EP1036372A1 - Remotely accessible private space using a fingerprint - Google Patents

Remotely accessible private space using a fingerprint

Info

Publication number
EP1036372A1
Authority
EP
European Patent Office
Prior art keywords
user
fingerprint
private space
private
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP98965955A
Other languages
German (de)
English (en)
Inventor
Vance Bjorn
Fabio Righi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cross Match Holdings Inc
Original Assignee
Digital Persona Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Persona Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/30 Individual registration on entry or exit not involving the use of a pass
    • G07C9/32 Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • G07C9/37 Individual registration on entry or exit not involving the use of a pass in combination with an identity check using biometric data, e.g. fingerprints, iris scans or voice recognition
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present invention relates to biometrics, and more specifically, to accessing remote networks using biometric verification of identity.
  • a virtual private network is constructed by using public wires, such as the Internet, to connect nodes.
  • These systems use encryption to ensure that only authorized users can access the network and that the data cannot be intercepted. However, encryption is only as safe as the storage of the keys.
  • a private space is set up in a remote system accessible through a network.
  • a user identification based on the user's fingerprint is associated with the private space.
  • Fingerprint information is received from the user to access the space, and compared to the user identification stored in the remote system.
  • the private space is only accessible if the fingerprint information matches the user identification.
  • FIG. 1 is an illustration of the network on which the present invention may be implemented.
  • Figure 2 illustrates the remote system including the private area that may be accessed.
  • Figure 3 illustrates the local system that is used to access the private area.
  • Figure 4 is a flowchart illustrating the process of creating the private space.
  • Figure 5 is a flowchart illustrating the process of logging into the private space.
  • Figure 6 is a flowchart illustrating another embodiment of the registration process.
  • Figure 7 is a flowchart illustrating another embodiment of the process of logging into a private space.
  • Figure 1 illustrates a network in which the present invention may be utilized.
  • Sensor 130 is coupled to local system 120.
  • Local system 120 is enabled to connect to a network 130, which couples a plurality of systems 140, 150, 160 together.
  • the network 130 is the Internet.
  • a remote system 140 contains the private area that the local system 120 is trying to connect to. Other systems 150, 160 may be accessed through the network as well. Because the network 130 is not secure, the security mechanism described below is used to restrict access to the private area.
  • Figure 2 illustrates the remote system including the private area that may be accessed.
  • the remote system 140 includes a system area 210, which may store the operating system, various application programs, and other files.
  • the remote system 140 further includes a network access unit 220.
  • the remote system 140 has a semi-permanent network connection, such as Ethernet, ISDN, T1, or similar connection.
  • the remote system 140 may be connected to the network 130 via a modem.
  • the remote system 140 further may include a fingerprint recognition unit 230.
  • the fingerprint recognition unit matches a template stored within the remote system 140 to a fingerprint received from a user.
  • the matching may use any matching algorithm known in the art.
  • no fingerprint recognition unit is included in the remote system 140.
  • the remote system may further include an encryption unit 240.
  • the encryption unit 240 encrypts and decrypts using public and private keys.
  • the encryption unit 240 retrieves a public key stored with the user data 260, in order to verify the identity of the user by decrypting a file encrypted with the user's private key.
  • the encryption unit further includes the private and public keys of the remote system 140.
  • the remote system further includes an access control unit 250.
  • the access control unit 250 controls access to the user data 260.
  • the access control unit 250 receives indication from the fingerprint recognition unit 230 whether the template matched the fingerprint sent by the user.
  • the identity verification unit 250 receives indication from the encryption unit 240 whether the public key decrypted the file sent by the user encrypted with the user's fingerprint based private key.
  • the access control unit 250 only permits access to the user data 260 when a match was found.
  • the user data 260 may be actual data, various application programs, or anything that the user may have access to.
  • the user data 260 may include the operating system of the computer. That is, the user may remotely adjust the operation of the remote system 140.
  • multiple users may have private areas within the same user data block 260. Each user is permitted access only to his or her private area.
  • FIG. 3 illustrates the local system that is used to access the private area.
  • the local system 110 includes a system area 310, which may store the operating system, various application programs, and other files.
  • the local system 110 further includes a network access unit 320.
  • the network access unit 320 provides a network connection such as Ethernet, ISDN, T1, etc.
  • the network access unit 320 may provide a network connection via a modem.
  • the local system 110 may further include a scanner interface 330.
  • the scanner 120 is coupled to the local system 110.
  • the scanner interface 330 receives a digitized fingerprint image from the scanner.
  • the scanner interface 330 may further extract a template from the digitized fingerprint image.
  • the local system may further include an encryption unit 340.
  • the encryption unit 340 encrypts and decrypts using public and private keys.
  • the encryption unit generates the private and public keys of the user from the fingerprint data received by the scanner interface 330.
  • the encryption unit 340 generates a fingerprint template from the fingerprint data received by the scanner interface 330. This fingerprint template is sent to the remote system 140.
  • Figure 4 is a flowchart illustrating the process of creating the private space.
  • the remote access system is set up. For one embodiment, this includes adding server software to the remote system.
  • the remote system receives a fingerprint template from the user.
  • the remote system receives an actual digital image of the fingerprint.
  • the remote system receives a template including extracted features of the fingerprint.
  • the remote system receives other data representing various characteristics of the fingerprint.
  • This fingerprint template is received either locally, or remotely with validation.
  • the user may set up the private space locally, for remote access.
  • validation may be a digital certificate, or an encryption verification method. Since the private space at this point does not contain any data, the security of this step is not vital.
  • private space is allocated to the user.
  • actual space is allocated to the user.
  • flexible allocation may be made, permitting the user to store varied amounts of data, and reallocating space as needed. However, this establishes an area for the user's data.
  • the fingerprint template is stored within the remote system to control access to the private space.
  • the template is stored in the access control unit 250 of the remote system.
  • the access control unit 250 is enabled, and access to the private space is routed through the access control unit 250. At this point, the user needs to be validated in order to access the private space.
  • Figure 5 is a flowchart illustrating the process of logging into the private space.
  • the remote system receives an access request.
  • the user may request access by entering the remote system's IP address into a web browser.
  • the remote system responds with a request for validation.
  • the request for validation may specifically request a fingerprint.
  • the user now has to place his or her finger on the fingerprint scanner 120 attached to the user's local system. This fingerprint information is transmitted to the remote system.
  • the fingerprint information is received by the remote system.
  • the fingerprint information is a digital image of the fingerprint.
  • the fingerprint information may be a list of extracted features of the fingerprint, or other data. Some of the processing for creating this information may occur in the user's local system.
  • the fingerprint information is compared with the fingerprint template associated with the private space. For one embodiment, if there are multiple private spaces within the remote system, the user requests his or her own private space by entering a handle or name. For another embodiment, the user merely attempts to access the remote system, and the matching is to all fingerprint templates within the remote system.
  • the fingerprint recognition unit 230 of the remote system manipulates the data of the fingerprint image and the fingerprint template to be in the same format. If the information does not match the template, the process continues to block 560, and the user is denied access to the private space. If the information matches the template, the process continues to block 570, and the user is allowed access to the private space. For one embodiment, after the user is allowed access, a one-time session key is exchanged with the user for further verification during the access period. For another embodiment, the remote system periodically challenges the user's local system for re-verification.
  • Figure 6 illustrates another embodiment of the registration process.
  • the remote access system is set up.
  • the remote system receives a digital certificate of the user.
  • Digital certificates are known in the art. They are used to verify the identity of a user.
  • the digital certificate includes the public key of the user. This public key is generated based on the fingerprint of the user.
  • the public key of the user is extracted from the digital certificate. For one embodiment, this involves decrypting the digital certificate with the certifying authority's public key.
  • the public key of the user is verified. For one embodiment, this is done by receiving a file encrypted with the private key that corresponds to the public key of the user. Decrypting this file with the user's public key verifies that the user is in fact associated with the public key included in the digital certificate. Because the private key is generated based on an actual fingerprint image of the user, the user's identity is also verified.
  • the user's public key is stored in the system. And at block 660, space is allocated for the user.
  • Figure 7 is a flowchart illustrating the process of logging into the private space.
  • the remote system receives a request for access to the private space.
  • the remote system sends a request for a file encrypted with the user's private key.
  • the private key is fingerprint based, and therefore also verifies that the actual user associated with the private key is sitting in front of the computer system.
  • the remote system receives the file encrypted with the fingerprint based private key.
  • the remote system retrieves the public key associated with the user, and attempts to decrypt the file sent by the user.
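
The Figure 7 login above is a challenge-response exchange gated by the access control unit. The sketch below is an added example, not code from the patent: the `RemoteSystem` class, the handle names, and the toy RSA key built from two public Mersenne primes are assumptions, and fingerprint-based key generation is not modeled. It issues a fresh random file per attempt so that a captured response cannot be replayed.

```python
import hashlib
import secrets

# Constructed demonstration key: two publicly known Mersenne primes.
# Textbook RSA without padding, used only to show the message flow.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the local system


def _digest(data: bytes) -> int:
    """SHA-256 of the challenge file as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def local_sign(challenge: bytes, d: int = D, n: int = N) -> int:
    """Local system: 'encrypt' the challenge file with the user's private key."""
    return pow(_digest(challenge), d, n)


class RemoteSystem:
    """Remote system: stores public keys and gates each private space."""

    def __init__(self):
        self._public_keys = {}    # handle -> (n, e), stored at registration
        self._private_space = {}  # handle -> user data
        self._pending = {}        # handle -> outstanding one-time challenge

    def register(self, handle, public_key, data):
        self._public_keys[handle] = public_key
        self._private_space[handle] = data

    def request_access(self, handle):
        """Answer an access request with a fresh random file to be encrypted."""
        if handle not in self._public_keys:
            return None
        challenge = secrets.token_bytes(32)
        self._pending[handle] = challenge
        return challenge

    def login(self, handle, response):
        """Release user data only if the response decrypts to the challenge."""
        challenge = self._pending.pop(handle, None)  # each challenge is single use
        if challenge is None:
            return None
        n, e = self._public_keys[handle]
        if not isinstance(response, int) or not 0 < response < n:
            return None
        # "Decrypt" with the stored public key and compare with what was sent.
        if pow(response, e, n) != _digest(challenge):
            return None
        return self._private_space[handle]


def demo():
    remote = RemoteSystem()
    remote.register("alice", (N, E), "alice-private-files")  # constructed data

    first_challenge = remote.request_access("alice")
    response = local_sign(first_challenge)
    granted = remote.login("alice", response)

    # The same response replayed against a new challenge must be refused.
    remote.request_access("alice")
    replayed = remote.login("alice", response)

    # A response sent with no outstanding challenge must also be refused.
    unsolicited = remote.login("alice", response)
    return granted, replayed, unsolicited


if __name__ == "__main__":
    print(demo())
```
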


Abstract

The invention relates to a method and an apparatus for remotely accessing a private space (140). This space (140) is set up in a remote system (140) accessible through a network (130). A user identification based on the user's fingerprint is associated with this private space. Fingerprint information is received from the user (420) wishing to access the space, and compared to the user identification stored in the remote system (440). The private space is accessible only if the fingerprint information matches the user identification (450).
EP98965955A 1997-11-14 1998-11-10 Remotely accessible private space using a fingerprint Withdrawn EP1036372A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US97034197A 1997-11-14 1997-11-14
PCT/US1998/023802 WO1999026188A1 (fr) 1997-11-14 1998-11-10 Remotely accessible private space using a fingerprint
US970341 2001-10-03

Publications (1)

Publication Number Publication Date
EP1036372A1 (fr) 2000-09-20

Family

ID=25516800

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98965955A Withdrawn EP1036372A1 (fr) 1997-11-14 1998-11-10 Remotely accessible private space using a fingerprint

Country Status (6)

Country Link
EP (1) EP1036372A1 (fr)
JP (1) JP2001523903A (fr)
KR (1) KR20010052103A (fr)
CN (1) CN1291313A (fr)
AU (1) AU2196899A (fr)
WO (1) WO1999026188A1 (fr)


Also Published As

Publication number Publication date
CN1291313A (zh) 2001-04-11
KR20010052103A (ko) 2001-06-25
JP2001523903A (ja) 2001-11-27
WO1999026188A1 (fr) 1999-05-27
AU2196899A (en) 1999-06-07


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20000603

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE GB

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20020601