CH716288A2 - Process for processing biometric data of an individual, with phases of calibration and control and registration, in a blockchain, subject to geolocation, of an analysis result. - Google Patents

Abstract

The invention relates to a method for processing the biometric data of an individual, from an issuer (E2) connected to a peer-to-peer network on which a blockchain is deployed, this method comprising the prior distribution, on the network, of an encrypted container (22) containing reference biometric data (15) then, subsequently, and subject to geolocation, the comparison of data (27) scanned at the level of the transmitter (E2) with the data ( 15) reference contained in the encrypted container (22); the result of the comparison is entered in the blockchain.

Description

TECHNICAL AREA

The invention relates to the field of computing, and more specifically to the processing of the biometric data of an individual.

PRIOR ART

[0002] The biometric data of individuals (typically a fingerprint or of the palm, a retinal or iris print, the venous network of the hand, an image of the face), tend to become generalized as data of authentication, in particular for the use of access control systems to a physical (eg local, safe) or virtual environment (typically a session on a computer, tablet or even a smartphone).

[0003] Conventionally, reference biometric data, captured during a setting session, are stored in a database, then, on request, are called to be compared with instantaneous biometric data, captured locally from a terminal on an individual wishing to access a given environment.

[0004] When several individuals ("users") are presumed authorized to access the same environment, a conventional technique consists in memorizing, in the database, as many biometric data as there are individuals benefiting from an access authorization. .

In a first version, called local, the database is local, that is to say it is stored in a memory space equipping the (or directly connected to) the terminal from which the capture is performed . This technique may seem immune to intrusions (and therefore identity theft) due to its local nature, but it is most often necessary to provide network access to the database, for administration purposes ( including adding or removing users, resulting in the database being hacked.

[0006] In a second version, called delocalized, the database is stored in a memory space reserved in a remote server to which, at each request by a user, the terminal connects to compare the biometric data captured with the reference biometric data .

This second version has the advantage of allowing remote administration of the authorizations associated with the users. However, it is based, on the one hand, on the IT security policy to which the remote server on which the database is stored is subject; on the other hand, on the trust that can be granted to the administrator of said server.

[0008] There are also many services for which the biometric data of individuals are stored on remote servers to be used as a means of authentication on user accounts.

[0009] In all cases, it is never certain that the biometric data of users are protected from intrusions, copying, possible commercial exploitation, or even erasure.

[0010] There is therefore a need to improve the confidentiality with which the biometric data of individuals are processed.

SUMMARY OF THE INVENTION

A method is proposed for processing the biometric data of an individual, from a computer processing unit, called the transmitter, connected or integrated into a peer-to-peer network composed of a plurality of nodes forming a distributed database on which is stored, by replication on each node, a chain of blocks, this method comprising: <tb> <SEP> A) A calibration phase, which includes the following operations: <tb><SEP> <SEP> - Using a capture device, carry out a first capture of biometric data, called reference, of the individual at the level of a limb or an organ thereof ; <tb><SEP> <SEP> - Encrypt the biometric data resulting from this first capture to form an encrypted container of biometric data; <tb><SEP> <SEP> - Store separately the encrypted container of biometric data and a cryptographic decryption key thereof; <tb><SEP> <SEP> - Enter, in a block of the blockchain, a transaction containing a trace of this capture and / or this storage; <tb> <SEP> B) A control phase, which includes the following operations: <tb><SEP> <SEP> - Establish a communication session between the transmitter and the network; <tb><SEP> <SEP> - Select a so-called computing node from the network, equipped with a processing unit in which an execution environment secured by cryptography, called an enclave, is implemented; <tb><SEP> <SEP> - Instantiate the enclave; <tb><SEP> <SEP> - Using a capture device fitted to or connected to the transmitter, capture the biometric data of the individual at the level of a limb or organ of this individual ; <tb><SEP> <SEP> - Load the captured biometric data into the enclave, via a secure communication line; <tb><SEP> <SEP> - Using a geolocation beacon fitted to or linked to the transmitter, edit instantaneous geolocation data; <tb><SEP> <SEP> - Load into the enclave, via a secure communication line, the instantaneous geolocation data; <tb><SEP> <SEP> - Select from the network a storage node on which is stored a copy of the encrypted container containing the reference biometric data; <tb><SEP> <SEP> - Load the encrypted container into the enclave; <tb><SEP> <SEP> - Decrypt the reference biometric data in the enclave, using a decryption key associated with the encrypted container; <tb><SEP> <SEP> - In the enclave, compare the captured biometric data and the reference data, and check if the instantaneous geolocation data satisfies a predefined geolocation condition; <tb><SEP> <SEP> - Write in a block of the blockchain a transaction including a trace of the result of the comparison and a trace of the result of the check.

[0012] According to a preferred embodiment, the calibration phase comprises the following operations: Fragment the cryptographic decryption key; Designate, among the network, a group of storage nodes equal in number to the fragments; Distribute each fragment of the decryption cryptographic key to a storage node, with each storage node receiving a unique fragment.

[0013] In this case, the control phase advantageously comprises the following operations: <tb> <SEP> - From the compute node enclave, select from the network of nodes on which fragments of the cryptographic decryption key associated with the container are stored; <tb> <SEP> - Load said fragments into the compute node enclave; <tb> <SEP> - In the enclave: <tb><SEP> <SEP> o Reconstitute the cryptographic decryption key associated with the container, from the fragments thus loaded; <tb><SEP> <SEP> o Decrypt the biometric data of the container using the key thus reconstituted.

BRIEF DESCRIPTION OF THE FIGURES

[0014] Other objects and advantages of the invention will appear in the light of the description of an embodiment, given below with reference to the accompanying drawings in which: <tb> <SEP> LaFIG.1 is a simplified block diagram illustrating a peer-to-peer network on which a chain of blocks is distributed; <tb> <SEP> LaFIG.2 is a simplified functional diagram illustrating different components of a computer processing unit involved in the creation and operation of a secure execution environment called an enclave; <tb> <SEP> LaFIG.3 is a functional diagram partly illustrating a network architecture, partly the steps of a calibration phase, and partly the files produced, exchanged or stored within the network for the needs (or application) of this phase; <tb> <SEP> LaFIG.4 is a functional diagram illustrating steps of a process for processing the biometric data of an individual; <tb> <SEP> TheFIG.5 is a functional diagram illustrating, in the extension of that of theFIG.4, additional steps of the treatment process.

DETAILED DESCRIPTION OF THE INVENTION

The proposed method aims to treat, in a confidential manner, the biometric data of an individual.

Without being limited thereto, the proposed treatment method exploits, by combining them, the functionalities offered by two relatively recent technologies of which it seems useful to make a preliminary description before going into the details of the method, namely: Blockchain technology or, in Anglo-Saxon terminology, blockchain (in what follows, Anglo-Saxon terminology will be preferred, because of its common use in most languages, including French); The technology of the secure execution environment or, in English terminology, of the trusted execution environment (TEE).

[0017] Blockchain technology is organized in layers. She understands : A layer of hardware infrastructure, called a “blockchain network”; A protocol layer called the “blockchain protocol”; An information layer, called the “blockchain register”.

The blockchain network is a decentralized computer network, called a peer-to-peer network (in Peer-to-Peer or P2P terminology), made up of a plurality of computers (in the functional sense of the term: it is a device provided with a programmable computer processing unit, which can be in the form of a smartphone, a tablet, a desktop computer, a workstation, a physical or virtual server, i.e. computing and memory space allocated within a physical server and on which an operating system or operating system emulation runs), called "nodes" with reference to the theory of graphs, capable of communicating with each other (ie exchanging computer data), two by two, by means of wired or wireless links.

A network1blockchain comprising nodes2communicating by links3is illustrated in theFIG.1. For the sake of simplification and conformity with graph theory, on FIG.1, the nodes2 of the network1 are represented by circles; the bonds3, by edges connecting the circles. In order not to overload the drawing with lines, only certain links3 between nodes2 are shown.

[0020] The nodes2 can be scattered over large geographic regions; they can also be grouped into smaller geographic regions.

The blockchain protocol is in the form of a computer program implemented in each node2 of the network1 blockchain, and which includes, in addition to dialogue functions - that is to say exchange of computer data - with the other nodes2 of the network1 , a calculation algorithm which, from input data called "transactions" (which are transcriptions of interactions between one or more transmitting computer terminals and one or more recipient computer terminals): <tb> <SEP> - Builds structured data files4 called "blocks", each block4 including a body4containing digital transaction fingerprints, and a header4Bcontaining: <tb><SEP> <SEP> o A sequence number, or row, or height (height in English), in the form of an integer which designates the position of block4 within a chain in the order growing from an initial block (Genesis block); <tb><SEP> <SEP> o A unique digital fingerprint of body4A data; <tb><SEP> <SEP> o A unique digital fingerprint, called a pointer, of the header of the previous block4, <tb><SEP> <SEP> o A timestamp data; <tb> <SEP> - Implements a mechanism for validating blocks4 by consensus between all or part of the nodes2; <tb> <SEP> - Concatenates validated blocks4 to form a register5 (the blockchain register) in the form of an aggregate in which each block4 is mathematically linked to the previous one by its pointer.

The slightest modification of the data of the body4Aou of the header4B of a bloc4affects the value of its digital fingerprint and consequently breaks the existing link between this bloc4 thus modified and the next bloc4 whose pointer no longer corresponds.

[0023] According to a particular embodiment, the digital fingerprint of each bloc4 is a digest (or hash) of the data of bloc4, that is to say the result of a hash function applied to the data of block4 (including body4A and header4B except for the digital fingerprint itself). The hash function is typically SHA-256.

For a bloc4donné of rank N (N an integer), the pointer ensures with the bloc4précè of rank N-1 an unalterable link. Indeed, any modification of the data of block4 of rank N-1 would lead to the modification of its fingerprint, and therefore to a lack of correspondence between this (modified) fingerprint of block4 of rank N-1 and the pointer stored among the metadata of block4 of rank NOT.

The succession of blocks4 linked together two by two by correspondence of the pointer of a bloc4donné of rank N with the digital imprint of the previous block of rank N-1 therefore constitutes the register5blockchain in the form of an aggregate of correlated blocks4, in which the slightest modification of the data of a block4 of rank N-1 results in a breaking of the link with the following block4 of rank N - and therefore the breaking of the blockchain register.

It is this particular structure which gives the data contained in the register5blockchain a reputation for immutability, guaranteed by the fact that the register5blockchain is replicated on all the nodes2 of the network1, forcing any attacker, not only to modify all the blocks4 of rank greater than the modified block4, but to deploy these modifications (even though the register5blockchain continues to be constituted by the nodes2 applying the blockchain protocol) to all the nodes2.

Whatever the type of consensus applied by the block validation mechanism4, most blockchain technologies have the primary function of recording, in their blockchain ledger5, transactions between one or more issuing terminals, and one or more receiving terminals, interchangeably called "users".

Each user is associated with an account, called in a simplified manner "electronic wallet" (in English digital wallet), which contains a memory area and a programmatic interface having interaction functions with the 1blockchain network to submit transactions to it, and synchronization functions with the 5blockchain register to register, in the memory area, the transactions validated by registration in the 5blockchain register.

[0029] Unless otherwise stated, and for the sake of simplicity, the simple expression "blockchain" or "blockchain" designates the register5blockchain itself.

Some recent blockchain technologies (Ethereum, typically) add to the three hardware (blockchain network), protocol (blockchain protocol) and informational (blockchain register) layers an application layer which is in the form of a development environment for programming applications, called “smart contracts”, which can be deployed on the ledger5blockchain from nodes2.

The technology of smart contracts is now briefly described.

[0032] A smart contract comprises two elements: An account, called a “Contract account”, in the memory area of which is written a source code containing computer instructions implementing the functions assigned to the smart contract; An executable code (in English Executable Bytecode) resulting from a compilation of the source code, this executable code being stored or deployed within the register5blockchain, that is to say inserted as a transaction in a block4 of the register5blockchain.

In the blockchain technology offered by Ethereum, a smart contract is activated by a call (in English Call) sent by another account, said initiator account (which can be a user account or a contract account), this call is presenting in the form of a transaction containing, on the one hand, a reserve fund to be transferred (i.e. a payment) from the initiating account to the contract account and, on the other hand, initial conditions.

This call is recorded as a transaction in the register5blockchain. It triggers: The transfer of the reserve fund from the initiating account to the contract account; The designation, among the network1blockchain, of an execution node associated with a user account; The activation, in a computer processing unit of the execution node, of an execution environment or virtual machine (called Ethereum Virtual Machine or EVM in the case of Ethereum); The step-by-step execution of the steps for calculating the executable code by the virtual machine from the initial conditions, each step of calculation being accompanied by a transfer of a fraction (called gas in the case of Ethereum) of the reserve fund from the contract account to the user account of the execution node, until the calculation steps are exhausted, at the end of which a result is obtained; The entry (possibly in the form of a digital fingerprint) of this result as a transaction in the ledger5blockchain.

The initiating account retrieves (that is to say, in practice, downloads) the result when it is synchronized with the register5blockchain.

We now briefly introduce the secure execution environments.

A secure execution environment (Trusted execution environment or TEE) is, within a computer processing unit provided with a processor or CPU (Central Processing Unit) 7, a temporary computing and data storage space. , called (by convention) an enclave, or even cryptographic enclave, which is isolated, by cryptographic means, from any unauthorized action resulting from the execution of an application outside this space, typically the operating system.

[0038] Intel®, for example, from 2013 revised the structure and interfaces of its processors to include enclave functions, under the name Software Guard Extension, better known by the acronym SGX. SGX equips most of the XX86 type processors marketed by Intel® since 2015, and more specifically from the sixth generation incorporating the so-called Skylake microarchitecture. The enclave functions offered by SGX are not automatically accessible: they must be activated via the elementary input / output system (Basic Input Output System or BIOS).

It does not come within the requirements of the present description to detail the architecture of the enclaves, insofar as: Despite its relative youth, this architecture is relatively well documented, in particular by Intel® which has filed numerous patents, cf. e.g., among the most recent, the US patent application US 2019/0058696; Processors making it possible to implement them are available on the market - in particular the aforementioned Intel® processors; Only the functionalities allowed by the enclave are of interest to us here, these functionalities being able to be implemented via specific command lines. As such, those skilled in the art may refer to the guide published in 2016 by Intel®: Software Guard Extensions, Developer Guide.

For a more accessible description of the enclaves, and more particularly of Intel® SGX, those skilled in the art can also refer to A. Adamski, Overview of Intel SGX - Part 1, SGX Internal, or to D. Boneh , Nickaming Schemes, Fast Verification, and Applications to SGX Technology, in Topics in Cryptology, CT - RSA 2017, The Cryptographers' Track at the RSA Conférence 2017, San Francisco, CA, USA, Feb. 14-17, 2017, Proceedings, pp. 149-164, or to K. Severinsen, Secure Programming with Intel SGX and Novel Applications, Thesis submitted for the Degree of Master in Programming and Networks, Dept. Of Informatics, Faculty of Mathematics and Natural Science, University of Oslo, Autumn 2017.

To summarize, with reference to theFIG.2, an enclave8includes, first of all, a secure memory zone9 (called Enclave Page Cache, in English Enclave Page Cache or EPC), which contains code and data relating to the 'enclave itself, and whose content is encrypted and decrypted in real time by a dedicated chip called the Memory Encryption Engine (MEE). The EPC9 is implemented within a part of the dynamic random access memory (DRAM) 10 allocated to the processor7, and to which ordinary applications (in particular the operating system) do not have access.

[0042] The enclave8 comprises, secondly, cryptographic keys used to encrypt or sign on the fly the data leaving the EPC9, whereby the enclave8 can be identified (in particular by other enclaves), and the The data it generates can be encrypted to be stored in unprotected memory areas (i.e. outside of the EPC9).

In order to be able to use such an enclave8, an application11 must be segmented into, on the one hand, one or more unsecured parts12 (in English untrusted part (s)), and, on the other hand, one or more secure parts13 (in English trusted part (s)).

Only the processes induced by the secure part (s) 13 of the application11 can access the enclave8. The processes induced by the unsecured part (s) 12 cannot access the enclave8, i.e. they cannot dialogue with the processes induced by the part (s) (s) 13secure (s).

The creation (also called instantiation) of the enclave8 and the flow of processes within it are controlled via a set14d'instructions particular executable by the processor7et called by the part (s) 13secure (s) of the application11.

Among these instructions: ECREATE commands the creation of an enclave8; EINIT commands the initialization of the enclave8; EADD commands code loading into the enclave8; EENTER commands code execution in the enclave8; ERESUME commands a new execution of code in the enclave8; EEXIT controls the exit of enclave8, typically at the end of a process running in enclave8.

We have, on laFIG.2, functionally represented the enclave8sous in the form of a block (in dotted lines) including the secure part13 of the application11, the set14d'instructions of the processor7, and the EPC9. This representation is not realistic; it simply aims to visually group together the elements that make up or exploit the enclave8.

We will explain below how the enclaves are exploited.

The proposed method aims to perform decentralized processing of biometric data of an individual natural person. This treatment consists of two phases: A preliminary phase of calibration; A control phase.

We first describe the calibration phase, which aims to develop reference biometric data of the individual, from a first computer processing unit (eg equipping a fixed or portable personal computer, a tablet , a smartphone, or even an access control device), connected or integrated into the 1blockchain network and called the "first transmitter". In FIG. 3, the first transmitter E1 is in the form of a smartphone. This embodiment is purely illustrative.

To this end, the first transmitter E1 is equipped with (or connected to) a biometric capture device or scanner. The scanner16 is configured to capture the user's biometric reference data at a limb (e.g. one or more finger (s), hand) or organ (e.g. eye, face , an ear, part of the venous network) of this user.

These reference biometric data are intended to be stored not locally in the first transmitterE1, but on the network1blockchain. Indeed, the nodes2 of the blockchain network are all equipped with memory areas, these can be used as storage space for the reference biometric data. To minimize the risk of data loss15, it is advantageous to perform a replication of the data, that is to say to make a copy of the data15, and to distribute a copy to several nodes2 of the blockchain network. Data traceability15 can be achieved by entering, in the blockchain register, one or more traces (or digital fingerprints) of the memorizations thus carried out.

This distributed storage of data15est advantageously controlled by a smart contract, activated for example by the first transmitterE1 which, while transmitting the data15 to be stored to the network1, transmits to the smart contract a call by the procedure described above.

However, if the replication of data15 within the network1blockchain solves the problem of the sustainability of the data15, it does not solve the problem of their confidentiality.

It is therefore proposed to distribute on the network1not only the data15 (in encrypted form), but also a decryption key thereof, via an enclave8instantiated on a node2E, called entry node, of the network1 (FIG. 3).

To this end, a first preliminary operation consists, at the level of the first transmitterE1, in carrying out, by means of its scanner16, a capture of the biometric data15 of the individual, then considered as reference data. In the example illustrated, these reference biometric data come from a fingerprint.

A second preliminary operation consists in transmitting, from the first transmitter E1, a request to store data 15 to the network 1.

On receipt of the storage request by at least one node2du network1, it is selected, within network1, at least one input node2E, equipped with a computer processing unit in which an enclave8 is implemented.

This enclave8est then instantiated, and the reference biometric data are loaded into it from the first transmitterE1 via a secure communication line (eg using the Transport Layer Security or TLS protocol). For this purpose, the enclave8 can be provided, as soon as it is instantiated, with a communication interface 18 emulation supporting the chosen protocol (here TLS) for the exchange of secure data.

The blockchain protocol is advantageously loaded into the enclave8, to form a module19blockchain able to query the register5blockchain and / or to participate in the process of creation and validation of the blocks4.

A transaction20containing a digital imprint of the data loading thus carried out is recorded in a bloc4de the blockchain5, for the purposes of traceability.

This transaction20 can be transmitted to the module19blockchain by the first senderE1, to be registered by one or more nodes2 of the network (by the process described above) in a new block4 of the register5blockchain. As a variant, the module19blockchain itself issues a transaction20for registration in a new block4.

In the enclave8se then takes place a process which comprises the following operations.

A first operation consists in encrypting the data15 by means of a cryptographic encryption key21 to form an encrypted container22, by associating it with a cryptographic decryption key. To this end, the data 15 received from the first transmitter E1 are relayed by the communication interface 18 to an encryption module 24 implemented in the enclave 8.

According to a preferred embodiment, the encryption is symmetrical. In this case, the encryption key21 and the decryption key23 are one and the same key.

A second operation consists in fragmenting the decryption key. More precisely, the decryption key 23 is fragmented into a predetermined number N of fragments 23.i, (i an integer, 2≤i≤N).

According to a preferred embodiment, N is such that N> 3 and the fragmentation is carried out in application of Shamir's rules (known as Shamir's Secret Sharing, in English Shamir's Secret Sharing), and more precisely of the threshold diagram , where a predetermined integer K (1 <K <N) is chosen such that a number K of fragments23.isont sufficient to reconstitute the decryption key23.

A third operation consists in designating, among the network1, one or more primary storage nodes2.

To this end, the enclave8est advantageously provided with a data distribution module25, to which the encryption module24 communicates the encrypted container22 for distribution to the primary storage nodes2.

A fourth operation consists in designating, among the network1, a group of several secondary storage nodes2B, in number N equal to the number of fragments23.ide the decryption key23.

These secondary storage nodes 2B are preferably distinct from the primary storage nodes 2 - in other words, the primary storage nodes 2 and the secondary storage nodes 2 B form two disjoint groups (shown in dotted lines in FIG. 3).

A fifth operation consists in distributing the encrypted container22 to the primary storage node or nodes.

A sixth operation consists in distributing the fragments23.ide the cryptographic decryption key23 to the secondary storage nodes 2B, each secondary storage node 2B receiving a unique fragment23.i.

According to a preferred embodiment, the enclave8 is provided with a fragmentation and key distribution module26, to which the encryption module24 communicates the decryption key23 for fragmentation and distribution to the secondary storage nodes2B.

These operations completed, the enclave8 can be closed.

Outside the enclave8, the following operations are carried out: <tb> <SEP> o The encrypted container22 is stored within each primary storage node2; <tb> <SEP> o Each fragment23.ide the decryption cryptographic key23 is stored within each secondary storage node2Brespective.

To ensure the traceability of these operations, at least one transaction containing a digital imprint of the distributions or memorizations thus carried out is registered in a bloc4de the chain5de blocks, by one or more nodes2 of the network1. This transaction can be initiated by the Primary2 and Secondary2B storage nodes, but it can also be initiated by the enclave8 itself (and more specifically by the module19blockchain) before it closes.

The reference biometric data, thus encapsulated in an encrypted container22, can be stored for a determined or indefinite period on the storage nodes2A of the network1.

These reference biometric data are used, as much as necessary, to authenticate the user when the latter needs to access a place or a service: this is the objective of the control phase, which is applied to new biometric data27 of the individual, which must be compared with reference data15.

We now describe this control phase, which is initiated from a second computer processing unit E2 (equipping for example a fixed or portable personal computer, a tablet, a smartphone, or even a control device. access), linked or integrated into the 1blockchain network and called the second transmitter.

The second transmitter E2 can be confused with the first transmitter E1; nevertheless the emitters E1, E2 can be different.

Biometric data control is typically performed for the purpose of unlocking, for the user, access to a physical environment (a home, a room, a safe) or a virtual environment (a working environment in a computer, a tablet or smartphone).

The control is carried out in a decentralized manner, on the network1.

For this control phase, the second transmitter E2 is equipped with (or connected to) a biometric capture device or scanner. The scanner28 is configured to capture the user's biometric data27 at a limb (e.g. one or more finger (s), hand) or organ (e.g. eye, face, body). ear, part of the venous network) of this user.

A first operation 101 consists in establishing, on request (REQ), a communication session between the second transmitter E and the network 1.

This session is activated from the second transmitter E2, for example following a predetermined action such as pressing a button or the detection (eg by means of a proximity sensor) of the approach of the user's limb or organ.

A second operation 102 consists, among the network 1, in selecting a computing node 2 P, equipped with a processing unit in which an enclave 8 ′ is implemented.

A third operation 103 consists, within the computation node2P, in instantiating the enclave8 '.

A fourth operation104 consists, at the level of the second transmitterE2, in carrying out, by means of its scanner28, a capture of the biometric data27 of the individual. In the example illustrated, these biometric data come from a fingerprint.

A fifth operation 105 consists, from the second transmitter E2, in loading, into the enclave 8 ′ of the computation node 2 P, via a secure communication line (eg using the Transport Layer Security or TLS protocol), the biometric data thus captured.

According to a preferred embodiment, the control of the data27, carried out within the enclave8 ', is carried out according to the instructions of an intelligent contract SC deployed on the blockchain5.

As illustrated in laFIG.3, a sixth operation 106 consists, for the enclave 8 ′, in calling (CALL) the intelligent contract SC.

A seventh operation 107 consists, in return, in loading the code of the intelligent contract SC in the enclave 8 ′ for execution. Also loaded into the enclave8 is a virtual machine (EVM when the smart contract SC is programmed according to Ethereum's specifications) intended to allow execution of the code of the smart contract SC.

An eighth operation108 consists, for the enclave8 ', in selecting from the network1a storage node2A on which is stored a copy of the encrypted container22 containing the reference biometric data15, and in transmitting to this storage node2B a request (REQ) for communication of this container22.

To facilitate this selection, the encrypted container22 can be coupled to an identifier associated with the second transmitterE2 (transmitted to the enclave8 'with the scanned biometric data27), or to the user (and which can be entered by the latter on a interface fitted to or linked to the second transmitter E2).

A ninth operation109consist, from the storage node2B, to load into the enclave8'le container22crypted.

The decryption of the biometric reference data of the encrypted container 22 requires the decryption cryptographic key 23, also stored on the network1.

A tenth operation 110 therefore consists, for the enclave8 ', in selecting from among the network1K storage nodes2B on which K fragments23.irespectives are stored, and in transmitting to each storage node2B a request (REQ) to communicate its fragment23.i .

As illustrated in laFIG.4, an eleventh operation111consists, from the storage nodes2Bde thus selected, to be loaded into the enclave8 'the K fragments23.i.

A twelfth operation112 consists, for the enclave8 ', in reconstituting the key23 from the K fragments23.i thus loaded.

A thirteenth operation 113 consists, for the enclave 8 ′, in decrypting the reference biometric data 15 of the container 22 by applying the key 23 to it thus reconstituted.

A fourteenth operation114 consists, for the enclave8 ', in comparing the biometric data27 resulting from the capture carried out by the scanner28 and the reference biometric data thus decrypted. The comparison can be carried out by a conventional technique (typically by measuring the distances between minutiae in the case of the fingerprint).

[0103] If this comparison is unsuccessful, the data15,27 are declared not to correspond, and the action for which the control of the user's biometric data was required (typically an unlocking) is not authorized. The second transmitter E2 is informed. However, the operations of capturing and comparing biometric data can be repeated, to minimize the risk of false negatives.

If, on the contrary, the comparison is successful, the data 15,27 are declared to correspond, and the action for which the control of the user's biometric data was required is authorized.

[0105] Either way, the comparison produces a result (eg in the form of a bit of value 0 on failure, and value 1 on success).

[0106] However, the only biometric authentication of the individual behind the second transmitter E2 is deemed insufficient to authorize the required action: an additional predefined geolocation condition must in fact be verified. This condition is for example included in the instructions of the intelligent contract SC. This condition specifies eg. a predefined geographical area, within which the second transmitter E2 is supposed to be located (or on the contrary one or more geographical areas outside of which the second transmitter E2 is supposed to be located).

For this purpose, the second transmitter E2 is equipped with (or connected to) a geolocation beacon. This tag31 is configured to edit instantaneous geolocation data, typically in the form of a tuple of geographical coordinates including latitude and longitude, and, if applicable, altitude.

[0108] Thus, a fifteenth operation115 consists, for the enclave8 ', in transmitting to the senderEa request (REQ) for communication of instantaneous geolocation data32 (unless the data32 has not been communicated beforehand, for example with the biometric data.

A sixteenth operation116 consists, at the level of the second transmitterE2, in editing, from the beacon31, instantaneous geolocation data32.

[0110] A seventeenth operation 117 consists, from the second transmitter E2, in loading the instantaneous geolocation data into the enclave 8 ′, via a secure communication line 29.

An eighteenth operation 118 consists, for the enclave 8 ′, in verifying that the instantaneous geolocation data satisfies the geolocation condition. In the example illustrated, this geolocation condition results from the instructions of the intelligent SC contract.

This verification produces a result33 (typically, a bit of value 1 when the geolocation condition is satisfied, a bit of value 0 when the geolocation condition is not satisfied).

If the instantaneous geolocation data does not satisfy the geolocation condition, the control process is terminated, and no access authorization is issued.

If, on the contrary, the instantaneous geolocation data satisfies the geolocation condition, the action for which the control of the user's biometric data was required is authorized.

When the action (typically an unlocking) must be applied at the level of the second transmitter E2, the latter must be informed of the result.

In this case, a nineteenth operation119 consists, for the enclave8 ', in transmitting the result30 to the second transmitterE2.

[0117] Furthermore, for the purposes of traceability, the result30 (or, preferably, a trace of this result30) as well as the result33 (or preferably a trace of this result33), are preferably recorded in the blockchain5.

In this case, a twentieth operation 120 consists, for the enclave 8 ′, in initiating a transaction TX intended for the blockchain 5. This transaction can be signed by means of a private key associated with the enclave8 '.

To this end, and according to an embodiment illustrated in theFIG.5, a twenty-first operation 117 consists, for the enclave8 ', in establishing a communication session (SESS) with at least one node2 of the network1, a twenty-second operation122 then consisting in transmitting the signed transactionTX to this node2, with a view to its registration in the blockchain5. The signed transaction TX is then distributed to several validator nodes of the network1, for the purpose of verification prior to registration.

[0120] After the signed transaction TX has been verified, a twenty-third operation 123 consists, for one or more validating nodes2, in entering it in a new block4 intended for the blockchain5. A twenty-fourth operation124 consists, for one of the validating nodes2, in adding the new block4 containing the signed transactionTX to the blockchain5, after the completion of a consensus mechanism such as proof-of-work (PoW) , proof of authority (in English proof-of-authority or PoA) or proof of stake (in English proof-of-stake or PoS).

The method which has just been described has the following advantages.

[0122] Firstly, the biometric reference data, encrypted, cannot be used by any third party, including the one who ensures their storage on a storage node2A.

[0123] No use (in particular commercial) can therefore be made of it, for the benefit of confidentiality.

Second, the replication of the container 22 on several storage nodes 2 also limits the risk of erasure while increasing the reliability of the method.

Thirdly, the decentralized nature of the control prevents a possible fraudulent takeover of the second transmitter E2 by an unauthorized third party.

Fourth, the geolocation condition further adds to the difficulty for an unauthorized third party to access the desired environment (typically a virtual environment), when this condition is not satisfied.

Claims (3)

1. A method of processing biometric data of an individual, from a computer processing unit, called the transmitter (E2), connected or integrated into a peer-to-peer network (1) composed of a plurality of nodes (2) forming a distributed database on which is stored, by replication on each node (2), a chain (5) of blocks, this method comprising: A) A calibration phase, which includes the following operations: - By means of a capture device (16), perform a first capture of biometric data (15), called reference, of the individual at the level of a limb or an organ thereof; - Encrypting the biometric data (15) resulting from this first capture to form an encrypted container (22) of biometric data; - Separately store the encrypted container (22) of biometric data and a cryptographic key (23) for decryption thereof; - Enter, in a block (4) of the chain (5) of blocks, a transaction containing a trace of this capture and / or this storage; B) A control phase, which includes the following operations: - Establish a communication session between the transmitter (E2) and the network (1); - Select from the network (1) a node (2P) called computation, equipped with a processing unit in which is implemented an execution environment secured by cryptography, called enclave (8 '); - Instantiate the enclave (8 '); - Using a capture device (28) fitted to or connected to the transmitter (E2), capture biometric data (27) of the individual at the level of a limb or an organ of this individual ; - Load into the enclave (8 '), via a secure communication line (29), the captured biometric data (27); - Using a geolocation beacon (31) fitted to or linked to the transmitter (E2), edit instantaneous geolocation data (32); - Load into the enclave (8 '), via a secure communication line (29), the instantaneous geolocation data (32); - Selecting from the network (1) a storage node (2B) on which is stored a copy of the encrypted container (22) containing the reference biometric data (15); - Load the encrypted container (22) into the enclave (8 '); - Decrypting in the enclave (8 ') the biometric reference data (15), by means of a decryption key (23) associated with the encrypted container (22); - In the enclave (8 '), compare the captured biometric data (27) and the reference data (15), and check whether the instantaneous geolocation data (32) satisfies a predefined geolocation condition; - Writing in a block (4) of the chain (5) of blocks a transaction comprising a trace of the result (30) of the comparison and a trace of the result (33) of the verification. 2. Treatment method according to claim 1, in which the calibration phase comprises the following operations: - Fragment the cryptographic decryption key (23); - Designate, among the network, a group of storage nodes (2B) in number equal to the fragments (23.i); - Distribute each fragment (23.i) of the cryptographic decryption key to a storage node (28), each storage node (2B) receiving a single fragment (23.i). 3. The treatment method according to claim 2, the control phase of which comprises the following operations: - From the enclave (8 ') of the compute node (2P), select from the network (1) nodes (2B) on which are stored fragments (23.i) of the cryptographic key (22) of decryption associated with the container (22); - Load said fragments (23.i) into the enclave (8 ') of the computing node (2C); - In the enclave (8 '): o Reconstitute the cryptographic decryption key (23) associated with the container (22), from the fragments (23.i) thus loaded; o Deciphering the biometric data (15) of the container (22) by means of the key (23) thus reconstituted.