Design and Implementation for Secure Embedded Biometric Authentication Systems

Shenglin Yang
Advisor: Ingrid Verbauwhede
Electrical Engineering Department
University of California, Los Angeles

Post on 15-Dec-2015


2

Personal Authentication Systems

Roadmap diagram labels: Select Authenticator; Biometrics; Security; Embedded; Software Optimization; Hardware Acceleration; Memory Management; Oracle-based Design; Crypto-Biometrics; Micro-coded Coprocessor; Secure Embedded Biometric Authentication Device.

3

Outline

• Motivation and challenges
• Secure biometric matching techniques
  – Secure partitioning
  – Cryptographic Biometrics
• Fuzzy vault based fingerprint verification
• Micro-coded coprocessor implementation
• Secure iris verification
• Conclusions

4

Motivation and challenges

Biometrics provide a more secure and convenient way for personal authentication:
• Unique
• No token needed
• No memorization needed

For mobile biometric authentication systems, the template is stored on the embedded device, which is:
• more resource-constrained
• more vulnerable

5

Security Challenges

Mobile devices are more accessible, which means that they are more vulnerable too!

• Attacks on communication channels, stack/memory, and bus …
• Side Channel Attacks (SCA) on mobile devices

Diagram labels: Protocol, Algorithm, Architecture (Embedded SW), Micro-Architecture, Circuit.
Traditional attacks: Channel, Stack/Memory, Bus.
Side channel attacks: Timing, Power, EMI.

7

Logic Level Solution

SCA based on Differential Power Analysis:
• Asymmetric power consumption in standard CMOS (figure labels: 0-1 Transition, 1-0 Transition)
• Obtain the secret key of an encryption system using the power variations
• Unprotected AES cracked under 3 min.

Solution: special logic (WDDL)
• Exactly one charging event per cycle
• Charge capacitance is constant for different outputs

Tiri, K. and Verbauwhede, I., Securing encryption algorithms against DPA at the logic level: next generation smart card technology, Workshop on Cryptographic Hardware and Embedded Systems (Lecture Notes in Computer Science Vol. 2779), Sept. 2003, pp. 125-136, Cologne, Germany.

8

Security Partitioning

• Security comes with a penalty: larger chip size
• Only the sensitive template and the corresponding processes need to be protected.

Diagram labels: Unprotected; Protected; Minutiae Extraction; Matching Algorithm; Template; Secret Key; Crypto Module; Load Key; Load Bogus.

9

Secure Matching

Diagram labels: Input (Unsecure); Template (Secure); Unprotected software; Protected oracle; Query; Response.

For each input minutiae pair I
    For each template minutiae pair T
        if (I=T) matching_count++

If matching_count > N return TRUE
else return FALSE

Results: 1% FRR and <0.01% FAR

11

Cryptographic Biometrics

• Noninvertible transformed version of template
• Fuzzy vault scheme

Ref: Juels, A. and Sudan, M., “A fuzzy vault scheme,” Proceedings 2002 IEEE International Symposium on Information Theory, 2002, pp. 408. Piscataway, NJ.

Diagram labels: Alice, List of favorite movies (KEY); Bob, List of favorite movies (KEY’); Telephone Num; CipherText.

If KEY and KEY’ are similar enough, Bob can extract the Telephone number of Alice from the cipher text

12

Fingerprint Vault

• Biometrics, such as fingerprint, can act as the KEY in the fuzzy vault scheme

Diagram labels (ThumbPod): PIN; Encode (GF); p(x); Minutiae Template; Add Noise; Fuzzy Vault; Lock set; Minutiae Input; Matching; PIN; PIN OK?

13

Effect of Shifting and Rotation

Figure: (a) and (b) are two prints from the same finger; (c) shows the positions of the features.

14

Feature Alignment


212121 ,,,,, ddM

Overlap of four minutiae feature sets aligned based on a well-selected reference point

15

Experimental Results (1)

• Unlock complexity varies with the degree of the polynomial for different sizes of the impostor set.

Figure axes: Size of unlock set / Degree of polynomial (x); Log complexity (log2) (y).

16

Experimental Results (2)

• Verification accuracy varies with the polynomial degree for different sizes of the impostor set.

Figure axes: Size of unlock set / Degree of polynomial (x); Error rate (y).

17

Experimental Results (3)

• The influence of the polynomial degree and the chaff set size on the system performance (Complexity-Accuracy Factor)

CER THCTHERM 1

Figure axes: Size of unlock set / polynomial degree (x); Complexity-Accuracy Factor (y).

19

Implementation Approaches

Embedded Application:
• CPU: Standard Instruction Set Architecture
• DSP: Specialized Instruction Set Architecture
• ASIP: Custom Instruction Set Architecture
• Micro-coded Design: Custom Micro-architecture
• ASIC: Custom Circuit

20

Architecture

A 16-bit microcoded coprocessor, FV16, is designed to implement the fuzzy vault algorithm.

Block diagram labels: ARM; IO; MEM; RNG; TRI; GFM; DAG; RAM; ALU; RF; MICROCODE ROM; PC; Z; IR; DECODER; Controller.

21

Performance Comparison

• Taking advantage of the special function blocks, the execution time is significantly reduced
  – GFM: 14 times
  – RNG: 162 times
  – TRI: 82 times

22

Human Iris

• The iris forms during gestation and remains the same for the rest of one’s life
• The iris is unique for individuals
• It is well protected and extremely difficult to modify

Figure labels: Iris; Sclera; Pupil.

23

Iris Feature Extraction

• Segmentation
  – Detect iris boundary
  – Detect pupil boundary
  – Isolate eyelid & eyelash
• Normalization (Daugman’s rubber sheet model)
• Feature Coding

24

Feature Coding

Diagram labels: 2D signal; 1D signal; 1D Gabor filter; Real response; Imaginary response; Phase quantization; Iris template.
Plot axes: Position; Intensity.

25

Template-Protect Verification

Diagram labels: Enrollment; Verification; Iris feature; Input iris feature; Secret data generation; ENC; Hash; Storage; Recovering the random bit stream; Comparing; Result.
Signals: S; C; W; S’.
Code: (1023,46,219) BCH
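The labels on this slide (a random secret S, ENC, helper data W, Hash, a recovered S’) are consistent with a fuzzy-commitment style scheme. Assuming that flow, here is an added Python sketch that is not code from the slides: a 5x repetition code stands in for the (1023,46,219) BCH code, SHA-256 for the hash, and all names and the 40-bit iris code are constructed.

```python
import hashlib
import secrets

REP = 5  # repetition factor; assumption standing in for the (1023,46,219) BCH code

def enc(bits):
    """Repetition encoder: each secret bit is repeated REP times."""
    return [b for b in bits for _ in range(REP)]

def dec(code):
    """Majority-vote decoder: corrects up to REP // 2 flipped bits per block."""
    return [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]

def h(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(iris_bits, secret_bits=None):
    """Return what is stored: W = ENC(S) xor iris and Hash(S). S itself is not kept."""
    n = len(iris_bits) // REP
    s = secret_bits or [secrets.randbelow(2) for _ in range(n)]
    w = [ci ^ xi for ci, xi in zip(enc(s), iris_bits)]
    return w, h(s)

def verify(w, hs, input_bits):
    """Recover S' = DEC(W xor input) and compare Hash(S') with the stored hash."""
    s_prime = dec([wi ^ xi for wi, xi in zip(w, input_bits)])
    return secrets.compare_digest(h(s_prime), hs)

def flip(bits, positions):
    """Simulate acquisition noise by inverting the bits at the given indices."""
    return [b ^ (i in positions) for i, b in enumerate(bits)]

# Constructed 40-bit stand-in for an iris feature vector.
ENROLLED = [int(b) for b in format(0xB34E5C93A6, "040b")]
```

A fresh reading verifies as long as its bit errors stay within the code's correction capacity, and storage holds neither the iris code nor S in the clear.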

26

Two-Segment Algorithm

Diagram labels: Feature extraction; Reliable bits selection; Select flag; Reliable bits (Z); F; Division; Z1; Z2; RNG; S; S1; S2; ENC; C; W1; W2; DEC; R1; R2; Hash; Hs; (Hs)1; (Hs)2; Storage; Input; Compare; Decision (Y/N).

27

Verification Performance

Figure (a): All feature bits are used for verification.
Figure (b): Reliable feature bits are used for verification.
Each panel plots probability against Hamming distance for the intra-class and inter-class distributions.

28

Performance vs Reliable Bits Sizes (1)

Figure: error rate (FRR and FAR) versus threshold for 1460 reliable bits, with the desired verification threshold marked.

29

Performance vs Reliable Bits Sizes (2)

Figure: error rate (FRR and FAR) versus threshold for 1096 reliable bits, with the desired verification threshold marked.

30

Performance vs Reliable Bits Sizes (3)

Figure: error rate (FRR and FAR) versus threshold for 974 reliable bits, with the desired verification threshold marked.

31

Performance Comparison

Reliable bits size   Desired threshold   FRR     FAR
1460                 30.0%               14.7%   0.0%
1096                 40.0%               0.8%    0.0%
974                  45.0%               1.6%    23.0%

The iris verification system based on 1096 reliable bits achieves the best performance

32

Conclusions

• An efficient secure embedded fingerprint authentication system is designed and implemented.
• System security for biometric authentication systems is addressed from two levels: logic level and algorithm level.
  – Security partitioning based fingerprint matching algorithm is proposed
  – Fuzzy vault based fingerprint matching is designed and implemented using microcoded coprocessor
  – Template-protected iris verification is proposed

33

Selected Publications

Yang, S., Sakiyama, K., and Verbauwhede, I., “Efficient and Secure Fingerprint Verification for Embedded Devices,” EURASIP Journal on Applied Signal Processing, vol. 2006, no. 3, pp. 11, 2006.

Yang, S., Schaumont, P., and Verbauwhede, I., “Microcoded Coprocessor for Embedded Secure Biometric Authentication Systems,” Proc. IEEE/ACM/IFIP International Conference on Hardware - Software Codesign and System Synthesis, pp. 130-135, September 2005.

Yang, S. and Verbauwhede, I., “Automatic Secure Fingerprint Verification System Based on Fuzzy Vault Scheme,” Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing, pp. 609-612, March 2005.

Yang, S. and Verbauwhede, I., “Secure Fuzzy Vault Based Fingerprint Verification System,” Proc. 38th IEEE Asilomar Conference on Signals, Systems, and Computers, Vol. 1, pp. 577-581, November 2004.

Yang, S. and Verbauwhede, I., “Methodology for Memory Analysis and Optimization in Embedded Systems,” Proc. GSPx Embedded Signal Processing Conference, pp. 1-6, September 2004.

Yang, S. and Verbauwhede, I., “A Realtime, Memory Efficient Fingerprint Verification System,” Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing, pp. 189-192, May 2004.

Yang, S. and Verbauwhede, I., “A Secure Fingerprint Matching Technique,” Proc. ACM Workshop on Biometrics: Methods and Applications, pp.89-94, November 2003.

Yang, S., Sakiyama, K., and Verbauwhede, I., “A Compact and Efficient Fingerprint Verification System for Secure Embedded Systems,” Proc. 37th IEEE Asilomar Conference on Signals, Systems, and Computers, pp. 2058-2062, November 2003.

34

Thank You!