Method and system for securing user access, data at rest and sensitive transactions using biometrics for mobile devices with protected, local templates

US 9,940,453 B2
Filed: 04/14/2017
Issued: 04/10/2018
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A stand-alone computing device, which may also be a mobile device comprising:

at least one processor;

at least one storage area;

at least one biometric sensor and;

ASIC logic, and software contained within the said storage areas, wherein, upon enablement of the said stand-alone computing device, and prior to executing at least some of the said software and ASIC logic, the said software and ASIC logic cause the said processors, either individually or in combination to;

biometrically enroll the identity of the user by capturing a plurality of biometric samples, including multi-modal samples, from one or more of the said biometric sensors and calculating one or more biometric templates;

encrypt the said biometric templates using a first private encryption key, whose derivation must include a device ID calculated from hardware characteristics of the said stand-alone computing device;

store the encrypted biometric templates in one of the said storage areas, and;

upon subsequent device enablement, commence normal processing, responsive to a successful match of one or more subsequent biometric samples to one or more of the said biometric templates.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Biometric data are obtained from biometric sensors on a stand-alone computing device, which may contain an ASIC, connected to or incorporated within it. The computing device and ASIC, in combination or individually, capture biometric samples, extract biometric features and match them to one or more locally stored, encrypted templates. The biometric matching may be enhanced by the use of an entered PIN. The biometric templates and other sensitive data at rest are encrypted using hardware elements of the computing device and ASIC, and/or a PIN hash. A stored obfuscated PassWord is de-obfuscated and may be released to the authentication mechanism in response to successfully decrypted templates and matching biometric samples. A different de-obfuscated password may be released to authenticate the user to a remote or local computer and to encrypt data in transit. This eliminates the need for the user to remember and enter complex passwords on the device.

34 Citations

20 Claims

1. A stand-alone computing device, which may also be a mobile device comprising:
- at least one processor;
  
  at least one storage area;
  
  at least one biometric sensor and;
  
  ASIC logic, and software contained within the said storage areas, wherein, upon enablement of the said stand-alone computing device, and prior to executing at least some of the said software and ASIC logic, the said software and ASIC logic cause the said processors, either individually or in combination to;
  
  biometrically enroll the identity of the user by capturing a plurality of biometric samples, including multi-modal samples, from one or more of the said biometric sensors and calculating one or more biometric templates;
  
  encrypt the said biometric templates using a first private encryption key, whose derivation must include a device ID calculated from hardware characteristics of the said stand-alone computing device;
  
  store the encrypted biometric templates in one of the said storage areas, and;
  
  upon subsequent device enablement, commence normal processing, responsive to a successful match of one or more subsequent biometric samples to one or more of the said biometric templates.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The device of claim 1 where, further, a device password, selected according to a set of rules defined by one or both of said user and an enterprise, has been entered into the said device, obfuscated using, at least, said first private encryption key, and stored in one of the said storage areas.
  - 3. The device of claim 2 where, in the event of a biometric match of subsequent biometric samples to the said biometric templates, the device will de-obfuscate the said stored obfuscated device password and release it to one of the device authentication processes, which could be implemented as a result of the said software, stored within one, or a combination of, the said storage areas, or within a Trusted Platform Module, or within the said ASIC, which could also be a Trusted Platform Module.
  - 4. The device of claim 2 wherein said device is connected, through a network, to a remote computer and said device and said remote computer achieve mutual remote computer/device authentication by:
    - a) said remote computer being configured to request an active device user to authenticate to said device using subsequent biometric samples;
      
      b) responsive to a good match between the said subsequent biometric samples and one or more decrypted biometric templates, stored in encrypted form in one of the said storage areas, said device being configured to de-obfuscate a previously-entered, stored, obfuscated, remote computer password, previously provided for authentication to said remote computer, and generate a one-way hashed value of a said remote computer password;
      
      c) said device being configured to communicate encrypted data, including a user credential over said network, using a symmetrical encryption key, which is a function of at least the said one-way hashed value of the said remote computer password;
      
      d) said device being configured to further communicate at least a device ID, calculated from hardware characteristics of said device and encrypted with said symmetrical encryption key, to said remote computer;
      
      e) said remote computer being configured to calculate said symmetrical encryption key, decrypt at least the said device ID, and authenticate said device as a legitimate device on said network;
      
      f) said remote computer being configured to acknowledge the legitimacy of said network communication by encrypting the said hashed remote computer password using said symmetrical encryption key and communicating said encrypted hashed remote computer password to said device;
      
      g) said device being configured to decrypt said encrypted hashed remote computer password, test the said decrypted hashed password for authenticity and, in response to said test, acknowledge remote computer legitimacy to said remote computer and grant it access to said device;
      
      h) said remote computer being configured to check said device for compliance with network security policy, if necessary, amend said device for acceptability and enable said device for further operation, and;
      
      i) said remote computer being configured to gain access to said device and modify said device according to enterprise security policy, including deleting all data stored on the said device when said device does not respond to said remote computer request.
  - 5. The device of claim 2 wherein said device is connected, through a network to a remote computer, said device and said remote computer achieving mutual remote computer/device authentication by:
    - a) said remote computer being configured to request an active device user to authenticate to said device using subsequent biometric samples;
      
      b) responsive to a successful match of subsequent biometric samples to one or more decrypted biometric templates, stored in encrypted form in the said storage areas, said device being configured to de-obfuscate a previously-entered, stored, obfuscated remote computer password, provided for authentication to said remote computer, which is used to generate a private encryption key to implement a PKI encryption-based authentication protocol and encrypted communications between said device and the said remote computer;
      
      c) said remote computer being configured to check said device for compliance with network security policy, if necessary, amend said device for acceptability and, if appropriate, enable said device for further operation, and;
      
      d) said remote computer being configured to gain access to said device and modify said device according to enterprise security policy, including deleting all data from the said device, when it does not respond to said remote computer request.
  - 6. The device of claim 1, where, upon subsequent device enablement, in the event the subsequent biometric samples do not match the said biometric templates, the said stand-alone computing device will perform failure actions according to a policy agreed by one or both of the said user and an enterprise.
  - 7. The device of claim 1 where the said normal processing results in the said device encrypting appropriate data at rest stored on the said device, as defined by one or both of the said user and an enterprise, and using the said first private encryption key.
  - 8. The device of claim 1 where the said normal processing includes the said device decrypting encrypted data, stored in one of the said storage areas, as required by one of said user and an enterprise, and using the said first private encryption key.
  - 9. The device of claim 1, where the said normal processing includes the said device executing other software applications, as determined by one of the said user and an enterprise.
  - 10. The device of claim 1 where the said biometric templates contain estimates of mean feature values, and deviations from the said mean feature values, said estimates adapting after a successful match of subsequent biometric samples to said biometric templates, and said adapted estimates being used for future matching.
  - 11. The device of claim 1 where one of the said biometric samples is created by the interaction of a stylus and stylus positioning methodologies implemented within the stylus and the device.
  - 12. The device of claim 1 where the biometric sensors are one or more of a fingerprint sensor, a camera and a microphone.
  - 13. The device of claim 1 where, the said normal processing involves the said device releasing an encrypted electronic signature, with a look of ink on paper, to a relying party in a transaction requiring it.
  - 14. The device of claim 1, where the said normal processing involves said device releasing an encrypted credential of said user to a relying party for a transaction requiring it.
  - 15. The device of claim 14, where the said encrypted credential is released to a relying party involved in a payment card transaction.
  - 16. The device of claim 1, where the stand alone computing device is an IC chip connected to an integrated IC card, which may also be a payment card and wherein a user credential is released in the following manner:
    - a) At least one of the biometric templates and the said user credential are stored in encrypted form on said IC chip;
      
      b) biometric template encryption, template decryption and the matching of submitted biometric samples to the said biometric templates are undertaken by the said IC chip; and
      
      c) in response to a good biometric match between the said submitted biometric samples and one or more of the said biometric templates, the said user credential is released in encrypted form to a remote computer.

17. A stand-alone computing device, which may also be a mobile device comprising:
- at least one processor;
  
  at least one storage area;
  
  at least one biometric sensor, and;
  
  ASIC logic, and software contained within the said storage areas, which, when executed, causes the said stand-alone computing device processors, either in combination or individually to;
  
  capture biometric samples from the device user, using one or more of the said biometric sensors, and;
  
  responsive to a good match between the said biometric samples and one or more decrypted biometric templates stored in encrypted form in the said storage areas, the said ASIC logic and the said software further cause the said stand-alone computing device to communicate with a local or remote computer, using PKI communications without said user re-entering a password.
- View Dependent Claims (18)
- - 18. The device of claim 17 where said remote computer operates in a cloud network system.

19. A stand-alone computing device, which may also be a mobile device comprising:
- at least one processor;
  
  at least one storage area;
  
  at least one biometric sensor, integrated into the stand-alone computing device, and;
  
  ASIC logic, and software, contained within the said storage areas, which, when executed, causes the said stand-alone computing device processors, either in combination or individually to;
  
  capture a PIN from the device user and generate a hash of said PIN;
  
  capture one or more biometric samples from a device user using one or more of said biometric sensors and;
  
  responsive to a successful PIN entry and a good match between the said biometric samples and one or more decrypted biometric templates, stored in encrypted form in the said storage areas, the said ASIC logic and the said software further cause the said stand-alone computing device to communicate with a remote computer, using PKI communications without said user re-entering a password.
- View Dependent Claims (20)
- - 20. The device of claim 19, where said remote computer operates in a cloud network system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocrypt Access, LLC
Original Assignee
Biocrypt Access, LLC
Inventors
Beatson, Rodney, Kelty, Mark A., Beatson, Christopher J.
Primary Examiner(s)
Johns, Andrew W

Application Number

US15/731,069
Publication Number

US 20170220794A1
Time in Patent Office

361 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/45   Structures or tools for the...

G06F 21/72   in cryptographic circuits

G06F 2221/2129   Authenticate client device ...

G06V 30/1478   of characters or characters...

G06V 40/382   Preprocessing; Feature extr...

G06V 40/50   Maintenance of biometric da...

G06V 40/53   Measures to keep reference ...

H04L 2209/12   Details relating to cryptog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/80   Wireless network architectu...

H04L 9/0861   Generation of secret inform...

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3242   involving keyed hash functi...

Method and system for securing user access, data at rest and sensitive transactions using biometrics for mobile devices with protected, local templates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securing user access, data at rest and sensitive transactions using biometrics for mobile devices with protected, local templates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links