Abstract
This paper discusses the usage of biometrics in multi-secret steganography as one of three levels of information protection. Each secret is related to an individual key, which is fully or partially derived from personal trait. The chosen container is fuzzy vault cryptosystem that works well with biometric features and allows to reveal secrets independently of each other. Presented idea may be used in single-user system in which one person stores a number of secrets or in multi-user cloud-based systems. The additional topics covered in this study are pros and cons of diverse types of biometric data with regard to information protection and also security issues of biometrics application in general.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
There are usually three methods of controlling access to an important resource. These are: something you know, something you have and something you are. To prevent unauthorized access, one can use a combination of depicted measures or at least one of them. Each method provides different type of protection and has its own advantages and disadvantages.
Something you know is the most common category which reaches passwords, passphrases, PINs and similar codes. People are used to this form of access control in their daily lives, it is cheap, easy to implement and does not need any external device. However, users are required to remember a number of codes which sometimes may be problematic and lead to security risks, e.g. using the same password in many places or noting it on a piece of paper. Additionally each person is responsible for their own protection as weak passphrases are vulnerable to be guessed. On the other hand, passwords are not assigned to the user forever and can easily be changed in case of leakage. Therefore security codes are good and wide spread, but need some precautions.
Something you have is another class of methods based on a physical device, most often in the form of a card or a key fob. This object can either be passive (with fixed secret code, like RFID [1]) or active (that generates multiple codes, like token). Some devices are equipped with more advanced solutions, for instance challenge-response mode. To grant access to the system, the user does not need to remember anything. Instead, he or she is obligated to have the device, which serves as a key. Thus this type of access control can be regarded as convenient for some people, but a few threats should also be noted. The user may lose access to the system if the device is lost or stolen. So it is easier for adversary to intentionally block authorized person than in case of password.
Something you are is the last group which uses personal traits to identify user. This includes various biometric features, like fingerprints, voice, iris, face shape, DNA, vein pattern etc. The main advantage of this method is that it does not require carrying any additional device nor remembering any secret code. In short-term biometric features are constant, they may change gradually with regard to age and weight. There is very low probability of biometrics match between two people excluding very close family relationships. The problem with this type of access control is that each measurement is a little imprecise and has some discrepancies comparing to a reference object. For that reason methods that use biometric traits have to compensate those inaccuracies. What is more, every system which relies only on biometrics exposes user to risk of privacy and identity theft [2]. Personal traits cannot be easily changed and some of them are not very difficult to obtain, for example fingerprints or voice sample. The user may lose access to their data in case of accident or serious illness, but those situations are rare. Normally biometric features change very little in long-time period.
In practice we can not only see solutions based on one approach, but also multi-factor authentications. Systems that use many methods at the same time are more secure, but less user-friendly and may be annoying for users. The major advantage of combining different approaches is the fact that even if some pieces of information are compromised, the adversary is still not able to grant access to the system. Nevertheless, to increase the level of security, one needs to reduce usability, which is not always acceptable.
This paper focuses on biometric features in multi-secret steganography. Personal traits will serve to encode and decode hidden secrets by being used in key derivation process. This task requires obtained data to be in form of a number or set of numbers. What is more, a few biometric observations of the same person are slightly different, but the output key should nonetheless be able to decode the secret. Thus we need a method which can deal with these issues. An algorithm that meets above requirements is described in Sect. 2. Section 3 presents a few biometrics that may be used in multi-secret steganography together with their strong and weak points. Section 4 summarizes entire discussion and draws some conclusions.
2 Hiding Many Secrets with Biometric Features
Multi-secret steganography [3] is a branch of information hiding in which many secrets are embedded in a single container. The user should be able to decode each information in a lossless way, which means that secrets cannot overwrite each other. Additionally, to use biometric features, the algorithm ought to have the ability to work on imprecise data. These demands are fulfilled by multi-secret fuzzy vault [4], a cryptosystem which is presented below.
Fuzzy vault is a construction consisted of great amount of points. A few of them are genuine and store important information. The rest is only a chaff destined to hide real secrets between a noise. In this cryptosystem we can distinguish two phases: vault creation and secret reconstruction.
The aim of the first phase is to produce a vault with hidden secrets. To do this, we need the secrets itself (numbers) and also associated to them secret keys (unordered sets of numbers). The keys are required to be disjunctive. Then for every secret we create a polynomial that encodes this secret in its coefficients. In next step each polynomial is evaluated on the elements of related key. In this way all genuine points are generated. Algorithm 1 presents this part of vault creation.
Eventually, the important data need to be hidden between a noise. Thus the final stage is chaff points generation. They may be scattered randomly, but have to fulfill following two demands. Firstly, false points cannot lie on any of the polynomials. Secondly, x coordinates of chaff points and genuine points have to be different (or not too close to each other). After the great amount of noise is created, the vault is ready. The whole process is depicted in Fig. 1. There are also different approaches to chaff points generation, for instance method based on circle packing [5].
Vault creation process.
When the vault is constructed, it is possible to start recovering embedded secrets. Each secret information is linked to individual key, which is in form of unordered set. Therefore the proper key is needed to filter correct points from the whole collection. Then selected points are used to reconstruct the polynomial, from which the secret is decoded. This procedure is presented in Fig. 2.
Secret extraction process.
As mentioned previously, every secret is encoded in its individual polynomial. The degree of each polynomial is chosen at the beginning and does not change later. This is very important parameter that determines minimal length of secret key (which is equal degree+1). However, the keys can be longer as with more points we are also able to reconstruct the formula. Moreover, if the key is redundant, some of its parts may be invalid and the secret is still recoverable. This means that the key used to extract secret information is not required to be exactly the same like the original key used in vault creation. It is enough to them to overlap substantially, which gives us error-tolerance. In consequence we can use incomplete or imprecise data, that is exactly which is needed for biometric purposes.
Biometric features may be applied in steganographic algorithms as keys or key fragments. This necessitates traits that can be expressed as set of numbers (for example fingerprints) or as numbers (like iris). Biometrics from former group give keys directly as they are already in required format. The latter features should be joined into one set to create full key. This means that the key can be derived fully or partially from some personal trait. It is also possible to combine this approach with other methods of information protection. One fragment of the key may be originated from biometric feature, another based on the passphrase and the last one can be stored on external device.
Presented idea of applying personal traits in multi-secret steganography is suitable not only for systems in which one person stores many secrets in single container. It works well with systems destined for many participants in which each user has own secret, thus there is an opportunity of using it in cloud. It should be noted that flexibility of described solution allows to select the most appropriate method of key generation.
3 Applicability of Various Biometric Features in Multi-secret Steganography
There are many traits which can be applied in multi-secret steganography. Below we present and characterize a few of them.
Fingerprints are subject of research since many years and are well studied. They can be acquired in fast, safe and non-invasive manner for the user. Additionally, scanning devices are cheap and easy to use. Each finger has its own pattern, thus it is possible to encode ten pieces of information in this way. Moreover, fingerprints do not change with age and weight. However, every person leave them in many places by simply touching a surface, so it is possible to obtain one’s biometric data even after long time. There are known cases of deceiving the scanner with artificial finger and granting access to the system [6].
Voice sample is a trait which is very easy and cheap to obtain, as it only requires a microphone. The recording process may take a few seconds, but it is non-invasive and safe. This biometric feature gives the possibility of combining authentication and authorization at the same time (match of person and a secret phrase). On the other hand, the user may not be correctly identified if his voice is modified as a result of illness. What is more, the system may be attacked with use of samples which were recorder earlier.
Iris are feature which can be an option with moderate budget. The scanning is fast and safe for the user. This trait may be analyzed with use of color or grayscale images, therefore we are also flexible in device selection. Iris have individual characteristics and are harder to copy than fingerprints. The next advantage is that each of two eyes may be used to encode different information.
Face shape can be analyzed on the basis of camera image or 3D scan. Depending of applied hardware, it can be either cheap or expensive. The whole procedure is fast and safe for the user. Face shape may somewhat change as a result of losing or gaining weight. If the recognition is based on single image, it is possible to break into the system by presenting a photograph. Additionally, most cameras are sensitive to changes in illumination and a skin tone. On the other hand, deceiving 3D scanner is much more complicated.
Vein pattern is very characteristic trait. For biometric purposes usually blood vessels in hand are used as a feature. This is because that body part contains many small vessels which are highly individual. The examination is not invasive, but requires specialized and expensive equipment. What is more, it is difficult to get one’s vein pattern, thus granting access to some resource in an unauthorized way is not a simple task. It should also be noted that there is a possibility of encoding two different secrets with both hands.
Bone shape is a feature which can vary between people, especially in case of hands or frontal sinus. It can express many individual characteristics, like previous fractures or disorders, for example rheumatoid arthritis and osteoarthritis [7]. It rarely changes, mainly as a result of disease or accident. To make such imaging, an interesting body part should be x-rayed. This type of examination cannot be made very often, because it impacts strongly on user’s health. Also, the equipment is expensive and needs additional antiradiation shields or walls. From security point of view this feature is very hard to forge [8].
DNA is the most detailed feature which contains the largest amount of information. It is highly unique, although can be identical in monozygotic twins. The sample of DNA can be easily obtained, but the sole examination is complex and very expensive. Genetic code of the user may be recognized regardless of their age or weight. Collecting one’s DNA in an unauthorized way is possible for example from a glass or used tissue.
4 Conclusions
This paper presents application of biometric features in multi-secret steganography. It describes an algorithm which is able to work on imprecise data and also the method of using personal traits in secret encoding and decoding. The advantages of that approach are that it allows to reconstruct all secrets independently from each other and that it can be combined with other measures of information protection. Additionally presented idea is suitable for multi-user cloud systems, but also for system in which one user has many secrets.
The conclusions of this study are as follows. Biometric features may be used as keys in steganography and there is a number of traits from which we can choose. However, as they cannot be easily changed, there is a risk of obtaining one’s feature in an unauthorized way. For that reason personal traits are not recommended to solely secure really important information. They can and they should be used in cooperation with different techniques of access control.
Biometric systems are usually comfortable for users because they do not impose carrying physical device nor remembering a password. But this convenience cannot overshadow security aspects of biometrics, which are really important and should always be taken into consideration.
References
Valero, E., Adán, A.: Integration of RFID with other technologies in construction. Measurement 94, 614–620 (2016)
Lee, V.: Biometrics and identity fraud. Biometric Technol. Today 16(2), 7–11 (2008)
Ogiela, M.R., Koptyra, K.: False and multi-secret steganography in digital images. Soft Comput. 19(11), 3331–3339 (2015)
Koptyra, K., Ogiela, M.R.: Fuzzy vault schemes in multi-secret digital steganography. In: 10th International Conference on Broadband and Wireless Computing, Communication and Applications, BWCCA 2015, Krakow, Poland, pp. 183–186 (2015)
Hani, M.K., Marsono, M.N., Bakhteri, R.: Biometric encryption based on a fuzzy vault scheme with a fast chaff generation algorithm. Future Gener. Comp. Syst. 29(3), 800–810 (2013)
Espinoza, M., Champod, C., Margot, P.: Vulnerabilities of fingerprint reader to fake fingerprints attacks. Forensic Sci. Int. 204(1), 41–49 (2011)
Sumarahinsih, A., Kalim, H., Yueniwati, Y.P.W., Naba, A.: Image segmentation: determination of joint space area inhand radiographs. ARPN J. Eng. Appl. Sci. 11(3), 1931–1935 (2016)
Castiglione, A. (et al.): On secure data management in health-care environment. In: Seventh International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, IMIS 2013, pp. 666–671. Taichung, Taiwan (2013)
Acknowledgments
This work was supported by the AGH University of Science and Technology research Grant No. 15.11.120.868.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Koptyra, K., Ogiela, M.R. (2017). Biometric Traits in Multi-secret Digital Steganography. In: Battiato, S., Farinella, G., Leo, M., Gallo, G. (eds) New Trends in Image Analysis and Processing – ICIAP 2017. ICIAP 2017. Lecture Notes in Computer Science(), vol 10590. Springer, Cham. https://doi.org/10.1007/978-3-319-70742-6_29
Download citation
DOI: https://doi.org/10.1007/978-3-319-70742-6_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70741-9
Online ISBN: 978-3-319-70742-6
eBook Packages: Computer ScienceComputer Science (R0)
