Search Images Maps Play YouTube News Gmail Drive More »
Advanced Patent Search | Page images | Web History | Sign in

Patents

  
[table][merged small][table][merged small][table][merged small][merged small][merged small]
[merged small][merged small][merged small][merged small][merged small][merged small][merged small][merged small][merged small][merged small][graphic][merged small][merged small][merged small][merged small][graphic][table]
[merged small][merged small][merged small][merged small][graphic][table][merged small][merged small][merged small][merged small][merged small][merged small][merged small][merged small][merged small]

BRIEF DESCRIPTION OF THE DRAWINGS

1 2

METHOD AND SYSTEM FOR PREBOOT SUMMARY OF THE INVENTION
USER AUTHENTICATION

The present invention provides a method and system for

FIELD OF THE INVENTION authenticating a user of a computer system using biometric

5 information. The method and system of the present inven

Tt, . • .. , . „,,,,.,,, tion includes registering a biometric template in the comine present invention relates generally to the field of ,e _ 6 . , r, . . _ , , ^. , , ° \, , , ^ puter system, thereafter, verifying the authenticity of the computer security and particularly to a method and system . ^ , , . ^ . ^ , ^ ,°, \, , . „ , . . . „ registered biometnc template and then comparing the motor preboot system authentication of a user. ... , . ... ,i -f +u ^ J metric template with a biometric image the user if the

10 biometric template is authentic. If the user's biometric image

BACKGROUND OF THE INVENTION matches the biometric template, the computer system will

continue to boot.

With the advent of personal computer system use in every The present invention offers multiple layers of security in

day personal and business affairs, the issue of computer that it verifies the authenticity of the biometric template

security has become critical. To protect the information 15 before the template is used to authenticate the identity of the

contained in the personal computer system, which in many user attempting to log on to the computer system. In this

cases may be highly sensitive and confidential, measures manner, the computer system is protected from intruders,

must be taken to ensure that a user attempting to use the Moreover, because registration of the template is performed

computer system is an authorized user. These protective by 311 application program outside of BIOS, the limited

measures should be taken before the operating system 20 resources available in BIOS are not depleted.
("OS") boots because once the OS boots, files can be
deleted, copied, or modified to help a rogue user gain access

to the computer system. FIG j ig a Wock diagram iuustratmg a preferred embodi

Preboot security systems prevent the computer system 25 ment of a system in accordance with the present invention,

from booting if a security breach is detected. So for instance, FIG. 2 is a flowchart illustrating the template registration

a user attempting to use the computer system may be process in accordance with the present invention,

required to enter a password before the computer system FIG. 2A is a block diagram depicting the process in FIG.

will boot. While this method is simple, it has its drawbacks. 2.

First, a rogue user can steal a password from an authorized 30 FIG. 3 is a flowchart illustrating the preboot authentica

user and enter the password to gain access. Second, an tion process in accordance with the present invention,

authorized user could forget the password and therefore be FIG- 3A is a block diagram depicting the process in FIG.

locked out of the computer system. 3.

Currently, biometric data, such as a finger print, is being nrT1IT ...

. ,' , . , . . K ,. . 35 DETAILED DESCRIPTION used to identify authorized users in a variety of applications.

Using biometric data as a security check is advantageous TM . . .. , , . „

, ° i i ^ • • ^ , , ° 1 he present invention provides a method and system tor

because such data is umque to each individual and presum- ^ 5 ^. „ ^ , . :. .

,, ^ , , ,. ^ ^ , , , ^ authenticating a user of a computer using biometnc lnior

ably no other person could replicate or steal such data. .. TM . , . .. . ° , . , ,

,,J ,. , ^ . , j-^ 1 mation. 1 he iollo wing description is presented to enable one

Moreover, biometnc data is characteristic oi the individual. „ ,. , ... . ^ ° ^ , , ^ . ^. ,

„,.,.:,, , 1^-1^1 • 40 oi ordinary skill in the art to make and use the invention and

1 he individual need not remember this data because it is an . ., , . ^ ^ ^ „ ^ ^ ,. ^. ,

. , . . j., . , , . is provided in the context oi a patent application and its

inherent part oi his or her being. r. . ^. 5 ^ j- ,

requirements. Various modifications to the preferred

Applications utilizing biometric authentication generally embodiment and the generic principles and features

include some device or sensor that receives the biometnc described herein will be readily apparent to those skilled in

information. Thus, a sensor can be used to capture data 45 the ^ ^ the present invention is not intended to be

corresponding to a thumbprint or fingerpnnt. This data is limited to the embodiment shown but is to be accorded the

then transmitted to an application that creates a template that widest scope consistent with the principles and features

can be stored and used later when some type of authentica- described herein

tion is required. In such a situation, a current biometric In a preferred embodiment of the present invention, a image is captured from the sensor and compared to the 5Q sensor for obtaining the biometric information is coupled to biometnc template stored previously. If the image and the computer system^ which includes a processor. The protemplate match, then the action requested will be granted. cessor mns an application which allows a system adminis. Otherwise, the request will be denied. trator tQ register the biometric information of an authorized

Biometric authentication at the computer system preboot user into the computer system. The registered biometric

stage is very desirable. Nevertheless, implementing such a 55 information is then stored in memory, preferably, nonvola

security system is difficult. The OS preboot is typically tile memory. Thereafter, when a user tries to log on to the

controlled by the Basic Input and Output System ("BIOS"). computer system, the user will be prompted to submit his or

The available memory and executable code in BIOS is very her biometric information, e.g., fingerprint, via the sensor

limited, and BIOS would not be able to accommodate the prior to a system boot. The BIOS will retrieve the stored

memory and code required to implement a biometric authen- 60 biometric template, verify its authenticity, and compare it to

tication system. the submitted biometric information. If the biometric tem

Accordingly, what is needed is a system and method for plate is authentic and the submitted biometric information

preboot OS authentication of a user using biometric infor- matches the biometric template, the system will boot. Oth

mation. The system and method should ensure that the erwise, the system will not boot and the administrator will

biometric information stored is valid and that such informa- 65 be notified.

tion can be used by BIOS. The present invention addresses FIG. 1 is a system that can be utilized in accordance with

such needs. the preferred embodiment of the present invention. The

3

system 10 includes a computer system 20 coupled to a biometric sensor 30. The sensor 30 can either be a standalone device, which can be coupled to the computer system 20 via a Universal Serial Bus ("USB") port, for example, or the sensor 30 can be an integral part of the computer system 5 20. The computer system 20 includes a processor 50 coupled to the sensor 30 for receiving biometric information. The processor 50 runs a program application 55 that registers an authorized user's biometric information.

As is shown, the computer system 20 includes a BIOS 70 10 and nonvolatile memory 60 accessible by the BIOS 70. The computer system 20 also includes an embedded security system 80, which is coupled to both the processor 50 and the BIOS 70.

To understand the preferred embodiment of the present 15 invention, please refer first to FIGS. 2 and 2A. FIG. 2 is a flowchart illustrating a process for registering the biometric information of an authorized user in accordance with one preferred embodiment of the present invention. FIG. 2A is a block diagram illustrating the same process. The registering 20 process 100 begins at step 110 by receiving biometric information from an authorized user via the sensor 30. The sensor 30 then renders the biometric information and creates a biometric template 122 (FIG. 2A) for the authorized user via step 120. The biometric template 122 is a mathematical 25 representation of the biometric information, e.g., fingerprint, collected by the sensor 30. The biometric template 122 is then passed to the application program 55 running on the processor 50.

Next, in step 130, the application 55 hashes a copy of the 30 biometric template to form a biometric template hash 132. By hashing the biometric template 122, i.e., applying a hash algorithm to the template, slight changes between the template 122 and another hashed template (not shown) can be easily detected, as is well known to those skilled in the art. 35 The biometric template hash 132 is then encrypted in step 140 by the embedded security system 80'.

The embedded security system ("ESS") 80' is preferably a computer chip that performs a digital signature on the biometric template hash 132. In order to access the func- 40 tionality of the ESS 80', the user or administrator could be required to enter a valid password 82, which would be verified by the ESS 80'. Once the template hash 132 is encrypted, i.e. digitally signed, it is passed back to the application 55, which then links the encrypted template hash 45 142 to the biometric template 122, via step 150. The linked template and encrypted template hash pair 152 is then stored in memory 60' in step 160. In the preferred embodiment of the present invention, the linked template/template hash 152 is written to a designated area in CMOS 60', so that it can 50 later be accessed by the BIOS 70.

After registering the authorized user's biometric template 122, the linked template/template hash 152 is now available for user authentication during the next system boot. Because the application program 55 performs the registration process 55 outside of BIOS 70, it is more efficient and user friendly.

FIG. 3, also a flowchart, illustrates the process for preboot system authentication in accordance with the preferred embodiment of the present invention. FIG. 3A is an associated block diagram illustrating the same. The process 200, 60 begins when the BIOS 70 initiates a booting sequence in step 210. The BIOS 70 then prompts the user in step 220 to provide his or her biometric information, e.g., fingerprint, via the sensor 30' (FIG. 3A). In step 230, a biometric image 232 is transmitted from the sensor 30' to BIOS 70. 65

Next, BIOS verifies that the biometric template stored in memory is authentic, i.e., the biometric template is the one

4

certified by the administrator. First, in step 240, BIOS retrieves the linked template/encrypted template hash 152' from memory 60" and separates the pair into the template 122' and the encrypted template hash 142.' In step 242, a hash of the template 122' is calculated to form a first digest value 243. Next, in step 244, BIOS retrieves a public key 245 for the administrator from the ESS 80" and uses it to decode the encrypted template hash 142.' The result is a second digest value 247 representing the decoded template hash 142'. Finally, the first digest value 243 is compared to the second digest value 247 in step 246, and in step 248, it is determined whether the digest values 243, 247 match. If the digest values 243, 247 do not match, the boot sequence is terminated and the administrator notified via step 250. If the digest values 243, 247 match, BIOS 70 has verified that the template 122' has not been altered since the administrator registered the template 122,' and that the template 122' can now be used to verify the identity of the user attempting to log onto the computer system.

Thus, once the template 122' is authenticated, it is loaded into a matching engine 75 in BIOS 70, via step 260, along with the biometric image 232 provided by the user. There, the template 122' and biometric image 232 are compared in step 270. One should note that an exact match between the template 122' and biometric image 232 is not necessarily required because a user would not be expected to provide his or her biometric information in the exact same manner or location each and every time. For instance, the user providing a finger print (biometric information) might place his or her finger in a slightly different location on the sensor 30' each time he or she is prompted to provide biometric information. Thus, in one embodiment of the present invention, a matching algorithm is used in the matching engine 75 to compare "points" from the biometric image 232 and the template 122'. Other methods and algorithms to compare the image 232 and the template 122' would be readily apparent to those skilled in the art, and such methods would fall within the scope and spirit of the present invention.

In step 275, it is determined whether the biometric image 232 matches the template 122.' If a match is determined, the user is the authorized user certified by the administrator, and BIOS 70 will continue to execute the boot sequence in step 280. If a match is not determined, the user is not authorized to operate the computer system and the boot sequence will terminate and the administrator notified, via step 250.

The preferred embodiment of the present invention, therefore, provides a system and method for performing user authentication during the initial boot sequence using biometric information. Through aspects of the present invention, an unauthorized user would be prevented from tampering with the stored template, i.e., replacing the registered template with an unauthorized template, because of the additional encryption steps provided by the ESS during the registration phase. Thus, the present invention offers multiple layers of security in that it verifies the authenticity of the stored template before the template is used to authenticate the identity of the user attempting to log onto the computer system. In this manner, the computer system is protected from intruders. Moreover, because registration of the template is performed by an application program outside of BIOS, the limited resources available in BIOS are not depleted.

Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations to the embodiments and those variations would be within the spirit and scope of the present invention. Accord

« PreviousContinue »