In-circuit security system and methods for controlling access to and use of sensitive data

US 9,923,884 B2
Filed: 05/19/2015
Issued: 03/20/2018
Est. Priority Date: 05/30/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A hardware-based in-circuit security system for an electronic device, the hardware-based in-circuit security system comprising at least one hardware processor, comprising:

a secure processor configured to communicate with a second processor;

a cryptographic subsystem coupled to the secure processor, wherein the cryptographic subsystem is further configured to perform a cryptographic operation;

an identity credential verification subsystem (ICVS) coupled to the secure processor, the ICVS is further coupled to an interface that is coupled to a biometric sensor, the interface configured to receive identity credential information from the biometric sensor of the electronic device in response to a request from the secure processor to verify an identity credential using identity information received from the biometric sensor;

wherein the secure processor is configured to request that the ICVS verify an identity credential using the identity credential information received from the biometric sensor using at least one enrolled identity credential, in response to the secure processor receiving an interrupt in response to a request from the second processor requesting a security service,the ICVS is configured to signal the secure processor in response to the ICVS completing an identity credential verification process using the identity credential information received by the ICVS from the biometric sensor,the secure processor is configured to trigger an interrupt to the second processor that the identity credential has been verified, in response to a signal from the ICVS that the identity credential has been verified, andwherein the secure processor is configured to trigger an interrupt to the second processor that the identity credential verification failed, in response to the secure processor receiving a predetermined number of signals from the ICVS that the identity credential verification failed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention disclosed herein is an in-circuit security system for electronic devices. The in-circuit security system incorporates identity credential verification, secure data and instruction storage, and secure data transmission capabilities. It comprises a single semiconductor chip, and is secured using industry-established mechanisms for preventing information tampering or eavesdropping, such as the addition of oxygen reactive layers. This invention also incorporates means for establishing security settings, profiles, and responses for the in-circuit security system and enrolled individuals. The in-circuit security system can be used in a variety of electronic devices, including handheld computers, secure facility keys, vehicle operation/ignition systems, and digital rights management.

209 Citations

25 Claims

1. A hardware-based in-circuit security system for an electronic device, the hardware-based in-circuit security system comprising at least one hardware processor, comprising:
- a secure processor configured to communicate with a second processor;
  
  a cryptographic subsystem coupled to the secure processor, wherein the cryptographic subsystem is further configured to perform a cryptographic operation;
  
  an identity credential verification subsystem (ICVS) coupled to the secure processor, the ICVS is further coupled to an interface that is coupled to a biometric sensor, the interface configured to receive identity credential information from the biometric sensor of the electronic device in response to a request from the secure processor to verify an identity credential using identity information received from the biometric sensor;
  
  wherein the secure processor is configured to request that the ICVS verify an identity credential using the identity credential information received from the biometric sensor using at least one enrolled identity credential, in response to the secure processor receiving an interrupt in response to a request from the second processor requesting a security service,the ICVS is configured to signal the secure processor in response to the ICVS completing an identity credential verification process using the identity credential information received by the ICVS from the biometric sensor,the secure processor is configured to trigger an interrupt to the second processor that the identity credential has been verified, in response to a signal from the ICVS that the identity credential has been verified, andwherein the secure processor is configured to trigger an interrupt to the second processor that the identity credential verification failed, in response to the secure processor receiving a predetermined number of signals from the ICVS that the identity credential verification failed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The in-circuit security system of claim 1, wherein the received identity credential information comprises biometric data including data representative of one of:
    - a fingerprint, a facial pattern, a human retinal pattern, a heartbeat pattern, a human DNA pattern, or an iris pattern.
  - 3. The in-circuit security system of claim 1, wherein receipt by the secure processor of the interrupt from the second processor requesting the security service comprises one of:
    - the secure processor receiving an interrupt from the second processor that is processed by the secure processor to fulfill the security service request, orthe secure processor receiving a message from the second processor and the receipt of the message generates an interrupt to the secure processor that is processed by the secure processor to fulfill the security service request.
  - 4. The in-circuit security system of claim 1, wherein the secure processor communicates with the second processor via an interface that comprises shared memory and an interrupt signal that triggers the secure processor to perform an identity credential verification.
  - 5. The in-circuit security system of claim 1, wherein the cryptographic subsystem is coupled to a random number generator, the cryptographic subsystem is configured to receive a random number from the random number generator as a seed for a cryptographic algorithm, and wherein a cryptographic operation comprises one of generating an encrypted message for transmission from the secure processor to the second processor, decryption, digital signing, or digital signature verification.
  - 6. The in-circuit security system of claim 1, wherein the secure processor signals the identity credential verification subsystem to wait to receive identity credential information from a sensor of the electronic device.
  - 7. The in-circuit security system of claim 1, wherein the secure processor comprises the cryptographic subsystem and the secure processor comprises the identity credential verification subsystem.

8. A non-transitory computer-readable medium programmed with executable instructions that, when executed by a processing system, perform operations comprising:
- receiving, by an identity credential verification subsystem (ICVS) of an in-circuit security system, identity credential information comprising biometric data in response to a request from a secure processor to verify an identity credential using the identity credential information received from a biometric sensor;
  
  receiving, by a secure processor communicatively coupled to a second processor, an interrupt triggered by the request from the second processor requesting that an identity verification be performed on the identity credential information received by the ICVS;
  
  requesting, by the secure processor, that the ICVS verify the identity credential using identity the credential information received from the biometric sensor and using at least one enrolled identity credential, in response to the secure processor receiving the signal from the second processor requesting a security service,sending, by the ICVS, to the secure processor, a signal indicating success or failure of the verification of the identify credential information;
  
  triggering an interrupt to the second processor, by the secure processor, that the identity credential has been verified, in response to the signal from the ICVS that the identity credential has been verified, andtriggering an interrupt to the second processor, by the secure processor, that the identity credential verification failed, in response to the secure processor receiving a predetermined number of signals from the ICVS that the identity credential verification failed.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The medium of claim 8, wherein the received identity credential information comprises biometric data including data representative of one of:
    - a fingerprint, a facial pattern, a retinal pattern, a heartbeat pattern, a human DNA pattern, or an iris pattern.
  - 10. The medium of claim 8, wherein receiving by the secure processor of the interrupt triggered by the request from the second processor that requests the security service comprises one of:
    - the secure processor receiving an interrupt from the second processor that is processed by the secure processor to fulfill the security request, orthe secure processor receiving a message from the second processor and the receipt of the message generates an interrupt to the secure processor that is processed by the secure processor to fulfill the security service request.
  - 11. The medium of claim 8, wherein receiving an interrupt comprises:
    - receiving, by the secure processor via an interface having an interrupt controller and shared memory with the second processor, an interrupt signal that triggers the secure processor to perform an identity credential verification.
  - 12. The medium of claim 8, wherein the cryptographic subsystem is further coupled to a random number generator and the cryptographic subsystem is configured to receive a random number from the random number generator as a seed for a cryptographic algorithm used in performing a cryptographic operation, wherein a cryptographic operation comprises one of generating an encrypted message for transmission from the secure processor to the second processor, decryption, digital signing, or digital signature verification.
  - 13. The medium of claim 8, further comprising:
    - retrieving an enrolled credential from a secure memory coupled to the secure processor.

14. A computer-implemented method comprising:
- receiving, by an identity credential verification subsystem (ICYS) of an in-circuit security system, identity credential information comprising biometric data in response to a request from a secure processor to verify an identity credential using the identity credential information received from a biometric sensor;
  
  receiving, by a secure processor communicatively coupled to a second processor, an interrupt triggered by the request from the second processor that an identity verification be performed on the identity credential information received by the ICYS;
  
  requesting, by the secure processor, that the ICYS verify the identity credential using the identity credential information received from the biometric sensor and using at least one enrolled identity credential, in response to the secure processor receiving the interrupt triggered in response to a request from the second processor requesting a security service,sending, by the ICYS, to the secure processor, a signal indicating success or failure of the verification of the identify credential information,triggering an interrupt to the second processor, by the secure processor, that the identity credential has been verified, in response to the signal from the ICYS that the identity credential has been verified, andtriggering an interrupt the second processor, by the secure processor, that the identity credential verification failed, in response to the secure processor receiving a predetermined number of signals from the ICYS that the identity credential verification failed.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein the received identity credential information comprises biometric data including data representative of one of:
    - a fingerprint pattern, a facial pattern, a retinal pattern, a heartbeat pattern, a human DNA pattern, or an iris pattern.
  - 16. The method of claim 14, wherein receiving by the secure processor of the interrupt triggered from the second processor that requests the security service comprises one of:
    - the secure processor receiving an interrupt from the second processor that is processed by the secure processor to fulfill the security request, orthe secure processor receiving a message from the second processor and the receipt of the message generates an interrupt to the secure processor that is processed by the secure processor to fulfill the security service request.
  - 17. The method of claim 14, wherein receiving an interrupt triggered by the request from the second processor comprises:
    - receiving, by the secure processor via an interface having an interrupt controller and shared memory with the second processor, an interrupt signal that triggers the secure processor to perform an identity credential verification.
  - 18. The method of claim 14, wherein the cryptographic subsystem is further coupled to a random number generator and the cryptographic subsystem is configured to receive a random number from the random number generator as a seed for a cryptographic algorithm used in performing a cryptographic operation, wherein a cryptographic operation comprises one of generating an encrypted message for transmission from the secure processor to the second processor, decryption, digital signing, or digital signature verification.
  - 19. The method of claim 14, whereinthe secure processor signals the identity credential subsystem to wait to receive identity credential information from the sensor of the electronic device.
  - 20. The method of claim 14 further comprising performing a cryptographic operation, by a cryptographic subsystem coupled to the secure processor, using at least one of the received identity credential information or an enrolled identity credential.
  - 21. The method of claim 14, further comprising:
    - determining that the ICVS has repeatedly received an exact same bit pattern representation of biometric data; and
      
      signaling the secure processor in response to the determining.
  - 22. The method of claim 14, further comprising:
    - signaling the ICVS, by the secure processor, to wait for a identity credential information from the biometric sensor.
  - 23. The method of claim 14, further comprising:
    - in response to determining that the ICVS has signaled that the identity credential verification has failed a predetermined number of times, putting the ICVS into at least one of the following states;
      
      the ICVS does not accept new identity credential information received from the biometric sensor;
      
      the ICVS does not create new images from identity credential information received from the biometric sensor;
      
      orthe ICVS does not perform matching of identity credential information to one or more stored templates.
  - 24. The method of claim 14, further comprising:
    - in response to determining that the ICVS has signaled that the identity credential verification has failed a predetermined number of times, instructing the ICVS to delete one or more enrolled identity credentials.
  - 25. The method of claim 14, wherein the ICVS stores a template corresponding to biometric data in a secure memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Johnson, Barry W., Riemenschneider, Kristen R. O., Russell, David C., Tillack, Jonathan A.
Primary Examiner(s)
Pearson, David

Application Number

US14/716,766
Publication Number

US 20150347727A1
Time in Patent Office

1,036 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/51   Indexing; Data structures t...

G06F 18/22   Matching criteria, e.g. pro...

G06F 21/1076   Revocation

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/6209   to a single file or object,...

G06F 21/72   in cryptographic circuits

G06F 21/85   interconnection devices, e....

G06V 40/13   Sensors therefor

G06V 40/1365   Matching; Classification

H04L 63/06   for supporting key manageme...

H04L 63/0861   using biometrical features,...

H04L 63/102   Entity profiles

H04L 9/3231   Biological data, e.g. finge...

H04N 21/25875   involving end-user authenti...

H04N 21/4415   using biometric characteris...

In-circuit security system and methods for controlling access to and use of sensitive data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

In-circuit security system and methods for controlling access to and use of sensitive data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links