Some consider biometrics as intrusive and as a violation of privacy. While you read, pay attention to how biometric systems authenticate and to the three main threats against biometric systems. What are these three threats and what are the cryptographic and non-cryptographic countermeasures?
3. Main Threats against Privacy-Preserving Biometric Authentication Systems
3.2. A Biometric Reference Recovery Attack
The most successful strategy to perform a biometric reference recovery attack is to use a hill-climbing technique to perform a centre search attack. The attack can be launched under three conditions:
(1) The adversary is in possession of a matching template (maybe spoofed) for the target biometric reference.
(2) The adversary is able to see the output of the authentication process. For instance, this information could be in an access control system, a door that is opening.
(3) The matching process between a fresh and a stored template relies on specific distances, called leaking distances, which include the Euclidean and the Hamming distance.
Figure 3 provides an intuition of the attack strategy. In the example (Figure 3) the stored reference template is the point
and the given matching
is in the point
. The matching templates are the points in the region delimited by the green circle. The adversary
starts from the first component of the given matching template, the point
, and increments it repeatedly by a factor 1. When rejected, on the point
denoted by the red bullet with a white cross, the attacker learns that the previous point
is the last one inside the acceptance circle. The same strategy is repeated starting from the point
and decreasing (by a factor 1 each time) the first component until rejection, and for the other component of the template. After discovering
the coordinates of the four boundary points in the acceptance circle, the attacker can compute the coordinates of its centre, that is, find the digital representation of the biometric reference template.
Figure 3
Example of a recovery template attack for a BAS with biometric traits represented as vectors in
and with threshold
. The values are chosen ad hoc to be able to picture
the example in an easy and intuitive way and do not reflect the parameters used in real applications (usually,
is smaller than
and
is in the order of 2048).
This reference recovery attack is very efficient as it only requires a number of authentication attempts that are linear in the length of the biometric template. Moreover, it can be mounted against many biometric authentication systems (privacy-preserving or not) and even systems that employ secure multiparty computation techniques including somewhat homomorphic encryption.
Another strategy to perform biometric reference recovery attacks is to gain access to the database and try to decrypt the target template. This approach, however, is way less successful since normally the employed cryptographic techniques used to protect the templates' privacy are proven to be secure.
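The centre search described in this section can be simulated against an in-memory toy matcher to see how much the accept/reject output leaks and how the number of authentication attempts grows with template length. This is an added example, not code from the original text; the `ToyBAS` class, the threshold `TAU` and the sample vectors are constructed, and the matcher is assumed to use the Euclidean distance over integer vectors.

```python
"""Toy simulation of the centre search attack (constructed example)."""

TAU = 4  # assumed acceptance threshold; real systems use other parameters


class ToyBAS:
    """In-memory matcher that leaks only accept/reject and counts queries."""

    def __init__(self, reference, tau=TAU):
        self._ref = tuple(reference)
        self._tau_sq = tau * tau
        self.queries = 0

    def authenticate(self, fresh):
        self.queries += 1
        dist_sq = sum((a - b) ** 2 for a, b in zip(fresh, self._ref))
        return dist_sq <= self._tau_sq  # Euclidean distance <= tau


def last_accepted(bas, matching, i, step):
    """Move component i by `step` until rejection; return last accepted value."""
    probe = list(matching)
    while True:
        probe[i] += step
        if not bas.authenticate(probe):
            return probe[i] - step


def centre_search(bas, matching):
    """Recover the reference from one matching template and accept/reject bits."""
    if not bas.authenticate(matching):
        raise ValueError("condition (1) fails: template does not match")
    recovered = []
    for i in range(len(matching)):
        hi = last_accepted(bas, matching, i, +1)
        lo = last_accepted(bas, matching, i, -1)
        # The accepted interval along axis i is symmetric about the centre.
        recovered.append((hi + lo) // 2)
    return tuple(recovered)


def run_demo():
    reference = (12, 7, 30, 5)   # constructed stored template
    matching = (13, 5, 31, 6)    # constructed matching template
    bas = ToyBAS(reference)
    return centre_search(bas, matching), bas.queries


if __name__ == "__main__":
    print(run_demo())
```

For this toy matcher the query count never exceeds `1 + n * (2 * TAU + 2)` for a template of length `n`, which is the linear growth the text refers to.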