Design and Implementation for Secure Embedded Biometric Authentication Systems

1
Design and Implementation for Secure Embedded
Biometric Authentication Systems

• Shenglin Yang
• Advisor Ingrid Verbauwhede
• Electrical Engineering Department
• University of California, Los Angeles

2
Personal Authentication Systems
Select Authenticator
Biometrics
Security
Embedded
Software Optimization
Oracle-based Design
Memory Management
Crypto-Biometrics
Hardware Acceleration
Micro-coded Coprocessor
Secure Embedded Biometric Authentication Device
3
Outline

• Motivation and challenges
• Secure biometric matching techniques
• Secure partitioning
• Cryptographic Biometrics
• Fuzzy vault based fingerprint verification
• Micro-coded coprocessor implementation
• Secure iris verification
• Conclusions

4
Motivation and challenges
Biometrics provide a more secure and convenient
way for personal authentication
Unique
No token needed
Biometrics
No memorize needed

• For mobile biometric authentication system, the
  template is stored on the embedded device.
• more resource-constrained
• more vulnerable

5
Security Challenges

• Mobile devices are more accessible, which means
  that they are more vulnerable too!
• Attacks on communication channels, stack/memory,
  and bus
• Side Channel Attacks (SCA) on mobile devices

Traditional attacks
Side channel attacks
Protocol
Algorithm
Channel
Timing
Architecture (Embedded SW)
Stack/Memory
Power
Micro-Architecture
Bus
EMI
Circuit
6
Personal Authentication Systems
Select Authenticator
Biometrics
Security
Embedded
Software Optimization
Oracle-based Design
Memory Management
Crypto-Biometrics
Hardware Acceleration
Micro-coded Coprocessor
Secure Embedded Biometric Authentication Device
7
Logic Level Solution

• Asymmetric power consumption in standard CMOS
• Obtain the secret key of an encryption system
  using the power variations
• Unprotected AES cracked under 3 min.

• Solution special logic (WDDL)
• Exactly one charging event per cycle
• Charge capacitance is constant for different
  outputs

Tiri, K. and Verbauwhede, I., Security encryption
algorithms against DPA at the logic level next
generation smart card technology, Workshop on
Cryptographic Hardware and Embedded Systems
(Lecture Notes Computer Science Vol.2779), Sept.
2003, pp 125-136, Cologne, Germany.
8
Security Partitioning
Secret Key
Minutiae Extraction
Unprotected
Load Key
Crypto Module
Template
Load Bogus
Protected

• Security comes with penalty larger chip size
• Only the sensitive template and the corresponding
  processes need to be protected.

9
Secure Matching
Input (Unsecure)
Template (Secure)
For each input minutiae pair I For each
template minutiae pair T
Unprotected software
if (IT) matching_count If
matching_count gtN return TRUE else return
FALSE
Query
Response
Protected oracle
Results 1 FRR and lt0.01 FAR
10
Personal Authentication Systems
Select Authenticator
Biometrics
Security
Embedded
Software Optimization
Oracle-based Design
Memory Management
Crypto-Biometrics
Hardware Acceleration
Micro-coded Coprocessor
Secure Embedded Biometric Authentication Device
11
Cryptographic Biometrics

• Noninvertible transformed version of template
• Fuzzy vault scheme

Alice
Bob
Telephone Num
Cipher Text
List of favorite movies (KEY)
List of favorite movies (KEY)
If KEY and KEY are similar enough, Bob can
extract the Telephone number of Alice from the
cipher text
Ref Juels, A. and Sudan, M., A fuzzy vault
scheme, Proceedings 2002 IEEE International
Symposium on Information Theory, 2002, pp.408.
Piscataway, NJ.
12
Fingerprint Vault

• Biometrics, such as fingerprint, can act as the
  KEY in the fuzzy vault scheme

p(x)
Minutiae
PIN
Template
Lock set
Add Noise
ThumbPod
Fuzzy Vault
Minutiae
PIN OK?
Matching
Input
13
Effect of Shifting and Rotation
(a)


(b)
(c)
(a) and (b) are two prints from a same finger
(c) is the positions of the features.
14
Feature Alignment
Overlap of four minutiae feature sets aligned
based on a well-selected reference point


15
Experimental Results (1)

• Unlock complexity varies according to the degree
  of polynomial for different size of impostor set.

Log complexity (log2)
Size of unlock set / Degree of polynomial
16
verification accuracy varies along with
polynomial degrees for difference size of the
impostor set.
Experimental Results (2)
Error rate
Size of unlock set / Degree of polynomial
17
Experimental Results (3)

• The influence of the polynomial degree and the
  chaff set size on the system performance
  (Complexity-Accuracy Factor)

Complexity-Accuracy Factor
Size of unlock set / polynomial degree
18
Personal Authentication Systems
Select Authenticator
Biometrics
Security
Embedded
Software Optimization
Oracle-based Design
Memory Management
Crypto-Biometrics
Hardware Acceleration
Micro-coded Coprocessor
Secure Embedded Biometric Authentication Device
19
Implementation Approaches
Embedded Application
CPU DSP ASIP Micro-coded Design ASIC
Standard Instruction Set Architecture Specialized Instruction Set Architecture Custom Instruction Set Architecture Custom Micro-architecture Custom Circuit
20
Architecture
A 16-bit microcoded coprocessor, FV16, is design
to implement the fuzzy vault algorithm
RNG
GFM
TRI
DAG
RAM
ALU
RF
TRI
Controller
Z
PC
IR
DECODER
IO
MICROCODE ROM
ARM
MEM
21
Performance Comparison

• Taking advantage of the special function blocks,
  the execution time is significantly reduced
• GFM 14 times
• RNG 162 times
• TRI 82 times

22
Human Iris
Sclera
Iris
Pupil

• iris forms during gestation and remains the same
  for the rest of ones life
• iris is unique for individuals
• it is well protected and extremely difficult to
  be modified

23
Iris Feature Extraction
Segmentation
Detect iris boundary
Detect pupil boundary
Isolate eyelid eyelash
Normalization (Daugmans rubber sheet model)
?

r
r
?

Feature Coding
24
Feature Coding
Feature Coding
1D signal
2D signal
Intensity
r
?
Position

1D Gabor filter
Real response
Imaginary response
Phase quantization
Iris template
25
Template-Protect Verification
Iris feature

(1023,46,219) BCH
C
Secret data generation
S
ENC




Enrollment

Hash
W


Storage
W
Recovering the random bit stream
Input iris feature

S
Verification



Comparing
Hash

Result

26
Two-Segment Algorithm
Feature extraction

Reliable bits selection

Select flag
Reliable bits (Z)


F

Division

RNG
Z

Z
1

2

Storage

S

W

C
1


ENC

W2
Hash


F

Input
Hs
Reliable bits selection
W1
W2
Storage



Hs
Z1?
(Hs)1
S1?
R1
DEC
Hash
Division


Compare
Decision
Y/N


Z2?
S2?
(Hs)2
DEC
Hash


R2


27
Verification Performance
(a)
(b)
Reliable feature bits are used for verification
All feature bits are used for verification
28
Performance vs Reliable Bits Sizes(1)
1460 reliable bits
Error rate
FRR
FAR
0.4
0.5
0.6
0.7
0.8
0.9
1
Threshold
29
Performance vs Reliable Bits Sizes(2)
1096 reliable bits
Desired verification threshold
1
0.8
Error rate
0.6
0.4
0.2
FRR
FAR
0
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Threshold
30
Performance vs Reliable Bits Sizes(3)
974 reliable bits
1
0.8
Error rate
0.6
0.4
FRR
0.2
FAR
0
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Threshold
31
Performance Comparison
The iris verification system based on 1096
reliable bits achieves the best performance
32
Conclusions

• An efficient secure embedded fingerprint
  authentication system is designed and
  implemented.
• System security for biometric authentication
  systems is addressed from two levels Logic level
  and algorithm level.
• Security partitioning based fingerprint matching
  algorithm is proposed
• Fuzzy vault based fingerprint matching is
  designed and implemented using microcoded
  coprocessor
• Template-protected iris verification is proposed

33
Selected Publications
Yang, S., Sakiyama, K., and Verbauwhede, I.,
Efficient and Secure Fingerprint Verification
for Embedded Devices, EURASIP Journal on Applied
Signal Processing, vol.2006, no.3, pp. 11,
2006. Yang, S., Schaumont, P., and Verbauwhede,
I., Microcoded Coprocessor for Embedded Secure
Biometric Authentication Systems, Proc.
IEEE/ACM/IFIP International Conference on
Hardware - Software Codesign and System
Synthesis, pp. 130-135, September. 2005. Yang,
S. and Verbauwhede, I., Automatic Secure
Fingerprint Verification System Based on Fuzzy
Vault Scheme, Proc. IEEE International
Conference on Acoustics, Speech, and Signal
Processing, pp. 609-612, March 2005. Yang, S.
and Verbauwhede, I., Secure Fuzzy Vault Based
Fingerprint Verification System, Proc. 38th IEEE
Asilomar Conference on Signals, Systems, and
Computers, Vol. 1, pp. 577-581, November 2004.
Yang, S. and Verbauwhede, I., Methodology for
Memory Analysis and Optimization in Embedded
Systems, Proc. GSPx Embedded Signal Processing
Conference, pp. 1-6, September 2004. Yang, S.
and Verbauwhede, I., A Realtime, Memory
Efficient Fingerprint Verification System, Proc.
IEEE International Conference on Acoustics,
Speech, and Signal Processing, pp. 189-192, May
2004. Yang, S. and Verbauwhede, I., A Secure
Fingerprint Matching Technique, Proc. ACM
Workshop on Biometrics Methods and Applications,
pp.89-94, November 2003. Yang, S., Sakiyama, K.,
and Verbauwhede, I., A Compact and Efficient
Fingerprint Verification System for Secure
Embedded Systems, Proc. 37th IEEE Asilomar
Conference on Signals, Systems, and Computers,
pp. 2058-2062, November 2003.
34
Thank You!