There is an increasing need for secure identification of individuals. This is most reliably undertaken by means of biometric recognition methods. A substantial amount of research and development is being undertaken to develop biometric identification technologies that are cost effective, easy to use and with security sufficient for the needs of the intended application. Various biometric techniques have been developed, based on reading different biometric characteristics. These include techniques based on fingerprint recognition, facial recognition, iris recognition, retinal recognition, voice recognition, heartbeat recognition, DNA recognition, and others.
A disadvantage of conventional biometric systems is that they store users' biometric information in a central database, which can result in significant privacy and security risks if the central database is compromised—especially since biometric data cannot be revoked and replaced.
An alternative current approach, aimed at overcoming the above disadvantage of the central database method, is to undertake the biometric identification in a personal device, thereby ensuring that a user's biometric information is retained within said user's personal device. Existing biometric identification systems using such personal devices usually operate by (i) taking a biometric reading to identify the user and, if the user is positively identified, unlocking a memory portion of the personal device; (ii) using information stored in said memory portion to undertake actions, said information including for example cryptographic keys, digital certificates, etc.; (iii) separately establishing a secure communications link between the personal device and other devices with which the personal device needs to communicate and exchange information. This approach, while it does restrict the user's biometric information to the personal device, has significant disadvantages:                usually the personal device, once unlocked, can be used by anyone, at least for a period of time, without a device at the other end of said communications link being able to positively determine who is using the personal device—hence once the personal device is unlocked there is no ongoing assurance that information communicated to or from the personal device is being sent or received by the authorized user of the personal device;        there is no guaranteed correspondence between the information stored in the personal device and the authorized user's biometric identification—this correspondence is inferred since the personal device must be unlocked biometrically to access the information stored in said memory portion, but in fact said stored information does not necessarily correspond to the biometrically identified user.        
For these reasons the usual personal device method is generally not suitable for biometrically identifying and securing transactions on a network, where the user to be identified will usually be remote from other persons or devices with which said user is undertaking a transaction.
There has in recent years been a good deal of research and development activity aimed at linking biometric to cryptographic functions in order to be able to (i) reliably remotely identify individuals and (ii) secure information transfers. Citation #1 (see below) describes three categories of technique that are being investigated. These can be summarized as follows.                1. The “key release method”, in which cryptographic keys are released for use as a result of a valid biometric reading. This is the type of approach used in current portable biometric devices and suffers from the abovedescribed disadvantages.        2. Biometric key generation, in which cryptographic keys are generated directly from one or more biometric readings. This approach presents significant technical challenges that have not yet been satisfactorily resolved, except possibly for DNA-based biometrics, in that the data obtained from a biometric reading will usually differ from one instance to the next. For example, according to Citation #2 below, 10-15% of pixels in a typical iris scan will vary from scan to scan. A further disadvantage of this approach is that it does not allow maximum flexibility in the selection or derivation of cryptographic keys, which for security reasons should preferably be changed from time to time.        3. The “key binding” method, in which cryptographic keys are bound to biometric data collected at the time of user enrollment.        
Citation #3 below describes a network-based biometric identification and information transfer system using the key binding method. In this system the cryptographic keys and biometric data are stored in remote servers and the cryptographic keys are not generated locally to the user. Hence the abovedescribed privacy and security issues associated with conventional biometric systems are not addressed by the system described in citation #3—the biometric data and cryptographic keys can both be compromised if the server security is penetrated. Furthermore, the system described in citation #3 uses static cryptographic keys 7 i.e. the keys are bound to a user's biometric data at the time of enrollment are not subsequently changed. Hence if a user's cryptographic keys are compromised (i.e. made known or worked out) the user must re-enroll in order for a new set of cryptographic keys to be allocated.
Citation #4 below describes a system in which a portable device stores cryptographic keys that are used in communicating with a remote device when a biometric reading is taken by the portable device. The method used in citation #4 is not the key binding method, however, as it involves using the cryptographic keys stored in the portable device regardless of whether there is biometric authentication of the user of the portable device. The cryptographic keys stored in said portable device are used simply to ensure secure communications between said portable device and said remote device. Each time a biometric reading is taken, said portable device cryptographic keys are used to transmit the results of the biometric verification to said remote device, regardless of whether or not the biometric verification indicates the user to be an authorized user. Use of the cryptographic keys stored in said portable device is not bound to biometric data corresponding to an authorized user. In fact, use of the cryptographic keys is not in any way dependant on the outcome of a biometric process, and so the method described in this patent is neither the key release method nor the key binding method.