Biometric authenticaton system and method with vulnerability verification

US 8,312,521 B2
Filed: 03/23/2007
Issued: 11/13/2012
Est. Priority Date: 03/24/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, comprising:

a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;

a service provider that provides a service; and

a vulnerability verification server,wherein;

the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;

the vulnerability verification server is equipped with;

a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and

a vulnerability verification unit that acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider, when receiving the process profile from the service provider;

the service provider is equipped with;

a second storage device that stores an authentication policy indicating the criteria of the vulnerability information can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal;

a vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server, and receive the vulnerability information sent from the vulnerability verification server;

a policy verification unit that judges, based on the condition of use included in the process profile, the vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;

a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and

a service providing unit that provides a service to the client terminal where the request of the service was made in the case that the service providing judgment unit judges it is possible.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A biometric authentication device has a threat of an attack of pretending to be someone else by such as forgery. The present invention supports a service provider to appropriately decide the level of such threat.

A vulnerability verification server 150 is provided in the system, and the vulnerability of each biometric product is centrally managed. A service provider 130 sends the information that specifies the device in which a client terminal 110 executes the biometric authentication to the vulnerability verification server 150, and receives the vulnerability information. The service provider 130 decides whether the service can be provided or not to the client terminal 110 using the vulnerability information that was received.

6 Citations

View as Search Results

13 Claims

1. A biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, comprising:
- a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;
  
  a service provider that provides a service; and
  
  a vulnerability verification server,wherein;
  
  the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends the produced process profile to the service provider;
  
  the vulnerability verification server is equipped with;
  
  a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  a vulnerability verification unit that acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider, when receiving the process profile from the service provider;
  
  the service provider is equipped with;
  
  a second storage device that stores an authentication policy indicating the criteria of the vulnerability information can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal;
  
  a vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server, and receive the vulnerability information sent from the vulnerability verification server;
  
  a policy verification unit that judges, based on the condition of use included in the process profile, the vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies the criteria at the judged vulnerability level;
  
  a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
  
  a service providing unit that provides a service to the client terminal where the request of the service was made in the case that the service providing judgment unit judges it is possible.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The biometric authentication system according to claim 1, wherein the vulnerability verification server comprising a vulnerability information collecting unit that collects the specifying information of the biometric authentication unit equipped in each client terminal, the condition of use of the client terminal having the biometric authentication unit, and the vulnerability information of the biometric authentication unit specified by the specifying information and the condition of use, and stores the collected specifying information, condition of use and vulnerability information.
  - 3. The biometric authentication system according to claim 1, wherein the service providing judgment unit of the service provider comprising:
    - a verification policy; and
      
      the policy verification unit decides whether the vulnerability level at which the biometric authentication unit of the client terminal can provide the service is satisfied or not, by comparing the vulnerability level shown by the vulnerability information and the vulnerability level in which the service can be provided that is kept in the verification policy; and
      
      in a case of judging that the level is satisfied with the policy verification unit, the service providing judgment unit decides that the service can be provided.
  - 4. The biometric authentication system according to claim 2, wherein:
    - the vulnerability information indicates difficulty of attack in each of a level of difficulty of fraud and forgery and a level of an attacker; and
      
      the service providing judgment unit judges that the service can be provided in a case that both the level of difficulty of fraud and forgery and the level of the attacker of the vulnerability information received by the policy verification unit, satisfy the criteria of the authentication policy.
  - 5. The biometric authentication system according to claim 3, wherein:
    - the service provider can provide a plurality of services;
      
      the service providing judgment unit judges whether there is an service of the plurality of services, that can be provided within the vulnerability level of the vulnerability information or not among other services in a case of judging that the service that is requested to be provided from the client terminal cannot be provided; and
      
      the service providing unit provides the any service that was judged to be capable by the service providing judgment unit to the client terminal where the request was made.
  - 6. The biometric authentication system according to claim 4, wherein:
    - the process profile includes the condition of use in addition to the information that specifies the biometric authentication unit; and
      
      the condition of use is also kept in the vulnerability information keeping unit in addition to the information that specifies the biometric authentication unit.

7. A biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network and that is equipped with:
- a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information,a service provider that provides a service, anda vulnerability verification server,wherein;
  
  the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends a produced process profile to the service provider;
  
  the vulnerability verification server is equipped with;
  
  a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  a change notifying unit that sends, when information stored in the first storage device is updated, updated information to the service provider;
  
  the service provider is equipped with;
  
  a second storage device that stores an authentication policy indicating criteria of the vulnerability information which can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal;
  
  a third storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  a vulnerability information management unit that causes the third storage device to store the updated information when receiving the updated information from the vulnerability verification server;
  
  a vulnerability verification unit that acquires based on the specifying information and the condition of use included in the process profile, when receiving the process profile, the vulnerability information sent from the third storage device;
  
  a policy verification unit that judges, based on the condition of use included in the process profile, the vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the acquired vulnerability information satisfies the criteria at the judged vulnerability level;
  
  a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
  
  a service providing unit that provides a service to the client terminal where the request of the service was made in a case that the service providing judgment unit judges it is possible.
- View Dependent Claims (8, 9, 10)
- - 8. The biometric authentication system according to claim 7 further comprising:
    - a vulnerability information collecting unit that collects the vulnerability information of the biometric authentication unit equipped in each client terminal, the condition of use of the client terminal having the biometric authentication unit, and the acquired vulnerability information under the condition of use and stores the collected specifying information, condition of use, and vulnerability information.
  - 9. The biometric authentication system according to claim 8, wherein;
    - the first storage device stores the specifying information of the biometric authentication unit, types of the vulnerability of the client terminal having the biometric authentication unit, a range affected by the vulnerability, and the condition of use of the client terminal in which the vulnerability clearly exists; and
      
      the vulnerability information includes a resource and condition that are necessary to realize an attack using the vulnerability, and a knowledge level of an attacker having an ability of attacking using the vulnerability, which are registered in a vulnerability information keeping unit as the vulnerability information.
  - 10. The biometric authentication system according to claim 9, wherein the range affected by the vulnerability is specified by the information that specifies the device of the biometric authentication unit, the information that specifies the software, and the information that specifies the template.

11. A service providing propriety judging method implemented via a biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network, wherein:
- the biometric authentication system is equipped with a client terminal, a vulnerability verification server, and a service provider, and;
  
  the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies a biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends a produced process profile to the service provider;
  
  the vulnerability verification server is equipped with a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  the service provider is equipped with a second storage device that stores an authentication policy indicating criteria of the vulnerability information which can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal; and
  
  the service provider executes sending, when receiving the process profile, the process profile to the vulnerability verification server;
  
  the vulnerability verification server executes acquiring, based on the specifying information and the condition of use included in the process profile, when receiving the process profile from the service provider, the vulnerability information from the first storage device and sending acquired vulnerability information to the service provider; and
  
  the service provider executes;
  
  receiving the vulnerability information send from the vulnerability verification server;
  
  judging, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies a criteria at a judged vulnerability level;
  
  judging, based on the judgment by a policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
  
  providing a service to the client terminal in a case that a service providing judgment unit judges providing the service is possible.

12. A non-transitory computer-readable medium embodying a program for running a computer of a service provider in a biometric authentication system that provides a service after carrying out personal identification of a service requester through a data communication network comprising:
- a client terminal that receives an input of biometric information of the service requester and performs a biometric authentication with its own biometric authentication unit using the received biometric information;
  
  a service provider that provides a service; and
  
  a vulnerability verification server;
  
  wherein;
  
  the client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies the biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends a produced process profile to the service provider;
  
  the vulnerability verification server is equipped with;
  
  a first processor;
  
  a first storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and vulnerability information indicating a level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  the service provider is equipped with;
  
  a second processor;
  
  a second storage device that stores an authentication policy indicating criteria of the vulnerability information which can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal;
  
  wherein the program, when executed, causes;
  
  the first processor of the vulnerability verification server to function as a vulnerability verification unit that acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends acquired vulnerability information to the service provider, when receiving the process profile from the service provider;
  
  the second processor of the service provider to function as;
  
  a second vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server, and receive the vulnerability information sent from the vulnerability verification server;
  
  a policy verification unit that judges, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies criteria at the judged vulnerability level;
  
  a service providing judgment unit that judges, based on the judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
  
  a service providing unit that provides the service to the client terminal where the request of the service was made in a case that the service providing judgment unit judges that providing the service is possible.

13. A vulnerability verification server that notifies vulnerability information indicating the vulnerability level of the biometric authentication unit of a client depending on a request from a service provider providing a service in a biometric authentication system that provides the service after carrying out personal identification of a service requester through a data communication network;
- wherein;
  
  a client terminal is equipped with a process profile producing unit that produces a process profile, which includes specifying information that specifies a biometric authentication unit, an authentication result by the biometric authentication unit, and a condition of use indicating under what kind of security control the client terminal itself is used, and that sends a produced process profile to the service provide;
  
  the service provider is equipped with;
  
  a storage device that stores an authentication policy indicating criteria of the vulnerability information which can provide the service in each plurality of vulnerability levels which is determined according to strictness of security control of the client terminal;
  
  a vulnerability verification unit that, when receiving the process profile, sends the process profile to the vulnerability verification server, and receives the vulnerability information sent from the vulnerability verification server;
  
  a policy verification unit that judges, based on the condition of use included in the process profile, a vulnerability level of the client terminal which sent the process profile, and further judges, based on the authentication policy, whether or not the vulnerability information sent from the vulnerability verification server satisfies criteria at a judged vulnerability level;
  
  a service providing judgment unit that judges, based on judgment by the policy verification unit, whether or not the service can be provided to the client terminal which sent the process profile; and
  
  a service providing unit that provides the service to the client terminal where the request of the service was made in a case that the service providing judgment unit judges that providing the service is possible;
  
  the vulnerability verification server is equipped with;
  
  another storage device that stores the specifying information of the biometric authentication unit, the condition of use indicating under what kind of security control the client terminal, having the biometric authentication unit, is used, and the vulnerability information indicating the level of vulnerability of the biometric authentication unit specified by the specifying information and the condition of use; and
  
  a vulnerability verification unit that acquires the vulnerability information from the first storage device based on the specifying information and the condition of use included in the process profile, and sends the acquired vulnerability information to the service provider, when receiving the process profile from the service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Isobe, Yoshiaki, Mimura, Masahiro
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Salehi, Helai

Application Number

US12/293,470
Publication Number

US 20090307764A1
Time in Patent Office

2,062 Days
Field of Search

726/7, 726/25
US Class Current

726/7
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/51   at application loading time...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 9/3231   Biological data, e.g. finge...

Biometric authenticaton system and method with vulnerability verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Biometric authenticaton system and method with vulnerability verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others