Biometric non-repudiation network security systems and methods

US 7,623,659 B2
Filed: 11/04/2005
Issued: 11/24/2009
Est. Priority Date: 11/04/2005
Status: Active Grant

First Claim

Patent Images

1. A client device, comprising:

a biometric unit configured to generate a biometric feature based on sensing a portion of a human body, a first biometric feature being generated at a first time for establishing a biometric key pair, a second biometric feature being generated at a second time that is after the first time for authenticating the client device;

a transceiver unit configured to send and receive message data over a network; and

a cryptographic engine configured to one of encrypt and decrypt message data and to generate one or more cryptographic keys based on a predetermined key generating algorithm, the cryptographic engine being configured to generate a client public key and a client private key associated with a client device identifier, the cryptographic engine being configured to generate a biometric public key and a biometric private key associated with the first user biometric feature, the cryptographic engine encrypting a hash of a first message data using the biometric private key when the first biometric feature matches the second biometric feature, wherein the first message data is encrypted with the client public key and contains a random token data from a server, the encrypted hash being appended to the first message data to form an authenticated first message data, the authenticated first message data being encrypted by a server public key to form an encrypted authenticated first message data, the encrypted authenticated first message data being sent over the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with an embodiment of the present invention, a client device includes a biometric unit, a transceiver unit, and a cryptographic engine. The biometric unit generates a first biometric feature at a first time and a second biometric feature at a second time based on sensing a portion of a human body. The transceiver unit sends and receives message data over a network. The cryptographic engine encrypts and decrypts message data, generates client public and private keys associated with a client device identifier, and generates biometric public and private keys associated with the first user biometric feature. The cryptographic engine encrypts a hash of a first message data using the biometric private key when the first and second biometric features match, and appends the encrypted hash forming an authenticated first message data that is encrypted by a server public key and sent over the network.

54 Citations

View as Search Results

24 Claims

1. A client device, comprising:
- a biometric unit configured to generate a biometric feature based on sensing a portion of a human body, a first biometric feature being generated at a first time for establishing a biometric key pair, a second biometric feature being generated at a second time that is after the first time for authenticating the client device;
  
  a transceiver unit configured to send and receive message data over a network; and
  
  a cryptographic engine configured to one of encrypt and decrypt message data and to generate one or more cryptographic keys based on a predetermined key generating algorithm, the cryptographic engine being configured to generate a client public key and a client private key associated with a client device identifier, the cryptographic engine being configured to generate a biometric public key and a biometric private key associated with the first user biometric feature, the cryptographic engine encrypting a hash of a first message data using the biometric private key when the first biometric feature matches the second biometric feature, wherein the first message data is encrypted with the client public key and contains a random token data from a server, the encrypted hash being appended to the first message data to form an authenticated first message data, the authenticated first message data being encrypted by a server public key to form an encrypted authenticated first message data, the encrypted authenticated first message data being sent over the network.
- View Dependent Claims (2, 3, 4, 5, 24)
- - 2. The client device of claim 1, further comprising:
    - a memory configured to store and retrieve memory data including the client private key, the client public key, the first biometric feature, the biometric private key, the biometric public key, and the server public key, the memory being a tamper proof write-once flash memory.
  - 3. The client device of claim 1, the biometric unit further comprising a biosensor configured to a generate the biometric feature based on sensing one of a user finger print, an iris print, and a retina print.
  - 4. The client device of claim 3, wherein the biosensor is one of external to the client device body, and internal to the client device body.
  - 5. The client device of claim 1, the cryptographic engine being configured to one of encrypt and decrypt message information using at least one of an RSA algorithm, a DSS algorithm, and a SHA algorithm.
  - 24. The client device of claim 1, further comprising a processor memory configured to store and retrieve the server public key, and a second tamper proof write-once flash memory configured to store and retrieve the client private key, the client public key, the first biometric feature, the biometric private key, and the biometric public key.

6. A user authentication device, comprising:
- a component for generating a biometric feature based on sensing a portion of the body of a user, a first biometric feature being generated at a first time for establishing a biometric key pair, a second biometric feature being generated at a second time that is after the first time for authenticating;
  
  a component for sending and receiving message data over a network; and
  
  a component for encrypting and decrypting message data,the component for encrypting and decrypting message data being configured to generate one or more cryptographic keys based on a predetermined key generating algorithm,the component for encrypting and decrypting being configured to generate a client public key and a client private key associated with a client device identifier,the component for encrypting and decrypting being configured to generate a biometric public key and a biometric private key associated with the first user biometric feature,the component for encrypting and decrypting encrypting a hash of a first message data using the biometric private key when the first biometric feature matches the second biometric feature, wherein the first message data is encrypted with the client public key and contains a random token data from a server, the encrypted hash being appended to the first message data to form an authenticated first message data, the authenticated first message data being encrypted by a server public key to form an encrypted authenticated first message data, the encrypted authenticated first message data being sent over the network by the component for sending and receiving message data.
- View Dependent Claims (7)
- - 7. The user authentication device of claim 6, further comprising:
    - a component for tamper resistantly storing and retrieving data including the clientprivate key, the client public key, the first biometric feature, the biometric private key, and the biometric public key.

8. A biometric authentication method for a client device, comprising the operations of:
- establishing a client device key pair, the client device key pair having a client private key and a client public key;
  
  establishing a user biometric key pair, the biometric key pair having a biometric private key and a biometric public key;
  
  asserting, by the client device, a transaction request;
  
  responding, by the client device, to a received biometric challenge from a second device that includes a predetermined portion encrypted with the client public key, wherein the predetermined portion includes a random token data from a server;
  
  generating, by the client device, a second user biometric feature in response to the received biometric challenge;
  
  generating, by the client device, a server public key encrypted biometric authentication when the second user biometric feature matches the first user biometric feature, the server public key encrypted biometric authentication including a hash of the random token data encrypted with the biometric private key and the transaction request; and
  
  establishing an authenticated communication with the second device.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. The method of claim 8, wherein the operation of establishing a client device key pair further comprises:
    - generating a client key pair associated with a client device identifier;
      
      storing the client key pair in a memory; and
      
      publishing the client public key to a key server.
  - 10. The method of claim 9, wherein the client key pair is generated based on a public key encryption algorithm.
  - 11. The method of claim 10, wherein the public key pair is generated based on the RSA algorithm.
  - 12. The method of claim 8, wherein the operation of responding to a received biometric challenge further comprises decrypting a challenge message using the client private key.
  - 13. The method of claim 8, wherein the operation of establishing a user biometric key pair further comprises:
    - generating a first user biometric feature;
      
      storing the first user biometric feature in a tamper resistant memory;
      
      generating a biometric key pair associated with a first user biometric feature,the biometric key pair including a biometric public key and a biometric private key;
      
      storing the biometric key pair in the tamper resistant memory; and
      
      publishing the biometric public key to a key server.
  - 14. The method of claim 13, wherein the client key pair is generated based on a public key encryption algorithm.
  - 15. The method of claim 14, wherein the public key encryption algorithm is the RSA algorithm.
  - 16. The method of claim 13, wherein the operations of generating a first user biometric and generating a second user biometric both include one of reading a fingerprint, scanning an iris, and scanning a retina.
  - 17. The method of claim 13, wherein the tamper resistant memory is a write-once flash memory.
  - 18. The method of claim 13, wherein the tamper resistant memory is removable from the client device.
  - 19. The method of claim 13, wherein the hash is generated based on an algorithm in the secure hash algorithm (SHA) family.

20. A file server device, comprising:
- a removable tamper proof memory configured to store and retrieve a server private key;
  
  a memory configured to store and retrieve a client public key, a biometric public key, and a token data;
  
  a cryptographic engine configured to one of encrypt and decrypt message data and to generate one or more cryptographic keys based on a predetermined key generating algorithm, the cryptographic engine being configured to generate a server public key and the server private key; and
  
  a transceiver unit configured to send and receive message data over a network, the transceiver unit being configured to receive a transaction request message from a client device and send a biometric challenge message to the client device, a portion of the biometric challenge message including the token data encrypted with the client public key, the transceiver unit being configured to receive a biometric authentication from the client device, a portion of the biometric authentication including a hash of the token data encrypted with the biometric private key and the transaction request message, both encrypted with the server public key, the file server decrypting the biometric authentication using the server private key, extracting the hash of the token data, decrypting the hash of the token data using the biometric public key to form a received token hash, computing a hash of the token data to form a stored token hash, and processing the transaction request when the stored token hash matches the received token hash.
- View Dependent Claims (21)
- - 21. The file server device of claim 20, further comprising:
    - a file server record unit configured to store and modify at least one file server record, a transaction request for a file server record being authenticated when the server public key encrypted token data matches the client public key encrypted token data, the file server transaction request including at least one of creating a new record of information, viewing an existing record, changing an existing record, and deleting a record.

22. A biometric authentication method for a server device, comprising the operations of:
- receiving a transaction request from a client device including a predetermined portion encrypted with a server public key, the client device having a client private key and a client public key;
  
  asserting, by the server device, a biometric challenge to the transaction request, the biometric challenge including a random token data encrypted with the client public key, a successful response from the client device to the biometric challenge requiring a match between a golden biometric sample captured during an initialization sequence and a new biometric sample captured after the assertion of the biometric challenge;
  
  authenticating, by the server device, the transaction request when the biometric response from the client device is successful, wherein the authenticating comprises comparing a hash of the random token data received from the client device with a hash of the random token data stored in the server device, wherein the server device receives a server public key encrypted transaction request comprising a biometric private key encrypted hash; and
  
  establishing an authenticated communication with the client device.
- View Dependent Claims (23)
- - 23. The method of claim 22, wherein the operation of authenticating the transaction request further comprises:
    - decrypting the encrypted transaction request portion using the server private key, the encrypted transaction request portion including an encrypted hash of random token data;
      
      decrypting the encrypted hash of the token data using the biometric public key to form a first hashed token data;
      
      computing a hash of a stored token data to from a second hashed token data;
      
      comparing the first hashed token data to the second hashed token data; and
      
      asserting the transaction request is authenticated if the first hashed token data and the second hashed token data match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Yao, Shu-Chuan, Huang, Kung-Shiuh
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Sanders; Stephen

Application Number

US11/266,936
Publication Number

US 20070106895A1
Time in Patent Office

1,481 Days
Field of Search

380/44
US Class Current

380/44
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/0866   involving user or device id...

H04L 9/302   involving the integer facto...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Biometric non-repudiation network security systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Biometric non-repudiation network security systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others