Security Vulnerabilities Against Biometric System 1 Security … · 2018-05-21 · Security Vulnerabilities Against Biometric System 2 In the enrollment phase, the system administrator

Security Vulnerabilities Against Biometric System 1

Security Vulnerabilities AgainstFingerprint Biometric System

Mahesh Joshi1 Bodhisatwa Mazumdar1 Somnath Dey1

{phd1701101004, bodhisatwa, somnathd}@iiti.ac.in1Indian Institute of Technology Indore, India

ABSTRACT

The biometric system is an automatic identification andauthentication system that uses unique biological traits,such as fingerprint, face, iris, voice, retina, etc. of an indi-vidual. Of all these systems, fingerprint biometric system isthe most widely used because of its low cost, high matchingspeed, and relatively high matching accuracy. Due to thehigh efficiency of fingerprint biometric system in verifyinga legitimate user, numerous government and private orga-nizations are using this system for security purpose. Thispaper provides an overview of the fingerprint biometricsystem and gives details about various current securityaspects related to the system. The security concerns that weaddress include multiple attacks on the system, associatedthreat models, biometric cryptosystems, current issues,challenges, opportunities, and open problems that exist inpresent day fingerprint biometric systems.

KEYWORDS

biometric system, biometric attacks, threat model, secu-rity, vulnerability template protection schemes

I. INTRODUCTION

Traditionally, passwords and tokens are in use as standarduser authentication mechanisms. However, in recent times, bio-metric systems have ushered a new dimension to access controlsystems, and are widely used as a reliable and convenientmeans for user authentication. The primary purpose of using abiometric system is to provide non-repudiable authentication[1]. These systems have become a trusted authenticationmechanism in health-care, financial, retail, education, man-ufacturing, military, and law enforcement agencies [2]. Theyare also used in applications for the benefit of society suchas tracking child vaccination schedules, identifying missingchildren, and preventing fraud in food subsidies, etc [3].

Biometric systems recognize patterns, such as veins in thepalm, the texture of an iris, or the minutiae of a fingerprint [4].The fingerprint biometric system is a touch-based recognitionsystem, with comparatively small finger surface exposed tothe sensor for feature extraction and comparison, thus leadingto relatively high matching speed and accuracy with moderatecost. Due to these advantages, it has become the most widelyused and most convenient biometric authentication system.The Unique Identification Authority of India (UIDAI) initiatedby Government of India has so far issued more than 1110

million Aadhaar numbers the residents of India [5]. In this pro-cess, the biometric traits such as the fingerprints are collectedfrom every citizen to provide them with targeted deliveryof financial and other subsidies, benefits, and services. TheAadhaar process presents an alert to emphasize the securityaspect of the biometric system to preserve the privacy andsecurity of biometric traits of millions of people.

Even though biometric systems are reliable means of au-thentication as compared to password or token based system,it is not completely secure and have privacy concerns to worryabout. The security concerns of biometric-based applicationinclude the risks of stolen biometrics, replacing compromisedbiometrics, frauds done by administrators, denial of service,and intrusion etc. The biometric system also has limitationdue to which it falsely accept an impostor or falsely rejects agenuine user. The communication channel is highly insecureleading to interception of biometric data and thus losing theprivacy of an individual. In this paper, we provide an insightinto the fingerprint biometric recognition system and addresssecurity concerns that can be a threat to the system. We presentpossible attacks on the system components and communicationchannels between them, and ways to mitigate such attacks.

The organization of our paper is as follows. Section IIdiscusses the fingerprint biometric system briefly and itslimitations. Section III identifies fifteen vulnerable points inthe system, where the possibilities of an attack exist. SectionIV describes the attacks on the biometric system and theircountermeasures. Section V provides a glimpse of threat mod-els available in the literature. Section VI provides an insightinto the methods used for protecting the fingerprint template,such as cancelable biometrics and biometric cryptosystems.This section focuses on the application of cryptography insecuring biometric system. In Section III, we present the issuesand challenges for biometric recognition system. The researchopportunities, and open problems in the biometric systemare briefly discussed in Section VIII. Section IX draws theconclusion of the paper.

II. FINGERPRINT BIOMETRIC SYSTEM

The fingerprint biometric system is a pattern recognitiontechnique that recognizes a person based on a feature vectorextracted from the person’s fingerprint pattern. The stepsinvolved in a fingerprint biometric recognition system is shownin Fig. 1. These systems work in two phases, namely, anenrollment phase, and an authentication phase.

arX

iv:1

805.

0711

6v1

[cs

.CR

] 1

8 M

ay 2

018


In the enrollment phase, the system administrator performsthe registration of an individual to the biometric application.The user puts his finger on the surface of the sensor in an inputdevice. A user of the fingerprint biometric system interactswith the sensing device as he puts his finger on the sensor.The quality of fingerprint captured by the sensor depends onthe state of the finger, such as a wet or dry finger, a cut onthe finger, the pressure applied by finger, the durability ofthe sensor, etc., and environmental factors, such as humidity,and temperature. The technologies used for manufacturingfingerprint sensor include an optical sensor, capacitive sensor,pressure sensor, thermal sensor, an ultrasound sensor, etc.The image collected by the sensor is enhanced using imageenhancement module. The feature extraction module retrievesthe interesting features, shown in Fig. 2, from the fingerprintimage. The template protection module generates an encryptedbiometric template that is stored in a template database. Theadministrator enrolls the user by assigning his credentials tothe captured fingerprint.

The authentication phase verifies and identifies the claimedindividual. The “verification” involves checking whether thepresented biometric belongs to the claimed person. The “iden-tification” discloses who is associated with the submittedbiometric. In this phase, a user puts his finger on the systemand claims himself as a registered user. This attempt is termedas a live fingerprint.

Fig. 1: Fingerprint biometric system

The interesting features of a fingerprint image are shown

in Fig. 2. The impression where the finger surface touchesthe sensor forms dark lines in the image is termed as ridges,whereas the remaining surface is called valley. The flowpattern of ridges in a fingerprint is unique to the person inthat no two people with the same fingerprints have yet beenfound [6]. The ridges on the fingerprint image form differentshapes, such as a lake (a closed ridge surrounding a valley),the bifurcation of a single ridge, a short ridge, a dot (or anisland), bridge, crossover, etc. These complex characteristicscan be represented as a combination of two basic features, i.e.,ridge ending and ridge bifurcation. The points at ridge endingand ridge bifurcation form the minutia of a fingerprint [2].

An image quality checker follows the scanner in the system.The existing fingerprint quality metrics include, segmentation-based approaches, sum of pixels standard deviation (STD)of local block, NIST fingerprint image quality (NFIQ) level(1 − 5), etc. An NFIQ value of one indicates high qualitysamples, whereas the NFIQ value of five indicates poor qualitysamples. A good quality captured image depicts high contrastand bright ridge structure. An image quality assessment isperformed to detect a poorly captured fingerprint. Greenberg etal. [7] performed experiments to compare various fingerprintimage enhancement techniques and found that the techniquesbased on direct gray-scale enhancement perform better thanapproaches which require binarization (the process of convert-ing a gray-scale image into a binary image) and thinning asintermediate steps.

The enhanced image ridges are traced to create a binaryimage. This binary image skeleton undergoes thinning opera-tion to facilitate the extraction of minutia location, namely,the points of ridge ending and ridge bifurcation. A tem-plate normally contains only the information necessary forcomparison in the matcher module. ISO/IEC JTC1/SC37 forstandardization specifies three formats for fingerprint dataas minutia-based, pattern-based, and image-based. A minutiatemplate contains only the minutia information, such as,position, type, and angle etc. A pattern template contains onlypattern related information such as ridge structure. An imagetemplate typically stores the unmodified output of the sensordevice, such as the image of a fingerprint. The stored templateshould not reveal any data that can be replayed, and it shouldbe difficult for an adversary to guess or reverse engineer theoriginal biometric trait or any close replica from the storeddata [8].

Fig. 2: Features from fingerprint image


A stored template satisfying the following four characteris-tics is termed as protected:

1) The stored template must be irreversible in generatingthe original biometric data.

2) The matching score should not vary considerably due toacquisition noise or environmental changes.

3) It must ensure the user’s privacy.4) It must guarantee that the encrypted template retrieved

by the adversary from one database cannot be used formatching in another database for the same user withouthis consent.

The biometric template protection schemes aim at preservingthe user’s privacy while enhancing the security of storedtemplates. Section VI presents a detailed discussion of presentday template protection schemes.

Intrinsic limitations of biometric system: The matcher mod-ule compares the live input fingerprint template with the storedfingerprint templates. A false match error rate or false acceptrate (FAR) specifies the percentage of cases (or the probabilitywith which) the system accepts an intruder (non-enrolled) user.It is the ratio of number of attempts made by non-enrolledusers against the matching score when the system acceptssome of them as authorized user. The false non-match errorrate or false reject rate (FRR) determines the percentage ofcases (or the probability with which) the system rejects angenuine user. It is the ratio of number of attempts made byenrolled users against the matching score when the systemrejects some of them as unauthorized user. The predefineddecision threshold value of a biometric system is set to adefault value according to the requirement of a particularorganization. A high security application will have a higherthreshold, which means a high FRR and low FAR. A universityattendance system or a customer service facility center on theother hand has a comparatively low threshold. The system’sdecision depends on the matching score (a numerical value)which must be greater than or equal to a predefined thresholdfor a given biometric system. High-performance fingerprintrecognition systems can support error rates in the range of10−6 for false accept cases and 10−4 for false reject cases[9].

Fig. 3 shows the existence of a false match and a false non-match decision as a limitation of a biometric system. For alarge number of attempts by enrolled and non-enrolled users,the matches form a bell-shaped curve which overlap eachother. A high threshold, T2, removes all bad matches at thecost of allowing false-non matches. If the threshold is set toa lower value, T1, it eliminates most of the bad matches butfavors some false-matches. The equal-equal error rate (EER)for a fixed threshold occurs when the system’s false match andfalse non-match error rates are equal. Its value indicates theprobability where the FAR and FRR are same. The equal-equalerror rate is also termed as cross-over error rate. A biometricsystem with lower EER will be more accurate.

III. FINGERPRINT BIOMETRIC SYSTEM : FROM SECURITYPERSPECTIVE

Roberts identified the source of vulnerabilities for the bio-metric system that generated out of threats. These sources

Fig. 3: Error distribution curves depicting matching scores for anenrolled user and a non-enrolled user over a number matchingattempts.

are categorized into three types, namely, threat agent, threatvectors and system vulnerabilities [10]. A threat agent is anunauthorized individual who accesses the biometric system.Thus, an attacker, an impostor, or even a legitimate user can bea possible threat to the biometric system. All possible attackson the biometric system combine to form the threat vector.

We identify 16 attack points (AP) on the fingerprint bio-metric system as shown in Fig. 4. The system componentsand the insecure communication channel between these com-ponents form the probable attack points that render the systemsusceptible to numerous attacks. The possibility of attacksis mainly attributed to the design flaws in the system. Thesystem components in Fig. 4 are depicted in closed boxes.The arrow pointing from one component to another shows thetransmission of the output of one component to be fed as inputto the next component through a communication channel.

The security model in Fig. 4 is unique in several aspectsas compared to the existing threat models. We include thetemplate protection techniques’ module and identify the pres-ence of an attack on it that aim to reveal the biometric keyfor the cryptosystem. The successful attempts of side-channelattacks targeting the circuit technology implementation of thebiometric system are also included in our security model.During enrollment phase, the adversary can intercept thesecured template over the channel connecting the templateprotection technique module and the database. We addressdifferent attacks on the 16 attack points in the biometric systemin Section IV.

IV. ATTACK SCENARIOS

The fingerprint biometric system can be the target of thesystem administrator, an authorized user, a layman mountinga DoS attack on the biometric input instrument, or the bio-metric application such as an automated teller machine, or anadversary possessing a knowledge of the biometric system.The scenarios involving the system administrator are termedas insider attacks or administrative frauds.


Fig. 4: Vulnerabilities and attacks on different components of a fingerprint biometric system. A number corresponding to an arrow or adashed line represents an attack point (AP).

A. Direct and Indirect Attack

The biometric attacks are broadly classified as direct attacks(also known as presentation attacks) and indirect attacks [11].The adversary executes direct attacks by presenting the bio-metric characteristics of a registered user to the sensing deviceto access the system as authorized user. The attacker targetsthe input device or the application controlled by the biometricsystem for direct attack by damaging them, rendering thesystem inaccessible to such users. In Fig. 4 these attacks aredepicted as attack points, AP 1, AP 2, and AP 16. As thesensing device is an external component of the system and isaccessible to everyone, an attacker with no knowledge of theinternals of the biometric system can mount this attack [12].

Galbally et al. performed vulnerability evaluation of finger-print verification systems against direct attack that was carriedout with fake fingertips created from minutia templates in [13].Further, the authors conducted direct attack experiments usinga highly competitive ISO minutia-based matcher and fakefingers generated from ISO/IEC 19794-2 templates printedon plastic cards as 2D barcodes in [14]. The authors used

the FVC2006 DB2 database (FVC, 2006), captured withthe optical Biometrika FX3000 sensor. The work showedthat over 75% of direct attack attempts granted access tothe system. Matsumoto et al. demonstrated that 11 differentfingerprint recognition systems accepted artificially createdgummy (gelatin) fingers [15].

The indirect attacks expect the attacker to have an expertisein biometric systems. In order to mount an indirect attack,the adversary must know about the internals of the targetedsystem component. The person directly involved in these typesof attack can be an impostor or an authorized user. The in-terception of information transmitted over the communicationchannel, which target the internal components of the biometricsystem to override its output or manipulate the stored templateare examples of indirect attacks. The attack points other thanAP 1, AP 2, and AP 16 in Fig. 4 fall under this category.

B. Repudiation

An individual can take the benefit of the intrinsic limitationof the biometric system. The attacker can refuse to have ac-


cessed the system by arguing the false acceptance phenomenonassociated with the system. The bank technician who withdrewcash using the biometric application specified in Fig. 4 canpoint out the possibility of false acceptance by the biometricsystem.

C. Contamination or covert acquisition

The authorized user can unknowingly leave behind thetraces of his fingerprints in daily routine. The adversaryuses the fingerprint traces to generate fake fingerprint usingspoofing or constructing a mold by lifting latent fingerprint tomount the attack. An attempt to regenerate fingerprint imagefrom a stolen template is also an example of such attack. Theattacker can acquire the biometric of a user from biometrichome security application and use it to dispense cash fromthe biometric application in Fig. 4.

D. Coercion

The attacker can forcefully ask the authorized user to submithis biometrics to the input device, for example, at gunpoint.The attacker uses the biometric application with the user’sbiometric data for financial transactions. The possibility ofsuch incidents is high at automated teller machines havingan insecure infrastructure, no security personnel, impropersecurity measures like CCTV cameras.

E. Negligence

A legitimate user can hurriedly forget to log out fromthe biometric application while the attacker is noticing him.The adversary exploits such an incidence of negligence. Hecontinues the session pretending as an authorized user andcan carry out some more transactions or even access sensitiveinformation about the user

F. Insider attacks

The system administrator or the authorized person can helpin mounting an insider attack on the biometric system. Theadministrator reveals the flaws in the system to the attacker,or the legitimate user cooperates in executing such attacks.

1) Collusion: In collusion scenario, a legitimate user, suchas the system administrator with full access privileges isthe attacker. He illegally accesses and modifies the systemparameters, such as the predefined threshold. The attacker canchange the access rights of an authorized user.

2) Enrollment fraud or false enrollment: The administratoris the authority involved in the enrollment phase. He can helpthe attacker by enrolling as a legitimate user. The administratoris satisfied with a massive bribe for the illegal enrollment forentry into the government premises with high security.

3) Exception abuse: The exception handling procedure de-signed to facilitate authorized users in case of emergency canbecome a vulnerability to the system. The system administratoruses this facility to help the attacker access the system as anenrolled user. The system administrator resets the predefinedthreshold to a lower value such that the adversary can takebenefit of the false match error and become authorized.

Fig. 5: Methods employed for creating artificial fingerprints [16]

4) Function creep: The administrator can collect biometricsamples of an individual whose count may exceed than thatneeded to be stored for matching in the authentication phase.The other traits along with the personal information andgovernment identifiers of the user like Social Security Numberin US or Aadhaar number in India, can be sold to privateorganizations for financial or other malicious reasons.

The system should have multiple system administratorswith hierarchy having different levels of privileges so that anindividual authority cannot mount an insider attack, such ascollusion and exception abuse. An organization can distributethe responsibility of enrollment to several departments toavoid the possibility of an enrollment fraud. One departmentcan issue a smart-card cum identity card to every employeewhose document based verification is performed by anotherdepartment. This card can be used by a third department(performing enrollment process) to store his biometrics on thecard itself.

G. Sensor attacks

The sensor attacks define how an attacker can grant accessto the system with manipulated biometric submission to thesensor. The attacks on system input are specified as Type 1 inFig. 4. Since these attacks are carried out at the entry point ofthe biometric system, the security mechanisms implementedfor digital protection, such as cryptosystems are ineffective insuch scenarios.

1) Spoofing attack: The stolen or fake fingerprint submis-sion to a biometric system is termed as a spoofing attack. Aspoofing attack represents the presentation of false data, ora false biometric claiming to be legitimate, in an attempt tocircumvent the biometric system controls [10]. The spoofing isprobably the easiest way for an attacker to become authorized.To succeed, the attacker need not know about the internals ofthe matching or the encryption algorithm.

Fig. 5 shows various methods that can be used for creatingartificial fingerprints. In a cooperative method, the owner ofthe fingerprint is involved in the process of creation of anartificial impression of his fingerprint. The direct mold of alegitimate user is created using a dental impression material orplaster. The non-cooperative methods typically create artificialfingerprints by collecting the impressions left by the user atdifferent places. A powder and brush are used to create latentfingerprints by placing it on transparent material, such as glass.


Simple techniques, such as breathing, placing a water-filledplastic bag, or brushing graphite powder on the sensor havebeen used to reactivate latent fingerprints deposited on a sensor[16]. The use of a dead person’s finger to create his artificialfingerprint is termed as cadaver. The fingerprint synthesis isa technique to recreate a fingerprint from its stored template.The fingerprint reconstruction process can be moderated byemploying an iterative hill-climbing approach [17].

Fig. 6 shows various existing methods for fingerprint anti-spoofing. The hardware-based solutions are costly since a newhardware component needs to be added to the biometric sensor.Also, this solution may add a new threat to the system, so thesoftware-based solutions were more emphasized rather thana hardware-based solution. To derive dynamic features (e.g.,ridge distortion and perspiration), multiple frames of the samefingerprint image captured with two or five seconds intervalare analyzed. The existence of pores on finger results inperspiration and generates an image with a darker region nearpores. The spoofed finger does not possess this phenomenon,and thus generates almost same image over a short period.The change in gray level between the first and last images ina sequence can be measured by considering the local maximaand minima of the ridge signal [16].

When a real finger is put on the sensor (multiple times in ashort span), it produces distortion in the image due to pressingand moving the finger on the sensor surface. The distortioncan be analyzed by observing multiple frames at high framerate when the user presses or moves the finger. The textureproperties of a finger comprises its morphology, smoothness,and orientation. For a spoofed finger, these properties aredifferent than a live finger, for instance, the live finger surfaceis smoother than the spoofed one. In a static pore basedapproach, the live and spoofed fingerprint can be detectedby comparing their pore quantities. The presence of poresand locating pores on the surface is another approach usedto distinguish between spoofed and live fingerprint [18].

Feng at al. proposed an algorithm to detect altered fin-gerprints in [19]. Distorted fingerprints have unusual ridgepatterns which are not found in natural fingerprints. Suchfingerprints include abnormal spatial distribution of singularpoints or abrupt changes in orientation field along the scars[20]. The proposed algorithm classifies the fingerprint as anatural or altered fingerprint using a support vector machine

Fig. 6: Existing anti-spoofing approaches [16]. They are broadlyclassified into hardware and software based approaches.

(SVM) by employing the features extracted from ridge orienta-tion field. It is observed that the continuous orientation field ofa natural fingerprint is indeed continuous (i.e. no singularity)but for an altered fingerprint, the continuous component ofthe orientation field is discontinuous. The proposed algorithmextracts a feature vector, called as curvature histogram, fromthe continuous orientation field. The curvature histogram isinput to the support vector classifier to distinguish between anatural and an altered fingerprint. The work used real (human)and altered fingerprint in their experiments, and their proposedalgorithm could detect 92% of altered fingerprints.

2) Masquerade: A masquerade attack is a general termgiven to any attempt made by the adversary pretending as alegitimate user to access either the system or the informationand services of a registered user. The attacker in such casescreates fake fingers, or alters the fingerprint of the authorizeduser to mount a spoofing attack. The anti-spoofing approachesdiscussed above can help in mitigating masquerade attack.

3) Altered fingerprint submission: Altered fingerprints arereal fingers used to conceal ones identity to evade identificationby a biometric system, e.g., using an abrasive material tomanipulate the ridges of ones finger. Yoon et al. have compiledthe case studies of altered fingerprints by an individual [20].The authors classified the altered fingerprints as obliteration,distortion, and imitation. An obliterate fingerprint is a resultof a cut, burn, skin disease, or side effects of drugs.

4) Obfuscation: Obfuscation can be defined as a deliberateattempt by an individual to mask his identity from a biometricsystem by altering the biometric trait prior to its acquisitionby the system e.g. mutilating the ridges of ones fingerprint byusing abrasive material [20]. The altered fingerprint submis-sion falls into the category of obfuscation. It is not guaranteedthat an altered fingerprint will always succeed in evading thebiometric system since the number of minutia points extractedfrom unaltered area before and after the mutilation are notsufficient for a successful match in every case.

5) Fake digital biometric: The digitized latent fingerprintscan be used by the adversary to mount a masquerade attack.The replay of a feature set to the matcher module is an exampleof fake digital biometric submission attack. The adversarycan reconstruct intercepted template data to get authorized asmultiple genuine users and thus hide his own identity.

6) Fake physical biometric: The spoofing is the process ofgenerating fake physical finger of a legitimate user to enterthe system. The attacker fixes his target before executing theattack to increase the chances of a successful attack. InterGov[21] reports that insiders commit about 80 percent of allcyber crimes (an assessment based only on reported securitybreaches) [22].

7) Latent print reactivation: A latent print of the fingerprintwill be generated on the biometric sensor surface due to oilsecretion from sweat glands in the palm, or contact with theoily or sticky material. The impressions of the fingerprint onthe sensor surface can be used by the adversary to createreadable prints. In such cases, the attacker uses the fumesfrom cyanoacrylate glue or powder for reactivating the latentfingerprint.


H. Feature extractor attacks

The feature extraction module is responsible for identifyingminutia points from the fingerprint image generated by theinput device. The adversary can target the feature extractionmodule such that it becomes incapable of generating the realfeature corresponding to the submitted fingerprint.

1) Override feature extractor: The attack on feature extrac-tion module by the adversary involves replacing the featureset extracted by the module with the feature set chosen by theattacker. This is usually conducted through an attack on thesoftware or firmware of the biometric system [10].

2) Trojan horse attack: Fig. 7 shows a Trojan Horse attackagainst the feature extraction module. It can be seen that aTrojan attack breaks the legal process of biometric systemto override the feature extraction module. Trojan horse is amalicious program that can be controlled remotely by theadversary through commands. Once activated, the Trojan candelete, copy, or modify the data from the targeted systemcomponent. For such incidence in Fig. 4, the Trojan willgenerate preprogrammed feature set to be fed as input to thetemplate protection techniques module.

Fig. 7: A Trojan Horse attack against the feature extraction module[23, Chapter 7]

I. Attacks on template protection techniques module

The features extracted by the feature extraction module areused to generate a secure digital template using cryptographictechniques, such as, cancelable biometrics and biometric cryp-tosystem, as mentioned in Section VI. The template protectionmodule responsible for performing the translation of a featurevector into a cryptographically secured biometric template isa potential target of the attacker. The attacker aims to extractinformation related to the key used in the encryption algorithm.The attacks on template protection techniques module arespecified as AP 6 in Fig. 4.

Side channel attacks (SCA) target a specific implementationof a circuit on a technology platform that recover the em-bedded secret key of the cryptosystem [24]. In these attacks,the adversary uses the information leakage, such as powerconsumption statistics, timing information, or the electromag-netic radiation as a side channel to recover the key of theencryption algorithm. An electromagnetic field is generated

due to the movement of electric charges. Electromagnetic side-channel attacks exploit correlations between intermediate data(function of the secret key) and variations in electromagneticemanations from tamper-resistant devices, such as smart-cards[25]. In timing side-channel attacks, the execution time fora cryptographic algorithm reveals the valuable informationrelated to the secret code involved in the computation suchas an encryption key.

J. Matcher module attacks

The matcher module in the biometric system is a hard-ware or software component responsible for performing thematching between the template generated from live fingerprintand the stored template during the authentication phase. Theoutput of a matcher module is the similarity score betweenthe two templates under comparison. The adversary targetingthe matcher module aims to achieve a matching score abovethe predefined threshold for a non-enrolled fingerprint. Theattacks on matcher module are specified as AP 11 in Fig. 4.A software-based matcher executable can be digitally signedto mitigate attack by an adversary trying to execute othermalicious code to override the output of matcher.

1) Hill climbing attack: The term hill-climbing designatesan attack in which the similarity score given by the matcher isused to iteratively modify a synthetically generated template,or a group of templates, until the verification threshold isreached [26]. The goal of the hill-climbing attack is to getauthorized due to intrinsic limitation of false acceptance of thebiometric system. The set up for hill climbing attack includesa database of artificially generated minutia templates (i.e.fake digital biometric) and an application that submits thesetemplates to the matcher of the targeted biometric system. Theapplication collects the matching score of a submitted templateand modifies the template so that the matching score ultimatelyexceeds the decision threshold to access the system. A time-outlock-out policy that allows a specific number of unsuccessfulattempts and lock the biometric system for an random timeperiod can be used to mitigate hill-climbing attack.

2) Matcher override or false match: The matcher modulecompares the live fingerprint template with the stored tem-plates and preserves the score corresponding to each matchingpair. The claiming user is authenticated with the identity ofthe enrolled user whose stored template match against the livefingerprint resulted in highest score. The adversary targetingthe matcher module overrides the score generated for thegenuine template comparison with a matching score abovethe predefined threshold. A matching score greater than thethreshold dispenses cash from the biometric application shownin Fig. 4.

3) Side channel attacks: The timing analysis involves mea-suring the time required for executing private key operations.Galbally et al. presented a time analysis of a reference minutia-based fingerprint matching system and studied the relationshipbetween the score generated by the minutiae-based NISTFingerprint Image Software 2 (NFIS2) and the time requiredto produce the matching score [27]. The experimental resultshows a clear correlation between the score and time required


to produce the score, i.e. on average the higher a matchingscore the larger is the time. Furthermore, the potential side-channel leakages of a hardware fingerprint biometric compari-son module was studied in [28]. The authors concluded that thesimple power consumption analysis during matching processreveals sensitive information i.e. we can get the number ofminutia for each angle value by increasing the angle value ofthe input minutia [28].

Simple power analysis (SPA) : The current flowing from thepower supply unit to the matcher module of a biometric systemcan be analyzed to detect power consumption patterns thatleaks the information related to the cryptographic operations.The sequence of executed microprocessor instructions canbe a useful information revealed by SCA. The adversary isassumed to have knowledge about the time at which thepower consumption is correlated with the secret key. The mostcommon defenses against SCA include adding noise, dummyinstructions, and power consumption balancing.

Correlation power analysis (CPA) : CPA is a statistical toolthat uses Hamming distance for evaluation of cryptographicmodule leakage and/or retrieve the secret data like encryptionkey or minutia information in case of fingerprint biometricsystem. In biometric system, it is infeasible to directly linkthe output (matching core or the binary decision) with theinput (fingerprint). So, only a CPA that considers (input data,hypothesis) pairs during the enrollment/registration phase is afeasible way to find out the correlation between the input andoutput. The vulnerability analysis of an embedded hardwareverification module (matcher used in Match-on-card systems)against SCA by exploiting the activity leakage of the matcherto retrieve the stored trait was presented in [29]. The authorsinvestigated the SCA vulnerability of the registration phaseand demonstrated how side-channel analysis by CPA to re-trieve a reference fingerprint is feasible on a biometric matchermodule in [29]. They retrieved a part of the reference minutiaset i.e. one reference minutia per angle, in their experiment.

Differential power analysis (DPA) : Applying techniquesof differential power analysis to fingerprint matching is chal-lenging due to the relatively large candidate space and thelinearity of matching algorithms [30]. The possibility of side-channel attacks on fingerprint matching algorithms such as,the Bozorth3 and a custom matching algorithm, was studied in[30]. In [31] the authors have presented a secure co-processorthat does not leak information through the power supply. Tothe best of their knowledge, the authors reported that this isthe first IC that is practically immune to DPA attacks.

SCA countermeasures : Viable cryptosystem designs mustaddress power analysis attacks. Masking is a commonlyproposed technique for defending against these side-channelattacks [32]. Integrated Circuits with active shield can beused to avoid side channel leakages. Another way to mitigateside channel attacks is to modify the implementation of thecryptographic algorithm such that all computations consumesame power and use equal number of clock cycles. A robustsecure fingerprint matching technique, which is secure againstside channel attacks was proposed by Yang et al. [33].

4) Trojan horse attack: The Trojan horse is a maliciousexecutable program that suppresses the actual matching score

output of the matcher module with the predefined score suchthat the adversary can bypass all the earlier modules (stages)in biometric system and still get authorized to access theapplication. This is a tampering attack where the adversaryalters the vendor’s matching algorithm code and replaces ormodifies it with the Trojan horse code. Trojan programs canbe remotely controlled by the adversary to send commands tothe matcher module.

K. Template database attacks

The template database stores encrypted biometrics anddetails of each enrolled user. The biometric system uses astored template and information corresponding to it to performthe identification and verification of a user in the authenticationphase. The adversary targets the database either directly orindirectly via an externally compromised system (if the serveris online). The primary intention of the attacker is to reuse ortamper the stored templates. Stolen biometrics can be used toattempt a man-in-the-middle attack, such as a replay attack.The attacker can delete the stored templates to mount a DoSattack. Fig. 4 represents an attack on the database as AP 8.Li et al. have proposed a privacy protection scheme (hidingscheme) for the thinned fingerprint template in [34]. In thisscheme, the user’s identity is hidden into thinned fingerprintimage during enrollment and such a fingerprint template isstored in an online database for authentication. In the pro-posed data hiding scheme, no boundary pixel is produced indata embedding, resulting in a marked-thinned fingerprint ofvisually imperceptible abnormality without compromising theperformance of the fingerprint identification [34]. The authorsclaim that using such scheme, it is infeasible for the attacker toreveal the identity of the user from stolen templates collectedfrom a compromised online template database.

1) Template reconstruction: The attacker breaks into theonline database where the encrypted biometrics are storedby cracking a database account with administrative privilegesor by exploiting the vulnerability in the database software.He modifies the existing encrypted biometrics or reconstructsa new template from them. The modified and reconstructedtemplates form the base for a replay attack. If the attacker cantamper and modify the template information and generate afalse ID to an illegitimate person, it is termed as a templatemodification attack. The adversary can use the modified bio-metrics to mount a hill-climbing attack at AP 9 in Fig. 4. Rosset al. demonstrated that the fingerprint reconstruction processcan be moderated by employing an iterative hill-climbingapproach [17]. The authors demonstrated that the informationabout orientation field, fingerprint class information namely,A, L, R and W , and the friction ridge structure can begenerated out of the minutiae template alone. A possibleway to mitigate the reconstruction of fingerprint from storedtemplate is to create templates from encrypted minutia insteadof storing minutia on template.

2) Unauthorized template modification: The attacker cantarget the online database from an externally compromised,hacked system through a known or unknown bug in thedatabase software, log information on the disk, or information


in cache or primary memory. Such an attempt is difficultto trace since the compromised system is mostly a hackedcomputer under the control of the attacker. The adversary cansteal the minutia templates to execute a replay attack. He caneven delete and substitute the minutia templates to mount aDoS attack for the genuine users.

3) Circumvention: The adversary controlling the applica-tion secured with the biometric system is said to be attemptingcircumvention. The circumvention threat can be cast as aprivacy attack, where the attacker obtains the unauthorizeddata (for example, accessing the medical records of anotheruser) or, as a subversive attack, where the attacker manipulatesthe system (for example, changing those records, submittingbogus insurance claims, etc.) [35]. The adversary gets himselfauthorized by attempting any attack, such as spoofing, replay,administrative frauds etc., to access the application and thenmounts circumvention on the application data.

L. Man-in-the-middle (MiTM) attack

In a typical scenario of a man-in-the-middle attack on thebiometric system, the attacker intercepts the communicationchannel to collect the biometric data of a legitimate user. Theattacker, in this case, can target AP 3, AP 5, AP 7, AP 9, AP10, and AP 12 from Fig. 4 on the biometric system. Theseattacks are similar to replay attacks, where the attacker listensto the communication channel for capturing biometric data andthen alters this data to access the system as a legitimate user.

1) Replay attack: In the replay attack (also known as falsedata injection attack), an attacker bypasses the scanner anduses the previously generated digital image of a legitimate userto access the system. The attacker injects the false intercepteddata directly into the communication channel to the matchingcomponent. Here, the attacker intercepts the communicationmedium between the sensor and the matching component,then alters the contents (to access the system as more thanone genuine user), and then retransmits to the matcher forprocessing. This is a type of the man-in-the-middle attackrepresented as AP 5 in Fig. 4 which requires the attackerto have good knowledge of the system and database. Indata injection attack, the biometric system and the templatedatabase are compromised.

A challenge/response method to mitigate a replay attackconsiders every attempt involving all modules of the biometricsystem to authorize a user as a single transaction. It assumesthat the sensor is intelligent enough to respond to a query bya secured transaction server. Whenever the sensor is touchedwith a user finger, the transaction server sends a query, e.g.a random pixel value, to the sensor. If the image received bythe feature extractor has the same pixel value as responded bythe sensor then the transaction continues otherwise an attemptof bypassing the sensor and thus an attack is detected and thetransaction is aborted.

2) Reuse of residuals: The biometric system can hold theretrieved digital template in its primary memory for sometime after performing the matching operation. The adversarycan use the biometrics available in main memory to accessthe system as a legitimate user. The adversary replays the

biometric templates to mount reuse of residual attack at AP5 in Fig. 4. The memory holding the data for matching canbe reserved and flushed immediately after a claiming user iseither rejected or accepted by the system to avoid reuse ofresidual by the adversary.

3) System parameter override or modification: The attackermanipulates the system parameters to widen the range offalse acceptance and subsequently shorten the false rejectmargin. As a result of such alteration of system parameters(especially FAR/FRR parameters), the adversary creates a pathto access the application in Fig. 4 with poor quality fingerprintimages or incorrect data. The code signing technique candetect any tampering or alteration in the code, thus mitigatingsuch attacks. Protection of software code against illegitimatemodifications are discussed in [36] and [37].

4) Synthesized feature vector: The adversary with a knowl-edge of the biometric system can create a biometric templateoutside the system and directly inject it into the data stream ofthe communication channel. The hill-climbing attack can usethis synthesized template at AP 9 in Fig. 4. The challenge-response technique can help in detecting an attack involvinga synthesized feature vector.

5) Brute force attack: A brute force attack on the biometricsystem involves submitting a large number of fingerprints tothe system. Brute force attack is mounted at AP 4 in Fig. 4.The attacker must maintain a real fingerprint template databaseof large number of entries in order to execute the brute forceattack efficiently. The work of Ratha et al. in [38] givesthe relation between the matches that occurred for variousattempts of brute force attack. A dictionary-based guessingattack is a sophisticated brute force attack. Here, the attackerchooses only those fingerprints that have a high probability ofmatching. The average number of attempts needed by a brute-force attack can be derived from the FAR of the system [39].A 0.001% FAR indicates that 1 out of 100,000 brute forceattacks on an average will be successful [40].

6) Storage channel intercept and data inject: The com-munication channel between the encrypted biometric templatedatabase with other components, namely, the template protec-tion techniques module and the matcher, can be the source ofinformation for the adversary. The attacker may inject falsedata directly into the data stream connected to the database.Such a threat is shown as AP 7 and AP 10 in Fig. 4. The datatransmitted over the communication channel can be encryptedto avoid interception.

7) Modify score: The adversary can ease the process ofauthentication by modifying the matching score interceptedbetween the channel connecting the matcher and the decisionmodule. He overrides the actual score with a high score abovethe threshold. Fig. 4 represents such a threat as AP 12. Amutual authentication between matcher and decision module,like a challenge-response technique, can be used to detect amodified score.

M. Modify access rights

The administrator enrolls users having different privilegesor access rights in the biometric controlled application. If


the adversary diminishes the rights of a high privileged user,then it leads to a denial of service attack to such users.The system is under threat when a user registered with lowaccess rights suddenly gets administrative rights. In either case,the adversary initially needs to gain the system administratorcredentials.

N. Decision override

The decision module accepts or rejects a user as enrolledand authorized based on the comparison between the matchingscore and the predefined score. The attacker can use a Trojanhorse to override the decision module to give the result inhis favor. For example, such an attack can be used by theadversary to grant access to the application in Fig. 4 or denyall other users from using the application.

O. Denial-of-service (DoS) attack

The DoS attack renders the system inaccessible to theauthorized users. For a biometric authentication system, anonline authentication server that processes access requests (viaretrieving templates from a database and performing matchingwith the transferred biometric data) can be bombarded withmany bogus access requests to a point, where the server’scomputational resources cannot handle valid requests any more[35]. These attacks are generally detected in a small timeduration. In some cases, however, the intent is to have theattack noticed in order to create confusion and alarm and forcethe activation of alternative or exception handling procedures[10]. The organization can use CCTV cameras, tamperingalarms, or personal security guards to protect a biometricsystem controlled application, such as a cash dispenser shownin Fig.III.

P. Intrusion

In intrusion attack, the attacker breaks into the templatestorage through an external system. The scenario where thesystem recognizes an impostor as an authorized user is alsoa case of intrusion. The server hardening (i.e. enhancing theserver security against all possible vulnerabilities), databaseaccess controls, signing stored templates, storing encryptedtemplates and use of Match-on-Card technology can be thepossible countermeasures against intrusion attack.

Q. Zero-effort attacks

The zero-effort attack is a benefit an adversary receives, andthe trouble an enrolled user faces due to system limitations. Itis an incorrect authentication (a non-enrolled user is authenti-cated due to false match error) and rejection (an enrolled useris rejected due to false non-match error) scenario. This attackis the result of shifting the predefined threshold to lower orhigher value. Fig. 4 shows this scenario as AP 14 and AP15. The existence of zero-effort attack is due to the limitedindividuality and intraclass variations in biometric features andefforts are underway by the research community to reducesuch intrinsic errors by designing salient-feature detectors androbust matchers [8].

An on-line platform, EvaBio, for the security evaluation ofbiometric systems was presented in [41], which implements aquantitative-based security assessment method to allow easilythe evaluation and comparison of biometric systems. In orderto quantify a newly developed biometric system, the authorsalso provided a database of common vulnerabilities and threatsof a biometric system.

V. THREAT MODELS

In this Section, we present threat models that exist fora fingerprint biometric system. A threat model is a way toidentify various possibilities of attacks (or the potential threats)on a system in the computational powers of an adversary. Wepresent four threat models that exist in the literature whichpoint out different attacks and vulnerabilities in the biometricsystem.

A. Ratha et al. model

The Ratha et al. model shown in Fig. 8 is the first threatmodel proposed for a fingerprint biometric system. It identifieseight vulnerabilities based on the access point of informationin a biometric system [9]. These vulnerabilities lead to aspecific type of attack, represented as Type 1 to Type 8, onthe system components. The countermeasures for all 8 typesof attacks from this model are discussed in Section IV.

Type 1 attack : According to the model, sensors are suscep-tible to spoofing, false biometric submission or residual attackrepresented as Type 1 attacks. These attacks are basicallya fake biometric presentation at the sensor. The adversarycollects the biometrics of a genuine user and creates fakephysical finger to access the system.

Type 2 attack : The interception of communication channelbetween sensor and feature extractor by the adversary formsthe base for Type 2 attack. The adversary replays a previouslyintercepted digitized biometric signal bypassing the sensor.Masquerading is a Type 2 attack.

Fig. 8: Ratha et al. model [9] : The dashed arrows indicate the accesspoint of information for mounting a specific type of attack


TABLE I: Biometric system attack summary with reference to Fig. 4. AP stands for Attack Point.

AP Targeted component Possible attack Countermeasures References

1 Biometric input device Adversary attacks andadministrative frauds

Liveness detection,Challenge/response

[42], [14], [43],[16], [19]

2 Biometric input device Denial of service Rugged devices [10], [44]

3 Communication channel between sensorand feature extraction module Fingerprint image intercept Transmit data over

encrypted path/secure channel [44]

4 Feature extraction module Trojan horse attack,Override feature extractor Code signing [44]

5 Communication channel between feature extractionmodule and template protection techniques module Replay attack

Challenge-responsebased system,

disposable Feature Extractors (FE)[10], [45]

6 Template protection techniques module Side channel attacks Masking, designing ICswith active shield [30], [31]

7 Communication channel between template protectiontechniques module and template database

Template intercept,data inject

Use strong testedbiometric algorithms [46]

8 Template database Steal, delete, modify,substitute template

Hardened server,DB access controls,

sign templates,store encrypted templates,

store template on card

[8], [22], [47]

9 Communication channel between template protectiontechniques module and matcher module

Hill-climbing attack,brute force attack Time out/lock out policies [39], [48]

10 Communication channel between template databaseand matcher module Replay attack Utilize Timestamps or

Time to Live (TTL) tag [10]

11 Matcher module Side channel attack,Trojan horse attack

Masking, designing ICswith active shield,

Code signing[30], [33]

12 Communication channel between matcher module anddecision module Modify score Mutual authentication between

matcher and decision module [44]

13 Decision module Override decision Code signing [10]

14 Communication channel between decision module andbiometric application

Zero-effort attack(false match error) Design robust matcher [48], [49]

15 Communication channel between decision module andbiometric application

Zero-effort attack(false nonmatch error) Design robust matcher [49]

16 Biometric application (e.g. cash dispenser) Denial of service CCTV monitoring,deploy security guards [44], [10]

Type 3 attack : The attacker can override the featureextraction module to mount a Type 3 attack. The adversarycopies a Trojan horse executable at the feature extractionmodule. Generally, Trojan horses can be controlled remotely.The adversary sends commands to the Trojan horse to sendthe feature set selected by him.

Type 4 attack : The communication channel between thefeature extractor and the matcher can be targeted by theattacker. The adversary intercepts the features transmitted overthe communication channel and replays it after a time gap. Thepreviously intercepted and tampered/modified feature sets canbe directly transmitted to the matcher bypassing the featureextractor module.

Type 5 attack : The threat to the matcher module overridingthe matching score using a Trojan horse is a Type 5 attack.In this attack, the adversary sends commands remotely togenerate a high matching score and send positive response (e.g.a “Yes” or “Accept”) to the biometric controlled applicationand bypass the authentication process completely. He can evenmount a denial-of-service attack by giving a command toindefinitely generate a low matching score.

Type 6 attack : The intruder can explore ways for templatedatabase leakage with Type 6 attack. The adversary not onlycollects the leaked stored templates but also replays them andmodifies them to get authorized on behalf of different enrolledusers.

Type 7 attack : In Type 7 attack scenario, the adversary

intercepts the communication channel between the templatedatabase and the matcher module to collect templates fromthe data stream. These intercepted templates can be directlyreplayed or altered and then replayed at the matcher moduleto access the system with the identity of different users.

Type 8 attack : The adversary can bypass all system com-ponents and directly manipulate the system decision in hisfavor in Type 8 attack. An attack to override the final decisionof the biometric system in favor of the adversary nullifiesthe excellent performance characteristics of the biometricapplication.

B. The fishbone model

Fig. 9 shows the fishbone (cause and effect) model pro-posed by Jain et al. in [44]. The model depicts the causesthat determine the vulnerability of a biometric system. Theauthors identified five causes that lead to vulnerabilities in thebiometric system represented in ovals in Fig. 9. The arrowsspecify the effects i.e. the possible attacks due to these causes.

Intrinsic failure involves the system limitations and errorsresponsible for false acceptance of a non-enrolled individualor false rejection of an enrolled user. The intra-user variationscauses large variations in the live and stored features of theenrolled user leading to false rejection. This error can bedue to improper or partial finger put at the sensor. The lackof individuality or uniqueness (mostly among twins in facerecognition system) can result in large similarity between


the feature sets of two different individual leading to falserejection.

Administration cause describe the ways in which a dishoneststaff, such as, a system administrator can play the role of anadversary. A disloyal administrator can assist an adversary ineither mounting a successful attack, or induce an enrollmentfraud or exception abuse. The exception processing is a wayfor the enrolled user to get authorized in case if the biometricsystem rejects him due to intrinsic limitation or denial ofservice attack (by deleting his stored template). The insiderattacks include the cooperation an adversary receives from thedisloyal staff to mount an attack on the system.

Infrastructure causes include system design defects thatmake the system susceptible to adversary attacks. The hard-ware components such as sensor, the software implementedat the feature extraction module and matcher module alongwith the communication channel between various systemcomponents forms the infrastructure of the biometric system.A Trojan horse program can be used by the adversary tooverride the matcher or decision module.

Non-secure processing causes point out the vulnerabilitiesdue to insecure enrollment and authentication process. Theadversary can mount a hill-climbing or replay attack throughthe non-secure communication channel to intercept the infor-mation and get authorized by skipping the sensor. The poorlysecured database can leak the stored templates. The adversaryuses the templates thus collected to mount a replay attack.A function creep is a phenomenon of cross-matching thebiometric features of an enrolled user. The adversary collectsthe biometrics of a user either through database leakage orcommunication channel intercept from his employer’s systemand uses it in other applications like banking services, passportservices etc.

Patent cause or biometric overtness is related to the secrecyof biometric templates. The attacker covertly collects thebiometrics of a genuine user from the sensor or public placesvisited by the user. These biometrics can be used to createfake physical or gummy finger to mount a spoofing attack.

This model highlights the general errors that should beavoided and the security techniques to be implemented whiledesigning a biometric system. The authors suggest that the

Fig. 9: Fishbone model [44]. The blocks denote the processing phasesof a biometric system that are vulnerable targets in this model. Thepossible attacks are mentioned on the arrows.

Fig. 10: Nagar et al. model [44]

most straightforward way for securing the biometric systemis to store the template and the system modules (components)on smart cards. Such systems are called as system-on-card ormatch-on-card.

C. The Nagar et al. model

Fig. 10 shows Nagar et al. model. This model is basedon the Fishbone model in terms of specifying causes forvulnerabilities and their effects on a biometric system. The textbesides the dotted ovals in Fig. 10 specify a given cause andthe contents of the ovals shows the possible attacks as an effectof these causes. The four large rectangles in Fig. 10 showsthe major constituents of a biometric-based authenticationapplication.

The non-secure infrastructure can leak sensitive informationto the adversary through communication channel. The systemcomponents, such as feature extraction module or the matchermodule are also vulnerable to Trojan attack which overridesthe real output of these elements. The authors combined non-secure processing causes (arising due to insecure enrollmentand authentication process) and infrastructure causes (respon-sible for denial of service attack) from Fishbone model into asingle non-secure infrastructure cause in this model.

Overtness of biometric includes the attacks that use the overtinformation about the biometrics of an individual, such as,our face, fingerprint left at public places, our voice over aconversation etc. The attack involving overtness of biometricinclude coercion, collusion, and spoofing attacks targeted bythe adversary at a biometric input device.

Intrinsic failure includes the system limitations responsiblefor false acceptance of a non-registered user. The predefinedthreshold decides the authenticity of a claiming user. For ahigh security application, like entry into military zone, thethreshold is fixed to a higher value which sometime mayreject a soldier due to improper touch of his finger to thesensor or environmental factors. For a university attendancesystem, a student not registered for a particular course canmark proxy attendance for a registered student due to lowerthreshold value.


Fig. 11: Bartlow and Cukic framework : AP represents an Attack Point. The biometric system is divided into three modules, namely,administrative observation/system management module, IT environment module and biometric subsystem module. The biometric subsystemmodule is divided into five subsystem, namely, data collection, signal processing, decision, transmission and storage subsystem.

A system administrator may exploit administrative loop-holes to misuse his administrative rights. As discussed inSection IV, the administrator can support the adversary in col-lusion, enrollment fraud or spoofing. The best countermeasureagainst the attacks involving internal staff with administrativeprivileges is to appoint multiple system administrators forevery superuser task.

D. Bartlow and Cukic framework

Wayman proposed to classify a biometric system as acomposition of five primary subsystems depending on itsapplication, namely, data collection, transmission, signal pro-

cessing (which includes feature extraction, quality control,pattern matching), storage, and decision [50]. Fig. 11 showsthe Bartlow and Cukic framework [51], [10] as an extensionof Ratha et al. model and Wayman’s subsystem architecture,which mainly focus on technical testing of biometric devices.The authors decomposed the model into three modules andidentified more than twenty vulnerable attack points. The threemodules (shown in dark gray color in Fig. 11) are namelyadministrative observation/system management module, ITenvironment module, and the biometric subsystem module.The biometric subsystem (i.e. the system management module)is further categorized into five subsystems (shown in large


ovals in Fig. 11) according to Wayman’s suggestion. Thearrows represent the point of attacks and vulnerabilities in thesubsystems and various modules in the system.

In Fig. 11, the administrative observation/system manage-ment module represents disloyal system administrators and thearrow originating from it shows the possible attack points bysuch staff targeting different components. Attack points AP 1and AP 2 target the data collection module of biometric sub-system where the adversary seeks help from the administrator.Attack points AP 18 and AP 20 specify the manipulation offinal decision by the administrator in favor of the adversary.The bad administrator can perform false enrollment throughAP 19.

The IT environment subsystem includes other applications,such as operating system and database management systemthat directly or indirectly interact with the biometric system.The attack point AP 3 shows the possibility of an attackthrough these interacting applications. There is a possibility ofintrusion or malicious code execution with the help of theseapplications.

The biometric subsystem specifies the internal componentsof the biometric system, the data transmission between them,and the targeted vulnerable points. In the data collection mod-ule, the collection and presentation of biometrics is performed.The attack points, AP 4, AP 5, and AP 6 are vulnerableto attacks carried out through the input devices. The spoof-ing, replay, and masquerade attacks can be mounted on thismodule. The compression and transmission of biometric datais represented with transmission module which is susceptibleto attacks, such as replay, parallel sessions, and masqueradeshown by attack points, AP 7, AP 8, AP 9, AP 10, and AP 11in Fig. 11. In this attack mode, the adversary intercepting overthe communication channel collects the information requiredto mount replay, hill-climbing, or brute force attack. The signalprocessing module comprises the robust feature extraction,template matching, and image quality control components. Theadversary uses a Trojan at AP 12 and AP 14 to target thefeature extractor and the quality control unit, respectively. Theattacker can even use a poor quality image at AP 13 to mounta hill-climbing attack, or execute a brute force attack. Usingthe hill-climbing attack, the attacker can construct a fingerprintimage using the responses (i.e. score) of matcher module untilan acceptable score is achieved. In another scenario, he canapply image processing techniques to generate multiple copiesof the poor quality image by enhancing the ridges and use allthese images to mount a brute force attack. The interceptionof information between the pattern matching module and thedecision module is shown in AP 15. The process of capturingdata through database leakage and retransmitting it again tothe matcher module is done at attack points, AP 16 and AP17, respectively. The attempt to override the final conclusionof the decision module in cooperation with a bad administratoris represented with AP 20.

The details about potential vulnerable attack points is givenin this model, but it does not propose the methodology todesign security techniques for a biometric system. So, thismodel can be used only as a benchmark to test and validateexisting and proposed security techniques.

VI. TEMPLATE PROTECTION SCHEMES

A template represents a set of salient features, such asminutia, that summarizes the biometric data (signal) of anindividual [47]. The stored template should not reveal any datathat can be replayed and it should be difficult for an adversaryto guess or reverse engineer the original biometric trait or anyclose replica from the stored data [8]. The biometric templateprotection schemes aim at preserving the user’s privacy whileenhancing the security of stored templates.

ISO/IEC 24745 [52] standard specifies three mandatoryrequirements for all biometric template protection schemes,namely, non-invertability, revocability, and unlinkability. Non-invertability property requires that given a protected biometrictemplate, it should be computationally infeasible to obtainthe original template. Revocability property requires that, itshould be computationally difficult to obtain the originalbiometric template from multiple instances of protected bio-metric reference derived from the same biometric trait ofan individual [53]. Non-linkability property assures that, itis computationally difficult to ascertain whether two or moreinstances of protected biometric reference were derived fromthe same biometric traits of a user [53].

Fig. 12 shows various template protection schemes adaptedfrom [54]. Biometric templates storing minutia information(without encryption) are vulnerable to tampering attack andreplay attack. The templates can be secured at the database (byavoiding leakage), over the communication channel (by usingencryption techniques), and also at the matcher (by concealingany information related to secret data, such as encryption key,through data-dependent variations in power consumption orcomputation time). The schemes to protect biometric templatescan be broadly categorized into three levels, namely, hardwarelevel, software level, and biometrics in encrypted domain.

A. Hardware level schemes

Hardware level protection to templates is performed duringtransmission and in the database to avoid interception andtampering of templates. A tamper-proof hardware disallows anattacker from breaking into the hardware components, such asmatcher, to steal a secret (such as, an encryption key), and thusprevent unauthorized access. Smart-card assisted hardware,such as System-on-Card and Match-on-Card, can help inmitigating such attacks on biometric templates. Since thesesystems embeds the biometric system and a user template onthe card itself, it lowers the probability of template interceptionand leakage from database as compared to online database.The trusted platform module (TPM) was developed by TrustedComputing Group (TCG) as platform that includes additionalhardware and software to increase the security level of IT-systems [55]. A Trusted Platform is “a computing platformthat has a trusted component, probably in the form of built-inhardware, which it uses to create a foundation of trust forsoftware processes” [56]. TPM secures a hardware (i.e., acryptoprocessor) using an integrated cryptographic key. TPMcan be used for hardware level tamper detection and alsofor hardware-based authentication. There are increased useof TPM chips in certain dedicated security applications, such


TABLE II: Comparison of Threat Models

Threat model Underlying criteria Classification Application

Ratha et al. model Access point ofinformation

8 vulnerable points resultingin 8 types of attacks

A general model withoutdetails of specific attacks

Fishbone model cause and effect 5 causes leading tobiometric system failure

Useful while designingbiometric security techniques

Nagar et al. model Cause and effect similarto Fishbone model

Major vulnerabilities andtheir 4 underlying causes

Specifies the vulnerabilities forbiometric-based authentication system

Bartlow and Cukicframework

Wayman’s subsystemarchitecture [50]

3 modules with20 potential attack points

Well suited for testingand validating secure techniques

Fig. 12: Template protection schemes

as Microsoft BitLocker, storage of public key infrastructure(PKI), private keys, and other credentials (e.g., biometric iden-tifiers), and potentially secure machine identities on sensitivenetworks [57].

B. Software level schemes

The software level schemes mainly concentrate on the waysto make sure that the biometrics stored on the templatesis encrypted (using key) and it is practically infeasible todivulge the secret encryption key or regenerate the originalfingerprints of a user. These schemes include cryptosystems(using encryption key to secure template), template genera-tion using feature transformations (such as, salting and non-

invertible transforms), and transformation of template image(e.g. steganography).

1) Cryptosystems: Biometric cryptosystems provide thebenefits of cryptography and biometrics to an application.They protect the application using high and adjustable securitylevels provided by cryptographic techniques using a secret key,and ensures trust using non-repudiation through biometrics.The biometric cryptosystems can be designed in two ways.It can either use the biometrics of an individual to generate adigital key, or securely bind a secret key to the user biometrics.Biometrics-based “key-release” refers to the use of biometricauthentication to release a previously stored cryptographic key,whereas biometrics-based “key generation” refers to extract-ing/generating a cryptographic key from a biometric template


or construct [58]. These techniques are discussed in detail inthe following paragraphs of this Section.

The majority of cryptosystems require the storage of bio-metric dependent public information, which is applied to re-trieve or generate keys; such biometric dependent informationis referred to as helper data [44]. Uludag et al. [59] stated thattwo contradicting requirements arise,

1) helper data should contain sufficient information toallow an alignment between a query and a template, and

2) helper data should not leak critical information about thetemplate.

The authors proposed a scheme for generating orientation-fieldbased helper data in the fuzzy fingerprint vault framework,which does not leak minutiae information, yet it enables us toproperly align the input query.

Key-binding scheme: In biometric-based key bindingschemes, the cryptographic key is tightly bound with thebiometric template so that it cannot be released without asuccessful biometric authentication without accessing templatedirectly [60]. The transformed characteristic of the legitimateuser is compact in the feature space, and the characteristicof a fake identity is either dispersed or far away from thelegitimate user’s characteristic. This variation distinguishesthe transformed characteristic of the registered user from thecharacteristic of the false identity.

Fig. 13: Basic concept of biometric key-binding [61].

Fig. 13 shows the basic concept behind the key-bindingscheme. In this method, the key is combined with a biometricsample to generate helper data during the enrollment. A newbiometric sample along with the stored helper data are usedto release the same key during the authentication [62]. In thisscheme, it is computationally infeasible to retrieve the originalbiometric template or the secret key given only the helper data.

Biometric Encryption (BE) is a group of emerging tech-nologies that securely binds a digital key to a biometric orgenerates a digital key from the biometric so that no biometricimage or template needs to be stored [63]. In biometricencryption, a password-based encryption key is used to encryptthe template during the enrollment phase. The most distinct BEtechnologies are the following: Mytec1 [64] and Mytec2 [65],[66], ECC check bits [67], biometrically hardened passwords[68], the fuzzy commitment scheme [69] and some of itsgeneralizations in the fuzzy extractor/secure sketch framework[70], shielding functions (i.e., quantization using correctionvector) [60], fuzzy vault [71], PinSketch [72], and BioHashing[73] with key binding [74].

Biometric EncryptionTM, an algorithm for linking and re-trieval of digital keys, which can be used as a method for thesecure management of cryptographic keys was proposed bySoutar et al. in [75, Chapter 22]. This algorithm works on thecomplete fingerprint image and is based on the mechanismof correlation. The algorithm independently generates thecryptographic key which can be periodically updated usinga re-enrollment procedure.

During enrollment, the Biometric EncryptionTM processcombines the biometric image with a digital key (used as acryptographic key) to create a secure block of data, knownas a BioscryptTM [75, Chapter 22]. Mytec Technologies Inc.claim that it is infeasible to obtain either the fingerprint or thekey independently from Bioscrypt TM. The algorithm combinesthe biometric image and the BioscryptTM to retrieve the keyduring verification.

In the enrollment process, a set of input fingerprint imagesundergo image processing with a random (phase) array andgenerate two new arrays as output, namely, Hstored(u) whichis stored in BioscryptTM and c0(x). The proprietary linkalgorithm performs linking of cryptographic key k0 and c0(x).Finally, the key k0 is used to create an identification code id0.During verification process, the Hstored(u) undergoes imageprocessing with a new set of input (claim) fingerprint imagesto produce an output pattern c1(x). The proprietary retrievalalgorithm accepts c1(x) as input to extract a key k1. A newidentification code id1 is generated from k1. In the end, thekey validation is performed by comparing id0 and id1.

Fuzzy commitment A fuzzy commitment scheme (FCS)processes a binary biometric enrollment sequence (i.e. a bina-rized fingerprint image) XN = {x1, x2, ..., xN} with symbols,xi ∈ {0, 1} for i = {1, 2, ..., N}, and a binary biometricauthentication sequence Y N = {y1, y2, . . . , yN} with symbolsyi ∈ {0, 1} for i = {1, 2, ..., N}, where the sequences aregenerated by a biometric source according to some distribution{Q(xN , yN ) , xN ∈ {0, 1}N , yN ∈ {0, 1}N} [69]. Fig. 14shows the fuzzy commitment scheme. In this scheme, a secrets ∈ {0, 1, ..., |S|} is independent of biometric data and chosenuniformly at random. So,

Pr{S = s} = 1/|S|, ∀ s ∈ {0, 1, ..., |S|} (1)

Fig. 14: Fuzzy commitment scheme [69]

In the enrollment phase, the secret s is fed to the encoder togenerate an encoded binary codeword CN = ( c1, c2, ..., cN )such that ci ∈ {0, 1}, ∀ i = 1, 2, ..., N . The binary biometricenrollment sequence XN is added (modulo 2) to the generatedcodeword to produce a sequence ZN = ( z1, z2, ..., zN ) , suchthat zi ∈ {0, 1}, ∀ i = 1, 2, ..., N . Thus

ZN = CN ⊕XN = e( s) ⊕XN (2)


where, CN = e( s) and e( ·) represents the encoding func-tion. The public sequence ZN released to the authenticationside is referred to as the helper data.

In the authentication, a binary biometric authenticationsequence Y N is added (modulo 2) to the helper data ZN

received from enrollment. This addition results in the sequenceRN .

RN = ZN ⊕ Y N = e( s) ⊕XN ⊕ Y N (3)

where, RN = ( r1, r2, ..., rN ) , such that ri ∈ {0, 1}, ∀i = 1, 2, ..., N . Thus, we can consider RN as a codewordCN with some additional noise sequence, i.e., XN ⊕ Y N . Adecoder accepts RN as input to determine the estimate s as

s = d(RN ) = d( e( s) ⊕ (XN ⊕ Y N ) ) (4)

where, d( ·) represents the decoding function.Like a conventional cryptographic commitment scheme, the

fuzzy commitment scheme is both concealing and binding:it is infeasible for an attacker to learn the committed value,and also for the committer to decommit a value in more thanone way [76]. Lafkih et al. [77] proposed a security analysisframework based on several scenarios of threats that can affectbiometric cryptosystems and applied this analysis on FCS anddetermined theoretically and practically that cryptosystemsbased on FCS do not ensure a high level of security orprotection of privacy.

A fuzzy vault scheme [71], is an order invariant crypto-graphic construction in the form of an error-tolerant encryptionoperation where keys consist of sets. It is an extension of thefuzzy commitment scheme. Suppose, Alice possess a secretencryption key k and an unordered set A. She places k in avault and locks using A. If Bob possess another unordered setB, then he can unlock the vault to access k if and only if Blargely overlaps A.

You et al. [78] defined the fuzzy vault scheme also called asfingerprint vault scheme as follows. In this scheme, initiallyevery extracted minutia is converted into an element mi ina finite field F. The selected secret key k is encoded to apolynomial f (x) ∈ F [X], which is evaluated in each mi.All the points (mi, f (mi)) and some stochastic camouflagepoints ci, di are selected, such that di 6= f (ci) are to be storedtogether as a vault V .

The security of this scheme is based on the infeasibilityof the polynomial reconstruction problem. The fuzzy vaultscheme is an example of the biometric-based key generation.This scheme possesses characteristics that make it suitablefor applications that combine biometric authentication andcryptography; the advantages of cryptography (e.g., provensecurity) and fingerprint-based authentication (e.g., user con-venience, non-repudiation) can be utilized in such systems[79]. Nagar et al. have shown that both performance andsecurity of a fingerprint fuzzy vault can be improved byincorporating minutiae descriptors, which capture orientationand ridge frequency information in a minutia’s neighborhoodin [80].

Shielding function Shielding functions are proposed to en-hance privacy and prevent misuse of biometric templates in

key binding schemes. These function aim to enhance thereliability and reproducibility of the detection and to shieldthe information (or ‘entropy’) in the secret from the referencedata [60].

Fig. 15: Shielding functions: basic operation mode [61]

Fig. 15 shows the basic operation mode of shieldingfunction. A fixed length, real-valued, noise free biometricfeature vector X is assumed at the enrollment. A secretS (the key) together with X is applied to an inverse δ-contracting function G−1 to generate the helper data W , suchthat G (W,X) = S. A hash of the secret S is stored (asa template) additionally as F (S) = V . The δ-contractingfunction G that computes a residual for each feature is thecore of this scheme. W comprises all residuals that form acorrection vector. During authentication phase, a new featurevector Y is used to compute G (W,Y ). If ||X − Y || ≤ δ,then G (W,Y ) = S′ = S = G (W,X). Finally, the hashvalue F (S) of the reconstructed secret S is tested against thepreviously stored one (V ) yielding successful authenticationor rejection [61].

Key-generation scheme: Fig. 16 shows the basic conceptbehind the key generation scheme. Key generation techniquesextract a cryptographic key from a biometric sample duringthe enrollment (along with the helper data, if necessary) andthe same key has to be extracted using a new biometric sample(and the helper data when available) during authentication[62].

Fig. 16: Basic concept of biometric key-generation [61]

Quantization The idea of quantization is to quantize eachcomponent of the feature vector with a threshold to toleratethe noise [81]. The best way to protect the user biometrics isto ensure that the information on the template is incompre-hensible and irreversible. Hash functions are generally used


for such purposes. A hash function is extremely sensitive toinput value; the biometric samples from the same user arenever exactly the same hence the feature vectors don’t matchexactly. As a result, the hash function can not be directlyused to protect biometric templates. The adaptive non-uniformquantization algorithm maps different noisy feature vectorsfrom one biometric sample to a unique vector and then protectit by cryptographic hash functions, such as MD5.

Secure sketch and Fuzzy extractor Secure sketches andextractors can be viewed as providing fuzzy key storage; theyallow recovery of the secret key (w or R) from a faulty readingw′ of the password w by using some public information (sor P ) [70]. The secure sketch scheme consists of two maincomponents, namely, an encoder and a decoder. An encoder(sketch generation algorithm) accepts the original biometrictemplate w as input and gives a sketch (extra information)s as output. The encoder (biometric template reconstructionalgorithm) accepts a live biometric template w′ and the sketchs as input and generates w only if w and w′ are sufficientlyclose to each other according to some similarity measure.

Fig. 17: (a) Secure sketch : On input w, a procedure outputs a sketchs. Then, given s and a value w′ close to w, it is possible to recoverw. (b) Fuzzy extractor : It extracts a uniformly random string R fromits input w in a noise-tolerant way. Noise tolerance means that if theinput changes to some w′ but remains close, the string R can bereproduced exactly [70].

The fuzzy extractors allow one to extract some randomnessR (using generation procedure Gen) from w and then success-fully reproduce R (using reproduction procedure Rep) fromany string w′ that is close to w [70]. For an efficient fuzzyextractor, the procedures Gen and Rep must run in expectedpolynomial time.

Key-release scheme: In a key release mode, biometrics playsa predetermined role in a cryptosystem, and the key would bereleased to users only if biometric matching is successful [82].The user authentication process is completely decoupled fromthe key release operation.

Fig. 18 shows the key release scheme of biometric templateprotection. In such systems, a cryptographic key is stored aspart of a users database record, together with the user name,biometric template, access privileges etc., that is only releasedupon a successful biometric authentication [83]. The systemusing key release scheme, uses local storage of the biometric

Fig. 18: Key release scheme : In the fingerprint-based authentication,a cryptographic key is the “secret” and fingerprint is the “key” andthe cryptographic key is released upon a successful authentication.[2].

system, such as smart card, which raises issue about stealinguser biometrics. Moreover, these systems are also vulnerable toTrojan horse attack at the decision module. Such an attack willbypass all system components and inject 1-bit accept/rejectdecision code into the system decision module.

2) Feature transformations: In the feature transformationbased approach, a transformation function is applied to thetemplate, and the output transformed template is stored in thedatabase. There are various transformation functions availablein the literature, e.g. cancelable biometric [84], biohashing[73], biometric salting [44], MRP (Multispace Random Pro-jection) [85] etc. Some of them are discussed below.

Cancelable biometrics: The non-invertible transformationschemes, such as the cancelable biometrics apply a one-wayfunction1 to the template rendering it computationally hard forthe adversary to invert the template. The cancelable biometricson large fingerprint database was demonstrated by Ratha et al.in [84]. Their results proved that a large number of cancelablefingerprint transformations could be constructed without losingmuch accuracy of the biometric system. Cancelable biomet-rics consist of intentional, repeatable distortions of biometricsignals based on transforms which provide a comparison ofbiometric templates in the transformed domain [9]. Jin etal. [86] proposed an error-correction code (ECC) free keybinding scheme along with cancelable transform for minutia-based fingerprint biometrics. The analysis done by Nagaret al. demonstrates that cancelable fingerprint templates arevulnerable to intrusion and (template) linkage attacks becauseit is relatively easy to obtain a pre-image of the transformedtemplate [87].

Biometric salting is a template protection approach in whichthe biometric features are transformed using a function definedby a user-specific key or password [44]. Biometric saltingusually denotes transformations of biometric templates, whichare chosen to be invertible [61]. The adversary can recoverthe original template if he accesses the key and the template.Therefore, security of salting-based approach depends on thesecrecy of the key and the template. The key must be secretin private domain, and must be used for every authenticationattempt.

Biohashing, applied to fingerprint biometric, is a two factorauthentication approach that combines fingerprint feature witha user specified key/token and generates a unique compact

1a function f (x) is said to be a one-way function if it is hard to invert,i.e., given a value y, it is computationally infeasible to find some input x suchthat f (x) = y


code per person [73]. It is a product of the biometric feature ofan individual (such as a fingerprint) with a tokenized pseudo-random number that generates a set of user-specific secret codecalled as biohash.

Fig. 19: BioHashing : Two factor authentication - secret key andbiometric data [73]

Fig. 19 shows the generation of a biohash with the helpof a user’s secret information (e.g. secret key or token)and his biometric data, such as fingerprint. An integratedwavelet and FourierMellin transform (WFMT) is used to createthe biometric features since, in WFMT framework, wavelettransform preserves the local edges and noise reduction inthe low-frequency domain (high energy compacted) after theimage decomposition. This renders the fingerprint images lesssensitive to shape distortion. The analysis done by Nagar etal. in [87] indicates that biohashing is vulnerable to intrusionand (template) linkage attacks because it is relatively easy toobtain a close approximation of the original template.

Multispace Random Projection (MRP) : Teoh et al. [85]proposed a generic cancelable biometrics formulation (coinedas MRPs), which is a two-factor cancelable formulation, wherethe biometric data is distorted in a revocable but non-reversiblemanner by first transforming the raw biometric data into afixed-length feature vector. Subsequently, the feature vectoris projected onto a sequence of random subspaces that werederived from a user-specific pseudo-random number (PRN).The raw biometric data is transformed into a fixed-lengthfeature vector, and then the non-invertible random subspaceprojection is performed on it to carryout MRP. A token ora centered database stores the user-specific seeded pseudo-random number generator. The independent, zero-mean, andunit-variance Gaussian-distributed random bases generatedfrom PRN generators constitutes the random subspace. MRPcan be revoked through the pseudo-random numbers replace-ment, so that a new template can be generated instantly, andits non-invertible property helps to preserve the privacy of theuser biometrics data [85].

Robust hashing : Robust hashing is a secure biometric basedauthentication scheme which employs a user-dependant one-way transformation combined with a secure hashing algorithm[88]. The robust hashing function ensures the security andprivacy of biometric data, since it is designed as a sum ofproperly weighted and shifted Gaussian functions. Prelimi-nary results show that proposed scheme offers a simple andpractical solution to one of the privacy and security weaknessof biometrics-based authentication systems namely, templatesecurity [88].

BioPhasoring : BioPhasor, a generic cancelable biomet-rics formulation, is a set of binary codes based on iteratedmixing between the user-specific tokenized pseudo-randomnumber and the biometric feature that enables straightforwardrevocation of biometric template via token replacement [89].Whenever a genuine token is used, BioPhasor offers highaccuracy during verification. As it is a general framework,different biometrics, such as fingerprint, face, and iris, canbe secured using BioPhasor approach. Due to the highlystable binary representation in BioPhasor, it can be easilyincorporated into biometric encryption techniques.

Non-invertible transforms : There is a significant intra-class variation in the fingerprint representations; multipleacquisitions of the same finger lead to different numberof minutia as well as their position (x, y) and orienta-tion (θ), due to which it becomes difficult to match fin-gerprints in encrypted domain [90]. A minutia based fin-gerprint template T consists of n minutia points suchthat, T = {(x1, y1, θ1) , (x2, y2, θ2) , · · · , (xn, yn, θn)}, where(x, y) represents the position of each minutia and (θ) isits orientation. The transformation function, φ (·), trans-forms T into a new set of n minutia, i.e., φ (T ) ={(x′1, y′1, θ′1) , (x′2, y′2, θ′2) , · · · , (x′n, y′n, θ′n)}. Thus, a measureof non-invertibility estimates the difficulty in obtaining Tgiven φ (T ) [90].

Cartesian and polar transformation : In the Cartesian trans-formation, the minutiae positions are measured in rectangularcoordinates with reference to the position of the singularpoint, where the x-axis is aligned with the orientation of thesingular point [91]. The coordinate system is divided intofixed sized cells numbered in a fixed sequence. The Cartesiantransformation changes the initial cell positions (with rotationin multiple of 90◦ after transposition. In polar transformation,the minutiae positions are measured in polar coordinates withreference to the core position [91]. The orientation of thecore in the fingerprint is used as reference to measure theangle. In this case, the coordinate space is divided into polarsectors (L levels and S angles) numbered in sequence. Thetransformation changes the initial sector positions along withchanging the minutia angles in accordance to the difference inthe sector positions before and after transformation. Ahmad etal. [92] proposed a local feature-based, and Cartesian and polartransformation-based cancelable fingerprint template scheme.

Surface folding : In a surface folding transformation, boththe position and the orientation of the minutia are changed bya mapping function [2]. Conceptually, in this transformationthe minutia are embedded in a sheet and then the sheet iscrumpled.

Fig. 20 shows the surface folding transformation. It isobserved that the transform is smooth locally, but not globally.Also, the transform has “folds”, i.e., multiple minutia locationin the original space map to same location in the transformedspace. This property provides the desired non-invertibility asit creates ambiguity while reversing the transform. However,due to fairly low “degree of folding” (after the transformationonly 8% minutia have their neighbors perturbed) the non-invertibility provided by functional surface folding transformis not strong in spite of high matching accuracy.


Fig. 20: Surface folding transformation [2]

Block permutations : Block permutation is a non-invertibletransformation technique for cancelable biometric system. Thisinvolves the process of splitting the entire image output bythe biometric sensor, into several smaller blocks which areshuffled based on a key value, such that the entire inputimage becomes chaotic [93]. The application of this techniqueto fingerprint biometric system involves the division of theoriginal fingerprint minutia image into several blocks. A usersecret key is used to shuffle these blocks in random order sothat the real minutia positions are not revealed to the adversary.

Biotokens : Fig. 21 shows the basic operation mode ofbiotokens. Initially, the scaling and translation transformationis applied to each measured biometric feature v to producev′ = (v − t) · s. The transformed features are then split into astable part g (an integer) and an unstable part r. The first partof the secure biometric template, w, is a one-way transformof g. The unencoded r obscured by the transform along withs and t form the second part of the template.

Fig. 21: Biotokens: basic operation mode [61]

In authentication, features are transformed by applying sand t onto a residual region defined by r and the unencryptedr is used to compute the local distance within a “window”,which is referred to as robust distance measure, to providea perfect match of w [61]. Scheirer et al. introduced bipar-tite biotoken a secure template construct for cryptographictransactions supporting biometrics that, when re-encoded, canrelease session specific data in [94]. The authors showed thatbipartite biotokens offer a convenient enhancement to keys andpasswords, allowing for tighter auditing and non-repudiation,

as well as protection from phishing and man-in-the-middleattacks [95].

BioConvolving : Maiorana et al. introduced a novel non-invertible transform-based approach, namely, BioConvolving,which provides both protection and renewability for anybiometric template [96]. The transform can be expressed interms of a set of discrete sequences related to the temporal,spatial, or spectral behavior of the considered biometrics. TheBioConvolving approach is characterized by three types oftransformations which, when applied to an original biometrictemplate, RF with F sequences r(i) [n], of length N , cangenerate a secure template TF composed by F functionsf(i) [n] , i = 1, 2, ..., F , from which retrieving the originaldata is as hard as randomly guessing them [97]. The securityof the BioConvolving approach depends on the fact that,if an impostor gains access to the stored information, hehas to resolve a blind deconvolution problem to retrievethe original template [98]. The advantage of BioConvolvingscheme is that it is not feasible for the adversary to retrievethe original template even if he succeeds in stealing more thanone transformed template. However, the primary drawback ofthe BioConvolving cancelable transformation system was thelength of its transformed template, which does not have thesame length as the original one [99].

Fingerprint shell : Moujahdi et al. exploits the informa-tion provided by the extracted minutiae to construct a newrepresentation based on special spiral curves (that will bestored in the database as template). The representation canbe used for the recognition task instead of the traditionalminutiae-based representation in [100]. Initially, the minutiaand singular points (such as, core and delta) are extractedfrom the fingerprint image. The distance between each minutiaand every core and delta point is calculated. These distancesare arranged in ascending order. These distances form thehypotenuses of several right angle triangles constructed inthe next step. The algorithm keeps only the spiral curvesthus formed for matching in the authentication phase. Theauthors demonstrated that the fingerprint shell is invulnerableto brute force attack and zero-effort attack. The limitationsof this approach include a drastic variation in the constructedcurve due to the addition of spurious minutia or missing ofmajority of minutia. Due to this limitation, the fingerprint shellis not efficient enough to be used in biometric acquisition inall scenarios.

3) Template image transformation: While biometric tech-niques have inherent advantages over traditional personalidentification techniques, the problem of ensuring the securityand integrity of the biometric data is critical, e.g. if a personsbiometric data (such as, her fingerprint image) is stolen, it isnot possible to replace it unlike replacing a stolen credit card,ID, or password [101]. Encryption, steganography, watermark-ing and visual cryptography are possible solutions to enhancethe security and integrity of biometric data.

Steganography: Steganography communicates secret in-formation by hiding it in multimedia carrier such as im-age/video/audio files [54]. A novel and efficient informa-tion security system to protect biometric signatures fromany unauthorized access which employs orthogonal coding


scheme, encoded steganography, and nonlinear encryptionscheme involving joint transform correlation is proposed in[102]. The technique employs orthogonal coding scheme toencode multiple biometric information and multiplex togetherwhich makes it almost impossible to decode even a part of thesecret information without authorization [102].

Watermarking: Ratha et al. [103] described a robust data-hiding algorithm in the wavelet-compressed domain for finger-print images which is simple and can be easily implementedin hardware. The approach provides security against replayattack for an on-line fingerprint authentication system. In thismethod, a different verification string is issued by the serviceprovider (server) for each transaction. The verification stringis combined with the fingerprint image, and then the newimage is transmitted over the insecure communication channel.The server on receiving this image back can decompress it toverify the presence of correct string embedded in it. Thus thereplay of stored images to the matcher is prevented. Jain et al.introduced two applications of an amplitude modulation-basedwatermarking (hiding a users biometric data in a variety ofimages) method which has the ability to increase the securityof both the hidden biometric data (e.g., eigen-face coefficients)and host images (e.g., fingerprints) [101]. The authors claimedthat a high accuracy in verification on watermarked (e.g.,fingerprint) images is guaranteed by the feature analysis ofthe host images.

Visual Cryptography Scheme (VCS): Naor et al. intro-duced a cryptographic scheme, visual cryptography, whichis perfectly secure, very easy to implement and can decodeconcealed images without any cryptographic computationsin [104]. VCS is a cryptographic technique that allows forthe encryption of visual information such that the decryptioncan be performed using the human visual system [105]. Thebasic VCS scheme is denoted as (k, n) VCS, and read ask − out − of − n VCS. Suppose T is the original binaryimage, the scheme encrypts it in n images such that,

T = Sh1 ⊕ Sh2 ⊕ Sh3 · · · ⊕ Shk(5)

where ⊕ is a Boolean operation and Shi is an image thatappears as white noise, such that, hi ∈ (1, 2, 3, · · · , k), k ≤ nand n specifies the number of noisy images. The encryption isundertaken in such a way that k or more out of the n generatedimages are necessary for reconstructing the original image Tand it is difficult to decipher the secret image using individualShis [105].

C. Secure Multiparty Computation (SMPC)

The Secure Multiparty Computation technique is useful ina system composed of n entities, namely e1, e2, ..., en. Allentities jointly compute a public function g using individualsecret data, s1, s2, ..., sn, keeping their private inputs undis-closed from each other.

Homomorphic Encryption (HE): Gomez-Barrero et al. pro-posed a new efficient biometric template protection schemebased on homomorphic probabilistic encryption for fixed-length templates, where only encrypted data is processed[106]. Homomorphic Encryption schemes require no auxiliary

data (which can be exploited in order to obtain informationabout the hidden biometric data, thus violating the privacyof the subject) and allow for computations to be performedon ciphertexts, which generate encrypted results whose corre-sponding plaintexts match the results of the operations carriedout on the original plaintext [106]. Most HE schemes relyon asymmetric cryptography, and the homomorphic propertyholds under encryption with the public key of one of the partiesinvolved in the protocol [107].

In an honest-but-curious adversary model [108], where bothparties, client and server, follow the established protocols butmay try to learn additional information about the other sidetemplate, the server must process the clients biometric datawithout extracting any information from it, and at the sametime, the server must protect the information stored in thedatabase [107]. To achieve this, the Paillier homomorphicprobabilistic encryption scheme [109] is used, which is basedon the decisional composite residuosity assumption: given acomposite n and an integer z, it is hard to decide whether zis an n-residue modulo n2.

Oblivious Transfer (OT): Oblivious transfer is a secure two-party computation (STPC) protocol which enables one party,say the sender (e.g. a server) S, to send one out of n messages(x1, x2, ..., xn) to a receiver (say, a client) R. The receiverinitially chooses any of the n messages. The communicationcompletes without the receiver revealing any information aboutthe chosen xi to the sender and also the information about theremaining n − 1 messages is kept hidden from the receiver.If we consider the elements to be the stored (encrypted)biometric templates, we see that OT essentially allows oneto search in the database, without revealing which item (i.e.,biometric template) is selected for the matching process [110].OT alone cannot prevent some template recovery attacks, sincethe best known strategy is based solely on the value returnedby the (Biometric Authentication System) BAS (essentially theacceptance/rejection message) which is not affected by the OTtechnique [110]. Hamming distance together with oblivioustransfers is one of the most elegant tools used in biometricauthentication systems [111].

Garbled Circuits (GC): Garbled circuits are a cryptographictechnique (combining OT and SMPC between two entities)that enables two parties to compute a function (representedas a binary circuit) and learn only the output of the functionand nothing else (e.g., the other partys input) and thus is quiterelevant for achieving a privacy-preserving matching processin biometric authentication [110]. Given that the complexitydepends on the number of gates composing the circuit, GCsare suited for operations such as sums and comparisons, forwhich the number of gates depends linearly on the input bitlength [107].

Dodis et al. coined the terms secure sketch and fuzzyextractor in the context of key generation from biometricdata [70]. The general idea of fuzzy extractor is based on atwo-step process, where an extraction function first transformsany sufficiently random fuzzy secret into an almost uniformrandom private string, and outputs some public information,which is used in the regeneration step to reconstitute the exactsame private string from a close enough approximation of the


original fuzzy secret [112].Umut Uludag et al. [83] have presented various methods

that monolithically bind a cryptographic key with the user’sstored biometric template in such a way that the key cannotbe revealed without a successful biometric authentication.In [62], the authors have proposed an effective biometriccryptosystem construction for biometric template protectionusing a number of discretized fingerprint texture descriptorsand appropriate error correcting codes (ECC). Jo et al. haveproposed a biometric digital key generation/extraction mecha-nisms for cryptographic secure communication [113]. Arjonaet al. provided the implementation of a fingerprint biometriccryptosystem in FPGA [114].

A novel algorithm for fingerprint encryption which trans-forms fingerprint minutia and performs matching in the trans-formed form was proposed in [115]. This algorithm con-structs a circular region around each minutia and encryptsthese regions before storing as “canceled template” in thedatabase. Considering their results, the authors claim to haveachieved improvement in accuracy compared to fuzzy vaultsystem. Benjamin Tams investigated the implementations ofbiometric cryptosystems for protecting fingerprint templatesand concluded that a single fingerprint is insufficient to providea secure biometric cryptosystem in [48].

The biometric data can be secured using encryption tech-niques, watermarking, and steganography. The use of anamplitude modulation-based watermarking method to hide ausers biometric data in a variety of images so as to increasethe security of both the hidden biometric data and hostimages (e.g., fingerprints) was proposed in [101]. The hashingtechnique can also be used to secure biometric data. A methodhashing fingerprint minutia information, wherein only hasheddata is transmitted and stored in the server database, and itis not possible to restore fingerprint minutia locations usinghashed data in [116].

VII. ISSUES AND CHALLENGES

The fingerprint biometric system is widely used in bor-der control, forensics, criminal identification, access control,computer logins, e-commerce, welfare disbursements, missingchildren identification, id-cards, passports, user authenticationon mobile devices, time and attendance monitoring systems[117]. Due to the wide acceptance of the biometric system asa reliable means for user identification and authorization, itbecomes a need to address various challenges for improvingthe system performance and enhance the security of such sys-tems. Jain et al. have categorized the fundamental barriers inbiometrics into four main categories, namely, accuracy, scale,security, and privacy in [118]. The accuracy of a biometricsystem is highly influenced by false-match and false-nonmatcherrors in making the correct decision. The scale barrier posesa question about the effect of the number of enrolled usersin making a correct decision. The security of the biometricsystem against possible attacks and the privacy of user data isof paramount importance.

The future of biometric system along with various researchopportunities are discussed in [119]. The authors have ad-dressed opportunities in modality-related research, information

security research, testing and evaluation research, systems-level statistical engineering research, research on scale andsocial science. The privacy issues related to biometric systemare discussed in [22]. The privacy issues are mainly relatedto user data (i.e. biometrics). Privacy concerns arise whenbiometric data are used for secondary purposes, invokingfunction creep, data matching, aggregation, surveillance andprofiling [120]. To address the privacy issue of an individual’sbiometrics, a fingerprint authentication system for the privacyprotection of the fingerprint template stored in a database isintroduced in [34]. In this case, the identity of an individualis hidden in a thinned fingerprint template, which is storedin an online database and retrieved in authentication phase.Some people do not believe in the biometric system due toprivacy concerns. Hence, the research community is facing achallenge to develop a biometric system which takes care ofnot only the security but also the privacy of the user data.

The World Bank estimates that more than 1.5 billion peopleworldwide do not officially exist [121]. Biometric system canbe the possible solution to this global issue of rendering theresources and services of the government accessible to thepeople.

Akhtar et al. have performed a comprehensive study onbiometric systems and tried to answer some of key questionsrelated to biometrics in [40]. The authors have categorisedthe queries into various sections, such as the current statusof biometrics, current issues and challenges of biometrics,hot topics in biometrics, security of biometrics and future ofbiometrics.

VIII. OPEN PROBLEMS AND OPPORTUNITIES

The biometric systems are improving every day making ourlives better and secure. In this Section, we identify presentlimitations, open problems, and future research opportunitiesin biometric systems. Table III shows the topics in biometricsthat still need attention from industry and academia.

Smartphone biometrics is the use of biometrics to securea smartphone from unauthorized access and theft. At presentmore than 95% of world population is using a smartphone.The use of fingerprint, iris, and face as owner identification isalready available with some smartphones. The time requiredfor authentication using biometrics is relatively high, and withmulti-factor authentication, such as password and biometrics,things are getting worse for the user. A hardware-level match-ing can improve the execution time of such systems.

Big data techniques for biometrics is required for anextensive template database such as Aadhaar database ora global passport validation with user biometrics. The bigdata techniques work at data storage, data analytics, efficientsearching, and data privacy. These techniques can be a possiblesolution to a sufficiently sizeable biometric template database.

Biometric sensor interoperability is the adaption of a bio-metric system to the raw biometrics obtained from the sensorsof another biometric system. The biometric systems are tunedto accept the biometrics generated from a single sensor.Hence, they show an abnormal response to the biometrics notproduced from its sensors. This issue can be addressed at a


TABLE III: Opportunities in fingerprint biometric system

Topic Issues / research opportunitiesSmartphonebiometrics

Improving matching speed and addressingtemplate security on smartphone

Big datatechniques Securing database against template leakage

Biometric sensorinteroperability Sensor technology enhancement

Wearablebiometrics Addressing privacy issues

Performanceimprovement

Improving matching speed, narrowingzero-effort attacks

Sensor technologyenhancement

Improving the sensor speed and making theminvulnerable to presentation attacks

Poor quality imagerecognition

Improving the digital image processingtechniques

Biometrics onsmartcard

Issues related to tampering attack anda side-channel attack on this system

Fingerprintindexing Designing techniques for database indexing

Biometriccryptosystems

Performance enhancement using hardware basedmultimodal biometric cryptosystem

Touchlessbiometric Touchless biometric system using multiple traits

Cancelablebiometrics

Cancelable template generation for multimodalbiometric systems

2D-3Dbiometrics

Develop improved image processing techniquesto transform 2D biometrics into 3D

Multimodalbiometric system

Issues in design, testing, accuracy,and performance of such systems

Biometrics asdigital signature

Mitigating the hill-climbing attack and issuesrelated to practicable biometric digital signature

level that a capacitive sensor accepts the biometrics obtainedfrom any other capacitive sensor.

Wearable biometrics refers to person identification technol-ogy incorporated into items of garments and accessories thatcan read, record, and compare individuals biometric traits suchas heart rate, respiratory rate, or any physical activity [122].The devices embedded into daily wearables such as a watch,jewelry, shoes, spectacles, handbags, clothing, etc. providecontinuous interaction with the biometric system without userknowledge and intervention. Wearable biometric is the futureof user identification. An improvement in sensor technology,such as sound sensor, location sensor, light sensor, temper-ature sensor etc., and wireless communication protocol isrequired for wearable biometrics. Biometric signals should bedistinguishable, permanent, collectable, and difficult to imitate[122].

Performance improvement in biometric system deals withthe matching time during the authentication phase. Thechances of zero-effort attack should be narrowed down, and atthe same time, the user identification and authentication musthappen in no time since the biometric submission. To addressthis problem, we need to revisit the system in its entirety andpreserve the security of the system. The biometric input devicecan be designed to capture multiple fingerprint images andkeep the best quality image to improve matching accuracyand minimize the possibility of zero-effort attack. Based onthe images captured in the enrollment phase, the predefinedthreshold should be automatically adjusted for every user, andthis user-specific threshold should be used in authenticationphase.

Sensor technology enhancement needs to be addressed for

detecting and preventing all kinds of fake biometric submis-sion incidents at the sensor level itself. The sensor shouldbe able to sense the physical presence of a user when thebiometrics is submitted. An improvement in sensor technologycan reduce the probabilities of false acceptance and falserejection.

Poor quality image recognition is required since the humanand environmental factors affect the way sensor captures thebiometrics of an individual. The image enhancement moduleshould be able to make a poorly captured image recogniz-able by the matcher against the stored template. The imageprocessing techniques can solve this problem.

Biometrics on smartcard is already in use, such as Match-on-card and Match-in-sensor wherein the biometric is storedin the smartcard and a one-to-one matching is performed in theauthentication mode. The template security and performanceof this system have to be evaluated and improved.

Fingerprint indexing is the organization of fingerprint tem-plates stored in the database. The linear search performed onentire database results in a large search space and thus requiresO(n)

comparisons in the worst case for n templates in thedatabase. A relatively less number of worst case comparisonscan reduce the search time and ultimately improve the overallperformance of the system.

Biometric cryptosystems based on a single finger cannotprovide significant security since it is susceptible to bruteforce attack and zero-effort attack, i.e., false acceptance.Also, the biometric cryptosystem is found to be relativelyslow as compared to the cancelable biometrics. A hardware-based biometric cryptosystem with multi-modal biometric canaddress this problem.

Touchless biometric system senses the biometrics of anindividual with physical contact with the sensor. A palm printbased touchless biometric system is available as a commercialproduct. A multimodal touchless biometric system can effi-ciently enhance the security of such systems.

Cancelable biometrics using multiple traits can make thetemplate more secure and irreversible. The combination ofcancelable biometric with biometric encryption techniques isa topic to look forward to research for solving the problem ofstolen biometrics.

2D-3D biometrics is the transformation of the 2D biometricimage into a 3D image to be used for enrollment and authen-tication. The image processing techniques that help in suchtransformation can explore new horizon.

Multimodal biometric system using more than one trait toenroll and authorize an individual is gaining more attentionby the research community. The performance and security ofsuch system have a vast scope in contributing to biometricsystem future.

Biometrics as digital signature It is desirable to generate adigital signature using biometrics but not practicable becauseof its inaccurate measuring and potential hill-climbing attacks,without using specific hardware devices that hold signaturekeys or biometric templates securely [123].


IX. CONCLUSION

In this paper, we have done a comprehensive study ofthe fingerprint biometric system and addressed various secu-rity aspects of the system. The security vulnerabilities of abiometric system were highlighted using threat models. Thedirect, indirect and side channel attacks targeting biometricsystem were elaborated to understand the weaknesses inthe system. The application of cryptographic techniques insecuring biometric system termed as biometric cryptosystemand cancelable biometrics has contributed significantly to thetemplate protection techniques. We have identified some of theopen problems and challenges that need to be addressed bythe researchers. The biometric security has a lot of scopes tomake further the system more invulnerable to different typesof attacks. We mainly focused on including the topics relatedto the biometric system that is sufficient enough to build abase for the reader and encourage them to further explore andcontribute in the field of biometric security.

REFERENCES

[1] A. K. Jain, K. Nandakumar, and A. Nagar, “Fingerprinttemplate protection: From theory to practice,” in Security andPrivacy in Biometrics, 2013, pp. 187–214. [Online]. Available:https://doi.org/10.1007/978-1-4471-5230-9 8

[2] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook ofFingerprint Recognition, 2nd ed. Springer Publishing Company,Incorporated, 2009.

[3] A. K. Jain, S. S. Arora, L. Best-Rowden, K. Cao, P. S.Sudhish, A. Bhatnagar, and Y. Koda, “Giving infants an identity:Fingerprint sensing and recognition,” in Proceedings of theEighth International Conference on Information and CommunicationTechnologies and Development, ICTD 2016, Ann Arbor, MI,USA, June 03 - 06, 2016, 2016, p. 29. [Online]. Available:http://doi.acm.org/10.1145/2909609.2909612

[4] A. Jain and S. U. Pankanti, “A touch of money [biometric authentica-tion systems],” IEEE Spectrum, vol. 43, pp. 22–27, 2006.

[5] [Online]. Available: https://uidai.gov.in/[6] R. M. Bolle, A. W. Senior, N. K. Ratha, and S. Pankanti,

“Fingerprint minutiae: A constructive definition,” in BiometricAuthentication, International ECCV 2002 Workshop Copenhagen,Denmark, June 1, 2002, Proceedings, 2002, pp. 58–66. [Online].Available: https://doi.org/10.1007/3-540-47917-1 7

[7] S. Greenberg, M. Aladjem, and D. Kogan, “Fingerprint imageenhancement using filtering techniques,” Real-Time Imaging,vol. 8, no. 3, pp. 227 – 236, 2002. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S1077201401902839

[8] A. K. Jain, K. Nandakumar, and A. Nagar, “Biometric templatesecurity,” EURASIP J. Adv. Sig. Proc., vol. 2008, 2008. [Online].Available: https://doi.org/10.1155/2008/579416

[9] Ratha N. K.,Connell J. H.,Bolle R. M., “Enhancing securityand privacy in biometrics-based authentication systems,” IBMSystems Journal, vol. 40, no. 3, p. , 2001. [Online]. Available:http://www.cedar.buffalo.edu/ govind/CSE717/papers/

[10] C. Roberts, “Biometric attack vectors and defences,” Comput.Secur., vol. 26, no. 1, pp. 14–25, Feb. 2007. [Online]. Available:http://dx.doi.org/10.1016/j.cose.2006.12.008

[11] S. Marcel, M. S. Nixon, and S. Z. Li, Eds., Handbook of BiometricAnti-Spoofing - Trusted Biometrics under Spoofing Attacks, ser.Advances in Computer Vision and Pattern Recognition. Springer,2014. [Online]. Available: https://doi.org/10.1007/978-1-4471-6524-8

[12] Z. Akhtar, C. Micheloni, and G. L. Foresti, “Biometric livenessdetection: Challenges and research opportunities,” IEEE Security& Privacy, vol. 13, no. 5, pp. 63–72, 2015. [Online]. Available:https://doi.org/10.1109/MSP.2015.116

[13] J. Galbally, R. Cappelli, A. Lumini, D. Maltoni, and J. Fierrez-Aguilar, “Fake fingertip generation from a minutiae template,” in19th International Conference on Pattern Recognition (ICPR 2008),December 8-11, 2008, Tampa, Florida, USA, 2008, pp. 1–4. [Online].Available: https://doi.org/10.1109/ICPR.2008.4761456

[14] J. Galbally, R. Cappelli, A. Lumini, G. G. de Rivera, D. Maltoni,J. Fierrez, J. Ortega-Garcia, and D. Maio, “An evaluation of directattacks using fake fingers generated from ISO templates,” PatternRecognition Letters, vol. 31, no. 8, pp. 725–732, 2010. [Online].Available: https://doi.org/10.1016/j.patrec.2009.09.032

[15] T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino, “Impactof artificial ”gummy” fingers on fingerprint systems,” Datenschutz undDatensicherheit, vol. 26, no. 8, 2002.

[16] E. Marasco and A. Ross, “A survey on antispoofing schemes forfingerprint recognition systems,” ACM Comput. Surv., vol. 47, no. 2, pp.28:1–28:36, 2014. [Online]. Available: https://doi.org/10.1145/2617756

[17] A. Ross, J. Shah, and A. K. Jain, “From template to image:Reconstructing fingerprints from minutiae points,” IEEE Trans.Pattern Anal. Mach. Intell., vol. 29, no. 4, pp. 544–560, 2007.[Online]. Available: https://doi.org/10.1109/TPAMI.2007.1018

[18] H. Choi, R. Kang, K. Choi, and J. Kim, “Aliveness detection offingerprints using multiple static features,” vol. 2, 01 2007.

[19] J. Feng, A. K. Jain, and A. Ross, “Detecting altered fingerprints,” in20th International Conference on Pattern Recognition, ICPR 2010,Istanbul, Turkey, 23-26 August 2010, 2010, pp. 1622–1625. [Online].Available: https://doi.org/10.1109/ICPR.2010.401

[20] S. Yoon, J. Feng, and A. K. Jain, “Altered fingerprints:Analysis and detection,” IEEE Trans. Pattern Anal. Mach.Intell., vol. 34, no. 3, pp. 451–464, 2012. [Online]. Available:https://doi.org/10.1109/TPAMI.2011.161

[21] [Online]. Available: www.intergov.org[22] S. Prabhakar, S. Pankanti, and A. K. Jain, “Biometric

recognition: Security and privacy concerns,” IEEE Security &Privacy, vol. 1, no. 2, pp. 33–42, 2003. [Online]. Available:https://doi.org/10.1109/MSECP.2003.1193209

[23] A. K. Jain, A. A. Ross, and K. Nandakumar, Introduction to Biometrics.Springer Publishing Company, Incorporated, 2011.

[24] F. Standaert, “Introduction to side-channel attacks,” in SecureIntegrated Circuits and Systems, 2010, pp. 27–42. [Online]. Available:https://doi.org/10.1007/978-0-387-71829-3 2

[25] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis:Concrete results,” in Cryptographic Hardware and Embedded Systems- CHES 2001, Third International Workshop, Paris, France, May 14-16, 2001, Proceedings, no. Generators, 2001, pp. 251–261. [Online].Available: https://doi.org/10.1007/3-540-44709-1 21

[26] J. Galbally, J. Fierrez, J. Ortega-Garcia, C. McCool, and S. Marcel,“Hill-climbing attack to an eigenface-based face verification system,”in 2009 First IEEE International Conference on Biometrics, Identityand Security (BIdS), Sept 2009, pp. 1–6.

[27] J. Galbally, S. Carballo, J. Fierrez, and J. Ortega-Garcia, “Vulnerabilityassessment of fingerprint matching based on time analysis,” inBiometric ID Management and Multimodal Communication, JointCOST 2101 and 2102 International Conference, BioID MultiComm2009, Madrid, Spain, September 16-18, 2009. Proceedings, 2009,pp. 285–292. [Online]. Available: https://doi.org/10.1007/978-3-642-04391-8 37

[28] M. Berthier, Y. Bocktaels, J. Bringer, H. Chabanne, T. Chouta,J. Danger, M. Favre, and T. Graba, “Studying potential side channelleakages on an embedded biometric comparison system,” IACRCryptology ePrint Archive, vol. 2014, p. 26, 2014. [Online]. Available:http://eprint.iacr.org/2014/026

[29] T. Chouta, T. Graba, J. Danger, J. Bringer, M. Berthier,Y. Bocktaels, M. Favre, and H. Chabanne, “Side channelanalysis on an embedded hardware fingerprint biometric comparator& low cost countermeasures,” in HASP 2014, Hardware andArchitectural Support for Security and Privacy, Minneapolis, MN,USA, June 15, 2014, 2014, pp. 6:1–6:6. [Online]. Available:http://doi.acm.org/10.1145/2611765.2611771

[30] M. Durmuth, D. Oswald, and N. Pastewka, “Side-channel attackson fingerprint matching algorithms,” in Proceedings of the6th International Workshop on Trustworthy Embedded Devices,TrustED@CCS 16, Vienna, Austria, October 28, 2016, 2016, pp. 3–13. [Online]. Available: http://doi.acm.org/10.1145/2995289.2995294

[31] K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, andI. Verbauwhede, “A side-channel leakage free coprocessor ic in 0.18mcmos for embedded aes-based cryptographic and biometric processing,”2005.

[32] J. Waddle and D. A. Wagner, “Towards efficient second-order poweranalysis,” in Cryptographic Hardware and Embedded Systems -CHES 2004: 6th International Workshop Cambridge, MA, USA,August 11-13, 2004. Proceedings, 2004, pp. 1–15. [Online]. Available:https://doi.org/10.1007/978-3-540-28632-5 1


[33] S. Yang and I. M. Verbauwhede, “A secure fingerprint matchingtechnique,” in Proceedings of the 2003 ACM SIGMM Workshopon Biometrics Methods and Applications, ser. WBMA ’03. NewYork, NY, USA: ACM, 2003, pp. 89–94. [Online]. Available:http://doi.acm.org/10.1145/982507.982524

[34] S. Li and A. C. Kot, “Privacy protection of fingerprint database,” IEEESignal Process. Lett., vol. 18, no. 2, pp. 115–118, 2011. [Online].Available: https://doi.org/10.1109/LSP.2010.2097592

[35] U. Uludag and A. K. Jain, “Attacks on biometric systems: a casestudy in fingerprints,” in Security, Steganography, and Watermarkingof Multimedia Contents VI, San Jose, California, USA, January18-22, 2004, Proceedings, 2004, pp. 622–633. [Online]. Available:https://doi.org/10.1117/12.530907

[36] P. C. van Oorschot, “Revisiting software protection,” in InformationSecurity, 6th International Conference, ISC 2003, Bristol, UK,October 1-3, 2003, Proceedings, 2003, pp. 1–13. [Online]. Available:https://doi.org/10.1007/10958513 1

[37] H. Chang and M. J. Atallah, “Protecting software code by guards,”in Security and Privacy in Digital Rights Management, ACMCCS-8 Workshop DRM 2001, Philadelphia, PA, USA, November5, 2001, Revised Papers, 2001, pp. 160–175. [Online]. Available:https://doi.org/10.1007/3-540-47870-1 10

[38] N. K. Ratha, J. H. Connell, and R. M. Bolle, “An analysis ofminutiae matching strength,” in Audio- and Video-Based BiometricPerson Authentication, Third International Conference, AVBPA 2001Halmstad, Sweden, June 6-8, 2001, Proceedings, 2001, pp. 223–228.[Online]. Available: https://doi.org/10.1007/3-540-45344-X 32

[39] M. Martinez-Diaz, J. Fierrez-Aguilar, F. Alonso-Fernandez, J. Ortega-Garcia, and J. A. Siguenza, “Hill-climbing and brute-force attackson biometric systems: A case study in match-on-card fingerprintverification,” in Proceedings 40th Annual 2006 International CarnahanConference on Security Technology, Oct 2006, pp. 151–159.

[40] Z. Akhtar, A. Hadid, M. Nixon, M. Tistarelli, J. L. Dugelay, andS. Marcel, “Biometrics: In search of identity and security (q a),” IEEEMultiMedia, vol. PP, no. 99, pp. 1–1, 2017.

[41] M. El-Abed, P. Lacharme, and C. Rosenberger, “Security EvaBio: Ananalysis tool for the security evaluation of biometric authenticationsystems,” in 5th IAPR International Conference on Biometrics, ICB2012, New Delhi, India, March 29 - April 1, 2012, 2012, pp. 460–465.[Online]. Available: https://doi.org/10.1109/ICB.2012.6199793

[42] A. Adler, Biometric System Security. Boston, MA: Springer US,2008, pp. 381–402. [Online]. Available: https://doi.org/10.1007/978-0-387-71041-9 19

[43] A. Hadid, N. W. D. Evans, S. Marcel, and J. Fierrez, “Biometricssystems under spoofing attack: An evaluation methodology and lessonslearned,” IEEE Signal Process. Mag., vol. 32, no. 5, pp. 20–30, 2015.[Online]. Available: https://doi.org/10.1109/MSP.2015.2437652

[44] A. K. Jain, K. Nandakumar, and A. Nagar, “Biometrictemplate security,” EURASIP J. Adv. Signal Process, vol.2008, pp. 113:1–113:17, Jan. 2008. [Online]. Available:http://dx.doi.org/10.1155/2008/579416

[45] J. Shelton, K. S. Bryant, S. Abrams, L. Small, J. Adams,D. Leflore, A. Alford, K. Ricanek, and G. V. Dozier, “Genetic& evolutionary biometric security: Disposable feature extractors formitigating biometric replay attacks,” in Proceedings of the Conferenceon Systems Engineering Research, CSER 2012, St. Louis, MO,USA, March 19-22, 2012, 2012, pp. 351–360. [Online]. Available:https://doi.org/10.1016/j.procs.2012.01.072

[46] A. K. J. Arun A. Ross, Jidnya Shah, “Toward reconstructingfingerprints from minutiae points,” pp. 5779 – 5779 – 13, 2005.[Online]. Available: https://doi.org/10.1117/12.604477

[47] A. K. Jain, A. Ross, and U. Uludag, “Biometric security: Challengesand solutions,” in 13th European Signal Processing Conference,EUSIPCO 2005, Antalya, Turkey, September 4-8, 2005, 2005, pp.1–4. [Online]. Available: http://ieeexplore.ieee.org/document/7078369/

[48] B. Tams, “Attacks and countermeasures in fingerprint based biometriccryptosystems,” CoRR, vol. abs/1304.7386, 2013. [Online]. Available:http://arxiv.org/abs/1304.7386

[49] A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: a tool for in-formation security,” IEEE Transactions on Information Forensics andSecurity, vol. 1, no. 2, pp. 125–143, June 2006.

[50] Wayman, James L., Technical Testing and Evaluation of BiometricIdentification Devices. Boston, MA: Springer US, 1996, pp. 345–368.[Online]. Available: https://doi.org/10.1007/0-306-47044-6 17

[51] Bartlow N., Cukic B., “The vulnerabilities of biometric systems - anintegrated look and old and new ideas,” Technical report, 2005.

[52] Information technology - Security techniques - Biometric informationprotection, International Organization for Standardization Standard,June 2011.

[53] K. Nandakumar and A. K. Jain, “Biometric template protection:Bridging the performance gap between theory and practice,” IEEESignal Process. Mag., vol. 32, no. 5, pp. 88–100, 2015. [Online].Available: https://doi.org/10.1109/MSP.2015.2427849

[54] H. Kaur and P. Khanna, “Biometric template protection usingcancelable biometrics and visual cryptography techniques,” MultimediaTools Appl., vol. 75, no. 23, pp. 16 333–16 361, 2016. [Online].Available: https://doi.org/10.1007/s11042-015-2933-6

[55] M. AlsharE, A. Zin, R. Sulaiman, and M. Mokhtar, “Evaluation ofthe tpm user authentication model for trusted computers,” Journal ofTheoretical and Applied Information Technology, vol. 81, no. 2, pp.298–309, 11 2015.

[56] S. Pearson, “Trusted computing platforms, the next security solution.”Trusted E-Services Laboratory, HP Laboratories Bristol, Tech. Rep.,11 2002.

[57] A. D. A. David A. Fisher, Jonathan M. McCune, “Trust and trustedcomputing platforms,” Carnegie Mellon University, Tech. Rep., 1 2011.

[58] A. Kholmatov and B. A. Yanikoglu, “Biometric cryptosystem usingonline signatures,” in Computer and Information Sciences - ISCIS2006, 21th International Symposium, Istanbul, Turkey, November1-3, 2006, Proceedings, 2006, pp. 981–990. [Online]. Available:https://doi.org/10.1007/11902140 102

[59] U. Uludag and A. K. Jain, “Securing fingerprint template: Fuzzyvault with helper data,” in IEEE Conference on Computer Visionand Pattern Recognition, CVPR Workshops 2006, New York,NY, USA, 17-22 June, 2006, 2006, p. 163. [Online]. Available:https://doi.org/10.1109/CVPRW.2006.185

[60] H. Li, M. Wang, L. Pang, and W. Zhang, “Key binding basedon biometric shielding functions,” in Proceedings of the FifthInternational Conference on Information Assurance and Security, IAS2009, Xi’An, China, 18-20 August 2009, 2009, pp. 19–22. [Online].Available: https://doi.org/10.1109/IAS.2009.305

[61] C. Rathgeb and A. Uhl, “A survey on biometric cryptosystems andcancelable biometrics,” EURASIP J. Information Security, vol. 2011,p. 3, 2011. [Online]. Available: https://doi.org/10.1186/1687-417X-2011-3

[62] Y. Imamverdiyev, A. B. J. Teoh, and J. Kim, “Biometric cryptosystembased on discretized fingerprint texture descriptors,” Expert Syst.Appl., vol. 40, no. 5, pp. 1888–1901, 2013. [Online]. Available:https://doi.org/10.1016/j.eswa.2012.10.009

[63] A. Cavoukian and A. Stoianov, “Encryption, biometric,” inEncyclopedia of Biometrics, Second Edition, 2015, pp. 401–411.[Online]. Available: https://doi.org/10.1007/978-1-4899-7488-4 63

[64] G. J. T. C. Soutar and G. J. Schmidt, “Fingerprint controlled publickey cryptographic system,” Patent US 5 541 994, 1996.

[65] A. S. R. G. B. V. K. Colin Soutar, Danny Roberge, “Biometricencryption: enrollment and verification procedures,” pp. 3386 – 3386– 12, 1998. [Online]. Available: https://doi.org/10.1117/12.304770

[66] ——, “Biometric encryption using image processing,” pp. 3314 – 3314– 11, 1998. [Online]. Available: https://doi.org/10.1117/12.304705

[67] Y. Wang, S. Rane, and A. Vetro, “Leveraging reliable bits: ECCdesign considerations for practical secure biometric systems,” in FirstIEEE International Workshop on Information Forensics and Security,WIFS 2009, London, UK, December 6-9, 2009, 2009, pp. 71–75.[Online]. Available: https://doi.org/10.1109/WIFS.2009.5386479

[68] F. Monrose, M. K. Reiter, and S. Wetzel, “Password hardening basedon keystroke dynamics,” Int. J. Inf. Sec., vol. 1, no. 2, pp. 69–83,2002. [Online]. Available: https://doi.org/10.1007/s102070100006

[69] T. Ignatenko and F. M. J. Willems, “Information leakage infuzzy commitment schemes,” IEEE Trans. Information Forensics andSecurity, vol. 5, no. 2, pp. 337–348, 2010. [Online]. Available:https://doi.org/10.1109/TIFS.2010.2046984

[70] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. D. Smith, “Fuzzyextractors: How to generate strong keys from biometrics and othernoisy data,” CoRR, vol. abs/cs/0602007, 2006. [Online]. Available:http://arxiv.org/abs/cs/0602007

[71] A. Juels and M. Sudan, “A fuzzy vault scheme,” IACR CryptologyePrint Archive, vol. 2002, p. 93, 2002. [Online]. Available:http://eprint.iacr.org/2002/093

[72] Y. Dodis, L. Reyzin, and A. D. Smith, “Fuzzy extractors: Howto generate strong keys from biometrics and other noisy data,”in Advances in Cryptology - EUROCRYPT 2004, InternationalConference on the Theory and Applications of CryptographicTechniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings,


2004, pp. 523–540. [Online]. Available: https://doi.org/10.1007/978-3-540-24676-3 31

[73] B. Topcu, H. Erdogan, C. Karabat, and B. A. Yanikoglu,“Biohashing with fingerprint spectral minutiae,” in 2013BIOSIG - Proceedings of the 12th International Conferenceof Biometrics Special Interest Group, Darmstadt, Germany,September 4-6, 2013, 2013, pp. 305–312. [Online]. Available:http://subs.emis.de/LNI/Proceedings/Proceedings212/article4.html

[74] A. Cavoukian and A. Stoianov, Biometric Encryption:The New Breed of Untraceable Biometrics. Wiley-Blackwell, 2009, ch. 26, pp. 655–718. [Online]. Available:https://onlinelibrary.wiley.com/doi/abs/10.1002/9780470522356.ch26

[75] A. S. R. G. Colin Soutar, Danny Roberge and B. V. Kumar, ICSAGuide to Cryptography. McGraw-Hill, 1999.

[76] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” inCCS ’99, Proceedings of the 6th ACM Conference on Computer andCommunications Security, Singapore, November 1-4, 1999., 1999, pp.28–36. [Online]. Available: http://doi.acm.org/10.1145/319709.319714

[77] M. Lafkih, M. Mikram, S. Ghouzali, M. E. Haziti, and D. Aboutajdine,“Biometric cryptosystems based fuzzy commitment scheme: a securityevaluation,” Int. Arab J. Inf. Technol., vol. 13, no. 4, pp. 443–449,2016.

[78] L. You, G. Zhang, and F. Zhang, “A cryptographic key binding methodbased on fingerprint features and the threshold scheme,” IJACT, vol. 3,pp. 21–31, May 2011.

[79] U. Uludag, S. Pankanti, and A. K. Jain, “Fuzzy vault for fingerprints,”in Audio- and Video-Based Biometric Person Authentication, 5thInternational Conference, AVBPA 2005, Hilton Rye Town, NY, USA,July 20-22, 2005, Proceedings, 2005, pp. 310–319. [Online]. Available:https://doi.org/10.1007/11527923 32

[80] A. Nagar, K. Nandakumar, and A. K. Jain, “Securing fingerprinttemplate: Fuzzy vault with minutiae descriptors,” in 19th InternationalConference on Pattern Recognition (ICPR 2008), December 8-11,2008, Tampa, Florida, USA, 2008, pp. 1–4. [Online]. Available:https://doi.org/10.1109/ICPR.2008.4761459

[81] Q. Han, Z. Wang, and X. Niu, “An improved biometric templateprotection method based on non-uniform quantization,” JDIM, vol. 6,no. 2, pp. 168–173, 2008.

[82] J. Dong and T. Tan, “Security enhancement of biometrics, cryptographyand data hiding by their combinations,” in 2008 5th InternationalConference on Visual Information Engineering (VIE 2008), July 2008,pp. 239–244.

[83] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain,“Biometric cryptosystems: Issues and challenges,” Proceedingsof the IEEE, vol. 92, no. 6, pp. 948–960, 2004. [Online]. Available:https://doi.org/10.1109/JPROC.2004.827372

[84] N. K. Ratha, J. H. Connell, R. M. Bolle, and S. Chikkerur,“Cancelable biometrics: A case study in fingerprints,” in 18thInternational Conference on Pattern Recognition (ICPR 2006), 20-24August 2006, Hong Kong, China, 2006, pp. 370–373. [Online].Available: https://doi.org/10.1109/ICPR.2006.353

[85] A. B. J. Teoh and C. T. Yuang, “Cancelable biometrics realizationwith multispace random projections,” IEEE Trans. Systems, Man, andCybernetics, Part B, vol. 37, no. 5, pp. 1096–1106, 2007. [Online].Available: https://doi.org/10.1109/TSMCB.2007.903538

[86] Z. Jin, A. B. J. Teoh, B. Goi, and Y. H. Tay,“Biometric cryptosystems: A new biometric key binding andits implementation for fingerprint minutiae-based representation,”Pattern Recognition, vol. 56, pp. 50–62, 2016. [Online]. Available:https://doi.org/10.1016/j.patcog.2016.02.024

[87] A. Nagar, K. Nandakumar, and A. K. Jain, “Biometric templatetransformation: a security analysis,” in Media Forensics and SecurityII, part of the IS&T-SPIE Electronic Imaging Symposium, San Jose,CA, USA, January 18-20, 2010, Proceedings, 2010, p. 75410O.[Online]. Available: https://doi.org/10.1117/12.839976

[88] Y. Sutcu, H. T. Sencar, and N. D. Memon, “A secure biometricauthentication scheme based on robust hashing,” in Proceedings ofthe 7th workshop on Multimedia & Security, MM&Sec 2005, NewYork, NY, USA, August 1-2, 2005, 2006, 2005, pp. 111–116. [Online].Available: http://doi.acm.org/10.1145/1073170.1073191

[89] A. B. J. Teoh and D. C. L. Ngo, “Biophasor: Token supplementedcancellable biometrics,” in Ninth International Conference on Control,Automation, Robotics and Vision, ICARCV 2006, Singapore, 5-8December 2006, Proceedings, 2006, pp. 1–5. [Online]. Available:https://doi.org/10.1109/ICARCV.2006.345404

[90] A. Nagar and A. K. Jain, “On the security of non-invertiblefingerprint template transforms,” in First IEEE International Workshop

on Information Forensics and Security, WIFS 2009, London,UK, December 6-9, 2009, 2009, pp. 81–85. [Online]. Available:https://doi.org/10.1109/WIFS.2009.5386477

[91] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, “Generatingcancelable fingerprint templates,” IEEE Trans. Pattern Anal. Mach.Intell., vol. 29, no. 4, pp. 561–572, Apr. 2007. [Online]. Available:http://dx.doi.org/10.1109/TPAMI.2007.1004

[92] T. Ahmad and H. Fengling, “Cartesian and polar transformation-basedcancelable fingerprint template,” 11 2011.

[93] P. Punithavathi and G. Subbiah, “Can cancellable biomet-rics preserve privacy?” Biometric Technology Today, vol.2017, no. 7, pp. 8 – 11, 2017. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S0969476517301388

[94] W. J. Scheirer and T. E. Boult, “Bipartite biotokens: Definition,implementation, and analysis,” in Advances in Biometrics, ThirdInternational Conference, ICB 2009, Alghero, Italy, June 2-5, 2009. Proceedings, 2009, pp. 775–785. [Online]. Available:https://doi.org/10.1007/978-3-642-01793-3 79

[95] W. Scheirer and T. Boult, “Bio-cryptographic protocols with bipartitebiotokens,” in Proc of the IEEE Biometric Symposium, BSYM ’08, 102008, pp. 9 – 16.

[96] E. Maiorana, P. Campisi, J. Fierrez, J. Ortega-Garcia, and A. Neri,“Cancelable templates for sequence-based biometrics with applicationto on-line signature recognition,” Trans. Sys. Man Cyber. PartA, vol. 40, no. 3, pp. 525–538, May 2010. [Online]. Available:http://dx.doi.org/10.1109/TSMCA.2010.2041653

[97] Bioconvolving: Cancelable templates for a multi-biometrics signaturerecognition system, 04 2011.

[98] L. Nanni, E. Maiorana, A. Lumini, and P. Campisi, “Combining local,regional and global matchers for a template protected on-line signatureverification system,” Expert Syst. Appl., vol. 37, no. 5, pp. 3676–3684,2010. [Online]. Available: https://doi.org/10.1016/j.eswa.2009.10.023

[99] F. L. Malallah, S. M. B. S. A. A. Rahman, W. A. B. W. Adnan, and S. B.Yussof, “Non-invertible online signature biometric template protectionvia shuffling and trigonometry transformation,” International Journalof Computer Applications, vol. 98, no. 4, pp. 4–17, July 2014, full textavailable.

[100] C. Moujahdi, G. Bebis, S. Ghouzali, and M. Rziza, “Fingerprintshell: Secure representation of fingerprint template,” PatternRecognition Letters, vol. 45, pp. 189–196, 2014. [Online]. Available:https://doi.org/10.1016/j.patrec.2014.04.001

[101] A. K. Jain and U. Uludag, “Hiding biometric data,” IEEE Trans.Pattern Anal. Mach. Intell., vol. 25, no. 11, pp. 1494–1498, 2003.[Online]. Available: https://doi.org/10.1109/TPAMI.2003.1240122

[102] M. N. Islam, M. F. Islam, and K. Shahrabi, “Robust information secu-rity system using steganography, orthogonal code and joint transformcorrelation,” Optik - International Journal for Light and ElectronOptics, vol. 126, no. 23, pp. 4026 – 4031, 2015. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S0030402615007147

[103] N. K. Ratha, J. H. Connell, and R. M. Bolle, “Secure data hidingin wavelet compressed fingerprint images,” in Proceedings of theACM Multimedia 2000 Workshops, Los Angeles, CA, USA, October30 - November 3, 2000, 2000, pp. 127–130. [Online]. Available:http://doi.acm.org/10.1145/357744.357902

[104] M. Naor and A. Shamir, “Visual cryptography,” in Advances in Cryp-tology — EUROCRYPT’94, A. De Santis, Ed. Berlin, Heidelberg:Springer Berlin Heidelberg, 1995, pp. 1–12.

[105] A. Ross and A. A. Othman, “Visual cryptography forbiometric privacy,” IEEE Trans. Information Forensics andSecurity, vol. 6, no. 1, pp. 70–81, 2011. [Online]. Available:https://doi.org/10.1109/TIFS.2010.2097252

[106] M. Gomez-Barrero, J. Fierrez, J. Galbally, E. Maiorana, andP. Campisi, “Implementation of fixed-length template protectionbased on homomorphic encryption with application to signaturebiometrics,” in 2016 IEEE Conference on Computer Vision andPattern Recognition Workshops, CVPR Workshops 2016, Las Vegas,NV, USA, June 26 - July 1, 2016, 2016, pp. 259–266. [Online].Available: https://doi.org/10.1109/CVPRW.2016.39

[107] M. Barni, G. Droandi, and R. Lazzeretti, “Privacy protectionin biometric-based recognition systems: A marriage betweencryptography and signal processing,” IEEE Signal Process.Mag., vol. 32, no. 5, pp. 66–76, 2015. [Online]. Available:https://doi.org/10.1109/MSP.2015.2438131

[108] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applica-tions. New York, NY, USA: Cambridge University Press, 2004.

[109] P. Paillier, “Public-key cryptosystems based on composite degreeresiduosity classes,” in Advances in Cryptology - EUROCRYPT


’99, International Conference on the Theory and Applicationof Cryptographic Techniques, Prague, Czech Republic, May 2-6, 1999, Proceeding, 1999, pp. 223–238. [Online]. Available:https://doi.org/10.1007/3-540-48910-X 16

[110] E. Pagnin and A. Mitrokotsa, “Privacy-preserving biometricauthentication: Challenges and directions,” Security andCommunication Networks, vol. 2017, pp. 7 129 505:1–7 129 505:9,2017. [Online]. Available: https://doi.org/10.1155/2017/7129505

[111] M. S. Kiraz, Z. A. Genc, and S. Kardas, “Security and efficiencyanalysis of the hamming distance computation protocol basedon oblivious transfer,” Security and Communication Networks,vol. 8, no. 18, pp. 4123–4135, 2015. [Online]. Available:https://doi.org/10.1002/sec.1329

[112] X. Boyen, “Reusable cryptographic fuzzy extractors,” in Proceedings ofthe 11th ACM Conference on Computer and Communications Security,CCS 2004, Washington, DC, USA, October 25-29, 2004, 2004, pp. 82–91. [Online]. Available: http://doi.acm.org/10.1145/1030083.1030096

[113] J. Jo, J. Seo, and H. Lee, “Biometric digital signature key generationand cryptography communication based on fingerprint,” in Frontiersin Algorithmics, First Annual International Workshop, (FAW) 2007,Lanzhou, China, August 1-3, 2007, Proceedings, 2007, pp. 38–49.[Online]. Available: https://doi.org/10.1007/978-3-540-73814-5 4

[114] R. Arjona, “A fingerprint biometric cryptosystem in fpga.” [Online].Available: http://digital.csic.es/handle/10261/122760

[115] H. Chen and H. Chen, “A novel algorithm of fingerprintencryption using minutiae-based transformation,” Pattern RecognitionLetters, vol. 32, no. 2, pp. 305–309, 2011. [Online]. Available:https://doi.org/10.1016/j.patrec.2010.09.007

[116] S. Tulyakov, F. Farooq, and V. Govindaraju, “Symmetric hashfunctions for fingerprint minutiae,” in Pattern Recognition andImage Analysis, Third International Conference on Advances inPattern Recognition, ICAPR 2005, Bath, UK, August 22-25,2005, Proceedings, Part II, 2005, pp. 30–38. [Online]. Available:https://doi.org/10.1007/11552499 4

[117] J. A. Unar, W. C. Seng, and A. Abbasi, “A review ofbiometric technology along with trends and prospects,” PatternRecognition, vol. 47, no. 8, pp. 2673–2688, 2014. [Online]. Available:https://doi.org/10.1016/j.patcog.2014.01.016

[118] A. K. Jain, S. Pankanti, S. Prabhakar, L. Hong, andA. Ross, “Biometrics: A grand challenge,” in 17th InternationalConference on Pattern Recognition, ICPR 2004, Cambridge, UK,August 23-26, 2004., 2004, pp. 935–942. [Online]. Available:https://doi.org/10.1109/ICPR.2004.1334413

[119] J. N. Pato, “Biometric recognition: Challenges and opportunities.”National Academies Press, 2010.

[120] S. K. Panigrahy, D. Jena, K. S. Babu, and S. K. Jena, “On theprivacy protection of biometric traits: Palmprint, face, and signature,”in Contemporary Computing - Second International Conference,IC3 2009, Noida, India, August 17-19, 2009. Proceedings, 2009,pp. 182–193. [Online]. Available: https://doi.org/10.1007/978-3-642-03547-0 18

[121] D. M. Storisteanu, T. L. Norman, A. Grigore, and A. B. Labrique, “Canbiometrics beat the developing world’s challenges?” Biometric Tech-nology Today, vol. 2016, no. 11, pp. 5 – 9, 2016. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S096947651630193X

[122] J. Blasco, T. M. Chen, J. Tapiador, and P. Peris-Lopez, “A surveyof wearable biometric recognition systems,” ACM Comput. Surv.,vol. 49, no. 3, pp. 43:1–43:35, Sep. 2016. [Online]. Available:http://doi.acm.org/10.1145/2968215

[123] T. Kwon and J. Lee, “Practical digital signature generation usingbiometrics,” in Computational Science and Its Applications -ICCSA 2004, International Conference, Assisi, Italy, May 14-17,2004, Proceedings, Part I, 2004, pp. 728–737. [Online]. Available:https://doi.org/10.1007/978-3-540-24707-4 85

Documents

Security Vulnerabilities Against Biometric System 1 Security … · 2018-05-21 · Security Vulnerabilities Against Biometric System 2 In the enrollment phase, the system administrator