This invention relates to a digital pen system and in particular, but not exclusively, to a digital pen system arranged to provide authentication data in order to authenticate the identity of a user. The invention also provides related methods.
The proliferation of networked processing devices, such as computers, has led to an increased need for mechanisms to prevent unauthorised access to the processing devices and also to electronic documents accessible from the computing devices. The use of PINs (Personal Identification Numbers), passwords and the like is well known. It will be appreciated that such use of PINs and passwords relies upon those PINs and passwords remaining secret, and as such it is undesirable to leave written records from which the PIN or password can be determined or which make the PIN or password easier to determine.
Indeed some input mechanisms, such as the digital paper system provided by the Anoto™ company, may require that confidential information such as the PIN or password should be written down. It is not desirable to leave such information written on the paper because it could easily be found and used by other people. Thus, such input mechanisms would be insecure because they leave a trace on the paper that could later be viewed by other people.
Some applications using a digital pen and paper system may need input of confidential or private data other than a password or a PIN. Such information may be explicitly written on the paper and therefore the same problem arises.
The use of biometric inputs such as fingerprint recognition and retina scanning is also becoming known. However, such techniques require specialist hardware, which adds to the complexity and cost of systems.
According to a first aspect of the invention there is provided a digital pen system comprising a pen adapted to mark a medium and a sensor arranged to determine the position on the medium of a mark made by the pen, the system being arranged to identify a plurality of different areas on the medium and being further arranged to authenticate a user in dependence upon authentication data input by the user, the authentication data having a value dependent upon the order in which a group of the plurality of different areas of the medium are marked by the pen.
Such a system is advantageous in that it allows a user to be authenticated by use of a pen from a digital pen and paper system. It will be appreciated that the term pen may cover pens, styluses, pointers, or other hand held input devices.
The sensor may generate stroke data and the system may be arranged to store the stroke data for later processing or it may be arranged to process the stroke data as it is input to the system. It is also possible for the pen of the system to be arranged to process the stroke data, or to arrange another processing device of the system to process the stroke data.
According to a second aspect of the invention there is provided a method of authenticating a user comprising using a sensor of a digital pen system to generate stroke data, processing the stroke data to determine the position of marks made by the pen on a medium having a plurality of areas thereon, the method authenticating the user in dependence upon authentication data which has a value dependent upon the order in which a group of the plurality of different areas of the media are marked by the pen.
Such a method has advantages in that it allows the user of a digital pen system to use the pen thereof to authenticate the identity of that user.
According to a third aspect of the invention there is provided a digital pen system in combination with a medium, the system comprising a pen adapted to mark the medium and a sensor arranged to determine the position of a mark, made by the pen, on the medium and generate stroke data therefrom; the system being arranged to derive a set of symbols from the stroke data with each symbol in the set corresponding to one or more marks made by the pen; the system being further arranged to select according to predetermined criteria based upon the order in which the marks were made by the pen, a sub-set from the set of symbols wherein the sub-set constitutes information that it is desired to input to the system; and wherein use of the pen on the medium is such that, once the information has been entered, the marks upon the medium cannot be used to determine the information.
Such a combination is advantageous because a third party is not able to determine the information from the medium once the information has been input to the system. As such the security of the information may be increased.
According to a fourth aspect of the invention there is provided a processing device arranged to receive stroke data, generated by use of a pen from a digital pen system on a medium having a plurality of areas thereon, the processing device being arranged to process the stroke data and identify a plurality of the areas of the medium marked by the pen, the device being further arranged to authenticate a user in dependence upon authentication data having a value dependent upon the order in which the areas of the medium were marked by the pen.
According to a fifth aspect of the invention there is provided a machine readable medium containing instructions which when read by a processing device cause that processing device to provide the method of the first or third aspects of the invention.
According to a sixth aspect of the invention there is provided a machine readable medium containing instructions which when read by a processing device cause that processing device to perform as at least a part of the system of the second aspect of the invention.
The machine readable medium of any of the aspects of the invention may be any one or more of the following: a floppy disk; a CD ROM/RAM; a DVD ROM/RAM (including +R/RW, −R/RW); any form of magneto optical disk; a hard drive; a memory; a transmitted signal (including an internet download, file transfer, or the like); a wire; or any other form of medium.
There now follows by way of example only a detailed description of the present invention with reference to the accompanying drawings in which
Referring to
The pen 8 comprises a writing nib 10, and a camera 12 made up of an infrared (IR) LED 14 and a CMOS sensor 16. The camera 12 provides a sensor of the digital pen system. The camera 12 is arranged to image a circular area adjacent to the tip 11 of the pen nib 10. A processor 18 processes images from the camera 12 taken at a predetermined rapid sample rate. A pressure sensor 20 detects when the nib 10 is in contact with the document 2 and triggers operation of the camera 12. Whenever the pen is being used on an area of the document 2 having the pattern 6 on it, the processor 18 can determine from the pattern 6 the position of the nib 10 of the pen whenever it is in contact with the document 2. From this it can determine the position and shape of any marks made on the patterned areas of the document 2. This information is stored in a memory 22 in the pen as it is being used as stroke data.
When the user has finished marking the document 2, this is recorded in a document completion process, for example by making a mark with the pen 8 in a send box 9. The pen is arranged to recognise the pattern in the send box 9 and send the stroke data to a stroke interpretation system in a suitable manner, for example via a radio transceiver 24 which provides a Bluetooth™ radio link with an internet connected PC. Suitable pens 8 are available from Logitech under the trade mark Logitech Io and Nokia™ which sells a “digital pen”.
In other embodiments the pen 8 may not rely on IR to read the document identifying indicia and may instead rely on any other suitable media. For example any of the following non-exhaustive list of media may be suitable: UV light; visible light; x-ray; radio waves, any other electro-magnetic radiation.
Further, it will be appreciated that the medium 3 need not be paper and could be any other suitable material. For example, the medium 3 may be any of the following non-exhaustive list: a plastics material, glass, fabric, metal, a composite of any of the following or any other material. Further, it will be appreciated that the position identifying markings need not be printed on the surface 3 of the medium and could be provided within the medium. For example, the markings 5 could be provided on the surface of a material which has subsequently been laminated.
As the pen 8 is used on the document 2 a series of strokes are made. It is useful to think of a “stroke” as a single mark drawn by the pen 8 on the document 2. Hence, a stroke period starts when the pen 8 is pressed against the document 2 and ends when the pen 8 is lifted away from the document 2. Since the pen captures samples at a given rate, a stroke will be captured as the group of image samples taken in that period. Each sample taken by the pen 8 is timestamped.
Referring to
The skilled person will appreciate that the global network 314 allows devices, such as a server 318, to be accessed from the network 308 including the computer 304.
In the embodiment shown the computer 304 is what is commonly referred to as a desktop PC; a computer that originally conformed to the IBM™ specification but which now commonly refers to a computer being compatible with the Intel™ X86 instruction set. It will be appreciated that the computer could equally comprise any other architecture of computer or indeed could comprise a machine that was not a recognised architecture. The computer may for example comprise any of the following architectures: an Apple™ PowerPC™ or other Apple™ computer, a RISC (Reduced Instruction Set Computer) machine or the like.
The network 308 is commonly referred to as an Ethernet network covered by the IEEE 802.3 standard but the skilled person will appreciate that any other network protocol may be used. The network may for example be a token ring network or may be a wireless network such as a WIFI (WIreless FIdelity as defined by the IEEE 802.11 standard), HomeRF or HiperLAN.
In the embodiment being described the pen 8 is connected to the computer 304 with a wireless connection 306. This wireless connection 306 may conveniently be provided by a Bluetooth™ connection. Other wireless protocols may also be suitable including any of the following: WIFI (WIreless FIdelity as defined by the IEEE 802.11 standard), HomeRF or HiperLAN. The skilled person will appreciate that in other embodiments a wired connection may be suitable to connect the pen 8 to the computer 304. In such an embodiment the connection may be provided by means such as a USB (Universal Serial Bus) or Firewire™ (IEEE 1394) connection or the like. Connection is intended to cover any connection allowing data to be passed between the pen 8 and the computer 304.
As shown in the example shown in
The computer 304 forwards the stroke data that it has received to the server 318. The server 318 provides the stroke interpretation system that allows the stroke data to be interpreted. As discussed, the pen has determined its position in pattern space 400 and the stroke interpretation system determines the meaning of the strokes made by the pen 8. To identify the document 2, or indeed portion of the document 2, from which the stroke data has been generated a document registry server may be accessed.
Therefore the system also comprises a document registry server which in the embodiment being described is provided by the server 312. Once the stroke data has been interpreted by the stroke interpretation system the identity of the document is determined and the document registry server performs this. The result of the stroke interpretation performed by the stroke interpretation system is provided to the document registry server which returns the identity of the document; the stroke registry server maintains a record of what position-identifying pattern 6 has been provided to what document, or portion of a document 2. In the current embodiment the document registry server and the stroke interpretation system are shown as being provided by different servers 312,318. The skilled person will appreciate that this need not be the case and the same server or other processing device could provide the two functions. The term processing device is intended to cover any device that is capable of performing processing of data. Examples of processing devices include but are not limited to the following examples: a computer, a server, a digital pen, a printer, a hub and/or switch, PDA, camera, telephone, and the like.
In other embodiments the stroke interpretation system 318 and/or the document registry server 312 may be provided by any other suitable means. For example the server 312 on the network 308 and/or the computer 304 may each be able to provide the stroke interpretation system and/or the document registry server. Any suitable processing device or combination of processing devices that the pen 8 can access via the computer 304 and the networks 308 and 314 may provide the stroke interpretation system and/or the document registry server. Indeed, the pen 8 may provide the stroke interpretation system and/or the document registry server.
Thus, the combination of the stroke interpretation server (the server 318) and the document registry server (the server 312) is able to return the identity of the document, or portion thereof, on which the pen 8 is writing by interpreting the stroke data provided by the pen 8.
An embodiment of the invention is now described that allows a user to write, i.e. input, information, which may be confidential, on the digital document 2 in such a way that it is recorded by the pen 8 but the resulting trace on the document 2 becomes indecipherable as the information input.
The document 2 shown in
Each checkbox is printed in an area of the document 2 that is provided with position-identifying pattern 6. Each of these checkboxes is associated unambiguously with a symbol and in the example shown in
Once the user has entered the information by ticking the four checkboxes 600-604 he/she ticks the ok (submit) checkbox 502 to indicate that the information has been entered (step 1202). In this embodiment the stroke data is then sent to the computer 304 for processing to determine the information (PIN) that has been entered (step 1206). This is shown in
The skilled person will appreciate that the number of possible passwords that can be created is $\sum_{k=1}^{N} {}^{N}P_{k}$, where ${}^{N}P_{k} = N!/(N-k)!$ denotes the number of permutations of k out of N characters. If N=10 this sum is 9,864,100. This assumes that the password is between 1 and 10 characters in length. If the number of characters in the password is increased further (such that a checkbox may be used more than once) then this number increases further.
The computer 304 is arranged to process the stroke data and in conjunction with the stroke interpretation server (the server 318) and the document registry server (312) determines the symbols that the user marked with the pen 8. That is, in step 1028, the stroke data is sent to a stroke interpretation system (provided by server 318). The identity of the document is obtained in step 1210 from the document registry server (provided by the server 312). Once the stroke data has been interpreted and the identity of the document 2 has been obtained then the identity of the checkboxes 500 that have been ticked, before the send checkbox 502 was ticked, can be obtained in step 1212. The PIN can then be determined from the order in which the checkboxes 500 were ticked in step 1214.
If desired and/or, depending upon the security requirements, the user may ensure that each, or a random number, of checkboxes 500 are ticked more than once. Such ticking of the checkboxes is shown in
After the user has marked the four checkboxes (one box was used twice) the user checks off the submit checkbox 502 (“OK” checkbox). This again causes the stroke data to be sent to the computer 304. Since a number has been introduced twice (the numeral 2 via checkbox 702), and in order to ensure the maximum privacy, in this case the user checks off all the remaining checkboxes so that they end up with two ticks (
It may be that the more times checkboxes 500 are ticked after the submit checkbox 502 is ticked, the more difficult it will be to infer the information (in this case the PIN) later on. The number of times the checkboxes are ticked is a trade-off that depends on the level of security required and convenience for the user.
Although the previous embodiments are described as having the reset checkbox 504 this need not be provided. As will be described later the reset checkbox 504 could allow the user to rectify the information if he/she realises that a mistake has occurred. The reset checkbox 504 may be arranged to indicate that all information entered in the checkboxes 500 is to be reset. In other embodiments the reset checkbox 504 may refer to part of the information entered in the checkboxes 500, for instance one character (i.e. one tick in one of the checkboxes) is to be removed (for example the last one).
A third example shows how to use the reset checkbox 504 and is explained in relation to
As can be seen from
Once the user has discovered the error he/she then ticks the reset checkbox 504 (
A final example shows a simplified version where no submit checkbox (“OK” checkbox) is used and is explained in relation to
The skilled person will appreciate the information need not be the first n symbols entered and the method may be arranged such that, for example, the 3rd to 6th symbols entered provide the PIN. Such an arrangement may provide a means for increasing the security of the method further. In further examples, predetermined symbols may provide the PIN (for example the 2nd, 4th, 7th and 8th symbols that are entered may provide the PIN).
A further variation on the method is to use long passwords and a small number of characters. For example, if only numbers 0, 1, 2 and 3 are allowed, and the password has to be 15 symbols long, it is likely that all checkboxes will get checked off and hence there might be no need for checking off additional areas.
In the examples so far, the depicted ticks were composed of only one stroke as defined above. However, this may not be the case.
One way to avoid complexity in the method may be to force the user to do one-stroke ticks. A printed message on the document 2 could indicate to the user how to do this. Another solution may be to constrain the information (e.g. PIN) by not allowing two consecutive ticks in the same checkbox 500 (hence all consecutive strokes in a checkbox would be considered as belonging to the same tick).
A further solution is to program the application to recognize a single tick even in cases where multiple-stroke ticks are used. This may be done using certain time thresholds to group strokes into ticks. It is common that the time interval between strokes belonging to the same tick will be shorter than the time interval between strokes belonging to different ticks. Hence, two strokes can be considered to belong to the same tick if the timestamp value of the last sample of the first stroke is close to the timestamp value of the first sample of the following stroke.
Another solution is to perform tick recognition based on shape. Ticks usually have simple standard shapes. As we saw, for instance, a common tick is a cross, which can be easily recognized. Furthermore, a solution based on the combination of any of the methods described could be used.
In addition, it could occur that a given tick is not contained within one checkbox 500. In this case, the application will have to decide to which checkbox 500 the tick belongs. One way to do this is, for instance, to choose the checkbox that contains more samples of that tick. Other methods may be used.
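The time-threshold grouping and the majority-of-samples rule described above, as an added Python example (not code from the patent). The 400 ms threshold, the `Stroke` type, the checkbox coordinates and the sample strokes are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

TICK_GAP_MS = 400  # assumed threshold; the text gives no value

# Constructed layout: symbol -> (x_min, y_min, x_max, y_max) in pattern units.
CHECKBOXES = {"1": (0, 0, 10, 10), "2": (12, 0, 22, 10), "3": (24, 0, 34, 10)}


@dataclass
class Stroke:
    samples: list  # [(timestamp_ms, x, y), ...] in capture order


def box_at(x, y, boxes):
    """Return the symbol of the checkbox containing (x, y), or None."""
    for symbol, (x0, y0, x1, y1) in boxes.items():
        if x0 <= x <= x1 and y0 <= y <= y1:
            return symbol
    return None


def group_into_ticks(strokes, gap_ms=TICK_GAP_MS):
    """Merge strokes into ticks: a stroke joins the previous tick when its first
    sample follows that tick's last sample by no more than gap_ms."""
    ticks = []
    for stroke in sorted(strokes, key=lambda s: s.samples[0][0]):
        if ticks and stroke.samples[0][0] - ticks[-1][-1].samples[-1][0] <= gap_ms:
            ticks[-1].append(stroke)
        else:
            ticks.append([stroke])
    return ticks


def tick_symbol(tick, boxes):
    """Assign a tick to the checkbox holding most of its samples."""
    votes = Counter()
    for stroke in tick:
        for _, x, y in stroke.samples:
            symbol = box_at(x, y, boxes)
            if symbol is not None:
                votes[symbol] += 1
    return votes.most_common(1)[0][0] if votes else None


def symbols_in_order(strokes, boxes=CHECKBOXES, gap_ms=TICK_GAP_MS):
    """Ordered symbols for all ticks that landed on a checkbox."""
    symbols = (tick_symbol(t, boxes) for t in group_into_ticks(strokes, gap_ms))
    return [s for s in symbols if s is not None]


# Constructed sample: a two-stroke cross in box "2", a tick that starts in
# box "1" and overshoots into "2", then a single-stroke tick in box "3".
SAMPLE_STROKES = [
    Stroke([(1000, 13, 1), (1020, 16, 5), (1040, 20, 9)]),
    Stroke([(1190, 20, 1), (1210, 16, 5), (1230, 13, 9)]),
    Stroke([(3000, 4, 4), (3020, 8, 6), (3040, 9, 8), (3060, 13, 9)]),
    Stroke([(5000, 26, 2), (5020, 30, 8)]),
]

if __name__ == "__main__":
    print(symbols_in_order(SAMPLE_STROKES))
```

With a threshold shorter than the pause between the two strokes of the cross, the same input yields an extra symbol, which is why the threshold has to be chosen against real writing behaviour.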
Processing of the stroke data provided by an application on the computer 304 will now be described in association with the state diagram shown in
At the beginning, no confidential information has been received and hence the system is in state 0 1100. If information is entered, it is stored temporarily, and the system goes to state 1 1102. In this state, the input of information is handled the same way (data is stored). Then, when the submit checkbox 502 is ticked, the system moves to state 2 1104 and the information received so far is treated provisionally as the valid information to be processed. Once no more strokes are left to process, the application will take that information and use it for the desired purposes. Whenever the reset checkbox is checked off, the application moves back to state 0 1100 and the system erases the information entered so far. If that occurs in state 0 or 1, no information can be processed.
Simplified versions of this algorithm (e.g. no submit or reset checkboxes) can easily be deduced for those skilled in the art. A portion of pseudo code now follows that may be suitable for realising an embodiment of the invention:
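The pseudo code itself is not reproduced on this page. As an added example (not the patent's own code), the state machine described above can be written in Python as follows; the tick labels `OK` and `RESET`, the handling of a submit tick in state 0, and both sample sessions are assumptions constructed for illustration.

```python
from collections import Counter
from enum import Enum

SUBMIT, RESET = "OK", "RESET"  # assumed labels for checkboxes 502 and 504


class State(Enum):
    EMPTY = 0      # state 0: no information held
    ENTERING = 1   # state 1: information stored temporarily
    SUBMITTED = 2  # state 2: stored information provisionally valid


def extract_information(ticks):
    """Run the three-state machine over ticks in the order they were made.
    Returns the entered string, or None if processing ends in state 0 or 1."""
    state, buffer, accepted = State.EMPTY, [], None
    for tick in ticks:
        if tick == RESET:
            # Reset from any state erases everything entered so far.
            state, buffer, accepted = State.EMPTY, [], None
        elif state is State.SUBMITTED:
            continue  # ticks made after submit only obscure the paper trace
        elif tick == SUBMIT:
            if state is State.ENTERING:
                state, accepted = State.SUBMITTED, "".join(buffer)
            # Assumption: submit with nothing entered is ignored (state 0 kept).
        else:
            buffer.append(tick)
            state = State.ENTERING
    return accepted if state is State.SUBMITTED else None


def paper_trace(ticks):
    """What a later reader of the paper sees: tick counts per symbol checkbox,
    with no ordering information."""
    return Counter(t for t in ticks if t not in (SUBMIT, RESET))


# Constructed session: PIN 1225, submit, then extra ticks until every one of
# the ten digit checkboxes carries exactly two marks.
PADDED = list("1225") + [SUBMIT] + list("15") + list("0346789") * 2
# Constructed session: a mistake, reset, correct entry, submit.
CORRECTED = list("13") + [RESET] + list("1234") + [SUBMIT]

if __name__ == "__main__":
    print(extract_information(PADDED), dict(paper_trace(PADDED)))
    print(extract_information(CORRECTED))
```

For the padded session the recovered value depends only on tick order, while `paper_trace` returns the same count for every checkbox, which is the property the description relies on.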
Although the embodiments described above have had one set of checkboxes 500 it is equally possible for a document 2 (which may be any number of pages in length) to have a plurality of sets of checkboxes 500 and/or submit 502 and/or reset 504 checkboxes.
Number | Date | Country | Kind |
---|---|---|---|
0409006.4 | Apr 2004 | GB | national |

Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP05/51795 | 4/22/2005 | WO | 00 | 9/12/2007 |