System and method for protecting unauthorized access into an...

Registers – Systems controlled by data bearing records – Credit or identification card systems

Reexamination Certificate


Details

C235S379000, C235S380000

Reexamination Certificate

active

06223985

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to access control mechanisms for preventing unauthorized access and, more particularly, to an improved system that integrates a unique fail counter in the password, pass phrase or personal identification number (PIN) validation process.
2. Description of the Background
Today, many products, devices and/or systems rely on passwords, pass-phrases or personal identification numbers (PINs) to serve as an access control mechanism. One of the security challenges related to these access control mechanisms (heretofore collectively referred to as PINs) is the determination of an optimal PIN length and character composition. Obviously, a longer PIN created from a complex character set will be harder to guess than a short PIN created from a restricted character set. Unfortunately, it will also be harder for the user to remember. In order to enhance the level of security afforded to a system that uses a PIN as an access control mechanism, it is advisable to incorporate a fail counter into the PIN validation routine.
Incorporating a fail counter into the PIN validation routine is a simple task which can be accomplished via hardware, software, and/or firmware. Typically, a comparator compares the entered PIN to the correct PIN. Of note, the correct PIN is typically stored on a token or in a database. A fail counter keeps count of failed attempts. A number of actions can be taken when an individual consistently re-enters bad PINs. For instance, the system managers can be alerted to the possibility that an unauthorized access has been attempted. In addition, the system may prevent further access attempts after a certain number of failed attempts.
U.S. Pat. No. 5,594,227 discloses a system and method for protecting unauthorized access to data contents using a cumulative fail counter. The fail counter keeps a fail count LD indicative of the number of times that an entered password fails to match a stored password. The fail counter is incremented when the entered password fails to match the stored password and decremented when the entered password successfully matches the stored password. In addition to the fail count, a separate delay counter maintains a delay count that is incremented each time the access is attempted, regardless whether successful or not. Whenever the fail count is not equal to its starting value of zero access is denied. Access is denied even though a match might occur after initial misses because the fail count is not zero. Further, when access is denied, a delay period is imposed before comparing the next entered password received from the smart card terminal. The delay period increases each time based upon a function of the delay count. While the '227 patent reduces the chance of unauthorized access, it is a cumbersome implementation. First, a delay counter must be employed in tandem with the fail counter. Second, when access is denied a delay period is imposed before processing the next entry. This is tedious for legitimate users who have mistakenly typed the wrong PIN. Moreover, the cumulative result is longer lines at the card terminal. Third, the '227 implementation is geared specifically toward smart cards and other integrated circuit cards. It would be greatly advantageous to develop an access control system that requires fewer steps to implement, does not require a timing mechanism (for a delay counter or otherwise), and that is easier to integrate into all existing and future access control architectures.
SUMMARY OF THE INVENTION
It is, therefore, an object of the present invention to provide an improved system and method for protecting unauthorized access into an access-controlled entity (such as bank accounts when a PIN is used in conjunction with a magnetic strip card, or an employee badge to control access to a controlled facility) by an improved fail counter.
It is another object to provide an improved system and method for protecting unauthorized access that uses judicious mathematical analysis to improve protection to any access controlled entity while reducing the time and overhead hardware necessary for implementation.
It is still another object to eliminate the need for any timing mechanism (such as a delay counter), and to enable integration into any existing or future computer architectures.
In accordance with the above and other objects, the present invention relies on a fail count that is decremented upon entrance of the correct PIN (or password) and incremented upon entrance of an incorrect PIN. For the purposes of the invention, the fail counter is initially set to 1. However, the initial setting can be adjusted in accordance with the needs of any specific implementation. Access to the system is denied until the fail counter is equal to its reference value (zero, in this example). Therefore, if the PIN is correctly guessed on the i-th entry (i−1 failed entries), then the correct PIN needs to be entered i times to gain access to the entity. Hence, it is increasingly difficult to exhaust over all the possible PINs because the correct PIN needs to be entered and re-entered repeatedly depending on the number of prior incorrect entries. Moreover, an unauthorized user receives no indication when a correct PIN is entered because the entity will not automatically unlock.
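The counter rule in the summary above can be modelled as follows. This is an added example, not code from the patent. The class and function names, the 4-digit sample PIN, the constant-time comparison and the rule that the counter never drops below the reference value are assumptions of the sketch.

```python
import hmac


class FailCounterLock:
    """Fail counter as summarized: starts at 1, access only at the reference value 0."""

    def __init__(self, correct_pin, initial=1, reference=0):
        self._pin = correct_pin.encode()
        self.count = initial
        self.reference = reference

    def enter(self, pin):
        """Process one entry and return True only if access is granted."""
        # Constant-time comparison is a choice of this sketch, not of the patent.
        if hmac.compare_digest(pin.encode(), self._pin):
            # Assumption: the counter is never decremented below the reference.
            if self.count > self.reference:
                self.count -= 1
        else:
            self.count += 1
        # The caller learns only granted / denied, never whether the PIN matched.
        return self.count == self.reference


def correct_entries_needed(wrong_entries, pin="4821"):
    """Correct entries required after `wrong_entries` misses (constructed PIN)."""
    lock = FailCounterLock(pin)
    for _ in range(wrong_entries):
        lock.enter("0000")  # constructed wrong guess, differs from the sample PIN
    needed = 1
    while not lock.enter(pin):
        needed += 1
    return needed


def single_pass_sweep_unlocks(pin="4821"):
    """Enter every 4-digit PIN once, in order; True if any entry was granted."""
    lock = FailCounterLock(pin)
    return any(lock.enter(f"{guess:04d}") for guess in range(10000))


if __name__ == "__main__":
    for misses in (0, 1, 3):
        print(misses, "misses ->", correct_entries_needed(misses), "correct entries")
    print("single sweep unlocks:", single_pass_sweep_unlocks())
```

A legitimate user who mistypes once must enter the correct PIN twice, and the same rule means every wrong entry made by anyone adds one more correct entry before the next grant.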


REFERENCES:
patent: 5594227 (1997-01-01), Deo
