Crypto-Sign® Technology Overview
THE CRYPTO-SIGN SOLUTION
The patented Crypto-Sign technology offers a new approach to mobile device security and to transactions carried out on the devices. This allows them to be used securely and easily to unleash their full productivity potential and generate significant economic savings for enterprises. It enhances the security of access to mobile devices in the event of their loss or theft by demanding a biometric sample, with or without PIN entry, and protects the data at rest on the device by encrypting it with secure keys. In addition it provides the basis for secure remote PKI-based communications and transactions, without the need to remember and enter complex passwords.
The Crypto-Sign technology also includes its own signature/sign biometric modality, combining the benefits of the PIN/Password with those of electronic signature verification to utilize the benefits of, and eliminate the disadvantages of both systems. Its author, Rod Beatson is the founder of Transaction Security and a joint author of the associated patents. Crypto-Sign is a non-invasive, low cost, biometric solution to the problem of identifying local and remote authors of electronic messages and transactions.
With the introduction of the Electronic Signatures In Global and National Commerce Act (the "E-sign" Act) an electronic signature is essentially any input submitted electronically by the author signifying intent. This could be achieved by the submission of a password, which might release a private key to generate a digital signature to "sign" the document. Alternatively the author might submit a biometric sample (any modality) to be verified by the system and hence generate the electronic signature. Crypto-Sign can use any biometric modality including the use of the behavioral Signature/Sign modality which uses automatic dynamic verification to verify a secret sign (Crypto-Sign) made on the screen of the device. Such a sign, when verified biometrically, coupled with the release of an authentic signature of the user, constitutes a secure electronic signature where prior to E-sign it would not have been a valid instrument. The secret sign is always submitted with an inkless stylus and is never stored, displayed or printed in its submitted form.
The total Crypto-Sign solution does not rely on the use of the Crypto-Sign Signature/Sign modality. It may be used with any biometric modality availabe to the device to:
- Grant access to the mobile device.
- Release a valid electronic signature of the individual and attach it to an electronic document, payment transaction or another signature-bearing transaction.
- Release a private key, rooted in the device hardware for encrypting data at rest or in transit.
- Release a password to allow the individual to gain access to the device or to a network, a secure web site site or cloud-based data.
In the field of biometrics and particularly that of dynamic signature verification there is a belief that the submission of one’s signature on a digitizer or position-sensing screen, enabling the analysis and comparison of that signature against a previously generated template would provide a secure method of tying an electronic document to the author and give the ensuing transaction a high degree of integrity. Biometrically identified documents and transactions, using dynamic signature verification have been used in a variety of applications from the early 1980’s. Applications include cash withdrawals from retail bank branches, change control of engineering drawings, entry control to Safety Deposit boxes, identification of customers using credit or charge cards at retail point-of-sale and a number of others.
With the Crypto-Sign biometric signature/sign verification system the sign is made directly on the screen and inking may be inhibited. The pen position is sampled many times a second to generate a stream of sequential X,Y coordinates. Some systems also sample the pen pressure at each coordinate sampling point. From the samples, which are taken at constant time intervals, it is possible to define features of the signature/sign, which can be based upon any combination of shape, pressure and/or timing of certain events within the signature.
One potential problem associated with dynamic signature verification is that no two signatures from the same person are ever identical and the accept/reject decision has to consider the inherent variation of the author’s signature. Crypto-Sign addresses this by including a measure of user variation in the biometric template, which is adaptive in nature and gradually molds itself to the individual.
A related problem impacting signature/sign variability, and, indeed that of any biometric sample, is the presentation angle of the sample. Typically there will be changes in angle from one sample to the next and, if these are sufficiently different, the likelihood of a successful match with the template is lowered. Crypto-Sign deals with this in US Patent 7,916,907 by rotating the biometric image to a consistent angle of inclination prior to extracting features and matching the sample with the template.
Unless the variability problem is addressed, as it is with Crypto-Sign, it may be difficult to generate a high performance set of algorithms, effective over a large population, offering powerful discrimination between an authentic sample and that of an impostor. If the accept/reject threshold level is set too tightly, to reject potential forgeries and generate a low false accept rate (FAR), the effect is often to increase the false reject rate (FRR) to unacceptable levels. In this regard, the patented Crypto-Sign signature/sign modality has another powerful advantage over other dynamic signature verification methods in that the sign, which is tested statistically against a stored template, is maintained as a secret by the user in the same way a password or a PIN is kept secret. The consequence of this is that the accept/reject threshold can be loosened significantly without increasing the FAR. Consequently, the FRR reduces to give high performance.
In addition the Crypto-Sign technology includes a novel methodology to choose and weight highly discriminating biometric features from the biometric sample input data. For the purpose of signing electronic documents the valid electronic signature (with an ink-on- paper look) of the user is also stored in electronic form and is only released to the transaction/document when a verified biometric sample or secret sign has been submitted.