The present invention relates to the generation of keys for use in security systems, and in particular relates to the generation of keys from physical identifiers.
There is an increasing demand for more reliable and convenient security systems, and there is interest in the use of physical identifiers, such as fingerprints, iris, voice and gait Since physical identifiers cannot be lost or forgotten in the way that, for example, computer passwords can, they have the potential to offer higher security and more convenience to users.
A system that uses symmetric cryptographic keys derived from physical/biometric data is described below with reference to
Consider the situation that a user, Alice, wants to communicate over a private channel with another user, for example, her Bank. The protocol used by Alice and the Bank comprises two phases, the enrolment phase and the application phase.
During the application phase, a noisy measurement Yn of Alice's biometrics is obtained at a terminal. Alice enters conventional user identity data, such as a user name, into the terminal, and the user identity data is sent to the Bank. The Bank accesses its database using this data and retrieves the helper data W associated with Alice. The helper data W is sent to Alice's terminal over a public authenticated channel. The helper data W together with the noisy measurement Yn of Alice's biometrics are used to derive a key F(V). F(S) and F(V) are then used to encrypt communications sent from the Bank to Alice and from Alice to the Bank respectively. As the system uses symmetric cryptographic keys, F(V) must equal F(S) in order for the encrypted communications to be decoded.
The convenience and security of this system in relation to classical systems comes from the fact that Alice is not required to store her cryptographic key, F(V), nor the helper data W. In the application phase Alice is only required to provide a measurement of her biometric identifier.
However, Alice may need to use her biometric data to establish secure communications with several parties, for example, the Bank and another user, Charlie. Therefore, Alice must be able to derive multiple cryptographic keys from her biometric data as it desirable that Charlie is not able to eavesdrop on the communications between Alice and the Bank. In addition, it is desirable to protect against the possibility that multiple parties use their respective cryptographic keys to collaborate in an attack on the secure channel between Alice and the Bank.
Such a system should have several characteristics. Firstly, the system should be robust, meaning that, given a noisy measurement Yn of a user's biometrics Xn, it should be possible to derive the correct key in the application phase, i.e. F(V)=F(S).
Secondly, the information in the database of the Bank (F(S) and W) should not reveal any sensitive information about Xn.
Thirdly, the helper data W that is sent over the public authenticated channel should not give any information about the cryptographic key F(S).
Fourthly, given a fixed biometric X′ it should be possible to derive different pairs of F(S) and W.
In the following, the different pairs of keys and helper data are denoted F(Si) and Wi, where i=1, 2, . . . , K, where K>>1. The secrecy of a key F(S) should be guaranteed given the helper data Wi and all of the other key/helper data pairs, F(S1), W1; . . . ; F(Si−1), Wi−1; F(Si+1), Wi+1; . . . ; F(SK), WK.
Several assumptions are also made about the security of the system. Firstly, the Certification Authority (CA), which carries out the enrolment phase, is trusted.
Secondly, the communication of the helper data W from the Bank to Alice during the application phase is over a public authenticated channel.
Thirdly, the parties that Alice communicates with cannot be trusted. Charlie, for example, might use his knowledge of F(SC) and WC to attack the secure channel between Alice and the Bank, i.e. he will try to find F(SB).
Fourthly, several parties can collaborate to attack one of Alice's secure channels with another user.
Fifthly, an attacker that does not share a secure channel with Alice can steal cryptographic keys and helper data from one or more of the parties who share a secure channel with Alice. In particular he has access to F(Si), Wi.
Sixthly, the sensor and processing devices in the terminal that Alice uses during the application phase are tamper resistant.
Finally, an attacker is not able to obtain latent biometrics. The only information can come from information in the databases.
Biometric templates are processed measurement data, i.e. feature vectors, and are modelled as realizations of a random process. Biometrics of different individuals are independent realizations of a random process that is equal for all individuals. The processing of biometrics results in templates that can be described by n independent identically distributed (i.i.d) random variables with a known distribution PX. The probability that the biometric sequence Xn of a certain individual equals xn is defined by
where PX is the probability distribution of each component, defined on an alphabet , which can be a discrete set or (for X= the sequence Xn is characterised by the probability density function fx
Noisy measurements made during the application phase are modelled as observations of biometrics through a memoryless noisy channel. For a measurement Yn of biometrics xn:
where PY|X characterizes the memoryless channel with input alphabet and output alphabet The biometric templates obtained by the certification authority are noise free.
In order to deal with noisy measurements, Secret Extraction Codes (SECs) can be used. Secret Extraction Codes are described in “Capacity and Examples of Template-Protecting Biometric Authentication Systems” by Pim Tuyls and Jasper Goseling (available from “eprint.iacr.org/2004/106.pdf”), but will also be described below.
S denotes the set of secrets and and denote the input and output alphabets respectively of the channel representing the noisy measurements.
Let n, ε>0. An (n, |S|, c) Secret Extraction Code C, defined on x , is an ordered set of pairs of encoding and decoding regions
C={(εi,)|i=1, 2, . . . , |S|}, (3)
where εi⊂ and ⊂, such that
for i, j=1, 2, . . . , |S|, i≠j and
P
Y
|X
(Di|Xin)≧1−ε, (5)
for all xinεεi and i=1, 2, . . . , |S|.
A secret extraction code provides an encoding-decoding scheme of a (possibly continuous) variable into a finite alphabet S={1, 2, . . . , |S|} by discretization. The condition in Eq. (4) expresses that unambiguous encoding and decoding is possible and the condition of Eq. (5) implies a low probability of error.
When the sets εi have cardinality one, the SECs are normal error correcting codes.
To determine the cryptographic keys from the secret extraction codes, the following are defined:
The size of S and is large enough such that given F(S), it is computationally infeasible to find S
The following procedure is used during the enrolment phase:
1. The biometrics of Alice are measured
2. A secret extraction code C is chosen at random in Φx
3. Given a C={(Ei, )}i=1|S|, the secret S is defined as S=i if εεi.
For Φx
4. F(S) and W are provided to the Bank.
The following procedure is used during the application phase:
1. The Bank sends the helper data W to Alice over a public authenticated channel.
2. Alice obtains a measurement Yn of her biometrics.
3. The secret extraction code C(W) is used to derive the secret V=i if Ynε, and hence the key F(V).
4. Alice and the Bank use a symmetric cryptosystem based on the keys F(V) and F(S), respectively.
As mentioned above, if Alice uses a symmetric cryptosystem to communicate securely with different parties, it is desirable that she does not use the same key in more than one place.
If C is a collection of SECs, and xnε is the biometric template of Alice, then if there is only one secret extraction code in the collection available for use with a particular biometric (i.e. |Φx
Therefore, it is an object of the present invention to provide an extended set of secret extraction codes for use in extracting cryptographic keys from a particular biometric identifier.
According to a first aspect of the present invention, there is provided a method of generating a key for encrypting communications between first and second terminals, the method comprising: obtaining a measurement of characteristics of a physical identifier of a user; and extracting a key from the physical identifier using a code selected from a collection of codes, each code in the collection defining an ordered mapping from a set of values of the characteristics to a set of keys; wherein the collection of codes comprises at least one code in which the ordered mapping is a permutation of the ordered mapping of one of the other codes in the collection.
The invention will now be described, by way of example only, with reference to the following drawings, in which:
In the following, the invention will be described with reference to the use of secret extraction codes and biometric identifiers. However, it will be appreciated by a person skilled in the art that the invention can be applied to systems in which keys are derived using other methods, and from any type of physical identifier.
As mentioned above, where there is only one secret extraction code from the collection available for use with a particular biometric (i.e. if |Φx
Therefore, the present invention provides a method of generating a key for encrypting communications between first and second terminals in which the collection of SECs used for key extraction has been extended. In particular, assume that |Φx
In preferred embodiments of the invention, the method achieves |Φx
Specifically, the secret extraction codes are ordered sets of encoding/decoding region pairs. That is, the secret extraction codes relate a set of values of characteristics of a physical identifier to a set of keys. The ordering of the set of values and set of keys in the secret extraction code implies a mapping from “regions” (a region being a particular set of values of characteristics of the physical identifier) to keys. The present invention extends this collection by adding secret extraction codes that have the same “regions” as the original secret extraction codes in the collection but with a different mapping to keys.
In step 102, a collection of secret extraction codes is defined. The collection may comprise one or more secret extraction codes. Each secret extraction code defines a mapping between sets of values of characteristics of a physical identifier and a set of keys. That is, based on the measured values of the characteristics, the measurement is assigned to one of multiple regions. The regions may be such that all measurements within a region are similar to each other, or may be such that each region includes disparate measurements. Given the assigned region, a selected secret extraction code then defines a particular key from the set of available keys.
In step 104, the collection of secret extraction codes is expanded by permuting the mapping between the sets of values of the characteristics of the physical identifier and the set of keys. In a preferred embodiment of the invention, the permutation is a cyclic permutation, as will be described in more detail below. In alternative embodiments of the invention, the permutation is a non-cyclic permutation.
In step 110, a measurement is taken of characteristics of a physical identifier of a user.
As described above, when this measurement is made during the application phase, the measurement will be noisy, meaning that it will not exactly match the measurement taken by the certification authority during enrolment.
In step 112, a secret extraction code is selected from a collection of codes. In accordance with the invention described above, at least one of the codes in the collection has a mapping between values of the characteristics of the physical identifier and the set of keys that is a cyclic permutation of the ordered mapping of one of the other codes in the collection.
In the enrolment phase, that is, when a user first establishes a key for encrypting communications with another specific user, the certification authority randomly selects one of the secret extraction codes from the collection. In the application phase, when the user wishes to communicate with another specific user, the first terminal selects the appropriate secret extraction code using helper data that was generated by the certification authority at the time of enrolment. The helper data is generated by the certification authority and is stored in a memory of the second terminal.
In step 114, the selected secret extraction code is used to extract a key from the measurement of the characteristics of the physical identifier. A one-way function is normally used to generate the encryption key from the extracted key. In the enrolment phase, the certification authority sends the encryption key to the second terminal, where it is stored in a memory.
In the application phase, the generated encryption key is used to encrypt communications to be sent to, and to decrypt communications received from, the second terminal.
As mentioned above, a permutation process is used in order to generate additional secret extraction codes from a first secret extraction code. As an example of the permutation used in accordance with the invention, let X be a permutation on S={1, 2, . . . , |S|}, i.e. π: SS, and let C={(εi, )}i=1|S|εC. A new secret extraction code, Cπ, is defined as
Cπ={(επ(i),Dπ(i))}i=1|S|. (6)
Let Π⊂{π: SS} be a subset of permutations on S. A new collection Ch of secret extraction codes is constructed as
C
Π={Cπ:CεC,πεΠ} (7)
In a preferred embodiment of the present invention, the following construction of the set of permutations is used. The set of permutations is the set of all cyclic shifts on S, i.e.
ΠCS={πk:kεS,πk:SS,πk(i)=i+k(mod|S|)} (8)
Thus, if, in a basic secret extraction code, measurements in a first region are mapped to a first key, measurements in a second region are mapped to a second key, and so on; then, in a first permutation, measurements in a first region are mapped to the second key, measurements in a second region are mapped to a third key, and so on, until measurements in a final region are mapped to the first key. Further, in a second permutation, measurements in a first region are mapped to the third key, measurements in a second region are mapped to a fourth key, and so on, until measurements in the final region are mapped to the second key. The number of available permutations is thus equal to the number of regions and keys.
The extended collection of codes CCS is defined by
CCS={Cπ:CεC,πεΠCS} (9)
This construction meets the requirements set out in the Background section. For example, let xnε, such that given the original collection C of secret extraction codes, Φx
xn,C→F(S) (10)
For the new collection CCS, define
xn,Cπ
It follows from Equations 8 and 9 that,
F(Sk)=F(S+k(mod|S|)). (12)
Formulate requirement 4 of the introduction as follows
F,F(S),kF(S+k(mod|s|)). (13)
Given a complete description of the one-way function F, the value of F(S) (with S unknown) and kε{1, 2, . . . , |S|}, an attacker should not be able to derive the value of F(S+k(mod |S|)).
The requirement of Equation 13 imposes requirements on the one-way function F. For example, F cannot be homomorphic, i.e. F(α+β)=F(α)F(β), otherwise an attacker will be able to calculate F(S) efficiently.
One-way functions that are not vulnerable to the above-mentioned attack include, for example, SHA-1, or one-way functions derived from block ciphers.
If EK is a block cipher (e.g. LOMBOK or DES) using a fixed publicly known key K, one-way function F can be constructed as
F(S)=EK(S)⊕S. (14)
Finally note that the only requirement imposed on the one-way function F is one-wayness (or pre-image resistance). One-wayness ensures that, given F(S), an attacker is not able to find a value V (which possibly equals S) such that F(V)=F(S). In addition, collision resistance is not required.
It will be appreciated that the word “comprising” does not exclude other elements or steps, that “a” or “an” does not exclude a plurality, and that a single processor or other unit may fulfill the functions of several means recited in the claims. Furthermore, the presence of reference signs in the claims shall not be construed as limiting the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
04107011.1 | Dec 2004 | EP | regional |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/IB05/54376 | 12/22/2005 | WO | 00 | 6/21/2007 |