The present invention relates to a method for authenticating a user by biometric information, a program for executing the method, and an authentication system. More particularly, the invention relates to a method and the like for authenticating a user by fingerprint information.
An authentication system using fingerprint information obtains a fingerprint image of a user at registration, extracts a feature quantity from it, and registers that feature quantity. This registration information is called a template. Upon authentication, the system newly obtains a fingerprint image from the user, extracts a feature quantity, and compares it against the template to verify the identity of the user. In a system in which a client and a server are connected via a network, a typical arrangement for authenticating a user on the client side is for the server to maintain the template. The client obtains the user's fingerprint upon authentication, extracts a feature quantity, and transmits the feature quantity to the server. The server verifies the feature quantity against the template to authenticate the user.
However, the template is information by which the user can be identified. Thus, the template needs to be strictly managed as personal information, which entails a high management cost. Even if the information is strictly managed, many users are still psychologically hesitant to register a template from the point of view of privacy. Furthermore, the number of fingerprints per user is limited (ten fingers across the right and left hands). If the template is leaked and could be forged, it cannot easily be changed, unlike an encryption key. In addition, when the same biometric information is registered in a different system, that system also faces a threat.
To cope with such problems, the template may be encrypted before it is stored. However, because this method requires the template to be decrypted at the time of authentication, it is difficult to prevent leakage caused by sophisticated attacks as well as leakage intentionally caused by a server administrator. Hence, the method is insufficient for protecting privacy.
Thus, a method has been proposed that works as follows. Upon registration, the client transforms a feature quantity using a certain function and a secret parameter that the client holds, and the result is stored in the server as a template, so that the original feature quantity is kept confidential. Upon authentication, the client transforms a newly extracted fingerprint feature quantity with the same function and parameter and transmits it to the server, which verifies the received feature quantity against the template while both remain in the transformed state. This method is called cancelable biometric authentication, and is disclosed, for example, in N. K. Ratha, et al., “Enhancing security and privacy in biometric-based authentication systems”, IBM Systems Journal, Vol. 40, No. 3, 2001.
According to this document, the client secretly holds the transformation parameter. The original feature quantity remains unknown to the server even upon authentication, so that personal privacy is protected. Even if the template is leaked, security can be maintained by changing the transformation parameter and then regenerating and re-registering the template. When the same biometric information is used in different systems, templates are registered after transformation with a different parameter for each system. This makes it possible to prevent the security of the other systems from being reduced, even if one template is leaked. Here, the transformation parameter is equivalent to the key in encryption, and needs to be secretly managed by the client.
As specific methods for realizing the cancelable biometric authentication, two techniques are presented in N. K. Ratha, et al., “Enhancing security and privacy in biometric-based authentication systems”, IBM Systems Journal, Vol. 40, No. 3, 2001. One is a method for dividing a fingerprint image into n×m blocks and using block substitution as the transformation. The other is a method for transforming the x coordinate, y coordinate, and direction angle θ of a fingerprint feature point by high-order polynomial functions, respectively. Here, the fingerprint feature points represent fingerprint ridge endings and bifurcations. The fingerprint verification algorithm, generally called “minutia matching”, uses the coordinates (x, y) of the feature points and the ridge direction angles θ at the feature points as the feature quantity.
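The following Python example is an added illustration, not code from this document or from Ratha et al. It applies the block-substitution idea to minutiae coordinates (x, y, θ) rather than to the image itself, and shows registration, matching in the transformed domain, and the effect of changing the transformation parameter. The grid size, key strings, matcher tolerances, simplified matcher, and sample minutiae are all constructed assumptions.

```python
import hashlib
import math
import random

W, H, N, M = 256, 256, 4, 4            # assumed image size and n x m block grid
BW, BH = W // N, H // M                # block width and height in pixels

def block_permutation(key):
    """Derive the secret block substitution from the client's transformation parameter."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    perm = list(range(N * M))
    random.Random(seed).shuffle(perm)  # deterministic for a given key
    return perm

def transform(minutiae, key):
    """Move each minutia into the block that replaces its source block; theta is kept."""
    perm = block_permutation(key)
    out = []
    for x, y, theta in minutiae:
        dst = perm[(y // BH) * N + (x // BW)]
        out.append(((dst % N) * BW + x % BW, (dst // N) * BH + y % BH, theta))
    return out

def match_score(template, probe, d_tol=6, a_tol=15):
    """Simplified minutia matching: share of template points with a close probe point."""
    used, hits = set(), 0
    for tx, ty, tt in template:
        for i, (px, py, pt) in enumerate(probe):
            da = abs(tt - pt) % 360
            near = math.hypot(tx - px, ty - py) <= d_tol and min(da, 360 - da) <= a_tol
            if i not in used and near:
                used.add(i)
                hits += 1
                break
    return hits / max(len(template), len(probe))

# Constructed sample: enrolled minutiae and a slightly noisy re-capture of the same finger.
# Points sit away from block borders; noise that crosses a border would break the match.
ENROLLED = [(20, 30, 45), (90, 40, 120), (150, 100, 200),
            (210, 220, 10), (100, 170, 300), (40, 210, 90)]
RECAPTURE = [(x + 2, y - 1, (t + 4) % 360) for x, y, t in ENROLLED]

def demo():
    old_key, new_key = b"client-parameter-1", b"client-parameter-2"  # placeholder values
    template = transform(ENROLLED, old_key)           # the only data the server stores
    genuine = match_score(template, transform(RECAPTURE, old_key))
    after_change = match_score(template, transform(RECAPTURE, new_key))
    return genuine, after_change                      # second score drops once the key changes
```

The server only ever sees transformed coordinates, and a leaked template stops matching as soon as the client re-registers under a new parameter.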