Paper 2017/1177

Reusable Authentication from the Iris

Benjamin Fuller, Sailesh Simhadri, and James Steel

Abstract

Biometrics exhibit noise between repeated readings. Due to the noise, devices store a plaintext template of the biometric. This stored template is an appetizing target for an attacker. Due to this risk, the primary use case for biometrics is mobile device authentication (templates are stored within the mobile device’s secure processor). There has been little adoption in client-server applications. Fuzzy extractors derive a stable cryptographic key from biometrics (Dodis et al., Eurocrypt 2004). In this work we describe an iris key derivation system with 32 bits of security even when multiple keys are derived from the same iris. We are fully aware that 32 bits of security is insufficient for a secure system. The goal of this work is to inspire researchers to design multi-factor authentication systems that uses our scheme as one component. Our system is based on repeated hashing which simplifies incorporating multiple factors (such as a password). Our starting point a recent fuzzy extractor due to Canetti et al.(Eurocrypt 2016). Achieving satisfactory parameters requires modifying and coupling the image processing and cryptographic algorithms. Our scheme is implemented in C and Python and is open-sourced. On a moderately powerful server, authentication usually completes within .30s.

Note: Significant reorganization and rewriting. Includes additional proofs and is more formal.