Ileana Buhan - Research Highlights
Biometric-based technologies offer an elegant solution for human-machine authentication. With biometrics, events can be linked to a person. Biometric traits have high apparent entropy, they are easily available to their owner, and they are relatively immune to loss. The biggest concern related to biometric-based authentication is a compromise of the biometric trait, since it cannot be renewed. There are also privacy concerns. My research is focused on security aspects of biometric-based authentication. The three research directions are summarized below.

Threat Analysis of Biometrics Authentication Systems
Biometrics is attractive for a wide range of applications, such as physical access control and user identification. For some of these applications a low false accept rate, and thus high security, is more important, whereas for other applications a low false reject rate, and thus a user-friendly system, is more appropriate. It is known that these requirements are conflicting, and lowering the error rates of a biometric authentication system is thus the main focus of most research on biometrics. However, regardless of how low the error rates of a biometric system are, the system is of no use to us if the decisions it makes cannot be trusted. All parties involved in the system (physical modules, users, algorithms, etc.) should therefore behave as intended, and points of vulnerability in the intrinsic or physical functionality of a biometric authentication system should be eliminated. We propose to use the 3W-tree, an analysis tool, to identify critical attack scenarios for a biometric system. Analysis based on a 3W-tree leads to concrete questions regarding the security of the system. Questions raised by other methods (e.g. attack trees) do not reach the same level of specificity. Our method is more concrete than other methods because we make explicit assumptions about the generic architecture of the system, thus exposing all main components in the architecture that are vulnerable to attack. Our method is not less general than other methods because other architectural assumptions can be plugged in easily. Our method is intended to be used as a design aid. Published in ICB 2006. You can download the published paper.

Human Verifiable Device Authentication
Mobile devices are designed to interact anytime, anywhere. In many scenarios, however, it is desirable to associate devices in a secure way, for example when sharing contact information via a wireless link in an unsecured environment. This problem is known in the literature as secure device association. Solutions have to be specifically designed such that secure association can be realized between previously unassociated devices. Security means that the solution must offer guarantees of the association partner's identity and must be resistant to eavesdropping and to a man-in-the-middle attack. The ideal solution should provide a balance between security and ease of use. We propose a practical solution to the secure device association problem where biometrics are used to establish a common key between the pairing devices. Our approach has at least two major advantages. Firstly, it offers the possibility to transfer trust from humans to machines without any available security infrastructure. Biometric authentication offers physical validation, thus guaranteeing the identity of a device owner. Secondly, the process is short and user friendly. In the pairing protocol the keys extracted from biometric data are combined to form a session key.

The idea is both simple and effective. Suppose that two users wish to set up a secure communication channel. Both own a biometrically enabled handheld device (for example with face recognition biometrics). Both devices are equipped with a biometric sensor (a camera for face recognition) and a short-range radio. Each device is capable of recognizing its owner, for example by face recognition. The users then take each other's picture. Each device now contains a genuine template of its owner and a measurement that approximates the template of the other user. The idea is that each device calculates a common key from the owner template and the guest measurement.

In our solution, all Alice has to do to set up a secure communication with Bob is to take a picture of him and let Bob take a picture of her. The protocol is even more general: it can be applied on any type of biometric channel. To appear in IJSN (special issue on Secure Spontaneous Interaction) 2009 (Vol. 4(1)). You can find the paper and the slides.

Security with Noisy Data
The use of biometric features as key material in security protocols has often been suggested to avoid long passwords or keys. However, the use of biometrics in cryptography does not come without problems. It is known that biometric information lacks uniformity and is not exactly reproducible, which is the opposite of what is considered suitable for a cryptographic key. Fuzzy extractors allow cryptographic keys to be generated from noisy, non-uniform biometric data. They can be used to authenticate a user to a server without storing her biometric data directly. This is important because the server may well be untrusted. We show that there exists a relation between the strength of the keys extracted from biometric data and the quality of the biometric data in terms of FAR (false acceptance rate) and FRR (false rejection rate). We estimate min-entropy values for the cryptographic keys derived from continuous distributions, thus linking real-life continuous biometric distributions to methods like fuzzy extractors. We relate the min-entropy of the strings to the FAR, thus formalizing the intuition that the min-entropy of an extracted key (in bits) cannot be more than -log2(FAR). This last point motivates research into improving the FAR (i.e., the classification results) of biometric systems and is useful for evaluating the potential of the biometric data in the context of a specific cryptographic application. "Fuzzy Extractors for Continuous Distributions." Published in ASIACCS 2007. You can find the published paper, the extended version of the paper and the slides.

Like fuzzy extractors, a fuzzy embedder will leak (in the information-theoretic sense) information about both the biometrics and the cryptographic key. While both types of leakage are important, information leakage of the biometric data is critical since the cryptographic key, as opposed to biometric data, can be renewed. We propose to use dithering techniques to lower, or in some cases even to eliminate, the correlation between the secret biometric information and the data that is made public. We give a practical construction based on quantization data-hiding codes which requires a weak secret at the decoder. We show that if the secret is compromised, or if it is simply impossible to store secret information at the decoder, the security of the construction will degrade gracefully. We show that constructing fuzzy embedders which leak no information about the biometrics is theoretically possible. "Controlling Leakage of Biometric Information using Dithering". Accepted at EUSIPCO 2008. You can download the paper.
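
The fuzzy-extractor idea and the -log2(FAR) bound from the ASIACCS 2007 summary above, as an added example that is not code from the paper: it uses the standard binary code-offset construction with a repetition code rather than the paper's continuous-distribution method. `REP`, all function names and the sample bit strings are assumptions of this sketch.

```python
import hashlib
import hmac
import math
import secrets

REP = 5  # assumed repetition factor: each 5-bit block tolerates 2 flipped bits

def encode(secret_bits):
    # Repetition code: repeat every secret bit REP times.
    return [b for b in secret_bits for _ in range(REP)]

def decode(noisy_bits):
    # Majority vote inside each block of REP bits.
    return [int(sum(noisy_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(noisy_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def key_from(secret_bits):
    # SHA-256 stands in for a randomness extractor (assumption of this sketch).
    return hashlib.sha256(bytes(secret_bits)).digest()

def enroll(template_bits):
    # Server stores (helper, verifier) only, never the template itself.
    secret = [secrets.randbelow(2) for _ in range(len(template_bits) // REP)]
    helper = xor(template_bits, encode(secret))
    verifier = hashlib.sha256(key_from(secret)).digest()
    return helper, verifier

def authenticate(measurement_bits, helper, verifier):
    # Rebuild the key from a noisy re-measurement and compare its hash.
    key = key_from(decode(xor(measurement_bits, helper)))
    return hmac.compare_digest(hashlib.sha256(key).digest(), verifier)

def max_key_bits(far):
    # Bound stated in the text: min-entropy of the key <= -log2(FAR).
    return -math.log2(far)

# Constructed sample data (not real biometrics): a 40-bit template,
# a genuine re-measurement with 3 bit errors, and an impostor sample.
TEMPLATE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1] * 4
GENUINE = list(TEMPLATE)
for i in (3, 17, 38):  # one flipped bit in three different blocks
    GENUINE[i] ^= 1
IMPOSTOR = [1 - b for b in TEMPLATE[:20]] + TEMPLATE[20:]
```

The 8-bit secret is only large enough for illustration; `max_key_bits(0.001)` shows that a system with FAR = 0.1% supports fewer than 10 bits of key min-entropy, whatever the nominal key length.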
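
The effect of dithering on helper-data leakage described above, as an added example built on a generic scalar quantization-index-modulation scheme; it is not the construction from the EUSIPCO paper. The step `Q`, the function names, the sample values and the choice of the dither as the decoder's weak secret are assumptions of this sketch.

```python
import random

Q = 1.0  # assumed quantization step; decoding tolerates noise below Q/2

def embed(x, bit, dither=0.0):
    # Public helper w moves x + dither onto the nearest lattice point that
    # encodes `bit` (points 2*Q*m + bit*Q).
    y = x + dither
    c = 2 * Q * round((y - bit * Q) / (2 * Q)) + bit * Q
    return c - y

def extract(x_noisy, helper, dither=0.0):
    # Decoder: shift the noisy measurement, snap to the fine lattice Q*Z,
    # and read the key bit from the parity of the lattice index.
    return round((x_noisy + dither + helper) / Q) % 2

def leaked_residue(helper):
    # Without dither the helper alone reveals x mod Q, whatever the key bit.
    return (-helper) % Q

def helper_histogram(x, bit, n=4000, seed=1):
    # With a secret dither drawn uniformly from [0, 2Q), the helper should be
    # spread evenly over [-Q, Q) regardless of x; return the 4 bin fractions.
    rng = random.Random(seed)
    bins = [0, 0, 0, 0]
    for _ in range(n):
        w = embed(x, bit, dither=rng.uniform(0, 2 * Q))
        bins[min(3, int((w + Q) / (Q / 2)))] += 1
    return [count / n for count in bins]

# Constructed feature value (not real biometric data).
X = 3.37
W_PLAIN = embed(X, 1)                  # helper published without dither
W_DITHERED = embed(X, 1, dither=0.81)  # helper published with secret dither
# If the dither 0.81 is later disclosed, an observer can undo it and is back
# to the undithered leakage: (leaked_residue(W_DITHERED) - 0.81) % Q == X % Q.
```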