
EP-4736037-A1 - METHOD FOR IDENTIFYING A PHYSICAL PERSON


Abstract

The invention relates to a method (200) for identifying a physical person, the method being computer-implemented and comprising a step of generating (207) a link value, a step of obtaining (211) a verification value, associated with a corresponding link value in an identity database, and a step of obtaining (212), from the identity database, a personal identifier that is associated, in the identity database, with the link value.

Inventors

  • CANDEL, Gaëlle

Assignees

  • Banks and Acquirers International Holding

Dates

Publication Date
2026-05-06
Application Date
2024-07-01

Claims (10)

  1. Method for identifying (200, 400, 600, 800) a natural person, implemented by computer and comprising the following steps:
     - obtaining (203) a code (C);
     - obtaining (205) a secret (T) from the natural person;
     - comparison (206; 410) of the secret (T) of the natural person with secrets (E) of a database (4; 20) of secrets;
     - when a secret (E) corresponding to the secret (T) of the natural person in the database (4; 20) of secrets is identified, generation (207) of a link value (LID; LID1) from the secret (T) and from the code (C), preferably from a hash function (MAC) associated with a dedicated key (Kb);
     - comparison (210; 410) of the generated link value (LID) to link values (LID_base; LID2_base; LIDn+1_base) of an identity database (6; 22; 36) distinct from the secrets database (4; 20), or to link values (LIDk_base; LID1_base) of a buffer database (18; 38; 40) separate from the secrets database (4; 20) and the identity database (6; 22; 36);
     - obtaining (211; 413) a verification value (CI_base) associated with the link value (LID_base) in the identity database (6; 22; 36), or, the link value being a first link value (LID1_base) of a chain of link values in which each other link value is obtained from the previous link value, obtaining a verification value (CI_base) associated with a link value (LID2_base; LIDn+1_base) of the chain in the identity database or in a buffer database separate from the secrets database and the identity database;
     - obtaining (212; 414), from the identity database (6; 22; 36), a personal identifier (ID) associated, in the identity database, with the link value (LID_base) or with a link value (LID2_base; LIDn+1_base) of the link value chain;
     - generation (213) of a value to be verified (CI) from the secret (T) received, the code (C) received and the personal identifier (ID) obtained, preferably also derived from a hash function (MAC) associated with a dedicated key (Ki);
     - comparison (214) of the value to be verified (CI) generated with the verification value (CI_base) obtained;
     - when the generated value to be verified (CI) is identical to the verification value obtained (CI_base), provision (215) of the personal identifier obtained.
  2. Method (200; 400; 600; 800) according to the preceding claim, in which, the method being a biometric identification method, the secret (T) relates to a biometric fingerprint of the natural person, in particular the secret is a hashed value (Fb(T)) of a biometric fingerprint of the natural person, the secret database (4; 20) is a biometric database comprising biometric fingerprints of natural persons.
  3. Method (200; 400; 600; 800) according to any one of the preceding claims, in which the code (C) is:
     - relating to a password provided by the natural person, in particular the code (C) comprises a hashed value of a password provided by the natural person to the secrets server; and/or
     - relating to an entity, such as a merchant with whom the natural person carries out his identification, in particular the code (C) includes a public identification value of the entity known to the secrets server.
  4. A method (400; 600; 800) according to any preceding claim, comprising the following steps, when the link value (LID1) is a first link value of a chain of link values in which each other link value is obtained from the previous link value:
     - firstly, generation (408) of a first history value (Hist1), of a chain of history values, from the first link value (LID1);
     - when a link value (LID1_base) corresponding to the first generated link value (LID1) is identified in the buffer database (18; 38; 40), generating (411) a next link value (LID2), optionally the last link value, of the link value chain, from the secret (T), the code (C) and the first history value (Hist1), preferably from a hash function (MAC) associated with a dedicated key, and generating a next history value (Hist2) from the next link value (LID2) and the first history value, preferably also from a one-way function associated with a dedicated key;
     - optionally, comparing the next link value (LIDk) to link values (LIDk_base) of a next buffer database distinct from the buffer database, and generating a next link value (LIDk+1) and a next history value (Histk+1), these comparison and generation steps being repeated until the generation of a last link value of the link value chain;
     - to obtain the associated personal identifier (ID) in the identity database, comparing the last link value of the link value chain to link values in the identity database (LIDn+1_base).
  5. Method for registering (100; 300; 500; 700) a natural person in an identification system, implemented by computer and comprising the following steps:
     - obtaining (105) a code (C);
     - obtaining (107) a secret (E) from the natural person;
     - comparison (109) of the secret (E) of the natural person with secrets (T) of a secrets database;
     - when no secret in the database corresponds to the secret of the natural person, generation (110) of a link value specific to the natural person, from the secret of the natural person and the code (C), preferably from a hash function associated with a dedicated key;
     - storing (110), in the secrets database, the secret of the natural person, without storing either the link value or the code;
     - generation (116), following receipt of this code and this secret, of a personal identifier of the natural person;
     - generation (111) of a verification value from the received secret, the received code and the generated personal identifier, preferably also from a hash function associated with a dedicated key;
     - storing (118), in an identity database, the personal identifier of the natural person associated with the link value and the verification value, or, the link value being a first link value of a chain of link values in which each other link value is obtained from the previous one, storing, in the identity database, the personal identifier associated with the last link value of the chain, and storing the verification value either in the identity database, associated with the personal identifier, or in a buffer database, distinct from the secrets database and the identity database, associated with a link value of the chain.
  6. System (2; 16; 30; 44) for identifying a natural person, comprising:
     - a database (4; 20) of secrets comprising secrets (T) of natural persons, and
     - an identity database (6; 22; 36) comprising respective personal identifiers (IDs) of these natural persons, the identity database associating a link value with each personal identifier of a natural person,
     - automated means configured to:
       * compare a secret received from a natural person to secrets in the secrets database and, a corresponding secret of the natural person being identified, generate a link value from the secret of the natural person and from a code, preferably from a hash function associated with a dedicated key;
       * compare the generated link value to link values in the identity database or to link values in a buffer database separate from the secrets database and the identity database;
       * obtain a verification value associated with the link value in the identity database or, the link value being a first link value in a chain of link values in which each other link value is obtained from the previous link value, obtain a verification value associated with a link value of the chain in the identity database or in a buffer database separate from the secrets database and the identity database;
       * obtain, from the identity database, a personal identifier associated, in the identity database, with the link value or with a link value of the link value chain;
       * obtain a value to be verified from the received secret, the received code and the obtained personal identifier, preferably also from a hash function associated with a dedicated key;
       * compare the generated value to be verified with the obtained verification value and, when they are identical, indicate that the obtained personal identifier corresponds to the secret received from the natural person.
  7. Identification system (6; 30; 44) according to the preceding claim, also comprising:
     - at least one buffer database (18; 38; 40), distinct from the secrets database and the identity database, comprising link values,
     - automated means configured to:
       * receive the link value, the code and the secret;
       * compare the received link value to the link values in the buffer database and, when a matching link value is identified, generate the next link value of the chain of link values from the received link value;
       * pass on the next link value, the code and the secret.
  8. Data processing system (2; 16; 30; 44) comprising a processor configured to implement the steps of the identification method (200; 400; 600; 800) according to any one of claims 1 to 4 or of the registration method (100; 300; 500; 700) according to claim 5.
  9. A computer program (12) comprising instructions which, when the program is executed by a computer, cause the computer to implement the steps of the identification method according to any one of claims 1 to 4 or of the registration method according to claim 5.
  10. A computer-readable recording medium (14) comprising instructions which, when executed by a computer, cause the computer to implement the steps of the identification method (200; 400; 600; 800) according to any one of claims 1 to 4 or of the recording method (100; 300; 500; 700) according to claim 5.
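The registration steps of claim 5 and the identification steps of claim 1, carried through as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from the assignee; it assumes HMAC-SHA256 as the keyed hash function (MAC), equality matching of secrets in place of the biometric template matching of claim 2, and constructed keys Kb and Ki, codes and secrets. The last part models the attack discussed in the description (an attacker with write access to one database swapping two persons' entries) and shows why binding the verification value CI_base to the secret, the code and the identifier lets the identity server detect the swap.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Dedicated keys Kb (link values) and Ki (verification values) of the claims.
# Constructed for this example; a deployment would keep them in a key store.
K_B = b"example-dedicated-key-Kb"
K_I = b"example-dedicated-key-Ki"


def mac(key: bytes, *parts: bytes) -> bytes:
    """The claims' keyed hash function (MAC). HMAC-SHA256 is an assumption of
    this example. Each input is length-prefixed so that two different
    (secret, code) pairs with the same concatenation cannot collide."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


@dataclass
class IdentityRecord:
    personal_id: str   # ID
    ci_base: bytes     # verification value CI_base


@dataclass
class IdentificationSystem:
    # Secrets database (4): holds secrets only, never link values or codes.
    secrets_db: Set[bytes] = field(default_factory=set)
    # Identity database (6): link value LID_base -> (ID, CI_base).
    identity_db: Dict[bytes, IdentityRecord] = field(default_factory=dict)

    def register(self, code: bytes, secret: bytes) -> Optional[str]:
        """Registration (claim 5). Returns the new personal identifier, or
        None when the secret is already enrolled."""
        if secret in self.secrets_db:                    # step 109: a matching secret exists
            return None
        lid = mac(K_B, secret, code)                     # step 110: link value from secret and code
        self.secrets_db.add(secret)                      # step 110: store the secret alone
        personal_id = "ID-" + secrets.token_hex(4)       # step 116 (identifier format is constructed)
        ci_base = mac(K_I, secret, code, personal_id.encode())        # step 111: verification value
        self.identity_db[lid] = IdentityRecord(personal_id, ci_base)  # step 118
        return personal_id

    def identify(self, code: bytes, secret: bytes) -> Optional[str]:
        """Identification (claim 1). Returns the personal identifier only when
        every check passes. Secrets are compared by equality here; a biometric
        deployment (claim 2) would match templates instead."""
        if secret not in self.secrets_db:                # step 206: no corresponding secret
            return None
        lid = mac(K_B, secret, code)                     # step 207
        record = self.identity_db.get(lid)               # step 210: compare to LID_base values
        if record is None:
            return None
        ci = mac(K_I, secret, code, record.personal_id.encode())  # steps 211-213
        if not hmac.compare_digest(ci, record.ci_base):  # step 214: constant-time comparison
            return None
        return record.personal_id                        # step 215


def demo() -> Dict[str, bool]:
    """Enrols two constructed persons, checks the normal path and the refusals,
    then models an attacker with write access to the identity database."""
    system = IdentificationSystem()
    code = b"merchant-42"                                                  # constructed code C
    secret_a = hashlib.sha256(b"fingerprint template of A").digest()      # constructed Fb(T)
    secret_b = hashlib.sha256(b"fingerprint template of B").digest()
    id_a = system.register(code, secret_a)
    id_b = system.register(code, secret_b)
    results = {
        "a_identified": system.identify(code, secret_a) == id_a,
        "b_identified": system.identify(code, secret_b) == id_b,
        "duplicate_enrolment_refused": system.register(code, secret_a) is None,
        "unknown_secret_refused": system.identify(code, b"\x00" * 32) is None,
        "other_code_refused": system.identify(b"merchant-99", secret_a) is None,
    }
    # The attacker swaps the two identity records, so A's link value now points
    # at B's identifier and vice versa (the attack the description warns about).
    lid_a, lid_b = mac(K_B, secret_a, code), mac(K_B, secret_b, code)
    system.identity_db[lid_a], system.identity_db[lid_b] = (
        system.identity_db[lid_b], system.identity_db[lid_a])
    # CI_base binds (secret, code, ID) under Ki, so the recomputed value differs
    # and both identifications are refused instead of returning the wrong person.
    results["swap_detected"] = (
        system.identify(code, secret_a) is None and system.identify(code, secret_b) is None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Note the separation the claims insist on: the secrets database ends up holding only secrets, and the identity database holds identifiers, link values and verification values but no secrets, so neither database alone links a biometric secret to a person. The swap in `demo` is detected purely by the identity server recomputing CI; it never needs the secrets database to notice the tampering.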

Description

Method of identifying a natural person

The invention relates to a method and a system for identifying a natural person, in particular the biometric identification of a natural person.

A method for identifying a natural person comprises a step of collecting identity data, for example a biometric fingerprint provided by a biometric sensor, and a step of responding by providing a personal identifier, for example a name, an address or a number, associated with this identity data within an identity database. Such an identification method thus allows a natural person to be identified with various service providers, such as merchants.

An identification system therefore typically comprises a secrets database, holding a list of secrets of respective natural persons (for example their biometric fingerprints), and an identity database, separate from the secrets database, holding the list of the respective identifiers of these natural persons. The secrets database is managed by a secrets server and the identity database by an identity server separate from the secrets server.

In one prior-art approach, the secrets database and the identity database list the respective secrets and identifiers according to a common index. When the secrets server receives a secret, it compares it with the secrets in the secrets database; when it identifies a matching secret, it transmits the index number of that secret to the identity server, which returns the identifier having the same index number in the identity database. This approach is not secure for mass use: in particular, if two people register at the same time, their respective index numbers may be swapped in one of the two databases.

In another prior-art approach, a unique digital value is generated when the natural person registers. It is associated, in the secrets database, with the secret of the natural person and, in the identity database, with the identifier of this natural person. It is this digital value that the secrets server sends to the identity server, which returns the identifier associated with the same digital value in the identity database. This approach, however, is open to attack: an attacker with write access to one of the two databases could swap the digital values, say A and B, of two natural persons. In that case, if the secrets server collected the secret of person A, the identity server would return the identifier of person B.

To address this, another approach is proposed in Annex A of the ISO 24745 standard proposal for the protection of biometric data. The unique digital value is replaced, in the secrets and identity databases, by a link value, called "common identifier (CI)" in the standard proposal. This link value is computed with a public "message authentication code (MAC)" hash function that takes as input both the secret of the natural person and the identifier of this natural person, together with a parameterisation key of the function. It is this link value that the secrets server sends to the identity server, which returns the identifier associated with the same link value in the identity database. To corrupt this system, an attacker would have to generate this link value, and would therefore need write access to both databases as well as to the dedicated key, which makes the attack difficult to carry out.

This approach still has drawbacks in the event of mass adoption of the identification system, particularly if many service providers wish to use the system and if individuals wish to be identified to several of them. One solution is to provide, for each service provider, a secrets database and an identity database dedicated to the individuals registered with that provider. However, the fleet of servers to implement and manage is then costly and difficult to maintain for the manager of the identification system, and an individual must repeat the registration and identification process with each service provider with which they wish to be identified, which is tedious.

Another solution is to share a single identity database and a single secrets database for all service providers, and to associate with them a table of filtering rules selecting the service providers with which each natural person is registered. However, a natural person then cannot have several distinct profiles; they have a single profile for all service providers. Likewise, revoking an identity with a single service provider is impossible, and if the identity of the natural person is compromised at one service provider, it is compromised for all the others. In addition, the filtering table risks being exploited commercially, in particular to obtain information on the behaviour of natural persons, which risks contravening the principles of respect for their personal