Method and system for secure FIDO development kit with embedded hardware

US 10,404,464 B2
Filed: 08/22/2016
Issued: 09/03/2019
Est. Priority Date: 08/22/2016
Status: Active Grant

First Claim

Patent Images

1. A method for use of a biometric template to perform authentication through biometric data using three distinct application programs and a trusted execution environment in a computing device, comprising:

storing, in a first memory of a computing device, a biometric application program including a biometric module, a third party application program, and a verification application program, where the biometric application program is in compliance with the Fast IDentity Online (FIDO) alliance;

receiving, by an input device of the computing device, first biometric data of a user;

generating, by the biometric module of the computing device, a first template based on the first biometric data;

generating, by a generation module of the computing device, a cryptographic key pair comprised of a private key and a corresponding public key using an encryption algorithm;

encrypting, by an encryption module of the computing device, the first template using the public key;

storing, in a second memory of the computing device, the private key, wherein the second memory is a trusted execution environment;

storing, in the computing device, the encrypted first template;

receiving, by the biometric application program, a biometric request submitted by the third party application program;

receiving, by the input device of the computing device, second biometric data of the user;

generating, by the biometric module of the computing device, a second template based on the second biometric data;

receiving, by the verification application program, the second template transmitted by the biometric application program;

decrypting, by the verification application program, the encrypted first template using the private key stored in the second memory of the computing device;

verifying, by the verification application program, the second template based on the decrypted first template; and

receiving, by the third party application program, a result of the verification, whereinthe biometric application program and the third party application program are prevented from accessing the trusted execution environment or decrypted first template,the verification application program is prevented from accessing the first biometric data and the second biometric data, andthe third party application program receives the result of the verification without receiving the first biometric data, the second biometric data, the second template, or the private key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for registration of a biometric template in a computing device includes: storing, in a first memory of a computing device, a biometric module; receiving, by an input device of the computing device, biometric data of a user; generating, by the biometric module of the computing device, a template based on the biometric data; generating, by a generation module of the computing device, a cryptographic key pair comprised of a private key and a corresponding public key using an encryption algorithm; encrypting, by an encryption module of the computing device, the generated template using the private key; storing, in a second memory of the computing device, the private key, wherein the second memory is a trusted execution environment; and storing, in the computing device, the encrypted template.

25 Citations

View as Search Results

20 Claims

1. A method for use of a biometric template to perform authentication through biometric data using three distinct application programs and a trusted execution environment in a computing device, comprising:
- storing, in a first memory of a computing device, a biometric application program including a biometric module, a third party application program, and a verification application program, where the biometric application program is in compliance with the Fast IDentity Online (FIDO) alliance;
  
  receiving, by an input device of the computing device, first biometric data of a user;
  
  generating, by the biometric module of the computing device, a first template based on the first biometric data;
  
  generating, by a generation module of the computing device, a cryptographic key pair comprised of a private key and a corresponding public key using an encryption algorithm;
  
  encrypting, by an encryption module of the computing device, the first template using the public key;
  
  storing, in a second memory of the computing device, the private key, wherein the second memory is a trusted execution environment;
  
  storing, in the computing device, the encrypted first template;
  
  receiving, by the biometric application program, a biometric request submitted by the third party application program;
  
  receiving, by the input device of the computing device, second biometric data of the user;
  
  generating, by the biometric module of the computing device, a second template based on the second biometric data;
  
  receiving, by the verification application program, the second template transmitted by the biometric application program;
  
  decrypting, by the verification application program, the encrypted first template using the private key stored in the second memory of the computing device;
  
  verifying, by the verification application program, the second template based on the decrypted first template; and
  
  receiving, by the third party application program, a result of the verification, whereinthe biometric application program and the third party application program are prevented from accessing the trusted execution environment or decrypted first template,the verification application program is prevented from accessing the first biometric data and the second biometric data, andthe third party application program receives the result of the verification without receiving the first biometric data, the second biometric data, the second template, or the private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the encrypted template is stored in the second memory of the computing device.
  - 3. The method of claim 1, wherein the encrypted template is stored in the first memory of the computing device.
  - 4. The method of claim 1, wherein the encryption algorithm uses the Elliptic Curve Diffie-Hellman protocol.
  - 5. The method of claim 1, wherein the encryption module is stored in the first memory of the computing device.
  - 6. The method of claim 1, wherein the first memory and second memory are two sections of a single memory in the computing device.
  - 7. The method of claim 1, wherein the first memory is not a trusted execution environment.
  - 8. The method of claim 1, wherein the verification application program comprises at least the generation module and the encryption module.
  - 9. The method of claim 8, wherein the biometric application program is configured to execute in compliance with specifications of the Fast IDentity Online (FIDO) Alliance.
  - 10. The method of claim 1, wherein the biometric data includes at least one of:
    - fingerprint data, retinal scan data, voice data, and facial scan data.

11. A system for use of a biometric template to perform authentication through biometric data using three distinct application programs and a trusted execution environment in a computing device, comprising:
- an input device of a computing device configured to receive first biometric data of a user;
  
  a first memory of the computing device configured to store a biometric application program including a biometric module configured to generate a first template based on the first biometric data, a third party application program, and a verification application program, where the biometric application program is in compliance with the Fast IDentity Online (FIDO) alliance;
  
  a generation module of the computing device configured to generate a cryptographic key pair comprised of a private key and a corresponding public key using an encryption algorithm;
  
  an encryption module of the computing device configured to encrypt the generated first template using the public key, wherein the encrypted template is stored in the computing device; and
  
  a second memory of the computing device configured to store the private key, wherein the second memory is a trusted execution environment, whereinthe biometric application program is configured to receive a biometric request submitted by the third party application program;
  
  the input device of the computing device is further configured to receive a second biometric data of the user;
  
  the verification application program is configured toreceive the second template transmitted by the biometric application program,decrypt the encrypted first template using the private key stored in the second memory of the computing device, andverify the second template based on the decrypted first template;
  
  the third party application program is configured to receive a result of the verification;
  
  the biometric application program and the third party application program are prevented from accessing the trusted execution environment or decrypted first template;
  
  the verification application program is prevented from accessing the first biometric data and the second biometric data; and
  
  the third party application program receives the result of the verification without receiving the first biometric data, the second biometric data, the second template, or the private key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the encrypted template is stored in the second memory of the computing device.
  - 13. The system of claim 11, wherein the encrypted template is stored in the first memory of the computing device.
  - 14. The system of claim 11, wherein the encryption algorithm uses the Elliptic Curve Diffie-Hellman protocol.
  - 15. The system of claim 11, wherein the encryption module is stored in the first memory of the computing device.
  - 16. The system of claim 11, wherein the first memory and second memory are two sections of a single memory in the computing device.
  - 17. The system of claim 11, wherein the first memory is not a trusted execution environment.
  - 18. The system of claim 11, wherein the verification application program comprises at least the generation module and the encryption module.
  - 19. The system of claim 18, wherein the biometric application program is configured to execute in compliance with specifications of the Fast IDentity Online (FIDO) Alliance.
  - 20. The system of claim 11, wherein the biometric data includes at least one of:
    - fingerprint data, retinal scan data, voice data, and facial scan data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Kamal, Ashfaq
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/242,774
Publication Number

US 20180054312A1
Time in Patent Office

1,107 Days
Field of Search

713186
US Class Current
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 9/321   involving a third party or ...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

Method and system for secure FIDO development kit with embedded hardware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system for secure FIDO development kit with embedded hardware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others