BIOMETRICALLY ENABLED PRIVATE SECURE INFORMATION REPOSITORY
* * * * *
BACKGROUND OF THE INVENTION
This invention relates generally to a private system to store and retrieve all types of information with the use of biometrics for authentication and encryption techniques for security.
In this age of the information highway, virtually all personal and financial information is stored within computer systems. Yet this information tends to be scattered among different organizations, like: Federal and local government, bank, merchant, and educational facilities. For this reason, access to all stored information from one source is virtually impossible, or, at the very least impracticable. Furthermore, in certain cases access to information requested by its provider, or owner, is restricted.
In today's information age, users are required to provide personal information freely, however, their access to that information may be strictly prohibited. Merchants normally require financial information to complete transactions, yet they are t-nlikely to divulge any credit data regarding that individual. Governmental agencies usually maintain a detailed profile database on all individuals, but some, or all, of this information is not accessible to the respective individuals. However, when governmental agencies do allow people to access their information, these venues can be described as inconvenient, limited in accessible hours, entailing waiting on long lines, and inadequate service. These facilities may include: county courthouses, departments of motor vehicles, departments of welfare services, departments of housing, departments of immigration and naturalization services, and the various other government agencies. A major reason the government will not allow computer access to personal information is due to security and identity verification issues. The feasibility of a secure solution has made convenient access impracticable.
There is not one entity currently available to house all personal information for convenient retrieval. Personal information may include, but is not limited to: leases, deeds, passports, birth certificates, wills, trusts, driver's Hcenses, bank account information, credit information, commercial transaction information, educational information, and citizenship information.
Even if a secure system was were available, security issues would make people hesitant to supply their personal information electronically. Hackers may attempt to compromise computer systems to conduct vandalism, espionage, and theft. It is possible for hackers to gain successful, unauthorized access to computer systems.
Even for systems with nearly absolute security, by allowing access only to authorized individuals, there is still the danger of fraud through the impersonation of an authorized user. For example, bad checks are abundant within the stream of commerce, mdividuals may steal checks and forge signatures.
Other computer systems designs do not reflect the issue of security as a primary concern. Some systems utilize passwords in the form of alphanumeric characters, which can be easily guessed using algorithms capable of generating random combinations of numbers and letters. This type of security is further susceptible to user negligence, e.g., forgotten, lost, stolen, or intercepted passwords.
Other approaches have focused on providing secure identification and verification. U.S. Pat. No. 5,790,668 discloses system and method to provide secure handling of data through means of a personal identifier database. Similarly, U.S. Pat. No. 5,930,804 discloses an invention to provide improved Web-based security measures, and methods to implement such measures and, moreover, to provide improved Web-based authentication systems and methods. Similarly, U.S. Pat. No. 5,870,723 discloses a method and system to provide a biometric transaction authorization with the use of a PIN number. Similarly, U.S. Pat. No. 5,995,630 discloses a method to facilitate secure and authorized access to a computer.
While these approaches provide a method to avoid the problems associated with unauthorized access with user identification, they have disadvantages. These approaches focus
on a gateway comprising security and user verification. First, these approaches do not offer a secure, authenticated centralized repository system. The database element in these approaches is limited to storing information pertinent to a particular business, or security purpose. For example, the databases in these inventions house only biometric information, personal identifiers, limited financial information, or encryption keys. Accordingly, these approaches do not offer an implementable system that serves as a secure repository in which to store any and all types of data.
These approaches also have a security deficiency, as they require a personal PIN number or personal identifier. These methods seriously compromise the security of the system as a whole. PIN numbers can be forgotten, lost, misplaced, and obtained through disreputable algorithmic approaches or other schemes.
Furthermore, systems that require personal identifiers, commonly associate the person's social security number with their identity. These approaches inherently lack the ability to provide anonymity to the users. Information is inexplicably tied to a particular person. Individuals are uniquely identified with ease through a social security number. Moreover, social security numbers are easily accessible and widely utilized. It is common practice for governmental institutions, financial institutions, educational institutions, and medical institutions and to use social security numbers as personal identifiers. Most of these institutions utilize and display social security numbers with disregard for privacy or security. Thus, the identity of the data owner can be easily obtained through his social security number.
However, none of these verification systems offer a general, centralized database to store any, and all, types of data and information. Accordingly, there is a need for a system where any type of information may be stored securely and retrieved with anonymity, ease and convenience. Further, there is a need for a single, comprehensive, information storage system having reliability, privacy, authenticity, and accessibility.
By way of further background, U. S. Patent No. 6,032,137 and U.S. Patent No. 5,910,988 commonly assigned herewith and incorporated herein by this reference, describe data repository systems and methods, for example as applied to commercial payments and transactions.
SUMMARY OF THE INVENTION
This invention involves the storage and retrieval of data with the full identification and verification of users through means of a biometric identifier. The biometric identifier identifies biometric data or biometrics that comprises a statistical analysis of biological data, for example: retina geometry prints, facial prints, DNA data, fingerprints, or voice patterns. Biometric data represents a unique personal identity marker, which is in possession of the user at all times. The use of biometrics ensures a private system due to its inherent characteristics. The DataTreasury™ Repository System uses a biometric, as a unique identity marker. The usage of biometrics effectuates creates an extremely secure method of authentication for access to data stores. Furthermore, as corrtmunication protocols have become increasingly sophisticated users can access data anywhere in the world.
Users who wish to enroll into the DataTreasury™ Repository System must first present documents to authenticate their claimed identity. Upon registration they must input their biometrics, and any required information into client stations. The biometrics obtained through the registration process are is stored in an enrollment biometric database. The enrollment biometrics are utilized to assist in the verification of the user in future transactions.
As a paradigm, merchants, as well as financial institutions, may enroll in to the DataTreasury™ Repository System to facilitate financial transactions. Commercial users can take the form of a host within the DataTreasury™ Repository System, and utilize its services to conduct business. Financial transactions are not limited to financial institutions, which are enrolled into the system. The DataTreasury™ Repository System may further communicate, transmit information, facilitate transactions with financial institutions, which are not enrolled. The DataTreasury™ Repository System may further communicate, and conduct transactions with any non-enrolled user, entity, whether an institution, a business, or an individual.
It is an object of the present invention to provide a system for a secure, centralized storage of all types of information. For example, a system which could handle commercial
transaction information, financial information, credit information, citizenship information, educational information with authenticated access, would comprise: at least one remote client subsystem designed to receive and transmit data; at least one remote data processing subsystem designed to facilitate the processing of data, comprising an encryption subsystem to ensure a secure, biometric authentication subsystem to ensure the identity of users; at least one remote data management subsystem to manage the processing of data; at least one remote data storage subsystem to store any, and all, types of data; and at least one communication network for secure transmission of data within, , and between the data processing subsystem, the data management subsystem, and the data storage subsystem.
The DataTreasury™ Repository system securely supplies authenticated access to information such as, credit information, banking information, personal information, real-estate information, employment information, and commercial transaction information.
It is a further object of the DataTreasury™ Repository System to facilitate: private and secure financial transactions, via a centralized, secure, and easily accessible system worldwide.
It is a further object of the DataTreasury™ Repository System to facilitate a virtually fraud proof system of conducting transactions.
It is a further object of the DataTreasury™ Repository System to facilitate a private method to traverse the internet.
It is a further object of the DataTreasury™ Repository System to facilitate the secure and private electronic co rnunication between computer systems.
It is a further object of the DataTreasury™ Repository System to facilitate the registration process for warranties, and similar legal documents.
It is a further object of the DataTreasury™ Repository System to secure email coπvmunication and prevent unsolicited advertisements or spamming.
It is further object of the DataTreasury™ Repository System of the invention to store and provide data with a multi-tiered architecture comprised of the DataTreasury™ Object Request broker (ORB), the DataTreasury™ AppHcation Server (AS), the DataTreasury™ Database (DB), DataTreasury™ Encryption Subsystem (ES), and a DataTreasury™ Biometric Subsystem (DTBS).
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
These and other objects and features of the invention will be more clearly understood from the following detailed description along with the accompanying drawing figures, wherein:
FIG. 1 is a block diagram of the DataTreasury™ Repository System (DRS) architecture;
FIG. 2 is a block diagram of the distributed envtronrnent;
FIG. 3 is a block diagram of the dient subsystem;
FIG.4 is a block diagram of the Object Request Broker (ORB) architecture;
FIG.5 is a block diagram of the AppHcation Server (AS) architecture;
FIG. 6 is a block diagram of the Encryption Server architecture;
FIG. 7 is a block diagram of the process for analyzing and storing biometrics using the DataTreasury™ Biometric Subsystem architecture;
FIG. 8 is a block diagram of the comrnunication network;
FIG. 9 is a flow chart of the process for transferring information;
FIG. 10 is a flow chart describing the process for the DRS; and
FIG. 11 is a flow chart of the second embodiment of the process shown in FIG. 9.
DETAILED DESCRIPTION OF THE INVENTION
Fig. 1 displays the block diagram of a DataTreasury™ Repository System (DRS) 100, which is connected to either cHents 50 or hosts 70 via either an AppHcation Programmable Interface (API) gateway 80 or through a sign on server (SOS) 90. The DataTreasury™ Repository System 100 has five elements: a DataTreasury™ Object Request broker (ORB) 200 (transaction management subsystem), a DataTreasury™ AppHcation Server (AS) 300 (data processing subsystem), a DataTreasury™ Database (DB) 400 (data storage subsystem), DataTreasury™ Encryption Subsystem (ES) 500 (system to ensure security), and a DataTreasury™ Biometric Subsystem (DTBS) 600 (system to process and verify biometrics).
As shown in FIG. 2, the DataTreasury™ Repository System 100 uses an object oriented programming language for housing any and all types of information across a distributed environment. Data is sent to the ORB 200 via cHent subsystems 50 and hosts 70. This information is first encapsulated, next, it is compressed and then it is encrypted before it is sent through API gateway 80 or SOS 90. This information is then decrypted and processed through ORB 200, which in connection with AS 300 ES 500 and DTBS 600, processes this information. This information is then sent on to DB 400 for storage of this information or retrieval of additional information stored in DB 400. A comm.unicati.on network 800 connects these elements together. As shown, API gateway 80 SOS 90, ORB 200, AS 300, DB 400, relational databases 430, ES 500, and DTB 600 are all housed in a central location. API gateway 80 or SOS 90 are designed to receive information from cHents 50 or hosts 70. SOS 90 is designed as a single sign on server whereby with one password or one set of biometric information, the user can gain access to multiple accounts that would formerly take multiple login identifications and passwords.
CHent subsystem 50 is shown in greater detail in FIG. 3, ORB 200 is shown in greater detail in FIG. 4, AS 300 is shown in greater detail in FIG. 5, ES 500 is shown in greater detail in FIG. 6, the process for DTBS 600 is shown in greater detail in FIG. 7, and communication network 800 is shown in greater detail in FIG. 8.
As shown in FIG. 3, cHent subsystem 50 provides a convenient interface to users to enable data entry and extraction from the DB 400. A simplified interface to enable data extraction from a database for use in the present invention is described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation 09/454,492 to Bailard, entitled "Remote Image Capture with Centralized Processing and Storage", which is incorporated herein by reference. Furthermore, the cHent subsystems 50 may also be hosts 70. These cHent subsystems may contain a biometric processing cHent subsystem 51, and a data capturing device 53. The cHent subsystem may contain input devices 55 such as but not limited to: video cameras, digital cameras, CD-ROM readers, DVD readers, keyboards, mice, microphones, smart card readers, scanners, magnetic strip readers, MICR readers, 2D/3D bar code readers, and biometric capture devices. The cHent subsystem may also contain output devices 57 which may faciHtate report generation such as but not Hmited to: monitors, printers, and speakers. CHent subsystems 50 may further take any form comprising a point of sale, Internet, or wireless machines, to name a few. Furthermore, cHent subsystems 50 may also contain a biometric device 59 for capturing biometric data.
CHent subsystems 50 may connect to the ORB 200 through a comrnunication network such as comrnunication network 800. However cHent subsystem 50 may connect to ORB 200 by any means including, but not limited to, the internet, wireless RF, microwave, infrared or, through a wired local or wide area network. A wireless data network may be used for connecting one or more cHent subsystems 50 to one or more centralized processing faciHties, this wireless network is employed for either local area network (LAN) or wide area network (WAN) connectivity, or both simultaneously. The wireless network is not limited to a specific technology, transmission speed, or mode of operation. The physical means for comrnunication between the cHent subsystem 50 and the ORB 200 may be faciHtated by, but not Hmited to modems, cables, fiber optics, or satellites. Furthermore, CHent subsystems 50 are not tied to a specific prograrnming language. CHent subsystems 50 and AS 300 in a distributed environment need only communicate in terms of the ORB 200, interface. The ORB 200 may act as a middleware layer between the cHent subsystems 50 and all types of heterogeneous sources. Ftu thermore, the ORB 200 may automate services such as, but not limited to: object registration, location, activation, and demultiplexing. The ORB 200 handles the request between the cHent
subsystem 50 to the AS 300. Objects 350 are encapsulated packages of code and data that can be manipulated by operations through a defined interface. The ORB 200 initiates queries of the DB 400, which are necessary for object 350 functionaHties. An essential aspect of the DataTreasury™ Repository System is that it enables, identifies, authenticates, and processes information using, inter aHa, biometric and cryptographic algorithms.
As is known to persons of ordinary skill in the art, the DataTreasury™ Repository System 100 could also use other software development standards, other system deployment standards, and other reHabiHty standards as long as adherence to these alternative standards provides the security, avaJlabiHty, integrity and reHabiHty required by mission critical appHcations of this scale. See, e.g. Fayad, Johnson, and Schmidt, "Building AppHcation Frameworks: Object Oriented Foundations of Framework Design", chap. 1 to chap. 6, (Wiley, 1999)
Fig. 4 is a block diagram of the ORB 200 architecture. ORB 200 can exist on one or more servers and can contain a transaction processing architecture 250, which manages objects 230 such as appHcation objects 232, domain objects 234, and database objects 236. In addition, transaction processing architecture 250 also manages events 255, transactions 265, persistence 270, concurrency 275 and security 260. In the preferred embodiment, the ORB 200 is faciHtated through the use of Common Object Request Broker Architecture (CORBA). The ORB 200 may provide a series of services including but not limited to: life cycle services, persistence services, naming services, event services, concurrency control services, tiansaction services, relationship services, externalization services, query services, Hcensing services, and properties services, life cycle services define how to create, copy, move, and delete components. A component is a reusable program buHding block that can be combined with other components in the same or other computers in a distributed network to form an appHcation. The persistence service facihtates the ability to store data on the DB 400.
The naming service allows components to find other components by name. The event service allows the components to specify specific events to be notified of. The concurrency control service aHows the ORB 200 to manage locks to data caused by competing transactions or threads. The transaction service ensures that once transactions are completed, the required
functions are performed, and to ensure the consistency of the DB 400. The relationship service can create and/ or keep track of dynamic associations between components. The externalization service provides a method to add and obtain data from a component resident in a stream of data. The query service aHows the component to query the DB 400. The Hcensing service aHows the use of the component to be measured. Lastly, the properties service allows components to have a self description, which in turn can be used by other components. The cHent subsystems 50 use stubs to invoke the required appHcation objects 230 in AS 300 through the ORB 200 for the required transaction. ORB 200 can also contain a memory hierarchy 262 containing a primary memory 264 and a secondary memory 266.
Hi the preferred embodiment, the ORB 200 server comprises stand-alone IBM Enterprise RS/60007026 Model M80 servers, which are connected through a common network. TypicaUy, the IBM Enterprise RS/6000 7026 Model M80 class computers have 6 GB of RAM, a 1.26 TB Shark storage array, and gigabit Ethernet network connection.
The cHent subsystems 50 requests to the AS 300, DB 400, ORB 200, and hosts 70 are faciHtated through CORBA compHant services. Object request brokers, ORB 200 can create a persistent link between cHent subsystems 50, hosts 70 and AS 300 for servicing requests. AS 300 and ORB 200 are usuaHy the middle tier and databases are maintained in the third tier. AS 300 requires CORBA services to corrtmunicate with third tier databases for executing queries.
As is known to persons of ordinary skiU in the art, CORBA or any equivalent architectural framework may be utiHzed to construct an ORB 200 to provide load balancing and aUocation of services between appHcation servers and databases.
In an alternate embodiment, an information gateway may be utiHzed to construct the ORB 200. The object based ORB 200 may be also implemented with a message, transaction, or event based arc-hitectural frameworks. An exemplary embodiment of alternate architectural frameworks which may be utiHzed, as known to persons of ordinary skiU in the art, include but are not limited to: MQ series, Tuxedo, and Rendezvous. See, e.g., Bernstein, and Newcomer, "Principles of Transaction Processing", chap.2 to chap. 10, (Morgan Kaufman Publishers, 1997). AdditionaHy, see, e.g., Primatesta, "Tuxedo, an Open Approach to OLTP", chap. 2 to chap. 6,
(Prentice Hall, 1995). Further, see, e.g., Gilman and Schreiber, "Distributed Computing with IBM MQSeries", chap.3 to chap 10, (Wiley, John & Sons, Incorporated, 1996).
As will be understood by those skilled in the art, Object-Oriented Programming (OOP) techniques involve the declaration, definition, creation, invocation and destruction of "objects" 230. OOP focuses on objects rather than specific functions. In object-oriented programrning, objects are the concepts to consider first in designing a program and they may also comprise units of code that are eventually derived from the process. In between, each object is made into a generic class of object and even more generic classes are defined so that objects can share models and reuse the class definitions in their code. Each object is an instance of a particular class or subclass with the class's own method or procedures and data variable. An object is what actuaHy runs in the system. See, e.g., Rumbaugh, Blaha, Premerlani, Eddy, and Lorensen, "Object Oriented Modeling and Design", chap. 1 to chap. 10, (Prentice Hall, 1991). These objects 230 are software entities comprising data elements and routines, or functions, which manipulate the data elements. The data and related functions are treated by the software as an entity and can be created, used and deleted in a paraHel and concurrent fashion. Together, the data and functions enable objects 230 to model virtuaHy any real-world entity in terms of its characteristics, represented by the data elements, relationships and its behavior. Object 230's behavior determines how and when it manipulates its data elements. In this way, objects 230 can model co plex physical phenomena like weather systems, and it can also model abstract complexities like many mathematical algorithms.
In the preferred embodiment, through a cornrnunication network, the ORB 200 are connected to the AS 300 and DB 400 through a LAN using switched lOOOBaseT/lOOBaseT Ethernet, using TCP/IP protocol, though the invention is not so limited. As is known to persons of ordinary skill in the art, the lOOOBaseT/lOOBaseT Ethernet is a networking link layer protocol. Further, the numbers 1000 and 100 refer to the comrnunication link speed in megabits per second. In the preferred embodiment the CISCO Catalyst 6000, model No. 6509, Network Switch or equivalent hardware supports the LAN connectivity between the devices connected to it. A communication network for use in the present invention is described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation
09/454,492 to BaHard, entitled "Remote Image Capture with Centralized Processing and Storage", which is incorporated herein by reference.
The ORB 200 and the cHent subsystems 50 are connected on a Wide Area Network (WAN). A WAN router faciHtates comrnunication between the cHent subsystem 50 and the ORB 200. In the preferred embodiment, the WAN uses frame relay connectivity. As is known to persons of ordinary skiU in the art, frame relay is a network protocol for data communication. In contrast to dedicated point-to-point links that provide a fixed data rate, frame relay communication provides variable bandwidth availabiHty on-demand with a guaranteed rrririimum data rate. Frame relay cornrnunication also aUows occasional short high data rate bursts according to network availabiHty. In the preferred embodiment, the CISCO 2621 router, or equivalent hardware, supports the WAN connectivity between the devices.
Each frame encloses one user packet and adds addressing and verification information. Frame relay data communication typicaUy has transmission rates between 56 kilobytes per second (kb/s) and 1.544 megabytes per second (Mb/s). Frames may vary in length up to a design Hrnit of approximately 1024 bytes.
In the preferred embodiment, the telecomrnurύcations frame relay carrier cloud is a cornmunication network, which receives the frames destined for the ORB 200 sent by the WAN router from the cHent subsystems 50. As is known to persons of ordinary skill in the art, carriers provide comrnunication services through local central offices. These central offices contain networking faciHties and equipment to interconnect telephone and data communications to other central offices within its own network and within networks of other carriers.
Since the component links of the interconnection network are shared by the carrier' cHents, data cornmunication must be dynamicaUy assigned to links in the network according to availabiHty. Because of the dynamic nature of the data routing, the interconnection network is referred to as a carrier cloud of communication bandwidth.
The ORB 200 may be coupled with a firewaU (See FIG. 6) to provide more secure cornmunication. A firewall is a security device which prevents unauthorized users and/ or data traffic from gaining access to a computer network, and/ or monitors the transfer of information
to and from the network. CHent subsystem 50 requests and system responses between system and cHent subsystem 50 programs are communicated through a filtering router. FirewaHs are weU known within the art. See, e.g., Strebe and Perkins, "Firewalls 24 Seven", part 1 and part 2, (Sybex, Network Press, 2000). Filtering routers interrogate the source and destination addresses of open network messages communicated through the router to verify that the source and destination addresses conform to the requirements specified by the operator for communication through the router.
For example, the filtering router does not pass comrnunication messages through it, when these messages arrive from an external network that have a source address which corresponds to the same network for the destination address. This prevents a "spoofing" attack where a computer outside a computer network attempts to emulate another computer on the network to which the destination address computer is coupled, to exploit potentiaHy lower security measures for computers on the same network. Spoofing is the attempt to exploit the source routing feature of the TCP/IP protocol by intentionaHy creating packets with incorrect IP addresses. In spoofing the hacker disguises himself as a host 70 or router on the targeted network to circumvent some security measures. Transmission from the ORB 200 is preferably first passed through a proxy firewall. Proxy firewalls require the use of a proxy server, or bastion host. The bastion host prevents the direct access to Internet services by the internal users by acting as their proxy, and filtering out unauthorized traffic. A proxy is a structure, where one system acts as a vanguard to another system in making and responding to request. The firewall is preferably implemented with PGP Security Inc. Gauntlet, version 5.5. This is a fuHy integrated system which provides both packet filtering and proxy services. It also contains software enabling remote management of the firewaU throughout the entire enterprise.
Fig. 5 is a block diagram of the DataTreasury™ AppHcation Server (AS) 300. The AS 300 processes aU transactions initiated by the ORB 200. However, it is essential that each transaction must be first verified by the encryption appHcation object subsystem 230 and the biometrics appHcation object subsystem 230. A system for processing data for later authorized retrieval for use in the present invention is described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation 09/454,492 to BaUard, entitled
"Remote Image Capture with Centralized Processing and Storage", which is incorporated herein by reference.
In the preferred embodiment, the AS 300 server comprises stand-alone IBM Enterprise RS/6000 7026 Model M80, which are connected on a common network. Typically, the IBM Enterprise RS/6000 7026 Model M80 class computers have an 6 GB of RAM, a 1.26 TB Shark storage array, and a gigabit Ethernet network connection.
AppHcation services of the AS 300 are preferably appHcation programs written in a prograrr-ming language such as Java, C, or C++. In a preferred embodiment, the invention is implemented in the C++ prograrr-ming language using object-oriented programming techniques. C++ is a compiled language, that is, programs are written in a human-readable script and the script is then provided to a program called a compiler, which transforms the human readable code and produces object code. The resulting object code is then processed by a second process, caHed a linker. The linker incorporates various Hbrary routines required by the object code. The output of the linker is machine executable code. As described below, the C++ language has certain characteristics which aUow a software developer to easily use programs written by others while st l providing a great deal of control over the reuse of programs to prevent their destruction or improper use. The C++ language is weH known and many articles and texts are available which describe the language in detail. Hi addition, C++ compilers are commercially available from several vendors including Sun Microsystems, Inc. and Microsoft Corporation. Accordingly, for reasons of clarity, the details of the C++ language and the operation of the C++ compiler will not be discussed further in detail herein.
As used herein, the term "object" refers to an encapsulated package of code and data that can be manipulated by operations through a defined interface associated with a distributed object 350. The encryption subsystem 500, biometric subsystem 600, coHector subsystem, and other business appHcation subsystems are aH instantiated through AS 300 objects. Thus, distributed objects 350 wiU be seen by those skiHed in the art as including the basic properties that define traditional programming objects. However, distributed objects 350 differ from traditional programming objects by the inclusion of two important features. First, distributed objects 350 are multilingual. Distributed objects 350 may be comparable to object abstractions in
various prograrr-ming languages. Distributed object 350 provides a set of fields and methods accessible to cHents 50. Distributed objects 350 give users a virtual model of the data source, aHowing seamless integration of heterogeneous data models and protocols. A framework is necessary for management of the distributed objects. The framework can dynamically repHcate objects, providing automatic load balancing, event handling and fault tolerance. This technology offloads business logic processing from the cHent 50 side onto middleware object services.
The interfaces of distributed objects 350 are defined using an interface definition language that can be mapped to a variety of different programming languages. The Object Management Group produces one such Interface Definition Language (IDL). IDL is a language used by CORBA to define interfaces between appHcation components. The IDL generates the stubs and skeletons.
Second, distributed objects 350 are location, language, cHent subsystem 50, or hosts 70 independent, i.e., distributed objects 350 can be located anywhere in a network. This contrasts sharply with traditional prograrr-ming objects, which typicaUy exist in the same physical address space as the cHent subsystem 50. Distributed objects 350 can be object cHents or object servers, depending upon whether the object 350 sends requests to other objects 350 or repHes to requests from other objects 350. Requests and repHes are made through the ORB 200, which is aware of the locations and status of the objects 350. A distributed object system refers to a system comprising distributed objects 350 that comrnunicate through the ORB 200. An object reference is a unique way to identify objects 350. The creation and definition of object references dependent on the ORB 200 wϋl be familiar to those skilled in the art.
When a cHent subsystem 50 calls one of the AS 300 objects 350 to invoke an object operation, the corresponding stub points to a skeleton. The ORB 200 passes the invocation from the cHent subsystem 50 stub to the appHcation server skeleton. Stubs are code produced by the IDL compiler in conjunction with cHent subsystem 50 appHcations to facilitate an interface with the ORB 200. Skeletons are proxy code^ which facihtates the appHcation server implementations through a corresponding interface. The corresponding object 350 implementation to the
skeleton is then able to perform the requested service; which in turn can return any results through the ORB 200 skeleton to the cHent subsystem 50.
In the preferred embodiment, through comrnunication network 800, the AS 300 are connected to the ORB 200 using switched lOOOBaseT/ 100BaseT Ethernet, and TCP/IP protocol though the invention is not so limited. As is known to persons of ordinary skiU in the art, lOOOBaseT/ 100BaseT Ethernet is a networking link layer protocol. Further, the numbers 1000 and 100 refer to the communication link speed in megabits per second. In the preferred embodiment the CISCO Catalyst 6000, model 6509, Network Switch or equivalent hardware supports the LAN connectivity between the devices connected to it.
Turning back to FIG. 2, there is a block diagram of the DB 400 having associated databases 430. DB 400 is responsible for repHcation and synchronization and responds to queries directed by the ORB 200. An essential aspect of the DB 400 is its storage and retrieval of any type of data including biometric data. In the preferred embodiment aU data stored in the DB 400 is encrypted to maximize privacy and security. A remote secure, reHable, and centralized repository to store data for later retrieval for use in the present invention is described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation 09/454,492 to BaUard, entitled "Remote Image Capture with CentraHzed Processing and Storage", which patent is incorporated herein by this reference.
In the preferred embodiment, the DB 400 server comprises stand-alone IBM Enterprise RS/6000 7026 Model M80 servers, which are connected on a common network. The IBM Enterprise RS/6000 7026 Model M80 class computers have 6 GB of RAM, a 1.26 TB Shark storage array, and a gigabit Ethernet network connection.
As shown in FIG. 2, DB 400 is a centralized storage subsystem, which comprises numerous databases 430 housed in separate remote physical locations. Data is partitioned by its type and housed in distinct locations. Further, the DB 400 is capable of repHcating itself to mirrored databases 430, located either on site or in separate sites.
In the preferred embodiment of the invention, a one to many search is utilized to scan the entire data set of enroUed biometric data resident on the DB 400 to determine the identity of
a user to allocate the appropriate account. The search and matching processing of the DB 400 may be implemented on servers containing multiple CPU's, each CPU working on a subset of the data. A massive paraUel clustering scheme may be utiHzed to merge aU processors within one server, or it's functional equivalent. Further, aU operating data may be held in RAM at aU times for maximum throughput.
Further, in the preferred embodiment, an efficient search and matching algorithm may be implemented with the DB 400 for an expeditious one to many search. An exemplary algorithm suitable for use in the preferred embodiment is the Veridicom Software Development Kit, Minutia Extraction Module and Fingerprint Verification Module, version linux-sdk-2.6.2.9- i386, available from Veridicom Incorporated, Santa Clara, CA. The Minutia Extraction Module scans and produces minutia based on features such as ridge endings, spacing, bifurcations, etc. Further, it extracts particularly significant minutia to perform a relative and distinct comparison between fingerprints; elirninating noisy minutia, borders, wrinkles, smudges, etc. The software produces templates of 1KB (uncompressed) or 300 bytes (compressed) for use with the Fingerprint Verification Module. The searching algorithm categorizes the stored fingerprint minutia into four categories: left loop, right loop, whirl, and neither. This categorization reduces the number of minutia to search and to match against hence, rnaking the searching and matdiing process faster. The software scores these results, and provides statistics on matches relying on matching minutia based on distance, and neighborhood placement/ orientation discrimination. This technique is capable of distinctly matching individuals based on discrirr nating minutia. Though the extraction module may extract many minutia, the matching set is very smaU based on the rnatching criteria mentioned above and aHows the matching algorithm to be more efficient, since less minutia are being compared.
An alternate embodiment of a search and matching algorithm may be used as described in the United States Patent No. 5,802,525 to Isidore Rigoutsos, entitled "Two-Dimensional Affine-Invariant Hashing Defined Over Any Two-Dimensional Convex Domain and Producing Uniformly-Distributed Hash Keys", United States Patent No. 6,072,895 to Rudolf Maarten BoUe, et al., entitled "System and Method Using Minutiae Pruning for Fingerprint Image Processing", United States Patent No. 6,049,621 to Aral Jain, et al., entitled "Determing a Point Corresponding Between Two Points in Two Respective (Fingerprint) Images", United States Patent No.
6,041,133 to Andrea Califano, et al., entitled "Method and Apparatus for Fingerprint Matching Using Transformation Parameter Clustering Based on Local Feature Correspondence", United States Patent No. 6,005,963 to Rudolf Maarten BoUe, et al., entitled "System and Method for Deterrning if a Fingerprint Image Contains an Image Portion Representing a Partial Fingerprint Impression".
In another embodiment of the invention, the device may include a personal identifier that is assigned to each user to narrow the search parameters for rnatching biometric data. This personal identifier reduces the search from the entire set of data on tire DB 400 to a manageable subset of data. The identifier is utilized to effectuate an enhanced rate of searching in the DB 400. The personal identifier may include but is not restricted to area codes, zip codes, or any other personal identifier representing the user's aUocated group.
DB 400 Database server also includes local data memory, which is preferably implemented with the IBM DB2, version 6.1, relational database, which was designed to support both data and image storage within a single repository. This is a relational database management system ("RDBMS") for managing data operations between local data memory and appHcation services. IBM DB2 is a commercially available software product of International Business Machines Corporation, New Orchard Road, Armonk, NY. The dynamic server of the preferred embodiment uses multiprocessing to efficiently process database 430 commands and other messages communicated through appHcation services without delaying appHcation service processing and communication with cHent subsystem 50 programs. Other embodiments of local data memory are possible as long as the embodiment is a highly avaUable platform with sufficient storage and access times for the storage and retrieval of data. The database need not reside on a single physical platform; it may reside on several computing platforms comprising one logical unit, as in a database cluster. An appHcation can access data from the cHent subsystem 50 and the server. Likewise, such an interface may be required when an appHcation service is implemented in an object-oriented language such as C++ and local data memory is a relational database 430.
It is essential that the DB 400 is designed to store and house any and aU types of information within user accounts mcluciing, but not limited to: biometric, financial, business,
personal, or academic; known henceforth as transactional data. User accounts are defined as storage aHotted to each particular user within the DB 400. This system can receive, transmit, store, and process any type of transactional data, which may include but is not limited to: leases, deeds, passports, birth certificates, wills, trusts, driver's Hcenses, bank account information, credit information, commercial transaction information, educational information, citizenship information, photographs, pictures, digital sound files, digital graphic files, medical information, laboratory notes, grocery lists, personal dairies, to do lists, Christmas lists, digital movies, customer Hsts, trade secrets, computer source code, electronic mails, merchant inventory Hsts, cash flow information, expense information, consumer demographic information, sales information, payroU information, tax information, retirement information, investment information, benefits information, biometric information, incentive information, coupon information, governmental assistance program information, electronic cash, electronic signature information and voting information.
As known to persons of ordinary skiU in the art, a relational database 430 consists of a coUection of tables each of which have a unique name. See, e.g. Toerey, "Database Modeling & Design, Second Edition", chap. 2 and chap. 3, (Morgan Kaufmann Publishers, 1994). A database schema is the logical design of the database. Each table in a relational database has attributes. A row in a table represents a relationship among a set of values for the attributes in the table. Each table has one or more superkeys. A superkey is a set of one or more attributes, which uniquely identify a row in the table. A candidate key is a superkey for which no proper subset is also a superkey. A primary key is a candidate key selected by the database designer as the means to identify a row in a table.
As is weU known to persons of ordinary skiU in the art, the DataTreasury™ Repository System 100 could use other database models available from other vendors including the entity relationship model as long as the selected database meets the storage access efficiency and synchronization requirements of the system. See, e.g., Toerey, "Database Modeling & Design, Second Edition", chap. 2 and chap. 3, (Morgan Kaufmann Publishers, 1994).
An exemplary DB 400 basic schema consists of the tables listed below. Since the names of the attributes are descriptive, they adequately define the attributes' contents. The primary keys in each table are identified with two asterisks (**).
I. CUSTOMER: This table describes the DataTreasury™ Repository System customer.
A. **CUSTOMER.sub.~ ID
B. COMPANY.sub.- NAME
C. CONTACT
D. CONTACT.sub.- TITLE
E. ADDR1
F. ADDR2 G. CITY
H. STATRsub.- CODE I. ZIP.sub.- CODE J. COUNTRY.sub.~ CODE K. VOX.sub.~ PHONE L. FAX.sub.- PHONE M. CREATE.sub.- DATE
II. CUSTOMER.sub.- MAIL.sub.~ TO: This table describes the matting address of the DataTreasury™ Repository System customer.
A. **MAIL.sub.~ TO.sub.~ NO B. **CUST.sub.~ ID
C. CUSTOMER.sub.- NAME
D. CONTACT
E. CONTACT.sub.- TILE
F. ADDR1
G. ADDR2 H. CITY
I. STATE.sub.~ CODE J. ZIP.sub.~ CODE K. COUNTRY.sub.- CODE L. VOX.sub.- PHONE M. FAX.sub.- PHONE N. CREATE.sub.- DATE O. COMMENTS
In the preferred embodiment, through a cornrnunication network, the DB 400 is connected to the ORB 200 through a LAN using switched lOOOBaseT/lOOBaseT Ethernet, and TCP/IP protocol though the invention is not so limited. As is known to persons of ordinary skill in the art, the lOOOBaseT/ 100BaseT Ethernet is a networking Hnk layer protocol. Further, the numbers 1000 and 100 refer to the communication link speed in megabits per second. In the
preferred embodiment the CISCO Catalyst 6000, model 6509, Network Switch or equivalent hardware supports the LAN connectivity between the devices connected to it. However, DB 400 could also connect to ORB using a WAN connection shown in FIG. 8.
Fig. 6 displays the block diagram of the DataTreasury™ Encryption Subsystem (ES) 500. The ES 500 ensures a secure transaction and communication between the DataTreasury™ AppHcation Server (AS) 300 and their cHent subsystems 50. Furthermore, the ES 500 ensures that aU data stored is encrypted and secured against any attempts to gain unauthorized access. Encryption which protects against unauthorized access for use in the present invention is described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation 09/454,492 to BaUard, entitled "Remote Image Capture with Centralized Processing and Storage", which patent is incorporated herein by this reference. The ES 500 is further capable of detecting potential tampering of documents in transit. Lastly, the ES 500 verifies the identity of the cHent subsystem 50 initiating the transaction. The ES 500 is created as an encryption object initiated from the AS 300.
One embodiment of the cryptography scheme in the ES 500, is implemented with a symmetric cryptography scheme. Symmetric cryptography entails the use of a single secret key for both encryption and decryption of the transmission. The cHent subsystem 50 and the AS 300 require the possession of the key issued to the cHent subsystem 50 in order to decipher transmissions. The AS 300 issues unique keys to each of their cHent subsystems 50.
Another embodiment of the cryptography scheme in the ES 500, is implemented with an asymmetric cryptography scheme. An asymmetric scheme utilizes a two key pair, which consists of a pubHc key 520 and a private key 580. A pubHc key 520 is one that is freely distributed, whereas a private key 580 is treated in a surreptitious fashion. A document that is encrypted with pubHc key 520 may only be decrypted with the corresponding private key 580, and visa versa.
Furthermore, the integrity of the cornmunications within the ES 500 may be ensured with the use of a digital signature. A digital signature is used to link the owner of the pubHc key to the document; it is also capable of detecting alterations to the transmission in transit. The transmission is subjected to an encryption process, known to a person skilled in the art as
hashing, and a message digest is created. The process of creating the message digest is known as the digesting process. A message digest is a unique value of fixed length dependent on the input into the digesting process transmission. Both parties need to be aware that the digesting process is utiHzed.
Once the user formulates the desired transmission, it is then subjected to the digesting process. Then the cHent subsystem 50 utilizes his pubHc key to encrypt the message digest and the transmission, which results in a digital signature. The digital signature can be combined with the transmission, or exist as a separate entity. The AS 300 receives the transmission along with the digital signature. The digital signature is decrypted utilizing the corresponding private key to obtain a decrypted message digest. The transmission is then subjected to the digest process to obtain a message digest. Lastly, the ES 500 compares the signature message digest with the transmission message digest, if these values are equal, then the cHent subsystem 50 is authenticated.
Another method that may be used to ensure data transmission authenticity is the use of digital certificates 550. These digital certificates 550 certify the identity of the holder of the pubHc key 520. The AS 300 may act as a certification authority 560. The certification authority 560 issues the digital certificates 550 to cHent subsystems 50. The digital certificates 550 verify that the owner of the pubHc key 520 is also the certificate holder.
The cHent subsystem 50 obtains the digital certificate 550 and presents it to the appHcation with some form of identity verification, specificaHy, but not exclusively biometric information, personal information, financial information. The appHcation verifies the certificate with the certificate authority 560, and the AS 300. The digital certificate 550 which is sent to the cHent subsystem 510 may contain one or more of the foUowing: the certification authority's 560 digital signature, the pubHc key 520 of the cHent subsystem 510, the name of the user, the name of the certification authority 560, and the expiration date of the certificate.
Data is stored in the DB 400 in an encrypted form. After retrieval from the database the records must be decrypted before any useful operation can be performed on them. For decryption, a cryptographic key is required. The key is obtained as a result of, or in conjunction
with, the authentication process using a biometric. In this way, it is possible to secure records from access from aU but the authentic owner of the information.
The DataTreasury™ Repository System 100 is not so limited to the encryption and the authentication schemes. As known to persons of ordinary skiU in the art, the DataTreasury™ Repository System may utilize any scheme that ensures the highest degree of security, encryption and authentication may also be implemented. See, e.g., Pleeger, "Security in Computing", Second Edition, chap.2 to chap.9, (Prentice Hall, 1996).
Fig. 7 displays a block diagram of the process for processing biometrics using the DataTreasury™ Biometric Subsystem (DTBS) 600. The DTBS 600 processes aU biometric "information in the DataTreasury™ Repository System. The DTBS 600 may make use of layered biometrics for added security. A layered biometric consists of multiple types of biometrics or multiples of the same type biometric. The biometric information may be from a fingerprint, digital voiceprint, retinal scan, DNA or some other form of biometric. The multiple biometric sources are individuaUy processed, and a composite of the resulting elements are used for verification. The DTBS 600 extracts minutia from the fingerprint and stores them in the DB 400. The DTBS 600 further authenticates the user identity with their personal biometric. Devices for capturing biometrics which are subsequently utilized to verify the identity of a person by comparing the biometric data captured remotely with the biometric data stored for use in the present invention are described in United States Patent No. 5,910,988, United States Patent No. 6,032,137, and United States Patent AppHcation 09/454,492 to BaUard, entitled "Remote Image Capture with Centralized Processing and Storage", which is incorporated herein by reference.
In the fingerprint biometric subsystem, a capacitive apparatus may be utilized to capture a biometric signature, preferably in the form of a raw image 605 of the fingerprint. This biometric device is connected to the cHent subsystem 50. The fingerprint may then be saved in an image format. It may also be compressed with a loss-less compression algorithm, and/ or converted to a more efficient image format. An apparatus stated in the U.S. Patent entitled "Capacitive Fingerprint Sensor with Adjustable Gain," 6,049,620, may be utiHzed.
The compressed and then encrypted image is then transferred to the DataTreasury™ Repository System. H the preferred embodiment, once the image has been received, the AS 300
begins preprocessing 610 the image. Preprocessing 610 performs basic image enhancement transformations on the image, such as the adjustment of: contrast, brightness, and scale, and additionaUy removes extraneous noise from the image to produce an enhanced image of the fingerprint. Preprocessing 610 can correct for differences in images due to acquisition using different sensors, as weU as other variables affecting image acquisition. It is also possible to create profiles for specific devices or conditions, and apply them conditionaUy during preprocessing 610.
After preprocessing 610 is complete, the image is subjected to a binarization process 615. The binarization process 615 transforms the image into pixels of values either pure black or white.
Skeleton processing 617 foUows binarization. The skeleton image is formed by reducing the lines representing finger ridges in the binary image to a width of 1 pixel wide. This is done to maintain the original topography and connectivity of the ridges. Skeleton postprocessing is then conducted to enhance the skeleton image by interpolating breaks in the skeleton images caused by finger pores, scars, wrinkles, and other surface imperfections in the finger. See, e.g., Jain, HaHci, Hayashi, Lee, and Tsutsui, "InteUigent Biometric Tecliniques in Fingerprint and Face Recognition", chap. 2 and chap.3, (CRC Press, 1999).
The image is then classified in step 630 into distinct categories to decrease retrieval time. These categories may include but are not limited to: whorls, loops, and arches. These categories are utiHzed to form an index of the cHent subsystem's 50 identity corresponding to rninutia within DB 400. For instance, a process in the U.S. Patent entitled "Neural Network System for Classifying Fingerprints," U.S. Patent Number 5,825,907 may be utiHzed to classify fingerprints.
The minutia points are extracted in step 650. An algorithm is utiHzed to obtain minutia points. If the extracted minitia points cannot be read, then in step 670 DTBS 600 utilizes a different biometric and then in step 695 repeats the comparison of biometrics. However if DTBS 600 can read the biometrics, then the extracted minutia points are compared in step 675 with the point of reference minutia points resident in DB 400. The point of reference, enrollment minutia are obtained and subsequently stored in the DB 400 during the user's registration process. If the minutia points match in step 690, a positive verification is made. However, if there is no match,
then another biometric input 670 is requested, and verification fails. The other biometric may be from another type of biometric input 670, like a voiceprint or retinal print. Furthermore, it may be from another source input of the same type of biometrics. This other biometric 670 is reintroduced into the verification process 695.
FIG. 8 shows a block diagram of communication network 800 connecting cHent subsystems 50, hosts 70 ORB 200, and DB 400. ORB 200 may connect to other ORB 200 systems via a first local area network or LAN connection 810 which contains a network switch 812. CHent subsystems 50 and hosts 70 may be connected to each other via the internet or via an ethernet connection forrning an intranet. Both cHent subsystems 50 and hosts 70 connect to API 80 or SOS 90 first and then to ORB 200 via a wide area network or WAN connection 820. WAN connection 820 comprises an ethernet network 822 connected to cHent subsystems 50 or hosts 70 and another ethernet network 823 connected to network switch 812. Ethernet 822 associated with cHent subsystems 50 connects to a WAN router 824 while ethernet 823 associated with network switch 812 connects to WAN router 825. WAN routers 824 and 825 connect to API Gateway 80 or SOS 90 via network lines 823. API Gateway 80 or SOS 90 connects to network switch 812 which connects to ORB servers 200.
ORB 200 also connects to DB 400 via a second LAN 840. In addition DB 400 may exist as one or more servers connected to each other via a second LAN 860 containing a network switch 862. Second LAN 840 comprises an ethernet network, for connecting to network switch 812 for ORB 200 and for connecting to network switch 862 for DB 400. Network switch 862 connects to data storage subsystems DB 400.
This invention is not so limited by the method of extracting and analyzing minutia.
For example, FIG. 9 is a flowchart depicting the general process for the central management, security, storage, biometric authentication, verification and user or initiator initiated data transactions.
Thus this process includes a first step 910 which includes capturing transactional data mcluding an image of the biometric data, and any and aU types of additional data. Next, in step 920 at least one remote location encrypts and sends this transactional data or information. In
step 930, the authenticity and identity of the user is verified so that the user can access an appropriate account. In step 940, the transactional data is encrypted and decrypted upon transmission and storage and presentation to the user. In step 950 the capturing and sending of data is managed. Next, in step 960, this data is coUected at a remote centralized location. In step 970, the remote centralized location manages the coUecting, processing, sending and storing of this transactional data. FinaUy, in step 980 the encrypted transactional data and subsystem identification information is transmitted between the remote location the centralized location and other entities.
Step 910 which comprises the step of capturing transactional data may include the steps of capturing biometric data and any and all additional data; successively tiar-sforming the captured biometric data to a biometric signature, creating an encrypted compressed file identifying a location and time of the biometric data capturing; storing the tagged, encrypted compressed biometric signature file; and Mtiating a transaction upon the capture of a biometric.
Step 920 which includes the step of encrypting the data includes the steps of creating encryption keys to encrypt the data; and encrypting and decrypting the transactional data with encryption and decryption keys.
Steps 910 and 920 can occur at a plurality of remote locations while step 960 which includes coUecting processing sending and storing the encrypted transactional data at a remote centralized location can occur at a pluraHty of independent locations. Step 960 may also include the steps of tiansrnitting from remote locations transactional data with servers at a centralized location; storing specific types of encrypted transactional data at distinct independent remote locations in a memory hierarchy, wherein the storing of this data maintains recently accessed encrypted transactional data in a primary memory and other encrypted transactional data in a secondary memory; dynamically assigning the servers at me central location to receive portions of the transactional data for balancing
Fig. 10 is a flowchart depicting the operation of one embodiment of the present invention.
H step 1010, a registered user who desires a service from the DataTreasury™ Repository System initiates a transaction. The user begins the transaction by inputting a biometric. CHent subsystem 50 transactions are associated with unique stubs.
Hi step 1020, a cHent subsystem 50 stub resides at the terminal; and the stub forwards the transaction via frame relay. All transmissions sent to the ORB 200 are encrypted.
In step 1030, the crypto object verifies that the stub is a vaHd DataTreasury™ Repository issuer. The crypto subsystem verifies secure communication between the stub and skeleton using but not limited to socket level cryptography. Lastly, the crypto object decrypts the messages.
In step 1040, the skeletons specify aU objects to be created to accompHsh the desired task.
In step 1050, the business appHcation objects associated with the identified skeletons are invoked by the ORB 200. The AS 300 instantiates the business objects, to correspond with the skeletons.
In step 1060, the business appHcation object instantiates a biometric verification object to ensure the identification of the user with the corresponding level of confidence.
In step 1070, the raw fingerprint is grafted on a vector grid to extract invariant characteristics, such as minutia points. The minutia extiaction is accompHshed through an algorithm.
In step 1080, the ORB 200 initiates a query of the DB 400, amongst the enroUed user biometrics store, for minutia matches. This can be but not Hmited to a one-to-one search when there exists no personal identifier. When there is such a personal identifier available, the parameters of the one-to-many search are dramaticaUy reduced. Lastly, the minutia points are matched.
In step 1085, the AS 300 business objects perform the cHent subsystem 50 requested operation on the user account corresponding to the user's biometric.
In step 1090, the encrypted response/ results are returned to the cHent subsystem 50.
FIG. 11 is a second embodiment of the flowchart shown in FIG. 9. H this case, many of the steps shown in FIG. 9 are shown. For example, in step 910 transactional data is captured, while in step 920, this data is encrypted and sent. However, instead of verifying the authenticity of the user in step 930, the system verifies the identity of the user in step 931. This step involves a one to many search wherein the system searches for the user's identity which has been previously stored in DB 400. Once this identity has been matched, in step 933 the system creates a pseudo identifier which identifies the user via a Hmited information tag such as a set of demographic information. In step 935, this pseudo identifier is stored in a pseudo identifier database in DB 400. Next, in step 937, the system sets a security filter so that this pseudo identifier and cannot be used to determine the true identity of the user.
Once the user's pseudo identification has been established, the system proceeds through steps 940-980 as in FIG. 9. This type of process shown in FIG. 11 can be used especiaUy for voting or health care where the identity of the user must remain secret. If this process is used for voting then step 910, which is the step of capturing transactional data, includes capturing voting information such as the votes cast by each user. If this process is used for health care, then step 910 involves capturing the health history of the user, the health care insurance information of the user, or any health related tests for the user such as blood tests or urine tests.
While the above invention has been described with reference to certain preferred embodiments, the scope of the present invention is not limited to these embodiments. One skilled in the art may find variations of these preferred embodiments which, nevertheless, fall within the spirit of the present invention, whose scope is defined by the claims set forth below.