Blockchain Fintech – Laurel Fielding, Tewodros Mulatu, Netcomm Inc

Abstract for “System and Method for Digitally Signing Documents Using Biometric Data in a Blockchain or PKI”

A system and method is executed on one or more servers and interfaces with a Database Management System. This allows for electronic signing and exchanging of documents with or without a private key. A card reader can read the embedded biometric key on a PIV card and send the private key to a node with the corresponding public keys on the X.509 certificates. The private biometric key in the PIV card is used to generate the public key. The X.509 certificate contains information that is used to authenticate a user, such as using the SSH protocol. The biometric data is used to create a biometric hash at the subscriber node if a PIV card does not exist. A plurality of observer nodes validate the subscriber’s hash by sending validation replies based on the hash ledger states at each observer. If the majority of the observer nodes validate the biometric hash, the subscriber can sign documents in any role that he or she may hold within an organization.

Background for “System and Method for Digitally Signing Documents Using Biometric Data in a Blockchain or PKI”

A legal digital signature is a digital signature that has been validated against the organization’s authentication infrastructure. If it conforms to the regulations it was created under, this type of signature has the same legal status as a handwritten one. Digital signatures can be used in e-commerce and regulatory filings to secure electronic signatures. The standardization agencies NIST and ETSI provide guidelines for their implementation (e.g. NIST-DSS, XAdES, or PAdES). U.S. Pat. No. 9,495,546 describes an electronic signing process.

Various point-to-point secure communication protocols provide cryptographic encryption for applications that communicate over client-server networks, protecting against eavesdropping, tampering and message forgery. SSH is a set of standards and associated protocols that allows for the establishment of a secure channel between local and remote computers. This protocol authenticates remote computers using public-key cryptography.

U.S. Pat. No. 8,990,572 discloses the ability to conduct secure smart card transactions using mobile devices. Federal Information Processing Standard Publication 201 (FIPS) is a United States federal standard that specifies Personal Identity Verification (PIV) requirements for Federal employees as well as contractors. A PIV card can be used to authenticate identity and control information access. Any pocket-sized card with an embedded circuit can be used as a PIV card. An electronic device that can read information from PIV cards is a PIV card reader. FIG.

It is also possible to apply biometric data features to a hash generator that uses boundaries to generate a hash. This is then used to generate biometric keys. FIG. 2 is a block diagram showing the basic operation of an iris biometric encryption system. It uses either a biometric template or a hash of biometric keys. FIG. 3 is a block diagram of a quantization system, used in the system of FIG. 2, that creates intervals for every element of the biometric feature vector. The biometric keys are created by mapping the features into the intervals.

US Publication #20150143511 discloses biometric accessibility controls. U.S. Pat. No. 7,481,364 describes a biometric identification device that can be used with smart cards. U.S. Pat. No. 9,589,260 describes authenticating electronic cash using a smartcard that receives a biometric signature from a user and sends recognition-complete information to a communication device when the biometric signature matches a previously stored biometric. U.S. Pat. No. 9,323,914 describes a smartcard with partially or completely virtualized components, which maximizes confidentiality of stored data using digitized unique biological identifiers.

Multi-factor authentication (MFA) is a method for computer access control that requires a user to present multiple pieces of evidence to an authentication mechanism. Typically, at least two of these categories are met: possession (something they possess) and knowledge (something they know). Two-factor authentication, also known as 2FA, is a method to confirm a user’s identity using a combination of two components. An example of something that a user knows is a personal identification number (PIN), and a PIV card is something that the user has. Documents can be digitally signed when the user authenticates with the PIN and other information from the PIV card.

There are many ways to e-sign documents. Adobe’s PDF documents can be e-signed by inserting signature images (e.g. handwritten signatures) within the documents. DocuSign (https://www.docusign.com/products/electronic-signature) uses a system and method for approvals of agreements based on e-signatures. DocuSign can be embedded into existing websites, portals, or applications.

Asymmetric cryptography employs a pair of mathematically related keys, known as public keys and private keys. This eliminates the need for the communicating parties to have prior knowledge of a shared secret key, as in symmetric key cryptography. Asymmetric key cryptography uses public key infrastructure (PKI). This is a well-known system to secure information. These systems allow a party to digitally sign messages using a randomly generated private key. A party at another station verifies the signature with a distributed public key derived from that private key. Public keys are distributed to the participants in the system by corresponding certificates. These certificates are also known as Public Key Certificates. They are issued by trusted parties called Certificate Authorities (CAs). PKI allows communicating parties to authenticate each other and use the public key information contained in certificates to encrypt or decrypt messages.

By digitally signing the certificate, a certificate authority (CA) attests that it belongs to the identity. This means that the certificate is signed by the CA. The CA is often a trusted third party that issues digital certificates for communicating parties. The trust requirement requires that the CA verify identity credentials of all parties. If the parties trust the CA and are able to verify its signature, it is presumed that they can also verify that the public key belongs to the person identified in the certificate.

Applications can often grant access to resources based upon the credentials provided by the user. These applications typically verify the identity of users and allow them to access resources based upon their roles. Roles are used to enforce policies in business and financial applications. An application may, for example, limit who can sign documents based on whether they are members of a specific role. Role Based Access Control is done via X.509 extensions. X.509 defines formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm.

U.S. Pat. No. 8,775,809 describes biometrics-based signatures. A verifier obtains a first biometric template of an individual to verify based on a fingerprint. The verifier receives a first and a second biometric template and then verifies the digital signature using the public key. The first biometric template received is then compared to the second biometric template received. If a match occurs, it can be confirmed that neither the digital signature nor the second biometric template has been altered by an attacker to impersonate the individual. However, biometric templates can be used as public keys and shared with other nodes. This undermines the privacy of the biometric data.

US Publication #20020176583 reveals a public key infrastructure that relies on fingerprints that are presented to an authority of the public-key infrastructure. After reading the biometric data from the fingerprint of the user at a biometric input device, the biometric data are signed with the authority’s private key. The PKI infrastructure will send a certification request with the public key and signed biometric data. After the authority has verified and registered the received data, the biometric data are stored in a database and the corresponding certificate is issued. The token contains the certificate. The public-key infrastructure permits signing and encrypting digital messages using digital signatures. This allows a third party to rely on the certificate. Because the biometric data is stored in a database, it can be used as proof in the event of fraud. It is common to use biometric data that has been certified by PKI to sign messages.

US Publication #20040059924 describes a biometric signature system. It uses biometric private keys (BioPKI) and a digital signature. BioPKI makes use of a combination of biometric technology and industry-standard PKI to create digital signatures. BioPKI uses public key cryptography to encrypt biometric signature information and send it to the BioPKI server.

U.S. Pat. No. 9,037,851 describes a user authorization system that allows authorization management using a PKI issuing server. This server issues a PKI certificate including a subscriber’s biometric signature. A sensing device that recognizes biometric patterns is included in the system. It stores the subscriber’s biometric signature as well as a PKI certificate (e.g., an X.509 certificate) that verifies that the user is authentic. If the biometric pattern of the subscriber matches that of the smart card, the smart card sends a signal to it and transmits authorization information derived from the PKI certificate. The disadvantage of the prior art is that biometric data is not used to generate the private and public keys. This makes it vulnerable to fraud if the infrastructure for PKI is compromised.

U.S. Pat. No. 7,188,362 describes a smartcard that digitally signs messages using biometric data. The smart card includes an encryption module and a random number generator. In an enrollment mode, the biometric data analyzer receives user biometric data and triggers the random number generator to create a public and private key. The smart card’s tamper-resistant chip stores the private key. The public key is sent to an external device such as a computer. After verifying biometric data, the smart card digitally signs all incoming messages during a signing mode using a card reader interface. This prior art has a drawback in that biometric data is used to randomly generate the private and public keys. If the generator infrastructure is compromised, it is susceptible to fraud.

Blockchain technology has been established. A blockchain is a continuously growing collection of records called blocks that are linked and protected using cryptography. Blockchains are designed to be indestructible. Blockchains can be used as distributed ledgers that record transactions between two parties in an efficient, verifiable, and permanent manner. FIG. 4 shows a flow chart of a blockchain that enables users to send money to other users. FIG. 5 illustrates how data blocks are linked together using hash functions that are based on a Merkle table, which acts as a hash ledger. Blockchain infrastructure has an advantage over centralized infrastructures such as PKI, which use central ledgers: because distributed hash ledgers are used, a blockchain is more difficult to compromise.

With the expansion of workflow-based document exchange platforms, it is necessary to integrate and utilize existing platforms for user verification. A system and method that uses existing PIV card platforms is needed to enable verified users to sign documents in any format. This will allow counterparties to exchange documents using existing PKI infrastructures. Another example is the need to have a system and method that utilizes biometric data and user groups to eliminate the need for an authoritative central PKI authority.

Briefly, according to one embodiment of this invention, a method for signing and exchanging electronic documents is executed on servers that interface with a Database Management System (DBMS). Documents are signed using biometric information of the subscribers who sign the documents, captured as biometric data blocks. A subscriber node generates a biometric key that includes a biometric hash. This is derived deterministically using biometric feature elements from the biometric data blocks. A quantization scheme is used to construct intervals for each biometric feature element, and the biometric feature elements are mapped into the intervals. The biometric hash is sent to a plurality of observer nodes. A plurality of responses is received from the plurality of observer nodes. Each response validates or invalidates the biometric hash according to the state of the biometric hash ledger associated with the subscriber at each of the plurality of observer nodes. Based on the time stamp sent by the subscriber node, the subscriber is authenticated. If the subscriber has been authenticated, and if a PIN is entered, the subscriber can sign the document.

According to some of the more specific features of this embodiment, a plurality of flow engines are executed at each node used by subscribers and observers. These include a first flow engine that forwards the subscriber’s biometric key and a plurality of second flow engines that forward biometric keys derived using biometric data associated with observers. They also exchange biometric keys between subscriber nodes and observer nodes. Workflow engines that assign tasks to subscribers can be part of the flow engines. One method uses the biometric hash in a block on a blockchain that is associated with the subscriber and authenticates the subscriber using asymmetric cryptography that is based upon using the biometric as a shared secret of the symmetric cryptography. Another way is to use the biometric hash in a block associated with the subscriber. This method authenticates the subscriber using an asymmetric cryptography method that uses the biometric as a private key, and a certificate that contains a public key derived from the biometric.

According to another embodiment, a method can be executed on servers that interface with a Database Management System for exchanging and signing documents electronically. Documents are signed using biometric information stored on cards. A biometric key is required to be stored on a card that is given to the user. The biometric key can be described as a hash that is determined from elements of biometric information associated with the user. It is created using a quantization scheme which constructs intervals for each element. The intervals are used to map the biometric features. This involves receiving the private biometric keys from a card reader via a network of nodes using a PKI infrastructure with a CA, and then receiving a certificate that contains a public key that was derived from that hash. Based on the card’s private biometric key and the public key, the card is authenticated. If the card has been authenticated and an entered PIN verifies the identity, the user can sign the document.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 5 illustrates how data blocks are linked together using a Merkle table.

FIG. 7 is a block diagram of an implementation of the invention via a card reader.

FIG. 8 shows a block diagram of a Business Support System (BSS) implementing the present invention on a Software-as-a-Service (SaaS) platform.

FIG. 11 is a block diagram showing how biometric verification could be implemented in this invention.

FIG. 13 shows a flow chart of the invention that implements user verification using a card reader and a biometric reader.

FIG. 14 shows a flow chart of the invention that implements user verification using a card reader with PIV cards without a biometric reader.

FIG. 16 shows a flow chart of the invention that implements biometric data as the private keys, 2FA passphrases and distributed user community validation using blockchain.

FIG. 17 depicts an entity diagram for the FIG. 16 flow diagram of the present invention, showing the class structure of observers and subjects.

The present invention employs a digital signature client program that communicates with SaaS-based software located in a large area network on the internet. As described below, a database management system (DBMS) stores digital signatures and signed documents. Organizations can use the implemented signature technology to create secure cryptographic signature controls that can be deployed among subscribers or users of the system, such as employees or customers. The protocol allows for safe transmission of embedded biometric key information from subscribers or users. The biometric key information can either be captured instantly by a verification device that interfaces with the subscriber/user, or it can be read from a card reader that interfaces with the subscriber/user.

In one embodiment, the invention allows users with Personal Identity Verification (PIV) or Common Access Card (CAC) cards to digitally sign documents using biometric data stored on their cards using MFA. The invention can be used to store biometric data that is derived from fingerprints, iris scanning and genetic recognition. The present invention embeds a biometric key that belongs to the user in magnetic strips or chips. This key can be used to sign any file or document of any format such as PDF, Excel and Word. The biometric key is able to sign embedded code, binary, images, or graphics in any number of input layers.

FIG. 7 shows an embodiment of the invention. It enables organizations to connect with their existing PKI infrastructure by using the organization’s PIV/CAC smart card to digitally sign any document format. Cards communicate over HTTPS with an organization’s Business Support System (BSS). The cards use PKI certificates such as X.509 certificates to store roles as extensions on the cards. This embodiment embeds biometric data from the user in the PIV card, which can be used to verify digital signatures. The private biometric keys of the users are used to generate the public key.

As shown in FIG. 2, features of biometric data are used as input to a hash generator. FIG. 2 illustrates the enrollment and authentication process according to the invention, using a biometric template. A biometric input (e.g. data blocks) is applied to a majority decision block to extract feature element vectors that create a biometric hash associated with subscriber/user attributes.

The biometric hash generator processes interval borders to generate the private biometric keys deterministically rather than randomly. FIG. 3 shows a quantization scheme. This can be used in the enrollment/authentication process of FIG. 2 to create intervals for each element in a biometric feature vector. This is done by mapping the biometric elements into the intervals. Quantization takes the biometric data input (data blocks) and applies the biometric features to an interval definition block. An interval encoding block then uses the interval definitions to map the biometric features into intervals and generate a biometric hash.
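The quantization step described above can be sketched as follows. This is an added example, not code from the patent or from Netcomm: the equal-width interval borders, the SHA-256 encoding of the interval indices, the function names and the sample feature vectors are all assumptions made for illustration.

```python
import hashlib
from bisect import bisect_right


def build_borders(low, high, n_intervals):
    """Interval definition: equal-width borders splitting [low, high) into
    n_intervals intervals (equal width is an assumption of this sketch)."""
    step = (high - low) / n_intervals
    return [low + step * i for i in range(1, n_intervals)]


def quantize(features, borders_per_element):
    """Interval encoding: map each feature element to its interval index."""
    if len(features) != len(borders_per_element):
        raise ValueError("feature vector and interval definitions differ in length")
    return [bisect_right(borders, value)
            for value, borders in zip(features, borders_per_element)]


def biometric_hash(features, borders_per_element):
    """Derive the hash deterministically from the interval indices.
    SHA-256 over a comma-joined index string is an assumed encoding."""
    indices = quantize(features, borders_per_element)
    encoded = ",".join(str(i) for i in indices).encode("ascii")
    return hashlib.sha256(encoded).hexdigest()


# Constructed sample data: four feature elements, each normalised to [0, 1)
# and split into four intervals with borders at 0.25, 0.5 and 0.75.
BORDERS = [build_borders(0.0, 1.0, 4) for _ in range(4)]
ENROLLED = [0.10, 0.40, 0.60, 0.90]  # reading taken at enrollment
NOISY = [0.12, 0.38, 0.63, 0.88]     # later reading, noise stays inside intervals
DRIFTED = [0.10, 0.40, 0.76, 0.90]   # third element crosses the 0.75 border


if __name__ == "__main__":
    for name, reading in (("enrolled", ENROLLED), ("noisy", NOISY), ("drifted", DRIFTED)):
        print(name, quantize(reading, BORDERS), biometric_hash(reading, BORDERS)[:16])
```

The noisy reading reproduces the enrolled hash because every element stays in its interval, while the drifted reading produces a different hash from a single border crossing, so interval width directly sets the trade-off between false rejections and the number of distinct keys.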

In this embodiment, asymmetric cryptography can be applied to e-signatures that are based on public keys that have been determined deterministically, i.e. non-randomly, from the private biometric data. The prior art, on the other hand, uses biometric data to generate public and private keys. The public key generator in this embodiment of the invention, unlike the prior art, generates the public keys based on the deterministic biometric boundaries. This allows documents to be signed using verified biometric parameters, which act as private keys embedded in a PKI infrastructure that uses public key certificates.

FIG. 8 shows another embodiment. The invention is designed to allow digitally signing and sharing documents between subscribers. This embodiment of the invention uses blockchain technology to digitally sign documents using biometric keys. This embodiment uses a combination of symmetric and asymmetric cryptography with hashes to e-sign documents. FIG. 5 shows the chaining of hash blocks, based on biometric keys that generate hashes deterministically (i.e. non-randomly).

FIG. 6 illustrates the system of the invention. It includes one or more clients, clusters of servers and central databases distributed over a network that connects with subscribers or users. A node typically includes a processing unit for running codes, programs and/or applications. This unit may include one or more microprocessors, embedded controllers, digital signal processors, or CPUs. FIG. 8 shows an example of an observer pattern implementation of the present invention. Any combination of wired and wireless nodes, clients, servers, routers, hubs, access points, and any other device that communicates with other devices can be used to create a node. A number of databases can store private biometric keys or public key certificates, signed documents, and user data repositories.

Under one arrangement, multiple levels of identity verification are possible under MFA. Biometric parameters are used for authentication to identify something the subscriber/user has, and PINs to verify what they know. The verification can be done by entering a PIN code into an input device. A biometric identification verification device (e.g., fingerprint scanner, iris scanner, microphone, or gene scanner) can capture the relevant biometric data and send it to a node via wired/wireless transmission mediums. A card reader can read the embedded biometric key stored on a PIV card and send the private key to a node with the corresponding public key from the X.509 certificates. The private biometric key in the PIV card is used to generate the public key. The X.509 certificate contains information that is used to authenticate a user, such as using the SSH protocol. The biometric data is used to create a biometric hash at the subscriber node if a PIV card does not exist. A plurality of observer nodes validate the subscriber’s hash by sending validation replies based on the hash ledger states at each observer. If the majority of the observer nodes validate the biometric hash, the subscriber can sign documents in any role that he or she may hold within an organization.

The system and method described in this article relates to different aspects of processing documents that are signed or exchanged between users. Documents can be any electronic file that contains a declaration, statement, affidavit, and/or terms and conditions information. Documents can be created in any file format, including Microsoft Word, Excel, or portable formats like Adobe PDF. Documents can be infinitely large as the system breaks down large documents into multiple signed sections. You can sign documents using biometric keys (i.e. hashes) and send them via email to your counterparties. Another embodiment allows subscribers/clients to exchange biometric keys with each other based on flow engines. These can be used to send signed documents. In one example embodiment, a Business Support System (BSS) is implemented on an electronic document exchange and collaboration Software-as-a-Service (SaaS) platform referred to as the BSS exchange service. The BSS exchange service is hosted centrally and utilizes a subscription-based software licensing and delivery model. BSS Exchange Service provides an environment for enterprise contract modeling with tools and features that can be used to create statements, declarations, and bilateral contract documents.

FIG. 7 shows a block diagram for a SaaS platform that offers the BSS exchange service, which includes PKI infrastructure for signing documents. The SaaS platform consists of an Application/Web Server Cluster of one or more servers that communicates with a Database Server Cluster of one or multiple databases. The SaaS platform offers the BSS exchange service to subscribers 1 and 2 over the Internet via a firewall cluster consisting of one or more firewalls. Netcomm offers one such BSS exchange service under the name Beacon at the following domain: http://www.netcomm.net/beacon.

FIG. 8 shows the BSS system that uses an observer pattern software design to implement distributed event handling systems in “event driven” software that implements blockchain. Modern languages like Java and C# include “event” constructs. The design defines one-to-many dependencies between objects so that any changes in state of one object are automatically notified to all its dependents. An object called the Subject maintains a list of its dependents, called Observers, and notifies them of any changes in state, usually by calling one of their methods. The design encapsulates both the core or common engine components in a Subject abstraction and the variable or optional user interface components in an Observer hierarchy. As soon as the Subject is created, Observers register with it. Whenever the Subject updates its state, it notifies all registered Observers. The Subject may “push” information to the Observers, or the Observers may “pull” the information they require from the Subject.
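The majority validation by observer nodes and the Subject/Observer registration described above can be combined in one sketch. This is an added example, not the patent's or Netcomm's code: the class names, the strict-majority rule that rejects ties, the constant-time comparison and the constructed hash values are assumptions, and the time stamp and PIN steps are left out.

```python
import hashlib
import hmac


class ObserverNode:
    """Observer holding its own copy of the hash ledger (subscriber id -> hash)."""

    def __init__(self, name, ledger):
        self.name = name
        self.ledger = dict(ledger)

    def update(self, subscriber_id, presented_hash):
        """Called by the Subject; returns this observer's validation reply."""
        expected = self.ledger.get(subscriber_id)
        if expected is None:
            return False  # no ledger state for this subscriber: invalidate
        return hmac.compare_digest(expected, presented_hash)


class SubscriberNode:
    """Subject: keeps the registered observers and collects their replies."""

    def __init__(self, subscriber_id):
        self.subscriber_id = subscriber_id
        self.observers = []

    def register(self, observer):
        self.observers.append(observer)

    def request_validation(self, presented_hash):
        """Push the hash to every observer; accept only on a strict majority."""
        replies = {o.name: o.update(self.subscriber_id, presented_hash)
                   for o in self.observers}
        approvals = sum(replies.values())
        return approvals * 2 > len(replies), replies


def build_subscriber(subscriber_id, ledgers):
    """Helper: create a subject and register one observer per ledger copy."""
    subject = SubscriberNode(subscriber_id)
    for i, ledger in enumerate(ledgers, start=1):
        subject.register(ObserverNode(f"observer-{i}", ledger))
    return subject


# Constructed sample values standing in for biometric hashes.
GOOD = hashlib.sha256(b"constructed-enrolled-sample").hexdigest()
STALE = hashlib.sha256(b"constructed-stale-sample").hexdigest()

# Five observers: three agree with the subscriber, one is stale, one has no entry.
FIVE_LEDGERS = [{"alice": GOOD}, {"alice": GOOD}, {"alice": GOOD},
                {"alice": STALE}, {}]
# Four observers split two against two: a tie is not a majority.
TIED_LEDGERS = [{"alice": GOOD}, {"alice": GOOD},
                {"alice": STALE}, {"alice": STALE}]

if __name__ == "__main__":
    for label, ledgers in (("five observers", FIVE_LEDGERS), ("tie", TIED_LEDGERS)):
        ok, replies = build_subscriber("alice", ledgers).request_validation(GOOD)
        print(label, "-> may sign:", ok, replies)
```

Rejecting ties and treating a missing ledger entry as an invalidation keeps the decision fail-closed when observers disagree or are out of date.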

FIG. 7 or 8. A process executer/dispatcher within the servers transmits messages and signed documents to Clients 1 and 2 via a Web Container (Servlet Container). Communication with a Message Oriented Middleware, which allows sending and receiving messages among distributed components of the BSS exchange service, is also possible. Communication between Clients 1 and 2 and the BSS is achieved using a router, which is implemented as an RC.

As shown in FIG. 9, the SaaS platform for the BSS exchange service consists of a BSS server (e.g. SQL servers), a BSS database and the router RC. To access the BSS database, the RC communicates with the BSS server. The BSS server runs the processes necessary to implement the BSS exchange components. Further, the BSS database stores user information such as username, email address and last login data and times. It also keeps logs of user activities and system messages. Information about Portal Users that have been created via the SaaS platform is also stored. The BSS database can store electronic versions of contracts signed between service providers.

The execution engine used to implement the BSS exchange service is found in the BSS data server. The first and second execution engines are separate components that provide service components to the SaaS platform’s first and second clients. This allows information and configurations for each client to be applied. A process definition component is part of a shared database that defines the various processes that will be executed on the SaaS platform. The cache component speeds up execution using well-known memory management methods. A workflow component is software that manages business processes and creates distinct workflow engines for each service provider. Since subscribers can also be observers, a workflow engine allows for the flow of biometric keys between subscribers and observers. Each workflow engine assigns tasks to different executors, and shares data between participants. The workflow component is able to execute any sequence of steps, monitor and control the state of activities within a workflow and decide which activity to move to according to predefined processes. These actions can be anything from saving a document to sending an e-mail to users. Business rules engines are also included in the workflow. A business rule engine is a system that executes one or several business rules in a runtime environment. Business rule systems allow policies and other operational decisions to be created, tested, executed, and maintained independently. Rule engines support rules, facts and functions such as priority, mutual exclusion and preconditions. Activiti Java Workflow engine (JWE) is one example of a workflow engine that could be used in conjunction with the invention. JWE offers generic APIs that allow you to define and manage business processes using multiple components or tools. The Workflow Editor (WE tool) is used to create, manage and review process definitions.

Under one example, first and second subscribers could be paired to exchange signed agreement documents based upon biometric data of users who sign documents on digital signature workstations that have card readers and/or biometric verification devices. The method executes multiple flow engines at each node that subscribers and observers use, including a first flow engine to forward the subscriber’s biometric key and a plurality of second flow engines to forward biometric keys derived using biometric data associated with observers. This allows for exchanging biometric keys between subscriber and observer nodes. Workflow engines are used to assign tasks to subscribers.

FIG. 10 shows how to generate a public key from a private biometric key using Secure Shell (SSH). This is the implementation of the system in FIG. 7. FIG. 11 shows an example of a sequence flow diagram for a user interface to sign documents using an MFA digital signing protocol and algorithm. It is based on:

As shown in FIG. 11, a user requests a digital signature from a client’s workstation. This could be done via a downloadable form or by requesting it in writing. The client workstation interfaces with the Web API to send user credentials if permission is granted. The Web API gives the client station an access token that allows the user to open file selector applications. The user selects a file to sign and sends it to the Web API (a subscriber/user node). The client station then sends the Web API a signed hash along with the signed file. Optionally, the Web API also sends a receipt notification. The Web API forwards both the signed hash and signed file to the databases. Login failure occurs if permission is not granted, and no access token is sent out to the client’s workstation.

FIG. 12 shows a block diagram showing how biometric verification could be implemented in this invention. For extracting specific features from stored templates, a biometric representation is captured. Common file formats are available for interchange of biometric data. These formats provide platform independence and separate transfer syntax from content definitions. They also allow you to create application program interfaces or profiles that work based on performance metrics definitions and calculations. The invention relies on known interfaces and interactions among biometric components and subsystems. Architecture and operation for the biometric component are based on standards that allow multi-vendor systems and their applications to be used. These standards are:

Representation formats for the interchange of biometric data include:

Various biometric-based standards may be used in this invention. These include ANSI INCITS 382-2003 Biometrics Based Verification, which is hereby incorporated. Other examples include the ANSI INCITS 358-2002 BioAPI specification v1.1 and ANSI INCITS 398-2005 (NISTIR 6529-A) Common Biometric Exchange File Format, which are also hereby incorporated. Other examples are ANSI INCITS 375-2004 Finger Pattern Based Interchange Format and ANSI INCITS 378-2004 Finger Minutiae Format for Data Interchange. ANSI INCITS 370-2004 Iris Image Interchange Format is also incorporated by reference. These examples do not include all biometric standards that are compatible with the invention.

FIG. 13 shows a flow chart of the invention that implements user verification using a biometric scanner and a PIV reader in a client application. This client application involves the signing of documents by an Actor user. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application would then request the private biometric key embedded on the PIV card. The biometric reader would capture biometric data via finger or eyeball scanning. The card reader would then receive a PIN as well as the private biometric key, which are passed on to the client for verification. If the Actor has not yet inserted the PIV card, the client application prompts the user to insert it into the reader.

FIG. 14 is a flow diagram for the present invention that implements user verification using a card reader. It is used in a client application to sign documents by an Actor who has a PIN. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application will then request the private key embedded on the PIV card. The PIV card reader then sends the private key of the user to the client application, along with an entered PIN, for the purpose of signing a document.

FIG. 15 shows a flow diagram for the present invention that implements user verification using a biometric scanner and a PIV reader in a client application which involves the signing of documents by an Actor. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application will then request the private biometric key embedded on the PIV card. The biometric reader would be issued a PIN, and the card reader would get captured biometric data (e.g. via finger or eyeball scan), which would then be passed to the client application for verification. This method provides the biometric data, the private biometric key, and the PIN under MFA. This method uses the private key, which is the private key of the PKI key pair, to generate the public key by PKI.

In this embodiment, the input to the authentication verification algorithm would consist of the following:

Under this arrangement, the private key stored in the PIV card is actually the biometric data, which serves as the private biometric key. The thumbprint/eyeball information can be used as the private biometric key stored on the PIV card. Therefore, the input to the algorithm is the thumbprint/eyeball plus the PIN, with the following inputs.

In an alternative method, without PKI, a group of observers and a subject, as shown in FIG. 8, validate the hashing of a biometric secret with a passphrase using a blockchain hash key ledger. This means that no point within a matrix node is more sensitive than the subject. Suppose Alice decides to digitally sign documents. Alice is the subject, while Bob, Jane, and Len are the observers. They create a common observer architecture in which Alice, the subject, sends all the observers the following:

Now everyone is ready for Alice’s digitally signed documents/messages. Alice then sends Bob the following:

Bob isn’t sure that this is Alice, so he sends Jane and Len the biometric hash value to confirm the hash against their existing hash ledgers.

A plurality of responses is received from the observer nodes, validating or invalidating the Bio Hash and time stamp. Bob will be convinced that Alice made this signature if it is validated by most observers. Alice, the subject, can change her PassPhrase/PIN at any time and push the new hash to all subscribers. This allows them to maintain and update all of Alice’s Bio Hash entries and PassPhrase/PIN data. The blockchain community uses decentralized authorities to prevent fraud. FIG. 16 is a flow diagram for the invention. It implements user verification using a biometric reader. A user community of subscribers has also been created that agrees to share digitally signed documents. Users subscribe to each other, creating a matrix of users that can validate any user/subscriber in the community using a majority rule based upon hash ledgers maintained and updated by observer nodes. Every user can be either a subscriber, an observer, or both a subject and an observer in the system. The system supports a variety of third-party two-factor authentication vendors, such as DUO Security or Google Authenticator, to securely establish who is who. Each subscriber can independently authenticate with the system using supported third-party MFA authentication apps.

This method can use the biometric hash in a block in a blockchain associated with the subscriber and authenticate the subscriber using a symmetric cryptography technique that is based upon using the biometric hash as a shared secret within the symmetric cryptography algorithm. Another way is to use the biometric hash in a block on a blockchain associated with the subscriber and authenticate the subscriber using an asymmetric cryptography method that is based upon using the biometric as a private key and a certificate that contains a public key derived from the biometric.

Each user/subject can use the system to share digitally signed documents. They download a client application that stores their biometric data, passphrase/PIN and authenticates with a third-party 2 Factor authentication scheme. To establish the exchange of signed documents, other users/observers must subscribe to each user. They will need to supply their authentication token from multiple supported vendors.

Users digitally sign documents with a hash of their biometric data, which is stored at their local instance. Users share signed documents with other users, along with a biometric hash and a passphrase/PIN hash. The user community then validates their identity using a majority vote. This is based on each observer’s copy of the hash data.

The system is anonymous because each observer validates an individual user without knowing their biometric data or passphrase/PIN. The blockchain method makes this system highly redundant. A threshold of n nodes responding or not responding in the positive will not affect the ability to receive a majority of positive responses from the decentralized community. The only private information about each user is stored locally in the subject’s application. A compromise of one node can yield information for one subject, but not for millions of users. This contrasts with the common risk that arises when the authoritative source is centrally held, as in a common PKI infrastructure. The matrix system validates identity, but it does not require the plaintext to provide validation assertions by group majority. The matrix system is optimized for easy reading and takes into consideration each node’s computing capabilities. It maintains high performance by storing all validation statements from the group on the local subject’s machine. To determine a group majority, the algorithm combines locally stored messages, messages to a few random observers and other variables.
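The majority-rule validation described in the preceding paragraphs can be sketched as follows; this is an added example, not code from the patent or from Netcomm. The hash construction (HMAC-SHA-256 of the passphrase keyed with the biometric secret), the 300-second freshness window and the rule that silent observers count against the majority are assumptions; the names Alice, Bob, Jane and Len come from the text.

```python
import hashlib
import hmac

MAX_AGE_SECONDS = 300  # assumed freshness window for the subject's time stamp


def bio_hash(biometric_secret: bytes, passphrase: str) -> str:
    """Hash a biometric secret with a passphrase/PIN (construction is assumed)."""
    return hmac.new(biometric_secret, passphrase.encode(), hashlib.sha256).hexdigest()


class Observer:
    """Observer node holding its own copy of each subject's hash ledger."""

    def __init__(self, name):
        self.name = name
        self.online = True
        self.ledger = {}  # subject -> list of pushed hashes, newest last

    def push(self, subject, hash_value):
        """Record a hash pushed by the subject; an offline node misses the update."""
        if self.online:
            self.ledger.setdefault(subject, []).append(hash_value)

    def validate(self, subject, hash_value, timestamp, now):
        """Return True/False as a validation reply, or None if the node is silent."""
        if not self.online:
            return None
        entries = self.ledger.get(subject)
        if not entries:
            return False
        fresh = 0 <= now - timestamp <= MAX_AGE_SECONDS
        # Only the newest ledger entry is valid; constant-time comparison.
        return fresh and hmac.compare_digest(entries[-1], hash_value)


def majority_validates(observers, subject, hash_value, timestamp, now):
    """True when more than half of ALL observers reply positively."""
    votes = [o.validate(subject, hash_value, timestamp, now) for o in observers]
    positive = sum(1 for v in votes if v is True)
    return positive > len(observers) / 2


def demo():
    """Run constructed scenarios and return the outcome of each."""
    now = 1_700_000_000                       # constructed clock value
    secret = b"constructed-biometric-secret"  # stands in for local biometric data
    bob, jane, len_ = Observer("Bob"), Observer("Jane"), Observer("Len")
    observers = [bob, jane, len_]

    h1 = bio_hash(secret, "1234")
    for o in observers:
        o.push("alice", h1)

    results = {}
    results["all_online"] = majority_validates(observers, "alice", h1, now, now)

    len_.online = False  # one silent node must not block the majority
    results["one_offline"] = majority_validates(observers, "alice", h1, now, now)

    # Alice changes her passphrase while Len is offline, so Len's ledger goes stale.
    h2 = bio_hash(secret, "new passphrase")
    for o in observers:
        o.push("alice", h2)
    len_.online = True
    results["new_hash"] = majority_validates(observers, "alice", h2, now, now)
    results["old_hash"] = majority_validates(observers, "alice", h1, now, now)

    # A captured hash presented an hour later fails the freshness check.
    results["stale_timestamp"] = majority_validates(
        observers, "alice", h2, now - 3600, now)

    # A different biometric secret with the right passphrase does not validate.
    forged = bio_hash(b"someone-else", "new passphrase")
    results["wrong_biometric"] = majority_validates(
        observers, "alice", forged, now, now)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:16s} accepted={accepted}")
```

Observers compare hashes only, so none of them ever holds the biometric secret or the passphrase in plaintext.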

Non-repudiation can only be achieved through large group consensus. Alice signed the document if the Timestamp and BioHash data were deemed valid under majority rule. Alice can also re-generate her hash of her biometric information or have it further investigated by independent third parties including observers to discredit the authenticity of the signature.

FIG. 17 depicts an entity diagram for the present invention. It is an entity diagram of the FIG. 16 flow diagram, showing the class structure of observers and subjects.

Summary for “System and Method for Digitally Signing Documents Using Biometric Data in a Blockchain or PKI”

U.S. Pat. No. 8,990,572 discloses the ability to conduct secure smart card transactions using mobile devices. Federal Information Processing Standard Publication 201 (FIPS 201) is a United States federal standard that specifies Personal Identity Verification (PIV) requirements for Federal employees as well as contractors. A PIV card can be used to authenticate identity and control information access. Any pocket-sized card with an embedded circuit can be used as a PIV card. A PIV card reader is an electronic device that can read information from PIV cards.

It is also possible to feed biometric data features to a hash generator that uses interval boundaries to generate a hash. This is then used to generate biometric keys. FIG. 2 is a block diagram showing the basic operation of an iris biometric encryption system. It uses either a biometric template or a hash of biometric keys. FIG. 3 is a block diagram of a quantization system, used in FIG. 2, that creates intervals for every element of the biometric feature vector. The biometric keys are created by mapping the features into the intervals.

US Publication #20150143511 discloses biometric accessibility controls. U.S. Pat. No. 7,481,364 describes a biometric identification device that can be used with smart cards. U.S. Pat. No. 9,589,260 describes authenticating electronic cash using a smartcard that receives a biometric signature from a user and sends recognition-complete information to a communication device when the biometric signature matches a previously stored biometric. U.S. Pat. No. 9,323,914 describes a smartcard with partially or completely virtualized components, which maximizes confidentiality of stored data using digitized unique biological identifiers.

Multi-factor authentication (MFA) is a method for computer access control that requires a user to present multiple pieces of evidence to an authentication mechanism. Typically, at least two of these categories are met: possession (something they possess) and knowledge (something they know). Two-factor authentication, also known as 2FA, is a method to confirm a user’s identity using a combination of two components. A personal identification number (PIN) is an example of something that a user knows, and a PIV card is something that the user has. Documents can be digitally signed when the user authenticates with the PIN and other information from the PIV card.

There are many ways to e-sign documents. Adobe’s PDF documents can be e-signed by inserting signature images (e.g. handwritten signatures) within the documents. DocuSign (https://www.docusign.com/products/electronic-signature) uses a system and method for approvals of agreements based on e-signatures. DocuSign can be embedded into existing websites, portals, or applications.

Asymmetric cryptography employs a pair of mathematically related keys, known as the public key and the private key. This eliminates the need for the communicating parties to have prior knowledge of a shared secret key, as in symmetric key cryptography. Asymmetric key cryptography uses public key infrastructure (PKI). This is a well-known system to secure information. These systems allow a party to digitally sign messages using a randomly generated private key. A party at another station verifies the signature with a distributed public key derived from that private key. Public keys are distributed to the participants in the system by corresponding certificates. These certificates are also known as Public Key Certificates. They are issued by trusted parties called Certificate Authorities (CAs). PKI allows communicating parties to authenticate each other and use the public key information contained in certificates to encrypt or decrypt messages.

By digitally signing the certificate, a certificate authority (CA) attests that it belongs to the identity. This means that the certificate is signed by the CA. The CA is often a trusted third party that issues digital certificates for communicating parties. The trust requirement requires that the CA verify the identity credentials of all parties. If the parties trust the CA and are able to verify its signature, it is presumed that they can also verify that the public key belongs to the person identified in the certificate.

Applications can often grant access to resources based upon the credentials provided by the user. These applications typically verify the identity of users and allow them to access resources based upon their roles. Roles are used to enforce policies in business and financial applications. An application may, for example, limit who can sign documents based on whether they are members of a specific role. Role Based Access Control is done via X.509 extensions. X.509 defines formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm.

U.S. Pat. No. 8,775,809 describes biometrics-based signatures. A verifier obtains a first biometric template of an individual to verify, based on a fingerprint. The verifier receives a first and a second biometric template and then verifies the digital signature using the public key. The first biometric template received is then compared to the second biometric template received. If a match occurs, it can be confirmed that both the digital signature and the second biometric template have not been altered by an attacker to impersonate the individual. However, biometric templates can be used as public keys and shared with other nodes. This undermines the privacy of biometric data.

US Publication #20020176583 discloses a public key infrastructure that relies on fingerprints that are presented to an authority of the public-key infrastructure. After the biometric data is read from the fingerprint of the user at a biometric input device, the biometric data is signed with the authority’s private key. The PKI infrastructure will send a certification request with the public key and the signed biometric data. After the authority has verified and registered the received data, the biometric data is stored in a database and the corresponding certificate is issued. The token contains the certificate. The public-key infrastructure permits signing and encrypting digital messages using digital signatures. This allows a third party to rely on the certificate. Because it is stored in a database, the biometric data can be used as evidence in the event of fraud. It is common to use biometric data that has been certified by PKI to sign messages.

US Publication #20040059924 describes a biometric signature system. It uses biometric private keys (BioPKI) and a digital signature. BioPKI makes use of a combination of biometric technology and industry-standard PKI to create digital signatures. BioPKI uses public key cryptography to encrypt biometric signature information and send it to the BioPKI server.

U.S. Pat. No. 9,037,851 describes a user authorization system that allows authorization management using a public PKI issuing server. This server issues a PKI certificate that includes a subscriber’s biometric signature. A sensing device that recognizes biometric patterns is included in the system. It stores the subscriber’s biometric signature as well as a PKI certificate (e.g., an X.509 certificate) that verifies that the user is authentic. If the biometric pattern of the subscriber matches the one stored on the smart card, the smart card sends a signal and transmits authorization information derived from the PKI certificate. The drawback of this prior art is that biometric data is not used to generate the private and public keys. This makes it vulnerable to fraud if the PKI infrastructure is compromised.

U.S. Pat. No. 7,188,362 describes a smartcard that digitally signs messages using biometric data. The smart card includes an encryption module and a random number generator. In an enrollment mode, the biometric data analyzer receives user biometric data and triggers a random generator to create a public and private key. The smart card’s tamper-resistant chip stores the private key. The public key is sent to an external device such as a computer. After verifying biometric data, the smart card digitally signs all incoming messages during a signing mode using a card reader interface. This prior art has a drawback in that biometric data is used to randomly generate the private and public keys. If the generator infrastructure is compromised, it is susceptible to fraud.

Blockchain technology is well established. A blockchain is a continuously growing collection of records, called blocks, that are linked and protected using cryptography. Blockchains are designed to be indestructible. Blockchains can be used as distributed ledgers that record transactions between two parties in an efficient, verifiable, and permanent manner. FIG. 4 shows a flow chart of a blockchain that enables users to send money to other users. FIG. 5 illustrates how data blocks are linked together using hash functions that are based on a Merkle table, which acts as a hash ledger. Blockchain infrastructure has an advantage over centralized infrastructures such as PKI, which use central ledgers: a blockchain is more difficult to compromise because distributed hash ledgers are used.

With the expansion of workflow-based document exchange platforms, it is necessary to integrate and utilize existing platforms for user verification. A system and method that uses existing PIV card platforms is needed to enable verified users to sign documents in any format. This will allow counterparties to exchange documents using existing PKI infrastructures. Another example is the need to have a system and method that utilizes biometric data and user groups to eliminate the need for an authoritative central PKI authority.

Briefly, according to one embodiment of this invention, a method is executed on servers that interface with a Database Management System (DBMS) for signing and exchanging electronic documents. Documents are signed using biometric information captured as biometric data blocks from the subscribers who sign them. A subscriber node generates a biometric key that includes a biometric hash. This is derived deterministically using biometric feature elements from the biometric data blocks. Quantization is used to construct intervals for each biometric feature element, and the biometric feature elements are mapped into the intervals. The biometric hash is sent to a plurality of observer nodes. A plurality of responses is received from the plurality of observer nodes. Each response validates or invalidates the biometric hash according to the state of the biometric hash ledger associated with the subscriber at each of the plurality of observer nodes. Based on the time stamp sent by the subscriber node, the subscriber is authenticated. If the subscriber has been authenticated, and if a PIN is entered, the subscriber can sign the document.

According to some of the more specific features of this embodiment, a plurality of flow engines are executed at each node used for subscribers and observers. These include a first flow engine that forwards the subscriber’s biometric key and a plurality of second flow engines that forward biometric keys derived using biometric data associated with observers. They also exchange biometric keys between subscriber nodes and observer nodes. Workflow engines that assign tasks to subscribers can be part of the flow engines. This method uses the biometric hash in a block on a blockchain that is associated with the subscriber and authenticates the subscriber using symmetric cryptography that is based upon using the biometric as a shared secret of the symmetric cryptography. Another way is to use the biometric hash in a block associated with the subscriber. This method authenticates the subscriber using an asymmetric cryptography method that uses the biometric as a private key, and a certificate that contains a public key derived from the biometric.

According to another embodiment, a method is executed on servers that interface with a Database Management System for exchanging and signing documents electronically. Documents are signed using biometric information stored on cards. A biometric key is stored on a card that is given to the user. The biometric key is a hash that is determined from elements of biometric information associated with the user. It is created using a quantization scheme which constructs intervals for each element, into which the biometric features are mapped. The method involves receiving the private biometric key from a card reader via a network of nodes using a PKI infrastructure with a CA, and then receiving a certificate that contains a public key that was derived from that hash. Based on the card’s private biometric key and the public key, the card is authenticated. If the card has been authenticated and an entered PIN verifies the identity, the user can sign the document.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 5 illustrates how data blocks are linked together using a Merkle table.

FIG. 7 is a block diagram of an implementation of the invention via a card reader.

FIG. 8 shows a block diagram of a Business Support System (BSS) implementing the present invention on a Software-as-a-Service (SaaS) platform.

FIG. 11 is a block diagram showing how biometric verification could be implemented in this invention.

FIG. 13 shows a flow chart of the invention that implements user verification using a card reader and a biometric reader.

FIG. 14 shows a flow chart of the invention that implements user verification using a card reader with PIV cards without a biometric reader.

FIG. 16 shows a flow chart of the invention that implements biometric data as the private keys, 2FA passphrases and distributed user community validation using blockchain.

FIG. 17 depicts an entity diagram for the present invention. It is an entity diagram of the FIG. 16 flow diagram, showing the class structure of observers and subjects.

The present invention employs a digital signature client program that communicates with SaaS-based software located in a wide area network on the internet. As described below, a database management system (DBMS) stores digital signatures and signed documents. Organizations can use the implemented signature technology to create secure cryptographic signature controls that can be deployed among subscribers or users of the system, such as employees or customers. The protocol allows for safe transmission of embedded biometric key information from subscribers or users. The biometric key information can either be captured instantly by a verification device that interfaces with the subscriber/user, or it can be read by a card reader that interfaces with the subscriber/user.

In one embodiment, the invention allows users with Personal Identity Verification (PIV) or Common Access Card (CAC) cards to digitally sign documents using biometric data stored on their cards under MFA. The invention can be used to store biometric data that is derived from fingerprints, iris scanning and genetic recognition. The present invention embeds a biometric key that belongs to the user in magnetic strips or chips. This key can be used to sign any file or document of any format, such as PDF, Excel and Word. The biometric key is able to sign embedded code, binaries, images, or graphics in any number of input layers.

FIG. 7 shows an embodiment of the invention. It enables organizations to connect with their existing PKI infrastructure by using the organization’s PIV/CAC smart cards to digitally sign any document format. Cards communicate over HTTPS with an organization’s Business Support System (BSS). The cards use PKI certificates such as X.509 certificates to store roles as extensions on the cards. This embodiment embeds biometric data from the user in the PIV card, which can be used to verify digital signatures. The private biometric keys of the users are used to generate the public key.

As shown in FIG. 2, features of biometric data are used as input to a hash generator. FIG. 2 illustrates the enrollment and authentication process according to the invention, using a biometric template. A biometric input (e.g. data blocks) is applied to a majority decision block to extract feature element vectors that create a biometric hash associated with subscriber/user attributes.

The biometric hash generator processes interval borders to generate the private biometric keys deterministically rather than randomly. FIG. 3 shows a quantization scheme that can be used in the enrollment/authentication process of FIG. 2 to create intervals for each element in a biometric feature vector. The biometric feature elements are then mapped into the intervals. For quantization, the biometric data input, or data blocks, supplies biometric features to an interval definition block. An interval encoding block is then applied to the block that contains the interval definitions, so that the intervals to which the biometric features have been mapped generate a biometric hash.
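The quantization step described above can be sketched as follows; this is an added example, not code from the patent or from Netcomm. The feature values, the [0, 1] range, the eight equal-width intervals and SHA-256 over the interval indices are assumptions chosen for illustration. The sketch also flags features that sit close to an interval border, because a small sensor variation there moves the feature into the neighbouring interval and changes the whole hash.

```python
import bisect
import hashlib
import struct


def build_borders(lo, hi, n_intervals):
    """Return the n_intervals + 1 borders of equal-width intervals over [lo, hi]."""
    width = (hi - lo) / n_intervals
    return [lo + i * width for i in range(n_intervals + 1)]


def quantize(value, borders):
    """Map one feature element to the index of the interval that contains it."""
    if not borders[0] <= value <= borders[-1]:
        raise ValueError(f"feature {value} is outside the enrolled range")
    index = bisect.bisect_right(borders, value) - 1
    # A value equal to the top border belongs to the last interval.
    return min(index, len(borders) - 2)


def quantize_vector(features, border_sets):
    """Quantize every element of a feature vector with its own interval borders."""
    if len(features) != len(border_sets):
        raise ValueError("feature vector length does not match enrollment")
    return [quantize(v, b) for v, b in zip(features, border_sets)]


def biometric_hash(features, border_sets):
    """Deterministic hash of the interval indices (SHA-256 is an assumption)."""
    indices = quantize_vector(features, border_sets)
    encoded = struct.pack(f">{len(indices)}H", *indices)
    return hashlib.sha256(b"biohash-v1" + encoded).hexdigest()


def border_margin(value, borders):
    """Distance from a feature value to the nearest border of its interval."""
    i = quantize(value, borders)
    return min(value - borders[i], borders[i + 1] - value)


def unstable_features(features, border_sets, min_margin):
    """Positions of features that lie closer than min_margin to a border."""
    return [pos for pos, (v, b) in enumerate(zip(features, border_sets))
            if border_margin(v, b) < min_margin]


# Constructed sample data: four feature elements, each in [0, 1], 8 intervals each.
BORDERS = [build_borders(0.0, 1.0, 8) for _ in range(4)]
ENROLLED = [0.42, 0.77, 0.13, 0.58]
SAME_USER_NOISY = [0.43, 0.76, 0.135, 0.60]    # small noise, same intervals
SAME_USER_DRIFTED = [0.42, 0.77, 0.12, 0.58]   # third feature crosses 0.125

if __name__ == "__main__":
    print("interval indices :", quantize_vector(ENROLLED, BORDERS))
    print("enrolled hash    :", biometric_hash(ENROLLED, BORDERS))
    print("noisy sample hash:", biometric_hash(SAME_USER_NOISY, BORDERS))
    print("drifted hash     :", biometric_hash(SAME_USER_DRIFTED, BORDERS))
    print("unstable features:", unstable_features(ENROLLED, BORDERS, 0.01))
```

Checking the margin at enrollment shows which feature elements are likely to produce false rejections before the hash is pushed to any ledger or bound to a certificate.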

In this embodiment, asymmetric cryptography can be applied to e-signatures that are based on public keys that have been derived deterministically, i.e. non-randomly, from the private biometric data. The prior art, on the other hand, uses biometric data to generate public and private keys. Unlike the prior art, the public key generator in this embodiment of the invention generates the public keys based on the deterministic biometric boundaries. This allows documents to be signed using verified biometric parameters, which act as private keys embedded in a PKI infrastructure that uses public key certificates.

FIG. 8 shows another embodiment. The invention is designed to allow digitally signing and sharing documents between subscribers. This embodiment of the invention uses blockchain technology to digitally sign documents using biometric keys. It uses a combination of symmetric and asymmetric cryptography with hashes to e-sign documents. FIG. 5 shows the chaining of hash blocks, which here is based on biometric keys that generate hashes deterministically (i.e. non-randomly).

FIG. 6 illustrates the system of the invention. It includes one or more clients, clusters of servers and central databases distributed over a network that connects with subscribers or users. A node typically includes a processing unit for running codes, programs and/or applications. This unit may include one or more microprocessors, embedded controllers, digital signal processors, or CPUs. FIG. 8 shows an example of an observer pattern implementation of the present invention described in FIG. Any combination of wired and wireless nodes, clients, servers, routers, hubs, access points, and any other device that communicates with other devices can be used to create a node. A number of databases can store private biometric keys on public key certificates, signed documents, and user data repositories.

Under one arrangement, multiple levels of identity verification are possible under MFA. Biometric parameters are used for authentication to identify something the subscriber/user has, and PINs to verify what they know. The verification can be done by entering a PIN code into an input device. A biometric identification verification device (e.g., fingerprint scanner, iris scanner, microphone, or gene scanner) can capture the relevant biometric data and send it to a node via wired/wireless transmission media. A card reader can read the embedded biometric key stored on a PIV card and send the private key to a node with the corresponding public key from the X.509 certificates. The private biometric key in the PIV card is used to generate the public key. The X.509 certificate contains information that is used to authenticate a user, such as using the SSH protocol. The biometric data is used to create a biometric hash at the subscriber node if a PIV card does not exist. A plurality of observer nodes validate the subscriber’s hash by sending validation replies based on the hash ledger states at each observer. If the majority of the observer nodes validate the biometric hash, the subscriber can sign documents in any role that he or she may hold within an organization.

The system and method described in this article relates to different aspects of processing documents that are signed or exchanged between users. Documents can be any electronic file that contains a declaration, statement, affidavit, and/or terms and conditions information. Documents can be created in any file format, including Microsoft Word, Excel, or portable formats like Adobe PDF. Documents can be infinitely large as the system breaks down large documents into multiple signed sections. You can sign documents using biometric keys (i.e. hashes) and send them via email to your counterparties. Another embodiment allows subscribers/clients to exchange biometric keys with each other based on flow engines. These can be used to send signed documents. In one example embodiment, a Business Support System (BSS) is implemented on an electronic document exchange and collaboration Software-as-a-Service (SaaS) platform referred to as the BSS exchange service. The BSS exchange service is hosted centrally and utilizes a subscription-based software licensing and delivery model. BSS Exchange Service provides an environment for enterprise contract modeling with tools and features that can be used to create statements, declarations, and bilateral contract documents.

FIG. 7 shows a block diagram for a SaaS platform that offers the BSS exchange service, which includes PKI infrastructure for signing documents. The SaaS platform consists of an Application/Web Server Cluster of one or more servers that communicates with a Database Server Cluster of one or more databases. The SaaS platform offers the BSS exchange service to subscribers 1 and 2 over the Internet via a Firewall Cluster consisting of one or more firewalls. Netcomm offers one such BSS exchange service under the name Beacon at the following domain: http://www.netcomm.net/beacon.

FIG. 8 shows the BSS system, which uses the observer pattern software design to implement distributed event handling in ‘event driven’ software that implements blockchain. Modern languages like Java and C# include ‘event’ constructs. The design defines a one-to-many dependency between objects so that when one object changes state, all its dependents are notified automatically. An object called the Subject maintains a list of its dependents, called Observers, and notifies them of any changes in state, usually by calling one of their methods. The design encapsulates the core or common engine components in a Subject abstraction and the variable or optional user interface components in an Observer hierarchy. As soon as the Subject is created, Observers register with it. When the Subject updates its state, it notifies all registered Observers. The Subject may ‘push’ information at the Observers, or the Observers may ‘pull’ the information they require from the Subject.

FIG. 7, 8 7 or 8. A process executer/dispatcher within the servers transmits messages and signed documents to Clients 1 and 2 via a Web Container (Servlet Container). It is also possible to communicate with a Message Oriented Middleware, which allows sending and receiving messages among the distributed components of the BSS exchange service. Communication between Clients 1 and 2 and the BSS is achieved using a router, which is implemented as an RC.

As shown in FIG. 9, the SaaS platform for the BSS exchange service consists of a BSS server (e.g. SQL servers), a BSS database and the router RC. To access the BSS database, the RC communicates with the BSS server. The BSS server runs the processes necessary to implement the BSS exchange components. Further, the BSS database stores user information such as username, email address and last login data and times. It also keeps logs of user activities and system messages. Information about Portal Users that have been created via the SaaS platform is also stored. The BSS database can store electronic versions of contracts signed between service providers.

The execution engine used to implement the BSS exchange service is found in the BSS Data Server. The first and second execution engines are separate components that provide service components to the SaaS platform’s first and second clients. This allows information and configurations for each client to be applied. A process definition component is part of a shared database that defines the various processes that will be executed on the SaaS platform. The cache component speeds up execution using well-known memory management methods. A workflow component is software that manages business processes and creates distinct workflow engines for each service provider. Since subscribers can also be observers, a workflow engine allows for the flow of biometric keys between subscribers and observers. Each workflow engine assigns tasks to different executors and shares data between participants. The workflow component is able to execute any sequence of steps, monitor and control the state of activities within a workflow, and decide which activity to move to according to predefined processes. These actions can be anything from saving a document to sending an e-mail to users. Business rules engines are also included in the workflow component. A business rules engine is a system that executes one or more business rules in a runtime environment. Business rule systems allow policies and other operational decisions to be created, tested, executed, and maintained independently. Rule engines support rules, facts and functions such as priority, mutual exclusion and preconditions. The Activiti Java Workflow engine (JWE) is one example of a workflow engine that could be used in conjunction with the invention. JWE offers generic APIs that allow you to define and manage business processes using multiple components or tools. The Workflow Editor (WE tool) is used to create, manage and review process definitions.

Under one example, first and second subscribers could be paired to exchange signed agreement documents based upon biometric data of users who sign documents on digital signature workstations that have card readers and/or biometric verification devices. The method executes multiple flow engines at each node that subscribers and observers use, including a first flow engine to forward the subscriber’s biometric key and a plurality of second flow engines to forward biometric keys derived using biometric data associated with observers. This allows for exchanging biometric keys between subscriber and observer nodes. Workflow engines are used to assign tasks to subscribers.

FIG. 10 shows how to generate a public key from a private biometric key using Secure Shell (SSH). This is the implementation of the system in FIG. 7. FIG. 11 shows an example of a sequence flow diagram for a user interface to sign documents using an MFA digital signing protocol and algorithm. It is based on:

As shown in FIG. 11, a user requests a digital signature from a client workstation. This could be done via a downloadable form or by requesting it in writing. The client workstation interfaces with the Web API to send user credentials if permission is granted. The Web API gives the client workstation an access token that allows the user to open file selector applications. The user selects a file to sign and sends it to the Web API (a subscriber/user node). The client workstation then sends the Web API a signed hash along with the signed file. Optionally, the Web API also sends a receipt notification. The Web API forwards both the signed hash and the signed file to the databases. Login failure occurs if permission is not granted. No access token is sent out to the client workstation.

FIG. 12 shows a block diagram of how biometric verification could be implemented in this invention. For extracting specific features from stored templates, a biometric representation is captured. Common file formats are available for interchange of biometric data. These formats provide platform independence and separate transfer syntax from content definitions. They also allow you to create application program interfaces or profiles that work based on performance metrics definitions and calculations. The invention relies on known interfaces and interactions among biometric components and subsystems. Architecture and operation for the biometric component are based on standards that allow multi-vendor systems and their applications to be used. These standards are:

Representation formats for the interchange of biometric data include:

Various biometric-based standards may be used in this invention. This includes ANSI INCITS 382-2003 Biometrics Based Verification, which is hereby incorporated by reference. Other examples include ANSI INCITS 358-2002 BioAPI specification v1.1 and ANSI INCITS 398-2005 (NISTIR 6529-A) Common Biometric Exchange File Format, which are also hereby incorporated. Other examples are ANSI INCITS 375-2004 Finger Pattern Based Interchange Format and ANSI INCITS 378-2004 Finger Minutiae Format for Data Interchange. ANSI INCITS 370-2004 Iris Image Interchange Format is also incorporated by reference. These examples do not include all biometric standards that are compatible with the invention.

FIG. 13 shows a flow chart of the invention that implements user verification using a biometric scanner and a PIV reader in a client application. This client application involves the signing of documents by an Actor user. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application would then request the private biometric key embedded on the PIV card. The biometric reader would capture biometric data via finger or eyeball scanning. The card reader would then receive a PIN as well as the private biometric key, which are passed on to the client application for verification. The client application will prompt the user to insert their PIV card into its reader if the Actor hasn’t done so.

FIG. 14 is a flow diagram of the present invention that implements user verification using a card reader. It is used in a client application to sign documents by an Actor who has a PIN. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application will then request the private key embedded on the PIV card. The PIV card reader then sends the private key of the user to the client application, along with an entered PIN, for the purpose of signing a document.

FIG. 15 shows a flow diagram of the present invention that implements user verification using a biometric scanner and a PIV reader in a client application which involves the signing of documents by an Actor. One implementation assumes that the Actor inserts his/her PIV card into a reader. The application will then request the private biometric key embedded on the PIV card. The biometric reader would be issued a PIN, and the card reader would get captured biometric data (e.g. via finger or eyeball scan), which would then be passed to the client application for verification. This method provides the biometric data, the private biometric key, and the PIN under MFA. This method uses the private key, which is the private key of a PKI key pair, to generate the public key by PKI.

In this embodiment, input to the authentication verification algorithm would consist of these inputs:

Under this arrangement, the private key stored in the PIV card is actually the biometric data, which serves as the private biometric key. The thumbprint/eyeball information can be used as the private biometric key stored on the PIV card. Therefore, the input to the algorithm is the thumbprint/eyeball plus the PIN with the following inputs.

In an alternative method, without PKI, a group of observers and a subject as shown in FIG. 8 validates the hashing of a biometric secret with a passphrase using a blockchain hash key ledger. This means that no point within a matrix node is more sensitive than the subject. If Alice decides to digitally sign documents, Alice is the subject, while Bob, Jane, and Len are the observers. They create a common observer architecture where Alice, the subject, sends all the observers the following:

Now everyone is ready for Alice’s digitally signed documents/messages. Alice then sends Bob the following:

Bob isn’t sure that this is Alice, so he sends Jane and Len the biometric hash value to confirm the hash against their existing hash ledgers.

A plurality of responses validating or invalidating the Bio hash and time stamp are received from the observer nodes. Bob will be convinced that Alice signed this signature if it is validated by most observers. Alice, the subject, can change her PassPhrase/PIN anytime and pushes the new hash to all subscribers. This allows them to maintain and update all of Alice's Bio Hash entries and PassPhrase/PIN data. The blockchain community uses decentralized authorities to prevent fraud. FIG. 16 is a flow diagram of the invention. It implements user verification using a biometric reader. A user community of subscribers is also created that agrees to share digitally signed documents. Users subscribe to each other, creating a matrix of users that can validate any user/subscriber in the community using a majority rule based upon hash ledgers maintained and updated by observer nodes. Every user can be a subscriber, an observer, or both a subject and an observer in the system. The system supports a variety of third-party two-factor authentication vendors, such as DUO Security or Google Authenticator, to securely establish who is who. Each subscriber can independently authenticate with the system using supported third-party MFA authentication apps.
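The observer registration, hash push and majority vote described above, together with the Subject/Observer design of FIG. 8, as an added Python example that is not code from the patent or from Netcomm. The hash construction (PBKDF2 plus HMAC-SHA-256 over a stable template), the integer timestamps, the strict-majority rule over all registered observers, and every class and function name are assumptions, since the page does not specify them.

```python
import hashlib
import hmac

def bio_hash(subject_id: str, template: bytes, passphrase: str) -> str:
    # Assumed construction: PBKDF2 key from the passphrase, HMAC over a stable template.
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), subject_id.encode(), 100_000)
    return hmac.new(key, template, hashlib.sha256).hexdigest()

class Observer:
    def __init__(self, name: str):
        self.name, self.online = name, True
        self.ledger = {}  # subject id -> (bio hash, timestamp) of the newest push seen

    def update(self, subject_id, digest, timestamp):  # push from the Subject
        held = self.ledger.get(subject_id)
        if self.online and (held is None or timestamp > held[1]):
            self.ledger[subject_id] = (digest, timestamp)

    def validate(self, subject_id, digest, timestamp):  # True/False vote, None if unreachable
        if not self.online:
            return None
        held = self.ledger.get(subject_id)
        return held is not None and held[1] == timestamp and hmac.compare_digest(held[0], digest)

class Subject:
    def __init__(self, subject_id: str):
        self.subject_id, self.observers = subject_id, []

    def attach(self, observer: Observer):
        self.observers.append(observer)

    def publish(self, template: bytes, passphrase: str, timestamp: int) -> str:
        """Hash locally and notify the observers; template and passphrase never leave."""
        digest = bio_hash(self.subject_id, template, passphrase)
        for obs in self.observers:
            obs.update(self.subject_id, digest, timestamp)
        return digest

def majority_valid(observers, subject_id, digest, timestamp) -> bool:
    """Strict majority of ALL registered observers; an unreachable node is not a yes."""
    votes = [o.validate(subject_id, digest, timestamp) for o in observers]
    return 2 * sum(v is True for v in votes) > len(observers)

def demo():
    template = b"constructed-template-bytes"  # constructed sample, not real biometric data
    alice = Subject("alice")
    bob, jane, len_ = Observer("bob"), Observer("jane"), Observer("len")
    for obs in (bob, jane, len_):
        alice.attach(obs)
    group, out = alice.observers, {}
    h1 = alice.publish(template, "1111", 1)
    out["genuine"] = majority_valid(group, "alice", h1, 1)
    out["wrong_template"] = majority_valid(group, "alice", bio_hash("alice", b"other", "1111"), 1)
    len_.online = False                        # Len misses the passphrase/PIN change
    h2 = alice.publish(template, "2222", 2)
    len_.online = True                         # back online, but with a stale ledger entry
    out["after_rotation"] = majority_valid(group, "alice", h2, 2)
    out["old_hash"] = majority_valid(group, "alice", h1, 1)
    jane.online = len_.online = False          # two of three observers unreachable
    out["no_quorum"] = majority_valid(group, "alice", h2, 2)
    return out

if __name__ == "__main__":
    print(demo())
```

In this sketch a positive vote establishes only that the presented hash and timestamp match what most ledgers currently hold. An observer that missed a push keeps voting for the superseded hash until it is updated.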

This method can use the biometric hash in a block in a blockchain associated with the subscriber and authenticate the subscriber using a symmetric cryptography technique that is based upon using the biometric hash as a shared secret within the symmetric cryptography algorithm. Another way is to use the biometric hash in a block on a blockchain associated with the subscriber and authenticate the subscriber using an asymmetric cryptography method that is based upon using the biometric as a private key and a certificate that contains a public key derived from the biometric.

Each user/subject can use the system to share digitally signed documents. They download a client application that stores their biometric data, passphrase/PIN and authenticates with a third-party 2 Factor authentication scheme. To establish the exchange of signed documents, other users/observers must subscribe to each user. They will need to supply their authentication token from multiple supported vendors.

Users digitally sign documents with a hash from their Biometric data stored at their local instance. Users sign documents with other users, along with a Biometric hash and a Passphrase/PIN hash. The user community then validates their identity using a majority vote. This is based on each observer’s copy of the hash data.

The system is anonymous because each observer validates an individual user without knowing their biometric data or passphrase/PIN. The blockchain method makes this system highly redundant. A threshold of n nodes responding or not responding in the positive will not affect the ability to receive a majority of positive responses from the decentralized community. The only private information about each user is stored locally in the subject’s application. One node compromise can yield information for one subject, but not for millions of users. The latter is a common risk when the authoritative source is centrally held, as in common PKI infrastructure. The matrix system validates identity, but it does not require the plaintext to provide validation assertions by group majority. The matrix system is optimized for easy reading and takes into consideration each node’s computing capabilities. It maintains high performance by storing all validation statements from the group on the local subject's machine. To determine a group majority, the algorithm combines locally stored messages, messages to a few random observers and other variables.

Non-repudiation can only be achieved through large group consensus. Alice signed the document if the Timestamp and BioHash data were deemed valid under majority rule. Alice can also re-generate her hash of her biometric information or have it further investigated by independent third parties including observers to discredit the authenticity of the signature.

FIG. 17 depicts an entity diagram for the FIG. 16 flow diagram of the present invention, showing the class structure of observers and subjects.


