<http://www.newscientist.com/news/print.jsp?id=ns99995010> New Scientist New biometric approach secures ID cards 19:00 19 May 04 Exclusive from New Scientist Print Edition. Subscribe and get 4 free issues. A novel biometric identification system could counter many of the objections to ID card schemes such as the one being proposed by the UK government. The system can unequivocally link a person to a particular ID card without having to match their biometric characteristics to data stored either on the card or on a central database. A biometric is a unique measure of some facet of a person's body - such as a fingerprint or an iris scan. By 2005, the International Civil Aviation Organisation wants such data incorporated in newly issued passports. And the UK government wants it in ID cards from 2007. The information will also be stored on databases. A person enrolling into a biometric scheme based on iris recognition first has to peer into an infrared scanner which records an image of one of their irises. This is then processed to convert it into a string of digits - that person's "biometric reference template". This is obtained by dividing the image into hundreds of squares and measuring the light intensity in each one. This is then stored on a central database, as in the proposed UK system, or on the individual's ID card. Sufficiently similar Later, when that person needs to prove their identity, a fresh scan is taken and processed, and the resulting data is matched to the stored reference template. If the two are sufficiently similar, the ID is authenticated. An exact match is not required, because there are always likely to be some differences between scans, caused by variations in measurement conditions, like lighting. The danger, security experts say, is that if someone's reference template were to be captured it could be used illicitly. For example, a criminal could simply send the template to a service provider such as a bank as if it had originated from a scanner. Now Gavan Duffy of Generics Group, based in Cambridge, UK, has devised a technique that avoids any need to store the biometric reference template. It relies on a statistical trick that removes the variability in the results when an iris or fingerprint is scanned. "We're enhancing its stability," Duffy says. String of digits In conventional systems, when an iris image is divided into a grid and converted into a string of digits, the values stored for the brightness vary within a range. Problems occur when the brightness value falls close to a threshold between two levels. This makes it likelier that during one scan it will fall short of this threshold, while under different lighting conditions it might rise far enough to put it in a different range. For example, if the scale of light intensities is from 0 to 10, a reference reading in a certain grid square might be 3.9. This would normally be rounded down to a 3. But in a later scan, that grid point might be measured as high as 4.1 and so be recorded as a 4, creating a mismatch between the scanned template number and the reference template number. Generics' trick is to remove this uncertainty by providing an "offset" value for each data point in the grid. Each offset value is chosen so as to shift the value of the original scan to the middle of its range. In the above example, the grid square would have an offset of 0.4 assigned to it, to shift the reading of 3.9 to the middle of its range, which is 3.5. If a later scan happened to produce a reading of 4.1, applying the offset it would bring it down to 3.7, which would be recorded as a 3, just as in the reference. "We can, with high reliability, generate the same number," says Duffy. Irreversibly encrypted Because the scan gives the same result time after time, the reference template can be combined with data recorded on the card to create a "digital signature" unique to the user. By irreversibly encrypting this signature it is possible to ensure that the biometric data is unrecoverable and not open to misuse. The offset data is stored on the card, unencrypted, as it is no use to anyone but the owner. When someone needs to prove who they are, a reader combines the scan with the offsets to make a template. This is then combined with the personal data on the card to produce a fresh signature. If the user is genuine, the new signature should be a perfect match for the stored one. Privacy campaigners are guardedly impressed: "This looks like a good solution. They are just storing information that needs the iris or fingerprint to be present for the offset information to be any use," says Ian Brown, of the Foundation for Information Policy Research. Though he stresses FIPR is opposed to ID cards, he says Generic's scheme seems to be a lesser evil. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'