생체정보 보호 강화를 위한 입법정책적 고찰

이부하,박신욱 충북대학교 법학연구소 2022 과학기술과 법 Vol.13 No.1

Article 23 (1) of the Personal Information Protection Act stipulates that “A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as ‘sensitive data’), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, and other personal information that is likely to markedly threaten the privacy of any data subject.” Article 18 of the Enforcement Decree of the Personal Information Protection Act stipulates that ‘Information prescribed by Presidential Decree’ in the main clause , with the exception of the subparagraph, of Article 23 (1) of the Act means the following data or information. In subparagraph 3, “Personal information resulting from specific technical processing of data relating to the physical, physiological or behavioral characteristics of an individual for the purpose of uniquely identifying that individual” is defined as one of the sensitive data. The range of sensitive data is wider than that of biometrics. ‘Data that constitutes a criminal history record’ defined in subparagraph 5 of Article 2 of the Act on the Lapse of Criminal Sentences, etc. as stipulated in Article 18 (3) of the Enforcement Decree of the Personal Information Protection Act and Article 18 (4) of the Enforcement Decree of the Personal Information Protection Act ‘Personal information revealing racial or ethnic origin’ is sensitive data completely different from biometric information. Therefore, it is necessary to enact a separate law to protect and manage biometrics or biometric information that requires more protection than sensitive data. As safety measures for biometrics security, there are first, security measures for forged/falsified biometric information, second, protection of the transmission section when collecting and inputting biometric information, third, use within the scope of the agreed purpose, fourth, biometric information collection and input processing at the terminal, fifth, encryption when storing biometric information, sixth, destruction of biometric information, seventh, separate storage when storing original biometric information, eighth, in case of leakage of biometric information, protective measures are taken. The Act on Protection and Management of Biometrics (draft) includes Chapter 1 General Provisions, Chapter 2 Establishment of Biometrics Protection Policy, Chapter 3 Collection and Use of Biometrics and Restrictions on It, Chapter 4 Safe Management of Biometrics, and Chapter 5, Guarantee of Rights of Data Subjects.

HV-KEM을 이용한 생체 정보 기반 인증 프로토콜

서민혜(Minhye Seo),황정연(Jung Yeon Hwang),김수형(Soo-hyung Kim),박종환(Jong Hwan Park) 한국정보보호학회 2016 정보보호학회논문지 Vol.26 No.1

생체 정보를 이용한 사용자 인증은 사용자가 어떠한 정보도 소유하거나 기억할 필요가 없으므로 사용자 측면에서 매우 편리하다. 그러나 생체 정보는 한번 노출되면 영구적으로 사용할 수 없기 때문에 인증 수행 시 생체 정보의 프라이버시 보호가 필수적이다. 또한 생체 정보는 본질적으로 노이즈가 있기 때문에 인증 수행 시 적절한 오차 범위이내에서 이를 처리할 수 있어야 한다. 최근 퍼지 추출기(fuzzy extractor)를 이용한 생체 정보 기반 인증 프로토콜에 대한 연구가 활발히 진행되고 있으나, 사용자가 헬퍼 데이터(helper data)를 추가적으로 기억해야 하는 문제점이 존재한다. 본 논문에서는 함수 암호 중 하나인 HV-KEM(Hidden Vector Key Encapsulation Mechanism)을 이용하여 사용자가 어떠한 정보도 소유하거나 기억할 필요 없는 생체 정보 기반 인증 프로토콜을 제안한다. 또한, 인증 프로토콜 설계를 위한 HV-KEM의 보안 요구사항을 정립하고 제안하는 인증 프로토콜을 정확성/안전성/효율성 측면에서 분석한다. Biometric authentication is considered as being an efficient authentication method, since a user is not required to possess or memorize any other information other than biometrics. However, since biometric information is sensitive and could be permanently unavailable in case of revealing that information just once, it is essential to preserve privacy of biometrics. In addition, since noise is inherent in the user of biometric recognition technologies, the biometric authentication needs to handle the noise. Recently, biometric authentication protocols using fuzzy extractor have been actively researched, but the fuzzy extractor-based authentication has a problem that a user should memorize an additional information, called helper data, to deal with their noisy biometric information. In this paper, we propose a novel biometric authentication protocol using Hidden Vector Key Encapsulation Mechanism(HV-KEM) which is one of functional encryption schemes. A primary advantage of our protocol is that a user does not need to possess or memorize any additional information. We propose security requirements of HV-KEM necessary for constructing biometric authentication protocols, and analyze our proposed protocol in terms of correctness, security, and efficiency.

Biometrics-based Key Generation Research: Accomplishments and Challenges

Ha, Lam Tran,Choi, Deokjai THE KOREAN INSTITUTE OF SMART MEDIA 2017 스마트미디어저널 Vol.6 No.2

The security and privacy issues derived from unsecurely storing biometrics templates in biometric authentication/ recognition systems have opened a new research area about how to secure the stored biometric templates. Biometrics-based key generation is the newest approach that provides not only a mechanism to protect stored biometric templates in authentication/ recognition systems, but also a method to integrate biometric systems with cryptosystems. Therefore, this approach has attracted much attention from researchers worldwide. A review of current research state to summarize the achievements and remaining works is necessary for further works. In this study, we first outlined the requirements and the primary challenges when implementing these systems. We then summarize the proposed techniques and achievements in representative studies on biometrics-based key generation. From that, we give a discussion about the accomplishments and remaining works with the corresponding challenges in order to provide a direction for further researches in this area.

Biometrics-based Key Generation Research: Accomplishments and Challenges

Lam Tran Ha,Deokjai Choi 한국스마트미디어학회 2017 스마트미디어저널 Vol.6 No.2

The security and privacy issues derived from unsecurely storing biometrics templates in biometric authentication/ recognition systems have opened a new research area about how to secure the stored biometric templates. Biometrics-based key generation is the newest approach that provides not only a mechanism to protect stored biometric templates in authentication/ recognition systems, but also a method to integrate biometric systems with cryptosystems. Therefore, this approach has attracted much attention from researchers worldwide. A review of current research state to summarize the achievements and remaining works is necessary for further works. In this study, we first outlined the requirements and the primary challenges when implementing these systems. We then summarize the proposed techniques and achievements in representative studies on biometrics-based key generation. From that, we give a discussion about the accomplishments and remaining works with the corresponding challenges in order to provide a direction for further researches in this area.

Biometrics-based Key Generation Research: Accomplishments and Challenges

TRAN HA LAM,최덕재 (사)한국스마트미디어학회 2017 스마트미디어저널 Vol.6 No.2

The security and privacy issues derived from unsecurely storing biometrics templates in biometric authentication/ recognition systems have opened a new research area about how to secure the stored biometric templates. Biometrics-based key generation is the newest approach that provides not only a mechanism to protect stored biometric templates in authentication/ recognition systems, but also a method to integrate biometric systems with cryptosystems. Therefore, this approach has attracted much attention from researchers worldwide. A review of current research state to summarize the achievements and remaining works is necessary for further works. In this study, we first outlined the requirements and the primary challenges when implementing these systems. We then summarize the proposed techniques and achievements in representative studies on biometrics-based key generation. From that, we give a discussion about the accomplishments and remaining works with the corresponding challenges in order to provide a direction for further researches in this area.

Index-of-Max 해싱을 이용한 폐기가능한 홍채 템플릿

김진아,정재열,김기성,정익래 한국정보보호학회 2019 정보보호학회논문지 Vol.29 No.3

In recent years, biometric authentication has been used for various applications. Since biometric features are unchangeableand cannot be revoked unlike other personal information, there is increasing concern about leakage of biometric information. Recently, Jin et al. proposed a new cancelable biometric scheme, called “Index-of-Max” (IoM) to protect fingerprinttemplate. The authors presented two realizations, namely, Gaussian random projection-based and uniformly randompermutation-based hashing schemes. They also showed that their schemes can provide high accuracy, guarantee the securityagainst recently presented privacy attacks, and satisfy some criteria of cancelable biometrics. However, the authors did notprovide experimental results for other biometric features (e.g. finger-vein, iris). In this paper, we present the results ofapplying Jin et al.'s scheme to iris data. To do this, we propose a new method for processing iris data into a suitable formapplicable to the Jin et al.'s scheme. Our experimental results show that it can guarantee favorable accuracy performancecompared to the previous schemes. We also show that our scheme satisfies cancelable biometrics criteria and robustness tosecurity and privacy attacks demonstrated in the Jin et al.’s work. 최근에 생체인증은 다양한 분야에 사용되고 있다. 생체정보는 변경이 불가능하고 다른 개인정보와 달리 폐기할 수없기 때문에 생체정보 유출에 대한 우려가 커지고 있다. 최근 Jin et al.은 지문 템플릿을 보호하기 위해IoM(Index-of-Max) 해싱이라는 폐기가능한 생체인증 방법을 제안했다. Jin et al.은 Gaussian randomprojection 기반과 Uniformly random permutation 기반의 두 가지 방법을 구현하였다. 제안된 방법은 높은 매칭 정확도를 제공하고 프라이버시 공격에 강력함을 보여주며 폐기가능한 생체인증의 요건을 만족함을 보여주었다. 그러나 Jin et al.은 다른 생체정보에 대한 인증(예: 정맥, 홍채 등)에 대한 실험 결과를 제공하지는 않았다. 본 논문에서는 Jin et al.의 방법을 적용하여 홍채 템플릿을 보호하는 방법을 제안한다. 실험 결과는 이전의 폐기가능한 홍채인증 방법과 비교했을 때 더 높은 정확도를 보여주며 보안 및 프라이버시 공격에 강력함을 보여준다.

Energy-Efficient Biometrics-Based Remote User Authentication for Mobile Multimedia IoT Application

( Sungju Lee ),( Jaewon Sa ),( Hyeonjoong Cho ),( Daihee Park ) 한국인터넷정보학회 2017 KSII Transactions on Internet and Information Syst Vol.11 No.12

Recently, the biometric-based authentication systems such as FIDO (Fast Identity Online) are increased in mobile computing environments. The biometric-based authentication systems are performed on the mobile devices with the battery, the improving energy efficiency is important issue. In the case, the size of images (i.e., face, fingerprint, iris, and etc.) affects both recognition accuracy and energy consumption, and hence the tradeoff analysis between the both recognition accuracy and energy consumption is necessary. In this paper, we propose an energy-efficient way to authenticate based on biometric information with tradeoff analysis between the both recognition accuracy and energy consumption in multimedia IoT (Internet of Things) transmission environments. We select the facial information among biometric information, and especially consider the multicore-based mobile devices. Based on our experimental results, we prove that the proposed approach can enhance the energy efficiency of GABOR+LBP+GRAY VALUE, GABOR+LBP, GABOR, and LBP by factors of 6.8, 3.6, 3.6, and 2.4 over the baseline, respectively, while satisfying user's face recognition accuracy.

휴대폰 환경에서 얼굴 및 홍채 정보를 이용한 암호화키 생성에 관한 연구

한송이(Song-yi Han),박강령(Kang Ryoung Park),박소영(So-young Park) 대한전자공학회 2007 電子工學會論文誌-CI (Computer and Information) Vol.44 No.6

최근 하나의 휴대폰에 여러 가지 미디어들이 복합적으로 장착됨에 따라 휴대폰에서 제공되는 서비스의 사용자 보안에 대한 요구가 증가되고 있다. 현재 이를 위하여 비밀번호와 인증과정을 통한 암호화 카드를 이용하여 본인을 인증한 후에 서비스를 제공할 수 있는 암호화키를 생성하고 있지만 이는 분실의 위험에 언제든지 노출되어 있다. 따라서 상대적으로 분실의 위험이 거의 존재하지 않는 생체정보를 이용하여 키를 생성하는 연구가 많이 진행되고 있다. 하지만 생체정보는 언제나 동일한 키를 생성해내야 하는 암호화키 생성 시스템의 요구사항과 달리 환경의 변화에 따라 본인이라도 특징 추출시마다 약간씩 다른 특징값이 추출되는 문제점을 가지고 있다. 따라서 본 연구에서는 생체 특징으로부터 직접적으로 키를 생성해내는 생체 정보 기반 키 생성 방법(Biometric-based key generation)이 아닌 생체 정보 매칭 기반 키 생성 방법(Biometric matching-based key release)을 이용하여 미리 정의해 놓은 키를 인식과정을 통하여 도출하고 또한 하나의 생체가 갖는 성능의 불안정성을 극복하기 위하여 얼굴과 홍채를 결정 레벨(Decision Level) 에서 결합함으로써 모바일 환경의 특성을 반영하며 안정된 성능 하에 암호화키가 생성될 수 있도록 하였다. 또한 휴대폰에 내장되어 있는 메가 픽셀 카메라를 이용함으로써 한 번의 영상 취득으로 얼굴과 홍채 인식이 동시에 이루어지는 편리함을 제공하였다. 본 논문에서 제안하는 키 생성 방법의 성능을 측정한 결과, 암호화키 생성에 있어 0.5%의 EER(Equal Error Rate) 성능을 얻었으며, FRR(False Rejection Rate : 본인의 생체 정보로 타인의 암호화키가 나올 에러율)을 25%로 설정하였을 때, FAR(False Acceptance Rate : 타인의 생체 정보로 본인의 암호화키가 나올 에러율)은 약 0.002%의 성능을 얻었다. 동시에 본 시스템에서는 임계 치에 따라 암호화키 생성의 FAR과 FRR값을 동적으로 제어할 수 있는 기능을 제공하였다. Recently, as a number of media are fused into a phone, the requirement of security of service provided on a mobile phone is increasing. For this, conventional cryptographic key based on password and security card is used in the mobile phone, but it has the characteristics which is easy to be vulnerable and to be illegally stolen. To overcome such a problem, the researches to generate key based on biometrics have been done. However, it has also the problem that biometric information is susceptible to the variation of environment, whereas conventional cryptographic system should generate invariant cryptographic key at any time. So, we propose new method of producing cryptographic key based on "Biometric matching-based key release" instead of "Biometric-based key generation" by using both face and iris information in order to overcome the unstability of uni-modal biometrics. Also, by using mega-pixel camera embedded on mobile phone, we can provide users with convenience that both face and iris recognition is possible at the same time. Experimental results showed that we could obtain the EER(Equal Error Rate) performance of 0.5% when producing cryptographic key. And FAR was shown as about 0.002% in case of FRR of 25%. In addition, our system can provide the functionality of controlling FAR and FRR based on threshold.

항공안전 향상을 위한 생체인식 기반 항공보안시스템 도입 및 국제표준화 활성화 연구

조성환(Sung-Hwan Cho),윤한영(Han-Young Yoon) 한국산학기술학회 2020 한국산학기술학회논문지 Vol.21 No.5

테러리즘 양상의 변화와 과학기술의 발전으로 항공보안 분야의 선제적 대응 필요성에 따라 각 국가는 공항 및 항공관련 기관에 생체인식기술을 활용하고 있으며 적극적으로 확대하여 도입하고 있다. 항공안전을 위협하는 요소를 사전에 예방하기 위한 ICAO 항공보안계획은 글로벌 항공운송산업의 지속적인 발전을 위한 전제로써 생체인식을 기반으로 한 항공보안 시스템 구축 및 향상 방안을 강구하였다. 본 연구의 목적은 생체인식기술을 도입하여 각 국가 간 균질적인 항공보안시스템을 구현하는 데 기초자료로 활용되기 위함이다. 본 연구는 주요 선진국의 생체인식기반 보안시스템 운영현황을 살펴보고 법적․제도적 분석을 통한 정책적 시사점을 도출하고자 하였다. ICAO 회원국들이 항공테러를 사전에 예방하고 항공보안 관련 정보를 실시간으로 공유하기 위해 항공여객의 생체인식정보 활용을 위한 ICAO 회원국 간 표준화 방향 및 구체적인 가이드라인이 필요하다. 항공안전을 향상하기 위해 항공보안시스템에서 생체정보의 활용은 이제 거의 모든 국가에서 보편적으로 이루어지고 있는 시대적 흐름이 되었다. ICAO 차원에서 국제적 표준 기준이 제시 된다면 글로벌 항공운송산업의 안전 향상 위한 생체정보 활용 시, 회원국 간 실시간적인 정보 공유 등을 통해 발생할 수 있는 항공안전 위협 요소 또는 예상되는 보안사고를 일관성 있게 대처 할 수 있을 것이다. Airports and civil aviation authorities have recently utilized and expanded the use of biometric technologies to respond proactively against the rapid changes in aviation terrorism due to scientific development. The Global Security Plan (GASeP) developed by the International Civil Aviation Organization (ICAO) is regarded as precondition for sustainable development of the global air transport industry. Thus GASeP has sought to improve aviation security system using biometic technologies. The purpose of this paper is to realize the equivalent access of aviation security system throughout the world with biometric technologies. First, this paper reviewed the current biometric-security system operated by the EU, USA and international society. Second, legal and institutional processes regarding personal biometric information were analyzed to suggest political implications. This paper concluded that ICAO should propose a global standardization and prepare guideline materials among its 193 member states to prevent aviation security breaches and to share related information on a real-time basis because time is required to utilize biometric technology to improve aviation safety and to develop global air transport.

Security Analysis to an Biometric Authentication Protocol for Wireless Sensor Networks

이영숙 (사)디지털산업정보학회 2015 디지털산업정보학회논문지 Vol.11 No.1

A novel authentication mechanism is biometric authentication where users are identified by their measurable human characteristics, such as fingerprint, voiceprint, and iris scan. The technology of biometrics is becoming a popular method for engineers to design a more secure user authentication scheme. In terms of physiological and behavioral human characteristics, biometrics is used as a form of identity access management and access control, and it services to identity individuals in groups that are under surveillance. In this article, we review the biometric-based authentication protocol by Althobati et al. and provide a security analysis on the scheme. Our analysis shows that Althobati et al.’s scheme does not guarantee server-to-user authentication. The contribution of the current work is to demonstrate this by mounting threat of data integrity and bypassing the gateway node on Althobati et al.’s scheme. In addition, we analysis the security vulnerabilities of Althobati et al.’s protocol.