Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

US 8,842,887 B2
Filed: 01/31/2011
Issued: 09/23/2014
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A stand-alone computing device comprising:

a processor;

a memory;

a biometric sensor; and

software storage, wherein upon an initial device power-up, executing the software stored thereon, causes the processor to;

generate a device ID from characteristics of device hardware components;

prompt a user to submit a plurality of biometric samples and capture said plurality of biometric samples using said biometric sensor;

transform data of said captured biometric samples to a consistent angle of inclination;

biometrically enroll an identity of a device user by matching said transformed data of said captured biometric samples to each other and determining a biometric template;

obtain a PIN value by one of a) generating said PIN value from said device ID and b) capturing said PIN value after being entered on the device;

generate a one-way hashed value of said PIN;

accept a password from the user after obtaining said PIN;

obfuscate the password using said hashed value of said PIN and said device ID, and storing the obfuscated password in said memory;

generate a private encryption key using at least said obfuscated password and said hashed PIN;

encrypt said biometric template using said private encryption key and store the encrypted template in the memory; and

upon subsequent device power up, the software further causes the processor to;

capture a subsequent biometric sample from a user, using said biometric sensor;

decrypt the encrypted template using said private encryption key;

de-obfuscate the obfuscated password using said hashed value of said PIN; and

provide the de-obfuscated password for an authentication process, only if the decrypted template is correctly decrypted and said subsequent biometric sample matches said decrypted template.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Biometric data, suitably transformed are obtained from a biometric input device contained within a stand-alone computing device and used in conjunction with a PIN to authenticate the user to the device. The biometric template and other data residing on the device are encrypted using hardware elements of the device, the PIN and Password hash. A stored obfuscated password is de-obfuscated and released to the device authentication mechanism in response to a successfully decrypted template and matching biometric sample and PIN. The de-obfuscated password is used to authenticate the user to device, the user to a remote computer, and to encrypt device data at rest on the device and in transit to and from the remote computer. This creates a trusted relationship between the stand-alone device and the remote computer. The system also eliminates the need for the user to remember and enter complex passwords on the device.

43 Citations

View as Search Results

17 Claims

1. A stand-alone computing device comprising:
- a processor;
  
  a memory;
  
  a biometric sensor; and
  
  software storage, wherein upon an initial device power-up, executing the software stored thereon, causes the processor to;
  
  generate a device ID from characteristics of device hardware components;
  
  prompt a user to submit a plurality of biometric samples and capture said plurality of biometric samples using said biometric sensor;
  
  transform data of said captured biometric samples to a consistent angle of inclination;
  
  biometrically enroll an identity of a device user by matching said transformed data of said captured biometric samples to each other and determining a biometric template;
  
  obtain a PIN value by one of a) generating said PIN value from said device ID and b) capturing said PIN value after being entered on the device;
  
  generate a one-way hashed value of said PIN;
  
  accept a password from the user after obtaining said PIN;
  
  obfuscate the password using said hashed value of said PIN and said device ID, and storing the obfuscated password in said memory;
  
  generate a private encryption key using at least said obfuscated password and said hashed PIN;
  
  encrypt said biometric template using said private encryption key and store the encrypted template in the memory; and
  
  upon subsequent device power up, the software further causes the processor to;
  
  capture a subsequent biometric sample from a user, using said biometric sensor;
  
  decrypt the encrypted template using said private encryption key;
  
  de-obfuscate the obfuscated password using said hashed value of said PIN; and
  
  provide the de-obfuscated password for an authentication process, only if the decrypted template is correctly decrypted and said subsequent biometric sample matches said decrypted template.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The device of claim 1, wherein said device is connected, through a network to a remote computer and said device and said remote computer achieving mutual remote computer/device authentication by:
    - a) the remote computer being configured to request an active device user to authenticate the device using said subsequent biometric sample and said PIN;
      
      b) said device being configured to generate a one-way hash value of said de-obfuscated password provided for authentication;
      
      c) said device being configured to communicate encrypted data, including a user credential over said network, using a symmetrical encryption key, which is a function of at least one of the one-way hashed value of said provided de-obfuscated password and said device ID;
      
      d) said device being configured to further communicate at least said device ID, encrypted with said symmetrical encryption key, to said remote computer;
      
      e) the remote computer being configured to calculate said symmetrical encryption key from a stored value of the hashed password, decrypts at least said device ID, and authenticates the device as a legitimate device on said network;
      
      f) the remote computer being configured to acknowledge the legitimacy of said network communication by encrypting the hashed password using said calculated symmetrical key and communicates the encrypted hashed password to said device,g) said device being configured to decrypt said encrypted hashed password, tests the decrypted hashed password for authenticity and in response to said test, acknowledges remote computer legitimacy to remote computer and grants it full access to said device;
      
      h) the remote computer being configured to check said device for compliance with network security policy and may change parameter data for acceptability and, if appropriate, releases said user credential to remote computer applications, andi) the remote computer being configured to delete all data from the device when the device does not respond to said remote computer request.
  - 3. The device of claim 1, wherein said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication by:
    - a) the remote computer being configured to request an active device user to authenticate the device using said subsequent biometric sample and said PIN;
      
      b) the device being configured to generate said de-obfuscated password which is used to release a Private Key to implement a PKI encryption and authentication protocol between the device and the said remote computer, only after successful submission of said subsequent biometric sample and PIN,c) the remote computer being configured to gain full access to said device and modify said device according to enterprise security policy when the device does not respond to said remote computer request.
  - 4. The device of claim 1, wherein the said biometric sensor comprises one of a stylus-based screen entry digitizer and a finger-based screen entry digitizer and records sign input.
  - 5. The device in claim 4, wherein said biometric samples contain, at least (X,Y) coordinate values, wherein each set of co-ordinate values having one of an associated explicit and inferred time stamp;
    - said biometric template is adaptive,the device being configured to calculate, store, and update biometric features, biometric feature means, and biometric feature variances, wherein said biometric feature means are modified by choosing weights that correspond to a largest discrimination score measured between authentic and imposter samples; and
      
      the device being configured to prompt a user to choose said signs to be one of;
      
      a secret sign without user feedback and a signature with user feedback.
  - 6. The device of claim 5, wherein said biometric feature means are based on at least one of:
    - V(x), where V(x) is variance of the x-coordinate values of a transformed sign, V(y), where V(y) is variance of the y-coordinate values of a transformed sign, C(x,y), where C(x,y) is covariance of a transformed sign coordinate values, total sign time, total in-contact sign time, total out-of contact sign time, positions of (x,y) turning points with respect to time, positions of (x,y) turning points with respect to x-position, positions of (x,y) turning points with respect to y-position. an estimate of total x-distance traveled, an estimate of total y-distance traveled, (x,y) positions of new points of stylus contact with respect to time, new out-of-contact stylus (x,y) positions with respect to x-position, (x,y) positions of new points of stylus contact with respect to x-position, (x,y) positions of new out-of-contact stylus positions with respect to time, Forehand (x,y) distances, and Backhand (x,y) distances.
  - 7. The device of claim 1, whereinsaid biometric template contains an electronic representation of the user'"'"'s valid signature which is released to electronic documents requiring it, said electronic documents subsequently being communicated to a remote computer storing a valid signature for said user, which is used to check the authenticity of the said electronic representation of user'"'"'s valid signature, requiring an exact or very close match;
    - said biometric template includes a time-stamp associated with the last time it was used to match a biometric sample;
      
      said biometric template includes an authentication code which is a definitive function of at least data defining said templatesaid biometric template contains the number of samples contributing to its values.
  - 8. The device of claim 1, further comprising an integrated IC card reader and wherein a user credential is released in the following manner:
    - a) said biometric template and a user credential are stored on an IC card;
      
      b) the PIN and subsequent biometric sample matching to the decrypted template processes are undertaken on the IC card; and
      
      c) in response to a correct PIN and biometric sample match, said user credential is released to be compared to information stored on a remote computer.

9. A stand-alone computing device comprising:
- a processor;
  
  a memory; and
  
  a software storage, wherein execution of the software causes the processor to;
  
  biometrically enroll device users, by capturing biometric samples, wherein said biometric samples contain, at least, (X, Y) coordinate values, and each set of co-ordinate values having one of an associated explicit and inferred time stamp;
  
  extract biometric feature values from signs made on an electronic signing area of said computing device, by one of a stylus and a finger, wherein said signs are chosen by the user to be one of, a secret sign without user feedback and a signature with user feedback;
  
  verify the identity of a user by matching a new biometric sample with a previously enrolled biometric template, wherein said biometric template includes an electronic representation of said user'"'"'s authentic signature and said authentic electronic signature is released for comparison with an electronic signature stored on a second computer remote from the stand alone computing device;
  
  calculate means of biometric features and modifying the means by weights that correspond to a largest discrimination score measured between authentic and imposter samples;
  
  generate a password and password hash from a stored, de-obfuscated password and device ID, wherein the de-obfuscated password is generated following a PIN generation and biometric sample matching.
- View Dependent Claims (10, 11)
- - 10. The device of claim 9, wherein said device is connected, through a network to a remote computer and said device and said remote computer achieving mutual remote computer/device authentication by:
    - a) the remote computer being configured to request an active device user to authenticate the device for mutual device authentication;
      
      b) said device being configured to communicate encrypted data over said network using a symmetrical encryption key, which is a function of the hashed value of said password;
      
      c) said device being configured to communicate at least said device ID, encrypted with said symmetrical encryption key, to said remote computer;
      
      d) the remote computer being configured to calculate said symmetrical encryption key, decrypts at least said device ID, and authenticates the device as a legitimate device on said network;
      
      e) the remote computer being configured to acknowledge the legitimacy of said network communication by encrypting one of said hashed password and other known data using said symmetrical key and communicates the encrypted one to said device;
      
      f) said device being configured to check the value of one of said hashed password and said other known data and in response to said check, acknowledges remote computer legitimacy to remote computer and grants it full access to said device;
      
      g) the remote computer being configured to check said device for compliance with network security policy and may change device parameter data for acceptability and, if appropriate, releases a trusted credential; and
      
      h) the remote computer being configured to delete all data from the device when the device does not respond to said remote computer request.
  - 11. The device of claim 9, wherein said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication by:
    - a) the remote computer being configured to request an active device user to authenticate the device using said subsequent biometric sample and said PIN;
      
      b) the device being configured to generate said de-obfuscated password which is used to release a Private Key to implement a PKI encryption and authentication protocol between the device and the said remote computer, only after successful submission of a subsequent biometric sample and PIN,c) the remote computer being configured to gain full access to said device and modify said device according to enterprise security policy when the device does not respond to said remote computer request.

12. A mobile device comprising:
- a processor;
  
  a memory;
  
  a biometric sensor integrated into the mobile device; and
  
  software storage embodying software that when executed cause the processor to;
  
  generate a device ID from characteristics of hardware components of said device;
  
  capture a biometric sample from a device user using said biometric sensor;
  
  perform authentication with a remote computer using PKI communications and a private encryption key, wherein said private encryption key is generated as a function of a previously entered password and said device ID;
  
  said software further causing the processor to perform encryption using at least said private encryption key;
  
  said memory storing a biometric template, which is encrypted and decrypted using said private encryption key;
  
  wherein said mobile device is unlocked, in response to a good match between said biometric sample and said decrypted biometric template, and accessed by PKI communications software, without said user re-entering a PIN or password for device access or for remote computer authentication.
- View Dependent Claims (13, 14)
- - 13. The mobile device of claim 12, wherein said memory stores an electronic representation of said user'"'"'s authentic electronic signature which, in response to a satisfactory biometric match of said biometric sample with said biometric template, is released in encrypted form for comparison with a very close replica of said electronic signature stored remotely on a separate computer.
  - 14. The mobile device of claim 12, wherein said device and said device user authenticate to a remote computer using a CBEFF patron such as ANSI BioAPI and where the BioAPI payload includes at least said device ID encrypted with said private encryption key.

15. A mobile device comprising:
- a processor;
  
  a memory;
  
  a biometric sensor integrated into the mobile device; and
  
  software storage embodying software that when executed cause the processor to;
  
  generate a device ID from characteristics of hardware components of said device;
  
  capture a biometric sample from a device user using said biometric sensor;
  
  prompt the user to enter a PIN, which is subjected to a one-way hash function, wherein the hashed PIN is used in conjunction with said device ID and a previously entered password to generate a private encryption key;
  
  perform authentication with a remote computer using PKI communications and said private encryption key;
  
  said software further causing the processor to perform encryption using at least said private encryption key;
  
  said memory storing a biometric template, which is encrypted and decrypted using said private key;
  
  wherein said mobile device is unlocked, in response to a good match between said biometric sample and said decrypted biometric template, and accessed by PKI communications software, without said user re-entering a password for device access or for remote computer authentication.
- View Dependent Claims (16, 17)
- - 16. The mobile device of claim 15, wherein said memory stores an electronic representation of said user'"'"'s authentic electronic signature which, in response to a satisfactory biometric match of said biometric sample with said biometric template, is released in encrypted form for comparison with a very close replica of said electronic signature stored remotely on a separate computer.
  - 17. The mobile device of claim 15, wherein said device and said device user authenticate to a remote computer using a CBEFF patron such as ANSI BioAPI and where the BioAPI payload includes at least said device ID encrypted with said private encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocrypt Access, LLC
Original Assignee
Christopher J. Beatson, Mark A. Kelty, Rodney Beatson
Inventors
Beatson, Rodney, Beatson, Christopher J., Kelty, Mark A.
Primary Examiner(s)
Bella, Matthew
Assistant Examiner(s)
BROOKS, JULIAN D

Application Number

US12/931,340
Publication Number

US 20110126024A1
Time in Patent Office

1,331 Days
Field of Search

382/115, 382/119, 382/124, 382/209, 713/182, 713/184, 713/186
US Class Current

382/115
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2129   Authenticate client device ...

G06V 30/1478   of characters or characters...

G06V 40/382   Preprocessing; Feature extr...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3242   involving keyed hash functi...

Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links