Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Published byPhilip Bellanger Modified over 9 years ago

Similar presentations

Presentation on theme: "Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES."— Presentation transcript:

1 Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES

2 u Fingerprint scanning u Iris scanning u Voice recognition Many types of biometric authentication... u Many others... u Face recognition u Body odor Authenticating...

3 A Comparison Among Biometric Architectures

4 Registration Template Alice

5 Template is stored

6 Authentication

7  ? It’s Alice!

8 The big questions u Where is the match performed? –Determines architecture u How is the template protected? –Critical because….

9 Limited password changes First password Second password

10 Templates represent intrinsic information about you Alice Theft of a template is theft of identity

11 An Important Note u Biometrics no more secure than PINs! –Static values –False acceptance rates imply, e.g., 1/100,000 security (i.e., perhaps 17 bits) u Thus, it is at present unwise to protect cryptographic systems with biometrics alone u Biometrics are a good second factor, i.e., PIN replacement

12 The Three Architectures: Server-side, Client-side, and On-device

13 Server-side matching Server Client

14 Server-side matching Server Client  “access granted”

15 Server-side matching: Drawbacks u Risk of template compromise en bloc –Hundreds of thousands of fingerprints make an excellent hacker target –Privacy, liability concerns considerable u Architecturally complex u Matching is CPU-intensive for server

16 Client-side matching Server  “It’s Alice!” “Hi, Alice!”

17 Client-side matching u Most convenient and simple to build u Fine for, e.g., locking desktop with screen saver u Not secure for remote authentication... client can be made to lie!

18 Client-side matching Server “It’s Alice!” “Hi, Alice!”

19 On-device matching SecurID

20 On-device matching  SecurID

21 On-device matching u On-device security provides full privacy and integrity u With smartcard, biometric unlocks card, thus no need for modification of client or server software But...

22 On-device matching u But Alice must always have her smart card with her -- portability lost u At present, true on-device match available only with expensive (i.e., $200) units u Most “on-card” matching systems process data on PC, reducing security

23 “Fuzzy Vault”: A New Architecture

24 “password” UNIX protection of passwords “password” h(“password”) “password”

25 Template protection? h( )

26 Fingerprint is variable u Differing angles of presentation u Differing amounts of pressure u Chapped skin  Don’t have exact key! So hashing won’t work...

27 We want “fuzzy” vault u Differing angles of presentation u Differing amounts of pressure u Chapped skin

28 We want “fuzzy” vault 

29 How do we do it? u Fuzzy vault is just a piece of encrypted data u Uses error-correcting codes –Technology used to eliminate “noise” in telecommunications, CD players, etc. u We make counterintuitive use of error- correcting codes –Jettison the message space!

30 What do we get? Fingerprint (features) not stored in clear

31 Fuzzy vault Vault can be stored in directory and unlocked on client Client Directory

32 Fuzzy vault: Caveats Basic fuzzy vault: u Does not achieve security of on-card matching u Not secure against Trojan horses u Still provides adequate security as second factor, e.g., PIN replacement

33 Fuzzy vault pros u Provable security characterization –Similar (dubious) schemes lack proofs u No need for biometric server u No need for smart card –Fuzzy vault can be placed on smart or dumb card for added flexibility, though u Can build secure readers without crypto u All the benefits of secure, client-side match!

34 When can I buy a fuzzy vault? u Fuzzy vault is a research concept u Validated in early prototype u Needs development on biometrics side u RSA Labs is looking for research partner

35 To learn more... u Fuzzy vault I -- Suitable for iris? –“A Fuzzy Commitment Scheme”, ACM CCS ‘99 –Joint work with Martin Wattenberg, IBM u Fuzzy vault II -- Suitable for fingerprints? –“A Fuzzy Vault Scheme”, ISIT ‘01 –Joint work with Madhu Sudan, MIT u Patents pending u Papers at www.ari-juels.com u Ari Juels at ajuels@rsasecurity.com

Download ppt "Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES."

Similar presentations

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.
Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.

Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.
Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.

Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.
Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.

Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.

POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.
 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.

 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.

Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.
Securing Fingerprint Template - Fuzzy Vault with Helper Data

Securing Fingerprint Template - Fuzzy Vault with Helper Data
Fuzzy Stuff 6.857 Lecture 24, 2006. Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.

Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.

3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.
Biometric Cryptosystems Presenters: Yeh Po-Yin Yang Yi-Lun.

Biometric Cryptosystems Presenters: Yeh Po-Yin Yang Yi-Lun.
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Biometrics Technology Jie Meng. What is Biometrics ? Biometrics is the science and technology of measuring and analyzing biological data. In information.

Biometrics Technology Jie Meng. What is Biometrics ? Biometrics is the science and technology of measuring and analyzing biological data. In information.
Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.

Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Similar presentations

Ads by Google