Biometrics and Cryptography
Traditional cryptography uses encryption keys, which are long bit strings, usually 128 bits or more. These keys are symmetric, public, or private, and they are an essential part of any cryptosystem, for example, a Public Key Infrastructure (PKI). It is impossible for an individual to memorize such a long random key, so the key is generated, through several steps, from a password or a PIN that can be easily remembered. The weakest point of any cryptosystem is the password management system, as the password can be guessed, found with a brute-force search, or stolen by an attacker.
Biometrics, on the other hand, are unique characteristics that are always present in every person. So a simple question arises.
Can a biometric be used as a cryptographic key?
Unfortunately, the answer to this question is no. Biometric images or templates are variable by nature, which means that each fresh biometric sample is different, and conventional cryptography cannot tolerate even a single bit error.
A biometric system always produces either a Yes or a No response, which is essentially one bit of information. Therefore, a crucial role for biometrics in a conventional cryptosystem is password management, as mentioned by Bruce Schneier. When the system receives a Yes response, it automatically unlocks the password or the key, which must be stored in a secure and trusted location. But even this scheme is still prone to security vulnerabilities, as the biometric system and the password are connected through one bit only.
Conventional cryptographic methods can encrypt the biometric templates or images which are stored in a database. By default, it would improve the level of system security as an intruder must gain access to the encryption keys first. However, most privacy issues connected with an extensive database remain, since the keys and, therefore, the biometric data, are controlled by a custodian.
What is Biometric Encryption (BE)?
Biometric Encryption is a process that securely binds a PIN or a cryptographic key to a biometric so that neither the biometric nor the key can be retrieved from the stored template. The key is re-created only if a correct live biometric sample is presented on verification.
Working process of Biometric Encryption
Biometric Encryption is an effective, secure, and privacy-friendly tool, especially for biometric password management, because the password and the biometric are bound on a fundamental level. The steps of BE are briefly explained below:
1. Digital Enrolment
The digital key, unlike a password or PIN, is randomly generated on enrolment, so that nobody, including the user, knows it. The key itself is entirely independent of the biometric and, therefore, can always be altered or updated. After a biometric sample is acquired, the BE algorithm consistently and securely binds the key to the biometric to generate a protected BE template, which is also known as a "private template". The key is always encrypted with the biometric. The BE template provides excellent privacy protection and can be stored in a database or locally on a smart card, token, laptop, cell phone, or other device. At the end of the enrolment process, both the biometric and the key are discarded.
2. Biometric Verification
For verification, the user presents a new biometric sample which, when applied to the legitimate Biometric Encryption template, lets the BE algorithm retrieve the same key or password. So the biometric serves as a decryption key. At the end of verification, the presented sample is discarded once again.
3. Password Management
Once the digital key, password, or PIN is retrieved, it is used as the basis for any physical or logical application. The most apparent use lies in a conventional cryptosystem, such as a PKI, where the password will automatically generate a pair of public and private keys.
4. Encryption/Decryption Scheme
The Biometric Encryption algorithm is designed to account for acceptable variations in the input biometric. Nevertheless, an attacker whose biometric sample is different enough will not be able to retrieve the password. This encryption/decryption scheme is uncertain, as the biometric sample is different each time. With the invention of so many modern hacking methods, it is a big challenge to make the system work correctly.
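The enrolment and verification steps above, as an added example that is not part of the original article: it uses a fuzzy commitment (the key encoded with a toy repetition code and XORed with the biometric bits) as a stand-in for the BE algorithm, which the article does not specify. The 80-bit feature vector, `REP`, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

REP = 5  # assumption: toy repetition code, corrects up to 2 bit errors per 5-bit block

def encode(key_bits):
    """Repeat every key bit REP times."""
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    """Majority vote over each REP-bit block."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def key_hash(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def enrol(bio_bits):
    """Bind a fresh random key to the biometric; only the template is returned."""
    key = [secrets.randbits(1) for _ in range(len(bio_bits) // REP)]
    helper = [c ^ b for c, b in zip(encode(key), bio_bits)]
    # Neither the key nor the biometric is stored: only helper data and a key hash.
    return {"helper": helper, "check": key_hash(key)}

def verify(template, fresh_bits):
    """Re-create the key from a fresh sample, or return None if it is too different."""
    if len(fresh_bits) != len(template["helper"]):
        return None
    key = decode([h ^ b for h, b in zip(template["helper"], fresh_bits)])
    return key if secrets.compare_digest(key_hash(key), template["check"]) else None

def resample(bits, offsets):
    """Constructed 'fresh sample': flip the bits at the given offsets in every block."""
    return [b ^ 1 if i % REP in offsets else b for i, b in enumerate(bits)]

# Constructed 80-bit feature vector standing in for an enrolled biometric.
ENROLLED = [(i * i + i // 3) % 2 for i in range(80)]

if __name__ == "__main__":
    template = enrol(ENROLLED)
    k1 = verify(template, resample(ENROLLED, {0}))        # 20% of bits differ
    k2 = verify(template, resample(ENROLLED, {1, 4}))     # 40% of bits differ
    bad = verify(template, resample(ENROLLED, {0, 1, 2})) # 60% of bits differ
    print("same key from two noisy samples:", k1 is not None and k1 == k2)
    print("sample that is too different:", bad)
```

A 16-bit key and a repetition code are far too weak for real use; they only make the error-tolerance mechanism visible.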
Advantages of Biometric Encryption
Biometric Encryption technologies have massive potential to enhance privacy and security. The crucial benefits and advantages of this technology are given below:
In any biometric system, privacy and security concerns include fears of security breaches, potential data matching, surveillance, profiling, interception, and identity theft by hackers. Mismanagement and misuse of biometric data by others can create negative externalities and costs that fall primarily upon individuals.
Biometric Encryption directly manages these risks and threats. Users retain complete (local) control and use of their biometrics. Local control enhances confidence and trust in the system, which ultimately promotes greater enrolment and use.
In Biometric Encryption, account identifiers are bound with the biometric and are recomputed directly from the user's verification. This results in much stronger account identifiers (passwords) that are longer and more complex and do not need to be memorized. They are also less susceptible to security attacks. There are no substitution attacks, no tampering with data, no Trojan horse attacks, etc., as an attacker cannot create his own template, since neither he nor anybody else knows the digital key.
Also, the possibility of a high-level masquerade attack is minimal, as the system does not store any biometric template, so the intruder cannot create a digital artifact.
Users can take advantage of the convenience and ease of BE technologies to encrypt their private or sensitive data. Since the key is one's own biometric, which is used locally, BE technology places a powerful tool securely and directly in the hands of individuals. Hence, Biometric Encryption could be viewed as encryption for the masses.