Privacy-Preserving Key Generation in Biometric Authentication
Abstract
A method for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer, the method utilizing computer processes including: generating shards from a digital electronic signal, provided as an output by a second transducer, such signal characterizing a biometric of the subject; causing distribution of the generated shards to an array of servers, so that the array of servers can store the generated shards and perform a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject, where the authentication information includes a key of the subject, and processing the authentication information in a verification process to indicate whether the subject is authenticated as the individual.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer, the method utilizing computer processes comprising:
generating shards from a digital electronic signal, provided as an output by a second transducer, such signal characterizing a biometric of the subject; causing distribution of the generated shards to an array of servers, so that the array of servers can store the generated shards and perform a data exchange process using a subset of the generated shards to develop information relating to authentication of the subject, wherein the authentication information includes a key of the subject, and processing the authentication information in a verification process to indicate whether the subject is authenticated as the individual.
2 . A method according to claim 1 , wherein the processing of the authentication information includes causing the development of a signed message.
3 . A method according to claim 2 , wherein the computer processes further comprise causing the data exchange process to use the generated shards to develop a further key of the subject and to cause the further key of the subject to be used to develop a second signed message.
4 . A method according to claim 2 , wherein the verification process includes using an authentication key of the individual in relation to the signed message to determine whether the subject is authenticated as the individual.
5 . A method according to claim 4 , wherein the authentication key of the individual is an ECDSA public key that is used in the verification process in relation to the signed message, signed using a ECDSA private key of the subject to determine whether the subject is authenticated as the individual.
6 . A method according to claim 1 , wherein the key of the subject is a root private key.
7 . A method according to claim 1 , wherein the key of the subject is an ECDSA (Elliptic Curve Digital Signature Algorithm) private key.
8 . A method according to claim 1 , wherein the key of the subject is a major key.
9 . A method according to claim 8 , wherein a set of minor keys of the subject is associated with the major key of the subject.
10 . A method according to claim 9 , wherein the data exchange process to develop the key of the subject includes causing a subset of the set of the minor keys of the subject to be used in developing the signed message.
11 . A method according to claim 10 , wherein the verification process includes determining whether the subset of the set of minor keys of the subject is associated with a major key of the individual.
12 . A method according to claim 1 , wherein the recited computer processes are carried out with access to a public key of the individual, but without access to the biometric data of the individual.
13 . A method according to claim 1 , wherein the computer processes are performed by computing entities configured as information-sharing restricted with respect to a set of items of information selected from a group consisting of: the digital electronic signal; the biometric data of the individual; the biometric of the subject; the generated shards; the authentication information; the key of the subject; and a result of the verification process.
14 . A method according to claim 1 , wherein the computer processes further comprise causing use of the key of the subject for encryption.
15 . A method according to claim 1 , wherein the computer processes further comprise causing use of the key of the subject for decryption.
16 . A method according to claim 1 , wherein the computer processes further comprise: generating further shards and causing distribution of the further shards to a subset of servers in the array to be used in a second authentication process.
17 . A method according to claim 1 , wherein the computer processes further comprise, if the subject is authenticated as the individual, granting the subject access, based on a security policy, for a defined session, to a set selected from a group consisting of: one or more applications; a service; an operating system; a resource; a server; a computing facility; a set of data; an administrator configuration; and a transaction.
18 . A method for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer, the method utilizing computer processes comprising:
causing generation of authentication shards from a digital electronic signal characterizing a biometric of the subject, such signal provided as an output by a second transducer; causing distribution of the authentication shards to a first plurality of servers in an array of servers, so that the array of servers can cause storage of the authentication shards and can be caused (a) to perform a data exchange process involving a second plurality of servers in the array, and (b) using data derived from the individual's biometric data and a subset of the authentication shards, to develop information relating to authentication of the subject, wherein the authentication information includes a key of the subject; and following development of the authentication information, causing processing of the authentication information to indicate whether the subject is authenticated as the individual.
19 . A method according to claim 18 , wherein the processing of the authentication information includes causing the development of a signed message.
20 . A method according to claim 19 , wherein the computer processes further comprise causing the data exchange process to use the generated authentication shards to develop a further key of the subject and to cause the further key of the subject to be used to develop a second signed message.
21 . A method according to claim 19 , wherein the computer processes further comprise processing the authentication information in a verification process including using an authentication key of the individual in relation to the signed message to determine whether the subject is authenticated as the individual.
22 . A method according to claim 21 , wherein the authentication key of the individual is an ECDSA public key that is used in the verification process in relation to the signed message, signed using a ECDSA private key of the subject to determine whether the subject is authenticated as the individual.
23 . A method according to claim 18 , wherein the key of the subject is a root private key.
24 . A method according to claim 18 , wherein the key of the subject is an ECDSA (Elliptic Curve Digital Signature Algorithm) private key.
25 . A method according to claim 18 , wherein the key of the subject is a major key.
26 . A method according to claim 25 , wherein a set of minor keys of the subject is associated with the major key of the subject.
27 . A method according to claim 26 , wherein the data exchange process to develop the key of the subject includes causing a subset of the set of the minor keys of the subject to be used in developing a signed message.
28 . A method according to claim 27 , wherein the processing of the authentication information includes determining whether the subset of the set of minor keys of the subject is associated with a major key of the individual.
29 . A method according to claim 18 , wherein the recited computer processes are carried out with access to a public key of the individual, but without access to the biometric data of the individual.
30 . A method according to claim 18 , wherein the computer processes are performed by computing entities configured as information-sharing restricted with respect to a set of items of information selected from a group consisting of: the digital electronic signal; the biometric data of the individual; the biometric of the subject; the generated authentication shards; the authentication information; the key of the subject; and a result of the processing of the authentication information.
31 . A method according to claim 18 , wherein the computer processes further comprise causing use of the key of the subject for encryption.
32 . A method according to claim 18 , wherein the computer processes further comprise causing use of the key of the subject for decryption.
33 . A method according to claim 18 , wherein the computer processes further comprise: generating further shards and causing distribution of the further shards to a subset of servers in the array to be used in a second authentication process.
34 . A method according to claim 18 , wherein the computer processes further comprise, if the subject is authenticated as the individual, granting the subject access, based on a security policy, for a defined session, to a set selected from a group consisting of: one or more applications; a service; an operating system; a resource; a server; a computing facility; a set of data; an administrator configuration; and a transaction.
35 . A method for using biometric data to authenticate a subject as an individual whose biometric data has been previously obtained using a first transducer, the method utilizing computer processes comprising:
causing generation of authentication shards from a digital electronic signal characterizing a biometric of the subject, such signal provided as an output by a second transducer; causing distribution of the authentication shards to an array of servers; causing a plurality of servers in the array of servers to perform a data exchange process using a subset of the authentication shards to develop a signed message; and causing processing of the signed message in a verification process to indicate whether the subject is authenticated as the individual.
36 . A method according to claim 35 , wherein performing the data exchange process includes causing the data exchange process to use the subset of the authentication shards to develop a key of the subject and to cause the key of the subject to be used to develop the signed message.
37 . A method according to claim 35 , wherein the verification process includes using an authentication key of the individual in relation to the signed message to determine whether the subject is authenticated as the individual.
38 . A method according to claim 37 , wherein the authentication key of the individual is an ECDSA public key that is used in the verification process in relation to the signed message, signed using a ECDSA private key of the subject to determine whether the subject is authenticated as the individual.
39 . A method according to claim 36 , wherein the key of the subject is a root private key.
40 . A method according to claim 36 , wherein the key of the subject is an ECDSA (Elliptic Curve Digital Signature Algorithm) private key.
41 . A method according to claim 36 , wherein the key of the subject is a major key.
42 . A method according to claim 41 , wherein a set of minor keys of the subject is associated with the major key of the subject.
43 . A method according to claim 42 , wherein the data exchange process to develop the key of the subject includes causing a subset of the set of the minor keys of the subject to be used in developing the signed message.
44 . A method according to claim 43 , wherein the verification process includes determining whether the subset of the set of minor keys of the subject is associated with a major key of the individual.
45 . A method according to claim 35 , wherein the recited computer processes are carried out with access to a public key of the individual, but without access to the biometric data of the individual.
46 . A method according to claim 36 , wherein the computer processes are performed by computing entities configured as information-sharing restricted with respect to a set of items of information selected from a group consisting of: the digital electronic signal; the biometric data of the individual; the biometric of the subject; the generated authentication shards; authentication information; the key of the subject; and a result of the verification process.
47 . A method according to claim 35 , wherein the computer processes further comprise: generating further shards and causing distribution of the further shards to a subset of servers in the array to be used in a second authentication process.
48 . A method according to claim 35 , wherein the computer processes further comprise, if the subject is authenticated as the individual, granting the subject access, based on a security policy, for a defined session, to a set selected from a group consisting of: one or more applications; a service; an operating system; a resource; a server; a computing facility; a set of data; an administrator configuration; and a transaction.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.