1. 1 Design and Implementation for Secure Embedded Biometric Authentication Systems Shenglin Yang Advisor: Ingrid Verbauwhede Electrical Engineering Department University of California, Los Angeles

2. 2 Personal Authentication Systems Biometrics Select Authenticator SecurityEmbedded Software Optimization Hardware Acceleration Memory Management Oracle-based Design Crypto- Biometrics Micro-coded Coprocessor Secure Embedded Biometric Authentication Device

3. 3 Outline Motivation and challenges Secure biometric matching techniques –Secure partitioning –Cryptographic Biometrics Fuzzy vault based fingerprint verification Micro-coded coprocessor implementation Secure iris verification Conclusions

4. 4 Biometrics UniqueNo token needed No memorize needed For mobile biometric authentication system, the template is stored on the embedded device. more resource-constrained more vulnerable Motivation and challenges Biometrics provide a more secure and convenient way for personal authentication

5. 5 Security Challenges Protocol Algorithm Architecture (Embedded SW) Circuit Micro-Architecture Traditional attacks Channel Stack/Memory Bus Side channel attacks Timing Power EMI Mobile devices are more accessible, which means that they are more vulnerable too! Attacks on communication channels, stack/memory, and bus … Side Channel Attacks (SCA) on mobile devices

6. 6 Personal Authentication Systems Biometrics Select Authenticator SecurityEmbedded Software Optimization Hardware Acceleration Memory Management Oracle-based Design Crypto- Biometrics Micro-coded Coprocessor Secure Embedded Biometric Authentication Device

7. 7 Logic Level Solution 0-1 Transition 1-0 Transition SCA based on Differential Power Analysis: Asymmetric power consumption in standard CMOS Obtain the secret key of an encryption system using the power variations Unprotected AES cracked under 3 min. Solution: special logic (WDDL) Exactly one charging event per cycle Charge capacitance is constant for different outputs Tiri, K. and Verbauwhede, I., Security encryption algorithms against DPA at the logic level: next generation smart card technology, Workshop on Cryptographic Hardware and Embedded Systems (Lecture Notes Computer Science Vol.2779), Sept. 2003, pp 125-136, Cologne, Germany.

8. 8 Security Partitioning Security comes with penalty : larger chip size Only the sensitive template and the corresponding processes need to be protected. Matching Algorithm Minutiae Extraction Secret Key Load Bogus Load Key Template Crypto Module Unprotected Protected

9. 9 Secure Matching Input (Unsecure)Template (Secure) Unprotected software Protected oracle Query Response For each input minutiae pair I For each template minutiae pair T if (I=T) matching_count++ If matching_count >N return TRUE else return FALSE Results: 1% FRR and <0.01% FAR

10. 10 Personal Authentication Systems Biometrics Select Authenticator SecurityEmbedded Software Optimization Hardware Acceleration Memory Management Oracle-based Design Crypto- Biometrics Micro-coded Coprocessor Secure Embedded Biometric Authentication Device

11. 11 Cryptographic Biometrics Noninvertible transformed version of template Fuzzy vault scheme Ref: Juels, A. and Sudan, M., “A fuzzy vault scheme,” Proceedings 2002 IEEE International Symposium on Information Theory, 2002, pp.408. Piscataway, NJ. Alice List of favorite movies (KEY) Bob List of favorite movies (KEY’) Telephone Num Cipher Text If KEY and KEY’ are similar enough, Bob can extract the Telephone number of Alice from the cipher text

12. 12 Fingerprint Vault Biometrics, such as fingerprint, can act as the KEY in the fuzzy vault scheme p(x) Minutiae Template Fuzzy Vault Add Noise Matching PIN PIN OK? ThumbPod Minutiae Input Lock set Minutiae Template Fuzzy Vault Encode (GF) Add Noise Matching PIN PIN OK? ThumbPod Minutiae Input Lock set p(x)

13. 13 Effect of Shifting and Rotation (a) (b) (a) and (b) are two prints from a same finger; (c) is the positions of the features. (c)

14. 14 Feature Alignment Overlap of four minutiae feature sets aligned based on a well-selected reference point

15. 15 Experimental Results (1) Unlock complexity varies according to the degree of polynomial for different size of impostor set. Size of unlock set / Degree of polynomial Log complexity (log2)

16. 16 verification accuracy varies along with polynomial degrees for difference size of the impostor set. Experimental Results (2) Size of unlock set / Degree of polynomial Error rate

17. 17 Experimental Results (3) The influence of the polynomial degree and the chaff set size on the system performance (Complexity-Accuracy Factor) Size of unlock set / polynomial degree Complexity-Accuracy Factor

18. 18 Personal Authentication Systems Biometrics Select Authenticator SecurityEmbedded Software Optimization Hardware Acceleration Memory Management Oracle-based Design Crypto- Biometrics Micro-coded Coprocessor Secure Embedded Biometric Authentication Device

19. 19 Implementation Approaches Embedded Application CPU DSPASIP Micro-coded Design ASIC Standard Instruction Set Architecture Specialized Instruction Set Architecture Custom Instruction Set Architecture Custom Micro- architecture Custom Circuit

20. 20 RNG IO ARM TRI GFMTRIDAGRAMALURF MICROCODE ROM PC Z IR DECODER Controller MEM Architecture A 16-bit microcoded coprocessor, FV16, is design to implement the fuzzy vault algorithm

21. 21 Performance Comparison Taking advantage of the special function blocks, the execution time is significantly reduced –GFM: 14 times –RNG: 162 times –TRI: 82 times

22. 22 Human Iris Iris iris forms during gestation and remains the same for the rest of one’s life iris is unique for individuals it is well protected and extremely difficult to be modified Sclera Pupil

23. 23 Iris Feature Extraction Segmentation Detect iris boundary Detect pupil boundary Isolate eyelid & eyelash Normalization (Daugman’s rubber sheet model) r r   Feature Coding

24. 24 Feature Coding r 2D signal 1D Gabor filter Real response Imaginary response Phase quantizationIris template Feature Coding 1D signal Position Intensity 

25. 25 Template-Protect Verification ENC Secret data generation Hash Recovering the random bit stream Storage Comparing Iris feature Input iris feature Enrollment Verification Result W Hash W S’ C S (1023,46,219) BCH

26. 26 Two-Segment Algorithm Feature extraction Reliable bits selection Select flag Reliable bits (Z) RNG S Storage F C Division Z 1 Z 2 Input Reliable bits selection F Division W 1 W2W2 W1W1 W2W2 DEC Hash Storage Compare Decision Y/N HsHs (H s ) 1 HsHs (H s ) 2 R1R1 R2R2 Z1Z1 Z2Z2 S1S1 S2S2 ENC Hash

27. 27 Verification Performance All feature bits are used for verification Reliable feature bits are used for verification (a) (b)

28. 28 Performance vs Reliable Bits Sizes(1) 0.40.50.60.70.80.91 Threshold Error rate FRR FAR Desired verification threshold 1460 reliable bits

29. 29 1096 reliable bits 0 0.2 0.4 0.6 0.8 1 00.10.20.30.40.50.60.70.80.91 Threshold Error rate FRR FAR Desired verification threshold Performance vs Reliable Bits Sizes(2)

30. 30 974 reliable bits Performance vs Reliable Bits Sizes(3) 0 0.2 0.4 0.6 0.8 1 00.10.20.30.40.50.60.70.80.91 Threshold Error rate FRR FAR Desired verification threshold

31. 31 Performance Comparison The iris verification system based on 1096 reliable bits achieves the best performance

32. 32 Conclusions An efficient secure embedded fingerprint authentication system is designed and implemented. System security for biometric authentication systems is addressed from two levels: Logic level and algorithm level. –Security partitioning based fingerprint matching algorithm is proposed –Fuzzy vault based fingerprint matching is designed and implemented using microcoded coprocessor –Template-protected iris verification is proposed

33. 33 Selected Publications Yang, S., Sakiyama, K., and Verbauwhede, I., “Efficient and Secure Fingerprint Verification for Embedded Devices,” EURASIP Journal on Applied Signal Processing, vol.2006, no.3, pp. 11, 2006. Yang, S., Schaumont, P., and Verbauwhede, I., “Microcoded Coprocessor for Embedded Secure Biometric Authentication Systems,” Proc. IEEE/ACM/IFIP International Conference on Hardware - Software Codesign and System Synthesis, pp. 130-135, September. 2005. Yang, S. and Verbauwhede, I., “Automatic Secure Fingerprint Verification System Based on Fuzzy Vault Scheme,” Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing, pp. 609-612, March 2005. Yang, S. and Verbauwhede, I., “Secure Fuzzy Vault Based Fingerprint Verification System,” Proc. 38th IEEE Asilomar Conference on Signals, Systems, and Computers, Vol. 1, pp. 577-581, November 2004. Yang, S. and Verbauwhede, I., “Methodology for Memory Analysis and Optimization in Embedded Systems,” Proc. GSPx Embedded Signal Processing Conference, pp. 1-6, September 2004. Yang, S. and Verbauwhede, I., “A Realtime, Memory Efficient Fingerprint Verification System,” Proc. IEEE International Conference on Acoustics, Speech, and Signal Processing, pp. 189-192, May 2004. Yang, S. and Verbauwhede, I., “A Secure Fingerprint Matching Technique,” Proc. ACM Workshop on Biometrics: Methods and Applications, pp.89-94, November 2003. Yang, S., Sakiyama, K., and Verbauwhede, I., “A Compact and Efficient Fingerprint Verification System for Secure Embedded Systems,” Proc. 37th IEEE Asilomar Conference on Signals, Systems, and Computers, pp. 2058-2062, November 2003.

34. 34 Thank You!