Technologies for end-to-end biometric-based authentication and platform locality assertion

US 10,079,684 B2
Filed: 12/18/2015
Issued: 09/18/2018
Est. Priority Date: 10/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device for end-to-end biometric authentication, the computing device comprising:

one or more processors;

communication circuitry coupled to the one or more processors; and

one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the computing device to;

securely exchange a shared key between a biometric device driver of the computing device and an authentication secure enclave of the computing device, wherein the authentication secure enclave is established with secure enclave support of a processor of the computing device;

allocate a virtualization-protected memory buffer in a memory range that is inaccessible to an operating system of the computing device and that is inaccessible to the authentication secure enclave;

receive, by the biometric device driver, biometric data from a biometric device of the computing device in the virtualization-protected memory buffer, wherein the virtualization-protected memory buffer is secured by hardware virtualization support using extended page table support of the processor of the computing device,encrypt, by the biometric device driver, the biometric data with the shared key to generate encrypted biometric data, wherein the shared key is secured by the hardware virtualization support of the processor;

decrypt, by the authentication secure enclave, the encrypted biometric data with the shared key; and

perform, by the authentication secure enclave, a biometric authentication operation based on the biometric data in response to decryption of the encrypted biometric data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

12 Citations

View as Search Results

11 Claims

1. A computing device for end-to-end biometric authentication, the computing device comprising:
- one or more processors;
  
  communication circuitry coupled to the one or more processors; and
  
  one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the computing device to;
  
  securely exchange a shared key between a biometric device driver of the computing device and an authentication secure enclave of the computing device, wherein the authentication secure enclave is established with secure enclave support of a processor of the computing device;
  
  allocate a virtualization-protected memory buffer in a memory range that is inaccessible to an operating system of the computing device and that is inaccessible to the authentication secure enclave;
  
  receive, by the biometric device driver, biometric data from a biometric device of the computing device in the virtualization-protected memory buffer, wherein the virtualization-protected memory buffer is secured by hardware virtualization support using extended page table support of the processor of the computing device,encrypt, by the biometric device driver, the biometric data with the shared key to generate encrypted biometric data, wherein the shared key is secured by the hardware virtualization support of the processor;
  
  decrypt, by the authentication secure enclave, the encrypted biometric data with the shared key; and
  
  perform, by the authentication secure enclave, a biometric authentication operation based on the biometric data in response to decryption of the encrypted biometric data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing device of claim 1, wherein to perform the biometric authentication operation comprises to enroll a user based on the biometric data.
  - 3. The computing device of claim 2, wherein to enroll the user comprises to:
    - generate a biometric template based on the biometric data; and
      
      encrypt the biometric template to generate an encrypted biometric template, wherein the encrypted biometric template is bound to the authentication secure enclave.
  - 4. The computing device of claim 1, wherein to perform the biometric operation comprises to identify a user based on the biometric data.
  - 5. The computing device of claim 4, wherein to identify the user based on the biometric data comprises to:
    - decrypt an encrypted biometric template to generate a biometric template, wherein the encrypted biometric template is bound to the authentication secure enclave; and
      
      determine whether the biometric data matches the biometric template in response to decryption of the encrypted biometric template.
  - 6. The computing device of claim 1, wherein the plurality of instructions, when executed by the one or more processors, further cause the computing device to allocate the virtualization-protected memory buffer in a memory range that is accessible via a device direct memory access only to the biometric device.

7. One or more non-transitory machine readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- securely exchange a shared key between a biometric device driver of the computing device and an authentication secure enclave of the computing device, wherein the authentication secure enclave is established with secure enclave support of a processor of the computing device;
  
  allocate a virtualization-protected memory buffer in a memory range that is inaccessible to an operating system of the computing device and that is inaccessible to the authentication secure enclave;
  
  receive, by the biometric device driver, biometric data from a biometric device of the computing device in the virtualization-protected memory buffer, wherein the virtualization-protected memory buffer is secured by hardware virtualization support using extended page table support of the processor of the computing device;
  
  encrypt, by the biometric device driver, the biometric data with the shared key to generate encrypted biometric data, wherein the shared key is secured by the hardware virtualization support of the processor;
  
  decrypt, by the authentication secure enclave, the encrypted biometric data with the shared key; and
  
  perform, by the authentication secure enclave, a biometric authentication operation based on the biometric data in response to decrypting the encrypted biometric data.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The one or more non-transitory machine readable storage media of claim 7, wherein to perform the biometric authentication operation comprises to enroll a user based on the biometric data.
  - 9. The one or more non-transitory machine readable storage media of claim 8, wherein to enroll the user comprises to:
    - generate a biometric template based on the biometric data; and
      
      encrypt the biometric template to generate an encrypted biometric template, wherein the encrypted biometric template is bound to the authentication secure enclave.
  - 10. The one or more non-transitory machine readable storage media of claim 7, wherein to perform the biometric operation comprises to identify a user based on the biometric data.
  - 11. The one or more non-transitory machine readable storage media of claim 10, wherein to identify the user based on the biometric data comprises to:
    - decrypt an encrypted biometric template to generate a biometric template, wherein the encrypted biometric template is bound to the authentication secure enclave; and
      
      determine whether the biometric data matches the biometric template in response to decrypting the encrypted biometric template.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Negi, Ansuya, Sarangdhar, Nitin V., Warrier, Ulhas S., Venkatachary, Ramkumar, Sahita, Ravi L., Robinson, Scott H., Grewal, Karanvir S.
Primary Examiner(s)
Kanaan, Simon P

Application Number

US14/974,893
Publication Number

US 20170104597A1
Time in Patent Office

1,005 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3231   Biological data, e.g. finge...

Technologies for end-to-end biometric-based authentication and platform locality assertion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Technologies for end-to-end biometric-based authentication and platform locality assertion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others