The purpose of this white paper is to present my research on Biometric Encryption (BE) to the Chief Information Officer (CIO). This information will be used to support the CIO with his decision on whether this technology is worth implementing and integrating into the company's current systems. This white paper will provide a description of BE and its value, followed by a discussion of the security issues and perceived weaknesses as well as other issues that could be seen as barriers to its success and their possible effects on the organization.
This white paper also discusses future risks, issues and considerations, followed by my final analysis, recommendations and concluding remarks. Hopefully this information will give the CIO enough insight to make an informed decision on whether or not to implement this technology in the organization.
Description of the emerging technology and its value to the organization
Biometric Encryption is a process that securely binds a PIN or a cryptographic key to a biometric so that neither the key nor the biometric can be retrieved from the stored template. The key is re-created only if the correct live biometric sample is presented on verification.
The digital key (password, PIN, etc.) is randomly generated on enrolment so that the user (or anybody else) does not even know it. The key itself is completely independent of biometrics and, therefore, can always be changed or updated. After a biometric sample is acquired, the BE algorithm securely and consistently binds the key to the biometric to create a protected template, also called a “private template.” In essence, the key is encrypted with the biometric.
The BE template provides excellent privacy protection and can be stored either in a database or locally (smart card, token, laptop, cell phone, etc.). At the end of enrolment, both the key and the biometric are discarded.
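The enrolment and verification flow described above can be sketched with a fuzzy commitment, one well-known key-binding construction. This is an added example, not code from the white paper, which names no specific algorithm. The repetition code, the 32-bit key, the bit-vector "biometric" and the names `enroll`, `verify` and `flip` are assumptions chosen to keep the sketch short.

```python
import hashlib
import hmac
import secrets

REP = 7          # assumed repetition factor: each key bit is spread over 7 template bits
KEY_BITS = 32    # assumed toy key length; the sample must have KEY_BITS * REP bits

def _encode(key_bits):
    # Repetition code: tolerates up to REP // 2 flipped bits per key bit.
    return [b for b in key_bits for _ in range(REP)]

def _decode(code_bits):
    # Majority vote over each group of REP bits.
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def _digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).digest()

def enroll(biometric_bits):
    """Bind a fresh random key to the sample; return (protected_template, key)."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ b for c, b in zip(_encode(key), biometric_bits)]
    # Only helper data and a hash of the key are stored; key and sample are discarded.
    return {"helper": helper, "key_hash": _digest(key)}, key

def verify(template, live_bits):
    """Re-create the key from a live sample, or return None on mismatch."""
    candidate = _decode([h ^ b for h, b in zip(template["helper"], live_bits)])
    if hmac.compare_digest(_digest(candidate), template["key_hash"]):
        return candidate
    return None

def flip(bits, positions):
    # Constructed noise model: flip the given bit positions.
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

if __name__ == "__main__":
    sample = [secrets.randbits(1) for _ in range(KEY_BITS * REP)]  # constructed sample
    template, key = enroll(sample)
    noisy = flip(sample, {0, 1, 2, 50, 100})    # same user, small sensor noise
    too_far = flip(sample, {0, 1, 2, 3})        # exceeds the per-group error budget
    print("noisy genuine sample re-creates key:", verify(template, noisy) == key)
    print("sample outside tolerance rejected:", verify(template, too_far) is None)
```

A repetition code is used only for brevity; the error tolerance and key length of a real deployment depend on the error-correcting code and on how much entropy the biometric actually carries.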