Abstract

Biometric data can be used as input for PKI key pair generation. The concept of not saving the private key is very appealing, but the implementation of such a system should not be rushed, because it might prove less secure than the current PKI infrastructure. One biometric characteristic can be easily spoofed, so it was believed that multi-modal biometrics would offer more security, because spoofing two or more biometrics would be very hard. This notion of increased security for multi-modal biometric systems has been disproved for authentication and matching: studies show that multi-modal biometric systems are not only no more secure, but also introduce additional vulnerabilities. This paper studies the implications of spoofing biometric data for retrieving the derived key. We demonstrate that spoofed biometrics can yield the same key, which in turn lets an attacker obtain the private key. A practical implementation is proposed using fingerprint and iris as biometrics and a fuzzy extractor for biometric key extraction. Our experiments show what happens when the biometric data is spoofed, for both uni-modal and multi-modal systems. In the multi-modal case, tests were performed when spoofing one biometric or both. We provide a detailed analysis of every scenario with regard to successful tests and overall key entropy. Our paper defines a biometric PKI scenario and an in-depth security analysis for it. The analysis can be viewed as a blueprint for implementations of future similar systems, because it highlights the main security vulnerabilities of bioPKI. The analysis is not constrained to the biometric part of the system, but covers CA security, sensor security, communication interception, RSA encryption vulnerabilities regarding key entropy, and much more.
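To make the key-derivation step concrete, here is an added toy fuzzy extractor (the code-offset construction over a 3-bit repetition code); it is not code from the paper, and the 12-bit template, the chosen flip positions and the use of SHA-256 in place of a seeded strong extractor are assumptions. It shows why a spoofed reading that lands within the error tolerance of the enrolled one reproduces exactly the same key: the extractor corrects noise and has no way to tell a spoof from a genuine finger or iris, so liveness detection must happen at the sensor.

```python
import hashlib
import os

# Toy fuzzy extractor: code-offset construction with a 3-bit repetition code.
# A reading is a bit list (length a multiple of BLOCK); each block tolerates one flip.
BLOCK = 3

def _encode(msg_bits):
    # Repetition code: every message bit becomes BLOCK identical bits.
    return [b for b in msg_bits for _ in range(BLOCK)]

def _decode(code_bits):
    # Majority vote per block corrects up to one error in each block.
    return [int(sum(code_bits[i:i + BLOCK]) > BLOCK // 2)
            for i in range(0, len(code_bits), BLOCK)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(msg_bits):
    # Key from the recovered codeword; SHA-256 stands in (assumption) for
    # the seeded strong extractor of a real fuzzy extractor.
    return hashlib.sha256(bytes(msg_bits)).hexdigest()

def gen(w):
    """Enrollment: returns (key, helper). Only the helper is stored."""
    assert len(w) % BLOCK == 0
    msg = [b & 1 for b in os.urandom(len(w) // BLOCK)]
    return _extract(msg), _xor(w, _encode(msg))

def rep(w_prime, helper):
    """Reproduction: recover the key from a fresh reading and the helper."""
    return _extract(_decode(_xor(w_prime, helper)))

def flip(bits, positions):
    # Constructed sensor noise or spoof error: flip the given bit positions.
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

# Constructed 12-bit enrollment template standing in for a feature vector.
ENROLL = [1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1]

def demo():
    key, helper = gen(ENROLL)
    genuine = flip(ENROLL, [0, 4])   # one flip per block: a genuine re-scan
    spoof = flip(ENROLL, [2, 7, 9])  # also within tolerance: a close spoof
    far = flip(ENROLL, [0, 1])       # two flips in one block: key not reproduced
    return {"genuine": rep(genuine, helper) == key,
            "spoof": rep(spoof, helper) == key,
            "far": rep(far, helper) == key}
```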

Highlights

  • We are connecting an increasing amount of user devices to the Internet, driven by the concept of Internet-of-Things and Machine-to-Machine communications [1]

  • A problem with Biometric PKI (bioPKI) is the ease of capturing biometric data without user knowledge

  • This paper proposes a bioPKI system where the private key is never stored and is derived from the user’s biometrics


Summary

Introduction

We are connecting an increasing amount of user devices to the Internet, driven by the concept of Internet-of-Things and Machine-to-Machine communications [1]. Studies [7,8] have shown that biometric data can be reconstructed from a stored template, so a database breach could compromise the biometric characteristics of many users. The biometric template is bound by an encryption key and stored in the database. Some authors proposed the implementation of a distributed infrastructure to store the private key on multiple devices [18], but the user is still. The use of multi-modal biometrics might be necessary because it might offer better security and key entropy. The main contributions of our paper are proving that an attacker can use spoofed biometrics to retrieve the private key, and an in-depth security analysis of the current vulnerabilities of bioPKI.

Literature Review
System Implementation Details
Fingerprint Feature Extraction
Iris Feature Extraction
Extraction of Biometric Key
Experiments and Results
Fingerprints
Multi-Biometrics
Security Analysis
Smartphone Application Security
Liveness Detection
Which Biometrics to Use
Which Fusion Method to Use
No Access to Private Key
Conclusions