Method and System for Providing Password-free, Hardware-rooted, ASIC-based Authentication of a Human to a Mobile Device using Biometrics with a Protected, Local Template to Release Trusted Credentials to Relying Parties

US 20140365782A1
Filed: 03/06/2014
Published: 12/11/2014
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A mobile device incorporating;

a processor, memory, signed software, at least one sensor, capable of capturing biometric data and an ASIC, contained within or connected to said mobile device and dedicated to causing certain biometric authentication and encryption operations to take place;

said mobile device incorporating signed software code, said signed software code incorporating;

a means of capturing biometric signature/sign input from a human;

a means of capturing biometric sensor input from a human;

a means of acquiring PIN input from a human;

a means of capturing password input from a human and a means of password authentication;

said ASIC to incorporate a processor, a non-volatile storage area containing authentication parameters, at least one encrypted biometric template, credential information and an obfuscated password;

said ASIC memory also containing a non-volatile software code storage unit containing software code;

said code defining a method of generating a hardware ID from characteristics of hardware components;

a method of obtaining a hashed PIN value by one of a) generating said hashed PIN value from said hardware ID and b) generating said hashed value from said PIN value entered on the mobile device;

a method of obfuscating and de-obfuscating a password using said hashed value of said PIN and said hardware ID;

a method of storing said obfuscated password in said memory of said ASIC;

said ASIC software code capable of transforming biometric sample data to a consistent angle of inclination, biometrically enrolling and verifying the identity of mobile device users by matching the biometric samples captured from said biometric sensor with at least one biometric template stored in encrypted form in the said ASIC memory;

a method of generating a template encryption key using at least said obfuscated password and said hashed PIN;

a method of encrypting and decrypting said biometric template using said encryption key;

a method of de-obfuscating said password and submitting it to one of the said mobile device authentication process, including a Trusted Platform Module and the server authentication process, in response to the successful decryption of the said biometric template and the successful matching of said biometric sample to said biometric template, thereby relieving the user of the need to enter a complex password for the purposes of mobile device access and encryption.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Biometric data, which may be suitably transformed are obtained from a biometric input device contained within a stand-alone computer or a mobile device, which may contain an ASIC chip connected to or incorporated within the stand-alone computer or mobile device and which includes the capability for capturing one or more biometric samples and for biometric feature extraction, matching and encryption. For extra security, the biometric matching is used in conjunction with a PIN to authenticate the user to the stand-alone computer or mobile device. The biometric template and other sensitive data residing on the mobile device are encrypted using hardware elements of the mobile device (or the ASIC) together with the PIN hash and/or the Password hash. An obfuscated version of the Password, stored on the ASIC or the mobile device is de-obfuscated and released to the mobile device authentication mechanism, including a Trusted Platform Module if present, in response to a successfully decrypted template and matching biometric sample and PIN. A de-obfuscated password is used to authenticate the user to the mobile device and the same or a different de-obfuscated password may be used to authenticate the user to a remote computer using the SSL/TLS or a process based upon a symmetric encryption algorithm. The locally generated password may be used to encrypt data at rest on the mobile device or ASIC and the remote authentication password may be used to encrypt data in transit to and from a remote computer. This creates a trusted relationship between the stand-alone computer or mobile device and the remote computer. The system also eliminates the need for the user to remember and enter complex passwords on the mobile device or for secure transmission of data. A similar method may be used, with the signature/sign biometric modality to determine whether the holder of an IC chip card is, in fact the card owner.

Citations

16 Claims

1. A mobile device incorporating;
- a processor, memory, signed software, at least one sensor, capable of capturing biometric data and an ASIC, contained within or connected to said mobile device and dedicated to causing certain biometric authentication and encryption operations to take place;
  
  said mobile device incorporating signed software code, said signed software code incorporating;
  
  a means of capturing biometric signature/sign input from a human;
  
  a means of capturing biometric sensor input from a human;
  
  a means of acquiring PIN input from a human;
  
  a means of capturing password input from a human and a means of password authentication;
  
  said ASIC to incorporate a processor, a non-volatile storage area containing authentication parameters, at least one encrypted biometric template, credential information and an obfuscated password;
  
  said ASIC memory also containing a non-volatile software code storage unit containing software code;
  
  said code defining a method of generating a hardware ID from characteristics of hardware components;
  
  a method of obtaining a hashed PIN value by one of a) generating said hashed PIN value from said hardware ID and b) generating said hashed value from said PIN value entered on the mobile device;
  
  a method of obfuscating and de-obfuscating a password using said hashed value of said PIN and said hardware ID;
  
  a method of storing said obfuscated password in said memory of said ASIC;
  
  said ASIC software code capable of transforming biometric sample data to a consistent angle of inclination, biometrically enrolling and verifying the identity of mobile device users by matching the biometric samples captured from said biometric sensor with at least one biometric template stored in encrypted form in the said ASIC memory;
  
  a method of generating a template encryption key using at least said obfuscated password and said hashed PIN;
  
  a method of encrypting and decrypting said biometric template using said encryption key;
  
  a method of de-obfuscating said password and submitting it to one of the said mobile device authentication process, including a Trusted Platform Module and the server authentication process, in response to the successful decryption of the said biometric template and the successful matching of said biometric sample to said biometric template, thereby relieving the user of the need to enter a complex password for the purposes of mobile device access and encryption.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 13, 14, 15, 16)
- - 2. The mobile device and methods for authenticating a user to said mobile device as recited in claim 1 where all the functionality of claim 1 is incorporated within the mobile device.
  - 3. The mobile device and methods for authenticating a user to a mobile device as recited in claim 2 where said mobile device is connected, through a network to a remote computer;
    - said mobile device and said remote computer achieving mutual remote authentication through the following steps;
      
      a) Remote computer requests active user to authenticate to said mobile device using said biometric verification and said PINb) After mutual authentication, mobile device communicates encrypted data, including a user credential over said network using a symmetrical encryption key, which is a function of at least one of the one-way hashed value of said password (generated following a PIN and biometric match) and said mobile device IDc) Mobile device communicates at least said mobile device ID, encrypted with said symmetrical encryption key, to said remote computerd) Remote computer calculates said symmetrical encryption key from a stored value of the said password hash, decrypts at least said mobile device ID and authenticates it as a legitimate mobile device on said networke) Remote computer acknowledges the legitimacy of said network communication by encrypting the hashed password using said symmetrical key and communicates this data to said mobile device.f) Mobile device decrypts said data, tests the said hashed password for authenticity and in response to said test, acknowledges remote computer legitimacy to remote computer and grants it access to said mobile device.g) Remote computer checks said mobile device system configuration to see if said configuration complies with network security policy, changes said configuration in response to its acceptability and, if appropriate, releases said user credential to said remote computer application.h) In the absence of said active mobile device responding to said remote computer request, remote computer gains access to said mobile device and modifies said mobile device according to enterprise security policy.
  - 4. The mobile device and methods for authenticating a user to said mobile device as recited in claim 2 where said mobile device is connected, through a network to a remote computer, said mobile device and said remote computer achieving mutual remote computer-mobile device authentication through the following steps:
    - a) Remote computer requests active mobile device user to authenticate to the mobile device using said biometric verification and said PINb) After successful submission of said biometric sample and PIN, mobile device generates said password which is used to implement a SSL/TLS authentication protocol between said mobile device and the said remote computer.c) In the absence of said active mobile device responding to said remote computer request, remote computer gains access to said mobile device and modifies said mobile device according to enterprise security policy.
  - 5. The mobile device and methods of claim 2 where the said mobile device user enters one of a stylus-based sign and a finger-based sign on the said mobile device screen as the said biometric sample.
  - 6. The mobile device and methods as in claim 5 where said biometric template is adaptive, and includes biometric feature means and variances and is stored and updated within said mobile device;
    - said signs to be chosen by the user and to be one of, a sign, which could be signature, without user feedback and a sign, which could be a signature with user feedback, said biometric samples to contain, at least, sequentially sampled (X,Y) coordinate values, each set of co-ordinate values having one of an associated explicit and inferred time stamp;
      
      said biometric feature means, modified by discriminating weights, to be chosen to offer powerful discrimination between authentic and non-authentic biometric samples.
  - 7. The mobile device and methods of claim 6 where said biometric feature means are functions of at least one of:
    - a. V(x), where V(x) is the variance of the x-coordinate values of the transformed sign.b. V(y) where V(y) is the variance of the y-coordinate values of said transformed sign.c. C(x,y) where C(x,y) is the covariance of the transformed sign coordinate valuesd. Total sign time.e. Total in-contact sign timef. Total out-of contact sign time.g. Positions of (x,y) turning points with respect to time.h. Positions of (x,y) turning points with respect to x-position.i. Positions of (x,y) turning points with respect to y-position.j. An estimate of total x-distance traveled.k. An estimate of total y-distance traveled.l. (x,y) positions of new points of stylus contact with respect to timem. New out-of-contact stylus (x,y) positions with respect to x-positionn. (x,y) positions of new points of stylus contact with respect to x-positiono. (x,y) positions of new out-of-contact stylus positions with respect to timep. Forehand (x,y) distancesq. Backhand (x,y) distances.
  - 8. The mobile device and methods of claim 2 where:
    - a) The said encrypted biometric template is associated with one of an encrypted user credential and an encrypted electronic representation of the user'"'"'s authentic signature which is released to relying parties and electronic documents requiring it, said electronic documents subsequently being communicated to a remote computer, which may store one of said user credential and a said electronic representation of said authentic signature of said user, which is used to check the authenticity of one of said user credential and said electronic representation of user'"'"'s authentic signature.b) The said biometric template includes a time-stamp associated with the last time it was used to match a biometric sample.c) The said biometric template includes an authentication code which is a definitive function of at least the said template data.d) The said biometric template contains a value, representative of the number of samples contributing to said biometric template values.
  - 13. The mobile device and methods of claim 2 where the said biometric data are not transformed prior to extracting said biometric features.
  - 14. The mobile device and methods of claim 3 where said biometric data are not transformed prior to extracting said biometric features.
  - 15. The mobile device and methods of claim 4 where said biometric data are not transformed prior to said feature extraction.
  - 16. The mobile device and methods of claim 13 where said mobile device and said mobile device user authenticate biometrically to a remote computer using a CBEFF patron such as ANSI BioAPI and where the BioAPI payload includes at least said mobile device ID encrypted with said symmetrical encryption key.

9. A POS terminal containing an integrated IC card reader where the user credential is released in the following manner:
- a) The said biometric template and user credential are first created on the user'"'"'s IC card after said user enters a series of biometric samples, which may be captured at different times from a biometric sensor on the POS terminalb) At the capture of each said biometric sample, biometric feature data are extracted and passed to the IC card, first for template creation and then, later, for authentication.c) The user'"'"'s said authentic electronic signature is captured from said POS terminal and, together with the said biometric template data, are encrypted by the IC card and stored using a symmetric key generated using a hardware root from the IC card.d) During a transaction using said IC card at said POS terminal, biometric data are captured by said POS terminal, said biometric features are extracted by the POS terminal and communicated securely to the said IC Card, which decrypts the biometric template and carries out the biometric matching and the template update processes.e) The result of the biometric matching process, together with the decrypted authentic electronic signature of the card holder is communicated to the POS terminal where it is displayed in viewable form on the sales associate'"'"'s screen;
  
  said sales associate uses these data together with the authorization result from the card issuer, to determine whether to accept or decline the transaction and whether to ask for further evidence of cardholder identity.

10. A mobile device, incorporating;
- a processor, memory and signed software capable of biometrically enrolling mobile device users, by capturing biometric samples and extracting biometric feature values from signs made on an electronic signing area of said computing mobile device, by one of a stylus and a finger;
  
  verifying the identity of a user by matching a new biometric sample with a previously enrolled biometric template;
  
  said signs to be chosen by the user, entered on said electronic signing area of said stand-alone computing mobile device and to be one of, a secret sign without user feedback and a signature with user feedback;
  
  said biometric samples to contain, at least, said (X,Y) coordinate values, each set of co-ordinate values having one of an associated explicit and inferred time stamp;
  
  said biometric feature means modified by discriminating weights chosen to offer powerful discrimination between authentic and impostor samples;
  
  said biometric template to further include one of a user credential and an electronic representation of said user'"'"'s authentic signature;
  
  said authentic electronic signature to be released for possible comparison with an electronic signature of said user stored on a second computer, remote from the stand alone mobile device;
  
  said software also capable of generating a password and password hash from a stored, de-obfuscated password, generated following PIN and biometric match, and said mobile device hardware rooted ID.
- View Dependent Claims (11, 12)
- - 11. The mobile device and methods of claim 10 where said mobile device is connected, through a network to a remote computer, said mobile device and said remote computer achieving mutual remote computer/mobile device authentication through the following steps:
    - a) Remote computer requests active mobile device user to authenticate to the mobile device for mutual mobile device authentication.b) Mobile device communicates encrypted data over said network using a symmetrical encryption key, which is a function of said hashed value of said password.c) Mobile device communicates at least said mobile device ID, encrypted with said symmetrical encryption key, to said remote computerd) Remote computer calculates said symmetrical encryption key, decrypts at least said mobile device ID and authenticates it as a legitimate mobile device on said networke) Remote computer acknowledges the legitimacy of said network communication by encrypting one of said hashed password and other known data using said symmetrical key and communicating it to the mobile device.f) Mobile device checks the value of one of the said hashed password and said other known data, acknowledges remote computer legitimacy to remote computer and grants it access to said mobile deviceg) Remote computer checks said mobile device system configuration to see if said configuration complies with network security policy, changes said configuration in response to compliance and, if appropriate, releases a trusted credential to said remote computer.h) In the absence of said active mobile device responding to said remote computer request, remote computer gains access to said mobile device and modifies the mobile device according to network security policy.
  - 12. The mobile device and methods of claim 10 for authenticating a user to said mobile device where said mobile device is connected, through a network to a remote computer, said mobile device and said remote computer achieving mutual remote computer/mobile device authentication through the following steps:
    - a) Remote computer requests active mobile device user to authenticate to the mobile device using said biometric verification and said PINb) After successful submission of biometric sample and PIN mobile device generates said password which is used to implement an SSL/TLS authentication protocol between it and the said remote computer.c) In the absence of said active mobile device responding to said remote computer request, remote computer gains access to said mobile device and modifies said mobile device according to enterprise security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocrypt Access, LLC
Original Assignee
Christopher J. Beatson, Mark A. Kelty, Rodney Beatson
Inventors
Kelty, Mark A., Beatson, Christopher J., Beatson, Rodney

Granted Patent

US 9,286,457 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/186
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/45   Structures or tools for the...

G06F 21/72   in cryptographic circuits

G06F 2221/2129   Authenticate client device ...

G06V 30/1478   of characters or characters...

G06V 40/382   Preprocessing; Feature extr...

G06V 40/50   Maintenance of biometric da...

G06V 40/53   Measures to keep reference ...

H04L 2209/12   Details relating to cryptog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/80   Wireless

H04L 9/0861   Generation of secret inform...

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3242   involving keyed hash functi...

Method and System for Providing Password-free, Hardware-rooted, ASIC-based Authentication of a Human to a Mobile Device using Biometrics with a Protected, Local Template to Release Trusted Credentials to Relying Parties

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Providing Password-free, Hardware-rooted, ASIC-based Authentication of a Human to a Mobile Device using Biometrics with a Protected, Local Template to Release Trusted Credentials to Relying Parties

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links