WO2003003333A2

WO2003003333A2 - Personal identification badge that resets on the removal of the badge from the wearer

Info

Publication number: WO2003003333A2
Application number: PCT/US2002/020798
Authority: WO
Inventors: Mark T. Smith
Original assignee: Hewlett-Packard Company
Priority date: 2001-06-29
Filing date: 2002-06-27
Publication date: 2003-01-09
Also published as: US20030001722A1; WO2003003333A3; JP2005527005A; US6778066B2

Abstract

A security badge to be worn by a person seeking access to a secure system. The badge includes a data processor having a non-volitile and a volitile memory, a transceiver, and an attachment sensor. The volitile memory stores information related to the wearer's security clearance. This information is loaded after the badge is attached to the person and the person's identity is verified. This information is deleated from the volitile memory if the badge is removed from the wearer or subjected to tampering. The data processing system has sufficient computing power to allow the badge to execute encrypted communications with the security system.

Description

Personal Identification Badge that Resets on the Removal of the Badge from the Wearer

Field of the Invention

The present invention relates to security systems that regulate access to secure areas, and more particularly, to a security badge that is attached to the authorized person and resets itself when removed from that individual.

Background of the Invention

To simplify the following discussion, the present invention will be explained in terms of security systems for use in accessing computers and the like; however, it will be apparent from the following discussion that the present invention may be utilized in other security systems.

Computer systems having access to a network typically utilize some form of access control to assure that unauthorized individuals do not gain access to confidential information or do damage to the network and/or computers connected thereto. The secure access protocols often require a user to memorize multiple passwords and protocols. For example, the user may need a first password to log onto a terminal in the network, a set of different passwords corresponding to the various servers in the networks or secure directories within a server, and yet another set of passwords relating to various software programs and related files.

Electronic identification cards have been used to automate the logon and access control processes. Such systems sense a personal identification presented by the user. The card can be in the form of a radio frequency identification (RFID) card which is sensed remotely by the computer terminal or a card that is passed through a reader by the user.

While such cards can be used to automate the logon process, they do not provide sufficient security to satisfy the needs of many systems. The authenticity of the card can, in principle, be verified by the system that queries the card; however, the system cannot necessarily identify the person presenting the card. An unauthorized person who has gained control of such a card can still access the system.

In principle, the computer terminal can be equipped with hardware that also allows it to authenticate the person presenting the card. In fact, if the person can be identified directly, then an identification card is not needed. Identification systems based on retinal scans, voiceprints, and fingerprints are well known in the art. This hardware would need to be present at each of the terminals. The cost of providing such hardware at each terminal is often prohibitive.

Even in those situations in which identification hardware is provided at each terminal, the system must still deal with interruptions that occur when the user leaves the terminal for a brief period of time. Consider the case of a user who has logged onto a terminal using some form of personal identification system. If the user leaves the terminal without logging off, an unauthorized user can gain access to the system through the open terminal. Hence, the terminal must have some method for determining that the authorized user remains present at the terminal after the logon. For example, an RFID card worn by the user can be queried periodically to determine that the user is still at the terminal.

If the authorized user breaks contact with the terminal, either because the user left the terminal for a short period of time or because the monitoring system failed to detect the person on one of the periodic queries, the terminal needs to disable itself. When the user again makes contact with the terminal, the logon process must be repeated. A logon process that verifies the identity of the user through fingerprints, retinal scans, etc. requires a relatively long procedure. Hence, such systems are frustrating to use, since a user who turns away from the computer or crosses the room to get a document can be forced to repeat the entire logon protocol.

Systems based on personal identification cards also present logistical problems for the users and system operators. In such systems, each user is provided with an identification card that must be presented to the system to gain authorization. The card is assigned to the particular user. To guard against an unauthorized person gaining control of the card, the assigned person usually takes the card home at night. If the user leaves the badge at home or loses the badge, the user must go through an often lengthy process of obtaining a new badge or some form of temporary badge in the case in which the user has left his or her badge at home. In addition, the system must provide one badge for each user who is authorized to use the system, whether or not that person will use the system on any particular day. Hence, the number of security badges that must be maintained can be quite large. Since these badges are typically powered by batteries, the costs of providing and maintaining the badges is significant.

Broadly, it is the object of the present invention to provide an improved security badge system.

It is a further object of the present invention to provide a security system that can authenticate a user without requiring expensive personal identification hardware at each work station.

These and other objects of the present invention will become apparent to those skilled in the art from the following detailed description of the invention and the accompanying drawings.

Summary of the Invention

The present invention is a security badge to be worn by a person seeking access to a secure system. The badge includes a data processor having a non- volatile and a volatile memory, a transceiver, and an attachment sensor. The volatile memory stores information related to a security clearance associated with the person. This information is loaded after the badge is attached to the person. The transceiver sends signals generated by the processor and receives signals specifying operations to be carried out by the badge. These signals include signals that provide the person wearing the badge access to the secure system. Upon detecting the removal of the badge from the wearer, the attachment sensor causes irrformation stored in the volatile memory to be altered such that the person no longer has access to the secure system. The transceiver can utilize optical, electromagnetic or acoustic signals for communicating with the secure system. In one embodiment of the invention, the badge includes a tamper sensor for detecting an alteration in the badge that could allow the contents of the volatile memory to be read and rendering information stored in the volatile memory unreadable when the tamper sensor detects such an alteration. In another embodiment, the badge includes a random number generator for generating random numbers for use in coded transmission between the badge and the secure system. The random number generator may utilize a sensor for sensing an environmental variable that determines the random number sequence generated by the random number generator. In another embodiment of the invention, the badge has low and high power modes, the processor being capable of performing at least one computation in the high power mode that cannot be performed in the low power mode. The processor switches from low power mode to high power mode in response to the transceiver detecting a predetermined signal while in the low power mode. In another embodiment of the invention, the attachment sensor includes an attachment mechanism and a position sensor. The attachment mechanism has an open position and a closed position. The attachment mechanism secures the badge to the person in the closed position. The position sensor monitors the state of the attachment mechanism.

Brief Description of the Drawings

Figure 1 is a schematic drawing of a system for securing access to a computer system having a number of terminals.

Figure 2 is a block diagram of one embodiment of a badge 21 according to the present invention.

Detailed Description of the Invention

The manner in which the present invention provides its advantages may be more easily understood with reference to Figure 1, which is a schematic drawing of a system for securing access to a computer system having terminals shown at 11 and 12. Access to the , system is provided by a badge 21 that is worn by a user 20 who wishes to gain access. Badge 21 is affixed to the user in a manner in which the removal of badge 21 after it has been affixed can be detected by the badge. For example, badge 21 can be placed around the neck of user 20 via a cord 22 that includes a clasp 23. Cord 22 is short enough to guarantee that the badge cannot be removed from the neck of the wearer without undoing clasp 23 or breaking cord 22. Badge 21 has a sensor that detects the opening of clasp 23 or the breakage of cord 22. For example, cord 22 may include a conducting fiber whose continuity is sensed by badge 21. When clasp 23 is opened, this conductive path is broken.

To gain access to the computer system, user 20 puts on badge 21 and approaches terminal 11, which loads the information into badge 21 needed for the user to access one or more of the other workstations in the network. Terminal 11 includes a user identification system 14 that is utilized to verify the identity of user 20. Identification system 14 may include physical sensors such as those needed to make a voice print, retinal scan, or fingerprint scan. The identification system may also include a database having information known only to user 20, which may be utilized in generating queries that only user 20 would know how to answer.

Once the identity of user 20 has been established by terminal 11, terminal 11 loads information into badge 21 that is utilized by badge 21 in subsequent communications with the other terminals in the system. To simplify the following discussion, it will be assumed that the various terminals communicate with badge 21 via infra-red signals that are sent and received by the transceivers shown at 15-16. As will be explained in more detail below, this information is loaded using an encryption system that assures that an eavesdropper cannot gain access to the stored information in a manner that would allow the eavesdropper to communicate with the various terminals in the system.

In addition to loading the various clearances associated with user 20, a "day secret" is also loaded in badge 21. The day secret is a code that changes each day and is known to all of the workstations. Since the code changes from day to day, the permissions granted to user 21, in effect, expire each day. Once badge 21 has been loaded with the various security clearances assigned to user 20, user 20 can approach the terminals that are authorized to serve user 20 such as terminal 12 and gain access thereto. Each terminal includes a transceiver that queries the identification badges. When a terminal detects a valid badge that has permission to use that terminal, the terminal allows the user to log onto the terminal and communicates the user's. various clearances to the servers within the system.

The terminal in question periodically queries badge 21 to assure that the user is still at the terminal. If the terminal loses contact with the badge, the terminal covers any material on the display with a "screen saver" display and enters a first locked mode. During this mode, the terminal periodically sends out query signals. If the badge returns, the terminal utilizes an abbreviated logon dialog to verify the user and returns the display to the condition at the time communication was originally lost. If the user is absent for more than a first predetermined time period, the terminal enters a second locked mode which requires a more extensive logon protocol to return control to the user.

Having provided the above outline of the operation of a security system according to the present invention, a more detailed description of the operation of the badges and the communication protocols will now be given. Refer now to Figure 2, which is a block diagram of one embodiment of a badge 21 according to the present invention. Badge 21 includes a processor 31 that utilizes a non-volatile memory 32 to store the operating system utilized by the processor. Badge 21 also includes a user certificate volatile memory 33 that is used to store the "permissions" granted to the user and other information needed to gain and maintain access to a terminal. Badge 21 is also assumed to hold an identification number that is stored in the non-volatile memory of the badge.

Badge 21 utilizes a transceiver 34 to communicate with the various computer terminals. Transceiver 34 may utilize any form of communication link to communicate with the computer terminals in the system. In the preferred embodiment of the present invention, transceiver 34 utilizes an infra-red link; however, communication links based on radio frequency signals or ultra-sound may also be utilized. Infra-red or RF links are preferred because they impose the lowest power requirements on badge 21 which is typically powered by a battery. Infra-red links have the added advantage of assuring that the badge will only respond if it is near a terminal and properly oriented with respect thereto. In contrast, RF links tend to be omnidirectional, and RF signals can pass through many types of walls. Hence, a terminal cannot be assured that the badge wearer is nearby without some other form of badge localization.

In addition, badge 21 has a sensor 35 that detects a break in the continuity of cord 22. Whenever sensor 35 detects a break in cord 22, processor 31 erases the contents of memory 33. Similarly, if power is lost, the contents of memory 33 are lost. Badge 21 can also be equipped with other forms of "tamper" sensors, such as sensor 38, that cause the contents of memory 33 to be lost if someone attempts to open the badge or otherwise gain access to the contents of memory 33. Hence, badge 21 is automatically reset whenever it is removed, loses power, or subjected to tampering.

As will be explained in more detail below, badge 21 preferably includes a random number generator 39 that provides the random numbers utilized in the various secure communications protocols. Pseudo-random number generators based on computer computations that start from a "seed" are known to the art and may be utilized when the highest degree of security is not needed. However, in the preferred embodiment of the present invention, random number generator 39 utilizes one or more environmental sensors to generate the random numbers provided by generator 39 in a manner that cannot be predicted even by observing the previously generated random numbers provided by generator 39. Unpredictable random number sources can be based on temperature sensors or noise signals generated by resistors or other circuit components.

The affixation of the badge to the user prior to the badge being loaded by terminal 11 can be verified by security personnel stationed at a point that all users must pass before reaching terminal 11. Such verification prevents a user from closing clasp 23 when the badge is not affixed to the user and then presenting himself and the badge to terminal 11 for loading.

As noted above, the communications between the various terminals and badge 21 must be secure from eavesdropping. Data encryption protocols for securing such communications are well known to those skilled in the art, and hence, will not be discussed in detail here. For the purposes of this discussion, it will be assumed that terminal 11 and each badge have a protocol that allows terminal 11 and each badge to generate a "secret", denoted by "k" that is known only to terminal 11 and the particular badge in question. The value of k is determined by protocols that depend on the random numbers generated by generator 39. For example, the elliptic curve version of the Diffie-Hellman protocol may be utilized to generate such a secret. The reader is directed to Handbook of Applied Cryptography" by Menezes, van Oorschot, and Vanstone (CRC Press, 1997, and to Elliptic Curves in Cryptography by Blake, Seroussi, and Smart, Cambridge University Press, 2000) for a more detailed discussion of various communication algorithms.

Consider a hospital setting in which controlled access to confidential records such as patient treatment records is to be provided to the clinicians while protecting the confidentiality of those records. Each clinician wears a badge similar to those described above. The badge is filled with the clinician's identity information, denoted by Cred, in the following discussion. This information is stored in the volatile memory of the badge as discussed above. In particular, the badge will automatically erase Cred and become inactive as soon as the badge is detached from the clinician to which it is assigned.

The badge is activated by the action of physically attaching the badge to a clinician and running an authentication protocol between the badge and an administrative computer such as terminal 11 discussed above. During the activation protocol, the administrative computer will verify the clinician's identity by scanning the clinician's retina. At the end of the authentication protocol, the badge will be loaded with Cred and thereby activated.

While being active (i.e., remaining worn by the clinician), the badge will be able to establish secure sessions of communications with one or more of the clinician's computers (denoted C) whenever the clinician faces the computer and is within the range of an infra-red communication link constructed from ports on C and the badge. These secure sessions of communications between the badge and C are part of a second protocol, referred to as the records protocol. In the preferred embodiment of the present invention, the badge power supply is very limited; hence, the system is preferably setup in a manner that minimizes the demands on the badge power supply. In addition to performing the various communication protocols, the badge must be able to detect the presence of the administrative computer and C computers. In addition, the badge must be capable of signaling its continued presence to these computers during interactions with them. In the preferred embodiment of the present invention, the badge has a "dormant" state in which the badge listens for signals on the communication link and "wakes up" when a signal that needs a response is detected. With the exception of this listening activity and other housekeeping functions such as providing power to the volatile memory and tamper detection circuitry, the other power consuming functions of the badge are turned off in the dormant state.

The badge enters the dormant state after it is attached to the user. The administrative computer is programmed such that its transceiver sends out a periodic login signal indicating that it is ready to activate a badge. This login signal is one of the signals that the badge is programmed to detect in the dormant state. When the wearer approaches the computer, her badge detects this login signal and wakes up for the activation protocol in which the badge is loaded with Cred and activated such that the wearer can log onto a C computer. Once the activation protocol is completed, the badge again returns to the dormant state.

Each of the C computers likewise sends out a periodic login signal when that computer is free and ready to login a new user. This second login signal is also one of the signals detected by the badge in the dormant state. When the badge wearer approaches the C computer, the badge detects the login signal and switches from the dormant state to engage in the login protocol discussed below.

At the end of the C computer login protocol, the C computer transceiver is programmed to send a third signal that is recognized by the badge in the dormant state. This signal is used to verify that the user is still at the terminal. The badge is programmed to respond to this signal by sending a specific acknowledgment signal in return. This communication can be part of the dormant state operations or part of a second low power state. If a badge does not acknowledge the verification signal described above, the C computer initiates a re-login procedure by sending a fourth signal that is recognized by the badge in the dormant or low power state. This signal is repeated until the badge responds accordingly or a predetermined period of time elapses. If the badge responds according to that protocol, the C computer resumes the verification signal. If the badge does not respond appropriately, the user is logged off of the terminal, and the C computer enters the mode in which it sends the C computer login signal.

The badge is capable of performing the less computationally intensive public-key encryption operations such as elliptic-curve point multiplication and generating the hash function SHA-1 utilized in the Secure Hash Standard as published in the Federal Register.

The level of security needed in the interchange between the administrative computer and the badge wearer depends on the level of security surrounding the administrative computer and the degree of honesty of the badge wearer. For example, if the badge wearer can be assumed to be honest, then the system does not need to guard against the wearer recording the exchange. This leaves only the possibility that a third party will eavesdrop on the exchange between the badge and the terminal. If the administrative computer is in a location that is secured with respect to such eavesdropping, the exchange need not be encrypted at all.

If, on the other hand, the badge wearer cannot be trusted, then an encryption protocol that is immune from eavesdropping must be utilized. In this case, any suitable public or private key encryption system may be used by the computers and the badges to develop a key for later use in encrypting messages. If a private key system is utilized, the system must be arranged in a manner that guarantees that the key cannot be extracted from the badge. For example, the badge can include tamper sensors that erase the key information if tampering is detected. \

Similarly, the level of security needed in the exchanges between the C computers and the badge depend on the value of the information and the trustworthiness of the wearer. In general, the badge and the C computer must authenticate each other, since it is assumed that the C computers are not secure. If, however, the C computers are secure, then only the badge needs to be authenticated by the C computer. The level of security needed to assure privacy with respect to the communications between the badge and the C computer again depends on the ease with which these communications can be monitored. If there is a possibility of eavesdropping, then a suitable public or private key encryption system must be utilized in the authentication exchange. Similarly, the secondary protocol utilized at the C computers to reestablish a lost link with a badge can be replaced by any suitably secure protocol that is less computationally intensive that the login protocol used to commence the session between a badge wearer and C.

As noted above, the system can utilize any type of transceiver to generate the communication link between the badge and the relevant computer terminals. Infra-red sensors are preferred, however, because such sensors require relatively low power and provide increased security over other types of communication links such as RF links. An eavesdropper can monitor an RF signal from a location outside of the cubical or room in which the badge and terminal are operating. In contrast, light-based systems require the eavesdropper to have a clear line of sight to both the terminal and badge transceivers.

The above-described embodiments of the present invention utilized a sensor in an attachment cord to detect the removal of the badge from the person's body. However, other mechanisms for sensing the removal of the badge from the wearer can be utilized for this function. Any form of sensor that provides a signal when the badge is removed from the user can be utilized. For example, the badge can be attached to the wearer's clothing via a clip that can detect the opening thereof. When the clip is opened, the badge resets itself to the inactive state. Similarly, the badge can be incorporated into a wrist band that has an expandable band that provides a signal to the badge when the band expands sufficiently to allow it to be removed from the wearer's wrist.

In addition, embodiments in which the badge utilizes some form of biometric measurement to assure that the badge is still on the authorized individual's body can be constructed. Sensor's that detect body heat or pulse can be utilized for this function. Such sensors may be included in wristwatch-like embodiments of the invention in which the sensor is pressed against the wrist of the user when the badge is worn by the user. If the badge is removed, the temperature will decrease or the pulse signal will be lost. If the badge is carried in the person's wallet, a light sensor can be used to detect the removal of the badge from the wallet. Accordingly, break sensor 35 can be replaced by any sensor that detects the removal of the badge from the wearer. Similarly, cord 22 and clasp 23 can be replaced by any attachment mechanism that provides a signal indicating that the badge has been removed from the wearer.

The above-described embodiments of the present invention assume that the authentication of the wearer is performed by equipment attached to an administrative computer. However, embodiments in which authentication hardware is part of the badge itself can also be practiced. For example, the badge may include an identification sensor 41 such as a fingerprint scanner. In such an embodiment, memory 32 would also store a file of authorized fingerprints. In such an embodiment, the fingerprint scanner would be enabled when the controller in the badge detects the attachment of the badge to the wearer. Similarly, the badge may include a microphone that is used to record the voiceprint of the user after the badge is attached to the user. The detected voiceprint would then be compared to a library of voiceprints to verify the identity of the user.

The recognition work can also be split between the badge and the computer terminals. For example, the biometric identification hardware such as the fingerprint scanner, microphone, pulse detector, or temperature detector can be part of the badge. The measurements made by these elements would then be communicated to the computer terminal. The computer terminal would then compare the received measurements with data identifying the various authorized users.

While the above-described embodiments of the sensors for detecting the removal of the badge from the wearer have utilized a single attachment sensor, a combination of several sensors can also be utilized. For example, an attachment sensor constructed from a combination of sensors that detect both the temperature and pulse of the wearer can provide increased security. Similarly, a combination of measurements can be utilized to increase the confidence level of the user identification process. For example, both a fingerprint and a series of questions posed to the wearer can be utilized.

It should be noted that the badges of the present invention are not permanently associated with particular individuals, and hence, an employee does not need to take his or her badge home. The badges can be picked up from a big basket near station A when needed and thrown back to the basket at the end of the day. Hence, the costs and inconvenience associated with losing or damaging a badge are significantly reduced.

Various modifications to the present invention will become apparent to those skilled in the art from the foregoing description and accompanying drawings. Accordingly, the present invention is to be limited solely by the scope of the following claims.

Claims

WHAT IS CLAIMED IS:

1. A security badge to be worn by a person, said badge comprising:

a data processor having a non- volatile memory and a volatile memory;

a transceiver for sending signals generated by said processor and receiving signals specifying operations to be carried out by said badge, said signals including signals that provide said person access to a secure system; and

an attachment sensor for detecting the removal of said badge from said person, said attachment sensor causing information stored in said volatile memory to be altered such that said person no longer has access to said secure system when said attachment sensor detects said removal, wherein said volatile memory stores information related to a security clearance associated with said person.

2. The security badge of Claim 1 wherein said volatile memory stores information enabling the wearer of said badge to gain access to a data processing system.

3. The security badge of Claim 1 wherein said badge stores a program enabling said badge to load information in said volatile memory.

4. The security badge of Claim 3 wherein said attachment sensor detects the attachment of said badge to said person and, in response thereto, enables said badge to load information in said volatile memory.

5. The badge of Claim 1 wherein said transceiver comprises a receiver and a transmitter for respectively receiving and transmitting optical signals.

6. The badge of Claim 1 further comprising a tamper sensor for detecting an alteration in said badge that could allow the contents of said volatile memory to be read, said tamper sensor causing information stored in said volatile memory to be rendered unreadable when said tamper sensor detects said alteration.

7. The badge of Claim 6 wherein said tamper sensor causes one piece of information stored in said non- volatile memory to be rendered unreadable when said tamper sensor detects said alteration.

8. The badge of Claim 1 further comprising a random number generator.

9. The badge of Claim 8 wherein said random number comprises a sensor for sensing an environmental variable that determines a random number generated by said random number generator.

10. The badge of Claim 1 wherein said badge has low and high power modes, said processor being capable of performing at least one computation in said high power mode that cannot be performed in said low power mode, said processor detecting a first signal from said transceiver while in said low power mode and causing said badge to enter said high power mode when said first signal is detected, wherein said badge consumes more power in said high power mode than in said low power mode.

11. The badge of Claim 10 wherein said processor detects a second signal from said transceiver in said low power mode and responds by sending a reply signal without leaving said low power mode.

12. The badge of Claim 1 wherein said processor executes a first program in response to receiving a first signal on said transceiver and a second program in response to receiving a second signal on said transceiver.

13. The badge of Claim 1 wherein said attachment sensor comprises an attachment mechanism having an open position and a closed position for securing said badge to said person in said closed position and a position sensor for detecting that said mechanism is in said open position.

14. The badge of Claim 13 wherein said attachment mechanism comprises a band for encircling part of said person's body.

15. The badge of Claim 14 wherein said position sensor detects that said band includes a break.

16. The badge of Claim 14 wherein said position sensor detects that said band has a length greater than a predetermined value.

17. The badge of Claim 13 wherein said attachment mechanism comprises a clip for securing said badge to an article of clothing worn by said person.

18. The badge of Claim 13 wherein said position sensor comprises a temperature sensor.

19. The badge of Claim 13 wherein said position sensor comprises a pulse sensor for detecting the pulse of said person.