WO2004055717A1 - Combined authentication and control unit

Combined authentication and control unit

Info

Publication number
WO2004055717A1
Authority
WO
WIPO (PCT)
Application number
PCT/NO2003/000422
Inventor
Svein Mathiassen
Ivar Mathiassen
Original Assignee
Svein Mathiassen
Ivar Mathiassen
Application filed by Svein Mathiassen, Ivar Mathiassen
Priority to AU2003291780A
Publication of WO2004055717A1

Classifications

    • H04N21/441 Acquiring end-user identification, e.g. using personal code sent by the remote control or by inserting a card
    • G06V20/69 Microscopic objects, e.g. biological cells or cellular parts
    • H04B1/202 Circuits for coupling gramophone pick-up, recorder output, or microphone to receiver by remote control
    • H04N21/25875 Management of end-user data involving end-user authentication
    • H04N21/42204 User interfaces specially adapted for controlling a client device through a remote control device; Remote control devices therefor
    • H04N21/4223 Cameras
    • H04N21/4415 Acquiring end-user identification, e.g. using personal code sent by the remote control or by inserting a card using biometric characteristics of the user, e.g. by voice recognition or fingerprint scanning
    • H04N21/47211 End-user interface for requesting content, additional data or services; End-user interface for interacting with content, e.g. for content reservation or setting reminders, for requesting event notification, for manipulating displayed content for requesting pay-per-view content
    • H04N7/163 Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing by receiver means only
    • H04N7/17318 Direct or substantially direct transmission and handling of requests

Definitions

  • This invention is related to a remote control unit for operating an apparatus or system.
  • The invention is also related to a combined authentication and remote control unit for the control of a remote system in which secure authentication of the user is required.
  • The invention is also related to a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device.
  • The invention is related to a device and a method for authentication of authorized users to access a service available via a network from a remote server and a corresponding method of obtaining access to a service which is available via a network from a remote server using a set-top box.
  • An increasing number of service providers are distributing their services via a network operated by cable companies or satellite distributors.
  • A typical example is film distribution ("Pay per view") via cable networks.
  • The services are distributed from one or more server(s) connected to terminals (e.g. "Set Top Boxes"), where the content (e.g. a movie) is displayed on a monitor (e.g. a television set).
  • The Users may operate their terminal (e.g. the "Set Top Box") with a remote control while the monitor (e.g. the television set) may be operated by a similar, yet separate remote control.
  • When the User orders a service (e.g. a movie) from the Service Provider, this is registered on the server, which distributes the service (e.g. the movie) to the User via the network.
  • A log of the transaction is stored on the server, as basis for subsequent billing to the User, e.g. on a monthly basis.
  • A first limitation of current solutions is related to the distribution chain and the system elements involved.
  • The service provider does not know with sufficient surety who the recipient is, and can therefore not judge if the recipient is an eligible receiver of the service distributed.
  • The administrative software on the server should be capable of filtering the content provided, so that minors do not have access to X-rated movies.
  • This can be resolved by password, or a PIN-code entered into the user terminal (e.g. the "Set Top Box").
  • Passwords or PIN-codes are notoriously spread, intentionally or not, and therefore in most cases abused, sooner or later.
  • A second limitation of current systems is that the user terminal (the "Set Top Box") and the monitor (the television set) presently require separate remote control units.
  • Other devices at the customer premises such as e.g. a DVD player, video player, etc. also require separate remote controls, or may be equipped with a universal remote control, if all devices are purchased as part of a consistent set.
  • The User may purchase a programmable remote control which can be adapted to all devices to be serviced.
  • Such a multi-purpose remote control may be cheaper than multiple different remote controls, and will be more convenient to use, as the simplification from many remote controls to a single unit simply reduces the number of portable devices flooding the home of the user.
  • Any functionality that shall be handled by the remote control typically requires separate function buttons, representing a combination of mechanical and electronic components connected to the underlying printed circuit board.
  • Yet another limitation is presently that once remote controls are manufactured and distributed, they cannot be changed or modified without excessive expense. Added or modified functionality can therefore only be provided by issuing new remote controls.
  • Still another limitation of present systems is related to the fact that such mechanical / electronic remote controls based on dedicated functional buttons become unnecessarily expensive, due to limited competition and in particular because remote controls in most cases are tailored to the proprietary makes of the devices they shall control.
  • Every new device introduced on the market is normally equipped with new versions of remote controls, so that the production volumes are significantly less than could be possible.
  • A method of commerce through a set-top box is performed employing fingerprint data.
  • The fingerprint reader apparatus transmits a fingerprint, possibly a processed fingerprint, to a base unit via a tether, thus creating a transmission line which may be intercepted.
  • a monitor e.g. a television set
  • a remote control device that enables a secure and convenient authentication of a user, in order that a server may automatically effectuate an ordered service, e.g. to release any movie ordered ("pay per view").
  • a blocking of a service e.g. the distribution of a film
  • A combined authentication and remote control device for the control of a remote system comprising a user input module, a processing unit and an interface module for communicating with the remote system having the characterizing features as given in independent claim 1.
  • The objectives of the present invention are also achieved by a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device according to claim 6 comprising the steps of independent claim 7.
  • The objectives of the invention are also achieved by a method of remotely controlling a device, apparatus or system using a device according to claim 1 and where the method comprises the steps of independent claim 8.
  • The objectives of the invention are also achieved with a set-top box for authentication of authorized users to get access to a service made available for distribution in a network from a remote server having the characterizing features given in claim 16.
  • The objectives of the invention are also achieved with a method of obtaining access to a service on a remote server through a set-top box, where the set-top box includes a fingerprint sensor for obtaining the fingerprint of a user, and in which the steps given in claim 17 are performed within a single integrated circuit in the set-top box.
  • Fig. 1 illustrates an example of a typical television distribution system.
  • Fig. 2 shows an example of a combined control unit according to the invention.
  • Fig. 3A outlines the new control unit according to the invention for combining user authentication and an improved remote control.
  • Fig. 3B shows a control unit according to the invention, held by a human hand.
  • Fig. 4A shows a first preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
  • Fig. 4B shows a second, even more preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
  • Fig. 5A-B illustrates a control unit according to the present invention (Figure 5B) in contrast to a typical remote control device accompanying available products (Figure 5A).
  • Fig. 5C illustrates a control unit according to the present invention, with an integrated display.
  • Figure 1 shows a network (N), through which services are distributed from a server (30) to a terminal (31) in the homes of the Users (34), displaying the contents on the display (33) of a television set (32).
  • The distribution network (N) may either be wireless (by satellites) or by landlines (cable companies).
  • Figure 2 displays how the terminal (31) is operated and authenticated by the new control unit (20) by giving the User feedback via the monitor (32).
  • Figure 3 outlines the new control unit (20) combining user authentication and an improved remote control device itself, by means of an IC (1) facilitating user authentication and remote control of any device coupled to a monitor or display.
  • Figure 4A shows one version of such an IC (1) while Figure 4B shows another version of the IC (1).
  • Figure 5A illustrates a typical remote control unit according to prior-art technology, with a typically extensive number of function buttons.
  • Figure 5B shows a control unit according to the present invention.
  • Figure 5C illustrates a remote control according to the present invention, in an alternative embodiment with an embedded display, enabling the user to also control apparatuses, devices or systems not incorporating a monitor.
  • The combined authentication and remote control device comprises, as illustrated by the three projections in Figure 3A, an external housing (20) which contains a fingerprint sensor (5) coupled to a miniature printed circuit board PCB (21) on which is mounted the IC (1).
  • The control unit (20) further comprises a battery (25) for power supply retained in the housing (20) by a removable lid (26).
  • The battery (25) is connected to the PCB
  • The control unit is also equipped with a wireless 2-way transceiver (27), a Power On/Off button (24), and all the active components are connected to the IC (1) by cables (23) via the PCB (21).
  • Figure 3B illustrates this unit
  • A biometrics sensor in the form of a fingerprint sensor (5) is coupled with a biometrics processor in the form of an integrated circuit - IC (1) that is the core device of the invention.
  • Fingerprint refers to the ridge and groove patterns on any of the digits of either hand.
  • Two versions of the IC are shown in Figures 4A and 4B. The details of the ICs will now be explained.
  • The sensor (5) is connected to a fingerprint sensor image capture and pre-processing block (5C) via a first interface block (5A) as well as a wake-up circuit (5B), the function of the latter being to power up all other blocks of the IC (1).
  • The first blocks to be powered up are the image capture and pre-processing block (5C) as well as the high-speed bus (3) and the volatile memory (6 or 6C), all of which are connected to the high-speed bus (3).
  • The image capture and pre-processing block (5C) is designed to perform the initial, heavy-duty processing of the captured raw images from the sensor (5).
  • The intermediate results are stored in the volatile memory (6A or 6C) that is interfaced via the high-speed bus (3) to a first memory interface block (6B or 6D).
  • The volatile memory (6A or 6C) thus provides working memory that is also available to the other modules on the IC (1).
  • The image capture and pre-processing block (5C) crunches the captured raw images to an intermediate stage of significantly compressed information, i.e. a dataset of reduced size, denoted intermediate fingerprint data.
  • The intermediate data are fed to the central processor (2) for final reduction of the captured fingerprint image to compact fingerprint representations, called minutiae.
  • Such minutiae are distinct points where fingerprint lines (ridges) start or stop, or locations of bifurcation of the ridges, and may be described by at least a vector comprising X and Y coordinates, and direction of the individual minutiae, stored as an alphanumeric string in non-volatile memory (7, 7A or 7E).
  • The non-volatile memory (7, 7A or 7E), coupled to the high-speed bus (3) via a second memory interface block (7B or 7D), is typically used for storing program code (e.g. administrative software), tailored security output responses and fingerprint representations in the form of minutiae.
  • These fingerprint minutiae from the access attempt are compared by the central processor (2) with master fingerprint minutiae stored in non-volatile memory (7, 7A or 7E).
  • These master fingerprint minutiae will typically be fingerprint minutiae of the persons authorized to use the device.
  • An encryption of a secure output signal is performed in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C).
  • The encryption modules are also connected to the high-speed bus (3).
  • The retrieved encryption information is applied to the fingerprint data using the processing unit
  • The encryption and scrambling process can be performed in an encryption/scrambling hardware module arranged separately from the main processor (2).
  • The chip may proceed with generating a secure key (SKG) either processed by a special algorithm on the central processor (2) based on a seed pre-stored in the non-volatile memory (7, 7A or 7E), or alternatively embedded in hardware block (8A). If the same SKG algorithm is run on two separate computers [e.g. a server (30) and the central processor (2) on the IC (1)] it will yield the same key, or password, when the identical algorithm on both of the two separate computers is fed with an identical seed.
  • The seed is individual and secret and only known by the system administrator and the user.
  • The SKG algorithm may be constructed to produce a pseudo-random and identical key on both computers (2 and 30) that is either valid for a time frame, or alternatively changed for each and every transaction. This requires that the present key number and the past key number are stored in the non-volatile memory (7, 7A or 7E).
  • Secret information such as seed, key numbers, IP address, etc. may either be scrambled by block (8) and stored on an external regular Flash memory (7), or securely stored in SmartCard environments (7A or 7C).
  • The administrative software stored in the non-volatile memory (7, 7A or 7E) and run on the central processor (2) may then combine information to form the basis of a secure communication between the IC (1) and the network server (30).
  • The information to be encrypted may comprise a User identification code (ID), password and other info. Encryption is performed in hardware blocks (8 or 8B or 8C).
  • The rules of secure communication enforced on the prevailing network (N) are embedded in the administrative software executed on the central processor (2), and may be adapted to include PKI and hand-shake sequences.
  • The encryption blocks (8, 8B or 8C) may also be used to encrypt general information transactions between the IC (1) and the network server (30), if desirable.
  • The IC (1) also comprises hardware and/or software required to supply output signals to a number of second interface blocks (9A, 9B, 9C or 9D) for transferring data to other devices and networks (N) external to the IC (1).
  • The IC (1) is adapted to provide data to the external access-limited apparatus, device or system.
  • This second interface block may comprise hardware and software for supporting a USB (9A), Ethernet (9B), GPIO (9C), PCMCIA/UART (9D) and/or SmartCard (7C) interface.
  • The second interface blocks are serviced by a bus (4) with lower bandwidth and capacity than the high-speed bus (3).
  • The two buses (3 and 4) are connected by a bus bridge (11C).
  • The hardware blocks that are not dependent on high-speed transmissions are connected to the slower bus (4).
  • The hardware blocks of the IC (1) are designed to perform their respective tasks in a minimum of time, and to interact with each other with a minimum of delays and queuing.
  • The central processor (2) executing the administrative software renders a high degree of flexibility in adapting the programming to external devices and networks (N).
  • The main difference between the IC (1) of Figure 4A and 4B is that the version in Figure 4B has volatile memory (6C) and non-volatile memory (7A) embedded as integral parts of the IC (1), thus reducing the demand for data exchange with external memory and thus further enhancing the security and speed of operation of the device by containing almost all data processing of the fingerprints internally within the IC (1).
  • The IC (1) is designed as a multi-purpose tool that can service a fingerprint sensor (5) in a stand-alone mode, but it can also communicate with external devices and networks (30) by bridging the biometrics from the sensor (5) to a non-biometrics representation according to the secure communication settings on servers (30) in a network (N).
  • The IC (1) transforms the fingerprint into a password or PKI, etc., under the prevailing secure communication rules, according to the secure communication rules implemented on server (30).
  • The utilization of the IC (1) for authentication of an authorized user to get access to a service distributed in a network (N) from a server (30) will first be explained for the arrangement wherein the authentication and remote control is performed in a device according to the invention including an IC (1) as described above being mounted in the terminal
  • Set-top box refers to any receiving device coupled to at least one local television set for receiving programming from a remote server or from a distribution network or system, controlling the television set, and possibly to descramble or decrypt received programming and to scramble or encrypt return signals, as exemplified in US-patent 6,028,950.
  • The user contacts the service provider for subscribing to selected services.
  • The service provider will furnish a suitable terminal (31) (e.g. "Set Top Box") to the user, who hooks it up to his monitor (32) (television set).
  • The service provider also gives the user a unique seed, which may be pre-loaded in the terminal (31).
  • This seed is then stored in the server (30) of the network (N), along with the user ID of the User.
  • A number of available seeds may be pre-stored in the terminal (31) to facilitate a limited number of users using the same terminal (31).
  • The administrator of the user group to access the terminal (1) (the primary user, e.g. the head of a family) will enroll himself by entering a user name and his fingerprint(s).
  • The fingerprint image from the sensor (5) will be captured by the IC (1) and reduced to compacted minutia, for storage in the non-volatile memory (7, 7A or 7E).
  • A user identification code (ID) or user classification code will be allocated to each stored fingerprint representation.
  • The administrator will be given maximum user privileges, such as e.g. defined as "adult", in the context of "view on demand" movies.
  • The User Name, together with the Seed Number (e.g. 1 out of ten) and the assigned Access Privilege (e.g. "adult"), will be encrypted in block (8, 8B or 8C) on the basis of a secure key (SKG) generated by the central processor (2) or block (8A) and transmitted via the network (N) to the server (30) of the service provider.
  • The encrypted message will be decrypted on the server (30) by the same encryption algorithm and for Seed Number 1 of the terminal (31), identified by the Terminal Number, or the IP Address of the terminal (31).
  • The decrypted user information will be stored on the server (30) along with the Terminal Number (or IP Address) and the User Id.
  • The administrator of the terminal (31) may now enroll the rest of the user group (e.g. a family) to access the same terminal (31).
  • The administrator will countersign with his own fingerprint on the sensor (5). If that fingerprint is authenticated compared to the pre-stored master minutia representation of the administrator, he will then assign a user name and an access privilege (e.g. "minor") to the new user.
  • This information will be encrypted and transmitted to the server (30), where it will be decrypted by Seed Number 1 of the terminal (30), and this information (User Name, Access Privilege, etc.) will be stored on the server (30) as a subset to the administrator of that terminal number.
  • Such enrolment by the administrator of new users on the terminal (31) may be done immediately after the administrator has been enrolled or gradually over time. The administrator may also authorize users for a limited time period.
  • When an enrolled user (33) is accessing the terminal (31) in order to access a service via the network (N) from a remote server (30) for ordering a service assigned with restricted access (e.g. an X-rated movie), the user will be prompted to identify himself/herself by a fingerprint on the sensor (5).
  • The access fingerprint image from the sensor (5) will be captured by the IC (1) via a first interface block (5A).
  • The obtained fingerprint images will be pre-processed in the sensor image capture and pre-processing block (5C).
  • The pre-processed data will be transferred via the high-speed bus (3) to the processor unit (2) for extracting features of the fingerprint, thus reducing it to a compact minutiae fingerprint representation.
  • The processor unit (2) retrieves fingerprint information from a storage module holding the pre-stored fingerprint minutia.
  • The compact access minutiae of the extracted features representing the captured and pre-processed fingerprint images are compared with the pre-stored master minutia tables residing in the non-volatile memory (7, 7A or 7E).
  • The process will be aborted by the IC (1), whereas in the case of a positive match the IC (1) will allow the user to proceed with his ordering, encrypting the User ID, the password (generated from Seed number n) and the purchase description (e.g. movie title), and transmitting them to the server.
  • A secure output signal is compiled in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) and applying this encryption information to fingerprint data, for producing secured communication data as an output to the high-speed bus (3).
  • The said secure output is provided to the remote server
  • In response to the supplied secured data, the server will on the basis of the Terminal Number (or the IP Address) try to decrypt the message starting with Seed Number 1 registered on that terminal. If unsuccessful it will try to decrypt the message by Seed Number 2 registered on that terminal and so on, until the proper seed of the particular user of that terminal is found.
  • The number of seeds per terminal will in practice be limited to e.g. 50 users (seeds) per terminal.
  • When the message has been decrypted and the password retrieved, as well as the user name, the server will compare the prevailing access privilege of the requested service (e.g. an X-rated movie) with the actual access privilege of the identified user. If the actual access privilege is equal to, or higher than the prevailing access privilege, the server will endorse the transaction and proceed to download the requested service to the terminal (31).
  • The server will categorize the user as unauthorized and will abort the operation.
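
The ordering flow described above (shared seed, per-transaction SKG key, server trying each seed registered on the terminal, then the privilege comparison) can be sketched as follows. This is an added example, not code from the patent: the document does not specify the SKG algorithm, the cipher, or how the server recognises a successful decryption, so HMAC-SHA256 key derivation, an HMAC-based keystream and an authentication tag are assumptions, as are all names, seeds, terminal numbers and titles.

```python
import hashlib
import hmac
import json

RANK = {"minor": 0, "adult": 1}            # access privileges named on the page
ADMIN_SEED = b"constructed-seed-1"         # constructed sample seeds
CHILD_SEED = b"constructed-seed-2"


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def skg(seed: bytes, txn: int) -> bytes:
    """Assumed SKG: the same seed and key number yield the same key on both sides."""
    return _prf(seed, b"skg" + txn.to_bytes(8, "big"))


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Illustrative keystream (HMAC in counter mode) standing in for blocks 8/8B/8C.
    blocks = (_prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def seal(seed: bytes, txn: int, order: dict) -> bytes:
    """Terminal side; runs only after the local fingerprint match has succeeded."""
    key = skg(seed, txn)
    ct = _xor_stream(_prf(key, b"enc"), json.dumps(order, sort_keys=True).encode())
    return _prf(_prf(key, b"mac"), ct) + ct          # tag || ciphertext


def open_sealed(seed: bytes, txn: int, blob: bytes):
    """Return the order if the tag verifies under this seed, otherwise None."""
    key = skg(seed, txn)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), ct)):
        return None                                  # wrong seed, wrong txn or tampering
    return json.loads(_xor_stream(_prf(key, b"enc"), ct))


class Server:
    def __init__(self, terminals: dict, catalogue: dict):
        self.terminals = terminals   # terminal number -> seed records, in seed order
        self.catalogue = catalogue   # title -> prevailing access privilege

    def handle_order(self, terminal_no: str, txn: int, blob: bytes):
        # Try Seed Number 1, then 2, ... registered on that terminal.
        for number, rec in enumerate(self.terminals.get(terminal_no, []), start=1):
            order = open_sealed(rec["seed"], txn, blob)
            if order is None or order.get("user") != rec["user"]:
                continue
            if txn <= rec["last_txn"]:               # key number already used
                return ("replayed", number)
            rec["last_txn"] = txn
            required = self.catalogue.get(order.get("title"), "adult")  # fail closed
            if RANK[rec["privilege"]] >= RANK[required]:
                return ("endorsed", number)
            return ("unauthorized", number)
        return ("no-seed-matched", None)


def sample_server() -> Server:
    """Constructed server state: one terminal with two enrolled users."""
    terminals = {"T-0001": [
        {"seed": ADMIN_SEED, "user": "admin", "privilege": "adult", "last_txn": 0},
        {"seed": CHILD_SEED, "user": "child", "privilege": "minor", "last_txn": 0},
    ]}
    return Server(terminals, {"Restricted Title": "adult", "Family Title": "minor"})


if __name__ == "__main__":
    srv = sample_server()
    msg = seal(CHILD_SEED, 1, {"user": "child", "title": "Restricted Title"})
    print(srv.handle_order("T-0001", 1, msg))
```

Because the key depends on the transaction number, changing that number in transit makes the tag fail under every registered seed, and a repeated number is refused from the stored last key number.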
  • the above method and apparatus will provide the following advantages; -
  • the administrator (the primary user) will have full control of which user is authorized to order which services. No password or PIN-codes are needed for the other users, which password may be voluntarily passed on or involuntarily acquired by non-authorized users, and thereby abused.
  • the service provider has the assurance that no services are distributed to the owner (administrator) of the terminal that the owner does not approve.
  • the users do not need to remember yet another password or PIN-code, but can conveniently use their fingerprint to access those parts of the system that they are authorized to access.
  • the service provider will benefit from biometrics verification of authorized users locally on their terminals (31) , without having to choose a biometrics standard on his server, as the IC (1) bridges biometrics input centrally at the terminal (31) , to a defined secure communication protocol in the network (N) , that may comprise SKG / password, encryption, PKI and hand-shake sequences.
  • Identity authentication will be executed in a fraction of the available time of the IC (1) .
  • the central processor (2) therefore offers significant free processing capacities that may be utilized for other purposes.
  • a fingerprint sensor (5) mounted on the terminal (31) e.g. the Set Top Box
  • Figures 3A and 3B show such other preferred embodiment according to the invention as a combined authentication and remote control device (20) being a separate control unit (20) comprising an outer housing that is designed to fit well into the hand (Figure 3B), whether the user is right- or left-handed.
  • a fingerprint sensor (5) placed conveniently for ergonomic operation by e.g. the thumb.
  • a Power On / Off button (24) for power saving, if the user leaves the terminal (31) e.g. for vacation or otherwise for extended periods.
  • Turning power on after a shutdown may require an authorized fingerprint to proceed for access to the system, and the network and its services.
  • the control unit (20) is powered by a battery (25) that may be of re-chargeable or dispensable type.
  • the battery is kept in position in the control unit (20) by a removable battery lid (26) for battery replacement.
  • In front of the control unit (20) there is a two-way wireless transceiver
  • This embodiment of the invention requires the sensor (5) to be of a type that can serve the IC (1) in 3 modes; - Sleep mode (for power saving) . This is the default mode.
  • the wake-up circuit (5B) of the IC (1) will activate (power up) the rest of the IC (1) when a finger is touching the fingerprint sensor (5) , raising the output signal from the sensor (5) above a pre-set threshold of the wake-up circuit (5B) .
  • When the IC (1) is powered up from sleep mode, it will default to navigation mode.
  • a pre-stored set of navigation rules, termed finger command table, stored in non-volatile memory (7, 7A or 7E) of the IC (1).
  • This finger command table is based on elements or combination of elements of finger movements over the surface of the sensor
  • time-related touch / non-touch sequences of the finger on the sensor (5) such as e.g. a "tap" or a
  • the IC (1) of the remote control (20) is prompted to authentication mode, waiting for a fingerprint to be captured from the sensor
  • the navigation mode on the control unit (20) will be conducted as follows;
  • the remote control menu (33) to be interacted by means of the control unit (20) will reside as software on the terminal (31) rather than as presently being embedded as hardware buttons on current remote control (s) (refer Figure 5A) .
  • This menu (33) will be displayed on the monitor (32) (e.g. the television set).
  • the user will navigate the cursor within the displayed menu (33) by finger commands on the control unit (20) .
  • Selection of a menu option can be performed by positioning the cursor over the desired choice or option on the display (33) , and then "double tapping" with the finger on the sensor (5) to confirm the selection.
  • Another embodiment of the invention is shown in Figure 5C where the combined control unit, according to the invention, is equipped with an integrated small display.
  • the combined control unit according to the invention may also be used for controlling apparatuses, devices and systems not comprising a monitor (32) , and still providing visual feedback to the user on his finger commands inputted to the control unit (20) by finger movements over the sensor (5).
  • the method of operating such embodiment of the invention is identical to the preceding descriptions, except those menus are displayed locally on the control unit (20) itself.
  • a user group (say a family) signs up a subscription with a Service Provider (e.g. a cable company or a satellite distributor) .
  • the Service Provider compiles a kit to the subscriber
  • This kit consists of a terminal (31) and a combined authentication and remote control unit (20) , hereinafter referred to as the control unit (20) .
  • the terminal will be a standard product, except that it is equipped with a two-way transceiver (27) and can be boxed without any further personalization.
  • the control unit (20) needs to be equipped with factory settings specified by the Service Provider. Such factory settings may typically comprise: From the factory the control unit (20) has been downloaded by software pertinent for the Service Provider. This pertains to any particular encryption algorithm if different from the resident DES/TDES algorithms embedded in hardware blocks (8, 8B or 8C) of the IC (1).
  • this will be downloaded in non-volatile memory (7, 7A or 7E) of the IC (1) .
  • the factory will download the specific communication set-up enforced by the Service Provider, into non-volatile memory (7, 7A or 7E) of the IC (1) .
  • IC (1) including all subsets of the administrative software.
  • One such subset in particular is the interface commands between the control unit (20) and the terminal (31) .
  • the Service Provider to personalize the control unit (20) to the subscriber.
  • Such personalization will be carried out by authorized personnel within the Service Provider's organization, by a special Personalization Program on their server (30).
  • the Personalization Program can only be accessed through a validated fingerprint to authenticate the operator as an authorized operator.
  • the Personalization Program should be linked to other parts of the Service Provider's database, such as e.g. billing routines, etc. When a subscriber has been entered into the database, and an authenticated Operator has entered the pertinent data into the Personalization Program, this can only be entered into the database by the Operator countersigning with his fingerprint, to conclude the personalization of the control unit (20) .
  • the steps of such personalization may typically comprise the following:
  • the Operator enters the ID of the control unit (20) into the database, along with the particulars of the subscriber, such as name, billing address, and particulars of the terms for the subscription.
  • the Operator prepares particulars of the subscriber to be downloaded into the secret parts of the non-volatile memory block (7A or 7E) or alternatively to be scrambled by block (8) for storage in non-volatile memory block (7).
  • These particulars comprise: - A set of secret seeds (e.g. ten seeds) for Secure Key Generation (SKG) for DES/TDES, or other encryption.
  • IP address of the server partition to be addressed by the control unit (20) via the terminal (31) .
  • the control unit (20) will now be packaged along with the terminal (31) for shipping to the subscriber (user) .
  • When the subscriber receives the package he will connect the terminal (31) to his television set (32), and be ready to enroll as
  • the first person within the user group (e.g. a family) will by default be proposed as Primary User (or System Administrator) of the control unit (20), with full privileges.
  • the control unit (20) for the first time after personalization
  • the control unit (20) will be prompted to enrolment mode, ready to enroll the Primary User through the following consecutive steps :
  • the administrative software of the control unit will trigger the enrolment menu (33) to be displayed on the monitor (32) (e.g. the television screen) prompting the person to be enrolled to enter the following information; user name (name or acronym) , age, user status (Primary
  • ID or a user classification code stored in this manner may later be used in an access discrimination operation, e.g. performed by the processor (2) in order to allow different access functionality to different users.
  • the menu (33) displayed may prompt the Primary User to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5) .
  • the user is guided by the menu text to swipe one of his fingers over the sensor (5) , and the result (the cleaned up image) is displayed adjacent to the model image.
  • the IC (1) will capture the image by the image capture and pre-processing block (5C) which will perform the initial processing cleaning up the image (“cleaned-up image”) and temporarily storing this cleaned-up image in the working volatile memory (6A or 6C) .
  • the cleaned-up image is then transferred via the high-speed bus (3) to the central processor (2) that will reduce it to fingerprint minutia representation and calculate a quality score of the image.
  • the cleaned-up image will then be displayed in the menu (33) along with a score and a verdict of whether it is of acceptable quality, or not.
  • the minutia fingerprint representations from the training section will not be permanently stored in the IC (1) but are simply intended to give feedback to the user.
  • the administrative software shifts the control unit (20) to Enroll Mode.
  • In Enroll Mode the user will be prompted by the menu (33) to swipe his finger over the sensor (5) for registration of master minutia fingerprint representations. This will be executed as per the preceding procedure, except that the extracted minutia table will be permanently stored in the non-volatile memory (7, 7A or 7E) of the IC (1).
  • the administrative software may be pre-set to require e.g. 3 master minutia tables of acceptable quality of each finger.
  • the administrative software of the IC (1) will now assign one of the pre-loaded seeds (from the personalization by the Service Provider) to this user.
  • the seed will thereafter be accessed from the nonvolatile memory (7, 7A or 7E) .
  • the seed will be unscrambled, while in case of seed storage on SmartCard blocks (7A or 7E) it will be extracted from the secret sections of the SmartCard block (7A or 7E) .
  • This seed will never leave the interior of the IC (1) during this process, and will be unobtainable externally to the IC (1) .
  • the accessed seed will then be transferred via the high-speed bus (3) either to the central processor (2) (in case of Figure 4A) or to the Secure Key Generation (SKG) block (8A) (in case of Figure 4B) to produce a unique keyword.
  • This keyword will then be transferred by the administrative software via the high-speed bus (3) to the appropriate encryption block, according to the set-up in the administrative software subset on encryption; either to block (8, 8B or 8C) or alternatively the keyword is employed by an encryption algorithm (forming a subset of the administrative software) downloaded into the nonvolatile memory (7, 7A or 7E) during factory preparations of the control unit (20) according to specifications from the Service Provider.
  • the following message is then encrypted by the targeted encryption method [hardware encryption block (8, 8B or 8C) or alternatively a specific encryption algorithm executed by the central processor (2)]: $E_{\text{key}}(\text{user ID},\ \text{assigned seed number},\ \text{privilege})$.
  • This information is then blended with non-encrypted information Unit ID, present key number and the IP address of the server (30).
  • $M_{\text{enrol}}\,[\,IP_{\text{addr}},\ \text{Unit ID},\ \text{key}_{\text{no}},\ E_{\text{key}}(\text{user ID},\ \text{seed}_{\text{no}},\ \text{privilege})\,]$
  • When the Primary User thus has enrolled himself, he will be prompted by the displayed menu (33) to tick either "Continue" or "Change?". Assuming that the Primary User has correctly filled in the menu (33) and is satisfied that the input he has given is correct (no typos, etc.), he will tick off "Continue" and countersign with his fingerprint on the sensor (5).
  • the administrative software of the IC (1) will process this countersigning fingerprint, extract the fingerprint minutia representation and compare it with the preceding master minutia recently entered by the Primary User.
  • the administrative software of the IC (1) will transmit the encrypted message "M" via the two-way wireless transceivers (27) to the terminal (31) where it will be relayed to the server (30) by the IP address .
  • the server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
  • From the database entries of Unit ID the server (30) will retrieve seedi and key number and decrypt the encrypted parts of the message "M".
  • the server (30) will then amend the User ID, and assigned seed number (seedi) as well as privileges (e.g. Primary User, adult) to the entities under Unit ID.
  • the server (30) will then increment its key number, and send an acknowledgement via the terminal (31) to the control unit (20), which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30) .
  • the Primary User now being registered as the administrator [of his particular control unit (20)] within the database entities under the Unit ID on the server (30) now has the privileges to enroll other users (e.g. his family).
  • the Primary User is now eligible to enroll other users. This will in general follow the same procedure as for enrolling the Primary User, with some minor deviations that will be outlined below: - The Primary User will place his finger on the sensor (5) of the control unit (20) . This will raise the output signal level from the sensor (5) to a level exceeding a pre-set threshold within the wake-up block (5B) of the IC (1), powering up the IC (1) in a pre-set sequence to default waken mode "navigation".
  • a main menu (33) will be displayed on the monitor (32) .
  • the Primary User will move his finger on the sensor (5) causing the cursor on the displayed menu (33) to follow his finger movements on the sensor (5) as explained below under "Controlling Devices".
  • the Primary User will by his finger move the cursor to menu choice "Enroll” and then select this choice by double-tapping his finger on the sensor (5) .
  • the Primary User is prompted to authenticate himself, by verified fingerprint. He will swipe his finger over the sensor (5) .
  • the sensor output is directed to the IC (1) via the sensor interface block (5A) to the image capture and pre-processing block
  • the access minutia table extracted by the central processor (2) from the temporary fingerprint representation output of block (5C) is then compared with the Primary User's master minutia table (s) securely stored in nonvolatile memory block (7, 7A or 7E) . Provided the access minutia table is checked to match the master minutia table of the Primary User, the Enroll Menu is opened, and the IC (1) switches back to navigation mode. In case of no match, the enrolment process is aborted.
  • the Enroll menu starts with a registration window where the Primary User enters the following information about the new user: user name (name or acronym), age and privileges (adult or minor). Say that for the sake of demonstration this new user is entered with privilege "minor", meaning that the Primary User will exclude the new user from being able to order X-rated movies ("pay-per-view").
  • the menu (33) displayed may prompt the new user to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5) .
  • the user is guided by the menu text to swipe one of his fingers over the sensor (5) , and the result (the cleaned up image) is displayed adjacent to the model image.
  • This training is managed by the administrative software of the IC (1) in accordance with the same procedure as explained under Enrolment of Primary User.
  • the administrative software shifts the control unit (20) to Enroll Mode.
  • the new user is enrolled by fingerprint registration, by the exactly same procedures as explained under Enrolment of Primary User.
  • When the enrolment is completed, the Primary User will countersign by one of his enrolled fingers. If the administrative software, by means of the hardware blocks, of IC (1) confirms that the Primary User is authentic (by a match with one of the previously enrolled master fingerprint minutia tables of the Primary User), the enrolment is completed. In case of a non-match, the enrolment process is aborted at this stage.
  • the administrative software of the IC (1) then assigns the next vacant seed number(s) to the new user.
  • the control unit (20) then compiles a partly encrypted message, by the administrative software and hardware blocks of IC (1) comprising:
  • $M_{\text{enrol}}\,[\,IP_{\text{addr}},\ \text{Unit ID},\ \text{key}_{\text{no}},\ E_{\text{key}}(\text{user ID},\ \text{seed}_{\text{no}},\ \text{privilege})\,]$
  • the control unit (20) then transmits this message "M" by the two-way wireless transceivers (27) to the terminal (31) which relays the message to the server (30) .
  • the server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
  • From the database entries of Unit ID the server (30) will retrieve seed n and key number and decrypt the encrypted parts of the message "M".
  • the server (30) will then amend the User ID, and assigned seed number (seed n ) as well as privileges (e.g. Regular User, minor) to the entities under Unit ID.
  • the server (30) will then increment its key number for this particular user, and send an acknowledgement via the terminal (31) to the control unit (20) , which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30) .
  • Additional users may be enrolled by the Primary User at any time, but only by the Primary User.
  • control unit (20) may be controlled by the control unit (20) .
  • Another preferred embodiment of the method of remotely controlling a device, apparatus or system comprises using the invention to select menus to be displayed on a monitor, and perform navigation within such menus, and finally perform selections / commands within such menus.
  • When triggered by a finger on the sensor (5) the IC (1) of the control unit (20) will default to wake-up in
  • the remote control device may comprise a fingerprint sensor adapted to detect finger touches as well as lateral finger movements .
  • Such finger movements or touches on the sensor (5) involve performing the following steps in said Navigation Mode:
  • the consecutively captured fingerprint images are pre-processed in the image capture and pre-processing block (5C) to provide a number of compacted images.
  • the incremental differences of the compacted image information from the pre-processing block (5C) are analyzed by the central processor (2) determining the direction of movement of the finger (A) and the associated speed of movement over the sensor (5) , and whether the contact of the finger (A) on the surface of the sensor (5) is disrupted, and possibly for how long such disrupted contact lasts.
  • the obtained information e.g. finger speed and direction, contact or no-contact versus time
  • a pre-stored table of finger commands such as for example defined by sequences and directions of finger movements over the sensor, stored in one of the non-volatile memory blocks (7, 7A or 7E) .
  • Sets of finger command structures may thereby be defined and detected, thus enabling a multi-function tool for fingerprint scanning, text/ character input in multiple modes, and cursor control, all by finger commands on a single sensor or sensor device.
  • the code for this particular finger command is transmitted from the central processor (2) via the high-speed bus (3) to a selected communication interface block (9A, 9B, 9C or 9D). Further the command code is transmitted from said interface block to the remotely controlled device, apparatus or system, preferably in wireless form (27).
  • Such interpretation of finger movements into commands may for example offer means for the user to navigate in and control a menu being presented to the user on the monitor.
  • the secure communication between the control unit (20) and the network server (30) , via the terminal (31) may comprise a variety of different transmissions.
  • a unique User ID e.g. in the form of a long alphanumeric string, by which the User (34) is identified in a data repository of the server (30) could be transmitted.
  • a unique password which is automatically triggered by a positive identity match in the IC (1) can be transmitted.
  • an alphanumeric code identifying the type of access or service requested may be transmitted.
  • all of the above said transmission items could be transmitted in a packaged format and encrypted using one of blocks (8, 8A, 8B or 8C) .
  • the control unit (20) may accordingly be used as a multifunctional authentication and remote control unit.
  • the latter application may apply to control appliances like DVD player (s), television set(s) and similar appliances.
  • the procedure below is made for ordering a movie from the Service Provider, as an example also demonstrating validating being an eligible purchaser.
  • the Primary User e.g. the head of a family
  • the control unit (20) would enable the Service Provider to offer such a service by the server automatically checking the privileges of the user ordering a service, still being sure that the biometrics authentication of the purchaser by the control unit (20) can accommodate this.
  • a finger on the sensor will trigger the IC (1) to wake up from sleep mode, defaulting into navigation mode.
  • the user will then move the cursor in the menu, by moving his finger on the sensor (5), until the cursor is placed over the ticking box "Order Film".
  • the user then double taps his finger on the sensor (5) confirming his choice. This presumably brings up a list of film categories.
  • the user then moves the cursor, by his finger moving over the sensor (5) till the ticking box for the wanted category and double-taps his finger on the sensor (5) to make the selection.
  • the user again moves the cursor, by his finger on the sensor, till the wanted title and then makes the selection by double-tapping his finger on the sensor (5).
  • the choice made is for an X-rated movie.
  • the selected film request is then transmitted via the terminal (31) to the server (30) that looks up the title in its database and establishes that this movie choice requires "adult" privileges of the user.
  • the server (30) then returns an authentication request to the terminal (31) relaying this request on to the control unit (20) via two-way wireless transceivers (27).
  • the control unit (20) responds by going into authentication mode, supported by a visual feedback by a message on the menu (33) .
  • the sensor output is captured by the image capture and preprocessing block (5C) of the IC (1) and the fingerprint is processed, as previously described, and comparing this with the resident master minutia in non-volatile memories (7, 7A or 7E) .
  • control unit could establish that the owner of the fingerprint matched versus an entity with privileges "minor" is not authorized for such a purchase, and thereby abort the ordering sequence then and there,
  • $M_{\text{enrol}}\,[\,IP_{\text{addr}},\ \text{Unit ID},\ \text{key}_{\text{no}},\ E_{\text{key}}(\text{user ID},\ \text{seed}_{\text{no}},\ \text{privilege})\,]$
  • the server (30) will decrypt this message, as previously described, extract the privilege and then abort the ordering sequence.
  • The advantages of the control unit (20) and corresponding method of using the control unit (20) according to the invention are primarily:
  • the control unit (20) can be made very simple without numerous function buttons, as shown in Figures 5A and 5B, where a typical prior-art remote control unit (28) and a control unit (20) according to the present invention are shown side by side. Hence, the costs of a remote control unit can be squeezed with a control unit according to the present invention.
  • control units (20) can be significantly larger than prior-art remote controls, thereby squeezing manufacturing costs of the remote controls even further.
  • the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
  • the authentication device and the control unit will be combined into a single unit (20) that is far cheaper than current remote controls alone.
  • the remote control (20) can be made very simple without numerous function buttons as shown in Figure 5, where a typical prior art remote control unit (28) and a remote control unit according to the present invention are shown side by side. Hence, the costs of the remote control unit can be squeezed with a remote control unit according to the present invention.
  • the functionality is stored in software to be displayed on the monitor (32) this is very flexible, and can be accommodated to a large variety of makes of terminals (30) and there is no need to tailor the remote control to the terminal (31). Accordingly the volumes of the remote control can be significantly larger than the current editions, thereby squeezing manufacturing costs of the remote controls even further.
  • the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
  • the authentication device and the remote control device will be combined into a single unit (20) that is far cheaper than current remote controls alone.
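
The server-side handling described above (try each seed registered for the unit until the message decrypts, compare privileges, then advance the key number), as an added Python example that is not code from the patent. HMAC-SHA256 stands in for both the unspecified SKG and the DES/TDES encryption block, and the authentication tag is an assumption that gives an "unsuccessful" decryption a precise meaning; all function names, unit IDs and seed values are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed privilege ordering for the example ("equal to, or higher than").
RANK = {"minor": 0, "adult": 1}


def skg(seed: bytes, key_no: int) -> bytes:
    """Stand-in Secure Key Generation: derive the session key from seed + key number."""
    return hmac.new(seed, b"skg" + key_no.to_bytes(8, "big"), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for DES/TDES)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes, header: bytes) -> bytes:
    """Encrypt, then MAC the clear header, nonce and ciphertext together."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + header + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes, header: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + header + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def header_bytes(unit_id: str, key_no: int) -> bytes:
    """Canonical encoding of the non-encrypted part, so it is covered by the tag."""
    return json.dumps({"unit_id": unit_id, "key_no": key_no}, sort_keys=True).encode()


def build_message(unit_id, key_no, seed, seed_no, user_id, privilege):
    """Control-unit side: [Unit ID, key no, E_key(user ID, seed no, privilege)]."""
    payload = json.dumps({"user_id": user_id, "seed_no": seed_no, "privilege": privilege}).encode()
    sealed = seal(skg(seed, key_no), payload, header_bytes(unit_id, key_no))
    return {"unit_id": unit_id, "key_no": key_no, "sealed": sealed}


class Server:
    def __init__(self):
        self.units = {}  # unit_id -> {"key_no": int, "users": {seed_no: record}}

    def enrol(self, unit_id, seed_no, seed, user_id, privilege):
        unit = self.units.setdefault(unit_id, {"key_no": 0, "users": {}})
        unit["users"][seed_no] = {"seed": seed, "user_id": user_id, "privilege": privilege}

    def handle_order(self, msg, required):
        unit = self.units.get(msg["unit_id"])
        # Assumption: a key number out of sync with the server's (e.g. a replay) is rejected.
        if unit is None or msg["key_no"] != unit["key_no"]:
            return "rejected"
        header = header_bytes(msg["unit_id"], msg["key_no"])
        for seed_no in sorted(unit["users"]):  # Seed Number 1, then 2, and so on
            user = unit["users"][seed_no]
            plain = unseal(skg(user["seed"], unit["key_no"]), msg["sealed"], header)
            if plain is None:
                continue  # wrong seed: the tag failed, try the next one
            claim = json.loads(plain)
            unit["key_no"] += 1  # the control unit increments on the acknowledgement
            if claim["seed_no"] != seed_no or claim["user_id"] != user["user_id"]:
                return "rejected"
            # Decide on the privilege enrolled on the server, not the one claimed.
            if RANK[user["privilege"]] >= RANK[required]:
                return "endorsed"
            return "unauthorized"
        return "rejected"


def demo():
    """Constructed data: one unit with an adult (seed 1) and a minor (seed 2)."""
    seeds = {1: b"constructed-seed-one", 2: b"constructed-seed-two"}
    srv = Server()
    srv.enrol("UNIT-0001", 1, seeds[1], "parent", "adult")
    srv.enrol("UNIT-0001", 2, seeds[2], "child", "minor")
    results = {}
    m1 = build_message("UNIT-0001", 0, seeds[1], 1, "parent", "adult")
    results["adult"] = srv.handle_order(m1, "adult")
    results["replay"] = srv.handle_order(m1, "adult")  # same message, stale key number
    m2 = build_message("UNIT-0001", 1, seeds[2], 2, "child", "adult")  # claimed privilege ignored
    results["minor"] = srv.handle_order(m2, "adult")
    return results
```

With plain DES/TDES and no integrity check, every seed yields some plaintext, so the server would need another way to recognise the right one; the tag in this example plays that role.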

Abstract

A combined authentication and remote control device for the control of a remote system is provided. The device comprises a user input module, a processing unit and an interface module for communicating with the remote system. The device also comprises an integrated circuit - IC (1) for providing increased security in the bridging of fingerprint input from a user and secured communication with the remote device and the network it is connected to. The IC (1) is adapted to apply encryption/scrambling information to the fingerprint data for producing secured data as an output. A method of remotely controlling a device, apparatus or system using the combined authentication and remote control device according to the invention is also disclosed. In one version the combined authentication and remote control device is realized as a set-top box (31) for authentication of authorized users to get access to a service made available for distribution in a network (N) from a remote server (30). A corresponding method of obtaining access to a service on a remote server (30) through a set-top box (31) is provided.

Description

COMBINED AUTHENTICATION AND CONTROL UNIT.
This invention is related to a remote control unit for operating an apparatus or system. The invention is also related to a combined authentication and remote control unit for the control of a remote system in which secure authentication of the user is required.
The invention is also related to a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device.
Further the invention is related to a device and a method for authentication of authorized users to access a service available via a network from a remote server and a corresponding method of obtaining access to a service which is available via a network from a remote server using a set-top box.
An increasing number of service providers are distributing their services via a network operated by cable companies or satellite distributors. A typical example is film distribution ("Pay per view") via cable networks. The services (e.g. movies) are distributed from one or more server(s) connected to terminals (e.g. "Set Top Boxes"), where the contents (e.g. a movie) is displayed on a monitor (e.g. a television set).
The Users may operate their terminal (e.g. the "Set Top Box") with a remote control while the monitor (e.g. the television set) may be operated by a similar, yet separate remote control. When the User orders a service (e.g. a movie) from the Service Provider, this is registered on the server, which distributes the service (e.g. the movie) to the User via the network. A log of the transaction is stored on the server, as basis for subsequent billing to the User, e.g. on a monthly basis.
Current solutions have some limitations in their operation that will be described below.
A first limitation of current solutions is related to the distribution chain and the system elements involved. The service provider does not know with sufficient surety who the recipient is, and can therefore not judge if the recipient is an eligible receiver of the service distributed. For example, if the service ordered by the consumer is an X-rated movie, the administrative software on the server should be capable of filtering the content provided, so that minors do not have access to X-rated movies. This can be resolved by password, or a PIN-code entered into the user terminal (e.g. the "Set Top Box"). However, passwords or PIN-codes are notoriously spread, intentionally or not, and therefore in most cases abused, sooner or later.
A second limitation of current systems is that the user terminal (the "Set Top Box") and the monitor (the television set) presently require separate remote control units. In addition other devices at the customer premises such as e.g. a DVD player, video player, etc. also require separate remote controls, or may be equipped with a universal remote control, if all devices are purchased as part of a consistent set. Alternatively the User may purchase a programmable remote control which can be adapted to all devices to be serviced. Such multi-purpose remote control may be cheaper than multiple different remote controls, and will be more convenient to use, as the simplification from many remote controls to a single unit simply reduces the number of portable devices flooding the home of the user. However, a single multi-purpose remote control is still a relatively expensive device, as any functionality that shall be handled by the remote control typically requires separate function buttons, representing a combination of mechanical and electronic components connected to the underlying printed circuit board.
Yet another limitation is presently that once the remote controls are manufactured and distributed, they can not be changed or modified, without excessive expenses. Added or modified functionality can therefore only be provided by issuing new remote controls.
Still another limitation of present systems is related to the fact that such mechanical / electronic remote controls based on dedicated functional buttons become unnecessarily expensive, due to limited competition and in particular because remote controls in most cases are tailored to the proprietary makes of devices they shall control. In addition, every new device introduced on the market is normally equipped with new versions of remote controls, so that the production volumes are significantly less than could be possible.
As a typical example reference is made to a known set-top box disclosed in US-patent no. 6,028,950 wherein a method of commerce through a set-top box is performed employing fingerprint data. Typical of this application is that the fingerprint reader apparatus transmits a fingerprint, possibly a processed fingerprint, to a base unit via a tether, thus creating a transmission line which may be intercepted.
It is a main objective of the present invention to provide an improved unit that features secure authentication of users by fingerprints, for access to certain services from a service provider's server, and a remote control device, that in combined form overcomes the above mentioned limitations of the previously known solutions.
It is also an objective of the present invention to provide a combinatory solution to remote control device technology which enables a secure and convenient authorization of the user, in particular for remote controls being used to order goods or services via a network, while at the same time providing a remote control that is generic, cheap to manufacture, and flexible in adapting to new functionality and thereby being capable of controlling a number of devices connected to a monitor (e.g. a television set).
In particular it is an objective of the invention to provide a remote control device that enables a secure and convenient authentication of a user, in order that a server may automatically effectuate an ordered service, e.g. to release any movie ordered ("pay per view").
It is a further objective of the invention to provide a remote control device that enables a blocking of a service (e.g. the distribution of a film) if the user is identified as non-authorized for the particular service ordered (e.g. a minor attempting to order an X-rated movie).
It is yet another objective of the present invention to provide a method of remotely controlling a device, apparatus, system or networked units using a combined authentication and remote control device.
The objectives set out above are achieved with a combined authentication and remote control device for the control of a remote system according to the invention comprising a user input module, a processing unit and an interface module for communicating with the remote system having the characterizing features as given in independent claim 1.
Preferable embodiments of the combined authentication and remote control device according to the invention are given in dependent claims 2-6.
The objectives of the present invention are also achieved by a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device according to claim 6 comprising the steps of independent claim 7.
The objectives of the invention are also achieved by a method of remotely controlling a device, apparatus or system using a device according to claim 1 and where the method comprises the steps of independent claim 8.
Preferable embodiments of the method of remotely controlling a device, apparatus or system using a device according to claim 1 are given in dependent claims 9-15.
The objectives of the invention are also achieved with a set-top box for authentication of authorized users to get access to a service made available for distribution in a network from a remote server having the characterizing features given in claim 16.
Finally, the objectives of the invention are also achieved with a method of obtaining access to a service on a remote server through a set-top box, where the set-top box includes a fingerprint sensor for obtaining the fingerprint of a user, and in which the steps given in claim 17 are performed within a single integrated circuit in the set-top box.
The invention will now be explained in more detail with reference to the accompanying figures, where:
Fig. 1 Illustrates an example of a typical television distribution system.
Fig. 2 Shows an example of a combined control unit according to the invention.
Fig. 3A Outlines the new control unit according to the invention for combining user authentication and an improved remote control.
Fig. 3B Shows a control unit according to the invention, held by a human hand.
Fig. 4A Shows a first preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
Fig. 4B Shows a second even more preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
Fig. 5A-B Illustrates a control unit according to the present invention (Figure 5B) in contrast to a typical remote control device accompanying available products (Figure 5A).
Fig. 5C Illustrates a control unit according to the present invention, with an integrated display.
Figure 1 shows a network (N), through which services are distributed from a server (30) to a terminal (31) in the homes of the Users (34), displaying the contents on the display (33) of a television set (32). The distribution network (N) may either be wireless (by satellites) or by landlines (cable companies). Figure 2 displays how the terminal (31) is operated and authenticated by the new control unit (20) by giving the User feedback via the monitor (32). Figure 3 outlines the new control unit (20) combining user authentication and an improved remote control device itself, by means of an IC (1) facilitating user authentication and remote control of any device coupled to a monitor or display. Figure 4A shows one version of such an IC (1) while Figure 4B shows another version of the IC (1). Figure 5A illustrates a typical remote control unit according to prior-art technology, with a typically extensive number of function buttons. In contrast, Figure 5B shows a control unit according to the present invention. Figure 5C illustrates a remote control according to the present invention, in an alternative embodiment with an embedded display, enabling the user to also control apparatuses, devices or systems not incorporating a monitor.
The combined authentication and remote control device according to the invention comprises, as illustrated by the three projections in Figure 3A, an external housing (20) which contains a fingerprint sensor (5) coupled to a miniature printed circuit board PCB (21) on which is mounted the IC (1). The control unit (20) further comprises a battery (25) for power supply retained in the housing (20) by a removable lid (26). The battery (25) is connected to the PCB (21) by wires. The control unit is also equipped with a wireless 2-way transceiver (27), a Power On/Off button (24), and all the active components are connected to the IC (1) by cables (23) via the PCB (21). Figure 3B illustrates this unit (29) held by a human hand.
A biometrics sensor in the form of a fingerprint sensor (5) is coupled with a biometrics processor in the form of an integrated circuit - IC (1) that is the core device of the invention. In the context of this description the term fingerprint refers to the ridge and groove patterns on any of the digits of either hand. Two versions of the IC are shown in Figures 4A and 4B. The details of the ICs will now be explained.
The sensor (5) is connected to a fingerprint sensor image capture and pre-processing block (5C) via a first interface block (5A) as well as a wake-up circuit (5B), the function of the latter being to power up all other blocks of the IC (1). When a finger is detected on the sensor (5) surface, the output signals from the sensor (5) will rise beyond a preset threshold, triggering the wake-up circuit (5B) to power up the rest of the IC (1) in a pre-set sequence. The first blocks to be powered up are the image capture and pre-processing block (5C) as well as the high-speed bus (3) and the volatile memory (6 or 6C), all of which are connected to the high-speed bus (3). The image capture and pre-processing block (5C) is designed to perform the initial, heavy-duty processing of the captured raw images from the sensor (5). The intermediate results are stored in the volatile memory (6A or 6C) that is interfaced via the high-speed bus (3) to a first memory interface block (6B or 6D). The volatile memory (6A or 6C) thus provides working memory that is also available to the other modules on the IC (1).
Meanwhile the remaining blocks of the IC (1) are powered up in a pre-set sequence, starting with the central processor (2) being a powerful processor, such as ARM 9, or equivalent. The processor unit (2) is also connected to the high-speed bus (3) for communication with the other on-chip components or modules. The image capture and pre-processing block (5C) crunches the captured raw images to an intermediate stage of significantly compressed information, i.e. a dataset of reduced size, denoted intermediate fingerprint data. The intermediate data are fed to the central processor (2) for final reduction of the captured fingerprint image to compact fingerprint representations, called minutiae. Such minutiae are distinct points where fingerprint lines (ridges) start or stop, or locations of bifurcation of the ridges, and may be described by at least a vector comprising X and Y coordinates and direction of the individual minutiae, stored as an alphanumeric string in non-volatile memory (7, 7A or 7E). The non-volatile memory (7, 7A or 7E), coupled to the high-speed bus (3) via a second memory interface block (7B or 7D), is typically used for storing program code (e.g. administrative software), tailored security output responses and fingerprint representations in the form of minutiae.
These fingerprint minutiae from the access attempt are compared by the central processor (2) with master fingerprint minutiae stored in non-volatile memory (7, 7A or 7E). These master fingerprint minutiae will typically be fingerprint minutiae of the persons authorized to use the device. In dependence of the said comparison an encryption of a secure output signal is performed in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C). The encryption modules are also connected to the high-speed bus (3). The retrieved encryption information is applied to the fingerprint data using the processing unit (2), thereby producing secured data that are suitable as an output to the high-speed bus (3). Alternatively, the encryption and scrambling process can be performed in an encryption/scrambling hardware module arranged separately from the main processor (2).
If a positive match is established, the chip may proceed with generating a secure key (SKG), either processed by a special algorithm on the central processor (2) based on a seed pre-stored in the non-volatile memory (7, 7A or 7E), or alternatively embedded in hardware block (8A). If the same SKG algorithm is run on two separate computers [e.g. a server (30) and the central processor (2) on the IC (1)] it will yield the same key, or password, when the identical algorithm on both of the two separate computers is fed with an identical seed. While the algorithms normally are assumed known, and will be the same for all computers in a network (N), or for a user sub-set, the seed is individual and secret and only known by the system administrator and the user. The SKG algorithm may be constructed to produce a pseudo-random and identical key on both computers (2 and 30) that is either valid for a time frame, or alternatively changed for each and every transaction. This requires that the present key number and the past key number are stored in the non-volatile memory (7, 7A or 7E). Secret information such as seed, key numbers, IP address, etc. may either be scrambled by block (8) and stored on an external regular Flash memory (7), or securely stored in SmartCard environments (7A or 7C).
When a key is generated, as per above, the administrative software, stored in the non-volatile memory (7, 7A or 7E) and run on the central processor (2), may then combine information to form the basis of a secure communication between the IC (1) and the network server (30). The information to be encrypted may comprise a User identification code (ID), password and other info.
Encryption is performed in hardware blocks (8 or 8B or 8C). The rules of secure communication enforced on the prevailing network (N) are embedded in the administrative software executed on the central processor (2), and may be adapted to include PKI and hand-shake sequences. The encryption blocks (8, 8B or 8C) may also be used to encrypt general information transactions between the IC (1) and the network server (30), if desirable. Access to such extended encryption will be given to the user pending a positive match of his fingerprint with an authorized fingerprint representation by compact master minutiae tables, pre-stored in the non-volatile memory (7, 7A or 7E).
The IC (1) also comprises hardware and/or software required to supply output signals to a number of second interface blocks (9A, 9B, 9C or 9D) for transferring data to other devices and networks (N) external to the IC (1). In the present invention the IC (1) is adapted to provide data to the external access-limited apparatus, device or system. This second interface block may comprise hardware and software for supporting a USB (9A), Ethernet (9B), GPIO (9C), PCMCIA/UART (9D) and/or SmartCard (7C) interface. Except for the USB and the Ethernet interfaces, the second interface blocks are serviced by a bus (4) with lower bandwidth and capacity than the high-speed bus (3). The two buses (3 and 4) are connected by a bus bridge (11C). The hardware blocks that are not dependent on high-speed transmissions are connected to the slower bus (4). The hardware blocks of the IC (1) are designed to perform their respective tasks in a minimum of time, and to interact with each other with a minimum of delays and queuing. In addition to the hardware blocks, the central processor (2) executing the administrative software renders a high degree of flexibility in adapting the programming to external devices and networks (N).
The main difference between the IC (1) of Figure 4A and 4B is that the version in Figure 4B has volatile memory (6C) and non-volatile memory (7A) embedded as integral parts of the IC (1), thus reducing the demand for data exchange with external memory and thus further enhancing the security and speed of operation of the device by containing almost all data processing of the fingerprints internally within the IC (1).
Thereby the IC (1) is designed as a multi-purpose tool that can service a fingerprint sensor (5) in a stand-alone mode, but it can also communicate with external devices and networks (30) by bridging the biometrics from the sensor (5) to a non-biometrics representation according to the secure communication settings on servers (30) in a network (N). The IC (1) transforms the fingerprint into a password or PKI, etc., under the prevailing secure communication rules implemented on the server (30).
The utilization of the IC (1) for authentication of an authorized user to get access to a service distributed in a network (N) from a server (30) will first be explained for the arrangement wherein the authentication and remote control is performed in a device according to the invention including an IC (1) as described above being mounted in the terminal (31), e.g. the Set-Top-Box. In the context of this description, the term set-top box refers to any receiving device coupled to at least one local television set for receiving programming from a remote server or from a distribution network or system, controlling the television set, and possibly to descramble or decrypt received programming and to scramble or encrypt return signals, as exemplified in US-patent 6,028,950.
The user contacts the service provider for subscribing to selected services.
The service provider will furnish a suitable terminal (31) (e.g. "Set Top Box") to the user, who hooks it up to his monitor (32) (television set).
The service provider also gives the user a unique seed, which may be pre-loaded in the terminal (31). This seed is then stored in the server (30) of the network (N), along with the user ID of the User. A number of available seeds may be pre-stored in the terminal (31) to facilitate a limited number of users using the same terminal (31).
When the user receives the terminal (31) from the service provider, the administrator of the user group to access the terminal (1) (the primary user, e.g. the head of a family) will enroll himself by entering his user name and his fingerprint(s). The fingerprint image from the sensor (5) will be captured by the IC (1) and reduced to compacted minutia, for storage in the non-volatile memory (7, 7A or 7E). A user identification code (ID) or user classification code will be allocated to each stored fingerprint representation.
The administrator will be given maximum user privileges, e.g. defined as "adult" in the context of "view on demand" movies. The User Name, together with the Seed Number (e.g. 1 out of ten) and the assigned Access Privilege (e.g. "adult"), will be encrypted in block (8, 8B or 8C) on the basis of a secure key (SKG) generated by the central processor (2) or block (8A) and transmitted via the network (N) to the server (30) of the service provider.
The encrypted message will be decrypted on the server (30) by the same encryption algorithm and for Seed Number 1 of the terminal (31), identified by the Terminal Number, or the IP Address of the terminal (31). The decrypted user information will be stored on the server (30) along with the Terminal Number (or IP Address) and the User Id. The administrator of the terminal (31) may now enroll the rest of the user group (e.g. a family) to access the same terminal (31).
When a new user is enrolled, the administrator will countersign with his own fingerprint on the sensor (5). If that fingerprint is authenticated against the pre-stored master minutia representation of the administrator, he will then assign a user name and an access privilege (e.g. "minor") to the new user. This information will be encrypted and transmitted to the server (30), where it will be decrypted by Seed Number 1 of the terminal (30), and this information (User Name, Access Privilege, etc.) will be stored on the server (30) as a subset to the administrator of that terminal number. Such enrolment by the administrator of new users on the terminal (31) may be done immediately after the administrator has been enrolled or gradually over time. The administrator may also authorize users for a limited time period.
When an enrolled user (33) is accessing the terminal (31) in order to access a service via the network (N) from a remote server (30) for ordering a service assigned with restricted access (e.g. an X-rated movie), the user will be prompted to identify himself/herself by a fingerprint on the sensor (5).
Thereafter the following steps will typically be performed in the IC (1):
The access fingerprint image from the sensor (5) will be captured by the IC (1) via a first interface block (5A).
The obtained fingerprint images will be pre-processed in the sensor image capture and pre-processing block (5C).
The pre-processed data will be transferred via the high-speed bus (3) to the processor unit (2) for extracting features of the fingerprint, thus reducing it to a compact minutiae fingerprint representation.
The processor unit (2) retrieves fingerprint information from a storage module holding the pre-stored fingerprint minutia.
Then the compact access minutiae of the extracted features representing the captured and pre-processed fingerprint images are compared with the pre-stored master minutia tables residing in the non-volatile memory (7, 7A or 7E). In the case of a non-match the process will be aborted by the IC (1), whereas in the case of a positive match the IC (1) will allow the user to proceed with his ordering, encrypting the User ID, the password (generated from Seed number n) and the purchase description (e.g. movie title), and transmitting them to the server.
Depending on the result of the said comparison, an encrypted, secure output signal is compiled in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) and applying this encryption information to fingerprint data, for producing secured communication data as an output to the high-speed bus (3).
The said secure output is provided to the remote server (30) using at least one of the second interface blocks (9A, 9B or 9C) for supplying the secured data to the remote server (30).
In response to the supplied secured data, the server will, on the basis of the Terminal Number (or the IP Address), try to decrypt the message starting with Seed Number 1 registered on that terminal. If unsuccessful it will try to decrypt the message by Seed Number 2 registered on that terminal and so on, until the proper seed of the particular user of that terminal is found. The number of seeds per terminal will in practice be limited to e.g. 50 users (seeds) per terminal. When the message has been decrypted and the password retrieved, as well as the user name, the server will look up the prevailing access privilege of the requested service (e.g. an X-rated movie) and compare this with the actual access privilege of the identified user. If the actual access privilege is equal to, or higher than, the prevailing access privilege, the server will endorse the transaction and proceed to download the requested service to the terminal (31).
If the identified user has insufficient access privileges to acquire the requested service, the server will categorize the user as unauthorized and will abort the operation.
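The server-side seed trial and privilege check described in the steps above, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified SKG algorithm and for the DES/TDES blocks; the authentication tag that lets the server recognise a successful decryption, the per-transaction key number handling, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import json

# Privilege ranking; the labels follow the page's examples ("minor", "adult").
PRIVILEGE_RANK = {"minor": 0, "adult": 1}
TAG_LEN = 32  # size of an HMAC-SHA256 tag


def skg(seed: bytes, key_number: int) -> bytes:
    """Secure key generation: the same seed and key number give the same key."""
    return hmac.new(seed, b"skg" + key_number.to_bytes(8, "big"), hashlib.sha256).digest()


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"enc" + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_order(seed: bytes, key_number: int, user_id: str, title: str) -> bytes:
    """Terminal side: called only after a positive local fingerprint match."""
    key = skg(seed, key_number)
    plaintext = json.dumps({"user_id": user_id, "title": title}).encode()
    ciphertext = _xor_stream(plaintext, key)
    tag = hmac.new(key, b"mac" + ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def open_order(key: bytes, message: bytes):
    """Return the order dict, or None when the key is wrong or the data altered."""
    tag, ciphertext = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(key, b"mac" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_xor_stream(ciphertext, key))


class Server:
    def __init__(self, catalogue):
        self.catalogue = catalogue  # title -> required access privilege
        self.terminals = {}         # terminal number -> seed records in seed order

    def register(self, terminal, seed, user_id, privilege):
        self.terminals.setdefault(terminal, []).append(
            {"seed": seed, "user_id": user_id, "privilege": privilege, "key_number": 0})

    def handle_order(self, terminal, message):
        # Try Seed Number 1, then 2, ... registered on this terminal.
        for record in self.terminals.get(terminal, []):
            order = open_order(skg(record["seed"], record["key_number"]), message)
            if order is None or order.get("user_id") != record["user_id"]:
                continue
            # The key changes for every transaction, so a replayed message fails.
            record["key_number"] += 1
            required = self.catalogue.get(order.get("title"))
            if required is None:
                return "unknown-service", record["user_id"]
            # The privilege comes from the server's own record, never from the message.
            if PRIVILEGE_RANK[record["privilege"]] >= PRIVILEGE_RANK[required]:
                return "endorsed", record["user_id"]
            return "unauthorized", record["user_id"]
        return "undecryptable", None


if __name__ == "__main__":
    # Constructed sample data: one terminal, two enrolled users.
    srv = Server({"constructed X-rated title": "adult"})
    srv.register("T-0001", b"constructed-seed-1", "parent", "adult")
    srv.register("T-0001", b"constructed-seed-2", "child", "minor")
    msg = seal_order(b"constructed-seed-2", 0, "child", "constructed X-rated title")
    print(srv.handle_order("T-0001", msg))
```

Without the tag, a trial decryption under the wrong seed would simply yield different bytes, and the server would have no reliable way to tell which seed was the proper one.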
The above method and apparatus will provide the following advantages:
The administrator (the primary user) will have full control of which user is authorized to order which services. No passwords or PIN-codes, which may be voluntarily passed on or involuntarily acquired by non-authorized users and thereby abused, are needed for the other users.
The service provider has the assurance that no services are distributed to the owner (administrator) of the terminal that the owner does not approve.
The users do not need to remember yet another password or PIN-code, but can conveniently use their fingerprint to access those parts of the system that they are authorized to access.
The service provider will benefit from biometrics verification of authorized users locally on their terminals (31), without having to choose a biometrics standard on his server, as the IC (1) bridges biometrics input centrally at the terminal (31) to a defined secure communication protocol in the network (N), that may comprise SKG / password, encryption, PKI and hand-shake sequences. This will be possible due to the architecture and methodology of the IC (1) containing the powerful central processor (2). Identity authentication will be executed in a fraction of the available time of the IC (1). The central processor (2) therefore offers significant free processing capacities that may be utilized for other purposes.
Accordingly there is an option of this invention to move the preceding user authentication from a fingerprint sensor (5) mounted on the terminal (31) (e.g. the Set Top Box) to a remote control device (20) serving as a combined remote control and authentication device (20) that is more cost-efficient than traditional remote controls with numerous buttons with mechanical / electronic components for each function, connected to a printed circuit board.
Figures 3A and 3B show another preferred embodiment according to the invention as a combined authentication and remote control device (20) being a separate control unit (20) comprising an outer housing that is designed to fit well into the hand (Figure 3B), whether the user is right- or left-handed. On top of the control unit (20) there is a fingerprint sensor (5) placed conveniently for ergonomic operation by e.g. the thumb. There is also a Power On / Off button (24) for power saving, if the user leaves the terminal (31) e.g. for vacation or otherwise for extended periods. Turning power on after a shutdown may require an authorized fingerprint to proceed for access to the system, and the network and its services.
The control unit (20) is powered by a battery (25) that may be of re-chargeable or disposable type. The battery is kept in position in the control unit (20) by a removable battery lid (26) for battery replacement. In front of the control unit (20) there is a two-way wireless transceiver (27) communicating with the terminal (32) or set-top box (31), which in turn are normally connected to the network (N), the server (30) and the monitor (32) (e.g. the television set). All active electronic components of the remote control (20) are connected to a miniature printed circuit board PCB (21) including the integrated circuit IC (1).
This embodiment of the invention requires the sensor (5) to be of a type that can serve the IC (1) in 3 modes:
- Sleep mode (for power saving). This is the default mode. The wake-up circuit (5B) of the IC (1) will activate (power up) the rest of the IC (1) when a finger is touching the fingerprint sensor (5), raising the output signal from the sensor (5) above a pre-set threshold of the wake-up circuit (5B).
- When the IC (1) is powered up from sleep mode, it will default to navigation mode. This means that any finger movements over the surface of the sensor (5) will be interpreted by the IC (1) according to a pre-stored set of navigation rules, termed finger command table, stored in non-volatile memory (7, 7A or 7E) of the IC (1). This finger command table is based on elements or combination of elements of finger movements over the surface of the sensor (5) or time-related touch / non-touch sequences of the finger on the sensor (5), such as e.g. a "tap" or a "double-tap".
- By request from the server (30), when ordering privileged services, or by the terminal (31) for powering up or configuration changes, or by the remote control (20) itself (power up, enrolling new users, etc.) the IC (1) of the remote control (20) is prompted to authentication mode, waiting for a fingerprint to be captured from the sensor (5).
The navigation mode on the control unit (20) will be conducted as follows:
The remote control menu (33) to be interacted with by means of the control unit (20) will reside as software on the terminal (31) rather than, as at present, being embedded as hardware buttons on current remote control(s) (refer Figure 5A). This menu (33) will be displayed on the monitor (32) (e.g. the television set).
The user will navigate the cursor within the displayed menu (33) by finger commands on the control unit (20).
Selection of a menu option can be performed by positioning the cursor over the desired choice or option on the display (33), and then "double tapping" with the finger on the sensor (5) to confirm the selection.
Another embodiment of the invention is shown in Figure 5C, where the combined control unit according to the invention is equipped with an integrated small display. Thereby the combined control unit according to the invention may also be used for controlling apparatuses, devices and systems not comprising a monitor (32), while still providing visual feedback to the user on his finger commands inputted to the control unit (20) by finger movements over the sensor (5). The method of operating such an embodiment of the invention is identical to the preceding descriptions, except that the menus are displayed locally on the control unit (20) itself.
Now the operation of a combined authentication and remote control device will be described step-by-step, exemplified by the preferred embodiment as illustrated in Figure 2. The steps to be described comprise:
1) Personalization, by the Service Provider.
2) Enrolment of Primary User.
3) Enrolment of other users.
4) Remote control of apparatuses and devices.
5) Ordering a Service.
These will be described in chronological order of typical appearances.
Personalization, by the Service Provider.
A user group (say a family) signs up a subscription with a Service Provider (e.g. a cable company or a satellite distributor).
The Service Provider compiles a kit for the subscriber (the family). This kit consists of a terminal (31) and a combined authentication and remote control unit (20), hereinafter referred to as the control unit (20). The terminal will be a standard product, except that it is equipped with a two-way transceiver (27), and can be boxed without any further personalization. The control unit (20), however, needs to be equipped with factory settings specified by the Service Provider. Such factory settings may typically comprise:
- From the factory, the control unit (20) has been loaded with software pertinent to the Service Provider. This pertains to any particular encryption algorithm if different from the resident DES/TDES algorithms embedded in hardware blocks (8, 8B or 8C) of the IC (1). In case the Service Provider prefers any other encryption algorithm, this will be downloaded in non-volatile memory (7, 7A or 7E) of the IC (1).
- Further the factory will download the specific communication set-up enforced by the Service Provider into non-volatile memory (7, 7A or 7E) of the IC (1).
- Finally the factory will download the version of the administrative software specified by the Service Provider into non-volatile memory (7, 7A or 7E) of the IC (1), including all subsets of the administrative software. One such subset in particular is the interface commands between the control unit (20) and the terminal (31).
When the control units (20) have been shipped from the factory to the Service Provider, it is time for the Service Provider to personalize the control unit (20) to the subscriber. Such personalization will be carried out by authorized personnel within the Service Provider's organization, by a special Personalization Program on their server (30). Preferably the Personalization Program can only be accessed through a validated fingerprint to authenticate the operator as an authorized operator. Preferably the Personalization Program should be linked to other parts of the Service Provider's database, such as e.g. billing routines, etc. When a subscriber has been entered into the database, and an authenticated Operator has entered the pertinent data into the Personalization Program, this can only be entered into the database by the Operator countersigning with his fingerprint, to conclude the personalization of the control unit (20). The steps of such personalization may typically comprise the following:
- The Operator enters the ID of the control unit (20) into the database, along with the particulars of the subscriber, such as name, billing address, and particulars of the terms for the subscription.
- The Operator prepares particulars of the subscriber to be downloaded into the secret parts of the non-volatile memory block (7A or 7E) or alternatively to be scrambled by block (8) for storage in non-volatile memory block (7). These particulars comprise:
  - A set of secret seeds (e.g. ten seeds) for Secure Key Generation (SKG) for DES/TDES, or other encryption.
  - Optionally electronic certificates for PKI and public/private key cryptographies.
  - IP address of the server partition, to be addressed by the control unit (20) via the terminal (31).
These data are downloaded onto the control unit (20) upon positive authentication of the Operator as an authorized operator of the Personalization Program. If not, the personalization routine will be aborted. At the same time as these particulars of the personalization are downloaded onto the control unit, either for scrambling by block (8) for storage on external flash (7) or for loading in secret parts of the SmartCard block (7A or 7E), these data are copied onto the database of the server (30) linked to the subscriber, including the unit ID of the control unit.
The control unit (20) will now be packaged along with the terminal (31) for shipping to the subscriber (user). When the subscriber receives the package he will connect the terminal (31) to his television set (32), and be ready to enroll as Primary User of the control unit (20).
Enrolment of Primary User:
The first person within the user group (e.g. a family) will by default be proposed as Primary User (or System Administrator) of the control unit (20), with full privileges. When the battery (25) is inserted in the control unit (20) and the Power On button (24) is pushed for the first time (after personalization), the control unit (20) will be prompted to enrolment mode, ready to enroll the Primary User through the following consecutive steps:
- The administrative software of the control unit will trigger the enrolment menu (33) to be displayed on the monitor (32) (e.g. the television screen) prompting the person to be enrolled to enter the following information: user name (name or acronym), age, user status (Primary User, or regular user) and privileges (administrator, adult, minor, etc.). Typically, a user identification code (ID) or a user classification code stored in this manner may later be used in an access discrimination operation, e.g. performed by the processor (2) in order to allow different access functionality to different users.
When this info is entered, the menu (33) displayed may prompt the Primary User to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5). The user is guided by the menu text to swipe one of his fingers over the sensor (5), and the result (the cleaned up image) is displayed adjacent to the model image. For each swipe of the finger over the sensor (5) the IC (1) will capture the image by the image capture and pre-processing block (5C) which will perform the initial processing cleaning up the image ("cleaned-up image") and temporarily storing this cleaned-up image in the working volatile memory (6A or 6C). The cleaned-up image is then transferred via the high-speed bus (3) to the central processor (2) that will reduce it to fingerprint minutia representation and calculate a quality score of the image. The cleaned-up image will then be displayed in the menu (33) along with a score and a verdict of whether it is of acceptable quality, or not. Note that the minutia fingerprint representations from the training session will not be permanently stored in the IC (1) but are simply intended to give feedback to the user. When the user thereby has swiped his finger over the sensor (5) a pre-set number of times (e.g. 3 consecutive times) with acceptable quality, the administrative software shifts the control unit (20) to Enroll Mode.
In Enroll Mode the user will be prompted by the menu (33) to swipe his finger over the sensor (5) for registration of master minutia fingerprint representations. This will be executed as per the preceding procedure, except that the extracted minutia table will be permanently stored in the non-volatile memory (7, 7A or 7E) of the IC (1). The administrative software may be pre-set to require e.g. 3 master minutia tables of acceptable quality of each finger.
When the Primary User's first fingerprint master minutia table(s) of acceptable quality thus has been permanently stored in the IC (1), the Primary User is questioned whether he will register more fingers. Note that the administrative software may be set up for up to ten different fingers, so the Primary User should consider how he should allocate these between himself and his family members.
When the primary user accordingly has enrolled the selected number of his fingers, he will enter a menu choice stating that he has completed the enrolment.
The administrative software of the IC (1) will now assign one of the pre-loaded seeds (from the personalization by the Service Provider) to this user. The seed will thereafter be accessed from the nonvolatile memory (7, 7A or 7E) . In case of seed storage on the external Flash (7) the seed will be unscrambled, while in case of seed storage on SmartCard blocks (7A or 7E) it will be extracted from the secret sections of the SmartCard block (7A or 7E) . Note that this seed will never leave the interior of the IC (1) during this process, and will be unobtainable externally to the IC (1) . The accessed seed will then be transferred via the high-speed bus (3) either to the central processor (2) (in case of Figure 4A) or to the Secure Key Generation (SKG) block (8A) (in case of Figure 4B) to produce a unique keyword.
This keyword will then be transferred by the administrative software via the high-speed bus (3) to the appropriate encryption block, according to the set-up in the administrative software subset on encryption; either to block (8, 8B or 8C) or alternatively the keyword is employed by an encryption algorithm (forming a subset of the administrative software) downloaded into the nonvolatile memory (7, 7A or 7E) during factory preparations of the control unit (20) according to specifications from the Service Provider. The following message is then encrypted by the targeted encryption method [hardware encryption block (8, 8B or 8C) or alternatively a specific encryption algorithm executed by the central processor (2)]: $E_{key}(\text{user ID}, \text{assigned seed number}, \text{privilege})$. This information is then blended with non-encrypted information Unit ID, present key number and the IP address of the server (30). The complete message will thereby comprise:
$M_{enrol} = [IP_{addr}, \text{Unit ID}, key_{no}, E_{key}(\text{user ID}, seed_{no}, \text{privilege})]$
When the Primary User thus has enrolled himself, he will be prompted by the displayed menu (33) to tick either "Continue" or "Change?". Assuming that the Primary User has correctly filled in the menu (33) and is satisfied that the input he has given is correct (no typos, etc.) he will tick off "Continue" and countersign with his fingerprint on the sensor (5). The administrative software of the IC (1) will process this countersigning fingerprint, extract the fingerprint minutia representation and compare it with the preceding master minutia recently entered by the Primary User.
Depending on a positive match of the validation of his fingerprint countersignature, the administrative software of the IC (1) will transmit the encrypted message "M" via the two-way wireless transceivers (27) to the terminal (31) where it will be relayed to the server (30) by the IP address.
The server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
From the database entries of Unit ID the server (30) will retrieve $seed_i$ and key number and decrypt the encrypted parts of the message "M".
The server (30) will then amend the User ID, and assigned seed number ($seed_i$) as well as privileges (e.g. Primary User, adult) to the entities under Unit ID.
The server (30) will then increment its key number, and send an acknowledgement via the terminal (31) to the control unit (20), which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30).
This completes the enrolment of the Primary User. The Primary User now being registered as the administrator [of his particular control unit (20)] within the database entities under the Unit ID on the server (30) now has the privileges to enroll other users (e.g. his family).
Enrolment of User
The Primary User is now eligible to enroll other users. This will in general follow the same procedure as for enrolling the Primary User, with some minor deviations that will be outlined below:
- The Primary User will place his finger on the sensor (5) of the control unit (20). This will raise the output signal level from the sensor (5) to a level exceeding a pre-set threshold within the wake-up block (5B) of the IC (1), powering up the IC (1) in a pre-set sequence to default waken mode "navigation".
A main menu (33) will be displayed on the monitor (32) .
The Primary User will move his finger on the sensor (5) causing the cursor on the displayed menu (33) to follow his finger movements on the sensor (5) as explained below under "Controlling Devices". The Primary User will by his finger move the cursor to menu choice "Enroll" and then select this choice by double-tapping his finger on the sensor (5) .
In order to access the Enroll Menu the Primary User is prompted to authenticate himself, by verified fingerprint. He will swipe his finger over the sensor (5). The sensor output is directed to the IC (1) via the sensor interface block (5A) to the image capture and pre-processing block (5C). The access minutia table extracted by the central processor (2) from the temporary fingerprint representation output of block (5C) is then compared with the Primary User's master minutia table(s) securely stored in nonvolatile memory block (7, 7A or 7E). Provided the access minutia table is checked to match the master minutia table of the Primary User, the Enroll Menu is opened, and the IC (1) switches back to navigation mode. In case of no match, the enrolment process is aborted.
The Enroll menu starts with a registration window where the Primary User enters the following information about the new user: user name (name or acronym), age and privileges (adult or minor). Say that for the sake of demonstration this new user is entered with privilege "minor", meaning that the Primary User will exclude the new user from being able to order X-rated movies ("pay-per-view").
When this info is entered, the menu (33) displayed may prompt the new user to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5) . The user is guided by the menu text to swipe one of his fingers over the sensor (5) , and the result (the cleaned up image) is displayed adjacent to the model image. This training is managed by the administrative software of the IC (1) in accordance with the same procedure as explained under Enrolment of Primary User. When the user thereby has swiped his finger over the sensor (5) a pre-set number of times (e.g. 3 consecutive times) with acceptable quality, the administrative software shifts the control unit (20) to Enroll Mode.
The new user is enrolled by fingerprint registration, by exactly the same procedures as explained under Enrolment of Primary User.
When a sufficient number (say three) of fingerprint master minutia representations have been collected for the finger of the new user, another of the new user's fingers may be enrolled by the same procedure.
When the enrolment is completed, the Primary User will countersign by one of his enrolled fingers. If the administrative software, by means of the hardware blocks, of IC (1) confirms that the Primary User is authentic (by a match with one of the previously enrolled master fingerprint minutia tables of the Primary User), the enrolment is completed. In case of a non-match, the enrolment process is aborted at this stage.
The administrative software of the IC (1) then assigns the next vacant seed number(s) to the new user.
The control unit (20) then compiles a partly encrypted message, by the administrative software and hardware blocks of IC (1), comprising:
$M_{enrol} = [IP_{addr}, \text{Unit ID}, key_{no}, E_{key}(\text{user ID}, seed_{no}, \text{privilege})]$
The control unit (20) then transmits this message "M" by the two-way wireless transceivers (27) to the terminal (31) which relays the message to the server (30).
The server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
From the database entries of Unit ID the server (30) will retrieve $seed_n$ and key number and decrypt the encrypted parts of the message "M".
The server (30) will then amend the User ID, and assigned seed number ($seed_n$) as well as privileges (e.g. Regular User, minor) to the entities under Unit ID.
The server (30) will then increment its key number for this particular user, and send an acknowledgement via the terminal (31) to the control unit (20), which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30).
This completes the enrolment of a new user. Additional users may be enrolled by the Primary User at any time, but only by the Primary User.
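The enrolment exchange described under Enrolment of Primary User and Enrolment of User, as an added Python example that is not code from the patent: the unit compiles M_enrol, the server looks up the Unit ID, derives the key from the stored seed and key number, and both sides advance the key number on acknowledgement. The key derivation, the keystream cipher, the HMAC tag, the in-order seed assignment, the single per-unit key number, the status strings and the sample Unit ID and IP address are assumptions of this example; the page names DES/TDES and does not specify the SKG algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions of this example: the page names DES/TDES and leaves Secure Key
# Generation (SKG) unspecified. Here SKG is HMAC-SHA256 over the key number,
# the cipher is a SHA-256 counter keystream, and an HMAC tag (not in the page)
# binds the clear-text header to the encrypted part.

def skg(seed, key_no, label):
    """Derive a per-message key from a secret seed and the present key number."""
    return hmac.new(seed, label + key_no.to_bytes(4, "big"), hashlib.sha256).digest()

def xor_stream(key, data):
    """Encrypt or decrypt with a SHA-256 counter keystream (stand-in cipher)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_tag(seed, msg):
    """HMAC over the clear-text header (IP_addr, Unit ID, key_no) and ciphertext."""
    header = f'{msg["ip_addr"]}|{msg["unit_id"]}|{msg["key_no"]}'.encode()
    return hmac.new(skg(seed, msg["key_no"], b"mac"), header + msg["ciphertext"],
                    hashlib.sha256).digest()

class ControlUnit:
    def __init__(self, unit_id, server_ip, seeds):
        self.unit_id, self.server_ip, self.seeds = unit_id, server_ip, seeds
        self.key_no = 0      # present key number, kept in step with the server
        self.next_seed = 0   # next vacant seed number

    def build_enrol(self, user_id, privilege):
        """M_enrol = [IP_addr, Unit ID, key_no, E_key(user ID, seed_no, privilege)]."""
        seed = self.seeds[self.next_seed]
        body = json.dumps({"user_id": user_id, "seed_no": self.next_seed,
                           "privilege": privilege}).encode()
        msg = {"ip_addr": self.server_ip, "unit_id": self.unit_id, "key_no": self.key_no,
               "ciphertext": xor_stream(skg(seed, self.key_no, b"enc"), body)}
        msg["tag"] = make_tag(seed, msg)
        return msg

    def on_ack(self):
        """Acknowledgement received: consume the seed, increment the key number."""
        self.next_seed += 1
        self.key_no += 1

class Server:
    def __init__(self):
        self.units = {}   # Unit ID -> seeds, key number, enrolled users

    def personalize(self, unit_id, seeds):
        """Server-side copy of the data loaded into the unit at personalization."""
        self.units[unit_id] = {"seeds": list(seeds), "key_no": 0,
                               "next_seed": 0, "users": {}}

    def handle_enrol(self, msg):
        rec = self.units.get(msg["unit_id"])     # Unit ID comes from the clear part
        if rec is None:
            return "unknown-unit"
        if msg["key_no"] != rec["key_no"]:
            return "stale-key-number"            # repeated or out-of-step message
        if rec["next_seed"] >= len(rec["seeds"]):
            return "no-vacant-seed"
        seed = rec["seeds"][rec["next_seed"]]    # assumption: seeds assigned in order
        if not hmac.compare_digest(make_tag(seed, msg), msg["tag"]):
            return "bad-tag"
        body = json.loads(xor_stream(skg(seed, rec["key_no"], b"enc"), msg["ciphertext"]))
        if body["seed_no"] != rec["next_seed"]:
            return "seed-mismatch"
        rec["users"][body["user_id"]] = {"seed_no": body["seed_no"],
                                         "privilege": body["privilege"]}
        rec["next_seed"] += 1
        rec["key_no"] += 1                       # the unit does the same on "ack"
        return "ack"

def run_demo():
    seeds = [secrets.token_bytes(16) for _ in range(10)]   # constructed sample seeds
    server = Server()
    server.personalize("UNIT-0001", seeds)                 # hypothetical Unit ID
    unit = ControlUnit("UNIT-0001", "192.0.2.10", seeds)   # documentation-range address
    results = []
    first = unit.build_enrol("primary", "adult")
    results.append(server.handle_enrol(first))             # Primary User enrolled
    unit.on_ack()
    results.append(server.handle_enrol(first))             # same message sent again
    results.append(server.handle_enrol(dict(first, key_no=1)))  # clear header rewritten
    second = unit.build_enrol("child", "minor")
    results.append(server.handle_enrol(second))            # regular user enrolled
    unit.on_ack()
    return results, unit, server

if __name__ == "__main__":
    print(run_demo()[0])
```

Because Unit ID and key number travel in the clear, the server in this example only accepts a message whose key number equals its own and whose tag verifies under the key derived from that number, which is what makes the second and third submissions fail.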
Below will be described how apparatuses and devices may be controlled by the control unit (20) .
Controlling Devices
Another preferred embodiment of the method of remotely controlling a device, apparatus or system comprises using the invention to select menus to be displayed on a monitor, and perform navigation within such menus, and finally perform selections / commands within such menus.
When triggered by a finger on the sensor (5) the IC (1) of the control unit (20) will default to wake-up in Navigation Mode, in which moving a finger over the sensor (5) will be interpreted as navigation commands for a cursor. The remote control device may comprise a fingerprint sensor adapted to detect finger touches as well as lateral finger movements.
Such finger movements or touches on the sensor (5) involve performing the following steps in said Navigation Mode:
- The presence of a finger on the fingerprint sensor is detected (5, 5A-B), and the IC (1) powered up to Navigation Mode, by default.
- The consecutively captured fingerprint images are pre-processed (5C) in the image capture and pre-processing block to provide a number of compacted images.
- The incremental differences of the compacted image information from the pre-processing block (5C) are analyzed by the central processor (2) determining the direction of movement of the finger (A) and the associated speed of movement over the sensor (5), and whether the contact of the finger (A) on the surface of the sensor (5) is disrupted, and possibly for how long such disrupted contact lasts.
- In the central processor (2) the obtained information, e.g. finger speed and direction, contact or no-contact versus time, is compared with a pre-stored table of finger commands, such as for example defined by sequences and directions of finger movements over the sensor, stored in one of the non-volatile memory blocks (7, 7A or 7E). Sets of finger command structures may thereby be defined and detected, thus enabling a multi-function tool for fingerprint scanning, text/character input in multiple modes, and cursor control, all by finger commands on a single sensor or sensor device.
- Using the central processor (2), and depending on the results of said comparison, it is determined which finger command the analyzed finger movements represent.
- Thereafter the code for this particular finger command is transmitted from the central processor (2) via the high-speed bus (3) to a selected communication interface block (9A, 9B, 9C or 9D). Further the command code is transmitted from said interface block to the remotely controlled device, apparatus or system, preferably in wireless form (27).
- Such interpretation of finger movements into commands may for example offer means for the user to navigate in and control a menu being presented to the user on the monitor.
- Finally, in the remotely controlled device, apparatus or system the said command code is interpreted and provided to the operating system of the remotely controlled device, apparatus or system.
The secure communication between the control unit (20) and the network server (30), via the terminal (31), may comprise a variety of different transmissions. A unique User ID, e.g. in the form of a long alphanumeric string, by which the User (34) is identified in a data repository of the server (30) could be transmitted. Alternatively a unique password which is automatically triggered by a positive identity match in the IC (1) can be transmitted. In another alternative an alphanumeric code identifying the type of access or service requested may be transmitted. In yet another alternative all of the above said transmission items could be transmitted in a packaged format and encrypted using one of blocks (8, 8A, 8B or 8C).
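The comparison of incremental finger movements against a pre-stored finger command table, as described in the Navigation Mode steps above, shown as an added Python example that is not code from the patent. The table layout, the tolerance values, the sample format (dx, dy, contact, dt_ms) and the y-up axis convention are assumptions; the command names are the ones the page uses.

```python
import math

# Constructed finger command table: direction centres in degrees plus the
# acceptance tolerances for movements and for touch / no-touch sequences.
COMMAND_TABLE = {
    "directions": {"move right": 0.0, "move up": 90.0,
                   "move left": 180.0, "move down": 270.0},
    "angle_tolerance_deg": 30.0,   # accepted deviation from a direction centre
    "min_travel": 8.0,             # shorter movements are ignored
    "tap_max_ms": 150,             # longest contact still counted as a tap
    "tap_max_travel": 2.0,         # a tap must not slide further than this
    "double_tap_gap_ms": 300,      # longest lift between the two taps
}

def touch_runs(samples):
    """Group (dx, dy, contact, dt_ms) increments into touch / no-touch runs."""
    runs = []
    for dx, dy, contact, dt_ms in samples:
        if not runs or runs[-1]["contact"] != contact:
            runs.append({"contact": contact, "dx": 0.0, "dy": 0.0, "ms": 0})
        runs[-1]["dx"] += dx
        runs[-1]["dy"] += dy
        runs[-1]["ms"] += dt_ms
    return runs

def is_tap(run, table):
    """A tap is a short contact with almost no lateral movement."""
    return (run["contact"] and run["ms"] <= table["tap_max_ms"]
            and math.hypot(run["dx"], run["dy"]) <= table["tap_max_travel"])

def classify(samples, table=COMMAND_TABLE):
    """Return the finger command the samples represent, or None if none matches."""
    runs = touch_runs(samples)
    # Double tap: tap, brief loss of contact, tap.
    for first, gap, second in zip(runs, runs[1:], runs[2:]):
        if (is_tap(first, table) and not gap["contact"]
                and gap["ms"] <= table["double_tap_gap_ms"] and is_tap(second, table)):
            return "select"
    dx = sum(r["dx"] for r in runs if r["contact"])
    dy = sum(r["dy"] for r in runs if r["contact"])
    if math.hypot(dx, dy) < table["min_travel"]:
        return None
    angle = math.degrees(math.atan2(dy, dx)) % 360.0
    for name, centre in table["directions"].items():
        deviation = abs((angle - centre + 180.0) % 360.0 - 180.0)
        if deviation <= table["angle_tolerance_deg"]:
            return name
    return None   # e.g. a diagonal outside every tolerance band

if __name__ == "__main__":
    print(classify([(3, 0.5, True, 20)] * 4))
```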
The control unit (20) may accordingly be used as a multifunctional authentication and remote control unit. The latter application may apply to control appliances like DVD player(s), television set(s) and similar appliances. The procedure below is made for ordering a movie from the Service Provider, as an example also demonstrating validation of the user as an eligible purchaser.
Ordering Services
In this context the Primary User (e.g. the head of a family) may decide that his minor children shall not be able to order X-rated movies when they are home alone. If the family decides so, they would have filled in an option in their subscription contract. The control unit (20) according to the invention would enable the Service Provider to offer such a service by the server automatically checking the privileges of the user ordering a service, still being sure that the biometrics authentication of the purchaser by the control unit (20) can accommodate this.
The presumption is that the Service Provider offers such screening, and that the Primary User assigns the corresponding privileges when enrolling his family. This example demonstrates the versatility of the invention:
- When a user wishes to order a service from the Service Provider (say ordering a movie by "pay-per-view") he will pick up the control unit (20) and touch the fingerprint sensor (5).
A finger on the sensor will trigger the IC (1) to wake up from sleep mode, defaulting into navigation mode.
This will trigger a menu (33) to be displayed on the television set (32). The user will then move the cursor in the menu, by moving his finger on the sensor (5), until the cursor is placed over the ticking box "Order Film".
- The user then double taps his finger on the sensor (5) confirming his choice. This presumably brings up a list of film categories. The user then moves the cursor, by his finger moving over the sensor (5) till the ticking box for the wanted category and double-taps his finger on the sensor (5) to make the selection. This presumably brings up a list of movie titles within the selected category. The user again moves the cursor, by his finger on the sensor, till the wanted title and then makes the selection by double-tapping his finger on the sensor (5). For the sake of the example the choice made is for an X-rated movie. The selected film request is then transmitted via the terminal (31) to the server (30) that looks up the title in its database and establishes that this movie choice requires "adult" privileges of the user.
- The server (30) then returns an authentication request to the terminal (31) relaying this request on to the control unit (20) via two-way wireless transceivers (27).
The control unit (20) responds by going into authentication mode, supported by a visual feedback by a message on the menu (33).
The user swipes his finger over the sensor (5). The sensor output is captured by the image capture and preprocessing block (5C) of the IC (1) and the fingerprint is processed, as previously described, and compared with the resident master minutia in non-volatile memories (7, 7A or 7E).
The continuation may be handled in either of two alternative ways:
Either the control unit could establish that the owner of the fingerprint matched versus an entity with privileges "minor" is not authorized for such a purchase, and thereby abort the ordering sequence then and there,
Or, the IC (1) could generate a message back to the server (30) as previously described, comprising:
$M_{enrol} = [IP_{addr}, \text{Unit ID}, key_{no}, E_{key}(\text{user ID}, seed_{no}, \text{privilege})]$
The server (30) will decrypt this message, as previously described, extract the privilege and then abort the ordering sequence.
In any case this verification by fingerprint by the control unit (20) enables screening of the available contents from the Service Provider depending upon classification (privilege) of the user. The same approach may also be used on PCs with Internet access, to block access to non-wanted contents from Service Providers (such as pornography, etc.) by classification of the contents by the web portal operators.
The advantages of the control unit (20) and corresponding method of using the control unit (20) according to the invention are primarily;
- The control unit (20) can be made very simple without numerous function buttons, as shown in Figures 5A and 5B, where a typical prior-art remote control unit (28) and a control unit (20) according to the present invention are shown side by side. Hence, the costs of a remote control unit can be squeezed with a control unit according to the present invention.
- As the functionality is stored in software to be displayed on the monitor (32) this is very flexible, and can be accommodated to a large variety of makes of terminals (30) and there is no need to tailor a remote control to the terminal (31) . Accordingly the manufacturing volumes of control units (20) according to the invention can be significantly larger than prior-art remote controls, thereby squeezing manufacturing costs of the remote controls even further.
Due to this flexibility, the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
This may accelerate adaptation to user friendliness.
The authentication device and the control unit will be combined into a single unit (20) that is far cheaper than current remote controls alone.
The advantages of the remote control unit (20) and corresponding method of using the remote control unit (20) according to the invention are primarily;
The remote control (20) can be made very simple without numerous function buttons as shown in Figure 5, where a typical prior art remote control unit (28) and a remote control unit according to the present invention are shown side by side. Hence, the costs of the remote control unit can be squeezed with a remote control unit according to the present invention. As the functionality is stored in software to be displayed on the monitor (32) this is very flexible, and can be accommodated to a large variety of makes of terminals (30) and there is no need to tailor the remote control to the terminal (31). Accordingly the volumes of the remote control can be significantly larger than the current editions, thereby squeezing manufacturing costs of the remote controls even further.
Due to this flexibility, the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
This may accelerate adaptation to user friendliness.
The authentication device and the remote control device will be combined into a single unit (20) that is far cheaper than current remote controls alone.

Claims

1. A combined authentication and remote control device for the control of a remote system comprising a user input module, a processing unit and an interface module for communicating with the remote system, characterized by an integrated circuit (IC) (1) for providing increased security in the bridging of fingerprint input from a user and secured communication with the remote device and the network it is connected to, the said IC having at least the following parts:
- a processor unit (2) communicating with the other on-chip components via a high-speed bus (3),
- a first memory interface block (6B or 6D) being connected to the high-speed bus (3) for interfacing with volatile memory (6A or 6C), thus providing working memory available to other modules on the integrated circuit,
- a second memory interface block (7B) being connected to the high-speed bus (3) for interfacing with non-volatile memory (7A or 7 or 7E) for storing of program code, e.g. administrative software and tailored security output responses and fingerprint representations in the form of so-called minutia,
- a first interface block (5A) for being coupled to a fingerprint sensor (5),
- said first interface block (5A) is connected to a fingerprint sensor signal capturing and pre-processing block (5C),
- said sensor signal capturing and pre-processing block (5C) comprises a heavy-duty processing module for reducing the large volume of raw fingerprint images captured from the sensor (5) into a dataset of reduced volume, denoted intermediate fingerprint data, for submission as output to the central processor block (2) via the high-speed bus (3), for final processing in the central processor block (2) to a more compact form of representations of fingerprints, denoted fingerprint minutia,
- encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) for providing encryption information, or alternatively scrambling information,
- the processor unit (2) is adapted to apply the encryption information to the fingerprint data for producing secured data as an output to the high-speed bus (3),
- second interface blocks (9A, 9B or 9C) for supplying the secured data to the remote system and the network it is being connected to.
2. A combined authentication and remote control device according to claim 1, comprising also
- fingerprint information storage means for storing information related to the fingerprint characteristics of authorized users,
- fingerprint input means for entering the fingerprint characteristics of authorized users into non-volatile memory of the IC and
- fingerprint verification means for checking the authenticity of the user trying to access the remote system.
3. A combined authentication and remote control device according to claim 1, comprising
- access discrimination means for allowing different access functionality for separate users.
4. A combined authentication and remote control device according to claim 1, comprising
- navigational and control means whereby a user is able to give navigational input commands for navigating a menu being presented to the user.
5. A combined authentication and remote control device according to claim 1, comprising
- fingerprint scanner sensor with the ability to detect finger touches as well as lateral finger movements,
- storing means containing predetermined categories of finger movements and sequences thereof and sets of finger command structures, enabling a multi-function tool for fingerprint scanning, text/character input in multiple modes, and cursor control, all by finger commands on a single sensor.
6. A combined authentication and remote control device according to claim 1, with an embedded integrated circuit - IC - (1) comprising
- a non-volatile storage means (7, 7A or 7E) where finger movement features are stored in a finger command table,
- said finger command table to include acceptance tolerance criteria for how finger movements shall be interpreted, and tolerance settings on how to interpret sequences of touch/no-touch finger sequences on the sensor (5),
- an image capture and pre-processing block (5C) capable of continuously processing a stream of captured images from a fingerprint sensor (5) to a condensed form of incremental finger movements,
- a central processor (2) capable of interpreting the information stream of incremental finger movements from the image capture and pre-processing block (5C), and being capable of comparing such incremental finger movements with the finger command table stored in the non-volatile storage means (7, 7A or 7E),
- said central processor (2) being able to decide whether a current finger incremental movement signal received from the image capture and pre-processing block (5C) falls within the tolerance criteria of a particular finger command of the said fingerprint command table stored in the non-volatile storage means (7, 7A or 7E),
- said central processor (2) being able to output the identified finger command to a pre-set choice of interface blocks (9A, 9B, 9C or 9D), and said remote control device further comprises a two-way transceiver (27) for wireless transmission of the current finger command to interact via the menu (33) displayed on the monitor (32) (e.g. the television display).
7. Method of remotely controlling a device, apparatus or system using a combined authentication and remote control device according to claim 6 in which the following steps are performed:
- an integrated circuit - IC - (1) is by default wakened up by a finger (A) on a sensor (5) triggering an output signal that powers up the IC (1) in a pre-set sequence that by default sets the remote control device into a "navigation mode", unless an external command [e.g. from the server (30)] requests an "authentication mode",
- an image capture and pre-processing block (5C) captures a stream of images from the fingerprint sensor (5) via a first interface block (5A),
- the said image capture and pre-processing block (5C) condenses the stream of captured images to incremental finger movements, said incremental finger movements are transferred continuously from the image capture and pre-processing block (5C) via the high-speed bus (3) to the central processor (2), said central processor (2) compares a sequence of incremental finger movements received from the image capture and pre-processing block (5C) with at least one of pre-stored set(s) of finger command table(s) stored in (7, 7A or 7E),
- depending upon the result of the abovementioned comparison, a finger command may be transmitted via the high-speed bus (3) and alternatively also via the other bus (4) to a pre-set output interface block (9A, 9B, 9C or 9D), the output finger command being further transmitted wirelessly via the two-way transceiver (27) to a terminal (31),
- the terminal (31) interprets the received finger command to a cursor control signal ("move right", "move left", "move up", "move down", "select", and so on) to a menu (33) displayed on a monitor (32) (e.g. a television set) thus enabling a user (34) to interact with the cursor position within the displayed menu (33) and to decide on his next movement of his finger (A) on the sensor (5).
8. Method of remotely controlling a device, apparatus or system using a combined authentication and remote control device according to claim 1 in which the following steps are performed in the integrated circuit (1) :
- capturing (5C) an image in a fingerprint sensor (5) via a first interface block (5A) ,
- pre-processing (5C) the captured signal in the sensor image capture and pre-processing block (5C) ,
- transferring the pre-processed data to the processor unit (2) for extracting features of the fingerprint via a high-speed bus,
- retrieval by the processor unit (2) of fingerprint information from a storage module holding pre-stored fingerprint information,
- comparing in the processor unit (2) the extracted features representing the captured fingerprint with features of the pre-stored fingerprints of the authorized persons,
- in dependence of the said comparison encrypting a secure output signal in the processor unit (2) by retrieving encryption information, or alternatively scrambling information from the encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) and applying this encryption information to fingerprint data, for producing secured data as an output to the high-speed bus (3), and
- providing said secure output to the remotely controlled device.
9. Method according to claim 8 comprising performing initially the following steps,
- registering the fingerprints of an administrator and of one or more authorized users,
- processing and storing representations of said registered fingerprints in non-volatile memory (7, 7A or 7E), and
- allocating a user identification code (ID) or user classification code to each stored fingerprint representation.
10. Method according to claim 9, wherein in a default remote control mode the following steps are executed,
- detection of the presence of a finger over the fingerprint sensor,
- pre-processing a number of captured fingerprint images in the pre-processing unit (5C) to provide a number of compacted images,
- analyzing in the central processor (2) the incremental differences of the compacted image information from the pre-processing block (5C) determining the direction of the finger (A) movement and associated speed of movement over the sensor (5) and whether the contact of the finger (A) on the surface of the sensor (5) is disrupted, and for how long such disrupted contact lasts,
- comparing in the central processor (2) the obtained information, e.g. finger speed and direction, contact or no-contact versus time, with a pre-stored table of finger commands, such as for example defined by sequences and directions of finger movements over the sensor, stored in one of the non-volatile memory blocks (7, 7A or 7E),
- determining in the central processor (2), depending on the results of said comparison, which finger command the finger movements represent,
- transmitting from the central processor (2) the code for this particular finger command via the high-speed bus to a selected communication interface block (9A, 9B, 9C or 9D),
- transmitting the command code from said interface block to the remotely controlled device, apparatus or system, preferably in wireless form,
- in the remotely controlled device, apparatus or system interpreting said command code, and
- providing these command codes to the operating system of the remotely controlled device, apparatus or system.
11. Method according to any of the claims 8-9 wherein the remotely controlled device, apparatus or system is a terminal, preferably local, communicating with a remote host, server or service provider via a network (N) .
12. Method according to claim 11, comprising the following steps:
- interpreting in the terminal the command codes originating from the central processor,
- transmitting command codes to said remote host, server or service provider via said network (N) to request a service,
- said remote host, server or service provider responds by returning an authentication request to the terminal, said terminal subsequently setting the remote control device in authentication mode,
- in the remote device executing an authentication procedure to attempt to identify the user from detected fingerprints.
13. Method according to claim 12, wherein the authentication procedure comprises the following steps:
- capturing (5C) an image in the fingerprint sensor (5) via a first interface block (5A),
- pre-processing (5C) the captured fingerprint signal in the sensor image capture and pre-processing block (5C) containing hardware-embedded algorithms optimized for high-speed processing of the most laborious initial processing of the raw fingerprint image data,
- transferring the pre-processed data to the processor unit (2) for extracting compact minutia features of the fingerprint via a high-speed bus (3),
- retrieval by the processor unit (2) of compact fingerprint minutia information from a non-volatile storage module (7, 7A or 7E) holding pre-stored master fingerprint representations of authorized persons,
- comparing in the processor unit (2) the extracted features representing the captured fingerprint with features of the pre-stored master fingerprint representations,
- producing in dependence of a result from the said comparison, a pre-defined secure output to the network via the terminal through one pre-set choice of a multiple of communication interfaces (9A, 9B, 9C, 9D and 7C) in the remote control device,
- the server will receive the encrypted identity of the User and check with its data repository whether this User has the valid access privileges matching the requested access by the User,
- depending on the result of this authorization check, the server determines whether to open access as requested thereby allowing the delivery of a service, e.g. an X-rated movie from a service provider in a cable TV network, to the user.
14. Method according to claim 11 wherein the secure communication between the remote control device and the network server, via the terminal, comprises a combination of one or more of the following steps:
- transmission of a unique User ID, e.g. in the form of a long alphanumeric string, by which the User is identified in the data repository of the server,
- transmission of a unique password automatically triggered by a positive identity match in the IC (1),
- transmission of an alphanumeric code identifying the type of access or service requested,
- transmission of all above said items in a packaged and encrypted format by one of blocks (8, 8A, 8B or 8C).
15. Method according to claim 14 comprising the following steps:
- generating a password which is extensively longer than what will normally be remembered by most humans,
- changing passwords in the remote control device according to pre-stored algorithms, e.g. time-dependent or transaction count dependent.
16. Set-top box (31) for authentication of authorized users to get access to a service made available for distribution in a network (N) from a remote server (30) characterized by an integrated circuit (IC) (1) for providing increased security in the bridging of fingerprint input from a user and secured communication with the remote device and the network it is connected to, the said IC having at least the following parts:
- a processor unit (2) communicating with the other on-chip components via a high-speed bus (3),
- a first memory interface block (6B or 6D) being connected to the high-speed bus (3) for interfacing with volatile memory (6A or 6C), thus providing working memory available to other modules on the integrated circuit,
- a second memory interface block (7B) being connected to the high-speed bus (3) for interfacing with non-volatile memory (7A or 7 or 7E) for storing of program code, e.g. administrative software and tailored security output responses and fingerprint representations in the form of so-called minutia,
- a first interface block (5A) for being coupled to a fingerprint sensor (5),
- said first interface block (5A) is connected to a fingerprint sensor image capture and pre-processing block (5C),
- said sensor image capture and pre-processing block (5C) comprises a heavy-duty processing module for reducing the large volume of raw fingerprint images captured from the sensor (5) into a data set of reduced volume, denoted intermediate fingerprint data, for submission as output to the central processor block (2) via the high-speed bus (3), for final processing in the central processor block (2) to a more compact form of representations of fingerprints, denoted fingerprint minutia,
- encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) for providing encryption information, or alternatively scrambling information,
- the processor unit (2) is adapted to apply the encryption information to the fingerprint data for producing secured data as an output to the high-speed bus (3),
- second interface blocks (9A, 9B or 9C) for supplying the secured data to the remote system and the network it is being connected to.
17. Method of obtaining access to a service on a remote server (30) through a set-top box (31), where the set-top box includes a fingerprint sensor (5) for obtaining the fingerprint of a user, and in which the following steps are performed within a single integrated circuit (1) in the set-top box:
- capturing (5C) an image in the fingerprint sensor (5) via a first interface block (5A),
- pre-processing (5C) the captured signal in the sensor image capture and pre-processing block (5C),
- transferring the pre-processed data to the processor unit (2) for extracting features of the fingerprint via a high-speed bus,
- retrieval by the processor unit (2) of fingerprint information from a storage module holding pre-stored fingerprint information,
- comparing in the processor unit (2) the extracted features representing the captured fingerprint with features of the pre-stored fingerprints of the authorized persons,
- in dependence of the said comparison encrypting a secure output signal in the processor unit (2) by retrieving encryption information, or alternatively scrambling information from the encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3) and applying this encryption information to fingerprint data, for producing secured data as an output to the high-speed bus (3), and
- providing said secure output to the remote server (30) using at least one of the second interface blocks (9A, 9B or 9C) for supplying the secured data to the remote server (30).
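An added illustration, not part of the patent text, of the transaction-count-dependent password of claims 14 and 15 together with the server-side check of claim 13: the device releases a fresh long password only after a positive fingerprint match, and the server rejects replays while tolerating a few lost transmissions. The claims name no algorithm; HMAC-SHA256 over a counter, the look-ahead window and every class, field and user name below are assumptions, and the encryption of the package by blocks (8, 8A, 8B or 8C) is not modelled.

```python
import hashlib
import hmac
import struct

LOOKAHEAD = 5  # assumed: number of lost transmissions the server tolerates


def derive_password(secret: bytes, counter: int) -> str:
    """64 hex characters derived from the shared secret and transaction count."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).hexdigest()


class RemoteControl:
    """Device side: a password leaves the device only after a positive match."""

    def __init__(self, user_id: str, secret: bytes):
        self.user_id = user_id
        self._secret = secret
        self._counter = 0

    def request(self, service_code: str, fingerprint_matched: bool):
        if not fingerprint_matched:
            return None  # no identity match, nothing is transmitted
        self._counter += 1  # a new transaction gets a new password
        return {"user_id": self.user_id, "service": service_code,
                "password": derive_password(self._secret, self._counter)}


class Server:
    """Server side: per-user secret, last accepted counter, access privileges."""

    def __init__(self):
        self._users = {}

    def enroll(self, user_id: str, secret: bytes, services):
        self._users[user_id] = {"secret": secret, "counter": 0, "services": set(services)}

    def verify(self, msg) -> str:
        user = self._users.get(msg["user_id"])
        if user is None:
            return "unknown-user"
        start = user["counter"] + 1  # counters at or below the last one are dead
        for c in range(start, start + LOOKAHEAD):
            expected = derive_password(user["secret"], c)
            if hmac.compare_digest(expected, msg["password"]):
                user["counter"] = c  # resynchronise and burn all earlier passwords
                if msg["service"] in user["services"]:
                    return "granted"
                return "not-authorized"  # identity proven, privilege missing
        return "bad-password"  # wrong, replayed, or too far ahead of the server


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample secret, not from the patent
    server, remote = Server(), RemoteControl("user-0001", key)
    server.enroll("user-0001", key, {"MOVIE"})
    first = remote.request("MOVIE", fingerprint_matched=True)
    print(server.verify(first), server.verify(first))
```

The second `verify` call on the same message fails because the server's counter has already moved past it, which is the property a static password cannot give.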
PCT/NO2003/000422 2002-12-18 2003-12-17 Combined authentication and control unit WO2004055717A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003291780A AU2003291780A1 (en) 2002-12-18 2003-12-17 Combined authentication and control unit

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
NO20026098 2002-12-18
NO20026098A NO318169B1 (en) 2002-12-18 2002-12-18 Device for remote control and authentication

Publications (1)

Publication Number Publication Date
WO2004055717A1 true WO2004055717A1 (en) 2004-07-01

Family

ID=19914308

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/NO2003/000422 WO2004055717A1 (en) 2002-12-18 2003-12-17 Combined authentication and control unit

Country Status (3)

Country Link
AU (1) AU2003291780A1 (en)
NO (1) NO318169B1 (en)
WO (1) WO2004055717A1 (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5990803A (en) * 1996-09-30 1999-11-23 Samsung Electronics Co., Ltd. Multifunctional remote controller and control method for multiple appliances using the same
EP0871148A2 (en) * 1997-03-14 1998-10-14 GRUNDIG Aktiengesellschaft Authentication at multimedia terminals by electronic fingerprint
US6028950A (en) * 1999-02-10 2000-02-22 The National Registry, Inc. Fingerprint controlled set-top box
FR2804775A1 (en) * 2000-02-04 2001-08-10 Sagem Authorization and command module, e.g. for use as a television or video remote control, has a sensor for capturing the fingerprint and using it for access authorization and a touch pad type command element
WO2001091057A2 (en) * 2000-05-23 2001-11-29 Takeshi Harada Fingerprint activated remote input device for personal id recognition and access authentication
DE10117765A1 (en) * 2001-04-09 2002-10-10 Eberhard Floegel Television receiver remote-control incorporates fingerprint sensor for identifying user upon each operation of navigation button
EP1353291A2 (en) * 2002-04-10 2003-10-15 NEC Corporation Fingerprint authenticating system using a small fingerprint sensor

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006136644A1 (en) * 2005-06-23 2006-12-28 Nokia Corporation Method and program of controlling electronic device, electronic device and subscriber equipment
US9152840B2 (en) 2005-06-23 2015-10-06 Nokia Technologies Oy Method and program of controlling electronic device, electronic device and subscriber equipment
US8279049B2 (en) 2007-03-30 2012-10-02 Fm Marketing Gmbh Multimedia device and process for data transmission in a multimedia device
US9445146B2 (en) 2007-06-04 2016-09-13 Fm Marketing Gmbh Multimedia arrangement
WO2008148533A1 (en) * 2007-06-04 2008-12-11 Fm Marketing Gmbh Multimedia arrangement
EP2001223A1 (en) 2007-06-04 2008-12-10 fm marketing gmbh Multi-media configuration
EP2429183A1 (en) * 2010-09-08 2012-03-14 Nagravision S.A. Remote control with sensor
EP2568369A1 (en) 2011-09-08 2013-03-13 fm marketing gmbh Device for selecting multimedia information
US9600304B2 (en) 2014-01-23 2017-03-21 Apple Inc. Device configuration for multiple users using remote user biometrics
US9760383B2 (en) 2014-01-23 2017-09-12 Apple Inc. Device configuration with multiple profiles for a single user using remote user biometrics
US10431024B2 (en) 2014-01-23 2019-10-01 Apple Inc. Electronic device operation using remote user biometrics
US11210884B2 (en) 2014-01-23 2021-12-28 Apple Inc. Electronic device operation using remote user biometrics
WO2015142031A1 (en) * 2014-03-21 2015-09-24 Samsung Electronics Co., Ltd. User terminal apparatus, electronic apparatus, system, and control method thereof
US10721516B2 (en) 2014-03-21 2020-07-21 Samsung Electronics Co., Ltd. User terminal apparatus, electronic apparatus, system, and control method thereof
US11025980B2 (en) 2014-03-21 2021-06-01 Samsung Electronics Co., Ltd. User terminal apparatus, electronic apparatus, system, and control method thereof
US11706476B2 (en) 2014-03-21 2023-07-18 Samsung Electronics Co., Ltd. User terminal apparatus, electronic apparatus, system, and control method thereof

Also Published As

Publication number Publication date
AU2003291780A1 (en) 2004-07-09
NO20026098D0 (en) 2002-12-18
NO318169B1 (en) 2005-02-14

Similar Documents

Publication Publication Date Title
US8955085B2 (en) Device registration system, device registration server, device registration method, device registration program, storage medium, and terminal device
US8788813B2 (en) System and methods for assignation and use of media content subscription service privileges
US7188110B1 (en) Secure and convenient method and apparatus for storing and transmitting telephony-based data
US7787660B2 (en) Fingerprint detecting wireless device
US7478068B2 (en) System and method of selecting consumer profile and account information via biometric identifiers
US20030028883A1 (en) System and method for using user-specific information to configure and enable functions in remote control, broadcast and interactive systems
TW200412038A (en) A remote control with the fingerprint recognition capability
WO2003050719A1 (en) Consumer-centric context-aware switching model
WO2004055717A1 (en) Combined authentication and control unit
WO2001091057A2 (en) Fingerprint activated remote input device for personal id recognition and access authentication
JP3717313B2 (en) Input device, information device and information system
EP1759485A2 (en) A method and system for securing a device
JP2009043271A (en) Service providing system, terminal device, and program
WO2004055737A1 (en) Apparatus and method forming a bridge between biometrics and conventional means of secure communication
US20240160295A1 (en) Method for controlling an apparatus
GB2412211A (en) Device and user registration
AU2002320729B2 (en) A User Interface for Interaction with Smart Card Applications
GB2392540A (en) A secure distribution system for an electronic commerce system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP