Secure identity and privilege system

US 8,086,867 B2
Filed: 05/01/2002
Issued: 12/27/2011
Est. Priority Date: 03/26/2002
Status: Active Grant

First Claim

Patent Images

1. A process for generating a unique, secure printable identity document and for authenticating the use of the identity document, comprising:

generating for an individual an identity certificate incorporating a pointer to biometric data and other identifying data for the individual, and including cryptographically hashed information and an encoded signature;

storing said identity certificate and biometric in a reference database;

performing a one-to-many biometric data search in a reference database to check said individual'"'"'s biometric data against biometric data previously stored in said reference database to determine whether said individual has a pre-existing identity already stored in said reference database, and, if said individual'"'"'s biometric data was not previously stored in said reference database,encoding said individual'"'"'s identity certificate, wherein the encoding includes generating a barcode;

producing a machine-readable encoded identity record incorporating said identity certificate; and

authenticating the use of said identity record by comparing said encoded identity with said stored identity certificate to authenticate the individual holding said identity record.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.

102 Citations

View as Search Results

28 Claims

1. A process for generating a unique, secure printable identity document and for authenticating the use of the identity document, comprising:
- generating for an individual an identity certificate incorporating a pointer to biometric data and other identifying data for the individual, and including cryptographically hashed information and an encoded signature;
  
  storing said identity certificate and biometric in a reference database;
  
  performing a one-to-many biometric data search in a reference database to check said individual'"'"'s biometric data against biometric data previously stored in said reference database to determine whether said individual has a pre-existing identity already stored in said reference database, and, if said individual'"'"'s biometric data was not previously stored in said reference database,encoding said individual'"'"'s identity certificate, wherein the encoding includes generating a barcode;
  
  producing a machine-readable encoded identity record incorporating said identity certificate; and
  
  authenticating the use of said identity record by comparing said encoded identity with said stored identity certificate to authenticate the individual holding said identity record.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The process of claim 1, wherein authenticating further includes detecting revocation of the identity certificate.
  - 3. The process of claim 1, wherein producing a machine-readable encoded identity record includes printing said barcode for use by a holder in identity verification.
  - 4. The process of claim 1, wherein comparing said encoded identity record with said stored identity certificate includes comparing encoded signatures.
  - 5. The process of claim 4, wherein comparing said encoded identity record with said stored identity certificate includes comparing externally stored biometric data with biometric data available from a presenter of the identity record.

6. A process for generating a unique, secure printable privilege, comprising:
- generating for an individual an identity certificate incorporating a pointer to biometric data and other identifying data for the individual, and including cryptographically hashed information and an encoded signature;
  
  storing said identity certificate and biometric data in a reference database in a location remote from locations where identity data is to be retrieved;
  
  retrieving identity data for an individual, including an encoded signature, data for identity and pointers to biometric data gathered from the remotely stored identity certificate;
  
  generating for said individual a privilege certificate incorporating reference to said identity certificate, cryptographically hashed privilege information, a pointer to existing biometric data, and an encoded signature;
  
  storing said privilege certificate and associated biometric data in a secure privilege database;
  
  producing a machine-readable encoded printable privilege document incorporating said privilege certificate;
  
  upon request for the granting of a privilege, comparing said encoded printable privilege document with said stored privilege certificate to biometrically authenticate the individual holding said printable privilege document; and
  
  detecting any revocation of the privilege prior to the granting of the requested privilege.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The process of claim 6, wherein producing a machine-readable encoded printable privilege includes printing said privilege for use by a holder in privilege verification.
  - 8. The process of claim 6, wherein producing a machine-readable encoded printable privilege includes generating a barcode.
  - 9. The process of claim 8, wherein producing a machine-readable encoded printed privilege further includes printing said barcode for use by a holder in privilege verification.
  - 10. The process of claim 6, wherein comparing said encoded printable privilege with said stored privilege includes comparing encoded signatures.
  - 11. The process of claim 10, wherein comparing said encoded printed privilege with said stored privilege includes comparing stored biometric data with biometric data available from a presenter of the printed privilege.
  - 12. The process of claim 6, further including:
    - generating for said individual privilege certificate additional biometric data;
      
      storing said additional biometric data in said secure privilege database; and
      
      incorporating in said privilege certificate a pointer to said additional biometric data, whereby additional biometrics may be added to a privilege certificate to enhance security.
  - 13. The process of claim 6, further including forwarding a copy of said stored privilege certificate and associated biometric data to a locality where said privilege is to be exercised for comparison at said locality with said privilege document.
  - 14. The process of claim 6, further including comparing said privilege certificate on said privilege document with said stored privilege certificate to detect tampering.

15. A process for generating a unique, secure privilege, comprising:
- generating for an individual an identity certificate incorporating a pointer to biometric data and other identifying data for the individual, and including cryptographically hashed information and an encoded signature;
  
  storing said identity certificate and biometric data in a reference database in a location remote from locations where identity data is to be retrieved;
  
  retrieving identity data for an individual, including an encoded signature, data for identity and pointers to biometric data gathered from the remotely stored identity certificate;
  
  generating for said individual a privilege certificate incorporating reference to said identity certificate, cryptographically hashed privilege information, a pointer to existing biometric data, and an encoded signature;
  
  storing said privilege certificate and associated biometric in a secure privilege database;
  
  producing a machine-readable encoded privilege record incorporating said privilege certificate;
  
  upon request for the granting of a privilege, comparing said encoded privilege record with said stored privilege certificate to biometrically authenticate the individual holding said privilege record; and
  
  detecting any revocation of the privilege prior to the granting of the requested privilege.
- View Dependent Claims (16, 17, 18)
- - 16. The process of claim 15, wherein producing a machine-readable encoded privilege record includes producing a printed privilege document.
  - 17. The process of claim 15, wherein producing a machine-readable encoded privilege record includes producing a machine readable certificate of privilege from said stored identity certificate and said stored privilege certificate for delivery to the individual when said individual presents himself and requests said privilege.
  - 18. The process of claim 17, wherein said machine readable certificate of privilege is produced from said stored identity certificate and said stored privilege certificate and delivered to said individual when said individual presents himself at a point of privilege and requests said privilege and has lost his privilege document.

19. A scalable method for generating a certified identity from a remotely accessible certifying entity or trusted identity authority (TIA) for a plurality of individuals, comprising:
- (a) providing a secure data storage adapted to automatically receive, store and retrieve biometric data and identity information within the TIA;
  
  (b) identifying a minimum set of biometric data to be collected from each individual seeking a certified identity, wherein said biometric data comprises one or more unique physical identifiers and wherein said unique physical identifiers included in said minimum set comprise at least one identifier selected from a group including facial image feature data, iris scan data, retina scan data, voice print data, DNA data, footprint data or fingerprint data;
  
  (c) submitting to the TIA, for a first individual, pre-selected biometric data corresponding to said minimum set of biometric data;
  
  (d) submitting to the TIA, for said first individual, pre-selected identity information comprising name, date of birth and place of birth;
  
  (e) performing a one-to-many biometric data search of said TIA data storage to check said first individual'"'"'s biometric data against said biometric data in said TIA data storage to determine whether said first individual has a pre-existing identity already stored in said TIA data storage;
  
  (f) if said first individual does not have a pre-existing identity already stored in said TIA data storage, meaning said first individual'"'"'s biometric data is not already stored in said TIA data storage, then storing said first individual'"'"'s biometric data with said first individual'"'"'s identity information for future pre-existing identity checks;
  
  (g) hashing said first individual'"'"'s biometric data to allow detection of an unauthorized attempt to alter data stored in said TIA data storage;
  
  (h) generating a digital certificate of identity for said first individual;
  
  said certificate being digitally signed by said TIA, said certificate of identity including (i) the first individual'"'"'s pre-selected identity information including name, date and place of birth, and (ii) a web address, URL or location data for said pre-selected biometric data, and associated hashes, permitting verifiably correct remote access to said certificate of identity by authorized entities;
  
  (i) storing said certificate of identity in a file in said TIA data storage, said file having a unique name; and
  
  (j) computing a hash code including said file'"'"'s unique name, and storing said file with said hash code.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19, further comprising:
    - (k) printing said certificate of identity as a tangible, portable document.
  - 21. The method of claim 19, wherein step (e) also includes determining whether said first individual'"'"'s biometric data has been stored in said TIA data storage from a prior identity certificate generation process, and if so, designating a prior identity certificate for said first individual;
    - the method further comprising;
      
      (k) revoking said prior identity certificate for said first individual;
      
      (l) hashing updated biometric data and saving said hashed updated biometric data for future checks;
      
      (m) adding new alias, new birth date or new birth place information to said first individual'"'"'s prior identity information to generate updated first individual identity information;
      
      (n) creating a new identity certificate including all aliases ever stored, plus current location or URL information for biometric data;
      
      wherein the hash of biometric data is included to represent the file names of the biometric data;
      
      (o) storing said new identity certificate for future use to issue privileges.
  - 22. The method of claim 19, further comprising a scalable method for accessing certified identity data stored remotely in the trusted identity authority (TIA) for a plurality of individuals, comprising:
    - (k) providing a first trusted privilege authority (TPA) designated as an agent for the TIA;
      
      (l) establishing a right of access for said first TPA to access identity certificates stored in said TIA'"'"'s data storage; and
      
      (m) wherein said identity certificates'"'"' identity information and biometric data can only be accessed in said first TPA by a licensed privilege owner in a process of granting a privilege to an individual owning the identity, and wherein no public or private keys are required from an individual seeking a privilege.
  - 23. The method of claim 22, wherein any TIA supports an unlimited number of TPA, and wherein said TPAs depend on said TIA'"'"'s identity certificates to generate a root identity and biometrics for an individual seeking to exercise a privilege.
  - 24. The method of claim 22, further comprising the following additional method steps:
    - (n) receiving information on a first privilege seeking individual in the TPA;
      
      (o) validating said first privilege seeking individual'"'"'s access to a privilege controlled by the TPA, and, as an agent of the TIA, retrieving the individual'"'"'s Identity Certificate and associated biometrics to the TPA, and, in response,(p) generating a first privilege certificate that binds the retrieved identity and biometrics to the privilege for which access is to be granted, wherein said privilege certificate is stored in a secure TPA database.
  - 25. The method of claim 24, wherein said TPA comprises, in addition to said minimum set of biometric data required by said TIA, collection of additional biometric data from said first privilege seeking individual.
  - 26. The method of claim 25, wherein said collection of additional biometric data does not require (a) other TPAs or (b) the TIA to use or honor said additional biometric data.
  - 27. The method of claim 24, wherein said TPA sends said first privilege certificate and associated biometrics from said first TPA database to one or more sites where said privilege is to be granted, thereby pre-positioning said first privilege seeking individual'"'"'s privilege certificate and biometric data where said privilege certificate and biometric data will be used to grant access to said privilege.
  - 28. The method of claim 24, further comprising:
    - (q) printing said privilege certificate as a tangible document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Inventors
Freeman, William E., Bellmore, Mark A., Aull, Kenneth W.
Primary Examiner(s)
Zia, Syed A.
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/137,622
Publication Number

US 20040162984A1
Time in Patent Office

3,527 Days
Field of Search

None
US Class Current

713/186
CPC Class Codes

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/40145   Biometric identity checks

G07C 9/253   visually

G07C 9/27   with central registration

G07D 7/004   using digital security elem...

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3268   using certificate validatio...

Secure identity and privilege system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Secure identity and privilege system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links