Secure smartcardbased fingerprint authentication

Abstract

In this paper, the fundamental insecurities hampering a scalable, wide-spread deployment of biometric authentication are examined, and a cryptosystem capable of using fingerprint data as its key is presented. For our application, we focus on situations where a private key stored on a smartcard is used for authentication in a networked environment, and we assume an attacker can launch o -line attacks against a stolen card.Juels and Sudan's fuzzy vault is used as a starting point for building and analyzing a secure authentication scheme using fingerprints and smartcards called a figerprint vault. Fingerprint minutiae coordinates m_i are encoded as elements in a nite eld F and the secret key is encoded in a polynomial f(x) over F[x]. The polynomial is evaluated at the minutiae locations, and the pairs (m_i, f(m_i)) are stored along with random (c_i, d_i) cha points such that d_i ≠ f(c_i). Given a matching fingerprint, a valid user can seperate out enough true points from the cha points to reconstruct f(x), and hence the original secret key.The parameters of the vault are selected such that the attacker's vault unlocking complexity is maximized, subject to zero unlocking complexity with a matching fingerprint and a reasonable amount of error. For a feature location measurement variance of 9 pixels, the optimal vault is 2⁶⁹ times more difficult to unlock for an attacker compared to a user posessing a matching fingerprint, along with approximately a 30% chance of unlocking failure.