This invention relates to a biometric authentication method and system for authenticating a person's identity by using biometric information on the person.
A personal authentication system using biometric information captures biometric information on a person at a time of enrollment, extracts information called a “feature”, and enrolls the extracted feature. At a time of authentication, the personal authentication system again extracts a feature from biometric information captured from the person, and determines whether or not to authenticate the person by matching the extracted feature against the enrolled feature.
Hereinbelow, the information to be enrolled is referred to as a “template for enrollment”, and the information used at the time of authentication is referred to as a “template for authentication”. In a case where the template for enrollment and the template for authentication are not distinguished from each other, both are referred to simply as a “template”.
In a system in which a client terminal and an authentication server are coupled to each other via a network, in a case where the server executes biometric authentication on a user situated on a client terminal side, the server normally stores an enrolled template. The client terminal extracts the feature from the biometric information captured from the user at the time of authentication, and transmits the extracted feature (template for authentication) to the server. The server determines whether or not to authenticate the person by matching the received feature (template for authentication) against the enrolled template.
The template is information that may identify a person, and hence needs to be strictly managed as personal information, which necessitates a high management cost. Further, even when the template is strictly managed, many people remain psychologically hesitant to enroll a template because of privacy concerns.
Further, the number of items of biometric information of each kind held by one person is limited (for example, only ten fingers are available in a case of enrolling fingerprints as the biometric information), and hence the template cannot be changed as easily as a password or encryption key can. This leads to a problem that, in a case where the template leaks and causes a risk of forgery, the biometric information can no longer be used.
In addition, in a case where templates generated from the same biometric information are enrolled in a plurality of different systems, if one of the enrolled templates leaks from one of the systems, the other systems in which a template generated from the same biometric information as the leaked template is enrolled are also threatened.
In order to solve the above-mentioned problems, for example, Japanese Patent Application Laid-open No. 2007-293807 (hereinafter referred to as “Document 1”, the entire contents of which are incorporated herein by reference) proposes a method (hereinafter referred to as “cancelable biometrics”) in which: at the time of enrollment of the biometric information, the client terminal uses a fixed function (a kind of encryption) and a secret parameter (a kind of encryption key) stored by the client terminal to transform the feature into a template for enrollment, and enrolls the generated template for enrollment in the server; at the time of authentication, the client terminal uses the same function and parameter to transform a feature of the biometric information newly extracted from the user into a template for authentication, and transmits the template for authentication generated by the transformation to the server; and the server matches the template for authentication against the enrolled template.
According to the method disclosed in Document 1, the privacy of a person is protected as follows. The template for enrollment and the template for authentication are each in a state in which the feature obtained from the original biometric information is kept concealed. As long as the client terminal stores the parameter used for the transformation in secret, the original feature cannot be known from the template stored in the server at the time of authentication.
Further, even if the template leaks, the client terminal creates another template for enrollment by changing the parameter used for the transformation, and enrolls the created template for enrollment in the server, thereby enabling security to be maintained.
Also in the plurality of different systems in which the templates for enrollment, generated from the same biometric information, are enrolled, the templates for enrollment created by the transformation using different parameters are enrolled in the server. This may prevent the security of the other systems from degrading even if one of the enrolled templates leaks from one of the systems.
A specific method of realizing the cancelable biometrics depends on the type of the biometric information, the matching algorithm, or the like. Document 1 discloses a method (hereinafter, referred to as “correlation invariant random filtering (or CIRF)”) applicable to a biometric authentication technology, such as vein authentication, for determining a similarity based on a cross correlation between features (images).
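The enrollment, authentication, revocation and multi-system behaviour of cancelable biometrics described above can be traced in the following added example, which is not taken from Document 1 and is not CIRF. It assumes a keyed signed permutation as a stand-in transform, a cosine-similarity matcher with a threshold of 0.9, and constructed 64-element feature vectors; a signed permutation only illustrates the data flow and is not a vetted template-protection scheme.

```python
import hashlib, hmac, math, random

def transform(feature, secret):
    """Client side: keyed signed permutation (hypothetical stand-in transform)."""
    seed = int.from_bytes(hmac.new(secret, b"template-v1", hashlib.sha256).digest(), "big")
    rng = random.Random(seed)            # illustration only, not a vetted CSPRNG
    perm = list(range(len(feature)))
    rng.shuffle(perm)
    signs = [rng.choice((-1.0, 1.0)) for _ in feature]
    out = [0.0] * len(feature)
    for i, v in enumerate(feature):
        out[perm[i]] = signs[i] * v      # orthogonal map: inner products are preserved
    return out

def similarity(a, b):
    """Server side: normalized correlation between two templates."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def server_match(enrolled, presented, threshold=0.9):
    # The server only ever sees transformed templates, never the raw feature.
    return similarity(enrolled, presented) >= threshold

def demo():
    rng = random.Random(2024)            # constructed sample data
    user = [rng.gauss(0, 1) for _ in range(64)]
    fresh = [v + 0.1 * rng.gauss(0, 1) for v in user]   # same person, noisy re-capture
    impostor = [rng.gauss(0, 1) for _ in range(64)]
    key_a, key_a2, key_b = b"system-A key 1", b"system-A key 2", b"system-B key"
    enrolled_a = transform(user, key_a)
    reenrolled_a = transform(user, key_a2)   # after a leak: same finger, new parameter
    return {
        "genuine": server_match(enrolled_a, transform(fresh, key_a)),
        "impostor": server_match(enrolled_a, transform(impostor, key_a)),
        "leaked_old_template": server_match(reenrolled_a, enrolled_a),
        "reenrolled": server_match(reenrolled_a, transform(fresh, key_a2)),
        "cross_system": server_match(transform(user, key_b), enrolled_a),
        "score_preserved": abs(similarity(user, fresh)
                               - similarity(enrolled_a, transform(fresh, key_a))) < 1e-9,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `score_preserved` check shows why the server can match without the secret parameter: the transform leaves the matching score between two templates made with the same parameter unchanged, while templates made with different parameters no longer correlate.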