Cancelable Biometrics


One of the problems with biometrics is that they're difficult to reset. Lose your password, you get a new one. If someone compromises your biometric data, how do you get new fingerprints? The invariance over time of biometric data is one of its greatest strengths as well as one of its greatest weaknesses.

The biggest threat isn't that someone will steal your fingerprints, retinas, or other body parts from you (action movies being the obvious exception). Rather, it's that once the biometric data (features) about the artifact have been stored in the computer, they can be stolen and replayed.

Turns out that there are ways. This article, "Enhancing security and privacy in biometrics-based authentication systems" by N. K. Ratha, J. H. Connell, and R. M. Bolle, describes a method (see the section on Cancelable Biometrics toward the end). The article also contains recommendations on creating biometric systems that better withstand attack. Here are some images showing the technique at work.

In essence you're hashing the biometric data with some other key and changing the key where you can't change the biometric. This approach offers several advantages:

  • Because the transforms are non-invertible, the original biometric data cannot be recovered from the transformed data and thus is safe.
  • Different applications could use different transforms, preventing stored biometric data from one place being used somewhere else.
  • Privacy can be better protected because the actual features of a person aren't stored, but transformed data instead.

So, what about the Gummi Bear attack? Well, the system posits that the transform could be stored on a smart card, so that the Gummi Bear attacker would have to also get the card or at least what's on it. If the card gets lost, issue a new card and you're back in business.
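
The keyed transform and the card-reissue step described above, as an added example that is not taken from the Ratha, Connell and Bolle article: a toy stand-in transform that folds 64 image cells onto 16 under an HMAC-derived map, so several source cells share each target cell. The image size, cell layout, key names, minutiae coordinates and matching tolerance are all assumptions made for illustration.

```python
import hashlib
import hmac

CELL = 32      # cell edge in pixels (assumed 256x256 image -> 8x8 = 64 cells)
GRID = 8
TARGETS = 16   # 64 source cells fold onto 16 targets: many-to-one

def cell_map(key: bytes) -> dict:
    """Keyed map from source cell to target cell; a new key gives a new map."""
    out = {}
    for c in range(GRID * GRID):
        digest = hmac.new(key, c.to_bytes(2, "big"), hashlib.sha256).digest()
        out[c] = int.from_bytes(digest[:4], "big") % TARGETS
    return out

def transform(minutiae, key: bytes):
    """Move each (x, y) minutia into its keyed target cell, keeping the in-cell offset."""
    mapping = cell_map(key)
    return [(mapping[(y // CELL) * GRID + x // CELL], x % CELL, y % CELL)
            for x, y in minutiae]

def match_score(enrolled, probe, tol: int = 3) -> float:
    """Fraction of probe points with an enrolled point in the same cell within tol px."""
    hits = 0
    for cell, ox, oy in probe:
        if any(c == cell and (ox - ex) ** 2 + (oy - ey) ** 2 <= tol ** 2
               for c, ex, ey in enrolled):
            hits += 1
    return hits / len(probe)

# Constructed sample data: ten minutiae and a second, slightly noisy capture.
FINGER = [(40, 50), (75, 20), (110, 140), (200, 45), (150, 210),
          (20, 180), (230, 230), (90, 85), (175, 120), (55, 240)]
JITTER = [(1, -2), (-2, 1), (2, 2), (0, -1), (-1, 0)]
RESCAN = [(x + JITTER[i % 5][0], y + JITTER[i % 5][1])
          for i, (x, y) in enumerate(FINGER)]

def demo():
    old_key, new_key = b"card-key-v1", b"card-key-v2"  # hypothetical smart-card keys
    stolen = transform(FINGER, old_key)                # template as stored server-side
    genuine = match_score(stolen, transform(RESCAN, old_key))
    reissued = transform(FINGER, new_key)              # same finger, new card
    replay = match_score(reissued, stolen)             # old template vs new enrollment
    return genuine, replay

if __name__ == "__main__":
    print(demo())
```

Matching happens entirely in the transformed domain, so the verifier never needs the raw minutiae, and a template captured under the old key scores poorly against the re-enrolled one.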