Biometrics and E-passports Lessons learned from established biometrics systems

Transcription

1

2 Biometrics and E-passports Lessons learned from established biometrics systems The introduction of e-passports represents a profound technical accomplishment not only in the ID arena, but across several fields of technology. Rarely do we see such a rapid confluence of disparate and nascent technologies on such a large and global scale. Biometrics, contactless chips, encryption and data security, security printing and optical authentication all present significant technical challenges in their own right, but the necessity to solve these problems in a singular solution with an age-old form factor is truly a daunting task. Not only must solutions work properly, but they must achieve several layers of interoperability. This all must happen by Fall 2006, when U.S. laws require visa-waiver countries to begin issuance of e-passports for their citizens to continue to be exempt from requiring visas. E-passports represent the first true mass deployment of biometrics technology on a consumer product scale. Will e-passports be ready? Will they work as intended? As this paper is being written, signs point to yes for most countries. Some non-visa-waiver countries also have e-passport programs in progress. One fact is certain: the resulting cross-pollination of biometrics and smart card technologies has brought a remarkably accelerated learning curve for specialists in these disciplines. Those areas where the technologies intersect present some difficult challenges; some were anticipated as plans for e-passports were first placed on paper, and some were not. Today, the focus of the e-passport vendor community continues to focus on the challenges of physical layer interoperability between contactless chips and readers, as well as reducing the read times of contactless chips. Thanks to wellparticipated interoperability tests in Singapore in late 2005 and Berlin in June 2006, enormous strides have been made towards these challenges. Further progress has also resulted from trials conducted by the U.S. Government in the Spring of 2006, which involve the use of e-passports by people traveling through San Francisco with e-passports from several countries. It is expected that physical layer issues will largely be resolved by Fall 2006, when we will likely see the first e-passports cross U.S. borders in a non-trial environment. New challenges will arise, however, as the number of e-passports in use rises dramatically as expected in It is one thing to get a system of several hundred e- passports working smoothly in a controlled environment; it is quite another when several million e-passports are in use and unanticipated outliers begin to occur with more frequency. This paper takes an introductory look at four such challenges whose degrees of difficulty are more a function of scale than time, making them more difficult to model and anticipate. Nevertheless, they are issues that have been addressed before in the biometrics industry. After all, this is not the dawn of large-scale biometrics systems, but rather something of a reincarnation. Some consider the inception of modern, large-scale biometrics to be the digitization of millions of fingerprint card records by the FBI in the early 1990s to which matching algorithms could be applied in order to identify an individual by their fingerprints. Today, there are some fifty million fingerprint records in the U.S. FBI database, and many millions more in similar automated fingerprint identification systems (AFIS) around the world. A great deal has been learned in the development and evolution of these systems, and these lessons can be effectively applied to e-passport systems. Biometrics Enrollment for E-Passports 1

3 AFIS systems rely heavily on advanced algorithms running on high-performance hardware. But of equal importance in achieving sufficient levels of matching performance that is, low occurrences of false accepts and false rejects is image quality. Fingerprint images of poor quality result in poor matching performance. The same can be said for facial images, and for both verification and identification applications. Some e-passport systems will include collection of fingerprints for identity proofing upon enrollment and for storage of images on the e-passport. With the increased use of biometrics for identification, databases of biometric samples are growing exponentially. The more samples in the gallery database, the more data that is required in the probe sample being submitted for matching. In the case of fingerprints, this means more minutiae, which means more surface area, which means more fingers. But border management applications require much faster enrollment times as little as ten seconds. This paper will discuss new technologies addressing this problem. the data with other large national systems (eg. Interpol, UK, RCMP, BKI). The system works because of strict adherence to data interchange standards. This same AFIS infrastructure must also rely on a robust networking architecture that enables reliable submission of these data files. Local police that submit files to an AFIS must be confident that their files are received, and that any network outages do not result in an interruption or loss of work. E-passport systems will similarly require the submission of biometric files across a network from remote registration stations to a centralized personalization center and/or background check system. Issue #1: Biometric Image Quality A primary driver for the transition to e-passports is the use of biometrics to prevent their fraudulent creation or use. Biometric facial and fingerprint images stored digitally in the e-passport memory will be extracted upon a border crossing attempt and then compared either visually or electronically to a live picture of the individual. It is in this way that border management officers can better ensure that an individual is indeed the person they are claiming to be and have participated in a proper passport issuance process. For images to be proficiently used for biometric applications, they must 1) conform to specific requirements and 2) be of sufficient quality. Specific requirements of biometric images are included in biometric data interchange format standards defined by the ISO/IEC SC 37 Biometrics standards group. For example, facial images must be compressed with either JPEG or JPEG2000 and cannot be compressed above a certain ratio; ICAO recommends a file size between 12 and 20 Kbytes. Facial images must also meet a minimum resolution requirement. More subjective characteristics are also either required or recommended by ICAO. These Figure 1. Facial Image and Optimized Facial Image AFIS systems such as the FBI IAFIS are actually large interconnected networks of machines that collect, route, archive finger images, match finger templates, and exchange messages. They rely heavily on the interchange of data files; more specifically the exchange of fingerprint image transaction files. The data is collected and searched in a hierarchical fashion from local databases first, then at the state level, then at the FBI. The FBI also exchanges 2 Biometrics Enrollment for E-Passports

4 include subject pose and orientation, facial expressions, headwear, lighting, shadows, and bright spots. ICAO recommends horizontal eye positions and pre-location and identification of eye locations. Biometrics systems rely on image quality on two sides 1) the capture and storage of the biometric image upon enrollment, and 2) the capture of a live image upon a border crossing attempt. While there might be several chances to improve the quality of the biometric upon the border entry attempt (though this is less desirable for efficient throughput purposes), enrollment presents but one chance to capture and store a high quality biometric image onto the e-passport. If enrollment images are of poor quality, an individual might always have problems achieving a match. One can imagine their frustration during what can already be mildly stressful encounter. It is absolutely critical to store highquality images on the e-passport; matching algorithm providers will continue to do their part to improve matching performance, but there is little that can be done when images on deployed e-passports are of poor quality. a federal employee ID application, the U.S. government has recommended use of JPEG2000 region of interest compression, with the facial region compressed to a ratio of 24:1. Upon capture, the photographer needs specific guidelines for setup of the photographing environment and positioning of the subject. SC 37 has recently drafted a document (NI511) providing recommended environmental conditions for facial photo capture. Image processing can be performed to further automate this process. Software available from several vendors can be used to find eye locations, and also to align, scale, and crop the image, and optimize contrast, so that operators can spend less time preparing a subject for a photo. Software applications can be used to check the image for potentially non-compliant features, such as yaw, hot spots, shadows, smiles, low brightness and contrast, incorrect image geometry, improper head position, a cluttered background, and poor focus. The guidelines and quality requirements for digital facial images developed by ISO/IEC are influenced by the anticipated use of facial matching technology by certain countries. Matcher performance is greatly improved if the facial images conform to a specified set of dimensional and quality requirements. ICAO standards recognize the importance of storing biometric images as opposed to templates. The need for digital facial images stored within these documents is readily apparent, but it is somewhat less obvious that digital fingerprint images should also be stored where this secondary biometric is implemented. While results of the NIST MINEX tests published in April 2006 illustrate that minutiae data is currently interoperable between several vendors, only images provide true interoperability between all vendors. Even though finger minutiae data interchange formats are standardized, certain aspects of template extraction and matching techniques are proprietary to each vendor; minutiae extraction is typically tuned to maximize the performance of proprietary matchers. Consequently, anything other than the proprietary template may diminish the accuracy of a given matcher. What can be done to help? Facial images stored on e-passports should conform to the ISO/IEC standards to the greatest degree achievable to ensure that they will be useful for visual or electronic matching to a live photo at a border checkpoint. It is recommended that facial images be compressed to between 15 and 20 Kbytes in size, and are non-compliant if smaller than 12 Kbytes. As an example, for Figure 2. Poor and Good Fingerprint Images, Scoring 14 and 81 Respectively Score = 14 Score = 81 Biometrics Enrollment for E-Passports 3

5 As with facial images, fingerprint images must also be compliant with ISO/IEC guidelines. They should be compressed in compliance with Fingerprint Image Data Interchange Standard ISO/IEC , at Image Acquisition Setting Level 31, as described in Table 1 of the standard. This specifies use of WSQ compression at 500 ppi resolution and 8 bits pixel depth, or 256 gray levels. WSQ is a wavelet-based compression technique optimized specifically for 500 ppi fingerprint images. Fingerprints compressed using WSQ should be compressed to a size no smaller than 1/15 the original size. For a one-squareinch image, this translates to about 16.7 Kbytes in size. The e- passport standard recommends a minimum compressed fingerprint image file size of 10 Kbytes, which translates to about 0.75 square inches. According to NIST IR 7201, fingerprint images should be no smaller than 320 x 320 pixels in size. Ideally, only fingerprint scanning equipment certified by the FBI should be used for creating fingerprint images. A list of certified equipment is posted at gov/hq/cjisd/iafis/cert.htm. of the image, identify non-compliant features, and assign quality scores, which attempts to correlate to the behavior of the image in a matching environment. These applications analyse the image to quantify features known to correlate to good performance, such as good ridge flow and contrast in the case of fingerprints. They can also be used to process the image to automate the capture process and ensure compliance. Issue #2: Fingerprint Enrollment Efficiency The amount of fingerprint data required from each enrollee is increasing dramatically as search databases grow, while the time to collect the data and the required skill level of operators needs to go down. Consider that AFIS systems were designed primarily for criminal applications, where the criminal suspect enrollee has nothing but Figure 3. Tenprint capture using slap scanner and image processing software time, and a highly-skilled police officer is the most typical system operator. For civil applications such as e-passports, a long line of enrollees at a passport center is a more typical environment, with lower skilled operators. For visitor screening at passport stations, the U.S. Government is targeting a maximum enrollment time of only fifteen seconds to collect a full set of ten flat fingerprints. What can be done to help? Advanced fingerprint image processing technology is answering the call for this difficult requirement. Instead of collecting rolled fingerprints, new fingerprint slap scanners can be used to collect three images as biometric input: 1) right hand slap, 2) left hand slap, and 3) dual-thumb slap. The first step in the processing of each image is the segmentation and identification of In summary, the quality of facial and fingerprint images should be assessed upon capture to ensure their usefulness in a matching environment and to screen images to ensure that databases are not burdened with large numbers of low quality data. Low-quality images stored on e-passports will likely cause the owner grief upon their future border crossings. Software applications are commercially available that perform an analysis 4 Biometrics Enrollment for E-Passports

6 the individual fingertips. Once the individual fingertip locations have been identified, the results are used to define bounding boxes. NIST has recently defined new standards to enable transport of these three images with bounding box information in a standard-compliant Type 14 EFT data interchange file, as defined by ANSI/NIST ITL Each finger is analyzed for quality and sequenced against all other fingers to identify possible misplaced fingers. When the user has a series of images that satisfy certain input criteria (sufficient quality, properly placed, properly sequenced), the images are compressed with WSQ for storage and/or transmission. The compressed images are then stored with required demographic data in the ANSI/NIST data interchange file and transmitted to a central archive for storage or to an agency for processing. A final optional step is the printing of the ANSI/NIST file for hardcopy storage or review. Issue #3: Data Interoperability When receiving an e-passport upon a border crossing attempt, e-passport readers will be used to collect and parse data from files stored in the e-passport memory chip during the personalization process. The logical data structure, or LDS of these files is defined by ICAO standards for the e-passport. The LDS is essentially a series of files, or Data Groups that each contain biographic data and/or biometric images such as the face or finger prints. Data Group DG1 contains biographical MRZ data found on traditional passports, such as ANSI/NIST Compliant File name, nationality, date of birth, and passport number. DG2 contains a facial biometric image and associated data. The optional DG3 contains one or more fingerprint images. The biometric image data groups are specified ISO/IEC SC 37 in the ISO/IEC x biometric data interchange file format standards, and referred to by the ICAO LDS. The data interchange file is wrapped in what is called a CBEFF header defined by ISO/ IEC Some of the ISO/IEC biometric data interchange formats are derived from legacy standards. For example, fingerprint image files have been submitted by enrollment workstations to AFIS using similar standards for many years. In the U.S., state and local police have submitted fingerprint files via an -based store and forward system to the FBI IAFIS fingerprint database via its CJIS WAN in large volumes since The ANSI/ NIST ITL Data Format Figure 4. ANSI/NIST File Type 1 Record Transaction Information (1) Type 2 Record Demographic Data (1) Type 10 Record (JPEG) Mug Shot, Scar, Tattoo Images (1-N) Type 14 Record (WSQ) 2 Slap, 1 Dual Thumb Images for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo standard has been strictly adhered to for this application. As a result, a great deal has been learned about the issues and challenges of a largescale system relying on biometric data interchange formats for proper operation. Interestingly, even given the strict compliance requirements for fingerprint image file submission to the FBI, non-compliant file submissions still occur. Perhaps this is less surprising given the fact that several thousand such files are submitted to the FBI every day from many distant locations using equipment designed and provided by different vendors. Files with missing data, incorrect field content, or with poor quality image data are often the result of human error or improper interpretation of the standard. In each case, the FBI must reply to the sender with a message that conveys the problem. It can be considered a natural and unavoidable occurrence in a Biometrics Enrollment for E-Passports 5

7 Figure 5. ICAO Logical Data Structure (LDS) Name Nationality DOB Sex Issuing State Document No. Date of Expiry ICAO Logical Data Structure (LDS) MRZ Data ISO SC 37 ISO SC 37 JPEG/JPEG2000 Compressed CBEFF/ FACIAL IMAGE DATA FORMAT WSQ Compressed CBEFF/ FINGERPRINT IMAGE DATA FORMAT 3) It is expected that with a new version of the LDS will come use of three Data Groups reserved to hold data written to the e- passport by a receiving state. Receiving states would then be tasked with establishing interoperability in the reverse direction, essentially doubling the size of our interoperability matrix. 4) There are several different options for securing the data on e-passports. Each algorithm must be supported by readers. high-traffic-volume system that includes a large degree of human interaction; it is manageable thanks to a thoroughly defined, strictly followed data interchange standard. Imagine a scenario with just one nation implementing an e-passport system. Several remote registration workstations might be used to collect and submit the data to a centralized personalization center. Then, upon departure and return of individuals, the files on their e- passports must be successfully read by e-passport readers at the border checkpoint. Given that the responsibilities to produce and read e- passports will typically fall under the jurisdiction of different government agencies, it will be necessary for these agencies to coordinate efforts to ensure data interoperability between the personalization and reader systems. Such a scenario presents similar challenges addressed by software in AFIS with success. While the e-passport data interchange standards allow for considerably more flexibility in what data can be included in a file, this problem can be reasonably addressed. Of course, not just one country but as many as one hundred countries or more will eventually be writing and reading e-passports. Considering a writer and reader for each participant in the worldwide e-passport arena, the size of the interoperability matrix is a mindboggling. With just 50 countries writing and reading e-passports, we have 2500 different read/write cases in an interoperability matrix. With 100 countries, the size of our matrix balloons to 10,000. There are further complications: 1) Plans to update the ICAO LDS standards are already on the drawing board; a Version 2 of the LDS could be in use as soon as Both Version 1.7 and Version 2.0 would both need to be read by e-passport reader systems. 2) Legislation has been enacted by the European Union to require the placement of fingerprint image biometrics on e-passports by This will require the inclusion of a new LDS DG 3 to e-passports. The scale of the problem is considerable, and unlike physical layer interoperability challenges, can be expected to get worse with time and scale, not better. What can be done to help? Like an AFIS-based system, an e- passport system will in some cases require the submission of biographic data and biometric image files from remote registration workstations to a centralized personalization center. It will be crucial to validate the compliance of the file data upon registration; this way, any errors in data creation can be identified. On the reader side, e-passport reader workstations need to flexibly handle both multiple versions of LDS files as well as non-compliant interpretations of the LDS standards. These workstations should be equipped to quickly and easily ingest modifications to accommodate new versions of e-passports or non-complaint e-passports as responsibilities become aware of them. 6 Biometrics Enrollment for E-Passports

8 The data interoperability challenge will always be present and will require perpetual care. A permanent interoperability testing infrastructure will need to be put in place and maintained. A registry of e-passport data files maintained by ICAO might be a useful tool. Issue #4: Robust Networking AFIS rely on a robust networking architecture that enables reliable submission of thousands of data files daily from thousands of workstations. Local police that submit files to an AFIS must be assured that their files are received, and that any network failures do not result in an interruption or loss of work. E-passport systems will similarly require the submission of biometric files across a network from remote registration stations to a centralized personalization center and/or background check system, and can also significantly benefit from such a robust network. What can be done to help? The FBI IAFIS as well as many similarly large AFIS around the world rely on a secure based store-and-forward network architecture to ensure that files are received and whose status can be easily checked and verified. Web Services is the more typical technology of choice in newer systems. As described above, biometric data files are created at remote workstations for submission to the AFIS. A store-and-forward system attaches these files to an or generates a Web Services message at the remote workstation and stores it at the local store-and-forward server. If there are multiple Client Workstation Web Browser workstations at a given site, then these utilize the same server. This local server then forwards the files to a centrally located server, which serves as a single point of contact between the entire agency and the IAFIS. It also serves as a single point of inquiry as to the status of each transaction submission. The IAFIS sends reply messages back through the store-and-forward to the remote workstations that indicate status. Following are some store-andforward network benefits: Figure 6. Biometric Store-and-forward Status Query Status Reply centralized control of the enrollment process and visibility into system-wide performance and trouble spots implified submission and reception of transactions by reducing the number of clients that must interface directly with the database or matching system. It is often a requirement of large centralized systems that submissions from disparate systems be aggregated to a single communication link. TRANSACTION SERVER Store and Forward AFIS/ ID Personalization redundancy with temporary backup storage of transactions, ensuring that transactions submitted by a particular client are never lost and will eventually be received and processed by the matching system, even in the event of a network failure. less ambiguity as to the status of a submitted transaction, providing assurance and guidance to a workstation operator. immediate feedback and troubleshooting information to a workstation operator in the event of problems with transaction submissions or responses. Biometrics Enrollment for E-Passports 7

9 In Summary Large-scale biometrics systems such as AFIS have been in use with great success for many years, and provide valuable lessons to developers of e-passport systems. Image quality, enrollment efficiency, data interoperability, and robust networking are challenges that have been addressed in AFIS, and should also be addressed in e-passport systems. Anticipating these issues early in the development of e-passport systems will significantly reduce risks and costs associated with fixing problems after systems have already deployed. For more information and white papers, please consult the Aware website at or contact by at About Aware, Inc. Aware has been a leading provider of commercial off-the-shelf (COTS), standardsbased biometric software since Aware software products provide tools for OEM software providers and integrators to enable their own products with interoperable, standards-compliant, field-proven biometric functionality for applications from border management to criminal justice. Aware software enables standard-compliant compression and formatting of biometric data, with products such as WSQ1000 for fingerprint image compression, NISTPack for ANSI/NIST-ITL (FBI, Interpol, UK, DOD, RCMP, etc.) submission to government databases, ICAOPack, PreFace and M1Pack for biometric Epassport and ID card compliance. Aware offers quality assurance software that enables the assessment of biometrics prior to storage and submission as well as software for the printing of demographic data and fingerprint images in user defined card layouts. Aware s suite of software tools are used by federal, state, and local government agencies around the world, including the FBI and other U.S. Department of Justice agencies, the U.S. Department of State, the INS (Department of Homeland Security), and several agencies throughout Europe, Asia, and South America. Aware is headquartered in Bedford, Massachusetts, and has approximately 120 employees. Aware is a publicly traded company on the NASDAQ Stock Exchange (symbol: AWRE). Aware, Inc. 40 Middlesex Turnpike Bedford, MA T F E marketing@aware.com w The information presented in this document is designed as an introduction to the Aware suite of biometric tools. If you would like further information, extended examples, or product manuals please contact Aware at: help@aware.com wp_bioepassports_rev1_0506 Copyright 2006 Aware, Inc. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical photocopying, recording, or otherwise without the prior written permission of Aware, Inc. This document is for information purposes only and is subject to change without notice. Aware, Inc. assumes no responsibility for the accuracy of the information. AWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Aware is a registered trademark of Aware, Inc. Other company and brand, product and service names are trademarks, service marks, registered trademarks or registered service marks of their respective holders.