Patent Application
20070170257
The present invention relates to the field of authentication techniques, and more particularly without limitation, to authentication of customer cards, financial transaction cards and copy protection.
Various sealing and printing techniques to provide authentication and to avoid unauthorised replication of products and documents are known from the prior art. However, an increasing economic damage results from forgery due to insufficient security.
For authenticating documents and things U.S. Pat. No. 5,145,212 teaches the use of non-continuous reflective holograms or diffraction gratings. Such a hologram or diffraction grating is firmly attached to a surface that contains visual information desired to be protected from alteration. The reflective discontinuous hologram is formed in a pattern that both permits viewing the protected information though it and the viewing of an authenticating image or other light pattern reconstructed from it in reflection. In another specific authentication application of this U.S Patent a non-transparent structure of two side-by-side non-continuous holograms or diffraction patterns, each reconstructing a separate image or other light pattern, increases the difficulty of counterfeiting the structure.
PCT application WO087/07034 described holograms, including diffraction gratings, that reconstruct an image which changes as the hologram is tilted with respect to the viewer and in a manner that images reconstructed from copies made of the hologram in monochromatic light do not have that motion.
In UK Patent Application GB 2 093 404 sheet material items which are subject to counterfeiting have an integral or bonded authenticating device which comprises a substrate having a reflective diffractive structure formed as a relief pattern on a viewable surface thereon and a transparent material covering the structure. Specified grating parameters of the diffractive structure result in peculiar, but easily discernable, optical colour properties that cannot be copied by colour copying machines.
U.S. Pat. No. 4,661,983 described a random-pattern of microscopic lines or cracks having widths in the order of micrometers that inherently forms in a dielectric coating of an authenticating device incorporated in a secure document. It permits identification of a genuine individual document by comparing read-out line-position information derived by microscopic inspection with read-out digital codes of line-information obtained earlier at the time of fabrication of the document.
U.S. Pat. No. 5,856,070 shows an authentication label containing a light diffracting structure. Unique parameters are randomly defined in the light diffracting structure by anisotropic process steps not under full control of the producer during the manufacturing of the diffracting structure to prevent copying or creating an exact replica thereof. The resultant uniquely coloured authenticating pattern can be verified by simple observation with the naked eye.
U.S. Pat. No. 4,218,674 shows an authentication method and system that uses an object being of base material having random imperfections. The random imperfections are converted into pulses along a pre-determined measuring track over the surface of the object of base material. WO01/57831 shows a similar method that uses random gas enclosures in an authentication object.
The present invention provides for an authentication method which is based on an authentication object, such as an authentication label, having a three-dimensional pattern of distributed particles. By means of a two-dimensional data acquisition performed on the object a code is obtained that is used for the purpose of authentication.
When the authenticity of the object needs to be checked the same two-dimensional data acquisition step is performed again in order to provide a check-code. On the basis of the code and the check-code the authentication is performed. For example, if the code and the check-code are identical, this means that the object is an original and not an unauthorised copy.
The present invention is particularly advantageous as authentication is based on the three-dimensionality of the particle distribution within the object. If it is determined for the purposes of authentication that an object does in fact have a three-dimensional pattern of distributed particles it is sufficient to perform the consecutive data acquisition in two-dimensions. This approach is based on the discovery that it is most difficult if not impossible to copy the particle distributions in two-dimensions in case the particles are distributed in three-dimensions.
In accordance with a preferred embodiment of the invention the particles that are distributed in the object are magnetic. The two-dimensional data acquisition is performed by scanning the object by means of a magnetic head.
In accordance with a further preferred embodiment of the invention an image of the object is acquired in the two-dimensional data acquisition step. The image is scanned and filtered in order to obtain a data vector. Preferably the filtering involves some kind of averaging in order to increase the robustness of the method.
In accordance with a further preferred embodiment of the invention binary data is encrypted by means of the code acquired from the two-dimensional data acquisition in order to provide a code for the authentication. Preferably the binary data is a symmetric key that is used for encryption and decryption of mass data.
In accordance with a further preferred embodiment of the invention the code acquired from the object by means of the two-dimensional data acquisition is a reference data vector. For encoding of each bit of the binary data a random vector is determined on the basis of the reference data vector. This encryption method is particularly advantageous as the key management problem is avoided. In contrast to prior art encryption it is not performed on the basis of an exact key but on the basis of a reference object from which a reference data vector data is acquired.
In accordance with a further preferred embodiment of the invention a data object is used as a reference object. For acquisition of a reference data vector the data object is rendered by means of a rendering program, such as a text processing program in case the data object is a text document, and the data acquisition is performed on the rendered data object.
In accordance with a further preferred embodiment of the invention the random vector for encoding one of the bits is determined by generating a candidate random vector and by calculating the scalar product of the candidate random vector and the reference data vector. In case the absolute value of the scalar product is (i) above a pre-defined threshold value and (ii) the sign of the scalar product corresponds to the bit to be encoded, the candidate random vector is accepted for encoding of the bit and stored. In case the candidate random vector does not fulfil these two requirements (i) and (ii) another candidate random vector is generated and the conditions are tested again. This procedure continues until a candidate random vector is identified that fulfils both conditions.
In accordance with a further preferred embodiment of the invention a running index of the accepted candidate random vector is stored rather than the complete candidate random vector. The combination of the running index and the seed value of the pseudo random number generator that is used for generating of the random vectors unequivocally identifies the complete random vector. This way the size of the result of the encryption can be reduced drastically.
In accordance with a further preferred embodiment of the invention a data file is encrypted. For example a user can encrypt a data file on his or her computer on the basis of the authentication object in order to protect the data file against unauthorised access.
In accordance with a further preferred embodiment of the invention a user's personal data, such as the user's name as printed on his or hers passport or chip card, is encrypted. This is useful for checking the authenticity of the passport or chip card.
In accordance with a further preferred embodiment of the invention a symmetric key is encrypted on the basis of the reference object. For example, the symmetric key is used for encryption of a large data file. The symmetric key itself is encrypted in accordance with a method of the present invention on the basis of the authentication object. This way the symmetric key is protected in a secure way while avoiding the disadvantages of prior art key management approaches.
In another aspect the present invention provides a method of encrypting and decrypting binary data. The binary data is assigned a random vector for each encoded bit. The decoding is performed by acquiring a reference data vector from a reference object. The decryption of one of the bits is performed on the basis of one of the random vectors and the reference data vector.
In accordance with a preferred embodiment of the invention the decryption of one of the bits is performed by determining the sign of the scalar product of the reference data vector and the one of the random vectors.
Decryption of the encrypted binary data is only possible if the reference object is authentic. It is to be noted that the reference data vector that was used for the encryption does not need to be reproduced in an exact way for the decryption; some degree of error in the acquisition of the reference data vector is allowed without negatively affecting the decryption.
The present invention is particularly advantageous in that it facilitates the solution of the prior art key management problem in a user friendly, convenient and yet secure way. The present invention can be used in various fields for the purposes of protecting the confidentiality of data and for the purpose of authentication of documents or files.
In another aspect the present invention relates to copy protection. In accordance with a preferred embodiment of the invention the mass data to be stored on a data carrier, such as an optical recording device, e.g. a CD or DVD, is first encoded by means of a symmetric key before it is stored on the data carrier. A reference object is attached to the data carrier or forms an integral part of the data carrier such that the reference object cannot be removed without destroying the object and/or the data carrier.
The symmetric key that was used for encrypting the mass data stored on the data carrier is encrypted by means of a reference data vector acquired from the reference object of the data carrier. The resulting set of random vectors is stored on the data carrier. This can be done by attaching a label, such as a bar code label to the data carrier or a data carrier cover, and/or by digitally storing the set of random vectors on the data carrier. Depending on the implementation the seed value that was used for generating the random vectors together with the running indices is stored rather than the complete random vectors.
In accordance with a further preferred embodiment of the invention an image of the object is acquired in a read position. The read position may be dislocated from a reference position defined by markers on the object due to mechanical tolerances of the read apparatus. The amount of the dislocation of the read position with respect to a reference position is measured by detecting of the marker positions in the image. Next a projective transformation is performed on the image for compensation of the dislocation.
In the following, preferred embodiments of the invention will be described, by way of example only, and with reference to the drawings, in which:
Carrier layer 102 consists of a translucent or transparent material, such as a synthetic resin or transparent plastic material, which enables to optically determine the positions of particles 104. For example, carrier layer 102 has a thickness 106 of between 0.3 to 1 mm or any other convenient thickness.
Particles 104 can be glass beads or balls, or disks, metallic or pearlescent pigments with or without a light reflecting coating or any other convenient form or type of particle. The particles can be optically detected due to their reflective coating, or in the absence of such reflective coating, due to their reflection coefficient, which is different to the material of the carrier layer 102.
Preferably particles 104 are 5 to 200 micrometers in diameter. For example, particles 104 can be optical lens elements or other particles to provide the authentication label 100 with a retroreflective effect.
Preferably authentication label has adhesive layer 108 in order to glue authentication label 100 to a product of document. The material properties of carrier layer 102 and adhesive layer 108 are chosen such that an attempt to remove authentication label 100 from the product or document would result in destruction of authentication label 100.
For example, authentication label 200 has the size of a post stamp, which is 3×4 mm and contains about two hundred particles 204. The random distribution of the two hundred particles within carrier layer 202 provides a sufficient uniqueness of authentication label 200.
In step 300 an authentication object having a three-dimensional pattern of randomly distributed particles is provided. For example, the authentication object is a piece of scotchlite tape, which is commercially available from 3M.
In step 302 a two-dimensional data acquisition step is performed. This can be done by acquiring a two-dimensional image of a surface of the authentication object. Alternatively the authentication object is scanned in two-dimensions by other measurement means. For example, if the particles that are distributed in the object are magnetic a magnetic head can be used for performing the two-dimensional data acquisition.
The measurement data that results from the two dimensional data acquisition performed in step 302 is filtered in step 304. Preferably the measurement data are low pass filtered. For example, measurement data acquired from the same region of the surface of the authentication object are averaged. These regions are predetermined by a virtual grid.
In step 306 the authentication code is provided.
In order to perform an authentication of the authentication object, steps 300 to 306 are performed again. The object is authentic if the following two conditions are fulfilled,
This will be explained in greater detail below by making reference to
Depending on the kind of reference object a data acquisition step is performed (step 400). This way the reference data vector {right arrow over (ξ)} is obtained (step 402) that has a number of k values obtained from the reference data object. Preferably there is some kind of filtering of the raw data acquired from the reference object in order to provide the reference data vector {right arrow over (ξ)}. For example, the raw data is filtered by a low pass filter for increased robustness of the encoding and decoding method.
Further, it is useful to normalize the data vector data vector {right arrow over (ξ)}. This way all values εi are within a defined range, such as between [−1; 1].
In step 404 the l bits to be encrypted are entered. In step 406 the index j is initialised. In step 408 a first candidate random vector {right arrow over (R)} is generated by means of a random number generator. The random vector {right arrow over (R)} has the same dimension k as the reference data vector {right arrow over (ξ)}.
In step 410 the scalar product of the reference data vector and the candidate random vector is calculated. If the absolute value of this scalar product is above a predefined threshold level ε a first condition is fulfilled. If the sign of the scalar product matches the bit Bj to be encoded this means that the candidate random vector can be accepted for encoding of bit Bj.
For example of the bit Bj is ‘0’ the sign of the scalar product needs to be ‘−’ and if Bj=1 then the sign of the scalar product needs to be ‘+’.
In other words the candidate random vector {right arrow over (R)} is accepted for encrypting bit Bj if both of the following conditions are met:
If one of the conditions (i) and (ii) is not fulfilled the control goes back to step 408 for generation of a new candidate random vector which is then tested against the two conditions (i) and (ii) in step 410. Steps 408 and 410 are carried out repeatedly until a candidate random vector has been found that fulfils both of the conditions of step 410. The accepted candidate random vector constitutes row j of matrix M (step 412). In step 414 index j is implemented and the control goes back to step 408 for encoding of the next bit Bj of the l bits to be encrypted.
After encryption of all l bits the control goes to step 416 where the matrix M is outputted as a result of the encryption.
It is to be noted that the choice of threshold ε is a trade off between security, measurement tolerance and processing time. Increasing ε increases the average number of attempts for finding an acceptable candidate random vector but also increases the acceptable measurement tolerance. Decreasing ε increases the security level and decreases the processor power requirement, but decreases the acceptable measurement tolerance. A convenient choice for ε is 1, 2, 3, 4, 5, or 6, preferably between 3 and 4, most probably ε=3.7 if the reference data vector dimension (k) is 256 and the required measurement tolerance is 5%.
In any other cases a good choice for ε is
ε=8*T*sqrt(k/3)
where T is the required measurement tolerance (5% is T=0.05) and k is the reference data vector dimension and sqrt( ) function is the normal square root function.
Decryption of matrix M in order to recover the encrypted bits is only possible if the decryptor is in the possession of the reference object that was used for the encryption (cf. Step 400 of
A corresponding decryption method is explained in greater detail below by making reference to
For example, the resulting matrix M is stored by printing a bar code on a secure document carrying the authentication object. Alternatively or in addition the matrix M can also be stored electronically in case the secure document has an electronic memory.
In step 608 the first random vector {right arrow over (R)}m=1 of k random numbers Ri is generated by the pseudo random number generator on the basis of the seed value. This candidate random vector is evaluated in step 610 in the same way as in step 410 of
Step 614 corresponds to step 414. In step 616 the sequence S containing a number of l running indices is outputted rather than a matrix M having a number of l×k random numbers. Hence, by storing the running indices and the seed value rather than the random vectors themselves a drastic compression of the result of the encoding operation is obtained.
Optical sensor 704 is coupled to image processing module 710. Image processing module 710 has an image processing program that can filter the image data required by optical sensor 704.
Image processing module 710 is coupled to encoding module 712. Encoding module 712 receives the filtered measurement data from image processing module 710. Encoding module 712 is coupled to a storage 714 in order to store the result of the encoding for later usage. For example, the image processing and encoding is done for a sequence of authentication labels for the purpose of mass production of data carriers, passports, bank cards, or other secure documents.
In this case a sequence of authentication codes is stored in storage 714 during the mass production. These authentication codes can be printed and mailed to the users independently from the mailing of the authentication labels 706. For example, the authentication label 706 are attached to customer cards or financial transaction cards, such as ATM-cards, that are mailed to the customers. The customers receive the corresponding authentication codes by separate mail.
Preferably image processing and encoding apparatus 700 has random number generator 716. Preferably random number generator 716 is a pseudo random number generator.
Preferably image processing module 710 delivers reference data vector {right arrow over (ξ)} (cf. step 402 of
As a matter of principle the l bits B1, B2, B3, . . . Bl that are encrypted by encoding module 712 can be of any kind. For example the ASCII code of a user name or other personal data is encrypted. Alternatively a random number such as a pin code that is only known by the user is encrypted.
As a further alternative a symmetric key is encrypted. The symmetric key is used for encryption of mass data stored on a data carrier. Decryption of the mass data is only possible by an authorised user who is in possession of the authentication label 706 and matrix M or sequence S depending on the implementation. The later application is particularly useful for the purpose of copy protection as it will be explained in greater detail below by making reference to
In step 904 the card reader makes a determination whether the authentication label has a three-dimensional pattern of particles or not. This can be done by various methods. Preferred embodiments of how this determination can be done will be explained in more detail by making reference to the
If it is determined in step 904 that there is no three-dimensional pattern of distributed particles in the authentication label, a corresponding refusal message is outputted by the card reader in step 906.
If the contrary is true, the authentication procedure goes on to step 908, where a two-dimensional data acquisition procedure on the authentication label is performed. As it has been determined before that there is in fact a three-dimensional distribution pattern of the particles it is sufficient to acquire the data from the authentication label in only two dimensions.
In step 910 the measurement data obtained from the data acquisition performed in step 908 is filtered to provide a check code in step 912. It is to be noted that steps 908 to 912 are substantially identical to steps 302 to 306 of
In case the codes are not identical a refusal message is outputted by the card reader in step 916. If the codes are in fact identical an acceptance message is outputted in step 918 by the card reader. Alternatively an action is performed or enabled depending on the field of application of the authentication method, such as banking, access control, financial transaction, or copy protection.
In step 1000 the matrix M is entered. In step 1002 data is acquired from the reference object. On this basis the reference data vector {right arrow over (ξ′)} is obtained (step 1004). It is to be noted that the data acquisition step 400 of
As a consequence the raw data obtained from the measurements of the reference object will not be exactly the same in step 400
In step 1006 the index j is initialised. In step 1008 the scalar product of the reference data vector {right arrow over (ξ′)} and the random vector in row j of matrix M that is assigned to bit Bj is calculated. The sign of the scalar provides the decoded bit value Bj whereby the same convention as for the encoding is used. In other words, when the sign is negative, the bit value is ‘0’; if the sign is positive the bit value Bj is ‘1’.
In step 1010 the index j is incremented and the control goes back to step 1008 for decoding the next bit position. Steps 1008 and 1010 are carried out repeatedly until all l bit positions have been decoded. The decoded l bits are outputted in step 1012.
It is to be noted that the above described encryption and decryption methods are particularly advantageous as they are error tolerant in view of unavoidable measurement errors in the data acquisition from the reference object. Typically the reference data vectors used for the encryption and for the decryption will not be exactly the same but still a correct decryption result is obtained with a high degree of reliability and security.
In case the decoded l bits outputted in step 1012 are identical to the original bits that have been inputted in step 404 (cf.
In step 1100 the sequence S is inputted. The seed value that was used for the encoding (cf. step 603 of
In step 1107 a pseudo random generator that operates in accordance with the same algorithm as the pseudo random number generator that has been used for the encryption is used to recover the random vector {right arrow over (R)}m=s
The following step 1108 is identical to step 1008 of
The second image is taken with light sources 1202 and 1206 switched off, while light source 1206 illuminates authentication label 100 from still another illumination angle.
The three images are combined to provide a resulting image. The combination can be done by digitally superimposing and adding the digital images. If there is in fact a three-dimensional distribution pattern of particles within authentication label regular geometric artefacts must be present in the resulting image. Such artefacts can be detected by a pattern recognition step. In the case of three light sources the geometric artefacts, which are produced, are triangles of similar size and shape. This effect is not reproducible by means of a two-dimensional copy of the original authentication label 100.
As an alternative, more than three light sources at different illumination angles can be used for taking a corresponding numbers of images, which are superposed and added. Changing the number of light sources also changes the shape of the geometric artefact in the resulting image.
The test, whether authentication label 100 is in fact reflective or not, is done as follows: a first image is taken by camera 1300 with diffuse light source 1302 switched on. The diffuse light source 1302 will not invoke the reflective effect. The second image is taken with diffuse light source 1302 switched off and direct light source 1304 switched on.
By means of half mirror 1306 this produces an incident light beam, which is about perpendicular to the surface of authentication label 100. This light beam invokes the reflective effect. By comparing the first and the second images it is apparent whether authentication label 100 is reflective or not. This distinction can be made automatically by means of a relatively simple image processing routine.
Presently, mica pigments coated with titanium dioxide and/or iron oxide are safe, stable and environmentally acceptable for use in coating, cosmetics and plastics. The pearlescent effect is produced by the behaviour of incident light on the oxide coated mica; partial reflection from and partial transmission through the platelets create a sense of depth. The colour of the transmitted light is complementary to the colour of the reflected light.
To check the presence of this colour effect, light source 1400 producing diffuse, white light and two cameras 1402 and 1404 are used. The cameras 1402 and 1404 are positioned at opposite sides of authentication label 200.
An incident light beam 1406 is partly reflected by particle 204 into reflected light beam 1408 and partly transmitted as transmitted light beam 1410. If the colours of reflected light beam 1408 and transmitted light beam 1410 are complementary this means that authentication label 200 could not have been produced by two-dimensional copying.
The test whether the colours of reflected light beam 1408 and transmitted light beam 1410 are complementary can be made by summing the colour coordinate values e.g. using the RGB colour coordinate system. The summation of the colour coordinates must result in roughly a constant RGB value.
The data track of area 1552 stores encrypted data, such as audio and/or video data, multimedia data, and/or data files. In addition matrix M (cf. step 416 of
When a user desires to use optical disc 1550, he or she puts optical disc 1550 into a player or disc drive. The player or disc drive reads the matrix M or the sequence S and seed value from the optical disc 1550. On this basis the authenticity of authentication label 1656 is checked by performing the method of
Reader 1600 has slot 1622 with a mechanism for insertion of optical disc 1550. Authentication label 1556 is attached to the surface of optical disc 1550 by an adhesive or it is integrated within the card. In the latter case the surface of optical disc 1550 must be transparent in order to enable to take an image of the surface of authentication label 1556. For example, optical disc 1550 is made of a flexible, transparent plastic that has a smooth outer surface and which envelops authentication label 1556.
Reader 1600 has at least one light source 1602 for illumination of authentication label 1556 when optical disc 1550 is inserted into slot 1622 (cf. the implementations of
Further, reader 1600 has optical sensor 1604, such as a CCD camera. Optical sensor 1604 is coupled to image processing module 1610. Image processing module 1610 is equivalent to image processing module 710 of
Image processing module 1610 is coupled to decryption module 1612. Decryption module 1612 serves to recover a symmetric key for decryption of mass data stored on optical disc 1550 by consecutive decryption module 1617. Decryption module 1617 is coupled to rendering module 1618.
Optical reader 1620 is coupled both to decryption module 1612 and decryption module 1617. Optical reader 1620 has a laser diode for directing a laser beam onto a surface of optical disc 1550 in order to read its data track.
If the method of
Preferably light source 1602 and optical sensor 1604 implement any one of the arrangements of FIGS. 12 to 14 as explained above.
In the following it is assumed that the matrix M or the sequence S and seed code are stored on the data track of optical disc 1550.
In operation optical disc 1550 is inserted into slot 1622. In response a determination is made by image processing module 1610 by means of light source 1602 and optical sensor 1604 where there is a three-dimensional distribution of particles within authentication label 1556 (cf.
If image processing module 1610 determines that there is in fact a three-dimensional particle distribution within authentication label 1556 it directs optical reader 1620 to read matrix M or sequence S and the seed value from the data track of the optical disc 1550. This information is entered into decryption module 1612.
Further, optical sensor 1604 acquires image data from authentication label 1556. The image data is filtered by image processing module 1610 and the resulting data vector {right arrow over (ξ′)} is entered into decryption module 1612. Decryption module 1612 recovers the symmetric key from the matrix M or the sequence S by using the seed value for the random number generator 1616. The resulting symmetric key is provided to decryption module 1617. The encrypted mass data that is read by optical reader 1620 from optical disc 1550 is decrypted by decryption module 1617 by means of the symmetric key. As a result the decrypted mass data is recovered and rendered by rendering module 1618.
Alternatively, the matrix M or the sequence S and the seed value are provided to the user by means of a separate information carrier, such as on a printed document. In this implementation the user may need to manually enter the matrix M or the sequence S and the seed value into reader 1600. Alternatively, the information carrier is machine readable and attached to optical disc 1550. In this case the information carrier is read by means of optical sensor 1604 and image processing module 1610 in order to provide matrix M or sequence S and the seed value to the decryption module 1612.
| Number | Date | Country | Kind |
|---|---|---|---|
| 03462003.9 | Apr 2003 | EP | regional |
| 04462004.5 | Jan 2004 | EP | regional |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/EP04/04539 | 4/29/2004 | WO | 7/10/2006 |
