Abstract
Motivated by the need for precise definitions of privacy requirements, foundations for formal reasoning, and tools for justifying privacy-preserving design choices, a recent work introduces a formal model for the description of system architectures and the formal verification of their privacy properties. A subsequent work uses this framework to reason about privacy properties of biometric system architectures. In these studies, the description of an architecture specifies each component, their computations and the communications between them. This static approach makes it possible to reason about design choices at the architectural level, leaving aside the implementation details. Although it is important to express privacy properties at this level, this approach fails to catch some leakage which may result from the system runtime. In particular, in the case of biometric systems, known attacks make it possible to recover some biometric information following a black-box approach, without breaking any part of the system. In this paper, we extend the existing formal model in order to deal with such side-channel attacks and we apply the extended model to analyse biometric information leakage in several variants of a biometric system architecture.
Acknowledgements
This work has been partially funded by the French ANR-12-INSE-0013 project BIOPRIV and the European FP7-ICT-2013-1.5 project PRIPARE.
A Sketch of Proof for Completeness and Correctness
A trace is said to be a covering trace if it contains an event corresponding to each primitive specified in an architecture \(\mathcal {A}\) (except trust relations) and if, for each primitive, it contains as many events as the multiplicity \(^{(n)}\) of the primitive. As a first step to prove soundness, it is shown that for every consistent architecture \(\mathcal {A}\), there exists a consistent trace \(\theta \in T (\mathcal {A})\) that covers \(\mathcal {A}\).
Then the soundness is shown by induction on the depth of the tree \(\mathcal {A} \vdash \phi \).
- Let us assume that \(\mathcal {A} \vdash Has_i (X^{(n)})\), and that the derivation tree is of depth 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (H1), (H2) or (H3). In each case, it is shown (thanks to the existence of covering traces) that an appropriate trace can be found in the semantics of \(\mathcal {A}\), hence \(\mathcal {A} \in S (Has_i (X^{(n)}))\). The case of \(\mathcal {A} \vdash Has_i (c)\) is very similar.
- Let us assume that \(\mathcal {A} \vdash K_i (Eq)\), and that the derivation tree is of depth 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (K1), (K2), (K3), (K4) or (K5). In each case, starting from a state \(\sigma ' \in S_i (\mathcal {A})\) such that \(\mathsf {s} (\sigma ') \ge n\), it is first shown that there exists a covering trace \(\theta \ge \theta '\) that extends \(\theta '\) and that contains \(n\) corresponding events \(Compute_G (X = T^\epsilon ) \in \theta \) in \(n\) distinct sessions (for the K1 case, and other events for the other rules). Then by the properties of the deductive algorithmic knowledge, it is shown that the semantics of the property \(\mathcal {A} \in S (K_i (X = T))\) holds.
- Let us assume that \(\mathcal {A} \vdash Has_i (X^{(n)})\), and that the derivation tree is of depth strictly greater than 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (H4) or (H5).
  In the first case, by the induction hypothesis and the semantics of properties, there exists a reachable state \(\sigma \in S (\mathcal {A})\) and \(n\) indices \(i_1, \dots , i_n\) such that \(\sigma _i^v (X) [i_l]\) is fully defined for all \(l \in [1, n]\). This gives, a fortiori, \(\mathcal {A} \in S (Has_i (X^{(m)}))\) for all \(m\) such that \(1 \le m \le n\).
  In the second case, we have that \((Y, \{X_1^{(n_1)}, \dots , X_m^{(n_m)}, c_1, \dots , c_q\}) \in Dep_i\), that \(\forall l \in [1, m]: \mathcal {A} \vdash Has_i (X_l^{(n_l)})\) and \(\forall l \in [1, q]: \mathcal {A} \vdash Has_i (c_l)\). of a covering trace that contains an event \(Compute_G (Y = T)\) (where \(i \in G\)), allowing to conclude that \(\mathcal {A} \in S (Has_i (Y^{(1)}))\).
  Again, the corresponding cases for constants are very similar.
- A derivation for \(Has^{none}\) is obtained by application of (HN). The proof assumes, towards a contradiction, that \(\mathcal {A} \notin S (Has^{none}_i (X))\). It is shown, by the architecture semantics, that there exists a compatible trace that makes it possible to derive \(\mathcal {A} \vdash Has^{(1)}_i (X)\). However, since (HN) was applied, we have \(\mathcal {A} \nvdash Has^{(1)}_i (X)\), hence a contradiction.
- The last case (the conjunction \(\wedge \)) is fairly straightforward.
The completeness is proved by induction over the definition of \(\phi \).
- Let us assume that \(\mathcal {A} \in S (Has_i (X^{(n)}))\). By the architecture semantics and the semantics of traces, it is shown that the corresponding traces either contain events where \(X\) is computed, received or measured, or that some dependence relation on \(X\) exists. In the first case, we have \(\mathcal {A} \vdash Has_i (X^{(n)})\) by applying (respectively) (H1), (H2), or (H3) (after a possible application of (H4)). In the last case, the proof shows how to exhibit a derivation tree to obtain \(\mathcal {A} \vdash Has_i (X^{(n)})\) (the (H5) rule is used).
- Let us assume that \(\mathcal {A} \in S (Has^{none}_i (X))\). By the semantics of properties, this means that in all reachable states, \(X\) does not receive any value. The proof shows that \(\mathcal {A} \nvdash Has_i (X^{(1)})\), otherwise \(\mathcal {A} \in S (Has^{none}_i (X))\) would be contradicted. So as a conclusion, \(\mathcal {A} \vdash Has^{none}_i (X)\) by applying (HN).
- The constant cases \(\mathcal {A} \in S (Has_i (c))\) and \(\mathcal {A} \in S (Has^{none}_i (c))\) are similar to the variable cases.
- Let us assume that \(\mathcal {A} \in S (K_i (Eq))\). By the semantics of properties, this means that for all reachable states, there exists a later state in the same session where the knowledge state makes it possible to derive \(Eq\). By the semantics of architecture, we can exhibit a compatible trace that reaches a state where \(Eq\) can be derived. By the semantics of compatible traces, the proof shows, by reasoning on the events on the traces, that \(\mathcal {A} \vdash K_i (Eq)\) by applying either (K1), (K2), (K3), (K4) or (K5).
- Finally the conjunctive case is straightforward.
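The following is an added example, not code from the paper: a fixed-point computation of the \(Has_i\) facts using (H4), (H5) and (HN) in the shape the sketch above gives them, showing how a multiplicity in \(Dep_i\) turns repeated sessions into leakage. The facts produced by (H1)-(H3) are taken as given, and the names `dec`, `rd`, `br`, `key` and `c` are hypothetical sample data.

```python
# Added illustration; rule shapes follow the proof sketch only:
# (H4) weakens a multiplicity, (H5) applies Dep_i, (HN) is non-derivability.

def derive_has(base, dep):
    """Return {name: largest n such that Has_i(name^(n)) is derivable}.

    base: facts assumed already obtained by (H1)-(H3), as {name: n};
          constants are entered with multiplicity 1.
    dep:  Dep_i as a list of (Y, {X_l: n_l}) pairs; by (H5), holding each
          X_l with multiplicity n_l yields Has_i(Y^(1)).
    """
    facts = dict(base)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for target, needs in dep:
            # (H4): Has_i(X^(n)) gives Has_i(X^(m)) for 1 <= m <= n, so a
            # premise X^(n_l) is met when the held multiplicity is >= n_l.
            premises_ok = all(facts.get(x, 0) >= n for x, n in needs.items())
            if premises_ok and facts.get(target, 0) < 1:
                facts[target] = 1       # (H5) concludes multiplicity 1
                changed = True
    return facts

def has(facts, name, n=1):
    """Has_i(name^(n)) is derivable."""
    return facts.get(name, 0) >= n

def has_none(facts, name):
    """(HN): holds exactly when Has_i(name^(1)) is not derivable."""
    return not has(facts, name, 1)

# Constructed Dep_i: four (sample, decision) pairs reveal the stored
# reference br; br together with constant c yields key.
SAMPLE_DEP = [("br", {"dec": 4, "rd": 4}), ("key", {"br": 1, "c": 1})]

def two_sessions():
    return derive_has({"dec": 2, "rd": 2, "c": 1}, SAMPLE_DEP)

def four_sessions():
    return derive_has({"dec": 4, "rd": 5, "c": 1}, SAMPLE_DEP)

if __name__ == "__main__":
    print(has_none(two_sessions(), "br"), has(four_sessions(), "br"))
```

With two sessions the component satisfies \(Has^{none}_i (br)\); with four it does not, which is the kind of bound on multiplicity an architecture has to enforce to keep the property.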
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Bringer, J., Chabanne, H., Le Métayer, D., Lescuyer, R. (2015). Reasoning about Privacy Properties of Biometric Systems Architectures in the Presence of Information Leakage. In: Lopez, J., Mitchell, C. (eds) Information Security. ISC 2015. Lecture Notes in Computer Science(), vol 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_27
DOI: https://doi.org/10.1007/978-3-319-23318-5_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23317-8
Online ISBN: 978-3-319-23318-5
eBook Packages: Computer Science, Computer Science (R0)