HRL Laboratories, LLC has been awarded $654,965 by the Office of the Director of National Intelligence under the Intelligence Advanced Research Projects Activity (IARPA) to study the security of stored biometric data.
The recent cyberattack on the US Office of Personnel Management (OPM) resulted in theft of the personal data of millions of government employees and security clearance applicants. This kind of cybercrime illuminates the emergent need for cybersecurity and defenses against cyberattacks. Finding better ways to secure data has been given high priority by the US Government.
A person’s identity data—addresses and even names or social security numbers—can be changed, but not their biometrics, such as fingerprints. The problem is that typical identification and authentication systems store fingerprint biometrics (templates) that even when encrypted can be stolen as part of a back-end data theft, such as the one at OPM. Such biometric templates can then be decrypted later, especially if the attackers are able to steal the decryption key along with the data.
The HRL project, entitled Acquiring Biometrics with Cryptography, is led by Chong Ding of HRL’s Information and Systems Science Lab. Ding and his colleagues use cryptographic algorithms called fuzzy extractors that enable them to extract a cryptographic key—used for authentication and access control—from any biometric or physical trait, such as fingerprints or iris scans. For this initial proof-of-concept project, only fingerprints will be studied.
“Our objective is to create a biometric identification and authentication system that is not dependent on a decryption key that can be stolen along with data during a cyberattack. Using the fuzzy extractors as our main tool, attackers will not have the ability to put the biometric identifiers back together correctly,” Ding said. “To authenticate someone’s identity based on their fingerprints will require their fingerprints be taken again to verify that the new reading of fingerprints is close enough to those (almost matches) from which the stored data were extracted. This process presents challenges in guaranteeing accuracy of the biometric matching when using them for identification becomes necessary, but holds promise as a way to store data that even if stolen cannot be used in any harmful way.”
With this technology in place, biometric identification should be completely protected from cyberattacks. Even if attackers obtain all the data stored in back ends, mathematical proofs show they cannot recreate the fingerprints or authenticate to other systems. This is a seedling study and, once it is proven, the fuzzy extractor concept should be expandable to any other biometric that is digitally stored.
HRL Laboratories, LLC, Malibu, California (hrl.com) is a corporate research-and-development laboratory owned by The Boeing Company and General Motors specializing in research into sensors and materials, information and systems sciences, applied electromagnetics, and microelectronics. HRL provides custom research and development and performs additional R&D contract services for its LLC member companies, the U.S. government, and other commercial companies.
Media Inquiries: media[at]hrl.com, (310) 317-5000