Methods for secure enrollment of personal identity credentials into electronic devices
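IPC classification information
Country / Type: United States (US) Patent
Status: Registered
International Patent Classification (IPC 7th edition):
G06F-021/00
G06K-009/00
G05B-023/00
Application number: US-0190058 (2008-08-12)
Registration number: US-8127143 (2012-02-28)
Inventors / Address:
Abdallah, David S.
Johnson, Barry W.
Applicant / Address: Privaris, Inc.
Citation information
Times cited: 13
Cited patents: 118
Abstract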
A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.
Representative claims
1. A method, comprising: verifying, at a personal identification device, a validity of an enrollment authority based on an encrypted verification string associated with the enrollment authority, the verifying including comparing a decrypted verification string and an unencrypted verification string such that the validity of the enrollment authority is verified when the decrypted verification string matches the unencrypted verification string, the decrypted verification string being produced by the personal identification device based on the encrypted verification string and a public key associated with the enrollment authority; sending from the personal identification device an encrypted session key to the enrollment authority when the validity of the enrollment authority is verified; downloading, at the personal identification device, biometric data encrypted using the encrypted session key after the sending and when the validity of the enrollment authority is verified; and storing, only at the personal identification device, the biometric data after the receiving such that the biometric data is prevented from being transmitted from the personal identification device after the storing.
2. The method of claim 1, further comprising: before the verifying, receiving a digital certificate uniquely associated with the enrollment authority, the digital certificate including a public key of the enrollment authority, the verifying being based on the digital certificate.
3. The method of claim 1, further comprising: before the verifying, sending the unencrypted verification string from the personal identification device to the enrollment authority.
4. The method of claim 1, further comprising: before the verifying, receiving at the personal identification device the encrypted verification string from the enrollment authority, the encrypted verification string being produced by the enrollment authority based on the unencrypted verification string sent from the personal identification device and a private key uniquely associated with the enrollment authority.
5. The method of claim 1, further comprising: before the verifying, decrypting the encrypted verification string based on a public key associated with the enrollment authority.
6. The method of claim 1, wherein: the encrypted verification string being produced by the enrollment authority based on the unencrypted verification string sent by the personal identification device and a private key uniquely associated with the enrollment authority.
7. The method of claim 1, further comprising: sending a digital certificate associated with the personal identification device from the personal identification device to the enrollment authority, the digital certificate including a public key associated with the personal identification device; receiving, at the personal identification device, a device verification string from the party enrollment authority; encrypting the device verification string based on a private key uniquely associated with the personal identification device to produce an encrypted device verification string; and sending the encrypted device verification string from the personal identification device to the enrollment authority.
8. A method, comprising: verifying, at an enrollment authority, a validity of a personal identification device based on an encrypted verification string associated with the personal identification device, the verifying including comparing a decrypted string and a device verification string such that the validity of the personal identification device is verified when the decrypted string matches the device verification string; receiving, at the enrollment authority, an encrypted session key from the personal identification device; and sending, from the enrollment authority, a signal configured to permit the personal identification device to download biometric data encrypted using the encrypted session key after the validity of the personal identification device is verified such that the biometric data is stored only at the personal identification device and prevented from being transmitted from the personal identification device.
9. The method of claim 8, further comprising: before the verifying, receiving a digital certificate uniquely associated with the personal identification device, the digital certificate including a public key of the personal identification device, the verifying being based on the digital certificate.
10. The method of claim 8, further comprising: before the verifying, sending the device verification string from the enrollment authority to the personal identification device, the encrypted string being based on the device verification string.
11. The method of claim 8, further comprising: before the verifying, receiving at the enrollment authority the encrypted string from the personal identification device, the encrypted string being produced by the personal identification device based on a device verification string sent by the enrollment authority and a private key uniquely associated with the personal identification device.
12. The method of claim 8, further comprising: before the verifying, decrypting the encrypted string based on the encrypted string and a public key associated with the personal identification device to produce a decrypted string, the verifying being based on the decrypted string.
13. The method of claim 8, wherein: the decrypted string being produced by the enrollment authority based on the encrypted string and a public key associated with the personal identification device, the encrypted string being produced by the personal identification device based on a device verification string sent by the enrollment authority and a private key uniquely associated with the personal identification device.
14. The method of claim 8, further comprising: after the sending, sending biometric data from the enrollment authority to the personal identification device based on the encrypted session key.
15. The method of claim 8, further comprising: receiving, from the personal identification device, a digital certificate associated with a manufacturer of the personal identification device; and verifying a validity of the manufacturer based on the digital certificate associated with the manufacturer.
16. The method of claim 8, further comprising: sending a digital certificate associated with the enrollment authority from the enrollment authority to the personal identification device, the digital certificate including a public key associated with the enrollment authority; receiving at the enrollment authority an enrollment authority verification string from the personal identification device; encrypting the enrollment authority verification string based on a private key uniquely associated with the enrollment authority to produce an encrypted enrollment authority verification string; and sending the encrypted enrollment authority verification string from the enrollment authority to the personal identification device.
17. An apparatus, comprising: a memory configured to store biometric data of a user; a processor coupled to the memory, the processor configured to verify a validity of an enrollment authority based on an encrypted string associated with the enrollment authority and a digital certificate uniquely associated with the enrollment authority; the processor configured to compare a decrypted string and an enrollment authority verification string such that the validity of the enrollment authority is verified when the decrypted string matches the enrollment authority verification string; a biometric sensor coupled to the processor, the biometric sensor configured to receive biometric data from the user; a transmitter coupled to the processor, the processor configured to send an encrypted session key to the enrollment authority via the transmitter when the validity of the enrollment authority is verified; and a receiver coupled to the processor, the receiver configured to receive the digital certificate uniquely associated with the enrollment authority, the digital certificate including a public key of the enrollment authority, the processor configured to download and store the biometric data when the validity of the enrollment authority is verified, the receiver configured to store the biometric data such that such that the biometric data is prevented from being transmitted by the transmitter after the storing.
18. The apparatus of claim 17, wherein: the processor is configured to send the enrollment authority verification string to the party via the transmitter, the enrollment authority verification string being associated with the encrypted string.
19. The apparatus of claim 17, wherein: the receiver is configured to receive the encrypted string from the enrollment authority, the encrypted string being produced by the enrollment authority based on the enrollment authority verification string sent by the apparatus and a private key uniquely associated with the party enrollment authority.
20. The apparatus of claim 17, wherein: the processor configured to produce the decrypted string based on the encrypted string and a public key associated with the enrollment authority, the processor configured to send the enrollment authority verification string via the transmitter, the encrypted string being produced by the enrollment authority based on the enrollment authority verification string and a private key uniquely associated with the enrollment authority.
21. The apparatus of claim 17, wherein: the processor is configured to produce a session key, the processor configured to encrypt the session key to produce the encrypted session key.
22. The apparatus of claim 17, wherein the processor is configured to send the encrypted session key to the enrollment authority via the transmitter such that the enrollment authority securely sends biometric data based on the encrypted session key.
23. The apparatus of claim 17, wherein: the processor is configured to send a digital certificate associated with a manufacturer of the apparatus to the enrollment authority via the transmitter such that a validity of the digital certificate associated with the manufacturer can be verified.
24. The apparatus of claim 17, wherein: the receiver is configured to receive a device verification string from the enrollment authority, the processor being configured to encrypt the device verification string based on a private key uniquely associated with the apparatus to produce an encrypted device verification string, the processor being configured to send the encrypted device verification string to the enrollment authority via the transmitter.
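The exchange recited in claims 1, 7 and 8, sketched as an added example that is not taken from the patent or from any Privaris implementation. All names are hypothetical, the keys are constructed toy values, and three choices are assumptions the claims do not fix: unpadded textbook RSA for the "encrypt with private key, decrypt with public key" step, wrapping the session key under the enrollment authority's public key, and a SHA-256 keystream standing in for a real authenticated cipher.

```python
import hashlib
import secrets

E = 65537

def keypair(p, q):
    """Constructed toy RSA key from two known primes; far too weak for real use."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

EA_PUB, EA_PRIV = keypair(2**127 - 1, 2**89 - 1)    # enrollment authority (certified key)
DEV_PUB, DEV_PRIV = keypair(2**107 - 1, 2**61 - 1)  # personal identification device

def rsa(key, m):
    n, exp = key
    return pow(m, exp, n)

def prove(priv, challenge):
    """Produce the 'encrypted verification string' with a private key."""
    return rsa(priv, challenge)

def verify(pub, challenge, response):
    """Decrypt with the public key and compare with the string that was sent."""
    return rsa(pub, response) == challenge

def stream_xor(key, data):
    """XOR with a SHA-256 counter keystream (assumption: stand-in for an AEAD)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enroll(ea_priv, template):
    """Run one enrollment; ea_priv is whatever key the remote party really holds."""
    # Device challenges the authority with a fresh string (claims 3 to 5).
    c_ea = 2 + secrets.randbelow(2**120)
    if not verify(EA_PUB, c_ea, prove(ea_priv, c_ea)):
        return None  # unverified party: no session key ever leaves the device
    # Authority challenges the device (claims 7 and 10 to 12).
    c_dev = 2 + secrets.randbelow(2**120)
    if not verify(DEV_PUB, c_dev, prove(DEV_PRIV, c_dev)):
        return None
    # Device creates the session key and sends it wrapped for the authority.
    session = secrets.token_bytes(16)
    wrapped = rsa(EA_PUB, int.from_bytes(session, "big"))
    # Authority unwraps the key and sends the biometric data under it.
    ea_session = rsa(ea_priv, wrapped).to_bytes(16, "big")
    ciphertext = stream_xor(ea_session, template)
    # Device decrypts; the return value models storage held only on the device.
    return stream_xor(session, ciphertext)
```

Fresh random challenges are what keep a recorded response from being replayed in a later enrollment. A party holding any key other than the one bound to the authority's certificate fails the first check, so the session key is never sent to it.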
Patents cited by this patent (118)
Edward M. Scheidt ; Ersin L. Domangue, Access control and authorization system.
Berson William (Westport CT) Zemlok Kenneth C. (Shelton CT), Apparatus for verifying an identification card and identifying a person by means of a biometric characteristic.
Richards, Bruce G.; Drummond, Jay Paul; Blackson, Dale; Cichon, Bob A.; Ess, Joseph C.; Moales, Mark A.; Weis, David W.; Smith, Mark D.; Church, James, Automated banking machine and system.
Green, Patrick C.; Smith, Mark; Ramachandran, Natarajan; Delaney, Daniel J.; Barker, David A.; Theriault, Franklin M.; Herrera, Elizabeth; Hill, Jeffrey A.; Douglas, Mark, Automated transaction system and method.
Bernstein Robert J. (First Options ; One Financial Plz. 440 S. LaSalle St. Chicago IL 60605), Automatic portable account controller for remotely arranging for payment of debt to a vendor.
Dickinson, Alexander G.; Rohrbach, Mark D.; Clayton, Richard F.; Stark, Gregory H.; Ferrante, Michelle, Cryptographic server with provisions for interoperability between cryptographic systems.
Booth, Kevin E.; Popolow, Harry N.; Ford, Richard R.; Johnson, Edward E.; Loftin, Jon S.; Osborne, Lance C.; Johnson, David W., Electronically-controlled locker system.
Wood, David L.; Weschler, Paul; Norton, Derk; Ferris, Chris; Wilson, Yvonne; Soley, William R., Log-on service providing credential level change without loss of session continuity.
Chainer, Timothy Joseph; Kitchens, Bruce P.; Maes, Stephane Herman; Martens, Marco; Rutledge, Joseph Dela; Tresser, Charles Philippe, Method and apparatus for secure authorization and identification using biometrics without privacy invasion.
Campbell, Bruce S.; Strauss, III, Burton M.; Dolecki, Myron C., Method and system for partitioned service-enablement gateway with utility and consumer services.
Boate,Alan; Reed,Brian, Method and system for securing a computer network and personal identification device used therein for controlling access to network components.
Bolle, Rudolf Maarten; Nunes, Sharon Louise; Pankanti, Sharathchandra; Ratha, Nalini Kanta; Smith, Barton Allen; Zimmerman, Thomas Guthrie, Method for biometric-based authentication in wireless communication for access control.
Lambert Howard Shelton,GBX ; Orchard James Ronald Lewis,GBX, Method for controlling access to electronically provided services and system for implementing such method.
Stephen J. Borza CA, Method for securing communication by selecting an encoding process using a first computer based upon ability of a second computer and deleting the process thereafter.
Drummond, Jay Paul; Blackson, Dale; Cichon, Bob A.; Ess, Joseph C.; Moales, Mark A.; Weis, David W.; Smith, Mark D.; Church, James, Method of using an automated banking machine.
Gopalakrishnan, Ponani S.; Kanevsky, Dimitri; Maes, Stephane Herman, Methods and apparatus for restricting access of a user using random partial biometrics.
Johnson, Richard C., Methods and systems for carrying out directory-authenticated electronic transactions including contingency-dependent payments via secure electronic bank drafts.
Johnson, Richard C., Methods and systems for single sign-on authentication in a multi-vendor e-commerce environment and directory-authenticated bank drafts.
Futamura,Ichiro; Ishibashi,Yoshihito; Matsuyama,Shinako; Kon,Masashi; Watanabe,Hideaki, Person authentication system, person authentication method, information processing apparatus, and program providing medium.
Puhl Larry C. (Sleepy Hollow IL) Comroe Richard A. (Dundee IL) Furtaw Robert W. (Arlington Heights IL) Cantarutti Tracey L. (Barrington IL), Portable authentification system.
McClurg, George William; Brunell, David; Scott, Walter Guy, Rechargeable mobile hand-held fingerprint scanner with a data and power communication interface.
Hoffman, Ned; Lapsley, Philip Dean, System and method for processing tokenless biometric electronic transmissions using an electronic rule module clearinghouse.
Bianco Peter Garrett ; Boon William Taylor ; Sterling Robert Brewster ; Ware Karl Roger, System, method and computer program product for allowing access to enterprise resources using biometric devices.
Lapsley, Philip Dean; Lee, Jonathan Alexander; Pare, Jr., David Ferrin; Hoffman, Ned, Tokenless biometric electronic financial transactions via a third party identicator.
Ned Hoffman ; David Ferrin Pare, Jr. ; Jonathan Alexander Lee ; Philip Dean Lapsley, Tokenless biometric electronic transactions using an audio signature to identify the transaction processor.
Hoffman Ned (Berkeley CA) Pare ; Jr. David F. (Berkeley CA) Lee Jonathan A. (Berkeley CA), Tokenless identification system for authorization of electronic transactions and electronic transmissions.