Title:
SECURE ENROLMENT OF BIOMETRIC DATA
Document Type and Number:
WIPO Patent Application WO/2019/161887
Kind Code:
A1
Abstract:
To provide improved security during enrolment of a user onto a biometric smartcard 105, a secure enrolment processing unit 203 is used to ensure that the biometric data cannot be easily intercepted. A method of enrolling of the user onto the biometric smartcard 105 comprises reading a fingerprint of the user using a fingerprint sensor 201 on the enrolment processing unit 203, extracting biometric data corresponding to the fingerprint, the extraction being performed in a secure processing environment of the enrolment processing unit 203, converting the biometric data to secure biometric data within the secure processing environment, and then transmitting the secure biometric data from the enrolment processing unit to the smartcard 105. The user's biometric data is thus only transmitted in a secure format.

Inventors:
LAVIN, Jose Ignacio Wintergerst (1206 Hermosa Way, Colorado Springs, Colorado, 80905, US)
HUMBORSTAD, Kim Kristian (Rubina Ranas Gate 9, 0190 Oslo, 0190, NO)
FRANDSEN, Jørgen (9698 Yukon Ct, Broomfield, Colorado, 80021, US)
LOWE, Peter Robert (16380 Falcon Highway, Peyton, Colorado, 80831, US)
Application Number:
EP2018/054189
Publication Date:
August 29, 2019
Filing Date:
February 20, 2018
Assignee:
ZWIPE AS (Rådhusgata 24, 0151 Oslo, 0151, NO)
International Classes:
G07C9/00; G06F21/32; G06K19/07; G06Q20/40; H04L9/08
Domestic Patent References:
WO2017149022A1 (2017-09-08)
Foreign References:
EP3037998A1 (2016-06-29)
US8694793B2 (2014-04-08)
US20100117794A1 (2010-05-13)
Other References:
None
Attorney, Agent or Firm:
LEES, Gregory (Dehns, St. Bride's House, 10 Salisbury Square, London EC4Y 8JD, GB)
Claims:
CLAIMS:

1. A method of issuing a biometric authentication device to a user, the biometric authentication device comprising an on-board biometric sensor and a secure processing environment, the method comprising:

reading a biometric identifier of the user using a biometric sensor of an enrolment processing unit, the enrolment processing unit having a secure processing environment and being separate from the biometric authentication device;

extracting biometric data corresponding to the biometric identifier, the extracting being performed in the secure processing environment of the enrolment processing unit;

encrypting the biometric data to produce secure biometric data, the encrypting being performed within the secure processing environment of the enrolment processing unit;

transmitting the secure biometric data from the enrolment processing unit to a device provider that issues biometric authentication devices;

loading the biometric data onto the biometric authentication device by the device provider; and

issuing the biometric authentication device to the user after loading of the biometric data on the biometric device.

2. A method according to claim 1, wherein the biometric data is encrypted with a key associated with the biometric authentication device, wherein the biometric data is loaded onto the biometric authentication device by loading the secure biometric data directly onto the biometric authentication device, and wherein the biometric authentication device is capable of decrypting the secure biometric data.

3. A method according to claim 1 or 2, wherein the device provider is remote from the enrolment processing unit.

4. A method according to claim 1, 2 or 3, wherein the biometric data comprises a biometric template.

5. A method according to any preceding claim, wherein the biometric data never leaves the enrolment processing unit except in the form of secure biometric data.

6. A method according to any preceding claim, comprising reverting the secure biometric data to biometric data within the secure processing environment of the biometric device.

7. A method according to any preceding claim, wherein the biometric device is a device configured to perform an action responsive to authentication of the bearer of the device by comparison of stored biometric data with a biometric identifier of the bearer.

8. A method according to any preceding claim, wherein the biometric device is one of an access token, an identity token, a credit card, a debit card, a pre-pay card, a loyalty card.

9. A method according to any preceding claim, wherein the biometric identifier is a fingerprint biometric.

Description:
SECURE ENROLMENT OF BIOMETRIC DATA

The present invention relates to security of biometric data during the enrolment process.

Biometrically authorised devices such as fingerprint authorised smartcards are becoming increasingly more widely used. Smartcards for which biometric authorisation has been proposed include, for example, access cards, credit cards, debit cards, pre-pay cards, loyalty cards, identity cards, and so on. Smartcards are electronic cards with the ability to store data and to interact with the user and/or with outside devices, for example via contactless technologies such as RFID and NFC. These cards can interact with sensors to communicate information in order to enable access, to authorise transactions and so on. Other devices are also known that make use of biometric authorisation such as fingerprint authorisation, and these include computer memory devices, building access control devices, military technologies, vehicles and so on.

In a system where biometric data is stored on a physical device, such as a smartcard, it is necessary to enrol the user of the device in a secure manner. That is to say, the user’s biometric identifier must be scanned and biometric data, such as a biometric image or a biometric template reduced from the biometric image, stored on the device. It is desirable to accomplish this without compromising the privacy of the user.

Some biometrically authorised smartcards include an on-board biometric sensor. Whilst there are benefits to the use of self-enrolment, i.e. where the fingerprint is enrolled onto the device using an on-board fingerprint sensor, this also imposes additional constraints on the biometrically authorised device, since the on-board sensor must additionally be capable of enrolling new biometric data if the device is to operate in such a fashion. This can require, for example, a sensor with better resolution or larger size, and/or a greater level of electrical power might be needed. For example, in the case of a fingerprint as the biometric data it is common to permit identification of a user based on a partial fingerprint, whereas enrolment typically requires a full fingerprint and repeated scans of the fingerprint in order to create a full fingerprint 'template' for later authentication of the user's identity. Thus, it is not always ideal to use the same sensor for enrolment as for authorisation. Figure 1 shows a prior art technique for how a user may be enrolled onto a biometric smartcard 105 using a separate enrolment biometric sensor. Fingerprint biometrics are described by way of example, but other biometrics, such as a voice signature, could be stored in the same manner.

A fingerprint enrolment module 101 containing a fingerprint sensor at least as high quality as that used on the smartcard 105 is used to capture the user’s fingerprint. The fingerprint enrolment module 101 is deployed at a location where the user is to be enrolled and is contained in an enrolment management device 102. The purpose of the enrolment management device 102 is to manage the enrolment. It may be one of many functions provided by the enrolment device 102 which may have many other functions in the banking scenario, such as providing ATM services.

The enrolment management device 102 is able to guide the enrollee through the process of enrolment by giving instructions on an LCD screen or similar. These instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.

The output from the fingerprint scanner of the enrolment module 101 is processed through the enrolment device 102 and control logic 103 that is connected to the enrolment device 102. In a normal or conventional embodiment of the enrolment management device 102, the fingerprint image is constructed into a form that can be written directly to the memory 104 of the card 105. Often a copy of the biometric data is also stored on a server 106 controlled by the bank.

The card 105 may be physically located within the body of the enrolment device 102 or may be located externally and connected through appropriate physical or wireless connections.

Once enrolled, the smartcard 105 may authorise transactions or similar by comparing the enrolled template to a fingerprint scanned by an on-board fingerprint sensor 107.

A problem arises with such a system because it is strongly desirable, and indeed a requirement in some countries, that a biometric image or a depiction thereof, such as a list of minutiae, not be kept in a publicly accessible location.

Once the biometric data is stored on the biometric device, it is very difficult for it to be accessed by an unauthorised person because it is stored within a secure memory and only processed within a secure processor. However, in the method depicted in Figure 1, the biometric image is stored in the memory of the enrolment management system 102 in the clear and so is available to anyone who has access to the memory of the enrolment management system 102. The enrolment management system 102 will typically be part of a computer at a banking office. It will very likely consist of a networked PC attached through a USB cable to the enrolment module 101. Since the system is simple, there are multiple points of entry where an unauthorised person might attempt to intercept and capture the fingerprint image. Furthermore, storing a central database 106 of biometric data can present a desirable target for hackers or the like.

An additional problem with the method shown in Figure 1 is that the computer program that processes the fingerprint image, e.g. to extract the fingerprint template, is processed within the computer 102. The algorithms used to perform this process are often highly proprietary and there is a desire that these should be protected against reverse engineering.

The present invention provides a method of issuing a biometric authentication device to a user, the biometric authentication device comprising an on-board biometric sensor and a secure processing environment, the method comprising: reading a biometric identifier of the user using a biometric sensor of an enrolment processing unit, the enrolment processing unit having a secure processing environment and being separate from the biometric authentication device; extracting biometric data corresponding to the biometric identifier, the extracting being performed in the secure processing environment of the enrolment processing unit; encrypting the biometric data to produce secure biometric data, the encrypting being performed within the secure processing environment of the enrolment processing unit; transmitting the secure biometric data from the enrolment processing unit to a device provider that issues biometric authentication devices; loading the biometric data onto the biometric authentication device by the device provider; and issuing the biometric authentication device to the user after loading of the secure biometric data on the biometric device.

The described enrolment processing unit removes the need for the raw biometric data to be transmitted to or through an enrolment management system, such as a computing terminal or the like. Instead, the biometric data is received directly at the enrolment processing unit, where it is processed within the secure environment. This restricts the number of access points where an unauthorised person might intercept the data. The described arrangement now provides only a single easy-to-access point at which to intercept the biometric data, i.e. during transmission from the enrolment processing unit to the biometric device. However, any biometric data intercepted at this point will have been converted to secure biometric data and so cannot be easily utilised. Thus, the described enrolment processing unit makes it much more difficult for the user's data to be stolen.

As used herein, the term "secure processing environment" will be understood to refer to a tamper-resistant hardware platform capable of securely hosting applications and their confidential and cryptographic data. A secure processing environment will typically comprise at least a secure processor and a secure memory. The processor and memory may be provided as a single integrated circuit. A common example of a secure processing environment is the secure element used in a payment card.

Furthermore, the term "secure biometric data" refers to biometric data that has been modified in a manner that prevents an unauthorised person from being able to retrieve the original biometric data. For example, the modification may comprise encryption or other reversible processes for obfuscating the data. The card preferably comprises means to reverse the process, for example having a pre-stored key or using a public key, or having a pre-stored algorithm to descramble the data. In other embodiments, the modification may be irreversible, for example it may comprise hashing or the like.

In one embodiment, the biometric data may be encrypted with a key associated with the biometric authentication device. The key may be a public encryption key. The biometric authentication device may be capable of decrypting the secure biometric data. For example, the biometric authentication device may comprise a private decryption key, which may correspond to the public encryption key. The biometric data may be loaded onto the biometric authentication device by loading the secure biometric data directly onto the biometric authentication device, i.e. without decryption.

Preferably the biometric data comprises a biometric template. A biometric template is a collection of features extracted from a biometric image and defining the biometric identifier. For example, in the case of a fingerprint, the template may comprise data defining a plurality of minutiae detected in the fingerprint image. In other arrangements, the template may define the relative positions of the minutiae, for example. In yet further embodiments, the template may define non-minutiae features of the fingerprint. The software for performing template extraction may be highly confidential and thus storing it only within a secure environment will prevent an unauthorised person from stealing the algorithms used.

The enrolment processing unit may be configured to connect to a computing device. In some embodiments, the enrolment processing unit may be configured to draw power from the computing device. In some embodiments, the enrolment processing unit may be configured to receive commands from the computing device.

In some embodiments, the enrolment processing unit may provide an output to the computing device, for example for display on a screen of the computing device. In other embodiments, the enrolment processing unit may comprise a display interface and may be configured to provide an output to the user via the display interface. For example, the display may comprise an LCD display or the like.

The output may comprise instructions for a user of the enrolment processing unit and/or an indication of the status of the enrolment processing unit and/or a biometric device communicating with the enrolment processing unit.

The enrolment processing unit is preferably configured not to transmit the (raw) biometric image and/or the (raw) biometric data to any device external to the enrolment processing unit. That is to say, the user’s biometric data never leaves the enrolment processing unit, except in a secure form.

The biometric identifier is preferably a fingerprint biometric. The biometric data may be a fingerprint template, which may comprise data representing a plurality of minutiae. The application may be configured to process a fingerprint image scanned by the biometric sensor so as to identify the plurality of minutiae and generate the biometric template. As noted above, the algorithms used to perform this type of processing are often carefully guarded.

The method may comprise transmitting the secure biometric data to a remote location, for example to a device provider at a remote location, e.g. not on the same site as the enrolment processing unit. For example, the device provider may be at least 1 km away from the enrolment processing unit and may be at least 10 km away.

The method may comprise reverting the secure biometric data to biometric data within a secure processing environment on the biometric device. The biometric data and/or the secure biometric data may be stored within a secure memory on the biometric device.

Preferably the method does not include the step of reverting the secure biometric data to biometric data outside of a secure processing environment, e.g. when not in the processing environment of the enrolment processing unit or of the biometric device.

The method may further comprise providing the biometric device to the user after storage of the secure biometric data. That is to say, an enrolled biometric device is provided to the user. The providing may comprise sending the enrolled biometric device to the user, e.g. by mail, courier or the like.

The biometric device is preferably a device configured to perform an action responsive to authentication of the bearer of the device by comparison of stored biometric data with a biometric identifier of the bearer. The biometric device may comprise an on-board biometric sensor, such as a fingerprint sensor, for reading the biometric identifier of the bearer.

The biometric device may be any one of the following: an access card, a credit card, a debit card, a pre-pay card, a loyalty card, an identity card, or the like. The biometric device may be a smartcard. The smartcard preferably has a width of between 85.47 mm and 85.72 mm, and a height of between 53.92 mm and 54.03 mm. The smartcard may have a thickness less than 0.84 mm, and preferably of about 0.76 mm (e.g. ± 0.08 mm). More generally, the smartcard may comply with ISO 7816, which is the specification for a smartcard.

Certain preferred embodiments of the present invention will now be described in greater detail, by way of example only and with reference to the following embodiments, in which:

Figure 1 illustrates a prior art arrangement for enrolling a user onto a biometric smartcard;

Figure 2 illustrates an arrangement for enrolling a user onto a biometric smartcard in accordance with an embodiment of the present invention; and

Figure 3 illustrates a method of enrolling a user onto a biometric smartcard in accordance with another embodiment of the invention.

In accordance with an embodiment of the invention, as illustrated in Figure 2, the insecure computer 202 does not perform any of the algorithm calculations for the enrolment. Instead, a biometric processing unit 203 comprising a secure microprocessor is provided between the computer 202 and the card 105. This secure microprocessor is as difficult to hack as the secure element of the smartcard 105 itself.

In this embodiment, the smartcard 105 is connected to this unit 203 by direct smartcard communication, such as a connection through NFC in the case of a contactless card 105.

The biometric processing unit 203 comprises a fingerprint sensor 201, which is at least as high quality as that used on the smartcard 105, to capture the user's fingerprint. The biometric processing unit 203 will guide the enrollee through the process of enrolment by sending instructions to the computing device 202 for display on an LCD screen or similar. The instructions may be: present finger normal, present finger left, present finger right, present finger up, present finger down, as well as press harder and enrolment complete.

The output from the fingerprint scanner 201 of the biometric processing unit 203 is processed by the secure microprocessor of the biometric processing unit 203 and a fingerprint template is constructed that can directly be written to the memory 104 of the card 105.

The biometric processing unit 203 contains a means to control the data that is sent from the fingerprint sensor 201 to the card 105. It may operate in one of several ways, which will be described in more detail below.

In one configuration, the image or template is encrypted in the biometric processing unit 203 according to one of several algorithms and sent to the card 105 in packets. These packets are controlled in terms of when they are sent and arrive at the card memory such that only one packet is in transit at a time. Once the card memory 104 receives a packet it tells the biometric processing unit 203 to send the next packet. Thus, two or more packets are never in transit at a given time. In this way a person attempting to retrieve the image from the system can only find a complete image within the memory 104 of the smartcard 105 or the biometric processing unit 203, which are both secure.

In one implementation, each blank card 105 may be manufactured with a private decryption key that only resides in the card 105 itself. The private decryption key is preferably unique to the smartcard 105. A public key may be made available to the biometric processing unit 203, for example it may include a database of public keys or it may be able to query a central database of public keys. Thus, once encrypted, the biometric data may only be decrypted using the private key on the smartcard 105, i.e. once it is again stored in a secure memory. The unencrypted biometric data is thus never stored in an accessible memory.

Ideally, no database or other records (outside of the smartcard 105 itself) would be kept of the private keys, thus ensuring that this data cannot be accessed by anyone with malicious intent.

Once the authorised user’s template has been enrolled, the smartcard 105 may perform an action, such as to authorise a transaction or similar, responsive to verification of the identity of the card bearer. This may be done by comparing the enrolled fingerprint template to a fingerprint scanned by an on-board fingerprint sensor 107.

Figure 3 illustrates a further embodiment, which may employ a similar biometric processing unit 203 to that shown in Figure 2.

In this method, the encrypted biometric data is not transmitted directly to the smartcard 105 but is instead transmitted to a third party, such as a card provider for installation onto a smartcard 105. This permits the user to be enrolled onto a new smartcard before it is sent to the user, which may be more secure because the card cannot be fraudulently used if it is intercepted before reaching the user.

In step 301, the user first scans their fingerprint using the fingerprint sensor 201 of the biometric processing unit 203.

Next, in step 302, the biometric processing unit 203 extracts a fingerprint template from the scanned fingerprint image captured by the fingerprint sensor 201. Step 302 is optional, and in some implementations the biometric data transmitted may be the biometric image itself or some other derived biometric

In step 303, the biometric data to be stored on the smartcard 105 is encrypted. This may include identifying one or more encryption properties associated with the user and/or their smartcard 105 and encrypting the biometric data in accordance with those properties. For example, the properties may include a type of encryption to use and an encryption key to use.

In step 304, the encrypted biometric data is transmitted from the biometric processing unit 203 to a card provider, or the like. In some embodiments, this may simply be transmission to the computer 202. In other embodiments, the card provider may be located remotely to the biometric processing unit, e.g. a central card production facility for cards used in banking. The biometric data has already been encrypted at this stage and so cannot be used by any third party who intercepts it. Furthermore, even the card provider cannot access the data, reducing the risk that the biometric data and decryption information could be stolen should the card provider be subject to a security breach. For example, even if the card provider stores a centralised database of the encrypted biometric data, it cannot be accessed if the database security is compromised as the decryption keys are only stored on the individual cards.

Next, in step 305, the card provider places the (still encrypted) biometric data onto the smartcard. The smartcard 105 contains the necessary decryption algorithm and private key to decrypt the data, which were preferably pre-stored on the device at the time of manufacture.

Finally, in step 306, the smartcard 105 is provided to the user. This may be via mail in the case of a remote card provider, or may simply comprise giving the smartcard 105 directly to the user in other situations where the card provider is local to the biometric processing unit 203.
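The Figure 3 flow (steps 303 to 305) and the per-card private key described for Figure 2, modelled as an added example; this is illustrative code, not the applicant's implementation, and it assumes an ECDH key pair on the card with an ephemeral-key hybrid scheme (P-256, AES-256-GCM, SHA-256 as a stand-in KDF) as the unspecified "type of encryption". The card provider only ever handles the sealed blob, and a different card or a modified blob is rejected without storing anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const pubLen, nonceLen = 65, 12 // uncompressed P-256 point; AES-GCM nonce
// Card models the smartcard's secure element; its private key never leaves it.
type Card struct {
	priv     *ecdh.PrivateKey
	template []byte // decrypted template, held only in the card's secure memory
}

// NewCard stands in for key generation at card manufacture (assumed scheme).
func NewCard() (*Card, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Card{priv: priv}, err
}

// PublicKey is what the enrolment unit would fetch from the public-key database.
func (c *Card) PublicKey() []byte { return c.priv.PublicKey().Bytes() }
// StoredTemplate exposes the card's secure memory for the demonstration only.
func (c *Card) StoredTemplate() []byte { return c.template }

// aeadFor runs ECDH between priv and peerPub and derives AES-256-GCM from the
// result; SHA-256(secret || ephPub) stands in for a real KDF (assumption).
func aeadFor(priv *ecdh.PrivateKey, peerPub, ephPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, _ := priv.ECDH(peer) // both keys are P-256, so this cannot fail
	k := sha256.Sum256(append(append([]byte{}, shared...), ephPub...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// SealForCard is step 303 inside the enrolment unit's secure environment: the
// clear template goes in and only the blob ephPub || nonce || ciphertext comes out.
func SealForCard(cardPub, template []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // fresh key per enrolment
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, cardPub, ephPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// ephPub is bound as AAD, so swapping it in transit fails the tag check.
	ct := gcm.Seal(nil, nonce, template, ephPub)
	return bytes.Join([][]byte{ephPub, nonce, ct}, nil), nil
}

// Load is step 305 seen from the card: the provider hands the blob over unchanged
// and only this card's private key opens it; anything else fails the tag check.
func (c *Card) Load(blob []byte) error {
	if len(blob) < pubLen+nonceLen+16 { // 16 = GCM tag
		return errors.New("blob too short")
	}
	ephPub, nonce, ct := blob[:pubLen], blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:]
	gcm, err := aeadFor(c.priv, ephPub, ephPub)
	if err != nil {
		return err
	}
	pt, err := gcm.Open(nil, nonce, ct, ephPub)
	if err != nil {
		return errors.New("template rejected: wrong card or tampered blob")
	}
	c.template = pt
	return nil
}
```

The blob is what the provider would store in its database: without the card's private key it is opaque, which is the property the description relies on should that database be breached.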