Method and system for providing password-free, hardware-rooted, ASIC-based authentication of a human to a mobile device using biometrics with a protected, local template to release trusted credentials to relying parties
First Claim
1. A stand-alone computing device, which may also be a mobile device comprising:
a processor;
a memory;
a biometric sensor;
optionally, an application specific integrated circuit (ASIC) connected to or contained within said stand-alone computing device, incorporating an ASIC processor, an ASIC memory and ASIC software storage, capable of causing code-signing, biometric authentication and encryption operations to take place;
a software storage, wherein, upon power-up of the said stand-alone computing device, and prior to executing at least some of the software stored thereon, causes the said processor and the said ASIC processor, individually or in combination to;
check the signed code stored on the said ASIC and the said stand-alone computing device and, responsive to a successful check;
generate a device ID from hardware characteristics of said stand-alone computing device and said ASIC;
prompt a user to submit a plurality of biometric samples and capture said plurality of biometric samples using said biometric sensor;
optionally, transform data of said captured biometric samples to a consistent angle of inclination;
biometrically enroll an identity of a device user by matching said captured biometric samples to each other and determining a biometric template;
obtain a PIN value by one of a) generating said PIN value from hardware characteristics of the said stand-alone computer and the said ASIC and b) capturing said PIN value after being entered on said device;
generate a one-way hashed value of said PIN;
accept a password from the user after obtaining said PIN;
obfuscate said password using said hashed value of said PIN and said device ID, and store the obfuscated password in one of said memory and said ASIC memory;
generate a first private encryption key using at least said hashed PIN and, optionally, one of said device ID and said obfuscated password;
encrypt said biometric template using said first private encryption key and store the encrypted template in one of the said memory and the said ASIC memory;
and upon subsequent stand-alone computing device power up, the said software and the said ASIC software further cause the stand-alone computing device processor and the ASIC processor, individually or in combination to;
a) check said signed code stored on the said ASIC and the said stand-alone computing device and, responsive to a successful check;
b) generate said device ID from hardware characteristics of said stand-alone computing device and said ASIC;
c) capture a subsequent biometric sample from a user, using said biometric sensor;
d) decrypt the encrypted template using said first private encryption key;
e) de-obfuscate the obfuscated password using at least said hashed value of said PIN and said device ID
f) provide the said de-obfuscated password for an authentication process, only if the encrypted template is correctly decrypted and said subsequent biometric sample matches said decrypted template.
Abstract
Biometric data are obtained from a biometric sensor on a mobile device, containing an ASIC, which is connected to or incorporated within it. The mobile device and ASIC, in combination or individually, capture biometric samples, extract biometric features and match them to a locally stored, encrypted template. For extra security, the biometric matching may be enhanced by the use of an entered PIN. The biometric template and other sensitive data are encrypted using hardware elements of the mobile device and ASIC, together with a PIN hash. A stored obfuscated Password is de-obfuscated and released to the mobile device authentication mechanism in response to a successfully decrypted template and matching biometric sample. A different de-obfuscated password may be released to authenticate the user to a remote computer and to encrypt data in transit. The system eliminates the need for the user to remember and enter complex passwords on the mobile device.
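The enrollment and release flow the abstract describes, as an added Python sketch that is not code from the patent. Assumptions: PBKDF2 stands in for the "one-way hash" of the PIN, an HMAC-SHA256 counter-mode keystream with a MAC tag stands in for the template cipher and the password obfuscation, Euclidean distance stands in for the biometric matcher, and all function names are hypothetical.

```python
import hashlib, hmac, json, math, secrets

ITERATIONS = 100_000  # assumed work factor; the page only says "one-way hashed"

def pin_hash(pin, device_id):
    # Slow, device-bound hash so a short PIN is costly to guess offline.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_id, ITERATIONS)

def _stream(key, label, n):
    # HMAC-SHA256 in counter mode: a stand-in keystream, not a vetted cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, key, label):
    return bytes(a ^ b for a, b in zip(data, _stream(key, label, len(data))))

def _tag(key, nonce, ct):
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def enroll(pin, device_id, template, password):
    key = pin_hash(pin, device_id)
    nonce = secrets.token_bytes(16)
    ct = _xor(json.dumps(template).encode(), key, b"tmpl" + nonce)
    return {"nonce": nonce, "ct": ct, "tag": _tag(key, nonce, ct),
            "obf": _xor(password.encode(), key, b"pw" + nonce)}

def unlock(pin, device_id, sample, rec, max_dist=0.5):
    key = pin_hash(pin, device_id)
    # "Correctly decrypted" is checked with the tag before any plaintext is used.
    if not hmac.compare_digest(_tag(key, rec["nonce"], rec["ct"]), rec["tag"]):
        return None  # wrong PIN, different device, or modified record
    template = json.loads(_xor(rec["ct"], key, b"tmpl" + rec["nonce"]))
    if math.dist(sample, template) > max_dist:  # assumed toy matcher
        return None  # biometric sample does not match
    return _xor(rec["obf"], key, b"pw" + rec["nonce"]).decode()

# Constructed sample values, not real biometric data.
DEVICE = b"constructed-device-id"
RECORD = enroll("4821", DEVICE, [0.10, 0.90, 0.40], "S3cret-pw")
```

In this sketch the password mask depends only on the PIN hash and device ID, so the biometric comparison is a gate enforced by the code that runs it, not a key input.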
20 Claims
12. A stand-alone computing device comprising;
a processor;
a memory;
a biometric sensor;
Optionally, an application specific integrated circuit (ASIC) connected to or contained within said stand-alone computing device, incorporating an ASIC processor, an ASIC memory and an ASIC software storage, capable of causing code-signing, biometric authentication and encryption operations to take place;
a software storage, wherein, upon power-up of the said stand-alone computing device, and prior to executing at least some of the software stored thereon, causes the said processor and the said ASIC processor, individually or in combination to;
check the signed code stored on the said ASIC and the said stand-alone computing device and, responsive to a successful check;
generate a device ID from hardware characteristics of said stand-alone computing device and said ASIC;
biometrically enroll device users by capturing biometric samples, wherein said biometric samples contain, at least, (X,Y) coordinate values, and each set of co-ordinate values having one of an associated explicit and inferred time stamp;
extract biometric feature values from signs made on an electronic signing area of said stand-alone computing device, by one of a stylus and a finger, wherein said signs are chosen by the user to be one of, a secret sign without user feedback and a signature with user feedback;
verify the identity of a user by matching a new biometric sample with a previously enrolled biometric template, wherein said biometric template includes an electronic representation of said user's authentic signature and said authentic electronic signature and said authentic electronic signature is released so that it may be compared with an electronic signature stored on a second computer remote from the stand-alone computing device;
calculate means of biometric features and modify the said means by weights that correspond to a large discrimination score measured between authentic and imposter samples;
generate a password and password hash from a stored, de-obfuscated password and device ID, wherein said de-obfuscated password is generated following a PIN generation and biometric sample matching;
provide the de-obfuscated password for an authentication process, only if the encrypted template is correctly decrypted and said subsequent biometric sample matches said decrypted template.
15. A stand-alone computing device comprising:
a processor;
a memory;
a biometric sensor;
Optionally, an application specific integrated circuit (ASIC) connected to or contained within said stand-alone computing device, incorporating an ASIC processor, an ASIC memory and an ASIC software storage, capable of causing code-signing, biometric authentication and encryption operations to take place;
a software storage, wherein, upon power-up of the said stand-alone computing device, and prior to executing at least some of the software stored thereon, causes the said processor and the said ASIC processor, individually or in combination to;
check the signed code stored on the said ASIC and the said stand-alone computing device and, responsive to a successful check;
generate a device ID from hardware characteristics of said stand-alone computing device and said ASIC;
capture a biometric sample from a device user using said biometric sensor;
perform authentication with a remote computer using PKI communications and a second private encryption key, wherein said second private encryption key is generated as a function of a previously entered password and said device ID;
said software further causing one of the said processor and the said ASIC processor to perform PKI encryption using at least said second private encryption key;
One of said memory and said ASIC memory storing a biometric template, which is encrypted and decrypted using said first private encryption key;
wherein said stand-alone computing device is further enabled, in response to a good match between said biometric sample and said decrypted biometric template, and accessed by PKI communications software, without said user re-entering a PIN or password for device access or for remote computer authentication.
18. A stand-alone computing device comprising:
a processor;
a memory;
a biometric sensor integrated into said stand-alone computing device;
Optionally, an application specific integrated circuit (ASIC) connected to or contained within said stand-alone computing device, incorporating an ASIC processor, an ASIC memory and ASIC software storage, capable of causing code-signing, biometric authentication and encryption operations to take place and;
software storage, wherein, upon power-up of the said stand-alone computing device, and prior to executing at least some of the software stored thereon, causes the processor and the said ASIC, individually or in combination to;
check the signed code stored on one of the said ASIC and the said stand-alone computing device and, responsive to a successful check;
generate a device ID from characteristics of hardware components of said device;
capture a biometric sample from a device user using said biometric sensor;
prompt the user to enter a PIN, which is subjected to a one-way hash function, wherein said hashed PIN is used (optionally in conjunction with said device ID) to generate said first private encryption key;
perform authentication with a remote computer using PKI communications with said second private encryption key;
one of said ASIC memory and said memory storing a biometric template, which is encrypted and decrypted using said first private encryption key;
wherein operation of said stand-alone computing device is further enabled, in response to a good match between said biometric sample and said decrypted biometric template, and accessed by PKI communications software, without said user re-entering a password for device access or for remote computer authentication.
Specification