Abstract -
Since the introduction of new cryptographic construct named
fuzzy vault back in 2002, there has been several successful implementations and
evaluations of it. Implementation presented in this report builds upon strengths
and weaknesses of past solutions and adds an important improvement to the im-
plementation - automatic alignment of template and query ngerprint minutiae.
To facilitate this alignment, authors have used high curvature points, derived
from ngerprint orientation eld, as helper data. This data doesn't leak any
information about template minutiae, as high curvature points are global fea-
tures of a ngerprint. Authors have also evaluated the performance of proposed
fuzzy vault. They showed considerable improvements in comparison to other ap-
proaches. On the other hand, discussion about security of this implementation
of ngerprint fuzzy vault is questionable, since it is known fact today that fuzzy
vault is vulnerable to brute force attack.
1 Introduction
Traditional cryptography, which is nowadays widely used to provide secrecy and
authenticity of information, uses one or more keys to convert a plain text to a
cipher text [1]. In other words, encryption key transforms a plain text to, more
or less, sequence of random bits that can be transformed back to a plain text
only using appropriate decryption key. Algorithms using this scheme, such as
AES and RSA, have proven to be highly secure. Security rests upon the assump-
tion that the cryptographic keys are known only to legitimate users [2]. This is
the source of the main challenge of the traditional cryptography - maintaining
the secrecy of the keys. As algorithms mentioned above need long keys (e.g. 128
bits for AES), remembering the key is not an option. One of the solutions for
this problem is to impose password authentication to control the access to the
keys. In this case legitimate user doesn't have to remember the actual key, but
the password which he can use to access the key. On the other hand, password
introduce a new problem. If a password is too short it will be easily remembered,
but also easily broken. Long passwords are, on the other hand, hard to brake,
but also hard to remember and expensive to maintain [3]. Further, passwords
are easily lost, stolen or even guessed using aspects of social engineering [2]. All
2 Marko Pascan(299450)
this creates a space for an alternative, stronger authentication schemes. In bio-
metric authentication identity is established based on anatomical and behavioral
traits like face, ngerprint, speech, eye iris, hand, etc. This kind of authentica-
tion is more reliable then password-based authentication in the sense that traits
cannot be lost or forgotten [2]. Forging traits is possible, but dicult and un-
reliable. Fuzzy vault is combination of biometrics and traditional cryptography,
combining ideas and principles from both approaches. These hybrid systems
are called biometric cryptosystems. Fuzzy vaults operate in key-binding mode,
which means that the key and the template are monolithically bound withing
the framework and authentication and key release are done in a single step [2].
Organization The rest of this report is organized as follows. Next section gives
some background and denitions that will be used in the rest of this report.
Section 3 gives an introduction to fuzzy vault in general and ngerprint-based
fuzzy vault as a specialization of general fuzzy vault. Section 4 gives an overview
on implementation proposed in [2]. Next section introduces helper data used
in [2] and ngerprint alignment that uses this helper data. Brief overview of
experimental results is given in Section 6. Vulnerability of fuzzy vault is brie
y discussed in section 7. Concluding remarks are given in the last section.
2 Background and Denitions
This section gives a brief overview on several topics of importance for fuzzy
vaults, both from aspects of biometry and cryptography (mathematics).
Fingerprint Fingerprints are believed to be unique and immutable for each
individual. In other words it is highly unlikely that two dierent individuals will
have the same ngerprints. This lead to a wide usage of ngerprints for identi-
fying individuals. Fingerprints are taken from people on various occasions, most
commonly when issuing personal identity card, passport or a visa.
Fingerprints are made of series of ridges and furrows on the surface of the nger.
Uniqueness can be determined by the pattern of ridges and furrows, as well as
the minutiae points [4]. Minutiae points represent local ridge characteristics that
occur at either a ridge bifurcation or a ridge ending. Figure 1 shows ngerprint
with minutiae points marked with white squares. Tails on these squares represent
the orientation of minutiae points. Figure 2 shows matching between two nger-
prints and their intra-class variability which occurs because two ngerprints are
not aligned.
Mathematical Background In implementation of fuzzy vault few mathemat-
ical concepts are extensively used. These concepts are brie
y introduced here.
Firstly, all arithmetics are done in a nite eld. As its name suggests, nite eld
is a mathematical eld that consist of nite number of elements.

Download full report
http://cosec.bit.uni-bonn.de/fileadmin/u...report.pdf