AU2003276864A2 - Cryptographically secure person identification - Google Patents


Info

Publication number
AU2003276864A2
Authority
AU
Australia
Prior art keywords
person
face
data
recited
distinguishing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
AU2003276864A
Other versions
AU2003276864A1 (en
AU2003276864B2 (en
Inventor
Nebojsa Jojic
Darko Kirovski
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Corp
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corp filed Critical Microsoft Corp
Publication of AU2003276864A1 publication Critical patent/AU2003276864A1/en
Publication of AU2003276864A2 publication Critical patent/AU2003276864A2/en
Application granted granted Critical
Publication of AU2003276864B2 publication Critical patent/AU2003276864B2/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K1/00 Secret communication
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Computer Interaction (AREA)
  • Collating Specific Patterns (AREA)
  • Image Processing (AREA)
  • Lock And Its Accessories (AREA)
  • Credit Cards Or The Like (AREA)

Description

WO 2004/036802 PCT/US2003/027614
CRYPTOGRAPHICALLY SECURE PERSON IDENTIFICATION
TECHNICAL FIELD
This invention generally relates to a technology for facilitating authentication of person identification documents.
BACKGROUND OF THE INVENTION
Herein, person identification document (ID) authentication refers to the confirmation that the presented ID is authentic, genuine, legitimate, valid, and/or unadulterated. This may also be called person ID certification. Examples of such personal IDs include immigration documents, passports, and driver's licenses.
In contrast, "person verification" refers to the confirmation that the personal information on an ID corresponds to the person presenting the ID.
There are many conventional person ID authentication approaches.
Sophisticated document production is the most common approach. Other common approaches include biometrics, smart cards, and watermarks.
Sophisticated Production
Historically and over many cultures, the test of a person's identity is verified by the possession of identifying documents. The test of the veracity of such documents has been the difficulty of producing such documents. Although it is not an identification document, paper money is a prime example of the receiver relying on its authenticity because it is difficult to produce a passable counterfeit.
However, recent advances in printing technology have made high-quality printing devices relatively inexpensive. The availability of high-end printers has rendered forging most personal identification documents (IDs) a relatively simple task. It has also significantly raised the costs of printing the official documents by the issuing organizations.
In response, issuing parties (such as governments) have implemented increasingly more sophisticated and presumptively more expensive production techniques. For example, issuing parties are using holograms, watermarks, microprinting, special print paper and/or chemical coating, etc. Since the production of IDs is more complex, authentication has become correspondingly more complex, unreliable, and most importantly, expensive.
Biometric Approaches
Biometrics has been defined as a process of automatically recognizing a person using distinguishing traits. Several biometric approaches have been proposed via face, speech, fingerprint, handwriting, and/or iris and retina recognition. A survey of these techniques is provided by "The Biometric Consortium" at "http://www.biometrics.org."
Typically, a biometric-based person identification system includes a human verifier who ensures the identification system is not fooled. This can happen when an adversary shows a realistic size photo of the face of an authorized person to the face detector or plays a voice recording to a speech detector.
While some types of biometric-based person identification (such as retina scan or fingerprint detection) can be highly reliable, often they are intimidating (e.g., retina scan) and can be used maliciously to incriminate innocent users (e.g., fingerprint scan). A malicious detector can record a person's fingerprint, create its physical copy, and then incriminate this person at will. This renders fingerprint detection systems highly undesirable for most person identification scenarios.
Finally, some biometrics systems are commonly subject to complaints for invasion of privacy. For example, wide-spread face detection points can disclose at any time one's location to a party who gains control over such a system.
Nevertheless, almost all biometric-based person identification systems have three major disadvantages: inconsistent reliability (especially for face and speech recognition) as the system scales up, which commonly renders these systems highly prone to false alarms and false positives; the authenticator needs to be connected to a central trusted server which actually performs the identification; and the equipment performing the authentication is costly.
For most applications, biometric-based approaches are inconvenient, costly, and most importantly, unreliable.
Smart Cards
Smart cards represent a seemingly effective approach to person identification. An advantage of smart cards that is often touted is their all-digital communication with the authenticator.
A simple scenario is having a smart card, which contains a digital photo, personal description data, and a signed hash of this information using the private key of the issuer. Authentication is performed by hashing the photo and the personal description data and then authenticating this hash against the signature using the public key of the issuer. Finally, the authenticator must display the certified digital photo, so that a human can verify that the person being identified is on the photo.
Personal IDs are frequently lost or damaged. Replacing a smart card involves purchase of another hardware device in addition to burning this device with the appropriate identification contents. This can be expensive.
Due to their relatively generous storage capabilities, smart cards may give an impression that they may be used for storing additional information, in particular, private information about the owner (e.g., private keys that are revoked if the smart card is lost). However, it has been demonstrated so far that smart cards cannot be considered a secure storage because it is relatively easy to extract the hidden information even without reverse engineering the smart card.
Exemplary attacks that have successfully identified encryption keys (both symmetric and private keys) have been based on analyzing the smart card's I/O behavior via differential power analysis or timing analysis. Thus, it cannot be expected that a smart card stores anything more than the public information about the user, which is in many ways equivalent to a photo ID.
Watermarks
Another technique for authenticating content is to hide imperceptible secret information, a watermark, in the digital photo. One serious disadvantage of this type of ID authentication is the fact that in most watermarking systems, the secret hidden in the photo must be present in the authenticator. Hence, a single broken authenticating device renders the entire system broken.
Surprisingly, public-key watermarking systems have been developed, however, with different target applications. In addition, this system requires significantly longer host signals than a single photo to statistically reliably detect the existence of a given secret. In addition, such a system requires that the secret used to mark a photo be renewed after several photos.
Finally, a malicious customer can always try to estimate the secret by taking many photos of herself and comparing them with the photo on the ID. In summary, using watermarks for public ID authentication is the least robust technology for enabling secure ID authentication.
Challenge
All conventional approaches (e.g., sophisticated production, biometrics, smart cards, and watermarks) are riddled with shortcomings. They all have one or more of the following drawbacks: expensive to implement, maintain, and/or scale; difficult to implement, maintain, and/or scale; difficult for the human authenticator to effectively authenticate; unreliable results (e.g., an unacceptable degree of false positives or misses); and unreliable security (e.g., increasingly easier for an adversary to thwart or fool the system).
It is a challenge to provide an architecture for secure personal identification documents (IDs) that are difficult to forge, simply and inexpensively produced, and do not require smart card, biometric, or sophisticated production approaches.
SUMMARY OF THE INVENTION
Described herein is a technology for facilitating authentication of person identification documents.
One implementation, described herein, is a simple, inexpensive, and cryptographically secure personal ID architecture. With this implementation, one may efficiently create and authenticate secure photographic personal identification documents (IDs) that thwart tampering and counterfeiting attempts. This ID employs a compact, cryptographically signed bar-code that is readable by an ordinary scanner.
This summary itself is not intended to limit the scope of this patent.
Moreover, the title of this patent is not intended to limit the scope of this patent. For a better understanding of the present invention, please see the following detailed description and appended claims, taken in conjunction with the accompanying drawings. The scope of the present invention is pointed out in the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
The same numbers are used throughout the drawings to reference like elements and features.
Fig. 1 is an illustration of an example personal identification that may be employed in accordance with an implementation described herein.
Fig. 2 is a broad graphical representation of an issuing party issuing a personal identification in accordance with an implementation described herein.
Fig. 3 is a broad graphical representation of an authentication of a personal identification in accordance with an implementation described herein.
Fig. 4 is a functional flow diagram showing an implementation described herein.
Fig. 5 is an example of a computing operating environment capable of (wholly or partially) implementing at least one embodiment described herein.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
In the following description, for purposes of explanation, specific numbers, materials, and configurations are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one skilled in the art that the present invention may be practiced without the specific exemplary details. In other instances, well-known features are omitted or simplified to clarify the description of the exemplary implementations of the present invention, and thereby better explain the present invention. Furthermore, for ease of understanding, certain method steps are delineated as separate steps; however, these separately delineated steps should not be construed as necessarily order dependent in their performance.
The following description sets forth one or more exemplary implementations of a Cryptographically Secure Person Identification that incorporate elements recited in the appended claims. These implementations are described with specificity in order to meet statutory written description, enablement, and best-mode requirements. However, the description itself is not intended to limit the scope of this patent.
The inventors intend these exemplary implementations to be examples. The inventors do not intend these exemplary implementations to limit the scope of the claimed present invention. Rather, the inventors have contemplated that the claimed present invention might also be embodied and implemented in other ways, in conjunction with other present or future technologies.
An example of an embodiment of a Cryptographically Secure Person Identification may be referred to as an exemplary "Face Certification" or an "exemplary FACECERT" for short.
Introduction
The one or more exemplary implementations, described herein, of the present claimed invention may be implemented (in whole or in part) by a FACECERT architecture 400 and/or by a computing environment like that shown in Fig.
The exemplary FACECERT is a simple, inexpensive, and cryptographically secure personal ID architecture. With the exemplary FACECERT, one may efficiently create and authenticate secure photographic personal identification documents (IDs) that thwart tampering and counterfeiting attempts.
This ID employs a compact, cryptographically signed bar-code that is readable by an ordinary scanner. It provides an efficient, simple, inexpensive, and secure mechanism for authenticating a person's identification using IDs that are difficult to forge, but simply and inexpensively produced.
In a typical conventional scenario, the authentication system (e.g., an "authenticator") of a person's ID must connect to a remote database and retrieve a stored photograph for the comparison with the ID.
Unlike conventional approaches, the exemplary FACECERT does not require sophisticated production, smart cards, biometrics, and/or massive, remote databases.
More interestingly, the IDs need not be printed by a trusted or high-end printer (as is typically the case with conventional approaches). Rather, the ID may be printed anywhere, anytime, and potentially by anyone.
With the exemplary FACECERT, all the necessary data for authentication is securely stored on the ID itself, in the form of a cryptographically signed bar-code.
It does not depend on face recognition technology.
Secure photo identification provided by the exemplary FACECERT would contribute to efficient, secure, and inexpensive digital government efforts, since they provide cryptographical security, low-cost all-digital infrastructure deployment and maintenance, and convenient usage for both users and ID issuers.
Exemplary FACECERT IDs
The exemplary FACECERT is a simple, inexpensive, and cryptographically secure personal ID architecture. Instead of relying on the sophistication of the printing process to impose difficult forging, the exemplary FACECERT relies on public-key cryptography for provable security, while deploying a standard-quality low-cost color printing process.
As shown in Fig. 1, a personal FACECERT ID 100 includes "person-distinguishing data" in a "human-readable" representation and a "computer-readable" representation.
Herein, the designation of "human-readable" does not exclude the possibility that a computer may read the representation. In fact, with the exemplary FACECERT, a computing device does "read" the human-readable representation.
Rather, the designation means that it is easily readable by a human. Examples of such representations include photographs, images, symbols, and human-language (e.g., English) text.
Similarly, the designation of "computer-readable" focuses on the ease with which a computer may read the representation rather than a human's inability to read it.
In general, "person-distinguishing data" includes information that reasonably distinguishes one person from another. Examples of person-distinguishing data include (but are not limited to) the following information about a specific person: one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
With the exemplary FACECERT, the human-readable representation includes a human-readable printout of the person's portrait photo 110 and any supplemental information 120 (typically, personal information). The computer-readable representation includes a device-readable 2-D color bar-code 130, which contains a cryptographically signed message.
That bar-coded message 130 includes compact versions of both the supplemental information 120 and a representation of the face (of the portrait photo). The message is signed (e.g., using RSA) using the private key of the ID-issuing party (e.g., the issuer).
FACECERT ID Issuance
As illustrated in Fig. 2, a primary example of an ID-issuer 200 is a department of government. The issuer 200 officially issues the ID 100.
Typically, the human-readable person-distinguishing data that is certified on a FACECERT ID is both photographic and textual. The photo 110 is a portrait of the owner of the FACECERT ID. The photo may have any suitable resolution. Since the printout on the ID fits a certain fixed area, this resolution may be constrained. The resolution needs to be great enough to be effectively legible by humans and machines.
The supplemental information 120 is any suitable data. It is likely to vary depending on the specific application. As shown in Fig. 1, it will typically be personal statistical information such as name, age, weight, height, weight, eye color, other personal data, etc. This data is printed on the ID 100.
Typically, the computer-readable person-distinguishing data that is certified on a FACECERT ID is a 2D color bar code (e.g., bar-code 130). Alternatively, it may be a magnetic strip or some other suitable computer-readable medium.
With the exemplary FACECERT, it is desirable for a bar-code reader to read the bar-code 130 on a FACECERT ID with relative accuracy. Since the likelihood of read-failure increases with the number of bits encoded in the bar-code, a balance between accuracy and data storage is typically made when producing a FACECERT ID. Also, included in this balance are the space and reproduction quality requirements of the ID.
Efficient compaction of digital-facial-image data is advantageous in some instances because: for a given size of the bar-code, efficient face-data compaction maximizes the presentation accuracy of the compacted face-data with respect to the face in the original image, which reduces the risk of finding look-a-likes or mimicking a given face; and for a given facial presentation accuracy, efficient compaction reduces the length of the message that needs to be cryptographically signed, thus decreasing the computational cost of authenticating a cryptographic signature, which limits the amount of data that can be signed if one wants to authenticate an ID in only one or a few seconds.
Therefore, the exemplary FACECERT employs a bar-code of about 3Kb that balances these factors. Of course, other implementations may employ a bar-code that encodes more or less data.
Modern scanners are capable of reliably reading up to about six maximally separated colors. Thus, for a message of $n_S$ bits, the exemplary FACECERT uses $\lceil n_S \log_6 2 \rceil$ bins in the bar-code. For example, for $n_S = 3072$ bits, we use 1189 bins, which results in a 120 x 10 bin bar-code.
The print area of each bin should be such that scanning the bar-code results in an error that is less than a certain desired minimal performance bound. It is realistic to assume that the longer dimension of the bar-code reaches an inch. If each bin is scanned with a 10 x 10 CCD matrix (a 1000 dpi 48-bit CCD sensor array is standard equipment in most low-cost scanners), the data in the bar-code can be detected with high reliability.
The exemplary FACECERT compacts an image of a face 112 into only several thousand bits with preserved sharpness of the main facial characteristics. The exemplary FACECERT employs eigenface-based compression methodologies and improved variants of principal component analysis; with these, such bit-rates can be easily achieved even when the component analysis is trained on a small database of images.
Loss of an ID can result in a potentially malicious reuse of the ID by an adversary if that adversary is a near-perfect look-a-like. To prevent this unlikely scenario, the ID may contain descriptive information of a certain unique mark of the ID owner.
ID Authentication
Fig. 3 illustrates an example of FACECERT ID authentication. It is performed by an intelligent scanning device (such as FACECERT authenticator 300). As shown in Fig. 3, the authenticator 300 scans the photo, supplemental info, and bar-code of the ID 100.
The authenticator 300 obtains the public key of the ID-issuing party. The key may be stored on-board the authenticator or on a locally connected data storage. Alternatively, the key may be retrievable via a remote (e.g., Internet) connection.
The authenticator 300 scans the bar-code, decodes the cryptographic signature, and then performs signature authentication (e.g., public-key decryption of the decoded data) using the public key of the issuer 200. As a result, the authenticator 300 obtains the message signed with the private key of the issuer.
That message includes person-distinguishing data. More specifically, the message contains the supplemental information 120 and a compacted representation of the face 112 in the photo 110. Next, the authenticator scans the textual supplemental information 120 from the ID 100, performs character recognition, and compares the recognized text with the extracted supplemental information.
Next, the authenticator 300 scans the photo of the ID 100. It detects the face in the photo and performs a statistical comparison with the de-compacted face extracted from the bar-coded message. By using printed guides 114 on the ID, one may achieve accurate scanning alignment, such as rotation and scaling.
If the two faces match beyond a certain threshold (which may be arbitrarily, statistically, and/or empirically determined), the authenticator 300 concludes that the ID is authentic. Otherwise, the ID has been either forged or damaged, or an error occurred while scanning the ID. This indication may simply be a chromatic light (e.g., red or green light) and/or an audible tone (e.g., buzzer or beep).
Therefore, tampering with the photo or the supplemental information on an officially issued ID means they will not match the person-distinguishing data encoded in the cryptographically signed bar-code.
Human Verification
Although the authenticator 300 performs authentication of a specific FACECERT ID, an actual human verifies that the face on the ID corresponds to the person presenting the ID. This human is called, herein, the verification official 305.
The human's role with the exemplary FACECERT is verifying that the face on the ID corresponds to the person presenting the ID. This is the same role that human verifiers often perform in typical security or person identification settings.
Therefore, in a typical person identification setting, the role of the exemplary FACECERT is to authenticate the ID. It does this by confirming that the information on the ID (including the photo) has not been altered since it was issued by the ID-issuer. Instead of authorizing the ID, the role of the verification official 305 is to verify that the face on the ID (and other person-distinguishing data on the ID) corresponds to the person presenting the ID.
With a positive confirmation by the exemplary FACECERT, the human verifier 305 may confidently rely on the person-distinguishing data (including the photo) on the presented ID. Conversely, with a negative confirmation by the exemplary FACECERT, the human verifier 305 may have probable cause to suspect that the information on the presented ID has been modified.
While this authentication and verification process is typically performed in-person, it may occur on-line via a web-cam, closed-circuit television, and the like.
With the exemplary FACECERT, the human verifier 305 may, if desired, have the face from the bar-code displayed on a video screen and double check that everything is in order. This scenario is particularly practical at border crossings, where the immigration officers are already sitting in front of a computer, so their scanning device can send all the information to a computer for display.
Cryptography Background
The exemplary FACECERT employs a public-key infrastructure (PKI) to cryptographically sign the data in the bar-code of the ID. More specifically, it employs RSA public-key cryptography. However, other implementations of the exemplary FACECERT may employ other cryptographically secure mechanisms, especially those using private-public key structures.
Although the RSA public-key cryptography infrastructure is well-known to those of ordinary skill in the art, many of its key aspects are discussed here to provide background for further discussion of its use with the exemplary FACECERT.
In the RSA public-key signing system, each communicating party is assumed to have two keys: a public-key, which is available to everyone and used for signature authentication, and a private-key, which is securely stored with the signature issuer and used to sign messages. The public-private key-pair is created in the following way:
Generate two large and distinct primes $p$ and $q$.
Compute $n = pq$ and $\varphi = (p-1)(q-1)$.
Select a random $e \in \mathbb{Z}^* \mid e < \varphi,\ \gcd(e, \varphi) = 1$.
Find $d \in \mathbb{Z}^* \mid d < \varphi,\ ed \equiv 1 \pmod{\varphi}$.
The created key-pair is: private key is $d$, whereas the public-key is a set of two numbers $(n, e)$. Commonly, in communication protocols that use the RSA public-key crypto-system (e.g., the Secure Socket Layer, SSL), $e$ is fixed, usually to $e = 2^{16} + 1$, hence reducing the information that represents the public-key to $n$ as well as speeding up signature authentication. A message $m$ is typically signed using the private key $d$ as follows:
$$s = m^d \pmod{n}. \qquad (0.1)$$
The authentication procedure shows that for a given message $m$, signature $s$ has been obtained by signing $m$ using $d$. However, the private-key $d$ is not used, rather the corresponding public-key $n$ is typically used to perform the same task as follows:
$$r = s^e \pmod{n}. \qquad (0.2)$$
If $r = m$, then $s$ is a valid signature of $m$; otherwise the signature $s$ does not correspond to the message $m$.
The exemplary FACECERT does not depend upon a single secret stored in a single protected location. Rather, it employs secure storage techniques for the master secrets (e.g., private keys).
For example, with one technique, multiple private-public keys are used to chain the signatures (e.g., output of one RSA signing is sent as input to another RSA signing with a different private key). Each private key may be stored in geographically different but secure locations.
With another example of a secure storage technique, parts of each private key are stored in $k$ different locations such that each key can be retrieved only if $n$ out of $k$ ($n \le k$) collude their information to create the key. Those of skill in the art recognize this technique as "secret sharing." With this technique, the issuing organization further disperses the pieces of the puzzle that need to be assembled by the adversary to break the system.
With still another example of a technique, the secrets may be stored in tamperproof hardware.
Of course, the exemplary FACECERT may employ other suitable secure storage techniques.
FaceCert Architecture and Methodology
Fig. 4 illustrates the functional components and one or more methodological implementations of the FACECERT architecture 400. The top portion 410 of Fig. 4 illustrates the issuance of a FACECERT ID 100 while the lower portion 420 illustrates the authentication of that ID. These one or more methodological implementations may be performed in software, hardware, or a combination thereof.
As shown in issuance portion 410 of Fig. 4, the FACECERT ID issuer 200 creates the message $m$ that is signed by RSA.
At 210, the exemplary FACECERT compacts the face in the photo 110 of the ID 100. This compact face data (e.g., message $f$) is a succinct, but relatively complete, representation of the specific face in the specific photo 110.
The output of the face compaction is the message $f$ with $n_F > n_T$ bits.
Parameter $n_F$ is fixed and equals $n_F = k \cdot n_{RSA}$, $k \in \mathbb{Z}^*$, where $n_{RSA}$ is the length of an RSA public-key (we adopt $n_{RSA} = 1024$) and $k$ is commonly set to $k \in$. Given a fixed $n_F$, one of the goals of the face compaction is to increase the distance between any two distinct facial structures. This goal translates directly to minimized likelihood of a false negative and false positive during the authentication.
At 220, the supplemental information 120 (e.g., textual data) is compressed using any suitable data compression technique. For example, the printed message can be compressed as pure text using LZ77 or semantically with optimal coding (e.g., addresses converted to latitude/longitude encoded using arithmetic encoding).
The output of the text compression is denoted as a message $t$ with $n_T$ bits.
The exemplary FACECERT reads the data from the FACECERT ID with an error-free assumption. Then it either compresses the data or it cryptographically hashes it before combining the digest, as in Equation. Since the output is always a fixed length, hashing is sometimes desirable over compression. Exemplary hash functions are SHA1 and
Messages f and t are merged into a message m of length n, n, using an operator 230 that encourages each bit of m to be dependent upon at least one bit from both f and t, such that there exists at least one bit in m which depends upon a given bit of f or t. This helps to increase the number of bits that need to be manipulated in a photo to create a certain message m. An example of such an operator is:
$m_i = t_{i \bmod n_T} \oplus f_i, \quad i = 0 \ldots n_F - 1$, (0.3)
where $m_i$, $f_i$, and $t_i$ represent the i-th bit of message m, f, and t respectively.
At 240, message m is signed with the private-key 242 of the issuer of a FACECERT ID. Each n_RSA bits of m are signed separately. The resulting signature s has n_S = n_F bits. The resulting signature s is printed as a 2D color bar-code 130 onto the FACECERT ID 100.
As shown in authentication portion 420 of Fig. 4, the FACECERT authenticator 300 verifies that the cryptographically signed data in the bar-code corresponds with the supplemental data 120 and the face 112 in the photo 110 of a FACECERT ID.
The authenticator 300 initially scans all three printed components of the ID: the photo 110, the supplemental textual information 120, and the bar-code 130.
Those are represented by photo scan 310, OCR text scan 320, and bar-code scan 330.
At 322, the scanned supplemental textual information is also converted into a text-string. This text-string is compressed using the same compression technique one based on Equation employed above by component 220. This results in message Generic optical character recognition (OCR) is not required for this task because the font used to print the text is known to the authenticator and may be optimized for improved OCR.
At 332, the authenticator 300 received the scanned bar-code data. It converts scanned bar-code into a authentication signature The authenticator obtains the issuer's public-key 334. It performs the RSA signature authentication on s, using issuer's public-key and obtains the signed message m,.
If the ID has not been tampered with, then the authentication signature s, and the originally printed signature s will match. However, the authenticator has no direct access to a verifiable copy of the originally printed signature. Rather, it must authenticate that the authentication signature s, of the presented ID is, indeed, the originally printed signature s.
Since the photo and supplemental info on the presented ID were presumptively used to generate the authentication signature then the data encoded in s, should match the face and supplemental data extracted there from. If the ID remains in a pristine and unmodified condition, they will match. Otherwise, there will be no match.
At 340, message f. is computed from m, and t.
At 350, the authenticator 300 applies a de-compaction technique to extract the digital facial-feature data from f,.
At 360, the authenticator compares the facial-feature data extracted from f, to digital facial-feature data of the scanned photo of the presented ID. It quantifies the level of similarity (e.g., correlation) between the two faces: the de-compacted and the scanned one.
At 370, the authenticator 300 reports the results of component 360. If the quantified level of correlation is above a threshold, then it reports that the ID is authentic. Otherwise, it reports that it is invalid.
Alternatively, the authenticator may report that the ID is valid, but provide an additional indication (e.g., flashing blue light and quick beeps) that this particular person should be detained. She may be wanted by the authorities as a person of interest, a suspect, an escapee, a criminal, etc.
Again, the face authentication task does not involve face recognition in the typical setting of biometrics, but rather a more straightforward task of correlating two equivalent facial structures.
If the authenticator 300 indicates that the ID is authentic, the human official verifier 305 confidently performs their typical duty of authenticating that the human-readable data (including the photo) on the ID corresponds with the person presenting the ID. If the authenticator 300 indicates that the ID is invalid, it gives the human official verifier 305 reasonable suspicion to investigate further. The data on the ID may be forged and thus, the presenter is an imposter. The data on the ID may be corrupted or simply read incorrectly.
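The issuance path (210 to 240) and the authentication path (322 to 370) described above, as an added Python sketch that is not code from the patent. It assumes that operator 230 is f XOR-ed with t repeated cyclically, that signing is textbook RSA with message recovery under a toy constructed key, that t is a SHA-1 digest, and that hash-derived bytes stand in for the face factors; the block sizes, threshold and all function names are hypothetical.

```python
import hashlib

# Toy RSA key from two Mersenne primes, constructed for this demo only:
# far too small and structured for real use, and unpadded ("textbook") RSA.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent (Python 3.8+)
M_BLOCK = 28     # bytes of m signed per block (224 bits, always below N)
S_BLOCK = 30     # bytes per signature block (N has 234 bits)
THRESHOLD = 0.9  # hypothetical correlation threshold for step 370


def text_digest(text):
    """Message t: fixed-length digest of the supplemental text (step 220)."""
    return hashlib.sha1(text.encode("utf-8")).digest()


def merge(f, t):
    """Operator 230, assumed to be m_i = f_i XOR t_(i mod n_T).
    XOR is self-inverse, so merge(m, t) gives back f at step 340."""
    return bytes(b ^ t[i % len(t)] for i, b in enumerate(f))


def issue(face, text):
    """Steps 230-240: merge f and t, sign each block with the private key."""
    if not face or len(face) % M_BLOCK:
        raise ValueError("face compendium must fill whole blocks")
    m = merge(face, text_digest(text))
    blocks = (int.from_bytes(m[i:i + M_BLOCK], "big")
              for i in range(0, len(m), M_BLOCK))
    return b"".join(pow(b, D, N).to_bytes(S_BLOCK, "big") for b in blocks)


def correlation(a, b):
    """Pearson correlation of two equal-length byte strings."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return cov / (var_a * var_b) ** 0.5 if var_a and var_b else 0.0


def authenticate(scanned_face, ocr_text, barcode):
    """Steps 322-370: recover m with the public key, strip t, compare faces."""
    if not barcode or len(barcode) % S_BLOCK:
        return False
    m = b""
    for i in range(0, len(barcode), S_BLOCK):
        s = int.from_bytes(barcode[i:i + S_BLOCK], "big")
        block = pow(s, E, N) if s < N else -1
        if block < 0 or block >> (8 * M_BLOCK):
            return False  # not a value the issuer could have signed
        m += block.to_bytes(M_BLOCK, "big")
    face_from_barcode = merge(m, text_digest(ocr_text))
    if len(face_from_barcode) != len(scanned_face):
        return False
    return correlation(face_from_barcode, scanned_face) > THRESHOLD


def sample_face(label, nbytes=84):
    """Constructed stand-in for quantized face factors y, not a face model."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:nbytes]


def rescan(face):
    """Simulate print-and-scan noise: shift each factor by at most 2."""
    return bytes(min(255, max(0, b + (i % 5) - 2)) for i, b in enumerate(face))


def demo():
    face = sample_face("holder")
    text = "JANE DOE 1970-01-01 LIC 0000000"  # constructed ID text
    barcode = issue(face, text)
    bad_barcode = barcode[:-1] + bytes([barcode[-1] ^ 1])
    altered_text = text.replace("1970", "1985")
    return {
        "pristine": authenticate(rescan(face), text, barcode),
        "text_altered": authenticate(rescan(face), altered_text, barcode),
        "photo_swapped": authenticate(rescan(sample_face("other")), text, barcode),
        "barcode_altered": authenticate(rescan(face), text, bad_barcode),
    }


if __name__ == "__main__":
    print(demo())
```

Because t is folded into every signed block, editing only the printed text scrambles the face recovered at step 340, so the same correlation check catches text, photo and bar-code changes.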
Face Compendium
A digital representation of the facial features of the face 112 in the photo 110 on the ID 100 is stored in the bar-code 130. If the balance of bar-code reading accuracy and space allowed it, then the entire unabridged photo may be encoded in the bar-code. Since key distinguishing information is found on the face of the person, the balance of factors may allow for an unabridged portion of the photo that represents the face to be encoded in the bar-code.
Since the realities of the balance lean towards substantially less data storage in the bar-code than can fully represent the unabridged face in the photo, the digital image 110 of the face is compacted with the exemplary FACECERT. While the image of the face may be compacted using traditional image compression techniques (e.g., JPEG, GIF, etc.), other techniques may be employed to reduce the storage requirements further while maintaining a fair representation of the face.
With the exemplary FACECERT, the digital facial-feature data in the bar-code should be a succinct, but reasonably complete, representation of the face in that photo. Unlike biometric face-recognition approaches, the digital facial-feature data does not need to represent the person's face viewed from multiple angles and conditions.
Rather, the digital facial-feature data on the FACECERT ID need only represent that specific face on that specific photograph. That is because the exemplary FACECERT is authenticating that the face in the photo on the ID matches the face represented by the digital facial-feature data in the bar-code.
Since the digital facial-feature data is indeed a succinct, but reasonably complete, representation of the face in that specific photo, it may be called "face compendium." This face compendium is "reasonably complete" in the sense that the compendium contains sufficient data to reconstruct an image of the face.
Furthermore, the compendium is "reasonably complete" enough so that enough facial-feature data is encoded therein to potentially distinguish the represented face from other similar faces.
Of course, other implementations may employ bar-codes that encode more or less data, but one implementation, described herein, employs a bar-code of about 3000 bits. This is found to be a reasonable compromise of many factors, including (but not limited to) bar-code reading accuracy and space for the bar-code.
To improve this compromise, the exemplary FACECERT employs a compaction technique that identifies the object of interest (e.g., facial structure) and compacts its features, rather than compacting the entire image using standard image compression techniques such as JPEG.
Face Detection and Compaction
The computer vision community has studied various models of faces over the last several years. The exemplary FACECERT does not need to encode the face image to facilitate recognition of the person in differing images, but rather in the very same photograph from which the face code has been extracted. Thus, the exemplary FACECERT does not face the difficult issue of over-training that is present in a typical biometric face-recognition application.
Rather, the exemplary FACECERT employs an efficient facial-features compaction technique. While generic DCT coefficients may be employed, the face images may be compacted better using subspace models learned from a large face database.
The problem of subspace learning can be elegantly defined in terms of a generative model that describes joint generation of the subspace coordinates, or factors, y and the image g by linearly combining image components in the so-called factor loading matrix A: p(g,y) N(g; u Ay, where 0 constitutes the non-uniform image noise (i.e., the variability not captured in the subspace model). A is an n x k matrix used to expand from the k-dimensional subspace into a full n-dimensional one, where n is the number of pixels in the image g.
The parameters A, and /u can be learned by maximizing the likelihood of a set of images logp() log PJ
SY,
and a good low-dimensional representation of the image tends to be E[y I g].
The above probability model, called factor analysis, also allows for the design of the optimal encoding strategy for the factors y. As a result, a face image can be efficiently encoded with about 85 bytes representing 100 face factors y.
The subspace model may be extended to take into account the possible transformation of the facial image, such as translations, rotations, and scale. In this model, called transformed component analysis (TCA), an additional random transformation variable T is applied to the image expanded from y, and a new image h is observed: p(h, g, y) N(h;Tg, T)N(g; Ay, c)N(y; (0.6) Such a model, when trained on an image set, tends to automatically align all images to create a very compact subspace representation. The regular subspace models, in the presence of transformational variability in the training data, will tend to create blurry models, while TCA creates sharper components.
FACECERT Authentication
The task of authentication performed by the exemplary FACECERT may be viewed as template matching. A likelihood over the windows in the image can be used as a cost instead of the template differences, although even a straightforward correlation technique would work.
For example, to use the likelihood as the similarity measure, one would take the message f, extract the window size and detection threshold thr as well as the subspace parameters y compute: logp(h g(h,g,T (0.7) for all windows of appropriate size. If maxh log p(h) thr, then the ID photograph does contain the face encoded in the bar-code.
If the only modeled transformations are shifts, the integration over transformation T is not necessary since the search is done over all windows in the image. This process is equivalent to matching μ+Ay with the window h, in the sense of a Mahalanobis distance dependent on the learned noise model. These types of computations are as effective as image correlation and can be done very efficiently using the fast Fourier transformation (FFT).
During the photo ID creation, the provided photograph is searched for a face, which is cropped and compacted efficiently using a transformed component analyzer. The face code, together with the compaction error and the window size (or even position) is signed with a private key.
The FACECERT ID is then created as a combination of text, photo and a bar-code containing the encoded face. During authentication, the face code, consisting of the factors y, the threshold on likelihood (or encoding error) and the window size, is decoded from the bar-code using a public key, and the face stored in the bar-code is compared to the one in the actual photograph in the FACECERT ID.
Scanning 2D Color Bar-codes
Of course, it is desirable to have high accuracy when reading the 2D color bar-code. Modern low-cost scanning devices typically have a 48-bit per pixel accuracy in the RGB color spectrum. However, the color information of a digital image is hardly ever retrieved accurately after printing and then scanning.
Assuming low-cost devices and print material, one can at best hope for only several colors to be transmitted reliably through this communication channel.
Assuming an n,-bin bar-code the likelihood that it is incorrectly scanned equals: Pr[, (1-Pr[fl (0.8) i=1 where 7 is the scanned n,-bin bar-code and e is the maximal likelihood for a given color used in the bar-code to be incorrectly scanned. At least one implementation, described herein, adopts 6-color bar-codes: RGB: r [0,0,255],[0,255,0],[255,0,0],[255,255,255],[255,255,0] as a reliable communication channel E 10 8 that can satisfy read error probabilities of at least Pr[P6 y] 10-4
Commonly, for a given scanner type (e.g., CCD sensor matrix brand), one of the following colors [255,255,0], [255,0,255], [0,255,255] has the highest read error rates with respect to the other colors in F. Thus, for a given CCD scanning device type, the F spectrum is one of these colors, which results in a good read-error rate.
Bar-code read accuracy can be improved through error detection (e.g., parity check) and error correcting codes (e.g., Reed-Solomon codes), although typically good performance is achieved by printing the F colors at a known location on the ID to enable scanner fine-tuning.
Exemplary Computing System and Environment
Fig. 5 illustrates an example of a suitable computing environment 500 within which an exemplary FaceCert, as described herein, may be implemented (either fully or partially). The computing environment 500 may be utilized in the computer and network architectures described herein.
The exemplary computing environment 500 is only one example of a computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the computer and network architectures. Neither should the computing environment 500 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing environment 500.
The exemplary FaceCert may be implemented with numerous other general purpose or special purpose computing system environments or configurations.
Examples of well known computing systems, environments, and/or configurations that may be suitable for use include, but are not limited to, personal computers, server computers, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The exemplary FaceCert may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The exemplary FaceCert may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The computing environment 500 includes a general-purpose computing device in the form of a computer 502. The components of computer 502 may include, but are not limited to, one or more processors or processing units 504, a system memory 506, and a system bus 508 that couples various system components including the processor 504 to the system memory 506.
The system bus 508 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnects (PCI) bus also known as a Mezzanine bus.
Computer 502 typically includes a variety of computer readable media. Such media may be any available media that is accessible by computer 502 and includes both volatile and non-volatile media, removable and non-removable media.
The system memory 506 includes computer readable media in the form of volatile memory, such as random access memory (RAM) 510, and/or non-volatile memory, such as read only memory (ROM) 512. A basic input/output system (BIOS) 514, containing the basic routines that help to transfer information between elements within computer 502, such as during start-up, is stored in ROM 512.
RAM 510 typically contains data and/or program modules that are immediately accessible to and/or presently operated on by the processing unit 504.
Computer 502 may also include other removable/non-removable, volatile/non-volatile computer storage media. By way of example, Fig. 5 illustrates a hard disk drive 516 for reading from and writing to a non-removable, non-volatile magnetic media (not shown), a magnetic disk drive 518 for reading from and writing to a removable, non-volatile magnetic disk 520 (e.g., a "floppy disk"), and an optical disk drive 522 for reading from and/or writing to a removable, non-volatile optical disk 524 such as a CD-ROM, DVD-ROM, or other optical media.
The hard disk drive 516, magnetic disk drive 518, and optical disk drive 522 are each connected to the system bus 508 by one or more data media interfaces 526.
Alternatively, the hard disk drive 516, magnetic disk drive 518, and optical disk drive 522 may be connected to the system bus 508 by one or more interfaces (not shown).
The disk drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules, and other data for computer 502. Although the example illustrates a hard disk 516, a removable magnetic disk 520, and a removable optical disk 524, it is to be appreciated that other types of computer readable media which may store data that is accessible by a computer, such as magnetic cassettes or other magnetic storage devices, flash memory cards, CD-ROM, digital versatile disks (DVD) or other optical storage, random access memories (RAM), read only memories (ROM), electrically erasable programmable read-only memory (EEPROM), and the like, may also be utilized to implement the exemplary computing system and environment.
Any number of program modules may be stored on the hard disk 516, magnetic disk 520, optical disk 524, ROM 512, and/or RAM 510, including by way of example, an operating system 526, one or more application programs 528, other program modules 530, and program data 532.
A user may enter commands and information into computer 502 via input devices such as a keyboard 534 and a pointing device 536 (e.g., a "mouse"). Other input devices 538 (not shown specifically) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and other input devices are connected to the processing unit 504 via input/output interfaces 540 that are coupled to the system bus 508, but may be connected by other interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
A monitor 542 or other type of display device may also be connected to the system bus 508 via an interface, such as a video adapter 544. In addition to the monitor 542, other output peripheral devices may include components such as speakers (not shown) and a printer 546 which may be connected to computer 502 via the input/output interfaces 540.
Computer 502 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computing device 548. By way of example, the remote computing device 548 may be a personal computer, portable computer, a server, a router, a network computer, a peer device or other common network node, and the like. The remote computing device 548 is illustrated as a portable computer that may include many or all of the elements and features described herein relative to computer 502.
Logical connections between computer 502 and the remote computer 548 are depicted as a local area network (LAN) 550 and a general wide area network (WAN) 552. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.
When implemented in a LAN networking environment, the computer 502 is connected to a local network 550 via a network interface or adapter 554. When implemented in a WAN networking environment, the computer 502 typically includes a modem 556 or other means for establishing communications over the wide network 552. The modem 556, which may be internal or external to computer 502, may be connected to the system bus 508 via the input/output interfaces 540 or other appropriate mechanisms. It is to be appreciated that the illustrated network connections are exemplary and that other means of establishing communication link(s) between the computers 502 and 548 may be employed.
In a networked environment, such as that illustrated with computing environment 500, program modules depicted relative to the computer 502, or portions thereof, may be stored in a remote memory storage device. By way of example, remote application programs 558 reside on a memory device of remote computer 548. For purposes of illustration, application programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computing device 502, and are executed by the data processor(s) of the computer.
Computer-Executable Instructions
An implementation of an exemplary FaceCert may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments.
Exemplary Operating Environment
Fig. 5 illustrates an example of a suitable operating environment 500 in which an exemplary FaceCert may be implemented. Specifically, the exemplary FaceCert(s) described herein may be implemented (wholly or in part) by any program modules 528-530 and/or operating system 526 in Fig. 5 or a portion thereof.
The operating environment is only an example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality of the exemplary FaceCert(s) described herein. Other well known computing systems, environments, and/or configurations that are suitable for use include, but are not limited to, personal computers (PCs), server computers, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, wireless phones and equipment, general- and special-purpose appliances, application-specific integrated circuits (ASICs), network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
Computer Readable Media
An implementation of an exemplary FaceCert may be stored on or transmitted across some form of computer readable media. Computer readable media may be any available media that may be accessed by a computer. By way of example, and not limitation, computer readable media may comprise "computer storage media" and "communications media."
"Computer storage media" include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by a computer.
"Communication media" typically embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as carrier wave or other transport mechanism. Communication media also includes any information delivery media.
The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.
Comparison with Existing Approaches
The exemplary FACECERT does not require smart cards or expensive biometric approaches to authenticating a person's identity. It does not rely on the sophistication of ID production to help authenticate a person's identity by reducing the likelihood of counterfeits.
Sophisticated Production
With readily available and relatively inexpensive high-quality, sophisticated production equipment, an unscrupulous rogue can cheaply and easily produce impressive counterfeit documents, including personal IDs. In response, issuing parties (such as governments) have implemented increasingly more sophisticated and presumptively more expensive production techniques.
For example, issuing parties are using holograms, watermarks, microprinting, special print paper and/or chemical coating, etc. Since the production of IDs is more complex, authentication has become correspondingly more complex, unreliable, and most importantly, expensive.
With the exemplary FACECERT, these issuing parties can end this escalating cycle of increasingly more expensive and sophisticated production techniques and increasingly more complex, unreliable, and expensive authentication techniques. In contrast to the conventional approaches, the exemplary FACECERT does not rely on the sophistication of ID production to increase the confidence level that the presented ID is not counterfeit.
The FACECERT ID does not need to be printed by a trusted or high-end printer. It does not need to be produced using sophisticated production techniques to make it more difficult and expensive for a devious scoundrel to manufacture a counterfeit ID.
Rather, the FACECERT ID may be printed anywhere, anytime, and potentially by anyone using basic, inexpensive printers. That is because the exemplary FACECERT relies on the cryptographically signed data in the bar-code to make it more difficult and expensive for an adversary to manufacture a counterfeit ID, rather than relying on the sophistication of production.
With the exemplary FACECERT, the Department of Motor Vehicles may, for example, e-mail a driver's license ID (in its digital format) to a customer, who can print it on her own printer creating as many copies as she wants. Unlike the conventional approaches, loss of the ID with the exemplary FACECERT incurs minimal cost to the customer.
Biometric Approaches
With biometrics, a computer may automatically recognize a person using distinguishing traits of that person. Several biometric-based person identification approaches have been proposed. Some of these are based upon automatic recognition of the distinguishing traits of a person's face, speech, fingerprints, handwriting, and/or iris and retina.
While some types of biometric-based person identification (such as retina scan or fingerprint detection) can be reliable, often they are intimidating (e.g., retina scan) and can be used maliciously to incriminate innocent users (e.g., fingerprint scan). A malicious detector can record a person's fingerprint, create its physical copy, and then incriminate this person at will. This renders fingerprint detection systems highly undesirable for most person identification scenarios.
Typically, a biometric-based person identification system includes a human verifier who ensures the identification system is not fooled. This can happen when an adversary shows a realistic size photo of the face of an authorized person to the face detector or plays a voice recording to a speech detector.
Finally, some biometrics systems are commonly subject to complaints for invasion of privacy. For example, wide-spread face detection points can disclose at any time one's location to a party who gains control over such a system.
For most applications, biometric-based approaches are generally considered to be inconvenient, costly, and most importantly, unreliable.
Smart Cards
With a smart card based system, a digitally stored image of the person's face must be displayed so that the human verifier can confirm that the face in the image stored on the card corresponds to the face of the presenter of the smart card. The typical display will be an LCD or other flat panel display.
However, the exemplary FACECERT does not need to display any image.
Instead, it employs an optical scanner (e.g., a charge-coupled device (CCD)) to scan the photo, supplemental information, and bar-code. The human verifier confirms that the face of the printed image corresponds to the face of the presenter of the FACECERT ID.
Medium-quality displays (e.g., LCDs) are significantly more expensive than CCD scanners (up to a factor of In one estimate, a mass-produced scanner of the authenticator of the exemplary FACECERT should not cost more than US$15, as opposed to a smart card authenticator, which should encompass at least US$50 only for the LCD display. Consequently, the cost of the authenticating infrastructure of the exemplary FACECERT is significantly less than that of a smart-card based approach.
Furthermore, personal IDs are frequently lost or damaged. Replacing a FACECERT ID involves only a simple reprint. However, replacing a smart card involves purchase of another hardware device in addition to burning this device with the appropriate identification contents.
Moreover, the data stored on smart cards are not secure. Using various techniques, the data in the smart card can be extracted. More importantly, it can be replaced with new data. This reduces the overall confidence level in the security of smart cards.
Due to their relatively generous storage capabilities, smart cards may give an impression that they may be used for storing additional information, in particular, private information about the owner (e.g., private keys that are revoked if the smart card is lost).
Conclusion
Although the invention has been described in language specific to structural features and/or methodological steps, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or steps described. Rather, the specific features and steps are disclosed as preferred forms of implementing the claimed invention.

Claims (43)

1. A system facilitating cryptographically secure person identification, the system comprising: 00 5 an identification issuer configured to produce one or more person identification documents (IDs) for a person, the ID comprising first and second representations of person-distinguishing data which distinguishes persons, the first representation being human-readable and second representation being computer-readable and encrypted; and an identification authenticator configured to automatically determine whether the first representation of person-distinguishing data of an ID corresponds with a decrypted second representation of person-distinguishing data of the same ID.
2. A system as recited in claim 1, wherein the first representation includes person-distinguishing data selected from a group consisting of one or more images of the person's face, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
3. A system as recited in claim 1, wherein the second representation includes person-distinguishing data selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
4. A system as recited in claim 1, wherein the format of the first representation is selected from a group consisting of written human-language text, color-coding, photographs, written human-language symbols, and imagery.
5. A system as recited in claim 1, wherein the format of the second representation is selected from a group consisting of a bar-code, a magnetic strip, and a memory storage device.
6. A system as recited in claim 1, wherein: the first representation of person-distinguishing data comprises an image of a person, wherein the image comprises the face of that person; the second representation of person-distinguishing data comprises a face compendium of the face in the image, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
7. A computer-readable medium having computer-executable instructions that, when executed by a computer, performs a method comprising: for a specific person, identifying person-distinguishing data of that person's face, the person-distinguishing data comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the person-distinguishing data represents less than all of the features of that person's face; encrypting the identified person-distinguishing data; producing one or more person identification documents (IDs) comprising a human-readable representation of that person's face and a computer-readable representation of the encrypted person-distinguishing data.
8. A medium as recited in claim 7, wherein producing comprises printing onto a print medium.
9. A medium as recited in claim 7, wherein the method further comprises compacting the person-distinguishing data.
10. A medium as recited in claim 7, wherein the person-distinguishing data further comprises information related to that person, the data being selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
11. A medium as recited in claim 7, wherein the computer-readable and encrypted representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
12. A person identification document (ID) issuance system comprising: a production device configured to produce person IDs; a medium as recited in claim 7.
13. A person ID produced by the method of the medium as recited in claim 7, the person ID having stored thereon a computer-readable data structure, comprising the computer-readable representation of the encrypted person-distinguishing data.
14. A method for issuing person identification documents (IDs), the method comprising: for a specific person, generating a human-readable representation of that person's face, distinguishes that person from other persons; for that person, identifying person-distinguishing data of that person's face, the person-distinguishing data comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the person-distinguishing data represents less than all of the features of that person's face; generating an encrypted and computer-readable representation of the identified person-distinguishing data; producing one or more person IDs comprising both the human-readable representation and the encrypted and computer-readable representation.
15. A method as recited in claim 14, wherein producing comprises printing onto a print medium.
16. A method as recited in claim 14, wherein the generating of the encrypted and computer-readable representation further comprises compacting the person-distinguishing data.
17. A method as recited in claim 14, wherein the person-distinguishing data further comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
18. A method as recited in claim 14, wherein the computer-readable and encrypted representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
19. A method as recited in claim 14, wherein the human-readable representation comprises a photograph of the face of that person.
20. A computer-readable medium having computer-executable instructions that, when executed by a computer, performs the method as recited in claim 14.
21. A computer comprising one or more computer-readable media having computer-executable instructions that, when executed by the computer, perform the method as recited in claim 14.
22. A person ID produced by a method as recited in claim 14, the person ID having stored thereon a computer-readable data structure, comprising the computer-readable representation of the encrypted person-distinguishing data.
23. A person identification document (ID) issuance system, comprising: an image-acquisition device configured to obtain an image of a person's face; a data generator configured to identify and generate person-distinguishing data of that person's face, the person-distinguishing data comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the person-distinguishing data represents less than all of the features of that person's face; a data encrypter configured to encrypt the person-distinguishing data; an ID producer configured to produce one or more person identification documents (IDs) comprising a human-readable representation of the image of that person's face and a computer-readable representation of the encrypted person-distinguishing data.
24. A system as recited in claim 23, wherein the ID producer comprises a printer configured to print on a print medium.
25. A system as recited in claim 23, wherein the data generator is further configured to compact the person-distinguishing data.
26. A system as recited in claim 23, wherein the person-distinguishing data further comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
27. A system as recited in claim 23, wherein the computer-readable and encrypted representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
28. A system as recited in claim 23, wherein the human-readable representation comprises a photograph of the face of that person.
29. A person ID produced by a system as recited in claim 23, the person ID having stored thereon a computer-readable data structure, comprising the computer-readable representation of the encrypted person-distinguishing data.
30. A person ID comprising: a first computer-readable data structure that is also human-readable, the first data structure comprising: a first data field containing an image of a person's face; a second data field containing personal information associated with that person; a second computer-readable data structure comprising: a first data field containing a face compendium of that person's face, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face; a second data field containing the same personal information associated with that person; a third data field functioning to delimit the end of the second data structure.
31. A person ID as recited in claim 30, wherein the personal information comprises information related to that person, which data is selected from a group consisting of a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
32. A person ID as recited in claim 30, wherein second data structure is a bar-code.
33. A computer-readable medium having computer-executable instructions that, when executed by a computer, performs a method comprising: scanning a person identification document (ID) and by so doing obtaining: a first set of person-distinguishing data from a human-readable representation on the person ID; a second set of person-distinguishing data from a computer-readable representation on the person ID; automatically comparing the first and second sets of person-distinguishing data; indicating results of the automatic comparison of the first and second sets.
34. A medium as recited in claim 33, wherein the second set is encrypted and the method further comprises decrypting the second set.
35. A medium as recited in claim 33, wherein the second set of person-distinguishing data comprises a face compendium of that person's face, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
36. A medium as recited in claim 33, wherein the first set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
37. A medium as recited in claim 33, wherein the second set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
38. A medium as recited in claim 33, wherein the computer-readable representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
39. A medium as recited in claim 33, wherein: the first set of person-distinguishing data comprises a photograph of that person, wherein the photograph comprises the face of that person; the second set of person-distinguishing data comprises a face compendium of the face in the photograph, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
40. A person ID authentication device comprising: an audio and/or visual output unit; a medium as recited in claim 33.
41. A method for authenticating person identification documents (IDs), the method comprising: scanning a person identification document (ID) and by so doing obtaining: a first set of person-distinguishing data from a human-readable representation on the person ID; a second set of person-distinguishing data from a computer-readable representation on the person ID; automatically comparing the first and second sets of person-distinguishing data; indicating results of the automatic comparison of the first and second sets.
42. A method as recited in claim 41, wherein the second set is encrypted, the method further comprising decrypting the second set.
43. A method as recited in claim 41, wherein the second set of person-distinguishing data comprises a face compendium of that person's face, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
44. A method as recited in claim 41, wherein the first set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
45. A method as recited in claim 41, wherein the second set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
46. A method as recited in claim 41, wherein the computer-readable representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
47. A method as recited in claim 41, wherein: the first set of person-distinguishing data comprises a photograph of that person, wherein the photograph comprises the face of that person; the second set of person-distinguishing data comprises a face compendium of the face in the photograph, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
48. A computer comprising one or more computer-readable media having computer-executable instructions that, when executed by the computer, perform the method as recited in claim 41.
49. A person identification document (ID) authorization system, comprising: an optical scanner configured to obtain a first set of person-distinguishing data from a human-readable representation of a person identification document (ID) and obtain a second set of person-distinguishing data from a computer-readable representation of the person ID; a comparison unit configured to automatically compare the first and second sets of person-distinguishing data; a reporting unit configured to indicate results based upon such comparison by the comparison unit.
50. A system as recited in claim 49, wherein the second set is encrypted, the system further comprising a decrypter configured to decrypt the second set.
51. A system as recited in claim 49, wherein the second set of person-distinguishing data comprises a face compendium of that person's face, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
52. A system as recited in claim 49, wherein the first set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
53. A system as recited in claim 49, wherein the second set of person-distinguishing data comprises information related to that person, which data is selected from a group consisting of one or more images of the person's face, a retina scan of the person, an iris scan of the person, the person's name, the person's social security number, the person's account number, the person's weight, the person's height, the person's hair color, the person's eye color, one or more of the person's fingerprints, information about the person's birthmarks, information about the person's tattoos, the person's personal human statistics, one or more distinguishing traits of that person, and the person's contact information.
54. A system as recited in claim 49, wherein the computer-readable representation is selected from a group consisting of one or more bar-codes, one or more magnetic strips, and one or more memory storage devices.
55. A system as recited in claim 49, wherein: the first set of person-distinguishing data comprises a photograph of that person, wherein the photograph comprises the face of that person; the second set of person-distinguishing data comprises a face compendium of the face in the photograph, the face compendium comprising data that defines facial structures of that person's face which distinguishes that person from other persons, wherein the face compendium represents less than all of the features of that person's face.
DATED this 22nd day of March 2005
MICROSOFT CORPORATION
By its Patent Attorneys
DAVIES COLLISON CAVE
AU2003276864A 2002-10-16 2003-09-04 Cryptographically secure person identification Expired - Fee Related AU2003276864B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US27207302A 2002-10-16 2002-10-16
US10/272,073 2002-10-16
PCT/US2003/027614 WO2004036802A1 (en) 2002-10-16 2003-09-04 Cryptographically secure person identification

Publications (3)

Publication Number Publication Date
AU2003276864A1 AU2003276864A1 (en) 2004-05-04
AU2003276864A2 AU2003276864A2 (en) 2004-05-04
AU2003276864B2 AU2003276864B2 (en) 2009-06-04

Family

ID=32106425

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2003276864A Expired - Fee Related AU2003276864B2 (en) 2002-10-16 2003-09-04 Cryptographically secure person identification

Country Status (11)

Country Link
EP (1) EP1552634A1 (en)
JP (1) JP2006503374A (en)
KR (1) KR20060074912A (en)
CN (1) CN1682478A (en)
AU (1) AU2003276864B2 (en)
BR (1) BR0314376A (en)
CA (1) CA2497737A1 (en)
MX (1) MXPA05002945A (en)
RU (1) RU2346395C2 (en)
TW (1) TW200408251A (en)
WO (1) WO2004036802A1 (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7758422B2 (en) * 2005-04-13 2010-07-20 Microsoft Corporation Hard drive authentication
EP2237519A1 (en) * 2009-03-31 2010-10-06 France Telecom Method and system for securely linking digital user's data to an NFC application running on a terminal
FR2945650B1 (en) * 2009-05-13 2011-05-06 Groupe Ecoles Telecomm METHOD FOR SECURING DOCUMENTS BY APPLYING A CLEAN IDENTIFICATION NUMBER AND APPARATUS FOR AUTHENTICATING SAID NUMBER.
TW201211900A (en) * 2010-09-14 2012-03-16 rui-jin Li Method of verifying trueness of object interactively by using colored 2D variable barcode and system thereof
CN102075547B (en) * 2011-02-18 2014-03-26 天地融科技股份有限公司 Dynamic password generating method and device and authentication method and system
WO2013100825A1 (en) * 2011-12-29 2013-07-04 Bilyukin Evgeniy Yakovlevich Cash register for a system of mobile payments
RU2536367C1 (en) * 2013-04-24 2014-12-20 Александр Геннадьевич Мочкин Method of determining authenticity of documents, monetary notes, valuable items
WO2014175780A1 (en) * 2013-04-24 2014-10-30 Mochkin Aleksandr Gennadyevich Method and device for determining the authenticity of documents
RU2542886C1 (en) * 2013-12-30 2015-02-27 Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования "Санкт-Петербургский государственный электротехнический университет "ЛЭТИ" им. В.И. Ульянова (Ленина)" Method of forming barcode on facial images and apparatus therefor
DE102014002207A1 (en) * 2014-02-20 2015-08-20 Friedrich Kisters Method and device for identifying or authenticating a person and / or an object by dynamic acoustic security information
US10558879B2 (en) 2014-10-30 2020-02-11 Hewlett-Packard Development Company L.P. Digital signature authentication
US10136310B2 (en) 2015-04-24 2018-11-20 Microsoft Technology Licensing, Llc Secure data transmission
US10210527B2 (en) 2015-06-04 2019-02-19 Chronicled, Inc. Open registry for identity of things including social record feature
EP3304431B1 (en) 2015-06-04 2021-09-08 Chronicled, Inc. Open registry for identity of things
KR20170073342A (en) 2015-12-18 2017-06-28 에스프린팅솔루션 주식회사 Image forming apparatus, and method for image processing thereof
US11107088B2 (en) 2016-05-27 2021-08-31 Chronicled, Inc. Open registry for internet of things
WO2018067974A1 (en) * 2016-10-07 2018-04-12 Chronicled, Inc. Open registry for human identification
WO2018235975A1 (en) * 2017-06-22 2018-12-27 조민환 Terminal device and remote control method therefor
EP3662635A4 (en) 2017-07-31 2021-04-28 Chronicled, Inc. A secure and confidential custodial transaction system, method and device using zero-knowledge protocol
TWI651626B (en) * 2017-11-30 2019-02-21 大陸商北京集創北方科技股份有限公司 Biometric data encryption method and information processing device using same
AU2019342281A1 (en) * 2018-09-20 2021-04-22 Gmkw Technology Wuxi Co., Ltd. A system and method for binding information to a tangible object
JP7112320B2 (en) * 2018-11-27 2022-08-03 株式会社日立製作所 Verification device and verification method
WO2022097982A1 (en) * 2020-11-06 2022-05-12 주식회사 아이온커뮤니케이션즈 Method and server for providing face recognition-based digital signature service
IT202100030338A1 (en) * 2021-11-30 2023-05-30 Bluenet S R L VERIFY DOCUMENTS THROUGH COMPARISON OF IMAGES WITH VERIFICATION CODE

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE107966T1 (en) * 1989-04-06 1994-07-15 Nestle Sa DNA SAMPLE DETECTING LACTOBACILLUS DELBRUECKII.
US5864622A (en) * 1992-11-20 1999-01-26 Pitney Bowes Inc. Secure identification card and method and apparatus for producing and authenticating same
US5420924A (en) * 1993-04-26 1995-05-30 Pitney Bowes Inc. Secure identification card and method and apparatus for producing and authenticating same by comparison of a portion of an image to the whole
US5384846A (en) * 1993-04-26 1995-01-24 Pitney Bowes Inc. System and apparatus for controlled production of a secure identification card

Also Published As

Publication number Publication date
EP1552634A1 (en) 2005-07-13
BR0314376A (en) 2005-07-19
AU2003276864A1 (en) 2004-05-04
RU2005105948A (en) 2005-09-20
CA2497737A1 (en) 2004-04-29
MXPA05002945A (en) 2005-05-27
WO2004036802A1 (en) 2004-04-29
KR20060074912A (en) 2006-07-03
RU2346395C2 (en) 2009-02-10
CN1682478A (en) 2005-10-12
JP2006503374A (en) 2006-01-26
TW200408251A (en) 2004-05-16
AU2003276864B2 (en) 2009-06-04

Legal Events

Date Code Title Description
MK25 Application lapsed reg. 22.2i(2) - failure to pay acceptance fee