IES83387Y1 - A biometric authentication system and method - Google Patents

Publication number: IES83387Y1
Authority: IE (Ireland)
Application number: IE2002/0190A
Other versions: IE20020190U1
Inventor: White Conor
Original Assignee: Daon Limited
Prior art keywords: user, authentication, biometric, identifier, node

Description

A biometric authentication system and method

Field of the Invention
The present invention relates to the authentication of users or individuals and in particular to a system and method implementing or utilising biometric techniques to authenticate the identity asserted by a user.

Background to the Invention
With the development of networked infrastructures that are accessible to a plurality of persons there is a need to implement security features to ensure that those persons that gain access to services or stored items within the network are authorised to do so. There is a further need to ensure that the person effecting access is an authentic user of the system.
Known techniques for ensuring secure access are to provide a user with a password or other identifier and to limit access to those persons who present a user identifier and password which match a previously stored set of identifiers for that user. Problems with such systems are that they are open to “hacking” by persons of unscrupulous nature who can gain access through various methods including stealing or guessing of passwords.
Systems which attempt to obviate or lessen the occurrence of a successful unauthorised entry to a secure network or network resource include those provided by RSA. Further examples of known technologies are where the password provided by the user is a constantly changing password which digitally updates itself over a predetermined time sequence. By establishing a relationship between the password provided by the user attempting to gain access and the expected password at the server it is possible to reduce the opportunity of the person of unscrupulous nature gaining access. Nevertheless, as the base technology is implemented independently of the personal identity of the user asserting the password and identity, there is still an opportunity to overcome the security features offered.
It is also known over local networks to provide a security feature based upon a biometric identifier uniquely associated with the user attempting access. Due to the nature of biometric identifiers it will be appreciated that the indicia making up the identifier are determined by the biological make-up of the user associated with the identifier. For example a retina scan or thumb print is uniquely defined by the person presenting those identifiers and the possibility of successfully electronically hacking or counterfeiting the identifier is minimal. Although it is known to use biometric identifiers to authenticate users over a local network or a centralised implementation on a wide area network, heretofore it has not been possible to extend this technology or authentication method over a larger area using a cooperating federation of authentication servers.
There is therefore a need to provide a method and system for authenticating the asserted identity of one or more users over a distributed federation of authentication servers.
Object of the Invention
It is an object of the present invention to provide a method and system that improves the authentication of a user identity through a scheme of cooperating systems.

Summary of the Invention
Accordingly, the present invention provides for the authentication of users accessing a network or network resource by means of associating the user identity with one or more biometric identifiers uniquely associatable with that user, and using that biometric identifier to subsequently authenticate the user.
By providing a trust network between a set of Authentication Servers, Partner Applications and individuals using biometric technology for authentication of the individuals, the present invention provides for the storing of a set of parameters or indicia definable by a specific biometric type at a central server and using that set of parameters to authenticate a remote user.
The invention provides a federated network of trusted partners, which are adapted to communicate securely in an electronic environment with one another so as to effect the verification or authentication of the identity of a user or users who present themselves at at least one of the partners. The authentication is implemented based on a matching of a presented biometric identifier with a previously stored identifier for that particular user.
It will be appreciated that one or more types of biometric identifiers may be used or implemented and that a typical range of biometric technologies include but should not be limited to finger, iris, face, voice, palm etc.
According to the present invention the authentication of individuals will be carried out by a series of authentication servers (AS). An authentication server will assert an individual’s identity to the Partner Applications (PAs) that are part of the system or network of the present invention.
By providing a series or plurality of biometric authentication servers so as to establish a network of trust between a group of individuals (through their biometric) and a set of Partner Applications (PAs), the present invention provides a method and system to improve the security by which a user can be authenticated and enables the creation of massive authentication infrastructures. By the term “massive” it will be appreciated that the present invention intends to encompass non-local networks, global networks either in a secure corporate or non-corporate environment and the like.
It will be appreciated that a PA can be any one of a range of systems that respect the identities asserted by the authentication servers within the network of trust defined by the system of the present invention. In order to secure the interaction between individual components of the system various security protocols may be used to ensure the safe throughput of information.
By providing a plurality of co-operating servers which are provided with means to respect and authenticate on behalf of each other it is possible to implement a non-local authentication system based on biometrics.
Accordingly the invention provides an authentication system adapted to provide an authentication of one or more users over a networked architecture using one or more biometric identifiers previously associated with the users to authenticate the users, the system comprising at least two computing devices at separate nodes in the network: a first device at a first node being adapted to receive a request for authentication of a user connecting to that node, the request for authentication including a biometric identifier provided by the user, the first device being further adapted, based on indicia associated with that user, to determine a second device at a second node for the user, the second device having a previously stored biometric identifier associated with the user, the first device being further adapted to forward to that second device a request for retrieval at the second device of the previously stored biometric identifier associated with the user, the second device being adapted upon receipt of the request from the first device to retrieve the previously stored identifier for that user, and comparison means adapted to establish an authentication of the user based on a positive comparison between the identifier provided by the user at the first device and the one previously stored and associated with the user at the second device.
Desirably the system provides a framework for establishing a network of authenticating servers and associated biometric capture devices, and wherein one or more of the authenticating servers or biometric capture devices can establish and assert a user identity to others of authenticating servers or biometric capture devices.
Preferably the computing devices at each node are selected from one or more of the following: an authentication server, a biometric capture device.
In a first embodiment the comparison means are provided at the first device, such that on retrieval of the previously stored identifier at the second device, the second device is adapted to forward a copy of the identifier to the first device, which upon receipt is adapted to effect a comparison.
In another embodiment the comparison means are provided at the second device, such that on retrieval of the previously stored identifier at the second device, the second device is adapted to effect a comparison between the identifier forwarded by the first device to the second device and that previously stored and associated with the user. Typically, upon effecting a comparison of the provided identifier with the previously stored identifier, the second device is adapted to effect a communication to the first device detailing the result of the authentication process.
Desirably, the second device is provided with means to effect a search of a plurality of previously stored biometric identifiers based on indicia associated with that user.
Verification means are desirably provided at at least one of the first and second devices, the verification means adapted to effect a verification of the identity of the other of the first and second device.
Typically, communications between the first and second devices are by means of a secure communication channel, which is desirably provided by one or more of the following protocols: Secure Socket Layer (SSL), eXtensible Markup Language (XML), digital certificates, or any form of symmetric or asymmetric cryptography. Desirably the invention additionally provides within the system a partner application device located at the first node, the partner application device adapted, upon authentication of the user, to process a request provided by the user.
The invention also provides a method of authenticating the identity of one or more users over a networked architecture the method comprising the steps of: receiving a request for authentication of a user identity at a first network node, determining a home node for that user, the home node having a previously stored biometric identifier associated with the user, forwarding a request for authentication of the user to the home node, the request including a biometric identifier captured for that user, the receipt of the biometric identifier at the home node effecting a comparison of the received identifier with the previously stored identifier, receiving confirmation at the first node that the user is authenticated upon effecting a match between the received identifier and the stored identifier.
In another embodiment a method of authenticating the identity of one or more users over a networked architecture is provided, the method comprising the steps of: receiving a request for authentication of a user identity at a first network node, the request including a biometric identifier associated with the user, determining a home node for that user, the home node having a previously stored biometric identifier associated with the user, forwarding a request for a copy of the stored identifier to the home node, the request including an identifier associatable with the biometric identifier stored for that user, receiving a copy of the previously stored identifier from the home node, comparing the retrieved previously stored identifier with the captured identifier and authenticating the user upon confirming a matching set, and wherein the home node only returns a copy of the stored identifier to the first node upon verification of the identity of the first node.
These and other features of the present invention will be better understood with reference to the following drawings.
Brief Description of the Drawings
Figure 1 shows a trusted network system according to the present invention.
Figure 2 is a flow sequence identifying a method of authenticating a user according to the present invention.
Figure 3 is a process sequence showing an authentication of a user according to one embodiment of the present invention.
Figure 4 is a flow sequence showing the determination of the correct home authentication server for a specific user according to the present invention.
Figure 5 is an example of a hierarchy of trust between a group of co-operating authentication servers according to another embodiment of the present invention.
Figure 6 shows a logic flow for when authentication is performed at a HAS in accordance with one embodiment of the present invention.
Figure 7 is a logic flow showing a sequence of steps used for authentication of a user at a secure device or FAS according to a further embodiment of the invention.

Detailed Description of the Drawings
Within the present specification certain terms will be used to represent certain components of the system. The following list of definitions is intended to define these terms for ease of explanation and understanding of the following description of an exemplary embodiment of the present invention.
Authentication Server (AS): A system authenticating an individual based on one or more of their biometrics. This could be an identification or a verification system. A verification system uses a claim and a biometric to authenticate a user against an enrolled biometric. An identification system does not need the identity claim; it determines the identity claim based on the biometric alone.
Home Authentication Server (HAS): The Home Authentication Server is the authentication server the user is enrolled at. It is the server where his/her identity and enrolment biometric are stored.
Foreign Authentication Server (FAS): A Foreign Authentication Server is an Authentication Server participating in the federation of authentication servers which is not the individual’s HAS.
Partner Application (PA) A Partner Application is a business application which is providing service to a user and requires the authentication of the user.
Identity Data Element (IDE): An Identity Data Element is a piece of information (or a set of IDEs) which comprises information about the individual.
Examples of IDEs include (but are not limited to) social security number, email, credit card number, address, employee id, dynamically generated authentication tickets etc.
Biometric A biometric is any one of a plurality of biological identifiers which can be associated with a user such as but not limited to an identifier defined by finger, iris, voice, face, DNA etc..
Biometric Capture Device: A biometric capture device is intended to include devices suitable for reading various biometric modalities including finger, iris, voice, face etc. The Biometric Capture Device for the purpose of this invention also includes the controlling software for the device, whether residing on the device or another device such as a client PC for example.
The system of the present invention provides a biometric trust infrastructure or BTI. Within the implementation of the system of the present invention it is important to separate the actual identifier associated with a user, that person's biometric, from the Partner Application (PA) that is requesting the authentication. It will be appreciated that this separation is desirable for a number of reasons including: a protection of the privacy of the individual, a protection of the integrity of the BTI, and to allow for technology advances in biometrics in the immediate future without hampering the delivery and rollout of applications.
According to a preferred embodiment of the present invention the authentication of persons is conducted by one or more Authentication Servers (AS), which are used to assert a person's identity to the Partner Application that is implemented within the BTI. It will be appreciated that in order to implement a trusted infrastructure the individual components within the BTI should communicate with one another in a secure manner such as that established through the use of public key cryptography and digital signatures. It will be appreciated that the method of the present invention provides for the encryption of sensitive protocols. Many forms of establishing trust are known and will be appreciated by those skilled in the art including both symmetric and asymmetric encryption, signature schemes, SSL techniques and XML documents.
By implementation of a trusted AS infrastructure, re-use of enrolment is promoted. This does not mean that an individual has to re-enrol on each presentation, rather that their identity can be asserted to another AS which can then assert it to one of its registered PAs. This, it will be appreciated, is advantageous in that once a set of parameters or biometric identifiers have been stored within an AS, these parameters can be used at a later date to establish new networks of trust without requiring the user to re-define or re-present the identifier. This is beneficial and advantageous in that the set of identifiers can be used to extend the trust infrastructure without the rigours of a re-registration process. By sharing of the enrolment and identity across or between schemes the present invention offers a more robust system of implementation and expansion.
It will be understood that the concept of sharing enrolments across organisations or networks has traditionally been viewed as dangerous or controversial from a consumer acceptance perspective. Fears of selling biometric data and giving away identity invoke all the wrong images in the minds of the consumer. In one embodiment of the present invention the system of the present invention obviates these problems by performing the authentication at a remote trusted server which stores the identifiers. In such an implementation the partner applications do not gain access to the original data set and therefore it cannot be compromised. In another embodiment of the invention although a copy of the data set is sent to the requesting node which performs the authentication against the presented biometric set locally, the data set is only sent to those nodes whose identity has been tested. It will be appreciated that such a testing or verification of the identity of the requesting node is also advantageous in that an audit trail may be implemented to ensure that use of the claim set may be monitored.
By implementing a BTI according to the present invention benefits are provided to both the PA and the individual.
The benefits to the PA include:
Cost savings: The process of enrolment is a costly one. By enabling the reuse of earlier enrolments (on other Authentication Servers), a PA can leverage an increased user population with little or no incremental cost.
Scalability: A BTI according to the present invention is a scaleable, fault tolerant infrastructure with no single point of failure.
Reach: By offering a global, connected, authentication & trust infrastructure, the PA can attain a global trusted set of users without having to put their own processes/presence in each area.
Re-use: The ability to effectively “re-use” the identification of the individual without having to go through an enrolment process. The sharing of a stored biometric identifier across a network of multiple nodes so as to effect the authentication of a user enables the system of the present invention to provide a secure initial record of the biometric set and then repeatably use that set for subsequent authentications.
From a consumer's perspective, the following are key benefits:
Security & Privacy: Consumer privacy is ensured through the separation of the authentication services from the Partner Agents. Furthermore, biometrics offer an extremely high level of security and identification, reducing significantly the risk of identity theft.
Service: Consumers who sign up to the BTI can avail of a wide range of services provided by the PA if they wish to do so.
Convenience: An individual can avail of many different services offered by various PAs participating in the BTI without having to re-enrol for each and every authentication server.
Enrolment
This section describes an example of a process that may be used to enable the enrolment of a user with a BTI according to the present invention.
In a BTI according to the present invention, users generally enrol at their Home Authentication Server (HAS).
The HAS is the Authentication Server which stores the user's biometric data and performs the enrolment function.
The HAS is also the AS that authenticates the user.
The process for the enrolment of users is well documented within the art and for the sake of simplicity is not repeated here. Once a user has enrolled with an AS, the stored identifier can be used to authenticate the user at a later date.

Identity Elements
An individual can have a Personal Identity with multiple Identity Data Elements, for example, a public key certificate with its corresponding private key, a name, a credit card number etc.
The authentication process involves the identification or verification of the user by comparing the biometric data registered at enrolment with the biometric data captured during the authentication process.
The authentication process may return one or more of the IDEs as requested by the PA or FAS. In some cases, no IDEs may be requested (or authorised for sharing by the individual) and the returned identity data set may be null.
In these circumstances a simple assertion of biometric authenticity may be used.
BTI Architectural Overview
Figure 1 shows an example deployment of a BTI 100. The network infrastructure comprises a plurality of computing devices at different nodes within the network and adapted to communicate with one another over the network. As shown in the exemplary embodiment of Figure 1 each node of the network is provided with at least one biometric capture device 105 which is of the type known in the art to capture a biometric identifier from a user and process that identifier into an electronic set of indicia representative of the biometric. The Biometric Capture Devices 105 are one or more devices connected to partner applications 115 or Authentication Servers 110 which capture a user's biometric information and claim of identity. Within the present specification the term “Biometric Capture Device” is intended to define the biometric data capture hardware as well as any controlling software (for example on the device itself or a connected controller such as a Personal Computer).
Each of the capture devices 105 may be linkable to an application device 115 provided on the network or directly linkable to an authentication server 110. The Partner Application or Applications 115 are the systems that require a level of trust in the identity of the individual before they offer their services. In general, the accompanying figures to this specification show the connection to the Partner Application from the Biometric Capture Device. It will be appreciated that this connection could be a connection to an agent (client) of the Authentication Server or in fact could be a direct connection to the server itself. It is important to note that a node in the network as shown in Figure 1 is a logical clustering of Biometric Capture Devices, Applications and Authentication Servers for illustrative purposes. The diagram is not intended to limit the present invention to any physical layout of the network, as it will be appreciated by those skilled in the art that many modifications may be made to a network architecture while maintaining the empirical characteristics of the network. For example, it is envisaged that the Internet may be used to connect all of these components together.
Components of a logical node in the aforementioned diagram do not have to be co—resident.
The Authentication Server 110 is the component which manages the biometric enrolment and identity management for one or more users. It also understands the routing protocols and security protocols necessary to connect to other Authentication Servers to forward biometric claims and understand the response. It should be noted that the Authentication Server can perform the biometric matching itself or in some cases, it may return the enrolment biometric (through a suitably secured channel) to a biometric matching component which could for example be running on the Biometric Capture Device.
Each of the authentication servers is adapted to communicate with the others over a network 125 which provides connectivity between all the components in the scheme. The network can be any electronic communications network, and as will be appreciated by those skilled in the art can be implemented as one or more of the following:
1. Private Network, e.g. operated by a group of companies.
2. Internet, the most prolific network available.
3. Mobile Network, for example one or more mobile telecommunications operators may decide to offer BTI services.
It is envisaged and will be appreciated that the connection from the biometric capture device to the application to the authentication server could be done over the same network.
Communication or routing between individual nodes within the network is, in accordance with one embodiment of the invention, provided by a centrally updated directory service 130, which stores routing information for each of the registered users of the network system. On receiving a request for the correct home authentication server for a particular user (i.e. the server which is storing the registered biometric set for that user) the directory service searches through data records to select the correct routing for that user. More information on this sequence will be provided later in this document.
It is important to understand that the directory service could be a replicated one with one or more nodes or could be a simple database or data file lookup provided on a networked machine or the local machine.
Authentication of the Individual
Figure 2 shows a typical flow sequence associated with an authentication of a user at an authentication server 110.
The server 110 receives a request for authentication from the user who has connected to that node (Step 200). The server checks internally to ascertain whether that user is registered locally (Step 205). On ascertaining that the user is not locally registered, the networked directory service (130) is contacted to ascertain the correct routing information (Step 210). On contacting the home authentication server it is possible to effect a comparison of the presented biometric identifier and that previously stored for the specific user (Step 215). This enables an authentication of the user (Step 220).
Further details of an authentication operation are shown in Figure 3.
Step 1, The client (composed of the biometric capture device hardware and any client side applications) connects to the partner application to request access to a protected resource.
The client could typically be a finger image capture device and associated software (on the device and on a PC). Of course, biometrics addressed by this invention include iris, voice, finger, face, retina, hand among others.
Step 2, the partner application or a component of an authentication engine will request the authentication of the user.
Step 3, the user provides a biometric through the biometric capture device to the partner application. This step could also include an optional identity claim/assertion.
Step 4, the PA forwards the biometric claim to its local Authentication Server (shown here as the FAS, because it is not the Authentication Server where the user enrolled and where their biometrics are stored).
Step 5, the FAS determines that it is not the HAS of the individual and routes the message to the individual’s HAS.
It will be appreciated that various methods are available for doing this, examples of which will be described elsewhere within the present specification.
Step 6, the HAS authenticates the user against the biometric data previously enrolled. This can be a 1 to 1 match (verification) or may involve an identification activity (1 to Many).
Step 7, the match is successful and the HAS retrieves the identity data elements from the Personal Identity Database.
As outlined earlier, the retrieval of these data elements is optional and the returned information may be as simple as a Boolean yes/no answer or a biometric match algorithm score.
Step 8, the HAS then returns the data set it built in step 7 to the FAS.
Step 9, the FAS then returns the data set to the partner application. In some cases, data may be added or removed from the data set passed between the FAS and the PA.
Step 10, the PA then decides, based on the data set it has received, whether to grant access to the resource requested by the individual.
It will be appreciated by those skilled in the art that the messages between the components are desirably encrypted and signed. It will be further appreciated by those skilled in the art the sequence of steps and the process itself as outlined above is exemplary of a specific embodiment of the present invention and that modifications may be made without departing from the spirit and scope of the present invention.
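The ten-step sequence above, simulated end to end as an added example (this is not code from the patent or from Daon): a Foreign Authentication Server receives a claim and a captured template, consults the directory service for the user's HAS, forwards a signed request, and the HAS verifies the requesting server before matching and returning a signed result with any requested Identity Data Elements. Everything concrete here is a constructed assumption: templates are 32-bit strings compared by the fraction of equal bits, the "signature" on inter-server messages is an HMAC-SHA256 over a per-server-pair shared key (a stand-in for the public-key signatures the text refers to), the directory is an in-memory dict, and the names HAS, FAS, ROGUE and "alice" are invented.

```python
"""Added example: HAS-side matching across a federation (stand-in crypto, constructed data)."""
import hashlib
import hmac
import json

THRESHOLD = 0.90  # constructed: minimum fraction of matching bits for a "match"


def similarity(a: str, b: str) -> float:
    """Fraction of equal bits between two equal-length template bit strings."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def sign(key: bytes, payload: dict) -> str:
    """HMAC over a canonical JSON encoding: a stand-in for a digital signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)


class Directory:
    """Directory service 130: routes a claim identifier to the user's HAS."""

    def __init__(self, routes):
        self.routes = routes  # claim -> AuthServer instance (assumed lookup table)

    def home_of(self, claim):
        return self.routes.get(claim)


class AuthServer:
    def __init__(self, name, peer_keys, enrolments=None, ides=None):
        self.name = name
        self.peer_keys = peer_keys            # peer server name -> shared key
        self.enrolments = enrolments or {}    # claim -> enrolled template
        self.ides = ides or {}                # claim -> identity data elements
        self.audit = []                       # who asked about whom, with what result

    def handle_as_has(self, request, tag):
        """Steps 6-8: verify the FAS, match, build the optional IDE set, sign the reply."""
        fas = request["from"]
        key = self.peer_keys.get(fas)
        if key is None or not verify(key, request, tag):
            self.audit.append(("rejected_unverified_requester", fas))
            return None
        claim = request["claim"]
        enrolled = self.enrolments.get(claim)
        matched = enrolled is not None and similarity(enrolled, request["template"]) >= THRESHOLD
        ides = {k: self.ides.get(claim, {}).get(k) for k in request["want_ides"]} if matched else {}
        self.audit.append(("match", fas, claim, matched))
        response = {"from": self.name, "to": fas, "claim": claim, "match": matched, "ides": ides}
        return response, sign(key, response)

    def authenticate(self, directory, claim, template, want_ides=()):
        """Steps 4-9 from the FAS side: route to the HAS and check the reply came from it."""
        if claim in self.enrolments:  # this server is the user's HAS: match locally
            return {"match": similarity(self.enrolments[claim], template) >= THRESHOLD}
        has = directory.home_of(claim)
        if has is None or has.name not in self.peer_keys:
            return {"match": False, "reason": "no_route"}
        key = self.peer_keys[has.name]
        request = {"from": self.name, "to": has.name, "claim": claim,
                   "template": template, "want_ides": list(want_ides)}
        reply = has.handle_as_has(request, sign(key, request))
        if reply is None:
            return {"match": False, "reason": "rejected_by_has"}
        response, tag = reply
        if response["from"] != has.name or not verify(key, response, tag):
            return {"match": False, "reason": "bad_has_signature"}
        return {"match": response["match"], "ides": response["ides"]}


ENROLLED = "10110011" * 4  # constructed 32-bit template enrolled for user "alice"


def run_demo():
    """Genuine user, impostor, and a server the HAS does not trust querying it."""
    has = AuthServer("HAS", {"FAS": b"shared-key-FAS-HAS"},
                     enrolments={"alice": ENROLLED},
                     ides={"alice": {"email": "alice@example.test"}})
    fas = AuthServer("FAS", {"HAS": b"shared-key-FAS-HAS"})
    rogue = AuthServer("ROGUE", {"HAS": b"guessed-key"})
    directory = Directory({"alice": has})
    genuine = "01" + ENROLLED[2:]                                                  # 2 of 32 bits differ
    impostor = "".join("1" if c == "0" else "0" for c in ENROLLED[:8]) + ENROLLED[8:]  # 8 differ
    return {
        "genuine": fas.authenticate(directory, "alice", genuine, want_ides=("email",)),
        "impostor": fas.authenticate(directory, "alice", impostor),
        "rogue": rogue.authenticate(directory, "alice", genuine),
        "audit": has.audit,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The two checks worth noticing are both on the HAS side: it looks up the requester's key by name before doing anything with the template, and it logs every request (including rejected ones), which is the audit trail the description says verification of the requesting node makes possible. The FAS, for its part, checks that the signed reply really came from the HAS the directory named rather than trusting any well-formed response.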
Figure 6 details a flow sequence where the authentication of a user is conducted at a HAS, in accordance with one embodiment of the present invention.
The user connects to the Foreign Authentication Server (FAS) (Step 600). The applications or devices provided at the server or one of its clients effect a capture of biometric data from the user and a claim of identity for that user (Step 605). On querying that the claim is not local (Step 610), a directory service is searched to determine the correct location of the HAS for that user (Step 615).
A connection is effected to that HAS (Step ). In order to ensure that communications between the FAS and the HAS are in a secure mode, a secure session may be implemented which incorporates the steps of encrypting and signing the message to be despatched to the HAS (Step ). On effecting the secure communication the claim and biometric are forwarded to the HAS (Step 630).
The HAS is typically always in a stand-by mode adapted to listen for incoming requests (Steps 635, 640). On receipt of an incoming message the identity of the FAS is verified using known techniques such as electronic signature etc.
The supplied biometric is decrypted (Step 645). A match determination is effected against a locally stored biometric which shares the same claim identifier as that supplied by the user (Step 650). On concluding the determination of the match a result is effected (Step 655).
A response message is formed (Step 660) and returned to the FAS that initiated the request (Step 665). On receipt of the returned message from the HAS, the FAS effects a check to ensure that the message returned did originate with the desired HAS (Step 668). The message is then checked to ascertain whether the HAS returned a successful match (Step 670).
If successful, access is granted (Step 675), otherwise it is denied (Step 680). This concludes the process until a new request for authentication is provided (Step 685).

Matching at Capture Device
A variant of the implementation exists, where the HAS does not perform the matching, but instead, having verified the credentials of the requesting FAS (and even perhaps the Biometric Capture Device), it instead securely packages the enrolled biometric and returns it to the FAS which can then present it securely to the Biometric Capture Device.
The Biometric Capture Device can then locally (and securely) match this biometric against the one presented by the individual at the authentication stage.
An alternative embodiment allows for the FAS to perform the matching by obtaining the presented biometric from the Biometric Capture Device and performing a match against the biometric obtained from the HAS.
Should a match be successful, the Biometric Capture Device will then inform the Partner Application, which may then grant access to the requested resource.
Figure 7 shows such an alternative flow sequence, implemented when the FAS or Biometric Capture Device performs the authentication as opposed to the HAS. A user provides biometric data and a claim of identity to the FAS (Step 705). On determining that the claim is not locally matchable (Step 710), a lookup directory is contacted to ascertain the correct routing information to the HAS associated with that user (Step 715). A connection is effected to that HAS (Step 720) and secure communication established (Step 725). A copy of the claim and biometric are provided to the HAS (Step 730).
Similarly to that described above with reference to the HAS verification, the HAS is in a stand-by mode waiting on incoming requests (Steps 735, 740). On receipt of a request, the identity of the FAS effecting the request is verified and the biometric decrypted (Step 745). The correct enrolment data for the user being authenticated is retrieved from the HAS database (Step 750), and a copy of this data is encrypted under a relevant key for this communication session using techniques known in the art (Step 755). For example, the biometric component of the communication may be encrypted under a key known to the Biometric Capture Device (BCD) where it will be decrypted for matching. Alternatively, the encryption key could be known to the FAS which could do the matching.
A response message is established (Step 765) and the message returned to the FAS (Step 765).
On receipt of the message from the HAS, the FAS effects a verification of the identity of the HAS to ensure that the communication has not been compromised (Step 766). The returned copy of the biometric identifier for the user is then compared to that supplied by the user at the beginning of the session (Step 770). A check to ascertain whether a match is present is effected (Step 772); a grant of access is returned if there is a match (Step 775), otherwise access is denied (Step 780). The session is then terminated.
Step 770 (perform verification processing) could be carried out on the biometric capture device itself. The invention allows for a scenario where the encryption of the encoded biometric is carried out under a key known to the Biometric Capture Device. In this scenario, the matching would be done between enrolled and presented biometrics by the biometric capture device (the FAS simply passing the biometric from the HAS to the capture device). In this embodiment, the capture device would return a result on the match to the application and/or the FAS.
It will be appreciated that the order and presence of some or all of the sequence of steps highlighted and described in the flow charts above are of exemplary embodiments of the present invention and it is not intended to limit the present invention to any specifically ordered sequence.
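The Figure 6 exchange above, as an added example that is not part of the patent: a FAS forwards a sealed claim and biometric to a HAS, the HAS verifies origin before decrypting, matches, and returns a sealed verdict that the FAS in turn verifies before granting access. It assumes a symmetric session key already shared by both servers (one of the two schemes the text permits) and uses the AES-GCM tag in place of a separate signature; the wire format and the HAS store are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Constructed example of the FAS<->HAS exchange (not the patent's code). One
// shared session key drives AES-GCM: the ciphertext is the "encrypt" step and
// the GCM tag stands in for the "sign" step, since only a holder of the key
// can produce a verifying tag. Matching is modelled as exact template equality.
func sessionAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key length (16/24/32) is deployment config
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce||ciphertext||tag for one message.
func seal(aead cipher.AEAD, plain []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) } // no entropy: stop
	return aead.Seal(nonce, nonce, plain, nil)
}

// open verifies the tag (Step 640 at the HAS, 668 at the FAS) before any
// plaintext is released (Step 645); a wrong key or altered body is rejected.
func open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(msg) < n { return nil, errors.New("truncated message") }
	plain, err := aead.Open(nil, msg[:n], msg[n:], nil)
	if err != nil { return nil, errors.New("message did not originate with the expected peer") }
	return plain, nil
}

// HAS holds enrolled templates keyed by claim identifier (constructed store).
type HAS struct {
	Session  cipher.AEAD
	Enrolled map[string][]byte
}

// Handle: verify and decrypt (640, 645), match against the record sharing the
// claim (650), return a sealed verdict (655-665). Wire format: claim\x00biometric.
func (h *HAS) Handle(req []byte) ([]byte, error) {
	body, err := open(h.Session, req)
	if err != nil { return nil, err }
	verdict := []byte("DENY")
	if i := bytes.IndexByte(body, 0); i >= 0 {
		tmpl, ok := h.Enrolled[string(body[:i])]
		if ok && len(tmpl) > 0 && subtle.ConstantTimeCompare(tmpl, body[i+1:]) == 1 {
			verdict = []byte("MATCH")
		}
	}
	return seal(h.Session, verdict), nil
}

// Authenticate is the FAS side: forward claim and biometric (630), confirm the
// reply came from the HAS (668), grant only on an explicit MATCH (670-685).
func Authenticate(h *HAS, fas cipher.AEAD, claim string, bio []byte) (bool, error) {
	resp, err := h.Handle(seal(fas, append(append([]byte(claim), 0), bio...)))
	if err != nil { return false, err }
	verdict, err := open(fas, resp)
	return err == nil && string(verdict) == "MATCH", err
}
```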
Establishing the HAS
The system and method of the present invention are, in accordance with one embodiment of the present invention, desirably adapted to provide for a physical separation of an identifier set associated with a specific user from the Partner Application that is using the set to authenticate the user. The set used to verify or authenticate the identity of the user is remotely stored from the applications or network nodes to which the request for authentication is provided. It will be appreciated, therefore, that in order to efficiently provide authentication, an efficient process for finding the enrolment point or home node for an individual, and hence where the biometric template is stored, is required.
In a distributed BTI system of the present invention it is necessary to be able to:
- Quickly find an individual's biometric template within the networked architecture
- Ensure that duplicate identity claims are not registered at the same time, for example on 2 separate nodes within the BTI.
This is provided by the method implemented by the present invention to determine the correct HAS by a FAS.
Two sample methods are outlined here, although it will be appreciated that these are exemplary of the type of method that may be applied and that it is not intended to limit the invention to such methods or techniques. For ease of explanation the methods will be termed the “Fully Qualified Identity Method” and the “Hierarchical Determination Method”.
Fully Qualified Identity Method
In the fully qualified identity model (FQIM), the user presents an identity claim. The claim includes information allowing the unambiguous determination of the HAS from the identity claim.
The information in the claim allows the routing of the authentication requests from the FAS to the HAS.
Various notation schemes can be used - from a hierarchical structure such as DNS or LDAP to a flatter structure with little or no hierarchy.
Examples of this include:
cwhite@bti.daon.com (hierarchical DNS structure)
cwhite btil (flat structure)
In both models a directory service can be used to identify the network location of the HAS such as that shown in Figure 4.
Step 1, the FAS extracts the HAS name from the qualified identity claim and connects to an AS directory server to determine the network address of the HAS.
Step 2, the AS looks up the HAS name in its directory database and returns the network address should it be found.
Steps 3 and 4, the FAS connects to the HAS and requests an authentication of the user by sending the claim of identity and the captured biometric information. The HAS authenticates the user and returns the result (including any IDES) to the FAS.
It should be understood that the claim can be provided in a number of ways to the system including (but not limited to):
1. The individual entering it via a keyboard
2. It may be stored on a token, for example
a) Magnetic stripe card
b) Chip card
c) 2D Bar code
It is also understood as mentioned earlier that the term directory or directory service relates to a location (network or local) where a lookup is performed to determine the location of the HAS. Many methods are available to those skilled in the art to implement this lookup functionality.
Hierarchical Determination Method
In a hierarchical determination method, a hierarchy of trust is established between a group of co-operating authentication servers.
Each server in the hierarchy contains a replicated set of enrolments equivalent to all authentication servers under it. An example of the implementation of such a method is illustrated in Figure 5. In the example hierarchy, each AS has its enrolment database associated with it.
From the example illustrated in Figure 5 it will be appreciated that the hierarchy may be provided in a tree structure, and as you move up in the hierarchy or tree each enrolment database contains its own enrolment records plus the enrolment records of each of its subordinate servers.
For example the authentication servers 1.1 and 1.2 both have their respective enrolment databases; enrolment database 1.1 and 1.2. These servers are branches of authentication server 1 which has access to both enrolment database 1.1 and 1.2, in addition to its own enrolment database; enrolment database 1.
Server 1 is independent of server 2, which has its respective database, enrolment database 2. Both server 1 and 2 are children of Authentication server 0 which has access to all subsidiary databases.
As a consequence of this, the root authentication server, Authentication Server 0, contains the enrolment records for the entire scheme or trusted network.
It will be appreciated that an implementation of this model requires the synchronisation of all components in the scheme. As an enrolment record is added, modified or deleted for a given HAS, all its superior nodes must be updated in a responsive manner. Various protocols are available for this, and will be appreciated by those skilled in the art.
The Hierarchical Determination Method lends itself to the identification of individuals in large distributed biometric systems where no claim of identity is made by the individual.
The process of authenticating an individual is to first check the local enrolment database. Should a match not be found, forward the request for authentication to the authentication server at the next highest level. If an authentication server successfully authenticates the individual, the search is complete.
If necessary, the authentication request will make its way all the way to the root AS. Should it not be successful at this point, then the search is deemed a failure.
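Both location methods above, the Fully Qualified Identity Method and the Hierarchical Determination Method, as one added example that is not the patent's code: claim parsing and directory routing for the first, and a replicated tree with duplicate-enrolment checking and upward search for the second. Directory entries, node names and templates are constructed, and exact byte equality stands in for biometric matching.

```go
package main

import (
	"bytes"
	"errors"
	"strings"
)

// Constructed example of both HAS-location methods (not the patent's code);
// directory entries, node names and templates used with it are made up.

// ParseClaim extracts the HAS name from a fully qualified claim in either
// notation the text gives: "user@has.domain" (DNS-style) or "user hasname" (flat).
func ParseClaim(claim string) (user, hasName string, err error) {
	if i := strings.IndexByte(claim, '@'); i > 0 && i < len(claim)-1 {
		return claim[:i], strings.ToLower(claim[i+1:]), nil
	}
	if f := strings.Fields(claim); len(f) == 2 {
		return f[0], strings.ToLower(f[1]), nil
	}
	return "", "", errors.New("claim is not fully qualified: " + claim)
}

// Route is FQIM Steps 1-2: HAS name out of the claim, then a directory lookup.
func Route(dir map[string]string, claim string) (string, error) {
	_, name, err := ParseClaim(claim)
	if err != nil { return "", err }
	if addr, ok := dir[name]; ok { return addr, nil }
	return "", errors.New("no directory entry for HAS " + name)
}

// AS is one authentication server in the hierarchy; its database holds its own
// records plus a replicated copy of every subordinate server's records.
type AS struct {
	Name     string
	Parent   *AS
	Enrolled map[string][]byte // identity -> template
}

// Enrol checks the path to the root first (the root's replica sees every branch,
// so the same identity cannot be registered on two separate nodes), then writes
// the record locally and to each superior node.
func (n *AS) Enrol(id string, tmpl []byte) error {
	for p := n; p != nil; p = p.Parent {
		if _, dup := p.Enrolled[id]; dup { return errors.New("identity " + id + " already enrolled under " + p.Name) }
	}
	for p := n; p != nil; p = p.Parent {
		if p.Enrolled == nil { p.Enrolled = map[string][]byte{} }
		p.Enrolled[id] = tmpl
	}
	return nil
}

// Identify takes a presented biometric with no claim: local database first, then
// each superior up to the root; no match at the root is a failed search.
func (n *AS) Identify(probe []byte) (id string, where *AS, found bool) {
	for p := n; p != nil; p = p.Parent {
		for cand, tmpl := range p.Enrolled {
			if bytes.Equal(tmpl, probe) { // stand-in for a biometric matcher
				return cand, p, true
			}
		}
	}
	return "", nil, false
}
```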
Securing the BTI network
It will be appreciated that the authentication servers within the BTI must be able to trust each other. There are many ways to establish a trusted network; for example, to establish and maintain this trust, messages between the components are typically encrypted and signed. Different schemes are available in the art for doing this including both asymmetric and symmetric cryptography, and will be appreciated by those skilled in the art.
A claim is made in this invention for the use of asymmetric or symmetric cryptographic algorithms and protocols to establish a trust or secured link between biometric authentication servers acting as HAS and FAS.
One scheme is presented as follows, but will be understood as exemplary of the type of scheme that may be implemented and is not intended to limit the present invention to any one applied scheme.
The model is based on existing Public Key Infrastructure (PKI) standards, although it will be appreciated that other techniques may be applied or utilised without departing from the scope of the present invention. Each Authentication engine is assigned a public-private key pair by a Certificate Authority (CA) (or generates the key pair itself). The CA signs the public key of the AS with its own private key. The corresponding public key of the CA is embedded in each AS server. This allows an AS to establish the bona fide credentials of a different AS and thus establish a network of trust.
The key pair assigned to each AS can be generated by the AS itself and the public component exported to the CA or the CA - or its RA (registration authority component) can produce the key pair on behalf of the AS.
In the latter case, it will be appreciated that the private key should be securely transported to the AS. Methods exist within the art for this, e.g. multi-part key export and import, and will be apparent to those skilled in the art.
The BTI of the present invention supports the concept of a CA hierarchy for very large deployments. In this case, each CA must have its public key signed by a higher level CA with a chain right back to a root CA. This allows an AS to "walk the chain" of signatures provided by the CA to establish that another AS is part of the scheme. Different forms of asymmetric cryptography exist and are applicable in this scheme, including RSA (Rivest, Shamir, Adleman) and EC (Elliptic Curve) techniques.
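The chain walk just described, as an added example that is not the patent's code: it issues a root CA, a subordinate CA and an AS certificate with EC (P-256) keys using Go's crypto/x509, then verifies a peer AS back to the embedded root. Names, serial numbers and validity periods are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed example of the CA hierarchy the text describes (not the patent's
// code): root CA -> subordinate CA -> authentication server, with the root's
// public key embedded in every AS and a chain walk used to accept a peer AS.
type Credential struct { // a certificate together with its private key
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers; a real CA tracks these

// Issue makes an EC P-256 key pair and a certificate for it, signed by parent,
// or self-signed when parent is nil (a root CA).
func Issue(name string, isCA bool, parent *Credential) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Credential{cert, key}, nil
}

// WalkChain is what an AS does with a peer's certificate: verify each signature
// back to the embedded root. Any break (unknown CA, expired certificate, signer
// that is not a CA) means the peer is not part of the scheme.
func WalkChain(peer *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}
```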
It will be appreciated that the present invention provides for a distributed network having trusted interaction between individual components and that by interfacing with a set of biometric identifiers stored at a remote server that a partner application can authenticate a user identity.
The words "comprises/comprising" and the words "having/including" when used herein with reference to the present invention are used to specify the presence of stated features, integers, steps or components but do not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.

Claims (5)

1. An authentication system adapted to provide an authentication of one or more users over a networked architecture using one or more biometric identifiers previously associated with the users to authenticate the users, the system comprising at least two computing devices at separate nodes in the network: a first device at a first node being adapted to receive a request for authentication of a user connecting to that node, the request for authentication including a biometric identifier provided by the user, the first device being further adapted based on an indicia associated with that user to determine a second device at a second node for the user, the second device having a previously stored biometric identifier associated with the user, the first device being further adapted to forward a request for retrieval at the second device of the previously stored biometric identifier associated with the user to that second device, the second device being adapted upon receipt of the request from the first device to retrieve the previously stored identifier for that user, comparison means adapted to establish an authentication of the user based on a positive comparison between the identifier provided by the user at the first device and one previously stored and associated with the user at the second device.
2. An authentication system adapted to provide an authentication of one or more users over a networked architecture using one or more biometric identifiers previously associated with the users to authenticate the users, the system comprising at least two computing devices at separate nodes in the network: a first device at a first node being adapted to receive a request for authentication of a user connecting to that node, and based on an indicia associated with that user to determine a home device at a second node for the user and to forward a biometric identifier to that home device for authentication, the second device having comparison means adapted to provide for an authentication of the user based on a positive comparison between the identifier provided by the user at the first device and one previously stored and associated with the user at the second device.
3. A method of authenticating the identity of one or more users over a networked architecture the method comprising one or more of the following steps of: a) receiving a request for authentication of a user identity at a first network node, b) determining a home node for that user, the home node having a previously stored biometric identifier associated with the user, c) forwarding a request for authentication of the user to the home node, the request including a biometric identifier captured for that user, the receipt of the biometric identifier at the home node effecting a comparison of the received identifier with the previously stored identifier, d) receiving confirmation at the first node that the user is authenticated upon effecting a match between the received identifier and the stored identifier.
4. A method of authenticating the identity of one or more users over a networked architecture the method comprising one or more of the following steps of: a) receiving a request for authentication of a user identity at a first network node, the request including a biometric identifier associated with the user, b) determining a home node for that user, the home node having a previously stored biometric identifier associated with the user, c) forwarding a request for a copy of the stored identifier to the home node, the request including an identifier associatable with the biometric identifier stored for that user, d) receiving a copy of the previously stored identifier from the home node, e) comparing the retrieved previously stored identifier with the captured identifier and authenticating the user upon confirming a matching set, and wherein the home node only returns a copy of the stored identifier to the first node upon verification of the identity of the first node.
5. An authentication system and/or method as described herein with reference to and as shown in the accompanying drawings.
[Flow chart from the drawings: Receive request for authentication (200); Check local authentication server to ascertain whether biometric is stored locally (205); Contact networked directory service to ascertain location of home database for presented biometric (210); Contact home database to ascertain if presented biometric set matches stored set (215); Authenticate user if set matches.]
IE2002/0190A 2002-03-13 A biometric authentication system and method IES83387Y1 (en)

Publications (2)

Publication Number Publication Date
IE20020190U1 IE20020190U1 (en) 2003-09-17
IES83387Y1 true IES83387Y1 (en) 2004-04-07
