Invariant biohash security system and method

US 9,483,762 B1
Filed: 05/13/2016
Issued: 11/01/2016
Est. Priority Date: 01/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method for generating and using a secure biometric-based cryptographic key without storing biometric information in order to authenticate data in a deposit sweep transfer system comprising:

(a) receiving, at a client device associated with a deposit sweep customer, from a deposit sweep computer system comprising one or more computers, first machine-readable instructions to render a destination institution management graphical user interface, the destination institution management graphical user interface comprising a different destination depository institution notification associated with a first allocation of funds indicating that at least a portion of customer funds associated with the deposit sweep customer are allocated to a different destination depository institution that does not currently hold funds for the deposit sweep customer for the deposit sweep program, the destination institution management graphical user interface further comprising a graphical accept option to approve the first allocation of funds and a graphical reject option to reject the first allocation of funds;

(b) rendering, by the client device using the first machine-readable instructions, the destination institution management graphical user interface on a display screen operatively connected to the client device;

(c) receiving, at the client device, a selection of the graphical accept option;

(d) generating, by the client device, a digitally signed approval of the first allocation of funds by;

(1) receiving, via a second graphical user interface on the client device, a user password associated with the customer;

(2) capturing, using a biometric reader embedded in the client device, into a secure enclave processor core, a first digital biometric image of a biometric reading of a user, wherein the secure enclave processor core is only accessible to input passwords, digital biometric image data, and electronic messages targeted for encryption, and to receive from the secure enclave processor core encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;

(3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;

(i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;

(ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;

(iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;

(iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;

(v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;

(vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;

(4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;

(i) generating, by the secure enclave processor core, using the user password a threshold intensity value;

(ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;

(5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;

(6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload indicating approval of the allocation to generate a digitally signed electronic message comprising the digitally signed approval to be securely transmitted to the deposit sweep computer system; and

(e) transmitting, from the client device to the deposit sweep computer system, the digitally signed approval of the allocation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and program products for providing secure authentication for electronic messages are disclosed. A method may comprise generating an asymmetric private key based at least in part upon an invariant biometric feature vector derived from an input biometric reading. The private key may be further based at least in part upon a user password. The resulting private key may not be stored but rather may be generated when required to authenticate an electronic message, at which time it may be used to provide a digital signature for the electronic message. The private key may be deleted after use. The private key may be regenerated by inputting both a new instance of the biometric reading as well as a new instance of the password.

417 Citations

20 Claims

1. A method for generating and using a secure biometric-based cryptographic key without storing biometric information in order to authenticate data in a deposit sweep transfer system comprising:
- (a) receiving, at a client device associated with a deposit sweep customer, from a deposit sweep computer system comprising one or more computers, first machine-readable instructions to render a destination institution management graphical user interface, the destination institution management graphical user interface comprising a different destination depository institution notification associated with a first allocation of funds indicating that at least a portion of customer funds associated with the deposit sweep customer are allocated to a different destination depository institution that does not currently hold funds for the deposit sweep customer for the deposit sweep program, the destination institution management graphical user interface further comprising a graphical accept option to approve the first allocation of funds and a graphical reject option to reject the first allocation of funds;
  
  (b) rendering, by the client device using the first machine-readable instructions, the destination institution management graphical user interface on a display screen operatively connected to the client device;
  
  (c) receiving, at the client device, a selection of the graphical accept option;
  
  (d) generating, by the client device, a digitally signed approval of the first allocation of funds by;
  
  (1) receiving, via a second graphical user interface on the client device, a user password associated with the customer;
  
  (2) capturing, using a biometric reader embedded in the client device, into a secure enclave processor core, a first digital biometric image of a biometric reading of a user, wherein the secure enclave processor core is only accessible to input passwords, digital biometric image data, and electronic messages targeted for encryption, and to receive from the secure enclave processor core encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;
  
  (3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;
  
  (i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;
  
  (ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;
  
  (iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;
  
  (iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;
  
  (v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;
  
  (vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;
  
  (4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;
  
  (i) generating, by the secure enclave processor core, using the user password a threshold intensity value;
  
  (ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;
  
  (5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;
  
  (6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload indicating approval of the allocation to generate a digitally signed electronic message comprising the digitally signed approval to be securely transmitted to the deposit sweep computer system; and
  
  (e) transmitting, from the client device to the deposit sweep computer system, the digitally signed approval of the allocation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The method of claim 1, wherein the display screen is embedded in the client device.
  - 3. The method of claim 1, wherein the digitally signed approval of the allocation can be verified by the deposit sweep computer system using a public key corresponding to the invariant asymmetric private key.
  - 4. The method of claim 1, wherein the client device comprises a dedicated application configured to interact with the deposit sweep computer system.
  - 5. The method of claim 4, wherein the dedicated application is activated, upon receipt of the first machine-readable instructions, to render the destination institution management graphical user interface.
  - 6. The method of claim 1, wherein the different destination depository institution notification comprises an indication of the amount of funds allocated to the different destination depository institution for the customer.
  - 7. The method of claim 1, wherein the destination institution management graphical user interface further comprises a transfer amount input element by which the customer may input a maximum amount of funds permitted to be allocated to the different destination depository institution.
  - 8. The method of claim 1, wherein the user password is received via an input device comprising any of a keyboard, keypad, pointer device, or touch screen.
  - 9. The method of claim 1, wherein the biometric reader is a fingerprint scanner.
  - 10. The method of claim 1, wherein generating a threshold intensity value using the user password comprises:
    - (a) obtaining, by the secure enclave processor core, a numeric value from the user password; and
      
      (b) normalizing, by the secure enclave processor core, the numeric value within a predefined intensity range of possible intensity values by scaling the numeric value based at least in part upon a relation between a range of possible numeric values and the predefined intensity range.
  - 20. The method of claim 1, wherein generating a threshold intensity value using the user password comprises:
    - (a) obtaining, by the secure enclave processor core, a numeric value from the user password; and
      
      normalizing, by the secure enclave processor core, the numeric value within a predefined intensity range of possible intensity values by scaling the numeric value based at least in part upon a relation between a range of possible numeric values and the predefined intensity range.

11. A method for generating and using a secure biometric-based cryptographic key without storing biometric information in order to authenticate data in a deposit sweep transfer system comprising:
- (a) receiving, at a client device associated with a deposit sweep customer, from a deposit sweep computer system comprising one or more computers, first machine-readable instructions to render a destination institution management graphical user interface, the destination institution management graphical user interface comprising a different destination depository institution notification associated with a first allocation of funds indicating that at least a portion of customer funds associated with the deposit sweep customer are allocated to a different destination depository institution that does not currently hold funds for the deposit sweep customer for the deposit sweep program, the destination institution management graphical user interface further comprising a graphical accept option to approve the first allocation of funds and a graphical reject option to reject the first allocation of funds;
  
  (b) rendering, by the client device using the first machine-readable instructions, the destination institution management graphical user interface on a display screen operatively connected to the client device;
  
  (c) receiving, at the client device, a selection of the graphical reject option;
  
  (d) generating, by the client device, a digitally signed rejection of the first allocation of funds by;
  
  (1) receiving, via a second graphical user interface on the client device, a user password associated with the customer;
  
  (2) capturing, using a biometric reader embedded in the client device, into a secure enclave processor core, a first digital biometric image of a biometric reading of a user, wherein the secure enclave processor core is only accessible to input passwords, digital biometric image data, and electronic messages targeted for encryption, and to receive from the secure enclave processor core encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;
  
  (3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;
  
  (i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;
  
  (ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;
  
  (iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;
  
  (iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;
  
  (v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;
  
  (vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;
  
  (4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;
  
  (i) generating, by the secure enclave processor core, using the user password a threshold intensity value;
  
  (ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;
  
  (5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;
  
  (6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload indicating rejection of the allocation to generate a digitally signed electronic message comprising the digitally signed rejection to be securely transmitted to the deposit sweep computer system; and
  
  (e) transmitting, from the client device to the deposit sweep computer system, the digitally signed rejection of the allocation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising:
    - (f) receiving, at the client device from the deposit sweep computer system, second machine-readable instructions to render an updated destination institution management graphical user interface comprising one or more alternate depository institution selection options;
      
      (g) rendering, by the client device using the second machine-readable instructions, the updated destination institution management graphical user interface on the display screen;
      
      (h) receiving, at the client device, a selection of at least one of the alternate depository institution selection options;
      
      (i) generating, by the client device, a digitally signed alternate depository institution selection by applying, by the secure enclave processor core, the invariant asymmetric private key to a second electronic message comprising a second message payload indicating the selection of the at least one of the alternate depository institution selection options to generate a second digitally signed electronic message comprising the digitally signed alternate depository institution selection to be securely transmitted to the deposit sweep computer system; and
      
      (j) transmitting, from the client device to the deposit sweep computer system, the digitally signed alternate depository institution selection.
  - 13. The method of claim 11, wherein the display screen is embedded in the client device.
  - 14. The method of claim 11, wherein the digitally signed rejection of the allocation can be verified by the deposit sweep computer system using a public key corresponding to the invariant asymmetric private key.
  - 15. The method of claim 11, wherein the client device comprises a dedicated application configured to interact with the deposit sweep computer system.
  - 16. The method of claim 15, wherein the dedicated application is activated, upon receipt of the first machine-readable instructions or the second machine-readable instructions, to render respectively the destination institution management graphical user interface or the updated destination institution management graphical user interface.
  - 17. The method of claim 11, wherein the different destination depository institution notification comprises an indication of the amount of funds allocated to the different destination depository institution for the customer.
  - 18. The method of claim 11, wherein the destination institution management graphical user interface further comprises a transfer amount input element by which the customer may input a maximum amount of funds permitted to be allocated to the different destination depository institution.
  - 19. The method of claim 11, wherein the biometric reader is a fingerprint scanner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Island Intellectual Property LLC (Double Rock Corporation)
Original Assignee
Island Intellectual Property LLC (Double Rock Corporation)
Inventors
Bent, Bruce R. II, Buarque de Macedo, Charles R.
Primary Examiner(s)
Obeid, Mamon

Application Number

US15/154,590
Time in Patent Office

172 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06Q 20/10   specially adapted for elect...

G06Q 20/108   Remote banking, e.g. home b...

G06Q 20/3827   Use of message hashing

G06Q 20/3829   involving key management

G06Q 20/40145   Biometric identity checks

G06Q 2220/00   Business processing using c...

G06Q 40/02   Banking, e.g. interest calc...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/126   the source of the received ...

H04L 9/0866   involving user or device id...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

H04W 12/068 : using credential vaults, e....

H04W 12/069 : using certificates or pre-s...

View All

Invariant biohash security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

417 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Invariant biohash security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

417 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others