The present invention relates in general to identification of physical characteristics of a human being, and particularly, the present invention relates to a system and method of fast biometric database searching using digital certificates. More particularly, the present invention relates to using iris recognition and digital certificates to conduct fast biometric database searching of relatively large databases for the identification of a subject.
Various techniques are used for uniquely authenticating a remote server provider or computing platform. For example, encrypted passwords, account information, and Personal Identification Numbers (PIN) have been used as tools to authenticate a computing platform and to authorize a transaction originating at the computing platform.
More recently, certificates have been used to authenticate a computing platform as being an authorized platform for a particular application. Perhaps the best known public-key certificate format is X.509, which is an identity-based design. That is, it ties a public key to an identifier of a computing platform, such as a distinguished name. The distinguished name is a unique string supposedly associated with a computing platform or other object. A certifying authority assigns each certificate and has the task of ensuring that each certificate is unique and that the certificate is an accurate and true label for the computing platform.
While the above authentication techniques provide a mechanism for authenticating a computing platform as being an authorized platform for a given application, these technologies do not provide for the identification of the person at the computing platform who is using the computing platform to seek services from the application server. They simply provide a token in place of identity.
Various technologies are used for uniquely identifying a person in accordance with an examination of particular attributes of either the person's interior or exterior eye. One of these technologies involves the visual examination of the particular attributes of the exterior of the iris of at least one of the person's eyes. The iris of the human eye has random patterns of striations, ciliary processes, crypts, rings, furrows and other features which have been shown capable of generating highly unique biometric templates for personal identification. In this regard, reference is made to U.S. Pat. No. 4,641,349, "Iris Recognition System", issued to Flom et al., and U.S. Pat. No. 5,291,560, "Biometric Personal Identification System Based on Iris Analysis", issued to Daugman. As made clear by these patents, the visible texture of a person's iris can be used to distinguish one person from another with great accuracy. Thus, iris recognition can be used for such purposes as controlling access to a secure facility or a bank automatic teller machine, for example. An iris recognition system involves the use of an imager to video image the iris of each person attempting access, and image processing means for comparing this iris video image with a reference iris image on file in a database.
Iris identification systems have been developed that are capable of collecting images of the iris and processing them to produce biometric templates. These templates may be used to identify human individual irises with extremely low error rates, on the order of 1 in 10⁶.
Iris recognition is widely recognized as the most powerful technology available for biometric identification of humans. Most biometric technologies are useful only for verification, implying 1:1 matching between a live biometric measurement and a single stored template. However, some biometric technologies, such as the iris recognition technology developed by IriScan®, are capable of identification, in which the live biometric is matched against N entries in a database to identify the individual without the need to provide a presumed identity or biometric token. This 1:N match can be performed for very large N due to the extremely low single-match false accept and false reject rates which characterize some biometric technologies, such as the IriScan® iris recognition technology. However, challenges are posed by 1:N matching of biometric templates when N is very large, and match times can quickly become unacceptable.
The template matching process, when viewed as a database search operation, has some very demanding requirements. First, there is no "key" that can be used to arrange the templates in the database in some advantageous way to facilitate searching. There is no way to avoid matching the unknown template against each and every database entry until the correct match is found, or the search is exhausted. Also, each match is typically performed at a number of different relative rotational alignments of the two templates. So each pair of templates really requires as many as 21 separate bit comparisons, accounting for ±28 degrees of relative rotation. For example, a typical single 300 MHz Pentium-based PC can match templates at a rate of approximately 40,000 matches in about a second or two.
This may be entirely adequate for most physical access control installations, in which the database has less than about 40,000 entries and a match time of a second or two, or longer, is acceptable. However, for large networked systems where a single access server has to process multiple simultaneous matching requests, over a secure network with a database of millions of enrollees, match times can quickly become unacceptable. Typically, an exhaustive search is performed for each unknown template, and consequently, the match speed varies directly with the processing power and inversely with the number of simultaneous requests.
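As an added illustration of the matching cost described above (example code written for this page, not taken from the patent or from IriScan's system), the following Python builds constructed random bit templates in place of real iris codes, compares two templates by XOR at 21 relative rotations, and runs an exhaustive 1:N search to show why the number of bit comparisons grows as 21 × N when there is no key to narrow the search. The template geometry (8 rings × 128 angular samples, so one sample step is 2.8125 degrees and ±10 steps cover about ±28 degrees), the 5% noise rate, the 4-sample rotation of the live capture and the 0.32 decision threshold are assumptions chosen for the illustration.

```python
import random

# Geometry of the constructed templates (illustrative assumptions, not the patent's figures)
RINGS = 8            # radial rings sampled across the iris
SAMPLES = 128        # angular samples per ring: one sample = 360/128 = 2.8125 degrees
MAX_SHIFT = 10       # +/-10 samples -> 21 alignments covering about +/-28 degrees
THRESHOLD = 0.32     # Hamming-distance decision threshold (illustrative)


def random_template(rng):
    """Constructed stand-in for an iris code: RINGS x SAMPLES random bits."""
    return [[rng.randint(0, 1) for _ in range(SAMPLES)] for _ in range(RINGS)]


def rotate(template, shift):
    """Rotate every ring by `shift` angular samples (negative shifts go the other way)."""
    return [ring[shift:] + ring[:shift] for ring in template]


def add_noise(template, rng, rate):
    """Flip each bit with probability `rate` to mimic capture noise."""
    return [[b ^ (1 if rng.random() < rate else 0) for b in ring] for ring in template]


def hamming_distance(a, b):
    """Fraction of differing bits: the XOR-and-count test on two templates."""
    diff = sum(x ^ y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return diff / (RINGS * SAMPLES)


def best_alignment(probe, stored, max_shift=MAX_SHIFT):
    """Compare at every relative rotation and keep the minimum distance.
    Returns (min_distance, shift_at_minimum, comparisons_performed)."""
    best_hd, best_shift, comparisons = 1.0, 0, 0
    for shift in range(-max_shift, max_shift + 1):
        hd = hamming_distance(rotate(probe, shift), stored)
        comparisons += 1
        if hd < best_hd:
            best_hd, best_shift = hd, shift
    return best_hd, best_shift, comparisons


def exhaustive_search(probe, database):
    """Unkeyed 1:N search: every entry is tried at every alignment.
    Returns (index_of_match_or_None, total_template_comparisons)."""
    total, best_index, best_hd = 0, None, 1.0
    for index, stored in enumerate(database):
        hd, _, n = best_alignment(probe, stored)
        total += n
        if hd < best_hd:
            best_index, best_hd = index, hd
    return (best_index if best_hd <= THRESHOLD else None), total


def build_scenario(seed=7, size=50):
    """Constructed database, a live capture of enrollee 17 rotated by 4 samples
    (about 11 degrees) with 5% of its bits flipped, and an unenrolled stranger."""
    rng = random.Random(seed)
    database = [random_template(rng) for _ in range(size)]
    probe = add_noise(rotate(database[17], 4), rng, 0.05)
    stranger = random_template(rng)
    return database, probe, stranger


if __name__ == "__main__":
    database, probe, stranger = build_scenario()
    hd, shift, n = best_alignment(probe, database[17])
    print(f"enrollee 17: distance {hd:.3f} at shift {shift} after {n} alignments")
    print("exhaustive search ->", exhaustive_search(probe, database))
    print("stranger vs 17 ->", round(best_alignment(stranger, database[17])[0], 3))
```

Comparing the returned comparison counts makes the scaling concrete: with 50 entries the matched entry alone costs 21 alignments, and the whole unkeyed search costs 50 × 21 = 1050 template comparisons; the stranger's best distance over all alignments stays near 0.5, well above the threshold.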
There are a number of conventional strategies for increasing the match speed that yield low-confidence matching. One is "filtering", in which information like sex, birth date, etc. is used to pre-classify the unknown person to be identified. This filtering technique is used, for example, with the less accurate fingerprint identification techniques. The database is partitioned according to these pre-classifications, and when the person is enrolled the biometric template is placed in the correct partition. When the person seeks to be identified, they must provide information (age, sex, etc.) to identify the database partition containing their template. However, if the pre-classification is done incorrectly, either at enrollment or later at identification, the search will be conducted over the wrong segment of the database and the person will never be found. As a result, this strategy produces high false reject rates and completely unreliable results.
The matching speed can be increased through the use of multiple processors in parallel. The match speed achieved is linearly related to the speed and/or number of processors. Although this is a viable approach, it is not cost-effective. Greater gains might be achieved by designing and building specialized processors that can perform the simple XOR logic operations at very high speed. However, this speed advantage is limited by the rates at which data can be moved into and out of the processor.
Although the art of biometric recognition systems is well developed, there remain some problems inherent in this technology, particularly with biometric systems and methods characterized by 1:N matching of biometric templates when N is very large. A system and method for achieving fast, accurate, cost-effective identification in these applications is needed. Therefore, a need exists for a recognition system and fast search methodology that overcomes the drawbacks of the prior art.
The present invention is directed to a system and method for conducting fast biometric database searches using iris recognition and digital certificates. The present invention provides for the authentication of a computing platform based on digital certificates attached thereto and also for the relatively fast identification of a person at the computing platform based on the digital certificate and a biometric image, such as an iris image. A level of access and other entitlements to use the computing platform may be granted to the person based on the results of the identification process.
A system for fast biometric database searching for the identification of a person at a remote computing platform includes a database having a plurality of stored biometric images, the database being separated into a plurality of partitions. A plurality of computing platforms are connected to the database. A digital certificate is attached to each of the computing platforms and keyed to point to one of the database partitions. A biometric imager is located at each of the computing platforms for obtaining a biometric image of the subject, such as a person. Preferably an image of the iris of the eye is obtained. A certifying authority and identity server having a processor is disposed between the computing platforms and the database for authenticating the computing platform based on the digital certificate attached thereto and for identifying the person based on a comparison of the obtained biometric image to stored biometric images within the database partition designated by the digital certificate.
According to another aspect of the present invention, the certifying authority maintains and controls access to the database and assigns the digital certificates that are attached to each computing platform. Authentication of the computing platform to the certifying authority is accomplished using conventional techniques, such as X.9 and X.509 technologies. The iris image or template provides for accurate identification of the person, and the digital certificate provides a secure transport method and a mechanism to ensure the privacy of the identity of the person and of the image of the person's biometric trait.
According to another aspect of the invention, the system and method of fast biometric database searching using digital certificates provides a database search of about one obtained biometric template comparison against about 1-10 million stored biometric templates in about 1-2 seconds using a single 300 MHz Pentium-based PC.
According to another aspect of the invention, the system of identification also includes: a handheld imaging apparatus; a first memory for storing at least one template of at least one image of an iris of at least one person's eye; a second memory for storing a template of an iris image obtained by the iris acquisition device; and a comparator for comparing the template of the iris image of the second memory with the at least one stored template of the first memory to identify the person.
According to another aspect of the invention, the comparator comprises a processor responsive to an output of the camera for comparing the template of the second memory with the at least one stored template of the first memory.
According to another aspect of the invention, the first memory, the second memory, and the comparator are disposed in a housing that is separate from the handheld iris imaging apparatus. In an embodiment, the housing is coupled to the handheld iris imaging apparatus by a wireless modem.
A method for authenticating the computing platform and of identifying a person at the computing platform comprises attaching a digital certificate to each of a plurality of computing platforms, storing a copy of the attached digital certificates with a certifying authority and identity server, initiating a transaction by the person at one of the computing platforms, obtaining an image of a biometric trait of the person, preferably obtaining an iris image of the eye, processing the obtained biometric image and the digital certificate to form a combined template, communicating the combined template to a certifying authority and identity server, providing a database containing stored biometric images of persons authorized to use the computing platform and the stored digital certificates, segregating the database into a plurality of partitions keyed to the digital certificates, comparing the communicated digital certificate to the stored digital certificates, authenticating the computing platform based on the comparison of the digital certificates, searching one or more partitions based on the partitions pointed to by the communicated digital certificate contained in the template, comparing the obtained biometric image of the template to the stored biometric images in the partition, and identifying the person based on the comparison. The method can also include authorizing a level of access or an entitlement to use the computing platform based on the identification.
According to an aspect of the present invention, the method further comprises activating an indicator if the computing platform has been authenticated and the person has been identified.
The present invention is also directed to an iris certificate (e.g., an IrisCert™ code) having a plurality of data fields including information relating to a digital certificate which identifies one or more computing platforms and points to a partition within a database and information relating to an iris image (e.g., an IrisCode™ template) obtained from a person seeking to use one of the computing platforms. The iris certificate can also include other data, such as name, address, a level of authorization, entitlements, etc.
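The following is an added example (not code from the patent or from any IriScan product) of the certificate-keyed partitioned search described by the system, the method and the iris certificate above: the certifying authority issues each platform a certificate naming the platform and the partition it points to and keeps a stored copy; the platform sends a combined template of certificate plus iris code; the identity server first compares the communicated certificate to its stored copy and checks the CA's signature, and only then compares the iris code within the single partition the certificate designates. An HMAC over the certificate body stands in for the CA's X.509 signature, the templates are constructed random bit strings with a small noise rate, the partition names and platform identifiers are made up, and the 0.32 decision threshold is an illustrative assumption.

```python
import hashlib
import hmac
import json
import random

# Constructed stand-in for the certifying authority's private signing key; a real
# deployment would use X.509 certificates signed by the CA (assumption for the demo).
CA_SIGNING_KEY = b"demo-ca-key-not-for-production"
TEMPLATE_BITS = 512   # constructed iris-code length
THRESHOLD = 0.32      # illustrative Hamming-distance decision threshold


def issue_certificate(platform_id, partition_id):
    """CA issues a certificate naming the platform and the partition it points to."""
    body = {"platform": platform_id, "partition": partition_id}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(CA_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def certificate_is_valid(cert):
    """Verify the CA's signature over the certificate body (constant-time compare)."""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(CA_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def hamming_distance(a, b):
    """Fraction of differing bits between two equal-length bit lists."""
    return sum(x ^ y for x, y in zip(a, b)) / len(a)


def make_template(rng):
    """Constructed stand-in for an iris code: TEMPLATE_BITS random bits."""
    value = rng.getrandbits(TEMPLATE_BITS)
    return [(value >> i) & 1 for i in range(TEMPLATE_BITS)]


def noisy_copy(template, rng, rate=0.03):
    """Mimic a fresh capture of the same iris: flip each bit with probability `rate`."""
    return [b ^ (1 if rng.random() < rate else 0) for b in template]


class IdentityServer:
    """Certifying authority and identity server holding the stored certificate
    copies and the database segregated into partitions keyed to those certificates."""

    def __init__(self):
        self.stored_certs = {}   # platform_id -> copy of the issued certificate
        self.partitions = {}     # partition_id -> list of (name, template)

    def register_platform(self, platform_id, partition_id):
        cert = issue_certificate(platform_id, partition_id)
        self.stored_certs[platform_id] = cert
        return cert

    def enroll(self, partition_id, name, template):
        self.partitions.setdefault(partition_id, []).append((name, template))

    def identify(self, combined):
        """Authenticate the platform, then search only the designated partition.
        Returns (status, name_or_None, templates_compared)."""
        cert = combined["certificate"]
        platform = cert["body"]["platform"]
        # Step 1: communicated certificate must match the stored copy and carry a valid signature.
        if self.stored_certs.get(platform) != cert or not certificate_is_valid(cert):
            return "platform_rejected", None, 0
        # Step 2: compare the iris code only against the partition the certificate points to.
        entries = self.partitions.get(cert["body"]["partition"], [])
        best_name, best_hd = None, 1.0
        for name, stored in entries:
            hd = hamming_distance(combined["iris_code"], stored)
            if hd < best_hd:
                best_name, best_hd = name, hd
        if best_hd <= THRESHOLD:
            return "identified", best_name, len(entries)
        return "not_found", None, len(entries)


def build_scenario(seed=3, per_partition=300):
    """Constructed server with three partitions, two registered platforms, and a
    live capture of enrollee 'branch-A-user-42' taken at platform 'atm-0001'."""
    rng = random.Random(seed)
    server = IdentityServer()
    cert_a = server.register_platform("atm-0001", "branch-A")
    cert_b = server.register_platform("kiosk-0002", "branch-B")
    people = {}
    for partition in ("branch-A", "branch-B", "branch-C"):
        for i in range(per_partition):
            name = f"{partition}-user-{i}"
            people[name] = make_template(rng)
            server.enroll(partition, name, people[name])
    live = noisy_copy(people["branch-A-user-42"], rng)
    return server, cert_a, cert_b, live


if __name__ == "__main__":
    server, cert_a, cert_b, live = build_scenario()
    print("correct platform:", server.identify({"certificate": cert_a, "iris_code": live}))
    print("other platform:  ", server.identify({"certificate": cert_b, "iris_code": live}))
    forged = {"body": dict(cert_a["body"], partition="branch-C"), "signature": cert_a["signature"]}
    print("tampered cert:   ", server.identify({"certificate": forged, "iris_code": live}))
```

The comparison count returned with each result shows the search cost bounded by the partition size (300 templates) rather than the 900-entry database. A valid certificate that points at a different partition yields "not_found", the same failure mode the filtering discussion describes, except that here the partition key is bound to the platform by the certifying authority rather than self-reported by the person; a certificate whose partition field has been altered fails the signature check before any template is compared.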