Biometric authentication system

FIELD: engineering of systems for protecting communication channels, which realize claimed method for user authentication on basis of biometric data by means of provision and extraction of cryptographic key and user authentication.

SUBSTANCE: in accordance to the invention, neither biometric template nor cryptographic user key are explicitly represented in information storage device, without provision of biometric sample and information storage device with a pack stored on it, any cryptographic operations with data are impossible.

EFFECT: creation of biometric access system and method for provision/extraction of cryptographic key and user authentication on basis of biometry, increased key secrecy level, increased reliability, expanded functional capabilities and simplified system creation process.

2 cl, 2 dwg

 

The invention relates to a device for covert or secretive communication with the means for establishing the identity of the user based on biometric data, and more particularly to a biometric authentication system through the submission and selection of a cryptographic key and user authentication based on biometric data.

For disclosure of the substance of the invention hereinafter following terminology is used: "biometric template is stored in long-term memory of a computer or other storage device generalized description of the biometric object obtained as a result of training and consists of a series of measurements and processing of the multiple projections of the same object, and "biometric template" is a characteristic of the biometric object, the resulting current, as a rule, a single measurement. It should be noted that the template and the sample can be obtained from a variety of biometric objects.

There are different ways of associating the biometric data and a cryptographic key. Common to all methods is that the retrieval key is performed only with involvement of a biometric object, corresponding measurements with the purpose of obtaining a biometric sample, processing and formation of the biome the electrical data, which are then used for recognition. Subsequently, the key can be used, for example, for encryption/decryption. Further, to simplify the reasoning lower intermediate processing stages and we will proceed from the assumption that recognition is presented biometric sample.

Methods of biometric authentication enable a decision with a certain probability within the confidence interval. More formally, the reliability of the solution is determined by the errors of the first and second kind. In biometrics, these errors are usually denoted as False Rejection Rate (FRR) and False Acceptation Rate (FAR) (cm. R.Anderson. Security Engineering. A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc. 2001 [1]). Thus, if the decision is made on the principle of "known/unknown", the FRR can be interpreted as the probability of "not to miss" his (to recognize as alien), FAR - as the probability of a "miss" alien (to recognize as his). Obviously, from the point of view of existing applications, it is important that FAR was the lowest possible.

Known descriptions of the various ways of associating biometric data and a cryptographic key. The review described in articles Colin Soutar, Danny Roberge, Alex Stoianov, Rene Gilroy, and B.V.K.Vijaya Kumar, "Biometric Encryption™ using image processing", Proc. SPIE 3314, 178-188, (1998) [2] and Colin Soutar, Danny Roberge, Alex Stoianov, Rene Gilroy and B.V.K.Vijaya Kumar, "Biometric Encryption™ - Enrollment and Verification Procedures", Proc. SPIE 3386, 2435, (1998) [3].

One way is based on the recognition biometric sample, then getting the key to positive solutions. To do this, get a sample and submit it to OCR regarding pre-formed template. Moreover, the recognition and extraction of the key is performed in the subsystem, surrounded by a security perimeter. The key is retrieved only if the sample belongs to the owner of the key.

The main disadvantage is the necessity of the organization of the security perimeter, which is usually associated with considerable costs. It is known that such costs may exceed the cost of what is inside this perimeter. In addition, you must use a secure communication channel through which data is transmitted inside the perimeter. Significant overhead to ensure reliability and efficiency result in a low competitiveness of this method.

Another method is based on using the template as a container for storing a cryptographic key. The key is loaded in the container using a secret transformation. Basically steganographic method. The submitted sample is detected relative to the template. The key is extracted from the template on the fact of a positive decision. However, there is a substitution tasks. D. the I information security (cryptographic key) is converting to a different cryptographic key.

This method has the same drawback as the previous method. It is necessary to organize the security perimeter within which the processing of the information. The disadvantage is that the cryptographic strength is not guaranteed if the template itself is stored outside the security perimeter. The essence of the attack is reduced to the formation of a number of templates (provided that you have access to the appropriate software) for various objects and a fixed key. Further analysis of the patterns can reveal the cryptographic key transformation, responsible for "download" in the container.

The essence of another way - removing bits of the cryptographic key directly from the data template. The disadvantage of this method is the difficulty of forming a template. In addition, the compromise of the key means a compromise of the template and in the vast majority of cases - the compromise of biometric object. The disadvantage of this method is that it is unacceptable by frequent change of key.

Closest to the claimed invention is a method for presenting and retrieving a cryptographic key based on biometrics (see U.S. patent 6219794, IPC G06F 12/14) [4]. Biometric object in this method are fingerprints. The method lies in the fact that cu is tographically key is "mixed" with biometric data using a Fourier transform. The cryptographic key can be retrieved by providing the example of a biometric object, which has previously been used to obtain the template.

The disadvantage of this method is that as the biometric object can only be used fingerprints.

The problem to which the invention is directed, is to create a biometric authentication system with a high level of security and functionality, as well as representation and allocation of a cryptographic key based on this system.

The problem is solved by creating a biometric authentication system that contains the module to provide biometric data and a cryptographic key, the module selection biometric data and a cryptographic key, a lot of users, each of which has a storage device, thus:

the storage device contains a bunch of biometric data with the cryptographic key and other auxiliary information, organized in a database;

module to provide biometric data and the cryptographic key is a block of the input biometric sample, a block of feature selection, bilder, the block generation criptografice is one key, unit generating a reference sample, block the implementation of the hash function, encoder, modulo two, the encoder code block, memory block, the output block input biometric sample of the user is associated with the input block of feature selection, the output of which is connected to the input of biomatera, the output of which is connected to the first input of the modulo two and with the input of block implementation of the hash function, the output of which is connected with the second input of the encoder, the output of which is connected with the encoder input block of code, the output of which is connected with the second input of the modulo two, the output of which is connected to the input of block memory, the output of which is connected to the input of storage device information output unit generating a secret key associated with the first input of the encoder and the input unit generating a reference sample, the output of which is connected to the input of the memory block;

module selection biometric data and the cryptographic key is a block of the input biometric sample, a block of feature selection, bilder, the first modulo two, the second modulo two and a decoder, the block implementation of the hash function, the decoder block of code, the memory unit and the testing unit key, and the output block input biometric sample of the user is associated with the input block of feature selection, the output of which is connected to the input of biomatera, the output of which is azan to the first input of the first modulo two, the output of which is connected to the input of the decoder block of code, the outputs of which are connected to the first input of the decoder and to the second input of the second modulo two, the output of which is connected to the input of block implementation of the hash function, the output of which is connected with the second input of the decoder, the output of which is connected to the input of the testing unit key outputs of the memory block associated with the second input of the first modulo two, the first input of the decoder and the input of the testing unit key.

The claimed method is based on a principle different from the well-known two-step process, which is based on the ways analogues, when performed first recognize, and then, depending on the result, is removing the key. The inventive method is mixing the generated biometric template and a cryptographic key (hereinafter simply "bundle"). Procedure biometric authentication is reduced to the selection of a key from the bunch, followed by testing verify its authenticity. The authenticity of the key means the authenticity of the user. That is, the allocation genuine key means was charged with the pattern of the biometric object that has previously participated in the formation of a template ("correct" sample). The difference of the claimed system and method of the above described ways, the tax is the key is not stored explicitly. And to highlight the key can only showing the correct biometric sample. Otherwise, you need to decide vychisliteljnogo task with exponential volume enumeration.

The claimed invention has several advantages. In the proposed system there is no security perimeter, which allows to significantly simplify and reduce the cost of the system. In addition, the key does not depend on the biometric data and represents a binary sequence obtained by using the true random process or by using a PRNG. Thus, key compromise does not affect the biometric template. Therefore, the key can always be replaced, without changing the template that provides flexible functionality. First, at the stage of registration and education formed the template. Then introduced a cryptographic key and a bunch of template and key. If we assume that the attacker took the bundle, it will not be able to get out of it no key, no template. Moreover, if the attacker grabbed a bunch and even opened a cryptographic key (using power attack to a pair of "plaintext/ciphertext"), the knowledge ligaments and cryptographic key does not allow you to open the template. This ensures a high level of reliability.

To function the mapping system preferably to the module input biometric sample was made with the possibility of scanning and receiving biometric data of the object from at least one user.

For operation of the system it is desirable that as the device information storage for database entries were selected at least one device from a group, including SMART card, RSST-map, long-term computer memory or any other storage device.

For operation of the system appropriate to the module to provide biometric data and the cryptographic key was made with the possibility of receiving data from at least one biometric sample, the formation of the biometric template from the biometric data received from at least one biometric sample, generating a cryptographic key and a reference sample for validation of the cryptographic key, the formation of bundles based on the biometric template and a cryptographic key, entry of this mapping in the database of the memory block, with the possibility of saving the database, at least one storage device.

For operation of the system is essential to as a biometric of the user object on the input of the system was presented, at least one bi is the metric object selected from the group comprising human finger, iris eyes, and others with individual distinctive biometric properties of the objects.

For operation of the system it is important that the module selection biometric data and the cryptographic key of the user has been configured to receive data from one biometric sample, extraction of the media bundles, at least one biometric sample and a cryptographic key, a reference sample for authentication to a cryptographic key, the selection of cryptographic user key from the bunch and authentication of the user by testing the selected key based on the reference sample.

The task is also solved by creating a way of representation and allocation of a cryptographic key based on the biometric data, which consists of the following operations:

in the module to provide biometric data and a cryptographic key:

- receive biometric data from at least one biometric sample in the module input biometric sample;

- process data received from at least one biometric sample in a block of feature selection and biomatera, resulting in a gain normalized biometrica the cue pattern;

- compute block the implementation of the hash function is a hash function from the biometric template;

- generating unit generating a cryptographic key, the cryptographic key;

- generating unit generating a reference sample reference sample for authentication to a cryptographic key;

- put the reference sample in the database of the memory block;

- encrypt the cryptographic key in the encoder; as the key to encrypt the cryptographic key used is the hash of the biometric template;

- calculate the encoder block of code a code word from the received ciphertext;

- calculate the modulo two bit sum code words and the biometric template, resulting in the receive bundle;

- put a bunch of code words and a biometric template in the database of the memory block;

- maintain a database of the memory block in the storage device;

in the module selection biometric data and a cryptographic key:

- receive biometric data sample in the module input biometric sample;

- processes the received data in the module of feature selection and biomatera, resulting in a gain normalized biometric sample;

- remove the database from the device information storage and writes the block of memory module selection biometric data and a cryptographic key;

in the first modulo two calculated bit amount biometric sample and ligaments, resulting in the receive codeword with errors.

- produced in the decoder block code decoding of the codeword with errors, if the biometric template and the sample obtained from various users, the weight of the errors in the code word exceeds the correction capability of the code, in this case, the decoding with the recovery of information symbols is impossible, and "abandoned" the output of the decoder block code formed the sign of refusal decoding, it also means that the authenticity of the user is not confirmed, if the biometric template and a sample obtained from a single user, the differences between them are minimal, and the error in the code word does not exceed the correction ability of the code, in this case, the error correct by applying standard procedures decoding with error correction, and outputs of the decoder block code generated code word with the corrected errors and the corresponding information symbols;

- calculate the second modulo-two bit sum ligaments and code words with bug fixes, resulting in a receive biometric template;

- compute module implementing a hash function is a hash function from biomatrices the first template;

- decode the information decoder sequence (ciphertext)corresponding to the code word with bug fixes, as a result providing the cryptographic key and the decryption key used is the hash of the biometric template;

- extract from the database of the memory block of the reference sample to test key;

- verify the selected cryptographic key based on the reference sample from the database, in case authentication of the selected key to the exit module selection biometric data and a cryptographic key serves a dedicated cryptographic key, the "permissive" output module selection biometric data and a cryptographic key to form a signal of confirmation of the authenticity of a user.

For operation of the system is essential to biometric data sample in the module input biometric sample was obtained by scanning.

For operation of the system it is desirable to process the received data, at least one biometric sample in a block of feature selection and biomatera by the feature extractor module of feature selection and normalization method robust biometric encoding in biomatera.

For operation of the system of alsoobe is but to block the generation of the reference sample encrypt known plaintext at a specified cryptographic key and formed the reference sample, which contains the plaintext and the corresponding ciphertext.

The system preferably selected cryptographic key is checked for authenticity through decryption of the ciphertext of the reference sample at a selected cryptographic key and the subsequent comparison of the open text reference sample.

For operation of the system it is important that the biometric template and the sample was binary sequences.

The technical result of the claimed invention is the creation of a biometric access system and method of presentation/selection of a cryptographic key and user authentication based on biometrics, raising the level of secrecy of the key, reliability, functionality and simplifying the process of forming the system.

For a deeper understanding of the functioning of the claimed invention provide a detailed job description and drawings.

Figure 1 - block diagram of the biometric authentication system according to the invention.

Figure 2 - block diagram of the sequential representation and allocation of a cryptographic key based on bi the metric authentication system according to the invention.

The requested access system includes (see Figure 1) device 1 information storage module 2 to provide biometric data and a cryptographic key, module 3 selection of biometric data and a cryptographic key, modules 4 and 14, the input biometric sample, the blocks 5 and 15 of feature selection, bilderi 6 and 16, the blocks 7 and 20 of the implementation of the hash function unit 13 generating a cryptographic key, the block 12 of the generation of the reference sample, the encoder 8, the adders 10, 17, 19 modulo two, the decoder 21, the encoder 9 and the decoder 18 block of code blocks 11 and 23 the memory unit 22 of the test key, "exemption" outputs 24 and 25 enable exit 26.

The essence of representation and allocation of a cryptographic key based on the biometric access system is illustrated in figure 2 and is that a first for userformed normalized biometric template TAndat least one biometric sample of the userand generated cryptographic key ToAnd. The sequence of binary symbols cryptographic keyAconsidered as a sequence of information symbols some code control errors. After calculation of the code word CAis the artificial introduction of errors. As of Feb is knogo the error vector is normalized biometric template T A. Making mistakes is a by-bit summation modulo two code words WithAand template TA. Thus, the code word error CA⊕TA(where "⊕" operation bit summation modulo two or XOR) and is the essence of a bunch of cryptographic key and normalized biometric template. As follows from the design, to highlight the key you want to perform decoding with error correction. Error correction is carried out in two stages. First bit is the sum modulo two code words with errors CA⊕TAand normalized biometric sample S. If we assume that the sample and the template obtained from the same biometric object, then the differences between them will be minimal. Then by-bit summation code word errors and normalized biometric sample will allow to correct a significant error in the code word. Moreover, if the Hamming weight of the binary vector error remaining after such sum, not to exceed the correction ability of the code, at the final step, the remaining error can be corrected constructive decoding with polynomial complexity. If the biometric sample and the template received from the biometric different objects is x users, the differences between them will be the maximum. Then the conversion will not only allow you to fix a significant share of mistakes, but also will make new mistakes. As a result, the weight of the error will be close to the length of the code word. Therefore, constructive decoding impossible. Moreover, theory States (see G.S.Evseev, "Complexity of decoding for linear codes," Problems of Info. Trans., 19(1) (1983), 3-8 1-6 and [5], A.Barg, "Complexity Issues in Coding Theory", Handbook of coding theory, V.S. Pless and W.C. Huffman, Eds., Amsterdam:, Elsevier, 1998, chapter 7 [6] and Avid, E.Krouk, H. van Tilborg, "On the Complexity of Minimum Distance Decoding of Long Linear Codes", IEEE Transactions on Information Theory, vol.45, no.5, July, 1999 [7])that this decoding is the essence of the NP-hard problem. Justification of the reliability of the method of forming bundles relies on this fact. It should be noted that the choice of code parameters is largely determined by the method of robust biometric encoding, which may vary from one class of biometric object to another (for example, from a papillary pattern of the finger to the pattern of the iris of the eye).

Let us consider in more detail the claimed method of representation and allocation of a cryptographic key based on the biometric data.

Set the initial parameters of the system. Let the set of algebraic linear [n, k, d] code with efficient decoding on the minimum distance. A code word consists of n, and the information follower of the spine consists of k binary digits. Through d denote the minimum code distance. This code can correct no more than t=(d-1)/2 errors (see F.J.MacWilliams and N.J.A.Sloane. theory of Error-Correcting Codes. North-Holland, Amsterdam, 1977 [8]). Linear code with decoding the minimum distance is selected for simplicity. This does not prevent the possibility of the use of any other code.

Then the way/the selection of a cryptographic key and user authentication based on biometric data consists of the following operations (Figure 2):

in module 2 to provide biometric data and a cryptographic key, perform the following operations:

1. Receive module 4 input biometric sample for the userbiometric data from at least one biometric sample.

2. Form in block 5 of feature selection and biomatera 6 for usernormalized biometric template TA(a sequence of n binary digits).

3. Generate (using a true random process or PRNG) in block 13 of generating a cryptographic key long-term cryptographic key KA.

4. Formed in the block 12 forming a reference sample reference sample-based keyA.

5. Enter the reference sample in the database unit 11 to the memory.

<> Calculated in block 7 of the implementation of the hash function is a one-way hash function from the biometric template H(TA). (Here N(·) - one-way hash function. For example, SHA-1, MD5, etc. Cm. .Schneier. Applied Cryptography. Protocols, Algorithms, and Source Code in C. Second Edition. John Wiley & Sons, Inc. 1996 [9]).

6. The cryptographic key KAencrypt the encoder 8. And Y=H(TA) is used as the encryption key, the result is the ciphertext F=EY(KA), where EY(·) is the encryption function.

7. In the encoder 9 block code coding the ciphertext F block [n, k, d]-code with the aim of obtaining a code word WithA.

8. Calculate the bit amount for CAand TAin the adder 10 modulo two (assuming that this is a binary sequence of the same length). The result set.

9. Put the link in the database unit 11 to the memory.

10. Maintain database of block 11 memory device 1 storing information.

In module 3 selection of biometric data and a cryptographic key, perform the following operations:

11. Get in module 14 of the input biometric sample for the userbiometric data from at least one biometric sample.

12. Form in block 15 of feature selection and biomatera 16 for user normalized biometric sample S.

13. Remove from the device 1 storing information database and record it in the memory block 23.

14. Calculate the sumA⊕TA⊕S in the adder 17 modulo two. (After summation code word WithAmay still contain errors.)

15. Perform the decoder 18 block of code, constructive decoding code words with errors CA⊕E, where E is a binary vector of errors. In the result of decoding, there are three possible outcomes:

i) the Weight of the error vector does not exceed t. This means that the biometric sample and the template belong to the same user. All errors will be corrected in the decoder 18 a block of code that reliably recovered information symbols F.

ii) the Weight of the error vector is slightly higher than t, but the error of a given weight fixed to not be. In this case, "exemption" output 24 of the decoder 18 block code is generated fault signal from the decoding, and the "resignation" output 25 of the block 22 test key (this output is also "abandoned" module output 3 allocation of biometric data and a cryptographic key), a signal is generated which indicates that the authenticity of the user is not confirmed.

iii) the Weight of the error vector is significantly greater than t. This means that b is amerykaski sample and pattern belong to different users. In this case, the decoder 18 block of code makes a decision error correction lower weight in another code word other thanAand instead of F restores a random sequence of information symbols [4, 5].

We denote the fixed code word through C. there are No errors in the code word indicates that the C=CAand together WithA⊕TAyou can obtain the normalized biometric template TA=⊕CA⊕TAuser.

16. Calculate the bit sum From⊕CA⊕TAthe code words obtained by decoding, and ligaments WithA⊕TAin the adder 19 modulo two, resulting allocate normalized biometric template TA.

17. Calculated in block 20 the implementation of the hash function one-way hash function from the biometric template Y=H(TA).

18. Decrypting the decoder 21 ciphertext F, resulting produce the cryptographic key KA=DY(F), where DY(·) is the decryption function.

19. Check in block 22 of the test key, the authenticity of the selected key, which remove the reference to the authentication key from the database 21 data and perform decryption reference ciphertext from the database on the key KAand compare about the indoor text with reference plain text of the reference sample. In the case that reference open text open text, the resulting decryption on a dedicated key on the "permissive" the release of 26 module 3 selection of biometric data and a cryptographic key, a signal is generated to confirm the authenticity of the user and moves the selected key.

Here is an example of the choice of code parameters, controlling the error to the claimed invention, in which the biometric object is the iris. In the work J.Daugman, "How Iris Recognition works", IEEE Transactions on Circuits and Systems for VideoTtechnology, vol.14, no.1, January, 2004 [10] published the results of research biometrics iris of the human eye. Biometric template for iris (HORN) is a binary sequence of length 2048. The results of the study include the distribution of Hamming distance for different HORN. In the terminology of the method that forms the basis of this patent, the distribution of the Hamming distance can be interpreted as a weighting of the errors that are made to the code word in two opposite cases, when the sample and the template obtained from the same or from different biometric features. If the decision is made on the principle of "known/unknown", then in the first case we have "his"and the second "alien". Hereinafter in the description of the example under "weight" refers to the EU Hamming.

Weighting error for "his" compared to the "stranger" is the same as the binomial distribution with 249 degrees of freedom, expectation 933 and a standard deviation of 41. Own weighting of recognition errors HORN in constant conditions (camera with a fixed alignment, a constant distance to the object, illumination etc) for "its" is the mathematical expectation of 39 and a standard deviation of 80. Similar distribution when conditions change from measurement to measurement, will have the expectation 225 and standard deviation 133. Assume that you use only one or a limited number of biometric input devices and processing. And for this reason, the variability of the measurement results of the biometric object is minimal. Note that the distribution in [10] was obtained as a result of processing statistics for 4 thousand people. In our example, suppose the expectation is 50 and the standard deviation is 100.

As the code will choose the BCH code with length code words of n=2048, dimension k≥398. This code is capable of correcting binary error weight is not more than t=150. The encoding and decoding of such a code is structurally (with polynomial complexity).

Based on the distribution of weights of errors, the probability that your Boo is no recognized successfully, more than 80% on average once every five trials decisive module will issue a denial. The probability that "someone else" will be recognized as "your", less than 10-45or 2-135.

Consider a situation in which an attacker tries to allocate a cryptographic key based on the ligaments. Then with high probability the Hamming weight of the error, which must be corrected, will exceed t=150. Moreover, with probability 1 to 10-30weight error 301. Obviously, to correct errors such weight a minimum distance of the code must be at least twice more. Thus, decoding at least a distance. Therefore, the attacker is forced to apply a decoding method for random code that is not constructive and is reduced to power attack. It can be concluded that the proposed method provides high cryptographic strength.

The main distinguishing features of the claimed system:

1. The biometric template of the user is not present in the storage device explicitly.

2. Cryptographic key of the user is not present in the storage device explicitly.

3. Cannot authenticate without biometric sample and storage of information with the stored mapping.

4. Without presenting biometric arr is SCA and storage of information with the stored bundle, no cryptographic operations on data impossible.

5. It is impossible to extract the cryptographic key from the storage device information without presenting a biometric sample.

6. If the attacker has taken possession of the storage device (lost or stolen) and revealed a cryptographic key (e.g., using power attack), however, he will not be able to disclose biometric template.

7. From pp.5 and 6 it follows that if an attacker has taken possession of the storage device, it will not be able to reveal different cryptographic key is the same user as the owner of the storage devices, however, will not be able to disclose cryptographic keys that belong to other users.

8. The storage device does not need to be protected.

9. The bundle can always be copied from the memory device storing information in long-term memory of any alternative storage devices without compromising security.

10. From item 9, it follows that Pets backup ligaments in order to minimize the risk of loss of information due to loss of storage devices.

11. Guaranteed certainty of key recovery, if the ligament and the biometric sample agreed template and sample were obtained from one and the CSOs same biometric object.

The application area of the method are wide enough to cover various schemes of distribution media on the Internet. In addition, the method is applicable in systems of pay-TV and will be especially in demand as a mechanism for ensuring the confidentiality of virtual services on the basis of modern network technologies.

1. Biometric authentication system that contains the module to provide biometric data and a cryptographic key, the module selection biometric data and a cryptographic key, a lot of users, each of which has a storage device:

the storage device contains a bunch of biometric data with the cryptographic key and auxiliary information, organized in a database;

module to provide biometric data and the cryptographic key is a block of the input biometric sample, a block of feature selection, bilder, block generating a cryptographic key block generating a reference sample, block the implementation of the hash function, encoder, modulo two, the encoder code block, memory block, the output block input biometric sample of the user is associated with the input block of feature selection, the output of which is connected to the input of biomatera, the output of which is connected with the first whodo the adder modulo two and with the input of block implementation of the hash function, the output of which is connected with the second input of the encoder, the output of which is connected with the encoder input block of code, the output of which is connected with the second input of the modulo two, the output of which is connected to the input of the memory block, the output of which is connected to the input of storage device information output unit generating a cryptographic key associated with the first input of the encoder and the input unit generating a reference sample, the output of which is connected to the input of the memory block;

module selection biometric data and the cryptographic key is a block of the input biometric sample, a block of feature selection, bilder, the first modulo two, the second modulo two and a decoder, the block implementation of the hash function, the decoder block of code, the memory unit and the testing unit key, and the output block input biometric sample of the user is associated with the input block of feature selection, the output of which is connected to the input of biomatera, the output of which is connected to the first input of the first modulo two, the output of which is connected to the input of the decoder block of code, the output of which is connected to the first input of decoder and with the second input of the second modulo two, the output of which is connected to the input of block implementation of the hash function, the output of which is connected with the second input of the decoder, the output of which is connected to the input unit testireba the s key, the outputs of the memory block associated with the second input of the first modulo two, the first input of the second modulo two and a unit test key.

2. Biometric system according to claim 1, characterized in that the module input biometric sample made with the possibility of scanning and receiving biometric data of the object, at least one user.

3. Biometric system according to claim 1, characterized in that as the device information storage for database entries selected at least one device from a group, including SMART card, RSST-map, long-term memory of a computer or other storage device.

4. Biometric system according to claim 1, characterized in that the module is to provide biometric data and a cryptographic key is configured to receive data from at least one biometric sample, the formation of the biometric template from the biometric data received from at least one biometric sample, generating a cryptographic key and a reference sample for validation of the cryptographic key, the formation of bundles based on the biometric template and a cryptographic key, entry of this mapping in the database of the memory block, with the possibility of saving the database, at least in the bottom of the storage device.

5. Biometric system according to claim 1, characterized in that as the biometric of the user object on the input of the system is presented to a human finger or iris or another with individual distinctive biometric properties object.

6. Biometric system according to claim 1, characterized in that the module selection biometric data and the cryptographic key of the user is configured to receive data from one biometric sample, extraction of the media bundles, at least one biometric sample and a cryptographic key, a reference sample for authentication to a cryptographic key, the selection of cryptographic user key from the bunch and authentication of the user by testing the selected key based on the reference sample.

7. The way of representation and allocation of a cryptographic key based on the biometric data, consisting of the following operations:

in the module to provide biometric data and a cryptographic key:

receive biometric data from at least one biometric sample in the block of the input biometric sample;

process data received from at least one biometric sample in the block allocation recognize the s and biomatera, resulting in a gain normalized biometric template;

compute block the implementation of the hash function is a hash function from the biometric template;

generating unit generating a cryptographic key, the cryptographic key;

generating unit generating a reference sample reference sample for authentication to a cryptographic key;

enter the reference sample in the database of the memory block;

encrypt the cryptographic key in the encoder; however, as the key to encrypt the cryptographic key used is the hash of the biometric template;

calculate the encoder block of code a code word from the received ciphertext, which is an information sequence;

calculate the modulo two bit sum code words and the biometric template, resulting in the receive bundle;

put a bunch of code words and a biometric template in the database of the memory block;

maintain a database of the memory block in the storage device;

in the module selection biometric data and a cryptographic key:

receive a biometric sample data in the block of the input biometric sample;

the resulting data is processed in BC the ke of feature selection and biomatera, resulting in a gain normalized biometric sample;

remove the database from the device information storage and record in the memory unit module selection biometric data and a cryptographic key;

in the first modulo two calculated bit amount biometric sample and ligaments, resulting in the receive codeword with errors.

produced in the decoder block code decoding of the codeword with errors, if the biometric template and the sample obtained from various users, the weight of the errors in the code word exceeds the correcting ability of the code and the output of the decoder block code formed the sign of refusal decoding, which means that the authenticity of the user is not confirmed, if the biometric template and a sample obtained from a single user, the differences between them are minimal and the error in the code word does not exceed the correction ability of the code, in this case, the error is corrected by applying the procedure of decoding with error correction, and outputs of the decoder block of code generated code word with the corrected errors and the corresponding information symbols;

calculate the second modulo-two bit sum ligaments and code words with fixed bugs, rez is ltate which receive the biometric template;

compute module implementing a hash function is a hash function from the biometric template;

decrypting the decoder information sequence corresponding to the code word with bug fixes, as a result providing the cryptographic key and the decryption key used is the hash of the biometric template;

extract from the database of the memory block of the reference sample to test key;

verify the selected cryptographic key based on the reference sample from the database, in case authentication of the selected key to the exit module selection biometric data and a cryptographic key serves a dedicated cryptographic key, resulting in the output module selection biometric data and a cryptographic key, a signal is generated on the confirmation of the authenticity of a user.

8. The method according to claim 7, characterized in that the biometric sample data in the module input biometric sample is obtained by scanning.

9. The method according to claim 7, characterized in that processes the received data, at least one biometric sample in a block of feature selection and biomatera by the feature extractor module of feature selection and normalization method robust bi the metric encoding in biomatera.

10. How to claim 7, characterized in that the unit generating the reference sample encrypt known plaintext at a specified cryptographic key to form the reference sample, which contains the plaintext and the corresponding ciphertext;

11. The method according to claim 7, characterized in that the verification of the selected cryptographic key for authenticity is carried out by decrypting the ciphertext of the reference sample at a selected cryptographic key and the subsequent comparison of the open text reference sample.

12. The method according to claim 7, characterized in that the biometric template and the sample are in the form of binary sequences.



 

Same patents:

FIELD: information processing devices.

SUBSTANCE: communication system contains data transfer device, consisting of command transmission block, control block, block for generation of expected value, authentication block, block for measuring response time, block for determining data transfer permission, and data receipt device consisting of command receipt block, block for generating authentication data, block for generating response message, block for transferring response message into data transfer device. Also disclosed are data transfer devices, data receiving devices, data transfer methods, data receipt methods.

EFFECT: increased precision of time measurement, required for transfer of data to communication partner.

14 cl, 16 dwg

FIELD: computing systems, possible use for protecting informational resources in corporate networks.

SUBSTANCE: in accordance to the invention, during registration of user, user identifier and user image identifier signals are assigned and memorized, user inputs identifier and creates corporate network access and service request signal, which is transferred into system core, user image identifier signals are read from memory, authentication of user and his image is performed, and, if user access rank signal is equal to or exceeds acceptable rank, signal is generated to permit execution of actions, description of which is contained in service request signal, where during registration of user, number of mobile device and/or identifier of other source of wireless communications given by user is additionally inputted into memory, prior to taking a decision about access to corporate network by user, a password which is active for one session is generated and sent to the source given by user.

EFFECT: increased protection of systems from unsanctioned access.

3 cl, 1 dwg

FIELD: electric communications, possible use in systems for detecting attacks with a goal of operative detection and prevention of unsanctioned actions in computing networks.

SUBSTANCE: in claimed method (variants), operative detection of unsanctioned actions and reduction of speed of transfer of generated response message packets are achieved in accordance to interaction rules. In first variant, of method, transmission of response message packets to perpetrator occurs during his access of real and fake addresses of computer network clients. In second variant of method, transmission of certain message packets is blocked resulting in imitation of bad quality of communication channel. In accordance to third variant of method, identifier of unsanctioned information streams are recorded resulting in possible detection of unsanctioned actions at initial stage.

EFFECT: increased degree of protection of computer networks from unsanctioned actions, and also bluffing with perpetrator concerning structure of computing networks.

3 cl, 8 dwg

FIELD: digital data distribution systems.

SUBSTANCE: proposed system has open-key infrastructure and functions to distribute digital data from one or more servers or suppliers through network to plurality of users and provides for verifying data integrity and authenticity. Its server saves list of digital data imprints. Other imprint is calculated for this list and supplied to client's terminal. Open-key system client's terminal receives digital data imprint list from first source of this system. Then client's terminal receives imprint for this imprint list both from first and second sources to compare both imprints received.

EFFECT: provision for controlling access to distributed digital data upon their recording by receiving party.

30 cl, 14 dwg

FIELD: access to protected system restriction technics; avoidance of accidental persons access to system.

SUBSTANCE: fingerprint image is registered with following user personality identification. Some peculiarities of papillary pattern coordinates are determined and using difference of coordinates of peculiarities of received fingerprint image and stored in database positive or negative decision to grant access to system is made.

EFFECT: increased level of protection against access of accidental persons.

3 cl, 2 dwg

FIELD: computers.

SUBSTANCE: generator of random alphabet-numeric codes is installed on mail server. Generator generates random alphabet-numeric code, which is valid limited times for a limited time interval. Its graphical representation, called "electronic postage stamp", marks the outgoing mail, and recipient user's server check the compliance of the code in the mail to sender's address, recipient address, validity time and times of usage of "electronic postage stamp".

EFFECT: avoidance of automatic mass-delivery of unauthorized mails and virus distribution.

1 dwg

FIELD: converting primary documents of enterprises into electronic type.

SUBSTANCE: proposed method enables work-out of documents electronically signed by any client with aid of single signing device, client's signature being identified using biometrical data on client which serve as integral part of electronic document and cannot be transferred to other document. Device for affixing electronic analog-digital signature to documents has protective case with built-in opening sensor accommodating memory, secret key content, microprocessor, data input device, biometrical data input device, and port for outputting electronically signed document to peripheral medium or to database. Electronic document is formed upon data input from document and client's biometrical data and signed by means of secret key. Signature is checked by means of open signature key stored in peripheral medium.

EFFECT: facilitated procedure.

13 cl, 1 dwg

FIELD: technology for providing license for controlling digital privileges between server and a set of devices.

SUBSTANCE: in accordance to method, content is transferred from server to devices, which are meant for reproduction of content, while content contains information of license, which includes, in accordance to first variant, identifiers of devices, in accordance to second variant - identifier, meant for identification of domain, to which devices belong, in accordance to third variant, number of times of possible reproduction of content, in accordance to fourth variant - number of devices, authorized to reproduce content. Aforementioned identifiers or information about amount, included in license information, are extracted from received content, and content is reproduced by means of device, if extracted identifier matches own identifier of this device or if a match is valid with amount contained in license.

EFFECT: possible reproduction of digital content on a set of devices using one license.

4 cl, 11 dwg

FIELD: technology for checking authentication and authorization.

SUBSTANCE: method for checking rights of user of end telecommunication device for using a service, while device for accessing telecommunication network receives at least one certificate and identification data from telecommunication end device, after that network control device together with certification device checks, whether certificate, confirming identification data, is valid and whether it has positive status, whether additional privileges are given by additional certificates, and if that is so, then secret data is transferred to access device (session key), which are also transferred to telecommunication end device in form, encrypted by at least an open key, and access device provides free access by taking a decision, appropriate for rights of user of telecommunication network.

EFFECT: simple and efficient authentication and authorization of users for certain services or transactions, performed via telecommunication network.

11 cl, 1 dwg

FIELD: radio engineering, in particular, authentication method for stationary regional wireless broadband access systems, possible use, for example, for protecting transferred data in stationary regional broadband access systems.

SUBSTANCE: in accordance to method, two main procedures are performed - authentication of client station and, also, authentication of base station.

EFFECT: increased protection level of transmitted data in stationary wireless broadband access systems.

4 cl, 6 dwg

FIELD: automatics and computer science, in particular, identification means for controlling access to autonomous resources.

SUBSTANCE: method includes changing identification information during each new query of autonomous resource, which information is used for identification of carrier during following queries to autonomous resources, by including it in algorithmically converted form on information carrier and in database of central device and checking of its correspondence in a row of previous queries to autonomous resources. Each autonomous resource has memory block for storing conversion algorithms and signs of these algorithms and block for reading/recording carrier information. Central device contains at appropriate data bank addresses the virtual memory blocks for storing information for identification of carriers and memory block for storing a set of algorithms for converting code from one type to another and signs of these algorithms, and for each carrier - information storage address which was used during previous accesses. Carrier contains energy-independent additional memory block for recording, storing and reading additional information code after identification of carrier, available both during manufacture of carrier and its submission to autonomous resource.

EFFECT: increased level of protection from unsanctioned access.

3 cl, 1 dwg

FIELD: engineering of methods for cryptographic transformation of data, possible use in communication, computer and informational systems for cryptographic encryption of information and computation of numbers close to random.

SUBSTANCE: device contains two memory blocks, current time moment timer, two concatenation blocks, two hash-function computation blocks, operation block, computing block.

EFFECT: increased complexity of encryption analysis and decreased probability of reliable prediction of next values of pseudo-random series bits while increasing operation speed of generator.

1 dwg

The invention relates to telecommunications, and in particular to the field of cryptographic devices to protect information transmitted over telecommunication networks.The device consists of a S2 blocks controlled substitutions (epmo) 1 and S-1 blocks of fixed permutations (FFT) 2

The invention relates to telecommunications and computing, and more particularly to cryptographic methods and devices for data encryption

The invention relates to the field of telecommunications and computing, and specifically to the field of cryptographic methods and devices for data encryption

The invention relates to the field of telecommunications and computing, and more particularly to methods and devices for cryptographic transformation of data

FIELD: engineering of devices meant for protecting informational resources of computer network connected to external information network from unsanctioned access of users and from transmission of messages.

SUBSTANCE: claimed device contains servers with memory blocks, intermediate memory, commutators, connectors, data exchange lines, control block. Aforementioned servers are made in form of a server of computing network and a server of external computing network, which contain additionally introduced checking blocks.

EFFECT: increased degree of protection afforded to interaction of external and local networks and realized registration of all messages transmitted between networks for purposes of logging the exchange of information.

1 dwg

FIELD: computing systems, possible use for protecting informational resources in corporate networks.

SUBSTANCE: in accordance to the invention, during registration of user, user identifier and user image identifier signals are assigned and memorized, user inputs identifier and creates corporate network access and service request signal, which is transferred into system core, user image identifier signals are read from memory, authentication of user and his image is performed, and, if user access rank signal is equal to or exceeds acceptable rank, signal is generated to permit execution of actions, description of which is contained in service request signal, where during registration of user, number of mobile device and/or identifier of other source of wireless communications given by user is additionally inputted into memory, prior to taking a decision about access to corporate network by user, a password which is active for one session is generated and sent to the source given by user.

EFFECT: increased protection of systems from unsanctioned access.

3 cl, 1 dwg

FIELD: devices and methods for controlling content reproduction.

SUBSTANCE: content reproduction device contains an accumulator block, meant for storing a list of source ID and system recognition information, block for taking the decision about reproduction control system, first block for determining possibility of reproduction, meant for taking the decision that reproduction control system represents a first system, about possible reproduction of content, on basis of whether the source ID added to content is present in source ID list, second block for determining reproduction possibility, meant for taking decision in case if it is determined that reproduction control system represents a second system, about possibility of content reproduction, on basis of information about conditions of license usage, enclosed with content, and reproduction realization block, for which a decision was taken about possibility of its reproduction.

EFFECT: control of content reproduction in accordance to a set of methods for controlling copyright.

2 cl, 63 dwg

FIELD: computer systems and information processing systems.

SUBSTANCE: in accordance to the invention, generation of services of information processing system is performed from a set of functional blocks accessible to user (situated on different servers of system); working information of user is subjected to transformation, unique for each access of user to information processing system, information about storage of user account are is also subjected to unique transformation for given case and stored in other locations of information processing system. In case of repeated access, the user after passing his identification and authentication procedure, provides identifying features known to him, and parts of his working information are called to his workplace.

EFFECT: mobility of user during selection of workplace, communication channels and information storage locations; reliable protection and guaranteed restoration of information in case of accidental loss of its parts; no need to memorize passwords, keys and locations where parts of information are stored.

7 cl, 5 dwg

FIELD: device, software and method for processing a license.

SUBSTANCE: license source block contains a message creation block, meant for creating a message, including a license, manipulation type which determines license processing type between license source block and license assignment block, and block attribute, which determines attribute autonomously. License assignment block for receiving a message, including a license, manipulation type, determining type of license processing between license source block and license allocation block, and block attribute, determining attribute of license source block, and also license processing block, meant for processing of license, received from message receipt block, on basis of manipulation type and block attribute. Methods describe operation of license source block and license assignment block.

EFFECT: expanded functional capabilities due to possible transfer of content during content exchange for limited use of content.

6 cl, 38 dwg

Up!