U.S. patent application number 11/873164 was filed with the patent office on 2008-02-14 for system and method for secure biometric identification.
This patent application is currently assigned to BROADCOM CORPORATION. Invention is credited to Jeff Calcagno, Martin Morris, Andrew Senyei.
Application Number | 20080039140 11/873164 |
Family ID | 38577916 |
Filed Date | 2008-02-14 |
United States Patent Application | 20080039140 |
Kind Code | A1 |
Morris; Martin; et al. | February 14, 2008 |
SYSTEM AND METHOD FOR SECURE BIOMETRIC IDENTIFICATION
Abstract
A system and method for secure biometric identification. The
inventive system includes a mobile unit and a server. The mobile
unit is adapted to receive biometric input and provide a first
signal in response thereto. In the illustrative implementation, the
mobile unit is a Personal Digital Assistant (PDA) and the biometric
input is provided by a fingerprint sensor mounted thereon. A first
transceiver is mounted on the PDA for transmitting the first signal
and receiving a second signal in response thereto. The PDA is
adapted to encrypt the first signal and decrypt the second signal.
A secure device is mounted at the PDA. The secure device has two
modes of operation: a first locked mode by which access thereto is
prohibited and a second unlocked mode by which access thereto is
enabled on receipt of the second signal. In the illustrative
implementation, the secure device is an encrypted database for
which the second signal is a decryption key. The server unit
includes a second transceiver for receiving the first signal
transmitted via the wireless link. The first and second
transceivers are adapted to operate in accordance with the
Bluetooth specification. The server is equipped with a system for
authenticating the biometric data and providing the second signal
in response thereto. The second signal is then communicated to the
mobile unit where it is utilized to access the secure device, e.g.,
encrypted database.
Inventors: | Morris; Martin; (Vista, CA); Senyei; Andrew; (La Jolla, CA); Calcagno; Jeff; (La Jolla, CA) |
Correspondence Address: | MCANDREWS HELD & MALLOY, LTD, 500 WEST MADISON STREET, SUITE 3400, CHICAGO, IL 60661, US |
Assignee: | BROADCOM CORPORATION, 5300 California Avenue, Irvine, CA 92617 |
Family ID: | 38577916 |
Appl. No.: | 11/873164 |
Filed: | October 16, 2007 |
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number |
09531720 | Mar 21, 2000 | 7284266 |
11873164 | Oct 16, 2007 | |
Current U.S. Class: | 455/558 |
Current CPC Class: | H04L 9/0825 20130101; H04L 9/3231 20130101; H04L 2209/805 20130101 |
Class at Publication: | 455/558 |
International Class: | H04M 1/00 20060101 H04M001/00 |
Claims
1-59. (canceled)
60. A mobile wireless communications device, comprising: a
biometric sensor that is part of a card that is received by the
mobile wireless communications device; a processor operatively
coupled to the biometric sensor; and an encrypted database
operatively coupled to the processor, wherein the mobile wireless
communications device wirelessly transmits biometric information,
wherein the mobile wireless communications device wirelessly
receives a cryptographic key in response to the transmitted
biometric information, and wherein the cryptographic key is used to
decrypt at least a portion of the encrypted database.
61. The mobile wireless communications device according to claim
60, wherein the biometric sensor comprises a fingerprint
sensor.
62. The mobile wireless communications device according to claim
61, comprising: control software running on the processor.
63. The mobile wireless communications device according to claim
60, wherein the processor comprises a central processing unit.
64. The mobile wireless communications device according to claim
62, comprising: a wireless transceiver operatively coupled to the
processor.
65. The mobile wireless communications device according to claim
64, comprising: encryption circuitry operatively coupled to the
processor.
66. The mobile wireless communications device according to claim
65, comprising: a working database operatively coupled to the
processor.
67. The mobile wireless communications device according to claim
65, wherein the biometric information is derived from information
generated by the biometric sensor.
68. The mobile wireless communications device according to claim
67, wherein the mobile wireless communications device is part of a
personal digital assistant (PDA).
69. The mobile wireless communications device according to claim
67, wherein the wireless transceiver comprises a Bluetooth-enabled
wireless transceiver.
70. A system for secure identification, comprising: a first
handheld wireless communications device comprising a biometric
sensor, a first processor, a secure device and a first wireless
transceiver, the biometric sensor being part of a card, the card
being received by the handheld wireless communications device, the
first processor being in communication with the biometric sensor
and the first wireless transceiver; the secure device storing an
encrypted database, and a second communications device in
communication with the first handheld wireless communications
device, the second communications device comprising a second
processor, a second transceiver and software, the second processor
being operatively coupled to the second transceiver, the software
authenticating a signal transmitted by the first wireless
transceiver and received by the second transceiver and providing a
cryptographic key in response to the authenticated signal, wherein
the cryptographic key is used by the first handheld wireless
communications device to decrypt at least a portion of the
encrypted database.
71. The system according to claim 70, wherein the cryptographic key
comprises a public key.
72. The system according to claim 70, wherein the first handheld
wireless communications device comprises a personal digital
assistant (PDA).
73. The system according to claim 70, wherein the first wireless
transceiver comprises a Bluetooth-enabled wireless transceiver.
74. The system according to claim 73, wherein the second
transceiver comprises a second Bluetooth-enabled wireless
transceiver.
75. The system according to claim 73, wherein the second wireless
communications device comprises an access point.
76. The system according to claim 70, wherein the first handheld
wireless communications device and the second communications device
communicate via a local area network.
77. The system according to claim 70, wherein the first handheld
wireless communications device and the second communications device
communicate via a wide area network.
78. The system according to claim 70, wherein the first handheld
wireless communications device and the second communications device
communicate via an access point.
79. The system according to claim 70, wherein the first handheld
wireless communications device comprises a mobile wireless
communications device.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Field of the Invention
[0002] The present invention relates to electronic devices and
systems. More specifically, the present invention relates to
systems and methods for providing user identification and/or
authentication for electronic devices and systems.
[0003] 2. Description of the Related Art
[0004] Currently, whenever a user wishes to access a computer-based
system containing private data, the user must often identify
himself, usually with a password. Passwords notoriously provide
poor security as users either choose very simple, easily ascertained
passwords or, if they use more difficult passwords, users often
write them down, making them subject to theft.
[0005] In the end, most forms of encryption, as well as access
controls such as passwords and even locks, serve a single purpose
of identifying the person requesting access.
[0006] Hence, there is a need in the art for a reliable, secure
system or method of authenticating the identity of a user. Ideally,
the system or method would be effective such that one would not
need to memorize passwords or utilize other authenticating devices
such as keys to access computers and other electronic devices and
systems.
SUMMARY OF THE INVENTION
[0007] The need in the art is addressed by the system and method
for secure biometric identification of the present invention. The
inventive system includes a mobile unit and a server. In the
illustrative embodiment, the mobile unit is adapted to receive
biometric input and provide a first signal in response thereto. A
first transceiver is included for transmitting the first signal and
receiving a second signal in response thereto. In an illustrative
embodiment, a secure device is operationally coupled to the mobile
unit. The secure device has two modes of operation: a first locked
mode by which access thereto is prohibited and a second unlocked
mode by which access thereto is enabled on receipt of the second
signal.
[0008] The server unit includes a second transceiver for receiving
the first signal transmitted via the wireless link. The server is
equipped with a system for authenticating the biometric data and
providing the second signal in response thereto. The second signal
is then communicated to the mobile unit where it is utilized to
access the secure device.
[0009] In the illustrative embodiment, the first and second
transceivers are adapted to operate in accordance with the
Bluetooth specification. Preferably, the mobile unit is adapted to
encrypt the first signal and decrypt the second signal. In the
illustrative implementation, biometric input is provided by a
fingerprint sensor mounted on a Personal Digital Assistant. The
secure device in the illustrative implementation is an encrypted
database for which the second signal is a decryption key.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] FIG. 1a is a perspective front view of an illustrative
implementation of a PDA adapted for use in accordance with the
teachings of the present invention.
[0011] FIG. 1b is a perspective rear view thereof.
[0012] FIG. 2 is a block diagram of an illustrative implementation
of a mobile unit subsystem constructed in accordance with the
present teachings.
[0013] FIG. 3 is a block diagram of an illustrative implementation
of a server subsystem for use in the system for secure biometric
identification of the present invention.
[0014] FIG. 4 is a flow diagram illustrative of a method for secure
biometric identification implemented in accordance with the
teachings of the present invention.
DESCRIPTION OF THE INVENTION
[0015] Illustrative embodiments and exemplary applications will now
be described with reference to the accompanying drawings to
disclose the advantageous teachings of the present invention.
[0016] While the present invention is described herein with
reference to illustrative embodiments for particular applications,
it should be understood that the invention is not limited thereto.
Those having ordinary skill in the art and access to the teachings
provided herein will recognize additional modifications,
applications, and embodiments within the scope thereof and
additional fields in which the present invention would be of
significant utility.
[0017] As mentioned above, and in accordance with the present
teachings, the inventive system includes a mobile unit and a
server. In the illustrative embodiment, the mobile unit is a
Personal Digital Assistant (PDA) adapted to receive biometric input
from a fingerprint sensor and provide a first signal in response
thereto. Personal Digital Assistants are well known and widely
used.
[0018] FIG. 1a is a perspective front view of an illustrative
implementation of a PDA adapted for use in accordance with the
teachings of the present invention. FIG. 1b is a perspective rear
view thereof. In the preferred embodiment, the PDA is implemented
in accordance with the teachings of copending U.S. utility patent
application, filed on Mar. 21, 2000, entitled "SYSTEM AND METHOD
FOR SECURE USER IDENTIFICATION WITH BLUETOOTH ENABLED TRANSCEIVER
AND BIOMETRIC SENSOR IMPLEMENTED IN A HANDHELD COMPUTER", inventor
Martin Morris, (Atty. Docket No. WIDC-011), which teachings are
hereby incorporated herein by reference. As disclosed in the
reference application, in the best mode, the PDA 10 is equipped
with an expansion slot 12 such as the Visor™ Handheld Computer
manufactured and sold by Handspring and disclosed more fully at
www.handspring.com. As shown in FIG. 1b, the expansion slot 12 is
adapted to receive a card 14 on which a biometric device, in the
illustrative embodiment--a fingerprint sensor 16, is disposed. In
addition, in accordance with the present teachings, a transceiver
22 is also disposed on the card 14. In the preferred embodiment,
the transceiver 22 is adapted to operate in accordance with the
BLUETOOTH SPECIFICATION VERSION 1.0A CORE, published in July 1999.
When the card is inserted into the expansion slot, it interfaces
electrically with the system bus of the PDA and provides an
electrical circuit depicted in FIG. 2.
[0019] FIG. 2 is a block diagram of an illustrative implementation
of a mobile unit subsystem constructed in accordance with the
present teachings. The mobile unit subsystem 20 includes the
wireless transceiver 22 which is adapted to communicate with a
central processing unit (CPU) 26 of the PDA. The central processing
unit 26 receives biometric data from the fingerprint sensor 28. In
accordance with the present teachings, data from the fingerprint
sensor 28 is encrypted either in software 30 adapted to run on
the CPU 26 and/or in optional hardware 32. Encryption hardware and
software are well known in the art. The control software 30 also
enables the CPU 26 to selectively access and control the mobile
unit components via a system bus shown generally at 38.
[0020] The encrypted biometric data is either used locally to
access an encrypted database 34 or, preferably, transmitted over a
link such as a wireless link to a server subsystem via the
transceiver 22 and antenna 24. The server subsystem is depicted in
FIG. 3.
[0021] FIG. 3 is a block diagram of an illustrative implementation
of a server subsystem for use in the system for secure biometric
identification of the present invention. The encrypted biometric
data signal is received by a server antenna 42 and a second
wireless Bluetooth enabled transceiver 44. The received signal is
decrypted by an optional conventional hardware based decryption
circuit 46 and/or by decryption software implemented in control
software 48 adapted to run on a server CPU 50. Those skilled in the
art will appreciate that the decryption scheme utilized on the
server is designed to match that of the mobile unit 20. In the
preferred embodiment, the RSA public key encryption scheme is used.
This scheme is disclosed more fully in U.S. Pat. No. 4,405,829
entitled Cryptographic Communications System & Method, issued
Sep. 29, 1983 to Rivest, et al., the teachings of which are
incorporated herein by reference. The server control software also
controls the CPU 50 to selectively access and control the
components of the server subsystem 40 via a server subsystem bus
shown generally at 51.
[0022] In accordance with the present teachings, the decrypted
biometric data, in the illustrative implementation, the decrypted
fingerprint, is compared by fingerprint matching software 52 to a
database 54 of biometric data, i.e., fingerprints. Fingerprint
matching software is well known in the art. Such software may be
purchased from Veridicom, Inc. of Santa Clara, Calif.
[0023] When a match is achieved, a user is identified and an
authentication key specific to the identified mobile user is
retrieved from an encryption key database by the CPU 50 via the bus
51. In the preferred embodiment, the retrieved encryption key is
encrypted by the resident encryption scheme either by the hardware
unit 46, if provided, and/or by the encryption software implemented
in the control software 48. The encrypted encryption key is then
transmitted back to the mobile unit 20 via the wireless link
through the transceiver 44 and antenna 42. As an alternative, the
encrypted encryption key may be provided to a network 59 via a
first network interface card or circuit 58 and a second network
interface card or circuit 66. The network 59 facilitates the
communication of the encrypted encryption key to the mobile unit 20
via a wireless transceiver 62 and an antenna 64. This configuration
may be preferred if the second antenna 64 is closer to the mobile
unit 20.
[0024] In addition, those skilled in the art will appreciate that
the inventive system can be implemented such that the encrypted
biometric data is transmitted from a first PDA 20 and the encrypted
encryption key or other information is sent to a second mobile unit
or over a network to a second server or network of devices.
[0025] Returning to FIG. 2, on receipt of the encrypted encryption
key from the server subsystem 40 via the antenna 24 and the
wireless transceiver 22, the mobile unit CPU 26 decrypts the
encrypted key using the resident software and/or hardware
decryption facility 30 and 32, respectively. The decrypted
encryption key is then used by the CPU 26 to access a secure
device. In an illustrative embodiment, the secure device is an
encrypted database 34 mounted on the mobile unit. Those skilled in
the art will appreciate that the secure device need not be mounted
on the mobile unit 20. As an alternative, the secure device may be
coupled to the mobile unit via the wireless link.
[0026] In any event, the secure device, i.e., database 34, has two
modes of operation: a first locked mode by which access thereto is
prohibited and a second unlocked mode by which access thereto is
enabled on receipt of the decrypted encryption key. For optimal
security, the decryption key for the encrypted database 34 should
not be stored on the mobile unit. On receipt of the decrypted
decryption key, a working copy 36 of the encrypted database 34 is
created.
[0027] FIG. 4 is a flow diagram illustrative of a method for secure
biometric identification implemented in accordance with the
teachings of the present invention. As shown in FIGS. 2, 3 and 4
when a user in possession of the mobile unit 20 wishes to access
the secure device 34, he/she places a finger on the fingerprint
sensor 28 and starts the access control program 100.
[0028] At step 104, the CPU 26 running the access control software
30 scans the fingerprint from sensor 28 and, at step 106, encrypts
it with the public key of the authentication server 40 by using the
encryption software or hardware 30, 32.
[0029] At step 108, the resulting encrypted message is sent to the
server 40 via the transceiver 22 and antenna 24 on the mobile unit
20 and the antenna 42 and transceiver 44 of the server 40. As
mentioned above, as an alternative, the encrypted fingerprint is
sent via the access point 60 and local or wide-area network 59 when
the server 40 is not within direct radio range of the mobile unit
20.
[0030] At step 110, when the authentication request is received at
the server 40, the server CPU 50 decrypts the message using its
secret key and the encryption hardware and/or software 46 and 48,
respectively.
[0031] At step 112, the CPU 50 then utilizes the fingerprint match
software 52 to compare the decrypted fingerprint to the database of
authorized fingerprints 54 to determine if the request is
valid.
[0032] If the request is valid, then, at step 114, the decryption
key for the user's encrypted database 34 (FIG. 2) is retrieved from
the key database 56 (FIG. 3).
[0033] At step 116, the key is encrypted via the encryption
hardware or software 46, 48 (FIG. 3) and, at step 118, sent back to
the mobile unit 20 via the same path from which the request was
originally received.
[0034] At the mobile unit 20, at steps 122 and 124, the key is
received and decrypted.
[0035] At step 126, the retrieved key is used to make a temporary
working copy 36 of the encrypted database 34.
[0036] At step 128 this temporary copy 36 is either read or edited.
If edited, then at step 130 the edited working copy is deleted or
rewritten to encrypted form as soon as the user completes his
operation.
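The exchange of FIG. 4 (steps 104 through 126) can be sketched in Ruby as follows. This is an added example, not code from the patent or its assignee. Its assumptions: RSA-OAEP in both directions with the mobile unit holding its own key pair, AES-256-GCM as the database cipher, exact byte comparison in place of real fingerprint matching, and the hypothetical names AuthServer, MobileUnit, seal_db, open_db and demo_system.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# AES-256-GCM is this example's assumption; the patent does not name the database cipher.
def seal_db(key, plain)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  { iv: iv, data: c.update(plain) + c.final, tag: c.auth_tag }
end

def open_db(key, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob[:iv]
  d.auth_tag = blob[:tag]
  d.auth_data = ''
  d.update(blob[:data]) + d.final
end

# Server subsystem 40: private key, fingerprint database 54, key database 56.
class AuthServer
  attr_reader :public_key
  def initialize(prints, db_keys)
    @rsa = OpenSSL::PKey::RSA.new(2048)
    @public_key = @rsa.public_key
    @prints = prints   # user => enrolled template
    @db_keys = db_keys # user => database decryption key
  end

  # Steps 110-116: decrypt, match, wrap the user's key; nil means no key is released.
  def authenticate(request, mobile_pub)
    scan = @rsa.private_decrypt(request, OAEP)
    user, = @prints.find { |_, enrolled| enrolled == scan } # stand-in for software 52
    user && mobile_pub.public_encrypt(@db_keys.fetch(user), OAEP)
  rescue OpenSSL::PKey::PKeyError
    nil
  end
end

# Mobile unit 20: holds its key pair and ciphertext (database 34), never the database key.
class MobileUnit
  def initialize(server, enc_db)
    @rsa = OpenSSL::PKey::RSA.new(2048)
    @server = server
    @enc_db = enc_db
  end

  # Steps 104-126: returns working copy 36, or nil while the database stays locked.
  def unlock(scan)
    request = @server.public_key.public_encrypt(scan, OAEP)  # step 106
    wrapped = @server.authenticate(request, @rsa.public_key) # steps 108-118
    wrapped && open_db(@rsa.private_decrypt(wrapped, OAEP), @enc_db)
  end
end

# Constructed sample state: one enrolled user and a small encrypted database.
def demo_system
  db_key = OpenSSL::Random.random_bytes(32)
  server = AuthServer.new({ 'alice' => 'constructed-template-A' }, { 'alice' => db_key })
  MobileUnit.new(server, seal_db(db_key, 'constructed contact records'))
end
```

Calling `demo_system.unlock('constructed-template-A')` returns the plaintext records, while any other scan returns nil because the server never releases the key.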
[0037] Thus, the present invention has been described herein with
reference to a particular embodiment for a particular application.
Those having ordinary skill in the art and access to the present
teachings will recognize additional modifications, applications, and
embodiments within the scope thereof.
[0038] It is therefore intended by the appended claims to cover any
and all such applications, modifications and embodiments within the
scope of the present invention.
[0039] Accordingly,
* * * * *