Security and Privacy in Biometrics-Based Systems
Abstract
Advances in deep learning (DL) based biometric identification and the proliferation of affordable sensors have made biometrics pivotal in authentication and surveillance systems. For instance, major companies (e.g., MasterCard, AliPay) have already adopted facial/voice-based authentication as part of their security measures. Furthermore, governments and the private sector use biometric recognition for broader purposes, such as identifying and apprehending "persons of interest", targeted advertising, or border protection. While these technologies could have an enormous impact, existing biometric authentication and surveillance systems are vulnerable to several kinds of attacks, and they also jeopardize the privacy of people's sensitive data. Although biometric-based systems offer superior usability and advantages for various use cases, they have to i) defend against different kinds of impersonation attacks and ii) protect the privacy of biometric data against adversaries.
This dissertation aims to provide solutions to the above challenges. First, I will present vulnerabilities to impersonation attacks in an authentication setting. Our study shows that many cloud-based audio/visual recognition systems (e.g., Amazon Rekognition) can be defeated by the crudest impersonations. Then, I will present our live biometric verification system, the Real Time Captcha (rtCaptcha), a practical approach that places a formidable computational burden on the attacker by combining dynamic, live detection with a randomized Captcha challenge for stronger security. Second, I will present our privacy-preserving remote biometric authentication system, Justitia, which makes DL inferences on biometric data compatible with standard privacy-preserving primitives, such as fuzzy extractors. Justitia lets a remote server authenticate a client without the biometric data ever being revealed in cleartext during enrollment or authentication. Finally, I will propose a fuzzy (labeled) private set intersection (FLPSI) protocol for privacy-preserving biometric search. FLPSI is a secure computation protocol that allows a client to search for a biometric record in a sensitive database without revealing the query or the search results to the server.
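The abstract relies on fuzzy extractors as the privacy-preserving primitive that Justitia targets. The following is an added, self-contained illustration of that primitive, not code from the dissertation or from Justitia: a textbook code-offset construction in which a noisy biometric template (here a constructed bit vector) reproduces the same key as long as each 3-bit block has at most one flipped bit, while the stored helper string is a uniformly random shift and reveals nothing about the template on its own. The repetition code, block size, and plain SHA-256 in place of a seeded strong extractor are simplifying assumptions made for this example.

```python
import hashlib
import secrets

BLOCK = 3  # assumption: 3-bit repetition code, corrects one bit flip per block


def encode(info_bits):
    """Repetition-code encoder: each information bit is written BLOCK times."""
    return [b for b in info_bits for _ in range(BLOCK)]


def decode(noisy_bits):
    """Majority vote per block; tolerates one flipped bit in each block."""
    out = []
    for i in range(0, len(noisy_bits), BLOCK):
        block = noisy_bits[i:i + BLOCK]
        out.append(1 if 2 * sum(block) > len(block) else 0)
    return out


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def generate(template):
    """Gen(w) -> (key, helper).

    The helper (secure sketch) is template XOR random codeword. Because the
    codeword is uniformly random over the code, the helper alone does not
    reveal the template. The key is derived from the template; a production
    fuzzy extractor would use a seeded strong extractor here instead of a bare hash.
    """
    assert len(template) % BLOCK == 0, "template length must be a multiple of BLOCK"
    info = [secrets.randbelow(2) for _ in range(len(template) // BLOCK)]
    codeword = encode(info)
    helper = xor(template, codeword)
    key = hashlib.sha256(bytes(template)).hexdigest()
    return key, helper


def reproduce(noisy_template, helper):
    """Rep(w', helper) -> key, equal to Gen's key when w' is close enough to w."""
    shifted = xor(noisy_template, helper)      # = codeword XOR error pattern
    codeword = encode(decode(shifted))         # error-correct back to the codeword
    recovered = xor(codeword, helper)          # = original template if decoding succeeded
    return hashlib.sha256(bytes(recovered)).hexdigest()


def flip(bits, positions):
    """Return a copy of bits with the given positions flipped (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    # Constructed sample template: 48 bits standing in for a quantized biometric feature vector.
    template = [1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1] * 4
    key, helper = generate(template)
    noisy = flip(template, [0, 4, 8])          # one flip in three different blocks
    too_noisy = flip(template, [0, 1])         # two flips in the same block
    print("exact:      ", reproduce(template, helper) == key)
    print("noisy:      ", reproduce(noisy, helper) == key)
    print("too noisy:  ", reproduce(too_noisy, helper) == key)
```

Only the helper string would be stored server-side; the key is recomputed from a fresh capture and never stored. A real deployment would replace the repetition code with a code matched to the expected error rate of the feature extractor and would derive the key with a seeded extractor, but the Gen/Rep interface shown here is the one such systems expose.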