Secure communication between a virtual smartcard enclave and a trusted I/O enclave

US 10,248,772 B2
Filed: 09/25/2015
Issued: 04/02/2019
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A hardware machine readable medium comprising instructions that when executed cause a machine to:

transmit, from a first trusted execution environment operatively connected to a biometric capture device, a request for a biometric match claim;

receive, in response to the request for the biometric match claim, biometric data from the biometric capture device;

perform, by the first trusted execution environment, a match of the biometric data against biometric templates stored in the first trusted execution environment;

verify, with a report including a signed piece of data transmitted by a second trusted execution environment via a credential manager application operating in a third execution environment, an authorization of the first trusted execution environment, wherein the second trusted execution environment is sealed; and

in response to the verification of the first trusted execution environment, unseal the second trusted execution environment based on the match of the biometric data performed by the first trusted execution environment, wherein the second trusted execution environment includes a virtual smartcard including cryptographic data specific to a user corresponding to the biometric data, and wherein the first trusted execution environment is independent from the second trusted execution environment.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for accessing a trusted execution environment includes instructions to transmit, from a first trusted execution environment, a request for a biometric match claim, receive, in response to the request for a biometric match claim, biometric data from a biometric capture device, perform a match of the biometric data against biometric templates stored in the first trusted execution environment, and unseal a second trusted execution environment based on the match data.

9 Citations

18 Claims

1. A hardware machine readable medium comprising instructions that when executed cause a machine to:
- transmit, from a first trusted execution environment operatively connected to a biometric capture device, a request for a biometric match claim;
  
  receive, in response to the request for the biometric match claim, biometric data from the biometric capture device;
  
  perform, by the first trusted execution environment, a match of the biometric data against biometric templates stored in the first trusted execution environment;
  
  verify, with a report including a signed piece of data transmitted by a second trusted execution environment via a credential manager application operating in a third execution environment, an authorization of the first trusted execution environment, wherein the second trusted execution environment is sealed; and
  
  in response to the verification of the first trusted execution environment, unseal the second trusted execution environment based on the match of the biometric data performed by the first trusted execution environment, wherein the second trusted execution environment includes a virtual smartcard including cryptographic data specific to a user corresponding to the biometric data, and wherein the first trusted execution environment is independent from the second trusted execution environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The hardware machine readable medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - identify a signature in the biometric data indicating that the biometric data was generated by a secure biometric capture device.
  - 3. The hardware machine readable medium of claim 2, wherein the first trusted execution environment and the second trusted execution environment are secure enclaves.
  - 4. The hardware machine readable medium of claim 1, wherein the biometric capture device includes a camera, and wherein the biometric data includes video frames of a face.
  - 5. The hardware machine readable medium of claim 4, wherein the first trusted execution environment includes face templates, andwherein the instructions, when executed, cause the machine to compare the biometric data received from the biometric capture device with the face templates.
  - 6. The hardware machine readable medium of claim 1, wherein an intermediary application executing in an untrusted execution environment provides communication between the first trusted execution environment and the second trusted execution environment.

7. A system for secure communications, comprising:
- one or more processors; and
  
  a memory, coupled to the one or more processors, on which instructions are stored which, when executed by the one or more processors, cause at least some of the one or more processors to;
  
  transmit, from a first trusted execution environment operatively connected to a biometric capture device, a request for a biometric match claim;
  
  receive, in response to the request for the biometric match claim, biometric data from the biometric capture device;
  
  perform, by the first trusted execution environment, a match of the biometric data against biometric templates stored in the first trusted execution environment;
  
  verify, with a report including a signed piece of data transmitted by a second trusted execution environment via a credential manager application operating in a third execution environment, an authorization of the first trusted execution environment, wherein the second trusted execution environment is sealed; and
  
  in response to the verification of the first trusted execution environment, unseal the second trusted execution environment based on the match of the biometric data performed by the first trusted execution environment, wherein the second trusted execution environment includes a virtual smartcard including cryptographic data specific to a user corresponding to the biometric data, and wherein the first trusted execution environment is independent from the second trusted execution environment.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the instructions that cause at least some of the one or more processors to perform the match of the biometric data against the biometric templates stored in the first trusted execution environment further include instructions that when executed further cause at least some of the one or more processors to:
    - identify a signature in the biometric data indicating that the biometric data was generated by a secure biometric capture device.
  - 9. The system of claim 8, wherein the first trusted execution environment and the second trusted execution environment are secure enclaves.
  - 10. The system of claim 7, wherein the biometric capture device includes a camera, and wherein the biometric data includes video frames of a face.
  - 11. The system of claim 10, wherein the first trusted execution environment includes face templates, andwherein the instructions that cause at least some of the one or more processors to perform the match of the biometric data against the biometric templates stored in the first trusted execution environment further include instructions that when executed cause at least some of the one or more processors to compare the biometric data received from the biometric capture device with the face templates.
  - 12. The system of claim 7, wherein an intermediary application executing in an untrusted execution environment provides communication between the first trusted execution environment and the second trusted execution environment.

13. A method for secure communications, comprising:
- transmitting, from a first trusted execution environment operatively connected to a biometric capture device, a request for a biometric match claim;
  
  receiving, in response to the request for the biometric match claim, biometric data from the biometric capture device;
  
  performing, by the first trusted execution environment, a match of the biometric data against biometric templates stored in the first trusted execution environment; and
  
  verifying, with a report including a signed piece of data transmitted by a second trusted execution environment via a credential manager application operating in a third execution environment, an authorization of the first trusted execution environment, wherein the second trusted execution environment is sealed; and
  
  in response to the verification of the first trusted execution environment, unsealing the second trusted execution environment based on the match of the biometric data performed by the first trusted execution environment, wherein the second trusted execution environment includes a virtual smartcard including cryptographic data specific to a user corresponding to the biometric data, and wherein the first trusted execution environment is independent from the second trusted execution environment.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the performing of the match of the biometric data against the biometric templates stored in the first trusted execution environment further includes:
    - identifying a signature in the biometric data indicating that the biometric data was generated by a secure biometric capture device.
  - 15. The method of claim 14, wherein the first trusted execution environment and the second trusted execution environment are secure enclaves.
  - 16. The method of claim 13, wherein the biometric capture device includes a camera, and wherein the biometric data includes video frames of a face.
  - 17. The method of claim 13, wherein the first trusted execution environment includes face templates, andwherein the performing of the match of the biometric data against the biometric templates stored in the first trusted execution environment further includes comparing the biometric data received from the biometric capture device with the face templates.
  - 18. The method of claim 13, wherein an intermediary application executing in an untrusted execution environment provides communication between the first trusted execution environment and the second trusted execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Proulx, Francois, Rene, Mathieu
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US14/866,545
Publication Number

US 20170091434A1
Time in Patent Office

1,285 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32 using biometric data, e.g. ...

G06F 21/57 Certifying or maintaining t...

Secure communication between a virtual smartcard enclave and a trusted I/O enclave

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication between a virtual smartcard enclave and a trusted I/O enclave

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links