Abstract
Public Key Infrastructure is a widely deployed security technology for handling key distribution and validation in computer security. Despite PKI’s popularity as a security solution, Phishing and other Man-in-the-Middle related attacks are accomplished with ease throughout our computer networks. The major problems with PKI come down to trust, and largely, how much faith we must place in cryptographic keys alone to establish authenticity and identity. In this chapter, we look at a novel biometric solution that mitigates this problem at both the user and certificate authority levels. More importantly, we analyze the problem of applying unprotected biometric features directly into PKI, and propose the integration of a secure, revocable biometric template protection technology that supports transactional key release. A detailed explanation of this new Biocryptographic Key Infrastructure is provided, including composition, enrollment, authentication, and revocation details. The BKI provides a new paradigm for blending elements of physical and virtual security to address network attacks that more conventional approaches have not been able to stop.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
The template described in [22] consists of a secret key + error correction θ ps XORed with shuffled biometric data θ canc, yielding θ lock. If an attacker knows θ ps, they can simply XOR it with θ lock, yielding θ canc, which can be used by the attacker to match from that point forward. This is a straightforward application of the SKI attack [32].
References
Adams C, Farrell S (1999) Internet X.509 public key infrastructure certificate management protocols. RFC 2510 (proposed standard). http://www.ietf.org/rfc/rfc2510.txt. Accessed 18 May 2011
Arndt C (2004) Biometric template revocation. In: Jain A, Ratha N (eds) Biometric Technology for Human Identification. Proceedings of the SPIE, vol 5404. SPIE, Bellingham, pp 164–175
Benavente O (2005) Authentication services and biometrics: network security issues. In: Proc of the 39th Annual International Carnahan Conference on Security Technology (CCST 2005), pp 333–336
BioAPI (2010) Business objectives and values. BioAPI consortium. http://www.bioapi.org/objectives.asp. Accessed 18 May 2011
BioLab (2006) FVC 2006: fingerprint verification competition. University of Bologna. http://bias.csr.unibo.it/fvc2006/databases.asp. Accessed 18 May 2011
Boeyen S, Hallam-Baker P (2006) Internet X.509 public key infrastructure repository locator service. RFC 4386 (proposed standard). http://www.ietf.org/rfc/rfc4386.txt. Accessed 18 May 2011
Boult T, Scheirer W, Woodworth R (2007) Secure revocable finger biotokens. In: Proc of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR 2007)
Boyen X, Dodis Y, Katz J, Ostrovsky R, Smith A (2005) Secure remote authentication using biometric data. In: Proc of EUROCRYPT, pp 147–163
Cappelli R, Lumini A, Maio D, Maltoni D (2007) Fingerprint image reconstruction from standard templates. IEEE Transactions on Pattern Analysis and Machine Intelligence 29(9):1489–1503
Chokhani S, Ford W, Sabett R, Merrill C, Wu S (2003) Internet X.509 public key infrastructure certificate policy and certification practices framework. RFC 3647 (proposed standard). http://www.ietf.org/rfc/rfc3647.txt. Accessed 18 May 2011
Cooper D, Santesson S, Farrell S, Boeyen S, Housley R, Polk W (2008) Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280 (proposed standard). http://www.ietf.org/rfc/rfc5280.txt. Accessed 18 May 2011
Dawson E, Lopez J, Montenegro J, Okamoto EB (2003) Biometric authentication and authorization infrastructure. In: Proc of the International Conference on Information Technology: Research and Education (ITRE 2003), pp 274–278
Dodis Y, Reyzin L, Smith A (2007) Fuzzy extractors. In: Tuyls P, Skoric B, Kevenaar T (eds) Security with Noisy Data: Private Biometrics, Secure Key Storage and Anti-counterfeiting. Springer, Berlin, pp 79–99. Chapter 5
East-Shore (2007) Fingerprint image database. East shore technologies. http://www.east-shore.com/data.html. Accessed 18 May 2011
Ellison C, Schneier B (2000) Ten risks of PKI: what you’re not being told about public key infrastructure. Journal of Computer Security 16(1):1–7
Gerck E (2000) Overview of certification systems: X.509, PKIX, CA, PGP and SKIP. Bell 1(3):8
Gutmann PPK (2002) It’s not dead, just resting. IEEE Computer 35(8):41–49
Haller N (1995) The S/KEY one-time password system. RFC 1760 (proposed standard). http://www.ietf.org/rfc/rfc1760.txt. Accessed 18 May 2011
Jain A, Nandakumar K, Nagar A (2008) Biometric template security. EURASIP Journal on Advances in Signal Processing
Juels A, Sudan M (2002) A fuzzy vault scheme. In: Proc of the IEEE International Symposium on Information Theory, p 408
Juels A, Wattenberg M (1999) A fuzzy commitment scheme. In: Proc of the 6th ACM Conference on Computer and Communications Security, pp 28–36
Kanade S, Petrovska-Delacrétaz D, Dorizzi B (2010) Generating and sharing biometrics based session keys for secure cryptographic applications. In: Proc of the IEEE Fourth International Conference on Biometrics: Theory, Applications, and Systems (BTAS 2010)
Krause M (2001) The expanding surveillance state: why Colorado should scrap the plan to map every driver’s face and should ban facial recognition in public. The Independence Institute. http://www.i2i.org/articles/8-2001.PDF. Accessed 18 May 2011
Kuhn D, Hu V, Polk W, Chang S (2001) Introduction to public key technology and the federal PKI infrastructure. National Institute of Standards and Technology, SP 800-32
Kwon T, Moon H (2005) Multi-modal biometrics with PKI technologies for border control applications. In: Intelligence and Security Informations. Lecture Notes in Computer Science, vol 3495, pp 99–114. Springer, Berlin
Martinez-Silva G, Henriquez F, Cortes N, Ertaul L (2007) On the generation of X.509v3 certificates with biometric information. In: Proc of the 2007 International Conference on Security and Management (SAM’07)
Neuman C, Yu T, Hartman S, Raeburn K (2005) The kerberos network authentication service (V5). RFC 4120 (proposed standard). http://www.ietf.org/rfc/rfc4120.txt. Accessed 18 May 2011
NIST (2011) National Institute of Standards and Technology NIST special database 29. Standard reference data. http://www.nist.gov/srd/nistsd29.cfm. Accessed 18 May 2011
Ratha N, Chikkerur S, Connell J, Bolle R (2007) Generating cancelable fingerprint templates. IEEE Transactions on Pattern Analysis and Machine Intelligence 29(4):561–572
Reinert L, Luther S (1997) User authentication techniques using using public key certificates, National Security Agency, Central Security Service
Schaad J (2005) Internet X.509 public key infrastructure certificate request message format (CRMF). RFC 4211 (proposed standard). http://www.ietf.org/rfc/rfc4211.txt. Accessed 18 May 2011
Scheirer W, Boult T (2007) Cracking fuzzy vaults and biometric encryption. In: Proc of the 2007 Biometrics Symposium, Held in Conjunction with the Biometrics Consortium Conference (BCC 2007), Baltimore, MD
Scheirer W, Boult T (2008) Bio-cryptographic protocols with bipartite biotokens. In: Proc of the IEEE 2008 Biometrics Symposium, Held in Conjunction with the Biometrics Consortium Conference
Scheirer W, Boult T (2009) Bipartite biotokens: definition, implementation, and analysis. In: Proc of the IEEE/IAPR International Conference on Biometrics, pp 775–785
Schneier B (1996) Applied Cryptography, 2nd edn. Wiley, New York
Sotirov A, Stevens M, Appelbaum J, Lenstra A, Molnar D, Osvik DA, de Weger B (2008) MD5 considered harmful today. HashClash project. http://www.win.tue.nl/hashclash/rogue-ca/. Accessed 18 May 2011
Stevens M, Sotirov A, Appelbaum J, Lenstra A, Molnar D, Osvik DA, de Weger B (2009) Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Proc of the International Cryptology Conference on Advances in Cryptology
Sutcu Y, Sencar T, Memon N (2005) A secure biometric authentication scheme based on robust hashing. In: Proc of the 7th ACM Workshop on Multimedia and Security (MM-Sect 2005)
Tang Q, Bringer J, Chabanne H, Pointcheval D (2008) A formal study of the privacy concerns in biometric-based remote authentication schemes. In: Proc of the Information Security Practice and Experience Conference
The Open Group (1999) Architecture for public-key infrastructure (APKI)
Ueshige Y, Sakurai K (2006) A proposal of one-time biometric authentication. In: Arabnia H, Aissi S (eds) Proc of the International Conference on Security and Management (SAM 2006)
Acknowledgements
This work was supported in part by NSF STTR Award Number 0750485 and NSF PFI Award Number 065025.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag London
About this chapter
Cite this chapter
Scheirer, W.J., Bishop, W., Boult, T.E. (2013). Beyond PKI: The Biocryptographic Key Infrastructure. In: Campisi, P. (eds) Security and Privacy in Biometrics. Springer, London. https://doi.org/10.1007/978-1-4471-5230-9_3
Download citation
DOI: https://doi.org/10.1007/978-1-4471-5230-9_3
Publisher Name: Springer, London
Print ISBN: 978-1-4471-5229-3
Online ISBN: 978-1-4471-5230-9
eBook Packages: Computer ScienceComputer Science (R0)