COMBINED AUTHENTICATION AND CONTROL UNIT.
This invention is related to a remote control unit for operating an apparatus or system. The invention is also related to a combined authentication and remote control unit for the control of a remote system in which secure authentication of the user is required.
The invention is also related to a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device.
Further, the invention is related to a device and a method for authentication of authorized users to access a service available via a network from a remote server, and a corresponding method of obtaining access to a service which is available via a network from a remote server using a set-top box.
An increasing number of service providers are distributing their services via a network operated by cable companies or satellite distributors. A typical example is film distribution ("Pay per view") via cable networks. The services (e.g. movies) are distributed from one or more server(s) connected to terminals (e.g. "Set Top Boxes"), where the contents (e.g. a movie) are displayed on a monitor (e.g. a television set).
The Users may operate their terminal (e.g. the "Set Top Box") with a remote control while the monitor (e.g. the television set) may be operated by a similar, yet separate remote control. When the User orders a service (e.g. a movie) from the Service Provider, this is registered on the server, which distributes the service (e.g. the movie) to the User via the network. A log of the transaction is stored on the server, as basis for subsequent billing to the User, e.g. on a monthly basis.
Current solutions have some limitations in their operation that will be described below.
A first limitation of current solutions is related to the distribution chain and the system elements involved. The service provider does not know with sufficient certainty who the recipient is, and can therefore not judge whether the recipient is an eligible receiver of the service distributed. For example, if the service ordered by the consumer is an X-rated movie, the administrative software on the server should be capable of filtering the content provided, so that minors do not have access to X-rated movies. This can be resolved by a password or a PIN-code entered into the user terminal (e.g. the "Set Top Box"). However, passwords and PIN-codes are notoriously spread, intentionally or not, and are therefore in most cases abused sooner or later.

A second limitation of current systems is that the user terminal (the "Set Top Box") and the monitor (the television set) presently require separate remote control units. In addition, other devices at the customer premises, such as a DVD player, video player, etc., also require separate remote controls, or may be equipped with a universal remote control if all devices are purchased as part of a consistent set. Alternatively the User may purchase a programmable remote control which can be adapted to all devices to be serviced. Such a multi-purpose remote control may be cheaper than multiple different remote controls, and will be more convenient to use, as the reduction from many remote controls to a single unit simply reduces the number of portable devices flooding the home of the user. However, even a single multi-purpose remote control is still a relatively expensive device, as any functionality that is to be handled by the remote control typically requires separate function buttons, each representing a combination of mechanical and electronic components connected to the underlying printed circuit board.

Yet another limitation is that once the remote controls are manufactured and distributed, they cannot be changed or modified without excessive expense. Added or modified functionality can therefore only be provided by issuing new remote controls.

Still another limitation of present systems is related to the fact that such mechanical/electronic remote controls based on dedicated function buttons become unnecessarily expensive, due to limited competition and in particular because remote controls in most cases are tailored to the proprietary makes of the devices they are to control. In addition, every new device introduced on the market is normally equipped with a new version of remote control, so that production volumes are significantly smaller than they could be.

As a typical example, reference is made to a known set-top box disclosed in US-patent no. 6,028,950, wherein a method of commerce through a set-top box is performed employing fingerprint data. Typical of this application is that the fingerprint reader apparatus transmits a fingerprint, possibly a processed fingerprint, to a base unit via a tether, thus creating a transmission line which may be intercepted.
It is a main objective of the present invention to provide an improved unit that features:
- secure authentication of users, by fingerprints, for access to certain services from a service provider's server, and
- a remote control device,
which in combined form overcomes the above mentioned limitations of the previously known solutions.

It is also an objective of the present invention to provide a combinatory solution to remote control device technology which enables a secure and convenient authorization of the user, in particular for remote controls being used to order goods or services via a network, while at the same time providing a remote control that is generic, cheap to manufacture, and flexible in adapting to new functionality, and thereby capable of controlling a number of devices connected to a monitor (e.g. a television set).
In particular it is an objective of the invention to provide a remote control device that enables a secure and convenient authentication of a user, in order that a server may automatically effectuate an ordered service, e.g. to release any movie ordered ("pay per view").
It is a further objective of the invention to provide a remote control device that enables a blocking of a service (e.g. the distribution of a film) if the user is identified as non-authorized for the particular service ordered (e.g. a minor attempting to order an X-rated movie).
It is yet another objective of the present invention to provide a method of remotely controlling a device, apparatus, system or networked units using a combined authentication and remote control device. The objectives set out above are achieved with a combined authentication and remote control device for the control of a remote system according to the invention comprising a user input module, a processing unit and an interface module for communicating with the remote system having the characterizing features as given in independent claim 1.
Preferable embodiments of the combined authentication and remote control device according to the invention are given in dependent claims 2-6.
The objectives of the present invention are also achieved by a method of remotely controlling a device, apparatus or system using a combined authentication and remote control device according to claim 6 comprising the steps of independent claim 7.
The objectives of the invention are also achieved by a method of remotely controlling a device, apparatus or system using a device according to claim 1 and where the method comprises the steps of independent claim 8.
Preferable embodiments of the method of remotely controlling a device, apparatus or system using a device according to claim 1 are given in dependent claims 9-15.
The objectives of the invention are also achieved with a set-top box for authentication of authorized users to get access to a service made available for distribution in a network from a remote server having the characterizing features given in claim 16.
Finally, the objectives of the invention are also achieved with a method of obtaining access to a service on a remote server through a set-top box, where the set-top box includes a fingerprint sensor for obtaining the fingerprint of a user, and in which the steps given in claim 17 are performed within a single integrated circuit in the set-top box.
The invention will now be explained in more detail with reference to the accompanying figures, where:
Fig. 1 illustrates an example of a typical television distribution system.
Fig. 2 shows an example of a combined control unit according to the invention.
Fig. 3A outlines the new control unit according to the invention for combining user authentication and an improved remote control.
Fig. 3B shows a control unit according to the invention, held by a human hand.
Fig. 4A shows a first preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
Fig. 4B shows a second, even more preferable embodiment of an integrated circuit (IC) being the core part of the control unit according to the invention.
Fig. 5A-B illustrate a control unit according to the present invention (Figure 5B) in contrast to a typical remote control device accompanying available products (Figure 5A).
Fig. 5C illustrates a control unit according to the present invention, with an integrated display.
Figure 1 shows a network (N), through which services are distributed from a server (30) to terminals (31) in the homes of the Users (34), displaying the contents on the display (33) of a television set (32). The distribution network (N) may either be wireless (by satellites) or by landlines (cable companies). Figure 2 displays how the terminal (31) is operated and authenticated by the new control unit (20), giving the User feedback via the monitor (32). Figure 3 outlines the new control unit (20) combining user authentication and an improved remote control device, by means of an IC (1) facilitating user authentication and remote control of any device coupled to a monitor or display. Figure 4A shows one version of such an IC (1) while Figure 4B shows another version of the IC (1). Figure 5A illustrates a typical remote control unit according to prior-art technology, with a typically extensive number of function buttons. In contrast, Figure 5B shows a control unit according to the present invention. Figure 5C illustrates a remote control according to the present invention, in an alternative embodiment with an embedded display, enabling the user to also control apparatuses, devices or systems not incorporating a monitor.
The combined authentication and remote control device according to the invention comprises, as illustrated by the three projections in Figure 3A, an external housing (20) which contains a fingerprint sensor (5) coupled to a miniature printed circuit board PCB (21) on which the IC (1) is mounted. The control unit (20) further comprises a battery (25) for power supply, retained in the housing (20) by a removable lid (26). The battery (25) is connected to the PCB (21) by wires. The control unit is also equipped with a wireless 2-way transceiver (27) and a Power On/Off button (24), and all the active components are connected to the IC (1) by cables (23) via the PCB (21). Figure 3B illustrates this unit (29) held by a human hand.
A biometrics sensor in the form of a fingerprint sensor (5) is coupled with a biometrics processor in the form of an integrated circuit, IC (1), that is the core device of the invention. In the context of this description the term fingerprint refers to the ridge and groove patterns on any of the digits of either hand. Two versions of the IC are shown in Figures 4A and 4B. The details of the ICs will now be explained. The sensor (5) is connected to a fingerprint sensor image capture and pre-processing block (5C) via a first interface block (5A) as well as a wake-up circuit (5B), the function of the latter being to power up all other blocks of the IC (1). When a finger is detected on the sensor (5) surface, the output signals from the sensor (5) will rise above a preset threshold, triggering the wake-up circuit (5B) to power up the rest of the IC (1) in a pre-set sequence. The first blocks to be powered up are the image capture and pre-processing block (5C) as well as the high-speed bus (3) and the volatile memory (6 or 6C), all of which are connected to the high-speed bus (3). The image capture and pre-processing block (5C) is designed to perform the initial, heavy-duty processing of the captured raw images from the sensor (5). The intermediate results are stored in the volatile memory (6A or 6C) that is interfaced via the high-speed bus (3) to a first memory interface block (6B or 6D). The volatile memory (6A or 6C) thus provides working memory that is also available to the other modules on the IC (1).
Meanwhile the remaining blocks of the IC (1) are powered up in a pre-set sequence, starting with the central processor (2), being a powerful processor such as an ARM 9 or equivalent. The processor unit (2) is also connected to the high-speed bus (3) for communication with the other on-chip components or modules. The image capture and pre-processing block (5C) crunches the captured raw images to an intermediate stage of significantly compressed information, i.e. a dataset of reduced size, denoted intermediate fingerprint data. The intermediate data are fed to the central processor (2) for final reduction of the captured fingerprint image to compact fingerprint representations, called minutiae. Such minutiae are distinct points where fingerprint lines (ridges) start or stop, or locations of bifurcation of the ridges, and may be described by at least a vector comprising the X and Y coordinates and the direction of the individual minutia, stored as an alphanumeric string in non-volatile memory (7, 7A or 7E). The non-volatile memory (7, 7A or 7E), coupled to the high-speed bus (3) via a second memory interface block (7B or 7D), is typically used for storing program code (e.g. administrative software), tailored security output responses and fingerprint representations in the form of minutiae.
These fingerprint minutiae from the access attempt are compared by the central processor (2) with master fingerprint minutiae stored in non-volatile memory (7, 7A or 7E). These master fingerprint minutiae will typically be the fingerprint minutiae of the persons authorized to use the device. Depending on the said comparison, an encryption of a secure output signal is performed in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C). The encryption modules are also connected to the high-speed bus (3). The retrieved encryption information is applied to the fingerprint data using the processing unit (2), thereby producing secured data that are suitable as an output to the high-speed bus (3). Alternatively, the encryption and scrambling process can be performed in an encryption/scrambling hardware module arranged separately from the main processor (2). If a positive match is established, the chip may proceed with generating a secure key (SKG), either processed by a special algorithm on the central processor (2) based on a seed pre-stored in the non-volatile memory (7, 7A or 7E), or alternatively embedded in hardware block (8A). If the same SKG algorithm is run on two separate computers [e.g. a server (30) and the central processor (2) on the IC (1)] it will yield the same key, or password, when the identical algorithm on both of the two separate computers is fed with an identical seed. While the algorithms are normally assumed known, and will be the same for all computers in a network (N), or for a user sub-set, the seed is individual and secret and only known by the system administrator and the user. The SKG algorithm may be constructed to produce a pseudo-random and identical key on both computers (2 and 30) that is either valid for a time frame, or alternatively changed for each and every transaction. This requires that the present key number and the past key number are stored in the non-volatile memory (7, 7A or 7E). Secret information such as seed, key numbers, IP address, etc. may either be scrambled by block (8) and stored on an external regular Flash memory (7), or securely stored in SmartCard environments (7A or 7C). When a key has been generated as per above, the administrative software, stored in the non-volatile memory (7, 7A or 7E) and run on the central processor (2), may then combine information to form the basis of a secure communication between the IC (1) and the network server (30). The information to be encrypted may comprise a User identification code (ID), password and other info. Encryption is performed in hardware blocks (8 or 8B or 8C).
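The minutiae comparison described above, as an added illustration rather than the patent's own matching method: each minutia is the (X, Y, direction) vector of the description, stored as an alphanumeric string whose format ("x,y,dir;...") is assumed here, and the access minutiae are paired greedily against each enrolled master table within assumed distance and angle tolerances. A real matcher would first align the two sets for rotation and translation, which this example omits.

```python
import math
from typing import Dict, List, Optional, Tuple

# A minutia is (x, y, direction in degrees): the "vector comprising X and Y
# coordinates, and direction" of the description.
Minutia = Tuple[int, int, int]

# Assumed alphanumeric record format for non-volatile storage: "x,y,dir;x,y,dir;..."
def serialize_minutiae(minutiae: List[Minutia]) -> str:
    return ";".join(f"{x},{y},{d % 360}" for x, y, d in minutiae)

def parse_minutiae(record: str) -> List[Minutia]:
    out: List[Minutia] = []
    for item in record.strip().split(";"):
        if item:
            x, y, d = (int(v) for v in item.split(","))
            out.append((x, y, d % 360))
    return out

def angle_diff(a: int, b: int) -> int:
    """Smallest difference between two ridge directions, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def match_score(access: List[Minutia], master: List[Minutia],
                dist_tol: float = 8.0, angle_tol: int = 15) -> float:
    """Greedy one-to-one pairing of access minutiae against master minutiae.

    A pair counts when the points lie within dist_tol pixels and their ridge
    directions within angle_tol degrees. The score is the number of paired
    minutiae over the size of the larger set, so spurious or missing minutiae
    on either side lower it. No rotation/translation alignment is attempted;
    the sensor is assumed to deliver images in a consistent frame.
    """
    if not access or not master:
        return 0.0
    used = set()
    paired = 0
    for ax, ay, ad in access:
        best, best_dist = None, dist_tol
        for i, (mx, my, md) in enumerate(master):
            if i in used:
                continue
            dist = math.hypot(ax - mx, ay - my)
            if dist <= best_dist and angle_diff(ad, md) <= angle_tol:
                best, best_dist = i, dist
        if best is not None:
            used.add(best)
            paired += 1
    return paired / max(len(access), len(master))

# Master table as the IC would hold it: user ID -> (access privilege, stored record).
MasterTable = Dict[str, Tuple[str, str]]

def identify(access: List[Minutia], table: MasterTable,
             threshold: float = 0.6) -> Optional[Tuple[str, str]]:
    """Return (user ID, privilege) of the best match above threshold, else None.

    None is the non-match case in which the IC aborts the transaction.
    """
    best = None
    for uid, (privilege, record) in table.items():
        score = match_score(access, parse_minutiae(record))
        if score >= threshold and (best is None or score > best[2]):
            best = (uid, privilege, score)
    return None if best is None else (best[0], best[1])

# Constructed sample data: two enrolled masters, one access capture that is a slightly
# displaced and rotated copy of the administrator's print plus one spurious point, and
# one capture from a person who is not enrolled.
MASTER_TABLE: MasterTable = {
    "admin": ("adult", serialize_minutiae([(20, 30, 45), (60, 35, 120), (40, 80, 200),
                                           (75, 90, 300), (15, 70, 10)])),
    "child": ("minor", serialize_minutiae([(30, 20, 90), (70, 60, 180), (50, 50, 270),
                                           (25, 85, 30), (80, 25, 135)])),
}
ACCESS_ADMIN: List[Minutia] = [(22, 31, 50), (58, 37, 115), (41, 78, 205),
                               (77, 92, 295), (17, 71, 15), (90, 20, 180)]
ACCESS_STRANGER: List[Minutia] = [(5, 5, 0), (95, 95, 180), (50, 10, 90)]

if __name__ == "__main__":
    print(identify(ACCESS_ADMIN, MASTER_TABLE))     # ('admin', 'adult')
    print(identify(ACCESS_STRANGER, MASTER_TABLE))  # None
```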
The rules of secure communication enforced on the prevailing network (N) are embedded in the administrative software executed on the central processor (2), and may be adapted to include PKI and hand-shake sequences. The encryption blocks (8, 8B or 8C) may also be used to encrypt general information transactions between the IC (1) and the network server (30), if desirable. Access to such extended encryption will be given to the user pending a positive match of his fingerprint with an authorized fingerprint representation in the compact master minutiae tables pre-stored in the non-volatile memory (7, 7A or 7E). The IC (1) also comprises hardware and/or software required to supply output signals to a number of second interface blocks (9A, 9B, 9C or 9D) for transferring data to other devices and networks (N) external to the IC (1). In the present invention the IC (1) is adapted to provide data to the external access-limited apparatus, device or system. This second interface block may comprise hardware and software for supporting a USB (9A), Ethernet (9B), GPIO (9C), PCMCIA/UART (9D) and/or SmartCard (7C) interface. Apart from the USB and the Ethernet interfaces, the second interface blocks are serviced by a bus (4) with lower bandwidth and capacity than the high-speed bus (3). The two buses (3 and 4) are connected by a bus bridge (11C). The hardware blocks that are not dependent on high-speed transmissions are connected to the slower bus (4). The hardware blocks of the IC (1) are designed to perform their respective tasks in a minimum of time, and to interact with each other with a minimum of delays and queuing. In addition to the hardware blocks, the central processor (2) executing the administrative software renders a high degree of flexibility in adapting the programming to external devices and networks (N).
The main difference between the IC (1) of Figure 4A and that of Figure 4B is that the version in Figure 4B has volatile memory (6C) and non-volatile memory (7A) embedded as integral parts of the IC (1), thus reducing the demand for data exchange with external memory and thus further enhancing the security and speed of operation of the device by containing almost all data processing of the fingerprints internally within the IC (1).
Thereby the IC (1) is designed as a multi-purpose tool that can service a fingerprint sensor (5) in a stand-alone mode, but it can also communicate with external devices and networks (30) by bridging the biometrics from the sensor (5) to a non-biometrics representation according to the secure communication settings on servers (30) in a network (N) . The IC (1) transforms the fingerprint into a password or PKI, etc, under the prevailing secure communication rules, according to the secure communication rules implemented on server (30) .
The utilization of the IC (1) for authentication of an authorized user to get access to a service distributed in a network (N) from a server (30) will first be explained for the arrangement wherein the authentication and remote control is performed in a device according to the invention including an IC (1) as described above, mounted in the terminal (31), e.g. the Set-Top-Box. In the context of this description, the term set-top box refers to any receiving device coupled to at least one local television set for receiving programming from a remote server or from a distribution network or system, controlling the television set, and possibly descrambling or decrypting received programming and scrambling or encrypting return signals, as exemplified in US-patent 6,028,950.
The user contacts the service provider to subscribe to selected services.
The service provider will furnish a suitable terminal (31) (e.g. "Set Top Box") to the user, who hooks it up to his monitor (32) (television set).
The service provider also gives the user a unique seed, which may be pre-loaded in the terminal (31). This seed is then stored in the server (30) of the network (N), along with the user ID of the User. A number of available seeds may be pre-stored in the terminal (31) to facilitate a limited number of users using the same terminal (31).
When the user receives the terminal (31) from the service provider, the administrator of the user group to access the terminal (1) (the primary user, e.g. the head of a family) will enroll himself by entering a user name and his fingerprint(s). The fingerprint image from the sensor (5) will be captured by the IC (1) and reduced to compact minutiae, for storage in the non-volatile memory (7, 7A or 7E). A user identification code (ID) or user classification code will be allocated to each stored fingerprint representation.
The administrator will be given maximum user privileges, such as e.g. defined as "adult", in the context of "view on demand" movies. The User Name, together with the Seed Number (e.g. 1 out of ten), the assigned Access Privilege (e.g. "adult") will be encrypted in block (8, 8B or 8C) on the basis of a secure key (SKG) generated by the central processor (2) or block (8A) and transmitted via the network (N) to the server (30) of the service provider.
The encrypted message will be decrypted on the server (30) by the same encryption algorithm and for Seed Number 1 of the terminal (31), identified by the Terminal Number or the IP Address of the terminal (31). The decrypted user information will be stored on the server (30) along with the Terminal Number (or IP Address) and the User Id. The administrator of the terminal (31) may now enroll the rest of the user group (e.g. a family) to access the same terminal (31).
- When a new user is enrolled, the administrator will countersign with his own fingerprint on the sensor (5). If that fingerprint is authenticated against the pre-stored master minutiae representation of the administrator, he will then assign a user name and an access privilege (e.g. "minor") to the new user. This information will be encrypted and transmitted to the server (30), where it will be decrypted by Seed Number 1 of the terminal (30), and this information (User Name, Access Privilege, etc.) will be stored on the server (30) as a subset to the administrator of that terminal number. Such enrolment by the administrator of new users on the terminal (31) may be done immediately after the administrator has been enrolled, or gradually over time. The administrator may also authorize users for a limited time period.
- When an enrolled user (33) is accessing the terminal (31) in order to access a service via the network (N) from a remote server (30), for ordering a service assigned with restricted access (e.g. an X-rated movie), the user will be prompted to identify himself/herself by a fingerprint on the sensor (5).
Thereafter the following steps will typically be performed in the IC (1):
- The access fingerprint image from the sensor (5) will be captured by the IC (1) via a first interface block (5A).
- The obtained fingerprint images will be pre-processed in the sensor image capture and pre-processing block (5C).
- The pre-processed data will be transferred via the high-speed bus (3) to the processor unit (2) for extracting features of the fingerprint, thus reducing it to a compact minutiae fingerprint representation.
- The processor unit (2) retrieves fingerprint information from a storage module holding the pre-stored fingerprint minutiae.
- Then the compact access minutiae of the extracted features representing the captured and pre-processed fingerprint images are compared with the pre-stored master minutiae tables residing in the non-volatile memory (7, 7A or 7E). In the case of a non-match the process will be aborted by the IC (1), whereas in the case of a positive match the IC (1) will allow the user to proceed with his ordering, encrypting the User ID, the password (generated from Seed number n) and the purchase description (e.g. movie title), and transmitting them to the server.
Depending on the result of the said comparison, an encrypted, secure output signal is compiled in the processor unit (2) by retrieving encryption information, or alternatively scrambling information, from the encryption modules (8 or 8A, 8B and 8C) connected to the high-speed bus (3), and applying this encryption information to the fingerprint data, for producing secured communication data as an output to the high-speed bus (3).
The said secure output is provided to the remote server (30) using at least one of the second interface blocks (9A, 9B or 9C) for supplying the secured data to the remote server (30).
In response to the supplied secured data, the server will on the basis of the Terminal Number (or the IP Address) try to decrypt the message starting with Seed Number 1 registered on that terminal. If unsuccessful it will try to decrypt the message by Seed Number 2 registered on that terminal and so on, until the proper seed of the particular user of that terminal is found. The number of seeds per terminal will in practice be limited to e.g. 50 users (seeds) per terminal. When the message has been decrypted and the password retrieved, as well as the user name, the server will compare the prevailing access privilege of the requested service (e.g. an X-rated movie) and compare this with the actual access privilege of the identified user. If the actual access privilege is equal to, or higher than the prevailing access privilege, the server will endorse the transaction and proceed to download the requested service to the terminal (31) .
If the identified user has insufficient access privileges to acquire the requested service, the server will categorize the user as unauthorized and will abort the operation.
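The seed-based key generation and the server's trial of Seed Number 1, 2, ... for a terminal, followed by the access-privilege comparison, as an added example that is not the patent's own implementation: HMAC-SHA256 stands in for the SKG algorithm and for the DES/TDES hardware blocks, the key number serves as the per-transaction counter whose past values the server refuses, and the terminal number, seeds, user names and service catalogue are constructed. The authentication tag is what lets the server tell the right seed from a wrong one, and also what makes a tampered message fall through all seeds.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

def skg(seed: bytes, key_number: int) -> bytes:
    """Constructed stand-in for the SKG algorithm: both parties hold the seed and
    the transaction (key) number, so both derive the same key without sending the seed."""
    return hmac.new(seed, key_number.to_bytes(8, "big"), hashlib.sha256).digest()

def _keystream(enc_key: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the hardware encryption blocks (8, 8B or 8C); the
    tag is what lets the server tell the right seed from a wrong one."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))

PRIVILEGE_RANK = {"minor": 0, "adult": 1}

class ControlUnit:
    """Terminal side, reached only after a positive minutiae match (not modelled here)."""
    def __init__(self, terminal_number: str, seeds: List[bytes]):
        self.terminal_number = terminal_number
        self.seeds = seeds       # pre-loaded seeds, one per user slot
        self.key_number = 0      # "present key number", kept in non-volatile memory

    def order(self, seed_index: int, user_name: str, item: str) -> Dict:
        self.key_number += 1     # a fresh key for each and every transaction
        key = skg(self.seeds[seed_index], self.key_number)
        body = json.dumps({"user": user_name, "item": item}).encode()
        return {"terminal": self.terminal_number, "ctr": self.key_number,
                "payload": encrypt(key, body)}

class Server:
    def __init__(self):
        self.terminals: Dict[str, Dict] = {}  # terminal number -> seeds, users, last counter
        self.catalogue: Dict[str, str] = {}   # service -> required access privilege
    def register_terminal(self, terminal_number: str, seeds: List[bytes]) -> None:
        self.terminals[terminal_number] = {"seeds": list(seeds), "users": {}, "last_ctr": 0}
    def enroll_user(self, terminal_number: str, name: str, privilege: str) -> None:
        self.terminals[terminal_number]["users"][name] = privilege
    def handle_order(self, msg: Dict) -> str:
        term = self.terminals.get(msg["terminal"])
        if term is None:
            return "rejected: unknown terminal"
        if msg["ctr"] <= term["last_ctr"]:    # a past key number is never accepted again
            return "rejected: replayed key number"
        # Try Seed Number 1, 2, ... registered for this terminal until one verifies.
        for seed_no, seed in enumerate(term["seeds"], start=1):
            plain = decrypt(skg(seed, msg["ctr"]), msg["payload"])
            if plain is not None:
                break
        else:
            return "rejected: no registered seed decrypts the message"
        term["last_ctr"] = msg["ctr"]
        order = json.loads(plain)
        user_priv = term["users"].get(order["user"])
        required = self.catalogue.get(order["item"])
        if user_priv is None or required is None:
            return "rejected: unknown user or service"
        if PRIVILEGE_RANK[user_priv] >= PRIVILEGE_RANK[required]:
            return f"endorsed: seed {seed_no}, deliver {order['item']}"
        return "rejected: insufficient access privilege"

SEEDS = [b"constructed-seed-1", b"constructed-seed-2"]  # constructed; real ones are random

def run_demo() -> List[str]:
    server = Server()
    server.register_terminal("T-0001", SEEDS)
    server.enroll_user("T-0001", "Alice", "adult")   # the administrator
    server.enroll_user("T-0001", "Bob", "minor")
    server.catalogue = {"Family film": "minor", "Late feature": "adult"}
    unit = ControlUnit("T-0001", SEEDS)
    orders = [(1, "Bob", "Family film"), (1, "Bob", "Late feature"), (0, "Alice", "Late feature")]
    results = [server.handle_order(unit.order(*o)) for o in orders]
    replay = unit.order(0, "Alice", "Late feature")
    server.handle_order(replay)
    results.append(server.handle_order(replay))            # same message a second time
    fresh = unit.order(0, "Alice", "Late feature")
    fresh["payload"] = bytes([fresh["payload"][0] ^ 1]) + fresh["payload"][1:]  # one bit flipped
    results.append(server.handle_order(fresh))
    return results
```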
The above method and apparatus will provide the following advantages:
- The administrator (the primary user) will have full control of which user is authorized to order which services. No passwords or PIN-codes, which might be voluntarily passed on or involuntarily acquired by non-authorized users and thereby abused, are needed for the other users.
- The service provider has the assurance that no services are distributed to the owner (administrator) of the terminal that the owner does not approve.
- The users do not need to remember yet another password or PIN-code, but can conveniently use their fingerprint to access those parts of the system that they are authorized to access.
The service provider will benefit from biometrics verification of authorized users locally on their terminals (31) , without having to choose a biometrics standard on his server, as the IC (1) bridges biometrics input centrally at the terminal (31) , to a defined secure communication protocol in the network (N) , that may comprise SKG / password, encryption, PKI and hand-shake sequences. This will be possible due to the architecture and methodology of the IC (1) containing the powerful central processor (2) . Identity authentication will be executed in a fraction of the available time of the IC (1) . The central processor (2) therefore offers significant free processing capacities that may be utilized for other purposes.
Accordingly there is an option of this invention to move the preceding user authentication from a fingerprint sensor (5) mounted on the terminal (31) (e.g. the Set Top Box) to a remote control device (20) serving as a combined remote control and authentication device (20) that is more cost-efficient than traditional remote controls with numerous buttons with mechanical/electronic components for each function, connected to a printed circuit board.
Figures 3A and 3B show another preferred embodiment according to the invention as a combined authentication and remote control device (20), being a separate control unit (20) comprising an outer housing that is designed to fit well into the hand (Figure 3B), whether the user is right- or left-handed. On top of the control unit (20) there is a fingerprint sensor (5) placed conveniently for ergonomic operation by e.g. the thumb. There is also a Power On/Off button (24) for power saving, if the user leaves the terminal (31), e.g. for vacation or otherwise for extended periods.
Turning power on after a shutdown may require an authorized fingerprint to proceed for access to the system, and the network and its services.
The control unit (20) is powered by a battery (25) that may be of rechargeable or disposable type. The battery is kept in position in the control unit (20) by a removable battery lid (26) for battery replacement. In front of the control unit (20) there is a two-way wireless transceiver (27) communicating with the terminal (32) or set-top box (31), which in turn are normally connected to the network (N), the server (30) and the monitor (32) (e.g. the television set). All active electronic components of the remote control (20) are connected to a miniature printed circuit board PCB (21) including the integrated circuit IC (1).
This embodiment of the invention requires the sensor (5) to be of a type that can serve the IC (1) in 3 modes:
- Sleep mode (for power saving). This is the default mode. The wake-up circuit (5B) of the IC (1) will activate (power up) the rest of the IC (1) when a finger is touching the fingerprint sensor (5), raising the output signal from the sensor (5) above a pre-set threshold of the wake-up circuit (5B).
- Navigation mode. When the IC (1) is powered up from sleep mode, it will default to navigation mode. This means that any finger movements over the surface of the sensor (5) will be interpreted by the IC (1) according to a pre-stored set of navigation rules, termed the finger command table, stored in non-volatile memory (7, 7A or 7E) of the IC (1). This finger command table is based on elements, or combinations of elements, of finger movements over the surface of the sensor (5) or time-related touch/non-touch sequences of the finger on the sensor (5), such as e.g. a "tap" or a "double-tap".
- Authentication mode. By request from the server (30), when ordering privileged services, or by the terminal (31) for powering up or configuration changes, or by the remote control (20) itself (power up, enrolling new users, etc.), the IC (1) of the remote control (20) is prompted to authentication mode, waiting for a fingerprint to be captured from the sensor (5).
The navigation mode on the control unit (20) will be conducted as follows:
- The remote control menu (33) to be interacted with by means of the control unit (20) will reside as software on the terminal (31), rather than being embedded as hardware buttons on current remote control(s) (refer to Figure 5A). This menu (33) will be displayed on the monitor (32) (e.g. the television set).
- The user will navigate the cursor within the displayed menu (33) by finger commands on the control unit (20).
- Selection of a menu option can be performed by positioning the cursor over the desired choice or option on the display (33), and then "double tapping" with the finger on the sensor (5) to confirm the selection.
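A finger command table for the navigation mode and the double-tap selection described above, as an added example rather than the patent's own rules: the sensor event format, the timing thresholds and the step size are assumptions, and the menu is the on-screen option list the cursor moves over.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed finger command table; the thresholds are assumptions, not the patent's.
TAP_MAX_MS = 200         # a touch held no longer than this, with little travel, is a tap
DOUBLE_TAP_GAP_MS = 300  # the second touch must begin within this after the first tap's release
TAP_MAX_TRAVEL = 4       # more sensor travel than this makes the touch a swipe, not a tap
MOVE_STEP = 10           # accumulated travel along an axis per cursor step

# Sensor events (assumed format): ("touch", t_ms), ("release", t_ms) or ("move", t_ms, dx, dy).
Event = Tuple

class FingerCommandDecoder:
    """Turns timed touch/non-touch sequences and finger movements into commands."""

    def __init__(self) -> None:
        self.touch_started: Optional[int] = None
        self.travel = 0
        self.acc_x = self.acc_y = 0
        self.last_tap_release: Optional[int] = None

    def feed(self, event: Event) -> List[str]:
        kind, t = event[0], event[1]
        cmds: List[str] = []
        if kind == "touch":
            self.touch_started, self.travel, self.acc_x, self.acc_y = t, 0, 0, 0
        elif kind == "move" and self.touch_started is not None:
            dx, dy = event[2], event[3]
            self.travel += abs(dx) + abs(dy)
            self.acc_x += dx
            self.acc_y += dy
            # Each full MOVE_STEP of accumulated travel becomes one cursor step.
            while self.acc_x >= MOVE_STEP:
                cmds.append("right")
                self.acc_x -= MOVE_STEP
            while self.acc_x <= -MOVE_STEP:
                cmds.append("left")
                self.acc_x += MOVE_STEP
            while self.acc_y >= MOVE_STEP:
                cmds.append("down")
                self.acc_y -= MOVE_STEP
            while self.acc_y <= -MOVE_STEP:
                cmds.append("up")
                self.acc_y += MOVE_STEP
        elif kind == "release" and self.touch_started is not None:
            held = t - self.touch_started
            if held <= TAP_MAX_MS and self.travel <= TAP_MAX_TRAVEL:
                second_in_time = (self.last_tap_release is not None and
                                  self.touch_started - self.last_tap_release <= DOUBLE_TAP_GAP_MS)
                if second_in_time:
                    cmds.append("double_tap")
                    self.last_tap_release = None
                else:
                    # The single tap is emitted at once and the menu treats it as a no-op,
                    # so no timer is needed to wait for a possible second tap.
                    cmds.append("tap")
                    self.last_tap_release = t
            else:
                self.last_tap_release = None  # a long press or a swipe breaks a double-tap
            self.touch_started = None
        return cmds

class MenuNavigator:
    """The menu (33) shown on the monitor: a cursor over options, confirmed by a double-tap."""

    def __init__(self, options: Sequence[str]) -> None:
        self.options = list(options)
        self.cursor = 0
        self.selected: Optional[str] = None

    def apply(self, cmd: str) -> None:
        if cmd == "down":
            self.cursor = min(self.cursor + 1, len(self.options) - 1)
        elif cmd == "up":
            self.cursor = max(self.cursor - 1, 0)
        elif cmd == "double_tap":
            self.selected = self.options[self.cursor]

def run_session(events: Sequence[Event], options: Sequence[str]) -> Tuple[List[str], Optional[str]]:
    """Replay sensor events through the decoder and the menu; return (commands, selection)."""
    decoder, menu = FingerCommandDecoder(), MenuNavigator(options)
    commands: List[str] = []
    for event in events:
        for cmd in decoder.feed(event):
            commands.append(cmd)
            menu.apply(cmd)
    return commands, menu.selected

# Constructed event trace: a short downward swipe, then a double-tap on the second option.
SAMPLE_EVENTS = [("touch", 0), ("move", 50, 0, 6), ("move", 100, 0, 6), ("release", 400),
                 ("touch", 600), ("release", 700), ("touch", 850), ("release", 950)]
SAMPLE_MENU = ["Family film", "Late feature", "Settings"]
```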
Another embodiment of the invention is shown in Figure 5C, where the combined control unit according to the invention is equipped with an integrated small display. Thereby the combined control unit according to the invention may also be used for controlling apparatuses, devices and systems not comprising a monitor (32), while still providing visual feedback to the user on his finger commands inputted to the control unit (20) by finger movements over the sensor (5). The method of operating such an embodiment of the invention is identical to the preceding descriptions, except that the menus are displayed locally on the control unit (20) itself.
Now the operation of a combined authentication and remote control device will be described step-by-step, exemplified by the preferred embodiment as illustrated in Figure 2. The steps to be described comprise:
1) Personalization, by the Service Provider.
2) Enrolment of Primary User.
3) Enrolment of other users.
4) Remote control of apparatuses and devices.
5) Ordering a Service.
These will be described in the chronological order in which they typically occur.
Personalization, by the Service Provider.
A user group (say a family) signs up a subscription with a Service Provider (e.g. a cable company or a satellite distributor).
The Service Provider compiles a kit for the subscriber (the family). This kit consists of a terminal (31) and a combined authentication and remote control unit (20), hereinafter referred to as the control unit (20). The terminal will be a standard product, except that it is equipped with a two-way transceiver (27), and can be boxed without any further personalization. The control unit (20), however, needs to be equipped with factory settings specified by the Service Provider. Such factory settings may typically comprise:
- From the factory the control unit (20) has been loaded with software pertinent to the Service Provider. This pertains to any particular encryption algorithm if different from the resident DES/TDES algorithms embedded in the hardware blocks (8, 8B or 8C) of the IC (1). In case the Service Provider prefers any other encryption algorithm, this will be downloaded into the non-volatile memory (7, 7A or 7E) of the IC (1).
- Further, the factory will download the specific communication set-up enforced by the Service Provider into the non-volatile memory (7, 7A or 7E) of the IC (1).
- Finally, the factory will download the version of the administrative software specified by the Service Provider into the non-volatile memory (7, 7A or 7E) of the IC (1), including all subsets of the administrative software. One such subset in particular is the interface commands between the control unit (20) and the terminal (31).
When the control units (20) have been shipped from the factory to the Service Provider, it is time for the Service Provider to personalize the control unit (20) to the subscriber. Such personalization will be carried out by authorized personnel within the Service Provider's organization, by a special Personalization Program on their server (30). Preferably the Personalization Program can only be accessed through a validated fingerprint, authenticating the operator as an authorized operator. Preferably the Personalization Program should be linked to other parts of the Service Provider's database, such as e.g. billing routines, etc. When a subscriber has been entered into the database, and an authenticated Operator has entered the pertinent data into the Personalization Program, this can only be committed to the database by the Operator countersigning with his fingerprint, to conclude the personalization of the control unit (20). The steps of such personalization may typically comprise the following:
- The Operator enters the ID of the control unit (20) into the database, along with the particulars of the subscriber, such as name, billing address, and particulars of the terms of the subscription.
- The Operator prepares particulars of the subscriber to be downloaded into the secret parts of the non-volatile memory block (7A or 7E), or alternatively to be scrambled by block (8) for storage in non-volatile memory block (7). These particulars comprise:
  - A set of secret seeds (e.g. ten seeds) for Secure Key Generation (SKG) for DES/TDES or other encryption.
  - Optionally, electronic certificates for PKI and public/private key cryptography.
  - The IP address of the server partition to be addressed by the control unit (20) via the terminal (31).
These data are downloaded onto the control unit (20) upon positive authentication of the Operator as an authorized operator of the Personalization Program. If not, the personalization routine will be aborted. At the same time as these particulars of the personalization are downloaded onto the control unit, either for scrambling by block (8) for storage on the external flash (7) or for loading into the secret parts of the SmartCard block (7A or 7E), these data are copied into the database of the server (30) linked to the subscriber, including the unit ID of the control unit.
The control unit (20) will now be packaged along with the terminal (31) for shipping to the subscriber (user). When the subscriber receives the package he will connect the terminal (31) to his television set (32), and be ready to enroll as Primary User of the control unit (20).
Enrolment of Primary User:
The first person within the user group (e.g. a family) will by default be proposed as Primary User (or System Administrator) of the control unit (20), with full privileges. When the battery (25) is inserted in the control unit (20) and the Power On button (24) is pushed for the first time (after personalization), the control unit (20) will be prompted to enrolment mode, ready to enroll the Primary User through the following consecutive steps:
- The administrative software of the control unit will trigger the enrolment menu (33) to be displayed on the monitor (32) (e.g. the television screen), prompting the person to be enrolled to enter the following information: user name (name or acronym), age, user status (Primary User, or regular user) and privileges (administrator, adult, minor, etc.). Typically, a user identification code (ID) or a user classification code stored in this manner may later be used in an access discrimination operation, e.g. performed by the processor (2), in order to allow different access functionality to different users.
When this info is entered, the menu (33) displayed may prompt the Primary User to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5). The user is guided by the menu text to swipe one of his fingers over the sensor (5), and the result (the cleaned-up image) is displayed adjacent to the model image. For each swipe of the finger over the sensor (5) the IC (1) will capture the image by the image capture and pre-processing block (5C), which will perform the initial processing cleaning up the image ("cleaned-up image") and temporarily store this cleaned-up image in the working volatile memory (6A or 6C). The cleaned-up image is then transferred via the high-speed bus (3) to the central processor (2), which will reduce it to a fingerprint minutia representation and calculate a quality score of the image. The cleaned-up image will then be displayed in the menu (33) along with a score and a verdict of whether it is of acceptable quality or not. Note that the minutia fingerprint representations from the training session will not be permanently stored in the IC (1) but are simply intended to give feedback to the user. When the user thereby has swiped his finger over the sensor (5) a pre-set number of times (e.g. 3 consecutive times) with acceptable quality, the administrative software shifts the control unit (20) to Enroll Mode.
In Enroll Mode the user will be prompted by the menu (33) to swipe his finger over the sensor (5) for registration of master minutia fingerprint representations. This will be executed as per the preceding procedure, except that the extracted minutia table will be permanently stored in the non-volatile memory (7, 7A or 7E) of the IC (1) . The administrative software may be pre-set to require e.g. 3 master minutia tables of acceptable quality of each finger.
When the Primary User's first fingerprint master minutia table(s) of acceptable quality thus has been permanently stored in the IC (1), the Primary User is asked whether he will register more fingers. Note that the administrative software may be set up for up to ten different fingers, so the Primary User should consider how he should allocate these between himself and his family members.
When the primary user accordingly has enrolled the selected number of his fingers, he will enter a menu choice stating that he has completed the enrolment.
The administrative software of the IC (1) will now assign one of the pre-loaded seeds (from the personalization by the Service Provider) to this user. The seed will thereafter be accessed from the non-volatile memory (7, 7A or 7E). In case of seed storage on the external Flash (7) the seed will be unscrambled, while in case of seed storage on SmartCard blocks (7A or 7E) it will be extracted from the secret sections of the SmartCard block (7A or 7E). Note that this seed will never leave the interior of the IC (1) during this process, and will be unobtainable externally to the IC (1). The accessed seed will then be transferred via the high-speed bus (3) either to the central processor (2) (in case of Figure 4A) or to the Secure Key Generation (SKG) block (8A) (in case of Figure 4B) to produce a unique keyword.
This keyword will then be transferred by the administrative software via the high-speed bus (3) to the appropriate encryption block, according to the set-up in the administrative software subset on encryption: either to block (8, 8B or 8C), or alternatively the keyword is employed by an encryption algorithm (forming a subset of the administrative software) downloaded into the non-volatile memory (7, 7A or 7E) during factory preparation of the control unit (20) according to specifications from the Service Provider. The following message is then encrypted by the targeted encryption method [hardware encryption block (8, 8B or 8C), or alternatively a specific encryption algorithm executed by the central processor (2)]: Ekey(user ID, assigned seed number, privilege). This information is then blended with the non-encrypted information Unit ID, present key number and the IP address of the server (30). The complete message will thereby comprise:
M_enrol = [IPaddr, Unit ID, keyno, Ekey(user ID, seedno, privilege)]
When the Primary User thus has enrolled himself, he will be prompted by the displayed menu (33) to tick either "Continue" or "Change?". Assuming that the Primary User has correctly filled in the menu (33) and is satisfied that the input he has given is correct (no typos, etc.), he will tick off "Continue" and countersign with his fingerprint on the sensor (5). The administrative software of the IC (1) will process this countersigning fingerprint, extract the fingerprint minutia representation and compare it with the preceding master minutia recently entered by the Primary User.
Depending on a positive match of the validation of his fingerprint countersignature, the administrative software of the IC (1) will transmit the partly encrypted message "M" via the two-way wireless transceivers (27) to the terminal (31), where it will be relayed to the server (30) at the IP address.
The server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
From the database entries of the Unit ID the server (30) will retrieve seed_i and the key number and decrypt the encrypted parts of the message "M".
The server (30) will then add the User ID and assigned seed number (seed_i), as well as privileges (e.g. Primary User, adult), to the entities under the Unit ID.
The server (30) will then increment its key number, and send an acknowledgement via the terminal (31) to the control unit (20), which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30) .
This completes the enrolment of the Primary User. The Primary User now being registered as the administrator [of his particular control unit (20)] within the database entities under the Unit ID on the server (30) now has the privileges to enroll other users (e.g. his family).
Enrolment of User
The Primary User is now eligible to enroll other users. This will in general follow the same procedure as for enrolling the Primary User, with some minor deviations that will be outlined below:
- The Primary User will place his finger on the sensor (5) of the control unit (20). This will raise the output signal level from the sensor (5) to a level exceeding a pre-set threshold within the wake-up block (5B) of the IC (1), powering up the IC (1) in a pre-set sequence to the default waken mode "navigation".
A main menu (33) will be displayed on the monitor (32) .
The Primary User will move his finger on the sensor (5) causing the cursor on the displayed menu (33) to follow his finger movements on the sensor (5) as explained below under "Controlling Devices". The Primary User will by his finger move the cursor to menu choice "Enroll" and then select this choice by double-tapping his finger on the sensor (5) .
In order to access the Enroll Menu the Primary User is prompted to authenticate himself by verified fingerprint. He will swipe his finger over the sensor (5). The sensor output is directed to the IC (1) via the sensor interface block (5A) to the image capture and pre-processing block (5C). The access minutia table extracted by the central processor (2) from the temporary fingerprint representation output of block (5C) is then compared with the Primary User's master minutia table(s) securely stored in non-volatile memory block (7, 7A or 7E). Provided the access minutia table is found to match the master minutia table of the Primary User, the Enroll Menu is opened, and the IC (1) switches back to navigation mode. In case of no match, the enrolment process is aborted.
The Enroll Menu starts with a registration window where the Primary User enters the following information about the new user: user name (name or acronym), age and privileges (adult or minor). Say that for the sake of demonstration this new user is entered with privilege "minor", meaning that the Primary User will exclude the new user from being able to order X-rated movies ("pay-per-view").
When this info is entered, the menu (33) displayed may prompt the new user to a brief training session of fingerprint capture, whereby a fingerprint image of acceptable quality (the model image) is shown on the display next to the instant fingerprint image of the finger to be swiped over the sensor (5). The user is guided by the menu text to swipe one of his fingers over the sensor (5), and the result (the cleaned-up image) is displayed adjacent to the model image. This training is managed by the administrative software of the IC (1) in accordance with the same procedure as explained under Enrolment of Primary User. When the user thereby has swiped his finger over the sensor (5) a pre-set number of times (e.g. 3 consecutive times) with acceptable quality, the administrative software shifts the control unit (20) to Enroll Mode.
The new user is enrolled by fingerprint registration, by exactly the same procedure as explained under Enrolment of Primary User.
When a sufficient number (say three) of fingerprint master minutia representations have been collected for the finger of the new user, another of the new user's fingers may be enrolled by the same procedure.
When the enrolment is completed, the Primary User will countersign by one of his enrolled fingers. If the administrative software, by means of the hardware blocks, of IC (1) confirms that the Primary User is authentic (by a match with one of the previously enrolled master fingerprint minutia tables of the Primary User) , the enrolment is completed. In case of a non-match, the enrolment process is aborted at this stage.
The administrative software of the IC (1) then assigns the next vacant seed number(s) to the new user.
The control unit (20) then compiles a partly encrypted message, by the administrative software and hardware blocks of the IC (1), comprising:
M_enrol = [IPaddr, Unit ID, keyno, Ekey(user ID, seedno, privilege)]
The control unit (20) then transmits this message "M" by the two-way wireless transceivers (27) to the terminal (31) which relays the message to the server (30) .
The server (30) receiving the partly encrypted message "M" will retrieve the Unit ID from the non-encrypted part of the message "M" and look this up in the database on the server (30).
From the database entries of the Unit ID the server (30) will retrieve seed_n and the key number and decrypt the encrypted parts of the message "M".
The server (30) will then add the User ID and assigned seed number (seed_n), as well as privileges (e.g. Regular User, minor), to the entities under the Unit ID.
The server (30) will then increment its key number for this particular user, and send an acknowledgement via the terminal (31) to the control unit (20) , which in response will increment its key number, so it is synchronized with that of the Unit ID entities of the server (30) .
This completes the enrolment of a new user. Additional users may be enrolled by the Primary User at any time, but only by the Primary User.
Below will be described how apparatuses and devices may be controlled by the control unit (20) .
Controlling Devices
Another preferred embodiment of the method of remotely controlling a device, apparatus or system comprises using the invention to select menus to be displayed on a monitor, to perform navigation within such menus, and finally to perform selections / commands within such menus.
When triggered by a finger on the sensor (5), the IC (1) of the control unit (20) will default to wake-up in Navigation Mode, in which moving a finger over the sensor (5) will be interpreted as navigation commands for a cursor. The remote control device may comprise a fingerprint sensor adapted to detect finger touches as well as lateral finger movements.
Such finger movements or touches on the sensor (5) involve performing the following steps in said Navigation Mode:
- The presence of a finger on the fingerprint sensor is detected (5, 5A-B) , and the IC (1) powered up to Navigation Mode, by default.
- The consecutively captured fingerprint images are pre-processed (5C) in the image capture and pre-processing block to provide a number of compacted images.
- The incremental differences of the compacted image information from the pre-processing block (5C) are analyzed by the central processor (2), determining the direction of movement of the finger (A) and the associated speed of movement over the sensor (5), and whether the contact of the finger (A) on the surface of the sensor (5) is disrupted, and possibly for how long such disrupted contact lasts.
- In the central processor (2) the obtained information, e.g. finger speed and direction, contact or no-contact versus time, is compared with a pre-stored table of finger commands, such as for example defined by sequences and directions of finger movements over the sensor, stored in one of the non-volatile memory blocks (7, 7A or 7E). Sets of finger command structures may thereby be defined and detected, thus enabling a multi-function tool for fingerprint scanning, text/character input in multiple modes, and cursor control, all by finger commands on a single sensor or sensor device.
- Using the central processor (2) , and depending on the results of said comparison, it is determined which finger command the analyzed finger movements represent.
- Thereafter the code for this particular finger command is transmitted from the central processor (2) via the high-speed bus (3) to a selected communication interface block (9A, 9B, 9C or 9D). Further, the command code is transmitted from said interface block to the remotely controlled device, apparatus or system, preferably in wireless form (27).
- Such interpretation of finger movements into commands may for example offer means for the user to navigate in and control a menu being presented to the user on the monitor.
- Finally, in the remotely controlled device, apparatus or system the said command code is interpreted and provided to the operating system of the remotely controlled device, apparatus or system.
The secure communication between the control unit (20) and the network server (30), via the terminal (31), may comprise a variety of different transmissions. A unique User ID, e.g. in the form of a long alphanumeric string, by which the User (34) is identified in a data repository of the server (30), could be transmitted. Alternatively a unique password which is automatically triggered by a positive identity match in the IC (1) can be transmitted. In another alternative an alphanumeric code identifying the type of access or service requested may be transmitted. In yet another alternative all of the above transmission items could be transmitted in a packaged format and encrypted using one of blocks (8, 8A, 8B or 8C).
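As an added illustration of the Navigation Mode steps above (example code, not part of the patent), the following interpreter takes a constructed stream of per-frame incremental differences, as the pre-processing block (5C) would hand them to the central processor (2), and matches contact runs, gaps, direction and speed against a finger command table. The frame representation, the thresholds and the command codes are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One frame = the incremental difference reported by the pre-processing block (5C):
# None means no finger contact, (dx, dy) the displacement since the previous frame.
Frame = Optional[Tuple[int, int]]

TAP_MAX_FRAMES = 3     # contact this short, with negligible movement, is a "tap"
DOUBLE_TAP_GAP = 4     # at most this many no-contact frames between the two taps
MOVE_MIN_PIXELS = 4    # smaller total displacement is treated as "no movement"

# Finger command table (assumed codes), as it would sit in non-volatile memory (7, 7A or 7E).
FINGER_COMMAND_TABLE = {
    "tap": 0x01, "double-tap": 0x02,
    "move-up": 0x10, "move-down": 0x11, "move-left": 0x12, "move-right": 0x13,
}

@dataclass
class Segment:
    touched: bool   # contact or no-contact run
    frames: int     # how long the run lasted
    dx: int = 0     # accumulated displacement during a contact run
    dy: int = 0

def segment(frames: List[Frame]) -> List[Segment]:
    """Split the frame stream into alternating contact / no-contact runs."""
    segs: List[Segment] = []
    for f in frames:
        touched = f is not None
        if segs and segs[-1].touched == touched:
            segs[-1].frames += 1
            if touched:
                segs[-1].dx += f[0]
                segs[-1].dy += f[1]
        else:
            segs.append(Segment(touched, 1, *(f if touched else (0, 0))))
    return segs

def classify_touch(seg: Segment) -> Tuple[str, float]:
    """Name a single contact run and report its speed in pixels per frame."""
    dist = abs(seg.dx) + abs(seg.dy)
    if dist < MOVE_MIN_PIXELS:
        # short contact -> tap; long contact without movement -> hold (not in the table)
        return ("tap" if seg.frames <= TAP_MAX_FRAMES else "hold"), 0.0
    if abs(seg.dx) >= abs(seg.dy):
        name = "move-right" if seg.dx > 0 else "move-left"
    else:
        name = "move-down" if seg.dy > 0 else "move-up"
    return name, round(dist / seg.frames, 2)

def interpret(frames: List[Frame]) -> List[Tuple[str, float]]:
    """Compare the runs against the command table; returns (command, speed) pairs."""
    commands = []
    segs = segment(frames)
    i = 0
    while i < len(segs):
        seg = segs[i]
        if not seg.touched:
            i += 1
            continue
        name, speed = classify_touch(seg)
        # tap, short gap, tap -> double-tap (the gap run sits between the two taps)
        if (name == "tap" and i + 2 < len(segs)
                and segs[i + 1].frames <= DOUBLE_TAP_GAP
                and classify_touch(segs[i + 2])[0] == "tap"):
            name, i = "double-tap", i + 3
        else:
            i += 1
        if name in FINGER_COMMAND_TABLE:   # "hold" is dropped
            commands.append((name, speed))
    return commands

def command_codes(frames: List[Frame]) -> List[int]:
    """Codes to be sent over the bus to the communication interface block."""
    return [FINGER_COMMAND_TABLE[name] for name, _ in interpret(frames)]

# Constructed sample stream: tap, 2-frame gap, tap, gap, then a swipe to the right.
SAMPLE_FRAMES: List[Frame] = (
    [None] * 2 + [(0, 0)] * 2 + [None] * 2 + [(1, 0)] * 2
    + [None] * 3 + [(3, 0), (4, 0), (5, 0)] + [None] * 2
)

if __name__ == "__main__":
    print(interpret(SAMPLE_FRAMES))     # [('double-tap', 0.0), ('move-right', 4.0)]
```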
The control unit (20) may accordingly be used as a multifunctional authentication and remote control unit. The latter application may apply to controlling appliances like DVD player(s), television set(s) and similar appliances. The procedure below is given for ordering a movie from the Service Provider, as an example that also demonstrates validation of the purchaser as an eligible purchaser.
Ordering Services
In this context the Primary User (e.g. the head of a family) may decide that his minor children shall not be able to order X-rated movies when they are home alone. If the family decides so, they would have filled in an option in their subscription contract. The control unit (20) according to the invention would enable the Service Provider to offer such a service by the server automatically checking the privileges of the user ordering a service, while still being sure that the biometric authentication of the purchaser by the control unit (20) can accommodate this.
The presumption is that the Service Provider offers such screening, and that the Primary User assigns the corresponding privileges when enrolling his family. This example demonstrates the versatility of the invention:
- When a user wishes to order a service from the Service Provider (say ordering a movie by "pay-per-view") he will pick up the control unit (20) and touch the fingerprint sensor (5).
- A finger on the sensor will trigger the IC (1) to wake up from sleep mode, defaulting into navigation mode.
- This will trigger a menu (33) to be displayed on the television set (32). The user will then move the cursor in the menu, by moving his finger on the sensor (5), until the cursor is placed over the tick box "Order Film".
- The user then double-taps his finger on the sensor (5), confirming his choice. This presumably brings up a list of film categories. The user then moves the cursor, by moving his finger over the sensor (5), to the tick box for the wanted category and double-taps his finger on the sensor (5) to make the selection. This presumably brings up a list of movie titles within the selected category. The user again moves the cursor, by his finger on the sensor, to the wanted title and then makes the selection by double-tapping his finger on the sensor (5). For the sake of the example the choice made is for an X-rated movie.
- The selected film request is then transmitted via the terminal (31) to the server (30), which looks up the title in its database and establishes that this movie choice requires "adult" privileges of the user.
- The server (30) then returns an authentication request to the terminal (31), which relays this request on to the control unit (20) via the two-way wireless transceivers (27).
- The control unit (20) responds by going into authentication mode, supported by visual feedback by a message on the menu (33).
- The user swipes his finger over the sensor (5). The sensor output is captured by the image capture and pre-processing block (5C) of the IC (1) and the fingerprint is processed, as previously described, and compared with the resident master minutia in the non-volatile memories (7, 7A or 7E).
The continuation may be handled in either of two alternative ways:
- Either the control unit could establish that the owner of the matched fingerprint is an entity with privilege "minor" and is not authorized for such a purchase, and thereby abort the ordering sequence then and there,
- Or, the IC (1) could generate a message back to the server (30), as previously described, comprising:
M_enrol = [IPaddr, Unit ID, keyno, Ekey(user ID, seedno, privilege)]
The server (30) will decrypt this message, as previously described, extract the privilege and then abort the ordering sequence.
In any case this verification by fingerprint by the control unit (20) enables screening of the available contents from the Service Provider depending upon the classification (privilege) of the user. The same approach may also be used on PCs with Internet access, to block access to unwanted contents from Service Providers (such as pornography, etc.) by classification of the contents by the web portal operators.
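The following added example (not the patent's own code) models both the enrolment exchange described under Enrolment of Primary User, with the message M_enrol and the synchronised key number on unit and server, and the two alternative privilege checks of the ordering sequence above. It assumes an HMAC-based stand-in for the Secure Key Generation block, a keystream-plus-tag stand-in for the DES/TDES block, and that the server, since the seed number travels inside the encrypted part, tries each of the unit's personalised seeds with the current key number; all three are assumptions, as are the constructed seeds, unit ID and address.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

def skg(seed: bytes, key_no: int) -> bytes:
    """Stand-in for the Secure Key Generation block: seed + key number -> 32-byte key."""
    return hmac.new(seed, key_no.to_bytes(4, "big"), hashlib.sha256).digest()

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the DES/TDES block (assumed construction): keystream XOR plus a
    16-byte tag so the receiver can tell a correct key from a wrong one."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:16]

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))

class ControlUnit:
    """Control unit (20): holds the personalised seeds, which never leave it."""
    def __init__(self, unit_id: str, seeds: List[bytes], server_ip: str):
        self.unit_id, self._seeds, self.server_ip = unit_id, list(seeds), server_ip
        self.key_no = 0                       # "present key number", synchronised with the server
        self.users: Dict[str, tuple] = {}     # user ID -> (seed number, privilege)

    def _message(self, user_id: str) -> dict:
        # M_enrol = [IPaddr, Unit ID, keyno, Ekey(user ID, seedno, privilege)]
        seed_no, privilege = self.users[user_id]
        key = skg(self._seeds[seed_no], self.key_no)
        body = json.dumps([user_id, seed_no, privilege]).encode()
        return {"ip": self.server_ip, "unit_id": self.unit_id,
                "key_no": self.key_no, "enc": encrypt(key, body)}

    def enrol(self, user_id: str, privilege: str) -> dict:
        """Called after the countersigning fingerprint matched; assigns the next vacant seed."""
        seed_no = len(self.users)
        if seed_no >= len(self._seeds):
            raise ValueError("no vacant seed for a further user")
        self.users[user_id] = (seed_no, privilege)
        return self._message(user_id)

    def authenticate(self, user_id: str) -> dict:
        """Reply to the server's authentication request for a matched user (same format)."""
        return self._message(user_id)

    def local_check(self, user_id: str, required: str) -> bool:
        """First alternative: the unit itself aborts when the matched user lacks the privilege."""
        return self.users[user_id][1] == required

    def ack(self) -> None:
        """Server acknowledgement received: advance the key number."""
        self.key_no += 1

class Server:
    """Server (30): database entries under Unit ID, copied at personalisation."""
    def __init__(self) -> None:
        self.db: Dict[str, dict] = {}

    def personalize(self, unit_id: str, seeds: List[bytes]) -> None:
        self.db[unit_id] = {"seeds": list(seeds), "key_no": 0, "users": {}}

    def _open(self, msg: dict) -> Optional[list]:
        entry = self.db.get(msg["unit_id"])
        if entry is None or msg["key_no"] != entry["key_no"]:
            return None                       # unknown unit or stale / replayed key number
        # Assumption: the seed number is inside the ciphertext, so the server tries each of
        # the unit's seeds with the current key number and keeps the one whose tag verifies.
        for seed in entry["seeds"]:
            body = decrypt(skg(seed, entry["key_no"]), msg["enc"])
            if body is not None:
                entry["key_no"] += 1          # consumed; the acknowledgement makes the unit follow
                return json.loads(body)
        return None

    def handle_enrol(self, msg: dict) -> bool:
        body = self._open(msg)
        if body is None:
            return False
        user_id, seed_no, privilege = body
        self.db[msg["unit_id"]]["users"][user_id] = (seed_no, privilege)
        return True                           # acknowledgement to the control unit

    def authorize_order(self, msg: dict, required: str) -> bool:
        """Second alternative: decrypt the privilege and decide server-side."""
        body = self._open(msg)
        return body is not None and body[2] == required
```

A message carrying an old key number is rejected outright, so a captured enrolment or authentication message cannot be presented a second time once both sides have advanced.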
The advantages of the control unit (20) and the corresponding method of using the control unit (20) according to the invention are primarily:
- The control unit (20) can be made very simple without numerous function buttons, as shown in Figures 5A and 5B, where a typical prior-art remote control unit (28) and a control unit (20) according to the present invention are shown side by side. Hence, the costs of a remote control unit can be squeezed with a control unit according to the present invention.
- As the functionality is stored in software to be displayed on the monitor (32) this is very flexible, and can be accommodated to a large variety of makes of terminals (30) and there is no need to tailor a remote control to the terminal (31) . Accordingly the manufacturing volumes of control units (20) according to the invention can be significantly larger than prior-art remote controls, thereby squeezing manufacturing costs of the remote controls even further.
Due to this flexibility, the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
This may accelerate adaptation to user friendliness.
The authentication device and the control unit will be combined into a single unit (20) that is far cheaper than current remote controls alone.
The advantages of the remote control unit (20) and the corresponding method of using the remote control unit (20) according to the invention are primarily:
The remote control (20) can be made very simple without numerous function buttons, as shown in Figure 5, where a typical prior-art remote control unit (28) and a remote control unit according to the present invention are shown side by side. Hence, the costs of the remote control unit can be squeezed with a remote control unit according to the present invention. As the functionality is stored in software to be displayed on the monitor (32) this is very flexible, and can be accommodated to a large variety of makes of terminals (30), and there is no need to tailor the remote control to the terminal (31). Accordingly the volumes of the remote control can be significantly larger than the current editions, thereby squeezing manufacturing costs of the remote controls even further.
Due to this flexibility, the service provider is free to upgrade its services even when this involves modification of user interface and interaction, without having to replace obsolete hardware (terminals and remote controls) .
This may accelerate adaptation to user friendliness.
The authentication device and the remote control device will be combined into a single unit (20) that is far cheaper than current remote controls alone.