Iris security systems: The latest identification technique

I am one of a group of three people working on systems auditing in the Ferrovial Internal Auditing department. My work consists of reviewing and analysing techniques in the main systems that support Ferrovial processes, business and affiliates, with the aim of improving processes and providing the company with a greater control framework. Our work covers the entire Ferrovial group and we conduct our reviews at national and international level. Accordingly, we often have to travel to different places (USA, Canada, Poland, etc.).

I have been at the company for just over four years now and, I must say, since last December, I am much more at ease now. My reason for saying this, which may sound strange coming from a position in a private company and constantly being involved in projects and activities, is that on 15th December last I finally presented my doctoral thesis at Madrid Polytechnic University (UPM), obtaining the highest possible grade; finally I can say that I am a Doctor in Telecommunications Engineering.

Identifying people by their Iris

The idea of researching the iris as an identifier or security systems arose when analysing alternatives to fingerprinting, a widely-used and relatively simple method, requiring only an object that has been touched by the subject. Nevertheless, the iris is an even more “personal” feature and one that is more difficult to obtain, requiring greater proximity. When I began my research, these aspects coincided with the fact that my teachers were involved in iris recognition combined with other identification methods, including odour recognition and finger geometry recognition.

The title of my thesis was “Biometric authentication of users through iris by using key binding and similarity preserving hashing functions” and it was developed along with UPM, the Higher Council for Scientific Investigation (CSIC) and the Institute for Physical and Data Systems (ITEFI) Although the title may seem complex and unintelligible, the main idea can be summarised as managing user access by means of iris recognition. In just over 200 pages, it explains the tools used to store iris patterns in a safe environment (ensuring that they are not compromised in the event of theft), the comparison method and the benchmarks defined to ensure that the system identifies users correctly, avoiding false positives.

It took six years of hard work since I finished my degree in 2009, during which time I balanced my research with my work, first in Deloitte and later, since 2012, in Ferrovial. The biggest problem was finding time, with so many projects on the go and having to travel so much, but I feel that, even though it may be easy to drift along in the day-to-day routine, these days it is important to retain a spirit of innovation and to seek out new challenges.

A bit of theory: cancelable biometrics

Correct user management is not a new subject, but rather a problem that has always existed and one which businesses need to tackle. However, with the rise of new technologies, the Internet of things, social networks and cloud computing, it does present new challenges. We need to find solutions to guarantee data confidentiality and protection and privacy, to ensure that information does not fall into the wrong hands. Because of this, I based my research on the following aspects:

• Cryptography, the science that guarantees information confidentiality, integrity and availability.
• Biometrics, with the aim of building an intrinsic authentication and identification method using behavioural and physical features, such as signatures and fingerprints.

Combining both sciences results in safer, more reliable authentication methods, known as biometric cryptosystems or bio-cryptosystems. The emergence of the concept of cancelable biometrics has also led to a revolution in the user authentication process. The principal objective of this concept is to allow biometric features to be revoked, amended and cancelled. While this is easy with passwords, in the case of biometric features it requires enormous effort. Just think of the problems that could arise if your fingerprint or iris pattern was stolen or if your speech patterns could be imitated. How could fingerprints be changed? And irises? Obviously, we could use another hand or finger or change our tone of voice, but in the long term these solutions are neither practical nor viable.

The solution proposed by cancellable biometrics is to distort biometric features using cryptographic and mathematical tools and functions (such as hashing functions or the Lagrange polynomial interpolation), so that even if they are compromised, they can be changed transparently and with no inconvenience to the user, simply by changing certain values in the functions used.

Research

In the first phase of the project, I designed and developed a cancelable bio-cryptosystem in Java, to be used to identify individuals by their iris patterns. After identifying the irises, it delivers a unique key for each iris. This key can then be used to encrypt documents or to access private rooms. With this first objective, I performed a series of experiments, comparing real irises (obtained from CASIA, a public database) to verify the reliability and efficacy of the system.

Although the initial results were good, they needed to improve before being used in a real situation. Accordingly, to reduce the percent error and fine tune comparisons, I used other comparison methods as additional steps to identify irises more accurately. The two methods I used were:

• Similarity preserving hashing functions. These functions are useful when comparing similar files. They are used in forensic digital research to analyse texts or images and determine the degree of similarity. The idea has been used to compare iris patterns and filter those which belong to the same user.
• Walsh-Hadamard transform. This is an orthogonal mathematic function. In other words, all its elements are perpendicular to each other, making it useful for representing discrete sequences, i.e. those which may only adopt certain values (e.g., computer bits, which can only be 0 or 1).

This option gave very good results in avoiding access by users not recognised by the system. This was the security objective I was seeking. On the other hand, the percentage of known users that the system could possibly not recognise correctly also increased.

So now what?

The next step would be to work on extending the results so that the system can be used in real situations, adjusting certain values or developing new methods to complement those described above.

The most direct possible application would be user authentication, which would be very valuable in many environments and businesses, including Ferrovial. For example, controlling access to protected areas (airport control rooms, restricted areas, etc.) or everyday appliances (computers, phones…). Another possible use would be linking certain authorised persons with a secret number, so only they could access certain critical content (offers, technial analysis, etc.).

Nevertheless, after spending so much time on the project and in view of the good results obtained so far, first things first, and right now I am going to take some time off; I think I have earned it.