2008. JANUARY / trends
Films like Blade Runner, Alien and Terminator showed control methods such as retina, voice and face identification that were previously hard to imagine in everyday life. The use of these tools has become, or will soon become, routine. With security standards rising around the world, we now use the term 'biometric' for the above-mentioned methods, sometimes incorrectly.
What does biometrics cover?
By definition, a biometric is a unique or distinctive characteristic that makes the automatic recognition or verification of a person's identity possible.
Verification of identity, or authentication, is a 1:1 comparison.
Its goal is to determine the validity of a claimed identity by comparing the existing reference sample with the sample captured at the time of the check.
In practice, in the case of passport control, this means comparing the biometric data stored in the passport's chip with the data recorded from the owner at the crossing point.
In this way, the system decides whether the passport and the owner match.
Recognition, on the other hand, which is also called identification or determination of possible identity, is a 1:N comparison.
Here, the person's biometric characteristics are compared with every record in a database.
In this way, a database of wanted criminals can be searched, and duplicate data recording, or the recording of different biographic data against the same photo, can be prevented.
Biometric technologies in application
Several technologies are already in use. Among these, fingerprint identification, face recognition, iris and retinal scanning, hand geometry, voice identification, handwritten signature verification and DNA identification are no longer the privilege of science fiction. Further technologies include ear geometry, the measurement of human scent and of typing characteristics, and even gait recognition. The ever wider application of biometric technologies is ensured by their reliability and accuracy. The accuracy of identification can be measured by the following indicators:
- FRR - "False-reject rate" - the rate shows the number of cases during identification in which the application fails to identify legitimate data or wrongly rejects it.
- FAR - "False-acceptance rate" - the rate shows the number of cases during identification in which the application accepts illegitimate data or lets faulty data pass through.
- "Failure to acquire rate" - the rate of attempts in which the system is unable to produce a picture of adequate quality; for example, the light and the angle of the picture may influence a face recognition system.
- "Failure to enrol" - faulty data recording. The number of people from whom the system is unable to record an adequate or repeatable sample. For example, it is impossible to scan a fingerprint without fingers.
- "Throughput" - performance. The rate at which identification and verification can operate (data collection, search, time spent on comparison operations).
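The FRR and FAR definitions above, and the 1:1 versus 1:N distinction from the previous section, can be worked through on a small set of comparison scores. This is an added example, not part of the original article: the scores are constructed, the function names are hypothetical, and the 1:N formula goes one step beyond the text by assuming each database comparison is independent.

```python
# Constructed similarity scores in [0, 1]; a higher score means "more alike".
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.79, 0.97, 0.85, 0.58, 0.93, 0.90]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.66, 0.22, 0.30, 0.55, 0.18, 0.71, 0.27]  # different people


def frr(threshold, genuine=GENUINE):
    """False-reject rate: share of genuine comparisons scored below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """False-acceptance rate: share of impostor comparisons at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(thresholds):
    """(threshold, FAR, FRR) per candidate threshold; raising one rate lowers the other."""
    return [(t, far(t), frr(t)) for t in thresholds]


def closest_to_equal_error(thresholds):
    """The candidate threshold at which FAR and FRR are nearest to each other."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def false_match_in_search(far_1to1, n_records):
    """Chance that a 1:N search returns at least one false match.

    Assumption (not from the article): the N comparisons are independent,
    each with the same 1:1 false-acceptance rate.
    """
    return 1 - (1 - far_1to1) ** n_records


if __name__ == "__main__":
    for t, fa, fr in sweep([0.5, 0.6, 0.65, 0.7, 0.8]):
        print(f"threshold={t:.2f}  FAR={fa:.2f}  FRR={fr:.2f}")
    print("nearest to equal error:", closest_to_equal_error([0.5, 0.6, 0.65, 0.7, 0.8]))
    print("1:N, FAR=0.1%, N=1000:", round(false_match_in_search(0.001, 1000), 3))
```

A FAR that looks negligible for a 1:1 passport check becomes significant when the same matcher is run against every record of a large database.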
The ICAO (International Civil Aviation Organization) ruling in force names three biometric characteristics, namely face, fingerprint and iris, that can be used in electronic documents for identification. As part of the EU's document reform, each member state may issue only so-called e-passports with biometric identifiers from August 2006 at the latest. The face must be included among the biometric identifiers used.
Face recognition
Of the three technologies mentioned above, this is the best known. ICAO has defined the face as the primary biometric identifier since 2002. This means that the owner's portrait must be stored electronically in a format suitable for identification. Identification and recognition are based on processing, through mathematical algorithms, the vectors that link the characteristic points of the face (both stored and locally recorded) and on comparing the results. The advantage of the technology is that it is easy to use. Furthermore, it ensures the worldwide interoperability of biometric passports, which means that the biometric identifier stored in the passport's chip must be processable at every passport control point. Naturally, this is only possible when strict rules are kept. ICAO document 9303 and its annexes contain the related rules. The disadvantages of the technology are the disputed accuracy of the check and the fact that the passing years have a serious effect on the portrait, and therefore on the checking process as well.
Fingerprint identification
According to ICAO, the fingerprint serves as a secondary biometric identifier. The EU will make its use compulsory in passports issued from 2009. Recognition and identification are based on plotting the characteristic points of the fingerprint (minutiae) in a normalised coordinate system and comparing the positions of points of the same type. The two main categories of minutiae points are ridge endings and minutiae. The advantage of the technology is its mature scientific and technological background. The results are absolutely reliable, which means that the rate of false identification is tiny. Additionally, the fingerprint is a constant characteristic which, unlike the face, is not influenced by age. Successful application is supported by the large databases that already exist. A disadvantage of fingerprint identification may be its negative associations. The word fingerprint is generally linked to criminal investigation, so making the public accept this technology will be a rather long process. This was the main reason why ICAO did not define this technology as the primary biometric identifier of passports.
Iris recognition
As the technology is quite new, ICAO considered it only after the two previously mentioned. The method is based on the analysis of almost 200 characteristics of the coloured tissue around the pupil (rings, furrows, points) that may be suitable for comparison. Recognition can be done, for example, with a CCD camcorder at a range of 5-6 cm to 40-50 cm, depending on the device. It also works accurately through glasses, and can be used not only for verification but for identification as well. In the USA, it was first used in state administration offices at the end of the 1990s, which demonstrates the security opportunities the technology offers. Its most important benefit is that the uniqueness of eyes, even the difference between the right and left eye of the same person, allows effective identification of people. The possibility of false recognition is rather low, and the method is quite fast and easy to use, which makes iris recognition one of the most important components of biometrics. However, it cannot be easily integrated into other systems, as it is quite new. Another problem is that people who must be identified against their will can hardly be made to hold their head in the recognising ray of light for a longer period.
Biometric identifiers are stored in the contactless chip of the passport during the document personalization process. This procedure raises further security questions. How can access by unauthorized persons be prevented? How can the security of communication be guaranteed? What ensures the stability and authenticity of the data?
The introduction of biometric identification became necessary first of all to reduce identity theft. Ensuring the authenticity and stability of the recorded biometric information was a top priority. The processing of biometric characteristics used for identification (data recording, storage, checking) therefore requires the use of a PK (Public Key) infrastructure based on different encryption methods (RSA, DES, TDES, ECDS).
When data is recorded, the biometric information loaded into the computer system is in encoded format, and it is decoded only right before the next step of processing. Authenticity and stability (data integrity) are checked before storage. After this, the verified (signed) and stable (supplied with a control code) data is stored on a chip-based data carrier and/or in a central database. The chip-based data carrier must have its own cryptographic module and operating system, and it should also support mutual authentication. Before communication starts, the chip and the reader have to authenticate each other; otherwise the devices are not able to communicate with each other. After successful authentication, data exchange takes place over an encrypted communication channel. Information cannot leave the system in any other way.
During comparison and checking, the encrypted communication established after mutual authentication is not enough to reach the biometric data. The biometric identifier can be used only after further authentication and a data integrity check.
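The sequence described above (mutual authentication, then a session channel, then a separate integrity check before the biometric record is released) can be modelled in a few lines. This is an added example, not part of the original article and not the ICAO 9303 protocol: it uses HMAC-SHA256 from the Python standard library in place of the RSA/DES/TDES methods the article names, the keyed tag stands in for the issuer's signature, and all names and keys are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so different field splits cannot produce the same input.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class Endpoint:
    """One side of the exchange (chip or reader) holding the access key."""

    def __init__(self, role: bytes, access_key: bytes):
        self.role, self.key = role, access_key
        self.nonce = secrets.token_bytes(16)  # fresh challenge for every session

    def prove(self, peer_nonce: bytes) -> bytes:
        # The role label stops one side's proof being reflected back as the other's.
        return mac(self.key, self.role, self.nonce, peer_nonce)

    def accepts(self, peer_role: bytes, peer_nonce: bytes, peer_proof: bytes) -> bool:
        expected = mac(self.key, peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_proof)


def open_channel(chip: Endpoint, reader: Endpoint):
    """Each side must verify the other's proof; returns a session key or None."""
    chip_proof = chip.prove(reader.nonce)      # chip -> reader
    reader_proof = reader.prove(chip.nonce)    # reader -> chip
    if not reader.accepts(chip.role, chip.nonce, chip_proof):
        return None
    if not chip.accepts(reader.role, reader.nonce, reader_proof):
        return None
    return mac(reader.key, b"session", chip.nonce, reader.nonce)


def release_biometric(session_key, record: bytes, tag: bytes, issuer_key: bytes) -> bytes:
    """Second gate: an open channel alone does not make the record usable."""
    if session_key is None:
        raise PermissionError("no authenticated channel")
    # Stand-in for verifying the issuer's signature over the stored record.
    if not hmac.compare_digest(mac(issuer_key, record), tag):
        raise ValueError("biometric record failed the integrity check")
    return record


# Constructed sample values, not real document data.
ACCESS_KEY = b"constructed-access-key"
ISSUER_KEY = b"constructed-issuer-key"
RECORD = b"constructed face template bytes"
TAG = mac(ISSUER_KEY, RECORD)
```

A reader holding the wrong access key never obtains a session key, and a record altered after personalization is rejected even over a correctly authenticated channel.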
The IT infrastructure connected to biometric documents is based on the security system outlined above. Considering the present state, we can declare that this system ensures adequate protection for biometric documents. Of course, this may change later. Continuous development of the technology by IT security experts is needed to maintain the few years' advantage that we have over counterfeiters.
Being a major security printing company, State Printing House gives high priority to the application of biometric identifiers. In line with the ICAO and EU rules aimed at reaching a higher level of document protection, one of the main directions of our development is the introduction of a new family of electronic documents with biometric identifiers (ID card, driving licence etc.). Card documents containing biometric identifiers can be used in several areas besides those mentioned above, for example in financial transactions in the banking sector, for entry to and exit from protected sites, and for making the management of highly important data and information more secure. To sum up, technologies that we thought belonged to the distant future will become an important part of our lives within a reasonable time.