ISSN 0032-9460, Problems of Information Transmission, 2011, Vol. 47, No. 2, pp. 201–215.
Pleiades Publishing, Inc., 2011.
Original Russian Text
A.L. Chmora, 2011, published in Problemy Peredachi Informatsii, 2011, Vol. 47, No. 2, pp. 127–143.
Key Masking Using Biometry
A. L. Chmora
Infotecs JSC (Information Technologies and Communication Systems)
Received April 7, 2010; in ﬁnal form, December 6, 2010
Abstract—We construct an abstract model based on a fundamental similarity property, which
takes into account parametric dependencies and reﬂects a speciﬁc collection of requirements.
We consider a method for masking a cryptographic key using biometry, which satisﬁes the
constructed model and guarantees an adequate practical security level.
Using biometry as a secret key in cryptography seems reasonable. The essence of practical
attractiveness of biometry as a cryptographic tool consists in its natural inseparability. Indeed,
any cryptographic key must be kept secret. In practical applications, the key is written in an
autonomous storage medium. When necessary, the medium is connected to a cryptographic device
with an appropriate interface. The key is fed into the device by retrieving from the storage medium.
Obviously, the medium is not an integral part of the key owner and can easily be separated from
him (e.g., lost, stolen, or destroyed).
This inseparability property is crucial for a number of applications. For example, it is known
that a digital signature guarantees nonrepudiation. The purpose of this security service consists
in resolving conﬂicts that occur in the case of recession a digitally signed document, which in fact
means repudiation of previously undertaken commitments. Authorship of a digital signature can
always be proved. For this, it suﬃces to present a public key, whose authenticity and uniqueness is
approved by a public key certiﬁcate, and also the document itself with the digital signature. The
defendant exposes the pairing secret key according to a writ. However, in this case the defendant
may make use of the separability property and claim that the medium where the secret key for
computing the digital signature was stored was used without his consent. Consequently, the trial
becomes more confused. Now, instead of attributing the authorship, it is necessary to prove or
disprove the fact of security leak. When using biometry, relevance of such arguments becomes
There are drawbacks too. A human has a limited number of biometric objects of a certain type:
ten ﬁngers, two eyes, two palms, etc. Moreover, due to certain restrictions, biometric objects do not
possess the ﬂexibility of cryptographic keys, which can be created repeatedly and whose entropy
can even be reduced or increased if security requirements have changed. Another drawback is due
to the fact that biometric data are changeable, and measurement results for the same object vary
in some range. As a rule, this variability is volatile and depends on external environment factors.
However, in the course of time it may become irreversible.
Bijectivity of a cryptographic mapping is possible only if a key does not change within a single
cycle consisting of successive applications of the encryption and decryption. Therefore, biometric
data cannot be used as a cryptographic key. However, a solution nevertheless exists. Various ways