Electronic data vault providing biometrically protected electronic signatures

US 7,865,449 B2
Filed: 10/29/2009
Issued: 01/04/2011
Est. Priority Date: 06/18/2001
Status: Expired due to Fees

First Claim

Patent Images

1. An electronic data vault system for remotely and securely storing data for a user such that the user can subsequently access the data via a network interface, said electronic data vault system comprising:

a remote server comprising a document and data repository configured to securely store personal data for at least one user, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;

a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair, to encrypt the first cryptographic key with a third cryptographic key, and to export a second cryptographic key of the at least one cryptographic key pair from said key trust;

a biometric database configured to provide a storage location for at least one biometric captured from and associated with the at least one user, wherein the at least one biometric is captured during enrollment in said electronic data vault system;

an interface configured to allow controlled access to said remote server by the at least one user and to allow for transmission of the at least one captured user biometric to said electronic data vault system;

an authentication engine configured to interface with said biometric database to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, to sign a claim of identity with a cryptographic key of the authentication engine and to forward the signed claim of identity to said key trust, wherein the at least one user provides the identity claim prior to authentication, said authentication engine is configured to generate an authentication ticket by signing the identity claim upon authentication of the at least one user, and after authentication of the at least one user said key trust is further configured to decrypt the first cryptographic key with the third cryptographic key; and

an e-signature application configured to verify that said authentication engine signed the authentication ticket, sign the authentication ticket upon verifying that the authentication engine signed the authentication ticket, and request re-authentication by said authentication engine when the authentication ticket is no longer valid, wherein said key trust is further configured to verify the signature of said e-signature application to ensure the authentication ticket was received from a trusted e-signature application prior to decrypting the first cryptographic key with the third cryptographic key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An eVault system securely stores personal data and documents for citizens and allows controlled access by citizens and optionally by service providers. The eVault may be adapted to allow processes involving the documents to be carried out in a secure and paperless fashion. Documents are certified, and biometric matching is used for security. On effecting a match with a biometric identifier presented by a user, the user is allowed access to his personal eVault and to access a personal cryptographic key stored therein. One or more of these personal keys may be securely applied within the eVault to generate an electronic signature, amongst other functions.

Citations

14 Claims

1. An electronic data vault system for remotely and securely storing data for a user such that the user can subsequently access the data via a network interface, said electronic data vault system comprising:
- a remote server comprising a document and data repository configured to securely store personal data for at least one user, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;
  
  a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair, to encrypt the first cryptographic key with a third cryptographic key, and to export a second cryptographic key of the at least one cryptographic key pair from said key trust;
  
  a biometric database configured to provide a storage location for at least one biometric captured from and associated with the at least one user, wherein the at least one biometric is captured during enrollment in said electronic data vault system;
  
  an interface configured to allow controlled access to said remote server by the at least one user and to allow for transmission of the at least one captured user biometric to said electronic data vault system;
  
  an authentication engine configured to interface with said biometric database to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, to sign a claim of identity with a cryptographic key of the authentication engine and to forward the signed claim of identity to said key trust, wherein the at least one user provides the identity claim prior to authentication, said authentication engine is configured to generate an authentication ticket by signing the identity claim upon authentication of the at least one user, and after authentication of the at least one user said key trust is further configured to decrypt the first cryptographic key with the third cryptographic key; and
  
  an e-signature application configured to verify that said authentication engine signed the authentication ticket, sign the authentication ticket upon verifying that the authentication engine signed the authentication ticket, and request re-authentication by said authentication engine when the authentication ticket is no longer valid, wherein said key trust is further configured to verify the signature of said e-signature application to ensure the authentication ticket was received from a trusted e-signature application prior to decrypting the first cryptographic key with the third cryptographic key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. An electronic data vault system in accordance with claim 1, wherein the third cryptographic key is one of a symmetric key and an asymmetric key.
  - 3. An electronic data vault system in accordance with claim 1, further comprising a policy management system configured to:
    - allow the at least one user to define policies controlling access of specific service providers to specific parts of a datastore of the at least one user;
      
      define data that is permitted to be deposited by specific service providers into the datastore of the at least one user; and
      
      define default data access levels for service providers not specifically identified.
  - 4. An electronic data vault system in accordance with claim 3, wherein during authentication of the at least one user by said authentication engine, said electronic data vault system is configured to enable the authenticated at least one user to access the datastore specific to the authenticated at least one user, the specific datastore having a document and data repository and key trust personal to the authenticated at least one user, and to apply the first cryptographic key previously associated with the authenticated at least one user onto data stored within the document and data repository.
  - 5. An electronic data vault system in accordance with claim 1 further comprising means for certifying data or documents, wherein said means for certifying data or documents comprises selecting at least one of the following:
    - ensuring that data submitted by a service provider meets a correct predefined format;
      
      ensuring that information included in the data corresponds to already certified data held in the user datastore;
      
      ensuring that a service provider submitting data has correct permissions and has been authenticated to a necessary security level to submit the data; and
      
      ensuring that the user has provided permission for the data to be submitted, optionally from an identified service provider.

6. A method for remotely and securely storing data for a user in an electronic data vault system such that the user can subsequently access the data via a network interface, said method comprising:
- storing, securely, personal data for at least one user in a remote server comprising a document and data repository, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;
  
  generating at least one cryptographic key pair for the at least one user with a key trust;
  
  storing a first cryptographic key of the at least one cryptographic key pair in the key trust;
  
  encrypting the first cryptographic key with a third cryptographic key;
  
  exporting a second cryptographic key of the at least one cryptographic key pair from the key trust;
  
  storing at least one biometric captured from and associated with the at least one user in a biometric database, wherein the at least one biometric is captured during enrollment in the electronic data vault system;
  
  allowing controlled access to the remote server by the at least one user and allowing for transmission of the at least one captured user biometric to the electronic data vault system through the network interface;
  
  authenticating the at least one user with an authentication engine configured to interface with the biometric database, to sign an identity claim of the at least one user with a cryptographic key of the authentication engine and to forward the signed identity claim to the key trust, the identity claim being provided prior to said authenticating operation;
  
  generating an authentication ticket with the authentication engine during said authenticating operation by signing the identity claim upon authentication of the at least one user with the authentication engine;
  
  verifying that the authentication engine signed the authentication ticket;
  
  signing the authentication ticket with an e-signature application when said verifying operation confirms that the authentication engine signed the authentication ticket;
  
  requesting re-authentication by the authentication engine when the authentication ticket is no longer valid;
  
  verifying the signature of the e-signature application with the key trust to ensure the authentication ticket was received from a trusted e-signature application; and
  
  decrypting the first cryptographic key with the third cryptographic key, wherein the key trust performs said decrypting operation.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A method for remotely and securely storing data in accordance with claim 6, further comprising generating the third cryptographic key as one of a symmetric key and an asymmetric key.
  - 8. A method for remotely and securely storing data in accordance with claim 6, further comprising:
    - allowing the at least one user to define policies controlling access of specific service providers to specific parts of a datastore of the at least one user;
      
      defining data that is permitted to be deposited by specific service providers into the datastore of the at least one user; and
      
      defining default data access levels for service providers not specifically identified using a policy management system.
  - 9. A method for remotely and securely storing data in accordance with claim 8, further comprising:
    - enabling the authenticated at least one user to access the datastore specific to the authenticated at least one user during said authenticating operation, the specific datastore having a document and data repository and key trust personal to the authenticated at least one user; and
      
      applying the first cryptographic key previously associated with the authenticated at least one user onto data stored within the document and data repository.
  - 10. A method for remotely and securely storing data in accordance with claim 6, further comprising certifying data or documents by selecting at least one of the following operations:
    - ensuring that data submitted by a service provider meets a correct predefined format;
      
      ensuring that information included in the data corresponds to already certified data held in the user datastore;
      
      ensuring that a service provider submitting data has correct permissions and has been authenticated to a necessary security level to submit the data; and
      
      ensuring that the user has provided permission for the data to be submitted, optionally from an identified service provider.

11. An electronic data vault system comprising:
- a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair, and to encrypt the first cryptographic key with a third cryptographic key;
  
  an interface configured to allow controlled access to a remote server by the at least one user and to allow for transmission of the at least one captured user biometric to said electronic data vault system;
  
  an authentication engine configured tointerface with a biometric database to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics,generate an authentication ticket by signing a claim of identity upon authentication of the at least one user, the claim of identity being provided by the at least one user prior to authentication, andforward the signed claim of identity to said key trust; and
  
  an e-signature application configured toverify that said authentication engine signed the authentication ticket,sign the authentication ticket upon verifying that said authentication engine signed the authentication ticket, andrequest re-authentication by said authentication engine when the authentication ticket is no longer valid, wherein said key trust is further configured to verify the signature of said e-signature application to ensure the authentication ticket was received from a trusted e-signature application prior to decrypting the first cryptographic key with the third cryptographic key.
- View Dependent Claims (12)
- - 12. An electronic data vault system in accordance with claim 11, said key trust being further configured to sign a document digest with the first cryptographic key to generate a biometrically protected signature for the document.

13. A method for remotely and securely storing data for a user in an electronic data vault system such that the user can subsequently access the data via a network interface, said method comprising:
- generating at least one cryptographic key pair for the at least one user with a key trust;
  
  storing a first cryptographic key of the at least one cryptographic key pair in the key trust;
  
  encrypting the first cryptographic key with a third cryptographic key;
  
  allowing controlled access to a remote server by the at least one user and allowing for transmission of the at least one captured user biometric to the electronic data vault system through the network interface;
  
  authenticating the at least one user with an authentication engine configured to interface with a biometric database, to sign an identity claim of the at least one user with a cryptographic key of the authentication engine and to forward the signed identity claim to the key trust, the identity claim being provided prior to said authenticating operation;
  
  generating an authentication ticket with the authentication engine during said authenticating operation by signing the identity claim upon authentication of the at least one user with the authentication engine;
  
  verifying that the authentication engine signed the authentication ticket;
  
  signing the authentication ticket with an e-signature application when said verifying operation confirms that the authentication engine signed the authentication ticket;
  
  requesting re-authentication by the authentication engine when the authentication ticket is no longer valid;
  
  verifying the signature of the e-signature application with the key trust to ensure the authentication ticket was received from a trusted e-signature application; and
  
  decrypting the first cryptographic key with the third cryptographic key.
- View Dependent Claims (14)
- - 14. A method for remotely and securely storing data for a user in accordance with claim 13, further comprising signing a document digest with the first cryptographic key to generate a biometrically protected signature for the document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daon Holdings Limited
Original Assignee
Daon Holdings Limited
Inventors
Tattan, Oliver, White, Conor, Loughman, Stephen, Peirce, Michael, Murphy, Michael
Primary Examiner(s)
Worjloh; Jalatee

Application Number

US12/608,441
Publication Number

US 20100088233A1
Time in Patent Office

432 Days
Field of Search

705/50, 705 64- 79, 713/150, 726 1- 26, 380277-286
US Class Current

705/67
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6245   Protecting personal data, e...

G06Q 20/027   involving a payment switch ...

G06Q 20/0855   involving a third party

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/68   Special signature format, e...

H04L 2209/80   Wireless

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

Electronic data vault providing biometrically protected electronic signatures

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic data vault providing biometrically protected electronic signatures

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links