Planned intervention: On Thursday March 28th 07:00 UTC Zenodo will be unavailable for up to 5 minutes to perform a database upgrade.
Published September 15, 2016 | Version v1
Journal article Open

Practical security and privacy attacks against biometric hashing using sparse recovery

  • 1. Informatics and Information Security Research Center (BILGEM), The Scientific and Technological Research Council of Turkey (TUBITAK), Kocaeli, 41470, Turkey
  • 2. Faculty of Science and Natural Engineering, Sabanci University, Orhanli Tuzla, Istanbul, 34956, Turkey

Description

Biometric hashing is a cancelable biometric verification method that has received research interest recently. This method can be considered as a two-factor authentication method which combines a personal password (or secret key) with a biometric to obtain a secure binary template which is used for authentication. We present novel practical security and privacy attacks against biometric hashing when the attacker is assumed to know the user’s password in order to quantify the additional protection due to biometrics when the password is compromised. We present four methods that can reconstruct a biometric feature and/or the image from a hash and one method which can find the closest biometric data (i.e., face image) from a database. Two of the reconstruction methods are based on 1-bit compressed sensing signal reconstruction for which the data acquisition scenario is very similar to biometric hashing. Previous literature introduced simple attack methods, but we show that we can achieve higher level of security threats using compressed sensing recovery techniques. In addition, we present privacy attacks which reconstruct a biometric image which resembles the original image. We quantify the performance of the attacks using detection error tradeoff curves and equal error rates under advanced attack scenarios. We show that conventional biometric hashing methods suffer from high security and privacy leaks under practical attacks, and we believe more advanced hash generation methods are necessary to avoid these attacks.

Files

13634_2016_Article_396.pdf

Files (2.1 MB)

Name Size Download all
md5:4f8ac0ac4691c5b6747d539c8c882cd1
2.0 MB Preview Download
md5:6f78a669ab388e1765c7ceba9c99bc2f
11.2 kB Download

Additional details

Funding

BEAT – Biometrics Evaluation and Testing 284989
European Commission