Biometric authentication system with encrypted models
Abstract
A method of performing biometric authentication of a person's identity, including encrypting a biometric template prior to storing it in a biometric database. The encryption algorithm encrypts the biometric template using a pass-phrase, known only to the individual, to generate the cryptographic key used to store and retrieve the biometric template. When an individual wishes to access a secured resource, he must be authenticated by providing an identifier, which is used to retrieve the appropriate record. He must also provide the correct password to allow the system to decrypt the model.
22 Claims
1. A method for the secure handling of data, comprising the steps of:
(a) acquiring a biometric database of personal identifiers and data comprising;
(i) acquiring an enrollment biometric sample;
(ii) acquiring an enrollment record identifier;
(iii) acquiring encryption key generation data;
(iv) creating a biometric model from said enrollment biometric sample;
(v) creating a first encryption key from said encryption key generation data;
(vi) performing an encryption operation on said biometric model to yield an encrypted biometric model;
(vii) storing a biometric record in said database wherein said record is comprised of said encrypted biometric model and said record identifier,
(b) verifying the identity of a user desiring access to a secured resource, comprising the steps of;
(i) acquiring a current biometric sample;
(ii) a current record identifier;
(iii) a decryption key generation data;
(iv) identifying a matching biometric record whose enrollment record identifier matches the current record identifier;
(v) creating a decryption key from said decryption key generation data;
(vi) performing a decryption operation on said matching biometric record to extract a decrypted biometric model from said record; and
(vii) comparing said decrypted biometric model with the current biometric sample to verify the identity of the user for authorizing access to the secured resource.

generating a statistical equivalence score; and
testing said statistical equivalence score against a pre-determined threshold to determine whether to grant said user access to said secured resource.
5. The method of claim 1, wherein the step of acquiring an enrollment biometric sample is obtained indirectly from one or more user supplied input responses.

6. The method of claim 1, wherein the step of acquiring a current biometric sample is obtained indirectly from one or more user supplied input responses.

7. The method of claim 1, wherein the step of acquiring an enrollment biometric sample is derived directly from a user supplied bio-characteristic.

8. The method of claim 1, wherein the step of acquiring a current biometric sample is derived directly from a user supplied bio-characteristic.

9. The method of claim 1, further comprising:
(a) creating a re-encryption key;
(b) performing an encryption operation on said decrypted biometric model to yield a re-encrypted biometric model, said encryption operation using said re-encryption key as input; and
(c) replacing said record in the biometric database with said re-encrypted biometric model.

10. The method of claim 1, wherein said encryption key generation data is a secret user supplied password.

11. The method of claim 1, wherein said encryption key generation data includes a series of answers provided by said user to a series of challenge questions.

12. The method of claim 1, wherein the step of generating a first encryption key further comprises:
collecting a subset of user provided answers to challenge questions, wherein said subset is comprised of those answers whose index corresponds to each integer from a first challenge list; and
concatenating said collected answers to form said first encryption key.

13. The method of claim 1, further comprising:
encrypting a series of answers to a series of challenge questions;
storing said encrypted answers as part of said biometric record; and
storing said challenge list as part of said biometric record.

14. The method of claim 12, where the integers which comprise the first challenge list are randomly generated.

15. The method of claim 1, wherein said encryption key generation data comprises a randomly selected first encryption key.

16. The method of claim 15, wherein the step of storing the biometric record further comprises:
dividing the randomly selected first encryption key into a plurality of n shares, where n equals the number of challenge questions;
combining each of said n shares of said first encryption key with one of the answers to said series of challenge questions thereby forming combined key shares; and
storing said plurality of combined key shares.

17. The method of claim 1, wherein the step of creating a decryption key from said decryption key generation data further comprises:
retrieving combined key shares from an encrypted biometric record;
retrieving a challenge list from said biometric record;
asking the user challenge questions whose index corresponds to integers from said challenge list;
collecting the answers to said challenge questions; and
deriving said decryption key by combining said retrieved combined key shares with said answers.

18. The method according to claim 1, wherein said encryption key generation data comprises answers to one or more challenge questions directed to a bio-characteristic of said user.

19. The method according to claim 1, wherein said first encryption key is a random number with magnitude greater than 127 bits.

20. The method according to claim 1, further comprising:
encrypting said biometric model using said first encryption key;
encrypting answers to a series of challenge questions using said first encryption key;
encrypting said first encryption key with a second encryption key;
storing said encrypted biometric model and said encrypted answers in one of a first and second database; and
storing said encrypted first encryption key in one of a first and second database, wherein the database is different from the selected database from the previous storing step.

21. The method according to claim 20, further comprising:
creating a new challenge list after a successful decryption operation on an encrypted biometric record;
creating a new encryption key using decrypted answers to challenge questions corresponding to said new challenge list; and
re-encrypting said first encryption key with the new encryption key.

22. A program storage device readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for secure handling of data, the method comprising the steps of:
(a) acquiring a biometric database of personal identifiers and data comprising;
acquiring an enrollment biometric sample, an enrollment record identifier, and encryption key generation data;
creating a biometric model from said enrollment biometric sample;
creating a first encryption key from said encryption key generation data;
performing an encryption operation on said biometric model to yield an encrypted biometric model;
storing a biometric record in said database wherein said record is comprised of said encrypted biometric model and said record identifier,
(b) verifying the identity of a user desiring access to a secured resource, comprising the steps of;
acquiring a current biometric sample, a current record identifier, and a decryption key generation data;
identifying a matching biometric record whose enrollment record identifier matches the current record identifier;
creating a decryption key from said decryption key generation data;
performing a decryption operation on said matching biometric record to extract a decrypted biometric model from said record; and
comparing said decrypted biometric model with the current biometric sample to verify the identity of the user for authorizing access to the secured resource.
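A worked example of the enrollment and verification flow of claims 1, 16, 17 and 19, added here in Python; it is not the patent's own code. The claims leave the cipher, the share-combining step and the comparison score unspecified, so the HMAC-SHA256 keystream cipher with an integrity tag, the XOR secret sharing of the key, the salted PBKDF2 mask for each answer, the mean-absolute-difference score with a 0.5 threshold, and all function names are assumptions made for this illustration.

```python
import hmac, hashlib, secrets, struct
# Constructed example, not the patent's own code. The patent leaves the cipher and the share-combining
# step unspecified; here the cipher is an HMAC-SHA256 keystream plus integrity tag, and a key share is
# combined with an answer by XOR-ing it with a salted hash of that answer. Both are assumptions.

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _answer_mask(answer, salt):
    # Mask derived from one challenge answer (normalized so case and spacing do not matter).
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 20_000, 16)
def _keystream(key, nonce, n):
    return b"".join(hmac.digest(key, nonce + struct.pack(">I", i), "sha256") for i in range((n + 31) // 32))[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        return None  # wrong key (wrong answers) or tampered record: never hand back a garbage model
    return _xor(ct, _keystream(key, nonce, len(ct)))

def enroll(record_id, model, answers):
    # Claims 16/19: a random 128-bit key is split into n XOR shares, one per challenge question.
    # The challenge list (question indices) is stored with the record; the answers are not.
    key = secrets.token_bytes(16)
    idx = list(answers)
    shares = [secrets.token_bytes(16) for _ in idx[:-1]]
    last = key
    for s in shares:
        last = _xor(last, s)
    shares.append(last)  # XOR of all n shares == key
    salt = secrets.token_bytes(16)
    combined = [_xor(s, _answer_mask(answers[i], salt)) for s, i in zip(shares, idx)]
    blob = encrypt(key, struct.pack(">%dd" % len(model), *model))
    return {"id": record_id, "model": blob, "challenge_list": idx, "shares": combined, "salt": salt}

def verify(record, sample, answers, threshold=0.5):
    # Claim 17: unmask each share with its answer and XOR the shares back into the key, then
    # decrypt the model and score it against the current sample (mean absolute feature difference).
    key = bytes(16)
    for c, i in zip(record["shares"], record["challenge_list"]):
        key = _xor(key, _xor(c, _answer_mask(answers.get(i, ""), record["salt"])))
    plain = decrypt(key, record["model"])
    if plain is None:
        return False
    model = struct.unpack(">%dd" % len(sample), plain)
    return sum(abs(m - s) for m, s in zip(model, sample)) / len(sample) < threshold
```

Because every one of the n shares is needed to rebuild the key, a single wrong answer leaves the model encrypted and the integrity tag fails closed, which is the property claim 16's share-per-question split relies on.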
Specification