My name is Michał and I'm a 19-year-old IT student from Poland.
Currently I am working on my new project; basically, I will try to create a fingerprint web authentication service which will work as an authentication provider (such as Facebook or Google).
So I started with a little research and I found the SourceAFIS algorithm. In my application I have to handle the data security problem. Of course I can't store plain fingerprint .jpg files. I can encrypt them and then decrypt them when I have to compare one fingerprint to another, but IMO this also isn't a good solution (everyone who knows my encryption key will be able to decrypt all fingerprints in the database).
So I was wondering how safe it is to store a fingerprint's JSON template in the database? Is somebody who has this template able to generate a fingerprint image from it? I'm really interested in your opinion about this.
Templates don't add any security. They are just a performance optimization.
If templates are used as input to a biometric system, a stolen template is all an attacker needs to get in. If images are needed as input, then the attacker can use the stolen template to reconstruct a fingerprint image that will produce the same template once it is entered into the target biometric system, i.e. templates are reversible enough to work in an attack.
There are "encrypted" or "secure" templates. SourceAFIS doesn't use them. And I am not sure how secure they really are.
Nevertheless, keeping the original image is very valuable for compatibility reasons. Templates differ between vendors and even between versions of the same software. You want to keep your freedom to recreate all templates from original images should you need to upgrade/switch the fingerprint matching software.
Thanks for your response. I see that when I lose a fingerprint template, somebody is able to generate an image which will produce the same template. But is this image generated from the template really a fingerprint image? In other words, can I produce from this: https://pasteboard.co/IjF0wMM.png
This: https://pasteboard.co/IjF0rMz.png
Imagine that in my database I have a table which stores the user's name, last name and fingerprint image. In this situation, if I have a data leak, the attacker has a lot of fingerprints and knows who these fingerprints belong to.
Can you recommend any sources about these "secure" or "encrypted" templates?
You cannot reconstruct exactly the same fingerprint, but you can reconstruct a fingerprint that is sufficiently similar to match reliably. Furthermore, SourceAFIS may employ ridge matching in the future and its templates will likely embed all ridge curves, which will make it possible to reconstruct a nearly perfect duplicate of the fingerprint. Templates really aren't designed to protect information.
I know there are research papers covering secure/encrypted/hashed templates, but I cannot provide any pointers.