Europäisches Patentamt
European Patent Office
Office européen des brevets

(12) EUROPEAN PATENT APPLICATION

EP 0 844 551 A2

(43) Date of publication: 27.05.1998 Bulletin 1998/22

(21) Application number: 97890210.4

(22) Date of filing: 22.10.1997

(51) Int. Cl.⁶: G06F 1/00

(84) Designated Contracting States:
AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
Designated Extension States:
AL LT LV RO SI

(30) Priority: 28.10.1996 US 738897

(71) Applicant: Veneklase, Brian J.
San Antonio, TX 78249 (US)

(72) Inventor: Veneklase, Brian J.
San Antonio, TX 78249 (US)

(74) Representative: Matschnig, Franz, Dipl.-Ing.
Siebensterngasse 54
1070 Wien (AT)

(54) Computer security system

Remarks:
A request for correction (exchanging the contents of figure 1 with figure 2 and vice versa) has been filed pursuant to Rule 88 EPC. A decision on the request will be taken during the proceedings before the Examining Division (Guidelines for Examination in the EPO, A-V, 3.).

(57) Several embodiments of computer security systems are described and which are adapted to grant an authorized individual access to a secured domain, such as a computer or data stream. In one embodiment, the security system comprises: an analyzing means for receiving first and second passwords, each of said passwords being transmitted over a first communication channel, analyzing said first password, transmitting a first signal output only if said first password is authorized, and granting access to said secured domain only if said second password is substantially identical to a code; and a random code generating means for generating said code, transmitting said code over a second communication channel upon receipt of first signal output, and transmitting said code to said analyzing means; and a notification means for receiving said code and for notifying said authorized individual of the identity of said code.

Printed by Jouve, 75001 PARIS (FR)

Amazon.com Exhibit 1005 - Page 1
Amazon.com, Inc. v. DynaPass IP Holdings LLC
IPR2024-00283 - U.S. Patent No. 6,993,658

Description

1. Field of the Invention

The present invention relates to a security and/or access restriction system and, in one embodiment, to a security and/or access restriction system which is adapted to grant only authorized users access to a computer system and/or to certain data which may be resident within the computer system and/or resident within a communications channel and/or other communications medium.

2. Background of the Invention

In recent years, computers have proliferated in all parts of worldwide society, including but not limited to, banking, financial services, business, education, and various governmental entities. For instance and without limitation, these computer systems allow individuals to consummate financial transactions, to exchange confidential scientific and/or medical data, and to exchange highly proprietary business planning data. Hence, these computer systems require and/or allow very sensitive and confidential data to be stored and transmitted over great geographic distances.

Moreover, the rise of multinational communications networks, such as the publicly available Internet communications system, has truly made the world a smaller place by allowing these computers, separated by great geographic distances, to very easily communicate and exchange data. In essence, these worldwide communications channels/networks, sometimes collectively referred to as "the Information Superhighway" have electronically connected the peoples of the world - both the good and the very bad.

That is, while these computer systems have increased efficiency and greatly changed the manner in which we work and interact, they have been especially prone to unauthorized "break-ins", viral destruction, and/or unauthorized data modifications. Accordingly, the rather sensitive and confidential data which is stored and used within these computer systems and transmitted between these computer systems has been the target of attack by people known as "hackers" and by high level and very sophisticated espionage and industrial spies. Computer access security and data transmission security has recently come to the forefront of importance and represents one of the great needs of our times.

Many attempts have been made to create and utilize various techniques (hereinafter the term "technique" as used and/or employed in this Application refers to any combination of software, hardware, and/or firmware which comprise an apparatus and a methodology whose components cooperatively achieve an overall security objective) to "ensure" that only authorized users are allowed to gain access to these respective computer systems. These prior techniques, while somewhat effective, suffer from various drawbacks.

For example, one such prior computer system security technique comprises the use of predetermined "passwords". That is, according to this security technique, each computer system has a list of authorized passwords which must be communicated to it before access is given or allowed. In theory, one or more "trusted" system administrators distribute these "secret" passwords to a group of authorized users of a computer system. The "secret" nature of the passwords, in theory, prevents unauthorized users from accessing the computer system (since presumably these unauthorized users do not have the correct passwords). This technique is not very effective since oftentimes those authorized individuals mistakenly and unwittingly expose their password to an unauthorized user. Moreover, this technique of data security may be easily "broken" by a "hacker's" deliberate and concentrated attempt at automatically inputting, to the targeted computer, hundreds and perhaps thousands of passwords until an authorized password is created.

In addition to the prior password technique, other, more sophisticated access techniques are known and used. For example, there are known techniques which require the possession of a physical object or feature, such as "access cards" which are "read" by a card reading device and biometric authentication techniques (e.g. requiring the initial input of such authorized user physical characteristics as fingerprints and eye patterns and the later comparison of these input patterns to those of a "would-be" user). Both of these prior techniques are relatively complicated, are relatively costly, and are prone to error, such as and without limitation, mistaken unauthorized entry due to their complexity. These techniques are also prone to unauthorized entry by use of counterfeit and/or stolen cards, objects, and fingerprint readers. Other prior data security techniques, such as encryption, attempt to prevent unauthorized use of transmitted data or unauthorized access to a computer system by modifying and/or changing the transmitted data in a certain manner, and/or requiring the transmission and receipt of modified data before access is granted. While somewhat effective, these prior encryption techniques are relatively costly and complicated and require one or more known "encryption keys" which are in constant exchange between users and which are themselves susceptible to theft and/or inadvertent disclosure. Furthermore, the best-known and perhaps strongest encryption algorithm is proprietary and cannot be used without a costly license. Moreover, since the encrypted message still provides all of the transmitted data, in some form, it is still possible for one to gain access to the entire data stream by "breaking the encryption code". Since no encryption algorithm is ever considered "unbreakable", encryption is not considered to be a "foolproof" security solution.

There is therefore a need to provide a technique to substantially prevent the unauthorized access to one or more computer systems and which overcomes the various drawbacks of these afore-described prior techniques. There is also a need to provide a technique to substantially prevent the unauthorized interception and use of transmitted data and which overcomes the various drawbacks of the prior art. Applicant's invention(s) seek and do meet these needs. Applicant's invention, in one embodiment, achieves these objectives by splitting the data into a plurality of separate communication channels, each of which must be "broken" for the entire data stream to be obtained. In essence, in this embodiment of Applicant's invention, cooperatively form the entire message. The splitting of the data in this manner may also "fool" the would-be data thief into believing that he or she has obtained all of the data when, in fact, only several communication channels are obtained.

SUMMARY OF THE INVENTION

While a number of "objects of the invention" are set forth below, it should be realized by one of ordinary skill in the art that the invention(s) are not to be limited, in any manner, by these recited objects. Rather, the recited "objects of the invention" are to be used to place Applicant's various inventions in proper overall perspective and to enable the reader to better understand the manner in which Applicant's inventions are to be made and used, especially in the preferred embodiment of Applicant's invention. Accordingly, the various "objects of the invention" are set forth below:

It is a first object of the present invention to provide a technique to substantially ensure that only authorized users gain access to a computer system.

It is a second object of the invention to provide a technique to substantially ensure that only authorized users gain access to a computer system and which overcomes the various previously delineated drawbacks of the prior computer system security techniques.

It is a third object of the invention to provide a technique to substantially ensure that only authorized users have access and use of certain transmitted data appearing, for example, within a data stream.

It is a fourth object of the invention to provide a technique to substantially ensure that only authorized users have access and use of certain transmitted data and/or certain hardware, software, and/or firmware which cooperatively form and/or comprise a computer system, and that this technique overcomes the various previously delineated drawbacks of the prior techniques.

According to a first aspect of the present invention, a security system is provided. Particularly, the security system is adapted to be used in combination with a computer and to only grant an authorized individual access to the computer. The security system comprises, in one embodiment, password means for receiving a password by use of a first communications channel; and code generation means, coupled to said password means, for generating a code by use of a second communications channel, and to allow that individual access to the computer system only if that individual generates and communicates the code to the code generation means.

According to a third aspect of the present invention, a method is provided for use with a computer and effective to substantially prevent an unauthorized user from accessing the computer. The method comprises, in one embodiment, the steps of assigning a password to the user; receiving the password by use of a first communications channel; generating a code in response to the received password; transmitting the code by use of a second communications channel to the user; transmitting the code to the computer; and allowing access to the computer only after the code is transmitted to the computer.

According to a fourth aspect of the present invention, a security system is provided to grant an authorized individual access to a secured stream of data bits. In one embodiment, the data security system comprises a data stream dividing means for receiving said stream of data bits and dividing said stream of data bits into a plurality of sub-streams; transmitting means for transmitting said sub-streams in a predetermined order over a communication channel; and a decoding means for receiving said sub-streams and for recombining said received sub-streams to create said secured stream of data bits.

Further objects, features, and advantages of the present invention will become apparent from a consideration of the following description, the appended claims, and/or the appended drawings. It should further be realized by one of ordinary skill in the art that the previously delineated objects and aspects of the invention are for illustration purposes only and are not to be construed so as to limit the generality of the inventions and/or to limit the interpretation to be given to the various appended claims. Moreover, it should also be realized by those of ordinary skill in the art that the term "communications channel" as used throughout this Application refers to any physical and/or electromagnetic means or method of transferring and/or communicating information from one or more sources to one or more receivers. Moreover, the term "communications channel" should be given the broadest known interpretation covering any method and/or medium which facilitates the transfer of information and/or over which such information is transferred.

BRIEF DESCRIPTION OF THE DRAWINGS

For a fuller and more complete understanding of the nature and objects of the present invention, reference should be had to the following drawings wherein:

FIG. 1 is a block diagram of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred security techniques of the invention;

FIG. 2 is a block diagram of another embodiment of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 3 is a block diagram of yet another embodiment of a security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 4 is a block diagram of another embodiment of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 5 is a schematic diagram of a password table used by the computer security systems shown in Figures 1 and 2; and

FIG. 6 is a block diagram of one embodiment of the preferred embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to Figure 1, there is shown a block diagram of a computer security system 10, made in accordance with the principles of the preferred embodiment of the invention and adapted for use in combination with computer 80. More particularly, computer security system 10 selectively allows communication and/or data processing access to computer 80 in a manner which is technically described throughout the remainder of this Application. As shown, security system 10 includes an "analyzing means" 12 and a "random code generating means" 14.

In one embodiment of the preferred embodiment of the invention, analyzing means 12 comprises one or more software subroutines which are adapted to execute upon and/or within computer 80. Alternatively, analyzing means 12 may comprise a microprocessor and/or similar type of computer which is adapted to operate under stored program control in the manner set forth in this Application. One example of another type of computer operating under stored program control and which may be used by the preferred embodiment of the invention is shown and described within chapter eight of the text entitled Advanced Computer Architecture: Parallelism, Scalability, Programmability, which was authored by Kai Hwang, which is published by McGraw-Hill, Inc., which has a library reference number of ISBN 0-07-031622-8, and the entire text of all of the chapters of which are fully and completely incorporated herein by reference, word for word and paragraph for paragraph. In either embodiment, analyzing means 12 receives and compares at least two "sets" or streams of data. Should the individually received "sets" match, analyzing means 12 generates and communicates an "access granted" command to computer 80, allowing individual 18 access to the computer 80. Moreover, random code generating means 14 may similarly comprise a conventional pseudo-random number generator which may be constructed or developed on one or more software subroutines which reside and operate/execute upon and/or within computer 80 or may comprise a microprocessor and/or similar type of computer which operates under stored program control.

In operation, individual 18, desiring access to and within computer 80, utilizes a first communication channel 82 (e.g. a first telephone line, radio channel, and/or satellite channel) and communicates, by use of his or her voice or by use of a computer 19, a first password to analyzing means 12. Analyzing means 12 then checks and/or compares this first received password with a master password list which contains all of the authorized passwords associated with authorized entry and/or access to computer 80.

As shown in Figure 5, in the preferred embodiment of the invention, analyzing means 12 contains a master password list 200 having a first column of entries corresponding to authorized passwords necessary to gain access to computer 80. Moreover, as further shown in Figure 5, each authorized password 202, contained in this master password list 200, has a unique first entry 204 associated with it and which identifies the name of the authorized user who has been assigned that corresponding password and at least one telephone number 206 and/or network address associated with the identified user.

If the received password matches an entry of the master password list, analyzing means 12 generates a command, by means of connecting bus 17 or software message or function call to random code generating means 14 and causes the random code generation means 14 to generate a substantially random and/or pseudo-random number or code, of programmable length, and to transmit the number and/or code, by means of a second communications channel 84, to the individual 85 associated with the received password 202 in the master password list. That is, as should be apparent to one of ordinary skill in the art, code generation means 14 includes both a random number generator and a conventional and commercially available communications interface (e.g. modem and/or telephone/pager interface), allowing the generated pseudo-random code to be generated or communicated over a wide variety of mediums.

Further, it should be apparent that individual 85 may or may not be the same person as individual 18. If individual 18 was the individual identified in the master password list (e.g. "was authorized"), that individual 18 receives the pseudo-random number and transmits the number to the analyzing means 12, by means of communications channel 82. Once the pseudo-random number is received by the analyzing means 12, from channel 82, it is compared with the number generated by generation means 14. If the two codes are substantially the same, entry to computer 80 and/or to a certain part of computer 80 such as, without limitation, the hardware, software, and/or firmware portions of computer 80 is granted to individual 18. For instance, in another embodiment, table 200 of Figure 5 could contain yet another set of entries specifying the directories or portions of computer 80 that the individual 18 was allowed to have access to. In this manner, allowed access to computer 80 would be further restricted to those computer portions which are specified within table 200. It should be apparent to one of ordinary skill in the art that these portions may be different for different users and that each authorized user may have a different portion that may be accessed in an authorized manner.

It should be apparent to one of ordinary skill in the art that Applicant's foregoing computer security technique is a relatively low-cost, but effective technique, for properly ensuring that only authorized users gain access to a computer system, such as computer system 80. That is, Applicant's foregoing computer security embodiment utilizes two distinct communications channels and a random number generator in order to ensure that an authorized user of a computer system is notified that someone or something is seeking access to the computer system with his or her password. Moreover, Applicant's foregoing invention is very cost effective as it employs substantially "off the shelf" and readily available components. Further, the use of a "secret" password, a "secret" substantially random number, and a "secret" second channel allows for multiple levels of security before access to the computer system is achieved and provides enhanced security over the prior art.

Referring now to Figure 6, there is shown a computer system 400 made in accordance with the teachings of the preferred embodiment of the invention and representing one example and/or implementation which is made in accordance with the various teachings of the preferred embodiment of the invention. As shown, computer system 400 includes a host computer 402 (corresponding to computer 80 of the system shown in Figure 1) to which a user or other individual 404 (corresponding to individual 18 of Figure 1) desires access. As further shown in Figure 6, individual 404, in this implementation example, utilizes a commercially available and conventional computer 406 and a commercially available and conventional modem 408 to communicate with a commercially available and conventional modem 410 by means of a typical communications channel (e.g. a conventional "dial-up" telephone line) 412. Hence, the user 404, in this embodiment, only requires conventional computer equipment. Host computer 402, in this embodiment, requires a conventional and commercially available automatic dialer which is altered, in a known manner, to receive and pass one or more passwords and/or codes as data.

In operation, user 404 dials through and/or by means of his or her computer 406 and modem 408 in the usual and conventional manner to connect and access host computer 402. The host computer 402, using the principles of the preferred embodiment of this invention, answers the requester's call, which occurs over channel 412, and requests and receives the user's identification code. Host computer 402 checks the received identification code and cross references the received password code against a pager phone number list resident within the user table 414 which is stored within computer 402. This comparison, if a match is made, causes the "code generator" software subroutine 415, resident within computer 402, to generate a pseudo-random number code and passes the received code along with the authorized user's pager number to the commercially available and conventional automatic dialer 418. The automatic dialer 418 telephones the conventional and commercially available pager 420 by means of conventional and commercially available communication channel 422 (e.g. voice line) and transmits the code to the user's pager. As this happens, the host computer 402 awaits the reply from the user attempting to gain access to the computer.

The user 404 now enters the code he or she has received from the pager 420 and any timing instructions which, in yet another embodiment of the invention, may also be transmitted from computer 402, and sends this password or pseudo-random code back to computer 402 where it is compared within the software subroutine module denoted as "code compare" 416 in Figure 6. If the comparison yields a match, the user 404 is allowed access to computer 402 and/or to a portion of computer 402.

Referring now to Figure 2, there is shown a second embodiment of a computer security system made in accordance with the teachings of the preferred embodiment of the invention. This second embodiment 20 is substantially similar to system 10 but also includes a timer or "timing means" 40 which may comprise one or more software subroutines which are adapted to operate and/or execute within and/or upon computer 80 or may comprise a microprocessor which operates under stored program control. In one embodiment, timing means 40 comprises a conventional "watchdog timer" as will be apparent to those of ordinary skill in the art.

In operation, timing means 40 records the time at which the first and second passwords are received by analyzing means 12. Timing means 40, in one embodiment which is coupled to analyzing means 12 and code generation means 14 by bus 42 and in another embodiment which is in software communication with means 12 and 14, then compares the times to determine whether the second password was received within a predetermined period or predetermined "window" of time after the first password was received. In the preferred embodiment of the invention, the predetermined period of time is programmable. The predetermined period of time will typically need to vary according to the nature of the communications medium used by means 14 to notify individual 85 of the value of the generated code. For example, the predetermined period of time would be shorter when communications channel 84 comprises a pager or cellular phone, since the owner has immediate access to the code upon transmission; and longer when communications channel 84 comprises a voice-mail system which the owner has to affirmatively access to receive the code. If the second password was not received within the predetermined period of time, analyzing means 12 denies entry to the secured domain (e.g. computer 80). If the second password was received within the predetermined period of time, analyzing means 12 compares it to the code which was previously generated. If the second password is not substantially identical to the previously generated code, analyzing means 12 denies individual 18 entry to the secured domain (e.g. computer 80). If the received password is substantially identical to the code, analyzing means 12 grants individual 18 entry into the secured domain. As will be readily apparent to those of ordinary skill in the art, timing means 40 provides yet a third level of security to computer system 80. Moreover, it should also be apparent to one of ordinary skill in the art that this "predetermined time" may be as short or as small as several milliseconds or microseconds. This is particularly true if, in yet another embodiment of Applicant's invention, the password generated by communication means 14 is received by a computerized device which is adapted to receive the password and to generate a new password code in a substantially automatic manner.

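
The two-channel flow of Figures 1 and 2, with the timing window applied, written out as an added Python example; it is not code from the application or from the applicant. The class and parameter names, the constructed table entry, the use of the OS CSPRNG (`secrets`) in place of the pseudo-random generator the text describes, single-use codes, and the limit on wrong guesses are assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for master password list 200 of Figure 5:
# authorized password -> (user name, second-channel address). Sample values only;
# a production table would hold salted password hashes, not plaintext.
MASTER_PASSWORD_LIST = {
    "blue-heron-42": ("A. Example", "pager:555-0100"),
}


@dataclass
class PendingCode:
    code: str            # code sent over the second channel
    received_at: float   # time the first password was received (timing means 40)
    attempts_left: int   # assumption: guess limit, not described in the application


class AnalyzingMeans:
    """Combines analyzing means 12, code generating means 14 and timing means 40."""

    def __init__(self, send_second_channel, window_seconds=120.0,
                 code_digits=6, max_attempts=3, clock=time.monotonic):
        self._send = send_second_channel   # callable(address, code): channel 84
        self._window = window_seconds      # the programmable "predetermined period"
        self._digits = code_digits         # the "programmable length" of the code
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}                 # session id -> PendingCode

    def submit_first_password(self, session_id, password):
        """Channel 82, step 1: check the password, then push a code out of band."""
        entry = MASTER_PASSWORD_LIST.get(password)
        if entry is None:
            return False                   # no first signal, so no code is generated
        _name, address = entry
        # secrets draws from the OS CSPRNG; the application only asks for a
        # "substantially random and/or pseudo-random" code.
        code = "".join(secrets.choice("0123456789") for _ in range(self._digits))
        self._pending[session_id] = PendingCode(code, self._clock(), self._max_attempts)
        self._send(address, code)          # goes to the table's address, not the caller's
        return True

    def submit_second_password(self, session_id, candidate):
        """Channel 82, step 2: grant access only for the right code inside the window."""
        pending = self._pending.get(session_id)
        if pending is None:
            return False
        if self._clock() - pending.received_at > self._window:
            del self._pending[session_id]  # too late: deny and discard the code
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(candidate.encode(), pending.code.encode()):
            del self._pending[session_id]  # single use: a replayed code is rejected
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[session_id]  # guess budget spent: code is void
        return False


def demo():
    """Run one accepted login, one replay and one late reply with a fake clock."""
    now = [0.0]
    pager = []                             # what the second channel delivered
    am = AnalyzingMeans(lambda addr, code: pager.append((addr, code)),
                        window_seconds=60.0, clock=lambda: now[0])
    am.submit_first_password("s1", "blue-heron-42")
    code = pager[-1][1]
    now[0] += 30
    accepted = am.submit_second_password("s1", code)
    replayed = am.submit_second_password("s1", code)
    am.submit_first_password("s2", "blue-heron-42")
    now[0] += 61
    late = am.submit_second_password("s2", pager[-1][1])
    return accepted, replayed, late


if __name__ == "__main__":
    print(demo())
```

The code is delivered to the address stored in the table rather than to anything the caller supplies, which is what lets the account owner notice a login attempt made with a stolen password.
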
Referring now to Figure 3, there is shown a block diagram of a third embodiment of a computer security system made in accordance with the principles of the preferred embodiment of the invention. As shown, computer security system 70 is adapted to receive an input data stream 72, comprising in a first embodiment, a plurality of digital data bits 73, which are to be securely transmitted to a distant site. System 70