Gjovik University College and CASED
Bundesverband Deutscher Banken (BdB), Deutsche Bank
What is it?
The Biometric Transaction Authentication Protocol -- in short BTAP -- is a security protocol that allows the authentication of banking transaction data using biometric identifiers. It is based on a hardware token with minimal functionality that combines the biometric sensor, secure storage and input/output. On the token, the transaction data is sealed using exchangeable, privacy-protected biometric templates. Instead of using a TAN generator, mTAN, etc., we use a biometric TAN generator (the token) to authenticate online banking transactions - the user uses his body to create a unique TAN. The cryptographic seal proves that the transaction data (amount of money, bank account, etc.) has been checked in a secure environment and that it has been verified by the enrolled customer by capturing the biometric trait.
Why do we think it is good?
- It is a new tool against phishing and online fraud in online banking
- It enables data-authentic and person-authentic online banking transactions
- It can be used even in insecure client computer environments
- It is based on well-known security primitives, it is modular and the security goals are formally verified
- It is independent of the biometric trait (fingerprint, vein recognition, etc.)
- It is compliant with privacy protection regulations: no biometric information is stored directly on the server or on the token
- It creates seals which are non-repudiable, since they can only be created by the enrolled user
How does it work?
The biometric subsystem has to be combined with classic cryptographic functionality. The critical transaction authentication is outsourced to a more tamper-proof biometric transaction device (BTD) with limited functionality that can be certified using information technology security
To enable the use of cryptography, the biometric information is transformed into a compact binary vector of fixed length, including error correction capacity to cope with the noise inherent in biometric systems.
During enrolment, the vector is combined with a pre-shared secret key of the same length, using simple bitwise XOR operations, into a secure template.
This process follows the Helper Data Scheme principles: the secure template and additional helper data (for the binarization and selection of components) are stored on the BTD, and the secret key is destroyed.
For the verification of a banking transaction, the user creates a new record using the banking software (e.g. internet portal); one copy of this information is sent to the banking server and one locally to the BTD. The information is displayed in the BTD environment. If the information is correct, the user has to present the biometric trait to the sensor of the device - internally the features are extracted and transformed into the binary vector. The XOR operation over the fresh binary vector representing the biometric information and the stored secure template releases a bitstring close to the pre-shared key if the biometric information is genuine (the user is the enrolled one). The error correction decoder can correct bits that are changed due to noise; the same secret key that was used during the enrolment is released if all errors are corrected. The seal over the hashed transaction information is created using a keyed message authentication code (MAC) over the hash of the transaction data and the released key. This seal is sent to the banking server.
On the server side, the same steps are performed using the hash value of the earlier received transaction data as well as the hash value of the secret key. If the seals are identical, the transaction is authenticated.
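The enrolment, sealing and server-side check described above, as an added Python sketch that is not BTAP's own code. Assumptions: a 5x repetition code stands in for the error-correcting code the page does not name, SHA-256 and HMAC-SHA-256 stand in for the hash and the MAC, the MAC key is the hash of the released key so that the server only needs that hash, and all bit vectors and transaction strings are constructed samples.

```python
import hashlib, hmac, secrets

REP = 5  # assumption: 5x repetition code stands in for the unnamed ECC

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(bits):
    # Majority vote per block: corrects up to 2 flipped bits in each block.
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def key_hash(key_bits):
    return hashlib.sha256(bytes(key_bits)).digest()

def enrol(bio_vector, key_bits):
    # Secure template stays on the BTD; only the key hash goes to the server.
    return xor(bio_vector, encode(key_bits)), key_hash(key_bits)

def seal(mac_key, transaction):
    tx_hash = hashlib.sha256(transaction).digest()
    return hmac.new(mac_key, tx_hash, hashlib.sha256).digest()

def btd_seal(template, fresh_vector, transaction):
    released = decode(xor(fresh_vector, template))  # noisy codeword -> key
    return seal(key_hash(released), transaction)

def server_verify(stored_key_hash, transaction, received_seal):
    expected = seal(stored_key_hash, transaction)
    return hmac.compare_digest(expected, received_seal)

def flip(bits, positions):
    return [b ^ int(i in positions) for i, b in enumerate(bits)]

def demo():
    key = [secrets.randbits(1) for _ in range(16)]        # pre-shared key
    bio = [secrets.randbits(1) for _ in range(16 * REP)]  # constructed sample
    template, stored = enrol(bio, key)
    shown = b"to=EXAMPLE-ACCOUNT;amount=100.00"           # constructed
    sent = b"to=OTHER-ACCOUNT;amount=100.00"              # constructed
    genuine = btd_seal(template, flip(bio, {0, 1, 7, 33, 79}), shown)
    too_noisy = btd_seal(template, flip(bio, {0, 1, 2}), shown)
    return (server_verify(stored, shown, genuine),    # noise corrected
            server_verify(stored, shown, too_noisy),  # wrong key released
            server_verify(stored, sent, genuine))     # server got other data

if __name__ == "__main__":
    print(demo())
```

The third result is the anti-fraud case: if the data the server received differs from what the user confirmed on the BTD, the seals do not match.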
The working principle of BTAP is illustrated in this video.
- Overview of BTAP PDF-Flyer
- Presentation at EPC - August 2011 PDF-Version
- Paper on the Biometric Transaction Authentication Protocol (Securware 2010) PDF-Version
- Paper on BTAP Formal Model Verification (Financial Crypto 2011) PDF-Version
- The BTAP protocol patent
- ISO/IEC 24745:2011 Biometric Information Protection Standard
- DB Research - Biometric recognition systems and mobile internet services PDF-Version
- European Banking Authority - Recommendations for the security of Internet payments PDF-Version
- BAFIN - MASI website
- European Central Bank - Recommendations for the security of Internet payments PDF-Version
- EU Directive 2015/2366 (PSD2) on payment services in the internal market PDF-Version