Private eyes: Secure remote biometric authentication

摘要

We propose an efficient remote biometric authentication protocol that gives strong protection to the user's biometric data in case of two common kinds of security breaches: (1) loss or theft of the user's token (smart card, handheld device, etc.), giving the attacker full access to any secrets embedded within it; (2) total penetration of the server. Only if both client and server are simultaneously compromised is the user's biometric data vulnerable to exposure. The protocol works by encrypting the user's biometric template in a way that allows it to be used for authentication without being decrypted by either token or server. Further, the encrypted template never leaves the token, and only the server has the information that would enable it to be decrypted. We have implemented our protocol using two iris recognition libraries and evaluated its performance. The overall efficiency and recognition performance is essentially the same compared to an unprotected biometric system.