Intelligent agents for the management of complexity in multimodal biometrics

Current approaches to personal identity authentication using a single biometric technology are limited, principally because no single biometric is generally considered both sufficiently accurate and user-acceptable for universal application. Multimodal biometrics can provide a more adaptable solution to the security and convenience requirements of many applications. However, such an approach can also lead to additional complexity in the design and management of authentication systems. Additionally, complex hierarchies of security levels and interacting user/provider requirements demand that authentication systems are adaptive and flexible in configuration. In this paper we consider the integration of multimodal biometrics using intelligent agents to address issues of complexity management. The work reported here is part of a major project designated IAMBIC (Intelligent Agents for Multimodal Biometric Identification and Control), aimed at exploring the application of the intelligent agent metaphor to the field of biometric authentication. The paper provides an introduction to a first-level architecture for such a system, and demonstrates how this architecture can provide a framework for the effective control and management of access to data and systems where issues of privacy, confidentiality and trust are of primary concern. Novel approaches to software agent design and agent implementation strategies required for this architecture are also highlighted. The paper further shows how such a structure can define a fundamental paradigm to support the realisation of universal access in situations where data integrity and confidentiality must be robustly and reliably protected .     

A review on performance,security and various biometric template protection schemes for biometric authentication systems

Identifying a person based on their behavioral and biological qualities in an automated manner is called biometrics. The authentication system substituting traditional password and token for authentication and relies gradually on biometric authentication methods for verification of the identity of an individual. This proves the fact that society has started depending on biometric-based authentication systems. Security of biometric authentication needs to be reviewed and discussed as there are multiple points related to integrity and public reception of biometric-based authentication systems. Security and recognition accuracy are the two most important aspects which must be considered while designing biometric authentication systems. During enrollment phase scanning of biometric data is done to determine a set of distinct biometric feature set known as biometric template. Protection of biometric templates from various hacking efforts is a topic of vital importance as unlike passwords or tokens, compromised biometric templates cannot be reissued. Therefore, giving powerful protection techniques for biometric templates and still at that very moment preparing great identification accuracy is a good research problem nowadays, as well as in the future. Furthermore, efficiency under non-ideal conditions is also supposed to be inadequate and thus needs special attention in the design of a biometric authentication system. Disclosure of various biometric traits in miscellaneous applications creates a severe compromise on the privacy of the user. Biometric authentication can be utilized for remote user authentication. In this case, the biometric data of users typically called templates are stored in a server. The uniqueness and stability of biometrics ended it useful over traditional authentication systems. But, a similar thing made the enduring harm of a user’s identity in biometric systems. The architecture of the biometric system leads to several hazards that lead to numerous security concerns and privacy threats. To address this issue, biometric templates are secured using several schemes that are categorized as biometric cryptosystems, cancelable biometrics, hybrid methods, Homomorphic Encryption, visual cryptography based methods. Biometric cryptosystems and cancelable biometrics techniques provide reliable biometric security at a great level. However, there persist numerous concerns and encounters that are being faced during the deployment of these protection technologies. This paper reviews and analyses various biometric template protection methods. This review paper also reflects the limitations of various biometric template protection methods being used in present times and highlights the scope of future work.

     

生物认证系统设计研究

可靠的身份认证是保证信息系统安全的第一道防线,生物认证技术的出现为保护信息系统的安全提供了一种更可靠安全的方法。该文先分析一个通用生物认证系统结构参考模型,然后详细分析要设计一个完整的生物认证系统必须考虑的主要因素,并给出一个已经实现的生物认证系统设计实例。     

A practical implementation of fuzzy fingerprint vault for smart cards

Biometric-based authentication can provide strong security guarantee about the identity of users. However, security of biometric data is particularly important as the compromise of the data will be permanent. To protect the biometric data, we need to store it in a non-invertible transformed version. Thus, even if the transformed version is compromised, the actual biometric data remain safe. Fuzzy vault is a cryptographic construct to secure critical data with the fingerprint data. In this paper, we implement the fuzzy fingerprint vault, combining fingerprint verification and fuzzy vault scheme to protect fingerprint templates, for the smart card environment. To implement the fuzzy fingerprint vault as a complete system, we have to consider several practical issues such as automatic fingerprint alignment, verification accuracy, template size for storing in the smart card, execution time, error correcting code, etc. Especially, we handled the fingerprints having a few minutiae by applying an adaptive degree of the polynomial, and thus our implementation result can be used for real, large-scale applications.     

An anonymous and efficient remote biometrics user authentication scheme in a multi server environment

As service demands rise and expand single-server user authentication has become unable to satisfy actual application demand. At the same time identity and password based authentication schemes are no longer adequate because of the insecurity of user identity and password. As a result biometric user authentication has emerged as a more reliable and attractive method. However, existing biometric authentication schemes are vulnerable to some common attacks and provide no security proof, some of these biometric schemes are also either inefficient or lack sufficient concern for privacy. In this paper, we propose an anonymous and efficient remote biometric user authentication scheme for a multi-server architecture with provable security. Through theoretical mathematic deduction, simulation implementation, and comparison with related work, we demonstrate that our approach can remove the aforementioned weaknesses and is well suited for a multi-server environment.     

Implementation of Biometric Systems — Security and Privacy Considerations

As biometric systems are deployed within security systems, or as part of identification programs, implementation issues relating to security and privacy need to be considered. The role of a biometric system is to recognize (or not) an individual through specific physiological or behavioral traits. The use of the word ‘recognize’ is significant — defined in the Oxford Dictionary as “identify as already known”. In other words, a biometric system does not establish the identity of an individual in any way, it merely recognizes that they are who they say they are (in a verification or a ‘positive identification’ system), or that they were not previously known to the system (in a ‘negative identification’ system, for example, to avoid double enrollment in a welfare system). This tie between the actual identity of an individual and the use of biometrics is subtle and provokes much debate, particularly relating to privacy and other societal issues. This paper seeks to clarify come of these issues by providing a framework, and by distinguishing between technology and societal issues.     

Cancellable biometrics and annotations on BioHash

Lately, the once powerful one-factor authentication which is based solely on either password, token or biometric approach, appears to be insufficient in addressing the challenges of identity frauds. For example, the sole biometric approach suffers from the privacy invasion and non-revocable issues. Passwords and tokens are easily forgotten and lost. To address these issues, the notion of cancellable biometrics was introduced to denote biometric templates that can be cancelled and replaced with the inclusion of another independent authentication factor. BioHash is a form of cancellable biometrics which mixes a set of user-specific random vectors with biometric features. In verification setting, BioHash is able to deliver extremely low error rates as compared to the sole biometric approach when a genuine token is used. However, this raises the possibility of two identity theft scenarios: (i) stolen-biometrics, in which an impostor possesses intercepted biometric data of sufficient high quality to be considered genuine and (ii) stolen-token, in which an impostor has access to the genuine token and used by the impostor to claim as the genuine user. We found that the recognition rate for the latter case is poorer. In this paper, the quantised random projection ensemble based on the Johnson–Lindenstrauss Lemma is used to establish the mathematical foundation of BioHash. Based on this model, we elucidate the characteristics of BioHash in pattern recognition as well as security view points and propose new methods to rectify the stolen-token problem.     

Improving the security of ‘a flexible biometrics remote user authentication scheme’

Recently, Lin–Lai proposed ‘a flexible biometrics remote user authentication scheme,’ which is based on El Gamal's cryptosystem and fingerprint verification, and does not need to maintain verification tables on the server. They claimed that their scheme is secured from attacks and suitable for high security applications; however, we point out that their scheme is vulnerable and can easily be cryptanalyzed. We demonstrate that their scheme performs only unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their scheme is susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Lin–Lai's scheme. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication. Moreover, some standards for biometric-based authentication are also discussed, which should be followed during the development of biometric systems.     

A telebiometric system mechanism model and biometric network protocol for the security of networked manufacturing

Networked manufacturing changes conventional enterprise activities. With a networked manufacturing system, enterprises are able to perform a range of activities, such as product planning, design, production, and marketing, in collaboration with international partners, regardless of geographical location. However, strict security measures are required, as the authentication and information transfers for networked manufacturing are conducted over a network. With the development of biometric technology, more and more enterprises are using the unique biometric data of individuals to verify the identity of users, in order to restrict and provide access to technology research centers or factory facilities. This paper analyzes the vulnerabilities of the biometric system used for access control and the authentication of access to confidential information in the networked manufacturing system. In addition, the biometric systems that can be built in an open network environment are classified into 9 general models, and a biometric network protocol is suggested that is secure and compatible with international standards.     

一种基于同态加密的分布式生物特征认证协议

分布式生物特征认证系统因不依赖弱口令或硬件标识物而获得高的可靠性、安全性和便利性,但也因生物特征存在永久失效和隐私泄露的风险而面临更多的安全威胁.基于同态加密技术的生物特征认证方案允许特征向量在密文域匹配以保护向量安全和用户隐私,但也因此要在密文域执行昂贵的乘法运算,而且还可能因为向量封装不当而遭受安全攻击.在Brakerski等人同态加密方案的基础上提出了一种安全向量匹配方法,并在该方法的基础上设计了一个口令辅助的生物特征同态认证协议.该协议无需令牌等硬件标识物,注册时只需将带有辅助向量的特征模板密文和辅助向量外包存储,认证时服务器使用辅助向量匹配法完成模板向量和请求向量的相似性评估即可实现用户身份认证.基于Dolev-Yao攻击者模型变种和分布式生物特征认证系统所面临的主要攻击手段对协议进行了安全性分析,并通过和另外2个基于RLWE(learning with error over ring)同态的生物特征认证协议的对比分析,证明了新协议在隐私保护和向量匹配效率方面更具优势.     

Secure multimodal biometric authentication with wavelet quantization based fingerprint watermarking

As malicious attacks greatly threaten the security and reliability of biometric systems, ensuring the authenticity of biometric data is becoming increasingly important. In this paper we propose a watermarking-based two-stage authentication framework to address this problem. During data collection, face features are embedded into a fingerprint image of the same individual as data credibility token and secondary authentication source. At the first stage of authentication, the credibility of input data is established by checking the validness of extracted patterns. Due to the specific characteristics of face watermarks, the face detection based classification strategies are introduced for reliable watermark verification instead of conventional correlation based watermark detection. If authentic, the face patterns can further serve as supplemental identity information to facilitate subsequential biometric authentication. In this framework, one critical issue is to guarantee the robustness and capacity of watermark while preserving the discriminating features of host fingerprints. Hence a wavelet quantization based watermarking approach is proposed to adaptively distribute watermark energy on significant DWT coefficients of fingerprint images. Experimental results which evaluate both watermarking and biometric authentication performance demonstrate the effectiveness of this work.     

标准模型下隐私保护的多因素密钥交换协议

多因素认证密钥交换协议融合多种不同的认证因素来实现强安全的身份认证和访问控制,在具有高级别安全应用需求的移动泛在服务中具有巨大的应用潜力.现阶段多因素协议的研究成果还不丰富,并且已有协议都是在随机预言模型下可证明安全的.以两方口令认证密钥交换协议、鲁棒的模糊提取器以及签名方案为基本组件提出了一个标准模型下可证明安全的多因素协议.本文的协议中服务器不知道用户的生物模板,因此实现了对生物信息的隐私保护.与已有的随机预言模型下的多因素协议相比,本文的协议在满足更高安全性的同时具有更高的计算效率和通信效率,因此更满足高级别安全的移动泛在服务的应用需求.     

结合生物特征识别技术的网络安全认证系统设计

随着信息技术的飞速发展,生物特征识别技术正在被越来越广泛地应用到数据库和商业系统的访问控制中。这些应用需要采用一定的措施来抵御对安全的威胁。在涉及到一个开放的网络环境下的认证问题时,例如非面对面的交易中,加密技术(公钥加密术和数字签名技术)被采用来防止对生物认证信息的无授权的使用,同时保证数据的完整性。该文提出了一种包含可信任的第三方的网络认证结构,其结合了手形认证技术和加密技术。并开发了一种应用于基于网络环境的原型系统。对此模型的初步评估结果是令人满意的。类似的技术可以被应用到更加灵活的应用中。     

Fingerprint-Based Identity Authentication and Digital Media Protection in Network Environment

Current information security techniques based on cryptography are facing a challenge of lacking the exact connection between cryptographic key and legitimate users. Biometrics, which refers to distinctive physiological and behavioral characteristics of human beings, is a more reliable indicator of identity than traditional authentication system such as passwords-based or tokens-based. However, researches on the seamless integration biometric technologies, e.g., fingerprint recognition, with cryptosystem have not been conducted until recent years. In this paper, we provide an overview of recent advancements in fingerprint recognition algorithm with a special focus on the enhancement of low-quality fingerprints and the matching of the distorted fingerprint images, and discuss two representative methods of key release and key generation scheme based on fingerprints. We also propose two solutions for the application in identity authentication without trustworthy third-party in the network environment, and application in digital media protection, aiming to assure the secrecy of fingerprint template and fingerprint-based user authentication.     

Biometrics in Identity Management Systems

Biometric technology - the automated recognition of individuals using biological and behavioral traits - has been presented as a natural identity management tool that offers "greater security and convenience than traditional methods of personal recognition." Indeed, many existing government identity management systems employ biometrics to assure that each person has only one identity in the system and that only one person can access each identity. Historically, however, biometric technology has also been controversial, with many writers suggesting that biometrics invade privacy, that specific technologies have error rates unsuitable for large-scale applications, or that the techniques "are useful to organizations that regulate the individual, but of little use where the individual controls identification and authorization." Here, I address these controversies by looking more deeply into the basic assumptions made in biometric recognition. I'll look at some example systems and delve into the differences between personal identity and digital identity. I'll conclude by discussing how those whose identity is managed with biometrics can manage biometric identity management.     

Evaluation of a template protection approach to integrate fingerprint biometrics in a PIN-based payment infrastructure

Biometric authentication has a great potential to improve the security, reduce cost, and enhance the customer convenience of payment systems. Despite these benefits, biometric authentication has not yet been adopted by large-scale point-of-sale and automated teller machine systems. This paper aims at providing a better understanding of the benefits and limitations associated with the integration of biometrics in a PIN-based payment authentication system. Based on a review of the market drivers and deployment hurdles, a method is proposed in which biometrics can be seamlessly integrated in a PIN-based authentication infrastructure. By binding a fixed binary, renewable string to a noisy biometric sample, the data privacy and interoperability between issuing and acquiring banks can improve considerably compared to conventional biometric approaches. The biometric system security, cost aspects, and customer convenience are subsequently compared to PIN by means of simulations using fingerprints. The results indicate that the biometric authentication performance is not negatively influenced by the incorporation of key binding and release processes, and that the security expressed as guessing entropy of the biometric key is virtually identical to the current PIN. The data also suggest that for the fingerprint database under test, the claimed benefits for cost reduction, improved security and customer convenience do not convincingly materialize when compared to PIN. This result can in part explain why large-scale biometric payment systems are virtually non-existent in Europe and the United States, and suggests that other biometric modalities than fingerprints may be more appropriate for payment systems.     

CED-Net: context-aware ear detection network for unconstrained images

Pattern Analysis and Applications - Personal authentication systems based on biometric have seen a strong demand mainly due to the increasing concern in various privacy and security applications....     

基于生物识别的网络身份认证新方案

文章分析了现今基于生物识别技术的网络认证没被广泛应用的原因：生物特征的提取一般需要特殊的专用设备、指纹的利用比较泛滥、生物特征遗失后挂失比较困难等。文章同时对比了几种比较主流的生物特征识别技术,分析了它们各自的实用性、便捷性以及安全性,指出生物3D打印技术在未来对生物识别技术带来冲击的可能。文章提出了一种基于动态人脸识别的网络认证方案,该方案利用人脸作为网络认证的基础,通过跟踪实时人脸活动来实现实时人脸图像的采集,预防了照片攻击和视频攻击,提高了认证的可靠性和安全性。文章最后通过分析该方案的可实现性、可叠加性和安全性,并从成本等方面考虑,得出该方案性能较优的结论,同时对生物识别技术应用于网络认证进行了展望。由于生物特征具有唯一性和不可重置的特点,所以生物特征保护需要引起更高的关注,也需要更多学者做相关的研究,更好地利用生物特征。     

生物特征识别模板保护综述

生物特征识别(biometric authentication, BA)已经成为一种重要的身份鉴别手段,但当前部署的很多BA系统在保护用户生物特征数据的安全性和隐私性方面考虑不足,成为阻碍BA技术推广应用的一个关键障碍.BA系统可能面临来自软件和硬件的多种攻击,针对生物特征模板的攻击是其中最常见的一种．已经有很多技术文献致力于应对这种类型的攻击,但现有的综述性文献存在论述不全面或内容冲突等问题．为系统总结针对生物特征模板的攻击与保护技术,首先介绍了BA系统的相关概念、体系架构以及安全性与隐私性的内涵,然后阐述了BA系统面临的典型模板攻击方法.随后,将BA系统模板保护技术归纳为基于变换的方法和基于加密的方法2个类别,阐述并分析了每个类别中的经典方法与新兴技术．最后,指出了构建安全BA系统可能面临的几个主要困难与可能的解决思路.     

Cybertwin中的格上生物特征认证密钥交换协议

针对基于Cybertwin的网络架构中通信双方存在信道安全以及隐私保护的问题,提出新的格上认证密钥交换协议。使用生物特征认证技术实现Cytertwin服务下的用户实名制登录和强身份认证需求,保证Cybertwin服务对用户网络行为的审计和追踪。通过引入通信方身份信息构造格上抗碰撞哈希函数,使身份信息在公共信道传输过程中能够应对量子威胁,同时满足用户匿名性和不可追踪性。最后基于RLWE问题设计了新的和解机制,通过两轮交互共享安全会话密钥。协议在BPR模型下满足理论可证明安全,具有抗量子攻击、抗临时秘密值泄露攻击、抗生物特征猜测攻击等安全特性。仿真实验表明该协议计算和通信开销适用于Cybertwin服务下数量庞大的终端互连需求。