Biometric Cryptography

Biometrics, the science of recognizing an individual based on his or her physical or behavioral traits, is beginning to gain acceptance as a legitimate method for determining an individual's identity [1]. Combining biometrics with cryptographic keys makes it possible to build strong biometric cryptosystems. The defining feature of a biometric cryptosystem is that the cryptographic key is not revealed until a successful biometric authentication takes place; the key is bound to the user's biometric template stored in the database. However, variations in physiological and behavioral characteristics pose significant challenges in generating such keys. In this paper we discuss how biometric keys are generated and how the authentication algorithm works. We also compare traditional cryptosystems with biometric cryptosystems with respect to how authentication takes place in each. We discuss the issues faced by traditional cryptosystems, such as loss of secret keys, hard-to-remember long keys, and their lack of non-repudiation (any impostor who obtains a compromised key gains access to the system). Finally, we discuss some of the limitations of biometric systems.


Biometrics, the science of recognizing an individual based on his or her physical or behavioral traits, is beginning to gain acceptance as a legitimate method for determining an individual's identity. Biometric systems offer several advantages because they are more reliable than traditional methods such as password-based authentication. They are reliable in the sense that biometric traits are difficult to lose or forget and hard to copy, share or distribute. They also require the person being authenticated to be present at the time and point of authentication. Thus, according to the authors, biometrics-based authentication is a robust alternative to traditional authentication schemes. Combined with cryptographic methods, biometric systems can serve either as the entire authentication system or to protect the cryptographic keys that protect the content. [1]

Biometric systems are based on different kinds of human characteristics. Some of them are listed below with a short description of each:

1. Face: Face recognition is based on facial characteristics such as the eyes, nose, eyebrows, lips and chin. Authentication can be very sensitive to variations in the environment (camera position, lighting, etc.) relative to the conditions at the enrollment phase. [2]

2. Fingerprint: Fingerprint scanning is based on the pattern of ridges and valleys on the surface of a fingertip. The templates are matched based on these patterns. [1]

3. Hand Geometry: Hand geometry is based on characteristics such as shape, size of palm, and length and width of the fingers. [4]

4. Iris: The iris is the annular region of the eye bounded by the pupil and the sclera on either side. [1]

5. Keystroke: Keystroke recognition is based on how an individual types on a keyboard. It has been used to achieve more robust password entry by detecting that the password was typed by the same user who enrolled it, comparing the speed at which the password was typed [2].

6. Signature: Signature recognition is based on how an individual signs his or her name. These are behavioral characteristics which can change over time and can be affected by the physical and emotional condition of the signatory. [5]

7. Voice: Voice recognition relies on both physical and behavioral characteristics. It is based on the shape and size of appendages such as the vocal tract, mouth, nasal cavities and lips that are used in decoding the sound. The behavioral characteristics change over time due to age, medical conditions, emotional state, etc. [6]

8. DNA Fingerprint: DNA fingerprint recognition is based on comparing the short segments of DNA of an individual with the stored DNA sample. [2]

9. Deep Tissue Illumination: Deep tissue illumination recognition is based on illumination of human tissue by specific lighting conditions and the detection of deep tissue patterns based on light reflection. [2]

Operation of a Biometric System [1]:

A biometric system recognizes a user either in verification mode or in identification mode. Counting the initial enrollment, it therefore has three modes: enrollment mode, verification mode and identification mode.

Enrollment mode: In this mode, the user is enrolled in the system for the first time. The system measures the biometric feature and saves it in the template database. The next time the user tries to authenticate, the acquired image is compared with the template stored in the database during the enrollment phase.

Verification Mode: In this mode, the individual claims an identity for the purpose of recognition. To determine whether the claim is true, the system conducts a one-to-one comparison. The purpose is to prevent multiple people from using the same identity, which is typically called "positive recognition". [3]

Identification Mode: In this mode, the system tries to identify the individual through a one-to-many comparison, searching the templates of all users present in the database. It tries to recognize the individual without the subject having to claim an identity. The main advantage of this mode is that it can be used for "negative recognition", where the system establishes the identity of an individual who denies being who he or she is. [3] In other words, a conniving individual tries to repudiate the system.

A biometric system consists of the following four main components (see Fig. 1) [3]:

1. Sensor module: This module captures the biometric data of an individual, e.g. a face image.

2. Feature extraction module: This module extracts the required features from the data captured by the sensor module, e.g. the size of the eyes and nose, the position of the lips, etc.

3. Matcher module: In this module, the extracted features are compared with the features stored in the database as templates. It also contains the decision-making module, which identifies or verifies the user's identity based on the matching score.

4. System database module: In this module, the biometric templates of the enrolled users are stored in the database. During the enrollment phase, a quality check is performed so that the acquired image is highly reliable. The required features are extracted from the acquired image and stored as a template in the database.

Biometric Encryption [7]:

The biometric encryption algorithm proposed by Soutar et al. links the key with the biometric trait. They developed this algorithm for a correlation-based fingerprint matching system. The key is linked during the enrollment phase and is released only during the verification process, when a successful biometric authentication takes place. A correlation filter function H(u) is generated from many (training) fingerprint images taken during the enrollment phase. Two factors were considered in the design of this function: first, it should produce the same output pattern for a legitimate user in order to reduce the false match rate (FMR); second, it should be tolerant of distortions present in the images in order to reduce the false non-match rate (FNMR). H(u) has both magnitude and phase components, represented as |H(u)| and . The output pattern is obtained by correlating the training fingerprint images with H(u). The output pattern is used both for linking the key and for retrieving the key during verification. The filter function H(u) is further stored as the Bioscrypt (a term coined by the authors) in order to achieve maximum security. H(u) is stored as , which is the product of and a random phase-only function (a randomly generated phase-only array of the same size as H(u)).

Implementation of the Biometric Encryption Algorithm:

I. Enrollment:

In the enrollment process, the following stages are carried out in order to enroll a particular user:

Stage E-1:

In this stage, the output pattern and the filter function are generated using the Fourier transform. is a 128x128 phase-only array which is stored as the Bioscrypt, and is a complex-valued array which is used further in stage E-2.

Stage E-2:

In this stage, the output pattern is linked with an N-bit key, . The linking algorithm applies a binarization process to a small portion of and selects L values to represent each key bit. An enrollment template of 128x64 is formed so that it can be linked with the key . This linking of the key with the binarized correlation output is then stored as a lookup table. In addition, error correcting codes are used while linking the key to the output, because the biometric signal may vary at the time of authentication.

Stage E-3:

In this stage, in order to produce an invalid key when an attacker tries to use the system with someone else's Bioscrypt, an encryption algorithm is used with the key as the encryption key. S bits of are encrypted using the encryption algorithm and then hashed using hashing algorithms such as SHA1/Triple DES to produce an identification code .

In the end, , the lookup table and are stored as the biometric template, called the Bioscrypt, for that user.

II. Verification:

In the verification process, the following stages are carried out in order to verify a particular user:

Stage V-1:

In this stage, the value is combined with the fingerprint images taken during the authentication process to create the output pattern . This is passed to stage V-2 for further processing.

Stage V-2:

In this stage, created in stage V-1 is used to extract the N-bit cryptographic key . A binarization process is used to extract this key. First, a small portion of is extracted and binarized to create a verification template. The lookup table generated in E-2 is then used to extract the required bits. If the generated matches , the key is released to the system; otherwise a different portion of is extracted and the process is repeated until all bits of have been used. If a match is found the key is released; otherwise a verification/authentication failed message is displayed.

Stage V-3:

In this stage, key validation is done by creating an identification code . is created using an encryption algorithm in which the key is used as the encryption key. The encrypted data is then hashed using a hashing algorithm such as SHA1/Triple DES to create the identification code . This is the same process used in the enrollment phase to create . It is then compared with . If is not equal to , then is not equal to and a verification/authentication failed message is displayed; otherwise the valid key is retrieved. This is repeated until every portion of has been checked in the key matching process.
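The following is an added toy simulation of stages E-2, E-3, V-2 and V-3 as described above; it is not Soutar et al.'s code, and several details are assumptions of this example: the binarized output pattern is a constructed 1024-bit array rather than the paper's 128x64 template, the key is 32 bits, each key bit is linked to L template positions whose binarized value equals that bit and is read back by majority vote (a simple stand-in for the error correcting codes the text mentions), and the identification code is SHA-256 over an HMAC computed with the key over the stored lookup table (standing in for the encrypt-then-hash step, so that it depends only on data that is identical at enrollment and verification). The point it shows is what the text claims: neither the key nor the template is stored, a noisy genuine sample still releases the correct key, and an unrelated template yields a key that the identification code rejects.

```python
"""Toy simulation of Soutar-style biometric key binding (constructed example, not the paper's code)."""
import hashlib
import hmac
import random

TEMPLATE_BITS = 1024   # stand-in for the binarized correlation output c0 (paper: 128x64 template)
KEY_BITS = 32          # N-bit key k0 (toy size, assumption)
L = 5                  # odd number of template positions linked to each key bit (majority vote)


def bits_to_bytes(bits):
    """Pack a list of 0/1 ints into big-endian bytes."""
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def link_key(template, key, rng):
    """Stage E-2: build the lookup table. For each key bit pick L distinct template
    positions whose binarized value equals that bit, so the key itself is never stored."""
    by_value = {0: [i for i, b in enumerate(template) if b == 0],
                1: [i for i, b in enumerate(template) if b == 1]}
    for positions in by_value.values():
        rng.shuffle(positions)
    return [[by_value[kb].pop() for _ in range(L)] for kb in key]


def extract_key(template, table):
    """Stage V-2: read each key bit back by majority vote over its L positions,
    which tolerates up to (L-1)//2 flipped bits per group."""
    return [1 if sum(template[p] for p in group) > L // 2 else 0 for group in table]


def identification_code(key, table):
    """Stages E-3/V-3: key-validation code. The text encrypts S bits of c0 under k0 and
    hashes the result; this toy instead uses HMAC keyed with the key over the stored
    lookup table (assumption) and SHA-256 as the hash."""
    serialized = ",".join(str(p) for group in table for p in group).encode()
    tag = hmac.new(bits_to_bytes(key), serialized, hashlib.sha256).digest()
    return hashlib.sha256(tag).hexdigest()


def enroll(template, key, rng):
    """Return the Bioscrypt: lookup table plus id0. Neither the template nor k0 is stored."""
    table = link_key(template, key, rng)
    return {"table": table, "id0": identification_code(key, table)}


def verify(template, bioscrypt):
    """Recover k1 from a fresh template and release it only if id1 equals id0."""
    k1 = extract_key(template, bioscrypt["table"])
    if identification_code(k1, bioscrypt["table"]) != bioscrypt["id0"]:
        return None
    return k1


def _random_bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]


def _enrolled_user():
    """Constructed enrollment: seeded random template and key."""
    rng = random.Random(7)
    template = _random_bits(TEMPLATE_BITS, rng)
    key = _random_bits(KEY_BITS, rng)
    return template, key, enroll(template, key, rng)


def demo_genuine_noisy():
    """Genuine user whose fresh sample differs from enrollment: one flipped bit inside
    every majority group plus scattered flips outside the linked positions (constructed noise)."""
    template, key, bioscrypt = _enrolled_user()
    noisy = template[:]
    linked = set()
    for group in bioscrypt["table"]:
        noisy[group[0]] ^= 1
        linked.update(group)
    for p in range(0, TEMPLATE_BITS, 9):
        if p not in linked:
            noisy[p] ^= 1
    return verify(noisy, bioscrypt) == key


def demo_impostor():
    """An unrelated template read through the same Bioscrypt yields a wrong k1, caught by id0."""
    _, _, bioscrypt = _enrolled_user()
    impostor = _random_bits(TEMPLATE_BITS, random.Random(99))
    return verify(impostor, bioscrypt) is None


if __name__ == "__main__":
    print("genuine (noisy) sample released the correct key:", demo_genuine_noisy())
    print("impostor template rejected:", demo_impostor())
```

Running the module prints both checks; the majority vote is what turns a slightly different sample into the identical key, and the identification code is what prevents a wrong key from being released silently.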

The main drawback of the above approach is that the authors did not explain how much entropy is consumed at each stage of the algorithm. The FMR and FNMR results are not reported either. They assumed that the captured biometric signals are ideal, i.e. there is no discrepancy in the captured data [13]. This was one approach using the fingerprint as the biometric trait. Several other approaches have been proposed that use different biometric traits to secure the keys; Davida et al. proposed an algorithm based on the iris [14].

Pros of Biometric Systems:

1. Biometric characteristics are permanent and non-transferable [8], i.e. users cannot pass those characteristics on to others the way they can share a password.

2. Biometric objects cannot be stolen [8], unlike traditional objects such as passwords, which can be stolen if the user keeps them in an insecure place.

3. Biometric features cannot be lost or forgotten [8], unlike traditional credentials such as passwords.

4. In addition, the overall cost of lost, reissued or temporary access cards is also reduced [8].

Traditional Authentication Method:

In the traditional method, authentication takes place with the help of a key (generally a password). Some traditional methods use long random keys to authenticate the user, e.g. the Advanced Encryption Standard (AES) [9].

Limitations of traditional cryptosystems:

1. The keys used in traditional cryptosystems are very long and random, which makes them very difficult to memorize [1].

2. People tend to choose passwords that are easy to remember. As a result they are vulnerable to attacks such as dictionary attacks, social engineering attacks, etc. [9]

3. If the user does choose complex passwords, they store them in an easily accessible location, since complex passwords are difficult to remember [1]. This could be anything, such as writing the password on a piece of paper and keeping it under the computer desk.

4. Traditional cryptosystems such as password-based authentication fail to provide non-repudiation. If a user shares the password with somebody, there is no way to know who actually used the system [1].

5. Another drawback is that people tend to use the same password across all the applications they use; as a result, if one password is broken, the attacker gains access to every application in which that password is used. [1]

6. Keyspace and entropy also make a password-based authentication system more vulnerable to attacks: the smaller the keyspace, the lower the entropy, and hence the more vulnerable the system. For example, in a 4-digit PIN-based authentication system where users choose their own digits, they tend to select easy-to-remember numbers, which makes the PIN easier for an attacker to guess. If the PIN is randomly generated, however, it is much harder for the attacker to guess. [10]

7. Administrative costs are higher due to resetting and reissuing passwords, etc. [10]
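Point 6 above can be quantified. The following added example (not from the original essay or its references) compares the keyspace entropy of a random 4-digit PIN with the Shannon entropy and guess-resistance of a user-chosen PIN distribution. The skewed distribution is constructed for illustration, not measured: ten PINs (here simply 0000 to 0009) carry half the probability mass and the remaining 9990 share the other half.

```python
"""Keyspace, Shannon entropy and guess-resistance of 4-digit PINs (constructed example)."""
import math

PIN_SPACE = 10 ** 4   # every 4-digit PIN
POPULAR = [f"{i:04d}" for i in range(10)]   # constructed "easy to remember" set, not real data


def keyspace_bits(size):
    """Entropy in bits of a uniformly random choice from a keyspace of the given size."""
    return math.log2(size)


def shannon_entropy(dist):
    """Shannon entropy in bits of a distribution given as {pin: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def expected_guesses(dist):
    """Average number of attempts for an attacker who tries PINs in order of
    decreasing probability (the guesswork of the distribution)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(probs, start=1))


def success_within(dist, n):
    """Probability that the n most likely PINs contain the user's PIN,
    i.e. what an n-attempt lockout policy still leaves exposed."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:n])


def uniform_pins():
    """Randomly generated PINs: every value equally likely."""
    return {f"{i:04d}": 1 / PIN_SPACE for i in range(PIN_SPACE)}


def user_chosen_pins():
    """Constructed skew: the POPULAR set carries probability 0.5 in total,
    the other 9990 PINs share the remaining 0.5 uniformly."""
    dist = {f"{i:04d}": 0.5 / (PIN_SPACE - len(POPULAR)) for i in range(PIN_SPACE)}
    for pin in POPULAR:
        dist[pin] = 0.5 / len(POPULAR)
    return dist


def compare(lockout_attempts=10):
    """Summarize both distributions side by side."""
    rows = {}
    for name, dist in (("random", uniform_pins()), ("user-chosen", user_chosen_pins())):
        rows[name] = {
            "entropy_bits": round(shannon_entropy(dist), 2),
            "expected_guesses": round(expected_guesses(dist), 1),
            f"p_success_in_{lockout_attempts}": round(success_within(dist, lockout_attempts), 4),
        }
    return rows


if __name__ == "__main__":
    print("keyspace:", PIN_SPACE, "PINs =", round(keyspace_bits(PIN_SPACE), 2), "bits")
    for name, row in compare().items():
        print(name, row)
```

The keyspace is the same 10,000 values in both cases, yet the skewed choice drops the entropy from about 13.3 to about 9.3 bits, halves the expected number of guesses and gives an attacker limited to ten attempts a 50% success rate instead of 0.1%. That gap is the argument for generating PINs randomly rather than letting users pick them.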

Although biometric cryptosystems are better than traditional cryptosystems, they too have some limitations.

Limitations of Biometric Systems:

1. Noise in sensed data: The data collected at the biometric stations while authenticating the user may contain some distortion or noise. This creates problems in the matching process, resulting in rejection of a legitimate user. For example, a fingerprint image with cuts or scratches is noisy data, and a person with a cold can produce a distorted voice signal in a voice recognition system. [3]

2. Intra-class variations: The biometric signals captured during the authentication phase can vary to a large extent, affecting the overall matching process. This can happen if the user's physiological or behavioral characteristics change. For example, facial makeup can produce different face images of the same individual. [3]

3. Distinctiveness: Although physiological or behavioral characteristics vary a lot among individuals, there may be large similarities in the features in one way or another. Hence discriminating between traits is subject to certain constraints. [3]

4. Nonuniversality: When a biometric system is installed, it is assumed that all users of the system will possess the biometric trait. In reality this is not the case: some may not possess that trait, so the system is unable to enroll those users. [3]

5. Attacks on Biometric Systems:

a. Zero-effort attacks: An attacker might have the same features as a legitimate user [1]. For example, an attacker might undergo plastic surgery to look like a legitimate user, or might mimic the voice of a legitimate user.

b. Adversary attacks: An attacker can covertly obtain images of a legitimate user, say face images. These images are then converted into digital format, and the data is used by the attacker to authenticate himself on the system [1].

c. Circumvention: In this attack, an attacker circumvents the biometric system and obtains the information stored in the application. As a result, the attacker can change the data present in the system or insert false data so as to gain what appears to be legitimate access. [11]

d. Repudiation: A conniving legitimate user can access the system and then deny having done so, claiming that some attacker attacked the system [11].

e. Collusion: In this case, a legitimate user with super-user access to the system can modify the biometric data present in the system [11].


Biometric cryptography will certainly help meet stricter security requirements than traditional authentication systems. Although biometrics has certain limitations, such as FMR and FNMR, it can provide a better solution as far as security is concerned. Features such as permanency and the fact that traits cannot easily be forgotten or lost add to the overall security of the system. Although many approaches to binding keys to biometrics have been proposed, there are still many challenges and issues in implementing robust, more secure biometric cryptosystems. Issues such as non-repudiation and the complexity and entropy of the system need to be addressed in order to build better biometric cryptosystems. In future, multi-modal biometrics, in which more than one biometric trait is used to authenticate the user, can be an effective model for implementing security systems [12]. It can overcome the limitations of single-trait biometric systems to some extent.