WO2019161887A1 - Secure enrolment of biometric data - Google Patents

Secure enrolment of biometric data Download PDF

Info

Publication number
WO2019161887A1
WO2019161887A1 PCT/EP2018/054189 EP2018054189W WO2019161887A1 WO 2019161887 A1 WO2019161887 A1 WO 2019161887A1 EP 2018054189 W EP2018054189 W EP 2018054189W WO 2019161887 A1 WO2019161887 A1 WO 2019161887A1
Authority
WO
WIPO (PCT)
Prior art keywords
biometric
secure
biometric data
enrolment
processing unit
Prior art date
Application number
PCT/EP2018/054189
Other languages
French (fr)
Inventor
Jose Ignacio Wintergerst LAVIN
Kim Kristian Humborstad
Jørgen FRANDSEN
Peter Robert LOWE
Original Assignee
Zwipe As
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zwipe As filed Critical Zwipe As
Priority to PCT/EP2018/054189 priority Critical patent/WO2019161887A1/en
Publication of WO2019161887A1 publication Critical patent/WO2019161887A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/20Individual registration on entry or exit involving the use of a pass
    • G07C9/22Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/20Individual registration on entry or exit involving the use of a pass
    • G07C9/22Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/26Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition using a biometric sensor integrated in the pass
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/0716Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips at least one of the integrated circuit chips comprising a sensor or an interface to a sensor
    • G06K19/0718Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips at least one of the integrated circuit chips comprising a sensor or an interface to a sensor the sensor being of the biometric kind, e.g. fingerprint sensors
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C2209/00Indexing scheme relating to groups G07C9/00 - G07C9/38
    • G07C2209/02Access control comprising means for the enrolment of users
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C2209/00Indexing scheme relating to groups G07C9/00 - G07C9/38
    • G07C2209/40Indexing scheme relating to groups G07C9/20 - G07C9/29
    • G07C2209/41Indexing scheme relating to groups G07C9/20 - G07C9/29 with means for the generation of identity documents

Definitions

  • the present invention relates to security of biometric data during the enrolment process.
  • Biometrically authorised devices such as fingerprint authorised smartcards are becoming increasingly more widely used.
  • Smartcards for which biometric authorisation has been proposed include, for example, access cards, credit cards, debit cards, pre-pay cards, loyalty cards, identity cards, and so on.
  • Smartcards are electronic cards with the ability to store data and to interact with the user and/or with outside devices, for example via contactless technologies such as RFID and
  • NFC NFC. These cards can interact with sensors to communicate information in order to enable access, to authorise transactions and so on.
  • Other devices are also known that make use of biometric authorisation such as fingerprint authorisation, and these include computer memory devices, building access control devices, military technologies, vehicles and so on.
  • biometric data is stored on a physical device, such as a smartcard
  • a physical device such as a smartcard
  • biometric data such as a biometric image or a biometric template reduced from the biometric image
  • biometrically authorised smartcards include an on-board biometric sensor. Whilst there are benefits to the use of self-enrolment, i.e. where the fingerprint is enrolled onto the device using an on-board fingerprint sensor, this also imposes additional constraints on the biometrically authorised device, since the on- board sensor must additionally be capable of enrolling new biometric data if the device is to operate in such a fashion. This can require, for example, a sensor with better resolution or larger size, and/or greater level of electrical power might be needed.
  • FIG. 1 shows a prior art technique for how user may be enrolled onto a biometric smartcard 105 using a separate enrolment biometric sensor. Fingerprint biometrics are described by way of example, but other biometrics, such as a voice signature, could be stored in the same manner.
  • a fingerprint enrolment module 101 containing a fingerprint sensor at least as high quality as that used on the smartcard 105 is used to capture the user’s fingerprint.
  • the fingerprint enrolment module 101 is deployed at a location where the user is to be enrolled and is contained in an enrolment management device 102.
  • the purpose of the enrolment management device 102 is to manage the enrolment. It may be one of many functions provided by the enrolment device 102 which may have many other functions in the banking scenario, such as providing ATM services.
  • the enrolment management device 102 is able to guide the enrollee through the process of enrolment by giving instructions on an LCD screen or similar. These instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.
  • the output from the fingerprint scanner of the enrolment module 101 is processed through the enrolment device 102 and control logic 103 that is connected to the enrolment device 102.
  • the fingerprint image is constructed into a form that can be written directly to the memory 104 of the card 105. Often a copy of the biometric data is also stored on a server 106 controlled by the bank.
  • the card 105 may be physically located within the body of the enrolment device 102 or may be located externally and connected through appropriate physical or wireless connections.
  • the smartcard 105 may authorise transactions or similar by comparing the enrolled template to a fingerprint scanned by an on-board fingerprint sensor 107.
  • the biometric image is stored in the memory of the enrolment management system 102 in the clear and so is available to anyone who has access to the memory of the enrolment management system 102.
  • the enrolment management system 102 will typically be part of a computer at a banking office. It will very likely consist of a networked PC attached through a USB cable to the enrolment module 101. Since the system is simple, there are multiple points of entry where an unauthorised person might attempt to intercept and capture the fingerprint image. Furthermore, storing a central database 106 of biometric data can present a desirable target for hackers or the like.
  • the present invention provides a method of preparing biometric data for enrolment of a user onto of issuing a biometric authentication device to a user, the biometric authentication device comprising an on-board biometric sensor and a secure processing environment, the method comprising: reading a biometric identifier of the user using a biometric sensor of an enrolment processing unit, the enrolment processing unit having a secure processing environment and being separate from the biometric authentication device; extracting biometric data corresponding to the biometric identifier, the extracting being performed in the secure processing environment of the enrolment processing unit; converting encrypting the biometric data to produce secure biometric data, the encrypting being performed within the secure processing environment of the enrolment processing unit; and transmitting the secure biometric data from the enrolment processing unit to a device provider that issues biometric authentication devices; loading the biometric data onto the biometric authentication device by the device provider; and issuing the biometric authentication device to the user after loading of the secure biometric data on the biometric device.
  • the described enrolment processing unit removes the need for the raw biometric data to be transmitted to or through an enrolment management system, such as a computing terminal or the like. Instead, the biometric data is received directly at the enrolment processing unit, where it processed within the secure environment. This restricts the number of access points where an unauthorised person might intercept the data.
  • the described arrangement now provides only a single easy-to-access point to intercept the biometric data, i.e. during transmission from the enrolment processing unit to the biometric device. However, any biometric data intercepted at this point will have been converted to secure biometric data and so cannot be easily utilised. Thus, the described enrolment processing unit makes it much more difficult for the user’s data to be stolen.
  • secure processing environment will be understood to refer to a tamper-resistant hardware platform capable of securely hosting applications and their confidential and cryptographic data.
  • a secure processing environment will typically comprise at least a secure processor and a secure memory.
  • the processor and memory may be provided as a single integrated circuit.
  • a common example of a secure processing environment is the secure element used in a payment card.
  • the term“secure biometric data” refers to biometric data that has been modified in a manner that prevents an unauthorised person from being able to retrieve the original biometric data.
  • the modification may comprise encryption or other reversible processes for obfuscating the data.
  • the card preferably comprises means to reverse the process, for example having a pre- stored key or using a public key, or having a pre-stored algorithm to descramble the data.
  • the modification may be irreversible, for examine it may comprise hashing or the like.
  • the biometric data may be encrypted with a key associated with the biometric authentication device.
  • the key may be a public encryption key.
  • the biometric authentication device may be capable of decrypting the secure biometric data.
  • the biometric authentication device may comprise a private decryption key, which may correspond to the public encryption key.
  • the biometric data may be loaded onto the biometric authentication device by loading the secure biometric data directly onto the biometric authentication device, i.e. without decryption.
  • the biometric data comprises a biometric template.
  • a biometric template is a collection of features extracting from a biometric image and defining the biometric identifier.
  • the template may comprise data defining a plurality of minutiae detected in the fingerprint image.
  • the template may define the relative positions of the minutiae, for example.
  • the template may define non-minutiae features of the fingerprint.
  • the software for performing template extraction may be highly confidential and thus storing it only within a secure environment will prevent an unauthorised person from stealing the algorithms used.
  • the enrolment processing unit may be configured to connect to a computing device. In some embodiments, the enrolment processing unit may be configured to draw power from the computing device. In some embodiments, the enrolment processing unit may be configured to receive commands from the computing device.
  • the enrolment processing unit may provide an output to the computing device, for example for display on a screen of the computing device.
  • the enrolment processing unit may comprise a display interface and may be configured to provide an output to the user via the display interface.
  • the display may comprise an LCD display or the like.
  • the output may comprise instructions for a user of the enrolment processing unit and/or an indication of the status of the enrolment processing unit and/or a biometric device communicating with the enrolment processing unit.
  • the enrolment processing unit is preferably configured not to transmit the (raw) biometric image and/or the (raw) biometric data to any device external to the enrolment processing unit. That is to say, the user’s biometric data never leaves the enrolment processing unit, except in a secure form.
  • the biometric identifier is preferably a fingerprint biometric.
  • the biometric data may be a fingerprint template, which may comprise data representing a plurality of minutiae.
  • the application may be configured to process a fingerprint image scanned by the biometric sensor so as to identify the plurality of minutiae and generate the biometric template. As noted above, the algorithms used to perform this type of processing are often carefully guarded.
  • the method may comprise transmitting the secure biometric data to a remote location, for example to a device provider at a remote location, e.g. not on the same site as the enrolment processing unit.
  • the device provider may be at least 1 km away from the enrolment processing unit and may be at least 10km away.
  • the method may comprise reverting the secure biometric data to biometric data within a secure processing environment on the biometric device.
  • the biometric data and/or the secure biometric data may be stored within a secure memory on the biometric device.
  • the method does not include the step of reverting the secure biometric data to biometric data outside of a secure processing environment, e.g. when not in the processing environment of the enrolment processing unit or of the biometric device.
  • the method may further comprise providing the biometric device to the user after storage of the secure biometric data. That is to say, an enrolled biometric device is provided to the user.
  • the providing may comprise sending the enrolled biometric device to the user, e.g. by mail, courier or the like.
  • the biometric identifier is preferably a fingerprint biometric.
  • the biometric data may be a fingerprint template, which may comprise data representing a plurality of minutiae.
  • the application may be configured to process a fingerprint image scanned by the biometric sensor so as to identify the plurality of minutiae and generate the biometric template. As noted above, the algorithms used to perform this type of processing are often carefully guarded.
  • the biometric device is preferably a device configured to perform an action responsive to authentication of the bearer of the device by comparison of stored biometric data with a biometric identifier of the bearer.
  • the biometric device may comprise an on-board biometric sensor, such as a fingerprint sensor, for reading the biometric identifier of the bearer.
  • the biometric device may be any one of the following: an access card, a credit card, a debit card, a pre-pay card, a loyalty card, an identity card, or the like.
  • the biometric device may be a smartcard.
  • the smartcard preferably has a width of between 85.47 mm and 85.72 mm, and a height of between 53.92 mm and 54.03 mm.
  • the smartcard may have a thickness less than 0.84 mm, and preferably of about 0.76 mm (e.g. ⁇ 0.08 mm). More generally, the smartcard may comply with ISO 7816, which is the specification for a smartcard.
  • Figure 1 illustrates a prior art arrangement for enrolling a user onto a biometric smartcard
  • Figure 2 illustrates an arrangement for enrolling a user onto a biometric smartcard in accordance with an embodiment of the present invention
  • Figure 3 illustrates a method of enrolling a user onto a biometric smartcard in accordance with another embodiment of the invention.
  • the insecure computer 202 does not perform any of the algorithm calculations for the enrolment. Instead, a biometric processing unit 203 comprising a secure microprocessor is provided between the computer 202 and the card 105. This secure microprocessor is as difficult to hack as the secure element of the smartcard 105 itself.
  • the smartcard 105 is connected to this unit 203 by direct smartcard communication, such as a connection through NFC in the case of a contactless card 105.
  • the biometric processing unit 203 comprises a fingerprint sensor 201 , which is at least as high quality as that used on the smartcard 105 to capture the user’s fingerprint.
  • the biometric processing unit 203 will guide the enrollee through the process of enrolment by sending instructions to the computing device 202 for display on an LCD screen or similar.
  • the instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.
  • the output from the fingerprint scanner 201 of the biometric processing unit 203 is processed by the secure microprocessor of the biometric processing unit 203 and a fingerprint template is constructed that can directly be written to the memory 104 of the card 105.
  • the biometric processing unit 203 contains a means to control the data that is sent from the fingerprint sensor 201 to the card 105. It may operate in one of several ways, which will be described in more detail below.
  • the image or template is encrypted in the biometric processing unit 203 according to one of several algorithms and sent to the card 105 in packets. These packets are controlled in terms of when they are sent and arrive at the card memory such that only one packet is in transit at a time. Once the card memory 104 receives a packet it tells the biometric processing unit 203 to send the next packet. Thus, two or more packets are never in transit at a given time. In this way a person attempting to retrieve the image from the system can only find a complete image within the memory 104 of the smartcard 105 or the biometric processing unit 203, which are both secure. ln one implementation, each blank card 105 may be manufactured with a private decryption key that only resides in the card 105 itself.
  • the private decryption key is preferably unique to the smartcard 105.
  • a public key may be made available to the biometric processing unit 203, for example it may include a database of public keys or it may be able to query a central database of public keys.
  • the biometric data may only be decrypted using the private key on the smartcard 105, i.e. once it is again stored in a secure memory. The unencrypted biometric data is thus never stored in an accessible memory.
  • the smartcard 105 may perform an action, such as to authorise a transaction or similar, responsive to verification of the identity of the card bearer. This may be done by comparing the enrolled fingerprint template to a fingerprint scanned by an on-board fingerprint sensor 107.
  • Figure 3 illustrates a further embodiment, which may employ a similar biometric processing unit 203 to that shown in Figure 2.
  • the encrypted biometric data is not transmitted directly to the smartcard 105 but is instead transmitted to a third party, such as a card provider for installation onto a smartcard 105.
  • a third party such as a card provider for installation onto a smartcard 105.
  • step 301 the user first scans their fingerprint using the fingerprint sensor 201 of the biometric processing unit 203.
  • the biometric processing unit 203 extracts a fingerprint template from the scanned fingerprint image captured by the fingerprint sensor 201.
  • Step 302 is optional, and in some implementations the biometric data transmitted may be the biometric image itself or some other derived biometric
  • the biometric data to be stored on the smartcard 105 is encrypted. This may include identifying one or more encryption properties associated with the user and/or their smartcard 105 and encrypting the biometric data in accordance with those properties. For example, the properties may include a type of encryption to use and an encryption key to use.
  • the encrypted biometric data is transmitted from the biometric processing unit 203 to a card provider, or the like. In some embodiments, this may simply be transmission to the computer 202. In other embodiments, the card provider may be located remotely to the biometric processing unit, e.g. a central card production facility for cards used in banking. The biometric data has already been encrypted at this stage and so cannot be used by any third party who intercepts it.
  • the card provider cannot access the data, reducing the risk that the biometric data and decryption information could be stolen should the card provider be subject to a security breach. For example, even if the card provider stores a centralised database of the encrypted biometric data, it cannot be accessed if the database security is compromised as the decryption keys are only stored on the individual cards.
  • the card provider places the (still encrypted) biometric data onto the smartcard.
  • the smartcard 105 contains the necessary decryption algorithm and private key to decrypt the data, which were preferably pre-stored on the device at the time of manufacture.
  • the smartcard 105 is provided to the user. This may be via mail in the case of a remote card provided, or may simply comprise giving the smartcard 105 directly to the user in other situations where the card provider is local to the biometric processing unit 203.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Collating Specific Patterns (AREA)
  • Image Input (AREA)

Abstract

To provide improved security during enrolment of a user onto a biometric smartcard 105, a secure enrolment processing unit 203 is used to ensure that the biometric data cannot be easily intercepted. A method of enrolling of the user onto the biometric smartcard 105 comprises reading a fingerprint of the user using a fingerprint sensor 201 on the enrolment processing unit 203, extracting biometric data corresponding to the fingerprint, the extraction being performed in a secure processing environment of the enrolment processing unit 203, converting the biometric data to secure biometric data within the secure processing environment, and then transmitting the secure biometric data from the enrolment processing unit to the smartcard 105. The user's biometric data is thus only transmitted in a secure format.

Description

SECURE ENROLMENT OF BIOMETRIC DATA
The present invention relates to security of biometric data during the enrolment process.
Biometrically authorised devices such as fingerprint authorised smartcards are becoming increasingly more widely used. Smartcards for which biometric authorisation has been proposed include, for example, access cards, credit cards, debit cards, pre-pay cards, loyalty cards, identity cards, and so on. Smartcards are electronic cards with the ability to store data and to interact with the user and/or with outside devices, for example via contactless technologies such as RFID and
NFC. These cards can interact with sensors to communicate information in order to enable access, to authorise transactions and so on. Other devices are also known that make use of biometric authorisation such as fingerprint authorisation, and these include computer memory devices, building access control devices, military technologies, vehicles and so on.
In a system where biometric data is stored on a physical device, such as a smartcard, it is necessary to enrol the user of the device in a secure manner. That is to say, the user’s biometric identifier must be scanned and biometric data, such as a biometric image or a biometric template reduced from the biometric image, stored on the device. It is desirable to accomplish this without compromising the privacy of the user.
Some biometrically authorised smartcards include an on-board biometric sensor. Whilst there are benefits to the use of self-enrolment, i.e. where the fingerprint is enrolled onto the device using an on-board fingerprint sensor, this also imposes additional constraints on the biometrically authorised device, since the on- board sensor must additionally be capable of enrolling new biometric data if the device is to operate in such a fashion. This can require, for example, a sensor with better resolution or larger size, and/or greater level of electrical power might be needed. For example, in the case of a fingerprint as the biometric data it is common to permit identification of a user based on a partial fingerprint, whereas enrolment typically requires a full fingerprint and repeated scans of the fingerprint in order to create a full fingerprint 'template' for later authentication of the user's identity. Thus, it is not always ideal to use the same sensor for enrolment as for authorisation. Figure 1 shows a prior art technique for how user may be enrolled onto a biometric smartcard 105 using a separate enrolment biometric sensor. Fingerprint biometrics are described by way of example, but other biometrics, such as a voice signature, could be stored in the same manner.
A fingerprint enrolment module 101 containing a fingerprint sensor at least as high quality as that used on the smartcard 105 is used to capture the user’s fingerprint. The fingerprint enrolment module 101 is deployed at a location where the user is to be enrolled and is contained in an enrolment management device 102. The purpose of the enrolment management device 102 is to manage the enrolment. It may be one of many functions provided by the enrolment device 102 which may have many other functions in the banking scenario, such as providing ATM services.
The enrolment management device 102 is able to guide the enrollee through the process of enrolment by giving instructions on an LCD screen or similar. These instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.
The output from the fingerprint scanner of the enrolment module 101 is processed through the enrolment device 102 and control logic 103 that is connected to the enrolment device 102. In a normal or conventional embodiment of the enrolment management device 102, the fingerprint image is constructed into a form that can be written directly to the memory 104 of the card 105. Often a copy of the biometric data is also stored on a server 106 controlled by the bank.
The card 105 may be physically located within the body of the enrolment device 102 or may be located externally and connected through appropriate physical or wireless connections.
Once enrolled, the smartcard 105 may authorise transactions or similar by comparing the enrolled template to a fingerprint scanned by an on-board fingerprint sensor 107.
A problem arises with such a system because it is strongly desirable, and indeed a requirement in some countries, that a biometric image or a depiction thereof, such as a list of minutiae, not be kept in a publically accessible location.
Once the biometric data is stored on the biometric device, it is very difficult for it to be accessed by an unauthorised person because it is stored within a secure memory and only processed within a secure processor. However, in the method depicted in Figure 1 , the biometric image is stored in the memory of the enrolment management system 102 in the clear and so is available to anyone who has access to the memory of the enrolment management system 102. The enrolment management system 102 will typically be part of a computer at a banking office. It will very likely consist of a networked PC attached through a USB cable to the enrolment module 101. Since the system is simple, there are multiple points of entry where an unauthorised person might attempt to intercept and capture the fingerprint image. Furthermore, storing a central database 106 of biometric data can present a desirable target for hackers or the like.
An additional problem with the method shown in Figure 1 is that the computer program that processes the fingerprint image, e.g. to extract the fingerprint template, is processed within the computer 102. The algorithms used to perform this process are often highly proprietary and there is a desire that these should be protected against reverse engineering.
The present invention provides a method of preparing biometric data for enrolment of a user onto of issuing a biometric authentication device to a user, the biometric authentication device comprising an on-board biometric sensor and a secure processing environment, the method comprising: reading a biometric identifier of the user using a biometric sensor of an enrolment processing unit, the enrolment processing unit having a secure processing environment and being separate from the biometric authentication device; extracting biometric data corresponding to the biometric identifier, the extracting being performed in the secure processing environment of the enrolment processing unit; converting encrypting the biometric data to produce secure biometric data, the encrypting being performed within the secure processing environment of the enrolment processing unit; and transmitting the secure biometric data from the enrolment processing unit to a device provider that issues biometric authentication devices; loading the biometric data onto the biometric authentication device by the device provider; and issuing the biometric authentication device to the user after loading of the secure biometric data on the biometric device.
The described enrolment processing unit removes the need for the raw biometric data to be transmitted to or through an enrolment management system, such as a computing terminal or the like. Instead, the biometric data is received directly at the enrolment processing unit, where it processed within the secure environment. This restricts the number of access points where an unauthorised person might intercept the data. The described arrangement now provides only a single easy-to-access point to intercept the biometric data, i.e. during transmission from the enrolment processing unit to the biometric device. However, any biometric data intercepted at this point will have been converted to secure biometric data and so cannot be easily utilised. Thus, the described enrolment processing unit makes it much more difficult for the user’s data to be stolen.
As used herein, the term“secure processing environment” will be understood to refer to a tamper-resistant hardware platform capable of securely hosting applications and their confidential and cryptographic data. A secure processing environment will typically comprise at least a secure processor and a secure memory. The processor and memory may be provided as a single integrated circuit. A common example of a secure processing environment is the secure element used in a payment card.
Furthermore, the term“secure biometric data” refers to biometric data that has been modified in a manner that prevents an unauthorised person from being able to retrieve the original biometric data. For example, the modification may comprise encryption or other reversible processes for obfuscating the data. The card preferably comprises means to reverse the process, for example having a pre- stored key or using a public key, or having a pre-stored algorithm to descramble the data. In other embodiments, the modification may be irreversible, for examine it may comprise hashing or the like.
In one embodiment, the biometric data may be encrypted with a key associated with the biometric authentication device. The key may be a public encryption key. The biometric authentication device may be capable of decrypting the secure biometric data. For example, the biometric authentication device may comprise a private decryption key, which may correspond to the public encryption key. The biometric data may be loaded onto the biometric authentication device by loading the secure biometric data directly onto the biometric authentication device, i.e. without decryption.
Preferably the biometric data comprises a biometric template. A biometric template is a collection of features extracting from a biometric image and defining the biometric identifier. For example, in the case of a fingerprint, the template may comprise data defining a plurality of minutiae detected in the fingerprint image. In other arrangements, the template may define the relative positions of the minutiae, for example. In yet further embodiments, the template may define non-minutiae features of the fingerprint. The software for performing template extraction may be highly confidential and thus storing it only within a secure environment will prevent an unauthorised person from stealing the algorithms used.
The enrolment processing unit may be configured to connect to a computing device. In some embodiments, the enrolment processing unit may be configured to draw power from the computing device. In some embodiments, the enrolment processing unit may be configured to receive commands from the computing device.
In some embodiments, the enrolment processing unit may provide an output to the computing device, for example for display on a screen of the computing device. In other embodiments, the enrolment processing unit may comprise a display interface and may be configured to provide an output to the user via the display interface. For example, the display may comprise an LCD display or the like.
The output may comprise instructions for a user of the enrolment processing unit and/or an indication of the status of the enrolment processing unit and/or a biometric device communicating with the enrolment processing unit.
The enrolment processing unit is preferably configured not to transmit the (raw) biometric image and/or the (raw) biometric data to any device external to the enrolment processing unit. That is to say, the user’s biometric data never leaves the enrolment processing unit, except in a secure form.
The biometric identifier is preferably a fingerprint biometric. The biometric data may be a fingerprint template, which may comprise data representing a plurality of minutiae. The application may be configured to process a fingerprint image scanned by the biometric sensor so as to identify the plurality of minutiae and generate the biometric template. As noted above, the algorithms used to perform this type of processing are often carefully guarded.
The method may comprise transmitting the secure biometric data to a remote location, for example to a device provider at a remote location, e.g. not on the same site as the enrolment processing unit. For example, the device provider may be at least 1 km away from the enrolment processing unit and may be at least 10km away.
The method may comprise reverting the secure biometric data to biometric data within a secure processing environment on the biometric device. The biometric data and/or the secure biometric data may be stored within a secure memory on the biometric device.
Preferably the method does not include the step of reverting the secure biometric data to biometric data outside of a secure processing environment, e.g. when not in the processing environment of the enrolment processing unit or of the biometric device.
The method may further comprise providing the biometric device to the user after storage of the secure biometric data. That is to say, an enrolled biometric device is provided to the user. The providing may comprise sending the enrolled biometric device to the user, e.g. by mail, courier or the like.
The biometric identifier is preferably a fingerprint biometric. The biometric data may be a fingerprint template, which may comprise data representing a plurality of minutiae. The application may be configured to process a fingerprint image scanned by the biometric sensor so as to identify the plurality of minutiae and generate the biometric template. As noted above, the algorithms used to perform this type of processing are often carefully guarded.
The biometric device is preferably a device configured to perform an action responsive to authentication of the bearer of the device by comparison of stored biometric data with a biometric identifier of the bearer. The biometric device may comprise an on-board biometric sensor, such as a fingerprint sensor, for reading the biometric identifier of the bearer.
The biometric device may be any one of the following: an access card, a credit card, a debit card, a pre-pay card, a loyalty card, an identity card, or the like. The biometric device may be a smartcard. The smartcard preferably has a width of between 85.47 mm and 85.72 mm, and a height of between 53.92 mm and 54.03 mm. The smartcard may have a thickness less than 0.84 mm, and preferably of about 0.76 mm (e.g. ± 0.08 mm). More generally, the smartcard may comply with ISO 7816, which is the specification for a smartcard.
Certain preferred embodiments of the present invention will now be described in greater detail, by way of example only and with reference to the following embodiments, in which:
Figure 1 illustrates a prior art arrangement for enrolling a user onto a biometric smartcard;
Figure 2 illustrates an arrangement for enrolling a user onto a biometric smartcard in accordance with an embodiment of the present invention; and Figure 3 illustrates a method of enrolling a user onto a biometric smartcard in accordance with another embodiment of the invention.
In accordance with an embodiment of the invention, as illustrated in Figure 2, the insecure computer 202 does not perform any of the algorithm calculations for the enrolment. Instead, a biometric processing unit 203 comprising a secure microprocessor is provided between the computer 202 and the card 105. This secure microprocessor is as difficult to hack as the secure element of the smartcard 105 itself.
In this embodiment, the smartcard 105 is connected to this unit 203 by direct smartcard communication, such as a connection through NFC in the case of a contactless card 105.
The biometric processing unit 203 comprises a fingerprint sensor 201 , which is at least as high quality as that used on the smartcard 105 to capture the user’s fingerprint. The biometric processing unit 203 will guide the enrollee through the process of enrolment by sending instructions to the computing device 202 for display on an LCD screen or similar. The instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.
The output from the fingerprint scanner 201 of the biometric processing unit 203 is processed by the secure microprocessor of the biometric processing unit 203 and a fingerprint template is constructed that can directly be written to the memory 104 of the card 105.
The biometric processing unit 203 contains a means to control the data that is sent from the fingerprint sensor 201 to the card 105. It may operate in one of several ways, which will be described in more detail below.
In one configuration, the image or template is encrypted in the biometric processing unit 203 according to one of several algorithms and sent to the card 105 in packets. These packets are controlled in terms of when they are sent and arrive at the card memory such that only one packet is in transit at a time. Once the card memory 104 receives a packet it tells the biometric processing unit 203 to send the next packet. Thus, two or more packets are never in transit at a given time. In this way a person attempting to retrieve the image from the system can only find a complete image within the memory 104 of the smartcard 105 or the biometric processing unit 203, which are both secure. ln one implementation, each blank card 105 may be manufactured with a private decryption key that only resides in the card 105 itself. The private decryption key is preferably unique to the smartcard 105. A public key may be made available to the biometric processing unit 203, for example it may include a database of public keys or it may be able to query a central database of public keys. Thus, once encrypted, the biometric data may only be decrypted using the private key on the smartcard 105, i.e. once it is again stored in a secure memory. The unencrypted biometric data is thus never stored in an accessible memory.
Ideally, no database or other records (outside of the smartcard 105 itself) would be kept of the private keys, thus ensuring that this data cannot be accessed by anyone with malicious intent.
Once the authorised user’s template has been enrolled, the smartcard 105 may perform an action, such as to authorise a transaction or similar, responsive to verification of the identity of the card bearer. This may be done by comparing the enrolled fingerprint template to a fingerprint scanned by an on-board fingerprint sensor 107.
Figure 3 illustrates a further embodiment, which may employ a similar biometric processing unit 203 to that shown in Figure 2.
In this method, the encrypted biometric data is not transmitted directly to the smartcard 105 but is instead transmitted to a third party, such as a card provider for installation onto a smartcard 105. This permits the user to be enrolled onto a new smartcard before it is sent to the user, which may be more secure because the card cannot be fraudulently used if it is intercepted before reaching the user.
In step 301 , the user first scans their fingerprint using the fingerprint sensor 201 of the biometric processing unit 203.
Next, in step 302, the biometric processing unit 203 extracts a fingerprint template from the scanned fingerprint image captured by the fingerprint sensor 201. Step 302 is optional, and in some implementations the biometric data transmitted may be the biometric image itself or some other derived biometric
In step 303, the biometric data to be stored on the smartcard 105 is encrypted. This may include identifying one or more encryption properties associated with the user and/or their smartcard 105 and encrypting the biometric data in accordance with those properties. For example, the properties may include a type of encryption to use and an encryption key to use. ln step 304, the encrypted biometric data is transmitted from the biometric processing unit 203 to a card provider, or the like. In some embodiments, this may simply be transmission to the computer 202. In other embodiments, the card provider may be located remotely to the biometric processing unit, e.g. a central card production facility for cards used in banking. The biometric data has already been encrypted at this stage and so cannot be used by any third party who intercepts it. Furthermore, even the card provider cannot access the data, reducing the risk that the biometric data and decryption information could be stolen should the card provider be subject to a security breach. For example, even if the card provider stores a centralised database of the encrypted biometric data, it cannot be accessed if the database security is compromised as the decryption keys are only stored on the individual cards.
Next, in step 305, the card provider places the (still encrypted) biometric data onto the smartcard. The smartcard 105 contains the necessary decryption algorithm and private key to decrypt the data, which were preferably pre-stored on the device at the time of manufacture.
Finally, in step 306, the smartcard 105 is provided to the user. This may be via mail in the case of a remote card provided, or may simply comprise giving the smartcard 105 directly to the user in other situations where the card provider is local to the biometric processing unit 203.

Claims

CLAIMS:
1. A method of issuing a biometric authentication device to a user, the biometric authentication device comprising an on-board biometric sensor and a secure processing environment, the method comprising:
reading a biometric identifier of the user using a biometric sensor of an enrolment processing unit, the enrolment processing unit having a secure processing environment and being separate from the biometric authentication device;
extracting biometric data corresponding to the biometric identifier, the extracting being performed in the secure processing environment of the enrolment processing unit;
encrypting the biometric data to produce secure biometric data, the encrypting being performed within the secure processing environment of the enrolment processing unit;
transmitting the secure biometric data from the enrolment processing unit to a device provider that issues biometric authentication devices;
loading the biometric data onto the biometric authentication device by the device provider; and
issuing the biometric authentication device to the user after loading of the biometric data on the biometric device.
2. A method according to claim 1 , wherein the biometric data is encrypted with a key associated with the biometric authentication device, wherein the biometric data is loaded onto the biometric authentication device by loading the secure biometric data directly onto the biometric authentication device, and wherein the biometric authentication device is capable of decrypting the secure biometric data.
3. A method according to claim 1 or 2, wherein the device provider is remote from the enrolment processing unit.
4. A method according to claim 1 , 2 or 3, wherein the biometric data comprises a biometric template.
5. A method according to any preceding claim, wherein the biometric data never leaves the enrolment processing unit except in the form of secure biometric device.
6. A method according to any preceding claim, comprising reverting the secure biometric data to biometric data within the secure processing environment of the biometric device.
7. A method according to any preceding claim, wherein the biometric device is a device configured to perform an action responsive to authentication of the bearer of the device by comparison of stored biometric data with a biometric identifier of the bearer.
8. A method according to any preceding claim, wherein the biometric device is one of an access token, an identity token, a credit card, a debit card, a pre-pay card, a loyalty card
9. A method according to any preceding claim, wherein the biometric identifier is a fingerprint biometric.
PCT/EP2018/054189 2018-02-20 2018-02-20 Secure enrolment of biometric data WO2019161887A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/054189 WO2019161887A1 (en) 2018-02-20 2018-02-20 Secure enrolment of biometric data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/054189 WO2019161887A1 (en) 2018-02-20 2018-02-20 Secure enrolment of biometric data

Publications (1)

Publication Number Publication Date
WO2019161887A1 true WO2019161887A1 (en) 2019-08-29

Family

ID=61274248

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/054189 WO2019161887A1 (en) 2018-02-20 2018-02-20 Secure enrolment of biometric data

Country Status (1)

Country Link
WO (1) WO2019161887A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3929779A1 (en) * 2020-06-22 2021-12-29 Samsung Electronics Co., Ltd. Biometric authentication smart cards

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100117794A1 (en) * 2003-06-16 2010-05-13 William Mark Adams Method and system for creating and operating biometrically enabled multi-purpose credential management devices
US8694793B2 (en) * 2007-12-11 2014-04-08 Visa U.S.A. Inc. Biometric access control transactions
EP3037998A1 (en) * 2014-12-23 2016-06-29 Intel Corporation Method and system for providing secure and standalone-operable biometric authentication
WO2017149022A1 (en) * 2016-03-03 2017-09-08 Zwipe As Attack resistant biometric authorised device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100117794A1 (en) * 2003-06-16 2010-05-13 William Mark Adams Method and system for creating and operating biometrically enabled multi-purpose credential management devices
US8694793B2 (en) * 2007-12-11 2014-04-08 Visa U.S.A. Inc. Biometric access control transactions
EP3037998A1 (en) * 2014-12-23 2016-06-29 Intel Corporation Method and system for providing secure and standalone-operable biometric authentication
WO2017149022A1 (en) * 2016-03-03 2017-09-08 Zwipe As Attack resistant biometric authorised device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3929779A1 (en) * 2020-06-22 2021-12-29 Samsung Electronics Co., Ltd. Biometric authentication smart cards
US12045329B2 (en) 2020-06-22 2024-07-23 Samsung Electronics Co., Ltd. Biometric authentication smart cards

Similar Documents

Publication Publication Date Title
US10681025B2 (en) Systems and methods for securely managing biometric data
US11664997B2 (en) Authentication in ubiquitous environment
US11803633B1 (en) Method and system for securing user access, data at rest and sensitive transactions using biometrics for mobile devices with protected, local templates
US8806616B2 (en) System, method, and apparatus for allowing a service provider system to authenticate that a credential is from a proximate device
US20140093144A1 (en) More-Secure Hardware Token
US20100258625A1 (en) Dynamic Card Verification Values and Credit Transactions
US20190019189A1 (en) Payment authentication
Thawre et al. Survey on security of biometric data using cryptography
GB2556625A (en) Secure enrolment of biometric data
WO2019161887A1 (en) Secure enrolment of biometric data
US20090037744A1 (en) Biometric pin block
Patil et al. Design and implementation of secure biometric based authentication system using rfid and secret sharing
JP6690686B2 (en) Account opening system, account opening method, and program
Chizari et al. Security issues in ATM smart card technology
TW201947454A (en) Secure enrolment of biometric data
US20070185994A1 (en) System and method for authentication permitting access control to electronic information and software applications between remotely accessed computer systems
Shin et al. Study of Cancelable Biometrics in Security Improvement of Biometric Authentication System
EP4246404A2 (en) System, user device and method for an electronic transaction
Jacobs et al. Biometrics and Smart Cards in Identity Management

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18707002

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18707002

Country of ref document: EP

Kind code of ref document: A1