Reasoning about privacy properties of biometric system architectures in the presence of information leakage
Julien Bringer1
Hervé Chabanne12 Roch
2
1 Lescuyer
Daniel Le Métayer3
1 Morpho Télécom ParisTech 3 INRIA
Information Security Conference'15
September 11, 2015
This work has been partially funded by the French ANR BIOPRIV and the European FP7 PRIPARE projects
2
1
Analysis of Biometric Systems
2
A Formal Model for Privacy By Design
3
Back to Biometric Systems
4
Conclusion
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
/01/ Analysis of Biometric Systems
3
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
Introducing biometric systems I
typical components
user I
terminal
card
location of the comparison
typical data I I I I I
4
database
br: biometric reference (of an enrolled user) rd: raw biometric data (a image, a fresh capture) bs: biometric template to be compared with the reference thr: threshold according to a distance between templates dec: result of the matching (decision)
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
An example of a biometric system I
the
Match-On-Card
technology rd → bs
utilisateur
rd
bs
dec
dec terminal
I storage of a reference inside a
br thr carte
secure element
I the card performs the comparison I the reference does not leave the card I the terminal trusts the card
5
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
Motivations I
Precedent work (BCLL'15; AL'14) I description of biometric systems within a formal model I formal reasoning about privacy properties I intuition: the architecture level is the right level to reason
about privacy properties I assumption: the building blocks do their jobs properly
I
This work I the precedent model is static I no runtime leakage is taken into account I we need such an extension for biometric systems
6
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
/02/ A Formal Model for Privacy By Design
7
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Formal Model for Privacy-By-Design
Reasoning about architecture I
Analysis of a system I components, localisation of data, trust assumptions,
I
etc.
Architecture language
architectural primitives e.g.: Hasi (X ), Receivei,j ({S}, {X }), Computei (X = T ), ... S ::= Attesti ({Eq}), Eq ::= Pred(T , . . . , Tn )
I Description of a system: a set of I
1
I a description speci�es each component, communication,
computation,
I
etc.
Architecture semantics I semantics based on
traces
(aka sequences of events)
I events are instantiations of architectural primitives I architecture semantics: the set of states reachable by the
(compatible) traces 8
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Formal Model for Privacy-By-Design
Reasoning about architecture I
A dedicated epistemic logic for
privacy properties
deductive algorithmic knowledge � paradigm con�dentiality of data and integrity of
I following the � I properties:
computations I semantics of a property
I
P:
set of architectures satisfying
Axiomatics I aka a set of
deductive rules , e.g.:
sound and complete with respect
to the semantics
H2
Receivei,j (S, E ) ∈ A A`
K1 9
P
X ∈E
Hasiall (X )
Computei (X = T ) ∈ A A ` Ki (X = T )
/ ISC'15 / Reasoning about privacy properties of biometric system architectures
Formal Model for Privacy-By-Design
Extension of the formal model I
Extending the architecture language I for each primitive, introduction of a bound on the number of
instantiations I
I
Receivei,j ({S}, {X }), Computei (X = T ), . . . (n)
(n)
Extending the traces of events I introduction of several sessions in the traces (a I
Session
event)
enable the modelling of several successive sessions
I enable the use of di�erent values of the same variable I
motivation: the information leakage due to the access of several values of the same variable across di�erent sessions
I introduction of a system re-initialization (a
Reset
10 / ISC'15 / Reasoning about privacy properties of biometric system architectures
event)
Formal Model for Privacy-By-Design
Extension of the formal model I
Adapting the trace semantics I the architecture semantics is always the set of reachable
component states I the de�nition of the component states is adapted to the new
events
I
Extending the privacy logic I enable the reasoning about several access to the same variable I axiomatics for this extended logic:
(n)
H2 H5
Receivei,j (S, E ) ∈ A
Depi (Y , X )
X ∈E
A ` Hasi (X (n) ) ∀X (n) ∈ X : A ` Hasi (X (n) ) A ` Hasi (Y (1) )
11 / ISC'15 / Reasoning about privacy properties of biometric system architectures
/03/ Back to Biometric Systems
12 / ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
Another biometric system I
Extending (BCKK'09)
Match-On-Card
to biometric identi�cation
I terminal with extended functionalities I
sensor + database + smart card inside the terminal
I biometric data are stored in two ways I
a secure sketch for �ltering; a ciphertext for identifying
I templates comparison carried out inside the card
13 / ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
Inherent leakage in the black-box model I
information leakage I the result of the authentication
leaks information
about the
quantizations ... I ... even if the functionality is seen as
I
black-box (BCS'10)
idea of the attack 1. successive queries to the card with random values 2. analysis of the indices queried by the card
14 / ISC'15 / Reasoning about privacy properties of biometric system architectures
Analysis of Biometric Systems
Application of the extended formal model I
description of this system and some variants inside the extended formal model I
rd
(n)
ComputeT (sebr = EGet(ebr, ind)),
rd → bs bs → qs ebr → sebr ind
ebr
ebr
br → ebr
qs ind bs, sebr
dec
...
qr
br → qr
dec
user
terminal
module
server
15 / ISC'15 / Reasoning about privacy properties of biometric system architectures
issuer
Analysis of Biometric Systems
Application of the extended formal model I
description variants with counter-measures I variant 1: ask all indices (no more dependencies on indices) I variant 2: block the number of queries before a critical bound I variant 3: re-initialization (re-encryption the database,
permutation of the indices, etc.)
I
then, analysis of the con�dentiality of the secure sketches; e.g.:
@X : DepT (qr, X ) ∈ Ami-e1 (n)
HasT (qr) 6∈ Ami-e1
HN
(n)
@j : ReceiveT,j (S, {qr}) ∈ Ami-e1 (n)
@T : ComputeT (qr = T ) ∈ Ami-e1 ∀n : A 0 HasT (qr(n) ) A ` HasTnone (qr)
16 / ISC'15 / Reasoning about privacy properties of biometric system architectures
/04/ Conclusion
17 / ISC'15 / Reasoning about privacy properties of biometric system architectures
Conclusion
I
precedent work I description of biometric system architectures within a formal
model I reasoning about privacy properties of the architectures
I
our contribution I extending the formal model (semantics and epistemic logic) to
catch the runtime leakage I
important for biometric comparison
I analysis of a variants a biometric system within this extension
thank you for your attention
18 / ISC'15 / Reasoning about privacy properties of biometric system architectures