Electronic data vault providing biometrically protected electronic signatures

US 20040236694A1
Filed: 12/17/2003
Published: 11/25/2004
Est. Priority Date: 06/18/2001
Status: Active Grant

First Claim

Patent Images

1. An electronic data vault system (eVault) comprising means for securely storing personal data for one or more users, the secured personal data being stored in a datastore associated with a specific user, at least one item of the personal data being at least one cryptographic key for the one or more users, and wherein the system further comprises an interface for allowing controlled access to the system by a user, means for performing authentication of users using biometric matching, and further comprises a policy management system allowing a user to define policies controlling the access of specific service providers to specific parts of the user datastore, defining the data that may be deposited by specific service providers into a user'"'"'s datastore, and defining default data access levels for service providers not specifically identified.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system (“eVault”) securely stores personal data and documents for citizens and allows controlled access by citizens and optionally by service providers. The eVault may be adapted to allow processes involving the documents to be carried out in a secure and paperless fashion. Documents are certified, and biometric matching is used for security. On effecting a match to a biometric identifier presented by a user, the user is allowed access to their personal eVault and to a personal cryptographic key stored there. One or more of these personal keys may be securely applied within the eVault to generate an electronic signature, amongst other functions.

Citations

53 Claims

1. An electronic data vault system (eVault) comprising means for securely storing personal data for one or more users, the secured personal data being stored in a datastore associated with a specific user, at least one item of the personal data being at least one cryptographic key for the one or more users, and wherein the system further comprises an interface for allowing controlled access to the system by a user, means for performing authentication of users using biometric matching, and further comprises a policy management system allowing a user to define policies controlling the access of specific service providers to specific parts of the user datastore, defining the data that may be deposited by specific service providers into a user'"'"'s datastore, and defining default data access levels for service providers not specifically identified.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 53)
- - 2. A system as claimed in claim 1, wherein the system is adapted to store documents associated with one or more users.
  - 3. A system as claimed in claim 1 and additionally comprising a data processing system.
  - 4. A system as claimed in claim 1 further comprising a service provider interface for allowing controlled access by service providers for a) updating the data and documents and b) performing processes requiring access to the data and documents.
  - 6. A system as claimed in claim 1, wherein the system further comprises means for certifying data or documents.
  - 7. A system as claimed in claim 6 where the certification process includes at least one step selected from the group consisting of (a) ensuring that the submitted data meets a correct. predefined format, (b) the information included in the data or documents corresponds to already certified data held in the user datastore, (c) the submitter has the correct permissions and has been authenticated to the necessary security level for performing the submission of the submitted data, (d) the user has provided permission for the data ho be submitted, optionally from an identified service provider, (e) the addition of a timestamp to the submitted data, and (f) the application of one or more electronic signatures to the submitted data or document.
  - 8. A system as claimed in claim 1, wherein the system comprises means for storing the data and documents in distributed locations for presenting a single centralised view to users.
  - 9. A system as defined in claim 8 where the distributed locations include datastores managed and maintained by independent third-party service providers.
  - 10. A system as claimed in claim 1, wherein the interface comprises means for allowing access using a plurality of different types of devices including telephones, kiosks, ATMs, PDAs, mobile devices and Web browsers.
  - 11. A system as claimed in claim 1, wherein the system comprises means for performing multi-modal biometric verification.
  - 12. A system as claimed in claim 1 further including means for executing one or more processes in communication with service providers, at least one of the processes being an enabling of completion of service application forms online and for automatically populating parts of the forms using data retrieved from within the system.
  - 13. A system as claimed in claim 1 further comprising means for making at least one cryptographic key available for secure communication between the user and service providers.
  - 14. A system as claimed in claim 1 further including means to enable third parties access to documents or data specifically related to one or more users, such that the third party may directly request the data from the eVault, or the eVault may automatically push the data to specific third parties, when it is updated within the eVault.
  - 53. The method as claimed in claim 14 further including the step of returning the cryptographic key to the user on matching the identifier in the datastore with the supplied biometric identifier.

5. Cancelled.

15. A method of associating at least one cryptographic key with a specific user and storing an associated key in a datastore specific to that user, the method comprising the steps of:
- a) storing a set having one or more personal identifiers associated with the user in a datastore specific to that user, b) linking the set of personal identifiers with at least one cryptographic key generated for that user, and wherein the set of personal identifiers associated with the user includes at least one biometric identifier, and at least one cryptographic key may subsequently be accessed by providing at least one biometric identifier, the access to the cryptographic key being effected by the steps of;
  
  c) receiving a biometric identifier from the user, d) comparing the biometric identifier with a datastore of previously stored identifiers, and e) on matching an identifier in the datastore with the supplied biometric identifier, providing that previously stored cryptographic key for use.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 38)
- - 16. The method as claimed in claim 15 wherein at least one cryptographic key comprises a set of cryptographic keys.
  - 17. The method as claimed in claim 16 wherein the set of keys includes a pair of public and private keys.
  - 18. The method as claimed in claim 15 wherein the set of cryptographic keys includes a symmetric key.
  - 19. The method as claimed in claim 15 wherein at least one cryptographic key includes an asymmetric key.
  - 20. The method as claimed in claim 15 wherein the step of storing a set of personal identifiers with the user includes the steps of:
    - a) electronically registering the user, b) capturing a set of identifiers presented by the user, and c) storing the set of identifiers in the datastore.
  - 21. The method as claimed in claim 19 comprising the additional steps of:
    - a) comparing the captured set of identifiers with previously stored identifiers in said datastore, and b) accepting the captured set of identifiers where the step of comparing the captured set of identifiers does not find a matching previously stored identifier.
  - 22. The method as claimed in claim 15 further comprising the steps of:
    - a) associating the specific user with a pre-existing user, b) authenticating the identity of that pre-existing user, and c) storing the set of identifiers for the specific user after authentication of the pre-existing user.
  - 23. The method according to claim 15 further comprising the step of requesting a cryptographic key or keys for a specific user be generated after the biometric identifiers have been associated with and stored for that user.
  - 24. The method as claimed in claim 22 wherein the request for a cryptographic key or keys to be generated is a signed request.
  - 38. The method as claimed in claim 15 wherein the biometric identifier is selected from one of the biometric types selected from the group consisting of iris, voice, finger, blood, DNA, Retina, Face, and Hand Geometry.

25. (Cancelled)

26. A method of providing a user with access to an electronically stored document, the method comprising the steps of:
- a) receiving a request;
  
  from a user for a specific document, the request including at least one biometric identifier for that user, b) comparing the supplied biometric identifier with a set of pre-stored identifiers so as to authenticate the user, and wherein access is provided to the electronic document by forwarding a copy of the requested document to the user if the step of comparing the supplied biometric identifier authenticates the user, and wherein the biometric identifier is received at a document repository, the biometric identifier being encrypted prior to receipt at the repository, and further wherein the repository forwards the encrypted identifier to an authentication engine where it is decrypted and compared with the set of pre-stored identifiers so as to authenticate the user.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39)
- - 28. The method as claimed in claim 26 wherein the authentication engine, on authentication of the identity of the user, returns an authentication ticket to the document repository, the authentication ticket indicating whether the user is authenticated or not.
  - 29. The method as claimed in claim 28 wherein on authentication of the user and receipt of said ticket at the document repository, the repository confirms that the authenticated user is entitled to retrieve the requested document and, on confirmation of same, returns the requested document and authentication ticket to the user.
  - 30. The method as claimed in claim 28 wherein the authentication ticket is returned to the user by means of software tokens, forwarded by the repository to the user.
  - 31. A method of applying an electronic signature to a document, the method comprising the steps of:
    - a) receiving an encrypted digest of a document and an authentication ticket of a user from said user, the document and authentication ticket having being forwarded to the user according to the method steps of claim 26, b) applying an electronic signature to the verified authentication ticket and encrypted digest, and forwarding said signed combination to a key trust, the key trust being adapted to verify the authenticity of the applied signature and the authentication ticket, c) on verification of said applied signature and authentication ticket obtaining a cryptographic key from a datastore associated with the key trust, the cryptographic key selected;
      
      being associated with the biometric identifier detailed in the authentication ticket, and d) signing the digest using the cryptographic key, the signed digest forming an electronic signature for the document linkable to the user.
  - 32. The method as claimed in claim 31 comprising the additional step of verifying the authentication ticket received from the user prior to forwarding the ticket to the key trust.
  - 33. The method as claimed in claim 31 comprising the further steps of:
    - a) receiving the electronic signature from the key trust and returning the electronic signature to the user, and b) storing the electronic signature.
  - 34. The method as claimed in claim 31 wherein the key trust decrypts the cryptographic key, the decryption being effected using a key corresponding to the claim identity signed by the authentication engine.
  - 35. The method as claimed in claim 31 wherein the key trust decrypts the cryptographic key, the decryption being effected using a key corresponding to one or more claims.
  - 36. The method as claimed in claim 34 wherein the key used to decrypt the selected cryptographic key is a symmetric key.
  - 37. The method as claimed in claim 34 wherein the key used to decrypt the selected cryptographic key is an asymmetric key.
  - 39. The method as claimed in claim 31 wherein a signing of a document includes the application of a time stamp to that signature.

27. (Cancelled)

40-48. -48. (Cancelled).

49. A security access system for providing a user with access to an electronically stored document, the document being stored in a datastore specific to that user, the system comprising:
- a) means for receiving a request from a user for a specific document, the request including at least one biometric identifier for that user, b) means for comparing the supplied biometric identifier with a set of pre-stored identifiers so as to authenticate the user, and c) means for forwarding a copy of the requested document to the user if the means for comparing the supplied biometric identifier authenticates the user.
- View Dependent Claims (50, 51, 52)
- - 50. The system as claimed in claim 49 wherein the biometric identifier is received at a document repository, the biometric identifier being encrypted prior to receipt at the repository, and wherein the repository forwards the encrypted identifier to an authentication engine where it is decrypted and compared with the set of pre-stored identifiers so as to authenticate the user.
  - 51. The system as claimed in claim 50 wherein the authentication engine, on authentication of the identity of the user, is adapted to return an authentication ticket to the document repository, the authentication ticket indicating whether the user is authenticated or not.
  - 52. The system as claimed in claim 51 wherein on authentication of the user and receipt of said ticket at the document repository, the repository is adapted to confirm that the authenticated user is entitled to retrieve the requested document and, on confirmation of same, is adapted to return the requested document and authentication ticket to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daon Holdings Limited
Original Assignee
Daon Holdings Limited
Inventors
White, Conor, Peirce, Michael, Tattan, Oliver, Loughman, Stephen, Murphy, Michael

Granted Patent

US 7,676,439 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/50
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6245   Protecting personal data, e...

G06Q 20/027   involving a payment switch ...

G06Q 20/0855   involving a third party

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/68   Special signature format, e...

H04L 2209/80   Wireless

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

Electronic data vault providing biometrically protected electronic signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic data vault providing biometrically protected electronic signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links