1. Field of the Invention
This invention relates to the field of portable, electronic personal identification and authentication devices. This invention relates more specifically to electronic devices using biometric and/or smartcard authentication technologies.
2. Related Art
U.S. Pat. No. 6,991,174 to Zuili discloses a method and apparatus for authenticating a shipping transaction. The disclosed apparatus, which is not covered by the claims of the patent, is a portable smartcard reader incorporating a number of different authentication mechanisms, including a personal identification number (PIN), asymmetric cryptographic keys, and/or biometrics. The apparatus may be used autonomously or in conjunction with other electronic devices, such as a personal digital assistant (PDA), cellular telephone, or remote control. The apparatus is designed for use in a variety of applications, including computer networks, televisions and cable access, and payment transactions. The patented invention is a method of specifically authenticating a shipping transaction by using a smartcard and a smartcard reader, acquiring biometric information and shipping information from a customer, encrypting the shipping information using the biometric information, storing the encrypted shipping information on the smartcard and in a database, permitting the customer to access the database in order to change the shipping information, and requiring the customer to resubmit biometric information in order to authenticate the shipping transaction.
U.S. Pat. No. 6,016,476 to Maes, et al., discloses a portable PDA with biometric authentication capability. The PDA is further capable of reading and writing information to smartcards, magnetic stripe cards, optical cards and/or electronically alterable read-only memory (EAROM) cards. The PDA is intended for use in payment transactions, and can communicate with other electronic devices, such as a point of sale terminal, through either wired or wireless transceivers.
Research In Motion, Ltd. (RIM) produces and sells a device called “The BlackBerry® Smart Card Reader,” which is a portable smartcard reader that provides two-factor authentication, symmetric cryptographic keys and the smartcard, for users attempting to access or use BlackBerry devices. Once the smartcard and the cryptographic key has been processed on the device, the device communicates via Bluetooth wireless technology with the BlackBerry device, enabling users to transmit secure e-mail. The device does not include biometric authentication.
Key Ovation produces the “Goldtouch ErgoSecure Smart Card and Biometric Keyboard SF2.4.” This device is a standard ergonomic computer keyboard, which incorporates both a smartcard reader and an Authentec fingerprint sensor. It is not portable, nor does it appear to possess wireless technology.
Companies, governments, and other organizations possess a variety of physical and digital resources, which are often valuable and must be protected. Some of these resources are physical, such as particular buildings, offices, or grounds, while others are more intangible, such as databases, computer files, or other digital data. As a natural consequence of wishing to protect the resource, organizations either implicitly or explicitly develop an associated security policy or structure that specifies rules for access to the resource. When an individual wants access to a protected resource, the organization's security policy will—again implicitly or explicitly—require the individual to identify himself in an acceptable manner, and will then authenticate the identified individual against the security policy. If the identified and authenticated individual has privileges to the resource he is permitted access.
Both government agencies and private industry have developed a number of different technologies to implement these security policies. One such technology is the “proximity card,” commonly used to secure physical access to commercial buildings and offices. The proximity card is typically the size of a credit card, and contains electronics sufficient to both store and wirelessly transmit a unique identifier to a receiver located at the access point. The proximity card gains its name from its characteristic type of wireless transmission, allowing the user to simply hold the card close (typically within a few inches) to the access point, without inserting the card into a reader. When a proximity card is issued to an individual, a centralized database associates the unique identifier on the card with that individual; when the individual provides the proximity card to gain access to the resource, the identifier is transmitted to the access point, and the association is verified. Once the unique identifier has been programmed onto the proximity card, it cannot be altered, nor can additional data be added to the card.
Developers have been equally prolific in generating authenticating technologies for access to computers, networks, and other digital resources. The simplest examples are passphrases or personal identification numbers (PINs) that the individual must supply before being granted access to the resource. Virtually all e-mail systems are protected this way; another common example is the Windows® log-in process, which prompts the user to enter a username and password. In more advanced systems, individuals may be provided cryptographic keys, such as one half of a public key/private key pair, or a digital certificate. These technologies similarly rest on an individual's previous association with the particular credential, such as the passphrase or cryptographic key.
One technology frequently used to accomplish one or both objectives of physical and digital access is the “smartcard.” Similar to the proximity card, the smartcard is in the form-factor of a credit card. The smartcard, however, generally contains a small integrated circuit with sufficient processing power to perform a number of different tasks, including cryptography and two-way transmission. The smartcard can store unique identifiers, such as cryptographic keys, passphrases, and other user data, as well as be transported and used to obtain access to physical resources. One smartcard can provide storage and authentication for a number of different resources, each of which may have a different identifier. Rather than wirelessly transmitting credentials, such as the proximity card, the smartcard uses contact-based transmission, and requires the user to insert the smartcard into a reader at the access point. Smartcard readers may be attached to electronic resources, such as a computer or network terminal, or physical resources, such as doors, gates, etc. Because of the two-way transmission capability, the data stored on a smartcard may be altered or updated through the smartcard reader. Smartcards are extremely popular; for example, the Department of Defense (DoD) currently uses the smartcard-based Common Access Card (CAC) to grant access to its organizations and resources. The CAC retains all of the functions and features of the traditional smartcard, and incorporates a photograph of the bearer on the outside of the card, to allow for both visual and electronic identification and authentication.
Each of these security technologies, while very useful, is susceptible to use by an impostor. If an individual loses his proximity card or smartcard, anyone who picks it up may use it to access the resource. Biometric technology, which authenticates an individual by use of physical characteristics such as fingerprints, can largely eliminate this risk. In the case of fingerprint recognition, an individual's fingerprint is electronically scanned and stored as a numeric template. When the individual wishes to access the resource, the finger is rescanned and digitally compared to the stored fingerprint to determine a match. Biometrics offer a clear advantage over previous technology—while a smartcard may be easily stolen and used by an unauthorized individual, an electronic forgery of a fingerprint is much more difficult to achieve.
The Privaris® BPID™ Security Device is one type of authentication device based on biometric technology, and is much younger technology than the smartcard. The BPID Security Device is a handheld, portable electronic device, containing a fingerprint scanner, two-way wireless communications, memory, and sufficient processing power to perform cryptographic functions and on-device fingerprint authentication algorithms. Much like the smartcard, the BPID Security Device can store unique identifiers, including cryptographic keys and passphrases, and can be used to authenticate an individual to a number of different resources. The BPID Security Device, however, possesses significantly more processing power and memory than the traditional smartcard, in part because of the fingerprint template storage and comparisons done on-board the device. Furthermore, the BPID Security Device is based on wireless technology, so it can use the same protocols as used in proximity cards, newer standards like the Bluetooth® protocol, or both. Data on the BPID Security Device can be transmitted or received without inserting the device into a reader, which, for example, allows individuals to authenticate faster at a physical access point than they could using a smartcard.
Since the advent of the smartcard, a number of organizations have attempted to create an identification system common to multiple organizations that utilized common information contained on the smartcard, while at the same time increasing the security of this information, and insuring positive identification of the individual using the smartcard, prior to granting access to approved resources. Shortage of memory, limited range for contactless applications, the need for multiple cards to accommodate existing building access systems, the need for reliable biometric authentication, and the difficulties associated with updating the data on the card all became issues. While the BPID Security Device can largely address these concerns, it does not possess the form-factor of the smartcard, and therefore does not lend itself to the visual identification component of the CAC. Nor does the BPID Security Device contain a contact-based transmission mechanism allowing it to interact with systems currently using smartcard readers. What is needed is an apparatus and methods that combines the visual identification aspect of the smartcard with the biometric and wireless components of the BPID Security Device, which can allow reversion to a contact-based smartcard system when necessary.
The present invention discloses apparatuses and methods for integrating smartcard and BPID Security Device technology. The primary apparatus of the invention, hereinafter termed a “smartcard-enabled BPID Security Device,” integrates a smartcard reader with the BPID Security Device such that an individual may insert the smartcard into an aperture in the physical enclosure of the BPID Security Device, allowing the smartcard and the BPID Security Device to electronically communicate with each other. In one primary embodiment of the invention, the smartcard-enabled BPID Security Device is based on a custom application specific integrated circuit (ASIC) that incorporates smartcard terminals, such that the BPID Security Device can communicate directly with an inserted smartcard. In an alternative embodiment of the invention, the smartcard-enabled BPID Security Device is based on a commercial off-the-shelf (COTS) microprocessor, and may communicate with a COTS smartcard receiver using a serial, USB, or other type of communication protocol. The first method of the invention is a process for enrolling a user's credentials onto the smartcard-enabled BPID Security Device. The second method of the invention is a process for authenticating an individual using the smartcard-enabled BPID Security Device.
The following detailed description is of the best presently contemplated mode of carrying out the invention. This description is not to be taken in a limiting sense, but is made merely for the purpose of illustrating general principles of embodiments of the invention.
In one embodiment, a device (not shown) uses fingerprint biometrics and fingerprint recognition algorithms to authenticate the identity of the owner of the device prior to granting access to an approved resource. The device can store personal identity credentials such as licenses, passports or identification cards, building or facility access codes, credit card or wireless payment information, or user names or passwords. These credentials are wirelessly transmitted from the device upon successful verification of the enrolled user's fingerprint(s) by the device.
The device performs all fingerprint processing, including capture, template generation, storage and matching, on the device. No centralized database of biometric information is needed, which allows the device to provide user authentication to a stand alone computer or handheld device should the infrastructure or network be disabled. Furthermore, the device transmits only the required credential, not the fingerprint or template. The user's biometric information never leaves the device. Thus, users need not be concerned about their fingerprint being compromised or shared in any manner. The device releases private or confidential information only after the user of that device successfully biometrically authenticates him/her self.
In another embodiment, the device can directly interact with a smartcard. The device will be packaged as a holder for the smartcard. All of the features of the device will be maintained, but the physical packaging will be changed. In addition, the device will include an electrical and mechanical interface to a smartcard. The smartcard will slide into the device and make contact with the device. The device will require authentication of its owner prior to the device being able to communicate with the smartcard. Also, the smartcard and the device must authenticate each other before they are capable of communicating with each other. Once the device and the smartcard have authenticated each other they will be able to communicate. Once authenticated, the combined device and smartcard provide all of the capabilities of each technology in a single unit. The combined unit provides for secure storage of credentials, remote reading of a smartcard, wireless transmission of credentials from the smartcard, support of multiple applications (physical access, logical access, identity documents and financial transactions), and coexistence of legacy (smartcard) and emerging (wireless self-contained biometric device) technologies. Users can reap the benefits of both technologies without replacing existing infrastructure.
The primary apparatus of the invention is called a “smartcard-enabled BPID Security Device.” As seen in
In the first embodiment of the apparatus, the biometric authentication component 300 may communicate with the external device terminal 212 over a standard communications protocol, such as, but not limited to, RS232 (now known as EIA232) or Universal Serial Bus (USB). In an alternative embodiment of the apparatus, the biometric authentication component 300 and the smartcard reader 210 will coexist on a secure microprocessor (hereinafter “BPID Security Device/reader”), such that communications between the external device terminal 212 and the biometric authentication component 300 will be physically and electronically located on the same ASIC. In this embodiment of the invention, the BPID Security Device/reader will be located within the physical enclosure 101 such that a smartcard 200 inserted into the aperture 102 of the physical enclosure 101 will directly contact the smartcard terminal 211 of the BPID Security Device/reader. This creates enhanced security for the BPID Smartcard Security Device 100, as the ASIC may be physically and electronically secured.
The first method of invention permits an individual with a smartcard to enroll himself into the BPID Smartcard Security Device 100. First, the individual places a smartcard 200 into the aperture 102 of the physical enclosure 101 such that the smartcard 200 contacts the smartcard terminal 211 of the reader 210. The individual then activates power to the smartcard-enabled BPID Security Device 101 and the smartcard reader 210 reads the smartcard's serial number. The smartcard reader 210 transmits the serial number to the biometric authentication component 300 using the external device terminals 212. The biometric authentication component 300 verifies that it has not previously been enrolled with the specific smartcard 200. The biometric authentication component 300 then connects to a BPID Security Device enrollment station and enrolls the individual pursuant to its regular procedure. During the enrollment procedure, the biometric authentication component 300 stores the individual's biometric data and a PIN, which are then associated in the memory of the biometric authentication component 300 with the smartcard's 200 serial number. The biometric authentication component 300 also transmits the individual's biometric data and the PIN to the smartcard reader 210 via the external device terminals 212, and the smartcard reader 210 writes the biometric data and the PIN to the smartcard 200 via the smartcard terminal 211. The BPID Smartcard Security Device 100 is now enrolled and the user may remove the smartcard from the aperture 102 of the physical enclosure 101.
The second method of the invention permits an individual to authenticate himself to a BPID Smartcard Security Device 100 he has previously enrolled in. First, the individual places a smartcard 200 into the aperture 102 of the physical enclosure 101 such that the smartcard 200 contacts the smartcard terminal 211 of the reader 210. The individual then activates power to the smartcard-enabled BPID Security Device 101 and the smartcard reader 210 reads the smartcard's serial number. The smartcard reader 210 transmits the serial number to the biometric authentication component 300 using the external device terminals 212. The biometric authentication component 300 verifies that it has previously been enrolled with the specific smartcard 200 and requests the individual to authenticate himself to the biometric authentication component 300 according to its standard procedure. If the biometric authentication component 300 successfully authenticates the individual, the biometric authentication component 300 locates the PIN associated with the smartcard's 200 serial number and transmits the PIN via the external device 212 to the smartcard reader 210. The smartcard reader 210 then transmits the PIN to the smartcard 200 via the smartcard terminal 211.
If the smartcard 200 possesses “match-on-card” capabilities, i.e. the smartcard is capable of matching fingerprint templates to those stored on the card, the biometric authentication component 300 locates the fingerprint template associated with the smartcard's 200 serial number and transmits the template via the external device 212 to the smartcard reader 210. The smartcard reader 210 then transmits the template to the smartcard 200 via the smartcard terminal 211. If the smartcard 200 matches both the transmitted PIN and fingerprint template to its stored PIN and template, it 200 transmits its stored electronic data to the smartcard reader 210 via the smartcard terminal 211, which subsequently transmits the stored electronic data to the biometric authentication component 300 via the external device terminal 212. The biometric authentication component 300 may now use the electronic data stored on the smartcard 200 as necessary.
If the smartcard 200 does not possess “match-on-card” capabilities, the smartcard 200 will only match the transmitted PIN to its stored PIN. It 200 will then transmit the stored fingerprint template to the smartcard reader 210 via the smartcard terminal 211, which in turn transmits the fingerprint template to the biometric authentication component 300 via the external device terminal 212. The biometric authentication component 300 locates the fingerprint template associated with the smartcard's 200 serial number and compares the stored template to the template transmitted from the smartcard 200. If the two match, the biometric authentication component 300 prompts the smartcard reader 210 to transmit its stored electronic data to the smartcard reader 210 via the smartcard terminal 211. The smartcard reader 210 then transmits the stored electronic data to the biometric authentication component 300 via the external device terminal 212. As above, the biometric authentication component 300 may now use the electronic data stored on the smartcard 200 as necessary.
Those having ordinary skill in the art will recognize that the precise sequence of steps may be altered such that they result in the same functional outcome. Many improvements, modifications, and additions will be apparent to the skilled artisan without departing from the spirit and scope of the present invention as described herein and defined in the following claims.
This application claims priority to and is a continuation of U.S. patent application Ser. No. 11/389,387, filed Mar. 24, 2006 entitled “Biometric Identification Device with Smartcard Capabilities,” which claims priority to U.S. Patent Application No. 60/665,043 filed Mar. 24, 2005, entitled, “Biometric Identification Device with Smartcard Capabilities,” each of which is hereby incorporated by reference in their entireties.
Number | Name | Date | Kind |
---|---|---|---|
4993068 | Piosenka et al. | Feb 1991 | A |
5053608 | Senanayake | Oct 1991 | A |
5131038 | Puhl et al. | Jul 1992 | A |
5280527 | Gullman et al. | Jan 1994 | A |
5469506 | Berson et al. | Nov 1995 | A |
5526428 | Arnold | Jun 1996 | A |
5591949 | Bernstein | Jan 1997 | A |
5594227 | Deo | Jan 1997 | A |
5613012 | Hoffman et al. | Mar 1997 | A |
5615277 | Hoffman | Mar 1997 | A |
5805719 | Pare, Jr. et al. | Sep 1998 | A |
5818029 | Thomson | Oct 1998 | A |
5838812 | Pare, Jr. et al. | Nov 1998 | A |
5870723 | Pare, Jr. et al. | Feb 1999 | A |
5920640 | Salatino et al. | Jul 1999 | A |
5952641 | Korshun | Sep 1999 | A |
5991408 | Pearson et al. | Nov 1999 | A |
6016476 | Maes et al. | Jan 2000 | A |
6038666 | Hsu et al. | Mar 2000 | A |
6041410 | Hsu et al. | Mar 2000 | A |
6070796 | Sirbu | Jun 2000 | A |
6084968 | Kennedy et al. | Jul 2000 | A |
6154879 | Pare, Jr. et al. | Nov 2000 | A |
6167517 | Gilchrist et al. | Dec 2000 | A |
6181803 | Davis | Jan 2001 | B1 |
6182221 | Hsu et al. | Jan 2001 | B1 |
6185316 | Buffam | Feb 2001 | B1 |
6219439 | Burger | Apr 2001 | B1 |
6219793 | Li et al. | Apr 2001 | B1 |
6268788 | Gray | Jul 2001 | B1 |
6282649 | Lambert et al. | Aug 2001 | B1 |
6317834 | Gennaro et al. | Nov 2001 | B1 |
6353889 | Hollingshead | Mar 2002 | B1 |
6366682 | Hoffman et al. | Apr 2002 | B1 |
6367017 | Gray | Apr 2002 | B1 |
6466781 | Bromba et al. | Oct 2002 | B1 |
6484260 | Scott et al. | Nov 2002 | B1 |
6487662 | Kharon et al. | Nov 2002 | B1 |
6490680 | Scheidt et al. | Dec 2002 | B1 |
6529885 | Johnson | Mar 2003 | B1 |
6532298 | Cambier et al. | Mar 2003 | B1 |
6581161 | Byford | Jun 2003 | B1 |
6609198 | Wood et al. | Aug 2003 | B1 |
6615264 | Stoltz et al. | Sep 2003 | B1 |
6618806 | Brown et al. | Sep 2003 | B1 |
6636973 | Novoa et al. | Oct 2003 | B1 |
6641009 | French et al. | Nov 2003 | B2 |
6657538 | Ritter | Dec 2003 | B1 |
6662166 | Pare, Jr. et al. | Dec 2003 | B2 |
6668332 | McNeil | Dec 2003 | B1 |
6671808 | Abbott et al. | Dec 2003 | B1 |
6681034 | Russo | Jan 2004 | B1 |
6719200 | Wiebe | Apr 2004 | B1 |
6728881 | Karamchetty | Apr 2004 | B1 |
6735695 | Gopalakrishnan et al. | May 2004 | B1 |
6751734 | Uchida | Jun 2004 | B1 |
6757411 | Chau | Jun 2004 | B2 |
6765470 | Shinzaki | Jul 2004 | B2 |
6766040 | Catalano et al. | Jul 2004 | B1 |
6775776 | Vogt et al. | Aug 2004 | B1 |
6786397 | Silverbrook et al. | Sep 2004 | B2 |
6819219 | Bolle et al. | Nov 2004 | B1 |
6832317 | Strongin et al. | Dec 2004 | B1 |
6836843 | Seroussi et al. | Dec 2004 | B2 |
6839688 | Drummond et al. | Jan 2005 | B2 |
6844660 | Scott | Jan 2005 | B2 |
6848052 | Hamid et al. | Jan 2005 | B2 |
6850147 | Prokoski et al. | Feb 2005 | B2 |
6850252 | Hoffberg | Feb 2005 | B1 |
6853739 | Kyle | Feb 2005 | B2 |
6857073 | French et al. | Feb 2005 | B2 |
6862443 | Witte | Mar 2005 | B2 |
6870946 | Teng et al. | Mar 2005 | B1 |
6870966 | Silverbrook et al. | Mar 2005 | B1 |
6871193 | Campbell et al. | Mar 2005 | B1 |
6871287 | Ellingson | Mar 2005 | B1 |
6871784 | Jayaratne | Mar 2005 | B2 |
6876757 | Yau et al. | Apr 2005 | B2 |
6877097 | Hamid et al. | Apr 2005 | B2 |
6879243 | Booth et al. | Apr 2005 | B1 |
6879966 | Lapsley et al. | Apr 2005 | B1 |
6880749 | Green et al. | Apr 2005 | B1 |
6880750 | Pentel | Apr 2005 | B2 |
6883709 | Joseph | Apr 2005 | B2 |
6886096 | Appenzeller et al. | Apr 2005 | B2 |
6886101 | Glazer et al. | Apr 2005 | B2 |
6886104 | McClurg et al. | Apr 2005 | B1 |
6888445 | Gotfried et al. | May 2005 | B2 |
6898577 | Johnson | May 2005 | B1 |
6901154 | Dunn | May 2005 | B2 |
6901155 | Xia et al. | May 2005 | B2 |
6901266 | Henderson | May 2005 | B2 |
6901382 | Richards et al. | May 2005 | B1 |
6970584 | O'Gorman et al. | Nov 2005 | B2 |
6985502 | Bunton | Jan 2006 | B2 |
6991174 | Zuili | Jan 2006 | B2 |
7287165 | Aono et al. | Oct 2007 | B2 |
7481364 | Cannon et al. | Jan 2009 | B2 |
20020148892 | Bardwell | Oct 2002 | A1 |
20020158127 | Hori et al. | Oct 2002 | A1 |
20030024994 | Ladyansky | Feb 2003 | A1 |
20030115490 | Russo et al. | Jun 2003 | A1 |
20040035939 | Lin | Feb 2004 | A1 |
20040050933 | Keronen et al. | Mar 2004 | A1 |
20040188519 | Cassone | Sep 2004 | A1 |
20050001028 | Zuili | Jan 2005 | A1 |
20060115134 | Kozlay | Jun 2006 | A1 |
Number | Date | Country |
---|---|---|
1 396 779 | Mar 2004 | EP |
1 473 618 | Nov 2004 | EP |
11-511278 | Sep 1999 | JP |
2002-063141 | Feb 2002 | JP |
WO 2004015620 | Feb 2004 | WO |
Number | Date | Country | |
---|---|---|---|
20090095810 A1 | Apr 2009 | US |
Number | Date | Country | |
---|---|---|---|
60665043 | Mar 2005 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 11389387 | Mar 2006 | US |
Child | 12251131 | US |