USOO8477940B2

(12) United States Patent (10) Patent No.: US 8.477,940 B2

Narendra et al. (45) Date of Patent: *Jul. 2, 2013

(54) SYMMETRICCRYPTOGRAPHY WITH USER 36. R 23. Wang CC

AUTHENTICATION 6,609,654 B1 8/2003 Anderson et al.
6,636,833 B1 10/2003 Flitcroft et al.
(75) Inventors: Siva G. Narendra, Portland, OR (US); 6,687,375 B1 2/2004 Matyas et al.
Prabhakar Tadepalli, Bangalore (IN); 6,705,520 B1 3/2004 Pitroda et al.
Thomas N. Spitzer, Portland, OR (US) 6,769,607 B1
6,805,288 B2
8/2004 Pitroda et al.
10/2004 Routhenstein et al.
6,836,843 B2 12/2004 Seroussi et al.
(73) Assignee: Tyfone, Inc., Portland, OR (US) 6,845,453 B2 1/2005 Scheidt et al.
- 6,845,908 B2 1/2005 Morita et al.
(*) Notice: Subject to any disclaimer, the term of this 6,848,050 B1 1/2005 Merman et al.
patent is extended or adjusted under 35 6,857,566 B2 2/2005 Wankmueller
U.S.C. 154(b) by 1931 days. 6,871,278 B1 3/2005 Sciupac
6,886,096 B2 4/2005 Appenzeller et al.
This patent is Subject to a terminal dis- 6,901,145 B1 5/2005 Bohannon et al.
claimer. 6,908,030 B2 6/2005 Rajasekaran et al.
7,502,928 B2 * 3/2009 Suzuoki et al. ............... T13,166
(21) Appl. No.: 11/182,099
y x- - - 9
7,805,615 B2 9/2010 Narendra et al.
(Continued)
(22) Filed: Jul. 15, 2005 FOREIGN PATENT DOCUMENTS
(65) Prior Publication Data GB 2390705 1, 2004
WO OO3656.6 A1 6, 2000
US 2007/OO144O7 A1 Jan. 18, 2007 (Continued)
(51) Int. Cl. OTHER PUBLICATIONS
(52) He to (2006.01) PCT/US2006/027980, Written Opinion, Mailed Dec. 27, 2006, 13.
USPC .......................................................... 380/270 (Continued)
(58) Field of Classification Search
USPC .......................................................... 380.277 Primary Examiner — Michael S McNally
See application file for complete search history. Assistant Examiner — Daniel Hoang
(74) Attorney, Agent, or Firm — Dana LeMoine; LeMoine
(56) References Cited Patent Services, PLLC
U.S. PATENT DOCUMENTS (57) ABSTRACT
5,585,787 A 12/1996 Wallerstein A device uses a user authentication factor to generate a sym
363 A E. Shun metric key for use in Symmetric cryptography. The user
6,035.398 A 3, 2000 E. authentication factor is encrypted and stored for authentica
6.219,439 B1 4/2001 Burger tion during decryption.
6,315,195 B1 1 1/2001 Ramachandran
6,330,674 B1 12/2001 Angelo et al. 37 Claims, 4 Drawing Sheets
20

User Authentication
Factor - UAF
e.g., PIN, Password, fingerprint,
voiceprint, retinal scan,
hardware ID, etc.

Generate Symmetric Key. This

key is mathematically related to
UAF. Without UAF the
symmetrickey cannot be
240 generated.

Non-encrypted
data
(Plaintext)

Encrypted data,
Encryption process Encrypted UAF
 US 8,477,940 B2
Page 2

U.S. PATENT DOCUMENTS 2005, 0116026 A1 6/2005 Burger et al.

2005, 0121512 A1 6/2005 Wankmueller
2001/0001876 A1 5, 2001 Morgan et al. 2005/O127164 A1 6/2005 Wankmueller
2001/OOO7132 A1 T/2001 Regev
2001/OO34718 A1 10, 2001 Shaked et al. FOREIGN PATENT DOCUMENTS
2002fOO39063 A1 4, 2002 Ritter
2002, 0096570 A1 T/2002 Wong et al. WO WO-03029942 A2 4? 2003
2002.0099665 A1 T/2002 Burger et al. WO WO-03081519 A2 10/2003
2002/0152391 A1 * 10, 2002 Willins et al. ................. T13, 186 WO 200701 1991 A2 1/2007
2002fO180584 A1 12, 2002 McGregor et al. WO WO-200701 1992 A1 1/2007
2002fO1845.09 A1 12, 2002 Scheidt et al. OTHER PUBLICATIONS
2002fO186845 A1 12, 2002 Dutta et al.
2003/00284.81 A1 2, 2003 Flitcroft et al. Menezes, et al., “Handbook of Applied Cryptography.” 1997, CC
2003/0061168 A1 3, 2003 Routhenstein
2003/0O81785 A1 * 5/2003 Boneh et al. .................. 38O,277 Press LLC, 330-331, 386-389, 394–395, 551-553.
2003/022O876 A1 11, 2003 Burger et al. Uludag, U. “Multimedia Content Protection via Biometrics-based
2004/0044896 A1 3, 2004 Kelley et al. Encryption'. Multimedia and Expo, 2003, Proceedings 2003 Inter
2004/0050930 A1 3, 2004 Rowe national Conference, vol. 3, (Jul. 2003), 237-240.
2004/O133787 A1 T/2004 Doughty et al. “PCT Search Report, PCT/US2006/027979, (Jul 17, 2006), 1-13.
2004/O139329 A1 * 7/2004 Abdallah et al. .............. T13, 182 U.S. Appl. No. 1 1/182,920 Office Action Mailed Feb. 3, 2009, 12
2005.0005135 A1 1/2005 Chen et al. pageS.
2005.0006462 A1 1/2005 Rouille et al. U.S. Appl. No. 1 1/182,920 Office Action Mailed Nov. 9, 2009, 14
2005, OO15596 A1 1/2005 Bowers pageS.
2005/0O29349 A1 2, 2005 McGregor et al. U.S. Appl. No. 1 1/182,920 Office Action Mailed Aug. 25, 2010, 14
2005/OO38736 A1 2, 2005 Saunders pageS.
2005, OO44044 A1 2, 2005 Burger U.S. Appl. No. 1 1/182,920 Office Action Mailed Apr. 8, 2011, 14
2005, OOSO367 A1 3, 2005 Burger et al. pageS.
2005/0060586 A1 3, 2005 Burger et al. U.S. Appl. No. 1 1/182,920 Office Action Mailed Feb. 14, 2012, 5
2005/OO77349 A1 4, 2005 Bonalle pageS.
2005, 0108096 A1 5/2005 Burger et al.
2005.0109838 A1 5/2005 Linlor * cited by examiner
U.S. Patent Jul. 2, 2013 Sheet 1 of 4 US 8,477,940 B2

104

FIG. I.
U.S. Patent Jul. 2, 2013 Sheet 2 of 4 US 8,477,940 B2

210

User Authentication
Factor - UAF
e.g., PIN, Password, fingerprint,
voiceprint, retinal Scan,
hardware ID, etc.

Generate Symmetric Key. This

key is mathematically related to
UAF. Without UAF the
symmetric key cannot be
generated.

Non-encrypted
data
(Plain text)

Encrypted data,
Encryption process Encrypted UAF
250

200

FIG. 2
U.S. Patent Jul. 2, 2013 Sheet 3 of 4 US 8,477,940 B2

310 360

User Authentication Generate Symmetric Key.

9 This key is mathematically
Factor - UAF related to UAF. If UAF and
e.g., PIN, Password, fingerprint, UAF are identical, the
s generated key will be same
voiceprint, retinal scan, as that was used to encrypt
hardware ID, etc. UAF.

320
Encryption
260
Encrypted Encrypted UAF
- E.
Encrypted data, <GD No
Encrypted UAF Yes

Encrypted 340
Data
350

Decryption
process

Non-encrypted
data 240
(Plain text)

300

FIG. 3
U.S. Patent Jul. 2, 2013 Sheet 4 of 4 US 8,477,940 B2

UAF COLLECTION
COMPONENT
WRELESS
INTERFACE
BIOMETRIC
COLLECTION
UNIQUEID
SYMMETRIC
CRYPTOGRAPHY
ENGINE

PROCESSOR
SYMMETRICKEY
GENERATION
COMPONENT

450 DECRYPTION
STORAGE PROCESS
COMPONENT COMPONENT

ENCRYPTION
PROCESS
COMPONENT

400

FIG. 4
 US 8,477,940 B2
1.
SYMMETRC CRYPTOGRAPHY WITH USER
AUTHENTICATION
FIELD
The present invention relates generally to secure data stor
age, and more specifically to the use of symmetric cryptog
raphy for secure data storage.
BACKGROUND
Cryptography may be used to limit access to data. For
example, sensitive data in computers or networks may be
encrypted to block access by unauthorized users. Cryptogra
phy may be utilized to securely store information or to
securely share information.
Different types of cryptography are in use today. Examples
include symmetric cryptography and asymmetric cryptogra
phy. In symmetric cryptography, encryption and decryption
are performed with the same “key.” Symmetric cryptography
is sometimes also referred to as Secret key cryptography,
because the key cannot be disclosed for the data to remain
secure. Triple-DES cryptography is an example of symmetric
cryptography.
Asymmetric cryptography uses two keys: an encryption
key, and a decryption key, where the encryption key is derived
from the decryption key using a one-way function. In asym
metric cryptography, the encryption key (also referred to as
the public key) can be disclosed since it can only encrypt and
not decrypt data. The decryption key (also referred to as the
private key) cannot be disclosed for the data to remain secure.
Examples of asymmetric cryptography include Rivest
Shamir-Adleman (RSA) and elliptic curve cryptography.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG.1 shows a mobile electronic device inaccordance with
various embodiments of the present invention;
FIGS. 2 and 3 show flow diagrams in accordance with
various embodiments of the present invention; and
FIG. 4 shows a computer system in accordance with vari
ous embodiments of the present invention.
DESCRIPTION OF EMBODIMENTS
In the following detailed description, reference is made to
the accompanying drawings that show, by way of illustration,
various embodiments of an invention. These embodiments
are described in sufficient detail to enable those skilled in the
art to practice the invention. It is to be understood that the
various embodiments of the invention, although different, are
not necessarily mutually exclusive. For example, a particular
feature, structure, or characteristic described in connection
with one embodiment may be implemented within other
embodiments without departing from the spirit and scope of
the invention. In addition, it is to be understood that the
location or arrangement of individual elements within each
disclosed embodiment may be modified without departing
from the spirit and scope of the invention. The following
detailed description is, therefore, not to be taken in a limiting
sense, and the scope of the present invention is defined only
by the appended claims, appropriately interpreted, along with
the full range of equivalents to which the claims are entitled.
In the drawings, like numerals refer to the same or similar
functionality throughout the several views.
FIG.1 shows a mobile electronic device. Mobile electronic
device 100 may be any type of electronic device considered to
2
be mobile. For example, mobile electronic device 100 may be
a personal digital assistant (PDA), a Smartphone, a mobile
phone, a handheld computer, or any other device capable of
operating as described herein. FIG. 1 also shows secondary
electronic device 120. Secondary electronic device 120 is
shown as a key fob separate from mobile electronic device
100 in FIG. 1, but this is not a limitation of the present
invention. For example, secondary electronic device 120 may
be a card that attaches to, and detaches from, mobile elec
10 tronic device 100. Accordingly, secondary electronic device
120 may be separate from, or separable from, mobile elec
tronic device 100.
Mobile electronic device 100 is shown including controls
106, fingerprint scanner 108, voice input 104, and retinal
15 scanner 102. Fingerprint scanner 108, voice input 104, and
retinal scanner 102 are examples of biometric information
collection devices capable of collecting biometric informa
tion to authenticate a user of mobile device 100. Controls 106
represent an input device capable of accepting other types of
user authentication information, such as a password or per
sonal identification number (PIN).
Biometric information, passwords, and PINs are examples
of user authentication factors (UAF) useful to authenticate a
user to mobile electronic device 100. For example, access to
25 mobile device 100 or features of mobile electronic device 100
may be limited to users that satisfy certain requirements with
respect to matching UAFs.
Other types of information may also be used as user
authentication factors. For example, UAFs may include
30 unique identifiers (IDs) related to hardware devices such as
mobile electronic device 100 or secondary electronic device
120. In some embodiments of the present invention, user
authentication is performed using a combination of UAFs.
For example, a unique ID may be combined with biometric
35 information to authenticate a user to mobile electronic device
100. Unique IDs may be received by mobile electronic device
100 in many ways. For example, a unique ID may be provided
by secondary electronic device 120 using a wireless interface,
or by physical contact between mobile electronic device 100
40 and secondary electronic device 120. Also for example, a
unique ID may be provided by an internal subsystem within
mobile electronic device 100, such as a hard disk drive, a
memory Subsystem, or a processor.
Mobile electronic device 100 may provide secure data
45 storage or secure data transfer using symmetric cryptography
that utilizes UAFs. For example, a symmetric key may be
generated from a mathematical representation of one or more
UAFS, and the symmetric key may be used for encryption.
Decryption may be performed only after a matching UAF is
50 provided and the symmetrickey is again generated. Symmet
ric cryptography embodiments are described in further detail
below with reference to later figures.
Mobile electronic device 100 may include a mechanism to
allow mobile electronic device 100 to communicate with a
55 wired or wireless network. For example, mobile electronic
device 100 may include circuitry to communicate with a
cellular phone network. Note that in these embodiments,
mobile electronic device 100 may or may not be a phone. For
example, mobile electronic device 100 may be a cellular
60 telephone having symmetric cryptography capabilities. Also
for example, mobile electronic device 100 may be a non
telephonic device that has cellular network connectivity.
Examples include personal digital assistants, and handheld
devices dedicated to secure data storage or secure data
65 exchange. Further, mobile electronic device 100 may be a
non-telephonic device having wired or wireless connectivity
to a network other than a cellular network, and in some
 US 8,477,940 B2
3 4
embodiments, mobile electronic device 100 may be a device
without network connectivity. Examples include, but are not
limited to: Blackberry devices available from Research in
Motion (RIM), music players such as MP3 players, cameras,
and the like.
In some embodiments, mobile electronic device 100 is an
example of a “wearable' device that is capable of securely
storing or exchanging data. For example, in some embodi
ments, mobile electronic device 100 may have the form factor
of a wristwatch. Some embodiments of the present invention
may have other wearable form factors. For example, a wear
able mobile electronic device may be worn in such a manner
that it contacts human skin, or it may be worn on clothing.
Any wearable intelligent electronic device may be employed
without departing from the scope of the present invention.
FIG. 2 shows a flow diagram in accordance with various
embodiments of the present invention. Diagram 200 repre
sents data flow and actions that may be performed when
encrypting data in accordance with various embodiments of
the present invention. The various actions represented in FIG.
2 may be performed by a mobile electronic device such as
mobile electronic device 100 (FIG. 1), although this is not a
limitation of the present invention. For example, the various
actions in FIG. 2 may be performed by a non-mobile com
puting device Such as a desktop computer, workstation, or
mainframe computer.
Block 210 represents the collection of one or more user
authentication factors (UAFs). As shown in block 210, a UAF
may be biometric information, a password or PIN, a hardware
ID, or any combination. For example, a user may provide a
fingerprint and also present a secondary electronic device that
transmits a unique hardware ID. The fingerprint and the hard
ware ID may together be considered a UAF. The collection of
UAF may be performed with biometric sensors such as those
shown on mobile electronic device 100 (FIG. 1). Further, the
collection of UAF may be performed over a wired or wireless
interface.
At 220, a symmetric key is generated from the UAF. Any
functional relationship may be used to relate the symmetric
key to the UAF. For example, if the generation of the key uses
one or more prime numbers, prime number generation or
selection may be a function of the UAF. Further, in some
embodiments, the symmetric key may be set equal to a
numerical representation of the UAF. Without the UAF, the
symmetric key cannot be generated.
The encryption process at 250 encrypts data 240 and the
UAF using the symmetric key generated at 220. The
encrypted data and encrypted UAF are stored 260. The sym
metric key is not stored.
FIG. 3 shows a flow diagram in accordance with various
embodiments of the present invention. Diagram 300 repre
sents data flow and actions that may be performed when
decrypting data in accordance with various embodiments of
the present invention. The various actions represented in FIG.
3 may be performed by a mobile electronic device such as
mobile electronic device 100 (FIG. 1), although this is not a
limitation of the present invention. For example, the various
actions in FIG.3 may be performed by a non-mobile com
puting device Such as a desktop computer, workstation, or
mainframe computer.
Block 310 represents the collection of one or more user
authentication factors (UAFs). The UAF in block 310 is col
lected for the decryption of data and is referred to as UAF" to
distinguish it from the UAF collected when the data is
encrypted (FIG. 2). As shown in block 310, a UAF" may be
biometric information, a password or PIN, a hardware ID, or
any combination. For example, a user may provide a finger
print and also presenta secondary electronic device that trans
mits a unique hardware ID. The fingerprint and the hardware
ID may together be considered a UAF". The collection of
UAF" may be performed with biometric sensors such as those
shown on mobile electronic device 100 (FIG. 1). Further, the
collection of UAF" may be performed over a wired or wireless
interface.
The encrypted data and encrypted UAF are shown stored at
260 as a product of the various actions shown in FIG. 2. At
10 360, a symmetric key is generated from UAF". If UAF and
UAF" are identical, then the user providing UAF" should be
granted access to the encrypted data. At 320, the collected
UAF" is encrypted using the symmetric key generated at 360,
and the result is compared with the encrypted UAF stored at
15 260. If there is no match, then data access is denied at 340. If
there is a match (signifying that UAF and UAF" are equal),
then the decryption process at 350 uses the symmetric key to
decrypt the data, and the result is the non-encrypted data 240.
Using symmetric encryption embodiments represented by
FIG. 2, once the encryption process is completed, the data
stored does not include the symmetric key needed to decrypt
the data. Using symmetric decryption embodiments repre
sented by FIG. 3, the stored data cannot be decrypted unless
and until the UAF" is authenticated to be correct. The UAF
25 Verification process generates a symmetric key from the col
lected UAF, and the encrypted data can only be decrypted if a
valid UAF is provided.
As described above, the user authentication factor (UAF)
can include one or more of biometric factors identifying an
30 individual, passwords or PINs identifying a privileged person
or class of persons, or hardware device specific IDs that
identify the presence or proximity of a particular piece of
equipment. In some embodiments, the UAF used to generate
the symmetric key is formed by combining biometric infor
35 mation with one or more hardware IDs. In these embodi
ments, a valid user may only access encrypted data when a
particular piece of hardware is present. For example, a hard
ware ID from secondary device 120 (FIG. 1) may be com
bined with a user's fingerprint to form a UAF used to generate
40 a symmetric key. Also for example, a hardware ID from
within mobile electronic device 100 (FIG. 1) may be com
bined with a biometric factor collected by one or more of the
various biometric collection components shown in FIG. 1.
FIG. 4 shows a computer system in accordance with vari
45 ous embodiments of the present invention. Computer system
400 may be a mobile electronic device such as mobile elec
tronic device 100 (FIG. 1), or may be a non-mobile device
Such as a desktop computer, workstation, server, or main
frame. Computer system 400 includes processor 460, user
50 authentication factor (UAF) collection component 410, sym
metric cryptography engine 430, and storage component 450.
UAF collection component 410 includes one or more com
ponents capable of collecting user authentication factors. For
example, UAF collection component 410 may include wire
55 less interface 412 to communicate with other electronic
devices to receive user authentication factors. Any type of
UAF information may be received over wireless interface
412. For example, wireless interface 412 may communicate
with a secondary wireless device Such as a mobile phone or
60 key fob having a unique ID that is used as a UAF. Also for
example, wireless interface 412 may communicate with other
computer systems that provide one or more UAFs.
Biometric collection component 414 may include one or
more interfaces to collect biometric information of a user. For
65 example, biometric collection component 414 may include a
fingerprint Scanner, a retinal scanner, a voice recorder, or the
like. Unique ID 416 may be collected by UAF collection
 US 8,477,940 B2
5 6
component 410 in many different ways. For example, one or
more subsystems within computer system 400 may provide a
unique hardware ID for use as a UAF. Further, unique ID 416
may be provided by a hardware device that is separate from,
or separable from, computer system 400.
UAF collection component 410 may be implemented in
hardware, Software, or any combination. For example, wire
less interface 412 may include a network interface card (NIC)
that includes a processing device and firmware. Further, bio
metric collection component 414 may include hardware to
provide a physical interface to a person, and may also include
a device driver to be executed by processor 460. User authen
tication factors collected by UAF collection component 410
may be utilized to generate symmetric keys in a symmetric
cryptography engine. For example, UAF collection compo
nent may provide the UAF referenced in FIG. 2 and the UAF"
referenced in FIG. 3.
Symmetric cryptography engine 430 includes symmetric
key generation component 432, decryption process compo
nent 436, and encryption process component 438. The vari
ous components of symmetric cryptography engine 430 may
be implemented in hardware, Software or any combination.
For example, the various components may be implemented in
software that is executed by processor 460. In these embodi
ments, the various components of symmetric cryptography
engine 430 may be embodied as instructions on a machine
readable medium Such as a memory device, hard disk drive, or
other storage medium.
In some embodiments, symmetric key generation compo
nent 432 generates a symmetric key from a user authentica
tion factor. For example, symmetric key generation compo
nent 432 may perform actions shown at 220 in FIG.2 or at 360
in FIG. 3. In some embodiments, decryption process compo
nent 436 utilizes a symmetric key to decrypt encrypted data.
For example, decryption process component 436 may per
form actions shown at 350 in FIG. 3. Also in some embodi
ments, encryption process component 438 utilizes a symmet
ric key to encrypt data. For example, encryption process
component 438 may perform actions shown at 250 in FIG. 2.
Storage component 450 may be any type of storage com
ponent capable of storing encrypted data and encrypted
UAFs. For example, storage component 450 may be a
memory Such as a static random access memory (SRAM),
dynamic random access memory (DRAM), or FLASH
memory. Also for example, storage component 450 may be a
hard disk, floppy disk, CDROM storage, or any other type of
storage. Storage component 450 may also include a machine
readable medium that includes instructions that when
accessed result in processor 460 performing actions. For
example, storage component 450 may have instructions to
implement the various components of symmetric cryptogra
phy engine 430.
Processor 460 represents a processor capable of commu
nicating with the other blocks shown incomputer system 400.
For example, processor 460 may be a microprocessor, a digi
tal signal processor (DSP), a microcontroller, or the like.
Further, processor 460 may beformed from state machines or
other sequential logic. In operation, processor 460 may read
instructions and/or data from storage component 450, sym
metric cryptography engine 430, or UAF collection compo
nent 410. For example, processor 460 may execute program
instructions that implement symmetric cryptography engine
430.
Although the present invention has been described in con
junction with certain embodiments, it is to be understood that
modifications and variations may be resorted to without
departing from the spirit and Scope of the invention as those
skilled in the art readily understand. Such modifications and
variations are considered to be within the scope of the inven
tion and the appended claims.
What is claimed is:
1. A method for encrypting data in a mobile electronic
device comprising:
receiving, at the mobile electronic device, at least one user
authentication factor to authenticate a user to the mobile
10
electronic device;
generating, by the mobile electronic device, a symmetric
key as a function of the at least one user authentication
factor; and
15 encrypting, by the mobile electronic device, the at least one
user authentication factor using the symmetric key to
produce an encrypted at least one user authentication
factor.
2. The method of claim 1 wherein the at least one user
authentication factor includes a unique ID for a hardware
device.
3. The method of claim 2 wherein the hardware device
comprises a hardware device physically separate from an
apparatus performing the method.
25 4. The method of claim 2 wherein the hardware device
comprises a hardware device physically separable from an
apparatus performing the method.
5. The method of claim 1 wherein the at least one user
authentication factor includes a biometric factor.
30 6. The method of claim 1 wherein the at least one user
authentication factor includes a unique ID for a hardware
device and a biometric factor.
7. The method of claim 1 further comprising:
storing the encrypted at least one user authentication factor.
35 8. A method for decrypting data in a mobile electronic
device comprising:
receiving, at the mobile electronic device, at least one user
authentication factor to authenticate a user to the mobile
electronic device;
40 generating, by the mobile electronic device, a symmetric
key as a function of the at least one user authentication
factor; and
encrypting, by the mobile electronic device, the at least one
user authentication factor using the symmetric key to
45 produce a result, and comparing the result with a stored
encrypted user authentication factor.
9. The method of claim 8 wherein the at least one user
authentication factor includes a unique ID for a hardware
device.
50 10. The method of claim 9 wherein the hardware device
comprises a hardware device physically separate from an
apparatus performing the method.
11. The method of claim 9 wherein the hardware device
comprises a hardware device physically separable from an
55 apparatus performing the method.
12. The method of claim 8 wherein the at least one user
authentication factor includes a biometric factor.
13. The method of claim 8 wherein the at least one user
authentication factor includes a unique ID for a hardware
60 device and a biometric factor.
14. A mobile device with a machine accessible non-tran
sitory medium having instructions stored thereon that when
accessed result in the mobile device performing:
receiving at least one user authentication factor to authen
65 ticate a user to the mobile device;
generating a symmetric key as a function of the at least one
user authentication factor; and
 US 8,477,940 B2
7 8
encrypting the at least one user authentication factor using
the symmetric key to produce an encrypted at least one
user authentication factor.
15. The mobile device of claim 14 wherein the at least one
user authentication factor includes a unique ID for a hardware
device.
16. The mobile device of claim 15 wherein the hardware
device comprises a hardware device physically separate from
the machine performing the method.
17. The mobile device of claim 15 wherein the hardware
device comprises a hardware device physically separable
from the machine performing the method.
18. The mobile device of claim 14 wherein the at least one
user authentication factor includes a biometric factor.
19. The mobile device of claim 14 wherein the at least one
user authentication factor includes a unique ID for a hardware
device and a biometric factor.
20. A mobile device with a machine accessible non-tran
sitory medium having instructions stored thereon that when
accessed result in the mobile device performing:
receiving at least one user authentication factor to authen
ticate a user to the mobile device:
generating a symmetric key as a function of the at least one
user authentication factor; and
encrypting the at least one user authentication factor using
the symmetric key to produce a result, and comparing
the result with a stored encrypted user authentication
factor.
21. The mobile device of claim 20 wherein the at least one
user authentication factor includes a unique ID for a hardware
device.
22. The mobile device of claim 21 wherein the hardware
device comprises a hardware device physically separate from
the machine performing the method.
23. The mobile device of claim 21 wherein the hardware
device comprises a hardware device physically separable
from the machine performing the method.
24. The mobile device of claim 20 wherein the at least one
user authentication factor includes a biometric factor.
25. The mobile device of claim 20 wherein the at least one
user authentication factor includes a unique ID for a hardware
device and a biometric factor.
26. A computer system for storing and accessing encrypted
data, comprising:
a user authentication factor collection component to
receive at least one user authentication factor to authen
ticate a user to the computer system;
a symmetric key generation component to generate a sym
metric key as a function of the at least one user authen
tication factor;
an encryption process component to encrypt data and the at
least one user authentication factor using the symmetric
key; and
a decryption process component to decrypt encrypted data
using the symmetric key.
27. The computer system of claim 26 further comprising a
storage component to store encrypted data and an encrypted
user authentication factor.
28. The computer system of claim 26 wherein the user
10 authentication factor collection component is configured to
receive a unique ID for a hardware device as a user authenti
cation factor.
29. The computer system of claim 28 wherein the hardware
device comprises a hardware device physically separable
15
from the computer system.
30. The computer system of claim 26 wherein the user
authentication factor collection component is configured to
receive a biometric factor as a user authentication factor.
31. The computer system of claim 26 wherein the user
authentication factor collection component is configured to
receive a unique ID for a hardware device and a biometric
factor as user authentication factors.
32. A mobile device comprising:
means for collecting at least one user authentication factor
to authenticate a user to the mobile device:
means for generating a symmetric key as a function of the
at least one user authentication factor;
means for encrypting the at least one user authentication
factor using the symmetric key:
30
means for encrypting data using the symmetric key; and
means for decrypting data using the symmetric key.
33. A handheld device to store encrypted data, comprising:
a biometric collection device to collect a biometric user
authentication factor to authenticate a user to the hand
held device; and
35 a symmetric cryptography engine to generate a symmetric
key as a function of the biometric user authentication
factor, and to encrypt the biometric user authentication
factor using the symmetric key.
34. The handheld device of claim 33 wherein the biometric
40
collection device comprises a fingerprint collection device.
35. The handheld device of claim 33 wherein the biometric
collection device comprises a retinal scanner.
36. The handheld device of claim 33 further comprising a
45
wireless interface to receive a unique ID from a wireless
device.
37. The handheld device of claim 36 wherein the symmet
ric cryptography engine is configured to generate the sym
metric key from the unique ID and the biometric user authen
tication factor.