WO1994019770A1 - Secure personal identification instrument and method for creating same - Google Patents

Publication number
WO1994019770A1
Authority
WO
WIPO (PCT)
Prior art keywords
instrument
data
personal
code
encrypted
Application number
PCT/CA1994/000084
Other languages
French (fr)
Inventor
Sherman M. Chow
Nur M. Serinken
Seymour Shlien
Original Assignee
Her Majesty In Right Of Canada, As Represented By The Minister Of Communications
Application filed by Her Majesty In Right Of Canada, As Represented By The Minister Of Communications
Priority to AU60349/94A (AU6034994A)
Priority to GB9516080A (GB2289965B)
Priority to DE4490836T (DE4490836T1)
Publication of WO1994019770A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
    • G06K19/06037 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking multi-dimensional coding
    • G06K19/08 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code using markings of different kinds or more than one marking of the same kind in the same record carrier, e.g. one marking being sensed by optical and the other by magnetic means
    • G06K19/10 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code using markings of different kinds or more than one marking of the same kind in the same record carrier, e.g. one marking being sensed by optical and the other by magnetic means at least one kind of marking being used for authentication, e.g. of credit or identity cards
    • G06K19/14 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code using markings of different kinds or more than one marking of the same kind in the same record carrier, e.g. one marking being sensed by optical and the other by magnetic means at least one kind of marking being used for authentication, e.g. of credit or identity cards the marking being sensed by radiation
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/347 Passive cards
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/257 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition electronically
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/12 Card verification
    • G07F7/125 Offline card verification
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B42 BOOKBINDING; ALBUMS; FILES; SPECIAL PRINTED MATTER
    • B42D BOOKS; BOOK COVERS; LOOSE LEAVES; PRINTED MATTER CHARACTERISED BY IDENTIFICATION OR SECURITY FEATURES; PRINTED MATTER OF SPECIAL FORMAT OR STYLE NOT OTHERWISE PROVIDED FOR; DEVICES FOR USE THEREWITH AND NOT OTHERWISE PROVIDED FOR; MOVABLE-STRIP WRITING OR READING APPARATUS
    • B42D25/00 Information-bearing cards or sheet-like structures characterised by identification or security features; Manufacture thereof
    • B42D25/20 Information-bearing cards or sheet-like structures characterised by identification or security features; Manufacture thereof characterised by a particular use or purpose
    • B42D25/23 Identity cards
    • B42D25/30 Identification or security features, e.g. for preventing forgery
    • B42D25/309 Photographs
    • B42D25/318 Signatures

Definitions

  • FIELD OF THE INVENTION: This invention relates to personal identification instruments and in particular to an instrument and method of creating such an instrument which has a high degree of security from fraud.
  • BACKGROUND TO THE INVENTION: Personal identity instruments are widely used in society, e.g. passports, credit cards, driver's licences, building passes, etc. Such instruments are very valuable, and therefore are often illegally fabricated or stolen and altered so that they can be used fraudulently by another person. Such an instrument ideally should be useless in the hands of another person.
  • U.S. Patent 5,027,113 describes a process and apparatus for making a personal identification instrument which is subject to machine verification.
  • An instrument according to that patent is first made carrying e.g. indicia and/or a photograph, and deviations from a standard of the outlines of at least some of the indicia (on a magnified scale) are stored in a memory.
  • a machine reads the exact outline of corresponding indicia. Since paper fibers, ink bleeds, etc. result in a different outline than the original, the machine comparing the deviation data with the originally stored outline deviation data can result in the declaration of a fraudulent instrument.
  • the entire photograph is read by a camera.
  • the variation of the distribution of grey levels in the image scanned by the camera, as compared with stored data describing the variation of the distribution of grey levels, stored from the original authentic photograph, can result in detection of a fraudulent instrument.
  • the present invention provides a means for realizing a personal identification instrument which has extremely high security, and is virtually immune to falsification. There is no need for storage of massive amounts of any data at any central location nor of transmission of any data; all of the verification data is carried on the instrument itself. Each verification station need only contain a processor capable of processing an algorithm and a scanner for scanning the instrument and reading data from the instrument into the processor.
  • a personal identification instrument is comprised of a substrate, and carried on the substrate are a photograph and/or a personal signature, personal information relating to the legitimate holder of the instrument, and an encrypted machine readable security code carried by the instrument, the code being comprised of a combination of digitized personal information and a digitized descriptor of the photograph and/or personal signature.
  • a method of creating a personal identification instrument on which personal data and a picture and/or signature of a legitimate holder are retained is comprised of acquiring a first digital representation of the picture and/or signature of a legitimate holder of said instrument, extracting first feature data from the digital representation, reading the personal data, combining the feature data with the personal data into a single data sequence and generating a security code by encrypting the sequence with a secret key, and affixing the security code to the instrument to provide a substantially forgery-proof instrument.
  • Figure 1 is an apparatus that can be used to read a personal identification instrument
  • Figure 2 illustrates a face of an instrument in accordance with a first embodiment
  • Figure 3 illustrates a face of an instrument in accordance with a second embodiment
  • Figure 4 illustrates a face of an instrument in accordance with a third embodiment
  • Figure 5 illustrates a face of an instrument in accordance with a fourth embodiment
  • Figure 6 illustrates an imprinted carrier on which is imprinted an encoded matrix in accordance with another embodiment of the invention.
  • a personal identification instrument is divided into three areas: area 1 which contains biographical data of the legitimate holder of the instrument, area 2 which contains either or both of a picture and signature of the legitimate holder of the instrument, and area 3 which contains authentication information.
  • areas 1, 2 and 3 do not have any significance in the present invention. They can be arranged in a book form or in a one or two-sided card form, depending on the requirements of the application.
  • the biographical data in area 1 should be in a human readable form, that can be electro-optically read by validation equipment at the authentication station.
  • the subject matter in areas 2 and 3 can be in human readable form but should be in machine readable form.
  • Modern encryption algorithms such as symmetric or asymmetric key systems can provide means for protecting the data stored in area 3. Even though such algorithms become public domain, it is extremely difficult for someone to decode the data without knowing the secret key used in the encryption. Millions of years of computer time have been estimated to be required to break some of the encoding schemes. The particular encoding scheme used is not particular to this invention, so long as it is encrypted.
  • the encoded information is dependent on the photograph and other information on the instrument, it is extremely difficult to alter the information or photograph on the instrument without escaping detection, even though the method of validating the instrument may be known to the public. For example, it would be next to impossible for a person to generate a new encrypted code for the instrument based on modified information on the instrument without knowing the secret key used by the encryption scheme.
  • the number of bits contributed by area 2 to area 3 in accordance with one embodiment of this invention is in the order of 100 bits.
  • the contribution from area 1 to area 3 can be from a few bits to thousands of bits. If the information output of the biographical area is too large to fit into the bit space allocated in the authentication area, the information can be passed through a one way cryptographic hash function to limit this contribution to allocated bit space.
  • the tamper proof instrument can be copied or transmitted; if the copies are of high quality (reproduction of colour, resolution, dimensions, brightness, contrast, etc.), then the copies will have the same attributes as the original. Copies can be authenticated since no alterations will have been made on them. Indeed, the whole document can become image area 2, and there may be no contribution from area 1; or vice versa, full contribution from area 1 and no area 2, area 3 will constitute the descriptor of the whole document. As one example, area 3 can contain 640 bits.
  • the information stored in area 3 is in the form of a two-dimensional, high density, bar code
  • 640 bits can be stored in an area occupied by a postage stamp. This can be divided to store 128 bits of the image (area 2) and 496 bits from the biographical data (area 1) plus 16 bits of error protection.
  • Figure 1 illustrates in block diagram a typical system which can be used to encode or authenticate the instrument.
  • the instrument 5 can be placed on a table 7 which is moved in the directions of the arrow by means of motor driven rollers 9 or pulled by hand. As the table moves to the right, it carries the instrument 5 under scanner 11. The sampled image data is passed into processor 13, to which a display 15 is connected.
  • a flat bed scanner such as Hewlett Packard Model IIc Scanjet can be used.
  • Such a scanner produces a grey level black and white image of the picture to a resolution to 150 dots per inch, which has been found to be adequate for most applications.
  • the present invention is intended to include all possible means of acquiring the data, including colour data.
  • the processor executes algorithms, such as described below, to extract data from the photograph. It may be necessary, for some applications to include algorithms to find the location of the picture due to placement inaccuracies.
  • the algorithm extracting the information from the picture is preferred to extract global features from the picture, i.e. not local to any specific position in the picture but which depend on its overall characteristics. These features make very little assumptions regarding the contents of the image, so that they will still work if the image does not contain a face. However the algorithm is preferably optimized for the more usual situation where the photograph does contain a face. About 10 features are preferred to be extracted, which are encoded as small numbers. Concatenating the bits of these features produces a 50 to 128 bit number which is associated with the photograph. The features are preferably computed by taking weighted averages. As the weighting functions are highly non-linear, it is very difficult to create an image which would have the same averages and yet the image contain a face or signature of a specific person.
  • the next step in the process is to input other personal information for area 1, such as the age, height, colour of eyes, birth date, birth place, etc. of the authentic holder of the instrument.
  • This is preferably read from an imprint already on the card, although instead it could be input on a keyboard.
  • the information should describe unalterable properties of the person.
  • the validation machine could display this information to the validation station user if a one-way hash function is not used.
  • the image is applied to the document by direct recording or by attachment of image material to the instrument.
  • the image that is part of the instrument in area 2 is recorded in human visible form and is acquired by the electro-optical means (e.g. by the scanner) from the instrument.
  • the combination of the personal information and a digitized descriptor of the photograph and/or personal information forms a code, which after encrypting using a secret key is recorded in area 3 on the instrument in any reliable machine readable form, for example any of the forms shown in Figures 2-5.
  • the encryption algorithm used in processor 13 can use either private or public key encryption techniques. These techniques are well known in literature; an example of each is Data Encryption Standard (DES) for private key and Rivest Shamir Adleman (RSA) algorithm for public key techniques.
  • the resulting personal identification instrument is as shown in Figures 2-5.
  • a system such as that shown in Figure 1 can be used.
  • the instrument 5 is placed on table 7 and is passed under scanner 11.
  • the biographical information is acquired from the recorded area 1 of the document, and is converted into binary format in processor 13 as was done in the document creation process and is saved in a local memory.
  • the image in area 2 of the instrument is acquired in a similar manner, and is processed by the image processing algorithm, to extract image descriptors. It is preferred that this is done by calculating weighted averages, as will be described below.
  • the image descriptors are also saved in a local memory.
  • the information stored in area 3 is read and is decrypted using the secret decryption key.
  • the binary vector resulting from the decryption is separated into two parts.
  • the part containing the biographical data is compared to the biographical data that was read from the area 1 of the instrument, and if there is any discrepancy between the two sets of biographical data streams, the document is declared as a fake. If the biographical data test is positive, then a distance measure is applied between the image descriptor that is generated at the authentication stage, and the decrypted image descriptor from the information stored in area 3. If the distance measure is greater than a predetermined limit, the document is declared as a counterfeit.
  • the aforenoted one-way hash function (which is also known as a message digest algorithm or manipulation detection code) takes a message of variable length and provides a fixed length code. It appears to be computationally infeasible to find two different messages with the same output code, if this code is larger than 64 bits. With this property, if the input is altered in any way, it will be detected by a mismatch of the output code generated.
  • the detection process in the authentication station is required only to detect the presence of the manipulation, but not the location or magnitude of the manipulation.
  • the present invention dispenses with verification of the entire photograph, and instead utilizes selected features. Different features differ in the amount of sensitivity (for distinguishing nearly similar pictures) and robustness to environmental changes that can occur due to the changes in the photograph or scanner.
  • Photographs in passports are in many cases black and white.
  • Black and white pictures provide more definition and are more robust to environment changes. It is preferred in the present invention, to convert all scanned pictures to black and white. The conversion of colour photographs to black and white often results in loss of contrast.
  • the feature extraction technique used in the present invention should be robust enough to handle this loss in contrast.
  • the image should be acquired by electro-optical means.
  • the resolution of the scanned image should be reduced to about 100 dots per inch if it were digitized at a higher resolution. If the digitized picture is in colour, the luminance component should be extracted and the hue and saturation components discarded.
  • the area of the digitized document where the photograph is located should be determined.
  • the picture could always be located in one place, to a high tolerance, or the position could be located automatically, either from datum points or from an analysis algorithm.
  • the digitized image should then be converted from as many grey levels as the equipment provides
  • the weighted averages of the dark component in the multi-tone average should then be computed.
  • the weighted averages of the light component in the multi-tone image should then be computed.
  • the averages should then be encoded into a number with a fixed number of bits.
  • One way of digitizing the picture is to represent it as a two-dimensional array of numbers or pixels where the dimensions of the array depend on the size of the picture.
  • P(i,j) denote the value of that pixel located at the i-th row and j-th column of this array.
  • the dimensions of the array were 64 by 64, which was achieved by a suitable selection for scanning parameters and by cropping the edges of the picture.
  • Each pixel element took a value between 0 and 255 where low values denoted a dark pixel and high values denoted a bright pixel.
  • each pixel in the array P(i,j) was assigned a new value, either 0, 1 or 2 depending upon the original value of that pixel.
  • the 0 value was assigned to all dark pixels whose original intensity level lay within a range of 0 to THR1 inclusive where THR1 is some threshold value selected.
  • the 2 value was assigned to all bright pixels whose intensity level lay between THR2 and 255 inclusive where THR2 is a higher threshold.
  • the 1 value was assigned to all the remaining pixels.
  • The choice of these thresholds THR1 and THR2 depends upon the specific image and the manner in which it was scanned. As some pictures are over or under exposed (or faded), it was necessary to make some allowance. It may be necessary to compensate for different scanning hardware which may be calibrated differently, in other systems.
  • the thresholds were chosen so that one third of the pixel elements in the picture were assigned to each of the three categories 0, 1 and 2. This was accomplished by computing a histogram of the pixel values in the digitized picture P(i,j) and by finding the levels which divided the distribution into approximately 3 equal parts.
  • the spatial distribution of all the pixels assigned to the zero category was analyzed. For example one can compute the mean, variance and correlation of the i and j-th spatial coordinates of all the pixels assigned to this category. (Recall that i and j address the row and column number of the pixels in the digitized picture.)
  • the parameters that were used were the weighted averages of the i-th coordinate, the j-th coordinate and the product of the i-th and j-th coordinates. Two different weighting functions were used to obtain 6 averages - three for each weighting function.
  • the weighting functions serve two purposes.
  • the first weighting function gives the pixels located in the central part of the picture more weight.
  • the face is usually centered in the picture and it is the component of the picture which is most difficult to modify without escaping detection.
  • the weighting function also serves the purpose of making it more difficult for someone to tamper with the image in order to get a specific set of six spatial parameters.
  • the weighting functions were based on the harmonic functions sine and cosine.
  • the first weighting function represents the first half of the sine wave (from zero to 180 degrees).
  • the second weight function represents the full sine wave from zero to 360 degrees. Hence the second weighting function is non-symmetric across the image and contains negative weights.
  • To compute the weights the i-th and j-th coordinates were converted to two angles by dividing them by 64 (the width of the picture) and then multiplying them by 180 or 360.
  • the averages of the i-th and j-th coordinates must lie in a fixed range (-64 to +64). In actual practice it was found that they lie in a smaller range.
  • the average of the i*j-th product is divided by 20 to confine them to a smaller workable range. In fact, each of these parameters can be encoded in a single 8 bit byte. There are 12 parameters, so 96 bits were used to encode the characteristics of the image.
  • the fixed number which is a digitized descriptor of the photograph (and/or personal signature if used)
  • the digitized personal information or code resulting from the hash function processed personal information is encrypted and is fixed to the card in area 3 in e.g. one of the forms shown in Figures 2-5.
  • the square Euclidean distance is computed between the decoded information obtained from area 3 and the image descriptor generated from the digitized image of area 2 of the personal identification instrument, which has been read by the authentication system.
  • the square Euclidean distance is then compared with a threshold limit, in order to provide an accept or reject indication of the instrument as being genuine or fake, e.g. as on display 15 or by other means.
  • the security code can contain combined data from areas 1 and 2 of the instrument, or data from either area alone. Indeed, the instrument can carry only area 1 or 2 data, and the area 2 data can be comprised of the image descriptors of the whole instrument, whatever imprint is carried thereon.
  • a personal identification instrument in which a photo of the legitimate holder is incorporated with biographical data into an encoded, encrypted file.
  • the image is first digitized and compressed into a file which can reproduce a recognizable likeness in about 900 bytes of data.
  • the biographical data is appended to the image forming a file of about 1000 bytes. Error correction bits are added producing a file of about 1400 bytes.
  • the file is encrypted using the secret key of a public key encryption scheme in which the key used is about 600 bits.
  • the encrypted data is printed on a carrier 19 as a matrix 20 of black and white rectangles, using a laser printer, representing the binary number, as shown in Figure 6.
  • the 1400 bytes of data, and thus the printed area, can occupy an area of about 6 to 8 square inches. No photograph is printed on the carrier, nor biographical data although it may be desired to imprint the owner's name in some circumstances.
  • a verification station is used.
  • the verification station is comprised of a scanner connected to a desk top computer.
  • the matrix 20 is first scanned into the computer and converted to a binary number.
  • an error correction procedure is applied to remove scanning errors. This process will overcome disfigurement of the matrix due to usage (e.g. discoloration due to handling, pencil marks and staple holes).
  • the error corrected file now is comprised of about 1000 bytes, which is then decrypted using the public key.
  • the information after decryption is displayed on the monitor of the computer.
  • the displayed likeness of the legitimate holder and the displayed biographical data can be used to check against the person to ensure authenticity. Forgery and tampering with the photo or the data contained in the matrix is not possible unless the secret key is
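
The image descriptor and the two-stage authentication test described in the items above (three-level quantization, sine-weighted averages, 12 one-byte parameters, squared Euclidean distance), as an added Python example that is not part of the patent text. The product-of-sines 2-D weight, dividing each sum by the pixel count of the category, the signed-byte clamping, the limit of 16 and the sample images are assumptions; `stored_bio` and `stored_desc` stand for the values already decrypted from area 3.

```python
import math

SIZE = 64        # the 64 x 64 pixel array P(i,j) described above
DIST_LIMIT = 16  # assumed acceptance limit; the text gives no value


def tercile_thresholds(img):
    """Return (THR1, THR2) splitting the grey-level histogram into ~3 equal parts."""
    hist = [0] * 256
    for row in img:
        for v in row:
            hist[v] += 1
    total, cum, thr1, thr2 = SIZE * SIZE, 0, None, None
    for level, count in enumerate(hist):
        cum += count
        if thr1 is None and 3 * cum >= total:
            thr1 = level          # dark pixels: 0..THR1 inclusive
        if thr2 is None and 3 * cum >= 2 * total:
            thr2 = level + 1      # bright pixels: THR2..255 inclusive
    return thr1, thr2


def quantize(img):
    """Map every pixel to 0 (dark), 1 (middle) or 2 (bright)."""
    thr1, thr2 = tercile_thresholds(img)
    return [[0 if v <= thr1 else 2 if v >= thr2 else 1 for v in row] for row in img]


def weight(i, j, degrees):
    """Sine weight: 180 gives the half wave, 360 the full wave with negative lobes.
    Assumption: the 2-D weight is the product of the two 1-D weights."""
    return (math.sin(math.radians(i / SIZE * degrees))
            * math.sin(math.radians(j / SIZE * degrees)))


def component_averages(q, category):
    """Six weighted averages (i, j, i*j/20 for each weighting) of one category."""
    out = []
    for degrees in (180, 360):
        n, s_i, s_j, s_ij = 0, 0.0, 0.0, 0.0
        for i in range(SIZE):
            for j in range(SIZE):
                if q[i][j] == category:
                    w = weight(i, j, degrees)
                    n += 1
                    s_i += w * i
                    s_j += w * j
                    s_ij += w * i * j
        n = max(n, 1)             # an empty category yields zeros
        out += [s_i / n, s_j / n, s_ij / n / 20]
    return out


def descriptor(img):
    """12 parameters (dark then light component), one signed byte each: 96 bits."""
    q = quantize(img)
    values = component_averages(q, 0) + component_averages(q, 2)
    return bytes(max(-128, min(127, round(v))) & 0xFF for v in values)


def sq_distance(d1, d2):
    """Squared Euclidean distance between two 12-byte descriptors."""
    def signed(b):
        return b - 256 if b > 127 else b
    return sum((signed(a) - signed(b)) ** 2 for a, b in zip(d1, d2))


def authenticate(stored_bio, stored_desc, read_bio, scanned_img):
    """Exact match on biographical data first, then the distance test on the image."""
    if stored_bio != read_bio:
        return "fake"
    if sq_distance(stored_desc, descriptor(scanned_img)) > DIST_LIMIT:
        return "counterfeit"
    return "genuine"


def sample_photo(ci, cj, shift=0):
    """Constructed test image: grey level grows with distance from (ci, cj)."""
    return [[int(20 + 4 * math.hypot(i - ci, j - cj)) + shift
             for j in range(SIZE)] for i in range(SIZE)]


if __name__ == "__main__":
    bio = b"DOE JANE 1960-01-01 BROWN 170CM"      # constructed sample data
    issued = descriptor(sample_photo(32, 32))      # computed at creation time
    # Same photo scanned 10 grey levels brighter, then a substituted photo.
    print(authenticate(bio, issued, bio, sample_photo(32, 32, shift=10)))
    print(authenticate(bio, issued, bio, sample_photo(24, 40)))
```

Because the thresholds follow the histogram, a uniform brightness offset between scanners leaves the three-level image, and therefore the descriptor, unchanged.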

Abstract

A personal identification instrument is comprised of a substrate, and carried on the substrate: a photograph and/or a personal signature, personal information relating to the legitimate holder of the instrument, and an encrypted machine readable security code carried by the instrument, the code being comprised of a combination of digitized personal information and a digitized descriptor of the photograph and/or personal signature.

Description

SECURE PERSONAL IDENTIFICATION INSTRUMENT AND METHOD FOR CREATING SAME
FIELD OF THE INVENTION
This invention relates to personal identification instruments and in particular to an instrument and method of creating such an instrument which has a high degree of security from fraud.
BACKGROUND TO THE INVENTION
Personal identity instruments are widely used in society, e.g. passports, credit cards, driver's licences, building passes, etc. Such instruments are very valuable, and therefore are often illegally fabricated or stolen and altered so that they can be used fraudulently by another person. Such an instrument ideally should be useless in the hands of another person.
In order to make an instrument more difficult to counterfeit or use by another person, it bears the signature and sometimes a photograph of the owner of the instrument. A security guard, cashier, customs agent, etc. typically verifies the picture visually with the face of the user, sometimes also requests a signature for comparison with the signature on the instrument, and by that means verifies the authenticity of the instrument.
However such instruments are subject to fraud. It is possible to make a fake instrument from a stolen document or card containing a different photograph, matching the fraudulent holder.
U.S. Patent 5,027,113 describes a process and apparatus for making a personal identification instrument which is subject to machine verification. An instrument according to that patent is first made carrying e.g. indicia and/or a photograph, and deviations from a standard of the outlines of at least some of the indicia (on a magnified scale) are stored in a memory. When an instrument is presented, a machine reads the exact outline of corresponding indicia. Since paper fibers, ink bleeds, etc. result in a different outline than the original, the machine comparing the deviation data with the originally stored outline deviation data can result in the declaration of a fraudulent instrument.
Similarly, for verification of a photograph, the entire photograph is read by a camera. The variation of the distribution of grey levels in the image scanned by the camera, as compared with stored data describing the variation of the distribution of grey levels, stored from the original authentic photograph, can result in detection of a fraudulent instrument.
Unfortunately the system described in the patent requires storage of a large amount of data for each instrument, which becomes very large when photograph data are stored. In addition, each verification station requires access to the stored data. While the data can be stored in a centralized data bank, verification requires the transfer of very large amounts of data along transmission lines from the central data bank to the verification stations. Where there is a continuous flow of persons to be authenticated, for example where many millions of passport-holding persons are subject to verification at any of hundreds of border points spanning very long borders (e.g. the border between the United States and Canada, the border between the United States and Mexico) the cost of using such a system becomes prohibitive.
SUMMARY OF THE PRESENT INVENTION:
The present invention provides a means for realizing a personal identification instrument which has extremely high security, and is virtually immune to falsification. There is no need for storage of massive amounts of any data at any central location nor of transmission of any data; all of the verification data is carried on the instrument itself. Each verification station need only contain a processor capable of processing an algorithm and a scanner for scanning the instrument and reading data from the instrument into the processor.
In accordance with an embodiment of the invention a personal identification instrument is comprised of a substrate, and carried on the substrate are a photograph and/or a personal signature, personal information relating to the legitimate holder of the instrument, and an encrypted machine readable security code carried by the instrument, the code being comprised of a combination of digitized personal information and a digitized descriptor of the photograph and/or personal signature.
In accordance with another embodiment of the invention, a method of creating a personal identification instrument on which personal data and a picture and/or signature of a legitimate holder are retained, is comprised of acquiring a first digital representation of the picture and/or signature of a legitimate holder of said instrument, extracting first feature data from the digital representation, reading the personal data, combining the feature data with the personal data into a single data sequence and generating a security code by encrypting the sequence with a secret key, and affixing the security code to the instrument to provide a substantially forgery-proof instrument.
BRIEF INTRODUCTION TO THE DRAWINGS:
A better understanding of the invention will be obtained by reference to the detailed description below, in conjunction with the following drawings, in which:
Figure 1 is an apparatus that can be used to read a personal identification instrument,
Figure 2 illustrates a face of an instrument in accordance with a first embodiment,
Figure 3 illustrates a face of an instrument in accordance with a second embodiment,
Figure 4 illustrates a face of an instrument in accordance with a third embodiment,
Figure 5 illustrates a face of an instrument in accordance with a fourth embodiment, and
Figure 6 illustrates an imprinted carrier on which is imprinted an encoded matrix in accordance with another embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION:
Turning first to Figures 2, 3, 4 and 5, a personal identification instrument is divided into three areas: area 1 which contains biographical data of the legitimate holder of the instrument, area 2 which contains either or both of a picture and signature of the legitimate holder of the instrument, and area 3 which contains authentication information.
The main difference between the embodiments of Figures 2-5 is in the storage of the authentication information: in Figure 2 it is in the form of a two-dimensional bar code, in Figure 3 the information is stored in an integrated circuit chip, in Figure 4 it is stored in a magnetic stripe, and in Figure 5 it is stored in an OCR code.
The design geometry of areas 1, 2 and 3 does not have any significance in the present invention. They can be arranged in a book form or in a one or two-sided card form, depending on the requirements of the application. The biographical data in area 1 should be in a human readable form, that can be electro-optically read by validation equipment at the authentication station. The subject matter in areas 2 and 3 can be in human readable form but should be in machine readable form.
When producing the authentication information for area 3, data bits from area 1 and area 2 should be passed through an encryption algorithm to form a security code which should be affixed in e.g. one of the forms shown in Figures 2-5 on the instrument.
Modern encryption algorithms such as symmetric or asymmetric key systems can provide means for protecting the data stored in area 3. Even when such algorithms become public domain, it is extremely difficult for someone to decode the data without knowing the secret key used in the encryption. Millions of years of computer time have been estimated to be required to break some of the encoding schemes. The particular encoding scheme used is not essential to this invention, so long as the data is encrypted.
Since the encoded information is dependent on the photograph and other information on the instrument, it is extremely difficult to alter the information or photograph on the instrument without escaping detection, even though the method of validating the instrument may be known to the public. For example, it would be next to impossible for a person to generate a new encrypted code for the instrument based on modified information on the instrument without knowing the secret key used by the encryption scheme.
It would be difficult to generate a photograph of a person with the same information that is embedded in encrypted information affixed to the card. It is likely that the new photograph would be obviously different from the desired holder of the instrument and furthermore, the name, age and height (biometric information) of the person encoded also likely would not match.
The number of bits contributed by area 2 to area 3 in accordance with one embodiment of this invention is in the order of 100 bits. The contribution from area 1 to area 3 can be from a few bits to thousands of bits. If the information output of the biographical area is too large to fit into the bit space allocated in the authentication area, the information can be passed through a one way cryptographic hash function to limit this contribution to allocated bit space.
The tamper proof instrument can be copied or transmitted; if the copies are of high quality (reproduction of colour, resolution, dimensions, brightness, contrast, etc.), then the copies will have the same attributes as the original. Copies can be authenticated since no alterations will have been made on them. Indeed, the whole document can become image area 2, and there may be no contribution from area 1; or vice versa, full contribution from area 1 and no area 2, area 3 will constitute the descriptor of the whole document. As one example, area 3 can contain 640 bits.
Where, for example, as in Figure 2 the information stored in area 3 is in the form of a two-dimensional, high density, bar code, 640 bits can be stored in an area occupied by a postage stamp. This can be divided to store 128 bits of the image (area 2) and 496 bits from the biographical data (area 1) plus 16 bits of error protection.
Figure 1 illustrates in block diagram a typical system which can be used to encode or authenticate the instrument. The instrument 5 can be placed on a table 7 which is moved in the directions of the arrow by means of motor driven rollers 9 or pulled by hand. As the table moves to the right, it carries the instrument 5 under scanner 11. The sampled image data is passed into processor 13, to which a display 15 is connected.
Many commercial scanners or video cameras can serve to acquire a digital representation of a surface of an instrument. For example a flat bed scanner such as Hewlett Packard Model IIc Scanjet can be used. Such a scanner produces a grey level black and white image of the picture to a resolution of 150 dots per inch, which has been found to be adequate for most applications. However the present invention is intended to include all possible means of acquiring the data, including colour data.
The processor executes algorithms, such as described below, to extract data from the photograph. It may be necessary, for some applications to include algorithms to find the location of the picture due to placement inaccuracies.
The algorithm extracting the information from the picture is preferred to extract global features from the picture, i.e. not local to any specific position in the picture but which depend on its overall characteristics. These features make very few assumptions regarding the contents of the image, so that they will still work if the image does not contain a face. However the algorithm is preferably optimized for the more usual situation where the photograph does contain a face. About 10 features are preferred to be extracted, which are encoded as small numbers. Concatenating the bits of these features produces a 50 to 128 bit number which is associated with the photograph. The features are preferably computed by taking weighted averages. As the weighting functions are highly non-linear, it is very difficult to create an image which would have the same averages and yet the image contain a face or signature of a specific person. These features are only based on the luminance (black and white) components of the picture; however the present invention is not restricted and could cover colour components if this were necessary or desirable. Any generic scheme for extracting local or global features from a picture can be used. One specific algorithm will be described in more detail below.
The next step in the process is to input other personal information for area 1, such as the age, height, colour of eyes, birth date, birth place, etc. of the authentic holder of the instrument. This is preferably read from an imprint already on the card, although instead it could be input on a keyboard. Ideally, the information should describe unalterable properties of the person. The validation machine could display this information to the validation station user if a one-way hash function is not used.
The image is applied to the document by direct recording or by attachment of image material to the instrument. The image that is part of the instrument in area 2 is recorded in human visible form and is acquired by the electro-optical means (e.g. by the scanner) from the instrument.
The combination of the personal information and a digitized descriptor of the photograph and/or personal information forms a code, which after encrypting using a secret key is recorded in area 3 on the instrument in any reliable machine readable form, for example any of the forms shown in Figures 2-5.
The encryption algorithm used in processor 13 can use either private or public key encryption techniques. These techniques are well known in literature; an example of each is Data Encryption Standard (DES) for private key and Rivest Shamir Adleman (RSA) algorithm for public key techniques. The resulting personal identification instrument is as shown in Figures 2-5.
To authenticate the information, a system such as that shown in Figure 1 can be used. The instrument 5 is placed on table 7 and is passed under scanner 11. The biographical information is acquired from the recorded area 1 of the document, and is converted into binary format in processor 13 as was done in the document creation process and is saved in a local memory.
The image in area 2 of the instrument is acquired in a similar manner, and is processed by the image processing algorithm, to extract image descriptors. It is preferred that this is done by calculating weighted averages, as will be described below. The image descriptors are also saved in a local memory.
The information stored in area 3 is read and is decrypted using the secret decryption key. The binary vector resulting from the decryption is separated into two parts. The part containing the biographical data is compared to the biographical data that was read from the area 1 of the instrument, and if there is any discrepancy between the two sets of biographical data streams, the document is declared as a fake. If the biographical data test is positive, then a distance measure is applied between the image descriptor that is generated at the authentication stage, and the decrypted image descriptor from the information stored in area 3. If the distance measure is greater than a predetermined limit, the document is declared as a counterfeit. Clearly if the image has been altered or if the data stored in area 1 of the instrument has been changed, this will not match the decrypted codes stored in area 3. A forger would be unable to produce a correctly matching code for application to area 3, since the encryption key is secret. Even if the encryption and decryption algorithms are known, the correct code for area 3 would not be able to be produced, since the key used in generation of area 3 remains a secret.
The aforenoted one-way hash function (which is also known as a message digest algorithm or manipulation detection code) takes a message of variable length and provides a fixed length code. It appears to be computationally infeasible to find two different messages with the same output code, if this code is larger than 64 bits. With this property, if the input is altered in any way, it will be detected by a mismatch of the output code generated. The detection process in the authentication station is required only to detect the presence of the manipulation, but not the location or magnitude of the manipulation.
With regard to the photograph, such a photograph on an identification card is typically 1" by 1¼". Digitized to a resolution of 300 dots per inch in three colours, this would cause the picture to occupy 300 x 375 x 3 x 8 = 2.7 million bits. Even using shades of grey, the amount of data representing a photograph is huge. The prior art patent 5,027,113 referred to above requires the storage and transmission of bits of a photograph of this magnitude for every expected instrument to be verified.
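The issuing and checking steps described above (combine, apply the secret key, recover with the matching key, exact match on the biographical data, distance test on the picture descriptor), as an added Python sketch that is not code from the patent. Assumptions: SHA-512 cut to 496 bits as the one-way hash, a CRC-16 standing in for the 16 error-protection bits, the text normalisation rule, and the limit of 25. The key is a constructed toy RSA key used without padding purely to show the roles of the two keys; a deployment would use a standard padded signature scheme and a properly generated key.

```python
import binascii
import hashlib
import struct

# Constructed toy key: both factors are publicly known Mersenne primes, so this
# key protects nothing. It only makes the secret-key / public-key roles concrete.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent, kept by the issuer only

IMG_BYTES, BIO_BYTES, CHECK_BYTES = 16, 62, 2    # 128 + 496 + 16 = 640 bits
BODY_BYTES = IMG_BYTES + BIO_BYTES + CHECK_BYTES
CODE_BYTES = (N.bit_length() + 7) // 8
LIMIT = 25                                       # constructed distance limit


def bio_digest(bio):
    """One-way hash of the area 1 text, cut to the 496 bits allocated to it."""
    canonical = " ".join(bio.upper().split())    # assumption: spacing and case are normalised
    return hashlib.sha512(canonical.encode("utf-8")).digest()[:BIO_BYTES]


def issue(bio, descriptor):
    """Issuer: combine descriptor and hashed personal data, then apply the secret key."""
    if len(descriptor) > IMG_BYTES:
        raise ValueError("descriptor does not fit the 128 bits allocated to area 2")
    body = descriptor.ljust(IMG_BYTES, b"\0") + bio_digest(bio)
    body += struct.pack(">H", binascii.crc_hqx(body, 0))
    return pow(int.from_bytes(body, "big"), D, N).to_bytes(CODE_BYTES, "big")


def verify(code, bio_read, descriptor_scanned):
    """Verification station: needs only the public values N and E."""
    c = int.from_bytes(code, "big")
    try:
        if c >= N:
            raise OverflowError
        # A code not produced with D recovers to a value that does not fit 640 bits.
        body = pow(c, E, N).to_bytes(BODY_BYTES, "big")
    except OverflowError:
        return "fake: security code does not decode"
    payload, check = body[:-CHECK_BYTES], body[-CHECK_BYTES:]
    if struct.pack(">H", binascii.crc_hqx(payload, 0)) != check:
        return "fake: security code does not decode"
    stored_desc, stored_bio = payload[:IMG_BYTES], payload[IMG_BYTES:]
    # Biographical data must match exactly; any discrepancy means a fake.
    if stored_bio != bio_digest(bio_read):
        return "fake: biographical data mismatch"
    # The picture descriptor is compared by distance, since no two scans are identical.
    scanned = descriptor_scanned.ljust(IMG_BYTES, b"\0")
    distance = sum((a - b) ** 2 for a, b in zip(stored_desc, scanned))
    if distance > LIMIT:
        return "counterfeit: picture descriptor too far from stored value"
    return "genuine"


if __name__ == "__main__":
    # Constructed sample holder data and 12-byte descriptor.
    bio = "DOE, JANE  1970-01-01  OTTAWA  165 CM"
    desc = bytes([152, 152, 166, 128, 128, 131, 140, 141, 150, 128, 127, 120])
    code = issue(bio, desc)
    print(verify(code, bio, desc))
    print(verify(code, bio.replace("1970", "1975"), desc))
```
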
The present invention dispenses with verification of the entire photograph, and instead utilizes selected features. Different features differ in the amount of sensitivity (for distinguishing nearly similar pictures) and robustness to environmental changes that can occur due to the changes in the photograph or scanner.
It has been found that the digitization of a picture by a scanner is not a repeatable operation. On a gross scale the digitized pictures should appear the same, but in the fine scale there will be small variations for various practical reasons. For example, it is unlikely that the position of the picture will be exactly the same due to the various mechanical tolerances in the scanning equipment.
In addition, the picture on an identification card or passport will probably be scanned on many different authentication machines. These machines may be produced by different manufacturers using different components. Furthermore, machines of the same manufacturer may differ or depart from standard calibration due to aging and use. This will introduce other variations in the digitized data. Exposure of colour photographs to ultraviolet rays also causes slow fading of the picture.
Many parts of the picture may contain useless information. For example, a person in the photograph typically is in front of a featureless background. Although the encoding technique may use some of the information in the background, it should provide greater weight to the foreground information.
Photographs in passports are in many cases black and white. Black and white pictures provide more definition and are more robust to environment changes. It is preferred in the present invention, to convert all scanned pictures to black and white. The conversion of colour photographs to black and white often results in loss of contrast. The feature extraction technique used in the present invention should be robust enough to handle this loss in contrast.
It is preferred that the feature extraction, both in the encoding system and in the decoding system should follow the following preferred steps.
The image should be acquired by electro-optical means. The resolution of the scanned image should be reduced to about 100 dots per inch if it were digitized at a higher resolution. If the digitized picture is in colour, the luminance component should be extracted and the hue and saturation components discarded.
The area of the digitized document where the photograph is located should be determined. The picture could always be located in one place, to a high tolerance, or the position could be located automatically, either from datum points or from an analysis algorithm.
The digitized image should then be converted from as many grey levels as the equipment provides (e.g. typically 256), to 3 grey levels. The weighted averages of the dark component in the multi-tone average should then be computed. The weighted averages of the light component in the multi-tone image should then be computed. The averages should then be encoded into a number with a fixed number of bits.
One way of digitizing the picture is to represent it as a two-dimensional array of numbers or pixels where the dimensions of the array depend on the size of the picture. Let P(i,j) denote the value of that pixel located at the i-th row and j-th column of this array. In a successful prototype system, the dimensions of the array were 64 by 64, which was achieved by a suitable selection for scanning parameters and by cropping the edges of the picture.
Each pixel element took a value between 0 and 255 where low values denoted a dark pixel and high values denoted a bright pixel.
To correct the continuous tone image to a three tone image, each pixel in the array P(i,j) was assigned a new value, either 0, 1 or 2 depending upon the original value of that pixel. The 0 value was assigned to all dark pixels whose original intensity level lay within a range of 0 to THR1 inclusive where THR1 is some threshold value selected. The 2 value was assigned to all bright pixels whose intensity level lay between THR2 and 255 inclusive where THR2 is a higher threshold. The 1 value was assigned to all the remaining pixels.
The choice of these thresholds THR1 and THR2 depends upon the specific image and the manner in which it was scanned. As some pictures are over or under exposed (or faded), it was necessary to make some allowance. It may be necessary to compensate for different scanning hardware which may be calibrated differently, in other systems.
The thresholds were chosen so that one third of the pixel elements in the picture were assigned to each of the three categories 0, 1 and 2. This was accomplished by computing a histogram of the pixel values in the digitized picture P(i,j) and by finding the levels which divided the distribution into approximately 3 equal parts.
The spatial distribution of all the pixels assigned to the zero category was analyzed. For example one can compute the mean, variance and correlation of the i and j-th spatial coordinates of all the pixels assigned to this category. (Recall that i and j address the row and column number of the pixels in the digitized picture.) The parameters that were used were the weighted averages of the i-th coordinate, the j-th coordinate and the product of the i-th and j-th coordinates. Two different weighting functions were used to obtain 6 averages - three for each weighting function.
The weighting functions serve two purposes. The first weighting function gives the pixels located in the central part of the picture more weight. For example, the face is usually centered in the picture and it is the component of the picture which is most difficult to modify without escaping detection. The weighting function also serves the purpose of making it more difficult for someone to tamper with the image in order to get a specific set of six spatial parameters.
The weighting functions were based on the harmonic functions sine and cosine. The first weighting function represents the first half of the sine wave (from zero to 180 degrees). The second weight function represents the full sine wave from zero to 360 degrees. Hence the second weighting function is non-symmetric across the image and contains negative weights. To compute the weights the i-th and j-th coordinates were converted to two angles by dividing them by 64 (the width of the picture) and then multiplying them by 180 or 360.
The averages of the i-th and j-th coordinates must lie in a fixed range (-64 to +64). In actual practice it was found that they lie in a smaller range. The average of the i*j-th product is divided by 20 to confine it to a smaller workable range. In fact, each of these parameters can be encoded in a single 8 bit byte. There are 12 parameters, so 96 bits were used to encode the characteristics of the image.
In the instrument creation process, the fixed number, which is a digitized descriptor of the photograph (and/or personal signature if used), is then combined with the digitized personal information or code resulting from the hash function processed personal information, is encrypted and is fixed to the card in area 3 in e.g. one of the forms shown in Figures 2-5.
If the process is being used at an authentication station, the square Euclidean distance is computed between the decoded information obtained from area 3 and the image descriptor generated from the digitized image of area 2 of the personal identification instrument, which has been read by the authentication system.
The square Euclidean distance is then compared with a threshold limit, in order to provide an accept or reject indication of the instrument as being genuine or fake, e.g. as on display 15 or by other means.
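The descriptor computation and distance test described above, as an added Python example that is not code from the patent; it also shows why histogram-derived thresholds make a uniform brightness offset between scans harmless. Assumptions: each 2-D weight is the product of the row and column sine terms, sums are divided by the pixel count of the tone, bytes are stored with an offset of 128, and the limit of 25 and the `blob` test pictures are constructed.

```python
import math

SIZE = 64    # prototype array dimensions given in the text
LIMIT = 25   # constructed acceptance limit; the text gives no value


def thresholds(img):
    """Pick THR1 and THR2 from the histogram so each tone holds about a third of the pixels."""
    hist = [0] * 256
    for row in img:
        for p in row:
            hist[p] += 1
    total, seen, thr1, thr2 = sum(hist), 0, None, None
    for level, count in enumerate(hist):
        seen += count
        if thr1 is None and 3 * seen >= total:
            thr1 = level          # dark tone: 0..THR1 inclusive
        if thr2 is None and 3 * seen >= 2 * total:
            thr2 = level + 1      # bright tone: THR2..255 inclusive
    return thr1, thr2


def weights(i, j):
    """Half sine wave (favours the centre) and full sine wave (signed weights).

    Assumption: each 2-D weight is the product of the row and column sine terms.
    """
    half = math.sin(math.pi * i / SIZE) * math.sin(math.pi * j / SIZE)
    full = math.sin(2 * math.pi * i / SIZE) * math.sin(2 * math.pi * j / SIZE)
    return half, full


def to_byte(x):
    """Assumption: round, clamp to a signed 8-bit range, store with an offset of 128."""
    return max(-128, min(127, round(x))) + 128


def descriptor(img):
    """12 bytes: (i, j, i*j/20) averages x 2 weightings x (dark tone, bright tone)."""
    thr1, thr2 = thresholds(img)
    out = bytearray()
    for in_tone in (lambda p: p <= thr1, lambda p: p >= thr2):
        sums, n = [0.0] * 6, 0
        for i in range(SIZE):
            for j in range(SIZE):
                if not in_tone(img[i][j]):
                    continue
                n += 1
                for k, w in enumerate(weights(i, j)):
                    sums[3 * k] += w * i
                    sums[3 * k + 1] += w * j
                    sums[3 * k + 2] += w * i * j / 20
        # Assumption: sums are divided by the pixel count of the tone, which keeps
        # the coordinate averages inside the -64..+64 range the text states.
        # An empty tone (flat picture) encodes as zero averages.
        out.extend(to_byte(s / n) if n else 128 for s in sums)
    return bytes(out)


def squared_distance(a, b):
    """Square Euclidean distance between two descriptors of equal length."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def is_genuine(stored, scanned_img):
    """Accept when the rescanned picture's descriptor is within LIMIT of the stored one."""
    return squared_distance(stored, descriptor(scanned_img)) <= LIMIT


def blob(ci, cj):
    """Constructed test picture: a bright blob centred at (ci, cj), fading outwards."""
    return [[int(230 - 3 * math.hypot(i - ci, j - cj)) for j in range(SIZE)]
            for i in range(SIZE)]


if __name__ == "__main__":
    original = blob(32, 32)
    stored = descriptor(original)
    brighter = [[p + 20 for p in row] for row in original]   # same picture, lighter scan
    print(stored.hex(), is_genuine(stored, brighter), is_genuine(stored, blob(20, 40)))
```
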
The security code can contain combined data from areas 1 and 2 of the instrument, or data from either. Indeed, the instrument can carry only area 1 or 2 data, and the area 2 data can be comprised of the image descriptors of the whole instrument, whatever imprint is carried thereon.
Using the present invention no communication is required between the authentication station and a central database. The cost of the authentication stations is relatively low, being only as complex as present day widely-available personal computers. The personal identification instruments are virtually immune from tampering and falsification, and have been found to be very robust in testing, showing a very low false-negative and false-positive instance.
In accordance with another embodiment of the invention, a personal identification instrument is created in which a photo of the legitimate holder is incorporated with biographical data into an encoded, encrypted file. The image is first digitized and compressed into a file which can reproduce a recognizable likeness in about 900 bytes of data. The biographical data is appended to the image forming a file of about 1000 bytes. Error correction bits are added producing a file of about 1400 bytes. The file is encrypted using the secret key of a public key encryption scheme in which the key used is about 600 bits. The encrypted data is printed on a carrier 19 as a matrix 20 of black and white rectangles, using a laser printer, representing the binary number, as shown in Figure 6. The 1400 bytes of data, and thus the printed area, can occupy an area of about 6 to 8 square inches. No photograph is printed on the carrier, nor biographical data although it may be desired to imprint the owner's name in some circumstances.
To check authenticity, a verification station is used. The verification station is comprised of a scanner connected to a desk top computer. The matrix 20 is first scanned into the computer and converted to a binary number. Next, an error correction procedure is applied to remove scanning errors. This process will overcome disfigurement of the matrix due to usage (e.g. discoloration due to handling, pencil marks and staple holes). The error corrected file now is comprised of about 1000 bytes, which is then decrypted using the public key. The information after decryption is displayed on the monitor of the computer. The displayed likeness of the legitimate holder and the displayed biographical data can be used to check against the person to ensure authenticity. Forgery and tampering with the photo or the data contained in the matrix is not possible unless the secret key is known to the forger.
A person understanding this invention may now conceive of alternative structures and embodiments or variations of the above. All of those which fall within the scope of the claims appended hereto are considered to be part of the present invention.

Claims

We Claim:
1. A personal identification instrument comprising a substrate, and carried on the substrate: a photograph and/or a personal signature, personal information relating to the legitimate holder of the instrument, and an encrypted machine readable security code carried by the instrument, said code being comprised of a combination of digitized said personal information and a digitized descriptor of said photograph and/or personal signature.
2. An instrument as defined in claim 1, in which said digitized personal information is a code resulting from passing the personal information through a hash function.
3. An instrument as defined in claim 1 in which said descriptor is a code resulting from the low resolution luminance component of said photograph reduced to a small number of gray levels.
4. An instrument as defined in claim 3 in which the number of gray levels is three.
5. An instrument as defined in claim 3, in which said digitized personal information is a code resulting from passing the personal information through a hash function.
6. An instrument as defined in claim 1 in which said code is carried on the substrate in the form of a machine readable bar code.
7. An instrument as defined in claim 6 in which the bar code is a two dimensional bar code.
8. An instrument as defined in claim 1 in which said code is carried on the substrate recorded in a magnetic stripe.
9. An instrument as defined in claim 1 in which said code is carried on the substrate recorded in an integrated circuit.
10. An instrument as defined in claim 1 in which said code is carried on the substrate in the form of an OCR code.
11. A method of creating a personal identification instrument on which personal data and a picture and/or signature of a legitimate holder are retained, comprising the steps of:
(a) acquiring a first digital representation of the picture and/or signature of a legitimate holder of said instrument,
(b) extracting first feature data from the digital representation,
(c) reading said personal data,
(d) combining said feature data with said personal data into a single data sequence,
(e) generating a security code by encrypting the sequence with a secret key, and
(f) affixing the security code to the instrument to provide a substantially forgery-proof instrument.
12. A method as defined in claim 11, in which the security code is fixed to the instrument in at least one of a machine readable bar code, a machine readable magnetic stripe, a machine readable integrated circuit and an OCR code.
13. A method as defined in claim 11, in which said feature data is formed of a low resolution luminance component of the picture and/or signature reduced to a small number of grey levels.
14. A method as defined in claim 13, in which the number of grey levels is three.
15. A method as defined in claim 13 in which the feature data is comprised of the binary coded weighted averages of each of the grey levels for each of i-th and j-th coordinates of the picture, more weight being given to pixels at the center of the picture.
16. A method of authenticating a personal identification instrument created using the method of claim 11 comprising:
(g) reading said personal data,
(h) acquiring a second digital representation of the picture and/or signature from said instrument,
(i) extracting second feature data from the second digitized representation corresponding to similar feature data as those in step (b),
(j) processing the second feature data to obtain image descriptors,
(k) reading and decrypting the security code using a decryption key,
(l) separating personal data from feature data in the decrypted security code,
(m) comparing the personal data obtained in step (l) from the personal data read in step (g),
(n) in the event there is a discrepancy between the personal data from step (l) compared to step (g), declaring the instrument as a fake,
(o) in the event the instrument is not declared as a fake in step (n), comparing decrypted feature data descriptors obtained in step (l) with the feature data descriptors obtained in step (j),
(p) declaring the instrument as a fake in the event the compared descriptors are dissimilar to a predetermined degree.
17. A method of creating a personal identification instrument on which personal data of a legitimate holder of the instrument comprised of any of a personal identification number, a signature, and printed personal information is carried, comprised of:
(a) acquiring a first digital representation of said personal data,
(b) encrypting said personal data using a secret code,
(c) affixing the encrypted personal data to said instrument as a security code.
18. A method as defined in claim 17, in which said personal data is passed through a one-way hash function before being encrypted.
19. A method as defined in claim 18, in which the encrypted personal data is affixed to said instrument by printing on said instrument at least one of a bar code and an OCR code, or by recording the encrypted personal data on a magnetic stripe carried by the instrument, or by recording the encrypted personal data in an integrated circuit and affixing said circuit to said instrument.
20. A method of creating a personal identification instrument carrying a picture and/or signature of a legitimate holder thereof, comprising:
(a) acquiring a first digital representation of said picture and/or signature,
(b) extracting first feature data from the digital representation,
(c) encrypting said feature data using a secret code,
(d) affixing the encrypted feature data to said instrument as a security code.
21. A method as defined in claim 9, in which the encrypted feature data is affixed to said instrument by printing on said instrument at least one of a bar code and an OCR code, or by recording the encrypted personal data on a magnetic stripe carried by the instrument, or by recording the encrypted personal data in an integrated circuit and affixing said circuit to said instrument.
22. A method of authenticating a personal identification instrument created using the method of claim 17, comprising:
(d) reading the personal data from the instrument,
(e) reading and decrypting the security code, using a decryption key,
(f) comparing the decrypted personal information from the security code from the personal data read from the instrument, and
(g) declaring the instrument a fake in the event there is a discrepancy therebetween.
23. A method of authenticating a personal identification instrument created using the method of claim 20, comprising:
(e) acquiring a second digital representation of said picture and/or signature carried by the instrument,
(f) extracting second feature data from the picture and/or signature carried by the instrument,
(g) processing the second feature data to obtain image descriptors,
(h) reading and decrypting the security code using a decryption key,
(i) separating feature data descriptors from the decrypted security code,
(j) comparing decrypted feature data descriptors obtained in step (i) with the feature data descriptors obtained in step (g),
(k) declaring the instrument as a fake in the event the compared descriptors are dissimilar to a predetermined degree.
24. A personal identification instrument comprising a carrier, and an imprinted data file carried by the carrier comprised of an encrypted digital representation of at least a picture of a legitimate holder thereof.
25. An instrument as defined in claim 24 in which said data file is comprised of a compressed digitized representation which has been encrypted.
26. An instrument as defined in claim 25 in which said data file is compressed additionally of error correction bits.
27. An instrument as defined in claim 24 in which the data file is imprinted on the carrier in a matrix of black and white rectangles, and in which a part of said data file containing said encrypted digital representation of said picture has a length of about 900 bytes.
28. A method of authenticating a document comprised of:
(a) digitizing the likeness of a legitimate holder,
(b) image compressing the digitized likeness,
(c) encrypting the compressed digitized likeness, using a secret key of a public key encryption scheme,
(d) printing the encrypted compressed digitized likeness on a document as a matrix of black and white rectangles,
(e) when authenticating the document, scanning the matrix into a digital computer to produce a data sequence,
(g) decrypting the data using the public key which corresponds to the secret key used for the encryption process, and
(h) displaying decrypted data as an image of the legitimate holder.
29. A method as defined in claim 28, including adding error correction bits to the encrypted compressed digital likeness prior to printing on the document, and during authentication, examining the scanned matrix for errors and removing any errors by decoding the error correcting code, prior to the decrypting step.
30. A method as defined in claim 28, in which the likeness of a legitimate holder is digitized from a photograph of said holder.
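The issuing and checking steps of claims 17, 18 and 22, as an added example that is not part of the patent text: the personal data is hashed, the hash is encrypted under the issuer's secret key, and a verifier decrypts the security code and compares it with what is printed on the instrument. It assumes the public-key arrangement named in claim 28, SHA-256 as the one-way hash and a toy RSA key; the field names, the canonical() helper and the sample card are constructed for illustration.

```python
import hashlib

# Toy RSA key, constructed for this example only. Both primes are Mersenne
# primes, so the modulus is trivially factorable; never use such a key.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                               # public exponent, given to verifiers
D = pow(E, -1, (P - 1) * (Q - 1))       # secret exponent, held by the issuer


def canonical(personal_data: dict) -> bytes:
    """Serialise the printed fields in a fixed order and case, so that the
    issuer and a verifier reading the card hash exactly the same bytes."""
    lines = (f"{k}={personal_data[k].strip().upper()}" for k in sorted(personal_data))
    return "\n".join(lines).encode("utf-8")


def digest_int(personal_data: dict) -> int:
    """Claim 18: pass the personal data through a one-way hash function."""
    return int.from_bytes(hashlib.sha256(canonical(personal_data)).digest(), "big")


def make_security_code(personal_data: dict) -> str:
    """Claim 17 (b): encrypt the hashed data with the secret key. The hex
    string is what would be affixed as a bar code, OCR code or stripe.
    Unpadded RSA is used here for brevity; a real issuer would use a
    padded signature scheme such as RSA-PSS."""
    return format(pow(digest_int(personal_data), D, N), "x")


def authenticate(read_data: dict, security_code: str) -> bool:
    """Claim 22: decrypt the security code with the public key and compare
    it with the data read from the instrument. False means 'fake'."""
    try:
        c = int(security_code, 16)
    except ValueError:
        return False                    # unreadable or malformed code
    if not 0 < c < N:
        return False                    # outside the valid range for this key
    return pow(c, E, N) == digest_int(read_data)


# Constructed sample card.
CARD = {"name": "Jane Q. Sample", "dob": "1960-01-31", "id_no": "X0000001"}
CODE = make_security_code(CARD)
```

Only the issuer holds D, so a forger who alters a printed field cannot produce a matching security code, while any verifier holding (N, E) can check the instrument offline.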
PCT/CA1994/000084 1993-02-19 1994-02-17 Secure personal identification instrument and method for creating same WO1994019770A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU60349/94A AU6034994A (en) 1993-02-19 1994-02-17 Secure personal identification instrument and method for creating same
GB9516080A GB2289965B (en) 1993-02-19 1994-02-17 Secure personal identification instrument and method for creating same
DE4490836T DE4490836T1 (en) 1993-02-19 1994-02-17 Secure personal identification instrument and method for its production

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US1958993A 1993-02-19 1993-02-19
US019,589 1993-02-19

Publications (1)

Publication Number Publication Date
WO1994019770A1 WO1994019770A1 (en) 1994-09-01

Family

ID=21793998

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA1994/000084 WO1994019770A1 (en) 1993-02-19 1994-02-17 Secure personal identification instrument and method for creating same

Country Status (5)

Country Link
AU (1) AU6034994A (en)
CA (1) CA2115905C (en)
DE (1) DE4490836T1 (en)
GB (1) GB2289965B (en)
WO (1) WO1994019770A1 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996003286A1 (en) * 1994-07-26 1996-02-08 International Data Matrix, Inc. Unalterable self-verifying articles
US5505494A (en) * 1993-09-17 1996-04-09 Bell Data Software Corporation System for producing a personal ID card
US5530438A (en) * 1995-01-09 1996-06-25 Motorola, Inc. Method of providing an alert of a financial transaction
EP0805409A2 (en) * 1994-03-21 1997-11-05 I.D. Tec, S.L. Biometric security process for authenticating identity and credit cards, visas, passports and facial recognation
GB2342743A (en) * 1998-10-17 2000-04-19 Nicholas Paul Elliot Verification method
NL1010443C2 (en) * 1998-11-02 2000-05-03 Robert Arnout Van Der Ing Loop Fraud resistant identity card with encrypted digital data and digitized images can serve multiple purposes, such as passport, driving license, medical card, etc.
EP1018712A1 (en) * 1998-12-22 2000-07-12 Eastman Kodak Company Method and apparatus for transaction card security utilizing embedded image data
WO2000042577A1 (en) * 1999-01-18 2000-07-20 Iridian Technologies, Inc. Method and apparatus for securely transmitting and authenticating biometric data over a network
EP0730243A3 (en) * 1995-02-28 2000-08-02 AT&T Corp. Identification card verification system and method
GB2348343A (en) * 1999-03-26 2000-09-27 Int Computers Ltd Authentication of MOT certificate using encryption
WO2001043067A2 (en) * 1999-12-10 2001-06-14 Durand Technology Limited Improvements in or relating to applications of fractal and/or chaotic techniques
WO2002089068A1 (en) * 2001-05-02 2002-11-07 Navigator Solutions Limited Biometric identification method and apparatus
WO2003073387A2 (en) * 2002-02-28 2003-09-04 Siemens Aktiengesellschaft Method, device and computer program for verifying the authenticity of non-electronic documents
WO2002043012A3 (en) * 2000-11-25 2003-11-13 Orga Kartensysteme Gmbh Method for producing a data carrier and data carrier
US7010694B2 (en) 1998-10-14 2006-03-07 Harri Vatanen Method and system for application of a safety marking
WO2006090172A2 (en) * 2005-02-25 2006-08-31 First Ondemand Ltd Identification systems
WO2018067974A1 (en) * 2016-10-07 2018-04-12 Chronicled, Inc. Open registry for human identification
US10210527B2 (en) 2015-06-04 2019-02-19 Chronicled, Inc. Open registry for identity of things including social record feature
US11107088B2 (en) 2016-05-27 2021-08-31 Chronicled, Inc. Open registry for internet of things
US11113699B2 (en) 2015-06-04 2021-09-07 Chronicled, Inc. Open registry for identity of things

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19906388A1 (en) * 1999-02-16 2000-08-24 Bundesdruckerei Gmbh Personalizing, verifying identity, security documents involves placing personal data and/or correlated data in document in second, machine-readable form generated using biometric technique
EP1039401A3 (en) * 1999-03-19 2004-03-31 Citibank, N.A. System and method for validating and measuring effectiveness of information security programs
GB0218898D0 (en) * 2002-08-14 2002-09-25 Scient Generics Ltd Authenticated objects
DE102004052117A1 (en) * 2004-10-26 2006-04-27 Zilch, André, Dr. Identification documents production method involves obtaining electronic graphic data and electronic text data of customer, and obtaining signature of customer electronically to complete identification document for customer
DE102015107474B4 (en) 2015-05-12 2019-03-14 Bundesdruckerei Gmbh Method for determining an individual sharpness of an image of an iris and method for person examination
CN105225281B (en) * 2015-08-27 2017-09-29 广西交通科学研究院 A kind of vehicle checking method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0216298A2 (en) * 1985-09-17 1987-04-01 Casio Computer Company Limited Identification system
EP0334616A2 (en) * 1988-03-21 1989-09-27 Leighton, Frank T. Method and system for personal identification
GB2223614A (en) * 1988-08-30 1990-04-11 Gerald Victor Waring Identity verification
GB2240948A (en) * 1990-02-15 1991-08-21 Peter Robert Peter Sunman Credit, identity or like cards
WO1992016913A1 (en) * 1991-03-20 1992-10-01 The Security Systems Consortium Limited Securing financial transactions

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT1074184B (en) * 1976-11-03 1985-04-17 Mario Marco De Gasperi SYSTEM FOR THE REALIZATION AND VERIFICATION OF THE AUTHENTICITY OF IDENTIFICATION DOCUMENTS
DE3049607C3 (en) * 1980-12-31 2003-07-17 Gao Ges Automation Org Process for the production of identity cards and device for carrying it out

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"magnetic encoded photo credit card", IBM TECHNICAL DISCLOSURE BULLETIN, vol. 21, no. 6, November 1978 (1978-11-01), US, pages 2515 - 2517 *

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5505494A (en) * 1993-09-17 1996-04-09 Bell Data Software Corporation System for producing a personal ID card
EP0805409A2 (en) * 1994-03-21 1997-11-05 I.D. Tec, S.L. Biometric security process for authenticating identity and credit cards, visas, passports and facial recognation
EP0805409A3 (en) * 1994-03-21 1998-07-01 I.D. Tec, S.L. Biometric security process for authenticating identity and credit cards, visas, passports and facial recognation
WO1996003286A1 (en) * 1994-07-26 1996-02-08 International Data Matrix, Inc. Unalterable self-verifying articles
US5984366A (en) * 1994-07-26 1999-11-16 International Data Matrix, Inc. Unalterable self-verifying articles
US5530438A (en) * 1995-01-09 1996-06-25 Motorola, Inc. Method of providing an alert of a financial transaction
EP0730243A3 (en) * 1995-02-28 2000-08-02 AT&T Corp. Identification card verification system and method
US7010694B2 (en) 1998-10-14 2006-03-07 Harri Vatanen Method and system for application of a safety marking
GB2342743A (en) * 1998-10-17 2000-04-19 Nicholas Paul Elliot Verification method
GB2342743B (en) * 1998-10-17 2003-05-14 Nicholas Paul Elliot Verification method
NL1010443C2 (en) * 1998-11-02 2000-05-03 Robert Arnout Van Der Ing Loop Fraud resistant identity card with encrypted digital data and digitized images can serve multiple purposes, such as passport, driving license, medical card, etc.
EP1018712A1 (en) * 1998-12-22 2000-07-12 Eastman Kodak Company Method and apparatus for transaction card security utilizing embedded image data
US6536665B1 (en) 1998-12-22 2003-03-25 Eastman Kodak Company Method and apparatus for transaction card security utilizing embedded image data
US6321981B1 (en) 1998-12-22 2001-11-27 Eastman Kodak Company Method and apparatus for transaction card security utilizing embedded image data
US6332193B1 (en) 1999-01-18 2001-12-18 Sensar, Inc. Method and apparatus for securely transmitting and authenticating biometric data over a network
WO2000042577A1 (en) * 1999-01-18 2000-07-20 Iridian Technologies, Inc. Method and apparatus for securely transmitting and authenticating biometric data over a network
US6907528B1 (en) 1999-03-26 2005-06-14 Fujitsu Services Limited Method and system for cryptographically authenticating a printed document by a trusted party
GB2348343A (en) * 1999-03-26 2000-09-27 Int Computers Ltd Authentication of MOT certificate using encryption
WO2001043067A2 (en) * 1999-12-10 2001-06-14 Durand Technology Limited Improvements in or relating to applications of fractal and/or chaotic techniques
WO2001043067A3 (en) * 1999-12-10 2002-05-10 Durand Technology Ltd Improvements in or relating to applications of fractal and/or chaotic techniques
WO2002043012A3 (en) * 2000-11-25 2003-11-13 Orga Kartensysteme Gmbh Method for producing a data carrier and data carrier
WO2002089068A1 (en) * 2001-05-02 2002-11-07 Navigator Solutions Limited Biometric identification method and apparatus
WO2003073387A2 (en) * 2002-02-28 2003-09-04 Siemens Aktiengesellschaft Method, device and computer program for verifying the authenticity of non-electronic documents
WO2003073387A3 (en) * 2002-02-28 2004-10-28 Siemens Ag Method, device and computer program for verifying the authenticity of non-electronic documents
WO2006090172A2 (en) * 2005-02-25 2006-08-31 First Ondemand Ltd Identification systems
WO2006090172A3 (en) * 2005-02-25 2006-12-07 First Ondemand Ltd Identification systems
US10210527B2 (en) 2015-06-04 2019-02-19 Chronicled, Inc. Open registry for identity of things including social record feature
US11113699B2 (en) 2015-06-04 2021-09-07 Chronicled, Inc. Open registry for identity of things
US11354676B2 (en) 2015-06-04 2022-06-07 Chronicled, Inc. Open registry for identity of things
US11107088B2 (en) 2016-05-27 2021-08-31 Chronicled, Inc. Open registry for internet of things
WO2018067974A1 (en) * 2016-10-07 2018-04-12 Chronicled, Inc. Open registry for human identification

Also Published As

Publication number Publication date
GB9516080D0 (en) 1995-10-11
AU6034994A (en) 1994-09-14
DE4490836T1 (en) 1996-01-11
CA2115905C (en) 2004-11-16
GB2289965B (en) 1997-01-22
GB2289965A (en) 1995-12-06
CA2115905A1 (en) 1994-08-20

Similar Documents

Publication Publication Date Title
US6292092B1 (en) Secure personal identification instrument and method for creating same
CA2115905C (en) Secure personal identification instrument and method for creating same
EP0730243B1 (en) Identification card verification system and method
CA2170440C (en) Self-verifying identification card
EP0600646B1 (en) Method and apparatus for producing and authenticating a secure document
EP1520369B1 (en) Biometric authentication system
EP1514227B1 (en) Visible authentication patterns for printed document
US8087583B2 (en) Associating media through encoding
US8190901B2 (en) Layered security in digital watermarking
JP5696040B2 (en) Method and apparatus for identifying a printing plate for a document
US20040065739A1 (en) Barcode having enhanced visual quality and systems and methods thereof
EP2320389A2 (en) Visible authentication patterns for printed document
WO2000039953A1 (en) Method and apparatus for protecting the legitimacy of an article
JP2013127796A (en) Method and device for securing document
JP2003527778A (en) Protection of the legitimacy of electronic documents and their printed copies
US6636614B1 (en) Method for preventing the falsification of documents comprising a photograph, preferably a facial-view photograph
JP2001126046A (en) Ic card, ic card authentication system and its authentication method
US20030152250A1 (en) Personal identification instrument and method therefor
US9036913B2 (en) Secured identification medium and method for securing such a medium
JP2003060890A (en) Individual authentication system using communication network
Chow et al. Forgery and tamper-proof identification document
EA007836B1 (en) Protection system of authenticity of printed information carrier

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AT AU BB BG BR BY CH CN CZ DE DK ES FI GB HU JP KP KR KZ LK LU LV MG MN MW NL NO NZ PL PT RO RU SD SE SK UA UZ VN

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
RET De translation (de og part 6b)

Ref document number: 4490836

Country of ref document: DE

Date of ref document: 19960111

WWE Wipo information: entry into national phase

Ref document number: 4490836

Country of ref document: DE

122 Ep: pct application non-entry in european phase
122 Ep: pct application non-entry in european phase