New biometric approach secures ID cards

R. A. Hettinga rah at
Thu May 20 08:36:59 PDT 2004


 New Scientist

New biometric approach secures ID cards


19:00 19 May 04


Exclusive from New Scientist Print Edition. Subscribe and get 4 free issues.


A novel biometric identification system could counter many of the
objections to ID card schemes such as the one being proposed by the UK

The system can unequivocally link a person to a particular ID card without
having to match their biometric characteristics to data stored either on
the card or on a central database.

A biometric is a unique measure of some facet of a person's body - such as
a fingerprint or an iris scan. By 2005, the International Civil Aviation
Organisation wants such data incorporated in newly issued passports. And
the UK government wants it in ID cards from 2007. The information will also
be stored on databases.

A person enrolling into a biometric scheme based on iris recognition first
has to peer into an infrared scanner which records an image of one of their
irises. This is then processed to convert it into a string of digits - that
person's "biometric reference template".

 This is obtained by dividing the image into hundreds of squares and
measuring the light intensity in each one. This is then stored on a central
database, as in the proposed UK system, or on the individual's ID card.

Sufficiently similar

Later, when that person needs to prove their identity, a fresh scan is
taken and processed, and the resulting data is matched to the stored
reference template. If the two are sufficiently similar, the ID is

 An exact match is not required, because there are always likely to be some
differences between scans, caused by variations in measurement conditions,
like lighting.

 The danger, security experts say, is that if someone's reference template
were to be captured it could be used illicitly. For example, a criminal
could simply send the template to a service provider such as a bank as if
it had originated from a scanner.

Now Gavan Duffy of Generics Group, based in Cambridge, UK, has devised a
technique that avoids any need to store the biometric reference template.
It relies on a statistical trick that removes the variability in the
results when an iris or fingerprint is scanned. "We're enhancing its
stability," Duffy says.

String of digits

In conventional systems, when an iris image is divided into a grid and
converted into a string of digits, the values stored for the brightness
vary within a range.

 Problems occur when the brightness value falls close to a threshold
between two levels. This makes it likelier that during one scan it will
fall short of this threshold, while under different lighting conditions it
might rise far enough to put it in a different range.

 For example, if the scale of light intensities is from 0 to 10, a
reference reading in a certain grid square might be 3.9. This would
normally be rounded down to a 3. But in a later scan, that grid point might
be measured as high as 4.1 and so be recorded as a 4, creating a mismatch
between the scanned template number and the reference template number.

Generics' trick is to remove this uncertainty by providing an "offset"
value for each data point in the grid. Each offset value is chosen so as to
shift the value of the original scan to the middle of its range. In the
above example, the grid square would have an offset of 0.4 assigned to it,
to shift the reading of 3.9 to the middle of its range, which is 3.5.

 If a later scan happened to produce a reading of 4.1, applying the offset
it would bring it down to 3.7, which would be recorded as a 3, just as in
the reference. "We can, with high reliability, generate the same number,"
says Duffy.

Irreversibly encrypted

Because the scan gives the same result time after time, the reference
template can be combined with data recorded on the card to create a
"digital signature" unique to the user.

 By irreversibly encrypting this signature it is possible to ensure that
the biometric data is unrecoverable and not open to misuse. The offset data
is stored on the card, unencrypted, as it is no use to anyone but the owner.

 When someone needs to prove who they are, a reader combines the scan with
the offsets to make a template. This is then combined with the personal
data on the card to produce a fresh signature. If the user is genuine, the
new signature should be a perfect match for the stored one.

 Privacy campaigners are guardedly impressed: "This looks like a good
solution. They are just storing information that needs the iris or
fingerprint to be present for the offset information to be any use," says
Ian Brown, of the Foundation for Information Policy Research. Though he
stresses FIPR is opposed to ID cards, he says Generic's scheme seems to be
a lesser evil.


R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list