Electronic data vault providing biometrically protected electronic signatures

US 7,676,439 B2
Filed: 06/18/2002
Issued: 03/09/2010
Est. Priority Date: 06/18/2001
Status: Expired due to Fees

First Claim

Patent Images

1. An electronic data vault system (eVault) for remotely and securely storing data for a user such that the user can subsequently access the data via a network interface, the system comprising:

a remote server comprising a document and data repository configured to securely store personal data for at least one user, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;

a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair and to export a second cryptographic key of the at least one cryptographic key pair from the key trust;

a biometric database configured to provide a storage location for at least one biometric captured from and associated with the at least one user, wherein the biometric is captured during enrollment in the electronic data vault system;

an interface configured to allow controlled access to the remote server by the at least one user and to allow for transmission of the at least one captured user biometric to the system;

means for performing authentication of the at least one user using biometric matching and including an authentication engine configured to interface with the biometric database and to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, wherein the key trust is further configured to decrypt the first cryptographic key using a third cryptographic key that corresponds to a claim signed by the authentication engine during authentication of the at least one user;

means for executing one or more processes in communication with service providers, at least one of the processes being an enabling of completion of service application forms online and for automatically populating parts of the forms using data retrieved from within the electronic data vault system; and

a policy management system configured to allow the at least one user to define policies controlling access of specific service providers to specific parts of a datastore of the at least one user, to define the data that is permitted to be deposited by specific service providers into the datastore of the at least one user, and to define default data access levels for service providers not specifically identified, whereinduring authentication of the at least one user by the authentication engine, the system is configured to enable the authenticated at least one user to access the datastore specific to the authenticated at least one user, the specific datastore having a document and data repository and key trust personal to the authenticated at least one user, and to apply the first cryptographic key previously associated with the authenticated at least one user onto data stored within the document and data repository.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An eVault system securely stores personal data and documents for citizens and allows controlled access by citizens and optionally by service providers. The eVault may be adapted to allow processes involving the documents to be carried out in a secure and paperless fashion. Documents are certified, and biometric matching is used for security. On effecting a match with a biometric identifier presented by a user, the user is allowed access to his personal eVault and to access a personal cryptographic key stored therein. One or more of these personal keys may be securely applied within the eVault to generate an electronic signature, amongst other functions.

52 Citations

View as Search Results

15 Claims

1. An electronic data vault system (eVault) for remotely and securely storing data for a user such that the user can subsequently access the data via a network interface, the system comprising:
- a remote server comprising a document and data repository configured to securely store personal data for at least one user, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;
  
  a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair and to export a second cryptographic key of the at least one cryptographic key pair from the key trust;
  
  a biometric database configured to provide a storage location for at least one biometric captured from and associated with the at least one user, wherein the biometric is captured during enrollment in the electronic data vault system;
  
  an interface configured to allow controlled access to the remote server by the at least one user and to allow for transmission of the at least one captured user biometric to the system;
  
  means for performing authentication of the at least one user using biometric matching and including an authentication engine configured to interface with the biometric database and to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, wherein the key trust is further configured to decrypt the first cryptographic key using a third cryptographic key that corresponds to a claim signed by the authentication engine during authentication of the at least one user;
  
  means for executing one or more processes in communication with service providers, at least one of the processes being an enabling of completion of service application forms online and for automatically populating parts of the forms using data retrieved from within the electronic data vault system; and
  
  a policy management system configured to allow the at least one user to define policies controlling access of specific service providers to specific parts of a datastore of the at least one user, to define the data that is permitted to be deposited by specific service providers into the datastore of the at least one user, and to define default data access levels for service providers not specifically identified, whereinduring authentication of the at least one user by the authentication engine, the system is configured to enable the authenticated at least one user to access the datastore specific to the authenticated at least one user, the specific datastore having a document and data repository and key trust personal to the authenticated at least one user, and to apply the first cryptographic key previously associated with the authenticated at least one user onto data stored within the document and data repository.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A system as claimed in claim 1, wherein the electronic data vault system is adapted to store documents associated with at least one user.
  - 3. A system as claimed in claim 2, wherein the system further comprises means for certifying data or documents.
  - 4. A system as claimed in claim 3 wherein the means for certifying data or documents comprises a process which includes selecting at least one of the following:
    - ensuring that data submitted by a service provider meets a correct predefined format;
      
      ensuring that information included in the data corresponds to already certified data held in the user datastore;
      
      ensuring that a service provider submitting data has correct permissions and has been authenticated to a necessary security level to submit the data;
      
      ensuring that the user has provided permission for the data to be submitted, optionally from an identified service provider;
      
      adding a timestamp to the submitted data; and
      
      applying at least one electronic signature to the submitted data.
  - 5. A system as claimed in claim 2, wherein the system further comprises means for storing the data and documents in distributed locations for presenting a single centralised view to users.
  - 6. A system as defined in claim 5 where the distributed locations include datastores managed and maintained by independent third-party service providers.
  - 7. A system as claimed in claim 1 further comprising a data processing system.
  - 8. A system as claimed in claim 1 further comprising a service provider interface for allowing controlled access by service providers forupdating data and documents in the data and document repository, andperforming processes requiring access to the data and documents.
  - 9. A system as claimed in claim 1, wherein the interface comprises means for allowing access using a plurality of different types of devices including telephones, kiosks, ATMs, PDAs, mobile devices and Web browsers.
  - 10. A system as claimed in claim 1, wherein the system comprises means for performing multi-modal biometric verification.
  - 11. A system as claimed in claim 1 further comprising means for making at least one cryptographic key available for secure communication between the user and service providers.
  - 12. A system as claimed in claim 1 further comprising means for updating the data within the eVault and means to enable third parties access to documents or data specifically related to one or more users, such that the third party is able to directly request the data from the eVault, or the eVault is configured to automatically push the data to specific third parties, when the data is updated within the eVault.
  - 13. The system as claimed in claim 12, further comprising means for returning the first cryptographic key to the user on matching the identifier in the datastore with the supplied biometric identifier.
  - 14. A system as claimed in claim 1 wherein the third cryptographic key is one of a single cryptographic key usable across a plurality of identity claims and a derived cryptographic key.
  - 15. A system as claimed in claim 1 wherein the first cryptographic key is a private key and the second cryptographic key is a public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daon Holdings Limited
Original Assignee
Daon Holdings Limited
Inventors
Tattan, Oliver, White, Conor, Loughman, Stephen, Peirce, Michael, Murphy, Michael
Primary Examiner(s)
Worjloh; Jalatee

Application Number

US10/481,171
Publication Number

US 20040236694A1
Time in Patent Office

2,821 Days
Field of Search

705/51, 705 64- 79, 725 26- 33, 713/186, 380200-203
US Class Current

705/67
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6245   Protecting personal data, e...

G06Q 20/027   involving a payment switch ...

G06Q 20/0855   involving a third party

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/68   Special signature format, e...

H04L 2209/80   Wireless network architectu...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

Electronic data vault providing biometrically protected electronic signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic data vault providing biometrically protected electronic signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links