© 2005 The Generics Group AG
Presentation to BCS/12th April 2005
Biometrics & Identity: Addressing the concerns of privacy through technology
Biometrics & Privacy
Generics group research activities in biometrics and security
Overview of biometrics and basic model of how they work
Conventional and cryptographic modes of operation
Biometric key generation technology
Scientific Generics - Background
Cambridge based technology consultancy, research and development organisation with regional offices in US, Germany, Scandinavia and Hong Kong
Involved in the incubation of over 50 start-up companies in fields ranging from:
• Compact fuel cells
• Optical telecommunications
• Transmission of data over sound (e.g. between TV and mobile phone)
• Sensor devices
• Tracking and location technologies
Mainstay of business revenues comes from fee-for-service consultancy activities relating to the interaction of technology with business value
Company retains a commitment to investment in commercially focused technology research activities
Background to biometrics research activities
Programme initiated in early 2001 with a view to deep integration of biometrics with private key management within a PKI, and to realisation of the concept of "I am my private key"
First proof of principle demonstrator developed for iris in 2002
Security research activities broadened in 2003 to include consideration of the full range of privacy concerns impacting on the use of biometrics within national identity cards
Second verification demonstrator developed in 2004 which verifiably reproduced 400 bit keys from third party iris test data
2005 - current research activities focused on:
• moving towards publication of test results that verify the technology
• creation of wider applications relating to other biometrics such as finger-print
• alpha product development of related security technologies
• incorporation as a commercial venture
Privacy risk of biometric identification systems
[Diagram labels: National Identity System; Biometric data; Identification powers; Privacy risk; Risk mitigation steps; Improving acceptance; Cost of privacy; Residual perceived privacy risk; Financial costs; Political costs]
Privacy enabling technology - reducing the costs of privacy
[Diagram labels: National Identity System; Biometric data; Identification powers; Privacy enabling technology; Reduces privacy risk; Risk mitigation costs; Acceptance costs; Costs of privacy; Reduces cost; Increases personal security; Increases system security; Increases acceptance]
Technology Overview
Eliminate cost and complexity from biometric security infrastructure by a suite of technologies that support privacy by design
• Biometric key generation - reduces need to access reference data
• Secure anonymisation - removes privacy issues of identification checks
• Secure workflow engine - enables robust policy enforcement in respect of biometric escrow and identity registration processes
• Highly scalable wholesale delivery of high security identification and certification services
[Diagram labels: Secure system; Privacy; Privacy-compatible secure system]
Cryptographic modes of biometrics increase privacy AND security whilst reducing costs
Biometrics - a definition
Biometrics are automated methods of recognising a person based on physiological or behavioural characteristics
Among the features measured are: face, fingerprints, hand geometry, iris, handwriting (signature), retinal, vein and voice
Ordinarily people distinguish between two different operational modes for biometrics:
• Verification - are you who you claim to be (one-to-one)
• Identification - who are you really (one-to-many)
The UK and US biometric identity card systems are based on the use of both operational modes:
• Verification for standard operational mode
• Identification for watch lists and multiple identity enrolment detection
Biometrics are fundamentally based on authentication of an individual based on: WHO YOU ARE or SOMETHING I AM
Why are biometrics so compelling?
The human interface is the biggest security gap in most security systems
Authentication, rather than encryption, is the major problem facing security
The aspiration of biometrics is automated recognition of identity based on the immutable properties of a person’s being
The promise of direct proof of presence of the individual is the central premise of the appeal
Why are biometrics so difficult?
High quality image capture of biometrics is difficult
High performance discrimination based on biometric data is challenging
Biometric capture processes can be challenging or upsetting to users
Biometrics are not the same as passwords
Protecting biometrics against spoofing is problematic
There are competing methods of authentication that are arguably lower cost, easier to use and do not invade privacy of the person - e.g. strong passwords, RSA SecurID tokens, smart-card protected secrets etc.
The cost benefit barriers for adoption should not be under-estimated of
The biometric conundrum
Biometrics are compelling to the market - otherwise any technology that is so difficult to use would have been dropped long ago.
Biometrics are problematic - otherwise anything so compelling would have been adopted on a much wider scale than has hitherto been the case
Will biometrics become a niche technology relied on in times of political insecurity and for high value applications?
OR
Is the mass adoption of biometrics simply a question of time?
Examples of biometrics
Iris - highly accurate, relatively expensive
Finger
• Live-scan - highly accurate, high cost
• Finger scan - reasonably accurate, low cost
Face - limited to one-to-one, best interoperability
Voice - limited performance, easily spoofed
Retina - highly accurate, difficult to use
Hand vein - accurate, easy to use, low adoption
Hand geometry - reasonably accurate, use in new applications diminishing
Signature - difficult to use but very attractive for PDA etc
Biometric images - iris
Commercial iris camera
Standard camera plus macro lens
Biometric images - fingerprint
High quality - optical
High volume - thermal swipe
Limitations of biometrics
Performance
Cost
Security
Societal
Systems integration issues
Performance - alphabet soup
FMR - false match rate (or false accept)
FNMR - false non match rate (or false reject)
FTE - failure to enrol
Equal error rate - FMR=FNMR
ATV - ability to verify FTE * FNMR
SFMR - system false match rate
SFNMR - system false non match rate
Cost
Typical cost for high quality sensor devices (iris, finger, retina) is of the order of several thousand to several tens of thousands of dollars.
There is however also an emerging low-cost commodity tier of biometric devices that will enable most biometrics, with the possible exception of retina, to operate at price points of less than $100.
However, the nature of the applications compensates: for those applications that require high throughput and high quality devices, the cost tolerance for devices also tends to be higher.
For one-to-many applications such as border-control a small number of high cost devices can be used to support enrolment whilst a larger number of lower quality devices may be exploited to support verification.
Security
Security of authentication as measured by the SFMR
Biometric templates are a symmetric verification measure
Biometrics can be spoofed, if image data is stolen or captured by stealth
Mitigation of above with liveness checks
One to many matching requires central database storage. Data protection issues mandate that this is held in secure storage with high integrity, auditability and accountability of process
Security of the biometric image process environment to protect against interception
New sensor devices include the use of a capture-specific generated nonce embedded into a trusted device as part of the defence against replay attacks
Societal factors
Public enthusiasm for national enrolment programmes! Or what?
• Actually most market research indicates reasonable compliance.
Who needs access to one to many matching and at what point?
• One to many matching is required to trap multiple identity registration. There is NO other legitimate reason other than covert surveillance.
Postulated conclusions
• Required at enrolment only.
• Match database should be fully anonymised.
• ALL other checks should be one to one
• Highly secure mechanisms for biometric escrow, and subsequent escalation need to be in place and under the control of a trusted intermediary authority
• Trusted authority acts to uphold the institution of Government - but is not constituted by officers of the government.
Systems integration
BioAPI is the emerging standard
This is a framework approach supporting plug-in provider applications
Given the diversity of biometrics and the encoding regimes used this framework is highly abstract and has a light touch.
Framework is primarily focused on template based methods.
Cryptographic modes operate on a password substitution model and do not require the complexity of a framework since the integration problem is much cleaner
Other standards
ICAO
• all biometrics to be stored in full image format to support multi-vendor operability
• face to be stored in unencrypted format
• other biometrics, iris or face, to be stored using encryption protocols to be determined by n-lateral agreements for n-lateral read
US led definition of ad-hoc standards - ultimately these will be moderated by the domestic mandates for privacy
Biometric modes
Conventional biometrics
• Template matching
• One to one Vs one to many
• Local storage Vs central storage
• Data protection
• Encrypted storage/universal access
Cryptographic modes
• Repeatable number generation - biometric keys
• Digitally signed identity certificate
• Entitlement certificate
• Private key mode
• Password substitution
Standard biometrics is based on comparison with stored templates
[Diagram: arrays of feature values X1 to X30 compared against a stored template; outcomes: Accept biometric, Reject biometric]
Pattern matching against stored data is an effective basis for authentication but is reliant on a system maintained record of a biometric reference template that is available at all points of authentication
Cryptographic modes are enabled by biometric key generation
[Diagram label: Asymmetric process instructions]
Asymmetric process instructions represent stored data generated at enrolment that are subsequently used to stabilise the regeneration of the biometric key
A biometric key can be exploited in a number of cryptographic modes
Biometric certificate - incorporated as a component of a digital signature (zero storage mode)
Biometric pin – biometric is a numeric component of a cryptographic key (zero knowledge mode)
[Diagram labels: Biometric certificate; Data; Signature (IA)]
Biometric certificates – zero storage mode
Biometric number is a stable integer value and can therefore be used as a component of signing data for a digital signature
The signing data can include other data attributes that can be bound to a biometric under the security jurisdiction of the private key that is used to generate the signature
The combination of digital signature and associated data is referred to as a biometric certificate since it contains a certified assertion of the binding between a biometric identity and related information
The security of the resultant document is based entirely on a single principal PKI key pair – i.e. protection of the private key used at issuance and trusted distribution of the public key that is used at verification
The biometric data does not contain any security sensitive data. It can be stored openly in plain-text format and does not require secure storage. This is a major driver of cost reduction as well as privacy.
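The zero storage mode above, as an added Go example that is not part of the original presentation: the biometric number enters the signed hash but is left out of the stored certificate. SHA-256, PKCS#1 v1.5 RSA signatures, the length-prefixed field layout and all sample values are assumptions; the slides say only SHA and RSA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Certificate holds only what is stored: data, process instructions and the
// signature. The biometric number itself is never stored (zero storage mode).
type Certificate struct {
	Data         []byte // identity or entitlement data, plain text
	Instructions []byte // process instructions used to regenerate the number
	Signature    []byte // signature of the issuing authority (IA)
}

// signingDigest hashes the biometric number together with the stored fields.
// Each field is length-prefixed so that field boundaries cannot be shifted.
func signingDigest(bioNumber, data, instructions []byte) []byte {
	h := sha256.New()
	for _, field := range [][]byte{bioNumber, data, instructions} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		h.Write(n[:])
		h.Write(field)
	}
	return h.Sum(nil)
}

// newIssuerKey generates the issuing authority's key pair (2048-bit RSA assumed).
func newIssuerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Issue runs inside the issuer's security perimeter at enrolment.
func Issue(priv *rsa.PrivateKey, bioNumber, data, instructions []byte) (Certificate, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256,
		signingDigest(bioNumber, data, instructions))
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{Data: data, Instructions: instructions, Signature: sig}, nil
}

// Verify takes the number regenerated from a live sample and cert.Instructions
// and checks it against the signature using only the issuer's public key.
func Verify(pub *rsa.PublicKey, cert Certificate, bioNumber []byte) bool {
	digest := signingDigest(bioNumber, cert.Data, cert.Instructions)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, cert.Signature) == nil
}

func main() {
	priv, err := newIssuerKey()
	if err != nil {
		panic(err)
	}
	enrolled := []byte("constructed-biometric-number-A") // constructed sample values
	cert, err := Issue(priv, enrolled, []byte("name=Example Holder"), []byte("offsets+M-data"))
	if err != nil {
		panic(err)
	}
	fmt.Println("holder:", Verify(&priv.PublicKey, cert, enrolled))
	fmt.Println("other person:", Verify(&priv.PublicKey, cert, []byte("constructed-biometric-number-B")))
	cert.Data = []byte("name=Someone Else")
	fmt.Println("altered data:", Verify(&priv.PublicKey, cert, enrolled))
}
```

Anyone holding the certificate and the public key can test candidate numbers offline, so the privacy of the biometric rests on the size of the regenerated number (the presentation cites 400 bit keys for iris).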
Biometric certificate – biometric as a component of signing data
[Diagram labels: Process instructions; Identity or entitlement data; SHA hash; RSA signature; Private key of issuing authority; Security perimeter. Biometric certificate: Identity or entitlement data; Process instructions; Signature]
Biometric certificate is a manifest of a verifiable digital binding between biometric identity and associated data
Biometric Certificate – in summary
[Diagram labels: Biometric certificate: Identity or entitlement data; Process instructions; Signature (IA)]
Biometric certificate enables the regeneration and authentication of a biometric source without revealing its value
Biometric certificates - applications
Public identity certificate – e.g. ID card
Anonymous Entitlement certificate – e.g. benefits entitlement card
Anonymous identity certificate
Biometric extension to public key certificate
Biometric certificate – as an identity document
Private key of passport office used to create digital binding of biometric to identity data
Public key of passport office used to verify document signature
Biometric certificate can be stored in an open format at any location
[Diagram labels: Biometric source; Personal identity data; Process instructions; Digital signature; Biometric certificate; Database; Smart card]
Biometric certificate - as an anonymous entitlement
Private key of benefits office used to create digital binding of biometric to entitlement data
Public key of benefits office used to verify certificate
Biometric is used as a proof of entitlement but preserves privacy of identity
[Diagram labels: Biometric source; Benefit entitlement; Process instructions; Digital signature. Biometric certificate: Entitlement data; Process instructions; Signature (IA)]
Biometric certificate – as a privacy enhanced identity check
Private key of health-care system
Public key of health-care system
Biometric is used as an identity integrity check – whilst preserving absolute privacy of identity
[Diagram labels: Biometric source; Medical record header; Process instructions; Digital signature. Biometric certificate: Patient record data; Process instructions; Signature (IA)]
Biometric certificate and public key certificates
[Diagram: Biometric certificate (Identity or entitlement data; Process instructions; Signature (IA)) + Public key certificate (Identity or trusted status data; Public key; Signature (CA)) = Public key certificate (Identity or trusted status data; Public key; Signature (CA); Process instructions)]
Biometric certificate is the complement of a public certificate. BC binds the identity data to the biological identity, whilst a PKC binds the identity data to the digital identity of a private key
Biometric PKC – as a robust identity check of online identity
Issuance: Private key of trusted third party
Verification: Public key of TTP
Biometric is used as an identity integrity check – whilst preserving absolute privacy of identity
[Diagram labels: Biometric source; Face/voice from video-conference link; Digital identity; Process instructions; Digital signature. Biometric PKC: X.509 PKC; Process instructions; Signature (IA)]
Biometric pin – zero knowledge protocols
A biometric number can function mathematically as a conventional password or pin
The interface between a cryptographic biometric pin generation mode and a digital security system is the generated number
It therefore works directly to add biometric security as an incremental measure to existing security models
• Password protection of private key
• Chip and pin
• Password based log-on to secured connection point
And provides some new security models
• Physical presence decryption of secured data – e.g. DNA component of a medical record
• Symmetric encryption of biometric history
Biometric pin – zero knowledge protocol
[Diagram labels: Existing security pin mechanisms; Pin generator]
Biometric key can be used incrementally to replace or enhance existing security models to support generation of a secret pin
Biometric enabled pin – something I have, something I know, something I am
[Diagram labels: Asymmetric process instructions; Pass phrase; Smart card; Pin generator]
Biometric key can be used to implement the three factor security model in a manner that is totally consistent with classical digital security models
Biometric enabled pin – biometric enhanced chip and pin
[Diagram labels: Pass phrase; Pin generator; Smart card]
Biometric key can be used as an incremental security layer to existing chip and pin models
Biometric pin – in summary
Biometric key that is used as a component of a generated PIN allows biometrics to be used as a replacement or enhancement to any existing password enabled application
Biometric pin – as a sign-on mechanism to computer device
Biometric key that is used as a component of a log-on password to add biometric authentication as an incremental security mechanism
Password based log-on
Biometric pin – as an enabler of a private key
Biometric key that is used as a component of a generated PIN allows biometrics to be used as a replacement or enhancement to any existing password enabled application
[Diagram labels: SHA + AES; Private key enablement]
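The three factor pin and the private key enablement described on the preceding slides, as an added Go example that is not part of the original presentation: the regenerated biometric number, a pass phrase and a card-held secret are combined into one generated pin, which then locks a private key. HMAC-SHA-256 as the combining function, AES-256-GCM as the AES mode and all sample values are assumptions; the slides say only SHA and AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// derivePin combines the three factors into a 256-bit generated pin:
// something I have (card secret), something I am (biometric number),
// something I know (pass phrase).
func derivePin(cardSecret, bioNumber []byte, passPhrase string) []byte {
	mac := hmac.New(sha256.New, cardSecret)
	// A length prefix keeps the biometric number and pass phrase fields apart.
	mac.Write([]byte{byte(len(bioNumber) >> 8), byte(len(bioNumber))})
	mac.Write(bioNumber)
	mac.Write([]byte(passPhrase))
	return mac.Sum(nil)
}

func newGCM(pin []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pin) // a 32-byte pin selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock encrypts a private key under the generated pin. The pin is not stored.
func Lock(pin, privateKey []byte) ([]byte, error) {
	gcm, err := newGCM(pin)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, privateKey, nil), nil // blob = nonce || ciphertext
}

// Unlock returns the private key only if the pin regenerated from all three
// factors matches; any wrong factor fails the GCM authentication check.
func Unlock(pin, blob []byte) ([]byte, error) {
	gcm, err := newGCM(pin)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("key blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	// Constructed sample values.
	card, bio := []byte("constructed-card-secret"), []byte("constructed-biometric-number")
	blob, err := Lock(derivePin(card, bio, "constructed pass phrase"), []byte("constructed private key bytes"))
	if err != nil {
		panic(err)
	}
	_, err = Unlock(derivePin(card, bio, "constructed pass phrase"), blob)
	fmt.Println("all three factors present:", err == nil)
	_, err = Unlock(derivePin(card, []byte("another-biometric-number"), "constructed pass phrase"), blob)
	fmt.Println("different biometric number:", err == nil)
}
```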
Biometric private key – physical presence decryption in closed system PKI
[Diagram labels: Cipher-records; Patient database; Public key; Write/store; Read/access; Private key]
Biometric signing device – private key management for open system PKI
User biometric unlocks a private key to enable crypto operations within a secure user managed environment
Remote authentication supported by standard PKI
• Universal biometric sign-on through a single user controlled device
• Physical presence security protects digital assets on device
• No means of attack of digital identity through stolen device
• New device can be activated by download from networked repository
[Diagram labels: User; Process instructions; Public key; Network; Network connected reliant party; Network repository]
Biometric pin – as a symmetric encryption key to support drift tracking
[Diagram labels: Biometric pin; Process instructions; SHA + AES; Value history; Enrolment update]
History statistics on previous readings are stored encrypted under the biometric pin, used in symmetric encryption mode. Access to value history supports continuous enrolment.
Biometric key – two phase protocol for attack resistant keys
[Diagram labels: Secure server; Pin generator/key enabler; External pin; Server controlled key share; Key blob; Attack resistant pin or private key; Server protected public key]
Technology overview for biometric key generation
Basic premise of biometric key generation
[Diagram labels: Asymmetric process instructions; Likely to be impossible; Difficult but tractable]
Issues to be addressed for biometric key generation
Consistency of spatial alignment
Consistency of measurement structure
• boundaries of inclusion
• consistency of reference index – i.e. spatial sequencing
• Errors of inclusion – false minutiae, missed minutiae
Consistency of encoding
Consistency of value
• Feature classification
• Stability of digital value following conversion from real to integer
Scalability to large number of features
• As the volume of biometric information increases the probability of at least one error increases exponentially
Spatial alignment of a biometric – alignment vector
Sacrificial feature elements – either a partial image, or location references for a small feature subset
External reference points – alignment by device (finger guides on scanner), or alignment by other reference data – eyelid corners
Implicit reference points – use second order information about biometric e.g. fault map minimisation
[Diagram labels: Sacrificial features or partial image; External reference points; Implicit reference points]
Consistency of measurement structure
Inclusion boundary – specified by a stored policy and reinforced by exclusion vector
Spatial order resolution – enforced by sequence vector which is used to identify sequence clusters
Inclusion errors – propagation effect is mitigated by the use of specialised structural error correction techniques
[Diagram labels: Consistently exclude unstable features; Consistent spatial sequence through targeted use of secondary sort attribute; Structural error correction detects and locates presence and position of inclusion errors]
Configuration of encoders
Selection of encoders – e.g. selection of wavelet function and secondary properties such as scale, orientation
Spatial variation of encoders – different elements of the biometrics may be configured separately so as to maximise information extracted
Typical examples for iris:
• Grid resolution of biometric surface
• Selection of encoder, texture, intensity gradient, normalised intensity
Configuration is dynamically optimised at enrolment and once optimised is remembered in the form of stored configuration parameters
Configuration instructions provide the formal basis of interaction between generic enrolment processes and plug-in encoders
Optimisation models will typically explore the configuration space of the enabled encoders
Consistency of value
Any conversion from real number measurement to integer is subject to digital boundary effect
The effect is an arbitrary consequence of a uniform measurement basis
Digital boundary effect is eliminated through the use of independent basis of measurement for each measured value
[Figure labels: Real domain; Digital encoding domain; Best case; Worst case]
Scalability to large numbers of features
Use redundant data of biometric as a data channel for error correction
Residual key-data is converted to error correction code-words to generate error correction bits
Error correction bits are encoded under fault tolerant symmetric encryption by redundant data
Results in a configurable level of fault tolerance
[Diagram: grid of biometric data bits (B) and grid of mapping data bits (M)]
Value stabilisation in detail
Exploration of the digital boundary effect reveals it to be an arbitrary property of an unnecessarily constrained measurement basis
The key to addressing the digital boundary effect is in adaptive customisation of the measurement axis on a per-feature basis
This supports minimisation of element faults that arise from digital boundary noise
The limitations on effectiveness of the technique derive from statistical analysis of offset patterns in data-encoding schemes where over-sampling has been applied.
In this situation the property of asymmetry is compromised because analysis of the offsets provides better than random predictability of where edge transitions occur
Exploring the digital boundary effect
[Figure labels: Best case; Worst case]
A measurement profile is like a vibration along its probability distribution
A collision with a digital boundary generates an encoding fault - noise
The propensity to error is a function of the placement of the distribution relative to digital boundaries
If a measurement vibration is contained between two adjacent quantisation boundaries then the feature faults rarely – resulting in low level of noise
Addressing the digital boundary effect
There is no requirement for a common basis of measurement across all encoded features
Stored offsets are used to provide a localised shift of the measurement axis
The effect of this is that all measurement vibrations are optimally situated with respect to fault boundaries
Resulting in a minimised level of digital boundary noise
[Figure labels: Standard origin; Best case]
Normalising signal to noise ratio across a biometric
Some features may exhibit higher stability than others – with reduced deviation in measurement error profile
Different resolutions of encoding are therefore appropriate
Stored process instructions can be used to customise the unit scaling of encoding prior to digital conversion
Resulting in a homogenised level of element fault probability across all features
[Figure labels: Stable feature; Unstable feature; Normalised probability of element fault]
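The stored offsets and per-feature unit scaling described above, as an added Go example that is not part of the original presentation: two later readings of the same source encode differently on a common basis of measurement and identically once the stored instructions are applied. The Instruction layout, the rule of a step four times the largest enrolment deviation and all readings are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Instruction is the stored per-feature process instruction (hypothetical layout).
type Instruction struct {
	Offset float64 // localised shift of the measurement axis
	Width  float64 // unit scaling: size of one quantisation step
}

// standard is the common basis of measurement: shared origin, unit step.
var standard = Instruction{Offset: 0, Width: 1}

// Constructed sample data: feature 0 is stable but sits on a digital boundary
// (3.0); feature 1 is unstable.
var (
	enrolment = [][]float64{{2.96, 3.01, 2.97, 3.02}, {7.2, 7.9, 7.5, 8.2}}
	readingA  = []float64{2.95, 7.3}
	readingB  = []float64{3.04, 8.1}
)

// quantise converts one real measurement into its integer code.
func quantise(x float64, in Instruction) int {
	return int(math.Floor((x + in.Offset) / in.Width))
}

// enrolFeature derives the instruction from repeated enrolment readings.
// Assumption: the step is 4x the largest deviation from the mean (never below
// 1), so the observed spread fills only the middle half of a step.
func enrolFeature(readings []float64) Instruction {
	mean := 0.0
	for _, r := range readings {
		mean += r
	}
	mean /= float64(len(readings))
	dev := 0.0
	for _, r := range readings {
		dev = math.Max(dev, math.Abs(r-mean))
	}
	width := math.Max(1, 4*dev)
	// Shift the axis so that the mean lands on the centre of a step.
	return Instruction{Offset: width/2 - math.Mod(mean, width), Width: width}
}

// Enrol produces one stored instruction per feature; samples[f] holds the
// enrolment readings of feature f.
func Enrol(samples [][]float64) []Instruction {
	ins := make([]Instruction, len(samples))
	for f, readings := range samples {
		ins[f] = enrolFeature(readings)
	}
	return ins
}

// Encode applies the per-feature instructions and returns the integer codes.
func Encode(x []float64, ins []Instruction) []int {
	codes := make([]int, len(x))
	for f := range x {
		codes[f] = quantise(x[f], ins[f])
	}
	return codes
}

// equal reports whether two code vectors are identical.
func equal(a, b []int) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	common := []Instruction{standard, standard}
	fmt.Println("common basis:  ", Encode(readingA, common), Encode(readingB, common))
	stored := Enrol(enrolment)
	fmt.Println("stored offsets:", Encode(readingA, stored), Encode(readingB, stored))
}
```

Each stored offset discloses the enrolment mean modulo the step width, though not which step it falls in; this is the stored data that the caveat under "Value stabilisation in detail" about statistical analysis of offset patterns refers to.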
Error correction – in detail
Scalability to large numbers of features
Use redundant data of biometric as a data channel for error correction
Residual key-data is converted to error correction code-words to generate error correction bits
Error correction bits are encoded under fault tolerant symmetric encryption by redundant data
Results in a configurable level of fault tolerance
[Diagram: grid of biometric data bits (B) and grid of mapping data bits (M)]
Scalability to large numbers of features
[Diagram: Partition splits biometric data (B) into key data (K) and redundant data (R); error correction data (P) is generated from the key data; map data generation combines P and R into mapping data (M)]
Exploits standard forward error correction techniques as applied to data communications and storage
[Diagram: data bits (D D D D) are encoded into a code word (D D D D P P P P), transmitted with a bit fault, and decoded back to the data bits (D D D D)]
The data transmission channel includes a proportion of redundant data to support fault tolerance
An error correction algorithm, e.g. Hamming, BCH or Golay supports the generation of code words by appending parity data
Transmission on a noisy channel gives rise to random bit faults
The algorithm supports maximum likelihood decoding of a faulty code-word to regenerate a fault-free version of the initial data
Enrolment steps for error correction
Partition the biometric data into key-data (k-data) and redundant data (r-data)
Decompose the key-data into error correction code words according to the configured algorithm
Apply the configured algorithm to generate the required error correction parity data for each code-word
Recover all of the generated parity data as an array of binary data (p-data)
Apply binary mapping function to store the P-data, transformed under R-data to generate the mapping data M-data
Place the M-data within the storage unit for stored process instructions
Partitioning of data
[Diagram: Partition splits biometric data (B) into key data (K) and redundant data (R)]
Partition algorithm is deterministic under a given encoding regime
Partition algorithm performs pseudo random redistribution of data
Takes explicit account of the size of error correction code-words
Component bits of each code-word are based on scattered sampling across biometric surface – dilutes burst error
Key data is based on equi-distribution of sample points of biometric surface – maximises residual entropy
Generation of error correction data
[Diagram: key data (K) is decomposed into data words (D D D D); each is extended to a code word (D D D D P P P P); the parity bits are collected as P-data]
Key data is decomposed into error correction code words to form the data component of the transmission data
Configured error correction algorithm generates the parity data
Parity data is extracted as a byte stream
Generation of stored error correction mapping data
[Diagram: P-data XOR R-data = M-data]
Redundant data from the biometric is used to create a fault tolerant reversible mapping of error correction parity data into a form of safe storage
The mapping is reversible such that in the presence of equivalent redundant data from any subsequent measurement instance the parity data can be recovered from the mapping data
Mapping data is stored as a byte stream within the process instructions
Redundant data forms a data-channel for the storage and recovery of the error correction parity data
Key data is not stored and is recovered directly from each measurement instance of the biometric source
Application of stored mapping data to apply error correction to biometric key
Partition the biometric into K-Data and R-Data using the same algorithm as applied in enrolment
Read M-Data from the process instructions
Recover P-Data by applying the inverse mapping of M-Data under R-Data
Decompose K-data into error correction code words as at enrolment
Populate the parity data of each code word from the recovered P-Data
Apply the error correction algorithm for each code word
Recover K-data as the error corrected data component of each code word
Partitioning of data
[Diagram: Partition splits biometric data (B) into key data (K) and redundant data (R)]
Partition algorithm is exactly the same as enrolment
Any degrees of freedom are fixed at enrolment and stored as configuration instructions
Recovery of parity data and reconstruction of code words
[Figure: P-Data recovered from R-Data and M-Data by XOR; K-Data decomposed into data components (D); code words assembled as D plus P]
Redundant data is used to recover P-data from the stored M-data
The K-data is decomposed into error correction code words
The parity component of code-words is populated from P-data
Recovery of biometric key
[Figure: code words (D plus P), their error corrected data components (D), and the resulting K-Data]
Error correction algorithm is applied to each code word to regenerate the error corrected data-component of each code word
The error corrected K-data is extracted from the error corrected code words
Fault map generation
Error corrected K-Data, K-Data’, can be used to regenerate the error corrected form of P-Data, P-Data’, using the configured error correction algorithm
P-Data’ can be combined with stored M-Data to regenerate error corrected form of R-Data, R-Data’
The original form of biometric data, B-Data’, can be recovered by applying the inverse partitioning algorithm on K-data’ and R-Data’
XOR mapping between the currently measured B-Data and the fully error corrected form B-Data’, enables the regeneration of an element fault map – representing the difference between the current biometric and the biometric values generated at enrolment
Application of the stored offsets in combination with B-data’, allows complete regeneration of the exact biometric measurements that are represented by the enrolment data
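The enrolment mapping, key recovery and fault map steps described on the preceding slides, as an added example that is not part of the original presentation. It assumes Hamming(7,4) as the error correction algorithm and a fixed 4-bit/3-bit split of each 7-bit block as the partition algorithm; the slides specify neither, and the sample bits are constructed.

```python
# Added illustration. Assumptions: Hamming(7,4) as the error correction code and
# a fixed 4+3 bit split of every 7-bit block as the partition algorithm.

def parity(d):
    """P-Data for one code word: 3 parity bits over 4 data bits."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]

def correct(d, p):
    """Correct at most one bit error in the code word (d, p); return the data."""
    syndrome = tuple(a ^ b for a, b in zip(parity(d), p))
    # A weight-1 syndrome means the error sits in the parity bits: data is fine.
    bad = {(1, 1, 0): 0, (1, 0, 1): 1, (0, 1, 1): 2, (1, 1, 1): 3}.get(syndrome)
    d = list(d)
    if bad is not None:
        d[bad] ^= 1
    return d

def partition(b):
    """Split B-Data into K-Data and R-Data words (same rule at enrolment and use)."""
    blocks = [b[i:i + 7] for i in range(0, len(b), 7)]
    return [blk[:4] for blk in blocks], [blk[4:] for blk in blocks]

def xor(x, y):
    return [a ^ b for a, b in zip(x, y)]

def enrol(b):
    """Return M-Data = P-Data XOR R-Data. Only M-Data is stored, never the key."""
    k, r = partition(b)
    return [xor(parity(kw), rw) for kw, rw in zip(k, r)]

def recover(b_measured, m):
    """Return (error corrected K-Data, fault map) for a later measurement."""
    k, r = partition(b_measured)
    key, b_enrolled = [], []
    for kw, rw, mw in zip(k, r, m):
        kc = correct(kw, xor(mw, rw))        # P-Data = M-Data XOR R-Data
        rc = xor(mw, parity(kc))             # R-Data' = M-Data XOR P-Data'
        key += kc
        b_enrolled += kc + rc                # inverse partition gives B-Data'
    return key, xor(b_measured, b_enrolled)  # fault map = B-Data XOR B-Data'

# Constructed sample: 21 enrolment bits, then a re-measurement with one flipped
# bit per 7-bit block (positions 2 and 14 hit K-Data, position 12 hits R-Data).
B_ENROL = [1,0,1,1,1,1,0, 0,1,1,0,0,1,1, 1,1,0,0,0,0,1]
B_LATER = [bit ^ (i in (2, 12, 14)) for i, bit in enumerate(B_ENROL)]
M_DATA = enrol(B_ENROL)
KEY, FAULTS = recover(B_LATER, M_DATA)
```

An error in the R-Data of a later measurement appears as a parity error after the inverse mapping, so it consumes the same correction capacity as an error in the K-Data; with this stand-in code, two flipped bits in one block yield a wrong key.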
Regeneration of fault map – recovery of error corrected R-Data
[Figure: error corrected data components (D) and K-Data; code words (D plus P) yielding regenerated P-Data; R-Data regenerated from M-Data and P-Data by XOR]
Original values of P-Data can be regenerated from error corrected K-data
Original values of R-Data can be regenerated from mapping between M-data and P-data
Regeneration of biometric data
[Figure: K-Data and R-Data recombined into B-Data]
Recombining R-Data and K-Data through inverse partition algorithm regenerates original form of B-data generated at enrolment
Fault map generation
[Figure: Enrolment value (B) XOR Measured value (B) = Differences (F)]
Recombining error corrected form of B-data’ with the uncorrected B-data corresponding to current encoding enables construction of a fault map
Error Correction of Multi-bit Integer Data
[Figure: B-Data shown as a stack of bit planes, labelled LSB and HSB]
Integers are represented as multiple bits
Measurement error is not homogeneous across bit position
Appropriate to split biometric surface into multiple bit streams
Allow different level of redundancy for different bit streams – or even different algorithms
Error Correction of Multi-bit Data
[Figure: fault map (F) alongside B-Data bit planes, labelled LSB and HSB]
For a correctly tuned system the majority of errors will be +/-1, since the margin of error for +/-2 is approx 3 times greater in extent
Majority of errors, typically 98%, in higher order bit streams will have a corresponding error in the LSB plane
Fault map can be fully determined from the LSB bit plane
Use of fault map to constrain the most likely error locations improves error correction in higher order bit streams
Fault map decoding
Using the fault map we can determine through partition maps exactly which bits in HSB streams correspond to detected faults in the LSB bit plane
[Figure: code word D D D D D D D D D D D D P P P P P P P P P P P with three positions flagged by the fault map]
Set of all code-words consistent with fault map:
D D 0 D D D D D D 0 D D P P P P 0 P P P P P P
D D 0 D D D D D D 0 D D P P P P 1 P P P P P P
D D 0 D D D D D D 1 D D P P P P 0 P P P P P P
D D 0 D D D D D D 1 D D P P P P 1 P P P P P P
D D 1 D D D D D D 0 D D P P P P 0 P P P P P P
D D 1 D D D D D D 0 D D P P P P 1 P P P P P P
D D 1 D D D D D D 1 D D P P P P 0 P P P P P P
D D 1 D D D D D D 1 D D P P P P 1 P P P P P P
[Figure: set of all error corrected values consistent with fault map (one row of D per code-word above), reduced to a single modal value]
Exploring the code space to determine the modal value consistent with the fault map efficiently exploits the available information to maximise error correction performance
Regeneration of real-number version of biometric data
[Figure: B-Data (B) + offsets (O) = real-number biometric data (b)]
Recombining digital form of B-data with the offset vector enables complete reconstruction of the real number measurement values of the biometric
Use of recovered b-data to support continuous enrolment
[Figure: B + O = b, with successive b-data values accumulated as a value history]
Value history can be locked under biometric key, in symmetric encryption mode, to support continuous revision of value related process instructions