Towards practical cancelable biometrics for finger vein recognition

Abstract

Biometrics has nowadays become a preferred solution for systems requiring secure authentication. However, the usage of biometric characteristics raises significant concerns regarding personal data protection and privacy. Several template protection schemes have been therefore proposed to conceal the employed identifiers, while still ensuring the ability to efficiently recognise users. In this paper, we propose and analyse three different approaches generating cancelable templates from finger vein features. A thorough analysis of the considered methods is conducted to investigate their impact on the achievable recognition performance, as well as their security in terms of renewability and unlinkability. Furthermore, a specific attack is designed to evaluate the irreversibility of the protection scheme providing the best recognition performance.

Introduction

The adoption of biometric recognition for security purposes is constantly increasing in various practical applications within the field of human–machine systems, including border control, logical and physical access control, ATM cash withdrawal, and many more. The main reasons for such rapid spread are the enhanced customer convenience and the improved security this technology offers with respect to traditional authentication methods, such as those based on passwords or tokens. In fact, while these latter can be forgotten or stolen, it is not possible to loose or forget a biometric characteristic. Additionally, biometric characteristics are much more difficult to be fraudulently copied or forged than standard identifiers.

Despite the aforementioned advantages, the use of biometric data in recognition systems may also involve severe security and privacy concerns. Due to their uniqueness, biometric characteristics can allow an attacker to track the activities of a subject whose characteristics have been registered in different domains [40]. Moreover, compromised biometric data cannot be used anymore, thereby further limiting the already small number of usable biometric identifiers that a subject can use [7]. Since biometric information cannot be revoked and reissued as it happens for disclosed passwords or stolen keys, proper countermeasures should be taken in order to address the aforementioned issues.

Biometric template protection (BTP) schemes have been therefore proposed to ensure the secure and private handling of biometric data during the authentication process. In general, these methods modify the original biometric template with the aim of generating an alternative representation in a protected feature space, with no information leakage about the original sample. The comparison procedure is then carried out in this secure domain, thereby protecting the data during the whole recognition process.

According to the ISO/IEC 24745 standard [17], a properly defined BTP scheme should satisfy the following properties:

• irreversibility: given a protected template, it should not be possible to reconstruct the original biometric sample;

• renewability: from a given biometric sample, it should be possible to issue multiple protected templates;

• unlinkability: given two protected templates, generated form the same biometric information and stored in different systems, it should not be feasible to determine that they belong to the same subject;

• performance: using a BTP scheme should not significantly degrade the system recognition performance. Moreover, the recognition performance should not be sensitive to the parameters specifying the employed template protection step [38].

BTP schemes are categorized into two main classes: biometric cryptosystems and cancelable biometrics approaches. The former class can be further separated into key-binding methods, whose aim is to secure a cryptographic key by means of biometric data and vice versa [14], and key-generating approaches, which derive a cryptographic key from biometric data [42]. In contrast, cancelable biometric methods apply a key-dependent transformation function to the biometric data or templates to be secured. Salting approaches are defined using invertible transformations, with system security thus relying on the secret storage of the employed key. Conversely, non-invertible transformations can be applied either to the samples or to the original templates [18]. This latter category is of great importance, since it typically allows template comparison to be performed in the protected domain while using the same techniques employed in the unprotected scenario. Actually, techniques based on non-invertible transformations have been already proposed for several characteristics, such as fingerprint [44], face [3], iris [33], palmprint [25], and online signature [27], among others.

Cancelable biometrics is the focus of the present work, where the security of templates generated applying non-invertible transforms to samples of an emerging biometric modality, that is, the vascular patterns of human fingers, is evaluated.

Finger vein biometrics is receiving an ever increasing interest from both industry and the research community because of its convenience in the acquisition procedure, its robustness to presentation attacks, and its high recognition performance [29]. The imaging of subcutaneous vein patterns is feasible thanks to the haemoglobin capability of absorbing near infra-red (NIR) light: a camera sensitive to the 800–900 nm range produces images where blood vessels appear darker than the remaining body parts when illuminated with NIR radiation.

Cancelable biometric schemes for vein patterns have been first proposed in [15], where a Fourier-like transform over a finite field has been used on finger vein images, with template comparison performed through correlation-based distance metrics. Similarly, a hashing/binary filtering approach, based on the application of an alignment robust scheme in combination with index-of-maximum hashing, has been used for finger vein template protection in [21]. In addition, methods relying on the fusion with other characteristics have been also proposed, e.g., fusing finger vein patterns with fingerprint minutiae to design a cancelable multi-biometric system [45].

In this context, we present a thorough benchmark of several cancelable biometrics techniquesapplied to finger vein patterns. In more detail, building upon the authors’ previous work in [32], we evaluate the effectiveness of three distinct approaches, namely block remapping, image warping, and Bloom filters in the feature domain. The two former methods can be applied in the image as well as in the feature domain and to any image-based biometric characteristic (i.e., not restricted to binary templates), as in the case of face [36] and iris [12]. Their use for finger veins has been also proposed in our previous work [22], by applying them to vein patterns in the image domain.

One of the main advantages of Bloom-filter-based template protection, with respect to other approaches, is its applicability to different biometric modalities represented through binary templates, including iris [37], face [9], or fingerprint [1]. Being able to apply a single method to protect different image-based templates leads to a second advantage, that is, the feasibility of implementing a multi-biometric feature level fusion [10], possibly resorting to user-friendly combinations such as face and iris, or fingerprint and finger vein. In particular, Gomez-Barrero et al. presented in [10] a general method to extract Bloom-filter templates from any binary, fixed-length template, so to use them jointly. In the experiments carried out for the different biometric characteristics in the aforementioned works, it can also be observed that, when considering templates protected using Bloom filters, there is typically only a minimal biometric recognition performance loss with respect to the usage of unprotected templates. Actually, as for the vast majority of BTP schemes, small alignment issues have to be handled during pre-processing to manage the most challenging samples, as it may happen for facial images [10]. In this regard, iris recognition represents a convenient scenario for the application of Bloom filters, since misalignments of the original samples can be handled by processing normalized iriscodes column-wise, and then discarding the information about which column originated a given bit in the protected template, without the need for computing multiple shifted versions of protected templates [37]. Finally, it should be noted that the Bloom filter extraction and comparison steps are fast, and that the generated templates are sparse, that is, the BTP method also preserves computational efficiency.

In summary, the main contributions of the present article are:

• thorough evaluation and benchmark, in terms of recognition performance, irreversibility, unlinkability, and renewability, of three distinct cancelable biometrics approaches applied to finger vein patterns;

• application of the block-remapping and image-warping BTP schemes to feature representations of vein patterns. Differently from [32], [6], we consider six different feature representations of finger vein samples in order to evaluate the most appropriate one to be used in the protected biometric recognition system;

• use of Bloom filters to protect finger vein patterns. In contrast to [10], we apply Bloom filters directly to binary vein images, instead of using vein minutiae-based templates;

• proposal of a pre-alignment method for improving the recognition performance attainable by the employed finger vein cancelable biometrics;

• exploitation of a specific attack, based on a square jigsaw puzzle solver algorithm, to quantify the irreversibility of the block remapping approach.