THE PATENTS ACT, 1970
(39 OF 1970)
AND
THE PATENTS RULES, 2003
(As Amended)
COMPLETE SPECIFICATION
(See section 10; rule 13)
"A Method and System for Performing Secured Data Exchange Over a Network"
HCL Technologies Ltd,, a corporation organized and existing under the laws of India, of 184 NSK Salai (Arcot Road) Vadapalani, Chennai-600 026 Tamil Nadu India.
The following specification particularly describes the nature of this invention and the manner in which it is to be performed:

A METHOD AND SYSTEM FOR PERFORMING SECURED DATA EXCHANGE
OVER A NETWORK
Field of Technology
The instant invention generally relates to the field of secure data transfer over networks and more particularly to a system and method for performing such secure data transfer using biometric authentication means.
Background
In the present scenario of wireless communication, mobile handsets are being looked to increasingly act as transactional mechanisms i.e. devices that can be used effortlessly as forms of persona! identification or as tools for buying goods and services.
Nonetheless these devices need essentially the same types of security measures as enterprise networks—access control, user authentication, data encryption etc. Furthermore, handheld devices and smart phones are often used precisely where they're most vulnerable—in public places, lobbies, taxis, airplanes—where risks include loss; probing or downloading of data by unauthorized persons; and frequently, theft and analysis of the device itself.
Mobile devices are at risk for the information they store and more importantly for the information they transmit. PIN numbers, corporate passwords, bank account and credit card numbers are all at risk of theft if a device holding them is lost, stolen, hacked into or intercepted.
The most important features of any transaction based system in a network environment include
1. Robust authentication: The system must be absolutely certain of the true identity of participating entities in a given transaction.
2. Non-repudiation. When a transaction is completed, there must be no way for either party to deny that it was executed willingly. E.g. digital signatures.
3. Confidentiality. Personal data on a device should be protected from unauthorized access and data transfer between participating devices during a transaction must be encrypted to avoid leaking of information,

Some of the conventional means of identification include passwords, secret codes and personal identification number (PINs) can easily be compromised by being susceptible to sharing, stealing or can be forgot as well. Further, even the recognition of the above may not mean the true identification of the person providing it - they could be misrepresented by fraudulent entity. With the advent of e-commerce there is increase of users accessing these networks and performing mobile transactions.
In view of this, the required optima! reliability in determining the entities of users may only be achieved through the use of biometrics.
Biometrics is the term given to the use of biological traits or behavioral characteristics to identify an individual. Such traits include but not limited to fingerprints, hand geometry, facial geometry, retina patterns, iris patterns, voice recognition, and handwriting recognition etc. Only recently, Biometric security has started to appear on mobile phones.
The present Invention uses a two-dimensional barcode as a graphical image that stores information both horizontally and vertically allowing It to store over 7000 characters adequate enough to store a biometric trait. The present invention is applicable for every mobile transaction wherein identity of the user and validity of the transaction is critical.
US Patent application 20100138344, "Mobile barcode generation and
payment" 6esa\bQs an application on user's mobile device having a display screen that generates a one-time use and time-limited barcode on the display when the user enters a PIN, The barcode can be scanned to make purchases at a Point of Sale terminal (POS).
However, contrary to using PIN for authenticating the user to create the barcode for authenticating the user to create the barcode as in US Patent application 20100138344, , the present invention encrypts and encodes the barcode to authenticate the user in a number of scenarios depending upon the availability of biometric sensors.
Similarly, US Patent Application US 20080046366A1, "Method and system for providing biometric autlientication at a POINT-OF-SALE", relates to using voice calls to establish identity of the user at POS. In particular, the user is authenticated remotely by voice recognition technology and once authenticated the consumer information is transmitted using barcode. In the present invention, user's biometric is encoded in the bar code along with other information to validate a transaction. The bar code is scanned, decoded and the retrieved biometric is used for authenticating. Thus, the technical scheme of

authenticating the user and the usage of barcode is entirely different in the present invention.
Also, US Patent application US007614551B2, ^^Method and System for securely encoding and decoding biometric data into a memory device using a two dimensional symbol" is based on a memory device with biometric that is used to authenticate the user to provide access to the stored information in the memory device. It uses the biometric data to validate the user and provide access to the stored information in the memory device. However, in the present invention the biometric is used to create the barcode which is scanned by a bar code scanner for decoding the biometric to authenticate the user. Also, the user is authenticated and the user information encoded in the barcode is in turn used for further processing.
Summary
The preferred embodiments of the present invention provide a method and system for performing secure data transfer using biometric authentication means.
An embodiment of the invention provides a mobile server to securely register a user's biometric and mobile number, a client application to generate a unique, secure identification tag in the form of a two-dimensional barcode, multiple Point of Sale (POS) terminals for reading and/or scanning the generated barcode and a server unit for performing biometric authentication.
In another embodiment of the Invention a biometric sensor is available on a mobile device for capturing biometric data.
In another embodiment of the invention biometric sensors are available on multiple Point of Sale (POS) terminals for capturing biometric data.
In another embodiment the client application is configured to generate a unique biometric identification tag.
In yet another embodiment, the server unit is comprises of a data repository to store registered biometric data for subsequent authentication.
Brief Description of the Drawings
Figure 1 iliustrates an exemplary architecture of the system.
Figure 2 illustrates an exemplary process flow diagram for Local authentication mode.
4

Figure 3 illustrates an exemplary process flow diagram for remote authentication mode with biometric sensor.
Figure 4 illustrates an exemplary process flow diagram for remote authentication mode without biometric sensor.
Detailed Description
The various features of the preferred embodiment of present invention together with its objects and advantages thereof may be best understood by reference to the description taken in conjunction with the accompanying schematic drawing(s).
Now referring to Figure 1, to explain an exemplary architecture used to achieve objectives of the present invention.
The authentication system of the present Invention comprises of, but not limited to, three configured devices namely a plurality of wireless device(s) [101] point of sale terminals [102] and Server Unit [103].
The preferred embodiment of the wireless device [101] of the present device is a cellular phone but may include any other electronic devices capable of communicating with other communication devices (wired or wireless).
The wireless device [101] of the present invention comprises of at least a processor that is configured to execute predefined operations, including but not limited to downloading and hosting a client utility [111] or client application [111].
The client utility [111] includes preconfigured components that enable the wireless device [101] to optionally capture and match one set of biometric data with another and carry out other related tasks.
The client utility [111] also allows the wireless device [101] to generate a unique identification tag or a barcode based on predetermined criteria. The unique identification tag or the barcode so generated, in a preferred embodiment represents one set of biometric data.
The various components of the client utility [111] include
- Biometric SDK module [112] or [131]: Biometric SDK acts as an We/face’ that end’s sensors (if present on a wireless device or a point of sale terminal or a server unit) to capture biometric data. It integrates

with client utility [111] for capturing, processing of biometric data and for template creation and template matching of one set of freshly captured biometric data with another set of registered said biometric data.
On registration, captured biometrics can be stored in a memory unit (not shown), e.g. SIM (Subscriber Identity Module) of the wireless device [101].
- Cryptography SDK module [113]: This module allows for securing of captured Biometric template, so that the information In biometric template cannot be easily leaked or compromised. It employs well known techniques for the same.
- Barcode Generator [114]: This module is configured to generate a unique identification tag or barcode comprising of a unique no. associated with the wireless device to uniquely identif/ the wireless device, biometric data, a unique transaction identification tag, and data to be exchanged.
As mentioned earlier, the wireless device [101] in a preferred embodiment Is a mobile phone and the unique number associated with the wireless device / mobile phone is a mobile number.
Similarly, Point of sale terminals [102] comprise of following components
- Scanning Unit [121] is integrated with Point of sale devices [102] and
in most embodiments is a hardware device. Scanning unit [121] allows
for scanning of the identification tag/barcode from the wireless device
[101] and mostly is a contact less operation.
The scanned data [including biometric data] can be forwarded to the server unit [103] for further processing and authentication purposes.
- Sensing Unit [122]: allows for capturing of data, preferably biometric
data and is integrated with point of sale terminals [102] when remote
authentication is to be performed.
Also, Server unit [103] comprises of components that are configured to perform a match of registered biometric data with freshly captured biometric data and validate information from two dimensional barcode.
The components of Server unit [103], comprises of
- Biometric SDK [131]: This module, when present on a server unit
[103] enabies a utility, residing on server unit to capture, process, and
create templates representing one set of biometric data and for matching

of captured biometric data with another set (registered set) of biometric data.
Registered biometrics, in two cases of remote authentication is stored in the database [135], also referred to as a data repository [135].
- Cryptography SDK [132]: This module, when on a server unit [103] allows for securing of captured biometric template/data using well known cryptographic techniques.
- Registration and Packaging Unit [133]: is coupled with Biometric SDK module [131] and is configured to perform user registration by capturing user information i.e. biometric data, along with a unique no. associated with the wireless device e.g. Mobile No.
Once the registration process is complete, client utility is packaged by the server unit [103] and is made available for users to download on the wireless device [101]. In case of remote authentication, biometric data of a user is also packaged with the client utility [111].
- Authentication Module [134]: is the central unit of server unit [103]
and integrates with all other server components to validate a user and the
associated identification tag/barcode.
The present invention broadly operates in three authentication modes:
1) Local Authentication Mode:
This mode is In use, when a plurality of biometric sensors [117] are available on the wireless device [101].
In local authentication mode, the system of performing secured data exchange comprises of wireless device that includes a plurality of sensing means to capture one set of biometric data. The utility is configured to register one set of biometric data, to make a fresh capture of biometric data as a second set of biometric data and thereafter match the second set of biometric data with one set of biometric data to optionally generate and encrypt a unique biometric identification tag The biometric identification tag so generated is based on predetermined criteria. In a preferred embodiment, the predetermined criterion includes one set of biometric data and a number uniquely associated with the wireless device.
Here, client utility [111] Is downloaded and installed on the wireless device [101]. The client utility [111] is configured to allow the user to register biometric data only once. During registration, the biometric data is checked for
7

predefined quality characteristics and is stored securely on the wireless device [101].
For subsequent authentication, a unique identification tag or barcode is generated by making a fresh capture of the user's biometric and the same is matched with the registered biometric. If the two set of biometric data match, the client utility [111] generates a unique two-dimensional barcode based on a number uniquely associated with the device, e.g. mobile number.
The unique barcode so generated is used for authenticating a mobile transaction.
2. Remote Authentication With biometric sensors (On Point of Sale Terminals):
This mode of biometric authentication Is applicable when biometric sensors are available on a Point of Sale Terminal(s) (and not on wireless devices).
In Remote Authentication With biometric sensors, the system of performing secured data exchange comprises of a server unit configured to register a one set of biometric data, a wireless device configured to download the client utility comprising of said one set of biometric data from the server unit and to generate and encrypt a unique biometric identification tag based on predetermined criteria (as described above). Such a system further comprises of a terminal device comprising of a plurality of sensing means configured to capture a second set of biometric data. The terminal device is further configured to forward said first set of biometric data and second set of biometric data to the server unit. The server unit in turn is configured to decrypt and perform a match of said one set of biometric data with the second set of biometric data, to perform said biometric authentication.
In this embodiment, user is allowed to register biometric data and an associated unique no. E.g. mobile number, at the Server unit [103]. Here also, during registration, the captured biometric data is checked for predefined quality characteristics. However, it is not stored at the data repository [135].
For authenticating a subsequent transaction, a user presents the unique two-dimensional barcode generated by the client utility [111] at the Point of Sale Terminals [102]. The unique two-dimensional barcode includes the user's registered biometric template.
Hence, the user's biometric is captured at the Point of Sale Terminals [102] and forwarded to the server unit [103] along with two-dimensional barcode information.

The server unit [103] in turn is configured to match both set of biometric data i.e. biometric data from barcode with that of point of sale terminal [102].
If a successful match is made, the mobile transaction is authenticated.
3.) Remote Authentication without Biometric Sensor: This mode of biometric authentication is possible, when a biometric is not available on wireless device [101] or point of sale terminal [102].
In Remote Authentication Without biometric sensors mode, the system of performing secured data exchange comprises of a server unit that is configured to register and store one set of biometric data in a data repository, a wireless device that is configured to download the client utility comprising of said one set of biometric data from the server unit and to generate and encrypt a unique biometric identification tag based on predetermined criteria. Such a configured system further comprises of a terminal device configured to scan and forward a second set of biometric data from said biometric identification tag to the server unit. The server unit as always is configured to decrypt and perform a match of said one set of biometric data with the second set of biometric data, to perform said biometric authentication.
Here, the user is allowed to register biometric data and an associated unique number e.g. mobile no. on the server unit [103] by using any of supported biometric sensors available.
As always, during registration, captured biometrics is checked for quality and stored securely on the server unit [103].
Thereafter a client utility [111] comprising of the registered biometric data is downloaded on to the wireless device.
To carry out biometric authentication of a mobile transaction, the user presents the unique two-dimensional barcode generated by the client utility [111] and based on an associated unique number e.g. mobile number, the unique two-dimensionai barcode also includes a user's registered biometric template.
At the Point Of Saie terminal, the two dimensional barcode information is scanned and sent to the server unit [103]. The server unit [103] performs a match of both biometric data from barcode with that of data repository [135].
If the two set of biometric data match, then validity of the barcode is established and the transaction Is authenticated.

In a preferred embodiment of the present system, the client utility includes means to interface with said plurality of sensors of the wireless device to capture process and match biometric data. The biometric data is stored in a memory unit after being registered. Also, the client utility is configured to encrypt and compress biometric data.
The unique biometric identification tag so generated comprises of a unique embedded barcode that is unique no. associated with the wireless device to uniquely identify the wireless device, biometric data, a unique transaction identification tag, and other data to be exchanged comprising of a unique no. associated with the wireless device to uniquely identify the wireless device, biometric data, a unique transaction identification tag, and related data that needs to be exchanged.
Figure 2 illustrates an exemplary process flow diagram for Local authentication mode.
In local authentication mode, one set of fresh biometric data of a user is captured [211] at a wireless device [201]. The captured biometric data is matched with registered/enrolled biometric data [212]. If the two set of biometric data match, then a unique identification tag is generated. In a preferred embodiment, the unique identification tag is barcode. The unique identification tag/barcode comprises of an encrypted unique ID i.e. a unique number associated with the wireless device e.g. mobile number and encrypted biometric data.
At the time of performing a transaction, the identification tag/bar code is scanned at a point of sale terminal [202] and the scanned information is sent to a server unit [203]. The server unit [203] is optionally configured to match [217] the biometric data of barcode with the biometric data stored in a data repository at server unit [203]. If the match is successful, the biometric data from scanned barcode is validated [218] by decrypting the unique number from It. The validated information i.e. barcode Is sent back to Point Of Sale terminal [202] for authenticating [216] the transaction.
Figure 3 illustrates an exemplary process flow diagram for remote authentication mode with biometric sensor.
Here, an identification tag/barcode comprising an encrypted unique number associated with the wireless device [301] and encrypted biometric data is generated [311] at the wireless device [301]. Thereafter the barcode/identification tag so generated Is scanned [312] at a Point Of Sale Terminal [302]. One set of fresh biometric data is captured [313] from the scanned barcode and the information is sent [314] to a server unit [303].
10

At the server unit [303], biometric data from point of sale terminal [302] is matched [316] with the biometric data from the barcode. If a correct match is made then the biometric information is validated [317] by decrypting a unique identification number from the barcode. Thereafter, the validated information is sent [318] to the point of sale terminal [302] for authenticating [315] the transaction,
Figure 4 illustrates an exemplary process flow diagram for remote authentication mode without biometric sensor.
Here, an identification tag/barcode comprising an encrypted unique number associated with the wireless device [401] and encrypted biometric data is generated [411] at the wireless device [401]. Thereafter the barcode/identification tag so generated is scanned [412] at a Point Of Sale Terminal [402] and the information is sent [413] to a server unit [403].
At the server unit [403], biometric data from data repository is matched [415] with the biometric data from the barcode. If a correct match is made then the biometric information from the barcode is validated [416] by decrypting a unique identification number from the barcode. Thereafter, the validated information is sent [417] to the point of sale terminal [402] for authenticating [414] the transaction.
The present invention is not intended to be restricted to any particular form or arrangement, or any specific embodiment, or any specific use, disclosed herein, since the same may be modified in various particulars or relations without departing from the spirit or scope of the claimed invention herein shown and described of which the apparatus or method shown is intended only for illustration and disclosure of an operative embodiment and not to show all of the various forms or modifications in which this invention might be embodied or operated.
We Claim
1. A system for performing secured data exchange in a network environment, said system comprising
- a wireless communication device comprising a processor configured to download and host a client utility configurable to generate a unique biometric identification tag based on predetermined criteria, said biometric identification tag representing at least one set of biometric data;
- a plurality of terminal devices coupled with said wireless device and configured to interpret and redirect said one set of biometric data;

- a server unit coupled with said terminal devices, configurable to receive said one set of biometric data and host a second set of biometric data , said server unit comprising of a processor configured to compare said second set of biometric data with said one set of biometric data for performing said biometric authentication.
2. A system for performing secured data exchange as claimed in claim 1, wherein the wireless device comprises of a plurality of sensing means to capture one set of biometric data , said utility configured to register a said one set of biometric data, to make a fresh capture of biometric data as a second set of biometric data and match the second set of biometric data with said one set of biometric data to optionally generate and encrypt a unique biometric identification tag based on predetermined criteria.
3. A system for performing secured data exchange as claimed in claim 1, said system comprising a server unit configured to register a one set of biometric data , a wireless device configured to download the client utility comprising of said one set of biometric data from the server unit and to generate and encrypt a unique biometric identification tag based on predetermined criteria, a terminal device comprising of a plurality of sensing means configured to capture a second set of biometric data , said terminal device configured to forward said first set of biometric data and second set of biometric data to the server unit, wherein said server unit is configured to decrypt and perform a match of said one set of biometric data with the second set of biometric data, to perform said biometric authentication.
4. A system for performing secured data exchange as claimed in claim 1, said system comprising a server unit configured to register and store a one set of biometric data in a data repository, a wireless device configured to download the client utility comprising of said one set of biometric data from the server unit and to generate and encrypt a unique biometric identification tag based on predetermined criteria, a terminal device configured to scan and forward a second set of biometric data from said biometric identification tag to the server unit, wherein said server unit is configured to decrypt and perform a match of said one set of biometric data with the second set of biometric data, to perform said biometric authentication.
5. A system for performing secured data exchange as claimed in claim 2, wherein said client utility comprises means to interface with said plurality of sensors of the wireless device to capture process and match biometric data, said biometric data being stored in a memory unit after being registered.
12

6. A system for performing secured data exchange as claimed in claim 1,1, 3 and 4 wherein said client utility is configured to encrypt and compress biometric data.
7. A system for performing secured data exchange as claimed in claim 1, 2, 3 and 4 wherein said biometric identification tag comprises of a unique embedded barcode, said barcode comprising of a unique no. associated with the wireless device to uniquely identify the wireless device, biometric data, a unique transaction identification tag, and reiated data to be exchanged.
8. A system for performing secured data exchange as claimed in claim 1 and 3, wherein said terminal device comprises of

- a scanning unit to scan said biometric identification tag and;
- optional sensing means.
9. A system for performing secured data exchange as claimed in claim 1 , 2,3
and 4 wherein said predetermined criteria comprises of - said one set of
biometric data and
- a number uniquely associated with the wireless device.
iO. A system for performing secured data exchange as claimed in claim 1, 2, 3 and 4, wherein said server unit comprises of
- means to capture, process, and for template creation;
- means to secure biometric templates ;
- means to register a user by capturing one set of biometric data and a number uniquely associated with the wireless device; build a client utility configurable to be received at said wireless device, said client utility optionally comprising one set of biometric data and
- authentication means to validate the second set of biometric data by matching one set of biometric data with said second set of biometric data to perform said biometric authentication.
11.A method for performing secured data exchange in a network environment, the ,method comprising the steps of
- downloading and hosting a client utility configurable to generate a unique biometric identification tag on a wireless communication device, based on predetermined criteria , said biometric identification tag representing at least one set of biometric data;
- interpreting and redirecting said one set of biometric data by a plurality of terminal devices coupled with said wireless device;
- receiving said one set of biometric data and hosting a second set of biometric data by a server unit coupled with said terminal devices, said
13

server unit comprising of a processor configured for comparing said second set of biometric data with said one set of biometric data for performing said biometric authentication.
12. A method for performing secured data exchange as claimed in claim 11, wherein the wireless device comprises of a plurality of sensing means for capturing said one set of biometric data, said utility being configured for registering said one set of biometric data, for making a fresh capture of biometric data as second set of biometric data and for matching the second set of biometric data with said one set of biometric data for optionally generating and encrypting a unique biometric identification tag based on predetermined criteria.
13.A method for performing secured data exchange as claimed In claim 11, wherein said server unit is configured for registering one set of biometric data, said wireless device is configured for downloading the client utility comprising of said one set of biometric data from the server unit and for generating and encrypting a unique biometric identification tag based on predetermined criteria, said terminal device comprising of a plurality of sensing means configured for capturing a second set of biometric data , said terminal device configured for forwarding said first set of biometric data and second set of biometric data to the server unit, said server unit being configured for decrypting and performing a match of said one set of biometric data with the second set of biometric data for performing said biometric authentication.
14. A method for performing secured data exchange as claimed in claim 11 wherein server unit is configured for registering and storing one set of biometric data in a data repository, wireless device is configured for downloading the client utility comprising of said one set of biometric data from the server unit and for generating and encrypting a unique biometric identification tag based on predetermined criteria , the terminal device is configured for scanning and forwarding a second set of biometric data from said biometric identification tag to the server unit, said server unit is configured for decrypting and performing a match of said one set of biometric data with the second set of biometric data, for performing said biometric authentication.
15. A method for performing secured data exchange as claimed in claim 12, wherein said client utility comprises means for interfacing with said plurality of sensors of the wireless device for capturing, processing and matching biometric data, said biometric data being stored in a memory device after being registered.
14

16.A method for performing secured data exchange as claimed in claim 11, 12, 13 and 14 wherein said client utility is configured for encrypting and compressing biometric data.
17. A method for performing secured data exchange as claimed in claim 11, 12, 13 and 14 wherein said biometric identification tag comprises of a unique embedded barcode, said barcode comprising of biometric data, a unique no. associated with the wireless device to uniquely identify the wireless device, a unique transaction identification tag, and related data to be exchangedr
18.A method for performing secured data exchange as claimed in claim 11 and 13 , wherein said terminal device comprises of
- scanning unit for scanning said biometric identification tag and;
- optional sensing means.
19.A method for performing secured data exchange as claimed in claim 11,12,13 and 14 wherein said predetermined criteria comprises of - said one set of biometric data and - a number uniquely associated with the wireless device.
20. A method for performing secured data exchange as claimed in claim 11, 12, 13 and 14, wherein said server unit comprises of
- means for capturing, processing, template creation;
- means for securing biometric templates ;
- means for registering a user by capturing one set of biometric data and a number uniquely associated with the wireless device; building a client utility configurable for reception at said wireless device, said client utility optionally comprising one set of biometric data and
- authentication means for validating the second set of biometric data by matching one set of biometric data with said second set of biometric data for performing said biometric authentication.
Dated this 04th day of November 2010
Of Anand and Anand/ Advocates Agents for the Applicants