BioVault locks up biometrics: Using biometrics for encryption, digital signatures

Jul 31, 2009

A system that allows biometric data to be used to create a secret key for data encryption has been developed by researchers in South Africa. They describe details of the new technology in the International Journal of Electronic Security and Digital Forensics this month.

If a user, a web customer say, wishes to send a message or other data to another user, an online shop, over an unsecured network, the message must be encrypted to avoid interception of sensitive information such as passwords and credit card information.

Encryption relies on authentication being symmetric to work. In other words, the user's password or PIN must match the password or PIN stored by the online shop to lock and unlock the data. This is because encryption systems use the password or PIN to produce, or seed, a random number that is used as the cipher for encrypting the data. If the passwords do not match exactly then the seed will be incorrect, the random number different and the decryption will fail.

One way to avoid users having to remember endless, complicated passwords is to use biometrics, including fingerprints, iris pattern, . However, biometrics is not a symmetric process. The initial recording of biometric data samples only a limited amount of the information, the pigment patter in one's iris, for instance. The unlocking process then compares the iris pattern, or other biometric "token", being presented for access with the sample stored in the database. If the match is close enough, the user can gain entry.

The reason for this asymmetry is that any biometric system takes only a digital sample of data from the fingerprint or iris, for instance. Moreover, even the legitimate user will not be able to present exactly the same biometric data repeatedly. The close enough aspect of biometrics does not make biometrics insecure, provided that the closeness is very precise, but it does mean that biometric tokens cannot be used to create a secret key for an encryption algorithm.

Bobby Tait and Basie von Solms of the University of Johannesburg, Gauteng, South Africa, explain how biometrics can nevertheless be used to make a consistent secret key for encryption.

In conventional encryption, if Alice wishes to send a secret message to Bill, then she must encrypt the message, whether it is an email or credit card details transmitted from her computer to the online shop. In order for the encryption algorithm to provide cipher text that is random, a secret key must be provided. Alice and Bill must share exact copies of their secret key for this to work.

Aside from the asymmetry in biometrics, this approach will not work because Alice and Bill cannot provide the same biometric token to encrypt and decrypt the message. Now, Tait and von Solms have used the so-called BioVault infrastructure to provide a safe and secure way for Alice and Bill to share biometric tokens and so use their fingerprints, iris pattern, or other biometric to encrypt and decrypt their data without their biometrics being intercepted.

The BioVault encryption system works as follows:

In phase 1, Alice identifies herself to the authentication server, and indicates that she wants to send an encrypted message to Bill and requests Bill's biometric key from the server.

In phase 2, the server retrieves a random biometric key from Bill's stored biometric keys.

In phase 3, Alice uses the biometric key to encrypt her message and sends it to Bill.

In phase 4, Bill receives the message sent by Alice, and decrypts the message by testing the biometric keys in his database against the received cipher text.

The fact that each biometric key (data) is unique means that the BioVault system can irrevocably identify and authenticate users through their biometric keys (data) and detect fraudulent use of keys.

Tait adds that the same approach could also be used to digitally sign electronic documents, files, or software executables using biometrics. He will be presenting the team's results on this aspect of their work in the UK at the beginning of September. "If passwords or tokens are used for authentication, only the password or token is proven as authentic - not the user that supplied the token or password," he explains, "Biometrics authenticates the user directly - this was one of the drivers behind the BioVault development."

More information: "BioVault: biometrically based encryption" in Int. J. Electronic Security and Digital Forensics, 2009, 2, 269-279

Source: Inderscience Publishers (news : web)

Explore further: Forging a photo is easy, but how do you spot a fake?

add to favorites email to friend print save as pdf

Related Stories

Keeping an eye on intruders

Sep 04, 2008

Electronic fingerprinting, iris scans, and signature recognition software are all becoming commonplace biometrics for user authentication and security. However, they all suffer from one major drawback - they can be spoofed ...

Photo safeguards confidential information

Oct 22, 2008

(PhysOrg.com) -- These days you can take a photograph with almost every mobile phone. However, using this sort of photo to protect confidential data and send it safely is something new. Ileana Buhan, a PhD ...

Biometrics for secure mobile communications

Jul 20, 2006

Though security applications that verify a person's identity based on their physical attributes, such as fingerprint readers or iris scanners, have been in use for some time, biometric security has only recently ...

Fingerprint Advances Will Fight Cybercrime

Feb 24, 2006

Forgot your password? No problem. Biometrics researchers at the University at Buffalo have made important advances that bring closer the day when we can access devices and Web sites with nothing more than the ...

Knobbly kneed ID: Internal body parts and biometrics

Mar 25, 2009

Forget LED thumb-pad identification devices, complex retinal laser scanning, or even computerized iris recognition, the way forward for biometric validation is a quick X-ray snapshot of a person's knees, according to a report ...

Recommended for you

Forging a photo is easy, but how do you spot a fake?

Nov 21, 2014

Faking photographs is not a new phenomenon. The Cottingley Fairies seemed convincing to some in 1917, just as the images recently broadcast on Russian television, purporting to be satellite images showin ...

Algorithm, not live committee, performs author ranking

Nov 21, 2014

Thousands of authors' works enter the public domain each year, but only a small number of them end up being widely available. So how to choose the ones taking center-stage? And how well can a machine-learning ...

Professor proposes alternative to 'Turing Test'

Nov 19, 2014

(Phys.org) —A Georgia Tech professor is offering an alternative to the celebrated "Turing Test" to determine whether a machine or computer program exhibits human-level intelligence. The Turing Test - originally ...

Image descriptions from computers show gains

Nov 18, 2014

"Man in black shirt is playing guitar." "Man in blue wetsuit is surfing on wave." "Black and white dog jumps over bar." The picture captions were not written by humans but through software capable of accurately ...

Converting data into knowledge

Nov 17, 2014

When a movie-streaming service recommends a new film you might like, sometimes that recommendation becomes a new favorite; other times, the computer's suggestion really misses the mark. Yisong Yue, assistant ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.