The present invention relates to a biometric authentication method and system for authenticating a user by biometric information of the user.
A personal authentication system using biometric information obtains biometric information of a user in the initial registration, extracts information called a feature quantity, and registers the extracted information. This registered information is called a template. Upon authentication, the system obtains again the biometric information from the user to extract the feature quantity, and verifies the identity of the user by verifying the feature quantity against the template having been registered.
In a system in which a client and a server are connected via a network, typically the server maintains a template when biometrically authenticating a user on the client side. The client obtains the biometric information of the user upon authentication, extracts a feature quantity, and transmits to the server. The server matches the feature quantity against the template to determine whether the two feature quantities are from the same person.
However, the template is information by which an individual can be identified. Thus the template needs to be strictly managed as personal information and thereby needs a high management cost. Even if the information is strictly managed, many people are still psychologically hesitant to register a template from the point of view of privacy. The number of physical characteristics per person for one pieces of biometric information (e.g., only ten fingers for fingerprints) is limited, so that the template is not easily changed, unlike the password and encryption key. Thus the biometric authentication could not be used if the template were leaked and exposed to forgery. In addition, when the same biometric information is registered to a different system, the different system also faces a threat.
To cope with the above described problems, JP-A No. 7802/2001 (US 20050229009, EP 1063812) discloses a method that biometric information is encrypted and transmitted to an authentication server. With this method, as the biometric information is needed to be encrypted upon authentication, it is difficult to prevent leakage caused by sophisticated attacks as well as leakage intentionally caused by a server administrator. Hence the method is insufficient for the protection of privacy issues.
Thus a method (called cancelable biometric authentication) is proposed in which, upon registration of biometric information, a feature quantity is transformed by a certain function and secret parameter held by the client and is stored as a template to the server to which the original information is kept confidential, and upon authentication, a feature quantity of biometric information is newly extracted by the client, transformed by the same function and parameter, and is transmitted to the server which then matches the received feature quantity against the template in the transformed state respectively.
With this method, as the client secretly holds the transformation parameter, the original feature quantity is still unknown to the server upon authentication and the personal privacy is protected. Even if the template is leaked, security can be maintained by regenerating and reregistering the template with the transformation parameter changed. In the case of using the same biometric information to different systems, templates are registered after transformation of different parameters for the respective systems. In this way, even if one template is leaked, it is possible to prevent the security of the other systems from being reduced.
A specific method for realizing cancelable biometric authentication is dependant on the type and verification algorithm of the biometric information. A method for realizing cancelable biometric authentication by face images is proposed in M. Savvides, B. V. K. Vijayakumar, and P. K. Khosla, “Authentication-Invariant Cancelable Biometric Filters for Illumination-Tolerant Face Verification”, Biometric Technology for Human Identification, Proceedings of SPIE Vol. 5404, p 156-163. In this method, a face image is transformed into frequency space. Upon registration, a filter is generated as a template for absorbing illumination changes and the like. Upon authentication, a filter process is applied using the template to the input face image. Then the authentication is performed by making a threshold determination for the output pattern.
According to the above JP-A No. 7802/2001 (US 20050229009, EP 1063812), in a remote user authentication system using biometric information, the input biometric information is encrypted on the client side and is transmitted to the authentication server in which the encrypted information is decoded. This makes it possible to securely transmit and receive the biometric information in the biometric authentication system via a network. However, the user's biometric information may not be confidential to a server administrator as the biometric information is decoded within the authentication server. For this reason, there is a possibility of leakage of unencrypted biometric information due to an accident or dishonesty of the server administrator. Still there remains a problem that the hesitation about privacy for the user may not be reduced.
According to the description in M. Savvides, B. V. K. Vijayakumar, and P. K. Khosla, “Authentication-Invariant Cancelable Biometric Filters for Illumination-Tolerant Face Verification”, Biometric Technology for Human Identification, Proceedings of SPIE Vol. 5404, p 156-163, it is possible to realize cancelable transformation by applying a random filter to a registration template. However, when the cancelable transformation is performed by applying such a method to a verification algorithm using cross-correlations between images as verification values, the verification values are largely different, thereby causing a problem that the verification accuracy is degraded.
Further, when the enrolled image and the verification image are three-value images having three types of illuminance values according to the degree of physical characteristics, a verification algorithm uses distance values of the three-value images as verification values. Also in this case, the cancelable transformation may not be realized by the method proposed in M. Savvides, B. V. K. Vijayakumar, and P. K. Khosla, “Authentication-Invariant Cancelable Biometric Filters for Illumination-Tolerant Face Verification”, Biometric Technology for Human Identification, Proceedings of SPIE Vol. 5404, p 156-163.