KR20210014827A - Biometric Identification System and its operating method - Google Patents

Abstract

The present invention relates to a biometric identification system for securing a trusted transaction, and an operating method thereof. The operating method of the present invention comprises the steps of: receiving an identity claim; receiving a device identifier (210); authenticating that a peripheral device (130) is a trusted system; deleting a biometric indicator (212) and the device identifier (210) from a vendor server (111); receiving the biometric indicator (212) and a vendor server ID (224); authenticating the biometric indicator (212); and approving the trusted transaction associated with an identification request.

Description

Biometric Identification System and its operating method {Biometric Identification System and its operating method}

The present invention relates to the field of biometric authentication, and more particularly, to an identification system and operation method for access control in an online environment using biometrics.

Customer-oriented computing systems such as point of sale (POS) systems and automatic access control systems typically incorporate security mechanisms designed to reduce losses by improving the accuracy and security of trusted transactions supported by the system. To this end, some organizations have sought to improve convenience, satisfaction, security and profitability by using biometrics technology.

Organizations like theme parks, for example, use biometric technology in the form of fingerprint readers to make it easier for authorized guests to re-enter theme parks, while at the same time reducing ticket fraud by preventing unauthorized use of theme park tickets. . Also, organizations such as casinos, for example, can use biometrics technology in the form of facial recognition to improve customer loyalty programs while reducing casino risk by identifying card counters, scammers and even gambling addicts. Also, for example, government agencies can use biometrics technology to improve targeted services such as identification cards, benefit programs, background checks, passenger screening, suspect identification and visitor tracking.

The use of the aforementioned biometrics technology is a form of user identification. This use allows the organization to identify a person by collating previously recorded biometric indicators with biometric indicators to identify the person. Biometric indicators can be defined as functions unique to one person. For example, biometric indicators can be physiological or behavioral. Biometric indicators include DNA, facial features, fingerprints, iris, voice, and hand geometry, as well as other measurable physical features. Behavioral biometric indicators include gait, speech and typing patterns, and other measurable behavioral traits.

Biometrics technology has become widespread due to a utility that grants users access to resources while denying unauthorized users access to those resources. Many biometric indicators, such as fingerprints, can be captured without inconvenience to the user, and can be collected without the user's knowledge or consent. However, the fact that biometric indicators can be measured quickly and easily is also the biggest threat in using biometric indicators as authentication triggers. In particular, biometric indicators may be difficult to maintain security. For example, because biometric indicators are not significantly altered and are vulnerable, there is a risk of being exposed, lost or stolen. Recovery from biometric indicator violations can be difficult for similar reasons.

Given the sensitivity of a violating biometric indicator, it is often important to maintain the reliable characteristics of a biometric device. Deployed in a network environment, these trusted devices are uniquely addressable using an identifier standard commonly used in software configurations, often referred to as universally unique identifiers (UUIDs) or globally unique identifiers (GUIDs). The purpose of UUIDs is to allow distributed systems to uniquely identify information without significant central coordination.

For the purposes of this disclosure, the word "unique" should be considered to mean "substantially unique" and not "uniquely guaranteed". For example, a UUID can contain a 128-bit or 256-bit value, and the meaning of each bit can be defined by one of several variations to achieve substantial uniqueness over space and time. In other words, because the size of the identifier is limited, two different items can share the same identifier, which is a form of hash collision. The identifier size and generation process should be chosen so as not to cause enough collisions in practice. A device's UUID should be made with reasonable confidence that the same identifier will not be unintentionally created to identify another device. Thus, information labeled with UUID can be combined into a single database later without the need to resolve identifier conflicts.

To further reduce the chance of collision, a "guaranteed" UUID may contain a reference to the network address of the trusted device that generated the UUID, and a timestamp (eg, a record of the exact time of the transaction request). Includes randomly generated components. Since the network address identifies a unique device and the timestamp is unique for each UUID generated on a particular host, these two components are considered in the computing industry to ensure full originality. Randomly generated UUID elements can be added as a means of protection against unexpected problems.

Also, for purposes of definition, an Internet Protocol address (IP address) is a numeric label assigned to an automated device (e.g., computer, printer) configured to participate in a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: host or network interface identification and location.

This background information is provided to indicate information that the applicant believes may be relevant to the present invention.

Accordingly, an object of the present invention is to provide a biometric identification system and operation method for securing a trusted transaction by using a biometric identification system including a peripheral device, a vendor server, and an authentication server through the biometric identification system and operation method of the present invention. .

The biometric identification authentication system and operation method of the present invention include a biometric identity verification system including a peripheral device 131, a vendor server 111, and a verification server 101. ), when executed by a plurality of computer processors (112, 102),

Receiving an identity claim including a biometric indicator 212 using a biometric scanner application 132 executed by the peripheral device 130, and

Receiving the biometric indicator 212 and a device identifier 210 for the peripheral device 130 using a communication subsystem 115 executed by the vendor server 111; and

By comparing the device identifier 210 with the vendor server ID 224 of the vendor server 111 using the communication subsystem 115 on the vendor server 111, the peripheral device 130 is a trusted system (trusted system). system), and

An identification request including the biometric indicator 212 and the vendor server ID 224 is transmitted to the authentication server 101 using an authorization subsystem 114 running on the vendor server 111 Next, erasing the biometric indicator 212 and the device identifier 210 from the vendor server 111,

Receiving the biometric indicator 212 and the vendor server ID 224 using an account management subsystem 104 executed by the authentication server 101,

Authentication of whether the vendor server ID 224 matches the stored vendor server ID 234 for the vendor server 111 using the account management subsystem 104 executed by the vendor server 101 The steps to do,

Using an identity verification subsystem 105 executed by the authentication server 101, translating the biometric indicator 212 into an encryption value 232, and the encryption value When the first match with one of a plurality of stored cipher records defined as a cipher record matched with (232) is detected, an identification authentication flag defined as a pulse is generated. Authenticating the biometric indicator 212, and

Applying a trusted transaction linked to the identification request by receiving the pulse using the authorization subsystem 114 executed by the vendor server 111

Each computer processor (112, 102) containing a plurality of instructions to perform the method comprising each non-volatile computer readable forming a plurality of non-transitory computer-readable storage media (computer-readable storage media) It features possible storage media 113, 103.

The present invention biometric identification system and operation method has a remarkable effect for securing a trusted transaction by using a biometric identification system including a peripheral device, a vendor server, and an authentication server.

1 is a schematic block diagram of a biometric identification system according to an embodiment of the present invention.
FIG. 2 is an exemplary diagram of an exemplary data structure maintained and used by the biometric identification system shown in FIG. 1.
3A, 3B, and 3C are diagrams illustrating exemplary pattern analysis graphs respectively applied to iris biometrics, fingerprint biometrics, and voice biometrics generated by a biometric identification system according to an embodiment of the present invention.
4 is a detailed flowchart illustrating a method of processing an authentication event by a peripheral device used in connection with the biometric identification system according to an embodiment of the present invention.
5 is a flowchart illustrating a method of processing an authentication event by a vendor server used in connection with a biometric authentication identification system according to an embodiment of the present invention.
6 is a flowchart illustrating a method of processing an authentication event by an authentication server used in connection with a biometric identification system according to an embodiment of the present invention.
7 is a block diagram of a machine in an exemplary form of a computer system according to an embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the present invention may be embodied in many different forms, and should not be construed as being limited to the embodiments described herein. Rather, these embodiments are provided so that the present disclosure may be made thorough and complete, and will fully convey the scope of the present invention to those skilled in the art. Those of ordinary skill in the art can appreciate that the following description of the embodiments of the present invention is illustrative and is not intended to be limiting in any way. Other embodiments of the present invention will be easily proposed to those skilled in the art having the advantages of the present disclosure. The same number refers to the same element.

While the following detailed description contains a number of detailed descriptions for purposes of illustration, those skilled in the art will appreciate that many modifications and variations to the following detailed description are within the scope of the present invention. Accordingly, the following embodiments of the present invention are disclosed without loss of generality to the claimed invention, and without imposing limitations on the invention.

In this detailed description of the present invention, directional terms such as “upper”, “lower”, “upper”, “lower” and other similar terms are used for the reader's convenience with reference to the drawings. In addition, one of ordinary skill in the art should understand that this description may include location, orientation and other terms to convey orientation without departing from the principles of the invention.

In addition, in this detailed description, those skilled in the art generally refer to quantitatively defining terms such as "generally", "substantially", "most" and other terms, in which information about the object, characteristic, or quality referred to is generally Make up most of the subject The meaning of any of these terms depends on the context in which the term is used, and the meaning may be explicitly modified.

A biometric identification system according to an embodiment of the present invention will be described in detail with reference to FIGS. 1 to 7. Throughout this specification, the present invention provides an online identification system, an identification system, a biometric authentication system, a biometric identification system, a verification system, a verification service, a verifier, an apparatus, a system, a product, a service and a method. Those skilled in the art will understand that this term is exemplary only and does not affect the scope of the invention. For example, the present invention can easily relate to physical access control and computational forensic techniques.

Exemplary systems and methods for biometric identification systems are described below. In the following description, for purposes of explanation, a number of specific details are set forth in order to provide a thorough understanding of the exemplary embodiments. However, it will be apparent to those skilled in the art that the invention may be practiced without these specific details and/or with different combinations of details than those given herein. Accordingly, specific embodiments are provided for a simplified description rather than a limiting description.

As illustrated and described by the various drawings and accompanying texts, an embodiment of the present invention includes a peripheral device, a vendor server, and an authentication server configured to operate to verify identity claims using biometric indicators. It provides a biometric identification system and protects biometric indicators from intrusion by cooperating with algorithms executed in each vendor server and authentication server.

For example, without limitation, referring to FIG. 1 further, the biometric authentication identification system 100 according to an embodiment of the present invention may include an authentication server 101, and the authentication server 101 is a vendor server. Two or more of each of the one or more peripheral device(s) 130 and the supply server(s) 110 are connected to the broadband network 120 via a network connection, eg, the Internet. Similarly, two or more of the respective vendor server(s) 111 and the authentication server 101 may be coupled to a wide area network 120 such as the Internet by using a network connection. The peripheral device 130 may also be directly connected to the vendor server 111 as described in more detail below.

The peripheral device 130 may include a biometric scanning device 131. For example, without limitation, the biometric scanning device 131 may use a biometric scanner application 132 operable to acquire a mathematical image of a user's unique physical or behavioral characteristic (eg, biometric indicator). I can. 3A, 3B, and 3C, the biological indicators captured and processed by the biometric scanning device 131 include one or more iris patterns 302, fingerprint patterns 304, and voice patterns 306. Can contain The biometric scanning device 131 uses an encryption application 134 operable to encrypt the biometric indicator generated by the biometric scanner application 132 before transmitting it from outside the direct control of the biometric scanning device 131. These data can be obtained advantageously.

The user of the biometric scanning device 131 may be a potential consumer or current consumer of protected data and/or functions that are made available by a service provider (eg, a vendor). The consumer may interact with various servers included in the biometric identification system 100 through the peripheral device 130. For example, a consumer may include individuals seeking access to protected data and/or automated systems. Also, for example, consumers can include, without limitation, individuals or companies wishing to conduct business transactions online using e-commerce web pages.

Continuing with reference to FIG. 1, the vendor server 111 may include a web host operable for online transaction processing (OLTP). For example, services typically provided by vendor server 111 may include virtual stores, online marketplaces, demographic data collection, electronic data exchange, online marketing, and secure business transactions. These services typically manipulate content whose access is restricted by privacy policies (e.g. social networking websites) or commercial needs (e.g. e-commerce websites).

The vendor server 111 may include a web host operable to provide an authentication service for securing a trusted transaction that can be initiated using the peripheral device 130. For example, the vendor server 111 receives a query to determine whether the requesting individual has the authority to perform the requested electronic transaction. While such authentication events may serve to establish a basic level of trust for user identity claims provided electronically to the vendor server 111, subscriptions to credential services provided by a trust registrar generally do not require an identity claim. It is used for further verification, thereby increasing the level of confidence in the identity claim. Such a registration authority, commonly referred to as a credential service provider (CSP), may use the authentication server 101 of the biometric identification system 100 for this purpose.

For example, without limitation, the vendor server 111 may include a processor 112 capable of receiving and executing computerized instructions, and also a data storage 113 capable of storing data and instructions used by the processor. ) More specifically, the processor 112 may be deployed in data communication with some number of authentication servers 101 and some number of peripheral devices 130. The processor 112 may be operated to direct input from other components of the biometric identity. It connects the verification system 100 to the data store 113 for storage and subsequent retrieval. For example, the processor 112 may communicate data with external computing resources such as the peripheral device 130 and the authentication server 101 through each direct connection and/or through a network connection to a wide area network. It includes a network interface 119 which is facilitated by interface 119.

Authentication subsystem 114 instructions, communication subsystem 115 instructions, and transaction subsystem 116 instructions are stored in data store 113 and can be retrieved by processor 112 for execution. The authentication subsystem 114 may be operable to advantageously receive and analyze the access request data and/or transaction request data submitted from the peripheral device 130 by the requesting party (eg, a user) making an identity claim. The communication subsystem 115 operates to advantageously facilitate automatic interaction with a trust system (e.g., a trusted system type of peripheral device 130) and a credential service provider (e.g., authentication server 101). can do. The transaction subsystem 116 may be operable to advantageously perform a trusted transaction for the requesting party upon authentication and/or verification of the identity of the requesting party.

Reference is continued to FIG. 1. As shown in FIG. 1, the authentication server 101 includes a processor 102 capable of receiving and executing computerized instructions, and a data storage 103 capable of storing data and instructions used by the processor 102. It may include. Enables data communication with several vendor servers 111 that may be deployed in data communication with 130. The processor may transfer data from other components of the biometric identification system 100 for data storage storage and subsequent retrieval. For example, without limitation, the processor 102 may directly access and/or a network interface 109 It is possible to communicate data with external computing resources such as the vendor server 111 through a network connection to the wide area network 120 facilitated by ).

The account management subsystem 104 instructions, the identification subsystem 105 instructions, and the report generation subsystem 106 instructions are stored in the data store 103 and can be retrieved by the processor 102 for execution. The account management subsystem 104 may operate to create and maintain verification accounts for vendors seeking credential services. The identity verification subsystem 105 may be operable to respond to authentication and/or transaction requests with an indication of the authenticity of the requester's identity claim (defined as a pulse). The report generation subsystem 106 may be operable to format and display validation metrics and system health indicators.

For those of skill in the art, the present invention is not limited to any of the operations related to identification, such as access request and transaction request processing, authentication services, verification services, personal identification, personal identification, and personal identification, or We will consider the use of computer commands that can perform all actions. This includes information collection and storage, and reliable transaction risk handling. The initiation of computer instructions, including authentication subsystem instructions, communication subsystem instructions, transaction subsystem instructions, account management subsystem 104 instructions, ID verification subsystem 105 instructions, and report generation subsystem 106 instructions, anyway. . Those skilled in the art will readily understand that the stored computer instructions can be configured in any way while still achieving many of the objects, features and advantages in accordance with the present invention.

Subsequently, with reference to FIG. 1 and further with reference to FIG. 2, the data structure 207 existing on the peripheral device 130 will be described. For example, without limitation, the peripheral device 130 uses the biological scanner application 132 to scan the biological characteristics of the person making the claim and generate a numerical representation of the biological characteristics (i.e., biometric indicator 212). can do. In an embodiment of the present invention, the peripheral device 130 may encrypt the biometric indicator 212 by selectively using the encryption application 134. Encryption can achieve data security by requiring access to a secret key or password that allows the reader to decrypt the biometric indicator 212. Peripheral device 130 may also include a hardware identifier and optionally a hash value. It is possible to maintain the UUID (210).

With continuing reference to FIGS. 1 and 2, the data structure 208 existing on the vendor server 111 will be described. For example, without limitation, the vendor server 111 uses the communication subsystem 115 to receive the biometric indicator 212 from the peripheral device 130 as well as the UUID 210 of the device and these two values The representations of are provided to the vendor server 111 as data structures 222 and 212, respectively. In one embodiment of the present invention, the vendor server 111 recognizes the peripheral device 130 as a trusted resource using the authenticated subsystem 114, and, for example, non-limitingly, CSP. The vendor server 111 may also maintain an IP address 224 that can uniquely label that server (a label defined as the vendor server ID) on the network. In some embodiments, the vendor server ID may be some other type of identifier other than the IP address 224.

With continued reference to FIGS. 1 and 2, the data structure 209 existing on the authentication server 101 will be described. For example, but not limitedly, the authentication server 101 not only receives the biometric indicator 212 from the peripheral device 130 using the account management subsystem 104, but also supplies the biometric indicator 212 to the vendor. It is transmitted to the IP address 234 of the server (Vender Server) 111. In one embodiment of the present invention, the authentication server 101 also converts the biometric indicator 212 into an encryption value 232 using the identity verification subsystem 105, and the verification algorithm By applying, a pass or fail flag (ie, pulse) to return to the vendor server 111 is generated.

Referring now to FIGS. 1 and 2 with reference to FIG. 4, a method aspect of performing a trusted transaction using the peripheral device 130 of the identification system 100 according to an embodiment of the present invention is provided. For example, without limitation, the user may interact with the peripheral device 130 to prompt authentication and verification control guidance from the vendor server 111 and/or the authentication server 101. More specifically, the user may generate an access/transaction request (hereinafter, “user request”) using the peripheral device 130 and transmit the request to the supplier server 111 through the wide area network 120.

For example, without limitation, from the beginning of block 405, the biometric scanner application 132 of the peripheral device 130 may poll for input (block 415 ). Polling may involve checking the input, and if no input is detected at block 415, it forces a time delay (block 497) before re-checking the input. If the automated method during polling receives a completion call (block 475), the process ends at block 499.

Upon detecting the scanned biometric input at block 415, the method may operate at block 420 to capture a mathematical image of the user's biological characteristics (hereinafter, biometric indicator 212). Those skilled in the art will immediately recognize that the peripheral device 130 and/or multiple peripheral devices 130 may operate to capture one or more biometric indicators 212 for subsequent transmission to the vendor server 111 for subsequent processing. something to do. In addition, the biometric indicator 212 may include, for example, (but not limited to) a multifactor biometric indicator including a combination of an image of a voice (Figure 3C), an iris (Figure 3A) and a fingerprint (Figure 3B). I can. Likewise, this method can capture other data as part of a user request, such as a username, password, and response to fact-based questions (e.g. mother's maiden name).

If at block 420 it is determined that the attempt to receive the biometric indicator 212 has failed (block 425), the biometric scanner application 132 may indicate an input error before returning to input polling (block 425). (450)). Upon successfully receiving the biometric indicator at block 425, the encryption application 134 sends an identity claim including the biometric indicator 212 at block 440 and adds the UUID 210 of 130). It can be sent to both the vendor server 101 and the authentication server 101 for processing (block 442). Before returning to input polling, the biometric scanner application 132 may confirm successful transmission of the identity claim (block 445). Depending on the result of this transmission check, the biometric scanner application 132 may optionally flag an input error before returning to input polling (block 450).

With continued reference now to FIGS. 1 and 2 with reference to FIG. 5, aspects of a method of executing a trusted transaction using a vendor server 111 of an identity verification system 100 in accordance with an embodiment of the present invention are discussed. . For example, without limitation, the vendor server 111 may interact with the peripheral device 130 to authenticate trusted hardware and request verification control instructions from the authentication server 101. More specifically, the vendor server 111 may manage verification of the identity verification submitted from the peripheral device 130 in order to support the user's trusted transaction request input from the peripheral device 130.

For example, without limitation, from the beginning of block 505, the communication subsystem 115 of the vendor server 111 may poll for input (block 515). For example, at block 513, communication subsystem 115 may monitor a data channel (eg, interface 119 to wide area network 120) for input. Polling may involve checking the input, and when no input is detected at block 515, it forces a time delay (block 587) again before the input check. If the automated method receives a completion call during polling (block 585), the process ends at block 599.

In block 530, the authentication subsystem 114 analyzes the device identifier (UUID) 210 so that the peripheral device 130 (that is, the peripheral device 130) is a biometric indicator 222, a biometric indicator. Transmitting 222 is a trust system. For example, a biometric scanner hardware correlated with a service vendor (for example, a device identifier (UUID) 210 correlated to the IP address 224 on the vendor server 111) may qualify as a trusted system. .

At block 535, if it is determined that the received device identifier (UUID) 210 is not of the trusted system, the authentication subsystem 114 flags a device error (block 550), and the transaction subsystem ( 116) to receive the requested transaction (e.g., a transaction access failure message) (block 560) before returning to the reject input poll. Upon successfully identifying the device identifier (UUID) 210 as of a trusted device in block 535, the authentication subsystem 114 authenticates the verification pass or fail flag (ie, pulse) from the authentication server 101. The server verifies whether the augmented identity claim matches the verification record maintained by the authentication server 101.

For example, if a biometric match is found by the authentication server 101 at block 565, the authentication subsystem 114 may signal or pass (block 580) a transactional access authorization before returning to input polling. I can. In one embodiment of the present invention, a successful verification at block 565 may activate the transaction subsystem 116 to service an automated request (block 580) initiated from a trusted peripheral device 130. .

5, if no biometric match was found by the authentication server 101 at block 565, and then the past registration of the vendor was not detected by the authentication server 101 at block 575, Block 560 authentication subsystem 114 may reject the requested transaction before returning to input polling (block 560). Conversely, if a vendor's past registration is detected (block 575), the authentication subsystem 114 sends an identification record (block 577) to the authentication server 101 (block 579) for further verification. Can be saved as a new account for purposes. The authentication subsystem 114 may execute the requested transaction before returning to input polling (block 580). One of ordinary skill in the art will immediately recognize that multiple vendors can each have a unique response of either negative or positive pulses.

With continued reference to FIGS. 1 and 2 with reference now to FIG. 6, a method aspect of securing a trusted transaction using the authentication server 101 of the identity verification system 100 according to an embodiment of the present invention is discussed. For example, without limitation, the authentication server 101 may interact with the vendor server 111 to provide verification control instructions while maintaining data security for the input biometric indicator. More specifically, the authentication server 101 can manage the history of the submitted biometric indicators, and can use these history records to verify the increased identity request submitted from the account-holding supplier server 11-1. have.

For example, without limitation, from the beginning of block 605, account management subsystem 104 of authentication server 101 may poll for input (block 615). For example, without limitation, at block 617 account management subsystem 104 may monitor a data channel (eg, interface 109 to wide area network 120) for input. Polling may involve checking the input, and when no input is detected at block 615, it enforces a time delay (block 697) before re-checking the input. If the automated method receives a completion call during polling (block 695), the process ends at block 699.

Upon detecting the input at block 615, the method may operate at block 620 to receive the biometric indicator 212 and UUID 210 of the peripheral device 207 (see 131). At block 625, if the received input is determined in an unrecognized format and/or is in error in another way (e.g., the UUID 210 of the peripheral device 207 is the account holder's vendor IP The address 234 account management subsystem 104 flags an error (block 660) before returning to input polling, and may send an identity verification failure message to the vendor server 111 in the form of a pulse ( Block 692. For example, a service request log (which contains an invalid request as described above) may be written to the data store 103 for subsequent retrieval and reporting by the report generation subsystem 106 .

Upon successful input reception at block 625, the identification subsystem 105 may translate the biometric indicator 212 into the cryptographic value 232 using a locally loaded and secure cipher (block 630 )). For example, without limitation, the encryption value 232 may not contain any information about the querying vendor, regardless of the vendor for which the user asserts the identity, so that any user has the same encryption value 232 . Formatting of the encryption value 232 can allow manipulation and comparison without infringing on its original content (eg, biometric indicator 212).

At block 640, the identification subsystem 105 may compare the encryption value 232 to the stored record captured during a previous transaction verification operation. If the encryption value 232 is found to match the verification record maintained by the authentication server 101 (block 645), then the ID verification subsystem 105 determines that the matching verification matches the encryption value 232 and the vendor. It may be determined whether to include the association of (block 675). If a vendor affiliation exists, the identification subsystem 105 flags the identification success (block 690), and a notification to the vendor server 111 of the biometric matching found by the authentication server 101 ( If there is no vendor association at block 675 before returning to block 692) input polling, then the identification subsystem 105 flags the identification success (block 690) and the vendor server 111 ) Before returning to notification, entering the identification value vendor and encryption value 232 Before returning to polling, a biometric match (block 692) in the form of a pulse is performed.

If it is found that the cryptographic verification value 232 does not match the verification record maintained by the authentication server 101 (block 645), then at block 665, the identity verification subsystem 105 is sent to the investigator (e.g., The, user, mismatched encrypted value 232 is stored in the data store 103 (see block 577 in Figure 5). If no such storage direction exists, the identification subsystem 105 will return the pulse before returning. A match error can be flagged in the form (block 660), and an identity verification failure message can be sent to the vendor server 111 (block 692), and polling is input. If a save instruction exists, the identity verification sub-sub. System 105 may store encryption value 232 as a new record in data store 103, and vendor (block 680) examining encryption value 232 before flagging identification (block 690). ), return to the supplier server 111 of biometric authentication match (block 692) in the form of pulses, and return to input polling.

One of ordinary skill in the art will note that one or more aspects of the invention may be practiced on a computing device. Those of skill in the art will also note that a computing device can be understood as any device with a processor, memory unit, inputs and outputs. This may include, but is not limited to, cellular phones, smart phones, tablet computers, laptop computers, desktop computers, personal digital assistants, and the like. 7 shows a model calculation apparatus in the form of a computer 810, in which one or more computer-implemented steps may be performed in implementing the method aspects of the present invention. Components of the computer 810 may include a processing unit 820, a system memory 830, and a system bus 821 coupling various system components, including system memory, to the processing unit 820, but It is not limited. The system bus may be any of several types of bus structures including memory buses or memory controllers, peripheral buses, and local buses using any of a variety of bus structures. For example, these architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect PCI).

Briefly, encryption unit 825 has computational functions that can be used to verify digital signatures, calculate hashes, digitally sign hash values, and encrypt or decrypt data. The encryption unit 825 may also have a protected memory for storing keys and other secret data. In another embodiment, the function of the encryption unit may be illustrated in software and executed through an operating system.

Computer 810 generally includes a variety of computer-readable media. Computer-readable media may be any available media that can be accessed by computer 810, and includes both volatile and nonvolatile media, removable and non-removable media. For example, without limitation, computer-readable media may include computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage device, magnetic cassette, magnetic tape, magnetic disk storage device, or other magnetic storage device, or It can be any other medium that can be used to store the desired information and can be accessed by computer 810. Communication media is typically used as a carrier wave or other transmission mechanism for computer readable instructions, data structures, program modules or other data and includes all information delivery media. The term "modulated data signal" refers to a signal that has set or changed one or more characteristics in a manner that encodes information in the signal. By way of example, the communication medium includes, but is not limited to, a wired medium such as a wired network or a direct wired connection, and a wireless medium such as sound, radio frequency, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.

System memory 830 includes computer storage media in the form of volatile and/or nonvolatile memory such as read-only memory (ROM) 831 and random access memory (RAM) 832. Data containing basic routines that help transfer information between elements within computer 810, such as during startup, are generally stored in ROM 831. RAM 832 typically includes data and/or program modules that are readily accessible to processing unit 820 and/or are currently operated by processing unit 820. 7 includes an operating system (OS) 834, an application program, another program module 836 and program data 837.

Computer 810 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, FIG. 7 shows a hard disk drive 841 reading or writing from a non-removable, nonvolatile magnetic medium, a magnetic disk drive 851 reading from or writing to a removable, nonvolatile magnetic disk 852, a CD ROM, or And an optical disk drive 855 that reads from or writes to a removable, nonvolatile optical disk 856 such as other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that may be used in the exemplary operating environment include magnetic tape cassettes, flash memory cards, digital versatile disks, digital videotape, solid state RAM, solid state ROM, and the like. The hard disk drive 841 is typically connected to the system bus 821 via a non-removable memory interface such as interface 840, and the magnetic disk drive 851 and optical disk drive 855 are typically interface 840 and It is provided as the system bus 821 interface 850 by the same removable memory interface.

The drives and associated computer storage media discussed above and shown in FIG. 7 provide storage of computer readable instructions, data structures, program modules, and other data for computer 810. In FIG. 7, for example, a hard disk drive 841 is shown to store an OS 844, an application program 845, another program module 846 and program data 847. These components include OS 834, application program 835, other program modules 836, OS 844, application programs 845, other program modules 846 and program data 847 to be at least different copies. Different numbers are given to indicate that they can. A user may enter commands and information into the computer 810 through input devices such as a keyboard 862 and a cursor control device 861, which are generally referred to as a mouse, trackball, or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, and the like. These and other input devices are often connected to the processing unit 820 through a user input interface 860 that is coupled to the system bus, but may be connected by other interfaces and bus structures such as parallel ports, game ports, or universal serial ports. Can be a bus (USB). A monitor 891 or other type of display device is also connected to the system bus 821 via an interface such as a graphics controller 890. In addition to the monitor, the computer can be connected to other peripheral output devices such as speaker 897 and printer 896, which can be connected via output peripheral interface 895.

Computer 810 may operate in a network environment using logical connections to one or more remote computers, such as remote computer 880. The remote computer 880 may be a personal computer, server, router, network PC, peer device, or other common network node, typically only the memory storage device 881 is shown in FIG. 7, but is associated with the computer 810. Include many or all of the elements described above. The logical connection illustrated in FIG. 7 may include a local area (LAN) 871 and a wide area network (WAN) 873, but may include other networks 140. Such networking environments are common in offices, enterprise-wide computer networks, intranets, and the Internet.

When used in a LAN networking environment, the computer 810 is connected to the LAN 871 via a network interface or adapter 870. When used in a WAN networking environment, the computer 810 is typically via a WAN 873, such as a modem 872 or other means for establishing communication over the Internet. The modem 872, which may be internal or external, may be connected to the system bus 821 through a user input interface 860 or other suitable mechanism. In a network environment, a program module illustrated in relation to the computer 810 or a part thereof may be stored in a remote memory storage device. By way of example and not limitation, FIG. 7 shows that a remote application program 885 resides on memory device 881.

Communication connections 870 and 872 allow a device to communicate with other devices. Communication connections 870 and 872 are examples of communication media. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism and includes any information delivery media. A "modulated data signal" may be a signal in which one or more of its characteristics are set or changed in such a way as to encode information in the signal. By way of example, communication media include, but are not limited to, wired media such as a wired network or direct wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Computer-readable media may include both storage media and communication media.

For those of skill in the art, the present invention will contemplate the use of a data structure capable of storing information to support some or all of the operations associated with delivering authentication and verification services. The disclosure of the above exemplary data structures is not intended to be limiting in any way. Those skilled in the art will readily appreciate that the data structure may contain any number of additional or alternate real-world data sources, and may be structured in any manner while still achieving many of the objects, features, and advantages in accordance with the present invention.

Some of the exemplary aspects of the present invention may be advantageous in solving the problems described herein and other discussed problems that cannot be found by those skilled in the art.

While the above description includes many specificities, these should not be construed as limiting the scope of any embodiment, but as illustrations of the presented embodiments. A variety of other derivatives and variations are possible within the teachings of the various embodiments. Although the present invention has been described with reference to exemplary embodiments, those skilled in the art will understand that various changes may be made and equivalents may be substituted with the components thereof without departing from the scope of the present invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from the essential scope of the invention. Accordingly, the present invention is not limited to the specific embodiments disclosed as the best or only mode contemplated for carrying out the present invention, and the present invention will cover all embodiments that fall within the scope of the appended claims. In addition, in the drawings and detailed description, exemplary embodiments of the present invention are disclosed, and specific terms may be used, but unless otherwise stated, they have been used in a comprehensive and technical sense, and are not used for the purpose of limitation, Scope Therefore, the scope of the present invention is not limited thereto. Also, the use of terms such as first and second does not indicate any order or importance, and rather, terms such as first and second are used to distinguish one component from another. In addition, the use of the terms a, an, etc. does not indicate a limitation of quantity, but indicates the presence of at least one of the mentioned items.

Accordingly, the scope of the present invention should be determined not by the examples given, but by the appended claims and their legal equivalents.

100: biometric authentication identification system 101: authentication server
102, 112: processor 103: data store
104: account management subsystem 105: identification subsystem
106: Report Generation Subsystem
110: supply unit server 111: vendor server
113: data store 114: authentication subsystem
115: communication subsystem 116: transaction subsystem
119: network interface 120: broadband network
130: peripheral device 131: biometric scanning device
132: biometric scanner application 134: encryption application
140: other networks 207: data structure
208: data structure 210: device identifier (UUID)
212: biometric indicator 222: biometric indicator
224, 234: Vendor Server ID 232: Encryption value
302: iris pattern 304: fingerprint pattern
306: voice pattern 810: computer
820: unit 821: system bus
825: encryption unit 830: system memory
831: read-only memory (ROM) 832: random access memory (RAM)
834, 844: operating system (OS) 836: module
837: program data 840: interface
841: hard disk drive 845: application program
847: program data 850: system bus interface
851: magnetic disk drive 855: optical disk drive
856: optical disc 861: cursor control device
862: keyboard 871: local area (LAN)
872: modem 873: wide area network (WAN)
880: remote computer 881: memory storage device
885: remote application program 890: graphic controller
891: monitor 895: peripheral interface
896: printer 897: speaker

Claims (14)

As a method of operating a biometric identity verification system including a peripheral device 131, a vendor server 111, and a verification server 101, a plurality of computer processors ( 112, 102),
Receiving an identity claim including a biometric indicator 212 using a biometric scanner application 132 executed by the peripheral device 130, and
Receiving the biometric indicator 212 and a device identifier 210 for the peripheral device 130 using a communication subsystem 115 executed by the vendor server 111; and
By comparing the device identifier 210 with the vendor server ID 224 of the vendor server 111 using the communication subsystem 115 on the vendor server 111, the peripheral device 130 is a trusted system (trusted system). system), and
An identification request including the biometric indicator 212 and the vendor server ID 224 is transmitted to the authentication server 101 using an authorization subsystem 114 running on the vendor server 111 Next, erasing the biometric indicator 212 and the device identifier 210 from the vendor server 111,
Receiving the biometric indicator 212 and the vendor server ID 224 using an account management subsystem 104 executed by the authentication server 101,
Authentication of whether the vendor server ID 224 matches the stored vendor server ID 234 for the vendor server 111 using the account management subsystem 104 executed by the vendor server 101 And the steps to do,
Using an identity verification subsystem 105 executed by the authentication server 101, translating the biometric indicator 212 into an encryption value 232, and the encryption value When the first match with one of a plurality of stored cipher records defined as a cipher record matched with (232) is detected, an identification authentication flag defined as a pulse is generated. Authenticating the biometric indicator 212, and
Applying a trusted transaction linked to the identification request by receiving the pulse using the authorization subsystem 114 executed by the vendor server 111
Each computer processor (112, 102) containing a plurality of instructions to perform the method comprising each non-volatile computer readable forming a plurality of non-transitory computer-readable storage media (computer-readable storage media) A method of operating a biometric identification authentication system, characterized by possible storage media (113, 103). The method of claim 1,
A method of operating a biometric identification authentication system in which the device identifier 210 has a universally unique identifier UUID. The method of claim 1,
The method of operating a biometric identification authentication system in which the vendor server ID (224) is an IP address linked to the vendor server. The method of claim 1,
The method of operating a biometric identification authentication system further comprising the step of linking the vendor server ID to the matched cipher record in the authentication step of the biometric indicator (212). The method of claim 1,
The authentication step of the biometric indicator 212 is:
Storing the encryption value (232) in a second record of the plurality of stored cipher records,
Linking the vendor server ID 224 to the second record, and transmitting a message indicating the association of the vendor server ID 224 with the second record to the vendor server 111 How the measurement identification authentication system works. The method of claim 1,
And executing a trust transaction linked to the identification request using the transaction subsystem (116) of the vendor server (111) when the first match is detected. A peripheral device 130,
With the vendor server 111, and
A computer system having an authentication server 101 including a memory and a data store 103,
The peripheral device 130 operates to receive an identification request including a biometric indicator 212,
The vendor server 111 operates to receive the biometric indicator 212 and the device identifier 210 for the peripheral device 130 using the communication subsystem 115 running on the vendor server 111 And
The vendor server 111 also compares the device identifier 210 with the vendor server ID 210 of the vendor server 111 using a communication subsystem 115 running on the vendor server 111 Operate to authenticate that the peripheral device 130 is a trusted system,
The vendor server 111 transmits the biometric indicator 212 and the vendor server ID 224 to the authentication server 101 using the authorization subsystem 114 on the vendor server 111, and then the It operates to delete the biometric indicator 212 and the vendor server ID 224 from the vendor server 111,
The identification server 101 receives the biometric indicator 212 and the vendor server ID 224, and the vendor server ID 224 using the account management subsystem 104 running on the authentication server 101 Operates to authenticate whether it matches the vendor server ID 234 stored for the vendor server 111,
Converting the biometric indicator 212 into an encrypted value,
When the first match with one of the plurality of stored cipher records defined as the cipher record matched with the encryption value 232 is detected, an identification authentication flag defined as a pulse is generated,
Operates to authenticate the biometric indicator 212, and
A computer system operative for the vendor server 111 to authorize a trusted transaction associated with the identification request by receiving the pulse. The method of claim 7,
A computer system in which the device identifier 210 comprises a universally unique identifier (UUID). The method of claim 7,
A computer system in which the vendor server ID (224) is an IP address associated with the vendor server. The method of claim 7,
A computer system operative in which the authentication server 101 also associates the vendor server ID 224 with a matched cipher record. The method of claim 7,
The computer system operative to cause the authentication server (101) to also store the encryption value (232) in a second of a plurality of stored cipher records, and to associate the vendor server ID (224) with the second record. The method of claim 7,
A computer system operative to execute the trusted transaction when the authentication server 101 also receives the pulse. A method of operating a biometric identification authentication system including a peripheral device 130, a vendor server 111, and an authentication server 101, when executed by a plurality of computer processors 112 and 102. Non-volatile computer-readable storage media,
Receiving an identification request including a biometric indicator 212 using a biometric scanner application 132 executed by the peripheral device 130, and
Receiving the biometric indicator 212 and the device identifier 210 for the peripheral device 130 using the communication subsystem 115 executed by the vendor server 111,
The peripheral device 130 is a trusted system by comparing the device identifier 210 with the vendor server ID 224 of the vendor server 111 at all times using the communication subsystem 115 on the vendor server 111. The steps to authenticate,
The biometric indicator 212 and the vendor server ID 224 are transmitted to the authentication server 101 using the authorization subsystem 114 running on the vendor server 111, and then the biometric indicator 212 ) And the vendor server ID 224 from the vendor server 111,
Receiving the biometric indicator 212 and the vendor server ID 224 using the account management subsystem 104 executed by the authentication server 101;
The biometric indicator 212 is converted into an encryption value using the identification subsystem 105 executed by the authentication server 101, and the encryption value is not matched with any of the stored plurality of cipher records. If not detected, generating an identification authentication flag defining an identity verification fail, and
A plurality of instructions for performing a method comprising the step of disallowing a trusted transaction associated with the identification request by receiving the identification authentication flag using the authorization system 114 executed by the vendor server 111 A method of operating a biometric identification authentication system, characterized in that each computer processor (112, 102) and each non-volatile computer-readable storage medium (113, 103) including the. The method of claim 13,
The method of operating a biometric identification authentication system further comprising executing a transaction access fail using the transaction subsystem 116 of the vendor server 111.

Images