Invariant biohash security system and method

US 9,569,773 B1
Filed: 05/04/2016
Issued: 02/14/2017
Est. Priority Date: 01/23/2015
Status: Active Grant

First Claim

Patent Images

1. A mobile device for generating a secure biometric-based cryptographic key without storing biometric information in order to authenticate data comprising:

(a) one or more processors, including a secure enclave processor core configured to be only accessible to;

(1) input, to the secure enclave processor core, passwords, digital biometric image data, and electronic messages targeted for encryption, and(2) provide, from the secure enclave processor core, encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;

(b) a biometric reader;

(c) a display screen; and

(d) non-transitory computer-readable memory having stored thereon instructions to perform the steps of;

(1) receiving, via a first graphical user interface rendered on the display screen of the mobile device, a user password;

(2) capturing, using the biometric reader, into the secure enclave processor core, a first digital biometric image of a biometric reading of a user;

(3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;

(i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;

(ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;

(iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;

(iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;

(v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;

(vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;

(4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;

(i) generating, by the secure enclave processor core, using the user password a threshold intensity value;

(ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;

(5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;

(6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload to generate a digitally signed electronic message to be securely transmitted to a second device;

(7) securely transmitting, from the mobile device to the second device, the digitally signed electronic message, wherein the digital signature can be verified by the second device using a corresponding public key provided to the second device, wherein the corresponding public key corresponds to the invariant asymmetric private key; and

(8) permanently deleting, from the secure enclave processor core, the user password, the first digital biometric image, the second digital biometric image, the third digital biometric image, the fourth digital biometric image, the fifth digital biometric image, the first set of feature data, the invariant biometric feature vector, the invariant asymmetric private key, and the 128-bit invariant code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and program products for providing secure authentication for electronic messages are disclosed. A method may comprise generating an asymmetric private key based at least in part upon an invariant biometric feature vector derived from an input biometric reading. The private key may be further based at least in part upon a user password. The resulting private key may not be stored but rather may be generated when required to authenticate an electronic message, at which time it may be used to provide a digital signature for the electronic message. The private key may be deleted after use. The private key may be regenerated by inputting both a new instance of the biometric reading as well as a new instance of the password.

Citations

26 Claims

1. A mobile device for generating a secure biometric-based cryptographic key without storing biometric information in order to authenticate data comprising:
- (a) one or more processors, including a secure enclave processor core configured to be only accessible to;
  
  (1) input, to the secure enclave processor core, passwords, digital biometric image data, and electronic messages targeted for encryption, and(2) provide, from the secure enclave processor core, encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;
  
  (b) a biometric reader;
  
  (c) a display screen; and
  
  (d) non-transitory computer-readable memory having stored thereon instructions to perform the steps of;
  
  (1) receiving, via a first graphical user interface rendered on the display screen of the mobile device, a user password;
  
  (2) capturing, using the biometric reader, into the secure enclave processor core, a first digital biometric image of a biometric reading of a user;
  
  (3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;
  
  (i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;
  
  (ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;
  
  (iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;
  
  (iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;
  
  (v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;
  
  (vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;
  
  (4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;
  
  (i) generating, by the secure enclave processor core, using the user password a threshold intensity value;
  
  (ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;
  
  (5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;
  
  (6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload to generate a digitally signed electronic message to be securely transmitted to a second device;
  
  (7) securely transmitting, from the mobile device to the second device, the digitally signed electronic message, wherein the digital signature can be verified by the second device using a corresponding public key provided to the second device, wherein the corresponding public key corresponds to the invariant asymmetric private key; and
  
  (8) permanently deleting, from the secure enclave processor core, the user password, the first digital biometric image, the second digital biometric image, the third digital biometric image, the fourth digital biometric image, the fifth digital biometric image, the first set of feature data, the invariant biometric feature vector, the invariant asymmetric private key, and the 128-bit invariant code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The mobile device of claim 1, wherein the user password is an alphanumeric password that is encoded to convert it to a numeric sequence.
  - 3. The mobile device of claim 1, wherein the user password is a personal identification number.
  - 4. The mobile device of claim 1, wherein the biometric reader is a fingerprint scanner.
  - 5. The mobile device of claim 4, wherein the fingerprint scanner is a capacitive fingerprint scanner.
  - 6. The mobile device of claim 1, further configured, prior to converting the first digital biometric image into an invariant biometric feature vector, to perform the step of:
    - converting, by the secure enclave processor core, the first digital biometric image into a sixth digital biometric image by applying a distortion to the first digital biometric image, the distortion based at least in part upon the user password and the sixth digital biometric image to be converted into an invariant biometric feature vector in place of the first digital biometric image.
  - 7. The mobile device of claim 6, wherein applying the distortion to the first digital biometric image comprises selecting from a predefined set of distortion algorithms based at least in part upon a numeric value derived from the user password.
  - 8. The mobile device of claim 6, wherein applying the distortion to the first digital biometric image comprises selecting a pixel location associated with a center of distortion based at least in part upon a numeric value derived from the user password.
  - 9. The mobile device of claim 1, wherein generating a threshold intensity value using the user password comprises:
    - (a) obtaining, by the secure enclave processor core, a numeric value from the user password; and
      
      (b) normalizing, by the secure enclave processor core, the numeric value within a predefined intensity range of possible intensity values by scaling the numeric value based at least in part upon a relation between a range of possible numeric values and the predefined intensity range.
  - 10. The mobile device of claim 1, wherein applying the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code comprises:
    - (a) generating, using the threshold intensity value, a sequence of real numbers comprising a set of pseudo-random vectors;
      
      (b) applying a Gram-Schmidt ortho-normalization to the set of pseudo-random vectors to transform them into an orthonormal set of vectors;
      
      (c) computing an inner product between the invariant biometric feature vector and the orthonormal set of vectors;
      
      (d) assigning a value of zero to each inner product value less than the threshold intensity value and assigning a value of one to each inner product value greater than the threshold intensity value;
      
      (e) mapping each value to a bit location based at least in part upon the location within the biometric feature vector; and
      
      (f) aggregating the values in their respective locations to produce a bit string.
  - 11. The mobile device of claim 10, wherein applying the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code further comprises, prior to computing the inner product, normalizing the invariant biometric feature vector between the values negative one and positive one.
  - 12. The mobile device of claim 1, wherein the step of applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprises:
    - (i) receiving, at the secure enclave processor core from a normal processor core, the electronic message;
      
      (ii) evaluating, by the secure enclave processor core, the electronic message to verify the message data format;
      
      (iii) generating, by the secure enclave processor core, a message digest by computing a hash of the message payload; and
      
      (iv) encrypting, by the secure enclave processor core, the message digest using the private key.

13. A mobile device for authenticating data associated with an electronic deposit sweep transfer which generates a secure biometric-based cryptographic key without storing biometric information, comprising:
- (a) one or more processors, including a secure enclave processor core configured to be only accessible to;
  
  (1) input, to the secure enclave processor core, passwords, digital biometric image data, and electronic messages targeted for encryption, and(2) provide, from the secure enclave processor core, encrypted electronic messages and public keys configured to verify the authenticity of encrypted electronic messages;
  
  (b) a biometric reader;
  
  (c) a display screen; and
  
  (d) non-transitory computer-readable memory having stored thereon instructions to perform the steps of;
  
  (1) receiving, via a first graphical user interface rendered on the display screen of the mobile device, a user password;
  
  (2) capturing, using the biometric reader, into the secure enclave processor core, a first digital biometric image of a biometric reading of a user;
  
  (3) converting, by the secure enclave processor core, the first digital biometric image into an invariant biometric feature vector using an integrated wavelet and Fourier-Mellin transformation process comprising the following steps within the secure enclave processor core;
  
  (i) applying, by the secure enclave processor core, a wavelet transformation to the first digital biometric image to generate a second digital biometric image;
  
  (ii) applying, by the secure enclave processor core, a fast Fourier transform to the second digital biometric image, to generate a third digital biometric image;
  
  (iii) applying, by the secure enclave processor core, a log-polar transformation to the third digital biometric image to generate a fourth digital biometric image;
  
  (iv) applying, by the secure enclave processor core, a high pass filter to the fourth digital biometric image to generate a fifth digital biometric image;
  
  (v) applying, by the secure enclave processor core, a fast Fourier transform to the fifth digital biometric image to generate a first set of feature data;
  
  (vi) applying, by the secure enclave processor core, row concatenation to the first set of feature data to generate the invariant biometric feature vector;
  
  (4) converting, by the secure enclave processor core, the invariant feature vector using the user password into a 128-bit invariant code comprising the following steps within the secure enclave processor core;
  
  (i) generating, by the secure enclave processor core, using the user password a threshold intensity value;
  
  (ii) applying, by the secure enclave processor core, the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code;
  
  (5) generating, by the secure enclave processor core, an invariant asymmetric private key using the 128-bit invariant code and the user password;
  
  (6) applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprising a message payload associated with a deposit sweep transaction to generate a digitally signed electronic message to be securely transmitted to a second device associated with the deposit sweep transaction;
  
  (7) securely transmitting, from the mobile device to the second device, the digitally signed electronic message causing the deposit sweep transaction to be initiated upon successful verification of the digital signature using a corresponding public key provided to the second device, wherein the corresponding public key corresponds to the invariant asymmetric private key; and
  
  (8) permanently deleting, from the secure enclave processor core, the user password, the first digital biometric image, the second digital biometric image, the third digital biometric image, the fourth digital biometric image, the fifth digital biometric image, the first set of feature data, the invariant biometric feature vector, the invariant asymmetric private key, and the 128-bit invariant code.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 14. The mobile device of claim 13, wherein the message payload comprises an approval of an allocation of at least a portion of customer funds of a first customer associated with the mobile device to a different destination depository institution, the different destination depository institution not currently holding customer funds for a deposit sweep program for the first customer.
  - 15. The mobile device of claim 13, wherein the approval of the allocation was input via a graphical accept option of a destination institution management graphical user interface rendered on the display screen according to machine-readable instructions provided by a deposit sweep computer system.
  - 16. The mobile device of claim 13, wherein the user password is an alphanumeric password that is encoded to convert it to a numeric sequence.
  - 17. The mobile device of claim 13, wherein the user password is a personal identification number.
  - 18. The mobile device of claim 13, wherein the biometric reader is a fingerprint scanner.
  - 19. The mobile device of claim 18, wherein the fingerprint scanner is a capacitive fingerprint scanner.
  - 20. The mobile device of claim 13, further configured, prior to converting the first digital biometric image into an invariant biometric feature vector, to perform the step of:
    - converting, by the secure enclave processor core, the first digital biometric image into a sixth digital biometric image by applying a distortion to the first digital biometric image, the distortion based at least in part upon the user password and the sixth digital biometric image to be converted into an invariant biometric feature vector in place of the first digital biometric image.
  - 21. The mobile device of claim 20, wherein applying the distortion to the first digital biometric image comprises selecting from a predefined set of distortion algorithms based at least in part upon a numeric value derived from the user password.
  - 22. The mobile device of claim 20, wherein applying the distortion to the first digital biometric image comprises selecting a pixel location associated with a center of distortion based at least in part upon a numeric value derived from the user password.
  - 23. The mobile device of claim 13, wherein generating a threshold intensity value using the user password comprises:
    - (a) obtaining, by the secure enclave processor core, a numeric value from the user password; and
      
      (b) normalizing, by the secure enclave processor core, the numeric value within a predefined intensity range of possible intensity values by scaling the numeric value based at least in part upon a relation between a range of possible numeric values and the predefined intensity range.
  - 24. The mobile device of claim 13, wherein applying the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code comprises:
    - (a) generating, using the threshold intensity value, a sequence of real numbers comprising a set of pseudo-random vectors;
      
      (b) applying a Gram-Schmidt ortho-normalization to the set of pseudo-random vectors to transform them into an orthonormal set of vectors;
      
      (c) computing an inner product between the invariant biometric feature vector and the orthonormal set of vectors;
      
      (d) assigning a value of zero to each inner product value less than the threshold intensity value and assigning a value of one to each inner product value greater than the threshold intensity value;
      
      (e) mapping each value to a bit location based at least in part upon the location within the biometric feature vector; and
      
      (f) aggregating the values in their respective locations to produce a bit string.
  - 25. The mobile device of claim 24, wherein applying the threshold intensity value to the invariant feature vector to generate the 128-bit invariant code further comprises, prior to computing the inner product, normalizing the invariant biometric feature vector between the values negative one and positive one.
  - 26. The mobile device of claim 13, wherein the step of applying, by the secure enclave processor core, the invariant asymmetric private key to an electronic message comprises:
    - (i) receiving, at the secure enclave processor core from a normal processor core, the electronic message;
      
      (ii) evaluating, by the secure enclave processor core, the electronic message to verify the message data format;
      
      (iii) generating, by the secure enclave processor core, a message digest by computing a hash of the message payload; and
      
      (iv) encrypting, by the secure enclave processor core, the message digest using the private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Island Intellectual Property LLC (Double Rock Corporation)
Original Assignee
Island Intellectual Property LLC (Double Rock Corporation)
Inventors
Bent, Bruce R. II, Buarque de Macedo, Charles R.
Primary Examiner(s)
Huang, Tsan-Yu J

Application Number

US15/146,645
Time in Patent Office

286 Days
Field of Search

713/186
US Class Current

1/1
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06Q 20/10   specially adapted for elect...

G06Q 20/108   Remote banking, e.g. home b...

G06Q 20/3827   Use of message hashing

G06Q 20/3829   involving key management

G06Q 20/40145   Biometric identity checks

G06Q 2220/00   Business processing using c...

G06Q 40/02   Banking, e.g. interest calc...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/126   the source of the received ...

H04L 9/0866   involving user or device id...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

H04W 12/068 : using credential vaults, e....

H04W 12/069 : using certificates or pre-s...

View All

Invariant biohash security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Invariant biohash security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links