]. These vulnerability points, as suggested by [26], can be broadly classified into two categories as follows:

1. Direct Vulnerability: Flere, the attacker attacks the sensing device by presenting the spoofed biometrics of the registered user. For mounting this type of attack, adversary requires no knowledge about the system. Furthermore,

Major vulnerability points in a biometric-based system

FIGURE 2.1 Major vulnerability points in a biometric-based system.

digital protection mechanisms like watermarking, encryption cannot be used here because this type of attack is carried out outside the system at the sensor level [26]. In Figure 2.1, this type of vulnerability is depicted as an attack point API.

2. Indirect Vulnerability: Here, the adversary needs to have an expertise knowledge about the internal working of the biometric system [38]. In Figure 2.1, this type of vulnerability is depicted as an attack point from AP2 to AP8. This type of attack mainly comprises manipulation of the database (either by altering a template or by deleting it), communication channel interception, or by bypassing the feature extractor and matcher module.

In recent years, several researchers have paid attention to address these vulnerabilities, but still, it is not fully solvable. Direct vulnerabilities are normally accessed by studying the physiological characteristics of biometric traits as carried out in liveliness detection, while indirect ones are addressed by securing the communication channel and databases. The focus of this chapter is to highlight the importance of template protection along with its techniques.


Biometric verification systems are based on the uniqueness of anatomical and observable patterns; however, the permanence of these features poses a challenge if it is stolen. Unlike conventional password-based systems, it cannot be revoked. Thus, gaining one’s biometric information is regarded as a compromise of the user’s privacy [60]. Even the EU General Data Protection Regulation 2016/679 [1] has defined biometric data as sensitive data. So, it is important and essential to secure biometric templates from adversarial attackers who can alter biometric templates for illegitimate access and fraudulent activities.

2.2.1 Consequences of Template Compromise

On gaining access to a person biometric template, an adversary can launch not only financial attack but can hamper a person’s social life also by falsely plotting its biometric templates at crime scenes. Moreover, an intruder getting access to a template stored with least security can launch cross-domain linkage attacks. In the past, it was postulated [60] that biometric features can detect a certain type of medical condition in an individual. Furthermore, this information can be used to deny employment and insurance to subjects having a certain kind of medical disorder.

2.2.2 Template Protection Techniques

Broadly template protection techniques are classified under two main categories: hardware-based solutions and software-based solutions. The former one is a close recognition system [61] from which the biometric template is never transmitted and thus secured. Privaris PlusID [2] is one such example of hardware-based solution. Major limitations are that they are less flexible (need to be carried everywhere) and are expensive and prone to being lost like conventional credit cards. In the latter case (software-based solutions), biometric data are combined with some helper data to transform it into another form, and this resultant form is stored in the database rather than the original biometric template. Further, software-based template protection techniques can be divided into three subcategories as follows:

  • 1. Biometric Encryption: In this type of technique, the biometric template is encrypted during the enrollment phase using a key; thus, an encrypted version of the biometric template is stored in the database. During authentication attempt, stored encrypted template is decrypted and matched with the query biometrics. On the basis of the key used, it can be further classified into two categories: (i) symmetric encryption (same key for encryption and decryption) and (ii) asymmetric encryption (different keys for encryption and decryption).
  • 2. Biometric Cryptosystems: As the name suggests, biometric cryptosystem (BC) is an amalgam of two terms biometrics and cryptosystem. Designed specifically to take benefits from both like uniqueness and nonrepudiation from biometrics and high security from cryptography [44]. Here, during the enrollment phase, the biometric template is associated with a key to obtain a secure sketch (which is stored in the database) while during authentication, query biometric is used to recover the original biometric template from the stored secure sketch. On the basis of the key used to generate secure sketch, it is mainly divided into two categories, as shown in Figure 2.2 and described below as: (a) Key binding-based cryptosystems (here, the cryptographic key is hidden within the enrolled biometric template using secret bit replacement algorithm. Fuzzy vault [40] and fuzzy commitment [41] are two popular examples of this category). (b) Key generation-based cryptosystems (here, the secure sketch is derived only from the biometric template while the cryptographic key is generated from the helper data and query biometric features. A fuzzy extractor is a popular example of this category).
  • 3. Cancelable Biometrics (CB): During the enrollment phase, a transformed version of the biometric template is stored in the database known as pseudo biometric identity (PBI), while during authentication query, biometric is again transformed to match with PBI. Based on the transformation functions, they are further classified into two subcategories: (a) non-invertible transformation-based and (b) salting-based approaches.

a. Non-invertible Transformation-Based CB: Here, the transformation function is non-invertible in nature, major limitation performance, and security degradation if transformation function is stolen. Two popular approaches under this category are random projection-based transformations and geometric transformations.

b. Salting-Based Approaches: Here, original biometric features are randomly permuted and convolved to generate transformed versions. GRAY-SALT, BIN-SALT. GRAY-COMBO, and BIN-COMBO [108] are some of the popular earlier works carried out under this category.

Two variants of biometric cryptosystem

FIGURE 2.2 Two variants of biometric cryptosystem: (a) Key binding scheme (b) key generation scheme.

2.2.3 Comparative Analysis between Template Protection Techniques

We have seen that a biometric template can be secured using any three of the software- based template protection techniques discussed in the previous section. Table 2.1 postulates major advantages and limitations of the above-mentioned techniques.

  • 2.2.4 Fundamental Requirements of Template Protection Techniques
  • 1. Non-Invertibility: This property ensures non-invertibility of stored transformed template in the database. Mathematically, it is defined as: if F, is the original biometric template corresponding to subjectj and T, is its transformed version stored in the database, then reconstruction of F, from T,


Approach-Wise Advantages and Issues





Performance preservation

  • 1. Key management
  • 2. During authentication original biometrics is accessible



  • 1. Combines benefits of cryptography and biometrics
  • 2. Secure key release mechanism based on biometrics
  • 1. Original biometrics is accessible after accept decision
  • 2. Linkability



Original biometrics is never stored and thus not accessible

  • 1. Performance degradation
  • 2. Weak security

should be impossible. In short, mapping of F, to Tt should be one to many instead of one to one.

  • 2. Revocability: Since the number of biometrics associated with an individual is limited, it is required if somehow biometric is stolen, it should be replaced wisely. Revocability ensures this property.
  • 3. Unlinkability: In today’s world, we are using biometric-based authentication in a number of applications ranging from mobile unlocking to sophisticated applications like online banking and all. In all these applications, it is required that stored, transformed template of a subject in one database should not match with templates stored in other databases. This is particularly essential to limit cross-matching database attacks. Unlinkability among databases ensures this.
  • 4. System Usability: The above three mentioned requirements, i.e., non- invertibility, revocability, and unlinkability are non-functional requirements of cancelable templates while system usability is a functional requirement which ensures that the system performance in terms of false acceptance rate (FAR) and false rejection rate (FRR) should not degrade while applying any kind of transformation to biometric templates in order to meet nonfunctional requirements. In fact, for an ideal protected biometric system all the four requirements should be met simultaneously, although it is difficult to achieve in reality.
  • 2.2.5 Potential Attacks on Template Protection Techniques

Although protected biometric templates are more robust against different types of attacks as compared to the one without protection, they are vulnerable to some attacks. One of the major shortcomings of these protected biometric templates is that they are vulnerable to presentation attacks. In fact, some of the techniques have been specially fabricated to attack popular BCs and CB systems. In Table 2.2, template protection techniques along with their vulnerable attacks are discussed.


Security Attacks Against Biometric Templates


Possible Security Attacks

Biometric Encryption [94]

Hill climbing, substitution attack, attack via record multiplicity

Biometric Cryptosystems

(i) Key binding scheme [32,40]

Attack on error-correcting codes, substitution attack, chaff elimination, ARM (attack via record multiplicity),

(ii) Key generation scheme [17,97]

Hill climbing, false acceptance attack, brute force attack

Cancelable Biometrics

(i) Non-invertible transformations [73]

Overwriting final decision, ARM, substitution attack, linkage attack

(ii) Salting-based Approaches [28]

Stolen token attack, substitution attack, overwriting final decision, linkage attack, masquerading attack

< Prev   CONTENTS   Source   Next >