Privacy and Security Assessment of Biometric Template Protection
Biometrics enables convenient authentication based on a person's physical or behavioral characteristics. In comparison with knowledge- or token-based methods, it links an identity directly to its owner. Furthermore, it cannot be forgotten or handed over easily. As biometric techniques have become more efficient and accurate, they are widely used in numerous areas. Among the most common application areas are physical and logical access control, border control, authentication in banking applications and biometric identification in forensics. In this growing field of biometric applications, concerns about privacy and security cannot be neglected. The advantages of biometrics can easily turn into the opposite. The potential misuse of biometric information is not limited to the endangerment of user privacy, although biometric data potentially contain sensitive information such as gender, race and state of health. Different applications can be linked through unique biometric data. Additionally, identity theft is a severe threat to identity management if revocation and reissuing of biometric references are practically impossible. Therefore, template protection techniques have been developed to overcome these drawbacks and limitations of biometrics. Their advantage is the creation of multiple secure references from the same biometric data. These secure references are supposed to be unlinkable and non-invertible in order to achieve the desired level of security and to fulfill privacy requirements.

The existing algorithms can be categorized into transformation-based approaches and biometric cryptosystems. The transformation-based approaches deploy different transformation or randomization functions, while the biometric cryptosystems construct secrets from biometric data. Their integration in biometric systems is commonly accepted in research, and their feasibility in terms of recognition performance has been demonstrated.
Despite the success of biometric template protection techniques, their security and privacy properties have been investigated only to a limited extent. This predominant deficiency is addressed in this thesis, and a systematic evaluation framework for biometric template protection techniques is proposed and demonstrated:

Firstly, three main protection goals are identified based on a review of the requirements on template protection techniques. The identified goals can be summarized as security, privacy protection ability and unlinkability. Furthermore, definitions of privacy and security are given which allow one to quantify the computational complexity of estimating a pre-image of a secure template and to measure the hardness of retrieving biometric data, respectively.

Secondly, three threat models are identified as important prerequisites for the assessment. Threat models define the information about biometric data, system parameters and functions that can be accessed during the evaluation or an attack. The first threat model, the so-called naive model, assumes that an adversary has very limited information about a system. In the second threat model, the advanced model, we apply Kerckhoffs' principle and assume that essential details of the algorithms as well as properties of the biometric data are known. The last threat model assumes that an adversary owns a large amount of biometric data, which allows him to exploit the inaccuracy of biometric systems. It is called the collision threat model.

Finally, a systematic framework for privacy and security assessment is proposed. Before an evaluation process, protection goals and threat models need to be clarified. Based on these, metrics measuring the different protection goals as well as an evaluation process determining the metrics are developed. Both theoretical evaluation with metrics such as entropy and mutual information and practical evaluation based on individual attacks can be used.
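To make the three protection goals and the entropy and mutual-information metrics concrete, the following added example (not code from the thesis) evaluates a constructed toy transformation-based scheme, one biometric bit XORed with a key bit, under three settings: independent secret keys per application, one secret key reused across applications, and a key that is fixed and known to the adversary. The bit probabilities, the XOR scheme and the function names are assumptions made for illustration.

```python
from itertools import product
from math import log2

def entropy(dist):
    """Shannon entropy in bits of a distribution {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def project(joint, *idx):
    """Marginal distribution of the selected coordinates of {tuple: probability}."""
    out = {}
    for key, p in joint.items():
        sub = tuple(key[i] for i in idx)
        out[sub] = out.get(sub, 0.0) + p
    return out

def mutual_information(joint):
    """I(X; Y) in bits from a joint distribution over pairs {(x, y): probability}."""
    px, py = project(joint, 0), project(joint, 1)
    return sum(p * log2(p / (px[(x,)] * py[(y,)])) for (x, y), p in joint.items() if p > 0)

def bernoulli(p_one):
    return {0: 1.0 - p_one, 1: p_one}

def xor_scheme(p_bio_one, p_key_one, same_key):
    """Joint distribution of (b, t1, t2) for a constructed toy scheme: one biometric
    bit b ~ Bernoulli(p_bio_one) and two protected bits t1 = b XOR k1, t2 = b XOR k2
    issued to two applications. same_key=True models reuse of one key (k2 = k1);
    p_key_one=1.0 models a key that is fixed and known to the adversary."""
    bio, key = bernoulli(p_bio_one), bernoulli(p_key_one)
    joint = {}
    for b, k1, k2 in product((0, 1), repeat=3):
        if same_key and k2 != k1:
            continue
        p = bio[b] * key[k1] * (1.0 if same_key else key[k2])
        triple = (b, b ^ k1, b ^ k2)
        joint[triple] = joint.get(triple, 0.0) + p
    return joint

def assess(p_bio_one, p_key_one, same_key):
    """Per-bit metrics for the three protection goals: security, privacy, unlinkability."""
    joint = xor_scheme(p_bio_one, p_key_one, same_key)
    return {
        "security_bits": entropy(project(joint, 1)),                    # H(t1): pre-image search space
        "privacy_leak_bits": mutual_information(project(joint, 0, 1)),  # I(b; t1): biometric info in template
        "linkability_bits": mutual_information(project(joint, 1, 2)),   # I(t1; t2): cross-application linkage
    }

if __name__ == "__main__":
    for args in ((0.3, 0.5, False), (0.3, 0.5, True), (0.3, 1.0, True)):
        print(args, assess(*args))
```

With the constructed parameters, independent secret keys give 1.0 / 0.0 / 0.0 bits for security / leakage / linkability, a reused secret key gives 1.0 / 0.0 / 1.0 (the templates are private but fully linkable), and a known key gives about 0.88 bits for all three, i.e. the template reveals the whole entropy of the biometric bit.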