Portable or embedded access and input devices and methods for giving access to access limited devices, apparatuses, appliances, systems or networks
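IPC classification information
Country / Type
United States (US) Patent
Granted
International Patent Classification (IPC 7th edition)
G06F-021/00
G06K-009/00
G06F-007/04
Application number
US-0966531
(2007-12-28)
Registration number
US-8255697
(2012-08-28)
Inventor / Address
Mathiassen, Svein
Mathiassen, Ivar
Applicant / Address
Bware AS
Agent / Address
Rothwell, Figg, Ernst & Manbeck, P.C.
Citation information
Times cited: 10
Cited patents: 48
Abstract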
A portable or embedded access device is provided for being coupled to, and for allowing only authorized users access to, an access-limited apparatus, device, network or system, e.g. a computer terminal, an internet bank or a corporate or government intranet. The access device comprises an integrated circuit (IC) providing increased security by bridging the functionality of biometrics input from a user and, upon positive authentication of the user's fingerprint locally to provide secure communication with the said access-limited apparatus, device, network or system, whether local or remote. A corresponding method of using the portable device or the embedded device is disclosed for providing a bridge from biometrics input to a computer locally, into secure communication protocol responses to a non-biometrics network. A method of providing secured access control and user input in stand-alone appliances having an embedded access control or user input device according to the invention is also disclosed.
Representative claim
1. A portable biometrics access device, comprising: a device interface, being electronic or mechanical or both, for coupling the device to an access-limited apparatus, device, network or system, and
an integrated circuit (IC) providing increased security by bridging the functionality of fingerprint input from a user and, upon positive authentication of the user's fingerprint to provide secure communication with said access-limited apparatus, device, network or system, said IC comprising:
a central processor communicating with the other on-chip components via a high speed bus,
a secure internal non-volatile memory connected to the high-speed bus, wherein the non-volatile memory either stores program code, administrative software, tailored security output responses and fingerprint representations in the form of compact fingerprint minutiae securely within the IC or is capable of storing encryption seeds for sensitive data stored on an external non-volatile memory,
a first memory interface block connected to the high speed bus for interfacing with volatile memory and for providing working memory available to other modules on the IC,
a second memory interface block connected to the high speed bus for interfacing with non-volatile memory, for alternative storing of program code, administrative software, tailored security output responses and fingerprint representations in the form of compact fingerprint minutiae, being encrypted internally in the IC by encryption seeds from an encryption block,
a first interface block coupled to a fingerprint sensor,
an image capture and pre-processing block connected to the first interface block, said image capture and pre-processing block being adapted to perform the initial processing of raw fingerprint images captured from the sensor into a dataset of reduced size, denoted intermediate fingerprint data, the intermediate fingerprint data being submitted as output to the central processor via the high speed bus for final processing to compact fingerprint minutiae on the central processor,
one or more encryption modules connected to the high-speed bus for providing encryption information, or alternatively scrambling information, the central processor being adapted to apply the encryption information to the fingerprint data for producing secured data as an output to the high speed bus, and
one or more second interface blocks for supplying the secured data to the external access-limited apparatus, device or system via the device interface.

2. The portable device according to claim 1, wherein the integrated circuit further comprises hardware and software required to supply output signals to one or more of the second interface blocks, implemented in the form of a USB-port, a PCMCIA-port or a UART-port.

3. The portable device according to claim 1, wherein: said IC being mounted on a small printed circuit board PCB, and
said PCB is connected to at least one of a USB interface or a PCMCIA mechanical interface,
the device further comprising:
electronic surface components to support at least one of the USB mechanical interface and the PCMCIA mechanical interface being mounted on the same PCB,
a SDRAM chip, at least with 4 MB capacity, being mounted on the same PCB,
a non-volatile serial Flash chip, with at least 256 Kbytes capacity, being mounted on the same PCB, and
a fingerprint sensor being mounted on the same PCB;
wherein all preceding components and chips being protected inside a housing.

4. The portable device according to claim 3, wherein said housing is designed with a recess enabling a finger to be placed on, or swiped over the sensor being protected down in said recess, but still conveniently accessible by the finger.

5. The portable device according to claim 3, wherein: said housing is equipped with a sliding lid enabling a finger to be placed on, or swiped over the sensor being protected under said sliding lid, but still conveniently accessible by the finger;
said sliding lid being forced into a closed position fully covering the sensor when the sliding lid is not pushed aside by a finger when a fingerprint image is to be captured;
a finger guide structure is placed adjacent to the sliding lid when the sliding lid is in closed position, fully covering the sensor, the finger guide intuitively guiding the finger in a correct position to open the sliding lid and thereby swipe the finger correctly over the sensor if the sensor is of a swipe type; and
the UART interface on the IC supports the PCMCIA port.

6. The portable device according to claim 3, wherein: said non-volatile memory is expanded with extra capacity beyond the 256 Kbytes minimum capacity, to provide extra storage capacity for data to enable the device to operate as a general portable data storage, and
said IC is equipped with a USB mass storage class controller with at least one control endpoint and 2 bulk endpoints (in/out), to provide access to data onboard the portable device upon positive match of the captured fingerprint image with one of the fingerprint representations of authorized users stored onboard the portable device.

7. An embedded biometrics access device, comprising: a device interface, being electronic or mechanical or both, for integration by embedment in a peripheral of, or within, a computer, and
an integrated circuit (IC) providing increased security by bridging the functionality of fingerprint input from a user and fingerprint authentication to provide secure communication with the computer and at least one network connected thereto, said IC comprising:
a central processor communicating with the other on-chip components via a high speed bus,
a secure internal non-volatile memory connected to the high-speed bus, wherein the non-volatile memory either stores all program code, administrative software, tailored security output responses and fingerprint representations in the form of compact fingerprint minutiae securely within the IC or is capable of storing encryption seeds for sensitive data stored on an external non-volatile memory,
a first memory interface block connected to the high speed bus for interfacing with volatile memory and for providing working memory available to other modules on the integrated circuit,
a second memory interface block connected to the high speed bus for interfacing with non-volatile memory, and for alternative storing of program code, administrative software, tailored security output responses, and fingerprint representations in the form of compact fingerprint minutiae, being encrypted internally in the IC by encryption seeds from an encryption block,
a first interface block coupled to a fingerprint sensor,
an image capture and pre-processing block connected to the first interface block, said image capture and pre-processing block being adapted to perform the initial processing of raw fingerprint images captured from the sensor into a dataset of reduced size, denoted intermediate fingerprint data, the intermediate fingerprint data being submitted as output to the central processor via the high speed bus for final processing to compact fingerprint minutiae on the central processor,
one or more encryption modules connected to the high-speed bus for providing encryption information, or alternatively scrambling information, the central processor being adapted to apply the encryption information to the fingerprint data for producing secured data as an output to the high speed bus, and
one or more second interface blocks for supplying the secured data to an external access-limited apparatus, device or system via the device interface.

8. The embedded access device according to claim 7, wherein the integrated circuit comprises hardware and software required to supply output signals to one or more of the second interface blocks, implemented in the form of a USB-port, a PCMCIA-port or a UART-port.

9. The embedded access device according to claim 7, wherein: said IC is mounted on a small printed circuit board PCB,
said IC is connected to the PCB by one or more of a USB, an Ethernet, a GPIO, a UART or a SmartCard interface on the IC,
said PCB is equipped with a mechanical/electronic interface suitable for the host device,
the device further comprising:
an SDRAM chip, with at least 4 MB capacity, being mounted on the same PCB,
a non-volatile serial Flash chip, with at least 256 Kbytes capacity, being mounted on the same PCB,
a fingerprint sensor being mounted on the same PCB, or mounted separately in a host device, and connected to the IC on the PCB by a cable.

10. A method for providing a bridge from biometrics input to a computer into secure communication protocol responses to a non-biometrics network, comprising a single integrated circuit (IC) executing the following steps: capturing an image from a fingerprint sensor via a first interface block,
pre-processing the captured fingerprint image in an image capture and pre-processing block, using hardware-embedded algorithms optimized for high-speed processing of raw fingerprint image data, into a dataset of reduced size,
transferring the pre-processed dataset to a central processor for extracting compact fingerprint minutiae via a high-speed bus,
retrieving, by the central processor, compact fingerprint minutiae from a non-volatile storage module holding pre-stored master compact fingerprint minutiae of authorized persons,
comparing, in the central processor, the compact fingerprint minutiae of the captured fingerprint with the pre-stored master compact fingerprint minutiae,
producing, in dependence of the result from the said comparison, a secure output in a pre-defined format to an external unit, network or system through one of a plurality of communication interfaces.

11. The method according to claim 10, further comprising pre-loading into the non-volatile memory a subset of the administrative software which tailors the output secure communication response to the target network or Intranet to a pre-defined format and sequence, including handshake sequences.

12. The method according to claim 11, wherein the output from the IC is blocked, via a non-authorized access state, if the matching by IC of the captured compact fingerprint minutiae is negative relative to all of the authorized compact fingerprint minutiae stored in the non-volatile memory.

13. The method according to claim 11, wherein the output from the IC is opened, via an authorized access state, if the matching by the IC of the captured compact fingerprint minutiae is positive relative to any of the authorized compact fingerprint minutiae stored in the non-volatile memory.

14. The method according to claim 11, wherein the pre-loaded subset of the administrative software can combine the steps of: generating a pseudo-random secure key or password,
applying any of the encryption methods at hand and embedded in the hardware blocks, such as DES, ECB, CBC, TDES, or any proprietary encryption algorithm also embedded in hardware, and
tailoring handshake sequences according to the rules of secure communication of the device, network or system.

15. The method according to claim 11, wherein the pre-loaded subset of the administrative software is adapted to perform sequencing the operation of the respective functionality blocks of the IC in order to produce secured output data which is suitable for transmission in the targeted network and for processing by receiving units connected to the network.

16. The method according to claim 10, wherein secure communication parameters of a network or a device, including at least one of encryption seed, electronic certificates, PKI keys, and IP address of a targeted server or resident computer in a device are pre-stored during a personalization of the IC into either embedded SmartCard block or external SmartCard chip, or in scrambled format on external non-volatile memory.

17. The method according to claim 16, wherein: said secure communication parameters can only be retrieved from the embedded SmartCard block or from the external SmartCard chip upon a positive match of the captured compact fingerprint minutiae relative to compact fingerprint minutiae of an authorized person, and
an output signal from the IC including secure communication responses is initiated in dependence upon the result of a comparison of the captured compact fingerprint minutiae relative with compact fingerprint minutiae of an authorized person.

18. An embedded biometric access control device, comprising: a biometric access device adapted to be embedded within a stand-alone appliance that uses an integrated circuit (IC) for bridging the functionality of fingerprint input from a user to secure communication with other parts of the said stand-alone appliance, said IC comprising:
a central processor communicating with the other on-chip components via a high speed bus,
a secure internal non-volatile memory connected to the high-speed bus, wherein the non-volatile memory either stores all program code, administrative software, tailored security output responses and fingerprint representations in the form of compact fingerprint minutiae securely within the IC or is capable of storing encryption seeds for sensitive data stored on an external non-volatile memory,
a first memory interface block connected to the high speed bus for interfacing with volatile memory and for providing working memory available to other modules on the integrated circuit,
a second memory interface block connected to the high speed bus for interfacing with non-volatile memory, for alternative storing of program code, administrative software, tailored security output responses, and fingerprint representations in the form of compact fingerprint minutiae, being encrypted internally in the IC by encryption seeds from an encryption block,
a first interface block coupled to a fingerprint sensor,
an image capture and pre-processing block connected to said first interface block, said image capture and pre-processing block being adapted to perform the initial processing of raw fingerprint images captured from the sensor into a dataset of reduced size, denoted intermediate fingerprint data, the intermediate fingerprint data being submitted as output to the central processor via the high speed bus for final processing to compact fingerprint minutiae on the central processor,
one or more encryption modules connected to the high-speed bus for providing encryption information, or alternatively scrambling information or for performing encryption or scrambling, the central processor being adapted to apply the encryption or scrambling information to the fingerprint data for producing secured data as an output to the high speed bus, and
one or more second interface blocks for supplying the secured data to other modules of the stand-alone appliance.

19. The embedded access control device according to claim 18, further comprising: fingerprint information non-volatile storage means, such as e.g. a SmartCard unit, for storing information related to the fingerprint characteristics of authorized users,
fingerprint input means for entering the fingerprint characteristics of authorized users into non-volatile memory of the IC, and
fingerprint verification means in the form of processing capability including biometrics software for checking the authenticity of a user trying to access the device.

20. The embedded access control device according to claim 18, further comprising: a fingerprint storage module in which the device stores a series of consecutive fingerprint representations generated by the fingerprint sensor signal capturing and pre-processing block,
movement analyzing means, in the form of a hardware or a software movement analyzing program module for analyzing the obtained series of fingerprint representations to obtain a measure of the omni-directional finger movements across the sensor in two dimensions,
translation means in the form of a hardware or a software translation program module for analyzing and categorizing the omni-directional finger movements across the fingerprint sensor according to predefined sets of finger movement sequences including directional and touch/no-touch finger movement sequences, and
a command table for translating the categorized finger movements into control signals whereby the translating means generates control signal for controlling the stand-alone appliance in response to the finger movements on the sensor.

21. The embedded access control device according to claim 18, wherein: the operating and control software of the stand-alone appliance is loaded into the non-volatile memory block of the integrated circuit IC, and
said operating and control software of the stand-alone appliance is executed by the central processor of the IC.

22. A method of secured access control and user input in stand-alone appliances having an embedded biometric access control device, the method comprising performing the following steps in an integrated circuit: capturing an image from a fingerprint sensor via a first interface block,
pre-processing the captured image in an image capture and pre-processing block using hardware-embedded algorithms optimized for high-speed processing of raw fingerprint image data, into a dataset of reduced size,
transferring the pre-processed dataset to a central processor for extracting compact fingerprint minutiae via a high-speed bus,
retrieving, by the central processor, compact fingerprint minutiae from a non-volatile storage module holding pre-stored master compact fingerprint minutiae of authorized persons,
comparing, in the central processor, the captured compact fingerprint minutiae with features of the pre-stored master compact fingerprint minutiae, and
producing, in dependence of the result from said comparison, a pre-defined secure output to other parts of the stand-alone appliance.

23. The embedded access control device according to claim 18, wherein said device implements secure access to various functions in an automobile, including door locks or engine ignition.

24. A biometrics security integrated circuit (IC) for biometrically authenticating individuals in a secure application comprising: at least one memory interface block for interfacing with one or more external memories;
a first interface block coupled to a biometrics sensor;
an image capture and pre-processing block connected to the first interface block, said image capture and pre-processing block adapted to reduce raw biometric image data into a dataset of reduced size;
at least one non-volatile memory block;
a secure internal non-volatile memory capable of storing either program code, administrative software, tailored security output responses and fingerprint representations in the form of compact fingerprint minutiae or encryption seeds for sensitive data stored on an external non-volatile memory;
at least one encryption module, said at least one encryption module operable to encrypt and decrypt biometric data, secure applications messages, and other secret information; and
one or more second interface blocks;
a central processor to process the reduced-size dataset, received over the high speed bus, into compact biometric characteristics,
wherein the IC, under the control of the central processor executing instructions stored in the at least one non-volatile memory block and/or accessed through the at least one memory interface block, is operable to:
capture, process, and store compact biometric characteristics of at least one authorized individual;
capture and process compact biometric characteristics of an individual to be authenticated;
compare the compact biometric characteristics of an individual to be authenticated with stored compact biometric characteristics of the at least one authorized individual; and
based on the result of said comparison, generate a secure authorized or not authorized message to the secure application and transmit said message through the one or more second interface blocks;
further wherein said compact biometric characteristics of the at least one authorized individual and other secret information are stored in the at least one non-volatile memory block and/or in encrypted form in an external memory where the encryption key for said encrypted form is stored only in the at least one non-volatile memory.

25. The biometrics security integrated circuit (IC) of claim 24, wherein: the compact biometric characteristics are compact fingerprint minutiae;
the biometric data are fingerprint data;
the raw biometric image data are raw fingerprint image data; and
the biometrics sensor is a fingerprint sensor.
Patents cited by this patent (48)
Youmans Arthur H. (Houston TX) Lichtenberg Heinz D. (Houston TX), Apparatus for logging inclined earth boreholes.
Egger Shawn E. (7779 W. Dead Creek Rd. Baldwinsville NY 13027) Sherman Harold G. (Baldwinsville NY), Apparatus for remotely controlled movement through tubular conduit.
Scherbatskoy Serge A. (3921 Clayton Rd. E. Fort Worth TX 76116) Neufeld Jacob (113 Cedar La. Oak Ridge TN 37830), Apparatus for transporting measuring and/or logging equipment in a borehole.
Jacobs Scott K.,CAX ; Evenson Robert S.,CAX ; Macaulay Donald M.,CAX, Consistent drag floating backing bar system for pipeline pigs and method for using the same.
de Buda Eric G. (55 Humberview Rd. Toronto ; Ontario CAX M6S 1W7) Boon John R. (431 Satok Crescent Milton ; Ontario CAX L9T 3P2) Dolbey Michael P. (5 Glen Robert Dr. Toronto ; Ontario CAX M4B 1J4), Pneumatically operated pipe crawler.
Graham Gordon A. (28 Tuscan Street Rossmoyne W.A. 6155 AUX) Pasznicki William V. (5 Pavetta Crescent Forrestfield W.A. 6058 AUX) Connell William F. (Lot 186 Old Northam Road Chidlow W.A. 6556 AUX) Pr, Self-propelled apparatus.
Bianco Peter Garrett ; Boon William Taylor ; Sterling Robert Brewster ; Ware Karl Roger, System, method and computer program product for allowing access to enterprise resources using biometric devices.