As an initial matter, it is noted that a device for capturing, acquiring or detecting at least one biometric trait may be referred to as a ‘signature generation unit’ in the following. Such a signature generation unit may, for example, comprise one or more technical or hardware devices for capturing, acquiring or detecting at least one biometric trait of a natural person, who will electronically sign an electronic dataset.
Electronic datasets in the sense of the present invention may be any types of electronic documents, for example, and not limited to, PDF files, Word files, XML files, or other files or data that can be processed in a database by known programs or software packages.
The term “transmission” as used herein generally relates to any type of transfer, transmission, sending or conveyance of information from one device to another device. In this respect, a transmission may be effected both via active transmission (e.g., via Bluetooth or WLAN) and via storage and retrieval (e.g., a mass-storage protocol or a network attached server ‘NAS’). The protocol used in this case (e.g., TCP/IP, HID or a proprietary protocol) is as irrelevant as the resulting type of information distribution during transfer, e.g., breakdown into packets of a predetermined size (e.g., in HID or TCP/IP), or transfer as a whole, e.g., as a continuous data stream (as used in a serial interface, mass-storage devices or possibly even proprietary protocols). The transmission medium (e.g., cable, radio waves, infrared, optical fibers, etc.) is also unaffected by this definition.
The term “display area” as used herein basically refers to any kind of technical or hardware device for two- or three-dimensionally displaying electronic data, e.g., an LCD display, TFT display, E-paper display, OLED display, a projection screen, etc. More particularly, any type of known graphical, single-colored or multi-colored visualization device should be understood as falling within the scope of “display area”.
The biometric traits may be captured, acquired or detected by any suitable device, e.g., a camera configured to scan or capture, for example, the iris or a fingerprint. Other suitable technical or hardware devices may include: capacitive or resistive touch sensors, load cells or an active pen with position determining devices (for example, a commercially-available graphic tablet or tablet PC with a stylus) for capturing, acquiring or detecting the biometric data of a signature, a microphone for capturing or recording a voice sample, etc. Further, a signature generation unit may also comprise suitable signal processing devices (e.g., chips, processors, memories, etc.), e.g., for carrying out encryption operations. Appropriate electronic biometric datasets are generated based upon the captured biometric traits.
In recent years, many laws and regulations regarding electronic signature of electronic datasets, so-called “electronic signatures”, have been passed. A subset of electronic signatures is ‘digital signatures’, in which, for example, an asymmetric key pair consisting of a secret private key and an associated public key is used (see, for example, known asymmetric encryption methods such as PGP and RSA).
One possible advantage of these asymmetric encryption methods is that data encrypted or signed with an asymmetric key cannot be decrypted with the same key. Instead, the corresponding other asymmetric key of the same key pair has to be used. If a checksum has been encrypted with a private key, the associated public key must be used for its decryption. Only in this manner can the checksum be verified later on.
One possible disadvantage of such digital signatures is that the owner of the signature (i.e. the signer) must carry around a private key (e.g., provided by a certificate supplier) that is associated with the signer. A recipient of the digital signature may then verify the signed document by using the public key, which corresponds to the private key of the sender, and attribute it to the person who signed the electronic document.
An additional or alternative way of using such person-specific asymmetric keys for electronic signature is the use of biometric traits or electronic biometric datasets based thereon. Such biometric datasets may include, for example, a digitalized signature with an image and, when appropriate, one or more of pressure and time elapsed (e.g., signing rhythm), digitalized iris scan, digitalized hand geometry data (e.g., palm print), digitalized fingerprint, digitalized voice sample, etc. All these biometric data can be associated with the signer as part of the electronic signature. In this case, instead of an association of the key pair with the signer, such biometric data serve as one or more characteristics or traits for identifying the signer.
Various methods for linking or associating biometric data with electronic datasets are already known and generally include the encryption of a biometric dataset and the subsequent linkage of the encrypted biometric dataset with an electronic dataset (see, for example, US 2008-0010218 A1, EP 1 944 716 A1 and its US counterpart US 2010-0106973 A1, U.S. Pat. No. 5,297,202, and U.S. Pat. No. 5,195,133). These methods may, however, also exhibit one or more of the following disadvantages.
In methods utilizing only a few encryption steps, the biometric dataset is linked only with the electronic dataset or with a checksum of it (e.g., a hash function such as SHA-1, SHA-2, Tiger, SHA-256, etc., performed on the electronic dataset or its display-relevant content). In this case, the checksum may be generated only for the electronic dataset. As a result, a reliable way of verifying whether the encrypted biometric dataset has been manipulated, modified or damaged after the biometric dataset has been linked with the electronic dataset might not exist. Another possible disadvantage is that an integrity verification of the document always involves the decryption of the biometric dataset. A decrypted biometric dataset, however, could be decoupled from the electronic dataset that was originally electronically signed and then misappropriated as a blank endorsement (signature) for other electronic documents, because the linkage, i.e. the connection of the biometric dataset to the electronic dataset, is secured only by its encryption.
EP 1 944 716 A1/US 2010-0106973 A1 also discloses the use of a plurality of checksums and the use of two asymmetric key pairs in order to, on the one hand, safeguard the association of the biometric dataset with the electronic dataset and, on the other hand, to also safeguard the integrity of the biometric data by using a second checksum.
In the first method, when the biometric dataset is decrypted and verified, it can only be determined whether the biometric dataset is intact. The second type of method requires a relatively high computing speed to carry out the plurality of encryptions of the plurality of checksums, mostly with the aid of a plurality of asymmetric key pairs. For this reason, this type of method is currently offered mostly only for use with a fully equipped computer, i.e. a data processing device. A computer, however, is regarded as an insecure environment, because keys stored or archived there might possibly be read out or downloaded and/or the operation itself might be affected by Trojan horses or hackers. Moreover, in this multiple-step method, a question is often raised whether a second checksum that represents the electronic document and the biometric dataset contained therein actually pertains to the original document, as the key used for encryption, e.g., a private key, is different from, or belongs to a different asymmetric key pair than, the key used to secure the biometric dataset as well as the linkage of the biometric dataset with a first checksum. Mapping the key pairs to each other, or to the signature device or computer used, can entail a relatively complex logistical effort. This may render a method complex and in need of much explanation.
All methods may have in common that the first checksum safeguards the integrity of the electronic dataset. However, this particular checksum, which is directly connected with the encrypted biometric dataset and the process for capturing the biometric data, should also safeguard the integrity of the encrypted biometric dataset, as only this dataset can be indisputably associated with the capturing process. Hence, this first checksum is the only indisputable evidence for the integrity and the matching of the electronic dataset and the identifying trait and/or the authorization of the signer—with the assistance of the encrypted biometric dataset.
A second checksum may also safeguard the integrity, because it is not securely linked with the biometric dataset according to the known methods. However, this second checksum may not safeguard the matching or association, i.e. the second checksum may possibly only ensure that the encrypted biometric dataset secured therewith is unmodified after having been generated. Thus, this second checksum may not yield a reliable conclusion as to whether these encrypted biometric traits were actually captured at the time of signing of this electronic dataset.
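As an added illustration that is not part of the patent text, the following Python sketch contrasts the two linkage approaches discussed above: signing a checksum that covers only the electronic dataset (so the attached encrypted biometric dataset stays unbound and can be swapped undetected), against signing a first checksum that covers both the electronic dataset and the encrypted biometric dataset. The toy RSA pair built from two Mersenne primes, the unpadded signing, the sample document and the opaque blobs standing in for encrypted biometric datasets are all constructed assumptions for this example and not a real signature scheme.

```python
"""
Constructed example: why the first checksum should cover the encrypted
biometric dataset as well as the electronic dataset.  Toy RSA only
(no padding, small modulus); the 'encrypted biometric dataset' is an
opaque constructed byte string, since its content is irrelevant here.
"""
import hashlib

# Toy key pair from two Mersenne primes (assumption for illustration).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)


def checksum(data: bytes) -> int:
    """SHA-256 of the data, reduced modulo the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(value: int) -> int:
    """'Encrypt' a checksum with the private key (textbook RSA signing)."""
    return pow(value, D, N)


def verify(value: int, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare."""
    return pow(signature, E, N) == value


def _encode(document: bytes, enc_bio: bytes) -> bytes:
    """Length-prefixed concatenation, so that moving bytes between the two
    fields cannot produce the same checksum input."""
    return len(document).to_bytes(4, "big") + document + enc_bio


def weak_link(document: bytes, enc_bio: bytes) -> dict:
    """Known-method style: only the document checksum is signed; the
    encrypted biometric dataset is merely attached."""
    return {"document": document, "enc_bio": enc_bio,
            "sig": sign(checksum(document))}


def weak_verify(pkg: dict) -> bool:
    return verify(checksum(pkg["document"]), pkg["sig"])


def bound_link(document: bytes, enc_bio: bytes) -> dict:
    """First checksum covers the document AND the encrypted biometric
    dataset, so neither can be replaced without breaking the signature."""
    return {"document": document, "enc_bio": enc_bio,
            "sig": sign(checksum(_encode(document, enc_bio)))}


def bound_verify(pkg: dict) -> bool:
    return verify(checksum(_encode(pkg["document"], pkg["enc_bio"])),
                  pkg["sig"])


def with_replaced(pkg: dict, field: str, value: bytes) -> dict:
    """Return a copy of the package with one field substituted, modelling
    the decoupling/substitution problem described above."""
    new = dict(pkg)
    new[field] = value
    return new


# Constructed sample inputs.
DOCUMENT = b"Loan agreement no. 4711 (constructed sample)"
EDITED_DOCUMENT = b"Loan agreement no. 4712 (constructed sample)"
ENC_BIO_A = hashlib.sha256(b"constructed ciphertext A").digest()
ENC_BIO_B = hashlib.sha256(b"constructed ciphertext B").digest()


def demo() -> dict:
    """Run both schemes through the same substitutions."""
    weak = weak_link(DOCUMENT, ENC_BIO_A)
    bound = bound_link(DOCUMENT, ENC_BIO_A)
    return {
        "weak_intact": weak_verify(weak),
        "weak_doc_edited": weak_verify(
            with_replaced(weak, "document", EDITED_DOCUMENT)),
        "weak_bio_swapped": weak_verify(          # swap goes unnoticed
            with_replaced(weak, "enc_bio", ENC_BIO_B)),
        "bound_intact": bound_verify(bound),
        "bound_doc_edited": bound_verify(
            with_replaced(bound, "document", EDITED_DOCUMENT)),
        "bound_bio_swapped": bound_verify(        # swap is detected
            with_replaced(bound, "enc_bio", ENC_BIO_B)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} verifies: {ok}")
```

Both schemes detect an edit to the document itself, which is the property all known methods share; only the bound variant also detects a replaced biometric blob, which is the matching-and-integrity guarantee the first checksum is argued to need.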
All previous methods may further have the disadvantage that, in an environment in which not only an electronic signature is carried out but also in which the signer should be automatically identified, the biometric traits have to be transmitted to a verification engine (in most cases, software on a computer or server) for the identification operation without having a linkage with the electronic dataset. At this particular point in time, however, the biometric data may be intercepted or copied and possibly misappropriated for some other purpose.
Up to now, the only alternative has been the possibility of shifting the entire verification, i.e. the comparison of biometric traits with reference samples, into the signature generation unit, with which the biometric traits are captured. In practice, however, the required computing speed, as well as the transmission of the reference samples into the signature generation unit and/or the secure distribution thereof to all necessary signature generation units, are an obstacle to such an approach. In the context of banking applications, for example, it cannot be assumed that the customer to be verified will always go to the same branch or even use the same signature generation unit at the branch.
Moreover, the main focus may be on the efficiency of the method, so that it need not be carried out on a high-speed but insecure computer, but rather, for the most part, in a secure device with a slower computing speed that also simultaneously captures the biometric data.
The present teachings may be utilized to solve one or more of the above-mentioned problems, or at least to provide an improved approach for solving one or more said problems, or even other problems not mentioned herein.