System and method for biometric authentication with device attestation

US 9,961,077 B2
Filed: 10/29/2013
Issued: 05/01/2018
Est. Priority Date: 05/30/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for remotely attesting to authenticator integrity comprising:

an authenticator to read biometric authentication data from a user and determine whether to successfully authenticate the user based on a comparison with biometric reference data, a score being generated from the comparison; and

a cryptographic engine comprising a processor and non-transitory machine-readable medium having program code, which, when executed by the processor, causes the cryptographic engine to;

receive a challenge from a relying party that is outside of a physical enclosure of the apparatus, the challenge comprising a randomly generated nonce,sign the challenge and the score using an attestation key to generate an attestation signature, wherein the attestation key is established after an endorsement key certificate is generated, using a product line, specifically for the relying party, wherein the product line extracts a public endorsement key from an endorsement key pair to generate and return the endorsement key certificate to the cryptographic engine, and wherein the endorsement key certificate corresponds to the attestation key, andsend a user identifier (ID), the score, and the attestation signature to the relying party, wherein the relying party verifies that the attestation signature is valid using a key corresponding to the endorsement key certificate, and wherein the score is used to determine whether the authentication of the user is successful.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for biometric device attestation. For example, one embodiment of an apparatus includes: a biometric device to read biometric authentication data from a user and determine whether to successfully authenticate the user based on a comparison with biometric reference data; and a cryptographic engine to establish communication with a relying party and to attest to the model and/or integrity of the biometric device to the relying party.

306 Citations

21 Claims

1. An apparatus for remotely attesting to authenticator integrity comprising:
- an authenticator to read biometric authentication data from a user and determine whether to successfully authenticate the user based on a comparison with biometric reference data, a score being generated from the comparison; and
  
  a cryptographic engine comprising a processor and non-transitory machine-readable medium having program code, which, when executed by the processor, causes the cryptographic engine to;
  
  receive a challenge from a relying party that is outside of a physical enclosure of the apparatus, the challenge comprising a randomly generated nonce,sign the challenge and the score using an attestation key to generate an attestation signature, wherein the attestation key is established after an endorsement key certificate is generated, using a product line, specifically for the relying party, wherein the product line extracts a public endorsement key from an endorsement key pair to generate and return the endorsement key certificate to the cryptographic engine, and wherein the endorsement key certificate corresponds to the attestation key, andsend a user identifier (ID), the score, and the attestation signature to the relying party, wherein the relying party verifies that the attestation signature is valid using a key corresponding to the endorsement key certificate, and wherein the score is used to determine whether the authentication of the user is successful.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus as in claim 1 wherein the cryptographic engine is integrated within the authenticator.
  - 3. The apparatus as in claim 1 wherein the attestation key is a private key and the key of the relying party is a public key associated with the private key.
  - 4. The apparatus as in claim 1 wherein attesting to the integrity of the authenticator comprises implementing a series of direct anonymous attestation (DAA) transactions between the cryptographic engine and the relying party.
  - 5. The apparatus as in claim 4 wherein the DAA transactions include DAA-Sign and DAA-Verify transactions.
  - 6. The apparatus as in claim 1 further comprising:
    - protection logic to erase cryptographic data of the cryptographic engine upon detecting tampering with the cryptographic data.
  - 7. The apparatus as in claim 1 wherein the authenticator is to:
    - read the biometric authentication data from a user;
      
      extract specified portions of the biometric authentication data having certain features; and
      
      compare the specified portions of the biometric authentication data with biometric reference data and responsively generate the score based on the comparison, the score indicating a level of similarity between the specified portions of the biometric authentication data and the biometric reference data.

8. A method for remotely attesting to authenticator integrity comprising:
- reading biometric authentication data from a user and determining whether to successfully authenticate the user based on a comparison with biometric reference data, a score being generated from the comparison, wherein the reading and determining are performed by an authenticator; and
  
  protecting communication with a relying party that is outside of a physical enclosure of the authenticator; and
  
  performing an attestation transaction with the relying party to attest to the integrity of the authenticator to the relying party, the attestation comprising;
  
  receiving a challenge from the relying party, the challenge comprising a randomly generated nonce;
  
  signing the challenge and the score using an attestation key to generate an attestation signature, wherein the attestation key is established after an endorsement key certificate is generated, using a product line specifically for the relying party, wherein the product line extracts a public endorsement key from an endorsement key pair to generate and return the endorsement key certificate for signing the challenge and the score, and wherein the endorsement key certificate corresponds to the attestation key; and
  
  sending a user identifier (ID), the score, and the attestation signature to the relying party, wherein the relying party verifies that the attestation signature is valid using a key corresponding to the endorsement key certificate, and wherein the score is used to determine whether the authentication of the user is successful.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as in claim 8 wherein a cryptographic engine which performs the attestation transaction is integrated within an authenticator that reads the biometric authentication data from the user and determines whether to successfully authenticate the user based on a comparison with the biometric reference data.
  - 10. The method as in claim 8 wherein the attestation key is a private key and the key of the relying party is a public key associated with the private key.
  - 11. The method as in claim 8 wherein attesting to the integrity of the authenticator comprises implementing a series of direct anonymous attestation (DAA) transactions between a cryptographic engine and the relying party.
  - 12. The method as in claim 11 wherein the DAA transactions include DAA-Sign and DAA-Verify transactions.
  - 13. The method as in claim 8 further comprising:
    - erasing cryptographic data upon detecting tampering with the cryptographic data.
  - 14. The method as in claim 8 wherein determining whether to successfully authenticate the user further comprises:
    - reading the biometric authentication data from a user;
      
      extracting specified portions of the biometric authentication data having certain features;
      
      comparing the specified portions of the biometric authentication data with biometric reference data and responsively generate the score based on the comparison, the score indicating a level of similarity between the specified portions of the biometric authentication data and the biometric reference data.

15. A non-transitory machine-readable medium having program code stored thereon which, when executed by a machine, causes the machine to perform:
- reading biometric authentication data from a user and determining whether to successfully authenticate the user based on a comparison with biometric reference data, a score being generated from the comparison, wherein the operations of reading and determining are performed by an authenticator; and
  
  protecting communication with a relying party that is outside of a physical enclosure of the authenticator; and
  
  performing an attestation transaction with the relying party to attest to integrity of the authenticator to the relying party, the attestation comprising;
  
  receiving a challenge from the relying party, the challenge comprising a randomly generated nonce;
  
  signing the challenge and the score using an attestation key to generate an attestation signature, wherein the attestation key is established after an endorsement key certificate is generated, using a product line, specifically for the relying party, wherein the product line extracts a public endorsement key from an endorsement key pair to generate and return the endorsement key certificate for signing the challenge and the score, and wherein the endorsement key certificate corresponds to the attestation key; and
  
  sending a user identifier (ID), the score, and the attestation signature to the relying party, wherein the relying party verifies that the attestation signature is valid using a key corresponding to the endorsement key certificate, and wherein the score is used to determine whether the authentication of the user is successful.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The machine-readable medium as in claim 15 wherein a cryptographic engine which performs the attestation transaction is integrated within an authenticator that reads the biometric authentication data from the user and determines whether to successfully authenticate the user based on a comparison with the biometric reference data.
  - 17. The machine-readable medium as in claim 15 wherein the attestation key is a private key and the key of the relying party is a public key associated with the private key.
  - 18. The machine-readable medium as in claim 15 wherein attesting to the integrity of the authenticator comprises implementing a series of direct anonymous attestation (DAA) transactions between a cryptographic engine and the relying party.
  - 19. The machine-readable medium as in claim 18 wherein the DAA transactions include DAA-Sign and DAA-Verify transactions.
  - 20. The machine-readable medium as in claim 15 further comprising:
    - erasing cryptographic data upon detecting tampering with the cryptographic data.
  - 21. The machine-readable medium as in claim 15 wherein determining whether to successfully authenticate the user further comprises:
    - reading the biometric authentication data from a user;
      
      extracting specified portions of the biometric authentication data having certain features;
      
      comparing the specified portions of the biometric authentication data with biometric reference data and responsively generate the score based on the comparison, the score indicating a level of similarity between the specified portions of the biometric authentication data and the biometric reference data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Lindemann, Rolf
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
TAYLOR, SAKINAH W

Application Number

US14/066,273
Publication Number

US 20160241552A1
Time in Patent Office

1,645 Days
Field of Search

713186
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

H04L 63/0861   using biometrical features,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

System and method for biometric authentication with device attestation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

306 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for biometric authentication with device attestation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

306 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links