Identification and Key Distribution Based on Biometric Information

Transcription

1 Identification and Key Distribution Based on Biometric Information Prof. Dr. Valery Korzhik University of Telecommunications St. Petersburg (Russia)

2 1. Identification of users Alice y(password) Access control x=f(y) x f(.) one way function? Important remark: With the use of one-way function it is assumed that y is distributed trully randomly. Otherwise nothing is taken for granted. Defects of this approach: Good password can be forgotten by Alice, Storing of password in memory increases the risk of its theft, Short password can be easy memorized but it can be easy found by adversary 2

3 Alice К Conventional key application К(secret key) Encryption/decryption, Digital signature Shortcoming of this approach: The key that is storing in some memory can be stolen or erased How can we remove this defect? Use Alice s biometric or her psychology. «My body is my password»[1] + Psychology: say Alice s preferences are: young, rich and healthy men. 3

4 Biometrics as a source of passwords and keys The main types of biometrics: Palmprint verification, Iris biometric, Face recognition, Fingerprint system, Speaker recognition, Signature system, Keystroke biometrics, Vein pattern Ear Facial thermogram Gait Using a small subset of values from a large universe (e.g. favorite movies), A combining of methods. Remark: Both hardware and software to transform human biometrics into digital form were designed by many companies [1]. Defects of biometrical approach: Digital data producing by biometrics are not truly random and it is very difficult to reproduce them repeatedly. 4

5 Configuration of pattern recognition system [1] Physical variables Data acquisition Data preprocessing The main methods using in recognition: Image segmentation Pattern classification Discriminant functions Bayes and non-bayes classification Neural networks Support vector machine Feature extraction preprocessing Decision classification Class Model of recognition: X 1 X 2 X L -set of features x i1 x i2 x il -the feature of i-th user Then it is possible to store data as h( x ij ),where h OWF (one way function) L 2 However, if the recognition follows to the rule i = Arg min = ρ ( x, j ij x 1 ij ) i then h( x ij ) - cannot be used. 5

6 Methods to remove defects: 1. Recognition on biometrics. (Then the parameters have to store in secret) 2. The use of secure sketch [2] SS 3. The use of fuzzy extractors [2] FE Definition and properties of SS and FE. Non-formal definition: SS: (for identification on BI) ω ω s = f(ω) ω ω is close to ω FE: (for key generation on BI) ω ω R = R(ω) P = P(ω) R is truly random even if it is known P that is stored publicly ω ω is close to ω 6

7 Specification of the notion ω' is close to ω : 1. Hamming metrics ρ H ( ω, ω') = is the number of position in which binary vectors ω and ω' are different Example. ω = ρ H ( ω, ω') = 3 ω'= (This metrics is very natural for BI) 2. Set difference 1 ρ ( ω, ω' ) = ρ S S ( A, A' ) = AΔA', 2 where Δ is symmetric difference of the sets A and ' B is a cardinality of B. Example. U = {1,2,3,4,5,6 }, A U, A = 1,2,3, 4 Δ A. B U, B = 3,4,5,6, AΔB = 1,2,5,6 ρ S ( A, B) = 2 Psychometry: A selection of small subset from a large universe (e.g. favorite movies) 7

8 3. Edit distance 1 ρ e ( ω, ω') = (is the minimum number of omissions and insertions that 2 are needed in order to transform ω into ω ' ) Example. ω =1/ 01011ˆ ω ' = ρ e ( ω, ω') = 1 (This distance is very natural in recognition of handwritten text.) 8

9 3. Exact definition SS and FE: Let us Μ be metrix space, Μ = N, ρ(,) - is given metrix ( Μ, m, m', t) - SS is randomized mapping Μ ( ω ) {1,0} * with a following properties: (i) Rec(...) such that ω = Rec( ω', SS( ω)) for all ω, ω' Μ, ρ( ω, ω' ) t. ~ (ii) H ( W SS( W )) m' for any random variable W on Μ, having H ( W ) = m, where H ( W ) = log(max Pr( W )) W E s H ( W SS ( W ) = s) H ( W SS( W )) = log( {2 }) Remark: The condition (ii) makes impossible to recover W given s = SS(W ) unconditionally (that means that it cannot be recovered independently on computing power of opponent!) 9

10 ( Μ, m, l, t, ε ) - FE is determined by two procedures: (Gen, Rep): (i) Gen is randomized mapping l W Μ R {0,1 } P, for which SD( R, P, U l, P ) ε, if H ( W m. ) (ii) Rep is deterministic procedure R = Rep(ω', P), if ρ ( ω, ω') t, where SD ( X, Y ) - is statistical distance between two probability distributions on X and Y, e.g.: 1 SD ( X, Y ) = Pr ( X = v) Pr ( Y = v). 2 v Remark: The small value SD(...) means that the probability distribution on R } l {0,1 is close to uniform distribution ( U l ) close to truly random variable). even known P, (e.g. it is 10

11 Identification based on BI using SS Alice (BI) Initialization Identification ω ω Server for access control SS ω = Memory (s) Calculation Re c( ω,s) = ~ SS ~ ω ω = Calculation ( ) s Calculation ( ) s ~ Comparison s with. Taking a decision ṣ~ Remarks: 1. Storing s in memory does not require a protection 2. One way functions are not needed 3. Good statistical properties (close to truly randomness) for s=ss(ω) are not provided (but they are not required) 4. It is necessary to provide a condition H m 11

12 Key generation based on BI using FE Alice (BI) ω Calculation the key R Calculation P Memory (P, E) Encryption E = f ( M, R) Alice (BI) ω Calculation the key R( P,ω ) Decryption M = ϕ( E, R) Remarks: 1. Key R is close to truly random value. 2. Storing Р, Е in memory does not require protection. 3. Calculation and storing P can be performed in a reader of BI. 4. It is necessary to protect P against a forgery by adversary (the use of digital signature or robust fuzzy extractors see further) 12

13 4. Design of FE given SS and SE (strong extractors) Definition SE. SE is randomized mapping: {,1} n,{ 0,1} d { 0, 1 } l 0 such that for input strings ω { 0,1} n with arbitrary probability distribution but with min entropy at least m ; SD SE W,X,U l,x ε if X { 0, 1} d, ( X ) Ul Pr =. ( ( ) ), Clear demonstration of SE. This is a generator of good output randomness (close to uniform distribution) presented as binary string of shorter length l than it s input binary string of the length n that has bad randomness given short (length d) truly random seed, whereas the knowledge of this seed does not affect on good output randomness. 13

14 How to design FE given SE and SS? Let us assume that there is SS(M, m, m, t) and SE(n, m, l, ε) with l = m 2log( 1/ ε ). Then the following construction (Gen, Rep) gives FE(M, m, l, t, ε): Gen( W ; X, X 1 2 ): P = SS( ( W ; X 1 ), X 2 ), R = SE( W,X 2 ). X Rep ( W,P): W = RecSS ( W, P), R = SE( W,X 2 ). SS( ) Ω ω ω W,X 2 1 xx 2 2 X X1 X 2 REC SS ω Xx 22 14

15 Conclusion: In order to design FE we have to design both SS and SE. Construction SS for Hamming distance. Let C is (n,k,2t+1) error correcting code (not necessary linear). Then: SS(ω,x)= ω C(x), where x is chosen randomly and С(x) is a code word, x Encoder SS(ω,x) ω Rec(ω',SS(ω): ω' SS(ω,x)= ω' ω C(x)=e C(x), / e / t, where /e/ is Hamming weight of e. D(ω' SS(ω,x))=D(e C(x))=x, where D is a decoding procedure under the condition that C corrects at least t errors. Then ω= SS(ω,x) C(x). It can be proved [2] that: m' m-r, m,r. 15

16 Practical implementation of SS: If C is linear code then SS ( ω) = syn ( ω) (syndrom to w on the c code C), e.g. SS( ω ) = ωh, where H is check matrix of the code C. In this case a randomness X is not required at all! In fact, let us take s=ss(ω)= ωh and ω = ω e, where e is error pattern over the weight at most t. Then we have ω H=(ω e)h= = ωh eh that gives relation eh= ω H s. Since C is capable to correct all errors of the weight at most t, we can recover e on given syndrom eh. After that we can recover ω as follows: ω = ω e. If W U n, e.g. H ( W ) = m = n, then we get FE: R=X, P = ω C(X ), REP( ω, P) = D( P ω ) This construction does not work in general case, because if ω U n, then P gives a leakage of information about X=R. 16

17 In order to design FE it is necessary to design SE. Trevisan s extractor: w Error correcting code ( n~, n) u Block schemes S 1 : s11,s12,,s1v S2 : S i : Sl : s 21,s 22,,s 2v si1,si2,,siv sl1,sl2,,slv Random binary sequence(seed) 1 2 d γ Boolean function a 1, a 2,, a v f (a) i l Parameters of Trevisan s extractor: H ( W ) 2 n 1 n l = ; d = O log ; log c, v O log ; n~ 2 = 2 = 2 = 2 c log 2 c λ ε ε v 17

18 Almost universal class of hash functions[6] n l Definition. A family of mapping H = { h i } { 0,1} {0,1} is called δ -almost universal ( δ AU ), if for any x x : Pr( h i ( x) = hi ( x )) δ under uniformly selected hi from the set H.. l In a particular case when δ = 2 we get a conventional family of universal hash functions. Asymptotic behavior of parameters for some classes of AU hash functions has been considered in [6]. However constructive methods to design such hash functions are not sufficiently advanced. In application to authentication problem AU functions were used in [7]. 18

19 Reducing AU to SE Statement [8]. Let us consider any m, ε > 0 and l m 2l. Then if { { } n { } l } is AU for 2 H = h i : 0,1 0, 1 δ = 2 l (1 + ε ), it results in the fact that H is SE. Thus, if it is known how to design AU then it is known also how to design SE with some given parameters. But constructive methods to design AU are known not so much If Reducing of linear q-ary codes to SE [ T, k, (1 δ ] 1/ q ) T q is some q-ary linear code with given parameters, then the exists ( 1/ δ, q δ / 2) - extractor that can be presented as Extr ( ω, x) = [ C( ω)] x= i, where C (ω) - code words corresponding to ω and [.] x= i - is a random choice of i-th symbol. 19

20 How to use SE in a solution of key distribution problem [3, 4] Model of key distribution: X ( ε ) A A s Y( ) ε B B а) Е - is passive eavesdropper are any but: ε Α ε B, Α, ε B, ε E ε, ( 1 ε > ) 2 б) Е - is active eavesdropper but Ε 0 ( ε < ε ε ε ) Α < Ε, B Ε, E Z ( ε E ) Channel of public discussion Two main techniques to solve key distribution problem: 1. Privacy amplification (РА) 2. The use of SE 20

21 1. Privacy amplification (РА) X Y A h C C h Y ~ B K Noiseless channel of public discussion K ~ X, Y the strings received by A and B, C the string of check symbols to X (on the code V), h hash function Pr ~ ~ ( X = Y ) 1 Pr( K = K ) 1 21

22 Privacy amplification (continuation) I ( n t t l ) ( K / Z; C; h) 2 c ln 2, if AB ε AE ε <. where: n the length of the strings X,Y,Z; Z the string received by E; t the number of bits in С; l the length of the key К; t c Renyi information about the string X given Z. For BSC X Z with error probability ε AE, t c ( ( 2 log ε + ( ε ) 2 ) = N, AE 1 AE where ε AB = ε A + ε B 2ε Aε B, εae = εa + ε E 2ε Aε E If ε AB > ε AE, then it is necessary to perform some information exchange protocol over public discussion channel before hashing. 22

23 Hashing with class of universal hash functions [ x h] l K =, n where is multiplication over the field ( ) GF 2, [ ] l a choice of l bits from the string of the length n l. The strings h should be taken uniformly distributed. Defects of this technique: 1. If X(Y) are not truly random, then truly randomness of K is not taken for granted. 2. The strings h of the length n should be generated as truly random and transmitted over the channel. 3. Security of key distribution system is determined by Shannon s information leaking to eavesdropper. This criterion is not always convenient in order to estimate an efficiency of brute force attack against the key. 23

24 2. The use of SE in a key distribution S ( ) P m P m Y ~ P ω Channel of public discussion K ~ Г is the string (seed) of the length d Pr ~ ~ ( X = Y ) 1 Pr( K = K ) 1 K = SE( X, Г), ~ K = ~ SE( Y, Г), 24

25 The use of SE in a key distribution (continuation) I ( K/Z;C;Γ ) 2l ε [4], where ε = SD ( SE( X, Г ), U l, U d ) s Pr( min entropy = H ( X Z; C) n( ( 1 ε AE ) t s ) 1 2 ε is a function of H ( ), d and l and depends on a construction of SE (see below). Asymptotic [5]: ( ) m, SE ( n m) + 2log( 1 ) O( 1) d 2log( 1 ) O( 1) n, H ε 0 with the parameters: d = log ε + l = m + ε 25

26 The use of FE in a broadcast key distribution [9] Center of broadcasting P X 2 X 2 SE(X 2,w) SS(w) w P K noisy channels (P m,p w ) noiseless channel ω1 ω 2 ω 3 U 1 U 2 U 3 U m ω m REC SS (X 2,w 1 )... SE(w,X 2 ) K K K Z P K H k E K =? 26

27 Broadcast key distribution (continuation) ρ ( ω, ω) t H / z) k, H i (ω SD ( K, U / P, Z) ε It is obviously that this approach fails if wiretap channel is better than main (legal) channel. However it is still unclearly if it is better or not than the methods considered above as P m <P w. 27

28 (, m', t) m : Selection of SS parameters ~,, ' ) t H ( W) = m, H ( W SS( W )) m' SS W ) = sync ( ω ) = ωh ρ( ω ω (, where H is check matrix of some (n,n-r) linear code. n is the length of the string ω, r is the number of check symbols. Interconnection of the parameters n, r and t is due to Varshamov -Gilbert bound: r=nh(2t/n); H(x)= xlogx + (1-x)log(1-x). How to determine the requirement to m? If the best method of statistical finding ω on SS(ω) is used, then the s probability of success after L = 2 trails of ω is P s m = 2. How to find m for BI? This is open problem. (Experimental testing with an estimation Н(ω) and then an estimation of H (ω) ). 28

29 Robust fuzzy extractors (RFE) Definition This is ordinary FE with the parameters (m, l, t, ε), that in addition provides the probability of undetected substitution P to any P P at ' most δ for any strings ( ω,ω ). Parameters of RFE: (m, l, t, ε, δ). Interconnection between parameters is determined by the following assertion[9]: Let ω = n and (m, m-k, t) is SS for Hamming metrix. Then there exists construction [9] of (m, l, t, ε, δ) robust extractor for appropriated choice of v and any m, l, t, ε, δ, if 2 ( en / t) 2log( n / f ) O() 1 l 2m n k 2t log ε. However construction of RFE is complex enough and it is questionably the need in protection against active attack when the key is generated from BI. 29

30 Open problems 1. Which of BI is preferentially? 2. How can we estimate H (ω), where ω is BI? 3. How can be established a secure level of H (ω/ss (ω)) for SS and ε for FE. 4. Constructive design of SE given its complexity. 5. Parameter optimization for SS and FE. 6. Parameter optimization for broadcast key distribution system based on FE technique. 7. Practical implementation of identification systems based on particular types of BI. 8. Design of SS and FE for Euclidian metrics on the plane. 30

31 References 1. Zhang D.D. Automated Biometrics. Technologies and Systems. Wiley and Sons, Dodis Y., Reyzin L., Smith A. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. Lecture Notes in Computer Science 3027, p , Springer-Verlag, Maurer U., Wolf S. Secret-key agreement over unauthenticated public channels - part III: Privacy amplification. IEEE Transactions on Information Theory, 2003, April, Vol. 49, No. 4, pp V. Yakovlev, V. Korzhik, M. Bakaev, Key Distribution protocols with the use of extractors based on noisy channels under the condition of active eavesdropper Problems of Information Security (in Russian), N2, 2006, pg Trevisan L. Construction of extractors using pseudo-random generator. Proceedings of the 31 annual ACM symposium on theory of computing, Atlanta, 1999, pp Stinson D.R. Universal hashing and authentication codes. LNCS, v Korjik V., Morales-Luna G. Hybrid authentication based on noisy channels. International Journal of information security, 2003, vol. 1, No. 4, pp Hasted J. et. al, Construction of pseudorandom generator from any one-way function. SIAM J. of Computing, 28(4), 1999, p Dodis Y. et. al, Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets. Proc. of EUROCRYPT Maurer U. Information-theoretically secure secret-key agreement by NOT authenticated public discussion. Advances in Cryptology EUROCRYPT 97. Berlin, Germany: Springer-Verlag, 1997, vol. 1233, pp V. Yakovlev, V. Korzhik, G. Morales-Luna, Key Distribution Protocols Based on Noisy Channels in Presence of Active Adversary: Conventional and New Versions with Parameter Optimization, IEEE Trans. on IT, Special Issue on Information Security. (submitted, 2007) 12. Bernadette Dorizzi and Carmen Garcia-Mateo, Multimedia Biometrics, Annals of telecommunications, vol.62,no.1,2,