SYSTEM AND METHOD FOR AUTHENTICATION OF SHIPPING TRANSACTIONS USING PRINTABLE AND READABLE BIOMETRIC DATA
FIELD OF THE INVENTION
The present invention relates in general to biometric authentication of physical characteristics of a human being. More particularly, the present invention relates to using iris recognition to authenticate the identity of one or more persons involved in a shipping transaction thereby ensuring a secure shipping transaction.
BACKGROUND OF THE INVENTION
In the shipping of high-value materials and documents there is often a requirement to uniquely and reliably identify one or more of a sender and a receiver. In addition, it is also sometimes desirable to authenticate the identity of shippers, or carriers, involved in the shipping transaction. For example, a significant problem in the shipping industry is the theft of high- value packages from within storage or transport facilities operated by a shipping company. Often a high- value package is identified as such by the names and/or addresses of the sender and/or the receiver. A person may recognize a package as possibly containing high-value goods because of knowledge of the type of business of the sender and/or the receiver, or the lifestyle of the sender and/or the receiver.
Currently the recipient's signature is often, but not always, recorded by the shipping company representative at the time the package is delivered in an attempt to ensure the secure delivery of the package. Typically, "high-value" packages require a positive
acknowledgment by signatures and a clear transfer of liability from a shipper to a receiver. However the signature may be illegible and in any case is subject to forgery. Hence, this conventional system and method provide insufficient protection, especially against liability claims, particularly when the value of the goods is very high. High value packages are typically stored in specially constructed and restricted areas having limited access via, for example, badging. The identification of employees of the shipping agent who are responsible for the security of the special areas is another key element of liability protection for the shipper/carrier.
Other technologies exist for ensuring the security of goods being shipped between multiple points. These technologies include, for example, bar codes. Packages labeled with machine-readable bar codes give them a unique identity (e.g., "tracking number") to facilitate timely and accurate delivery. However, one-dimensional bar codes require an access code that serves as a real-time key for opening a database. This has the disadvantage of requiring an external database after the bar code has been scanned. In addition, these existing codes provide no assurance of the authenticity of sender or receiver.
Biometrics, such as fingerprints, have come into widespread use for personal identification, but there exists no single standard analysis technique or code format. Due to the lack of a single standard and the poor accuracy, other biometrics are of very little value in this type of application. Moreover, traditional security techniques only ensure that token of identity are checked, but do not obscure the nature of the goods or the identity of the shipper or receiver. They simply check the token and do not provide a means of authenticating the identity of the sender or receiver. Therefore, they are subject to fraudulent use associated with the sender, the receiver, or other persons involved in the shipping process. The fraud can include, for example, theft, substitution of inferior goods, alteration of the goods, or mishandling of the goods.
In addition to the shipping transaction security technologies discussed above, various technologies are used for verifying the presence of a person in accordance with an examination of particular biometric attribute of the person, such as the attributes of voice recognition, face recognition, fingerprints, hand geometry, and retinal scanning. Unlike DNA and iris recognition, which are true identifiers, these other biometrics do not verify the identity
of a person. The latter of these technologies, retinal scanning involves the visual examination of the particular attributes of the exterior of the iris of at least one of the person's eyes. The iris of the human eye has random patterns of striations, ciliary processes, crypts, rings, furrows and other features which had been shown capable of generating highly unique biometric templates for personal identification. In this regard, reference is made to U.S. Patent No. 4,641,349, "Iris Recognition System", issued to Flom et al., and U.S. Patent No. 5,291,560, "Biometric Personal Identification System Based on Iris Analysis", issued to Daugman. As made clear by these patents, the visible texture of aperson's iris can be used to distinguish one person from another with great accuracy. Thus, iris recognition can be used for such purposes as identifying a person in various applications, such as controlling access to a secure facility or a bank automatic teller machine, for example. An iris recognition system involves the use of an imager to video image the iris of each person attempting access, and image processing means for comparing this iris video image with a reference iris image on file in a database.
What is still needed is a system and method which solve the aforementioned problems associated with ensuring secure shipping transactions. As will be seen, the present invention provides an improved system and method for ensuring secure shipping transactions which solve the aforementioned problems.
SUMMARY OF THE INVENTION
The present invention is directed to a system that uses iris recognition to authenticate the identity of a person in a shipping transaction involving the movement of goods between multiple points, or destinations. The system of the present invention includes a sender, a receiver, one or more shippers, one or more biometric imaging devices, one or more processors, a printer, a reader, and a label having printable and readable biometric data, hereinafter also referred to as IriStrip™ data. Preferably, the IriStrip™ data is a 2-D bar code and the indicia of the bar code include at least one iris template of one or more person in the shipping transaction, such as the sender, the receiver, or a shipper. The IriStrip™ data can also include other shipping information, such as information about the goods, shipping instructions, handling instructions, the point of orientation, the point of destination, etc.
Preferably, the IriStrip™ data is encrypted using authorized encryption techniques before it is printed on the label. The label is printed and attached to the goods and the reader is used
by persons involved in the shipping transaction to read the IriStrip™ data at each destination in the shipping transaction to track the movement of the goods and to authenticate the identity of one or more person involved in the shipping transaction. Attached to the goods, the biometric template of the IriStrip™ data allows later detection of fraud associated with the shipping transaction, including theft, substitution of inferior goods, alteration of the goods, mishandling of the goods, etc.
The present invention is also directed to a method of providing secure shipping of goods between two points using iris recognition techniques to authenticate the identity of one or more person in the shipping transaction. The method comprises obtaining an image of an iris of at least one eye of a designated receiver of the goods and printing a label having printable and readable biometric data, or IriStrip™ data. Preferably, the method includes encrypting the printable and readable data in the indicia of a 2-D bar code and includes one or more biometric templates (e.g., an IrisCodes™ template). The printable and readable data can include other identification and shipping information, such as, for example, the name, address, and phone number of the sender and/or receiver, the type, quantity, and condition of the goods, insurance information, shipping instructions, handling instructions, etc. The method further includes, attaching the label to a package, document, or goods to be shipped, shipping the package between a point of origination and a point of destination, obtaining an image of an iris of at least one eye of a receiver of the goods, comparing one of the obtained iris images to iris images stored in the printable and readable data, or alternatively a database, and authenticating the security of the shipping transaction based on the comparison.
The present invention can also provide for the authentication of the identity of the sender of the package. Once the package has been successfully delivered to the designated recipient, a return label having a printable and readable data containing identification data relating to the sender can be read, or scanned, to obtain a digital signature contained therein. If the digital signature has been encrypted (e.g., digitally sign, compute hash, add to label, encrypt with private key), then it can be decrypted and the original hash can be compared with the computed hash from the printed label. For example, a sample of or the entire Iriscode™ template could be used for the hash generation. The integrity of the label and the authenticity of the sender can thus be verified based on the results of the comparison.
In addition, the method can include obtaining an image of an iris of at least one eye of one or more shippers at a destination responsible for the movement of the goods between the sender and the receiver, and storing identity information relating to the shippers in a transactions database. Preferably, the information comprising the IriStrip™ data is encrypted to further enhance the security of the shipping transaction. The IriStrip™ data has a template of an image of an iris which can be used to authenticate the proposed/claimed identity of a person involved in the shipping transaction, or can be used to identify a person involved in the shipping transaction by comparing an obtained iris image to stored iris images. The present invention can minimize and/or eliminate altogether fraud or theft associated with certain special handling areas. The system and method of unified tracking, by scanning the IriStrip™ data of a package thereby reading a stored IrisCode™ template therein and capturing an iris image of each person involved in the shipping process, can include persons responsible for providing high- value packages into and retrieving packages from these special protection areas. One template, including the IrisCode™ in an IriStrip™ data, can be responsible for tracking all packages. The invention provides a unified security monitoring system using this one template approach to manage accountability and authorization of access to secure packages and facilities, as well as, the information related to each secure package.
BRIEF DESCRIPTION OF THE DRAWINGS The foregoing and other aspects of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings. For the purpose of illustrating the invention, there is shown in the drawings an embodiment that is presently preferred, it being understood, however, that the invention is not limited to the specific methods and instrumentalities disclosed. In the drawings:
Figure 1 is a schematic diagram of an exemplary system for sender/receiver authentication using iris recognition and encryption in accordance with the present invention;
Figure 2 is a flowchart illustrating an exemplary iris enrollment process;
Figure 3 is a schematic diagram of another exemplary system for sender/receiver authentication using iris recognition in accordance with the present invention;
Figure 4A is a schematic diagram showing an exemplary 2-D bar code having printable and readable biometric data in accordance with the present invention;
Figure 4B is a schematic diagram showing an exemplary IriStrip™ data structure having printable and readable biometric data in accordance with the present invention;
Figure 5 is a schematic diagram showing an exemplary label having IriStrip™ data disposed on a package in accordance with the present invention;
Figure 6 is a schematic diagram showing an exemplary reader device and IriStrip™ data structure in accordance with the present invention; Figure 7 is a schematic diagram showing an exemplary imaging device in accordance with the present invention;
Figure 8A is a schematic diagram showing an exemplary controller in accordance with the present invention;
Figure 8B is a schematic diagram showing another exemplary controller in accordance with the present invention;
Figure 9 is a flowchart of an exemplary secure shipping process in accordance with the present invention;
Figure 10 is a flowchart of another exemplary secure shipping process in accordance with the present invention; and Figure 11 is a flowchart of another exemplary secure shipping process in accordance with the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
The present invention is directed to a system and method for secure shipping transactions using iris recognition. The system and method provide for secure shipping transactions by authenticating the claimed identity of one or more persons involved in the shipping transaction and/or identifying one or more persons in the shipping transaction. The system and method use iris patterns as a means of authenticating the identity thereby ensuring a secure shipping transaction. Identification information relating to one or more of the sender, the receiver, and a shipper involved in the shipment of a package, or document, can be printed in one or more strips having printable and readable data that can be affixed to the package
during transit. When the package reaches its destination, the information contained in the printable and readable data is read and compared to a captured iris image to authenticate one of the shipper at a particular (e.g., intermediate) destination and the receiver at the final destination, and can also be compared to stored iris images in a database to authenticate the identity of the sender. In addition, the security and privacy of the persons involved in the shipping transaction can be protected using authorized cryptology techniques.
As shown in Figure 1, the system 10 the present invention includes an iris imaging device 11 and an input device 12, such as a keyboard or mouse, and the appropriate software for enrolling applicants in an application by capturing an iris image and, optionally, other identification data.
Referring to Figure 2, the steps which comprise an exemplary iris enrollment process 40 are illustrated. The data collection step includes acquisition of a high-quality iris image using a suitable imaging platform, at step 41. Typically this platform will utilize low- level infrared illumination and an infrared-sensitive camera. The resulting image is processed to extract a digital code, such as for example, a fixed-length 512-byte digital code, at step 42, that fully captures the unique information used for identification. The IrisCode™ record is stored, at step 43, in a database along with other personal information that has particular value for the specific identification application. Other identification information can be entered at step 44 and might include, a graphical representation of the person's signature, the person's name, a face picture of the individual, an ID number, address, telephone number, for example. The enrollment of individuals can be accomplished by, for example, a shipper at a fixed location, shippers ' employees at remote or mobile locations, and a third party which provides shippers with a database of people and their authorization.
Referring back to Figure 1 , the system includes a database 13 , or memory, for storing the enrolled iris images and other identification information. The system 10 includes a printer device 14 for printing printable and readable data 15 having one or more stored iris images. The printable and readable data 15 can be printed on, for example, a label 16 which can be attached to a package 17, or document, to be shipped. The system 10 includes a reader device 18 for reading the printable and readable data 15 at a Nth destination along the shipping route. The same or another iris imaging device 11 can be used at each Nth destination for capturing an iris image of one or more persons involved in the shipping transaction. The
system 10 also includes at least one processor 19 having a memory 20 for authenticating the security of the shipping transaction based on a comparison of a captured iris image to a stored iris image in the printable and readable data 15, or alternatively, the database 13. The label printer device 14, handheld iris imaging device 11 , and optical character reader device 18 can be included in one unit, or alternatively, they can each comprise a separate device.
As shown in the exemplary system of Figure 3, the present invention can include technologies for iris recognition 11, public/private key encryption 21, and message digest functions 22 in a system and method for assuring the safe delivery of, for example, sensitive, classified, proprietary, or high value shipments to the intended recipient. A template (hereinafter also referred to as an "IrisCode™" template) is extracted from the captured iris image and is a unique, commensurable, and compact digital biometric code generated from the iris of the eye that remains unique to the individual. The IrisCode™ templates can be printed as sequences of numbers, characters, indicia, or other spatial patterns by the printer device 14 as part of the printable and readable data 15. Preferably, the printable and readable data 15 (herein after also referred to as IriStrip™ data) comprises an encrypted, printable and readable code. The IriStrip™ data 15 can be read by the reader device 18 that reads the printed IrisCode™ template, much the same way that Universal Product Codes (U.P.C. 's) are read on products in supermarkets.
In addition, because the IrisCode™ template has a compact, standard form, it can be printed as a series of indicia in the IriStrip™ 15 data on, for example, a shipping label 16, or a tag, a card, etc. The printed format can be binary, octal, or hexadecimal characters, or any other format which uniquely expresses digital data. Because the IrisCode™ template constitutes a unique message, its integrity can be protected using a message digest function 22 ("hashing" function) in much the same way that digital messages are protected. Furthermore, the system 10 can also include an encryption device 21 , as shown in Figure 3. In this embodiment, the biometric template is encrypted using an encryption device 21 so that the output is an encrypted biometric template that can be used by the printer 18 in printing the printable and readable data 15. Encryption can be with any of the known encryption techniques using public and private keys to encipher and decipher the data, respectively. The existing public/private key infrastructure which has been developed for secure electronic transactions and messaging can be used to authenticate the sender through
the creation of a printed digital signature which can be incorporated into, for example, the return address of the sender. Together with the encryption technologies, IrisCode™ templates provide a means for accurate, reliable, unique identification of a sender and/or a receiver in a shipping transaction. One advantage offered by this embodiment of the invention is the security of shipping transactions which utilize the biometric template is enhanced because the data is generated and encrypted and thus is less susceptible to theft, alteration, or interception. This is due in part because less people will be aware of the sender's name and address and the receiver's name and address because they are obscured in the IriStrip™ data.
As shown in Figure 4A, the printable and readable data 15 is preferably encrypted as the indicia 25 of a 2-D printable and readable bar code 26 that includes one or more data fields having a number of different data types. For example, as shown in Figure 4B, the printable and readable data 15 can include multiple data fields, including biometric data 15a, graphics data 15b, text data 15c, other data 15d, and a hash of the printable and readable data 15e, for example. The 2-D bar code is a complete data record containing, for example, data, text, graphics, and biometrics that can be immediately applied to an application transaction, without accessing an external database, simply by scanning the symbol. Preferably, the printable and readable data 15 includes identification and tracking information relating to one or more persons involved in the shipping transaction, as well as optional information relating to the package being shipped. The IriStrip™ data 15 can be printed directly on the package, or preferably, is printed on a label 16, such as a pallet label, a package label, tags, ID cards, etc. As shown in Figure 5, the label 16 can include other information 24 in addition to the IriStrip™ data 15, such as text, sequence numbers, check boxes, lines and pictures, and a variety of shapes and OLE objects. Each label 16 can include one or more data fields 23 for the printing of information. For example, the IriStrip™ data 15 may be printed in one field 23a of a label 16, and address information 24 may be printed in another field 23b of the label 16. The label 16 includes a mechanism (not shown) for attaching the label 16 to the package 17, such an adhesive material, a bonding material, tape, glue, a tie, a string, etc. Multiple labels 16, or pages may be used for the shipping data. For example, two labels 16 may be used, as shown in Figure 5, one label 16a having data relating to the receiver, and another label 16b having data relating to the sender.
Preferably, the system includes a database 13 containing stored identification information for persons enrolled in a particular application. The database 13 allows sorting and selection of stored records for printing. For example, the database 13 can include stored IrisCode™ templates, as well as other optional identification and shipping information, such as name, address, telephone number, etc. of a person. Preferably, the database 13 is a central database maintained and controlled by a central authority, such as a shipper, or third party. The printer device 14 is adapted to print the IriStrip™ data 15 either directly on a package 17, or preferably the printer prints the IriStrip™ data 15 on a label 16 that can be affixed to the package 17. The printer device 14 can include any standard printer device, including thermal transfer, laser, print and apply, and impact printer technologies. Printers 14 that are suitable for use with the present invention include, for example, printers manufactured by the following companies: ATC, Avery, C. Itoh, Datamax/Fargo, Data South, Decision Data, Eltron, Esselte Meto, Facit, Genicom, Intermec, IBI, IBM, Inducomp, Mannesman Talley, Monarch, Novexx, Printronix, Paxar, Printek, RJS, Sato, Standard Register, Superior Machine, TEC, Tharo, Willet, Zebra. The printer 14 can be connected to the system 10 using any conventional wire or wireless connection technique, including COM and LPT.
Preferably, the system 10 includes a software program (not shown) for the development, printing, and reading of the IriStrip™ data 15 that is user- friendly and flexible. The software is preferably compatible with most operating systems, such as Windows 3.11/95/98/NT/2000. The operating system can include simple customized screens for simple entry of identification data and manipulation of system devices. The software is preferably adapted for a dedicated use for printing and reading of one or more standard label formats (e.g., one standard format for the address label and another standard format for the return address label). However, the software is preferably flexible to allow the user to change the design of the label as required.
The software preferably supports most popular label printers from impact printers through thermal transfer, print and apply, and laser printer technologies. The software can include any standard labeling software, including labeling software manufactured by T.L. Ashford, Strandware, Inc., Electronic Imaging Materials, Inc., for example. The software preferably provides for easy integration of the labeling process into shippers' systems and
programs (e.g., such as RPG, CL and COBOL) and existing database files. The software should allow the user to specify label formats, define fields, and merge fields with other identifying data. Although the system preferably uses 2D bar code symbology, the software preferably is capable of supporting other popular bar code symbologies including UCC 128, Interleave 2 of 5, EAN, UPC, Postnet, CODE 128, CODE 39, Maxicode, CODABAR, MSI, CODE 93, for example.
As shown in Figure 6, the reader device 18 is adapted to read or scan the IriStrip™ data 15 and extract various information contained therein. The reader device 18 can be a contact type reader (not shown) or a non-contact type reader, as shown in Figure 6, having a predetermined read zone and bar size range as determined by the particular application and reader device. The reader device 18 can be either a fixed mounted or a handheld device. The reader 18 can be connected to the system 10 using any conventional wire or wireless connection technique. The reader 18 can be powered from any standard power supply, such as external wall power or internal battery power. Preferably, the reader 18 is a lightweight, ruggedized, wireless, battery operated, handheld 2-D bar code laser scanning device, such as those manufactured by SUNMAX Bar Code Solutions of El Monte, CA.
As shown in Figure 7, an exemplary imaging device 11 comprises an iris acquisition device 105, an imaging lens 110, a mirror 120, an optional diopter correction lens 125, and an illuminator 130. The imaging device 11 can be a fixed, or preferably a portable device. The imager 11 can be powered by a standard DC or AC supply, and preferably a 9- volt battery (not shown). The imaging device 11 can be connected to the system using any conventional wire or wireless connection technique.
The system 10 includes one or more imaging devices 11. For example, the system 10 can include an imaging device at the database having the stored IrisCode™ templates, an imaging device at the transactions database, an imaging device 11 at each of the sender's location and the receiver' s location, and at each destination N in the shipping process. Alternatively, a single portable imaging device 11 can be used by, for example, the shipper's employee wherein the imaging device 11 follows the package 17 as the employee travels from one destination N to another. The number of location of the imaging device or devices 11 is such that each transaction in the shipping process is captured and recorded.
The iris is a protected internal organ that is, at the same time, readily available for outside observation. Its complex textural pattern of striations, crypts, rings, furrows, etc., has extremely high information content, yet is stable from about the age of one year throughout life. Notably, the iris structures are formed with minimal genetic penetrance (e.g., they are not influenced by the individual ' s genetic make-up) and so are dramatically different for every individual and indeed for every eye. If the variability inherent in the iris is expressed in statistical terms as the number of independent degrees of freedom, or forms of variability across individuals, the estimated number of such degrees of freedom is 266. This high information content, extracted by sophisticated computer image processing algorithms, enables an extremely accurate and sensitive personal identification technology. One recent study yielded an estimated crossover error rate of 1 in 1.2 million. This value represents the odds of a False Accept (incorrectly identifying a user as someone else) or a False Reject (failing to recognize a valid user), assuming that the system parameters are adjusted so that either type of error is equally likely. An exemplary imager that can be used with the present invention is a compact, handheld imaging apparatus manufactured by IriScan, Inc. of Marlton, NJ, and has sensors and indicators which assist the human operator in aligning and focusing the device. The imager also automatically captures the image when proper positioning is achieved. Because it is small and compact, it is practical for use as an accessory to a personal computer, and for many business and consumer applications where cost is critical.
Referring back to Figure 7, illustrated is a preferred embodiment of the handheld imager 11 that can be used with the present invention. Any known technique for capturing the iris image can be used, such as those described in Patent Application serial No. 09/200,214 (Attorney Docket No. ICAN-0064), entitled "Handheld Iris Imaging Apparatus and Method", filed on November 25, 1998, which is herein incorporated by reference. The exemplary handheld, non-invasive, non-contacting iris imager comprises iris acquisition device 105, an imaging lens 110, a mirror 120, an optional diopter correction lens 125, and an illuminator 130.
The imager 11 acquires images of an iris with sufficient clarity, focus, and size for use with conventional image processing and comparison routines. A prefened image processing and comparison routine is described in U.S. Patent No. 5,291,560, "Biometric
Personal Identification System Based on Iris Analysis", issued to Daugman, and commonly assigned with the present invention to IriScan Inc., and incorporated herein by reference. However, any processing and comparison technique can be used with the image that is acquired at the imager, such as the image pixel correlation technique described in U.S. Patent No. 5,572,596, "Automated, Non-Invasive Iris Recognition System and Method", issued to Wildes et al. and the techniques described in U.S. Patent No. 4,641,349, "Iris Recognition System", issued to Flom et al., both of which are incorporated herein by reference.
The image processing consists of a number of image processing steps (such as those described in U.S. Patent No. 5,291,560 and U.S. Patent No. 5,572,596, which are herein incorporated by reference) which lead to extraction of a unique and highly specific digital biometric template that can be used to identify the individual based on intensity patterns within the iris. The biometric template is then compared against other templates or images stored in a central database 13 or in another memory, such as the RAM 33 or EPROM 34 within the computer 30, shown in Figure 8 A. The database 13, or memory, stores selected data representing images of the iris of a plurality of subjects enrolled in a particular application. A match of the biometric template with a stored template identifies the subject whose iris is being imaged.
As shown in Figures 8 A and 8B, the processor 19 is preferably integrated into an operating system that can control the printer, reader, and the imager, and contains the labeling software. The processor 19 can perform comparison, tracking, and other processing functions. Preferably, the printer 14, the reader 18, and the imager 11 can follow one or more protocols as defined by the processor 19.
As shown in Figures 8 A and 8B, the processor 19 can reside in a conventional computer 30, such as a standard personal computer, which can comprise the processor 19 (e.g., 100 MHZ, 32 Mbyte DRAM, monitor, keyboard, ports, hard drive, floppy drive, CD- ROM drive). Alternatively, a separate microprocessor (not shown) can reside within each of the printer device 14, the reader device 18, and the imaging device 11 for controlling the functions of the particular device and for interacting with the other devices.
As shown in Figure 8 A, the processor 19 can be coupled to the other devices via conventional cables and/or printed circuit boards (PCBs) that can be connected into slots on the computer, such as an ISA slot or a PCI slot. Other conventional means for coupling
the devices to the processor can be employed, such as a standard wireless connection, as shown in Figure 8B.
The processor 19 preferably communicates with the other devices, controls the operation of the other devices, and runs the software which can be held in read only memory (ROM) 31. The processor 19 can be connected via a bus 32 to the ROM 31, a random access memory (RAM) 33, another memory such as an erasable programmable ROM (EPROM) 34, and an input/output (I/O) controller 35. The RAM 33 is large enough to hold at multiple protocols and person/package identification data. The I/O controller 35 is connected to the appropriate circuitry and drivers (not shown) for issuing commands and instructions to the different devices.
Figure 9 is a flowchart illustrating one exemplary embodiment of the invention, which provides for authentication of one or more of the sender and receiver, and also for protection of the person's iris template (e.g., the IrisCode™ template) while the shipment is in transit. As shown in Figure 9, the system includes a database of iris templates obtained through enrollment of valid recipients (and others involved in the shipping transaction, such as shippers, carriers, and senders) for a particular application, at step 300. The database can be set up to allow access to authorized users only, such as a system administrator, shippers and carriers involved in the shipping transaction. Preferably, the database is protected at a high level from unauthorized access by a security system or wall, such as, for example, a PCIris™ device. The database can be maintained by any of the persons involved in the shipping transaction, such as the sender, the receiver, or a shipper, or alternatively, the database can be maintained by an outside third party not otherwise involved in the shipping transaction (e.g., a system administrator).
Printable and readable data including biometric data in the form of, for example, a shipping label, is attached to the package or shipment, at step 315. Preferably the label is composed of multiple parts, such as for example, the sender identification and the recipient identification. To form the recipient identification, the shipper extracts the recipient's iris template (e.g., the IrisCode™ template) from the database and encrypts it, at step 305, using one of a number of suitable symmetric encryption techniques and a session key generated, at step 307 preferably using well-known techniques. The encrypted IrisCode™
template is printed on the label, at step 310, along with the recipient's name, address, and if desired, a tracking number or other unique shipping number generated by the carrier.
To form the sender identification, the recipient's IrisCode™ template is processed using a message digest function to generate a "hash", at step 320. The hash, sometimes called a checksum or message digest, is a unique, fixed-length digital value that can be computed for any data structure, but from which the contents of the data structure cannot be reconstructed, (e.g., it operates one-way only). It has the property that any change in the data structure, large or small, produces a significant and easily detected change in the hash. Standard hash techniques that can be used with the present invention include MD4, MD5, and SHA (Secure Hash Algorithm). The hash generated at step 320 is a unique but very compact summary of the IrisCode™ template. The hashing function is preferably one-way and reproducible, so that if the IrisCode™ template is modified in any way its hash will change dramatically. This provides a means of protecting the integrity of the template.
The hash of the IrisCode™ template is combined with the session key used to encrypt the IrisCode™ template, at step 321 and, if desired, other sender information, such as name and address. These combined data are then encrypted, also at step 321, using the sender's private key, provided at step 323, and a suitable asymmetric encryption technique is used to form a digital signature, unique to the sender, which can be printed on the shipper identification part of the label, at step 325 and attached to the package at step 315. When the shipment is delivered to a particular destination (e.g., the Nth destination), at step 330, the carrier, or shipper, uses the sender's public key, provided at step 333, to decrypt the digital signature and recover the hash and the session key, at step 335. The session key is then used to decrypt the printed IrisCode™ template, at step 340. The recipient's eye is imaged and the IrisCode™ template is extracted, at step 345, and compared against the IrisCode™ template printed on the shipment at step 350. If a successful match occurs, the recipient is authenticated, at step 355, and the package is delivered to the validated person. If a match is not made, then the recipient is invalidated at step 360, and the package is not delivered.
The hash from the decrypted printed IrisCode™ template is re-computed, at step 365, and compared, at step 370, to the hash contained in the digital signature. If they match then the integrity of the printed IrisCode™ template is verified, as is the authenticity
of the sender, at step 375. If they do not match, then the authenticity of the sender is invalidated at step 380.
Preferably, every step in the process is recorded in a database, such as a transactions database, at step 385. The transactions database provides a record of the transactions involved in the shipping process and provides an audit trail of accountability that is recorded and archived as appropriate. The transactions database can comprise a separate database or the same database that stores the IrisCode™ templates. Preferably, the transactions are hashed just prior to storage on the transaction database. Exemplary transactions include, acceptance of a package by the shipper and capture of the sender's IrisCode™ template, delivery to various parts of the shipping chain, handling of the package by shipper employees IrisCode™ and capture of employee's iris images for employees who have accepted physical custody of a package, who have handled a package, or have placed a package in a secure storage facility, the acceptance/delivery of the package at its final destination, etc. The encryption of the IrisCode™ template is optional and is not a requirement of the system and method. The IrisCode™ template is preferably encrypted prior to printing it on the label in order to prevent it from being copied and used for an unauthorized shipment or some other impersonation of the sender. If the carrier can guarantee the security of the printed IrisCode™ template without depending on encryption, the embodiment of the invention shown in Figure 10 can be used.
As shown in the flowchart of Figure 10, in another exemplary system, the recipient IrisCode™ template can be printed directly on the shipment without encryption. A database containing stored IrisCode™ templates is provided at step 400. An IrisCode™ template of the intended recipient is obtained from the database and a hash is computed for the IrisCode™ template, at step 405, and incorporated into a digital signature that is encrypted, at step 410, with the sender's private key, provided at step 415. The encrypted digital signature is then printed onto, for example a label, at step 420, and the label is attached to a package or document to be shipped, at step 425. An address label is also printed having the IrisCode™ template, at step 430, and attached to the package, at step 425. The package is shipped to the intended recipient and when the shipment is delivered, at step 435, the carrier scans the IrisCode™ template from the label, at step 440,
and compares it, at step 450, to the recipient's "live" IrisCode™ template, obtained at step 445, before releasing the shipment to the valid recipient, at step 455. If the obtained IrisCode™ template does not match the scanned IrisCode™ template read off of the label, at step 440, then the recipient is invalid and the carrier does not deliver the package, at step 460. Once the recipient has been authenticated, at step 455 , he can read, or scan the digital signature, at step 465, and decrypt the digital signature, at step 470, using the sender public key provided at step 475. The original hash, step 470, is then compared with that computed hash, step 477, from the printed label, at step 480, to verify the integrity of the label and the authenticity of the sender. If a match is found, then the signature is valid and the sender is authenticated at step 485. If a match is not made, then the signature is invalidated at step 490.
As shown in Figure 10, every step in the process is preferably recorded in a database, such as a transaction database, at step 495. The transaction database provides a record of the transactions involved in the shipping process and provides an audit trail of accountability that is recorded and archived as appropriate.
Figure 11 shows an exemplary method for secure shipping using iris recognition and encryption in accordance with the present invention and addresses certain additional shipping security risks not treated by the two previous embodiments, shown in Figure 9 and Figure 10. As shown in Figure 11, a shipping request is generated at step 500. The shipping request from the sender lists codes known to the shipper, such as, for example, the names of the sender and receiver, the value of the goods, the identity of an insurer who will provide loss coverage while the package is in transit, the IrisCode™ template of one or more persons involved in the shipping transaction, etc. Based on the coded identity of the sender, the shipping company picks up the package and captures the IrisCode™ template of the sender, at step 505. The system generates routing information at step 510, including for example, sender and receiver data, such as identification codes, iris templates, addresses, etc. Route generating data can be obtained, at step 515, from a database. In addition, the sender's name and address are encrypted with the sender's private key to produce a digital signature authenticating the origin of the package. This encrypted information is printed on a label, at step 520, and affixed to the package, at step 525. Alternatively, the encrypted information can be printed directly on the package or document to be shipped. The sender and receiver
identification codes and the sender's captured IrisCode™ template are encrypted with the shipper's public key and this is also printed on the package.
The shipper or carrier then delivers the package and when the package arrives at a shipper's facility (e.g., the Nth destination), at step 530, the shipper reads the labels attached to the package at step 535. The shipper decodes the sender and receiver identification codes and the sender's IrisCode™ template using its private key, at step 540. The IrisCode™ template is compared to the template contained in the shipper's database for that sender. If the sender is authenticated, the shipper generates a routing sequence for the package, specifying the sequence of N destinations (all of which are secure shipper facilities) which the package will pass through on its way to the receiver. Each of these N destinations has a public and private key pair. A label is printed which has one entry for each N destination, consisting of the address or other location information for that destination. The address for the (N+l)st destination is encrypted using the public key of the Nth destination, enabling each destination facility to decrypt the address of the next destination and forward the package to that destination without having any other information about the origin or final destination of the package. Further, each destination entry is digitally signed with the router's private key to allow authentication of the routing information.
This digital signature is created by first generating a hash of the destination address and encrypting this hash using the router's private key. This digital signature is added to the destination address and the combined message is encrypted using the destination's public key, as described above. This assures the integrity of the routing information at each step in the package's journey from sender to receiver.
In addition to generating the routing information, the shipper can request, for example, insurance coverage for the full value of the package from an insurance company, agent, or broker, at step 517. After insurance coverage is ananged the agent or broker returns an identifying sequence number to the shipper, at step 518, which certifies existence of the coverage. This may be printed on the package, at step 520, or entered in the shipper's database as part of the tracking information for the package, at step 515. The system can include a billing and insurance interface, such as an LDAP directory with pointers to either the IrisCode™ database or the transactions database.
The processing used at each N destination to forward the package is shown in Figure 11. The first routing label entry is read, at step 535 and decrypted with the N destination's private key, at step 540. The decrypted entry will consist of an address segment (the address of the next destination) and a digital signature segment. The signature portion of the message is extracted and decrypted with the router's public key, at step 545. This decrypted signature is the original hash of the destination entry, and it is compared, at step 550, with a hash generated from the address portion of the routing label entry, provided at step 547.
If the two hashes match, the integrity and authenticity of the address portion are both validated, at step 550. If the hashes do not match the process checks if this is the last entry in the routing information, at step 555. If it is not the last entry, the next entry, step 560, in the routing list is decrypted in the same way. If no authentic entry is found and it is the last entry the package must be returned to the sender, at step 565.
If a valid entry is found, the package is forwarded to the conesponding next N destination, at step 570. If desired, a temporary (plain text) address label for the next destination can be attached to the package to facilitate handling. If it is determined that the next destination is not the last destination in the routing information, at step 575, then the shipper continues with the delivery of the package in accordance with the next set of shipping instructions. When the package reaches its final destination (e.g., the last entry in the routing list is identified at step 575), the receiver identification code, which has been encrypted as part of the last destination's address, is recovered. This identification code is used to extract the receiver's address and IrisCode™ template from the shipper's data base, at step 515. The address and IrisCode™ template are printed on a delivery label that is attached to the package, at step 580. When the package is delivered, an image of the receiver' s iris is captured and the resulting IrisCode™ template is compared with one scanned from the package label, at step 585. If the receiver is authenticated, the package is delivered, at step 590. The receiver may scan the sender's encrypted name and address from the package and decrypt it with the sender's public key, if desired, to authenticate the origin of the package. If the receiver is not authenticated, then the package is retained by the shipper or returned to the sender at step 595.
Other exemplary applications that may benefit from the secure shipping transaction using printable and readable biometric data include:
1. Classified Materials (Nuclear, distribution of encryption keys);
2. Money delivered from a printing agency to a Government; 3. Intellectual Property and Proprietary data;
4. Jewelry; and
5. Consumer items.
In addition, because the iris authentication of sender and receiver adds a significant extra measure of security to the shipping service, the invention results in an economic benefit, such as for example, lower insurance costs to the sender and/or the receiver based on the value of the package to be sent and the reduced risk of theft of fraud.
The present invention can minimize and/or eliminate altogether fraud or theft associated with certain special handling areas. The system and method of unified tracking by scanning the IriStrip™ data of a package and the IrisCode™ template of each person involved in the shipping process, can include persons responsible for providing high-value packages into and retrieving packages from these special protection areas. One template, including the IrisCode™ template in an IriStrip™ data, is responsible for tracking all packages. The invention provides a unified security monitoring system using this one template approach to manage accountability and authorization of access to secure packages and facilities, as well as, the information related to each secure package.
In another embodiment of the present invention, notably in the early enrollment and implementation phases in order to build up the database of IrisCode™ templates, the label may only have the sender's IrisCode™ template. The database can be developed by having, for example, the shipper's employee captures the IrisCode™ template of the sender when he picks up the package. The sender's IrisCode™ template would be printed on the label and entered into the database at the time that the package is picked up, providing the sender was not already enrolled. In addition, at the time the shipper delivers the package to another shipper or the intended receiver, the shipper's employee, for example, would capture that person's live iris image. Preferably, prior to capturing the live iris image, the shipper's employee would ask if the person wanted to be enrolled. If yes, an electronic form, for
example, having a privacy statement and an use authorization would be presented. The "signing" or acknowledgment of the form could be the capturing of the live iris image.
Although illustrated and described herein with reference to certain specific embodiments, it will be understood by those skilled in the art that the invention is not limited to the embodiments specifically disclosed herein. Those skilled in the art also will appreciate that many other variations of the specific embodiments described herein are intended to be within the scope of the invention as defined by the following claims.