WO2019022658A1 - Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data - Google Patents
- Publication number
- WO2019022658A1 (PCT application PCT/SE2018/050736)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- biometric data
- client device
- transformed
- user
- network node
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V40/00—Recognition of biometric, human-related or animal-related patterns in image or video data
- G06V40/50—Maintenance of biometric data or enrolment thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3215—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Definitions
- the invention relates to methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data.
- Biometrics-based identification is a user-friendly way to securely
- When using biometric data for identification purposes in distributed systems, template biometric data must be available at the node in the computer system where the end-user is supposed to be identified. This constitutes a major security design challenge in distributed computer systems, as it typically requires original, clear-text biometric data to be stored at a central node and distributed in the system. Such solutions are very vulnerable to compromise of the original biometric data, and data compromised on one system may lead to a situation where the same biometric data is compromised on all other systems where it is used as well. Simply encrypting the biometric data will not solve this problem, as the original biometric data must be available at the remote location during authentication.
- An object of the present invention is to solve, or at least mitigate, this problem in the art and thus to provide an improved method of enabling authentication of a user of a client device over a secure communication channel based on biometric data.
- This object is attained in a first aspect of the invention by a method performed by a client device of enabling authentication of a user of the client device based on biometric data captured by the client device.
- the method comprises capturing at least one set of biometric data of the user,
- a client device configured to enable authentication of a user of the client device based on biometric data captured by the client device.
- the client device comprises a biometric data sensing system comprising a biometric data sensor and a processing unit.
- the biometric data sensor is configured to capture at least one set of biometric data of the user
- the processing unit is configured to transform the at least one set of biometric data into non-invertible biometric data, and submit an enrolment request comprising the transformed biometric data and a user identifier over a secure communication channel to a trusted network node.
- This object is attained in a third aspect of the invention by a method performed by a network node of enabling authentication of a user of a client device based on biometric data captured by the client device.
- the method comprises receiving, from the client device, an enrolment request comprising at least one set of transformed biometric data of the user along with a user identifier over a secure communication channel, and storing the received transformed biometric data, a secret feature transform key with which the biometric data was transformed at the client device, and the user identifier in a secure end-user repository.
- a network node configured to enable authentication of a user of a client device based on biometric data captured by the client device.
- the trusted network node comprises a processing unit being configured to receive, from the client device, an enrolment request comprising at least one set of transformed biometric data of the user along with a user identifier over a secure
- a method performed by a network node of enabling authentication of a user of a client device based on biometric data captured by the client device comprises receiving, from the client device, a request to authenticate a user of the client device, the authentication request comprising a user identifier, fetching, from the secure end-user repository, at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node, and submitting the transformed biometric data and the secret feature transform key over a secure communication channel to the client device.
- a network node configured to enable authentication of a user of a client device based on biometric data captured by the client device.
- the trusted network node comprising a processing unit is configured to receive, from the client device, a request to authenticate a user of the client device, the authentication request comprising a user identifier, fetch, from the secure end-user repository, at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node, and submit the transformed biometric data and the secret feature transform key over a secure
- a method performed by a client device of enabling authentication of a user of the client device based on biometric data enrolled at a trusted network node comprises submitting, to the trusted network node, a request to authenticate the user of the client device, the authentication request comprising a user identifier, receiving, from the trusted network node, at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node, capturing biometric data of the user, transforming the biometric data into non-invertible biometric data using the received feature transform key, and comparing the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node, and if there is a match, authenticating the user at the client device.
- a client device configured to enable authentication of a user of the client device based on biometric data enrolled at a trusted network node.
- the client device comprises a biometric data sensing system comprising a biometric data sensor and a processing unit, the processing unit being configured to submit, to the trusted network node, a request to authenticate the user of the client device, the authentication request comprising a user identifier, and receive, from the trusted network node, at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node.
- the biometric data sensor is configured to capture biometric data of the user.
- the processing unit is further configured to transform the biometric data into non-invertible biometric data using the received feature transform key, and compare the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node, and if there is a match, authenticate the user at the client device.
- a first client device embodied e.g. in the form of a smart phone captures biometric data of a user, for instance using a fingerprint sensor. This biometric data is then protected at the smart phone using a feature transform and securely registered, or enrolled, with a remotely located trusted network node, which stores the protected biometric data in a secure central
- the user will authenticate herself at a local computing station, i.e. a second client device, by having the computing station capture the biometric data of the user, protect the captured biometric data, and match the protected biometric data at the computing station with the protected biometric data that previously was registered with the trusted server, and now transmitted to the local computing station.
- a clear-text copy of the biometric data of the user never leaves the smart phone or the local computing station.
- the user enrols with the trusted server via the computing station as an alternative to using his/her smart phone. In such a scenario, both enrolment and authentication are performed by the same client device
- the smart phone captures biometric data of the user and transforms the captured biometric data into a transformed biometric data set using a suitable feature transform scheme.
- the transform scheme used should produce transformed biometric data which is non-invertible, i.e. it should be infeasible for an attacker to reconstruct the original biometric data even with access to both a feature transformation key used in the feature transform and the transformed biometric data.
- the smart phone submits the transformed biometric data over a secure channel, i.e. a communication channel being protected in terms of
- the trusted server 300 stores the received transformed biometric data, the feature transformation key and the user identifier, referred to as an enrolment set, in a secure end-user repository, and the enrollment of the user with the trusted server is thereby completed.
- the secure end-user repository typically contains a large number of enrollments; thousands of users may be enrolled with the trusted server, and a user potentially registers a plurality of transformed biometric data sets with the trusted server.
- the biometric data is not stored in the clear outside of the user's trusted client device.
- a user wishing to access the local computing station will need to authenticate herself with the trusted server with which she previously enrolled via the smart phone or the computing station.
- the user enters a user identifier at the computing station, which is submitted to the trusted server in an authentication request over a secure channel.
- Upon receiving the authentication request comprising the user identifier, the trusted server fetches one or more enrollment sets associated with this particular user identifier from the repository. These fetched enrollment sets are referred to as candidate enrollment sets, which are returned over the secure channel to the computing station.
- a "pre-match" is advantageously performed at the trusted server utilizing the user identifier to fetch the adequate candidate enrollment sets, having as an effect that a largely reduced number of candidate enrollment sets will be considered by the computing station as compared to a scenario where the pre-match is not performed.
- the computing station (being equipped with a suitable biometric sensor) derives the fingerprint data of the user, and uses the transformation key of each received candidate enrollment set to create a corresponding set of transformed biometric data.
- the local computing station digitally signs at least one of the sets of transformed biometric data, and submits the digitally signed set of transformed biometric data to the trusted server, which in its turn performs a verification process for the digitally signed set of transformed biometric data. If the verification is successful, the trusted server submitting an
- the trusted server associates each set of
- the corresponding index number is included.
- the trusted server verifies that each index number received from the computing station complies with the previously submitted corresponding index number before an authentication grant can be issued.
- the verification of the index number further raises the security level of the system.
- Figure 1 shows an electronic device in the form of a smart phone in which the present invention may be implemented
- Figure 2 shows a view of a fingerprint sensor onto which a user places the finger
- Figure 3 shows a fingerprint sensor being part of a fingerprint sensing system according to an embodiment
- Figure 4 illustrates a signalling diagram of enrolling transformed biometric data of a user at a trusted server and subsequently authenticating a user based on the enrolled transformed biometric data according to an
- Figure 5 illustrates a signalling diagram of enrolling transformed biometric data of a user at a trusted server and subsequently authenticating a user based on the enrolled transformed biometric data according to another embodiment.
- Figure 1 shows a client device 100 in the form of a smart phone in which the present invention may be implemented.
- the smart phone 100 is equipped with a fingerprint sensor 102 and a display unit 104 with a touch screen interface 106.
- the fingerprint sensor 102 may, for example, be used for unlocking the mobile phone 100 and/or for authorizing transactions carried out using the mobile phone 100, etc.
- the fingerprint sensor 102 may alternatively be placed on the backside of the mobile phone 100. It is noted that the fingerprint sensor 102 could be integrated in the display unit/touch screen or form part of a smart phone home button. It is understood that the fingerprint sensor 102 according to embodiments of the invention may be implemented in other types of electronic devices, such as laptops, remote controls, tablets, smart cards, etc., or any other type of present or future similarly configured device utilizing fingerprint sensing.
- Figure 2 illustrates a somewhat enlarged view of the fingerprint sensor 102 onto which a user places her finger 201.
- the fingerprint sensor 102 is configured to comprise a plurality of sensing elements.
- a single sensing element (also denoted as a pixel) is in Figure 2 indicated by reference numeral 202.
- FIG. 3 shows the fingerprint sensor 102 being part of a fingerprint sensing system 101.
- the fingerprint sensing system 101 comprises the fingerprint sensor 102 and a processing unit 103, such as a microprocessor, for controlling the fingerprint sensor 102 and for analysing captured
- the fingerprint sensing system 101 further comprises a memory 105.
- the fingerprint sensing system 101 in turn, typically, forms part of the electronic device 100 as exemplified in Figure 1.
- upon an object contacting the fingerprint sensor 102, the sensor 102 will capture an image of the object in order to have the processing unit 103 determine whether the object is a fingerprint of an authorised user or not by comparing the captured fingerprint to one or more authorised fingerprint templates pre-stored in the memory 105.
- the fingerprint sensor 102 may be implemented using any kind of current or future fingerprint sensing principle, including for example capacitive, optical, ultrasonic or thermal sensing technology. Currently, capacitive sensing is most commonly used, in particular in applications where size and power consumption are important. Capacitive fingerprint sensors provide an indicative measure of the capacitance between (see Figure 2) several sensing elements 202 and a finger 201 placed on the surface of the fingerprint sensor 102. Acquisition of a fingerprint image is typically performed using a fingerprint sensor 102 comprising a plurality of sensing elements 202 arranged in a two-dimensional manner.
- the user places her finger 201 on the sensor 102 for the sensor to capture an image of the fingerprint of the user.
- the processing unit 103 evaluates the captured fingerprint and compares it to one or more authenticated fingerprint templates stored in the memory 105. If the recorded fingerprint matches the pre-stored template, the user is authenticated and the processing unit 103 will typically instruct the smart phone 100 to perform an appropriate action, such as transitioning from locked mode to unlocked mode, in which the user is allowed access to the smart phone 100.
- the steps of the method performed by the fingerprint sensing system 101 are in practice performed by the processing unit 103 embodied in the form of one or more microprocessors arranged to execute a computer program 107 downloaded to the storage medium 105 associated with the microprocessor, such as a Random Access Memory (RAM), a Flash memory or a hard disk drive.
- the processing unit 103 is arranged to cause the fingerprint sensing system 101 to carry out the method according to embodiments when the appropriate computer program 107 comprising computer-executable instructions is downloaded to the storage medium 105 and executed by the processing unit 103.
- the storage medium 105 may also be a computer program product comprising the computer program 107.
- the computer program 107 may be transferred to the storage medium 105 by means of a suitable computer program product, such as a Digital Versatile Disc (DVD) or a memory stick.
- the computer program 107 may be downloaded to the storage medium 105 over a network.
- the processing unit 103 may alternatively be embodied in the form of a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc. It should further be understood that all or some parts of the functionality provided by means of the processing unit 103 may be at least partly integrated with the fingerprint sensor 102.
- FIG 4 illustrates an embodiment of enabling authentication of user 200 of a second client device 500 over a secure communication channel based on biometric data captured by a first client device 100 and enrolled at a trusted network node 300.
- a client device 100 embodied e.g. in the form of a smart phone captures biometric data of a user 200, e.g. in the manner described with reference to Figures 1-3.
- This biometric data is then protected at the smart phone and securely registered, or enrolled, with a remotely located trusted network node, embodied in the form of a server 300, which stores the protected biometric data in a secure central repository 400.
- the user 200 will authenticate herself at a local computing station 500, i.e.
- a second client device by having the computing station 500 capture the biometric data of the user, protect the captured biometric data, and match the protected biometric data at the computing station 500 with the protected biometric data that previously was registered with the trusted server 300, and now transmitted to the local computing station 500.
- Upon successful authentication, the user 200 will be given access to the local computing station 500. It is noted that a clear-text copy of the biometric data of the user 200 never leaves the smart phone 100 or the local computing station 500.
- This can for instance be a medical system station in a hospital or similar.
- the local station 500 as such is considered trusted, but a "proof" may be required that only a legitimate user is allowed to access the station 500.
- This can be solved using traditional login procedures using usernames and passwords, hardware tokens, or biometrics such as fingerprints.
- biometric identification solutions typically require that complete biometric profiles of all authorized users are stored in a central repository 400 of a trusted server 300 where efficient template-matching is performed to authenticate users.
- Biometric profiles are very privacy sensitive and one would like to avoid storing biometric profiles in clear text in any central location.
- authorized medical personnel such as doctors and nurses are authenticated to local computing stations using biometrics managed by the trusted server 300 and stored in the central repository 400.
- the medical personnel can for instance register, or enrol, to the trusted server 300 using their smart phone 100 with biometric data sensing capabilities and then login to any of the many local computing stations distributed over the hospital premises using local biometrics readers directly attached to the distributed computing stations 500. It is also possible that the users register with the trusted server 300 via any one of the local computing stations 500 as an alternative to using their smart phone 100.
- the smart phone 100 captures biometric data T of the user 200 in step S101, using e.g. a fingerprint sensor as described with reference to Figures 1-3.
- the smart phone 100 transforms the captured biometric data T into a transformed biometric data set Tr, using a suitable feature transform scheme.
- This may for instance be performed using a secret feature transformation key R having been generated at the smart phone 100 by means of an appropriate pseudorandom function (PRF).
- PRF pseudorandom function
- the smart phone 100 is pre- configured with the secret feature transformation key R shared with the trusted server 300.
- Tr = F(R, T), which is non-invertible, i.e. it should be infeasible for an attacker to reconstruct the original biometric data T even with access to both the feature transformation key R and the transformed biometric data Tr.
- transform functions F may be envisaged, such as Cartesian, polar or functional transformations, or a non-invertible
- MAC Message Authentication Code
- the smart phone 100 submits in step S103 the transformed biometric data Tr over a secure channel, i.e. a communication channel being protected in terms of confidentiality and integrity, e.g. via the Internet, to the remotely located trusted server 300 along with the secret feature transformation key R (unless R is preconfigured to be shared by the smart phone 100 and the trusted server 300) and a user identifier D associated with the transformed biometric data Tr such that the transformed biometric data Tr subsequently can be designated by the user 200.
- a secure channel i.e. a communication channel being protected in terms of confidentiality and integrity, e.g. via the Internet
- the trusted server 300 stores the received transformed biometric data Tr, the feature transformation key R and the user identifier D, referred to as an enrolment set, in a secure end-user repository 400 in step S104, located either locally at or remote from the remote server 300, and the enrollment of the user 200 with the trusted server 300 is thereby completed.
- the secure end-user repository 400 typically contains a large number of enrollments; thousands of users may be enrolled with the trusted server 300, and a user potentially registers a plurality of transformed biometric data sets with the trusted server 300, even using different feature transformation keys R for each transformed biometric data set.
- an index i is optionally created by the trusted server 300, thereby resulting in an enrollment set {i, Tr_i, R_i}_D associated with the user identifier D, which set is stored in the secure end-user repository 400 in step S104.
- each index i associated with the particular user identifier.
- the user identifier D itself is used as an index i for the enrollment set. In such a case, the user identifier D would have to be unique such that the corresponding enrollment set may be
- a number of enrollment sets are associated with the user identifier D without incorporating an index number i.
- the biometric data T is not stored in the clear outside of the user's trusted client device, i.e. the smart phone 100.
- a user wishing to access the local computing station 500 will need to authenticate herself with the trusted server 300 with which she previously has enrolled.
- the user (which in this particular example is assumed to be the user 200 that enrolled with the trusted server in steps S101-S104) enters a user identifier D' at the computing station 500 in step S105, which is submitted to the trusted server 300 in an authentication request in step S106 over a secure channel.
- upon receiving the authentication request comprising the user identifier D', the trusted server 300 fetches one or more enrollment sets associated with this particular user as identified by D' from the repository 400 in step S107. These fetched enrollment sets are referred to as candidate enrollment sets, which are returned over the secure channel to the computing station 500 in step S108.
- a "pre-match" is advantageously performed at the trusted server 300 utilizing the user identifier D' to fetch the adequate candidate enrollment sets, having as an effect that a largely reduced number of candidate enrollment sets will be considered by the computing station 500 as compared to a scenario where the pre-match is not performed.
- the feature transformation key Ri may be the same or different for each enrollment set.
- steps S109 and S110 may well be performed at an earlier stage, for instance in connection to step S105 where the user 200 enters a user identifier D', or even before the user enters her user identifier D' in step S105.
- the computing station 500 attempts to match each created set of transformed biometric data Tr' to the corresponding received transformed biometric data Tri in step S111, and if at least one match can be found the user 200 is authenticated in step S112 and thus given access to the computing station 500, or to some protected data stored at the station.
- a match must be attained for more than one enrollment set.
- the steps of the method performed by the remote server 300 are in practice performed by a processing unit 301 embodied in the form of one or more microprocessors arranged to execute a computer program 302 downloaded to a storage medium 303 associated with the microprocessor, such as a Random Access Memory (RAM), a Flash memory or a hard disk drive.
- the processing unit 301 is arranged to cause the remote server 300 to carry out the method according to embodiments when the appropriate computer program 302 comprising computer-executable instructions is downloaded to the storage medium 303 and executed by the processing unit 301.
- the storage medium 303 may also be a computer program product comprising the computer program 302.
- the computer program 302 may be transferred to the storage medium 303 by means of a suitable computer program product, such as a Digital Versatile Disc (DVD) or a memory stick.
- the computer program 302 may be downloaded to the storage medium 303 over a network.
- the processing unit 301 may alternatively be embodied in the form of a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc.
- Figure 5 illustrates a further embodiment of enabling authentication of user 200 of a second client device 500 over a secure communication channel based on biometric data captured by a first client device 100 and enrolled at a trusted network node 300.
- in step S111 the computing station 500 matches the set of transformed biometric data Tr' created in step S110 to the corresponding received set of transformed biometric data Tri
- Pr is the private key of an asymmetric key pair held by the computing station 500; the corresponding public key, denoted Pu, is known to the trusted server 300.
- in step S111b, sig and optionally i (and the matching score M, in case the signature comprises M) are submitted to the trusted server 300 over the secure channel, which in its turn verifies sig using the public key Pu, and optionally also verifies the index i in step S111c; in case the digital signature sig (and optionally i) is successfully verified, the trusted server 300 returns an authentication grant in step S111d.
- the matching score M may be used to determine at the trusted server 300 whether the match is good enough. If not, the user may not be authenticated, or may be required to enter a personal code such as a PIN code, or a password, at the local station.
- the trusted server 300 may verify that the unique index i indeed exists in the database held in the repository 400, and that this particular index was part of the candidate enrollment set(s) submitted in step S108.
- upon receiving the authentication grant, the local computing station 500 authenticates the user 200 in step S112.
- a higher level of security is provided by means of verification of the digital signature sig.
- if an index number i is associated with each enrollment set for a particular user as identified by user identifier D, an even higher level of security is provided, since not only the digital signature sig is verified but also the index number i (and potentially even the matching score M).
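The Figure 5 embodiment sketched in the points above (the station signs under Pr, the trusted server verifies under Pu, checks that the reported index i was among the candidate sets it issued in step S108, and judges the matching score M), as an added worked example in Go. This is not code from the patent or its applicant. Ed25519 as the signature scheme, the signed message layout, the request identifier the server uses to remember which indices it handed out, consuming a request after one verified report so a captured (Tr', i, M, sig) cannot be replayed, and the second-factor outcome for a low score are all assumptions of this example; the sample Tr' is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Decision is the outcome of step S111d at the trusted server.
type Decision int

const (
	Denied Decision = iota
	Granted
	// SecondFactor: sig and i verified but M is below the server's bar, so the
	// station should ask for a PIN or password (one of the options the text leaves open).
	SecondFactor
)

// message binds Tr', i and M under one signature so none of them can be
// swapped after signing. Assumption: this layout is illustrative only.
func message(trPrime []byte, i int, M uint32) []byte {
	h := sha256.Sum256(trPrime)
	var msg [40]byte
	copy(msg[:32], h[:])
	binary.BigEndian.PutUint32(msg[32:], uint32(i))
	binary.BigEndian.PutUint32(msg[36:], M)
	return msg[:]
}

// Station holds the private key Pr; only the public key Pu ever leaves it.
type Station struct{ Pr ed25519.PrivateKey }

func NewStation() *Station {
	_, pr, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Station{Pr: pr}
}

func (st *Station) Pu() ed25519.PublicKey { return st.Pr.Public().(ed25519.PublicKey) }

// Sign produces the sig the station submits in step S111b over the matched
// Tr', its index i and the matching score M.
func (st *Station) Sign(trPrime []byte, i int, M uint32) []byte {
	return ed25519.Sign(st.Pr, message(trPrime, i, M))
}

// Server knows Pu, remembers which indices it sent in step S108 for each
// authentication request, and requires a minimum matching score.
type Server struct {
	Pu       ed25519.PublicKey
	issued   map[string][]int
	minScore uint32
}

func NewServer(pu ed25519.PublicKey, minScore uint32) *Server {
	return &Server{Pu: pu, issued: map[string][]int{}, minScore: minScore}
}

// IssueCandidates records the indices of the candidate enrollment sets returned in step S108.
func (sv *Server) IssueCandidates(reqID string, indices []int) { sv.issued[reqID] = indices }

// Verify is steps S111c-S111d: signature under Pu first, then index i against
// the candidates issued for this request, then the score. A request is consumed
// once a report verifies, so the same (Tr', i, M, sig) cannot be replayed.
func (sv *Server) Verify(reqID string, trPrime []byte, i int, M uint32, sig []byte) (Decision, error) {
	cands, ok := sv.issued[reqID]
	if !ok {
		return Denied, errors.New("unknown or already used request")
	}
	if !ed25519.Verify(sv.Pu, message(trPrime, i, M), sig) {
		return Denied, errors.New("signature does not verify under Pu")
	}
	inSet := false
	for _, c := range cands {
		inSet = inSet || c == i
	}
	if !inSet {
		return Denied, fmt.Errorf("index %d was not among the candidate sets issued", i)
	}
	delete(sv.issued, reqID)
	if M < sv.minScore {
		return SecondFactor, nil
	}
	return Granted, nil
}

// Constructed sample standing in for a transformed biometric data set Tr'.
var trPrime = []byte("constructed transformed biometric data Tr'")

func main() {
	st := NewStation()
	sv := NewServer(st.Pu(), 70)
	sv.IssueCandidates("req-1", []int{1, 2, 3})
	sig := st.Sign(trPrime, 2, 87)
	fmt.Println(sv.Verify("req-1", trPrime, 2, 87, sig)) // 1 <nil>  (Granted)
	fmt.Println(sv.Verify("req-1", trPrime, 2, 87, sig)) // 0 unknown or already used request
}
```

Checking the index against the candidates actually issued for this request is what makes the index verification meaningful: a station that signs a well-formed report for an index the server never sent is rejected even though its signature is valid, and a captured report cannot be presented a second time because the request it answers has been consumed.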
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Software Systems (AREA)
- Power Engineering (AREA)
- Multimedia (AREA)
- Human Computer Interaction (AREA)
- Computing Systems (AREA)
- Collating Specific Patterns (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
In an aspect of the invention, a network node (300) configured to enable authentication of a user (200) of a client device (100, 500) based on biometric data captured by the client device (100, 500) is provided, which network node (300) receives a request to authenticate a user of a client device (500), the authentication request comprising a user identifier, fetches at least one set of enrolled transformed biometric data corresponding to the user identifier and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node (300), and submits the transformed biometric data and the secret feature transform key over a secure communication channel to the client device (500).
Description
METHODS AND DEVICES OF ENABLING AUTHENTICATION OF A USER OF A CLIENT DEVICE OVER A SECURE COMMUNICATION CHANNEL BASED ON BIOMETRIC DATA
TECHNICAL FIELD
The invention relates to methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data.
BACKGROUND
Biometrics-based identification is a user-friendly way to securely authenticate human users. One major problem with biometric data when using it for identification purposes in distributed systems is that template biometric data must be available at the node in a computer system where the end-user is supposed to be identified. This constitutes a major security design challenge in distributed computer systems, as it typically requires original, clear-text biometric data to be stored at a central node and distributed in the system. Such solutions are very vulnerable to compromise of the original biometric data, and data compromised on one system may lead to a situation where the same biometric data is compromised on all other systems where it is used as well. Simply encrypting the biometric data will not solve this problem, as the original biometric data must be available at the remote location during authentication.
Hence, there is a need to provide solutions that allow remote authentication based on biometric identification but at the same time provide protection of the original biometric data.
SUMMARY
An object of the present invention is to solve, or at least mitigate, this problem in the art and thus to provide an improved method of enabling authentication of a user of a client device over a secure communication channel based on biometric data.
This object is attained in a first aspect of the invention by a method performed by a client device of enabling authentication of a user of the client device based on biometric data captured by the client device. The method comprises capturing at least one set of biometric data of the user, transforming the at least one set of biometric data into non-invertible biometric data, and submitting an enrolment request comprising the transformed biometric data and a user identifier over a secure communication channel to a trusted network node.
This object is attained in a second aspect of the invention by a client device configured to enable authentication of a user of the client device based on biometric data captured by the client device. The client device comprises a biometric data sensing system comprising a biometric data sensor and a processing unit. The biometric data sensor is configured to capture at least one set of biometric data of the user, and the processing unit is configured to transform the at least one set of biometric data into non-invertible biometric data, and submit an enrolment request comprising the transformed biometric data and a user identifier over a secure communication channel to a trusted network node.
This object is attained in a third aspect of the invention by a method performed by a network node of enabling authentication of a user of a client device based on biometric data captured by the client device. The method comprises receiving, from the client device, an enrolment request comprising at least one set of transformed biometric data of the user along with a user identifier over a secure communication channel, and storing the received transformed biometric data, a secret feature transform key with which the biometric data was transformed at the client device, and the user identifier in a secure end-user repository.
This object is attained in a fourth aspect of the invention by a network node configured to enable authentication of a user of a client device based on biometric data captured by the client device. The trusted network node comprises a processing unit being configured to receive, from the client device, an enrolment request comprising at least one set of transformed biometric data of the user along with a user identifier over a secure communication channel, and store the received transformed biometric data, a secret feature transform key with which the biometric data was transformed at the client device, and the user identifier in a secure end-user repository.
This object is attained in a fifth aspect of the invention by a method performed by a network node of enabling authentication of a user of a client device based on biometric data captured by the client device. The method comprises receiving, from the client device, a request to authenticate a user of the client device, the authentication request comprising a user identifier, fetching, from the secure end-user repository , at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node, and submitting the transformed biometric data and the secret feature transform key over a secure communication channel to the client device.
This object is attained in a sixth aspect of the invention by a network node configured to enable authentication of a user of a client device based on biometric data captured by the client device. The trusted network node comprises a processing unit configured to receive, from the client device, a request to authenticate a user of the client device, the authentication request comprising a user identifier, fetch, from the secure end-user repository, at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node, and submit the transformed biometric data and the secret feature transform key over a secure communication channel to the client device.
This object is attained in a seventh aspect of the invention by a method performed by a client device of enabling authentication of a user of the client device based on biometric data enrolled at a trusted network node. The method comprises submitting, to the trusted network node, a request to authenticate the user of the client device, the authentication request comprising a user identifier, receiving, from the trusted network node, at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node, capturing biometric data of the user, transforming the biometric data into non-invertible biometric data using the received feature transform key, and comparing the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node, and if there is a match, authenticating the user at the client device.
This object is attained in an eighth aspect of the invention by a client device configured to enable authentication of a user of the client device based on biometric data enrolled at a trusted network node. The client device comprises a biometric data sensing system comprising a biometric data sensor and a processing unit. The processing unit is configured to submit, to the trusted network node, a request to authenticate the user of the client device, the authentication request comprising a user identifier, and receive, from the trusted network node, at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node. The biometric data sensor is configured to capture biometric data of the user. The processing unit is further configured to transform the biometric data into non-invertible biometric data using the received feature transform key, and compare the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node, and if there is a match, authenticate the user at the client device.
In brief, a first client device embodied e.g. in the form of a smart phone captures biometric data of a user, for instance using a fingerprint sensor. This biometric data is then protected at the smart phone using a feature transform and securely registered, or enrolled, with a remotely located trusted network node, which stores the protected biometric data in a secure central repository. Subsequently, the user will authenticate herself at a local computing station, i.e. a second client device, by having the computing station capture the biometric data of the user, protect the captured biometric data, and match the protected biometric data at the computing station with the protected biometric data that previously was registered with the trusted server, and now transmitted to the local computing station. Upon successful authentication, the user will be given access to the local computing station. Advantageously, a clear-text copy of the biometric data of the user never leaves the smart phone or the local computing station. As an alternative, the user enrols with the trusted server via the computing station instead of using his/her smart phone. In such a scenario, both enrolment and authentication are performed by the same client device.
In more detail, the smart phone captures biometric data of the user and transforms the captured biometric data into a transformed biometric data set using a suitable feature transform scheme. The transform scheme used should produce transformed biometric data which is non-invertible, i.e. it should be infeasible for an attacker to reconstruct the original biometric data even with access to both a feature transformation key used in the feature transform and the transformed biometric data. The smart phone submits the transformed biometric data over a secure channel, i.e. a communication channel being protected in terms of confidentiality and integrity, to the remotely located trusted server along with the secret feature transformation key (unless the key is preconfigured to be shared by the smart phone and the trusted server) and a user identifier associated with the transformed biometric data such that the transformed biometric data subsequently can be designated by the user.
The trusted server stores the received transformed biometric data, the feature transformation key and the user identifier, referred to as an enrolment set, in a secure end-user repository, and the enrollment of the user with the trusted server is thereby completed. It should be noted that the secure end-user repository typically contains a large number of enrollments; thousands of users may be enrolled with the trusted server, and a user potentially registers a plurality of transformed biometric data sets with the trusted server.
Advantageously, by using the feature transform scheme, the biometric data is not stored in the clear outside of the user's trusted client device.
Now, a user wishing to access the local computing station will need to authenticate herself with the trusted server with which she previously enrolled via the smart phone or the computing station.
Hence, the user enters a user identifier at the computing station, which is submitted to the trusted server in an authentication request over a secure channel.
Upon receiving the authentication request comprising the user identifier, the trusted server fetches one or more enrollment sets associated with this particular user identifier from the repository. These fetched enrollment sets are referred to as candidate enrollment sets, which are returned over the secure channel to the computing station.
Hence, a "pre-match" is advantageously performed at the trusted server utilizing the user identifier to fetch the adequate candidate enrollment sets, having as an effect that a largely reduced number of candidate enrollment sets will be considered by the computing station as compared to a scenario where the pre-match is not performed.
Thereafter, the computing station (being equipped with a suitable biometric sensor) derives the fingerprint data of the user, and uses the transformation key of each received candidate enrollment set to create a corresponding set of transformed biometric data.
Then, the computing station attempts to match each created set of transformed biometric data to the corresponding received transformed biometric data, and if at least one match can be found the user is authenticated and thus given access to the computing station.
In an embodiment, the local computing station digitally signs at least one of the sets of transformed biometric data, and submits the digitally signed set of transformed biometric data to the trusted server, which in its turn performs a verification process for the digitally signed set of transformed biometric data. If the verification is successful, the trusted server submits an authentication grant to the client device. Advantageously, a higher level of security is provided by means of verification of the digital signature.
In a further embodiment, the trusted server associates each set of transformed biometric data stored in the secure end-user repository with an index number, which is also included in the enrolment sets and consequently in the candidate enrolment set(s) submitted to the local station. Subsequently, when receiving a digitally signed set of transformed biometric data from the local station, the corresponding index number is included. The trusted server verifies that each index number received from the computing station complies with the previously submitted corresponding index number before an authentication grant can be issued. Advantageously, the verification of the index number further raises the security level of the system.
Further embodiments will be described in the following. Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is now described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 shows an electronic device in the form of a smart phone in which the present invention may be implemented;
Figure 2 shows a view of a fingerprint sensor onto which a user places the finger;
Figure 3 shows a fingerprint sensor being part of a fingerprint sensing system according to an embodiment;
Figure 4 illustrates a signalling diagram of enrolling transformed biometric data of a user at a trusted server and subsequently authenticating a user based on the enrolled transformed biometric data according to an embodiment; and
Figure 5 illustrates a signalling diagram of enrolling transformed biometric data of a user at a trusted server and subsequently authenticating a user based on the enrolled transformed biometric data according to another embodiment.
DETAILED DESCRIPTION
The invention will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout the description.
Figure 1 shows a client device 100 in the form of a smart phone in which the present invention may be implemented. The smart phone 100 is equipped with a fingerprint sensor 102 and a display unit 104 with a touch screen interface 106. The fingerprint sensor 102 may, for example, be used for unlocking the mobile phone 100 and/or for authorizing transactions carried out using the mobile phone 100, etc. The fingerprint sensor 102 may alternatively be placed on the backside of the mobile phone 100. It is noted that the fingerprint sensor 102 could be integrated in the display unit/touch screen or form part of a smart phone home button. It is understood that the fingerprint sensor 102 according to embodiments of the invention may be implemented in other types of electronic devices, such as laptops, remote controls, tablets, smart cards, etc., or any other type of present or future similarly configured device utilizing fingerprint sensing.
Figure 2 illustrates a somewhat enlarged view of the fingerprint sensor 102 onto which a user places her finger 201. In the case of employing a capacitive sensing technology, the fingerprint sensor 102 is configured to comprise a plurality of sensing elements. A single sensing element (also denoted as a pixel) is in Figure 2 indicated by reference numeral 202.
Figure 3 shows the fingerprint sensor 102 being part of a fingerprint sensing system 101. The fingerprint sensing system 101 comprises the fingerprint sensor 102 and a processing unit 103, such as a microprocessor, for controlling the fingerprint sensor 102 and for analysing captured fingerprints. The fingerprint sensing system 101 further comprises a memory 105. The fingerprint sensing system 101 in turn, typically, forms part of the electronic device 100 as exemplified in Figure 1.
Now, upon an object contacting the fingerprint sensor 102, the sensor 102 will capture an image of the object in order to have the processing unit 103 determine whether the object is a fingerprint of an authorised user or not by comparing the captured fingerprint to one or more authorised fingerprint templates pre-stored in the memory 105.
The fingerprint sensor 102 may be implemented using any kind of current or future fingerprint sensing principle, including for example capacitive, optical, ultrasonic or thermal sensing technology. Currently, capacitive sensing is most commonly used, in particular in applications where size and power consumption are important. Capacitive fingerprint sensors provide an indicative measure of the capacitance between (see Figure 2) several sensing elements 202 and a finger 201 placed on the surface of the fingerprint sensor 102. Acquisition of a fingerprint image is typically performed using a fingerprint sensor 102 comprising a plurality of sensing elements 202 arranged in a two-dimensional manner.
In a general authorization process, the user places her finger 201 on the sensor 102 for the sensor to capture an image of the fingerprint of the user. The processing unit 103 evaluates the captured fingerprint and compares it to one or more authenticated fingerprint templates stored in the memory 105. If the recorded fingerprint matches the pre-stored template, the user is authenticated and the processing unit 103 will typically instruct the smart phone 100 to perform an appropriate action, such as transitioning from locked mode to unlocked mode, in which the user is allowed access to the smart phone 100.
With reference again to Figure 3, the steps of the method performed by the fingerprint sensing system 101 (apart from capturing the image, which is carried out by the sensor 102) are in practice performed by the processing unit 103 embodied in the form of one or more microprocessors arranged to execute a computer program 107 downloaded to the storage medium 105 associated with the microprocessor, such as a Random Access Memory (RAM), a Flash memory or a hard disk drive. The processing unit 103 is arranged to cause the fingerprint sensing system 101 to carry out the method according to embodiments when the appropriate computer program 107 comprising computer-executable instructions is downloaded to the storage medium 105 and executed by the processing unit 103. The storage medium 105 may also be a computer program product comprising the computer program 107. Alternatively, the computer program 107 may be transferred to the storage medium 105 by means of a suitable computer program product, such as a Digital Versatile Disc (DVD) or a memory stick. As a further alternative, the computer program 107 may be downloaded to the storage medium 105 over a network. The processing unit 103 may alternatively be embodied in the form of a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc. It should further be understood that all or some parts of the functionality provided by means of the processing unit 103 may be at least partly integrated with the fingerprint sensor 102.
Figure 4 illustrates an embodiment of enabling authentication of user 200 of a second client device 500 over a secure communication channel based on biometric data captured by a first client device 100 and enrolled at a trusted network node 300. In brief, a client device 100 embodied e.g. in the form of a smart phone captures biometric data of a user 200, e.g. in the manner described with reference to Figures 1-3. This biometric data is then protected at the smart phone and securely registered, or enrolled, with a remotely located trusted network node, embodied in the form of a server 300, which stores the protected biometric data in a secure central repository 400. Subsequently, the user 200 will authenticate herself at a local computing station 500, i.e. a second client device, by having the computing station 500 capture the biometric data of the user, protect the captured biometric data, and match the protected biometric data at the computing station 500 with the protected biometric data that previously was registered with the trusted server 300, and now transmitted to the local computing station 500. Upon successful authentication, the user 200 will be given access to the local computing station 500. It is noted that a clear-text copy of the biometric data of the user 200 never leaves the smart phone 100 or the local computing station 500.
As previously mentioned, in many situations a need arises to securely identify an end-user at a local computing station 500. This can for instance be a medical system station in a hospital or similar. In this scenario, the local station 500 as such is considered trusted, but a "proof" may be required that only a legitimate user is allowed to access the station 500. This can be solved using traditional login procedures using usernames and passwords, hardware tokens, or biometrics such as fingerprints.
However, traditional biometric identification solutions typically require that complete biometric profiles of all authorized users are stored in a central repository 400 of a trusted server 300 where efficient template-matching is performed to authenticate users. Biometric profiles are very privacy sensitive and one would like to avoid storing biometric profiles in clear text in any central location.
Hence, authorized medical personnel such as doctors and nurses are authenticated to local computing stations using biometrics managed by the trusted server 300 and stored in the central repository 400. The medical personnel can for instance register, or enrol, to the trusted server 300 using their smart phone 100 with biometric data sensing capabilities and then login to any of the many local computing stations distributed over the hospital premises using local biometrics readers directly attached to the distributed computing stations 500. It is also possible that the users register with the trusted server 300 via any one of the local computing stations 500 as an alternative to using their smart phone 100.
With reference to Figure 4, the smart phone 100 captures biometric data T of the user 200 in step S101, using e.g. a fingerprint sensor as described with reference to Figures 1-3. In step S102, the smart phone 100 transforms the captured biometric data T into a transformed biometric data set Tr, using a suitable feature transform scheme.
This may for instance be performed using a secret feature transformation key R having been generated at the smart phone 100 by means of an appropriate pseudorandom function (PRF). Alternatively, the smart phone 100 is pre-configured with the secret feature transformation key R shared with the trusted server 300.
The transform scheme used should produce transformed biometric data denoted Tr = F(R, T) which is non-invertible, i.e. it should be infeasible for an attacker to reconstruct the original biometric data T even with access to both the feature transformation key R and the transformed biometric data Tr.
A number of different transform functions F may be envisaged, such as cartesian, polar or functional transformations, or a non-invertible transformation function built upon an approximation Message Authentication Code (MAC) scheme.
The smart phone 100 submits in step S103 the transformed biometric data Tr over a secure channel, i.e. a communication channel being protected in terms of confidentiality and integrity, e.g. via the Internet, to the remotely located trusted server 300, along with the secret feature transformation key R (unless R is preconfigured to be shared by the smart phone 100 and the trusted server 300) and a user identifier D associated with the transformed biometric data Tr, such that the transformed biometric data Tr subsequently can be attributed to the user 200.
The trusted server 300 stores the received transformed biometric data Tr, the feature transformation key R and the user identifier D, referred to as an enrolment set, in a secure end-user repository 400 in step S104, located either locally at or remote from the trusted server 300, and the enrolment of the user 200 with the trusted server 300 is thereby completed.
It should be noted that the secure end-user repository 400 typically contains a large number of enrollments; thousands of users may be enrolled with the trusted server 300, and a user potentially registers a plurality of transformed biometric data sets with the trusted server 300, even using different feature transformation keys R for each transformed biometric data set.
Hence, for each registered transformed biometric data set Tr and feature transformation key R, an index i is optionally created by the trusted server 300, thereby resulting in an enrollment set {i, Tri, Ri}D associated with the user identifier D, which set is stored in the secure end-user repository 400 in step S104. As a result, if the user 200 has registered for instance five biometric profiles, each has a unique index number i associated with the particular user identifier. Should the user 200 register only one single biometric profile, it is possible that the user identifier D itself is used as an index i for the enrollment set. In such case, the user identifier D would have to be unique such that the corresponding enrollment set may be distinguished at the trusted server 300.
It can further be envisaged that a number of enrollment sets are associated with the user identifier D without incorporating an index number i.
Advantageously, by using the feature transform scheme, the biometric data T is not stored in the clear outside of the user's trusted client device, i.e. the smart phone 100.
Now, a user wishing to access the local computing station 500 will need to authenticate herself with the trusted server 300 with which she previously has enrolled. Hence, the user (which in this particular example is assumed to be the user 200 that enrolled with the trusted server in steps S101-S104) enters a user identifier D' at the computing station 500 in step S105, which is submitted to the trusted server 300 in an authentication request in step S106 over a secure channel. Upon receiving the authentication request comprising the user identifier D', the trusted server 300 fetches one or more enrollment sets associated with this particular user as identified by D' from the repository 400 in step S107. These fetched enrollment sets are referred to as candidate enrollment sets, which are returned over the secure channel to the computing station 500 in step S108. Hence, a "pre-match" is advantageously performed at the trusted server 300 utilizing the user identifier D' to fetch the adequate candidate enrollment sets, having as an effect that a greatly reduced number of candidate enrollment sets will be considered by the computing station 500 as compared to a scenario where the pre-match is not performed. Thereafter, the computing station 500 (being equipped with a suitable biometric sensor) derives the fingerprint data T' of the user 200 in step S109, and uses the transformation key Ri of each candidate enrollment set received in step S108 to create a corresponding set of transformed biometric data Tr' = F(Ri, T') in step S110. It is noted that the feature transformation key Ri may be the same or different for each enrollment set.
As is understood, steps S109 and S110 may well be performed at an earlier stage, for instance in connection to step S105 where the user 200 enters a user identifier D', or even before the user enters her user identifier D' in step S105. Then, the computing station 500 attempts to match each created set of transformed biometric data Tr' to the corresponding received transformed biometric data Tri in step S111, and if at least one match can be found the user 200 is authenticated in step S112 and thus given access to the computing station 500, or to some protected data stored at the station. Alternatively, in an embodiment providing for stricter security, in case the user 200 has enrolled a plurality of enrollment sets with the trusted server 300, a match must be attained for more than one enrollment set. In case even stricter security is required, it can even be envisaged that all sets of transformed biometric data must match. Advantageously, as can be concluded from the above, no clear text biometric data is stored at the trusted server 300, which can considerably increase a user's trust in using the system.
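The enrolment of Figure 4 (steps S101-S104) and the authentication that follows it (steps S105-S112), worked through end to end as an added example in Go. This is not code from the patent or from its applicant. It assumes that the biometric data T is a set of quantized minutiae, that the feature transform F is an HMAC-SHA256 based many-to-one bucket map (an illustrative stand-in: the description names transform families but specifies none), and that the matching score M is the Jaccard overlap of two transformed sets with a threshold of 0.5. One caveat a practitioner should keep in mind: with quantized features drawn from a small domain, a party holding Ri can enumerate the cells that fall into each bucket, so this stand-in only partially meets the requirement stated above that T be unrecoverable even from R and Tr; it is here to show the data flow, the pre-match on D' and the two match policies, not to serve as a template-protection scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// Minutia is one quantized feature (cell X,Y in 0..15, angle bin Theta in 0..7); a constructed stand-in for T.
type Minutia struct{ X, Y, Theta int }

// EnrollmentSet is {i, Tri, Ri}D as held in the secure end-user repository 400.
type EnrollmentSet struct {
	Index int
	Tr    map[int]bool // transformed biometric data Tri
	R     []byte       // secret feature transformation key Ri
}

// Repository models the end-user repository 400, keyed by user identifier D.
type Repository map[string][]EnrollmentSet

// NewKey draws a fresh secret feature transformation key R (step S102; the PRF is represented by the OS CSPRNG).
func NewKey() []byte {
	r := make([]byte, 32)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}

// Transform is an assumed, illustrative F(R, T): each minutia is mapped by HMAC-SHA256 under R into one
// of 256 buckets, so Tr is a many-to-one bucket set. It is not the patent's transform; see the caveat above.
func Transform(R []byte, T []Minutia) map[int]bool {
	out := map[int]bool{}
	for _, m := range T {
		mac := hmac.New(sha256.New, R)
		mac.Write([]byte{byte(m.X), byte(m.Y), byte(m.Theta)})
		out[int(binary.BigEndian.Uint32(mac.Sum(nil)) % 256)] = true
	}
	return out
}

// Score is the matching score M: the Jaccard overlap of two transformed sets.
func Score(a, b map[int]bool) float64 {
	inter := 0
	for k := range b {
		if a[k] {
			inter++
		}
	}
	if union := len(a) + len(b) - inter; union > 0 {
		return float64(inter) / float64(union)
	}
	return 0
}

// Enroll performs steps S102-S104 for user D with key R and returns the index i.
func (repo Repository) Enroll(D string, R []byte, T []Minutia) int {
	i := len(repo[D])
	repo[D] = append(repo[D], EnrollmentSet{Index: i, Tr: Transform(R, T), R: R})
	return i
}

// Fetch is the server-side pre-match of step S107: only the sets enrolled under D' are returned.
func (repo Repository) Fetch(Dprime string) []EnrollmentSet { return repo[Dprime] }

// Authenticate runs steps S109-S112 at the computing station: transform the probe T' with each candidate's
// Ri, score it against Tri and apply the match policy; requireAll selects the stricter "all sets must match" embodiment.
func Authenticate(cands []EnrollmentSet, Tprobe []Minutia, threshold float64, requireAll bool) (bool, []int) {
	var matched []int
	for _, c := range cands {
		if Score(c.Tr, Transform(c.R, Tprobe)) >= threshold {
			matched = append(matched, c.Index)
		}
	}
	if requireAll {
		return len(cands) > 0 && len(matched) == len(cands), matched
	}
	return len(matched) > 0, matched
}

// ConstructedFinger returns n deterministic pseudo-minutiae for a seed (constructed sample input, not real biometric data).
func ConstructedFinger(seed int64, n int) []Minutia {
	rng := mrand.New(mrand.NewSource(seed))
	T := make([]Minutia, n)
	for k := range T {
		T[k] = Minutia{rng.Intn(16), rng.Intn(16), rng.Intn(8)}
	}
	return T
}

func main() {
	repo := Repository{}
	finger := ConstructedFinger(1, 30)
	repo.Enroll("nurse-42", NewKey(), finger)
	fmt.Println(Authenticate(repo.Fetch("nurse-42"), finger, 0.5, true)) // true [0]
}
```

Each candidate set is transformed with its own Ri before scoring, which is why the station has to receive Ri together with Tri in step S108; two profiles enrolled under different keys therefore give two unrelated bucket sets for the same finger, and a probe that shares 25 of 30 minutiae with the enrolled finger still scores well above the threshold against both.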
With reference to Figure 4, the steps of the method performed by the remote server 300 are in practice performed by a processing unit 301 embodied in the form of one or more microprocessors arranged to execute a computer program 302 downloaded to a storage medium 303 associated with the microprocessor, such as a Random Access Memory (RAM), a Flash memory or a hard disk drive. The processing unit 301 is arranged to cause the remote server 300 to carry out the method according to embodiments when the appropriate computer program 302 comprising computer-executable instructions is downloaded to the storage medium 303 and executed by the processing unit 301. The storage medium 303 may also be a computer program product comprising the computer program 302. Alternatively, the computer program 302 may be transferred to the storage medium 303 by means of a suitable computer program product, such as a Digital Versatile Disc (DVD) or a memory stick. As a further alternative, the computer program 302 may be downloaded to the storage medium 303 over a network. The processing unit 301 may alternatively be embodied in the form of a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc.
Figure 5 illustrates a further embodiment of enabling authentication of user 200 of a second client device 500 over a secure communication channel based on biometric data captured by a first client device 100 and enrolled at a trusted network node 300.
Now, in this embodiment, after the computing station 500 matches the set of transformed biometric data Tr' created in step S110 to the corresponding received set of transformed biometric data Tri in step S111, the computing station proceeds to step S111a where it digitally signs the transformed biometric data Tri and corresponding index i for which there is a match, which is denoted sig = SIG(Pr, i || Tri) where || denotes concatenation.
Pr is the private key of an asymmetric key pair of the computing station 500, the corresponding public key Pu of which is held by the trusted server 300. The computing station 500 is typically preconfigured with the asymmetric key pair.
It is further envisaged that the signature may be extended with a matching score M indicating how well two transformed biometric data sets match, resulting in sig = SIG(Pr, M || i || Tri).
Thereafter, in step S111b, sig and optionally i (and the matching score M, in case the signature comprises M) are submitted to the trusted server 300 over the secure channel, which in its turn verifies sig using the public key Pu, and optionally also verifies the index i in step S111c, and in case the digital signature sig (and optionally i) is successfully verified, the trusted server 300 returns an authentication grant in step S111d. The matching score M may be used to determine at the trusted server 300 if the matching is good enough. If not, the user may not be authenticated, or may be required to enter a personal code such as a PIN code, or a password, at the local station.
Hence, the trusted server 300 may verify that the unique index i indeed exists in the database held in the repository 400, and that this particular index was part of the candidate enrollment set(s) submitted in step S108. Upon receiving the authentication grant, the local computing station authenticates the user 200 in step S112. Advantageously, a higher level of security is provided by means of verification of the digital signature sig.
Further, in the embodiment where an index number i is associated with each enrollment set for a particular user as identified with user identifier D, an even higher level of security is provided since not only the digital signature sig is verified but also the index number i (and potentially even the matching score M).
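The signed-match embodiment of Figure 5 (steps S111a-S111d), both sides of the exchange, as an added example in Go; it is not code from the patent or from its applicant. It assumes that SIG is Ed25519 with the key pair (Pu, Pr) preconfigured at the station, that M || i || Tri is encoded with fixed-width fields so the concatenation cannot be re-split, that Tri is carried as opaque bytes, and that a matching score M below the server's threshold yields a step-up error (the description's option of requiring a PIN or password) rather than a grant. Two details are design choices of this example, not statements of the description: the server remembers per open request which indices it handed out in step S108, and it consumes that request on the first verified signature, so a captured signed match cannot be replayed against a later request.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Stored is one enrolment set {i, Tri}D as held by the trusted server 300 (Ri is not needed by the verification of Figure 5).
type Stored struct{ Index int; Tr []byte }

// SignedMatch is what the computing station 500 submits in step S111b.
type SignedMatch struct {
	User  string  // user identifier D'
	Index int     // index i of the enrolment set that matched
	Score float64 // matching score M, assumed to lie in [0, 1]
	Tr    []byte  // the received Tri that matched
	Sig   []byte  // sig = SIG(Pr, M || i || Tri)
}

// Server models the trusted server 300 for steps S108 and S111c-S111d.
type Server struct {
	repo     map[string][]Stored
	pu       ed25519.PublicKey       // Pu of the key pair preconfigured at station 500
	pending  map[string]map[int]bool // indices handed out in S108 per open request
	minScore float64                 // server-side threshold on M
}

// ErrStepUp: M is too low, so the station should ask for a PIN or password instead of granting access.
var ErrStepUp = errors.New("matching score below threshold: require PIN or password")

func NewServer(pu ed25519.PublicKey, minScore float64) *Server {
	return &Server{repo: map[string][]Stored{}, pu: pu, pending: map[string]map[int]bool{}, minScore: minScore}
}

// NewStationKeyPair creates the asymmetric key pair (Pu, Pr) of a computing station.
func NewStationKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pu, pr, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pu, pr
}

// Store records an enrolment set for user D (the outcome of step S104).
func (s *Server) Store(D string, i int, Tr []byte) { s.repo[D] = append(s.repo[D], Stored{i, Tr}) }

// encode builds M || i || Tri with fixed-width fields (M scaled by 10000 into 16 bits, i as 32-bit big-endian).
func encode(M float64, i int, Tr []byte) []byte {
	buf := make([]byte, 6, 6+len(Tr))
	binary.BigEndian.PutUint16(buf[0:2], uint16(M*10000))
	binary.BigEndian.PutUint32(buf[2:6], uint32(i))
	return append(buf, Tr...)
}

// Sign is step S111a at the station: sig = SIG(Pr, M || i || Tri).
func Sign(pr ed25519.PrivateKey, D string, M float64, i int, Tr []byte) SignedMatch {
	return SignedMatch{User: D, Index: i, Score: M, Tr: Tr, Sig: ed25519.Sign(pr, encode(M, i, Tr))}
}

// Candidates is step S108: return the sets for D' and remember the indices handed out.
func (s *Server) Candidates(Dprime string) []Stored {
	sets := s.repo[Dprime]
	idx := map[int]bool{}
	for _, st := range sets {
		idx[st.Index] = true
	}
	s.pending[Dprime] = idx
	return sets
}

// Verify is steps S111c-S111d; a nil result is the authentication grant. It checks sig under Pu, that i was
// among the candidates of S108, that the signed Tri equals the stored set for (D', i), and that M meets the
// threshold. The open request is consumed once sig verifies, so a captured SignedMatch cannot be replayed.
func (s *Server) Verify(sm SignedMatch) error {
	if !ed25519.Verify(s.pu, encode(sm.Score, sm.Index, sm.Tr), sm.Sig) {
		return errors.New("signature does not verify under Pu")
	}
	sent := s.pending[sm.User][sm.Index]
	delete(s.pending, sm.User)
	if !sent {
		return errors.New("index i was not part of the candidate sets sent in S108")
	}
	for _, st := range s.repo[sm.User] {
		if st.Index == sm.Index && bytes.Equal(st.Tr, sm.Tr) {
			if sm.Score < s.minScore {
				return ErrStepUp
			}
			return nil
		}
	}
	return errors.New("signed Tri does not match the repository entry for i")
}

func main() {
	pu, pr := NewStationKeyPair()
	srv := NewServer(pu, 0.5)
	srv.Store("nurse-42", 0, []byte("constructed-Tr0"))
	c := srv.Candidates("nurse-42")                                           // S106-S108
	fmt.Println(srv.Verify(Sign(pr, "nurse-42", 0.8, c[0].Index, c[0].Tr))) // <nil>: grant
}
```

Because the server re-derives M || i || Tri from the submitted fields and checks Tri against its own repository entry for (D', i), the signature binds the station's claim to a specific enrolment set; a station that signs a different index, a score edited after signing, or a Tri it was never sent is rejected before any grant is issued.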
The invention has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims.
Claims
1. A method performed by a network node (300) of enabling authentication of a user (200) of a client device (100, 500) based on biometric data captured by the client device (100, 500), comprising:
receiving (S106), from the client device (500), a request to authenticate a user of the client device (500), the authentication request comprising a user identifier;
fetching (S107), from the secure end-user repository (400), at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device (500) and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node (300); and
submitting (S108) the transformed biometric data and the secret feature transform key over a secure communication channel to the client device (500), wherein the submitted transformed biometric data is compared at the client device (500) with biometric data being captured at the client device (500) and transformed with the secret feature transform key and if there is a match, the user is authenticated.
2. The method of claim 1, wherein a plurality of sets of enrolled transformed biometric data corresponding to the user identifier received from the client device (500) are fetched (S107) from the secure end-user repository (400) and submitted (S108) to the client device (500).
3. The method of any one of claims 1 or 2, further comprising:
receiving (S111b), from the client device (500), at least one digitally signed set of transformed biometric data;
verifying (S111c) said at least one digitally signed set of transformed biometric data; and if the verification is successful:
submitting (S111d) an authentication grant to the client device (500).
4. The method of any one of claims 1-3, further comprising:
associating each set of transformed biometric data stored in the secure end-user repository (400) with an index number, wherein the submitting (S108) of the plurality of sets of transformed biometric data corresponding to the user identifier received from the client device (500) further comprises: submitting the index number associated with each set of transformed biometric data, wherein the receiving (S111b), from the client device (500), of at least one digitally signed set of transformed biometric data further comprises:
receiving an index number for each digitally signed set of transformed biometric data; and the verifying (S111c) of said at least one digitally signed set of transformed biometric data further comprises:
verifying that each index number received from the client device (500) complies with the previously submitted corresponding index number for each set of transformed biometric data.
5. A method performed by a client device (500) of enabling authentication of a user (200) of the client device (500) based on biometric data enrolled at a trusted network node (300), comprising:
submitting (S106), to the trusted network node (300), a request to authenticate the user (200) of the client device (500), the authentication request comprising a user identifier;
receiving (S108), from the trusted network node (300), at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node (300);
capturing (S109) biometric data of the user (200);
transforming (S110) the biometric data into non-invertible biometric data using the received feature transform key; and
comparing (S111) the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node (300); and if there is a match
authenticating (S112) the user at the client device (500).
6. The method of claim 5, wherein a plurality of sets of transformed biometric data are received (S108) from the trusted network node (300) and compared to the biometric data transformed at the client device (500), wherein the user is authenticated (S112) if the biometric data transformed at the client device matches each one of the sets of transformed biometric data received (S108) from the trusted network node (300).
7. The method of claims 5 or 6, further comprising:
digitally signing (S111a) the at least one received set of transformed biometric data for which there is a match;
submitting (S111b) the digitally signed biometric data to the trusted network node (300);
receiving (S111d), from the trusted network node (300) in case the trusted network node (300) successfully verifies the digitally signed biometric data, an authentication grant, wherein the user is authenticated (S112) at the client device (500).
8. The method of claim 7, wherein the receiving (S108) of the plurality of sets of transformed biometric data corresponding to the user identifier received from the client device (500) further comprises:
receiving an index number associated with each set of transformed biometric data, and wherein the submitting (S111b) of at least one digitally signed set of transformed biometric data further comprises:
submitting the index number for each digitally signed set of transformed biometric data.
9. The method of any one of the preceding claims, wherein the client device (500) requesting authentication is different from the client device (100) requesting enrolment.
10. A network node (300) configured to enable authentication of a user (200) of a client device (100, 500) based on biometric data captured by the client device (100, 500), the trusted network node (300) comprising a processing unit (301) being configured to:
receive, from the client device (500), a request to authenticate a user of the client device (500), the authentication request comprising a user identifier;
fetch, from the secure end-user repository (400), at least one set of enrolled transformed biometric data corresponding to the user identifier received from the client device (500) and a secret feature transform key with which the biometric data was transformed at enrolment of the transformed biometric data at the network node (300); and
submit the transformed biometric data and the secret feature transform key over a secure communication channel to the client device (500), wherein the submitted transformed biometric data is compared at the client device (500) with biometric data being captured at the client device (500) and transformed with the secret feature transform key and if there is a match, the user is authenticated.
11. The network node (300) of claim 10, being configured to fetch a plurality of sets of enrolled transformed biometric data corresponding to the user identifier received from the client device (500) from the secure end-user repository (400) and to submit the fetched plurality of sets of enrolled transformed biometric data to the client device (500).
12. The network node (300) of any one of claims 10 or 11, the processing unit (301) further being configured to:
receive, from the client device (500), at least one digitally signed set of transformed biometric data;
verify said at least one digitally signed set of transformed biometric data; and if the verification is successful:
submit an authentication grant to the client device (500).
13. The network node (300) of any one of claims 10-12, the processing unit (301) further being configured to:
associate each set of transformed biometric data stored in the secure end-user repository (400) with an index number, and further being configured to, when submitting the plurality of sets of transformed biometric data corresponding to the user identifier received from the client device (500):
submit the index number associated with each set of transformed biometric data, and further being configured to, when receiving the at least one digitally signed set of transformed biometric data from the client device (500):
receive an index number for each digitally signed set of transformed biometric data; and further being configured to, when verifying said at least one digitally signed set of transformed biometric data:
verify that each index number received from the client device (500) complies with the previously submitted corresponding index number for each set of transformed biometric data.
14. A client device (500) configured to enable authentication of a user (200) of the client device (500) based on biometric data enrolled at a trusted network node (300), the client device comprising a biometric data sensing system (101) comprising a biometric data sensor (102) and a processing unit (103),
the processing unit (103) being configured to:
submit, to the trusted network node (300), a request to authenticate the user (200) of the client device (500), the authentication request comprising a user identifier;
receive, from the trusted network node (300), at least one set of transformed biometric data corresponding to the user identifier submitted with the authentication request and the secret feature transform key with which the received biometric data was transformed at enrolment of the transformed biometric data at the network node (300);
the biometric data sensor (102) being configured to:
capture biometric data of the user (200);
the processing unit (103) further being configured to:
transform the biometric data into non-invertible biometric data using the received feature transform key; and
compare the transformed biometric data with the at least one set of transformed biometric data received from the trusted network node (300); and if there is a match
authenticate the user at the client device (500).
15. The client device (500) of claim 14, the client device (500) being configured to receive a plurality of sets of transformed biometric data from the trusted network node (300) and compare the received plurality of sets of transformed biometric data to the biometric data transformed at the client device (500), wherein the user is authenticated (S112) if the biometric data transformed at the client device matches each one of the sets of transformed biometric data received (S108) from the trusted network node (300).
16. The client device (500) of claims 14 or 15, the processing unit (103) further being configured to:
digitally sign the at least one received set of transformed biometric data for which there is a match;
submit the digitally signed biometric data to the trusted network node (300);
receive, from the trusted network node (300) in case the trusted network node (300) successfully verifies the digitally signed biometric data, an authentication grant, wherein the user is authenticated (S112) at the client device (500).
17. The client device (500) of claim 16, the processing unit (103) being configured to:
receive an index number associated with each set of transformed biometric data, and further to, when submitting the at least one digitally signed set of transformed biometric data:
submit the index number for each digitally signed set of transformed biometric data.
18. A computer program (107) comprising computer-executable instructions for causing the biometric data sensing system (101) to perform steps recited in any one of claims 5-8 when the computer-executable instructions are executed on a processing unit (103) included in the biometric data sensing system (101).
19. A computer program product comprising a computer readable medium (105), the computer readable medium having the computer program (107) according to claim 18 embodied thereon.
20. A computer program (302) comprising computer-executable instructions for causing the trusted network node (300) to perform steps recited in any one of claims 1-4 when the computer-executable instructions are executed on a processing unit (301) included in the trusted network node (300).
21. A computer program product comprising a computer readable medium (303), the computer readable medium having the computer program (302) according to claim 20 embodied thereon.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18839117.1A EP3622429B1 (en) | 2017-07-27 | 2018-07-05 | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data |
CN201880003593.3A CN109791583B (en) | 2017-07-27 | 2018-07-05 | Method and device for enabling authentication of a user of a client device over a secure communication channel based on biometric data |
US16/623,240 US11115215B2 (en) | 2017-07-27 | 2018-07-05 | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE1750964 | 2017-07-27 | ||
SE1750964-7 | 2017-07-27 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019022658A1 true WO2019022658A1 (en) | 2019-01-31 |
Family
ID=65039874
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2018/050736 WO2019022658A1 (en) | 2017-07-27 | 2018-07-05 | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data |
Country Status (4)
Country | Link |
---|---|
US (1) | US11115215B2 (en) |
EP (1) | EP3622429B1 (en) |
CN (1) | CN109791583B (en) |
WO (1) | WO2019022658A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11165772B2 (en) * | 2017-09-13 | 2021-11-02 | Fingerprint Cards Ab | Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7181017B1 (en) * | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
WO2009073144A2 (en) * | 2007-11-28 | 2009-06-11 | The Regents Of The University Of Colorado | Bio-cryptography: secure cryptographic protocols with bipartite biotokens |
WO2009115611A2 (en) * | 2008-03-20 | 2009-09-24 | Universite De Geneve | Secure item identification and authentication system and method based on unclonable features |
US20090271634A1 (en) * | 2008-04-25 | 2009-10-29 | The Regents Of The University Of Colorado & Securics, Inc. | Bio-Cryptograhpy : Secure cryptographic protocols with bipartite biotokens |
US20100241595A1 (en) * | 2000-07-06 | 2010-09-23 | David Paul Felsher | Information record infrastructure, system and method |
US20110037563A1 (en) * | 2009-08-17 | 2011-02-17 | Electronics And Telecommunictions Research Institute | Apparatus and method for biometric registration and authentication |
US20110047377A1 (en) * | 2009-08-19 | 2011-02-24 | Harris Corporation | Secure digital communications via biometric key generation |
US20160164682A1 (en) * | 2014-12-04 | 2016-06-09 | Fujitsu Limited | Privacy preserving set-based biometric authentication |
WO2016128906A1 (en) * | 2015-02-11 | 2016-08-18 | Visa International Service Association | Systems and methods for securely managing biometric data |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070136604A1 (en) * | 2005-12-06 | 2007-06-14 | Motorola, Inc. | Method and system for managing secure access to data in a network |
US8001387B2 (en) * | 2006-04-19 | 2011-08-16 | Dphi, Inc. | Removable storage medium with biometric access |
US8438385B2 (en) * | 2008-03-13 | 2013-05-07 | Fujitsu Limited | Method and apparatus for identity verification |
EP2244414A1 (en) * | 2008-03-25 | 2010-10-27 | Panasonic Corporation | Data encryption device |
US20100138667A1 (en) * | 2008-12-01 | 2010-06-03 | Neil Patrick Adams | Authentication using stored biometric data |
FR2988196B1 (en) | 2012-03-19 | 2014-03-28 | Morpho | METHOD FOR AUTHENTICATING AN INDIVIDUAL BEARING AN IDENTIFICATION OBJECT |
US9774596B2 (en) * | 2014-05-23 | 2017-09-26 | Fujitsu Limited | Privacy-preserving biometric authentication |
CN108141363A (en) * | 2015-10-15 | 2018-06-08 | 诺基亚技术有限公司 | For the device of certification, method and computer program product |
US10142333B1 (en) * | 2016-06-21 | 2018-11-27 | Wells Fargo Bank, N.A. | Biometric reference template record |
US10237270B2 (en) * | 2016-09-29 | 2019-03-19 | International Business Machines Corporation | Distributed storage of authentication data |
JP7064093B2 (en) * | 2017-02-21 | 2022-05-10 | フィンガープリント カーズ アナカタム アイピー アクティエボラーグ | High reliability key server |
US10922436B2 (en) * | 2018-08-07 | 2021-02-16 | Microsoft Technology Licensing, Llc | Securing sensitive data using distance-preserving transformations |
2018
- 2018-07-05 US US16/623,240 patent/US11115215B2/en active Active
- 2018-07-05 CN CN201880003593.3A patent/CN109791583B/en active Active
- 2018-07-05 EP EP18839117.1A patent/EP3622429B1/en active Active
- 2018-07-05 WO PCT/SE2018/050736 patent/WO2019022658A1/en unknown
Non-Patent Citations (6)
Title |
---|
DANG T K ET AL.: "Cancellable fuzzy vault with periodic transformation for biometric template", IET BIOMET, vol. 5, no. 3, 1 September 2016 (2016-09-01), pages 229 - 235, XP055567121, ISSN: 2047-4938 * |
DAVID GONZALEZ MARTINEZ ET AL.: "Secure crypto-biometric system for cloud computing", SECURING SERVICES ON THE CLOUD (IWSSC), 2011 1 ST INTERNATIONAL WORKSHOP ON, 6 September 2011 (2011-09-06), XP032063713 * |
NANDAKUMAR KARTHIK: "BioSAKE: Biometrics-based secure authentication and key Exchange", 2013 INTERNATIONAL CONFERENCE ON BIOMETRICS (ICB, 4 June 2013 (2013-06-04), pages 1 - 8, XP032491265 * |
See also references of EP3622429A4 * |
VIGILA SOOSAI ANTONY MARIA CELESTIN ET AL.: "Biometric security system over finite field for mobile applications", IET INFORMATION SECU, 1 March 2015 (2015-03-01), pages 119 - 126, XP006051531 * |
YAN SUI ET AL.: "Biometrics-Based Authentication: A New Approach", COMPUTER COMMUNICATIONS AND NETWORKS (ICCCN), 2011 PROCEEDINGS OF 20TH INTERNATIONAL CONFERENCE ON, 31 July 2011 (2011-07-31), pages 1 - 6, XP032049082 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3767917A1 (en) * | 2019-07-18 | 2021-01-20 | In-Idt | System for identifying an individual |
FR3098948A1 (en) * | 2019-07-18 | 2021-01-22 | In-Idt | Identification system for an individual. |
CN112654039A (en) * | 2019-09-25 | 2021-04-13 | 北京紫光青藤微系统有限公司 | Terminal validity identification method, device and system |
CN112654039B (en) * | 2019-09-25 | 2024-03-01 | 紫光同芯微电子有限公司 | Terminal validity identification method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN109791583A (en) | 2019-05-21 |
EP3622429B1 (en) | 2022-10-12 |
EP3622429A4 (en) | 2020-03-25 |
CN109791583B (en) | 2023-04-14 |
US11115215B2 (en) | 2021-09-07 |
EP3622429A1 (en) | 2020-03-18 |
US20210152360A1 (en) | 2021-05-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18839117; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2018839117; Country of ref document: EP; Effective date: 20191209 |
| NENP | Non-entry into the national phase | Ref country code: DE |