A Modified Fuzzy Vault Scheme for Biometrics-Based ...

4 downloads 0 Views 332KB Size Report
Abstract—The fuzzy vault scheme, which has been most widely used in biometric systems, has some weaknesses while applied in securing Body Sensor ...
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

A Modified Fuzzy Vault Scheme for Biometricsbased Body Sensor Networks Security Fen Miao, Shu-Di Bao, Ye Li Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China Abstract—The fuzzy vault scheme, which has been most widely used in biometric systems, has some weaknesses while applied in securing Body Sensor Network (BSN) communications. This is mainly because of the dynamic random characteristics of biometric identifiers independently generated by sensor nodes based on self-captured physiological signals. A modified fuzzy vault scheme is proposed to overcome this problem, aiming for a significant reduction in recognition errors. Error-correction encoding/decoding process is deployed in a way different from the existing ones at the transmitter/receiver to reduce the effect of bit differences in dynamic random patterns between biometric identifiers. An enveloping process is further deployed before the projection of real points onto the keying material constructed polynomial to protect the real points from being revealed by various potential attacks. This enveloping process can also be deployed in the traditional fuzzy vault scheme to prevent the known attacks based on statistical analysis of points in the vault. A detailed performance analysis in terms of False Acceptance Rate (FAR) and False Rejection Rate (FRR), as well as antiattack capability was conducted to demonstrate the effectiveness of our solution.

fuzzy methods [4-5] were deployed for an increased tolerance in acceptable differences. Juels and Sudan [5] proposed the fuzzy vault scheme that operates in the key binding mode and, can compensate for intra-class variations in the biometric data. The fuzzy vault scheme offers attractive properties in terms of security, changeable key, and flexibility, and thus has been a good candidate for biometrics based cryptographic systems. Researchers have attempted to implement it in, for example, fingerprint, face, and Iris biometric system [6-8]. Though the fuzzy vault was also adopted in biometrics based BSN security in [9-11], it is noted that the scheme is not good enough to achieve stable performance due to dynamic random patterns in bit difference between such generated biometric identifiers. The error-correction code involved in the existing fuzzy vault scheme takes effects only after the receiver reconstructs the polynomial coefficients, which thus has little effect on increasing the tolerance in bit differences between biometric identifiers. In addition, the existing fuzzy vault scheme is also lacks protection from the known attacks based on statistical performance of real points in the vault [12].

Keywords- Biometrics; Fuzzy Vault; Reed-Salomon; Polynomial Construct

This paper focuses on solving the weakness of fuzzy vault scheme for its usage in securing BSN communications. Errorcorrection code is proposed to be used in a different way from the existing ones to reduce the effect of bit differences in dynamic random patterns between biometric identifiers. An enveloping process before the projection of real points onto the keying material constructed polynomial is introduced to protect the real points from being revealed. The vault contains a transformed version while not the exact copy of biometric identifier to prevent eavesdropping attacks. The enveloping process can also protect the existing fuzzy vault scheme from being attacked by statistical analysis of points in the vault. The analyses of anti-attack capability and recognition performance in terms of False Acceptance Rate (FAR) and False Rejection Rate (FRR) are conducted to demonstrate the effectiveness of the proposed solution.

I.

INTRODUCTION

BODY sensor network (BSN), which has great potential in being the main front-end platform of telemedicine and mobile health systems, is currently being heavily developed to keep pace with the continuously rising demand for personalized healthcare. Due to significant legal, financial, privacy, and safety implications in its applications, the fundamental requirements of privacy, confidentiality, authentication, authorization, and integrity have to be fulfilled for BSN. Because of stringently limited processing power, memory, and energy, as well as lack of user interface, unskilled users, longevity of devices, and global roaming, a novel lightweight and resource-efficient biometrics-based security method was proposed for BSN [1-3]. It is based on the idea that biometrics generated simultaneously from the same subject are with high similarity, while those generated non-simultaneously or from different subjects are with significant dissimilarity. The timing information of heartbeats was adopted as biometric trait due to its chaotic nature, which can ensure the dynamic random performance of the generated biometric identifiers. Building upon this initial idea, the authors in [2-3] proposed to use Inter-Pulse-Interval (IPI) to secure the transmission of keying materials. Since the biometric traits captured simultaneously at different parts of the same subject have slight differences,

The remainder of this paper is organized as follows. In section II, the background including the generation process of the IPI based biometric identifier, the fuzzy vault scheme and random number generation is briefly described. Section III gives the details of the proposed modified fuzzy vault implementation in BSN. Performance study in terms of FAR/FRR as well as anti-attack capability analysis is conducted in section IV. Finally, conclusions and future work are summarized in section V.

This research was supported in part by the National S&T Major Project of China (Grant No. 2009ZX03006-001-01) and Guangdong S&T Major Project of China (Grant No. 2009A080207002).

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

II.

BACKGROUND

A. Biometric Identifier Generation based on IPI In order to secure BSN communications, the biometric identifiers should be time variable with a property of randomness, such that different biometric identifiers can be issued for securing different applications to achieve uncompromised security. IPI is one of the most common biometric traits applied in BSN security. There are two advantages of using IPI. Firstly, it can be derived from multiple physiological signals such as electrocardiograph (ECG) and photoplethysmograph (PPG) by measuring the time difference between the peaks in the signals. Secondly, it has been demonstrated that biometric identifiers generated from a series of IPI values pass the selected randomness tests from the National Institute of Standards and Technology (NIST) standards, and thus show an acceptable degree of randomness [3]. Biometric identifier generation process is based on the solution presented in [3]. B. Traditional Fuzzy Vault Scheme [5]

T ′ at its own end. It reconstructs the vault based on the following steps. Step 1: Project its own real points set to the vault and search for matchings. The candidate point set is then collected. Step 2: The polynomial is reconstructed based on the candidate set using Lagrange theorem. The binary formatted coefficients of the reconstructed polynomial are then concatenated in the same order to generate K er ′ . Step 3: An error-correction decoding process is deployed on K er ′ to derive Key. Building upon the fuzzy vault, the receiver can derive the secret key of the transmitter if T ′ and T are with high similarity.

C. Random Number Generation based on Physiological Signal Since biosensors on or implanted in the human body have the basic function of detecting and recording time-variant physiological signals, it is possible to generate high performance random sequences due to the chaotic property of those signals. An efficient random number generator based on detected signals is presented in [13]. It is shown through the NIST randomness tests that the generated binary sequences have a property of randomness. Such generated binary sequences are made use of in the proposed fuzzy vault scheme. III.

PROPOSED FUZZY VAULT IMPLEMENTATION

In this section, the modified fuzzy vault implementation, including the vault encoding and decoding processes, is detailed.

A. Vault Encoding Fig. 2 shows the block diagram of the proposed modified fuzzy vault encoding scheme. The vault is encoded as follows. Fig.1 Block diagram of traditional fuzzy vault scheme

Real points generation: The feature points are derived by segmenting the biometric identifier generated into several sections each with the length of i. Each feature point can be described as follows: i (1) b j = {0,1}

The block diagram of traditional fuzzy vault scheme is presented in Fig.1. Suppose the transmitter aims to lock the secret Key under the real points set T . It constructs the vault based on the following steps. Step1: An error-correction encoding process is deployed on Key to generate Ker .

where b j ∈ {0,2i − 1}(1 ≤ j ≤ N ) ,

Step2: Create a polynomial by segmenting Ker as its coefficients with the form of Ker = cm −1 | cm − 2 | " | c0 , where

points in the vault. It is noted that the feature points are all sequential ordered according to our method.

m is the degree of the polynomial. Step3: Project each real point onto the polynomial to generate real points set G, so that Ker is bound with the real points set T through the polynomial. Step4: Randomly create chaff points set C , and ensure that each pair in the set does not lay on the polynomial. Step5: The final vault V is constructed by taking the union of the two sets, i.e. G ∪ C , and pass through a scrambler so that it is difficult to distinguish real points from chaff points. Once received the vault, the receiver tries to reconstruct the polynomial through a matching process on the vault based on

i can be defined based on the

vault size. The form of the real points set in vault can be expressed as T = {b j }N , where N is the number of feature j =1

Polynomial Construct: Once the real points set is generated, the transmitter constructs an m degree polynomial with the 0 m−1 m −2 , where p ( x) = cm−1x + cm−2 x + " + c0 x α ci ∈ {0, 2 − 1}(0 ≤ i ≤ m − 1) is the coefficients of the polynomial, α is relevant to the cryptographic key Key , l Key ∈ {0,1} . The coefficients compose the secret key by

form

concatenating

together

with

the

form

of

Key = cm −1 | cm − 2 | " | c0 . The length of Key l is relevant to

the degree m and the length of each coefficient of the

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

Fig. 2. Proposed implementation of vault encoding at the transmitter

Fig. 3. Proposed implementation of vault decoding at the receiver

polynomial

α

with the form of l = m × α .

Error-correction encoding: The security of traditional fuzzy vault scheme will be influenced due to the dynamic random patterns between biometric identifiers generated from IPI, especially for the bit differences between biometric identifiers. An Error-correction encoding process, such as with the ReedSalomon (RS) or Golay code, is firstly deployed on each real point to generate redundancy set b j (1 ≤ j ≤ N ) 2t u j = {0,1} (1 ≤ j ≤ N ) , where t is the number of errors can be

corrected. It is noted that the error-correction code selected should be a linear block codes in order to ensure the certainty of the location of redundancy bit. The redundancy points set N U = {u j } j =1 is produced after the error-correction encoding

process on each real point. Enveloping process of real points: In order to resolve the security potentials brought about by U and prevent the attack of the vault based on the statistical property of real points, an enveloping algorithm, which is based on the random sequence generated from the physiological signal described in section II, should be adopted. The binary random sequence is segmented into several sections with the form of R = {r j }N , where j =1

i r j ∈ {0,1} (1 ≤ j ≤ N ) , R can be public, then the real points N {b j } j=1 XOR with {r j }N one by one with binary mode to j=1

generate {d j }N = {b j ⊕ r j }N . j =1 j =1

the form C = {cf k , ck }kM=1 , where cf ≠ d j (1 ≤ j ≤ N ) , k c ≠ p cf , M is the number of the chaff points. Combined k

( k)

with redundancy points set U and the message authentication code hash(key), the vault is constructed with the form of V = G ∪ C ∪ hash( Key ) ∪ U , where hash(key) is used to verify the cryptographic key Key .

B. Vault Decoding Fig. 3 shows the block diagram of the proposed modified fuzzy vault decoding scheme. Once received the vault, the receiver decodes it as follows. Real points generation: The biometric identifier generation process of receiver is the same as the transmitter, we first obtain the real points set T ′ = {b′j }N , where j =1 i b′j ∈ {0,1} (1 ≤ j ≤ N ) is derived as the same process of the

transmitter, N is the number of feature points in T ′ . Error-correction decoding: Each of the redundancy point u j in U is firstly extracted from the vault and attached to b′j . A new set B′′ = {b′′j }N is produced after error-correction j =1 decoding process on each combination of b′j and u j . Enveloping process of real points: Based on the public random sequence {rj }Nj =1 , the new feature points set {b′′j }N j =1

Vault Construct: With the polynomial and enveloped real points set, the transmitter computes the set G = {d j , p ( d j )}N . j =1

It also generates a much larger set of random chaff points based on the physiological signal described in section II, of

XOR with {r }

N j j =1

to generate D = {d ′j }N = {b′′j ⊕ r j }N . j =1 j =1

Vault reconstruct: The receiver tries to reconstruct the polynomial P based on the enveloped real points set D using Lagrangian interpolation theorem. hash(key) is used to verify

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

the coefficients of the reconstructed polynomial. Once verified successfully, the receiver can get the cryptographic key based on the reconstructed polynomial. IV.

PERFORMANCE EVALUATION

Our performance evaluation is based on data from two experiments. In one experiment (Exp.I), 14 healthy subjects were recruited, ECG was captured from the three fingers of the subjects and two channels of PPG were captured from the index fingers of the two hands, respectively. For each subject, the three signals were captured simultaneously for 2-3min. In another experiment (Exp.II), 85 clinical subjects were recruited, one channel of ECG and one channel of PPG were captured for 40s on three or four days within two-month period. A 12-bit A/D converter sampling at 1000Hz was deployed to get the digital signals.

A. Anti-attack Capability Analysis There are two security potentials in proposed modified fuzzy vault during vault exchange process. The first potential is that the redundancy set in the vault will leak some information of real points. An eavesdropper can record the vault and try to derive the real points set to reconstruct the polynomial from it. Firstly, the eavesdropper can reconstruct real points through redundancy set information by brute-force. Take RS (n, k) with q-bit symbols as the error correcting code of each feature point for example, the number of average attempts to guess any one of the precise real point is (2k − n)*q −1 . The average attempts to reconstruct the m degree 2 m+1 ( m+1)*(2k −n)*q −1 , where polynomial is C N N is the ×2

m >= 4 . Fig.4 and Fig.5 depict the FAR and FRR curves as the function of m in Exp.I, respectively. It can be seen that the modified fuzzy vault have a better FRR performance, while not compromise the FAR performance in the case that m >= 4 . The comparison of minimum half total error rate (HTER) that equals (FAR+FRR)/2 between the modified fuzzy vault and the traditional one in Exp.I is presented in Table I. It can be seen the modified fuzzy vault scheme can achieve minimum HTERs of 0 with a moderate m = 6 ~ 11 . In fact, m should be as large as possible to ensure security of the scheme while HTER is ideal. Fig.6 and Fig.7 depict the FAR and FRR curves as the function of m in Exp.II, separately. In fact, over two-thirds of subjects in Exp.II were old unhealthy people with various kinds of cardiovascular diseases. The quality of the ECG and PPG signals of Exp.II was not as good as Exp.I, resulting in worse performance in terms of FRR. Nevertheless, the results still show a great improvement with our solution with a minimum HTER of 0.3%, compared to 3.4% with traditional scheme. The results indicate that the proposed scheme is promising in different settings, such as the lab and the clinical setting. TABLE I HTER COMPARISON of Exp. I

number of real points in the vault. Thus parameters (n, k, q, m, m+1 ( m+1)*(2k −n )*q l N) should satisfy C N ×2 ≥ 2 , where l is the

length of cryptographic key Key that need to be protected, in order not to compromise the security. Secondly, the eavesdropper can derive real points by computing every combination of the points in the vault to reconstruct the polynomial until get the same hash(Key). Guessing the correct real points that are enough reconstruct the polynomial would require an average of CNm++1M / 2 attempts, where CNm++1M is the number of selecting m+1 elements from N+M elements. With our enveloping solution, due to ordered real points and unordered dispersed points, even though the eavesdropper can get R , it should put the enveloped points in order as the real points. The number of average attempts to guess the correct m+1 N real points is increased to( C N , where PNN is the + M × PN / 2)

B. FAR/FRR Performance Take l = 128 , RS (15, 11) with q=4 as error-correction code for example, FAR and FRR were used to evaluate the performance of modified fuzzy vault. The number of feature points N = 20 . In order not to compromise the security, the degree of polynomial m should satisfy the condition that

Modified fuzzy vault

5

0.017094

0.000375

6

0.038462

0

7

0.064103

0

9

0.128205

0

9

0.183761

0

10

0.239316

0

11

0.303419

0

12

0.337607

0.004274

13

0.376068

0.004274

14

0.418803

0.008547

15

0.448718

0.017094

16

0.457265

0.029915

17

0.478632

0.051282

18

0.491453

0.111111

19

0.495726

0.226496

0.7 Fuzzy Vault Modified Fuzzy Vault

0.6

0.5

0.4

FAR

number of arranging N elements considering its order. Also, the enveloping solution can prevent the known attack of fuzzy vault based the statistical performance of real points by storing only a transformed version of real points.

Fuzzy vault

M

0.3

0.2

0.1

0

0

2

4

6

8

10

12

14

16

18

Degree of polynomial m

Fig.4. FAR as the function of degree of polynomial in Exp.I

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

1 Fuzzy Vault Modified Fuzzy Vault

0.9 0.8 0.7

FRR

0.6 0.5 0.4 0.3 0.2 0.1 0

0

2

4

6

8

10

12

14

16

18

Degree of polynomial m

Fig.5. FRR as the function of degree of polynomial in Exp.I

solved for a stable system performance. In this context, a different way of error-correction encoding and decoding is deployed at the transmitter/receiver to reduce the effect of bit differences in dynamic random patterns between biometric identifiers. An enveloping process is further deployed before the projection of real points onto the keying material constructed polynomial to protect the real points from being revealed by various potential attacks. The enveloping process can also be deployed in the general fuzzy vault scheme to prevent the known attacks based on statistical analysis of real points in the vault. The detailed anti-attack capability analysis shows that the modified scheme can ensure secure key transmission with uncompromised security. On the other hand, a comparison of FAR/FRR results is presented to demonstrate the effectiveness of the solution.

0.7

ACKNOWLEDGMENT

Fuzzy Vault Modified Fuzzy Vault

0.6

This work thanks for the experimental data provided by Joint Research Center for Biomedical Engineering, Chinese University of Hong Kong.

0.5

FAR

0.4

REFERENCES

0.3

[1] 0.2

0.1

0

0

2

4

6

8

10

12

14

16

18

[2]

Degree of polynomial m

Fig.6. FAR as the function of degree of polynomial in Exp.II

[3]

1

[4]

Fuzzy Vault Modified Fuzzy Vault

0.9 0.8

[5]

0.7

FRR

0.6

[6]

0.5 0.4

[7]

0.3 0.2

[8]

0.1 0

0

2

4

6

8 10 12 Degree of polynomial m

14

16

18

[9]

Fig.7. FRR as the function of degree of polynomial in Exp.II

V.

[10]

CONCLUSION

In this paper, we have proposed a modified fuzzy vault scheme for biometrics based BSN security. Different from general biometrics methods, the biometrics applicable to secure BSN communications should be time variant with a property of randomness, which thus can ensure uncompromised security in communications while not only identification. Therefore, while applying the fuzzy vault scheme proposed for general biometrics methods into securing BSN communications, some weaknesses have to be

[11] [12] [13]

S.Cherukuri, K.K. Venkatasubramanian, S.K.S. Gupta, “BioSec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body,” Proc. IEEE International Conference Parallel Processing Workshop, pp.432−439, 2003. S. D. Bao, Y. T. Zhang, L. F. Shen, “A new symmetric cryptosystem of body area sensor networks for telemedicine,” Proc. 6th Asian-Pacific Conference on Medical and Biological Engineering, 2005. Shu-Di Bao, C.Y. Poon, Yuan-Ting Zhang, and Lian-Feng Shen, “Using the timing information of heartbeats as an entity identifier to secure body sensor network,” IEEE transactions on information technology in biomedicine, Vol. 12, no. 6, pp. 772-779, Nov. 2008. A. Juels, M. Wattenberg, “A fuzzy commitment scheme,” Proceedings of 6th ACM conference on Computer and Communication Security, 1999. Juels A, Sudan M, “A fuzzy vault scheme,” Design Codes and Cryptography, Vol. 38, no. 2, pp. 237-257, 2006. Uludag U, Pankanti S. Jain A, “Fuzzy vault for fingerprints,” In: Kanade T, Jai AK, Ratha NK. Proc. of the 5th Int’l Conf. on AVBPA. Berlin: Springer-Verlag, pp. 310−319, 2005. Wang Y, Plataniotis K, “Fuzzy vault for face based cryptographic key generation, In: Proc. of the Biometrics Symp. Berlin: Springer-Verlag, 2007. 1−6. Lee Y, Bae K, Lee S, Park K, Kim J, “Biometric key binding: fuzzy vault based on iris images, In: Lee SW, Li SZ eds. Proc. of the ICB 2007. LNCS 4642, Berlin: Springer-Verlag, pp.800−808, 2007. Krishna K. Venkatasubramanian, Ayan Banerjee, Sandeep Kumar S. Gupta, “Plenthysmogram-based secure inter-sensor communication in body sensor networks, Proc. of IEEE Military Communiations, pp.1−7, 2008. Krishna K. Venkatasubramanian, Ayan Banerjee, Sandeep Kumar S. Gupta, “PSKA: usable and secure key agreement scheme for body area networks,” IEEE Transactions on Information Technology in Biomedicine, Vol. 14, no. 1, pp.60-68, 2010. Fen Miao, Lei Jiang, Ye Li, Yuan-Ting Zhang. “Biometrics based novel key distribution solution for body sensor networks,” Proc. Annual Conference of IEEE-EMBS, pp.2458−2461, 2009. Chang E, Shen R, Teo F. “Finding the original point set hidden among chaff,” Proc. of the ASIACCS 2006. New York: ACM, pp.182−188, 2006. S.D. Bao and Y.-T. Zhang, “A new symmetric cryptosystem of body area sensor networks for telemedicine,” in 6th Asian–Pacific Conference on Medical and Biological Engineering, 2005.

978-1-4244-5637-6/10/$26.00 ©2010 IEEE