We verify you with your face without having your face!
SenseCrypt is a breakthrough face recognition (FR) technology that, in essence, allows the binding of a data structure to a natural person in a privacy preserving and secure way. The data structure thus created contains no biometrics or facial images, is much smaller than a regular facial recognition template, and can even be represented as a QR code.
To enroll a person in a traditional FR system, a template is generated from the person's face and stored. This template is unique to a person, but it is not privacy preserving, because:
The template can be used to derive the person’s face image
Distances between templates can be used to reveal one’s identity
In contrast, enrolling a person with SenseCrypt does not involve saving any biometric or identity revealing information. Instead, with SenseCrypt the act of enrollment consists of encrypting a set of non-biometric metadata.
In detail, a public key is derived from the given face to encrypt a set of given metadata (examples include: name, visa_id, user_id, access allowance etc.).
The resulting encrypted data structure is called a SensePrint. After creating the SensePrint, the given face image and the public key are discarded such that no biometry data remains.
In traditional FR, to recognize a person, a new template is created from the given face image and compared against the templates in the database. If the new template is close enough to one of the stored templates, the person is considered to be the same.
Instead, with SenseCrypt verification consists of attempting to decrypt a given SensePrint.
In detail, a private key is derived from the given face. If the private key is from the correct person it can be used to decrypt the SensePrint. A successful decryption verifies the person. The decryption fails if the person who generated the SensePrint is different from the person who tries to access it.
With no biometry data stored, this solution reduces privacy compliance risks with legislation/acts around the world while, at the same time, offering complete peace of mind regarding data breach risks.
Overview of SenseCrypt eID technology
Generate a SenseCrypt eID (SensePrint) - an act of encryption:
Face + eID attributes (metadata) → SensePrint
Verify a SensePrint - an act of decryption:
Face + SensePrint → eID attributes (metadata)
While SenseCrypt eID SensePrints are great for use cases where the natural person is present at each transaction of the system, there are use cases where the person cannot be present for a certain action.
In another scenario, a verifier should not be exposed to processing facial images of a person as this is a privacy risk and may also be in violation of regulatory policies or applicable law.
It may also be possible that a natural person doesn't want to expose their face to a third party due to religious reasons.
SenseCrypt Face PKI solves the problem of covering these use cases in a privacy-preserving way, without revealing biometric data or facial images to actors in the system.
SenseCrypt Face PKI extends SenseCrypt by enabling a third party with no access to a person’s face / biometric data to:
encrypt information that only this person can read (after scanning their face)
verify that this person signed specific information
The central piece of technology in SenseCrypt Face PKI is the Face Certificate. A Face Certificate is generated from:
the user’s face
an existing SensePrint
a purpose ID
metadata
A Face Certificate is a standard X509v3 certificate such as the ones that are used to secure all internet traffic. However, the public key contained in the certificate is derived from a user's face. We have brought the trusted and standard security technology used to secure all websites on the internet but, instead of certifying websites, Face Certificates certify persons and enable verifying them with their face without having access to or processing any face or biometry data.
In addition, the Face Certificate can contain a subset of eID attributes (metadata) that are encrypted for a specific verifier using a pre-registered verifier's public key. The verifier may also maintain a pairwise key pair such that the verifier's public key is different for each Face Certificate. This mitigates the risk of data breaches, as each Face Certificate then has metadata that is encrypted with a different, user-specific, public key.
A third party can use a Face Certificate to encrypt data, such that it can only be decrypted when the user presents his/her face and the correct purpose id. This allows the third party to send encrypted information to a specific user, without having that user’s biometric information while ensuring that only this person can read this information.
Note that if a key (or key pair) which is not part of SenseCrypt technology is used to encrypt a large amount of data (for example, a hard disk), that key can still be protected with a face by encrypting it with a Face Certificate.
Later, when the hard disk is to be decrypted, the encrypted key is first itself decrypted using the face. The decrypted key is then used to decrypt the hard disk.
The user can sign a piece of information with:
their face
a SensePrint
a purpose ID
A third party can verify this signature with the Face Certificate of that user which is issued for that purpose.
A Face Certificate consists of:
A Public Key - the public key is used to encrypt data and to verify face-based signatures.
Metadata - any subset of SensePrint metadata that should be exposed as part of providing a Face Certificate. This metadata is encrypted using a specific verifier's public key.
Expiry date - a standard expiry date as with all X509 certificates.
Certificate Revocation List (CRL) URL - a standard property of an X509 certificate that allows the revocation of a Face Certificate at any time.
Signature - a standard property of an X509 certificate that allows an external party to verify that the certificate was issued by a specific issuer. This signature is verifiable against the root certificate of the issuer.
The purpose ID defines the scope of a Face Certificate. When issuing a Face Certificate we want to ensure it can only be used for a specific purpose. For example, when a user requests the issuance of a Face Certificate so that his bank can verify the signatures on his withdrawal transactions, another bank should not be able to use the same Face Certificate for its own transactions.
The purpose ID also helps preserve privacy: if the same certificate could be used across different purposes, it would become linkable, since different parties could track a user simply by observing that the same Face Certificate appears across their databases.
Whenever a third party receives a Face Certificate to encrypt data and send to a user, how can the third party be sure that this Face Certificate is actually valid and originates from a legitimate source?
In SenseCrypt PKI, as in traditional PKI systems, one can check the validity of a Face Certificate against a root certificate provided by a trusted Certificate Authority (CA), the certificate issuer, i.e. your deployment of the SenseCrypt server.
Generate a face certificate:
Face + SensePrint + Purpose ID + eID attributes subset → Face Certificate
Encrypt a key:
Key + Face Certificate → Encrypted Key
Decrypt a key:
Encrypted Key + Face + Purpose ID + SensePrint → Decrypted key
Face Signing:
Face + Data + Purpose ID + SensePrint → Signature
Verify a signature:
Data + Signature + Face Certificate → is_valid?
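The verifier side of the two flows above (chain to the issuer's root, purpose ID scoping, then the signature check), written as an added Go example using only the standard library; it is not SenseCrypt's own code. The face-derived key pair is replaced by an ordinary generated P-256 key, the issuer root is a constructed self-signed certificate standing in for the SenseCrypt server CA, and because the page does not say where a Face Certificate carries the purpose ID, it is placed in the subject's OU attribute as an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Issue builds a certificate under caKey and returns it with the subject's key (generated here, not
// face-derived). parent == nil yields the self-signed root (stand-in for the SenseCrypt server CA);
// otherwise the Face Certificate stand-in, with the purpose ID carried in the subject OU (assumption).
func Issue(parent *x509.Certificate, caKey *ecdsa.PrivateKey, purpose string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		KeyUsage:  x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		Subject:   pkix.Name{CommonName: "constructed subject", OrganizationalUnit: []string{purpose}}}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // root: CA flags on, signs itself with its own key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent, caKey = true, true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign stands in for "Face + Data + Purpose ID + SensePrint -> Signature": ECDSA over SHA-256.
func Sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify is the verifier side: trust chain and validity window, then purpose-ID scope, then the signature.
func Verify(root, cert *x509.Certificate, purpose string, data, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // unknown issuer or outside the validity window: rejected before the signature is read
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != purpose {
		return errors.New("certificate was issued for a different purpose ID")
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, data, sig)
}
```

A certificate issued for "bank-withdrawal" is rejected when presented for any other purpose ID, and a certificate chained to a different root is rejected before its signature is even examined.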
This concludes a brief introduction to SenseCrypt technology. If you would like to read more about the design principles, motivation, and impact of SenseCrypt, you can explore more in the Appendix section.
In the next section we will get more hands on and show you how to get started with SenseCrypt technology.