Testimony of Alessandro Tommasi presentation biosig

Biometric Signature Verification

A Tomasi (1), M Sala (1), V Da Rold (1), G Sciarretta (2)

(1) University of Trento, Department of Mathematics
(2) Fondazione Bruno Kessler, Security and Trust

May 30, 2013

BioSigV

Outline

1 Biometric Authentication

2 Error correction

3 Hash functions

4 Fuzzy Commitment

Biometric Authentication

Authentication systems

Authentication systems can be based on several factors:

something you know,

something you have,

something you are.

password!

Biometric measures

Physical biometrics:

Pros:

Cannot be lost or forgotten

Difficult to forge

Cons:

Intrusive, or at least perceived as such

Difficult if not impossible to revoke

Present and future privacy issues: health, ethnicity etc.

Biometric signature I

A behavioural, non-intrusive measurement, familiar and widely accepted. Con: high variability.

Biometric signature II

Input data: [x,y,t,p,e]

Extracted features:

ID     Description
1      Number of Strokes
2      Time Duration
3      Aspect Ratio
4-5    X and Y Area
6-7    Average X and Y Velocity
8-9    Absolute Average X and Y Velocity
10-11  Average X and Y Acceleration
12-13  Initial X and Y
14-15  Final X and Y
16-20  M_{1,1}, M_{1,2}, M_{2,1} and M_{0,3}
21-30  X and Y Sub-Areas
31-40  X and Y Sub-Velocity
41-50  X and Y Sub-Accelerations
51-52  Height and Width
53-55  Mean X, Y and Pressure Value
56-58  Maximum X, Y and Pressure Value
59-61  Minimum X, Y and Pressure Value
62-63  Maximum X and Y Velocity

Genuines vs. forgeries

Some features are more distinguishing than others.

Error correction

Error correction

Consider the following scenario: a source sends a message m across a channel to a receiver. The channel is affected by noise, which modifies the signal.

Broadly speaking, an error correction scheme is composed of two algorithms, Encode and Decode, that modify the message to make it more resilient to errors e, so that

D(E(m) + e) = m

for sufficiently “small” e.

Linear block ECC I

Let F_q be the finite field with q elements and (F_q)^n be the linear space of all n-tuples over F_q.

Definition

Let k, n ∈ N such that 1 ≤ k ≤ n. A linear code C is a k-dimensional vector subspace of (F_q)^n.

Definition

If C is an [n, k]_q code, then any matrix G whose rows form a basis for C as a k-dimensional vector space is called a generator matrix for C.

The encoding procedure of a message m ∈ (F_q)^k into the word c ∈ (F_q)^n is just mG = c.

Linear block ECC II

Concretely, we split a message m into blocks of length k and map every possible m_k into a codeword, c. Crudely speaking, this is a more complex form of redundancy:

1 ↦ [111]

0 ↦ [000]

A code with minimum distance d can detect up to d − 1 and correct up to ⌊(d − 1)/2⌋ errors.

Cyclic Codes

Definition

An [n, k, d]_q linear code C is cyclic if the cyclic shift of a word is also a word, i.e.

(c_0, ..., c_{n−1}) ∈ C ⟹ (c_{n−1}, c_0, ..., c_{n−2}) ∈ C.

Consider the univariate polynomial ring F_q[x] and the ideal I = ⟨x^n − 1⟩. We denote by R the ring F_q[x]/I. We construct a bijective correspondence between the vectors of (F_q)^n and the residue classes of polynomials in R:

(v_0, ..., v_{n−1}) ↔ v_0 + v_1 x + ··· + v_{n−1} x^{n−1}.

We can view linear codes as subsets of the ring R, thanks to the correspondence above.

Generator Polynomial

Theorem

An [n, k, d]_q code C is cyclic iff C is an ideal of R.

Since R is a principal ideal ring (if C is not trivial) there exists a unique monic polynomial g that generates C. We call g the generator polynomial of C.

Let m = (m_0, ..., m_{k−1}) be a message to encode, and consider its polynomial representation m(x) in R. To obtain an associated word it is sufficient to multiply m(x) by the generator polynomial g(x):

c(x) = m(x)g(x) ∈ C.
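
The encoding c(x) = m(x)g(x) and the cyclic-shift property, worked through as an added example that is not part of the original slides. The parameters q = 2, n = 7 and g(x) = 1 + x + x^3 (the binary [7, 4, 3] Hamming code) are assumptions chosen for illustration.

```python
# Added example: cyclic encoding in R = F_2[x]/<x^n - 1>.
# A polynomial is stored as a Python int: bit i is the coefficient of x^i.
N = 7        # code length n (assumed)
G = 0b1011   # g(x) = 1 + x + x^3, a divisor of x^7 - 1 over F_2 (assumed)
K = N - 3    # k = n - deg(g) = 4

def mul_mod(a, b, n=N):
    """Multiply a(x) b(x) over F_2 and reduce modulo x^n - 1."""
    mask = (1 << n) - 1
    out = 0
    for i in range(n):
        if (a >> i) & 1:
            # x^i * b(x) mod (x^n - 1) rotates b's coefficients by i places
            out ^= ((b << i) | (b >> (n - i))) & mask
    return out

def encode(m):
    """Map the message polynomial m(x), deg m < k, to the word m(x) g(x)."""
    return mul_mod(m, G)

def cyclic_shift(c):
    """(c_0, ..., c_{n-1}) -> (c_{n-1}, c_0, ..., c_{n-2}): multiply by x in R."""
    return mul_mod(c, 0b10)

def codebook():
    """All q^k = 16 codewords of the code generated by g."""
    return {encode(m) for m in range(1 << K)}

def is_cyclic():
    """Check that the shift of every codeword is again a codeword."""
    book = codebook()
    return all(cyclic_shift(c) in book for c in book)

def min_distance():
    """For a linear code, d is the minimum weight of a non-zero codeword."""
    return min(bin(c).count("1") for c in codebook() if c)

if __name__ == "__main__":
    print(f"codewords={len(codebook())} cyclic={is_cyclic()} d={min_distance()}")
```

With d = 3 this code detects up to 2 errors and corrects 1 per word.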

Hash functions

Hash functions

A cryptographic hash function h maps messages of arbitrary length (1) into a fixed-length message digest. Hash functions are required to be:

one-way: given a known digest d generated by a known hash function h(·), it is infeasible to deduce m such that d = h(m);

collision resistant: it is infeasible to find explicitly two messages m_1, m_2 such that h(m_1) = h(m_2);

input sensitive: the smallest difference between two messages m_1, m_2 leads to completely different digests h(m_1), h(m_2).

(1) up to some very large maximum

Example: SHA-1

SHA-1: Secure Hash Algorithm [FIPS (2) 180-1]. Given an input message of length up to 2^64 bits, SHA-1 outputs a 160-bit string:

message                  SHA-1 digest
m’illumino di immenso    04DEC8C39C14B4E5AB284EE204C81D58F1A59936
mi illumino di immenso   666BCFA1CC6D6580F316AF077B85B9DE34055A57
Roma                     DE5429D6F4FA2C86427A50757791DE88A0B75C85
roma                     A6B6EA31C49A8E944EFE9ECBC072A26903A1461A

(2) Federal Information Processing Standard

Collision resistance

The collision resistance of hash functions can be measured in terms of their robustness against birthday attacks, i.e. the number of brute-force hash operations it takes, in probability, before we find two messages with the same hash by simply picking random messages from the whole message space. For an n-bit output hash, this is proportional to 2^(n/2).

Crudely speaking, assume we have a commercial PC capable of performing hashes at 1 GHz, i.e. 10^9 h(·) s^−1. A 128-bit digest hash such as SHA-1 will yield a collision in at most roughly 2 · 10^19 hashes, which would take at most 30 years. Adding processing power and finding vulnerabilities in the hash function significantly reduce the waiting time.

Fuzzy Commitment

Fuzzification

By applying a repeatable but non-invertible transform f(s) to the signature we commit enough biometric data to authenticate users, but as little as possible to preserve privacy. We do this based on thresholds.

The scheme at a glance

Enrolment(s):

1 generate a random message, r, and encode it (E(r))

2 sum the message with the fuzzy median signature, f(s)

3 commit enrolment data:

a hash of the message, h(r)

a user-specific string, u = E(r) + f(s)

the error correction capacity t corresponding to the user

Verification(s′, h(r), u, t):

1 subtract the fuzzy observed signature from the user’s string:

v = u − f(s′)
  = E(r) + f(s) − f(s′)
  = E(r) + e

2 correct the errors in the transmitted message: r′ = D(E(r) + e);

3 if h(r′) == h(r), accept the observed signature as authentic.
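
The enrolment and verification steps above, with the threshold-based f(s) from the Fuzzification slide, as an added example that is not the authors' code. Assumptions: binary features (so + and − are both XOR), the 3-fold repetition code from the Linear block ECC II slide, SHA-256 as h, and constructed feature values and thresholds; the capacity t is fixed by the code (one error per 3-bit block) instead of being stored per user.

```python
# Added example: fuzzy commitment over F_2, where + and - are both XOR.
import hashlib, hmac, secrets

REP = 3  # repetition code: 1 -> [111], 0 -> [000]; corrects 1 error per block

def fuzzify(features, thresholds):
    """f(s): keep one bit per feature, 1 if the feature exceeds its threshold."""
    return [int(x > th) for x, th in zip(features, thresholds)]

def encode(r):
    """E(r): repeat every message bit REP times."""
    return [b for b in r for _ in range(REP)]

def decode(v):
    """D(v): majority vote inside each block of REP bits."""
    return [int(sum(v[i:i + REP]) * 2 > REP) for i in range(0, len(v), REP)]

def digest(r):
    """h(r): SHA-256 is an assumption; the slides do not fix the hash."""
    return hashlib.sha256(bytes(r)).digest()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def enrol(features, thresholds):
    """Return the committed pair (h(r), u); neither r nor f(s) is stored."""
    k = len(thresholds) // REP
    r = [secrets.randbits(1) for _ in range(k)]  # toy length; a real r must be long
    u = xor(encode(r), fuzzify(features, thresholds))
    return digest(r), u

def verify(features, thresholds, h_r, u):
    """v = u - f(s') = E(r) + e; accept iff h(D(v)) == h(r)."""
    v = xor(u, fuzzify(features, thresholds))
    return hmac.compare_digest(digest(decode(v)), h_r)

# Constructed sample data: 12 features give a 12-bit f(s) and a 4-bit message r.
THRESHOLDS = [0.5] * 12
ENROLLED = [0.9, 0.1, 0.8, 0.2, 0.7, 0.9, 0.1, 0.3, 0.6, 0.8, 0.2, 0.9]
GENUINE = list(ENROLLED)
GENUINE[1], GENUINE[7] = 0.6, 0.7  # two bits flip, in different blocks
FORGERY = [0.1, 0.9, 0.2, 0.8, 0.3, 0.1, 0.9, 0.7, 0.4, 0.2, 0.8, 0.1]  # every bit differs

if __name__ == "__main__":
    h_r, u = enrol(ENROLLED, THRESHOLDS)
    print(verify(GENUINE, THRESHOLDS, h_r, u), verify(FORGERY, THRESHOLDS, h_r, u))
```

A genuine attempt with two flipped bits in the same block is rejected, which is the false-rejection side of the choice of t.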

Encoding choices

Block codes make sense for authentication schemes because we can precisely define the length of our encoded message (n). Furthermore, for MDS codes, i.e. ones for which strict equality holds in the Singleton bound d ≤ n − k + 1, we can uniquely associate an error correction capacity t with a given message and code length. We can also tweak t based on whether we want to make it easier for users to authenticate themselves or harder for forgers to gain access.

Privacy and cancelability

Cancelability: Since the random message r is generated at enrolment, any user can enrol the same signature again. The signature itself can be changed, since it is behavioural.

Privacy: A sufficiently long random message r and robust hash function h(·) ensure that the user’s biometric data cannot be recovered by anyone. Even if the data were recovered, all we have committed is a fuzzy version.

Enrolment

Authentication

Privacy and cancelability

Cancelability: Since the random message r is generated at enrolment, any user can enrol the same signature again. The signature itself can be changed, since it is a behavioural measure.

Privacy: A sufficiently long random message r and robust hash function h(·) ensure that the user’s biometric data cannot be feasibly recovered by anyone, whether thief or system administrator. Even if the data were recovered, all we have committed is a fuzzy version.

Performance

Assessed against both research and custom database, allowing two authentication attempts.

False Rejection Rate / Type I Error: 3.5%

False Acceptance Rate / Type II Error: 3.2%

Work commissioned by PayBay Networks Srl, part of QUI!Group
