DE102007060605A1 - Securing personal identity documents against counterfeiting - Google Patents

Abstract

The invention relates to a method for securing personal identity documents against counterfeiting, wherein at least one image (21) is generated from the identity document to be secured or from a component of the identity document, wherein according to a predetermined rule from the at least one image (21) a first Code is generated, which characterizes the at least one image, wherein from the first code by applying a cryptographic hash function, a second code is generated and wherein from the second code, a document identifier is formed.

Description

The The invention relates to a method for securing personal identity documents against counterfeiting.

Personal identity documents such as identity cards, passports, visas and driver's licenses to document the identity of their owner. The Forgery of identity documents can thus to create a new, non-existent identity or to accept an existing but false identity be used.

fake Identity documents are for significant security issues responsible. So can a fake passport of terrorists or other criminals from a stolen or empty passport getting produced. The authentication of identity documents is therefore an important safety measure, at the same time however, due to the technical capabilities of the counterfeiters too a big challenge.

traditional Analog identity documents usually contain information name, place of birth and date of birth, gender, nationality, in addition a passport photo of the person as well as information over the issuer of the document. The data will be both readable the document printed as well as in a so-called machine-readable Zone (Machine Readable Zone - MRZ) applied to the document. The MRZ can be automatically detected and evaluated by a reader become.

each Identity document is associated with a document number, e.g. B. provided the identity card number. Based on the document number can verify the goodness of the document become. However, the identity number is independent from the content of the document. If z. B. manipulated the photo of an identity card, can not counterfeit the document number be detected.

Various Procedures have been proposed to ensure the security of identity documents to increase. This can be done using digital watermarks or other stenographic methods, for example, the identification number invisibly embedded in certain parts of the document such as the passport photo become. A secret password becomes the digital watermark from the selected parts of the document, the identification number decoded and with the identification number coded or coded in the MRZ compared.

The International Civil Aviation Organization (ICAO) recommends electronic To use identity documents. In extension of traditional Identity documents, including the identity card information the passport image stored in an RFID chip, which is in the document is integrated. Access to this information is secure and can only be done via a reader that from the optically recorded information in the MRZ cryptographic key generated. The data exchange between chip and reader is only successful and the authenticity of the document thus proven if the information in RFID matches that in the MRZ. In addition, the coherence of documents and document holders using biometric recognition procedures To: To directly relate a document to its owner prove the biometric data stored in the RFID with the currently recorded biometric data of the document holder compared.

The These methods increase the security level of identity documents significant. In the case of digital watermarks, however, it should be remembered that that the contents of the document by the watermark (though only slightly) and elaborate Tests for each new document type will be necessary to negative influences of the watermark on the quality of the document and the robustness of the watermark against the production process of the document. In the case Electronic identity documents are special readers and possibly key management required to access to get the digital data storage of the RFID chip.

One Another disadvantage of the RFID solution is the sensitivity of the chip against mechanical influences (eg buckling of the chip) Document) and electromagnetic interference.

It is an object of the present invention, the disadvantages described the existing solutions at least partially avoid. In particular, the appearance of the document should do not need to be changed and use a special reader as well as an RFID chip or an additional security mechanism for Access control should not be necessary if possible.

It a method is proposed, the identity documents safeguards against counterfeiting, and also a procedure for checking the authenticity of identity documents.

• – Er ist eindeutig für jedes Dokument und vom Inhalt des Dokuments abhängig.
• – Er kann anhand des Identitätsdokumentes oder einer Kopie des Identitätsdokuments, die inhaltlich nicht verändert wurde, rekonstruiert oder erzeugt werden.
• – Es ist nicht möglich, den Inhalt des Dokuments aus dem Code zu rekonstruieren.

In particular, the method generates a (eg binary) code from the information contained in analog identity documents. This code has the following properties:

• - It is unique to each document and depends on the content of the document.
• - It can be reconstructed or generated based on the identity document or a copy of the identity document that has not been changed in content.
• - It is not possible to reconstruct the content of the document from the code.

According to the invention at least a picture of the identity document to be secured or generated from a part of the identity document.

Z. For example, the image from which a first code (s. be generated from a part of the identity document. In this case, the component already at the time of production the image may be part of it or it may not be until later the component and other components the identity document getting produced. An example of such a component, which is later processed into an identity document is, is a passport photo.

The Picture from which the first code is generated, shows z. B. a passport photo the person whose identity through the identity document should be documented. The picture can also be another Part of the identity document, e.g. B. a specially printed Area, logo, or combination of such parts (i.e. H. reproduce). The picture can also be at least another part the identity document and the passport photo of the person or show a part of it.

Instead of An image can also contain a plurality of images of components of the identity document for the generation of the first codes are used.

Under An image becomes a two-dimensional reproduction of an object understood or understood the data that this two-dimensional reproduction describe.

Out the image (s) will be in accordance with a predetermined Regulation generates a first code. On the basis of the prescribed rule the first code is reproducible and unique for that or the pictures.

The Prescribed rule can also define how the Image or images obtained from the identity document will / will, from / from which the first code is generated.

Z. B. defines the default rule that the image is a passport photo is or is a predefined part of a passport photograph or of the Passport picture or the part is to produce. Alternatively, the default Rule z. B. define that of another interest Region of the identity document the image or images to generate is / are.

alternative or additionally, the default rule may define that the first code is from a particular part and / or specific Characteristics of the image or images is generated. For example, you can too the particular features the eye relief of a person on a Passport image, the distance from other facial features of the person the passport picture and / or a dimension of at least one facial feature belong to the person on the passport photo. Formulated more generally can image features of the or images according to the to be evaluated for the formation of the first code, their presence is expected or at least likely is. The image features are z. B. according to per se Known image processing method by evaluating the or Pictures determined.

The Determination of such image features increases the reproducibility and robustness of the procedure considerably. In particular, you can Therefore, various methods of generating the image or images are used and it can, despite the slightly different image results in each case the same first code are generated. Also a further processing (including storage of image data in compressed Shape, analogue of digital image data and / or digitization from analogue image data) nevertheless leads with high reliability to the same first code. A previous reproduction of the identity document and generating the image (s) from the reproduction also the generation of the same first code.

general formulated is the default rule preferably order a prescription that is the generation of a perceptual (English: perceptual) codes defined. Such rules are in itself known from the data processing. It is an essential one Recognition of the present invention that just such rules for the purpose of securing identity documents against counterfeiting are particularly advantageous.

The Result of such regulations or calculation methods also called the checksum (or fingerprint). This is understood to mean, in particular, one-dimensional bit sequences. Despite the term "checksum", the algorithm must Do not include an operation that sums up. The Designation "Checksum" is one of historical Reasons chosen name.

However, the result (the first Co de) not only for the backup or the result is not suitable without further processing. An important reason for this is that it is not the other way round that the result should be able to be used to identify the image and thus the person to be identified. Another reason is that even the first code can be generated by a counterfeiter, unless further security measures are taken. This is especially true when the first code is unencrypted from the document removed.

regulations to generate perceptual codes have the property that they are similar to images that are similar to human perception also similar, d. H. generate approximately equal codes. They also generate images for human perception are different, distinctly different Codes.

Perception-based methods to generate a code are already known in the art and therefore will not be described in further detail. For example, in the publication GAVRIELIDES, MA; SIKUDOVA, E .; PITAS, I .: Color-Based Descriptors for Image Fingerprinting (IEEE Transactions to Multimedia Vol. 8, IEEE Computer Society, August 2006, pp. 740-74) discloses a method in which an image is automatically evaluated based on color values. The respective color value is quantized and histograms of the color distribution are created. The code can be defined as a characteristic of the histogram, eg. B. as a statistical parameter or as a mathematical combination of statistical parameters of the histogram. Other methods are described, for example, in the following two publications: VENKATESAN, R .; KOON, S.-M .; JAKUBOVSKI, MH; MOULIN, P .: Robust Image Hashing (International Conference on Image Processing Vol. 3. Vancouver, BC: IEEE Computer Society, September 2000, pp. 664-666) and MONGA, Vishal; EVANS, Brian L .: Perceptual Image Hashing Via Feature Points: Performance Evaluation and Tradeoffs. (IEEE Transactions to Image Processing Vol. 15, IEEE Computer Society, November 2006).

One The basic idea of the present invention is that the Document identifier can be recalculated to verify the authenticity of the document Document. This is for example scanned the document again, d. H. the at least one picture, from which the first code is generated, recaptured.

The Capturing the image but may lead to a different result especially because another scanner was used with one other resolution was scanned and / or because the document has been dirty or has signs of wear. In a renewed Generation of the first code is therefore the problem that the first code from the originally generated first code eventually differs.

It Therefore, it is preferable that the first code has redundant information about having at least one image, wherein the redundant information is used to correct the first code.

Z. For example, an error correction mechanism or code, such as z. A BCH code (Bose-Chaudhuri-Hocquenghem code) or an RS code (Reed-Solomon code), be applied with the occurring bit error in the code or be recognized and corrected in a code section. Such procedures are known per se and will not be described here. In other words, this "correction" can also be referred to as the "normalization" of the first code.

Under A code is understood to mean any representation of data stored in a readable and evaluable format. For example, it may be the code is a binary code or a code with act multiple characters, the characters are not just two Can accept values. For example, it may be at the first Code to a sum (also called checksum) act, the obtained according to the prescribed rule from intermediate results which was previously obtained in the evaluation of the image (s) were.

alternative to a perceptual based hash function can be biometric Evaluation method for evaluating the image, in particular one Passport picture can be applied to generate the first code.

With the first code, optionally with one from the MRZ Code is combined by applying a cryptographic Hash function generates a second code. Alternatively to the MRZ can Plain text on the document (eg name, address and place of birth of the Person) and combined with the first code become.

In turn, a document identifier is formed from the second code. This formation of the document identifier may consist merely in combining the second code in a readable and / or machine-readable form with other constituents of the identity document (eg as mentioned in the preceding paragraph) and / or the second code separately from the document is stored. The combination with the document has the advantage that the document identifier is already present when the document is checked together with the document, and z. B. not first be determined from a database got to.

The However, formation of the document identifier preferably also the step on that the second code combined with a digital signature becomes. This combination is then used for the document identifier used. The digital signature makes it possible in particular an authority or other issuer of the identity document the document identifier is unique and unalterable mark as a mark to be used by the authority or the other exhibitor. The combination of codes with one digital signature is known per se and therefore will not be here described in more detail.

Cryptographic Hash functions are well known in computing and are characterized by the following properties: It is not possible, from the result of using the hash function again to close the code to which the hash function was applied (one-way function).

Further belongs to the scope of the invention, a computer program that designed so that the program runs on a computer or computer network, the inventive method in one of its embodiments.

Farther belongs to the scope of the invention, a computer program Program code means (especially machine code) to the inventive To carry out a method in one of its embodiments, if the program is running on a computer or computer network becomes. In particular, the program code means may be on a be stored computer-readable media.

Furthermore belongs to the scope of the invention, a data carrier, on which a data structure is stored after a load in a working and / or main memory of a computer or computer network the inventive method in one of his Embodiments can perform.

Also belongs to the scope of the invention, a computer program product with program code means stored on a machine-readable carrier, to the inventive method in one of his Execute configurations when the program is on a Computer or computer network is running. there Under a computer program product, the program is considered tradable Product understood. It can basically be in any one Form, for example, on paper or a computer-readable Disk and in particular in computer readable form over a Data transmission network are distributed.

Further belongs to the scope of the invention, a device (in particular a computer or computer network in which the above-mentioned computer program loaded and / or controlled by the computer program), which is configured, the inventive method in one of its embodiments. In the device can it is z. B. to a commercial personal computer or a computing unit (for example, a microcomputer or a FPGA), which can be transferred to another device (eg a device for playing the multimedia data) is integrated.

The In particular, the device is designed such that it has a data memory in which the document identifier from an earlier Calculation is saved. Alternatively or in addition the device has an interface for receiving data which correspond to the document identifier.

embodiments The invention will now be described with reference to the attached Drawing described. The individual figures of the drawing show:

1 an identity document and schematically steps of an embodiment of the method according to the invention for forming a document identifier,

2 a preferred form of generation of the first code and

3 an embodiment of a method step for generating the first code by a perception-based hash function.

As 1 First, a first code is extracted from the passport photo of the document. The first code, in particular a checksum, is made of a document-specific content, such. As the passport photo, a specially printed area, a logo or a combination of such content generated, so that the first codes of different documents clearly differ from each other.

The first code is combined with the document's MRZ data into a unique binary code. A cryptographic hash function (eg, according to the definition SHA-1, Secure Hash Algorithm - 1) is applied to this binary code, so that the result of the hash function (the second code) is not based on the first code or the content of the document can be. The result of the hash function is provided with the digital signature of the issuer of the document to confirm the document identifiers. The result of the hash function with the digital signature is shown in the fol referred to as a document identifier.

There the document identifier is unique and the content of the document is dependent, and so is the document itself safe against manipulation and counterfeiting. The document identifier can z. B. be applied as a barcode on the document or stored in the MRZ. Optionally, the document identifier also on a magnetic strip or one inseparable from the document connected digital storage medium (eg an RFID chip) stored become.

Around will check the document ID digitize the document (eg with a flatbed scanner or a digital camera) and the calculation of the document identifier again carried out. The version applied on the document of the document identifier is read out (eg with a barcode scanner) and compared with the newly calculated identity. If both Document identifiers match the document classified as genuine.

The Document identifier can be used as an efficient feature for matching serve with extensive databases, since it is a stationary (ie. H. not changeable) and z. B. binary coded feature is. About the database can provide additional information to a determined document based on the document identifier are reported (eg lost, expired, etc.). The anonymity of the document identifier is determined by the calculation process (s. o.), the conclusion on personal Makes data impossible.

• – Das berechnete Dokumentenkennzeichen ist eindeutig. Es ist nicht möglich, aus inhaltlich unterschiedlichen Dokumenten dasselbe Dokumentenkennzeichen zu erzeugen.
• – Inhaltlich identische Kopien eines Dokuments liefern dasselbe Dokumentenkennzeichen. Damit kann z. B. auch verifiziert werden, ob eine Kopie eines Dokuments die Inhalte des Originals korrekt wiedergibt.
• – Es vermeidet die Nachteile der bisher existierenden Lösungen zur Überprüfung der Echtheit analoger Identitätsdokumente. Es ist nicht notwendig, Bildinformationen im Dokument zu verändern, wie dies bei der Verwendung digitaler Wasserzeichenverfahren notwendig wäre. Die Verwendung eines speziellen Lesegerätes wie auch eines RFID-Chips ist nicht notwendig, jedoch möglich, falls es das Anwendungsszenario erfordert.
• – Ein Gerät für die Prüfung der Echtheit eines Identitätsdokuments kann auf Basis eines preiswerten Scanners oder einer preiswerten digitalen Kamera und einer zusätzlichen Recheneinheit geringer Leistung erfolgen, wenn der erste Code auf einem wahrnehmungsbasierten Kodierungsverfahren beruht.
• – Das Dokumentenkennzeichen kann offengelegt werden. Es ist kein zusätzlicher Mechanismus für die Zugriffskontrolle erforderlich und der Prozess zur Überprüfung der Echtheit des Dokuments damit stark vereinfacht.
• – Das Verfahren ist fälschungssicher, wenn außerdem die digitale Signatur des Ausstellers des Dokuments in die Berechnung der Dokumentenkennzeichen eingeht.
• – Das Dokumentenkennzeichen ist abhängig vom Inhalt des Dokuments. Inhaltliche Manipulationen führen zu einer Änderung des Dokumentenkennzeichens und können einfach detektiert werden.
• – Das berechnete Dokumentenkennzeichen erlaubt keine Rückschlüsse auf die Daten im Dokument und erfüllt daher datenschutzrechtliche Anforderungen.
• – Das berechnete Dokumentenkennzeichen kann aufgrund der binären Kodierung schnell und effizient in unfangreichen Datenbanken gefunden werden.

The proposed method for calculating a unique document identifier offers several advantageous properties that are not yet combined by any other method:

• - The calculated document identifier is unique. It is not possible to create the same document identifier from content-related documents.
• - Identical copies of a document provide the same document identifier. This can z. For example, you can also verify that a copy of a document correctly reflects the contents of the original.
• It avoids the disadvantages of the existing solutions for verifying the authenticity of analog identity documents. It is not necessary to change image information in the document, as would be necessary when using digital watermarking. The use of a special reader as well as an RFID chip is not necessary, but possible if the application scenario requires it.
• A device for verifying the authenticity of an identity document may be based on a low cost scanner or a low cost digital camera and an additional low power computing unit if the first code is based on a perceptual based coding method.
• - The document identifier can be disclosed. There is no additional access control mechanism required and the process of verifying the authenticity of the document is greatly simplified.
• - The procedure is tamper-proof if, in addition, the digital signature of the issuer of the document is included in the calculation of the document identifiers.
• - The document identifier depends on the content of the document. Content manipulations lead to a change of the document identifier and can be easily detected.
• - The calculated document identifier does not allow conclusions to be drawn about the data in the document and therefore meets data protection requirements.
• Due to the binary coding, the calculated document identifier can be found quickly and efficiently in extensive databases.

An essential step of the method is the generation of the first code from the image or images of the document. The first code can be created in several ways. 2 illustrates a preferred form of generation of the first code. First, a region of interest (ROI) in the document is detected. If a passport photo is on the document, the area showing the person's face is defined as ROI. Background or clothing of the person, however, are of little relevance for checking the authenticity of an identity document and are not selected and / or not evaluated.

in the Following, based on an image generated by the ROI, characteristic features calculated. These features can from a robust hash of the image and / or the biometric Character of the passport photo (especially the face) derived become. To small deviations due to a recalculation to avoid the first code, an error correction mechanism, such as B. a BCH code can be used.

Especially it is possible to extract the first code (eg. the checksum or hash value), biometric methods apply if the image is a biometric image, z. Biometric face photograph, fingerprint image or iris image.

For Face photos z. B. can the known per se method of principal component analysis (PCA, Principle Component Analysis) and / or discriminant analysis (LDA, Linear Discriminant Analysis) are applied to holiness values of the image, to extract characteristic values. For example, in the PCA method no plurality of basic faces to be defined. The face up The facial photo can then be assisted by the characteristic values represented as a linear combination of the basic faces mathematically become. the characteristic values are therefore suitable as values the perceptual checksum or as a starting point for the calculation of such a checksum.

If if the image is a fingerprint image z. For example, the location and orientation of the details of the fingerprint (eg the minutiae) are described by characteristic values, which are then used to form the first code.

In in the same way, the iris pattern can appear in an image of an iris be described by characteristic values. In similar Way can also use the paper of the document to form the first Codes are analyzed, if it z. In a local Area with defined location on the document a microscopic has fine optical structure. The structure is then detected and characterized to form the first code.

If the characteristics or the characteristic values after the application the rule for forming the perceptual checksum yet can not be in binary form, they can subsequently converted into binary values. For example, a median can be calculated by values of different image areas and anyone can single value can be compared with the median and dependent from the result of the comparison the binary value "0" or "1." For a specific example will be discussed in more detail.

3 shows that a picture 21 initially in a standard format of z. B. 256 × 256 pixels (normalized) is brought, so a normalized image 22 arises. Although the image shows hair and the neck as well as a person's face, it may alternatively be an image showing the face almost all over. Now the pixels are divided into blocks (block representation 23 ), z. B. in blocks of 16 × 16 pixels. These blocks use a perceptual hash function as follows, resulting in the first code.

First becomes for each of the k (k is a positive integer, which corresponds to the number of blocks) blocks the mean assigned to the block M1 ... Mk formed. In the case of one Color image is this z. B. a color average, in the case of a grayscale image z. For example, a grayscale average.

Now the median Md of these means M1 ... Mk is determined and it Block is compared to see if the median is greater (or greater or equal) than the mean, in In which case, the block is assigned a first binary value becomes (eg "1"), or if the median is less than or equal to (or less) than the mean, in which case the block a second binary value is assigned (eg "0").

The representation in the lower half of the 3 shows a line representation of the means in which the lines of the block representation 23 line by line, ie after the first line the second line follows, etc. The result of the comparison between the respective mean of the block and the median is shown in the line below. This line represents the first code.

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited non-patent literature

• - GAVRIELIDES, MA; SIKUDOVA, E .; PITAS, I .: Color-Based Descriptors for Image Fingerprinting (IEEE Transactions to Multimedia Vol. 8, IEEE Computer Society, August 2006, pp. 740-74) [0027]
• VENKATESAN, R .; KOON, S.-M .; JAKUBOVSKI, MH; MOULIN, P .: Robust Image Hashing (International Conference on Image Processing Vol. 3. Vancouver, BC: IEEE Computer Society, September 2000, pp. 664-666) [0027]

Claims (11)

Method for securing personal identity documents against counterfeiting, wherein - at least one image ( 21 ) is generated from the identity document to be secured or from a component of the identity document, according to a predetermined rule from the at least one image ( 21 ) a first code is generated which characterizes the at least one image, - a second code is generated from the first code by applying a cryptographic hash function, and - a document identifier is formed from the second code. A method according to the preceding claim, wherein the document identifier readable and / or machine readable as part the identity document with other components of the Identity document is combined. Method according to one of the preceding claims, wherein in the formation of the document identifier, the second code combined with a digital signature. Method according to one of the preceding claims, wherein the first code is combined with other data that is characteristic for the identity document, before leaving the first code the second code is generated. A method according to the preceding claim, wherein the other data in a machine-readable zone (Machine Readable Zone - MRZ) on the identity document are or are arranged. Method according to one of the preceding claims, wherein image features of the one or more images according to a prescribed rule for the formation of the first code and the first code is generated from the image features. Method according to one of the preceding claims, the first code being a perceptual based checksum, in particular a one-dimensional bit sequence. Method according to one of the preceding claims, wherein upon re-generation of the first code for verification of the document identifier, the first code is redundant information about having at least one image and wherein the redundant information is used to correct the first code. Device for automatically detecting tampering in multimedia data, eg. As image data or audio data, the Device is designed, the invention Method according to one of the preceding method claims perform. Computer program that is designed to be that the program expires on a computer or computer network Method according to one of the preceding method claims performs. Disk on which a data structure stored after a loading into a work and / or Main memory of a computer or computer network the computer or controls the computer network such that the method according to a the preceding method claims is executed.