Title:
CONTACT LESS SMART CARD WITH FACIAL RECOGNITION
Document Type and Number:
WIPO Patent Application WO/2009/001394
Kind Code:
A1
Abstract:
A system for detecting, calculating and checking presences and taxing presences in circumscribed areas based on the possession of a contactless type of card with authentication, verification and updating of the holder's data by means of preliminary processing of data relative to the photo of the holder -to be compared with data included in the card memory-, and using encryption algorithms with a SIM resident key, comprising : i- a recharge system, purchasing credit for contactless cards with authentication, verification and updating of card data using encryption algorithms with a SIM resident key: ii- service access based on a contactless card that memorises the authorisation purpose; iii- telecameras, microprocessors and transceivers that use antennas installed inside such circumscribed areas to process acquired data and execute transactions with these cards.

Inventors:
DALENZ BOVE RAFAEL (IT)
Application Number:
PCT/IT2008/000425
Publication Date:
December 31, 2008
Filing Date:
June 24, 2008
Assignee:
GELCO S R L (IT)
DALENZ BOVE RAFAEL (IT)
International Classes:
G06F17/30; G07C9/00; G06K9/00; G07F7/10
Foreign References:
US20060016875A1 2006-01-26
EP1229496A2 2002-08-07
US20060082439A1 2006-04-20
Attorney, Agent or Firm:
SALTARELLI, Gianni (Roma, IT)
Claims:

CLAIMS

1. A technique for identifying the holder/owner of a smart card (10) and for detecting and checking the people present and taxation of transit in a circumscribed area, by means of contactless means, based on two different kinds of security keys contained within a qualifying support-card (10) that gives contactless access, characterised in that it comprises the following steps performing the localised verification:

I.a- the card validation through an exchange of encrypted information relative to a first security access key between the card and contactless readers, that establishes card authenticity, hence the validity of the contactless card and the consistency of the data memorised on it;

I.b- simultaneous identification of the holder of the card by means of real-time measurement of the image of his/her face and a dedicated algorithmic calculation, interactively processing a limited number of specific data to identify the face and comparing this data with data relative to the legitimate owner stored inside the card, data deriving from the real-time photograph of the face being processed according to two different analysis methods (A, B) which comprise the following phases:

A.i - identification of N pre-selected and predefined characteristic points in a human face;

A.ii - execution of a series of correlated measurements among identified points and standardised with respect to a measurement between two pre-selected characteristic points of a human face;

B.i - identification and selection of the most chromatically evident points of the face in the photograph under examination;

B.ii - execution of a series of measurements that weigh the chromatic differences among the identified points, standardised with respect to a measurement between two pre-selected characteristic points of a human face;

C - compressing and encoding data relating to latter analysis methods (A, B) according to the same data formatting performed in data recorded originally in the card.

II- subsequently implementing an exchange of information, again based on techniques of encrypted conversation, with a procedure of real time updating of the information content of the data memorised on the contactless card (10) on the basis of encryption algorithms that allow establishing an interconnection guaranteed against counterfeiting, using locally activated and operational means of authentication and security management.

2. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to claim 1, characterised by using a communication protocol for transferring information including the following phases: i- intervention of the recognition preamble and confirmation of validity of the encrypted keys; ii-code and encrypted data transmission; iii- validation procedure for data transmitted; iv- updating of data in the relative archives and the encryption keys.

3. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims, wherein by using the remotely read transponder card to count people with cards, enables authorisation of the service based on encrypted protocol, and the update of the card (10) for authorised access, automatically calculating - remotely - the number of accesses still valid, and/or updating the amount of time valid for accessing the service.

4. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims, characterized by enabling payment and recharging the card or ticket with transaction algorithms encrypted, the type of prepayment being for one trip, several trips and for a period, for trips with a time limit.

5. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims, wherein with the authentication procedure started each time the card (10) approaches and enters the range of action of a base radio station using an activation, deactivation or interrogation procedure of the services through a challenge-response type of mechanism, so that when an AuC receives a request for authentication, it generates and transmits a random number to the card; the SIM on the card calculates the SRES response giving as input to resident authentication algorithm A3 the random number, RAND, and the user authentication key Ki, memorised in the SIM, the SRES response was transmitted to the local network visited in that moment by the user, where it is compared to the value calculated - and transmitted - at an HLR, applying the same algorithm A3 to the random number RAND and to the Ki key corresponding to the user's declared ID.

6. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims, characterised by using registers updated in real time, types HLR and VLR, corresponding respectively as follows: a- the general register of subscribers or holders of travel cards,

b- the register of visitors (passengers) located at each station, registering accesses after authentication, each metro station or bus or public vehicle stop being the headquarters of the VLR and the base radio station operating in mobility.

7. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims, characterised in that in the sphere of public transportation services the card (7) is stamped and electronically debited by encrypted algorithms inside the mobile unit which may contain at once a considerable number of similar cards with different IDs.

8. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims characterised by the fact that, since the contact-less card or badge has an internal memory which contains a file with data produced by an algorithm that, starting from a photographic image of the card owner's face, carries out a series of measurements on a limited series of characteristic areas and points and transforms them into a corresponding series of encoded information, the selection and encoding of the points is such that any other photograph of the owner produces the same code, disregarding a proportionality factor, so that by increasing the number of points examined, the possibility of the facial photographs of two different people producing the same series of data tends asymptotically to be 0.

9. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims characterised by the fact that when the card is brought near to a reading device, a camera takes a photograph of the holder's face, encodes it and compares it with the data stored in the card so that if the two series of numeric data - that stored in the card which corresponds to the description of the legitimate owner and that measured by the camera near to the access belonging to the holder - are compatible, the verification giving a positive result authorises the transaction, otherwise it is blocked.

10. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims characterised by the following phases:

i - photograph taken of face (5)

ii - blocking out of face, eyes, nose and mouth (6)

iii - identification of characteristic points common to every image (7)

iv - identification of the most evident points of the face under exam (8)

v - standardised measurement of a series of distances among selected points and calculation of a chromatic weight for the points (9)

vi - comparison between the series of information produced and the series of information memorised (10)

11. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims characterised by the fact that:

- identification in the photograph of the pre-selected N points of the human face occurs by processing the image with techniques of image treatment that block out the face, eyes, nose and mouth since the points chosen are not influenced by movement of facial or jaw muscles;

- identification of the most evident chromatic points in the photograph of the face is carried out by exasperating the contrast and identifying the limit points;

- the image treatment techniques measure the standardised distances between selected points and encode the chromatic differences, and the number of points is increased until a percentage is reached that allows secure recognition evaluated with a compromise between processing speed and memory size of the card.

12. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the preceding claims characterised by the fact that the reading system (2), detecting the presence of a wireless, contact-less card in its vicinity: i- starts to photograph the user and activates the algorithm which, from the photo, produces a series of data to compare with the data memorized in the card and simultaneously sends a command to the card requesting it to be read and to transmit the data it contains, a transmitter circuit in the card recognising the command and activating the microprocessor for encrypted exchange of information; ii- guaranteeing the safety of the correctly deciphered data updates in real time the data contained in the card and deducts or updates consumption or accounts.

13. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims characterised by the fact that it:

- allows identification of persons within a limited environment starting from photographs of a wanted person, and/or

- allows identification of known persons within an environment.

14. A technique for identifying the holder/owner of a card and for detecting and checking the people present according to the above claims, that starting from a simple numeric comparison and an arithmetic calculation, from identification on the photograph of the faces of those present, with image treatment techniques and algorithmic calculation, produces a series of data that is limited and distinct for each face.

15. An apparatus for detecting, calculating and checking presences and the relative transit in a circumscribed area according to the preceding claims that include at least: i- a laminated support (7) for a card or badge that contains an electronic circuit, made with surface mounted components, in turn including a microprocessor (1) with an EEPROM that memorises the card for authorised access, a SIM (2) with relative algorithms and inaccessible encryption keys memorised in it, a photovoltaic cell (3), with a feed circuit and capacitative and/or rechargeable battery circuits (4), one or more RFID transceivers (5), with relative antennas (6), ii- a reader (12) which communicates with an host computer, and at least one telecamera (13) which collects photos of the users, iii- microprocessors and transceivers that use antennas installed inside such circumscribed areas to process the data acquired and execute transactions with these cards or tickets.

Description:

TITLE: CONTACT LESS SMART CARD WITH FACIAL RECOGNITION

TECHNICAL FIELD

This invention refers in general to the problem of recognising that a person possesses the qualification required to access a service or an area, at a generic security level. In the field of interest of this invention, qualification is identified as the possessing of a valid "contactless" card or badge. In the final analysis it is the secure recognition of the card's authenticity and the data contained in it. More in particular, in addition to the criteria of recognising qualification authenticity, this invention provides a method for secure data exchange between the qualification and the detection (reading) system, in order to make the use of cards or badges suitable for those services requesting recharge or prepayment, enabling access to services subject to unitary or time taxation or in any case conditioned to complex logics, or for services that to be circulated have difficulty in referring to centralised management systems for verification of data authenticity and for which it is necessary that the data and relative security keys be transported inside the card.

BACKGROUND ART

The production of devices such as badges, cards and other contactless devices, is in great expansion. The many payment or credit systems, cashpoint systems, access control systems, etc., make wide use of it and today the functionalities requested to these devices are increasingly complex. At present there are badges of all kinds, but the field of interest concerning the invention is the contactless one, where the badge is read only if within a minimum and maximum distance of the detection system, with no need for physical contact. Badges with RFID devices are widely used, but today they still have a limited data processing capacity since, in order to respect the pocket-size constraints, they have no feed sources and are self-fed by the electromagnetic field produced by the reader. Yet they are unable to draw sufficient energy from that field to activate the circuits that are capable of executing complex programs and firmware.

Another limitation of these RFID devices is that the maximum detection distance is limited: the greater this distance is, the more limited the data processing capability is.

Another important limitation is that the data memorised in these devices is vulnerable. For these reasons and others, service payment systems with RFID cards are still not very widespread because they are often considered easy to counterfeit. Despite the fact that the first modern biometric device was introduced on a commercial basis more than 25 years ago, producers of these technologies still work in an uncertain environment.

The efficiency of a biometric system consists in its capacity to distinguish the biometric characteristics of different individuals. The perfect precision of these systems, which are theoretically 100% accurate, could be an unachievable goal in the mass consumer market given the commercial need for cost-effective solutions. Although human characteristics appear to be unique, the technologies and techniques used to measure them have an inherent tolerance. This is due to the inaccuracy of the techniques applied and the different circumstances in which the characteristics are presented and measured.

For example, the results of a United States government test in 2003 entitled "Face Recognition Vendor Test" cast doubts on the accuracy of face recognition systems. The test used systems from ten leading producers and a database of 120,000 images of approximately 37,000 individuals. None of the systems worked well in identification mode when a face was shown and identification of the subject was requested.

On the other hand, production of devices such as badges, cards and other contact-less devices is rapidly expanding. They are widely used by many payment and credit systems, ATMs or cash-lines, access control systems, etc. The functions required of these devices are increasingly complex. For example, in sensitive areas, where security is a priority, they are required to verify that the holder is the right person. This is usually carried out through diabolic passwords or very complex systems which compare the locally measured anthropometric data of the holder with data stored in a database. Many of these systems require complex equipment and often cannot be used because they infringe privacy laws. Perhaps the most commonly used system at the moment is that which verifies the fingerprint of the card holder with data stored in the card itself. Privacy laws are respected since the fingerprint is memorised within the card held by the owner and the validation device compares the data in the card with the fingerprint read by a special device.

Currently there are many types of badges but for purposes of the invention the family involved is that of the "contact less" type where the badge is read only if it is within a minimum and maximum distance from the reading system without any physical contact. The badge described in the invention is of the intelligent type, with remarkable working potential since it is able to process a substantial amount of data within a certain time.

DISCLOSURE OF INVENTION

The object of the innovation is to supply an intelligent contactless card or badge which we will call TICL, that due to its onboard available intelligence is able to guarantee security and exclusive data access, therefore it is suitable for sensitive transactions where security is the first requirement. The TICL device has good memory and data processing availability and can provide a variety of functions. An important object of the innovation is the use of authentication and known encryption algorithms, in particular the "one-time password" and challenge type or even with an asymmetric key for data protection and security. Another object of the innovation is being able to selectively increase the maximum detection and writing distance of the card, in order to exchange data between system and cards within the whole area of the service.

Together with recognition of the holder, the aim of this invention is to verify that an authentic card or badge is being held by the legitimate owner. This verification is carried out by comparing an image of the face of the holder, taken by a camera, with data stored within the intelligent card which corresponds to that of the legitimate owner.

A further aim of this invention, besides providing criteria for recognising the authenticity of a card or badge, is to implement an exchange of secure data between the badge and the reading system. In this way it will be possible to use cards or badges for services that require recharge or prepay functions in order to authorise access to services subject to taxes or time limits or, in any case, conditioned by complex logic.

Lastly, the aim of this invention is to create a card using standard hardware and software technologies in order to make the development of subsidiary products feasible for any developer and make each system component economical and easy to maintain.

These aims and others that will be clarified in the description are obtained using a technique of survey, calculation, check of persons present and taxation of transit in a circumscribed sector based on encryption algorithms for authentication and validation of the exchange during access as shown in claims 1-14 attached, and a device deriving from the assembly of known circuits, opportunely selected and modified electrically, and then mechanically adapted to make the object manageable and pocket-sized, above all not cumbersome according to claim 15.

The scope of the invention is to introduce onto the market an intelligent, wireless, contact-less model of a card or badge comprising an internal memory. A file is downloaded onto the memory containing data produced by an algorithm that, starting from a photograph of the badge owner's face, carries out a series of measurements on a limited series of areas and characteristic points and transforms them into a corresponding series of coded data. The choice and codification of the points is such that any other photograph of the owner produces the same code, disregarding a proportionality factor. If another photograph does not produce the same series of data, disregarding the proportionality factor, within a probability range of 90%, it may be assumed it does not belong to the same person. Increasing the number of points taken into consideration, the possibility that the facial photographs of two different people produce the same series of data, disregarding the proportionality factor, asymptotically tends to be 0.

The data deriving from the above code of the photograph of the card owner's face is stored only in the card held by its legitimate owner, thereby respecting the owner's privacy. When the card is brought close to the reading device, a camera films the owner's face, codifies it and compares it with the data stored in the card. If the two series of numeric data (one stored on the card corresponding to the description of the legitimate owner, and the other measured by the camera) are compatible, the verification is positive and the transaction may continue, otherwise it will be stopped.
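The geometric part of this scheme (analysis method A in claim 1) can be illustrated with the following added example, which is not code from the patent: distances among landmark points are divided by one reference distance, so a uniform scale factor between photographs cancels out, and the resulting code is compared against the stored one with a tolerance. The landmark coordinates are constructed, and the one-byte quantisation, the per-value tolerance and the reading of "90%" as a fraction of matching values are assumptions; the chromatic method B is not modelled.

```python
import math
from itertools import combinations

# Constructed landmark sets (x, y): left eye, right eye, nose tip, left and
# right nostril. Points 0 and 1 give the reference distance for normalisation.
OWNER = [(30, 40), (70, 40), (50, 65), (43, 68), (57, 68)]
# Same face, photographed at 1.7x scale and shifted in the frame.
OWNER_SCALED = [(x * 1.7 + 12, y * 1.7 - 5) for x, y in OWNER]
# Same face at 2x scale with about one pixel of measurement noise.
OWNER_NOISY = [(60, 80), (141, 80), (100, 131), (86, 135), (115, 136)]
# A different face.
OTHER = [(28, 42), (72, 42), (50, 75), (40, 78), (60, 78)]


def encode_template(points, ref=(0, 1), max_ratio=4.0):
    """Encode a face as normalised pairwise distances, one byte per pair.

    Every distance is divided by the reference distance, so multiplying all
    coordinates by a constant (camera distance, resolution) leaves the code
    unchanged. The quantisation to 0..255 is an assumption of this example.
    """
    ref_pair = tuple(sorted(ref))
    ref_dist = math.dist(points[ref_pair[0]], points[ref_pair[1]])
    if ref_dist == 0:
        raise ValueError("reference points coincide")
    code = bytearray()
    for i, j in combinations(range(len(points)), 2):
        if (i, j) == ref_pair:
            continue  # the reference pair always normalises to 1.0
        ratio = math.dist(points[i], points[j]) / ref_dist
        code.append(min(255, round(ratio / max_ratio * 255)))
    return bytes(code)


def templates_match(stored, live, tol=2, min_fraction=0.9):
    """Accept when at least min_fraction of values agree within tol.

    Both thresholds are assumptions; a deployment would tune them against
    measured false-accept and false-reject rates.
    """
    if not stored or len(stored) != len(live):
        return False
    close = sum(abs(a - b) <= tol for a, b in zip(stored, live))
    return close / len(stored) >= min_fraction


def verify_holder(stored_template, live_points):
    """Reader-side check: encode the live capture, compare with the card data."""
    return templates_match(stored_template, encode_template(live_points))


if __name__ == "__main__":
    card_data = encode_template(OWNER)  # written to the card at enrolment
    print("template on card:", list(card_data))
    for name, pts in [("scaled", OWNER_SCALED), ("noisy", OWNER_NOISY),
                      ("other", OTHER)]:
        print(name, verify_holder(card_data, pts))
```

With only five points the template has nine values; adding points lengthens the code and lowers the chance of two faces agreeing within tolerance, which is the trade-off against card memory and processing time that claim 11 refers to.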

BRIEF DESCRIPTION OF DRAWINGS

For purely exemplary purposes and with no intention of limiting the particulars of the innovation and possible fields of application, the following is a description of the invention - to be used in the public transport sector - with reference to the enclosed figures, of which:

- Fig. 1 shows a general outline of the card or badge according to what exists at present.

- Fig. 2 schematically shows the various component sections cooperating to implement detection and an optimised control of the flow of people and relative taxation.

- Fig. 3 is a general block layout of the system sections according to another preferred embodiment of this invention.

- Fig 4 is a sequential block diagram of the phases that comprise the authentication and face recognition procedure according to the invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The innovation consists in forming a card or badge on a laminate support 7 containing an electronic circuit described below, built with surface mount device (SMD) components. The electronic circuit is made up, as shown in figure 1, of: a microprocessor 1, a SIM 2 with relative algorithms and encryption keys in memory, a photovoltaic cell 3, with a supply circuit and capacitative circuits and/or rechargeable battery 4, one or more transceivers (RFID) 5, with relative antennas 6.

In particular the microprocessor 1 is the intelligence of the card 10 that must process the firmware algorithms stored in the internal program memory, for producing the encrypted data exchange with a remote access device. The microprocessor always operates in an energy saving mode, and switches over to the active state only when the RFID circuit is activated and only for the time necessary for the transaction. The microprocessor activates the encrypted data exchange with known encryption algorithms and furthermore the encryption key is protected and resident in the SIM that makes up the circuit.

The SIM 2 has the encryption key in memory, which cannot be read outside the SIM. The SIM 2 in turn is protected by a local code memorised in the processor firmware and used by it to activate the functions. An attempt to read the SIM with an incorrect code blocks the SIM permanently. The SIM 2 contains various files that preserve sensitive data to be protected and which are transferred encrypted one way or another, during the exchange between card 10 and remote access device.

A photovoltaic cell 3 is placed on the TICL surface to extract energy from environmental illumination, which will be stored inside it. A feed regulation circuit 4a takes the energy produced by the photovoltaic cells 3 to store it in the capacitative circuits or in the rechargeable batteries 4b.

An RFID transceiver 5 with a serigraphy antenna 6 on the badge surface must alert the microprocessor when it is interrogated, and activate the radio frequency data transceiving.

When the card 10 is close to the reader it is interrogated, the transceiving circuit recognises the command and transmits its identifying registration number.

The detection system that has become aware of the presence of a card in its area can decide to start an exchange of protected data with the card. The transceiver circuit recognises the command and alerts the microprocessor for the encrypted exchange of messages. At the end of the transaction the microprocessor powers down.

When the reader system has guaranteed the security of the data correctly deciphered, it can update the data contained in the card, deducting or updating more or less sophisticated consumption or calculations.

By activating the detection and writing functions of card data, when the card is identified as being present in a certain area, a series of functional applications can be obtained; some of them will be described below as examples.

A possible application referred to public transportation, for example, is using this card as a travel pass. Authentication and deduction of the number of trips or credit time will be automatically calculated when the passenger is on board the vehicle.

The innovation introduces three distinct systems, which when working together can be considered logically integrated in a single system.

1 The first one is the TICL 10 card system, which is the authorization title to the vehicle or reserved public place;

2 The second one is the reader to display insufficient credit or residual credit, possibly connected to a host;

3 A credit purchase device is also fundamental.

Fig. 2 shows a generic barrier that can be passed using three access doors: 11, 11' and 11" - which could be three ordinary entry / exit bus doors or a reserved public area.

A reader device with an insufficient credit display is placed at each 12, 12', 12" door and a credit purchase device 13 is available either inside or outside the vehicle.

When entering the vehicle, the device checks the TICL card validity and whether there is enough credit. A display shows GO or insufficient credit. The detection -reading- device continually checks the cards inside the vehicle to calculate them or to tax them if necessary for the time of the journey or stay in the public place. If device 13 is present, the user can purchase credit inside the vehicle.

The detection device memorises all the cards validated to expedite manual checks for verification of offences.

The travel card we have invented for transportation is a card 10 with onboard electronics. Transponder badges have existed for a long time, but in this invention the card 10 has the following innovative features:

1 The card is the title of travel or of right to the service and can be recharged with transactions that use encryption algorithms. The type of recharge can be for one journey, for several journeys, for a period of journeys with time limits, etc.

2 The card 10 is validated and taxed electronically within a public mobile vehicle or place where there are a large number of similar cards, but with different data -identifier-. The algorithms for reading card data 10 without interaction errors, even if there are numerous cards close to each other, are resolved by the data exchange algorithm and are part of the reader software and the card firmware.

3 All the transactions of input or output with telematic debit of the cost of the journey are done with encryption algorithms, using inaccessible SIM resident encryption keys.

An antenna system inside public buses or the public place, with organised distribution, allows to read simultaneously all the card transponders; the onboard reader 12 checks the authenticity of the encryption keys of the cards 10 and possibly provides for the subsequent authorisation or deduction or telematics debit, of the cost due by each card, rewriting the data on the card.

Communication protocols currently provide for the use of three encryption keys that can coincide, or increase with the evolution of the calculation power of the μP 1 of the card 10. The keys are for the following functions:

1 Key for recharging the card 7 in specially arranged machines 13.

2 Key for dynamic real time updating of the data contained in the card 7 for authorisation and deduction of the portions of the card that have been used.

3 Key for checking or testing the status of the card 7 by the equipment used by personnel for manual card checks.

Communication protocol phases can be summed up as follows: a- intervention of the recognition preamble and encrypted key validity; b- transmission of codes and encrypted data; c- validation procedure of data transmitted; d- data update in the relative archives and encryption keys.

In a particular embodiment of the present invention, the security and authentication functions use the high reliability access technologies used in the GSM mobile telephony system and make use of the relative authentication and management protocols of user ID security and security of data exchanged. The season ticket, or more in general the ticket, is univocally identified by the SIM ID code and this code along with the personal Ki authentication key are the identification credentials.

For authentication and encryption procedures, this information is never transmitted on a radio channel, but uses a challenge-response type of mechanism.

The fundamental advantage of these security procedures comes from the distributed system characteristic that adapts specifically to the type of localised application, which is the aim of this invention. The system elements that intervene actively in realizing the procedures and where the information and resources relative to security are distributed, are: the SIM (Subscriber Identity Module), the card, a register similar to an HLR and one similar to a VLR, which in the GSM transposition correspond, respectively, to:

1- the HLR to the general register of subscribers or owners of tickets (prepaid, free, etc.);

2- the VLR to a register of visitors (passengers) placed for example at each metro station, which records access temporarily after authentication.

The card 10 includes, in the SIM 2, the personal authentication key Ki, the authentication algorithm A3, the encryption algorithm A5.

The information is distributed as in the GSM network: each metro station or each public transportation vehicle is a VLR and a kind of Base Transceiver Station (BTS) operating in RFID capacity and where the algorithms A3 and A5 are also contained. At the base of the encryption and authentication processes is the Authentication Center functional unit that is provided with the codes, the Ki key and the standard encryption algorithms in addition to an algorithm for generating pseudo-random numbers. The AuC (Authentication Center) memorises the security parameters in the analogues of the VLR and HLR databases.

The authentication procedure is started up each time the card 10 comes close and enters in the range of action of a radio base station (a bus stop sign or a metro station) by an activation, deactivation or interrogation procedure of the services contemplated.

The functional units involved in the authentication process are: the SIM in the terminal and the AuC (Authentication Center) at the HLR equivalent. Authentication is done by adopting the known challenge-response type of mechanism. Therefore when the AuC receives an authentication request, it recognises the likely user ID, generates and transmits a random number as a challenge, the card receives the challenge and transmits it to the SIM. The SIM calculates the response SRES to the challenge by inputting the random number (RAND) and the user's authentication key Ki, memorised in the SIM, to the authentication A3 algorithm (key-dependent one-way hash function). The SRES "signed" response is transmitted to the local network visited in that moment by the user, where it is compared to the value that the home network has calculated by applying the same algorithm A3 to the random number RAND and to the Ki key corresponding to the user's declared ID.

The user is identified and access to the service is registered (for example, in the last analysis, the opening of the entry turnstile to the metro) if and only if the two values coincide: the SRES received and the calculated value (the SIM holds the exact identification key). Otherwise the connection is refused and an authentication failure message is notified, blocking access to the user holding it. In this case other ID verification instruments can intervene, such as a biometric identifier (as will be shown in detail subsequently) or personnel directly.

It is evident that detection, calculation and checking techniques of the people present and their circumscribed transit according to this invention should be arranged for connection via GSM, GPRS or radio to a service centre for real time analysis and treatment of the data regarding the cards and/or passes.

Even in the transposition from GSM to access control, the AuC is the functional unit responsible for generating the group of parameters (RAND, SRES, Kc) that are usually referred to as a triplet. Therefore the AuC has two basic duties: secure, protected memorisation of the Ki keys of the users and their passes/cards (titles), and generation and supply to the HLR, upon request, of a number of triplets for each user. The triplets must be generated continuously (one is normally used at each access). What actually happens is that they are generated and memorised in the HLR and supplied, upon request, to the VLRs. This aspect fits perfectly with the operating conditions in which the same travel card is usually used several times, from the same point of entrance or access to public service. In this case the VLRs (as already specified, identifiable with the metro station or the bus stop sign or the bus itself) are themselves a characterising element, since each is a new type of VLR and radio base station operating in mobility, which actually functions differently from the corresponding static ones in the GSM.
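The triplet-based challenge-response described above, sketched as an added example that is not part of the patent text. The real A3 algorithm is not given on this page, so `a3_standin` substitutes a truncated HMAC-SHA256 (an assumption); the class names, the card ID and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import deque

def a3_standin(ki, rand):
    """Stand-in for A3 (and Kc derivation): NOT the real GSM algorithm."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # SRES (32 bits), Kc (64 bits)

class AuC:
    """Stores Ki per card ID and generates (RAND, SRES, Kc) triplets."""
    def __init__(self, keys):
        self._keys = keys                    # card_id -> Ki, never exported

    def triplets(self, card_id, count):
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)   # fresh challenge per triplet
            sres, kc = a3_standin(self._keys[card_id], rand)
            out.append((rand, sres, kc))
        return out

class Sim:
    """Card side: Ki stays inside; only SRES crosses the radio link."""
    def __init__(self, card_id, ki):
        self.card_id, self._ki = card_id, ki

    def respond(self, rand):
        return a3_standin(self._ki, rand)[0]

class StationVLR:
    """Station or vehicle reader holding triplets supplied by the HLR."""
    def __init__(self):
        self._pool = {}

    def load(self, card_id, triplets):
        self._pool.setdefault(card_id, deque()).extend(triplets)

    def authenticate(self, sim):
        pool = self._pool.get(sim.card_id)
        if not pool:                         # unknown card or no triplets left
            return False                     # fail closed
        rand, expected, _kc = pool.popleft() # each triplet is used once
        return hmac.compare_digest(sim.respond(rand), expected)

if __name__ == "__main__":
    ki = bytes(range(16))                    # constructed sample key
    vlr = StationVLR()
    vlr.load("CARD-0001", AuC({"CARD-0001": ki}).triplets("CARD-0001", 2))
    print(vlr.authenticate(Sim("CARD-0001", ki)))         # genuine card
    print(vlr.authenticate(Sim("CARD-0001", bytes(16))))  # wrong Ki
```

Because every access consumes a fresh RAND, an SRES captured on the radio link is useless against the next challenge, and the station never needs to hold Ki itself.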

The invention is also based on performing an algorithm which starts from real time photographs of a face and then:

• identifies N selected and predefined characteristic points of the human face;

• identifies and selects the most chromatically evident points of the face;

• performs a series of correlated measurements among the identified points, standardised with respect to a measurement between two predefined characteristic points of the human face (for example the distance between the nose tip and the eyebrow);

• performs a series of measurements which weigh the chromatic differences between the identified points and are standardised with respect to a measurement carried out between two selected characteristic points of the human face (for example the colour difference between cheeks and chin);

• compresses and encodes the measured data according to the same data formatting performed on data recorded in the SIM memory (2) of the card.

It has been demonstrated that with the same selection of points for processing, the algorithm produces the same code from any other photo of the holder, disregarding a proportionality factor. If another photograph does not produce the same series of data, disregarding the proportionality factor, within a probability range of 90%, it may be assumed it does not belong to the same person. Increasing the number of points taken into consideration, the possibility that the facial photographs of two different people produce the same series of data, disregarding the proportionality factor, asymptotically tends to be 0.
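The geometric part of this procedure, as an added example that is not part of the patent text: distances between landmark points are divided by a reference distance, so the resulting code does not change with the photo's scale. The landmark coordinates are constructed, the chromatic measurements are omitted, and the quantisation step, the tolerance and the use of 0.9 as a match threshold are assumptions.

```python
import math
from itertools import combinations

def feature_code(points, ref=(0, 1), scale=16):
    """Pairwise distances divided by the reference distance, then quantised."""
    ref_len = math.dist(points[ref[0]], points[ref[1]])
    if ref_len == 0:
        raise ValueError("reference points coincide; cannot normalise")
    return [min(255, round(math.dist(p, q) / ref_len * scale))
            for p, q in combinations(points, 2)]

def match_fraction(stored, live, tolerance=1):
    """Share of measurements that agree within the quantisation tolerance."""
    if len(stored) != len(live):
        raise ValueError("codes were built from different point sets")
    hits = sum(abs(s - l) <= tolerance for s, l in zip(stored, live))
    return hits / len(stored)

def same_holder(stored, live, threshold=0.9):
    """Assumed decision rule: accept when enough measurements agree."""
    return match_fraction(stored, live) >= threshold

# Constructed landmark coordinates in pixels, in a fixed order:
# nose tip, left eyebrow, left eye, right eye, right eyebrow, nose bridge.
HOLDER = [(50, 60), (35, 30), (42, 40), (58, 40), (65, 30), (50, 38)]
# Same face photographed closer and off-centre: scaled by 1.7 and shifted.
HOLDER_CLOSER = [(x * 1.7 + 12, y * 1.7 - 5) for x, y in HOLDER]
# A different face: wider brow, closer-set eyes, shorter nose.
OTHER = [(50, 55), (30, 30), (44, 41), (56, 41), (70, 30), (50, 36)]

if __name__ == "__main__":
    stored = feature_code(HOLDER)            # what the card would carry
    print(same_holder(stored, feature_code(HOLDER_CLOSER)))
    print(same_holder(stored, feature_code(OTHER)))
```

The first pair (nose tip to eyebrow) is the reference measurement, so its own entry in the code is always equal to `scale`.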

The N points selected from characteristic points of a human face are defined by processing the image with image treatment techniques that block out the face, eyes, nose and mouth. The selected points must correspond to points that are not influenced by movement of facial-jaw muscles.

Definition of the most evident chromatic points in the photograph of the face is carried out by exaggerating the contrast and identifying the limit points.

The image treatment techniques measure the standardised distances between the selected points and codify the chromatic differences.

The number of points is increased until a percentage of secure recognition is achieved. This is assessed with compromise between the speed of the data processor and the size of the card's memory.

When the intelligent, contact-less card is in proximity of the reader and is interrogated, the transmitter circuit recognises the command and transmits its identifying number. In this condition of protocol activation the reading distance should be short so that the user is forced to position him/herself in front of the camera.

Once it is aware of the card within its sphere of competence, the system reader starts photographing the user and activates the algorithm which, from the photo, produces the series of data to compare with the data memorized in the card. At the same time, a command is sent to the card requesting it to be read and to transmit its data. The transmitter circuit recognises the command and activates the microprocessor for the encrypted exchange of messages. The system reader verifies the congruence of the data and activates, or not, the requested service.

Having guaranteed the safety of the correctly deciphered data, the system reader can update the data contained in the card deducting or updating consumption or more sophisticated accounts.

At the end of the transaction, the microprocessor goes into power down mode.

The recognition and authentication system as proposed in this invention works with three distinct pieces of equipment which work together and can be considered integrated in a single system.

a- The intelligent, contact-less card which constitutes the right to access and contains the cryptographic data characterising the user's photograph.

b- The reader which is generally linked to a host computer.

c- The camera which photographs the user.

Fig. 3 shows an area with three doors 11, 11' and 11", which could be three classic entrances to or exits from a protected area.

A reading device 12, 12', 12" is placed on each door together with a corresponding camera 13,13',13".

When a user tries to access the protected area through door 11, device 12 checks the validity of the intelligent, contact-less card and camera 13 photographs the user. The algorithm described in Fig. 4 is then applied to the photograph of the person who wishes to access the area and, if the data produced by the algorithm are identical to those memorised in the card 10, door 11 opens; otherwise an alarm is set off.

The basic element for this invention is therefore an electronic card 10 with memorized data. Card 10 constitutes the right to access a place or service and contains the data for recognition and authentication of its owner. This data is encrypted and the key is kept in a SIM.

In a preferred utilisation, the communication protocol provides for the use of three encryption keys that may coincide or increase depending on services requested of the intelligent, contact-less card. The keys have the following functions:

1. Key to recharge the card 10 in specially designed machines.

2. Key for dynamic, real-time updating of the data contained in card 10 (reading and writing of characteristic data in the photo of the holder's face).

3. Key to control or test the status of the card by the equipment assigned to the personnel authorised to manually verify the card.

The phases of the communication protocol may be summarised as follows:

a- preamble of recognition and validity of encoded keys

b- transmission of encrypted data

c- validation process of transmitted data

d- data updating in relative archives and encoding keys.

INDUSTRIAL APPLICABILITY

Up to now, authentication of a card holder by measuring biometric parameters has been done through identification of the iris or fingerprint. With this invention a new alternative is possible: identification of the compatibility between the image of the card holder's face and an image of the card owner described within the card itself. Among the advantages of the invention, we must mention the simplicity of the hardware involved: a camera that can also be used for other functions such as video surveillance. Among the functions derived from the invention, it is possible to identify persons to be found within an environment starting from a photograph of a wanted person, or simply to identify all the known persons within a given environment.

Almost all the tickets or cards used to access services open to the public are at present made of synthetic plastic materials or paper and are always disposable. Therefore we calculate that every year, worldwide, hundreds of millions of cards or tickets are produced with no possibility for recycling.

One of the advantageous aspects of this article is the reduction of the environmental impact caused by the considerable amount of cards and tickets, due to the re-use of the card that can be recycled at any time, and furthermore it is multi-use therefore a multi-service card.

The lowering of costs on TICL components would be extremely significant consequent to use by public service managers, when all travel cards or various purchases are based on the TICL.

The method of reading cards inside the metallic vehicles is even more favoured by the reflections produced by the metallic masses, significantly aiding effectiveness of the detection proposed in public vehicles.

The equipment for detecting and calculating the people present in a circumscribed environment, according to this invention, is an economic system that totally changes the technique that checks the flow of people qualified to access a service.