Methods for secure restoration of personal identity credentials into electronic devices
First Claim
1. A method, comprising:
receiving, by a personal identification device, an encrypted first section and a decrypted second section of a biometric encryption key, wherein the second section includes a digital signature, the second section having been decrypted by a server using a private key associated with the server and the digital signature having been decrypted by the server using a public key associated with a second personal identification device;
verifying, by the personal identification device, a validity of the digital signature using the public key associated with the second personal identification device;
decrypting, by the personal identification device, the encrypted first section of the biometric encryption key; and
combining, by the personal identification device, the first section of the biometric encryption key and the second section of the biometric encryption key to restore the biometric encryption key when the validity of the signature is verified.
Abstract
A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.
23 Claims
1. A method, comprising: (set out in full above under First Claim; dependent claims 2, 3, 4 and 5 depend on it)
6. A method, comprising:
decrypting, by a server, a section of a symmetric key containing a digital signature in encrypted form, using a private key associated with the server, the section of the symmetric key being less than an entirety of the symmetric key;
decrypting, by the server, the digital signature of the decrypted section of the symmetric key using a public key of a personal identification device to produce the decrypted section of the symmetric key including the decrypted digital signature; and
sending, by the server, the decrypted section of the symmetric key, including the decrypted digital signature, to a second personal identification device.
(Dependent claims: 7, 8, 9, 10, 11)
12. A method, comprising:
decrypting, by a server, a section of a first symmetric key in encrypted form containing a digital signature, the decrypting based on a private key of the server, to produce the section of the first symmetric key in decrypted form, the section of the first symmetric key in decrypted form being less than an entirety of the first symmetric key, the private key being associated with a server;
after the decrypting the section of the first symmetric key in encrypted form, sending the section of the first symmetric key in decrypted form, and sending the remainder of the entirety of the first symmetric key in encrypted form, to a personal identification device, the first symmetric key associated with biometric data for the personal identification device;
decrypting, by a server, a section of a second symmetric key in encrypted form containing a digital signature, the decrypting based on the private key of the server, to produce the section of the second symmetric key in decrypted form, the section of the second symmetric key in decrypted form being less than an entirety of the second symmetric key; and
after the decrypting the section of the second symmetric key in encrypted form, sending the section of the second symmetric key in decrypted form, and the remainder of the entirety of the second symmetric key in encrypted form, to the personal identification device.
(Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20)
21. A non-transitory computer readable medium programmed with executable instructions that, when executed by a processing system, perform a method, comprising:
receiving, by a personal identification device, an encrypted first section and a decrypted second section of a biometric encryption key, wherein the second section includes a digital signature, the second section having been decrypted by a server using a private key associated with the server and the digital signature having been decrypted by the server using a public key associated with a second personal identification device;
verifying, by the personal identification device, a validity of the digital signature using the public key associated with the second personal identification device;
decrypting, by the personal identification device, the encrypted first section of the biometric encryption key; and
combining, by the personal identification device, the first section of the biometric encryption key and the second section of the biometric encryption key to restore the biometric encryption key when the validity of the signature is verified.
22. A non-transitory computer readable medium programmed with executable instructions that, when executed by a processing system, perform a method, comprising:
decrypting, by a server, a section of a symmetric key containing a digital signature in encrypted form, using a private key associated with the server, the section of the symmetric key being less than an entirety of the symmetric key;
decrypting, by the server, the digital signature of the decrypted section of the symmetric key using a public key of a personal identification device to produce the decrypted section of the symmetric key including the decrypted digital signature; and
sending, by the server, the decrypted section of the symmetric key, including the decrypted digital signature, to a second personal identification device.
23. A non-transitory computer readable medium programmed with executable instructions that, when executed by a processing system, perform a method, comprising:
decrypting, by a server, a section of a first symmetric key in encrypted form containing a digital signature, the decrypting based on a private key of the server, to produce the section of the first symmetric key in decrypted form, the section of the first symmetric key in decrypted form being less than an entirety of the first symmetric key, the private key being associated with a server;
after the decrypting the section of the first symmetric key in encrypted form, sending the section of the first symmetric key in decrypted form, and sending the remainder of the entirety of the first symmetric key in encrypted form, to a personal identification device, the first symmetric key associated with biometric data for the personal identification device;
decrypting, by a server, a section of a second symmetric key in encrypted form containing a digital signature, the decrypting based on the private key of the server, to produce the section of the second symmetric key in decrypted form, the section of the second symmetric key in decrypted form being less than an entirety of the second symmetric key; and
after the decrypting the section of the second symmetric key in encrypted form, sending the section of the second symmetric key in decrypted form, and the remainder of the entirety of the second symmetric key in encrypted form, to the personal identification device.
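As an added illustration, not code from the patent or its assignee, the restore flow of claims 1 and 6 played out between device B (which signed the backup), the server, and device A (which restores the key). Textbook RSA over hard-coded Mersenne primes stands in for the real public-key scheme so the file runs on the standard library alone; the 128-bit key, its split into two 64-bit sections, the 64-bit truncated hash and the party names are my assumptions.

```python
import hashlib
E = 65537                                        # public exponent shared by all toy keys

def toy_keypair(a, b):
    # n = (2^a - 1)(2^b - 1) with Mersenne-prime exponents: trivially factorable, toy only
    p, q = (1 << a) - 1, (1 << b) - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def rsa(x, key):
    # raw modular exponentiation, no padding: stands in for encrypt/decrypt/sign/recover
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value does not fit the toy modulus")
    return pow(x, exp, n)

def digest(section):
    # 64-bit truncated SHA-256 of a 64-bit key section: the value device B signs
    return int.from_bytes(hashlib.sha256(section.to_bytes(8, "big")).digest()[:8], "big")

# Assumed known to every party out of band (the manufacturer's registry of device
# public keys in the abstract); private keys never leave their owner.
srv_pub, srv_priv = toy_keypair(127, 107)        # server, modulus ~2^234
a_pub, a_priv = toy_keypair(61, 17)              # device A (restores the key), ~2^78
b_pub, b_priv = toy_keypair(89, 31)              # device B (signed the backup), ~2^120

def backup(key16):
    # Device B at backup time: split the 128-bit key into two 64-bit sections
    s1, s2 = int.from_bytes(key16[:8], "big"), int.from_bytes(key16[8:], "big")
    enc1 = rsa(s1, a_pub)                        # section 1: only device A can open it
    sig = rsa(digest(s2), b_priv)                # B's signature over section 2 (< 2^120)
    enc2 = rsa((s2 << 120) | sig, srv_pub)       # section 2 + signature, sealed for the server
    return enc1, enc2

def server_release(enc1, enc2):
    # Server (claim 6): open section 2, recover the digest with B's public key, forward section 1 sealed
    blob = rsa(enc2, srv_priv)
    s2, sig = blob >> 120, blob & ((1 << 120) - 1)
    if s2 >> 64 or rsa(sig, b_pub) != digest(s2):
        raise ValueError("server: section 2 signature does not verify")
    return enc1, s2, sig

def device_restore(enc1, s2, sig):
    # Device A (claim 1): verify B's signature itself, decrypt section 1, recombine
    if s2 >> 64 or rsa(sig, b_pub) != digest(s2):   # do not rely on the server's check
        raise ValueError("device: section 2 signature does not verify")
    s1 = rsa(enc1, a_priv)                       # only A's private key opens section 1
    return s1.to_bytes(8, "big") + s2.to_bytes(8, "big")

if __name__ == "__main__":
    key = bytes(range(16))                       # constructed biometric encryption key
    assert device_restore(*server_release(*backup(key))) == key
```

The server never sees section 1 in the clear, and device A re-checks B's signature rather than trusting the server's check, which is the point of claim 1's "when the validity of the signature is verified" condition.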