Distributed biometric database and authentication system.

FIELD OF THE INVENTION

This invention relates generally to a biometric system and, more specifically, to a distributed biometric database and authentication system using biometric encryption.

BACKGROUND OF THE INVENTION

Authentication of physical objects may be used in many applications, such as conditional access to secure buildings or conditional access to digital data (e.g. stored in a computer or removable storage media), or for identification purposes (e.g. for charging an identified individual for a particular activity). Every human being has a unique set of biometric data, such as voice, fingerprints, iris, retina, face, etc. The use of biometrics is, to an ever-increasing extent, considered to be a better alternative to traditional identification means, such as passwords and PIN-codes and, indeed, biometric information is increasingly used to verify and authenticate a person's identity in an ever-growing number of applications and situations.

Typically, the use of biometric information is governed by a trust model, whereby a user receives assurances that the information as provided will only be used for specific purposes and that abuse will be prevented by a security regime for the data. Unfortunately, while in theory this should provide a complete solution that addresses all concerns from citizens and the privacy community, in practice every security regime becomes vulnerable when deployed on a large scale, and widespread use inevitably leads to insider abuse and outside attacks, e.g. by hackers. It will be apparent that biometric applications are a tempting target for identity thieves, so traditional biometric systems have protected biometric templates by storing them in encrypted form. Thus, in order to check the identity of an individual, the template must be decrypted using a key before it can be compared with a live scan. This gives potential identity thieves two opportunities to access the template: intercepting the unencrypted template or stealing the encrypted template and key.

Therefore, the concept of providing intrinsic security by means of biometric encryption, whereby rather than using the original biometrics, a derived dataset is used that has been created via a one-way transformation. The one-way

properties of the transformation guarantee that the original biometrics can never be reconstructed from the stored data, while the transformations are unambiguous enough to be able to perform matches in the encrypted domain.

Referring to Figure 1 of the drawings, there is provided a schematic diagram illustrative of the basic operation of an exemplary solution in this class of approaches to secure biometrics. As shown, the biometric 10 is first scanned and transformed into a regular biometric feature vector. The signal-to-noise ratio is estimated and used (at 12) to reduce the noise levels and template size without losing useful information. Next, error-correction codes are used (at 14) to eliminate and remaining noise effects and minimize error rates, thereby ensuring, to the greatest extent possible, exact matching between templates and corresponding, subsequently-acquired biometric data. Auxiliary data is then combined (at 16) with the feature vector, thereby enabling different templates to be created from the same biometric. This auxiliary data is essentially a random number but, importantly, that number can be different for each person and application. Finally, the or each biometric template (feature vector and auxiliary data) is hashed (at 18) for secure storage. With auxiliary information, each biometric can give rise to many different templates, so any compromised template can simply be revoked and replaced with a new one using the same biometric 10 but different auxiliary information. Furthermore, as each resultant template is radically different, an identity thief who gains access to one template will not be able to use that template to access other applications.

While the system described above uses biometric encryption to solve many of the intrinsic problems associated with traditional biometric authentication and identification systems, there are still some drawbacks. For example, the matching performance of biometric encryption, while similar to that of traditional biometrics, can differ slightly in error rates. More importantly, biometry is embedded in law and case law where, for example, fingerprint matches are accepted as legal evidence if a certain number of minutiae correspond. Biometric encryption has no direct equivalent supported by years of case law. Furthermore, there are a large number of existing databases filled with biometric data within traditional biometric systems, which need to be dealt with. Finally, biometric encryption is a relatively young discipline, such that improvements in algorithms and ciphers can be expected over coming years, and any systems put in place now

should ideally be modifiable accordingly, in order to maintain a required level of security.

It is therefore an object of the present invention to provide a biometric system, using biometric encryption, in which the above-mentioned issues are addressed so as to provide a biometric system in which the required level of security is attained and can be maintained, whilst ensuring that a legally-acceptable audit trail (back to the original biometric data) can be provided, if a biometric match should be challenged, for example, in a court of law. SUMMARY OF THE INVENTION In accordance with the present invention, there is provided a biometric information system comprising a master database in which unencrypted biometric data is stored, and at least one encrypted operational database in which is stored biometric templates derived from biometric data stored in said master database which has been subjected to biometric encryption. Beneficially, the master database is preferably located in a secure, non-networked environment. In one exemplary embodiment, the system comprises a plurality of operational databases, each containing biometric templates generated from said unencrypted biometric data stored in said master database, preferably by a certified authority. In an alternative exemplary embodiment, a centralized operational database is provided containing biometric templates generated from said unencrypted data stored in said master database, and a centralized authority is permitted access to the contents of said centralized operational database. Beneficially, said centralized authority is configured to provide an authentication service, preferably on-line, to a plurality of applications in the form of organizations or otherwise.

The biometric data stored in said master database may be single or multi-modal. In one exemplary embodiment, said biometric encryption comprises the application of a one-way transformation, such as a one-way hash function, to a feature vector representative of said unencrypted biometric data.

Also, in accordance with the present invention, there is provided a method of providing a biometric information system, comprising the steps of storing unencrypted biometric data in a master database, placing said master database in a secure, non-networked environment, generating a plurality of encrypted biometric

templates by subjecting a plurality of respective pieces of unencrypted biometric data storing in said master database to biometric encryption, and stating said biometric templates in one or more operational databases.

These and other aspects of the present invention will be apparent from, and elucidated with reference to, the embodiments described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of examples only and with reference to the accompanying drawings, in which:

Fig. 1 is a schematic diagram illustrating the principal steps of a biometric encryption method suitable for use in an exemplary embodiment of the present invention;

Fig. 2 is a schematic diagram illustrating some of the principal components of a biometric system according to a first exemplary embodiment of the present invention; Fig. 3 is a schematic diagram illustrating a method of biometric encryption suitable for use in the system of Fig. 2;

Fig. 4 is a schematic diagram illustrating some of the principal components of a biometric system according to a second exemplary embodiment of the present invention; and Fig. 5 is a schematic diagram illustrating a method of authentication of biometric data suitable for use in the system of Fig. 4.

DETAILED DESCRIPTION

Thus, the object of the present invention is met by means of a hybrid solution that is characterized by a "separation of purpose". Referring to Figure 2 of the drawings, in accordance with a first exemplary embodiment of the present invention, a dual system is proposed that is characterized by a master database 20 comprising biometric data in its unencrypted form, and a plurality of operational databases 26a, b, c, protected by biometric encryption, intended for broad and daily use. The biometric data may be single or multi-modal, wherein modes of biometric data may comprise, for example, voice, iris, face, retina, fingerprint, etc. The master database 20 is preferably located in a highly secure, protected and non-networked environment 24 and the encrypted operational databases 26a, b, c are then generated from the unencrypted biometric data in the master database 20 by a certified authority (CA) 22.

There are several types of suitable biometric encryption techniques available for use in generation of the encrypted operational databases 26a, b, c. One exemplary method of biometric encryption will be described in detail. However, it will be appreciated by a person skilled in the art that the present invention is not intended to be limited in relation to the type of biometric encryption employed and, indeed, it is an advantage of the present invention that, as new and improved biometric encryption algorithms are developed, the master database 20 can be used by the certified authority 22 to generate a new set of encrypted operational databases by means of the new algorithm(s). Referring to Figure 3 of the drawings, a biometric feature vector X is retrieved from the master database, and the signal-to-noise ratio is estimated (at 30) and used to reduce the noise levels and data size without losing useful information, following which error-correction codes are applied to eliminate any remaining noise effects. Auxiliary data W is generated or otherwise retrieved and added to the resultant biometric signal X'. The auxiliary data may be in the form of, for example, a random number and, importantly, can be different for each person or template, thus enabling several different encrypted operational databases to be generated from the same set of biometric data.

A one-way hash function F is finally applied to the biometric template comprised of the feature vector X' and the auxiliary data W to generate F(X', W).

As explained above, this encryption process is performed by the certified authority CA, so if a different algorithm or function is required to be applied to the raw data in order to generate a new set of encrypted operational databases, this too can be performed by the certified authority. Furthermore, the certified authority can thus also provide an audit trail if one of the biometric matches is ever challenged, for example, in a court of law.

Referring to Figure 4 of the drawings, in an alternative exemplary embodiment, the raw biometric data is once again stored in a secure environment within a master database 20. However, in this case, a centralized encrypted operational database 40 is provided which is filled with different protected biometric templates derived from the raw biometric data in the master database using, for example, the encryption technique described above in relation to Figure 3. In this case, several applications 42 (e.g. border control, social services, local authorities,

banks and other private organizations) can be served by a centralized authority 44 having access to the encrypted operational database 40. The centralized authority 44 thus provides an on-line authentication service to the applications 42, whereby a biometric sensor 46 local to the application collects biometric data from an individual and transmits it to the centralized authority 44.

Referring to Figure 5 of the drawings, upon receipt of the collected biometric data Y, the signal-to-noise ratio is estimated (at 50) and used to reduce the noise levels and data size, as in the enrolment phase, following which error- correction codes are applied to eliminate any remaining noise effects. Auxiliary data W associated with the individual to which the biometric data is supposed to belong is retrieved and added to the resultant biometric signal Y'.

The resultant data (Y') is transmitted to the centralized authority 44, auxiliary data W associated with the individual supposed to be represented by the biometric data Y is added, and the one-way hash function F is applied to the combination of the biometric data Y' and the auxiliary data W. If the result of F(Y', W) corresponds to the result of F(X', W), then a signal indicating a match is returned to the requesting application 42. Otherwise, data indicating that there is a mismatch is returned.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word "comprising" and "comprises", and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.