System and method for sequentially processing a biometric sample

US 7,574,734 B2
Filed: 08/15/2002
Issued: 08/11/2009
Est. Priority Date: 08/15/2002
Status: Active Grant

First Claim

Patent Images

1. A system for providing access to a controlled resource, said system comprising:

a hardware security token including a first cryptographic means and a first biometric verification means configured to allow access to a controlled resource, wherein the security token is configured to perform a first verification attempt of a biometric sample; and

a stateless server configured to respond to said security token and including second biometric verification means and second cryptographic means compatible with said first cryptographic means, the second cryptographic means being coupled to said second biometric verification means;

wherein the security token is configured to transfer the biometric sample and a biometric processing parameter to the stateless server for a second verification attempt, and wherein the stateless server generates a cryptographic secret using the biometric processing parameter and sends said cryptographic secret to said security token if said second verification attempt is successful.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides for progressive processing of biometric samples to facilitate verification of an authorized user. The initial processing is performed by a security token. Due to storage space and processing power limitations, excessive false rejections may occur. To overcome this shortfall, the biometric sample is routed to a stateless server, which has significantly greater processing power and data enhancement capabilities. The stateless server receives, processes and returns the biometric sample to the security token for another attempt at verification using the enhanced biometric sample. In a second embodiment of the invention, a second failure of the security token to verify the enhanced biometric sample sends either the enhanced or raw biometric sample to a stateful server. The stateful server again processes the biometric sample and performs a one to many search of a biometric database. The biometric database contains the master set of enrolled biometric templates associated with all authorized users. Signals generated by the stateful server are used by the security token to allow or deny access to a resource or function. In both embodiments of the invention, the heuristics remain with the security token.

Citations

69 Claims

1. A system for providing access to a controlled resource, said system comprising:
- a hardware security token including a first cryptographic means and a first biometric verification means configured to allow access to a controlled resource, wherein the security token is configured to perform a first verification attempt of a biometric sample; and
  
  a stateless server configured to respond to said security token and including second biometric verification means and second cryptographic means compatible with said first cryptographic means, the second cryptographic means being coupled to said second biometric verification means;
  
  wherein the security token is configured to transfer the biometric sample and a biometric processing parameter to the stateless server for a second verification attempt, and wherein the stateless server generates a cryptographic secret using the biometric processing parameter and sends said cryptographic secret to said security token if said second verification attempt is successful.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The system according to claim 1 further comprising a stateful server, said stateful server responsive to said stateless server, wherein said stateful server includes a third biometric verification means and a third cryptographic means coupled to said third biometric verification means.
  - 3. The system according to claim 2 wherein said second biometric verification means is configured to send said biometric sample to said stateful server for a third verification attempt.
  - 4. The system according to claim 3 wherein said second biometric verification means is configured to send related biometric information to said stateful server for the third verification attempt, wherein said related biometric information includes a unique token identifier associated with said security token, a biometric template, and a biometric processing algorithm descriptor.
  - 5. The system according to claim 4 wherein the stateless server includes a biometric database, said biometric database contains a plurality of high resolution biometric templates, each of said plurality of high resolution biometric templates being associated with the unique token identifier.
  - 6. The system according to claim 5 wherein each of said plurality of high resolution biometric templates is indexed by said unique token identifier.
  - 7. The system according to claim 6 wherein said third biometric verification means includes means for retrieving each of said plurality of high resolution biometric templates using said unique token identifier.
  - 8. The system according to claim 2 wherein said second or third biometric verification means includes a plurality of replaceable biometric processing algorithms.
  - 9. The system according to claim 8 wherein said plurality of replaceable biometric processing algorithms includes an associated unique biometric processing algorithm descriptor.
  - 10. The system according to claim 2 wherein said security token and said stateless server are in communication over a telecommunications link.
  - 11. The system according to claim 10 wherein said stateless server and said stateful server are in communication over said telecommunications link.
  - 12. The system according to claim 11 wherein said telecommunications link includes a secure messaging protocol.
  - 13. The system according to claim 2 wherein said first cryptographic means includes a token access key.
  - 14. The system according to claim 13 wherein said second or third cryptographic means include a master key configured to communicate with said token access key.
  - 15. The system according to claim 2 wherein said biometric processing parameter includes any of a unique identifier associated with said security token, a biometric template, or a biometric processing algorithm descriptor.
  - 16. The system according to claim 15, wherein said second or third biometric verification means allows access to said controlled resource upon presentation of said cryptographic secret, wherein said unique identifier is used by said second or third cryptographic means to diversify said master key to generate said valid cryptographic secret.
  - 17. The system according to claim 5 wherein each said high resolution biometric template includes unique physiological data associated with an authorized user of said security token.
  - 18. The system according to claim 2 wherein said second biometric verification means includes first means for generating a reject result if said second verification attempt is unsuccessful, and wherein said third biometric verification means includes second means for generating said reject result if said third verification attempt is unsuccessful.
  - 19. The system according to claim 18, wherein said second or third biometric verification means allows access to said controlled resource upon presentation of said cryptographic secret, wherein a result returned to the security token is either said reject or said cryptographic secret.
  - 20. The system according to claim 19 wherein said reject includes means for locking said security token.
  - 21. The system according to claim 2 wherein both said stateless and said stateful servers include greater processing capabilities than said security token.
  - 22. The system according to claim 2 wherein said security token is operatively connectable to a client, said client including interface means for facilitating communications between said security token and said stateless server.
  - 23. The system according to claim 22 wherein said client further includes biometric sample pre-processing means.
  - 24. The system according to claim 2 wherein said stateful server further includes audit trail generating means.
  - 25. The system according to claim 24 wherein said audit trail generating means includes means for recording transactions occurring on said stateless server, said stateful server or both.
  - 26. The system of claim 1, wherein the security token comprises a smart card.
  - 27. The system according to claim 1, wherein said biometric processing parameter includes any of a unique identifier associated with said security token, a biometric template, or a biometric processing algorithm descriptor.
  - 28. The system of claim 22, wherein the client comprises a biometric scanner.
  - 29. The system of claim 1, wherein the biometric sample is an initially unverifiable biometric sample.

30. A system for providing access to a controlled resource, said system comprising:
- a physical security token comprising a first cryptographic module and a first biometric processing module, wherein the security token is configured to perform a first verification attempt of a biometric sample; and
  
  a stateless server configured to respond to said security token, wherein the stateless server includes a second biometric processing module and a second cryptographic module compatible with said first cryptographic module and coupled to said second biometric processing module;
  
  wherein the security token is configured to transfer the biometric sample and a biometric processing parameter to the stateless server for a second verification attempt, and wherein the stateless server generates a cryptographic secret using the biometric processing parameter and sends said cryptographic secret to said security token if said second verification attempt is successful.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 31. The system of claim 30, wherein the security token further comprises a first comparator to compare a result from the first biometric processing module with a pre-established portion of a biometric template to generate a first verification signal.
  - 32. The system of claim 31, wherein the security token further comprises an access gate module in communication with the first cryptographic module and the first comparator, wherein the access gate module allows access to the controlled resource based on any of said first verification signal or said cryptographic secret.
  - 33. The system of claim 30, wherein the stateless server further comprises a second comparator to compare a result from the second biometric processing module with a biometric reference to generate a second verification signal.
  - 34. The system of claim 33, wherein the second cryptographic module is in communication with the comparator, and wherein the second cryptographic module generates said cryptographic secret responsive to said second verification signal.
  - 35. The system according to claim 30, further comprising a stateful server, said stateful server responsive to said stateless server, wherein said stateful server includes a third biometric processing module and a third cryptographic module coupled to said third biometric processing module.
  - 36. The system according to claim 35, wherein said second biometric processing module is configured to send said biometric sample to said stateful server for a third verification attempt.
  - 37. The system according to claim 36, wherein said second biometric processing module is configured to send related biometric information to said stateful server for the third verification attempt, wherein said related biometric information includes a unique token identifier associated with said security token, a biometric template, and a biometric processing algorithm descriptor.
  - 38. The system according to claim 37, wherein the stateless server includes a biometric database, said biometric database contains a plurality of high resolution biometric templates, each of said plurality of high resolution biometric templates being associated with the unique token identifier.
  - 39. The system according to claim 38, wherein each of said plurality of high resolution biometric templates is indexed by said unique token identifier.
  - 40. The system according to claim 39, wherein said third biometric processing module retrieves each of said plurality of high resolution biometric templates using said unique token identifier.
  - 41. The system according to claim 35, wherein said second biometric processing module or said third biometric processing module include a plurality of replaceable biometric processing algorithms.
  - 42. The system according to claim 41, wherein said plurality of replaceable biometric processing algorithms includes an associated unique biometric processing algorithm descriptor.
  - 43. The system according to claim 35, wherein said first cryptographic module includes a token access key.
  - 44. The system according to claim 43, wherein said second cryptographic module or third cryptographic module include a master key configured to communicate with said token access key.
  - 45. The system according to claim 30, wherein said biometric processing parameter includes any of a unique identifier associated with said security token, a biometric template, or a biometric processing algorithm descriptor.
  - 46. The system according to claim 45, wherein said unique identifier is used by said second cryptographic module or third cryptographic module to diversify said master key to generate said cryptographic secret.
  - 47. The system according to claim 46, wherein said biometric template includes unique physiological data associated with an authorized user of said security token.
  - 48. The system according to claim 35, wherein said second biometric processing module generates a reject result if said second verification attempt is unsuccessful, and wherein said third biometric processing module generates said reject result if said third verification attempt is unsuccessful.
  - 49. The system according to claim 48, wherein said reject includes means for locking said security token.
  - 50. The system according to claim 35, wherein both said stateless and said stateful servers include greater processing capabilities than said security token.
  - 51. The system according to claim 30, wherein said security token is operatively connectable to a client, said client including an interface to facilitate communications between said security token and said stateless server.
  - 52. The system according to claim 51, wherein said client further includes a computer system that performs biometric sample pre-processing.
  - 53. The system of claim 51, wherein the client comprises a biometric scanner.
  - 54. The system according to claim 35, wherein said stateful server further comprises an audit module that records transactions occurring on said stateless server.
  - 55. The system according to claim 54, wherein said audit module records transactions occurring on said stateful server.
  - 56. The system of claim 30, wherein the security token comprises a smart card.

57. A server for providing access to a controlled resource, the server comprising:
- a biometric processing module configured to receive a biometric sample and a biometric processing parameter from a hardware security token for a second verification attempt when the security token has failed a first verification attempt of the biometric sample;
  
  a comparator in communication with the biometric processing module, wherein the comparator is configured to compare a result from the biometric processing module with a biometric reference to generate a verification signal; and
  
  a cryptographic module configured to generate a cryptographic secret using the biometric processing parameter and send said cryptographic secret to said security token if said second verification attempt is successful.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 58. The server according to claim 57, further comprising a stateful server, said stateful server responsive to said biometric processing module, said biometric processing module is configured to send said biometric sample to said stateful server for a third verification attempt.
  - 59. The server according to claim 58, wherein said biometric processing module is configured to send related biometric information to said stateful server for the third verification attempt, wherein said related biometric information includes a unique token identifier associated with said security token, a biometric template, and a biometric processing algorithm descriptor.
  - 60. The server according to claim 59, wherein said biometric template includes unique physiological data associated with an authorized user of the security token.
  - 61. The server according to claim 59, further comprising a biometric database, said biometric database contains a plurality of high resolution biometric templates, each of said plurality of high resolution biometric templates being associated with the unique token identifier.
  - 62. The server according to claim 61, wherein each of said plurality of high resolution biometric templates is indexed by said unique token identifier.
  - 63. The server according to claim 57, wherein said second biometric processing module includes a plurality of replaceable biometric processing algorithms.
  - 64. The server according to claim 63, wherein said plurality of replaceable biometric processing algorithms includes an associated unique biometric processing algorithm descriptor.
  - 65. The server according to claim 57, wherein said cryptographic module includes a master key configured to communicate with a token access key of the security token.
  - 66. The server according to claim 57, wherein said biometric processing parameter includes any of a unique identifier associated with said security token, a biometric template, or a biometric processing algorithm descriptor.
  - 67. The server according to claim 66, wherein said unique identifier is used by said cryptographic module to diversify said master key to generate said cryptographic secret.
  - 68. The server according to claim 57, wherein said biometric processing module generates a reject result if said second verification attempt is unsuccessful.
  - 69. The server according to claim 57, further comprising an audit module that records transactions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ActivIdentity, Inc. (Assa Abloy AB)
Original Assignee
ActivIdentity, Inc. (Assa Abloy AB)
Inventors
Le Saint, Eric F., Fedronic, Dominique Louis Joseph
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US10/218,640
Publication Number

US 20040034783A1
Time in Patent Office

2,553 Days
Field of Search

713/150, 713/168, 713/182, 713/185, 713/186, 713/159, 713/170, 713/172, 726/2, 726/5, 726/9, 726/18, 380/255, 382115-127
US Class Current

726/9
CPC Class Codes

G06F 21/32 using biometric data, e.g. ...

G07C 9/37 using biometric data, e.g. ...

System and method for sequentially processing a biometric sample

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for sequentially processing a biometric sample

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links