WO2010030157A1 - Method of authentication of a computer ID for portable data storage devices - Google Patents
- Publication number
- WO2010030157A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computer
- authentication
- data storage
- storage device
- portable data
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2129—Authenticate client device independently of the user
Definitions
- An employee may retrieve sensitive corporate data and take it out of the company without management approval. Because portable data storage devices are portable and small, it is difficult for an organization to detect whether an employee is carrying one.
- A method of authentication involving a computer's unique identifier, or ID, is used to limit the use of portable data storage to within the organization or to any other approved computers.
- Approved computers are computers with which the portable data storage device of the current invention is allowed to be used.
- Each computer has its own unique identifiers.
- A computer is made up of many components such as a CPU, hard disk drive, DVD-ROM drive, Ethernet network interface card, wireless network adapter, USB root hubs, operating system, etc. Each of these components has its own unique ID.
- A Computer ID can also be generated by software and stored encrypted within a specific directory or folder. Therefore, a computer can be identified by one computer ID or by a combination of computer IDs, and the method of Computer ID authentication of the present invention can be used to authenticate a host computer ID or a combination of host computer IDs.
- A portable data storage device has to be loaded with the organization's computer IDs before it is deployed in the organization. That is, the information security officer compiles a list of computer IDs, say in Microsoft Excel.
- Storage components such as NAND flash and EEPROM that are external to the processor are usually much cheaper and can be used to store the list of computer IDs. However, they are slower and less secure, as they can be accessed by removing the storage components from the device.
- When the device of the present invention is attached to the USB port of a computer that has no driver installed, the device will not receive any computer ID from the computer. Therefore, the device shall set a timeout for authentication. The current method of computer ID authentication fails if the computer ID is not sent within a defined time frame.
- When the device of the present invention is attached to the USB port of a computer with the driver installed, the device will be found by the driver, and the driver shall send the Computer IDs to the device for authentication. When the Computer ID is sent, it is compared with the list of computer IDs stored within the device. If the host Computer ID is found in the list, then authentication is valid and the portable data storage device is enabled to be used with the computer.
- One objective of the current method of authentication is to limit the use of the portable data storage device to within an organization or to any other computers that are allowed by the organization's information security office. That is, even if users install the driver software on any other computer, the portable data storage device will not be functional, as that computer's IDs are not the same as the computer IDs stored within the portable data storage device.
- Another objective of the current method of authentication is to add another factor of authentication to the portable data storage device so that it is more secure.
- The current method of authentication also applies to a portable security token, which consists of a cryptographic processor and storage components such as EEPROM or internal flash ROM.
- The current method of authentication is also applicable to a Smart Card.
- A smart card consists of a storage component and cryptographic functionality.
- The Computer IDs can be stored within the Smart Card by the administrator via a smart card reader. In this case, the Smart Card can be used only in designated computers.
- The current method of authentication requires 3 components to operate, namely a software driver, an administrator software and a device of the current invention, which includes storage components that store a list of computer IDs.
- The software driver installed on the computer constantly checks whether the device of the present invention is attached to the computer.
- The device of the present invention, such as a portable USB data storage device, a portable USB security token or a Smart Card, has its own unique identifiers. These unique IDs include vendor ID, product ID, etc. When this unique identifier is detected, the host computer IDs will be sent to the device for authentication.
- The Administrator software is used to retrieve the computer IDs from a file and store the computer IDs into the device of the present invention.
- A scheme has to be developed to prevent the use of the Administrator software by any user.
- The administrator software may require a password known only to the administrator before it can be executed.
- With a biometrics flash disk, the administrator may have to authenticate with her fingerprint.
- Figure 1 shows the block diagram of a fingerprint biometrics secure portable data storage device in which the data storage is based on NAND flash memory. It consists of a USB connector 14, a NAND flash memory 22, an LED indicator 08, a fingerprint sensor 12 and a processor 50.
- The list of Computer IDs is preferably stored encrypted within the flash program memory within the processor 50. Alternatively, the list of Computer IDs can be stored encrypted within a secret compartment of the NAND flash memory.
- The processor 50 not only serves as a NAND flash controller and a biometrics processor, but is also used to authenticate the Computer ID input from the host computer.
- The processor 50 is able to retrieve raw fingerprint biometrics data from the fingerprint sensor 12, process it, generate a fingerprint template and then store the fingerprint template within the processor 50. It is also able to authenticate the biometric fingerprint input from the fingerprint sensor 12 against its stored fingerprint template.
- A biometrics flash disk of the present invention employing the method of authentication as described above.
- The biometrics flash disk of the present invention has allocated 2 fingerprint enrollments for the administrator and 4 fingerprint enrollments for its user.
- The administrator's fingerprints have to be enrolled before the enrollment of user fingerprints.
- The LED indicator 08 will blink RED, prompting the administrator to enroll her fingerprints.
- The administrator is required to swipe her finger on the fingerprint sensor 12 to enter her first fingerprint. She has to swipe a second time with a different finger to enroll the second fingerprint. Thereafter, she can access the removable disk.
- The device is functional. That is, a removable icon appears in My Computer of the Windows operating system and the mass storage data is accessible.
- The administration software will verify with the device of the present invention whether the authentication was done by the administrator. This is to prevent the user from running the administration software. If it is YES, then the administrator software will work as follows.
- Figure 2 shows an example of the administration software graphical user interface used in the current invention. First, the administrator finds all the devices connected to the host computer by clicking on the "Find Device" button. She may erase the list of computer IDs previously stored if she wishes to. She can import the list of computer IDs from a file such as a Microsoft Excel file and program all computer IDs into the device of the current invention.
- The administration software shown in Figure 2 is able to store a list of computer IDs to a maximum of 12 biometrics flash disks at any one time.
- The administrator will pass the unit to the user to be enrolled.
- A user is to enroll 4 of his fingerprints, guided by the LED 08.
- When the device of the current invention is attached to a computer USB port, it will check whether the list of computer IDs is stored. If it is, it will set a timer and establish a USB communication channel with the host computer. However, the list of Computer IDs stored within the device is inaccessible from the host computer. The USB communication channel will be terminated once the host computer ID is received or if the timeout expires.
- The user can enroll his fingerprint.
- The fingerprint enrollment is valid if a valid computer ID is received from the host computer within a limited time frame. Otherwise, all enrolled user fingerprints will be deleted.
- USB communication is open briefly for the host computer to send the computer IDs to the device of the current invention within a specific time limit. During this time, the data stored within the device is inaccessible.
- The data stored within the device is accessible once a valid fingerprint has been authenticated and a valid Computer ID has been entered into the device within a specific time frame.
- The host computer has to send the computer ID to the device of the current invention within the time frame of 3 seconds.
- The method of computer ID authentication works not only in Windows operating systems such as Windows XP and Windows Vista, but also with Linux and Mac OS.
- The method of computer ID authentication of the present invention is operating-system independent.
- FIG. 3 shows the block diagram of a typical portable data storage device.
- In the case of a USB flash disk, it consists of a USB flash controller 51, NAND flash memory 22 and a USB connector 14.
- In the case of a portable USB hard disk drive, it consists of a USB HDD controller 51, a hard disk 22 and a USB connector 14.
- The administrator or information security officer will store a list of computer IDs in the secret compartment of NAND flash memory 22 or in the flash program memory of processor 51, not accessible by the user. All computers within the organization must install a driver such that when the portable flash storage of the current invention is attached to the computer's USB port, the driver will be able to detect the device and then send the host computer IDs to the device.
- When the user plugs the device into a USB port, the device can be detected by the computer and a timeout is set within the device. At this point, the stored data is inaccessible by the computer. If the device receives the Computer IDs from the host computer, it will terminate the USB communication with the host computer and then compare them with the list of Computer IDs stored within the secret compartment. If the ID matches, the device will establish communication with the computer and the mass storage data stored within the device will be accessible.
- If the portable device of the current invention has another authentication factor involving a password, then the device will be detected by the computer but no access to data is allowed until both password and Computer ID authentication are OK.
- FIG. 4 shows the block diagram of a portable security token. It consists of a cryptographic processor 52, and an EEPROM 23.
- a portable security token is used for authentication purpose. It may be used to store cryptographic keys, such as digital signature, or biometric data.
- The list of Computer IDs may be stored in cryptographic processor 52 or EEPROM 23. Therefore the current method of authentication can serve as an additional factor of authentication for a portable security token. That is, the portable security token of the current invention will not be functional if it is attached to a computer whose computer IDs do not match the list of Computer IDs stored within the token, or if the driver software that sends the computer ID to the portable security token was not installed on the computer.
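
The device-side flow described above (timer set on attach, one host Computer ID accepted within the 3-second window, comparison against the stored list, optional fingerprint or password factor) can be modelled as a small state machine. This is an added example, not code from the patent; the fixed 16-byte ID format, the list capacity, the function names and the constant-time comparison are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_LEN         16     /* assumption: fixed-size ID, e.g. a digest of the host's component IDs */
#define MAX_IDS        8      /* assumption: capacity of the stored list */
#define AUTH_WINDOW_MS 3000u  /* the 3-second time frame given in the text */

typedef enum { ID_PENDING, ID_OK, ID_FAILED } id_state_t;

typedef struct {
    uint8_t    ids[MAX_IDS][ID_LEN]; /* list programmed by the administrator software */
    size_t     n_ids;
    bool       needs_second_factor;  /* fingerprint or password variant */
    bool       factor_ok;
    uint32_t   attach_ms;
    id_state_t id_state;
} device_t;

/* Compare without an early exit so timing does not reveal how many bytes
 * matched (a hardening choice of this example, not stated on the page). */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Attach: start the timer; mass storage stays hidden from the host. */
void device_attach(device_t *d, uint32_t now_ms) {
    d->attach_ms = now_ms;
    d->factor_ok = false;
    d->id_state  = ID_PENDING;
}

/* Timer tick: no ID inside the window (e.g. no driver on the host) fails. */
void device_tick(device_t *d, uint32_t now_ms) {
    if (d->id_state == ID_PENDING && now_ms - d->attach_ms >= AUTH_WINDOW_MS)
        d->id_state = ID_FAILED;
}

/* Driver message: exactly one ID is accepted, then the channel is closed. */
id_state_t device_receive_id(device_t *d, const uint8_t *id, size_t len, uint32_t now_ms) {
    device_tick(d, now_ms);
    if (d->id_state != ID_PENDING) return d->id_state;
    bool found = false;
    if (len == ID_LEN)
        for (size_t i = 0; i < d->n_ids; i++)   /* scan the whole list */
            found |= ct_equal(d->ids[i], id, ID_LEN);
    d->id_state = found ? ID_OK : ID_FAILED;
    return d->id_state;
}

void device_second_factor(device_t *d, bool verified) { d->factor_ok = verified; }

/* Data is exposed only when every configured check has passed. */
bool storage_accessible(const device_t *d) {
    return d->id_state == ID_OK && (!d->needs_second_factor || d->factor_ok);
}

/* Constructed sample IDs, not real machine identifiers. */
static const uint8_t ID_OFFICE_PC[ID_LEN] = "OFFICE-PC-00001";
static const uint8_t ID_HOME_PC[ID_LEN]   = "HOME-PC-0000001";

void device_init(device_t *d, bool needs_second_factor) {
    memset(d, 0, sizeof *d);
    memcpy(d->ids[0], ID_OFFICE_PC, ID_LEN);
    d->n_ids = 1;
    d->needs_second_factor = needs_second_factor;
}

int main(void) {
    device_t d;
    device_init(&d, false);
    device_attach(&d, 0);
    device_receive_id(&d, ID_HOME_PC, ID_LEN, 500);
    printf("unlisted host, data accessible: %d\n", storage_accessible(&d));
    device_attach(&d, 10000);
    device_receive_id(&d, ID_OFFICE_PC, ID_LEN, 10500);
    printf("listed host, data accessible:   %d\n", storage_accessible(&d));
    return 0;
}
```
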
Abstract
The present invention relates to an authentication method involving the computer IDs of a computer fitted with a portable data storage device. The computer IDs of the computers intended to be used with the portable data storage device concerned are stored within the portable data storage device by the information security officer of an organization. All computers in the organization must be installed with a special driver. When the driver detects that the portable data storage device is attached to the host computer, it sends the host computer's ID to the portable data storage device. If the host computer's ID matches one of the computer IDs stored within the portable data storage device, then authentication is deemed correct or valid and access to the mass storage data is granted. Otherwise, access is denied. This authentication method limits the use of the portable data storage device to authorized computers only. The present authentication method prevents an employee from using the portable data storage device on a home computer or any other computer liable to suffer data theft or virus infection. For stronger authentication protection, the portable data storage device may additionally be given biometric or password authentication. The present computer ID authentication method is also applicable to a portable security token and to a smart card.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/MY2008/000098 WO2010030157A1 (fr) | 2008-09-11 | 2008-09-11 | Method of authentication of a computer ID for portable data storage devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/MY2008/000098 WO2010030157A1 (fr) | 2008-09-11 | 2008-09-11 | Method of authentication of a computer ID for portable data storage devices |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010030157A1 (fr) | 2010-03-18 |
Family
ID=42005307
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/MY2008/000098 WO2010030157A1 (fr) | 2008-09-11 | 2008-09-11 | Method of authentication of a computer ID for portable data storage devices |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2010030157A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20060098904A (ko) * | 2005-03-09 | 2006-09-19 | 사파소프트 주식회사 | 허가되지 않은 이동저장장치의 불법사용 차단시스템과 차단방법 |
US20060272031A1 (en) * | 2005-05-24 | 2006-11-30 | Napster Llc | System and method for unlimited licensing to a fixed number of devices |
EP1130489B1 (fr) * | 2000-01-13 | 2008-01-02 | Casio Computer Co., Ltd. | Protection contre l'accès non autorisé à un support de mémorisation portable |
US20080016228A1 (en) * | 2006-07-14 | 2008-01-17 | Samsung Electronics Co., Ltd. | Method and apparatus for preventing data leakage in portable terminal |
-
2008
- 2008-09-11 WO PCT/MY2008/000098 patent/WO2010030157A1/fr active Application Filing
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2479227A (en) * | 2010-03-30 | 2011-10-05 | Fujitsu Ltd | Preventing unauthorised access to protected data via registration and verification of device information, with hard disk self-erase capability |
US8713250B2 (en) | 2010-03-30 | 2014-04-29 | Fujitsu Limited | Storage device, data processing device, registration method, and recording medium |
GB2479227B (en) * | 2010-03-30 | 2015-12-02 | Fujitsu Ltd | Storage device, data processing device, registration method, and recording medium |
US9367485B2 (en) | 2010-03-30 | 2016-06-14 | Fujitsu Limited | Storage device, data processing device, registration method, and recording medium |
CH706584A1 (it) * | 2012-06-01 | 2013-12-13 | Quantec Sa | Dispositivo portatile di back up/restore. |
WO2014029389A1 (fr) * | 2012-08-21 | 2014-02-27 | Ulf Feistel | Procédé d'utilisation sécurisée de supports de données transportables dans des réseaux fermés |
EP2725514A3 (fr) * | 2012-10-29 | 2014-06-18 | Walton Advanced Engineering Inc. | Système de partage d'informations de sécurité et procédé d'exécution de celui-ci |
US20160212796A1 (en) * | 2015-01-20 | 2016-07-21 | Awind Inc. | System and method for projecting a displayed image of an electronic device through networking |
EP3082059A1 (fr) * | 2015-04-16 | 2016-10-19 | Alcatel Lucent | Accès personnalisé à un dispositif de stockage |
WO2016165957A1 (fr) * | 2015-04-16 | 2016-10-20 | Alcatel Lucent | Accès personnalisé à un dispositif de stockage |
CN107426133A (zh) * | 2016-05-23 | 2017-12-01 | 株式会社理光 | 一种建立用户身份映射关系的方法及装置 |
CN107426133B (zh) * | 2016-05-23 | 2020-06-30 | 株式会社理光 | 一种识别用户身份信息的方法及装置 |
US11347861B2 (en) | 2018-04-10 | 2022-05-31 | Raytheon Company | Controlling security state of commercial off the shelf (COTS) system |
US10878101B2 (en) | 2018-09-07 | 2020-12-29 | Raytheon Company | Trusted booting by hardware root of trust (HRoT) device |
US11178159B2 (en) | 2018-09-07 | 2021-11-16 | Raytheon Company | Cross-domain solution using network-connected hardware root-of-trust device |
US11423150B2 (en) | 2018-09-07 | 2022-08-23 | Raytheon Company | System and method for booting processors with encrypted boot image |
WO2020205497A1 (fr) * | 2019-04-01 | 2020-10-08 | Raytheon Company | Commande d'accès à assistance par racine de confiance de lecteurs cryptés sécurisés |
US11513698B2 (en) | 2019-04-01 | 2022-11-29 | Raytheon Company | Root of trust assisted access control of secure encrypted drives |
US11595411B2 (en) | 2019-04-01 | 2023-02-28 | Raytheon Company | Adaptive, multi-layer enterprise data protection and resiliency platform |
US11379588B2 (en) | 2019-12-20 | 2022-07-05 | Raytheon Company | System validation by hardware root of trust (HRoT) device and system management mode (SMM) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2010030157A1 (fr) | Method of authentication of a computer ID for portable data storage devices | |
KR101719381B1 (ko) | 저장 장치의 원격 액세스 제어 | |
US7275263B2 (en) | Method and system and authenticating a user of a computer system that has a trusted platform module (TPM) | |
US9047486B2 (en) | Method for virtualizing a personal working environment and device for the same | |
JP4054052B2 (ja) | Usbインターフェースアクセス可能生体認証プロセッサを有する生体認証パラメータ保護usbインターフェース携帯型データ記憶装置 | |
US7549161B2 (en) | Portable device having biometrics-based authentication capabilities | |
TWI494785B (zh) | 用以提供系統管理命令之系統與方法 | |
US20100023650A1 (en) | System and method for using a smart card in conjunction with a flash memory controller to detect logon authentication | |
US20030005337A1 (en) | Portable device having biometrics-based authentication capabilities | |
RU2538329C1 (ru) | Устройство создания доверенной среды для компьютеров информационно-вычислительных систем | |
US7861015B2 (en) | USB apparatus and control method therein | |
US20090055892A1 (en) | Authentication method and key device | |
US20040193925A1 (en) | Portable password manager | |
CN105243314B (zh) | 一种基于USB‑key的安全系统及其使用方法 | |
US20080052526A1 (en) | System and Method for Enrolling Users in a Pre-Boot Authentication Feature | |
WO2009095263A1 (fr) | Procédé d'entrée de numéro d'identification personnel sécurisée et de réglage de mode de fonctionnement dans un dispositif portable personnel | |
WO2010083593A1 (fr) | Dispositif de stockage de mémoire amovible avec des processus d'identification multiples | |
KR100991191B1 (ko) | 컴퓨터 보안 모듈 및 이를 적용한 컴퓨터 장치 | |
JP2007517287A (ja) | コンピュータシステムまたはプログラムへのアクセスを開放するための方法 | |
US20080263364A1 (en) | System and method for providing access to a computer resource | |
JP2010535380A (ja) | 不正使用防止制御のシステム及び方法 | |
JP2004185255A (ja) | 個人情報管理及び生体認証を兼ね備えたフロッピー(登録商標)ディスク型生体情報認証装置 | |
CN113703856A (zh) | 一种安全开机的方法及系统 | |
CN103840938A (zh) | 用户名密码加校验码两者集合认证来验证用户信息的方法 | |
CN104426897A (zh) | 用ic卡技术对信息系统特殊操作进行身份再认证的方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08876939; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 08876939; Country of ref document: EP; Kind code of ref document: A1 |