Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme
Embed Size (px)
Transcript of Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme
- Slide 1
Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme Slide 2 Biometrics Slide 3 Biometric authentication: Computer Authentication through Measurement of Biological Characteristics Slide 4 u Fingerprint scanning u Iris scanning u Voice recognition Types of biometric authentication u Many others... u Face recognition u Body odor Authenticating... Slide 5 Enrollment / Registration Template t Alice Slide 6 Enrollment / Registration Alice Server Slide 7 Authentication Server Slide 8 Authentication Alice Server Slide 9 Server verifies against template ? Slide 10 The Problem... Slide 11 Template theft Slide 12 Limited password changes First password Second password Slide 13 Templates represent intrinsic information about you Alice Theft of template is theft of identity Slide 14 Towards a solution Slide 15 password UNIX protection of passwords password h(password) Password Slide 16 Template protection? h( ) Slide 17 Fingerprint is variable u Differing angles of presentation u Differing amounts of pressure u Chapped skin Don t have exact key! Slide 18 We need fuzzy commitment ( ) Slide 19 Seems counterintuitive u Cryptographic (hash) function scrambles bits to produce random- looking structure, but uFuzziness or error resistance means high degree of local structure Slide 20 Error Correcting Codes Slide 21 Noisy channel Alice Bob Alice, I love crypto s Slide 22 Error correcting codes Alice Bob 110 Slide 23 g 111 111 000 Function g adds redundancy Bob M 3 bits C 9 bits c Message space Codeword space g Slide 24 Error correcting codes Alice Bob 111 111 000 0 1 Slide 25 101 111 100 111 111 000 f c C Function f corrects errors Alice f Slide 26 Alice uses g -1 to retrieve message 9 bits C M 3 bits Alice g-1g-1 c Alice gets original, uncorrupted message 110 Slide 27 Constructing C Slide 28 Idea: Treat template like message W g C(t) = h(g(t)) Slide 29 What do we get? uFuzziness of error-correcting code u Security of hash function-based commitment Slide 30 Problems Davida, Frankel, and Matt (97) u Results in very large error-correcting code u Do not get good fuzziness u Cannot prove security easily u Dont really have access to message! Slide 31 Our (counterintuitive) idea: Express template as corrupted codeword u Never use message space! Slide 32 Express template as corrupted codeword W t w t = w + Slide 33 t = w + h(w) Idea: hash most significant part for security Idea: leave some local information in clear for fuzziness Slide 34 How we use fuzzy commitment... Slide 35 Computing fuzzy hash of template t u Choose w at random u Compute = t - w u Store (h(w), ) as commitment (h(w), ) Slide 36 Verification of fingerprint t u Retrieve C(t) = (h(w), ) u Try to decommit using t: Compute w = f(t - ) Is h(w) = h(w)? ? Slide 37 Characteristics of u Good fuzziness (say, 17%) u Simplicity u Provably strong security I.e., nothing to steal Slide 38 Open problems u What do template and error distributions really look like? u What other uses are there for fuzzy commitment? Graphical passwords Slide 39 Questions?