Cancelable Biometrics

Posted on February 25, 2006

When you find out that your credit card number has been compromised, you can easily cancel it and obtain a new number. The same goes for passwords, keys and most other credentials. So what can you do if your biometric has been compromised? Use a different finger?

Cancelable biometrics refers to a way of designing a biometric system such that the stored templates cannot be converted back into the raw biometric data. The idea is that at some point in the registration process a transformation is applied to the image, to the features extracted from the image, or even to the user's template/model, and the recognition process is then performed using the transformed data. For good security the transformation should probably be one-way, and the raw biometric image/data should be thrown away.

This way, if by nefarious (or plain incompetent) means someone bad gets access to the templates, they shouldn't be able to re-create the raw biometric data for the purpose of somehow fooling the system.
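As an added illustration (not code from this post, and not IBM's actual scheme), here is a toy cancelable template in Python: a random projection derived from an organisation-specific transform key, followed by sign quantisation, so that matching happens on the transformed bits and a leaked template can be cancelled by changing the key. The feature vectors, person ids and keys are all constructed for the example.

```python
import hashlib
import random

FEATURE_DIM = 16     # length of the (constructed) feature vector from the scanner
TEMPLATE_BITS = 32   # size of the stored, transformed template
MATCH_THRESHOLD = 6  # largest Hamming distance still accepted as the same person

def _projection(org_key: bytes):
    # Derive the organisation's transform (a random projection) from its secret
    # key, so changing the key changes the transform and every template it yields.
    seed = int.from_bytes(hashlib.sha256(org_key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(FEATURE_DIM)] for _ in range(TEMPLATE_BITS)]

def transform(features, org_key: bytes) -> int:
    """Many-to-one transform: project the features onto random directions and
    keep only the sign of each projection. Magnitudes are discarded, so many
    different feature vectors map to the same template and it cannot be inverted
    to a unique raw vector."""
    bits = 0
    for row in _projection(org_key):
        dot = sum(r * f for r, f in zip(row, features))
        bits = (bits << 1) | (1 if dot >= 0 else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def matches(probe_features, stored_template: int, org_key: bytes) -> bool:
    """Recognition runs entirely in the transformed domain."""
    return hamming(transform(probe_features, org_key), stored_template) <= MATCH_THRESHOLD

def constructed_sample(person_id: int, capture: int = 0, noise: float = 0.0):
    """Stand-in for feature extraction (constructed data, not a real biometric):
    a fixed per-person vector plus per-capture sensor noise."""
    person = random.Random(person_id)
    base = [person.gauss(0, 1) for _ in range(FEATURE_DIM)]
    jitter = random.Random(person_id * 1000 + capture)
    return [f + jitter.gauss(0, noise) for f in base]

KEY_A = b"example-org-transform-key-v1"  # constructed organisation keys
KEY_B = b"example-org-transform-key-v2"

if __name__ == "__main__":
    template = transform(constructed_sample(7), KEY_A)  # enrol, then drop the raw sample
    print(matches(constructed_sample(7, capture=1, noise=0.05), template, KEY_A))  # True
    print(matches(constructed_sample(8), template, KEY_A))                          # False
    print(matches(constructed_sample(7, capture=1, noise=0.05), template, KEY_B))  # False
```

Re-keying from KEY_A to KEY_B makes the old template useless to whoever stole it, but every user still has to present their biometric again to be re-enrolled under the new transform.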

Of course, there are a few caveats to this still.

  1. You need to trust the people who are capturing the raw biometric data (taking your mugshot, scanning your fingerprints, etc.), as they could easily keep the raw data, which could then be compromised through the same nefarious or incompetent means as above.
  2. You are still well and truly stuffed if someone does get access to your raw biometric data (i.e. takes a photo of you) through other means, because someone will find a way to fool the system if they know what it expects to see. Repeat after me: Biometrics are not secret. Biometrics cannot be secret. Remember that.

There was also a news article on cancelable biometrics (it inspired me to write this), but I don’t think it is very well written, especially this part:

The original image isn’t stored anywhere. And even if hackers could obtain the altered biometric, it would be of limited use as long as individual organizations maintained their own formulas for transforming images before scanning.

Therein lies the real advantage of the method. While a standard biometric can’t be torn up and reissued like a credit card or password — since it’s based on unchanging aspects of a person’s physical appearance — distortion makes that possible. A bank or an office building that had its biometrics compromised could register new ones simply by changing the way it transforms images.

That’s why IBM calls this “cancelable biometrics.”

Now it’s possible that what I’m talking about here and “Cancelable Biometrics” are actually not the same thing. But, anyway: To compromise the system above (assuming I have the altered biometric data) I still need to reconstruct the original biometric to present to the scanner, yes? Am I missing something? Just having access to the altered biometric is akin to having access to a user’s password hash, but not their password.

Now if I can easily reverse the alteration — which it seems I would have to do to compromise the system — then I have a non-altered biometric and, assuming I could fool the scanners with it, I could get into the system no matter what they changed the new alteration to. I could also get into any other system the victim uses the biometric to access (once again assuming I could fool the scanners).

But maybe I’m wrong. Maybe they can cut off the compromised user “by changing the way [they transform] images.” I hope they only have a few compromised users, because getting everyone to register their biometrics again on Monday morning will be a giant pain (remember, “the original image isn’t stored anywhere”).

Biometrics are not secret. Biometrics cannot be secret.

» Filed Under biometrics, research
