RU2371765C2 - Anonymous biometric person's registration method - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: invention can be used for protecting private information of citizens when providing social assistance to them. Besides invention can be used in judicial record keeping when protecting witnesses, as well as in electronic voting systems. In order to achieve the result, examples of two biometric images of the registered person are used and a pair of keys (public and private key) is formed, the first neuron network is taught to reproduce the public key, when the first biometric image is presented to it, the second neuron network is taught to reproduce the user's private key when the second biometric image is presented to it, of the registered person, the public key bunch of the registered person and narrative matrixes of connections and parametres of its taught neuron network are kept, registration time and place is fixed, electronic digital signature (EDS) data of automatic registration machine and EDS of the registered person is signed, accuracy of EDS of the registered person is checked, and in case it is accurate, examples of biometric images and the private key of the registered person are deleted.

EFFECT: improving safe registration of people.

2 cl

Description

The invention relates to techniques for protecting medical confidentiality in the conduct of anonymized electronic medical records. The invention can be used to protect personal data of citizens while providing them with social assistance. In addition, the invention can be used in court proceedings for the protection of witnesses, as well as in electronic voting systems.

The simplest method for registering a patient [1] is known by entering biometric data and photographs into the patient’s pass, as well as entering personal data (name, patronymic, last name, pass number) in the electronic medical history (claim 10 of the formula). This method is unacceptable, for example, in cases of registration of patients with socially significant diseases (AIDS, sexually transmitted diseases), as it does not ensure the anonymity of the patient and violates the requirements of the law of the Russian Federation “On personal data”.

A known method of biometric registration of a person [2], which removes several examples of a biometric image of a person (for example, two or three fingerprints), then form a biometric template of a person (for example, in the form of a list of coordinates of special points of a fingerprint). This list is then stored and the special points of the presented biometric image are compared with it. Practically all modern means of biometric identification are organized by this comparison method and by this registration method. This technology may well be used in biometric police control systems (for example, in the new generation passport and visa document system), however, their use in civilian biometric applications that ensure user anonymity is undesirable.

The formation of a biometric template does not ensure the anonymity of the person being registered, which is a fundamental drawback of most biometric technologies and their systems for recording biometric data. Possessing software biometric data protection of a certain person, an attacker can always extract a biometric template from it and find the person himself or many people with close biometric images from it. It is assumed that in the future, large criminal databases will be created (stolen) by organized criminal groups, using which any attacker can disavow the anonymity of a person registered in a particular system. For all modern manufacturers of biometrics with classic decision rules, anonymity cannot be ensured by biometric templates:

- fingerprint drawing;

- the iris of the eye;

- handwritten autograph of a person;

- geometry of the palm of a person;

- geometry of the human auricle;

- geometry of a person’s face;

- ……………………………………………;

made according to the requirements of international biometric standards, including using the BioAPI specification. All international biometric standards ISO / IEC JTC1 CS37 were created without taking into account the high requirements for anonymity and confidentiality of biometric data specific to civilian applications. The ISO / IEC JTC1 CS27 sub-committee on international standardization, which is responsible for the information security of biometric applications, has not yet created relevant international standards.

There is a method of anonymous password registration of a person [3], by which a person (for example, when registering in DOS, Windows or Linux operating systems) selects a fictitious name (login) and chooses a password for himself. A login is public information and a password is confidential information. User registration consists in calculating the hash function of the login and password, followed by storing the login and the calculated hash function.

The main disadvantage of this method is that short passwords are easily selected by an attacker, and a long password is difficult to remember for a registered person. In addition, the registered person can intentionally transfer the short password to another person.

This disadvantage is eliminated by the method recommended by GOST R 52633-2006 [4, see clause 5.1 and Fig. 1 of the standard]. Using this method, it is necessary to create a long password (access code), set neural network connections, take some examples of a biometric image of a person, train the neural network to be able to convert a biometric image of a registered person into a long password (access code) [4, see paragraph 6 - requirements for training].

The disadvantage of the registration method is that a long access code (secret key) must be safely transported in a geographically distributed information system, in addition, there is no mechanism for safe and reliable disavowal of the anonymity of a registered person. Another drawback is that only people (devices) who know the access code of the person being verified can identify a person. There is a contradiction, according to which, on the one hand, the access code (password) should be known to many people who will need to identify the person in the future, and on the other hand, the access code (password) should be kept secret.

The problem of biometric identification of a person by many other people is solved by the method [5]. In this way, identification is carried out by comparing the code at the output of the neural network with the code of the string of letters in the document of the person being identified, for example, with the code of the name of the person being verified. If the biometric image of an identifiable person generates his surname, name and patronymic at the output of the neural network, then this person really is the owner of the document. The method [5] involves registering a person in the form of training his neural network to give a unique code on its outputs that corresponds to a string of characters from a document that is well read and understood by other people. At the same time, any other person who has the document of the person being checked in his hands can identify the person.

The main disadvantage of the method [5] and its registration is that they generally do not ensure the anonymity of the identified person.

The task of ensuring anonymity is solved by one of the options of the second registration method that fully implements the requirements of GOST R 52633-2006 [6], according to which the encrypted keys (identification and authentication keys based on encryption procedures) are transported securely in a geographically distributed system. Using this method, a random secret key is created, it is placed in several neural networks of different communication subscribers, and tables of connections and parameters of their personal trained neural networks are sent to these subscribers. At the same time, each subscriber safely receives a shared secret encryption key and can extract it from his neural network by presenting the parameters of his biometric image to its inputs.

The disadvantage of the method of biometric registration by the method [6] is that only a person who knows his secret key can identify a person. This greatly limits the possibilities of identification, which can be implemented on registration, built on the basis of the method [6]. By the method of [6], only people belonging to a small trusted group can be mutually identified, to whom their personal neural networks were sent with a common secret key of communication or mutual identification / authentication.

A fundamentally important drawback of registration for implementing the method [6] is the impossibility of reliable disavowal of the anonymity of a registered person. If people in a small group of trustees do not know each other, then on their own initiative they cannot safely disavow their anonymity.

The technical goal of the present invention is to solve the problem of safe biometric registration of people, preserving a high level of confidentiality of biometric parameters of the user and ensuring a high level of anonymity of a person, provided that it is possible to disavow the anonymity of a person at his request or due to the requirements of the legislation in force in Russia.

This goal is achieved by the fact that when registering in place of one biometric image, two different biometric images are used and examples of the first and second biometric images of the person being registered are taken without the presence of outsiders. In addition, instead of a single key, like analogs and prototypes, a pair of keys is used: a public and a private key. Create a key pair and train two neural networks. The first neural network is trained to reproduce at its output the public key of the person being registered upon presentation of the first biometric image of this person at its inputs. The second neural network is trained on the second biometric image to reproduce the second private key of the person being registered.

After training the neural networks, the examples used in the training of biometric images of a person are destroyed, in addition, the private key of the registered person is also destroyed. The tables of connections of the first and second trained neural networks and the tables of the parameters of these connections are stored in conjunction with the public key of the person being registered, in addition, they additionally record the time and place of registration, covering all the data with an electronic digital signature of the registration machine. An additionally registered person signs his public key and tables of a previously trained neural network with his electronic digital signature. The registrar forms his electronic digital signature himself with his private key, which he receives through the presentation of the second neural network of his second biometric image. Next, go to the second stage of registration, carried out under the supervision of a verifying person and reflected in the second part of the claims. The correctness of the first stage of registration is judged by the fidelity of an electronic digital signature under the data of the registration machine and the person being registered.

According to the second part of the formula of the proposed method, certificates of public keys of persons or devices capable of being guarantors of preserving the anonymity of the person being registered are delivered to the place of registration in advance (certificates can be delivered by both the registered person and the registration authority).

Under the control of the checking person, the registered person proves his ability to reproduce the public key by presenting his first biometric image to the first trained neural network. Verification of the registrant is carried out automatically, without showing the inspector the public key of the registrant. Then, under the control of the inspecting person, the personal data of the person being registered is entered, supplementing them with the public key of the person being registered, for example, reading them from the passport of the person being registered or from another reliable source (document).

According to the proposed method, a registered person is granted the right to choose a guarantor for ensuring his anonymity (for example, a doctor, lawyer, notary, trust center). After choosing a guarantor, they verify the certificate of its public key and the availability of information on the provision of anonymity services provided by the guarantor in the certificate. The authentication of the certificate and the public key in it is carried out using the public key of the certification authority that previously issued the guarantor certificate. In the case of the authenticity of the key and the presence of authority to use it to ensure anonymity, encryption is performed on this public key of the guarantor of confidential personal data registered. Further stored together: a cipher program, the public key of the person being registered, the public key of the guarantor of anonymity, his name and address. The cryptogram of personal data is transmitted to the guarantor only in cases stipulated by law.

With large amounts of personal data of the person being registered, he presents his second biometric image to the second neural network and receives his personal key at its outputs, then he generates a shared secret key for the guarantor of anonymity and the registrant. On a shared secret key, the personal data of the registrant is encrypted. The shared secret key of the registrant and the guarantor of anonymity is generated using the private key of the person being registered and the public key of the guarantor of his anonymity according to the Diffie-Hellman rule adopted in asymmetric cryptography [3]. After encryption of personal data, the registered person signs the cipher program with his electronic digital signature. Next, check the digital signature of the registrant, and if it is true, the personal data of the registrant and his private key are destroyed. Further, they store only the registered public key, the cryptogram of his personal data, the public key, the name and address of the guarantor of anonymity. The ciphertext of the registered personal data is transferred to the guarantor of anonymity only in cases stipulated by law.

The goal of the proposed registration method according to claim 1 of the formula is achieved by the fact that a registered person is able to anonymously prove his identity by presenting his first biometric image to the machine with the first neural network. At the same time, at the output of the first trained neural network, its public key will appear, which is proof of its identity. Moreover, the person’s name itself is unknown, since his examples of biometric images and his personal data were destroyed during registration. In addition, a registered person can carry out some actions in the information space that no one except him can reproduce. For example, a registered patient will be able to confirm the transfer of expensive drugs to him, forming an electronic receipt for them and signing it with his electronic digital signature created on his personal key received at the outputs of the second neural network after presenting her with a second biometric image.

A positive technical effect of the implementation of the proposed registration method according to claim 2 of the formula is that in cases established by the legislation of the Russian Federation, the anonymity of the patient can be disavowed in a predetermined manner. For this purpose, law enforcement agencies refer to the guarantor of his anonymity selected during registration by the user. Law enforcement authorities transfer the ciphertext of personal data and the public key of the anonym to the guarantor. The guarantor of anonymity verifies the legitimacy of the requirements of law enforcement agencies and then decrypts the ciphertext for them using his private key.

The cumulative technical effect is that patients with socially significant diseases receive a guarantee of their anonymity in treatment. Doctors treating anonymous patients receive a guarantee that the patient will not be able to abuse his anonymity and ask the healthy person to take tests for him. Presumably, all technologically significant points of the treatment process should be equipped with equipment capable of automatically recognizing a previously registered patient with high reliability without risk of compromising his anonymity.

Let us consider in more detail an example of the technical implementation of the proposed registration method in a medical institution focused on providing medical care to patients with socially significant diseases (AIDS, sexually transmitted diseases). Patients with such diseases are usually afraid of trusting the preservation of their anonymity to the medical personnel of the state health system, they turn to private doctors (sometimes without a complete medical education and license), which increases the risk of infection to others, complications due to poor medical care.

According to the proposed method, a patient who has contacted a medical facility during registration receives (creates a random number generator) two keys (public and private key). To train the first neural network, the patient presents several examples of his fingerprint (for example, the index finger of his right hand). Next, a neural network learning machine is launched, which trains the first neural network in such a way that the presentation of the index finger of a registered person generates the public key code of the registered person at the output of the first neural network. Next, the ability of a person to reproduce his public key is checked by presenting the first neural network of the parameters of the index fingerprint pattern registered. In case of coincidence of the public key at the output of the neural network with a valid public key, the public key itself and tables of descriptions and relationships of the already trained first neural network are stored.

In addition, the registrant presents several examples of his handwritten password and starts the learning machine of the second neural network, which trains the second neural network so that the presentation of examples of the handwritten password of the registrant generates the personal key code of the person being registered at the output of the second neural network. After that, the time and place of registration are recorded, all data is covered by an electronic digital signature of the registration machine and an electronic digital signature of the person being registered. Under his public key, tables of connections and weights of these connections of two trained neural networks, the registered person forms his digital signature with his personal key, which he receives by presenting his second biometric image by presenting the second neural network. After creating the first and second EDS, the second electronic digital signature of the person registered by its public key is checked, if the EDS of the person registered is correct, all examples of human biometric images are destroyed, and the private key of the person being registered is also destroyed. As a result of such registration, the registration system software does not store examples of the first and second biometric images, nor the private key of the registered one. Only safe information is saved in the form of tables of trained first and second neural networks and the registered key of a registered person, which are signed by the digital signature of the registration machine and the digital signature of the person being registered.

A positive technical effect of the registration considered above is that a registered person can prove his identity, guaranteed to remain anonymous. Accordingly, a potential patient with a socially significant disease can, without fear, register with a medical institution, for example, to take test tests for the presence of a disease.

After checking the biological sample taken from the patient, a positive or negative analysis result is obtained. The person who came for the result of the analysis confirms that this is precisely his analysis by presenting his first biometric image to the verification machine. If, at the same time, the public key of the anonymous applicant appears at the output of the first neural network, then its identification is positive, and this is exactly the one who previously passed the biological sample.

In the case of a negative result of the analysis of a biological sample (registered healthy), the person who has applied for help can disclose his anonymity and receive a certificate of his health in his real name.

In the case of a positive result of the analysis of the biological sample (registered sick), the person who has applied for help should begin anonymous treatment. He is invited to anonymously register his personal data, for this purpose he must choose a guarantor of his anonymity (doctor, lawyer, notary, anonymity preservation center). If the guarantors of anonymity are known in advance in the medical institution, then there are pre-delivered certificates of their public keys with notes on the possibility of their use while ensuring guarantees of anonymity.

In this case, the registered person chooses a guarantor. Further, a medical institution employee checking it makes sure that there is a person in front of him who can reproduce the anonymous public key by presenting the parameters of his first biometric image (fingerprint) to the inputs of the neural network. Verification is carried out automatically, and the verifier, according to the proposed method, cannot see the verifier’s public key itself. The public key registered at the second stage of registration is kept secret from others. The tester sees only the result of the test, for example, the green light of the traffic light on the computer screen.

Next, the examiner registers the patient's passport data (name, patronymic, last name, date of birth, place of birth, address of residence, passport number and social insurance). If there is little data, then they are encrypted on the public key of the guarantor of anonymity, and the ciphertext is then saved without sending the guarantee of anonymity along with other data about the registered one. Personal data itself is destroyed. After their destruction, only a guarantor of anonymity can restore a person’s personal data from ciphertext using his personal key. The ciphertext is transmitted to the guarantor of anonymity only in cases prescribed by law, for example, the patient is convicted of intentionally infecting other people. The guarantor of anonymity, before disclosing it, must verify the weight of the charges against the citizen and the lawfulness of the requirements of law enforcement agencies.

In the case of encryption of significant amounts of personal information (the amount of information is much more than 512 bits), the common secret key of the patient and the guarantor of his anonymity are used for encryption. The patient’s personal data is encrypted on a shared secret key of a registered person and his guarantor of anonymity. To generate a common secret key, use the usual procedure of asymmetric cryptography of Diffie-Hellman [3, see 13.1 p. 300. Encryption using public keys], that is, they use the private key of the registered and the public key of the guarantor of anonymity. For this purpose, the registered one presents his handwritten password, receives his private key, then receives a secret key shared with the guarantor of anonymity and encrypts his personal data on it. Next, the registered data ciphertext is signed with its electronic digital signature, after which the fidelity of this electronic digital signature is verified using the public key of the registered. If the digital signature of the registrant is true, the open personal data of the registrant and his private key are destroyed, and the ciphertext of personal data is stored together with the public key of the registered patient and the public key of his guarantor of anonymity, the name and address of the guarantor.

In cases provided by law, when removing the patient’s anonymity, the ciphertext is transferred to the guarantor of anonymity, which, having the patient’s public key and his private key, is able to generate a shared secret key for the patient and the guarantor of anonymity and decrypt the patient’s personal data.

A positive technical effect of the implementation of the method described above is that the medical staff is not able to compromise the anonymity of the patient. Only the patient himself can open it if necessary. To disavow the patient’s anonymity without his knowledge, the law requires an official request from the law enforcement authorities to receive the ciphertext of his personal data stored in the medical institution, and voluntary cooperation with the authorities of the guarantor of anonymity.

At the same time, medical personnel still have the ability to perform their functions, treat the patient, verify his identity, keep an anonymous (anonymous) electronic medical history, write prescriptions for medicines.

The patient has a guarantee of preservation of his anonymity and at the same time can at any time confirm his identity in a pharmacy or hospital, in social security agencies. Moreover, the patient can form his electronic digital signature on receipts for medicines and other legally relevant documents. This will make it possible to raise the level of accounting for expensive drugs used in the treatment of socially significant diseases (for example, in the treatment of the last stages of HIV infection). In general, the system for ensuring anonymous biometric identification, carried out according to the proposed method of anonymous registration, should increase the level of ensuring the anonymity of patients with various types of diseases and increase their level of trust in state and non-state medical institutions equipped with new technology.

It should be noted that the proposed method of anonymous biometric registration can still be used in justice for the protection of witnesses, in social security agencies, in electronic voting systems. In all these systems, it is necessary to ensure the anonymity of a citizen in conjunction with his reliable identification, which excludes the substitution of one person for another by conspiracy or against the will of the substitute.

LITERATURE

1. The method of patient care in the automated medical care and insurance system ISMOS 2100 - application for a patent of the Russian Federation No. 2003106438/09, applicant Kalinovsky Georgiy Ivanovich (RU), 117404, Moscow, M-405, Warsaw sh. 143, building 1, apt. 110, E.V. Borisov, published 2004.09.27.

2. Ball Rood et al. Biometrics Guide. / Ball Rood, Connel Jonathan X., Pancanti Sharat, Ratha Nalini K., Senior Andrew W. // Moscow: Technosphere, 2007 .-- 368 p.

3. Smith Richard E. Authentication: from passwords to public keys. - M: Williams, 2002, 424 p.

4. GOST R 52633-2006 “Protection of information. Information security technique. Requirements for highly reliable biometric authentication. ”

5. RF patent No. 2292079, “Method for identifying a person by his biometric image”, priority 02.02.2005, application No. 2005102541, applicant FSUE Penza Scientific Research Electrotechnical Institute, authors: Efimov OV, Ivanov A.I. , Funtikov V.A.

6. RF patent No. 2273877, “A method for distributing keys in a large geographically dispersed system”, application No. 2004124971, priority dated August 16, 2004, applicant FSUE Penza Scientific Research Electrotechnical Institute, authors Efimov OV, Ivanov A.I. ., Funtikov V.A.

Claims (2)

1. The method of anonymous biometric registration of a person, which consists in repeatedly taking examples of a biometric image of a person without witnesses, setting up a private key when registering an artificial neural network, and then teaching the artificial neural network to reproduce the private key upon presentation of a trained artificial neural network with an example of a biometric image of a person, destroying examples of a biometric image of a registered person, memorizing tables of connections and parameters of trained art venous neural network, characterized in that when registering a person, they create an open key, repeatedly take examples of another biometric image of a person, specify the connections of another artificial neural network, then each of the artificial neural networks is trained using examples of the corresponding biometric image of a person, and training artificial neural networks are conducted so that the first artificial neural network upon presentation of the first biometric image gives the public key of the registered person eka, and the second artificial neural network, upon presentation of the second biometric image, issued the private key of the person being registered, after that the tables of connections and parameters of the first and second trained artificial neural networks in conjunction with the public key of the registered person are memorized and additionally record the time and place of registration, sign these data an electronic digital signature of the registration machine and an electronic digital signature of the registrant, who forms it with his private key, which he received the registrant himself shows up by presenting his second biometric image by presenting the second neural network, then the electronic digital signature of the registrant is checked, if correct, all examples of human biometric images are destroyed, and the private key of the registered person is also destroyed. 2. The method according to claim 1, characterized in that when registering the personal data of a person, they check the ability to play back the public key at the output of the first artificial neural network, then enter the personal data of the person being registered, supplementing them with the public key of the person being registered, encrypting the selected key by a registered person, a guarantor of anonymity of personal data of a person, or with large amounts of personal data, the registered person presents his second biometric image In order to obtain a private key at its outputs, they then generate a shared secret key of the registrant and guarantee of anonymity on the private key of the registered and public key of the guarantee of anonymity and encrypt the personal data of the registrant on this shared secret key, then the registrant signs the encryption program with his digital signature, then verify this electronic digital signature, if the result of verification of the electronic digital signature of the registered personal data is positive triruemogo and its private key are erased, the encrypted data is stored together with the public key of the registered person, the name, address and the public key of anonymity guarantees, which cipher can be presented only in the cases established by law.