Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Similar presentations


Presentation on theme: "Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES."— Presentation transcript:

1 Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES

2 u Fingerprint scanning u Iris scanning u Voice recognition Many types of biometric authentication... u Many others... u Face recognition u Body odor Authenticating...

3 A Comparison Among Biometric Architectures

4 Registration Template Alice

5 Template is stored

6 Authentication

7  ? It’s Alice!

8 The big questions u Where is the match performed? –Determines architecture u How is the template protected? –Critical because….

9 Limited password changes First password Second password

10 Templates represent intrinsic information about you Alice Theft of a template is theft of identity

11 An Important Note u Biometrics no more secure than PINs! –Static values –False acceptance rates imply, e.g., 1/100,000 security (i.e., perhaps 17 bits) u Thus, it is at present unwise to protect cryptographic systems with biometrics alone u Biometrics are a good second factor, i.e., PIN replacement

12 The Three Architectures: Server-side, Client-side, and On-device

13 Server-side matching Server Client

14 Server-side matching Server Client  “access granted”

15 Server-side matching: Drawbacks u Risk of template compromise en bloc –Hundreds of thousands of fingerprints make an excellent hacker target –Privacy, liability concerns considerable u Architecturally complex u Matching is CPU-intensive for server

16 Client-side matching Server  “It’s Alice!” “Hi, Alice!”

17 Client-side matching u Most convenient and simple to build u Fine for, e.g., locking desktop with screen saver u Not secure for remote authentication... client can be made to lie!

18 Client-side matching Server “It’s Alice!” “Hi, Alice!”

19 On-device matching SecurID

20 On-device matching  SecurID

21 On-device matching u On-device security provides full privacy and integrity u With smartcard, biometric unlocks card, thus no need for modification of client or server software But...

22 On-device matching u But Alice must always have her smart card with her -- portability lost u At present, true on-device match available only with expensive (i.e., $200) units u Most “on-card” matching systems process data on PC, reducing security

23 “Fuzzy Vault”: A New Architecture

24 “password” UNIX protection of passwords “password” h(“password”) “password”

25 Template protection? h( )

26 Fingerprint is variable u Differing angles of presentation u Differing amounts of pressure u Chapped skin  Don’t have exact key! So hashing won’t work...

27 We want “fuzzy” vault u Differing angles of presentation u Differing amounts of pressure u Chapped skin

28 We want “fuzzy” vault 

29 How do we do it? u Fuzzy vault is just a piece of encrypted data u Uses error-correcting codes –Technology used to eliminate “noise” in telecommunications, CD players, etc. u We make counterintuitive use of error- correcting codes –Jettison the message space!

30 What do we get? Fingerprint (features) not stored in clear

31 Fuzzy vault Vault can be stored in directory and unlocked on client Client Directory

32 Fuzzy vault: Caveats Basic fuzzy vault: u Does not achieve security of on-card matching u Not secure against Trojan horses u Still provides adequate security as second factor, e.g., PIN replacement

33 Fuzzy vault pros u Provable security characterization –Similar (dubious) schemes lack proofs u No need for biometric server u No need for smart card –Fuzzy vault can be placed on smart or dumb card for added flexibility, though u Can build secure readers without crypto u All the benefits of secure, client-side match!

34 When can I buy a fuzzy vault? u Fuzzy vault is a research concept u Validated in early prototype u Needs development on biometrics side u RSA Labs is looking for research partner

35 To learn more... u Fuzzy vault I -- Suitable for iris? –“A Fuzzy Commitment Scheme”, ACM CCS ‘99 –Joint work with Martin Wattenberg, IBM u Fuzzy vault II -- Suitable for fingerprints? –“A Fuzzy Vault Scheme”, ISIT ‘01 –Joint work with Madhu Sudan, MIT u Patents pending u Papers at u Ari Juels at


Download ppt "Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES."

Similar presentations


Ads by Google