Secure communication between a virtual smartcard enclave and a trusted I/O enclave

US 10,664,583 B2
Filed: 03/29/2019
Issued: 05/26/2020
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A storage disk or storage device comprising instructions that, when executed, cause a computing device to at least:

generate, in a first trusted execution environment (TEE), an indicator when biometric data from a biometric capture device matches a stored biometric template;

transmit the indicator and signed data generated in the first TEE to a second TEE, the signed data to identify the first TEE, the first TEE being independent from the second TEE, the second TEE being sealed; and

in response to determining that the indicator is from the first TEE based on the signed data, unseal the second TEE based on the indicator to facilitate access to the second TEE.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for accessing a trusted execution environment includes instructions to transmit, from a first trusted execution environment, a request for a biometric match claim, receive, in response to the request for a biometric match claim, biometric data from a biometric capture device, perform a match of the biometric data against biometric templates stored in the first trusted execution environment, and unseal a second trusted execution environment based on the match data.

Citations

21 Claims

1. A storage disk or storage device comprising instructions that, when executed, cause a computing device to at least:
- generate, in a first trusted execution environment (TEE), an indicator when biometric data from a biometric capture device matches a stored biometric template;
  
  transmit the indicator and signed data generated in the first TEE to a second TEE, the signed data to identify the first TEE, the first TEE being independent from the second TEE, the second TEE being sealed; and
  
  in response to determining that the indicator is from the first TEE based on the signed data, unseal the second TEE based on the indicator to facilitate access to the second TEE.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The storage disk or storage device of claim 1, wherein the instructions, when executed, cause the computing device to:
    - request a biometric match claim from a credential manager application in a third execution environment separate from the first TEE and the second TEE; and
      
      request the biometric data from the biometric capture device.
  - 3. The storage disk or storage device of claim 1, wherein the computing device includes the biometric capture device, the biometric capture device includes a camera, the biometric data includes a video frame of a face captured by the camera, and the instructions, when executed, cause the computing device to obtain the video frame from the camera.
  - 4. The storage disk or storage device of claim 1, wherein the instructions, when executed, cause the computing device to provide a signature on a video frame of the biometric data, the signature to identify a camera that originated the video frame.
  - 5. The storage disk or storage device of claim 1, wherein the biometric data includes a video frame of a face and the biometric template is a face template, and the instructions, when executed, cause the computing device to:
    - verify that the video frame is from a camera of the biometric capture device based on a signature of the video frame; and
      
      compare the video frame with the face template.
  - 6. The storage disk or storage device of claim 1, wherein the second TEE includes a virtual smartcard, the second TEE including cryptographic data specific to a user corresponding to the biometric data, the cryptographic data including one or more cryptographic keys, and the instructions, when executed, cause the computing device to provide access to the cryptographic data when the second TEE is unsealed.
  - 7. The storage disk or storage device of claim 1, wherein the biometric data includes at least one of a video frame of facial data or three dimensional data of an image, the three dimensional data including infrared data, and the instructions, when executed, cause the computing device to obtain at least one of the facial data or the three dimensional data from the biometric capture device, the biometric capture device includes at least one of a camera, a fingerprint scanner, or a retina scanner.

8. An apparatus for secure communication, the apparatus comprising:
- memory including instructions; and
  
  one or more processors including a first trusted execution environment (TEE) and a second TEE, the first TEE being independent from the second TEE, the second TEE being sealed, the one or more processors to execute the instructions to;
  
  generate, in the first TEE, an indicator when biometric data from a biometric capture device matches a biometric template stored in the first TEE;
  
  pass the indicator and signed data generated in the first TEE that identifies the first TEE to the second TEE; and
  
  in response to determining that the indicator is from the first TEE, unseal the second TEE.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the instructions, when executed, cause the one or more processors to:
    - request a biometric match claim from a credential manager application in a third execution environment separate from the first TEE and the second TEE; and
      
      request the biometric data from the biometric capture device.
  - 10. The apparatus of claim 8, wherein the apparatus includes the biometric capture device, the biometric capture device includes a camera, and the biometric data includes video frames of a face captured by the camera.
  - 11. The apparatus of claim 8, wherein the instructions, when executed, cause the one or more processors to provide a signature on a video frame of the biometric data, the signature to identify a camera that originated the video frame.
  - 12. The apparatus of claim 8, wherein the biometric data includes a video frame of a face and the biometric template is a face template, and the instructions, when executed, cause the one or more processors to:
    - verify that the video frame is from a camera of the biometric capture device based on a signature of the video frame; and
      
      compare the video frame with the face template.
  - 13. The apparatus of claim 8, wherein the second TEE includes a virtual smartcard, the second TEE including cryptographic data specific to a user corresponding to the biometric data, the cryptographic data including one or more cryptographic keys, and the instructions, when executed, cause the one or more processors to provide access to the cryptographic data when the second TEE is unsealed.
  - 14. The apparatus of claim 8, wherein the apparatus includes the biometric capture device, the biometric capture device including at least one of a camera, a fingerprint scanner, or a retina scanner, and the biometric data includes at least one of a video frame of facial data or three dimensional data of an image, the three dimensional data including infrared data.

15. A method for secure communications, the method comprising:
- generating, in a first trusted execution environment (TEE), an indicator when biometric data from a biometric capture device matches a stored biometric template;
  
  transmitting the indicator and signed data generated in the first TEE to a second TEE, the signed data to identify the first TEE, the first TEE being independent from the second TEE, the second TEE being sealed; and
  
  in response to determining that the indicator is from the first TEE based on the signed data, unsealing the second TEE based on the indicator to facilitate access to the second TEE.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, further including:
    - requesting a biometric match claim from a credential manager application in a third execution environment separate from the first TEE and the second TEE; and
      
      requesting the biometric data from the biometric capture device.
  - 17. The method of claim 15, wherein the biometric capture device includes a camera and the biometric data includes a video frame of a face captured by the camera.
  - 18. The method of claim 15, further including providing a signature on a video frame of the biometric data, the signature to identify a camera that originated the video frame.
  - 19. The method of claim 15, wherein the biometric data includes a video frame of a face and the biometric template is a face template, and further including:
    - verifying that the video frame is from a camera of the biometric capture device based on a signature of the video frame; and
      
      comparing the video frame with the face template.
  - 20. The method of claim 15, wherein the second TEE includes a virtual smartcard, the second TEE including cryptographic data specific to a user corresponding to the biometric data, the cryptographic data including one or more cryptographic keys, and further including providing access to the cryptographic data when the second TEE is unsealed.
  - 21. The method of claim 15, wherein the biometric capture device includes at least one of a camera, a fingerprint scanner, or a retina scanner, and the biometric data includes at least one of a video frame of facial data or three dimensional data of an image, the three dimensional data including infrared data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Proulx, Francois, Rene, Mathieu
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US16/370,827
Publication Number

US 20190228142A1
Time in Patent Office

424 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/32 using biometric data, e.g. ...

G06F 21/57 Certifying or maintaining t...

Secure communication between a virtual smartcard enclave and a trusted I/O enclave

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication between a virtual smartcard enclave and a trusted I/O enclave

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links