U.S. patent application number 15/890021 was filed on February 6, 2018 and published by the patent office on 2018-10-25 (publication 20180309750, kind code A1) for an in-circuit security system and methods for controlling access to and use of sensitive data.
The applicant listed for this patent is Apple Inc. The invention is credited to Barry W. JOHNSON, Kristen R.O. RIEMENSCHNEIDER, David C. RUSSELL and Jonathan A. TILLACK.
Application Number: 15/890021
Publication Number: 20180309750
Family ID: 33511627
Filed: 2018-02-06
Published: 2018-10-25
United States Patent Application 20180309750, Kind Code A1
JOHNSON; Barry W.; et al.
October 25, 2018
IN-CIRCUIT SECURITY SYSTEM AND METHODS FOR CONTROLLING ACCESS TO
AND USE OF SENSITIVE DATA
Abstract
A first electronic device comprises a transmitter, a secure
processor, a secure memory, and one or more biometric sensors. The
first electronic device is configured to communicate securely via
the transmitter with a second electronic device that is separate
from the first electronic device. The first electronic device
receives first biometric information of a user via the one or more
biometric sensors. In response to receiving the first biometric
information, the first electronic device compares, via the secure
processor, the first biometric information to second biometric
information stored in the secure memory; and determines, based on
the comparison, whether the user meets authentication criteria. In
accordance with a determination that the user meets authentication
criteria, the first electronic device generates a verification
signal that, when received by the second electronic device, grants
access to operate the second electronic device, and transmits the
verification signal to the second electronic device. In accordance
with a determination that the user does not meet the authentication
criteria, the first electronic device forgoes generating the
verification signal and transmitting the verification signal to the
second electronic device.
Inventors: JOHNSON; Barry W. (Charlottesville, VA); RIEMENSCHNEIDER; Kristen R.O. (Charlottesville, VA); RUSSELL; David C. (Virginia Beach, VA); TILLACK; Jonathan A. (Charlottesville, VA)
Applicant:
Name | City | State | Country | Type
Apple Inc. | Cupertino | CA | US |
Family ID: 33511627
Appl. No.: 15/890021
Filed: February 6, 2018
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number | Child Application
14716766 | May 19, 2015 | 9923884 | 15890021
13947313 | Jul 22, 2013 | 9124930 | 14716766
12555480 | Sep 8, 2009 | 8495382 | 13947313
10858287 | Jun 1, 2004 | 7587611 | 12555480
60474750 | May 30, 2003 | |
Current U.S. Class: 1/1
Current CPC Class: G06F 21/6209 20130101; G06F 21/32 20130101; G06K 9/00087 20130101; G06F 21/85 20130101; G06F 21/72 20130101; H04L 9/3231 20130101; G06K 9/6201 20130101; G06F 21/31 20130101; H04L 63/102 20130101; H04N 21/25875 20130101; G06F 16/51 20190101; G06F 21/10 20130101; H04L 63/0861 20130101; G06F 2221/0771 20130101; G06K 9/00013 20130101; H04L 63/06 20130101; H04N 21/4415 20130101
International Class: H04L 29/06 20060101 H04L029/06; H04N 21/4415 20110101 H04N021/4415; G06F 17/30 20060101 G06F017/30; H04L 9/32 20060101 H04L009/32; G06K 9/62 20060101 G06K009/62; G06K 9/00 20060101 G06K009/00; H04N 21/258 20110101 H04N021/258; G06F 21/85 20130101 G06F021/85; G06F 21/75 20130101 G06F021/75; G06F 21/72 20130101 G06F021/72; G06F 21/62 20130101 G06F021/62; G06F 21/32 20130101 G06F021/32; G06F 21/31 20130101 G06F021/31; G06F 21/10 20130101 G06F021/10
Claims
1. (canceled)
2. A method comprising: at a first electronic device comprising a
transmitter, a secure processor, a secure memory, and one or more
biometric sensors, wherein the first electronic device is
configured to communicate securely via the transmitter with a
second electronic device that is separate from the first electronic
device: receiving first biometric information of a user via the one
or more biometric sensors; in response to receiving the first
biometric information, comparing, via the secure processor, the
first biometric information to second biometric information stored
in the secure memory; determining, based on the comparison, whether
the user meets authentication criteria; in accordance with a
determination that the user meets authentication criteria:
generating a verification signal that, when received by the second
electronic device, grants access to operate the second electronic
device, and transmitting the verification signal to the second
electronic device; and in accordance with a determination that the
user does not meet the authentication criteria, forgoing generating
the verification signal and transmitting the verification signal to
the second electronic device.
3. The method of claim 2, wherein the second biometric information
cannot be removed from the first electronic device.
4. The method of claim 2, wherein the secure memory comprises a
tamper-resistant memory, and the second biometric information is
zeroed-out upon unauthorized attempted access.
5. The method of claim 2, wherein the second biometric information
comprises a biometric template, and the user meets authentication
criteria when the first biometric information is consistent with
the biometric template.
6. The method of claim 2, further comprising: in accordance with a
determination that the user meets authentication criteria,
providing access to a resource of the second electronic device to
the user.
7. The method of claim 2, wherein the second electronic device is
an interface device and the access provided to the user in
accordance with the determination that the user meets
authentication criteria includes access to a service and an
application on the interface device.
8. The method of claim 2, further comprising: receiving a signal
from the second electronic device after providing the verification
signal to the second electronic device.
9. The method of claim 2, wherein granting access to operate the
second electronic device comprises granting access to media content
via the second device.
10. The method of claim 9, wherein the access to media content
comprises access to a premium subscription service.
11. The method of claim 2, wherein granting access to operate the
second electronic device comprises granting access to educational
content via the second device.
12. The method of claim 11, wherein the educational content
comprises one or more of a remote learning application, a testing
service, and a testing application.
13. The method of claim 2, wherein the second electronic device is
locked by an electronic lock mechanism, and granting access to
operate the second electronic device comprises unlocking the second
electronic device.
14. The method of claim 2, wherein the verification signal, when
received by the second electronic device, permits pre-enrolling a
third electronic device with access to operate the second
electronic device.
15. The method of claim 14, wherein pre-enrolling the third
electronic device creates a master-slave relationship between the
first electronic device and the third electronic device.
16. A method comprising: at a first electronic device comprising a
transmitter, a secure processor, a secure memory, and one or more
biometric sensors, wherein the first electronic device is
configured to communicate securely via the transmitter with a
second electronic device that is separate from the first electronic
device: receiving, at the first electronic device, a request to
purchase an item via a shopping service; receiving, at the first
electronic device, a selection of a purchasing account; receiving
first biometric information of a user via the one or more biometric
sensors; in response to receiving the first biometric information,
comparing, via the secure processor, the first biometric
information to second biometric information stored in the secure
memory; determining, based on the comparison, whether the user
meets authentication criteria; in accordance with a determination
that the user meets authentication criteria: transmitting to the
second electronic device credentials that, when received by the
second electronic device, causes a seller of the item to be paid
via the purchasing account; and in accordance with a determination
that the user does not meet the authentication criteria, forgoing
transmitting the credentials to the second electronic device.
17. The method of claim 16, wherein the shopping service is
accessible via the second electronic device.
18. A first electronic device comprising: a transmitter; one or
more processors, the one or more processors comprising a secure
processor; one or more memories, the one or more memories
comprising a secure memory; one or more biometric sensors; and one
or more programs, wherein the one or more programs are stored in
the one or more memories and are configured to be executed by the
one or more processors, the one or more programs including
instructions, which when executed by the one or more processors,
cause the first electronic device to: receive first biometric
information of a user via the one or more biometric sensors; in
response to receiving the first biometric information, compare, via
the secure processor, the first biometric information to second
biometric information stored in the secure memory; determine, based
on the comparison, whether the user meets authentication criteria;
in accordance with a determination that the user meets
authentication criteria: generate a verification signal that, when
received by a second electronic device separate from the first
electronic device, grants access to operate the second electronic
device, and transmit the verification signal to the second
electronic device; and in accordance with a determination that the
user does not meet the authentication criteria, forgo generating
the verification signal and transmitting the verification signal to
the second electronic device, wherein the first electronic device
is configured to communicate securely via the transmitter with the
second electronic device.
19. A non-transitory computer readable storage medium storing one
or more programs, the one or more programs comprising instructions,
which when executed by a first electronic device comprising a
transmitter, a secure processor, a secure memory, and one or more
biometric sensors, the first electronic device configured to
communicate securely via the transmitter with a second electronic
device that is separate from the first electronic device, cause the
first electronic device to: receive first biometric information of
a user via the one or more biometric sensors; in response to
receiving the first biometric information, compare, via the secure
processor, the first biometric information to second biometric
information stored in the secure memory; determine, based on the
comparison, whether the user meets authentication criteria; in
accordance with a determination that the user meets authentication
criteria: generate a verification signal that, when received by the
second electronic device, grants access to operate the second
electronic device, and transmit the verification signal to the
second electronic device; and in accordance with a determination
that the user does not meet the authentication criteria, forgo
generating the verification signal and transmitting the
verification signal to the second electronic device.
Description
RELATED U.S. APPLICATION DATA
[0001] This application is a continuation of U.S. patent
application Ser. No. 14/716,766 (now U.S. Pat. No. 9,923,884),
filed May 19, 2015, entitled "An In-Circuit Security System And
Methods For Controlling Access To And Use Of Sensitive Data," which
is a continuation of U.S. patent application Ser. No. 13/947,313
(now U.S. Pat. No. 9,124,930), filed on Jul. 22, 2013, entitled "An
In-Circuit Security System And Methods For Controlling Access To
And Use Of Sensitive Data," which is a continuation of U.S. patent
application Ser. No. 12/555,480 (now U.S. Pat. No. 8,495,382),
filed Sep. 8, 2009, entitled "An In-Circuit Security System And
Methods For Controlling Access To And Use Of Sensitive Data," which
is a divisional of U.S. patent application Ser. No. 10/858,287 (now
U.S. Pat. No. 7,587,611), filed Jun. 1, 2004, entitled "An
In-Circuit Security System And Methods For Controlling Access To
And Use Of Sensitive Data," which claims priority under 35 U.S.C. § 119(e) to provisional patent application Ser. No. 60/474,750, filed May 30, 2003, entitled "Secure Biometric
Identification Devices and Systems for Various Applications," each
of which is hereby incorporated by reference in its entirety.
BACKGROUND OF THE INVENTION
Field of the Invention
[0002] The invention disclosed herein relates to the security of
sensitive data stored, processed and distributed using electronic
circuits. More particularly, the invention relates to the
identification of individuals prior to accessing/using data, and
the execution of security controls upon unauthorized attempts to
access/use said data.
[0003] In recent years there has been an explosion of electronic
devices that individuals may use for storing and transmitting
sensitive data. In a low-security example, portable devices like a
Palm™ or BlackBerry handheld computer typically contain software
for e-mail, along with options for storing credit cards, schedules,
and other data. Most people wish to protect this information, but
most handheld devices rely on their operating system to secure
data. Unfortunately, the most common operating systems for these
handheld computers were not designed with security as the main
goal, and retrofitting basic security mechanisms has been
clumsy.
[0004] A growing number of electronic devices, such as smart cards,
are intended to specifically identify and authenticate users using
the public key infrastructure, which requires secure storage of
private keys. These devices are common in building security; for
example, an individual with proper authorization to access a
facility is assigned a smart card and an asymmetric key pair. A
certificate authority generates a digital certificate for the
public key, which is stored in the smart card. The private key is
also stored on the smart card. When the individual places his smart
card in the reader at the access point of the facility, the card
transmits its digital certificate, and the reader challenges the
card to sign a supplied string, that is, to encrypt it with the
individual's private key. The reader obtains the public key from
the digital certificate and decrypts the private-key-encrypted
string to verify that the card holds the private key matching the
certified public key. This has an inherent problem: the reader has
verified possession of the private key, not that the individual
using it is the assigned owner of the smart card. Furthermore, it
is fairly simple for an experienced attacker to gain access to keys
stored on the card.
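The challenge-response exchange of the previous paragraph, written out as an added example (it is not part of the patent and not Apple's or the inventors' code). Textbook RSA with fixed Mersenne primes and no padding stands in for the card's signature scheme so the "encrypt with the private key, decrypt with the public key" arithmetic is visible; it is a toy and must not be reused for real security. The certificate format, the names alice and mallory, and the reader's authorization list are assumptions. The last case shows the gap the paragraph identifies: a private key copied out of the card is admitted exactly like the card, because the reader only ever verifies possession of the key.

```python
import hashlib
import os

E = 65537


def toy_keypair(p, q):
    """((e, n), (d, n)) from two fixed primes. Toy RSA: tiny keys, no padding."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


def _digest_int(data):
    # 88-bit truncated SHA-256 so the value is below every modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def sign(data, priv):          # "encrypt with the private key", as the text puts it
    d, n = priv
    return pow(_digest_int(data), d, n)


def verify(data, sig, pub):    # "decrypt with the public key" and compare
    e, n = pub
    return pow(sig, e, n) == _digest_int(data)


def cert_tbs(subject, pub):
    """To-be-signed part of a (toy) certificate: subject bound to a public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


class CertificateAuthority:
    def __init__(self, p, q):
        self.pub, self._priv = toy_keypair(p, q)

    def issue(self, subject, pub):
        return {"subject": subject, "pub": pub,
                "ca_sig": sign(cert_tbs(subject, pub), self._priv)}


class SmartCard:
    """Holds the certificate and the private key; answers challenges, nothing more."""
    def __init__(self, cert, priv):
        self.cert, self._priv = cert, priv

    def respond(self, challenge):
        return sign(challenge, self._priv)


class Reader:
    def __init__(self, ca_pub, authorized):
        self.ca_pub, self.authorized = ca_pub, set(authorized)

    def admit(self, card):
        cert = card.cert
        if cert["subject"] not in self.authorized:
            return False
        if not verify(cert_tbs(cert["subject"], cert["pub"]), cert["ca_sig"], self.ca_pub):
            return False                      # certificate was not issued by our CA
        challenge = os.urandom(16)            # fresh each time: a recorded answer is useless
        return verify(challenge, card.respond(challenge), cert["pub"])


def demo():
    """Genuine card, forged certificate, cloned key; returns the reader's decisions."""
    ca = CertificateAuthority((1 << 89) - 1, (1 << 107) - 1)      # Mersenne primes, constructed
    alice_pub, alice_priv = toy_keypair((1 << 31) - 1, (1 << 61) - 1)
    reader = Reader(ca.pub, authorized={"alice"})
    alice_card = SmartCard(ca.issue("alice", alice_pub), alice_priv)

    mallory_pub, mallory_priv = toy_keypair((1 << 19) - 1, (1 << 127) - 1)
    forged = {"subject": "alice", "pub": mallory_pub,            # self-signed, not by the CA
              "ca_sig": sign(cert_tbs("alice", mallory_pub), mallory_priv)}
    clone = SmartCard(alice_card.cert, alice_priv)              # key extracted from alice's card
    return {
        "genuine": reader.admit(alice_card),
        "forged_cert": reader.admit(SmartCard(forged, mallory_priv)),
        "cloned_key": reader.admit(clone),     # passes: the reader never meets the person
    }
```

The random per-attempt challenge stops replay of a recorded answer, and the CA signature stops substitution of an attacker's key under an authorized name; neither check says anything about who is holding the card, which is the gap the rest of the patent addresses by binding key use to a biometric match inside the chip.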
[0005] Some handheld devices, such as Hewlett Packard's iPAQ
PocketPC h5450, include biometric sensors for improved personal
identification before allowing access to sensitive data. An
individual possessing this device is instructed to enroll one or
more of his fingerprints into the device's software. The enrolled
fingerprint can be used as the sole password or as an alternative
to a typed password. This type of device can be a substantial
improvement on traditional data-access methods, because the
biometric can be definitively tied to a single individual. However,
if the sensitive data is stored or transmitted insecurely, the
biometric authentication does not substantially hinder an attacker
from probing the memory and compromising it.
[0006] These concerns have contributed to the marketing of products
billed as `secure memory` or `secure processor`. These products are
typically constructed with varying degrees of security; one lower
degree is considered `tamper-evident`, in which an unskilled
observer would see that someone had attempted to maliciously gain
access to secured data. A higher level is `tamper-resistant`, in
which the product actively resists tampering by use of a
self-destruct mechanism, an impermeable substance that coats the
components storing sensitive data such as a polymer-based coating
or other so-called "conformal coating", or some other process.
Furthermore, these products may encrypt input/output lines,
mislabel parts, and perform other types of obfuscation.
DESCRIPTION OF THE RELATED ART
[0007] U.S. Pat. No. 5,533,123 to Force, et al., discloses
programmable distributed personal security inventions. The patent
teaches a "Secured Processing Unit" ("SPU") comprising an "SPU
chip" and a microprocessor designed especially for secure data
processing. The invention integrates keys, encryption and
decryption engines, and algorithms in the SPU of the invention.
Purportedly, the security process is portable and easily
distributed across physical boundaries. The invention is based upon
three interdependent subsystems. The first subsystem of the
invention is a detector subsystem, which alerts an SPU to the
existence and to the character of a security attack. A second
subsystem is a filter subsystem that correlates data from multiple
detectors, then assesses the severity of the attack against the
risk to the SPU's integrity, both to its secret data and to the
design of the SPU itself. A third subsystem is a response subsystem
for generating responses, or countermeasures, calculated by the
filters to be most appropriate under the circumstances, in order to
deal with the attack(s) detected. Force does not disclose identity
credential verification within the SPU.
[0008] U.S. Pat. No. 5,825,878 to Takahashi discloses a secure
embedded memory management unit for a microprocessor. A
microprocessor memory management apparatus is used for encrypted
instruction and data transfer from an external memory. Physical
security is obtained by embedding the direct memory access
controller on the same chip with a microprocessor core, an internal
memory, and encryption/decryption logic. Data transfer to and from
an external memory takes place between the external memory and the
memory controller of the memory management unit. All firmware to
and from the external memory is handled on a page-by-page basis.
Since all of the processing takes place on buses internal to the
chip, detection of clear unencrypted instructions and data is
prevented. Takahashi does not disclose any capability,
anticipation, intention, or provision for including identity
credential verification on the management unit or within the
microprocessor core.
[0009] U.S. Pat. No. 5,832,207 to Little, et al., teaches a secure
module including a microprocessor and a co-processor. The
electronic module is provided with at least one microprocessor and
a co-processor deployed into a single integrated circuit. The
electronic module may be contained in a small form factor housing.
The electronic module provides secure bi-directional data
communication via a data bus. The electronic module may include an
integrated circuit including a microprocessor and a co-processor
adapted to handle 1,024-bit modulo mathematics primarily aimed at
RSA calculations. The electronic module is preferably contained in
a small token-sized metallic container. The module preferably
communicates via a single wire data bus using a one-wire protocol.
Little et al. does not disclose personal identification
systems.
[0010] U.S. Pat. No. 5,894,550 to Thireit discloses a method of
implementing a secure program in a microprocessor card, and a
microprocessor card including a secure program. The invention
claims that a program can be made secure relative to a CPU. The
invention accomplishes this by storing in a first memory zone
predetermined address functions that are directly executable by the
CPU. The first memory zone is then write-protected, then the
program is stored in a second memory zone in the form of a series
of instructions that are executable within the second memory zone
or that activate functions contained in the first memory zone.
[0011] U.S. Pat. Nos. 5,481,265, 5,729,220, 6,201,484 and 6,441,770
to Russell detail a handheld device used to authenticate persons
and said device to remote computer systems. The invention further
includes a "kill switch" or "kill signal" enabling the computer
system to remotely disable the handheld device and restrict further
emissions. However, the system is primarily targeted at local area
network applications and does not anticipate or suggest broader
applications.
BRIEF SUMMARY OF THE INVENTION
[0012] The invention disclosed herein is an in-circuit security
system for electronic devices. The in-circuit security system
incorporates identity credential verification, secure data and
instruction storage, and secure data transmission capabilities. It
comprises a single semiconductor chip, lowering component cost and
reducing board space. The in-circuit security system chip is
secured using mechanisms for preventing information tampering or
eavesdropping, such as the addition of oxygen reactive layers. This
invention also incorporates means for establishing security
settings and profiles for the in-circuit security system and
enrolled individuals. The in-circuit security system can be used in
a variety of electronic devices, including handheld computers,
secure facility keys, vehicle operation/ignition systems, and
digital rights management.
BRIEF DESCRIPTION OF DRAWINGS
Master Reference Numeral List
[0013] FIG. 1: Sample embodiment of in-circuit security system
components [0014] 100 In-circuit security system [0015] 101
Processor [0016] 102 Memory [0017] 103 Identity credential
verification subsystem [0018] 104 Cryptographic subsystem [0019]
105 Real-time clock [0020] 106 Power source (OPTIONAL) [0021] 107
Transceiver (OPTIONAL) [0022] 108 Random number generator [0023]
110 Connection to identity credential sensor [0024] 111 Connection
to peripheral components [0025] 112 Connection to antenna or
cables
[0026] FIG. 2: Handheld computer with the in-circuit security
system [0027] 100 In-circuit security system [0028] 201 Non-secure
processor [0029] 202 Non-secure memory [0030] 203 Fingerprint
sensor [0031] 204 Antenna [0032] 213 Display [0033] 214 Keypad
[0034] FIG. 3: Electronic lock mechanism with the in-circuit
security system [0035] 100 In-circuit security system [0036] 313
LEDs [0037] 314 Electronic lock mechanism
[0038] FIG. 1 is a schematic view of a sample embodiment of the
in-circuit security system.
[0039] FIG. 2 is a schematic view of the components of a simple
handheld computer using the in-circuit security system.
[0040] FIG. 3 is a schematic view of the components of an
electronic lock mechanism using the in-circuit security system.
[0041] FIGS. 4-5 depict embodiments of a biometric personal
identification device (BPID) for remote-controlled
applications.
DETAILED DESCRIPTION OF THE INVENTION
[0042] The invention described herein is an in-circuit security
system by which pre-enrolled individuals may access sensitive data
or perform actions on sensitive data in an environment that is
fully monitored and protected. The in-circuit security system
requires full authentication of individuals and can perform a
variety of programmed responses in the event that pre-established
authentication standards are not met. The in-circuit security
system includes secure transmission of sensitive data to remote
devices.
[0043] The in-circuit security system comprises several components
combined securely into a single, secure chip. As seen in FIG. 1,
the primary embodiment of the in-circuit security system 100
comprises a processor 101, a memory 102, a real-time clock 105, and
a random number generator 108. The in-circuit security system 100
also includes a cryptographic subsystem 104 and an identity
credential verification subsystem 103. These subsystems may be
logical, physical, or some combination thereof, and are described
in further detail below. In typical embodiments, the in-circuit
security system 100 will also contain a power source 106, such as a
battery, in order to maintain power to the real-time clock 105.
During manufacture, the in-circuit security system 100 receives a
unique, one-time programmable electronic identification code that
can be read but cannot be altered or removed. The in-circuit
security system 100 also preferably provides multiple input/output
interfaces 110-112 for connection to optional internal/external
components, such as transceivers 107, antennae, identity credential
sensors, non-secure processors, etc.
[0044] The processor 101 is the main control component; it is
responsible for loading and executing instructions to control the
various components of the chip, as well as performing
user-requested tasks. The memory 102 is coupled to the processor
101. It comprises both volatile and non-volatile components and can
be used to store instructions or data, such as security settings or
profiles and cryptographic keys. The application of these security
settings is discussed below. The real-time clock 105 is also
coupled to the processor 101 and is used to maintain an accurate
time, which can be used in cryptographic signing, audit records, or
other transactions. The real-time clock 105 may be connected to a
power source 106 in order to maintain time continuously. If the
in-circuit security system 100 does not include the power source
106, the real-time clock 105 must detect power disconnects, after
which it can no longer vouch for an accurate time.
[0045] The fourth component of the in-circuit security system 100
is a random number generator 108. The random number generator 108
is used for seeding cryptographic algorithms, and may use any of the
established methods for guaranteeing sufficient randomness. The
random number generator 108 may be included as part of the
cryptographic subsystem 104 or may be a standalone component
coupled to the subsystem 104. The cryptographic subsystem 104 is a
dedicated system for performing encryption and decryption, digital
signing and digital signature verification. In one embodiment the
subsystem 104 is responsible for storing cryptographic keys in its
own memory; in another, the subsystem is coupled to and uses the
main memory 102 of the in-circuit security system 100.
Additionally, one primary embodiment of the invention uses a
cryptographic acceleration chip or component as the cryptographic
subsystem 104. Alternative embodiments are coupled to and use the
main processor 101 as the cryptographic engine.
[0046] The identity credential verification subsystem 103 is used
to determine the identity of an individual attempting to use the
in-circuit security system 100 and identify his associated security
privileges. The identity credential verification subsystem 103
performs identity credential acquisition, analysis, storage and
matching. In the primary embodiment of the invention, the identity
credential verification subsystem 103 uses digital representations
of fingerprints as the identity credential. In this embodiment the
identity credential verification subsystem 103 performs fingerprint
image acquisition, and template generation, storage, and matching.
The identity credential verification subsystem 103 may use the main
processor 101 of the in-circuit security system 100 for credential
processing actions or may use its own specialized processor.
Similarly, it may employ its own memory for credential storage or
use the main memory 102 of the in-circuit security system 100. The
in-circuit security system 100 provides one or more connections 110
to external components for credential sensing, such as a
fingerprint sensor.
[0047] The in-circuit security system 100 incorporates an interface
112 to a transceiver 107, antenna, wire, or other remote
communication device that is coupled to the processor 101. This
component is used for transmission of data from one device to
another. All sensitive data that is to be transmitted from the
in-circuit security system 100 can be encrypted using the
cryptographic subsystem 104, so it is not necessary to place a
transceiver 107 within the secure boundaries of the in-circuit
security system 100. However, in some embodiments it may prove to
be convenient to incorporate the transceiver 107 into the chip. In
these embodiments the interface 112 would be from the transceiver
to an antenna, wire, or other communication device. In a primary
embodiment of the invention, the transmission technology is
radio-frequency identification (RFID), such as the ISO 14443 A/B or
15693 standards. In another embodiment the in-circuit security
system 100 uses Bluetooth or infrared technology. Other embodiments
provide a combination of these technologies or others. In
alternative embodiments, it may be useful to use a wired
technology, such as a serial or USB connection. The in-circuit
security system 100 preferably provides external connections 112
for requisite connectors, cables or antennae.
[0048] The authentication of individuals allows the in-circuit
security system 100 to associate an individual with specific
security privileges within the system. For example, one user may be
enrolled and identified as a typical user with no ability to reset
the system 100, while an alternate user may be identified as an
administrator with that ability. Additionally, the in-circuit
security system 100 may be programmed to perform a variety of both
temporary and permanent responses to security events. For example,
a specified number of access denials within a particular time
interval may cause the in-circuit security system 100 to suspend
all actions or halt the real-time clock 105 until reset by an
enrolled administrator. Alternatively, an attempt to crack open the
case of the chip housing the in-circuit security system 100 may
result in permanent erasure of memory 102, or destruction of other
components. The in-circuit security system 100 may also be
programmed to allow an enrolled individual to directly disable or
destroy components.
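An added simulation of the flow described above and in claim 2 (example code, not from the patent and not Apple's): the secure element matches a sample against templates held in its own memory, emits a verification signal only on a match and forgoes it otherwise, counts denials within a time window and suspends itself until an enrolled administrator resets it, and zeroes its secrets when tampering is detected (claim 4). Everything concrete is an assumption chosen for illustration: templates are 16-byte strings compared by Hamming distance (a stand-in for fingerprint matching), the signal is an HMAC over the chip's one-time-programmable ID, a nonce from the second device and the real-time clock value, and the two devices share a pairing key established earlier. The second device checks the nonce, the timestamp and the MAC, so a recorded signal cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this simulation (not from the patent).
MATCH_THRESHOLD = 6     # max Hamming distance (bits) still "consistent with the template"
MAX_DENIALS = 3         # denials inside DENIAL_WINDOW seconds that suspend the chip
DENIAL_WINDOW = 60.0
SIG_LEN = 8 + 8 + 32    # signal = device id || RTC timestamp || HMAC-SHA256


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class SecureElement:
    """Secure processor + secure memory of the first device (simulated)."""

    def __init__(self, device_id, link_key):
        self.device_id = device_id     # one-time-programmable chip ID ([0043])
        self._link_key = link_key      # pairing secret shared with the second device (assumed)
        self._enrolled = {}            # name -> (template bytes, is_admin)
        self._denials = []             # RTC timestamps of recent denials
        self.suspended = False

    def enroll(self, name, template, is_admin=False):
        self._enrolled[name] = (bytes(template), is_admin)

    def _match(self, sample):
        """Closest enrollee within MATCH_THRESHOLD as (name, is_admin), else None."""
        hits = [(hamming(t, sample), n, a) for n, (t, a) in self._enrolled.items()]
        hits = [h for h in hits if h[0] <= MATCH_THRESHOLD]
        return min(hits)[1:] if hits else None

    def _deny(self, now):
        self._denials = [t for t in self._denials if now - t < DENIAL_WINDOW] + [now]
        if len(self._denials) >= MAX_DENIALS:
            self.suspended = True      # suspend all actions until an administrator resets
        return None

    def verification_signal(self, sample, nonce, now):
        """Claim 2: emit the signal only on a match; on denial forgo it (return None)."""
        if self.suspended or self._match(sample) is None:
            return self._deny(now)
        ts = int(now).to_bytes(8, "big")
        mac = hmac.new(self._link_key, self.device_id + nonce + ts, hashlib.sha256).digest()
        return self.device_id + ts + mac

    def admin_reset(self, sample, now):
        who = self._match(sample)
        if who is None or not who[1]:      # only an enrolled administrator may reset
            self._deny(now)
            return False
        self._denials.clear()
        self.suspended = False
        return True

    def tamper_detected(self):
        """Claim 4: zero out templates and the key; nothing matches or signs afterwards."""
        self._enrolled.clear()
        self._link_key = bytes(len(self._link_key))
        self.suspended = True


class InterfaceDevice:
    """The second device: hands out a single-use nonce, then checks the signal."""

    def __init__(self, paired_id, link_key, max_skew=5.0):
        self.paired_id, self._link_key, self.max_skew = paired_id, link_key, max_skew
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, signal, now):
        if signal is None or self._pending is None or len(signal) != SIG_LEN:
            return False
        dev_id, ts, mac = signal[:8], signal[8:16], signal[16:]
        expected = hmac.new(self._link_key, dev_id + self._pending + ts, hashlib.sha256).digest()
        self._pending = None                      # a nonce is consumed by exactly one attempt
        fresh = abs(now - int.from_bytes(ts, "big")) <= self.max_skew
        return dev_id == self.paired_id and fresh and hmac.compare_digest(mac, expected)


def demo():
    """Walk through the claimed flow with constructed templates; returns the outcomes."""
    dev_id, key = b"\x01" * 8, secrets.token_bytes(32)
    se, phone = SecureElement(dev_id, key), InterfaceDevice(dev_id, key)
    alice, admin = bytes(range(16)), bytes([0xA5]) * 16             # constructed templates
    se.enroll("alice", alice)
    se.enroll("admin", admin, is_admin=True)
    sample = bytes([alice[0] ^ 0x01, alice[1] ^ 0x80]) + alice[2:]  # alice + 2 bits of noise
    impostor = bytes(b ^ 0xFF for b in alice)                       # far from every template

    def attempt(s, t):                    # one round trip: nonce -> signal -> check
        sig = se.verification_signal(s, phone.challenge(), t)
        return phone.accept(sig, t), sig

    out = {}
    out["genuine"], sig = attempt(sample, 1000.0)
    phone.challenge()
    out["replayed_signal"] = phone.accept(sig, 1001.0)               # old signal, fresh nonce
    for t in (1002.0, 1003.0, 1004.0):
        attempt(impostor, t)
    out["suspended"] = se.suspended
    out["genuine_while_suspended"] = attempt(sample, 1005.0)[0]
    out["admin_reset"] = se.admin_reset(admin, 1006.0)
    out["genuine_after_reset"] = attempt(sample, 1007.0)[0]
    se.tamper_detected()
    out["after_tamper"] = attempt(sample, 1008.0)[1] is None
    return out
```

In a real part the timestamp would come from the real-time clock 105 and the denial log would live in the secure memory 102; the simulation passes the clock value in explicitly so the lockout window can be exercised deterministically.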
[0049] As described above, the in-circuit security system 100 is
combined into one secured chip with three major interfaces: an
interface to a credential sensing mechanism, such as a fingerprint
sensor; an interface to peripheral components, such as non-secure
processors or user-interface devices; and an interface to a
transceiver or antenna for remote communications. Other interfaces
are strictly prevented. The chip may use one or more physical
security measures to prevent information eavesdropping. These
obfuscation techniques include use of "potting", oxygen-reactive
layers, photo-sensors, Hall effect sensors, and circuits that
monitor clock frequency and/or reset frequency.
[0050] The system 100 may additionally perform algorithmic analysis
of interface traffic. For example, fingerprint images received from
a fingerprint sensor may be analyzed by the identity credential
verification subsystem 103; if the identity credential verification
subsystem 103 repeatedly receives the exact same bit pattern
representation of fingerprints, it is possible that someone is
deliberately placing that bit pattern on the interface. Similarly,
if the identity credential verification subsystem 103 receives bit
patterns that are an exact rotation or other permutation of a
previously received image, again someone may be altering the
contents of the interface.
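The interface-traffic check in the previous paragraph, as an added example (not the patent's own code): each accepted sensor frame is hashed, and a new frame is rejected when it is an exact repeat of, or one of the eight rotations and mirror images of, an earlier frame. The frame format (tuples of 8-bit pixel rows) and the sample frames are constructed for the example; real fingerprint captures carry sensor noise, so two bit-identical frames are themselves a warning sign.

```python
import hashlib


class SensorInputMonitor:
    """Flags a frame that is bit-identical to, or a rotation/mirror of, an earlier one.
    Frames are tuples of equal-length rows of 8-bit pixel values (constructed format)."""

    def __init__(self):
        self._seen = set()          # digests of frames previously accepted as fresh

    @staticmethod
    def _digest(frame):
        body = b"".join(bytes(row) for row in frame)
        return hashlib.sha256(f"{len(frame)}x{len(frame[0])}|".encode() + body).digest()

    @staticmethod
    def variants(frame):
        """The 8 symmetries of the frame: 4 rotations, each with its mirror image."""
        out, cur = [], tuple(tuple(r) for r in frame)
        for _ in range(4):
            out.append(cur)
            out.append(tuple(r[::-1] for r in cur))
            cur = tuple(zip(*cur[::-1]))          # rotate 90 degrees clockwise
        return out

    def check(self, frame):
        """'ok' for a fresh image, 'replay' for an exact repeat, 'permutation' for a symmetry."""
        exact = self._digest(frame)
        if exact in self._seen:
            return "replay"
        if any(self._digest(v) in self._seen for v in self.variants(frame)[1:]):
            return "permutation"
        self._seen.add(exact)
        return "ok"


def demo():
    """Constructed 4x4 frames: a live capture, repeats of it, and a new noisy reading."""
    mon = SensorInputMonitor()
    live = ((10, 20, 30, 40), (50, 60, 70, 80), (90, 100, 110, 120), (130, 140, 150, 160))
    noisy = tuple(tuple(p + (1 if (i + j) % 3 == 0 else 0) for j, p in enumerate(row))
                  for i, row in enumerate(live))
    return {
        "first": mon.check(live),
        "exact_repeat": mon.check(live),
        "rotated": mon.check(tuple(zip(*live[::-1]))),
        "mirrored": mon.check(tuple(r[::-1] for r in live)),
        "new_reading": mon.check(noisy),
    }
```

Hashing the eight symmetries of the incoming frame against the stored digests keeps the history to one digest per accepted frame; the history size and what the chip does on a hit (log it, count it as a denial, or refuse the sample) are policy decisions the paragraph leaves open.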
[0051] The in-circuit security system can be used as a standalone
component for security applications or as one of multiple
components within an electronic device. In one use of the
invention, a handheld computer is equipped with the in-circuit
security system 100, as seen in FIG. 2. The computer further
comprises a display 213, a keypad 214, a non-secure processor 201
and memory 202, and a fingerprint sensor 203. Additionally, for
embodiments in which the in-circuit security system 100 includes a
transceiver 107 that uses cellular wireless technology, the
handheld computer also incorporates an antenna 204.
[0052] The primary user of the handheld computer enrolls a
fingerprint, a digital certificate, and an associated private key
into the in-circuit security system 100. The fingerprint is stored
in the identity credential verification subsystem 103 and is used
to authorize use of the private key associated with the digital
certificate. The digital certificate may be stored in the
cryptographic subsystem 104 or the main memory 102 of the
in-circuit security system 100.
[0053] The individual typically uses the handheld computer to
transmit and receive e-mail. He requires the in-circuit security
system 100 to digitally sign his e-mail, which requires accessing
the stored private key associated with his fingerprint. He selects
his e-mail program, and types an e-mail for transmission using the
keypad 214. The keypad 214 is coupled to the processor 201, which
receives the data and creates an appropriate message packet for
transmission. Once created, the message packet is sent to the
in-circuit security system 100 for further processing.
[0054] The processor 101 of the in-circuit security system 100
receives the message packet and analyzes the established security
settings for transmission of e-mail. Because the in-circuit
security system 100 is configured to require digital signing of
e-mail prior to transmission, the individual must first
authenticate his fingerprint to the identity credential
verification subsystem 103. The biometric authentication is
required to prevent unauthorized users from signing e-mail with
a private key that is not theirs. The processor 101 signals the
identity credential verification subsystem 103 to wait for a new
fingerprint sample from the fingerprint sensor 203, and signals the
non-secure processor 201 to provide a visual prompt to the user on
the display 213. After the user places his finger on the
fingerprint sensor 203 it sends the new fingerprint image to the
identity credential verification subsystem 103. The identity
credential verification subsystem 103 analyzes the image, generates
a template, and compares it to the enrolled fingerprint template.
If the two match, the identity credential verification subsystem
103 sends a signal to the processor 101 that the individual is
authorized to use the stored private key.
[0055] The processor 101 now sends the e-mail message to the
cryptographic subsystem 104 and instructs the cryptographic
subsystem 104 to sign the message. This typically involves
generating a hash of the message and signing that hash with the
private key. The cryptographic subsystem 104 may also include a timestamp
generated by the real-time clock, the unique device identifier, or
other data, prior to the hash. The cryptographic subsystem 104 now
sends the signed e-mail message back to the processor 101. The
processor 101, in turn, sends the signed e-mail to the cellular
transceiver 107 for transmission to a remote recipient.
[0056] In a second embodiment of the invention, the in-circuit
security system 100 is embedded into an electronic door locking
mechanism that is used to control access to a secure facility. As
seen in FIG. 3, the system comprises the in-circuit security system
100 with a wired connection to the electronic door lock 314, a
fingerprint sensor 203, and a series of light emitting diodes
(LEDs) 313 that are used to provide visual feedback to the user.
Individuals access the secure facility by demonstrating enrollment
of their fingerprint into the in-circuit security system 100. The
security settings of the in-circuit security system 100 are
configured to shut down the entire locking mechanism on a
pre-specified number of failed attempts within a pre-specified time
span. This is an example of the security parameters and settings
that are stored within the memory 102.
[0057] An enrolled individual wishes to enter the facility. One LED
313 glows green, signaling that the fingerprint sensor 203 is
ready. The individual places his finger on the sensor 203, which
generates a fingerprint image and sends it to the identity
credential verification subsystem 103. The identity credential
verification subsystem 103 generates a fingerprint template and
compares it to the enrolled fingerprints. The new fingerprint
template matches an existing template, so the identity credential
verification subsystem 103 sends the individual's unique identifier
to the processor 101. The processor 101 accesses the memory 102,
which stores security privileges associated with enrolled
individuals. The individual who is currently authenticated is
authorized to enter the secure facility alone, so the processor 101
sends a signal to the transceiver 107 to trigger the lock 314 to
release.
[0058] Now an individual who has not been pre-enrolled into the
identity credential verification subsystem 103 attempts to enter
the secure facility. The individual places his finger on the
fingerprint sensor 203, which sends an image of the fingerprint
back to the identity credential verification subsystem 103. The
fingerprint is compared to all of the enrolled fingerprints, and no
match is found because the individual is not enrolled. The identity
credential verification subsystem 103 records the date, time and
other requisite characteristics of the failed access attempt, and
flashes a red LED 313 to show that access has been denied. The
identity credential verification subsystem 103 also notifies the
appropriate process within the processor 101 that an access failure
has occurred.
[0059] The individual now tries another, un-enrolled finger. The
identity credential verification subsystem 103 records the
subsequent failure, and notifies the processor 101 that there has
been another failure. When the number of failed attempts reaches
the pre-established limit, the identity credential verification
subsystem 103 again notifies the processor 101 that a failure has
occurred. At this point, the processor 101 applies the security
settings and places the electronic lock mechanism 314 in a state
where it cannot be unlocked unless it is reset by a recognized
authority; in a primary embodiment this would be implemented using
a "fail-secure" lock and would involve disconnecting a power
source. Alternative actions can occur to put the lock 314 into this
state as necessary. The processor 101 may also put the identity
credential verification subsystem 103 into a state where it does
not accept new fingerprints, create images, or perform matching. As
desired by the regulator of the secure facility, the processor 101
may instruct the identity credential verification subsystem 103 to
delete any enrolled fingerprint images. These are all examples of
programmable security settings.
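The lockout behaviour of [0056] through [0059] is a small state machine, shown below as an added Go example that is not code from the application: failed matches are counted in a sliding time window, the lock goes fail-secure when the limit is reached, enrolled templates may be wiped at that moment, and only an authority reset recovers the mechanism. The Policy fields, the equality-based stand-in for template matching, the audit record layout and the unauthenticated AuthorityReset entry point are assumptions for illustration:

```go
package main

import (
	"errors"
	"time"
)

// Decision is the outcome of one finger placement.
type Decision int

const (
	Deny       Decision = iota // no match or no privilege; lock stays secured
	Release                    // match with privilege; lock 314 releases
	LockedDown                 // fail-secure state; needs an authority reset
)

var ErrLockedDown = errors.New("lock is in fail-secure lockdown")

// Policy holds the programmable settings the text places in memory 102 (names assumed).
type Policy struct {
	MaxFailures    int           // failures within Window that trigger lockdown
	Window         time.Duration // sliding window over which failures are counted
	WipeOnLockdown bool          // also delete enrolled templates on lockdown
}

// Attempt is one audit record: date, time and outcome of the attempt.
type Attempt struct {
	At       time.Time
	UserID   string // empty when no template matched
	Decision Decision
}

type DoorController struct {
	policy    Policy
	Templates map[string]string // userID -> enrolled template (opaque stand-in)
	mayEnter  map[string]bool   // userID -> authorized to enter alone
	failures  []time.Time       // timestamps of recent failed matches
	Audit     []Attempt
	lockdown  bool
}

func NewDoorController(p Policy) *DoorController {
	return &DoorController{policy: p, Templates: map[string]string{}, mayEnter: map[string]bool{}}
}

func (d *DoorController) Enroll(userID, template string, enterAlone bool) {
	d.Templates[userID] = template
	d.mayEnter[userID] = enterAlone
}

// match stands in for the ICVS comparison against every enrolled template;
// a real subsystem compares extracted features, not raw equality.
func (d *DoorController) match(sample string) (string, bool) {
	for id, tmpl := range d.Templates {
		if tmpl == sample {
			return id, true
		}
	}
	return "", false
}

// Present processes one finger placement observed at time now.
func (d *DoorController) Present(sample string, now time.Time) (Decision, error) {
	if d.lockdown {
		return LockedDown, ErrLockedDown
	}
	userID, matched := d.match(sample)
	decision := Deny
	switch {
	case matched && d.mayEnter[userID]:
		decision = Release
	case !matched:
		// Only failed matches count toward lockdown; drop entries
		// older than the window before comparing against the limit.
		d.failures = append(d.failures, now)
		kept := d.failures[:0]
		for _, ts := range d.failures {
			if now.Sub(ts) <= d.policy.Window {
				kept = append(kept, ts)
			}
		}
		d.failures = kept
		if len(d.failures) >= d.policy.MaxFailures {
			d.lockdown, decision = true, LockedDown
			if d.policy.WipeOnLockdown {
				d.Templates = map[string]string{} // delete enrolled templates
			}
		}
	}
	d.Audit = append(d.Audit, Attempt{At: now, UserID: userID, Decision: decision})
	return decision, nil
}

// AuthorityReset clears lockdown. Authenticating the authority (for example
// with a physical key or an administrator credential) is outside this example.
func (d *DoorController) AuthorityReset() {
	d.lockdown, d.failures = false, nil
}
```

An enrolled user who lacks the privilege is denied but not counted toward lockdown, since the text counts failed matches; whether a successful release should clear the failure history is a policy choice the text leaves open, and this example does not clear it.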
[0060] FIGS. 4-5 depict embodiments of a biometric personal
identification device (BPID) for remote-controlled
applications.
[0061] Necessity of the BPID of the present invention:
[0062] Remote control products have been in service for decades and
have become ubiquitous for many applications. However, despite the
many successful applications for saving time, steps, and effort,
there are only limited examples among remote control products and
remote control communication systems that demonstrate the capacity
to provide security to remote control applications that need or
could be improved by security.
[0063] Moreover, at the time of this writing, the inventors have
found few existing examples in the arts relating to "remote
control" intellectual property or to "remote-controlled products
and applications", where privacy concerns are simultaneously
addressed along with security and authentication concerns.
Notwithstanding, there are many existing and potential remote
control applications where privacy and security, user
authentication, user auditing, and user monitoring, concerns
abound. Unsurprisingly, latent demand exists for appropriate
existing and potential applications. The marketplace is ready for
privacy and security oriented remote controller devices and
associated remote-controlled products and applications, despite the
shortage of applicable technology prior to the emergence of the
present inventions.
[0064] More specifically, latent demand exists for apparatuses,
methods, and systems capable of monitoring, auditing, and enforcing
different privilege levels of authorized usage for a remote control
apparatus and corresponding different privilege levels of
authorized remote control of remote-controlled resources, e.g.,
entertainment resources, polling resources, testing resources,
interactive or user response-oriented resources, and other
resources and assets including remote controlled machinery, etc.
Typical examples of potential products and applications for which
latent demand exists where differentiable privacy- and
security-oriented remote control transmitter and/or transceiver
apparatuses are appropriate include: [0065] Entertainment
Applications, most notably, conventional TV and/or PC control
applications such as parental control, Nielsen sweep analysis,
etc.; cable television (CATV) applications including "set-top box"
control applications including parental control and Nielsen sweeps,
access to premium services, access to portable and mobile
subscription services, access to bi-directional interactive
applications such as multi-player leisure game services, leisure
game show inputs, etc.; [0066] Remote Polling, Voting, and Testing
Applications, where differentiable remote control transmitters and
transceivers can be used to register, verify, and log in--and where
applicable, continuously verify--proven single instances of
distinct, unique, authenticated voters' votes, or responders'
voting responses to polling application choices, or test subjects'
responses to test questions; [0067] Educational Services, such as
unidirectional and bi-directional "remote learning" content control
applications, including "Interactive Learning" applications,
including continuously verifiable, preauthorized testing services
and applications; [0068] Military, Government, and Law Enforcement
Services, e.g., "Soldier of the Future" products.
[0069] Everything considered, there is a definite need in the art
to provide consolidated security, and privacy features into remote
control apparatuses and remote controlled systems. There is also a
definite need in the art to provide anonymity features, where
applicable and appropriate, into remote control apparatuses and
remote controlled systems. While prior art inventors have addressed
security concerns to a certain extent, and while a few inventors
have addressed privacy and security concerns together, no prior art
or products have addressed privacy and security in the flexible and
robust apparatuses, methods, and systems of the present BPID.
Several examples of prior art addressing privacy and/or security
follow below.
[0070] Accordingly, it is a primary object of the BPID disclosed
herein, to provide a privacy- and security-oriented remote
controller apparatus, method, and system for privately and securely
controlling a variety of remotely controllable machinery, including
(but not limited to) televisions, personal computers, set-top
control terminals, etc.
[0071] It is another primary object to provide a privacy- and
security-oriented remote control apparatus, method, and system for
cross-platform and cross-application mobility and portability,
where preauthorized, enrolled users can freely carry their
privileges from one location to another to control the same,
similar, and/or different remotely controlled equipment.
[0072] It is another primary object, to provide an apparatus,
method and system, which taken together, provide means for absolute
personal identity authentication for individuals wishing to
remotely control access-protected, restricted, metered, monitored
resources, assets, and services.
[0073] Another object of the BPID is to enable service providers to
monitor, audit, and track the activity of users accessing, or
attempting to access, restricted and protected equipment and
services by means of remote controllers.
[0074] Another object of the present BPID is to match physical
persons to discrete devices such that only authorized individuals
are associated with each device and so that only authorized
individuals can effectuate access with a remote controller. A
related object of the BPID is to create multiple levels of
privilege and access for a plurality of users accessing a plurality
of remote control apparatuses to control a plurality of
remote-controlled devices and applications.
[0075] It is another primary object of the BPID to decentralize
authentication and verification services such that the user
apparatuses serve as autonomous authentication devices and can
identify persons and their assigned user privileges without
requiring remote access to a central system or to a centralized
authentication database.
[0076] The BPIDs disclosed herein provide privacy- and
security-oriented identity credential verification devices (in
prior art applications of the instant inventors) and privacy- and
security oriented remote control apparatuses, subsystem
apparatuses, methods, and systems adapted for authenticating and
verifying prospective remote control apparatus users (in this
application).
[0077] The most basic user-operated devices of prior art inventions
to the instant inventors are simply identity credential
verification devices. While such devices excel at identifying
prospective users thereof, by means of re-verifying a submitted
biometric credential such as a fingerprint, they do not effectuate
remote control events in remotely controlled machinery.
[0078] Prospective users of remote controllers of the present BPID
must verify their pre-enrolled identities prior to accessing their
preauthorized, assigned privileges to their remote control devices,
prior to being authorized and granted access to their remote
control devices, and subsequently, to compatible remote-controlled
resources equipped according to teachings of the present BPID.
User-operated apparatuses of the BPID are privacy- and security
oriented, remote control apparatuses. The authenticated and
verified, user-operated remote control apparatuses of the present
BPID either (1) include an identity credential verification
subsystem (ICVS) module for verifying a prospective user's
pre-enrolled status and privileges, and/or (2) interface with
either an independent, proximate, ICVS, and/or (3) an ICVS module
embedded into a remote-controlled resource. Such a
remote-controlled resource can only be operated by properly enabled
remote controllers, which are accessible and operable only by
pre-enrolled, preauthorized users who are re-authenticated and
re-verified prior to each operational event.
[0079] The methods of the BPID comprise steps, procedures, policies
for accomplishing and enforcing pre-enrollment and subsequent
authentication of preauthorized users. The systems of the BPID
embed an ICVS subsystem in the remote control apparatus of the BPID
and/or implement an ICVS system external and proximate to the
remote control apparatus by means of a wireless interactive
communication link, such as a Bluetooth connection.
[0080] The fundamental platform apparatus of the invention
comprises the BPID as described above, plus one or more
implementations of enabling application software. This allows the
device to function as a remote control for apparatuses including
(but not limited to) televisions, VCRs, DVD players and stereo
systems, radios, etc., which can be pre-programmed to respond only
to pre-determined, authorized remote control apparatuses. The
remote control apparatuses of the present invention including
platform BPID functionality, can be embodied as either
transmitters--using any appropriate transmission media, including,
but not limited to, infrared and RF--or, in more advanced
applications with additional privacy and security features--as
transceivers. Optionally, some or all of the remotely controlled
functionality of the present invention can be alternatively
embodied into interface controller devices such as "set-top
controllers" or "set-top boxes", rather than solely in one or more
remotely controlled devices themselves such as televisions, DVD
players and stereo systems, radios, etc.
[0081] Notwithstanding, in most embodiments there is no need for
external "central site interaction", nor a need for elaborate,
expensive, or technically laborious centralized interactions or
complex, non-proximate signal processing chains.
[0082] The ICVS subsystem apparatuses of the invention include (1)
modular, factory-installed components for implementing ICVS in a
remote control apparatus of the present invention; (2) standalone
and independent ICVS-class apparatuses, i.e., either (2a)
multi-functional set-top boxes or (2b) single function ICVS boxes
accessible by RF or other viable communications standard; and (3)
customer-installable modules to upgrade platform devices such as to
implement advanced features, or to upgrade existing features.
[0083] To implement privacy and security features into remote
controllers of the present invention, both a factory-installed,
embedded core ICVS subsystem apparatus and a user-installed modular
core subsystem apparatus are disclosed; either or both can be
installed in the remote control of the present invention. Both
installed and/or modularly installable subsystem apparatuses can
enable and perform authentication of pre-authorized users.
ICVS-borne, "user authentication functions" implement not only
basic user authentication in a remote controller, but can also
permit multiple levels of privileged access to remote-controlled
resources as well as portable privileges for accessing
remote-controlled resources and their applications, services,
etc.
[0084] The user authentication process is further performed in a
manner supportive of the individual's right to privacy, in accord
with the application accessed and the stipulations of the
remote-controlled resource or application owner, if any. The
preferred embodiment of the invention stores a pre-enrolled
biometric template of the authorized individual within
tamper-resistant memory within the remote control apparatus. The
template is never authorized to leave the device, and is
"zeroed-out" upon unauthorized attempted physical or logical
access. When an individual wishes to access controlled resources,
he/she submits another biometric template through a reader on the
device. If the submitted identity credential matches the template
stored therein, the user is granted access to operate the remote
controller and the machinery it controls.
[0085] One primary preferred embodiment of the remote controller
apparatus of the present invention is a transmitter adapted for
generating and transmitting a basic, "standalone", simplex, one-way
"identity credential verification signal" transmission from a
user's remote control device to a target device after successful
initial user authentication. This first primary embodiment performs
the user authentication process, displays the result in the form
of a user "identity credential verification display", generates and
transmits as appropriate, a user "identity credential verification
signal", and also transmits user control signals to the remotely
controlled device.
[0086] A second primary preferred embodiment of the remote
controller apparatus comprises a transceiver version. The
transceiver version is capable of performing standalone user
authentication, but is also capable of communicating with an
external identity credential verification system (ICVS) and/or
other external device or transceiver, based on how it is configured
at manufacturing and/or based on how it was optioned by a user and
a system administrator after deployment. As described in the BPID
discussion, the user-operated remote control transceiver may use a
wireless technology ranging from IrDA to RF, or optionally, may use
a wired communications medium and/or protocol. In terms of
interactivity, this second preferred embodiment is capable of
receiving a plurality of signals from other remote control user
apparatuses and/or from external, remote-controlled apparatuses,
appropriately equipped. Depending on the situation, a variety of
different signal types may be transmitted and received by
appropriately equipped user remote control apparatuses and remotely
controlled interface devices including set-top boxes and/or other
appropriately equipped transceiver apparatuses.
[0087] For purposes of illustration, the apparatus of the invention
will be described as using a fingerprint for the identity
credential verification method and Bluetooth RF wireless technology
as the communication media. However, a variety of modifications and
substitutions may be made thereto without departing from the spirit
and scope of the inventions. Thus, by way of example, the invention
is not limited to the use of any specific communications
architecture or system, or specific method or type of ICVS.
Theory of Operation
[0088] In one operational embodiment, the remote control apparatus
of the invention is used in conjunction with a television, a
television set-top box, and a premium cable channel such as HBO,
Cinemax or Showtime. The remote control is issued to the paying
customer and is enrolled with his fingerprint upon application for
the premium service. The enrollment process may take place within
the cable company's office, online, or through another
company-approved method. As per traditional methods, the cable
company will also supply the set-top box in order to provide access
to the premium cable channel. In this embodiment of the invention,
the set-top box is adapted to allow access to the premium channel
only upon receipt of an encrypted authorization signal from the
authorized remote control device, from among a "premium class" of
remote control devices. This further requires that the set-top box
is assigned either a public/private key pair or a symmetric key,
and that it receives the public key of the authorized remote
control apparatus.
[0089] When the individual wishes to access the channel, he selects
the remote control function within his BPID, and selects the
premium access channel that he wishes to watch. The device will
prompt the individual to authenticate himself. Upon successful
verification, the device searches the memory to verify that the
authenticated individual owns the necessary privileges to watch the
channel. If the individual is accepted, the device creates a
message comprising the selected service and an authorization
notice, and signs it with the device private key. The device
further encrypts the message with either a shared symmetric key or
the public key of the set-top box before message transmission.
Successful decryption and signature verification within the set-top
box will enable the television to display the premium channel. It
is important to note that the set-top box functionality, as
described, may be implemented within the television itself in order
to reduce the physical equipment required by the system.
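Both the e-mail signing of [0055] (a timestamp and the device identifier folded into the signed data, with the private key usable only after a fingerprint match) and the premium-channel exchange of [0088] and [0089] (sign with the device key, encrypt for the set-top box, decrypt and verify there) are shown in one added Go example below. It is not code from the application or from the applicant. The message layout, Ed25519 for the device key, AES-256-GCM under a shared symmetric key (one of the two options the text offers; the set-top public-key option is not shown), the set-top's enrolled-device table serving as the allowed-class list, and the two-minute freshness window are assumptions added here:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Remote is the BPID side; field names are assumptions for this example.
type Remote struct {
	DeviceID   uint32
	Template   string // enrolled biometric stand-in; a real ICVS matches features
	Privileges map[string]bool
	priv       ed25519.PrivateKey
	link       cipher.AEAD // AES-256-GCM under the key distributed at enrollment
	verified   bool        // outcome of the most recent credential match
}

// SetTop holds the link cipher and the public key of every enrolled remote;
// that table is the list of devices allowed to request premium services.
type SetTop struct {
	link    cipher.AEAD
	remotes map[uint32]ed25519.PublicKey
}

func NewSetTop() (*SetTop, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	link, _ := cipher.NewGCM(block) // cannot fail for AES
	return &SetTop{link: link, remotes: map[uint32]ed25519.PublicKey{}}, nil
}

// Enroll generates the remote's key pair, hands it the link cipher and records
// its public key at the set-top (steps c and f of the administration method).
func Enroll(r *Remote, s *SetTop) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	r.priv, r.link = priv, s.link
	s.remotes[r.DeviceID] = pub
	return nil
}

// Authenticate is the ICVS gate: the private key is usable only after a match.
func (r *Remote) Authenticate(sample string) bool {
	r.verified = sample == r.Template
	return r.verified
}

// Authorize builds deviceID||timestamp||service, signs it with the device key
// and encrypts body||signature on the enrolled link.
func (r *Remote) Authorize(service string, now time.Time) ([]byte, error) {
	ok := r.verified && r.Privileges[service]
	r.verified = false // each operational event needs a fresh match
	if !ok {
		return nil, errors.New("not authenticated or no privilege for " + service)
	}
	body := make([]byte, 12, 12+len(service))
	binary.BigEndian.PutUint32(body[0:4], r.DeviceID)
	binary.BigEndian.PutUint64(body[4:12], uint64(now.Unix()))
	body = append(body, service...)
	nonce := make([]byte, r.link.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return r.link.Seal(nonce, nonce, append(body, ed25519.Sign(r.priv, body)...), nil), nil
}

// Receive decrypts, checks the sender is enrolled, verifies the signature and
// rejects authorizations more than two minutes old (an added replay check).
func (s *SetTop) Receive(msg []byte, now time.Time) (string, error) {
	n := s.link.NonceSize()
	if len(msg) < n {
		return "", errors.New("short message")
	}
	plain, err := s.link.Open(nil, msg[:n], msg[n:], nil)
	if err != nil || len(plain) < 12+ed25519.SignatureSize {
		return "", errors.New("decryption failed or malformed")
	}
	cut := len(plain) - ed25519.SignatureSize
	pub, ok := s.remotes[binary.BigEndian.Uint32(plain[0:4])]
	if !ok || !ed25519.Verify(pub, plain[:cut], plain[cut:]) {
		return "", errors.New("unknown device or bad signature")
	}
	age := now.Sub(time.Unix(int64(binary.BigEndian.Uint64(plain[4:12])), 0))
	if age > 2*time.Minute || age < -2*time.Minute {
		return "", errors.New("stale authorization")
	}
	return string(plain[12:cut]), nil
}
```

The timestamp the text already folds into the signed data is what makes the freshness check possible: without it, a captured authorization could be replayed indefinitely by anyone holding the link key, since the encryption alone proves nothing about who composed the message. The signature is over the plaintext body and is itself encrypted, so the set-top learns the device identity only after successful decryption.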
[0090] An important ramification of a decentralized architecture,
as described above, is the portability of users' privileges. One
individual, Alice, may have a subscription to a premium cable
channel, while another individual, Bob, may not. Alice and Bob
would like to watch a movie on the premium channel together, but
for practical reasons cannot watch the movie at Alice's home. In
the traditional implementation of premium services, Alice and Bob
would not be able to watch the movie at Bob's home, as he does not
subscribe to the service. With the present invention, however,
Alice can use her remote control apparatus to take her privileges
to Bob's house if he has an appropriate set-top box or television,
and they can watch the movie together.
[0091] In another primary embodiment of the invention, again an
individual purchases rights to a premium cable channel, and the
cable provider issues and enrolls the individual into one device.
However, it may be convenient for the individual, or the
individual's family, to have multiple remote control devices. In
this situation, the individual may use the pre-enrolled device to
enroll subsequent devices, creating a master-slave
relationship.
[0092] Another embodiment of the invention creates a "parental
control" method for limiting individuals' access to programs,
movies and channels that have content deemed unsuitable. The owner
of the remote control device may enroll multiple persons--and their
corresponding fingerprints--into his or an alternate remote control
device, along with authorization and privilege levels. Similarly to
the request for premium cable services as described above, persons
wishing to watch particular television programs must authenticate
to the remote control device. The remote control processes the
authorization, and transmits an authorization or denial signal
appropriately to the television or set-top box. This invention can
be extended to cover the operation of VCRs and DVD players; DVDs,
for example, can be encoded to include multiple versions of a movie
satisfying multiple Motion Picture Association of America (MPAA)
ratings.
[0093] In another primary embodiment of the invention, users can
perform purchasing and other financial transactions through their
television and/or set-top box. In recent years we have seen a
proliferation of home shopping television networks and
infomercials, in which individuals view purchasable items on their
televisions. If the individual would like to place an order, he
typically calls a telephone number provided at the bottom of the
television screen, and supplies a credit card number for payment.
This method of shopping is convenient for many users, but lacks
personal security because it simply requires possession of a credit
card number, without ensuring ownership of the number. In this
embodiment of the invention, persons can still order items through
their televisions, yet making use of the security benefits of the
remote control apparatus. Because the BPID is designed to store a
variety of account information, individuals can store credit card
numbers and other financial data for this application.
[0094] When the viewer selects a home shopping channel, the remote
control will register an option for purchasing. If the individual
decides to purchase an item, he simply selects the purchasing
option on the remote control, and enters the item number and price.
He will then select one of the enrolled accounts to pay for the
item. This will prompt the user to authenticate himself/herself to
the device. If the user is authenticated successfully, the device
will sign the message and transmit the appropriate credentials to
the television or set-top box. The information can then be
transmitted via Internet, phone or other connective medium to pay
the seller.
[0095] The operational embodiments as described above are also
suited for accessing "content distribution" subscription services
within stereophonic audio systems in homes, offices and
automobiles, such as the emerging XM radio service, pay-per-view
television services, and other types of subscription services that
use remote control devices.
[0096] For example, the various features and characteristics of the
BPID interactive system may include:
[0097] 1) A private and secure remote control apparatus adapted for
authenticating and for matching at least one user identity
credential of a prospective user with at least one stored
pre-enrolled user identity credential of at least one preauthorized
user, further adapted for transmitting user permissions and
transmitting remote control signals for accessing and controlling
remotely controlled apparatuses comprising resources, applications,
and services.
[0098] 2) The private and secure remote control apparatus recited
in 1, wherein the user identity credential comprises at least one
personal biometric means.
[0099] 3) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
fingerprints.
[0100] 4) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
handprints.
[0101] 5) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
voice.
[0102] 6) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
iris patterns.
[0103] 7) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
facial patterns.
[0104] 8) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
retinal patterns.
[0105] 9) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
heartbeat patterns.
[0106] 10) The private and secure remote control apparatus as
recited in 2, wherein said personal biometric means comprise human
DNA patterns.
[0107] 11) The private and secure remote control apparatus as
recited in 1, further adapted as a transceiver means both for
transmitting user permissions and remote control signals and for
receiving data, information, and control signals from
remote-controlled apparatuses and interface devices comprising
resources, applications, services.
[0108] 12) The private and secure remote control apparatus as
recited in 11, wherein the user identity credential comprises at
least one personal biometric means.
[0109] 13) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
fingerprints.
[0110] 14) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
handprints.
[0111] 15) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
voice.
[0112] 16) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
iris patterns.
[0113] 17) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
facial patterns.
[0114] 18) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
retinal patterns.
[0115] 19) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
heartbeat patterns.
[0116] 20) The private and secure remote control apparatus as
recited in 12, wherein said personal biometric means comprise human
DNA patterns.
[0117] 21) A method for administering and distributing premium
cable television services comprising:
[0118] a) assigning at least one of the private and secure remote
control apparatus (of any of the preceding claims) to a
pre-authorized user,
[0119] b) assigning at least one remote-controlled interface device
comprising a set-top box adapted for communicating with said remote
control apparatus assigned to a pre-authorized user,
[0120] c) providing said remote control apparatus and said
remote-controlled interface device comprising a set-top box with
corresponding encryption keys such that the two communicate
securely,
[0121] d) enrolling a pre-authorized user's personal identity
credentials into said remote control apparatus,
[0122] e) enrolling a pre-authorized user's predetermined
privileges and authorizations into said remote control apparatus,
and
[0123] f) enrolling into said remote-controlled interface device an
access privilege list of classes of remote control apparatuses
allowed to access premium services from said remote-controlled
interface device comprising a set-top box for controlling
remote-controlled apparatuses comprising resources, applications,
and services.
[0124] 22) A method for accessing premium cable television service
comprising:
[0125] a) selecting the service using the secure remote control
apparatus as recited in any of 1-20,
[0126] b) authenticating the user to said secure remote control
apparatus,
[0127] c) verifying within said secure remote control apparatus
that the user has proper privileges to access the service,
[0128] d) creating within said secure remote control apparatus a
message comprising the authorization and a digital signature,
[0129] e) encrypting within said secure remote control apparatus
the authorization message, using encryption keys distributed at
enrollment,
[0130] f) transmission from said secure remote control apparatus to
a pre-distributed remote-controlled interface device comprising a
set-top box,
[0131] g) decrypting within said interface device comprising a
set-top box,
[0132] h) verification of digital signature within said interface
device comprising a set-top box, and
[0133] i) verification of user authorization.
[0134] 23) A method for establishing restricted access for
subsequent users using the secure and private remote control
apparatus as recited in any of 1-20, comprising:
[0135] a) establishing restricted access and privilege levels for
subsequent users,
[0136] b) demonstrating ownership of said device by verifying
personal identity,
[0137] c) enrolling subsequent users' identity credentials within
said device, and
[0138] d) enrolling subsequent users' predetermined privileges and
authorizations into said remote control apparatus.
[0139] 24) An identity credential verification system for matching
and authenticating at least one submitted identity credential of a
prospective user, wherein said submitted identity credential is
matched and verified by said identity credential verification
system, comprising:
[0140] a) at least one remote control user,
[0141] b) a remote control apparatus platform,
[0142] c) an onboard identity credential verification system
embedded into said remote control apparatus platform including an
identity credential verification apparatus means for initially
enrolling said at least one user by means of storing at least one
enrolled user identity credential and for subsequently matching
said at least one user identity credential prior to authorizing and
granting access to said remote controller apparatus platform to
said at least one remote control user.
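Claims 21 to 24 together describe one protocol: the set-top box and the remote are paired with corresponding keys and a per-class access list (claim 21), the owner enrolls credentials and privileges and may add restricted subsequent users only after proving identity (claims 23 and 24), and a service request is authenticated, privilege-checked, signed, encrypted, then decrypted and verified on the box (claim 22). The following Python is an added worked example of that flow, not code from the application or from the applicant. The class names (SecureRemote, SetTopBox), the biometric template format, the Hamming-distance matcher, and the HMAC-based stand-ins for the unspecified cipher and digital signature are all assumptions made so the example runs with the standard library only.

```python
import hashlib, hmac, json, secrets, time

# Constructed stand-ins for the primitives the claims leave unspecified:
# "encryption" is an HMAC-SHA256 keystream in counter mode plus an HMAC tag
# (encrypt-then-MAC with separate subkeys), and the "digital signature" is an
# HMAC under a per-remote signing key issued at pairing. A product would use an
# AEAD and a real signature scheme; the message flow is the point here.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def biometric_match(enrolled, submitted, max_bit_errors=8):
    # Fuzzy template comparison (iris-code style Hamming distance); constructed stand-in.
    if len(enrolled) != len(submitted):
        return False
    diff = int.from_bytes(enrolled, "big") ^ int.from_bytes(submitted, "big")
    return bin(diff).count("1") <= max_bit_errors

class SecureRemote:
    # Holds enrolled identity credentials and privileges (claims 21d, 21e, 23, 24).
    def __init__(self, device_id, device_class):
        self.device_id, self.device_class = device_id, device_class
        self.enc_key = self.sig_key = None   # issued by the set-top box at pairing (claim 21c)
        self.users = {}                      # name -> {"template", "privileges", "owner"}

    def enroll_owner(self, name, template, privileges):
        if self.users:
            raise PermissionError("owner already enrolled")
        self.users[name] = {"template": template, "privileges": set(privileges), "owner": True}

    def enroll_subsequent_user(self, owner, owner_sample, name, template, privileges):
        # Claim 23: the owner proves identity with a live sample before adding a restricted user.
        rec = self.users.get(owner)
        if not (rec and rec["owner"] and biometric_match(rec["template"], owner_sample)):
            raise PermissionError("ownership not verified")
        self.users[name] = {"template": template, "privileges": set(privileges), "owner": False}

    def request_service(self, name, sample, service):
        # Claim 22 b-f: authenticate, check privilege, build a signed authorization, encrypt it.
        user = self.users.get(name)
        if user is None or not biometric_match(user["template"], sample):
            raise PermissionError("biometric authentication failed")
        if service not in user["privileges"]:
            raise PermissionError("user lacks privilege for " + service)
        body = json.dumps({"user": name, "service": service, "ts": int(time.time()),
                           "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
        return encrypt(self.enc_key, body + hmac.new(self.sig_key, body, hashlib.sha256).digest())

class SetTopBox:
    # Remote-controlled interface device holding the per-class access privilege list (claim 21f).
    def __init__(self, access_list):
        self.access_list = access_list       # device class -> set of premium services it may reach
        self.remotes = {}                    # device_id -> (enc_key, sig_key, device_class)
        self.seen_nonces = set()

    def pair(self, remote):
        # Claim 21b/c: bind the remote and issue corresponding keys. The class is
        # recorded here at pairing, not taken from later messages.
        remote.enc_key, remote.sig_key = secrets.token_bytes(32), secrets.token_bytes(32)
        self.remotes[remote.device_id] = (remote.enc_key, remote.sig_key, remote.device_class)

    def grant(self, device_id, blob, max_age_s=30):
        # Claim 22 g-i: decrypt, verify the signature, then verify the authorization.
        if device_id not in self.remotes:
            return False, "unknown remote"
        enc_key, sig_key, device_class = self.remotes[device_id]
        try:
            plain = decrypt(enc_key, blob)
        except ValueError as exc:
            return False, str(exc)
        body, sig = plain[:-32], plain[-32:]
        if not hmac.compare_digest(sig, hmac.new(sig_key, body, hashlib.sha256).digest()):
            return False, "bad signature"
        msg = json.loads(body)
        if abs(time.time() - msg["ts"]) > max_age_s or msg["nonce"] in self.seen_nonces:
            return False, "stale or replayed authorization"
        self.seen_nonces.add(msg["nonce"])
        if msg["service"] not in self.access_list.get(device_class, set()):
            return False, "service not permitted for class " + device_class
        return True, "%s granted %s" % (msg["user"], msg["service"])
```

Two checks on the set-top box side go slightly beyond the literal wording of claim 22i and are the ones a reviewer would ask about: the timestamp and nonce make a captured authorization message single-use, and the remote's class is taken from the pairing record rather than from the message, so a remote cannot claim a more privileged class than the one it was enrolled with. The biometric step is a fixed-threshold Hamming comparison on constructed 32-byte templates; real matchers differ per modality, but the property that matters for the protocol is the same: the enrolled template never leaves the remote.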
[0143] While the description above refers to particular embodiments
of the present invention, it will be understood that many
modifications may be made without departing from the spirit
thereof. The accompanying claims are intended to cover such
modifications as would fall within the true scope and spirit of the
present invention.