Secure Biometric Verification of Identity

US 20080019578A1
Filed: 09/28/2007
Published: 01/24/2008
Est. Priority Date: 09/10/2002
Status: Active Grant

First Claim

Patent Images

1. An identification card comprising:

an on-board memory for storing reference data;

an on-board sensor for capturing live biometric data;

an on-board microprocessor for comparing the captured biometric data with corresponding stored reference data within a predetermined threshold and for generating a verification message only if there is a match within the predetermined threshold; and

means for communicating the verification message to an external network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high security identification card includes an on-board memory for stored biometric data and an on-board sensor for capturing live biometric data. An on-board processor on the card performs a matching operation to verify that the captured biometric data matches the locally stored biometric data. Only if there is a positive match is any data transmitted from the card for additional verification and/or further processing. Preferably, the card is ISO SmartCard compatible. In one embodiment, the ISO SmartCard functions as a firewall for protecting the security processor used for storing and processing the protected biometric data from malicious external attack via the ISO SmartCard interface. In another embodiment, the security processor is inserted between the ISO SmartCard Interface and an unmodified ISO SmartCard processor and blocks any external communications until the user'"'"'s fingerprint has been matched with a previously registered fingerprint. Real-time feedback is provided while the user is manipulating his finger over the fingerprint sensor, thereby facilitating an optimal placement of the finger over the sensor. The card may be used to enable communication with a transactional network or to obtain physical access into a secure area.

228 Citations

25 Claims

1. An identification card comprising:
- an on-board memory for storing reference data;
  
  an on-board sensor for capturing live biometric data;
  
  an on-board microprocessor for comparing the captured biometric data with corresponding stored reference data within a predetermined threshold and for generating a verification message only if there is a match within the predetermined threshold; and
  
  means for communicating the verification message to an external network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The identification card of claim 1, wherein the verification message includes at least excerpts from the stored reference data.
  - 3. The identification card of claim 2, wherein the on-board processor is configured to perform matching of the captured biometric data with corresponding stored reference data completely, such that the captured biometric data is not required to be transmitted to the external network in order to complete the matching.
  - 4. The identification card of claim 1, wherein the means for communicating comprises an interface and wherein the verification message includes at least excerpts from the captured biometric data, the verification message being transmitted to a remote authentication system for additional verification using reference data which is different from the reference data stored on the on-board memory.
  - 5. The identification card of claim 4, wherein the on-board microprocessor uses a different matching algorithm than that used at the remote authentication system.
  - 6. The identification card of claim 1, wherein the identification card is ISO SmartCard compatible.
  - 7. The identification card of claim 6, wherein the on-board processor is a security processor for storing and processing the protected biometric data, and wherein the identification card further comprises an ISO SmartCard processor.
  - 8. The identification card of claim 7, wherein the security processor is functionally separated from the ISO SmartCard processor by a firewall.
  - 9. The identification card of claim 7, wherein external data to and from the security processor passes through the ISO SmartCard processor.
  - 10. The identification card of claim 7, wherein external data to and from the ISO SmartCard processor passes through the security processor.
  - 11. The identification card of claim 7, wherein the security processor comprises:
    - a first connection used for loading data during a loading process; and
      
      a second connection connected to the external network.
  - 12. The identification card of claim 11, wherein the first connection is configured to be permanently disabled after the loading process has been completed.
  - 13. The identification card of claim 7, wherein the identification card comprises a magnetic stripe region and an embossed region, wherein the biometric sensor comprises a fingerprint sensor, and wherein the security processor, the ISO SmartCard processor, and the fingerprint sensor are located in a middle region between the magnetic stripe region and the embossed region.
  - 14. The identification card of claim 1, wherein the biometric data includes fingerprint data, the on-board sensor is a fingerprint sensor that captures data from a user'"'"'s finger placed on the fingerprint sensor, and the indentification card provides real-time feedback for finger placement while the user is manipulating his or her finger over the fingerprint sensor, thereby facilitating an adequate placement of the finger over the fingerprint sensor.
  - 15. The identification card of claim 1, wherein the biometric data includes fingerprint data, the sensor is a fingerprint sensor that captures data from a user'"'"'s finger placed on the fingerprint sensor, and wherein the on-board microprocessor is configured to use a hybrid matching process in comparing the captured biometric data with corresponding stored reference data, wherein the hybrid matching process depends on both minutiae and overall spatial relationships in the fingerprint data.
  - 16. The identification card of claim 1, wherein the biometric data includes fingerprint data, the on-board sensor is a fingerprint sensor that captures data from a user'"'"'s finger placed on the fingerprint sensor, and wherein the fingerprint sensor further comprises a sheet of crystalline silicon supported by a backing plate.
  - 17. The identification card of claim 16, wherein the backing plate comprises a glass epoxy layer between two metal layers and the backing plate is reinforced by a carrier frame surrounding the sheet of crystalline silicon.
  - 18. The identification card of claim 1, wherein the card further comprises means for restricting use of the identification card to a predetermined location.
  - 19. The identification card of claim 1, wherein at least some of the captured biometric data and the reference data are transmitted to a separate authentication server for secure verification of a user'"'"'s identity prior to any grant of on-line access to an application server for processing of secure financial transactions involving that user.

20. A method of verifying identity using an identification card having therein an on-board memory, an on-board sensor, an on-board security microprocessor and a communication interface for interfacing with an external network, the method comprising:
- maintaining stored reference data in the on-board memory;
  
  capturing live biometric data using the on-board sensor;
  
  comparing, using the on-board security microprocessor, the captured biometric data with corresponding stored reference data within a predetermined threshold;
  
  if there is a match within the predetermined threshold, generating a verification message;
  
  communicating the verification message to a remote authentication system over an external network, wherein the verification message includes at least excerpts from the captured biometric data, the verification message being transmitted to a remote authentication system for additional verification using reference data that is different from the stored reference data stored on the on-board memory; and
  
  executing a secure three-way authentication protocol in response to a match request relating to a particular logon attempt at a particular application server that produces a positive match at the authentication server, the secure three-way authentication protocol executed such that a challenge character sequence is sent from the authentication server to the identification card, which the identification card uses along with the match request to generate a challenge response that is then forwarded to the application server, in response so which the application server then forwards the challenge response to the authentication server, which then verifies whether the challenge response is valid.

21. A method for identifying a user of an intelligent identification card, the intelligent identification card including an on-board memory storing reference data and an on-board biometric sensor, the method comprising:
- capturing live biometric data using the on-board sensor;
  
  comparing the captured biometric data with corresponding reference data stored in the on-board memory within a predetermined threshold;
  
  generating a verification message only if there is a match within the predetermined threshold;
  
  communicating the verification message to an external network, the verification massage including at least excerpts from the captured biometric data; and
  
  additionally verifying the user at a remote authentication system using reference data which is different from the reference data stored on the on-board memory.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein a matching process used in the identification card is different from a matching process used by the remote authentication system.
  - 23. The method of claim 21, further comprising:
    - transmitting at least some of the captured biometric data and the reference data to a separate authentication server for secure verification of a user'"'"'s identity prior to any grant of on-line access to an application server for processing of secure financial transactions involving that user.
  - 24. The method of claim 21, further comprising:
    - receiving a match request relating to a particular logon attempt at a particular application server; and
      
      executing, if a positive match is produced at an authentication server in response to the match request, a secure three-way authentication protocol, the authentication protocol including;
      
      a) sending a challenge character sequence from the authentication server to the identification card;
      
      b) generating, at the identification card, a challenge response based on the challenge character sequence and the match request;
      
      c) forwarding the challenge response to the application server;
      
      d) forwarding the challenge response from the application server to the authentication server; and
      
      e) verifying, at the authentication server, whether the challenge response is valid.

25. An apparatus for identifying a user of an intelligent identification card, the intelligent identification card including an on-board memory storing reference data and an on-board biometric sensor, the apparatus comprising:
- means for capturing live biometric data using the on-board sensor;
  
  means for comparing the captured biometric data with corresponding reference data stored in the on-board memory within a predetermined threshold;
  
  means for generating a verification message only if there is a match within the predetermined threshold; and
  
  means for communicating the verification message to an external network, wherein the verification message includes at least excerpts from the captured biometric data, the verification message being transmitted to a remote authentication system for additional verification using remotely stored reference data which is different from the local reference data stored on the on-board memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IVI Holdings Limited
Original Assignee
IVI Smart Technologies Incorporated
Inventors
Aida, Takashi, Drizin, Wayne, Saito, Tamio

Granted Patent

US 8,904,187 B2
Time in Patent Office

Days
Field of Search
US Class Current

382/124
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/35   communicating wirelessly

G06K 19/07   with integrated circuit chips

G06K 19/07354   by biometrically sensitive ...

G07C 9/257   electronically G07C9/26 tak...

G07C 9/26   using a biometric sensor in...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3271   using challenge-response

Secure Biometric Verification of Identity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Biometric Verification of Identity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links