Methods for secure backup of personal identity credentials into electronic devices
Abstract
A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.
12 Claims
1. A method for secure backup of biometric encryption keys associated with a first biometric personal identification device for future restoration of an encrypted digital signature, the method comprising:
- dividing, at the first biometric personal identification device, a first symmetric key to produce a first portion of the first symmetric key and a second portion of the first symmetric key different from the first portion of the first symmetric key;
- encrypting a digital signature associated with the first portion of the first symmetric key based on a party public key associated with a party to produce the encrypted digital signature, the encrypted digital signature being associated with the first portion of the first symmetric key;
- sending the encrypted digital signature associated with the first portion of the first symmetric key to a backup storage repository separate from the first biometric personal identification device such that the encrypted digital signature associated with the first portion of the first symmetric key is retrievable during a first symmetric key restoration by a second personal identification device, the encrypted digital signature associated with the first portion of the first symmetric key configured to be decrypted during the first symmetric key restoration based on a party private key associated with the party;
- dividing, at the first biometric personal identification device, a second symmetric key to produce a first portion of the second symmetric key and a second portion of the second symmetric key different from the first portion of the second symmetric key;
- generating, at the first biometric personal identification device, a digital signature associated with the first portion of the second symmetric key based on a device private key associated with the first biometric personal identification device;
- encrypting the first portion of the second symmetric key and the digital signature associated with the first portion of the second symmetric key based on the party public key associated with the party to produce an encrypted first portion of the second symmetric key and an encrypted digital signature associated with the first portion of the second symmetric key; and
- encrypting the second portion of the second symmetric key based on a user-selected identifier to produce an encrypted second portion of the second symmetric key.
Dependent claims: 2, 3, 4
5. A method for secure backup of biometric encryption keys associated with a first biometric personal identification device for future restoration of an encrypted digital signature, the method comprising:
- generating a digital signature associated with a first section of a first symmetric key based on a device private key associated with the first biometric personal identification device, the digital signature configured to be verified based on a device public key associated with the first biometric personal identification device;
- encrypting the digital signature associated with the first section of the first symmetric key based on a party public key associated with a party to produce the encrypted digital signature, the encrypted digital signature being associated with the first section of the first symmetric key, the encrypted digital signature configured to be decrypted based on a party private key associated with the party;
- encrypting the second section of the first symmetric key based on a user-selected identifier to produce an encrypted second section of the first symmetric key, the encrypted second section of the first symmetric key configured to be decrypted based on the user-selected identifier;
- sending from the first biometric personal identification device to a backup storage repository the encrypted digital signature and the encrypted second section such that the encrypted digital signature and the encrypted second section can be retrieved by a second personal identification device during a symmetric key restoration process;
- dividing, at the first biometric personal identification device, a second symmetric key to produce a first section of the second symmetric key and a second section of the second symmetric key; and
- sending to the party an encrypted digital signature associated with the first section of the second symmetric key, an encrypted first section of the second symmetric key and an encrypted second section of the second symmetric key.
Dependent claims: 6, 7, 8
9. A biometric apparatus, comprising:
- a memory configured to store a biometric data of a user, a device private key and a party public key associated with a party;
- a processor coupled to the memory, the processor configured to divide a first symmetric key into a first section and a second section different from the first section, the processor configured to generate a digital signature associated with the first section of the first symmetric key based on the device private key, the processor configured to encrypt the digital signature associated with the first section of the first symmetric key based on the party public key to produce an encrypted digital signature associated with the first section of the first symmetric key, the processor configured to encrypt the second section of the first symmetric key based on a first user-selected identifier to produce an encrypted second section of the first symmetric key, the processor configured to divide a second symmetric key into a first section and a second section different from the first section, the processor configured to generate a digital signature associated with the first section of the second symmetric key based on the device private key, the processor configured to encrypt the digital signature associated with the first section of the second symmetric key based on the party public key to produce an encrypted digital signature, the processor configured to encrypt the second section of the second symmetric key based on a second user-selected identifier to produce an encrypted second section of the second symmetric key; and
- a transmitter coupled to the processor, the processor configured to send at least one of the encrypted digital signature associated with the first section and the encrypted second section using the transmitter to a backup storage repository separate from the biometric apparatus such that the encrypted digital signature is retrievable in a first symmetric key restoration process by a device separate from the biometric apparatus.
Dependent claims: 10, 11, 12
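The backup and restoration flow recited in the claims, as an added Python example that is not part of the patent text: the first portion of a symmetric key is signed with the device private key and encrypted with its signature under the party public key, and the second portion is encrypted under a key derived from the user-selected identifier. The function names, the constructed identifier, and the algorithm choices (Ed25519, RSA-OAEP, PBKDF2, AES-GCM via the `cryptography` package) are assumptions; the claims name no algorithms.

```python
import hashlib, os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithms (the claims name none): Ed25519, RSA-OAEP, PBKDF2, AES-GCM.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def _kek(identifier: str, salt: bytes) -> bytes:
    # Stretch the low-entropy user-selected identifier into an AES-256 key.
    return hashlib.pbkdf2_hmac("sha256", identifier.encode(), salt, 200_000, 32)

def backup(sym_key: bytes, device_priv, party_pub, identifier: str) -> dict:
    half = len(sym_key) // 2
    first, second = sym_key[:half], sym_key[half:]          # divide the key
    sig = device_priv.sign(first)                           # 64-byte device signature
    salt, nonce = os.urandom(16), os.urandom(12)
    return {
        "enc_first": party_pub.encrypt(first + sig, OAEP),  # only the party can open it
        "salt": salt, "nonce": nonce,
        "enc_second": AESGCM(_kek(identifier, salt)).encrypt(nonce, second, None),
    }

def restore(blob: dict, party_priv, device_pub, identifier: str) -> bytes:
    opened = party_priv.decrypt(blob["enc_first"], OAEP)
    first, sig = opened[:-64], opened[-64:]
    device_pub.verify(sig, first)   # InvalidSignature unless the enrolled device signed it
    kek = _kek(identifier, blob["salt"])
    return first + AESGCM(kek).decrypt(blob["nonce"], blob["enc_second"], None)

def rejects(exc, *args) -> bool:
    try:
        restore(*args)
    except exc:
        return True
    return False

def demo():
    device_priv = ed25519.Ed25519PrivateKey.generate()
    party_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key, ident = os.urandom(32), "constructed-identifier-4711"  # constructed sample values
    blob = backup(key, device_priv, party_priv.public_key(), ident)
    dev_pub = device_priv.public_key()
    rogue_pub = ed25519.Ed25519PrivateKey.generate().public_key()
    return (restore(blob, party_priv, dev_pub, ident) == key,
            rejects(InvalidTag, blob, party_priv, dev_pub, "wrong"),
            rejects(InvalidSignature, blob, party_priv, rogue_pub, ident))

if __name__ == "__main__":
    print(demo())
```

Neither the party private key nor the user-selected identifier alone recovers the whole key, and the signature check ties the restored first portion to the originating device.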
Specification