
CN1695163A - Secure Biometric Authentication - Google Patents

Secure Biometric Authentication


Publication number
CN1695163A
Authority
CN
China
Prior art keywords
card
identification card
data
processor
iso
Prior art date
Legal status
Granted
Application number
CN 03825009
Other languages
Chinese (zh)
Other versions
CN100437635C
Inventor
塔米奥·萨伊托
会田刚
韦恩·德里辛
Current Assignee
IVI Smart Technologies Inc
Original Assignee
IVI Smart Technologies Inc
Priority date
Filing date
Publication date
Legal events
Application filed by IVI Smart Technologies Inc
Publication of CN1695163A
Application granted
Publication of CN100437635C
Anticipated expiration
Current status: Expired - Fee Related

Landscapes

  • Collating Specific Patterns (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Credit Cards Or The Like (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
  • Storage Device Security (AREA)

Abstract

A high security identification card includes an on-board memory for stored biometric data and an on-board sensor for capturing live biometric data. An on-board processor on the card performs a matching operation to verify that the captured biometric data matches the locally stored biometric data. Only if there is a positive match is any data transmitted from the card for additional verification and/or further processing. Preferably, the card is ISO SmartCard compatible. In one embodiment, the ISO SmartCard functions as a firewall for protecting the security processor used for storing and processing the protected biometric data from malicious external attack via the ISO SmartCard interface. In another embodiment, the security processor is inserted between the ISO SmartCard Interface and an unmodified ISO SmartCard processor and blocks any external communications until the user's fingerprint has been matched with a previously registered fingerprint. Real-time feedback is provided while the user is manipulating his finger over the fingerprint sensor, thereby facilitating an optimal placement of the finger over the sensor. The card may be used to enable communication with a transactional network or to obtain physical access into a secure area.

Description

Secure Biometric Authentication

Related Applications

This application is based on, and claims priority from, the following provisional applications: No. 60/409,716, filed September 10, 2002 (Docket No. 7167-102P1); No. 60/409,715, filed September 10, 2002 (Docket No. 7167-103P); No. 60/429,919, filed November 27, 2002 (Docket No. 7167-104P); No. 60/433,254, filed December 13, 2002 (Docket No. 7167-105P); and No. 60/484,692, filed July 3, 2003 (Docket No. 7167-106P). The entire contents of these applications are incorporated herein by reference.

Technical Field

Computerization, and Internet technology in particular, has provided ever-growing access to data, including financial, medical and personal data, which in turn has accelerated financial and other transactions in which confidential data is updated or exchanged.

The confidentiality of such data is usually maintained with passwords; however, passwords are often based on dates of birth or telephone numbers, which are easy to guess and not secure at all. Moreover, even complex, randomly generated passwords can often be stolen easily. Password-based data access systems are therefore vulnerable to illegal attacks that endanger and damage industry and the economy, and even human life. Consequently, an improved method is needed for securing data and protecting it from unauthorized access.

Biometric data may consist of fine details that are difficult to acquire but easy to analyze (for example, the sequence of fingerprint minutiae), or of global patterns that are easy to acquire but difficult to analyze (for example, the spatial characteristics of adjacent fingerprint ridges).

Encryption algorithms require a digital key that is available only to authorized users. Without the correct key, encrypted data can be decrypted into a usable form only by investing sufficient time and processing resources, and even then only when certain characteristics of the unencrypted data are known (or at least predictable).

Japanese Laid-Open Patent Application No. 60-029868 (dated February 15, 1985, applicant Tamio SAITO) proposes a personal identification system that uses an identification card with an integrated memory for recording encrypted biometric data obtained from the cardholder. The biometric data may include voiceprints, fingerprints, physical features, and/or biological tests. In use, the data on the card is read and decrypted for comparison with corresponding data obtained from the person presenting the card. The system allows a registered person to be identified with high accuracy. However, because the biometric data is obtained and processed by an external device, it is difficult to protect the information stored on the card from possible alteration and/or identity theft.

An improved identification card has also been proposed that includes a data-driven multiprocessor chip on the card, providing a hardware firewall that both encrypts and isolates the biometric data stored on the card, and thus better protection against unauthorized alteration of the stored data. However, the actual matching procedure is performed on the same external card-reader terminal that acquires the live biometric data, so the system remains potentially vulnerable to external fraudulent manipulation.

Summary of the Invention

A first embodiment of the high-security identification card includes not only on-board (also called on-chip or on-card) memory for storing biometric data, but also an on-board sensor for capturing live biometric data. A remote authentication system maintains a secure database that includes biometric data. An on-board processor on the card performs a preliminary matching operation to verify whether the captured biometric data matches the locally stored biometric data. Only when there is a correct local match may any captured data or any sensitive stored data be sent to the remote authentication system for additional verification and/or further processing. As further protection against malicious attack, the locally stored data preferably differs from the remotely stored data, and the local and remote matches preferably use different matching algorithms. Thus, even if the card, the locally stored data, and/or the local terminal to which the card is connected are compromised, the remote authentication system will most likely still be able to detect the intrusion attempt.

A second embodiment likewise includes on-board memory for storing biometric data, an on-board sensor for capturing live biometric data, and an on-board processor; in this embodiment, however, the entire matching procedure is performed by the on-board processor, and the raw captured biometric data and any other "private" information stored in the on-board memory are inaccessible to any external program. Instead, in response to a successful match between the newly captured biometric data and the previously captured biometric data, only a verification message is produced. The verification message allows the card to function in the same way as a conventional ISO smart card whose log-on succeeds or fails on the basis of a conventional personal identification number (PIN), but with the additional security provided by the stronger verification procedure. In either embodiment, the stored biometric data and any associated locally stored encryption algorithms or encryption keys are preferably loaded into the card when it is first issued to the cardholder, in a manner that prevents any future external access, thereby further enhancing the integrity of the stored biometric data and of the entire verification procedure.

In one embodiment, the ISO smart card acts as a firewall, protecting the security processor used to store and process the protected biometric data from external malicious attack via the ISO smart card interface. In another embodiment, the security processor is inserted between the ISO smart card interface and an unmodified ISO smart card processor and blocks all external communication until the user's fingerprint has been matched with a previously enrolled fingerprint.
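The two-stage design of the first and second embodiments (nothing leaves the card until the on-board match succeeds; the remote side holds different data and uses a different algorithm) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from IVI Smart Technologies: minutiae are constructed (x, y, angle) tuples on a 100×100 grid, the on-card matcher counts coinciding minutiae, the server compares a coarse per-quadrant minutiae count instead, and the verification message that does leave the card is bound to an assumed card key `CARD_KEY` with an HMAC so a tampering terminal is detected. `CARD_ID` and all sample captures are assumptions.

```python
"""Toy model of on-card gating plus an independent remote check.

Constructed data, not the patent's code: minutiae are (x, y, angle) on a
100x100 grid. The card releases nothing unless the local match passes;
what it releases is a derived descriptor bound to the card key, never
the raw capture. The server stores only the descriptor, so a compromised
terminal or card image does not yield the server's reference data.
"""
import hashlib
import hmac
import math
import secrets

CARD_ID = "card-0001"                 # assumed card identifier
CARD_KEY = secrets.token_bytes(32)    # card-bound key, loaded at issuance

# Constructed samples: the enrolled template, a live capture of the same
# finger with small jitter, and a capture of a different finger.
ENROLLED = [(10, 10, 30), (40, 20, 90), (70, 60, 120), (20, 80, 45), (90, 90, 180)]
LIVE_SAME = [(11, 9, 32), (39, 22, 88), (71, 61, 118), (20, 79, 47), (88, 91, 177)]
LIVE_OTHER = [(50, 50, 0), (15, 15, 200), (60, 30, 10)]


def local_score(live, stored, tol=3.0, angle_tol=10.0):
    """Fraction of stored minutiae with a live counterpart within tolerance."""
    hits = 0
    for sx, sy, sa in stored:
        if any(math.hypot(sx - lx, sy - ly) <= tol and abs(sa - la) <= angle_tol
               for lx, ly, la in live):
            hits += 1
    return hits / len(stored)


def global_descriptor(minutiae, grid=2, size=100):
    """Coarse 'easy to capture, hard to analyse' pattern: minutiae per cell."""
    cells = [0] * (grid * grid)
    for x, y, _ in minutiae:
        cx = min(x * grid // size, grid - 1)
        cy = min(y * grid // size, grid - 1)
        cells[cy * grid + cx] += 1
    return cells


class SecurityProcessor:
    """Holds template and key; exposes only a keyed verification message."""

    def __init__(self, template, threshold=0.8):
        self._template = template
        self._threshold = threshold
        self.log = []          # on-card record of successful/failed attempts

    def verify(self, live):
        score = local_score(live, self._template)
        ok = score >= self._threshold
        self.log.append(("match" if ok else "no-match", round(score, 2)))
        if not ok:
            return None        # firewall stays closed: nothing leaves the card
        # Only a derived descriptor and an attempt counter leave the card.
        desc = ",".join(map(str, global_descriptor(live)))
        msg = f"{CARD_ID}:{desc}:{len(self.log)}".encode()
        tag = hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()
        return msg + b"|" + tag.encode()


class AuthServer:
    """Remote stage: different stored data (a descriptor) and a different check."""

    def __init__(self, keys, descriptors):
        self._keys = keys                  # card id -> card key
        self._descriptors = descriptors    # card id -> descriptor taken at enrollment

    def check(self, packet):
        msg, _, tag = packet.rpartition(b"|")
        card_id, desc, _counter = msg.decode().split(":")
        expected = hmac.new(self._keys[card_id], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode()):
            return False                   # forged or altered in transit
        live = [int(v) for v in desc.split(",")]
        stored = self._descriptors[card_id]
        # Independent second match: tolerate at most one minutia of drift.
        return sum(abs(a - b) for a, b in zip(live, stored)) <= 1


card = SecurityProcessor(ENROLLED)
server = AuthServer({CARD_ID: CARD_KEY}, {CARD_ID: global_descriptor(ENROLLED)})

if __name__ == "__main__":
    print(card.verify(LIVE_OTHER))                   # None: card stays silent
    packet = card.verify(LIVE_SAME)
    print(server.check(packet))                      # True
    print(server.check(packet.replace(b"2,0,1,2", b"0,0,0,0")))  # False: altered
```

The point a practitioner should take from the model is the asymmetry: the wrong finger produces no traffic at all, a correct finger produces only a descriptor and a counter, and the server rejects any message whose body was changed after the card signed it.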

In a preferred embodiment of a high-security identification card with on-board fingerprint matching, real-time feedback is provided while the user places a finger over the fingerprint sensor, helping to achieve optimal placement of the finger over the sensor. This feedback not only reduces computational complexity but also provides an additional means of distinguishing between inexperienced users and fraudulent users, further reducing the likelihood of false negatives and/or false positives. In another preferred embodiment, the fingerprint sensor is held in a carrier that provides additional stability.

In one exemplary application, the captured biometric data and/or the cardholder's identification are encrypted before any authorization of online access to confidential data, or before any automated procedure for completing a secure transaction, and are then fed into a transaction network that includes financial institutions and a separate authentication server. In another exemplary application, the output of the card is used to obtain physical access to a secure area. In either application, a record of successful and unsuccessful access attempts may be kept on the card, on an external secure server, or on both.

Brief Description of the Drawings

Figure 1 shows one embodiment of a smart card with on-board biometric verification of the identity of the person presenting the card;

Figure 2 is a flowchart of an exemplary procedure for helping a user achieve optimal placement of a finger on the fingerprint sensor;

Figure 3 is a functional block diagram of a biometric verification system capable of verifying, both locally and remotely, the identity of a person presenting a secure identification card;

Figure 4 is a functional block diagram of an exemplary biometric verification card that uses different physical data paths during the initial loading of the cardholder's biometric data and during remotely requested verification of the cardholder's identity;

Figure 5 shows an alternative embodiment of the exemplary biometric verification card of Figure 4, intended for use with an unmodified ISO smart card CPU;

Figure 6 is a flowchart showing the communication between an exemplary application and an exemplary verification card in which only local verification of the cardholder's identity is performed;

Figure 7 is a flowchart similar to Figure 6, but for the exemplary biometric verification card of Figure 5;

Figure 8 shows a second embodiment of a smart card with on-board biometric verification that can be connected to a local terminal wirelessly or by means of an electrical connector;

Figure 9 is a cross-sectional view of the card of Figure 8;

Figure 10 is a circuit diagram of an exemplary fingerprint sensor; and

Figure 11 shows one embodiment of a carrier assembly for the sensor of Figure 10.

Detailed Description

Smart Card

As used herein, the term "smart card" or "intelligent card" refers in general to any physical object small enough to be held in the hand, worn around the neck, or otherwise carried on the person, which includes a microprocessor capable of storing, processing and transmitting digitally encoded information relating to, or otherwise connected with, the individual cardholder. A well-known example of such a smart card is the ISO (International Standards Organization) smart card, which has the same physical dimensions and shape as a conventional credit card but includes flash memory for storing user-specific data, and a microprocessor that can be programmed with a strong encryption algorithm to indicate whether the PIN (Personal Identification Number) received from the user terminal matches the encrypted PIN stored on the card. This gives a higher degree of confidence that the person presenting the card is the genuine cardholder than a verification system that relies only on a visual comparison of signatures and/or physical appearance.

Referring next to Figure 1, one embodiment of a smart card with on-board biometric verification is shown. The card 100 is typically made of plastic and has the overall appearance of a conventional credit card, with approximate dimensions conforming to ISO 7816 of about 53.98 × 85.6 mm and a thickness of about 0.76 mm or more.

Like a conventional credit card, the card 100 includes a blank upper region 102 extending across the entire lateral width of the card, for carrying a magnetic stripe (conforming to ISO 7811-2 and 7811-6) on the back of the card, on which conventional encoded character information about the cardholder and any associated accounts may be stored, so that the card 100 can be used in conventional magnetic stripe readers. However, because any data loaded on a magnetic stripe can be modified easily, such a stripe is suitable only for particular applications in which the need for backward compatibility with older magnetic-stripe terminals outweighs the potential reduction in system security that the stripe introduces.

The upper region 102 also serves to support various anti-counterfeiting measures, such as a tamper-resistant color photograph of the cardholder and/or a holographic logo of the card issuer. The lower region 104 of the card 100 may carry embossed information in the conventional style (conforming to ISO 7811-1), such as the cardholder's name, numeric account (or card) number, and expiration date, so that the card 100 can be used in conventional card imprinters.

The upper region 102 and the lower region 104 are separated by a middle region 106 in which a set of eight visible ISO smart card contacts 108 is embedded, providing a convenient electrical connection between the card and the corresponding contacts on the card reader. In this way, not only data but also power, clock and control signals can be exchanged between the reader and the card, as specified in ISO 7816-3.

To the right of region 106 is the sensor region 110, used to acquire fingerprint data from the cardholder's finger. Preferably, the card is provided with an ID code that corresponds uniquely to the sensor 110 or to other electronic components embedded in the card; for example, a code in conventional IP and/or MAC address format.

Figure 1 also shows schematically several additional electronic components which, working together with the contacts 108 and the sensor 110, provide greater functionality, and in particular better security, than would otherwise be possible.

In one embodiment, an ISO smart card compatible processor 112 is connected directly to the ISO contacts 108 to provide an electrical connection to an external ISO-compatible card reader (not shown), which not only supplies power to the on-card electronics but also provides a means of transferring data between the card and any external communication software, security software, transaction software, and/or other application software running on the reader or on any associated computing device networked with the reader.

Although in the described embodiment the data channel between the card 100 and the external reader takes the form of a wired connection using the smart card connection scheme specified by ISO, it should be understood that in other embodiments other transmission technologies may be used, for example USB, RS 232C or SPI (serial) connections, or wireless RF (radio frequency), microwave and/or IR (infrared) communication links.

Likewise, although the described embodiment draws power from the card reader, other embodiments may have an on-card power source, such as a solar cell or a battery. An on-card power source may be advantageous, for example, if the mechanical interface between the card 100 and a particular type of reader is such that the fingerprint sensor 110 is inaccessible to the user while the contacts 108 are connected to the corresponding connections in the reader, so that the user's fingerprint data must be captured while the card 100 has no direct wired connection to the reader.

Security Processor

As shown, a security processor 114 is connected between the ISO processor 112 and the sensor 110 to provide secure processing and storage of the captured data and to provide a "firewall" that protects the data and programs stored in its dedicated memory from any abnormal access attempt made through the ISO processor 112, as described below. The firewall may be designed to pass only data encrypted with an encryption key that is based on a uniquely assigned network address or on something else that corresponds uniquely to that particular card, for example data extracted from the previously stored fingerprint pattern, or a uniquely assigned device number such as a CPU number or fingerprint sensor number. In another embodiment, the firewall passes only data that includes uniquely identifiable data derived from a previous transmission or from previous data. In other embodiments, the firewall holds different keys for different applications and uses these keys to route data to different processors or memory sections.

In another embodiment (not shown), the security processor 114 is connected directly to the ISO contacts 108 and acts as a security gate between the ISO processor 112 and the ISO contacts 108. This alternative has the advantage of providing the additional security afforded by the security processor 114 and the sensor 110 without any possibility of compromising security features that may already be integrated into the ISO processor 112.

The security processor 114 preferably includes non-volatile semiconductor memory or non-semiconductor memory, such as FRAM, OTP, E2PROM, MRAM or MROM, for storing previously enrolled fingerprint patterns and/or other human biometric information. In other embodiments, some or all of the functions of the security processor 114 may be performed in the ISO processor 112, and/or some or all of the functions of the ISO processor 112 may be performed in the security processor 114. Such a combined implementation can still maintain a software firewall between the functions, which is particularly advantageous if the device is implemented in a way that does not allow any subsequent modification of the stored software programs. Alternatively, the processors 112 and 114 may both be separate processors within a single multiprocessor device designed to protect each processor from any interference by a program running in a different processor. One example of such a multiprocessor device is the DDMP (Data Driven Multiple Processor) from Sharp Corporation of Japan.

These various sensors, contacts and other electronic components, together with the printed circuits or other electrical wiring that interconnect them, are preferably enclosed entirely within the body of the card 100, which protects them from wear and external contamination; their preferred location within the middle region 106, between the upper region 102 and the lower region 104, further protects them from possible damage by conventional magnetic stripe readers, imprinters and embossing devices, which make mechanical contact with the other regions.

LED Feedback

LEDs 116a, 116b are controlled by the security processor 114 to provide visual feedback to the user. In the illustrated embodiment they are located in the lower region 104, preferably on the side of the card away from the contacts 108. In any case, the LEDs 116a, 116b are preferably located where they will not be damaged during any imprinting procedure, and where they can be seen when the card is inserted into a conventional ISO smart card reader and/or when the user's finger is placed over the fingerprint sensor 110. For example:

In verification mode:

·Red light flashing: waiting for a finger

·Flashing stops: finger is on the sensor

·Red light flashes once: no match, move the finger

·Green light gives one long flash: matched, the finger may be removed

In enrollment mode:

·Green light flashing: waiting for a finger

·Flashing stops: finger is on the sensor

·Red light flashes once: cannot enroll, move the finger

·Green light flashes once: enrolled, the finger may be removed

In erase mode:

·Green and red lights flashing: ready to erase

·Green light flashes once: erased

Preferably, the user is given several opportunities to position the finger for a successful match or enrollment before any negative report is sent. In one embodiment, a negative report is sent to the authentication server only if the user removes the finger before receiving the green "permitted" indication, or if a predetermined time limit is exceeded. This procedure trains the user to place the finger optimally over the sensor, which not only reduces computational complexity but also allows a larger discrimination threshold to be used. The visual feedback also provides a psychological basis for distinguishing between inexperienced users (who typically keep trying until correct placement is achieved) and fraudulent users (who typically do not wish to attract attention and will leave before their malicious intent is discovered). The net result is a significant reduction in the likelihood of false negatives and/or false positives.

Figure 2 shows an exemplary procedure for helping the user place a finger on the sensor 110. In block 150, the RED LED 116b is flashing. Once a finger is detected (block 152), the LED stops flashing and the image quality (the elongated, well-defined regions corresponding to the ridges and valleys of the finger's skin) is checked (block 154). If the quality is unacceptable (NO branch 156), a single flash of the RED LED 116b tells the user to move the finger to a different position (block 158); otherwise (YES branch 160) a second check is performed (block 162) to determine whether the same finger is placed in the same position that was used to enroll the user, so that a relatively simple matching algorithm can verify that the live data agrees with the stored data within a predetermined threshold, and hence that the live finger is the same as the originally enrolled finger (YES branch 164); the GREEN LED 116a is then activated (block 166) for long enough (block 168) to confirm that a successful match has been made and that the user may now remove the finger. Alternatively, if the match threshold is not met (NO branch 170), a single flash of the red LED 116b (block 158) tells the user to move the finger to a different position, and the procedure repeats.
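The Figure 2 loop together with the negative-report rule of the preceding paragraph (a report goes out only if the finger is lifted before the green light, or the time limit runs out) is a small state machine, and it is worth seeing how the LED trace and the outcome fall out of a sequence of sensor readings. The following simulation is an added example for this page, not code from the patent: readings are constructed, the quality and match scores are assumed to be normalised to 0..1, and the thresholds and the six-tick limit are assumptions.

```python
"""Simulation of the Fig. 2 placement loop (added example, not the patent's code).

Each Reading is one sensor tick. Quality and score are assumed to be
normalised to 0..1; the thresholds and the tick limit are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Led(Enum):
    RED_BLINKING = "red blinking"      # block 150: waiting for a finger
    RED_STEADY = "red steady"          # block 152: finger detected, blinking stops
    RED_ONCE = "red flash once"        # block 158: move the finger
    GREEN_LONG = "green long flash"    # blocks 166/168: matched, lift finger


@dataclass
class Reading:
    present: bool      # is a finger on the sensor?
    quality: float     # ridge/valley clarity, 0..1 (block 154)
    score: float       # similarity to the enrolled template, 0..1 (block 162)


def run_placement(readings, quality_min=0.6, match_min=0.8, max_ticks=6):
    """Return (outcome, led_trace).

    outcome is 'matched', or the reason for a negative report: the finger
    was lifted before the green light, or the time limit expired.
    """
    trace = [Led.RED_BLINKING]
    finger_seen = False
    for tick, r in enumerate(readings):
        if tick >= max_ticks:
            return "negative:timeout", trace
        if not r.present:
            if finger_seen:
                return "negative:finger-removed", trace
            continue                        # still waiting; red keeps blinking
        if not finger_seen:
            finger_seen = True
            trace.append(Led.RED_STEADY)
        if r.quality < quality_min:         # NO branch 156
            trace.append(Led.RED_ONCE)
            continue
        if r.score >= match_min:            # YES branch 164
            trace.append(Led.GREEN_LONG)
            return "matched", trace
        trace.append(Led.RED_ONCE)          # NO branch 170, back to block 158
    return "negative:timeout", trace


# Constructed readings: wait, poor image, clear image off-position, then a match.
LEARNING_USER = [Reading(False, 0.0, 0.0), Reading(True, 0.3, 0.0),
                 Reading(True, 0.9, 0.5), Reading(True, 0.9, 0.95)]
# Constructed: finger lifted after the first red flash, before any green.
GIVES_UP = [Reading(True, 0.9, 0.4), Reading(False, 0.0, 0.0)]
# Constructed: seven poor images in a row exceed the six-tick limit.
NEVER_CLEAR = [Reading(True, 0.2, 0.0)] * 7

if __name__ == "__main__":
    for name, seq in [("learning", LEARNING_USER), ("gives-up", GIVES_UP),
                      ("never-clear", NEVER_CLEAR)]:
        outcome, trace = run_placement(seq)
        print(name, outcome, [led.value for led in trace])
```

Note that a user who keeps repositioning after each red flash never triggers a report until the limit, which is exactly the distinction the text draws between an inexperienced user and one who leaves at the first sign of failure.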

Exemplary Network Architecture

Referring next to Figure 3, one possible embodiment of a biometric verification system that can verify, both locally and remotely, the identity of a person presenting a secure identification card is shown. It comprises three main parts: a client terminal 200, an application server 202, and an authentication server 204. The client terminal 200 provides the following functions: live capture and local processing of the user's fingerprint, encryption of the locally processed data, and secure communication with the application server and the authentication server, preferably over the Internet using the IP/TCP addressing scheme and transport protocol, with protection from malicious access provided by a conventional IP firewall 206. In other embodiments, the firewall 206 may have filters and an encryption encoder/decoder, which encodes outgoing data once it has been verified as authorized and decodes incoming data before determining whether it is authorized, using for example an encryption algorithm such as DES 128. In this way the firewall 206 can classify data as authorized or potentially malicious not only from the packet header but also from the packet content.

The client terminal 200 may be implemented as a dedicated network device, or as software installed on a programmable desktop computer, laptop, or other workstation or personal computer controlled by a general-purpose operating system such as Windows XXX, OS X, Solaris XX, Linux or Free BSD. Preferably, the client terminal 200 includes a "disabled" database (for example, the identities of lost or stolen cards, or restrictions applying to a particular card or group of cards) that is kept up to date, to provide an additional security measure.
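The two checks the text assigns to the terminal side, classification by header and by content in firewall 206 and the "disabled" database of lost, stolen or restricted cards, are the sort of thing an engineer would want to see as concrete rules rather than a diagram. Below is an added example written for this page, not code from the patent: the message layout (`VERIFY/1` header, three `key=value` lines), the card-id format, and the hot-list entries are constructed assumptions, and freshness is enforced with a per-card counter that must advance, in the spirit of the earlier passage about passing only data tied to a previous transmission. The cipher the text mentions is left out so the check runs on the standard library alone.

```python
"""Terminal-side classification of incoming verification messages.

Added example, not the patent's code. The header and field layout, the
card-id pattern and the disabled/restricted entries are constructed.
"""
import re
from dataclasses import dataclass, field

CARD_ID_RE = re.compile(r"^card-\d{4}$")     # assumed card-id format

# Constructed "disabled" database: lost/stolen cards and per-card restrictions.
DISABLED = {"card-0002": "reported stolen"}
RESTRICTED = {"card-0003": {"allowed": {"balance"}}}   # card -> permitted operations


@dataclass
class Classifier:
    last_counter: dict = field(default_factory=dict)   # card -> last accepted counter

    def classify(self, packet: bytes):
        """Return (verdict, reason); verdict is 'authorized' or 'malicious'."""
        # 1. Header: only the expected message type gets any further look.
        header, sep, body = packet.partition(b"\n")
        if not sep or header != b"VERIFY/1":
            return "malicious", f"unexpected header {header!r}"
        # 2. Content: exactly the expected fields, each well-formed, no extras.
        lines = body.decode(errors="replace").splitlines()
        if any("=" not in ln for ln in lines):
            return "malicious", "malformed body line"
        fields = dict(ln.split("=", 1) for ln in lines)
        if len(fields) != len(lines) or set(fields) != {"card", "op", "ctr"}:
            return "malicious", f"unexpected field set {sorted(fields)}"
        card, op, ctr = fields["card"], fields["op"], fields["ctr"]
        if not CARD_ID_RE.match(card) or not ctr.isdigit():
            return "malicious", "malformed card id or counter"
        # 3. Disabled database: lost/stolen cards and restricted operations.
        if card in DISABLED:
            return "malicious", f"{card} is disabled: {DISABLED[card]}"
        if card in RESTRICTED and op not in RESTRICTED[card]["allowed"]:
            return "malicious", f"{card} may not perform {op}"
        # 4. Freshness: the counter must move past the last accepted value.
        if int(ctr) <= self.last_counter.get(card, 0):
            return "malicious", "replayed or stale counter"
        self.last_counter[card] = int(ctr)
        return "authorized", "ok"


# Constructed sample traffic.
GOOD = b"VERIFY/1\ncard=card-0001\nop=transfer\nctr=7"
STOLEN = b"VERIFY/1\ncard=card-0002\nop=transfer\nctr=1"
OVERREACH = b"VERIFY/1\ncard=card-0003\nop=transfer\nctr=1"
WITHIN_LIMITS = b"VERIFY/1\ncard=card-0003\nop=balance\nctr=1"
BAD_HEADER = b"HELLO\n"
EXTRA_FIELD = b"VERIFY/1\ncard=card-0001\nop=transfer\nctr=8\ndebug=1"

if __name__ == "__main__":
    clf = Classifier()
    for pkt in (GOOD, GOOD, STOLEN, OVERREACH, WITHIN_LIMITS, BAD_HEADER, EXTRA_FIELD):
        print(clf.classify(pkt))
```

The second submission of `GOOD` is rejected as a replay even though its header and content are identical to the accepted one, which is the property a content-only filter would miss.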

The application server 202 provides the function of conducting transactions, or of responding to instructions from the remote user at the client terminal 200, once the user's identity has been confirmed by the authentication server 204. The authentication server 204 provides the functions of communicating securely with the client terminal 200 and the application server 202, storing the true fingerprint data and other information about previously registered users, comparing the stored data with the encrypted live data received from the client terminal 200, and notifying the application server 202 whether the specified live fingerprint data matches the stored fingerprint data.

More particularly, the client terminal 200 itself comprises two main components: a fixed card reader component 208, which includes an Internet browser terminal 210 and a card reader interface 108a (which may be as simple as a USB cable terminated in a set of electrical contacts that mate with the ISO smart card contacts 108); and a portable smart card component 100'. In one embodiment, the portable component 100' may be the smart card 100 described above, including the fingerprint sensor 110, the security processor 114, and the ISO smart card processor 112.

The application server 202 further comprises an Internet server interface, which includes the firewall 206 and an Internet browser 214, together with a transaction application module 216 and a validation module 218. Where the application server and the application module 216 are legacy equipment not designed for external communication over TCP/IP, the firewall 206 may be replaced by a suitable protocol conversion program that has the validation module 218 installed and a fixed IP address. The application server may, for example, be operated by a third party willing to provide services to authorized users over the Internet.

The authentication server 204 further comprises an Internet server interface 220; a processing module 222 that includes a fingerprint matching algorithm 224; and a database 226 for storing fingerprints and other true information collected from individuals at the time they were registered with the system and their identity was assured to the satisfaction of the system operator. To further strengthen security, the stored data for any particular individual is preferably not kept on the application server as a single column of information; instead the items are stored separately, and any index or association required to link them is obtainable only through a corresponding key, which is kept as part of the individual's private data on the authentication server.
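The split storage described for database 226, as an added example that is not code from the patent: each registrant's items are filed as unlinked entries under locators that are keyed hashes of the field name, so that without the individual's key the entries cannot be associated with one another or with a person. HMAC-SHA256 as the keyed index function, the in-memory dict used as the item store, and the sample records are all assumptions of this example, not details given in the patent.

```python
"""Added example (not the patent's code): separated storage of a
registrant's items with the association recoverable only through a
per-individual key held by the authentication server.

Assumptions not stated in the patent: HMAC-SHA256 as the keyed index
function, an in-memory dict as the item store, constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

FIELDS = ("fingerprint_template", "name", "address", "date_of_birth")


class SplitRecordStore:
    """Items are filed under locators = HMAC(key, field_name); without the
    individual's key the locators are unlinkable and carry no plaintext."""

    def __init__(self) -> None:
        self._items: Dict[bytes, bytes] = {}     # locator -> item, unlinked
        self._link_keys: Dict[str, bytes] = {}   # user_id -> private key

    @staticmethod
    def _locator(key: bytes, field: str) -> bytes:
        return hmac.new(key, field.encode(), hashlib.sha256).digest()

    def enroll(self, user_id: str, record: Dict[str, bytes]) -> None:
        key = secrets.token_bytes(32)             # fresh key per individual
        self._link_keys[user_id] = key
        for field in FIELDS:
            self._items[self._locator(key, field)] = record[field]

    def fetch(self, user_id: str, field: str) -> Optional[bytes]:
        key = self._link_keys.get(user_id)
        if key is None:
            return None
        return self._items.get(self._locator(key, field))

    def revoke(self, user_id: str) -> None:
        """Dropping the key (e.g. for a lost or stolen card) leaves the
        items in the table but makes them unreachable and unlinkable."""
        self._link_keys.pop(user_id, None)

    def dump(self) -> Dict[bytes, bytes]:
        """What someone who reads the raw item table would see."""
        return dict(self._items)


def demo() -> Dict[str, object]:
    store = SplitRecordStore()
    # Constructed sample data; templates are opaque byte strings here.
    store.enroll("alice", {
        "fingerprint_template": b"\x01\x02\x03\x04",
        "name": b"Alice Example",
        "address": b"1 Example Street",
        "date_of_birth": b"1970-01-01",
    })
    store.enroll("bob", {
        "fingerprint_template": b"\x09\x08\x07\x06",
        "name": b"Bob Example",
        "address": b"2 Example Street",
        "date_of_birth": b"1980-02-02",
    })
    alice_template = store.fetch("alice", "fingerprint_template")
    store.revoke("alice")
    return {
        "alice_template": alice_template,
        "alice_after_revoke": store.fetch("alice", "name"),
        "bob_name": store.fetch("bob", "name"),
        "table_size": len(store.dump()),
        "locators_opaque": all(len(k) == 32 for k in store.dump()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the construction is that the item table on its own is just a bag of unrelated entries; the only thing that ties the fingerprint template to a name is the key, which lives with the individual's private data and is the one thing that must be protected (and which can be dropped to revoke).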

Positioning

In some embodiments, the fixed card reader 208 and/or the portable card 100" may also be equipped with an integrated Global Positioning Satellite ("GPS") receiver 212, which can provide useful information about the current location of the reader and the card at, or about, the time a particular transaction takes place. In particular, the location data from the GPS receiver 212 may be used to disable the reader and/or the card (permanently or temporarily) if either is moved into an area where its use is not authorized. Besides GPS, location may be determined automatically by other means, for example PHS (Japanese cellular telephone) caller-location technology, or a positioning sensor responsive to local variations in the earth's electromagnetic field. In the particular case of a GPS-equipped card, the various GPS components, namely the antenna; the digital amplifier, A/D converter and sample-and-hold circuits; and the digital signal processor that computes the position, are preferably all parts of a single integrated circuit, or all discrete devices mounted on a single circuit board, which is integrated, embedded, or laminated into the card body.

Card Structure for an ISO Card with On-Card Matching

ISO Processor Interface

FIG. 4 is a functional block diagram of an exemplary ISO smart card compatible biometric authentication card 100 or 100', which has different physical data paths for the initial loading of the cardholder's biometric data and for the verification of the cardholder's identity to a remote application.

In particular, in addition to the previously described ISO processor 112, security processor 114, fingerprint sensor 110, LEDs 116a and 116b, and optional GPS receiver 212, of which only the ISO processor 112 is connected directly to the card reader 208 through the ISO smart card contacts 108, a separate loading module 300 and an associated temporary connection 302 are shown, which provide direct communication with the security processor 114 during initial user enrollment. Note that the ISO processor 112 communicates with the security processor 114 through I/O ports 304 and 306, whereas the temporary loading connection 302 is attached to a distinct I/O port 308. Preferably, the security processor is programmed so that any sensitive, security-related data or software is accessible only through port 308 and never through ports 304 and 306, so that once connection 302 has been disabled there is no possibility of malicious access to that sensitive data.

Most commercially available ISO processors have at least two I/O ports, and some have at least three. Only one of these ports (I/O 1) is assigned to the conventional ISO smart card serial data connection 108 to the external ISO-compatible card reader 208. Preferably, one or two additional I/O ports provide a dedicated, hard-wired communication path between the ISO processor 112 and the security processor 114 that acts as a hardware firewall, blocking any malicious attempt to reprogram the security processor 114 or to gain access to any sensitive information that may previously have been captured by the sensor 110 or may be stored within the processor 114. In the particular case of an ISO processor with more than two I/O lines, the static signals on the dedicated path between the ISO processor and the security processor can represent more than two states even while the security processor is completely powered down, for example 1) Ready, 2) Busy, 3) Fail, and 4) Pass. Of course, even if only a single I/O port is available, these four states can still be sent dynamically as serial data.

The commands and data that may be transferred between the ISO CPU and the security CPU over the ISO interface ports I/O 2 and I/O 3 are as follows:

· An enroll-user or verify-user command, to which the security CPU replies with the enrollment result or the verification result, for local storage and/or transmission to a remote application.

· Fingerprint information, which may be sent from the security CPU to the ISO CPU as a template (reference) for storage in the ISO smart card memory and transmission to a remote application. To strengthen the protection of this sensitive private information, the reference data may be encrypted by the security CPU before it is sent to the ISO CPU.

The loading connection 302 provides a direct connection to the security CPU 114 that bypasses any firewall protection provided by the ISO connection and the associated dedicated I/O ports 304 and 306, while communication can be maintained between the ISO CPU 112 and the ISO card reader 208 so that power is also available to the security CPU 114. It is used principally for the initial enrollment of the card to a specific user and is thereafter disabled to prevent unauthorized access.

FIG. 5 shows an alternative embodiment of the exemplary biometric authentication card of FIG. 4 that is intended to use an unmodified ISO SmartCard CPU. In particular, the ISO CPU 112' no longer has to perform any gateway function between the card reader 208 and the security CPU 114', either during normal use or during loading, so it may be any ISO-licensed chip, unaltered in any way and used in a manner that is entirely transparent to the reader 208 and to any external application. In this alternative embodiment, the security CPU 114' acts as a transparent firewall between the ISO CPU 112' and any external application if the captured fingerprint matches the stored fingerprint, and blocks all such communication if it does not.

Card Initialization and Protection of Stored Data

Cut-Off

In one embodiment, the card as originally manufactured has a protruding printed-circuit extension that provides a direct connection to the security CPU and to at least part of the ISO interface and/or any discrete on-card memory. This direct-connection interface is used only for testing the card and for loading the fingerprint enrollment data, and carries the signals that enable the enrollment procedure. Once enrollment is complete, the circuit extension is cut off mechanically, so that enrollment is no longer possible and the security CPU memory can be reached only through the ISO CPU and the firewall between the ISO CPU and the security CPU described above.

Fuse

In another embodiment, the security CPU has a memory that can no longer be written once the enrollment fingerprint pattern has been stored in it. One example of such a memory is a one-time programmable PROM ("OTP"), which is similar in structure to an EPROM but is packaged opaque to UV light and therefore cannot be erased. Another example is a Flash ROM that becomes read-only after enrollment is complete, for example by passing enough current through the Enable, Address, or Data signal path to create a physical break (a "fuse") in that path.

Typical Authentication Procedure

In one embodiment, a typical authentication procedure comprises capturing physical fingerprint data, for example by optical, pressure, conductive, capacitive, acoustic, elastic, or photographic techniques, at a client terminal used by the person seeking access and connected to the application server, and then sending that data (preferably in encrypted form) to a separate fingerprint authentication server. The fingerprint authentication server uses authentication software to compare the captured fingerprint data with a fingerprint file containing the user's fingerprint enrollment data, and if the data match, the authentication server sends a validation instruction to the application server.

In another embodiment, the user accesses the secure web interface of a fingerprint authentication server that holds a fingerprint file in which all fingerprints are pre-registered together with personal data such as name, address, and date of birth. The secure fingerprint authentication server, accessed by the user over a secure protocol such as HTTPS, then sends an instruction to the client terminal to capture the user's fingerprint there. In response to the instruction displayed in the client terminal's browser, the user places the selected finger on the fingerprint sensor, and fingerprint capture software installed on the client terminal acquires a digital fingerprint, for example a pixel image with a pitch of 25 to 70 microns, an area of 12.5 to 25 square millimeters (mm²), and 8-bit gray levels.

The secure fingerprint authentication server receives the fingerprint data together with the user ID, the Internet IP address, and/or the unique code of the fingerprint sensor (MAC address), and/or a cookie (a cookie being data placed on the client terminal by the web server so that the web server can recognize that client terminal), and/or any unique code or other information that identifies the particular individual or terminal (for example, details from a previous session between the client terminal and the secure fingerprint authentication server). Having received this information, it uses the authentication software to compare the received fingerprint data with the fingerprint file, which holds the pre-registered fingerprint data together with the user ID and personal information such as name, address, date of birth, criminal record, driver's license, social security number, and so on; the comparison may be a minutiae comparison and/or a fast Fourier transform comparison.

At the start of the authentication procedure, the web server 214 for the relevant application instructs the user, visually or audibly, to place a finger on the fingerprint capture sensor 110 and to press a mouse button or keyboard key, which starts the fingerprint capture software in the security processor 114. The captured user fingerprint data is then sent, through the ISO processor 112 and the web browser 210 of the client terminal 200, in encrypted form (for example, using the RSA-based secure transport protocol HTTPS) to the web server 220 of the fingerprint authentication server 204. If the captured data successfully matches the corresponding data in its database 226, the fingerprint authentication server 204 then confirms the user's identity to the client terminal 200 and to the application server 202.

An exemplary preferred embodiment that employs a three-way authentication protocol, with a one-time password used as the key of a hashed character sequence, is now described with reference to FIG. 3:

· The web browser 210 of the client terminal 200 accesses the web interface 214 of the relevant application server 202 by requesting access to the application program 216.

· The web interface 214 of the application server 202 responds with a LOG-IN screen and the instructions for accessing the application program 216.

· The client terminal 200 instructs the ISO processor 112 to activate the security processor 114.

· The ISO processor 112 triggers the security processor 114.

· The security processor 114 waits for fingerprint data from the fingerprint sensor 110 and, when valid data is received, extracts a digital fingerprint pattern, which is sent through the ISO processor 112 to the web browser 210.

· The web browser 210 sends an encrypted version of the extracted fingerprint pattern to the authentication server 204, together with (or encrypted together with) related information concerning the card 100' and the reader 208, such as the user ID, the IP address of the client terminal 200, and/or the hard-wired ID code (MAC address) of the sensor 110.

· The web interface 220 of the authentication server 204, having received the extracted fingerprint pattern together with the other information from the client terminal 200, passes this information to the fingerprint matching processor 222.

· Under the control of the matching software 224, the fingerprint matching processor 222 uses the received user ID or other user-specific information to retrieve the corresponding fingerprint reference pattern from the database 226 and compares the captured fingerprint pattern with the reference pattern.

· The result (match or no match) is stored in an access history log together with the related information identifying the terminal 200, the user ID card 100', and the application request 216, and control returns to the authentication server web interface 220.

· If the result is a match, the authentication server web interface 220 generates a one-time password in the form of a challenge character sequence, which is transmitted to the client terminal 200; it also uses the challenge sequence as the hash key to encrypt the related information, and saves the result as the corresponding expected challenge response for later reference.

· The client terminal 200 uses the received challenge sequence as the hash key to encrypt its previously stored, unencrypted copy of the related submission information, and sends the result to the web interface 214 of the application server 202 as part of its response to the application's log-in procedure.

· The web interface 214 of the application server 202, having received the hashed related information, passes it to the application service 216, which associates it with the LOG-ON attempt from the client terminal and, to confirm the match result, forwards the received related information, which the client terminal has hashed with the challenge sequence supplied by the authentication server, as the challenge response.

· The web interface 220 of the authentication server 204, having received the challenge response from the application server, passes it to the authentication processor 222, which compares it with the previously saved reference copy of the expected challenge response to decide whether the user's identity has in fact been authorized.

· Any authorized user identity information resulting from this comparison is then returned to the application program 216 through the authentication server web interface 220 and the validation interface 218 of the application server 202.

· The validation interface 218 passes on the authentication to confirm that the user identity established at the initial log-in attempt is valid.

· Once the user's identity has been confirmed, the authenticated application program 216 communicates directly with the web browser 210 of the client terminal 200 through the web interface 214 of the application server 202.
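The three-party exchange listed above, as an added example that is not code from the patent: the client terminal sends the pattern and its related information to the authentication server, receives a one-time challenge, keys a hash of the related information with that challenge, and presents the result to the application server, which forwards it to the authentication server for comparison with the copy computed there. The patent speaks of the challenge being used as a "hash code" to encrypt the information; this example realizes that as HMAC-SHA256 with the challenge as key. Exact byte-string comparison of fingerprint patterns (a real matcher scores similarity), in-memory dicts as server state, single-use consumption of each challenge, and the sample user and addresses are assumptions of this example, not details from the patent.

```python
"""Added example (not the patent's code): simulation of the three-way
authentication protocol with a one-time challenge used as HMAC key.

Assumptions not stated in the patent: HMAC-SHA256 as the keyed hash,
exact byte comparison of patterns, in-memory server state, challenges
consumed on first use, constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Submission:
    """Related information sent with the pattern: user ID, terminal IP,
    sensor hard-wired ID (MAC)."""
    user_id: str
    terminal_ip: str
    sensor_mac: str

    def canonical(self) -> bytes:
        return "|".join((self.user_id, self.terminal_ip, self.sensor_mac)).encode()


def challenge_response(challenge: str, sub: Submission) -> str:
    """Computed identically by the client and the authentication server:
    the challenge is the key, the submission information is the message."""
    return hmac.new(challenge.encode(), sub.canonical(), hashlib.sha256).hexdigest()


class AuthenticationServer:
    def __init__(self, references: Dict[str, bytes]) -> None:
        self.db = references                                  # database 226
        self.pending: Dict[str, Tuple[str, str]] = {}         # challenge -> (user, expected)
        self.history: List[Tuple[str, str, bool]] = []        # access history log

    def match(self, pattern: bytes, sub: Submission) -> Optional[str]:
        ref = self.db.get(sub.user_id)
        ok = ref is not None and hmac.compare_digest(ref, pattern)
        self.history.append((sub.user_id, sub.terminal_ip, ok))
        if not ok:
            return None
        challenge = secrets.token_hex(16)                     # one-time password
        self.pending[challenge] = (sub.user_id, challenge_response(challenge, sub))
        return challenge

    def confirm(self, challenge: str, response: str) -> Optional[str]:
        entry = self.pending.pop(challenge, None)             # single use: replay fails
        if entry is None:
            return None
        user_id, expected = entry
        return user_id if hmac.compare_digest(expected, response) else None


class ApplicationServer:
    """Cannot check the response itself; forwards it through its validation
    interface and relies on the authentication server's verdict."""
    def __init__(self, auth: AuthenticationServer) -> None:
        self.auth = auth

    def log_on(self, challenge: str, response: str) -> Optional[str]:
        return self.auth.confirm(challenge, response)


class ClientTerminal:
    def __init__(self, sub: Submission, captured: bytes) -> None:
        self.sub = sub
        self.captured = captured                # pattern extracted by security processor 114
        self.last: Optional[Tuple[str, str]] = None

    def log_in(self, auth: AuthenticationServer, app: ApplicationServer) -> Optional[str]:
        challenge = auth.match(self.captured, self.sub)
        if challenge is None:
            return None
        self.last = (challenge, challenge_response(challenge, self.sub))
        return app.log_on(*self.last)


def run_demo(captured: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Returns (result of first log-in, result of replaying the same response)."""
    auth = AuthenticationServer({"user-42": b"\x10\x20\x30\x40"})   # constructed reference
    app = ApplicationServer(auth)
    client = ClientTerminal(Submission("user-42", "192.0.2.10", "00:11:22:33:44:55"), captured)
    first = client.log_in(auth, app)
    replayed = app.log_on(*client.last) if client.last else None
    return first, replayed


if __name__ == "__main__":
    print(run_demo(b"\x10\x20\x30\x40"), run_demo(b"\x00\x00\x00\x00"))
```

Two properties of the exchange are worth noting. The response binds the challenge to the submission information, so the application server learns nothing it can reuse, but the fingerprint pattern itself still travels to the authentication server in the first leg and relies on the transport encryption the patent prescribes (HTTPS or a VPN). And since the expected response is stored server-side, the challenge must be consumed on first use, as here, or a captured response could be presented again.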

FIG. 6 shows an alternative authentication procedure in which all matching is performed on the ISO-compatible card of FIG. 4 by the security CPU 114, and no external authentication server 204 is used. The left-hand side of FIG. 6 shows the functions performed by the application server 202, and the right-hand side those performed by the ISO smart card 100.

When the smart card 100 is inserted into the card reader 208, a reset signal RST is sent from the reader to the ISO CPU (START block 502) and to the fingerprint CPU 114 (fingerprint verification block 504), and both components receive the supply voltage VCC from the reader 208. The ISO CPU then responds with an ATR (Answer-to-Reset) message and, if necessary, a PPS (Protocol and Parameters Selection) exchange (block 506). Meanwhile, the fingerprint CPU enters a wait state to receive fingerprint data and, when data arrives from the sensor 110, runs the authentication procedure (block 504).

When the initial request command is sent by the application 216 to the ISO CPU 112 (block 508), the ISO CPU queries the security CPU for the authentication status (block 510). If the answer is affirmative, the ISO CPU executes the requested command and responds to the application (block 512). Otherwise (whether the security CPU 114 returns an error or no response at all), it makes no response to the request command and instead waits for a fresh first request (block 508b).

Assuming that the fingerprint has been verified and that the first response is received in time and is recognized by the application 216 as a valid response (block 514), the request/response procedure continues (blocks 516, 518, 520) until a predetermined verification time limit is exceeded without a request being received from the application (block 522), or until the application fails to receive the expected response (block 524).

FIG. 7 is a flowchart similar to FIG. 6, but modified for the exemplary biometric authentication card of FIG. 5. The leftmost column of FIG. 7 shows the functions performed by the application server 202, the next column corresponds to the card reader 208, the next depicts the ISO contacts 108, the next shows the functions performed by the security CPU 114, and the rightmost column shows the functions performed by the unmodified ISO smart card 112.

· A reset signal 550 is sent from the card reader 208 to the security CPU 114 when the smart card is inserted into the reader or when the application software starts operating the reader device.

· Shortly after receiving the reset signal 550, the security CPU sends a corresponding reset signal 552 to the ISO CPU 112. At the same time, the security CPU waits for fingerprint data from the fingerprint sensor.

· On receiving the reset signal 552, the ISO CPU generates an ATR (Answer-to-Reset) response 554, followed if necessary by a PPS (Protocol and Parameters Selection) exchange.

· As soon as the security CPU 114 receives the ATR from the ISO CPU, it relays it, including any associated PPS commands, to the card reader (block 556).

· Meanwhile, if the security CPU receives fingerprint data, it runs the authentication procedure described above. If the authentication result is PASS, the pass state is maintained for a fixed period of time. If the result is FAIL, the security CPU 114 waits for new fingerprint data.

· The running application then sends a command request 558 to the security CPU. Only if the security CPU is still in the PASS state described above, or if the last correct response comprised multiple data byte groups, does the security CPU forward the command request 560 to the ISO CPU and relay the ISO CPU's correct response 562 to the reader (decision block 564).

· Otherwise (No branch 566), the fingerprint CPU generates a dummy request 568, which it sends to the ISO CPU, and sends the resulting ERR response 570 to the card reader 208, so that the sequence numbers in the requests and in the responses remain correctly synchronized.
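The gating just described, as an added example that is not code from the patent: the security CPU 114' of FIG. 7 sits between the reader and an unmodified ISO CPU, relays the ATR, forwards commands only while a timed PASS state holds, and otherwise consumes the ISO CPU's turn with a dummy request and answers the reader with an error so the two sides' sequence numbers stay aligned. The FIG. 6 variant differs only in that the ISO CPU itself asks the security CPU for the same PASS/FAIL status before executing a command, so the same check applies there. The ISO CPU model that echoes the command body with status 9000, the ISO 7816-4 status 6982 ("security status not satisfied") used for rejected commands, the 30-second PASS window on an injectable clock, the exact-bytes template comparison, and the omission of the "multiple data byte groups" continuation condition are all assumptions of this example.

```python
"""Added example (not the patent's code): security CPU as a transparent
firewall in front of an unmodified ISO CPU (FIG. 7), with the dummy-request
path that keeps request/response sequence numbers synchronized.

Assumptions not stated in the patent: ISO CPU echoes the command with
SW 9000; rejections use ISO 7816-4 SW 6982; 30 s PASS window on an
injectable clock; exact-bytes template match; the multi-byte-group
continuation condition is not modelled."""
from typing import Callable, Dict, List

SW_OK = bytes([0x90, 0x00])
SW_SECURITY_STATUS_NOT_SATISFIED = bytes([0x69, 0x82])
DUMMY_REQUEST = bytes(4)


class UnmodifiedIsoCpu:
    """Stand-in for ISO CPU 112': unaware that a firewall sits in front of it."""

    def __init__(self) -> None:
        self.sequence = 0
        self.seen: List[bytes] = []

    def reset(self) -> bytes:
        self.sequence = 0
        self.seen.clear()
        return b"ATR"

    def process(self, apdu: bytes) -> bytes:
        self.sequence += 1            # every request, real or dummy, advances it
        self.seen.append(apdu)
        return apdu + SW_OK


class SecurityCpu:
    def __init__(self, iso: UnmodifiedIsoCpu, reference: bytes,
                 clock: Callable[[], float], pass_window: float = 30.0) -> None:
        self.iso = iso
        self.reference = reference    # enrolled template held on the card
        self.clock = clock
        self.pass_window = pass_window
        self.pass_until = float("-inf")
        self.sequence = 0

    def reset(self) -> bytes:
        self.pass_until = float("-inf")
        self.sequence = 0
        return self.iso.reset()       # ATR relayed unchanged to the reader (556)

    def fingerprint(self, captured: bytes) -> str:
        if captured == self.reference:
            self.pass_until = self.clock() + self.pass_window
            return "PASS"
        return "FAIL"                 # keep waiting for new data

    def in_pass_state(self) -> bool:
        return self.clock() < self.pass_until

    def command(self, apdu: bytes) -> bytes:
        self.sequence += 1
        if self.in_pass_state():
            return self.iso.process(apdu)                      # 560 -> 562
        # Not authenticated: consume the ISO CPU's turn with a dummy request
        # (568) so its numbering stays in step, and answer the reader ERR
        # (570) without exposing the real response.
        self.iso.process(DUMMY_REQUEST)
        return SW_SECURITY_STATUS_NOT_SATISFIED


class FakeClock:
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_session() -> Dict[str, object]:
    clock = FakeClock()
    iso = UnmodifiedIsoCpu()
    sec = SecurityCpu(iso, reference=b"\xAA\xBB", clock=clock)
    atr = sec.reset()
    r1 = sec.command(b"\x00\xA4\x04\x00")   # before any fingerprint: rejected
    sec.fingerprint(b"\x00\x00")             # FAIL
    r2 = sec.command(b"\x00\xA4\x04\x00")   # still rejected
    sec.fingerprint(b"\xAA\xBB")             # PASS, window opens
    r3 = sec.command(b"\x00\xB0\x00\x00")   # forwarded
    clock.advance(31)                        # window expired
    r4 = sec.command(b"\x00\xB0\x00\x00")   # rejected again
    return {"atr": atr, "responses": [r1, r2, r3, r4],
            "iso_seq": iso.sequence, "sec_seq": sec.sequence,
            "dummies": iso.seen.count(DUMMY_REQUEST)}


if __name__ == "__main__":
    print(run_session())
```

The check worth keeping in mind is the last line of the session: after four reader commands the ISO CPU has also seen four requests, three of them dummies, which is what lets the reader's next real command land on the sequence number the unmodified card expects.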

Encryption and Confidentiality

Before transmission over any external network, any sensitive data and/or authentication results are preferably encrypted, for example with DES or Twofish. The encryption key may be based on the captured or stored fingerprint data, the user ID code, the sensor's uniquely assigned code, a memory address, neighboring data in memory, other functionally related data, a previous session (transaction), the IP address, a terminal code, or an assigned password. Alternatively, sensitive data may be sent over the Internet using the secure HTTPS protocol.

For still stronger security, a virtual private gateway, for example hardware DES encryption and decryption, may be inserted between the secure fingerprint authentication server and its network connection, and between the corresponding application server and its network connection. Using such virtual gateways, or virtual private networks ("VPNs"), sensitive data is additionally protected by further layers of encryption, for example DES 128 (commonly used for VPNs) and RSA (used by HTTPS).

For particularly secure applications, all communications may be wrapped in additional layers of secrecy. In particular, the headers of lower layers may be encrypted within higher layers.

Wireless Communication

Other embodiments may include a dual interface for both contact (ISO 7816) and contactless (ISO 14443 A or B) operation and, preferably, a multi-interface power supply unit that allows interoperation between ISO 7816 contact, ISO 14443 A, ISO 14443 B, ISO 15693, and HID legacy wireless systems (among others), all on one card. Optionally, the card may include provision for other wireless communication technologies, such as Bluetooth (short range), cellular (medium range), or microwave (long range).

Referring next to FIG. 8, a smart card with on-card biometric authentication is shown that can be connected to a local terminal either wirelessly or by means of electrical contacts. Most of its structure and construction is similar to the embodiment of FIG. 1 described above, and like reference numerals (possibly distinguished by a prime) designate like elements. In particular, the ISO CPU 112, although shown in a different position (below the contacts 108 rather than to one side), has the same functions as previously described.

The ISO antenna 132 consists of two loop antennas, usually placed around the periphery of the card 100, and provides the ISO CPU 112 with an ISO-compatible wireless interface carrying data and power similar to those supplied by the wired electrical interface 108. In addition, a security antenna 134 (in the example shown, located inside antenna 132 and consisting of a single loop) supplies independent power to the security CPU 114 through the DC-DC power regulator 120. Because there is no direct path for wireless data other than through the ISO CPU 112, the sensitive data stored in the security CPU 114 cannot be compromised through the wireless interface. Alternatively, as described above for the embodiments with only a wired connection to the external reader and external network, the functions of the two processors may be combined, or the external interface may pass through the security CPU 114 rather than the ISO CPU 112, in which case appropriate wireless security measures must be built into that variant.

FIG. 9 is a cross-section of the card shown in FIG. 8. Note that most of the components described are contained in the core layer 126, and only the contacts 108 extend through the upper protective layer 122. The active surface of the sensor 110 is accessible through an upper window in the upper layer 122 and a lower window in a PCB (printed circuit board) 134 that is arranged between the upper layer 122 and the core layer 126 and provides the necessary electrical connections between the various electronic components, together with an electrostatic discharge ground connection surrounding the active area of the sensor 110.

The lower layer 124 and the magnetic stripe 128 remain visible.

Fingerprint sensor

FIG. 10 is an exemplary schematic circuit diagram of the sensor 110, in which an array 400 of sensor cells 402 is arranged in rows 404 and columns 406. As described above, each cell 402 includes an activation gate 410 and a transducer 412. A fingerprint is formed by the ridges and valleys of the skin on the finger. When one of these ridges touches the vicinity of a cell 402 in the array 400, the transducer 412 of each sensor cell undergoes a mechanical and/or electrical change, which in effect produces a digital image of the fingerprint based on the micro-pressure variations that the ridges and valleys of the fingertip cause on the sensor surface. Note that although each transducer 412 is depicted as a single variable capacitor, various types of transducer can respond to the presence of one of these ridges of human skin. In the particular example of a piezoelectric thin-film pressure transducer, the film deforms in the vicinity of the cell and generates a charge that is stored in a capacitor connected to that cell. The voltage on the capacitor is a function of the mechanical stress created by the deformation of the piezoelectric material, which in turn is a function of whether a ridge or a valley lies over the cell. When the signal from the associated column driver 414 turns the gate 410 of the cell ON and the associated row driver 416 is grounded, a voltage appears on the output line 418 of that row and is converted in the output driver 420 into an 8-bit digital signal. To maximise detection of the deformation of the piezoelectric material, the piezoelectric material may be formed on an elastic material such as polyimide, or may itself be a polyimide piezoelectric material. Other exemplary analog transducer technologies that can be implemented with a similar array organisation include variable resistors and variable capacitors. Alternatively, each cell may comprise a simple digital switch that provides only a single bit of information; in that case, additional bits of information can be obtained by providing several cells over the same area or by sampling each cell at a higher frequency. This alternative embodiment avoids the need for an A/D converter.

In a typical embodiment, the sensor is only 0.33 mm thick and is robust enough to be embedded in a smart card without being affected by static electricity, the elements, or the condition of the user's skin (wet, dry, hot, cold). The device cell size of the sensor 110 is typically 25 to 70 microns, with a typical pitch of 25 to 70 microns. A typical sensor has an area of 12.5 mm² to 25 mm² and 8-bit multi-level sensitivity. The sensor may be made of an array of TFTs (thin-film transistors) and pressure-sensitive capacitors, formed for example from a thin-film piezoelectric material such as barium titanium oxide or barium strontium oxide, and includes an upper electrode that covers and protects the entire sensing area. When mechanical stress is applied, a corresponding charge is generated and stored in the thin-film piezoelectric capacitor. Alternatively, the pressure-based sensor may be fabricated as an array of TFTs (thin-film transistors) together with thin-film capacitors and pressure-sensitive capacitors, formed for example from a sheet of pressure-conductive material such as a carbon-fibre-dispersed rubber sheet, metal (such as copper, tin or silver), plated carbon fibre, or paper-based glass fibre or metal, a dispersed elastic material (such as silicone), and an upper electrode sheet covering the entire sensing area.

The row and column drivers 416, 414 assigned to a fingerprint sensor element 402 output electrical data to the output circuit 420, thereby converting the physical input representing the user's fingerprint into analog electrical data. An A/D converter in the output circuit 420 then converts the analog electrical signal into a digital electrical signal. Each thin-film transistor selectively switches the shared inter-row interconnect to the voltage on its associated capacitor, so that the voltage on each capacitor can be read and hence the deformation of each cell measured. Preferably, an entire column of thin-film transistors is switched at once, so that several cells (for example 8) in a selected column can be read in parallel over different inter-row interconnects. Sharing the gates of many cells over the row and column interconnects reduces the number of interconnects, while reading several cells from different rows of the same column in parallel reduces the read time for the whole array. The output voltage from the sensor may be amplified by a differential amplifier, and the amplifier output sampled and held for the A/D converter.

The substrate may be glass (for example non-alkaline glass), stainless steel, aluminium, ceramic (for example alumina), paper or glass-fibre-reinforced plastic, but is preferably a thin sheet of crystalline silicon. The thin-film semiconductor material may be amorphous silicon, polycrystalline silicon, diamond or any other semiconductor thin film. The piezoelectric material may be a piezoelectric ceramic such as a lead-zirconate-titanate (PZT) thin film, preferably 0.1 to 50.0 microns thick, or a polymer piezoelectric polyimide film material. The interconnect material may be titanium/nickel/copper, aluminium, chromium/nickel/gold, titanium/nickel/gold, aluminium/gold, tungsten/copper or tungsten/gold.

FIG. 11 shows a carrier assembly for a sensor formed on a thin sheet of crystalline silicon. Crystalline silicon has excellent electrical properties and makes it easy to integrate the sensor array with the required drive and output circuitry; however, a relatively large, thin silicon sheet will bend and break when subjected to localised surface pressure. The illustrated carrier provides a sturdier structure than a silicon sheet of the same overall thickness.

As shown, the single silicon chip 430 is approximately 0.1 mm thick and is surrounded by a glass-fibre-reinforced plastic frame 432 of the same thickness, which is mounted on a backing plate 434, also of glass-fibre construction and approximately 0.05 mm thick. The frame 432 and backing plate 434 can readily be constructed using conventional printed circuit board (PCB) techniques. In particular, the upper and lower surfaces of the backing plate 434 are covered by thin copper layers 436 separated by the glass-fibre core. The frame 432 includes a number of pads 440 on its outer edge for connection to the security processor 114. The thin silicon chip 430 is bonded to the frame 432 and plate 434 with epoxy, and the active area is electrically connected to the respective circuits in the frame 432 by conventional wire bonds 442 on the exposed outer edge portion 444 of the silicon 430 surrounding the protected upper electrode 446.

Matching algorithm

For local on-card processing, where processing power is limited and only a simple 1:1 match against a single reference sample is attempted, the fingerprint matching software can be based on a relatively simple comparison of the minutiae of the two patterns. For example, the greyscale image of the fingerprint can be reduced to two values, white and black, and the three-dimensional ridges converted into two-dimensional thin lines (vectors). The accuracy of this method therefore suffers from blurring, smudging, distortion, missing line segments and similar problems. Although the minutiae method is theoretically less accurate, it requires fewer computing resources and offers the possibility of compatibility with many existing databases.

For processing on a remote authentication server with greater processing power, a more accurate method may be required, such as the "POC" (Phase Only Correlation) matching algorithm. POC is a verification algorithm based on macro-matching of the whole image. In contrast to the minutiae method, POC matches a wide range of structural information, from fine detail to the overall image. POC can therefore offer improved accuracy in the presence of noise such as smudging and partially missing data. In theory the POC method is not adversely affected by positional shifts or brightness differences, and it is fast (about 0.1 second for offline matching) and highly accurate. For example, POC software may use a two-dimensional fast Fourier transform ("2DFFT") to perform a spatial-frequency comparison of two fingerprint patterns. The 2DFFT converts the array of digitised data representing the physical two-dimensional distribution of the fingerprint into frequency space; in other words, it transforms the spatial distribution into its inverse, where denser patterns have higher spatial frequencies. A rotational transform can be used to align the patterns for matching in frequency space. POC pattern matching has further advantages over minutiae vector matching because it is not misled by common defects in the recorded fingerprint pattern: POC treats such defects as noise, whereas minutiae analysis interprets them as meaningful data.

For particularly demanding applications, a hybrid approach will provide greater accuracy and security than any single method alone. For example, the minutiae method can be used at the point of acquisition while the POC method is used on the remote server. As another example, the matching program can analyse both minutiae and spatial relationships to produce a score that takes the combination of both results into account.
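To make the contrast between the two approaches concrete, here is an added Python example (not the patent's own software, and written without third-party libraries so it runs anywhere): a binarised cell-by-cell comparison stands in for the simple on-card method, and a phase-only correlation built on a naive 2-D DFT stands in for POC, both applied to a constructed 16x16 ridge pattern. The `verify` function at the end applies the threshold rule of claim 1: a verification message is produced only when the score clears the threshold, and nothing is released otherwise. The ridge pattern, the image size, the threshold value and the guard on empty spectral bins are all assumptions of this example.

```python
import cmath
import math

N = 16  # constructed image size (a real sensor array is far larger)


def make_ridge_image(shift_x=0, shift_y=0):
    """Constructed binary ridge/valley pattern (1 = ridge, 0 = valley),
    optionally circularly shifted to mimic a finger placed off-centre."""
    img = [[0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            sx, sy = (x - shift_x) % N, (y - shift_y) % N
            img[x][y] = 1 if (3 * sx + 7 * sy + sx * sy) % 5 < 2 else 0
    return img


def binarised_score(a, b):
    """Cheap on-card style check: fraction of black/white cells that agree.
    A shifted finger lowers the score even though the print is the same."""
    agree = sum(a[x][y] == b[x][y] for x in range(N) for y in range(N))
    return agree / (N * N)


def _dft1(vec, sign):
    """Naive 1-D DFT; sign=-1 forward, sign=+1 inverse (unnormalised)."""
    n = len(vec)
    return [sum(vec[k] * cmath.exp(sign * 2j * math.pi * u * k / n)
                for k in range(n)) for u in range(n)]


def dft2(img, inverse=False):
    """Separable 2-D DFT (rows, then columns). The inverse applies 1/N^2."""
    sign = 1 if inverse else -1
    rows = [_dft1(row, sign) for row in img]                                # rows[x][v]
    cols = [_dft1([rows[x][v] for x in range(N)], sign) for v in range(N)]  # cols[v][u]
    out = [[cols[v][u] for v in range(N)] for u in range(N)]                # out[u][v]
    if inverse:
        out = [[c / (N * N) for c in row] for row in out]
    return out


def poc(captured, reference):
    """Phase-only correlation: keep only the phase difference between the two
    spectra. Brightness differences drop out, and a pure shift of the same
    pattern becomes one sharp peak at the displacement. Returns (peak, (dx, dy))."""
    fc, fr = dft2(captured), dft2(reference)
    cross = [[0j] * N for _ in range(N)]
    for u in range(N):
        for v in range(N):
            p = fc[u][v] * fr[u][v].conjugate()
            mag = abs(p)
            # A bin with no energy in either image carries no phase information
            # (the 1e-9 guard is an assumption of this example).
            cross[u][v] = p / mag if mag > 1e-9 else 0j
    corr = dft2(cross, inverse=True)
    peak, where = max((corr[x][y].real, (x, y))
                      for x in range(N) for y in range(N))
    return peak, where


def verify(captured, reference, threshold=0.8):
    """Card-side decision from claim 1: a verification message exists only when
    the match clears the threshold; otherwise nothing is released."""
    score, displacement = poc(captured, reference)
    if score < threshold:
        return None
    return {"verified": True, "score": round(score, 3), "displacement": displacement}
```

A copy of the pattern shifted by (2, 3) cells scores close to 1.0 under POC, with the displacement reported alongside, while the same shift drags the binarised score well below that of an exact copy. A flat image (no finger on the sensor) yields a peak of about 1/N² because only the DC bin carries any phase. The naive DFT costs O(N³) per transform and is there only for illustration; a real implementation would use an FFT, as the description suggests.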

Applications

The technology described above provides a high level of security for a wide variety of applications, both commercial and governmental. Depending on the requirements of the various applications, several security applications can coexist and operate on the same card and/or the same authentication server. In one embodiment, a single card can hold up to 24 independent and secure applications. For example, the technology can grant or deny access (physical and/or logical), identify the precise location and/or movements of personnel and/or screen against watch lists, while simultaneously running other security applications, each completely and securely isolated from the others.

Currently anticipated applications include the following:

· Airport ID/pass

· Building security

· Hotel room access and billing

· Hospitals

· Online gaming

· Entertainment downloads

· Birth certificate

· Computer access

· Driver's licence - TWIC

· Electronic wallet

· Emergency medical information

· Explosives licence

· Access to government and military facilities

· HAZMAT (hazardous materials) permit

· Health insurance and benefits card

· Parking-lot entry

· Passport

· Pilot's licence

· Port ID/pass

· Proof of insurance

· Social security card

· Travel credit card

· Visa or entry/exit pass

· Voter registration card

· Welfare and food stamp card

For many of these applications, the card's on-board memory preferably also provides secure storage for a variety of private information, which can be accessed only after the registered cardholder has proven his or her identity and authorised that access. Examples of such private information are:

· Administrative information, such as name, address, date of birth, place of birth, nationality, religion, organisational affiliations, social security number, driver's licence number, passport number, and immigration information such as visa type, visa term, nationality, etc.

· Financial information, such as an electronic wallet; credit card information for VISA, MasterCard, American Express and the like; bank information such as bank name, account balance and transfer details; IRS (Internal Revenue Service) number; bankruptcy record; transfer information, etc.

· Physical and health information, such as biometric identifiers (height, weight, fingerprints, iris, retina, hand dimensions, bone structure, voice, DNA); blood type; medical test results; medical history; medications; insurance information; psychological and physiological responses to certain stimuli, etc.

· Event information, such as criminal record, felonies, misdemeanours, offences.

· Emergency information, such as burial plot, next of kin and other contact information, attorney information, religious information.

· Education and work history, including schools, degrees, and companies worked for in connection with FDD.

· Data access history (the card keeps a history of accesses to data entering and leaving the card).

· ID-related information, such as fingerprint patterns, processed fingerprint patterns, and fingerprint pattern results.

· Passwords, such as permanent, temporary and/or one-time passwords.

· Encryption keys, such as public keys, private keys and/or one-time keys.

An exemplary card enrolment system is described next.

Applicant: completes an application form and submits it, preferably with a photograph and fingerprints. For most applicants, examining the supporting documents and simply checking the submitted information against one or more government and commercial databases is sufficient to establish the individual's true identity.

Once the applicant's identity has been established, the applicant proceeds to an issuing station, where the issuer loads whatever information it deems necessary onto the card. The applicant places a finger on the sensor on the card. Once the fingerprint has been satisfactorily placed on the sensor and loaded into the card, a tab protruding from the card is subjected to an electrical pulse that blows certain fuses, preventing anyone from ever writing to that particular area of the card again. The small tab is then cut off (like a card with an umbilical cord). From that point on, the card can be read or written only through an ISO contact card reader or an ISO wireless system.

Where a network authentication server is used, some or all of the same data loaded onto the card is also transmitted in encrypted form to the remote server, where it can be supplemented with additional data that is not normally stored on the card but may be required for high-security applications.

Claims (28)

1. A smart identification card, comprising: an on-card memory for storing reference data; an on-card sensor for capturing live biometric data; an on-card microprocessor for comparing the captured biometric data with the corresponding stored reference data within a predetermined threshold and generating a verification message only when there is a match within the predetermined threshold; and means for sending said verification message to an external network.

2. The identification card of claim 1, wherein the verification message includes at least an excerpt from the stored reference data.

3. The identification card of claim 2, wherein the verification message includes at least an excerpt from the captured biometric data.

4. The identification card of claim 3, wherein the verification message is transmitted to a remote authentication system for additional verification.

5. The identification card of claim 4, wherein the remote authentication system includes remotely stored reference data different from the locally stored reference data.

6. The identification card of claim 4, wherein the on-card microprocessor uses a matching algorithm different from that of the remote authentication system.

7. The identification card of claim 2, wherein the entire matching procedure is performed by the on-card processor and no captured biometric data is sent to the network.

8. The identification card of claim 2, wherein the raw captured biometric data and any other "private" information stored in the on-card memory are unavailable to any external program.

9. The identification card of claim 2, wherein the card is an ISO-compatible smart card.

10. The identification card of claim 9, further comprising an ISO smart card processor.

11. The identification card of claim 10, wherein the security processor for storing and processing the protected biometric data is functionally isolated from the ISO smart card processor by a firewall.

12. The identification card of claim 10, wherein all external data to and from the security processor passes through the ISO smart card processor.

13. The identification card of claim 10, wherein all external data to and from the ISO smart card processor passes through the security processor.

14. The identification card of claim 10, wherein the security processor has a first connection for loading data during a loading procedure and a second connection to an external network.

15. The identification card of claim 14, wherein the first connection is permanently disabled after the loading procedure is complete.

16. The identification card of claim 10, wherein the security processor for storing and processing the protected biometric data is functionally isolated from the ISO smart card processor by a firewall.

17. The identification card of claim 10, wherein: the card includes an upper magnetic stripe region and a lower embossed region; the biometric sensor is a fingerprint sensor; and the security processor, the ISO smart card processor and the fingerprint sensor are all located in an intermediate region between the upper magnetic stripe region and the lower embossed region.

18. The identification card of claim 2, wherein the biometric data comprises fingerprint data and the sensor is a fingerprint sensor for acquiring data from a user's finger placed on the sensor.

19. The identification card of claim 18, wherein real-time feedback is provided while the user places his finger over the fingerprint sensor, thereby assisting optimal placement of the finger over the sensor.

20. The identification card of claim 18, wherein the matching procedure employs a hybrid matching algorithm that takes into account both minutiae and overall spatial relationships in the captured biometric data.

21. The identification card of claim 18, wherein the fingerprint sensor comprises a crystalline silicon chip supported by a backing plate.

22. The identification card of claim 21, wherein the backing plate comprises a glass-epoxy layer sandwiched between two metal layers.

23. The identification card of claim 18, wherein the backing plate is reinforced by a carrier frame surrounding the silicon chip.

24. The identification card of claim 1, wherein the card further comprises means for restricting use of the card to predetermined locations.

25. The identification card of claim 1, wherein at least a portion of the captured biometric data and the reference data are transmitted to a separate authentication server for secure verification of the user's identity before any authorised online access to an application server that processes secure financial transactions involving that user.

26. The identification card of claim 25, wherein, in response to a match request relating to a particular login attempt on a particular application server that produces a positive match on the authentication server, a secure three-way authentication protocol is performed in which a challenge character sequence is sent from the authentication server to the identification card, the identification card then generates a challenge response using the challenge character sequence and the match request and sends it to the application server, the application server then sends the challenge response to the authentication server, and the authentication server then confirms whether the challenge response is valid.

27. The identification card of claim 1, wherein the output of the card is used to obtain physical access to a secure area.

28. The identification card of claim 27, wherein records of both successful and unsuccessful access attempts are kept on the card.
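The three-way protocol of claim 26, together with the write-once loading connection of claims 14 and 15 and the fuse-blowing step of the enrolment description, as an added Python illustration (not the patent's code). It assumes a per-card secret shared between card and authentication server at enrolment, HMAC-SHA256 as the response function, a random hex token as the challenge, and that the application server relays the challenge from the authentication server to the card; the page fixes none of these details.

```python
import hashlib
import hmac
import secrets


def _response(key, challenge, match_request):
    """Challenge response over the challenge and the match request.
    HMAC-SHA256 is an assumption of this example, not the page's choice."""
    msg = challenge.encode() + b"|" + match_request.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentificationCard:
    """Card side: loading is permitted only until the card is sealed (the blown
    fuses of the enrolment step), and no response is computed unless the
    on-card fingerprint match has succeeded."""

    def __init__(self, card_id):
        self.card_id = card_id
        self._key = None              # per-card secret loaded at enrolment (assumed)
        self._sealed = False
        self._fingerprint_verified = False

    def load(self, key):
        """First connection of claim 14: usable only during the loading procedure."""
        if self._sealed:
            raise PermissionError("loading connection permanently disabled")
        self._key = key

    def seal(self):
        """Claim 15: the loading connection is disabled for good."""
        self._sealed = True

    def local_match(self, captured_matches_reference):
        # Stand-in for the on-card comparison of captured and stored fingerprints.
        self._fingerprint_verified = captured_matches_reference

    def answer(self, challenge, match_request):
        """Protocol step 2: a response exists only after a positive local match."""
        if not self._fingerprint_verified or self._key is None:
            return None
        return _response(self._key, challenge, match_request)


class AuthenticationServer:
    def __init__(self):
        self._card_keys = {}   # card_id -> shared secret
        self._pending = {}     # outstanding challenge -> (card_id, match_request)

    def enrol(self, card_id, key):
        self._card_keys[card_id] = key

    def issue_challenge(self, card_id, match_request):
        """Step 1: a match request for a login attempt yields a fresh random challenge."""
        if card_id not in self._card_keys:
            raise KeyError("unknown card")
        challenge = secrets.token_hex(16)
        self._pending[challenge] = (card_id, match_request)
        return challenge

    def confirm(self, challenge, response):
        """Step 4: validate the relayed response. The challenge is consumed on
        first use, so a captured response cannot be replayed later."""
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return False
        card_id, match_request = entry
        expected = _response(self._card_keys[card_id], challenge, match_request)
        return hmac.compare_digest(expected, response)


class ApplicationServer:
    """The server the user logs in to; it only relays and never holds the key."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def login(self, card, match_request):
        challenge = self._auth.issue_challenge(card.card_id, match_request)  # step 1
        response = card.answer(challenge, match_request)                     # step 2
        if response is None:
            return False
        return self._auth.confirm(challenge, response)                       # steps 3 and 4
```

Binding the match request (which names the application server and the login attempt) into the response is what stops a response obtained for one server from being presented to another, and consuming each challenge on first use is what stops a recorded response from being replayed.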

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US40971602P 2002-09-10 2002-09-10
US60/409,716 2002-09-10
US60/409,715 2002-09-10
US60/429,919 2002-11-27
US60/433,254 2002-12-13
US60/484,692 2003-07-03

Publications (2)

Publication Number Publication Date
CN1695163A true CN1695163A (en) 2005-11-09
CN100437635C CN100437635C (en) 2008-11-26

Family

ID=35353502

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB038250098A Expired - Fee Related CN100437635C (en) 2002-09-10 2003-09-10 Secure Biometric Authentication

Country Status (10)

Country Link
CN (1) CN100437635C (en)
AR (1) AR041226A1 (en)
LT (1) LT5344B (en)
MY (1) MY161401A (en)
PA (1) PA8581901A1 (en)
PE (1) PE20040351A1 (en)
TN (1) TNSN05068A1 (en)
TW (1) TWI366795B (en)
UY (1) UY27970A1 (en)
ZA (1) ZA200502663B (en)

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MD4012B2 (en) * 2002-09-10 2010-01-31 Ivi Smart Technologies, Inc Identification card
CN101626296B (en) * 2009-05-27 2012-04-18 飞天诚信科技股份有限公司 Method for improving input information security and biological information acquisition equipment
CN101616416B (en) * 2009-07-24 2012-08-29 中兴通讯股份有限公司 Method and equipment for authenticating smart card of communication terminal
CN102831335A (en) * 2011-06-16 2012-12-19 中国科学院数据与通信保护研究教育中心 Safety protecting method and safety protecting system of Windows operating system
CN103733230A (en) * 2011-08-02 2014-04-16 康宁股份有限公司 Biometric-enabled smart card
CN103930893A (en) * 2012-07-13 2014-07-16 Befs有限公司 Portable storage device using fingerprint recognition and method for controlling same
CN103955733A (en) * 2014-04-22 2014-07-30 中国工商银行股份有限公司 Electronic identity card chip card, card reader and electronic identity card verification system and method
CN105069436A (en) * 2015-08-14 2015-11-18 广东欧珀移动通信有限公司 Control method and system based on fingerprint identification, fingerprint identification module
GB2529214A (en) * 2014-08-14 2016-02-17 Soloprotect Ltd An identity card holder and system
CN105493103A (en) * 2013-09-26 2016-04-13 英特尔公司 Biometric sensors for personal devices
CN106663216A (en) * 2014-07-29 2017-05-10 联邦印刷有限公司 Document with sensor means
CN106682477A (en) * 2017-01-18 2017-05-17 西京学院 Authentication method based on human body solid characteristics
CN107066862A (en) * 2007-09-24 2017-08-18 苹果公司 Embedded authentication systems in electronic equipment
US9819676B2 (en) 2012-06-29 2017-11-14 Apple Inc. Biometric capture for unauthorized user identification
US9832189B2 (en) 2012-06-29 2017-11-28 Apple Inc. Automatic association of authentication credentials with biometrics
US9959539B2 (en) 2012-06-29 2018-05-01 Apple Inc. Continual authorization for secured functions
CN108701246A (en) * 2016-03-02 2018-10-23 维普公司 Fingerprint can authorization device
US10212158B2 (en) 2012-06-29 2019-02-19 Apple Inc. Automatic association of authentication credentials with biometrics
US10331866B2 (en) 2013-09-06 2019-06-25 Apple Inc. User verification for changing a setting of an electronic device
CN110582770A (en) * 2017-09-06 2019-12-17 谷歌有限责任公司 Environmental Condition Verification and User Authentication in Safety Coprocessors
CN110692056A (en) * 2017-05-30 2020-01-14 维普公司 Smart card and method for controlling a smart card
US10735412B2 (en) 2014-01-31 2020-08-04 Apple Inc. Use of a biometric image for authorization
CN113378630A (en) * 2015-02-04 2021-09-10 艾瑞迪尔通信有限公司 Local user authentication using neuro and neuro-mechanical fingerprints
CN113632103A (en) * 2019-04-01 2021-11-09 安富莱控股私人有限公司 Improved card with fingerprint biological identification technology
CN115661991A (en) * 2021-09-26 2023-01-31 青岛亿联信息科技股份有限公司 Face recognition passing linkage gateway system
US11619991B2 (en) 2018-09-28 2023-04-04 Apple Inc. Device control using gaze information
US11676373B2 (en) 2008-01-03 2023-06-13 Apple Inc. Personal computing device control using face detection and recognition
US11676188B2 (en) 2013-09-09 2023-06-13 Apple Inc. Methods of authenticating a user
US11755712B2 (en) 2011-09-29 2023-09-12 Apple Inc. Authentication with secondary approver
US11765163B2 (en) 2017-09-09 2023-09-19 Apple Inc. Implementation of biometric authentication
US11768575B2 (en) 2013-09-09 2023-09-26 Apple Inc. Device, method, and graphical user interface for manipulating user interfaces based on unlock inputs
US11809784B2 (en) 2018-09-28 2023-11-07 Apple Inc. Audio assisted enrollment
US11836725B2 (en) 2014-05-29 2023-12-05 Apple Inc. User interface for payments
US11928200B2 (en) 2018-06-03 2024-03-12 Apple Inc. Implementation of biometric authentication
US12079458B2 (en) 2016-09-23 2024-09-03 Apple Inc. Image data for enhanced user interactions
US12099586B2 (en) 2021-01-25 2024-09-24 Apple Inc. Implementation of biometric authentication
US12216754B2 (en) 2021-05-10 2025-02-04 Apple Inc. User interfaces for authenticating to perform secure operations
US12262111B2 (en) 2011-06-05 2025-03-25 Apple Inc. Device, method, and graphical user interface for accessing an application in a locked device
US12462005B2 (en) 2017-09-09 2025-11-04 Apple Inc. Implementation of biometric authentication

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9400914B2 (en) 2014-10-24 2016-07-26 Egis Technology Inc. Method and electronic device for generating fingerprint enrollment data
JP6753713B2 (en) 2016-07-15 2020-09-09 株式会社東芝 IC module, IC card, and collation device
ZA201802775B (en) * 2018-01-22 2019-01-30 Ratshephe Wright Makhene Ezekiel A card and identity verification system

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6029868A (en) 1983-07-29 1985-02-15 Toshiba Corp Individual identification system
GB2244164A (en) * 1990-05-18 1991-11-20 Philips Electronic Associated Fingerprint sensing
US5907627A (en) * 1995-11-06 1999-05-25 Dew Engineering And Development Limited Contact imaging device
US5995630A (en) * 1996-03-07 1999-11-30 Dew Engineering And Development Limited Biometric input with encryption
US5978495A (en) * 1996-07-17 1999-11-02 Intelnet Inc. Method and apparatus for accurate determination of the identity of human beings
DE29821644U1 (en) * 1998-12-04 1999-02-18 Stocko Metallwarenfab Henkels Authentication system for PC cards
AU729157B1 (en) * 1999-08-02 2001-01-25 Ming-Shiang Shen Integrated circuit card with fingerprint verification capability
US6325285B1 (en) * 1999-11-12 2001-12-04 At&T Corp. Smart card with integrated fingerprint reader
GB0009609D0 (en) * 2000-04-18 2000-06-07 Glaxo Group Ltd Therapeutic compositions
AU2001283400A1 (en) * 2000-08-17 2002-02-25 Authentec, Inc. Integrated circuit package including opening exposing portion of an ic

Cited By (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MD4012B2 (en) * 2002-09-10 2010-01-31 Ivi Smart Technologies, Inc Identification card
CN107066862A (en) * 2007-09-24 2017-08-18 苹果公司 Embedded authentication systems in electronic equipment
US11676373B2 (en) 2008-01-03 2023-06-13 Apple Inc. Personal computing device control using face detection and recognition
US12406490B2 (en) 2008-01-03 2025-09-02 Apple Inc. Personal computing device control using face detection and recognition
CN101626296B (en) * 2009-05-27 2012-04-18 飞天诚信科技股份有限公司 Method for improving input information security and biological information acquisition equipment
CN101616416B (en) * 2009-07-24 2012-08-29 中兴通讯股份有限公司 Method and equipment for authenticating smart card of communication terminal
US12262111B2 (en) 2011-06-05 2025-03-25 Apple Inc. Device, method, and graphical user interface for accessing an application in a locked device
CN102831335A (en) * 2011-06-16 2012-12-19 中国科学院数据与通信保护研究教育中心 Safety protecting method and safety protecting system of Windows operating system
CN102831335B (en) * 2011-06-16 2015-08-05 中国科学院数据与通信保护研究教育中心 Security protection method and system for the Windows operating system
CN103733230B (en) * 2011-08-02 2016-10-26 康宁股份有限公司 Biometric-enabled smart card
CN103733230A (en) * 2011-08-02 2014-04-16 康宁股份有限公司 Biometric-enabled smart card
US11755712B2 (en) 2011-09-29 2023-09-12 Apple Inc. Authentication with secondary approver
US9832189B2 (en) 2012-06-29 2017-11-28 Apple Inc. Automatic association of authentication credentials with biometrics
US9819676B2 (en) 2012-06-29 2017-11-14 Apple Inc. Biometric capture for unauthorized user identification
US9959539B2 (en) 2012-06-29 2018-05-01 Apple Inc. Continual authorization for secured functions
US10212158B2 (en) 2012-06-29 2019-02-19 Apple Inc. Automatic association of authentication credentials with biometrics
CN103930893A (en) * 2012-07-13 2014-07-16 Befs有限公司 Portable storage device using fingerprint recognition and method for controlling same
US10331866B2 (en) 2013-09-06 2019-06-25 Apple Inc. User verification for changing a setting of an electronic device
US11768575B2 (en) 2013-09-09 2023-09-26 Apple Inc. Device, method, and graphical user interface for manipulating user interfaces based on unlock inputs
US12314527B2 (en) 2013-09-09 2025-05-27 Apple Inc. Device, method, and graphical user interface for manipulating user interfaces based on unlock inputs
US11676188B2 (en) 2013-09-09 2023-06-13 Apple Inc. Methods of authenticating a user
CN105493103A (en) * 2013-09-26 2016-04-13 英特尔公司 Biometric sensors for personal devices
US10735412B2 (en) 2014-01-31 2020-08-04 Apple Inc. Use of a biometric image for authorization
CN103955733B (en) * 2014-04-22 2017-02-15 中国工商银行股份有限公司 Electronic identity card chip card, card reader and electronic identity card verification system and method
CN103955733A (en) * 2014-04-22 2014-07-30 中国工商银行股份有限公司 Electronic identity card chip card, card reader and electronic identity card verification system and method
US11836725B2 (en) 2014-05-29 2023-12-05 Apple Inc. User interface for payments
CN106663216A (en) * 2014-07-29 2017-05-10 联邦印刷有限公司 Document with sensor means
US10515299B2 (en) 2014-07-29 2019-12-24 Bundesdruckerei Gmbh Document with sensor means
GB2529214B (en) * 2014-08-14 2016-10-19 Soloprotect Ltd An identity card holder and system
GB2529214A (en) * 2014-08-14 2016-02-17 Soloprotect Ltd An identity card holder and system
CN113378630A (en) * 2015-02-04 2021-09-10 艾瑞迪尔通信有限公司 Local user authentication using neuro and neuro-mechanical fingerprints
CN105069436A (en) * 2015-08-14 2015-11-18 广东欧珀移动通信有限公司 Control method and system based on fingerprint identification, fingerprint identification module
CN108701246A (en) * 2016-03-02 2018-10-23 维普公司 Fingerprint-authorisable device
US12079458B2 (en) 2016-09-23 2024-09-03 Apple Inc. Image data for enhanced user interactions
CN106682477A (en) * 2017-01-18 2017-05-17 西京学院 Authentication method based on human body solid characteristics
CN106682477B (en) * 2017-01-18 2023-09-19 西京学院 Authentication method based on solid-state characteristics of the human body
CN110692056A (en) * 2017-05-30 2020-01-14 维普公司 Smart card and method for controlling a smart card
CN110582770A (en) * 2017-09-06 2019-12-17 谷歌有限责任公司 Environmental condition verification and user authentication in a security coprocessor
US10740494B2 (en) 2017-09-06 2020-08-11 Google Llc Central and delegate security processors for a computing device
TWI681318B (en) * 2017-09-06 2020-01-01 美商谷歌有限責任公司 Mobile apparatus and method performed by apparatus
US11765163B2 (en) 2017-09-09 2023-09-19 Apple Inc. Implementation of biometric authentication
US12462005B2 (en) 2017-09-09 2025-11-04 Apple Inc. Implementation of biometric authentication
US12189748B2 (en) 2018-06-03 2025-01-07 Apple Inc. Implementation of biometric authentication
US11928200B2 (en) 2018-06-03 2024-03-12 Apple Inc. Implementation of biometric authentication
US11619991B2 (en) 2018-09-28 2023-04-04 Apple Inc. Device control using gaze information
US12124770B2 (en) 2018-09-28 2024-10-22 Apple Inc. Audio assisted enrollment
US12105874B2 (en) 2018-09-28 2024-10-01 Apple Inc. Device control using gaze information
US11809784B2 (en) 2018-09-28 2023-11-07 Apple Inc. Audio assisted enrollment
CN113632103A (en) * 2019-04-01 2021-11-09 安富莱控股私人有限公司 Improved card with fingerprint biological identification technology
US12099586B2 (en) 2021-01-25 2024-09-24 Apple Inc. Implementation of biometric authentication
US12216754B2 (en) 2021-05-10 2025-02-04 Apple Inc. User interfaces for authenticating to perform secure operations
CN115661991A (en) * 2021-09-26 2023-01-31 青岛亿联信息科技股份有限公司 Face recognition passing linkage gateway system

Also Published As

Publication number Publication date
TNSN05068A1 (en) 2007-05-14
CN100437635C (en) 2008-11-26
MY161401A (en) 2017-04-14
LT2005035A (en) 2006-01-25
LT5344B (en) 2006-06-27
TWI366795B (en) 2012-06-21
ZA200502663B (en) 2006-08-30
TW200411572A (en) 2004-07-01
UY27970A1 (en) 2003-12-31
PA8581901A1 (en) 2004-05-21
AR041226A1 (en) 2005-05-11
PE20040351A1 (en) 2004-06-17

Similar Documents

Publication Publication Date Title
CN1695163A (en) Secure Biometric Authentication
JP4673065B2 (en) Secret biometric testing of identity
JP5659246B2 (en) Protected personal data processing and management system
US8918900B2 (en) Smart card for passport, electronic passport, and method, system, and apparatus for authenticating person holding smart card or electronic passport
US11521720B2 (en) User medical record transport using mobile identification credential
US20220138298A1 (en) Device and systems for strong identity and strong authentication
JP2005508037A (en) Method and system for establishing identity trust
US12500885B2 (en) Systems and methods for authentication and validation based on user credential and biometric data
RU2339081C2 (en) Intellectual identification card
ES2336983B1 (en) SECURITY BIOMETRIC IDENTITY VERIFICATION.
US20240005719A1 (en) Distributed biometric identity system enrollment with live confirmation
WO2024263035A1 (en) A computer implemented method for generating and storing a digital user id associated with a user and use thereof for authenticating a person
LT5403B (en) Secure biometric verification of identity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081126

Termination date: 20110910