Open Access Article
Entropy 2017, 19(2), 70; doi:10.3390/e19020070

User-Centric Key Entropy: Study of Biometric Key Derivation Subject to Spoofing Attacks

Department of Computer Science, City University of Hong Kong, Tat Chee Avenue, Kowloon, Hong Kong, China
Academic Editor: James J. Park
Received: 30 November 2016 / Revised: 22 January 2017 / Accepted: 9 February 2017 / Published: 21 February 2017

Abstract

Biometric data can be used as input for PKI key pair generation. The concept of not saving the private key is very appealing, but the implementation of such a system shouldn't be rushed, because it might prove less secure than current PKI infrastructure. A single biometric characteristic can be easily spoofed, so it was believed that multi-modal biometrics would offer more security, because spoofing two or more biometrics would be very hard. This notion of increased security in multi-modal biometric systems was disproved for authentication and matching: studies showed that multi-modal biometric systems are not only no more secure, but also introduce additional vulnerabilities. This paper is a study of the implications of spoofing biometric data for retrieving the derived key. We demonstrate that spoofed biometrics can yield the same key, which in turn allows an attacker to obtain the private key. A practical implementation is proposed using fingerprint and iris as biometrics and the fuzzy extractor for biometric key extraction. Our experiments show what happens when the biometric data is spoofed, for both uni-modal and multi-modal systems. For the multi-modal system, tests were performed with one biometric spoofed and with both spoofed. We provide a detailed analysis of every scenario with regard to successful tests and overall key entropy. Our paper defines a biometric PKI scenario and an in-depth security analysis for it. The analysis can be viewed as a blueprint for implementations of future similar systems, because it highlights the main security vulnerabilities for bioPKI. The analysis is not constrained to the biometric part of the system, but covers CA security, sensor security, communication interception, RSA encryption vulnerabilities regarding key entropy, and much more.
Keywords: multi-modal key derivation; biometric PKI; biometric entropy; Wireless Sensor Security; user-centric security
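
The abstract's point that a spoofed biometric can reproduce the derived key follows from the error tolerance a fuzzy extractor must grant genuine readings. The sketch below is an added example, not the paper's implementation: it assumes a code-offset construction with a 5x repetition code, uses a single (uni-modal) template, and the bit strings and all function names are constructed for illustration.

```python
import hashlib
import secrets

REP = 5  # repetition code: each secret bit is stored 5 times, so 2 errors per block are corrected

def encode(secret_bits):
    return [b for b in secret_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote inside each block of REP bits.
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def derive(secret_bits):
    # Stand-in for the step that would seed key pair generation.
    return hashlib.sha256(bytes(secret_bits)).hexdigest()

def gen(template):
    """Enrollment: pick a random secret, publish helper = template XOR codeword."""
    secret = [secrets.randbelow(2) for _ in range(len(template) // REP)]
    helper = [t ^ c for t, c in zip(template, encode(secret))]
    return derive(secret), helper

def rep(reading, helper):
    """Reproduction: any reading within the error tolerance decodes to the same secret."""
    return derive(decode([r ^ h for r, h in zip(reading, helper)]))

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def max_key_entropy_bits(template_len):
    # The key carries no more entropy than the secret chosen at enrollment.
    return template_len // REP

# Constructed 40-bit "template"; real templates are far longer and noisier.
ENROLLED = [int(c) for c in "1011001110001011110100100110101100011101"]
GENUINE = flip(ENROLLED, {3, 17})            # sensor noise on a later reading
SPOOF = flip(ENROLLED, {0, 4, 12, 26, 38})   # imperfect replica, at most 2 errors per block
UNRELATED = [b ^ 1 for b in ENROLLED]        # a reading far from the enrolled template

if __name__ == "__main__":
    key, helper = gen(ENROLLED)
    for name, reading in [("genuine", GENUINE), ("spoof", SPOOF), ("unrelated", UNRELATED)]:
        print(name, "reproduces key:", rep(reading, helper) == key)
    print("upper bound on key entropy:", max_key_entropy_bits(len(ENROLLED)), "bits")
```

The extractor cannot tell sensor noise from a replica's imperfections, so liveness and sensor integrity checks have to sit in front of it; widening the tolerance to reduce false rejects also lowers the ceiling on key entropy.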
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).

MDPI and ACS Style

Dinca, L.M.; Hancke, G. User-Centric Key Entropy: Study of Biometric Key Derivation Subject to Spoofing Attacks. Entropy 2017, 19, 70.
