Patent Grant
8401244
In our modern electronics driven world, a user of an electronics device typically has many such devices. For example, a user may own a set of devices, such as a cellphone (perhaps multiple), a PDA (personal data assistant), computers, and set-top boxes. Each device may be capable of being loaded with personal data such as contacts information, calendar schedules, and other data files. However, loading the same personal data in each of the user's devices, as the user often desires for data synchronization, can be burdensome to the user. Furthermore, if an update to the personal data is made to one device, the same update would need to be manually duplicated in the other devices to provide seamless service across all of the user's devices.
There exist methods and apparatuses that enable automatic synchronization of data across multiple electronic devices to avoid the need for the aforementioned burdensome manual synchronization. To facilitate properly-targeted automatic synchronization of personal data, each of the user's devices may be provisioned or loaded with identity information to ensure that the user's personal data is synchronized only with other the devices of the same user. For example, all devices of a single user may be loaded with identity information such as traditional crypto keys, PINs (personal identification numbers), passwords, biometric information and other authentication information such as mother's maiden name, place of birth, pet's name, etc. Once the user's devices are provisioned or loaded with the user's identity information, the user may use such information for authentication to access the devices and manually synchronize the user's personal data therein. Thus, there is a desire by the user to have the user's devices performing automatic authentication with one another so that the user's data may be automatically synchronized among the user's devices. However, of concern is the manner in which the user's devices must transmit and expose the user's identity information to other devices in order to perform an automatic device authentication. Clearly, there is a desire to provide secure identity authentication in the user devices for detection of those devices that belong to a single user so that the user's identity information therein may be used to facilitate synchronization of data across the user's devices. Furthermore, such identity information should be kept private or secure so as not to be exposed to unauthorized devices or users that may use such information to steal or otherwise retrieve data from the user's devices. Thus, as referred herein, identity authentication of a device involves the identification of a device or its user based on identity information contained therein for the purpose of authorizing the device to perform one or more functions, such as data synchronization with another device. Proper identity authentication is important to the future of seamless mobility because it is a crucial element for secure communications between devices.
In one embodiment, there is provided a method of authenticating a user's identity, comprising: sending an interrogating nonce; receiving a first masked template of a first identity-related template based on the interrogating nonce; and determining whether the first identity-related template matches a second identity-related template using the received first masked template of the first identity-related template, the second identity-related template, and the interrogating nonce.
In another embodiment, there is provided a method of proving a user's identity, comprising: receiving an interrogating nonce; generating a first masked template of a first identity-related template based on the interrogating nonce; and sending the first masked template based on the interrogating nonce.
In still another embodiment, there is provided a system for authenticating a user's identity across a plurality of user devices comprising a first one of the plurality of user devices operating as an interrogating device that includes: a first nonce generator that operates to generate an interrogating nonce; a first communication interface that is electrically coupled to the first nonce generator to send out the interrogating nonce generated by the first nonce generator and to receive a first masked template of a first identity template based on the interrogating nonce; and a first comparator that is electrically coupled to the first communication interface and the first nonce generator to determine whether the first identity-related template matches a second identity-related template of the interrogating device using the received first masked template provided by the first communication interface, the second identity-related template of the interrogating device, and the interrogating nonce provided by the first nonce generator.
Embodiments are illustrated by way of example and not limited in the following figure(s), in which like numerals indicate like elements, in which:
For simplicity and illustrative purposes, the principles of the embodiments are described by referring mainly to examples thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the embodiments. It will be apparent however, to one of ordinary skill in the art, that the embodiments may be practiced without limitation to these specific details. In other instances, well known methods and structures have not been described in detail so as not to unnecessarily obscure the embodiments.
Although PIN and password are commonly used as identity information in most authentication schemes, biometric authentication mechanisms are being increasingly offered as an alternative because they are considered more secure. Accordingly, embodiments discussed herein allow multiple user electronics devices to securely determine the identity information of each other by securely sharing biometric templates (or any other identity-related templates) that are very close to being the same, but not necessarily identical, due to practical limitations in deriving biometric templates from two separate instances of a biometric scan. These embodiments simplify the user involvement of comparing the user's identity information across devices. Given a collection of user devices, such devices are operable to securely discover amongst themselves whether they share a common user. If they do, they are further operable to form a connection or communication and exchange data therein. Thus, for example, two devices that share identical or sufficiently similar biometric templates may securely communicate with each other. On the other hand, two devices that do not share an identical or sufficiently similar template, learn nothing about the other device's template.
The biometric template is the data derived from a biometric scan of the user. Biometric scans include, but are not limited to, fingerprints, eye scans (e.g., iris scans), palm prints and voice prints. The user may implement a biometric template, developed from a biometric scan of the user, in each of the user's devices to serve as identity information. Each biometric scan of a single exemplar, for example a thumbprint, is not identical to the scan before it of the same exemplar of the same user. However, two biometric scans of the same exemplar of the same user are sufficiently close that the two templates developed for two different devices are sufficiently similar for use to establish a secure authenticated channel (SAC) for communications between the devices, using one or more of the embodiments described herein.
According to various embodiments described herein, when two devices communicate to determine each other's identity information, the information visible to a third party that passively or actively listens in on the information exchange is insufficient to determine either device's identity information. That is, the intercepted communication does not provide enough additional information for the third party to reconstruct biometric templates by detection or by brute-force calculations. These embodiments may be used in any setting where user-based identity information is used for security or authentication purposes. For example, these embodiments apply to many seamless mobility applications. The goal is to allow two devices to automatically discover they share a common user. With that knowledge, they can then synchronize their data in a secure manner, and their privacy integrity cannot be undermined by attackers.
In order to protect a user's identity information, such as the user's biometric template, that is maintained in a user's device, it is not prudent to send a biometric template from one device to another, otherwise any attacking device may acquire the user's template and attempt to steal the user's data through synchronization with the user's device. In one embodiment, two devices are operable to determine whether the peer device contains a common biometric template without revealing their raw templates to each other firsthand. Thus, devices will never reveal the raw biometric template to the outside world. Instead, the device may calculate a processed version of the template, hereby called a masked template. There are several methods that may be used for this calculation. One such method utilizes fuzzy extractor functions that are described by Dodis, Ostrovsky, Reyzin, and Smith in “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” Sep. 20, 2007, found online. Preliminary version appeared in Eurocrypt 2004 [DRS04].
Accordingly, user devices may send masked templates in the clear, and an attacker is not able to derive the original biometric template because the calculation used in deriving a masked template is one-way (like a cryptographic hash). The local device receiving a masked template from a remote device may use a comparator algorithm, which takes as input its own raw biometric template, its locally generated nonce, and the masked template of the remote device based on its locally generated nonce. Cryptographically, a nonce is a number or bit string that is used only once. Examples of nonces include, but are not limited to, counts, random numbers, and pseudo-random numbers. The outcome of the comparator algorithm of the local device is a decision whether enough matching bits have been received from the remote device to declare that the raw biometric templates match. Similarly, the outcome of the comparator algorithm of the remote device is a decision whether enough matching bits have been received from the local device to declare that the templates match. If both devices come to that conclusion, then the two devices may start to synchronize their data.
Embodiments use three processes, devices, and/or entities. For example, the processes may be implemented as algorithms for execution by a processor in a user device. The first process is a masked template generation utilizing a masked template generator 010 shown in
The second process is a comparison utilizing a comparator 020 shown in
The third process is a key generation utilizing a key generator 030 shown in
Knowledge of the masked template generator, comparator, and key generator functions is considered public, as security relies solely on the secrecy of the raw biometric template T and the properties of the nonces RA and RB.
There are two common attack scenarios which need to be mitigated. The first attack scenario is the replay attack. The problem to be mitigated in the first scenario is that an attacker might listen to communications between devices and receive a device's masked template that the attacker saves for later replay. Then later, the attacker sends the saved masked template back to the same device as if it were the attacker's masked template. Because the replayed masked template is identical to the masked template output by the device, the device will of course declare that the masked template matches its own.
In order to mitigate consequences of this first attack scenario, each masked template is generated with a statistically unique nonce value R as discussed above before transmitting. The nonce value R is generated such that all previously saved copies of its masked template will not be accepted.
For example, Device B generates and sends a random nonce RB to Device A. As shown in
As shown in
With continuing reference to
As shown in
If an attacker sends an earlier version of the masked template (e.g., generated with an earlier random nonce) then the comparator will reject it.
The second attack scenario is the common man-in-the-middle attack (MITM attack) associated with any attempt to derive a session key when both sides have no previous knowledge of each other. The session key is necessary so that a secure authenticated channel (SAC) can be established between the two devices to securely synchronize their data. The fact that the key generator (430, 530) is capable of outputting a set of matching bits (e.g., K as described above) that would be equally generated in both devices obviates this kind of MITM attack. These bits, KA 620 and KB 570, may be used as a session key or to derive such a session key for subsequent SAC establishment between Devices A and B. If KA 620 and KB 570 did not match on the two devices, then each device would have derived a different session key and the devices cannot communicate through the SAC. Because the MITM never obtained a raw template (which is a required input of the key generator), the MITM attack is mitigated.
The computer system 750 includes one or more processors, such as processor 752, providing an execution platform for executing software. Thus, the computerized system 750 includes one or more single-core or multi-core processors of any of a number of computer processors, such as processors from Intel, AMD, and Cyrix. As referred herein, a computer processor may be a general-purpose processor, such as a central processing unit (CPU) or any other multi-purpose processor or microprocessor. A computer processor also may be a special-purpose processor, such as a graphics processing unit (GPU), an audio processor, a digital signal processor, or another processor dedicated for one or more processing purposes. Commands and data from the processor 752 are communicated over a communication bus 754 or through point-to-point links with other components in the computer system 750.
The computer system 750 also includes a main memory 756 where software is resident during runtime, and a secondary memory 758. The secondary memory 758 may also be a computer readable medium (CRM) that may be used to store software programs, applications, and/or modules to implement the functions of the components 702-710 in
The main memory 756 and secondary memory 758 (and an optional removable storage unit 764) each includes, for example, a CRM. The computer system 750 includes a display 770 connected via a display adapter 772, user interfaces comprising one or more input devices 768, such as a keyboard, a mouse, a stylus, and the like. However, the input devices 768 and the display 770 are optional. A communication interface 780 is provided for communicating with other user devices directly or via, for example, a network, and it is operable to enable the SAC controller 710 to establish a SAC with other user devices with a session key provided by the key generator 708. The communication interface 780 may be a wired interface, such as an Ethernet, firewire (IEEE 1394), or USB interface that is electrically coupled to various components shown in
In operation, one device is an interrogating device that initiates data synchronization, and another device is a responding device that interacts with the interrogating device to establish a SAC for data synchronization.
Referring first to
At 812, the masked template generator 410 of the responding device generates a first randomized masked template [TA]RB (e.g., 450 in
At 814, the responding device sends the masked template [TA]RB to the interrogating device.
At 816, the nonce generator 706 (
At 818, the responding device further receives from the interrogating device a second randomized masked template [TB]RA (e.g., 560 in
Referring to
At 822, The comparator 420 of the responding device compares the second randomized masked template [TB]RA received from the interrogating device with the secondary masked template [TA]RA generated by the comparator 420 (or the masked template generator 410) of the responding device to determine whether they match each other. A template match is declared when the randomized masked template [TB]RA received from the interrogating device is close to the secondary masked template [TA]RA by within a predetermined threshold.
At 824, if there is not a template match, this indicates that the responding and interrogating devices do not belong to the same user. Thus, the responding device will not allow data synchronization with the interrogating device.
At 826, however, if there is a template match, this indicates that the responding and interrogating devices belong to the same user. Accordingly, the key generator 430 of the responding device proceeds to generate key bits KA (e.g., using the key generator 620 in
At 828, a SAC is established by a SAC controller, such as 710 shown in
Referring now to
At 912, the interrogating device receives from the responding device the first randomized masked template [TA]RB (e.g., 450 in
At 914, the masked template generator 510 of the interrogating device receives a responding nonce RA (e.g., 440 in
At 916, the masked template generator 510 of the interrogating device generates a second randomized masked template [TB]RA (e.g., 560 in
At 918, the comparator 520 (
At 920 in
At 922, if there is not a template match, this indicates that the responding and interrogating devices do not belong to the same user. Thus, the interrogating device will not allow data synchronization with the responding device.
At 924, however, if there is a template match, this indicates that the responding and interrogating devices belong to the same user. Accordingly, the key generator 530 of the interrogating device proceeds to generate key bits KB (e.g., 570 in
At 926, a SAC is established by a SAC controller, such as 710 shown in
The transmission and reception of data or signals between the interrogating and responding devices may be achieved through their respective communication interface 780 (
Accordingly, the systems and methods as described herein provide secure identity authentication in user devices by using identity information for device authentication and data synchronization, while keeping such identity information private to prevent forged device authentication for unauthorized data synchronization.
What has been described and illustrated herein are various embodiments along with some of their variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Those skilled in the art will recognize that many variations are possible within the spirit and scope of the subject matter, which is intended to be defined by the following claims, and their equivalents, in which all terms are meant in their broadest reasonable sense unless otherwise indicated.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4532508 | Ruell | Jul 1985 | A |
| 4805222 | Young et al. | Feb 1989 | A |
| 4962530 | Cairns | Oct 1990 | A |
| 4998279 | Weiss | Mar 1991 | A |
| 5056141 | Dyke | Oct 1991 | A |
| 5479533 | Tanaka | Dec 1995 | A |
| 5485312 | Horner et al. | Jan 1996 | A |
| 5557686 | Brown et al. | Sep 1996 | A |
| 5729608 | Janson et al. | Mar 1998 | A |
| 6741729 | Bjorn et al. | May 2004 | B2 |
| 6895514 | Kermani | May 2005 | B1 |
| 6948074 | Borella et al. | Sep 2005 | B1 |
| 7021534 | Kiliccote | Apr 2006 | B1 |
| 7178034 | Cihula et al. | Feb 2007 | B2 |
| 7454623 | Hardt | Nov 2008 | B2 |
| 7460130 | Salganicoff | Dec 2008 | B2 |
| 20040187037 | Checco | Sep 2004 | A1 |
| 20040190781 | Shiibashi et al. | Sep 2004 | A1 |
| 20060067592 | Walmsley et al. | Mar 2006 | A1 |
| 20060136725 | Walmsley | Jun 2006 | A1 |
| 20060226951 | Aull et al. | Oct 2006 | A1 |
| 20070011464 | Gorelik et al. | Jan 2007 | A1 |
| 20070026426 | Fuernkranz et al. | Feb 2007 | A1 |
| 20070160198 | Orsini et al. | Jul 2007 | A1 |
| 20070198848 | Bjorn | Aug 2007 | A1 |
| 20080005785 | Leinonen et al. | Jan 2008 | A1 |
| 20080019573 | Baltatu et al. | Jan 2008 | A1 |
| 20080049939 | Canetti et al. | Feb 2008 | A1 |
| 20090161919 | Vogler et al. | Jun 2009 | A1 |
| 20090205028 | Smeets et al. | Aug 2009 | A1 |
| 20090271634 | Boult et al. | Oct 2009 | A1 |
| Entry |
|---|
| Merriam Webster Definition of “Nonce” pp. 1-2. |
| Merriam Webster definition “Interrogate” p. 1-2. |
| Written Opinion for US/PCT 2008—087088 pp. 1-9. |
| Merriam Webster Defintiion of “Cryptographic Nonce” pp. 1-3. |
| Li et al. “Protecting RFID Communications in Supply Chains” ASIASCCS Mar. 20-22, 2007 pp. 1-8. |
| Meszaros et al. “Strengthening Passwords by Keystroke Dynamics” IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems Sep. 6-8, 2007, pp. 1-4. |
| PCT International Search Report; Re: PCT Application #PCT/US08/87088 Dec. 17, 2008. |
| Office Action, Korean App. No. 10-2010-7013567 (Foreign Text and English Translation), Aug. 31, 2011. |
| A. Menezes, et al, “Handbook of Applied Cryptography, Chapter 10 Identification and Entity Authentication”, CRC Press, 1997. |
| Number | Date | Country | |
|---|---|---|---|
| 20090161919 A1 | Jun 2009 | US |
