
GB2247964A - Controlling access to a keyboard-operated computer system - Google Patents

Info

Publication number
GB2247964A
Authority
GB
United Kingdom
Prior art keywords
intervals
user
comparison
access
functions
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9020064A
Other versions
GB9020064D0 (en)
Inventor
John Robert Devany
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to GB9020064A
Publication of GB9020064D0
Publication of GB2247964A
Withdrawn (current legal status)

Classifications

    • G - PHYSICS
    • G06 - COMPUTING OR CALCULATING; COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 - User authentication
    • G06F21/32 - User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G - PHYSICS
    • G07 - CHECKING-DEVICES
    • G07C - TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 - Individual registration on entry or exit
    • G07C9/30 - Individual registration on entry or exit not involving the use of a pass
    • G07C9/32 - Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • G07C9/33 - Individual registration on entry or exit not involving the use of a pass in combination with an identity check by means of a password

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A method of controlling access to a computer system is provided wherein the delays between successive key depressions of a password are measured, S3, and are compared with stored delays, S4, the differences between successive delays are determined, S5, and are compared with stored differences, S6, and a "degree of belief" score in the range -N to +N is assigned on the basis of the two comparisons, S8. If this score is more positive than a predetermined value +M which is indicative that the delays and differences are those of an authorised user whose characteristic delays and differences are stored in the computer system, then access is allowed immediately. If the "degree of belief" score is more negative than a predetermined negative value -M then access is prohibited. If the "degree of belief" score is in the range -M to +M then the process is repeated.

Description

Keyboard-operated system and method of restricting access thereto

The present invention relates to a method of restricting access to a keyboard-operated system and in another aspect relates to a keyboard-operated computer system.
It is known to restrict access to computers by assigning a password to authorised users and requiring that a correct password should be entered from the keyboard before access is allowed. Usually a predetermined number of attempts at entering the password are allowed before the computer disallows further attempts.
However in many cases the password can easily be guessed and in any case such a procedure is ineffective once the password is known to an unauthorised person. The consequences of unauthorised access to computers by "hackers" and others are notorious and can include loss and corruption of valuable data by computer "viruses" as well as theft of confidential information. Accordingly a need exists for a method of restricting access to computers and other keyboard-operated systems which is more reliable than a simple password and which does not place an undue burden on authorised users.
In one aspect the present invention provides a method of restricting access to a keyboard-operated system comprising the steps of measuring the intervals between the signals due to characters entered from a user-operated keyboard, comparing said intervals and/or functions thereof with predetermined intervals and/or functions thereof and allowing or refusing further access of the user to said system on the basis of the comparison.
It has been found that such intervals are characteristic of a particular user, as are functions of such intervals such as the differences between successive intervals, for example.
Typically, an authorised user would initially enter a unique password (such as his name for example) a number of times and the respective intervals between each successive pair of characters would be averaged, as would the differences between successive intervals. These average values would be stored and when the same password is entered in future the new intervals and differences between successive intervals would be compared with the stored average intervals and differences which can be considered to represent the "keyboard signature" of the user. If the new intervals and differences are sufficiently close to the stored intervals and differences, it can be assumed that the password is being entered by the genuine authorised user. If there is a large discrepancy then it can be assumed that the password is being entered by someone other than the authorised user and access can be refused. If there is an intermediate discrepancy then the user can be asked to enter the same or a different password, for example, before a decision is made as to whether to allow or refuse access.
In another aspect the invention provides a keyboard-operated computer system comprising means for measuring the intervals between signals due to characters entered by a user via a keyboard, means for comparing said intervals and/or functions thereof with stored intervals and/or functions thereof and access-controlling means arranged to control further access of the user to the computer system on the basis of the comparison.
Typically, the intervals measured will be the time intervals between key depressions but the intervals can also be measured in units of processor cycles (or other arbitrary units) for example, provided that the period of each processor cycle is reasonably constant.
A preferred embodiment of the invention is described below by way of example only with reference to Figures 1 and 2 of the accompanying drawings, of which: Figure 1 is a diagrammatic representation of a computer system in accordance with the present invention, and Figure 2 is a flow diagram applicable to the system of Figure 1 which illustrates a method in accordance with the invention.
Referring to Figure 1, the computer system shown comprises a personal or mini-computer 1 which functions as a terminal to a distant mini or mainframe computer 5 which functions as a host computer. Further computers 6 and 7 are linked to host computer 5 in a local network, for example. Computer 1 is provided with a modem 3 which is connected via a telephone line to a modem 4 which is in turn connected to host computer 5. As described thus far, the computer system is entirely conventional.
In accordance with the invention, host computer 5 is programmed to measure the time intervals between signals arriving from modem 4 due to characters of a password entered by a user from the keyboard 2 of computer 1 and to compare these time intervals with stored time intervals.
Each stored time interval between two successive signals corresponding to two successive characters is the average time interval between the signals corresponding to those characters when those characters are entered by an authorised user of the password, and is derived by previously arranging for the authorised user to type in his password several (e.g. 5 or more) times, measuring the time intervals between successive signals each time the password is entered and deriving an average in respect of each pair of successive characters. It should be noted that the average time interval between the signals corresponding to frequently used characters and characters which are adjacent on the keyboard (such as E and D for example) will normally be shorter than the time interval between the signals corresponding to less frequently used characters and characters which are far apart on the keyboard (such as Z and Y for example). Each of these intervals will be characteristic of the user and moreover will to some extent be characteristic of the system, since the telephone link will introduce delays which will not necessarily be the same for each successive pair of characters. Furthermore the delays will to some extent depend on the size and other physical characteristics of the keyboard. Thus if a "hacker" or other unauthorised user attempted to gain access to host computer 5 from another terminal at another location, the system would possibly deny him access even if he typed in the correct password with delays between key depressions at the keyboard which corresponded to the delays between the authorised user's key depressions at that location.
Preferably the time interval which is measured is the time interval between the leading edge of the waveform of the first bit of a character and the leading edge of the waveform of the first bit of the next character, although this is not critical. In cases in which the computer system consists of only a single computer (and therefore has a constant processing speed) the intervals between key depression signals can be measured in terms of processor cycles rather than in units of time. Furthermore the intervals between the instants at which the keys are released can be measured, or the durations of the key depression can be measured, for example.
The way in which access is controlled in the system of Figure 1 will now be described in more detail with reference to the flow chart of Figure 2.
First the system is initialised (step S1) and an overall "degree of belief" parameter, which represents the likelihood that the user is the authorised user of his password, is set to zero. This parameter can range from -N to +N (a high positive value indicating that it is likely that the user is authorised and a very negative value indicating that the user is unauthorised), so a value of zero indicates that the user is equally likely to be authorised as to be unauthorised.
In step S2, a request for a password is displayed on the screen of computer 1. The user then types in his individually assigned password (step S11) and the time intervals t between the signals due to the key depressions are measured (step S3). These measured intervals are compared with stored intervals and an individual "degree of belief" score n is assigned to each measured interval (step S4). Similarly the differences d between successive measured intervals are determined (step S5) and are compared with the differences between the stored intervals, and an individual "degree of belief" score is assigned to each difference (step S6):

TABLE 1

Password:              P A S S W O R D
Measured interval:     t1 t2 t3 t4 t5 t6 t7
Difference:            d1 d2 d3 d4 d5 d6
Degree of belief (t):  n1 n2 n3 n4 n5 n6 n7
Degree of belief (d):  n8 n9 n10 n11 n12 n13

The individual "degree of belief" scores n1 to n13 are then summed (step S7). It should be noted that these scores can range from negative to positive values. An overall "degree of belief" score (which may be equal to the sum of n1 to n13 for example) is then assigned (step S8) and this score is then added to the previously initialised (zero) "degree of belief" score (step S9). If the result is greater than (i.e. more positive than) a value +M (step S10) then access is allowed (step S12). If the result is more negative than -M (indicating that the user is almost certainly not the user whose intervals are stored) then access is prohibited (step S13). Access is also prohibited if the password is incorrect.
In many cases the result of step S9 will be greater than -M but not greater than +M (for example N') and in such cases a repetition of the password is requested on the display of computer 1 (steps S2 and S11) and steps S3 to S10 are repeated. If the repetition of the password results in a score N" at step S8 then the sum N' + N" is compared with the limits +M and -M (steps S10 and S14) in order to decide whether to allow access, to prohibit access or to repeat the loop via step S2. A limit may be placed on the number of allowed attempts at gaining access (for example by counting the number of repetitions of the loop) and alternatively or additionally the step S9 may be modified so as to decrement the sum of the new and old overall "degree of belief" scores so as to bias the system towards disallowing access as the number of repetitions of the loop (attempts at gaining access) increases.
It should be noted that although the system described above by way of example utilises differences between successive intervals as criteria for assigning "degree of belief" scores, numerous other functions of the time intervals could be employed - for example the maximum difference between any of the measured time intervals and the corresponding stored time intervals or the standard deviation of the measured time intervals in comparison with the standard deviation of the stored time intervals.
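The Figure 2 loop (steps S1 to S13), with the optional attempt limit and per-repetition decrement, written out as an added Python example that is not part of the patent text. The three-level scoring rule, the millisecond tolerances, the values chosen for N, M, the attempt limit and the decrement, and all timing samples are assumptions constructed for illustration.

```python
from statistics import mean

# Every constant and sample below is an assumption made for this illustration.
N = 30                     # overall belief is kept within -N..+N
M = 10                     # allow above +M, prohibit below -M
MAX_ATTEMPTS = 4           # optional limit on repetitions of the loop
BIAS = 1                   # optional decrement per repetition, applied at step S9
T_NEAR, T_FAR = 30, 90     # ms tolerances for intervals
D_NEAR, D_FAR = 40, 120    # ms tolerances for differences

# Constructed timings (ms): 7 intervals for the 8-character password "PASSWORD".
ENROLMENT = [
    [180, 150, 210, 240, 160, 190, 170],
    [170, 160, 200, 250, 150, 200, 180],
    [190, 140, 220, 230, 170, 180, 160],
    [175, 155, 205, 245, 155, 195, 175],
    [185, 145, 215, 235, 165, 185, 165],
]
GENUINE = [185, 145, 200, 250, 165, 180, 175]
HESITANT = [230, 150, 210, 300, 160, 190, 170]
IMPOSTOR = [320, 120, 400, 110, 350, 90, 300]


def diffs(intervals):
    """Differences between successive intervals (step S5)."""
    return [b - a for a, b in zip(intervals, intervals[1:])]


def enrol(samples):
    """Average every interval and every difference over several entries."""
    return {
        "t": [mean(col) for col in zip(*samples)],
        "d": [mean(col) for col in zip(*(diffs(s) for s in samples))],
    }


def score(measured, stored, near, far):
    """Individual score: +1 if close, -1 if far, 0 in between (assumed rule)."""
    err = abs(measured - stored)
    return 1 if err <= near else (-1 if err >= far else 0)


def attempt_score(intervals, template):
    """Steps S4 to S8: score t1..t7 and d1..d6, then sum n1..n13."""
    n_t = [score(m, s, T_NEAR, T_FAR) for m, s in zip(intervals, template["t"])]
    n_d = [score(m, s, D_NEAR, D_FAR)
           for m, s in zip(diffs(intervals), template["d"])]
    return sum(n_t) + sum(n_d)


def authenticate(attempts, password, template):
    """attempts: list of (typed_text, intervals). Returns (decision, belief, tries)."""
    belief, tries = 0, 0                                  # step S1
    for typed, intervals in attempts:                     # steps S2, S11, S3
        tries += 1
        if typed != password or len(intervals) != len(template["t"]):
            return "deny", belief, tries                  # incorrect password
        belief += attempt_score(intervals, template) - BIAS * (tries - 1)  # S9
        belief = max(-N, min(N, belief))
        if belief > M:
            return "allow", belief, tries                 # step S12
        if belief < -M or tries >= MAX_ATTEMPTS:
            return "deny", belief, tries                  # step S13 or attempt limit
    return "repeat", belief, tries                        # still between -M and +M


if __name__ == "__main__":
    tpl = enrol(ENROLMENT)
    for name, seq in [("genuine", [GENUINE]), ("hesitant", [HESITANT, GENUINE]),
                      ("impostor", [IMPOSTOR])]:
        print(name, authenticate([("PASSWORD", s) for s in seq], "PASSWORD", tpl))
```

With these samples the hesitant first entry scores 8, which falls between -M and +M, so the decision is only reached after the repeated entry.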

Claims (14)

Claims
1) A method of restricting access to a keyboard-operated system comprising the steps of measuring the intervals between the signals due to characters entered from a user-operated keyboard, comparing said intervals and/or functions thereof with predetermined intervals and/or functions thereof and allowing or refusing further access of the user to said system on the basis of the comparison.
2) A method as claimed in claim 1 wherein the intervals between successive characters of a password are measured.
3) A method as claimed in claim 1 or claim 2 wherein the differences between successive intervals are measured and said differences are compared with predetermined difference values.
4) A method as claimed in any preceding claim wherein if the comparison indicates that the discrepancy between the user's intervals and/or functions thereof and the predetermined intervals and/or functions thereof is small then further access is allowed, if the comparison indicates that the discrepancy is large then further access is prevented and if the comparison indicates that the discrepancy is intermediate then a further comparison is required before allowing or preventing further access.
5) A method as claimed in any preceding claim wherein the intervals between said signals and/or predetermined functions thereof for a given sequence of characters are compared with stored intervals and/or functions thereof which are characteristic of an authorised user entering that series of characters, a value indicative of the likelihood that the user of the keyboard is that authorised user is assigned on the basis of the comparison, the comparison is repeated for the same or a different series of characters, said assigned value is modified on the basis of the repeated comparison and further access is prevented or allowed in dependence upon the modified assigned value.
6) A method as claimed in claim 5 wherein said assigned value is modified by adding or subtracting a value, derived from the repeated comparison, indicative of the likelihood that the user of the keyboard is said authorised user.
7) A method of controlling access to a keyboard-operated system substantially as described hereinabove with reference to Figure 2 of the accompanying drawings.
8) A keyboard-operated computer system comprising means for measuring the intervals between signals due to characters entered by a user via a keyboard, means for comparing said intervals and/or functions thereof with stored intervals and/or functions thereof and access-controlling means arranged to control further access of the user to the computer system on the basis of the comparison.
9) A computer system as claimed in claim 8 wherein said access-controlling means is arranged to control access to the computer system on the basis of a password entered by the user and on the basis of intervals between successive characters of said password.
10) A computer system as claimed in claim 8 or claim 9 wherein said comparing means is arranged to compare the differences between successive intervals with predetermined reference values.
11) A computer system as claimed in any of claims 8 to 10 wherein said comparing means is arranged to classify the discrepancy between the user's intervals and/or functions thereof and the stored intervals and/or functions thereof as small, large or intermediate and said access-controlling means is arranged to prevent further access if the discrepancy is large and to require a further comparison before allowing or preventing further access if the discrepancy is intermediate.
12) A computer system as claimed in any of claims 8 to 11 wherein said comparing means is arranged to compare the intervals between said signals and/or predetermined functions thereof for a given series of characters with stored intervals and/or predetermined functions thereof which are characteristic of an authorised user entering that sequence of characters, means are provided for assigning, on the basis of the comparison, a value indicative of the likelihood that the user of the keyboard is that authorised user, said comparing means is arranged to repeat the comparison for the same or a different series of characters, said assigning means is arranged to modify said assigned value on the basis of the repeated comparison and said access-controlling means is responsive to the modified assigned value.
13) A computer system as claimed in claim 12 wherein said assigning means is arranged to add or subtract a value, derived from the repeated comparison, indicative of the likelihood that the user of the keyboard is said authorised user.
14) A computer system substantially as described hereinabove with reference to Figures 1 and 2 of the accompanying drawings.
GB9020064A 1990-09-13 1990-09-13 Controlling access to a keyboard-operated computer system Withdrawn GB2247964A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9020064A GB2247964A (en) 1990-09-13 1990-09-13 Controlling access to a keyboard-operated computer system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9020064A GB2247964A (en) 1990-09-13 1990-09-13 Controlling access to a keyboard-operated computer system

Publications (2)

Publication Number Publication Date
GB9020064D0 GB9020064D0 (en) 1990-10-24
GB2247964A true GB2247964A (en) 1992-03-18

Family

ID=10682171

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9020064A Withdrawn GB2247964A (en) 1990-09-13 1990-09-13 Controlling access to a keyboard-operated computer system

Country Status (1)

Country Link
GB (1) GB2247964A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2281645A (en) * 1993-09-03 1995-03-08 Ibm Control of access to a networked system
WO1997023816A1 (en) * 1995-12-21 1997-07-03 Philips Electronics N.V. User identification system for data processing equipment with keyboard
WO2003073243A3 (en) * 2002-02-27 2004-04-08 Advanced Micro Devices Inc Embedded processor with direct connection of security devices for enhanced security
EP1669836A1 (en) * 2004-12-03 2006-06-14 Microsoft Corporation User authentication by combining speaker verification and reverse turing test
WO2011054718A1 (en) * 2009-11-06 2011-05-12 Psylock Gmbh Method and apparatus for avoiding manipulations in authentication and/or identification systems by means of typing behaviour
US20130061301A1 (en) * 2011-09-01 2013-03-07 Microsoft Corporation Distributed computer systems with time-dependent credentials
US9032492B2 (en) 2011-09-01 2015-05-12 Microsoft Corporation Distributed computer systems with time-dependent credentials
US9058467B2 (en) 2011-09-01 2015-06-16 Microsoft Corporation Distributed computer systems with time-dependent credentials

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2184576A (en) * 1985-12-23 1987-06-24 Saxe Frederick L Method and apparatus for verifying an individual's identity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
IBM Technical Disclosure Bulletin, Vol 17, No 11,April 1975,page 3346. *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2281645A (en) * 1993-09-03 1995-03-08 Ibm Control of access to a networked system
WO1997023816A1 (en) * 1995-12-21 1997-07-03 Philips Electronics N.V. User identification system for data processing equipment with keyboard
CN100373284C (en) * 2002-02-27 2008-03-05 先进微装置公司 Embedded processor with secure device direct connection for added security
GB2401457A (en) * 2002-02-27 2004-11-10 Advanced Micro Devices Inc Embedded processor with direct connection of security devices for enhanced security
GB2401457B (en) * 2002-02-27 2005-07-27 Advanced Micro Devices Inc Embedded processor with direct conneciton of security devices for enhanced security
WO2003073243A3 (en) * 2002-02-27 2004-04-08 Advanced Micro Devices Inc Embedded processor with direct connection of security devices for enhanced security
EP1669836A1 (en) * 2004-12-03 2006-06-14 Microsoft Corporation User authentication by combining speaker verification and reverse turing test
RU2406163C2 (en) * 2004-12-03 2010-12-10 Майкрософт Корпорейшн User authentication by combining speaker verification and reverse turing test
US8255223B2 (en) 2004-12-03 2012-08-28 Microsoft Corporation User authentication by combining speaker verification and reverse turing test
US8457974B2 (en) 2004-12-03 2013-06-04 Microsoft Corporation User authentication by combining speaker verification and reverse turing test
WO2011054718A1 (en) * 2009-11-06 2011-05-12 Psylock Gmbh Method and apparatus for avoiding manipulations in authentication and/or identification systems by means of typing behaviour
US20130061301A1 (en) * 2011-09-01 2013-03-07 Microsoft Corporation Distributed computer systems with time-dependent credentials
US8640210B2 (en) * 2011-09-01 2014-01-28 Microsoft Corporation Distributed computer systems with time-dependent credentials
US9032492B2 (en) 2011-09-01 2015-05-12 Microsoft Corporation Distributed computer systems with time-dependent credentials
US9058467B2 (en) 2011-09-01 2015-06-16 Microsoft Corporation Distributed computer systems with time-dependent credentials

Also Published As

Publication number Publication date
GB9020064D0 (en) 1990-10-24

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)