Technologies for secure storage and use of biometric authentication information

US 9,137,247 B2
Filed: 03/15/2013
Issued: 09/15/2015
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A client device, comprising:

a processor;

a memory configured to store a biometric reference template, the biometric reference template comprising biometric reference information of a human; and

a client authentication module (CAM) configured to;

transmit a biometric authentication initiation signal (BAIS) to an authentication device, wherein the BAIS;

specifies requirements of a protected environment that is required by the client device for the temporary storage of a biometric template, said requirements comprising one or more of a type of protected environment, processing resources of a protected environment, memory of a protected environment, input/output resources of a protected environment, or one or more combinations thereof; and

is configured to cause the authentication device to transmit an attestation signal to the client device, the attestation signal including attestation information that attests to characteristics of a protected environment implemented by the authentication device;

evaluate said attestation information in said attestation signal to determine whether the characteristics of the protected environment implemented in the authentication device meet the requirements specified in said BAIS; and

the CAM is further configured to permit transmission of the biometric reference template to the authentication device when the characteristics of the protected environment implemented in the authentication device meets the requirements specified in the BAIS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.

53 Citations

View as Search Results

24 Claims

1. A client device, comprising:
- a processor;
  
  a memory configured to store a biometric reference template, the biometric reference template comprising biometric reference information of a human; and
  
  a client authentication module (CAM) configured to;
  
  transmit a biometric authentication initiation signal (BAIS) to an authentication device, wherein the BAIS;
  
  specifies requirements of a protected environment that is required by the client device for the temporary storage of a biometric template, said requirements comprising one or more of a type of protected environment, processing resources of a protected environment, memory of a protected environment, input/output resources of a protected environment, or one or more combinations thereof; and
  
  is configured to cause the authentication device to transmit an attestation signal to the client device, the attestation signal including attestation information that attests to characteristics of a protected environment implemented by the authentication device;
  
  evaluate said attestation information in said attestation signal to determine whether the characteristics of the protected environment implemented in the authentication device meet the requirements specified in said BAIS; and
  
  the CAM is further configured to permit transmission of the biometric reference template to the authentication device when the characteristics of the protected environment implemented in the authentication device meets the requirements specified in the BAIS.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The client device of claim 1, wherein the CAM is further configured to deny transmission of the biometric reference template to the authentication device when the characteristics of the protected environment implemented by the authentication device do not meet said requirements specified in the BAIS.
  - 3. The client device of claim 1, wherein said attestation information further comprises information regarding the authentication device'"'"'s ability to hold said biometric reference template in confidence, and said CAM is further configured to:
    - compare said attestation information to a collection of predetermined acceptable and unacceptable protected environments;
      
      permit transmission of said biometric reference template to the authentication device when comparing the attestation information to said collection establishes that the protected environment implemented by the authentication device is one or more of the predetermined acceptable protected environments; and
      
      deny transmission of said biometric reference template to the authentication device when comparing the attestation information to said collection establishes that the protected environment implemented by the authentication device is one or more of the predetermined unacceptable protected environments.
  - 4. The client device of claim 1, wherein:
    - said BAIS is further configured to cause the authentication device to attest, in said attestation signal, to the implementation of a temporary storage policy by the protected environment implemented by said authentication device; and
      
      the CAM is further configured to analyze said attestation information to determine whether the temporary storage policy implemented by the protected environment is in accordance with predetermined parameters for the temporary storage and deletion of biometric reference templates from the protected environment; and
      
      the CAM is further configured to permit transmission of the biometric reference template when it is determined that the temporary storage policy implemented by the protected environment meets the predetermined parameters for the temporary storage and deletion of biometric reference templates.
  - 5. The client device of claim 4, wherein the CAM is further configured to deny transmission of the biometric reference template when it is determined that the temporary storage policy implemented by the protected environment implemented on the authentication device does not meet the predetermined parameters for the temporary storage and deletion of biometric reference templates.
  - 6. The client device of claim 1, wherein the protected environment is selected from a trusted execution environment, a memory enclave, and a combination thereof.

7. An authentication device, comprising:
- a processor;
  
  a memory;
  
  a protected environment; and
  
  an authentication device attestation module (ADAM), wherein the ADAM is configured to;
  
  transmit, in response to receipt of a biometric authentication initiation signal (BAIS) from a client device, an attestation signal containing attestation information attesting to the characteristics of a protected environment executable by the authentication device, wherein the attestation signal is configured to cause the client device to evaluate said attestation information to determine whether the characteristics of the protected environment meet requirements specified in the BAIS of a protected environment for the temporary storage of a biometric template, the requirements comprising one or more of a type of protected environment, processing resources of a protected environment, memory of a protected environment, input/output resources of a protected environment, or one or more combinations thereof;
  
  wherein when said attestation information establishes that the characteristics of the protected environment executable on the authentication device meet the requirements specified in the BAIS, the ADAM is further configured to;
  
  store a biometric reference template received from a client device in the protected environment;
  
  biometrically authenticate a human with the biometric reference template stored in the protected environment;
  
  establish an authenticated session if biometric authentication of the human is successful; and
  
  delete the biometric reference template upon the detection of a termination event.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The authentication device of claim 7, wherein the attestation information further comprises information about a temporary storage policy executable by the protected environment executable on authentication device.
  - 9. The authentication device of claim 7, wherein the biometric authentication is further performed using biometric test information obtained from the human using at least one sensor.
  - 10. The authentication device of claim 7, further comprising a sensor configured to obtain biometric test information from the human, the CAM further configured to perform the biometric authentication using the biometric test information and the biometric reference template stored in the protected environment.
  - 11. The authentication device of claim 7, wherein the termination event is selected from the expiration of a predetermined time period, failure of the authentication device to detect the client device, failure of the authentication device to detect a human presence, failure of the authentication device to verify the presence of the human, failure of the authentication device to maintain a specified degree of confidence that the human is present, failure of the biometric authentication of the human, and combinations thereof.
  - 12. The authentication device of claim 11, wherein said termination event comprises failure of the authentication device to maintain a specified degree of confidence that the human is present.
  - 13. The authentication device of claim 7, wherein the protected environment is selected from a trusted execution environment, a memory enclave, and combinations thereof.

14. A method of transferring a biometric template with a client device, comprising:
- transmitting a biometric authentication initiation signal (BAIS) to an authentication device, wherein the BAIS;
  
  specifies requirements of a protected environment that is required by the client device for the temporary storage of a biometric template, said requirements comprising one or more of a type of protected environment, processing resources of a protected environment, memory of a protected environment, input/output resource of a protected environment, or one or more combinations thereof; and
  
  is configured to cause the authentication device to transmit an attestation signal to the client device, the attestation signal including attestation information that attests to characteristics of a protected environment implemented by the authentication device;
  
  evaluating said attestation information in said attestation signal to determine whether the characteristics of the protected environment implemented in the authentication device meets the requirements specified in said BAIS; and
  
  permitting the transmission of the biometric reference template from the client device to the authentication device when the characteristics of the protected environment implemented in the authentication device meets the requirements specified in the BAIS.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, further comprising denying the transmission of the biometric reference template to the authentication device when the characteristics of the protected environment implemented in the authentication device do not meet the requirements specified in the BAIS.
  - 16. The method of claim 15, wherein said BAIS is further configured to cause the authentication device to attest, in said attestation signal, to the implementation of a temporary storage policy by the protected environment implemented by said authentication device;
    - andthe method further comprises;
      
      analyzing said attestation information to determine whether the temporary storage policy implemented by the protected environment is in accordance with predetermined parameters for the temporary storage and deletion of biometric reference templates from the protected environment; and
      
      permitting transmission of the biometric reference template from the client device to the authentication device when it is determined that the temporary storage policy implemented by the protected environment meets the predetermined parameters for the temporary storage and deletion of biometric reference templates; and
      
      denying the transmission of the biometric reference template when it is determined that the temporary storage policy implemented by the protected environment does not meet the predetermined parameters for the temporary storage and deletion of the biometric reference templates.
  - 17. The method of claim 15, wherein the protected environment is selected from a trusted execution environment, a memory enclave, and a combination thereof.
  - 18. The method of claim 14, wherein said attestation information comprises information regarding the authentication device'"'"'s ability to hold said biometric reference template in confidence, and the method further comprises:
    - comparing the attestation information to a collection of predetermined acceptable and unacceptable protected environments;
      
      permitting transmission of said biometric reference template to the authentication device when comparing the attestation information to said collection establishes that the protected environment implemented by the authentication device is one or more of the predetermined acceptable protected environments; and
      
      denying transmission of said biometric reference template to the authentication device when comparing the attestation information to said collection establishes that the protected environment implemented by the authentication device is one or more of the predetermined unacceptable protected environments.

19. A method of performing biometric authentication with an authentication device, comprising:
- transmitting, in response to receipt of a biometric authentication initiation signal (BAIS) from a client device, an attestation signal containing attestation information attesting to the characteristics of a protected environment executable by the authentication device, wherein the attestation signal is configured to cause the client device to evaluate said attestation information to determine whether the characteristics of the protected environment meet requirements specified in the BAIS of a protected environment for the temporary storage of a biometric template, the requirements comprising one or more of a type of protected environment, processing resources of a protected environment, memory of a protected environment, input/output resources of a protected environment, or one or more combinations thereof;
  
  wherein when said attestation information establishes that the characteristics of the protected environment executable on the authentication device meet the requirements specified in the BAIS, the method further comprises;
  
  storing a biometric reference template received from a client device in a protected environment of the authentication device;
  
  biometrically authenticating a human with the biometric reference template stored in the protected environment;
  
  establishing an authenticated session if biometric authentication of the human is successful; and
  
  deleting the biometric reference template upon the detection of a termination event.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19, further comprising obtaining biometric test information from the human with at least one sensor of the authentication device, and biometrically authenticating the human with the authentication device using the biometric test information and the biometric reference template stored in the protected environment.
  - 21. The method of claim 19, wherein the authentication device comprises a plurality of sensors configured to obtain biometric test information from the human, the method further comprising:
    - determining with the authentication device the type of biometric reference information contained in the biometric reference template;
      
      selecting with the authentication device a first subset of the plurality of sensors capable of obtaining biometric test information of a type corresponding to the biometric reference information;
      
      obtaining the biometric test information from the human with the first subset of the plurality of sensors; and
      
      biometrically authenticating the human with the authentication device using the biometric test information and the biometric reference template stored in the protected environment.
  - 22. The method of claim 19, wherein the termination event is selected from the expiration of a predetermined time period, failure of the authentication device to detect the client device, failure of the authentication device to detect a human presence, failure of the authentication device to verify the presence of the human, failure of the authentication device to maintain a specified degree of confidence that the human is present, failure of the biometric authentication of the human, and combinations thereof.
  - 23. The method of claim 22, wherein said termination event comprises failure of the authentication device to maintain a specified degree of confidence that the human is present.
  - 24. The method of claim 19, wherein the protected environment is selected from a trusted execution environment, a memory enclave, and combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Cahill, Conor P., Sheller, Micah J., Martin, Jason
Primary Examiner(s)
Traore, Fatoumata

Application Number

US13/995,247
Publication Number

US 20140282945A1
Time in Patent Office

914 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

H04L 63/06   for supporting key manageme...

H04L 63/0861   using biometrical features,...

Technologies for secure storage and use of biometric authentication information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for secure storage and use of biometric authentication information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links