Electronic data vault providing biometrically protected electronic signatures
First Claim
1. An electronic data vault system for remotely and securely storing data for a user such that the user can subsequently access the data via a network interface, said electronic data vault system comprising:
a remote server comprising a document and data repository configured to securely store personal data for at least one user, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;
a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair, to encrypt the first cryptographic key with a third cryptographic key, and to export a second cryptographic key of the at least one cryptographic key pair from said key trust;
a biometric database configured to provide a storage location for at least one biometric captured from and associated with the at least one user, wherein the at least one biometric is captured during enrollment in said electronic data vault system;
an interface configured to allow controlled access to said remote server by the at least one user and to allow for transmission of the at least one captured user biometric to said electronic data vault system;
an authentication engine configured to interface with said biometric database to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, to sign a claim of identity with a cryptographic key of the authentication engine and to forward the signed claim of identity to said key trust, wherein the at least one user provides the identity claim prior to authentication, said authentication engine is configured to generate an authentication ticket by signing the identity claim upon authentication of the at least one user, and after authentication of the at least one user said key trust is further configured to decrypt the first cryptographic key with the third cryptographic key; and
an e-signature application configured to verify that said authentication engine signed the authentication ticket, sign the authentication ticket upon verifying that the authentication engine signed the authentication ticket, and request re-authentication by said authentication engine when the authentication ticket is no longer valid, wherein said key trust is further configured to verify the signature of said e-signature application to ensure the authentication ticket was received from a trusted e-signature application prior to decrypting the first cryptographic key with the third cryptographic key.
Abstract
An eVault system securely stores personal data and documents for citizens and allows controlled access by citizens and optionally by service providers. The eVault may be adapted to allow processes involving the documents to be carried out in a secure and paperless fashion. Documents are certified, and biometric matching is used for security. On effecting a match with a biometric identifier presented by a user, the user is allowed access to his personal eVault and to access a personal cryptographic key stored therein. One or more of these personal keys may be securely applied within the eVault to generate an electronic signature, amongst other functions.
14 Claims
1. As set out above under First Claim.
View Dependent Claims (2, 3, 4, 5)
6. A method for remotely and securely storing data for a user in an electronic data vault system such that the user can subsequently access the data via a network interface, said method comprising:
storing, securely, personal data for at least one user in a remote server comprising a document and data repository, wherein the secured personal data for each specific user is stored in a datastore associated with the specific user;
generating at least one cryptographic key pair for the at least one user with a key trust;
storing a first cryptographic key of the at least one cryptographic key pair in the key trust;
encrypting the first cryptographic key with a third cryptographic key;
exporting a second cryptographic key of the at least one cryptographic key pair from the key trust;
storing at least one biometric captured from and associated with the at least one user in a biometric database, wherein the at least one biometric is captured during enrollment in the electronic data vault system;
allowing controlled access to the remote server by the at least one user and allowing for transmission of the at least one captured user biometric to the electronic data vault system through the network interface;
authenticating the at least one user with an authentication engine configured to interface with the biometric database, to sign an identity claim of the at least one user with a cryptographic key of the authentication engine and to forward the signed identity claim to the key trust, the identity claim being provided prior to said authenticating operation;
generating an authentication ticket with the authentication engine during said authenticating operation by signing the identity claim upon authentication of the at least one user with the authentication engine;
verifying that the authentication engine signed the authentication ticket;
signing the authentication ticket with an e-signature application when said verifying operation confirms that the authentication engine signed the authentication ticket;
requesting re-authentication by the authentication engine when the authentication ticket is no longer valid;
verifying the signature of the e-signature application with the key trust to ensure the authentication ticket was received from a trusted e-signature application; and
decrypting the first cryptographic key with the third cryptographic key, wherein the key trust performs said decrypting operation.
View Dependent Claims (7, 8, 9, 10)
11. An electronic data vault system comprising:
a key trust configured to generate at least one cryptographic key pair for the at least one user, to store a first cryptographic key of the at least one cryptographic key pair, and to encrypt the first cryptographic key with a third cryptographic key;
an interface configured to allow controlled access to a remote server by the at least one user and to allow for transmission of the at least one captured user biometric to said electronic data vault system;
an authentication engine configured to interface with a biometric database to authenticate the at least one user based on a match of the at least one captured user biometric with previously stored biometrics, generate an authentication ticket by signing a claim of identity upon authentication of the at least one user, the claim of identity being provided by the at least one user prior to authentication, and forward the signed claim of identity to said key trust; and
an e-signature application configured to verify that said authentication engine signed the authentication ticket, sign the authentication ticket upon verifying that said authentication engine signed the authentication ticket, and request re-authentication by said authentication engine when the authentication ticket is no longer valid, wherein said key trust is further configured to verify the signature of said e-signature application to ensure the authentication ticket was received from a trusted e-signature application prior to decrypting the first cryptographic key with the third cryptographic key.
View Dependent Claims (12)
13. A method for remotely and securely storing data for a user in an electronic data vault system such that the user can subsequently access the data via a network interface, said method comprising:
generating at least one cryptographic key pair for the at least one user with a key trust;
storing a first cryptographic key of the at least one cryptographic key pair in the key trust;
encrypting the first cryptographic key with a third cryptographic key;
allowing controlled access to a remote server by the at least one user and allowing for transmission of the at least one captured user biometric to the electronic data vault system through the network interface;
authenticating the at least one user with an authentication engine configured to interface with a biometric database, to sign an identity claim of the at least one user with a cryptographic key of the authentication engine and to forward the signed identity claim to the key trust, the identity claim being provided prior to said authenticating operation;
generating an authentication ticket with the authentication engine during said authenticating operation by signing the identity claim upon authentication of the at least one user with the authentication engine;
verifying that the authentication engine signed the authentication ticket;
signing the authentication ticket with an e-signature application when said verifying operation confirms that the authentication engine signed the authentication ticket;
requesting re-authentication by the authentication engine when the authentication ticket is no longer valid;
verifying the signature of the e-signature application with the key trust to ensure the authentication ticket was received from a trusted e-signature application; and
decrypting the first cryptographic key with the third cryptographic key.
View Dependent Claims (14)
Specification