PROCEDURE AND DEVICE FOR THE PROTECTION OF A DOCUMENT WITH INSERTED SIGNATURE IMAGE AND BIOMETRIC DATA IN A COMPUTER SYSTEM
The present invention concerns a method for protecting a document with an inserted signature image and, where applicable, biometric data in a computer system, as well as a correspondingly operating computer-based signature system with which a document can be signed biometrically and electronically and then provided as a secure file with the inserted signature or signature image and archived safe from manipulation. The invention further concerns a method for the in-house verification of a document that was secured by the aforementioned method and encrypted in a particular way. Finally, the present invention also concerns a method for checking the authenticity of a signed document that was secured according to one of the preceding methods. Nowadays it is increasingly necessary to provide a signed document in an audit-proof form. The so-called biometric electronic signature, or handwritten signature, has the advantage that the media discontinuity, i.e. the printout on paper for signing, is avoided. In addition, a biometric characteristic cannot, for example, be transferred, stolen or forgotten, as is possible with a signature. The signature is a clear declaration of intent and a procedure for recording intent that has been recognized for a long time. The biometric electronic signature does not actually change this customary signing procedure; however, the signer does not have to be a member of a so-called trust center, as is necessary with some digital signature procedures. Moreover, the handwritten biometric electronic signature can, for example, be examined by a handwriting expert and also compared with signatures on paper; the same applies to a biometric electronic signature by means of a fingerprint or voice sample etc., whose characteristics can likewise be examined by recognized experts according to long-established methods. In particular, the law passed in the Federal Republic of Germany, for example,
regulates the framework conditions for all paperless signature procedures, such as the digital signature, the electronic signature as used in connection with so-called smart cards, and the biometric electronic signature relevant here. This law is based on the European Union directive on electronic signatures and thereby replaces the 1997 law on digital signatures, which was limited to Germany alone. Thus a Europe-wide basis has been created on which products for the electronic signature can be used across national borders. It is assumed that in this way the electronic signature will gain a wide foothold in Europe. Accordingly, large enterprises now map their internal workflow almost exclusively electronically. The interface to the "outside world", for example field representatives such as insurance agents, has however so far remained paper-bound nearly everywhere. Studies have shown that for each dollar spent on the production of paper, a further 30 to 60 dollars result for its further processing. The biometric electronic signature thus offers enterprises the possibility of having electronic documents signed electronically as well. Despite all efforts, the biometric electronic signature of an external person could so far not be merged into an electronic workflow by electronic procedures without a media discontinuity. This was connected with the legal situation valid until recently as well as with previous solutions. The electronic signature capture devices known so far now permit every end customer, without having to possess special equipment or a certificate, to make an unmistakable declaration of intent that is transferred directly to an electronic document as a biometric electronic signature. This form of biometric signature already enjoys high acceptance among the population today (e.g.
in the form of the handwritten electronic signature), not least due to the well-known parcel delivery services; however, the doubts among the population regarding abuse and manipulation are still very high for signatures that concern the signing of contracts etc. Nevertheless, the biometric electronic signature is gaining ever more significance. From the simple receipt to the complex contract system, the biometric signature can no longer be excluded from everyday life. For this, however, the precautions against manipulation of a biometrically signed electronic document still have to be improved. It is by now well known to integrate the handwritten electronic signature into the process chain of digital document production. In the interest of order, various terms important for the present invention are defined in the following. The technical problem underlying the present invention consists in providing a method and a device with which an electronic document containing an integrated biometric electronic signature can be archived securely and protected from any abuse. In addition, according to a further aspect of the present invention, the checking of the authenticity of this document is to be ensured, and moreover no possibility of abuse is to exist in an enterprise when such documents are sent to the enterprise electronically by, for example, field representatives. According to a first aspect of the present invention, this technical problem is solved by a method for protecting a document with an inserted signature image in a computer system, in which the document is provided as a file in a certain data format. In a further step, the signature image to be assigned to this document and, optionally, further biometric data of the so-called biometric electronic signature are made available.
According to the method of the invention, the digital signature image is inserted into the document at the desired position. Now a first checksum is formed over the document with the inserted digital signature image and any existing biometric signature data, with the aid of a predetermined first hash function. The first checksum can be formed either over the file as such (file signature) or over the document content, i.e. the "visible/audible" data of the document (content signature), and additionally over the biometric data if present. In addition, a second checksum is formed over the document with the inserted digital signature image with the aid of a predetermined second hash function; again either over the file as such (file signature) or over the document content, i.e. the "visible/audible" data of the document (content signature), see also Fig. 5b. A genuine random value is also generated. Thereupon the first checksum and any existing biometric data are encrypted symmetrically. The key for this symmetric encryption is the sum of the second checksum and the generated random value. Next, the generated random value is encrypted asymmetrically with a first public key of a first key pair, which consists of a first private key and an associated first public key. Finally, the symmetrically encrypted first checksum and the asymmetrically encrypted random value are attached to the document. The latter is done differently depending on the file type of the electronic document. In a PDF document the data are stored either in a custom tag, in an object or in a signature container (PDF object for signatures) (see also the PDF specification). In the case of a TIFF file the data are written either at the end of the data stream in the file or alternatively into the TIFF tags (see the TIFF specification). With XML documents the data are stored in an appropriate XML tag in the XML file.
With HTML files this can be done, for example, behind a comment tag. In general this method can be applied to all files, e.g. also audio files; a condition is however that the added (encrypted) data and checksums are integrated into the file in such a way that it remains standard-conformant, i.e. that a PDF, for example, can still be displayed without error in an appropriate viewer program and a signed audio file can still be played with appropriate standard playback devices. Such a computer-implemented method for protecting an electronic document into which an associated biometric electronic signature is inserted offers for the first time the advantage that even the actual operator and user of the method cannot change or manipulate this document, provided the private keys used are deposited with a third party such as a notary. Thus an extremely secure archiving of this document and the associated signature is possible. Also in communication between field representatives and enterprises such a document can be sent securely against access. Altogether, the document output after the method has run is more secure against changes by third parties than previous solutions. It can now be ensured for the first time with very high certainty that the document was not changed after signing. The check of data integrity is also applicable as judicial evidence and thus places the document on a par with a hand-signed document with respect to the check of its authenticity. A further advantage of the proposed method according to the invention is that it is also easily possible to integrate several signatures on the same document. In this exemplary embodiment of the present invention, if several signatures are to be made on the same document, steps b) to h) are thus run through as many times as signatures are to be made. The number of hash functions should be increased accordingly.
In the following, a further exemplary embodiment of the present invention is described which can be used if several signatures are to be made on a single document. First, a signature is inserted according to the operational sequence represented in Figs. 4 to 6. When inserting a second (or an n-th) signature, one proceeds as follows. First the integrity of the document is checked (in addition, if necessary, the in-house check of the kind described before is carried out, for which one needs the second public key or, if necessary, the second private key). If this check passes, the encrypted Doc Hash can be removed from the document. Alternatively, the encrypted Doc Hash can later be stored with the second encrypted data of the new signature. Afterwards one proceeds as follows. First, a Hash2 is formed over the document; if the document has not been changed since the first signature, the same Hash2 must result as was used in the encryption of the first signature. This Hash2 is now called Hash2Before. Now the Hash2Before is attached to the document together with the biometric data of the second signature, and the digital signature image is inserted. Then a new Hash1 is formed over the document content, the contained digital signature images and the biometric data of the new signature. So far this resembles the procedure for the first signature, but a different checksum naturally results due to the different biometric data and the added second digital signature image. In addition, the old Hash2Before stored with the new biometric data and the encrypted block of the preceding signature are included in this Hash1. Then the block consisting of the new biometric data, the new Hash1 and Hash2Before is encrypted symmetrically; the asymmetrically encrypted random key of the previous signature is likewise placed into the symmetrically encrypted block.
If necessary, the asymmetrically encrypted Doc Hash can also be stored in the symmetrically encrypted data block, in order to be able, by means of the key of the second key pair used for encrypting this Doc Hash, to draw conclusions about the location and/or person. As the key for the symmetric encryption, again (as with the first signature) the sum of the new Hash2 and a new random key is used. Afterwards the document thus contains an encrypted block of the first signature, which contains the biometric data and the first Hash1. Then comes a further encrypted block of the second signature, which contains the biometric data of the second signature, the pertinent Hash1, the Hash2 of the previous signature (Hash2Before) and (again) the encrypted random key of the first signature. Then comes the asymmetrically encrypted random key that is needed for decrypting the second signature. The Doc Hash is subsequently formed, as schematically represented in Fig. 6, over the content of the document and the encrypted data contained in (or added to) it. To insert further signatures, one now proceeds again as described above. The check of a document with several signature images can take place, for example, as follows: for the check one must decrypt the random key or random value of the last signature. Then one can carry out the check with the aid of the pertinent Hash1. Subsequently, one can decrypt the random key of the preceding signature from the symmetrically encrypted data block of the preceding signature with the aid of the Hash2Before (which can be found in the data block of the signature already decrypted), and then decrypt this (again asymmetrically encrypted) random key with the appropriate private key.
If this signature is not the first one in the document, this procedure is continued in the same way with the next signature (then the symmetrically encrypted block again contains a Hash2Before and the asymmetrically encrypted random key of the preceding signature). The PrivateKey1 used for encrypting the random key is as a rule always the same (at least as long as all signatures were added on the same computer); it can however differ in each case, e.g. if the first signature was made with one software on one computer and the second with another software on another computer. For the check, then, all private keys must be present if necessary. The great advantage of this method over the method described initially is that one can, for example, already seal the first signature securely asymmetrically (in order to dispatch the document for obtaining a second signature) and nevertheless still insert one or more further signatures. Therefore the check of the document with the aid of Hash1 is only possible for the last signature; if however one succeeds in decrypting the checksums of the respectively preceding signature with the aid of the appropriate Hash2Before, one knows with absolute certainty that the document cannot have been manipulated between the insertion of this signature and of the preceding signature, i.e. a secure validation of the signatures is achieved at the same time. For the sake of completeness it should also be noted that in a further exemplary embodiment of the present invention the individual hash functions can also be identical. If different hash functions are used, the appropriate hash functions must be used again accordingly when checking the authenticity of the document. In addition, information about the checksum functions used is deposited in the electronic document.
It is by now also well known that currently available signature pads not only supply the signature image in digital form but also make further biometric signature data available. Such biometric signature data can, for example, be dynamic data such as the pressure pattern applied by the signer to the signature pad while executing the signature. The recording takes place at a predetermined resolution in a given pressure unit. The time course of the signature as executed by the signer can also be recorded. Thus the time course is captured at a predetermined resolution in a given time unit with respect to a given coordinate system. Furthermore, further or other biometric quantities such as fingerprint, handprint, facial features, voice samples and iris and/or retina patterns of the signer can be captured and also used for identifying the signer. In a further exemplary embodiment of the present invention, taking the above explanations into account, the method according to the invention for protecting a document is extended such that biometric signature data are made available in digital form and merged into the respective electronic document. This is done differently depending on the electronic document; reference is made to the preceding remarks on the individual data types. Now a first checksum over the document and the digital signature image as well as the biometric signature data is formed with the aid of the predetermined first hash function. This step corresponds to step d) of the basic arrangement of a method according to the invention specified above. Accordingly, in step g) above the symmetric encryption is now carried out not only with the first checksum but also with the biometric signature data.
The key for this symmetric encryption is the sum of the second checksum and the generated random value. Then the symmetrically encrypted biometric signature data and the symmetrically encrypted first checksum are attached to the document. As described before, this is done differently depending on the electronic document file type; to avoid repetition, reference is made to the preceding remarks concerning the "appendices" of checksums etc. This further exemplary embodiment of the present invention has the advantage that a secure identification of the signature and the signer is still possible. Thus not only the digital signature image is assigned to the signer, but also, for example, the pressure pattern and/or the time course during execution of the signature. As previously mentioned, further and/or other biometric data can also be used for assigning the signature to the signer and used in the method according to the invention. An even further improved method for protecting a document with an inserted signature image in a computer system comprises, according to a further exemplary embodiment of the present invention, the following additional process steps: by forming a first total checksum and asymmetrically encrypting this total checksum with a second private or public key (depending on additional requirements for identification, e.g. of the assigned computing unit or of the owner of the second key pair, e.g. the field representative) of a second key pair, manipulation of the secured document in the manner described before is prevented even better.
For the first time, with a generic method for protecting a document with an inserted signature image, by asymmetric encryption with the aid of a second private key of a second key pair and by the asymmetrically encrypted first total checksum added to the document, an extremely good protection of the document is obtained and thus a document extremely well protected from changes is provided. As already mentioned initially, the first, second and third hash functions can differ in the exemplary embodiments of the present invention described before. In a further exemplary embodiment of the present invention it is also possible to choose these hash functions identically. The same applies to the further method according to the present invention, described later, for checking the authenticity of a signed document. For example, the following hash functions can be used in the methods according to the invention described before: SHA-256, SHA-384, SHA-516, RIPEMD-128, RIPEMD-160, Tiger. It is also conceivable, for example, that a user can select which of the available hash functions is to be used in the methods according to the invention described before. Such a function mode is meaningful, for example, if due to legal restrictions in certain countries not all hash functions can be offered, or if newer, more secure hash functions are to be used. In order to be able to identify the key pairs and hash functions used in later checks, appropriate information (the ID of the key pair used and the name of the checksum/hash function used) is stored invisibly in the document. This storage is effected similarly to the storage of the encrypted checksums and, if applicable, the encrypted biometric data within the file.
Finally, it should also be noted that in the different exemplary embodiments of methods according to the invention described before, for the step of symmetric encryption the encryption algorithm Blowfish with 448 bits, for example, can be used, and for the step of asymmetric encryption RSA with 128-1024 bits. Instead of asymmetric encryption according to RSA, however, other sufficiently known asymmetric encryption methods are also applicable; the same applies to the symmetric Blowfish algorithm. According to a further aspect, a method is made available for the in-house verification of a document whose checksums and, if applicable, biometric data were encrypted according to one of the methods according to the invention described before. Such a computer-implemented verification method comprises forming a second total checksum over the entire document with the digital signature image inserted in it and the respectively added appendices, with the aid of the second hash function. Thereupon the step of decrypting the first total checksum added to the document takes place with the second public or private key (depending on additional requirements for identification, e.g. with respect to the assigned computing unit or the owner of the second key pair, e.g. the field representative, and the private or public key of the second key pair thereby selected for the encryption) of the second key pair. Finally, the formed second total checksum and the decrypted first total checksum are compared with one another. If the formed second total checksum and the decrypted first total checksum are identical, then the available document is with high certainty the document signed by the signer. If there is a difference between the two values, it is to be assumed that the document was manipulated.
This method according to the invention serves, as said, for in-house verification of whether a document underwent changes, for example during its transfer, and, if necessary, permits conclusions via the ID of the second key pair used for encryption about the person or equipment to which this key pair can be assigned. This first stage of the verification according to the invention, however, still permits no (or at least no secure) check of the person who signed this document and of their biometric data. That is the purpose of the methods described in the following for checking the authenticity of a signed document according to the present invention. According to a further aspect of the present invention, a method is provided for checking the authenticity of a signed document that was secured according to a method as described before. Such a checking method comprises forming a third checksum over the document, i.e. the file as such (file signature) or the document content, i.e. the "visible" data of the document (content signature), with the signature image inserted in it. Then the random value is decrypted with the aid of the private key of the first key pair (deposited with the notary, if applicable). The sum of the third checksum and the random value is then used to decrypt the symmetrically encrypted checksum over the document and the biometric data added if applicable, as well as the biometric data encrypted together with this checksum if applicable. If the document was changed in the meantime, this decryption can no longer take place, since then the checksum needed for the decryption is different from the one used for the encryption.
Now a checksum is formed over the document with the inserted signature image and any existing biometric signature data; either over the file as such (file signature) or over the document content, i.e. the "visible/audible" data of the document (content signature), and additionally over the biometric data if present. If this checksum agrees with the decrypted checksum, it is certain that neither the document nor the biometric data contained in it were changed after the signing procedure. Now the biometric data can be handed over to an appropriate expert (e.g. a handwriting expert) for identification of the person. A further aspect of the present invention concerns a signature system for signing a document and for providing a secure file with an inserted digital signature image or signature picture. Such a computer-assisted signature system comprises, on the one hand, a signature device, a data processing device which is in encrypted communication connection with the signature device, and an output interface. The signature device forming part of the signature system consists at least of a signature capture window on which a signature is to be made by means of a writing device, and a signature data capture device with which, besides the signature image, optionally also biometric signature data are captured. The signature data captured by means of this device comprise at least the coordinates of the signature made on the signature capture window, at a predetermined resolution in a given coordinate system. Alternatively, it can also be a signature capture device which captures other biometric data, e.g. by means of a fingerprint scanner or a camera etc., and conveys these data to the data processing device in a secured, e.g. encrypted, form.
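The following Python script is an added example, not the patent's own code, that models in one place the sealing steps of the first aspect (Hash1, Hash2, random value, symmetric block, random value under the first public key), the total checksum under the second key pair, the in-house check and the authenticity check described above. Everything beyond the page is an assumption and is marked as such in the comments: the "sum" of Hash2 and the random value is taken as integer addition mod 2^256; Blowfish is replaced by an HMAC-SHA256 keystream; RSA is a textbook toy over fixed Mersenne primes; the document is a byte string with the signature image appended, and the appendices sit in a dict rather than a PDF, TIFF or XML tag. The function names (`seal`, `check`, `toy_keypair`, `sym_crypt`, `derive_key`, `run_demo`) and the sample document, image and biometric record are constructed for the example.

```python
"""Toy model of the sealing and checking procedure (added example, not the
patent's own code).  Assumptions, all marked as such:
- "sum of Hash2 and the random value" is read as integer addition mod 2**256;
- the symmetric cipher (Blowfish on the page) is an HMAC-SHA256 keystream;
- the asymmetric cipher (RSA on the page) is textbook RSA over fixed Mersenne
  primes, a demonstration toy only;
- the "document" is a byte string, the signature image is appended to it, and
  the appendices live in a dict instead of a PDF/TIFF/XML tag."""
import hashlib
import hmac
import secrets


def toy_keypair(p=2**127 - 1, q=2**521 - 1, e=65537):
    """Textbook RSA pair from fixed primes (toy). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, value: int) -> int:
    """Encrypt with one half of the pair, decrypt with the other."""
    n, exp = key
    return pow(value, exp, n)


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream; one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def h(data: bytes) -> bytes:
    """First, second and third hash function are chosen identical here (SHA-256)."""
    return hashlib.sha256(data).digest()


def derive_key(hash2: bytes, rnd: int) -> bytes:
    """Symmetric key = Hash2 + random value (integer addition, an interpretation)."""
    return ((int.from_bytes(hash2, "big") + rnd) % 2**256).to_bytes(32, "big")


def seal(document: bytes, sig_image: bytes, biometric: bytes, pub1, priv2):
    """Insert the image, form Hash1/Hash2, encrypt, add the total checksum."""
    doc = document + sig_image                       # signature image inserted
    hash1 = h(doc + biometric)                       # over doc, image and biometric data
    hash2 = h(doc)                                   # over doc and image only
    rnd = secrets.randbits(64)                       # genuine random value (CSPRNG here)
    block = sym_crypt(derive_key(hash2, rnd), hash1 + biometric)
    rnd_enc = rsa_apply(pub1, rnd)                   # random value under the first public key
    total = h(doc + block + str(rnd_enc).encode())   # total checksum over doc + appendices
    total_enc = rsa_apply(priv2, int.from_bytes(total, "big"))  # second private key
    return doc, {"block": block, "rnd": rnd_enc, "total": total_enc}


def check(doc: bytes, appendix: dict, priv1, pub2):
    """Return (in_house_ok, authentic, recovered biometric data or None)."""
    # In-house check: recompute the total checksum, compare with the decrypted one.
    total = h(doc + appendix["block"] + str(appendix["rnd"]).encode())
    in_house_ok = rsa_apply(pub2, appendix["total"]) == int.from_bytes(total, "big")
    # Authenticity check: recover the random value with the first private key,
    # rebuild the key from a fresh Hash2, decrypt the block, recompute Hash1.
    rnd = rsa_apply(priv1, appendix["rnd"])
    plain = sym_crypt(derive_key(h(doc), rnd), appendix["block"])
    stored_hash1, biometric = plain[:32], plain[32:]
    authentic = hmac.compare_digest(stored_hash1, h(doc + biometric))
    return in_house_ok, authentic, (biometric if authentic else None)


# Constructed sample input (placeholders, not real documents or pad output).
DOCUMENT = b"Purchase contract no. 4711 ... (constructed sample document)"
SIG_IMAGE = b"<placeholder for the PNG bytes of the signature image>"
BIOMETRIC = b"pressure=[12,40,55,30] time=[0,15,30,45] (constructed)"


def run_demo():
    """Seal once, then check the intact copy and a tampered copy."""
    pub1, priv1 = toy_keypair()                                  # first pair (notary holds priv1)
    pub2, priv2 = toy_keypair(p=2**89 - 1, q=2**607 - 1)         # second pair (field device)
    doc, appendix = seal(DOCUMENT, SIG_IMAGE, BIOMETRIC, pub1, priv2)
    intact = check(doc, appendix, priv1, pub2)
    tampered = check(doc.replace(b"4711", b"4712"), appendix, priv1, pub2)
    return intact, tampered


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact  :", good[:2], good[2])
    print("tampered:", bad[:2], bad[2])
```

Two properties of the scheme are visible in the toy: the sealing side never needs the first private key (it only holds `pub1`), so whoever deposits `priv1` with the notary is the only party able to open the biometric block; and a one-byte change to the document fails both checks independently, first because the recomputed total checksum no longer matches the value under the second key pair, and second because the wrong Hash2 yields the wrong symmetric key, so the decrypted Hash1 cannot match a freshly computed one.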
The data processing device, for example a computer to which the signature device of the signature system according to the invention is attached, comprises at least the devices specified in the following. Thus a storage facility is present in which the document and the signature data are to be stored. Furthermore, a first checksum-forming device is present with which a first checksum over the document and any added biometric signature data is to be formed with the aid of a predetermined first hash function. In addition, a second checksum-forming device is present with which a second checksum over the document with the digital signature image inserted into it is to be formed with the aid of a second hash function. By means of a genuine random-number generator integrated in the data processing device, a random value is generated. In addition, the data processing device of the signature system according to the invention comprises a symmetric encryption device and an asymmetric encryption device. The symmetric encryption device is designed to carry out a symmetric encryption of the first checksum and any existing biometric signature data, the key for the symmetric encryption being the sum of the second checksum and the random value generated by means of the random-number generator. The asymmetric encryption device is designed to encrypt a provided total checksum asymmetrically with a second private key of a second key pair. The total checksum is the checksum over the document with the digital signature image inserted in it and the invisibly added appendices, formed with the aid of a predetermined third hash function. It should be noted that this second private key is part of a key pair which also comprises an associated second public key.
Finally, the output interface of the data processing device of the signature system according to the invention is designed such that the document with the inserted visible digital signature image and the invisible appendices is made available at this output interface. Such documents can then easily be dispatched also over external networks such as the Internet. A further exemplary embodiment of a signature system according to the invention comprises a signature data capture device which captures, besides or instead of the coordinates of the signature made on the signature capture window, also further or other biometric data. These further and/or other biometric data can concern, for example, the characteristics specified before. In particular, such a signature data capture device thus comprises at least the following devices: a pressure capture device, a time-course capture device, or a fingerprint capture device, or a handprint capture device, or a face capture device, or a voice sample capture device, or an iris and/or retina capture device, or a combination of several of these. The capture devices mentioned were already described in more detail before with regard to their arrangement and mode of operation in connection with the methods according to the invention. The iris and/or retina capture device mentioned is designed such that it captures at least certain areas of the iris and/or retina of a certain eye of the signer who made the signature, at a predetermined resolution in a given coordinate system. A further exemplary embodiment of the present invention provides that the further devices specified above for capturing further biometric data are protected against manipulation from outside at least by an encrypted transmission and a traceable hardware ID.
Thus it is prevented that foreign bodily characteristics, which do not belong to the signer, are assigned to the signature made by the signer. In particular, such additional devices for capturing further biometric data can be accommodated, for example, in a housing which is also designed as the signature device, for example as a signature pad or a signature pad enclosure. Finally, a further aspect of the present invention also comprises a computer-readable medium with instructions present on it that are executable by a computer and cause the computer system to carry out a method for protecting a document with an inserted signature image as described before. A further aspect of the present invention concerns a computer-readable medium with instructions present on it that are executable by a computer and cause the computer system to carry out the method for the in-house verification of a document that was encrypted according to one of the methods according to the invention described before. Finally, according to a further aspect, the present invention concerns a computer-readable medium with instructions present on it that are executable by a computer and cause the computer system to carry out the method for checking the authenticity of a signed document as described before. Such computer-readable media are sufficiently known and need not be described further here. In particular, these include floppy disks, non-removable disks, CD-ROMs etc. In addition, the invention concerns different computer programs comprising executable instructions which, when executed by a computer, cause the computer system to carry out the different methods described before. In the following, several exemplary embodiments of the present invention are described in more detail with reference to the attached drawings for further explanation and better description. The drawings show the following. In Fig.
1, a first exemplary embodiment of a signature system according to the invention is shown in a strongly schematized representation. This signature system comprises a so-called signature pad 1 which, in the embodiment shown, contains in a single housing 7, besides a signature capture window 5, a display 3 showing the document 200 to be signed; in practice the display lies underneath the transparent signature capture window, so that one can follow the movement of the pen during the signature on the screen beneath it. For the sake of order it should be noted that a signature system according to the invention can also contain a signature device 1 in which the display 3 is missing. In the embodiment shown here, the signature capture window 5 is designed such that a signature 203 can be made on it with a pen 26 in the usual way, as on a sheet of paper. In this embodiment, besides the actual signature image 203, the pressure exerted by means of the pen 26 on the signature capture window 5 while executing the signature 203 and the time course are also captured. The capture devices 5a (for pressure capture) and 5b (for capture of the time course) necessary for this are contained in the housing 7 of the signature device 1 and are sufficiently known, so that they need not be discussed in more detail. In the embodiment of the invention shown here, further capture devices are moreover shown in strongly schematized form, with which the following bodily characteristics of the signer can be captured: In addition to the capture devices specified before and the person-related data obtained thereby, an identity number individualizing the device can also be deposited in the device, which is transferred together with the captured data.
For the sake of order it should be noted here that a signature capture device according to the invention may, if necessary, be able to capture only one of the named biometric characteristics, or a combination of a few of them. To that extent a fingerprint scanner which captures the biometric data of a fingerprint in sufficient quality, transfers them securely (i.e. encrypted) and also sends along an ID that later permits conclusions about the signature device (i.e. the fingerprint scanner) is also to be regarded as a signature capture device according to the invention.

In the embodiment of a signature system shown in Fig. 1, the signature device 1 is connected by a line 24 to a data processing device 2. Over the connection 24 the biometric data mentioned above, captured while making the signature 203 with the pen 26, are passed to the data processing device 2 for further processing. It should further be noted that data can also be transferred over line 24 from the data processing device 2, for example the document 200 to be displayed on the display 3. Communication between the signature device and the data processing device takes place securely (i.e. encrypted).

The data processing device 2 comprises a housing 22 in which different devices 4, 6a, 6b, 8, 10, 12 and 14 are accommodated. Thus a storage device 4 is present, in which the document 200 and the associated signature data are stored. The signature data comprise here at least the data of the signature image 203 in a predetermined resolution with respect to a predetermined coordinate system x, y, as suggested in Fig. 1 for the case of biometric capture of the handwritten signature in the signature capture window 5.
Furthermore a first checksum forming device 6a is present, designed so that a first checksum is formed over the document 200 and attachments still to be described, with the help of a predetermined first hash function. A second checksum forming device 6b is designed so that a second checksum is formed over the document 200 and attachments still to be described, with the help of a predetermined second hash function. A third checksum forming device 6c is designed to form a third checksum over the document 200 and the signature image 203 inserted into it, as well as any further attachments present, with the help of a third hash function.

A further component of the data processing device 2 is a genuine random-number generator 10 with which random values are generated. This random-number generator 10 supplies a random value 206 to a symmetric encryption device 12, which is likewise part of the data processing device 2. This symmetric encryption device 12 is designed to symmetrically encrypt the biometric signature data 201 and the first checksum 202. The key used here is formed by the sum of the second checksum 204 and the generated random value 206. Finally an asymmetric encryption device 14 is present, designed to asymmetrically encrypt a total checksum 210 with a second private key 211 of a second key pair 211, 212. This second key pair consists of the second private key 211 and an associated second public key 212. A further component of the data processing device 2 is an output interface 16, at which the document 200 with inserted visible signature image 203 and the invisible attachments 201', 202', 206' and 210', which are described later, is made available.
The document 200 with inserted visible signature image 203 and the invisible attachments 201', 202', 206' and 210' attached to it can then be dispatched from the output interface 16 over the line 18, for example over a worldwide network such as the Internet, to an addressee such as an enterprise.

Figs. 2 and 3 show the fundamental sequence of a first embodiment of the method according to the invention for safeguarding a document 200 with inserted signature image 203. The method is started with step 100, for example by switching on the signature device 1. The signature device 1 is then ready to capture the signature and/or the biometric data of a signature made with the pen 26 on the signature capture window 5. At the same time, in accordance with the first step of the method, the document 200 can be made available as a file in a certain data format (for example as a PDF file, Word file, TIFF file, JPG file, wave, mp3, divx, avi etc.) and displayed on the display 3 of the signature device 1. As soon as the signature has been made with the pen 26 in the signature capture window 5 of the signature device 1, the captured biometric data are made available as a digital signature image 203. This signing step 102 is likewise shown in Fig. 2. As already mentioned, depending on the equipment of the signature device 1, further biometric data 201 can be captured besides the actual signature image 203 with its associated biometric data in a certain resolution in a certain coordinate system, so that several identifiers of the signer, or different identifiers of different signers, can later flow into the document. These are for example the pressure and time progressions. As suggested in Fig. 4a, these biometric data 204 are treated as a separate entity (data stream).
If the signing step 102 has been carried out correctly, i.e. query 104 is answered with yes, the signature image 203 is visibly inserted into the document 200 in the further method section 106. If present, the biometric data are attached as data block 201 invisibly to the document 200. In this method section 106 different checksums are also formed and different encryptions carried out. These process steps are described later in detail with reference to Fig. 5. When method section 106 is finished, step 108 queries whether the document 200 is still to be signed by further persons, i.e. whether further signature images 203 and associated biometric signature data 201 are to be integrated. If so, the method returns to process step 102 and the sequence described above is run through for the second to the nth signature. If no further signatures are to be integrated, the method continues with step 110 in accordance with Fig. 3. There it is queried whether a further key pair II is configured. If not, step 111 outputs the signed document 200 with the signature image 203 inserted in it and the possibly present biometric signature data 201, which were attached as data block 201', as well as further attachments described later. If a key pair II is configured, the method proceeds to method section 112. This method section 112 is described later in detail with reference to Fig. 6. After method section 112 terminates, in step 114 a signed document 200 with inserted signature image 203 and specially encrypted attachments is made available and/or output. In step 116 the method according to the invention ends.

Fig. 4 shows the fundamental structure of a signed document 200. In the document 200 the signature image 203 is inserted in accordance with step 106.
The document 200 can be rendered with the inserted signature image, readably and/or audibly and/or printed, by a data processing program corresponding to the respective file type (for example Microsoft Word) on a display not shown here or on another output medium. Possibly present biometric signature data 201 are attached as invisible entity 201 to the document 200.

With reference to Figs. 5a and 5b, method section 106 in accordance with Fig. 2 of the method according to the invention is now described. In this method section 106 a first checksum 202 is formed over the document 200 with the inserted signature image 203 and, if present, including the attached biometric data 201, with the help of a first hash function. This first checksum 202 is designated in Fig. 5a as “Hash 1”. As represented symbolically in Fig. 5a, this first checksum 202 is invisibly attached to the document 200. As shown in Fig. 5b, a continuation of the method section 106 shown in Fig. 5a, a second checksum 204 is now formed over the document 200 with the inserted signature image 203 (but not over the invisible attachments 201, 202) with the help of a predetermined second hash function. This second hash function is preferably identical to the first hash function, but it can also be selected by the user of the signature system from different hash functions implemented in the equipment. The second checksum 204 is designated as “Hash 2” in Fig. 5b and in Fig. 4. Now a random value 206 is generated by means of the genuine random number generator 10 of the data processing device 2, and then in step 213 a symmetric encryption of the first checksum 202 and, if present, of the biometric signature data 201 together with the checksum 202 is carried out.
The key for this symmetric encryption 213 is the sum of the second checksum 204 and the random value 206 just generated. The symmetrically encrypted attachment 202' (the symmetrically encrypted first checksum 202, or the symmetrically encrypted first checksum 202 together with the biometric data) is now attached invisibly to the document 200 with the inserted signature image 203. In other words: the first checksum 202 and, if present, the biometric signature data 201 are encrypted together into one data stream by a symmetric encryption with a key produced from the second checksum 204 and a random value 206. In the present case a Blowfish encryption with 448 bits was selected; other kinds of symmetric encryption can also be used. For the sake of good order it should be noted that there is only one symmetrically encrypted data block, which contains either only the checksum or the checksum and the biometric data. If the biometric data were placed in a separate encrypted block, they could be detached from the file individually, i.e. without the encrypted checksum. The fusion of the invisible attachments 201 and 202 by the encryption is indicated in the figure by their uniform shading after the encryption and by the frame with only one arrow ending in the symmetric encryption 213.

In method section 106 of Fig. 5b the random value 206 mentioned above, with which (as part of the encryption password) the symmetric encryption 213 was carried out, is additionally encrypted asymmetrically in process step 214. The key for this asymmetric encryption 214 is a first public key 208 of a first key pair (208, 209), which consists of a first private key 209 (see Fig. 8) and the associated first public key 208. The first private key 209 can be deposited for example with a notary.
The field representatives and enterprises using the signature system according to the invention should, if possible, have no access to this private key 209 of the first key pair 208, 209, in order to guarantee that neither the field representative nor the enterprise is able to change the document 200 with inserted signature image 203 and the invisible attachments 201', 202', 206'. The public key 208 of this first key pair 208, 209 is deposited in a simple way in the signature system 1, 2; for example it can be stored in the storage device 4 of the data processing device 2. As shown in Fig. 5b, the asymmetric encryption 214 is a PKI encryption; other asymmetric encryptions can also be used. As suggested in Fig. 5b, the asymmetrically encrypted random value 206 is likewise attached invisibly to the document 200 as attachment 206'.

Thus a document 200 provided with the signature image 203 is now present. The first checksum 202 and, if present, the biometric signature data 201, which were symmetrically encrypted with the special key formed from the second checksum 204 and a random value 206, hang on the document 200 as invisible attachment 201/202'. In addition the asymmetrically encrypted random value 206, which is part of the key for the encryption of the checksum 202 and the biometric signature data 201, is invisibly attached to the document 200 as attachment 206'. This concludes the fundamental principle of a method according to the invention for safeguarding a document 200 with inserted signature image 203 in a computer system 1, 2. The document 200 protected and secured in this way, with the inserted signature image 203 and the further encrypted attachments 201/202', 206', can now be output over the interface 16 of the data processing unit 2.
A practical application of the method according to the invention can consist, for example, in a field representative having an insurance contract signed by the person to be insured by means of the signature device 1. The electronically captured signature 203 and the optionally present further biometric signature data 201 are then transmitted over the line 24, e.g. to the notebook 2 of the insurance agent, where they are encrypted according to the method described above and thus protected against unauthorized access. The document 200 protected in this way, with the attachments 201/202', 206' and the inserted signature 203, is then transferred over the interface 16 and the line 18 and a communication path not shown here, for example the Internet, to e.g. the insurance company. There the document 200 secured according to the invention and the attachments 201/202' and 206' can be archived, protected against changes. The first private key 209 associated with the first public key 208 of the first key pair 208, 209, with which a decryption of the attachment 206' and thus, if necessary, of the attachment 201/202' would be possible, is normally not present at the operating enterprise but deposited with a notary. The same naturally applies to the employee who was involved in the signature capture. Thus in a dispute it cannot be alleged that the operating enterprise or the participating employee manipulated the disputed document 200 and/or the invisible attachment 201/202'. The problem with this is that in this case the enterprise, or generally the user of the signature system according to the invention, then also has no possibility of checking the data integrity of the document 200 with the inserted signature 203 itself. For this reason, in an exemplary further embodiment, method section 112 in accordance with Fig. 3 is carried out as shown in Fig. 6.
Previously, query 110 determined whether a second key pair II is configured on the data processing device 2. If this question is answered with yes, method section 112 is carried out. If query 110 is answered with no, step 111 outputs the signed document 200, which is unencrypted, with the attachments 201', 202' and 206' described above, which are encrypted.

In method section 112 a first total checksum 210 is formed over the document 200 with the signature image 203 inserted in it and the invisibly added attachments 201/202', 206' with the help of a predetermined third hash function. It should be noted that this third hash function is in principle identical to the first and second hash function. However, like the other hash functions, it can also be selected freely, for example by the user of the signature system, depending on which hash functions are made available in the system 2. In the exemplary embodiment shown in Fig. 6 this total checksum 210 is called “Doc Hash”. Now step 112a is carried out: an asymmetric encryption of the total checksum 210 with a second private or public key 211/212 of a second key pair 211, 212 (which key is used depends on additional identification requirements, e.g. with respect to the assigned EDP unit or the owner of the second key pair, e.g. the field representative). The second key pair consists of the second private key 211 and an associated second public key 212. In the present case this asymmetric encryption 112a is again carried out with a PKI encryption. It is naturally also possible to use other asymmetric encryptions. The total checksum 210 asymmetrically encrypted in this way is likewise attached invisibly to the document 200 as attachment 210', beside the attachments 201/202' and 206'. Thus, in step 114 in accordance with Fig. 3, the signed document 200 with the inserted signature image 203 and the encrypted attachments 201/202', 206', 210' can now be output.
In accordance with the method for in-house checking of a document 200 described below, which was further encrypted according to the method described with reference to Fig. 6, it is now also possible to check the document 200 for freedom from manipulation at the time of archiving. For this purpose, after receipt of the document 200 processed according to the above method and the encrypted attachments 201/202', 206', 210', the in-house check shown in Fig. 7 is carried out. Here, from the document 200 as output in step 114 in accordance with Fig. 3 and Fig. 6, a total checksum 310 is formed over the entire document 200 with the signature image 203 inserted in it and the added attachments 201/202' and 206' with the help of the second hash function mentioned above. If no biometric data 201 were present, the checksum is formed only over the document 200 with inserted signature image 203, the encrypted first checksum 202' and the encrypted random value 206'. In addition, an asymmetric decryption of the first total checksum 210' attached to the document 200 takes place with the second public or private key 211, 212 (which key is used depends on additional identification requirements, e.g. with respect to the assigned EDP unit or the owner of the second key pair, e.g. the field representative, and on which private or public key of the second key pair was selected for the encryption). These two checksums 210, 310 are now compared with one another. If the two values are identical, it can be assumed with very high probability that no change has taken place. A change can mean, on the one hand, a manipulation of the document 200 with the inserted signature image 203 and/or the further attachments 201, 202 and 206, and, on the other hand, a transfer error when transferring the document 200 with attachments 201', 202', 206' from the field representative to the enterprise.
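The sealing of method section 112 and the in-house check of Fig. 7, as an added Go example that is not code from the patent. It assumes SHA-256 as the third hash function and RSA-2048 as the second key pair 211, 212, and realizes the text's "asymmetric encryption of the total checksum 210 with the second private key" as an RSA signature over that checksum, since that is what the operation amounts to when the public key is used to recover and compare it; the names Sealed, SealDoc, InhouseCheck and docHash are the example's own, and the attachments 201'/202' and 206' are treated as opaque byte strings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// Sealed is the document as output in step 114: the visible content, the invisible
// attachments 201'/202' and 206' (opaque bytes here) and the attachment 210'.
type Sealed struct {
	Visible     []byte
	Attachments [][]byte // 201'/202' and 206', in a fixed order
	DocHashSig  []byte   // 210': total checksum 210 under the second key pair (211, 212)
}

// NewSecondKeyPair generates the second key pair (211, 212); RSA-2048 is an assumption.
func NewSecondKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// docHash forms the total checksum ("Doc Hash") over the visible document and the attachments
// with the third hash function (SHA-256 assumed). Every part is length-prefixed so that moving
// bytes from one attachment into another also changes the checksum.
func docHash(visible []byte, attachments [][]byte) []byte {
	h := sha256.New()
	for _, part := range append([][]byte{visible}, attachments...) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// SealDoc is step 112a. "Asymmetric encryption of 210 with the second private key 211" is,
// with RSA, a signature, so PKCS#1 v1.5 signing over the checksum is used.
func SealDoc(visible []byte, attachments [][]byte, priv *rsa.PrivateKey) (*Sealed, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, docHash(visible, attachments))
	if err != nil {
		return nil, err
	}
	return &Sealed{Visible: visible, Attachments: attachments, DocHashSig: sig}, nil
}

// InhouseCheck is Fig. 7: checksum 310 is recomputed over the received document and attachments
// and compared with checksum 210 recovered from 210' via the public key 212. It needs neither
// the first private key 209 nor any access to the biometric data.
func InhouseCheck(s *Sealed, pub *rsa.PublicKey) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, docHash(s.Visible, s.Attachments), s.DocHashSig) == nil
}
```

The check uses only the second public key 212 and the opaque attachments, so the enterprise can establish integrity at archiving time without ever seeing the biometric data, as the text requires. What it cannot detect is a document rebuilt and re-sealed by someone holding the second private key 211, which is why the first private key 209 stays with the notary.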
This check, as described here, thus enables the enterprise to check the document 200 for soundness without having had access to the encrypted biometric data 201, and, if necessary, permits conclusions via the ID of the second key pair used for the encryption about the person or the equipment to which this key pair can be assigned.

The method for examining the document 200, e.g. in court with the aid of the notary, i.e. the person with whom the first private key 209 of the first key pair 208, 209 was deposited, is now described on the basis of Fig. 8. First a checksum is formed with the second hash function only over the document 200 with the signature image 203 inserted in it. In addition, the encrypted random value 206' attached to the document 200 is decrypted with the help of the first private key 209 of the first key pair 208, 209. Thereupon the sum of the checksum 212 formed here, which is called Hash 2, and the decrypted random value 206 is formed. This sum value is then used for the symmetric decryption of the biometric data 201 and the first checksum 202' contained in the encrypted data block attached to the document 200; thus access to the decrypted biometric data 201 can now be obtained. Furthermore, the third checksum 400 can now also be formed over the document 200 with the signature image 203 inserted in it and the decrypted biometric data 201 with the first hash function. Then it is examined whether the decrypted first checksum 202 is identical to the newly formed checksum 400. If so, it can be assumed with certainty that the document and the contained biometric data are unchanged and were not subjected to any inadvertent change or manipulation. If the first checksum 202 and the formed checksum 400 differ, an inadvertent change or a manipulation must be assumed. This information is then output.
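The safeguarding procedure of Figs. 5a/5b (steps d) to j) of claim 1) and the notary's examination of Fig. 8 share the hash, the key derivation and the symmetric cipher, so both are shown together in one added Go example below. This is not code from the patent: it assumes SHA-256 for Hash 1 and Hash 2, AES-256-GCM in place of the 448-bit Blowfish named in the text, RSA-2048 with OAEP as the "PKI encryption" of the random value 206, and big-endian integer addition modulo 2^256 as the "sum" of checksum 204 and random value 206 (the text does not say how that sum is represented); the names Protected, NewFirstKeyPair, Protect, Verify, deriveKey and newGCM are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Protected is the document as output in step 111: visible content plus the invisible attachments.
type Protected struct {
	Visible []byte // document 200 with inserted signature image 203
	Block   []byte // 201'/202': first checksum 202 and biometric data 201, symmetrically encrypted
	RandEnc []byte // 206': random value 206 encrypted with the first public key 208
}

// NewFirstKeyPair generates the first key pair (208, 209); RSA-2048 is assumed, the text only says "PKI".
func NewFirstKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// checksum serves as Hash 1 and Hash 2 (the text allows them to be identical; SHA-256 is assumed).
func checksum(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// deriveKey realizes "the sum of the second checksum 204 and the random value 206" as addition of
// two big-endian 256-bit integers modulo 2^256 (assumed representation); the result is the AES key.
func deriveKey(hash2, r []byte) []byte {
	key := make([]byte, 32)
	var carry uint16
	for i := 31; i >= 0; i-- {
		s := uint16(hash2[i]) + uint16(r[i]) + carry
		key[i], carry = byte(s), s>>8
	}
	return key
}

// newGCM stands in for the 448-bit Blowfish named in the text: AES-256-GCM reports a wrong key
// (which is what a changed visible document produces) as an error instead of returning garbage.
func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Protect carries out steps d) to j) of claim 1 (method section 106). visible is the document
// with the signature image already inserted; biometric is the optional data block 201 (may be nil).
func Protect(visible, biometric []byte, pub *rsa.PublicKey) (*Protected, error) {
	h1 := checksum(visible, biometric) // first checksum 202 ("Hash 1"), covers 201 as well
	h2 := checksum(visible)            // second checksum 204 ("Hash 2"), visible content only
	buf := make([]byte, 44)            // random value 206 (32 bytes) followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	r, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(deriveKey(h2, r)) // step g): key = 204 + 206
	if err != nil {
		return nil, err
	}
	// One data block for 202 and 201, so the biometrics cannot be detached from the checksum.
	block := gcm.Seal(append([]byte{}, nonce...), nonce, append(h1, biometric...), nil)
	rEnc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, r, nil) // step i)
	if err != nil {
		return nil, err
	}
	return &Protected{Visible: visible, Block: block, RandEnc: rEnc}, nil
}

// Verify is the examination of Fig. 8 by the holder of the first private key 209. It returns the
// decrypted biometric data 201 for expert inspection, or an error if document or attachments changed.
func Verify(p *Protected, priv *rsa.PrivateKey) ([]byte, error) {
	h2 := checksum(p.Visible) // checksum 212 ("Hash 2") over the visible content only
	r, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.RandEnc, nil)
	if err != nil || len(r) != 32 {
		return nil, errors.New("attachment 206' cannot be decrypted with the first private key")
	}
	gcm, err := newGCM(deriveKey(h2, r)) // the sum of 212 and 206 rebuilds the symmetric key
	if err != nil {
		return nil, err
	}
	if len(p.Block) < 12 {
		return nil, errors.New("attachment 201'/202' too short")
	}
	plain, err := gcm.Open(nil, p.Block[:12], p.Block[12:], nil)
	if err != nil || len(plain) < 32 {
		return nil, errors.New("attachment 201'/202' does not decrypt: document or block was changed")
	}
	stored, biometric := plain[:32], plain[32:] // decrypted first checksum 202 and biometric data 201
	if h400 := checksum(p.Visible, biometric); !bytes.Equal(stored, h400) { // checksum 400
		return nil, errors.New("first checksum 202 differs from checksum 400")
	}
	return biometric, nil
}
```

Two properties of the scheme become visible when running this. Because the symmetric key is derived from Hash 2 of the visible content, any change to the document after signing leaves the holder of key 209 unable to decrypt 201'/202' at all, before checksum 400 is even computed; and because checksum 202 and the biometric data sit in one encrypted block, the biometrics cannot be detached or replaced without also destroying the checksum. The AEAD stand-in turns both failures into explicit errors; with a raw block cipher such as the Blowfish named in the text, decryption under the wrong key would yield garbage and only the comparison of 202 with 400 would reveal the change.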
The method involves providing electronic documents (200) in a determined data format, e.g. portable document format, as a data file, and providing and inserting digital signature (203) images in the electronic documents at a desired position. A checksum (202) is formed over the electronic documents with the inserted signature images using a predefined hash function. The checksum is symmetrically coded, and a random value (206) is asymmetrically coded with a public key (208) of a key pair. The asymmetrically coded random value is added to the electronic documents. Independent claims are also included for the following: (1) a signature system for signing documents and providing a secure data file; (2) a computer-readable medium comprising a computer program with instructions for executing a method for securing a document. A method for safeguarding a document (200) with inserted signature image (203) in a computer system (1, 2), comprising the method steps:
a) providing the document (200) existing in a particular data format as a data set, b) providing the digital signature image (203), c) inserting the digital signature image (203) at the desired location in the electronic document (200), d) forming a first check sum (202) for the electronic document (200) with the inserted digital signature image (203) and optionally-provided biometric signature data (201) using a predetermined first hash function, e) forming a second check sum (204) for the electronic document (200) with the inserted digital signature image (203) using a predetermined second hash function, f) generating a random value (206), g) symmetrically encrypting the first check sum (202), wherein the key for the symmetric encryption is the sum of the second check sum (204) and the generated random value (206), h) attaching the symmetrically-encrypted first check sum (202) to the document (200), i) asymmetrically encrypting the generated random value (206) with a first public key (208) of a first key pair (208, 209), which is comprised of a first private key (209) and the associated first public key (208), and j) adding the asymmetrically-encrypted random value (206) to the document (200). The method according to claim 1, characterized in that the first and second hash functions are identical. The method according to claim 1, characterized in that in case of further digital signature images (203) as e.g. signatures are to be made on the same document (200), the method comprises the further method steps:
k) providing a further digital signature image (203), l) inserting the further digital signature image (203) at the desired location in the electronic document (200), m) forming a further first check sum (202) for the electronic document (200) with the inserted digital signature images (203) and optionally-provided biometric signature data (201) using the predetermined first hash function, n) forming a further second check sum (204) for the electronic document (200) with the inserted digital signature images (203) using the predetermined second hash function, o) generating a further random value (206), p) symmetrically encrypting the further first check sum (202), wherein the key for the symmetric encryption is the sum of the further second check sum (204) and the generated further random value (206), q) attaching the symmetrically-encrypted further first check sum (202) to the document (200). The method according to any one of the preceding claims, further comprising:
c1) providing biometric signature data (201) in digital form, c2) adding the biometric signature data (201) to the document (200), and wherein:
the step d) includes the forming of the first check sum (202) for the document (200) with the inserted digital signature image (203) and the added biometric signature data (201) using the predetermined first hash function, the step g) includes the symmetrically encrypting of the biometric signature data (201) as well as of the first check sum (202) in an encrypted data block, wherein the key for the symmetric encryption is the sum of the second check sum (204) and the generated random value (206), and the step h) includes the adding of the biometric signature data (201) symmetrically encrypted together in a data block and of the symmetrically-encrypted first check sum (202) to the document (200). The method according to claim 1 or 2, further comprising the following steps:
k) forming a first overall check sum (210) for the entire document (200) with the digital signature image (203) inserted therein and the added attachments (201', 202', 206') using a predetermined third hash function, l) asymmetrically encrypting the overall check sum (210) created in step k) with alternatively a second private or public key (211, 212) of a second key pair (211, 212), which is comprised of the second private key (211) and an associated second public key (212), and m) adding the asymmetrically-encrypted first overall check sum (210) to the document (200), n) outputting the document (200) with inserted, visible digital signature image (203) and the encrypted, invisible attachments (201', 202', 206', 210'). The method according to claim 5, characterized in that the first, second and third hash functions are identical. A method for examining the authenticity of a signed document (200), which was safeguarded according to a method according to any one of claims 1-6, comprising the steps:
a) forming a check sum (212) with the second hash function only for the document (200) or the visible document contents with the digital signature image (203) inserted therein, b) decoding the encrypted random value (206') attached to the document (200) using the first private key (209) of the first key pair (208, 209), c) forming the sum of the check sum (212) formed in step a) and the decoded random value (206), d) forming a third check sum (400) for the document (200) with the digital signature image (203) inserted therein and the decoded biometric data (201) with the first hash function, e) comparing the decoded check sum (202) and the newly-formed check sum (400), f) outputting the decoded biometric data for verification by an expert, such as for example, in the context of the use for the identification of a person. A signature system for signing a document (200) and for providing a safeguarded data set with inserted signature image (203), comprising:
a) a signature apparatus (1) having:
i. a signature capture window (5) configured such that a signature (203) may be made using a writing implement (26), ii. a signature data capture device (5a-5g) configured to obtain at least the coordinates of the signature (203) made on the signature capture window (203) in a predetermined resolution in a preset coordinate system (x, y), iii. an explicit hardware and/or apparatus ID, which is transmitted together with the captured data, iv. a device for encrypting the data before its transmission to the data capture device internally in the signature apparatus. b) a data processing device (2), which is connected with the signature apparatus (1), having:
i. a storage device (4) configured to store at least the document (200) and the signature data (203), ii. a first check sum forming device (6a) for forming a first check sum (202) for the document (200) with inserted digital signature image (203) and the optionally-added biometric data signature data (201) using a predetermined first hash function, iii. a second check sum forming device (6b) for forming a second check sum (204) for the document (200) and the digital signature image (203) inserted into the document (200) using a second hash function, iv. a third check sum forming device (6c) for forming a first overall check sum (310) for the document (200) with the inserted digital signature image (203) and the attachments (201', 202', 206') added to the document using a third hash function, v. a random number generator (10) for generating a random value (206), vi. a symmetric encryption device (12) for symmetrically encrypting the optionally-provided biometric signature data (210) and the first check sum (202), wherein the key for the symmetric encryption is the sum of the second check sum (204) and a random value (206) generated with the random generator (10), vii. an asymmetric encryption device (12) for asymmetrically encrypting the random value (206) generated with the random number generator (10) with a second private key (211) of a second key pair (211, 212), which is comprised of the second private key (211) and an associated second public key (212), and c) an output interface (16) configured to provide the document (200) with the inserted, visible digital signature image (203) and the invisible, attached attachments (201', 202', 206', 210'), wherein the invisible, attached attachments are the optionally-provided biometric signature data (201') encrypted using the symmetric encryption device (12), the first check sum (202') encrypted using the symmetric encryption device (12) and the random value (206') encrypted using the asymmetric encryption device (12). 
The signature system according to claim 8, characterized in that the signature capture device (5a-5g) also captures additional or other biometric data. The signature system according to claim 9, characterized in that the signature data capture device for capturing additional or alternative biometric data comprises at least one of the following devices:
- a pressure detection device (5a) with which the pressure progression of the signature (203) made by a signer in a predetermined resolution in a preset pressure unit is being captured, - a time period detection device (5b) with which the time progression of the signature (203) made by a signer in a predetermined resolution in a preset time unit with reference to a preset coordinate system (x, y) is being captured, - a fingerprint capture device (5c) with which a fingerprint of at least one finger of a predetermined hand of a signer, who has made the signature (203), in a predetermined resolution in a preset coordinate system (x, y) is being captured, - a handprint capturing device (5d) with which the handprint of a predetermined hand of a signer, who has made the signature (203), in a predetermined resolution in a present coordinate system (x, y) is being captured, - a face capture device (5e) with which at least certain facial features of a signer, who has made the signature (203), in a predetermined resolution in a present coordinate system (x, y) are being captured, - a voice sample capture device (5f) with which a voice sample of a signer, who has made the signature (203), in a predetermined resolution is being captured, - an iris- and/or retina capture device (5g) with which at least certain areas of the iris and/or the retina of a predetermined eye of a signer, who has made the signature (203), in a predetermined resolution in a present coordinate system (x, y) are being captured. A computer-readable medium having instructions thereon executable by a computer (2) that cause the computer system (1, 2) to perform the method for safeguarding a document (200) with inserted digital signature image (203) according to any one of claims 1-6. 
A computer program comprising instructions executable by a computer (2) that cause the computer system (1, 2) to perform the method for safeguarding a document (200) with inserted digital signature image (203) according to any one of claims 1-6. A computer-readable medium having instructions thereon executable by a computer (2) that cause the computer system (1, 2) to perform the method for examining the authenticity of a signed document (200) according to claim 7. A computer program comprising instructions executable by a computer (2) that cause the computer system (1, 2) to perform the method for examining the authenticity of a signed document (200) according to claim 7.