US20180309750A1

US20180309750A1 - In-circuit security system and methods for controlling access to and use of sensitive data

Info

Publication number: US20180309750A1
Application number: US15/890,021
Authority: US
Inventors: Barry W. Johnson; Kristen R.O. Riemenschneider; David C. Russell; Jonathan A. Tillack
Original assignee: Apple Inc
Current assignee: Apple Inc
Priority date: 2003-05-30
Filing date: 2018-02-06
Publication date: 2018-10-25
Also published as: US7783892B2; WO2005001611A3; CA2857208A1; US9923884B2; US20100182125A1; DK1629624T3; CA2527829A1; EP1629624A2; CA2527836A1; US20090213087A1; US7688314B2; US20040239648A1; US20050093834A1; US8327152B2; US20050081040A1; CA3012154A1; EP1629408A4; JP6306493B2; CA2527836C; US20100005314A1

Abstract

A first electronic device comprises a transmitter, a secure processor, a secure memory, and one or more biometric sensors. The first electronic device is configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device. The first electronic device receives first biometric information of a user via the one or more biometric sensors. In response to receiving the first biometric information, the first electronic device compares, via the secure processor, the first biometric information to second biometric information stored in the secure memory; and determines, based on the comparison, whether the user meets authentication criteria. In accordance with a determination that the user meets authentication criteria, the first electronic device generates a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and transmits the verification signal to the second electronic device. In accordance with a determination that the user does not meet the authentication criteria, the first electronic device forgoes generating the verification signal and transmitting the verification signal to the second electronic device.

Description

RELATED U.S. APPLICATION DATA

This application is a continuation of U.S. patent application Ser. No. 14/716,766 (now U.S. Pat. No. 9,923,884), filed May 19, 2015, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a continuation of U.S. patent application Ser. No. 13/947,313 (now U.S. Pat. No. 9,124,930), filed on Jul. 22, 2013, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a continuation of U.S. patent application Ser. No. 12/555,480 (now U.S. Pat. No. 8,495,382), filed Sep. 8, 2009, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which is a divisional of U.S. patent application Ser. No. 10/858,287 (now U.S. Pat. No. 7,587,611), filed Jun. 1, 2004, entitled “An In-Circuit Security System And Methods For Controlling Access To And Use Of Sensitive Data,” which claims priority under U.S.C. § 119(e) of provisional patent application Ser. No. 60/474,750, filed May 30, 2003, entitled “Secure Biometric Identification Devices and Systems for Various Applications,” each of which is hereby incorporated by reference in its entirety.

BACKGROUND OF THE INVENTION

Field of the Invention

The invention disclosed herein relates to the security of sensitive data stored, processed and distributed using electronic circuits. More particularly, the invention relates to the identification of individuals prior to accessing/using data, and the execution of security controls upon unauthorized attempts to access/use said data.
In recent years there has been an explosion of electronic devices that individuals may use for storing and transmitting sensitive data. In a low-security example, portable devices like a Palm™ or BlackBerry handled computer typically contain software for e-mail, along with options for storing credit cards, schedules, and other data. Most people wish to protect this information, but most handheld devices rely on their operating system to secure data. Unfortunately, the most common operating systems for these handheld computers were not designed with security as the main goal, and retrofitting basic security mechanisms has been clumsy.
A growing number of electronic devices, such as smart cards, are intended to specifically identify and authenticate users using the public key infrastructure, which requires secure storage of private keys. These devices are common in building security; for example, an individual with proper authorization to access a facility is assigned a smart card and an asymmetric key pair. A certificate authority generates a digital certificate for the public key, which is stored in the smart card. The private key is also stored on the smart card. When the individual places his smart card in the reader at the access point of the facility, the card transmits its digital certificate, and the reader challenges the card to encrypt a supplied string with the individual's private key. The reader obtains the public key out of the digital certificate and decrypts the private key-encrypted string to verify that the keys are related. This has an inherent problem because there is no guarantee that the individual using the private key is the assigned owner of the smart card. Furthermore, it is fairly simple for an experienced attacker to gain access to keys stored on the card.
Some handheld devices, such as Hewlett Packard's iPAQ PocketPC h5450, include biometric sensors for improved personal identification before allowing access to sensitive data. An individual possessing this device is instructed to enroll one or more of his fingerprints into the device's software. The enrolled fingerprint can be used as the sole password or as an alternative to a typed password. This type of device can be a substantial improvement on traditional data-access methods, because the biometric can be definitively tied to a single individual. However, if the sensitive data is stored or transmitted insecurely, the biometric authentication does not substantially hinder an attacker from probing the memory and compromising it.
These concerns have contributed to the marketing of products billed as ‘secure memory’ or ‘secure processor’. These products are typically constructed with varying degrees of security; one lower degree is considered ‘tamper-evident’, in which an unskilled observer would see that someone had attempted to maliciously gain access to secured data. A higher level is ‘tamper-resistant’, in which the product actively resists tampering by use of a self-destruct mechanism, an impermeable substance that coats the components storing sensitive data such as a polymer-based coating or other so-called “conformal coating”, or some other process. Furthermore, these products may encrypt input/output lines, mislabel parts, and perform other types of obfuscation.

DESCRIPTION OF THE RELATED ART

U.S. Pat. No. 5,533,123 to Force, et al., discloses programmable distributed personal security inventions. The patent teaches a “Secured Processing Unit” (“SPU”) comprising an “SPU chip” and a microprocessor designed especially for secure data processing. The invention integrates keys, encryption and decryption engines, and algorithms in the SPU of the invention. Purportedly, the security process is portable and easily distributed across physical boundaries. The invention is based upon three interdependent subsystems. The first subsystem of the invention is a detector subsystem, which alerts an SPU to the existence and to the character of a security attack. A second subsystem is a filter subsystem that correlates data from multiple detectors, then assesses the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design of the SPU itself. A third subsystem is a response subsystem for generating responses, or countermeasures, calculated by the filters to be most appropriate under the circumstances, in order to deal with the attack(s) detected. Force does not disclose identity credential verification within the SPU.
U.S. Pat. No. 5,825,878 to Takahashi discloses a secure embedded memory management unit for a microprocessor. A microprocessor memory management apparatus is used for encrypted instruction and data transfer from an external memory. Physical security is obtained by embedding the direct memory access controller on the same chip with a microprocessor core, an internal memory, and encryption/decryption logic. Data transfer to and from an external memory takes place between the external memory and the memory controller of the memory management unit. All firmware to and from the external memory is handled on a page-by-page basis. Since all of the processing takes place on buses internal to the chip, detection of clear unencrypted instructions and data is prevented. Takahashi does not disclose any capability, anticipation, intention, or provision for including identity credential verification on the management unit or within the microprocessor core.
U.S. Pat. No. 5,832,207 to Little, et al., teaches a secure module including a microprocessor and a co-processor. The electronic module is provided with at least one microprocessor and a co-processor deployed into a single integrated circuit. The electronic module may be contained in a small form factor housing. The electronic module provides secure bi-directional data communication via a data bus. The electronic module may include an integrated circuit including a microprocessor and a co-processor adapted to handle 1,024-bit modulo mathematics primarily aimed at RSA calculations. The electronic module is preferably contained in a small token-sized metallic container. The module preferably communicates via a single wire data bus using a one-wire protocol. Little et al. does not disclose personal identification systems.
U.S. Pat. No. 5,894,550 to Thireit discloses a method of implementing a secure program in a microprocessor card, and a microprocessor card including a secure program. The invention claims that a program can be made secure relative to a CPU. The invention accomplishes this by storing in a first memory zone predetermined address functions that are directly executable by the CPU. The first memory zone is then write-protected, then the program is stored in a second memory zone in the form of a series of instructions that are executable within the second memory zone or that activate functions contained in the first memory zone.
U.S. Pat. Nos. 5,481,265, 5,729,220, 6,201,484 and 6,441,770 to Russell detail a handheld device used to authenticate persons and said device to remote computer systems. The invention further includes a “kill switch” or “kill signal” enabling the computer system to remotely disable the handheld device and restrict further emissions. However, the system is primarily targeted at local area network applications and does not anticipate or suggestion broader applications.

BRIEF SUMMARY OF THE INVENTION

The invention disclosed herein is an in-circuit security system for electronic devices. The in-circuit security system incorporates identity credential verification, secure data and instruction storage, and secure data transmission capabilities. It comprises a single semiconductor chip, lowering component cost and reducing board space. The in-circuit security system chip is secured using mechanisms for preventing information tampering or eavesdropping, such as the addition of oxygen reactive layers. This invention also incorporates means for establishing security settings and profiles for the in-circuit security system and enrolled individuals. The in-circuit security system can be used in a variety of electronic devices, including handheld computers, secure facility keys, vehicle operation/ignition systems, and digital rights management.

BRIEF DESCRIPTION OF DRAWINGS Master Reference Numeral List

FIG. 1: Sample embodiment of in-circuit security system components

- 100 In-circuit security system
- 101 Processor
- 102 Memory
- 103 Identity credential verification subsystem
- 104 Cryptographic subsystem
- 105 Real-time clock
- 106 Power source (OPTIONAL)
- 107 Transceiver (OPTIONAL)
- 108 Random number generator
- 110 Connection to identity credential sensor
- 111 Connection to peripheral components
- 112 Connection to antenna or cables

FIG. 2: Handheld computer with the in-circuit security system

- 100 In-circuit security system
- 201 Non-secure processor
- 202 Non-secure memory
- 203 Fingerprint sensor
- 204 Antenna
- 213 Display
- 214 Keypad

FIG. 3: Electronic lock mechanism with the in-circuit security system

- 100 In-circuit security system
- 313 LEDs
- 314 Electronic lock mechanism

FIG. 1 is a schematic view of a sample embodiment of the in-circuit security system.

FIG. 2 is a schematic view of the components of a simple handheld computer using the in-circuit security system.

FIG. 3 is a schematic view of the components of an electronic lock mechanism using the in-circuit security system.

FIGS. 4-5 depict embodiments of a biometric personal identification device (BPID) for remoted controlled applications.

DETAILED DESCRIPTION OF THE INVENTION

The invention described herein is an in-circuit security system by which pre-enrolled individuals may access sensitive data or perform actions on sensitive data in an environment that is fully monitored and protected. The in-circuit security system requires full authentication of individuals and can perform a variety of programmed responses in the event that pre-established authentication standards are not met. The in-circuit security system includes secure transmission of sensitive data to remote devices.
The in-circuit security system comprises several components combined securely into a single, secure chip. As seen in FIG. 1, the primary embodiment of the in-circuit security system 100 comprises a processor 101, a memory 102, a real-time clock 105, and a random number generator 108. The in-circuit security system 100 also includes a cryptographic subsystem 104 and an identity credential verification subsystem 103. These subsystems may be logical, physical, or some combination thereof, and are described in further detail below. In typical embodiments, the in-circuit security system 100 will also contain a power source 106, such as a battery, in order to maintain power to the real-time clock 105. During manufacture, the in-circuit security system 100 receives a unique, one-time programmable electronic identification code that can be read but cannot be altered or removed. The in-circuit security system 100 also preferably provides multiple input/output interfaces 110-112 for connection to optional internal/external components, such as transceivers 107, antennae, identity credential sensors, non-secure processors, etc.
The processor 101 is the main control component; it is responsible for loading and executing instructions to control the various components of the chip, as well as performing user-requested tasks. The memory 102 is coupled to the processor 101. It comprises both volatile and non-volatile components and can be used to store instructions or data, such as security settings or profiles and cryptographic keys. The application of these security settings is discussed below. The real-time clock 105 is also coupled to the processor 101 and is used to maintain an accurate time, which can be used in cryptographic signing, audit records, or other transactions. The real-time clock 105 may be connected to a power source 106 in order to constantly maintain time. If the in-circuit security system 100 does not include the power source 106, the real-time clock 105 must be cognizant of power disconnects, which means that it can no longer provide an accurate time.
The fourth component of the in-circuit security system 100 is a random number generator 108. The random number generator 108 is used for seeding cryptographic algorithms, and may use any of established methods for guaranteeing sufficient randomness. The random number generator 108 may be included as part of the cryptographic subsystem 104 or may be a standalone component coupled to the subsystem 104. The cryptographic subsystem 104 is a dedicated system for performing encryption and decryption, digital signing and digital signature verification. In one embodiment the subsystem 104 is responsible for storing cryptographic keys in its own memory; in another, the subsystem is coupled to and uses the main memory 102 of the in-circuit security system 100. Additionally, one primary embodiment of the invention uses a cryptographic acceleration chip or component as the cryptographic subsystem 104. Alternative embodiments are coupled to and use the main processor 101 as the cryptographic engine.
The identity credential verification subsystem 103 is used to determine the identity of an individual attempting to use the in-circuit security system 100 and identify his associated security privileges. The identity credential verification subsystem 103 performs identity credential acquisition, analysis, storage and matching. In the primary embodiment of the invention, the identity credential verification subsystem 103 uses digital representations of fingerprints as the identity credential. In this embodiment the identity credential verification subsystem 103 performs fingerprint image acquisition, and template generation, storage, and matching. The identity credential verification subsystem 103 may use the main processor 101 of the in-circuit security system 100 for credential processing actions or may use its own specialized processor. Similarly, it may employ its own memory for credential storage or use the main memory 102 of the in-circuit security system 100. The in-circuit security system 100 provides one or more connections 110 to external components for credential sensing, such as a fingerprint sensor.
The in-circuit security system 100 incorporates an interface 112 to a transceiver 107, antenna, wire, or other remote communication device that is coupled to the processor 101. This component is used for transmission of data from one device to another. All sensitive data that is to be transmitted from the in-circuit security system 100 can be encrypted using the cryptographic subsystem 104, so it is not necessary to place a transceiver 107 within the secure boundaries of the in-circuit security system 100. However, in some embodiments it may prove to be convenient to incorporate the transceiver 107 into the chip. In these embodiments the interface 112 would be from the transceiver to an antenna, wire, or other communication device. In a primary embodiment of the invention, the transmission technology is radio-frequency identification (RFID), such as the ISO 14443 A/B or 15693 standards. In another embodiment the in-circuit security system 100 uses Bluetooth or infrared technology. Other embodiments provide a combination of these technologies or others. In alternative embodiments, it may be useful to use a wired technology, such as a serial or USB connection. The in-circuit security system 100 preferably provides external connections 112 for requisite connectors, cables or antennae.
The authentication of individuals allows the in-circuit security system 100 to associate an individual with specific security privileges within the system. For example, one user may be enrolled and identified as a typical user with no ability to reset the system 100, while an alternate user may be identified as an administrator with that ability. Additionally, the in-circuit security system 100 may be programmed to perform a variety of both temporary and permanent responses to security events. For example, a specified number of access denials within a particular time interval may cause the in-circuit security system 100 to suspend all actions or halt the real-time clock 105 until reset by an enrolled administrator. Alternatively, an attempt to crack open the case of the chip housing the in-circuit security system 100 may result in permanent erasure of memory 102, or destruction of other components. The in-circuit security system 100 may also be programmed to allow an enrolled individual to directly disable or destroy components.
As described above, the in-circuit security system 100 is combined into one secured chip with three major interfaces: an interface to a credential sensing mechanism, such as a fingerprint sensor; an interface to peripheral components, such as non-secure processors or user-interface devices; and an interface to a transceiver or antenna for remote communications. Other interfaces are strictly prevented. The chip may use one or more physical security measures to prevent information eavesdropping. These obfuscation techniques include use of “potting”, oxygen-reactive layers, photo-sensors, Hall effect sensors, and circuits that monitor clock frequency and/or reset frequency.
The system 100 may additionally perform algorithmic analysis of interface traffic. For example, fingerprint images received from a fingerprint sensor may be analyzed by the identity credential verification subsystem 103; if the identity credential verification subsystem 103 repeatedly receives the exact same bit pattern representation of fingerprints, it is possible that someone is deliberately placing that bit pattern on the interface. Similarly, if the identity credential verification subsystem 103 receives bit patterns that are an exact rotation or other permutation of a previously received image, again someone may be altering the contents of the interface.
The in-circuit security system can be used as a standalone component for security applications or as one of multiple components within an electronic device. In one use of the invention, a handheld computer is equipped with the in-circuit security system 100, as seen in FIG. 2. The computer further comprises a display 213, a keypad 214, a non-secure processor 201 and memory 202, and a fingerprint sensor 203. Additionally, for embodiments in which the in-circuit security system 100 includes a transceiver 107 that uses cellular wireless technology, the handheld computer also incorporates an antenna 204.
The primary user of the handheld computer enrolls a fingerprint, a digital certificate, and an associated private key into the in-circuit security system 100. The fingerprint is stored in the identity credential verification subsystem 103 and is used to authorize use of the private key associated with the digital certificate. The digital certificate may be stored in the cryptographic subsystem 104 or the main memory 102 of the in-circuit security system 100.
The individual typically uses the handheld computer to transmit and receive e-mail. He requires the in-circuit security system 100 to digitally sign his e-mail, which requires accessing the stored private key associated with his fingerprint. He selects his e-mail program, and types an e-mail for transmission using the keypad 214. The keypad 214 is coupled to the processor 201, which receives the data and creates an appropriate message packet for transmission. Once created, the message packet is sent to the in-circuit security system 100 for further processing.
The processor 101 of the in-circuit security system 100 receives the message packet and analyzes the established security settings for transmission of e-mail. Because the in-circuit security system 100 is configured to require digital signing of e-mail prior to transmission, the individual must first authenticate his fingerprint to the identity credential verification subsystem 103. The biometric authentication is required to prevent unauthorized users from encrypting e-mail with a private key that is not theirs. The processor 101 signals the identity credential verification subsystem 103 to wait for a new fingerprint sample from the fingerprint sensor 203, and signals the non-secure processor 201 to provide a visual prompt to the user on the display 213. After the user places his finger on the fingerprint sensor 203 it sends the new fingerprint image to the identity credential verification subsystem 103. The identity credential verification subsystem 103 analyzes the image, generates a template, and compares it to the enrolled fingerprint template. If the two match, the identity credential verification subsystem 103 sends a signal to the processor 101 that the individual is authorized to use the stored private key.
The processor 101 now sends the e-mail message to the cryptographic subsystem 104 and instructs the cryptographic subsystem 104 to sign the message. This typically involves generating a hash of the message and encrypting it with the private key. The cryptographic subsystem 104 may also include a timestamp generated by the real-time clock, the unique device identifier, or other data, prior to the hash. The cryptographic subsystem 104 now sends the signed e-mail message back to the processor 101. The processor 101, in turn, sends the signed e-mail to the cellular transceiver 107 for transmission to a remote recipient.
In a second embodiment of the invention, the in-circuit security system 100 is embedded into an electronic door locking mechanism that is used to control access to a secure facility. As seen in FIG. 3, the system comprises the in-circuit security system 100 with a wired connection to the electronic door lock 314, a fingerprint sensor 203, and a series of light emitting diodes (LEDs) 313 that are used to provide visual feedback to the user. Individuals access the secure facility by demonstrating enrollment of their fingerprint into the in-circuit security system 100. The security settings of the in-circuit security system 100 are configured to shut down the entire locking mechanism on a pre-specified number of failed attempts within a pre-specified time span. This is example of security parameters and settings that are stored within the memory 102.
An enrolled individual wishes to enter the facility. One LED 313 glows green, signaling that the fingerprint sensor 303 is ready. The individual places his finger on the sensor 203, which generates a fingerprint image and sends it to the identity credential verification subsystem 103. The identity credential verification subsystem 103 generates a fingerprint template and compares it to the enrolled fingerprints. The new fingerprint template matches an existing template, so the identity credential verification subsystem 103 sends the individual's unique identifier to the processor 101. The processor 101 accesses the memory 102, which stores security privileges associated with enrolled individuals. The individual who is currently authenticated is authorized to enter the secure facility alone, so the processor 101 sends a signal to the transceiver 107 to trigger the lock 314 to release.
Now an individual who has not been pre-enrolled into the identity credential verification subsystem 103 attempts to enter the secure facility. The individual places his finger on the fingerprint sensor 203, which sends an image of the fingerprint back to the identity credential verification subsystem 103. The fingerprint is compared to all of the enrolled fingerprints, and no match is found because the individual is not enrolled. The identity credential verification subsystem 103 records the date, time and other requisite characteristics of the failed access attempt, and flashes a red LED 313 to show that access has been denied. The identity credential verification subsystem 103 also notifies the appropriate process within the processor 101 that an access failure has occurred.
The individual now tries another, un-enrolled finger. The identity credential verification subsystem 103 records the subsequent failure, and notifies the processor 101 that there has been another failure. When the number of failed attempts reaches the pre-established limit, the identity credential verification subsystem 103 again notifies the processor 101 that a failure has occurred. At this point, the processor 101 applies the security settings and places the electronic lock mechanism 314 in a state where it cannot be unlocked unless it is reset by a recognized authority; in a primary embodiment this would be implemented using a “fail-secure” lock and would involve disconnecting a power source. Alternative actions can occur to put the lock 314 into this state as necessary. The processor 101 may also put the identity credential verification subsystem 103 into a state where it does not accept new fingerprints, create images, or perform matching. As desired by the regulator of the secure facility, the processor 101 may instruct the identity credential verification subsystem 103 to delete any enrolled fingerprint images. These are all examples of programmable security settings.
FIGS. 4-5 depict embodiments of a biometric personal identification device (BPID) for remoted controlled applications.
Necessity of the BPID of the present invention:
Remote control products have been in service for decades and have become ubiquitous for many applications. However, despite the many successful applications for saving time, steps, and effort, there are only limited examples among remote control products and remote control communication systems that demonstrate the capacity to provide security to remote control applications that need or could be improved by security.
Moreover, at the time of this writing, the inventors have found few existing examples in the arts relating to “remote control” intellectual property or to “remote-controlled products and applications”, where privacy concerns are simultaneously addressed along with security and authentication concerns. Notwithstanding, there are many existing and potential remote control applications where privacy and security, user authentication, user auditing, and user monitoring, concerns abound. Unsurprisingly, latent demand exists for appropriate existing and potential applications. The marketplace is ready for privacy and security oriented remote controller devices and associated remote-controlled products and applications, despite the shortage of applicable technology prior to the emergence of the present inventions.
More specifically, latent demand exists for apparatuses, methods, and systems capable of monitoring, auditing, and enforcing different privilege levels of authorized usage for a remote control apparatus and corresponding different privilege levels of authorized remote control of remote-controlled resources, e.g., entertainment resources, polling resources, testing resources, interactive or user response-oriented resources, and other resources and assets including remote controlled machinery, etc. Typical examples of potential products and applications for which latent demand exists where differentiable privacy- and security-oriented remote control transmitter and/or transceiver apparatuses are appropriate include:

- Entertainment Applications, most notably, conventional TV and/or PC control applications such as parental control, Nielsen sweep analysis, etc.; cable television (CATV) applications including “set-top box” control applications including parental control and Nielsen sweeps, access to premium services, access to portable and mobile subscription services, access to bi-directional interactive applications such as multi-player leisure game services, leisure game show inputs, etc.;
- Remote Polling, Voting, and Testing Applications, where differentiable remote control transmitters and transceivers can be used to register, verify, and log in—and where applicable, continuously verify—proven single instances of distinct, unique, authenticated voters' votes, or responders' voting responses to polling application choices, or test subjects' responses to test questions;
- Educational Services, such as unidirectional and bi-directional “remote learning” content control applications, including “Interactive Learning” applications, including continuously verifiable, preauthorized testing services and applications;
- Military, Government, and Law Enforcement Services, e.g., “Soldier of the Future” products.

Everything considered, there is a definite need in the art to provide consolidated security, and privacy features into remote control apparatuses and remote controlled systems. There is also a definite need in the art to provide anonymity features, where applicable and appropriate, into remote control apparatuses and remote controlled systems. While prior art inventors have addressed security concerns to a certain extent, and while a few inventors have addressed privacy and security concerns together, no prior art or products have addressed privacy and security in the flexible and robust apparatuses, methods, and systems of the present BPID. Several examples of prior art addressing privacy and/or security follow below.
Accordingly, it is a primary object of the BPID disclosed herein, to provide a privacy- and security-oriented remote controller apparatus, method, and system for privately and securely controlling a variety of remotely controllable machinery, including (but not limited to) televisions, personal computers, set-top control terminals, etc.
It is another primary object to provide a privacy- and security-oriented remote control apparatus, method, and system for cross-platform and cross-application mobility and portability, where preauthorized, enrolled users can freely carry their privileges from one location to another to control the same, similar, and/or different remotely controlled equipment.
It is another primary object, to provide an apparatus, method and system, which taken together, provide means for absolute personal identity authentication for individuals wishing to remotely control access-protected, restricted, metered, monitored resources, assets, and services.
Another object of the BPID is to enable service providers to monitor, audit, and track the activity of users accessing, or attempting to access, restricted and protected equipment and services by means of remote controllers.
Another object of the present BPID is to match physical persons to discrete devices such that only authorized individuals are associated with each device and so that only authorized individuals can effectuate access with a remote controller. A related object of the BPID is to create multiple levels of privilege and access for a plurality of users accessing a plurality of remote control apparatuses to control a plurality of remote-controlled devices and applications.
It is another primary object of the BPID to decentralize authentication and verification services such that the user apparatuses serve as autonomous authentication devices and can identify persons and their assigned user privileges without requiring remote access to a central system or to a centralized authentication database.
The BPIDs disclosed herein provide privacy- and security-oriented identity credential verification devices (in prior art applications of the instant inventors) and privacy- and security oriented remote control apparatuses, subsystem apparatuses, methods, and systems adapted for authenticating and verifying prospective remote control apparatus users (in this application).
The most basic user-operated devices of prior art inventions to the instant inventors are simply identity credential verification devices. While such devices excel at identifying prospective users thereof, by means of re-verifying a submitted biometric credential such as a fingerprint, they do not effectuate remote control events in remotely controlled machinery.
Prospective users of remote controllers of the present BPID must verify their pre-enrolled identities prior to accessing their preauthorized, assigned privileges to their remote control devices, prior to being authorized and granted access to their remote control devices, and subsequently, to compatible remote-controlled resources equipped according to teachings of the present BPID. User-operated apparatuses of the BPID are privacy- and security oriented, remote control apparatuses. The authenticated and verified, user-operated remote control apparatuses of the present BPID either (1) include an identity credential verification subsystem (ICVS) module for verifying a prospective user's pre-enrolled status and privileges, and/or (2) interface with either an independent, proximate, ICVS, and/or (3) an ICVS module embedded into a remote-controlled resource. Such a remote-controlled resource can only be operated by properly enabled remote controllers, which are accessible and operable only by pre-enrolled, preauthorized users who are re-authenticated and re-verified prior to each operational event.
The methods of the BPID comprise steps, procedures, policies for accomplishing and enforcing pre-enrollment and subsequent authentication of preauthorized users. The systems of the BPID embed an ICVS subsystem in the remote control apparatus of the BPID and/or implement an ICVS system external and proximate to the remote control apparatus by means of a wireless interactive communication link, such as a Bluetooth connection.
The platform, fundamental apparatus of the invention comprises the BPID as described above, plus one or more implementations of enabling application software. This allows the device to function as a remote control for apparatuses including (but not limited to) televisions, VCRs, DVD players and stereo systems, radios, etc., which can be pre-programmed to respond only to pre-determined, authorized remote control apparatuses. The remote control apparatuses of the present invention including platform BPID functionality, can be embodied as either transmitters—using any appropriate transmission media, including, but not limited to, infrared and RF—or, in more advanced applications with additional privacy and security features—as transceivers. Optionally, some or all of the remotely controlled functionality of the present invention can be alternatively embodied into interface controller devices such as “set-top controllers” or “set-top boxes”, rather than solely in one or more remotely controlled devices themselves such as televisions, DVD players and stereo systems, radios, etc.
Notwithstanding, in most embodiments there is no need for external “central site interaction”, nor a need for elaborate, expensive, or technically laborious centralized interactions or complex, non-proximate signal processing chains.
The ICVS subsystem apparatuses of the invention include (1) modular, factory-installed components for implementing ICVS in a remote control apparatus of the present invention; (2) standalone and independent ICVS-class apparatuses, i.e., either (2a) multi-functional set-top boxes or (2b) single function ICVS boxes accessible by RF or other viable communications standard; and (3) customer-installable modules to upgrade platform devices such as to implement advanced features, or to upgrade existing features.
To implement privacy and security features into remote controllers of the present invention, both a factory-installed, embedded core ICVS subsystem apparatus and a user-installed modular core subsystem apparatus are disclosed; either or both can be installed in the remote control of the present invention. Both installed and/or modularly installable subsystem apparatuses can enable and perform authentication of pre-authorized users. ICVS-borne, “user authentication functions” implement not only basic user authentication in a remote controller, but can also permit multiple levels of privileged access to remote-controlled resources as well as portable privileges for accessing remote-controlled resources and their applications, services, etc.
The user authentication process is further performed in a manner supportive of the individual's right to privacy, in accord with the application accessed and the stipulations of the remote-controlled resource or application owner, if any. The preferred embodiment of the invention stores a pre-enrolled biometric template of the authorized individual within tamper-resistant memory within the remote control apparatus. The template is never authorized to leave the device, and is “zeroed-out” upon unauthorized attempted physical or logical access. When an individual wishes to access controlled resources, he/she submits another biometric template through a reader on the device. If the submitted identity credential matches the template stored therein, the user is granted access to operate the remote controller and the machinery it controls.
One primary preferred embodiment of the remote controller apparatus of the present invention is a transmitter adapted for generating and transmitting a basic, “standalone”, simplex, one-way “identity credential verification signal” transmission from a user's remote control device to a target device after successful initial user authentication. This first primary embodiment performs the user authentication process, displays of the result in the form of a user “identity credential verification display”, generates and transmits as appropriate, a user “identity credential verification signal”, and also transmits user control signals to the remotely controlled device.
A second primary preferred embodiment of the remote controller apparatus comprises a transceiver version. The transceiver version is capable of performing standalone user authentication, but is also capable of communicating with an external identity credential verification system (ICVS) and/or other external device or transceiver, based on how it is configured at manufacturing and/or based on how it was optioned by a user and a system administrator after deployment. As described in the BPID discussion, the user-operated remote control transceiver may use a wireless technology ranging from IrDA to RF, or optionally, may use a wired communications medium and/or protocol. In Willis of interactivity, this second preferred embodiment is capable of receiving a plurality of signals from other remote control user apparatuses and/or from external, remote-controlled apparatuses, appropriately equipped. Depending on the situation, a variety of different signal types may be transmitted and received by appropriately equipped user remote control apparatuses and remotely controlled interface devices including set-top boxes and/or other appropriately equipped transceiver apparatuses.
For purposes of illustration, the apparatus of the invention will be described as using a fingerprint for the identity credential verification method and Bluetooth RF wireless technology as the communication media. However, a variety of modifications and substitutions may be made thereto without departing from the spirit and scope of the inventions. Thus, by way of example, the invention is not limited to the use of any specific communications architecture or system, or specific method or type of ICVS.

Theory of Operation

In one operational embodiment, the remote control apparatus of the invention is used in conjunction with a television, a television set-top box, and a premium cable channel such as HBO, Cinemax or Showtime. The remote control is issued to the paying customer and is enrolled with his fingerprint upon application for the premium service. The enrollment process may take place within the cable company's office, online, or through another company-approved method. As per traditional methods, the cable company will also supply the set-top box in order to provide access to the premium cable channel. In this embodiment of the invention, the set-top box is adapted to allow access to the premium channel only upon receipt of an encrypted authorization signal from the authorized remote control device, from among a “premium class” of remote control devices. This further requires that the set-top box is assigned either a public/private key pair or a symmetric key, and that it receives the public key of the authorized remote control apparatus.
When the individual wishes to access the channel, he selects the remote control function within his BPID, and selects the premium access channel that he wishes to watch. The device will prompt the individual to authenticate himself. Upon successful verification, the device searches the memory to verify that the authenticated individual owns the necessary privileges to watch the channel. If the individual is accepted, the device creates a message comprising the selected service and an authorization notice, and signs it with the device private key. The device further encrypts the message with either a shared symmetric key or the public key of the set-top box before message transmission. Successful decryption and signature verification within the set-top box will enable the television to display the premium channel. It is important to note that the set-top box functionality, as described, may be implemented within the television itself in order to reduce the physical equipment required by the system.
An important ramification of a decentralized architecture, as described above, is the portability of users' privileges. One individual, Alice, may have a subscription to a premium cable channel, while another individual, Bob, may not. Alice and Bob would like to watch a movie on the premium channel together, but for practical reasons cannot watch the movie at Alice's home. In the traditional implementation of premium services, Alice and Bob would not be able to watch the movie at Bob's home, as he does not subscribe to the service. With the present invention, however, Alice can use her remote control apparatus to take her privileges to Bob's house if he has an appropriate set-top box or television, and they can watch the movie together.
In another primary embodiment of the invention, again an individual purchases rights to a premium cable channel, and the cable provider issues and enrolls the individual into one device. However, it may be convenient for the individual, or the individual's family, to have multiple remote control devices. In this situation, the individual may use the pre-enrolled device to enroll subsequent devices, creating a master-slave relationship.
Another embodiment of the invention creates a “parental control” method for limiting individuals' access to programs, movies and channels that have comment deemed unsuitable. The owner of the remote control device may enroll multiple persons—and their corresponding fingerprints—into his or an alternate remote control device, along with authorization and privilege levels. Similarly to the request for premium cable services as described above, persons wishing to watch particular television programs must authenticate to the remote control device. The remote control processes the authorization, and transmits an authorization or denial signal appropriately to the television or set-top box. This invention can be extended to cover the operation of VCRs and DVD players; DVDs, for example, can be encoded to include multiple versions of a movie satisfying multiple Motion Picture Association of America (MPAA) ratings.
In another primary embodiment of the invention, users can perform purchasing and other financial transactions through their television and/or set-top box. In recent years we have seen a proliferation of home shopping television networks and infomercials, in which individuals view purchasable items on their televisions. If the individual would like to place an order, he typically calls a telephone number provided at the bottom of the television screen, and supplies a credit card number for payment. This method of shopping is convenient for many users, but lacks personal security because it simply requires possession of a credit card number, without ensuring ownership of the number. In this embodiment of the invention, persons can still order items through their televisions, yet making use of the security benefits of the remote control apparatus. Because the BPID is designed to store a variety of account information, individuals can store credit card numbers and other financial data for this application.
When the viewer selects a home shopping channel, the remote control will register an option for purchasing. If the individual decides to purchase an item, he simply selects the purchasing option on the remote control, and enters the item number and price. He will then select one of the enrolled accounts to pay for the item. This will prompt the user to authenticate himself/herself to the device. If the user is authenticated successfully, the device will sign the message and transmit the appropriate credentials to the television or set-top box. The information can then be transmitted via Internet, phone or other connective medium to pay the seller.
The operational embodiments as described above are also suited for accessing “content distribution” subscription services within stereophonic audio systems in homes, offices and automobiles, such as the emerging XM radio service, pay-per-view television services, and other types of subscription services that use remote control devices.
For example, the various features and characteristics of the BPID interactive system may include:
1) A private and secure remote control apparatus adapted for authenticating and for matching at least one user identity credential of a prospective user with at least one stored pre-enrolled user identity credential of at least one preauthorized user, further adapted for transmitting user permissions and transmitting remote control signals for accessing and controlling remotely controlled apparatuses comprising resources, applications, and services.
2) The private and secure remote control apparatus recited in 1, wherein the user identity credential comprises at least one personal biometric means.
3) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human fingerprints.
4) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human handprints.
5) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human voice.
6) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human iris patterns.
7) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human facial patterns.
8) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human retinal patterns.
9) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human heartbeat patterns.
10) The private and secure remote control apparatus as recited in 2, wherein said personal biometric means comprise human DNA patterns.
11) The private and secure remote control apparatus as recited in 1, further adapted as a transceiver means both for transmitting user permissions and remote control signals and for receiving data, information, and control signals from remote-controlled apparatuses and interface devices comprising resources, applications, services.
12) The private and secure remote control apparatus as recited in 11, wherein the user identity credential comprises at least one personal biometric means.
13) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human fingerprints.
14) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human handprints.
15) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human voice.
16) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human iris patterns.
17) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human facial patterns.
18) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human retinal patterns.
19) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human heartbeat patterns.
20) The private and secure remote control apparatus as recited in 12, wherein said personal biometric means comprise human DNA patterns.
21) A method for administering and distributing premium cable television services comprising:
a) assigning at least one of the private and secure remote control apparatus (of any of the preceding claims) to a pre-authorized user,
b) assigning at least one remote-controlled interface device comprising a set-top box adapted for communicating with said remote control apparatus assigned to a pre-authorized user,
c) providing said remote control apparatus and said remote-controlled interface device comprising a set-top box with corresponding encryption keys such that the two communicate securely,
d) enrolling a pre-authorized user's personal identity credentials into said remote control apparatus,
e) enrolling a pre-authorized user's predetermined privileges and authorizations into said remote control apparatus, and
f) enrolling into said remote-controlled interface device an access privilege list of classes of remote control apparatuses allowed to access premium services from said remote controlled interface device comprising a set-top box for controlling remote-controlled apparatuses comprising resources, applications, and services.
22) A method for accessing premium cable television service comprising:
a) selecting the service using the secure remote control apparatus as recited in any of 1-20,
b) authenticating the user to said secure remote control apparatus,
c) verifying within said secure remote control apparatus that the user has proper privileges to access the service,
d) creating within said secure remote control apparatus a message comprising the authorization and a digital signature,
e) encrypting within said secure remote control apparatus the authorization message, using encryption keys distributed at enrollment,
f) transmission from said secure remote control apparatus to a pre-distributed remote-controlled interface device comprising a set-top box,
g) decrypting within said interface device comprising a set-top box,
h) verification of digital signature within said interface device comprising a set-top box, and
i) verification of user authorization.
23) A method for establishing restricted access for subsequent users using the secure and private remote control apparatus as recited in any of 1-20, comprising:
a) establishing restricted access and privilege levels for subsequent users,
b) demonstrating ownership of said device by verifying personal identity,
c) enrolling subsequent users' identity credentials within said device, and
d) enrolling subsequent users' predetermined privileges and authorizations into said remote control apparatus.
24) An identity credential verification system for matching and authenticating at least one submitted identity credential of a prospective user, wherein said submitted identity credential is matched and verified by said identity credential verification system, comprising:
a) at least one remote control user,
b) a remote control apparatus platform,
c) an onboard identity credential verification system embedded into said remote control apparatus platform including an identity credential verification apparatus means for initially enrolling said at least one user by means of storing at least one enrolled user identity credential and for subsequently matching said at least one user identity credential prior to authorizing and granting access to said remote controller apparatus platform to said at least one remote control user.
While the description above refers to particular embodiments of the present invention, it will be understood that many modifications may be made without departing from the spirit thereof. The accompanying claims are intended to cover such modifications as would fall within the true scope and spirit of the present invention.

Claims

1. (canceled)

2. A method comprising:

at a first electronic device comprising a transmitter, a secure processor, a secure memory, and one or more biometric sensors, wherein the first electronic device is configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device:

receiving first biometric information of a user via the one or more biometric sensors;

in response to receiving the first biometric information, comparing, via the secure processor, the first biometric information to second biometric information stored in the secure memory;

determining, based on the comparison, whether the user meets authentication criteria;

in accordance with a determination that the user meets authentication criteria:

generating a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and

transmitting the verification signal to the second electronic device; and

in accordance with a determination that the user does not meet the authentication criteria, forgoing generating the verification signal and transmitting the verification signal to the second electronic device.

3. The method of claim 2, wherein the second biometric information cannot be removed from the first electronic device.

4. The method of claim 2, wherein the secure memory comprises a tamper-resistant memory, and the second biometric information is zeroed-out upon unauthorized attempted access.

5. The method of claim 2, wherein the second biometric information comprises a biometric template, and the user meets authentication criteria when the first biometric information is consistent with the biometric template.

6. The method of claim 2, further comprising:

in accordance with a determination that the user meets authentication criteria, providing access to a resource of the second electronic device to the user.

7. The method of claim 2, wherein the second electronic device is an interface device and the access provided to the user in accordance with the determination that the user meets authentication criteria includes access to a service and an application on the interface device.

8. The method of claim 2, further comprising:

receiving a signal from the second electronic device after providing the verification signal to the second electronic device.

9. The method of claim 2, wherein granting access to operate the second electronic device comprises granting access to media content via the second device.

10. The method of claim 9, wherein the access to media content comprises access to a premium subscription service.

11. The method of claim 2, wherein granting access to operate the second electronic device comprises granting access to educational content via the second device.

12. The method of claim 11, wherein the educational content comprises one or more of a remote learning application, a testing service, and a testing application.

13. The method of claim 2, wherein the second electronic device is locked by an electronic lock mechanism, and granting access to operate the second electronic device comprises unlocking the second electronic device.

14. The method of claim 2, wherein the verification signal, when received by the second electronic device, permits pre-enrolling a third electronic device with access to operate the second electronic device.

15. The method of claim 14, wherein pre-enrolling the third electronic device creates a master-slave relationship between the first electronic device and the third electronic device.

16. A method comprising:

receiving, at the first electronic device, a request to purchase an item via a shopping service;

receiving, at the first electronic device, a selection of a purchasing account;

in accordance with a determination that the user meets authentication criteria:

transmitting to the second electronic device credentials that, when received by the second electronic device, causes a seller of the item to be paid via the purchasing account; and

in accordance with a determination that the user does not meet the authentication criteria, forgoing transmitting the credentials to the second electronic device.

17. The method of claim 16, wherein the shopping service is accessible via the second electronic device.

18. A first electronic device comprising:

a transmitter;

one or more processors, the one or more processors comprising a secure processor;

one or more memories, the one or more memories comprising a secure memory;

one or more biometric sensors; and

one or more programs, wherein the one or more programs are stored in the one or more memories and are configured to be executed by the one or more processors, the one or more programs including instructions, which when executed by the one or more processors, cause the first electronic device to:

receive first biometric information of a user via the one or more biometric sensors;

in response to receiving the first biometric information, compare, via the secure processor, the first biometric information to second biometric information stored in the secure memory;

determine, based on the comparison, whether the user meets authentication criteria;

in accordance with a determination that the user meets authentication criteria:

generate a verification signal that, when received by a second electronic device separate from the first electronic device, grants access to operate the second electronic device, and

transmit the verification signal to the second electronic device; and

in accordance with a determination that the user does not meet the authentication criteria, forgo generating the verification signal and transmitting the verification signal to the second electronic device,

wherein the first electronic device is configured to communicate securely via the transmitter with the second electronic device.

19. A non-transitory computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a first electronic device comprising a transmitter, a secure processor, a secure memory, and one or more biometric sensors, the first electronic device configured to communicate securely via the transmitter with a second electronic device that is separate from the first electronic device, cause the first electronic device to:

in accordance with a determination that the user meets authentication criteria:

generate a verification signal that, when received by the second electronic device, grants access to operate the second electronic device, and

transmit the verification signal to the second electronic device; and

in accordance with a determination that the user does not meet the authentication criteria, forgo generating the verification signal and transmitting the verification signal to the second electronic device.