Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

US 20110126024A1
Filed: 01/31/2011
Published: 05/26/2011
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A stand-alone computing device incorporating;

a processor, memory and software;

a password authentication process;

a method of generating a device ID from characteristics of device hardware components;

a method of obtaining a PIN value by one of a) generating said PIN value from said device ID and b) a method of entering said PIN value on the device;

a method of generating a one-way hashed value of said PIN;

a method of obfuscating and de-obfuscating a password using said hashed value of said PIN and said Device ID;

a method of storing said obfuscated password in said memory;

a biometric sensor capability;

said software capable of transforming biometric sample data to a consistent angle of inclination, biometrically enrolling and verifying the identity of device users by matching the biometric samples captured from said biometric sensor with at least one biometric template stored in encrypted form in the device memory;

a method of generating a template encryption key using at least said obfuscated password and said hashed PIN;

a method of encrypting and decrypting said biometric template using said encryption key;

a method of de-obfuscating said password and submitting it to said authentication process in response to the successful decryption of the said biometric template and the successful matching of said biometric sample to said biometric template.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Biometric data, suitably transformed are obtained from a biometric input device contained within a stand-alone computing device and used in conjunction with a PIN to authenticate the user to the device. The biometric template and other data residing on the device are encrypted using hardware elements of the device, the PIN and Password hash. A stored obfuscated password is de-obfuscated and released to the device authentication mechanism in response to a successfully decrypted template and matching biometric sample and PIN. The de-obfuscated password is used to authenticate the user to device, the user to a remote computer, and to encrypt device data at rest on the device and in transit to and from the remote computer. This creates a trusted relationship between the stand-alone device and the remote computer. The system also eliminates the need for the user to remember and enter complex passwords on the device.

147 Citations

16 Claims

1. A stand-alone computing device incorporating;
- a processor, memory and software;
  
  a password authentication process;
  
  a method of generating a device ID from characteristics of device hardware components;
  
  a method of obtaining a PIN value by one of a) generating said PIN value from said device ID and b) a method of entering said PIN value on the device;
  
  a method of generating a one-way hashed value of said PIN;
  
  a method of obfuscating and de-obfuscating a password using said hashed value of said PIN and said Device ID;
  
  a method of storing said obfuscated password in said memory;
  
  a biometric sensor capability;
  
  said software capable of transforming biometric sample data to a consistent angle of inclination, biometrically enrolling and verifying the identity of device users by matching the biometric samples captured from said biometric sensor with at least one biometric template stored in encrypted form in the device memory;
  
  a method of generating a template encryption key using at least said obfuscated password and said hashed PIN;
  
  a method of encrypting and decrypting said biometric template using said encryption key;
  
  a method of de-obfuscating said password and submitting it to said authentication process in response to the successful decryption of the said biometric template and the successful matching of said biometric sample to said biometric template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method for authenticating a user to a stand-alone device as recited in claim 1 where said device is connected, through a network to a remote computer;
    - said device and said remote computer achieving mutual remote computer/device authentication through the following steps;
      
      a) Remote computer requests active device user to authenticate to the device using said biometric verification and said PINb) Device communicates encrypted data, including a user credential over said network using a symmetrical encryption key, which is a function of at least one of the one-way hashed value of said password (generated following a PIN and biometric match) and said device IDc) Device communicates at least said device ID, encrypted with said symmetrical encryption key, to said remote computerd) Remote computer calculates said symmetrical encryption key from a stored value of the said password hash, decrypts at least said device ID and authenticates it as a legitimate device on said networke) Remote computer acknowledges the legitimacy of said network communication by encrypting the hashed password using said symmetrical key and communicates this data to said device.f) Device decrypts said data, tests the said hashed password for authenticity and in response to said test, acknowledges remote computer legitimacy to remote computer and grants it full access to said stand-alone computer.g) Remote computer checks said device system to see if it complies with network security policy, changes it in response to its acceptability and, if appropriate, releases said user credential to said remote computer application.h) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies said device according to enterprise security policy.
  - 3. The method for authenticating a user to a stand-alone device as recited in claim 1 where said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication through the following steps:
    - a) Remote computer requests active device user to authenticate to the device using said biometric verification and said PINb) After successful submission of biometric sample and PIN device generates said password which is used to release a Private Key to implement a PKI encryption and authentication protocol between it and the said remote computer.c) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies said device according to enterprise security policy.
  - 4. The stand-alone computing device of claim 1 where the said biometric sensor comprises one of a stylus-based screen entry digitizer and a finger-based screen entry digitizer and records sign input.
  - 5. The stand-alone computing device in claim 4 where said biometric template is adaptive, and includes biometric feature means and variances and is stored and updated on said computing device;
    - said signs to be chosen by the user and to be one of, a secret sign without user feedback and a signature with user feedback, said biometric samples to contain, at least, said (X,Y) coordinate values, each set of co-ordinate values having one of an associated explicit and inferred time stamp;
      
      said biometric feature means modified by discriminating weights chosen to offer powerful discrimination between authentic and impostor samples.
  - 6. The stand alone computing device in claim 5 where said biometric feature means are functions of at least one of:
    - a. V(x), where V(x) is the variance of the x-coordinate values of the transformed sign.b. V(y) where V(y) is the variance of the y-coordinate values of said transformed sign.c. C(x,y) where C(x,y) is the covariance of the transformed sign coordinate valuesd. Total sign time.e. Total in-contact sign timef. Total out-of contact sign time.g. Positions of (x,y) turning points with respect to time.h. Positions of (x,y) turning points with respect to x-position.i. Positions of (x,y) turning points with respect to y-position.j. An estimate of total x-distance traveled.k. An estimate of total y-distance traveled.l. (x,y) positions of new points of stylus contact with respect to timem. New out-of-contact stylus (x,y) positions with respect to x-positionn. (x,y) positions of new points of stylus contact with respect to x-positiono. (x,y) positions of new out-of-contact stylus positions with respect to timep. Forehand (x,y) distancesq. Backhand (x,y) distances.
  - 7. The stand-alone computing device in claim 1 where:
    - a) The said biometric template contains an electronic representation of the user'"'"'s valid signature which is released to electronic documents requiring it, said electronic documents subsequently being communicated to a remote computer storing a valid signature for said user, which is used to check the authenticity of the said electronic representation of user'"'"'s valid signature, requiring an exact or very close match.b) The said biometric template includes a time-stamp associated with the last time it was used to match a biometric sample.c) The said biometric template includes an authentication code which is a definitive function of at least the said template data.d) The said biometric template contains the number of samples contributing to its values.
  - 8. The stand alone computing device in claim 1 which contains an integrated IC card reader and where the user credential is released in the following manner:
    - a) The said biometric template and a user credential are stored on an IC card.b) The PIN and biometric matching processes are undertaken on the IC card.c) Responsive to a correct PIN and biometric match, said user credential is released to be compared to the same information stored on a remote computer.

9. A stand-alone computing device incorporating;
- a processor, memory and software capable of biometrically enrolling device users, by capturing biometric samples and extracting biometric feature values from signs made on an electronic signing area of said computing device, by one of a stylus and a finger;
  
  verifying the identity of a user by matching a new biometric sample with a previously enrolled biometric template;
  
  said signs to be chosen by the user, entered on said electronic signing area of said stand-alone computing device and to be one of, a secret sign without user feedback and a signature with user feedback;
  
  said biometric samples to contain, at least, said (X,Y) coordinate values, each set of co-ordinate values having one of an associated explicit and inferred time stamp;
  
  said biometric feature means modified by discriminating weights chosen to offer powerful discrimination between authentic and impostor samples;
  
  said biometric template to further include an electronic representation of said user'"'"'s authentic signature;
  
  said authentic electronic signature to be released for comparison with the same electronic signature stored on a second computer remote from the stand alone computing device;
  
  said software also capable of generating a password and password hash from a stored, de-obfuscated password, generated following PIN and biometric match, and said device ID.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9 where said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication through the following steps:
    - a) Remote computer requests active device user to authenticate to the device for mutual device authentication.b) Device communicates encrypted data over said network using a symmetrical encryption key, which is a function of at least one of the hashed value of said password.c) Device communicates at least said device ID, encrypted with said symmetrical encryption key, to said remote computerd) Remote computer calculates said symmetrical encryption key, decrypts at least said device ID and authenticates it as a legitimate device on said networke) Remote computer acknowledges the legitimacy of said network communication by encrypting one of said hashed password and other known data using said symmetrical key and communicating it to the device.f) Device checks the value of one of the said hashed password and said other known data, acknowledges remote computer legitimacy to remote computer and grants it full access to said deviceg) Remote computer checks said device system to see if it complies with network security policy, changes it in response to its acceptability and, if appropriate, releases a trusted credential.h) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies the device according to network security policy.
  - 11. The method in claim 9 for authenticating a user to a stand-alone device where said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication through the following steps:
    - a) Remote computer requests active device user to authenticate to the device using said biometric verification and said PINb) After successful submission of biometric sample and PIN device generates said password which is used to release a Private Key to implement a PKI encryption and authentication protocol between it and the said remote computer.c) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies said device according to enterprise security policy.

12. A stand-alone computing device incorporating;
- a processor, memory and software;
  
  a password authentication process;
  
  a method of generating a device ID from characteristics of device hardware components;
  
  a method of obtaining a PIN value by one of a) generating a PIN value from said device ID and b) a method of entering a PIN value on the device screen;
  
  a method of generating a one-way hashed value of said PIN;
  
  a method of obfuscating and de-obfuscating a password using said hashed value of said PIN and said Device ID;
  
  a biometric sensor capability;
  
  said software, biometrically enrolling and verifying the identity of device users by matching biometric samples captured from said biometric sensor with at least one biometric template stored in encrypted form in the device memory;
  
  a method of generating a template encryption key using at least said obfuscated password and said hashed PIN;
  
  a method of encrypting and decrypting said biometric template using said encryption key;
  
  a method of submitting said de-obfuscated password and submitting it to said authentication process in response to the successful decryption of the said biometric template and the successful matching of said biometric sample to said biometric template.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12 where said device is connected, through a network to a remote computer, said device and saidremote computer achieving mutual remote computer/device authentication through the following steps:
    - a) Remote computer requests active device user to authenticate to the device using said biometric verification and said PIN.b) Device communicates encrypted data, including a user credential over said network using a symmetrical encryption key, which is a function of at least one of the one-way hashed value of said password (generated following a PIN and biometric match) and said device ID.c) Device communicates at least said device ID, encrypted with said symmetrical encryption key, to said remote computer.d) Remote computer calculates said symmetrical encryption key from a stored value of the said password hash, decrypts at least said device ID and authenticates it as a legitimate device on said network.e) Remote computer acknowledges the legitimacy of said network communication by encrypting the hashed password using said symmetrical key and communicates this data to said device.f) Device decrypts said data, tests the said hashed password for authenticity and in response to said test, acknowledges remote computer legitimacy to remote computer and grants it full access to said stand-alone computing device.g) Remote computer checks said device system to see if it complies with network security policy, changes it in response to its acceptability and, if appropriate, releases said user credential.h) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies said device according to enterprise security policy.
  - 14. The method of claim 12 where said device is connected, through a network to a remote remote computer, said device and said remote computer achieving mutual remote computer/device authentication through the following steps:
    - a) Remote computer requests active device user to authenticate to the device using said biometric verification and said PIN.b) After successful submission of biometric sample and PIN device generates said password which is used to release a Private Key to implement a PKI encryption and authentication protocol between it and the said remote computer.c) In the absence of said active device responding to said remote computer request, remote computer gains full access to said device and modifies said device according to enterprise security policy.
  - 15. The method of claim 12 where said biometric template includes an electronic representation of said user'"'"'s electronic signature which, in response to a satisfactory biometric match of a biometric sample with said template, is released in encrypted form for comparison with a very close replica of said electronic signature stored remotely on a separate computer.
  - 16. The stand alone computing device in claim 12 where said device and said device user authenticate to a remote computer using a CBEFF patron such as ANSI BioAPI and where the BioAPI payload includes at least said device ID encrypted with said symmetrical encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocrypt Access, LLC
Original Assignee
Christopher J. Beatson, Mark A. Kelty, Rodney Beatson
Inventors
Beatson, Rodney, Beatson, Christopher J., Kelty, Mark A.

Granted Patent

US 8,842,887 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/186
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2129   Authenticate client device ...

G06V 30/1478   of characters or characters...

G06V 40/382   Preprocessing; Feature extr...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3242   involving keyed hash functi...

Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links