WO2004031920A1 - A smartcard security system for protecting a computer system - Google Patents

A smartcard security system for protecting a computer system Download PDF

Info

Publication number
WO2004031920A1
WO2004031920A1 PCT/AU2003/001302 AU0301302W WO2004031920A1 WO 2004031920 A1 WO2004031920 A1 WO 2004031920A1 AU 0301302 W AU0301302 W AU 0301302W WO 2004031920 A1 WO2004031920 A1 WO 2004031920A1
Authority
WO
WIPO (PCT)
Prior art keywords
smartcard
computer
biometric data
encoder
biometric
Prior art date
Application number
PCT/AU2003/001302
Other languages
French (fr)
Inventor
Christopher Ian Blake
Bradley James Blake
Belinda Mae Naujok
Karthik Sivaram
James Lawrence Fuary
Original Assignee
Bqt Solutions Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bqt Solutions Pty Ltd filed Critical Bqt Solutions Pty Ltd
Priority to AU2003266822A priority Critical patent/AU2003266822A1/en
Publication of WO2004031920A1 publication Critical patent/WO2004031920A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/08Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code using markings of different kinds or more than one marking of the same kind in the same record carrier, e.g. one marking being sensed by optical and the other by magnetic means
    • G06K19/10Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code using markings of different kinds or more than one marking of the same kind in the same record carrier, e.g. one marking being sensed by optical and the other by magnetic means at least one kind of marking being used for authentication, e.g. of credit or identity cards

Definitions

  • the present invention relates generally to security systems and in particular to security systems utilising smartcards and/or biometric sensors.
  • Existing security systems are of several different types.
  • One type of security system utilises a smartcard as a key for access to a secure location or secure equipment.
  • the smartcard contains security information providing access via a smartcard reader at the access point.
  • a user presents the reader with the smartcard. If the smartcard is authorised, the reader actuates a control mechanism to provide access.
  • the reader may signal a controller that controls operation of a latch mechanism controlling access to a door or provide access to a computer terminal.
  • a relevant reader that may be used in such a system is a Wiegand reader.
  • One significant disadvantage of such systems is that the smartcard if stolen or otherwise in the possession of an unauthorised person may allow the unauthorised person to access the secure location or equipment.
  • biometrics is a physical characteristic of a person used as a form of identification.
  • the biometrics data is used in place of, or in addition to a security key, such as a key, card or PIN.
  • a database or central repository of stored biometric data is maintained in a computer, with which the sensor can communicate. The scanned biometric data is compared with the stored biometric data, and if a match is found the user is permitted access.
  • This system is generally more secure than that of the smartcard system, but is disadvantageous in that a central repository of biometric data must be maintained and updated. Further, significant time may be required to conduct such a comparison of the scanned biometric data against the database or central repository to determine whether or not there is a match.
  • Computer systems may also require security.
  • the BIOS of a computer system may be configured to require an operator to provide a password using a keyboard to type text to access the computer system and load the operating system.
  • the operating system and/or application software may require the operator to provide a password to load the operating system or use the application software.
  • a method of controlling access to a computer using a smartcard reader or encoder coupled to the computer is a biometric smartcard reader or encoder.
  • a smartcard encoded with data is read using the smartcard reader or encoder.
  • the data read from the smartcard is stored biometric data.
  • Authentication data from the smartcard reader or encoder is checked to determine whether access to the computer is granted or prohibited. If a determination is made to grant access, access to the computer is granted.
  • the method preferably includes the step of locking all inputs of the computer other than a communications port of the computer to which said reader or encoder is coupled.
  • the granting step includes the step of unlocking the inputs.
  • the method further includes the step of obtaining scanned biometric data using a sensor of the biometric smartcard reader or encoder.
  • the authentication data may generate by the biometric smartcard reader or encoder dependent upon a comparison of the stored biometric data and the scanned biometric data. Access is granted to the computer if the stored biometric data and the scanned biometric data match.
  • the steps of the method are carried out using the computer in a process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
  • an apparatus and a computer program product are provided for controlling access to a computer using a smartcard reader or encoder coupled to the computer.
  • a system for controlling access to a computer has a communications port and implements at least one process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
  • a smartcard reader or encoder is coupled to the computer via the communications port for reading a smartcard encoded with data.
  • a module is provided for checking authentication data from the smartcard reader or encoder to determine whether access to the computer is granted or prohibited in the process.
  • a module is also provided for, if a determination is made to grant access, granting access to the computer in the process.
  • Fig. 1 is a high-level flow diagram illustrating an enrolment operation of a biometric smartcard system including a biometric smartcard reader or encoder in accordance with an embodiment of the invention
  • Fig. 2 is a flow diagram illustrating a process of enrolling a fingerprint on a smartcard using a biometric smartcard encoder, providing further details of the embodiment of Fig. 1;
  • Fig. 3 is a flow diagram illustrating a process of verifying a finger on the biometric smartcard encoder, providing further details of the embodiment of Fig. 1;
  • Fig. 4A is a block diagram illustrating the structure of storage or memory in a smartcard in accordance with the embodiment of the invention;
  • Fig. 4B is a table illustrating an arrangement of security keys used in the smartcard of Fig. 4A in accordance with the embodiment of the invention
  • Fig. 5 is a functional block diagram showing modules of a biometric smartcard reader or encoder in accordance with the embodiment of the invention
  • Fig. 6 is a perspective view of a biometric smartcard reader or encoder in accordance with the embodiment of the invention shown in Fig. 5;
  • Fig. 7 is a flow diagram illustrating a process of providing security in which software controls authentication where BIOS loop is not active but a BIOS start occurred;
  • Figs. 8A and 8B are a flow diagram illustrating another process of providing security in which software controls authentication where BIOS loop is active;
  • Fig. 9 is a flow diagram illustrating yet another process of providing security in which a BIOS start occurred and a BIOS loop is active;
  • Figs. 10A and 10B are a flow diagram illustrating a further process of providing security in which software only controls authentication where a BIOS loop is not active and a BIOS login did not occur;
  • Fig. 11 is a block diagram of a security system for controlling access to a computer system utilising a smartcard reader or encoder coupled to the computer system in accordance with the embodiments of the invention.
  • Embodiments of the invention provide equipment that utilise biometric and smartcard technologies. As the smartcard preferably holds the biometric information, the requirement of central repositories of biometric data and associated security issues are obviated. Significant applications of such an reader or encoder is as an access control device at security point, whether for access via a door or other portal, or to a computer, network, or other secure equipment or installation.
  • the present specification also discloses apparatus for performing the operations of the methods.
  • Such apparatus may be specially constructed for the required purposes, or may include a general-purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer.
  • the algorithms and displays presented herein are not inherently related to any particular computer or other apparatus.
  • Various general-purpose machines may be used with programs in accordance with the teachings herein.
  • the construction of more specialized apparatus to perform the required method steps may be appropriate.
  • the structure of a conventional general- purpose computer appears from the description below.
  • the present invention also implicitly discloses a computer program, in that it would be apparent to the person skilled in the art that the individual steps of the preferred method described herein may be put into effect by computer code.
  • the computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein.
  • the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing the spirit or scope of the invention. Furthermore one or more of the steps of the computer program may be performed in parallel rather than sequentially.
  • Such a computer program may be stored on any computer readable medium.
  • the computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general- purpose computer.
  • the computer readable medium may also include a hard-wired medium such as exemplified in the Internet system, or wireless medium such as exemplified in the GSM mobile telephone system.
  • the computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the preferred method.
  • the preferred method(s) comprise a particular control flow. There are many other variants of the preferred method(s) which use different control flows without departing the spirit or scope of the invention. Furthermore one or more of the steps of the preferred method(s) may be performed in parallel rather sequential.
  • Fig. 11 is a block diagram of such a computer system including a computer 1102 and a monitor 1104, with which the embodiments of the invention may be practiced.
  • the technique is implemented as a BIOS login process, a software login process, a resource access process, a network resource access process, or a stop/resume process, all of which are described in greater detail hereinafter.
  • the smartcard reader or encoder 1120 is coupled to the computer 1102 via a communications port 1140 (depicted by cable in Fig. 11) and preferably is a biometric smartcard reader or encoder 1120.
  • the smartcard reader or encoder 1120 reads the data encoded in the smartcard 1130, which is preferably stored biometric data. Authentication data from the smartcard reader or encoder 1120 is checked to determine whether access to the computer 1102 is granted or prohibited. If a determination is made to grant access, access to the computer 1102 is granted.
  • the method preferably includes the step of locking all inputs of the computer 1102 other than the communications port 1140.
  • the granting step includes the step of unlocking the inputs.
  • a reader is a device that is able to scan a person's biometric data and read a smartcard to obtain stored biometric data.
  • the biometric data is preferably a fingerprint.
  • the smartcard is presented to or inserted into the reader (preferably, 10 mm to 40 mm away), and write/read operations are communicated from the reader to the smartcard.
  • the reader compares the scanned biometric data and stored biometric data to determine if there is a match.
  • the reader may be located at an access point to provide access to a location or equipment in a security system dependent on the results of the comparison.
  • An encoder is able to perform the functions of a reader including contactless communications with the smartcard, but also is able to encode a smartcard with personal details and biometric data. More particularly, the encoder preferably includes a logical access system where all access in a facility is controlled using a card, i.e. for doors, for PC access, etc. Such a smartcard access system by its nature almost ensures that the user does not forget to leave the smartcard behind.
  • an encoder has an appropriate interface to enable the encoder to be connected with a computer to enrol a person's details and biometric data on the smartcard using software running on the computer.
  • the encoder stores biometric data in a two- dimensional structure or template and card holder details on the smartcard.
  • the encoder may have an insert slot in the housing body to receive such a smartcard. The slot allows detection of the smartcard during an encoding process.
  • a reader cannot be used for enrolment of biometric data and other associated information on a smartcard as can an encoder.
  • biometric smartcard reader and biometric smartcard encoder substantially interchangeably, but the noted distinctions should be borne in mind.
  • Fig. 5 is a block diagram illustrating a smartcard 540 and a biometric smartcard reader 500 in accordance with an embodiment of the invention.
  • This biometric smartcard reader 500 is smaller than other biometric units.
  • the biometric smartcard reader 500 includes a biometric sensor 510 coupled to a sensor control module or printed circuit board 520.
  • the sensor PCB 520 contains modules for processing and encoding scanned biometric data into a suitable digital representation using a given coding algorithm (e.g., Sagem).
  • the fingerprint is stored as a template preferably and not as a digital image.
  • An algorithm is used to generate the template.
  • examples of relevant algorithms use minutiae reference points, or ridge recognition patterns, for example.
  • the sensor PCB 520 is coupled to a smartcard reader PCB 530 and sends fingerprint data in a given template to the smartcard reader PCB 530, which is also able to interrogate and obtain data from a smartcard 540.
  • This is preferably done by presenting the smartcard reader PCB 530 with the smartcard 540, in which the smartcard reader PCB 530 energises the smartcard 540 if in close proximity and communicates with the smartcard 540.
  • the smartcard reader PCB 530 is a contactless reader using a Philips Mifare® Chip, and the PCB 530 utilises the RS232 or USB format for its output. Communication between the smartcard 540 and the smartcard reader PCB 530 is encrypted.
  • the encryption utilised with this embodiment involves a proprietary encryption method of Mifare®, which is embedded in the Mifare® smartcards. Another option is to use 3 -DES encryption. However, it will be apparent to those skilled in the art in the light of this disclosure that other encryption techniques may be used without departing from the scope and spirit of the invention.
  • the biometric smartcard reader 500 incorporates a biometric finger scan sensor 510 (e.g., for scanning fingerprints) with an accompanying sensor PCB 520.
  • the fingerprint sensor technology may be optical, capacitive, thermal, tactile, or a combination of the foregoing.
  • An example of a sensor arrangement that may be used is a Bioscrypt product provided by Bioscrypt Inc. including an Authentic sensor, a Bioscrypt PCB, and Bioscrypt's own encoding algorithm.
  • the sensor arrangement may be implemented using an ST sensor, a Yuean PCB provided by Yuean Biometrics, and the Sagem algorithm, or a SecuGen product provided by SecuGen Corporation including a SecuGen sensor, a SecuGen PCB, and the SecuGen algorithm.
  • a SecuGen optical solution may be practiced that enables a rugged and robust design.
  • the sensor 510 and associated PCB 520 scan a person's fingerprint and generate a digital representation of that fingerprint as digital biometric data.
  • Fig. 6 is a perspective view of a biometric smartcard encoder 600, which embodies the reader or encoder 500 of Fig. 5 including a biometric sensor 610/510, an associated sensor PCB 520 (not shown), and a Mifare® smartcard reader PCB 530 (not shown) in a single unit.
  • the encoder 600 also includes a receptacle or socket 620 into which a smartcard can be inserted. Inside the receptacle is a latch or switch (not shown) for detecting the presence of the smartcard. Any of a number of mechanisms in addition to a latch or switch may be practiced without departing from the scope and spirit of the invention.
  • the smartcard 540 is adapted to store a digital representation of the biometric data.
  • the smartcard is a Mifare® smartcard for use with the contactless Mifare® reader.
  • the smartcard 540 has approximately 1 Kbyte of storage or memory. Smartcards with different memory sizes may be practiced, e.g. 2 KB, 4 KB, and 8 KB.
  • Fig. 4A is a block diagram illustrating the structure of the storage 400 in the
  • Mifare® smartcard which is organised into 16 separate sectors 410-414 - 0 sector 410, 1 sector 412, ..., 15 sector 414.
  • the sectors may be equally sized or may be variably sized (e.g., for 16 KB cards).
  • Each of the sectors 410-414 has two keys, Key A and Key B as shown in Fig. 4B. These keys can be designated as read and read/write keys. The keys may also be designated write only keys.
  • the keys A and B for each sector are initialised by the manufacturer (e.g. 10 hexadecimal characters each) and can be changed when the sectors are written to to contain biometric data in accordance with the embodiment of the invention.
  • Each Mifare® smartcard 540 also has a unique serial number or identifier.
  • the 15 th sector 414 contains one or more of the following security parameters for use in the system of Fig. 5: a facility code, a company code, an access code, and an issue code.
  • the facility code can identify a facility that the smartcard permits access to for a given entity or company, which is identified by the company code.
  • the issue code identifies how many smartcards have been issued to a person. For example, if the issue code is 3, the system may hotlist corresponding smartcards for the person with issue codes of 1 or 2.
  • the smartcard 540 stores such data across two or more sectors with corresponding keys for each sector of data.
  • 5 to 6 sectors are used to store a digital fingerprint representation or template.
  • an ST sensor and an Yuean PCB produce a digital fingerprint representation that is approximately 320 bytes long.
  • the length of the representation may vary depending on the different biometric sensor products and algoritlims used. As noted above, each sector needs a customer specific key to unlock the information.
  • the reader 500/600 incorporates a switch or latch internally for detecting the presence or insertion of a smartcard into the reader.
  • biometrics smartcard encoder 500 enables authorised persons using a properly enrolled smartcard to access to a secure location or equipment, for example.
  • Lost or stolen smartcards 540 are unusable as the person with the lost or stolen smartcard 540 does not have the correct biometrics data (e.g., fingerprint) to match that stored on the smartcard 540.
  • biometric smartcard reader 500 of Fig. 5 obviates the need for a central database or repository of biometric data, since the biometrics data is stored on the smartcard 540.
  • a biometrics smartcard encoder In combination with a computer (not shown), a biometrics smartcard encoder
  • the biometrics smartcard encoder 500 can also be used to enrol a person's fingerprint on a smartcard 540.
  • the biometrics smartcard encoder 500 uses an RS232 or USB communications port, in conjunction with software, to enrol the person's fingerprint onto the smartcard 540.
  • software or a computer program(s) miming on the computer in combination with the biometrics smartcard encoder 500 obtains personal details for a person, scans and records a fingerprint for the person, and then writes the personal details and fingerprint representation to the smartcard 540.
  • this embodiment does not permit fingerprint information to travel to the computer. Instead, the biometric smartcard encoder 500 stores the information and writes the information directly to the smartcard 540. The information is then erased from the memory of the biometric smartcard encoder 500.
  • the detail level for scanning by the biometric smartcard encoder 500 can be changed to enable persons with scarred hands or other aberrations to use the encoder 500. This process is set forth in greater detail with reference to Fig. 1.
  • Fig. 1 is a high-level flow diagram illustrating details of a process 100 of obtaining and storing biometric information in a smartcard 540 using the biometric smartcard encoder (i.e., biometric unit) 500/600.
  • the biometric smartcard encoder 500 is initially idle, h step 112, a command is sent to the biometric smartcard encoder 500 to capture a person's fingerprint. This is preferably done by the computer using a communications port, hi step 114, the sensor 510/610 of the biometric smartcard encoder 500 captures a fingerprint image.
  • the sensor 510/610 analyses the scanned fingerprint and creates an image, hi step 116, the image is coded and the data to be stored is created.
  • the smartcard 540 is presented to or inserted into the smartcard reader PCB 530, and the biometric data from the sensor PCB 520 is written into the smartcard 540 by the smartcard reader PCB 530.
  • State 120 at the end of the process 100 shows that the digital fingerprint representation is stored on the smartcard 540.
  • This smartcard 540 can then be used as a security key in relation to a biometric security system.
  • the smartcard 540 is presented to or inserted into the biometric smartcard reader 500/600 and the fingerprint information is read off the smartcard 540 by the biometric smartcard reader 500/600.
  • the person presents their finger to the sensor 510/610 of the biometric smartcard reader 500/600 for scanning.
  • the fingerprint representation read off the smartcard 540 is compared by the biometric smartcard reader 500/600 with the fingerprint currently obtained using the sensor 510/610.
  • the biometric smartcard reader 500/600 checks access privileges using the access code from the smartcard 540 and if the holder has appropriate access privileges, access is granted by the biometric smartcard reader 500/600 to the smartcard holder. Verification is strongly dependent on enrolment. A score of 100 applies for a high quality and content template. A medium threshold level may look for a score of 60, for example. The threshold level may be varied to adjust quality and content of a template.
  • Fig. 2 is a more detailed flow diagram of a process 200 of enrolling a fingerprint using a biometric smartcard encoder, based on Fig. 1.
  • a biometric software application is ran or launched.
  • this software is run on a computer connected to a biometric smartcard encoder 500/600, preferably using a RS232 or USB communications port.
  • a relevant RS232 or USB port is selected by the software.
  • the communications link (COM port) is tested to ensure the communications link is operating properly.
  • Communication between the smartcard reader PCB 530 and the computer is preferably triple DES or Skipjack encrypted.
  • step 216 enrolment of a person's fingerprint is commenced. Preferably, this is done by clicking on an enrolment tab in the software application to commence enrolment processing.
  • step 218 personal details of the person whose fingerprint is to be enrolled are obtained and the type of smartcard being written to is specified.
  • the relevant information may include one or more of the person's name, facility code, company code, access code, and issue code. Alternatively, the smartcard may be pre-encoded with some or all of this information.
  • the desired detail level of the fingerprint is specified using the software application. In particular, this is done using a quality meter in the software where the detail level for the sensor 510 and PCB 520 is specified. Ordinarily, the quality is set as high as possible to avoid misreads. However, the quality can be adjusted downwardly to avoid or reduce the effects of scar tissue and other aberrations on the person's finger.
  • the person's fingerprint is presented to the sensor 510/610 of the biometric smartcard encoder 500/600, and the person's fingerprint is scanned. The data stream for the scanned fingerprint is sent from the sensor 510/610 to the sensor PCB 520. The information is then coded with the specific algorithm within the sensor PCB 520. The coded information is then sent to the smartcard reader PCB 530 and from there encoded onto the smartcard 540.
  • decision block 224 a check is made to determine if the quality of the scanned fingerprint image from the sensor 510/610 is adequate.
  • the sensor 510 and PCB 520 determines quality.
  • the biometric smartcard encoder 500/600 indicates this to the computer, since the fingerprint is preferably not transferred to the computer. If the quality is inadequate (NO), the quality is reduced to enable enrolment in step 226 and processing continues at step 222. This may occur multiple times. If decision block 224 determines that the quality is adequate (YES), processing continues at step 228.
  • a smartcard 540 is presented to or inserted into the smartcard reader PCB 530 of the biometric smartcard encoder 500/600. Presentation or insertion of the smartcard 540 to the smartcard reader PCB 530 results in the encoded fingerprint template and related keys for each sector being downloaded onto the smartcard 540.
  • the commmiication between the smartcard 540 and the reader PCB 530 is encrypted. As noted above, the encrypted, encoded fingerprint representation is normally stored across several sectors in the storage of the smartcard. Also personal details and other information may be stored on the smartcard 540.
  • a check is made to determine if the encoding of the smartcard 540 was successful.
  • decision block 230 If decision block 230 returns true (YES), the fingerprint template has been encoded successfully on the smartcard 540 using the encoder 500. If decision block 230 returns false (NO), processing continues at decision block 232. hi decision block 232, a check is made to determine if the smartcard type details are correct.
  • the smartcard 540 may be a new or used smartcard. A new smartcard has default values in its storage, while a used smartcard has changed keys A and B for example. Further, or alternatively, a different type of smartcard may be used, for example, from different manufacturers. If decision block 232 returns false (NO) indicating the card type details are incorrect, processing continues at step 234 and the correct smartcard type must be specified to the software.
  • step 236 If decision block 232 returns true (YES), processing continues at step 236. In step 236, another smartcard is tried or obtained for presentation or insertion instead of the smartcard previously presented to or inserted into the smartcard reader PCB 530 of the encoder 500/600. Processing then continues at step 228.
  • Fig. 3 is a flow diagram illustrating a process 300 of verifying a fingerprint scanned by the biometric smartcard encoder 500/600 and enrolled on the smartcard 540.
  • the biometric application software is loaded.
  • the communications link e.g., COM port or USB
  • the communications link is tested to ensure the link is operating properly.
  • a verification application module in the software is activated. Preferably, this is done by clicking on a verify tab in the biometric application software.
  • the smartcard 540 with enrolled fingerprint information is presented to or inserted into the encoder 500/600, which reads and stores the fingerprint information from the smartcard 540.
  • the person's finger is presented to sensor 510/610 of the biometric smartcard encoder 500, and the person's fingerprint is scanned and stored.
  • the biometric smartcard encoder 500 compares in the smartcard reader PCB 530 the scanned fingerprint template from the sensor 510/610 and the uploaded fingerprint template from the smartcard 540.
  • decision block 322 a check is made to determine if the verification passed (OK).
  • the encoder 500/600 provides the comparison result to the computer to establish verification. If decision block 322 returns true (YES), processing continues at state 324 and the fingerprint on the smartcard is verified as that of the fingerprint obtained at the sensor 510/610. Otherwise, if decision block 322 returns false (NO), processing continues at step 326.
  • a check is made to determine if the verification bar in the software was raised.
  • a quality bar and a verification bar showing current levels are depicted graphically to an operator of the application software on opposite sides of a graphical image of a fingerprint icon, which indicates to the operator when a fingerprint has been properly scanned by the encoder 500/600.
  • Raising the verification bar indicates a better match between the scamied fingerprint and the one from the smartcard 540. Verification is dependent on the quality level at enrolment. If decision block 326 returns true (YES), processing continues at step 332 and the finger must be positioned correctly for verification, before processing continues at step 320. Otherwise, if decision block 326 returns false (NO), processing continues at step 328. A determination is made that the incorrect finger has been used in relation to the recorded fingerprint information on the smartcard. In step 330, the correct finger is determined before proceeding to step 320.
  • the biometric smartcard reader or encoder may have both contacless Mifare smartcard and contact smartcard technology. Such a hybrid biometric smartcard reader or encoder may assist in situations where the smartcards currently used are of the contact type but the needs of a business will ultimately demand a contactless solution.
  • an embodiment of the invention utilises a smartcard reader or encoder to control access to a personal computer (PC).
  • PC personal computer
  • the embodiment of the invention may be practiced with other forms of computer systems.
  • a biometric smartcard reader or encoder is used to control access to a PC.
  • Each device provides an authentication service as a peripheral device to the PC.
  • the request for authentication and the authentication are communicated to and from the reader or encoder using serial or USB communications, hi the case of a polling loop option, the device keeps monitoring the status of card presence in the encoder or reader and communicates the removal of the smartcard from there to the PC.
  • the BIOS is modified to check the latch of the reader or encoder via RS232, in a BIOS loop mode, while software and the operating system uses polling running in the background that can user RS232 or USB communications port. It will be apparent to those skilled in the art in the light of this disclosure that the embodiments of the invention have application to other computer systems, as well as personal computers. For ease of description, the embodiments of the invention are described hereinafter with reference to a biometric smartcard reader or encoder.
  • the device locks and unlocks all inputs of the PC (similar in manner to operation of a screen saver). All inputs are hooked and input activity suspended until the unlock is performed. This type of functionality is well known to those skilled in the art. Relevant inputs include one or more of a keyboard, a mouse, and the like.
  • the BIOS/operating system may activate a standby mode (in PCs like laptops) and come out of that mode (lock/unlock).
  • the biometric smartcard reader or encoder can be used in security areas as a BIOS login device for access to the PC.
  • the biometric smartcard reader or encoder uses RS232 communications (COM port).
  • the biometric smartcard reader or encoder may be coupled to the PC using a USB port.
  • Software drivers enable access via the USB port.
  • a hard line usually DTR, or RTS in the case of RS232
  • the cable may be used that monitors whether the smartcard has been retracted.
  • the information may be transmitted within a 3DES encrypted signal.
  • BIOS code or software for the PC is modified to add code for the bios login.
  • the chipsets of the PC are replaced with the updated BIOS version. This may be done for different bios chipsets.
  • the smartcard When access is needed to use the PC through the biometric smartcard reader or encoder, the smartcard is inserted into the base of the biometric smartcard reader or encoder, which is coupled to the PC. Fingerprint information is read off the smartcard and the person seeking access to the PC then presents their finger to the biometric smartcard reader or encoder. The fingerprint off the card is compared with the fingerprint on the sensor. If there is a match within the detail level set at enrolment, then the PC determines whether the user has access. The software can be made to check the person's identity as often as needed.
  • BIOS login is enacted.
  • a text message or screen prompt the user to insert a smartcard and apply finger to the sensor of the biometric smartcard reader or encoder, hi the manner described above, the scanned biometric data is compared with the stored biometric data from the smartcard to determine if the scanned and stored biometric data match. If the two match indicating a valid login, the computer continues loading the operating system. However, if the login is invalid, the computer does not load the operating system.
  • the operating system and other software may be modified to provide similar security as that provided by the biometric BIOS login procedure, with appropriate modifications.
  • the operating system may incorporate such functionality.
  • the BIOS login procedure may be invoked to start the computer, but similar checks may be performed by the operating system and/or before loading an application software. Periodically the operating system and/or application software may require successful completion of a biometric login procedure for continued use of the computer and/or software. Retraction of the smartcard from the reader or encoder invokes re- verification, as well. Further specifics of these alternate arrangements are set forth below.
  • the PC or any other host shall use the authentication service in either of the following levels:
  • the BIOS boot up sequence when nearing completion shall communicates to the device and requests an authentication. Once the device supplies a confirmation, authenticating a user via the authentication methods, the BIOS continues the boot sequence.
  • a time limit may be implemented in the BIOS to limit the duration for successful completion of a login.
  • a smartcard may be written to while in Bios level. Accordingly, blacklisting or similar restrictions may be imposed on the smartcard if a given number (e.g. 3) of failures to login occur.
  • OS login level The operating system (OS) during the Login sequence communicate to the device and request an authentication, the authentication may either be locally validated or remotely validated (network logon) and the user granted permission to use the machine (logon).
  • login level The operating system (OS) during the Login sequence communicate to the device and request an authentication, the authentication may either be locally validated or remotely validated (network logon) and the user granted permission to use the machine (logon).
  • Access to certain resources may be protected and/or encrypted.
  • an authentication may be requested from the device and if authentication is provided, then the access may be granted.
  • the device may also perform encryption and/or decryption services.
  • the device may also provide resources like private/secure information storage. Software services may use these resources.
  • the device may also provide resources like Purse and the like that might be used by software services. Cashless systems may utilise the smartcard as an electronic Purse.
  • Access to network resources may also be protected as above.
  • the authentication in this case may be reader or encoder only, device and local computer, device and remote server, device and local and remote computers, and other combinations thereof.
  • re-verification may be required involving presentation of the smartcard, biometrics data, or both.
  • BIOS or application software/operating system dependent upon the reader or encoder, may also be used to LOCK and UNLOCK the PC to allow users to temporarily stop and resume. This may also be activated automatically.
  • Figs. 7 -10 are flow diagrams illustrating processes in accordance with embodiments of the invention.
  • Fig. 9 illustrates a process 900 for protecting a computer system utilising smartcards and/or biometric sensors where a BIOS login and/or BIOS loop is activated.
  • hi step 902 the computer is turned on.
  • the BIOS runs through most checks and routines, hi step 906, the BIOS requests authentication confirmation from the device, hi step 908, a check is made to determine if a smartcard is present. If step 908 returns false (NO), processing continues at step 910.
  • h step 910 the BIOS waits for the smartcard to be inserted. Processing then continues at step 908. If step 908 returns true (YES), processing continues at step 912.
  • step 912 a check is made to determine if the authentication is valid (OK). If step 912 returns false (NO), processing continues at step 914. hi step 914, the BIOS halts. Processing then continues at decision step 920. In step 920, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 920 returns false (NO), processing continues at step 918. In step 918, the failed number is incremented. Processing then continues at step 912. Otherwise if step 920 returns true (YES), processing continues at step 922. In step 922, the computer is shutdown or resets.
  • step 924 the failure number is set equal to zero (0).
  • step 926 the BIOS completes its checks and routines.
  • step 928 the BIOS implements a loop to ensure that authentication stays active, hi step 930, the BIOS hands over operation of the computer to the operating system with the BIOS loop remaining in the background. If the smartcard is retracted, the BIOS loop restarts the computer.
  • Figs. 8A and 8B illustrate a process 800 for protecting a computer system utilising smartcards and/or biometric sensors where software controls re verfication while a BIOS loop remains activated.
  • this processing may be carried out following execution of the process 900 of Fig. 9.
  • step 802 software (S/W) takes control of authentication, but the BIOS loop is still in place, hi decision step 804, a check is made to determine if a smartcard is present in the smartcard reader or encoder. If step 804 returns false (NO), processing continues at step 806.
  • step 806 the BIOS loop is broken, which results from software issuing a command that authentication has failed.
  • step 808 the computer is reset. Otherwise, if step 804 returns true (YES), processing continues at step 810.
  • decision step 810 a check is made to determine if the first software login or a re-verification is occurring. If step 810 returns false (NO), processing continues at step 816. Otherwise, if step 810 returns true (YES), processing continues at step 812.
  • decision step 812 a check is made to determine if a first login authentication is required. If decision step 812 returns false (NO), processing continues at step 814. hi step 814, access to the computer system is granted. Processing then continues at step 824. Otherwise if decision step 812 returns true (YES), processing continues at step 816. hi step 816, a state is entered where a password or device authentication is required.
  • step 818 a check is made to determine if the authentication obtained from step 816 is valid (OK). If step 818 returns false (NO), processing continues at step 820. hi step 820, the software (S/W) initiates a re-verification. The failure number is also incremented. Processing then continues at decision step 822. h step 822, a check is made to determine if the failure number has reached a predetermined nmnber, preferably three (3). If step 822 returns false (NO), processing continues at step 816. Otherwise if step 822 returns true (YES), processing continues at step 808. Otherwise, if step 818 returns true (YES), processing continues at step 824.
  • hi step 824 the failure number is set to zero (0).
  • decision step 826 a check is made to determine if the smart card is still inserted in the device. This may be done by checking the state of the latch or switch in the reader or encoder. Again, the smartcard in the reader or encoder may be read at intervals for a smartcard number. The smartcard present signal may preferably be sent by hardwire or as an encrypted signal. If step 826 returns false (NO), processing continues at step 820. If decision block 826 returns true (YES), processing continues at step 830. hi step 830, a screen saver is activated, or a verification timeout is activated. Re-verification is needed.
  • step 832 a check is made to determine if the authentication is valid (OK). If step 832 returns true (YES), processing continues at step 824. Otherwise if step 832 returns false (NO), processing continues at step 834. In step 834, the operating system initiates a re-verification, and increments the failure number. Processing then continues at decision step 836. In step 836, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 836 returns false (NO), processing continues at step 830. Otherwise if step 836 returns true (YES), processing continues at step 808.
  • Fig. 7 illustrates a process 700 for protecting a computer system utilising smartcards and/or biometric sensors using a software process where a BIOS loop is not activated but a BIOS start did occur. That is there is no external BIOS loop, with only software in conjunction with the operating system controlling authentication and re- verification.
  • the software S/W takes control of authentication
  • hi decision step 704 a check is made to detennine if a smartcard is present in the smartcard reader or encoder. If step 704 returns false (NO), processing continues at step 706.
  • step 706 the software waits for a smartcard to be inserted into the reader or encoder. Processing then continues at step 704. Otherwise, if step 704 returns true (YES), processing continues at step 708.
  • hi decision step 708 a check is made to determine if the first software (S/W) login is occurring. If step 708 returns false (NO), processing continues at step 714. Otherwise, if step 708 returns true (YES), processing continues at step 710.
  • decision step 710 a check is made to determine if a first software login authentication is required. If decision step 710 returns false (NO), processing continues at step 712. h step 712, access to the computer system is granted. Processing then continues at step 726. Otherwise if decision step 710 returns true (YES), processing continues at step 714.
  • step 714 a state is entered where a password or device authentication is required. To do so, the smartcard must be presented to or inserted into the device, and biometrics data generated. If there is a match between the smartcard data and the scanned biometrics data, the encoder or reader generates an authentication signal
  • decision step 716 a check is made to determine if the authentication obtained from step 714 is valid (OK). If step 716 returns true (YES), processing continues at step 726.
  • step 726 the software waits for a timeout, or for the smartcard to be retracted from the reader or encoder.
  • the smartcard in the reader or encoder may be read at intervals for a smartcard number.
  • the smartcard present signal may preferably be sent by hardwire or as an encrypted signal.
  • step 728 the software initiates a re-authentication. Processing then continues at step 706.
  • step 716 returns false (NO)
  • step 718 the software initiates a re-verification.
  • the failure number is also incremented.
  • decision step 720 a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 720 returns false (NO), processing continues at step 714. Otherwise if step 720 returns true (YES), processing continues at step 722. hi step 722, the software requests an input lock. In step 724, the user must wait a pre-determined time, or be reactivated by an administrator.
  • Figs. 10A and 10B illustrate a process 1000 for protecting a computer system utilising smartcards and/or biometric sensors where software controls authentication and/or re-verfication. That is, there is no BIOS loop or BIOS start involved.
  • step 1000 for protecting a computer system utilising smartcards and/or biometric sensors where software controls authentication and/or re-verfication. That is, there is no BIOS loop or BIOS start involved.
  • step 1002 software (S/W) takes control of authentication, as the operating system loads.
  • step 1004 the computer inputs are locked until a smartcard is presented to or inserted into the device, i.e. the reader or encoder with the smartcard detection mechanism.
  • step 1006 a password or device authentication is required.
  • hi decision step 1008 a check is made to determine if the authentication obtained from step 1006 is valid (OK). If step 1008 returns false (NO), processing continues at step 1010.
  • step 1010 the software (S/W) initiates a re- verification. The failure number is also incremented. Processing then continues at decision step 1012.
  • step 1012 a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 1012 returns false (NO), processing continues at step 1006. Otherwise if step 1016 returns true (YES), processing continues at step 1014. In step 1014, the computer is reset or shutdown. Otherwise, if step 1008 returns true (YES), processing continues at step 1016.
  • step 1016 the failure number is set to zero (0).
  • decision step 1018 a check is made to determine if the smart card is still inserted or present in the device. This may be done by checking the state of the latch or switch in the reader or encoder. Again, the smartcard in the reader or encoder may be read at intervals for a smartcard number. The smartcard present signal may preferably be sent by hardwire or as an encrypted signal. If step 1018 returns false (NO), processing continues at step 1010. If decision block 1018 returns true (YES), processing continues at step 1020. hi step 1020, a screen saver is activated, or a verification timeout is activated. Re- verification is needed.
  • step 1022 a check is made to determine if the authentication is valid (OK). If step 1022 returns trae (YES), processing continues at step 1016. Otherwise if step 1022 returns false (NO), processing continues at step 1024. In step 1024, the operating system initiates a re- verification, and increments the failure number. Processing then continues at decision step 1026. In step 1026, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 1026 returns false (NO), processing continues at step 1020. Otherwise if step 1026 returns true (YES), processing continues at step 1014.
  • the method of protecting a computer system utilising smartcards and/or biometric sensors is preferably practiced using a general-purpose computer system, in which the processes of Figs. 1-3 and 7-11 may be implemented as firmware in the BIOS chip(s) and/or software, such as an application program executing within the computer system.
  • the steps of method of protecting a computer system utilising smartcards and/or biometric sensors are effected, at least in part, by instructions in the software that are carried out by the computer.
  • the instructions may be formed as one or more code modules, each for performing one or more particular tasks.
  • the software may be stored in a computer readable medium, including the storage devices described below, for example.
  • the software is loaded into the computer from the computer readable medium, and then executed by the computer.
  • a computer readable medium having such software or computer program recorded on it is a computer program product.
  • the use of the computer program product in the computer preferably effects an advantageous apparatus for protecting a computer system utilising smartcards and or biometric sensors.
  • Examples of computers on which the described arrangements can be practised include IBM-PC's and compatibles, Sun Sparcstations or alike computer systems. Still further, the software can also be loaded into the computer system from other computer readable media.
  • the term "computer readable medium” as used herein refers to any storage or transmission medium that participates in providing instructions and/or data to the computer system for execution and/or processing. Examples of storage media include floppy disks, magnetic tape, CD-ROM, a hard disk drive, a ROM or integrated circuit, a magneto-optical disk, or a computer readable card such as a PCMCIA card and the like, whether or not such devices are internal or external of the computer module. Examples of transmission media include radio or infra-red transmission channels as well as a network connection to another computer or networked device, and the Internet or Intranets including e-mail transmissions and information recorded on Websites and the like.

Abstract

A security system (1100) for controlling access to a computer system (1102, 1104) utilising a smartcard reader or encoder (1120) coupled to the computer system (1102, 1104) is disclosed. A smartcard (1130) encoded with data is read using the smartcard reader or encoder (1120). Authentication data from the smartcard reader or encoder (1120) is then checked to determine whether access to the computer system (1102, 1104) is granted or prohibited. If a determination is made to grant access, access to the computer system (1102, 1104) is granted. Preferably, biometric data is required from a user and must be identified with that of an authorised user before access is granted to the computer system (1102, 1104). The smartcard (1130) encoded with details of biometric data is read, and actual biometric data is sensed.

Description

A SMARTCARD SECURITY SYSTEM FOR PROTECTING A COMPUTER SYSTEM
Field of the Invention The present invention relates generally to security systems and in particular to security systems utilising smartcards and/or biometric sensors.
Background
Existing security systems are of several different types. One type of security system utilises a smartcard as a key for access to a secure location or secure equipment. The smartcard contains security information providing access via a smartcard reader at the access point. A user presents the reader with the smartcard. If the smartcard is authorised, the reader actuates a control mechanism to provide access. Thus, for example, the reader may signal a controller that controls operation of a latch mechanism controlling access to a door or provide access to a computer terminal. One example of a relevant reader that may be used in such a system is a Wiegand reader. One significant disadvantage of such systems is that the smartcard if stolen or otherwise in the possession of an unauthorised person may allow the unauthorised person to access the secure location or equipment.
Another security system utilises a biometric sensor to control access. A user must provide biometric data, normally a fingerprint, speech, or an eye scan via a sensor at the access point. Other forms of biometric data include facial details and hand geometry. Biometrics is a physical characteristic of a person used as a form of identification. The biometrics data is used in place of, or in addition to a security key, such as a key, card or PIN. A database or central repository of stored biometric data is maintained in a computer, with which the sensor can communicate. The scanned biometric data is compared with the stored biometric data, and if a match is found the user is permitted access. This system is generally more secure than that of the smartcard system, but is disadvantageous in that a central repository of biometric data must be maintained and updated. Further, significant time may be required to conduct such a comparison of the scanned biometric data against the database or central repository to determine whether or not there is a match. Computer systems may also require security. In such systems, the BIOS of a computer system may be configured to require an operator to provide a password using a keyboard to type text to access the computer system and load the operating system. Alternatively, the operating system and/or application software may require the operator to provide a password to load the operating system or use the application software.
However, security based on text password protection may be defeated in numerous ways. For example, another person may learn of a user's text password, or generate the password using automated techniques. One of the difficulties with password security techniques is that such a password can be readily transferred or acquired by another person.
Thus, a need clearly exists for an improved security system for protecting a computer system from access by an unauthorised person.
Summary hi accordance with an aspect of the invention, there is provided a method of controlling access to a computer using a smartcard reader or encoder coupled to the computer. Preferably, the smartcard reader or encoder is a biometric smartcard reader or encoder. A smartcard encoded with data is read using the smartcard reader or encoder. Preferably, the data read from the smartcard is stored biometric data. Authentication data from the smartcard reader or encoder is checked to determine whether access to the computer is granted or prohibited. If a determination is made to grant access, access to the computer is granted. The method preferably includes the step of locking all inputs of the computer other than a communications port of the computer to which said reader or encoder is coupled.. The granting step includes the step of unlocking the inputs.
Preferably, the method further includes the step of obtaining scanned biometric data using a sensor of the biometric smartcard reader or encoder. The authentication data may generate by the biometric smartcard reader or encoder dependent upon a comparison of the stored biometric data and the scanned biometric data. Access is granted to the computer if the stored biometric data and the scanned biometric data match. Preferably, the steps of the method are carried out using the computer in a process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
In accordance with further aspects of the invention, an apparatus and a computer program product are provided for controlling access to a computer using a smartcard reader or encoder coupled to the computer.
In accordance with yet another aspect of the invention, a system for controlling access to a computer is provided. The computer has a communications port and implements at least one process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process. A smartcard reader or encoder is coupled to the computer via the communications port for reading a smartcard encoded with data. A module is provided for checking authentication data from the smartcard reader or encoder to determine whether access to the computer is granted or prohibited in the process. A module is also provided for, if a determination is made to grant access, granting access to the computer in the process.
Brief Description of the Drawings A small number of embodiments are described hereinafter with reference to the drawings, in which:
Fig. 1 is a high-level flow diagram illustrating an enrolment operation of a biometric smartcard system including a biometric smartcard reader or encoder in accordance with an embodiment of the invention; Fig. 2 is a flow diagram illustrating a process of enrolling a fingerprint on a smartcard using a biometric smartcard encoder, providing further details of the embodiment of Fig. 1;
Fig. 3 is a flow diagram illustrating a process of verifying a finger on the biometric smartcard encoder, providing further details of the embodiment of Fig. 1; Fig. 4A is a block diagram illustrating the structure of storage or memory in a smartcard in accordance with the embodiment of the invention;
Fig. 4B is a table illustrating an arrangement of security keys used in the smartcard of Fig. 4A in accordance with the embodiment of the invention; Fig. 5 is a functional block diagram showing modules of a biometric smartcard reader or encoder in accordance with the embodiment of the invention;
Fig. 6 is a perspective view of a biometric smartcard reader or encoder in accordance with the embodiment of the invention shown in Fig. 5; Fig. 7 is a flow diagram illustrating a process of providing security in which software controls authentication where BIOS loop is not active but a BIOS start occurred;
Figs. 8A and 8B are a flow diagram illustrating another process of providing security in which software controls authentication where BIOS loop is active;
Fig. 9 is a flow diagram illustrating yet another process of providing security in which a BIOS start occurred and a BIOS loop is active;
Figs. 10A and 10B are a flow diagram illustrating a further process of providing security in which software only controls authentication where a BIOS loop is not active and a BIOS login did not occur; and
Fig. 11 is a block diagram of a security system for controlling access to a computer system utilising a smartcard reader or encoder coupled to the computer system in accordance with the embodiments of the invention.
Detailed Description
A method and a security system for protecting a computer system utilising smartcards and/or biometric sensors are described hereinafter. Numerous specific details are set forth. However, it will be apparent to those skilled in the art in the light of this disclosure that various modifications may be made without departing from the scope and spirit of the invention. Embodiments of the invention provide equipment that utilise biometric and smartcard technologies. As the smartcard preferably holds the biometric information, the requirement of central repositories of biometric data and associated security issues are obviated. Significant applications of such an reader or encoder is as an access control device at security point, whether for access via a door or other portal, or to a computer, network, or other secure equipment or installation.
Some portions of the description that follows are explicitly or implicitly presented in terms of algorithms and symbolic representations of operations on data within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
It should be borne in mind, however, that the above and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, and as apparent from the following, it will be appreciated that throughout the present specification, discussions utilizing terms such as "scanning", "reading", "analyzing", "determining", "accessing", "generating" "initializing", "resetting", or the like, refer to the action and processes of a computer system, or similar electronic device, that manipulates and transforms data represented as physical (electronic) quantities within the registers and memories of the computer system into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
The present specification also discloses apparatus for performing the operations of the methods. Such apparatus may be specially constructed for the required purposes, or may include a general-purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer. The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose machines may be used with programs in accordance with the teachings herein. Alternatively, the construction of more specialized apparatus to perform the required method steps may be appropriate. The structure of a conventional general- purpose computer appears from the description below.
In addition, the present invention also implicitly discloses a computer program, in that it would be apparent to the person skilled in the art that the individual steps of the preferred method described herein may be put into effect by computer code. The computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein. Moreover, the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing the spirit or scope of the invention. Furthermore one or more of the steps of the computer program may be performed in parallel rather than sequentially.
Such a computer program may be stored on any computer readable medium.
The computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general- purpose computer. The computer readable medium may also include a hard-wired medium such as exemplified in the Internet system, or wireless medium such as exemplified in the GSM mobile telephone system. The computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the preferred method.
The preferred method(s) comprise a particular control flow. There are many other variants of the preferred method(s) which use different control flows without departing the spirit or scope of the invention. Furthermore one or more of the steps of the preferred method(s) may be performed in parallel rather sequential.
Overview Generally, the embodiments of the invention relate to a technique of controlling access to a computer using a smartcard reader or encoder. Fig. 11 is a block diagram of such a computer system including a computer 1102 and a monitor 1104, with which the embodiments of the invention may be practiced. Preferably, the technique is implemented as a BIOS login process, a software login process, a resource access process, a network resource access process, or a stop/resume process, all of which are described in greater detail hereinafter. The smartcard reader or encoder 1120 is coupled to the computer 1102 via a communications port 1140 (depicted by cable in Fig. 11) and preferably is a biometric smartcard reader or encoder 1120. The smartcard reader or encoder 1120 reads the data encoded in the smartcard 1130, which is preferably stored biometric data. Authentication data from the smartcard reader or encoder 1120 is checked to determine whether access to the computer 1102 is granted or prohibited. If a determination is made to grant access, access to the computer 1102 is granted. The method preferably includes the step of locking all inputs of the computer 1102 other than the communications port 1140. The granting step includes the step of unlocking the inputs.
h the following description, the embodiments of the invention are described with reference to a biometric smartcard reader or encoder, although the scope of the invention has broader application to smartcard readers or encoders generally. With reference to a biometric smartcard reader or encoder, a reader is a device that is able to scan a person's biometric data and read a smartcard to obtain stored biometric data. The biometric data is preferably a fingerprint. The smartcard is presented to or inserted into the reader (preferably, 10 mm to 40 mm away), and write/read operations are communicated from the reader to the smartcard. The reader then compares the scanned biometric data and stored biometric data to determine if there is a match. The reader may be located at an access point to provide access to a location or equipment in a security system dependent on the results of the comparison. An encoder is able to perform the functions of a reader including contactless communications with the smartcard, but also is able to encode a smartcard with personal details and biometric data. More particularly, the encoder preferably includes a logical access system where all access in a facility is controlled using a card, i.e. for doors, for PC access, etc. Such a smartcard access system by its nature almost ensures that the user does not forget to leave the smartcard behind.
Preferably, an encoder has an appropriate interface to enable the encoder to be connected with a computer to enrol a person's details and biometric data on the smartcard using software running on the computer. The encoder stores biometric data in a two- dimensional structure or template and card holder details on the smartcard. The encoder may have an insert slot in the housing body to receive such a smartcard. The slot allows detection of the smartcard during an encoding process. A reader cannot be used for enrolment of biometric data and other associated information on a smartcard as can an encoder. For ease of description, the following text uses the two terms biometric smartcard reader and biometric smartcard encoder substantially interchangeably, but the noted distinctions should be borne in mind.
Before proceeding with a detailed description of the smartcard security system or technique for protecting a computer system, a description is provided of the some of the components of the system or technique.
Biometric Smartcard Reader or Encoder
Fig. 5 is a block diagram illustrating a smartcard 540 and a biometric smartcard reader 500 in accordance with an embodiment of the invention. This biometric smartcard reader 500 is smaller than other biometric units. The biometric smartcard reader 500 includes a biometric sensor 510 coupled to a sensor control module or printed circuit board 520. The sensor PCB 520 contains modules for processing and encoding scanned biometric data into a suitable digital representation using a given coding algorithm (e.g., Sagem). The fingerprint is stored as a template preferably and not as a digital image. An algorithm is used to generate the template. For fingerprints, examples of relevant algorithms use minutiae reference points, or ridge recognition patterns, for example. In turn, the sensor PCB 520 is coupled to a smartcard reader PCB 530 and sends fingerprint data in a given template to the smartcard reader PCB 530, which is also able to interrogate and obtain data from a smartcard 540. This is preferably done by presenting the smartcard reader PCB 530 with the smartcard 540, in which the smartcard reader PCB 530 energises the smartcard 540 if in close proximity and communicates with the smartcard 540. Preferably, the smartcard reader PCB 530 is a contactless reader using a Philips Mifare® Chip, and the PCB 530 utilises the RS232 or USB format for its output. Communication between the smartcard 540 and the smartcard reader PCB 530 is encrypted. The encryption utilised with this embodiment involves a proprietary encryption method of Mifare®, which is embedded in the Mifare® smartcards. Another option is to use 3 -DES encryption. However, it will be apparent to those skilled in the art in the light of this disclosure that other encryption techniques may be used without departing from the scope and spirit of the invention.
More preferably, the biometric smartcard reader 500 incorporates a biometric finger scan sensor 510 (e.g., for scanning fingerprints) with an accompanying sensor PCB 520. The fingerprint sensor technology may be optical, capacitive, thermal, tactile, or a combination of the foregoing. An example of a sensor arrangement that may be used is a Bioscrypt product provided by Bioscrypt Inc. including an Authentic sensor, a Bioscrypt PCB, and Bioscrypt's own encoding algorithm. Alternatively, the sensor arrangement may be implemented using an ST sensor, a Yuean PCB provided by Yuean Biometrics, and the Sagem algorithm, or a SecuGen product provided by SecuGen Corporation including a SecuGen sensor, a SecuGen PCB, and the SecuGen algorithm. Still further, a SecuGen optical solution may be practiced that enables a rugged and robust design. However, it will be apparent to those skilled in the art in the light of this disclosure that other biometric sensors may be practiced without departing from the scope and spirit of the invention. The sensor 510 and associated PCB 520 scan a person's fingerprint and generate a digital representation of that fingerprint as digital biometric data. Fig. 6 is a perspective view of a biometric smartcard encoder 600, which embodies the reader or encoder 500 of Fig. 5 including a biometric sensor 610/510, an associated sensor PCB 520 (not shown), and a Mifare® smartcard reader PCB 530 (not shown) in a single unit. The encoder 600 also includes a receptacle or socket 620 into which a smartcard can be inserted. Inside the receptacle is a latch or switch (not shown) for detecting the presence of the smartcard. Any of a number of mechanisms in addition to a latch or switch may be practiced without departing from the scope and spirit of the invention.
The smartcard 540 is adapted to store a digital representation of the biometric data. Preferably, the smartcard is a Mifare® smartcard for use with the contactless Mifare® reader. Preferably, the smartcard 540 has approximately 1 Kbyte of storage or memory. Smartcards with different memory sizes may be practiced, e.g. 2 KB, 4 KB, and 8 KB. Fig. 4A is a block diagram illustrating the structure of the storage 400 in the
Mifare® smartcard, which is organised into 16 separate sectors 410-414 - 0 sector 410, 1 sector 412, ..., 15 sector 414. The sectors may be equally sized or may be variably sized (e.g., for 16 KB cards). Each of the sectors 410-414 has two keys, Key A and Key B as shown in Fig. 4B. These keys can be designated as read and read/write keys. The keys may also be designated write only keys. The keys A and B for each sector are initialised by the manufacturer (e.g. 10 hexadecimal characters each) and can be changed when the sectors are written to to contain biometric data in accordance with the embodiment of the invention. Each Mifare® smartcard 540 also has a unique serial number or identifier. Preferably, the 15th sector 414 contains one or more of the following security parameters for use in the system of Fig. 5: a facility code, a company code, an access code, and an issue code. The facility code can identify a facility that the smartcard permits access to for a given entity or company, which is identified by the company code. The issue code identifies how many smartcards have been issued to a person. For example, if the issue code is 3, the system may hotlist corresponding smartcards for the person with issue codes of 1 or 2.
Dependent upon the format of the digital biometric data, the smartcard 540 stores such data across two or more sectors with corresponding keys for each sector of data. In the preferred embodiment, 5 to 6 sectors are used to store a digital fingerprint representation or template. For example, an ST sensor and an Yuean PCB produce a digital fingerprint representation that is approximately 320 bytes long. The length of the representation may vary depending on the different biometric sensor products and algoritlims used. As noted above, each sector needs a customer specific key to unlock the information.
Preferably, the reader 500/600 incorporates a switch or latch internally for detecting the presence or insertion of a smartcard into the reader.
As described in greater detail below, use of the biometrics smartcard encoder 500 enables authorised persons using a properly enrolled smartcard to access to a secure location or equipment, for example. Lost or stolen smartcards 540 are unusable as the person with the lost or stolen smartcard 540 does not have the correct biometrics data (e.g., fingerprint) to match that stored on the smartcard 540. Still further, another advantage of this embodiment is that the biometric smartcard reader 500 of Fig. 5 obviates the need for a central database or repository of biometric data, since the biometrics data is stored on the smartcard 540.
In combination with a computer (not shown), a biometrics smartcard encoder
500 can also be used to enrol a person's fingerprint on a smartcard 540. The biometrics smartcard encoder 500 uses an RS232 or USB communications port, in conjunction with software, to enrol the person's fingerprint onto the smartcard 540. Generally, software or a computer program(s) miming on the computer in combination with the biometrics smartcard encoder 500 obtains personal details for a person, scans and records a fingerprint for the person, and then writes the personal details and fingerprint representation to the smartcard 540. Preferably, this embodiment does not permit fingerprint information to travel to the computer. Instead, the biometric smartcard encoder 500 stores the information and writes the information directly to the smartcard 540. The information is then erased from the memory of the biometric smartcard encoder 500. When enrolling a person's fingerprint, the detail level for scanning by the biometric smartcard encoder 500 can be changed to enable persons with scarred hands or other aberrations to use the encoder 500. This process is set forth in greater detail with reference to Fig. 1.
Fig. 1 is a high-level flow diagram illustrating details of a process 100 of obtaining and storing biometric information in a smartcard 540 using the biometric smartcard encoder (i.e., biometric unit) 500/600. In state 110, the biometric smartcard encoder 500 is initially idle, h step 112, a command is sent to the biometric smartcard encoder 500 to capture a person's fingerprint. This is preferably done by the computer using a communications port, hi step 114, the sensor 510/610 of the biometric smartcard encoder 500 captures a fingerprint image. The sensor 510/610 analyses the scanned fingerprint and creates an image, hi step 116, the image is coded and the data to be stored is created. This is preferably done by the sensor PCB 520 in combination with the sensor 510. hi step 118, the smartcard 540 is presented to or inserted into the smartcard reader PCB 530, and the biometric data from the sensor PCB 520 is written into the smartcard 540 by the smartcard reader PCB 530. State 120 at the end of the process 100 shows that the digital fingerprint representation is stored on the smartcard 540. This smartcard 540 can then be used as a security key in relation to a biometric security system.
Generally, when verification or access is required using a biometric smartcard reader 500/600, the smartcard 540 is presented to or inserted into the biometric smartcard reader 500/600 and the fingerprint information is read off the smartcard 540 by the biometric smartcard reader 500/600. The person then presents their finger to the sensor 510/610 of the biometric smartcard reader 500/600 for scanning. The fingerprint representation read off the smartcard 540 is compared by the biometric smartcard reader 500/600 with the fingerprint currently obtained using the sensor 510/610. If there is a match within the detail level set at enrolment, the biometric smartcard reader 500/600 checks access privileges using the access code from the smartcard 540 and if the holder has appropriate access privileges, access is granted by the biometric smartcard reader 500/600 to the smartcard holder. Verification is strongly dependent on enrolment. A score of 100 applies for a high quality and content template. A medium threshold level may look for a score of 60, for example. The threshold level may be varied to adjust quality and content of a template.
Details of Enrolment Process
Fig. 2 is a more detailed flow diagram of a process 200 of enrolling a fingerprint using a biometric smartcard encoder, based on Fig. 1. In an initial state 210, a biometric software application is ran or launched. As noted above, this software is run on a computer connected to a biometric smartcard encoder 500/600, preferably using a RS232 or USB communications port. In step 212, a relevant RS232 or USB port is selected by the software. Other interfaces may be practiced without departing from the scope and spirit of the invention, hi step 214, the communications link (COM port) is tested to ensure the communications link is operating properly. Communication between the smartcard reader PCB 530 and the computer is preferably triple DES or Skipjack encrypted. Therefore, the information sent for access to the computer is highly difficult to compromise. In step 216, enrolment of a person's fingerprint is commenced. Preferably, this is done by clicking on an enrolment tab in the software application to commence enrolment processing. In step 218, personal details of the person whose fingerprint is to be enrolled are obtained and the type of smartcard being written to is specified. The relevant information may include one or more of the person's name, facility code, company code, access code, and issue code. Alternatively, the smartcard may be pre-encoded with some or all of this information.
In step 220, the desired detail level of the fingerprint is specified using the software application. In particular, this is done using a quality meter in the software where the detail level for the sensor 510 and PCB 520 is specified. Ordinarily, the quality is set as high as possible to avoid misreads. However, the quality can be adjusted downwardly to avoid or reduce the effects of scar tissue and other aberrations on the person's finger. In step 222, the person's fingerprint is presented to the sensor 510/610 of the biometric smartcard encoder 500/600, and the person's fingerprint is scanned. The data stream for the scanned fingerprint is sent from the sensor 510/610 to the sensor PCB 520. The information is then coded with the specific algorithm within the sensor PCB 520. The coded information is then sent to the smartcard reader PCB 530 and from there encoded onto the smartcard 540.
In decision block 224, a check is made to determine if the quality of the scanned fingerprint image from the sensor 510/610 is adequate. The sensor 510 and PCB 520 determines quality. The biometric smartcard encoder 500/600 indicates this to the computer, since the fingerprint is preferably not transferred to the computer. If the quality is inadequate (NO), the quality is reduced to enable enrolment in step 226 and processing continues at step 222. This may occur multiple times. If decision block 224 determines that the quality is adequate (YES), processing continues at step 228.
In step 228, a smartcard 540 is presented to or inserted into the smartcard reader PCB 530 of the biometric smartcard encoder 500/600. Presentation or insertion of the smartcard 540 to the smartcard reader PCB 530 results in the encoded fingerprint template and related keys for each sector being downloaded onto the smartcard 540. The commmiication between the smartcard 540 and the reader PCB 530 is encrypted. As noted above, the encrypted, encoded fingerprint representation is normally stored across several sectors in the storage of the smartcard. Also personal details and other information may be stored on the smartcard 540. In step 230, a check is made to determine if the encoding of the smartcard 540 was successful. If decision block 230 returns true (YES), the fingerprint template has been encoded successfully on the smartcard 540 using the encoder 500. If decision block 230 returns false (NO), processing continues at decision block 232. hi decision block 232, a check is made to determine if the smartcard type details are correct. For example, the smartcard 540 may be a new or used smartcard. A new smartcard has default values in its storage, while a used smartcard has changed keys A and B for example. Further, or alternatively, a different type of smartcard may be used, for example, from different manufacturers. If decision block 232 returns false (NO) indicating the card type details are incorrect, processing continues at step 234 and the correct smartcard type must be specified to the software. This may be done by clicking on the correct smartcard type in the software. Processing then continues at step 236. If decision block 232 returns true (YES), processing continues at step 236. In step 236, another smartcard is tried or obtained for presentation or insertion instead of the smartcard previously presented to or inserted into the smartcard reader PCB 530 of the encoder 500/600. Processing then continues at step 228.
Details of Verification Process
After a fingerprint representation and associated information are enrolled on a smartcard 540, verification of the enrolment on the smartcard 540 may be required.
Fig. 3 is a flow diagram illustrating a process 300 of verifying a fingerprint scanned by the biometric smartcard encoder 500/600 and enrolled on the smartcard 540. In state 310, the biometric application software is loaded. In step 312, the communications link (e.g., COM port or USB) between the computer and the biometric smartcard encoder 500 is selected. In step 314, the communications link is tested to ensure the link is operating properly. In step 316, a verification application module in the software is activated. Preferably, this is done by clicking on a verify tab in the biometric application software. In step 318, the smartcard 540 with enrolled fingerprint information is presented to or inserted into the encoder 500/600, which reads and stores the fingerprint information from the smartcard 540. hi step 320, the person's finger is presented to sensor 510/610 of the biometric smartcard encoder 500, and the person's fingerprint is scanned and stored. The biometric smartcard encoder 500 then compares in the smartcard reader PCB 530 the scanned fingerprint template from the sensor 510/610 and the uploaded fingerprint template from the smartcard 540.
In decision block 322, a check is made to determine if the verification passed (OK). The encoder 500/600 provides the comparison result to the computer to establish verification. If decision block 322 returns true (YES), processing continues at state 324 and the fingerprint on the smartcard is verified as that of the fingerprint obtained at the sensor 510/610. Otherwise, if decision block 322 returns false (NO), processing continues at step 326. hi step 326, a check is made to determine if the verification bar in the software was raised. Preferably, a quality bar and a verification bar showing current levels are depicted graphically to an operator of the application software on opposite sides of a graphical image of a fingerprint icon, which indicates to the operator when a fingerprint has been properly scanned by the encoder 500/600. Raising the verification bar indicates a better match between the scamied fingerprint and the one from the smartcard 540. Verification is dependent on the quality level at enrolment. If decision block 326 returns true (YES), processing continues at step 332 and the finger must be positioned correctly for verification, before processing continues at step 320. Otherwise, if decision block 326 returns false (NO), processing continues at step 328. A determination is made that the incorrect finger has been used in relation to the recorded fingerprint information on the smartcard. In step 330, the correct finger is determined before proceeding to step 320.
Alternative Biometric Smartcard Reader or Encoder h an alternate embodiment, the biometric smartcard reader or encoder may have both contacless Mifare smartcard and contact smartcard technology. Such a hybrid biometric smartcard reader or encoder may assist in situations where the smartcards currently used are of the contact type but the needs of a business will ultimately demand a contactless solution.
Security System for Computer System Advantageously, an embodiment of the invention utilises a smartcard reader or encoder to control access to a personal computer (PC). The embodiment of the invention may be practiced with other forms of computer systems. More preferably, a biometric smartcard reader or encoder is used to control access to a PC. Each device provides an authentication service as a peripheral device to the PC. The request for authentication and the authentication are communicated to and from the reader or encoder using serial or USB communications, hi the case of a polling loop option, the device keeps monitoring the status of card presence in the encoder or reader and communicates the removal of the smartcard from there to the PC. The BIOS is modified to check the latch of the reader or encoder via RS232, in a BIOS loop mode, while software and the operating system uses polling running in the background that can user RS232 or USB communications port. It will be apparent to those skilled in the art in the light of this disclosure that the embodiments of the invention have application to other computer systems, as well as personal computers. For ease of description, the embodiments of the invention are described hereinafter with reference to a biometric smartcard reader or encoder. The device locks and unlocks all inputs of the PC (similar in manner to operation of a screen saver). All inputs are hooked and input activity suspended until the unlock is performed. This type of functionality is well known to those skilled in the art. Relevant inputs include one or more of a keyboard, a mouse, and the like. The BIOS/operating system may activate a standby mode (in PCs like laptops) and come out of that mode (lock/unlock).
The biometric smartcard reader or encoder can be used in security areas as a BIOS login device for access to the PC. The biometric smartcard reader or encoder uses RS232 communications (COM port). Alternatively, the biometric smartcard reader or encoder may be coupled to the PC using a USB port. Software drivers enable access via the USB port. A hard line (usually DTR, or RTS in the case of RS232) in the cable may be used that monitors whether the smartcard has been retracted. Alternatively, the information may be transmitted within a 3DES encrypted signal.
BIOS code or software for the PC is modified to add code for the bios login. The chipsets of the PC are replaced with the updated BIOS version. This may be done for different bios chipsets.
When access is needed to use the PC through the biometric smartcard reader or encoder, the smartcard is inserted into the base of the biometric smartcard reader or encoder, which is coupled to the PC. Fingerprint information is read off the smartcard and the person seeking access to the PC then presents their finger to the biometric smartcard reader or encoder. The fingerprint off the card is compared with the fingerprint on the sensor. If there is a match within the detail level set at enrolment, then the PC determines whether the user has access. The software can be made to check the person's identity as often as needed.
Once the personal computer is powered on, standard detects (POST) are completed and before there is a chance to use the PC with any operating system, the BIOS login is enacted. A text message or screen prompt the user to insert a smartcard and apply finger to the sensor of the biometric smartcard reader or encoder, hi the manner described above, the scanned biometric data is compared with the stored biometric data from the smartcard to determine if the scanned and stored biometric data match. If the two match indicating a valid login, the computer continues loading the operating system. However, if the login is invalid, the computer does not load the operating system.
In a similar manner, the operating system and other software may be modified to provide similar security as that provided by the biometric BIOS login procedure, with appropriate modifications. As an alternative, the operating system may incorporate such functionality. Still further, the BIOS login procedure may be invoked to start the computer, but similar checks may be performed by the operating system and/or before loading an application software. Periodically the operating system and/or application software may require successful completion of a biometric login procedure for continued use of the computer and/or software. Retraction of the smartcard from the reader or encoder invokes re- verification, as well. Further specifics of these alternate arrangements are set forth below.
The PC or any other host shall use the authentication service in either of the following levels:
BIOS level
The BIOS boot up sequence when nearing completion shall communicates to the device and requests an authentication. Once the device supplies a confirmation, authenticating a user via the authentication methods, the BIOS continues the boot sequence. A time limit may be implemented in the BIOS to limit the duration for successful completion of a login. A smartcard may be written to while in Bios level. Accordingly, blacklisting or similar restrictions may be imposed on the smartcard if a given number (e.g. 3) of failures to login occur.
OS login level The operating system (OS) during the Login sequence communicate to the device and request an authentication, the authentication may either be locally validated or remotely validated (network logon) and the user granted permission to use the machine (logon). Resource access level
Access to certain resources (files or others) may be protected and/or encrypted. When access is required, an authentication may be requested from the device and if authentication is provided, then the access may be granted. The device may also perform encryption and/or decryption services. The device may also provide resources like private/secure information storage. Software services may use these resources. The device may also provide resources like Purse and the like that might be used by software services. Cashless systems may utilise the smartcard as an electronic Purse.
Network resource access level
Access to network resources may also be protected as above. The authentication in this case may be reader or encoder only, device and local computer, device and remote server, device and local and remote computers, and other combinations thereof. To go anywhere, re-verification may be required involving presentation of the smartcard, biometrics data, or both.
Stop/Resume level
The BIOS or application software/operating system, dependent upon the reader or encoder, may also be used to LOCK and UNLOCK the PC to allow users to temporarily stop and resume. This may also be activated automatically.
Flow Diagrams of Processes
Figs. 7 -10 are flow diagrams illustrating processes in accordance with embodiments of the invention.
BIOS Login and BIOS Loop
Fig. 9 illustrates a process 900 for protecting a computer system utilising smartcards and/or biometric sensors where a BIOS login and/or BIOS loop is activated. hi step 902, the computer is turned on. In step 904, the BIOS runs through most checks and routines, hi step 906, the BIOS requests authentication confirmation from the device, hi step 908, a check is made to determine if a smartcard is present. If step 908 returns false (NO), processing continues at step 910. h step 910, the BIOS waits for the smartcard to be inserted. Processing then continues at step 908. If step 908 returns true (YES), processing continues at step 912.
h step 912, a check is made to determine if the authentication is valid (OK). If step 912 returns false (NO), processing continues at step 914. hi step 914, the BIOS halts. Processing then continues at decision step 920. In step 920, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 920 returns false (NO), processing continues at step 918. In step 918, the failed number is incremented. Processing then continues at step 912. Otherwise if step 920 returns true (YES), processing continues at step 922. In step 922, the computer is shutdown or resets.
Otherwise, if step 912 returns true (YES), processing continues at step 924. In step 924, the failure number is set equal to zero (0). In step 926, the BIOS completes its checks and routines. In step 928, the BIOS implements a loop to ensure that authentication stays active, hi step 930, the BIOS hands over operation of the computer to the operating system with the BIOS loop remaining in the background. If the smartcard is retracted, the BIOS loop restarts the computer.
Software Login While BIOS Loop Continues
Figs. 8A and 8B illustrate a process 800 for protecting a computer system utilising smartcards and/or biometric sensors where software controls re verfication while a BIOS loop remains activated. This applies where the computer is not rebooted, but the software in conjunction with the operating system controls re-verification. For example, this processing may be carried out following execution of the process 900 of Fig. 9. In step 802, software (S/W) takes control of authentication, but the BIOS loop is still in place, hi decision step 804, a check is made to determine if a smartcard is present in the smartcard reader or encoder. If step 804 returns false (NO), processing continues at step 806. In step 806, the BIOS loop is broken, which results from software issuing a command that authentication has failed. In step 808, the computer is reset. Otherwise, if step 804 returns true (YES), processing continues at step 810. In decision step 810, a check is made to determine if the first software login or a re-verification is occurring. If step 810 returns false (NO), processing continues at step 816. Otherwise, if step 810 returns true (YES), processing continues at step 812.
In decision step 812, a check is made to determine if a first login authentication is required. If decision step 812 returns false (NO), processing continues at step 814. hi step 814, access to the computer system is granted. Processing then continues at step 824. Otherwise if decision step 812 returns true (YES), processing continues at step 816. hi step 816, a state is entered where a password or device authentication is required.
In decision step 818, a check is made to determine if the authentication obtained from step 816 is valid (OK). If step 818 returns false (NO), processing continues at step 820. hi step 820, the software (S/W) initiates a re-verification. The failure number is also incremented. Processing then continues at decision step 822. h step 822, a check is made to determine if the failure number has reached a predetermined nmnber, preferably three (3). If step 822 returns false (NO), processing continues at step 816. Otherwise if step 822 returns true (YES), processing continues at step 808. Otherwise, if step 818 returns true (YES), processing continues at step 824.
hi step 824, the failure number is set to zero (0). In decision step 826, a check is made to determine if the smart card is still inserted in the device. This may be done by checking the state of the latch or switch in the reader or encoder. Again, the smartcard in the reader or encoder may be read at intervals for a smartcard number. The smartcard present signal may preferably be sent by hardwire or as an encrypted signal. If step 826 returns false (NO), processing continues at step 820. If decision block 826 returns true (YES), processing continues at step 830. hi step 830, a screen saver is activated, or a verification timeout is activated. Re-verification is needed.
In decision step 832, a check is made to determine if the authentication is valid (OK). If step 832 returns true (YES), processing continues at step 824. Otherwise if step 832 returns false (NO), processing continues at step 834. In step 834, the operating system initiates a re-verification, and increments the failure number. Processing then continues at decision step 836. In step 836, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 836 returns false (NO), processing continues at step 830. Otherwise if step 836 returns true (YES), processing continues at step 808.
BIOS Loop Not Active. But BIOS Start Occurred
Fig. 7 illustrates a process 700 for protecting a computer system utilising smartcards and/or biometric sensors using a software process where a BIOS loop is not activated but a BIOS start did occur. That is there is no external BIOS loop, with only software in conjunction with the operating system controlling authentication and re- verification. In step 702, the software (S/W) takes control of authentication, hi decision step 704, a check is made to detennine if a smartcard is present in the smartcard reader or encoder. If step 704 returns false (NO), processing continues at step 706. In step 706, the software waits for a smartcard to be inserted into the reader or encoder. Processing then continues at step 704. Otherwise, if step 704 returns true (YES), processing continues at step 708.
hi decision step 708, a check is made to determine if the first software (S/W) login is occurring. If step 708 returns false (NO), processing continues at step 714. Otherwise, if step 708 returns true (YES), processing continues at step 710. In decision step 710, a check is made to determine if a first software login authentication is required. If decision step 710 returns false (NO), processing continues at step 712. h step 712, access to the computer system is granted. Processing then continues at step 726. Otherwise if decision step 710 returns true (YES), processing continues at step 714.
hi step 714, a state is entered where a password or device authentication is required. To do so, the smartcard must be presented to or inserted into the device, and biometrics data generated. If there is a match between the smartcard data and the scanned biometrics data, the encoder or reader generates an authentication signal In decision step 716, a check is made to determine if the authentication obtained from step 714 is valid (OK). If step 716 returns true (YES), processing continues at step 726. In step 726, the software waits for a timeout, or for the smartcard to be retracted from the reader or encoder. The smartcard in the reader or encoder may be read at intervals for a smartcard number. The smartcard present signal may preferably be sent by hardwire or as an encrypted signal. In step 728, the software initiates a re-authentication. Processing then continues at step 706.
If step 716 returns false (NO), processing continues at step 718. In step 718, the software initiates a re-verification. The failure number is also incremented. Processing then continues at decision step 720. In step 720, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 720 returns false (NO), processing continues at step 714. Otherwise if step 720 returns true (YES), processing continues at step 722. hi step 722, the software requests an input lock. In step 724, the user must wait a pre-determined time, or be reactivated by an administrator.
Software Only. No BIOS Loop or BIOS Start
Figs. 10A and 10B illustrate a process 1000 for protecting a computer system utilising smartcards and/or biometric sensors where software controls authentication and/or re-verfication. That is, there is no BIOS loop or BIOS start involved. In step
1002, software (S/W) takes control of authentication, as the operating system loads. In step 1004, the computer inputs are locked until a smartcard is presented to or inserted into the device, i.e. the reader or encoder with the smartcard detection mechanism. In step 1006, a password or device authentication is required.
hi decision step 1008, a check is made to determine if the authentication obtained from step 1006 is valid (OK). If step 1008 returns false (NO), processing continues at step 1010. In step 1010, the software (S/W) initiates a re- verification. The failure number is also incremented. Processing then continues at decision step 1012. h step 1012, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 1012 returns false (NO), processing continues at step 1006. Otherwise if step 1016 returns true (YES), processing continues at step 1014. In step 1014, the computer is reset or shutdown. Otherwise, if step 1008 returns true (YES), processing continues at step 1016.
In step 1016, the failure number is set to zero (0). In decision step 1018, a check is made to determine if the smart card is still inserted or present in the device. This may be done by checking the state of the latch or switch in the reader or encoder. Again, the smartcard in the reader or encoder may be read at intervals for a smartcard number. The smartcard present signal may preferably be sent by hardwire or as an encrypted signal. If step 1018 returns false (NO), processing continues at step 1010. If decision block 1018 returns true (YES), processing continues at step 1020. hi step 1020, a screen saver is activated, or a verification timeout is activated. Re- verification is needed.
In decision step 1022, a check is made to determine if the authentication is valid (OK). If step 1022 returns trae (YES), processing continues at step 1016. Otherwise if step 1022 returns false (NO), processing continues at step 1024. In step 1024, the operating system initiates a re- verification, and increments the failure number. Processing then continues at decision step 1026. In step 1026, a check is made to determine if the failure number has reached a predetermined number, preferably three (3). If step 1026 returns false (NO), processing continues at step 1020. Otherwise if step 1026 returns true (YES), processing continues at step 1014.
Computer Implementation
The method of protecting a computer system utilising smartcards and/or biometric sensors is preferably practiced using a general-purpose computer system, in which the processes of Figs. 1-3 and 7-11 may be implemented as firmware in the BIOS chip(s) and/or software, such as an application program executing within the computer system. In particular, the steps of method of protecting a computer system utilising smartcards and/or biometric sensors are effected, at least in part, by instructions in the software that are carried out by the computer. The instructions may be formed as one or more code modules, each for performing one or more particular tasks. The software may be stored in a computer readable medium, including the storage devices described below, for example. The software is loaded into the computer from the computer readable medium, and then executed by the computer. A computer readable medium having such software or computer program recorded on it is a computer program product. The use of the computer program product in the computer preferably effects an advantageous apparatus for protecting a computer system utilising smartcards and or biometric sensors.
Examples of computers on which the described arrangements can be practised include IBM-PC's and compatibles, Sun Sparcstations or alike computer systems. Still further, the software can also be loaded into the computer system from other computer readable media. The term "computer readable medium" as used herein refers to any storage or transmission medium that participates in providing instructions and/or data to the computer system for execution and/or processing. Examples of storage media include floppy disks, magnetic tape, CD-ROM, a hard disk drive, a ROM or integrated circuit, a magneto-optical disk, or a computer readable card such as a PCMCIA card and the like, whether or not such devices are internal or external of the computer module. Examples of transmission media include radio or infra-red transmission channels as well as a network connection to another computer or networked device, and the Internet or Intranets including e-mail transmissions and information recorded on Websites and the like.
A small number of embodiments of the invention regarding a method and a security system for protecting a computer system utilising smartcards and/or biometric sensors have been described, h the light of the foregoing, it will be apparent to those skilled in the art in the light of this disclosure that various modifications may be made without departing from the scope and spirit of the invention.

Claims

ClaimsThe claims defining the invention are as follows:
1. A method of controlling access to a computer using a smartcard reader or encoder coupled to said computer, said method including the steps of: reading a smartcard encoded with data using said smartcard reader or encoder; checking authentication data from said smartcard reader or encoder to determine whether access to said computer is granted or prohibited; and if a determination is made to grant access, granting access to said computer.
2. The method according to claim 1, further including the step of locking all inputs of said computer other than a communications port of said computer to which said reader or encoder is coupled.
3. The method according to claim 2, wherein said granting step includes the step of unlocking said inputs.
4. The method according to claim 1, wherein said smartcard reader or encoder is a biometric smartcard reader or encoder.
5. The method according to claim 4, wherein said data read from said smartcard is stored biometric data.
6. The method according to claim 5, further including the step of obtaining scanned biometric data using a sensor of said biometric smartcard reader or encoder.
7. The method according to claim 6, wherein said authentication data is generated by said biometric smartcard reader or encoder dependent upon a comparison of said stored biometric data and said scanned biometric data.
8. The method according to claim 7, wherein access is granted to said computer if said stored biometric data and said scanned biometric data match.
9. The method according to claim 4, further including the step of verifying said biometric data encoded on said smartcard is correct.
10. The method according to claim 4, further including the step of enrolling biometric data on said smartcard.
11. The method according to claim 10, wherein said enrolling step further includes the steps of: scanning a source of biometric data associated with said smartcard; encoding said scanned biometric data; and storing said encoded biometric data on said smartcard.
12. The method according to claim 5 or 6, wherein said biometric data includes a fingerprint.
13. The method according to claim 11 , further including the step of specifying a detail level for scanning said biometric data.
14. The method according to claim 1, wherein said steps are carried out using said computer in a process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
15. An apparatus for controlling access to a computer using a smartcard reader or encoder coupled to said computer, said apparatus including: a smartcard reader or encoder for reading a smartcard encoded with data; means for checking authentication data from said smartcard reader or encoder to determine whether access to said computer is granted or prohibited; and means for, if a determination is made to grant access, granting access to said computer.
16. The apparatus according to claim 15, further including means for locking all inputs of said computer other than a communications port of said computer to which said reader or encoder is coupled.
17. The apparatus according to claim 16, wherein said granting means includes means for unlocking said inputs.
18. The apparatus according to claim 15, wherein said smartcard reader or encoder is a biometric smartcard reader or encoder.
19. The apparatus according to claim 18, wherein said data read from said smartcard is stored biometric data.
20. The apparatus according to claim 19, wherein said biometric smartcard reader or encoder includes a scanner for obtaining scanned biometric data.
21. The apparatus according to claim 20, wherein said authentication data is generated by said biometric smartcard reader or encoder dependent upon a comparison of said stored biometric data and said scanned biometric data.
22. The apparatus according to claim 21, wherein access is granted to said computer if said stored biometric data and said scanned biometric data match.
23. The apparatus according to claim 18, further including means for verifying said biometric data encoded on said smartcard is correct.
24. The apparatus according to claim 18, further including means for enrolling biometric data on said smartcard.
25. The apparatus according to claim 24, wherein said enrolling means further includes: means for scanning a source of biometric data associated with said smartcard; means for encoding said scanned biometric data; and means for storing said encoded biometric data on said smartcard.
26. The apparatus according to claim 19 or 20, wherein said biometric data includes a fingerprint.
27. The apparatus according to claim 25, further including means for specifying a detail level for scanning said biometric data.
28. The apparatus according to claim 15, wherein said processing is carried out using said computer in a process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
29. A computer program product having a computer readable medium with a computer program recorded thereon for controlling access to a computer using a smartcard reader or encoder coupled to said computer, said computer program product including: computer program code means for reading a smartcard encoded with data using said smartcard reader or encoder; computer program code means for checking authentication data from said smartcard reader or encoder to determine whether access to said computer is granted or prohibited; and computer program code means for, if a determination is made to grant access, granting access to said computer.
30. The computer program product according to claim 29, further including computer program code means for locking all inputs of said computer other than a communications port of said computer to which said reader or encoder is coupled.
31. The computer program product according to claim 30, wherein said computer program code means for granting includes computer program code means for unlocking said inputs.
32. The computer program product according to claim 29, wherein said smartcard reader or encoder is a biometric smartcard reader or encoder.
33. The computer program product according to claim 32, wherein said data read from said smartcard is stored biometric data.
34. The computer program product according to claim 33, wherein said biometric smartcard reader or encoder includes a scanner for obtaining scanned biometric data.
35. The computer program product according to claim 34, wherein said authentication data is generated by said biometric smartcard reader or encoder dependent upon a comparison of said stored biometric data and said scanned biometric data.
36. The computer program product according to claim 35, wherein access is granted to said computer if said stored biometric data and said scanned biometric data match.
37. The computer program product according to claim 32, further including computer program code means for verifying said biometric data encoded on said smartcard is correct.
38. The computer program product according to claim 32, further including computer program code means for enrolling biometric data on said smartcard.
39. The computer program product according to claim 38, wherein said computer program code means for enrolling further includes: computer program code means for scanning a source of biometric data associated with said smartcard; computer program code means for encoding said scanned biometric data; and computer program code means for storing said encoded biometric data on said smartcard.
40. The computer program product according to claim 33 or 34, wherein said biometric data includes a fingerprint.
41. The computer program product according to claim 39, further including computer program code means for specifying a detail level for scanning said biometric data.
42. The computer program product according to claim 29, wherein said processing is carried out using said computer in a process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process.
43. A system for controlling access to a computer, said system including: a computer with a communications port, said computer implementing at least one process selected from the group consisting of a BIOS login process, an operating system login process, a resource access process, a network resource access process, and a stop/resume process. a smartcard reader or encoder coupled to said computer via said communications port for reading a smartcard encoded with data; means for checking authentication data from said smartcard reader or encoder to determine whether access to said computer is granted or prohibited in said process; and means for, if a determination is made to grant access, granting access to said computer in said process.
44. The system according to claim 43, further including means for locking all inputs of said computer other than said communications port.
45. The system according to claim 44, wherein said granting means includes means for unlocking said inputs.
46. The system according to claim 43, wherein said smartcard reader or encoder is a biometric smartcard reader or encoder.
47. The system according to claim 46, wherein said data read from said smartcard is stored biometric data.
48. The system according to claim 47, wherein said biometric smartcard reader or encoder includes a scanner for obtaining scanned biometric data.
49. The system according to claim 48, wherein said authentication data is generated by said biometric smartcard reader or encoder dependent upon a comparison of said stored biometric data and said scanned biometric data.
50. The system according to claim 49, wherein access is granted to said computer if said stored biometric data and said scanned biometric data match.
51. The system according to claim 46, further including means for verifying said biometric data encoded on said smartcard is correct.
52. The system according to claim 46, further including means for enrolling biometric data on said smartcard.
53. The system according to claim 52, wherein said enrolling means further includes: means for scanning a source of biometric data associated with said smartcard; means for encoding said scanned biometric data; and means for storing said encoded biometric data on said smartcard.
54. The system according to claim 47 or 48, wherein said biometric data includes a fingerprint.
55. The system according to claim 53, further including means for specifying a detail level for scanning said biometric data.
PCT/AU2003/001302 2002-10-03 2003-10-02 A smartcard security system for protecting a computer system WO2004031920A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003266822A AU2003266822A1 (en) 2002-10-03 2003-10-02 A smartcard security system for protecting a computer system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2002951755 2002-10-03
AU2002951755A AU2002951755A0 (en) 2002-10-03 2002-10-03 A smartcard security system for protecting a computer system

Publications (1)

Publication Number Publication Date
WO2004031920A1 true WO2004031920A1 (en) 2004-04-15

Family

ID=28047508

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2003/001302 WO2004031920A1 (en) 2002-10-03 2003-10-02 A smartcard security system for protecting a computer system

Country Status (2)

Country Link
AU (1) AU2002951755A0 (en)
WO (1) WO2004031920A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1684204A1 (en) * 2005-01-24 2006-07-26 THOMSON Licensing Presence-based access control
EP1684153A1 (en) * 2005-01-24 2006-07-26 Thomson Licensing Presence-based access control
WO2008095613A1 (en) * 2007-02-08 2008-08-14 Smartmachine International Holding Gmbh Method and apparatus for storage of secure information, which is required for short-range communication, on a communication terminal
WO2008095866A2 (en) * 2007-02-05 2008-08-14 Siemens Aktiengesellschaft Method for authorizing the access to at least one automation component of a technical system
EP2418601A1 (en) * 2010-08-12 2012-02-15 Samsung Electronics Co., Ltd. Computer system and method of controlling computer
US8448875B2 (en) 2008-12-01 2013-05-28 Research In Motion Limited Secure use of externally stored data
EP2581851A3 (en) * 2008-12-01 2013-06-26 Research In Motion Limited Secure use of externally stored data
EP2930639A1 (en) * 2014-04-11 2015-10-14 Accenture Global Services Limited Multimodal biometric profiling
US9424478B2 (en) 2014-04-11 2016-08-23 Accenture Global Services Limited Multimodal biometric profiling
WO2018106430A1 (en) * 2016-12-08 2018-06-14 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
EP3472754A4 (en) * 2016-06-20 2020-01-15 Fingerprint Cards AB Communication arrangement to electrically connect a slave to a host device
US10965474B1 (en) 2017-02-27 2021-03-30 Apple Inc. Modifying security state with highly secured devices

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5448045A (en) * 1992-02-26 1995-09-05 Clark; Paul C. System for protecting computers via intelligent tokens or smart cards
US5812762A (en) * 1995-03-31 1998-09-22 Samsung Electronics Co., Ltd. Personal computer having card read/write controller
US5836010A (en) * 1995-03-14 1998-11-10 Samsung Electronics Co., Ltd. Personal computer using chip-in card to prevent unauthorized use
US5887131A (en) * 1996-12-31 1999-03-23 Compaq Computer Corporation Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password
US5960084A (en) * 1996-12-13 1999-09-28 Compaq Computer Corporation Secure method for enabling/disabling power to a computer system following two-piece user verification
US6275933B1 (en) * 1999-04-30 2001-08-14 3Com Corporation Security system for a computerized apparatus
WO2002021763A1 (en) * 2000-09-08 2002-03-14 Mainstay Enterprises, Inc. System and method for protecting information stored on a computer
WO2002033522A1 (en) * 1999-01-04 2002-04-25 Codex Technologies Incorporated Preboot protection, identification and security of a computer system
US20020078372A1 (en) * 2000-09-08 2002-06-20 Gaspare Aluzzo Systems and methods for protecting information on a computer by integrating building security and computer security functions
US20020087877A1 (en) * 2000-12-28 2002-07-04 Grawrock David W. Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations
WO2002084457A1 (en) * 2001-04-18 2002-10-24 Young-Ho Jun Personal computer with the smart card and organism sensor
WO2002095571A1 (en) * 2001-05-18 2002-11-28 O2 Micro, Inc. Pre-boot authentication system

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5448045A (en) * 1992-02-26 1995-09-05 Clark; Paul C. System for protecting computers via intelligent tokens or smart cards
US5836010A (en) * 1995-03-14 1998-11-10 Samsung Electronics Co., Ltd. Personal computer using chip-in card to prevent unauthorized use
US5812762A (en) * 1995-03-31 1998-09-22 Samsung Electronics Co., Ltd. Personal computer having card read/write controller
US5960084A (en) * 1996-12-13 1999-09-28 Compaq Computer Corporation Secure method for enabling/disabling power to a computer system following two-piece user verification
US5887131A (en) * 1996-12-31 1999-03-23 Compaq Computer Corporation Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password
WO2002033522A1 (en) * 1999-01-04 2002-04-25 Codex Technologies Incorporated Preboot protection, identification and security of a computer system
US6275933B1 (en) * 1999-04-30 2001-08-14 3Com Corporation Security system for a computerized apparatus
WO2002021763A1 (en) * 2000-09-08 2002-03-14 Mainstay Enterprises, Inc. System and method for protecting information stored on a computer
US20020078372A1 (en) * 2000-09-08 2002-06-20 Gaspare Aluzzo Systems and methods for protecting information on a computer by integrating building security and computer security functions
US20020087877A1 (en) * 2000-12-28 2002-07-04 Grawrock David W. Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations
WO2002084457A1 (en) * 2001-04-18 2002-10-24 Young-Ho Jun Personal computer with the smart card and organism sensor
WO2002095571A1 (en) * 2001-05-18 2002-11-28 O2 Micro, Inc. Pre-boot authentication system

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1684153A1 (en) * 2005-01-24 2006-07-26 Thomson Licensing Presence-based access control
US7861294B2 (en) 2005-01-24 2010-12-28 Thomson Licensing Presence-based access control
EP1684204A1 (en) * 2005-01-24 2006-07-26 THOMSON Licensing Presence-based access control
WO2008095866A2 (en) * 2007-02-05 2008-08-14 Siemens Aktiengesellschaft Method for authorizing the access to at least one automation component of a technical system
WO2008095866A3 (en) * 2007-02-05 2008-11-27 Siemens Ag Method for authorizing the access to at least one automation component of a technical system
WO2008095613A1 (en) * 2007-02-08 2008-08-14 Smartmachine International Holding Gmbh Method and apparatus for storage of secure information, which is required for short-range communication, on a communication terminal
EP2581851A3 (en) * 2008-12-01 2013-06-26 Research In Motion Limited Secure use of externally stored data
US8448875B2 (en) 2008-12-01 2013-05-28 Research In Motion Limited Secure use of externally stored data
US9235699B2 (en) 2010-08-12 2016-01-12 Samsung Electronics Co., Ltd.. Computer system and method of controlling computer
EP2418601A1 (en) * 2010-08-12 2012-02-15 Samsung Electronics Co., Ltd. Computer system and method of controlling computer
EP2930639A1 (en) * 2014-04-11 2015-10-14 Accenture Global Services Limited Multimodal biometric profiling
US9424478B2 (en) 2014-04-11 2016-08-23 Accenture Global Services Limited Multimodal biometric profiling
US9672581B2 (en) 2014-04-11 2017-06-06 Accenture Global Services Limited Multimodal biometric profiling
EP3472754A4 (en) * 2016-06-20 2020-01-15 Fingerprint Cards AB Communication arrangement to electrically connect a slave to a host device
WO2018106430A1 (en) * 2016-12-08 2018-06-14 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
US10715520B2 (en) 2016-12-08 2020-07-14 Mastercard International Incorporated Systems and methods for decentralized biometric enrollment
US11252150B2 (en) 2016-12-08 2022-02-15 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
AU2017372477B2 (en) * 2016-12-08 2022-10-06 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
US11588813B2 (en) 2016-12-08 2023-02-21 Mastercard International Incorporated Systems and methods for biometric authentication using existing databases
US11916901B2 (en) 2016-12-08 2024-02-27 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
US10965474B1 (en) 2017-02-27 2021-03-30 Apple Inc. Modifying security state with highly secured devices

Also Published As

Publication number Publication date
AU2002951755A0 (en) 2002-10-17

Similar Documents

Publication Publication Date Title
AU2002101053B4 (en) Biometric smartcard system
US7255282B2 (en) PCMCIA-complaint smart card secured memory assembly for porting user profiles and documents
US7549161B2 (en) Portable device having biometrics-based authentication capabilities
US20030005337A1 (en) Portable device having biometrics-based authentication capabilities
US8332915B2 (en) Information processing system, information processing apparatus, mobile terminal and access control method
US20080244734A1 (en) Information processing apparatus and method, program, and information processing system
CA2591751A1 (en) Biometric personal data key (pdk) authentication
US20080120726A1 (en) External storage device
WO2004031920A1 (en) A smartcard security system for protecting a computer system
US20140237581A1 (en) Authentication platform and related method of operation
JP2012043208A (en) Security management system, information processor, offline device, security management method, and program
EP1228433A1 (en) Security arrangement
JP4950337B2 (en) Fingerprint reader reset system and method
JP2006351015A (en) Storage and method for protecting stored data thereof
JP3422472B2 (en) Personal computer system
KR102248132B1 (en) Method, apparatus and program of log-in using biometric information
JP2007241800A (en) Removable memory unit and computer device
AU2003266822A1 (en) A smartcard security system for protecting a computer system
KR20070109488A (en) The mouse of finger drive ring with nand flash memory
JP2004185255A (en) Floppy disk (r) type living body information authentication device with both personal information management and living body authentication
KR20020078771A (en) Power on control apparatus and method of computer systems using biometric recognition
JP3641382B2 (en) Security system and security method
JP2001331375A (en) Program startup method, method and device for preventing unauthorized access, encoding/decoding system and card
KR100749376B1 (en) Apparatus for Controlling Access in a Finger Scan and Method thereof
JP2004334816A (en) Method to execute substitutional input of password for authentication of ic card using biometrics technology

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2003266822

Country of ref document: AU

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP